Kernel
November 2022
- 18 participants
- 78 discussions
Perf tool add Hip09 json support.
Change log:
Fix the Refs tag.
Jin Yao (2):
perf tools: Fix pattern matching for same substring in different PMU
type
perf pmu: Save pmu name
John Garry (27):
perf jevents: Add support for an extra directory level
perf jevents: Add support for system events tables
perf pmu: Add pmu_id()
perf pmu: Add pmu_add_sys_aliases()
perf evlist: Change evlist__splice_list_tail() ordering
perf metricgroup: Fix metrics using aliases covering multiple PMUs
perf metricgroup: Split up metricgroup__print()
perf metricgroup: Support printing metric groups for system PMUs
perf metricgroup: Support adding metrics for system PMUs
perf pmu: Fix alias matching
perf jevents: Add test for arch std events
perf jevents: Make build dependency on test JSONs
perf test: Factor out pmu-events event comparison
perf jevents: Relocate test events to cpu folder
perf test: Declare pmu-events test events separately
perf test: Factor out pmu-events alias comparison
perf test: Test pmu-events core aliases separately
perf pmu: Check .is_uncore field in pmu_add_cpu_aliases_map()
perf test: Re-add pmu-event uncore PMU alias test
perf test: Add more pmu-events uncore aliases
perf pmu: Make pmu_add_sys_aliases() public
perf jevents: Print SoC name per system event table
perf test: Add pmu-events sys event support
perf parse-events: Set numeric term config
perf jevents: Support ConfigCode
perf test: Verify more event members in pmu-events test
perf vendor events arm64: Revise hip08 uncore events
Junhao He (1):
perf test: Add pmu-events test for aliases of hip09 ddrc pmu
Qi Liu (6):
perf pmu: Add alias match method to fit pmu_name of HiSilicon DDRC
perf jevents: Add support for HiSilicon L3C PMU aliasing
perf jevents: Add support for HiSilicon DDRC PMU aliasing
perf jevents: Add support for HiSilicon HHA PMU aliasing
perf jevents: Add support for HiSilicon SLLC PMU aliasing
perf jevents: Add support for HiSilicon PA PMU aliasing
tools/perf/pmu-events/Build | 5 +-
.../arm64/hisilicon/hip08/uncore-ddrc.json | 32 +-
.../arm64/hisilicon/hip08/uncore-hha.json | 120 ++-
.../arm64/hisilicon/hip08/uncore-l3c.json | 52 +-
.../hisilicon/hip09/sys/uncore-ddrc.json | 117 +++
.../arm64/hisilicon/hip09/sys/uncore-hha.json | 102 +++
.../arm64/hisilicon/hip09/sys/uncore-l3c.json | 125 +++
.../arm64/hisilicon/hip09/sys/uncore-pa.json | 86 ++
.../hisilicon/hip09/sys/uncore-sllc.json | 134 ++++
.../pmu-events/arch/test/arch-std-events.json | 8 +
.../{test_cpu => test_soc/cpu}/branch.json | 0
.../arch/test/test_soc/cpu/cache.json | 5 +
.../{test_cpu => test_soc/cpu}/other.json | 0
.../{test_cpu => test_soc/cpu}/uncore.json | 21 +
.../arch/test/test_soc/sys/uncore.json | 17 +
tools/perf/pmu-events/jevents.c | 118 ++-
tools/perf/pmu-events/pmu-events.h | 7 +
tools/perf/tests/parse-events.c | 8 +-
tools/perf/tests/pmu-events.c | 747 +++++++++++++-----
tools/perf/util/evlist.c | 19 +-
tools/perf/util/metricgroup.c | 255 ++++--
tools/perf/util/parse-events.c | 2 +-
tools/perf/util/parse-events.y | 2 +-
tools/perf/util/pmu.c | 158 +++-
tools/perf/util/pmu.h | 7 +
25 files changed, 1806 insertions(+), 341 deletions(-)
create mode 100644 tools/perf/pmu-events/arch/arm64/hisilicon/hip09/sys/uncore-ddrc.json
create mode 100644 tools/perf/pmu-events/arch/arm64/hisilicon/hip09/sys/uncore-hha.json
create mode 100644 tools/perf/pmu-events/arch/arm64/hisilicon/hip09/sys/uncore-l3c.json
create mode 100644 tools/perf/pmu-events/arch/arm64/hisilicon/hip09/sys/uncore-pa.json
create mode 100644 tools/perf/pmu-events/arch/arm64/hisilicon/hip09/sys/uncore-sllc.json
create mode 100644 tools/perf/pmu-events/arch/test/arch-std-events.json
rename tools/perf/pmu-events/arch/test/{test_cpu => test_soc/cpu}/branch.json (100%)
create mode 100644 tools/perf/pmu-events/arch/test/test_soc/cpu/cache.json
rename tools/perf/pmu-events/arch/test/{test_cpu => test_soc/cpu}/other.json (100%)
rename tools/perf/pmu-events/arch/test/{test_cpu => test_soc/cpu}/uncore.json (52%)
create mode 100644 tools/perf/pmu-events/arch/test/test_soc/sys/uncore.json
--
2.33.0

[PATCH openEuler-5.10 001/102] crypto: hisilicon/qm - fix the qos value initialization
by Zheng Zengkai 30 Nov '22
From: Kai Ye <yekai13(a)huawei.com>
mainline inclusion
from v6.1-rc4
commit f5b657e5dbf830cfcb19b588b784b8190a5164a0
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I5ZHPY
CVE: NA
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?…
----------------------------------------------------------------------
The default qos value is not initialized when sriov is repeatedly enabled
and disabled. So add the vf qos value initialized in the sriov enable
process.
Signed-off-by: Kai Ye <yekai13(a)huawei.com>
Signed-off-by: Herbert Xu <herbert(a)gondor.apana.org.au>
Signed-off-by: Jiangshui Yang <yangjiangshui(a)h-partners.com>
Reviewed-by: Xiu Jianfeng <xiujianfeng(a)huawei.com>
Signed-off-by: Zheng Zengkai <zhengzengkai(a)huawei.com>
---
drivers/crypto/hisilicon/qm.c | 22 +++++++++++++++-------
1 file changed, 15 insertions(+), 7 deletions(-)
diff --git a/drivers/crypto/hisilicon/qm.c b/drivers/crypto/hisilicon/qm.c
index af86579bee35..9e6f5004bdaf 100644
--- a/drivers/crypto/hisilicon/qm.c
+++ b/drivers/crypto/hisilicon/qm.c
@@ -4805,6 +4805,14 @@ void hisi_qm_debug_regs_clear(struct hisi_qm *qm)
}
EXPORT_SYMBOL_GPL(hisi_qm_debug_regs_clear);
+static void hisi_qm_init_vf_qos(struct hisi_qm *qm, int total_func)
+{
+ int i;
+
+ for (i = 1; i <= total_func; i++)
+ qm->factor[i].func_qos = QM_QOS_MAX_VAL;
+}
+
/**
* hisi_qm_sriov_enable() - enable virtual functions
* @pdev: the PCIe device
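Review bot: In hisi_qm_init_vf_qos() the parameter is named total_func, but the only caller in this patch passes num_vfs, and the loop runs `i = 1; i <= total_func`, so it writes qm->factor[num_vfs]. That is in bounds only if the factor array holds at least num_vfs + 1 entries, with slot 0 being the PF as the comment in the last hunk says. Rename the parameter to num_vfs and add a one-line comment stating that index 0 is the PF and the VFs occupy 1..num_vfs, so the inclusive bound is visibly intentional.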
@@ -4838,6 +4846,10 @@ int hisi_qm_sriov_enable(struct pci_dev *pdev, int max_vfs)
}
num_vfs = max_vfs;
+
+ if (test_bit(QM_SUPPORT_FUNC_QOS, &qm->caps))
+ hisi_qm_init_vf_qos(qm, num_vfs);
+
ret = qm_vf_q_assign(qm, num_vfs);
if (ret) {
pci_err(pdev, "Can't assign queues for VF!\n");
@@ -4873,7 +4885,6 @@ EXPORT_SYMBOL_GPL(hisi_qm_sriov_enable);
int hisi_qm_sriov_disable(struct pci_dev *pdev, bool is_frozen)
{
struct hisi_qm *qm = pci_get_drvdata(pdev);
- int total_vfs = pci_sriov_get_totalvfs(qm->pdev);
int ret;
if (pci_vfs_assigned(pdev)) {
@@ -4888,9 +4899,6 @@ int hisi_qm_sriov_disable(struct pci_dev *pdev, bool is_frozen)
}
pci_disable_sriov(pdev);
- /* clear vf function shaper configure array */
- if (test_bit(QM_SUPPORT_FUNC_QOS, &qm->caps))
- memset(qm->factor + 1, 0, sizeof(struct qm_shaper_factor) * total_vfs);
ret = qm_clear_vft_config(qm);
if (ret)
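Review bot: The memset() removed from hisi_qm_sriov_disable() zeroed whole struct qm_shaper_factor entries for every VF, while the replacement on the enable path assigns only func_qos. Any other member of that struct now keeps its value across a disable/enable cycle, and entries above the new num_vfs keep their old func_qos when fewer VFs are enabled the second time. If that is intended, say so in the commit message; otherwise have hisi_qm_init_vf_qos() reset the full entry.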
@@ -6303,7 +6311,7 @@ static int hisi_qp_alloc_memory(struct hisi_qm *qm)
static int hisi_qm_memory_init(struct hisi_qm *qm)
{
struct device *dev = &qm->pdev->dev;
- int ret, total_func, i;
+ int ret, total_func;
size_t off = 0;
if (test_bit(QM_SUPPORT_FUNC_QOS, &qm->caps)) {
@@ -6312,8 +6320,8 @@ static int hisi_qm_memory_init(struct hisi_qm *qm)
if (!qm->factor)
return -ENOMEM;
- for (i = 0; i < total_func; i++)
- qm->factor[i].func_qos = QM_QOS_MAX_VAL;
+ /* Only the PF value needs to be initialized */
+ qm->factor[0].func_qos = QM_QOS_MAX_VAL;
}
#define QM_INIT_BUF(qm, type, num) do { \
--
2.20.1
Perf tool add Hip09 json support.
Jin Yao (2):
perf tools: Fix pattern matching for same substring in different PMU
type
perf pmu: Save pmu name
John Garry (27):
perf jevents: Add support for an extra directory level
perf jevents: Add support for system events tables
perf pmu: Add pmu_id()
perf pmu: Add pmu_add_sys_aliases()
perf evlist: Change evlist__splice_list_tail() ordering
perf metricgroup: Fix metrics using aliases covering multiple PMUs
perf metricgroup: Split up metricgroup__print()
perf metricgroup: Support printing metric groups for system PMUs
perf metricgroup: Support adding metrics for system PMUs
perf pmu: Fix alias matching
perf jevents: Add test for arch std events
perf jevents: Make build dependency on test JSONs
perf test: Factor out pmu-events event comparison
perf jevents: Relocate test events to cpu folder
perf test: Declare pmu-events test events separately
perf test: Factor out pmu-events alias comparison
perf test: Test pmu-events core aliases separately
perf pmu: Check .is_uncore field in pmu_add_cpu_aliases_map()
perf test: Re-add pmu-event uncore PMU alias test
perf test: Add more pmu-events uncore aliases
perf pmu: Make pmu_add_sys_aliases() public
perf jevents: Print SoC name per system event table
perf test: Add pmu-events sys event support
perf parse-events: Set numeric term config
perf jevents: Support ConfigCode
perf test: Verify more event members in pmu-events test
perf vendor events arm64: Revise hip08 uncore events
Junhao He (1):
perf test: Add pmu-events test for aliases of hip09 ddrc pmu
Qi Liu (6):
{topost} perf pmu: Add alias match method to fit pmu_name of HiSilicon
DDRC
{topost} perf jevents: Add support for HiSilicon L3C PMU aliasing
{topost} perf jevents: Add support for HiSilicon DDRC PMU aliasing
{topost} perf jevents: Add support for HiSilicon HHA PMU aliasing
{topost} perf jevents: Add support for HiSilicon SLLC PMU aliasing
{topost} perf jevents: Add support for HiSilicon PA PMU aliasing
tools/perf/pmu-events/Build | 5 +-
.../arm64/hisilicon/hip08/uncore-ddrc.json | 32 +-
.../arm64/hisilicon/hip08/uncore-hha.json | 120 ++-
.../arm64/hisilicon/hip08/uncore-l3c.json | 52 +-
.../hisilicon/hip09/sys/uncore-ddrc.json | 117 +++
.../arm64/hisilicon/hip09/sys/uncore-hha.json | 102 +++
.../arm64/hisilicon/hip09/sys/uncore-l3c.json | 125 +++
.../arm64/hisilicon/hip09/sys/uncore-pa.json | 86 ++
.../hisilicon/hip09/sys/uncore-sllc.json | 134 ++++
.../pmu-events/arch/test/arch-std-events.json | 8 +
.../{test_cpu => test_soc/cpu}/branch.json | 0
.../arch/test/test_soc/cpu/cache.json | 5 +
.../{test_cpu => test_soc/cpu}/other.json | 0
.../{test_cpu => test_soc/cpu}/uncore.json | 21 +
.../arch/test/test_soc/sys/uncore.json | 17 +
tools/perf/pmu-events/jevents.c | 118 ++-
tools/perf/pmu-events/pmu-events.h | 7 +
tools/perf/tests/parse-events.c | 8 +-
tools/perf/tests/pmu-events.c | 747 +++++++++++++-----
tools/perf/util/evlist.c | 19 +-
tools/perf/util/metricgroup.c | 255 ++++--
tools/perf/util/parse-events.c | 2 +-
tools/perf/util/parse-events.y | 2 +-
tools/perf/util/pmu.c | 158 +++-
tools/perf/util/pmu.h | 7 +
25 files changed, 1806 insertions(+), 341 deletions(-)
create mode 100644 tools/perf/pmu-events/arch/arm64/hisilicon/hip09/sys/uncore-ddrc.json
create mode 100644 tools/perf/pmu-events/arch/arm64/hisilicon/hip09/sys/uncore-hha.json
create mode 100644 tools/perf/pmu-events/arch/arm64/hisilicon/hip09/sys/uncore-l3c.json
create mode 100644 tools/perf/pmu-events/arch/arm64/hisilicon/hip09/sys/uncore-pa.json
create mode 100644 tools/perf/pmu-events/arch/arm64/hisilicon/hip09/sys/uncore-sllc.json
create mode 100644 tools/perf/pmu-events/arch/test/arch-std-events.json
rename tools/perf/pmu-events/arch/test/{test_cpu => test_soc/cpu}/branch.json (100%)
create mode 100644 tools/perf/pmu-events/arch/test/test_soc/cpu/cache.json
rename tools/perf/pmu-events/arch/test/{test_cpu => test_soc/cpu}/other.json (100%)
rename tools/perf/pmu-events/arch/test/{test_cpu => test_soc/cpu}/uncore.json (52%)
create mode 100644 tools/perf/pmu-events/arch/test/test_soc/sys/uncore.json
--
2.33.0

[PATCH OLK-5.10 1/7] memcontrol: Add oom recover for kmemcg when release buddy hugepage
by Zhang Jian 29 Nov '22
From: Jian Zhang <zhangjian210(a)huawei.com>
hulk inclusion
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/I63SDZ
-------------------------------
In Ascend, we use tmp hugepage and disable OOM-killer, when we cause an OOM,
and after some time, the memory is enough for process, the process will not
return to run normal. In this case, we must use oom recover to let the
process run.
Signed-off-by: Jian Zhang <zhangjian210(a)huawei.com>
---
mm/memcontrol.c | 11 +++++++++++
1 file changed, 11 insertions(+)
diff --git a/mm/memcontrol.c b/mm/memcontrol.c
index a3617f0a0fd1..b2c4bc4bb591 100644
--- a/mm/memcontrol.c
+++ b/mm/memcontrol.c
@@ -3116,12 +3116,23 @@ void __memcg_kmem_uncharge_page(struct page *page, int order)
{
struct obj_cgroup *objcg;
unsigned int nr_pages = 1 << order;
+#ifdef CONFIG_ASCEND_FEATURES
+ struct mem_cgroup *memcg;
+#endif
if (!PageMemcgKmem(page))
return;
objcg = __page_objcg(page);
obj_cgroup_uncharge_pages(objcg, nr_pages);
+
+#ifdef CONFIG_ASCEND_FEATURES
+ memcg = get_mem_cgroup_from_objcg(objcg);
+ if (!mem_cgroup_is_root(memcg))
+ memcg_oom_recover(memcg);
+ css_put(&memcg->css);
+#endif
+
page->memcg_data = 0;
obj_cgroup_put(objcg);
}
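Review bot: memcg_oom_recover() is called here on every non-root kmem page uncharge, while the subject and description limit the intent to releasing buddy hugepages with the OOM killer disabled. __memcg_kmem_uncharge_page() is a general uncharge path, so either narrow the condition to the case described or document why waking OOM waiters on every uncharge is acceptable. The two `#ifdef CONFIG_ASCEND_FEATURES` blocks inside the function body would also read better as a small helper with an empty stub for the disabled case, which removes the conditionally declared memcg local.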
--
2.17.1

[PATCH openEuler-1.0-LTS] drivers: net: slip: fix NPD bug in sl_tx_timeout()
by Yongqiang Liu 29 Nov '22
From: Duoming Zhou <duoming(a)zju.edu.cn>
stable inclusion
from stable-4.19.239
commit 753b9d220a7d36dac70e7c6d05492d10d6f9dd36
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/I62KQZ
CVE: CVE-2022-41858
--------------------------------
[ Upstream commit ec4eb8a86ade4d22633e1da2a7d85a846b7d1798 ]
When a slip driver is detaching, the slip_close() will act to
cleanup necessary resources and sl->tty is set to NULL in
slip_close(). Meanwhile, the packet we transmit is blocked,
sl_tx_timeout() will be called. Although slip_close() and
sl_tx_timeout() use sl->lock to synchronize, we don't judge
whether sl->tty equals to NULL in sl_tx_timeout() and the
null pointer dereference bug will happen.
(Thread 1) | (Thread 2)
| slip_close()
| spin_lock_bh(&sl->lock)
| ...
... | sl->tty = NULL //(1)
sl_tx_timeout() | spin_unlock_bh(&sl->lock)
spin_lock(&sl->lock); |
... | ...
tty_chars_in_buffer(sl->tty)|
if (tty->ops->..) //(2) |
... | synchronize_rcu()
We set NULL to sl->tty in position (1) and dereference sl->tty
in position (2).
This patch adds check in sl_tx_timeout(). If sl->tty equals to
NULL, sl_tx_timeout() will goto out.
Signed-off-by: Duoming Zhou <duoming(a)zju.edu.cn>
Reviewed-by: Jiri Slaby <jirislaby(a)kernel.org>
Link: https://lore.kernel.org/r/20220405132206.55291-1-duoming@zju.edu.cn
Signed-off-by: Jakub Kicinski <kuba(a)kernel.org>
Signed-off-by: Sasha Levin <sashal(a)kernel.org>
Signed-off-by: Liu Jian <liujian56(a)huawei.com>
Reviewed-by: Yue Haibing <yuehaibing(a)huawei.com>
Reviewed-by: Xiu Jianfeng <xiujianfeng(a)huawei.com>
Signed-off-by: Yongqiang Liu <liuyongqiang13(a)huawei.com>
---
drivers/net/slip/slip.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/net/slip/slip.c b/drivers/net/slip/slip.c
index 93f303ec17e2..a959e01610b1 100644
--- a/drivers/net/slip/slip.c
+++ b/drivers/net/slip/slip.c
@@ -471,7 +471,7 @@ static void sl_tx_timeout(struct net_device *dev)
spin_lock(&sl->lock);
if (netif_queue_stopped(dev)) {
- if (!netif_running(dev))
+ if (!netif_running(dev) || !sl->tty)
goto out;
/* May be we must check transmitter timeout here ?
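Review bot: The new `!sl->tty` test in sl_tx_timeout() has no comment, and without the commit message a reader cannot tell why a device with a stopped queue could have no tty. Add a short comment saying that slip_close() clears sl->tty under sl->lock and the timeout handler can run afterwards. The check sits after spin_lock(&sl->lock), which matches the locking described in the commit message.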
--
2.25.1

29 Nov '22
openEuler inclusion
category: doc
bugzilla: https://gitee.com/openeuler/kernel/issues/I63OX8
Add the Maintainer & Committers list for the openEuler/kernel repository
by referring to the MAINTAINERS file of the upstream community.
It is convenient to obtain the list of Maintainers & Committers of the
openEuler/kernel based on the submitted PR or patches.
Only the of the scheduling subsystem is added to openEuler/MAINTAINERS.
This is used as a reference for other modules and subsystems.
Example:
$./scripts/get_maintainer.pl -no-l --no-rolestats
--maintainer-path=openEuler/MAINTAINERS --no-tree --no-fixes
--no-git-blame-signatures --no-git-fallback
0001-sched-fair-Fix-fault-in-reweight_entity.patch
Signed-off-by: Xie XiuQi <xiexiuqi(a)huawei.com>
---
openEuler/MAINTAINERS | 85 +++++++++++++++++++++++++++++++++++++++++++
1 file changed, 85 insertions(+)
create mode 100644 openEuler/MAINTAINERS
diff --git a/openEuler/MAINTAINERS b/openEuler/MAINTAINERS
new file mode 100644
index 000000000000..151c64ec85bd
--- /dev/null
+++ b/openEuler/MAINTAINERS
@@ -0,0 +1,85 @@
+List of maintainers/committers
+====================================================
+
+Descriptions of section entries and preferred order
+---------------------------------------------------
+
+ M: *Mail* patches to: FullName <address@domain>
+ R: Designated *Reviewer*: FullName <address@domain>
+ These reviewers should be CCed on patches.
+ L: *Mailing list* that is relevant to this area
+ S: *Status*, one of the following:
+ Supported: Someone is actually paid to look after this.
+ Maintained: Someone actually looks after it.
+ Odd Fixes: It has a maintainer but they don't have time to do
+ much other than throw the odd patch in. See below..
+ Orphan: No current maintainer [but maybe you could take the
+ role as you write your new code].
+ Obsolete: Old code. Something tagged obsolete generally means
+ it has been replaced by a better system and you
+ should be using that.
+ W: *Web-page* with status/info
+ Q: *Patchwork* web based patch tracking system site
+ B: URI for where to file *bugs*. A web-page with detailed bug
+ filing info, a direct bug tracker link, or a mailto: URI.
+ C: URI for *chat* protocol, server and channel where developers
+ usually hang out, for example irc://server/channel.
+ P: Subsystem Profile document for more details submitting
+ patches to the given subsystem. This is either an in-tree file,
+ or a URI. See Documentation/maintainer/maintainer-entry-profile.rst
+ for details.
+ T: *SCM* tree type and location.
+ Type is one of: git, hg, quilt, stgit, topgit
+ F: *Files* and directories wildcard patterns.
+ A trailing slash includes all files and subdirectory files.
+ F: drivers/net/ all files in and below drivers/net
+ F: drivers/net/* all files in drivers/net, but not below
+ F: */net/* all files in "any top level directory"/net
+ One pattern per line. Multiple F: lines acceptable.
+ X: *Excluded* files and directories that are NOT maintained, same
+ rules as F:. Files exclusions are tested before file matches.
+ Can be useful for excluding a specific subdirectory, for instance:
+ F: net/
+ X: net/ipv6/
+ matches all files in and below net excluding net/ipv6/
+ N: Files and directories *Regex* patterns.
+ N: [^a-z]tegra all files whose path contains tegra
+ (not including files like integrator)
+ One pattern per line. Multiple N: lines acceptable.
+ scripts/get_maintainer.pl has different behavior for files that
+ match F: pattern and matches of N: patterns. By default,
+ get_maintainer will not look at git log history when an F: pattern
+ match occurs. When an N: match occurs, git log history is used
+ to also notify the people that have git commit signatures.
+ K: *Content regex* (perl extended) pattern match in a patch or file.
+ For instance:
+ K: of_get_profile
+ matches patches or files that contain "of_get_profile"
+ K: \b(printk|pr_(info|err))\b
+ matches patches or files that contain one or more of the words
+ printk, pr_info or pr_err
+ One regex pattern per line. Multiple K: lines acceptable.
+
+Maintainers List
+----------------
+
+.. note:: When reading this list, please look for the most precise areas
+ first. When adding to this list, please keep the entries in
+ alphabetical order.
+
+SCHEDULER
+M: zhengzucheng(a)huawei.com
+S: Maintained
+F: include/linux/preempt.h
+F: include/linux/sched.h
+F: include/linux/wait.h
+F: include/uapi/linux/sched.h
+F: kernel/sched/
+
+THE REST
+M: xiexiuqi(a)huawei.com
+M: zhengzengkai(a)huawei.com
+L: kernel(a)openeuler.org
+S: Buried alive in reporters
+F: *
+F: */
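Review bot: The M: lines under SCHEDULER and THE REST carry bare addresses, but the section description at the top of this file defines the format as `M: *Mail* patches to: FullName <address@domain>`; add the maintainers' names so the entries follow the format the file documents. `S: Buried alive in reporters` under THE REST is also not one of the Status values listed above (Supported, Maintained, Odd Fixes, Orphan, Obsolete); use one of those so tooling and readers can rely on the field.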
--
2.20.1

29 Nov '22
From: Dan Carpenter <dan.carpenter(a)oracle.com>
stable inclusion
from stable-v5.10.142
commit 19e3f69d19801940abc2ac37c169882769ed9770
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/I62AX2
CVE: CVE-2022-4095
--------------------------------
_Read/Write_MACREG callbacks are NULL so the read/write_macreg_hdl()
functions don't do anything except free the "pcmd" pointer. It
results in a use after free. Delete them.
Fixes: 2865d42c78a9 ("staging: r8712u: Add the new driver to the mainline kernel")
Cc: stable <stable(a)kernel.org>
Reported-by: Zheng Wang <hackerzheng666(a)gmail.com>
Signed-off-by: Dan Carpenter <dan.carpenter(a)oracle.com>
Link: https://lore.kernel.org/r/Yw4ASqkYcUhUfoY2@kili
Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org>
Signed-off-by: Guan Jing <guanjing6(a)huawei.com>
Reviewed-by: Zhang Qiao <zhangqiao22(a)huawei.com>
Reviewed-by: Chen Hui <judy.chenhui(a)huawei.com>
Reviewed-by: Xiu Jianfeng <xiujianfeng(a)huawei.com>
Signed-off-by: Yongqiang Liu <liuyongqiang13(a)huawei.com>
---
drivers/staging/rtl8712/rtl8712_cmd.c | 36 ---------------------------
1 file changed, 36 deletions(-)
diff --git a/drivers/staging/rtl8712/rtl8712_cmd.c b/drivers/staging/rtl8712/rtl8712_cmd.c
index 63bc811681d9..fb092d4ec521 100644
--- a/drivers/staging/rtl8712/rtl8712_cmd.c
+++ b/drivers/staging/rtl8712/rtl8712_cmd.c
@@ -129,34 +129,6 @@ static void r871x_internal_cmd_hdl(struct _adapter *padapter, u8 *pbuf)
kfree(pdrvcmd->pbuf);
}
-static u8 read_macreg_hdl(struct _adapter *padapter, u8 *pbuf)
-{
- void (*pcmd_callback)(struct _adapter *dev, struct cmd_obj *pcmd);
- struct cmd_obj *pcmd = (struct cmd_obj *)pbuf;
-
- /* invoke cmd->callback function */
- pcmd_callback = cmd_callback[pcmd->cmdcode].callback;
- if (!pcmd_callback)
- r8712_free_cmd_obj(pcmd);
- else
- pcmd_callback(padapter, pcmd);
- return H2C_SUCCESS;
-}
-
-static u8 write_macreg_hdl(struct _adapter *padapter, u8 *pbuf)
-{
- void (*pcmd_callback)(struct _adapter *dev, struct cmd_obj *pcmd);
- struct cmd_obj *pcmd = (struct cmd_obj *)pbuf;
-
- /* invoke cmd->callback function */
- pcmd_callback = cmd_callback[pcmd->cmdcode].callback;
- if (!pcmd_callback)
- r8712_free_cmd_obj(pcmd);
- else
- pcmd_callback(padapter, pcmd);
- return H2C_SUCCESS;
-}
-
static u8 read_bbreg_hdl(struct _adapter *padapter, u8 *pbuf)
{
struct cmd_obj *pcmd = (struct cmd_obj *)pbuf;
@@ -225,14 +197,6 @@ static struct cmd_obj *cmd_hdl_filter(struct _adapter *padapter,
pcmd_r = NULL;
switch (pcmd->cmdcode) {
- case GEN_CMD_CODE(_Read_MACREG):
- read_macreg_hdl(padapter, (u8 *)pcmd);
- pcmd_r = pcmd;
- break;
- case GEN_CMD_CODE(_Write_MACREG):
- write_macreg_hdl(padapter, (u8 *)pcmd);
- pcmd_r = pcmd;
- break;
case GEN_CMD_CODE(_Read_BBREG):
read_bbreg_hdl(padapter, (u8 *)pcmd);
break;
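Review bot: The commit message does not say what happens to pcmd for `_Read_MACREG` and `_Write_MACREG` once their cases are removed from cmd_hdl_filter(); these codes now take whatever path the switch gives unmatched codes, which is not visible in this hunk. The removed cases set `pcmd_r = pcmd` after the handler had already called r8712_free_cmd_obj(pcmd) when no callback was registered, so dropping them is the right direction, but the description should state who frees pcmd for these two codes after the change and that it is freed exactly once.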
--
2.25.1
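Hello!
Kernel SIG invites you to attend the Zoom meeting (automatically recorded) to be held at 2022-12-02 14:00.
Meeting subject: openEuler Kernel SIG biweekly meeting
Agenda:
1. Progress update
2. Call for topics
Everyone is welcome to propose topics (new topics can be submitted by replying to this email or entered on the meeting board)
Meeting link: https://us06web.zoom.us/j/88119872664?pwd=V1V3eFBJeVBPZ25RbExvWGthZXJWUT09
Meeting minutes: https://etherpad.openeuler.org/p/Kernel-meetings
Reminder: We recommend changing your participant name after joining the meeting; you can also use your gitee.com ID.
More information: https://openeuler.org/zh/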
Hello!
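openEuler Kernel SIG invites you to attend the Zoom conference (auto recording) to be held at 2022-12-02 14:00.
The subject of the conference is the openEuler Kernel SIG biweekly meeting.
Summary:
1. Progress update
2. Call for topics
Everyone is welcome to propose topics (new topics can be submitted by replying to this email or entered on the meeting board)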
You can join the meeting at https://us06web.zoom.us/j/88119872664?pwd=V1V3eFBJeVBPZ25RbExvWGthZXJWUT09.
Add topics at https://etherpad.openeuler.org/p/Kernel-meetings.
Note: You are advised to change the participant name after joining the conference or use your ID at gitee.com.
More information: https://openeuler.org/en/
From: Zhengzengkai
Sent: 28 November 2022 10:39
To: kernel <kernel(a)openeuler.org>
Cc: Xiexiuqi <xiexiuqi(a)huawei.com>; liwei (GF) <liwei391(a)huawei.com>
Subject: Enabling cgroup writeback on cgroupv1.pptx

[PATCH openEuler-1.0-LTS] x86/tsc: use topology_max_packages() in tsc watchdog check
by Yongqiang Liu 27 Nov '22
From: Feng Tang <feng.tang(a)intel.com>
hulk inclusion
category: bugfix
bugzilla: 187942, https://gitee.com/openeuler/kernel/issues/I5U037
CVE: NA
-------------------------------
Commit b50db7095fe0 ("x86/tsc: Disable clocksource watchdog for TSC
on qualified platorms") was introduced to solve problem that
sometimes TSC clocksource is wrongly judged as unstable by watchdog
like 'jiffies', HPET, etc.
In it, the hardware socket number is a key factor for judging
whether to disable the watchdog for TSC, and 'nr_online_nodes' was
chosen as an estimation due to it is needed in early boot phase
before registering 'tsc-early' clocksource, where all non-boot
CPUs are not brought up yet.
In recent patch review, Dave Hansen pointed out there are many
cases that 'nr_online_nodes' could have issue, like:
* numa emulation (numa=fake=4 etc.)
* numa=off
* platforms with CPU+DRAM nodes, CPU-less HBM nodes, CPU-less
persistent memory nodes.
Peter Zijlstra suggested to use logical package ids, but it is
only usable after smp_init() and all CPUs are initialized.
One solution is to skip the watchdog for 'tsc-early' clocksource,
and move the check after smp_init(), while before 'tsc'
clocksource is registered, where topology_max_packages() could
be used as a much more accurate socket number.
Signed-off-by: Feng Tang <feng.tang(a)intel.com>
Conflict:
arch/x86/kernel/tsc.c
Signed-off-by: Yu Liao <liaoyu15(a)huawei.com>
Reviewed-by: Xiongfeng Wang <wangxiongfeng2(a)huawei.com>
Signed-off-by: Yongqiang Liu <liuyongqiang13(a)huawei.com>
---
arch/x86/kernel/tsc.c | 20 +++++++++++++++-----
1 file changed, 15 insertions(+), 5 deletions(-)
diff --git a/arch/x86/kernel/tsc.c b/arch/x86/kernel/tsc.c
index b1ae78bdba50..a7f447c30089 100644
--- a/arch/x86/kernel/tsc.c
+++ b/arch/x86/kernel/tsc.c
@@ -1095,8 +1095,7 @@ static struct clocksource clocksource_tsc_early = {
.rating = 299,
.read = read_tsc,
.mask = CLOCKSOURCE_MASK(64),
- .flags = CLOCK_SOURCE_IS_CONTINUOUS |
- CLOCK_SOURCE_MUST_VERIFY,
+ .flags = CLOCK_SOURCE_IS_CONTINUOUS,
.archdata = { .vclock_mode = VCLOCK_TSC },
.resume = tsc_resume,
.mark_unstable = tsc_cs_mark_unstable,
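Review bot: Dropping CLOCK_SOURCE_MUST_VERIFY from clocksource_tsc_early is unconditional, so the early clocksource is never checked by the watchdog, including on systems that fail the feature and socket test added to init_tsc_clocksource(). The commit message explains the choice, but the struct itself carries no hint; add a comment above `.flags` noting that verification is left to the 'tsc' clocksource because the package count is not known this early.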
@@ -1353,6 +1352,20 @@ static int __init init_tsc_clocksource(void)
if (boot_cpu_has(X86_FEATURE_NONSTOP_TSC_S3))
clocksource_tsc.flags |= CLOCK_SOURCE_SUSPEND_NONSTOP;
+ /*
+ * Disable the clocksource watchdog when the system has:
+ * - TSC running at constant frequency
+ * - TSC which does not stop in C-States
+ * - the TSC_ADJUST register which allows to detect even minimal
+ * modifications
+ * - not more than four sockets.
+ */
+ if (boot_cpu_has(X86_FEATURE_CONSTANT_TSC) &&
+ boot_cpu_has(X86_FEATURE_NONSTOP_TSC) &&
+ boot_cpu_has(X86_FEATURE_TSC_ADJUST) &&
+ topology_max_packages() <= 4)
+ clocksource_tsc.flags &= ~CLOCK_SOURCE_MUST_VERIFY;
+
/*
* When TSC frequency is known (retrieved via MSR or CPUID), we skip
* the refined calibration and directly register it as a clocksource.
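Review bot: This block in init_tsc_clocksource() is added in full rather than replacing an `nr_online_nodes` test, although the commit message describes the change as a move from `nr_online_nodes` to topology_max_packages() on top of commit b50db7095fe0. The `Conflict:` tag only names arch/x86/kernel/tsc.c; spell out there that the condition from b50db7095fe0 is being introduced by this patch rather than modified. The literal in `topology_max_packages() <= 4` would also be clearer as a named constant shared with the comment above it.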
@@ -1483,9 +1496,6 @@ void __init tsc_init(void)
return;
}
- if (tsc_clocksource_reliable)
- clocksource_tsc_early.flags &= ~CLOCK_SOURCE_MUST_VERIFY;
-
clocksource_register_khz(&clocksource_tsc_early, tsc_khz);
detect_art();
}
--
2.25.1

26 Nov '22
Backport 5.10.138 LTS patches from upstream.
git cherry-pick v5.10.137..v5.10.138~1 -s
Already merged(-5):
0e28678a770d devlink: Fix use-after-free after a failed reload
38ddccbda5e8 vsock: Fix memory leak in vsock_connect()
a0ae122e9aec atm: idt77252: fix use-after-free bugs caused by tst_timer
a220ff343396 can: j1939: j1939_session_destroy(): fix memory leak of skbs
3527e3cbb84d bpf: Fix KASAN use-after-free Read in compute_effective_progs
Context conflict:
63671b2bdf5f watchdog: export lockup_detector_reconfigure
Deferred for performance degradation(-1):
823280a8fba3 locking/atomic: Make test_and_*_bit() ordered on failure
Total patches: 157 - 5 - 1 = 151
Aaron Lu (1):
x86/mm: Use proper mask when setting PUD mapping
Al Viro (6):
nios2: page fault et.al. are *not* restartable syscalls...
nios2: don't leave NULLs in sys_call_table[]
nios2: traced syscall does need to check the syscall number
nios2: fix syscall restart checks
nios2: restarts apply only to the first sigframe we build...
nios2: add force_successful_syscall_return()
Alan Brady (1):
i40e: Fix to stop tx_timeout recovery if GLOBR fails
Amadeusz Sławiński (1):
ALSA: info: Fix llseek return value when using callback
Amelie Delaunay (1):
usb: dwc2: gadget: remove D+ pull-up while no vbus with
usb-role-switch
Andrew Donnellan (1):
gcc-plugins: Undefine LATENT_ENTROPY_PLUGIN when plugin disabled for a
file
Andy Shevchenko (1):
pinctrl: intel: Check against matching data instead of ACPI companion
Arun Ramadoss (1):
net: dsa: microchip: ksz9477: fix fdb_dump last invalid entry
Bard Liao (1):
ASoC: SOF: intel: move sof_intel_dsp_desc() forward
Bob Pearson (1):
RDMA/rxe: Limit the number of calls to each tasklet
Celeste Liu (1):
riscv: mmap with PROT_WRITE but no PROT_READ is invalid
Chao Yu (2):
f2fs: fix to avoid use f2fs_bug_on() in f2fs_new_node_page()
f2fs: fix to do sanity check on segment type in build_sit_entries()
Chen Lin (1):
dpaa2-eth: trace the allocated address instead of page struct
Chia-Lin Kao (AceLan) (1):
net: atlantic: fix aq_vec index out of range error
Christoffer Sandberg (1):
ALSA: hda/realtek: Add quirk for Clevo NS50PU, NS70PU
Christophe JAILLET (6):
mmc: pxamci: Fix another error handling path in pxamci_probe()
mmc: pxamci: Fix an error handling path in pxamci_probe()
mmc: meson-gx: Fix an error handling path in meson_mmc_probe()
perf probe: Fix an error handling path in 'parse_perf_probe_command()'
stmmac: intel: Add a missing clk_disable_unprepare() call in
intel_eth_pci_remove()
cxl: Fix a memory leak in an error handling path
Christophe Leroy (1):
powerpc/32: Don't always pass -mcpu=powerpc to the compiler
Csókás Bence (1):
fec: Fix timer capture timing in `fec_ptp_enable_pps()`
Damien Le Moal (1):
ata: libata-eh: Add missing command name
Dan Aloni (1):
sunrpc: fix expiry of auth creds
Dan Carpenter (3):
NTB: ntb_tool: uninitialized heap data in tool_fn_write()
xen/xenbus: fix return type in xenbus_file_read()
netfilter: nftables: fix a warning message in
nf_tables_commit_audit_collect()
Dmitry Baryshkov (1):
dt-bindings: clock: qcom,gcc-msm8996: add more GCC clock sources
Dongliang Mu (1):
netfilter: nf_tables: fix audit memory leak in nf_tables_commit
Fedor Pchelkin (1):
can: j1939: j1939_sk_queue_activate_next_locked(): replace
WARN_ON_ONCE with netdev_warn_once()
Filipe Manana (1):
btrfs: fix lost error handling when looking up extended ref on log
replay
Florian Westphal (1):
plip: avoid rcu debug splat
Frank Li (1):
usb: cdns3 fix use-after-free at workaround 2
Frieder Schrempf (1):
regulator: pca9450: Remove restrictions for regulator-name
Grzegorz Siwik (1):
ice: Ignore EEXIST when setting promisc mode
Guenter Roeck (1):
lib/list_debug.c: Detect uninitialized lists
Helge Deller (1):
modules: Ensure natural alignment for .altinstructions and __bug_table
sections
Hou Tao (5):
bpf: Acquire map uref in .init_seq_private for array map iterator
bpf: Acquire map uref in .init_seq_private for hash map iterator
bpf: Acquire map uref in .init_seq_private for sock local storage map
iterator
bpf: Acquire map uref in .init_seq_private for sock{map,hash} iterator
bpf: Check the validity of max_rdwr_access for sock local storage map
iterator
Huacai Chen (1):
PCI/ACPI: Guard ARM64-specific mcfg_quirks
Jakub Kicinski (1):
net: genl: fix error path memory leak in policy dumping
James Smart (1):
scsi: lpfc: Prevent buffer overflow crashes in debugfs with malformed
user input
Jason A. Donenfeld (1):
um: add "noreboot" command line option for PANIC_TIMEOUT=-1 setups
Jean-Philippe Brucker (1):
uacce: Handle parent device removal or parent driver module rmmod
Jeff Layton (1):
ceph: don't leak snap_rwsem in handle_cap_grant
Jens Wiklander (1):
tee: fix memory leak in tee_shm_register()
Jianhua Lu (1):
pinctrl: qcom: sm8250: Fix PDC map
John Johansen (5):
apparmor: fix quiet_denied for file rules
apparmor: fix absroot causing audited secids to begin with =
apparmor: Fix failed mount permission check error message
apparmor: fix setting unconfined mode on a loaded profile
apparmor: fix overlapping attachment computation
Jozef Martiniak (1):
gadgetfs: ep_io - wait until IRQ finishes
Keith Busch (1):
PCI/ERR: Retain status from error notification
Kiselev, Oleg (1):
ext4: avoid resizing to a partial cluster size
Krzysztof Kozlowski (1):
dt-bindings: arm: qcom: fix MSM8916 MTP compatibles
Laurent Dufour (1):
watchdog: export lockup_detector_reconfigure
Liang He (5):
drm/meson: Fix refcount bugs in meson_vpu_has_available_connectors()
usb: host: ohci-ppc-of: Fix refcount leak bug
usb: renesas: Fix refcount leak bug
tty: serial: Fix refcount leak bug in ucc_uart.c
mips: cavium-octeon: Fix missing of_node_put() in
octeon2_usb_clocks_start
Liao Chang (1):
csky/kprobe: reclaim insn_slot on kprobe unregistration
Lin Ma (1):
igb: Add lock to avoid data race
Logan Gunthorpe (1):
md: Notify sysfs sync_completed in md_reap_sync_thread()
Luís Henriques (1):
ceph: use correct index when encoding client supported features
Marc Kleine-Budde (1):
can: ems_usb: fix clang's -Wunaligned-access warning
Martin Povišer (4):
ASoC: tas2770: Set correct FSYNC polarity
ASoC: tas2770: Allow mono streams
ASoC: tas2770: Drop conflicting set_bias_level power setting
ASoC: tas2770: Fix handling of mute/unmute
Masahiro Yamada (1):
kbuild: fix the modules order between drivers and libs
Matthew Wilcox (Oracle) (1):
qrtr: Convert qrtr_ports from IDR to XArray
Matthias May (3):
geneve: do not use RT_TOS for IPv6 flowlabel
ipv6: do not use RT_TOS for IPv6 flowlabel
geneve: fix TOS inheriting for ipv4
Miaoqian Lin (1):
pinctrl: nomadik: Fix refcount leak in nmk_pinctrl_dt_subnode_to_map
Michael Ellerman (1):
powerpc/pci: Fix get_phb_number() locking
Michael Grzeschik (1):
usb: gadget: uvc: call uvc uvcg_warn on completed status instead of
uvcg_info
Mikulas Patocka (1):
rds: add missing barrier to release_refill
Nathan Chancellor (1):
MIPS: tlbex: Explicitly compare _PAGE_NO_EXEC against 0
Neil Armstrong (1):
spi: meson-spicc: add local pow2 clock ops to preserve rate between
messages
Nikita Travkin (1):
pinctrl: qcom: msm8916: Allow CAMSS GP clocks to be muxed
Ondrej Mosnacek (1):
kbuild: dummy-tools: avoid tmpdir leak in dummy gcc
Pablo Neira Ayuso (5):
netfilter: nf_tables: really skip inactive sets when allocating name
netfilter: nf_tables: validate NFTA_SET_ELEM_OBJREF based on
NFT_SET_OBJECT flag
netfilter: nf_tables: check NFT_SET_CONCAT flag if field_count is
specified
netfilter: nftables: add helper function to set the base sequence
number
netfilter: add helper function to set up the nfnetlink header and use
it
Pascal Terjan (1):
vboxguest: Do not use devm for irq
Pavan Chebbi (1):
PCI: Add ACS quirk for Broadcom BCM5750x NICs
Peilin Ye (1):
vsock: Set socket state back to SS_UNCONNECTED in
vsock_connect_timeout()
Przemyslaw Patynowski (1):
iavf: Fix adminq error handling
Qifu Zhang (1):
Documentation: ACPI: EINJ: Fix obsolete example
Richard Guy Briggs (1):
audit: log nftables configuration change events once per table
Robert Marko (1):
clk: qcom: ipq8074: dont disable gcc_sleep_clk_src
Roberto Sassu (1):
tools build: Switch to new openssl API for test-libcrypto
Rustam Subkhankulov (1):
net: dsa: sja1105: fix buffer overflow in
sja1105_setup_devlink_regions()
Sagi Grimberg (1):
nvmet-tcp: fix lockdep complaint on nvmet_tcp_wq flush during queue
teardown
Sai Prakash Ranjan (2):
irqchip/tegra: Fix overflow implicit truncation warnings
drm/meson: Fix overflow implicit truncation warnings
Sakari Ailus (1):
ACPI: property: Return type of acpi_add_nondev_subnodes() should be
bool
Samuel Holland (2):
pinctrl: sunxi: Add I/O bias setting for H6 R-PIO
drm/sun4i: dsi: Prevent underflow when computing packet sizes
Sandor Bodo-Merle (1):
net: bgmac: Fix a BUG triggered by wrong bytes_compl
Schspa Shi (1):
vfio: Clear the caps->buf to NULL after free
Sebastian Würl (1):
can: mcp251x: Fix race condition on receive interrupt
Sergei Antonov (2):
net: dsa: mv88e6060: prevent crash on an unused port
net: moxa: pass pdev instead of ndev to DMA functions
Sergey Senozhatsky (1):
zram: do not lookup algorithm in backends table
Steve French (1):
smb3: check xattr value length earlier
Steven Rostedt (Google) (3):
tracing: Have filter accept "common_cpu" to be consistent
selftests/kprobe: Do not test for GRP/ without event failures
tracing/probes: Have kprobes and uprobes use $COMM too
Takashi Iwai (4):
ALSA: usb-audio: More comprehensive mixer map for ASUS ROG Zenith II
ALSA: core: Add async signal helpers
ALSA: timer: Use deferred fasync helper
ALSA: control: Use deferred fasync helper
Tom Rix (1):
apparmor: fix aa_label_asxprint return check
Tony Lindgren (1):
clk: ti: Stop using legacy clkctrl names for omap4 and 5
Trond Myklebust (5):
NFSv4.1: Don't decrease the value of seq_nr_highest_sent
NFSv4.1: Handle NFS4ERR_DELAY replies to OP_SEQUENCE correctly
NFSv4: Fix races in the legacy idmapper upcall
NFSv4/pnfs: Fix a use-after-free bug in open
SUNRPC: Reinitialise the backchannel request buffers before reuse
Tzung-Bi Shih (1):
platform/chrome: cros_ec_proto: don't show MKBP version if unsupported
Uwe Kleine-König (2):
i2c: imx: Make sure to unregister adapter on remove()
dmaengine: sprd: Cleanup in .remove() after pm_runtime_get_sync()
failed
Vladimir Oltean (1):
net: dsa: felix: fix ethtool 256-511 and 512-1023 TX packet counters
Vladimir Zapolskiy (1):
clk: qcom: clk-alpha-pll: fix clk_trion_pll_configure description
Wentao_Liang (1):
drivers:md:fix a potential use-after-free bug
Xianting Tian (1):
RISC-V: Add fast call path of crash_kexec()
Xin Xiong (1):
apparmor: fix reference count leak in aa_pivotroot()
Xiu Jianfeng (1):
apparmor: Fix memleak in aa_simple_write_to_buffer()
Xuan Zhuo (1):
virtio_net: fix memory leak inside XPD_TX with mergeable
Ye Bin (1):
ext4: avoid remove directory when directory is corrupted
Yu Xiao (1):
nfp: ethtool: fix the display error of `ethtool -m DEVNAME`
Yuanzheng Song (1):
tools/vm/slabinfo: use alphabetic order when two values are equal
Zhang Xianwei (1):
NFSv4.1: RECLAIM_COMPLETE must handle EACCES
Zheyu Ma (1):
video: fbdev: i740fb: Check the argument of i740_calc_vclk()
Zhouyi Zhou (1):
powerpc/64: Init jump labels before parse_early_param()
.../devicetree/bindings/arm/qcom.yaml | 2 +-
.../bindings/clock/qcom,gcc-msm8996.yaml | 16 +
.../regulator/nxp,pca9450-regulator.yaml | 11 -
.../firmware-guide/acpi/apei/einj.rst | 2 +-
Makefile | 6 +-
arch/csky/kernel/probes/kprobes.c | 4 +
arch/mips/cavium-octeon/octeon-platform.c | 3 +-
arch/mips/mm/tlbex.c | 4 +-
arch/nios2/include/asm/entry.h | 3 +-
arch/nios2/include/asm/ptrace.h | 2 +
arch/nios2/kernel/entry.S | 22 +-
arch/nios2/kernel/signal.c | 3 +-
arch/nios2/kernel/syscall_table.c | 1 +
arch/powerpc/Makefile | 26 +-
arch/powerpc/kernel/pci-common.c | 16 +-
arch/powerpc/kernel/prom.c | 7 +
arch/powerpc/platforms/Kconfig.cputype | 21 +-
arch/riscv/kernel/sys_riscv.c | 5 +-
arch/riscv/kernel/traps.c | 4 +
arch/um/os-Linux/skas/process.c | 17 +-
arch/x86/mm/init_64.c | 2 +-
drivers/acpi/pci_mcfg.c | 3 +
drivers/acpi/property.c | 8 +-
drivers/ata/libata-eh.c | 1 +
drivers/block/zram/zcomp.c | 11 +-
drivers/clk/qcom/clk-alpha-pll.c | 2 +-
drivers/clk/qcom/gcc-ipq8074.c | 1 +
drivers/clk/ti/clk-44xx.c | 210 +++++------
drivers/clk/ti/clk-54xx.c | 160 ++++-----
drivers/clk/ti/clkctrl.c | 4 -
drivers/dma/sprd-dma.c | 5 +-
drivers/gpu/drm/meson/meson_drv.c | 5 +-
drivers/gpu/drm/meson/meson_viu.c | 22 +-
drivers/gpu/drm/sun4i/sun6i_mipi_dsi.c | 10 +-
drivers/i2c/busses/i2c-imx.c | 20 +-
drivers/infiniband/sw/rxe/rxe_param.h | 6 +
drivers/infiniband/sw/rxe/rxe_task.c | 16 +-
drivers/irqchip/irq-tegra.c | 10 +-
drivers/md/md.c | 1 +
drivers/md/raid5.c | 2 +-
drivers/misc/cxl/irq.c | 1 +
drivers/misc/uacce/uacce.c | 133 ++++---
drivers/mmc/host/meson-gx-mmc.c | 6 +-
drivers/mmc/host/pxamci.c | 4 +-
drivers/net/can/spi/mcp251x.c | 18 +-
drivers/net/can/usb/ems_usb.c | 2 +-
drivers/net/dsa/microchip/ksz9477.c | 3 +
drivers/net/dsa/mv88e6060.c | 3 +
drivers/net/dsa/ocelot/felix_vsc9959.c | 3 +-
drivers/net/dsa/sja1105/sja1105_devlink.c | 2 +-
.../net/ethernet/aquantia/atlantic/aq_nic.c | 21 +-
drivers/net/ethernet/broadcom/bgmac.c | 2 +-
.../net/ethernet/freescale/dpaa2/dpaa2-eth.c | 4 +-
drivers/net/ethernet/freescale/fec_ptp.c | 6 +-
drivers/net/ethernet/intel/i40e/i40e_main.c | 4 +-
drivers/net/ethernet/intel/iavf/iavf_adminq.c | 15 +-
drivers/net/ethernet/intel/ice/ice_switch.c | 2 +-
drivers/net/ethernet/intel/igb/igb.h | 2 +
drivers/net/ethernet/intel/igb/igb_main.c | 12 +-
drivers/net/ethernet/moxa/moxart_ether.c | 20 +-
.../ethernet/netronome/nfp/nfp_net_ethtool.c | 2 +
.../net/ethernet/stmicro/stmmac/dwmac-intel.c | 1 +
drivers/net/geneve.c | 15 +-
drivers/net/plip/plip.c | 2 +-
drivers/net/virtio_net.c | 5 +-
drivers/ntb/test/ntb_tool.c | 8 +-
drivers/nvme/target/tcp.c | 3 +-
drivers/pci/pcie/err.c | 3 +-
drivers/pci/quirks.c | 3 +
drivers/pinctrl/intel/pinctrl-intel.c | 14 +-
drivers/pinctrl/nomadik/pinctrl-nomadik.c | 4 +-
drivers/pinctrl/qcom/pinctrl-msm8916.c | 4 +-
drivers/pinctrl/qcom/pinctrl-sm8250.c | 2 +-
drivers/pinctrl/sunxi/pinctrl-sun50i-h6-r.c | 1 +
drivers/pinctrl/sunxi/pinctrl-sunxi.c | 7 +-
drivers/platform/chrome/cros_ec_proto.c | 8 +-
drivers/scsi/lpfc/lpfc_debugfs.c | 20 +-
drivers/spi/spi-meson-spicc.c | 129 +++++--
drivers/tee/tee_core.c | 3 +
drivers/tee/tee_shm.c | 3 -
drivers/tty/serial/ucc_uart.c | 2 +
drivers/usb/cdns3/gadget.c | 2 +-
drivers/usb/dwc2/gadget.c | 3 +-
drivers/usb/gadget/function/uvc_video.c | 2 +-
drivers/usb/gadget/legacy/inode.c | 1 +
drivers/usb/host/ohci-ppc-of.c | 1 +
drivers/usb/renesas_usbhs/rza.c | 4 +
drivers/vfio/vfio.c | 1 +
drivers/video/fbdev/i740fb.c | 9 +-
drivers/virt/vboxguest/vboxguest_linux.c | 9 +-
drivers/xen/xenbus/xenbus_dev_frontend.c | 4 +-
fs/btrfs/tree-log.c | 4 +-
fs/ceph/caps.c | 27 +-
fs/ceph/mds_client.c | 7 +-
fs/ceph/mds_client.h | 6 -
fs/cifs/smb2ops.c | 5 +-
fs/ext4/namei.c | 7 +-
fs/ext4/resize.c | 10 +
fs/f2fs/node.c | 6 +-
fs/f2fs/segment.c | 13 +
fs/nfs/nfs4idmap.c | 46 +--
fs/nfs/nfs4proc.c | 20 +-
include/linux/netfilter/nfnetlink.h | 27 ++
include/linux/nmi.h | 2 +
include/linux/uacce.h | 6 +-
include/sound/control.h | 2 +-
include/sound/core.h | 8 +
kernel/bpf/arraymap.c | 6 +
kernel/bpf/hashtab.c | 2 +
kernel/trace/trace_events.c | 1 +
kernel/trace/trace_probe.c | 5 +-
kernel/watchdog.c | 21 +-
lib/list_debug.c | 12 +-
net/can/j1939/socket.c | 5 +-
net/core/bpf_sk_storage.c | 12 +-
net/core/sock_map.c | 20 +-
net/ipv6/ip6_output.c | 3 +-
net/netfilter/ipset/ip_set_core.c | 17 +-
net/netfilter/nf_conntrack_netlink.c | 77 ++---
net/netfilter/nf_tables_api.c | 325 +++++++++---------
net/netfilter/nf_tables_trace.c | 9 +-
net/netfilter/nfnetlink_acct.c | 11 +-
net/netfilter/nfnetlink_cthelper.c | 11 +-
net/netfilter/nfnetlink_cttimeout.c | 22 +-
net/netfilter/nfnetlink_log.c | 11 +-
net/netfilter/nfnetlink_queue.c | 12 +-
net/netfilter/nft_compat.c | 11 +-
net/netlink/genetlink.c | 6 +-
net/netlink/policy.c | 14 +-
net/qrtr/qrtr.c | 42 +--
net/rds/ib_recv.c | 1 +
net/sunrpc/auth.c | 2 +-
net/sunrpc/backchannel_rqst.c | 14 +
net/vmw_vsock/af_vsock.c | 1 +
scripts/Makefile.gcc-plugins | 2 +-
scripts/dummy-tools/gcc | 8 +-
scripts/module.lds.S | 2 +
security/apparmor/apparmorfs.c | 2 +-
security/apparmor/audit.c | 2 +-
security/apparmor/domain.c | 2 +-
security/apparmor/include/lib.h | 5 +
security/apparmor/include/policy.h | 2 +-
security/apparmor/label.c | 13 +-
security/apparmor/mount.c | 8 +-
security/apparmor/policy_unpack.c | 12 +-
sound/core/control.c | 7 +-
sound/core/info.c | 6 +-
sound/core/misc.c | 94 +++++
sound/core/timer.c | 11 +-
sound/pci/hda/patch_realtek.c | 1 +
sound/soc/codecs/tas2770.c | 98 +++---
sound/soc/codecs/tas2770.h | 5 +
sound/soc/sof/intel/hda.c | 22 +-
sound/usb/card.c | 8 +
sound/usb/mixer_maps.c | 34 +-
tools/build/feature/test-libcrypto.c | 15 +-
tools/perf/util/probe-event.c | 6 +-
.../test.d/kprobe/kprobe_syntax_errors.tc | 1 -
tools/vm/slabinfo.c | 32 +-
159 files changed, 1459 insertions(+), 1020 deletions(-)
--
2.20.1

[PATCH openEuler-1.0-LTS 1/2] ext4: fix bug in extents parsing when eh_entries == 0 and eh_depth > 0
by Yongqiang Liu 26 Nov '22
From: Luís Henriques <lhenriques(a)suse.de>
mainline inclusion
from mainline-v6.0-rc7
commit 29a5b8a137ac8eb410cc823653a29ac0e7b7e1b0
category: bugfix
bugzilla: 187444, https://gitee.com/openeuler/kernel/issues/I6261Z
CVE: NA
--------------------------------
When walking through an inode extents, the ext4_ext_binsearch_idx() function
assumes that the extent header has been previously validated. However, there
are no checks that verify that the number of entries (eh->eh_entries) is
non-zero when depth is > 0. And this will lead to problems because the
EXT_FIRST_INDEX() and EXT_LAST_INDEX() will return garbage and result in this:
[ 135.245946] ------------[ cut here ]------------
[ 135.247579] kernel BUG at fs/ext4/extents.c:2258!
[ 135.249045] invalid opcode: 0000 [#1] PREEMPT SMP
[ 135.250320] CPU: 2 PID: 238 Comm: tmp118 Not tainted 5.19.0-rc8+ #4
[ 135.252067] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.15.0-0-g2dd4b9b-rebuilt.opensuse.org 04/01/2014
[ 135.255065] RIP: 0010:ext4_ext_map_blocks+0xc20/0xcb0
[ 135.256475] Code:
[ 135.261433] RSP: 0018:ffffc900005939f8 EFLAGS: 00010246
[ 135.262847] RAX: 0000000000000024 RBX: ffffc90000593b70 RCX: 0000000000000023
[ 135.264765] RDX: ffff8880038e5f10 RSI: 0000000000000003 RDI: ffff8880046e922c
[ 135.266670] RBP: ffff8880046e9348 R08: 0000000000000001 R09: ffff888002ca580c
[ 135.268576] R10: 0000000000002602 R11: 0000000000000000 R12: 0000000000000024
[ 135.270477] R13: 0000000000000000 R14: 0000000000000024 R15: 0000000000000000
[ 135.272394] FS: 00007fdabdc56740(0000) GS:ffff88807dd00000(0000) knlGS:0000000000000000
[ 135.274510] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 135.276075] CR2: 00007ffc26bd4f00 CR3: 0000000006261004 CR4: 0000000000170ea0
[ 135.277952] Call Trace:
[ 135.278635] <TASK>
[ 135.279247] ? preempt_count_add+0x6d/0xa0
[ 135.280358] ? percpu_counter_add_batch+0x55/0xb0
[ 135.281612] ? _raw_read_unlock+0x18/0x30
[ 135.282704] ext4_map_blocks+0x294/0x5a0
[ 135.283745] ? xa_load+0x6f/0xa0
[ 135.284562] ext4_mpage_readpages+0x3d6/0x770
[ 135.285646] read_pages+0x67/0x1d0
[ 135.286492] ? folio_add_lru+0x51/0x80
[ 135.287441] page_cache_ra_unbounded+0x124/0x170
[ 135.288510] filemap_get_pages+0x23d/0x5a0
[ 135.289457] ? path_openat+0xa72/0xdd0
[ 135.290332] filemap_read+0xbf/0x300
[ 135.291158] ? _raw_spin_lock_irqsave+0x17/0x40
[ 135.292192] new_sync_read+0x103/0x170
[ 135.293014] vfs_read+0x15d/0x180
[ 135.293745] ksys_read+0xa1/0xe0
[ 135.294461] do_syscall_64+0x3c/0x80
[ 135.295284] entry_SYSCALL_64_after_hwframe+0x46/0xb0
This patch simply adds an extra check in __ext4_ext_check(), verifying that
eh_entries is not 0 when eh_depth is > 0.
Link: https://bugzilla.kernel.org/show_bug.cgi?id=215941
Link: https://bugzilla.kernel.org/show_bug.cgi?id=216283
Cc: Baokun Li <libaokun1(a)huawei.com>
Cc: stable(a)kernel.org
Signed-off-by: Luís Henriques <lhenriques(a)suse.de>
Reviewed-by: Jan Kara <jack(a)suse.cz>
Reviewed-by: Baokun Li <libaokun1(a)huawei.com>
Link: https://lore.kernel.org/r/20220822094235.2690-1-lhenriques@suse.de
Signed-off-by: Theodore Ts'o <tytso(a)mit.edu>
Signed-off-by: Baokun Li <libaokun1(a)huawei.com>
Reviewed-by: Zhang Yi <yi.zhang(a)huawei.com>
Signed-off-by: Yongqiang Liu <liuyongqiang13(a)huawei.com>
---
fs/ext4/extents.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/fs/ext4/extents.c b/fs/ext4/extents.c
index 578769f10906..6edab0ef28fd 100644
--- a/fs/ext4/extents.c
+++ b/fs/ext4/extents.c
@@ -508,6 +508,10 @@ static int __ext4_ext_check(const char *function, unsigned int line,
error_msg = "invalid eh_entries";
goto corrupted;
}
+ if (unlikely((eh->eh_entries == 0) && (depth > 0))) {
+ error_msg = "eh_entries is 0 but eh_depth is > 0";
+ goto corrupted;
+ }
if (!ext4_valid_extent_entries(inode, eh, lblk, &pblk, depth)) {
error_msg = "invalid extent entries";
goto corrupted;
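Review bot: The new condition tests the local `depth` while the error string names `eh_depth`, so the message is accurate only if `depth` is already known to equal the header's own depth when this line runs; a one-line comment stating that dependency would make it explicit. The raw comparison `eh->eh_entries == 0` on the on-disk little-endian field is safe only because zero is byte-order independent, and `le16_to_cpu(eh->eh_entries) == 0` would spare the reader that reasoning. Placing the check ahead of the `ext4_valid_extent_entries()` call looks right, since it rejects the empty index node before the entries are inspected.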
--
2.25.1

[PATCH openEuler-5.10-LTS 1/2] Bluetooth: L2CAP: Fix attempting to access uninitialized memory
by Zheng Zengkai 23 Nov '22
From: Luiz Augusto von Dentz <luiz.von.dentz(a)intel.com>
stable inclusion
from stable-v5.10.154
commit 26ca2ac091b49281d73df86111d16e5a76e43bd7
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/I5ZNRS
CVE: CVE-2022-42895
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id…
--------------------------------
commit b1a2cd50c0357f243b7435a732b4e62ba3157a2e upstream.
On l2cap_parse_conf_req the variable efs is only initialized if
remote_efs has been set.
CVE: CVE-2022-42895
CC: stable(a)vger.kernel.org
Reported-by: Tamás Koczka <poprdi(a)google.com>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz(a)intel.com>
Reviewed-by: Tedd Ho-Jeong An <tedd.an(a)intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org>
Signed-off-by: Baisong Zhong <zhongbaisong(a)huawei.com>
Reviewed-by: Yue Haibing <yuehaibing(a)huawei.com>
Reviewed-by: Wang Weiyang <wangweiyang2(a)huawei.com>
---
net/bluetooth/l2cap_core.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
index 584a9deb8c80..d35b168e7793 100644
--- a/net/bluetooth/l2cap_core.c
+++ b/net/bluetooth/l2cap_core.c
@@ -3758,7 +3758,8 @@ static int l2cap_parse_conf_req(struct l2cap_chan *chan, void *data, size_t data
l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
sizeof(rfc), (unsigned long) &rfc, endptr - ptr);
- if (test_bit(FLAG_EFS_ENABLE, &chan->flags)) {
+ if (remote_efs &&
+ test_bit(FLAG_EFS_ENABLE, &chan->flags)) {
chan->remote_id = efs.id;
chan->remote_stype = efs.stype;
chan->remote_msdu = le16_to_cpu(efs.msdu);
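Review bot: Guarding this block with `remote_efs` fixes the read described in the commit message, but `efs` itself is still left uninitialized when no EFS option was received, so any later use added outside this guard would reintroduce the same exposure of stale stack data. Consider also zero-initializing `efs` at its declaration so the copies into `chan->remote_id`, `chan->remote_stype` and `chan->remote_msdu` can never carry leftover stack contents, and keep the `remote_efs` test as the logic check.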
--
2.20.1

[PATCH OLK-5.10 v4] mm: Fix kabi change caused by saved_auxv[] in mm_struct for x86_64
by Zheng Zengkai 23 Nov '22
openeuler inclusion
category: bugfix
bugzilla: https://gitee.com/openeuler/intel-kernel/issues/I5RQLJ
CVE: NA
Intel-SIG: mm: Fix kabi change caused by saved_auxv[] in mm_struct for x86_64.
--------------------------------
Use the KABI_DEPRECATE and KABI_USE macro to fix kabi change caused
by commit 1c33bb050750 ("x86/elf: Support a new ELF aux vector AT_MINSIGSTKSZ").
The extended saved_auxv[] causes the kabi breakage, so move the saved_auxv[]
to the end of struct mm_struct.
To avoid increasing the size of mm_struct too much, use a pointer
to indirectly reference the relocated saved_auxv[], then adapt the code
where mm->saved_auxv is used.
Signed-off-by: Zheng Zengkai <zhengzengkai(a)huawei.com>
Signed-off-by: Lin Wang <lin.x.wang(a)intel.com>
Signed-off-by: Aichun Shi <aichun.shi(a)intel.com>
---
arch/x86/include/uapi/asm/auxvec.h | 2 ++
fs/binfmt_elf.c | 12 ++++----
fs/binfmt_elf_fdpic.c | 2 +-
fs/proc/base.c | 6 ++--
include/linux/mm_types.h | 30 ++++++++++++++++++++
kernel/fork.c | 44 ++++++++++++++++++++++++++----
kernel/sys.c | 10 +++----
7 files changed, 86 insertions(+), 20 deletions(-)
diff --git a/arch/x86/include/uapi/asm/auxvec.h b/arch/x86/include/uapi/asm/auxvec.h
index 6beb55bbefa4..6be5f6584119 100644
--- a/arch/x86/include/uapi/asm/auxvec.h
+++ b/arch/x86/include/uapi/asm/auxvec.h
@@ -13,8 +13,10 @@
/* entries in ARCH_DLINFO: */
#if defined(CONFIG_IA32_EMULATION) || !defined(CONFIG_X86_64)
# define AT_VECTOR_SIZE_ARCH 3
+# define ORIG_AT_VECTOR_SIZE_ARCH 2
#else /* else it's non-compat x86-64 */
# define AT_VECTOR_SIZE_ARCH 2
+# define ORIG_AT_VECTOR_SIZE_ARCH 1
#endif
#endif /* _ASM_X86_AUXVEC_H */
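Review bot: `ORIG_AT_VECTOR_SIZE_ARCH` is added in both branches without a comment, and its values (2 and 1) only make sense as the sizes from before commit 1c33bb050750 named in the commit message. A short comment saying these are frozen for kABI and must not follow future changes to `AT_VECTOR_SIZE_ARCH` would stop someone from adjusting them later. Since this file lives under include/uapi, also consider whether a kernel-internal kABI constant belongs here rather than next to its only user in include/linux/mm_types.h.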
diff --git a/fs/binfmt_elf.c b/fs/binfmt_elf.c
index ed507d27034b..8e56bb649f0e 100644
--- a/fs/binfmt_elf.c
+++ b/fs/binfmt_elf.c
@@ -236,7 +236,7 @@ create_elf_tables(struct linux_binprm *bprm, const struct elfhdr *exec,
return -EFAULT;
/* Create the ELF interpreter info */
- elf_info = (elf_addr_t *)mm->saved_auxv;
+ elf_info = (elf_addr_t *)MM_SAVED_AUXV(mm);
/* update AT_VECTOR_SIZE_BASE if the number of NEW_AUX_ENT() changes */
#define NEW_AUX_ENT(id, val) \
do { \
@@ -285,13 +285,13 @@ create_elf_tables(struct linux_binprm *bprm, const struct elfhdr *exec,
}
#undef NEW_AUX_ENT
/* AT_NULL is zero; clear the rest too */
- memset(elf_info, 0, (char *)mm->saved_auxv +
- sizeof(mm->saved_auxv) - (char *)elf_info);
+ memset(elf_info, 0, (char *)MM_SAVED_AUXV(mm) +
+ sizeof(MM_SAVED_AUXV(mm)) - (char *)elf_info);
/* And advance past the AT_NULL entry. */
elf_info += 2;
- ei_index = elf_info - (elf_addr_t *)mm->saved_auxv;
+ ei_index = elf_info - (elf_addr_t *)MM_SAVED_AUXV(mm);
sp = STACK_ADD(p, ei_index);
items = (argc + 1) + (envc + 1) + 1;
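Review bot: In the `memset()` the length is computed with `sizeof(MM_SAVED_AUXV(mm))`, which is correct only while the macro expands to an array member; if `saved_auxv` behind `mm_extend` ever becomes a pointer, this silently turns into the size of a pointer and the tail of the vector is no longer cleared. The patch already defines `SIZE_OF_MM_SAVED_AUXV` in mm_types.h, so using it here, and in the matching size checks in kernel/sys.c, would make the bound independent of how the macro is spelled.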
@@ -352,7 +352,7 @@ create_elf_tables(struct linux_binprm *bprm, const struct elfhdr *exec,
mm->env_end = p;
/* Put the elf_info on the stack in the right place. */
- if (copy_to_user(sp, mm->saved_auxv, ei_index * sizeof(elf_addr_t)))
+ if (copy_to_user(sp, MM_SAVED_AUXV(mm), ei_index * sizeof(elf_addr_t)))
return -EFAULT;
return 0;
}
@@ -1586,7 +1586,7 @@ static int fill_psinfo(struct elf_prpsinfo *psinfo, struct task_struct *p,
static void fill_auxv_note(struct memelfnote *note, struct mm_struct *mm)
{
- elf_addr_t *auxv = (elf_addr_t *) mm->saved_auxv;
+ elf_addr_t *auxv = (elf_addr_t *) MM_SAVED_AUXV(mm);
int i = 0;
do
i += 2;
diff --git a/fs/binfmt_elf_fdpic.c b/fs/binfmt_elf_fdpic.c
index be4062b8ba75..06d45339676f 100644
--- a/fs/binfmt_elf_fdpic.c
+++ b/fs/binfmt_elf_fdpic.c
@@ -1550,7 +1550,7 @@ static int elf_fdpic_core_dump(struct coredump_params *cprm)
fill_note(&psinfo_note, "CORE", NT_PRPSINFO, sizeof(*psinfo), psinfo);
thread_status_size += notesize(&psinfo_note);
- auxv = (elf_addr_t *) current->mm->saved_auxv;
+ auxv = (elf_addr_t *) current->MM_SAVED_AUXV(mm);
i = 0;
do
i += 2;
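Review bot: `current->MM_SAVED_AUXV(mm)` compiles only because the macro pastes its argument textually, giving `current->mm->mm_extend->saved_auxv` or `current->mm->saved_auxv`; the argument `mm` here is a member name, not an expression. Write it as `MM_SAVED_AUXV(current->mm)`, which matches the other call sites in this patch and keeps working once the macro argument is parenthesized.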
diff --git a/fs/proc/base.c b/fs/proc/base.c
index cc1fdff2e136..fe2633176ed5 100644
--- a/fs/proc/base.c
+++ b/fs/proc/base.c
@@ -1038,9 +1038,9 @@ static ssize_t auxv_read(struct file *file, char __user *buf,
return 0;
do {
nwords += 2;
- } while (mm->saved_auxv[nwords - 2] != 0); /* AT_NULL */
- return simple_read_from_buffer(buf, count, ppos, mm->saved_auxv,
- nwords * sizeof(mm->saved_auxv[0]));
+ } while (MM_SAVED_AUXV(mm)[nwords - 2] != 0); /* AT_NULL */
+ return simple_read_from_buffer(buf, count, ppos, MM_SAVED_AUXV(mm),
+ nwords * sizeof(MM_SAVED_AUXV(mm)[0]));
}
static const struct file_operations proc_auxv_operations = {
diff --git a/include/linux/mm_types.h b/include/linux/mm_types.h
index 15ff1e20f5ca..ba69c5ecd4ce 100644
--- a/include/linux/mm_types.h
+++ b/include/linux/mm_types.h
@@ -24,6 +24,21 @@
#endif
#define AT_VECTOR_SIZE (2*(AT_VECTOR_SIZE_ARCH + AT_VECTOR_SIZE_BASE + 1))
+#define _MM_STRUCT_SIZE (sizeof(struct mm_struct) + cpumask_size())
+
+#if defined(CONFIG_X86_64)
+ #define ORIG_AT_VECTOR_SIZE (2*(ORIG_AT_VECTOR_SIZE_ARCH + AT_VECTOR_SIZE_BASE + 1))
+ #define MM_SAVED_AUXV(mm) mm->mm_extend->saved_auxv
+ #define MM_STRUCT_SIZE (_MM_STRUCT_SIZE + sizeof(struct mm_struct_extend))
+ #define OFFSET_OF_MM_SAVED_AUXV (_MM_STRUCT_SIZE + offsetof(struct mm_struct_extend, saved_auxv))
+ #define SIZE_OF_MM_SAVED_AUXV sizeof_field(struct mm_struct_extend, saved_auxv)
+#else
+ #define MM_SAVED_AUXV(mm) mm->saved_auxv
+ #define MM_STRUCT_SIZE _MM_STRUCT_SIZE
+ #define OFFSET_OF_MM_SAVED_AUXV offsetof(struct mm_struct, saved_auxv)
+ #define SIZE_OF_MM_SAVED_AUXV sizeof_field(struct mm_struct, saved_auxv)
+#endif
+
#define INIT_PASID 0
struct address_space;
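Review bot: Both definitions of `MM_SAVED_AUXV(mm)` use the argument unparenthesized (`mm->mm_extend->saved_auxv` and `mm->saved_auxv`), so any argument that is not a plain identifier or member chain expands with the wrong precedence, and the odd `current->MM_SAVED_AUXV(mm)` spelling in fs/binfmt_elf_fdpic.c is accepted by accident. Define them as `((mm)->mm_extend->saved_auxv)` and `((mm)->saved_auxv)`. The block would also benefit from a comment explaining that `_MM_STRUCT_SIZE` is the offset at which the extension area is placed, since kernel/fork.c relies on that layout.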
@@ -394,6 +409,13 @@ struct core_state {
};
struct kioctx_table;
+
+#if defined(CONFIG_X86_64)
+struct mm_struct_extend {
+ unsigned long saved_auxv[AT_VECTOR_SIZE]; /* for /proc/PID/auxv */
+};
+#endif
+
struct mm_struct {
struct {
struct vm_area_struct *mmap; /* list of VMAs */
@@ -508,7 +530,11 @@ struct mm_struct {
unsigned long start_brk, brk, start_stack;
unsigned long arg_start, arg_end, env_start, env_end;
+#if defined(CONFIG_X86_64)
+ KABI_DEPRECATE(unsigned long, saved_auxv[ORIG_AT_VECTOR_SIZE])
+#else
unsigned long saved_auxv[AT_VECTOR_SIZE]; /* for /proc/PID/auxv */
+#endif
/*
* Special counters, in some configurations protected by the
@@ -592,7 +618,11 @@ struct mm_struct {
#endif
} __randomize_layout;
+#if defined(CONFIG_X86_64)
+ KABI_USE(1, struct mm_struct_extend *mm_extend)
+#else
KABI_RESERVE(1)
+#endif
KABI_RESERVE(2)
KABI_RESERVE(3)
KABI_RESERVE(4)
diff --git a/kernel/fork.c b/kernel/fork.c
index 8a40bfda35e1..c2f13f635135 100644
--- a/kernel/fork.c
+++ b/kernel/fork.c
@@ -1088,6 +1088,21 @@ static struct mm_struct *mm_init(struct mm_struct *mm, struct task_struct *p,
return NULL;
}
+static inline void mm_struct_clear(struct mm_struct *mm)
+{
+ memset(mm, 0, sizeof(*mm));
+
+#if (defined(CONFIG_X86_64))
+ /*
+ * init the mm_struct_extend extra area at the bottom of
+ * the allocated mm struct and reset mm->mm_extend accordingly.
+ */
+ memset((void *)((unsigned long) mm + _MM_STRUCT_SIZE),
+ 0, sizeof(struct mm_struct_extend));
+ mm->mm_extend = (struct mm_struct_extend *)((unsigned long) mm + _MM_STRUCT_SIZE);
+#endif
+}
+
/*
* Allocate and initialize an mm_struct.
*/
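Review bot: `mm->mm_extend` is assigned only in `mm_struct_clear()` and in `mm_struct_copy()`, so an `mm_struct` that does not come from `mm_alloc()` or `dup_mm()`, for example a statically defined one, keeps a NULL `mm_extend`, and any `MM_SAVED_AUXV()` use on it dereferences NULL on x86_64. Please confirm no such path exists, or document the invariant next to the `KABI_USE(1, struct mm_struct_extend *mm_extend)` field. The helper also assumes the object was allocated with `MM_STRUCT_SIZE` bytes; a comment tying it to the cache size set in `proc_caches_init()` would make that assumption visible.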
@@ -1099,7 +1114,8 @@ struct mm_struct *mm_alloc(void)
if (!mm)
return NULL;
- memset(mm, 0, sizeof(*mm));
+ mm_struct_clear(mm);
+
return mm_init(mm, current, current_user_ns());
}
@@ -1382,6 +1398,24 @@ void exec_mm_release(struct task_struct *tsk, struct mm_struct *mm)
mm_release(tsk, mm);
}
+static inline void mm_struct_copy(struct mm_struct *mm, struct mm_struct *oldmm)
+{
+ memcpy(mm, oldmm, sizeof(*mm));
+
+#if defined(CONFIG_X86_64)
+ /*
+ * copy the mm_struct_extend extra area at the bottom of
+ * the oldmm slab object over to the newly allocated mm struct,
+ * and reset mm->mm_extend accordingly.
+ */
+ memcpy((void *)((unsigned long) mm + _MM_STRUCT_SIZE),
+ (void *)((unsigned long) oldmm + _MM_STRUCT_SIZE),
+ sizeof(struct mm_struct_extend));
+
+ mm->mm_extend = (struct mm_struct_extend *)((unsigned long) mm + _MM_STRUCT_SIZE);
+#endif
+}
+
/**
* dup_mm() - duplicates an existing mm structure
* @tsk: the task_struct with which the new mm will be associated.
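Review bot: The `memcpy(mm, oldmm, sizeof(*mm))` leaves `mm->mm_extend` pointing into the old object until the assignment at the end of `mm_struct_copy()`, and the expression `(unsigned long) mm + _MM_STRUCT_SIZE` is open-coded in every statement of both this helper and `mm_struct_clear()`. A single inline helper returning the extension address for a given `mm` would keep the offset in one place and make it harder for the copies to drift apart.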
@@ -1402,7 +1436,7 @@ static struct mm_struct *dup_mm(struct task_struct *tsk,
if (!mm)
goto fail_nomem;
- memcpy(mm, oldmm, sizeof(*mm));
+ mm_struct_copy(mm, oldmm);
if (!mm_init(mm, tsk, mm->user_ns))
goto fail_nomem;
@@ -2872,13 +2906,13 @@ void __init proc_caches_init(void)
* dynamically sized based on the maximum CPU number this system
* can have, taking hotplug into account (nr_cpu_ids).
*/
- mm_size = sizeof(struct mm_struct) + cpumask_size();
+ mm_size = MM_STRUCT_SIZE;
mm_cachep = kmem_cache_create_usercopy("mm_struct",
mm_size, ARCH_MIN_MMSTRUCT_ALIGN,
SLAB_HWCACHE_ALIGN|SLAB_PANIC|SLAB_ACCOUNT,
- offsetof(struct mm_struct, saved_auxv),
- sizeof_field(struct mm_struct, saved_auxv),
+ OFFSET_OF_MM_SAVED_AUXV,
+ SIZE_OF_MM_SAVED_AUXV,
NULL);
vm_area_cachep = KMEM_CACHE(vm_area_struct, SLAB_PANIC|SLAB_ACCOUNT);
mmap_init();
diff --git a/kernel/sys.c b/kernel/sys.c
index c8a31e1037be..10c5a6d2acdc 100644
--- a/kernel/sys.c
+++ b/kernel/sys.c
@@ -1962,7 +1962,7 @@ static int prctl_set_mm_map(int opt, const void __user *addr, unsigned long data
struct mm_struct *mm = current->mm;
int error;
- BUILD_BUG_ON(sizeof(user_auxv) != sizeof(mm->saved_auxv));
+ BUILD_BUG_ON(sizeof(user_auxv) != sizeof(MM_SAVED_AUXV(mm)));
BUILD_BUG_ON(sizeof(struct prctl_mm_map) > 256);
if (opt == PR_SET_MM_MAP_SIZE)
@@ -1984,7 +1984,7 @@ static int prctl_set_mm_map(int opt, const void __user *addr, unsigned long data
* Someone is trying to cheat the auxv vector.
*/
if (!prctl_map.auxv ||
- prctl_map.auxv_size > sizeof(mm->saved_auxv))
+ prctl_map.auxv_size > sizeof(MM_SAVED_AUXV(mm)))
return -EINVAL;
memset(user_auxv, 0, sizeof(user_auxv));
@@ -2056,7 +2056,7 @@ static int prctl_set_mm_map(int opt, const void __user *addr, unsigned long data
* more complex.
*/
if (prctl_map.auxv_size)
- memcpy(mm->saved_auxv, user_auxv, sizeof(user_auxv));
+ memcpy(MM_SAVED_AUXV(mm), user_auxv, sizeof(user_auxv));
mmap_read_unlock(mm);
return 0;
@@ -2084,10 +2084,10 @@ static int prctl_set_auxv(struct mm_struct *mm, unsigned long addr,
user_auxv[AT_VECTOR_SIZE - 2] = 0;
user_auxv[AT_VECTOR_SIZE - 1] = 0;
- BUILD_BUG_ON(sizeof(user_auxv) != sizeof(mm->saved_auxv));
+ BUILD_BUG_ON(sizeof(user_auxv) != sizeof(MM_SAVED_AUXV(mm)));
task_lock(current);
- memcpy(mm->saved_auxv, user_auxv, len);
+ memcpy(MM_SAVED_AUXV(mm), user_auxv, len);
task_unlock(current);
return 0;
--
2.20.1

[PATCH openEuler-5.10 01/81] Revert "block/wbt: fix negative inflight counter when remove scsi device"
by Zheng Zengkai 21 Nov '22
From: Li Nan <linan122(a)huawei.com>
hulk inclusion
category: bugfix
bugzilla: 187584, https://gitee.com/openeuler/kernel/issues/I5QW2R
CVE: NA
--------------------------------
This reverts commit 37838982c0e97898780682980aaf10755625630e.
There are two wbt_enable_default() in bfq_exit_queue(). Although it will
not lead to no fault, revert one.
Signed-off-by: Li Nan <linan122(a)huawei.com>
Reviewed-by: Jason Yan <yanaijie(a)huawei.com>
Signed-off-by: Zheng Zengkai <zhengzengkai(a)huawei.com>
---
block/bfq-iosched.c | 2 --
1 file changed, 2 deletions(-)
diff --git a/block/bfq-iosched.c b/block/bfq-iosched.c
index 4bfea5e5354e..1aec01c0a707 100644
--- a/block/bfq-iosched.c
+++ b/block/bfq-iosched.c
@@ -6418,8 +6418,6 @@ static void bfq_exit_queue(struct elevator_queue *e)
spin_unlock_irq(&bfqd->lock);
#endif
- wbt_enable_default(bfqd->queue);
-
kfree(bfqd);
/* Re-enable throttling in case elevator disabled it */
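Review bot: The removed call ran before `kfree(bfqd)`, and the context line that follows (`/* Re-enable throttling in case elevator disabled it */`) indicates that the call being kept sits after the free. If that remaining call still takes `bfqd->queue` as its argument it reads freed memory, so please confirm it uses a queue pointer saved before `kfree(bfqd)`, or keep this call and drop the later one instead. The commit message should also say which of the two calls is kept and why.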
--
2.20.1
Backport 5.10.138 LTS patches from upstream.
git cherry-pick v5.10.137..v5.10.138~1 -s
Already merged(-6):
0e28678a770d devlink: Fix use-after-free after a failed reload
38ddccbda5e8 vsock: Fix memory leak in vsock_connect()
a0ae122e9aec atm: idt77252: fix use-after-free bugs caused by tst_timer
a220ff343396 can: j1939: j1939_session_destroy(): fix memory leak of skbs
3527e3cbb84d bpf: Fix KASAN use-after-free Read in compute_effective_progs
1daa7629d2a2 PCI/ERR: Retain status from error notification
Context conflict:
63671b2bdf5f watchdog: export lockup_detector_reconfigure
Deferred for performance degradation(-1):
823280a8fba3 locking/atomic: Make test_and_*_bit() ordered on failure
Total patches: 157 - 6 - 1 = 150
Aaron Lu (1):
x86/mm: Use proper mask when setting PUD mapping
Al Viro (6):
nios2: page fault et.al. are *not* restartable syscalls...
nios2: don't leave NULLs in sys_call_table[]
nios2: traced syscall does need to check the syscall number
nios2: fix syscall restart checks
nios2: restarts apply only to the first sigframe we build...
nios2: add force_successful_syscall_return()
Alan Brady (1):
i40e: Fix to stop tx_timeout recovery if GLOBR fails
Amadeusz Sławiński (1):
ALSA: info: Fix llseek return value when using callback
Amelie Delaunay (1):
usb: dwc2: gadget: remove D+ pull-up while no vbus with
usb-role-switch
Andrew Donnellan (1):
gcc-plugins: Undefine LATENT_ENTROPY_PLUGIN when plugin disabled for a
file
Andy Shevchenko (1):
pinctrl: intel: Check against matching data instead of ACPI companion
Arun Ramadoss (1):
net: dsa: microchip: ksz9477: fix fdb_dump last invalid entry
Bard Liao (1):
ASoC: SOF: intel: move sof_intel_dsp_desc() forward
Bob Pearson (1):
RDMA/rxe: Limit the number of calls to each tasklet
Celeste Liu (1):
riscv: mmap with PROT_WRITE but no PROT_READ is invalid
Chao Yu (2):
f2fs: fix to avoid use f2fs_bug_on() in f2fs_new_node_page()
f2fs: fix to do sanity check on segment type in build_sit_entries()
Chen Lin (1):
dpaa2-eth: trace the allocated address instead of page struct
Chia-Lin Kao (AceLan) (1):
net: atlantic: fix aq_vec index out of range error
Christoffer Sandberg (1):
ALSA: hda/realtek: Add quirk for Clevo NS50PU, NS70PU
Christophe JAILLET (6):
mmc: pxamci: Fix another error handling path in pxamci_probe()
mmc: pxamci: Fix an error handling path in pxamci_probe()
mmc: meson-gx: Fix an error handling path in meson_mmc_probe()
perf probe: Fix an error handling path in 'parse_perf_probe_command()'
stmmac: intel: Add a missing clk_disable_unprepare() call in
intel_eth_pci_remove()
cxl: Fix a memory leak in an error handling path
Christophe Leroy (1):
powerpc/32: Don't always pass -mcpu=powerpc to the compiler
Csókás Bence (1):
fec: Fix timer capture timing in `fec_ptp_enable_pps()`
Damien Le Moal (1):
ata: libata-eh: Add missing command name
Dan Aloni (1):
sunrpc: fix expiry of auth creds
Dan Carpenter (3):
NTB: ntb_tool: uninitialized heap data in tool_fn_write()
xen/xenbus: fix return type in xenbus_file_read()
netfilter: nftables: fix a warning message in
nf_tables_commit_audit_collect()
Dmitry Baryshkov (1):
dt-bindings: clock: qcom,gcc-msm8996: add more GCC clock sources
Dongliang Mu (1):
netfilter: nf_tables: fix audit memory leak in nf_tables_commit
Fedor Pchelkin (1):
can: j1939: j1939_sk_queue_activate_next_locked(): replace
WARN_ON_ONCE with netdev_warn_once()
Filipe Manana (1):
btrfs: fix lost error handling when looking up extended ref on log
replay
Florian Westphal (1):
plip: avoid rcu debug splat
Frank Li (1):
usb: cdns3 fix use-after-free at workaround 2
Frieder Schrempf (1):
regulator: pca9450: Remove restrictions for regulator-name
Grzegorz Siwik (1):
ice: Ignore EEXIST when setting promisc mode
Guenter Roeck (1):
lib/list_debug.c: Detect uninitialized lists
Helge Deller (1):
modules: Ensure natural alignment for .altinstructions and __bug_table
sections
Hou Tao (5):
bpf: Acquire map uref in .init_seq_private for array map iterator
bpf: Acquire map uref in .init_seq_private for hash map iterator
bpf: Acquire map uref in .init_seq_private for sock local storage map
iterator
bpf: Acquire map uref in .init_seq_private for sock{map,hash} iterator
bpf: Check the validity of max_rdwr_access for sock local storage map
iterator
Huacai Chen (1):
PCI/ACPI: Guard ARM64-specific mcfg_quirks
Jakub Kicinski (1):
net: genl: fix error path memory leak in policy dumping
James Smart (1):
scsi: lpfc: Prevent buffer overflow crashes in debugfs with malformed
user input
Jason A. Donenfeld (1):
um: add "noreboot" command line option for PANIC_TIMEOUT=-1 setups
Jean-Philippe Brucker (1):
uacce: Handle parent device removal or parent driver module rmmod
Jeff Layton (1):
ceph: don't leak snap_rwsem in handle_cap_grant
Jens Wiklander (1):
tee: fix memory leak in tee_shm_register()
Jianhua Lu (1):
pinctrl: qcom: sm8250: Fix PDC map
John Johansen (5):
apparmor: fix quiet_denied for file rules
apparmor: fix absroot causing audited secids to begin with =
apparmor: Fix failed mount permission check error message
apparmor: fix setting unconfined mode on a loaded profile
apparmor: fix overlapping attachment computation
Jozef Martiniak (1):
gadgetfs: ep_io - wait until IRQ finishes
Kiselev, Oleg (1):
ext4: avoid resizing to a partial cluster size
Krzysztof Kozlowski (1):
dt-bindings: arm: qcom: fix MSM8916 MTP compatibles
Laurent Dufour (1):
watchdog: export lockup_detector_reconfigure
Liang He (5):
drm/meson: Fix refcount bugs in meson_vpu_has_available_connectors()
usb: host: ohci-ppc-of: Fix refcount leak bug
usb: renesas: Fix refcount leak bug
tty: serial: Fix refcount leak bug in ucc_uart.c
mips: cavium-octeon: Fix missing of_node_put() in
octeon2_usb_clocks_start
Liao Chang (1):
csky/kprobe: reclaim insn_slot on kprobe unregistration
Lin Ma (1):
igb: Add lock to avoid data race
Logan Gunthorpe (1):
md: Notify sysfs sync_completed in md_reap_sync_thread()
Luís Henriques (1):
ceph: use correct index when encoding client supported features
Marc Kleine-Budde (1):
can: ems_usb: fix clang's -Wunaligned-access warning
Martin Povišer (4):
ASoC: tas2770: Set correct FSYNC polarity
ASoC: tas2770: Allow mono streams
ASoC: tas2770: Drop conflicting set_bias_level power setting
ASoC: tas2770: Fix handling of mute/unmute
Masahiro Yamada (1):
kbuild: fix the modules order between drivers and libs
Matthew Wilcox (Oracle) (1):
qrtr: Convert qrtr_ports from IDR to XArray
Matthias May (3):
geneve: do not use RT_TOS for IPv6 flowlabel
ipv6: do not use RT_TOS for IPv6 flowlabel
geneve: fix TOS inheriting for ipv4
Miaoqian Lin (1):
pinctrl: nomadik: Fix refcount leak in nmk_pinctrl_dt_subnode_to_map
Michael Ellerman (1):
powerpc/pci: Fix get_phb_number() locking
Michael Grzeschik (1):
usb: gadget: uvc: call uvc uvcg_warn on completed status instead of
uvcg_info
Mikulas Patocka (1):
rds: add missing barrier to release_refill
Nathan Chancellor (1):
MIPS: tlbex: Explicitly compare _PAGE_NO_EXEC against 0
Neil Armstrong (1):
spi: meson-spicc: add local pow2 clock ops to preserve rate between
messages
Nikita Travkin (1):
pinctrl: qcom: msm8916: Allow CAMSS GP clocks to be muxed
Ondrej Mosnacek (1):
kbuild: dummy-tools: avoid tmpdir leak in dummy gcc
Pablo Neira Ayuso (5):
netfilter: nf_tables: really skip inactive sets when allocating name
netfilter: nf_tables: validate NFTA_SET_ELEM_OBJREF based on
NFT_SET_OBJECT flag
netfilter: nf_tables: check NFT_SET_CONCAT flag if field_count is
specified
netfilter: nftables: add helper function to set the base sequence
number
netfilter: add helper function to set up the nfnetlink header and use
it
Pascal Terjan (1):
vboxguest: Do not use devm for irq
Pavan Chebbi (1):
PCI: Add ACS quirk for Broadcom BCM5750x NICs
Peilin Ye (1):
vsock: Set socket state back to SS_UNCONNECTED in
vsock_connect_timeout()
Przemyslaw Patynowski (1):
iavf: Fix adminq error handling
Qifu Zhang (1):
Documentation: ACPI: EINJ: Fix obsolete example
Richard Guy Briggs (1):
audit: log nftables configuration change events once per table
Robert Marko (1):
clk: qcom: ipq8074: dont disable gcc_sleep_clk_src
Roberto Sassu (1):
tools build: Switch to new openssl API for test-libcrypto
Rustam Subkhankulov (1):
net: dsa: sja1105: fix buffer overflow in
sja1105_setup_devlink_regions()
Sagi Grimberg (1):
nvmet-tcp: fix lockdep complaint on nvmet_tcp_wq flush during queue
teardown
Sai Prakash Ranjan (2):
irqchip/tegra: Fix overflow implicit truncation warnings
drm/meson: Fix overflow implicit truncation warnings
Sakari Ailus (1):
ACPI: property: Return type of acpi_add_nondev_subnodes() should be
bool
Samuel Holland (2):
pinctrl: sunxi: Add I/O bias setting for H6 R-PIO
drm/sun4i: dsi: Prevent underflow when computing packet sizes
Sandor Bodo-Merle (1):
net: bgmac: Fix a BUG triggered by wrong bytes_compl
Schspa Shi (1):
vfio: Clear the caps->buf to NULL after free
Sebastian Würl (1):
can: mcp251x: Fix race condition on receive interrupt
Sergei Antonov (2):
net: dsa: mv88e6060: prevent crash on an unused port
net: moxa: pass pdev instead of ndev to DMA functions
Sergey Senozhatsky (1):
zram: do not lookup algorithm in backends table
Steve French (1):
smb3: check xattr value length earlier
Steven Rostedt (Google) (3):
tracing: Have filter accept "common_cpu" to be consistent
selftests/kprobe: Do not test for GRP/ without event failures
tracing/probes: Have kprobes and uprobes use $COMM too
Takashi Iwai (4):
ALSA: usb-audio: More comprehensive mixer map for ASUS ROG Zenith II
ALSA: core: Add async signal helpers
ALSA: timer: Use deferred fasync helper
ALSA: control: Use deferred fasync helper
Tom Rix (1):
apparmor: fix aa_label_asxprint return check
Tony Lindgren (1):
clk: ti: Stop using legacy clkctrl names for omap4 and 5
Trond Myklebust (5):
NFSv4.1: Don't decrease the value of seq_nr_highest_sent
NFSv4.1: Handle NFS4ERR_DELAY replies to OP_SEQUENCE correctly
NFSv4: Fix races in the legacy idmapper upcall
NFSv4/pnfs: Fix a use-after-free bug in open
SUNRPC: Reinitialise the backchannel request buffers before reuse
Tzung-Bi Shih (1):
platform/chrome: cros_ec_proto: don't show MKBP version if unsupported
Uwe Kleine-König (2):
i2c: imx: Make sure to unregister adapter on remove()
dmaengine: sprd: Cleanup in .remove() after pm_runtime_get_sync()
failed
Vladimir Oltean (1):
net: dsa: felix: fix ethtool 256-511 and 512-1023 TX packet counters
Vladimir Zapolskiy (1):
clk: qcom: clk-alpha-pll: fix clk_trion_pll_configure description
Wentao_Liang (1):
drivers:md:fix a potential use-after-free bug
Xianting Tian (1):
RISC-V: Add fast call path of crash_kexec()
Xin Xiong (1):
apparmor: fix reference count leak in aa_pivotroot()
Xiu Jianfeng (1):
apparmor: Fix memleak in aa_simple_write_to_buffer()
Xuan Zhuo (1):
virtio_net: fix memory leak inside XPD_TX with mergeable
Ye Bin (1):
ext4: avoid remove directory when directory is corrupted
Yu Xiao (1):
nfp: ethtool: fix the display error of `ethtool -m DEVNAME`
Yuanzheng Song (1):
tools/vm/slabinfo: use alphabetic order when two values are equal
Zhang Xianwei (1):
NFSv4.1: RECLAIM_COMPLETE must handle EACCES
Zheyu Ma (1):
video: fbdev: i740fb: Check the argument of i740_calc_vclk()
Zhouyi Zhou (1):
powerpc/64: Init jump labels before parse_early_param()
.../devicetree/bindings/arm/qcom.yaml | 2 +-
.../bindings/clock/qcom,gcc-msm8996.yaml | 16 +
.../regulator/nxp,pca9450-regulator.yaml | 11 -
.../firmware-guide/acpi/apei/einj.rst | 2 +-
Makefile | 6 +-
arch/csky/kernel/probes/kprobes.c | 4 +
arch/mips/cavium-octeon/octeon-platform.c | 3 +-
arch/mips/mm/tlbex.c | 4 +-
arch/nios2/include/asm/entry.h | 3 +-
arch/nios2/include/asm/ptrace.h | 2 +
arch/nios2/kernel/entry.S | 22 +-
arch/nios2/kernel/signal.c | 3 +-
arch/nios2/kernel/syscall_table.c | 1 +
arch/powerpc/Makefile | 26 +-
arch/powerpc/kernel/pci-common.c | 16 +-
arch/powerpc/kernel/prom.c | 7 +
arch/powerpc/platforms/Kconfig.cputype | 21 +-
arch/riscv/kernel/sys_riscv.c | 5 +-
arch/riscv/kernel/traps.c | 4 +
arch/um/os-Linux/skas/process.c | 17 +-
arch/x86/mm/init_64.c | 2 +-
drivers/acpi/pci_mcfg.c | 3 +
drivers/acpi/property.c | 8 +-
drivers/ata/libata-eh.c | 1 +
drivers/block/zram/zcomp.c | 11 +-
drivers/clk/qcom/clk-alpha-pll.c | 2 +-
drivers/clk/qcom/gcc-ipq8074.c | 1 +
drivers/clk/ti/clk-44xx.c | 210 +++++------
drivers/clk/ti/clk-54xx.c | 160 ++++-----
drivers/clk/ti/clkctrl.c | 4 -
drivers/dma/sprd-dma.c | 5 +-
drivers/gpu/drm/meson/meson_drv.c | 5 +-
drivers/gpu/drm/meson/meson_viu.c | 22 +-
drivers/gpu/drm/sun4i/sun6i_mipi_dsi.c | 10 +-
drivers/i2c/busses/i2c-imx.c | 20 +-
drivers/infiniband/sw/rxe/rxe_param.h | 6 +
drivers/infiniband/sw/rxe/rxe_task.c | 16 +-
drivers/irqchip/irq-tegra.c | 10 +-
drivers/md/md.c | 1 +
drivers/md/raid5.c | 2 +-
drivers/misc/cxl/irq.c | 1 +
drivers/misc/uacce/uacce.c | 133 ++++---
drivers/mmc/host/meson-gx-mmc.c | 6 +-
drivers/mmc/host/pxamci.c | 4 +-
drivers/net/can/spi/mcp251x.c | 18 +-
drivers/net/can/usb/ems_usb.c | 2 +-
drivers/net/dsa/microchip/ksz9477.c | 3 +
drivers/net/dsa/mv88e6060.c | 3 +
drivers/net/dsa/ocelot/felix_vsc9959.c | 3 +-
drivers/net/dsa/sja1105/sja1105_devlink.c | 2 +-
.../net/ethernet/aquantia/atlantic/aq_nic.c | 21 +-
drivers/net/ethernet/broadcom/bgmac.c | 2 +-
.../net/ethernet/freescale/dpaa2/dpaa2-eth.c | 4 +-
drivers/net/ethernet/freescale/fec_ptp.c | 6 +-
drivers/net/ethernet/intel/i40e/i40e_main.c | 4 +-
drivers/net/ethernet/intel/iavf/iavf_adminq.c | 15 +-
drivers/net/ethernet/intel/ice/ice_switch.c | 2 +-
drivers/net/ethernet/intel/igb/igb.h | 2 +
drivers/net/ethernet/intel/igb/igb_main.c | 12 +-
drivers/net/ethernet/moxa/moxart_ether.c | 20 +-
.../ethernet/netronome/nfp/nfp_net_ethtool.c | 2 +
.../net/ethernet/stmicro/stmmac/dwmac-intel.c | 1 +
drivers/net/geneve.c | 15 +-
drivers/net/plip/plip.c | 2 +-
drivers/net/virtio_net.c | 5 +-
drivers/ntb/test/ntb_tool.c | 8 +-
drivers/nvme/target/tcp.c | 3 +-
drivers/pci/quirks.c | 3 +
drivers/pinctrl/intel/pinctrl-intel.c | 14 +-
drivers/pinctrl/nomadik/pinctrl-nomadik.c | 4 +-
drivers/pinctrl/qcom/pinctrl-msm8916.c | 4 +-
drivers/pinctrl/qcom/pinctrl-sm8250.c | 2 +-
drivers/pinctrl/sunxi/pinctrl-sun50i-h6-r.c | 1 +
drivers/pinctrl/sunxi/pinctrl-sunxi.c | 7 +-
drivers/platform/chrome/cros_ec_proto.c | 8 +-
drivers/scsi/lpfc/lpfc_debugfs.c | 20 +-
drivers/spi/spi-meson-spicc.c | 129 +++++--
drivers/tee/tee_core.c | 3 +
drivers/tee/tee_shm.c | 3 -
drivers/tty/serial/ucc_uart.c | 2 +
drivers/usb/cdns3/gadget.c | 2 +-
drivers/usb/dwc2/gadget.c | 3 +-
drivers/usb/gadget/function/uvc_video.c | 2 +-
drivers/usb/gadget/legacy/inode.c | 1 +
drivers/usb/host/ohci-ppc-of.c | 1 +
drivers/usb/renesas_usbhs/rza.c | 4 +
drivers/vfio/vfio.c | 1 +
drivers/video/fbdev/i740fb.c | 9 +-
drivers/virt/vboxguest/vboxguest_linux.c | 9 +-
drivers/xen/xenbus/xenbus_dev_frontend.c | 4 +-
fs/btrfs/tree-log.c | 4 +-
fs/ceph/caps.c | 27 +-
fs/ceph/mds_client.c | 7 +-
fs/ceph/mds_client.h | 6 -
fs/cifs/smb2ops.c | 5 +-
fs/ext4/namei.c | 7 +-
fs/ext4/resize.c | 10 +
fs/f2fs/node.c | 6 +-
fs/f2fs/segment.c | 13 +
fs/nfs/nfs4idmap.c | 46 +--
fs/nfs/nfs4proc.c | 20 +-
include/linux/netfilter/nfnetlink.h | 27 ++
include/linux/nmi.h | 2 +
include/linux/uacce.h | 6 +-
include/sound/control.h | 2 +-
include/sound/core.h | 8 +
kernel/bpf/arraymap.c | 6 +
kernel/bpf/hashtab.c | 2 +
kernel/trace/trace_events.c | 1 +
kernel/trace/trace_probe.c | 5 +-
kernel/watchdog.c | 21 +-
lib/list_debug.c | 12 +-
net/can/j1939/socket.c | 5 +-
net/core/bpf_sk_storage.c | 12 +-
net/core/sock_map.c | 20 +-
net/ipv6/ip6_output.c | 3 +-
net/netfilter/ipset/ip_set_core.c | 17 +-
net/netfilter/nf_conntrack_netlink.c | 77 ++---
net/netfilter/nf_tables_api.c | 325 +++++++++---------
net/netfilter/nf_tables_trace.c | 9 +-
net/netfilter/nfnetlink_acct.c | 11 +-
net/netfilter/nfnetlink_cthelper.c | 11 +-
net/netfilter/nfnetlink_cttimeout.c | 22 +-
net/netfilter/nfnetlink_log.c | 11 +-
net/netfilter/nfnetlink_queue.c | 12 +-
net/netfilter/nft_compat.c | 11 +-
net/netlink/genetlink.c | 6 +-
net/netlink/policy.c | 14 +-
net/qrtr/qrtr.c | 42 +--
net/rds/ib_recv.c | 1 +
net/sunrpc/auth.c | 2 +-
net/sunrpc/backchannel_rqst.c | 14 +
net/vmw_vsock/af_vsock.c | 1 +
scripts/Makefile.gcc-plugins | 2 +-
scripts/dummy-tools/gcc | 8 +-
scripts/module.lds.S | 2 +
security/apparmor/apparmorfs.c | 2 +-
security/apparmor/audit.c | 2 +-
security/apparmor/domain.c | 2 +-
security/apparmor/include/lib.h | 5 +
security/apparmor/include/policy.h | 2 +-
security/apparmor/label.c | 13 +-
security/apparmor/mount.c | 8 +-
security/apparmor/policy_unpack.c | 12 +-
sound/core/control.c | 7 +-
sound/core/info.c | 6 +-
sound/core/misc.c | 94 +++++
sound/core/timer.c | 11 +-
sound/pci/hda/patch_realtek.c | 1 +
sound/soc/codecs/tas2770.c | 98 +++---
sound/soc/codecs/tas2770.h | 5 +
sound/soc/sof/intel/hda.c | 22 +-
sound/usb/card.c | 8 +
sound/usb/mixer_maps.c | 34 +-
tools/build/feature/test-libcrypto.c | 15 +-
tools/perf/util/probe-event.c | 6 +-
.../test.d/kprobe/kprobe_syntax_errors.tc | 1 -
tools/vm/slabinfo.c | 32 +-
158 files changed, 1458 insertions(+), 1018 deletions(-)
--
2.20.1
From: Wang Wensheng <wangwensheng4(a)huawei.com>
hulk inclusion
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/I61RA3
CVE: NA
-------------------------------
The following two ioctl commands are not in use at all. Delete those
implementations.
SVM_IOCTL_SET_RC
SVM_IOCTL_REMAP_PROC
Signed-off-by: Wang Wensheng <wangwensheng4(a)huawei.com>
Reviewed-by: chenweilong <chenweilong(a)huawei.com>
Signed-off-by: Yongqiang Liu <liuyongqiang13(a)huawei.com>
---
drivers/char/svm.c | 196 ++-------------------------------------------
1 file changed, 5 insertions(+), 191 deletions(-)
diff --git a/drivers/char/svm.c b/drivers/char/svm.c
index 6b44026252e4..4cd04ca378ff 100644
--- a/drivers/char/svm.c
+++ b/drivers/char/svm.c
@@ -1484,186 +1484,6 @@ int svm_get_pasid(pid_t vpid, int dev_id __maybe_unused)
}
EXPORT_SYMBOL_GPL(svm_get_pasid);
-static int svm_set_rc(unsigned long __user *arg)
-{
- unsigned long addr, size, rc;
- unsigned long end, page_size, offset;
- pte_t *pte = NULL;
- struct mm_struct *mm = current->mm;
-
- if (acpi_disabled)
- return -EPERM;
-
- if (arg == NULL)
- return -EINVAL;
-
- if (get_user(addr, arg))
- return -EFAULT;
-
- if (get_user(size, arg + 1))
- return -EFAULT;
-
- if (get_user(rc, arg + 2))
- return -EFAULT;
-
- end = addr + size;
- if (addr >= end)
- return -EINVAL;
-
- down_read(&mm->mmap_sem);
- while (addr < end) {
- pte = svm_walk_pt(addr, &page_size, &offset);
- if (!pte) {
- up_read(&mm->mmap_sem);
- return -ESRCH;
- }
- pte->pte |= (rc & (u64)0x0f) << 59;
- addr += page_size - offset;
- }
- up_read(&mm->mmap_sem);
-
- return 0;
-}
-
-static long svm_remap_get_phys(struct mm_struct *mm, struct vm_area_struct *vma,
- unsigned long addr, unsigned long *phys,
- unsigned long *page_size, unsigned long *offset)
-{
- long err = -EINVAL;
- pgd_t *pgd = NULL;
- pud_t *pud = NULL;
- pte_t *pte = NULL;
-
- if (mm == NULL || vma == NULL || phys == NULL ||
- page_size == NULL || offset == NULL)
- return err;
-
- pgd = pgd_offset(mm, addr);
- if (pgd_none(*pgd))
- return err;
-
- pud = pud_offset(pgd, addr);
- if (pud_none(*pud))
- return err;
-
- pte = svm_get_pte(vma, pud, addr, page_size, offset);
- if (pte && pte_present(*pte)) {
- *phys = PFN_PHYS(pte_pfn(*pte));
- return 0;
- }
-
- return err;
-}
-
-static long svm_remap_proc(unsigned long __user *arg)
-{
- long ret = -EINVAL;
- struct svm_proc_mem pmem;
- struct task_struct *ptask = NULL;
- struct mm_struct *pmm = NULL, *mm = current->mm;
- struct vm_area_struct *pvma = NULL, *vma = NULL;
- unsigned long end, vaddr, phys, buf, offset, pagesize;
-
- if (!acpi_disabled)
- return -EPERM;
-
- if (arg == NULL) {
- pr_err("arg is invalid.\n");
- return ret;
- }
-
- ret = copy_from_user(&pmem, (void __user *)arg, sizeof(pmem));
- if (ret) {
- pr_err("failed to copy args from user space.\n");
- return -EFAULT;
- }
-
- if (pmem.buf & (PAGE_SIZE - 1)) {
- pr_err("address is not aligned with page size, addr:%pK.\n",
- (void *)pmem.buf);
- return -EINVAL;
- }
-
- if (pmem.pid) {
- ptask = find_get_task_by_vpid(pmem.pid);
- if (!ptask) {
- pr_err("No task for this pid\n");
- return -EINVAL;
- }
- } else {
- rcu_read_lock();
- ptask = current;
- get_task_struct(ptask);
- rcu_read_unlock();
- }
-
- pmm = ptask->mm;
-
- down_read(&mm->mmap_sem);
- down_read(&pmm->mmap_sem);
-
- pvma = find_vma(pmm, pmem.vaddr);
- if (pvma == NULL) {
- ret = -ESRCH;
- goto err;
- }
-
- vma = find_vma(mm, pmem.buf);
- if (vma == NULL) {
- ret = -ESRCH;
- goto err;
- }
-
- if (pmem.len > SVM_REMAP_MEM_LEN_MAX) {
- ret = -EINVAL;
- pr_err("too large length of memory.\n");
- goto err;
- }
- vaddr = pmem.vaddr;
- end = vaddr + pmem.len;
- buf = pmem.buf;
- vma->vm_flags |= VM_SHARED;
- if (end > pvma->vm_end || end < vaddr) {
- ret = -EINVAL;
- pr_err("memory length is out of range, vaddr:%pK, len:%u.\n",
- (void *)vaddr, pmem.len);
- goto err;
- }
-
- do {
- ret = svm_remap_get_phys(pmm, pvma, vaddr,
- &phys, &pagesize, &offset);
- if (ret) {
- ret = -EINVAL;
- goto err;
- }
-
- vaddr += pagesize - offset;
-
- do {
- if (remap_pfn_range(vma, buf, phys >> PAGE_SHIFT,
- PAGE_SIZE,
- __pgprot(vma->vm_page_prot.pgprot |
- PTE_DIRTY))) {
-
- ret = -ESRCH;
- goto err;
- }
-
- offset += PAGE_SIZE;
- buf += PAGE_SIZE;
- phys += PAGE_SIZE;
- } while (offset < pagesize);
-
- } while (vaddr < end);
-
-err:
- up_read(&pmm->mmap_sem);
- up_read(&mm->mmap_sem);
- put_task_struct(ptask);
- return ret;
-}
-
static int svm_proc_load_flag(int __user *arg)
{
static atomic_t l2buf_load_flag = ATOMIC_INIT(0);
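Review bot: The removed svm_remap_proc() deserves more than "not in use" in the commit message: it looks up a task from the caller-supplied pmem.pid with find_get_task_by_vpid() and goes on to remap_pfn_range() over that task's pages with no access check on the target visible in the hunk, and svm_set_rc() ORs a user-supplied value into pte->pte while holding mmap_sem only for read. Please describe the removal as closing those paths so backporters do not treat it as pure dead-code cleanup, and check whether struct svm_proc_mem and SVM_REMAP_MEM_LEN_MAX, which appear here only in the removed code, can be dropped as well.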
@@ -1897,18 +1717,12 @@ static long svm_ioctl(struct file *file, unsigned int cmd,
case SVM_IOCTL_GET_PHYS:
err = svm_get_phys((unsigned long __user *)arg);
break;
- case SVM_IOCTL_SET_RC:
- err = svm_set_rc((unsigned long __user *)arg);
- break;
case SVM_IOCTL_PIN_MEMORY:
err = svm_pin_memory((unsigned long __user *)arg);
break;
case SVM_IOCTL_UNPIN_MEMORY:
err = svm_unpin_memory((unsigned long __user *)arg);
break;
- case SVM_IOCTL_REMAP_PROC:
- err = svm_remap_proc((unsigned long __user *)arg);
- break;
case SVM_IOCTL_LOAD_FLAG:
err = svm_proc_load_flag((int __user *)arg);
break;
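Review bot: With the SVM_IOCTL_SET_RC and SVM_IOCTL_REMAP_PROC cases removed, both commands now reach default and return -EINVAL, but no visible hunk removes the command definitions themselves or whatever svm_cmd_to_string() prints for them. Either drop the definitions in this patch or leave a comment marking the numbers as retired so they are not reused later with a different meaning.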
@@ -1922,12 +1736,12 @@ static long svm_ioctl(struct file *file, unsigned int cmd,
err = svm_sp_free_mem((unsigned long __user *)arg);
break;
default:
- err = -EINVAL;
- }
+ err = -EINVAL;
+ }
- if (err)
- dev_err(sdev->dev, "%s: %s failed err = %d\n", __func__,
- svm_cmd_to_string(cmd), err);
+ if (err)
+ dev_err(sdev->dev, "%s: %s failed err = %d\n", __func__,
+ svm_cmd_to_string(cmd), err);
return err;
}
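Review bot: The -/+ pairs on the default: branch and on the if (err) dev_err(...) block carry the same text, so this hunk is a whitespace-only reindent and accounts for all 5 insertions in the diffstat. It is unrelated to removing the two ioctls; move it to a separate cleanup patch or mention it in the commit message so the functional change stays easy to audit.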
--
2.25.1

[PATCH openEuler-1.0-LTS] Revert "posix-cpu-timers: Make timespec to nsec conversion safe"
by Yongqiang Liu 19 Nov '22
From: Yuyao Lin <linyuyao1(a)huawei.com>
hulk inclusion
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/I61XP8
CVE: NA
--------------------------------
This reverts commit 098b0e01a91c42aaaf0425605cd126b03fcb0bcf.
Function timespec64_to_ns() added the upper and lower limit checks in
commit c0b527413194 ("time: Prevent undefined behaviour in timespec64_to_ns()"),
while timespec64_to_ktime() only checks the upper limit, so reverting this
patch can fix the overflow.
Signed-off-by: Yuyao Lin <linyuyao1(a)huawei.com>
Reviewed-by: Wei Li <liwei391(a)huawei.com>
Signed-off-by: Yongqiang Liu <liuyongqiang13(a)huawei.com>
---
kernel/time/posix-cpu-timers.c | 6 +-----
1 file changed, 1 insertion(+), 5 deletions(-)
diff --git a/kernel/time/posix-cpu-timers.c b/kernel/time/posix-cpu-timers.c
index bfaa44a80c03..5ea7ccfb62b8 100644
--- a/kernel/time/posix-cpu-timers.c
+++ b/kernel/time/posix-cpu-timers.c
@@ -584,11 +584,7 @@ static int posix_cpu_timer_set(struct k_itimer *timer, int timer_flags,
if (WARN_ON_ONCE(!p))
return -EINVAL;
- /*
- * Use the to_ktime conversion because that clamps the maximum
- * value to KTIME_MAX and avoid multiplication overflows.
- */
- new_expires = ktime_to_ns(timespec64_to_ktime(new->it_value));
+ new_expires = timespec64_to_ns(&new->it_value);
/*
* Protect against sighand release/switch in exit/exec and p->cpu_timers
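Review bot: The replacement line new_expires = timespec64_to_ns(&new->it_value) is only safe if this tree already carries commit c0b527413194, which the commit message relies on for the upper and lower limit checks; without it the revert brings back the multiplication overflow that the removed comment describes. Please state in the message that the dependency is present on this branch, or send it together with the revert.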
--
2.25.1

19 Nov '22
From: Yuyao Lin <linyuyao1(a)huawei.com>
Offering: HULK
hulk inclusion
category: bugfix
bugzilla: 186339
--------------------------------
This reverts commit 098b0e01a91c42aaaf0425605cd126b03fcb0bcf.
Function timespec64_to_ns() added the upper and lower limit checks in
commit c0b527413194 ("time: Prevent undefined behaviour in timespec64_to_ns()"),
while timespec64_to_ktime() only checks the upper limit, so reverting this
patch can fix the overflow.
Signed-off-by: Yuyao Lin <linyuyao1(a)huawei.com>
Reviewed-by: Wei Li <liwei391(a)huawei.com>
Signed-off-by: Laibin Qiu <qiulaibin(a)huawei.com>
---
kernel/time/posix-cpu-timers.c | 6 +-----
1 file changed, 1 insertion(+), 5 deletions(-)
diff --git a/kernel/time/posix-cpu-timers.c b/kernel/time/posix-cpu-timers.c
index bfaa44a80c03..5ea7ccfb62b8 100644
--- a/kernel/time/posix-cpu-timers.c
+++ b/kernel/time/posix-cpu-timers.c
@@ -584,11 +584,7 @@ static int posix_cpu_timer_set(struct k_itimer *timer, int timer_flags,
if (WARN_ON_ONCE(!p))
return -EINVAL;
- /*
- * Use the to_ktime conversion because that clamps the maximum
- * value to KTIME_MAX and avoid multiplication overflows.
- */
- new_expires = ktime_to_ns(timespec64_to_ktime(new->it_value));
+ new_expires = timespec64_to_ns(&new->it_value);
/*
* Protect against sighand release/switch in exit/exec and p->cpu_timers
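Review bot: The revert deletes the comment that explained why the conversion was chosen and leaves the new timespec64_to_ns() call with no explanation at all. A one-line comment at the call site noting that timespec64_to_ns() checks both the upper and lower limits, as the commit message says, would keep a later cleanup from switching back to the to_ktime form.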
--
2.25.1

[PATCH openEuler-1.0-LTS 1/3] Bluetooth: L2CAP: Fix attempting to access uninitialized memory
by Yongqiang Liu 19 Nov '22
From: Luiz Augusto von Dentz <luiz.von.dentz(a)intel.com>
stable inclusion
from stable-v4.19.265
commit 36919a82f335784d86b4def308739559bb47943d
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/I5ZNRS
CVE: CVE-2022-42895
--------------------------------
commit b1a2cd50c0357f243b7435a732b4e62ba3157a2e upstream.
On l2cap_parse_conf_req the variable efs is only initialized if
remote_efs has been set.
CVE: CVE-2022-42895
CC: stable(a)vger.kernel.org
Reported-by: Tamás Koczka <poprdi(a)google.com>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz(a)intel.com>
Reviewed-by: Tedd Ho-Jeong An <tedd.an(a)intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org>
Signed-off-by: Baisong Zhong <zhongbaisong(a)huawei.com>
Reviewed-by: Liu Jian <liujian56(a)huawei.com>
Reviewed-by: Yue Haibing <yuehaibing(a)huawei.com>
Reviewed-by: Wang Weiyang <wangweiyang2(a)huawei.com>
Signed-off-by: Yongqiang Liu <liuyongqiang13(a)huawei.com>
---
net/bluetooth/l2cap_core.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
index 436a92e3bf20..b6c57a48870a 100644
--- a/net/bluetooth/l2cap_core.c
+++ b/net/bluetooth/l2cap_core.c
@@ -3517,7 +3517,8 @@ static int l2cap_parse_conf_req(struct l2cap_chan *chan, void *data, size_t data
l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
sizeof(rfc), (unsigned long) &rfc, endptr - ptr);
- if (test_bit(FLAG_EFS_ENABLE, &chan->flags)) {
+ if (remote_efs &&
+ test_bit(FLAG_EFS_ENABLE, &chan->flags)) {
chan->remote_id = efs.id;
chan->remote_stype = efs.stype;
chan->remote_msdu = le16_to_cpu(efs.msdu);
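Review bot: The new remote_efs test stops chan->remote_id, chan->remote_stype and chan->remote_msdu from being filled out of an efs that was never written, which matches the commit message, but nothing in this hunk changes the fact that efs stays uninitialized when remote_efs is not set. Zero-initializing efs where it is declared would make any future read outside this guard harmless too, and is worth adding alongside the condition.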
--
2.25.1
From: Wang Wensheng <wangwensheng4(a)huawei.com>
Offering: HULK
hulk inclusion
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/I61RA3
-------------------------------
The following three ioctl commands are not in use at all. Delete those
implementations.
SVM_IOCTL_SET_RC
SVM_IOCTL_REMAP_PROC
Signed-off-by: Wang Wensheng <wangwensheng4(a)huawei.com>
---
drivers/char/svm.c | 192 +--------------------------------------------
1 file changed, 2 insertions(+), 190 deletions(-)
diff --git a/drivers/char/svm.c b/drivers/char/svm.c
index 3b591f197af6..6945e93354b4 100644
--- a/drivers/char/svm.c
+++ b/drivers/char/svm.c
@@ -1085,188 +1085,6 @@ static int svm_open(struct inode *inode, struct file *file)
return 0;
}
-static int svm_set_rc(unsigned long __user *arg)
-{
- unsigned long addr, size, rc;
- unsigned long end, page_size, offset;
- pte_t *pte = NULL;
- struct mm_struct *mm = current->mm;
-
- if (acpi_disabled)
- return -EPERM;
-
- if (arg == NULL)
- return -EINVAL;
-
- if (get_user(addr, arg))
- return -EFAULT;
-
- if (get_user(size, arg + 1))
- return -EFAULT;
-
- if (get_user(rc, arg + 2))
- return -EFAULT;
-
- end = addr + size;
- if (addr >= end)
- return -EINVAL;
-
- down_read(&mm->mmap_lock);
- while (addr < end) {
- pte = svm_walk_pt(addr, &page_size, &offset);
- if (!pte) {
- up_read(&mm->mmap_lock);
- return -ESRCH;
- }
- pte->pte |= (rc & (u64)0x0f) << 59;
- addr += page_size - offset;
- }
- up_read(&mm->mmap_lock);
-
- return 0;
-}
-
-static long svm_remap_get_phys(struct mm_struct *mm, struct vm_area_struct *vma,
- unsigned long addr, unsigned long *phys,
- unsigned long *page_size, unsigned long *offset)
-{
- long err = -EINVAL;
- pgd_t *pgd = NULL;
- p4d_t *p4d = NULL;
- pud_t *pud = NULL;
- pte_t *pte = NULL;
-
- if (mm == NULL || vma == NULL || phys == NULL ||
- page_size == NULL || offset == NULL)
- return err;
-
- pgd = pgd_offset(mm, addr);
- if (pgd_none(*pgd))
- return err;
-
- p4d = p4d_offset(pgd, addr);
- if (p4d_none(*p4d))
- return err;
-
- pud = pud_offset(p4d, addr);
- if (pud_none(*pud))
- return err;
-
- pte = svm_get_pte(vma, pud, addr, page_size, offset);
- if (pte && pte_present(*pte)) {
- *phys = PFN_PHYS(pte_pfn(*pte));
- return 0;
- }
-
- return err;
-}
-
-static long svm_remap_proc(unsigned long __user *arg)
-{
- long ret = -EINVAL;
- struct svm_proc_mem pmem;
- struct task_struct *ptask = NULL;
- struct mm_struct *pmm = NULL, *mm = current->mm;
- struct vm_area_struct *pvma = NULL, *vma = NULL;
- unsigned long end, vaddr, phys, buf, offset, pagesize;
-
- if (!acpi_disabled)
- return -EPERM;
-
- if (arg == NULL) {
- pr_err("arg is invalid.\n");
- return ret;
- }
-
- ret = copy_from_user(&pmem, (void __user *)arg, sizeof(pmem));
- if (ret) {
- pr_err("failed to copy args from user space.\n");
- return -EFAULT;
- }
-
- if (pmem.buf & (PAGE_SIZE - 1)) {
- pr_err("address is not aligned with page size, addr:%pK.\n",
- (void *)pmem.buf);
- return -EINVAL;
- }
-
- if (pmem.pid) {
- ptask = find_get_task_by_vpid(pmem.pid);
- if (!ptask) {
- pr_err("No task for this pid\n");
- return -EINVAL;
- }
- } else {
- ptask = current;
- }
-
- pmm = ptask->mm;
-
- down_read(&mm->mmap_lock);
- down_read(&pmm->mmap_lock);
-
- pvma = find_vma(pmm, pmem.vaddr);
- if (pvma == NULL) {
- ret = -ESRCH;
- goto err;
- }
-
- vma = find_vma(mm, pmem.buf);
- if (vma == NULL) {
- ret = -ESRCH;
- goto err;
- }
-
- if (pmem.len > SVM_REMAP_MEM_LEN_MAX) {
- ret = -EINVAL;
- pr_err("too large length of memory.\n");
- goto err;
- }
- vaddr = pmem.vaddr;
- end = vaddr + pmem.len;
- buf = pmem.buf;
- vma->vm_flags |= VM_SHARED;
- if (end > pvma->vm_end || end < vaddr) {
- ret = -EINVAL;
- pr_err("memory length is out of range, vaddr:%pK, len:%u.\n",
- (void *)vaddr, pmem.len);
- goto err;
- }
-
- do {
- ret = svm_remap_get_phys(pmm, pvma, vaddr,
- &phys, &pagesize, &offset);
- if (ret) {
- ret = -EINVAL;
- goto err;
- }
-
- vaddr += pagesize - offset;
-
- do {
- if (remap_pfn_range(vma, buf, phys >> PAGE_SHIFT,
- PAGE_SIZE,
- __pgprot(vma->vm_page_prot.pgprot |
- PTE_DIRTY))) {
-
- ret = -ESRCH;
- goto err;
- }
-
- offset += PAGE_SIZE;
- buf += PAGE_SIZE;
- phys += PAGE_SIZE;
- } while (offset < pagesize);
-
- } while (vaddr < end);
-
-err:
- up_read(&pmm->mmap_lock);
- up_read(&mm->mmap_lock);
- put_task_struct(ptask);
- return ret;
-}
-
static int svm_proc_load_flag(int __user *arg)
{
static atomic_t l2buf_load_flag = ATOMIC_INIT(0);
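Review bot: In the removed svm_remap_proc(), the else branch for pmem.pid == 0 sets ptask = current without taking a reference, yet the err: label calls put_task_struct(ptask) unconditionally, so that path drops a task reference it never took. That makes this removal a fix for a refcount imbalance and not only dead-code cleanup, and the commit message should say so; note also that ptask->mm is assigned to pmm and passed to down_read(&pmm->mmap_lock) with no NULL check.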
@@ -1432,18 +1250,12 @@ static long svm_ioctl(struct file *file, unsigned int cmd,
case SVM_IOCTL_GET_PHYS:
err = svm_get_phys((unsigned long __user *)arg);
break;
- case SVM_IOCTL_SET_RC:
- err = svm_set_rc((unsigned long __user *)arg);
- break;
case SVM_IOCTL_PIN_MEMORY:
err = svm_pin_memory((unsigned long __user *)arg);
break;
case SVM_IOCTL_UNPIN_MEMORY:
err = svm_unpin_memory((unsigned long __user *)arg);
break;
- case SVM_IOCTL_REMAP_PROC:
- err = svm_remap_proc((unsigned long __user *)arg);
- break;
case SVM_IOCTL_LOAD_FLAG:
err = svm_proc_load_flag((int __user *)arg);
break;
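Review bot: This hunk removes two case labels, SVM_IOCTL_SET_RC and SVM_IOCTL_REMAP_PROC, while the commit message announces three ioctl commands and then lists two. Please reconcile the count, and if a third command was meant to go, add its removal to this patch.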
@@ -1451,8 +1263,8 @@ static long svm_ioctl(struct file *file, unsigned int cmd,
err = svm_release_phys32((unsigned long __user *)arg);
break;
default:
- err = -EINVAL;
- }
+ err = -EINVAL;
+ }
if (err)
dev_err(sdev->dev, "%s: %s failed err = %d\n", __func__,
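Review bot: The trailing if (err) dev_err(...) context now also fires for the two retired commands, since they land in default with -EINVAL, and any caller that can open the device can repeat that at will and fill the kernel log. Consider dev_err_ratelimited() or a lower log level here; separately, the -/+ lines on default: are a whitespace-only change that would sit better in its own patch.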
--
2.17.1
Backport 5.10.137 LTS patches from upstream.
git cherry-pick v5.10.136..v5.10.137~1 -s
Already merged(-36):
f5f3e54f8116 mm: Add kvrealloc()
e32bb2428104 xfs: only set IOMAP_F_SHARED when providing a srcmap to a write
0a69f1f84207 xfs: fix I_DONTCACHE
2613baa3ab21 mm/mremap: hold the rmap lock in write mode when moving page table
entries.
1a4b18b1ff11 netfilter: nf_tables: do not allow SET_ID to refer to another table
9e7dcb88ec8e netfilter: nf_tables: do not allow CHAIN_ID to refer to another
table
0cc5c6b7567d netfilter: nf_tables: do not allow RULE_ID to refer to another
chain
353b4673d01c arm64: fix oops in concurrently setting insn_emulation sysctls
d0412d8f693e net: fix sk_wmem_schedule() and sk_rmem_schedule() errors
eccd7c3e2596 ath9k: fix use-after-free in ath9k_hif_usb_rx_cb
1f697d795290 crypto: hisilicon/sec - fixes some coding style
16e18a8ac7c9 crypto: hisilicon/sec - don't sleep when in softirq
0ecc91cf9645 RDMA/hns: Fix incorrect clearing of interrupt status register
914bf4aa2d5b jbd2: fix outstanding credits assert in
jbd2_journal_commit_transaction()
a6d7f224730e ext4: recover csum seed of tmp_inode after migrating to extents
f7161d0da975 jbd2: fix assertion 'jh->b_frozen_data == NULL' failure when
journal aborted
541840859ace posix-cpu-timers: Cleanup CPU timers before freeing them during
exec
dce8d7427c6a PCI/AER: Write AER Capability only when we control it
78d431e8a56c PCI/ERR: Bind RCEC devices to the Root Port driver
de4534ac28c4 PCI/ERR: Rename reset_link() to reset_subordinates()
f236fa38508b PCI/ERR: Simplify by using pci_upstream_bridge()
2e3458b995aa PCI/ERR: Simplify by computing pci_pcie_type() once
078d79fad521 PCI/ERR: Use "bridge" for clarity in pcie_do_recovery()
7730ba6151b7 PCI/ERR: Avoid negated conditional for clarity
bb6990fd3729 PCI/ERR: Add pci_walk_bridge() to pcie_do_recovery()
d83d886e69bd PCI/ERR: Recover from RCEC AER errors
5e2cf705155a dm thin: fix use-after-free crash in
dm_sm_register_threshold_callback
441726394efa KVM: x86/pmu: preserve IA32_PERF_CAPABILITIES across CPUID refresh
1571c4613059 ext4: check if directory block is within i_size
2da44a2927a7 ext4: add EXT4_INODE_HAS_XATTR_SPACE macro in xattr.h
69d1a36eb4b2 ext4: make sure ext4_append() always allocates new block
bb8592efcf8e ext4: fix use-after-free in ext4_xattr_set_entry
603fb7bd744a ext4: correct max_inline_xattr_value_size computing
d0b495aa2692 ext4: correct the misjudgment in ext4_iget_extra_inode
7018f03d97da net_sched: cls_route: remove from list when handle is 0
a93f33aeef4e driver core: fix potential deadlock in __driver_attach
Rejected due to openEuler hinic driver maintenance policy(-3):
8369a39b529d hinic: Use the bitmap API when applicable
e286a882f227 net: hinic: fix bug that ethtool get wrong stats
e74f3097a9c7 net: hinic: avoid kernel hung in hinic_get_stats64()
Total patches: 540 -36 -3 = 501
Aaron Lewis (1):
kvm: x86/pmu: Fix the compare function used by the pmu event filter
Adrian Hunter (1):
perf tools: Fix dso_id inode generation comparison
Ahmed Zaki (1):
mac80211: fix a memory leak where sta_info is not freed
Al Viro (1):
__follow_mount_rcu(): verify that mount_lock remains unchanged
Alex Deucher (1):
drm/radeon: fix incorrrect SPDX-License-Identifiers
Alexander Gordeev (2):
s390/dump: fix old lowcore virtual vs physical address confusion
s390/zcore: fix race when reading from hardware system area
Alexander Lobakin (3):
ia64, processor: fix -Wincompatible-pointer-types in ia64_get_irr()
x86/olpc: fix 'logical not is only applied to the left hand side'
iommu/vt-d: avoid invalid memory access via node_online(NUMA_NO_NODE)
Alexander Shishkin (4):
intel_th: msu: Fix vmalloced buffers
intel_th: pci: Add Meteor Lake-P support
intel_th: pci: Add Raptor Lake-S PCH support
intel_th: pci: Add Raptor Lake-S CPU support
Alexander Stein (6):
ARM: dts: imx6ul: add missing properties for sram
ARM: dts: imx6ul: change operating-points to uint32-matrix
ARM: dts: imx6ul: fix keypad compatible
ARM: dts: imx6ul: fix csi node compatible
ARM: dts: imx6ul: fix lcdif node compatible
ARM: dts: imx6ul: fix qspi node compatible
Alexandru Elisei (1):
arm64: cpufeature: Allow different PMU versions in ID_DFR0_EL1
Alexei Starovoitov (1):
bpf: Fix subprog names in stack traces.
Alexey Khoroshilov (1):
crypto: sun8i-ss - fix infinite loop in sun8i_ss_setup_ivs()
Alexey Kodanev (2):
drm/radeon: fix potential buffer overflow in
ni_set_mc_special_registers()
wifi: iwlegacy: 4965: fix potential off-by-one overflow in
il4965_rs_fill_link_cmd()
Allen Ballway (1):
ALSA: hda/cirrus - support for iMac 12,1 model
Amit Kumar Mahapatra (1):
mtd: rawnand: arasan: Update NAND bus clock instead of system clock
Ammar Faizi (1):
wifi: wil6210: debugfs: fix uninitialized variable use in
`wil_write_file_wmi()`
Andrea Righi (1):
x86/entry: Build thunk_$(BITS) only if CONFIG_PREEMPTION=y
Andrei Vagin (1):
selftests: kvm: set rax before vmcall
Andrey Strachuk (1):
usb: cdns3: change place of 'priv_ep' assignment in
cdns3_gadget_ep_dequeue(), cdns3_gadget_ep_enable()
Andy Shevchenko (2):
serial: 8250_pci: Refactor the loop in pci_ite887x_init()
serial: 8250_pci: Replace dev_*() by pci_*() macros
AngeloGioacchino Del Regno (2):
media: platform: mtk-mdp: Fix mdp_ipi_comm structure alignment
rpmsg: mtk_rpmsg: Fix circular locking dependency
Anquan Wu (1):
libbpf: Fix the name of a reused map
Anshuman Khandual (1):
drivers/perf: arm_spe: Fix consistency of SYS_PMSCR_EL1.CX
Ansuel Smith (1):
clk: qcom: clk-krait: unlock spin after mux completion
Antonio Borneo (2):
genirq: Don't return error on missing optional irq_request_resources()
drm: adv7511: override i2c address of cec before accessing it
Arnaldo Carvalho de Melo (1):
genelf: Use HAVE_LIBCRYPTO_SUPPORT, not the never defined
HAVE_LIBCRYPTO
Artem Borisov (1):
HID: alps: Declare U1_UNICORN_LEGACY support
Arun Easi (3):
scsi: qla2xxx: Fix discovery issues in FC-AL topology
scsi: qla2xxx: Fix losing FCP-2 targets on long port disable with I/Os
scsi: qla2xxx: Fix losing FCP-2 targets during port perturbation tests
Athira Rajeev (1):
powerpc/perf: Optimize clearing the pending PMI and remove WARN_ON for
PMI check in power_pmu_disable
Austin Kim (1):
dmaengine: sf-pdma: apply proper spinlock flags in
sf_pdma_prep_dma_memcpy()
Bart Van Assche (4):
blktrace: Trace remapped requests correctly
RDMA/srpt: Duplicate port name members
RDMA/srpt: Introduce a reference count in struct srpt_device
RDMA/srpt: Fix a use-after-free
Bartosz Golaszewski (2):
lib: bitmap: order includes alphabetically
lib: bitmap: provide devm_bitmap_alloc() and devm_bitmap_zalloc()
Bean Huo (1):
nvme: use command_id instead of req->tag in trace_nvme_complete_rq()
Bedant Patnaik (1):
ALSA: hda/realtek: Add a quirk for HP OMEN 15 (8786) mute LED
Benjamin Segall (1):
epoll: autoremove wakers even more aggressively
Biju Das (1):
spi: spi-rspi: Fix PIO fallback on RZ platforms
Bikash Hazarika (2):
scsi: qla2xxx: Fix incorrect display of max frame size
scsi: qla2xxx: Zero undefined mailbox IN registers
Bo-Chen Chen (1):
drm/mediatek: dpi: Remove output format of YUV
Brian Norris (1):
drm/rockchip: vop: Don't crash for invalid duplicate_state()
Byungki Lee (1):
f2fs: write checkpoint during FG_GC
Chao Liu (1):
f2fs: fix to remove F2FS_COMPR_FL and tag F2FS_NOCOMP_FL at the same
time
Chao Yu (1):
f2fs: don't set GC_FAILURE_PIN for background GC
Chen Zhongjin (2):
profiling: fix shift too large makes kernel panic
kprobes: Forbid probing on trampoline and BPF code areas
Cheng Xu (1):
RDMA/siw: Fix duplicated reported IW_CM_EVENT_CONNECT_REPLY event
Christian Lamparter (1):
ARM: dts: BCM5301X: Add DT for Meraki MR26
Christian Loehle (1):
mmc: block: Add single read for 4k sector cards
Christian Marangi (1):
PCI: qcom: Set up rev 2.1.0 PARF_PHY before enabling clocks
Christoph Hellwig (1):
block: remove the request_queue to argument request based tracepoints
Christophe JAILLET (8):
drm/rockchip: Fix an error handling path rockchip_dp_probe()
wifi: p54: Fix an error handling path in p54spi_probe()
mtd: rawnand: meson: Fix a potential double free issue
misc: rtsx: Fix an error handling path in rtsx_pci_probe()
intel_th: Fix a resource leak in an error handling path
memstick/ms_block: Fix some incorrect memory allocation
memstick/ms_block: Fix a memory leak
ASoC: qcom: q6dsp: Fix an off-by-one in q6adm_alloc_copp()
Christophe Leroy (2):
powerpc/ptdump: Fix display of RW pages on FSL_BOOK3E
powerpc/32: Do not allow selection of e5500 or e6500 CPUs on PPC32
Christopher Obbard (1):
um: random: Don't initialise hwrng struct with zero
Chuansheng Liu (1):
drm/i915/dg1: Update DMC_DEBUG3 register
Claudio Imbrenda (1):
KVM: s390: pv: leak the topmost page table when destroy fails
Claudiu Beznea (1):
ASoC: mchp-spdifrx: disable end of block interrupt on failures
Corentin Labbe (1):
crypto: sun8i-ss - do not allocate memory when handling hash requests
Dan Carpenter (8):
wifi: rtlwifi: fix error codes in rtl_debugfs_set_write_h2c()
crypto: sun8i-ss - fix error codes in allocate_flows()
wifi: wil6210: debugfs: fix info leak in wil_write_file_wmi()
selftests/bpf: fix a test for snprintf() overflow
eeprom: idt_89hpesx: uninitialized data in idt_dbgfs_csr_write()
platform/olpc: Fix uninitialized data in debugfs write
null_blk: fix ida error handling in null_add_dev()
kfifo: fix kfifo_to_user() return type
Dan Williams (1):
ACPI: APEI: Fix _EINJ vs EFI_MEMORY_SP
Daniel Starke (8):
tty: n_gsm: fix user open not possible at responder until initiator
open
tty: n_gsm: fix wrong queuing behavior in gsm_dlci_data_output()
tty: n_gsm: fix non flow control frames during mux flow off
tty: n_gsm: fix packet re-transmission without open control channel
tty: n_gsm: fix race condition in gsmld_write()
tty: n_gsm: fix wrong T1 retry count handling
tty: n_gsm: fix DM command
tty: n_gsm: fix missing corner cases in gsmld_poll()
Dave Stevenson (8):
drm/vc4: plane: Fix margin calculations for the right/bottom edges
drm/vc4: dsi: Correct DSI divider calculations
drm/vc4: dsi: Correct pixel order for DSI0
drm/vc4: dsi: Register dsi0 as the correct vc4 encoder type
drm/vc4: dsi: Fix dsi0 interrupt support
drm/vc4: dsi: Add correct stop condition to vc4_dsi_encoder_disable
iteration
drm/vc4: hdmi: Correct HDMI timing registers for interlaced modes
drm/vc4: drv: Adopt the dma configuration from the HVS or V3D
component
David Collins (1):
spmi: trace: fix stack-out-of-bound access in SPMI tracing functions
David Howells (1):
vfs: Check the truncate maximum size in inode_newsize_ok()
Dietmar Eggemann (1):
sched/deadline: Merge dl_task_can_attach() and dl_cpu_busy()
Dimitri John Ledkov (1):
riscv: set default pm_power_off to NULL
Dmitry Osipenko (1):
drm/gem: Properly annotate WW context on drm_gem_lock_reservations()
error
Dom Cobley (3):
drm/vc4: plane: Remove subpixel positioning check
drm/vc4: hdmi: Remove firmware logic for MAI threshold setting
drm/vc4: hdmi: Avoid full hdmi audio fifo writes
Duoming Zhou (3):
mtd: sm_ftl: Fix deadlock caused by cancel_work_sync in sm_release
mwifiex: fix sleep in atomic context bugs caused by dev_coredumpv
staging: rtl8192u: Fix sleep in atomic context bug in
dm_fsync_timer_callback
Elia Devito (1):
HID: Ignore battery for Elan touchscreen on HP Spectre X360 15-df0xxx
Eric Dumazet (5):
inet: add READ_ONCE(sk->sk_bound_dev_if) in INET_MATCH()
tcp: sk->sk_bound_dev_if once in inet_request_bound_dev_if()
ipv6: add READ_ONCE(sk->sk_bound_dev_if) in INET6_MATCH()
net: rose: fix netdev reference changes
tcp: fix over estimation in sk_forced_mem_schedule()
Eric Farman (1):
vfio/ccw: Do not change FSM state in subchannel event
Eric Whitney (1):
ext4: fix extent status tree race in writeback error recovery path
Eugen Hristev (1):
mmc: sdhci-of-at91: fix set_uhs_signaling rewriting of MC1R
Florian Fainelli (1):
tools/thermal: Fix possible path truncations
Florian Westphal (1):
netfilter: nf_tables: fix null deref due to zeroed list head
Francis Laniel (1):
arm64: Do not forget syscall when starting a new thread.
Gal Pressman (1):
net/mlx5e: Remove WARN_ON when trying to offload an unsupported TLS
cipher/version
Gao Xiang (1):
erofs: avoid consecutive detection for Highmem memory
Geert Uytterhoeven (3):
arm64: dts: renesas: beacon: Fix regulator node names
soc: renesas: r8a779a0-sysc: Fix A2DP1 and A2CV[2357] PDR values
arm64: dts: renesas: Fix thermal-sensors on single-zone sensors
Gioh Kim (1):
RDMA/rtrs: Define MIN_CHUNK_SIZE
Greg Kroah-Hartman (1):
Revert "mwifiex: fix sleep in atomic context bugs caused by
dev_coredumpv"
Guilherme G. Piccoli (1):
ACPI: processor/idle: Annotate more functions to live in cpuidle
section
Guillaume Ranquet (1):
drm/mediatek: dpi: Only enable dpi after the bridge is enabled
Guo Mengqi (1):
spi: synquacer: Add missing clk_disable_unprepare()
Hangyu Hua (3):
drm: bridge: sii8620: fix possible off-by-one
wifi: libertas: Fix possible refcount leak in if_usb_probe()
dccp: put dccp_qpolicy_full() and dccp_qpolicy_push() in the same lock
Hans de Goede (2):
ACPI: EC: Remove duplicate ThinkPad X1 Carbon 6th entry from DMI
quirks
ACPI: EC: Drop the EC_FLAGS_IGNORE_DSDT_GPE quirk
Harshit Mogalapalli (2):
HID: cp2112: prevent a buffer overflow in cp2112_xfer()
HID: mcp2221: prevent a buffer overflow in mcp_smbus_write()
Helge Deller (4):
fbcon: Fix boundary checks for fbcon=vc:n1-n2 parameters
fbcon: Fix accelerated fbdev scrolling while logo is still shown
parisc: Fix device names in /proc/iomem
parisc: io_pgetevents_time64() needs compat syscall in 32-bit compat
mode
Huacai Chen (2):
MIPS: cpuinfo: Fix a warning for CONFIG_CPUMASK_OFFSTACK
tpm: eventlog: Fix section mismatch for DEBUG_SECTION_MISMATCH
Ian Rogers (1):
perf symbol: Fail to read phdr workaround
Ilpo Järvinen (1):
serial: 8250_dw: Store LSR into lsr_saved_flags in
dw8250_tx_wait_empty()
Ivan Hasenkampf (1):
ALSA: hda/realtek: Add quirk for HP Spectre x360 15-eb0xxx
Jack Wang (2):
RDMA/rtrs: Avoid Wtautological-constant-out-of-range-compare
RDMA/rtrs-srv: Fix modinfo output for stringify
Jagath Jog J (2):
iio: accel: bma400: Fix the scale min and max macro values
iio: accel: bma400: Reordering of header files
Jakub Kicinski (1):
netdevsim: Avoid allocation warnings triggered from user space
Jamal Hadi Salim (1):
net_sched: cls_route: disallow handle of 0
Jan Kara (1):
ext2: Add more validity checks for inode counts
Jason A. Donenfeld (4):
fs: check FMODE_LSEEK to control internal pipe splicing
wireguard: ratelimiter: use hrtimer in selftest
wireguard: allowedips: don't corrupt stack when detecting overflow
timekeeping: contribute wall clock to rng on time change
Jason Gunthorpe (4):
vfio: Remove extra put/gets around vfio_device->group
vfio: Simplify the lifetime logic for vfio_device
vfio: Split creation of a vfio_device into init and register ops
vfio/mdev: Make to_mdev_device() into a static inline
Javier Martinez Canillas (1):
drm/st7735r: Fix module autoloading for Okaya RH128128T
Jens Wiklander (1):
tee: add overflow check in register_shm_helper()
Jeongik Cha (1):
wifi: mac80211_hwsim: fix race condition in pending packet
Jernej Skrabec (1):
media: cedrus: hevc: Add check for invalid timestamp
Jiachen Zhang (1):
ovl: drop WARN_ON() dentry is NULL in ovl_encode_fh()
Jian Shen (2):
test_bpf: fix incorrect netdev features
net: ionic: fix error check for vlan flags in ionic_set_nic_features()
Jian Zhang (1):
drm/exynos/exynos7_drm_decon: free resources when clk_set_parent()
failed.
Jianglei Nie (2):
RDMA/qedr: Fix potential memory leak in __qedr_alloc_mr()
RDMA/hfi1: fix potential memory leak in setup_base_ctxt()
Jiasheng Jiang (4):
drm: bridge: adv7511: Add check for mipi_dsi_driver_register
Bluetooth: hci_intel: Add check for platform_driver_register
intel_th: msu-sink: Potential dereference of null pointer
ASoC: codecs: da7210: add check for i2c_add_driver
Jim Mattson (2):
KVM: x86/pmu: Use binary search to check filtered events
KVM: x86/pmu: Use different raw event masks for AMD and Intel
Jitao Shi (2):
drm/mediatek: Separate poweron/poweroff from enable/disable and define
new funcs
drm/mediatek: Keep dsi as LP00 before dcs cmds transfer
Joe Lawrence (1):
selftests/livepatch: better synchronize test_klp_callbacks_busy
Johan Hovold (4):
x86/pmem: Fix platform-device leak in error path
ath11k: fix netdev open race
usb: dwc3: qcom: fix missing optional irq warnings
USB: serial: fix tty-port initialized comments
Johannes Berg (3):
wifi: mac80211_hwsim: add back erroneously removed cast
wifi: mac80211_hwsim: use 32-bit skb cookie
um: Allow PM with suspend-to-idle
Jonas Dreßler (1):
mwifiex: Ignore BTCOEX events from the 88W8897 firmware
Jose Alonso (1):
Revert "net: usb: ax88179_178a needs FLAG_SEND_ZLP"
Jose Ignacio Tornos Martinez (1):
wifi: iwlwifi: mvm: fix double list_add at iwl_mvm_mac_wake_tx_queue
Josef Bacik (1):
btrfs: reset block group chunk force if we have to wait
Josh Poimboeuf (1):
scripts/faddr2line: Fix vmlinux detection on arm64
Julien STEPHAN (1):
drm/mediatek: Allow commands to be sent during video mode
Juri Lelli (1):
wait: Fix __wait_event_hrtimeout for RT/DL tasks
Kai Ye (1):
crypto: hisilicon/sec - fix auth key size error
Keith Busch (1):
block: fix infinite loop for invalid zone append
Kim Phillips (1):
x86/bugs: Enable STIBP for IBPB mitigated RETBleed
Konrad Dybcio (1):
soc: qcom: Make QCOM_RPMPD depend on PM
Krzysztof Kozlowski (6):
ARM: dts: ast2500-evb: fix board compatible
ARM: dts: ast2600-evb: fix board compatible
ARM: dts: qcom: mdm9615: add missing PMIC GPIO reg
ARM: dts: qcom: pm8841: add required thermal-sensor-cells
ath10k: do not enforce interrupt trigger type
ASoC: samsung: h1940_uda1380: include proepr GPIO consumer header
Kunihiko Hayashi (2):
ARM: dts: uniphier: Fix USB interrupts for PXs2 SoC
arm64: dts: uniphier: Fix USB interrupts for PXs3 SoC
Kuniyuki Iwashima (1):
tcp: Fix data-races around sysctl_tcp_l3mdev_accept.
Lars-Peter Clausen (1):
i2c: cadence: Support PEC for SMBus block read
Leo Li (1):
drm/amdgpu: Check BO's requested pinning domains against its
preferred_domains
Lev Kujawski (1):
KVM: set_msr_mce: Permit guests to ignore single-bit ECC errors
Liang He (14):
ARM: OMAP2+: display: Fix refcount leak bug
ARM: shmobile: rcar-gen2: Increase refcount for new reference
soc: amlogic: Fix refcount leak in meson-secure-pwrc.c
regulator: of: Fix refcount leak bug in
of_get_regulation_constraints()
mediatek: mt76: mac80211: Fix missing of_node_put() in mt76_led_init()
i2c: mux-gpmux: Add of_node_put() when breaking out of loop
usb: aspeed-vhub: Fix refcount leak bug in ast_vhub_init_desc()
gpio: gpiolib-of: Fix refcount bugs in of_mm_gpiochip_add_data()
mmc: cavium-octeon: Add of_node_put() when breaking out of loop
mmc: cavium-thunderx: Add of_node_put() when breaking out of loop
ASoC: qcom: Fix missing of_node_put() in
asoc_qcom_lpass_cpu_platform_probe()
iommu/arm-smmu: qcom_iommu: Add of_node_put() when breaking out of
loop
ASoC: audio-graph-card: Add of_node_put() in fail path
video: fbdev: amba-clcd: Fix refcount leak bugs
Like Xu (2):
KVM: x86/pmu: Introduce the ctrl_mask value for fixed counter
KVM: x86/pmu: Ignore pmu->global_ctrl check if vPMU doesn't support
global_ctrl
Linus Walleij (2):
Input: atmel_mxt_ts - fix up inverted RESET handler
hwmon: (drivetemp) Add module alias
Linyu Yuan (1):
usb: typec: ucsi: Acknowledge the GET_ERROR_STATUS command completion
Lorenzo Bianconi (1):
mt76: mt76x02u: fix possible memory leak in __mt76x02u_mcu_send_msg
Luiz Augusto von Dentz (1):
Bluetooth: L2CAP: Fix l2cap_global_chan_by_psm regression
Lukas Wunner (3):
usbnet: Fix linkwatch use-after-free on disconnect
usbnet: smsc95xx: Don't clear read-only PHY interrupt
usbnet: smsc95xx: Avoid link settings race on interrupt reception
Lv Ruyi (1):
firmware: tegra: Fix error check return value of debugfs_create_file()
Lyude Paul (2):
drm/nouveau: Don't pm_runtime_put_sync(), only
pm_runtime_put_autosuspend()
drm/nouveau/acpi: Don't print error when we get -EINPROGRESS from
pm_runtime
Maciej Fijalkowski (1):
selftests/xsk: Destroy BPF resources only when ctx refcount drops to 0
Maciej S. Szmigiero (1):
KVM: SVM: Don't BUG if userspace injects an interrupt with GIF=0
Maciej W. Rozycki (4):
serial: 8250: Export ICR access helpers for internal use
serial: 8250: Dissociate 4MHz Titan ports from Oxford ports
serial: 8250: Correct the clock for OxSemi PCIe devices
serial: 8250: Fold EndRun device support into OxSemi Tornado code
Mahesh Rajashekhara (1):
scsi: smartpqi: Fix DMA direction for RAID requests
Manikanta Pubbisetty (1):
ath11k: Fix incorrect debug_mask mappings
Manyi Li (1):
ACPI: PM: save NVS memory for Lenovo G40-45
Maor Gottlieb (1):
RDMA/mlx5: Add missing check for return value in get namespace flow
Marcel Ziswiler (1):
ARM: dts: imx7d-colibri-emmc: add cpu1 supply
Marco Pagani (1):
fpga: altera-pr-ip: fix unsigned comparison with less than zero
Marek Vasut (3):
drm/bridge: tc358767: Move (e)DP bridge endpoint parsing into
dedicated function
drm/bridge: tc358767: Make sure Refclk clock are enabled
drm/bridge: tc358767: Fix (e)DP bridge endpoint parsing in dedicated
function
Markus Mayer (1):
thermal/tools/tmon: Include pthread and time headers in tmon.h
Mateusz Kwiatkowski (1):
drm/vc4: hdmi: Fix timings for interlaced modes
Max Filippov (1):
xtensa: iss/network: provide release() callback
Maxim Mikityanskiy (1):
net/mlx5e: Fix the value of MLX5E_MAX_RQ_NUM_MTTS
Maxime Ripard (5):
drm/vc4: drv: Remove the DSI pointer in vc4_drv
drm/vc4: dsi: Use snprintf for the PHY clocks instead of an array
drm/vc4: dsi: Introduce a variant structure
drm/vc4: hdmi: Don't access the connector state in reset if kmalloc
fails
drm/vc4: hdmi: Limit the BCM2711 to the max without scrambling
Maximilian Heyne (1):
xen-blkback: Apply 'feature_persistent' parameter when connect
Meng Tang (2):
ALSA: hda/conexant: Add quirk for LENOVO 20149 Notebook model
ALSA: hda/realtek: Add quirk for another Asus K42JZ model
Miaohe Lin (1):
mm/mmap.c: fix missing call to vm_unacct_memory in mmap_region
Miaoqian Lin (27):
meson-mx-socinfo: Fix refcount leak in meson_mx_socinfo_init
ARM: bcm: Fix refcount leak in bcm_kona_smc_init
ARM: OMAP2+: Fix refcount leak in omapdss_init_of
ARM: OMAP2+: Fix refcount leak in omap3xxx_prm_late_init
cpufreq: zynq: Fix refcount leak in zynq_get_revision
soc: qcom: ocmem: Fix refcount leak in of_get_ocmem
soc: qcom: aoss: Fix refcount leak in qmp_cooling_devices_register
drm/mcde: Fix refcount leak in mcde_dsi_bind
media: tw686x: Fix memory leak in tw686x_video_init
mtd: maps: Fix refcount leak in of_flash_probe_versatile
mtd: maps: Fix refcount leak in ap_flash_init
PCI: tegra194: Fix PM error handling in tegra_pcie_config_ep()
mtd: partitions: Fix refcount leak in parse_redboot_of
usb: host: Fix refcount leak in ehci_hcd_ppc_of_probe
usb: ohci-nxp: Fix refcount leak in ohci_hcd_nxp_probe
mmc: sdhci-of-esdhc: Fix refcount leak in esdhc_signal_voltage_switch
ASoC: cros_ec_codec: Fix refcount leak in cros_ec_codec_platform_probe
ASoC: samsung: Fix error handling in aries_audio_probe
ASoC: mediatek: mt8173: Fix refcount leak in
mt8173_rt5650_rt5676_dev_probe
ASoC: mt6797-mt6351: Fix refcount leak in mt6797_mt6351_dev_probe
ASoC: mediatek: mt8173-rt5650: Fix refcount leak in
mt8173_rt5650_dev_probe
remoteproc: k3-r5: Fix refcount leak in k3_r5_cluster_of_init
rpmsg: qcom_smd: Fix refcount leak in qcom_smd_parse_edge
mfd: max77620: Fix refcount leak in max77620_initialise_fps
powerpc/spufs: Fix refcount leak in spufs_init_isolated_loader
powerpc/xive: Fix refcount leak in xive_get_max_prio
powerpc/cell/axon_msi: Fix refcount leak in setup_msi_msg_address
Michael Ellerman (3):
powerpc/powernv: Avoid crashing if rng is NULL
powerpc/64s: Disable stack variable initialisation for prom_init
powerpc/pci: Fix PHB numbering when using opal-phbid
Michael Grzeschik (2):
usb: dwc3: gadget: refactor dwc3_repare_one_trb
usb: dwc3: gadget: fix high speed multiplier setting
Michael Walle (1):
soc: fsl: guts: machine variable might be unset
Michal Suchanek (1):
kexec, KEYS, s390: Make use of built-in and secondary keyring for
signature verification
Mike Manning (1):
net: allow unbound socket for packets in VRF when tcp_l3mdev_accept
set
Mike Snitzer (1):
dm: return early from dm_pr_call() if DM device is suspended
Miklos Szeredi (1):
fuse: limit nsec
Mikulas Patocka (6):
add barriers to buffer_uptodate and set_buffer_uptodate
md-raid: destroy the bitmap after destroying the thread
md-raid10: fix KASAN warning
dm writecache: set a default MAX_WRITEBACK_JOBS
dm raid: fix address sanitizer warning in raid_resume
dm raid: fix address sanitizer warning in raid_status
Ming Lei (1):
blk-mq: don't create hctx debugfs dir until q->debugfs_dir is created
Ming Qian (1):
media: v4l2-mem2mem: prevent pollerr when last_buffer_dequeued is set
Miquel Raynal (6):
mtd: rawnand: Add a helper to clarify the interface configuration
mtd: rawnand: arasan: Check the proposed data interface is supported
mtd: rawnand: Add NV-DDR timings
mtd: rawnand: arasan: Fix a macro parameter
mtd: rawnand: arasan: Support NV-DDR interface
mtd: rawnand: arasan: Prevent an unsupported configuration
Mohamed Khalfella (1):
PCI/AER: Iterate over error counters instead of error strings
Narendra Hadke (1):
serial: mvebu-uart: uart2 error bits clearing
Nathan Chancellor (2):
hexagon: select ARCH_WANT_LD_ORPHAN_WARN
usb: cdns3: Don't use priv_dev uninitialized in
cdns3_gadget_ep_enable()
Nick Desaulniers (2):
Makefile: link with -z noexecstack --no-warn-rwx-segments
x86: link vdso and boot with -z noexecstack --no-warn-rwx-segments
Nick Hainke (1):
arm64: dts: mt7622: fix BPI-R64 WPS button
Nico Boehr (1):
KVM: s390: pv: don't present the ecall interrupt twice
Nicolas Saenz Julienne (1):
nohz/full, sched/rt: Fix missed tick-reenabling bug in
dequeue_task_rt()
Niels Dossche (1):
media: hdpvr: fix error value returns in hdpvr_read
Nilesh Javali (1):
scsi: Revert "scsi: qla2xxx: Fix disk failure to rediscover"
Olga Kitaina (1):
mtd: rawnand: arasan: Fix clock rate in NV-DDR
Pali Rohár (4):
PCI: Add defines for normal and subtractive PCI bridges
powerpc/fsl-pci: Fix Class Code of PCIe Root Port
crypto: inside-secure - Add missing MODULE_DEVICE_TABLE for of
powerpc/pci: Prefer PCI domain assignment via DT 'linux,pci-domain'
and alias
Peng Fan (1):
interconnect: imx: fix max_node_id
Peter Zijlstra (1):
locking/lockdep: Fix lockdep_init_map_*() confusion
Phil Elwell (1):
drm/vc4: hdmi: Disable audio if dmas property is present but empty
Pierre-Louis Bossart (1):
soundwire: bus_type: fix remove and shutdown support
Ping Cheng (2):
HID: wacom: Only report rotation for art pen
HID: wacom: Don't register pad_input for touch switch
Prabhakar Kushwaha (1):
RDMA/qedr: Improve error logs for rdma_alloc_tid error return
Przemyslaw Patynowski (1):
iavf: Fix max_rate limiting
Qian Cai (1):
crypto: arm64/gcm - Select AEAD for GHASH_ARM64_CE
Qu Wenruo (3):
btrfs: reject log replay if there is unsupported RO compat flag
btrfs: only write the sectors in the vertical stripe which has data
stripes
btrfs: raid56: don't trust any cached sector in
__raid56_parity_recover()
Quentin Perret (1):
KVM: arm64: Don't return from void function
Quinn Tran (2):
scsi: qla2xxx: Turn off multi-queue for 8G adapters
scsi: qla2xxx: Fix erroneous mailbox timeout after PCI error injection
Rafael J. Wysocki (2):
thermal: sysfs: Fix cooling_device_stats_setup() error code path
ACPI: CPPC: Do not prevent CPPC from working in the future
Ralph Siemsen (1):
clk: renesas: r9a06g032: Fix UART clkgrp bitsel
Randy Dunlap (1):
usb: gadget: udc: amd5536 depends on HAS_DMA
Rex-BC Chen (1):
clk: mediatek: reset: Fix written reset bit offset
Rob Clark (1):
drm/msm/mdp5: Fix global state lock backoff
Robert Marko (5):
arm64: dts: qcom: ipq8074: fix NAND node name
clk: qcom: ipq8074: fix NSS core PLL-s
clk: qcom: ipq8074: SW workaround for UBI32 PLL lock
clk: qcom: ipq8074: fix NSS port frequency tables
clk: qcom: ipq8074: set BRANCH_HALT_DELAY flag for UBI clocks
Rohith Kollalsi (1):
usb: dwc3: core: Do not perform GCTL_CORE_SOFTRESET during bootup
Russell King (Oracle) (1):
ARM: findbit: fix overflowing offset
Rustam Subkhankulov (2):
wifi: p54: add missing parentheses in p54_flush()
video: fbdev: sis: fix typos in SiS_GetModeID()
Sam Protsenko (1):
iommu/exynos: Handle failed IOMMU device registration properly
Samuel Holland (3):
irqchip/mips-gic: Only register IPI domain when SMP is enabled
genirq: GENERIC_IRQ_IPI depends on SMP
arm64: dts: allwinner: a64: orangepi-win: Fix LED node name
Sean Christopherson (15):
KVM: nVMX: Snapshot pre-VM-Enter BNDCFGS for !nested_run_pending case
KVM: nVMX: Snapshot pre-VM-Enter DEBUGCTL for !nested_run_pending case
KVM: nVMX: Let userspace set nVMX MSR to any _host_ supported value
KVM: x86: Mark TSS busy during LTR emulation _after_ all fault checks
KVM: x86: Set error code to segment selector on LLDT/LTR non-canonical
#GP
KVM: x86: Tag kvm_mmu_x86_module_init() with __init
KVM: Don't set Accessed/Dirty bits for ZERO_PAGE
KVM: x86: Signal #GP, not -EPERM, on bad WRMSR(MCi_CTL/STATUS)
KVM: VMX: Drop guest CPUID check for VMXE in vmx_set_cr4()
KVM: VMX: Drop explicit 'nested' check from vmx_set_cr4()
KVM: SVM: Drop VMXE check from svm_set_cr4()
KVM: x86: Move vendor CR4 validity check to dedicated kvm_x86_ops hook
KVM: nVMX: Inject #UD if VMXON is attempted with incompatible CR0/CR4
KVM: VMX: Mark all PERF_GLOBAL_(OVF)_CTRL bits reserved if there's no
vPMU
KVM: Add infrastructure and macro to mark VM as bugged
SeongJae Park (2):
xen-blkback: fix persistent grants negotiation
xen-blkfront: Apply 'feature_persistent' parameter when connect
Serge Semin (4):
dmaengine: dw-edma: Fix eDMA Rd/Wr-channels and DMA-direction
semantics
PCI: dwc: Add unroll iATU space support to dw_pcie_disable_atu()
PCI: dwc: Deallocate EPC memory on dw_pcie_ep_init() errors
PCI: dwc: Always enable CDM check if "snps,enable-cdm-check" exists
Sergey Shtylyov (1):
usb: host: xhci: use snprintf() in xhci_decode_trb()
Shengjiu Wang (1):
ASoC: fsl_easrc: use snd_pcm_format_t type for sample_format
Shunsuke Mie (1):
PCI: endpoint: Don't stop controller when unbinding endpoint function
Sibi Sankar (1):
remoteproc: sysmon: Wait for SSCTL service to come up
Siddh Raman Pant (1):
x86/numa: Use cpumask_available instead of hardcoded NULL check
Sireesh Kodali (1):
remoteproc: qcom: wcnss: Fix handling of IRQs
Srinivas Kandagatla (2):
ASoC: codecs: msm8916-wcd-digital: move gains from SX_TLV to S8_TLV
ASoC: codecs: wcd9335: move gains from SX_TLV to S8_TLV
Stefan Roese (1):
PCI/portdrv: Don't disable AER reporting in
get_port_device_capability()
Steffen Maier (1):
scsi: zfcp: Fix missing auto port scan and thus missing target ports
Stephan Gerhold (1):
regulator: qcom_smd: Fix pm8916_pldo range
Stephen Boyd (1):
platform/chrome: cros_ec: Always expose last resume result
Steven Rostedt (Google) (2):
ftrace/x86: Add back ftrace_expected assignment
tracing: Use a struct alignof to determine trace event field alignment
Sudeep Holla (1):
firmware: arm_scpi: Ensure scpi_info is not assigned if the probe
fails
Sumit Garg (1):
arm64: dts: qcom: qcs404: Fix incorrect USB2 PHYs assignment
Suzuki K Poulose (1):
coresight: Clear the connection field properly
Tadeusz Struk (1):
sched/fair: Fix fault in reweight_entity
Tali Perry (2):
i2c: npcm: Remove own slave addresses 2:10
i2c: npcm: Correct slave role behavior
Tamás Szűcs (1):
arm64: tegra: Fix SDMMC1 CD on P2888
Tang Bin (3):
usb: gadget: tegra-xudc: Fix error check in
tegra_xudc_powerdomain_init()
usb: xhci: tegra: Fix error check
opp: Fix error check in dev_pm_opp_attach_genpd()
Tetsuo Handa (4):
tty: vt: initialize unicode screen buffer
lockdep: Allow tuning tracing capacity constants.
PM: hibernate: defer device probing when resuming from hibernation
lib/smp_processor_id: fix imbalanced instrumentation_end() call
Theodore Ts'o (1):
ext4: update s_overhead_clusters in the superblock during an on-line
resize
Thinh Nguyen (1):
usb: dwc3: core: Deprecate GCTL.CORESOFTRESET
Thomas Gleixner (1):
netfilter: xtables: Bring SPDX identifier back
Tianchen Ding (1):
sched: Fix the check of nr_running at queue wakelist
Tianjia Zhang (1):
KEYS: asymmetric: enforce SM2 signature use pkey algo
Tim Crawford (1):
ALSA: hda/realtek: Add quirk for Clevo NV45PZ
Timur Tabi (1):
drm/nouveau: fix another off-by-one in nvbios_addr
Tom Lendacky (1):
crypto: ccp - During shutdown, check SEV data pointer before using
Tom Rix (2):
ASoC: samsung: change gpiod_speaker_power and rx1950_audio from global
to static variables
drm/vc4: change vc4_dma_range_matches from a global to static
Tony Battersby (1):
scsi: sg: Allow waiting for commands to complete on removed device
Trond Myklebust (1):
Revert "pNFS: nfs3_set_ds_client should set NFS_CS_NOPING"
Tyler Hicks (1):
net/9p: Initialize the iounit field during fid creation
Uwe Kleine-König (6):
pwm: sifive: Don't check the return code of pwmchip_remove()
pwm: sifive: Simplify offset calculation for PWMCMP registers
pwm: sifive: Ensure the clk is enabled exactly once per running PWM
pwm: sifive: Shut down hardware only after pwmchip_remove() completed
mtd: st_spi_fsm: Add a clk_disable_unprepare() in .probe()'s error
path
mfd: t7l66xb: Drop platform disable callback
Viacheslav Mitrofanov (1):
dmaengine: sf-pdma: Add multithread support for a DMA channel
Vidya Sagar (2):
PCI: tegra194: Fix Root Port interrupt handling
PCI: tegra194: Fix link up retry sequence
Vincent Mailhol (10):
can: pch_can: do not report txerr and rxerr during bus-off
can: rcar_can: do not report txerr and rxerr during bus-off
can: sja1000: do not report txerr and rxerr during bus-off
can: hi311x: do not report txerr and rxerr during bus-off
can: sun4i_can: do not report txerr and rxerr during bus-off
can: kvaser_usb_hydra: do not report txerr and rxerr during bus-off
can: kvaser_usb_leaf: do not report txerr and rxerr during bus-off
can: usb_8dev: do not report txerr and rxerr during bus-off
can: error: specify the values of data[5..7] of CAN error frames
can: pch_can: pch_can_error(): initialize errc before using it
Vitaly Kuznetsov (2):
KVM: x86: Check lapic_in_kernel() before attempting to set a SynIC irq
KVM: x86: Avoid theoretical NULL pointer dereference in
kvm_irq_delivery_to_apic_fast()
Vladimir Zapolskiy (1):
clk: qcom: camcc-sdm845: Fix topology around titan_top power domain
Waiman Long (1):
sched, cpuset: Fix dl_cpu_busy() panic due to empty cs->cpus_allowed
Weitao Wang (1):
USB: HCD: Fix URB giveback issue in tasklet function
William Dean (3):
parisc: Check the return value of ioremap() in lba_driver_probe()
irqchip/mips-gic: Check the return value of ioremap() in gic_of_init()
watchdog: armada_37xx_wdt: check the return value of devm_ioremap() in
armada_37xx_wdt_probe()
Wolfram Sang (2):
selftests: timers: valid-adjtimex: build fix for newer toolchains
selftests: timers: clocksource-switch: fix passing errors from child
Wyes Karny (1):
x86: Handle idle=nomwait cmdline properly for x86_idle
Xiaomeng Tong (2):
media: [PATCH] pci: atomisp_cmd: fix three missing checks on list
iterator
virtio-gpu: fix a missing check to avoid NULL dereference
Xie Shaowen (1):
Input: gscps2 - check return value of ioremap() in gscps2_probe()
Xie Yongji (1):
fuse: Remove the control interface for virtio-fs
Xinlei Lee (2):
drm/mediatek: Modify dsi funcs to atomic operations
drm/mediatek: Add pull-down MIPI operation in mtk_dsi_poweroff
function
Xiu Jianfeng (1):
selinux: Add boundary check in put_entry()
Xu Wang (1):
i2c: Fix a potential use after free
Yang Xu (1):
fs: Add missing umask strip in vfs_tmpfile
Yang Yingliang (2):
bus: hisi_lpc: fix missing platform_device_put() in
hisi_lpc_acpi_probe()
xtensa: iss: fix handling error cases in iss_net_configure()
Yangtao Li (1):
pwm: lpc18xx-sct: Convert to devm_platform_ioremap_resource()
Ye Bin (1):
ext4: fix warning in ext4_iomap_begin as race between bmap and write
YiFei Zhu (1):
selftests/seccomp: Fix compile warning when CC=clang
Yonglong Li (1):
tcp: make retransmitted SKB fit into the send window
Yunhao Tian (1):
drm/mipi-dbi: align max_chunk to 2 in spi_transfer
Zhengchao Shao (2):
crypto: hisilicon - Kunpeng916 crypto driver don't sleep when in
softirq
crypto: hisilicon/hpre - don't use GFP_KERNEL to alloc mem during
softirq
Zhenguo Zhao (1):
tty: n_gsm: Delete gsmtty open SABM frame when config requester
Zheyu Ma (7):
ALSA: bcd2000: Fix a UAF bug on the error path of probing
iio: light: isl29028: Fix the warning in isl29028_remove()
media: tw686x: Register the irq at the end of probe
video: fbdev: arkfb: Fix a divide-by-zero bug in ark_set_pixclock()
video: fbdev: vt8623fb: Check the size of screen before memset_io()
video: fbdev: arkfb: Check the size of screen before memset_io()
video: fbdev: s3fb: Check the size of screen before memset_io()
Zhu Yanjun (1):
RDMA/rxe: Fix error unwind in rxe_create_qp()
Zoltan Tamas Vajda (1):
HID: hid-input: add Surface Go battery quirk
huhai (1):
ACPI: LPSS: Fix missing check in register_device_clock()
.../ABI/testing/sysfs-driver-xen-blkback | 2 +-
.../ABI/testing/sysfs-driver-xen-blkfront | 2 +-
.../admin-guide/kernel-parameters.txt | 29 +-
Documentation/admin-guide/pm/cpuidle.rst | 15 +-
Documentation/driver-api/vfio.rst | 31 +-
Makefile | 3 +
arch/arm/boot/dts/Makefile | 1 +
arch/arm/boot/dts/aspeed-ast2500-evb.dts | 2 +-
arch/arm/boot/dts/aspeed-ast2600-evb.dts | 2 +-
arch/arm/boot/dts/bcm53015-meraki-mr26.dts | 166 ++++++++++
arch/arm/boot/dts/imx53-ppd.dts | 2 +-
arch/arm/boot/dts/imx6dl-colibri-eval-v3.dts | 2 +-
arch/arm/boot/dts/imx6q-apalis-eval.dts | 2 +-
arch/arm/boot/dts/imx6q-apalis-ixora-v1.1.dts | 2 +-
arch/arm/boot/dts/imx6q-apalis-ixora.dts | 2 +-
arch/arm/boot/dts/imx6ul.dtsi | 33 +-
arch/arm/boot/dts/imx7-colibri-aster.dtsi | 2 +-
arch/arm/boot/dts/imx7-colibri-eval-v3.dtsi | 2 +-
arch/arm/boot/dts/imx7d-colibri-emmc.dtsi | 4 +
.../boot/dts/motorola-mapphone-common.dtsi | 2 +-
arch/arm/boot/dts/qcom-mdm9615.dtsi | 1 +
arch/arm/boot/dts/qcom-pm8841.dtsi | 1 +
arch/arm/boot/dts/s5pv210-aries.dtsi | 2 +-
.../boot/dts/tegra20-acer-a500-picasso.dts | 2 +-
arch/arm/boot/dts/uniphier-pxs2.dtsi | 8 +-
arch/arm/lib/findbit.S | 16 +-
arch/arm/mach-bcm/bcm_kona_smc.c | 1 +
arch/arm/mach-omap2/display.c | 3 +
arch/arm/mach-omap2/prm3xxx.c | 1 +
.../mach-shmobile/regulator-quirk-rcar-gen2.c | 5 +-
arch/arm/mach-zynq/common.c | 1 +
.../dts/allwinner/sun50i-a64-orangepi-win.dts | 2 +-
.../dts/mediatek/mt7622-bananapi-bpi-r64.dts | 2 +-
.../arm64/boot/dts/nvidia/tegra194-p2888.dtsi | 2 +-
arch/arm64/boot/dts/qcom/ipq8074.dtsi | 2 +-
arch/arm64/boot/dts/qcom/qcs404.dtsi | 4 +-
.../dts/renesas/beacon-renesom-baseboard.dtsi | 6 +-
arch/arm64/boot/dts/renesas/r8a774c0.dtsi | 2 +-
arch/arm64/boot/dts/renesas/r8a77990.dtsi | 2 +-
.../boot/dts/socionext/uniphier-pxs3.dtsi | 8 +-
arch/arm64/crypto/Kconfig | 1 +
arch/arm64/include/asm/processor.h | 3 +-
arch/arm64/kernel/cpufeature.c | 2 +-
arch/arm64/kvm/hyp/nvhe/switch.c | 2 +-
arch/arm64/kvm/hyp/vhe/switch.c | 2 +-
arch/hexagon/Kconfig | 1 +
arch/ia64/include/asm/processor.h | 2 +-
arch/mips/kernel/proc.c | 2 +-
arch/parisc/kernel/drivers.c | 9 +-
arch/parisc/kernel/syscalls/syscall.tbl | 2 +-
arch/powerpc/kernel/Makefile | 1 +
arch/powerpc/kernel/pci-common.c | 29 +-
arch/powerpc/mm/ptdump/shared.c | 6 +-
arch/powerpc/perf/core-book3s.c | 35 +-
arch/powerpc/platforms/Kconfig.cputype | 4 +-
arch/powerpc/platforms/cell/axon_msi.c | 1 +
arch/powerpc/platforms/cell/spufs/inode.c | 1 +
arch/powerpc/platforms/powernv/rng.c | 2 +
arch/powerpc/sysdev/fsl_pci.c | 8 +
arch/powerpc/sysdev/fsl_pci.h | 1 +
arch/powerpc/sysdev/xive/spapr.c | 1 +
arch/riscv/kernel/reset.c | 12 +-
arch/s390/include/asm/gmap.h | 2 +
arch/s390/kernel/asm-offsets.c | 2 +
arch/s390/kernel/crash_dump.c | 2 +-
arch/s390/kernel/machine_kexec_file.c | 18 +-
arch/s390/kernel/os_info.c | 3 +-
arch/s390/kvm/intercept.c | 15 +
arch/s390/kvm/pv.c | 9 +-
arch/s390/kvm/sigp.c | 4 +-
arch/s390/mm/gmap.c | 86 +++++
arch/um/Kconfig | 5 +
arch/um/drivers/random.c | 2 +-
arch/um/include/shared/kern_util.h | 2 +
arch/um/include/shared/os.h | 1 +
arch/um/kernel/um_arch.c | 25 ++
arch/um/os-Linux/signal.c | 14 +-
arch/x86/boot/Makefile | 2 +-
arch/x86/boot/compressed/Makefile | 2 +
arch/x86/entry/Makefile | 3 +-
arch/x86/entry/thunk_32.S | 2 -
arch/x86/entry/thunk_64.S | 4 -
arch/x86/entry/vdso/Makefile | 2 +-
arch/x86/include/asm/kvm_host.h | 7 +-
arch/x86/kernel/cpu/bugs.c | 10 +-
arch/x86/kernel/ftrace.c | 1 +
arch/x86/kernel/process.c | 9 +-
arch/x86/kvm/emulate.c | 23 +-
arch/x86/kvm/hyperv.c | 3 +
arch/x86/kvm/lapic.c | 4 +
arch/x86/kvm/mmu/mmu.c | 2 +-
arch/x86/kvm/pmu.c | 36 +-
arch/x86/kvm/svm/pmu.c | 1 +
arch/x86/kvm/svm/svm.c | 14 +-
arch/x86/kvm/svm/svm.h | 2 +-
arch/x86/kvm/vmx/nested.c | 99 +++---
arch/x86/kvm/vmx/pmu_intel.c | 12 +-
arch/x86/kvm/vmx/vmx.c | 35 +-
arch/x86/kvm/vmx/vmx.h | 2 +-
arch/x86/kvm/x86.c | 17 +-
arch/x86/mm/numa.c | 4 +-
arch/x86/platform/olpc/olpc-xo1-sci.c | 2 +-
arch/x86/um/Makefile | 3 +-
arch/xtensa/platforms/iss/network.c | 42 ++-
block/bio.c | 3 -
block/blk-merge.c | 2 +-
block/blk-mq-debugfs.c | 3 +
block/blk-mq-sched.c | 2 +-
block/blk-mq.c | 8 +-
crypto/asymmetric_keys/public_key.c | 7 +-
drivers/acpi/acpi_lpss.c | 3 +
drivers/acpi/apei/einj.c | 2 +
drivers/acpi/cppc_acpi.c | 54 ++-
drivers/acpi/ec.c | 82 +----
drivers/acpi/processor_idle.c | 6 +-
drivers/acpi/sleep.c | 8 +
drivers/block/null_blk_main.c | 14 +-
drivers/block/xen-blkback/xenbus.c | 20 +-
drivers/block/xen-blkfront.c | 4 +-
drivers/bluetooth/hci_intel.c | 6 +-
drivers/bus/hisi_lpc.c | 10 +-
drivers/clk/mediatek/reset.c | 4 +-
drivers/clk/qcom/camcc-sdm845.c | 4 +
drivers/clk/qcom/clk-krait.c | 7 +-
drivers/clk/qcom/gcc-ipq8074.c | 60 +++-
drivers/clk/renesas/r9a06g032-clocks.c | 8 +-
.../allwinner/sun8i-ss/sun8i-ss-cipher.c | 1 +
.../crypto/allwinner/sun8i-ss/sun8i-ss-core.c | 22 +-
.../crypto/allwinner/sun8i-ss/sun8i-ss-hash.c | 15 +-
drivers/crypto/allwinner/sun8i-ss/sun8i-ss.h | 4 +
drivers/crypto/ccp/sev-dev.c | 2 +-
drivers/crypto/hisilicon/hpre/hpre_crypto.c | 2 +-
drivers/crypto/hisilicon/sec/sec_algs.c | 14 +-
drivers/crypto/hisilicon/sec/sec_drv.h | 2 +-
drivers/crypto/hisilicon/sec2/sec_crypto.c | 6 +-
drivers/crypto/hisilicon/sec2/sec_crypto.h | 1 +
drivers/crypto/inside-secure/safexcel.c | 2 +
drivers/dma/dw-edma/dw-edma-core.c | 2 +-
drivers/dma/sf-pdma/sf-pdma.c | 49 ++-
drivers/firmware/arm_scpi.c | 61 ++--
drivers/firmware/tegra/bpmp-debugfs.c | 10 +-
drivers/fpga/altera-pr-ip-core.c | 2 +-
drivers/gpio/gpiolib-of.c | 4 +-
drivers/gpu/drm/amd/amdgpu/amdgpu_object.c | 4 +
drivers/gpu/drm/bridge/adv7511/adv7511_drv.c | 24 +-
drivers/gpu/drm/bridge/sil-sii8620.c | 4 +-
drivers/gpu/drm/bridge/tc358767.c | 62 +++-
drivers/gpu/drm/drm_gem.c | 4 +-
drivers/gpu/drm/drm_mipi_dbi.c | 7 +
drivers/gpu/drm/exynos/exynos7_drm_decon.c | 17 +-
.../drm/i915/display/intel_display_debugfs.c | 4 +-
drivers/gpu/drm/i915/i915_reg.h | 3 +-
drivers/gpu/drm/mcde/mcde_dsi.c | 1 +
drivers/gpu/drm/mediatek/mtk_dpi.c | 33 +-
drivers/gpu/drm/mediatek/mtk_dsi.c | 126 ++++---
drivers/gpu/drm/msm/disp/mdp5/mdp5_pipe.c | 3 +-
drivers/gpu/drm/nouveau/nouveau_display.c | 4 +-
drivers/gpu/drm/nouveau/nouveau_fbcon.c | 2 +-
.../gpu/drm/nouveau/nvkm/subdev/bios/base.c | 2 +-
drivers/gpu/drm/radeon/.gitignore | 2 +-
drivers/gpu/drm/radeon/Kconfig | 2 +-
drivers/gpu/drm/radeon/Makefile | 2 +-
drivers/gpu/drm/radeon/ni_dpm.c | 6 +-
.../gpu/drm/rockchip/analogix_dp-rockchip.c | 10 +-
drivers/gpu/drm/rockchip/rockchip_drm_vop.c | 3 +
drivers/gpu/drm/tiny/st7735r.c | 1 +
drivers/gpu/drm/vc4/vc4_crtc.c | 10 +-
drivers/gpu/drm/vc4/vc4_drv.c | 19 ++
drivers/gpu/drm/vc4/vc4_drv.h | 1 -
drivers/gpu/drm/vc4/vc4_dsi.c | 208 ++++++++----
drivers/gpu/drm/vc4/vc4_hdmi.c | 50 ++-
drivers/gpu/drm/vc4/vc4_plane.c | 30 +-
drivers/gpu/drm/virtio/virtgpu_ioctl.c | 6 +-
drivers/hid/hid-alps.c | 2 +
drivers/hid/hid-cp2112.c | 5 +
drivers/hid/hid-ids.h | 2 +
drivers/hid/hid-input.c | 4 +
drivers/hid/hid-mcp2221.c | 3 +
drivers/hid/wacom_sys.c | 2 +-
drivers/hid/wacom_wac.c | 72 ++--
drivers/hwmon/drivetemp.c | 1 +
drivers/hwtracing/coresight/coresight-core.c | 1 +
drivers/hwtracing/intel_th/msu-sink.c | 3 +
drivers/hwtracing/intel_th/msu.c | 14 +-
drivers/hwtracing/intel_th/pci.c | 25 +-
drivers/i2c/busses/i2c-cadence.c | 10 +-
drivers/i2c/busses/i2c-npcm7xx.c | 50 ++-
drivers/i2c/i2c-core-base.c | 3 +-
drivers/i2c/muxes/i2c-mux-gpmux.c | 1 +
drivers/iio/accel/bma400.h | 23 +-
drivers/iio/accel/bma400_core.c | 4 +-
drivers/iio/light/isl29028.c | 2 +-
drivers/infiniband/hw/hfi1/file_ops.c | 4 +-
drivers/infiniband/hw/mlx5/fs.c | 6 +-
drivers/infiniband/hw/qedr/verbs.c | 26 +-
drivers/infiniband/sw/rxe/rxe_qp.c | 12 +-
drivers/infiniband/sw/siw/siw_cm.c | 7 +-
drivers/infiniband/ulp/rtrs/rtrs-clt.c | 5 -
drivers/infiniband/ulp/rtrs/rtrs-pri.h | 22 +-
drivers/infiniband/ulp/rtrs/rtrs-srv.c | 4 +-
drivers/infiniband/ulp/srpt/ib_srpt.c | 148 ++++++---
drivers/infiniband/ulp/srpt/ib_srpt.h | 18 +-
drivers/input/serio/gscps2.c | 4 +
drivers/input/touchscreen/atmel_mxt_ts.c | 6 +-
drivers/interconnect/imx/imx.c | 8 +-
drivers/iommu/arm/arm-smmu/qcom_iommu.c | 7 +-
drivers/iommu/exynos-iommu.c | 6 +-
drivers/iommu/intel/dmar.c | 2 +-
drivers/irqchip/Kconfig | 5 +-
drivers/irqchip/irq-mips-gic.c | 84 +++--
drivers/md/dm-raid.c | 4 +-
drivers/md/dm-rq.c | 2 +-
drivers/md/dm-writecache.c | 2 +-
drivers/md/dm.c | 5 +
drivers/md/md.c | 2 +-
drivers/md/raid10.c | 5 +-
drivers/media/pci/tw686x/tw686x-core.c | 18 +-
drivers/media/pci/tw686x/tw686x-video.c | 4 +-
drivers/media/platform/mtk-mdp/mtk_mdp_ipi.h | 2 +
drivers/media/usb/hdpvr/hdpvr-video.c | 2 +-
drivers/media/v4l2-core/v4l2-mem2mem.c | 2 +-
drivers/memstick/core/ms_block.c | 11 +-
drivers/mfd/max77620.c | 2 +
drivers/mfd/t7l66xb.c | 6 +-
drivers/misc/cardreader/rtsx_pcr.c | 6 +-
drivers/misc/eeprom/idt_89hpesx.c | 8 +-
drivers/mmc/core/block.c | 28 +-
drivers/mmc/host/cavium-octeon.c | 1 +
drivers/mmc/host/cavium-thunderx.c | 4 +-
drivers/mmc/host/sdhci-of-at91.c | 9 +-
drivers/mmc/host/sdhci-of-esdhc.c | 1 +
drivers/mtd/devices/st_spi_fsm.c | 8 +-
drivers/mtd/maps/physmap-versatile.c | 2 +
drivers/mtd/nand/raw/arasan-nand-controller.c | 57 +++-
drivers/mtd/nand/raw/atmel/nand-controller.c | 2 +-
drivers/mtd/nand/raw/meson_nand.c | 1 -
drivers/mtd/nand/raw/nand_timings.c | 255 +++++++++++++++
drivers/mtd/parsers/redboot.c | 1 +
drivers/mtd/sm_ftl.c | 2 +-
drivers/net/can/pch_can.c | 8 +-
drivers/net/can/rcar/rcar_can.c | 8 +-
drivers/net/can/sja1000/sja1000.c | 7 +-
drivers/net/can/spi/hi311x.c | 5 +-
drivers/net/can/sun4i_can.c | 9 +-
.../net/can/usb/kvaser_usb/kvaser_usb_hydra.c | 12 +-
.../net/can/usb/kvaser_usb/kvaser_usb_leaf.c | 6 +-
drivers/net/can/usb/usb_8dev.c | 7 +-
drivers/net/ethernet/intel/iavf/iavf.h | 1 +
drivers/net/ethernet/intel/iavf/iavf_main.c | 25 +-
drivers/net/ethernet/mellanox/mlx5/core/en.h | 2 +-
.../mellanox/mlx5/core/en_accel/ktls.c | 2 +-
.../net/ethernet/pensando/ionic/ionic_lif.c | 2 +-
drivers/net/netdevsim/bpf.c | 8 +-
drivers/net/usb/ax88179_178a.c | 20 +-
drivers/net/usb/smsc95xx.c | 20 +-
drivers/net/usb/usbnet.c | 8 +-
drivers/net/wireguard/allowedips.c | 9 +-
drivers/net/wireguard/selftest/allowedips.c | 6 +-
drivers/net/wireguard/selftest/ratelimiter.c | 25 +-
drivers/net/wireless/ath/ath10k/snoc.c | 5 +-
drivers/net/wireless/ath/ath11k/core.c | 16 +-
drivers/net/wireless/ath/ath11k/debug.h | 4 +-
drivers/net/wireless/ath/wil6210/debugfs.c | 18 +-
drivers/net/wireless/intel/iwlegacy/4965-rs.c | 5 +-
drivers/net/wireless/intel/iwlwifi/mvm/sta.c | 1 +
drivers/net/wireless/intersil/p54/main.c | 2 +-
drivers/net/wireless/intersil/p54/p54spi.c | 3 +-
drivers/net/wireless/mac80211_hwsim.c | 14 +-
.../net/wireless/marvell/libertas/if_usb.c | 1 +
drivers/net/wireless/marvell/mwifiex/main.h | 2 +
drivers/net/wireless/marvell/mwifiex/pcie.c | 3 +
.../net/wireless/marvell/mwifiex/sta_event.c | 3 +
drivers/net/wireless/mediatek/mt76/mac80211.c | 1 +
.../wireless/mediatek/mt76/mt76x02_usb_mcu.c | 2 +-
drivers/net/wireless/realtek/rtlwifi/debug.c | 8 +-
drivers/nvdimm/pmem_legacy_device.c | 7 +-
drivers/nvme/host/trace.h | 2 +-
drivers/opp/core.c | 4 +-
drivers/parisc/lba_pci.c | 6 +-
.../pci/controller/dwc/pcie-designware-ep.c | 18 +-
drivers/pci/controller/dwc/pcie-designware.c | 30 +-
drivers/pci/controller/dwc/pcie-qcom.c | 10 +-
drivers/pci/controller/dwc/pcie-tegra194.c | 49 ++-
drivers/pci/endpoint/functions/pci-epf-test.c | 1 -
drivers/pci/pcie/aer.c | 7 +-
drivers/pci/pcie/portdrv_core.c | 9 +-
drivers/perf/arm_spe_pmu.c | 22 +-
drivers/platform/chrome/cros_ec.c | 8 +-
drivers/platform/olpc/olpc-ec.c | 2 +-
drivers/pwm/pwm-lpc18xx-sct.c | 4 +-
drivers/pwm/pwm-sifive.c | 65 ++--
drivers/regulator/of_regulator.c | 6 +-
drivers/regulator/qcom_smd-regulator.c | 4 +-
drivers/remoteproc/qcom_sysmon.c | 10 +
drivers/remoteproc/qcom_wcnss.c | 10 +-
drivers/remoteproc/ti_k3_r5_remoteproc.c | 2 +
drivers/rpmsg/mtk_rpmsg.c | 2 +
drivers/rpmsg/qcom_smd.c | 1 +
drivers/s390/char/zcore.c | 11 +-
drivers/s390/cio/vfio_ccw_drv.c | 14 +-
drivers/s390/scsi/zfcp_fc.c | 29 +-
drivers/s390/scsi/zfcp_fc.h | 6 +-
drivers/s390/scsi/zfcp_fsf.c | 7 +-
drivers/scsi/qla2xxx/qla_def.h | 5 +-
drivers/scsi/qla2xxx/qla_gbl.h | 3 +-
drivers/scsi/qla2xxx/qla_gs.c | 11 +-
drivers/scsi/qla2xxx/qla_init.c | 48 ++-
drivers/scsi/qla2xxx/qla_isr.c | 20 +-
drivers/scsi/qla2xxx/qla_mbx.c | 19 +-
drivers/scsi/qla2xxx/qla_nvme.c | 5 -
drivers/scsi/sg.c | 53 +--
drivers/scsi/smartpqi/smartpqi_init.c | 4 +-
drivers/soc/amlogic/meson-mx-socinfo.c | 1 +
drivers/soc/amlogic/meson-secure-pwrc.c | 4 +-
drivers/soc/fsl/guts.c | 2 +-
drivers/soc/qcom/Kconfig | 1 +
drivers/soc/qcom/ocmem.c | 3 +
drivers/soc/qcom/qcom_aoss.c | 4 +-
drivers/soc/renesas/r8a779a0-sysc.c | 10 +-
drivers/soundwire/bus_type.c | 8 +-
drivers/spi/spi-rspi.c | 4 +
drivers/spi/spi-synquacer.c | 1 +
.../staging/media/atomisp/pci/atomisp_cmd.c | 57 ++--
.../staging/media/sunxi/cedrus/cedrus_h265.c | 3 +
drivers/staging/rtl8192u/r8192U.h | 2 +-
drivers/staging/rtl8192u/r8192U_dm.c | 38 +--
drivers/staging/rtl8192u/r8192U_dm.h | 2 +-
drivers/tee/tee_shm.c | 3 +
drivers/thermal/thermal_sysfs.c | 10 +-
drivers/tty/n_gsm.c | 199 ++++++++---
drivers/tty/serial/8250/8250.h | 22 ++
drivers/tty/serial/8250/8250_dw.c | 3 +
drivers/tty/serial/8250/8250_pci.c | 308 +++++++++---------
drivers/tty/serial/8250/8250_port.c | 21 --
drivers/tty/serial/mvebu-uart.c | 11 +
drivers/tty/vt/vt.c | 2 +-
drivers/usb/cdns3/gadget.c | 11 +-
drivers/usb/core/hcd.c | 26 +-
drivers/usb/dwc3/core.c | 9 +-
drivers/usb/dwc3/dwc3-qcom.c | 4 +-
drivers/usb/dwc3/gadget.c | 92 +++---
drivers/usb/gadget/udc/Kconfig | 2 +-
drivers/usb/gadget/udc/aspeed-vhub/hub.c | 4 +-
drivers/usb/gadget/udc/tegra-xudc.c | 8 +-
drivers/usb/host/ehci-ppc-of.c | 1 +
drivers/usb/host/ohci-nxp.c | 1 +
drivers/usb/host/xhci-tegra.c | 8 +-
drivers/usb/host/xhci.h | 2 +-
drivers/usb/serial/sierra.c | 3 +-
drivers/usb/serial/usb-serial.c | 2 +-
drivers/usb/serial/usb_wwan.c | 3 +-
drivers/usb/typec/ucsi/ucsi.c | 4 +
drivers/vfio/mdev/mdev_private.h | 5 +-
drivers/vfio/vfio.c | 207 +++++-------
drivers/video/fbdev/amba-clcd.c | 24 +-
drivers/video/fbdev/arkfb.c | 9 +-
drivers/video/fbdev/core/fbcon.c | 12 +-
drivers/video/fbdev/s3fb.c | 2 +
drivers/video/fbdev/sis/init.c | 4 +-
drivers/video/fbdev/vt8623fb.c | 2 +
drivers/watchdog/armada_37xx_wdt.c | 2 +
fs/attr.c | 2 +
fs/btrfs/block-group.c | 1 +
fs/btrfs/disk-io.c | 14 +
fs/btrfs/raid56.c | 74 ++++-
fs/erofs/decompressor.c | 16 +-
fs/eventpoll.c | 22 ++
fs/ext2/super.c | 12 +-
fs/ext4/inode.c | 19 +-
fs/ext4/resize.c | 1 +
fs/f2fs/file.c | 9 +-
fs/f2fs/gc.c | 41 ++-
fs/fuse/control.c | 4 +-
fs/fuse/inode.c | 6 +
fs/namei.c | 4 +
fs/nfs/nfs3client.c | 1 -
fs/overlayfs/export.c | 2 +-
fs/splice.c | 10 +-
include/acpi/cppc_acpi.h | 2 +-
include/linux/bitmap.h | 12 +-
include/linux/blktrace_api.h | 5 +-
include/linux/buffer_head.h | 25 +-
include/linux/kfifo.h | 2 +-
include/linux/kvm_host.h | 28 +-
include/linux/lockdep.h | 30 +-
include/linux/mfd/t7l66xb.h | 1 -
include/linux/mtd/rawnand.h | 123 ++++++-
include/linux/pci_ids.h | 2 +
include/linux/sched.h | 2 +-
include/linux/tpm_eventlog.h | 2 +-
include/linux/usb/hcd.h | 1 +
include/linux/vfio.h | 16 +
include/linux/wait.h | 9 +-
include/net/inet6_hashtables.h | 27 +-
include/net/inet_hashtables.h | 44 +--
include/net/inet_sock.h | 18 +-
include/net/sock.h | 3 -
include/trace/events/block.h | 30 +-
include/trace/events/spmi.h | 12 +-
include/trace/trace_events.h | 8 +-
include/uapi/linux/can/error.h | 5 +-
include/uapi/linux/netfilter/xt_IDLETIMER.h | 17 +-
kernel/bpf/verifier.c | 4 +-
kernel/cgroup/cpuset.c | 2 +-
kernel/irq/Kconfig | 1 +
kernel/irq/chip.c | 3 +-
kernel/kprobes.c | 3 +-
kernel/locking/lockdep.c | 9 +-
kernel/locking/lockdep_internals.h | 8 +-
kernel/power/user.c | 13 +-
kernel/profile.c | 7 +
kernel/sched/core.c | 34 +-
kernel/sched/deadline.c | 52 +--
kernel/sched/rt.c | 15 +-
kernel/sched/sched.h | 3 +-
kernel/time/hrtimer.c | 1 +
kernel/time/timekeeping.c | 7 +-
kernel/trace/blktrace.c | 46 +--
lib/Kconfig.debug | 40 +++
lib/bitmap.c | 42 ++-
lib/livepatch/test_klp_callbacks_busy.c | 8 +
lib/smp_processor_id.c | 2 +-
lib/test_bpf.c | 4 +-
mm/mmap.c | 1 -
net/9p/client.c | 5 +-
net/bluetooth/l2cap_core.c | 13 +-
net/dccp/proto.c | 10 +-
net/ipv4/inet_hashtables.c | 17 +-
net/ipv4/tcp_output.c | 30 +-
net/ipv4/udp.c | 3 +-
net/ipv6/inet6_hashtables.c | 6 +-
net/ipv6/udp.c | 2 +-
net/mac80211/sta_info.c | 6 +-
net/netfilter/nf_tables_api.c | 1 +
net/rose/af_rose.c | 11 +-
net/rose/rose_route.c | 2 +
net/sched/cls_route.c | 10 +
scripts/faddr2line | 4 +-
security/selinux/ss/policydb.h | 2 +
sound/pci/hda/patch_cirrus.c | 1 +
sound/pci/hda/patch_conexant.c | 11 +-
sound/pci/hda/patch_realtek.c | 15 +
sound/soc/atmel/mchp-spdifrx.c | 9 +-
sound/soc/codecs/cros_ec_codec.c | 1 +
sound/soc/codecs/da7210.c | 2 +
sound/soc/codecs/msm8916-wcd-digital.c | 46 +--
sound/soc/codecs/wcd9335.c | 81 ++---
sound/soc/fsl/fsl_easrc.c | 9 +-
sound/soc/fsl/fsl_easrc.h | 2 +-
sound/soc/generic/audio-graph-card.c | 4 +-
sound/soc/mediatek/mt6797/mt6797-mt6351.c | 6 +-
.../mediatek/mt8173/mt8173-rt5650-rt5676.c | 10 +-
sound/soc/mediatek/mt8173/mt8173-rt5650.c | 9 +-
sound/soc/qcom/lpass-cpu.c | 1 +
sound/soc/qcom/qdsp6/q6adm.c | 2 +-
sound/soc/samsung/aries_wm8994.c | 6 +-
sound/soc/samsung/h1940_uda1380.c | 2 +-
sound/soc/samsung/rx1950_uda1380.c | 4 +-
sound/usb/bcd2000/bcd2000.c | 3 +-
tools/lib/bpf/libbpf.c | 9 +-
tools/lib/bpf/xsk.c | 9 +-
tools/perf/util/dsos.c | 15 +-
tools/perf/util/genelf.c | 6 +-
tools/perf/util/symbol-elf.c | 27 +-
tools/testing/selftests/bpf/prog_tests/btf.c | 2 +-
.../selftests/kvm/lib/x86_64/processor.c | 2 +-
tools/testing/selftests/seccomp/seccomp_bpf.c | 2 +-
.../selftests/timers/clocksource-switch.c | 6 +-
.../testing/selftests/timers/valid-adjtimex.c | 2 +-
tools/thermal/tmon/sysfs.c | 24 +-
tools/thermal/tmon/tmon.h | 3 +
virt/kvm/kvm_main.c | 26 +-
472 files changed, 4378 insertions(+), 2282 deletions(-)
create mode 100644 arch/arm/boot/dts/bcm53015-meraki-mr26.dts
--
2.20.1
Backport 5.10.137 LTS patches from upstream.
git cherry-pick v5.10.136..v5.10.137~1 -s
Already merged(-41):
f5f3e54f8116 mm: Add kvrealloc()
e32bb2428104 xfs: only set IOMAP_F_SHARED when providing a srcmap to a write
0a69f1f84207 xfs: fix I_DONTCACHE
2613baa3ab21 mm/mremap: hold the rmap lock in write mode when moving page table
entries.
1a4b18b1ff11 netfilter: nf_tables: do not allow SET_ID to refer to another table
9e7dcb88ec8e netfilter: nf_tables: do not allow CHAIN_ID to refer to another
table
0cc5c6b7567d netfilter: nf_tables: do not allow RULE_ID to refer to another
chain
353b4673d01c arm64: fix oops in concurrently setting insn_emulation sysctls
d0412d8f693e net: fix sk_wmem_schedule() and sk_rmem_schedule() errors
eccd7c3e2596 ath9k: fix use-after-free in ath9k_hif_usb_rx_cb
1f697d795290 crypto: hisilicon/sec - fixes some coding style
16e18a8ac7c9 crypto: hisilicon/sec - don't sleep when in softirq
0ecc91cf9645 RDMA/hns: Fix incorrect clearing of interrupt status register
914bf4aa2d5b jbd2: fix outstanding credits assert in
jbd2_journal_commit_transaction()
a6d7f224730e ext4: recover csum seed of tmp_inode after migrating to extents
f7161d0da975 jbd2: fix assertion 'jh->b_frozen_data == NULL' failure when
journal aborted
541840859ace posix-cpu-timers: Cleanup CPU timers before freeing them during
exec
dce8d7427c6a PCI/AER: Write AER Capability only when we control it
78d431e8a56c PCI/ERR: Bind RCEC devices to the Root Port driver
de4534ac28c4 PCI/ERR: Rename reset_link() to reset_subordinates()
f236fa38508b PCI/ERR: Simplify by using pci_upstream_bridge()
2e3458b995aa PCI/ERR: Simplify by computing pci_pcie_type() once
078d79fad521 PCI/ERR: Use "bridge" for clarity in pcie_do_recovery()
7730ba6151b7 PCI/ERR: Avoid negated conditional for clarity
bb6990fd3729 PCI/ERR: Add pci_walk_bridge() to pcie_do_recovery()
d83d886e69bd PCI/ERR: Recover from RCEC AER errors
5e2cf705155a dm thin: fix use-after-free crash in
dm_sm_register_threshold_callback
441726394efa KVM: x86/pmu: preserve IA32_PERF_CAPABILITIES across CPUID refresh
1571c4613059 ext4: check if directory block is within i_size
2da44a2927a7 ext4: add EXT4_INODE_HAS_XATTR_SPACE macro in xattr.h
69d1a36eb4b2 ext4: make sure ext4_append() always allocates new block
bb8592efcf8e ext4: fix use-after-free in ext4_xattr_set_entry
603fb7bd744a ext4: correct max_inline_xattr_value_size computing
d0b495aa2692 ext4: correct the misjudgment in ext4_iget_extra_inode
7018f03d97da net_sched: cls_route: remove from list when handle is 0
a93f33aeef4e driver core: fix potential deadlock in __driver_attach
fb086aea3910 x86: Handle idle=nomwait cmdline properly for x86_idle
71042279b161 ACPI: APEI: Fix _EINJ vs EFI_MEMORY_SP
1008c6d98b6d crypto: hisilicon - Kunpeng916 crypto driver don't sleep when in
softirq
cb6277507998 crypto: hisilicon/hpre - don't use GFP_KERNEL to alloc mem during
softirq
c206177ca8a9 crypto: hisilicon/sec - fix auth key size error
Rejected due to openEuler hinic driver maintenance policy(-3):
8369a39b529d hinic: Use the bitmap API when applicable
e286a882f227 net: hinic: fix bug that ethtool get wrong stats
e74f3097a9c7 net: hinic: avoid kernel hung in hinic_get_stats64()
Total patches: 540 -41 -3 = 496
Aaron Lewis (1):
kvm: x86/pmu: Fix the compare function used by the pmu event filter
Adrian Hunter (1):
perf tools: Fix dso_id inode generation comparison
Ahmed Zaki (1):
mac80211: fix a memory leak where sta_info is not freed
Al Viro (1):
__follow_mount_rcu(): verify that mount_lock remains unchanged
Alex Deucher (1):
drm/radeon: fix incorrrect SPDX-License-Identifiers
Alexander Gordeev (2):
s390/dump: fix old lowcore virtual vs physical address confusion
s390/zcore: fix race when reading from hardware system area
Alexander Lobakin (3):
ia64, processor: fix -Wincompatible-pointer-types in ia64_get_irr()
x86/olpc: fix 'logical not is only applied to the left hand side'
iommu/vt-d: avoid invalid memory access via node_online(NUMA_NO_NODE)
Alexander Shishkin (4):
intel_th: msu: Fix vmalloced buffers
intel_th: pci: Add Meteor Lake-P support
intel_th: pci: Add Raptor Lake-S PCH support
intel_th: pci: Add Raptor Lake-S CPU support
Alexander Stein (6):
ARM: dts: imx6ul: add missing properties for sram
ARM: dts: imx6ul: change operating-points to uint32-matrix
ARM: dts: imx6ul: fix keypad compatible
ARM: dts: imx6ul: fix csi node compatible
ARM: dts: imx6ul: fix lcdif node compatible
ARM: dts: imx6ul: fix qspi node compatible
Alexandru Elisei (1):
arm64: cpufeature: Allow different PMU versions in ID_DFR0_EL1
Alexei Starovoitov (1):
bpf: Fix subprog names in stack traces.
Alexey Khoroshilov (1):
crypto: sun8i-ss - fix infinite loop in sun8i_ss_setup_ivs()
Alexey Kodanev (2):
drm/radeon: fix potential buffer overflow in
ni_set_mc_special_registers()
wifi: iwlegacy: 4965: fix potential off-by-one overflow in
il4965_rs_fill_link_cmd()
Allen Ballway (1):
ALSA: hda/cirrus - support for iMac 12,1 model
Amit Kumar Mahapatra (1):
mtd: rawnand: arasan: Update NAND bus clock instead of system clock
Ammar Faizi (1):
wifi: wil6210: debugfs: fix uninitialized variable use in
`wil_write_file_wmi()`
Andrea Righi (1):
x86/entry: Build thunk_$(BITS) only if CONFIG_PREEMPTION=y
Andrei Vagin (1):
selftests: kvm: set rax before vmcall
Andrey Strachuk (1):
usb: cdns3: change place of 'priv_ep' assignment in
cdns3_gadget_ep_dequeue(), cdns3_gadget_ep_enable()
Andy Shevchenko (2):
serial: 8250_pci: Refactor the loop in pci_ite887x_init()
serial: 8250_pci: Replace dev_*() by pci_*() macros
AngeloGioacchino Del Regno (2):
media: platform: mtk-mdp: Fix mdp_ipi_comm structure alignment
rpmsg: mtk_rpmsg: Fix circular locking dependency
Anquan Wu (1):
libbpf: Fix the name of a reused map
Anshuman Khandual (1):
drivers/perf: arm_spe: Fix consistency of SYS_PMSCR_EL1.CX
Ansuel Smith (1):
clk: qcom: clk-krait: unlock spin after mux completion
Antonio Borneo (2):
genirq: Don't return error on missing optional irq_request_resources()
drm: adv7511: override i2c address of cec before accessing it
Arnaldo Carvalho de Melo (1):
genelf: Use HAVE_LIBCRYPTO_SUPPORT, not the never defined
HAVE_LIBCRYPTO
Artem Borisov (1):
HID: alps: Declare U1_UNICORN_LEGACY support
Arun Easi (3):
scsi: qla2xxx: Fix discovery issues in FC-AL topology
scsi: qla2xxx: Fix losing FCP-2 targets on long port disable with I/Os
scsi: qla2xxx: Fix losing FCP-2 targets during port perturbation tests
Athira Rajeev (1):
powerpc/perf: Optimize clearing the pending PMI and remove WARN_ON for
PMI check in power_pmu_disable
Austin Kim (1):
dmaengine: sf-pdma: apply proper spinlock flags in
sf_pdma_prep_dma_memcpy()
Bart Van Assche (4):
blktrace: Trace remapped requests correctly
RDMA/srpt: Duplicate port name members
RDMA/srpt: Introduce a reference count in struct srpt_device
RDMA/srpt: Fix a use-after-free
Bartosz Golaszewski (2):
lib: bitmap: order includes alphabetically
lib: bitmap: provide devm_bitmap_alloc() and devm_bitmap_zalloc()
Bean Huo (1):
nvme: use command_id instead of req->tag in trace_nvme_complete_rq()
Bedant Patnaik (1):
ALSA: hda/realtek: Add a quirk for HP OMEN 15 (8786) mute LED
Benjamin Segall (1):
epoll: autoremove wakers even more aggressively
Biju Das (1):
spi: spi-rspi: Fix PIO fallback on RZ platforms
Bikash Hazarika (2):
scsi: qla2xxx: Fix incorrect display of max frame size
scsi: qla2xxx: Zero undefined mailbox IN registers
Bo-Chen Chen (1):
drm/mediatek: dpi: Remove output format of YUV
Brian Norris (1):
drm/rockchip: vop: Don't crash for invalid duplicate_state()
Byungki Lee (1):
f2fs: write checkpoint during FG_GC
Chao Liu (1):
f2fs: fix to remove F2FS_COMPR_FL and tag F2FS_NOCOMP_FL at the same
time
Chao Yu (1):
f2fs: don't set GC_FAILURE_PIN for background GC
Chen Zhongjin (2):
profiling: fix shift too large makes kernel panic
kprobes: Forbid probing on trampoline and BPF code areas
Cheng Xu (1):
RDMA/siw: Fix duplicated reported IW_CM_EVENT_CONNECT_REPLY event
Christian Lamparter (1):
ARM: dts: BCM5301X: Add DT for Meraki MR26
Christian Loehle (1):
mmc: block: Add single read for 4k sector cards
Christian Marangi (1):
PCI: qcom: Set up rev 2.1.0 PARF_PHY before enabling clocks
Christoph Hellwig (1):
block: remove the request_queue to argument request based tracepoints
Christophe JAILLET (8):
drm/rockchip: Fix an error handling path rockchip_dp_probe()
wifi: p54: Fix an error handling path in p54spi_probe()
mtd: rawnand: meson: Fix a potential double free issue
misc: rtsx: Fix an error handling path in rtsx_pci_probe()
intel_th: Fix a resource leak in an error handling path
memstick/ms_block: Fix some incorrect memory allocation
memstick/ms_block: Fix a memory leak
ASoC: qcom: q6dsp: Fix an off-by-one in q6adm_alloc_copp()
Christophe Leroy (2):
powerpc/ptdump: Fix display of RW pages on FSL_BOOK3E
powerpc/32: Do not allow selection of e5500 or e6500 CPUs on PPC32
Christopher Obbard (1):
um: random: Don't initialise hwrng struct with zero
Chuansheng Liu (1):
drm/i915/dg1: Update DMC_DEBUG3 register
Claudio Imbrenda (1):
KVM: s390: pv: leak the topmost page table when destroy fails
Claudiu Beznea (1):
ASoC: mchp-spdifrx: disable end of block interrupt on failures
Corentin Labbe (1):
crypto: sun8i-ss - do not allocate memory when handling hash requests
Dan Carpenter (8):
wifi: rtlwifi: fix error codes in rtl_debugfs_set_write_h2c()
crypto: sun8i-ss - fix error codes in allocate_flows()
wifi: wil6210: debugfs: fix info leak in wil_write_file_wmi()
selftests/bpf: fix a test for snprintf() overflow
eeprom: idt_89hpesx: uninitialized data in idt_dbgfs_csr_write()
platform/olpc: Fix uninitialized data in debugfs write
null_blk: fix ida error handling in null_add_dev()
kfifo: fix kfifo_to_user() return type
Daniel Starke (8):
tty: n_gsm: fix user open not possible at responder until initiator
open
tty: n_gsm: fix wrong queuing behavior in gsm_dlci_data_output()
tty: n_gsm: fix non flow control frames during mux flow off
tty: n_gsm: fix packet re-transmission without open control channel
tty: n_gsm: fix race condition in gsmld_write()
tty: n_gsm: fix wrong T1 retry count handling
tty: n_gsm: fix DM command
tty: n_gsm: fix missing corner cases in gsmld_poll()
Dave Stevenson (8):
drm/vc4: plane: Fix margin calculations for the right/bottom edges
drm/vc4: dsi: Correct DSI divider calculations
drm/vc4: dsi: Correct pixel order for DSI0
drm/vc4: dsi: Register dsi0 as the correct vc4 encoder type
drm/vc4: dsi: Fix dsi0 interrupt support
drm/vc4: dsi: Add correct stop condition to vc4_dsi_encoder_disable
iteration
drm/vc4: hdmi: Correct HDMI timing registers for interlaced modes
drm/vc4: drv: Adopt the dma configuration from the HVS or V3D
component
David Collins (1):
spmi: trace: fix stack-out-of-bound access in SPMI tracing functions
David Howells (1):
vfs: Check the truncate maximum size in inode_newsize_ok()
Dietmar Eggemann (1):
sched/deadline: Merge dl_task_can_attach() and dl_cpu_busy()
Dimitri John Ledkov (1):
riscv: set default pm_power_off to NULL
Dmitry Osipenko (1):
drm/gem: Properly annotate WW context on drm_gem_lock_reservations()
error
Dom Cobley (3):
drm/vc4: plane: Remove subpixel positioning check
drm/vc4: hdmi: Remove firmware logic for MAI threshold setting
drm/vc4: hdmi: Avoid full hdmi audio fifo writes
Duoming Zhou (3):
mtd: sm_ftl: Fix deadlock caused by cancel_work_sync in sm_release
mwifiex: fix sleep in atomic context bugs caused by dev_coredumpv
staging: rtl8192u: Fix sleep in atomic context bug in
dm_fsync_timer_callback
Elia Devito (1):
HID: Ignore battery for Elan touchscreen on HP Spectre X360 15-df0xxx
Eric Dumazet (5):
inet: add READ_ONCE(sk->sk_bound_dev_if) in INET_MATCH()
tcp: sk->sk_bound_dev_if once in inet_request_bound_dev_if()
ipv6: add READ_ONCE(sk->sk_bound_dev_if) in INET6_MATCH()
net: rose: fix netdev reference changes
tcp: fix over estimation in sk_forced_mem_schedule()
Eric Farman (1):
vfio/ccw: Do not change FSM state in subchannel event
Eric Whitney (1):
ext4: fix extent status tree race in writeback error recovery path
Eugen Hristev (1):
mmc: sdhci-of-at91: fix set_uhs_signaling rewriting of MC1R
Florian Fainelli (1):
tools/thermal: Fix possible path truncations
Florian Westphal (1):
netfilter: nf_tables: fix null deref due to zeroed list head
Francis Laniel (1):
arm64: Do not forget syscall when starting a new thread.
Gal Pressman (1):
net/mlx5e: Remove WARN_ON when trying to offload an unsupported TLS
cipher/version
Gao Xiang (1):
erofs: avoid consecutive detection for Highmem memory
Geert Uytterhoeven (3):
arm64: dts: renesas: beacon: Fix regulator node names
soc: renesas: r8a779a0-sysc: Fix A2DP1 and A2CV[2357] PDR values
arm64: dts: renesas: Fix thermal-sensors on single-zone sensors
Gioh Kim (1):
RDMA/rtrs: Define MIN_CHUNK_SIZE
Greg Kroah-Hartman (1):
Revert "mwifiex: fix sleep in atomic context bugs caused by
dev_coredumpv"
Guilherme G. Piccoli (1):
ACPI: processor/idle: Annotate more functions to live in cpuidle
section
Guillaume Ranquet (1):
drm/mediatek: dpi: Only enable dpi after the bridge is enabled
Guo Mengqi (1):
spi: synquacer: Add missing clk_disable_unprepare()
Hangyu Hua (3):
drm: bridge: sii8620: fix possible off-by-one
wifi: libertas: Fix possible refcount leak in if_usb_probe()
dccp: put dccp_qpolicy_full() and dccp_qpolicy_push() in the same lock
Hans de Goede (2):
ACPI: EC: Remove duplicate ThinkPad X1 Carbon 6th entry from DMI
quirks
ACPI: EC: Drop the EC_FLAGS_IGNORE_DSDT_GPE quirk
Harshit Mogalapalli (2):
HID: cp2112: prevent a buffer overflow in cp2112_xfer()
HID: mcp2221: prevent a buffer overflow in mcp_smbus_write()
Helge Deller (4):
fbcon: Fix boundary checks for fbcon=vc:n1-n2 parameters
fbcon: Fix accelerated fbdev scrolling while logo is still shown
parisc: Fix device names in /proc/iomem
parisc: io_pgetevents_time64() needs compat syscall in 32-bit compat
mode
Huacai Chen (2):
MIPS: cpuinfo: Fix a warning for CONFIG_CPUMASK_OFFSTACK
tpm: eventlog: Fix section mismatch for DEBUG_SECTION_MISMATCH
Ian Rogers (1):
perf symbol: Fail to read phdr workaround
Ilpo Järvinen (1):
serial: 8250_dw: Store LSR into lsr_saved_flags in
dw8250_tx_wait_empty()
Ivan Hasenkampf (1):
ALSA: hda/realtek: Add quirk for HP Spectre x360 15-eb0xxx
Jack Wang (2):
RDMA/rtrs: Avoid Wtautological-constant-out-of-range-compare
RDMA/rtrs-srv: Fix modinfo output for stringify
Jagath Jog J (2):
iio: accel: bma400: Fix the scale min and max macro values
iio: accel: bma400: Reordering of header files
Jakub Kicinski (1):
netdevsim: Avoid allocation warnings triggered from user space
Jamal Hadi Salim (1):
net_sched: cls_route: disallow handle of 0
Jan Kara (1):
ext2: Add more validity checks for inode counts
Jason A. Donenfeld (4):
fs: check FMODE_LSEEK to control internal pipe splicing
wireguard: ratelimiter: use hrtimer in selftest
wireguard: allowedips: don't corrupt stack when detecting overflow
timekeeping: contribute wall clock to rng on time change
Jason Gunthorpe (4):
vfio: Remove extra put/gets around vfio_device->group
vfio: Simplify the lifetime logic for vfio_device
vfio: Split creation of a vfio_device into init and register ops
vfio/mdev: Make to_mdev_device() into a static inline
Javier Martinez Canillas (1):
drm/st7735r: Fix module autoloading for Okaya RH128128T
Jens Wiklander (1):
tee: add overflow check in register_shm_helper()
Jeongik Cha (1):
wifi: mac80211_hwsim: fix race condition in pending packet
Jernej Skrabec (1):
media: cedrus: hevc: Add check for invalid timestamp
Jiachen Zhang (1):
ovl: drop WARN_ON() dentry is NULL in ovl_encode_fh()
Jian Shen (2):
test_bpf: fix incorrect netdev features
net: ionic: fix error check for vlan flags in ionic_set_nic_features()
Jian Zhang (1):
drm/exynos/exynos7_drm_decon: free resources when clk_set_parent()
failed.
Jianglei Nie (2):
RDMA/qedr: Fix potential memory leak in __qedr_alloc_mr()
RDMA/hfi1: fix potential memory leak in setup_base_ctxt()
Jiasheng Jiang (4):
drm: bridge: adv7511: Add check for mipi_dsi_driver_register
Bluetooth: hci_intel: Add check for platform_driver_register
intel_th: msu-sink: Potential dereference of null pointer
ASoC: codecs: da7210: add check for i2c_add_driver
Jim Mattson (2):
KVM: x86/pmu: Use binary search to check filtered events
KVM: x86/pmu: Use different raw event masks for AMD and Intel
Jitao Shi (2):
drm/mediatek: Separate poweron/poweroff from enable/disable and define
new funcs
drm/mediatek: Keep dsi as LP00 before dcs cmds transfer
Joe Lawrence (1):
selftests/livepatch: better synchronize test_klp_callbacks_busy
Johan Hovold (4):
x86/pmem: Fix platform-device leak in error path
ath11k: fix netdev open race
usb: dwc3: qcom: fix missing optional irq warnings
USB: serial: fix tty-port initialized comments
Johannes Berg (3):
wifi: mac80211_hwsim: add back erroneously removed cast
wifi: mac80211_hwsim: use 32-bit skb cookie
um: Allow PM with suspend-to-idle
Jonas Dreßler (1):
mwifiex: Ignore BTCOEX events from the 88W8897 firmware
Jose Alonso (1):
Revert "net: usb: ax88179_178a needs FLAG_SEND_ZLP"
Jose Ignacio Tornos Martinez (1):
wifi: iwlwifi: mvm: fix double list_add at iwl_mvm_mac_wake_tx_queue
Josef Bacik (1):
btrfs: reset block group chunk force if we have to wait
Josh Poimboeuf (1):
scripts/faddr2line: Fix vmlinux detection on arm64
Julien STEPHAN (1):
drm/mediatek: Allow commands to be sent during video mode
Juri Lelli (1):
wait: Fix __wait_event_hrtimeout for RT/DL tasks
Keith Busch (1):
block: fix infinite loop for invalid zone append
Kim Phillips (1):
x86/bugs: Enable STIBP for IBPB mitigated RETBleed
Konrad Dybcio (1):
soc: qcom: Make QCOM_RPMPD depend on PM
Krzysztof Kozlowski (6):
ARM: dts: ast2500-evb: fix board compatible
ARM: dts: ast2600-evb: fix board compatible
ARM: dts: qcom: mdm9615: add missing PMIC GPIO reg
ARM: dts: qcom: pm8841: add required thermal-sensor-cells
ath10k: do not enforce interrupt trigger type
ASoC: samsung: h1940_uda1380: include proepr GPIO consumer header
Kunihiko Hayashi (2):
ARM: dts: uniphier: Fix USB interrupts for PXs2 SoC
arm64: dts: uniphier: Fix USB interrupts for PXs3 SoC
Kuniyuki Iwashima (1):
tcp: Fix data-races around sysctl_tcp_l3mdev_accept.
Lars-Peter Clausen (1):
i2c: cadence: Support PEC for SMBus block read
Leo Li (1):
drm/amdgpu: Check BO's requested pinning domains against its
preferred_domains
Lev Kujawski (1):
KVM: set_msr_mce: Permit guests to ignore single-bit ECC errors
Liang He (14):
ARM: OMAP2+: display: Fix refcount leak bug
ARM: shmobile: rcar-gen2: Increase refcount for new reference
soc: amlogic: Fix refcount leak in meson-secure-pwrc.c
regulator: of: Fix refcount leak bug in
of_get_regulation_constraints()
mediatek: mt76: mac80211: Fix missing of_node_put() in mt76_led_init()
i2c: mux-gpmux: Add of_node_put() when breaking out of loop
usb: aspeed-vhub: Fix refcount leak bug in ast_vhub_init_desc()
gpio: gpiolib-of: Fix refcount bugs in of_mm_gpiochip_add_data()
mmc: cavium-octeon: Add of_node_put() when breaking out of loop
mmc: cavium-thunderx: Add of_node_put() when breaking out of loop
ASoC: qcom: Fix missing of_node_put() in
asoc_qcom_lpass_cpu_platform_probe()
iommu/arm-smmu: qcom_iommu: Add of_node_put() when breaking out of
loop
ASoC: audio-graph-card: Add of_node_put() in fail path
video: fbdev: amba-clcd: Fix refcount leak bugs
Like Xu (2):
KVM: x86/pmu: Introduce the ctrl_mask value for fixed counter
KVM: x86/pmu: Ignore pmu->global_ctrl check if vPMU doesn't support
global_ctrl
Linus Walleij (2):
Input: atmel_mxt_ts - fix up inverted RESET handler
hwmon: (drivetemp) Add module alias
Linyu Yuan (1):
usb: typec: ucsi: Acknowledge the GET_ERROR_STATUS command completion
Lorenzo Bianconi (1):
mt76: mt76x02u: fix possible memory leak in __mt76x02u_mcu_send_msg
Luiz Augusto von Dentz (1):
Bluetooth: L2CAP: Fix l2cap_global_chan_by_psm regression
Lukas Wunner (3):
usbnet: Fix linkwatch use-after-free on disconnect
usbnet: smsc95xx: Don't clear read-only PHY interrupt
usbnet: smsc95xx: Avoid link settings race on interrupt reception
Lv Ruyi (1):
firmware: tegra: Fix error check return value of debugfs_create_file()
Lyude Paul (2):
drm/nouveau: Don't pm_runtime_put_sync(), only
pm_runtime_put_autosuspend()
drm/nouveau/acpi: Don't print error when we get -EINPROGRESS from
pm_runtime
Maciej Fijalkowski (1):
selftests/xsk: Destroy BPF resources only when ctx refcount drops to 0
Maciej S. Szmigiero (1):
KVM: SVM: Don't BUG if userspace injects an interrupt with GIF=0
Maciej W. Rozycki (4):
serial: 8250: Export ICR access helpers for internal use
serial: 8250: Dissociate 4MHz Titan ports from Oxford ports
serial: 8250: Correct the clock for OxSemi PCIe devices
serial: 8250: Fold EndRun device support into OxSemi Tornado code
Mahesh Rajashekhara (1):
scsi: smartpqi: Fix DMA direction for RAID requests
Manikanta Pubbisetty (1):
ath11k: Fix incorrect debug_mask mappings
Manyi Li (1):
ACPI: PM: save NVS memory for Lenovo G40-45
Maor Gottlieb (1):
RDMA/mlx5: Add missing check for return value in get namespace flow
Marcel Ziswiler (1):
ARM: dts: imx7d-colibri-emmc: add cpu1 supply
Marco Pagani (1):
fpga: altera-pr-ip: fix unsigned comparison with less than zero
Marek Vasut (3):
drm/bridge: tc358767: Move (e)DP bridge endpoint parsing into
dedicated function
drm/bridge: tc358767: Make sure Refclk clock are enabled
drm/bridge: tc358767: Fix (e)DP bridge endpoint parsing in dedicated
function
Markus Mayer (1):
thermal/tools/tmon: Include pthread and time headers in tmon.h
Mateusz Kwiatkowski (1):
drm/vc4: hdmi: Fix timings for interlaced modes
Max Filippov (1):
xtensa: iss/network: provide release() callback
Maxim Mikityanskiy (1):
net/mlx5e: Fix the value of MLX5E_MAX_RQ_NUM_MTTS
Maxime Ripard (5):
drm/vc4: drv: Remove the DSI pointer in vc4_drv
drm/vc4: dsi: Use snprintf for the PHY clocks instead of an array
drm/vc4: dsi: Introduce a variant structure
drm/vc4: hdmi: Don't access the connector state in reset if kmalloc
fails
drm/vc4: hdmi: Limit the BCM2711 to the max without scrambling
Maximilian Heyne (1):
xen-blkback: Apply 'feature_persistent' parameter when connect
Meng Tang (2):
ALSA: hda/conexant: Add quirk for LENOVO 20149 Notebook model
ALSA: hda/realtek: Add quirk for another Asus K42JZ model
Miaohe Lin (1):
mm/mmap.c: fix missing call to vm_unacct_memory in mmap_region
Miaoqian Lin (27):
meson-mx-socinfo: Fix refcount leak in meson_mx_socinfo_init
ARM: bcm: Fix refcount leak in bcm_kona_smc_init
ARM: OMAP2+: Fix refcount leak in omapdss_init_of
ARM: OMAP2+: Fix refcount leak in omap3xxx_prm_late_init
cpufreq: zynq: Fix refcount leak in zynq_get_revision
soc: qcom: ocmem: Fix refcount leak in of_get_ocmem
soc: qcom: aoss: Fix refcount leak in qmp_cooling_devices_register
drm/mcde: Fix refcount leak in mcde_dsi_bind
media: tw686x: Fix memory leak in tw686x_video_init
mtd: maps: Fix refcount leak in of_flash_probe_versatile
mtd: maps: Fix refcount leak in ap_flash_init
PCI: tegra194: Fix PM error handling in tegra_pcie_config_ep()
mtd: partitions: Fix refcount leak in parse_redboot_of
usb: host: Fix refcount leak in ehci_hcd_ppc_of_probe
usb: ohci-nxp: Fix refcount leak in ohci_hcd_nxp_probe
mmc: sdhci-of-esdhc: Fix refcount leak in esdhc_signal_voltage_switch
ASoC: cros_ec_codec: Fix refcount leak in cros_ec_codec_platform_probe
ASoC: samsung: Fix error handling in aries_audio_probe
ASoC: mediatek: mt8173: Fix refcount leak in
mt8173_rt5650_rt5676_dev_probe
ASoC: mt6797-mt6351: Fix refcount leak in mt6797_mt6351_dev_probe
ASoC: mediatek: mt8173-rt5650: Fix refcount leak in
mt8173_rt5650_dev_probe
remoteproc: k3-r5: Fix refcount leak in k3_r5_cluster_of_init
rpmsg: qcom_smd: Fix refcount leak in qcom_smd_parse_edge
mfd: max77620: Fix refcount leak in max77620_initialise_fps
powerpc/spufs: Fix refcount leak in spufs_init_isolated_loader
powerpc/xive: Fix refcount leak in xive_get_max_prio
powerpc/cell/axon_msi: Fix refcount leak in setup_msi_msg_address
Michael Ellerman (3):
powerpc/powernv: Avoid crashing if rng is NULL
powerpc/64s: Disable stack variable initialisation for prom_init
powerpc/pci: Fix PHB numbering when using opal-phbid
Michael Grzeschik (2):
usb: dwc3: gadget: refactor dwc3_repare_one_trb
usb: dwc3: gadget: fix high speed multiplier setting
Michael Walle (1):
soc: fsl: guts: machine variable might be unset
Michal Suchanek (1):
kexec, KEYS, s390: Make use of built-in and secondary keyring for
signature verification
Mike Manning (1):
net: allow unbound socket for packets in VRF when tcp_l3mdev_accept
set
Mike Snitzer (1):
dm: return early from dm_pr_call() if DM device is suspended
Miklos Szeredi (1):
fuse: limit nsec
Mikulas Patocka (6):
add barriers to buffer_uptodate and set_buffer_uptodate
md-raid: destroy the bitmap after destroying the thread
md-raid10: fix KASAN warning
dm writecache: set a default MAX_WRITEBACK_JOBS
dm raid: fix address sanitizer warning in raid_resume
dm raid: fix address sanitizer warning in raid_status
Ming Lei (1):
blk-mq: don't create hctx debugfs dir until q->debugfs_dir is created
Ming Qian (1):
media: v4l2-mem2mem: prevent pollerr when last_buffer_dequeued is set
Miquel Raynal (6):
mtd: rawnand: Add a helper to clarify the interface configuration
mtd: rawnand: arasan: Check the proposed data interface is supported
mtd: rawnand: Add NV-DDR timings
mtd: rawnand: arasan: Fix a macro parameter
mtd: rawnand: arasan: Support NV-DDR interface
mtd: rawnand: arasan: Prevent an unsupported configuration
Mohamed Khalfella (1):
PCI/AER: Iterate over error counters instead of error strings
Narendra Hadke (1):
serial: mvebu-uart: uart2 error bits clearing
Nathan Chancellor (2):
hexagon: select ARCH_WANT_LD_ORPHAN_WARN
usb: cdns3: Don't use priv_dev uninitialized in
cdns3_gadget_ep_enable()
Nick Desaulniers (2):
Makefile: link with -z noexecstack --no-warn-rwx-segments
x86: link vdso and boot with -z noexecstack --no-warn-rwx-segments
Nick Hainke (1):
arm64: dts: mt7622: fix BPI-R64 WPS button
Nico Boehr (1):
KVM: s390: pv: don't present the ecall interrupt twice
Nicolas Saenz Julienne (1):
nohz/full, sched/rt: Fix missed tick-reenabling bug in
dequeue_task_rt()
Niels Dossche (1):
media: hdpvr: fix error value returns in hdpvr_read
Nilesh Javali (1):
scsi: Revert "scsi: qla2xxx: Fix disk failure to rediscover"
Olga Kitaina (1):
mtd: rawnand: arasan: Fix clock rate in NV-DDR
Pali Rohár (4):
PCI: Add defines for normal and subtractive PCI bridges
powerpc/fsl-pci: Fix Class Code of PCIe Root Port
crypto: inside-secure - Add missing MODULE_DEVICE_TABLE for of
powerpc/pci: Prefer PCI domain assignment via DT 'linux,pci-domain'
and alias
Peng Fan (1):
interconnect: imx: fix max_node_id
Peter Zijlstra (1):
locking/lockdep: Fix lockdep_init_map_*() confusion
Phil Elwell (1):
drm/vc4: hdmi: Disable audio if dmas property is present but empty
Pierre-Louis Bossart (1):
soundwire: bus_type: fix remove and shutdown support
Ping Cheng (2):
HID: wacom: Only report rotation for art pen
HID: wacom: Don't register pad_input for touch switch
Prabhakar Kushwaha (1):
RDMA/qedr: Improve error logs for rdma_alloc_tid error return
Przemyslaw Patynowski (1):
iavf: Fix max_rate limiting
Qian Cai (1):
crypto: arm64/gcm - Select AEAD for GHASH_ARM64_CE
Qu Wenruo (3):
btrfs: reject log replay if there is unsupported RO compat flag
btrfs: only write the sectors in the vertical stripe which has data
stripes
btrfs: raid56: don't trust any cached sector in
__raid56_parity_recover()
Quentin Perret (1):
KVM: arm64: Don't return from void function
Quinn Tran (2):
scsi: qla2xxx: Turn off multi-queue for 8G adapters
scsi: qla2xxx: Fix erroneous mailbox timeout after PCI error injection
Rafael J. Wysocki (2):
thermal: sysfs: Fix cooling_device_stats_setup() error code path
ACPI: CPPC: Do not prevent CPPC from working in the future
Ralph Siemsen (1):
clk: renesas: r9a06g032: Fix UART clkgrp bitsel
Randy Dunlap (1):
usb: gadget: udc: amd5536 depends on HAS_DMA
Rex-BC Chen (1):
clk: mediatek: reset: Fix written reset bit offset
Rob Clark (1):
drm/msm/mdp5: Fix global state lock backoff
Robert Marko (5):
arm64: dts: qcom: ipq8074: fix NAND node name
clk: qcom: ipq8074: fix NSS core PLL-s
clk: qcom: ipq8074: SW workaround for UBI32 PLL lock
clk: qcom: ipq8074: fix NSS port frequency tables
clk: qcom: ipq8074: set BRANCH_HALT_DELAY flag for UBI clocks
Rohith Kollalsi (1):
usb: dwc3: core: Do not perform GCTL_CORE_SOFTRESET during bootup
Russell King (Oracle) (1):
ARM: findbit: fix overflowing offset
Rustam Subkhankulov (2):
wifi: p54: add missing parentheses in p54_flush()
video: fbdev: sis: fix typos in SiS_GetModeID()
Sam Protsenko (1):
iommu/exynos: Handle failed IOMMU device registration properly
Samuel Holland (3):
irqchip/mips-gic: Only register IPI domain when SMP is enabled
genirq: GENERIC_IRQ_IPI depends on SMP
arm64: dts: allwinner: a64: orangepi-win: Fix LED node name
Sean Christopherson (15):
KVM: nVMX: Snapshot pre-VM-Enter BNDCFGS for !nested_run_pending case
KVM: nVMX: Snapshot pre-VM-Enter DEBUGCTL for !nested_run_pending case
KVM: nVMX: Let userspace set nVMX MSR to any _host_ supported value
KVM: x86: Mark TSS busy during LTR emulation _after_ all fault checks
KVM: x86: Set error code to segment selector on LLDT/LTR non-canonical
#GP
KVM: x86: Tag kvm_mmu_x86_module_init() with __init
KVM: Don't set Accessed/Dirty bits for ZERO_PAGE
KVM: x86: Signal #GP, not -EPERM, on bad WRMSR(MCi_CTL/STATUS)
KVM: VMX: Drop guest CPUID check for VMXE in vmx_set_cr4()
KVM: VMX: Drop explicit 'nested' check from vmx_set_cr4()
KVM: SVM: Drop VMXE check from svm_set_cr4()
KVM: x86: Move vendor CR4 validity check to dedicated kvm_x86_ops hook
KVM: nVMX: Inject #UD if VMXON is attempted with incompatible CR0/CR4
KVM: VMX: Mark all PERF_GLOBAL_(OVF)_CTRL bits reserved if there's no
vPMU
KVM: Add infrastructure and macro to mark VM as bugged
SeongJae Park (2):
xen-blkback: fix persistent grants negotiation
xen-blkfront: Apply 'feature_persistent' parameter when connect
Serge Semin (4):
dmaengine: dw-edma: Fix eDMA Rd/Wr-channels and DMA-direction
semantics
PCI: dwc: Add unroll iATU space support to dw_pcie_disable_atu()
PCI: dwc: Deallocate EPC memory on dw_pcie_ep_init() errors
PCI: dwc: Always enable CDM check if "snps,enable-cdm-check" exists
Sergey Shtylyov (1):
usb: host: xhci: use snprintf() in xhci_decode_trb()
Shengjiu Wang (1):
ASoC: fsl_easrc: use snd_pcm_format_t type for sample_format
Shunsuke Mie (1):
PCI: endpoint: Don't stop controller when unbinding endpoint function
Sibi Sankar (1):
remoteproc: sysmon: Wait for SSCTL service to come up
Siddh Raman Pant (1):
x86/numa: Use cpumask_available instead of hardcoded NULL check
Sireesh Kodali (1):
remoteproc: qcom: wcnss: Fix handling of IRQs
Srinivas Kandagatla (2):
ASoC: codecs: msm8916-wcd-digital: move gains from SX_TLV to S8_TLV
ASoC: codecs: wcd9335: move gains from SX_TLV to S8_TLV
Stefan Roese (1):
PCI/portdrv: Don't disable AER reporting in
get_port_device_capability()
Steffen Maier (1):
scsi: zfcp: Fix missing auto port scan and thus missing target ports
Stephan Gerhold (1):
regulator: qcom_smd: Fix pm8916_pldo range
Stephen Boyd (1):
platform/chrome: cros_ec: Always expose last resume result
Steven Rostedt (Google) (2):
ftrace/x86: Add back ftrace_expected assignment
tracing: Use a struct alignof to determine trace event field alignment
Sudeep Holla (1):
firmware: arm_scpi: Ensure scpi_info is not assigned if the probe
fails
Sumit Garg (1):
arm64: dts: qcom: qcs404: Fix incorrect USB2 PHYs assignment
Suzuki K Poulose (1):
coresight: Clear the connection field properly
Tadeusz Struk (1):
sched/fair: Fix fault in reweight_entity
Tali Perry (2):
i2c: npcm: Remove own slave addresses 2:10
i2c: npcm: Correct slave role behavior
Tamás Szűcs (1):
arm64: tegra: Fix SDMMC1 CD on P2888
Tang Bin (3):
usb: gadget: tegra-xudc: Fix error check in
tegra_xudc_powerdomain_init()
usb: xhci: tegra: Fix error check
opp: Fix error check in dev_pm_opp_attach_genpd()
Tetsuo Handa (4):
tty: vt: initialize unicode screen buffer
lockdep: Allow tuning tracing capacity constants.
PM: hibernate: defer device probing when resuming from hibernation
lib/smp_processor_id: fix imbalanced instrumentation_end() call
Theodore Ts'o (1):
ext4: update s_overhead_clusters in the superblock during an on-line
resize
Thinh Nguyen (1):
usb: dwc3: core: Deprecate GCTL.CORESOFTRESET
Thomas Gleixner (1):
netfilter: xtables: Bring SPDX identifier back
Tianchen Ding (1):
sched: Fix the check of nr_running at queue wakelist
Tianjia Zhang (1):
KEYS: asymmetric: enforce SM2 signature use pkey algo
Tim Crawford (1):
ALSA: hda/realtek: Add quirk for Clevo NV45PZ
Timur Tabi (1):
drm/nouveau: fix another off-by-one in nvbios_addr
Tom Lendacky (1):
crypto: ccp - During shutdown, check SEV data pointer before using
Tom Rix (2):
ASoC: samsung: change gpiod_speaker_power and rx1950_audio from global
to static variables
drm/vc4: change vc4_dma_range_matches from a global to static
Tony Battersby (1):
scsi: sg: Allow waiting for commands to complete on removed device
Trond Myklebust (1):
Revert "pNFS: nfs3_set_ds_client should set NFS_CS_NOPING"
Tyler Hicks (1):
net/9p: Initialize the iounit field during fid creation
Uwe Kleine-König (6):
pwm: sifive: Don't check the return code of pwmchip_remove()
pwm: sifive: Simplify offset calculation for PWMCMP registers
pwm: sifive: Ensure the clk is enabled exactly once per running PWM
pwm: sifive: Shut down hardware only after pwmchip_remove() completed
mtd: st_spi_fsm: Add a clk_disable_unprepare() in .probe()'s error
path
mfd: t7l66xb: Drop platform disable callback
Viacheslav Mitrofanov (1):
dmaengine: sf-pdma: Add multithread support for a DMA channel
Vidya Sagar (2):
PCI: tegra194: Fix Root Port interrupt handling
PCI: tegra194: Fix link up retry sequence
Vincent Mailhol (10):
can: pch_can: do not report txerr and rxerr during bus-off
can: rcar_can: do not report txerr and rxerr during bus-off
can: sja1000: do not report txerr and rxerr during bus-off
can: hi311x: do not report txerr and rxerr during bus-off
can: sun4i_can: do not report txerr and rxerr during bus-off
can: kvaser_usb_hydra: do not report txerr and rxerr during bus-off
can: kvaser_usb_leaf: do not report txerr and rxerr during bus-off
can: usb_8dev: do not report txerr and rxerr during bus-off
can: error: specify the values of data[5..7] of CAN error frames
can: pch_can: pch_can_error(): initialize errc before using it
Vitaly Kuznetsov (2):
KVM: x86: Check lapic_in_kernel() before attempting to set a SynIC irq
KVM: x86: Avoid theoretical NULL pointer dereference in
kvm_irq_delivery_to_apic_fast()
Vladimir Zapolskiy (1):
clk: qcom: camcc-sdm845: Fix topology around titan_top power domain
Waiman Long (1):
sched, cpuset: Fix dl_cpu_busy() panic due to empty cs->cpus_allowed
Weitao Wang (1):
USB: HCD: Fix URB giveback issue in tasklet function
William Dean (3):
parisc: Check the return value of ioremap() in lba_driver_probe()
irqchip/mips-gic: Check the return value of ioremap() in gic_of_init()
watchdog: armada_37xx_wdt: check the return value of devm_ioremap() in
armada_37xx_wdt_probe()
Wolfram Sang (2):
selftests: timers: valid-adjtimex: build fix for newer toolchains
selftests: timers: clocksource-switch: fix passing errors from child
Xiaomeng Tong (2):
media: [PATCH] pci: atomisp_cmd: fix three missing checks on list
iterator
virtio-gpu: fix a missing check to avoid NULL dereference
Xie Shaowen (1):
Input: gscps2 - check return value of ioremap() in gscps2_probe()
Xie Yongji (1):
fuse: Remove the control interface for virtio-fs
Xinlei Lee (2):
drm/mediatek: Modify dsi funcs to atomic operations
drm/mediatek: Add pull-down MIPI operation in mtk_dsi_poweroff
function
Xiu Jianfeng (1):
selinux: Add boundary check in put_entry()
Xu Wang (1):
i2c: Fix a potential use after free
Yang Xu (1):
fs: Add missing umask strip in vfs_tmpfile
Yang Yingliang (2):
bus: hisi_lpc: fix missing platform_device_put() in
hisi_lpc_acpi_probe()
xtensa: iss: fix handling error cases in iss_net_configure()
Yangtao Li (1):
pwm: lpc18xx-sct: Convert to devm_platform_ioremap_resource()
Ye Bin (1):
ext4: fix warning in ext4_iomap_begin as race between bmap and write
YiFei Zhu (1):
selftests/seccomp: Fix compile warning when CC=clang
Yonglong Li (1):
tcp: make retransmitted SKB fit into the send window
Yunhao Tian (1):
drm/mipi-dbi: align max_chunk to 2 in spi_transfer
Zhenguo Zhao (1):
tty: n_gsm: Delete gsmtty open SABM frame when config requester
Zheyu Ma (7):
ALSA: bcd2000: Fix a UAF bug on the error path of probing
iio: light: isl29028: Fix the warning in isl29028_remove()
media: tw686x: Register the irq at the end of probe
video: fbdev: arkfb: Fix a divide-by-zero bug in ark_set_pixclock()
video: fbdev: vt8623fb: Check the size of screen before memset_io()
video: fbdev: arkfb: Check the size of screen before memset_io()
video: fbdev: s3fb: Check the size of screen before memset_io()
Zhu Yanjun (1):
RDMA/rxe: Fix error unwind in rxe_create_qp()
Zoltan Tamas Vajda (1):
HID: hid-input: add Surface Go battery quirk
huhai (1):
ACPI: LPSS: Fix missing check in register_device_clock()
.../ABI/testing/sysfs-driver-xen-blkback | 2 +-
.../ABI/testing/sysfs-driver-xen-blkfront | 2 +-
.../admin-guide/kernel-parameters.txt | 29 +-
Documentation/driver-api/vfio.rst | 31 +-
Makefile | 3 +
arch/arm/boot/dts/Makefile | 1 +
arch/arm/boot/dts/aspeed-ast2500-evb.dts | 2 +-
arch/arm/boot/dts/aspeed-ast2600-evb.dts | 2 +-
arch/arm/boot/dts/bcm53015-meraki-mr26.dts | 166 ++++++++++
arch/arm/boot/dts/imx53-ppd.dts | 2 +-
arch/arm/boot/dts/imx6dl-colibri-eval-v3.dts | 2 +-
arch/arm/boot/dts/imx6q-apalis-eval.dts | 2 +-
arch/arm/boot/dts/imx6q-apalis-ixora-v1.1.dts | 2 +-
arch/arm/boot/dts/imx6q-apalis-ixora.dts | 2 +-
arch/arm/boot/dts/imx6ul.dtsi | 33 +-
arch/arm/boot/dts/imx7-colibri-aster.dtsi | 2 +-
arch/arm/boot/dts/imx7-colibri-eval-v3.dtsi | 2 +-
arch/arm/boot/dts/imx7d-colibri-emmc.dtsi | 4 +
.../boot/dts/motorola-mapphone-common.dtsi | 2 +-
arch/arm/boot/dts/qcom-mdm9615.dtsi | 1 +
arch/arm/boot/dts/qcom-pm8841.dtsi | 1 +
arch/arm/boot/dts/s5pv210-aries.dtsi | 2 +-
.../boot/dts/tegra20-acer-a500-picasso.dts | 2 +-
arch/arm/boot/dts/uniphier-pxs2.dtsi | 8 +-
arch/arm/lib/findbit.S | 16 +-
arch/arm/mach-bcm/bcm_kona_smc.c | 1 +
arch/arm/mach-omap2/display.c | 3 +
arch/arm/mach-omap2/prm3xxx.c | 1 +
.../mach-shmobile/regulator-quirk-rcar-gen2.c | 5 +-
arch/arm/mach-zynq/common.c | 1 +
.../dts/allwinner/sun50i-a64-orangepi-win.dts | 2 +-
.../dts/mediatek/mt7622-bananapi-bpi-r64.dts | 2 +-
.../arm64/boot/dts/nvidia/tegra194-p2888.dtsi | 2 +-
arch/arm64/boot/dts/qcom/ipq8074.dtsi | 2 +-
arch/arm64/boot/dts/qcom/qcs404.dtsi | 4 +-
.../dts/renesas/beacon-renesom-baseboard.dtsi | 6 +-
arch/arm64/boot/dts/renesas/r8a774c0.dtsi | 2 +-
arch/arm64/boot/dts/renesas/r8a77990.dtsi | 2 +-
.../boot/dts/socionext/uniphier-pxs3.dtsi | 8 +-
arch/arm64/crypto/Kconfig | 1 +
arch/arm64/include/asm/processor.h | 3 +-
arch/arm64/kernel/cpufeature.c | 2 +-
arch/arm64/kvm/hyp/nvhe/switch.c | 2 +-
arch/arm64/kvm/hyp/vhe/switch.c | 2 +-
arch/hexagon/Kconfig | 1 +
arch/ia64/include/asm/processor.h | 2 +-
arch/mips/kernel/proc.c | 2 +-
arch/parisc/kernel/drivers.c | 9 +-
arch/parisc/kernel/syscalls/syscall.tbl | 2 +-
arch/powerpc/kernel/Makefile | 1 +
arch/powerpc/kernel/pci-common.c | 29 +-
arch/powerpc/mm/ptdump/shared.c | 6 +-
arch/powerpc/perf/core-book3s.c | 35 +-
arch/powerpc/platforms/Kconfig.cputype | 4 +-
arch/powerpc/platforms/cell/axon_msi.c | 1 +
arch/powerpc/platforms/cell/spufs/inode.c | 1 +
arch/powerpc/platforms/powernv/rng.c | 2 +
arch/powerpc/sysdev/fsl_pci.c | 8 +
arch/powerpc/sysdev/fsl_pci.h | 1 +
arch/powerpc/sysdev/xive/spapr.c | 1 +
arch/riscv/kernel/reset.c | 12 +-
arch/s390/include/asm/gmap.h | 2 +
arch/s390/kernel/asm-offsets.c | 2 +
arch/s390/kernel/crash_dump.c | 2 +-
arch/s390/kernel/machine_kexec_file.c | 18 +-
arch/s390/kernel/os_info.c | 3 +-
arch/s390/kvm/intercept.c | 15 +
arch/s390/kvm/pv.c | 9 +-
arch/s390/kvm/sigp.c | 4 +-
arch/s390/mm/gmap.c | 86 +++++
arch/um/Kconfig | 5 +
arch/um/drivers/random.c | 2 +-
arch/um/include/shared/kern_util.h | 2 +
arch/um/include/shared/os.h | 1 +
arch/um/kernel/um_arch.c | 25 ++
arch/um/os-Linux/signal.c | 14 +-
arch/x86/boot/Makefile | 2 +-
arch/x86/boot/compressed/Makefile | 2 +
arch/x86/entry/Makefile | 3 +-
arch/x86/entry/thunk_32.S | 2 -
arch/x86/entry/thunk_64.S | 4 -
arch/x86/entry/vdso/Makefile | 2 +-
arch/x86/include/asm/kvm_host.h | 7 +-
arch/x86/kernel/cpu/bugs.c | 10 +-
arch/x86/kernel/ftrace.c | 1 +
arch/x86/kvm/emulate.c | 23 +-
arch/x86/kvm/hyperv.c | 3 +
arch/x86/kvm/lapic.c | 4 +
arch/x86/kvm/mmu/mmu.c | 2 +-
arch/x86/kvm/pmu.c | 36 +-
arch/x86/kvm/svm/pmu.c | 1 +
arch/x86/kvm/svm/svm.c | 14 +-
arch/x86/kvm/svm/svm.h | 2 +-
arch/x86/kvm/vmx/nested.c | 99 +++---
arch/x86/kvm/vmx/pmu_intel.c | 12 +-
arch/x86/kvm/vmx/vmx.c | 35 +-
arch/x86/kvm/vmx/vmx.h | 2 +-
arch/x86/kvm/x86.c | 17 +-
arch/x86/mm/numa.c | 4 +-
arch/x86/platform/olpc/olpc-xo1-sci.c | 2 +-
arch/x86/um/Makefile | 3 +-
arch/xtensa/platforms/iss/network.c | 42 ++-
block/bio.c | 3 -
block/blk-merge.c | 2 +-
block/blk-mq-debugfs.c | 3 +
block/blk-mq-sched.c | 2 +-
block/blk-mq.c | 8 +-
crypto/asymmetric_keys/public_key.c | 7 +-
drivers/acpi/acpi_lpss.c | 3 +
drivers/acpi/cppc_acpi.c | 54 ++-
drivers/acpi/ec.c | 82 +----
drivers/acpi/processor_idle.c | 6 +-
drivers/acpi/sleep.c | 8 +
drivers/block/null_blk_main.c | 14 +-
drivers/block/xen-blkback/xenbus.c | 20 +-
drivers/block/xen-blkfront.c | 4 +-
drivers/bluetooth/hci_intel.c | 6 +-
drivers/bus/hisi_lpc.c | 10 +-
drivers/clk/mediatek/reset.c | 4 +-
drivers/clk/qcom/camcc-sdm845.c | 4 +
drivers/clk/qcom/clk-krait.c | 7 +-
drivers/clk/qcom/gcc-ipq8074.c | 60 +++-
drivers/clk/renesas/r9a06g032-clocks.c | 8 +-
.../allwinner/sun8i-ss/sun8i-ss-cipher.c | 1 +
.../crypto/allwinner/sun8i-ss/sun8i-ss-core.c | 22 +-
.../crypto/allwinner/sun8i-ss/sun8i-ss-hash.c | 15 +-
drivers/crypto/allwinner/sun8i-ss/sun8i-ss.h | 4 +
drivers/crypto/ccp/sev-dev.c | 2 +-
drivers/crypto/inside-secure/safexcel.c | 2 +
drivers/dma/dw-edma/dw-edma-core.c | 2 +-
drivers/dma/sf-pdma/sf-pdma.c | 49 ++-
drivers/firmware/arm_scpi.c | 61 ++--
drivers/firmware/tegra/bpmp-debugfs.c | 10 +-
drivers/fpga/altera-pr-ip-core.c | 2 +-
drivers/gpio/gpiolib-of.c | 4 +-
drivers/gpu/drm/amd/amdgpu/amdgpu_object.c | 4 +
drivers/gpu/drm/bridge/adv7511/adv7511_drv.c | 24 +-
drivers/gpu/drm/bridge/sil-sii8620.c | 4 +-
drivers/gpu/drm/bridge/tc358767.c | 62 +++-
drivers/gpu/drm/drm_gem.c | 4 +-
drivers/gpu/drm/drm_mipi_dbi.c | 7 +
drivers/gpu/drm/exynos/exynos7_drm_decon.c | 17 +-
.../drm/i915/display/intel_display_debugfs.c | 4 +-
drivers/gpu/drm/i915/i915_reg.h | 3 +-
drivers/gpu/drm/mcde/mcde_dsi.c | 1 +
drivers/gpu/drm/mediatek/mtk_dpi.c | 33 +-
drivers/gpu/drm/mediatek/mtk_dsi.c | 126 ++++---
drivers/gpu/drm/msm/disp/mdp5/mdp5_pipe.c | 3 +-
drivers/gpu/drm/nouveau/nouveau_display.c | 4 +-
drivers/gpu/drm/nouveau/nouveau_fbcon.c | 2 +-
.../gpu/drm/nouveau/nvkm/subdev/bios/base.c | 2 +-
drivers/gpu/drm/radeon/.gitignore | 2 +-
drivers/gpu/drm/radeon/Kconfig | 2 +-
drivers/gpu/drm/radeon/Makefile | 2 +-
drivers/gpu/drm/radeon/ni_dpm.c | 6 +-
.../gpu/drm/rockchip/analogix_dp-rockchip.c | 10 +-
drivers/gpu/drm/rockchip/rockchip_drm_vop.c | 3 +
drivers/gpu/drm/tiny/st7735r.c | 1 +
drivers/gpu/drm/vc4/vc4_crtc.c | 10 +-
drivers/gpu/drm/vc4/vc4_drv.c | 19 ++
drivers/gpu/drm/vc4/vc4_drv.h | 1 -
drivers/gpu/drm/vc4/vc4_dsi.c | 208 ++++++++----
drivers/gpu/drm/vc4/vc4_hdmi.c | 50 ++-
drivers/gpu/drm/vc4/vc4_plane.c | 30 +-
drivers/gpu/drm/virtio/virtgpu_ioctl.c | 6 +-
drivers/hid/hid-alps.c | 2 +
drivers/hid/hid-cp2112.c | 5 +
drivers/hid/hid-ids.h | 2 +
drivers/hid/hid-input.c | 4 +
drivers/hid/hid-mcp2221.c | 3 +
drivers/hid/wacom_sys.c | 2 +-
drivers/hid/wacom_wac.c | 72 ++--
drivers/hwmon/drivetemp.c | 1 +
drivers/hwtracing/coresight/coresight-core.c | 1 +
drivers/hwtracing/intel_th/msu-sink.c | 3 +
drivers/hwtracing/intel_th/msu.c | 14 +-
drivers/hwtracing/intel_th/pci.c | 25 +-
drivers/i2c/busses/i2c-cadence.c | 10 +-
drivers/i2c/busses/i2c-npcm7xx.c | 50 ++-
drivers/i2c/i2c-core-base.c | 3 +-
drivers/i2c/muxes/i2c-mux-gpmux.c | 1 +
drivers/iio/accel/bma400.h | 23 +-
drivers/iio/accel/bma400_core.c | 4 +-
drivers/iio/light/isl29028.c | 2 +-
drivers/infiniband/hw/hfi1/file_ops.c | 4 +-
drivers/infiniband/hw/mlx5/fs.c | 6 +-
drivers/infiniband/hw/qedr/verbs.c | 26 +-
drivers/infiniband/sw/rxe/rxe_qp.c | 12 +-
drivers/infiniband/sw/siw/siw_cm.c | 7 +-
drivers/infiniband/ulp/rtrs/rtrs-clt.c | 5 -
drivers/infiniband/ulp/rtrs/rtrs-pri.h | 22 +-
drivers/infiniband/ulp/rtrs/rtrs-srv.c | 4 +-
drivers/infiniband/ulp/srpt/ib_srpt.c | 148 ++++++---
drivers/infiniband/ulp/srpt/ib_srpt.h | 18 +-
drivers/input/serio/gscps2.c | 4 +
drivers/input/touchscreen/atmel_mxt_ts.c | 6 +-
drivers/interconnect/imx/imx.c | 8 +-
drivers/iommu/arm/arm-smmu/qcom_iommu.c | 7 +-
drivers/iommu/exynos-iommu.c | 6 +-
drivers/iommu/intel/dmar.c | 2 +-
drivers/irqchip/Kconfig | 5 +-
drivers/irqchip/irq-mips-gic.c | 84 +++--
drivers/md/dm-raid.c | 4 +-
drivers/md/dm-rq.c | 2 +-
drivers/md/dm-writecache.c | 2 +-
drivers/md/dm.c | 5 +
drivers/md/md.c | 2 +-
drivers/md/raid10.c | 5 +-
drivers/media/pci/tw686x/tw686x-core.c | 18 +-
drivers/media/pci/tw686x/tw686x-video.c | 4 +-
drivers/media/platform/mtk-mdp/mtk_mdp_ipi.h | 2 +
drivers/media/usb/hdpvr/hdpvr-video.c | 2 +-
drivers/media/v4l2-core/v4l2-mem2mem.c | 2 +-
drivers/memstick/core/ms_block.c | 11 +-
drivers/mfd/max77620.c | 2 +
drivers/mfd/t7l66xb.c | 6 +-
drivers/misc/cardreader/rtsx_pcr.c | 6 +-
drivers/misc/eeprom/idt_89hpesx.c | 8 +-
drivers/mmc/core/block.c | 28 +-
drivers/mmc/host/cavium-octeon.c | 1 +
drivers/mmc/host/cavium-thunderx.c | 4 +-
drivers/mmc/host/sdhci-of-at91.c | 9 +-
drivers/mmc/host/sdhci-of-esdhc.c | 1 +
drivers/mtd/devices/st_spi_fsm.c | 8 +-
drivers/mtd/maps/physmap-versatile.c | 2 +
drivers/mtd/nand/raw/arasan-nand-controller.c | 57 +++-
drivers/mtd/nand/raw/atmel/nand-controller.c | 2 +-
drivers/mtd/nand/raw/meson_nand.c | 1 -
drivers/mtd/nand/raw/nand_timings.c | 255 +++++++++++++++
drivers/mtd/parsers/redboot.c | 1 +
drivers/mtd/sm_ftl.c | 2 +-
drivers/net/can/pch_can.c | 8 +-
drivers/net/can/rcar/rcar_can.c | 8 +-
drivers/net/can/sja1000/sja1000.c | 7 +-
drivers/net/can/spi/hi311x.c | 5 +-
drivers/net/can/sun4i_can.c | 9 +-
.../net/can/usb/kvaser_usb/kvaser_usb_hydra.c | 12 +-
.../net/can/usb/kvaser_usb/kvaser_usb_leaf.c | 6 +-
drivers/net/can/usb/usb_8dev.c | 7 +-
drivers/net/ethernet/intel/iavf/iavf.h | 1 +
drivers/net/ethernet/intel/iavf/iavf_main.c | 25 +-
drivers/net/ethernet/mellanox/mlx5/core/en.h | 2 +-
.../mellanox/mlx5/core/en_accel/ktls.c | 2 +-
.../net/ethernet/pensando/ionic/ionic_lif.c | 2 +-
drivers/net/netdevsim/bpf.c | 8 +-
drivers/net/usb/ax88179_178a.c | 20 +-
drivers/net/usb/smsc95xx.c | 20 +-
drivers/net/usb/usbnet.c | 8 +-
drivers/net/wireguard/allowedips.c | 9 +-
drivers/net/wireguard/selftest/allowedips.c | 6 +-
drivers/net/wireguard/selftest/ratelimiter.c | 25 +-
drivers/net/wireless/ath/ath10k/snoc.c | 5 +-
drivers/net/wireless/ath/ath11k/core.c | 16 +-
drivers/net/wireless/ath/ath11k/debug.h | 4 +-
drivers/net/wireless/ath/wil6210/debugfs.c | 18 +-
drivers/net/wireless/intel/iwlegacy/4965-rs.c | 5 +-
drivers/net/wireless/intel/iwlwifi/mvm/sta.c | 1 +
drivers/net/wireless/intersil/p54/main.c | 2 +-
drivers/net/wireless/intersil/p54/p54spi.c | 3 +-
drivers/net/wireless/mac80211_hwsim.c | 14 +-
.../net/wireless/marvell/libertas/if_usb.c | 1 +
drivers/net/wireless/marvell/mwifiex/main.h | 2 +
drivers/net/wireless/marvell/mwifiex/pcie.c | 3 +
.../net/wireless/marvell/mwifiex/sta_event.c | 3 +
drivers/net/wireless/mediatek/mt76/mac80211.c | 1 +
.../wireless/mediatek/mt76/mt76x02_usb_mcu.c | 2 +-
drivers/net/wireless/realtek/rtlwifi/debug.c | 8 +-
drivers/nvdimm/pmem_legacy_device.c | 7 +-
drivers/nvme/host/trace.h | 2 +-
drivers/opp/core.c | 4 +-
drivers/parisc/lba_pci.c | 6 +-
.../pci/controller/dwc/pcie-designware-ep.c | 18 +-
drivers/pci/controller/dwc/pcie-designware.c | 30 +-
drivers/pci/controller/dwc/pcie-qcom.c | 10 +-
drivers/pci/controller/dwc/pcie-tegra194.c | 49 ++-
drivers/pci/endpoint/functions/pci-epf-test.c | 1 -
drivers/pci/pcie/aer.c | 7 +-
drivers/pci/pcie/portdrv_core.c | 9 +-
drivers/perf/arm_spe_pmu.c | 22 +-
drivers/platform/chrome/cros_ec.c | 8 +-
drivers/platform/olpc/olpc-ec.c | 2 +-
drivers/pwm/pwm-lpc18xx-sct.c | 4 +-
drivers/pwm/pwm-sifive.c | 65 ++--
drivers/regulator/of_regulator.c | 6 +-
drivers/regulator/qcom_smd-regulator.c | 4 +-
drivers/remoteproc/qcom_sysmon.c | 10 +
drivers/remoteproc/qcom_wcnss.c | 10 +-
drivers/remoteproc/ti_k3_r5_remoteproc.c | 2 +
drivers/rpmsg/mtk_rpmsg.c | 2 +
drivers/rpmsg/qcom_smd.c | 1 +
drivers/s390/char/zcore.c | 11 +-
drivers/s390/cio/vfio_ccw_drv.c | 14 +-
drivers/s390/scsi/zfcp_fc.c | 29 +-
drivers/s390/scsi/zfcp_fc.h | 6 +-
drivers/s390/scsi/zfcp_fsf.c | 7 +-
drivers/scsi/qla2xxx/qla_def.h | 5 +-
drivers/scsi/qla2xxx/qla_gbl.h | 3 +-
drivers/scsi/qla2xxx/qla_gs.c | 11 +-
drivers/scsi/qla2xxx/qla_init.c | 48 ++-
drivers/scsi/qla2xxx/qla_isr.c | 20 +-
drivers/scsi/qla2xxx/qla_mbx.c | 19 +-
drivers/scsi/qla2xxx/qla_nvme.c | 5 -
drivers/scsi/sg.c | 53 +--
drivers/scsi/smartpqi/smartpqi_init.c | 4 +-
drivers/soc/amlogic/meson-mx-socinfo.c | 1 +
drivers/soc/amlogic/meson-secure-pwrc.c | 4 +-
drivers/soc/fsl/guts.c | 2 +-
drivers/soc/qcom/Kconfig | 1 +
drivers/soc/qcom/ocmem.c | 3 +
drivers/soc/qcom/qcom_aoss.c | 4 +-
drivers/soc/renesas/r8a779a0-sysc.c | 10 +-
drivers/soundwire/bus_type.c | 8 +-
drivers/spi/spi-rspi.c | 4 +
drivers/spi/spi-synquacer.c | 1 +
.../staging/media/atomisp/pci/atomisp_cmd.c | 57 ++--
.../staging/media/sunxi/cedrus/cedrus_h265.c | 3 +
drivers/staging/rtl8192u/r8192U.h | 2 +-
drivers/staging/rtl8192u/r8192U_dm.c | 38 +--
drivers/staging/rtl8192u/r8192U_dm.h | 2 +-
drivers/tee/tee_shm.c | 3 +
drivers/thermal/thermal_sysfs.c | 10 +-
drivers/tty/n_gsm.c | 199 ++++++++---
drivers/tty/serial/8250/8250.h | 22 ++
drivers/tty/serial/8250/8250_dw.c | 3 +
drivers/tty/serial/8250/8250_pci.c | 308 +++++++++---------
drivers/tty/serial/8250/8250_port.c | 21 --
drivers/tty/serial/mvebu-uart.c | 11 +
drivers/tty/vt/vt.c | 2 +-
drivers/usb/cdns3/gadget.c | 11 +-
drivers/usb/core/hcd.c | 26 +-
drivers/usb/dwc3/core.c | 9 +-
drivers/usb/dwc3/dwc3-qcom.c | 4 +-
drivers/usb/dwc3/gadget.c | 92 +++---
drivers/usb/gadget/udc/Kconfig | 2 +-
drivers/usb/gadget/udc/aspeed-vhub/hub.c | 4 +-
drivers/usb/gadget/udc/tegra-xudc.c | 8 +-
drivers/usb/host/ehci-ppc-of.c | 1 +
drivers/usb/host/ohci-nxp.c | 1 +
drivers/usb/host/xhci-tegra.c | 8 +-
drivers/usb/host/xhci.h | 2 +-
drivers/usb/serial/sierra.c | 3 +-
drivers/usb/serial/usb-serial.c | 2 +-
drivers/usb/serial/usb_wwan.c | 3 +-
drivers/usb/typec/ucsi/ucsi.c | 4 +
drivers/vfio/mdev/mdev_private.h | 5 +-
drivers/vfio/vfio.c | 207 +++++-------
drivers/video/fbdev/amba-clcd.c | 24 +-
drivers/video/fbdev/arkfb.c | 9 +-
drivers/video/fbdev/core/fbcon.c | 12 +-
drivers/video/fbdev/s3fb.c | 2 +
drivers/video/fbdev/sis/init.c | 4 +-
drivers/video/fbdev/vt8623fb.c | 2 +
drivers/watchdog/armada_37xx_wdt.c | 2 +
fs/attr.c | 2 +
fs/btrfs/block-group.c | 1 +
fs/btrfs/disk-io.c | 14 +
fs/btrfs/raid56.c | 74 ++++-
fs/erofs/decompressor.c | 16 +-
fs/eventpoll.c | 22 ++
fs/ext2/super.c | 12 +-
fs/ext4/inode.c | 19 +-
fs/ext4/resize.c | 1 +
fs/f2fs/file.c | 9 +-
fs/f2fs/gc.c | 41 ++-
fs/fuse/control.c | 4 +-
fs/fuse/inode.c | 6 +
fs/namei.c | 4 +
fs/nfs/nfs3client.c | 1 -
fs/overlayfs/export.c | 2 +-
fs/splice.c | 10 +-
include/acpi/cppc_acpi.h | 2 +-
include/linux/bitmap.h | 12 +-
include/linux/blktrace_api.h | 5 +-
include/linux/buffer_head.h | 25 +-
include/linux/kfifo.h | 2 +-
include/linux/kvm_host.h | 28 +-
include/linux/lockdep.h | 30 +-
include/linux/mfd/t7l66xb.h | 1 -
include/linux/mtd/rawnand.h | 123 ++++++-
include/linux/pci_ids.h | 2 +
include/linux/sched.h | 2 +-
include/linux/tpm_eventlog.h | 2 +-
include/linux/usb/hcd.h | 1 +
include/linux/vfio.h | 16 +
include/linux/wait.h | 9 +-
include/net/inet6_hashtables.h | 27 +-
include/net/inet_hashtables.h | 44 +--
include/net/inet_sock.h | 18 +-
include/net/sock.h | 3 -
include/trace/events/block.h | 30 +-
include/trace/events/spmi.h | 12 +-
include/trace/trace_events.h | 8 +-
include/uapi/linux/can/error.h | 5 +-
include/uapi/linux/netfilter/xt_IDLETIMER.h | 17 +-
kernel/bpf/verifier.c | 4 +-
kernel/cgroup/cpuset.c | 2 +-
kernel/irq/Kconfig | 1 +
kernel/irq/chip.c | 3 +-
kernel/kprobes.c | 3 +-
kernel/locking/lockdep.c | 9 +-
kernel/locking/lockdep_internals.h | 8 +-
kernel/power/user.c | 13 +-
kernel/profile.c | 7 +
kernel/sched/core.c | 34 +-
kernel/sched/deadline.c | 52 +--
kernel/sched/rt.c | 15 +-
kernel/sched/sched.h | 3 +-
kernel/time/hrtimer.c | 1 +
kernel/time/timekeeping.c | 7 +-
kernel/trace/blktrace.c | 46 +--
lib/Kconfig.debug | 40 +++
lib/bitmap.c | 42 ++-
lib/livepatch/test_klp_callbacks_busy.c | 8 +
lib/smp_processor_id.c | 2 +-
lib/test_bpf.c | 4 +-
mm/mmap.c | 1 -
net/9p/client.c | 5 +-
net/bluetooth/l2cap_core.c | 13 +-
net/dccp/proto.c | 10 +-
net/ipv4/inet_hashtables.c | 17 +-
net/ipv4/tcp_output.c | 30 +-
net/ipv4/udp.c | 3 +-
net/ipv6/inet6_hashtables.c | 6 +-
net/ipv6/udp.c | 2 +-
net/mac80211/sta_info.c | 6 +-
net/netfilter/nf_tables_api.c | 1 +
net/rose/af_rose.c | 11 +-
net/rose/rose_route.c | 2 +
net/sched/cls_route.c | 10 +
scripts/faddr2line | 4 +-
security/selinux/ss/policydb.h | 2 +
sound/pci/hda/patch_cirrus.c | 1 +
sound/pci/hda/patch_conexant.c | 11 +-
sound/pci/hda/patch_realtek.c | 15 +
sound/soc/atmel/mchp-spdifrx.c | 9 +-
sound/soc/codecs/cros_ec_codec.c | 1 +
sound/soc/codecs/da7210.c | 2 +
sound/soc/codecs/msm8916-wcd-digital.c | 46 +--
sound/soc/codecs/wcd9335.c | 81 ++---
sound/soc/fsl/fsl_easrc.c | 9 +-
sound/soc/fsl/fsl_easrc.h | 2 +-
sound/soc/generic/audio-graph-card.c | 4 +-
sound/soc/mediatek/mt6797/mt6797-mt6351.c | 6 +-
.../mediatek/mt8173/mt8173-rt5650-rt5676.c | 10 +-
sound/soc/mediatek/mt8173/mt8173-rt5650.c | 9 +-
sound/soc/qcom/lpass-cpu.c | 1 +
sound/soc/qcom/qdsp6/q6adm.c | 2 +-
sound/soc/samsung/aries_wm8994.c | 6 +-
sound/soc/samsung/h1940_uda1380.c | 2 +-
sound/soc/samsung/rx1950_uda1380.c | 4 +-
sound/usb/bcd2000/bcd2000.c | 3 +-
tools/lib/bpf/libbpf.c | 9 +-
tools/lib/bpf/xsk.c | 9 +-
tools/perf/util/dsos.c | 15 +-
tools/perf/util/genelf.c | 6 +-
tools/perf/util/symbol-elf.c | 27 +-
tools/testing/selftests/bpf/prog_tests/btf.c | 2 +-
.../selftests/kvm/lib/x86_64/processor.c | 2 +-
tools/testing/selftests/seccomp/seccomp_bpf.c | 2 +-
.../selftests/timers/clocksource-switch.c | 6 +-
.../testing/selftests/timers/valid-adjtimex.c | 2 +-
tools/thermal/tmon/sysfs.c | 24 +-
tools/thermal/tmon/tmon.h | 3 +
virt/kvm/kvm_main.c | 26 +-
464 files changed, 4348 insertions(+), 2261 deletions(-)
create mode 100644 arch/arm/boot/dts/bcm53015-meraki-mr26.dts
--
2.20.1
With the increase of memory capacity and density, the probability of
memory error increases. The increasing size and density of server RAM
in the data center and cloud have shown increased uncorrectable memory
errors.
Currently, the kernel has a mechanism to recover from hardware memory
errors. This patchset provides a new recovery mechanism.
For arm64, hardware memory errors are handled in do_sea(), which is divided
into two cases:
1. The user state consumed the memory errors; the solution is to kill the
user process and isolate the error page.
2. The kernel state consumed the memory errors; the solution is to panic.
For case 2, an undifferentiated panic may not be the optimal choice; it can be
handled better. In some scenarios we can avoid the panic, such as uaccess: if the
uaccess fails due to a memory error, only the user process will be affected, so
killing the user process and isolating the user page with hardware memory errors
is a better choice.
v1 -> v2:
Integrated bugfix patches into the fixed patch.
Tong Tiangen (11):
Revert "arm64: ras: copy_from_user scenario support uce kernel
recovery"
Revert "arm64: config: enable CONFIG_ARM64_UCE_KERNEL_RECOVERY"
uaccess: add generic fallback version of copy_mc_to_user()
arm64: extable: add new extable type "__mc_ex_table"
arm64: add support for machine check error safe
arm64: copy_form/to_user support machine check safe
arm64: get/put_user support machine check safe
arm64: add cow to machine check safe
arm64: introduce copy_mc_to_kernel() implementation
arm64: add dump_user_range() to machine check safe
arm64: add machine check safe sysctl interface
Documentation/admin-guide/sysctl/kernel.rst | 38 ++--
arch/arm64/Kconfig | 14 +-
arch/arm64/configs/openeuler_defconfig | 1 -
arch/arm64/include/asm/asm-uaccess.h | 5 +
arch/arm64/include/asm/assembler.h | 26 ++-
arch/arm64/include/asm/exception.h | 13 --
arch/arm64/include/asm/extable.h | 1 +
arch/arm64/include/asm/mte.h | 4 +
arch/arm64/include/asm/page.h | 10 +
arch/arm64/include/asm/processor.h | 2 +
arch/arm64/include/asm/string.h | 5 +
arch/arm64/include/asm/uaccess.h | 70 +++++--
arch/arm64/lib/Makefile | 10 +-
arch/arm64/lib/copy_from_user.S | 19 +-
arch/arm64/lib/copy_page_mc.S | 80 ++++++++
arch/arm64/lib/copy_to_user.S | 10 +-
arch/arm64/lib/memcpy_mc.S | 73 ++++++++
arch/arm64/lib/mte.S | 19 ++
arch/arm64/mm/Makefile | 2 -
arch/arm64/mm/copypage.c | 37 +++-
arch/arm64/mm/extable.c | 12 ++
arch/arm64/mm/fault.c | 36 +++-
arch/arm64/mm/uce_kernel_recovery.c | 198 --------------------
arch/powerpc/include/asm/uaccess.h | 1 +
arch/x86/include/asm/uaccess.h | 1 +
fs/coredump.c | 2 +
include/asm-generic/vmlinux.lds.h | 19 +-
include/linux/extable.h | 23 +++
include/linux/highmem.h | 8 +
include/linux/module.h | 11 ++
include/linux/sched.h | 1 +
include/linux/uaccess.h | 9 +
kernel/extable.c | 29 +++
kernel/module.c | 38 ++++
kernel/sysctl.c | 11 ++
lib/iov_iter.c | 12 +-
mm/memory.c | 2 +-
scripts/sorttable.h | 27 +++
38 files changed, 583 insertions(+), 296 deletions(-)
create mode 100644 arch/arm64/lib/copy_page_mc.S
create mode 100644 arch/arm64/lib/memcpy_mc.S
delete mode 100644 arch/arm64/mm/uce_kernel_recovery.c
--
2.25.1
Offering: HULK
hulk inclusion
category: feature
bugzilla: 187731
---------------------------
Since iocost can only be used in cgroup v2, add it to v1 now.
Signed-off-by: Li Nan <linan122(a)huawei.com>
---
block/blk-iocost.c | 23 +++++++++++++++++++++++
1 file changed, 23 insertions(+)
diff --git a/block/blk-iocost.c b/block/blk-iocost.c
index 08e4ba856e3b..64119eaf29da 100644
--- a/block/blk-iocost.c
+++ b/block/blk-iocost.c
@@ -3396,6 +3396,28 @@ static ssize_t ioc_cost_model_write(struct kernfs_open_file *of, char *input,
return ret;
}
+static struct cftype ioc_legacy_files[] = {
+ {
+ .name = "cost.weight",
+ .flags = CFTYPE_NOT_ON_ROOT,
+ .seq_show = ioc_weight_show,
+ .write = ioc_weight_write,
+ },
+ {
+ .name = "cost.qos",
+ .flags = CFTYPE_ONLY_ON_ROOT,
+ .seq_show = ioc_qos_show,
+ .write = ioc_qos_write,
+ },
+ {
+ .name = "cost.model",
+ .flags = CFTYPE_ONLY_ON_ROOT,
+ .seq_show = ioc_cost_model_show,
+ .write = ioc_cost_model_write,
+ },
+ {}
+};
+
static struct cftype ioc_files[] = {
{
.name = "weight",
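Review bot: ioc_legacy_files repeats the three handlers of ioc_files under new names ("cost.weight", "cost.qos", "cost.model", versus "weight" in the existing table), and neither the commit message nor a comment explains the extra "cost." prefix or which user-space consumers expect these names. Add a short comment above the table, document the new cgroup v1 files, and state in the commit message how the change was tested on a v1 hierarchy.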
@@ -3420,6 +3442,7 @@ static struct cftype ioc_files[] = {
static struct blkcg_policy blkcg_policy_iocost = {
.dfl_cftypes = ioc_files,
+ .legacy_cftypes = ioc_legacy_files,
.cpd_alloc_fn = ioc_cpd_alloc,
.cpd_free_fn = ioc_cpd_free,
.pd_alloc_fn = ioc_pd_alloc,
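Review bot: setting .legacy_cftypes here makes cost.qos and cost.model writable on cgroup v1 as soon as the policy registers, with no config option or opt-in visible in this patch. The commit message says only that iocost "can only be used in cgroup v2"; it should explain why exposing it on v1 is safe for existing v1 deployments, or the new files should be gated behind a config option.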
--
2.31.1

Re: [PATCH openEuler-22.03-LTS 2/2] block: Fix kabi broken in blk-merge.h and blk-cgroup.h
by linan (AK) 17 Nov '22
17 Nov '22
-----Original Message-----
From: linan (AK) <linan122(a)huawei.com>
Sent: 17 November 2022 21:42
To: Zhengzengkai <zhengzengkai(a)huawei.com>; Xiexiuqi <xiexiuqi(a)huawei.com>; pmail_patchwork <patchwork(a)huawei.com>
Cc: linan (AK) <linan122(a)huawei.com>; zhangyi (F) <yi.zhang(a)huawei.com>; houtao (A) <houtao1(a)huawei.com>; yukuai (C) <yukuai3(a)huawei.com>; chenxiaosong (A) <chenxiaosong2(a)huawei.com>; chengzhihao <chengzhihao1(a)huawei.com>; libaokun (C) <libaokun1(a)huawei.com>; luomeng <luomeng12(a)huawei.com>; yanaijie <yanaijie(a)huawei.com>; yangerkun <yangerkun(a)huawei.com>; yebin (H) <yebin10(a)huawei.com>; yuyufen <yuyufen(a)huawei.com>; zhangxiaoxu (A) <zhangxiaoxu5(a)huawei.com>; Zhengbin (OSKernel) <zhengbin13(a)huawei.com>; koulihong <koulihong(a)huawei.com>; qiulaibin <qiulaibin(a)huawei.com>
Subject: [PATCH openEuler-22.03-LTS 2/2] block: Fix kabi broken in blk-merge.h and blk-cgroup.h
hulk inclusion
category: bugfix
bugzilla: 187443, https://gitee.com/openeuler/kernel/issues/I5Z7O2
CVE: NA
--------------------------------
Include additional files and add new function will cause kabi broken. So move changes to blk-mq.h. bio_issue_as_root_blkg() is needed by blk_cgroup_mergeable(), move it together. It is used by iocost, too, so add blk-mq.h to blk-iocost.c.
Signed-off-by: Li Nan <linan122(a)huawei.com>
Reviewed-by: Jason Yan <yanaijie(a)huawei.com>
Signed-off-by: Zheng Zengkai <zhengzengkai(a)huawei.com>
---
block/blk-iocost.c | 1 +
block/blk-merge.c | 1 -
block/blk-mq.h | 34 ++++++++++++++++++++++++++++++++++
include/linux/blk-cgroup.h | 33 ---------------------------------
4 files changed, 35 insertions(+), 34 deletions(-)
diff --git a/block/blk-iocost.c b/block/blk-iocost.c index 08e4ba856e3b..462dbb766ed1 100644
--- a/block/blk-iocost.c
+++ b/block/blk-iocost.c
@@ -184,6 +184,7 @@
#include "blk-rq-qos.h"
#include "blk-stat.h"
#include "blk-wbt.h"
+#include "blk-mq.h"
#ifdef CONFIG_TRACEPOINTS
diff --git a/block/blk-merge.c b/block/blk-merge.c index f3fca8bb326d..1ed1b5146db2 100644
--- a/block/blk-merge.c
+++ b/block/blk-merge.c
@@ -7,7 +7,6 @@
#include <linux/bio.h>
#include <linux/blkdev.h>
#include <linux/scatterlist.h>
-#include <linux/blk-cgroup.h>
#include <trace/events/block.h>
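Review bot: this hunk drops the linux/blk-cgroup.h include from blk-merge.c, but blk_cgroup_mergeable() now lives in block/blk-mq.h and nothing in the visible context shows blk-merge.c including that header. Confirm the file still sees the definition with CONFIG_BLK_CGROUP both enabled and disabled, and say so in the commit message.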
diff --git a/block/blk-mq.h b/block/blk-mq.h index 5572277cf9a3..1c86f7d56e72 100644
--- a/block/blk-mq.h
+++ b/block/blk-mq.h
@@ -338,5 +338,39 @@ static inline bool hctx_may_queue(struct blk_mq_hw_ctx *hctx,
return __blk_mq_active_requests(hctx) < depth; }
+/**
+ * bio_issue_as_root_blkg - see if this bio needs to be issued as root
+blkg
+ * @return: true if this bio needs to be submitted with the root blkg context.
+ *
+ * In order to avoid priority inversions we sometimes need to issue a
+bio as if
+ * it were attached to the root blkg, and then backcharge to the actual
+owning
+ * blkg. The idea is we do bio_blkcg() to look up the actual context
+for the
+ * bio and attach the appropriate blkg to the bio. Then we call this
+helper and
+ * if it is true run with the root blkg for that queue and then do any
+ * backcharging to the originating cgroup once the io is complete.
+ */
+static inline bool bio_issue_as_root_blkg(struct bio *bio) {
+ return (bio->bi_opf & (REQ_META | REQ_SWAP)) != 0; }
+
+#ifdef CONFIG_BLK_CGROUP
+/**
+ * blk_cgroup_mergeable - Determine whether to allow or disallow merges
+ * @rq: request to merge into
+ * @bio: bio to merge
+ *
+ * @bio and @rq should belong to the same cgroup and their
+issue_as_root should
+ * match. The latter is necessary as we don't want to throttle e.g. a
+metadata
+ * update because it happens to be next to a regular IO.
+ */
+static inline bool blk_cgroup_mergeable(struct request *rq, struct bio
+*bio) {
+ return rq->bio->bi_blkg == bio->bi_blkg &&
+ bio_issue_as_root_blkg(rq->bio) == bio_issue_as_root_blkg(bio); }
+#else /* CONFIG_BLK_CGROUP */
+static inline bool blk_cgroup_mergeable(struct request *rq, struct bio *bio) { return true; }
+#endif /* CONFIG_BLK_CGROUP */
#endif
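Review bot: the added lines are line-wrapped (the kernel-doc comment is split onto bare "+blkg", "+bio as if" and "+owning" lines, and the closing braces are folded onto the return statements), so the moved code no longer matches what is removed from blk-cgroup.h and the hunk will not apply cleanly. Resend with git send-email or as an attachment, and keep the moved functions byte-identical to the removed ones so the move can be reviewed as a pure relocation.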
diff --git a/include/linux/blk-cgroup.h b/include/linux/blk-cgroup.h index dac9804907df..994ff06de40f 100644
--- a/include/linux/blk-cgroup.h
+++ b/include/linux/blk-cgroup.h
@@ -25,7 +25,6 @@
#include <linux/atomic.h>
#include <linux/kthread.h>
#include <linux/fs.h>
-#include <linux/blk-mq.h>
/* percpu_counter batch for blkg_[rw]stats, per-cpu drift doesn't matter */
#define BLKG_STAT_CPU_BATCH (INT_MAX / 2)
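Review bot: removing the linux/blk-mq.h include from a public header changes what every includer of linux/blk-cgroup.h receives transitively, so any file that relied on it for blk-mq declarations will stop building. The commit message should state that the tree was built with CONFIG_BLK_CGROUP both on and off after this change.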
@@ -297,22 +296,6 @@ static inline bool blk_cgroup_congested(void)
return ret;
}
-/**
- * bio_issue_as_root_blkg - see if this bio needs to be issued as root blkg
- * @return: true if this bio needs to be submitted with the root blkg context.
- *
- * In order to avoid priority inversions we sometimes need to issue a bio as if
- * it were attached to the root blkg, and then backcharge to the actual owning
- * blkg. The idea is we do bio_blkcg() to look up the actual context for the
- * bio and attach the appropriate blkg to the bio. Then we call this helper and
- * if it is true run with the root blkg for that queue and then do any
- * backcharging to the originating cgroup once the io is complete.
- */
-static inline bool bio_issue_as_root_blkg(struct bio *bio) -{
- return (bio->bi_opf & (REQ_META | REQ_SWAP)) != 0;
-}
-
/**
* blkcg_parent - get the parent of a blkcg
* @blkcg: blkcg of interest
@@ -611,21 +594,6 @@ static inline void blkcg_clear_delay(struct blkcg_gq *blkg)
atomic_dec(&blkg->blkcg->css.cgroup->congestion_count);
}
-/**
- * blk_cgroup_mergeable - Determine whether to allow or disallow merges
- * @rq: request to merge into
- * @bio: bio to merge
- *
- * @bio and @rq should belong to the same cgroup and their issue_as_root should
- * match. The latter is necessary as we don't want to throttle e.g. a metadata
- * update because it happens to be next to a regular IO.
- */
-static inline bool blk_cgroup_mergeable(struct request *rq, struct bio *bio) -{
- return rq->bio->bi_blkg == bio->bi_blkg &&
- bio_issue_as_root_blkg(rq->bio) == bio_issue_as_root_blkg(bio);
-}
-
void blk_cgroup_bio_start(struct bio *bio); void blkcg_add_delay(struct blkcg_gq *blkg, u64 now, u64 delta); void blkcg_schedule_throttle(struct request_queue *q, bool use_memdelay); @@ -681,7 +649,6 @@ static inline void blkg_put(struct blkcg_gq *blkg) { } static inline bool blkcg_punt_bio_submit(struct bio *bio) { return false; } static inline void blkcg_bio_issue_init(struct bio *bio) { } static inline void blk_cgroup_bio_start(struct bio *bio) { } -static inline bool blk_cgroup_mergeable(struct request *rq, struct bio *bio) { return true; }
#define blk_queue_for_each_rl(rl, q) \
for ((rl) = &(q)->root_rl; (rl); (rl) = NULL)
--
2.31.1

[PATCH OLK-5.10] mm: Fix kabi change caused by saved_auxv[] in mm_struct for x86_64
by Zheng Zengkai 17 Nov '22
17 Nov '22
openeuler inclusion
category: bugfix
bugzilla: https://gitee.com/openeuler/intel-kernel/issues/I5RQLJ
CVE: NA
Intel-SIG: mm: Fix kabi change caused by saved_auxv[] in mm_struct for x86_64.
--------------------------------
Use the KABI_DEPRECATE and KABI_USE macros to fix the kabi change caused by
commit 1c33bb050750 ("x86/elf: Support a new ELF aux vector AT_MINSIGSTKSZ").
The extended saved_auxv[] causes the kabi breakage, so move saved_auxv[]
to the end of struct mm_struct.
To avoid increasing the size of mm_struct too much, use a pointer to
indirectly reference the relocated saved_auxv[], then adapt the code where
mm->saved_auxv is used.
Signed-off-by: Zheng Zengkai <zhengzengkai(a)huawei.com>
Signed-off-by: Lin Wang <lin.x.wang(a)intel.com>
Signed-off-by: Aichun Shi <aichun.shi(a)intel.com>
---
arch/x86/include/uapi/asm/auxvec.h | 2 ++
fs/binfmt_elf.c | 12 ++++++------
fs/proc/base.c | 6 +++---
include/linux/mm_types.h | 16 ++++++++++++++--
kernel/fork.c | 29 ++++++++++++++++++++++++++---
kernel/sys.c | 10 +++++-----
6 files changed, 56 insertions(+), 19 deletions(-)
diff --git a/arch/x86/include/uapi/asm/auxvec.h b/arch/x86/include/uapi/asm/auxvec.h
index 6beb55bbefa4..6be5f6584119 100644
--- a/arch/x86/include/uapi/asm/auxvec.h
+++ b/arch/x86/include/uapi/asm/auxvec.h
@@ -13,8 +13,10 @@
/* entries in ARCH_DLINFO: */
#if defined(CONFIG_IA32_EMULATION) || !defined(CONFIG_X86_64)
# define AT_VECTOR_SIZE_ARCH 3
+# define ORIG_AT_VECTOR_SIZE_ARCH 2
#else /* else it's non-compat x86-64 */
# define AT_VECTOR_SIZE_ARCH 2
+# define ORIG_AT_VECTOR_SIZE_ARCH 1
#endif
#endif /* _ASM_X86_AUXVEC_H */
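Review bot: ORIG_AT_VECTOR_SIZE_ARCH is added to arch/x86/include/uapi/asm/auxvec.h, so a macro that exists only to satisfy the kABI checker is exported to user space. Its only visible user is include/linux/mm_types.h; define it in a kernel-internal header instead, and add a comment tying the values 2 and 1 to the AT_VECTOR_SIZE_ARCH values that applied before commit 1c33bb050750.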
diff --git a/fs/binfmt_elf.c b/fs/binfmt_elf.c
index ed507d27034b..1813c6fc8487 100644
--- a/fs/binfmt_elf.c
+++ b/fs/binfmt_elf.c
@@ -236,7 +236,7 @@ create_elf_tables(struct linux_binprm *bprm, const struct elfhdr *exec,
return -EFAULT;
/* Create the ELF interpreter info */
- elf_info = (elf_addr_t *)mm->saved_auxv;
+ elf_info = (elf_addr_t *)mm->mm_extend->saved_auxv;
/* update AT_VECTOR_SIZE_BASE if the number of NEW_AUX_ENT() changes */
#define NEW_AUX_ENT(id, val) \
do { \
@@ -285,13 +285,13 @@ create_elf_tables(struct linux_binprm *bprm, const struct elfhdr *exec,
}
#undef NEW_AUX_ENT
/* AT_NULL is zero; clear the rest too */
- memset(elf_info, 0, (char *)mm->saved_auxv +
- sizeof(mm->saved_auxv) - (char *)elf_info);
+ memset(elf_info, 0, (char *)mm->mm_extend->saved_auxv +
+ sizeof(mm->mm_extend->saved_auxv) - (char *)elf_info);
/* And advance past the AT_NULL entry. */
elf_info += 2;
- ei_index = elf_info - (elf_addr_t *)mm->saved_auxv;
+ ei_index = elf_info - (elf_addr_t *)mm->mm_extend->saved_auxv;
sp = STACK_ADD(p, ei_index);
items = (argc + 1) + (envc + 1) + 1;
@@ -352,7 +352,7 @@ create_elf_tables(struct linux_binprm *bprm, const struct elfhdr *exec,
mm->env_end = p;
/* Put the elf_info on the stack in the right place. */
- if (copy_to_user(sp, mm->saved_auxv, ei_index * sizeof(elf_addr_t)))
+ if (copy_to_user(sp, mm->mm_extend->saved_auxv, ei_index * sizeof(elf_addr_t)))
return -EFAULT;
return 0;
}
@@ -1586,7 +1586,7 @@ static int fill_psinfo(struct elf_prpsinfo *psinfo, struct task_struct *p,
static void fill_auxv_note(struct memelfnote *note, struct mm_struct *mm)
{
- elf_addr_t *auxv = (elf_addr_t *) mm->saved_auxv;
+ elf_addr_t *auxv = (elf_addr_t *) mm->mm_extend->saved_auxv;
int i = 0;
do
i += 2;
diff --git a/fs/proc/base.c b/fs/proc/base.c
index cc1fdff2e136..83f04d728172 100644
--- a/fs/proc/base.c
+++ b/fs/proc/base.c
@@ -1038,9 +1038,9 @@ static ssize_t auxv_read(struct file *file, char __user *buf,
return 0;
do {
nwords += 2;
- } while (mm->saved_auxv[nwords - 2] != 0); /* AT_NULL */
- return simple_read_from_buffer(buf, count, ppos, mm->saved_auxv,
- nwords * sizeof(mm->saved_auxv[0]));
+ } while (mm->mm_extend->saved_auxv[nwords - 2] != 0); /* AT_NULL */
+ return simple_read_from_buffer(buf, count, ppos, mm->mm_extend->saved_auxv,
+ nwords * sizeof(mm->mm_extend->saved_auxv[0]));
}
static const struct file_operations proc_auxv_operations = {
diff --git a/include/linux/mm_types.h b/include/linux/mm_types.h
index 15ff1e20f5ca..64d1c1f62968 100644
--- a/include/linux/mm_types.h
+++ b/include/linux/mm_types.h
@@ -24,6 +24,13 @@
#endif
#define AT_VECTOR_SIZE (2*(AT_VECTOR_SIZE_ARCH + AT_VECTOR_SIZE_BASE + 1))
+
+#ifndef ORIG_AT_VECTOR_SIZE_ARCH
+#define ORIG_AT_VECTOR_SIZE_ARCH AT_VECTOR_SIZE_ARCH
+#endif
+/* To pass the check of check-kabi, define the macro instead of number "46". */
+#define ORIG_AT_VECTOR_SIZE (2*(ORIG_AT_VECTOR_SIZE_ARCH + AT_VECTOR_SIZE_BASE + 1))
+
#define INIT_PASID 0
struct address_space;
@@ -394,6 +401,11 @@ struct core_state {
};
struct kioctx_table;
+
+struct mm_struct_extend {
+ unsigned long saved_auxv[AT_VECTOR_SIZE]; /* for /proc/PID/auxv */
+};
+
struct mm_struct {
struct {
struct vm_area_struct *mmap; /* list of VMAs */
@@ -508,7 +520,7 @@ struct mm_struct {
unsigned long start_brk, brk, start_stack;
unsigned long arg_start, arg_end, env_start, env_end;
- unsigned long saved_auxv[AT_VECTOR_SIZE]; /* for /proc/PID/auxv */
+ KABI_DEPRECATE(unsigned long, saved_auxv[ORIG_AT_VECTOR_SIZE])
/*
* Special counters, in some configurations protected by the
@@ -592,7 +604,7 @@ struct mm_struct {
#endif
} __randomize_layout;
- KABI_RESERVE(1)
+ KABI_USE(1, struct mm_struct_extend *mm_extend)
KABI_RESERVE(2)
KABI_RESERVE(3)
KABI_RESERVE(4)
diff --git a/kernel/fork.c b/kernel/fork.c
index 8a2e827815b6..c46fef2b1d1d 100644
--- a/kernel/fork.c
+++ b/kernel/fork.c
@@ -1076,12 +1076,17 @@ static struct mm_struct *mm_init(struct mm_struct *mm, struct task_struct *p,
struct mm_struct *mm_alloc(void)
{
struct mm_struct *mm;
+ off_t mm_extend_offset = sizeof(struct mm_struct) + cpumask_size();
mm = allocate_mm();
if (!mm)
return NULL;
memset(mm, 0, sizeof(*mm));
+ memset((void *)((unsigned long) mm + mm_extend_offset),
+ 0, sizeof(struct mm_struct_extend));
+ mm->mm_extend = (struct mm_struct_extend *)((unsigned long) mm + mm_extend_offset);
+
return mm_init(mm, current, current_user_ns());
}
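Review bot: mm->mm_extend is set only here and in dup_mm_extend(), so any mm_struct that does not come from mm_alloc() or dup_mm() (a statically defined one, for example) keeps a NULL mm_extend, while the converted users in fs/binfmt_elf.c, fs/proc/base.c and kernel/sys.c dereference it without a check. Either initialise the pointer for those objects as well or document why they can never reach a saved_auxv user. The expression sizeof(struct mm_struct) + cpumask_size() is also open-coded here; one helper would keep it in step with proc_caches_init().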
@@ -1367,6 +1372,22 @@ void exec_mm_release(struct task_struct *tsk, struct mm_struct *mm)
mm_release(tsk, mm);
}
+/*
+ * dup_mm_extend() copies the mm_struct_extend extra area at the bottom of
+ * the oldmm slab object over to the newly allocated mm struct,
+ * and resets mm->mm_extend accordingly.
+ */
+void dup_mm_extend(struct mm_struct *mm, struct mm_struct *oldmm)
+{
+ off_t mm_extend_offset = sizeof(struct mm_struct) + cpumask_size();
+
+ memcpy((void *)((unsigned long) mm + mm_extend_offset),
+ (void *)((unsigned long) oldmm + mm_extend_offset),
+ sizeof(struct mm_struct_extend));
+
+ mm->mm_extend = (struct mm_struct_extend *)((unsigned long) mm + mm_extend_offset);
+}
+
/**
* dup_mm() - duplicates an existing mm structure
* @tsk: the task_struct with which the new mm will be associated.
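Review bot: dup_mm_extend() is defined without static although its only visible caller is dup_mm() in the same file and no prototype is added to any header in this patch; make it static. The comment also says the extra area is "at the bottom of" the slab object, whereas the code computes an offset past the end of the struct and the cpumask; "at the end, after the cpumask" would match.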
@@ -1388,6 +1409,7 @@ static struct mm_struct *dup_mm(struct task_struct *tsk,
goto fail_nomem;
memcpy(mm, oldmm, sizeof(*mm));
+ dup_mm_extend(mm, oldmm);
if (!mm_init(mm, tsk, mm->user_ns))
goto fail_nomem;
@@ -2857,13 +2879,14 @@ void __init proc_caches_init(void)
* dynamically sized based on the maximum CPU number this system
* can have, taking hotplug into account (nr_cpu_ids).
*/
- mm_size = sizeof(struct mm_struct) + cpumask_size();
+ mm_size = sizeof(struct mm_struct) + cpumask_size() + sizeof(struct mm_struct_extend);
mm_cachep = kmem_cache_create_usercopy("mm_struct",
mm_size, ARCH_MIN_MMSTRUCT_ALIGN,
SLAB_HWCACHE_ALIGN|SLAB_PANIC|SLAB_ACCOUNT,
- offsetof(struct mm_struct, saved_auxv),
- sizeof_field(struct mm_struct, saved_auxv),
+ sizeof(struct mm_struct) + cpumask_size() +
+ offsetof(struct mm_struct_extend, saved_auxv),
+ sizeof_field(struct mm_struct_extend, saved_auxv),
NULL);
vm_area_cachep = KMEM_CACHE(vm_area_struct, SLAB_PANIC|SLAB_ACCOUNT);
mmap_init();
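Review bot: the usercopy window passed to kmem_cache_create_usercopy() now starts at sizeof(struct mm_struct) + cpumask_size() + offsetof(struct mm_struct_extend, saved_auxv), which has to agree exactly with the offset that mm_alloc() and dup_mm_extend() compute by hand. If the three drift apart, the copy_to_user() from mm->mm_extend->saved_auxv in create_elf_tables() falls outside the whitelisted region. Derive all three from one helper or macro, and note in the commit message that the deprecated in-struct saved_auxv slot is intentionally no longer whitelisted.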
diff --git a/kernel/sys.c b/kernel/sys.c
index c8a31e1037be..72c093d798c7 100644
--- a/kernel/sys.c
+++ b/kernel/sys.c
@@ -1962,7 +1962,7 @@ static int prctl_set_mm_map(int opt, const void __user *addr, unsigned long data
struct mm_struct *mm = current->mm;
int error;
- BUILD_BUG_ON(sizeof(user_auxv) != sizeof(mm->saved_auxv));
+ BUILD_BUG_ON(sizeof(user_auxv) != sizeof(mm->mm_extend->saved_auxv));
BUILD_BUG_ON(sizeof(struct prctl_mm_map) > 256);
if (opt == PR_SET_MM_MAP_SIZE)
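Review bot: BUILD_BUG_ON(sizeof(user_auxv) != sizeof(mm->mm_extend->saved_auxv)) spells a pointer dereference inside sizeof; it is never evaluated, but sizeof_field(struct mm_struct_extend, saved_auxv), as already used in the proc_caches_init() change, states the intent directly and does not depend on the local mm variable. The same applies to the auxv_size bound and to the second BUILD_BUG_ON further down in this file.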
@@ -1984,7 +1984,7 @@ static int prctl_set_mm_map(int opt, const void __user *addr, unsigned long data
* Someone is trying to cheat the auxv vector.
*/
if (!prctl_map.auxv ||
- prctl_map.auxv_size > sizeof(mm->saved_auxv))
+ prctl_map.auxv_size > sizeof(mm->mm_extend->saved_auxv))
return -EINVAL;
memset(user_auxv, 0, sizeof(user_auxv));
@@ -2056,7 +2056,7 @@ static int prctl_set_mm_map(int opt, const void __user *addr, unsigned long data
* more complex.
*/
if (prctl_map.auxv_size)
- memcpy(mm->saved_auxv, user_auxv, sizeof(user_auxv));
+ memcpy(mm->mm_extend->saved_auxv, user_auxv, sizeof(user_auxv));
mmap_read_unlock(mm);
return 0;
@@ -2084,10 +2084,10 @@ static int prctl_set_auxv(struct mm_struct *mm, unsigned long addr,
user_auxv[AT_VECTOR_SIZE - 2] = 0;
user_auxv[AT_VECTOR_SIZE - 1] = 0;
- BUILD_BUG_ON(sizeof(user_auxv) != sizeof(mm->saved_auxv));
+ BUILD_BUG_ON(sizeof(user_auxv) != sizeof(mm->mm_extend->saved_auxv));
task_lock(current);
- memcpy(mm->saved_auxv, user_auxv, len);
+ memcpy(mm->mm_extend->saved_auxv, user_auxv, len);
task_unlock(current);
return 0;
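Review bot: memcpy(mm->mm_extend->saved_auxv, user_auxv, len) now dereferences mm->mm_extend at run time, so prctl_set_auxv() relies on every mm_struct it can be handed having had that pointer set; this diff sets it on the allocation path and in dup_mm_extend(). A short comment next to the mm_extend field stating that invariant, and what holds for any mm_struct that does not come from mm_cachep, would help later readers.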
--
2.20.1
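Hello, I am Wen Bailin from xFusion (超聚变). Could the design and the development guide for the programmable scheduling framework be presented at the weekly meeting? Thank you!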

16 Nov '22
*** BLURB HERE ***
Christian Brauner (2):
ksmbd: ensure error is surfaced in set_file_basic_info()
ksmbd: remove setattr preparations in set_file_basic_info()
Christophe JAILLET (2):
ksmbd: Remove redundant 'flush_workqueue()' calls
ksmbd: Fix an error handling path in 'smb2_sess_setup()'
Colin Ian King (4):
cifsd: Fix a handful of spelling mistakes
cifsd: remove redundant assignment to variable err
ksmbd: fix kfree of uninitialized pointer oid
ksmbd: Fix read on the uninitialized pointer sess
Dan Carpenter (10):
cifsd: fix a precedence bug in parse_dacl()
cifsd: fix a IS_ERR() vs NULL bug
cifsd: Fix a use after free on error path
cifsd: Fix an error code in smb2_read()
cifsd: fix error handling in ksmbd_server_init()
ksmbd: delete some stray tabs
ksmbd: use kasprintf() in ksmbd_vfs_xattr_stream_name()
ksmbd: fix an oops in error handling in smb2_open()
ksmbd: missing check for NULL in convert_to_nt_pathname()
ksmbd: uninitialized variable in create_socket()
David Howells (1):
vfs: Check the truncate maximum size in inode_newsize_ok()
Enzo Matsumiya (1):
ksmbd: fix documentation for 2 functions
Gibeom Kim (1):
cifsd: remove stale prototype and variables
Hyunchul Lee (45):
cifsd: fix incorrect comments
cifsd: remove calling d_path in error paths
cifsd: handle unhashed dentry in ksmbd_vfs_mkdir
cifsd: use file_inode() instead of d_inode()
cifsd: remove useless error handling in ksmbd_vfs_read
cifsd: re-implement ksmbd_vfs_kern_path
cifsd: fix reference count decrement of unclaimed file in
__ksmbd_lookup_fd
cifsd: decoding gss token using lib/asn1_decoder.c
cifsd: lookup a file with LOOKUP_FOLLOW only if 'follow symlinks =
yes'
cifsd: enclose macro variables in parenthesis
cifsd: make alignment match open parenthesis
cifsd: append ksmbd prefix into names for asn1 decoder
ksmbd: factor out a ksmbd_vfs_lock_parent helper
ksmbd: set MAY_* flags together with open flags
ksmbd: remove macros in transport_ipc.c
ksmbd: replace BUFFER_NR_PAGES with inline function
ksmbd: replace KSMBD_ALIGN with kernel ALIGN macro
ksmbd: replace PAYLOAD_HEAD with inline function
ksmbd: remove getting worker state macros
ksmbd: remove and replace macros with inline functions in smb_common.h
ksmbd: replace struct dentry with struct path in some function's
arguments
ksmbd: fix the running request count decrement
ksmbd: free ksmbd_lock when file is closed
ksmbd: uninterruptible wait for a file being unlocked
ksmbd: make smb2_find_context_vals return NULL if not found
ksmbd: handle error cases first in smb2_create_sd_buffers
ksmbd: set RDMA capability for FSCTL_QUERY_NETWORK_INTERFACE_INFO
ksmbd: fix an error message in ksmbd_conn_trasnport_init
ksmbd: fix -Wstringop-truncation warnings
ksmbd: smbd: fix kernel oops during server shutdown
ksmbd: smbd: fix dma mapping error in smb_direct_post_send_data
ksmbd: prevent out of share access
ksmbd: use LOOKUP_BENEATH to prevent the out of share access
ksmbd: add buffer validation for SMB2_CREATE_CONTEXT
ksmbd: improve credits management
ksmbd: add buffer validation for smb direct
ksmbd: validate OutputBufferLength of QUERY_DIR, QUERY_INFO, IOCTL
requests
ksmbd: register ksmbd ib client with ib_register_client()
ksmbd: smbd: call rdma_accept() under CM handler
ksmbd: smbd: create MR pool
ksmbd: smbd: change the default maximum read/write, receive size
ksmbd: smbd: fix missing client's memory region invalidation
ksmbd: smbd: validate buffer descriptor structures
ksmbd: smbd: fix connection dropped issue
ksmbd: prevent out of bound read for SMB2_TREE_CONNNECT
Jason A. Donenfeld (1):
ksmbd: use vfs_llseek instead of dereferencing NULL
Jason Yan (1):
ksmbd: adapt vfs api to 5.10
Marcos Del Sol Vives (1):
ksmbd: disable SMB2_GLOBAL_CAP_ENCRYPTION for SMB 3.1.1
Marios Makassikis (17):
cifsd: Remove smb2_put_name()
cifsd: Fix potential null-ptr-deref in smb2_open()
cifsd: Update access check in
set_file_allocation_info/set_end_of_file_info
cifsd: Remove is_attributes_write_allowed() wrapper
cifsd: Call smb2_set_err_rsp() in smb2_read/smb2_write error path
cifsd: Handle ksmbd_session_rpc_open() failure in create_smb2_pipe()
cifsd: Update out_buf_len in smb2_populate_readdir_entry()
cifsd: Fix potential null-ptr-deref in destroy_previous_session()
cifsd: Do not use 0 or 0xFFFFFFFF for TreeID
ksmbd: Relax credit_charge check in smb2_validate_credit_charge()
ksmbd: Fix potential memory leak in tcp_destroy_socket()
ksmbd: Return STATUS_OBJECT_PATH_NOT_FOUND if smb2_creat() returns
ENOENT
ksmbd: Fix multi-protocol negotiation
ksmbd: add buffer validation in session setup
ksmbd: Fix buffer length check in fsctl_validate_negotiate_info()
ksmbd: Remove unused parameter from smb2_get_name()
ksmbd: Remove unused fields from ksmbd_file struct definition
Mauro Carvalho Chehab (1):
doc: cifsd: change the reference to configuration.txt
Mickaël Salaün (1):
ksmbd: Fix user namespace mapping
Mike Galbraith (1):
ksmbd: transport_rdma: Don't include rwlock.h directly
Muhammad Usama Anjum (2):
cifsd: fix memory leak when loop ends
cifsd: use kfree to free memory allocated by kmalloc or kzalloc
Namjae Jeon (194):
cifsd: add server handler for central processing and tranport layers
cifsd: add server-side procedures for SMB3
cifsd: add file operations
cifsd: fix static checker warning from smb_direct_post_send_data()
cifsd: fix static checker warning from smb_check_perm_dacl()
cifsd: fix warning: variable 'total_ace_size' and 'posix_ccontext' set
but not used
cifsd: Pass string length parameter to match_pattern()
cifsd: remove unneeded macros
cifsd: fix wrong use of rw semaphore in __session_create()
cifsd: use kmalloc() for small allocations
cifsd: add the check to work file lock and rename behaviors like
Windows unless POSIX extensions are negotiated
cifsd: fix error return code in ksmbd_vfs_remove_file()
cifsd: clean-up codes using chechpatch.pl --strict
cifsd: merge time_wrappers.h into smb_common.h
cifsd: fix wrong prototype in comment
cifsd: remove smack inherit leftovers
cifsd: use xarray instead of linked list for tree connect list
cifsd: remove wrappers of kvmalloc/kvfree
cifsd: prevent a integer overflow in wm_alloc()
cifsd: declare ida statically
cifsd: add the check if parent is stable by unexpected rename
cifsd: get parent dentry from child in ksmbd_vfs_remove_file()
cifsd: remove unused smberr.h
cifsd: remove unused nterr.c file
cifsd: move nt time functions to misc.c
cifsd: use d_inode()
cifsd: remove the dead code of unimplemented durable handle
cifsd: add support for AES256 encryption
cifsd: fix invalid memory access in smb2_write()
cifsd: fix WARNING: Possible unnecessary 'out of memory' message
cifsd: fix WARNING: Too many leading tabs
cifsd: fix xfstests generic/504 test failure
cifsd: add support for FSCTL_DUPLICATE_EXTENTS_TO_FILE
cifsd: add goto fail in asn1_oid_decode()
cifsd: use memcmp instead of for loop check in oid_eq()
cifsd: add goto fail in neg_token_init_mech_type()
cifsd: move fips_enabled check before the str_to_key()
cifsd: just return smbhash() instead of using rc return value
cifsd: move ret check before the out label
cifsd: simplify error handling in ksmbd_auth_ntlm()
cifsd: remove unneeded type casting
cifsd: set error return value for memcmp() difference
cifsd: return zero in always success case
cifsd: never return 1 on failure
cifsd: add the check if nvec is zero
cifsd: len can never be negative in ksmbd_init_sg()
cifsd: remove unneeded initialization of rc variable in
ksmbd_crypt_message()
cifsd: fix wrong return value in ksmbd_crypt_message()
cifsd: change success handling to failure handling
cifsd: add default case in switch statment in alloc_shash_desc()
cifsd: call kzalloc() directly instead of wrapper
cifsd: simplify error handling in ksmbd_gen_preauth_integrity_hash()
cifsd: return -ENOMEM about error from ksmbd_crypto_ctx_find_xxx calls
cifsd: alignment match open parenthesis
cifsd: add the check to prevent potential overflow with
smb_strtoUTF16() and UNICODE_LEN()
cifsd: braces {} should be used on all arms of this statement
cifsd: spaces preferred around that '/'
cifsd: don't use multiple blank lines
cifsd: No space is necessary after a cast
cifsd: Blank lines aren't necessary after an open brace '{'
cifsd: Alignment should match open parenthesis
cifsd: remove unnecessary parentheses around
cifsd: Prefer kernel type 'u16' over 'uint16_t'
cifsd: fix Control flow issues in ksmbd_build_ntlmssp_challenge_blob()
cifsd: fix potential read overflow in ksmbd_vfs_stream_read()
cifsd: fix additional warnings from checkpatch.pl --strict
cifsd: fix list_add double add BUG_ON trap in setup_async_work()
cifsd: set epoch in smb2_lease_break response
ksmbd: add support for SMB3 multichannel
ksmbd: remove cache read/trans buffer support
ksmbd: initialize variables on the declaration
ksmbd: remove ksmbd_vfs_copy_file_range
ksmbd: use list_for_each_entry instead of list_for_each
ksmbd: use goto instead of duplicating the resoure cleanup in
ksmbd_open_fd
ksmbd: fix overly long line
ksmbd: remove unneeded FIXME comment
ksmbd: remove ____ksmbd_align in ksmbd_server.h
ksmbd: replace KSMBD_SHARE_CONFIG_PATH with inline function
ksmbd: remove ksmbd_err/info
ksmbd: opencode to avoid trivial wrappers
ksmbd: factor out a ksmbd_validate_entry_in_use helper from
__ksmbd_vfs_rename
ksmbd: opencode posix acl functions instead of wrappers
ksmbd: change stream type macro to enumeration
ksmbd: use f_bsize instead of q->limits.logical_block_size
ksmbd: remove unneeded NULL check in the list iterator
ksmbd: use f_bsize in FS_SECTOR_SIZE_INFORMATION
cifsd: fix WARNING: Title overline too short
cifsd: update cifsd.rst document
cifsd: fix build warnings from cifsd.rst
cifsd: add ksmbd/nfsd interoperability to feature table
cifsd: fix WARNING: document isn't included in any toctree
cifsd: add index.rst in cifs documentation
ksmbd: move fs/cifsd to fs/ksmbd
ksmbd: replace SMB_DIRECT_TRANS macro with inline function
ksmbd: replace request and respone buffer macro with inline functions
ksmbd: allow PROTECTED_DACL_SECINFO and UNPROTECTED_DACL_SECINFO
addition information in smb2 set info security
ksmbd: fix dentry racy with rename()
ksmbd: opencode to remove FP_INODE macro
ksmbd: use ksmbd_vfs_lock_parent to get stable parent dentry
ksmbd: opencode to remove ATTR_FP macro
ksmbd: remove SMB1 oplock level macros
ksmbd: change ACE types to enumeration
ksmbd: change sid types to enumeration
ksmbd: change server state type macro to enumeration
ksmbd: change server config string index to enumeration
ksmbd: reorder and document on-disk and netlink structures in headers
ksmbd: fix kernel oops in ksmbd_rpc_ioctl/rap()
ksmbd: remove unneeded NULL check in for_each_netdev
ksmbd: fix read on the uninitialized send_ctx
ksmbd: fix memory leak smb2_populate_readdir_entry()
ksmbd: fix memory leak in smb_inherit_dacl()
ksmbd: change data type of volatile/persistent id to u64
ksmbd: remove unneeded check_context_err
ksmbd: fix memory leak in ksmbd_vfs_get_sd_xattr()
ksmbd: fix unused err value in smb2_lock
ksmbd: fix typo in comment
ksmbd: fix wrong compression context size
ksmbd: fix wrong error status return on session setup
ksmbd: set STATUS_INVALID_PARAMETER error status if credit charge is
invalid
ksmbd: move credit charge verification over smb2 request size
verification
ksmbd: fix typo of MS-SMBD
ksmbd: add negotiate context verification
ksmbd: add support for negotiating signing algorithm
ksmbd: don't set RSS capable in FSCTL_QUERY_NETWORK_INTERFACE_INFO
ksmbd: use channel signingkey for binding SMB2 session setup
ksmbd: fix missing error code in smb2_lock
ksmbd: add ipv6_addr_v4mapped check to know if connection from client
is ipv4
ksmbd: change int data type to boolean
ksmbd: update the comment for smb2_get_ksmbd_tcon()
ksmbd: use proper errno instead of -1 in smb2_get_ksmbd_tcon()
ksmbd: don't set FILE DELETE and FILE_DELETE_CHILD in access mask by
default
ksmbd: fix permission check issue on chown and chmod
ksmbd: fix __write_overflow warning in ndr_read_string
ksmbd: remove unused ksmbd_file_table_flush function
ksmbd: fix read of uninitialized variable ret in set_file_basic_info
ksmbd: add validation for FILE_FULL_EA_INFORMATION of smb2_get_info
ksmbd: add default data stream name in FILE_STREAM_INFORMATION
ksmbd: check protocol id in ksmbd_verify_smb_message()
ksmbd: remove follow symlinks support
ksmbd: fix invalid request buffer access in compound
ksmbd: remove NTLMv1 authentication
ksmbd: use correct basic info level in set_file_basic_info()
ksmbd: add request buffer validation in smb2_set_info
ksmbd: add validation in smb2 negotiate
ksmbd: fix transform header validation
ksmbd: add the check to vaildate if stream protocol length exceeds
maximum value
ksmbd: check strictly data area in ksmbd_smb2_check_message()
ksmbd: remove the leftover of smb2.0 dialect support
ksmbd: use buf_data_size instead of recalculation in
smb3_decrypt_req()
ksmbd: fix version mismatch with out of tree
ksmbd: fix oops from fuse driver
ksmbd: add validation in smb2_ioctl
ksmbd: fix potencial 32bit overflow from data area check in smb2_write
ksmbd: validate compound response buffer
ksmbd: limit read/write/trans buffer size not to exceed 8MB
ksmbd: throttle session setup failures to avoid dictionary attacks
ksmbd: don't need 8byte alignment for request length in
ksmbd_check_message
ksmbd: remove smb2_buf_length in smb2_hdr
ksmbd: remove smb2_buf_length in smb2_transform_hdr
ksmbd: change LeaseKey data type to u8 array
ksmbd: downgrade addition info error msg to debug in
smb2_get_info_sec()
ksmbd: contain default data stream even if xattr is empty
ksmbd: fix memleak in get_file_stream_info()
ksmbd: remove select FS_POSIX_ACL in Kconfig
ksmbd: fix uninitialized symbol 'pntsd_size'
ksmbd: set RSS capable in FSCTL_QUERY_NETWORK_INTERFACE_INFO
ksmbd: set both ipv4 and ipv6 in FSCTL_QUERY_NETWORK_INTERFACE_INFO
ksmbd: fix multi session connection failure
ksmbd: set 445 port to smbdirect port by default
ksmbd: fix guest connection failure with nautilus
ksmbd: fix SMB 3.11 posix extension mount failure
ksmbd: fix same UniqueId for dot and dotdot entries
ksmbd: don't align last entry offset in smb2 query directory
ksmbd: reduce smb direct max read/write size
ksmbd: add channel rwlock
ksmbd: handle smb2 query dir request for OutputBufferLength that is
too small
ksmbd: fix incorrect handling of iterate_dir
ksmbd: use wait_event instead of schedule_timeout()
ksmbd: replace sessions list in connection with xarray
ksmbd: fix kernel oops from idr_remove()
ksmbd: remove unused ksmbd_share_configs_cleanup function
ksmbd: fix racy issue while destroying session on multichannel
ksmbd: fix memory leak in smb2_handle_negotiate
ksmbd: fix use-after-free bug in smb2_tree_disconect
ksmbd: return STATUS_BAD_NETWORK_NAME error status if share is not
configured
ksmbd: fix endless loop when encryption for response fails
ksmbd: fix encryption failure issue for session logoff response
ksmbd: set NTLMSSP_NEGOTIATE_SEAL flag to challenge blob
cifsd: add Kconfig and Makefile
ksmbd: set unique value to volume serial field in
FS_VOLUME_INFORMATION
ksmbd: add support for smb2 max credit parameter
ksmbd: move credit charge deduction under processing request
ksmbd: limits exceeding the maximum allowable outstanding requests
ksmbd: add reserved room in ipc request/response
Per Forlin (1):
ksmbd: Reduce error log 'speed is unknown' to debug
Ralph Boehme (4):
ksmbd: validate credit charge after validating SMB2 PDU body size
ksmbd: use ksmbd_req_buf_next() in ksmbd_verify_smb_message()
ksmbd: use ksmbd_req_buf_next() in ksmbd_smb2_check_message()
ksmdb: use cmd helper variable in smb2_get_ksmbd_tcon()
Ronnie Sahlberg (1):
ksmbd: remove RFC1002 check in smb2 request
Sebastian Gottschall (1):
cifsd: Fix regression in smb2_get_info
Sergey Senozhatsky (1):
cifsd: remove unneeded FIXME comments
Stephen Rothwell (1):
cifsd: uniquify extract_sharename()
Steve French (1):
ksmbd: log that server is experimental at module load
Tian Tao (1):
cifsd: remove unused including <linux/version.h>
Wan Jiabing (1):
cifsd: remove duplicated argument
Xin Xiong (1):
ksmbd: fix reference count leak in smb_check_perm_dacl()
Yang Li (3):
ksmbd: Fix buffer_check_err() kernel-doc comment
ksmbd: Fix smb2_set_info_file() kernel-doc comment
ksmbd: Fix smb2_get_name() kernel-doc comment
Yang Yingliang (3):
cifsd: fix memleak in ksmbd_vfs_stream_write()
cifsd: fix memleak in ksmbd_vfs_stream_read()
cifsd: check return value of ksmbd_vfs_getcasexattr() correctly
Yufan Chen (1):
ksmbd: add smb-direct shutdown
Zhang Xiaoxu (1):
ksmbd: Fix wrong return value and message length check in smb2_ioctl()
kernel test robot (2):
cifsd: fix memdup.cocci warnings
cifsd: fix boolreturn.cocci warnings
Documentation/filesystems/cifs/index.rst | 10 +
Documentation/filesystems/cifs/ksmbd.rst | 164 +
Documentation/filesystems/index.rst | 2 +-
fs/Kconfig | 1 +
fs/Makefile | 1 +
fs/attr.c | 2 +
fs/ksmbd/Kconfig | 68 +
fs/ksmbd/Makefile | 20 +
fs/ksmbd/asn1.c | 343 +
fs/ksmbd/asn1.h | 21 +
fs/ksmbd/auth.c | 1174 +++
fs/ksmbd/auth.h | 71 +
fs/ksmbd/connection.c | 425 ++
fs/ksmbd/connection.h | 203 +
fs/ksmbd/crypto_ctx.c | 266 +
fs/ksmbd/crypto_ctx.h | 66 +
fs/ksmbd/glob.h | 49 +
fs/ksmbd/ksmbd_netlink.h | 407 +
fs/ksmbd/ksmbd_spnego_negtokeninit.asn1 | 31 +
fs/ksmbd/ksmbd_spnego_negtokentarg.asn1 | 19 +
fs/ksmbd/ksmbd_work.c | 79 +
fs/ksmbd/ksmbd_work.h | 117 +
fs/ksmbd/mgmt/ksmbd_ida.c | 46 +
fs/ksmbd/mgmt/ksmbd_ida.h | 34 +
fs/ksmbd/mgmt/share_config.c | 224 +
fs/ksmbd/mgmt/share_config.h | 79 +
fs/ksmbd/mgmt/tree_connect.c | 122 +
fs/ksmbd/mgmt/tree_connect.h | 58 +
fs/ksmbd/mgmt/user_config.c | 79 +
fs/ksmbd/mgmt/user_config.h | 68 +
fs/ksmbd/mgmt/user_session.c | 380 +
fs/ksmbd/mgmt/user_session.h | 104 +
fs/ksmbd/misc.c | 331 +
fs/ksmbd/misc.h | 35 +
fs/ksmbd/ndr.c | 343 +
fs/ksmbd/ndr.h | 22 +
fs/ksmbd/nterr.h | 543 ++
fs/ksmbd/ntlmssp.h | 169 +
fs/ksmbd/oplock.c | 1733 +++++
fs/ksmbd/oplock.h | 129 +
fs/ksmbd/server.c | 640 ++
fs/ksmbd/server.h | 70 +
fs/ksmbd/smb2misc.c | 447 ++
fs/ksmbd/smb2ops.c | 315 +
fs/ksmbd/smb2pdu.c | 8611 ++++++++++++++++++++++
fs/ksmbd/smb2pdu.h | 1708 +++++
fs/ksmbd/smb_common.c | 684 ++
fs/ksmbd/smb_common.h | 529 ++
fs/ksmbd/smbacl.c | 1366 ++++
fs/ksmbd/smbacl.h | 212 +
fs/ksmbd/smbfsctl.h | 91 +
fs/ksmbd/smbstatus.h | 1822 +++++
fs/ksmbd/transport_ipc.c | 877 +++
fs/ksmbd/transport_ipc.h | 47 +
fs/ksmbd/transport_rdma.c | 2219 ++++++
fs/ksmbd/transport_rdma.h | 61 +
fs/ksmbd/transport_tcp.c | 619 ++
fs/ksmbd/transport_tcp.h | 13 +
fs/ksmbd/unicode.c | 384 +
fs/ksmbd/unicode.h | 357 +
fs/ksmbd/uniupr.h | 268 +
fs/ksmbd/vfs.c | 1841 +++++
fs/ksmbd/vfs.h | 184 +
fs/ksmbd/vfs_cache.c | 708 ++
fs/ksmbd/vfs_cache.h | 167 +
fs/ksmbd/xattr.h | 122 +
66 files changed, 32399 insertions(+), 1 deletion(-)
create mode 100644 Documentation/filesystems/cifs/index.rst
create mode 100644 Documentation/filesystems/cifs/ksmbd.rst
create mode 100644 fs/ksmbd/Kconfig
create mode 100644 fs/ksmbd/Makefile
create mode 100644 fs/ksmbd/asn1.c
create mode 100644 fs/ksmbd/asn1.h
create mode 100644 fs/ksmbd/auth.c
create mode 100644 fs/ksmbd/auth.h
create mode 100644 fs/ksmbd/connection.c
create mode 100644 fs/ksmbd/connection.h
create mode 100644 fs/ksmbd/crypto_ctx.c
create mode 100644 fs/ksmbd/crypto_ctx.h
create mode 100644 fs/ksmbd/glob.h
create mode 100644 fs/ksmbd/ksmbd_netlink.h
create mode 100644 fs/ksmbd/ksmbd_spnego_negtokeninit.asn1
create mode 100644 fs/ksmbd/ksmbd_spnego_negtokentarg.asn1
create mode 100644 fs/ksmbd/ksmbd_work.c
create mode 100644 fs/ksmbd/ksmbd_work.h
create mode 100644 fs/ksmbd/mgmt/ksmbd_ida.c
create mode 100644 fs/ksmbd/mgmt/ksmbd_ida.h
create mode 100644 fs/ksmbd/mgmt/share_config.c
create mode 100644 fs/ksmbd/mgmt/share_config.h
create mode 100644 fs/ksmbd/mgmt/tree_connect.c
create mode 100644 fs/ksmbd/mgmt/tree_connect.h
create mode 100644 fs/ksmbd/mgmt/user_config.c
create mode 100644 fs/ksmbd/mgmt/user_config.h
create mode 100644 fs/ksmbd/mgmt/user_session.c
create mode 100644 fs/ksmbd/mgmt/user_session.h
create mode 100644 fs/ksmbd/misc.c
create mode 100644 fs/ksmbd/misc.h
create mode 100644 fs/ksmbd/ndr.c
create mode 100644 fs/ksmbd/ndr.h
create mode 100644 fs/ksmbd/nterr.h
create mode 100644 fs/ksmbd/ntlmssp.h
create mode 100644 fs/ksmbd/oplock.c
create mode 100644 fs/ksmbd/oplock.h
create mode 100644 fs/ksmbd/server.c
create mode 100644 fs/ksmbd/server.h
create mode 100644 fs/ksmbd/smb2misc.c
create mode 100644 fs/ksmbd/smb2ops.c
create mode 100644 fs/ksmbd/smb2pdu.c
create mode 100644 fs/ksmbd/smb2pdu.h
create mode 100644 fs/ksmbd/smb_common.c
create mode 100644 fs/ksmbd/smb_common.h
create mode 100644 fs/ksmbd/smbacl.c
create mode 100644 fs/ksmbd/smbacl.h
create mode 100644 fs/ksmbd/smbfsctl.h
create mode 100644 fs/ksmbd/smbstatus.h
create mode 100644 fs/ksmbd/transport_ipc.c
create mode 100644 fs/ksmbd/transport_ipc.h
create mode 100644 fs/ksmbd/transport_rdma.c
create mode 100644 fs/ksmbd/transport_rdma.h
create mode 100644 fs/ksmbd/transport_tcp.c
create mode 100644 fs/ksmbd/transport_tcp.h
create mode 100644 fs/ksmbd/unicode.c
create mode 100644 fs/ksmbd/unicode.h
create mode 100644 fs/ksmbd/uniupr.h
create mode 100644 fs/ksmbd/vfs.c
create mode 100644 fs/ksmbd/vfs.h
create mode 100644 fs/ksmbd/vfs_cache.c
create mode 100644 fs/ksmbd/vfs_cache.h
create mode 100644 fs/ksmbd/xattr.h
--
2.31.1
Patch sent to Blue Cloud (蓝云)

[PATCH openEuler-5.10 01/60] stack: Optionally randomize kernel stack offset each syscall
by Zheng Zengkai 15 Nov '22
From: Kees Cook <keescook(a)chromium.org>
mainline inclusion
from mainline-v5.13-rc1
commit 39218ff4c625dbf2e68224024fe0acaa60bcd51a
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I5YQ6Z
CVE: NA
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?…
--------------------------------
This provides the ability for architectures to enable kernel stack base
address offset randomization. This feature is controlled by the boot
param "randomize_kstack_offset=on/off", with its default value set by
CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT.
This feature is based on the original idea from the last public release
of PaX's RANDKSTACK feature: https://pax.grsecurity.net/docs/randkstack.txt
All the credit for the original idea goes to the PaX team. Note that
the design and implementation of this upstream randomize_kstack_offset
feature differs greatly from the RANDKSTACK feature (see below).
Reasoning for the feature:
This feature aims to make harder the various stack-based attacks that
rely on deterministic stack structure. We have had many such attacks in
the past (just to name a few):
https://jon.oberheide.org/files/infiltrate12-thestackisback.pdf
https://jon.oberheide.org/files/stackjacking-infiltrate11.pdf
https://googleprojectzero.blogspot.com/2016/06/exploiting-recursion-in-linu…
As Linux kernel stack protections have been constantly improving
(vmap-based stack allocation with guard pages, removal of thread_info,
STACKLEAK), attackers have had to find new ways for their exploits
to work. They have done so, continuing to rely on the kernel's stack
determinism, in situations where VMAP_STACK and THREAD_INFO_IN_TASK_STRUCT
were not relevant. For example, the following recent attacks would have
been hampered if the stack offset was non-deterministic between syscalls:
https://repositorio-aberto.up.pt/bitstream/10216/125357/2/374717.pdf
(page 70: targeting the pt_regs copy with linear stack overflow)
https://a13xp0p0v.github.io/2020/02/15/CVE-2019-18683.html
(leaked stack address from one syscall as a target during next syscall)
The main idea is that since the stack offset is randomized on each system
call, it is harder for an attack to reliably land in any particular place
on the thread stack, even with address exposures, as the stack base will
change on the next syscall. Also, since randomization is performed after
placing pt_regs, the ptrace-based approach[1] to discover the randomized
offset during a long-running syscall should not be possible.
Design description:
During most of the kernel's execution, it runs on the "thread stack",
which is pretty deterministic in its structure: it is fixed in size,
and on every entry from userspace to kernel on a syscall the thread
stack starts construction from an address fetched from the per-cpu
cpu_current_top_of_stack variable. The first element to be pushed to the
thread stack is the pt_regs struct that stores all required CPU registers
and syscall parameters. Finally the specific syscall function is called,
with the stack being used as the kernel executes the resulting request.
The goal of randomize_kstack_offset feature is to add a random offset
after the pt_regs has been pushed to the stack and before the rest of the
thread stack is used during the syscall processing, and to change it every
time a process issues a syscall. The source of randomness is currently
architecture-defined (but x86 is using the low byte of rdtsc()). Future
improvements for different entropy sources are possible, but out of scope
for this patch. Furthermore, to add more unpredictability, new offsets
are chosen at the end of syscalls (the timing of which should be less
easy to measure from userspace than at syscall entry time), and stored
in a per-CPU variable, so that the life of the value does not stay
explicitly tied to a single task.
As suggested by Andy Lutomirski, the offset is added using alloca()
and an empty asm() statement with an output constraint, since it avoids
changes to assembly syscall entry code, to the unwinder, and provides
correct stack alignment as defined by the compiler.
In order to make this available by default with zero performance impact
for those that don't want it, it is boot-time selectable with static
branches. This way, if the overhead is not wanted, it can just be
left turned off with no performance impact.
The generated assembly for x86_64 with GCC looks like this:
...
ffffffff81003977: 65 8b 05 02 ea 00 7f mov %gs:0x7f00ea02(%rip),%eax
# 12380 <kstack_offset>
ffffffff8100397e: 25 ff 03 00 00 and $0x3ff,%eax
ffffffff81003983: 48 83 c0 0f add $0xf,%rax
ffffffff81003987: 25 f8 07 00 00 and $0x7f8,%eax
ffffffff8100398c: 48 29 c4 sub %rax,%rsp
ffffffff8100398f: 48 8d 44 24 0f lea 0xf(%rsp),%rax
ffffffff81003994: 48 83 e0 f0 and $0xfffffffffffffff0,%rax
...
As a result of the above stack alignment, this patch introduces about
5 bits of randomness after pt_regs is spilled to the thread stack on
x86_64, and 6 bits on x86_32 (since it has 1 fewer bit required for
stack alignment). The amount of entropy could be adjusted based on how
much of the stack space we wish to trade for security.
My measure of syscall performance overhead (on x86_64):
lmbench: /usr/lib/lmbench/bin/x86_64-linux-gnu/lat_syscall -N 10000 null
randomize_kstack_offset=y Simple syscall: 0.7082 microseconds
randomize_kstack_offset=n Simple syscall: 0.7016 microseconds
So, roughly 0.9% overhead growth for a no-op syscall, which is very
manageable. And for people that don't want this, it's off by default.
There are two gotchas with using the alloca() trick. First,
compilers that have Stack Clash protection (-fstack-clash-protection)
enabled by default (e.g. Ubuntu[3]) add pagesize stack probes to
any dynamic stack allocations. While the randomization offset is
always less than a page, the resulting assembly would still contain
(unreachable!) probing routines, bloating the resulting assembly. To
avoid this, -fno-stack-clash-protection is unconditionally added to
the kernel Makefile since this is the only dynamic stack allocation in
the kernel (now that VLAs have been removed) and it is provably safe
from Stack Clash style attacks.
The second gotcha with alloca() is a negative interaction with
-fstack-protector*, in that it sees the alloca() as an array allocation,
which triggers the unconditional addition of the stack canary function
pre/post-amble which slows down syscalls regardless of the static
branch. In order to avoid adding this unneeded check and its associated
performance impact, architectures need to carefully remove uses of
-fstack-protector-strong (or -fstack-protector) in the compilation units
that use the add_random_kstack() macro and to audit the resulting stack
mitigation coverage (to make sure no desired coverage disappears). No
change is visible for this on x86 because the stack protector is already
unconditionally disabled for the compilation unit, but the change is
required on arm64. There is, unfortunately, no attribute that can be
used to disable stack protector for specific functions.
Comparison to PaX RANDKSTACK feature:
The RANDKSTACK feature randomizes the location of the stack start
(cpu_current_top_of_stack), i.e. including the location of pt_regs
structure itself on the stack. Initially this patch followed the same
approach, but during the recent discussions[2], it has been determined
to be of a little value since, if ptrace functionality is available for
an attacker, they can use PTRACE_PEEKUSR/PTRACE_POKEUSR to read/write
different offsets in the pt_regs struct, observe the cache behavior of
the pt_regs accesses, and figure out the random stack offset. Another
difference is that the random offset is stored in a per-cpu variable,
rather than having it be per-thread. As a result, these implementations
differ a fair bit in their implementation details and results, though
obviously the intent is similar.
[1] https://lore.kernel.org/kernel-hardening/2236FBA76BA1254E88B949DDB74E612BA4…
[2] https://lore.kernel.org/kernel-hardening/20190329081358.30497-1-elena.reshe…
[3] https://lists.ubuntu.com/archives/ubuntu-devel/2019-June/040741.html
Co-developed-by: Elena Reshetova <elena.reshetova(a)intel.com>
Signed-off-by: Elena Reshetova <elena.reshetova(a)intel.com>
Signed-off-by: Kees Cook <keescook(a)chromium.org>
Signed-off-by: Thomas Gleixner <tglx(a)linutronix.de>
Reviewed-by: Thomas Gleixner <tglx(a)linutronix.de>
Link: https://lore.kernel.org/r/20210401232347.2791257-4-keescook@chromium.org
conflict:
Documentation/admin-guide/kernel-parameters.txt
arch/Kconfig
Signed-off-by: Yi Yang <yiyang13(a)huawei.com>
Reviewed-by: Xiu Jianfeng <xiujianfeng(a)huawei.com>
Reviewed-by: GONG Ruiqi <gongruiqi1(a)huawei.com>
Signed-off-by: Zheng Zengkai <zhengzengkai(a)huawei.com>
---
.../admin-guide/kernel-parameters.txt | 11 ++++
Makefile | 4 ++
arch/Kconfig | 23 ++++++++
include/linux/randomize_kstack.h | 54 +++++++++++++++++++
init/main.c | 23 ++++++++
5 files changed, 115 insertions(+)
create mode 100644 include/linux/randomize_kstack.h
diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt
index 0ec4c66752af..dca5a96e49b2 100644
--- a/Documentation/admin-guide/kernel-parameters.txt
+++ b/Documentation/admin-guide/kernel-parameters.txt
@@ -4258,6 +4258,17 @@
fully seed the kernel's CRNG. Default is controlled
by CONFIG_RANDOM_TRUST_BOOTLOADER.
+ randomize_kstack_offset=
+ [KNL] Enable or disable kernel stack offset
+ randomization, which provides roughly 5 bits of
+ entropy, frustrating memory corruption attacks
+ that depend on stack address determinism or
+ cross-syscall address exposures. This is only
+ available on architectures that have defined
+ CONFIG_HAVE_ARCH_RANDOMIZE_KSTACK_OFFSET.
+ Format: <bool> (1/Y/y=enable, 0/N/n=disable)
+ Default is CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT.
+
ras=option[,option,...] [KNL] RAS-specific options
cec_disable [X86]
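Review bot: The new randomize_kstack_offset= entry states "roughly 5 bits of entropy" as a fixed figure, but include/linux/randomize_kstack.h in this same patch only caps the offset at 10 bits and leaves the effective width to per-arch offset masks and stack alignment. Suggest describing the amount as architecture-dependent, so administrators do not rely on a number the generic code does not guarantee.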
diff --git a/Makefile b/Makefile
index 6fa75aa5836d..df7e3d33a9e1 100644
--- a/Makefile
+++ b/Makefile
@@ -825,6 +825,10 @@ KBUILD_CFLAGS += -ftrivial-auto-var-init=zero
KBUILD_CFLAGS += -enable-trivial-auto-var-init-zero-knowing-it-will-be-removed-from-clang
endif
+# While VLAs have been removed, GCC produces unreachable stack probes
+# for the randomize_kstack_offset feature. Disable it for all compilers.
+KBUILD_CFLAGS += $(call cc-option, -fno-stack-clash-protection)
+
DEBUG_CFLAGS :=
# Workaround for GCC versions < 5.0
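Review bot: The added KBUILD_CFLAGS line turns off -fstack-clash-protection for the whole kernel build, including configurations where HAVE_ARCH_RANDOMIZE_KSTACK_OFFSET is never selected, and the comment gives only the reason (unreachable stack probes from GCC), not the scope. Either state in the comment that the flag is deliberately global, or gate it on the architecture symbol so unaffected configurations keep whatever their toolchain enables by default.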
diff --git a/arch/Kconfig b/arch/Kconfig
index 7800502d9b6e..97fc1bdcdc8d 100644
--- a/arch/Kconfig
+++ b/arch/Kconfig
@@ -989,6 +989,29 @@ config VMAP_STACK
virtual mappings with real shadow memory, and KASAN_VMALLOC must
be enabled.
+config HAVE_ARCH_RANDOMIZE_KSTACK_OFFSET
+ def_bool n
+ help
+ An arch should select this symbol if it can support kernel stack
+ offset randomization with calls to add_random_kstack_offset()
+ during syscall entry and choose_random_kstack_offset() during
+ syscall exit. Careful removal of -fstack-protector-strong and
+ -fstack-protector should also be applied to the entry code and
+ closely examined, as the artificial stack bump looks like an array
+ to the compiler, so it will attempt to add canary checks regardless
+ of the static branch state.
+
+config RANDOMIZE_KSTACK_OFFSET_DEFAULT
+ bool "Randomize kernel stack offset on syscall entry"
+ depends on HAVE_ARCH_RANDOMIZE_KSTACK_OFFSET
+ help
+ The kernel stack offset can be randomized (after pt_regs) by
+ roughly 5 bits of entropy, frustrating memory corruption
+ attacks that depend on stack address determinism or
+ cross-syscall address exposures. This feature is controlled
+ by kernel boot param "randomize_kstack_offset=on/off", and this
+ config chooses the default boot state.
+
config ARCH_OPTIONAL_KERNEL_RWX
def_bool n
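Review bot: The RANDOMIZE_KSTACK_OFFSET_DEFAULT help text names the boot parameter as "randomize_kstack_offset=on/off", while the kernel-parameters.txt hunk documents the format as <bool> (1/Y/y=enable, 0/N/n=disable). The handler in init/main.c parses the value with kstrtobool(), so both texts should describe the same accepted spellings; pick one form and use it in both places. Separately, the option has no default line, so it is off unless a config sets it, which is worth saying in the help text of a hardening feature.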
diff --git a/include/linux/randomize_kstack.h b/include/linux/randomize_kstack.h
new file mode 100644
index 000000000000..fd80fab663a9
--- /dev/null
+++ b/include/linux/randomize_kstack.h
@@ -0,0 +1,54 @@
+/* SPDX-License-Identifier: GPL-2.0-only */
+#ifndef _LINUX_RANDOMIZE_KSTACK_H
+#define _LINUX_RANDOMIZE_KSTACK_H
+
+#include <linux/kernel.h>
+#include <linux/jump_label.h>
+#include <linux/percpu-defs.h>
+
+DECLARE_STATIC_KEY_MAYBE(CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT,
+ randomize_kstack_offset);
+DECLARE_PER_CPU(u32, kstack_offset);
+
+/*
+ * Do not use this anywhere else in the kernel. This is used here because
+ * it provides an arch-agnostic way to grow the stack with correct
+ * alignment. Also, since this use is being explicitly masked to a max of
+ * 10 bits, stack-clash style attacks are unlikely. For more details see
+ * "VLAs" in Documentation/process/deprecated.rst
+ */
+void *__builtin_alloca(size_t size);
+/*
+ * Use, at most, 10 bits of entropy. We explicitly cap this to keep the
+ * "VLA" from being unbounded (see above). 10 bits leaves enough room for
+ * per-arch offset masks to reduce entropy (by removing higher bits, since
+ * high entropy may overly constrain usable stack space), and for
+ * compiler/arch-specific stack alignment to remove the lower bits.
+ */
+#define KSTACK_OFFSET_MAX(x) ((x) & 0x3FF)
+
+/*
+ * These macros must be used during syscall entry when interrupts and
+ * preempt are disabled, and after user registers have been stored to
+ * the stack.
+ */
+#define add_random_kstack_offset() do { \
+ if (static_branch_maybe(CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT, \
+ &randomize_kstack_offset)) { \
+ u32 offset = raw_cpu_read(kstack_offset); \
+ u8 *ptr = __builtin_alloca(KSTACK_OFFSET_MAX(offset)); \
+ /* Keep allocation even after "ptr" loses scope. */ \
+ asm volatile("" : "=o"(*ptr) :: "memory"); \
+ } \
+} while (0)
+
+#define choose_random_kstack_offset(rand) do { \
+ if (static_branch_maybe(CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT, \
+ &randomize_kstack_offset)) { \
+ u32 offset = raw_cpu_read(kstack_offset); \
+ offset ^= (rand); \
+ raw_cpu_write(kstack_offset, offset); \
+ } \
+} while (0)
+
+#endif
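Review bot: The comment above add_random_kstack_offset() says "these macros" must be used during syscall entry with interrupts and preemption disabled, but the Kconfig help in this patch says choose_random_kstack_offset() runs during syscall exit. choose_random_kstack_offset() does an unlocked read-modify-write of the per-CPU kstack_offset through raw_cpu_read()/raw_cpu_write(), which do no preemption handling of their own, so the comment should state the calling-context requirement for each macro separately. A blank line between the __builtin_alloca() declaration and the comment block that follows it would also help readability.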
diff --git a/init/main.c b/init/main.c
index 7f4e8a8964b1..e1d179fa1f4a 100644
--- a/init/main.c
+++ b/init/main.c
@@ -846,6 +846,29 @@ static void __init mm_init(void)
pti_init();
}
+#ifdef CONFIG_HAVE_ARCH_RANDOMIZE_KSTACK_OFFSET
+DEFINE_STATIC_KEY_MAYBE_RO(CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT,
+ randomize_kstack_offset);
+DEFINE_PER_CPU(u32, kstack_offset);
+
+static int __init early_randomize_kstack_offset(char *buf)
+{
+ int ret;
+ bool bool_result;
+
+ ret = kstrtobool(buf, &bool_result);
+ if (ret)
+ return ret;
+
+ if (bool_result)
+ static_branch_enable(&randomize_kstack_offset);
+ else
+ static_branch_disable(&randomize_kstack_offset);
+ return 0;
+}
+early_param("randomize_kstack_offset", early_randomize_kstack_offset);
+#endif
+
void __init __weak arch_call_rest_init(void)
{
rest_init();
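Review bot: The definitions of randomize_kstack_offset and kstack_offset are added here without an #include of <linux/randomize_kstack.h>; the diffstat shows 23 insertions in init/main.c and all 23 are in this hunk. Without the header, the DECLARE_STATIC_KEY_MAYBE()/DECLARE_PER_CPU() declarations are not visible at the point of definition, so a mismatch between declaration and definition would go unnoticed and tools such as sparse report the symbols as not declared. Suggest adding the include alongside the other linux/ headers in this file.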
--
2.20.1

[PATCH OLK-5.10 v2 001/308] cifsd: add server handler for central processing and tranport layers
by Zhong Jinghua 15 Nov '22
From: Jason Yan <yanaijie(a)huawei.com>
From: Namjae Jeon <namjae.jeon(a)samsung.com>
mainline inclusion
from mainline-5.15-rc1
commit 0626e6641f6b467447c81dd7678a69c66f7746cf
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G
CVE: NA
Reference: https://git.kernel.org/torvalds/linux/c/0626e6641f6b
-------------------------------
This adds server handler for central processing,
transport layers(tcp, rdma, ipc) and a document describing cifsd
architecture.
Signed-off-by: Namjae Jeon <namjae.jeon(a)samsung.com>
Signed-off-by: Sergey Senozhatsky <sergey.senozhatsky(a)gmail.com>
Signed-off-by: Hyunchul Lee <hyc.lee(a)gmail.com>
Acked-by: Ronnie Sahlberg <lsahlber(a)redhat.com>
Signed-off-by: Steve French <stfrench(a)microsoft.com>
Signed-off-by: Jason Yan <yanaijie(a)huawei.com>
---
Documentation/filesystems/cifs/cifsd.rst | 136 ++
fs/cifsd/connection.c | 416 +++++
fs/cifsd/connection.h | 212 +++
fs/cifsd/glob.h | 67 +
fs/cifsd/ksmbd_server.h | 285 +++
fs/cifsd/ksmbd_work.c | 93 +
fs/cifsd/ksmbd_work.h | 124 ++
fs/cifsd/server.c | 635 +++++++
fs/cifsd/server.h | 62 +
fs/cifsd/transport_ipc.c | 900 ++++++++++
fs/cifsd/transport_ipc.h | 63 +
fs/cifsd/transport_rdma.c | 2050 ++++++++++++++++++++++
fs/cifsd/transport_rdma.h | 61 +
fs/cifsd/transport_tcp.c | 624 +++++++
fs/cifsd/transport_tcp.h | 13 +
15 files changed, 5741 insertions(+)
create mode 100644 Documentation/filesystems/cifs/cifsd.rst
create mode 100644 fs/cifsd/connection.c
create mode 100644 fs/cifsd/connection.h
create mode 100644 fs/cifsd/glob.h
create mode 100644 fs/cifsd/ksmbd_server.h
create mode 100644 fs/cifsd/ksmbd_work.c
create mode 100644 fs/cifsd/ksmbd_work.h
create mode 100644 fs/cifsd/server.c
create mode 100644 fs/cifsd/server.h
create mode 100644 fs/cifsd/transport_ipc.c
create mode 100644 fs/cifsd/transport_ipc.h
create mode 100644 fs/cifsd/transport_rdma.c
create mode 100644 fs/cifsd/transport_rdma.h
create mode 100644 fs/cifsd/transport_tcp.c
create mode 100644 fs/cifsd/transport_tcp.h
diff --git a/Documentation/filesystems/cifs/cifsd.rst b/Documentation/filesystems/cifs/cifsd.rst
new file mode 100644
index 000000000000..e0c33d03f290
--- /dev/null
+++ b/Documentation/filesystems/cifs/cifsd.rst
@@ -0,0 +1,136 @@
+.. SPDX-License-Identifier: GPL-2.0
+
+=========================
+CIFSD - SMB3 Kernel Server
+=========================
+
+CIFSD is a linux kernel server which implements SMB3 protocol in kernel space
+for sharing files over network.
+
+CIFSD architecture
+==================
+
+The subset of performance related operations belong in kernelspace and
+the other subset which belong to operations which are not really related with
+performance in userspace. So, DCE/RPC management that has historically resulted
+into number of buffer overflow issues and dangerous security bugs and user
+account management are implemented in user space as ksmbd.mountd.
+File operations that are related with performance (open/read/write/close etc.)
+in kernel space (ksmbd). This also allows for easier integration with VFS
+interface for all file operations.
+
+ksmbd (kernel daemon)
+---------------------
+
+When the server daemon is started, It starts up a forker thread
+(ksmbd/interface name) at initialization time and open a dedicated port 445
+for listening to SMB requests. Whenever new clients make request, Forker
+thread will accept the client connection and fork a new thread for dedicated
+communication channel between the client and the server. It allows for parallel
+processing of SMB requests(commands) from clients as well as allowing for new
+clients to make new connections. Each instance is named ksmbd/1~n(port number)
+to indicate connected clients. Depending on the SMB request types, each new
+thread can decide to pass through the commands to the user space (ksmbd.mountd),
+currently DCE/RPC commands are identified to be handled through the user space.
+To further utilize the linux kernel, it has been chosen to process the commands
+as workitems and to be executed in the handlers of the ksmbd-io kworker threads.
+It allows for multiplexing of the handlers as the kernel take care of initiating
+extra worker threads if the load is increased and vice versa, if the load is
+decreased it destroys the extra worker threads. So, after connection is
+established with client. Dedicated ksmbd/1..n(port number) takes complete
+ownership of receiving/parsing of SMB commands. Each received command is worked
+in parallel i.e., There can be multiple clients commands which are worked in
+parallel. After receiving each command a separated kernel workitem is prepared
+for each command which is further queued to be handled by ksmbd-io kworkers.
+So, each SMB workitem is queued to the kworkers. This allows the benefit of load
+sharing to be managed optimally by the default kernel and optimizing client
+performance by handling client commands in parallel.
+
+ksmbd.mountd (user space daemon)
+--------------------------------
+
+ksmbd.mountd is userspace process to, transfer user account and password that
+are registered using ksmbd.adduser(part of utils for user space). Further it
+allows sharing information parameters that parsed from smb.conf to ksmbd in
+kernel. For the execution part it has a daemon which is continuously running
+and connected to the kernel interface using netlink socket, it waits for the
+requests(dcerpc and share/user info). It handles RPC calls (at a minimum few
+dozen) that are most important for file server from NetShareEnum and
+NetServerGetInfo. Complete DCE/RPC response is prepared from the user space
+and passed over to the associated kernel thread for the client.
+
+Key Features
+============
+
+The supported features are:
+ * SMB3 protocols for basic file sharing
+ * Auto negotiation
+ * Compound requests
+ * Oplock/Lease
+ * Large MTU
+ * NTLM/NTLMv2
+ * HMAC-SHA256 Signing
+ * Secure negotiate
+ * Signing Update
+ * Pre-authentication integrity(SMB 3.1.1)
+ * SMB3 encryption(CCM, GCM)
+ * SMB direct(RDMA)
+ * SMB3.1.1 POSIX extension support
+ * ACLs
+ * Kerberos
+
+The features that are planned or not supported:
+ * SMB3 Multi-channel
+ * Durable handle v1,v2
+ * Persistent handles
+ * Directory lease
+ * SMB2 notify
+
+How to run
+==========
+
+1. Download ksmbd-tools and compile them.
+ - https://github.com/cifsd-team/ksmbd-tools
+
+2. Create user/password for SMB share.
+
+ # mkdir /etc/ksmbd/
+ # ksmbd.adduser -a <Enter USERNAME for SMB share access>
+
+3. Create /etc/ksmbd/smb.conf file, add SMB share in smb.conf file
+ - Refer smb.conf.example and Documentation/configuration.txt
+ in ksmbd-tools
+
+4. Insert ksmbd.ko module
+
+ # insmod ksmbd.ko
+
+5. Start ksmbd user space daemon
+ # ksmbd.mountd
+
+6. Access share from Windows or Linux using CIFS
+
+Shutdown CIFSD
+==============
+
+1. kill user and kernel space daemon
+ # sudo ksmbd.control -s
+
+How to turn debug print on
+==========================
+
+Each layer
+/sys/class/ksmbd-control/debug
+
+1. Enable all component prints
+ # sudo ksmbd.control -d "all"
+
+2. Enable one of components(smb, auth, vfs, oplock, ipc, conn, rdma)
+ # sudo ksmbd.control -d "smb"
+
+3. Show what prints are enable.
+ # cat/sys/class/ksmbd-control/debug
+ [smb] auth vfs oplock ipc conn [rdma]
+
+4. Disable prints:
+ If you try the selected component once more, It is disabled without brackets.
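Review bot: The title overline and underline are one character shorter than the title text "CIFSD - SMB3 Kernel Server", which makes Sphinx warn that the title overline is too short; extend both rows of "=" to at least the title length. The shell commands under "How to run", "Shutdown CIFSD" and the debug section are indented body text rather than literal blocks (introduce them with "::"), and "# cat/sys/class/ksmbd-control/debug" is missing the space after cat.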
diff --git a/fs/cifsd/connection.c b/fs/cifsd/connection.c
new file mode 100644
index 000000000000..d27553dee2ad
--- /dev/null
+++ b/fs/cifsd/connection.c
@@ -0,0 +1,416 @@
+// SPDX-License-Identifier: GPL-2.0-or-later
+/*
+ * Copyright (C) 2016 Namjae Jeon <namjae.jeon(a)protocolfreedom.org>
+ * Copyright (C) 2018 Samsung Electronics Co., Ltd.
+ */
+
+#include <linux/mutex.h>
+#include <linux/freezer.h>
+#include <linux/module.h>
+
+#include "server.h"
+#include "buffer_pool.h"
+#include "smb_common.h"
+#include "mgmt/ksmbd_ida.h"
+#include "connection.h"
+#include "transport_tcp.h"
+#include "transport_rdma.h"
+
+static DEFINE_MUTEX(init_lock);
+
+static struct ksmbd_conn_ops default_conn_ops;
+
+static LIST_HEAD(conn_list);
+static DEFINE_RWLOCK(conn_list_lock);
+
+/**
+ * ksmbd_conn_free() - free resources of the connection instance
+ *
+ * @conn: connection instance to be cleand up
+ *
+ * During the thread termination, the corresponding conn instance
+ * resources(sock/memory) are released and finally the conn object is freed.
+ */
+void ksmbd_conn_free(struct ksmbd_conn *conn)
+{
+ write_lock(&conn_list_lock);
+ list_del(&conn->conns_list);
+ write_unlock(&conn_list_lock);
+
+ ksmbd_free_request(conn->request_buf);
+ ksmbd_ida_free(conn->async_ida);
+ kfree(conn->preauth_info);
+ kfree(conn);
+}
+
+/**
+ * ksmbd_conn_alloc() - initialize a new connection instance
+ *
+ * Return: ksmbd_conn struct on success, otherwise NULL
+ */
+struct ksmbd_conn *ksmbd_conn_alloc(void)
+{
+ struct ksmbd_conn *conn;
+
+ conn = kzalloc(sizeof(struct ksmbd_conn), GFP_KERNEL);
+ if (!conn)
+ return NULL;
+
+ conn->need_neg = true;
+ conn->status = KSMBD_SESS_NEW;
+ conn->local_nls = load_nls("utf8");
+ if (!conn->local_nls)
+ conn->local_nls = load_nls_default();
+ atomic_set(&conn->req_running, 0);
+ atomic_set(&conn->r_count, 0);
+ init_waitqueue_head(&conn->req_running_q);
+ INIT_LIST_HEAD(&conn->conns_list);
+ INIT_LIST_HEAD(&conn->sessions);
+ INIT_LIST_HEAD(&conn->requests);
+ INIT_LIST_HEAD(&conn->async_requests);
+ spin_lock_init(&conn->request_lock);
+ spin_lock_init(&conn->credits_lock);
+ conn->async_ida = ksmbd_ida_alloc();
+
+ write_lock(&conn_list_lock);
+ list_add(&conn->conns_list, &conn_list);
+ write_unlock(&conn_list_lock);
+ return conn;
+}
+
+bool ksmbd_conn_lookup_dialect(struct ksmbd_conn *c)
+{
+ struct ksmbd_conn *t;
+ bool ret = false;
+
+ read_lock(&conn_list_lock);
+ list_for_each_entry(t, &conn_list, conns_list) {
+ if (memcmp(t->ClientGUID, c->ClientGUID, SMB2_CLIENT_GUID_SIZE))
+ continue;
+
+ ret = true;
+ break;
+ }
+ read_unlock(&conn_list_lock);
+ return ret;
+}
+
+void ksmbd_conn_enqueue_request(struct ksmbd_work *work)
+{
+ struct ksmbd_conn *conn = work->conn;
+ struct list_head *requests_queue = NULL;
+
+ if (conn->ops->get_cmd_val(work) != SMB2_CANCEL_HE) {
+ requests_queue = &conn->requests;
+ work->syncronous = true;
+ }
+
+ if (requests_queue) {
+ atomic_inc(&conn->req_running);
+ spin_lock(&conn->request_lock);
+ list_add_tail(&work->request_entry, requests_queue);
+ spin_unlock(&conn->request_lock);
+ }
+}
+
+int ksmbd_conn_try_dequeue_request(struct ksmbd_work *work)
+{
+ struct ksmbd_conn *conn = work->conn;
+ int ret = 1;
+
+ if (list_empty(&work->request_entry) &&
+ list_empty(&work->async_request_entry))
+ return 0;
+
+ atomic_dec(&conn->req_running);
+ spin_lock(&conn->request_lock);
+ if (!work->multiRsp) {
+ list_del_init(&work->request_entry);
+ if (work->syncronous == false)
+ list_del_init(&work->async_request_entry);
+ ret = 0;
+ }
+ spin_unlock(&conn->request_lock);
+
+ wake_up_all(&conn->req_running_q);
+ return ret;
+}
+
+static void ksmbd_conn_lock(struct ksmbd_conn *conn)
+{
+ mutex_lock(&conn->srv_mutex);
+}
+
+static void ksmbd_conn_unlock(struct ksmbd_conn *conn)
+{
+ mutex_unlock(&conn->srv_mutex);
+}
+
+void ksmbd_conn_wait_idle(struct ksmbd_conn *conn)
+{
+ wait_event(conn->req_running_q, atomic_read(&conn->req_running) < 2);
+}
+
+int ksmbd_conn_write(struct ksmbd_work *work)
+{
+ struct ksmbd_conn *conn = work->conn;
+ struct smb_hdr *rsp_hdr = RESPONSE_BUF(work);
+ size_t len = 0;
+ int sent;
+ struct kvec iov[3];
+ int iov_idx = 0;
+
+ ksmbd_conn_try_dequeue_request(work);
+ if (!rsp_hdr) {
+ ksmbd_err("NULL response header\n");
+ return -EINVAL;
+ }
+
+ if (HAS_TRANSFORM_BUF(work)) {
+ iov[iov_idx] = (struct kvec) { work->tr_buf,
+ sizeof(struct smb2_transform_hdr) };
+ len += iov[iov_idx++].iov_len;
+ }
+
+ if (HAS_AUX_PAYLOAD(work)) {
+ iov[iov_idx] = (struct kvec) { rsp_hdr, RESP_HDR_SIZE(work) };
+ len += iov[iov_idx++].iov_len;
+ iov[iov_idx] = (struct kvec) { AUX_PAYLOAD(work),
+ AUX_PAYLOAD_SIZE(work) };
+ len += iov[iov_idx++].iov_len;
+ } else {
+ if (HAS_TRANSFORM_BUF(work))
+ iov[iov_idx].iov_len = RESP_HDR_SIZE(work);
+ else
+ iov[iov_idx].iov_len = get_rfc1002_len(rsp_hdr) + 4;
+ iov[iov_idx].iov_base = rsp_hdr;
+ len += iov[iov_idx++].iov_len;
+ }
+
+ ksmbd_conn_lock(conn);
+ sent = conn->transport->ops->writev(conn->transport, &iov[0],
+ iov_idx, len,
+ work->need_invalidate_rkey,
+ work->remote_key);
+ ksmbd_conn_unlock(conn);
+
+ if (sent < 0) {
+ ksmbd_err("Failed to send message: %d\n", sent);
+ return sent;
+ }
+
+ return 0;
+}
+
+int ksmbd_conn_rdma_read(struct ksmbd_conn *conn,
+ void *buf, unsigned int buflen,
+ u32 remote_key, u64 remote_offset,
+ u32 remote_len)
+{
+ int ret = -EINVAL;
+
+ if (conn->transport->ops->rdma_read)
+ ret = conn->transport->ops->rdma_read(conn->transport,
+ buf, buflen,
+ remote_key, remote_offset,
+ remote_len);
+ return ret;
+}
+
+int ksmbd_conn_rdma_write(struct ksmbd_conn *conn,
+ void *buf, unsigned int buflen,
+ u32 remote_key, u64 remote_offset,
+ u32 remote_len)
+{
+ int ret = -EINVAL;
+
+ if (conn->transport->ops->rdma_write)
+ ret = conn->transport->ops->rdma_write(conn->transport,
+ buf, buflen,
+ remote_key, remote_offset,
+ remote_len);
+ return ret;
+}
+
+bool ksmbd_conn_alive(struct ksmbd_conn *conn)
+{
+ if (!ksmbd_server_running())
+ return false;
+
+ if (conn->status == KSMBD_SESS_EXITING)
+ return false;
+
+ if (kthread_should_stop())
+ return false;
+
+ if (atomic_read(&conn->stats.open_files_count) > 0)
+ return true;
+
+ /*
+ * Stop current session if the time that get last request from client
+ * is bigger than deadtime user configured and openning file count is
+ * zero.
+ */
+ if (server_conf.deadtime > 0 &&
+ time_after(jiffies, conn->last_active + server_conf.deadtime)) {
+ ksmbd_debug(CONN, "No response from client in %lu minutes\n",
+ server_conf.deadtime / SMB_ECHO_INTERVAL);
+ return false;
+ }
+ return true;
+}
+
+/**
+ * ksmbd_conn_handler_loop() - session thread to listen on new smb requests
+ * @p: connection instance
+ *
+ * One thread each per connection
+ *
+ * Return: 0 on success
+ */
+int ksmbd_conn_handler_loop(void *p)
+{
+ struct ksmbd_conn *conn = (struct ksmbd_conn *)p;
+ struct ksmbd_transport *t = conn->transport;
+ unsigned int pdu_size;
+ char hdr_buf[4] = {0,};
+ int size;
+
+ mutex_init(&conn->srv_mutex);
+ __module_get(THIS_MODULE);
+
+ if (t->ops->prepare && t->ops->prepare(t))
+ goto out;
+
+ conn->last_active = jiffies;
+ while (ksmbd_conn_alive(conn)) {
+ if (try_to_freeze())
+ continue;
+
+ ksmbd_free_request(conn->request_buf);
+ conn->request_buf = NULL;
+
+ size = t->ops->read(t, hdr_buf, sizeof(hdr_buf));
+ if (size != sizeof(hdr_buf))
+ break;
+
+ pdu_size = get_rfc1002_len(hdr_buf);
+ ksmbd_debug(CONN, "RFC1002 header %u bytes\n", pdu_size);
+
+ /* make sure we have enough to get to SMB header end */
+ if (!ksmbd_pdu_size_has_room(pdu_size)) {
+ ksmbd_debug(CONN, "SMB request too short (%u bytes)\n",
+ pdu_size);
+ continue;
+ }
+
+ /* 4 for rfc1002 length field */
+ size = pdu_size + 4;
+ conn->request_buf = ksmbd_alloc_request(size);
+ if (!conn->request_buf)
+ continue;
+
+ memcpy(conn->request_buf, hdr_buf, sizeof(hdr_buf));
+ if (!ksmbd_smb_request(conn))
+ break;
+
+ /*
+ * We already read 4 bytes to find out PDU size, now
+ * read in PDU
+ */
+ size = t->ops->read(t, conn->request_buf + 4, pdu_size);
+ if (size < 0) {
+ ksmbd_err("sock_read failed: %d\n", size);
+ break;
+ }
+
+ if (size != pdu_size) {
+ ksmbd_err("PDU error. Read: %d, Expected: %d\n",
+ size,
+ pdu_size);
+ continue;
+ }
+
+ if (!default_conn_ops.process_fn) {
+ ksmbd_err("No connection request callback\n");
+ break;
+ }
+
+ if (default_conn_ops.process_fn(conn)) {
+ ksmbd_err("Cannot handle request\n");
+ break;
+ }
+ }
+
+out:
+ /* Wait till all reference dropped to the Server object*/
+ while (atomic_read(&conn->r_count) > 0)
+ schedule_timeout(HZ);
+
+ unload_nls(conn->local_nls);
+ if (default_conn_ops.terminate_fn)
+ default_conn_ops.terminate_fn(conn);
+ t->ops->disconnect(t);
+ module_put(THIS_MODULE);
+ return 0;
+}
+
+void ksmbd_conn_init_server_callbacks(struct ksmbd_conn_ops *ops)
+{
+ default_conn_ops.process_fn = ops->process_fn;
+ default_conn_ops.terminate_fn = ops->terminate_fn;
+}
+
+int ksmbd_conn_transport_init(void)
+{
+ int ret;
+
+ mutex_lock(&init_lock);
+ ret = ksmbd_tcp_init();
+ if (ret) {
+ pr_err("Failed to init TCP subsystem: %d\n", ret);
+ goto out;
+ }
+
+ ret = ksmbd_rdma_init();
+ if (ret) {
+ pr_err("Failed to init KSMBD subsystem: %d\n", ret);
+ goto out;
+ }
+out:
+ mutex_unlock(&init_lock);
+ return ret;
+}
+
+static void stop_sessions(void)
+{
+ struct ksmbd_conn *conn;
+
+again:
+ read_lock(&conn_list_lock);
+ list_for_each_entry(conn, &conn_list, conns_list) {
+ struct task_struct *task;
+
+ task = conn->transport->handler;
+ if (task)
+ ksmbd_debug(CONN, "Stop session handler %s/%d\n",
+ task->comm,
+ task_pid_nr(task));
+ conn->status = KSMBD_SESS_EXITING;
+ }
+ read_unlock(&conn_list_lock);
+
+ if (!list_empty(&conn_list)) {
+ schedule_timeout_interruptible(HZ/10); /* 100ms */
+ goto again;
+ }
+}
+
+void ksmbd_conn_transport_destroy(void)
+{
+ mutex_lock(&init_lock);
+ ksmbd_tcp_destroy();
+ ksmbd_rdma_destroy();
+ stop_sessions();
+ mutex_unlock(&init_lock);
+}
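Review bot: In ksmbd_conn_handler_loop() the length taken from the wire is checked only for a minimum (ksmbd_pdu_size_has_room()) before "size = pdu_size + 4;" is handed to ksmbd_alloc_request(), so the remote peer chooses the allocation size for every request. Add an upper bound on pdu_size before allocating, and make the types consistent: size is int while pdu_size is unsigned int, they are compared with "size != pdu_size", and the "PDU error" message prints pdu_size with %d. Also, the return value of ksmbd_ida_alloc() in ksmbd_conn_alloc() is not checked, and stop_sessions() writes conn->status while holding conn_list_lock only for reading.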
diff --git a/fs/cifsd/connection.h b/fs/cifsd/connection.h
new file mode 100644
index 000000000000..179fb9278999
--- /dev/null
+++ b/fs/cifsd/connection.h
@@ -0,0 +1,212 @@
+/* SPDX-License-Identifier: GPL-2.0-or-later */
+/*
+ * Copyright (C) 2018 Samsung Electronics Co., Ltd.
+ */
+
+#ifndef __KSMBD_CONNECTION_H__
+#define __KSMBD_CONNECTION_H__
+
+#include <linux/list.h>
+#include <linux/ip.h>
+#include <net/sock.h>
+#include <net/tcp.h>
+#include <net/inet_connection_sock.h>
+#include <net/request_sock.h>
+#include <linux/kthread.h>
+#include <linux/nls.h>
+
+#include "smb_common.h"
+#include "ksmbd_work.h"
+
+#define KSMBD_SOCKET_BACKLOG 16
+
+/*
+ * WARNING
+ *
+ * This is nothing but a HACK. Session status should move to channel
+ * or to session. As of now we have 1 tcp_conn : 1 ksmbd_session, but
+ * we need to change it to 1 tcp_conn : N ksmbd_sessions.
+ */
+enum {
+ KSMBD_SESS_NEW = 0,
+ KSMBD_SESS_GOOD,
+ KSMBD_SESS_EXITING,
+ KSMBD_SESS_NEED_RECONNECT,
+ KSMBD_SESS_NEED_NEGOTIATE
+};
+
+struct ksmbd_stats {
+ atomic_t open_files_count;
+ atomic64_t request_served;
+};
+
+struct ksmbd_transport;
+
+struct ksmbd_conn {
+ struct smb_version_values *vals;
+ struct smb_version_ops *ops;
+ struct smb_version_cmds *cmds;
+ unsigned int max_cmds;
+ struct mutex srv_mutex;
+ int status;
+ unsigned int cli_cap;
+ char *request_buf;
+ struct ksmbd_transport *transport;
+ struct nls_table *local_nls;
+ struct list_head conns_list;
+ /* smb session 1 per user */
+ struct list_head sessions;
+ unsigned long last_active;
+ /* How many request are running currently */
+ atomic_t req_running;
+ /* References which are made for this Server object*/
+ atomic_t r_count;
+ unsigned short total_credits;
+ unsigned short max_credits;
+ spinlock_t credits_lock;
+ wait_queue_head_t req_running_q;
+ /* Lock to protect requests list*/
+ spinlock_t request_lock;
+ struct list_head requests;
+ struct list_head async_requests;
+ int connection_type;
+ struct ksmbd_stats stats;
+ char ClientGUID[SMB2_CLIENT_GUID_SIZE];
+ union {
+ /* pending trans request table */
+ struct trans_state *recent_trans;
+ /* Used by ntlmssp */
+ char *ntlmssp_cryptkey;
+ };
+
+ struct preauth_integrity_info *preauth_info;
+
+ bool need_neg;
+ unsigned int auth_mechs;
+ unsigned int preferred_auth_mech;
+ bool sign;
+ bool use_spnego:1;
+ __u16 cli_sec_mode;
+ __u16 srv_sec_mode;
+ /* dialect index that server chose */
+ __u16 dialect;
+
+ char *mechToken;
+
+ struct ksmbd_conn_ops *conn_ops;
+
+ /* Preauth Session Table */
+ struct list_head preauth_sess_table;
+
+ struct sockaddr_storage peer_addr;
+
+ /* Identifier for async message */
+ struct ksmbd_ida *async_ida;
+
+ __le16 cipher_type;
+ __le16 compress_algorithm;
+ bool posix_ext_supported;
+};
+
+struct ksmbd_conn_ops {
+ int (*process_fn)(struct ksmbd_conn *conn);
+ int (*terminate_fn)(struct ksmbd_conn *conn);
+};
+
+struct ksmbd_transport_ops {
+ int (*prepare)(struct ksmbd_transport *t);
+ void (*disconnect)(struct ksmbd_transport *t);
+ int (*read)(struct ksmbd_transport *t,
+ char *buf, unsigned int size);
+ int (*writev)(struct ksmbd_transport *t,
+ struct kvec *iovs, int niov, int size,
+ bool need_invalidate_rkey, unsigned int remote_key);
+ int (*rdma_read)(struct ksmbd_transport *t,
+ void *buf, unsigned int len, u32 remote_key,
+ u64 remote_offset, u32 remote_len);
+ int (*rdma_write)(struct ksmbd_transport *t,
+ void *buf, unsigned int len, u32 remote_key,
+ u64 remote_offset, u32 remote_len);
+};
+
+struct ksmbd_transport {
+ struct ksmbd_conn *conn;
+ struct ksmbd_transport_ops *ops;
+ struct task_struct *handler;
+};
+
+#define KSMBD_TCP_RECV_TIMEOUT (7 * HZ)
+#define KSMBD_TCP_SEND_TIMEOUT (5 * HZ)
+#define KSMBD_TCP_PEER_SOCKADDR(c) ((struct sockaddr *)&((c)->peer_addr))
+
+bool ksmbd_conn_alive(struct ksmbd_conn *conn);
+void ksmbd_conn_wait_idle(struct ksmbd_conn *conn);
+
+struct ksmbd_conn *ksmbd_conn_alloc(void);
+void ksmbd_conn_free(struct ksmbd_conn *conn);
+bool ksmbd_conn_lookup_dialect(struct ksmbd_conn *c);
+int ksmbd_conn_write(struct ksmbd_work *work);
+int ksmbd_conn_rdma_read(struct ksmbd_conn *conn,
+ void *buf, unsigned int buflen,
+ u32 remote_key, u64 remote_offset,
+ u32 remote_len);
+int ksmbd_conn_rdma_write(struct ksmbd_conn *conn,
+ void *buf, unsigned int buflen,
+ u32 remote_key, u64 remote_offset,
+ u32 remote_len);
+
+void ksmbd_conn_enqueue_request(struct ksmbd_work *work);
+int ksmbd_conn_try_dequeue_request(struct ksmbd_work *work);
+void ksmbd_conn_init_server_callbacks(struct ksmbd_conn_ops *ops);
+
+int ksmbd_conn_handler_loop(void *p);
+
+int ksmbd_conn_transport_init(void);
+void ksmbd_conn_transport_destroy(void);
+
+/*
+ * WARNING
+ *
+ * This is a hack. We will move status to a proper place once we land
+ * a multi-sessions support.
+ */
+static inline bool ksmbd_conn_good(struct ksmbd_work *work)
+{
+ return work->conn->status == KSMBD_SESS_GOOD;
+}
+
+static inline bool ksmbd_conn_need_negotiate(struct ksmbd_work *work)
+{
+ return work->conn->status == KSMBD_SESS_NEED_NEGOTIATE;
+}
+
+static inline bool ksmbd_conn_need_reconnect(struct ksmbd_work *work)
+{
+ return work->conn->status == KSMBD_SESS_NEED_RECONNECT;
+}
+
+static inline bool ksmbd_conn_exiting(struct ksmbd_work *work)
+{
+ return work->conn->status == KSMBD_SESS_EXITING;
+}
+
+static inline void ksmbd_conn_set_good(struct ksmbd_work *work)
+{
+ work->conn->status = KSMBD_SESS_GOOD;
+}
+
+static inline void ksmbd_conn_set_need_negotiate(struct ksmbd_work *work)
+{
+ work->conn->status = KSMBD_SESS_NEED_NEGOTIATE;
+}
+
+static inline void ksmbd_conn_set_need_reconnect(struct ksmbd_work *work)
+{
+ work->conn->status = KSMBD_SESS_NEED_RECONNECT;
+}
+
+static inline void ksmbd_conn_set_exiting(struct ksmbd_work *work)
+{
+ work->conn->status = KSMBD_SESS_EXITING;
+}
+#endif /* __CONNECTION_H__ */
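Review bot: conn->status is a plain int that the ksmbd_conn_set_*() helpers store to and the ksmbd_conn_good()/ksmbd_conn_exiting() style predicates load from with no lock and no READ_ONCE()/WRITE_ONCE(), while connection.c in this patch reads it in the per-connection thread and sets it from stop_sessions(). The WARNING comments acknowledge that the field is a hack; at minimum, document which lock or ordering callers are expected to rely on. Nit: the closing "#endif /* __CONNECTION_H__ */" comment does not match the guard name __KSMBD_CONNECTION_H__.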
diff --git a/fs/cifsd/glob.h b/fs/cifsd/glob.h
new file mode 100644
index 000000000000..2dc3f603e837
--- /dev/null
+++ b/fs/cifsd/glob.h
@@ -0,0 +1,67 @@
+/* SPDX-License-Identifier: GPL-2.0-or-later */
+/*
+ * Copyright (C) 2016 Namjae Jeon <linkinjeon(a)kernel.org>
+ * Copyright (C) 2018 Samsung Electronics Co., Ltd.
+ */
+
+#ifndef __KSMBD_GLOB_H
+#define __KSMBD_GLOB_H
+
+#include <linux/ctype.h>
+#include <linux/version.h>
+
+#include "unicode.h"
+#include "vfs_cache.h"
+#include "smberr.h"
+
+#define KSMBD_VERSION "3.1.9"
+
+/* @FIXME clean up this code */
+
+extern int ksmbd_debug_types;
+extern int ksmbd_caseless_search;
+
+#define DATA_STREAM 1
+#define DIR_STREAM 2
+
+#define KSMBD_DEBUG_SMB (1 << 0)
+#define KSMBD_DEBUG_AUTH (1 << 1)
+#define KSMBD_DEBUG_VFS (1 << 2)
+#define KSMBD_DEBUG_OPLOCK (1 << 3)
+#define KSMBD_DEBUG_IPC (1 << 4)
+#define KSMBD_DEBUG_CONN (1 << 5)
+#define KSMBD_DEBUG_RDMA (1 << 6)
+#define KSMBD_DEBUG_ALL (KSMBD_DEBUG_SMB | KSMBD_DEBUG_AUTH | \
+ KSMBD_DEBUG_VFS | KSMBD_DEBUG_OPLOCK | \
+ KSMBD_DEBUG_IPC | KSMBD_DEBUG_CONN | \
+ KSMBD_DEBUG_RDMA)
+
+#ifndef ksmbd_pr_fmt
+#ifdef SUBMOD_NAME
+#define ksmbd_pr_fmt(fmt) "ksmbd: " SUBMOD_NAME ": " fmt
+#else
+#define ksmbd_pr_fmt(fmt) "ksmbd: " fmt
+#endif
+#endif
+
+#define ksmbd_debug(type, fmt, ...) \
+ do { \
+ if (ksmbd_debug_types & KSMBD_DEBUG_##type) \
+ pr_info(ksmbd_pr_fmt("%s:%d: " fmt), \
+ __func__, \
+ __LINE__, \
+ ##__VA_ARGS__); \
+ } while (0)
+
+#define ksmbd_info(fmt, ...) \
+ pr_info(ksmbd_pr_fmt(fmt), ##__VA_ARGS__)
+
+#define ksmbd_err(fmt, ...) \
+ pr_err(ksmbd_pr_fmt("%s:%d: " fmt), \
+ __func__, \
+ __LINE__, \
+ ##__VA_ARGS__)
+
+#define UNICODE_LEN(x) ((x) * 2)
+
+#endif /* __KSMBD_GLOB_H */
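Review bot: ksmbd_err() expands to an unconditional pr_err() with no rate limiting, and connection.c in this patch calls it on paths a remote client can trigger repeatedly (for example the "PDU error" branch of the receive loop), so a misbehaving peer can flood the kernel log. Suggest pr_err_ratelimited() here, or a rate-limited variant for the network-facing call sites. The "@FIXME clean up this code" marker should be resolved or turned into a concrete TODO before merge.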
diff --git a/fs/cifsd/ksmbd_server.h b/fs/cifsd/ksmbd_server.h
new file mode 100644
index 000000000000..01eaf9ec4fde
--- /dev/null
+++ b/fs/cifsd/ksmbd_server.h
@@ -0,0 +1,285 @@
+/* SPDX-License-Identifier: GPL-2.0-or-later */
+/*
+ * Copyright (C) 2018 Samsung Electronics Co., Ltd.
+ *
+ * linux-ksmbd-devel(a)lists.sourceforge.net
+ */
+
+#ifndef _LINUX_KSMBD_SERVER_H
+#define _LINUX_KSMBD_SERVER_H
+
+#include <linux/types.h>
+
+#define KSMBD_GENL_NAME "SMBD_GENL"
+#define KSMBD_GENL_VERSION 0x01
+
+#ifndef ____ksmbd_align
+#define ____ksmbd_align __aligned(4)
+#endif
+
+#define KSMBD_REQ_MAX_ACCOUNT_NAME_SZ 48
+#define KSMBD_REQ_MAX_HASH_SZ 18
+#define KSMBD_REQ_MAX_SHARE_NAME 64
+
+struct ksmbd_heartbeat {
+ __u32 handle;
+};
+
+/*
+ * Global config flags.
+ */
+#define KSMBD_GLOBAL_FLAG_INVALID (0)
+#define KSMBD_GLOBAL_FLAG_SMB2_LEASES (1 << 0)
+#define KSMBD_GLOBAL_FLAG_CACHE_TBUF (1 << 1)
+#define KSMBD_GLOBAL_FLAG_CACHE_RBUF (1 << 2)
+#define KSMBD_GLOBAL_FLAG_SMB2_ENCRYPTION (1 << 3)
+#define KSMBD_GLOBAL_FLAG_DURABLE_HANDLE (1 << 4)
+
+struct ksmbd_startup_request {
+ __u32 flags;
+ __s32 signing;
+ __s8 min_prot[16];
+ __s8 max_prot[16];
+ __s8 netbios_name[16];
+ __s8 work_group[64];
+ __s8 server_string[64];
+ __u16 tcp_port;
+ __u16 ipc_timeout;
+ __u32 deadtime;
+ __u32 file_max;
+ __u32 smb2_max_write;
+ __u32 smb2_max_read;
+ __u32 smb2_max_trans;
+ __u32 share_fake_fscaps;
+ __u32 sub_auth[3];
+ __u32 ifc_list_sz;
+ __s8 ____payload[0];
+} ____ksmbd_align;
+
+#define KSMBD_STARTUP_CONFIG_INTERFACES(s) ((s)->____payload)
+
+struct ksmbd_shutdown_request {
+ __s32 reserved;
+} ____ksmbd_align;
+
+struct ksmbd_login_request {
+ __u32 handle;
+ __s8 account[KSMBD_REQ_MAX_ACCOUNT_NAME_SZ];
+} ____ksmbd_align;
+
+struct ksmbd_login_response {
+ __u32 handle;
+ __u32 gid;
+ __u32 uid;
+ __s8 account[KSMBD_REQ_MAX_ACCOUNT_NAME_SZ];
+ __u16 status;
+ __u16 hash_sz;
+ __s8 hash[KSMBD_REQ_MAX_HASH_SZ];
+} ____ksmbd_align;
+
+struct ksmbd_share_config_request {
+ __u32 handle;
+ __s8 share_name[KSMBD_REQ_MAX_SHARE_NAME];
+} ____ksmbd_align;
+
+struct ksmbd_share_config_response {
+ __u32 handle;
+ __u32 flags;
+ __u16 create_mask;
+ __u16 directory_mask;
+ __u16 force_create_mode;
+ __u16 force_directory_mode;
+ __u16 force_uid;
+ __u16 force_gid;
+ __u32 veto_list_sz;
+ __s8 ____payload[0];
+} ____ksmbd_align;
+
+#define KSMBD_SHARE_CONFIG_VETO_LIST(s) ((s)->____payload)
+#define KSMBD_SHARE_CONFIG_PATH(s) \
+ ({ \
+ char *p = (s)->____payload; \
+ if ((s)->veto_list_sz) \
+ p += (s)->veto_list_sz + 1; \
+ p; \
+ })
+
+struct ksmbd_tree_connect_request {
+ __u32 handle;
+ __u16 account_flags;
+ __u16 flags;
+ __u64 session_id;
+ __u64 connect_id;
+ __s8 account[KSMBD_REQ_MAX_ACCOUNT_NAME_SZ];
+ __s8 share[KSMBD_REQ_MAX_SHARE_NAME];
+ __s8 peer_addr[64];
+} ____ksmbd_align;
+
+struct ksmbd_tree_connect_response {
+ __u32 handle;
+ __u16 status;
+ __u16 connection_flags;
+} ____ksmbd_align;
+
+struct ksmbd_tree_disconnect_request {
+ __u64 session_id;
+ __u64 connect_id;
+} ____ksmbd_align;
+
+struct ksmbd_logout_request {
+ __s8 account[KSMBD_REQ_MAX_ACCOUNT_NAME_SZ];
+} ____ksmbd_align;
+
+struct ksmbd_rpc_command {
+ __u32 handle;
+ __u32 flags;
+ __u32 payload_sz;
+ __u8 payload[0];
+} ____ksmbd_align;
+
+struct ksmbd_spnego_authen_request {
+ __u32 handle;
+ __u16 spnego_blob_len;
+ __u8 spnego_blob[0];
+} ____ksmbd_align;
+
+struct ksmbd_spnego_authen_response {
+ __u32 handle;
+ struct ksmbd_login_response login_response;
+ __u16 session_key_len;
+ __u16 spnego_blob_len;
+ __u8 payload[0]; /* session key + AP_REP */
+} ____ksmbd_align;
+
+/*
+ * This also used as NETLINK attribute type value.
+ *
+ * NOTE:
+ * Response message type value should be equal to
+ * request message type value + 1.
+ */
+enum ksmbd_event {
+ KSMBD_EVENT_UNSPEC = 0,
+ KSMBD_EVENT_HEARTBEAT_REQUEST,
+
+ KSMBD_EVENT_STARTING_UP,
+ KSMBD_EVENT_SHUTTING_DOWN,
+
+ KSMBD_EVENT_LOGIN_REQUEST,
+ KSMBD_EVENT_LOGIN_RESPONSE = 5,
+
+ KSMBD_EVENT_SHARE_CONFIG_REQUEST,
+ KSMBD_EVENT_SHARE_CONFIG_RESPONSE,
+
+ KSMBD_EVENT_TREE_CONNECT_REQUEST,
+ KSMBD_EVENT_TREE_CONNECT_RESPONSE,
+
+ KSMBD_EVENT_TREE_DISCONNECT_REQUEST = 10,
+
+ KSMBD_EVENT_LOGOUT_REQUEST,
+
+ KSMBD_EVENT_RPC_REQUEST,
+ KSMBD_EVENT_RPC_RESPONSE,
+
+ KSMBD_EVENT_SPNEGO_AUTHEN_REQUEST,
+ KSMBD_EVENT_SPNEGO_AUTHEN_RESPONSE = 15,
+
+ KSMBD_EVENT_MAX
+};
+
+enum KSMBD_TREE_CONN_STATUS {
+ KSMBD_TREE_CONN_STATUS_OK = 0,
+ KSMBD_TREE_CONN_STATUS_NOMEM,
+ KSMBD_TREE_CONN_STATUS_NO_SHARE,
+ KSMBD_TREE_CONN_STATUS_NO_USER,
+ KSMBD_TREE_CONN_STATUS_INVALID_USER,
+ KSMBD_TREE_CONN_STATUS_HOST_DENIED = 5,
+ KSMBD_TREE_CONN_STATUS_CONN_EXIST,
+ KSMBD_TREE_CONN_STATUS_TOO_MANY_CONNS,
+ KSMBD_TREE_CONN_STATUS_TOO_MANY_SESSIONS,
+ KSMBD_TREE_CONN_STATUS_ERROR,
+};
+
+/*
+ * User config flags.
+ */
+#define KSMBD_USER_FLAG_INVALID (0)
+#define KSMBD_USER_FLAG_OK (1 << 0)
+#define KSMBD_USER_FLAG_BAD_PASSWORD (1 << 1)
+#define KSMBD_USER_FLAG_BAD_UID (1 << 2)
+#define KSMBD_USER_FLAG_BAD_USER (1 << 3)
+#define KSMBD_USER_FLAG_GUEST_ACCOUNT (1 << 4)
+
+/*
+ * Share config flags.
+ */
+#define KSMBD_SHARE_FLAG_INVALID (0)
+#define KSMBD_SHARE_FLAG_AVAILABLE (1 << 0)
+#define KSMBD_SHARE_FLAG_BROWSEABLE (1 << 1)
+#define KSMBD_SHARE_FLAG_WRITEABLE (1 << 2)
+#define KSMBD_SHARE_FLAG_READONLY (1 << 3)
+#define KSMBD_SHARE_FLAG_GUEST_OK (1 << 4)
+#define KSMBD_SHARE_FLAG_GUEST_ONLY (1 << 5)
+#define KSMBD_SHARE_FLAG_STORE_DOS_ATTRS (1 << 6)
+#define KSMBD_SHARE_FLAG_OPLOCKS (1 << 7)
+#define KSMBD_SHARE_FLAG_PIPE (1 << 8)
+#define KSMBD_SHARE_FLAG_HIDE_DOT_FILES (1 << 9)
+#define KSMBD_SHARE_FLAG_INHERIT_SMACK (1 << 10)
+#define KSMBD_SHARE_FLAG_INHERIT_OWNER (1 << 11)
+#define KSMBD_SHARE_FLAG_STREAMS (1 << 12)
+#define KSMBD_SHARE_FLAG_FOLLOW_SYMLINKS (1 << 13)
+#define KSMBD_SHARE_FLAG_ACL_XATTR (1 << 14)
+
+/*
+ * Tree connect request flags.
+ */
+#define KSMBD_TREE_CONN_FLAG_REQUEST_SMB1 (0)
+#define KSMBD_TREE_CONN_FLAG_REQUEST_IPV6 (1 << 0)
+#define KSMBD_TREE_CONN_FLAG_REQUEST_SMB2 (1 << 1)
+
+/*
+ * Tree connect flags.
+ */
+#define KSMBD_TREE_CONN_FLAG_GUEST_ACCOUNT (1 << 0)
+#define KSMBD_TREE_CONN_FLAG_READ_ONLY (1 << 1)
+#define KSMBD_TREE_CONN_FLAG_WRITABLE (1 << 2)
+#define KSMBD_TREE_CONN_FLAG_ADMIN_ACCOUNT (1 << 3)
+
+/*
+ * RPC over IPC.
+ */
+#define KSMBD_RPC_METHOD_RETURN (1 << 0)
+#define KSMBD_RPC_SRVSVC_METHOD_INVOKE (1 << 1)
+#define KSMBD_RPC_SRVSVC_METHOD_RETURN ((1 << 1) | KSMBD_RPC_METHOD_RETURN)
+#define KSMBD_RPC_WKSSVC_METHOD_INVOKE (1 << 2)
+#define KSMBD_RPC_WKSSVC_METHOD_RETURN ((1 << 2) | KSMBD_RPC_METHOD_RETURN)
+#define KSMBD_RPC_IOCTL_METHOD ((1 << 3) | KSMBD_RPC_METHOD_RETURN)
+#define KSMBD_RPC_OPEN_METHOD (1 << 4)
+#define KSMBD_RPC_WRITE_METHOD (1 << 5)
+#define KSMBD_RPC_READ_METHOD ((1 << 6) | KSMBD_RPC_METHOD_RETURN)
+#define KSMBD_RPC_CLOSE_METHOD (1 << 7)
+#define KSMBD_RPC_RAP_METHOD ((1 << 8) | KSMBD_RPC_METHOD_RETURN)
+#define KSMBD_RPC_RESTRICTED_CONTEXT (1 << 9)
+#define KSMBD_RPC_SAMR_METHOD_INVOKE (1 << 10)
+#define KSMBD_RPC_SAMR_METHOD_RETURN ((1 << 10) | KSMBD_RPC_METHOD_RETURN)
+#define KSMBD_RPC_LSARPC_METHOD_INVOKE (1 << 11)
+#define KSMBD_RPC_LSARPC_METHOD_RETURN ((1 << 11) | KSMBD_RPC_METHOD_RETURN)
+
+#define KSMBD_RPC_OK 0
+#define KSMBD_RPC_EBAD_FUNC 0x00000001
+#define KSMBD_RPC_EACCESS_DENIED 0x00000005
+#define KSMBD_RPC_EBAD_FID 0x00000006
+#define KSMBD_RPC_ENOMEM 0x00000008
+#define KSMBD_RPC_EBAD_DATA 0x0000000D
+#define KSMBD_RPC_ENOTIMPLEMENTED 0x00000040
+#define KSMBD_RPC_EINVALID_PARAMETER 0x00000057
+#define KSMBD_RPC_EMORE_DATA 0x000000EA
+#define KSMBD_RPC_EINVALID_LEVEL 0x0000007C
+#define KSMBD_RPC_SOME_NOT_MAPPED 0x00000107
+
+#define KSMBD_CONFIG_OPT_DISABLED 0
+#define KSMBD_CONFIG_OPT_ENABLED 1
+#define KSMBD_CONFIG_OPT_AUTO 2
+#define KSMBD_CONFIG_OPT_MANDATORY 3
+
+#endif /* _LINUX_KSMBD_SERVER_H */
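Review bot: The variable-length messages carry their own length fields (ifc_list_sz, veto_list_sz, payload_sz, spnego_blob_len, session_key_len, hash_sz), but nothing in this header states how the receiver bounds them against the actual netlink attribute length. KSMBD_SHARE_CONFIG_PATH() in particular advances the pointer by veto_list_sz + 1 with no check that the result stays inside the message. Please document the validation contract next to each struct, and have consumers check hash_sz <= KSMBD_REQ_MAX_HASH_SZ and NUL termination of the fixed account, share_name and peer_addr arrays before using them as strings. The ____payload[0] and payload[0] members would also be better written as C99 flexible array members.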
diff --git a/fs/cifsd/ksmbd_work.c b/fs/cifsd/ksmbd_work.c
new file mode 100644
index 000000000000..8cd5dff0762d
--- /dev/null
+++ b/fs/cifsd/ksmbd_work.c
@@ -0,0 +1,93 @@
+// SPDX-License-Identifier: GPL-2.0-or-later
+/*
+ * Copyright (C) 2019 Samsung Electronics Co., Ltd.
+ */
+
+#include <linux/list.h>
+#include <linux/mm.h>
+#include <linux/slab.h>
+#include <linux/workqueue.h>
+
+#include "server.h"
+#include "connection.h"
+#include "ksmbd_work.h"
+#include "buffer_pool.h"
+#include "mgmt/ksmbd_ida.h"
+
+/* @FIXME */
+#include "ksmbd_server.h"
+
+static struct kmem_cache *work_cache;
+static struct workqueue_struct *ksmbd_wq;
+
+struct ksmbd_work *ksmbd_alloc_work_struct(void)
+{
+ struct ksmbd_work *work = kmem_cache_zalloc(work_cache, GFP_KERNEL);
+
+ if (work) {
+ work->compound_fid = KSMBD_NO_FID;
+ work->compound_pfid = KSMBD_NO_FID;
+ INIT_LIST_HEAD(&work->request_entry);
+ INIT_LIST_HEAD(&work->async_request_entry);
+ INIT_LIST_HEAD(&work->fp_entry);
+ INIT_LIST_HEAD(&work->interim_entry);
+ }
+ return work;
+}
+
+void ksmbd_free_work_struct(struct ksmbd_work *work)
+{
+ WARN_ON(work->saved_cred != NULL);
+ if (server_conf.flags & KSMBD_GLOBAL_FLAG_CACHE_TBUF &&
+ work->set_trans_buf)
+ ksmbd_release_buffer(RESPONSE_BUF(work));
+ else
+ ksmbd_free_response(RESPONSE_BUF(work));
+
+ if (server_conf.flags & KSMBD_GLOBAL_FLAG_CACHE_RBUF &&
+ work->set_read_buf)
+ ksmbd_release_buffer(AUX_PAYLOAD(work));
+ else
+ ksmbd_free_response(AUX_PAYLOAD(work));
+
+ ksmbd_free_response(TRANSFORM_BUF(work));
+ ksmbd_free_request(REQUEST_BUF(work));
+ if (work->async_id)
+ ksmbd_release_id(work->conn->async_ida, work->async_id);
+ kmem_cache_free(work_cache, work);
+}
+
+void ksmbd_work_pool_destroy(void)
+{
+ kmem_cache_destroy(work_cache);
+}
+
+int ksmbd_work_pool_init(void)
+{
+ work_cache = kmem_cache_create("ksmbd_work_cache",
+ sizeof(struct ksmbd_work), 0,
+ SLAB_HWCACHE_ALIGN, NULL);
+ if (!work_cache)
+ return -ENOMEM;
+ return 0;
+}
+
+int ksmbd_workqueue_init(void)
+{
+ ksmbd_wq = alloc_workqueue("ksmbd-io", 0, 0);
+ if (!ksmbd_wq)
+ return -ENOMEM;
+ return 0;
+}
+
+void ksmbd_workqueue_destroy(void)
+{
+ flush_workqueue(ksmbd_wq);
+ destroy_workqueue(ksmbd_wq);
+ ksmbd_wq = NULL;
+}
+
+bool ksmbd_queue_work(struct ksmbd_work *work)
+{
+ return queue_work(ksmbd_wq, &work->work);
+}
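Review bot: ksmbd_workqueue_destroy() passes ksmbd_wq to flush_workqueue() and destroy_workqueue() without a NULL check, so calling it when ksmbd_workqueue_init() failed or never ran dereferences a NULL pointer; add an early return for !ksmbd_wq. destroy_workqueue() already drains pending work, so the explicit flush can be dropped. ksmbd_free_work_struct() also reads work->conn->async_ida whenever async_id is non-zero, which is only safe if work->conn is guaranteed to be set before an async id is assigned; a comment stating that invariant would help. The bare "/* @FIXME */" above the ksmbd_server.h include should say what needs fixing.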
diff --git a/fs/cifsd/ksmbd_work.h b/fs/cifsd/ksmbd_work.h
new file mode 100644
index 000000000000..405434d4c8ab
--- /dev/null
+++ b/fs/cifsd/ksmbd_work.h
@@ -0,0 +1,124 @@
+/* SPDX-License-Identifier: GPL-2.0-or-later */
+/*
+ * Copyright (C) 2019 Samsung Electronics Co., Ltd.
+ */
+
+#ifndef __KSMBD_WORK_H__
+#define __KSMBD_WORK_H__
+
+#include <linux/ctype.h>
+#include <linux/workqueue.h>
+
+struct ksmbd_conn;
+struct ksmbd_session;
+struct ksmbd_tree_connect;
+
+enum {
+ KSMBD_WORK_ACTIVE = 0,
+ KSMBD_WORK_CANCELLED,
+ KSMBD_WORK_CLOSED,
+};
+
+/* one of these for every pending CIFS request at the connection */
+struct ksmbd_work {
+ /* Server corresponding to this mid */
+ struct ksmbd_conn *conn;
+ struct ksmbd_session *sess;
+ struct ksmbd_tree_connect *tcon;
+
+ /* Pointer to received SMB header */
+ char *request_buf;
+ /* Response buffer */
+ char *response_buf;
+
+ /* Read data buffer */
+ char *aux_payload_buf;
+
+ /* Next cmd hdr in compound req buf*/
+ int next_smb2_rcv_hdr_off;
+ /* Next cmd hdr in compound rsp buf*/
+ int next_smb2_rsp_hdr_off;
+
+ /*
+ * Current Local FID assigned compound response if SMB2 CREATE
+ * command is present in compound request
+ */
+ unsigned int compound_fid;
+ unsigned int compound_pfid;
+ unsigned int compound_sid;
+
+ const struct cred *saved_cred;
+
+ /* Number of granted credits */
+ unsigned int credits_granted;
+
+ /* response smb header size */
+ unsigned int resp_hdr_sz;
+ unsigned int response_sz;
+ /* Read data count */
+ unsigned int aux_payload_sz;
+
+ void *tr_buf;
+
+ unsigned char state;
+ /* Multiple responses for one request e.g. SMB ECHO */
+ bool multiRsp:1;
+ /* No response for cancelled request */
+ bool send_no_response:1;
+ /* Request is encrypted */
+ bool encrypted:1;
+ /* Is this SYNC or ASYNC ksmbd_work */
+ bool syncronous:1;
+ bool need_invalidate_rkey:1;
+ bool set_trans_buf:1;
+ bool set_read_buf:1;
+
+ unsigned int remote_key;
+ /* cancel works */
+ int async_id;
+ void **cancel_argv;
+ void (*cancel_fn)(void **argv);
+
+ struct work_struct work;
+ /* List head at conn->requests */
+ struct list_head request_entry;
+ /* List head at conn->async_requests */
+ struct list_head async_request_entry;
+ struct list_head fp_entry;
+ struct list_head interim_entry;
+};
+
+#define WORK_CANCELLED(w) ((w)->state == KSMBD_WORK_CANCELLED)
+#define WORK_CLOSED(w) ((w)->state == KSMBD_WORK_CLOSED)
+#define WORK_ACTIVE(w) ((w)->state == KSMBD_WORK_ACTIVE)
+
+#define RESPONSE_BUF(w) ((void *)(w)->response_buf)
+#define REQUEST_BUF(w) ((void *)(w)->request_buf)
+
+#define RESPONSE_BUF_NEXT(w) \
+ ((void *)((w)->response_buf + (w)->next_smb2_rsp_hdr_off))
+#define REQUEST_BUF_NEXT(w) \
+ ((void *)((w)->request_buf + (w)->next_smb2_rcv_hdr_off))
+
+#define RESPONSE_SZ(w) ((w)->response_sz)
+
+#define INIT_AUX_PAYLOAD(w) ((w)->aux_payload_buf = NULL)
+#define HAS_AUX_PAYLOAD(w) ((w)->aux_payload_sz != 0)
+#define AUX_PAYLOAD(w) ((void *)((w)->aux_payload_buf))
+#define AUX_PAYLOAD_SIZE(w) ((w)->aux_payload_sz)
+#define RESP_HDR_SIZE(w) ((w)->resp_hdr_sz)
+
+#define HAS_TRANSFORM_BUF(w) ((w)->tr_buf != NULL)
+#define TRANSFORM_BUF(w) ((void *)((w)->tr_buf))
+
+struct ksmbd_work *ksmbd_alloc_work_struct(void);
+void ksmbd_free_work_struct(struct ksmbd_work *work);
+
+void ksmbd_work_pool_destroy(void);
+int ksmbd_work_pool_init(void);
+
+int ksmbd_workqueue_init(void);
+void ksmbd_workqueue_destroy(void);
+bool ksmbd_queue_work(struct ksmbd_work *work);
+
+#endif /* __KSMBD_WORK_H__ */
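Review bot: INIT_AUX_PAYLOAD() clears only aux_payload_buf while HAS_AUX_PAYLOAD() tests aux_payload_sz, so the two can disagree and a caller can see a payload reported with a NULL buffer; reset both fields together or test the pointer. next_smb2_rcv_hdr_off and next_smb2_rsp_hdr_off are signed int and are added straight to the buffer pointers in REQUEST_BUF_NEXT() and RESPONSE_BUF_NEXT(); since the request offset walks a client's compound request, an unsigned type with a documented range check against the buffer length would be safer. Minor: "syncronous" is misspelled and multiRsp does not follow kernel naming style.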
diff --git a/fs/cifsd/server.c b/fs/cifsd/server.c
new file mode 100644
index 000000000000..b9e114f8a5d2
--- /dev/null
+++ b/fs/cifsd/server.c
@@ -0,0 +1,635 @@
+// SPDX-License-Identifier: GPL-2.0-or-later
+/*
+ * Copyright (C) 2016 Namjae Jeon <linkinjeon(a)kernel.org>
+ * Copyright (C) 2018 Samsung Electronics Co., Ltd.
+ */
+
+#include "glob.h"
+#include "oplock.h"
+#include "misc.h"
+#include <linux/sched/signal.h>
+#include <linux/workqueue.h>
+#include <linux/sysfs.h>
+#include <linux/module.h>
+#include <linux/moduleparam.h>
+
+#include "server.h"
+#include "smb_common.h"
+#include "smbstatus.h"
+#include "buffer_pool.h"
+#include "connection.h"
+#include "transport_ipc.h"
+#include "mgmt/user_session.h"
+#include "crypto_ctx.h"
+#include "auth.h"
+
+int ksmbd_debug_types;
+
+struct ksmbd_server_config server_conf;
+
+enum SERVER_CTRL_TYPE {
+ SERVER_CTRL_TYPE_INIT,
+ SERVER_CTRL_TYPE_RESET,
+};
+
+struct server_ctrl_struct {
+ int type;
+ struct work_struct ctrl_work;
+};
+
+static DEFINE_MUTEX(ctrl_lock);
+
+static int ___server_conf_set(int idx, char *val)
+{
+ if (idx >= ARRAY_SIZE(server_conf.conf))
+ return -EINVAL;
+
+ if (!val || val[0] == 0x00)
+ return -EINVAL;
+
+ kfree(server_conf.conf[idx]);
+ server_conf.conf[idx] = kstrdup(val, GFP_KERNEL);
+ if (!server_conf.conf[idx])
+ return -ENOMEM;
+ return 0;
+}
+
+int ksmbd_set_netbios_name(char *v)
+{
+ return ___server_conf_set(SERVER_CONF_NETBIOS_NAME, v);
+}
+
+int ksmbd_set_server_string(char *v)
+{
+ return ___server_conf_set(SERVER_CONF_SERVER_STRING, v);
+}
+
+int ksmbd_set_work_group(char *v)
+{
+ return ___server_conf_set(SERVER_CONF_WORK_GROUP, v);
+}
+
+char *ksmbd_netbios_name(void)
+{
+ return server_conf.conf[SERVER_CONF_NETBIOS_NAME];
+}
+
+char *ksmbd_server_string(void)
+{
+ return server_conf.conf[SERVER_CONF_SERVER_STRING];
+}
+
+char *ksmbd_work_group(void)
+{
+ return server_conf.conf[SERVER_CONF_WORK_GROUP];
+}
+
+/**
+ * check_conn_state() - check state of server thread connection
+ * @ksmbd_work: smb work containing server thread information
+ *
+ * Return: 0 on valid connection, otherwise 1 to reconnect
+ */
+static inline int check_conn_state(struct ksmbd_work *work)
+{
+ struct smb_hdr *rsp_hdr;
+
+ if (ksmbd_conn_exiting(work) || ksmbd_conn_need_reconnect(work)) {
+ rsp_hdr = RESPONSE_BUF(work);
+ rsp_hdr->Status.CifsError = STATUS_CONNECTION_DISCONNECTED;
+ return 1;
+ }
+ return 0;
+}
+
+/* @FIXME what a mess... god help. */
+
+#define TCP_HANDLER_CONTINUE 0
+#define TCP_HANDLER_ABORT 1
+
+static int __process_request(struct ksmbd_work *work,
+ struct ksmbd_conn *conn,
+ uint16_t *cmd)
+{
+ struct smb_version_cmds *cmds;
+ uint16_t command;
+ int ret;
+
+ if (check_conn_state(work))
+ return TCP_HANDLER_CONTINUE;
+
+ if (ksmbd_verify_smb_message(work))
+ return TCP_HANDLER_ABORT;
+
+ command = conn->ops->get_cmd_val(work);
+ *cmd = command;
+
+andx_again:
+ if (command >= conn->max_cmds) {
+ conn->ops->set_rsp_status(work, STATUS_INVALID_PARAMETER);
+ return TCP_HANDLER_CONTINUE;
+ }
+
+ cmds = &conn->cmds[command];
+ if (!cmds->proc) {
+ ksmbd_debug(SMB, "*** not implemented yet cmd = %x\n", command);
+ conn->ops->set_rsp_status(work, STATUS_NOT_IMPLEMENTED);
+ return TCP_HANDLER_CONTINUE;
+ }
+
+ if (work->sess && conn->ops->is_sign_req(work, command)) {
+ ret = conn->ops->check_sign_req(work);
+ if (!ret) {
+ conn->ops->set_rsp_status(work, STATUS_ACCESS_DENIED);
+ return TCP_HANDLER_CONTINUE;
+ }
+ }
+
+ ret = cmds->proc(work);
+
+ if (ret < 0)
+ ksmbd_debug(CONN, "Failed to process %u [%d]\n", command, ret);
+ /* AndX commands - chained request can return positive values */
+ else if (ret > 0) {
+ command = ret;
+ *cmd = command;
+ goto andx_again;
+ }
+
+ if (work->send_no_response)
+ return TCP_HANDLER_ABORT;
+ return TCP_HANDLER_CONTINUE;
+}
+
+static void __handle_ksmbd_work(struct ksmbd_work *work,
+ struct ksmbd_conn *conn)
+{
+ uint16_t command = 0;
+ int rc;
+
+ if (conn->ops->allocate_rsp_buf(work))
+ return;
+
+ if (conn->ops->is_transform_hdr &&
+ conn->ops->is_transform_hdr(REQUEST_BUF(work))) {
+ rc = conn->ops->decrypt_req(work);
+ if (rc < 0) {
+ conn->ops->set_rsp_status(work, STATUS_DATA_ERROR);
+ goto send;
+ }
+
+ work->encrypted = true;
+ }
+
+ rc = conn->ops->init_rsp_hdr(work);
+ if (rc) {
+ /* either uid or tid is not correct */
+ conn->ops->set_rsp_status(work, STATUS_INVALID_HANDLE);
+ goto send;
+ }
+
+ if (conn->ops->check_user_session) {
+ rc = conn->ops->check_user_session(work);
+ if (rc < 0) {
+ command = conn->ops->get_cmd_val(work);
+ conn->ops->set_rsp_status(work,
+ STATUS_USER_SESSION_DELETED);
+ goto send;
+ } else if (rc > 0) {
+ rc = conn->ops->get_ksmbd_tcon(work);
+ if (rc < 0) {
+ conn->ops->set_rsp_status(work,
+ STATUS_NETWORK_NAME_DELETED);
+ goto send;
+ }
+ }
+ }
+
+ do {
+ rc = __process_request(work, conn, &command);
+ if (rc == TCP_HANDLER_ABORT)
+ break;
+
+ /*
+ * Call smb2_set_rsp_credits() function to set number of credits
+ * granted in hdr of smb2 response.
+ */
+ if (conn->ops->set_rsp_credits) {
+ spin_lock(&conn->credits_lock);
+ rc = conn->ops->set_rsp_credits(work);
+ spin_unlock(&conn->credits_lock);
+ if (rc < 0) {
+ conn->ops->set_rsp_status(work,
+ STATUS_INVALID_PARAMETER);
+ goto send;
+ }
+ }
+
+ if (work->sess && (work->sess->sign ||
+ smb3_11_final_sess_setup_resp(work) ||
+ conn->ops->is_sign_req(work, command)))
+ conn->ops->set_sign_rsp(work);
+ } while (is_chained_smb2_message(work));
+
+ if (work->send_no_response)
+ return;
+
+send:
+ smb3_preauth_hash_rsp(work);
+ if (work->sess && work->sess->enc && work->encrypted &&
+ conn->ops->encrypt_resp) {
+ rc = conn->ops->encrypt_resp(work);
+ if (rc < 0) {
+ conn->ops->set_rsp_status(work, STATUS_DATA_ERROR);
+ goto send;
+ }
+ }
+
+ ksmbd_conn_write(work);
+}
+
+/**
+ * handle_ksmbd_work() - process pending smb work requests
+ * @ksmbd_work: smb work containing request command buffer
+ *
+ * called by kworker threads to processing remaining smb work requests
+ */
+static void handle_ksmbd_work(struct work_struct *wk)
+{
+ struct ksmbd_work *work = container_of(wk, struct ksmbd_work, work);
+ struct ksmbd_conn *conn = work->conn;
+
+ atomic64_inc(&conn->stats.request_served);
+
+ __handle_ksmbd_work(work, conn);
+
+ ksmbd_conn_try_dequeue_request(work);
+ ksmbd_free_work_struct(work);
+ atomic_dec(&conn->r_count);
+}
+
+/**
+ * queue_ksmbd_work() - queue a smb request to worker thread queue
+ * for proccessing smb command and sending response
+ * @conn: connection instance
+ *
+ * read remaining data from socket create and submit work.
+ */
+static int queue_ksmbd_work(struct ksmbd_conn *conn)
+{
+ struct ksmbd_work *work;
+
+ work = ksmbd_alloc_work_struct();
+ if (!work) {
+ ksmbd_err("allocation for work failed\n");
+ return -ENOMEM;
+ }
+
+ work->conn = conn;
+ work->request_buf = conn->request_buf;
+ conn->request_buf = NULL;
+
+ if (ksmbd_init_smb_server(work)) {
+ ksmbd_free_work_struct(work);
+ return -EINVAL;
+ }
+
+ ksmbd_conn_enqueue_request(work);
+ atomic_inc(&conn->r_count);
+ /* update activity on connection */
+ conn->last_active = jiffies;
+ INIT_WORK(&work->work, handle_ksmbd_work);
+ ksmbd_queue_work(work);
+ return 0;
+}
+
+static int ksmbd_server_process_request(struct ksmbd_conn *conn)
+{
+ return queue_ksmbd_work(conn);
+}
+
+static int ksmbd_server_terminate_conn(struct ksmbd_conn *conn)
+{
+ ksmbd_sessions_deregister(conn);
+ destroy_lease_table(conn);
+ return 0;
+}
+
+static void ksmbd_server_tcp_callbacks_init(void)
+{
+ struct ksmbd_conn_ops ops;
+
+ ops.process_fn = ksmbd_server_process_request;
+ ops.terminate_fn = ksmbd_server_terminate_conn;
+
+ ksmbd_conn_init_server_callbacks(&ops);
+}
+
+static void server_conf_free(void)
+{
+ int i;
+
+ for (i = 0; i < ARRAY_SIZE(server_conf.conf); i++) {
+ kfree(server_conf.conf[i]);
+ server_conf.conf[i] = NULL;
+ }
+}
+
+static int server_conf_init(void)
+{
+ WRITE_ONCE(server_conf.state, SERVER_STATE_STARTING_UP);
+ server_conf.enforced_signing = 0;
+ server_conf.min_protocol = ksmbd_min_protocol();
+ server_conf.max_protocol = ksmbd_max_protocol();
+ server_conf.auth_mechs = KSMBD_AUTH_NTLMSSP;
+#ifdef CONFIG_SMB_SERVER_KERBEROS5
+ server_conf.auth_mechs |= KSMBD_AUTH_KRB5 |
+ KSMBD_AUTH_MSKRB5;
+#endif
+ return 0;
+}
+
+static void server_ctrl_handle_init(struct server_ctrl_struct *ctrl)
+{
+ int ret;
+
+ ret = ksmbd_conn_transport_init();
+ if (ret) {
+ server_queue_ctrl_reset_work();
+ return;
+ }
+
+ WRITE_ONCE(server_conf.state, SERVER_STATE_RUNNING);
+}
+
+static void server_ctrl_handle_reset(struct server_ctrl_struct *ctrl)
+{
+ ksmbd_ipc_soft_reset();
+ ksmbd_conn_transport_destroy();
+ server_conf_free();
+ server_conf_init();
+ WRITE_ONCE(server_conf.state, SERVER_STATE_STARTING_UP);
+}
+
+static void server_ctrl_handle_work(struct work_struct *work)
+{
+ struct server_ctrl_struct *ctrl;
+
+ ctrl = container_of(work, struct server_ctrl_struct, ctrl_work);
+
+ mutex_lock(&ctrl_lock);
+ switch (ctrl->type) {
+ case SERVER_CTRL_TYPE_INIT:
+ server_ctrl_handle_init(ctrl);
+ break;
+ case SERVER_CTRL_TYPE_RESET:
+ server_ctrl_handle_reset(ctrl);
+ break;
+ default:
+ pr_err("Unknown server work type: %d\n", ctrl->type);
+ }
+ mutex_unlock(&ctrl_lock);
+ kfree(ctrl);
+ module_put(THIS_MODULE);
+}
+
+static int __queue_ctrl_work(int type)
+{
+ struct server_ctrl_struct *ctrl;
+
+ ctrl = kmalloc(sizeof(struct server_ctrl_struct), GFP_KERNEL);
+ if (!ctrl)
+ return -ENOMEM;
+
+ __module_get(THIS_MODULE);
+ ctrl->type = type;
+ INIT_WORK(&ctrl->ctrl_work, server_ctrl_handle_work);
+ queue_work(system_long_wq, &ctrl->ctrl_work);
+ return 0;
+}
+
+int server_queue_ctrl_init_work(void)
+{
+ return __queue_ctrl_work(SERVER_CTRL_TYPE_INIT);
+}
+
+int server_queue_ctrl_reset_work(void)
+{
+ return __queue_ctrl_work(SERVER_CTRL_TYPE_RESET);
+}
+
+static ssize_t stats_show(struct class *class,
+ struct class_attribute *attr,
+ char *buf)
+{
+ /*
+ * Inc this each time you change stats output format,
+ * so user space will know what to do.
+ */
+ static int stats_version = 2;
+ static const char * const state[] = {
+ "startup",
+ "running",
+ "reset",
+ "shutdown"
+ };
+
+ ssize_t sz = scnprintf(buf,
+ PAGE_SIZE,
+ "%d %s %d %lu\n",
+ stats_version,
+ state[server_conf.state],
+ server_conf.tcp_port,
+ server_conf.ipc_last_active / HZ);
+ return sz;
+}
+
+static ssize_t kill_server_store(struct class *class,
+ struct class_attribute *attr,
+ const char *buf,
+ size_t len)
+{
+ if (!sysfs_streq(buf, "hard"))
+ return len;
+
+ ksmbd_info("kill command received\n");
+ mutex_lock(&ctrl_lock);
+ WRITE_ONCE(server_conf.state, SERVER_STATE_RESETTING);
+ __module_get(THIS_MODULE);
+ server_ctrl_handle_reset(NULL);
+ module_put(THIS_MODULE);
+ mutex_unlock(&ctrl_lock);
+ return len;
+}
+
+static const char * const debug_type_strings[] = {"smb", "auth", "vfs",
+ "oplock", "ipc", "conn",
+ "rdma"};
+
+static ssize_t debug_show(struct class *class,
+ struct class_attribute *attr,
+ char *buf)
+{
+ ssize_t sz = 0;
+ int i, pos = 0;
+
+ for (i = 0; i < ARRAY_SIZE(debug_type_strings); i++) {
+ if ((ksmbd_debug_types >> i) & 1) {
+ pos = scnprintf(buf + sz,
+ PAGE_SIZE - sz,
+ "[%s] ",
+ debug_type_strings[i]);
+ } else {
+ pos = scnprintf(buf + sz,
+ PAGE_SIZE - sz,
+ "%s ",
+ debug_type_strings[i]);
+ }
+ sz += pos;
+
+ }
+ sz += scnprintf(buf + sz, PAGE_SIZE - sz, "\n");
+ return sz;
+}
+
+static ssize_t debug_store(struct class *class,
+ struct class_attribute *attr,
+ const char *buf,
+ size_t len)
+{
+ int i;
+
+ for (i = 0; i < ARRAY_SIZE(debug_type_strings); i++) {
+ if (sysfs_streq(buf, "all")) {
+ if (ksmbd_debug_types == KSMBD_DEBUG_ALL)
+ ksmbd_debug_types = 0;
+ else
+ ksmbd_debug_types = KSMBD_DEBUG_ALL;
+ break;
+ }
+
+ if (sysfs_streq(buf, debug_type_strings[i])) {
+ if (ksmbd_debug_types & (1 << i))
+ ksmbd_debug_types &= ~(1 << i);
+ else
+ ksmbd_debug_types |= (1 << i);
+ break;
+ }
+ }
+
+ return len;
+}
+
+static CLASS_ATTR_RO(stats);
+static CLASS_ATTR_WO(kill_server);
+static CLASS_ATTR_RW(debug);
+
+static struct attribute *ksmbd_control_class_attrs[] = {
+ &class_attr_stats.attr,
+ &class_attr_kill_server.attr,
+ &class_attr_debug.attr,
+ NULL,
+};
+ATTRIBUTE_GROUPS(ksmbd_control_class);
+
+static struct class ksmbd_control_class = {
+ .name = "ksmbd-control",
+ .owner = THIS_MODULE,
+ .class_groups = ksmbd_control_class_groups,
+};
+
+static int ksmbd_server_shutdown(void)
+{
+ WRITE_ONCE(server_conf.state, SERVER_STATE_SHUTTING_DOWN);
+
+ class_unregister(&ksmbd_control_class);
+ ksmbd_workqueue_destroy();
+ ksmbd_ipc_release();
+ ksmbd_conn_transport_destroy();
+ ksmbd_free_session_table();
+ ksmbd_crypto_destroy();
+ ksmbd_free_global_file_table();
+ destroy_lease_table(NULL);
+ ksmbd_destroy_buffer_pools();
+ server_conf_free();
+ return 0;
+}
+
+static int __init ksmbd_server_init(void)
+{
+ int ret;
+
+ ret = class_register(&ksmbd_control_class);
+ if (ret) {
+ ksmbd_err("Unable to register ksmbd-control class\n");
+ return ret;
+ }
+
+ ksmbd_server_tcp_callbacks_init();
+
+ ret = server_conf_init();
+ if (ret)
+ return ret;
+
+ ret = ksmbd_init_buffer_pools();
+ if (ret)
+ return ret;
+
+ ret = ksmbd_init_session_table();
+ if (ret)
+ goto error;
+
+ ret = ksmbd_ipc_init();
+ if (ret)
+ goto error;
+
+ ret = ksmbd_init_global_file_table();
+ if (ret)
+ goto error;
+
+ ret = ksmbd_inode_hash_init();
+ if (ret)
+ goto error;
+
+ ret = ksmbd_crypto_create();
+ if (ret)
+ goto error;
+
+ ret = ksmbd_workqueue_init();
+ if (ret)
+ goto error;
+ return 0;
+
+error:
+ ksmbd_server_shutdown();
+ return ret;
+}
+
+/**
+ * exit_smb_server() - shutdown forker thread and free memory at module exit
+ */
+static void __exit ksmbd_server_exit(void)
+{
+ ksmbd_server_shutdown();
+ ksmbd_release_inode_hash();
+}
+
+MODULE_AUTHOR("Namjae Jeon <linkinjeon(a)kernel.org>");
+MODULE_VERSION(KSMBD_VERSION);
+MODULE_DESCRIPTION("Linux kernel CIFS/SMB SERVER");
+MODULE_LICENSE("GPL");
+MODULE_SOFTDEP("pre: arc4");
+MODULE_SOFTDEP("pre: ecb");
+MODULE_SOFTDEP("pre: hmac");
+MODULE_SOFTDEP("pre: md4");
+MODULE_SOFTDEP("pre: md5");
+MODULE_SOFTDEP("pre: nls");
+MODULE_SOFTDEP("pre: aes");
+MODULE_SOFTDEP("pre: cmac");
+MODULE_SOFTDEP("pre: sha256");
+MODULE_SOFTDEP("pre: sha512");
+MODULE_SOFTDEP("pre: aead2");
+MODULE_SOFTDEP("pre: ccm");
+MODULE_SOFTDEP("pre: gcm");
+module_init(ksmbd_server_init)
+module_exit(ksmbd_server_exit)
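Review bot: In __handle_ksmbd_work(), the `goto send` taken when encrypt_resp() fails jumps back to the same label with the same conditions still true, so a persistent encryption failure spins the worker forever and reruns smb3_preauth_hash_rsp() on every pass; fail the request once instead of retrying. In ksmbd_server_init(), the early `return ret` after server_conf_init() and ksmbd_init_buffer_pools() leaves ksmbd_control_class registered, while the `error:` path calls ksmbd_server_shutdown(), which tears down every subsystem including ones that were never initialised (for example ksmbd_workqueue_destroy() before ksmbd_workqueue_init() has run); unwind in reverse order with per-step labels. ksmbd_server_tcp_callbacks_init() fills a stack `struct ksmbd_conn_ops` member by member; a designated initializer would guarantee that any members not listed are zeroed.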
diff --git a/fs/cifsd/server.h b/fs/cifsd/server.h
new file mode 100644
index 000000000000..7b2f6318fcff
--- /dev/null
+++ b/fs/cifsd/server.h
@@ -0,0 +1,62 @@
+/* SPDX-License-Identifier: GPL-2.0-or-later */
+/*
+ * Copyright (C) 2018 Samsung Electronics Co., Ltd.
+ */
+
+#ifndef __SERVER_H__
+#define __SERVER_H__
+
+#include "smbacl.h"
+
+#define SERVER_STATE_STARTING_UP 0
+#define SERVER_STATE_RUNNING 1
+#define SERVER_STATE_RESETTING 2
+#define SERVER_STATE_SHUTTING_DOWN 3
+
+#define SERVER_CONF_NETBIOS_NAME 0
+#define SERVER_CONF_SERVER_STRING 1
+#define SERVER_CONF_WORK_GROUP 2
+
+extern int ksmbd_debugging;
+
+struct ksmbd_server_config {
+ unsigned int flags;
+ unsigned int state;
+ short signing;
+ short enforced_signing;
+ short min_protocol;
+ short max_protocol;
+ unsigned short tcp_port;
+ unsigned short ipc_timeout;
+ unsigned long ipc_last_active;
+ unsigned long deadtime;
+ unsigned int share_fake_fscaps;
+ struct smb_sid domain_sid;
+ unsigned int auth_mechs;
+
+ char *conf[SERVER_CONF_WORK_GROUP + 1];
+};
+
+extern struct ksmbd_server_config server_conf;
+
+int ksmbd_set_netbios_name(char *v);
+int ksmbd_set_server_string(char *v);
+int ksmbd_set_work_group(char *v);
+
+char *ksmbd_netbios_name(void);
+char *ksmbd_server_string(void);
+char *ksmbd_work_group(void);
+
+static inline int ksmbd_server_running(void)
+{
+ return READ_ONCE(server_conf.state) == SERVER_STATE_RUNNING;
+}
+
+static inline int ksmbd_server_configurable(void)
+{
+ return READ_ONCE(server_conf.state) < SERVER_STATE_RESETTING;
+}
+
+int server_queue_ctrl_init_work(void);
+int server_queue_ctrl_reset_work(void);
+#endif /* __SERVER_H__ */
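Review bot: `extern int ksmbd_debugging;` declares a symbol for which no definition is visible in server.c, which defines ksmbd_debug_types instead; this looks like a stale declaration and should be removed. conf[] is sized as SERVER_CONF_WORK_GROUP + 1, which silently depends on that constant staying the last index; a SERVER_CONF_MAX constant would keep the array and the bounds check in ___server_conf_set() correct when another entry is added.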
diff --git a/fs/cifsd/transport_ipc.c b/fs/cifsd/transport_ipc.c
new file mode 100644
index 000000000000..b91fa265f85d
--- /dev/null
+++ b/fs/cifsd/transport_ipc.c
@@ -0,0 +1,900 @@
+// SPDX-License-Identifier: GPL-2.0-or-later
+/*
+ * Copyright (C) 2018 Samsung Electronics Co., Ltd.
+ */
+
+#include <linux/jhash.h>
+#include <linux/slab.h>
+#include <linux/rwsem.h>
+#include <linux/mutex.h>
+#include <linux/wait.h>
+#include <linux/hashtable.h>
+#include <net/net_namespace.h>
+#include <net/genetlink.h>
+#include <linux/socket.h>
+#include <linux/workqueue.h>
+
+#include "vfs_cache.h"
+#include "transport_ipc.h"
+#include "buffer_pool.h"
+#include "server.h"
+#include "smb_common.h"
+
+#include "mgmt/user_config.h"
+#include "mgmt/share_config.h"
+#include "mgmt/user_session.h"
+#include "mgmt/tree_connect.h"
+#include "mgmt/ksmbd_ida.h"
+#include "connection.h"
+#include "transport_tcp.h"
+
+/* @FIXME fix this code */
+extern int get_protocol_idx(char *str);
+
+#define IPC_WAIT_TIMEOUT (2 * HZ)
+
+#define IPC_MSG_HASH_BITS 3
+static DEFINE_HASHTABLE(ipc_msg_table, IPC_MSG_HASH_BITS);
+static DECLARE_RWSEM(ipc_msg_table_lock);
+static DEFINE_MUTEX(startup_lock);
+
+static struct ksmbd_ida *ida;
+
+static unsigned int ksmbd_tools_pid;
+
+#define KSMBD_IPC_MSG_HANDLE(m) (*(unsigned int *)m)
+
+static bool ksmbd_ipc_validate_version(struct genl_info *m)
+{
+ if (m->genlhdr->version != KSMBD_GENL_VERSION) {
+ ksmbd_err("%s. ksmbd: %d, kernel module: %d. %s.\n",
+ "Daemon and kernel module version mismatch",
+ m->genlhdr->version,
+ KSMBD_GENL_VERSION,
+ "User-space ksmbd should terminate");
+ return false;
+ }
+ return true;
+}
+
+struct ksmbd_ipc_msg {
+ unsigned int type;
+ unsigned int sz;
+ unsigned char ____payload[0];
+};
+
+#define KSMBD_IPC_MSG_PAYLOAD(m) \
+ ((void *)(((struct ksmbd_ipc_msg *)(m))->____payload))
+
+struct ipc_msg_table_entry {
+ unsigned int handle;
+ unsigned int type;
+ wait_queue_head_t wait;
+ struct hlist_node ipc_table_hlist;
+
+ void *response;
+};
+
+static struct delayed_work ipc_timer_work;
+
+static int handle_startup_event(struct sk_buff *skb, struct genl_info *info);
+static int handle_unsupported_event(struct sk_buff *skb,
+ struct genl_info *info);
+static int handle_generic_event(struct sk_buff *skb, struct genl_info *info);
+static int ksmbd_ipc_heartbeat_request(void);
+
+static const struct nla_policy ksmbd_nl_policy[KSMBD_EVENT_MAX] = {
+ [KSMBD_EVENT_UNSPEC] = {
+ .len = 0,
+ },
+ [KSMBD_EVENT_HEARTBEAT_REQUEST] = {
+ .len = sizeof(struct ksmbd_heartbeat),
+ },
+ [KSMBD_EVENT_STARTING_UP] = {
+ .len = sizeof(struct ksmbd_startup_request),
+ },
+ [KSMBD_EVENT_SHUTTING_DOWN] = {
+ .len = sizeof(struct ksmbd_shutdown_request),
+ },
+ [KSMBD_EVENT_LOGIN_REQUEST] = {
+ .len = sizeof(struct ksmbd_login_request),
+ },
+ [KSMBD_EVENT_LOGIN_RESPONSE] = {
+ .len = sizeof(struct ksmbd_login_response),
+ },
+ [KSMBD_EVENT_SHARE_CONFIG_REQUEST] = {
+ .len = sizeof(struct ksmbd_share_config_request),
+ },
+ [KSMBD_EVENT_SHARE_CONFIG_RESPONSE] = {
+ .len = sizeof(struct ksmbd_share_config_response),
+ },
+ [KSMBD_EVENT_TREE_CONNECT_REQUEST] = {
+ .len = sizeof(struct ksmbd_tree_connect_request),
+ },
+ [KSMBD_EVENT_TREE_CONNECT_RESPONSE] = {
+ .len = sizeof(struct ksmbd_tree_connect_response),
+ },
+ [KSMBD_EVENT_TREE_DISCONNECT_REQUEST] = {
+ .len = sizeof(struct ksmbd_tree_disconnect_request),
+ },
+ [KSMBD_EVENT_LOGOUT_REQUEST] = {
+ .len = sizeof(struct ksmbd_logout_request),
+ },
+ [KSMBD_EVENT_RPC_REQUEST] = {
+ },
+ [KSMBD_EVENT_RPC_RESPONSE] = {
+ },
+ [KSMBD_EVENT_SPNEGO_AUTHEN_REQUEST] = {
+ },
+ [KSMBD_EVENT_SPNEGO_AUTHEN_RESPONSE] = {
+ },
+};
+
+static struct genl_ops ksmbd_genl_ops[] = {
+ {
+ .cmd = KSMBD_EVENT_UNSPEC,
+ .doit = handle_unsupported_event,
+ },
+ {
+ .cmd = KSMBD_EVENT_HEARTBEAT_REQUEST,
+ .doit = handle_unsupported_event,
+ },
+ {
+ .cmd = KSMBD_EVENT_STARTING_UP,
+ .doit = handle_startup_event,
+ },
+ {
+ .cmd = KSMBD_EVENT_SHUTTING_DOWN,
+ .doit = handle_unsupported_event,
+ },
+ {
+ .cmd = KSMBD_EVENT_LOGIN_REQUEST,
+ .doit = handle_unsupported_event,
+ },
+ {
+ .cmd = KSMBD_EVENT_LOGIN_RESPONSE,
+ .doit = handle_generic_event,
+ },
+ {
+ .cmd = KSMBD_EVENT_SHARE_CONFIG_REQUEST,
+ .doit = handle_unsupported_event,
+ },
+ {
+ .cmd = KSMBD_EVENT_SHARE_CONFIG_RESPONSE,
+ .doit = handle_generic_event,
+ },
+ {
+ .cmd = KSMBD_EVENT_TREE_CONNECT_REQUEST,
+ .doit = handle_unsupported_event,
+ },
+ {
+ .cmd = KSMBD_EVENT_TREE_CONNECT_RESPONSE,
+ .doit = handle_generic_event,
+ },
+ {
+ .cmd = KSMBD_EVENT_TREE_DISCONNECT_REQUEST,
+ .doit = handle_unsupported_event,
+ },
+ {
+ .cmd = KSMBD_EVENT_LOGOUT_REQUEST,
+ .doit = handle_unsupported_event,
+ },
+ {
+ .cmd = KSMBD_EVENT_RPC_REQUEST,
+ .doit = handle_unsupported_event,
+ },
+ {
+ .cmd = KSMBD_EVENT_RPC_RESPONSE,
+ .doit = handle_generic_event,
+ },
+ {
+ .cmd = KSMBD_EVENT_SPNEGO_AUTHEN_REQUEST,
+ .doit = handle_unsupported_event,
+ },
+ {
+ .cmd = KSMBD_EVENT_SPNEGO_AUTHEN_RESPONSE,
+ .doit = handle_generic_event,
+ },
+};
+
+static struct genl_family ksmbd_genl_family = {
+ .name = KSMBD_GENL_NAME,
+ .version = KSMBD_GENL_VERSION,
+ .hdrsize = 0,
+ .maxattr = KSMBD_EVENT_MAX,
+ .netnsok = true,
+ .module = THIS_MODULE,
+ .ops = ksmbd_genl_ops,
+ .n_ops = ARRAY_SIZE(ksmbd_genl_ops),
+};
+
+static void ksmbd_nl_init_fixup(void)
+{
+ int i;
+
+ for (i = 0; i < ARRAY_SIZE(ksmbd_genl_ops); i++)
+ ksmbd_genl_ops[i].validate = GENL_DONT_VALIDATE_STRICT |
+ GENL_DONT_VALIDATE_DUMP;
+
+ ksmbd_genl_family.policy = ksmbd_nl_policy;
+}
+
+static int rpc_context_flags(struct ksmbd_session *sess)
+{
+ if (user_guest(sess->user))
+ return KSMBD_RPC_RESTRICTED_CONTEXT;
+ return 0;
+}
+
+static void ipc_update_last_active(void)
+{
+ if (server_conf.ipc_timeout)
+ server_conf.ipc_last_active = jiffies;
+}
+
+static struct ksmbd_ipc_msg *ipc_msg_alloc(size_t sz)
+{
+ struct ksmbd_ipc_msg *msg;
+ size_t msg_sz = sz + sizeof(struct ksmbd_ipc_msg);
+
+ msg = ksmbd_alloc(msg_sz);
+ if (msg)
+ msg->sz = sz;
+ return msg;
+}
+
+static void ipc_msg_free(struct ksmbd_ipc_msg *msg)
+{
+ ksmbd_free(msg);
+}
+
+static void ipc_msg_handle_free(int handle)
+{
+ if (handle >= 0)
+ ksmbd_release_id(ida, handle);
+}
+
+static int handle_response(int type, void *payload, size_t sz)
+{
+ int handle = KSMBD_IPC_MSG_HANDLE(payload);
+ struct ipc_msg_table_entry *entry;
+ int ret = 0;
+
+ ipc_update_last_active();
+ down_read(&ipc_msg_table_lock);
+ hash_for_each_possible(ipc_msg_table, entry, ipc_table_hlist, handle) {
+ if (handle != entry->handle)
+ continue;
+
+ entry->response = NULL;
+ /*
+ * Response message type value should be equal to
+ * request message type + 1.
+ */
+ if (entry->type + 1 != type) {
+ ksmbd_err("Waiting for IPC type %d, got %d. Ignore.\n",
+ entry->type + 1, type);
+ }
+
+ entry->response = ksmbd_alloc(sz);
+ if (!entry->response) {
+ ret = -ENOMEM;
+ break;
+ }
+
+ memcpy(entry->response, payload, sz);
+ wake_up_interruptible(&entry->wait);
+ ret = 0;
+ break;
+ }
+ up_read(&ipc_msg_table_lock);
+
+ return ret;
+}
+
+static int ipc_server_config_on_startup(struct ksmbd_startup_request *req)
+{
+ int ret;
+
+ ksmbd_set_fd_limit(req->file_max);
+ server_conf.flags = req->flags;
+ server_conf.signing = req->signing;
+ server_conf.tcp_port = req->tcp_port;
+ server_conf.ipc_timeout = req->ipc_timeout * HZ;
+ server_conf.deadtime = req->deadtime * SMB_ECHO_INTERVAL;
+ server_conf.share_fake_fscaps = req->share_fake_fscaps;
+ ksmbd_init_domain(req->sub_auth);
+
+ if (req->smb2_max_read)
+ init_smb2_max_read_size(req->smb2_max_read);
+ if (req->smb2_max_write)
+ init_smb2_max_write_size(req->smb2_max_write);
+ if (req->smb2_max_trans)
+ init_smb2_max_trans_size(req->smb2_max_trans);
+
+ ret = ksmbd_set_netbios_name(req->netbios_name);
+ ret |= ksmbd_set_server_string(req->server_string);
+ ret |= ksmbd_set_work_group(req->work_group);
+ ret |= ksmbd_tcp_set_interfaces(KSMBD_STARTUP_CONFIG_INTERFACES(req),
+ req->ifc_list_sz);
+ if (ret) {
+ ksmbd_err("Server configuration error: %s %s %s\n",
+ req->netbios_name,
+ req->server_string,
+ req->work_group);
+ return ret;
+ }
+
+ if (req->min_prot[0]) {
+ ret = ksmbd_lookup_protocol_idx(req->min_prot);
+ if (ret >= 0)
+ server_conf.min_protocol = ret;
+ }
+ if (req->max_prot[0]) {
+ ret = ksmbd_lookup_protocol_idx(req->max_prot);
+ if (ret >= 0)
+ server_conf.max_protocol = ret;
+ }
+
+ if (server_conf.ipc_timeout)
+ schedule_delayed_work(&ipc_timer_work, server_conf.ipc_timeout);
+ return 0;
+}
+
+static int handle_startup_event(struct sk_buff *skb, struct genl_info *info)
+{
+ int ret = 0;
+
+#ifdef CONFIG_SMB_SERVER_CHECK_CAP_NET_ADMIN
+ if (!netlink_capable(skb, CAP_NET_ADMIN))
+ return -EPERM;
+#endif
+
+ if (!ksmbd_ipc_validate_version(info))
+ return -EINVAL;
+
+ if (!info->attrs[KSMBD_EVENT_STARTING_UP])
+ return -EINVAL;
+
+ mutex_lock(&startup_lock);
+ if (!ksmbd_server_configurable()) {
+ mutex_unlock(&startup_lock);
+ ksmbd_err("Server reset is in progress, can't start daemon\n");
+ return -EINVAL;
+ }
+
+ if (ksmbd_tools_pid) {
+ if (ksmbd_ipc_heartbeat_request() == 0) {
+ ret = -EINVAL;
+ goto out;
+ }
+
+ ksmbd_err("Reconnect to a new user space daemon\n");
+ } else {
+ struct ksmbd_startup_request *req;
+
+ req = nla_data(info->attrs[info->genlhdr->cmd]);
+ ret = ipc_server_config_on_startup(req);
+ if (ret)
+ goto out;
+ server_queue_ctrl_init_work();
+ }
+
+ ksmbd_tools_pid = info->snd_portid;
+ ipc_update_last_active();
+
+out:
+ mutex_unlock(&startup_lock);
+ return ret;
+}
+
+static int handle_unsupported_event(struct sk_buff *skb,
+ struct genl_info *info)
+{
+ ksmbd_err("Unknown IPC event: %d, ignore.\n", info->genlhdr->cmd);
+ return -EINVAL;
+}
+
+static int handle_generic_event(struct sk_buff *skb, struct genl_info *info)
+{
+ void *payload;
+ int sz;
+ int type = info->genlhdr->cmd;
+
+#ifdef CONFIG_SMB_SERVER_CHECK_CAP_NET_ADMIN
+ if (!netlink_capable(skb, CAP_NET_ADMIN))
+ return -EPERM;
+#endif
+
+ if (type >= KSMBD_EVENT_MAX) {
+ WARN_ON(1);
+ return -EINVAL;
+ }
+
+ if (!ksmbd_ipc_validate_version(info))
+ return -EINVAL;
+
+ if (!info->attrs[type])
+ return -EINVAL;
+
+ payload = nla_data(info->attrs[info->genlhdr->cmd]);
+ sz = nla_len(info->attrs[info->genlhdr->cmd]);
+ return handle_response(type, payload, sz);
+}
+
+static int ipc_msg_send(struct ksmbd_ipc_msg *msg)
+{
+ struct genlmsghdr *nlh;
+ struct sk_buff *skb;
+ int ret = -EINVAL;
+
+ if (!ksmbd_tools_pid)
+ return ret;
+
+ skb = genlmsg_new(msg->sz, GFP_KERNEL);
+ if (!skb)
+ return -ENOMEM;
+
+ nlh = genlmsg_put(skb, 0, 0, &ksmbd_genl_family, 0, msg->type);
+ if (!nlh)
+ goto out;
+
+ ret = nla_put(skb, msg->type, msg->sz, KSMBD_IPC_MSG_PAYLOAD(msg));
+ if (ret) {
+ genlmsg_cancel(skb, nlh);
+ goto out;
+ }
+
+ genlmsg_end(skb, nlh);
+ ret = genlmsg_unicast(&init_net, skb, ksmbd_tools_pid);
+ if (!ret)
+ ipc_update_last_active();
+ return ret;
+
+out:
+ nlmsg_free(skb);
+ return ret;
+}
+
+static void *ipc_msg_send_request(struct ksmbd_ipc_msg *msg,
+ unsigned int handle)
+{
+ struct ipc_msg_table_entry entry;
+ int ret;
+
+ if ((int)handle < 0)
+ return NULL;
+
+ entry.type = msg->type;
+ entry.response = NULL;
+ init_waitqueue_head(&entry.wait);
+
+ down_write(&ipc_msg_table_lock);
+ entry.handle = handle;
+ hash_add(ipc_msg_table, &entry.ipc_table_hlist, entry.handle);
+ up_write(&ipc_msg_table_lock);
+
+ ret = ipc_msg_send(msg);
+ if (ret)
+ goto out;
+
+ ret = wait_event_interruptible_timeout(entry.wait,
+ entry.response != NULL,
+ IPC_WAIT_TIMEOUT);
+out:
+ down_write(&ipc_msg_table_lock);
+ hash_del(&entry.ipc_table_hlist);
+ up_write(&ipc_msg_table_lock);
+ return entry.response;
+}
+
+static int ksmbd_ipc_heartbeat_request(void)
+{
+ struct ksmbd_ipc_msg *msg;
+ int ret;
+
+ msg = ipc_msg_alloc(sizeof(struct ksmbd_heartbeat));
+ if (!msg)
+ return -EINVAL;
+
+ msg->type = KSMBD_EVENT_HEARTBEAT_REQUEST;
+ ret = ipc_msg_send(msg);
+ ipc_msg_free(msg);
+ return ret;
+}
+
+struct ksmbd_login_response *ksmbd_ipc_login_request(const char *account)
+{
+ struct ksmbd_ipc_msg *msg;
+ struct ksmbd_login_request *req;
+ struct ksmbd_login_response *resp;
+
+ if (strlen(account) >= KSMBD_REQ_MAX_ACCOUNT_NAME_SZ)
+ return NULL;
+
+ msg = ipc_msg_alloc(sizeof(struct ksmbd_login_request));
+ if (!msg)
+ return NULL;
+
+ msg->type = KSMBD_EVENT_LOGIN_REQUEST;
+ req = KSMBD_IPC_MSG_PAYLOAD(msg);
+ req->handle = ksmbd_acquire_id(ida);
+ strscpy(req->account, account, KSMBD_REQ_MAX_ACCOUNT_NAME_SZ);
+
+ resp = ipc_msg_send_request(msg, req->handle);
+ ipc_msg_handle_free(req->handle);
+ ipc_msg_free(msg);
+ return resp;
+}
+
+struct ksmbd_spnego_authen_response *
+ksmbd_ipc_spnego_authen_request(const char *spnego_blob, int blob_len)
+{
+ struct ksmbd_ipc_msg *msg;
+ struct ksmbd_spnego_authen_request *req;
+ struct ksmbd_spnego_authen_response *resp;
+
+ msg = ipc_msg_alloc(sizeof(struct ksmbd_spnego_authen_request) +
+ blob_len + 1);
+ if (!msg)
+ return NULL;
+
+ msg->type = KSMBD_EVENT_SPNEGO_AUTHEN_REQUEST;
+ req = KSMBD_IPC_MSG_PAYLOAD(msg);
+ req->handle = ksmbd_acquire_id(ida);
+ req->spnego_blob_len = blob_len;
+ memcpy(req->spnego_blob, spnego_blob, blob_len);
+
+ resp = ipc_msg_send_request(msg, req->handle);
+ ipc_msg_handle_free(req->handle);
+ ipc_msg_free(msg);
+ return resp;
+}
+
+struct ksmbd_tree_connect_response *
+ksmbd_ipc_tree_connect_request(struct ksmbd_session *sess,
+ struct ksmbd_share_config *share,
+ struct ksmbd_tree_connect *tree_conn,
+ struct sockaddr *peer_addr)
+{
+ struct ksmbd_ipc_msg *msg;
+ struct ksmbd_tree_connect_request *req;
+ struct ksmbd_tree_connect_response *resp;
+
+ if (strlen(user_name(sess->user)) >= KSMBD_REQ_MAX_ACCOUNT_NAME_SZ)
+ return NULL;
+
+ if (strlen(share->name) >= KSMBD_REQ_MAX_SHARE_NAME)
+ return NULL;
+
+ msg = ipc_msg_alloc(sizeof(struct ksmbd_tree_connect_request));
+ if (!msg)
+ return NULL;
+
+ msg->type = KSMBD_EVENT_TREE_CONNECT_REQUEST;
+ req = KSMBD_IPC_MSG_PAYLOAD(msg);
+
+ req->handle = ksmbd_acquire_id(ida);
+ req->account_flags = sess->user->flags;
+ req->session_id = sess->id;
+ req->connect_id = tree_conn->id;
+ strscpy(req->account, user_name(sess->user), KSMBD_REQ_MAX_ACCOUNT_NAME_SZ);
+ strscpy(req->share, share->name, KSMBD_REQ_MAX_SHARE_NAME);
+ snprintf(req->peer_addr, sizeof(req->peer_addr), "%pIS", peer_addr);
+
+ if (peer_addr->sa_family == AF_INET6)
+ req->flags |= KSMBD_TREE_CONN_FLAG_REQUEST_IPV6;
+ if (test_session_flag(sess, CIFDS_SESSION_FLAG_SMB2))
+ req->flags |= KSMBD_TREE_CONN_FLAG_REQUEST_SMB2;
+
+ resp = ipc_msg_send_request(msg, req->handle);
+ ipc_msg_handle_free(req->handle);
+ ipc_msg_free(msg);
+ return resp;
+}
+
+int ksmbd_ipc_tree_disconnect_request(unsigned long long session_id,
+ unsigned long long connect_id)
+{
+ struct ksmbd_ipc_msg *msg;
+ struct ksmbd_tree_disconnect_request *req;
+ int ret;
+
+ msg = ipc_msg_alloc(sizeof(struct ksmbd_tree_disconnect_request));
+ if (!msg)
+ return -ENOMEM;
+
+ msg->type = KSMBD_EVENT_TREE_DISCONNECT_REQUEST;
+ req = KSMBD_IPC_MSG_PAYLOAD(msg);
+ req->session_id = session_id;
+ req->connect_id = connect_id;
+
+ ret = ipc_msg_send(msg);
+ ipc_msg_free(msg);
+ return ret;
+}
+
+int ksmbd_ipc_logout_request(const char *account)
+{
+ struct ksmbd_ipc_msg *msg;
+ struct ksmbd_logout_request *req;
+ int ret;
+
+ if (strlen(account) >= KSMBD_REQ_MAX_ACCOUNT_NAME_SZ)
+ return -EINVAL;
+
+ msg = ipc_msg_alloc(sizeof(struct ksmbd_logout_request));
+ if (!msg)
+ return -ENOMEM;
+
+ msg->type = KSMBD_EVENT_LOGOUT_REQUEST;
+ req = KSMBD_IPC_MSG_PAYLOAD(msg);
+ strscpy(req->account, account, KSMBD_REQ_MAX_ACCOUNT_NAME_SZ);
+
+ ret = ipc_msg_send(msg);
+ ipc_msg_free(msg);
+ return ret;
+}
+
+struct ksmbd_share_config_response *
+ksmbd_ipc_share_config_request(const char *name)
+{
+ struct ksmbd_ipc_msg *msg;
+ struct ksmbd_share_config_request *req;
+ struct ksmbd_share_config_response *resp;
+
+ if (strlen(name) >= KSMBD_REQ_MAX_SHARE_NAME)
+ return NULL;
+
+ msg = ipc_msg_alloc(sizeof(struct ksmbd_share_config_request));
+ if (!msg)
+ return NULL;
+
+ msg->type = KSMBD_EVENT_SHARE_CONFIG_REQUEST;
+ req = KSMBD_IPC_MSG_PAYLOAD(msg);
+ req->handle = ksmbd_acquire_id(ida);
+ strscpy(req->share_name, name, KSMBD_REQ_MAX_SHARE_NAME);
+
+ resp = ipc_msg_send_request(msg, req->handle);
+ ipc_msg_handle_free(req->handle);
+ ipc_msg_free(msg);
+ return resp;
+}
+
+struct ksmbd_rpc_command *ksmbd_rpc_open(struct ksmbd_session *sess,
+ int handle)
+{
+ struct ksmbd_ipc_msg *msg;
+ struct ksmbd_rpc_command *req;
+ struct ksmbd_rpc_command *resp;
+
+ msg = ipc_msg_alloc(sizeof(struct ksmbd_rpc_command));
+ if (!msg)
+ return NULL;
+
+ msg->type = KSMBD_EVENT_RPC_REQUEST;
+ req = KSMBD_IPC_MSG_PAYLOAD(msg);
+ req->handle = handle;
+ req->flags = ksmbd_session_rpc_method(sess, handle);
+ req->flags |= KSMBD_RPC_OPEN_METHOD;
+ req->payload_sz = 0;
+
+ resp = ipc_msg_send_request(msg, req->handle);
+ ipc_msg_free(msg);
+ return resp;
+}
+
+struct ksmbd_rpc_command *ksmbd_rpc_close(struct ksmbd_session *sess,
+ int handle)
+{
+ struct ksmbd_ipc_msg *msg;
+ struct ksmbd_rpc_command *req;
+ struct ksmbd_rpc_command *resp;
+
+ msg = ipc_msg_alloc(sizeof(struct ksmbd_rpc_command));
+ if (!msg)
+ return NULL;
+
+ msg->type = KSMBD_EVENT_RPC_REQUEST;
+ req = KSMBD_IPC_MSG_PAYLOAD(msg);
+ req->handle = handle;
+ req->flags = ksmbd_session_rpc_method(sess, handle);
+ req->flags |= KSMBD_RPC_CLOSE_METHOD;
+ req->payload_sz = 0;
+
+ resp = ipc_msg_send_request(msg, req->handle);
+ ipc_msg_free(msg);
+ return resp;
+}
+
+struct ksmbd_rpc_command *ksmbd_rpc_write(struct ksmbd_session *sess,
+ int handle,
+ void *payload,
+ size_t payload_sz)
+{
+ struct ksmbd_ipc_msg *msg;
+ struct ksmbd_rpc_command *req;
+ struct ksmbd_rpc_command *resp;
+
+ msg = ipc_msg_alloc(sizeof(struct ksmbd_rpc_command) + payload_sz + 1);
+ if (!msg)
+ return NULL;
+
+ msg->type = KSMBD_EVENT_RPC_REQUEST;
+ req = KSMBD_IPC_MSG_PAYLOAD(msg);
+ req->handle = handle;
+ req->flags = ksmbd_session_rpc_method(sess, handle);
+ req->flags |= rpc_context_flags(sess);
+ req->flags |= KSMBD_RPC_WRITE_METHOD;
+ req->payload_sz = payload_sz;
+ memcpy(req->payload, payload, payload_sz);
+
+ resp = ipc_msg_send_request(msg, req->handle);
+ ipc_msg_free(msg);
+ return resp;
+}
+
+struct ksmbd_rpc_command *ksmbd_rpc_read(struct ksmbd_session *sess,
+ int handle)
+{
+ struct ksmbd_ipc_msg *msg;
+ struct ksmbd_rpc_command *req;
+ struct ksmbd_rpc_command *resp;
+
+ msg = ipc_msg_alloc(sizeof(struct ksmbd_rpc_command));
+ if (!msg)
+ return NULL;
+
+ msg->type = KSMBD_EVENT_RPC_REQUEST;
+ req = KSMBD_IPC_MSG_PAYLOAD(msg);
+ req->handle = handle;
+ req->flags = ksmbd_session_rpc_method(sess, handle);
+ req->flags |= rpc_context_flags(sess);
+ req->flags |= KSMBD_RPC_READ_METHOD;
+ req->payload_sz = 0;
+
+ resp = ipc_msg_send_request(msg, req->handle);
+ ipc_msg_free(msg);
+ return resp;
+}
+
+struct ksmbd_rpc_command *ksmbd_rpc_ioctl(struct ksmbd_session *sess,
+ int handle,
+ void *payload,
+ size_t payload_sz)
+{
+ struct ksmbd_ipc_msg *msg;
+ struct ksmbd_rpc_command *req;
+ struct ksmbd_rpc_command *resp;
+
+ msg = ipc_msg_alloc(sizeof(struct ksmbd_rpc_command) + payload_sz + 1);
+ if (!msg)
+ return NULL;
+
+ msg->type = KSMBD_EVENT_RPC_REQUEST;
+ req = KSMBD_IPC_MSG_PAYLOAD(msg);
+ req->handle = handle;
+ req->flags = ksmbd_session_rpc_method(sess, handle);
+ req->flags |= rpc_context_flags(sess);
+ req->flags |= KSMBD_RPC_IOCTL_METHOD;
+ req->payload_sz = payload_sz;
+ memcpy(req->payload, payload, payload_sz);
+
+ resp = ipc_msg_send_request(msg, req->handle);
+ ipc_msg_free(msg);
+ return resp;
+}
+
+struct ksmbd_rpc_command *ksmbd_rpc_rap(struct ksmbd_session *sess,
+ void *payload,
+ size_t payload_sz)
+{
+ struct ksmbd_ipc_msg *msg;
+ struct ksmbd_rpc_command *req;
+ struct ksmbd_rpc_command *resp;
+
+ msg = ipc_msg_alloc(sizeof(struct ksmbd_rpc_command) + payload_sz + 1);
+ if (!msg)
+ return NULL;
+
+ msg->type = KSMBD_EVENT_RPC_REQUEST;
+ req = KSMBD_IPC_MSG_PAYLOAD(msg);
+ req->handle = ksmbd_acquire_id(ida);
+ req->flags = rpc_context_flags(sess);
+ req->flags |= KSMBD_RPC_RAP_METHOD;
+ req->payload_sz = payload_sz;
+ memcpy(req->payload, payload, payload_sz);
+
+ resp = ipc_msg_send_request(msg, req->handle);
+ ipc_msg_handle_free(req->handle);
+ ipc_msg_free(msg);
+ return resp;
+}
+
+static int __ipc_heartbeat(void)
+{
+ unsigned long delta;
+
+ if (!ksmbd_server_running())
+ return 0;
+
+ if (time_after(jiffies, server_conf.ipc_last_active)) {
+ delta = (jiffies - server_conf.ipc_last_active);
+ } else {
+ ipc_update_last_active();
+ schedule_delayed_work(&ipc_timer_work,
+ server_conf.ipc_timeout);
+ return 0;
+ }
+
+ if (delta < server_conf.ipc_timeout) {
+ schedule_delayed_work(&ipc_timer_work,
+ server_conf.ipc_timeout - delta);
+ return 0;
+ }
+
+ if (ksmbd_ipc_heartbeat_request() == 0) {
+ schedule_delayed_work(&ipc_timer_work,
+ server_conf.ipc_timeout);
+ return 0;
+ }
+
+ mutex_lock(&startup_lock);
+ WRITE_ONCE(server_conf.state, SERVER_STATE_RESETTING);
+ server_conf.ipc_last_active = 0;
+ ksmbd_tools_pid = 0;
+ ksmbd_err("No IPC daemon response for %lus\n", delta / HZ);
+ mutex_unlock(&startup_lock);
+ return -EINVAL;
+}
+
+static void ipc_timer_heartbeat(struct work_struct *w)
+{
+ if (__ipc_heartbeat())
+ server_queue_ctrl_reset_work();
+}
+
+int ksmbd_ipc_id_alloc(void)
+{
+ return ksmbd_acquire_id(ida);
+}
+
+void ksmbd_rpc_id_free(int handle)
+{
+ ksmbd_release_id(ida, handle);
+}
+
+void ksmbd_ipc_release(void)
+{
+ cancel_delayed_work_sync(&ipc_timer_work);
+ ksmbd_ida_free(ida);
+ genl_unregister_family(&ksmbd_genl_family);
+}
+
+void ksmbd_ipc_soft_reset(void)
+{
+ mutex_lock(&startup_lock);
+ ksmbd_tools_pid = 0;
+ cancel_delayed_work_sync(&ipc_timer_work);
+ mutex_unlock(&startup_lock);
+}
+
+int ksmbd_ipc_init(void)
+{
+ int ret;
+
+ ksmbd_nl_init_fixup();
+ INIT_DELAYED_WORK(&ipc_timer_work, ipc_timer_heartbeat);
+
+ ret = genl_register_family(&ksmbd_genl_family);
+ if (ret) {
+ ksmbd_err("Failed to register KSMBD netlink interface %d\n",
+ ret);
+ return ret;
+ }
+
+ ida = ksmbd_ida_alloc();
+ if (!ida)
+ return -ENOMEM;
+ return 0;
+}
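Review bot: In handle_response() the check `if (entry->type + 1 != type)` only logs "Ignore." and then falls through, so a response of the wrong type is still allocated, copied into entry->response and used to wake the waiter; bail out of the loop with an error there instead. The copy is sized purely by the sender's attribute length (handle_generic_event() passes nla_len() straight through, and the policy entries for KSMBD_EVENT_RPC_RESPONSE and KSMBD_EVENT_SPNEGO_AUTHEN_RESPONSE set no .len), while ksmbd_rpc_open()/read()/write() and the others hand the buffer back typed as struct ksmbd_rpc_command; nothing in this file checks that sz covers that struct or agrees with its payload_sz field, so please validate sz per response type before the memcpy(). In ipc_server_config_on_startup(), req->ifc_list_sz is likewise passed to ksmbd_tcp_set_interfaces() without being checked against the length of the received attribute. Separately, ksmbd_ipc_init() returns -ENOMEM when ksmbd_ida_alloc() fails without calling genl_unregister_family(), which leaves the family registered, and ipc_msg_send() unicasts into &init_net although the family sets `.netnsok = true`.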
diff --git a/fs/cifsd/transport_ipc.h b/fs/cifsd/transport_ipc.h
new file mode 100644
index 000000000000..68c003027811
--- /dev/null
+++ b/fs/cifsd/transport_ipc.h
@@ -0,0 +1,63 @@
+/* SPDX-License-Identifier: GPL-2.0-or-later */
+/*
+ * Copyright (C) 2018 Samsung Electronics Co., Ltd.
+ */
+
+#ifndef __KSMBD_TRANSPORT_IPC_H__
+#define __KSMBD_TRANSPORT_IPC_H__
+
+#include <linux/wait.h>
+#include "ksmbd_server.h" /* FIXME */
+
+#define KSMBD_IPC_MAX_PAYLOAD 4096
+
+struct ksmbd_login_response *
+ksmbd_ipc_login_request(const char *account);
+
+struct ksmbd_session;
+struct ksmbd_share_config;
+struct ksmbd_tree_connect;
+struct sockaddr;
+
+struct ksmbd_tree_connect_response *
+ksmbd_ipc_tree_connect_request(struct ksmbd_session *sess,
+ struct ksmbd_share_config *share,
+ struct ksmbd_tree_connect *tree_conn,
+ struct sockaddr *peer_addr);
+
+int ksmbd_ipc_tree_disconnect_request(unsigned long long session_id,
+ unsigned long long connect_id);
+int ksmbd_ipc_logout_request(const char *account);
+
+struct ksmbd_share_config_response *
+ksmbd_ipc_share_config_request(const char *name);
+
+struct ksmbd_spnego_authen_response *
+ksmbd_ipc_spnego_authen_request(const char *spnego_blob, int blob_len);
+
+int ksmbd_ipc_id_alloc(void);
+void ksmbd_rpc_id_free(int handle);
+
+struct ksmbd_rpc_command *ksmbd_rpc_open(struct ksmbd_session *sess,
+ int handle);
+struct ksmbd_rpc_command *ksmbd_rpc_close(struct ksmbd_session *sess,
+ int handle);
+
+struct ksmbd_rpc_command *ksmbd_rpc_write(struct ksmbd_session *sess,
+ int handle,
+ void *payload,
+ size_t payload_sz);
+struct ksmbd_rpc_command *ksmbd_rpc_read(struct ksmbd_session *sess,
+ int handle);
+struct ksmbd_rpc_command *ksmbd_rpc_ioctl(struct ksmbd_session *sess,
+ int handle,
+ void *payload,
+ size_t payload_sz);
+struct ksmbd_rpc_command *ksmbd_rpc_rap(struct ksmbd_session *sess,
+ void *payload,
+ size_t payload_sz);
+
+void ksmbd_ipc_release(void);
+void ksmbd_ipc_soft_reset(void);
+int ksmbd_ipc_init(void);
+#endif /* __KSMBD_TRANSPORT_IPC_H__ */
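Review bot: The id helpers are named inconsistently, `ksmbd_ipc_id_alloc()` versus `ksmbd_rpc_id_free()`, although both operate on the same ida in transport_ipc.c; pick one prefix for the pair. `KSMBD_IPC_MAX_PAYLOAD` is defined here, but none of the request builders in the transport_ipc.c code above (ksmbd_rpc_write(), ksmbd_rpc_ioctl(), ksmbd_rpc_rap(), ksmbd_ipc_spnego_authen_request()) bound payload_sz or blob_len by it before allocating and copying, and blob_len is a signed int where the other lengths are size_t. The `/* FIXME */` on the ksmbd_server.h include should say what needs fixing or be resolved before merge, and the `<linux/wait.h>` include looks unused by these declarations.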
diff --git a/fs/cifsd/transport_rdma.c b/fs/cifsd/transport_rdma.c
new file mode 100644
index 000000000000..1698f7ed9c2f
--- /dev/null
+++ b/fs/cifsd/transport_rdma.c
@@ -0,0 +1,2050 @@
+// SPDX-License-Identifier: GPL-2.0-or-later
+/*
+ * Copyright (C) 2017, Microsoft Corporation.
+ * Copyright (C) 2018, LG Electronics.
+ *
+ * Author(s): Long Li <longli(a)microsoft.com>,
+ * Hyunchul Lee <hyc.lee(a)gmail.com>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See
+ * the GNU General Public License for more details.
+ */
+
+#define SUBMOD_NAME "smb_direct"
+
+#include <linux/kthread.h>
+#include <linux/rwlock.h>
+#include <linux/list.h>
+#include <linux/mempool.h>
+#include <linux/highmem.h>
+#include <linux/scatterlist.h>
+#include <rdma/ib_verbs.h>
+#include <rdma/rdma_cm.h>
+#include <rdma/rw.h>
+
+#include "glob.h"
+#include "connection.h"
+#include "smb_common.h"
+#include "smbstatus.h"
+#include "buffer_pool.h"
+#include "transport_rdma.h"
+
+#define SMB_DIRECT_PORT 5445
+
+#define SMB_DIRECT_VERSION_LE cpu_to_le16(0x0100)
+
+/* SMB_DIRECT negotiation timeout in seconds */
+#define SMB_DIRECT_NEGOTIATE_TIMEOUT 120
+
+#define SMB_DIRECT_MAX_SEND_SGES 8
+#define SMB_DIRECT_MAX_RECV_SGES 1
+
+/*
+ * Default maximum number of RDMA read/write outstanding on this connection
+ * This value is possibly decreased during QP creation on hardware limit
+ */
+#define SMB_DIRECT_CM_INITIATOR_DEPTH 8
+
+/* Maximum number of retries on data transfer operations */
+#define SMB_DIRECT_CM_RETRY 6
+/* No need to retry on Receiver Not Ready since SMB_DIRECT manages credits */
+#define SMB_DIRECT_CM_RNR_RETRY 0
+
+/*
+ * User configurable initial values per SMB_DIRECT transport connection
+ * as defined in [MS-KSMBD] 3.1.1.1
+ * Those may change after a SMB_DIRECT negotiation
+ */
+/* The local peer's maximum number of credits to grant to the peer */
+static int smb_direct_receive_credit_max = 255;
+
+/* The remote peer's credit request of local peer */
+static int smb_direct_send_credit_target = 255;
+
+/* The maximum single message size can be sent to remote peer */
+static int smb_direct_max_send_size = 8192;
+
+/* The maximum fragmented upper-layer payload receive size supported */
+static int smb_direct_max_fragmented_recv_size = 1024 * 1024;
+
+/* The maximum single-message size which can be received */
+static int smb_direct_max_receive_size = 8192;
+
+static int smb_direct_max_read_write_size = 1024 * 1024;
+
+static int smb_direct_max_outstanding_rw_ops = 8;
+
+static struct smb_direct_listener {
+ struct rdma_cm_id *cm_id;
+} smb_direct_listener;
+
+
+static struct workqueue_struct *smb_direct_wq;
+
+enum smb_direct_status {
+ SMB_DIRECT_CS_NEW = 0,
+ SMB_DIRECT_CS_CONNECTED,
+ SMB_DIRECT_CS_DISCONNECTING,
+ SMB_DIRECT_CS_DISCONNECTED,
+};
+
+struct smb_direct_transport {
+ struct ksmbd_transport transport;
+
+ enum smb_direct_status status;
+ bool full_packet_received;
+ wait_queue_head_t wait_status;
+
+ struct rdma_cm_id *cm_id;
+ struct ib_cq *send_cq;
+ struct ib_cq *recv_cq;
+ struct ib_pd *pd;
+ struct ib_qp *qp;
+
+ int max_send_size;
+ int max_recv_size;
+ int max_fragmented_send_size;
+ int max_fragmented_recv_size;
+ int max_rdma_rw_size;
+
+ spinlock_t reassembly_queue_lock;
+ struct list_head reassembly_queue;
+ int reassembly_data_length;
+ int reassembly_queue_length;
+ int first_entry_offset;
+ wait_queue_head_t wait_reassembly_queue;
+
+ spinlock_t receive_credit_lock;
+ int recv_credits;
+ int count_avail_recvmsg;
+ int recv_credit_max;
+ int recv_credit_target;
+
+ spinlock_t recvmsg_queue_lock;
+ struct list_head recvmsg_queue;
+
+ spinlock_t empty_recvmsg_queue_lock;
+ struct list_head empty_recvmsg_queue;
+
+ int send_credit_target;
+ atomic_t send_credits;
+ spinlock_t lock_new_recv_credits;
+ int new_recv_credits;
+ atomic_t rw_avail_ops;
+
+ wait_queue_head_t wait_send_credits;
+ wait_queue_head_t wait_rw_avail_ops;
+
+ mempool_t *sendmsg_mempool;
+ struct kmem_cache *sendmsg_cache;
+ mempool_t *recvmsg_mempool;
+ struct kmem_cache *recvmsg_cache;
+
+ wait_queue_head_t wait_send_payload_pending;
+ atomic_t send_payload_pending;
+ wait_queue_head_t wait_send_pending;
+ atomic_t send_pending;
+
+ struct delayed_work post_recv_credits_work;
+ struct work_struct send_immediate_work;
+ struct work_struct disconnect_work;
+
+ bool negotiation_requested;
+};
+
+#define KSMBD_TRANS(t) ((struct ksmbd_transport *)&((t)->transport))
+#define SMB_DIRECT_TRANS(t) ((struct smb_direct_transport *)container_of(t, \
+ struct smb_direct_transport, transport))
+
+enum {
+ SMB_DIRECT_MSG_NEGOTIATE_REQ = 0,
+ SMB_DIRECT_MSG_DATA_TRANSFER
+};
+
+static struct ksmbd_transport_ops ksmbd_smb_direct_transport_ops;
+
+struct smb_direct_send_ctx {
+ struct list_head msg_list;
+ int wr_cnt;
+ bool need_invalidate_rkey;
+ unsigned int remote_key;
+};
+
+struct smb_direct_sendmsg {
+ struct smb_direct_transport *transport;
+ struct ib_send_wr wr;
+ struct list_head list;
+ int num_sge;
+ struct ib_sge sge[SMB_DIRECT_MAX_SEND_SGES];
+ struct ib_cqe cqe;
+ u8 packet[];
+};
+
+struct smb_direct_recvmsg {
+ struct smb_direct_transport *transport;
+ struct list_head list;
+ int type;
+ struct ib_sge sge;
+ struct ib_cqe cqe;
+ bool first_segment;
+ u8 packet[];
+};
+
+struct smb_direct_rdma_rw_msg {
+ struct smb_direct_transport *t;
+ struct ib_cqe cqe;
+ struct completion *completion;
+ struct rdma_rw_ctx rw_ctx;
+ struct sg_table sgt;
+ struct scatterlist sg_list[0];
+};
+
+#define BUFFER_NR_PAGES(buf, len) \
+ (DIV_ROUND_UP((unsigned long)(buf) + (len), PAGE_SIZE) \
+ - (unsigned long)(buf) / PAGE_SIZE)
+
+static void smb_direct_destroy_pools(struct smb_direct_transport *transport);
+static void smb_direct_post_recv_credits(struct work_struct *work);
+static int smb_direct_post_send_data(struct smb_direct_transport *t,
+ struct smb_direct_send_ctx *send_ctx,
+ struct kvec *iov, int niov, int remaining_data_length);
+
+static inline void
+*smb_direct_recvmsg_payload(struct smb_direct_recvmsg *recvmsg)
+{
+ return (void *)recvmsg->packet;
+}
+
+static inline bool is_receive_credit_post_required(int receive_credits,
+ int avail_recvmsg_count)
+{
+ return receive_credits <= (smb_direct_receive_credit_max >> 3) &&
+ avail_recvmsg_count >= (receive_credits >> 2);
+}
+
+static struct
+smb_direct_recvmsg *get_free_recvmsg(struct smb_direct_transport *t)
+{
+ struct smb_direct_recvmsg *recvmsg = NULL;
+
+ spin_lock(&t->recvmsg_queue_lock);
+ if (!list_empty(&t->recvmsg_queue)) {
+ recvmsg = list_first_entry(&t->recvmsg_queue,
+ struct smb_direct_recvmsg,
+ list);
+ list_del(&recvmsg->list);
+ }
+ spin_unlock(&t->recvmsg_queue_lock);
+ return recvmsg;
+}
+
+static void put_recvmsg(struct smb_direct_transport *t,
+ struct smb_direct_recvmsg *recvmsg)
+{
+ ib_dma_unmap_single(t->cm_id->device, recvmsg->sge.addr,
+ recvmsg->sge.length, DMA_FROM_DEVICE);
+
+ spin_lock(&t->recvmsg_queue_lock);
+ list_add(&recvmsg->list, &t->recvmsg_queue);
+ spin_unlock(&t->recvmsg_queue_lock);
+
+}
+
+static struct
+smb_direct_recvmsg *get_empty_recvmsg(struct smb_direct_transport *t)
+{
+ struct smb_direct_recvmsg *recvmsg = NULL;
+
+ spin_lock(&t->empty_recvmsg_queue_lock);
+ if (!list_empty(&t->empty_recvmsg_queue)) {
+ recvmsg = list_first_entry(
+ &t->empty_recvmsg_queue,
+ struct smb_direct_recvmsg, list);
+ list_del(&recvmsg->list);
+ }
+ spin_unlock(&t->empty_recvmsg_queue_lock);
+ return recvmsg;
+}
+
+static void put_empty_recvmsg(struct smb_direct_transport *t,
+ struct smb_direct_recvmsg *recvmsg)
+{
+ ib_dma_unmap_single(t->cm_id->device, recvmsg->sge.addr,
+ recvmsg->sge.length, DMA_FROM_DEVICE);
+
+ spin_lock(&t->empty_recvmsg_queue_lock);
+ list_add_tail(&recvmsg->list, &t->empty_recvmsg_queue);
+ spin_unlock(&t->empty_recvmsg_queue_lock);
+}
+
+static void enqueue_reassembly(struct smb_direct_transport *t,
+ struct smb_direct_recvmsg *recvmsg,
+ int data_length)
+{
+ spin_lock(&t->reassembly_queue_lock);
+ list_add_tail(&recvmsg->list, &t->reassembly_queue);
+ t->reassembly_queue_length++;
+ /*
+ * Make sure reassembly_data_length is updated after list and
+ * reassembly_queue_length are updated. On the dequeue side
+ * reassembly_data_length is checked without a lock to determine
+ * if reassembly_queue_length and list is up to date
+ */
+ virt_wmb();
+ t->reassembly_data_length += data_length;
+ spin_unlock(&t->reassembly_queue_lock);
+
+}
+
+static struct smb_direct_recvmsg *get_first_reassembly(
+ struct smb_direct_transport *t)
+{
+ if (!list_empty(&t->reassembly_queue))
+ return list_first_entry(&t->reassembly_queue,
+ struct smb_direct_recvmsg, list);
+ else
+ return NULL;
+}
+
+static void smb_direct_disconnect_rdma_work(struct work_struct *work)
+{
+ struct smb_direct_transport *t =
+ container_of(work, struct smb_direct_transport,
+ disconnect_work);
+
+ if (t->status == SMB_DIRECT_CS_CONNECTED) {
+ t->status = SMB_DIRECT_CS_DISCONNECTING;
+ rdma_disconnect(t->cm_id);
+ }
+}
+
+static void
+smb_direct_disconnect_rdma_connection(struct smb_direct_transport *t)
+{
+ queue_work(smb_direct_wq, &t->disconnect_work);
+}
+
+static void smb_direct_send_immediate_work(struct work_struct *work)
+{
+ struct smb_direct_transport *t = container_of(work,
+ struct smb_direct_transport, send_immediate_work);
+
+ if (t->status != SMB_DIRECT_CS_CONNECTED)
+ return;
+
+ smb_direct_post_send_data(t, NULL, NULL, 0, 0);
+}
+
+static struct smb_direct_transport *alloc_transport(struct rdma_cm_id *cm_id)
+{
+ struct smb_direct_transport *t;
+ struct ksmbd_conn *conn;
+
+ t = kzalloc(sizeof(*t), GFP_KERNEL);
+ if (!t)
+ return NULL;
+
+ t->cm_id = cm_id;
+ cm_id->context = t;
+
+ t->status = SMB_DIRECT_CS_NEW;
+ init_waitqueue_head(&t->wait_status);
+
+ spin_lock_init(&t->reassembly_queue_lock);
+ INIT_LIST_HEAD(&t->reassembly_queue);
+ t->reassembly_data_length = 0;
+ t->reassembly_queue_length = 0;
+ init_waitqueue_head(&t->wait_reassembly_queue);
+ init_waitqueue_head(&t->wait_send_credits);
+ init_waitqueue_head(&t->wait_rw_avail_ops);
+
+ spin_lock_init(&t->receive_credit_lock);
+ spin_lock_init(&t->recvmsg_queue_lock);
+ INIT_LIST_HEAD(&t->recvmsg_queue);
+
+ spin_lock_init(&t->empty_recvmsg_queue_lock);
+ INIT_LIST_HEAD(&t->empty_recvmsg_queue);
+
+ init_waitqueue_head(&t->wait_send_payload_pending);
+ atomic_set(&t->send_payload_pending, 0);
+ init_waitqueue_head(&t->wait_send_pending);
+ atomic_set(&t->send_pending, 0);
+
+ spin_lock_init(&t->lock_new_recv_credits);
+
+ INIT_DELAYED_WORK(&t->post_recv_credits_work,
+ smb_direct_post_recv_credits);
+ INIT_WORK(&t->send_immediate_work, smb_direct_send_immediate_work);
+ INIT_WORK(&t->disconnect_work, smb_direct_disconnect_rdma_work);
+
+ conn = ksmbd_conn_alloc();
+ if (!conn)
+ goto err;
+ conn->transport = KSMBD_TRANS(t);
+ KSMBD_TRANS(t)->conn = conn;
+ KSMBD_TRANS(t)->ops = &ksmbd_smb_direct_transport_ops;
+ return t;
+err:
+ kfree(t);
+ return NULL;
+}
+
+static void free_transport(struct smb_direct_transport *t)
+{
+ struct smb_direct_recvmsg *recvmsg;
+
+ wake_up_interruptible(&t->wait_send_credits);
+
+ ksmbd_debug(RDMA, "wait for all send posted to IB to finish\n");
+ wait_event(t->wait_send_payload_pending,
+ atomic_read(&t->send_payload_pending) == 0);
+ wait_event(t->wait_send_pending,
+ atomic_read(&t->send_pending) == 0);
+
+ cancel_work_sync(&t->disconnect_work);
+ cancel_delayed_work_sync(&t->post_recv_credits_work);
+ cancel_work_sync(&t->send_immediate_work);
+
+ if (t->qp) {
+ ib_drain_qp(t->qp);
+ ib_destroy_qp(t->qp);
+ }
+
+ ksmbd_debug(RDMA, "drain the reassembly queue\n");
+ do {
+ spin_lock(&t->reassembly_queue_lock);
+ recvmsg = get_first_reassembly(t);
+ if (recvmsg) {
+ list_del(&recvmsg->list);
+ spin_unlock(
+ &t->reassembly_queue_lock);
+ put_recvmsg(t, recvmsg);
+ } else
+ spin_unlock(&t->reassembly_queue_lock);
+ } while (recvmsg);
+ t->reassembly_data_length = 0;
+
+ if (t->send_cq)
+ ib_free_cq(t->send_cq);
+ if (t->recv_cq)
+ ib_free_cq(t->recv_cq);
+ if (t->pd)
+ ib_dealloc_pd(t->pd);
+ if (t->cm_id)
+ rdma_destroy_id(t->cm_id);
+
+ smb_direct_destroy_pools(t);
+ ksmbd_conn_free(KSMBD_TRANS(t)->conn);
+ kfree(t);
+}
+
+static struct smb_direct_sendmsg
+*smb_direct_alloc_sendmsg(struct smb_direct_transport *t)
+{
+ struct smb_direct_sendmsg *msg;
+
+ msg = mempool_alloc(t->sendmsg_mempool, GFP_KERNEL);
+ if (!msg)
+ return ERR_PTR(-ENOMEM);
+ msg->transport = t;
+ INIT_LIST_HEAD(&msg->list);
+ msg->num_sge = 0;
+ return msg;
+}
+
+static void smb_direct_free_sendmsg(struct smb_direct_transport *t,
+ struct smb_direct_sendmsg *msg)
+{
+ int i;
+
+ if (msg->num_sge > 0) {
+ ib_dma_unmap_single(t->cm_id->device,
+ msg->sge[0].addr, msg->sge[0].length,
+ DMA_TO_DEVICE);
+ for (i = 1; i < msg->num_sge; i++)
+ ib_dma_unmap_page(t->cm_id->device,
+ msg->sge[i].addr, msg->sge[i].length,
+ DMA_TO_DEVICE);
+ }
+ mempool_free(msg, t->sendmsg_mempool);
+}
+
+static int smb_direct_check_recvmsg(struct smb_direct_recvmsg *recvmsg)
+{
+ switch (recvmsg->type) {
+ case SMB_DIRECT_MSG_DATA_TRANSFER: {
+ struct smb_direct_data_transfer *req =
+ (struct smb_direct_data_transfer *) recvmsg->packet;
+ struct smb2_hdr *hdr = (struct smb2_hdr *) (recvmsg->packet
+ + le32_to_cpu(req->data_offset) - 4);
+ ksmbd_debug(RDMA,
+ "CreditGranted: %u, CreditRequested: %u, DataLength: %u, RemaingDataLength: %u, SMB: %x, Command: %u\n",
+ le16_to_cpu(req->credits_granted),
+ le16_to_cpu(req->credits_requested),
+ req->data_length, req->remaining_data_length,
+ hdr->ProtocolId, hdr->Command);
+ break;
+ }
+ case SMB_DIRECT_MSG_NEGOTIATE_REQ: {
+ struct smb_direct_negotiate_req *req =
+ (struct smb_direct_negotiate_req *)recvmsg->packet;
+ ksmbd_debug(RDMA,
+ "MinVersion: %u, MaxVersion: %u, CreditRequested: %u, MaxSendSize: %u, MaxRecvSize: %u, MaxFragmentedSize: %u\n",
+ le16_to_cpu(req->min_version),
+ le16_to_cpu(req->max_version),
+ le16_to_cpu(req->credits_requested),
+ le32_to_cpu(req->preferred_send_size),
+ le32_to_cpu(req->max_receive_size),
+ le32_to_cpu(req->max_fragmented_size));
+ if (le16_to_cpu(req->min_version) > 0x0100 ||
+ le16_to_cpu(req->max_version) < 0x0100)
+ return -EOPNOTSUPP;
+ if (le16_to_cpu(req->credits_requested) <= 0 ||
+ le32_to_cpu(req->max_receive_size) <= 128 ||
+ le32_to_cpu(req->max_fragmented_size) <=
+ 128*1024)
+ return -ECONNABORTED;
+
+ break;
+ }
+ default:
+ return -EINVAL;
+ }
+ return 0;
+}
+
+static void recv_done(struct ib_cq *cq, struct ib_wc *wc)
+{
+ struct smb_direct_recvmsg *recvmsg;
+ struct smb_direct_transport *t;
+
+ recvmsg = container_of(wc->wr_cqe, struct smb_direct_recvmsg, cqe);
+ t = recvmsg->transport;
+
+ if (wc->status != IB_WC_SUCCESS || wc->opcode != IB_WC_RECV) {
+ if (wc->status != IB_WC_WR_FLUSH_ERR) {
+ ksmbd_err("Recv error. status='%s (%d)' opcode=%d\n",
+ ib_wc_status_msg(wc->status), wc->status,
+ wc->opcode);
+ smb_direct_disconnect_rdma_connection(t);
+ }
+ put_empty_recvmsg(t, recvmsg);
+ return;
+ }
+
+ ksmbd_debug(RDMA, "Recv completed. status='%s (%d)', opcode=%d\n",
+ ib_wc_status_msg(wc->status), wc->status,
+ wc->opcode);
+
+ ib_dma_sync_single_for_cpu(wc->qp->device, recvmsg->sge.addr,
+ recvmsg->sge.length, DMA_FROM_DEVICE);
+
+ switch (recvmsg->type) {
+ case SMB_DIRECT_MSG_NEGOTIATE_REQ:
+ t->negotiation_requested = true;
+ t->full_packet_received = true;
+ wake_up_interruptible(&t->wait_status);
+ break;
+ case SMB_DIRECT_MSG_DATA_TRANSFER: {
+ struct smb_direct_data_transfer *data_transfer =
+ (struct smb_direct_data_transfer *)recvmsg->packet;
+ int data_length = le32_to_cpu(data_transfer->data_length);
+ int avail_recvmsg_count, receive_credits;
+
+ if (data_length) {
+ if (t->full_packet_received)
+ recvmsg->first_segment = true;
+
+ if (le32_to_cpu(data_transfer->remaining_data_length))
+ t->full_packet_received = false;
+ else
+ t->full_packet_received = true;
+
+ enqueue_reassembly(t, recvmsg, data_length);
+ wake_up_interruptible(&t->wait_reassembly_queue);
+
+ spin_lock(&t->receive_credit_lock);
+ receive_credits = --(t->recv_credits);
+ avail_recvmsg_count = t->count_avail_recvmsg;
+ spin_unlock(&t->receive_credit_lock);
+ } else {
+ put_empty_recvmsg(t, recvmsg);
+
+ spin_lock(&t->receive_credit_lock);
+ receive_credits = --(t->recv_credits);
+ avail_recvmsg_count = ++(t->count_avail_recvmsg);
+ spin_unlock(&t->receive_credit_lock);
+ }
+
+ t->recv_credit_target =
+ le16_to_cpu(data_transfer->credits_requested);
+ atomic_add(le16_to_cpu(data_transfer->credits_granted),
+ &t->send_credits);
+
+ if (le16_to_cpu(data_transfer->flags) &
+ SMB_DIRECT_RESPONSE_REQUESTED)
+ queue_work(smb_direct_wq, &t->send_immediate_work);
+
+ if (atomic_read(&t->send_credits) > 0)
+ wake_up_interruptible(&t->wait_send_credits);
+
+ if (is_receive_credit_post_required(receive_credits,
+ avail_recvmsg_count))
+ mod_delayed_work(smb_direct_wq,
+ &t->post_recv_credits_work, 0);
+ break;
+ }
+ default:
+ break;
+ }
+}
+
+static int smb_direct_post_recv(struct smb_direct_transport *t,
+ struct smb_direct_recvmsg *recvmsg)
+{
+ struct ib_recv_wr wr;
+ int ret;
+
+ recvmsg->sge.addr = ib_dma_map_single(t->cm_id->device,
+ recvmsg->packet, t->max_recv_size,
+ DMA_FROM_DEVICE);
+ ret = ib_dma_mapping_error(t->cm_id->device, recvmsg->sge.addr);
+ if (ret)
+ return ret;
+ recvmsg->sge.length = t->max_recv_size;
+ recvmsg->sge.lkey = t->pd->local_dma_lkey;
+ recvmsg->cqe.done = recv_done;
+
+ wr.wr_cqe = &recvmsg->cqe;
+ wr.next = NULL;
+ wr.sg_list = &recvmsg->sge;
+ wr.num_sge = 1;
+
+ ret = ib_post_recv(t->qp, &wr, NULL);
+ if (ret) {
+ ksmbd_err("Can't post recv: %d\n", ret);
+ ib_dma_unmap_single(t->cm_id->device,
+ recvmsg->sge.addr, recvmsg->sge.length,
+ DMA_FROM_DEVICE);
+ smb_direct_disconnect_rdma_connection(t);
+ return ret;
+ }
+ return ret;
+}
+
+static int smb_direct_read(struct ksmbd_transport *t, char *buf,
+ unsigned int size)
+{
+ struct smb_direct_recvmsg *recvmsg;
+ struct smb_direct_data_transfer *data_transfer;
+ int to_copy, to_read, data_read, offset;
+ u32 data_length, remaining_data_length, data_offset;
+ int rc;
+ struct smb_direct_transport *st = SMB_DIRECT_TRANS(t);
+
+again:
+ if (st->status != SMB_DIRECT_CS_CONNECTED) {
+ ksmbd_err("disconnected\n");
+ return -ENOTCONN;
+ }
+
+ /*
+ * No need to hold the reassembly queue lock all the time as we are
+ * the only one reading from the front of the queue. The transport
+ * may add more entries to the back of the queue at the same time
+ */
+ if (st->reassembly_data_length >= size) {
+ int queue_length;
+ int queue_removed = 0;
+
+ /*
+ * Need to make sure reassembly_data_length is read before
+ * reading reassembly_queue_length and calling
+ * get_first_reassembly. This call is lock free
+ * as we never read at the end of the queue which are being
+ * updated in SOFTIRQ as more data is received
+ */
+ virt_rmb();
+ queue_length = st->reassembly_queue_length;
+ data_read = 0;
+ to_read = size;
+ offset = st->first_entry_offset;
+ while (data_read < size) {
+ recvmsg = get_first_reassembly(st);
+ data_transfer = smb_direct_recvmsg_payload(recvmsg);
+ data_length = le32_to_cpu(data_transfer->data_length);
+ remaining_data_length =
+ le32_to_cpu(
+ data_transfer->remaining_data_length);
+ data_offset = le32_to_cpu(data_transfer->data_offset);
+
+ /*
+ * The upper layer expects RFC1002 length at the
+ * beginning of the payload. Return it to indicate
+ * the total length of the packet. This minimize the
+ * change to upper layer packet processing logic. This
+ * will be eventually remove when an intermediate
+ * transport layer is added
+ */
+ if (recvmsg->first_segment && size == 4) {
+ unsigned int rfc1002_len =
+ data_length + remaining_data_length;
+ *((__be32 *)buf) = cpu_to_be32(rfc1002_len);
+ data_read = 4;
+ recvmsg->first_segment = false;
+ ksmbd_debug(RDMA,
+ "returning rfc1002 length %d\n",
+ rfc1002_len);
+ goto read_rfc1002_done;
+ }
+
+ to_copy = min_t(int, data_length - offset, to_read);
+ memcpy(
+ buf + data_read,
+ (char *)data_transfer + data_offset + offset,
+ to_copy);
+
+ /* move on to the next buffer? */
+ if (to_copy == data_length - offset) {
+ queue_length--;
+ /*
+ * No need to lock if we are not at the
+ * end of the queue
+ */
+ if (queue_length)
+ list_del(&recvmsg->list);
+ else {
+ spin_lock_irq(
+ &st->reassembly_queue_lock);
+ list_del(&recvmsg->list);
+ spin_unlock_irq(
+ &st->reassembly_queue_lock);
+ }
+ queue_removed++;
+ put_recvmsg(st, recvmsg);
+ offset = 0;
+ } else
+ offset += to_copy;
+
+ to_read -= to_copy;
+ data_read += to_copy;
+ }
+
+ spin_lock_irq(&st->reassembly_queue_lock);
+ st->reassembly_data_length -= data_read;
+ st->reassembly_queue_length -= queue_removed;
+ spin_unlock_irq(&st->reassembly_queue_lock);
+
+ spin_lock(&st->receive_credit_lock);
+ st->count_avail_recvmsg += queue_removed;
+ if (is_receive_credit_post_required(st->recv_credits,
+ st->count_avail_recvmsg)) {
+ spin_unlock(&st->receive_credit_lock);
+ mod_delayed_work(smb_direct_wq,
+ &st->post_recv_credits_work, 0);
+ } else
+ spin_unlock(&st->receive_credit_lock);
+
+ st->first_entry_offset = offset;
+ ksmbd_debug(RDMA,
+ "returning to thread data_read=%d reassembly_data_length=%d first_entry_offset=%d\n",
+ data_read, st->reassembly_data_length,
+ st->first_entry_offset);
+read_rfc1002_done:
+ return data_read;
+ }
+
+ ksmbd_debug(RDMA, "wait_event on more data\n");
+ rc = wait_event_interruptible(
+ st->wait_reassembly_queue,
+ st->reassembly_data_length >= size ||
+ st->status != SMB_DIRECT_CS_CONNECTED);
+ if (rc)
+ return -EINTR;
+
+ goto again;
+}
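Review bot: recv_done() queues a SMB_DIRECT_MSG_DATA_TRANSFER message for reassembly without checking the peer-supplied data_offset and data_length against wc->byte_len, and smb_direct_read() then uses both directly in its memcpy() source, (char *)data_transfer + data_offset + offset. The receive buffer is only t->max_recv_size bytes (see smb_direct_post_recv()), so a header that claims a larger offset or length makes the copy read past the buffer. I would reject the message in recv_done(), before enqueue_reassembly(), when wc->byte_len is shorter than the fixed header or when data_offset + data_length exceeds wc->byte_len, and disconnect in that case. Two related details: data_length is held in an int in recv_done(), so values above INT_MAX turn negative, and rfc1002_len = data_length + remaining_data_length in smb_direct_read() can wrap, so both deserve an explicit upper bound as well.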
+
+static void smb_direct_post_recv_credits(struct work_struct *work)
+{
+ struct smb_direct_transport *t = container_of(work,
+ struct smb_direct_transport, post_recv_credits_work.work);
+ struct smb_direct_recvmsg *recvmsg;
+ int receive_credits, credits = 0;
+ int ret;
+ int use_free = 1;
+
+ spin_lock(&t->receive_credit_lock);
+ receive_credits = t->recv_credits;
+ spin_unlock(&t->receive_credit_lock);
+
+ if (receive_credits < t->recv_credit_target) {
+ while (true) {
+ if (use_free)
+ recvmsg = get_free_recvmsg(t);
+ else
+ recvmsg = get_empty_recvmsg(t);
+ if (!recvmsg) {
+ if (use_free) {
+ use_free = 0;
+ continue;
+ } else
+ break;
+ }
+
+ recvmsg->type = SMB_DIRECT_MSG_DATA_TRANSFER;
+ recvmsg->first_segment = false;
+
+ ret = smb_direct_post_recv(t, recvmsg);
+ if (ret) {
+ ksmbd_err("Can't post recv: %d\n", ret);
+ put_recvmsg(t, recvmsg);
+ break;
+ }
+ credits++;
+ }
+ }
+
+ spin_lock(&t->receive_credit_lock);
+ t->recv_credits += credits;
+ t->count_avail_recvmsg -= credits;
+ spin_unlock(&t->receive_credit_lock);
+
+ spin_lock(&t->lock_new_recv_credits);
+ t->new_recv_credits += credits;
+ spin_unlock(&t->lock_new_recv_credits);
+
+ if (credits)
+ queue_work(smb_direct_wq, &t->send_immediate_work);
+}
+
+static void send_done(struct ib_cq *cq, struct ib_wc *wc)
+{
+ struct smb_direct_sendmsg *sendmsg, *sibling;
+ struct smb_direct_transport *t;
+ struct list_head *pos, *prev, *end;
+
+ sendmsg = container_of(wc->wr_cqe, struct smb_direct_sendmsg, cqe);
+ t = sendmsg->transport;
+
+ ksmbd_debug(RDMA, "Send completed. status='%s (%d)', opcode=%d\n",
+ ib_wc_status_msg(wc->status), wc->status,
+ wc->opcode);
+
+ if (wc->status != IB_WC_SUCCESS || wc->opcode != IB_WC_SEND) {
+ ksmbd_err("Send error. status='%s (%d)', opcode=%d\n",
+ ib_wc_status_msg(wc->status), wc->status,
+ wc->opcode);
+ smb_direct_disconnect_rdma_connection(t);
+ }
+
+ if (sendmsg->num_sge > 1) {
+ if (atomic_dec_and_test(&t->send_payload_pending))
+ wake_up(&t->wait_send_payload_pending);
+ } else {
+ if (atomic_dec_and_test(&t->send_pending))
+ wake_up(&t->wait_send_pending);
+ }
+
+ /* iterate and free the list of messages in reverse. the list's head
+ * is invalid.
+ */
+ for (pos = &sendmsg->list, prev = pos->prev, end = sendmsg->list.next;
+ prev != end; pos = prev, prev = prev->prev) {
+ sibling = container_of(pos, struct smb_direct_sendmsg, list);
+ smb_direct_free_sendmsg(t, sibling);
+ }
+
+ sibling = container_of(pos, struct smb_direct_sendmsg, list);
+ smb_direct_free_sendmsg(t, sibling);
+}
+
+static int manage_credits_prior_sending(struct smb_direct_transport *t)
+{
+ int new_credits;
+
+ spin_lock(&t->lock_new_recv_credits);
+ new_credits = t->new_recv_credits;
+ t->new_recv_credits = 0;
+ spin_unlock(&t->lock_new_recv_credits);
+
+ return new_credits;
+}
+
+static int smb_direct_post_send(struct smb_direct_transport *t,
+ struct ib_send_wr *wr)
+{
+ int ret;
+
+ if (wr->num_sge > 1)
+ atomic_inc(&t->send_payload_pending);
+ else
+ atomic_inc(&t->send_pending);
+
+ ret = ib_post_send(t->qp, wr, NULL);
+ if (ret) {
+ ksmbd_err("failed to post send: %d\n", ret);
+ if (wr->num_sge > 1) {
+ if (atomic_dec_and_test(&t->send_payload_pending))
+ wake_up(&t->wait_send_payload_pending);
+ } else {
+ if (atomic_dec_and_test(&t->send_pending))
+ wake_up(&t->wait_send_pending);
+ }
+ smb_direct_disconnect_rdma_connection(t);
+ }
+ return ret;
+}
+
+static void smb_direct_send_ctx_init(struct smb_direct_transport *t,
+ struct smb_direct_send_ctx *send_ctx,
+ bool need_invalidate_rkey, unsigned int remote_key)
+{
+ INIT_LIST_HEAD(&send_ctx->msg_list);
+ send_ctx->wr_cnt = 0;
+ send_ctx->need_invalidate_rkey = need_invalidate_rkey;
+ send_ctx->remote_key = remote_key;
+}
+
+static int smb_direct_flush_send_list(struct smb_direct_transport *t,
+ struct smb_direct_send_ctx *send_ctx, bool is_last)
+{
+ struct smb_direct_sendmsg *first, *last;
+ int ret;
+
+ if (list_empty(&send_ctx->msg_list))
+ return 0;
+
+ first = list_first_entry(&send_ctx->msg_list,
+ struct smb_direct_sendmsg,
+ list);
+ last = list_last_entry(&send_ctx->msg_list,
+ struct smb_direct_sendmsg,
+ list);
+
+ last->wr.send_flags = IB_SEND_SIGNALED;
+ last->wr.wr_cqe = &last->cqe;
+ if (is_last && send_ctx->need_invalidate_rkey) {
+ last->wr.opcode = IB_WR_SEND_WITH_INV;
+ last->wr.ex.invalidate_rkey = send_ctx->remote_key;
+ }
+
+ ret = smb_direct_post_send(t, &first->wr);
+ if (!ret) {
+ smb_direct_send_ctx_init(t, send_ctx,
+ send_ctx->need_invalidate_rkey, send_ctx->remote_key);
+ } else {
+ atomic_add(send_ctx->wr_cnt, &t->send_credits);
+ wake_up(&t->wait_send_credits);
+ list_for_each_entry_safe(first, last, &send_ctx->msg_list,
+ list) {
+ smb_direct_free_sendmsg(t, first);
+ }
+ }
+ return ret;
+}
+
+static int wait_for_credits(struct smb_direct_transport *t,
+ wait_queue_head_t *waitq, atomic_t *credits)
+{
+ int ret;
+
+ do {
+ if (atomic_dec_return(credits) >= 0)
+ return 0;
+
+ atomic_inc(credits);
+ ret = wait_event_interruptible(*waitq,
+ atomic_read(credits) > 0 ||
+ t->status != SMB_DIRECT_CS_CONNECTED);
+
+ if (t->status != SMB_DIRECT_CS_CONNECTED)
+ return -ENOTCONN;
+ else if (ret < 0)
+ return ret;
+ } while (true);
+}
+
+static int wait_for_send_credits(struct smb_direct_transport *t,
+ struct smb_direct_send_ctx *send_ctx)
+{
+ int ret;
+
+ if (send_ctx && (send_ctx->wr_cnt >= 16 ||
+ atomic_read(&t->send_credits) <= 1)) {
+ ret = smb_direct_flush_send_list(t, send_ctx, false);
+ if (ret)
+ return ret;
+ }
+
+ return wait_for_credits(t, &t->wait_send_credits, &t->send_credits);
+}
+
+static int smb_direct_create_header(struct smb_direct_transport *t,
+ int size, int remaining_data_length,
+ struct smb_direct_sendmsg **sendmsg_out)
+{
+ struct smb_direct_sendmsg *sendmsg;
+ struct smb_direct_data_transfer *packet;
+ int header_length;
+ int ret;
+
+ sendmsg = smb_direct_alloc_sendmsg(t);
+ if (!sendmsg)
+ return -ENOMEM;
+
+ /* Fill in the packet header */
+ packet = (struct smb_direct_data_transfer *)sendmsg->packet;
+ packet->credits_requested = cpu_to_le16(t->send_credit_target);
+ packet->credits_granted = cpu_to_le16(manage_credits_prior_sending(t));
+
+ packet->flags = 0;
+ packet->reserved = 0;
+ if (!size)
+ packet->data_offset = 0;
+ else
+ packet->data_offset = cpu_to_le32(24);
+ packet->data_length = cpu_to_le32(size);
+ packet->remaining_data_length = cpu_to_le32(remaining_data_length);
+ packet->padding = 0;
+
+ ksmbd_debug(RDMA,
+ "credits_requested=%d credits_granted=%d data_offset=%d data_length=%d remaining_data_length=%d\n",
+ le16_to_cpu(packet->credits_requested),
+ le16_to_cpu(packet->credits_granted),
+ le32_to_cpu(packet->data_offset),
+ le32_to_cpu(packet->data_length),
+ le32_to_cpu(packet->remaining_data_length));
+
+ /* Map the packet to DMA */
+ header_length = sizeof(struct smb_direct_data_transfer);
+ /* If this is a packet without payload, don't send padding */
+ if (!size)
+ header_length =
+ offsetof(struct smb_direct_data_transfer, padding);
+
+ sendmsg->sge[0].addr = ib_dma_map_single(t->cm_id->device,
+ (void *)packet,
+ header_length,
+ DMA_TO_DEVICE);
+ ret = ib_dma_mapping_error(t->cm_id->device, sendmsg->sge[0].addr);
+ if (ret) {
+ smb_direct_free_sendmsg(t, sendmsg);
+ return ret;
+ }
+
+ sendmsg->num_sge = 1;
+ sendmsg->sge[0].length = header_length;
+ sendmsg->sge[0].lkey = t->pd->local_dma_lkey;
+
+ *sendmsg_out = sendmsg;
+ return 0;
+}
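Review bot: the allocation check in smb_direct_create_header(), if (!sendmsg), can never be true, because smb_direct_alloc_sendmsg() returns ERR_PTR(-ENOMEM) on failure rather than NULL. On an allocation failure the error pointer would be dereferenced at sendmsg->packet on the next line. smb_direct_send_negotiate_response() already tests IS_ERR(sendmsg); please use the same test here and return PTR_ERR(sendmsg).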
+
+static int get_sg_list(void *buf, int size,
+ struct scatterlist *sg_list, int nentries)
+{
+ bool high = is_vmalloc_addr(buf);
+ struct page *page;
+ int offset, len;
+ int i = 0;
+
+ if (nentries < BUFFER_NR_PAGES(buf, size))
+ return -EINVAL;
+
+ offset = offset_in_page(buf);
+ buf -= offset;
+ while (size > 0) {
+ len = min_t(int, PAGE_SIZE - offset, size);
+ if (high)
+ page = vmalloc_to_page(buf);
+ else
+ page = kmap_to_page(buf);
+
+ if (!sg_list)
+ return -EINVAL;
+ sg_set_page(sg_list, page, len, offset);
+ sg_list = sg_next(sg_list);
+
+ buf += PAGE_SIZE;
+ size -= len;
+ offset = 0;
+ i++;
+ }
+ return i;
+}
+
+static int get_mapped_sg_list(struct ib_device *device, void *buf, int size,
+ struct scatterlist *sg_list, int nentries,
+ enum dma_data_direction dir)
+{
+ int npages;
+
+ npages = get_sg_list(buf, size, sg_list, nentries);
+ if (npages <= 0)
+ return -EINVAL;
+ return ib_dma_map_sg(device, sg_list, npages, dir);
+}
+
+static int post_sendmsg(struct smb_direct_transport *t,
+ struct smb_direct_send_ctx *send_ctx,
+ struct smb_direct_sendmsg *msg)
+{
+ int i;
+
+ for (i = 0; i < msg->num_sge; i++)
+ ib_dma_sync_single_for_device(t->cm_id->device,
+ msg->sge[i].addr, msg->sge[i].length,
+ DMA_TO_DEVICE);
+
+ msg->cqe.done = send_done;
+ msg->wr.opcode = IB_WR_SEND;
+ msg->wr.sg_list = &msg->sge[0];
+ msg->wr.num_sge = msg->num_sge;
+ msg->wr.next = NULL;
+
+ if (send_ctx) {
+ msg->wr.wr_cqe = NULL;
+ msg->wr.send_flags = 0;
+ if (!list_empty(&send_ctx->msg_list)) {
+ struct smb_direct_sendmsg *last;
+
+ last = list_last_entry(&send_ctx->msg_list,
+ struct smb_direct_sendmsg,
+ list);
+ last->wr.next = &msg->wr;
+ }
+ list_add_tail(&msg->list, &send_ctx->msg_list);
+ send_ctx->wr_cnt++;
+ return 0;
+ }
+
+ msg->wr.wr_cqe = &msg->cqe;
+ msg->wr.send_flags = IB_SEND_SIGNALED;
+ return smb_direct_post_send(t, &msg->wr);
+}
+
+static int smb_direct_post_send_data(struct smb_direct_transport *t,
+ struct smb_direct_send_ctx *send_ctx,
+ struct kvec *iov, int niov, int remaining_data_length)
+{
+ int i, j, ret;
+ struct smb_direct_sendmsg *msg;
+ int data_length;
+ struct scatterlist sg[SMB_DIRECT_MAX_SEND_SGES-1];
+
+ ret = wait_for_send_credits(t, send_ctx);
+ if (ret)
+ return ret;
+
+ data_length = 0;
+ for (i = 0; i < niov; i++)
+ data_length += iov[i].iov_len;
+
+ ret = smb_direct_create_header(t, data_length, remaining_data_length,
+ &msg);
+ if (ret) {
+ atomic_inc(&t->send_credits);
+ return ret;
+ }
+
+ for (i = 0; i < niov; i++) {
+ struct ib_sge *sge;
+ int sg_cnt;
+
+ sg_init_table(sg, SMB_DIRECT_MAX_SEND_SGES-1);
+ sg_cnt = get_mapped_sg_list(t->cm_id->device,
+ iov[i].iov_base, iov[i].iov_len,
+ sg, SMB_DIRECT_MAX_SEND_SGES-1, DMA_TO_DEVICE);
+ if (sg_cnt <= 0) {
+ ksmbd_err("failed to map buffer\n");
+ goto err;
+ } else if (sg_cnt + msg->num_sge > SMB_DIRECT_MAX_SEND_SGES-1) {
+ ksmbd_err("buffer not fitted into sges\n");
+ ret = -E2BIG;
+ ib_dma_unmap_sg(t->cm_id->device, sg, sg_cnt,
+ DMA_TO_DEVICE);
+ goto err;
+ }
+
+ for (j = 0; j < sg_cnt; j++) {
+ sge = &msg->sge[msg->num_sge];
+ sge->addr = sg_dma_address(&sg[j]);
+ sge->length = sg_dma_len(&sg[j]);
+ sge->lkey = t->pd->local_dma_lkey;
+ msg->num_sge++;
+ }
+ }
+
+ ret = post_sendmsg(t, send_ctx, msg);
+ if (ret)
+ goto err;
+ return 0;
+err:
+ smb_direct_free_sendmsg(t, msg);
+ atomic_inc(&t->send_credits);
+ return ret;
+}
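Review bot: in smb_direct_post_send_data(), the sg_cnt <= 0 branch jumps to err without setting ret, and ret is still 0 there from the successful smb_direct_create_header() call. The function therefore frees the message, returns the send credit and reports success, so smb_direct_writev() keeps going as if the fragment had been posted. Please set ret to an error code before the goto, as the -E2BIG branch right below it does.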
+
+static int smb_direct_writev(struct ksmbd_transport *t,
+ struct kvec *iov, int niovs, int buflen,
+ bool need_invalidate, unsigned int remote_key)
+{
+ struct smb_direct_transport *st = SMB_DIRECT_TRANS(t);
+ int remaining_data_length;
+ int start, i, j;
+ int max_iov_size = st->max_send_size -
+ sizeof(struct smb_direct_data_transfer);
+ int ret;
+ struct kvec vec;
+ struct smb_direct_send_ctx send_ctx;
+
+ if (st->status != SMB_DIRECT_CS_CONNECTED) {
+ ret = -ENOTCONN;
+ goto done;
+ }
+
+ //FIXME: skip RFC1002 header..
+ buflen -= 4;
+ iov[0].iov_base += 4;
+ iov[0].iov_len -= 4;
+
+ remaining_data_length = buflen;
+ ksmbd_debug(RDMA, "Sending smb (RDMA): smb_len=%u\n", buflen);
+
+ smb_direct_send_ctx_init(st, &send_ctx, need_invalidate, remote_key);
+ start = i = 0;
+ buflen = 0;
+ while (true) {
+ buflen += iov[i].iov_len;
+ if (buflen > max_iov_size) {
+ if (i > start) {
+ remaining_data_length -=
+ (buflen-iov[i].iov_len);
+ ret = smb_direct_post_send_data(st, &send_ctx,
+ &iov[start], i-start,
+ remaining_data_length);
+ if (ret)
+ goto done;
+ } else {
+ /* iov[start] is too big, break it */
+ int nvec = (buflen+max_iov_size-1) /
+ max_iov_size;
+
+ for (j = 0; j < nvec; j++) {
+ vec.iov_base =
+ (char *)iov[start].iov_base +
+ j*max_iov_size;
+ vec.iov_len =
+ min_t(int, max_iov_size,
+ buflen - max_iov_size*j);
+ remaining_data_length -= vec.iov_len;
+ ret = smb_direct_post_send_data(st,
+ &send_ctx, &vec, 1,
+ remaining_data_length);
+ if (ret)
+ goto done;
+ }
+ i++;
+ if (i == niovs)
+ break;
+ }
+ start = i;
+ buflen = 0;
+ } else {
+ i++;
+ if (i == niovs) {
+ /* send out all remaining vecs */
+ remaining_data_length -= buflen;
+ ret = smb_direct_post_send_data(st, &send_ctx,
+ &iov[start], i-start,
+ remaining_data_length);
+ if (ret)
+ goto done;
+ break;
+ }
+ }
+ }
+
+done:
+ ret = smb_direct_flush_send_list(st, &send_ctx, true);
+
+ /*
+ * As an optimization, we don't wait for individual I/O to finish
+ * before sending the next one.
+ * Send them all and wait for pending send count to get to 0
+ * that means all the I/Os have been out and we are good to return
+ */
+
+ wait_event(st->wait_send_payload_pending,
+ atomic_read(&st->send_payload_pending) == 0);
+ return ret;
+}
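Review bot: the early exit in smb_direct_writev() for st->status != SMB_DIRECT_CS_CONNECTED jumps to done before smb_direct_send_ctx_init() has run, so smb_direct_flush_send_list() is called on an uninitialized on-stack send_ctx and list_empty() reads garbage list pointers. Either initialize send_ctx before the status check or return -ENOTCONN directly. The done label also assigns ret = smb_direct_flush_send_list(...), which overwrites whatever error brought us there; when the list is empty the flush returns 0 and a failed smb_direct_post_send_data() is reported as success. Keeping the first error and only taking the flush result when ret is 0 would fix that. Separately, the FIXME block modifies the caller's iov[0] in place, which is worth a comment in the function header if it stays.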
+
+static void read_write_done(struct ib_cq *cq, struct ib_wc *wc,
+ enum dma_data_direction dir)
+{
+ struct smb_direct_rdma_rw_msg *msg = container_of(wc->wr_cqe,
+ struct smb_direct_rdma_rw_msg, cqe);
+ struct smb_direct_transport *t = msg->t;
+
+ if (wc->status != IB_WC_SUCCESS) {
+ ksmbd_err("read/write error. opcode = %d, status = %s(%d)\n",
+ wc->opcode, ib_wc_status_msg(wc->status), wc->status);
+ smb_direct_disconnect_rdma_connection(t);
+ }
+
+ if (atomic_inc_return(&t->rw_avail_ops) > 0)
+ wake_up(&t->wait_rw_avail_ops);
+
+ rdma_rw_ctx_destroy(&msg->rw_ctx, t->qp, t->qp->port,
+ msg->sg_list, msg->sgt.nents, dir);
+ sg_free_table_chained(&msg->sgt, SG_CHUNK_SIZE);
+ complete(msg->completion);
+ kfree(msg);
+}
+
+static void read_done(struct ib_cq *cq, struct ib_wc *wc)
+{
+ read_write_done(cq, wc, DMA_FROM_DEVICE);
+}
+
+static void write_done(struct ib_cq *cq, struct ib_wc *wc)
+{
+ read_write_done(cq, wc, DMA_TO_DEVICE);
+}
+
+static int smb_direct_rdma_xmit(struct smb_direct_transport *t, void *buf,
+ int buf_len, u32 remote_key, u64 remote_offset, u32 remote_len,
+ bool is_read)
+{
+ struct smb_direct_rdma_rw_msg *msg;
+ int ret;
+ DECLARE_COMPLETION_ONSTACK(completion);
+ struct ib_send_wr *first_wr = NULL;
+
+ ret = wait_for_credits(t, &t->wait_rw_avail_ops, &t->rw_avail_ops);
+ if (ret < 0)
+ return ret;
+
+ /* TODO: mempool */
+ msg = kmalloc(offsetof(struct smb_direct_rdma_rw_msg, sg_list) +
+ sizeof(struct scatterlist) * SG_CHUNK_SIZE, GFP_KERNEL);
+ if (!msg) {
+ atomic_inc(&t->rw_avail_ops);
+ return -ENOMEM;
+ }
+
+ msg->sgt.sgl = &msg->sg_list[0];
+ ret = sg_alloc_table_chained(&msg->sgt,
+ BUFFER_NR_PAGES(buf, buf_len),
+ msg->sg_list, SG_CHUNK_SIZE);
+ if (ret) {
+ atomic_inc(&t->rw_avail_ops);
+ kfree(msg);
+ return -ENOMEM;
+ }
+
+ ret = get_sg_list(buf, buf_len, msg->sgt.sgl, msg->sgt.orig_nents);
+ if (ret <= 0) {
+ ksmbd_err("failed to get pages\n");
+ goto err;
+ }
+
+ ret = rdma_rw_ctx_init(&msg->rw_ctx, t->qp, t->qp->port,
+ msg->sg_list, BUFFER_NR_PAGES(buf, buf_len),
+ 0, remote_offset, remote_key,
+ is_read ? DMA_FROM_DEVICE : DMA_TO_DEVICE);
+ if (ret < 0) {
+ ksmbd_err("failed to init rdma_rw_ctx: %d\n", ret);
+ goto err;
+ }
+
+ msg->t = t;
+ msg->cqe.done = is_read ? read_done : write_done;
+ msg->completion = &completion;
+ first_wr = rdma_rw_ctx_wrs(&msg->rw_ctx, t->qp, t->qp->port,
+ &msg->cqe, NULL);
+
+ ret = ib_post_send(t->qp, first_wr, NULL);
+ if (ret) {
+ ksmbd_err("failed to post send wr: %d\n", ret);
+ goto err;
+ }
+
+ wait_for_completion(&completion);
+ return 0;
+
+err:
+ atomic_inc(&t->rw_avail_ops);
+ if (first_wr)
+ rdma_rw_ctx_destroy(&msg->rw_ctx, t->qp, t->qp->port,
+ msg->sg_list, msg->sgt.nents,
+ is_read ? DMA_FROM_DEVICE : DMA_TO_DEVICE);
+ sg_free_table_chained(&msg->sgt, SG_CHUNK_SIZE);
+ kfree(msg);
+ return ret;
+
+}
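Review bot: smb_direct_rdma_xmit() returns 0 unconditionally after wait_for_completion(), even when read_write_done() saw wc->status != IB_WC_SUCCESS. The completion handler logs and schedules a disconnect but has no way to hand the status back, so a failed RDMA read is reported to the caller as a successful transfer and the caller will go on to use buf. Since msg is freed inside read_write_done(), the status needs to live next to the on-stack completion, for example a small struct holding both, and be turned into an error return here. Also, remote_len is passed in but never used; if the intent is to bound buf_len by the length the client advertised, that comparison is missing, and if not, the parameter can go.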
+
+static int smb_direct_rdma_write(struct ksmbd_transport *t,
+ void *buf, unsigned int buflen,
+ u32 remote_key, u64 remote_offset,
+ u32 remote_len)
+{
+ return smb_direct_rdma_xmit(SMB_DIRECT_TRANS(t), buf, buflen,
+ remote_key, remote_offset,
+ remote_len, false);
+}
+
+static int smb_direct_rdma_read(struct ksmbd_transport *t,
+ void *buf, unsigned int buflen,
+ u32 remote_key, u64 remote_offset,
+ u32 remote_len)
+{
+ return smb_direct_rdma_xmit(SMB_DIRECT_TRANS(t), buf, buflen,
+ remote_key, remote_offset,
+ remote_len, true);
+}
+
+static void smb_direct_disconnect(struct ksmbd_transport *t)
+{
+ struct smb_direct_transport *st = SMB_DIRECT_TRANS(t);
+
+ ksmbd_debug(RDMA, "Disconnecting cm_id=%p\n", st->cm_id);
+
+ smb_direct_disconnect_rdma_connection(st);
+ wait_event_interruptible(st->wait_status,
+ st->status == SMB_DIRECT_CS_DISCONNECTED);
+ free_transport(st);
+}
+
+static int smb_direct_cm_handler(struct rdma_cm_id *cm_id,
+ struct rdma_cm_event *event)
+{
+ struct smb_direct_transport *t = cm_id->context;
+
+ ksmbd_debug(RDMA, "RDMA CM event. cm_id=%p event=%s (%d)\n",
+ cm_id, rdma_event_msg(event->event), event->event);
+
+ switch (event->event) {
+ case RDMA_CM_EVENT_ESTABLISHED: {
+ t->status = SMB_DIRECT_CS_CONNECTED;
+ wake_up_interruptible(&t->wait_status);
+ break;
+ }
+ case RDMA_CM_EVENT_DEVICE_REMOVAL:
+ case RDMA_CM_EVENT_DISCONNECTED: {
+ t->status = SMB_DIRECT_CS_DISCONNECTED;
+ wake_up_interruptible(&t->wait_status);
+ wake_up_interruptible(&t->wait_reassembly_queue);
+ wake_up(&t->wait_send_credits);
+ break;
+ }
+ case RDMA_CM_EVENT_CONNECT_ERROR: {
+ t->status = SMB_DIRECT_CS_DISCONNECTED;
+ wake_up_interruptible(&t->wait_status);
+ break;
+ }
+ default:
+ ksmbd_err("Unexpected RDMA CM event. cm_id=%p, event=%s (%d)\n",
+ cm_id, rdma_event_msg(event->event),
+ event->event);
+ break;
+ }
+ return 0;
+}
+
+static void smb_direct_qpair_handler(struct ib_event *event, void *context)
+{
+ struct smb_direct_transport *t = context;
+
+ ksmbd_debug(RDMA, "Received QP event. cm_id=%p, event=%s (%d)\n",
+ t->cm_id, ib_event_msg(event->event), event->event);
+
+ switch (event->event) {
+ case IB_EVENT_CQ_ERR:
+ case IB_EVENT_QP_FATAL:
+ smb_direct_disconnect_rdma_connection(t);
+ break;
+ default:
+ break;
+ }
+}
+
+static int smb_direct_send_negotiate_response(struct smb_direct_transport *t,
+ int failed)
+{
+ struct smb_direct_sendmsg *sendmsg;
+ struct smb_direct_negotiate_resp *resp;
+ int ret;
+
+ sendmsg = smb_direct_alloc_sendmsg(t);
+ if (IS_ERR(sendmsg))
+ return -ENOMEM;
+
+ resp = (struct smb_direct_negotiate_resp *)sendmsg->packet;
+ if (failed) {
+ memset(resp, 0, sizeof(*resp));
+ resp->min_version = cpu_to_le16(0x0100);
+ resp->max_version = cpu_to_le16(0x0100);
+ resp->status = STATUS_NOT_SUPPORTED;
+ } else {
+ resp->status = STATUS_SUCCESS;
+ resp->min_version = SMB_DIRECT_VERSION_LE;
+ resp->max_version = SMB_DIRECT_VERSION_LE;
+ resp->negotiated_version = SMB_DIRECT_VERSION_LE;
+ resp->reserved = 0;
+ resp->credits_requested =
+ cpu_to_le16(t->send_credit_target);
+ resp->credits_granted = cpu_to_le16(
+ manage_credits_prior_sending(t));
+ resp->max_readwrite_size = cpu_to_le32(t->max_rdma_rw_size);
+ resp->preferred_send_size = cpu_to_le32(t->max_send_size);
+ resp->max_receive_size = cpu_to_le32(t->max_recv_size);
+ resp->max_fragmented_size =
+ cpu_to_le32(t->max_fragmented_recv_size);
+ }
+
+ sendmsg->sge[0].addr = ib_dma_map_single(t->cm_id->device,
+ (void *)resp, sizeof(*resp), DMA_TO_DEVICE);
+ ret = ib_dma_mapping_error(t->cm_id->device,
+ sendmsg->sge[0].addr);
+ if (ret) {
+ smb_direct_free_sendmsg(t, sendmsg);
+ return ret;
+ }
+
+ sendmsg->num_sge = 1;
+ sendmsg->sge[0].length = sizeof(*resp);
+ sendmsg->sge[0].lkey = t->pd->local_dma_lkey;
+
+ ret = post_sendmsg(t, NULL, sendmsg);
+ if (ret) {
+ smb_direct_free_sendmsg(t, sendmsg);
+ return ret;
+ }
+
+ wait_event(t->wait_send_pending,
+ atomic_read(&t->send_pending) == 0);
+ return 0;
+}
+
+static int smb_direct_accept_client(struct smb_direct_transport *t)
+{
+ struct rdma_conn_param conn_param;
+ struct ib_port_immutable port_immutable;
+ u32 ird_ord_hdr[2];
+ int ret;
+
+ memset(&conn_param, 0, sizeof(conn_param));
+ conn_param.initiator_depth = min_t(u8,
+ t->cm_id->device->attrs.max_qp_rd_atom,
+ SMB_DIRECT_CM_INITIATOR_DEPTH);
+ conn_param.responder_resources = 0;
+
+ t->cm_id->device->ops.get_port_immutable(t->cm_id->device,
+ t->cm_id->port_num, &port_immutable);
+ if (port_immutable.core_cap_flags & RDMA_CORE_PORT_IWARP) {
+ ird_ord_hdr[0] = conn_param.responder_resources;
+ ird_ord_hdr[1] = 1;
+ conn_param.private_data = ird_ord_hdr;
+ conn_param.private_data_len = sizeof(ird_ord_hdr);
+ } else {
+ conn_param.private_data = NULL;
+ conn_param.private_data_len = 0;
+ }
+ conn_param.retry_count = SMB_DIRECT_CM_RETRY;
+ conn_param.rnr_retry_count = SMB_DIRECT_CM_RNR_RETRY;
+ conn_param.flow_control = 0;
+
+ ret = rdma_accept(t->cm_id, &conn_param);
+ if (ret) {
+ ksmbd_err("error at rdma_accept: %d\n", ret);
+ return ret;
+ }
+
+ wait_event_interruptible(t->wait_status,
+ t->status != SMB_DIRECT_CS_NEW);
+ if (t->status != SMB_DIRECT_CS_CONNECTED)
+ return -ENOTCONN;
+ return 0;
+}
+
+static int smb_direct_negotiate(struct smb_direct_transport *t)
+{
+ int ret;
+ struct smb_direct_recvmsg *recvmsg;
+ struct smb_direct_negotiate_req *req;
+
+ recvmsg = get_free_recvmsg(t);
+ if (!recvmsg)
+ return -ENOMEM;
+ recvmsg->type = SMB_DIRECT_MSG_NEGOTIATE_REQ;
+
+ ret = smb_direct_post_recv(t, recvmsg);
+ if (ret) {
+ ksmbd_err("Can't post recv: %d\n", ret);
+ goto out;
+ }
+
+ t->negotiation_requested = false;
+ ret = smb_direct_accept_client(t);
+ if (ret) {
+ ksmbd_err("Can't accept client\n");
+ goto out;
+ }
+
+ smb_direct_post_recv_credits(&t->post_recv_credits_work.work);
+
+ ksmbd_debug(RDMA, "Waiting for SMB_DIRECT negotiate request\n");
+ ret = wait_event_interruptible_timeout(t->wait_status,
+ t->negotiation_requested ||
+ t->status == SMB_DIRECT_CS_DISCONNECTED,
+ SMB_DIRECT_NEGOTIATE_TIMEOUT * HZ);
+ if (ret <= 0 || t->status == SMB_DIRECT_CS_DISCONNECTED) {
+ ret = ret < 0 ? ret : -ETIMEDOUT;
+ goto out;
+ }
+
+ ret = smb_direct_check_recvmsg(recvmsg);
+ if (ret == -ECONNABORTED)
+ goto out;
+
+ req = (struct smb_direct_negotiate_req *)recvmsg->packet;
+ t->max_recv_size = min_t(int, t->max_recv_size,
+ le32_to_cpu(req->preferred_send_size));
+ t->max_send_size = min_t(int, t->max_send_size,
+ le32_to_cpu(req->max_receive_size));
+ t->max_fragmented_send_size =
+ le32_to_cpu(req->max_fragmented_size);
+
+ ret = smb_direct_send_negotiate_response(t, ret);
+out:
+ if (recvmsg)
+ put_recvmsg(t, recvmsg);
+ return ret;
+}
+
+static int smb_direct_init_params(struct smb_direct_transport *t,
+ struct ib_qp_cap *cap)
+{
+ struct ib_device *device = t->cm_id->device;
+ int max_send_sges, max_pages, max_rw_wrs, max_send_wrs;
+
+ /* need 2 more sge. because a SMB_DIRECT header will be mapped,
+ * and maybe a send buffer could be not page aligned.
+ */
+ t->max_send_size = smb_direct_max_send_size;
+ max_send_sges = DIV_ROUND_UP(t->max_send_size, PAGE_SIZE) + 2;
+ if (max_send_sges > SMB_DIRECT_MAX_SEND_SGES) {
+ ksmbd_err("max_send_size %d is too large\n", t->max_send_size);
+ return -EINVAL;
+ }
+
+ /*
+ * allow smb_direct_max_outstanding_rw_ops of in-flight RDMA
+ * read/writes. HCA guarantees at least max_send_sge of sges for
+ * a RDMA read/write work request, and if memory registration is used,
+ * we need reg_mr, local_inv wrs for each read/write.
+ */
+ t->max_rdma_rw_size = smb_direct_max_read_write_size;
+ max_pages = DIV_ROUND_UP(t->max_rdma_rw_size, PAGE_SIZE) + 1;
+ max_rw_wrs = DIV_ROUND_UP(max_pages, SMB_DIRECT_MAX_SEND_SGES);
+ max_rw_wrs += rdma_rw_mr_factor(device, t->cm_id->port_num,
+ max_pages) * 2;
+ max_rw_wrs *= smb_direct_max_outstanding_rw_ops;
+
+ max_send_wrs = smb_direct_send_credit_target + max_rw_wrs;
+ if (max_send_wrs > device->attrs.max_cqe ||
+ max_send_wrs > device->attrs.max_qp_wr) {
+ ksmbd_err("consider lowering send_credit_target = %d, or max_outstanding_rw_ops = %d\n",
+ smb_direct_send_credit_target,
+ smb_direct_max_outstanding_rw_ops);
+ ksmbd_err("Possible CQE overrun, device reporting max_cqe %d max_qp_wr %d\n",
+ device->attrs.max_cqe, device->attrs.max_qp_wr);
+ return -EINVAL;
+ }
+
+ if (smb_direct_receive_credit_max > device->attrs.max_cqe ||
+ smb_direct_receive_credit_max > device->attrs.max_qp_wr) {
+ ksmbd_err("consider lowering receive_credit_max = %d\n",
+ smb_direct_receive_credit_max);
+ ksmbd_err("Possible CQE overrun, device reporting max_cpe %d max_qp_wr %d\n",
+ device->attrs.max_cqe, device->attrs.max_qp_wr);
+ return -EINVAL;
+ }
+
+ if (device->attrs.max_send_sge < SMB_DIRECT_MAX_SEND_SGES) {
+ ksmbd_err("warning: device max_send_sge = %d too small\n",
+ device->attrs.max_send_sge);
+ return -EINVAL;
+ }
+ if (device->attrs.max_recv_sge < SMB_DIRECT_MAX_RECV_SGES) {
+ ksmbd_err("warning: device max_recv_sge = %d too small\n",
+ device->attrs.max_recv_sge);
+ return -EINVAL;
+ }
+
+ t->recv_credits = 0;
+ t->count_avail_recvmsg = 0;
+
+ t->recv_credit_max = smb_direct_receive_credit_max;
+ t->recv_credit_target = 10;
+ t->new_recv_credits = 0;
+
+ t->send_credit_target = smb_direct_send_credit_target;
+ atomic_set(&t->send_credits, 0);
+ atomic_set(&t->rw_avail_ops, smb_direct_max_outstanding_rw_ops);
+
+ t->max_send_size = smb_direct_max_send_size;
+ t->max_recv_size = smb_direct_max_receive_size;
+ t->max_fragmented_recv_size = smb_direct_max_fragmented_recv_size;
+
+ cap->max_send_wr = max_send_wrs;
+ cap->max_recv_wr = t->recv_credit_max;
+ cap->max_send_sge = SMB_DIRECT_MAX_SEND_SGES;
+ cap->max_recv_sge = SMB_DIRECT_MAX_RECV_SGES;
+ cap->max_inline_data = 0;
+ cap->max_rdma_ctxs = 0;
+ return 0;
+}
+
+static void smb_direct_destroy_pools(struct smb_direct_transport *t)
+{
+ struct smb_direct_recvmsg *recvmsg;
+
+ while ((recvmsg = get_free_recvmsg(t)))
+ mempool_free(recvmsg, t->recvmsg_mempool);
+ while ((recvmsg = get_empty_recvmsg(t)))
+ mempool_free(recvmsg, t->recvmsg_mempool);
+
+ mempool_destroy(t->recvmsg_mempool);
+ t->recvmsg_mempool = NULL;
+
+ kmem_cache_destroy(t->recvmsg_cache);
+ t->recvmsg_cache = NULL;
+
+ mempool_destroy(t->sendmsg_mempool);
+ t->sendmsg_mempool = NULL;
+
+ kmem_cache_destroy(t->sendmsg_cache);
+ t->sendmsg_cache = NULL;
+}
+
+static int smb_direct_create_pools(struct smb_direct_transport *t)
+{
+ char name[80];
+ int i;
+ struct smb_direct_recvmsg *recvmsg;
+
+ snprintf(name, sizeof(name), "smb_direct_rqst_pool_%p", t);
+ t->sendmsg_cache = kmem_cache_create(name,
+ sizeof(struct smb_direct_sendmsg) +
+ sizeof(struct smb_direct_negotiate_resp),
+ 0, SLAB_HWCACHE_ALIGN, NULL);
+ if (!t->sendmsg_cache)
+ return -ENOMEM;
+
+ t->sendmsg_mempool = mempool_create(t->send_credit_target,
+ mempool_alloc_slab, mempool_free_slab,
+ t->sendmsg_cache);
+ if (!t->sendmsg_mempool)
+ goto err;
+
+ snprintf(name, sizeof(name), "smb_direct_resp_%p", t);
+ t->recvmsg_cache = kmem_cache_create(name,
+ sizeof(struct smb_direct_recvmsg) +
+ t->max_recv_size,
+ 0, SLAB_HWCACHE_ALIGN, NULL);
+ if (!t->recvmsg_cache)
+ goto err;
+
+ t->recvmsg_mempool =
+ mempool_create(t->recv_credit_max, mempool_alloc_slab,
+ mempool_free_slab, t->recvmsg_cache);
+ if (!t->recvmsg_mempool)
+ goto err;
+
+ INIT_LIST_HEAD(&t->recvmsg_queue);
+
+ for (i = 0; i < t->recv_credit_max; i++) {
+ recvmsg = mempool_alloc(t->recvmsg_mempool, GFP_KERNEL);
+ if (!recvmsg)
+ goto err;
+ recvmsg->transport = t;
+ list_add(&recvmsg->list, &t->recvmsg_queue);
+ }
+ t->count_avail_recvmsg = t->recv_credit_max;
+
+ return 0;
+err:
+ smb_direct_destroy_pools(t);
+ return -ENOMEM;
+}
+
+static int smb_direct_create_qpair(struct smb_direct_transport *t,
+ struct ib_qp_cap *cap)
+{
+ int ret;
+ struct ib_qp_init_attr qp_attr;
+
+ t->pd = ib_alloc_pd(t->cm_id->device, 0);
+ if (IS_ERR(t->pd)) {
+ ksmbd_err("Can't create RDMA PD\n");
+ ret = PTR_ERR(t->pd);
+ t->pd = NULL;
+ return ret;
+ }
+
+ t->send_cq = ib_alloc_cq(t->cm_id->device, t,
+ t->send_credit_target, 0, IB_POLL_WORKQUEUE);
+ if (IS_ERR(t->send_cq)) {
+ ksmbd_err("Can't create RDMA send CQ\n");
+ ret = PTR_ERR(t->send_cq);
+ t->send_cq = NULL;
+ goto err;
+ }
+
+ t->recv_cq = ib_alloc_cq(t->cm_id->device, t,
+ cap->max_send_wr + cap->max_rdma_ctxs,
+ 0, IB_POLL_WORKQUEUE);
+ if (IS_ERR(t->recv_cq)) {
+ ksmbd_err("Can't create RDMA recv CQ\n");
+ ret = PTR_ERR(t->recv_cq);
+ t->recv_cq = NULL;
+ goto err;
+ }
+
+ memset(&qp_attr, 0, sizeof(qp_attr));
+ qp_attr.event_handler = smb_direct_qpair_handler;
+ qp_attr.qp_context = t;
+ qp_attr.cap = *cap;
+ qp_attr.sq_sig_type = IB_SIGNAL_REQ_WR;
+ qp_attr.qp_type = IB_QPT_RC;
+ qp_attr.send_cq = t->send_cq;
+ qp_attr.recv_cq = t->recv_cq;
+ qp_attr.port_num = ~0;
+
+ ret = rdma_create_qp(t->cm_id, t->pd, &qp_attr);
+ if (ret) {
+ ksmbd_err("Can't create RDMA QP: %d\n", ret);
+ goto err;
+ }
+
+ t->qp = t->cm_id->qp;
+ t->cm_id->event_handler = smb_direct_cm_handler;
+
+ return 0;
+err:
+ if (t->qp) {
+ ib_destroy_qp(t->qp);
+ t->qp = NULL;
+ }
+ if (t->recv_cq) {
+ ib_destroy_cq(t->recv_cq);
+ t->recv_cq = NULL;
+ }
+ if (t->send_cq) {
+ ib_destroy_cq(t->send_cq);
+ t->send_cq = NULL;
+ }
+ if (t->pd) {
+ ib_dealloc_pd(t->pd);
+ t->pd = NULL;
+ }
+ return ret;
+}
+
+static int smb_direct_prepare(struct ksmbd_transport *t)
+{
+ struct smb_direct_transport *st = SMB_DIRECT_TRANS(t);
+ int ret;
+ struct ib_qp_cap qp_cap;
+
+ ret = smb_direct_init_params(st, &qp_cap);
+ if (ret) {
+ ksmbd_err("Can't configure RDMA parameters\n");
+ return ret;
+ }
+
+ ret = smb_direct_create_pools(st);
+ if (ret) {
+ ksmbd_err("Can't init RDMA pool: %d\n", ret);
+ return ret;
+ }
+
+ ret = smb_direct_create_qpair(st, &qp_cap);
+ if (ret) {
+ ksmbd_err("Can't accept RDMA client: %d\n", ret);
+ return ret;
+ }
+
+ ret = smb_direct_negotiate(st);
+ if (ret) {
+ ksmbd_err("Can't negotiate: %d\n", ret);
+ return ret;
+ }
+
+ st->status = SMB_DIRECT_CS_CONNECTED;
+ return 0;
+}
+
+static bool rdma_frwr_is_supported(struct ib_device_attr *attrs)
+{
+ if (!(attrs->device_cap_flags & IB_DEVICE_MEM_MGT_EXTENSIONS))
+ return false;
+ if (attrs->max_fast_reg_page_list_len == 0)
+ return false;
+ return true;
+}
+
+static int smb_direct_handle_connect_request(struct rdma_cm_id *new_cm_id)
+{
+ struct smb_direct_transport *t;
+
+ if (!rdma_frwr_is_supported(&new_cm_id->device->attrs)) {
+ ksmbd_debug(RDMA,
+ "Fast Registration Work Requests is not supported. device capabilities=%llx\n",
+ new_cm_id->device->attrs.device_cap_flags);
+ return -EPROTONOSUPPORT;
+ }
+
+ t = alloc_transport(new_cm_id);
+ if (!t)
+ return -ENOMEM;
+
+ KSMBD_TRANS(t)->handler = kthread_run(ksmbd_conn_handler_loop,
+ KSMBD_TRANS(t)->conn, "ksmbd:r%u", SMB_DIRECT_PORT);
+ if (IS_ERR(KSMBD_TRANS(t)->handler)) {
+ int ret = PTR_ERR(KSMBD_TRANS(t)->handler);
+
+ ksmbd_err("Can't start thread\n");
+ free_transport(t);
+ return ret;
+ }
+
+ return 0;
+}
+
+static int smb_direct_listen_handler(struct rdma_cm_id *cm_id,
+ struct rdma_cm_event *event)
+{
+ switch (event->event) {
+ case RDMA_CM_EVENT_CONNECT_REQUEST: {
+ int ret = smb_direct_handle_connect_request(cm_id);
+
+ if (ret) {
+ ksmbd_err("Can't create transport: %d\n", ret);
+ return ret;
+ }
+
+ ksmbd_debug(RDMA, "Received connection request. cm_id=%p\n",
+ cm_id);
+ break;
+ }
+ default:
+ ksmbd_err("Unexpected listen event. cm_id=%p, event=%s (%d)\n",
+ cm_id,
+ rdma_event_msg(event->event), event->event);
+ break;
+ }
+ return 0;
+}
+
+static int smb_direct_listen(int port)
+{
+ int ret;
+ struct rdma_cm_id *cm_id;
+ struct sockaddr_in sin = {
+ .sin_family = AF_INET,
+ .sin_addr.s_addr = htonl(INADDR_ANY),
+ .sin_port = htons(port),
+ };
+
+ cm_id = rdma_create_id(&init_net, smb_direct_listen_handler,
+ &smb_direct_listener, RDMA_PS_TCP, IB_QPT_RC);
+ if (IS_ERR(cm_id)) {
+ ksmbd_err("Can't create cm id: %ld\n",
+ PTR_ERR(cm_id));
+ return PTR_ERR(cm_id);
+ }
+
+ ret = rdma_bind_addr(cm_id, (struct sockaddr *)&sin);
+ if (ret) {
+ ksmbd_err("Can't bind: %d\n", ret);
+ goto err;
+ }
+
+ smb_direct_listener.cm_id = cm_id;
+
+ ret = rdma_listen(cm_id, 10);
+ if (ret) {
+ ksmbd_err("Can't listen: %d\n", ret);
+ goto err;
+ }
+ return 0;
+err:
+ smb_direct_listener.cm_id = NULL;
+ rdma_destroy_id(cm_id);
+ return ret;
+}
+
+int ksmbd_rdma_init(void)
+{
+ int ret;
+
+ smb_direct_listener.cm_id = NULL;
+
+ /* When a client is running out of send credits, the credits are
+ * granted by the server's sending a packet using this queue.
+ * This avoids the situation that a clients cannot send packets
+ * for lack of credits
+ */
+ smb_direct_wq = alloc_workqueue("ksmbd-smb_direct-wq",
+ WQ_HIGHPRI|WQ_MEM_RECLAIM, 0);
+ if (!smb_direct_wq)
+ return -ENOMEM;
+
+ ret = smb_direct_listen(SMB_DIRECT_PORT);
+ if (ret) {
+ destroy_workqueue(smb_direct_wq);
+ smb_direct_wq = NULL;
+ ksmbd_err("Can't listen: %d\n", ret);
+ return ret;
+ }
+
+ ksmbd_debug(RDMA, "init RDMA listener. cm_id=%p\n",
+ smb_direct_listener.cm_id);
+ return 0;
+}
+
+int ksmbd_rdma_destroy(void)
+{
+ if (smb_direct_listener.cm_id)
+ rdma_destroy_id(smb_direct_listener.cm_id);
+ smb_direct_listener.cm_id = NULL;
+
+ if (smb_direct_wq) {
+ flush_workqueue(smb_direct_wq);
+ destroy_workqueue(smb_direct_wq);
+ smb_direct_wq = NULL;
+ }
+ return 0;
+}
+
+static struct ksmbd_transport_ops ksmbd_smb_direct_transport_ops = {
+ .prepare = smb_direct_prepare,
+ .disconnect = smb_direct_disconnect,
+ .writev = smb_direct_writev,
+ .read = smb_direct_read,
+ .rdma_read = smb_direct_rdma_read,
+ .rdma_write = smb_direct_rdma_write,
+};
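Review bot: In smb_direct_negotiate() the sizes taken from the client's negotiate request are stored with no range check, and they are stored even when smb_direct_check_recvmsg() returned an error other than -ECONNABORTED. `min_t(int, t->max_recv_size, le32_to_cpu(req->preferred_send_size))` casts the 32-bit wire value to int, so a value with the top bit set compares as negative and becomes the new max_recv_size (the same applies to max_send_size), and max_fragmented_send_size is copied from req->max_fragmented_size unchanged. Suggest skipping the assignments when ret is non-zero, comparing as u32, and rejecting values below a sane floor before they are used for buffer sizing. Separately, in smb_direct_create_qpair() the CQ depths look swapped against the caps filled in by smb_direct_init_params(): send_cq is sized t->send_credit_target while cap->max_send_wr is send_credit_target + max_rw_wrs, and recv_cq is sized cap->max_send_wr + cap->max_rdma_ctxs while cap->max_recv_wr is t->recv_credit_max. The second "Possible CQE overrun" message also prints "max_cpe" where "max_cqe" is meant.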
diff --git a/fs/cifsd/transport_rdma.h b/fs/cifsd/transport_rdma.h
new file mode 100644
index 000000000000..da60fcec3ede
--- /dev/null
+++ b/fs/cifsd/transport_rdma.h
@@ -0,0 +1,61 @@
+/* SPDX-License-Identifier: GPL-2.0-or-later */
+/*
+ * Copyright (C) 2017, Microsoft Corporation.
+ * Copyright (C) 2018, LG Electronics.
+ */
+
+#ifndef __KSMBD_TRANSPORT_RDMA_H__
+#define __KSMBD_TRANSPORT_RDMA_H__
+
+#define SMB_DIRECT_PORT 5445
+
+/* SMB DIRECT negotiation request packet [MS-KSMBD] 2.2.1 */
+struct smb_direct_negotiate_req {
+ __le16 min_version;
+ __le16 max_version;
+ __le16 reserved;
+ __le16 credits_requested;
+ __le32 preferred_send_size;
+ __le32 max_receive_size;
+ __le32 max_fragmented_size;
+} __packed;
+
+/* SMB DIRECT negotiation response packet [MS-KSMBD] 2.2.2 */
+struct smb_direct_negotiate_resp {
+ __le16 min_version;
+ __le16 max_version;
+ __le16 negotiated_version;
+ __le16 reserved;
+ __le16 credits_requested;
+ __le16 credits_granted;
+ __le32 status;
+ __le32 max_readwrite_size;
+ __le32 preferred_send_size;
+ __le32 max_receive_size;
+ __le32 max_fragmented_size;
+} __packed;
+
+#define SMB_DIRECT_RESPONSE_REQUESTED 0x0001
+
+/* SMB DIRECT data transfer packet with payload [MS-KSMBD] 2.2.3 */
+struct smb_direct_data_transfer {
+ __le16 credits_requested;
+ __le16 credits_granted;
+ __le16 flags;
+ __le16 reserved;
+ __le32 remaining_data_length;
+ __le32 data_offset;
+ __le32 data_length;
+ __le32 padding;
+ __u8 buffer[];
+} __packed;
+
+#ifdef CONFIG_SMB_SERVER_SMBDIRECT
+int ksmbd_rdma_init(void);
+int ksmbd_rdma_destroy(void);
+#else
+static inline int ksmbd_rdma_init(void) { return 0; }
+static inline int ksmbd_rdma_destroy(void) { return 0; }
+#endif
+
+#endif /* __KSMBD_TRANSPORT_RDMA_H__ */
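Review bot: The section references in the three struct comments read "[MS-KSMBD] 2.2.1" through "2.2.3", but the SMB Direct wire format is specified in [MS-SMBD]; this looks like fallout from a global rename and should be corrected so readers can find the packet definitions. It would also help to document next to the structs that every field arrives from the peer in little-endian form and must be range-checked by the consumer, since the header is the only place the layout is described.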
diff --git a/fs/cifsd/transport_tcp.c b/fs/cifsd/transport_tcp.c
new file mode 100644
index 000000000000..60ec9b2e0370
--- /dev/null
+++ b/fs/cifsd/transport_tcp.c
@@ -0,0 +1,624 @@
+// SPDX-License-Identifier: GPL-2.0-or-later
+/*
+ * Copyright (C) 2016 Namjae Jeon <linkinjeon(a)kernel.org>
+ * Copyright (C) 2018 Samsung Electronics Co., Ltd.
+ */
+
+#include <linux/freezer.h>
+
+#include "smb_common.h"
+#include "server.h"
+#include "auth.h"
+#include "buffer_pool.h"
+#include "connection.h"
+#include "transport_tcp.h"
+
+#define IFACE_STATE_DOWN (1 << 0)
+#define IFACE_STATE_CONFIGURED (1 << 1)
+
+struct interface {
+ struct task_struct *ksmbd_kthread;
+ struct socket *ksmbd_socket;
+ struct list_head entry;
+ char *name;
+ struct mutex sock_release_lock;
+ int state;
+};
+
+static LIST_HEAD(iface_list);
+
+static int bind_additional_ifaces;
+
+struct tcp_transport {
+ struct ksmbd_transport transport;
+ struct socket *sock;
+ struct kvec *iov;
+ unsigned int nr_iov;
+};
+
+static struct ksmbd_transport_ops ksmbd_tcp_transport_ops;
+
+static void tcp_stop_kthread(struct task_struct *kthread);
+static struct interface *alloc_iface(char *ifname);
+
+#define KSMBD_TRANS(t) (&(t)->transport)
+#define TCP_TRANS(t) ((struct tcp_transport *)container_of(t, \
+ struct tcp_transport, transport))
+
+static inline void ksmbd_tcp_nodelay(struct socket *sock)
+{
+ tcp_sock_set_nodelay(sock->sk);
+}
+
+static inline void ksmbd_tcp_reuseaddr(struct socket *sock)
+{
+ sock_set_reuseaddr(sock->sk);
+}
+
+static inline void ksmbd_tcp_rcv_timeout(struct socket *sock, s64 secs)
+{
+ lock_sock(sock->sk);
+ if (secs && secs < MAX_SCHEDULE_TIMEOUT / HZ - 1)
+ sock->sk->sk_rcvtimeo = secs * HZ;
+ else
+ sock->sk->sk_rcvtimeo = MAX_SCHEDULE_TIMEOUT;
+ release_sock(sock->sk);
+}
+
+static inline void ksmbd_tcp_snd_timeout(struct socket *sock, s64 secs)
+{
+ sock_set_sndtimeo(sock->sk, secs);
+}
+
+static struct tcp_transport *alloc_transport(struct socket *client_sk)
+{
+ struct tcp_transport *t;
+ struct ksmbd_conn *conn;
+
+ t = kzalloc(sizeof(*t), GFP_KERNEL);
+ if (!t)
+ return NULL;
+ t->sock = client_sk;
+
+ conn = ksmbd_conn_alloc();
+ if (!conn) {
+ kfree(t);
+ return NULL;
+ }
+
+ conn->transport = KSMBD_TRANS(t);
+ KSMBD_TRANS(t)->conn = conn;
+ KSMBD_TRANS(t)->ops = &ksmbd_tcp_transport_ops;
+ return t;
+}
+
+static void free_transport(struct tcp_transport *t)
+{
+ kernel_sock_shutdown(t->sock, SHUT_RDWR);
+ sock_release(t->sock);
+ t->sock = NULL;
+
+ ksmbd_conn_free(KSMBD_TRANS(t)->conn);
+ kfree(t->iov);
+ kfree(t);
+}
+
+/**
+ * kvec_array_init() - initialize a IO vector segment
+ * @new: IO vector to be initialized
+ * @iov: base IO vector
+ * @nr_segs: number of segments in base iov
+ * @bytes: total iovec length so far for read
+ *
+ * Return: Number of IO segments
+ */
+static unsigned int kvec_array_init(struct kvec *new, struct kvec *iov,
+ unsigned int nr_segs, size_t bytes)
+{
+ size_t base = 0;
+
+ while (bytes || !iov->iov_len) {
+ int copy = min(bytes, iov->iov_len);
+
+ bytes -= copy;
+ base += copy;
+ if (iov->iov_len == base) {
+ iov++;
+ nr_segs--;
+ base = 0;
+ }
+ }
+
+ memcpy(new, iov, sizeof(*iov) * nr_segs);
+ new->iov_base += base;
+ new->iov_len -= base;
+ return nr_segs;
+}
+
+/**
+ * get_conn_iovec() - get connection iovec for reading from socket
+ * @t: TCP transport instance
+ * @nr_segs: number of segments in iov
+ *
+ * Return: return existing or newly allocate iovec
+ */
+static struct kvec *get_conn_iovec(struct tcp_transport *t,
+ unsigned int nr_segs)
+{
+ struct kvec *new_iov;
+
+ if (t->iov && nr_segs <= t->nr_iov)
+ return t->iov;
+
+ /* not big enough -- allocate a new one and release the old */
+ new_iov = kmalloc_array(nr_segs, sizeof(*new_iov), GFP_KERNEL);
+ if (new_iov) {
+ kfree(t->iov);
+ t->iov = new_iov;
+ t->nr_iov = nr_segs;
+ }
+ return new_iov;
+}
+
+static unsigned short ksmbd_tcp_get_port(const struct sockaddr *sa)
+{
+ switch (sa->sa_family) {
+ case AF_INET:
+ return ntohs(((struct sockaddr_in *)sa)->sin_port);
+ case AF_INET6:
+ return ntohs(((struct sockaddr_in6 *)sa)->sin6_port);
+ }
+ return 0;
+}
+
+/**
+ * ksmbd_tcp_new_connection() - create a new tcp session on mount
+ * @sock: socket associated with new connection
+ *
+ * whenever a new connection is requested, create a conn thread
+ * (session thread) to handle new incoming smb requests from the connection
+ *
+ * Return: 0 on success, otherwise error
+ */
+static int ksmbd_tcp_new_connection(struct socket *client_sk)
+{
+ struct sockaddr *csin;
+ int rc = 0;
+ struct tcp_transport *t;
+
+ t = alloc_transport(client_sk);
+ if (!t)
+ return -ENOMEM;
+
+ csin = KSMBD_TCP_PEER_SOCKADDR(KSMBD_TRANS(t)->conn);
+ if (kernel_getpeername(client_sk, csin) < 0) {
+ ksmbd_err("client ip resolution failed\n");
+ rc = -EINVAL;
+ goto out_error;
+ }
+
+ KSMBD_TRANS(t)->handler = kthread_run(ksmbd_conn_handler_loop,
+ KSMBD_TRANS(t)->conn,
+ "ksmbd:%u", ksmbd_tcp_get_port(csin));
+ if (IS_ERR(KSMBD_TRANS(t)->handler)) {
+ ksmbd_err("cannot start conn thread\n");
+ rc = PTR_ERR(KSMBD_TRANS(t)->handler);
+ free_transport(t);
+ }
+ return rc;
+
+out_error:
+ free_transport(t);
+ return rc;
+}
+
+/**
+ * ksmbd_kthread_fn() - listen to new SMB connections and callback server
+ * @p: arguments to forker thread
+ *
+ * Return: Returns a task_struct or ERR_PTR
+ */
+static int ksmbd_kthread_fn(void *p)
+{
+ struct socket *client_sk = NULL;
+ struct interface *iface = (struct interface *)p;
+ int ret;
+
+ while (!kthread_should_stop()) {
+ mutex_lock(&iface->sock_release_lock);
+ if (!iface->ksmbd_socket) {
+ mutex_unlock(&iface->sock_release_lock);
+ break;
+ }
+ ret = kernel_accept(iface->ksmbd_socket, &client_sk,
+ O_NONBLOCK);
+ mutex_unlock(&iface->sock_release_lock);
+ if (ret) {
+ if (ret == -EAGAIN)
+ /* check for new connections every 100 msecs */
+ schedule_timeout_interruptible(HZ / 10);
+ continue;
+ }
+
+ ksmbd_debug(CONN, "connect success: accepted new connection\n");
+ client_sk->sk->sk_rcvtimeo = KSMBD_TCP_RECV_TIMEOUT;
+ client_sk->sk->sk_sndtimeo = KSMBD_TCP_SEND_TIMEOUT;
+
+ ksmbd_tcp_new_connection(client_sk);
+ }
+
+ ksmbd_debug(CONN, "releasing socket\n");
+ return 0;
+}
+
+/**
+ * ksmbd_create_ksmbd_kthread() - start forker thread
+ *
+ * start forker thread(ksmbd/0) at module init time to listen
+ * on port 445 for new SMB connection requests. It creates per connection
+ * server threads(ksmbd/x)
+ *
+ * Return: 0 on success or error number
+ */
+static int ksmbd_tcp_run_kthread(struct interface *iface)
+{
+ int rc;
+ struct task_struct *kthread;
+
+ kthread = kthread_run(ksmbd_kthread_fn, (void *)iface,
+ "ksmbd-%s", iface->name);
+ if (IS_ERR(kthread)) {
+ rc = PTR_ERR(kthread);
+ return rc;
+ }
+ iface->ksmbd_kthread = kthread;
+
+ return 0;
+}
+
+/**
+ * ksmbd_tcp_readv() - read data from socket in given iovec
+ * @t: TCP transport instance
+ * @iov_orig: base IO vector
+ * @nr_segs: number of segments in base iov
+ * @to_read: number of bytes to read from socket
+ *
+ * Return: on success return number of bytes read from socket,
+ * otherwise return error number
+ */
+static int ksmbd_tcp_readv(struct tcp_transport *t,
+ struct kvec *iov_orig,
+ unsigned int nr_segs,
+ unsigned int to_read)
+{
+ int length = 0;
+ int total_read;
+ unsigned int segs;
+ struct msghdr ksmbd_msg;
+ struct kvec *iov;
+ struct ksmbd_conn *conn = KSMBD_TRANS(t)->conn;
+
+ iov = get_conn_iovec(t, nr_segs);
+ if (!iov)
+ return -ENOMEM;
+
+ ksmbd_msg.msg_control = NULL;
+ ksmbd_msg.msg_controllen = 0;
+
+ for (total_read = 0; to_read; total_read += length, to_read -= length) {
+ try_to_freeze();
+
+ if (!ksmbd_conn_alive(conn)) {
+ total_read = -ESHUTDOWN;
+ break;
+ }
+ segs = kvec_array_init(iov, iov_orig, nr_segs, total_read);
+
+ length = kernel_recvmsg(t->sock, &ksmbd_msg,
+ iov, segs, to_read, 0);
+
+ if (length == -EINTR) {
+ total_read = -ESHUTDOWN;
+ break;
+ } else if (conn->status == KSMBD_SESS_NEED_RECONNECT) {
+ total_read = -EAGAIN;
+ break;
+ } else if (length == -ERESTARTSYS || length == -EAGAIN) {
+ usleep_range(1000, 2000);
+ length = 0;
+ continue;
+ } else if (length <= 0) {
+ total_read = -EAGAIN;
+ break;
+ }
+ }
+ return total_read;
+}
+
+/**
+ * ksmbd_tcp_read() - read data from socket in given buffer
+ * @t: TCP transport instance
+ * @buf: buffer to store read data from socket
+ * @to_read: number of bytes to read from socket
+ *
+ * Return: on success return number of bytes read from socket,
+ * otherwise return error number
+ */
+static int ksmbd_tcp_read(struct ksmbd_transport *t,
+ char *buf,
+ unsigned int to_read)
+{
+ struct kvec iov;
+
+ iov.iov_base = buf;
+ iov.iov_len = to_read;
+
+ return ksmbd_tcp_readv(TCP_TRANS(t), &iov, 1, to_read);
+}
+
+static int ksmbd_tcp_writev(struct ksmbd_transport *t,
+ struct kvec *iov, int nvecs, int size,
+ bool need_invalidate, unsigned int remote_key)
+
+{
+ struct msghdr smb_msg = {.msg_flags = MSG_NOSIGNAL};
+
+ return kernel_sendmsg(TCP_TRANS(t)->sock, &smb_msg, iov, nvecs, size);
+}
+
+static void ksmbd_tcp_disconnect(struct ksmbd_transport *t)
+{
+ free_transport(TCP_TRANS(t));
+}
+
+static void tcp_destroy_socket(struct socket *ksmbd_socket)
+{
+ int ret;
+
+ if (!ksmbd_socket)
+ return;
+
+ /* set zero to timeout */
+ ksmbd_tcp_rcv_timeout(ksmbd_socket, 0);
+ ksmbd_tcp_snd_timeout(ksmbd_socket, 0);
+
+ ret = kernel_sock_shutdown(ksmbd_socket, SHUT_RDWR);
+ if (ret)
+ ksmbd_err("Failed to shutdown socket: %d\n", ret);
+ else
+ sock_release(ksmbd_socket);
+}
+
+/**
+ * create_socket - create socket for ksmbd/0
+ *
+ * Return: Returns a task_struct or ERR_PTR
+ */
+static int create_socket(struct interface *iface)
+{
+ int ret;
+ struct sockaddr_in6 sin6;
+ struct sockaddr_in sin;
+ struct socket *ksmbd_socket;
+ bool ipv4 = false;
+
+ ret = sock_create(PF_INET6, SOCK_STREAM, IPPROTO_TCP, &ksmbd_socket);
+ if (ret) {
+ ksmbd_err("Can't create socket for ipv6, try ipv4: %d\n", ret);
+ ret = sock_create(PF_INET, SOCK_STREAM, IPPROTO_TCP,
+ &ksmbd_socket);
+ if (ret) {
+ ksmbd_err("Can't create socket for ipv4: %d\n", ret);
+ goto out_error;
+ }
+
+ sin.sin_family = PF_INET;
+ sin.sin_addr.s_addr = htonl(INADDR_ANY);
+ sin.sin_port = htons(server_conf.tcp_port);
+ ipv4 = true;
+ } else {
+ sin6.sin6_family = PF_INET6;
+ sin6.sin6_addr = in6addr_any;
+ sin6.sin6_port = htons(server_conf.tcp_port);
+ }
+
+ ksmbd_tcp_nodelay(ksmbd_socket);
+ ksmbd_tcp_reuseaddr(ksmbd_socket);
+
+ ret = sock_setsockopt(ksmbd_socket,
+ SOL_SOCKET,
+ SO_BINDTODEVICE,
+ KERNEL_SOCKPTR(iface->name),
+ strlen(iface->name));
+ if (ret != -ENODEV && ret < 0) {
+ ksmbd_err("Failed to set SO_BINDTODEVICE: %d\n", ret);
+ goto out_error;
+ }
+
+ if (ipv4)
+ ret = kernel_bind(ksmbd_socket, (struct sockaddr *)&sin,
+ sizeof(sin));
+ else
+ ret = kernel_bind(ksmbd_socket, (struct sockaddr *)&sin6,
+ sizeof(sin6));
+ if (ret) {
+ ksmbd_err("Failed to bind socket: %d\n", ret);
+ goto out_error;
+ }
+
+ ksmbd_socket->sk->sk_rcvtimeo = KSMBD_TCP_RECV_TIMEOUT;
+ ksmbd_socket->sk->sk_sndtimeo = KSMBD_TCP_SEND_TIMEOUT;
+
+ ret = kernel_listen(ksmbd_socket, KSMBD_SOCKET_BACKLOG);
+ if (ret) {
+ ksmbd_err("Port listen() error: %d\n", ret);
+ goto out_error;
+ }
+
+ iface->ksmbd_socket = ksmbd_socket;
+ ret = ksmbd_tcp_run_kthread(iface);
+ if (ret) {
+ ksmbd_err("Can't start ksmbd main kthread: %d\n", ret);
+ goto out_error;
+ }
+ iface->state = IFACE_STATE_CONFIGURED;
+
+ return 0;
+
+out_error:
+ tcp_destroy_socket(ksmbd_socket);
+ iface->ksmbd_socket = NULL;
+ return ret;
+}
+
+static int ksmbd_netdev_event(struct notifier_block *nb, unsigned long event,
+ void *ptr)
+{
+ struct net_device *netdev = netdev_notifier_info_to_dev(ptr);
+ struct interface *iface;
+ int ret, found = 0;
+
+ switch (event) {
+ case NETDEV_UP:
+ if (netdev->priv_flags & IFF_BRIDGE_PORT)
+ return NOTIFY_OK;
+
+ list_for_each_entry(iface, &iface_list, entry) {
+ if (!strcmp(iface->name, netdev->name)) {
+ found = 1;
+ if (iface->state != IFACE_STATE_DOWN)
+ break;
+ ret = create_socket(iface);
+ if (ret)
+ return NOTIFY_OK;
+ break;
+ }
+ }
+ if (!found && bind_additional_ifaces) {
+ iface = alloc_iface(kstrdup(netdev->name, GFP_KERNEL));
+ if (!iface)
+ return NOTIFY_OK;
+ ret = create_socket(iface);
+ if (ret)
+ break;
+ }
+ break;
+ case NETDEV_DOWN:
+ list_for_each_entry(iface, &iface_list, entry) {
+ if (!strcmp(iface->name, netdev->name) &&
+ iface->state == IFACE_STATE_CONFIGURED) {
+ tcp_stop_kthread(iface->ksmbd_kthread);
+ iface->ksmbd_kthread = NULL;
+ mutex_lock(&iface->sock_release_lock);
+ tcp_destroy_socket(iface->ksmbd_socket);
+ iface->ksmbd_socket = NULL;
+ mutex_unlock(&iface->sock_release_lock);
+
+ iface->state = IFACE_STATE_DOWN;
+ break;
+ }
+ }
+ break;
+ }
+
+ return NOTIFY_DONE;
+
+}
+
+static struct notifier_block ksmbd_netdev_notifier = {
+ .notifier_call = ksmbd_netdev_event,
+};
+
+int ksmbd_tcp_init(void)
+{
+ register_netdevice_notifier(&ksmbd_netdev_notifier);
+
+ return 0;
+}
+
+static void tcp_stop_kthread(struct task_struct *kthread)
+{
+ int ret;
+
+ if (!kthread)
+ return;
+
+ ret = kthread_stop(kthread);
+ if (ret)
+ ksmbd_err("failed to stop forker thread\n");
+}
+
+void ksmbd_tcp_destroy(void)
+{
+ struct interface *iface, *tmp;
+
+ unregister_netdevice_notifier(&ksmbd_netdev_notifier);
+
+ list_for_each_entry_safe(iface, tmp, &iface_list, entry) {
+ list_del(&iface->entry);
+ kfree(iface->name);
+ ksmbd_free(iface);
+ }
+}
+
+static struct interface *alloc_iface(char *ifname)
+{
+ struct interface *iface;
+
+ if (!ifname)
+ return NULL;
+
+ iface = ksmbd_alloc(sizeof(struct interface));
+ if (!iface) {
+ kfree(ifname);
+ return NULL;
+ }
+
+ iface->name = ifname;
+ iface->state = IFACE_STATE_DOWN;
+ list_add(&iface->entry, &iface_list);
+ mutex_init(&iface->sock_release_lock);
+ return iface;
+}
+
+int ksmbd_tcp_set_interfaces(char *ifc_list, int ifc_list_sz)
+{
+ int sz = 0;
+
+ if (!ifc_list_sz) {
+ struct net_device *netdev;
+
+ rtnl_lock();
+ for_each_netdev(&init_net, netdev) {
+ if (netdev->priv_flags & IFF_BRIDGE_PORT)
+ continue;
+ if (!alloc_iface(kstrdup(netdev->name, GFP_KERNEL)))
+ return -ENOMEM;
+ }
+ rtnl_unlock();
+ bind_additional_ifaces = 1;
+ return 0;
+ }
+
+ while (ifc_list_sz > 0) {
+ if (!alloc_iface(kstrdup(ifc_list, GFP_KERNEL)))
+ return -ENOMEM;
+
+ sz = strlen(ifc_list);
+ if (!sz)
+ break;
+
+ ifc_list += sz + 1;
+ ifc_list_sz -= (sz + 1);
+ }
+
+ bind_additional_ifaces = 0;
+
+ return 0;
+}
+
+static struct ksmbd_transport_ops ksmbd_tcp_transport_ops = {
+ .read = ksmbd_tcp_read,
+ .writev = ksmbd_tcp_writev,
+ .disconnect = ksmbd_tcp_disconnect,
+};
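Review bot: ksmbd_tcp_set_interfaces() returns with the RTNL lock still held when alloc_iface() fails inside the for_each_netdev() loop: `return -ENOMEM;` sits between rtnl_lock() and rtnl_unlock(), so an allocation failure leaves the lock held. Suggest setting an error code, breaking out of the loop, and returning after rtnl_unlock(). Two resource leaks are also visible on the connection path: ksmbd_kthread_fn() ignores the return value of ksmbd_tcp_new_connection(), and when alloc_transport() fails there the accepted client_sk is never released; tcp_destroy_socket() skips sock_release() when kernel_sock_shutdown() returns an error. In create_socket(), ksmbd_socket is declared without an initializer and is passed to tcp_destroy_socket() from out_error after both sock_create() calls have failed, so it should start as NULL. The kernel-doc for create_socket() and ksmbd_kthread_fn() says "Returns a task_struct or ERR_PTR" although both return int.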
diff --git a/fs/cifsd/transport_tcp.h b/fs/cifsd/transport_tcp.h
new file mode 100644
index 000000000000..e338bebe322f
--- /dev/null
+++ b/fs/cifsd/transport_tcp.h
@@ -0,0 +1,13 @@
+/* SPDX-License-Identifier: GPL-2.0-or-later */
+/*
+ * Copyright (C) 2018 Samsung Electronics Co., Ltd.
+ */
+
+#ifndef __KSMBD_TRANSPORT_TCP_H__
+#define __KSMBD_TRANSPORT_TCP_H__
+
+int ksmbd_tcp_set_interfaces(char *ifc_list, int ifc_list_sz);
+int ksmbd_tcp_init(void);
+void ksmbd_tcp_destroy(void);
+
+#endif /* __KSMBD_TRANSPORT_TCP_H__ */
From patchwork Mon Nov 14 12:48:31 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Jason Yan <yanaijie(a)huawei.com>
X-Patchwork-Id: 183100
Return-Path: <yanaijie(a)huawei.com>
From: Jason Yan <yanaijie(a)huawei.com>
To: <yanaijie(a)huawei.com>, <zhengzengkai(a)huawei.com>, <xiexiuqi(a)huawei.com>,
<yi.zhang(a)huawei.com>, <patchwork(a)huawei.com>, <kernel.openeuler(a)huawei.com>,
<houtao1(a)huawei.com>
Subject: [PATCH OLK-5.10 v2 002/308] cifsd: add server-side procedures for
SMB3
Date: Mon, 14 Nov 2022 20:48:31 +0800
Message-ID: <20221114125337.1831594-3-yanaijie(a)huawei.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20221114125337.1831594-1-yanaijie(a)huawei.com>
References: <20221114125337.1831594-1-yanaijie(a)huawei.com>
Content-Type: text/plain
From: Namjae Jeon <namjae.jeon(a)samsung.com>
mainline inclusion
from mainline-5.15-rc1
commit e2f34481b24db2fd634b5edb0a5bd0e4d38cc6e9
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G
CVE: NA
Reference: https://git.kernel.org/torvalds/linux/c/e2f34481b24d
-------------------------------
This adds smb3 engine, NTLM/NTLMv2/Kerberos authentication, oplock/lease
cache mechanism for cifsd.
Signed-off-by: Namjae Jeon <namjae.jeon(a)samsung.com>
Signed-off-by: Sergey Senozhatsky <sergey.senozhatsky(a)gmail.com>
Signed-off-by: Hyunchul Lee <hyc.lee(a)gmail.com>
Acked-by: Ronnie Sahlberg <lsahlber(a)redhat.com>
Signed-off-by: Steve French <stfrench(a)microsoft.com>
Signed-off-by: Jason Yan <yanaijie(a)huawei.com>
---
fs/cifsd/asn1.c | 702 +++
fs/cifsd/asn1.h | 29 +
fs/cifsd/auth.c | 1348 ++++++
fs/cifsd/auth.h | 90 +
fs/cifsd/crypto_ctx.c | 287 ++
fs/cifsd/crypto_ctx.h | 77 +
fs/cifsd/mgmt/ksmbd_ida.c | 69 +
fs/cifsd/mgmt/ksmbd_ida.h | 41 +
fs/cifsd/mgmt/share_config.c | 239 +
fs/cifsd/mgmt/share_config.h | 83 +
fs/cifsd/mgmt/tree_connect.c | 129 +
fs/cifsd/mgmt/tree_connect.h | 56 +
fs/cifsd/mgmt/user_config.c | 70 +
fs/cifsd/mgmt/user_config.h | 67 +
fs/cifsd/mgmt/user_session.c | 345 ++
fs/cifsd/mgmt/user_session.h | 105 +
fs/cifsd/misc.c | 293 ++
fs/cifsd/misc.h | 38 +
fs/cifsd/ndr.c | 344 ++
fs/cifsd/ndr.h | 21 +
fs/cifsd/netmisc.c | 46 +
fs/cifsd/nterr.c | 674 +++
fs/cifsd/nterr.h | 552 +++
fs/cifsd/ntlmssp.h | 169 +
fs/cifsd/oplock.c | 1693 +++++++
fs/cifsd/oplock.h | 138 +
fs/cifsd/smb2misc.c | 458 ++
fs/cifsd/smb2ops.c | 300 ++
fs/cifsd/smb2pdu.c | 8486 ++++++++++++++++++++++++++++++++++
fs/cifsd/smb2pdu.h | 1649 +++++++
fs/cifsd/smb_common.c | 668 +++
fs/cifsd/smb_common.h | 546 +++
fs/cifsd/smbacl.c | 1309 ++++++
fs/cifsd/smbacl.h | 202 +
fs/cifsd/smberr.h | 235 +
fs/cifsd/smbfsctl.h | 90 +
fs/cifsd/smbstatus.h | 1822 ++++++++
fs/cifsd/time_wrappers.h | 34 +
fs/cifsd/unicode.c | 391 ++
fs/cifsd/unicode.h | 374 ++
fs/cifsd/uniupr.h | 268 ++
41 files changed, 24537 insertions(+)
create mode 100644 fs/cifsd/asn1.c
create mode 100644 fs/cifsd/asn1.h
create mode 100644 fs/cifsd/auth.c
create mode 100644 fs/cifsd/auth.h
create mode 100644 fs/cifsd/crypto_ctx.c
create mode 100644 fs/cifsd/crypto_ctx.h
create mode 100644 fs/cifsd/mgmt/ksmbd_ida.c
create mode 100644 fs/cifsd/mgmt/ksmbd_ida.h
create mode 100644 fs/cifsd/mgmt/share_config.c
create mode 100644 fs/cifsd/mgmt/share_config.h
create mode 100644 fs/cifsd/mgmt/tree_connect.c
create mode 100644 fs/cifsd/mgmt/tree_connect.h
create mode 100644 fs/cifsd/mgmt/user_config.c
create mode 100644 fs/cifsd/mgmt/user_config.h
create mode 100644 fs/cifsd/mgmt/user_session.c
create mode 100644 fs/cifsd/mgmt/user_session.h
create mode 100644 fs/cifsd/misc.c
create mode 100644 fs/cifsd/misc.h
create mode 100644 fs/cifsd/ndr.c
create mode 100644 fs/cifsd/ndr.h
create mode 100644 fs/cifsd/netmisc.c
create mode 100644 fs/cifsd/nterr.c
create mode 100644 fs/cifsd/nterr.h
create mode 100644 fs/cifsd/ntlmssp.h
create mode 100644 fs/cifsd/oplock.c
create mode 100644 fs/cifsd/oplock.h
create mode 100644 fs/cifsd/smb2misc.c
create mode 100644 fs/cifsd/smb2ops.c
create mode 100644 fs/cifsd/smb2pdu.c
create mode 100644 fs/cifsd/smb2pdu.h
create mode 100644 fs/cifsd/smb_common.c
create mode 100644 fs/cifsd/smb_common.h
create mode 100644 fs/cifsd/smbacl.c
create mode 100644 fs/cifsd/smbacl.h
create mode 100644 fs/cifsd/smberr.h
create mode 100644 fs/cifsd/smbfsctl.h
create mode 100644 fs/cifsd/smbstatus.h
create mode 100644 fs/cifsd/time_wrappers.h
create mode 100644 fs/cifsd/unicode.c
create mode 100644 fs/cifsd/unicode.h
create mode 100644 fs/cifsd/uniupr.h
diff --git a/fs/cifsd/asn1.c b/fs/cifsd/asn1.c
new file mode 100644
index 000000000000..aa702b665849
--- /dev/null
+++ b/fs/cifsd/asn1.c
@@ -0,0 +1,702 @@
+// SPDX-License-Identifier: GPL-2.0-or-later
+/*
+ * The ASB.1/BER parsing code is derived from ip_nat_snmp_basic.c which was in
+ * turn derived from the gxsnmp package by Gregory McLean & Jochen Friedrich
+ *
+ * Copyright (c) 2000 RP Internet (www.rpi.net.au)
+ */
+
+#include <linux/module.h>
+#include <linux/types.h>
+#include <linux/kernel.h>
+#include <linux/mm.h>
+#include <linux/slab.h>
+
+#include "glob.h"
+
+#include "asn1.h"
+#include "connection.h"
+#include "auth.h"
+
+/*****************************************************************************
+ *
+ * Basic ASN.1 decoding routines (gxsnmp author Dirk Wisse)
+ *
+ *****************************************************************************/
+
+/* Class */
+#define ASN1_UNI 0 /* Universal */
+#define ASN1_APL 1 /* Application */
+#define ASN1_CTX 2 /* Context */
+#define ASN1_PRV 3 /* Private */
+
+/* Tag */
+#define ASN1_EOC 0 /* End Of Contents or N/A */
+#define ASN1_BOL 1 /* Boolean */
+#define ASN1_INT 2 /* Integer */
+#define ASN1_BTS 3 /* Bit String */
+#define ASN1_OTS 4 /* Octet String */
+#define ASN1_NUL 5 /* Null */
+#define ASN1_OJI 6 /* Object Identifier */
+#define ASN1_OJD 7 /* Object Description */
+#define ASN1_EXT 8 /* External */
+#define ASN1_ENUM 10 /* Enumerated */
+#define ASN1_SEQ 16 /* Sequence */
+#define ASN1_SET 17 /* Set */
+#define ASN1_NUMSTR 18 /* Numerical String */
+#define ASN1_PRNSTR 19 /* Printable String */
+#define ASN1_TEXSTR 20 /* Teletext String */
+#define ASN1_VIDSTR 21 /* Video String */
+#define ASN1_IA5STR 22 /* IA5 String */
+#define ASN1_UNITIM 23 /* Universal Time */
+#define ASN1_GENTIM 24 /* General Time */
+#define ASN1_GRASTR 25 /* Graphical String */
+#define ASN1_VISSTR 26 /* Visible String */
+#define ASN1_GENSTR 27 /* General String */
+
+/* Primitive / Constructed methods*/
+#define ASN1_PRI 0 /* Primitive */
+#define ASN1_CON 1 /* Constructed */
+
+/*
+ * Error codes.
+ */
+#define ASN1_ERR_NOERROR 0
+#define ASN1_ERR_DEC_EMPTY 2
+#define ASN1_ERR_DEC_EOC_MISMATCH 3
+#define ASN1_ERR_DEC_LENGTH_MISMATCH 4
+#define ASN1_ERR_DEC_BADVALUE 5
+
+#define SPNEGO_OID_LEN 7
+#define NTLMSSP_OID_LEN 10
+#define KRB5_OID_LEN 7
+#define KRB5U2U_OID_LEN 8
+#define MSKRB5_OID_LEN 7
+static unsigned long SPNEGO_OID[7] = { 1, 3, 6, 1, 5, 5, 2 };
+static unsigned long NTLMSSP_OID[10] = { 1, 3, 6, 1, 4, 1, 311, 2, 2, 10 };
+static unsigned long KRB5_OID[7] = { 1, 2, 840, 113554, 1, 2, 2 };
+static unsigned long KRB5U2U_OID[8] = { 1, 2, 840, 113554, 1, 2, 2, 3 };
+static unsigned long MSKRB5_OID[7] = { 1, 2, 840, 48018, 1, 2, 2 };
+
+static char NTLMSSP_OID_STR[NTLMSSP_OID_LEN] = { 0x2b, 0x06, 0x01, 0x04, 0x01,
+ 0x82, 0x37, 0x02, 0x02, 0x0a };
+
+/*
+ * ASN.1 context.
+ */
+struct asn1_ctx {
+ int error; /* Error condition */
+ unsigned char *pointer; /* Octet just to be decoded */
+ unsigned char *begin; /* First octet */
+ unsigned char *end; /* Octet after last octet */
+};
+
+/*
+ * Octet string (not null terminated)
+ */
+struct asn1_octstr {
+ unsigned char *data;
+ unsigned int len;
+};
+
+static void
+asn1_open(struct asn1_ctx *ctx, unsigned char *buf, unsigned int len)
+{
+ ctx->begin = buf;
+ ctx->end = buf + len;
+ ctx->pointer = buf;
+ ctx->error = ASN1_ERR_NOERROR;
+}
+
+static unsigned char
+asn1_octet_decode(struct asn1_ctx *ctx, unsigned char *ch)
+{
+ if (ctx->pointer >= ctx->end) {
+ ctx->error = ASN1_ERR_DEC_EMPTY;
+ return 0;
+ }
+ *ch = *(ctx->pointer)++;
+ return 1;
+}
+
+static unsigned char
+asn1_tag_decode(struct asn1_ctx *ctx, unsigned int *tag)
+{
+ unsigned char ch;
+
+ *tag = 0;
+
+ do {
+ if (!asn1_octet_decode(ctx, &ch))
+ return 0;
+ *tag <<= 7;
+ *tag |= ch & 0x7F;
+ } while ((ch & 0x80) == 0x80);
+ return 1;
+}
+
+static unsigned char
+asn1_id_decode(struct asn1_ctx *ctx,
+ unsigned int *cls, unsigned int *con, unsigned int *tag)
+{
+ unsigned char ch;
+
+ if (!asn1_octet_decode(ctx, &ch))
+ return 0;
+
+ *cls = (ch & 0xC0) >> 6;
+ *con = (ch & 0x20) >> 5;
+ *tag = (ch & 0x1F);
+
+ if (*tag == 0x1F) {
+ if (!asn1_tag_decode(ctx, tag))
+ return 0;
+ }
+ return 1;
+}
+
+static unsigned char
+asn1_length_decode(struct asn1_ctx *ctx, unsigned int *def, unsigned int *len)
+{
+ unsigned char ch, cnt;
+
+ if (!asn1_octet_decode(ctx, &ch))
+ return 0;
+
+ if (ch == 0x80)
+ *def = 0;
+ else {
+ *def = 1;
+
+ if (ch < 0x80)
+ *len = ch;
+ else {
+ cnt = (unsigned char) (ch & 0x7F);
+ *len = 0;
+
+ while (cnt > 0) {
+ if (!asn1_octet_decode(ctx, &ch))
+ return 0;
+ *len <<= 8;
+ *len |= ch;
+ cnt--;
+ }
+ }
+ }
+
+ /* don't trust len bigger than ctx buffer */
+ if (*len > ctx->end - ctx->pointer)
+ return 0;
+
+ return 1;
+}
+
+static unsigned char
+asn1_header_decode(struct asn1_ctx *ctx,
+ unsigned char **eoc,
+ unsigned int *cls, unsigned int *con, unsigned int *tag)
+{
+ unsigned int def = 0;
+ unsigned int len = 0;
+
+ if (!asn1_id_decode(ctx, cls, con, tag))
+ return 0;
+
+ if (!asn1_length_decode(ctx, &def, &len))
+ return 0;
+
+ /* primitive shall be definite, indefinite shall be constructed */
+ if (*con == ASN1_PRI && !def)
+ return 0;
+
+ if (def)
+ *eoc = ctx->pointer + len;
+ else
+ *eoc = NULL;
+ return 1;
+}
+
+static unsigned char
+asn1_eoc_decode(struct asn1_ctx *ctx, unsigned char *eoc)
+{
+ unsigned char ch;
+
+ if (!eoc) {
+ if (!asn1_octet_decode(ctx, &ch))
+ return 0;
+
+ if (ch != 0x00) {
+ ctx->error = ASN1_ERR_DEC_EOC_MISMATCH;
+ return 0;
+ }
+
+ if (!asn1_octet_decode(ctx, &ch))
+ return 0;
+
+ if (ch != 0x00) {
+ ctx->error = ASN1_ERR_DEC_EOC_MISMATCH;
+ return 0;
+ }
+ } else {
+ if (ctx->pointer != eoc) {
+ ctx->error = ASN1_ERR_DEC_LENGTH_MISMATCH;
+ return 0;
+ }
+ }
+ return 1;
+}
+
+static unsigned char
+asn1_subid_decode(struct asn1_ctx *ctx, unsigned long *subid)
+{
+ unsigned char ch;
+
+ *subid = 0;
+
+ do {
+ if (!asn1_octet_decode(ctx, &ch))
+ return 0;
+
+ *subid <<= 7;
+ *subid |= ch & 0x7F;
+ } while ((ch & 0x80) == 0x80);
+ return 1;
+}
+
+static int
+asn1_oid_decode(struct asn1_ctx *ctx,
+ unsigned char *eoc, unsigned long **oid, unsigned int *len)
+{
+ unsigned long subid;
+ unsigned int size;
+ unsigned long *optr;
+
+ size = eoc - ctx->pointer + 1;
+
+ /* first subid actually encodes first two subids */
+ if (size < 2 || size > UINT_MAX/sizeof(unsigned long))
+ return 0;
+
+ *oid = kmalloc(size * sizeof(unsigned long), GFP_KERNEL);
+ if (!*oid)
+ return 0;
+
+ optr = *oid;
+
+ if (!asn1_subid_decode(ctx, &subid)) {
+ kfree(*oid);
+ *oid = NULL;
+ return 0;
+ }
+
+ if (subid < 40) {
+ optr[0] = 0;
+ optr[1] = subid;
+ } else if (subid < 80) {
+ optr[0] = 1;
+ optr[1] = subid - 40;
+ } else {
+ optr[0] = 2;
+ optr[1] = subid - 80;
+ }
+
+ *len = 2;
+ optr += 2;
+
+ while (ctx->pointer < eoc) {
+ if (++(*len) > size) {
+ ctx->error = ASN1_ERR_DEC_BADVALUE;
+ kfree(*oid);
+ *oid = NULL;
+ return 0;
+ }
+
+ if (!asn1_subid_decode(ctx, optr++)) {
+ kfree(*oid);
+ *oid = NULL;
+ return 0;
+ }
+ }
+ return 1;
+}
+
+static int
+compare_oid(unsigned long *oid1, unsigned int oid1len,
+ unsigned long *oid2, unsigned int oid2len)
+{
+ unsigned int i;
+
+ if (oid1len != oid2len)
+ return 0;
+
+ for (i = 0; i < oid1len; i++) {
+ if (oid1[i] != oid2[i])
+ return 0;
+ }
+ return 1;
+}
+
+/* BB check for endian conversion issues here */
+
+int
+ksmbd_decode_negTokenInit(unsigned char *security_blob, int length,
+ struct ksmbd_conn *conn)
+{
+ struct asn1_ctx ctx;
+ unsigned char *end;
+ unsigned char *sequence_end;
+ unsigned long *oid = NULL;
+ unsigned int cls, con, tag, oidlen, rc, mechTokenlen;
+ unsigned int mech_type;
+
+ ksmbd_debug(AUTH, "Received SecBlob: length %d\n", length);
+
+ asn1_open(&ctx, security_blob, length);
+
+ /* GSSAPI header */
+ if (asn1_header_decode(&ctx, &end, &cls, &con, &tag) == 0) {
+ ksmbd_debug(AUTH, "Error decoding negTokenInit header\n");
+ return 0;
+ } else if ((cls != ASN1_APL) || (con != ASN1_CON)
+ || (tag != ASN1_EOC)) {
+ ksmbd_debug(AUTH, "cls = %d con = %d tag = %d\n", cls, con,
+ tag);
+ return 0;
+ }
+
+ /* Check for SPNEGO OID -- remember to free obj->oid */
+ rc = asn1_header_decode(&ctx, &end, &cls, &con, &tag);
+ if (rc) {
+ if ((tag == ASN1_OJI) && (con == ASN1_PRI) &&
+ (cls == ASN1_UNI)) {
+ rc = asn1_oid_decode(&ctx, end, &oid, &oidlen);
+ if (rc) {
+ rc = compare_oid(oid, oidlen, SPNEGO_OID,
+ SPNEGO_OID_LEN);
+ kfree(oid);
+ }
+ } else
+ rc = 0;
+ }
+
+ /* SPNEGO OID not present or garbled -- bail out */
+ if (!rc) {
+ ksmbd_debug(AUTH, "Error decoding negTokenInit header\n");
+ return 0;
+ }
+
+ /* SPNEGO */
+ if (asn1_header_decode(&ctx, &end, &cls, &con, &tag) == 0) {
+ ksmbd_debug(AUTH, "Error decoding negTokenInit\n");
+ return 0;
+ } else if ((cls != ASN1_CTX) || (con != ASN1_CON)
+ || (tag != ASN1_EOC)) {
+ ksmbd_debug(AUTH,
+ "cls = %d con = %d tag = %d end = %p (%d) exit 0\n",
+ cls, con, tag, end, *end);
+ return 0;
+ }
+
+ /* negTokenInit */
+ if (asn1_header_decode(&ctx, &end, &cls, &con, &tag) == 0) {
+ ksmbd_debug(AUTH, "Error decoding negTokenInit\n");
+ return 0;
+ } else if ((cls != ASN1_UNI) || (con != ASN1_CON)
+ || (tag != ASN1_SEQ)) {
+ ksmbd_debug(AUTH,
+ "cls = %d con = %d tag = %d end = %p (%d) exit 1\n",
+ cls, con, tag, end, *end);
+ return 0;
+ }
+
+ /* sequence */
+ if (asn1_header_decode(&ctx, &end, &cls, &con, &tag) == 0) {
+ ksmbd_debug(AUTH, "Error decoding 2nd part of negTokenInit\n");
+ return 0;
+ } else if ((cls != ASN1_CTX) || (con != ASN1_CON)
+ || (tag != ASN1_EOC)) {
+ ksmbd_debug(AUTH,
+ "cls = %d con = %d tag = %d end = %p (%d) exit 0\n",
+ cls, con, tag, end, *end);
+ return 0;
+ }
+
+ /* sequence of */
+ if (asn1_header_decode
+ (&ctx, &sequence_end, &cls, &con, &tag) == 0) {
+ ksmbd_debug(AUTH, "Error decoding 2nd part of negTokenInit\n");
+ return 0;
+ } else if ((cls != ASN1_UNI) || (con != ASN1_CON)
+ || (tag != ASN1_SEQ)) {
+ ksmbd_debug(AUTH,
+ "cls = %d con = %d tag = %d end = %p (%d) exit 1\n",
+ cls, con, tag, end, *end);
+ return 0;
+ }
+
+ /* list of security mechanisms */
+ while (!asn1_eoc_decode(&ctx, sequence_end)) {
+ rc = asn1_header_decode(&ctx, &end, &cls, &con, &tag);
+ if (!rc) {
+ ksmbd_debug(AUTH,
+ "Error decoding negTokenInit hdr exit2\n");
+ return 0;
+ }
+ if ((tag == ASN1_OJI) && (con == ASN1_PRI)) {
+ if (asn1_oid_decode(&ctx, end, &oid, &oidlen)) {
+ if (compare_oid(oid, oidlen, MSKRB5_OID,
+ MSKRB5_OID_LEN))
+ mech_type = KSMBD_AUTH_MSKRB5;
+ else if (compare_oid(oid, oidlen, KRB5U2U_OID,
+ KRB5U2U_OID_LEN))
+ mech_type = KSMBD_AUTH_KRB5U2U;
+ else if (compare_oid(oid, oidlen, KRB5_OID,
+ KRB5_OID_LEN))
+ mech_type = KSMBD_AUTH_KRB5;
+ else if (compare_oid(oid, oidlen, NTLMSSP_OID,
+ NTLMSSP_OID_LEN))
+ mech_type = KSMBD_AUTH_NTLMSSP;
+ else {
+ kfree(oid);
+ continue;
+ }
+
+ conn->auth_mechs |= mech_type;
+ if (conn->preferred_auth_mech == 0)
+ conn->preferred_auth_mech = mech_type;
+ kfree(oid);
+ }
+ } else {
+ ksmbd_debug(AUTH,
+ "Should be an oid what is going on?\n");
+ }
+ }
+
+ /* sequence */
+ if (asn1_header_decode(&ctx, &end, &cls, &con, &tag) == 0) {
+ ksmbd_debug(AUTH, "Error decoding 2nd part of negTokenInit\n");
+ return 0;
+ } else if ((cls != ASN1_CTX) || (con != ASN1_CON)
+ || (tag != ASN1_INT)) {
+ ksmbd_debug(AUTH,
+ "cls = %d con = %d tag = %d end = %p (%d) exit 0\n",
+ cls, con, tag, end, *end);
+ return 0;
+ }
+
+ /* sequence of */
+ if (asn1_header_decode(&ctx, &end, &cls, &con, &tag) == 0) {
+ ksmbd_debug(AUTH, "Error decoding 2nd part of negTokenInit\n");
+ return 0;
+ } else if ((cls != ASN1_UNI) || (con != ASN1_PRI)
+ || (tag != ASN1_OTS)) {
+ ksmbd_debug(AUTH,
+ "cls = %d con = %d tag = %d end = %p (%d) exit 0\n",
+ cls, con, tag, end, *end);
+ return 0;
+ }
+
+ mechTokenlen = ctx.end - ctx.pointer;
+ conn->mechToken = kmalloc(mechTokenlen + 1, GFP_KERNEL);
+ if (!conn->mechToken) {
+ ksmbd_err("memory allocation error\n");
+ return 0;
+ }
+
+ memcpy(conn->mechToken, ctx.pointer, mechTokenlen);
+ conn->mechToken[mechTokenlen] = '\0';
+
+ return 1;
+}
+
+int
+ksmbd_decode_negTokenTarg(unsigned char *security_blob, int length,
+ struct ksmbd_conn *conn)
+{
+ struct asn1_ctx ctx;
+ unsigned char *end;
+ unsigned int cls, con, tag, mechTokenlen;
+
+ ksmbd_debug(AUTH, "Received Auth SecBlob: length %d\n", length);
+
+ asn1_open(&ctx, security_blob, length);
+
+ /* GSSAPI header */
+ if (asn1_header_decode(&ctx, &end, &cls, &con, &tag) == 0) {
+ ksmbd_debug(AUTH, "Error decoding negTokenInit header\n");
+ return 0;
+ } else if ((cls != ASN1_CTX) || (con != ASN1_CON)
+ || (tag != ASN1_BOL)) {
+ ksmbd_debug(AUTH, "cls = %d con = %d tag = %d\n", cls, con,
+ tag);
+ return 0;
+ }
+
+ /* SPNEGO */
+ if (asn1_header_decode(&ctx, &end, &cls, &con, &tag) == 0) {
+ ksmbd_debug(AUTH, "Error decoding negTokenInit\n");
+ return 0;
+ } else if ((cls != ASN1_UNI) || (con != ASN1_CON)
+ || (tag != ASN1_SEQ)) {
+ ksmbd_debug(AUTH,
+ "cls = %d con = %d tag = %d end = %p (%d) exit 0\n",
+ cls, con, tag, end, *end);
+ return 0;
+ }
+
+ /* negTokenTarg */
+ if (asn1_header_decode(&ctx, &end, &cls, &con, &tag) == 0) {
+ ksmbd_debug(AUTH, "Error decoding negTokenInit\n");
+ return 0;
+ } else if ((cls != ASN1_CTX) || (con != ASN1_CON)
+ || (tag != ASN1_INT)) {
+ ksmbd_debug(AUTH,
+ "cls = %d con = %d tag = %d end = %p (%d) exit 1\n",
+ cls, con, tag, end, *end);
+ return 0;
+ }
+
+ /* negTokenTarg */
+ if (asn1_header_decode(&ctx, &end, &cls, &con, &tag) == 0) {
+ ksmbd_debug(AUTH, "Error decoding negTokenInit\n");
+ return 0;
+ } else if ((cls != ASN1_UNI) || (con != ASN1_PRI)
+ || (tag != ASN1_OTS)) {
+ ksmbd_debug(AUTH,
+ "cls = %d con = %d tag = %d end = %p (%d) exit 1\n",
+ cls, con, tag, end, *end);
+ return 0;
+ }
+
+ mechTokenlen = ctx.end - ctx.pointer;
+ conn->mechToken = kmalloc(mechTokenlen + 1, GFP_KERNEL);
+ if (!conn->mechToken) {
+ ksmbd_err("memory allocation error\n");
+ return 0;
+ }
+
+ memcpy(conn->mechToken, ctx.pointer, mechTokenlen);
+ conn->mechToken[mechTokenlen] = '\0';
+
+ return 1;
+}
+
+static int compute_asn_hdr_len_bytes(int len)
+{
+ if (len > 0xFFFFFF)
+ return 4;
+ else if (len > 0xFFFF)
+ return 3;
+ else if (len > 0xFF)
+ return 2;
+ else if (len > 0x7F)
+ return 1;
+ else
+ return 0;
+}
+
+static void encode_asn_tag(char *buf,
+ unsigned int *ofs,
+ char tag,
+ char seq,
+ int length)
+{
+ int i;
+ int index = *ofs;
+ char hdr_len = compute_asn_hdr_len_bytes(length);
+ int len = length + 2 + hdr_len;
+
+ /* insert tag */
+ buf[index++] = tag;
+
+ if (!hdr_len)
+ buf[index++] = len;
+ else {
+ buf[index++] = 0x80 | hdr_len;
+ for (i = hdr_len - 1; i >= 0; i--)
+ buf[index++] = (len >> (i * 8)) & 0xFF;
+ }
+
+ /* insert seq */
+ len = len - (index - *ofs);
+ buf[index++] = seq;
+
+ if (!hdr_len)
+ buf[index++] = len;
+ else {
+ buf[index++] = 0x80 | hdr_len;
+ for (i = hdr_len - 1; i >= 0; i--)
+ buf[index++] = (len >> (i * 8)) & 0xFF;
+ }
+
+ *ofs += (index - *ofs);
+}
+
+int build_spnego_ntlmssp_neg_blob(unsigned char **pbuffer, u16 *buflen,
+ char *ntlm_blob, int ntlm_blob_len)
+{
+ char *buf;
+ unsigned int ofs = 0;
+ int neg_result_len = 4 + compute_asn_hdr_len_bytes(1) * 2 + 1;
+ int oid_len = 4 + compute_asn_hdr_len_bytes(NTLMSSP_OID_LEN) * 2 +
+ NTLMSSP_OID_LEN;
+ int ntlmssp_len = 4 + compute_asn_hdr_len_bytes(ntlm_blob_len) * 2 +
+ ntlm_blob_len;
+ int total_len = 4 + compute_asn_hdr_len_bytes(neg_result_len +
+ oid_len + ntlmssp_len) * 2 +
+ neg_result_len + oid_len + ntlmssp_len;
+
+ buf = kmalloc(total_len, GFP_KERNEL);
+ if (!buf)
+ return -ENOMEM;
+
+ /* insert main gss header */
+ encode_asn_tag(buf, &ofs, 0xa1, 0x30, neg_result_len + oid_len +
+ ntlmssp_len);
+
+ /* insert neg result */
+ encode_asn_tag(buf, &ofs, 0xa0, 0x0a, 1);
+ buf[ofs++] = 1;
+
+ /* insert oid */
+ encode_asn_tag(buf, &ofs, 0xa1, 0x06, NTLMSSP_OID_LEN);
+ memcpy(buf + ofs, NTLMSSP_OID_STR, NTLMSSP_OID_LEN);
+ ofs += NTLMSSP_OID_LEN;
+
+ /* insert response token - ntlmssp blob */
+ encode_asn_tag(buf, &ofs, 0xa2, 0x04, ntlm_blob_len);
+ memcpy(buf + ofs, ntlm_blob, ntlm_blob_len);
+ ofs += ntlm_blob_len;
+
+ *pbuffer = buf;
+ *buflen = total_len;
+ return 0;
+}
+
+int build_spnego_ntlmssp_auth_blob(unsigned char **pbuffer, u16 *buflen,
+ int neg_result)
+{
+ char *buf;
+ unsigned int ofs = 0;
+ int neg_result_len = 4 + compute_asn_hdr_len_bytes(1) * 2 + 1;
+ int total_len = 4 + compute_asn_hdr_len_bytes(neg_result_len) * 2 +
+ neg_result_len;
+
+ buf = kmalloc(total_len, GFP_KERNEL);
+ if (!buf)
+ return -ENOMEM;
+
+ /* insert main gss header */
+ encode_asn_tag(buf, &ofs, 0xa1, 0x30, neg_result_len);
+
+ /* insert neg result */
+ encode_asn_tag(buf, &ofs, 0xa0, 0x0a, 1);
+ if (neg_result)
+ buf[ofs++] = 2;
+ else
+ buf[ofs++] = 0;
+
+ *pbuffer = buf;
+ *buflen = total_len;
+ return 0;
+}
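Review bot: in ksmbd_decode_negTokenInit() and ksmbd_decode_negTokenTarg(), the ksmbd_debug() calls on the later class/tag mismatch paths pass `*end` as an argument, but asn1_header_decode() sets that pointer to NULL for an indefinite-length constructed element and to `ctx->pointer + len` otherwise, which asn1_length_decode() allows to equal `ctx->end`. The debug path can therefore dereference NULL or read one byte past the client-supplied security blob; drop `*end` from those format strings and print `end` alone. In the same two functions, `mechTokenlen = ctx.end - ctx.pointer` ignores the OCTET STRING length that was just decoded into `end`, so any bytes trailing the token are copied as well, and `conn->mechToken` is assigned a fresh kmalloc() without freeing a buffer it may already hold; use `end - ctx.pointer` and kfree() the old pointer first. In the mechanism-list loop, the non-OID branch only logs and never advances past the element's contents, so the payload is then parsed as further headers; skip to `end` or fail there. In build_spnego_ntlmssp_neg_blob(), `total_len` is an int derived from ntlm_blob_len but is stored through `u16 *buflen` with no range check, so the reported length can disagree with the allocation; reject totals above U16_MAX.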
diff --git a/fs/cifsd/asn1.h b/fs/cifsd/asn1.h
new file mode 100644
index 000000000000..ff2692b502d6
--- /dev/null
+++ b/fs/cifsd/asn1.h
@@ -0,0 +1,29 @@
+/* SPDX-License-Identifier: GPL-2.0-or-later */
+/*
+ * The ASB.1/BER parsing code is derived from ip_nat_snmp_basic.c which was in
+ * turn derived from the gxsnmp package by Gregory McLean & Jochen Friedrich
+ *
+ * Copyright (c) 2000 RP Internet (www.rpi.net.au)
+ * Copyright (C) 2018 Samsung Electronics Co., Ltd.
+ */
+
+#ifndef __ASN1_H__
+#define __ASN1_H__
+
+int ksmbd_decode_negTokenInit(unsigned char *security_blob,
+ int length,
+ struct ksmbd_conn *conn);
+
+int ksmbd_decode_negTokenTarg(unsigned char *security_blob,
+ int length,
+ struct ksmbd_conn *conn);
+
+int build_spnego_ntlmssp_neg_blob(unsigned char **pbuffer,
+ u16 *buflen,
+ char *ntlm_blob,
+ int ntlm_blob_len);
+
+int build_spnego_ntlmssp_auth_blob(unsigned char **pbuffer,
+ u16 *buflen,
+ int neg_result);
+#endif /* __ASN1_H__ */
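Review bot: the prototypes in asn1.h take `struct ksmbd_conn *` and `u16 *`, but the header neither forward-declares the struct nor includes <linux/types.h>, so it only builds cleanly when an earlier include has already provided both (asn1.c includes it before connection.h). Add `struct ksmbd_conn;` and the types include so the header is self-contained. The first comment line also reads "ASB.1/BER" where "ASN.1/BER" is meant, here and in asn1.c. The `length` and `ntlm_blob_len` parameters are signed int although they carry buffer sizes; unsigned types would make the range checks in the callers easier to reason about.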
diff --git a/fs/cifsd/auth.c b/fs/cifsd/auth.c
new file mode 100644
index 000000000000..0a49c67a69d6
--- /dev/null
+++ b/fs/cifsd/auth.c
@@ -0,0 +1,1348 @@
+// SPDX-License-Identifier: GPL-2.0-or-later
+/*
+ * Copyright (C) 2016 Namjae Jeon <linkinjeon(a)kernel.org>
+ * Copyright (C) 2018 Samsung Electronics Co., Ltd.
+ */
+
+#include <linux/kernel.h>
+#include <linux/fs.h>
+#include <linux/uaccess.h>
+#include <linux/backing-dev.h>
+#include <linux/writeback.h>
+#include <linux/uio.h>
+#include <linux/xattr.h>
+#include <crypto/hash.h>
+#include <crypto/aead.h>
+#include <linux/random.h>
+#include <linux/scatterlist.h>
+
+#include "auth.h"
+#include "glob.h"
+
+#include <linux/fips.h>
+#include <crypto/des.h>
+
+#include "server.h"
+#include "smb_common.h"
+#include "connection.h"
+#include "mgmt/user_session.h"
+#include "mgmt/user_config.h"
+#include "crypto_ctx.h"
+#include "transport_ipc.h"
+#include "buffer_pool.h"
+
+/*
+ * Fixed format data defining GSS header and fixed string
+ * "not_defined_in_RFC4178@please_ignore".
+ * So sec blob data in neg phase could be generated statically.
+ */
+static char NEGOTIATE_GSS_HEADER[AUTH_GSS_LENGTH] = {
+#ifdef CONFIG_SMB_SERVER_KERBEROS5
+ 0x60, 0x5e, 0x06, 0x06, 0x2b, 0x06, 0x01, 0x05,
+ 0x05, 0x02, 0xa0, 0x54, 0x30, 0x52, 0xa0, 0x24,
+ 0x30, 0x22, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86,
+ 0xf7, 0x12, 0x01, 0x02, 0x02, 0x06, 0x09, 0x2a,
+ 0x86, 0x48, 0x82, 0xf7, 0x12, 0x01, 0x02, 0x02,
+ 0x06, 0x0a, 0x2b, 0x06, 0x01, 0x04, 0x01, 0x82,
+ 0x37, 0x02, 0x02, 0x0a, 0xa3, 0x2a, 0x30, 0x28,
+ 0xa0, 0x26, 0x1b, 0x24, 0x6e, 0x6f, 0x74, 0x5f,
+ 0x64, 0x65, 0x66, 0x69, 0x6e, 0x65, 0x64, 0x5f,
+ 0x69, 0x6e, 0x5f, 0x52, 0x46, 0x43, 0x34, 0x31,
+ 0x37, 0x38, 0x40, 0x70, 0x6c, 0x65, 0x61, 0x73,
+ 0x65, 0x5f, 0x69, 0x67, 0x6e, 0x6f, 0x72, 0x65
+#else
+ 0x60, 0x48, 0x06, 0x06, 0x2b, 0x06, 0x01, 0x05,
+ 0x05, 0x02, 0xa0, 0x3e, 0x30, 0x3c, 0xa0, 0x0e,
+ 0x30, 0x0c, 0x06, 0x0a, 0x2b, 0x06, 0x01, 0x04,
+ 0x01, 0x82, 0x37, 0x02, 0x02, 0x0a, 0xa3, 0x2a,
+ 0x30, 0x28, 0xa0, 0x26, 0x1b, 0x24, 0x6e, 0x6f,
+ 0x74, 0x5f, 0x64, 0x65, 0x66, 0x69, 0x6e, 0x65,
+ 0x64, 0x5f, 0x69, 0x6e, 0x5f, 0x52, 0x46, 0x43,
+ 0x34, 0x31, 0x37, 0x38, 0x40, 0x70, 0x6c, 0x65,
+ 0x61, 0x73, 0x65, 0x5f, 0x69, 0x67, 0x6e, 0x6f,
+ 0x72, 0x65
+#endif
+};
+
+
+void ksmbd_copy_gss_neg_header(void *buf)
+{
+ memcpy(buf, NEGOTIATE_GSS_HEADER, AUTH_GSS_LENGTH);
+}
+
+static void
+str_to_key(unsigned char *str, unsigned char *key)
+{
+ int i;
+
+ key[0] = str[0] >> 1;
+ key[1] = ((str[0] & 0x01) << 6) | (str[1] >> 2);
+ key[2] = ((str[1] & 0x03) << 5) | (str[2] >> 3);
+ key[3] = ((str[2] & 0x07) << 4) | (str[3] >> 4);
+ key[4] = ((str[3] & 0x0F) << 3) | (str[4] >> 5);
+ key[5] = ((str[4] & 0x1F) << 2) | (str[5] >> 6);
+ key[6] = ((str[5] & 0x3F) << 1) | (str[6] >> 7);
+ key[7] = str[6] & 0x7F;
+ for (i = 0; i < 8; i++)
+ key[i] = (key[i] << 1);
+}
+
+static int
+smbhash(unsigned char *out, const unsigned char *in, unsigned char *key)
+{
+ unsigned char key2[8];
+ struct des_ctx ctx;
+
+ str_to_key(key, key2);
+
+ if (fips_enabled) {
+ ksmbd_debug(AUTH,
+ "FIPS compliance enabled: DES not permitted\n");
+ return -ENOENT;
+ }
+
+ des_expand_key(&ctx, key2, DES_KEY_SIZE);
+ des_encrypt(&ctx, out, in);
+ memzero_explicit(&ctx, sizeof(ctx));
+ return 0;
+}
+
+static int ksmbd_enc_p24(unsigned char *p21,
+ const unsigned char *c8,
+ unsigned char *p24)
+{
+ int rc;
+
+ rc = smbhash(p24, c8, p21);
+ if (rc)
+ return rc;
+ rc = smbhash(p24 + 8, c8, p21 + 7);
+ if (rc)
+ return rc;
+ rc = smbhash(p24 + 16, c8, p21 + 14);
+ return rc;
+}
+
+/* produce a md4 message digest from data of length n bytes */
+static int ksmbd_enc_md4(unsigned char *md4_hash,
+ unsigned char *link_str,
+ int link_len)
+{
+ int rc;
+ struct ksmbd_crypto_ctx *ctx;
+
+ ctx = ksmbd_crypto_ctx_find_md4();
+ if (!ctx) {
+ ksmbd_debug(AUTH, "Crypto md4 allocation error\n");
+ return -EINVAL;
+ }
+
+ rc = crypto_shash_init(CRYPTO_MD4(ctx));
+ if (rc) {
+ ksmbd_debug(AUTH, "Could not init md4 shash\n");
+ goto out;
+ }
+
+ rc = crypto_shash_update(CRYPTO_MD4(ctx), link_str, link_len);
+ if (rc) {
+ ksmbd_debug(AUTH, "Could not update with link_str\n");
+ goto out;
+ }
+
+ rc = crypto_shash_final(CRYPTO_MD4(ctx), md4_hash);
+ if (rc)
+ ksmbd_debug(AUTH, "Could not generate md4 hash\n");
+out:
+ ksmbd_release_crypto_ctx(ctx);
+ return rc;
+}
+
+static int ksmbd_enc_update_sess_key(unsigned char *md5_hash,
+ char *nonce,
+ char *server_challenge,
+ int len)
+{
+ int rc;
+ struct ksmbd_crypto_ctx *ctx;
+
+ ctx = ksmbd_crypto_ctx_find_md5();
+ if (!ctx) {
+ ksmbd_debug(AUTH, "Crypto md5 allocation error\n");
+ return -EINVAL;
+ }
+
+ rc = crypto_shash_init(CRYPTO_MD5(ctx));
+ if (rc) {
+ ksmbd_debug(AUTH, "Could not init md5 shash\n");
+ goto out;
+ }
+
+ rc = crypto_shash_update(CRYPTO_MD5(ctx), server_challenge, len);
+ if (rc) {
+ ksmbd_debug(AUTH, "Could not update with challenge\n");
+ goto out;
+ }
+
+ rc = crypto_shash_update(CRYPTO_MD5(ctx), nonce, len);
+ if (rc) {
+ ksmbd_debug(AUTH, "Could not update with nonce\n");
+ goto out;
+ }
+
+ rc = crypto_shash_final(CRYPTO_MD5(ctx), md5_hash);
+ if (rc)
+ ksmbd_debug(AUTH, "Could not generate md5 hash\n");
+out:
+ ksmbd_release_crypto_ctx(ctx);
+ return rc;
+}
+
+/**
+ * ksmbd_gen_sess_key() - function to generate session key
+ * @sess: session of connection
+ * @hash: source hash value to be used for find session key
+ * @hmac: source hmac value to be used for finding session key
+ *
+ */
+static int ksmbd_gen_sess_key(struct ksmbd_session *sess,
+ char *hash,
+ char *hmac)
+{
+ struct ksmbd_crypto_ctx *ctx;
+ int rc = -EINVAL;
+
+ ctx = ksmbd_crypto_ctx_find_hmacmd5();
+ if (!ctx)
+ goto out;
+
+ rc = crypto_shash_setkey(CRYPTO_HMACMD5_TFM(ctx),
+ hash,
+ CIFS_HMAC_MD5_HASH_SIZE);
+ if (rc) {
+ ksmbd_debug(AUTH, "hmacmd5 set key fail error %d\n", rc);
+ goto out;
+ }
+
+ rc = crypto_shash_init(CRYPTO_HMACMD5(ctx));
+ if (rc) {
+ ksmbd_debug(AUTH, "could not init hmacmd5 error %d\n", rc);
+ goto out;
+ }
+
+ rc = crypto_shash_update(CRYPTO_HMACMD5(ctx),
+ hmac,
+ SMB2_NTLMV2_SESSKEY_SIZE);
+ if (rc) {
+ ksmbd_debug(AUTH, "Could not update with response error %d\n",
+ rc);
+ goto out;
+ }
+
+ rc = crypto_shash_final(CRYPTO_HMACMD5(ctx), sess->sess_key);
+ if (rc) {
+ ksmbd_debug(AUTH, "Could not generate hmacmd5 hash error %d\n",
+ rc);
+ goto out;
+ }
+
+out:
+ ksmbd_release_crypto_ctx(ctx);
+ return rc;
+}
+
+static int calc_ntlmv2_hash(struct ksmbd_session *sess, char *ntlmv2_hash,
+ char *dname)
+{
+ int ret = -EINVAL, len;
+ wchar_t *domain = NULL;
+ __le16 *uniname = NULL;
+ struct ksmbd_crypto_ctx *ctx;
+
+ ctx = ksmbd_crypto_ctx_find_hmacmd5();
+ if (!ctx) {
+ ksmbd_debug(AUTH, "can't generate ntlmv2 hash\n");
+ goto out;
+ }
+
+ ret = crypto_shash_setkey(CRYPTO_HMACMD5_TFM(ctx),
+ user_passkey(sess->user),
+ CIFS_ENCPWD_SIZE);
+ if (ret) {
+ ksmbd_debug(AUTH, "Could not set NT Hash as a key\n");
+ goto out;
+ }
+
+ ret = crypto_shash_init(CRYPTO_HMACMD5(ctx));
+ if (ret) {
+ ksmbd_debug(AUTH, "could not init hmacmd5\n");
+ goto out;
+ }
+
+ /* convert user_name to unicode */
+ len = strlen(user_name(sess->user));
+ uniname = kzalloc(2 + UNICODE_LEN(len), GFP_KERNEL);
+ if (!uniname) {
+ ret = -ENOMEM;
+ goto out;
+ }
+
+ if (len) {
+ len = smb_strtoUTF16(uniname, user_name(sess->user), len,
+ sess->conn->local_nls);
+ UniStrupr(uniname);
+ }
+
+ ret = crypto_shash_update(CRYPTO_HMACMD5(ctx),
+ (char *)uniname,
+ UNICODE_LEN(len));
+ if (ret) {
+ ksmbd_debug(AUTH, "Could not update with user\n");
+ goto out;
+ }
+
+ /* Convert domain name or conn name to unicode and uppercase */
+ len = strlen(dname);
+ domain = kzalloc(2 + UNICODE_LEN(len), GFP_KERNEL);
+ if (!domain) {
+ ret = -ENOMEM;
+ goto out;
+ }
+
+ len = smb_strtoUTF16((__le16 *)domain, dname, len,
+ sess->conn->local_nls);
+
+ ret = crypto_shash_update(CRYPTO_HMACMD5(ctx),
+ (char *)domain,
+ UNICODE_LEN(len));
+ if (ret) {
+ ksmbd_debug(AUTH, "Could not update with domain\n");
+ goto out;
+ }
+
+ ret = crypto_shash_final(CRYPTO_HMACMD5(ctx), ntlmv2_hash);
+out:
+ if (ret)
+ ksmbd_debug(AUTH, "Could not generate md5 hash\n");
+ kfree(uniname);
+ kfree(domain);
+ ksmbd_release_crypto_ctx(ctx);
+ return ret;
+}
+
+/**
+ * ksmbd_auth_ntlm() - NTLM authentication handler
+ * @sess: session of connection
+ * @pw_buf: NTLM challenge response
+ * @passkey: user password
+ *
+ * Return: 0 on success, error number on error
+ */
+int ksmbd_auth_ntlm(struct ksmbd_session *sess, char *pw_buf)
+{
+ int rc;
+ unsigned char p21[21];
+ char key[CIFS_AUTH_RESP_SIZE];
+
+ memset(p21, '\0', 21);
+ memcpy(p21, user_passkey(sess->user), CIFS_NTHASH_SIZE);
+ rc = ksmbd_enc_p24(p21, sess->ntlmssp.cryptkey, key);
+ if (rc) {
+ ksmbd_err("password processing failed\n");
+ return rc;
+ }
+
+ ksmbd_enc_md4(sess->sess_key,
+ user_passkey(sess->user),
+ CIFS_SMB1_SESSKEY_SIZE);
+ memcpy(sess->sess_key + CIFS_SMB1_SESSKEY_SIZE, key,
+ CIFS_AUTH_RESP_SIZE);
+ sess->sequence_number = 1;
+
+ if (strncmp(pw_buf, key, CIFS_AUTH_RESP_SIZE) != 0) {
+ ksmbd_debug(AUTH, "ntlmv1 authentication failed\n");
+ rc = -EINVAL;
+ } else
+ ksmbd_debug(AUTH, "ntlmv1 authentication pass\n");
+
+ return rc;
+}
+
+/**
+ * ksmbd_auth_ntlmv2() - NTLMv2 authentication handler
+ * @sess: session of connection
+ * @ntlmv2: NTLMv2 challenge response
+ * @blen: NTLMv2 blob length
+ * @domain_name: domain name
+ *
+ * Return: 0 on success, error number on error
+ */
+int ksmbd_auth_ntlmv2(struct ksmbd_session *sess,
+ struct ntlmv2_resp *ntlmv2,
+ int blen,
+ char *domain_name)
+{
+ char ntlmv2_hash[CIFS_ENCPWD_SIZE];
+ char ntlmv2_rsp[CIFS_HMAC_MD5_HASH_SIZE];
+ struct ksmbd_crypto_ctx *ctx;
+ char *construct = NULL;
+ int rc = -EINVAL, len;
+
+ ctx = ksmbd_crypto_ctx_find_hmacmd5();
+ if (!ctx) {
+ ksmbd_debug(AUTH, "could not crypto alloc hmacmd5 rc %d\n", rc);
+ goto out;
+ }
+
+ rc = calc_ntlmv2_hash(sess, ntlmv2_hash, domain_name);
+ if (rc) {
+ ksmbd_debug(AUTH, "could not get v2 hash rc %d\n", rc);
+ goto out;
+ }
+
+ rc = crypto_shash_setkey(CRYPTO_HMACMD5_TFM(ctx),
+ ntlmv2_hash,
+ CIFS_HMAC_MD5_HASH_SIZE);
+ if (rc) {
+ ksmbd_debug(AUTH, "Could not set NTLMV2 Hash as a key\n");
+ goto out;
+ }
+
+ rc = crypto_shash_init(CRYPTO_HMACMD5(ctx));
+ if (rc) {
+ ksmbd_debug(AUTH, "Could not init hmacmd5\n");
+ goto out;
+ }
+
+ len = CIFS_CRYPTO_KEY_SIZE + blen;
+ construct = kzalloc(len, GFP_KERNEL);
+ if (!construct) {
+ rc = -ENOMEM;
+ goto out;
+ }
+
+ memcpy(construct, sess->ntlmssp.cryptkey, CIFS_CRYPTO_KEY_SIZE);
+ memcpy(construct + CIFS_CRYPTO_KEY_SIZE,
+ (char *)(&ntlmv2->blob_signature), blen);
+
+ rc = crypto_shash_update(CRYPTO_HMACMD5(ctx), construct, len);
+ if (rc) {
+ ksmbd_debug(AUTH, "Could not update with response\n");
+ goto out;
+ }
+
+ rc = crypto_shash_final(CRYPTO_HMACMD5(ctx), ntlmv2_rsp);
+ if (rc) {
+ ksmbd_debug(AUTH, "Could not generate md5 hash\n");
+ goto out;
+ }
+
+ rc = ksmbd_gen_sess_key(sess, ntlmv2_hash, ntlmv2_rsp);
+ if (rc) {
+ ksmbd_debug(AUTH, "Could not generate sess key\n");
+ goto out;
+ }
+
+ rc = memcmp(ntlmv2->ntlmv2_hash, ntlmv2_rsp, CIFS_HMAC_MD5_HASH_SIZE);
+out:
+ ksmbd_release_crypto_ctx(ctx);
+ kfree(construct);
+ return rc;
+}
+
+/**
+ * __ksmbd_auth_ntlmv2() - NTLM2(extended security) authentication handler
+ * @sess: session of connection
+ * @client_nonce: client nonce from LM response.
+ * @ntlm_resp: ntlm response data from client.
+ *
+ * Return: 0 on success, error number on error
+ */
+static int __ksmbd_auth_ntlmv2(struct ksmbd_session *sess,
+ char *client_nonce,
+ char *ntlm_resp)
+{
+ char sess_key[CIFS_SMB1_SESSKEY_SIZE] = {0};
+ int rc;
+ unsigned char p21[21];
+ char key[CIFS_AUTH_RESP_SIZE];
+
+ rc = ksmbd_enc_update_sess_key(sess_key,
+ client_nonce,
+ (char *)sess->ntlmssp.cryptkey, 8);
+ if (rc) {
+ ksmbd_err("password processing failed\n");
+ goto out;
+ }
+
+ memset(p21, '\0', 21);
+ memcpy(p21, user_passkey(sess->user), CIFS_NTHASH_SIZE);
+ rc = ksmbd_enc_p24(p21, sess_key, key);
+ if (rc) {
+ ksmbd_err("password processing failed\n");
+ goto out;
+ }
+
+ rc = memcmp(ntlm_resp, key, CIFS_AUTH_RESP_SIZE);
+out:
+ return rc;
+}
+
+/**
+ * ksmbd_decode_ntlmssp_auth_blob() - helper function to construct
+ * authenticate blob
+ * @authblob: authenticate blob source pointer
+ * @usr: user details
+ * @sess: session of connection
+ *
+ * Return: 0 on success, error number on error
+ */
+int ksmbd_decode_ntlmssp_auth_blob(struct authenticate_message *authblob,
+ int blob_len,
+ struct ksmbd_session *sess)
+{
+ char *domain_name;
+ unsigned int lm_off, nt_off;
+ unsigned short nt_len;
+ int ret;
+
+ if (blob_len < sizeof(struct authenticate_message)) {
+ ksmbd_debug(AUTH, "negotiate blob len %d too small\n",
+ blob_len);
+ return -EINVAL;
+ }
+
+ if (memcmp(authblob->Signature, "NTLMSSP", 8)) {
+ ksmbd_debug(AUTH, "blob signature incorrect %s\n",
+ authblob->Signature);
+ return -EINVAL;
+ }
+
+ lm_off = le32_to_cpu(authblob->LmChallengeResponse.BufferOffset);
+ nt_off = le32_to_cpu(authblob->NtChallengeResponse.BufferOffset);
+ nt_len = le16_to_cpu(authblob->NtChallengeResponse.Length);
+
+ /* process NTLM authentication */
+ if (nt_len == CIFS_AUTH_RESP_SIZE) {
+ if (le32_to_cpu(authblob->NegotiateFlags)
+ & NTLMSSP_NEGOTIATE_EXTENDED_SEC)
+ return __ksmbd_auth_ntlmv2(sess, (char *)authblob +
+ lm_off, (char *)authblob + nt_off);
+ else
+ return ksmbd_auth_ntlm(sess, (char *)authblob +
+ nt_off);
+ }
+
+ /* TODO : use domain name that imported from configuration file */
+ domain_name = smb_strndup_from_utf16(
+ (const char *)authblob +
+ le32_to_cpu(authblob->DomainName.BufferOffset),
+ le16_to_cpu(authblob->DomainName.Length), true,
+ sess->conn->local_nls);
+ if (IS_ERR(domain_name))
+ return PTR_ERR(domain_name);
+
+ /* process NTLMv2 authentication */
+ ksmbd_debug(AUTH, "decode_ntlmssp_authenticate_blob dname%s\n",
+ domain_name);
+ ret = ksmbd_auth_ntlmv2(sess,
+ (struct ntlmv2_resp *)((char *)authblob + nt_off),
+ nt_len - CIFS_ENCPWD_SIZE,
+ domain_name);
+ kfree(domain_name);
+ return ret;
+}
+
+/**
+ * ksmbd_decode_ntlmssp_neg_blob() - helper function to construct
+ * negotiate blob
+ * @negblob: negotiate blob source pointer
+ * @rsp: response header pointer to be updated
+ * @sess: session of connection
+ *
+ */
+int ksmbd_decode_ntlmssp_neg_blob(struct negotiate_message *negblob,
+ int blob_len,
+ struct ksmbd_session *sess)
+{
+ if (blob_len < sizeof(struct negotiate_message)) {
+ ksmbd_debug(AUTH, "negotiate blob len %d too small\n",
+ blob_len);
+ return -EINVAL;
+ }
+
+ if (memcmp(negblob->Signature, "NTLMSSP", 8)) {
+ ksmbd_debug(AUTH, "blob signature incorrect %s\n",
+ negblob->Signature);
+ return -EINVAL;
+ }
+
+ sess->ntlmssp.client_flags = le32_to_cpu(negblob->NegotiateFlags);
+ return 0;
+}
+
+/**
+ * ksmbd_build_ntlmssp_challenge_blob() - helper function to construct
+ * challenge blob
+ * @chgblob: challenge blob source pointer to initialize
+ * @rsp: response header pointer to be updated
+ * @sess: session of connection
+ *
+ */
+unsigned int
+ksmbd_build_ntlmssp_challenge_blob(struct challenge_message *chgblob,
+ struct ksmbd_session *sess)
+{
+ struct target_info *tinfo;
+ wchar_t *name;
+ __u8 *target_name;
+ unsigned int len, flags, blob_off, blob_len, type, target_info_len = 0;
+ int cflags = sess->ntlmssp.client_flags;
+
+ memcpy(chgblob->Signature, NTLMSSP_SIGNATURE, 8);
+ chgblob->MessageType = NtLmChallenge;
+
+ flags = NTLMSSP_NEGOTIATE_UNICODE |
+ NTLMSSP_NEGOTIATE_NTLM | NTLMSSP_TARGET_TYPE_SERVER |
+ NTLMSSP_NEGOTIATE_TARGET_INFO;
+
+ if (cflags & NTLMSSP_NEGOTIATE_SIGN) {
+ flags |= NTLMSSP_NEGOTIATE_SIGN;
+ flags |= cflags & (NTLMSSP_NEGOTIATE_128 |
+ NTLMSSP_NEGOTIATE_56);
+ }
+
+ if (cflags & NTLMSSP_NEGOTIATE_ALWAYS_SIGN)
+ flags |= NTLMSSP_NEGOTIATE_ALWAYS_SIGN;
+
+ if (cflags & NTLMSSP_REQUEST_TARGET)
+ flags |= NTLMSSP_REQUEST_TARGET;
+
+ if (sess->conn->use_spnego &&
+ (cflags & NTLMSSP_NEGOTIATE_EXTENDED_SEC))
+ flags |= NTLMSSP_NEGOTIATE_EXTENDED_SEC;
+
+ chgblob->NegotiateFlags = cpu_to_le32(flags);
+ len = strlen(ksmbd_netbios_name());
+ name = kmalloc(2 + (len * 2), GFP_KERNEL);
+ if (!name)
+ return -ENOMEM;
+
+ len = smb_strtoUTF16((__le16 *)name, ksmbd_netbios_name(), len,
+ sess->conn->local_nls);
+ len = UNICODE_LEN(len);
+
+ blob_off = sizeof(struct challenge_message);
+ blob_len = blob_off + len;
+
+ chgblob->TargetName.Length = cpu_to_le16(len);
+ chgblob->TargetName.MaximumLength = cpu_to_le16(len);
+ chgblob->TargetName.BufferOffset = cpu_to_le32(blob_off);
+
+ /* Initialize random conn challenge */
+ get_random_bytes(sess->ntlmssp.cryptkey, sizeof(__u64));
+ memcpy(chgblob->Challenge, sess->ntlmssp.cryptkey,
+ CIFS_CRYPTO_KEY_SIZE);
+
+ /* Add Target Information to security buffer */
+ chgblob->TargetInfoArray.BufferOffset = cpu_to_le32(blob_len);
+
+ target_name = (__u8 *)chgblob + blob_off;
+ memcpy(target_name, name, len);
+ tinfo = (struct target_info *)(target_name + len);
+
+ chgblob->TargetInfoArray.Length = 0;
+ /* Add target info list for NetBIOS/DNS settings */
+ for (type = NTLMSSP_AV_NB_COMPUTER_NAME;
+ type <= NTLMSSP_AV_DNS_DOMAIN_NAME; type++) {
+ tinfo->Type = cpu_to_le16(type);
+ tinfo->Length = cpu_to_le16(len);
+ memcpy(tinfo->Content, name, len);
+ tinfo = (struct target_info *)((char *)tinfo + 4 + len);
+ target_info_len += 4 + len;
+ }
+
+ /* Add terminator subblock */
+ tinfo->Type = 0;
+ tinfo->Length = 0;
+ target_info_len += 4;
+
+ chgblob->TargetInfoArray.Length = cpu_to_le16(target_info_len);
+ chgblob->TargetInfoArray.MaximumLength = cpu_to_le16(target_info_len);
+ blob_len += target_info_len;
+ kfree(name);
+ ksmbd_debug(AUTH, "NTLMSSP SecurityBufferLength %d\n", blob_len);
+ return blob_len;
+}
+
+#ifdef CONFIG_SMB_SERVER_KERBEROS5
+int ksmbd_krb5_authenticate(struct ksmbd_session *sess,
+ char *in_blob, int in_len,
+ char *out_blob, int *out_len)
+{
+ struct ksmbd_spnego_authen_response *resp;
+ struct ksmbd_user *user = NULL;
+ int retval;
+
+ resp = ksmbd_ipc_spnego_authen_request(in_blob, in_len);
+ if (!resp) {
+ ksmbd_debug(AUTH, "SPNEGO_AUTHEN_REQUEST failure\n");
+ return -EINVAL;
+ }
+
+ if (!(resp->login_response.status & KSMBD_USER_FLAG_OK)) {
+ ksmbd_debug(AUTH, "krb5 authentication failure\n");
+ retval = -EPERM;
+ goto out;
+ }
+
+ if (*out_len <= resp->spnego_blob_len) {
+ ksmbd_debug(AUTH, "buf len %d, but blob len %d\n",
+ *out_len, resp->spnego_blob_len);
+ retval = -EINVAL;
+ goto out;
+ }
+
+ if (resp->session_key_len > sizeof(sess->sess_key)) {
+ ksmbd_debug(AUTH, "session key is too long\n");
+ retval = -EINVAL;
+ goto out;
+ }
+
+ user = ksmbd_alloc_user(&resp->login_response);
+ if (!user) {
+ ksmbd_debug(AUTH, "login failure\n");
+ retval = -ENOMEM;
+ goto out;
+ }
+ sess->user = user;
+
+ memcpy(sess->sess_key, resp->payload, resp->session_key_len);
+ memcpy(out_blob, resp->payload + resp->session_key_len,
+ resp->spnego_blob_len);
+ *out_len = resp->spnego_blob_len;
+ retval = 0;
+out:
+ ksmbd_free(resp);
+ return retval;
+}
+#else
+int ksmbd_krb5_authenticate(struct ksmbd_session *sess,
+ char *in_blob, int in_len,
+ char *out_blob, int *out_len)
+{
+ return -EOPNOTSUPP;
+}
+#endif
+
+/**
+ * ksmbd_sign_smb2_pdu() - function to generate packet signing
+ * @conn: connection
+ * @key: signing key
+ * @iov: buffer iov array
+ * @n_vec: number of iovecs
+ * @sig: signature value generated for client request packet
+ *
+ */
+int ksmbd_sign_smb2_pdu(struct ksmbd_conn *conn,
+ char *key,
+ struct kvec *iov,
+ int n_vec,
+ char *sig)
+{
+ struct ksmbd_crypto_ctx *ctx;
+ int rc = -EINVAL;
+ int i;
+
+ ctx = ksmbd_crypto_ctx_find_hmacsha256();
+ if (!ctx) {
+ ksmbd_debug(AUTH, "could not crypto alloc hmacmd5 rc %d\n", rc);
+ goto out;
+ }
+
+ rc = crypto_shash_setkey(CRYPTO_HMACSHA256_TFM(ctx),
+ key,
+ SMB2_NTLMV2_SESSKEY_SIZE);
+ if (rc)
+ goto out;
+
+ rc = crypto_shash_init(CRYPTO_HMACSHA256(ctx));
+ if (rc) {
+ ksmbd_debug(AUTH, "hmacsha256 init error %d\n", rc);
+ goto out;
+ }
+
+ for (i = 0; i < n_vec; i++) {
+ rc = crypto_shash_update(CRYPTO_HMACSHA256(ctx),
+ iov[i].iov_base,
+ iov[i].iov_len);
+ if (rc) {
+ ksmbd_debug(AUTH, "hmacsha256 update error %d\n", rc);
+ goto out;
+ }
+ }
+
+ rc = crypto_shash_final(CRYPTO_HMACSHA256(ctx), sig);
+ if (rc)
+ ksmbd_debug(AUTH, "hmacsha256 generation error %d\n", rc);
+out:
+ ksmbd_release_crypto_ctx(ctx);
+ return rc;
+}
+
+/**
+ * ksmbd_sign_smb3_pdu() - function to generate packet signing
+ * @conn: connection
+ * @key: signing key
+ * @iov: buffer iov array
+ * @n_vec: number of iovecs
+ * @sig: signature value generated for client request packet
+ *
+ */
+int ksmbd_sign_smb3_pdu(struct ksmbd_conn *conn,
+ char *key,
+ struct kvec *iov,
+ int n_vec,
+ char *sig)
+{
+ struct ksmbd_crypto_ctx *ctx;
+ int rc = -EINVAL;
+ int i;
+
+ ctx = ksmbd_crypto_ctx_find_cmacaes();
+ if (!ctx) {
+ ksmbd_debug(AUTH, "could not crypto alloc cmac rc %d\n", rc);
+ goto out;
+ }
+
+ rc = crypto_shash_setkey(CRYPTO_CMACAES_TFM(ctx),
+ key,
+ SMB2_CMACAES_SIZE);
+ if (rc)
+ goto out;
+
+ rc = crypto_shash_init(CRYPTO_CMACAES(ctx));
+ if (rc) {
+ ksmbd_debug(AUTH, "cmaces init error %d\n", rc);
+ goto out;
+ }
+
+ for (i = 0; i < n_vec; i++) {
+ rc = crypto_shash_update(CRYPTO_CMACAES(ctx),
+ iov[i].iov_base,
+ iov[i].iov_len);
+ if (rc) {
+ ksmbd_debug(AUTH, "cmaces update error %d\n", rc);
+ goto out;
+ }
+ }
+
+ rc = crypto_shash_final(CRYPTO_CMACAES(ctx), sig);
+ if (rc)
+ ksmbd_debug(AUTH, "cmaces generation error %d\n", rc);
+out:
+ ksmbd_release_crypto_ctx(ctx);
+ return rc;
+}
+
+struct derivation {
+ struct kvec label;
+ struct kvec context;
+ bool binding;
+};
+
+static int generate_key(struct ksmbd_session *sess, struct kvec label,
+ struct kvec context, __u8 *key, unsigned int key_size)
+{
+ unsigned char zero = 0x0;
+ __u8 i[4] = {0, 0, 0, 1};
+ __u8 L[4] = {0, 0, 0, 128};
+ int rc = -EINVAL;
+ unsigned char prfhash[SMB2_HMACSHA256_SIZE];
+ unsigned char *hashptr = prfhash;
+ struct ksmbd_crypto_ctx *ctx;
+
+ memset(prfhash, 0x0, SMB2_HMACSHA256_SIZE);
+ memset(key, 0x0, key_size);
+
+ ctx = ksmbd_crypto_ctx_find_hmacsha256();
+ if (!ctx) {
+ ksmbd_debug(AUTH, "could not crypto alloc hmacmd5 rc %d\n", rc);
+ goto smb3signkey_ret;
+ }
+
+ rc = crypto_shash_setkey(CRYPTO_HMACSHA256_TFM(ctx),
+ sess->sess_key,
+ SMB2_NTLMV2_SESSKEY_SIZE);
+ if (rc)
+ goto smb3signkey_ret;
+
+ rc = crypto_shash_init(CRYPTO_HMACSHA256(ctx));
+ if (rc) {
+ ksmbd_debug(AUTH, "hmacsha256 init error %d\n", rc);
+ goto smb3signkey_ret;
+ }
+
+ rc = crypto_shash_update(CRYPTO_HMACSHA256(ctx), i, 4);
+ if (rc) {
+ ksmbd_debug(AUTH, "could not update with n\n");
+ goto smb3signkey_ret;
+ }
+
+ rc = crypto_shash_update(CRYPTO_HMACSHA256(ctx),
+ label.iov_base,
+ label.iov_len);
+ if (rc) {
+ ksmbd_debug(AUTH, "could not update with label\n");
+ goto smb3signkey_ret;
+ }
+
+ rc = crypto_shash_update(CRYPTO_HMACSHA256(ctx), &zero, 1);
+ if (rc) {
+ ksmbd_debug(AUTH, "could not update with zero\n");
+ goto smb3signkey_ret;
+ }
+
+ rc = crypto_shash_update(CRYPTO_HMACSHA256(ctx),
+ context.iov_base,
+ context.iov_len);
+ if (rc) {
+ ksmbd_debug(AUTH, "could not update with context\n");
+ goto smb3signkey_ret;
+ }
+
+ rc = crypto_shash_update(CRYPTO_HMACSHA256(ctx), L, 4);
+ if (rc) {
+ ksmbd_debug(AUTH, "could not update with L\n");
+ goto smb3signkey_ret;
+ }
+
+ rc = crypto_shash_final(CRYPTO_HMACSHA256(ctx), hashptr);
+ if (rc) {
+ ksmbd_debug(AUTH, "Could not generate hmacmd5 hash error %d\n",
+ rc);
+ goto smb3signkey_ret;
+ }
+
+ memcpy(key, hashptr, key_size);
+
+smb3signkey_ret:
+ ksmbd_release_crypto_ctx(ctx);
+ return rc;
+}
+
+static int generate_smb3signingkey(struct ksmbd_session *sess,
+ const struct derivation *signing)
+{
+ int rc;
+ struct channel *chann;
+ char *key;
+
+ chann = lookup_chann_list(sess);
+ if (!chann)
+ return 0;
+
+ if (sess->conn->dialect >= SMB30_PROT_ID && signing->binding)
+ key = chann->smb3signingkey;
+ else
+ key = sess->smb3signingkey;
+
+ rc = generate_key(sess, signing->label, signing->context, key,
+ SMB3_SIGN_KEY_SIZE);
+ if (rc)
+ return rc;
+
+ if (!(sess->conn->dialect >= SMB30_PROT_ID && signing->binding))
+ memcpy(chann->smb3signingkey, key, SMB3_SIGN_KEY_SIZE);
+
+ ksmbd_debug(AUTH, "dumping generated AES signing keys\n");
+ ksmbd_debug(AUTH, "Session Id %llu\n", sess->id);
+ ksmbd_debug(AUTH, "Session Key %*ph\n",
+ SMB2_NTLMV2_SESSKEY_SIZE, sess->sess_key);
+ ksmbd_debug(AUTH, "Signing Key %*ph\n",
+ SMB3_SIGN_KEY_SIZE, key);
+ return rc;
+}
+
+int ksmbd_gen_smb30_signingkey(struct ksmbd_session *sess)
+{
+ struct derivation d;
+
+ d.label.iov_base = "SMB2AESCMAC";
+ d.label.iov_len = 12;
+ d.context.iov_base = "SmbSign";
+ d.context.iov_len = 8;
+ d.binding = false;
+
+ return generate_smb3signingkey(sess, &d);
+}
+
+int ksmbd_gen_smb311_signingkey(struct ksmbd_session *sess)
+{
+ struct derivation d;
+
+ d.label.iov_base = "SMBSigningKey";
+ d.label.iov_len = 14;
+ d.context.iov_base = sess->Preauth_HashValue;
+ d.context.iov_len = 64;
+ d.binding = false;
+
+ return generate_smb3signingkey(sess, &d);
+}
+
+struct derivation_twin {
+ struct derivation encryption;
+ struct derivation decryption;
+};
+
+static int generate_smb3encryptionkey(struct ksmbd_session *sess,
+ const struct derivation_twin *ptwin)
+{
+ int rc;
+
+ rc = generate_key(sess, ptwin->encryption.label,
+ ptwin->encryption.context, sess->smb3encryptionkey,
+ SMB3_SIGN_KEY_SIZE);
+ if (rc)
+ return rc;
+
+ rc = generate_key(sess, ptwin->decryption.label,
+ ptwin->decryption.context,
+ sess->smb3decryptionkey, SMB3_SIGN_KEY_SIZE);
+ if (rc)
+ return rc;
+
+ ksmbd_debug(AUTH, "dumping generated AES encryption keys\n");
+ ksmbd_debug(AUTH, "Session Id %llu\n", sess->id);
+ ksmbd_debug(AUTH, "Session Key %*ph\n",
+ SMB2_NTLMV2_SESSKEY_SIZE, sess->sess_key);
+ ksmbd_debug(AUTH, "ServerIn Key %*ph\n",
+ SMB3_SIGN_KEY_SIZE, sess->smb3encryptionkey);
+ ksmbd_debug(AUTH, "ServerOut Key %*ph\n",
+ SMB3_SIGN_KEY_SIZE, sess->smb3decryptionkey);
+ return rc;
+}
+
+int ksmbd_gen_smb30_encryptionkey(struct ksmbd_session *sess)
+{
+ struct derivation_twin twin;
+ struct derivation *d;
+
+ d = &twin.encryption;
+ d->label.iov_base = "SMB2AESCCM";
+ d->label.iov_len = 11;
+ d->context.iov_base = "ServerOut";
+ d->context.iov_len = 10;
+
+ d = &twin.decryption;
+ d->label.iov_base = "SMB2AESCCM";
+ d->label.iov_len = 11;
+ d->context.iov_base = "ServerIn ";
+ d->context.iov_len = 10;
+
+ return generate_smb3encryptionkey(sess, &twin);
+}
+
+int ksmbd_gen_smb311_encryptionkey(struct ksmbd_session *sess)
+{
+ struct derivation_twin twin;
+ struct derivation *d;
+
+ d = &twin.encryption;
+ d->label.iov_base = "SMBS2CCipherKey";
+ d->label.iov_len = 16;
+ d->context.iov_base = sess->Preauth_HashValue;
+ d->context.iov_len = 64;
+
+ d = &twin.decryption;
+ d->label.iov_base = "SMBC2SCipherKey";
+ d->label.iov_len = 16;
+ d->context.iov_base = sess->Preauth_HashValue;
+ d->context.iov_len = 64;
+
+ return generate_smb3encryptionkey(sess, &twin);
+}
+
+int ksmbd_gen_preauth_integrity_hash(struct ksmbd_conn *conn,
+ char *buf,
+ __u8 *pi_hash)
+{
+ int rc = -1;
+ struct smb2_hdr *rcv_hdr = (struct smb2_hdr *)buf;
+ char *all_bytes_msg = (char *)&rcv_hdr->ProtocolId;
+ int msg_size = be32_to_cpu(rcv_hdr->smb2_buf_length);
+ struct ksmbd_crypto_ctx *ctx = NULL;
+
+ if (conn->preauth_info->Preauth_HashId ==
+ SMB2_PREAUTH_INTEGRITY_SHA512) {
+ ctx = ksmbd_crypto_ctx_find_sha512();
+ if (!ctx) {
+ ksmbd_debug(AUTH, "could not alloc sha512 rc %d\n", rc);
+ goto out;
+ }
+ } else
+ goto out;
+
+ rc = crypto_shash_init(CRYPTO_SHA512(ctx));
+ if (rc) {
+ ksmbd_debug(AUTH, "could not init shashn");
+ goto out;
+ }
+
+ rc = crypto_shash_update(CRYPTO_SHA512(ctx), pi_hash, 64);
+ if (rc) {
+ ksmbd_debug(AUTH, "could not update with n\n");
+ goto out;
+ }
+
+ rc = crypto_shash_update(CRYPTO_SHA512(ctx), all_bytes_msg, msg_size);
+ if (rc) {
+ ksmbd_debug(AUTH, "could not update with n\n");
+ goto out;
+ }
+
+ rc = crypto_shash_final(CRYPTO_SHA512(ctx), pi_hash);
+ if (rc) {
+ ksmbd_debug(AUTH, "Could not generate hash err : %d\n", rc);
+ goto out;
+ }
+out:
+ ksmbd_release_crypto_ctx(ctx);
+ return rc;
+}
+
+int ksmbd_gen_sd_hash(struct ksmbd_conn *conn, char *sd_buf, int len,
+ __u8 *pi_hash)
+{
+ int rc = -1;
+ struct ksmbd_crypto_ctx *ctx = NULL;
+
+ ctx = ksmbd_crypto_ctx_find_sha256();
+ if (!ctx) {
+ ksmbd_debug(AUTH, "could not alloc sha256 rc %d\n", rc);
+ goto out;
+ }
+
+ rc = crypto_shash_init(CRYPTO_SHA256(ctx));
+ if (rc) {
+ ksmbd_debug(AUTH, "could not init shashn");
+ goto out;
+ }
+
+ rc = crypto_shash_update(CRYPTO_SHA256(ctx), sd_buf, len);
+ if (rc) {
+ ksmbd_debug(AUTH, "could not update with n\n");
+ goto out;
+ }
+
+ rc = crypto_shash_final(CRYPTO_SHA256(ctx), pi_hash);
+ if (rc) {
+ ksmbd_debug(AUTH, "Could not generate hash err : %d\n", rc);
+ goto out;
+ }
+out:
+ ksmbd_release_crypto_ctx(ctx);
+ return rc;
+}
+
+static int ksmbd_get_encryption_key(struct ksmbd_conn *conn,
+ __u64 ses_id,
+ int enc,
+ u8 *key)
+{
+ struct ksmbd_session *sess;
+ u8 *ses_enc_key;
+
+ sess = ksmbd_session_lookup(conn, ses_id);
+ if (!sess)
+ return 1;
+
+ ses_enc_key = enc ? sess->smb3encryptionkey :
+ sess->smb3decryptionkey;
+ memcpy(key, ses_enc_key, SMB3_SIGN_KEY_SIZE);
+
+ return 0;
+}
+
+static inline void smb2_sg_set_buf(struct scatterlist *sg, const void *buf,
+ unsigned int buflen)
+{
+ void *addr;
+
+ if (is_vmalloc_addr(buf))
+ addr = vmalloc_to_page(buf);
+ else
+ addr = virt_to_page(buf);
+ sg_set_page(sg, addr, buflen, offset_in_page(buf));
+}
+
+static struct scatterlist *ksmbd_init_sg(struct kvec *iov,
+ unsigned int nvec,
+ u8 *sign)
+{
+ struct scatterlist *sg;
+ unsigned int assoc_data_len = sizeof(struct smb2_transform_hdr) - 24;
+ int i, nr_entries[3] = {0}, total_entries = 0, sg_idx = 0;
+
+ for (i = 0; i < nvec - 1; i++) {
+ unsigned long kaddr = (unsigned long)iov[i + 1].iov_base;
+
+ if (is_vmalloc_addr(iov[i + 1].iov_base)) {
+ nr_entries[i] = ((kaddr + iov[i + 1].iov_len +
+ PAGE_SIZE - 1) >> PAGE_SHIFT) -
+ (kaddr >> PAGE_SHIFT);
+ } else
+ nr_entries[i]++;
+ total_entries += nr_entries[i];
+ }
+
+ /* Add two entries for transform header and signature */
+ total_entries += 2;
+
+ sg = kmalloc_array(total_entries, sizeof(struct scatterlist), GFP_KERNEL);
+ if (!sg)
+ return NULL;
+
+ sg_init_table(sg, total_entries);
+ smb2_sg_set_buf(&sg[sg_idx++], iov[0].iov_base + 24, assoc_data_len);
+ for (i = 0; i < nvec - 1; i++) {
+ void *data = iov[i + 1].iov_base;
+ int len = iov[i + 1].iov_len;
+
+ if (is_vmalloc_addr(data)) {
+ int j, offset = offset_in_page(data);
+
+ for (j = 0; j < nr_entries[i]; j++) {
+ unsigned int bytes = PAGE_SIZE - offset;
+
+ if (len <= 0)
+ break;
+
+ if (bytes > len)
+ bytes = len;
+
+ sg_set_page(&sg[sg_idx++],
+ vmalloc_to_page(data), bytes,
+ offset_in_page(data));
+
+ data += bytes;
+ len -= bytes;
+ offset = 0;
+ }
+ } else {
+ sg_set_page(&sg[sg_idx++], virt_to_page(data), len,
+ offset_in_page(data));
+ }
+
+ }
+ smb2_sg_set_buf(&sg[sg_idx], sign, SMB2_SIGNATURE_SIZE);
+ return sg;
+}
+
+int ksmbd_crypt_message(struct ksmbd_conn *conn,
+ struct kvec *iov,
+ unsigned int nvec,
+ int enc)
+{
+ struct smb2_transform_hdr *tr_hdr =
+ (struct smb2_transform_hdr *)iov[0].iov_base;
+ unsigned int assoc_data_len = sizeof(struct smb2_transform_hdr) - 24;
+ int rc = 0;
+ struct scatterlist *sg;
+ u8 sign[SMB2_SIGNATURE_SIZE] = {};
+ u8 key[SMB3_SIGN_KEY_SIZE];
+ struct aead_request *req;
+ char *iv;
+ unsigned int iv_len;
+ struct crypto_aead *tfm;
+ unsigned int crypt_len = le32_to_cpu(tr_hdr->OriginalMessageSize);
+ struct ksmbd_crypto_ctx *ctx;
+
+ rc = ksmbd_get_encryption_key(conn,
+ le64_to_cpu(tr_hdr->SessionId),
+ enc,
+ key);
+ if (rc) {
+ ksmbd_err("Could not get %scryption key\n", enc ? "en" : "de");
+ return 0;
+ }
+
+ if (conn->cipher_type == SMB2_ENCRYPTION_AES128_GCM)
+ ctx = ksmbd_crypto_ctx_find_gcm();
+ else
+ ctx = ksmbd_crypto_ctx_find_ccm();
+ if (!ctx) {
+ ksmbd_err("crypto alloc failed\n");
+ return -EINVAL;
+ }
+
+ if (conn->cipher_type == SMB2_ENCRYPTION_AES128_GCM)
+ tfm = CRYPTO_GCM(ctx);
+ else
+ tfm = CRYPTO_CCM(ctx);
+
+ rc = crypto_aead_setkey(tfm, key, SMB3_SIGN_KEY_SIZE);
+ if (rc) {
+ ksmbd_err("Failed to set aead key %d\n", rc);
+ goto free_ctx;
+ }
+
+ rc = crypto_aead_setauthsize(tfm, SMB2_SIGNATURE_SIZE);
+ if (rc) {
+ ksmbd_err("Failed to set authsize %d\n", rc);
+ goto free_ctx;
+ }
+
+ req = aead_request_alloc(tfm, GFP_KERNEL);
+ if (!req) {
+ ksmbd_err("Failed to alloc aead request\n");
+ rc = -ENOMEM;
+ goto free_ctx;
+ }
+
+ if (!enc) {
+ memcpy(sign, &tr_hdr->Signature, SMB2_SIGNATURE_SIZE);
+ crypt_len += SMB2_SIGNATURE_SIZE;
+ }
+
+ sg = ksmbd_init_sg(iov, nvec, sign);
+ if (!sg) {
+ ksmbd_err("Failed to init sg\n");
+ rc = -ENOMEM;
+ goto free_req;
+ }
+
+ iv_len = crypto_aead_ivsize(tfm);
+ iv = kzalloc(iv_len, GFP_KERNEL);
+ if (!iv) {
+ ksmbd_err("Failed to alloc IV\n");
+ rc = -ENOMEM;
+ goto free_sg;
+ }
+
+ if (conn->cipher_type == SMB2_ENCRYPTION_AES128_GCM)
+ memcpy(iv, (char *)tr_hdr->Nonce, SMB3_AES128GCM_NONCE);
+ else {
+ iv[0] = 3;
+ memcpy(iv + 1, (char *)tr_hdr->Nonce, SMB3_AES128CCM_NONCE);
+ }
+
+ aead_request_set_crypt(req, sg, sg, crypt_len, iv);
+ aead_request_set_ad(req, assoc_data_len);
+ aead_request_set_callback(req, CRYPTO_TFM_REQ_MAY_SLEEP, NULL, NULL);
+
+ if (enc)
+ rc = crypto_aead_encrypt(req);
+ else
+ rc = crypto_aead_decrypt(req);
+ if (!rc && enc)
+ memcpy(&tr_hdr->Signature, sign, SMB2_SIGNATURE_SIZE);
+
+ kfree(iv);
+free_sg:
+ kfree(sg);
+free_req:
+ kfree(req);
+free_ctx:
+ ksmbd_release_crypto_ctx(ctx);
+ return rc;
+}
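Review bot: ksmbd_decode_ntlmssp_auth_blob() takes lm_off, nt_off, nt_len and DomainName.BufferOffset/Length from the client blob and never checks them against blob_len, so the pointers passed to __ksmbd_auth_ntlmv2(), ksmbd_auth_ntlm(), smb_strndup_from_utf16() and ksmbd_auth_ntlmv2() can point outside the received buffer. In the same function, `nt_len - CIFS_ENCPWD_SIZE` becomes negative when nt_len is smaller than CIFS_ENCPWD_SIZE, and that value is then used as `blen` for the kzalloc() size and the memcpy() length in ksmbd_auth_ntlmv2(). Please check every offset plus length against blob_len and reject a short nt_len before the first dereference. The `blob_len < sizeof(...)` tests compare a signed int with a size_t, so a negative blob_len is converted to a large unsigned value and passes them; blob_len should be unsigned or checked for < 0 first. Two smaller points: the authentication results come from plain memcmp() on the NTLM/NTLMv2 responses, where crypto_memneq() would avoid a timing-dependent compare, and ksmbd_crypt_message() returns 0 when ksmbd_get_encryption_key() fails, so the caller sees success although nothing was encrypted or decrypted; that path should return an error.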
diff --git a/fs/cifsd/auth.h b/fs/cifsd/auth.h
new file mode 100644
index 000000000000..6fcfad5e7e1f
--- /dev/null
+++ b/fs/cifsd/auth.h
@@ -0,0 +1,90 @@
+/* SPDX-License-Identifier: GPL-2.0-or-later */
+/*
+ * Copyright (C) 2018 Samsung Electronics Co., Ltd.
+ */
+
+#ifndef __AUTH_H__
+#define __AUTH_H__
+
+#include "ntlmssp.h"
+
+#ifdef CONFIG_SMB_SERVER_KERBEROS5
+#define AUTH_GSS_LENGTH 96
+#define AUTH_GSS_PADDING 0
+#else
+#define AUTH_GSS_LENGTH 74
+#define AUTH_GSS_PADDING 6
+#endif
+
+#define CIFS_HMAC_MD5_HASH_SIZE (16)
+#define CIFS_NTHASH_SIZE (16)
+
+/*
+ * Size of the ntlm client response
+ */
+#define CIFS_AUTH_RESP_SIZE 24
+#define CIFS_SMB1_SIGNATURE_SIZE 8
+#define CIFS_SMB1_SESSKEY_SIZE 16
+
+#define KSMBD_AUTH_NTLMSSP 0x0001
+#define KSMBD_AUTH_KRB5 0x0002
+#define KSMBD_AUTH_MSKRB5 0x0004
+#define KSMBD_AUTH_KRB5U2U 0x0008
+
+struct ksmbd_session;
+struct ksmbd_conn;
+struct kvec;
+
+int ksmbd_crypt_message(struct ksmbd_conn *conn,
+ struct kvec *iov,
+ unsigned int nvec,
+ int enc);
+
+void ksmbd_copy_gss_neg_header(void *buf);
+
+int ksmbd_auth_ntlm(struct ksmbd_session *sess,
+ char *pw_buf);
+
+int ksmbd_auth_ntlmv2(struct ksmbd_session *sess,
+ struct ntlmv2_resp *ntlmv2,
+ int blen,
+ char *domain_name);
+
+int ksmbd_decode_ntlmssp_auth_blob(struct authenticate_message *authblob,
+ int blob_len,
+ struct ksmbd_session *sess);
+
+int ksmbd_decode_ntlmssp_neg_blob(struct negotiate_message *negblob,
+ int blob_len,
+ struct ksmbd_session *sess);
+
+unsigned int
+ksmbd_build_ntlmssp_challenge_blob(struct challenge_message *chgblob,
+ struct ksmbd_session *sess);
+
+int ksmbd_krb5_authenticate(struct ksmbd_session *sess,
+ char *in_blob, int in_len,
+ char *out_blob, int *out_len);
+
+int ksmbd_sign_smb2_pdu(struct ksmbd_conn *conn,
+ char *key,
+ struct kvec *iov,
+ int n_vec,
+ char *sig);
+int ksmbd_sign_smb3_pdu(struct ksmbd_conn *conn,
+ char *key,
+ struct kvec *iov,
+ int n_vec,
+ char *sig);
+
+int ksmbd_gen_smb30_signingkey(struct ksmbd_session *sess);
+int ksmbd_gen_smb311_signingkey(struct ksmbd_session *sess);
+int ksmbd_gen_smb30_encryptionkey(struct ksmbd_session *sess);
+int ksmbd_gen_smb311_encryptionkey(struct ksmbd_session *sess);
+
+int ksmbd_gen_preauth_integrity_hash(struct ksmbd_conn *conn,
+ char *buf,
+ __u8 *pi_hash);
+int ksmbd_gen_sd_hash(struct ksmbd_conn *conn, char *sd_buf, int len,
+ __u8 *pi_hash);
+#endif
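Review bot: ksmbd_build_ntlmssp_challenge_blob() is declared here as returning unsigned int, but the implementation in auth.c does `return -ENOMEM;` when the kmalloc() for the name fails, so the caller receives a very large positive blob length instead of an error. Please make the return type int (and have callers check for < 0), or return the length through an out parameter. The kernel-doc for this function and for ksmbd_decode_ntlmssp_neg_blob() in auth.c also lists an @rsp parameter that neither prototype has, and omits blob_len.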
diff --git a/fs/cifsd/crypto_ctx.c b/fs/cifsd/crypto_ctx.c
new file mode 100644
index 000000000000..15d7e2f7c3d7
--- /dev/null
+++ b/fs/cifsd/crypto_ctx.c
@@ -0,0 +1,287 @@
+// SPDX-License-Identifier: GPL-2.0-or-later
+/*
+ * Copyright (C) 2019 Samsung Electronics Co., Ltd.
+ */
+
+#include <linux/kernel.h>
+#include <linux/string.h>
+#include <linux/err.h>
+#include <linux/slab.h>
+#include <linux/wait.h>
+#include <linux/sched.h>
+#include <linux/version.h>
+
+#include "glob.h"
+#include "crypto_ctx.h"
+#include "buffer_pool.h"
+
+struct crypto_ctx_list {
+ spinlock_t ctx_lock;
+ int avail_ctx;
+ struct list_head idle_ctx;
+ wait_queue_head_t ctx_wait;
+};
+
+static struct crypto_ctx_list ctx_list;
+
+static inline void free_aead(struct crypto_aead *aead)
+{
+ if (aead)
+ crypto_free_aead(aead);
+}
+
+static void free_shash(struct shash_desc *shash)
+{
+ if (shash) {
+ crypto_free_shash(shash->tfm);
+ kfree(shash);
+ }
+}
+
+static struct crypto_aead *alloc_aead(int id)
+{
+ struct crypto_aead *tfm = NULL;
+
+ switch (id) {
+ case CRYPTO_AEAD_AES128_GCM:
+ tfm = crypto_alloc_aead("gcm(aes)", 0, 0);
+ break;
+ case CRYPTO_AEAD_AES128_CCM:
+ tfm = crypto_alloc_aead("ccm(aes)", 0, 0);
+ break;
+ default:
+ ksmbd_err("Does not support encrypt ahead(id : %d)\n", id);
+ return NULL;
+ }
+
+ if (IS_ERR(tfm)) {
+ ksmbd_err("Failed to alloc encrypt aead : %ld\n", PTR_ERR(tfm));
+ return NULL;
+ }
+
+ return tfm;
+}
+
+static struct shash_desc *alloc_shash_desc(int id)
+{
+ struct crypto_shash *tfm = NULL;
+ struct shash_desc *shash;
+
+ switch (id) {
+ case CRYPTO_SHASH_HMACMD5:
+ tfm = crypto_alloc_shash("hmac(md5)", 0, 0);
+ break;
+ case CRYPTO_SHASH_HMACSHA256:
+ tfm = crypto_alloc_shash("hmac(sha256)", 0, 0);
+ break;
+ case CRYPTO_SHASH_CMACAES:
+ tfm = crypto_alloc_shash("cmac(aes)", 0, 0);
+ break;
+ case CRYPTO_SHASH_SHA256:
+ tfm = crypto_alloc_shash("sha256", 0, 0);
+ break;
+ case CRYPTO_SHASH_SHA512:
+ tfm = crypto_alloc_shash("sha512", 0, 0);
+ break;
+ case CRYPTO_SHASH_MD4:
+ tfm = crypto_alloc_shash("md4", 0, 0);
+ break;
+ case CRYPTO_SHASH_MD5:
+ tfm = crypto_alloc_shash("md5", 0, 0);
+ break;
+ }
+
+ if (IS_ERR(tfm))
+ return NULL;
+
+ shash = kzalloc(sizeof(*shash) + crypto_shash_descsize(tfm),
+ GFP_KERNEL);
+ if (!shash)
+ crypto_free_shash(tfm);
+ else
+ shash->tfm = tfm;
+ return shash;
+}
+
+static struct ksmbd_crypto_ctx *ctx_alloc(void)
+{
+ return ksmbd_alloc(sizeof(struct ksmbd_crypto_ctx));
+}
+
+static void ctx_free(struct ksmbd_crypto_ctx *ctx)
+{
+ int i;
+
+ for (i = 0; i < CRYPTO_SHASH_MAX; i++)
+ free_shash(ctx->desc[i]);
+ for (i = 0; i < CRYPTO_AEAD_MAX; i++)
+ free_aead(ctx->ccmaes[i]);
+ ksmbd_free(ctx);
+}
+
+static struct ksmbd_crypto_ctx *ksmbd_find_crypto_ctx(void)
+{
+ struct ksmbd_crypto_ctx *ctx;
+
+ while (1) {
+ spin_lock(&ctx_list.ctx_lock);
+ if (!list_empty(&ctx_list.idle_ctx)) {
+ ctx = list_entry(ctx_list.idle_ctx.next,
+ struct ksmbd_crypto_ctx,
+ list);
+ list_del(&ctx->list);
+ spin_unlock(&ctx_list.ctx_lock);
+ return ctx;
+ }
+
+ if (ctx_list.avail_ctx > num_online_cpus()) {
+ spin_unlock(&ctx_list.ctx_lock);
+ wait_event(ctx_list.ctx_wait,
+ !list_empty(&ctx_list.idle_ctx));
+ continue;
+ }
+
+ ctx_list.avail_ctx++;
+ spin_unlock(&ctx_list.ctx_lock);
+
+ ctx = ctx_alloc();
+ if (!ctx) {
+ spin_lock(&ctx_list.ctx_lock);
+ ctx_list.avail_ctx--;
+ spin_unlock(&ctx_list.ctx_lock);
+ wait_event(ctx_list.ctx_wait,
+ !list_empty(&ctx_list.idle_ctx));
+ continue;
+ }
+ break;
+ }
+ return ctx;
+}
+
+void ksmbd_release_crypto_ctx(struct ksmbd_crypto_ctx *ctx)
+{
+ if (!ctx)
+ return;
+
+ spin_lock(&ctx_list.ctx_lock);
+ if (ctx_list.avail_ctx <= num_online_cpus()) {
+ list_add(&ctx->list, &ctx_list.idle_ctx);
+ spin_unlock(&ctx_list.ctx_lock);
+ wake_up(&ctx_list.ctx_wait);
+ return;
+ }
+
+ ctx_list.avail_ctx--;
+ spin_unlock(&ctx_list.ctx_lock);
+ ctx_free(ctx);
+}
+
+static struct ksmbd_crypto_ctx *____crypto_shash_ctx_find(int id)
+{
+ struct ksmbd_crypto_ctx *ctx;
+
+ if (id >= CRYPTO_SHASH_MAX)
+ return NULL;
+
+ ctx = ksmbd_find_crypto_ctx();
+ if (ctx->desc[id])
+ return ctx;
+
+ ctx->desc[id] = alloc_shash_desc(id);
+ if (ctx->desc[id])
+ return ctx;
+ ksmbd_release_crypto_ctx(ctx);
+ return NULL;
+}
+
+struct ksmbd_crypto_ctx *ksmbd_crypto_ctx_find_hmacmd5(void)
+{
+ return ____crypto_shash_ctx_find(CRYPTO_SHASH_HMACMD5);
+}
+
+struct ksmbd_crypto_ctx *ksmbd_crypto_ctx_find_hmacsha256(void)
+{
+ return ____crypto_shash_ctx_find(CRYPTO_SHASH_HMACSHA256);
+}
+
+struct ksmbd_crypto_ctx *ksmbd_crypto_ctx_find_cmacaes(void)
+{
+ return ____crypto_shash_ctx_find(CRYPTO_SHASH_CMACAES);
+}
+
+struct ksmbd_crypto_ctx *ksmbd_crypto_ctx_find_sha256(void)
+{
+ return ____crypto_shash_ctx_find(CRYPTO_SHASH_SHA256);
+}
+
+struct ksmbd_crypto_ctx *ksmbd_crypto_ctx_find_sha512(void)
+{
+ return ____crypto_shash_ctx_find(CRYPTO_SHASH_SHA512);
+}
+
+struct ksmbd_crypto_ctx *ksmbd_crypto_ctx_find_md4(void)
+{
+ return ____crypto_shash_ctx_find(CRYPTO_SHASH_MD4);
+}
+
+struct ksmbd_crypto_ctx *ksmbd_crypto_ctx_find_md5(void)
+{
+ return ____crypto_shash_ctx_find(CRYPTO_SHASH_MD5);
+}
+
+static struct ksmbd_crypto_ctx *____crypto_aead_ctx_find(int id)
+{
+ struct ksmbd_crypto_ctx *ctx;
+
+ if (id >= CRYPTO_AEAD_MAX)
+ return NULL;
+
+ ctx = ksmbd_find_crypto_ctx();
+ if (ctx->ccmaes[id])
+ return ctx;
+
+ ctx->ccmaes[id] = alloc_aead(id);
+ if (ctx->ccmaes[id])
+ return ctx;
+ ksmbd_release_crypto_ctx(ctx);
+ return NULL;
+}
+
+struct ksmbd_crypto_ctx *ksmbd_crypto_ctx_find_gcm(void)
+{
+ return ____crypto_aead_ctx_find(CRYPTO_AEAD_AES128_GCM);
+}
+
+struct ksmbd_crypto_ctx *ksmbd_crypto_ctx_find_ccm(void)
+{
+ return ____crypto_aead_ctx_find(CRYPTO_AEAD_AES128_CCM);
+}
+
+void ksmbd_crypto_destroy(void)
+{
+ struct ksmbd_crypto_ctx *ctx;
+
+ while (!list_empty(&ctx_list.idle_ctx)) {
+ ctx = list_entry(ctx_list.idle_ctx.next,
+ struct ksmbd_crypto_ctx,
+ list);
+ list_del(&ctx->list);
+ ctx_free(ctx);
+ }
+}
+
+int ksmbd_crypto_create(void)
+{
+ struct ksmbd_crypto_ctx *ctx;
+
+ spin_lock_init(&ctx_list.ctx_lock);
+ INIT_LIST_HEAD(&ctx_list.idle_ctx);
+ init_waitqueue_head(&ctx_list.ctx_wait);
+ ctx_list.avail_ctx = 1;
+
+ ctx = ctx_alloc();
+ if (!ctx)
+ return -ENOMEM;
+ list_add(&ctx->list, &ctx_list.idle_ctx);
+ return 0;
+}
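Review bot: the switch in alloc_shash_desc() has no default case, so for an id that matches none of the cases tfm stays NULL, IS_ERR(tfm) is false, and the NULL tfm is passed on to crypto_shash_descsize(). The only guard is the `id >= CRYPTO_SHASH_MAX` test in ____crypto_shash_ctx_find(), which does not cover a negative id; a `default: return NULL;` here, as alloc_aead() already has, would make the function safe on its own. Also, ____crypto_shash_ctx_find() and ____crypto_aead_ctx_find() test ctx->desc[id] and ctx->ccmaes[id] for NULL on a context that came straight from ctx_alloc(), which only works if ksmbd_alloc() returns zeroed memory; please state that in a comment or zero the structure explicitly. In ksmbd_find_crypto_ctx(), when ctx_alloc() fails the code waits for idle_ctx to become non-empty with no timeout or error return, which is worth a comment explaining why that cannot block indefinitely.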
diff --git a/fs/cifsd/crypto_ctx.h b/fs/cifsd/crypto_ctx.h
new file mode 100644
index 000000000000..64a11dfd6c83
--- /dev/null
+++ b/fs/cifsd/crypto_ctx.h
@@ -0,0 +1,77 @@
+/* SPDX-License-Identifier: GPL-2.0-or-later */
+/*
+ * Copyright (C) 2019 Samsung Electronics Co., Ltd.
+ */
+
+#ifndef __CRYPTO_CTX_H__
+#define __CRYPTO_CTX_H__
+
+#include <crypto/hash.h>
+#include <crypto/aead.h>
+
+enum {
+ CRYPTO_SHASH_HMACMD5 = 0,
+ CRYPTO_SHASH_HMACSHA256,
+ CRYPTO_SHASH_CMACAES,
+ CRYPTO_SHASH_SHA256,
+ CRYPTO_SHASH_SHA512,
+ CRYPTO_SHASH_MD4,
+ CRYPTO_SHASH_MD5,
+ CRYPTO_SHASH_MAX,
+};
+
+enum {
+ CRYPTO_AEAD_AES128_GCM = 16,
+ CRYPTO_AEAD_AES128_CCM,
+ CRYPTO_AEAD_MAX,
+};
+
+enum {
+ CRYPTO_BLK_ECBDES = 32,
+ CRYPTO_BLK_MAX,
+};
+
+struct ksmbd_crypto_ctx {
+ struct list_head list;
+
+ struct shash_desc *desc[CRYPTO_SHASH_MAX];
+ struct crypto_aead *ccmaes[CRYPTO_AEAD_MAX];
+};
+
+#define CRYPTO_HMACMD5(c) ((c)->desc[CRYPTO_SHASH_HMACMD5])
+#define CRYPTO_HMACSHA256(c) ((c)->desc[CRYPTO_SHASH_HMACSHA256])
+#define CRYPTO_CMACAES(c) ((c)->desc[CRYPTO_SHASH_CMACAES])
+#define CRYPTO_SHA256(c) ((c)->desc[CRYPTO_SHASH_SHA256])
+#define CRYPTO_SHA512(c) ((c)->desc[CRYPTO_SHASH_SHA512])
+#define CRYPTO_MD4(c) ((c)->desc[CRYPTO_SHASH_MD4])
+#define CRYPTO_MD5(c) ((c)->desc[CRYPTO_SHASH_MD5])
+
+#define CRYPTO_HMACMD5_TFM(c) ((c)->desc[CRYPTO_SHASH_HMACMD5]->tfm)
+#define CRYPTO_HMACSHA256_TFM(c)\
+ ((c)->desc[CRYPTO_SHASH_HMACSHA256]->tfm)
+#define CRYPTO_CMACAES_TFM(c) ((c)->desc[CRYPTO_SHASH_CMACAES]->tfm)
+#define CRYPTO_SHA256_TFM(c) ((c)->desc[CRYPTO_SHASH_SHA256]->tfm)
+#define CRYPTO_SHA512_TFM(c) ((c)->desc[CRYPTO_SHASH_SHA512]->tfm)
+#define CRYPTO_MD4_TFM(c) ((c)->desc[CRYPTO_SHASH_MD4]->tfm)
+#define CRYPTO_MD5_TFM(c) ((c)->desc[CRYPTO_SHASH_MD5]->tfm)
+
+#define CRYPTO_GCM(c) ((c)->ccmaes[CRYPTO_AEAD_AES128_GCM])
+#define CRYPTO_CCM(c) ((c)->ccmaes[CRYPTO_AEAD_AES128_CCM])
+
+void ksmbd_release_crypto_ctx(struct ksmbd_crypto_ctx *ctx);
+
+struct ksmbd_crypto_ctx *ksmbd_crypto_ctx_find_hmacmd5(void);
+struct ksmbd_crypto_ctx *ksmbd_crypto_ctx_find_hmacsha256(void);
+struct ksmbd_crypto_ctx *ksmbd_crypto_ctx_find_cmacaes(void);
+struct ksmbd_crypto_ctx *ksmbd_crypto_ctx_find_sha512(void);
+struct ksmbd_crypto_ctx *ksmbd_crypto_ctx_find_sha256(void);
+struct ksmbd_crypto_ctx *ksmbd_crypto_ctx_find_md4(void);
+struct ksmbd_crypto_ctx *ksmbd_crypto_ctx_find_md5(void);
+
+struct ksmbd_crypto_ctx *ksmbd_crypto_ctx_find_gcm(void);
+struct ksmbd_crypto_ctx *ksmbd_crypto_ctx_find_ccm(void);
+
+void ksmbd_crypto_destroy(void);
+int ksmbd_crypto_create(void);
+
+#endif /* __CRYPTO_CTX_H__ */
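Review bot: ccmaes[] is sized by CRYPTO_AEAD_MAX, but the AEAD enum starts at 16, so the array has 18 slots of which only [16] and [17] are ever used; any loop from 0 to CRYPTO_AEAD_MAX will see 16 NULL entries. Number the AEAD ids from 0, or index with (id - CRYPTO_AEAD_AES128_GCM) and size the array accordingly. The field also holds the GCM transform, so a neutral name such as aead[] would read better than ccmaes[]. The CRYPTO_BLK_* enum has no user in this header and can be dropped until something needs it.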
diff --git a/fs/cifsd/mgmt/ksmbd_ida.c b/fs/cifsd/mgmt/ksmbd_ida.c
new file mode 100644
index 000000000000..cbc9fd049852
--- /dev/null
+++ b/fs/cifsd/mgmt/ksmbd_ida.c
@@ -0,0 +1,69 @@
+// SPDX-License-Identifier: GPL-2.0-or-later
+/*
+ * Copyright (C) 2018 Samsung Electronics Co., Ltd.
+ */
+
+#include "ksmbd_ida.h"
+
+struct ksmbd_ida *ksmbd_ida_alloc(void)
+{
+ struct ksmbd_ida *ida;
+
+ ida = kmalloc(sizeof(struct ksmbd_ida), GFP_KERNEL);
+ if (!ida)
+ return NULL;
+
+ ida_init(&ida->map);
+ return ida;
+}
+
+void ksmbd_ida_free(struct ksmbd_ida *ida)
+{
+ if (!ida)
+ return;
+
+ ida_destroy(&ida->map);
+ kfree(ida);
+}
+
+static inline int __acquire_id(struct ksmbd_ida *ida, int from, int to)
+{
+ return ida_simple_get(&ida->map, from, to, GFP_KERNEL);
+}
+
+int ksmbd_acquire_smb2_tid(struct ksmbd_ida *ida)
+{
+ int id;
+
+ do {
+ id = __acquire_id(ida, 0, 0);
+ } while (id == 0xFFFF);
+
+ return id;
+}
+
+int ksmbd_acquire_smb2_uid(struct ksmbd_ida *ida)
+{
+ int id;
+
+ do {
+ id = __acquire_id(ida, 1, 0);
+ } while (id == 0xFFFE);
+
+ return id;
+}
+
+int ksmbd_acquire_async_msg_id(struct ksmbd_ida *ida)
+{
+ return __acquire_id(ida, 1, 0);
+}
+
+int ksmbd_acquire_id(struct ksmbd_ida *ida)
+{
+ return __acquire_id(ida, 0, 0);
+}
+
+void ksmbd_release_id(struct ksmbd_ida *ida, int id)
+{
+ ida_simple_remove(&ida->map, id);
+}
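Review bot: The do/while loops in ksmbd_acquire_smb2_tid() and ksmbd_acquire_smb2_uid() skip the reserved value by allocating it and never releasing it, so 0xFFFF or 0xFFFE stays marked in the ida for its lifetime. That works, but it is not obvious from the code; please add a one-line comment saying the reserved id is intentionally left allocated. Separately, the ida hands out the lowest free id, so a released session or tree id is reused by the next setup; worth a comment on whether callers tolerate immediate reuse of an id that a client may still hold.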
diff --git a/fs/cifsd/mgmt/ksmbd_ida.h b/fs/cifsd/mgmt/ksmbd_ida.h
new file mode 100644
index 000000000000..b075156adf23
--- /dev/null
+++ b/fs/cifsd/mgmt/ksmbd_ida.h
@@ -0,0 +1,41 @@
+/* SPDX-License-Identifier: GPL-2.0-or-later */
+/*
+ * Copyright (C) 2018 Samsung Electronics Co., Ltd.
+ */
+
+#ifndef __KSMBD_IDA_MANAGEMENT_H__
+#define __KSMBD_IDA_MANAGEMENT_H__
+
+#include <linux/slab.h>
+#include <linux/idr.h>
+
+struct ksmbd_ida {
+ struct ida map;
+};
+
+struct ksmbd_ida *ksmbd_ida_alloc(void);
+void ksmbd_ida_free(struct ksmbd_ida *ida);
+
+/*
+ * 2.2.1.6.7 TID Generation
+ * The value 0xFFFF MUST NOT be used as a valid TID. All other
+ * possible values for TID, including zero (0x0000), are valid.
+ * The value 0xFFFF is used to specify all TIDs or no TID,
+ * depending upon the context in which it is used.
+ */
+int ksmbd_acquire_smb2_tid(struct ksmbd_ida *ida);
+
+/*
+ * 2.2.1.6.8 UID Generation
+ * The value 0xFFFE was declared reserved in the LAN Manager 1.0
+ * documentation, so a value of 0xFFFE SHOULD NOT be used as a
+ * valid UID.<21> All other possible values for a UID, excluding
+ * zero (0x0000), are valid.
+ */
+int ksmbd_acquire_smb2_uid(struct ksmbd_ida *ida);
+int ksmbd_acquire_async_msg_id(struct ksmbd_ida *ida);
+
+int ksmbd_acquire_id(struct ksmbd_ida *ida);
+
+void ksmbd_release_id(struct ksmbd_ida *ida, int id);
+#endif /* __KSMBD_IDA_MANAGEMENT_H__ */
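Review bot: The two block comments cite section numbers ("2.2.1.6.7", "2.2.1.6.8") without naming the specification, and the text describes 16-bit reserved values while the functions they document are named ksmbd_acquire_smb2_tid() and ksmbd_acquire_smb2_uid(). Name the document, say why the same reserved values are applied to SMB2 ids, and drop the leftover "<21>" footnote marker in the UID comment.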
diff --git a/fs/cifsd/mgmt/share_config.c b/fs/cifsd/mgmt/share_config.c
new file mode 100644
index 000000000000..0593702babfe
--- /dev/null
+++ b/fs/cifsd/mgmt/share_config.c
@@ -0,0 +1,239 @@
+// SPDX-License-Identifier: GPL-2.0-or-later
+/*
+ * Copyright (C) 2018 Samsung Electronics Co., Ltd.
+ */
+
+#include <linux/list.h>
+#include <linux/jhash.h>
+#include <linux/slab.h>
+#include <linux/rwsem.h>
+#include <linux/parser.h>
+#include <linux/namei.h>
+#include <linux/sched.h>
+
+#include "share_config.h"
+#include "user_config.h"
+#include "user_session.h"
+#include "../buffer_pool.h"
+#include "../transport_ipc.h"
+#include "../ksmbd_server.h" /* FIXME */
+
+#define SHARE_HASH_BITS 3
+static DEFINE_HASHTABLE(shares_table, SHARE_HASH_BITS);
+static DECLARE_RWSEM(shares_table_lock);
+
+struct ksmbd_veto_pattern {
+ char *pattern;
+ struct list_head list;
+};
+
+static unsigned int share_name_hash(char *name)
+{
+ return jhash(name, strlen(name), 0);
+}
+
+static void kill_share(struct ksmbd_share_config *share)
+{
+ while (!list_empty(&share->veto_list)) {
+ struct ksmbd_veto_pattern *p;
+
+ p = list_entry(share->veto_list.next,
+ struct ksmbd_veto_pattern,
+ list);
+ list_del(&p->list);
+ kfree(p->pattern);
+ kfree(p);
+ }
+
+ if (share->path)
+ path_put(&share->vfs_path);
+ kfree(share->name);
+ kfree(share->path);
+ kfree(share);
+}
+
+void __ksmbd_share_config_put(struct ksmbd_share_config *share)
+{
+ down_write(&shares_table_lock);
+ hash_del(&share->hlist);
+ up_write(&shares_table_lock);
+
+ kill_share(share);
+}
+
+static struct ksmbd_share_config *
+__get_share_config(struct ksmbd_share_config *share)
+{
+ if (!atomic_inc_not_zero(&share->refcount))
+ return NULL;
+ return share;
+}
+
+static struct ksmbd_share_config *__share_lookup(char *name)
+{
+ struct ksmbd_share_config *share;
+ unsigned int key = share_name_hash(name);
+
+ hash_for_each_possible(shares_table, share, hlist, key) {
+ if (!strcmp(name, share->name))
+ return share;
+ }
+ return NULL;
+}
+
+static int parse_veto_list(struct ksmbd_share_config *share,
+ char *veto_list,
+ int veto_list_sz)
+{
+ int sz = 0;
+
+ if (!veto_list_sz)
+ return 0;
+
+ while (veto_list_sz > 0) {
+ struct ksmbd_veto_pattern *p;
+
+ p = ksmbd_alloc(sizeof(struct ksmbd_veto_pattern));
+ if (!p)
+ return -ENOMEM;
+
+ sz = strlen(veto_list);
+ if (!sz)
+ break;
+
+ p->pattern = kstrdup(veto_list, GFP_KERNEL);
+ if (!p->pattern) {
+ ksmbd_free(p);
+ return -ENOMEM;
+ }
+
+ list_add(&p->list, &share->veto_list);
+
+ veto_list += sz + 1;
+ veto_list_sz -= (sz + 1);
+ }
+
+ return 0;
+}
+
+static struct ksmbd_share_config *share_config_request(char *name)
+{
+ struct ksmbd_share_config_response *resp;
+ struct ksmbd_share_config *share = NULL;
+ struct ksmbd_share_config *lookup;
+ int ret;
+
+ resp = ksmbd_ipc_share_config_request(name);
+ if (!resp)
+ return NULL;
+
+ if (resp->flags == KSMBD_SHARE_FLAG_INVALID)
+ goto out;
+
+ share = ksmbd_alloc(sizeof(struct ksmbd_share_config));
+ if (!share)
+ goto out;
+
+ share->flags = resp->flags;
+ atomic_set(&share->refcount, 1);
+ INIT_LIST_HEAD(&share->veto_list);
+ share->name = kstrdup(name, GFP_KERNEL);
+
+ if (!test_share_config_flag(share, KSMBD_SHARE_FLAG_PIPE)) {
+ share->path = kstrdup(KSMBD_SHARE_CONFIG_PATH(resp),
+ GFP_KERNEL);
+ if (share->path)
+ share->path_sz = strlen(share->path);
+ share->create_mask = resp->create_mask;
+ share->directory_mask = resp->directory_mask;
+ share->force_create_mode = resp->force_create_mode;
+ share->force_directory_mode = resp->force_directory_mode;
+ share->force_uid = resp->force_uid;
+ share->force_gid = resp->force_gid;
+ ret = parse_veto_list(share,
+ KSMBD_SHARE_CONFIG_VETO_LIST(resp),
+ resp->veto_list_sz);
+ if (!ret && share->path) {
+ ret = kern_path(share->path, 0, &share->vfs_path);
+ if (ret) {
+ ksmbd_debug(SMB, "failed to access '%s'\n",
+ share->path);
+ /* Avoid put_path() */
+ kfree(share->path);
+ share->path = NULL;
+ }
+ }
+ if (ret || !share->name) {
+ kill_share(share);
+ share = NULL;
+ goto out;
+ }
+ }
+
+ down_write(&shares_table_lock);
+ lookup = __share_lookup(name);
+ if (lookup)
+ lookup = __get_share_config(lookup);
+ if (!lookup) {
+ hash_add(shares_table, &share->hlist, share_name_hash(name));
+ } else {
+ kill_share(share);
+ share = lookup;
+ }
+ up_write(&shares_table_lock);
+
+out:
+ ksmbd_free(resp);
+ return share;
+}
+
+static void strtolower(char *share_name)
+{
+ while (*share_name) {
+ *share_name = tolower(*share_name);
+ share_name++;
+ }
+}
+
+struct ksmbd_share_config *ksmbd_share_config_get(char *name)
+{
+ struct ksmbd_share_config *share;
+
+ strtolower(name);
+
+ down_read(&shares_table_lock);
+ share = __share_lookup(name);
+ if (share)
+ share = __get_share_config(share);
+ up_read(&shares_table_lock);
+
+ if (share)
+ return share;
+ return share_config_request(name);
+}
+
+bool ksmbd_share_veto_filename(struct ksmbd_share_config *share,
+ const char *filename)
+{
+ struct ksmbd_veto_pattern *p;
+
+ list_for_each_entry(p, &share->veto_list, list) {
+ if (match_wildcard(p->pattern, filename))
+ return true;
+ }
+ return false;
+}
+
+void ksmbd_share_configs_cleanup(void)
+{
+ struct ksmbd_share_config *share;
+ struct hlist_node *tmp;
+ int i;
+
+ down_write(&shares_table_lock);
+ hash_for_each_safe(shares_table, i, tmp, share, hlist) {
+ hash_del(&share->hlist);
+ kill_share(share);
+ }
+ up_write(&shares_table_lock);
+}
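Review bot: parse_veto_list() leaks p when it hits an empty entry: the pattern struct is allocated before "sz = strlen(veto_list); if (!sz) break;", and the break path never frees it. The same strlen() is not bounded by veto_list_sz, so a final entry without a terminating NUL in the IPC response makes strlen() and kstrdup() read past the buffer; use strnlen(veto_list, veto_list_sz) before allocating and reject an unterminated entry. In share_config_request() the "!share->name" check sits inside the non-pipe branch, so a pipe share whose kstrdup() failed is hashed with a NULL name and the strcmp() in __share_lookup() will dereference it; move the check out of the branch.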
diff --git a/fs/cifsd/mgmt/share_config.h b/fs/cifsd/mgmt/share_config.h
new file mode 100644
index 000000000000..c47b874bd80b
--- /dev/null
+++ b/fs/cifsd/mgmt/share_config.h
@@ -0,0 +1,83 @@
+/* SPDX-License-Identifier: GPL-2.0-or-later */
+/*
+ * Copyright (C) 2018 Samsung Electronics Co., Ltd.
+ */
+
+#ifndef __SHARE_CONFIG_MANAGEMENT_H__
+#define __SHARE_CONFIG_MANAGEMENT_H__
+
+#include <linux/workqueue.h>
+#include <linux/hashtable.h>
+#include <linux/path.h>
+
+#include "../glob.h" /* FIXME */
+
+struct ksmbd_share_config {
+ char *name;
+ char *path;
+
+ unsigned int path_sz;
+ unsigned int flags;
+ struct list_head veto_list;
+
+ struct path vfs_path;
+
+ atomic_t refcount;
+ struct hlist_node hlist;
+ unsigned short create_mask;
+ unsigned short directory_mask;
+ unsigned short force_create_mode;
+ unsigned short force_directory_mode;
+ unsigned short force_uid;
+ unsigned short force_gid;
+};
+
+#define KSMBD_SHARE_INVALID_UID ((__u16)-1)
+#define KSMBD_SHARE_INVALID_GID ((__u16)-1)
+
+static inline int share_config_create_mode(struct ksmbd_share_config *share,
+ umode_t posix_mode)
+{
+ if (!share->force_create_mode) {
+ if (!posix_mode)
+ return share->create_mask;
+ else
+ return posix_mode & share->create_mask;
+ }
+ return share->force_create_mode & share->create_mask;
+}
+
+static inline int share_config_directory_mode(struct ksmbd_share_config *share,
+ umode_t posix_mode)
+{
+ if (!share->force_directory_mode) {
+ if (!posix_mode)
+ return share->directory_mask;
+ else
+ return posix_mode & share->directory_mask;
+ }
+
+ return share->force_directory_mode & share->directory_mask;
+}
+
+static inline int test_share_config_flag(struct ksmbd_share_config *share,
+ int flag)
+{
+ return share->flags & flag;
+}
+
+extern void __ksmbd_share_config_put(struct ksmbd_share_config *share);
+
+static inline void ksmbd_share_config_put(struct ksmbd_share_config *share)
+{
+ if (!atomic_dec_and_test(&share->refcount))
+ return;
+ __ksmbd_share_config_put(share);
+}
+
+struct ksmbd_share_config *ksmbd_share_config_get(char *name);
+bool ksmbd_share_veto_filename(struct ksmbd_share_config *share,
+ const char *filename);
+void ksmbd_share_configs_cleanup(void);
+
+#endif /* __SHARE_CONFIG_MANAGEMENT_H__ */
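Review bot: force_uid and force_gid are declared unsigned short with (__u16)-1 as the invalid marker, so a share cannot force an owner id above 65534, and a larger value coming from the config response would be silently truncated to a different id. Linux uids and gids are 32-bit; please widen these fields and the INVALID constants to match, or document the 16-bit limit where the share option is described.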
diff --git a/fs/cifsd/mgmt/tree_connect.c b/fs/cifsd/mgmt/tree_connect.c
new file mode 100644
index 000000000000..2be7b2e2e3cd
--- /dev/null
+++ b/fs/cifsd/mgmt/tree_connect.c
@@ -0,0 +1,129 @@
+// SPDX-License-Identifier: GPL-2.0-or-later
+/*
+ * Copyright (C) 2018 Samsung Electronics Co., Ltd.
+ */
+
+#include <linux/list.h>
+#include <linux/slab.h>
+
+#include "../ksmbd_server.h" /* FIXME */
+#include "../buffer_pool.h"
+#include "../transport_ipc.h"
+#include "../connection.h"
+
+#include "tree_connect.h"
+#include "user_config.h"
+#include "share_config.h"
+#include "user_session.h"
+
+struct ksmbd_tree_conn_status
+ksmbd_tree_conn_connect(struct ksmbd_session *sess, char *share_name)
+{
+ struct ksmbd_tree_conn_status status = {-EINVAL, NULL};
+ struct ksmbd_tree_connect_response *resp = NULL;
+ struct ksmbd_share_config *sc;
+ struct ksmbd_tree_connect *tree_conn = NULL;
+ struct sockaddr *peer_addr;
+
+ sc = ksmbd_share_config_get(share_name);
+ if (!sc)
+ return status;
+
+ tree_conn = ksmbd_alloc(sizeof(struct ksmbd_tree_connect));
+ if (!tree_conn) {
+ status.ret = -ENOMEM;
+ goto out_error;
+ }
+
+ tree_conn->id = ksmbd_acquire_tree_conn_id(sess);
+ if (tree_conn->id < 0) {
+ status.ret = -EINVAL;
+ goto out_error;
+ }
+
+ peer_addr = KSMBD_TCP_PEER_SOCKADDR(sess->conn);
+ resp = ksmbd_ipc_tree_connect_request(sess,
+ sc,
+ tree_conn,
+ peer_addr);
+ if (!resp) {
+ status.ret = -EINVAL;
+ goto out_error;
+ }
+
+ status.ret = resp->status;
+ if (status.ret != KSMBD_TREE_CONN_STATUS_OK)
+ goto out_error;
+
+ tree_conn->flags = resp->connection_flags;
+ tree_conn->user = sess->user;
+ tree_conn->share_conf = sc;
+ status.tree_conn = tree_conn;
+
+ list_add(&tree_conn->list, &sess->tree_conn_list);
+
+ ksmbd_free(resp);
+ return status;
+
+out_error:
+ if (tree_conn)
+ ksmbd_release_tree_conn_id(sess, tree_conn->id);
+ ksmbd_share_config_put(sc);
+ ksmbd_free(tree_conn);
+ ksmbd_free(resp);
+ return status;
+}
+
+int ksmbd_tree_conn_disconnect(struct ksmbd_session *sess,
+ struct ksmbd_tree_connect *tree_conn)
+{
+ int ret;
+
+ ret = ksmbd_ipc_tree_disconnect_request(sess->id, tree_conn->id);
+ ksmbd_release_tree_conn_id(sess, tree_conn->id);
+ list_del(&tree_conn->list);
+ ksmbd_share_config_put(tree_conn->share_conf);
+ ksmbd_free(tree_conn);
+ return ret;
+}
+
+struct ksmbd_tree_connect *ksmbd_tree_conn_lookup(struct ksmbd_session *sess,
+ unsigned int id)
+{
+ struct ksmbd_tree_connect *tree_conn;
+ struct list_head *tmp;
+
+ list_for_each(tmp, &sess->tree_conn_list) {
+ tree_conn = list_entry(tmp, struct ksmbd_tree_connect, list);
+ if (tree_conn->id == id)
+ return tree_conn;
+ }
+ return NULL;
+}
+
+struct ksmbd_share_config *ksmbd_tree_conn_share(struct ksmbd_session *sess,
+ unsigned int id)
+{
+ struct ksmbd_tree_connect *tc;
+
+ tc = ksmbd_tree_conn_lookup(sess, id);
+ if (tc)
+ return tc->share_conf;
+ return NULL;
+}
+
+int ksmbd_tree_conn_session_logoff(struct ksmbd_session *sess)
+{
+ int ret = 0;
+
+ while (!list_empty(&sess->tree_conn_list)) {
+ struct ksmbd_tree_connect *tc;
+
+ tc = list_entry(sess->tree_conn_list.next,
+ struct ksmbd_tree_connect,
+ list);
+ ret |= ksmbd_tree_conn_disconnect(sess, tc);
+ }
+
+ return ret;
+}
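Review bot: Nothing in this file serialises access to sess->tree_conn_list: ksmbd_tree_conn_connect() adds with list_add(), ksmbd_tree_conn_lookup() walks the list and returns a bare pointer, and ksmbd_tree_conn_disconnect() does list_del() and ksmbd_free() on the same object. If two requests on one session can run concurrently, a lookup result can be freed while its user still holds it. Either document the lock callers must hold, or add one here and have lookup take a reference that disconnect waits on. Also, ksmbd_tree_conn_session_logoff() combines return values with "ret |= ...", which ORs negative errno values into a meaningless number; keep the first error instead.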
diff --git a/fs/cifsd/mgmt/tree_connect.h b/fs/cifsd/mgmt/tree_connect.h
new file mode 100644
index 000000000000..46237cd05b9c
--- /dev/null
+++ b/fs/cifsd/mgmt/tree_connect.h
@@ -0,0 +1,56 @@
+/* SPDX-License-Identifier: GPL-2.0-or-later */
+/*
+ * Copyright (C) 2018 Samsung Electronics Co., Ltd.
+ */
+
+#ifndef __TREE_CONNECT_MANAGEMENT_H__
+#define __TREE_CONNECT_MANAGEMENT_H__
+
+#include <linux/hashtable.h>
+
+#include "../ksmbd_server.h" /* FIXME */
+
+struct ksmbd_share_config;
+struct ksmbd_user;
+
+struct ksmbd_tree_connect {
+ int id;
+
+ unsigned int flags;
+ struct ksmbd_share_config *share_conf;
+ struct ksmbd_user *user;
+
+ struct list_head list;
+
+ int maximal_access;
+ bool posix_extensions;
+};
+
+struct ksmbd_tree_conn_status {
+ unsigned int ret;
+ struct ksmbd_tree_connect *tree_conn;
+};
+
+static inline int test_tree_conn_flag(struct ksmbd_tree_connect *tree_conn,
+ int flag)
+{
+ return tree_conn->flags & flag;
+}
+
+struct ksmbd_session;
+
+struct ksmbd_tree_conn_status
+ksmbd_tree_conn_connect(struct ksmbd_session *sess, char *share_name);
+
+int ksmbd_tree_conn_disconnect(struct ksmbd_session *sess,
+ struct ksmbd_tree_connect *tree_conn);
+
+struct ksmbd_tree_connect *ksmbd_tree_conn_lookup(struct ksmbd_session *sess,
+ unsigned int id);
+
+struct ksmbd_share_config *ksmbd_tree_conn_share(struct ksmbd_session *sess,
+ unsigned int id);
+
+int ksmbd_tree_conn_session_logoff(struct ksmbd_session *sess);
+
+#endif /* __TREE_CONNECT_MANAGEMENT_H__ */
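Review bot: struct ksmbd_tree_conn_status declares "unsigned int ret", but ksmbd_tree_conn_connect() stores -EINVAL and -ENOMEM in it alongside KSMBD_TREE_CONN_STATUS_* values from the IPC response. A caller testing "ret < 0" will never see an error. Make ret a plain int, and consider separating the errno from the protocol status so the two value spaces cannot be confused.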
diff --git a/fs/cifsd/mgmt/user_config.c b/fs/cifsd/mgmt/user_config.c
new file mode 100644
index 000000000000..1ab68f80f72e
--- /dev/null
+++ b/fs/cifsd/mgmt/user_config.c
@@ -0,0 +1,70 @@
+// SPDX-License-Identifier: GPL-2.0-or-later
+/*
+ * Copyright (C) 2018 Samsung Electronics Co., Ltd.
+ */
+
+#include <linux/slab.h>
+
+#include "user_config.h"
+#include "../buffer_pool.h"
+#include "../transport_ipc.h"
+#include "../ksmbd_server.h" /* FIXME */
+
+struct ksmbd_user *ksmbd_login_user(const char *account)
+{
+ struct ksmbd_login_response *resp;
+ struct ksmbd_user *user = NULL;
+
+ resp = ksmbd_ipc_login_request(account);
+ if (!resp)
+ return NULL;
+
+ if (!(resp->status & KSMBD_USER_FLAG_OK))
+ goto out;
+
+ user = ksmbd_alloc_user(resp);
+out:
+ ksmbd_free(resp);
+ return user;
+}
+
+struct ksmbd_user *ksmbd_alloc_user(struct ksmbd_login_response *resp)
+{
+ struct ksmbd_user *user = NULL;
+
+ user = ksmbd_alloc(sizeof(struct ksmbd_user));
+ if (!user)
+ return NULL;
+
+ user->name = kstrdup(resp->account, GFP_KERNEL);
+ user->flags = resp->status;
+ user->gid = resp->gid;
+ user->uid = resp->uid;
+ user->passkey_sz = resp->hash_sz;
+ user->passkey = ksmbd_alloc(resp->hash_sz);
+ if (user->passkey)
+ memcpy(user->passkey, resp->hash, resp->hash_sz);
+
+ if (!user->name || !user->passkey) {
+ kfree(user->name);
+ ksmbd_free(user->passkey);
+ ksmbd_free(user);
+ user = NULL;
+ }
+ return user;
+}
+
+void ksmbd_free_user(struct ksmbd_user *user)
+{
+ ksmbd_ipc_logout_request(user->name);
+ kfree(user->name);
+ ksmbd_free(user->passkey);
+ ksmbd_free(user);
+}
+
+int ksmbd_anonymous_user(struct ksmbd_user *user)
+{
+ if (user->name[0] == '\0')
+ return 1;
+ return 0;
+}
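Review bot: ksmbd_alloc_user() trusts resp->hash_sz from the IPC response as both the allocation size and the memcpy() length, with no check here against the size of resp->hash or of the received message. Unless the transport layer already validates it, add an upper bound before "user->passkey = ksmbd_alloc(resp->hash_sz);" and fail the login when it is exceeded. ksmbd_free_user() and the error path above also release the passkey with a plain ksmbd_free(); clear it first (memzero_explicit() over passkey_sz bytes) so the password hash does not linger in freed memory.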
diff --git a/fs/cifsd/mgmt/user_config.h b/fs/cifsd/mgmt/user_config.h
new file mode 100644
index 000000000000..5cda4a5d3e2f
--- /dev/null
+++ b/fs/cifsd/mgmt/user_config.h
@@ -0,0 +1,67 @@
+/* SPDX-License-Identifier: GPL-2.0-or-later */
+/*
+ * Copyright (C) 2018 Samsung Electronics Co., Ltd.
+ */
+
+#ifndef __USER_CONFIG_MANAGEMENT_H__
+#define __USER_CONFIG_MANAGEMENT_H__
+
+#include "../glob.h" /* FIXME */
+#include "../ksmbd_server.h" /* FIXME */
+
+struct ksmbd_user {
+ unsigned short flags;
+
+ unsigned int uid;
+ unsigned int gid;
+
+ char *name;
+
+ size_t passkey_sz;
+ char *passkey;
+};
+
+static inline bool user_guest(struct ksmbd_user *user)
+{
+ return user->flags & KSMBD_USER_FLAG_GUEST_ACCOUNT;
+}
+
+static inline void set_user_flag(struct ksmbd_user *user, int flag)
+{
+ user->flags |= flag;
+}
+
+static inline int test_user_flag(struct ksmbd_user *user, int flag)
+{
+ return user->flags & flag;
+}
+
+static inline void set_user_guest(struct ksmbd_user *user)
+{
+}
+
+static inline char *user_passkey(struct ksmbd_user *user)
+{
+ return user->passkey;
+}
+
+static inline char *user_name(struct ksmbd_user *user)
+{
+ return user->name;
+}
+
+static inline unsigned int user_uid(struct ksmbd_user *user)
+{
+ return user->uid;
+}
+
+static inline unsigned int user_gid(struct ksmbd_user *user)
+{
+ return user->gid;
+}
+
+struct ksmbd_user *ksmbd_login_user(const char *account);
+struct ksmbd_user *ksmbd_alloc_user(struct ksmbd_login_response *resp);
+void ksmbd_free_user(struct ksmbd_user *user);
+int ksmbd_anonymous_user(struct ksmbd_user *user);
+#endif /* __USER_CONFIG_MANAGEMENT_H__ */
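Review bot: set_user_guest() has an empty body, so a caller that relies on it to mark a user as guest gets no effect and user_guest() keeps returning whatever the login response set. Either implement it with set_user_flag(user, KSMBD_USER_FLAG_GUEST_ACCOUNT) or remove it. Minor: flags is unsigned short while set_user_flag() and test_user_flag() take an int flag; make the types agree.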
diff --git a/fs/cifsd/mgmt/user_session.c b/fs/cifsd/mgmt/user_session.c
new file mode 100644
index 000000000000..d9f6dbde850a
--- /dev/null
+++ b/fs/cifsd/mgmt/user_session.c
@@ -0,0 +1,345 @@
+// SPDX-License-Identifier: GPL-2.0-or-later
+/*
+ * Copyright (C) 2018 Samsung Electronics Co., Ltd.
+ */
+
+#include <linux/list.h>
+#include <linux/slab.h>
+#include <linux/rwsem.h>
+
+#include "ksmbd_ida.h"
+#include "user_session.h"
+#include "user_config.h"
+#include "tree_connect.h"
+#include "../transport_ipc.h"
+#include "../connection.h"
+#include "../buffer_pool.h"
+#include "../ksmbd_server.h" /* FIXME */
+#include "../vfs_cache.h"
+
+static struct ksmbd_ida *session_ida;
+
+#define SESSION_HASH_BITS 3
+static DEFINE_HASHTABLE(sessions_table, SESSION_HASH_BITS);
+static DECLARE_RWSEM(sessions_table_lock);
+
+struct ksmbd_session_rpc {
+ int id;
+ unsigned int method;
+ struct list_head list;
+};
+
+static void free_channel_list(struct ksmbd_session *sess)
+{
+ struct channel *chann;
+ struct list_head *tmp, *t;
+
+ list_for_each_safe(tmp, t, &sess->ksmbd_chann_list) {
+ chann = list_entry(tmp, struct channel, chann_list);
+ if (chann) {
+ list_del(&chann->chann_list);
+ kfree(chann);
+ }
+ }
+}
+
+static void __session_rpc_close(struct ksmbd_session *sess,
+ struct ksmbd_session_rpc *entry)
+{
+ struct ksmbd_rpc_command *resp;
+
+ resp = ksmbd_rpc_close(sess, entry->id);
+ if (!resp)
+ pr_err("Unable to close RPC pipe %d\n", entry->id);
+
+ ksmbd_free(resp);
+ ksmbd_rpc_id_free(entry->id);
+ ksmbd_free(entry);
+}
+
+static void ksmbd_session_rpc_clear_list(struct ksmbd_session *sess)
+{
+ struct ksmbd_session_rpc *entry;
+
+ while (!list_empty(&sess->rpc_handle_list)) {
+ entry = list_entry(sess->rpc_handle_list.next,
+ struct ksmbd_session_rpc,
+ list);
+
+ list_del(&entry->list);
+ __session_rpc_close(sess, entry);
+ }
+}
+
+static int __rpc_method(char *rpc_name)
+{
+ if (!strcmp(rpc_name, "\\srvsvc") || !strcmp(rpc_name, "srvsvc"))
+ return KSMBD_RPC_SRVSVC_METHOD_INVOKE;
+
+ if (!strcmp(rpc_name, "\\wkssvc") || !strcmp(rpc_name, "wkssvc"))
+ return KSMBD_RPC_WKSSVC_METHOD_INVOKE;
+
+ if (!strcmp(rpc_name, "LANMAN") || !strcmp(rpc_name, "lanman"))
+ return KSMBD_RPC_RAP_METHOD;
+
+ if (!strcmp(rpc_name, "\\samr") || !strcmp(rpc_name, "samr"))
+ return KSMBD_RPC_SAMR_METHOD_INVOKE;
+
+ if (!strcmp(rpc_name, "\\lsarpc") || !strcmp(rpc_name, "lsarpc"))
+ return KSMBD_RPC_LSARPC_METHOD_INVOKE;
+
+ ksmbd_err("Unsupported RPC: %s\n", rpc_name);
+ return 0;
+}
+
+int ksmbd_session_rpc_open(struct ksmbd_session *sess, char *rpc_name)
+{
+ struct ksmbd_session_rpc *entry;
+ struct ksmbd_rpc_command *resp;
+ int method;
+
+ method = __rpc_method(rpc_name);
+ if (!method)
+ return -EINVAL;
+
+ entry = ksmbd_alloc(sizeof(struct ksmbd_session_rpc));
+ if (!entry)
+ return -EINVAL;
+
+ list_add(&entry->list, &sess->rpc_handle_list);
+ entry->method = method;
+ entry->id = ksmbd_ipc_id_alloc();
+ if (entry->id < 0)
+ goto error;
+
+ resp = ksmbd_rpc_open(sess, entry->id);
+ if (!resp)
+ goto error;
+
+ ksmbd_free(resp);
+ return entry->id;
+error:
+ list_del(&entry->list);
+ ksmbd_free(entry);
+ return -EINVAL;
+}
+
+void ksmbd_session_rpc_close(struct ksmbd_session *sess, int id)
+{
+ struct ksmbd_session_rpc *entry;
+
+ list_for_each_entry(entry, &sess->rpc_handle_list, list) {
+ if (entry->id == id) {
+ list_del(&entry->list);
+ __session_rpc_close(sess, entry);
+ break;
+ }
+ }
+}
+
+int ksmbd_session_rpc_method(struct ksmbd_session *sess, int id)
+{
+ struct ksmbd_session_rpc *entry;
+
+ list_for_each_entry(entry, &sess->rpc_handle_list, list) {
+ if (entry->id == id)
+ return entry->method;
+ }
+ return 0;
+}
+
+void ksmbd_session_destroy(struct ksmbd_session *sess)
+{
+ if (!sess)
+ return;
+
+ if (!atomic_dec_and_test(&sess->refcnt))
+ return;
+
+ list_del(&sess->sessions_entry);
+
+ if (IS_SMB2(sess->conn)) {
+ down_write(&sessions_table_lock);
+ hash_del(&sess->hlist);
+ up_write(&sessions_table_lock);
+ }
+
+ if (sess->user)
+ ksmbd_free_user(sess->user);
+
+ ksmbd_tree_conn_session_logoff(sess);
+ ksmbd_destroy_file_table(&sess->file_table);
+ ksmbd_session_rpc_clear_list(sess);
+ free_channel_list(sess);
+ kfree(sess->Preauth_HashValue);
+ ksmbd_release_id(session_ida, sess->id);
+
+ ksmbd_ida_free(sess->tree_conn_ida);
+ ksmbd_free(sess);
+}
+
+static struct ksmbd_session *__session_lookup(unsigned long long id)
+{
+ struct ksmbd_session *sess;
+
+ hash_for_each_possible(sessions_table, sess, hlist, id) {
+ if (id == sess->id)
+ return sess;
+ }
+ return NULL;
+}
+
+void ksmbd_session_register(struct ksmbd_conn *conn,
+ struct ksmbd_session *sess)
+{
+ sess->conn = conn;
+ list_add(&sess->sessions_entry, &conn->sessions);
+}
+
+void ksmbd_sessions_deregister(struct ksmbd_conn *conn)
+{
+ struct ksmbd_session *sess;
+
+ while (!list_empty(&conn->sessions)) {
+ sess = list_entry(conn->sessions.next,
+ struct ksmbd_session,
+ sessions_entry);
+
+ ksmbd_session_destroy(sess);
+ }
+}
+
+bool ksmbd_session_id_match(struct ksmbd_session *sess, unsigned long long id)
+{
+ return sess->id == id;
+}
+
+struct ksmbd_session *ksmbd_session_lookup(struct ksmbd_conn *conn,
+ unsigned long long id)
+{
+ struct ksmbd_session *sess = NULL;
+
+ list_for_each_entry(sess, &conn->sessions, sessions_entry) {
+ if (ksmbd_session_id_match(sess, id))
+ return sess;
+ }
+ return NULL;
+}
+
+int get_session(struct ksmbd_session *sess)
+{
+ return atomic_inc_not_zero(&sess->refcnt);
+}
+
+void put_session(struct ksmbd_session *sess)
+{
+ if (atomic_dec_and_test(&sess->refcnt))
+ ksmbd_err("get/%s seems to be mismatched.", __func__);
+}
+
+struct ksmbd_session *ksmbd_session_lookup_slowpath(unsigned long long id)
+{
+ struct ksmbd_session *sess;
+
+ down_read(&sessions_table_lock);
+ sess = __session_lookup(id);
+ if (sess) {
+ if (!get_session(sess))
+ sess = NULL;
+ }
+ up_read(&sessions_table_lock);
+
+ return sess;
+}
+
+static int __init_smb2_session(struct ksmbd_session *sess)
+{
+ int id = ksmbd_acquire_smb2_uid(session_ida);
+
+ if (id < 0)
+ return -EINVAL;
+ sess->id = id;
+ return 0;
+}
+
+static struct ksmbd_session *__session_create(int protocol)
+{
+ struct ksmbd_session *sess;
+ int ret;
+
+ sess = ksmbd_alloc(sizeof(struct ksmbd_session));
+ if (!sess)
+ return NULL;
+
+ if (ksmbd_init_file_table(&sess->file_table))
+ goto error;
+
+ set_session_flag(sess, protocol);
+ INIT_LIST_HEAD(&sess->sessions_entry);
+ INIT_LIST_HEAD(&sess->tree_conn_list);
+ INIT_LIST_HEAD(&sess->ksmbd_chann_list);
+ INIT_LIST_HEAD(&sess->rpc_handle_list);
+ sess->sequence_number = 1;
+ atomic_set(&sess->refcnt, 1);
+
+ switch (protocol) {
+ case CIFDS_SESSION_FLAG_SMB2:
+ ret = __init_smb2_session(sess);
+ break;
+ default:
+ ret = -EINVAL;
+ break;
+ }
+
+ if (ret)
+ goto error;
+
+ sess->tree_conn_ida = ksmbd_ida_alloc();
+ if (!sess->tree_conn_ida)
+ goto error;
+
+ if (protocol == CIFDS_SESSION_FLAG_SMB2) {
+ down_read(&sessions_table_lock);
+ hash_add(sessions_table, &sess->hlist, sess->id);
+ up_read(&sessions_table_lock);
+ }
+ return sess;
+
+error:
+ ksmbd_session_destroy(sess);
+ return NULL;
+}
+
+struct ksmbd_session *ksmbd_smb2_session_create(void)
+{
+ return __session_create(CIFDS_SESSION_FLAG_SMB2);
+}
+
+int ksmbd_acquire_tree_conn_id(struct ksmbd_session *sess)
+{
+ int id = -EINVAL;
+
+ if (test_session_flag(sess, CIFDS_SESSION_FLAG_SMB2))
+ id = ksmbd_acquire_smb2_tid(sess->tree_conn_ida);
+
+ return id;
+}
+
+void ksmbd_release_tree_conn_id(struct ksmbd_session *sess, int id)
+{
+ if (id >= 0)
+ ksmbd_release_id(sess->tree_conn_ida, id);
+}
+
+int ksmbd_init_session_table(void)
+{
+ session_ida = ksmbd_ida_alloc();
+ if (!session_ida)
+ return -ENOMEM;
+ return 0;
+}
+
+void ksmbd_free_session_table(void)
+{
+ ksmbd_ida_free(session_ida);
+}
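Review bot: __session_create() inserts into sessions_table with hash_add() while holding sessions_table_lock only for read ("down_read(&sessions_table_lock);"), so two concurrent session setups can modify the same bucket at once; this needs down_write()/up_write(). The error path is also unsafe: on ksmbd_init_file_table() failure ksmbd_session_destroy() is entered before refcnt and the list heads are initialised, and it then touches sess->conn, sess->hlist and sess->id, none of which are set yet. Use a dedicated unwind path that frees only what was set up. Smaller points: ksmbd_session_rpc_open() returns -EINVAL for an allocation failure and does not release entry->id when ksmbd_rpc_open() fails, and put_session() only logs when the count reaches zero instead of freeing the session.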
diff --git a/fs/cifsd/mgmt/user_session.h b/fs/cifsd/mgmt/user_session.h
new file mode 100644
index 000000000000..0a6eb21647ab
--- /dev/null
+++ b/fs/cifsd/mgmt/user_session.h
@@ -0,0 +1,105 @@
+/* SPDX-License-Identifier: GPL-2.0-or-later */
+/*
+ * Copyright (C) 2018 Samsung Electronics Co., Ltd.
+ */
+
+#ifndef __USER_SESSION_MANAGEMENT_H__
+#define __USER_SESSION_MANAGEMENT_H__
+
+#include <linux/hashtable.h>
+
+#include "../smb_common.h"
+#include "../ntlmssp.h"
+
+#define CIFDS_SESSION_FLAG_SMB2 (1 << 1)
+
+#define PREAUTH_HASHVALUE_SIZE 64
+
+struct ksmbd_ida;
+struct ksmbd_file_table;
+
+struct channel {
+ __u8 smb3signingkey[SMB3_SIGN_KEY_SIZE];
+ struct ksmbd_conn *conn;
+ struct list_head chann_list;
+};
+
+struct preauth_session {
+ __u8 Preauth_HashValue[PREAUTH_HASHVALUE_SIZE];
+ uint64_t sess_id;
+ struct list_head list_entry;
+};
+
+struct ksmbd_session {
+ uint64_t id;
+
+ struct ksmbd_user *user;
+ struct ksmbd_conn *conn;
+ unsigned int sequence_number;
+ unsigned int flags;
+
+ bool sign;
+ bool enc;
+ bool is_anonymous;
+
+ int state;
+ __u8 *Preauth_HashValue;
+
+ struct ntlmssp_auth ntlmssp;
+ char sess_key[CIFS_KEY_SIZE];
+
+ struct hlist_node hlist;
+ struct list_head ksmbd_chann_list;
+ struct list_head tree_conn_list;
+ struct ksmbd_ida *tree_conn_ida;
+ struct list_head rpc_handle_list;
+
+ __u8 smb3encryptionkey[SMB3_SIGN_KEY_SIZE];
+ __u8 smb3decryptionkey[SMB3_SIGN_KEY_SIZE];
+ __u8 smb3signingkey[SMB3_SIGN_KEY_SIZE];
+
+ struct list_head sessions_entry;
+ struct ksmbd_file_table file_table;
+ atomic_t refcnt;
+};
+
+static inline int test_session_flag(struct ksmbd_session *sess, int bit)
+{
+ return sess->flags & bit;
+}
+
+static inline void set_session_flag(struct ksmbd_session *sess, int bit)
+{
+ sess->flags |= bit;
+}
+
+static inline void clear_session_flag(struct ksmbd_session *sess, int bit)
+{
+ sess->flags &= ~bit;
+}
+
+struct ksmbd_session *ksmbd_smb2_session_create(void);
+
+void ksmbd_session_destroy(struct ksmbd_session *sess);
+
+bool ksmbd_session_id_match(struct ksmbd_session *sess, unsigned long long id);
+struct ksmbd_session *ksmbd_session_lookup_slowpath(unsigned long long id);
+struct ksmbd_session *ksmbd_session_lookup(struct ksmbd_conn *conn,
+ unsigned long long id);
+void ksmbd_session_register(struct ksmbd_conn *conn,
+ struct ksmbd_session *sess);
+void ksmbd_sessions_deregister(struct ksmbd_conn *conn);
+
+int ksmbd_acquire_tree_conn_id(struct ksmbd_session *sess);
+void ksmbd_release_tree_conn_id(struct ksmbd_session *sess, int id);
+
+int ksmbd_session_rpc_open(struct ksmbd_session *sess, char *rpc_name);
+void ksmbd_session_rpc_close(struct ksmbd_session *sess, int id);
+int ksmbd_session_rpc_method(struct ksmbd_session *sess, int id);
+int get_session(struct ksmbd_session *sess);
+void put_session(struct ksmbd_session *sess);
+
+int ksmbd_init_session_table(void);
+void ksmbd_free_session_table(void);
+
+#endif /* __USER_SESSION_MANAGEMENT_H__ */
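Review bot: get_session() and put_session() are exported from this header without the ksmbd_ prefix that every other symbol here carries, which invites clashes in the global kernel namespace; rename them to ksmbd_session_get()/ksmbd_session_put() or similar. CIFDS_SESSION_FLAG_SMB2 looks like a typo for the module name, and Preauth_HashValue should follow kernel lower-case naming. smb3encryptionkey and smb3decryptionkey are sized with SMB3_SIGN_KEY_SIZE; if the sizes are equal by design, say so in a comment or give the encryption keys their own constant. Since this struct embeds sess_key and the SMB3 keys, note here that it must be cleared before it is freed.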
diff --git a/fs/cifsd/misc.c b/fs/cifsd/misc.c
new file mode 100644
index 000000000000..9e689c33f7bb
--- /dev/null
+++ b/fs/cifsd/misc.c
@@ -0,0 +1,293 @@
+// SPDX-License-Identifier: GPL-2.0-or-later
+/*
+ * Copyright (C) 2016 Namjae Jeon <linkinjeon(a)kernel.org>
+ * Copyright (C) 2018 Samsung Electronics Co., Ltd.
+ */
+
+#include <linux/kernel.h>
+#include <linux/version.h>
+#include <linux/xattr.h>
+#include <linux/fs.h>
+
+#include "misc.h"
+#include "smb_common.h"
+#include "connection.h"
+#include "vfs.h"
+
+#include "mgmt/share_config.h"
+
+/**
+ * match_pattern() - compare a string with a pattern which might include
+ * wildcard '*' and '?'
+ * TODO : implement consideration about DOS_DOT, DOS_QM and DOS_STAR
+ *
+ * @string: string to compare with a pattern
+ * @pattern: pattern string which might include wildcard '*' and '?'
+ *
+ * Return: 0 if pattern matched with the string, otherwise non zero value
+ */
+int match_pattern(const char *str, const char *pattern)
+{
+ const char *s = str;
+ const char *p = pattern;
+ bool star = false;
+
+ while (*s) {
+ switch (*p) {
+ case '?':
+ s++;
+ p++;
+ break;
+ case '*':
+ star = true;
+ str = s;
+ if (!*++p)
+ return true;
+ pattern = p;
+ break;
+ default:
+ if (tolower(*s) == tolower(*p)) {
+ s++;
+ p++;
+ } else {
+ if (!star)
+ return false;
+ str++;
+ s = str;
+ p = pattern;
+ }
+ break;
+ }
+ }
+
+ if (*p == '*')
+ ++p;
+ return !*p;
+}
+
+/*
+ * is_char_allowed() - check for valid character
+ * @ch: input character to be checked
+ *
+ * Return: 1 if char is allowed, otherwise 0
+ */
+static inline int is_char_allowed(char ch)
+{
+ /* check for control chars, wildcards etc. */
+ if (!(ch & 0x80) &&
+ (ch <= 0x1f ||
+ ch == '?' || ch == '"' || ch == '<' ||
+ ch == '>' || ch == '|' || ch == '*'))
+ return 0;
+
+ return 1;
+}
+
+int ksmbd_validate_filename(char *filename)
+{
+ while (*filename) {
+ char c = *filename;
+
+ filename++;
+ if (!is_char_allowed(c)) {
+ ksmbd_debug(VFS, "File name validation failed: 0x%x\n", c);
+ return -ENOENT;
+ }
+ }
+
+ return 0;
+}
+
+static int ksmbd_validate_stream_name(char *stream_name)
+{
+ while (*stream_name) {
+ char c = *stream_name;
+
+ stream_name++;
+ if (c == '/' || c == ':' || c == '\\') {
+ ksmbd_err("Stream name validation failed: %c\n", c);
+ return -ENOENT;
+ }
+ }
+
+ return 0;
+}
+
+int parse_stream_name(char *filename, char **stream_name, int *s_type)
+{
+ char *stream_type;
+ char *s_name;
+ int rc = 0;
+
+ s_name = filename;
+ filename = strsep(&s_name, ":");
+ ksmbd_debug(SMB, "filename : %s, streams : %s\n", filename, s_name);
+ if (strchr(s_name, ':')) {
+ stream_type = s_name;
+ s_name = strsep(&stream_type, ":");
+
+ rc = ksmbd_validate_stream_name(s_name);
+ if (rc < 0) {
+ rc = -ENOENT;
+ goto out;
+ }
+
+ ksmbd_debug(SMB, "stream name : %s, stream type : %s\n", s_name,
+ stream_type);
+ if (!strncasecmp("$data", stream_type, 5))
+ *s_type = DATA_STREAM;
+ else if (!strncasecmp("$index_allocation", stream_type, 17))
+ *s_type = DIR_STREAM;
+ else
+ rc = -ENOENT;
+ }
+
+ *stream_name = s_name;
+out:
+ return rc;
+}
+
+/**
+ * convert_to_nt_pathname() - extract and return windows path string
+ * whose share directory prefix was removed from file path
+ * @filename : unix filename
+ * @sharepath: share path string
+ *
+ * Return : windows path string or error
+ */
+
+char *convert_to_nt_pathname(char *filename, char *sharepath)
+{
+ char *ab_pathname;
+ int len, name_len;
+
+ name_len = strlen(filename);
+ ab_pathname = kmalloc(name_len, GFP_KERNEL);
+ if (!ab_pathname)
+ return NULL;
+
+ ab_pathname[0] = '\\';
+ ab_pathname[1] = '\0';
+
+ len = strlen(sharepath);
+ if (!strncmp(filename, sharepath, len) && name_len != len) {
+ strscpy(ab_pathname, &filename[len], name_len);
+ ksmbd_conv_path_to_windows(ab_pathname);
+ }
+
+ return ab_pathname;
+}
+
+int get_nlink(struct kstat *st)
+{
+ int nlink;
+
+ nlink = st->nlink;
+ if (S_ISDIR(st->mode))
+ nlink--;
+
+ return nlink;
+}
+
+void ksmbd_conv_path_to_unix(char *path)
+{
+ strreplace(path, '\\', '/');
+}
+
+void ksmbd_strip_last_slash(char *path)
+{
+ int len = strlen(path);
+
+ while (len && path[len - 1] == '/') {
+ path[len - 1] = '\0';
+ len--;
+ }
+}
+
+void ksmbd_conv_path_to_windows(char *path)
+{
+ strreplace(path, '/', '\\');
+}
+
+/**
+ * extract_sharename() - get share name from tree connect request
+ * @treename: buffer containing tree name and share name
+ *
+ * Return: share name on success, otherwise error
+ */
+char *extract_sharename(char *treename)
+{
+ char *name = treename;
+ char *dst;
+ char *pos = strrchr(name, '\\');
+
+ if (pos)
+ name = (pos + 1);
+
+ /* caller has to free the memory */
+ dst = kstrdup(name, GFP_KERNEL);
+ if (!dst)
+ return ERR_PTR(-ENOMEM);
+ return dst;
+}
+
+/**
+ * convert_to_unix_name() - convert windows name to unix format
+ * @path: name to be converted
+ * @tid: tree id of mathing share
+ *
+ * Return: converted name on success, otherwise NULL
+ */
+char *convert_to_unix_name(struct ksmbd_share_config *share, char *name)
+{
+ int no_slash = 0, name_len, path_len;
+ char *new_name;
+
+ if (name[0] == '/')
+ name++;
+
+ path_len = share->path_sz;
+ name_len = strlen(name);
+ new_name = kmalloc(path_len + name_len + 2, GFP_KERNEL);
+ if (!new_name)
+ return new_name;
+
+ memcpy(new_name, share->path, path_len);
+ if (new_name[path_len - 1] != '/') {
+ new_name[path_len] = '/';
+ no_slash = 1;
+ }
+
+ memcpy(new_name + path_len + no_slash, name, name_len);
+ path_len += name_len + no_slash;
+ new_name[path_len] = 0x00;
+ return new_name;
+}
+
+char *ksmbd_convert_dir_info_name(struct ksmbd_dir_info *d_info,
+ const struct nls_table *local_nls,
+ int *conv_len)
+{
+ char *conv;
+ int sz = min(4 * d_info->name_len, PATH_MAX);
+
+ if (!sz)
+ return NULL;
+
+ conv = kmalloc(sz, GFP_KERNEL);
+ if (!conv)
+ return NULL;
+
+ /* XXX */
+ *conv_len = smbConvertToUTF16((__le16 *)conv,
+ d_info->name,
+ d_info->name_len,
+ local_nls,
+ 0);
+ *conv_len *= 2;
+
+ /* We allocate buffer twice bigger than needed. */
+ conv[*conv_len] = 0x00;
+ conv[*conv_len + 1] = 0x00;
+ return conv;
+}
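Review bot: convert_to_nt_pathname() allocates kmalloc(name_len) with name_len = strlen(filename), which leaves no room for a terminator and is too small for the unconditional stores to ab_pathname[0] and ab_pathname[1] when filename is one character long (and is a zero-size allocation for an empty name). Allocate name_len + 2 bytes before writing the "\\" default. In the same file, parse_stream_name() passes s_name to strchr() right after strsep(&s_name, ":"), and strsep() sets s_name to NULL when filename contains no ':'; check for NULL there or document that callers must guarantee a colon. The kernel-doc for match_pattern() says it returns 0 on a match while the code returns true, and the parameters documented for convert_to_unix_name() (@path, @tid) do not match its signature (share, name).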
diff --git a/fs/cifsd/misc.h b/fs/cifsd/misc.h
new file mode 100644
index 000000000000..d67843aad509
--- /dev/null
+++ b/fs/cifsd/misc.h
@@ -0,0 +1,38 @@
+/* SPDX-License-Identifier: GPL-2.0-or-later */
+/*
+ * Copyright (C) 2018 Samsung Electronics Co., Ltd.
+ */
+
+#ifndef __KSMBD_MISC_H__
+#define __KSMBD_MISC_H__
+
+struct ksmbd_share_config;
+struct nls_table;
+struct kstat;
+struct ksmbd_file;
+
+int match_pattern(const char *str, const char *pattern);
+
+int ksmbd_validate_filename(char *filename);
+
+int parse_stream_name(char *filename, char **stream_name, int *s_type);
+
+char *convert_to_nt_pathname(char *filename, char *sharepath);
+
+int get_nlink(struct kstat *st);
+
+void ksmbd_conv_path_to_unix(char *path);
+void ksmbd_strip_last_slash(char *path);
+void ksmbd_conv_path_to_windows(char *path);
+
+char *extract_sharename(char *treename);
+
+char *convert_to_unix_name(struct ksmbd_share_config *share, char *name);
+
+#define KSMBD_DIR_INFO_ALIGNMENT 8
+
+struct ksmbd_dir_info;
+char *ksmbd_convert_dir_info_name(struct ksmbd_dir_info *d_info,
+ const struct nls_table *local_nls,
+ int *conv_len);
+#endif /* __KSMBD_MISC_H__ */
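Review bot: match_pattern(), parse_stream_name(), convert_to_nt_pathname(), get_nlink(), extract_sharename() and convert_to_unix_name() are declared here without the ksmbd_ prefix that the other helpers in this header carry, which invites symbol clashes when the module is built in. Rename them with the prefix. The forward declaration of struct ksmbd_file is not used by any prototype in this header and can be dropped.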
diff --git a/fs/cifsd/ndr.c b/fs/cifsd/ndr.c
new file mode 100644
index 000000000000..d96dcd9e43c6
--- /dev/null
+++ b/fs/cifsd/ndr.c
@@ -0,0 +1,344 @@
+// SPDX-License-Identifier: GPL-2.0-or-later
+/*
+ * Copyright (C) 2021 Samsung Electronics Co., Ltd.
+ * Author(s): Namjae Jeon <linkinjeon(a)kernel.org>
+ */
+
+#include <linux/fs.h>
+
+#include "glob.h"
+#include "ndr.h"
+
+#define PAYLOAD_HEAD(d) ((d)->data + (d)->offset)
+
+#define KSMBD_ALIGN_MASK(x, mask) (((x) + (mask)) & ~(mask))
+
+#define KSMBD_ALIGN(x, a) \
+ ({ \
+ typeof(x) ret = (x); \
+ if (((x) & ((typeof(x))(a) - 1)) != 0) \
+ ret = KSMBD_ALIGN_MASK(x, (typeof(x))(a) - 1); \
+ ret; \
+ })
+
+static void align_offset(struct ndr *ndr, int n)
+{
+ ndr->offset = KSMBD_ALIGN(ndr->offset, n);
+}
+
+static int try_to_realloc_ndr_blob(struct ndr *n, size_t sz)
+{
+ char *data;
+
+ data = krealloc(n->data, n->offset + sz + 1024, GFP_KERNEL);
+ if (!data)
+ return -ENOMEM;
+
+ n->data = data;
+ n->length += 1024;
+ memset(n->data + n->offset, 0, 1024);
+ return 0;
+}
+
+static void ndr_write_int16(struct ndr *n, __u16 value)
+{
+ if (n->length <= n->offset + sizeof(value))
+ try_to_realloc_ndr_blob(n, sizeof(value));
+
+ *(__le16 *)PAYLOAD_HEAD(n) = cpu_to_le16(value);
+ n->offset += sizeof(value);
+}
+
+static void ndr_write_int32(struct ndr *n, __u32 value)
+{
+ if (n->length <= n->offset + sizeof(value))
+ try_to_realloc_ndr_blob(n, sizeof(value));
+
+ *(__le32 *)PAYLOAD_HEAD(n) = cpu_to_le32(value);
+ n->offset += sizeof(value);
+}
+
+static void ndr_write_int64(struct ndr *n, __u64 value)
+{
+ if (n->length <= n->offset + sizeof(value))
+ try_to_realloc_ndr_blob(n, sizeof(value));
+
+ *(__le64 *)PAYLOAD_HEAD(n) = cpu_to_le64(value);
+ n->offset += sizeof(value);
+}
+
+static int ndr_write_bytes(struct ndr *n, void *value, size_t sz)
+{
+ if (n->length <= n->offset + sz)
+ try_to_realloc_ndr_blob(n, sz);
+
+ memcpy(PAYLOAD_HEAD(n), value, sz);
+ n->offset += sz;
+ return 0;
+}
+
+static int ndr_write_string(struct ndr *n, void *value, size_t sz)
+{
+ if (n->length <= n->offset + sz)
+ try_to_realloc_ndr_blob(n, sz);
+
+ strncpy(PAYLOAD_HEAD(n), value, sz);
+ sz++;
+ n->offset += sz;
+ align_offset(n, 2);
+ return 0;
+}
+
+static int ndr_read_string(struct ndr *n, void *value, size_t sz)
+{
+ int len = strnlen(PAYLOAD_HEAD(n), sz);
+
+ memcpy(value, PAYLOAD_HEAD(n), len);
+ len++;
+ n->offset += len;
+ align_offset(n, 2);
+ return 0;
+}
+
+static int ndr_read_bytes(struct ndr *n, void *value, size_t sz)
+{
+ memcpy(value, PAYLOAD_HEAD(n), sz);
+ n->offset += sz;
+ return 0;
+}
+
+static __u16 ndr_read_int16(struct ndr *n)
+{
+ __u16 ret;
+
+ ret = le16_to_cpu(*(__le16 *)PAYLOAD_HEAD(n));
+ n->offset += sizeof(__u16);
+ return ret;
+}
+
+static __u32 ndr_read_int32(struct ndr *n)
+{
+ __u32 ret;
+
+ ret = le32_to_cpu(*(__le32 *)PAYLOAD_HEAD(n));
+ n->offset += sizeof(__u32);
+ return ret;
+}
+
+static __u64 ndr_read_int64(struct ndr *n)
+{
+ __u64 ret;
+
+ ret = le64_to_cpu(*(__le64 *)PAYLOAD_HEAD(n));
+ n->offset += sizeof(__u64);
+ return ret;
+}
+
+int ndr_encode_dos_attr(struct ndr *n, struct xattr_dos_attrib *da)
+{
+ char hex_attr[12] = {0};
+
+ n->offset = 0;
+ n->length = 1024;
+ n->data = kzalloc(n->length, GFP_KERNEL);
+ if (!n->data)
+ return -ENOMEM;
+
+ if (da->version == 3) {
+ snprintf(hex_attr, 10, "0x%x", da->attr);
+ ndr_write_string(n, hex_attr, strlen(hex_attr));
+ } else {
+ ndr_write_string(n, "", strlen(""));
+ }
+ ndr_write_int16(n, da->version);
+ ndr_write_int32(n, da->version);
+
+ ndr_write_int32(n, da->flags);
+ ndr_write_int32(n, da->attr);
+ if (da->version == 3) {
+ ndr_write_int32(n, da->ea_size);
+ ndr_write_int64(n, da->size);
+ ndr_write_int64(n, da->alloc_size);
+ } else
+ ndr_write_int64(n, da->itime);
+ ndr_write_int64(n, da->create_time);
+ if (da->version == 3)
+ ndr_write_int64(n, da->change_time);
+ return 0;
+}
+
+int ndr_decode_dos_attr(struct ndr *n, struct xattr_dos_attrib *da)
+{
+ char hex_attr[12] = {0};
+ int version2;
+
+ n->offset = 0;
+ ndr_read_string(n, hex_attr, n->length - n->offset);
+ da->version = ndr_read_int16(n);
+
+ if (da->version != 3 && da->version != 4) {
+ ksmbd_err("v%d version is not supported\n", da->version);
+ return -EINVAL;
+ }
+
+ version2 = ndr_read_int32(n);
+ if (da->version != version2) {
+ ksmbd_err("ndr version mismatched(version: %d, version2: %d)\n",
+ da->version, version2);
+ return -EINVAL;
+ }
+
+ ndr_read_int32(n);
+ da->attr = ndr_read_int32(n);
+ if (da->version == 4) {
+ da->itime = ndr_read_int64(n);
+ da->create_time = ndr_read_int64(n);
+ } else {
+ ndr_read_int32(n);
+ ndr_read_int64(n);
+ ndr_read_int64(n);
+ da->create_time = ndr_read_int64(n);
+ ndr_read_int64(n);
+ }
+
+ return 0;
+}
+
+static int ndr_encode_posix_acl_entry(struct ndr *n, struct xattr_smb_acl *acl)
+{
+ int i;
+
+ ndr_write_int32(n, acl->count);
+ align_offset(n, 8);
+ ndr_write_int32(n, acl->count);
+ ndr_write_int32(n, 0);
+
+ for (i = 0; i < acl->count; i++) {
+ align_offset(n, 8);
+ ndr_write_int16(n, acl->entries[i].type);
+ ndr_write_int16(n, acl->entries[i].type);
+
+ if (acl->entries[i].type == SMB_ACL_USER) {
+ align_offset(n, 8);
+ ndr_write_int64(n, acl->entries[i].uid);
+ } else if (acl->entries[i].type == SMB_ACL_GROUP) {
+ align_offset(n, 8);
+ ndr_write_int64(n, acl->entries[i].gid);
+ }
+
+ /* push permission */
+ ndr_write_int32(n, acl->entries[i].perm);
+ }
+
+ return 0;
+}
+
+int ndr_encode_posix_acl(struct ndr *n, struct inode *inode,
+ struct xattr_smb_acl *acl, struct xattr_smb_acl *def_acl)
+{
+ int ref_id = 0x00020000;
+
+ n->offset = 0;
+ n->length = 1024;
+ n->data = kzalloc(n->length, GFP_KERNEL);
+ if (!n->data)
+ return -ENOMEM;
+
+ if (acl) {
+ /* ACL ACCESS */
+ ndr_write_int32(n, ref_id);
+ ref_id += 4;
+ } else
+ ndr_write_int32(n, 0);
+
+ if (def_acl) {
+ /* DEFAULT ACL ACCESS */
+ ndr_write_int32(n, ref_id);
+ ref_id += 4;
+ } else
+ ndr_write_int32(n, 0);
+
+ ndr_write_int64(n, from_kuid(&init_user_ns, inode->i_uid));
+ ndr_write_int64(n, from_kgid(&init_user_ns, inode->i_gid));
+ ndr_write_int32(n, inode->i_mode);
+
+ if (acl) {
+ ndr_encode_posix_acl_entry(n, acl);
+ if (def_acl)
+ ndr_encode_posix_acl_entry(n, def_acl);
+ }
+ return 0;
+}
+
+int ndr_encode_v4_ntacl(struct ndr *n, struct xattr_ntacl *acl)
+{
+ int ref_id = 0x00020004;
+
+ n->offset = 0;
+ n->length = 2048;
+ n->data = kzalloc(n->length, GFP_KERNEL);
+ if (!n->data)
+ return -ENOMEM;
+
+ ndr_write_int16(n, acl->version);
+ ndr_write_int32(n, acl->version);
+ ndr_write_int16(n, 2);
+ ndr_write_int32(n, ref_id);
+
+ /* push hash type and hash 64bytes */
+ ndr_write_int16(n, acl->hash_type);
+ ndr_write_bytes(n, acl->hash, XATTR_SD_HASH_SIZE);
+ ndr_write_bytes(n, acl->desc, acl->desc_len);
+ ndr_write_int64(n, acl->current_time);
+ ndr_write_bytes(n, acl->posix_acl_hash, XATTR_SD_HASH_SIZE);
+
+ /* push ndr for security descriptor */
+ ndr_write_bytes(n, acl->sd_buf, acl->sd_size);
+
+ return 0;
+}
+
+int ndr_decode_v4_ntacl(struct ndr *n, struct xattr_ntacl *acl)
+{
+ int version2;
+
+ n->offset = 0;
+ acl->version = ndr_read_int16(n);
+ if (acl->version != 4) {
+ ksmbd_err("v%d version is not supported\n", acl->version);
+ return -EINVAL;
+ }
+
+ version2 = ndr_read_int32(n);
+ if (acl->version != version2) {
+ ksmbd_err("ndr version mismatched(version: %d, version2: %d)\n",
+ acl->version, version2);
+ return -EINVAL;
+ }
+
+ /* Read Level */
+ ndr_read_int16(n);
+ /* Read Ref Id */
+ ndr_read_int32(n);
+ acl->hash_type = ndr_read_int16(n);
+ ndr_read_bytes(n, acl->hash, XATTR_SD_HASH_SIZE);
+
+ ndr_read_bytes(n, acl->desc, 10);
+ if (strncmp(acl->desc, "posix_acl", 9)) {
+ ksmbd_err("Invalid acl desciption : %s\n", acl->desc);
+ return -EINVAL;
+ }
+
+ /* Read Time */
+ ndr_read_int64(n);
+ /* Read Posix ACL hash */
+ ndr_read_bytes(n, acl->posix_acl_hash, XATTR_SD_HASH_SIZE);
+ acl->sd_size = n->length - n->offset;
+ acl->sd_buf = kzalloc(acl->sd_size, GFP_KERNEL);
+ if (!acl->sd_buf)
+ return -ENOMEM;
+
+ ndr_read_bytes(n, acl->sd_buf, acl->sd_size);
+
+ return 0;
+}
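Review bot: the read helpers never compare n->offset against n->length, and in ndr_decode_dos_attr() the call ndr_read_string(n, hex_attr, n->length - n->offset) lets strnlen() return up to the whole remaining blob length, after which memcpy() copies that many bytes into the 12-byte hex_attr on the stack. Bound the copy by the destination size and make every ndr_read_* helper return an error when offset plus the requested size exceeds length, with the decoders propagating it; the same gap lets ndr_decode_v4_ntacl() compute acl->sd_size = n->length - n->offset as a negative value when the blob is shorter than the fixed header it has just stepped over. On the encode side, ndr_write_int16/32/64, ndr_write_bytes and ndr_write_string ignore the return value of try_to_realloc_ndr_blob() and still store through PAYLOAD_HEAD(n) after -ENOMEM, so those helpers should return int and the encoders should check it.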
diff --git a/fs/cifsd/ndr.h b/fs/cifsd/ndr.h
new file mode 100644
index 000000000000..a9db968b78ac
--- /dev/null
+++ b/fs/cifsd/ndr.h
@@ -0,0 +1,21 @@
+/* SPDX-License-Identifier: GPL-2.0-or-later */
+/*
+ * Copyright (C) 2020 Samsung Electronics Co., Ltd.
+ * Author(s): Namjae Jeon <linkinjeon(a)kernel.org>
+ */
+
+struct ndr {
+ char *data;
+ int offset;
+ int length;
+};
+
+#define NDR_NTSD_OFFSETOF 0xA0
+
+int ndr_encode_dos_attr(struct ndr *n, struct xattr_dos_attrib *da);
+int ndr_decode_dos_attr(struct ndr *n, struct xattr_dos_attrib *da);
+int ndr_encode_posix_acl(struct ndr *n, struct inode *inode,
+ struct xattr_smb_acl *acl, struct xattr_smb_acl *def_acl);
+int ndr_encode_v4_ntacl(struct ndr *n, struct xattr_ntacl *acl);
+int ndr_encode_v3_ntacl(struct ndr *n, struct xattr_ntacl *acl);
+int ndr_decode_v4_ntacl(struct ndr *n, struct xattr_ntacl *acl);
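Review bot: this header has no include guard, and it declares ndr_encode_v3_ntacl() although the ndr.c added in this patch contains no definition of it. Add the usual #ifndef/#define/#endif guard and drop the v3 prototype unless a definition follows in a later patch. struct ndr also keeps offset and length as int while the helpers in ndr.c add size_t values to them; unsigned types would make the bounds arithmetic easier to get right.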
diff --git a/fs/cifsd/netmisc.c b/fs/cifsd/netmisc.c
new file mode 100644
index 000000000000..6f7dd78348a3
--- /dev/null
+++ b/fs/cifsd/netmisc.c
@@ -0,0 +1,46 @@
+// SPDX-License-Identifier: GPL-2.0-or-later
+/*
+ * fs/ksmbd/netmisc.c
+ *
+ * Copyright (c) International Business Machines Corp., 2002,2008
+ * Author(s): Steve French (sfrench(a)us.ibm.com)
+ *
+ * Error mapping routines from Samba libsmb/errormap.c
+ * Copyright (C) Andrew Tridgell 2001
+ */
+
+#include "glob.h"
+#include "smberr.h"
+#include "nterr.h"
+#include "time_wrappers.h"
+
+/*
+ * Convert the NT UTC (based 1601-01-01, in hundred nanosecond units)
+ * into Unix UTC (based 1970-01-01, in seconds).
+ */
+struct timespec64 ksmbd_NTtimeToUnix(__le64 ntutc)
+{
+ struct timespec64 ts;
+
+ /* Subtract the NTFS time offset, then convert to 1s intervals. */
+ s64 t = le64_to_cpu(ntutc) - NTFS_TIME_OFFSET;
+ u64 abs_t;
+
+ /*
+ * Unfortunately can not use normal 64 bit division on 32 bit arch, but
+ * the alternative, do_div, does not work with negative numbers so have
+ * to special case them
+ */
+ if (t < 0) {
+ abs_t = -t;
+ ts.tv_nsec = do_div(abs_t, 10000000) * 100;
+ ts.tv_nsec = -ts.tv_nsec;
+ ts.tv_sec = -abs_t;
+ } else {
+ abs_t = t;
+ ts.tv_nsec = do_div(abs_t, 10000000) * 100;
+ ts.tv_sec = abs_t;
+ }
+
+ return ts;
+}
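Review bot: in the t < 0 branch of ksmbd_NTtimeToUnix() the result carries a negative tv_nsec (ts.tv_nsec = -ts.tv_nsec) alongside a negative tv_sec, which is not a normalized timespec64, where tv_nsec is expected to stay between 0 and NSEC_PER_SEC - 1. When the remainder is non-zero, borrow one second instead: tv_sec = -abs_t - 1 and tv_nsec = NSEC_PER_SEC minus the remainder. The header comment also names fs/ksmbd/netmisc.c and mentions error mapping routines, while the file is added as fs/cifsd/netmisc.c and contains only this time conversion.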
diff --git a/fs/cifsd/nterr.c b/fs/cifsd/nterr.c
new file mode 100644
index 000000000000..358a766375b4
--- /dev/null
+++ b/fs/cifsd/nterr.c
@@ -0,0 +1,674 @@
+// SPDX-License-Identifier: GPL-2.0-or-later
+/*
+ * Unix SMB/Netbios implementation.
+ * Version 1.9.
+ * RPC Pipe client / server routines
+ * Copyright (C) Luke Kenneth Casson Leighton 1997-2001.
+ */
+
+/* NT error codes - see nterr.h */
+#include <linux/types.h>
+#include <linux/fs.h>
+#include "nterr.h"
+
+const struct nt_err_code_struct nt_errs[] = {
+ {"NT_STATUS_OK", NT_STATUS_OK},
+ {"NT_STATUS_UNSUCCESSFUL", NT_STATUS_UNSUCCESSFUL},
+ {"NT_STATUS_NOT_IMPLEMENTED", NT_STATUS_NOT_IMPLEMENTED},
+ {"NT_STATUS_INVALID_INFO_CLASS", NT_STATUS_INVALID_INFO_CLASS},
+ {"NT_STATUS_INFO_LENGTH_MISMATCH", NT_STATUS_INFO_LENGTH_MISMATCH},
+ {"NT_STATUS_ACCESS_VIOLATION", NT_STATUS_ACCESS_VIOLATION},
+ {"NT_STATUS_BUFFER_OVERFLOW", NT_STATUS_BUFFER_OVERFLOW},
+ {"NT_STATUS_IN_PAGE_ERROR", NT_STATUS_IN_PAGE_ERROR},
+ {"NT_STATUS_PAGEFILE_QUOTA", NT_STATUS_PAGEFILE_QUOTA},
+ {"NT_STATUS_INVALID_HANDLE", NT_STATUS_INVALID_HANDLE},
+ {"NT_STATUS_BAD_INITIAL_STACK", NT_STATUS_BAD_INITIAL_STACK},
+ {"NT_STATUS_BAD_INITIAL_PC", NT_STATUS_BAD_INITIAL_PC},
+ {"NT_STATUS_INVALID_CID", NT_STATUS_INVALID_CID},
+ {"NT_STATUS_TIMER_NOT_CANCELED", NT_STATUS_TIMER_NOT_CANCELED},
+ {"NT_STATUS_INVALID_PARAMETER", NT_STATUS_INVALID_PARAMETER},
+ {"NT_STATUS_NO_SUCH_DEVICE", NT_STATUS_NO_SUCH_DEVICE},
+ {"NT_STATUS_NO_SUCH_FILE", NT_STATUS_NO_SUCH_FILE},
+ {"NT_STATUS_INVALID_DEVICE_REQUEST",
+ NT_STATUS_INVALID_DEVICE_REQUEST},
+ {"NT_STATUS_END_OF_FILE", NT_STATUS_END_OF_FILE},
+ {"NT_STATUS_WRONG_VOLUME", NT_STATUS_WRONG_VOLUME},
+ {"NT_STATUS_NO_MEDIA_IN_DEVICE", NT_STATUS_NO_MEDIA_IN_DEVICE},
+ {"NT_STATUS_UNRECOGNIZED_MEDIA", NT_STATUS_UNRECOGNIZED_MEDIA},
+ {"NT_STATUS_NONEXISTENT_SECTOR", NT_STATUS_NONEXISTENT_SECTOR},
+ {"NT_STATUS_MORE_PROCESSING_REQUIRED",
+ NT_STATUS_MORE_PROCESSING_REQUIRED},
+ {"NT_STATUS_NO_MEMORY", NT_STATUS_NO_MEMORY},
+ {"NT_STATUS_CONFLICTING_ADDRESSES",
+ NT_STATUS_CONFLICTING_ADDRESSES},
+ {"NT_STATUS_NOT_MAPPED_VIEW", NT_STATUS_NOT_MAPPED_VIEW},
+ {"NT_STATUS_UNABLE_TO_FREE_VM", NT_STATUS_UNABLE_TO_FREE_VM},
+ {"NT_STATUS_UNABLE_TO_DELETE_SECTION",
+ NT_STATUS_UNABLE_TO_DELETE_SECTION},
+ {"NT_STATUS_INVALID_SYSTEM_SERVICE",
+ NT_STATUS_INVALID_SYSTEM_SERVICE},
+ {"NT_STATUS_ILLEGAL_INSTRUCTION", NT_STATUS_ILLEGAL_INSTRUCTION},
+ {"NT_STATUS_INVALID_LOCK_SEQUENCE",
+ NT_STATUS_INVALID_LOCK_SEQUENCE},
+ {"NT_STATUS_INVALID_VIEW_SIZE", NT_STATUS_INVALID_VIEW_SIZE},
+ {"NT_STATUS_INVALID_FILE_FOR_SECTION",
+ NT_STATUS_INVALID_FILE_FOR_SECTION},
+ {"NT_STATUS_ALREADY_COMMITTED", NT_STATUS_ALREADY_COMMITTED},
+ {"NT_STATUS_ACCESS_DENIED", NT_STATUS_ACCESS_DENIED},
+ {"NT_STATUS_BUFFER_TOO_SMALL", NT_STATUS_BUFFER_TOO_SMALL},
+ {"NT_STATUS_OBJECT_TYPE_MISMATCH", NT_STATUS_OBJECT_TYPE_MISMATCH},
+ {"NT_STATUS_NONCONTINUABLE_EXCEPTION",
+ NT_STATUS_NONCONTINUABLE_EXCEPTION},
+ {"NT_STATUS_INVALID_DISPOSITION", NT_STATUS_INVALID_DISPOSITION},
+ {"NT_STATUS_UNWIND", NT_STATUS_UNWIND},
+ {"NT_STATUS_BAD_STACK", NT_STATUS_BAD_STACK},
+ {"NT_STATUS_INVALID_UNWIND_TARGET",
+ NT_STATUS_INVALID_UNWIND_TARGET},
+ {"NT_STATUS_NOT_LOCKED", NT_STATUS_NOT_LOCKED},
+ {"NT_STATUS_PARITY_ERROR", NT_STATUS_PARITY_ERROR},
+ {"NT_STATUS_UNABLE_TO_DECOMMIT_VM",
+ NT_STATUS_UNABLE_TO_DECOMMIT_VM},
+ {"NT_STATUS_NOT_COMMITTED", NT_STATUS_NOT_COMMITTED},
+ {"NT_STATUS_INVALID_PORT_ATTRIBUTES",
+ NT_STATUS_INVALID_PORT_ATTRIBUTES},
+ {"NT_STATUS_PORT_MESSAGE_TOO_LONG",
+ NT_STATUS_PORT_MESSAGE_TOO_LONG},
+ {"NT_STATUS_INVALID_PARAMETER_MIX",
+ NT_STATUS_INVALID_PARAMETER_MIX},
+ {"NT_STATUS_INVALID_QUOTA_LOWER", NT_STATUS_INVALID_QUOTA_LOWER},
+ {"NT_STATUS_DISK_CORRUPT_ERROR", NT_STATUS_DISK_CORRUPT_ERROR},
+ {"NT_STATUS_OBJECT_NAME_INVALID", NT_STATUS_OBJECT_NAME_INVALID},
+ {"NT_STATUS_OBJECT_NAME_NOT_FOUND",
+ NT_STATUS_OBJECT_NAME_NOT_FOUND},
+ {"NT_STATUS_OBJECT_NAME_COLLISION",
+ NT_STATUS_OBJECT_NAME_COLLISION},
+ {"NT_STATUS_HANDLE_NOT_WAITABLE", NT_STATUS_HANDLE_NOT_WAITABLE},
+ {"NT_STATUS_PORT_DISCONNECTED", NT_STATUS_PORT_DISCONNECTED},
+ {"NT_STATUS_DEVICE_ALREADY_ATTACHED",
+ NT_STATUS_DEVICE_ALREADY_ATTACHED},
+ {"NT_STATUS_OBJECT_PATH_INVALID", NT_STATUS_OBJECT_PATH_INVALID},
+ {"NT_STATUS_OBJECT_PATH_NOT_FOUND",
+ NT_STATUS_OBJECT_PATH_NOT_FOUND},
+ {"NT_STATUS_OBJECT_PATH_SYNTAX_BAD",
+ NT_STATUS_OBJECT_PATH_SYNTAX_BAD},
+ {"NT_STATUS_DATA_OVERRUN", NT_STATUS_DATA_OVERRUN},
+ {"NT_STATUS_DATA_LATE_ERROR", NT_STATUS_DATA_LATE_ERROR},
+ {"NT_STATUS_DATA_ERROR", NT_STATUS_DATA_ERROR},
+ {"NT_STATUS_CRC_ERROR", NT_STATUS_CRC_ERROR},
+ {"NT_STATUS_SECTION_TOO_BIG", NT_STATUS_SECTION_TOO_BIG},
+ {"NT_STATUS_PORT_CONNECTION_REFUSED",
+ NT_STATUS_PORT_CONNECTION_REFUSED},
+ {"NT_STATUS_INVALID_PORT_HANDLE", NT_STATUS_INVALID_PORT_HANDLE},
+ {"NT_STATUS_SHARING_VIOLATION", NT_STATUS_SHARING_VIOLATION},
+ {"NT_STATUS_QUOTA_EXCEEDED", NT_STATUS_QUOTA_EXCEEDED},
+ {"NT_STATUS_INVALID_PAGE_PROTECTION",
+ NT_STATUS_INVALID_PAGE_PROTECTION},
+ {"NT_STATUS_MUTANT_NOT_OWNED", NT_STATUS_MUTANT_NOT_OWNED},
+ {"NT_STATUS_SEMAPHORE_LIMIT_EXCEEDED",
+ NT_STATUS_SEMAPHORE_LIMIT_EXCEEDED},
+ {"NT_STATUS_PORT_ALREADY_SET", NT_STATUS_PORT_ALREADY_SET},
+ {"NT_STATUS_SECTION_NOT_IMAGE", NT_STATUS_SECTION_NOT_IMAGE},
+ {"NT_STATUS_SUSPEND_COUNT_EXCEEDED",
+ NT_STATUS_SUSPEND_COUNT_EXCEEDED},
+ {"NT_STATUS_THREAD_IS_TERMINATING",
+ NT_STATUS_THREAD_IS_TERMINATING},
+ {"NT_STATUS_BAD_WORKING_SET_LIMIT",
+ NT_STATUS_BAD_WORKING_SET_LIMIT},
+ {"NT_STATUS_INCOMPATIBLE_FILE_MAP",
+ NT_STATUS_INCOMPATIBLE_FILE_MAP},
+ {"NT_STATUS_SECTION_PROTECTION", NT_STATUS_SECTION_PROTECTION},
+ {"NT_STATUS_EAS_NOT_SUPPORTED", NT_STATUS_EAS_NOT_SUPPORTED},
+ {"NT_STATUS_EA_TOO_LARGE", NT_STATUS_EA_TOO_LARGE},
+ {"NT_STATUS_NONEXISTENT_EA_ENTRY", NT_STATUS_NONEXISTENT_EA_ENTRY},
+ {"NT_STATUS_NO_EAS_ON_FILE", NT_STATUS_NO_EAS_ON_FILE},
+ {"NT_STATUS_EA_CORRUPT_ERROR", NT_STATUS_EA_CORRUPT_ERROR},
+ {"NT_STATUS_FILE_LOCK_CONFLICT", NT_STATUS_FILE_LOCK_CONFLICT},
+ {"NT_STATUS_LOCK_NOT_GRANTED", NT_STATUS_LOCK_NOT_GRANTED},
+ {"NT_STATUS_DELETE_PENDING", NT_STATUS_DELETE_PENDING},
+ {"NT_STATUS_CTL_FILE_NOT_SUPPORTED",
+ NT_STATUS_CTL_FILE_NOT_SUPPORTED},
+ {"NT_STATUS_UNKNOWN_REVISION", NT_STATUS_UNKNOWN_REVISION},
+ {"NT_STATUS_REVISION_MISMATCH", NT_STATUS_REVISION_MISMATCH},
+ {"NT_STATUS_INVALID_OWNER", NT_STATUS_INVALID_OWNER},
+ {"NT_STATUS_INVALID_PRIMARY_GROUP",
+ NT_STATUS_INVALID_PRIMARY_GROUP},
+ {"NT_STATUS_NO_IMPERSONATION_TOKEN",
+ NT_STATUS_NO_IMPERSONATION_TOKEN},
+ {"NT_STATUS_CANT_DISABLE_MANDATORY",
+ NT_STATUS_CANT_DISABLE_MANDATORY},
+ {"NT_STATUS_NO_LOGON_SERVERS", NT_STATUS_NO_LOGON_SERVERS},
+ {"NT_STATUS_NO_SUCH_LOGON_SESSION",
+ NT_STATUS_NO_SUCH_LOGON_SESSION},
+ {"NT_STATUS_NO_SUCH_PRIVILEGE", NT_STATUS_NO_SUCH_PRIVILEGE},
+ {"NT_STATUS_PRIVILEGE_NOT_HELD", NT_STATUS_PRIVILEGE_NOT_HELD},
+ {"NT_STATUS_INVALID_ACCOUNT_NAME", NT_STATUS_INVALID_ACCOUNT_NAME},
+ {"NT_STATUS_USER_EXISTS", NT_STATUS_USER_EXISTS},
+ {"NT_STATUS_NO_SUCH_USER", NT_STATUS_NO_SUCH_USER},
+ {"NT_STATUS_GROUP_EXISTS", NT_STATUS_GROUP_EXISTS},
+ {"NT_STATUS_NO_SUCH_GROUP", NT_STATUS_NO_SUCH_GROUP},
+ {"NT_STATUS_MEMBER_IN_GROUP", NT_STATUS_MEMBER_IN_GROUP},
+ {"NT_STATUS_MEMBER_NOT_IN_GROUP", NT_STATUS_MEMBER_NOT_IN_GROUP},
+ {"NT_STATUS_LAST_ADMIN", NT_STATUS_LAST_ADMIN},
+ {"NT_STATUS_WRONG_PASSWORD", NT_STATUS_WRONG_PASSWORD},
+ {"NT_STATUS_ILL_FORMED_PASSWORD", NT_STATUS_ILL_FORMED_PASSWORD},
+ {"NT_STATUS_PASSWORD_RESTRICTION", NT_STATUS_PASSWORD_RESTRICTION},
+ {"NT_STATUS_LOGON_FAILURE", NT_STATUS_LOGON_FAILURE},
+ {"NT_STATUS_ACCOUNT_RESTRICTION", NT_STATUS_ACCOUNT_RESTRICTION},
+ {"NT_STATUS_INVALID_LOGON_HOURS", NT_STATUS_INVALID_LOGON_HOURS},
+ {"NT_STATUS_INVALID_WORKSTATION", NT_STATUS_INVALID_WORKSTATION},
+ {"NT_STATUS_PASSWORD_EXPIRED", NT_STATUS_PASSWORD_EXPIRED},
+ {"NT_STATUS_ACCOUNT_DISABLED", NT_STATUS_ACCOUNT_DISABLED},
+ {"NT_STATUS_NONE_MAPPED", NT_STATUS_NONE_MAPPED},
+ {"NT_STATUS_TOO_MANY_LUIDS_REQUESTED",
+ NT_STATUS_TOO_MANY_LUIDS_REQUESTED},
+ {"NT_STATUS_LUIDS_EXHAUSTED", NT_STATUS_LUIDS_EXHAUSTED},
+ {"NT_STATUS_INVALID_SUB_AUTHORITY",
+ NT_STATUS_INVALID_SUB_AUTHORITY},
+ {"NT_STATUS_INVALID_ACL", NT_STATUS_INVALID_ACL},
+ {"NT_STATUS_INVALID_SID", NT_STATUS_INVALID_SID},
+ {"NT_STATUS_INVALID_SECURITY_DESCR",
+ NT_STATUS_INVALID_SECURITY_DESCR},
+ {"NT_STATUS_PROCEDURE_NOT_FOUND", NT_STATUS_PROCEDURE_NOT_FOUND},
+ {"NT_STATUS_INVALID_IMAGE_FORMAT", NT_STATUS_INVALID_IMAGE_FORMAT},
+ {"NT_STATUS_NO_TOKEN", NT_STATUS_NO_TOKEN},
+ {"NT_STATUS_BAD_INHERITANCE_ACL", NT_STATUS_BAD_INHERITANCE_ACL},
+ {"NT_STATUS_RANGE_NOT_LOCKED", NT_STATUS_RANGE_NOT_LOCKED},
+ {"NT_STATUS_DISK_FULL", NT_STATUS_DISK_FULL},
+ {"NT_STATUS_SERVER_DISABLED", NT_STATUS_SERVER_DISABLED},
+ {"NT_STATUS_SERVER_NOT_DISABLED", NT_STATUS_SERVER_NOT_DISABLED},
+ {"NT_STATUS_TOO_MANY_GUIDS_REQUESTED",
+ NT_STATUS_TOO_MANY_GUIDS_REQUESTED},
+ {"NT_STATUS_GUIDS_EXHAUSTED", NT_STATUS_GUIDS_EXHAUSTED},
+ {"NT_STATUS_INVALID_ID_AUTHORITY", NT_STATUS_INVALID_ID_AUTHORITY},
+ {"NT_STATUS_AGENTS_EXHAUSTED", NT_STATUS_AGENTS_EXHAUSTED},
+ {"NT_STATUS_INVALID_VOLUME_LABEL", NT_STATUS_INVALID_VOLUME_LABEL},
+ {"NT_STATUS_SECTION_NOT_EXTENDED", NT_STATUS_SECTION_NOT_EXTENDED},
+ {"NT_STATUS_NOT_MAPPED_DATA", NT_STATUS_NOT_MAPPED_DATA},
+ {"NT_STATUS_RESOURCE_DATA_NOT_FOUND",
+ NT_STATUS_RESOURCE_DATA_NOT_FOUND},
+ {"NT_STATUS_RESOURCE_TYPE_NOT_FOUND",
+ NT_STATUS_RESOURCE_TYPE_NOT_FOUND},
+ {"NT_STATUS_RESOURCE_NAME_NOT_FOUND",
+ NT_STATUS_RESOURCE_NAME_NOT_FOUND},
+ {"NT_STATUS_ARRAY_BOUNDS_EXCEEDED",
+ NT_STATUS_ARRAY_BOUNDS_EXCEEDED},
+ {"NT_STATUS_FLOAT_DENORMAL_OPERAND",
+ NT_STATUS_FLOAT_DENORMAL_OPERAND},
+ {"NT_STATUS_FLOAT_DIVIDE_BY_ZERO", NT_STATUS_FLOAT_DIVIDE_BY_ZERO},
+ {"NT_STATUS_FLOAT_INEXACT_RESULT", NT_STATUS_FLOAT_INEXACT_RESULT},
+ {"NT_STATUS_FLOAT_INVALID_OPERATION",
+ NT_STATUS_FLOAT_INVALID_OPERATION},
+ {"NT_STATUS_FLOAT_OVERFLOW", NT_STATUS_FLOAT_OVERFLOW},
+ {"NT_STATUS_FLOAT_STACK_CHECK", NT_STATUS_FLOAT_STACK_CHECK},
+ {"NT_STATUS_FLOAT_UNDERFLOW", NT_STATUS_FLOAT_UNDERFLOW},
+ {"NT_STATUS_INTEGER_DIVIDE_BY_ZERO",
+ NT_STATUS_INTEGER_DIVIDE_BY_ZERO},
+ {"NT_STATUS_INTEGER_OVERFLOW", NT_STATUS_INTEGER_OVERFLOW},
+ {"NT_STATUS_PRIVILEGED_INSTRUCTION",
+ NT_STATUS_PRIVILEGED_INSTRUCTION},
+ {"NT_STATUS_TOO_MANY_PAGING_FILES",
+ NT_STATUS_TOO_MANY_PAGING_FILES},
+ {"NT_STATUS_FILE_INVALID", NT_STATUS_FILE_INVALID},
+ {"NT_STATUS_ALLOTTED_SPACE_EXCEEDED",
+ NT_STATUS_ALLOTTED_SPACE_EXCEEDED},
+ {"NT_STATUS_INSUFFICIENT_RESOURCES",
+ NT_STATUS_INSUFFICIENT_RESOURCES},
+ {"NT_STATUS_DFS_EXIT_PATH_FOUND", NT_STATUS_DFS_EXIT_PATH_FOUND},
+ {"NT_STATUS_DEVICE_DATA_ERROR", NT_STATUS_DEVICE_DATA_ERROR},
+ {"NT_STATUS_DEVICE_NOT_CONNECTED", NT_STATUS_DEVICE_NOT_CONNECTED},
+ {"NT_STATUS_DEVICE_POWER_FAILURE", NT_STATUS_DEVICE_POWER_FAILURE},
+ {"NT_STATUS_FREE_VM_NOT_AT_BASE", NT_STATUS_FREE_VM_NOT_AT_BASE},
+ {"NT_STATUS_MEMORY_NOT_ALLOCATED", NT_STATUS_MEMORY_NOT_ALLOCATED},
+ {"NT_STATUS_WORKING_SET_QUOTA", NT_STATUS_WORKING_SET_QUOTA},
+ {"NT_STATUS_MEDIA_WRITE_PROTECTED",
+ NT_STATUS_MEDIA_WRITE_PROTECTED},
+ {"NT_STATUS_DEVICE_NOT_READY", NT_STATUS_DEVICE_NOT_READY},
+ {"NT_STATUS_INVALID_GROUP_ATTRIBUTES",
+ NT_STATUS_INVALID_GROUP_ATTRIBUTES},
+ {"NT_STATUS_BAD_IMPERSONATION_LEVEL",
+ NT_STATUS_BAD_IMPERSONATION_LEVEL},
+ {"NT_STATUS_CANT_OPEN_ANONYMOUS", NT_STATUS_CANT_OPEN_ANONYMOUS},
+ {"NT_STATUS_BAD_VALIDATION_CLASS", NT_STATUS_BAD_VALIDATION_CLASS},
+ {"NT_STATUS_BAD_TOKEN_TYPE", NT_STATUS_BAD_TOKEN_TYPE},
+ {"NT_STATUS_BAD_MASTER_BOOT_RECORD",
+ NT_STATUS_BAD_MASTER_BOOT_RECORD},
+ {"NT_STATUS_INSTRUCTION_MISALIGNMENT",
+ NT_STATUS_INSTRUCTION_MISALIGNMENT},
+ {"NT_STATUS_INSTANCE_NOT_AVAILABLE",
+ NT_STATUS_INSTANCE_NOT_AVAILABLE},
+ {"NT_STATUS_PIPE_NOT_AVAILABLE", NT_STATUS_PIPE_NOT_AVAILABLE},
+ {"NT_STATUS_INVALID_PIPE_STATE", NT_STATUS_INVALID_PIPE_STATE},
+ {"NT_STATUS_PIPE_BUSY", NT_STATUS_PIPE_BUSY},
+ {"NT_STATUS_ILLEGAL_FUNCTION", NT_STATUS_ILLEGAL_FUNCTION},
+ {"NT_STATUS_PIPE_DISCONNECTED", NT_STATUS_PIPE_DISCONNECTED},
+ {"NT_STATUS_PIPE_CLOSING", NT_STATUS_PIPE_CLOSING},
+ {"NT_STATUS_PIPE_CONNECTED", NT_STATUS_PIPE_CONNECTED},
+ {"NT_STATUS_PIPE_LISTENING", NT_STATUS_PIPE_LISTENING},
+ {"NT_STATUS_INVALID_READ_MODE", NT_STATUS_INVALID_READ_MODE},
+ {"NT_STATUS_IO_TIMEOUT", NT_STATUS_IO_TIMEOUT},
+ {"NT_STATUS_FILE_FORCED_CLOSED", NT_STATUS_FILE_FORCED_CLOSED},
+ {"NT_STATUS_PROFILING_NOT_STARTED",
+ NT_STATUS_PROFILING_NOT_STARTED},
+ {"NT_STATUS_PROFILING_NOT_STOPPED",
+ NT_STATUS_PROFILING_NOT_STOPPED},
+ {"NT_STATUS_COULD_NOT_INTERPRET", NT_STATUS_COULD_NOT_INTERPRET},
+ {"NT_STATUS_FILE_IS_A_DIRECTORY", NT_STATUS_FILE_IS_A_DIRECTORY},
+ {"NT_STATUS_NOT_SUPPORTED", NT_STATUS_NOT_SUPPORTED},
+ {"NT_STATUS_REMOTE_NOT_LISTENING", NT_STATUS_REMOTE_NOT_LISTENING},
+ {"NT_STATUS_DUPLICATE_NAME", NT_STATUS_DUPLICATE_NAME},
+ {"NT_STATUS_BAD_NETWORK_PATH", NT_STATUS_BAD_NETWORK_PATH},
+ {"NT_STATUS_NETWORK_BUSY", NT_STATUS_NETWORK_BUSY},
+ {"NT_STATUS_DEVICE_DOES_NOT_EXIST",
+ NT_STATUS_DEVICE_DOES_NOT_EXIST},
+ {"NT_STATUS_TOO_MANY_COMMANDS", NT_STATUS_TOO_MANY_COMMANDS},
+ {"NT_STATUS_ADAPTER_HARDWARE_ERROR",
+ NT_STATUS_ADAPTER_HARDWARE_ERROR},
+ {"NT_STATUS_INVALID_NETWORK_RESPONSE",
+ NT_STATUS_INVALID_NETWORK_RESPONSE},
+ {"NT_STATUS_UNEXPECTED_NETWORK_ERROR",
+ NT_STATUS_UNEXPECTED_NETWORK_ERROR},
+ {"NT_STATUS_BAD_REMOTE_ADAPTER", NT_STATUS_BAD_REMOTE_ADAPTER},
+ {"NT_STATUS_PRINT_QUEUE_FULL", NT_STATUS_PRINT_QUEUE_FULL},
+ {"NT_STATUS_NO_SPOOL_SPACE", NT_STATUS_NO_SPOOL_SPACE},
+ {"NT_STATUS_PRINT_CANCELLED", NT_STATUS_PRINT_CANCELLED},
+ {"NT_STATUS_NETWORK_NAME_DELETED", NT_STATUS_NETWORK_NAME_DELETED},
+ {"NT_STATUS_NETWORK_ACCESS_DENIED",
+ NT_STATUS_NETWORK_ACCESS_DENIED},
+ {"NT_STATUS_BAD_DEVICE_TYPE", NT_STATUS_BAD_DEVICE_TYPE},
+ {"NT_STATUS_BAD_NETWORK_NAME", NT_STATUS_BAD_NETWORK_NAME},
+ {"NT_STATUS_TOO_MANY_NAMES", NT_STATUS_TOO_MANY_NAMES},
+ {"NT_STATUS_TOO_MANY_SESSIONS", NT_STATUS_TOO_MANY_SESSIONS},
+ {"NT_STATUS_SHARING_PAUSED", NT_STATUS_SHARING_PAUSED},
+ {"NT_STATUS_REQUEST_NOT_ACCEPTED", NT_STATUS_REQUEST_NOT_ACCEPTED},
+ {"NT_STATUS_REDIRECTOR_PAUSED", NT_STATUS_REDIRECTOR_PAUSED},
+ {"NT_STATUS_NET_WRITE_FAULT", NT_STATUS_NET_WRITE_FAULT},
+ {"NT_STATUS_PROFILING_AT_LIMIT", NT_STATUS_PROFILING_AT_LIMIT},
+ {"NT_STATUS_NOT_SAME_DEVICE", NT_STATUS_NOT_SAME_DEVICE},
+ {"NT_STATUS_FILE_RENAMED", NT_STATUS_FILE_RENAMED},
+ {"NT_STATUS_VIRTUAL_CIRCUIT_CLOSED",
+ NT_STATUS_VIRTUAL_CIRCUIT_CLOSED},
+ {"NT_STATUS_NO_SECURITY_ON_OBJECT",
+ NT_STATUS_NO_SECURITY_ON_OBJECT},
+ {"NT_STATUS_CANT_WAIT", NT_STATUS_CANT_WAIT},
+ {"NT_STATUS_PIPE_EMPTY", NT_STATUS_PIPE_EMPTY},
+ {"NT_STATUS_CANT_ACCESS_DOMAIN_INFO",
+ NT_STATUS_CANT_ACCESS_DOMAIN_INFO},
+ {"NT_STATUS_CANT_TERMINATE_SELF", NT_STATUS_CANT_TERMINATE_SELF},
+ {"NT_STATUS_INVALID_SERVER_STATE", NT_STATUS_INVALID_SERVER_STATE},
+ {"NT_STATUS_INVALID_DOMAIN_STATE", NT_STATUS_INVALID_DOMAIN_STATE},
+ {"NT_STATUS_INVALID_DOMAIN_ROLE", NT_STATUS_INVALID_DOMAIN_ROLE},
+ {"NT_STATUS_NO_SUCH_DOMAIN", NT_STATUS_NO_SUCH_DOMAIN},
+ {"NT_STATUS_DOMAIN_EXISTS", NT_STATUS_DOMAIN_EXISTS},
+ {"NT_STATUS_DOMAIN_LIMIT_EXCEEDED",
+ NT_STATUS_DOMAIN_LIMIT_EXCEEDED},
+ {"NT_STATUS_OPLOCK_NOT_GRANTED", NT_STATUS_OPLOCK_NOT_GRANTED},
+ {"NT_STATUS_INVALID_OPLOCK_PROTOCOL",
+ NT_STATUS_INVALID_OPLOCK_PROTOCOL},
+ {"NT_STATUS_INTERNAL_DB_CORRUPTION",
+ NT_STATUS_INTERNAL_DB_CORRUPTION},
+ {"NT_STATUS_INTERNAL_ERROR", NT_STATUS_INTERNAL_ERROR},
+ {"NT_STATUS_GENERIC_NOT_MAPPED", NT_STATUS_GENERIC_NOT_MAPPED},
+ {"NT_STATUS_BAD_DESCRIPTOR_FORMAT",
+ NT_STATUS_BAD_DESCRIPTOR_FORMAT},
+ {"NT_STATUS_INVALID_USER_BUFFER", NT_STATUS_INVALID_USER_BUFFER},
+ {"NT_STATUS_UNEXPECTED_IO_ERROR", NT_STATUS_UNEXPECTED_IO_ERROR},
+ {"NT_STATUS_UNEXPECTED_MM_CREATE_ERR",
+ NT_STATUS_UNEXPECTED_MM_CREATE_ERR},
+ {"NT_STATUS_UNEXPECTED_MM_MAP_ERROR",
+ NT_STATUS_UNEXPECTED_MM_MAP_ERROR},
+ {"NT_STATUS_UNEXPECTED_MM_EXTEND_ERR",
+ NT_STATUS_UNEXPECTED_MM_EXTEND_ERR},
+ {"NT_STATUS_NOT_LOGON_PROCESS", NT_STATUS_NOT_LOGON_PROCESS},
+ {"NT_STATUS_LOGON_SESSION_EXISTS", NT_STATUS_LOGON_SESSION_EXISTS},
+ {"NT_STATUS_INVALID_PARAMETER_1", NT_STATUS_INVALID_PARAMETER_1},
+ {"NT_STATUS_INVALID_PARAMETER_2", NT_STATUS_INVALID_PARAMETER_2},
+ {"NT_STATUS_INVALID_PARAMETER_3", NT_STATUS_INVALID_PARAMETER_3},
+ {"NT_STATUS_INVALID_PARAMETER_4", NT_STATUS_INVALID_PARAMETER_4},
+ {"NT_STATUS_INVALID_PARAMETER_5", NT_STATUS_INVALID_PARAMETER_5},
+ {"NT_STATUS_INVALID_PARAMETER_6", NT_STATUS_INVALID_PARAMETER_6},
+ {"NT_STATUS_INVALID_PARAMETER_7", NT_STATUS_INVALID_PARAMETER_7},
+ {"NT_STATUS_INVALID_PARAMETER_8", NT_STATUS_INVALID_PARAMETER_8},
+ {"NT_STATUS_INVALID_PARAMETER_9", NT_STATUS_INVALID_PARAMETER_9},
+ {"NT_STATUS_INVALID_PARAMETER_10", NT_STATUS_INVALID_PARAMETER_10},
+ {"NT_STATUS_INVALID_PARAMETER_11", NT_STATUS_INVALID_PARAMETER_11},
+ {"NT_STATUS_INVALID_PARAMETER_12", NT_STATUS_INVALID_PARAMETER_12},
+ {"NT_STATUS_REDIRECTOR_NOT_STARTED",
+ NT_STATUS_REDIRECTOR_NOT_STARTED},
+ {"NT_STATUS_REDIRECTOR_STARTED", NT_STATUS_REDIRECTOR_STARTED},
+ {"NT_STATUS_STACK_OVERFLOW", NT_STATUS_STACK_OVERFLOW},
+ {"NT_STATUS_NO_SUCH_PACKAGE", NT_STATUS_NO_SUCH_PACKAGE},
+ {"NT_STATUS_BAD_FUNCTION_TABLE", NT_STATUS_BAD_FUNCTION_TABLE},
+ {"NT_STATUS_DIRECTORY_NOT_EMPTY", NT_STATUS_DIRECTORY_NOT_EMPTY},
+ {"NT_STATUS_FILE_CORRUPT_ERROR", NT_STATUS_FILE_CORRUPT_ERROR},
+ {"NT_STATUS_NOT_A_DIRECTORY", NT_STATUS_NOT_A_DIRECTORY},
+ {"NT_STATUS_BAD_LOGON_SESSION_STATE",
+ NT_STATUS_BAD_LOGON_SESSION_STATE},
+ {"NT_STATUS_LOGON_SESSION_COLLISION",
+ NT_STATUS_LOGON_SESSION_COLLISION},
+ {"NT_STATUS_NAME_TOO_LONG", NT_STATUS_NAME_TOO_LONG},
+ {"NT_STATUS_FILES_OPEN", NT_STATUS_FILES_OPEN},
+ {"NT_STATUS_CONNECTION_IN_USE", NT_STATUS_CONNECTION_IN_USE},
+ {"NT_STATUS_MESSAGE_NOT_FOUND", NT_STATUS_MESSAGE_NOT_FOUND},
+ {"NT_STATUS_PROCESS_IS_TERMINATING",
+ NT_STATUS_PROCESS_IS_TERMINATING},
+ {"NT_STATUS_INVALID_LOGON_TYPE", NT_STATUS_INVALID_LOGON_TYPE},
+ {"NT_STATUS_NO_GUID_TRANSLATION", NT_STATUS_NO_GUID_TRANSLATION},
+ {"NT_STATUS_CANNOT_IMPERSONATE", NT_STATUS_CANNOT_IMPERSONATE},
+ {"NT_STATUS_IMAGE_ALREADY_LOADED", NT_STATUS_IMAGE_ALREADY_LOADED},
+ {"NT_STATUS_ABIOS_NOT_PRESENT", NT_STATUS_ABIOS_NOT_PRESENT},
+ {"NT_STATUS_ABIOS_LID_NOT_EXIST", NT_STATUS_ABIOS_LID_NOT_EXIST},
+ {"NT_STATUS_ABIOS_LID_ALREADY_OWNED",
+ NT_STATUS_ABIOS_LID_ALREADY_OWNED},
+ {"NT_STATUS_ABIOS_NOT_LID_OWNER", NT_STATUS_ABIOS_NOT_LID_OWNER},
+ {"NT_STATUS_ABIOS_INVALID_COMMAND",
+ NT_STATUS_ABIOS_INVALID_COMMAND},
+ {"NT_STATUS_ABIOS_INVALID_LID", NT_STATUS_ABIOS_INVALID_LID},
+ {"NT_STATUS_ABIOS_SELECTOR_NOT_AVAILABLE",
+ NT_STATUS_ABIOS_SELECTOR_NOT_AVAILABLE},
+ {"NT_STATUS_ABIOS_INVALID_SELECTOR",
+ NT_STATUS_ABIOS_INVALID_SELECTOR},
+ {"NT_STATUS_NO_LDT", NT_STATUS_NO_LDT},
+ {"NT_STATUS_INVALID_LDT_SIZE", NT_STATUS_INVALID_LDT_SIZE},
+ {"NT_STATUS_INVALID_LDT_OFFSET", NT_STATUS_INVALID_LDT_OFFSET},
+ {"NT_STATUS_INVALID_LDT_DESCRIPTOR",
+ NT_STATUS_INVALID_LDT_DESCRIPTOR},
+ {"NT_STATUS_INVALID_IMAGE_NE_FORMAT",
+ NT_STATUS_INVALID_IMAGE_NE_FORMAT},
+ {"NT_STATUS_RXACT_INVALID_STATE", NT_STATUS_RXACT_INVALID_STATE},
+ {"NT_STATUS_RXACT_COMMIT_FAILURE", NT_STATUS_RXACT_COMMIT_FAILURE},
+ {"NT_STATUS_MAPPED_FILE_SIZE_ZERO",
+ NT_STATUS_MAPPED_FILE_SIZE_ZERO},
+ {"NT_STATUS_TOO_MANY_OPENED_FILES",
+ NT_STATUS_TOO_MANY_OPENED_FILES},
+ {"NT_STATUS_CANCELLED", NT_STATUS_CANCELLED},
+ {"NT_STATUS_CANNOT_DELETE", NT_STATUS_CANNOT_DELETE},
+ {"NT_STATUS_INVALID_COMPUTER_NAME",
+ NT_STATUS_INVALID_COMPUTER_NAME},
+ {"NT_STATUS_FILE_DELETED", NT_STATUS_FILE_DELETED},
+ {"NT_STATUS_SPECIAL_ACCOUNT", NT_STATUS_SPECIAL_ACCOUNT},
+ {"NT_STATUS_SPECIAL_GROUP", NT_STATUS_SPECIAL_GROUP},
+ {"NT_STATUS_SPECIAL_USER", NT_STATUS_SPECIAL_USER},
+ {"NT_STATUS_MEMBERS_PRIMARY_GROUP",
+ NT_STATUS_MEMBERS_PRIMARY_GROUP},
+ {"NT_STATUS_FILE_CLOSED", NT_STATUS_FILE_CLOSED},
+ {"NT_STATUS_TOO_MANY_THREADS", NT_STATUS_TOO_MANY_THREADS},
+ {"NT_STATUS_THREAD_NOT_IN_PROCESS",
+ NT_STATUS_THREAD_NOT_IN_PROCESS},
+ {"NT_STATUS_TOKEN_ALREADY_IN_USE", NT_STATUS_TOKEN_ALREADY_IN_USE},
+ {"NT_STATUS_PAGEFILE_QUOTA_EXCEEDED",
+ NT_STATUS_PAGEFILE_QUOTA_EXCEEDED},
+ {"NT_STATUS_COMMITMENT_LIMIT", NT_STATUS_COMMITMENT_LIMIT},
+ {"NT_STATUS_INVALID_IMAGE_LE_FORMAT",
+ NT_STATUS_INVALID_IMAGE_LE_FORMAT},
+ {"NT_STATUS_INVALID_IMAGE_NOT_MZ", NT_STATUS_INVALID_IMAGE_NOT_MZ},
+ {"NT_STATUS_INVALID_IMAGE_PROTECT",
+ NT_STATUS_INVALID_IMAGE_PROTECT},
+ {"NT_STATUS_INVALID_IMAGE_WIN_16", NT_STATUS_INVALID_IMAGE_WIN_16},
+ {"NT_STATUS_LOGON_SERVER_CONFLICT",
+ NT_STATUS_LOGON_SERVER_CONFLICT},
+ {"NT_STATUS_TIME_DIFFERENCE_AT_DC",
+ NT_STATUS_TIME_DIFFERENCE_AT_DC},
+ {"NT_STATUS_SYNCHRONIZATION_REQUIRED",
+ NT_STATUS_SYNCHRONIZATION_REQUIRED},
+ {"NT_STATUS_DLL_NOT_FOUND", NT_STATUS_DLL_NOT_FOUND},
+ {"NT_STATUS_OPEN_FAILED", NT_STATUS_OPEN_FAILED},
+ {"NT_STATUS_IO_PRIVILEGE_FAILED", NT_STATUS_IO_PRIVILEGE_FAILED},
+ {"NT_STATUS_ORDINAL_NOT_FOUND", NT_STATUS_ORDINAL_NOT_FOUND},
+ {"NT_STATUS_ENTRYPOINT_NOT_FOUND", NT_STATUS_ENTRYPOINT_NOT_FOUND},
+ {"NT_STATUS_CONTROL_C_EXIT", NT_STATUS_CONTROL_C_EXIT},
+ {"NT_STATUS_LOCAL_DISCONNECT", NT_STATUS_LOCAL_DISCONNECT},
+ {"NT_STATUS_REMOTE_DISCONNECT", NT_STATUS_REMOTE_DISCONNECT},
+ {"NT_STATUS_REMOTE_RESOURCES", NT_STATUS_REMOTE_RESOURCES},
+ {"NT_STATUS_LINK_FAILED", NT_STATUS_LINK_FAILED},
+ {"NT_STATUS_LINK_TIMEOUT", NT_STATUS_LINK_TIMEOUT},
+ {"NT_STATUS_INVALID_CONNECTION", NT_STATUS_INVALID_CONNECTION},
+ {"NT_STATUS_INVALID_ADDRESS", NT_STATUS_INVALID_ADDRESS},
+ {"NT_STATUS_DLL_INIT_FAILED", NT_STATUS_DLL_INIT_FAILED},
+ {"NT_STATUS_MISSING_SYSTEMFILE", NT_STATUS_MISSING_SYSTEMFILE},
+ {"NT_STATUS_UNHANDLED_EXCEPTION", NT_STATUS_UNHANDLED_EXCEPTION},
+ {"NT_STATUS_APP_INIT_FAILURE", NT_STATUS_APP_INIT_FAILURE},
+ {"NT_STATUS_PAGEFILE_CREATE_FAILED",
+ NT_STATUS_PAGEFILE_CREATE_FAILED},
+ {"NT_STATUS_NO_PAGEFILE", NT_STATUS_NO_PAGEFILE},
+ {"NT_STATUS_INVALID_LEVEL", NT_STATUS_INVALID_LEVEL},
+ {"NT_STATUS_WRONG_PASSWORD_CORE", NT_STATUS_WRONG_PASSWORD_CORE},
+ {"NT_STATUS_ILLEGAL_FLOAT_CONTEXT",
+ NT_STATUS_ILLEGAL_FLOAT_CONTEXT},
+ {"NT_STATUS_PIPE_BROKEN", NT_STATUS_PIPE_BROKEN},
+ {"NT_STATUS_REGISTRY_CORRUPT", NT_STATUS_REGISTRY_CORRUPT},
+ {"NT_STATUS_REGISTRY_IO_FAILED", NT_STATUS_REGISTRY_IO_FAILED},
+ {"NT_STATUS_NO_EVENT_PAIR", NT_STATUS_NO_EVENT_PAIR},
+ {"NT_STATUS_UNRECOGNIZED_VOLUME", NT_STATUS_UNRECOGNIZED_VOLUME},
+ {"NT_STATUS_SERIAL_NO_DEVICE_INITED",
+ NT_STATUS_SERIAL_NO_DEVICE_INITED},
+ {"NT_STATUS_NO_SUCH_ALIAS", NT_STATUS_NO_SUCH_ALIAS},
+ {"NT_STATUS_MEMBER_NOT_IN_ALIAS", NT_STATUS_MEMBER_NOT_IN_ALIAS},
+ {"NT_STATUS_MEMBER_IN_ALIAS", NT_STATUS_MEMBER_IN_ALIAS},
+ {"NT_STATUS_ALIAS_EXISTS", NT_STATUS_ALIAS_EXISTS},
+ {"NT_STATUS_LOGON_NOT_GRANTED", NT_STATUS_LOGON_NOT_GRANTED},
+ {"NT_STATUS_TOO_MANY_SECRETS", NT_STATUS_TOO_MANY_SECRETS},
+ {"NT_STATUS_SECRET_TOO_LONG", NT_STATUS_SECRET_TOO_LONG},
+ {"NT_STATUS_INTERNAL_DB_ERROR", NT_STATUS_INTERNAL_DB_ERROR},
+ {"NT_STATUS_FULLSCREEN_MODE", NT_STATUS_FULLSCREEN_MODE},
+ {"NT_STATUS_TOO_MANY_CONTEXT_IDS", NT_STATUS_TOO_MANY_CONTEXT_IDS},
+ {"NT_STATUS_LOGON_TYPE_NOT_GRANTED",
+ NT_STATUS_LOGON_TYPE_NOT_GRANTED},
+ {"NT_STATUS_NOT_REGISTRY_FILE", NT_STATUS_NOT_REGISTRY_FILE},
+ {"NT_STATUS_NT_CROSS_ENCRYPTION_REQUIRED",
+ NT_STATUS_NT_CROSS_ENCRYPTION_REQUIRED},
+ {"NT_STATUS_DOMAIN_CTRLR_CONFIG_ERROR",
+ NT_STATUS_DOMAIN_CTRLR_CONFIG_ERROR},
+ {"NT_STATUS_FT_MISSING_MEMBER", NT_STATUS_FT_MISSING_MEMBER},
+ {"NT_STATUS_ILL_FORMED_SERVICE_ENTRY",
+ NT_STATUS_ILL_FORMED_SERVICE_ENTRY},
+ {"NT_STATUS_ILLEGAL_CHARACTER", NT_STATUS_ILLEGAL_CHARACTER},
+ {"NT_STATUS_UNMAPPABLE_CHARACTER", NT_STATUS_UNMAPPABLE_CHARACTER},
+ {"NT_STATUS_UNDEFINED_CHARACTER", NT_STATUS_UNDEFINED_CHARACTER},
+ {"NT_STATUS_FLOPPY_VOLUME", NT_STATUS_FLOPPY_VOLUME},
+ {"NT_STATUS_FLOPPY_ID_MARK_NOT_FOUND",
+ NT_STATUS_FLOPPY_ID_MARK_NOT_FOUND},
+ {"NT_STATUS_FLOPPY_WRONG_CYLINDER",
+ NT_STATUS_FLOPPY_WRONG_CYLINDER},
+ {"NT_STATUS_FLOPPY_UNKNOWN_ERROR", NT_STATUS_FLOPPY_UNKNOWN_ERROR},
+ {"NT_STATUS_FLOPPY_BAD_REGISTERS", NT_STATUS_FLOPPY_BAD_REGISTERS},
+ {"NT_STATUS_DISK_RECALIBRATE_FAILED",
+ NT_STATUS_DISK_RECALIBRATE_FAILED},
+ {"NT_STATUS_DISK_OPERATION_FAILED",
+ NT_STATUS_DISK_OPERATION_FAILED},
+ {"NT_STATUS_DISK_RESET_FAILED", NT_STATUS_DISK_RESET_FAILED},
+ {"NT_STATUS_SHARED_IRQ_BUSY", NT_STATUS_SHARED_IRQ_BUSY},
+ {"NT_STATUS_FT_ORPHANING", NT_STATUS_FT_ORPHANING},
+ {"NT_STATUS_PARTITION_FAILURE", NT_STATUS_PARTITION_FAILURE},
+ {"NT_STATUS_INVALID_BLOCK_LENGTH", NT_STATUS_INVALID_BLOCK_LENGTH},
+ {"NT_STATUS_DEVICE_NOT_PARTITIONED",
+ NT_STATUS_DEVICE_NOT_PARTITIONED},
+ {"NT_STATUS_UNABLE_TO_LOCK_MEDIA", NT_STATUS_UNABLE_TO_LOCK_MEDIA},
+ {"NT_STATUS_UNABLE_TO_UNLOAD_MEDIA",
+ NT_STATUS_UNABLE_TO_UNLOAD_MEDIA},
+ {"NT_STATUS_EOM_OVERFLOW", NT_STATUS_EOM_OVERFLOW},
+ {"NT_STATUS_NO_MEDIA", NT_STATUS_NO_MEDIA},
+ {"NT_STATUS_NO_SUCH_MEMBER", NT_STATUS_NO_SUCH_MEMBER},
+ {"NT_STATUS_INVALID_MEMBER", NT_STATUS_INVALID_MEMBER},
+ {"NT_STATUS_KEY_DELETED", NT_STATUS_KEY_DELETED},
+ {"NT_STATUS_NO_LOG_SPACE", NT_STATUS_NO_LOG_SPACE},
+ {"NT_STATUS_TOO_MANY_SIDS", NT_STATUS_TOO_MANY_SIDS},
+ {"NT_STATUS_LM_CROSS_ENCRYPTION_REQUIRED",
+ NT_STATUS_LM_CROSS_ENCRYPTION_REQUIRED},
+ {"NT_STATUS_KEY_HAS_CHILDREN", NT_STATUS_KEY_HAS_CHILDREN},
+ {"NT_STATUS_CHILD_MUST_BE_VOLATILE",
+ NT_STATUS_CHILD_MUST_BE_VOLATILE},
+ {"NT_STATUS_DEVICE_CONFIGURATION_ERROR",
+ NT_STATUS_DEVICE_CONFIGURATION_ERROR},
+ {"NT_STATUS_DRIVER_INTERNAL_ERROR",
+ NT_STATUS_DRIVER_INTERNAL_ERROR},
+ {"NT_STATUS_INVALID_DEVICE_STATE", NT_STATUS_INVALID_DEVICE_STATE},
+ {"NT_STATUS_IO_DEVICE_ERROR", NT_STATUS_IO_DEVICE_ERROR},
+ {"NT_STATUS_DEVICE_PROTOCOL_ERROR",
+ NT_STATUS_DEVICE_PROTOCOL_ERROR},
+ {"NT_STATUS_BACKUP_CONTROLLER", NT_STATUS_BACKUP_CONTROLLER},
+ {"NT_STATUS_LOG_FILE_FULL", NT_STATUS_LOG_FILE_FULL},
+ {"NT_STATUS_TOO_LATE", NT_STATUS_TOO_LATE},
+ {"NT_STATUS_NO_TRUST_LSA_SECRET", NT_STATUS_NO_TRUST_LSA_SECRET},
+ {"NT_STATUS_NO_TRUST_SAM_ACCOUNT", NT_STATUS_NO_TRUST_SAM_ACCOUNT},
+ {"NT_STATUS_TRUSTED_DOMAIN_FAILURE",
+ NT_STATUS_TRUSTED_DOMAIN_FAILURE},
+ {"NT_STATUS_TRUSTED_RELATIONSHIP_FAILURE",
+ NT_STATUS_TRUSTED_RELATIONSHIP_FAILURE},
+ {"NT_STATUS_EVENTLOG_FILE_CORRUPT",
+ NT_STATUS_EVENTLOG_FILE_CORRUPT},
+ {"NT_STATUS_EVENTLOG_CANT_START", NT_STATUS_EVENTLOG_CANT_START},
+ {"NT_STATUS_TRUST_FAILURE", NT_STATUS_TRUST_FAILURE},
+ {"NT_STATUS_MUTANT_LIMIT_EXCEEDED",
+ NT_STATUS_MUTANT_LIMIT_EXCEEDED},
+ {"NT_STATUS_NETLOGON_NOT_STARTED", NT_STATUS_NETLOGON_NOT_STARTED},
+ {"NT_STATUS_ACCOUNT_EXPIRED", NT_STATUS_ACCOUNT_EXPIRED},
+ {"NT_STATUS_POSSIBLE_DEADLOCK", NT_STATUS_POSSIBLE_DEADLOCK},
+ {"NT_STATUS_NETWORK_CREDENTIAL_CONFLICT",
+ NT_STATUS_NETWORK_CREDENTIAL_CONFLICT},
+ {"NT_STATUS_REMOTE_SESSION_LIMIT", NT_STATUS_REMOTE_SESSION_LIMIT},
+ {"NT_STATUS_EVENTLOG_FILE_CHANGED",
+ NT_STATUS_EVENTLOG_FILE_CHANGED},
+ {"NT_STATUS_NOLOGON_INTERDOMAIN_TRUST_ACCOUNT",
+ NT_STATUS_NOLOGON_INTERDOMAIN_TRUST_ACCOUNT},
+ {"NT_STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT",
+ NT_STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT},
+ {"NT_STATUS_NOLOGON_SERVER_TRUST_ACCOUNT",
+ NT_STATUS_NOLOGON_SERVER_TRUST_ACCOUNT},
+ {"NT_STATUS_DOMAIN_TRUST_INCONSISTENT",
+ NT_STATUS_DOMAIN_TRUST_INCONSISTENT},
+ {"NT_STATUS_FS_DRIVER_REQUIRED", NT_STATUS_FS_DRIVER_REQUIRED},
+ {"NT_STATUS_NO_USER_SESSION_KEY", NT_STATUS_NO_USER_SESSION_KEY},
+ {"NT_STATUS_USER_SESSION_DELETED", NT_STATUS_USER_SESSION_DELETED},
+ {"NT_STATUS_RESOURCE_LANG_NOT_FOUND",
+ NT_STATUS_RESOURCE_LANG_NOT_FOUND},
+ {"NT_STATUS_INSUFF_SERVER_RESOURCES",
+ NT_STATUS_INSUFF_SERVER_RESOURCES},
+ {"NT_STATUS_INVALID_BUFFER_SIZE", NT_STATUS_INVALID_BUFFER_SIZE},
+ {"NT_STATUS_INVALID_ADDRESS_COMPONENT",
+ NT_STATUS_INVALID_ADDRESS_COMPONENT},
+ {"NT_STATUS_INVALID_ADDRESS_WILDCARD",
+ NT_STATUS_INVALID_ADDRESS_WILDCARD},
+ {"NT_STATUS_TOO_MANY_ADDRESSES", NT_STATUS_TOO_MANY_ADDRESSES},
+ {"NT_STATUS_ADDRESS_ALREADY_EXISTS",
+ NT_STATUS_ADDRESS_ALREADY_EXISTS},
+ {"NT_STATUS_ADDRESS_CLOSED", NT_STATUS_ADDRESS_CLOSED},
+ {"NT_STATUS_CONNECTION_DISCONNECTED",
+ NT_STATUS_CONNECTION_DISCONNECTED},
+ {"NT_STATUS_CONNECTION_RESET", NT_STATUS_CONNECTION_RESET},
+ {"NT_STATUS_TOO_MANY_NODES", NT_STATUS_TOO_MANY_NODES},
+ {"NT_STATUS_TRANSACTION_ABORTED", NT_STATUS_TRANSACTION_ABORTED},
+ {"NT_STATUS_TRANSACTION_TIMED_OUT",
+ NT_STATUS_TRANSACTION_TIMED_OUT},
+ {"NT_STATUS_TRANSACTION_NO_RELEASE",
+ NT_STATUS_TRANSACTION_NO_RELEASE},
+ {"NT_STATUS_TRANSACTION_NO_MATCH", NT_STATUS_TRANSACTION_NO_MATCH},
+ {"NT_STATUS_TRANSACTION_RESPONDED",
+ NT_STATUS_TRANSACTION_RESPONDED},
+ {"NT_STATUS_TRANSACTION_INVALID_ID",
+ NT_STATUS_TRANSACTION_INVALID_ID},
+ {"NT_STATUS_TRANSACTION_INVALID_TYPE",
+ NT_STATUS_TRANSACTION_INVALID_TYPE},
+ {"NT_STATUS_NOT_SERVER_SESSION", NT_STATUS_NOT_SERVER_SESSION},
+ {"NT_STATUS_NOT_CLIENT_SESSION", NT_STATUS_NOT_CLIENT_SESSION},
+ {"NT_STATUS_CANNOT_LOAD_REGISTRY_FILE",
+ NT_STATUS_CANNOT_LOAD_REGISTRY_FILE},
+ {"NT_STATUS_DEBUG_ATTACH_FAILED", NT_STATUS_DEBUG_ATTACH_FAILED},
+ {"NT_STATUS_SYSTEM_PROCESS_TERMINATED",
+ NT_STATUS_SYSTEM_PROCESS_TERMINATED},
+ {"NT_STATUS_DATA_NOT_ACCEPTED", NT_STATUS_DATA_NOT_ACCEPTED},
+ {"NT_STATUS_NO_BROWSER_SERVERS_FOUND",
+ NT_STATUS_NO_BROWSER_SERVERS_FOUND},
+ {"NT_STATUS_VDM_HARD_ERROR", NT_STATUS_VDM_HARD_ERROR},
+ {"NT_STATUS_DRIVER_CANCEL_TIMEOUT",
+ NT_STATUS_DRIVER_CANCEL_TIMEOUT},
+ {"NT_STATUS_REPLY_MESSAGE_MISMATCH",
+ NT_STATUS_REPLY_MESSAGE_MISMATCH},
+ {"NT_STATUS_MAPPED_ALIGNMENT", NT_STATUS_MAPPED_ALIGNMENT},
+ {"NT_STATUS_IMAGE_CHECKSUM_MISMATCH",
+ NT_STATUS_IMAGE_CHECKSUM_MISMATCH},
+ {"NT_STATUS_LOST_WRITEBEHIND_DATA",
+ NT_STATUS_LOST_WRITEBEHIND_DATA},
+ {"NT_STATUS_CLIENT_SERVER_PARAMETERS_INVALID",
+ NT_STATUS_CLIENT_SERVER_PARAMETERS_INVALID},
+ {"NT_STATUS_PASSWORD_MUST_CHANGE", NT_STATUS_PASSWORD_MUST_CHANGE},
+ {"NT_STATUS_NOT_FOUND", NT_STATUS_NOT_FOUND},
+ {"NT_STATUS_NOT_TINY_STREAM", NT_STATUS_NOT_TINY_STREAM},
+ {"NT_STATUS_RECOVERY_FAILURE", NT_STATUS_RECOVERY_FAILURE},
+ {"NT_STATUS_STACK_OVERFLOW_READ", NT_STATUS_STACK_OVERFLOW_READ},
+ {"NT_STATUS_FAIL_CHECK", NT_STATUS_FAIL_CHECK},
+ {"NT_STATUS_DUPLICATE_OBJECTID", NT_STATUS_DUPLICATE_OBJECTID},
+ {"NT_STATUS_OBJECTID_EXISTS", NT_STATUS_OBJECTID_EXISTS},
+ {"NT_STATUS_CONVERT_TO_LARGE", NT_STATUS_CONVERT_TO_LARGE},
+ {"NT_STATUS_RETRY", NT_STATUS_RETRY},
+ {"NT_STATUS_FOUND_OUT_OF_SCOPE", NT_STATUS_FOUND_OUT_OF_SCOPE},
+ {"NT_STATUS_ALLOCATE_BUCKET", NT_STATUS_ALLOCATE_BUCKET},
+ {"NT_STATUS_PROPSET_NOT_FOUND", NT_STATUS_PROPSET_NOT_FOUND},
+ {"NT_STATUS_MARSHALL_OVERFLOW", NT_STATUS_MARSHALL_OVERFLOW},
+ {"NT_STATUS_INVALID_VARIANT", NT_STATUS_INVALID_VARIANT},
+ {"NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND",
+ NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND},
+ {"NT_STATUS_ACCOUNT_LOCKED_OUT", NT_STATUS_ACCOUNT_LOCKED_OUT},
+ {"NT_STATUS_HANDLE_NOT_CLOSABLE", NT_STATUS_HANDLE_NOT_CLOSABLE},
+ {"NT_STATUS_CONNECTION_REFUSED", NT_STATUS_CONNECTION_REFUSED},
+ {"NT_STATUS_GRACEFUL_DISCONNECT", NT_STATUS_GRACEFUL_DISCONNECT},
+ {"NT_STATUS_ADDRESS_ALREADY_ASSOCIATED",
+ NT_STATUS_ADDRESS_ALREADY_ASSOCIATED},
+ {"NT_STATUS_ADDRESS_NOT_ASSOCIATED",
+ NT_STATUS_ADDRESS_NOT_ASSOCIATED},
+ {"NT_STATUS_CONNECTION_INVALID", NT_STATUS_CONNECTION_INVALID},
+ {"NT_STATUS_CONNECTION_ACTIVE", NT_STATUS_CONNECTION_ACTIVE},
+ {"NT_STATUS_NETWORK_UNREACHABLE", NT_STATUS_NETWORK_UNREACHABLE},
+ {"NT_STATUS_HOST_UNREACHABLE", NT_STATUS_HOST_UNREACHABLE},
+ {"NT_STATUS_PROTOCOL_UNREACHABLE", NT_STATUS_PROTOCOL_UNREACHABLE},
+ {"NT_STATUS_PORT_UNREACHABLE", NT_STATUS_PORT_UNREACHABLE},
+ {"NT_STATUS_REQUEST_ABORTED", NT_STATUS_REQUEST_ABORTED},
+ {"NT_STATUS_CONNECTION_ABORTED", NT_STATUS_CONNECTION_ABORTED},
+ {"NT_STATUS_BAD_COMPRESSION_BUFFER",
+ NT_STATUS_BAD_COMPRESSION_BUFFER},
+ {"NT_STATUS_USER_MAPPED_FILE", NT_STATUS_USER_MAPPED_FILE},
+ {"NT_STATUS_AUDIT_FAILED", NT_STATUS_AUDIT_FAILED},
+ {"NT_STATUS_TIMER_RESOLUTION_NOT_SET",
+ NT_STATUS_TIMER_RESOLUTION_NOT_SET},
+ {"NT_STATUS_CONNECTION_COUNT_LIMIT",
+ NT_STATUS_CONNECTION_COUNT_LIMIT},
+ {"NT_STATUS_LOGIN_TIME_RESTRICTION",
+ NT_STATUS_LOGIN_TIME_RESTRICTION},
+ {"NT_STATUS_LOGIN_WKSTA_RESTRICTION",
+ NT_STATUS_LOGIN_WKSTA_RESTRICTION},
+ {"NT_STATUS_IMAGE_MP_UP_MISMATCH", NT_STATUS_IMAGE_MP_UP_MISMATCH},
+ {"NT_STATUS_INSUFFICIENT_LOGON_INFO",
+ NT_STATUS_INSUFFICIENT_LOGON_INFO},
+ {"NT_STATUS_BAD_DLL_ENTRYPOINT", NT_STATUS_BAD_DLL_ENTRYPOINT},
+ {"NT_STATUS_BAD_SERVICE_ENTRYPOINT",
+ NT_STATUS_BAD_SERVICE_ENTRYPOINT},
+ {"NT_STATUS_LPC_REPLY_LOST", NT_STATUS_LPC_REPLY_LOST},
+ {"NT_STATUS_IP_ADDRESS_CONFLICT1", NT_STATUS_IP_ADDRESS_CONFLICT1},
+ {"NT_STATUS_IP_ADDRESS_CONFLICT2", NT_STATUS_IP_ADDRESS_CONFLICT2},
+ {"NT_STATUS_REGISTRY_QUOTA_LIMIT", NT_STATUS_REGISTRY_QUOTA_LIMIT},
+ {"NT_STATUS_PATH_NOT_COVERED", NT_STATUS_PATH_NOT_COVERED},
+ {"NT_STATUS_NO_CALLBACK_ACTIVE", NT_STATUS_NO_CALLBACK_ACTIVE},
+ {"NT_STATUS_LICENSE_QUOTA_EXCEEDED",
+ NT_STATUS_LICENSE_QUOTA_EXCEEDED},
+ {"NT_STATUS_PWD_TOO_SHORT", NT_STATUS_PWD_TOO_SHORT},
+ {"NT_STATUS_PWD_TOO_RECENT", NT_STATUS_PWD_TOO_RECENT},
+ {"NT_STATUS_PWD_HISTORY_CONFLICT", NT_STATUS_PWD_HISTORY_CONFLICT},
+ {"NT_STATUS_PLUGPLAY_NO_DEVICE", NT_STATUS_PLUGPLAY_NO_DEVICE},
+ {"NT_STATUS_UNSUPPORTED_COMPRESSION",
+ NT_STATUS_UNSUPPORTED_COMPRESSION},
+ {"NT_STATUS_INVALID_HW_PROFILE", NT_STATUS_INVALID_HW_PROFILE},
+ {"NT_STATUS_INVALID_PLUGPLAY_DEVICE_PATH",
+ NT_STATUS_INVALID_PLUGPLAY_DEVICE_PATH},
+ {"NT_STATUS_DRIVER_ORDINAL_NOT_FOUND",
+ NT_STATUS_DRIVER_ORDINAL_NOT_FOUND},
+ {"NT_STATUS_DRIVER_ENTRYPOINT_NOT_FOUND",
+ NT_STATUS_DRIVER_ENTRYPOINT_NOT_FOUND},
+ {"NT_STATUS_RESOURCE_NOT_OWNED", NT_STATUS_RESOURCE_NOT_OWNED},
+ {"NT_STATUS_TOO_MANY_LINKS", NT_STATUS_TOO_MANY_LINKS},
+ {"NT_STATUS_QUOTA_LIST_INCONSISTENT",
+ NT_STATUS_QUOTA_LIST_INCONSISTENT},
+ {"NT_STATUS_FILE_IS_OFFLINE", NT_STATUS_FILE_IS_OFFLINE},
+ {"NT_STATUS_NO_MORE_ENTRIES", NT_STATUS_NO_MORE_ENTRIES},
+ {"NT_STATUS_MORE_ENTRIES", NT_STATUS_MORE_ENTRIES},
+ {"NT_STATUS_SOME_UNMAPPED", NT_STATUS_SOME_UNMAPPED},
+ {NULL, 0}
+};
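Review bot: every entry in the table that closes here at `{NULL, 0}` spells the status name twice by hand, once as the string and once as the macro, and nothing checks that the two halves agree, so a mistyped string would compile and report the wrong name for a code. A stringifying helper such as `#define NT_ERR(x) {#x, x}` would generate both halves from one token and would also remove the two-line wraps on the longer names. The terminator carries code 0, so any loop over the table should stop on a NULL `nt_errstr` and not on the code value.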
diff --git a/fs/cifsd/nterr.h b/fs/cifsd/nterr.h
new file mode 100644
index 000000000000..9f5004b69d30
--- /dev/null
+++ b/fs/cifsd/nterr.h
@@ -0,0 +1,552 @@
+/* SPDX-License-Identifier: GPL-2.0-or-later */
+/*
+ * Unix SMB/Netbios implementation.
+ * Version 1.9.
+ * NT error code constants
+ * Copyright (C) Andrew Tridgell 1992-2000
+ * Copyright (C) John H Terpstra 1996-2000
+ * Copyright (C) Luke Kenneth Casson Leighton 1996-2000
+ * Copyright (C) Paul Ashton 1998-2000
+ */
+
+
+
+#ifndef _NTERR_H
+#define _NTERR_H
+
+struct nt_err_code_struct {
+ char *nt_errstr;
+ __u32 nt_errcode;
+};
+
+extern const struct nt_err_code_struct nt_errs[];
+
+/* Win32 Status codes. */
+#define NT_STATUS_MORE_ENTRIES 0x0105
+#define NT_ERROR_INVALID_PARAMETER 0x0057
+#define NT_ERROR_INSUFFICIENT_BUFFER 0x007a
+#define NT_STATUS_1804 0x070c
+#define NT_STATUS_NOTIFY_ENUM_DIR 0x010c
+#define NT_STATUS_INVALID_LOCK_RANGE (0xC0000000 | 0x01a1)
+/*
+ * Win32 Error codes extracted using a loop in smbclient then printing a netmon
+ * sniff to a file.
+ */
+
+#define NT_STATUS_OK 0x0000
+#define NT_STATUS_SOME_UNMAPPED 0x0107
+#define NT_STATUS_BUFFER_OVERFLOW 0x80000005
+#define NT_STATUS_NO_MORE_ENTRIES 0x8000001a
+#define NT_STATUS_MEDIA_CHANGED 0x8000001c
+#define NT_STATUS_END_OF_MEDIA 0x8000001e
+#define NT_STATUS_MEDIA_CHECK 0x80000020
+#define NT_STATUS_NO_DATA_DETECTED 0x8000001c
+#define NT_STATUS_STOPPED_ON_SYMLINK 0x8000002d
+#define NT_STATUS_DEVICE_REQUIRES_CLEANING 0x80000288
+#define NT_STATUS_DEVICE_DOOR_OPEN 0x80000288
+#define NT_STATUS_UNSUCCESSFUL (0xC0000000 | 0x0001)
+#define NT_STATUS_NOT_IMPLEMENTED (0xC0000000 | 0x0002)
+#define NT_STATUS_INVALID_INFO_CLASS (0xC0000000 | 0x0003)
+#define NT_STATUS_INFO_LENGTH_MISMATCH (0xC0000000 | 0x0004)
+#define NT_STATUS_ACCESS_VIOLATION (0xC0000000 | 0x0005)
+#define NT_STATUS_IN_PAGE_ERROR (0xC0000000 | 0x0006)
+#define NT_STATUS_PAGEFILE_QUOTA (0xC0000000 | 0x0007)
+#define NT_STATUS_INVALID_HANDLE (0xC0000000 | 0x0008)
+#define NT_STATUS_BAD_INITIAL_STACK (0xC0000000 | 0x0009)
+#define NT_STATUS_BAD_INITIAL_PC (0xC0000000 | 0x000a)
+#define NT_STATUS_INVALID_CID (0xC0000000 | 0x000b)
+#define NT_STATUS_TIMER_NOT_CANCELED (0xC0000000 | 0x000c)
+#define NT_STATUS_INVALID_PARAMETER (0xC0000000 | 0x000d)
+#define NT_STATUS_NO_SUCH_DEVICE (0xC0000000 | 0x000e)
+#define NT_STATUS_NO_SUCH_FILE (0xC0000000 | 0x000f)
+#define NT_STATUS_INVALID_DEVICE_REQUEST (0xC0000000 | 0x0010)
+#define NT_STATUS_END_OF_FILE (0xC0000000 | 0x0011)
+#define NT_STATUS_WRONG_VOLUME (0xC0000000 | 0x0012)
+#define NT_STATUS_NO_MEDIA_IN_DEVICE (0xC0000000 | 0x0013)
+#define NT_STATUS_UNRECOGNIZED_MEDIA (0xC0000000 | 0x0014)
+#define NT_STATUS_NONEXISTENT_SECTOR (0xC0000000 | 0x0015)
+#define NT_STATUS_MORE_PROCESSING_REQUIRED (0xC0000000 | 0x0016)
+#define NT_STATUS_NO_MEMORY (0xC0000000 | 0x0017)
+#define NT_STATUS_CONFLICTING_ADDRESSES (0xC0000000 | 0x0018)
+#define NT_STATUS_NOT_MAPPED_VIEW (0xC0000000 | 0x0019)
+#define NT_STATUS_UNABLE_TO_FREE_VM (0x80000000 | 0x001a)
+#define NT_STATUS_UNABLE_TO_DELETE_SECTION (0xC0000000 | 0x001b)
+#define NT_STATUS_INVALID_SYSTEM_SERVICE (0xC0000000 | 0x001c)
+#define NT_STATUS_ILLEGAL_INSTRUCTION (0xC0000000 | 0x001d)
+#define NT_STATUS_INVALID_LOCK_SEQUENCE (0xC0000000 | 0x001e)
+#define NT_STATUS_INVALID_VIEW_SIZE (0xC0000000 | 0x001f)
+#define NT_STATUS_INVALID_FILE_FOR_SECTION (0xC0000000 | 0x0020)
+#define NT_STATUS_ALREADY_COMMITTED (0xC0000000 | 0x0021)
+#define NT_STATUS_ACCESS_DENIED (0xC0000000 | 0x0022)
+#define NT_STATUS_BUFFER_TOO_SMALL (0xC0000000 | 0x0023)
+#define NT_STATUS_OBJECT_TYPE_MISMATCH (0xC0000000 | 0x0024)
+#define NT_STATUS_NONCONTINUABLE_EXCEPTION (0xC0000000 | 0x0025)
+#define NT_STATUS_INVALID_DISPOSITION (0xC0000000 | 0x0026)
+#define NT_STATUS_UNWIND (0xC0000000 | 0x0027)
+#define NT_STATUS_BAD_STACK (0xC0000000 | 0x0028)
+#define NT_STATUS_INVALID_UNWIND_TARGET (0xC0000000 | 0x0029)
+#define NT_STATUS_NOT_LOCKED (0xC0000000 | 0x002a)
+#define NT_STATUS_PARITY_ERROR (0xC0000000 | 0x002b)
+#define NT_STATUS_UNABLE_TO_DECOMMIT_VM (0xC0000000 | 0x002c)
+#define NT_STATUS_NOT_COMMITTED (0xC0000000 | 0x002d)
+#define NT_STATUS_INVALID_PORT_ATTRIBUTES (0xC0000000 | 0x002e)
+#define NT_STATUS_PORT_MESSAGE_TOO_LONG (0xC0000000 | 0x002f)
+#define NT_STATUS_INVALID_PARAMETER_MIX (0xC0000000 | 0x0030)
+#define NT_STATUS_INVALID_QUOTA_LOWER (0xC0000000 | 0x0031)
+#define NT_STATUS_DISK_CORRUPT_ERROR (0xC0000000 | 0x0032)
+#define NT_STATUS_OBJECT_NAME_INVALID (0xC0000000 | 0x0033)
+#define NT_STATUS_OBJECT_NAME_NOT_FOUND (0xC0000000 | 0x0034)
+#define NT_STATUS_OBJECT_NAME_COLLISION (0xC0000000 | 0x0035)
+#define NT_STATUS_HANDLE_NOT_WAITABLE (0xC0000000 | 0x0036)
+#define NT_STATUS_PORT_DISCONNECTED (0xC0000000 | 0x0037)
+#define NT_STATUS_DEVICE_ALREADY_ATTACHED (0xC0000000 | 0x0038)
+#define NT_STATUS_OBJECT_PATH_INVALID (0xC0000000 | 0x0039)
+#define NT_STATUS_OBJECT_PATH_NOT_FOUND (0xC0000000 | 0x003a)
+#define NT_STATUS_OBJECT_PATH_SYNTAX_BAD (0xC0000000 | 0x003b)
+#define NT_STATUS_DATA_OVERRUN (0xC0000000 | 0x003c)
+#define NT_STATUS_DATA_LATE_ERROR (0xC0000000 | 0x003d)
+#define NT_STATUS_DATA_ERROR (0xC0000000 | 0x003e)
+#define NT_STATUS_CRC_ERROR (0xC0000000 | 0x003f)
+#define NT_STATUS_SECTION_TOO_BIG (0xC0000000 | 0x0040)
+#define NT_STATUS_PORT_CONNECTION_REFUSED (0xC0000000 | 0x0041)
+#define NT_STATUS_INVALID_PORT_HANDLE (0xC0000000 | 0x0042)
+#define NT_STATUS_SHARING_VIOLATION (0xC0000000 | 0x0043)
+#define NT_STATUS_QUOTA_EXCEEDED (0xC0000000 | 0x0044)
+#define NT_STATUS_INVALID_PAGE_PROTECTION (0xC0000000 | 0x0045)
+#define NT_STATUS_MUTANT_NOT_OWNED (0xC0000000 | 0x0046)
+#define NT_STATUS_SEMAPHORE_LIMIT_EXCEEDED (0xC0000000 | 0x0047)
+#define NT_STATUS_PORT_ALREADY_SET (0xC0000000 | 0x0048)
+#define NT_STATUS_SECTION_NOT_IMAGE (0xC0000000 | 0x0049)
+#define NT_STATUS_SUSPEND_COUNT_EXCEEDED (0xC0000000 | 0x004a)
+#define NT_STATUS_THREAD_IS_TERMINATING (0xC0000000 | 0x004b)
+#define NT_STATUS_BAD_WORKING_SET_LIMIT (0xC0000000 | 0x004c)
+#define NT_STATUS_INCOMPATIBLE_FILE_MAP (0xC0000000 | 0x004d)
+#define NT_STATUS_SECTION_PROTECTION (0xC0000000 | 0x004e)
+#define NT_STATUS_EAS_NOT_SUPPORTED (0xC0000000 | 0x004f)
+#define NT_STATUS_EA_TOO_LARGE (0xC0000000 | 0x0050)
+#define NT_STATUS_NONEXISTENT_EA_ENTRY (0xC0000000 | 0x0051)
+#define NT_STATUS_NO_EAS_ON_FILE (0xC0000000 | 0x0052)
+#define NT_STATUS_EA_CORRUPT_ERROR (0xC0000000 | 0x0053)
+#define NT_STATUS_FILE_LOCK_CONFLICT (0xC0000000 | 0x0054)
+#define NT_STATUS_LOCK_NOT_GRANTED (0xC0000000 | 0x0055)
+#define NT_STATUS_DELETE_PENDING (0xC0000000 | 0x0056)
+#define NT_STATUS_CTL_FILE_NOT_SUPPORTED (0xC0000000 | 0x0057)
+#define NT_STATUS_UNKNOWN_REVISION (0xC0000000 | 0x0058)
+#define NT_STATUS_REVISION_MISMATCH (0xC0000000 | 0x0059)
+#define NT_STATUS_INVALID_OWNER (0xC0000000 | 0x005a)
+#define NT_STATUS_INVALID_PRIMARY_GROUP (0xC0000000 | 0x005b)
+#define NT_STATUS_NO_IMPERSONATION_TOKEN (0xC0000000 | 0x005c)
+#define NT_STATUS_CANT_DISABLE_MANDATORY (0xC0000000 | 0x005d)
+#define NT_STATUS_NO_LOGON_SERVERS (0xC0000000 | 0x005e)
+#define NT_STATUS_NO_SUCH_LOGON_SESSION (0xC0000000 | 0x005f)
+#define NT_STATUS_NO_SUCH_PRIVILEGE (0xC0000000 | 0x0060)
+#define NT_STATUS_PRIVILEGE_NOT_HELD (0xC0000000 | 0x0061)
+#define NT_STATUS_INVALID_ACCOUNT_NAME (0xC0000000 | 0x0062)
+#define NT_STATUS_USER_EXISTS (0xC0000000 | 0x0063)
+#define NT_STATUS_NO_SUCH_USER (0xC0000000 | 0x0064)
+#define NT_STATUS_GROUP_EXISTS (0xC0000000 | 0x0065)
+#define NT_STATUS_NO_SUCH_GROUP (0xC0000000 | 0x0066)
+#define NT_STATUS_MEMBER_IN_GROUP (0xC0000000 | 0x0067)
+#define NT_STATUS_MEMBER_NOT_IN_GROUP (0xC0000000 | 0x0068)
+#define NT_STATUS_LAST_ADMIN (0xC0000000 | 0x0069)
+#define NT_STATUS_WRONG_PASSWORD (0xC0000000 | 0x006a)
+#define NT_STATUS_ILL_FORMED_PASSWORD (0xC0000000 | 0x006b)
+#define NT_STATUS_PASSWORD_RESTRICTION (0xC0000000 | 0x006c)
+#define NT_STATUS_LOGON_FAILURE (0xC0000000 | 0x006d)
+#define NT_STATUS_ACCOUNT_RESTRICTION (0xC0000000 | 0x006e)
+#define NT_STATUS_INVALID_LOGON_HOURS (0xC0000000 | 0x006f)
+#define NT_STATUS_INVALID_WORKSTATION (0xC0000000 | 0x0070)
+#define NT_STATUS_PASSWORD_EXPIRED (0xC0000000 | 0x0071)
+#define NT_STATUS_ACCOUNT_DISABLED (0xC0000000 | 0x0072)
+#define NT_STATUS_NONE_MAPPED (0xC0000000 | 0x0073)
+#define NT_STATUS_TOO_MANY_LUIDS_REQUESTED (0xC0000000 | 0x0074)
+#define NT_STATUS_LUIDS_EXHAUSTED (0xC0000000 | 0x0075)
+#define NT_STATUS_INVALID_SUB_AUTHORITY (0xC0000000 | 0x0076)
+#define NT_STATUS_INVALID_ACL (0xC0000000 | 0x0077)
+#define NT_STATUS_INVALID_SID (0xC0000000 | 0x0078)
+#define NT_STATUS_INVALID_SECURITY_DESCR (0xC0000000 | 0x0079)
+#define NT_STATUS_PROCEDURE_NOT_FOUND (0xC0000000 | 0x007a)
+#define NT_STATUS_INVALID_IMAGE_FORMAT (0xC0000000 | 0x007b)
+#define NT_STATUS_NO_TOKEN (0xC0000000 | 0x007c)
+#define NT_STATUS_BAD_INHERITANCE_ACL (0xC0000000 | 0x007d)
+#define NT_STATUS_RANGE_NOT_LOCKED (0xC0000000 | 0x007e)
+#define NT_STATUS_DISK_FULL (0xC0000000 | 0x007f)
+#define NT_STATUS_SERVER_DISABLED (0xC0000000 | 0x0080)
+#define NT_STATUS_SERVER_NOT_DISABLED (0xC0000000 | 0x0081)
+#define NT_STATUS_TOO_MANY_GUIDS_REQUESTED (0xC0000000 | 0x0082)
+#define NT_STATUS_GUIDS_EXHAUSTED (0xC0000000 | 0x0083)
+#define NT_STATUS_INVALID_ID_AUTHORITY (0xC0000000 | 0x0084)
+#define NT_STATUS_AGENTS_EXHAUSTED (0xC0000000 | 0x0085)
+#define NT_STATUS_INVALID_VOLUME_LABEL (0xC0000000 | 0x0086)
+#define NT_STATUS_SECTION_NOT_EXTENDED (0xC0000000 | 0x0087)
+#define NT_STATUS_NOT_MAPPED_DATA (0xC0000000 | 0x0088)
+#define NT_STATUS_RESOURCE_DATA_NOT_FOUND (0xC0000000 | 0x0089)
+#define NT_STATUS_RESOURCE_TYPE_NOT_FOUND (0xC0000000 | 0x008a)
+#define NT_STATUS_RESOURCE_NAME_NOT_FOUND (0xC0000000 | 0x008b)
+#define NT_STATUS_ARRAY_BOUNDS_EXCEEDED (0xC0000000 | 0x008c)
+#define NT_STATUS_FLOAT_DENORMAL_OPERAND (0xC0000000 | 0x008d)
+#define NT_STATUS_FLOAT_DIVIDE_BY_ZERO (0xC0000000 | 0x008e)
+#define NT_STATUS_FLOAT_INEXACT_RESULT (0xC0000000 | 0x008f)
+#define NT_STATUS_FLOAT_INVALID_OPERATION (0xC0000000 | 0x0090)
+#define NT_STATUS_FLOAT_OVERFLOW (0xC0000000 | 0x0091)
+#define NT_STATUS_FLOAT_STACK_CHECK (0xC0000000 | 0x0092)
+#define NT_STATUS_FLOAT_UNDERFLOW (0xC0000000 | 0x0093)
+#define NT_STATUS_INTEGER_DIVIDE_BY_ZERO (0xC0000000 | 0x0094)
+#define NT_STATUS_INTEGER_OVERFLOW (0xC0000000 | 0x0095)
+#define NT_STATUS_PRIVILEGED_INSTRUCTION (0xC0000000 | 0x0096)
+#define NT_STATUS_TOO_MANY_PAGING_FILES (0xC0000000 | 0x0097)
+#define NT_STATUS_FILE_INVALID (0xC0000000 | 0x0098)
+#define NT_STATUS_ALLOTTED_SPACE_EXCEEDED (0xC0000000 | 0x0099)
+#define NT_STATUS_INSUFFICIENT_RESOURCES (0xC0000000 | 0x009a)
+#define NT_STATUS_DFS_EXIT_PATH_FOUND (0xC0000000 | 0x009b)
+#define NT_STATUS_DEVICE_DATA_ERROR (0xC0000000 | 0x009c)
+#define NT_STATUS_DEVICE_NOT_CONNECTED (0xC0000000 | 0x009d)
+#define NT_STATUS_DEVICE_POWER_FAILURE (0xC0000000 | 0x009e)
+#define NT_STATUS_FREE_VM_NOT_AT_BASE (0xC0000000 | 0x009f)
+#define NT_STATUS_MEMORY_NOT_ALLOCATED (0xC0000000 | 0x00a0)
+#define NT_STATUS_WORKING_SET_QUOTA (0xC0000000 | 0x00a1)
+#define NT_STATUS_MEDIA_WRITE_PROTECTED (0xC0000000 | 0x00a2)
+#define NT_STATUS_DEVICE_NOT_READY (0xC0000000 | 0x00a3)
+#define NT_STATUS_INVALID_GROUP_ATTRIBUTES (0xC0000000 | 0x00a4)
+#define NT_STATUS_BAD_IMPERSONATION_LEVEL (0xC0000000 | 0x00a5)
+#define NT_STATUS_CANT_OPEN_ANONYMOUS (0xC0000000 | 0x00a6)
+#define NT_STATUS_BAD_VALIDATION_CLASS (0xC0000000 | 0x00a7)
+#define NT_STATUS_BAD_TOKEN_TYPE (0xC0000000 | 0x00a8)
+#define NT_STATUS_BAD_MASTER_BOOT_RECORD (0xC0000000 | 0x00a9)
+#define NT_STATUS_INSTRUCTION_MISALIGNMENT (0xC0000000 | 0x00aa)
+#define NT_STATUS_INSTANCE_NOT_AVAILABLE (0xC0000000 | 0x00ab)
+#define NT_STATUS_PIPE_NOT_AVAILABLE (0xC0000000 | 0x00ac)
+#define NT_STATUS_INVALID_PIPE_STATE (0xC0000000 | 0x00ad)
+#define NT_STATUS_PIPE_BUSY (0xC0000000 | 0x00ae)
+#define NT_STATUS_ILLEGAL_FUNCTION (0xC0000000 | 0x00af)
+#define NT_STATUS_PIPE_DISCONNECTED (0xC0000000 | 0x00b0)
+#define NT_STATUS_PIPE_CLOSING (0xC0000000 | 0x00b1)
+#define NT_STATUS_PIPE_CONNECTED (0xC0000000 | 0x00b2)
+#define NT_STATUS_PIPE_LISTENING (0xC0000000 | 0x00b3)
+#define NT_STATUS_INVALID_READ_MODE (0xC0000000 | 0x00b4)
+#define NT_STATUS_IO_TIMEOUT (0xC0000000 | 0x00b5)
+#define NT_STATUS_FILE_FORCED_CLOSED (0xC0000000 | 0x00b6)
+#define NT_STATUS_PROFILING_NOT_STARTED (0xC0000000 | 0x00b7)
+#define NT_STATUS_PROFILING_NOT_STOPPED (0xC0000000 | 0x00b8)
+#define NT_STATUS_COULD_NOT_INTERPRET (0xC0000000 | 0x00b9)
+#define NT_STATUS_FILE_IS_A_DIRECTORY (0xC0000000 | 0x00ba)
+#define NT_STATUS_NOT_SUPPORTED (0xC0000000 | 0x00bb)
+#define NT_STATUS_REMOTE_NOT_LISTENING (0xC0000000 | 0x00bc)
+#define NT_STATUS_DUPLICATE_NAME (0xC0000000 | 0x00bd)
+#define NT_STATUS_BAD_NETWORK_PATH (0xC0000000 | 0x00be)
+#define NT_STATUS_NETWORK_BUSY (0xC0000000 | 0x00bf)
+#define NT_STATUS_DEVICE_DOES_NOT_EXIST (0xC0000000 | 0x00c0)
+#define NT_STATUS_TOO_MANY_COMMANDS (0xC0000000 | 0x00c1)
+#define NT_STATUS_ADAPTER_HARDWARE_ERROR (0xC0000000 | 0x00c2)
+#define NT_STATUS_INVALID_NETWORK_RESPONSE (0xC0000000 | 0x00c3)
+#define NT_STATUS_UNEXPECTED_NETWORK_ERROR (0xC0000000 | 0x00c4)
+#define NT_STATUS_BAD_REMOTE_ADAPTER (0xC0000000 | 0x00c5)
+#define NT_STATUS_PRINT_QUEUE_FULL (0xC0000000 | 0x00c6)
+#define NT_STATUS_NO_SPOOL_SPACE (0xC0000000 | 0x00c7)
+#define NT_STATUS_PRINT_CANCELLED (0xC0000000 | 0x00c8)
+#define NT_STATUS_NETWORK_NAME_DELETED (0xC0000000 | 0x00c9)
+#define NT_STATUS_NETWORK_ACCESS_DENIED (0xC0000000 | 0x00ca)
+#define NT_STATUS_BAD_DEVICE_TYPE (0xC0000000 | 0x00cb)
+#define NT_STATUS_BAD_NETWORK_NAME (0xC0000000 | 0x00cc)
+#define NT_STATUS_TOO_MANY_NAMES (0xC0000000 | 0x00cd)
+#define NT_STATUS_TOO_MANY_SESSIONS (0xC0000000 | 0x00ce)
+#define NT_STATUS_SHARING_PAUSED (0xC0000000 | 0x00cf)
+#define NT_STATUS_REQUEST_NOT_ACCEPTED (0xC0000000 | 0x00d0)
+#define NT_STATUS_REDIRECTOR_PAUSED (0xC0000000 | 0x00d1)
+#define NT_STATUS_NET_WRITE_FAULT (0xC0000000 | 0x00d2)
+#define NT_STATUS_PROFILING_AT_LIMIT (0xC0000000 | 0x00d3)
+#define NT_STATUS_NOT_SAME_DEVICE (0xC0000000 | 0x00d4)
+#define NT_STATUS_FILE_RENAMED (0xC0000000 | 0x00d5)
+#define NT_STATUS_VIRTUAL_CIRCUIT_CLOSED (0xC0000000 | 0x00d6)
+#define NT_STATUS_NO_SECURITY_ON_OBJECT (0xC0000000 | 0x00d7)
+#define NT_STATUS_CANT_WAIT (0xC0000000 | 0x00d8)
+#define NT_STATUS_PIPE_EMPTY (0xC0000000 | 0x00d9)
+#define NT_STATUS_CANT_ACCESS_DOMAIN_INFO (0xC0000000 | 0x00da)
+#define NT_STATUS_CANT_TERMINATE_SELF (0xC0000000 | 0x00db)
+#define NT_STATUS_INVALID_SERVER_STATE (0xC0000000 | 0x00dc)
+#define NT_STATUS_INVALID_DOMAIN_STATE (0xC0000000 | 0x00dd)
+#define NT_STATUS_INVALID_DOMAIN_ROLE (0xC0000000 | 0x00de)
+#define NT_STATUS_NO_SUCH_DOMAIN (0xC0000000 | 0x00df)
+#define NT_STATUS_DOMAIN_EXISTS (0xC0000000 | 0x00e0)
+#define NT_STATUS_DOMAIN_LIMIT_EXCEEDED (0xC0000000 | 0x00e1)
+#define NT_STATUS_OPLOCK_NOT_GRANTED (0xC0000000 | 0x00e2)
+#define NT_STATUS_INVALID_OPLOCK_PROTOCOL (0xC0000000 | 0x00e3)
+#define NT_STATUS_INTERNAL_DB_CORRUPTION (0xC0000000 | 0x00e4)
+#define NT_STATUS_INTERNAL_ERROR (0xC0000000 | 0x00e5)
+#define NT_STATUS_GENERIC_NOT_MAPPED (0xC0000000 | 0x00e6)
+#define NT_STATUS_BAD_DESCRIPTOR_FORMAT (0xC0000000 | 0x00e7)
+#define NT_STATUS_INVALID_USER_BUFFER (0xC0000000 | 0x00e8)
+#define NT_STATUS_UNEXPECTED_IO_ERROR (0xC0000000 | 0x00e9)
+#define NT_STATUS_UNEXPECTED_MM_CREATE_ERR (0xC0000000 | 0x00ea)
+#define NT_STATUS_UNEXPECTED_MM_MAP_ERROR (0xC0000000 | 0x00eb)
+#define NT_STATUS_UNEXPECTED_MM_EXTEND_ERR (0xC0000000 | 0x00ec)
+#define NT_STATUS_NOT_LOGON_PROCESS (0xC0000000 | 0x00ed)
+#define NT_STATUS_LOGON_SESSION_EXISTS (0xC0000000 | 0x00ee)
+#define NT_STATUS_INVALID_PARAMETER_1 (0xC0000000 | 0x00ef)
+#define NT_STATUS_INVALID_PARAMETER_2 (0xC0000000 | 0x00f0)
+#define NT_STATUS_INVALID_PARAMETER_3 (0xC0000000 | 0x00f1)
+#define NT_STATUS_INVALID_PARAMETER_4 (0xC0000000 | 0x00f2)
+#define NT_STATUS_INVALID_PARAMETER_5 (0xC0000000 | 0x00f3)
+#define NT_STATUS_INVALID_PARAMETER_6 (0xC0000000 | 0x00f4)
+#define NT_STATUS_INVALID_PARAMETER_7 (0xC0000000 | 0x00f5)
+#define NT_STATUS_INVALID_PARAMETER_8 (0xC0000000 | 0x00f6)
+#define NT_STATUS_INVALID_PARAMETER_9 (0xC0000000 | 0x00f7)
+#define NT_STATUS_INVALID_PARAMETER_10 (0xC0000000 | 0x00f8)
+#define NT_STATUS_INVALID_PARAMETER_11 (0xC0000000 | 0x00f9)
+#define NT_STATUS_INVALID_PARAMETER_12 (0xC0000000 | 0x00fa)
+#define NT_STATUS_REDIRECTOR_NOT_STARTED (0xC0000000 | 0x00fb)
+#define NT_STATUS_REDIRECTOR_STARTED (0xC0000000 | 0x00fc)
+#define NT_STATUS_STACK_OVERFLOW (0xC0000000 | 0x00fd)
+#define NT_STATUS_NO_SUCH_PACKAGE (0xC0000000 | 0x00fe)
+#define NT_STATUS_BAD_FUNCTION_TABLE (0xC0000000 | 0x00ff)
+#define NT_STATUS_DIRECTORY_NOT_EMPTY (0xC0000000 | 0x0101)
+#define NT_STATUS_FILE_CORRUPT_ERROR (0xC0000000 | 0x0102)
+#define NT_STATUS_NOT_A_DIRECTORY (0xC0000000 | 0x0103)
+#define NT_STATUS_BAD_LOGON_SESSION_STATE (0xC0000000 | 0x0104)
+#define NT_STATUS_LOGON_SESSION_COLLISION (0xC0000000 | 0x0105)
+#define NT_STATUS_NAME_TOO_LONG (0xC0000000 | 0x0106)
+#define NT_STATUS_FILES_OPEN (0xC0000000 | 0x0107)
+#define NT_STATUS_CONNECTION_IN_USE (0xC0000000 | 0x0108)
+#define NT_STATUS_MESSAGE_NOT_FOUND (0xC0000000 | 0x0109)
+#define NT_STATUS_PROCESS_IS_TERMINATING (0xC0000000 | 0x010a)
+#define NT_STATUS_INVALID_LOGON_TYPE (0xC0000000 | 0x010b)
+#define NT_STATUS_NO_GUID_TRANSLATION (0xC0000000 | 0x010c)
+#define NT_STATUS_CANNOT_IMPERSONATE (0xC0000000 | 0x010d)
+#define NT_STATUS_IMAGE_ALREADY_LOADED (0xC0000000 | 0x010e)
+#define NT_STATUS_ABIOS_NOT_PRESENT (0xC0000000 | 0x010f)
+#define NT_STATUS_ABIOS_LID_NOT_EXIST (0xC0000000 | 0x0110)
+#define NT_STATUS_ABIOS_LID_ALREADY_OWNED (0xC0000000 | 0x0111)
+#define NT_STATUS_ABIOS_NOT_LID_OWNER (0xC0000000 | 0x0112)
+#define NT_STATUS_ABIOS_INVALID_COMMAND (0xC0000000 | 0x0113)
+#define NT_STATUS_ABIOS_INVALID_LID (0xC0000000 | 0x0114)
+#define NT_STATUS_ABIOS_SELECTOR_NOT_AVAILABLE (0xC0000000 | 0x0115)
+#define NT_STATUS_ABIOS_INVALID_SELECTOR (0xC0000000 | 0x0116)
+#define NT_STATUS_NO_LDT (0xC0000000 | 0x0117)
+#define NT_STATUS_INVALID_LDT_SIZE (0xC0000000 | 0x0118)
+#define NT_STATUS_INVALID_LDT_OFFSET (0xC0000000 | 0x0119)
+#define NT_STATUS_INVALID_LDT_DESCRIPTOR (0xC0000000 | 0x011a)
+#define NT_STATUS_INVALID_IMAGE_NE_FORMAT (0xC0000000 | 0x011b)
+#define NT_STATUS_RXACT_INVALID_STATE (0xC0000000 | 0x011c)
+#define NT_STATUS_RXACT_COMMIT_FAILURE (0xC0000000 | 0x011d)
+#define NT_STATUS_MAPPED_FILE_SIZE_ZERO (0xC0000000 | 0x011e)
+#define NT_STATUS_TOO_MANY_OPENED_FILES (0xC0000000 | 0x011f)
+#define NT_STATUS_CANCELLED (0xC0000000 | 0x0120)
+#define NT_STATUS_CANNOT_DELETE (0xC0000000 | 0x0121)
+#define NT_STATUS_INVALID_COMPUTER_NAME (0xC0000000 | 0x0122)
+#define NT_STATUS_FILE_DELETED (0xC0000000 | 0x0123)
+#define NT_STATUS_SPECIAL_ACCOUNT (0xC0000000 | 0x0124)
+#define NT_STATUS_SPECIAL_GROUP (0xC0000000 | 0x0125)
+#define NT_STATUS_SPECIAL_USER (0xC0000000 | 0x0126)
+#define NT_STATUS_MEMBERS_PRIMARY_GROUP (0xC0000000 | 0x0127)
+#define NT_STATUS_FILE_CLOSED (0xC0000000 | 0x0128)
+#define NT_STATUS_TOO_MANY_THREADS (0xC0000000 | 0x0129)
+#define NT_STATUS_THREAD_NOT_IN_PROCESS (0xC0000000 | 0x012a)
+#define NT_STATUS_TOKEN_ALREADY_IN_USE (0xC0000000 | 0x012b)
+#define NT_STATUS_PAGEFILE_QUOTA_EXCEEDED (0xC0000000 | 0x012c)
+#define NT_STATUS_COMMITMENT_LIMIT (0xC0000000 | 0x012d)
+#define NT_STATUS_INVALID_IMAGE_LE_FORMAT (0xC0000000 | 0x012e)
+#define NT_STATUS_INVALID_IMAGE_NOT_MZ (0xC0000000 | 0x012f)
+#define NT_STATUS_INVALID_IMAGE_PROTECT (0xC0000000 | 0x0130)
+#define NT_STATUS_INVALID_IMAGE_WIN_16 (0xC0000000 | 0x0131)
+#define NT_STATUS_LOGON_SERVER_CONFLICT (0xC0000000 | 0x0132)
+#define NT_STATUS_TIME_DIFFERENCE_AT_DC (0xC0000000 | 0x0133)
+#define NT_STATUS_SYNCHRONIZATION_REQUIRED (0xC0000000 | 0x0134)
+#define NT_STATUS_DLL_NOT_FOUND (0xC0000000 | 0x0135)
+#define NT_STATUS_OPEN_FAILED (0xC0000000 | 0x0136)
+#define NT_STATUS_IO_PRIVILEGE_FAILED (0xC0000000 | 0x0137)
+#define NT_STATUS_ORDINAL_NOT_FOUND (0xC0000000 | 0x0138)
+#define NT_STATUS_ENTRYPOINT_NOT_FOUND (0xC0000000 | 0x0139)
+#define NT_STATUS_CONTROL_C_EXIT (0xC0000000 | 0x013a)
+#define NT_STATUS_LOCAL_DISCONNECT (0xC0000000 | 0x013b)
+#define NT_STATUS_REMOTE_DISCONNECT (0xC0000000 | 0x013c)
+#define NT_STATUS_REMOTE_RESOURCES (0xC0000000 | 0x013d)
+#define NT_STATUS_LINK_FAILED (0xC0000000 | 0x013e)
+#define NT_STATUS_LINK_TIMEOUT (0xC0000000 | 0x013f)
+#define NT_STATUS_INVALID_CONNECTION (0xC0000000 | 0x0140)
+#define NT_STATUS_INVALID_ADDRESS (0xC0000000 | 0x0141)
+#define NT_STATUS_DLL_INIT_FAILED (0xC0000000 | 0x0142)
+#define NT_STATUS_MISSING_SYSTEMFILE (0xC0000000 | 0x0143)
+#define NT_STATUS_UNHANDLED_EXCEPTION (0xC0000000 | 0x0144)
+#define NT_STATUS_APP_INIT_FAILURE (0xC0000000 | 0x0145)
+#define NT_STATUS_PAGEFILE_CREATE_FAILED (0xC0000000 | 0x0146)
+#define NT_STATUS_NO_PAGEFILE (0xC0000000 | 0x0147)
+#define NT_STATUS_INVALID_LEVEL (0xC0000000 | 0x0148)
+#define NT_STATUS_WRONG_PASSWORD_CORE (0xC0000000 | 0x0149)
+#define NT_STATUS_ILLEGAL_FLOAT_CONTEXT (0xC0000000 | 0x014a)
+#define NT_STATUS_PIPE_BROKEN (0xC0000000 | 0x014b)
+#define NT_STATUS_REGISTRY_CORRUPT (0xC0000000 | 0x014c)
+#define NT_STATUS_REGISTRY_IO_FAILED (0xC0000000 | 0x014d)
+#define NT_STATUS_NO_EVENT_PAIR (0xC0000000 | 0x014e)
+#define NT_STATUS_UNRECOGNIZED_VOLUME (0xC0000000 | 0x014f)
+#define NT_STATUS_SERIAL_NO_DEVICE_INITED (0xC0000000 | 0x0150)
+#define NT_STATUS_NO_SUCH_ALIAS (0xC0000000 | 0x0151)
+#define NT_STATUS_MEMBER_NOT_IN_ALIAS (0xC0000000 | 0x0152)
+#define NT_STATUS_MEMBER_IN_ALIAS (0xC0000000 | 0x0153)
+#define NT_STATUS_ALIAS_EXISTS (0xC0000000 | 0x0154)
+#define NT_STATUS_LOGON_NOT_GRANTED (0xC0000000 | 0x0155)
+#define NT_STATUS_TOO_MANY_SECRETS (0xC0000000 | 0x0156)
+#define NT_STATUS_SECRET_TOO_LONG (0xC0000000 | 0x0157)
+#define NT_STATUS_INTERNAL_DB_ERROR (0xC0000000 | 0x0158)
+#define NT_STATUS_FULLSCREEN_MODE (0xC0000000 | 0x0159)
+#define NT_STATUS_TOO_MANY_CONTEXT_IDS (0xC0000000 | 0x015a)
+#define NT_STATUS_LOGON_TYPE_NOT_GRANTED (0xC0000000 | 0x015b)
+#define NT_STATUS_NOT_REGISTRY_FILE (0xC0000000 | 0x015c)
+#define NT_STATUS_NT_CROSS_ENCRYPTION_REQUIRED (0xC0000000 | 0x015d)
+#define NT_STATUS_DOMAIN_CTRLR_CONFIG_ERROR (0xC0000000 | 0x015e)
+#define NT_STATUS_FT_MISSING_MEMBER (0xC0000000 | 0x015f)
+#define NT_STATUS_ILL_FORMED_SERVICE_ENTRY (0xC0000000 | 0x0160)
+#define NT_STATUS_ILLEGAL_CHARACTER (0xC0000000 | 0x0161)
+#define NT_STATUS_UNMAPPABLE_CHARACTER (0xC0000000 | 0x0162)
+#define NT_STATUS_UNDEFINED_CHARACTER (0xC0000000 | 0x0163)
+#define NT_STATUS_FLOPPY_VOLUME (0xC0000000 | 0x0164)
+#define NT_STATUS_FLOPPY_ID_MARK_NOT_FOUND (0xC0000000 | 0x0165)
+#define NT_STATUS_FLOPPY_WRONG_CYLINDER (0xC0000000 | 0x0166)
+#define NT_STATUS_FLOPPY_UNKNOWN_ERROR (0xC0000000 | 0x0167)
+#define NT_STATUS_FLOPPY_BAD_REGISTERS (0xC0000000 | 0x0168)
+#define NT_STATUS_DISK_RECALIBRATE_FAILED (0xC0000000 | 0x0169)
+#define NT_STATUS_DISK_OPERATION_FAILED (0xC0000000 | 0x016a)
+#define NT_STATUS_DISK_RESET_FAILED (0xC0000000 | 0x016b)
+#define NT_STATUS_SHARED_IRQ_BUSY (0xC0000000 | 0x016c)
+#define NT_STATUS_FT_ORPHANING (0xC0000000 | 0x016d)
+#define NT_STATUS_PARTITION_FAILURE (0xC0000000 | 0x0172)
+#define NT_STATUS_INVALID_BLOCK_LENGTH (0xC0000000 | 0x0173)
+#define NT_STATUS_DEVICE_NOT_PARTITIONED (0xC0000000 | 0x0174)
+#define NT_STATUS_UNABLE_TO_LOCK_MEDIA (0xC0000000 | 0x0175)
+#define NT_STATUS_UNABLE_TO_UNLOAD_MEDIA (0xC0000000 | 0x0176)
+#define NT_STATUS_EOM_OVERFLOW (0xC0000000 | 0x0177)
+#define NT_STATUS_NO_MEDIA (0xC0000000 | 0x0178)
+#define NT_STATUS_NO_SUCH_MEMBER (0xC0000000 | 0x017a)
+#define NT_STATUS_INVALID_MEMBER (0xC0000000 | 0x017b)
+#define NT_STATUS_KEY_DELETED (0xC0000000 | 0x017c)
+#define NT_STATUS_NO_LOG_SPACE (0xC0000000 | 0x017d)
+#define NT_STATUS_TOO_MANY_SIDS (0xC0000000 | 0x017e)
+#define NT_STATUS_LM_CROSS_ENCRYPTION_REQUIRED (0xC0000000 | 0x017f)
+#define NT_STATUS_KEY_HAS_CHILDREN (0xC0000000 | 0x0180)
+#define NT_STATUS_CHILD_MUST_BE_VOLATILE (0xC0000000 | 0x0181)
+#define NT_STATUS_DEVICE_CONFIGURATION_ERROR (0xC0000000 | 0x0182)
+#define NT_STATUS_DRIVER_INTERNAL_ERROR (0xC0000000 | 0x0183)
+#define NT_STATUS_INVALID_DEVICE_STATE (0xC0000000 | 0x0184)
+#define NT_STATUS_IO_DEVICE_ERROR (0xC0000000 | 0x0185)
+#define NT_STATUS_DEVICE_PROTOCOL_ERROR (0xC0000000 | 0x0186)
+#define NT_STATUS_BACKUP_CONTROLLER (0xC0000000 | 0x0187)
+#define NT_STATUS_LOG_FILE_FULL (0xC0000000 | 0x0188)
+#define NT_STATUS_TOO_LATE (0xC0000000 | 0x0189)
+#define NT_STATUS_NO_TRUST_LSA_SECRET (0xC0000000 | 0x018a)
+#define NT_STATUS_NO_TRUST_SAM_ACCOUNT (0xC0000000 | 0x018b)
+#define NT_STATUS_TRUSTED_DOMAIN_FAILURE (0xC0000000 | 0x018c)
+#define NT_STATUS_TRUSTED_RELATIONSHIP_FAILURE (0xC0000000 | 0x018d)
+#define NT_STATUS_EVENTLOG_FILE_CORRUPT (0xC0000000 | 0x018e)
+#define NT_STATUS_EVENTLOG_CANT_START (0xC0000000 | 0x018f)
+#define NT_STATUS_TRUST_FAILURE (0xC0000000 | 0x0190)
+#define NT_STATUS_MUTANT_LIMIT_EXCEEDED (0xC0000000 | 0x0191)
+#define NT_STATUS_NETLOGON_NOT_STARTED (0xC0000000 | 0x0192)
+#define NT_STATUS_ACCOUNT_EXPIRED (0xC0000000 | 0x0193)
+#define NT_STATUS_POSSIBLE_DEADLOCK (0xC0000000 | 0x0194)
+#define NT_STATUS_NETWORK_CREDENTIAL_CONFLICT (0xC0000000 | 0x0195)
+#define NT_STATUS_REMOTE_SESSION_LIMIT (0xC0000000 | 0x0196)
+#define NT_STATUS_EVENTLOG_FILE_CHANGED (0xC0000000 | 0x0197)
+#define NT_STATUS_NOLOGON_INTERDOMAIN_TRUST_ACCOUNT (0xC0000000 | 0x0198)
+#define NT_STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT (0xC0000000 | 0x0199)
+#define NT_STATUS_NOLOGON_SERVER_TRUST_ACCOUNT (0xC0000000 | 0x019a)
+#define NT_STATUS_DOMAIN_TRUST_INCONSISTENT (0xC0000000 | 0x019b)
+#define NT_STATUS_FS_DRIVER_REQUIRED (0xC0000000 | 0x019c)
+#define NT_STATUS_NO_USER_SESSION_KEY (0xC0000000 | 0x0202)
+#define NT_STATUS_USER_SESSION_DELETED (0xC0000000 | 0x0203)
+#define NT_STATUS_RESOURCE_LANG_NOT_FOUND (0xC0000000 | 0x0204)
+#define NT_STATUS_INSUFF_SERVER_RESOURCES (0xC0000000 | 0x0205)
+#define NT_STATUS_INVALID_BUFFER_SIZE (0xC0000000 | 0x0206)
+#define NT_STATUS_INVALID_ADDRESS_COMPONENT (0xC0000000 | 0x0207)
+#define NT_STATUS_INVALID_ADDRESS_WILDCARD (0xC0000000 | 0x0208)
+#define NT_STATUS_TOO_MANY_ADDRESSES (0xC0000000 | 0x0209)
+#define NT_STATUS_ADDRESS_ALREADY_EXISTS (0xC0000000 | 0x020a)
+#define NT_STATUS_ADDRESS_CLOSED (0xC0000000 | 0x020b)
+#define NT_STATUS_CONNECTION_DISCONNECTED (0xC0000000 | 0x020c)
+#define NT_STATUS_CONNECTION_RESET (0xC0000000 | 0x020d)
+#define NT_STATUS_TOO_MANY_NODES (0xC0000000 | 0x020e)
+#define NT_STATUS_TRANSACTION_ABORTED (0xC0000000 | 0x020f)
+#define NT_STATUS_TRANSACTION_TIMED_OUT (0xC0000000 | 0x0210)
+#define NT_STATUS_TRANSACTION_NO_RELEASE (0xC0000000 | 0x0211)
+#define NT_STATUS_TRANSACTION_NO_MATCH (0xC0000000 | 0x0212)
+#define NT_STATUS_TRANSACTION_RESPONDED (0xC0000000 | 0x0213)
+#define NT_STATUS_TRANSACTION_INVALID_ID (0xC0000000 | 0x0214)
+#define NT_STATUS_TRANSACTION_INVALID_TYPE (0xC0000000 | 0x0215)
+#define NT_STATUS_NOT_SERVER_SESSION (0xC0000000 | 0x0216)
+#define NT_STATUS_NOT_CLIENT_SESSION (0xC0000000 | 0x0217)
+#define NT_STATUS_CANNOT_LOAD_REGISTRY_FILE (0xC0000000 | 0x0218)
+#define NT_STATUS_DEBUG_ATTACH_FAILED (0xC0000000 | 0x0219)
+#define NT_STATUS_SYSTEM_PROCESS_TERMINATED (0xC0000000 | 0x021a)
+#define NT_STATUS_DATA_NOT_ACCEPTED (0xC0000000 | 0x021b)
+#define NT_STATUS_NO_BROWSER_SERVERS_FOUND (0xC0000000 | 0x021c)
+#define NT_STATUS_VDM_HARD_ERROR (0xC0000000 | 0x021d)
+#define NT_STATUS_DRIVER_CANCEL_TIMEOUT (0xC0000000 | 0x021e)
+#define NT_STATUS_REPLY_MESSAGE_MISMATCH (0xC0000000 | 0x021f)
+#define NT_STATUS_MAPPED_ALIGNMENT (0xC0000000 | 0x0220)
+#define NT_STATUS_IMAGE_CHECKSUM_MISMATCH (0xC0000000 | 0x0221)
+#define NT_STATUS_LOST_WRITEBEHIND_DATA (0xC0000000 | 0x0222)
+#define NT_STATUS_CLIENT_SERVER_PARAMETERS_INVALID (0xC0000000 | 0x0223)
+#define NT_STATUS_PASSWORD_MUST_CHANGE (0xC0000000 | 0x0224)
+#define NT_STATUS_NOT_FOUND (0xC0000000 | 0x0225)
+#define NT_STATUS_NOT_TINY_STREAM (0xC0000000 | 0x0226)
+#define NT_STATUS_RECOVERY_FAILURE (0xC0000000 | 0x0227)
+#define NT_STATUS_STACK_OVERFLOW_READ (0xC0000000 | 0x0228)
+#define NT_STATUS_FAIL_CHECK (0xC0000000 | 0x0229)
+#define NT_STATUS_DUPLICATE_OBJECTID (0xC0000000 | 0x022a)
+#define NT_STATUS_OBJECTID_EXISTS (0xC0000000 | 0x022b)
+#define NT_STATUS_CONVERT_TO_LARGE (0xC0000000 | 0x022c)
+#define NT_STATUS_RETRY (0xC0000000 | 0x022d)
+#define NT_STATUS_FOUND_OUT_OF_SCOPE (0xC0000000 | 0x022e)
+#define NT_STATUS_ALLOCATE_BUCKET (0xC0000000 | 0x022f)
+#define NT_STATUS_PROPSET_NOT_FOUND (0xC0000000 | 0x0230)
+#define NT_STATUS_MARSHALL_OVERFLOW (0xC0000000 | 0x0231)
+#define NT_STATUS_INVALID_VARIANT (0xC0000000 | 0x0232)
+#define NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND (0xC0000000 | 0x0233)
+#define NT_STATUS_ACCOUNT_LOCKED_OUT (0xC0000000 | 0x0234)
+#define NT_STATUS_HANDLE_NOT_CLOSABLE (0xC0000000 | 0x0235)
+#define NT_STATUS_CONNECTION_REFUSED (0xC0000000 | 0x0236)
+#define NT_STATUS_GRACEFUL_DISCONNECT (0xC0000000 | 0x0237)
+#define NT_STATUS_ADDRESS_ALREADY_ASSOCIATED (0xC0000000 | 0x0238)
+#define NT_STATUS_ADDRESS_NOT_ASSOCIATED (0xC0000000 | 0x0239)
+#define NT_STATUS_CONNECTION_INVALID (0xC0000000 | 0x023a)
+#define NT_STATUS_CONNECTION_ACTIVE (0xC0000000 | 0x023b)
+#define NT_STATUS_NETWORK_UNREACHABLE (0xC0000000 | 0x023c)
+#define NT_STATUS_HOST_UNREACHABLE (0xC0000000 | 0x023d)
+#define NT_STATUS_PROTOCOL_UNREACHABLE (0xC0000000 | 0x023e)
+#define NT_STATUS_PORT_UNREACHABLE (0xC0000000 | 0x023f)
+#define NT_STATUS_REQUEST_ABORTED (0xC0000000 | 0x0240)
+#define NT_STATUS_CONNECTION_ABORTED (0xC0000000 | 0x0241)
+#define NT_STATUS_BAD_COMPRESSION_BUFFER (0xC0000000 | 0x0242)
+#define NT_STATUS_USER_MAPPED_FILE (0xC0000000 | 0x0243)
+#define NT_STATUS_AUDIT_FAILED (0xC0000000 | 0x0244)
+#define NT_STATUS_TIMER_RESOLUTION_NOT_SET (0xC0000000 | 0x0245)
+#define NT_STATUS_CONNECTION_COUNT_LIMIT (0xC0000000 | 0x0246)
+#define NT_STATUS_LOGIN_TIME_RESTRICTION (0xC0000000 | 0x0247)
+#define NT_STATUS_LOGIN_WKSTA_RESTRICTION (0xC0000000 | 0x0248)
+#define NT_STATUS_IMAGE_MP_UP_MISMATCH (0xC0000000 | 0x0249)
+#define NT_STATUS_INSUFFICIENT_LOGON_INFO (0xC0000000 | 0x0250)
+#define NT_STATUS_BAD_DLL_ENTRYPOINT (0xC0000000 | 0x0251)
+#define NT_STATUS_BAD_SERVICE_ENTRYPOINT (0xC0000000 | 0x0252)
+#define NT_STATUS_LPC_REPLY_LOST (0xC0000000 | 0x0253)
+#define NT_STATUS_IP_ADDRESS_CONFLICT1 (0xC0000000 | 0x0254)
+#define NT_STATUS_IP_ADDRESS_CONFLICT2 (0xC0000000 | 0x0255)
+#define NT_STATUS_REGISTRY_QUOTA_LIMIT (0xC0000000 | 0x0256)
+#define NT_STATUS_PATH_NOT_COVERED (0xC0000000 | 0x0257)
+#define NT_STATUS_NO_CALLBACK_ACTIVE (0xC0000000 | 0x0258)
+#define NT_STATUS_LICENSE_QUOTA_EXCEEDED (0xC0000000 | 0x0259)
+#define NT_STATUS_PWD_TOO_SHORT (0xC0000000 | 0x025a)
+#define NT_STATUS_PWD_TOO_RECENT (0xC0000000 | 0x025b)
+#define NT_STATUS_PWD_HISTORY_CONFLICT (0xC0000000 | 0x025c)
+#define NT_STATUS_PLUGPLAY_NO_DEVICE (0xC0000000 | 0x025e)
+#define NT_STATUS_UNSUPPORTED_COMPRESSION (0xC0000000 | 0x025f)
+#define NT_STATUS_INVALID_HW_PROFILE (0xC0000000 | 0x0260)
+#define NT_STATUS_INVALID_PLUGPLAY_DEVICE_PATH (0xC0000000 | 0x0261)
+#define NT_STATUS_DRIVER_ORDINAL_NOT_FOUND (0xC0000000 | 0x0262)
+#define NT_STATUS_DRIVER_ENTRYPOINT_NOT_FOUND (0xC0000000 | 0x0263)
+#define NT_STATUS_RESOURCE_NOT_OWNED (0xC0000000 | 0x0264)
+#define NT_STATUS_TOO_MANY_LINKS (0xC0000000 | 0x0265)
+#define NT_STATUS_QUOTA_LIST_INCONSISTENT (0xC0000000 | 0x0266)
+#define NT_STATUS_FILE_IS_OFFLINE (0xC0000000 | 0x0267)
+#define NT_STATUS_NETWORK_SESSION_EXPIRED (0xC0000000 | 0x035c)
+#define NT_STATUS_NO_SUCH_JOB (0xC0000000 | 0xEDE) /* scheduler */
+#define NT_STATUS_NO_PREAUTH_INTEGRITY_HASH_OVERLAP (0xC0000000 | 0x5D0000)
+#define NT_STATUS_PENDING 0x00000103
+#endif /* _NTERR_H */
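Review bot: NT_STATUS_PENDING, the last define in the table, is a bare 0x00000103, while every other entry uses the parenthesised (0xC0000000 | code) form, and NT_STATUS_NO_SUCH_JOB writes its code as 0xEDE rather than zero-padded lowercase like the rest. Please put NT_STATUS_PENDING in parentheses and add a comment that it is the one value here without the 0xC0000000 error severity bits, so a caller that classifies status values by those bits knows it is deliberate. The code numbering also jumps in several places (0x00ff to 0x0101, 0x016d to 0x0172, 0x019c to 0x0202, 0x0249 to 0x0250); a one-line comment saying whether the gaps are intentional would make the table easier to audit.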
diff --git a/fs/cifsd/ntlmssp.h b/fs/cifsd/ntlmssp.h
new file mode 100644
index 000000000000..adaf4c0cbe8f
--- /dev/null
+++ b/fs/cifsd/ntlmssp.h
@@ -0,0 +1,169 @@
+/* SPDX-License-Identifier: LGPL-2.1+ */
+/*
+ * Copyright (c) International Business Machines Corp., 2002,2007
+ * Author(s): Steve French (sfrench(a)us.ibm.com)
+ */
+
+#ifndef __KSMBD_NTLMSSP_H
+#define __KSMBD_NTLMSSP_H
+
+#define NTLMSSP_SIGNATURE "NTLMSSP"
+
+/* Security blob target info data */
+#define TGT_Name "KSMBD"
+
+/*
+ * Size of the crypto key returned on the negotiate SMB in bytes
+ */
+#define CIFS_CRYPTO_KEY_SIZE (8)
+#define CIFS_KEY_SIZE (40)
+
+/*
+ * Size of encrypted user password in bytes
+ */
+#define CIFS_ENCPWD_SIZE (16)
+#define CIFS_CPHTXT_SIZE (16)
+
+/* Message Types */
+#define NtLmNegotiate cpu_to_le32(1)
+#define NtLmChallenge cpu_to_le32(2)
+#define NtLmAuthenticate cpu_to_le32(3)
+#define UnknownMessage cpu_to_le32(8)
+
+/* Negotiate Flags */
+#define NTLMSSP_NEGOTIATE_UNICODE 0x01 /* Text strings are unicode */
+#define NTLMSSP_NEGOTIATE_OEM 0x02 /* Text strings are in OEM */
+#define NTLMSSP_REQUEST_TARGET 0x04 /* Srv returns its auth realm */
+/* define reserved9 0x08 */
+#define NTLMSSP_NEGOTIATE_SIGN 0x0010 /* Request signing capability */
+#define NTLMSSP_NEGOTIATE_SEAL 0x0020 /* Request confidentiality */
+#define NTLMSSP_NEGOTIATE_DGRAM 0x0040
+#define NTLMSSP_NEGOTIATE_LM_KEY 0x0080 /* Use LM session key */
+/* defined reserved 8 0x0100 */
+#define NTLMSSP_NEGOTIATE_NTLM 0x0200 /* NTLM authentication */
+#define NTLMSSP_NEGOTIATE_NT_ONLY 0x0400 /* Lanman not allowed */
+#define NTLMSSP_ANONYMOUS 0x0800
+#define NTLMSSP_NEGOTIATE_DOMAIN_SUPPLIED 0x1000 /* reserved6 */
+#define NTLMSSP_NEGOTIATE_WORKSTATION_SUPPLIED 0x2000
+#define NTLMSSP_NEGOTIATE_LOCAL_CALL 0x4000 /* client/server same machine */
+#define NTLMSSP_NEGOTIATE_ALWAYS_SIGN 0x8000 /* Sign. All security levels */
+#define NTLMSSP_TARGET_TYPE_DOMAIN 0x10000
+#define NTLMSSP_TARGET_TYPE_SERVER 0x20000
+#define NTLMSSP_TARGET_TYPE_SHARE 0x40000
+#define NTLMSSP_NEGOTIATE_EXTENDED_SEC 0x80000 /* NB:not related to NTLMv2 pwd*/
+/* #define NTLMSSP_REQUEST_INIT_RESP 0x100000 */
+#define NTLMSSP_NEGOTIATE_IDENTIFY 0x100000
+#define NTLMSSP_REQUEST_ACCEPT_RESP 0x200000 /* reserved5 */
+#define NTLMSSP_REQUEST_NON_NT_KEY 0x400000
+#define NTLMSSP_NEGOTIATE_TARGET_INFO 0x800000
+/* #define reserved4 0x1000000 */
+#define NTLMSSP_NEGOTIATE_VERSION 0x2000000 /* we do not set */
+/* #define reserved3 0x4000000 */
+/* #define reserved2 0x8000000 */
+/* #define reserved1 0x10000000 */
+#define NTLMSSP_NEGOTIATE_128 0x20000000
+#define NTLMSSP_NEGOTIATE_KEY_XCH 0x40000000
+#define NTLMSSP_NEGOTIATE_56 0x80000000
+
+/* Define AV Pair Field IDs */
+enum av_field_type {
+ NTLMSSP_AV_EOL = 0,
+ NTLMSSP_AV_NB_COMPUTER_NAME,
+ NTLMSSP_AV_NB_DOMAIN_NAME,
+ NTLMSSP_AV_DNS_COMPUTER_NAME,
+ NTLMSSP_AV_DNS_DOMAIN_NAME,
+ NTLMSSP_AV_DNS_TREE_NAME,
+ NTLMSSP_AV_FLAGS,
+ NTLMSSP_AV_TIMESTAMP,
+ NTLMSSP_AV_RESTRICTION,
+ NTLMSSP_AV_TARGET_NAME,
+ NTLMSSP_AV_CHANNEL_BINDINGS
+};
+
+/* Although typedefs are not commonly used for structure definitions */
+/* in the Linux kernel, in this particular case they are useful */
+/* to more closely match the standards document for NTLMSSP from */
+/* OpenGroup and to make the code more closely match the standard in */
+/* appearance */
+
+struct security_buffer {
+ __le16 Length;
+ __le16 MaximumLength;
+ __le32 BufferOffset; /* offset to buffer */
+} __packed;
+
+struct target_info {
+ __le16 Type;
+ __le16 Length;
+ __u8 Content[0];
+} __packed;
+
+struct negotiate_message {
+ __u8 Signature[sizeof(NTLMSSP_SIGNATURE)];
+ __le32 MessageType; /* NtLmNegotiate = 1 */
+ __le32 NegotiateFlags;
+ struct security_buffer DomainName; /* RFC 1001 style and ASCII */
+ struct security_buffer WorkstationName; /* RFC 1001 and ASCII */
+ /*
+ * struct security_buffer for version info not present since we
+ * do not set the version is present flag
+ */
+ char DomainString[0];
+ /* followed by WorkstationString */
+} __packed;
+
+struct challenge_message {
+ __u8 Signature[sizeof(NTLMSSP_SIGNATURE)];
+ __le32 MessageType; /* NtLmChallenge = 2 */
+ struct security_buffer TargetName;
+ __le32 NegotiateFlags;
+ __u8 Challenge[CIFS_CRYPTO_KEY_SIZE];
+ __u8 Reserved[8];
+ struct security_buffer TargetInfoArray;
+ /*
+ * struct security_buffer for version info not present since we
+ * do not set the version is present flag
+ */
+} __packed;
+
+struct authenticate_message {
+ __u8 Signature[sizeof(NTLMSSP_SIGNATURE)];
+ __le32 MessageType; /* NtLmsAuthenticate = 3 */
+ struct security_buffer LmChallengeResponse;
+ struct security_buffer NtChallengeResponse;
+ struct security_buffer DomainName;
+ struct security_buffer UserName;
+ struct security_buffer WorkstationName;
+ struct security_buffer SessionKey;
+ __le32 NegotiateFlags;
+ /*
+ * struct security_buffer for version info not present since we
+ * do not set the version is present flag
+ */
+ char UserString[0];
+} __packed;
+
+struct ntlmv2_resp {
+ char ntlmv2_hash[CIFS_ENCPWD_SIZE];
+ __le32 blob_signature;
+ __u32 reserved;
+ __le64 time;
+ __u64 client_chal; /* random */
+ __u32 reserved2;
+ /* array of name entries could follow ending in minimum 4 byte struct */
+} __packed;
+
+/* per smb session structure/fields */
+struct ntlmssp_auth {
+ /* whether session key is per smb session */
+ bool sesskey_per_smbsess;
+ /* sent by client in type 1 ntlmsssp exchange */
+ __u32 client_flags;
+ /* sent by server in type 2 ntlmssp exchange */
+ __u32 conn_flags;
+ /* sent to server */
+ unsigned char ciphertext[CIFS_CPHTXT_SIZE];
+ /* used by ntlmssp */
+ char cryptkey[CIFS_CRYPTO_KEY_SIZE];
+};
+#endif /* __KSMBD_NTLMSSP_H */
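Review bot: `__u8 Content[0];` in struct target_info, `char DomainString[0];` in struct negotiate_message and `char UserString[0];` in struct authenticate_message are zero-length arrays; new kernel code should declare these as flexible array members (`Content[]`, `DomainString[]`, `UserString[]`) so the compiler and the fortified bounds checks can see them as variable-length trailers. The comment block starting "Although typedefs are not commonly used" no longer matches the file, since every structure here is a plain `struct` and no typedef is defined; drop or reword it. The comment on MessageType in authenticate_message says "NtLmsAuthenticate" where the macro is NtLmAuthenticate. Since struct security_buffer carries a Length and a BufferOffset that arrive from the peer in the negotiate and authenticate messages, a short comment there stating that both must be checked against the received blob size before use would document the expectation for every parser that includes this header.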
diff --git a/fs/cifsd/oplock.c b/fs/cifsd/oplock.c
new file mode 100644
index 000000000000..6c3dbc71134e
--- /dev/null
+++ b/fs/cifsd/oplock.c
@@ -0,0 +1,1693 @@
+// SPDX-License-Identifier: GPL-2.0-or-later
+/*
+ * Copyright (C) 2016 Namjae Jeon <linkinjeon(a)kernel.org>
+ * Copyright (C) 2018 Samsung Electronics Co., Ltd.
+ */
+
+#include <linux/moduleparam.h>
+
+#include "glob.h"
+#include "oplock.h"
+
+#include "smb_common.h"
+#include "smbstatus.h"
+#include "buffer_pool.h"
+#include "connection.h"
+#include "mgmt/user_session.h"
+#include "mgmt/share_config.h"
+#include "mgmt/tree_connect.h"
+
+static LIST_HEAD(lease_table_list);
+static DEFINE_RWLOCK(lease_list_lock);
+
+/**
+ * get_new_opinfo() - allocate a new opinfo object for oplock info
+ * @conn: connection instance
+ * @id: fid of open file
+ * @Tid: tree id of connection
+ * @lctx: lease context information
+ *
+ * Return: allocated opinfo object on success, otherwise NULL
+ */
+static struct oplock_info *alloc_opinfo(struct ksmbd_work *work,
+ uint64_t id, __u16 Tid)
+{
+ struct ksmbd_session *sess = work->sess;
+ struct oplock_info *opinfo;
+
+ opinfo = kzalloc(sizeof(struct oplock_info), GFP_KERNEL);
+ if (!opinfo)
+ return NULL;
+
+ opinfo->sess = sess;
+ opinfo->conn = sess->conn;
+ opinfo->level = OPLOCK_NONE;
+ opinfo->op_state = OPLOCK_STATE_NONE;
+ opinfo->pending_break = 0;
+ opinfo->fid = id;
+ opinfo->Tid = Tid;
+ INIT_LIST_HEAD(&opinfo->op_entry);
+ INIT_LIST_HEAD(&opinfo->interim_list);
+ init_waitqueue_head(&opinfo->oplock_q);
+ init_waitqueue_head(&opinfo->oplock_brk);
+ atomic_set(&opinfo->refcount, 1);
+ atomic_set(&opinfo->breaking_cnt, 0);
+
+ return opinfo;
+}
+
+static void lease_add_list(struct oplock_info *opinfo)
+{
+ struct lease_table *lb = opinfo->o_lease->l_lb;
+
+ spin_lock(&lb->lb_lock);
+ list_add_rcu(&opinfo->lease_entry, &lb->lease_list);
+ spin_unlock(&lb->lb_lock);
+}
+
+static void lease_del_list(struct oplock_info *opinfo)
+{
+ struct lease_table *lb = opinfo->o_lease->l_lb;
+
+ if (!lb)
+ return;
+
+ spin_lock(&lb->lb_lock);
+ if (list_empty(&opinfo->lease_entry)) {
+ spin_unlock(&lb->lb_lock);
+ return;
+ }
+
+ list_del_init(&opinfo->lease_entry);
+ opinfo->o_lease->l_lb = NULL;
+ spin_unlock(&lb->lb_lock);
+}
+
+static void lb_add(struct lease_table *lb)
+{
+ write_lock(&lease_list_lock);
+ list_add(&lb->l_entry, &lease_table_list);
+ write_unlock(&lease_list_lock);
+}
+
+static int alloc_lease(struct oplock_info *opinfo,
+ struct lease_ctx_info *lctx)
+{
+ struct lease *lease;
+
+ lease = kmalloc(sizeof(struct lease), GFP_KERNEL);
+ if (!lease)
+ return -ENOMEM;
+
+ memcpy(lease->lease_key, lctx->lease_key, SMB2_LEASE_KEY_SIZE);
+ lease->state = lctx->req_state;
+ lease->new_state = 0;
+ lease->flags = lctx->flags;
+ lease->duration = lctx->duration;
+ INIT_LIST_HEAD(&opinfo->lease_entry);
+ opinfo->o_lease = lease;
+
+ return 0;
+}
+
+static void free_lease(struct oplock_info *opinfo)
+{
+ struct lease *lease;
+
+ lease = opinfo->o_lease;
+ kfree(lease);
+}
+
+static void free_opinfo(struct oplock_info *opinfo)
+{
+ if (opinfo->is_lease)
+ free_lease(opinfo);
+ kfree(opinfo);
+}
+
+static inline void opinfo_free_rcu(struct rcu_head *rcu_head)
+{
+ struct oplock_info *opinfo;
+
+ opinfo = container_of(rcu_head, struct oplock_info, rcu_head);
+ free_opinfo(opinfo);
+}
+
+struct oplock_info *opinfo_get(struct ksmbd_file *fp)
+{
+ struct oplock_info *opinfo;
+
+ rcu_read_lock();
+ opinfo = rcu_dereference(fp->f_opinfo);
+ if (opinfo && !atomic_inc_not_zero(&opinfo->refcount))
+ opinfo = NULL;
+ rcu_read_unlock();
+
+ return opinfo;
+}
+
+static struct oplock_info *opinfo_get_list(struct ksmbd_inode *ci)
+{
+ struct oplock_info *opinfo;
+
+ if (list_empty(&ci->m_op_list))
+ return NULL;
+
+ rcu_read_lock();
+ opinfo = list_first_or_null_rcu(&ci->m_op_list, struct oplock_info,
+ op_entry);
+ if (opinfo && !atomic_inc_not_zero(&opinfo->refcount))
+ opinfo = NULL;
+ rcu_read_unlock();
+
+ return opinfo;
+}
+
+void opinfo_put(struct oplock_info *opinfo)
+{
+ if (!atomic_dec_and_test(&opinfo->refcount))
+ return;
+
+ call_rcu(&opinfo->rcu_head, opinfo_free_rcu);
+}
+
+static void opinfo_add(struct oplock_info *opinfo)
+{
+ struct ksmbd_inode *ci = opinfo->o_fp->f_ci;
+
+ write_lock(&ci->m_lock);
+ list_add_rcu(&opinfo->op_entry, &ci->m_op_list);
+ write_unlock(&ci->m_lock);
+}
+
+static void opinfo_del(struct oplock_info *opinfo)
+{
+ struct ksmbd_inode *ci = opinfo->o_fp->f_ci;
+
+ if (opinfo->is_lease) {
+ write_lock(&lease_list_lock);
+ lease_del_list(opinfo);
+ write_unlock(&lease_list_lock);
+ }
+ write_lock(&ci->m_lock);
+ list_del_rcu(&opinfo->op_entry);
+ write_unlock(&ci->m_lock);
+}
+
+static unsigned long opinfo_count(struct ksmbd_file *fp)
+{
+ if (ksmbd_stream_fd(fp))
+ return atomic_read(&fp->f_ci->sop_count);
+ else
+ return atomic_read(&fp->f_ci->op_count);
+}
+
+static void opinfo_count_inc(struct ksmbd_file *fp)
+{
+ if (ksmbd_stream_fd(fp))
+ return atomic_inc(&fp->f_ci->sop_count);
+ else
+ return atomic_inc(&fp->f_ci->op_count);
+}
+
+static void opinfo_count_dec(struct ksmbd_file *fp)
+{
+ if (ksmbd_stream_fd(fp))
+ return atomic_dec(&fp->f_ci->sop_count);
+ else
+ return atomic_dec(&fp->f_ci->op_count);
+}
+
+/**
+ * opinfo_write_to_read() - convert a write oplock to read oplock
+ * @opinfo: current oplock info
+ *
+ * Return: 0 on success, otherwise -EINVAL
+ */
+int opinfo_write_to_read(struct oplock_info *opinfo)
+{
+ struct lease *lease = opinfo->o_lease;
+
+ if (!((opinfo->level == SMB2_OPLOCK_LEVEL_BATCH) ||
+ (opinfo->level == SMB2_OPLOCK_LEVEL_EXCLUSIVE))) {
+ ksmbd_err("bad oplock(0x%x)\n", opinfo->level);
+ if (opinfo->is_lease)
+ ksmbd_err("lease state(0x%x)\n", lease->state);
+ return -EINVAL;
+ }
+ opinfo->level = SMB2_OPLOCK_LEVEL_II;
+
+ if (opinfo->is_lease)
+ lease->state = lease->new_state;
+ return 0;
+}
+
+/**
+ * opinfo_read_handle_to_read() - convert a read/handle oplock to read oplock
+ * @opinfo: current oplock info
+ *
+ * Return: 0 on success, otherwise -EINVAL
+ */
+int opinfo_read_handle_to_read(struct oplock_info *opinfo)
+{
+ struct lease *lease = opinfo->o_lease;
+
+ lease->state = lease->new_state;
+ opinfo->level = SMB2_OPLOCK_LEVEL_II;
+ return 0;
+}
+
+/**
+ * opinfo_write_to_none() - convert a write oplock to none
+ * @opinfo: current oplock info
+ *
+ * Return: 0 on success, otherwise -EINVAL
+ */
+int opinfo_write_to_none(struct oplock_info *opinfo)
+{
+ struct lease *lease = opinfo->o_lease;
+
+ if (!((opinfo->level == SMB2_OPLOCK_LEVEL_BATCH) ||
+ (opinfo->level == SMB2_OPLOCK_LEVEL_EXCLUSIVE))) {
+ ksmbd_err("bad oplock(0x%x)\n", opinfo->level);
+ if (opinfo->is_lease)
+ ksmbd_err("lease state(0x%x)\n",
+ lease->state);
+ return -EINVAL;
+ }
+ opinfo->level = SMB2_OPLOCK_LEVEL_NONE;
+ if (opinfo->is_lease)
+ lease->state = lease->new_state;
+ return 0;
+}
+
+/**
+ * opinfo_read_to_none() - convert a write read to none
+ * @opinfo: current oplock info
+ *
+ * Return: 0 on success, otherwise -EINVAL
+ */
+int opinfo_read_to_none(struct oplock_info *opinfo)
+{
+ struct lease *lease = opinfo->o_lease;
+
+ if (opinfo->level != SMB2_OPLOCK_LEVEL_II) {
+ ksmbd_err("bad oplock(0x%x)\n", opinfo->level);
+ if (opinfo->is_lease)
+ ksmbd_err("lease state(0x%x)\n", lease->state);
+ return -EINVAL;
+ }
+ opinfo->level = SMB2_OPLOCK_LEVEL_NONE;
+ if (opinfo->is_lease)
+ lease->state = lease->new_state;
+ return 0;
+}
+
+/**
+ * lease_read_to_write() - upgrade lease state from read to write
+ * @opinfo: current lease info
+ *
+ * Return: 0 on success, otherwise -EINVAL
+ */
+int lease_read_to_write(struct oplock_info *opinfo)
+{
+ struct lease *lease = opinfo->o_lease;
+
+ if (!(lease->state & SMB2_LEASE_READ_CACHING_LE)) {
+ ksmbd_debug(OPLOCK, "bad lease state(0x%x)\n",
+ lease->state);
+ return -EINVAL;
+ }
+
+ lease->new_state = SMB2_LEASE_NONE_LE;
+ lease->state |= SMB2_LEASE_WRITE_CACHING_LE;
+ if (lease->state & SMB2_LEASE_HANDLE_CACHING_LE)
+ opinfo->level = SMB2_OPLOCK_LEVEL_BATCH;
+ else
+ opinfo->level = SMB2_OPLOCK_LEVEL_EXCLUSIVE;
+ return 0;
+}
+
+/**
+ * lease_none_upgrade() - upgrade lease state from none
+ * @opinfo: current lease info
+ * @new_state: new lease state
+ *
+ * Return: 0 on success, otherwise -EINVAL
+ */
+static int lease_none_upgrade(struct oplock_info *opinfo,
+ __le32 new_state)
+{
+ struct lease *lease = opinfo->o_lease;
+
+ if (!(lease->state == SMB2_LEASE_NONE_LE)) {
+ ksmbd_debug(OPLOCK, "bad lease state(0x%x)\n",
+ lease->state);
+ return -EINVAL;
+ }
+
+ lease->new_state = SMB2_LEASE_NONE_LE;
+ lease->state = new_state;
+ if (lease->state & SMB2_LEASE_HANDLE_CACHING_LE)
+ if (lease->state & SMB2_LEASE_WRITE_CACHING_LE)
+ opinfo->level = SMB2_OPLOCK_LEVEL_BATCH;
+ else
+ opinfo->level = SMB2_OPLOCK_LEVEL_II;
+ else if (lease->state & SMB2_LEASE_WRITE_CACHING_LE)
+ opinfo->level = SMB2_OPLOCK_LEVEL_EXCLUSIVE;
+ else if (lease->state & SMB2_LEASE_READ_CACHING_LE)
+ opinfo->level = SMB2_OPLOCK_LEVEL_II;
+
+ return 0;
+}
+
+/**
+ * close_id_del_oplock() - release oplock object at file close time
+ * @fp: ksmbd file pointer
+ */
+void close_id_del_oplock(struct ksmbd_file *fp)
+{
+ struct oplock_info *opinfo;
+
+ if (S_ISDIR(file_inode(fp->filp)->i_mode))
+ return;
+
+ opinfo = opinfo_get(fp);
+ if (!opinfo)
+ return;
+
+ opinfo_del(opinfo);
+
+ rcu_assign_pointer(fp->f_opinfo, NULL);
+ if (opinfo->op_state == OPLOCK_ACK_WAIT) {
+ opinfo->op_state = OPLOCK_CLOSING;
+ wake_up_interruptible_all(&opinfo->oplock_q);
+ if (opinfo->is_lease) {
+ atomic_set(&opinfo->breaking_cnt, 0);
+ wake_up_interruptible_all(&opinfo->oplock_brk);
+ }
+ }
+
+ opinfo_count_dec(fp);
+ atomic_dec(&opinfo->refcount);
+ opinfo_put(opinfo);
+}
+
+/**
+ * grant_write_oplock() - grant exclusive/batch oplock or write lease
+ * @opinfo_new: new oplock info object
+ * @req_oplock: request oplock
+ * @lctx: lease context information
+ *
+ * Return: 0
+ */
+static void grant_write_oplock(struct oplock_info *opinfo_new, int req_oplock,
+ struct lease_ctx_info *lctx)
+{
+ struct lease *lease = opinfo_new->o_lease;
+
+ if (req_oplock == SMB2_OPLOCK_LEVEL_BATCH)
+ opinfo_new->level = SMB2_OPLOCK_LEVEL_BATCH;
+ else
+ opinfo_new->level = SMB2_OPLOCK_LEVEL_EXCLUSIVE;
+
+ if (lctx) {
+ lease->state = lctx->req_state;
+ memcpy(lease->lease_key, lctx->lease_key,
+ SMB2_LEASE_KEY_SIZE);
+ }
+}
+
+/**
+ * grant_read_oplock() - grant level2 oplock or read lease
+ * @opinfo_new: new oplock info object
+ * @lctx: lease context information
+ *
+ * Return: 0
+ */
+static void grant_read_oplock(struct oplock_info *opinfo_new,
+ struct lease_ctx_info *lctx)
+{
+ struct lease *lease = opinfo_new->o_lease;
+
+ opinfo_new->level = SMB2_OPLOCK_LEVEL_II;
+
+ if (lctx) {
+ lease->state = SMB2_LEASE_READ_CACHING_LE;
+ if (lctx->req_state & SMB2_LEASE_HANDLE_CACHING_LE)
+ lease->state |= SMB2_LEASE_HANDLE_CACHING_LE;
+ memcpy(lease->lease_key, lctx->lease_key,
+ SMB2_LEASE_KEY_SIZE);
+ }
+}
+
+/**
+ * grant_none_oplock() - grant none oplock or none lease
+ * @opinfo_new: new oplock info object
+ * @lctx: lease context information
+ *
+ * Return: 0
+ */
+static void grant_none_oplock(struct oplock_info *opinfo_new,
+ struct lease_ctx_info *lctx)
+{
+ struct lease *lease = opinfo_new->o_lease;
+
+ opinfo_new->level = SMB2_OPLOCK_LEVEL_NONE;
+
+ if (lctx) {
+ lease->state = 0;
+ memcpy(lease->lease_key, lctx->lease_key,
+ SMB2_LEASE_KEY_SIZE);
+ }
+}
+
+/**
+ * find_opinfo() - find lease object for given client guid and lease key
+ * @head: oplock list(read,write or none) head
+ * @guid1: client guid of matching lease owner
+ * @key1: lease key of matching lease owner
+ *
+ * Return: oplock(lease) object on success, otherwise NULL
+ */
+static inline int compare_guid_key(struct oplock_info *opinfo,
+ const char *guid1, const char *key1)
+{
+ const char *guid2, *key2;
+
+ guid2 = opinfo->conn->ClientGUID;
+ key2 = opinfo->o_lease->lease_key;
+ if (!memcmp(guid1, guid2, SMB2_CLIENT_GUID_SIZE) &&
+ !memcmp(key1, key2, SMB2_LEASE_KEY_SIZE))
+ return 1;
+
+ return 0;
+}
+
+/**
+ * same_client_has_lease() - check whether current lease request is
+ * from lease owner of file
+ * @ci: master file pointer
+ * @client_guid: Client GUID
+ * @lctx: lease context information
+ *
+ * Return: oplock(lease) object on success, otherwise NULL
+ */
+static struct oplock_info *same_client_has_lease(struct ksmbd_inode *ci,
+ char *client_guid, struct lease_ctx_info *lctx)
+{
+ int ret;
+ struct lease *lease;
+ struct oplock_info *opinfo;
+ struct oplock_info *m_opinfo = NULL;
+
+ if (!lctx)
+ return NULL;
+
+ /*
+ * Compare lease key and client_guid to know request from same owner
+ * of same client
+ */
+ read_lock(&ci->m_lock);
+ list_for_each_entry(opinfo, &ci->m_op_list, op_entry) {
+ if (!opinfo->is_lease)
+ continue;
+ read_unlock(&ci->m_lock);
+ lease = opinfo->o_lease;
+
+ ret = compare_guid_key(opinfo, client_guid, lctx->lease_key);
+ if (ret) {
+ m_opinfo = opinfo;
+ /* skip upgrading lease about breaking lease */
+ if (atomic_read(&opinfo->breaking_cnt)) {
+ read_lock(&ci->m_lock);
+ continue;
+ }
+
+ /* upgrading lease */
+ if ((atomic_read(&ci->op_count) +
+ atomic_read(&ci->sop_count)) == 1) {
+ if (lease->state ==
+ (lctx->req_state & lease->state)) {
+ lease->state |= lctx->req_state;
+ if (lctx->req_state &
+ SMB2_LEASE_WRITE_CACHING_LE)
+ lease_read_to_write(opinfo);
+ }
+ } else if ((atomic_read(&ci->op_count) +
+ atomic_read(&ci->sop_count)) > 1) {
+ if (lctx->req_state ==
+ (SMB2_LEASE_READ_CACHING_LE |
+ SMB2_LEASE_HANDLE_CACHING_LE))
+ lease->state = lctx->req_state;
+ }
+
+ if (lctx->req_state && lease->state ==
+ SMB2_LEASE_NONE_LE)
+ lease_none_upgrade(opinfo, lctx->req_state);
+ }
+ read_lock(&ci->m_lock);
+ }
+ read_unlock(&ci->m_lock);
+
+ return m_opinfo;
+}
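
Review bot: in same_client_has_lease() the loop calls read_unlock(&ci->m_lock) right after the is_lease check and only re-takes the lock before advancing, so opinfo is dereferenced and lease->state is modified with neither the lock nor a reference held, and the list_for_each_entry() cursor can be standing on an entry that was unlinked or freed while the lock was dropped. Pin the entry with atomic_inc_not_zero(&opinfo->refcount) before unlocking, as smb_break_all_levII_oplock() does, and return m_opinfo with a reference that the caller drops after copy_lease(). The return values of lease_read_to_write() and lease_none_upgrade() are also ignored, so a failed upgrade is silent.
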
+
+static void wait_for_break_ack(struct oplock_info *opinfo)
+{
+ int rc = 0;
+
+ rc = wait_event_interruptible_timeout(opinfo->oplock_q,
+ opinfo->op_state == OPLOCK_STATE_NONE ||
+ opinfo->op_state == OPLOCK_CLOSING,
+ OPLOCK_WAIT_TIME);
+
+ /* is this a timeout ? */
+ if (!rc) {
+ if (opinfo->is_lease)
+ opinfo->o_lease->state = SMB2_LEASE_NONE_LE;
+ opinfo->level = SMB2_OPLOCK_LEVEL_NONE;
+ opinfo->op_state = OPLOCK_STATE_NONE;
+ }
+}
+
+static void wake_up_oplock_break(struct oplock_info *opinfo)
+{
+ clear_bit_unlock(0, &opinfo->pending_break);
+ /* memory barrier is needed for wake_up_bit() */
+ smp_mb__after_atomic();
+ wake_up_bit(&opinfo->pending_break, 0);
+}
+
+static int oplock_break_pending(struct oplock_info *opinfo, int req_op_level)
+{
+ while (test_and_set_bit(0, &opinfo->pending_break)) {
+ wait_on_bit(&opinfo->pending_break, 0, TASK_UNINTERRUPTIBLE);
+
+ /* Not immediately break to none. */
+ opinfo->open_trunc = 0;
+
+ if (opinfo->op_state == OPLOCK_CLOSING)
+ return -ENOENT;
+ else if (!opinfo->is_lease && opinfo->level <= req_op_level)
+ return 1;
+ }
+
+ if (!opinfo->is_lease && opinfo->level <= req_op_level) {
+ wake_up_oplock_break(opinfo);
+ return 1;
+ }
+ return 0;
+}
+
+static inline int allocate_oplock_break_buf(struct ksmbd_work *work)
+{
+ work->response_buf = ksmbd_alloc_response(MAX_CIFS_SMALL_BUFFER_SIZE);
+ if (!work->response_buf)
+ return -ENOMEM;
+ work->response_sz = MAX_CIFS_SMALL_BUFFER_SIZE;
+ return 0;
+}
+
+/**
+ * smb2_oplock_break_noti() - send smb2 oplock break cmd from conn
+ * to client
+ * @work: smb work object
+ *
+ * There are two ways this function can be called. 1- while file open we break
+ * from exclusive/batch lock to levelII oplock and 2- while file write/truncate
+ * we break from levelII oplock no oplock.
+ * REQUEST_BUF(work) contains oplock_info.
+ */
+static void __smb2_oplock_break_noti(struct work_struct *wk)
+{
+ struct smb2_oplock_break *rsp = NULL;
+ struct ksmbd_work *work = container_of(wk, struct ksmbd_work, work);
+ struct ksmbd_conn *conn = work->conn;
+ struct oplock_break_info *br_info = REQUEST_BUF(work);
+ struct smb2_hdr *rsp_hdr;
+ struct ksmbd_file *fp;
+
+ fp = ksmbd_lookup_durable_fd(br_info->fid);
+ if (!fp) {
+ atomic_dec(&conn->r_count);
+ ksmbd_free_work_struct(work);
+ return;
+ }
+
+ if (allocate_oplock_break_buf(work)) {
+ ksmbd_err("smb2_allocate_rsp_buf failed! ");
+ atomic_dec(&conn->r_count);
+ ksmbd_free_work_struct(work);
+ ksmbd_fd_put(work, fp);
+ return;
+ }
+
+ rsp_hdr = RESPONSE_BUF(work);
+ memset(rsp_hdr, 0, sizeof(struct smb2_hdr) + 2);
+ rsp_hdr->smb2_buf_length = cpu_to_be32(HEADER_SIZE_NO_BUF_LEN(conn));
+ rsp_hdr->ProtocolId = SMB2_PROTO_NUMBER;
+ rsp_hdr->StructureSize = SMB2_HEADER_STRUCTURE_SIZE;
+ rsp_hdr->CreditRequest = cpu_to_le16(0);
+ rsp_hdr->Command = SMB2_OPLOCK_BREAK;
+ rsp_hdr->Flags = (SMB2_FLAGS_SERVER_TO_REDIR);
+ rsp_hdr->NextCommand = 0;
+ rsp_hdr->MessageId = cpu_to_le64(-1);
+ rsp_hdr->Id.SyncId.ProcessId = 0;
+ rsp_hdr->Id.SyncId.TreeId = 0;
+ rsp_hdr->SessionId = 0;
+ memset(rsp_hdr->Signature, 0, 16);
+
+
+ rsp = RESPONSE_BUF(work);
+
+ rsp->StructureSize = cpu_to_le16(24);
+ if (!br_info->open_trunc &&
+ (br_info->level == SMB2_OPLOCK_LEVEL_BATCH ||
+ br_info->level == SMB2_OPLOCK_LEVEL_EXCLUSIVE))
+ rsp->OplockLevel = SMB2_OPLOCK_LEVEL_II;
+ else
+ rsp->OplockLevel = SMB2_OPLOCK_LEVEL_NONE;
+ rsp->Reserved = 0;
+ rsp->Reserved2 = 0;
+ rsp->PersistentFid = cpu_to_le64(fp->persistent_id);
+ rsp->VolatileFid = cpu_to_le64(fp->volatile_id);
+
+ inc_rfc1001_len(rsp, 24);
+
+ ksmbd_debug(OPLOCK,
+ "sending oplock break v_id %llu p_id = %llu lock level = %d\n",
+ rsp->VolatileFid, rsp->PersistentFid, rsp->OplockLevel);
+
+ ksmbd_fd_put(work, fp);
+ ksmbd_conn_write(work);
+ ksmbd_free_work_struct(work);
+ atomic_dec(&conn->r_count);
+}
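
Review bot: in the allocate_oplock_break_buf() failure path of __smb2_oplock_break_noti(), ksmbd_free_work_struct(work) runs before ksmbd_fd_put(work, fp), so work is handed to ksmbd_fd_put() after it has been freed. Drop the fd reference first, in the same order the success path at the end of the function uses. The kernel-doc header above names smb2_oplock_break_noti() and @work, while the function is __smb2_oplock_break_noti(struct work_struct *wk), and the debug print passes the little-endian VolatileFid and PersistentFid fields to %llu without conversion.
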
+
+/**
+ * smb2_oplock_break() - send smb2 exclusive/batch to level2 oplock
+ * break command from server to client
+ * @opinfo: oplock info object
+ * @ack_required if requiring ack
+ *
+ * Return: 0 on success, otherwise error
+ */
+static int smb2_oplock_break_noti(struct oplock_info *opinfo)
+{
+ struct ksmbd_conn *conn = opinfo->conn;
+ struct oplock_break_info *br_info;
+ int ret = 0;
+ struct ksmbd_work *work = ksmbd_alloc_work_struct();
+
+ if (!work)
+ return -ENOMEM;
+
+ br_info = kmalloc(sizeof(struct oplock_break_info), GFP_KERNEL);
+ if (!br_info) {
+ ksmbd_free_work_struct(work);
+ return -ENOMEM;
+ }
+
+ br_info->level = opinfo->level;
+ br_info->fid = opinfo->fid;
+ br_info->open_trunc = opinfo->open_trunc;
+
+ work->request_buf = (char *)br_info;
+ work->conn = conn;
+ work->sess = opinfo->sess;
+
+ atomic_inc(&conn->r_count);
+ if (opinfo->op_state == OPLOCK_ACK_WAIT) {
+ INIT_WORK(&work->work, __smb2_oplock_break_noti);
+ ksmbd_queue_work(work);
+
+ wait_for_break_ack(opinfo);
+ } else {
+ __smb2_oplock_break_noti(&work->work);
+ if (opinfo->level == SMB2_OPLOCK_LEVEL_II)
+ opinfo->level = SMB2_OPLOCK_LEVEL_NONE;
+ }
+ return ret;
+}
+
+/**
+ * __smb2_lease_break_noti() - send lease break command from server
+ * to client
+ * @work: smb work object
+ */
+static void __smb2_lease_break_noti(struct work_struct *wk)
+{
+ struct smb2_lease_break *rsp = NULL;
+ struct ksmbd_work *work = container_of(wk, struct ksmbd_work, work);
+ struct lease_break_info *br_info = REQUEST_BUF(work);
+ struct ksmbd_conn *conn = work->conn;
+ struct smb2_hdr *rsp_hdr;
+
+ if (allocate_oplock_break_buf(work)) {
+ ksmbd_debug(OPLOCK, "smb2_allocate_rsp_buf failed! ");
+ ksmbd_free_work_struct(work);
+ atomic_dec(&conn->r_count);
+ return;
+ }
+
+ rsp_hdr = RESPONSE_BUF(work);
+ memset(rsp_hdr, 0, sizeof(struct smb2_hdr) + 2);
+ rsp_hdr->smb2_buf_length = cpu_to_be32(HEADER_SIZE_NO_BUF_LEN(conn));
+ rsp_hdr->ProtocolId = SMB2_PROTO_NUMBER;
+ rsp_hdr->StructureSize = SMB2_HEADER_STRUCTURE_SIZE;
+ rsp_hdr->CreditRequest = cpu_to_le16(0);
+ rsp_hdr->Command = SMB2_OPLOCK_BREAK;
+ rsp_hdr->Flags = (SMB2_FLAGS_SERVER_TO_REDIR);
+ rsp_hdr->NextCommand = 0;
+ rsp_hdr->MessageId = cpu_to_le64(-1);
+ rsp_hdr->Id.SyncId.ProcessId = 0;
+ rsp_hdr->Id.SyncId.TreeId = 0;
+ rsp_hdr->SessionId = 0;
+ memset(rsp_hdr->Signature, 0, 16);
+
+ rsp = RESPONSE_BUF(work);
+ rsp->StructureSize = cpu_to_le16(44);
+ rsp->Reserved = 0;
+ rsp->Flags = 0;
+
+ if (br_info->curr_state & (SMB2_LEASE_WRITE_CACHING_LE |
+ SMB2_LEASE_HANDLE_CACHING_LE))
+ rsp->Flags = SMB2_NOTIFY_BREAK_LEASE_FLAG_ACK_REQUIRED;
+
+ memcpy(rsp->LeaseKey, br_info->lease_key, SMB2_LEASE_KEY_SIZE);
+ rsp->CurrentLeaseState = br_info->curr_state;
+ rsp->NewLeaseState = br_info->new_state;
+ rsp->BreakReason = 0;
+ rsp->AccessMaskHint = 0;
+ rsp->ShareMaskHint = 0;
+
+ inc_rfc1001_len(rsp, 44);
+
+ ksmbd_conn_write(work);
+ ksmbd_free_work_struct(work);
+ atomic_dec(&conn->r_count);
+}
+
+/**
+ * smb2_break_lease() - break lease when a new client request
+ * write lease
+ * @opinfo: conains lease state information
+ * @ack_required: if requring ack
+ *
+ * Return: 0 on success, otherwise error
+ */
+static int smb2_lease_break_noti(struct oplock_info *opinfo)
+{
+ struct ksmbd_conn *conn = opinfo->conn;
+ struct list_head *tmp, *t;
+ struct ksmbd_work *work;
+ struct lease_break_info *br_info;
+ struct lease *lease = opinfo->o_lease;
+
+ work = ksmbd_alloc_work_struct();
+ if (!work)
+ return -ENOMEM;
+
+ br_info = kmalloc(sizeof(struct lease_break_info), GFP_KERNEL);
+ if (!br_info) {
+ ksmbd_free_work_struct(work);
+ return -ENOMEM;
+ }
+
+ br_info->curr_state = lease->state;
+ br_info->new_state = lease->new_state;
+ memcpy(br_info->lease_key, lease->lease_key, SMB2_LEASE_KEY_SIZE);
+
+ work->request_buf = (char *)br_info;
+ work->conn = conn;
+ work->sess = opinfo->sess;
+
+ atomic_inc(&conn->r_count);
+ if (opinfo->op_state == OPLOCK_ACK_WAIT) {
+ list_for_each_safe(tmp, t, &opinfo->interim_list) {
+ struct ksmbd_work *in_work;
+
+ in_work = list_entry(tmp, struct ksmbd_work,
+ interim_entry);
+ setup_async_work(in_work, NULL, NULL);
+ smb2_send_interim_resp(in_work, STATUS_PENDING);
+ list_del(&in_work->interim_entry);
+ }
+ INIT_WORK(&work->work, __smb2_lease_break_noti);
+ ksmbd_queue_work(work);
+ wait_for_break_ack(opinfo);
+ } else {
+ __smb2_lease_break_noti(&work->work);
+ if (opinfo->o_lease->new_state == SMB2_LEASE_NONE_LE) {
+ opinfo->level = SMB2_OPLOCK_LEVEL_NONE;
+ opinfo->o_lease->state = SMB2_LEASE_NONE_LE;
+ }
+ }
+ return 0;
+}
+
+static void wait_lease_breaking(struct oplock_info *opinfo)
+{
+ if (!opinfo->is_lease)
+ return;
+
+ wake_up_interruptible_all(&opinfo->oplock_brk);
+ if (atomic_read(&opinfo->breaking_cnt)) {
+ int ret = 0;
+
+ ret = wait_event_interruptible_timeout(
+ opinfo->oplock_brk,
+ atomic_read(&opinfo->breaking_cnt) == 0,
+ HZ);
+ if (!ret)
+ atomic_set(&opinfo->breaking_cnt, 0);
+ }
+}
+
+static int oplock_break(struct oplock_info *brk_opinfo, int req_op_level)
+{
+ int err = 0;
+
+ /* Need to break exclusive/batch oplock, write lease or overwrite_if */
+ ksmbd_debug(OPLOCK,
+ "request to send oplock(level : 0x%x) break notification\n",
+ brk_opinfo->level);
+
+ if (brk_opinfo->is_lease) {
+ struct lease *lease = brk_opinfo->o_lease;
+
+ atomic_inc(&brk_opinfo->breaking_cnt);
+
+ err = oplock_break_pending(brk_opinfo, req_op_level);
+ if (err)
+ return err < 0 ? err : 0;
+
+ if (brk_opinfo->open_trunc) {
+ /*
+ * Create overwrite break trigger the lease break to
+ * none.
+ */
+ lease->new_state = SMB2_LEASE_NONE_LE;
+ } else {
+ if (lease->state & SMB2_LEASE_WRITE_CACHING_LE) {
+ if (lease->state & SMB2_LEASE_HANDLE_CACHING_LE)
+ lease->new_state =
+ SMB2_LEASE_READ_CACHING_LE |
+ SMB2_LEASE_HANDLE_CACHING_LE;
+ else
+ lease->new_state =
+ SMB2_LEASE_READ_CACHING_LE;
+ } else {
+ if (lease->state & SMB2_LEASE_HANDLE_CACHING_LE)
+ lease->new_state =
+ SMB2_LEASE_READ_CACHING_LE;
+ else
+ lease->new_state = SMB2_LEASE_NONE_LE;
+ }
+ }
+
+ if (lease->state & (SMB2_LEASE_WRITE_CACHING_LE |
+ SMB2_LEASE_HANDLE_CACHING_LE))
+ brk_opinfo->op_state = OPLOCK_ACK_WAIT;
+ else
+ atomic_dec(&brk_opinfo->breaking_cnt);
+ } else {
+ err = oplock_break_pending(brk_opinfo, req_op_level);
+ if (err)
+ return err < 0 ? err : 0;
+
+ if (brk_opinfo->level == SMB2_OPLOCK_LEVEL_BATCH ||
+ brk_opinfo->level == SMB2_OPLOCK_LEVEL_EXCLUSIVE)
+ brk_opinfo->op_state = OPLOCK_ACK_WAIT;
+ }
+
+ if (brk_opinfo->is_lease)
+ err = smb2_lease_break_noti(brk_opinfo);
+ else
+ err = smb2_oplock_break_noti(brk_opinfo);
+
+ ksmbd_debug(OPLOCK, "oplock granted = %d\n", brk_opinfo->level);
+ if (brk_opinfo->op_state == OPLOCK_CLOSING)
+ err = -ENOENT;
+ wake_up_oplock_break(brk_opinfo);
+
+ wait_lease_breaking(brk_opinfo);
+
+ return err;
+}
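
Review bot: oplock_break() sets op_state to OPLOCK_ACK_WAIT before calling smb2_lease_break_noti() or smb2_oplock_break_noti(), and both of those can return -ENOMEM before anything is sent, which leaves the opinfo in OPLOCK_ACK_WAIT for a break the client never received. Reset op_state when the notification call fails. In the lease branch, breaking_cnt is also incremented before oplock_break_pending() and the early return on a non-zero result leaves it incremented; decrement it on that path.
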
+
+void destroy_lease_table(struct ksmbd_conn *conn)
+{
+ struct lease_table *lb, *lbtmp;
+ struct oplock_info *opinfo;
+
+ write_lock(&lease_list_lock);
+ if (list_empty(&lease_table_list)) {
+ write_unlock(&lease_list_lock);
+ return;
+ }
+
+ list_for_each_entry_safe(lb, lbtmp, &lease_table_list, l_entry) {
+ if (conn && memcmp(lb->client_guid, conn->ClientGUID,
+ SMB2_CLIENT_GUID_SIZE))
+ continue;
+again:
+ rcu_read_lock();
+ list_for_each_entry_rcu(opinfo, &lb->lease_list,
+ lease_entry) {
+ rcu_read_unlock();
+ lease_del_list(opinfo);
+ goto again;
+ }
+ rcu_read_unlock();
+ list_del(&lb->l_entry);
+ kfree(lb);
+ }
+ write_unlock(&lease_list_lock);
+}
+
+int find_same_lease_key(struct ksmbd_session *sess, struct ksmbd_inode *ci,
+ struct lease_ctx_info *lctx)
+{
+ struct oplock_info *opinfo;
+ int err = 0;
+ struct lease_table *lb;
+
+ if (!lctx)
+ return err;
+
+ read_lock(&lease_list_lock);
+ if (list_empty(&lease_table_list)) {
+ read_unlock(&lease_list_lock);
+ return 0;
+ }
+
+ list_for_each_entry(lb, &lease_table_list, l_entry) {
+ if (!memcmp(lb->client_guid, sess->conn->ClientGUID,
+ SMB2_CLIENT_GUID_SIZE))
+ goto found;
+ }
+ read_unlock(&lease_list_lock);
+
+ return 0;
+
+found:
+ rcu_read_lock();
+ list_for_each_entry_rcu(opinfo, &lb->lease_list,
+ lease_entry) {
+ if (!atomic_inc_not_zero(&opinfo->refcount))
+ continue;
+ rcu_read_unlock();
+ if (opinfo->o_fp->f_ci == ci)
+ goto op_next;
+ err = compare_guid_key(opinfo,
+ sess->conn->ClientGUID,
+ lctx->lease_key);
+ if (err) {
+ err = -EINVAL;
+ ksmbd_debug(OPLOCK,
+ "found same lease key is already used in other files\n");
+ opinfo_put(opinfo);
+ goto out;
+ }
+op_next:
+ opinfo_put(opinfo);
+ rcu_read_lock();
+ }
+ rcu_read_unlock();
+
+out:
+ read_unlock(&lease_list_lock);
+ return err;
+}
+
+static void copy_lease(struct oplock_info *op1, struct oplock_info *op2)
+{
+ struct lease *lease1 = op1->o_lease;
+ struct lease *lease2 = op2->o_lease;
+
+ op2->level = op1->level;
+ lease2->state = lease1->state;
+ memcpy(lease2->lease_key, lease1->lease_key,
+ SMB2_LEASE_KEY_SIZE);
+ lease2->duration = lease1->duration;
+ lease2->flags = lease1->flags;
+}
+
+static int add_lease_global_list(struct oplock_info *opinfo)
+{
+ struct lease_table *lb;
+
+ read_lock(&lease_list_lock);
+ list_for_each_entry(lb, &lease_table_list, l_entry) {
+ if (!memcmp(lb->client_guid, opinfo->conn->ClientGUID,
+ SMB2_CLIENT_GUID_SIZE)) {
+ opinfo->o_lease->l_lb = lb;
+ lease_add_list(opinfo);
+ read_unlock(&lease_list_lock);
+ return 0;
+ }
+ }
+ read_unlock(&lease_list_lock);
+
+ lb = kmalloc(sizeof(struct lease_table), GFP_KERNEL);
+ if (!lb)
+ return -ENOMEM;
+
+ memcpy(lb->client_guid, opinfo->conn->ClientGUID,
+ SMB2_CLIENT_GUID_SIZE);
+ INIT_LIST_HEAD(&lb->lease_list);
+ spin_lock_init(&lb->lb_lock);
+ opinfo->o_lease->l_lb = lb;
+ lease_add_list(opinfo);
+ lb_add(lb);
+ return 0;
+}
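
Review bot: add_lease_global_list() searches lease_table_list under read_lock(&lease_list_lock), drops the lock, and then allocates and adds a new lease_table without searching again, so two opens from the same ClientGUID that race through the miss path can each add a table for that GUID. Allocate first, then do the lookup and the insert under one write_lock(&lease_list_lock), freeing the spare allocation when an existing table is found.
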
+
+static void set_oplock_level(struct oplock_info *opinfo, int level,
+ struct lease_ctx_info *lctx)
+{
+ switch (level) {
+ case SMB2_OPLOCK_LEVEL_BATCH:
+ case SMB2_OPLOCK_LEVEL_EXCLUSIVE:
+ grant_write_oplock(opinfo,
+ level, lctx);
+ break;
+ case SMB2_OPLOCK_LEVEL_II:
+ grant_read_oplock(opinfo, lctx);
+ break;
+ default:
+ grant_none_oplock(opinfo, lctx);
+ break;
+ }
+}
+
+/**
+ * smb_grant_oplock() - handle oplock/lease request on file open
+ * @fp: ksmbd file pointer
+ * @oplock: granted oplock type
+ * @id: fid of open file
+ * @Tid: Tree id of connection
+ * @lctx: lease context information on file open
+ * @attr_only: attribute only file open type
+ *
+ * Return: 0 on success, otherwise error
+ */
+int smb_grant_oplock(struct ksmbd_work *work,
+ int req_op_level,
+ uint64_t pid,
+ struct ksmbd_file *fp,
+ __u16 tid,
+ struct lease_ctx_info *lctx,
+ int share_ret)
+{
+ struct ksmbd_session *sess = work->sess;
+ int err = 0;
+ struct oplock_info *opinfo = NULL, *prev_opinfo = NULL;
+ struct ksmbd_inode *ci = fp->f_ci;
+ bool prev_op_has_lease;
+ __le32 prev_op_state = 0;
+
+ /* not support directory lease */
+ if (S_ISDIR(file_inode(fp->filp)->i_mode)) {
+ if (lctx)
+ lctx->dlease = 1;
+ return 0;
+ }
+
+ opinfo = alloc_opinfo(work, pid, tid);
+ if (!opinfo)
+ return -ENOMEM;
+
+ if (lctx) {
+ err = alloc_lease(opinfo, lctx);
+ if (err)
+ goto err_out;
+ opinfo->is_lease = 1;
+ }
+
+ /* ci does not have any oplock */
+ if (!opinfo_count(fp))
+ goto set_lev;
+
+ /* grant none-oplock if second open is trunc */
+ if (ATTR_FP(fp)) {
+ req_op_level = SMB2_OPLOCK_LEVEL_NONE;
+ goto set_lev;
+ }
+
+ if (lctx) {
+ struct oplock_info *m_opinfo;
+
+ /* is lease already granted ? */
+ m_opinfo = same_client_has_lease(ci, sess->conn->ClientGUID,
+ lctx);
+ if (m_opinfo) {
+ copy_lease(m_opinfo, opinfo);
+ if (atomic_read(&m_opinfo->breaking_cnt))
+ opinfo->o_lease->flags =
+ SMB2_LEASE_FLAG_BREAK_IN_PROGRESS_LE;
+ goto out;
+ }
+ }
+ prev_opinfo = opinfo_get_list(ci);
+ if (!prev_opinfo ||
+ (prev_opinfo->level == SMB2_OPLOCK_LEVEL_NONE && lctx))
+ goto set_lev;
+ prev_op_has_lease = prev_opinfo->is_lease;
+ if (prev_op_has_lease)
+ prev_op_state = prev_opinfo->o_lease->state;
+
+ if (share_ret < 0 &&
+ (prev_opinfo->level == SMB2_OPLOCK_LEVEL_EXCLUSIVE)) {
+ err = share_ret;
+ opinfo_put(prev_opinfo);
+ goto err_out;
+ }
+
+ if ((prev_opinfo->level != SMB2_OPLOCK_LEVEL_BATCH) &&
+ (prev_opinfo->level != SMB2_OPLOCK_LEVEL_EXCLUSIVE)) {
+ opinfo_put(prev_opinfo);
+ goto op_break_not_needed;
+ }
+
+ list_add(&work->interim_entry, &prev_opinfo->interim_list);
+ err = oplock_break(prev_opinfo, SMB2_OPLOCK_LEVEL_II);
+ opinfo_put(prev_opinfo);
+ if (err == -ENOENT)
+ goto set_lev;
+ /* Check all oplock was freed by close */
+ else if (err < 0)
+ goto err_out;
+
+op_break_not_needed:
+ if (share_ret < 0) {
+ err = share_ret;
+ goto err_out;
+ }
+
+ if (req_op_level != SMB2_OPLOCK_LEVEL_NONE)
+ req_op_level = SMB2_OPLOCK_LEVEL_II;
+
+ /* grant fixed oplock on stacked locking between lease and oplock */
+ if (prev_op_has_lease && !lctx)
+ if (prev_op_state & SMB2_LEASE_HANDLE_CACHING_LE)
+ req_op_level = SMB2_OPLOCK_LEVEL_NONE;
+
+ if (!prev_op_has_lease && lctx) {
+ req_op_level = SMB2_OPLOCK_LEVEL_II;
+ lctx->req_state = SMB2_LEASE_READ_CACHING_LE;
+ }
+
+set_lev:
+ set_oplock_level(opinfo, req_op_level, lctx);
+
+out:
+ rcu_assign_pointer(fp->f_opinfo, opinfo);
+ opinfo->o_fp = fp;
+
+ opinfo_count_inc(fp);
+ opinfo_add(opinfo);
+ if (opinfo->is_lease) {
+ err = add_lease_global_list(opinfo);
+ if (err)
+ goto err_out;
+ }
+
+ return 0;
+err_out:
+ free_opinfo(opinfo);
+ return err;
+}
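
Review bot: at the out: label of smb_grant_oplock(), opinfo is published with rcu_assign_pointer(fp->f_opinfo, opinfo), opinfo_count_inc(fp) and opinfo_add(opinfo) before add_lease_global_list() is called, and when that call fails the code jumps to err_out and runs free_opinfo(opinfo) while fp->f_opinfo and the inode's oplock list still refer to it. Call add_lease_global_list() before publishing the object, or undo the three publication steps on that error path. The kernel-doc parameter list (@oplock, @id, @Tid, @attr_only) does not match the function's signature either.
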
+
+/**
+ * smb_break_write_oplock() - break batch/exclusive oplock to level2
+ * @work: smb work
+ * @fp: ksmbd file pointer
+ * @openfile: open file object
+ */
+static void smb_break_all_write_oplock(struct ksmbd_work *work,
+ struct ksmbd_file *fp, int is_trunc)
+{
+ struct oplock_info *brk_opinfo;
+
+ brk_opinfo = opinfo_get_list(fp->f_ci);
+ if (!brk_opinfo)
+ return;
+ if (brk_opinfo->level != SMB2_OPLOCK_LEVEL_BATCH &&
+ brk_opinfo->level != SMB2_OPLOCK_LEVEL_EXCLUSIVE) {
+ opinfo_put(brk_opinfo);
+ return;
+ }
+
+ brk_opinfo->open_trunc = is_trunc;
+ list_add(&work->interim_entry, &brk_opinfo->interim_list);
+ oplock_break(brk_opinfo, SMB2_OPLOCK_LEVEL_II);
+ opinfo_put(brk_opinfo);
+}
+
+/**
+ * smb_break_all_levII_oplock() - send level2 oplock or read lease break command
+ * from server to client
+ * @conn: connection instance
+ * @fp: ksmbd file pointer
+ * @is_trunc: truncate on open
+ */
+void smb_break_all_levII_oplock(struct ksmbd_work *work,
+ struct ksmbd_file *fp, int is_trunc)
+{
+ struct oplock_info *op, *brk_op;
+ struct ksmbd_inode *ci;
+ struct ksmbd_conn *conn = work->sess->conn;
+
+ if (!test_share_config_flag(work->tcon->share_conf,
+ KSMBD_SHARE_FLAG_OPLOCKS)) {
+ return;
+ }
+
+ ci = fp->f_ci;
+ op = opinfo_get(fp);
+
+ rcu_read_lock();
+ list_for_each_entry_rcu(brk_op, &ci->m_op_list, op_entry) {
+ if (!atomic_inc_not_zero(&brk_op->refcount))
+ continue;
+ rcu_read_unlock();
+ if (brk_op->is_lease && (brk_op->o_lease->state &
+ (~(SMB2_LEASE_READ_CACHING_LE |
+ SMB2_LEASE_HANDLE_CACHING_LE)))) {
+ ksmbd_debug(OPLOCK, "unexpected lease state(0x%x)\n",
+ brk_op->o_lease->state);
+ goto next;
+ } else if (brk_op->level !=
+ SMB2_OPLOCK_LEVEL_II) {
+ ksmbd_debug(OPLOCK, "unexpected oplock(0x%x)\n",
+ brk_op->level);
+ goto next;
+ }
+
+ /* Skip oplock being break to none */
+ if (brk_op->is_lease && (brk_op->o_lease->new_state ==
+ SMB2_LEASE_NONE_LE) &&
+ atomic_read(&brk_op->breaking_cnt))
+ goto next;
+
+ if (op && op->is_lease &&
+ brk_op->is_lease &&
+ !memcmp(conn->ClientGUID, brk_op->conn->ClientGUID,
+ SMB2_CLIENT_GUID_SIZE) &&
+ !memcmp(op->o_lease->lease_key,
+ brk_op->o_lease->lease_key,
+ SMB2_LEASE_KEY_SIZE))
+ goto next;
+ brk_op->open_trunc = is_trunc;
+ oplock_break(brk_op, SMB2_OPLOCK_LEVEL_NONE);
+next:
+ opinfo_put(brk_op);
+ rcu_read_lock();
+ }
+ rcu_read_unlock();
+
+ if (op)
+ opinfo_put(op);
+}
+
+/**
+ * smb_break_all_oplock() - break both batch/exclusive and level2 oplock
+ * @work: smb work
+ * @fp: ksmbd file pointer
+ */
+void smb_break_all_oplock(struct ksmbd_work *work, struct ksmbd_file *fp)
+{
+ if (!test_share_config_flag(work->tcon->share_conf,
+ KSMBD_SHARE_FLAG_OPLOCKS))
+ return;
+
+ smb_break_all_write_oplock(work, fp, 1);
+ smb_break_all_levII_oplock(work, fp, 1);
+}
+
+/**
+ * smb2_map_lease_to_oplock() - map lease state to corresponding oplock type
+ * @lease_state: lease type
+ *
+ * Return: 0 if no mapping, otherwise corresponding oplock type
+ */
+__u8 smb2_map_lease_to_oplock(__le32 lease_state)
+{
+ if (lease_state == (SMB2_LEASE_HANDLE_CACHING_LE |
+ SMB2_LEASE_READ_CACHING_LE | SMB2_LEASE_WRITE_CACHING_LE))
+ return SMB2_OPLOCK_LEVEL_BATCH;
+ else if (lease_state != SMB2_LEASE_WRITE_CACHING_LE &&
+ lease_state & SMB2_LEASE_WRITE_CACHING_LE) {
+ if (!(lease_state & SMB2_LEASE_HANDLE_CACHING_LE))
+ return SMB2_OPLOCK_LEVEL_EXCLUSIVE;
+ } else if (lease_state & SMB2_LEASE_READ_CACHING_LE)
+ return SMB2_OPLOCK_LEVEL_II;
+ return 0;
+}
+
+/**
+ * create_lease_buf() - create lease context for open cmd response
+ * @rbuf: buffer to create lease context response
+ * @lreq: buffer to stored parsed lease state information
+ */
+void create_lease_buf(u8 *rbuf, struct lease *lease)
+{
+ struct create_lease *buf = (struct create_lease *)rbuf;
+ char *LeaseKey = (char *)&lease->lease_key;
+
+ memset(buf, 0, sizeof(struct create_lease));
+ buf->lcontext.LeaseKeyLow = *((__le64 *)LeaseKey);
+ buf->lcontext.LeaseKeyHigh = *((__le64 *)(LeaseKey + 8));
+ buf->lcontext.LeaseFlags = lease->flags;
+ buf->lcontext.LeaseState = lease->state;
+ buf->ccontext.DataOffset = cpu_to_le16(offsetof
+ (struct create_lease, lcontext));
+ buf->ccontext.DataLength = cpu_to_le32(sizeof(struct lease_context));
+ buf->ccontext.NameOffset = cpu_to_le16(offsetof
+ (struct create_lease, Name));
+ buf->ccontext.NameLength = cpu_to_le16(4);
+ buf->Name[0] = 'R';
+ buf->Name[1] = 'q';
+ buf->Name[2] = 'L';
+ buf->Name[3] = 's';
+}
+
+/**
+ * parse_lease_state() - parse lease context containted in file open request
+ * @open_req: buffer containing smb2 file open(create) request
+ * @lreq: buffer to stored parsed lease state information
+ *
+ * Return: oplock state, -ENOENT if create lease context not found
+ */
+struct lease_ctx_info *parse_lease_state(void *open_req)
+{
+ char *data_offset;
+ struct create_context *cc;
+ unsigned int next = 0;
+ char *name;
+ bool found = false;
+ struct smb2_create_req *req = (struct smb2_create_req *)open_req;
+ struct lease_ctx_info *lreq = kzalloc(sizeof(struct lease_ctx_info),
+ GFP_KERNEL);
+ if (!lreq)
+ return NULL;
+
+ data_offset = (char *)req + 4 + le32_to_cpu(req->CreateContextsOffset);
+ cc = (struct create_context *)data_offset;
+ do {
+ cc = (struct create_context *)((char *)cc + next);
+ name = le16_to_cpu(cc->NameOffset) + (char *)cc;
+ if (le16_to_cpu(cc->NameLength) != 4 ||
+ strncmp(name, SMB2_CREATE_REQUEST_LEASE, 4)) {
+ next = le32_to_cpu(cc->Next);
+ continue;
+ }
+ found = true;
+ break;
+ } while (next != 0);
+
+ if (found) {
+ struct create_lease *lc = (struct create_lease *)cc;
+ *((__le64 *)lreq->lease_key) = lc->lcontext.LeaseKeyLow;
+ *((__le64 *)(lreq->lease_key + 8)) = lc->lcontext.LeaseKeyHigh;
+ lreq->req_state = lc->lcontext.LeaseState;
+ lreq->flags = lc->lcontext.LeaseFlags;
+ lreq->duration = lc->lcontext.LeaseDuration;
+ return lreq;
+ }
+
+ kfree(lreq);
+ return NULL;
+}
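
Review bot: parse_lease_state() walks the create contexts using CreateContextsOffset, cc->Next and cc->NameOffset exactly as the client sent them, with no check against the length of the received request, and then reads lc->lcontext without checking that the context's data is large enough to hold a lease context. A request with no create contexts, or with offsets that point past the buffer, makes this loop read outside the request. Bound the walk by the request's CreateContextsLength and validate each context's header, name range and data range before dereferencing them. The kernel-doc also documents an @lreq parameter and an -ENOENT return that this function does not have.
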
+
+/**
+ * smb2_find_context_vals() - find a particular context info in open request
+ * @open_req: buffer containing smb2 file open(create) request
+ * @str: context name to search for
+ *
+ * Return: pointer to requested context, NULL if @str context not found
+ */
+struct create_context *smb2_find_context_vals(void *open_req, const char *tag)
+{
+ char *data_offset;
+ struct create_context *cc;
+ unsigned int next = 0;
+ char *name;
+ struct smb2_create_req *req = (struct smb2_create_req *)open_req;
+
+ data_offset = (char *)req + 4 + le32_to_cpu(req->CreateContextsOffset);
+ cc = (struct create_context *)data_offset;
+ do {
+ int val;
+
+ cc = (struct create_context *)((char *)cc + next);
+ name = le16_to_cpu(cc->NameOffset) + (char *)cc;
+ val = le16_to_cpu(cc->NameLength);
+ if (val < 4)
+ return ERR_PTR(-EINVAL);
+
+ if (memcmp(name, tag, val) == 0)
+ return cc;
+ next = le32_to_cpu(cc->Next);
+ } while (next != 0);
+
+ return ERR_PTR(-ENOENT);
+}
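
Review bot: in smb2_find_context_vals(), memcmp(name, tag, val) uses the client-supplied NameLength as the comparison length, so any NameLength larger than the tag reads past the end of tag as well as past the context name; the only check is val < 4. Compare only when NameLength equals the length of the tag being searched for, and bound the cc->Next walk by the create contexts length, as in parse_lease_state(). The kernel-doc names the second parameter @str while the signature calls it tag.
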
+
+/**
+ * create_durable_buf() - create durable handle context
+ * @cc: buffer to create durable context response
+ */
+void create_durable_rsp_buf(char *cc)
+{
+ struct create_durable_rsp *buf;
+
+ buf = (struct create_durable_rsp *)cc;
+ memset(buf, 0, sizeof(struct create_durable_rsp));
+ buf->ccontext.DataOffset = cpu_to_le16(offsetof
+ (struct create_durable_rsp, Data));
+ buf->ccontext.DataLength = cpu_to_le32(8);
+ buf->ccontext.NameOffset = cpu_to_le16(offsetof
+ (struct create_durable_rsp, Name));
+ buf->ccontext.NameLength = cpu_to_le16(4);
+ /* SMB2_CREATE_DURABLE_HANDLE_RESPONSE is "DHnQ" */
+ buf->Name[0] = 'D';
+ buf->Name[1] = 'H';
+ buf->Name[2] = 'n';
+ buf->Name[3] = 'Q';
+}
+
+/**
+ * create_durable_buf() - create durable handle v2 context
+ * @cc: buffer to create durable context response
+ */
+void create_durable_v2_rsp_buf(char *cc, struct ksmbd_file *fp)
+{
+ struct create_durable_v2_rsp *buf;
+
+ buf = (struct create_durable_v2_rsp *)cc;
+ memset(buf, 0, sizeof(struct create_durable_rsp));
+ buf->ccontext.DataOffset = cpu_to_le16(offsetof
+ (struct create_durable_rsp, Data));
+ buf->ccontext.DataLength = cpu_to_le32(8);
+ buf->ccontext.NameOffset = cpu_to_le16(offsetof
+ (struct create_durable_rsp, Name));
+ buf->ccontext.NameLength = cpu_to_le16(4);
+ /* SMB2_CREATE_DURABLE_HANDLE_RESPONSE_V2 is "DH2Q" */
+ buf->Name[0] = 'D';
+ buf->Name[1] = 'H';
+ buf->Name[2] = '2';
+ buf->Name[3] = 'Q';
+
+ buf->Timeout = cpu_to_le32(fp->durable_timeout);
+ if (fp->is_persistent)
+ buf->Flags = SMB2_FLAGS_REPLAY_OPERATIONS;
+}
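
Review bot: create_durable_v2_rsp_buf() casts cc to struct create_durable_v2_rsp but clears it with sizeof(struct create_durable_rsp) and computes DataOffset and NameOffset with offsetof(struct create_durable_rsp, ...). If the v2 structure is larger, its tail goes out in the response uninitialised, and the offsets are right only if the two layouts happen to coincide. Use struct create_durable_v2_rsp in the memset() and both offsetof() calls, and check that DataLength of 8 is still correct for the v2 payload that carries Timeout and Flags. The kernel-doc header repeats the name create_durable_buf().
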
+
+/**
+ * create_mxac_buf() - create query maximal access context
+ * @cc: buffer to create maximal access context response
+ */
+void create_mxac_rsp_buf(char *cc, int maximal_access)
+{
+ struct create_mxac_rsp *buf;
+
+ buf = (struct create_mxac_rsp *)cc;
+ memset(buf, 0, sizeof(struct create_mxac_rsp));
+ buf->ccontext.DataOffset = cpu_to_le16(offsetof
+ (struct create_mxac_rsp, QueryStatus));
+ buf->ccontext.DataLength = cpu_to_le32(8);
+ buf->ccontext.NameOffset = cpu_to_le16(offsetof
+ (struct create_mxac_rsp, Name));
+ buf->ccontext.NameLength = cpu_to_le16(4);
+ /* SMB2_CREATE_QUERY_MAXIMAL_ACCESS_RESPONSE is "MxAc" */
+ buf->Name[0] = 'M';
+ buf->Name[1] = 'x';
+ buf->Name[2] = 'A';
+ buf->Name[3] = 'c';
+
+ buf->QueryStatus = STATUS_SUCCESS;
+ buf->MaximalAccess = cpu_to_le32(maximal_access);
+}
+
+/**
+ * create_mxac_buf() - create query maximal access context
+ * @cc: buffer to create query disk on id context response
+ */
+void create_disk_id_rsp_buf(char *cc, __u64 file_id, __u64 vol_id)
+{
+ struct create_disk_id_rsp *buf;
+
+ buf = (struct create_disk_id_rsp *)cc;
+ memset(buf, 0, sizeof(struct create_disk_id_rsp));
+ buf->ccontext.DataOffset = cpu_to_le16(offsetof
+ (struct create_disk_id_rsp, DiskFileId));
+ buf->ccontext.DataLength = cpu_to_le32(32);
+ buf->ccontext.NameOffset = cpu_to_le16(offsetof
+ (struct create_mxac_rsp, Name));
+ buf->ccontext.NameLength = cpu_to_le16(4);
+ /* SMB2_CREATE_QUERY_ON_DISK_ID_RESPONSE is "QFid" */
+ buf->Name[0] = 'Q';
+ buf->Name[1] = 'F';
+ buf->Name[2] = 'i';
+ buf->Name[3] = 'd';
+
+ buf->DiskFileId = cpu_to_le64(file_id);
+ buf->VolumeId = cpu_to_le64(vol_id);
+}
+
+/**
+ * create_posix_buf() - create posix extension context
+ * @cc: buffer to create posix on posix response
+ */
+void create_posix_rsp_buf(char *cc, struct ksmbd_file *fp)
+{
+ struct create_posix_rsp *buf;
+ struct inode *inode = FP_INODE(fp);
+
+ buf = (struct create_posix_rsp *)cc;
+ memset(buf, 0, sizeof(struct create_posix_rsp));
+ buf->ccontext.DataOffset = cpu_to_le16(offsetof
+ (struct create_posix_rsp, nlink));
+ buf->ccontext.DataLength = cpu_to_le32(52);
+ buf->ccontext.NameOffset = cpu_to_le16(offsetof
+ (struct create_posix_rsp, Name));
+ buf->ccontext.NameLength = cpu_to_le16(POSIX_CTXT_DATA_LEN);
+ /* SMB2_CREATE_TAG_POSIX is "0x93AD25509CB411E7B42383DE968BCD7C" */
+ buf->Name[0] = 0x93;
+ buf->Name[1] = 0xAD;
+ buf->Name[2] = 0x25;
+ buf->Name[3] = 0x50;
+ buf->Name[4] = 0x9C;
+ buf->Name[5] = 0xB4;
+ buf->Name[6] = 0x11;
+ buf->Name[7] = 0xE7;
+ buf->Name[8] = 0xB4;
+ buf->Name[9] = 0x23;
+ buf->Name[10] = 0x83;
+ buf->Name[11] = 0xDE;
+ buf->Name[12] = 0x96;
+ buf->Name[13] = 0x8B;
+ buf->Name[14] = 0xCD;
+ buf->Name[15] = 0x7C;
+
+ buf->nlink = cpu_to_le32(inode->i_nlink);
+ buf->reparse_tag = cpu_to_le32(fp->volatile_id);
+ buf->mode = cpu_to_le32(inode->i_mode);
+ id_to_sid(from_kuid(&init_user_ns, inode->i_uid),
+ SIDNFS_USER, (struct smb_sid *)&buf->SidBuffer[0]);
+ id_to_sid(from_kgid(&init_user_ns, inode->i_gid),
+ SIDNFS_GROUP, (struct smb_sid *)&buf->SidBuffer[20]);
+}
+
+/*
+ * Find lease object(opinfo) for given lease key/fid from lease
+ * break/file close path.
+ */
+/**
+ * lookup_lease_in_table() - find a matching lease info object
+ * @conn: connection instance
+ * @lease_key: lease key to be searched for
+ *
+ * Return: opinfo if found matching opinfo, otherwise NULL
+ */
+struct oplock_info *lookup_lease_in_table(struct ksmbd_conn *conn,
+ char *lease_key)
+{
+ struct oplock_info *opinfo = NULL, *ret_op = NULL;
+ struct lease_table *lt;
+ int ret;
+
+ read_lock(&lease_list_lock);
+ list_for_each_entry(lt, &lease_table_list, l_entry) {
+ if (!memcmp(lt->client_guid, conn->ClientGUID,
+ SMB2_CLIENT_GUID_SIZE))
+ goto found;
+ }
+
+ read_unlock(&lease_list_lock);
+ return NULL;
+
+found:
+ rcu_read_lock();
+ list_for_each_entry_rcu(opinfo, <->lease_list, lease_entry) {
+ if (!atomic_inc_not_zero(&opinfo->refcount))
+ continue;
+ rcu_read_unlock();
+ if (!opinfo->op_state ||
+ opinfo->op_state == OPLOCK_CLOSING)
+ goto op_next;
+ if (!(opinfo->o_lease->state &
+ (SMB2_LEASE_HANDLE_CACHING_LE |
+ SMB2_LEASE_WRITE_CACHING_LE)))
+ goto op_next;
+ ret = compare_guid_key(opinfo, conn->ClientGUID,
+ lease_key);
+ if (ret) {
+ ksmbd_debug(OPLOCK, "found opinfo\n");
+ ret_op = opinfo;
+ goto out;
+ }
+op_next:
+ opinfo_put(opinfo);
+ rcu_read_lock();
+ }
+ rcu_read_unlock();
+
+out:
+ read_unlock(&lease_list_lock);
+ return ret_op;
+}
+
+int smb2_check_durable_oplock(struct ksmbd_file *fp,
+ struct lease_ctx_info *lctx, char *name)
+{
+ struct oplock_info *opinfo = opinfo_get(fp);
+ int ret = 0;
+
+ if (opinfo && opinfo->is_lease) {
+ if (!lctx) {
+ ksmbd_err("open does not include lease\n");
+ ret = -EBADF;
+ goto out;
+ }
+ if (memcmp(opinfo->o_lease->lease_key, lctx->lease_key,
+ SMB2_LEASE_KEY_SIZE)) {
+ ksmbd_err("invalid lease key\n");
+ ret = -EBADF;
+ goto out;
+ }
+ if (name && strcmp(fp->filename, name)) {
+ ksmbd_err("invalid name reconnect %s\n", name);
+ ret = -EINVAL;
+ goto out;
+ }
+ }
+out:
+ if (opinfo)
+ opinfo_put(opinfo);
+ return ret;
+}
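Review bot: In lookup_lease_in_table(), the op_next path calls opinfo_put(opinfo) before rcu_read_lock() is retaken, and list_for_each_entry_rcu() then reads opinfo->lease_entry.next to advance. If that put drops the last reference, the iterator dereferences an object that is pinned by neither a refcount nor an RCU read-side section. Retake rcu_read_lock() before the put (assuming the free is RCU-deferred), or restructure the loop so the reference is held until the next entry has been fetched. Separately, create_durable_v2_rsp_buf() sizes its memset and offsets with struct create_durable_rsp rather than struct create_durable_v2_rsp, create_disk_id_rsp_buf() takes NameOffset from struct create_mxac_rsp, and the kernel-doc names (create_durable_buf, create_mxac_buf, create_posix_buf) do not match the functions they document and omit the second parameters; use the type of buf in each case and fix the comments.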
diff --git a/fs/cifsd/oplock.h b/fs/cifsd/oplock.h
new file mode 100644
index 000000000000..b0e2e795f29a
--- /dev/null
+++ b/fs/cifsd/oplock.h
@@ -0,0 +1,138 @@
+/* SPDX-License-Identifier: GPL-2.0-or-later */
+/*
+ * Copyright (C) 2016 Namjae Jeon <linkinjeon(a)kernel.org>
+ * Copyright (C) 2018 Samsung Electronics Co., Ltd.
+ */
+
+#ifndef __KSMBD_OPLOCK_H
+#define __KSMBD_OPLOCK_H
+
+#include "smb_common.h"
+
+#define OPLOCK_WAIT_TIME (35*HZ)
+
+/* SMB Oplock levels */
+#define OPLOCK_NONE 0
+#define OPLOCK_EXCLUSIVE 1
+#define OPLOCK_BATCH 2
+#define OPLOCK_READ 3 /* level 2 oplock */
+
+/* SMB2 Oplock levels */
+#define SMB2_OPLOCK_LEVEL_NONE 0x00
+#define SMB2_OPLOCK_LEVEL_II 0x01
+#define SMB2_OPLOCK_LEVEL_EXCLUSIVE 0x08
+#define SMB2_OPLOCK_LEVEL_BATCH 0x09
+#define SMB2_OPLOCK_LEVEL_LEASE 0xFF
+
+/* Oplock states */
+#define OPLOCK_STATE_NONE 0x00
+#define OPLOCK_ACK_WAIT 0x01
+#define OPLOCK_CLOSING 0x02
+
+#define OPLOCK_WRITE_TO_READ 0x01
+#define OPLOCK_READ_HANDLE_TO_READ 0x02
+#define OPLOCK_WRITE_TO_NONE 0x04
+#define OPLOCK_READ_TO_NONE 0x08
+
+#define SMB2_LEASE_KEY_SIZE 16
+
+struct lease_ctx_info {
+ __u8 lease_key[SMB2_LEASE_KEY_SIZE];
+ __le32 req_state;
+ __le32 flags;
+ __le64 duration;
+ int dlease;
+};
+
+struct lease_table {
+ char client_guid[SMB2_CLIENT_GUID_SIZE];
+ struct list_head lease_list;
+ struct list_head l_entry;
+ spinlock_t lb_lock;
+};
+
+struct lease {
+ __u8 lease_key[SMB2_LEASE_KEY_SIZE];
+ __le32 state;
+ __le32 new_state;
+ __le32 flags;
+ __le64 duration;
+ struct lease_table *l_lb;
+};
+
+struct oplock_info {
+ struct ksmbd_conn *conn;
+ struct ksmbd_session *sess;
+ struct ksmbd_work *work;
+ struct ksmbd_file *o_fp;
+ int level;
+ int op_state;
+ unsigned long pending_break;
+ uint64_t fid;
+ atomic_t breaking_cnt;
+ atomic_t refcount;
+ __u16 Tid;
+ bool is_lease;
+ bool open_trunc; /* truncate on open */
+ struct lease *o_lease;
+ struct list_head interim_list;
+ struct list_head op_entry;
+ struct list_head lease_entry;
+ wait_queue_head_t oplock_q; /* Other server threads */
+ wait_queue_head_t oplock_brk; /* oplock breaking wait */
+ struct rcu_head rcu_head;
+};
+
+struct lease_break_info {
+ __le32 curr_state;
+ __le32 new_state;
+ char lease_key[SMB2_LEASE_KEY_SIZE];
+};
+
+struct oplock_break_info {
+ int level;
+ int open_trunc;
+ int fid;
+};
+
+extern int smb_grant_oplock(struct ksmbd_work *work, int req_op_level,
+ uint64_t pid, struct ksmbd_file *fp, __u16 tid,
+ struct lease_ctx_info *lctx, int share_ret);
+extern void smb_break_all_levII_oplock(struct ksmbd_work *work,
+ struct ksmbd_file *fp, int is_trunc);
+
+int opinfo_write_to_read(struct oplock_info *opinfo);
+int opinfo_read_handle_to_read(struct oplock_info *opinfo);
+int opinfo_write_to_none(struct oplock_info *opinfo);
+int opinfo_read_to_none(struct oplock_info *opinfo);
+void close_id_del_oplock(struct ksmbd_file *fp);
+void smb_break_all_oplock(struct ksmbd_work *work, struct ksmbd_file *fp);
+struct oplock_info *opinfo_get(struct ksmbd_file *fp);
+void opinfo_put(struct oplock_info *opinfo);
+
+/* Lease related functions */
+void create_lease_buf(u8 *rbuf, struct lease *lease);
+struct lease_ctx_info *parse_lease_state(void *open_req);
+__u8 smb2_map_lease_to_oplock(__le32 lease_state);
+int lease_read_to_write(struct oplock_info *opinfo);
+
+/* Durable related functions */
+void create_durable_rsp_buf(char *cc);
+void create_durable_v2_rsp_buf(char *cc, struct ksmbd_file *fp);
+void create_mxac_rsp_buf(char *cc, int maximal_access);
+void create_disk_id_rsp_buf(char *cc, __u64 file_id, __u64 vol_id);
+void create_posix_rsp_buf(char *cc, struct ksmbd_file *fp);
+struct create_context *smb2_find_context_vals(void *open_req, const char *str);
+int ksmbd_durable_verify_and_del_oplock(struct ksmbd_session *curr_sess,
+ struct ksmbd_session *prev_sess,
+ int fid, struct file **filp,
+ uint64_t sess_id);
+struct oplock_info *lookup_lease_in_table(struct ksmbd_conn *conn,
+ char *lease_key);
+int find_same_lease_key(struct ksmbd_session *sess, struct ksmbd_inode *ci,
+ struct lease_ctx_info *lctx);
+void destroy_lease_table(struct ksmbd_conn *conn);
+int smb2_check_durable_oplock(struct ksmbd_file *fp,
+ struct lease_ctx_info *lctx, char *name);
+
+#endif /* __KSMBD_OPLOCK_H */
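Review bot: The file id is declared with different widths in this header: oplock_info.fid is uint64_t, while oplock_break_info.fid and the fid parameter of ksmbd_durable_verify_and_del_oplock() are int, so a value passed from one to the other is truncated or sign-converted. Pick one unsigned type for fid and use it in all three places. Minor: lookup_lease_in_table() takes char *lease_key although the keys are stored as __u8[SMB2_LEASE_KEY_SIZE], so const __u8 * would match the data better, and the extern on smb_grant_oplock() and smb_break_all_levII_oplock() is inconsistent with the other prototypes.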
diff --git a/fs/cifsd/smb2misc.c b/fs/cifsd/smb2misc.c
new file mode 100644
index 000000000000..485f431c776c
--- /dev/null
+++ b/fs/cifsd/smb2misc.c
@@ -0,0 +1,458 @@
+// SPDX-License-Identifier: GPL-2.0-or-later
+/*
+ * Copyright (C) 2016 Namjae Jeon <linkinjeon(a)kernel.org>
+ * Copyright (C) 2018 Samsung Electronics Co., Ltd.
+ */
+
+#include "glob.h"
+#include "nterr.h"
+#include "smb2pdu.h"
+#include "smb_common.h"
+#include "smbstatus.h"
+#include "mgmt/user_session.h"
+#include "connection.h"
+
+static int check_smb2_hdr(struct smb2_hdr *hdr)
+{
+ /*
+ * Make sure that this really is an SMB, that it is a response.
+ */
+ if (hdr->Flags & SMB2_FLAGS_SERVER_TO_REDIR)
+ return 1;
+ return 0;
+}
+
+/*
+ * The following table defines the expected "StructureSize" of SMB2 requests
+ * in order by SMB2 command. This is similar to "wct" in SMB/CIFS requests.
+ *
+ * Note that commands are defined in smb2pdu.h in le16 but the array below is
+ * indexed by command in host byte order
+ */
+static const __le16 smb2_req_struct_sizes[NUMBER_OF_SMB2_COMMANDS] = {
+ /* SMB2_NEGOTIATE */ cpu_to_le16(36),
+ /* SMB2_SESSION_SETUP */ cpu_to_le16(25),
+ /* SMB2_LOGOFF */ cpu_to_le16(4),
+ /* SMB2_TREE_CONNECT */ cpu_to_le16(9),
+ /* SMB2_TREE_DISCONNECT */ cpu_to_le16(4),
+ /* SMB2_CREATE */ cpu_to_le16(57),
+ /* SMB2_CLOSE */ cpu_to_le16(24),
+ /* SMB2_FLUSH */ cpu_to_le16(24),
+ /* SMB2_READ */ cpu_to_le16(49),
+ /* SMB2_WRITE */ cpu_to_le16(49),
+ /* SMB2_LOCK */ cpu_to_le16(48),
+ /* SMB2_IOCTL */ cpu_to_le16(57),
+ /* SMB2_CANCEL */ cpu_to_le16(4),
+ /* SMB2_ECHO */ cpu_to_le16(4),
+ /* SMB2_QUERY_DIRECTORY */ cpu_to_le16(33),
+ /* SMB2_CHANGE_NOTIFY */ cpu_to_le16(32),
+ /* SMB2_QUERY_INFO */ cpu_to_le16(41),
+ /* SMB2_SET_INFO */ cpu_to_le16(33),
+ /* use 44 for lease break */
+ /* SMB2_OPLOCK_BREAK */ cpu_to_le16(36)
+};
+
+/*
+ * The size of the variable area depends on the offset and length fields
+ * located in different fields for various SMB2 requests. SMB2 requests
+ * with no variable length info, show an offset of zero for the offset field.
+ */
+static const bool has_smb2_data_area[NUMBER_OF_SMB2_COMMANDS] = {
+ /* SMB2_NEGOTIATE */ true,
+ /* SMB2_SESSION_SETUP */ true,
+ /* SMB2_LOGOFF */ false,
+ /* SMB2_TREE_CONNECT */ true,
+ /* SMB2_TREE_DISCONNECT */ false,
+ /* SMB2_CREATE */ true,
+ /* SMB2_CLOSE */ false,
+ /* SMB2_FLUSH */ false,
+ /* SMB2_READ */ true,
+ /* SMB2_WRITE */ true,
+ /* SMB2_LOCK */ true,
+ /* SMB2_IOCTL */ true,
+ /* SMB2_CANCEL */ false, /* BB CHECK this not listed in documentation */
+ /* SMB2_ECHO */ false,
+ /* SMB2_QUERY_DIRECTORY */ true,
+ /* SMB2_CHANGE_NOTIFY */ false,
+ /* SMB2_QUERY_INFO */ true,
+ /* SMB2_SET_INFO */ true,
+ /* SMB2_OPLOCK_BREAK */ false
+};
+
+/*
+ * Returns the pointer to the beginning of the data area. Length of the data
+ * area and the offset to it (from the beginning of the smb are also returned.
+ */
+static char *smb2_get_data_area_len(int *off, int *len, struct smb2_hdr *hdr)
+{
+ *off = 0;
+ *len = 0;
+
+ /* error reqeusts do not have data area */
+ if (hdr->Status && hdr->Status != STATUS_MORE_PROCESSING_REQUIRED &&
+ (((struct smb2_err_rsp *)hdr)->StructureSize) ==
+ SMB2_ERROR_STRUCTURE_SIZE2_LE)
+ return NULL;
+
+ /*
+ * Following commands have data areas so we have to get the location
+ * of the data buffer offset and data buffer length for the particular
+ * command.
+ */
+ switch (hdr->Command) {
+ case SMB2_SESSION_SETUP:
+ *off = le16_to_cpu(
+ ((struct smb2_sess_setup_req *)hdr)->SecurityBufferOffset);
+ *len = le16_to_cpu(
+ ((struct smb2_sess_setup_req *)hdr)->SecurityBufferLength);
+ break;
+ case SMB2_TREE_CONNECT:
+ *off = le16_to_cpu(
+ ((struct smb2_tree_connect_req *)hdr)->PathOffset);
+ *len = le16_to_cpu(
+ ((struct smb2_tree_connect_req *)hdr)->PathLength);
+ break;
+ case SMB2_CREATE:
+ {
+ if (((struct smb2_create_req *)hdr)->CreateContextsLength) {
+ *off = le32_to_cpu(((struct smb2_create_req *)
+ hdr)->CreateContextsOffset);
+ *len = le32_to_cpu(((struct smb2_create_req *)
+ hdr)->CreateContextsLength);
+ break;
+ }
+
+ *off = le16_to_cpu(
+ ((struct smb2_create_req *)hdr)->NameOffset);
+ *len = le16_to_cpu(
+ ((struct smb2_create_req *)hdr)->NameLength);
+ break;
+ }
+ case SMB2_QUERY_INFO:
+ *off = le16_to_cpu(
+ ((struct smb2_query_info_req *)hdr)->InputBufferOffset);
+ *len = le32_to_cpu(
+ ((struct smb2_query_info_req *)hdr)->InputBufferLength);
+ break;
+ case SMB2_SET_INFO:
+ *off = le16_to_cpu(
+ ((struct smb2_set_info_req *)hdr)->BufferOffset);
+ *len = le32_to_cpu(
+ ((struct smb2_set_info_req *)hdr)->BufferLength);
+ break;
+ case SMB2_READ:
+ *off = le16_to_cpu(
+ ((struct smb2_read_req *)hdr)->ReadChannelInfoOffset);
+ *len = le16_to_cpu(
+ ((struct smb2_read_req *)hdr)->ReadChannelInfoLength);
+ break;
+ case SMB2_WRITE:
+ if (((struct smb2_write_req *)hdr)->DataOffset) {
+ *off = le16_to_cpu(
+ ((struct smb2_write_req *)hdr)->DataOffset);
+ *len = le32_to_cpu(
+ ((struct smb2_write_req *)hdr)->Length);
+ break;
+ }
+
+ *off = le16_to_cpu(
+ ((struct smb2_write_req *)hdr)->WriteChannelInfoOffset);
+ *len = le16_to_cpu(
+ ((struct smb2_write_req *)hdr)->WriteChannelInfoLength);
+ break;
+ case SMB2_QUERY_DIRECTORY:
+ *off = le16_to_cpu(
+ ((struct smb2_query_directory_req *)hdr)->FileNameOffset);
+ *len = le16_to_cpu(
+ ((struct smb2_query_directory_req *)hdr)->FileNameLength);
+ break;
+ case SMB2_LOCK:
+ {
+ int lock_count;
+
+ /*
+ * smb2_lock request size is 48 included single
+ * smb2_lock_element structure size.
+ */
+ lock_count = le16_to_cpu(
+ ((struct smb2_lock_req *)hdr)->LockCount) - 1;
+ if (lock_count > 0) {
+ *off = __SMB2_HEADER_STRUCTURE_SIZE + 48;
+ *len = sizeof(struct smb2_lock_element) * lock_count;
+ }
+ break;
+ }
+ case SMB2_IOCTL:
+ *off = le32_to_cpu(
+ ((struct smb2_ioctl_req *)hdr)->InputOffset);
+ *len = le32_to_cpu(((struct smb2_ioctl_req *)hdr)->InputCount);
+
+ break;
+ default:
+ ksmbd_debug(SMB, "no length check for command\n");
+ break;
+ }
+
+ /*
+ * Invalid length or offset probably means data area is invalid, but
+ * we have little choice but to ignore the data area in this case.
+ */
+ if (*off > 4096) {
+ ksmbd_debug(SMB, "offset %d too large, data area ignored\n",
+ *off);
+ *len = 0;
+ *off = 0;
+ } else if (*off < 0) {
+ ksmbd_debug(SMB,
+ "negative offset %d to data invalid ignore data area\n",
+ *off);
+ *off = 0;
+ *len = 0;
+ } else if (*len < 0) {
+ ksmbd_debug(SMB,
+ "negative data length %d invalid, data area ignored\n",
+ *len);
+ *len = 0;
+ } else if (*len > 128 * 1024) {
+ ksmbd_debug(SMB, "data area larger than 128K: %d\n", *len);
+ *len = 0;
+ }
+
+ /* return pointer to beginning of data area, ie offset from SMB start */
+ if ((*off != 0) && (*len != 0))
+ return (char *)hdr + *off;
+ else
+ return NULL;
+}
+
+/*
+ * Calculate the size of the SMB message based on the fixed header
+ * portion, the number of word parameters and the data portion of the message.
+ */
+static unsigned int smb2_calc_size(void *buf)
+{
+ struct smb2_pdu *pdu = (struct smb2_pdu *)buf;
+ struct smb2_hdr *hdr = &pdu->hdr;
+ int offset; /* the offset from the beginning of SMB to data area */
+ int data_length; /* the length of the variable length data area */
+ /* Structure Size has already been checked to make sure it is 64 */
+ int len = le16_to_cpu(hdr->StructureSize);
+
+ /*
+ * StructureSize2, ie length of fixed parameter area has already
+ * been checked to make sure it is the correct length.
+ */
+ len += le16_to_cpu(pdu->StructureSize2);
+
+ if (has_smb2_data_area[le16_to_cpu(hdr->Command)] == false)
+ goto calc_size_exit;
+
+ smb2_get_data_area_len(&offset, &data_length, hdr);
+ ksmbd_debug(SMB, "SMB2 data length %d offset %d\n", data_length,
+ offset);
+
+ if (data_length > 0) {
+ /*
+ * Check to make sure that data area begins after fixed area,
+ * Note that last byte of the fixed area is part of data area
+ * for some commands, typically those with odd StructureSize,
+ * so we must add one to the calculation.
+ */
+ if (offset + 1 < len)
+ ksmbd_debug(SMB,
+ "data area offset %d overlaps SMB2 header %d\n",
+ offset + 1, len);
+ else
+ len = offset + data_length;
+ }
+calc_size_exit:
+ ksmbd_debug(SMB, "SMB2 len %d\n", len);
+ return len;
+}
+
+static inline int smb2_query_info_req_len(struct smb2_query_info_req *h)
+{
+ return le32_to_cpu(h->InputBufferLength) +
+ le32_to_cpu(h->OutputBufferLength);
+}
+
+static inline int smb2_set_info_req_len(struct smb2_set_info_req *h)
+{
+ return le32_to_cpu(h->BufferLength);
+}
+
+static inline int smb2_read_req_len(struct smb2_read_req *h)
+{
+ return le32_to_cpu(h->Length);
+}
+
+static inline int smb2_write_req_len(struct smb2_write_req *h)
+{
+ return le32_to_cpu(h->Length);
+}
+
+static inline int smb2_query_dir_req_len(struct smb2_query_directory_req *h)
+{
+ return le32_to_cpu(h->OutputBufferLength);
+}
+
+static inline int smb2_ioctl_req_len(struct smb2_ioctl_req *h)
+{
+ return le32_to_cpu(h->InputCount) +
+ le32_to_cpu(h->OutputCount);
+}
+
+static inline int smb2_ioctl_resp_len(struct smb2_ioctl_req *h)
+{
+ return le32_to_cpu(h->MaxInputResponse) +
+ le32_to_cpu(h->MaxOutputResponse);
+}
+
+static int smb2_validate_credit_charge(struct smb2_hdr *hdr)
+{
+ int req_len = 0, expect_resp_len = 0, calc_credit_num, max_len;
+ int credit_charge = le16_to_cpu(hdr->CreditCharge);
+ void *__hdr = hdr;
+
+ switch (hdr->Command) {
+ case SMB2_QUERY_INFO:
+ req_len = smb2_query_info_req_len(__hdr);
+ break;
+ case SMB2_SET_INFO:
+ req_len = smb2_set_info_req_len(__hdr);
+ break;
+ case SMB2_READ:
+ req_len = smb2_read_req_len(__hdr);
+ break;
+ case SMB2_WRITE:
+ req_len = smb2_write_req_len(__hdr);
+ break;
+ case SMB2_QUERY_DIRECTORY:
+ req_len = smb2_query_dir_req_len(__hdr);
+ break;
+ case SMB2_IOCTL:
+ req_len = smb2_ioctl_req_len(__hdr);
+ expect_resp_len = smb2_ioctl_resp_len(__hdr);
+ break;
+ default:
+ return 0;
+ }
+
+ max_len = max(req_len, expect_resp_len);
+ calc_credit_num = DIV_ROUND_UP(max_len, SMB2_MAX_BUFFER_SIZE);
+ if (!credit_charge && max_len > SMB2_MAX_BUFFER_SIZE) {
+ ksmbd_err("credit charge is zero and payload size(%d) is bigger than 64K\n",
+ max_len);
+ return 1;
+ } else if (credit_charge < calc_credit_num) {
+ ksmbd_err("credit charge : %d, calc_credit_num : %d\n",
+ credit_charge, calc_credit_num);
+ return 1;
+ }
+
+ return 0;
+}
+
+int ksmbd_smb2_check_message(struct ksmbd_work *work)
+{
+ struct smb2_pdu *pdu = REQUEST_BUF(work);
+ struct smb2_hdr *hdr = &pdu->hdr;
+ int command;
+ __u32 clc_len; /* calculated length */
+ __u32 len = get_rfc1002_len(pdu);
+
+ if (work->next_smb2_rcv_hdr_off) {
+ pdu = REQUEST_BUF_NEXT(work);
+ hdr = &pdu->hdr;
+ }
+
+ if (le32_to_cpu(hdr->NextCommand) > 0)
+ len = le32_to_cpu(hdr->NextCommand);
+ else if (work->next_smb2_rcv_hdr_off) {
+ len -= work->next_smb2_rcv_hdr_off;
+ len = round_up(len, 8);
+ }
+
+ if (check_smb2_hdr(hdr))
+ return 1;
+
+ if (hdr->StructureSize != SMB2_HEADER_STRUCTURE_SIZE) {
+ ksmbd_debug(SMB, "Illegal structure size %u\n",
+ le16_to_cpu(hdr->StructureSize));
+ return 1;
+ }
+
+ command = le16_to_cpu(hdr->Command);
+ if (command >= NUMBER_OF_SMB2_COMMANDS) {
+ ksmbd_debug(SMB, "Illegal SMB2 command %d\n", command);
+ return 1;
+ }
+
+ if (smb2_req_struct_sizes[command] != pdu->StructureSize2) {
+ if (command != SMB2_OPLOCK_BREAK_HE && (hdr->Status == 0 ||
+ pdu->StructureSize2 != SMB2_ERROR_STRUCTURE_SIZE2_LE)) {
+ /* error packets have 9 byte structure size */
+ ksmbd_debug(SMB,
+ "Illegal request size %u for command %d\n",
+ le16_to_cpu(pdu->StructureSize2), command);
+ return 1;
+ } else if (command == SMB2_OPLOCK_BREAK_HE
+ && (hdr->Status == 0)
+ && (le16_to_cpu(pdu->StructureSize2) !=
+ OP_BREAK_STRUCT_SIZE_20)
+ && (le16_to_cpu(pdu->StructureSize2) !=
+ OP_BREAK_STRUCT_SIZE_21)) {
+ /* special case for SMB2.1 lease break message */
+ ksmbd_debug(SMB,
+ "Illegal request size %d for oplock break\n",
+ le16_to_cpu(pdu->StructureSize2));
+ return 1;
+ }
+ }
+
+ clc_len = smb2_calc_size(hdr);
+ if (len != clc_len) {
+ /* server can return one byte more due to implied bcc[0] */
+ if (clc_len == len + 1)
+ return 0;
+
+ /*
+ * Some windows servers (win2016) will pad also the final
+ * PDU in a compound to 8 bytes.
+ */
+ if (ALIGN(clc_len, 8) == len)
+ return 0;
+
+ /*
+ * windows client also pad up to 8 bytes when compounding.
+ * If pad is longer than eight bytes, log the server behavior
+ * (once), since may indicate a problem but allow it and
+ * continue since the frame is parseable.
+ */
+ if (clc_len < len) {
+ ksmbd_debug(SMB,
+ "cli req padded more than expected. Length %d not %d for cmd:%d mid:%llu\n",
+ len, clc_len, command,
+ le64_to_cpu(hdr->MessageId));
+ return 0;
+ }
+
+ if (command == SMB2_LOCK_HE && len == 88)
+ return 0;
+
+ ksmbd_debug(SMB,
+ "cli req too short, len %d not %d. cmd:%d mid:%llu\n",
+ len, clc_len, command,
+ le64_to_cpu(hdr->MessageId));
+
+ return 1;
+ }
+
+ return work->conn->vals->capabilities & SMB2_GLOBAL_CAP_LARGE_MTU ?
+ smb2_validate_credit_charge(hdr) : 0;
+}
+
+int smb2_negotiate_request(struct ksmbd_work *work)
+{
+ return ksmbd_smb_negotiate_common(work, SMB2_NEGOTIATE_HE);
+}
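Review bot: smb2_get_data_area_len() handles an out-of-range data area by zeroing it (*off > 4096, *len > 128 * 1024, negative values) instead of failing, and ksmbd_smb2_check_message() then accepts the request through the "clc_len < len" branch, so a request whose offset or length field points outside the received buffer still passes this check. Neither value is compared against the RFC1002 length held in len. Return an error for these cases and reject the message unless offset + data_length fits within len; the same applies to the overlap case in smb2_calc_size(), which only logs. The "clc_len == len + 1" acceptance also lets the calculated size exceed what was received by one byte. In addition, smb2_query_info_req_len() and smb2_ioctl_req_len() add two 32-bit wire values into an int, which can wrap negative and make smb2_validate_credit_charge() compute a credit count of zero or less; use an unsigned 64-bit sum there. The comment in check_smb2_hdr() says it checks for a response, while the code rejects messages that have SMB2_FLAGS_SERVER_TO_REDIR set.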
diff --git a/fs/cifsd/smb2ops.c b/fs/cifsd/smb2ops.c
new file mode 100644
index 000000000000..a47219ea3b80
--- /dev/null
+++ b/fs/cifsd/smb2ops.c
@@ -0,0 +1,300 @@
+// SPDX-License-Identifier: GPL-2.0-or-later
+/*
+ * Copyright (C) 2016 Namjae Jeon <linkinjeon(a)kernel.org>
+ * Copyright (C) 2018 Samsung Electronics Co., Ltd.
+ */
+
+#include <linux/slab.h>
+#include "glob.h"
+#include "smb2pdu.h"
+
+#include "auth.h"
+#include "connection.h"
+#include "smb_common.h"
+#include "server.h"
+#include "ksmbd_server.h"
+
+static struct smb_version_values smb21_server_values = {
+ .version_string = SMB21_VERSION_STRING,
+ .protocol_id = SMB21_PROT_ID,
+ .capabilities = SMB2_GLOBAL_CAP_LARGE_MTU,
+ .max_read_size = SMB21_DEFAULT_IOSIZE,
+ .max_write_size = SMB21_DEFAULT_IOSIZE,
+ .max_trans_size = SMB21_DEFAULT_IOSIZE,
+ .large_lock_type = 0,
+ .exclusive_lock_type = SMB2_LOCKFLAG_EXCLUSIVE,
+ .shared_lock_type = SMB2_LOCKFLAG_SHARED,
+ .unlock_lock_type = SMB2_LOCKFLAG_UNLOCK,
+ .header_size = sizeof(struct smb2_hdr),
+ .max_header_size = MAX_SMB2_HDR_SIZE,
+ .read_rsp_size = sizeof(struct smb2_read_rsp) - 1,
+ .lock_cmd = SMB2_LOCK,
+ .cap_unix = 0,
+ .cap_nt_find = SMB2_NT_FIND,
+ .cap_large_files = SMB2_LARGE_FILES,
+ .create_lease_size = sizeof(struct create_lease),
+ .create_durable_size = sizeof(struct create_durable_rsp),
+ .create_mxac_size = sizeof(struct create_mxac_rsp),
+ .create_disk_id_size = sizeof(struct create_disk_id_rsp),
+ .create_posix_size = sizeof(struct create_posix_rsp),
+};
+
+static struct smb_version_values smb30_server_values = {
+ .version_string = SMB30_VERSION_STRING,
+ .protocol_id = SMB30_PROT_ID,
+ .capabilities = SMB2_GLOBAL_CAP_LARGE_MTU,
+ .max_read_size = SMB3_DEFAULT_IOSIZE,
+ .max_write_size = SMB3_DEFAULT_IOSIZE,
+ .max_trans_size = SMB3_DEFAULT_TRANS_SIZE,
+ .large_lock_type = 0,
+ .exclusive_lock_type = SMB2_LOCKFLAG_EXCLUSIVE,
+ .shared_lock_type = SMB2_LOCKFLAG_SHARED,
+ .unlock_lock_type = SMB2_LOCKFLAG_UNLOCK,
+ .header_size = sizeof(struct smb2_hdr),
+ .max_header_size = MAX_SMB2_HDR_SIZE,
+ .read_rsp_size = sizeof(struct smb2_read_rsp) - 1,
+ .lock_cmd = SMB2_LOCK,
+ .cap_unix = 0,
+ .cap_nt_find = SMB2_NT_FIND,
+ .cap_large_files = SMB2_LARGE_FILES,
+ .create_lease_size = sizeof(struct create_lease),
+ .create_durable_size = sizeof(struct create_durable_rsp),
+ .create_durable_v2_size = sizeof(struct create_durable_v2_rsp),
+ .create_mxac_size = sizeof(struct create_mxac_rsp),
+ .create_disk_id_size = sizeof(struct create_disk_id_rsp),
+ .create_posix_size = sizeof(struct create_posix_rsp),
+};
+
+static struct smb_version_values smb302_server_values = {
+ .version_string = SMB302_VERSION_STRING,
+ .protocol_id = SMB302_PROT_ID,
+ .capabilities = SMB2_GLOBAL_CAP_LARGE_MTU,
+ .max_read_size = SMB3_DEFAULT_IOSIZE,
+ .max_write_size = SMB3_DEFAULT_IOSIZE,
+ .max_trans_size = SMB3_DEFAULT_TRANS_SIZE,
+ .large_lock_type = 0,
+ .exclusive_lock_type = SMB2_LOCKFLAG_EXCLUSIVE,
+ .shared_lock_type = SMB2_LOCKFLAG_SHARED,
+ .unlock_lock_type = SMB2_LOCKFLAG_UNLOCK,
+ .header_size = sizeof(struct smb2_hdr),
+ .max_header_size = MAX_SMB2_HDR_SIZE,
+ .read_rsp_size = sizeof(struct smb2_read_rsp) - 1,
+ .lock_cmd = SMB2_LOCK,
+ .cap_unix = 0,
+ .cap_nt_find = SMB2_NT_FIND,
+ .cap_large_files = SMB2_LARGE_FILES,
+ .create_lease_size = sizeof(struct create_lease),
+ .create_durable_size = sizeof(struct create_durable_rsp),
+ .create_durable_v2_size = sizeof(struct create_durable_v2_rsp),
+ .create_mxac_size = sizeof(struct create_mxac_rsp),
+ .create_disk_id_size = sizeof(struct create_disk_id_rsp),
+ .create_posix_size = sizeof(struct create_posix_rsp),
+};
+
+static struct smb_version_values smb311_server_values = {
+ .version_string = SMB311_VERSION_STRING,
+ .protocol_id = SMB311_PROT_ID,
+ .capabilities = SMB2_GLOBAL_CAP_LARGE_MTU,
+ .max_read_size = SMB3_DEFAULT_IOSIZE,
+ .max_write_size = SMB3_DEFAULT_IOSIZE,
+ .max_trans_size = SMB3_DEFAULT_TRANS_SIZE,
+ .large_lock_type = 0,
+ .exclusive_lock_type = SMB2_LOCKFLAG_EXCLUSIVE,
+ .shared_lock_type = SMB2_LOCKFLAG_SHARED,
+ .unlock_lock_type = SMB2_LOCKFLAG_UNLOCK,
+ .header_size = sizeof(struct smb2_hdr),
+ .max_header_size = MAX_SMB2_HDR_SIZE,
+ .read_rsp_size = sizeof(struct smb2_read_rsp) - 1,
+ .lock_cmd = SMB2_LOCK,
+ .cap_unix = 0,
+ .cap_nt_find = SMB2_NT_FIND,
+ .cap_large_files = SMB2_LARGE_FILES,
+ .create_lease_size = sizeof(struct create_lease),
+ .create_durable_size = sizeof(struct create_durable_rsp),
+ .create_durable_v2_size = sizeof(struct create_durable_v2_rsp),
+ .create_mxac_size = sizeof(struct create_mxac_rsp),
+ .create_disk_id_size = sizeof(struct create_disk_id_rsp),
+ .create_posix_size = sizeof(struct create_posix_rsp),
+};
+
+static struct smb_version_ops smb2_0_server_ops = {
+ .get_cmd_val = get_smb2_cmd_val,
+ .init_rsp_hdr = init_smb2_rsp_hdr,
+ .set_rsp_status = set_smb2_rsp_status,
+ .allocate_rsp_buf = smb2_allocate_rsp_buf,
+ .set_rsp_credits = smb2_set_rsp_credits,
+ .check_user_session = smb2_check_user_session,
+ .get_ksmbd_tcon = smb2_get_ksmbd_tcon,
+ .is_sign_req = smb2_is_sign_req,
+ .check_sign_req = smb2_check_sign_req,
+ .set_sign_rsp = smb2_set_sign_rsp
+};
+
+static struct smb_version_ops smb3_0_server_ops = {
+ .get_cmd_val = get_smb2_cmd_val,
+ .init_rsp_hdr = init_smb2_rsp_hdr,
+ .set_rsp_status = set_smb2_rsp_status,
+ .allocate_rsp_buf = smb2_allocate_rsp_buf,
+ .set_rsp_credits = smb2_set_rsp_credits,
+ .check_user_session = smb2_check_user_session,
+ .get_ksmbd_tcon = smb2_get_ksmbd_tcon,
+ .is_sign_req = smb2_is_sign_req,
+ .check_sign_req = smb3_check_sign_req,
+ .set_sign_rsp = smb3_set_sign_rsp,
+ .generate_signingkey = ksmbd_gen_smb30_signingkey,
+ .generate_encryptionkey = ksmbd_gen_smb30_encryptionkey,
+ .is_transform_hdr = smb3_is_transform_hdr,
+ .decrypt_req = smb3_decrypt_req,
+ .encrypt_resp = smb3_encrypt_resp
+};
+
+static struct smb_version_ops smb3_11_server_ops = {
+ .get_cmd_val = get_smb2_cmd_val,
+ .init_rsp_hdr = init_smb2_rsp_hdr,
+ .set_rsp_status = set_smb2_rsp_status,
+ .allocate_rsp_buf = smb2_allocate_rsp_buf,
+ .set_rsp_credits = smb2_set_rsp_credits,
+ .check_user_session = smb2_check_user_session,
+ .get_ksmbd_tcon = smb2_get_ksmbd_tcon,
+ .is_sign_req = smb2_is_sign_req,
+ .check_sign_req = smb3_check_sign_req,
+ .set_sign_rsp = smb3_set_sign_rsp,
+ .generate_signingkey = ksmbd_gen_smb311_signingkey,
+ .generate_encryptionkey = ksmbd_gen_smb311_encryptionkey,
+ .is_transform_hdr = smb3_is_transform_hdr,
+ .decrypt_req = smb3_decrypt_req,
+ .encrypt_resp = smb3_encrypt_resp
+};
+
+static struct smb_version_cmds smb2_0_server_cmds[NUMBER_OF_SMB2_COMMANDS] = {
+ [SMB2_NEGOTIATE_HE] = { .proc = smb2_negotiate_request, },
+ [SMB2_SESSION_SETUP_HE] = { .proc = smb2_sess_setup, },
+ [SMB2_TREE_CONNECT_HE] = { .proc = smb2_tree_connect,},
+ [SMB2_TREE_DISCONNECT_HE] = { .proc = smb2_tree_disconnect,},
+ [SMB2_LOGOFF_HE] = { .proc = smb2_session_logoff,},
+ [SMB2_CREATE_HE] = { .proc = smb2_open},
+ [SMB2_QUERY_INFO_HE] = { .proc = smb2_query_info},
+ [SMB2_QUERY_DIRECTORY_HE] = { .proc = smb2_query_dir},
+ [SMB2_CLOSE_HE] = { .proc = smb2_close},
+ [SMB2_ECHO_HE] = { .proc = smb2_echo},
+ [SMB2_SET_INFO_HE] = { .proc = smb2_set_info},
+ [SMB2_READ_HE] = { .proc = smb2_read},
+ [SMB2_WRITE_HE] = { .proc = smb2_write},
+ [SMB2_FLUSH_HE] = { .proc = smb2_flush},
+ [SMB2_CANCEL_HE] = { .proc = smb2_cancel},
+ [SMB2_LOCK_HE] = { .proc = smb2_lock},
+ [SMB2_IOCTL_HE] = { .proc = smb2_ioctl},
+ [SMB2_OPLOCK_BREAK_HE] = { .proc = smb2_oplock_break},
+ [SMB2_CHANGE_NOTIFY_HE] = { .proc = smb2_notify},
+};
+
+int init_smb2_0_server(struct ksmbd_conn *conn)
+{
+ return -EOPNOTSUPP;
+}
+
+/**
+ * init_smb2_1_server() - initialize a smb server connection with smb2.1
+ * command dispatcher
+ * @conn: connection instance
+ */
+void init_smb2_1_server(struct ksmbd_conn *conn)
+{
+ conn->vals = &smb21_server_values;
+ conn->ops = &smb2_0_server_ops;
+ conn->cmds = smb2_0_server_cmds;
+ conn->max_cmds = ARRAY_SIZE(smb2_0_server_cmds);
+ conn->max_credits = SMB2_MAX_CREDITS;
+
+ if (server_conf.flags & KSMBD_GLOBAL_FLAG_SMB2_LEASES)
+ conn->vals->capabilities |= SMB2_GLOBAL_CAP_LEASING;
+}
+
+/**
+ * init_smb3_0_server() - initialize a smb server connection with smb3.0
+ * command dispatcher
+ * @conn: connection instance
+ */
+void init_smb3_0_server(struct ksmbd_conn *conn)
+{
+ conn->vals = &smb30_server_values;
+ conn->ops = &smb3_0_server_ops;
+ conn->cmds = smb2_0_server_cmds;
+ conn->max_cmds = ARRAY_SIZE(smb2_0_server_cmds);
+ conn->max_credits = SMB2_MAX_CREDITS;
+
+ if (server_conf.flags & KSMBD_GLOBAL_FLAG_SMB2_LEASES)
+ conn->vals->capabilities |= SMB2_GLOBAL_CAP_LEASING;
+
+ if (server_conf.flags & KSMBD_GLOBAL_FLAG_SMB2_ENCRYPTION &&
+ conn->cli_cap & SMB2_GLOBAL_CAP_ENCRYPTION)
+ conn->vals->capabilities |= SMB2_GLOBAL_CAP_ENCRYPTION;
+}
+
+/**
+ * init_smb3_02_server() - initialize a smb server connection with smb3.02
+ * command dispatcher
+ * @conn: connection instance
+ */
+void init_smb3_02_server(struct ksmbd_conn *conn)
+{
+ conn->vals = &smb302_server_values;
+ conn->ops = &smb3_0_server_ops;
+ conn->cmds = smb2_0_server_cmds;
+ conn->max_cmds = ARRAY_SIZE(smb2_0_server_cmds);
+ conn->max_credits = SMB2_MAX_CREDITS;
+
+ if (server_conf.flags & KSMBD_GLOBAL_FLAG_SMB2_LEASES)
+ conn->vals->capabilities |= SMB2_GLOBAL_CAP_LEASING;
+
+ if (server_conf.flags & KSMBD_GLOBAL_FLAG_SMB2_ENCRYPTION &&
+ conn->cli_cap & SMB2_GLOBAL_CAP_ENCRYPTION)
+ conn->vals->capabilities |= SMB2_GLOBAL_CAP_ENCRYPTION;
+}
+
+/**
+ * init_smb3_11_server() - initialize a smb server connection with smb3.11
+ * command dispatcher
+ * @conn: connection instance
+ */
+int init_smb3_11_server(struct ksmbd_conn *conn)
+{
+ conn->vals = &smb311_server_values;
+ conn->ops = &smb3_11_server_ops;
+ conn->cmds = smb2_0_server_cmds;
+ conn->max_cmds = ARRAY_SIZE(smb2_0_server_cmds);
+ conn->max_credits = SMB2_MAX_CREDITS;
+
+ if (server_conf.flags & KSMBD_GLOBAL_FLAG_SMB2_LEASES)
+ conn->vals->capabilities |= SMB2_GLOBAL_CAP_LEASING;
+
+ if (conn->cipher_type)
+ conn->vals->capabilities |= SMB2_GLOBAL_CAP_ENCRYPTION;
+
+ INIT_LIST_HEAD(&conn->preauth_sess_table);
+ return 0;
+}
+
+void init_smb2_max_read_size(unsigned int sz)
+{
+ smb21_server_values.max_read_size = sz;
+ smb30_server_values.max_read_size = sz;
+ smb302_server_values.max_read_size = sz;
+ smb311_server_values.max_read_size = sz;
+}
+
+void init_smb2_max_write_size(unsigned int sz)
+{
+ smb21_server_values.max_write_size = sz;
+ smb30_server_values.max_write_size = sz;
+ smb302_server_values.max_write_size = sz;
+ smb311_server_values.max_write_size = sz;
+}
+
+void init_smb2_max_trans_size(unsigned int sz)
+{
+ smb21_server_values.max_trans_size = sz;
+ smb30_server_values.max_trans_size = sz;
+ smb302_server_values.max_trans_size = sz;
+ smb311_server_values.max_trans_size = sz;
+}
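Review bot: init_smb3_0_server() and init_smb3_02_server() write per-connection state into a shared table. conn->vals points at smb30_server_values / smb302_server_values, the same objects init_smb2_max_read_size() updates by name, so `conn->vals->capabilities |= SMB2_GLOBAL_CAP_ENCRYPTION`, which depends on this client's conn->cli_cap, stays set for every later connection and is never cleared; init_smb3_11_server() does the same based on conn->cipher_type. Nothing in these functions serializes the update either, so concurrent negotiates modify the same field. Suggest keeping the negotiated capabilities in struct ksmbd_conn (or giving each connection its own copy of the values struct) and treating the static tables as read-only once the module is configured. Minor: parenthesize the two bitwise tests in the `&&` condition, and init_smb3_11_server() returns int although it can only return 0 while its siblings are void.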
diff --git a/fs/cifsd/smb2pdu.c b/fs/cifsd/smb2pdu.c
new file mode 100644
index 000000000000..b20cc07ee809
--- /dev/null
+++ b/fs/cifsd/smb2pdu.c
@@ -0,0 +1,8486 @@
+// SPDX-License-Identifier: GPL-2.0-or-later
+/*
+ * Copyright (C) 2016 Namjae Jeon <linkinjeon(a)kernel.org>
+ * Copyright (C) 2018 Samsung Electronics Co., Ltd.
+ */
+
+#include <linux/inetdevice.h>
+#include <net/addrconf.h>
+#include <linux/syscalls.h>
+#include <linux/namei.h>
+#include <linux/statfs.h>
+#include <linux/ethtool.h>
+
+#include "glob.h"
+#include "smb2pdu.h"
+#include "smbfsctl.h"
+#include "oplock.h"
+#include "smbacl.h"
+
+#include "auth.h"
+#include "asn1.h"
+#include "buffer_pool.h"
+#include "connection.h"
+#include "transport_ipc.h"
+#include "vfs.h"
+#include "vfs_cache.h"
+#include "misc.h"
+
+#include "time_wrappers.h"
+#include "server.h"
+#include "smb_common.h"
+#include "smbstatus.h"
+#include "ksmbd_work.h"
+#include "mgmt/user_config.h"
+#include "mgmt/share_config.h"
+#include "mgmt/tree_connect.h"
+#include "mgmt/user_session.h"
+#include "mgmt/ksmbd_ida.h"
+#include "ndr.h"
+
+static void __wbuf(struct ksmbd_work *work, void **req, void **rsp)
+{
+ if (work->next_smb2_rcv_hdr_off) {
+ *req = REQUEST_BUF_NEXT(work);
+ *rsp = RESPONSE_BUF_NEXT(work);
+ } else {
+ *req = REQUEST_BUF(work);
+ *rsp = RESPONSE_BUF(work);
+ }
+}
+
+#define WORK_BUFFERS(w, rq, rs) __wbuf((w), (void **)&(rq), (void **)&(rs))
+
+/**
+ * check_session_id() - check for valid session id in smb header
+ * @conn: connection instance
+ * @id: session id from smb header
+ *
+ * Return: 1 if valid session id, otherwise 0
+ */
+static inline int check_session_id(struct ksmbd_conn *conn, uint64_t id)
+{
+ struct ksmbd_session *sess;
+
+ if (id == 0 || id == -1)
+ return 0;
+
+ sess = ksmbd_session_lookup(conn, id);
+ if (sess)
+ return 1;
+ ksmbd_err("Invalid user session id: %llu\n", id);
+ return 0;
+}
+
+struct channel *lookup_chann_list(struct ksmbd_session *sess)
+{
+ struct channel *chann;
+ struct list_head *t;
+
+ list_for_each(t, &sess->ksmbd_chann_list) {
+ chann = list_entry(t, struct channel, chann_list);
+ if (chann && chann->conn == sess->conn)
+ return chann;
+ }
+
+ return NULL;
+}
+
+/**
+ * smb2_get_ksmbd_tcon() - get tree connection information for a tree id
+ * @sess: session containing tree list
+ * @tid: match tree connection with tree id
+ *
+ * Return: matching tree connection on success, otherwise error
+ */
+int smb2_get_ksmbd_tcon(struct ksmbd_work *work)
+{
+ struct smb2_hdr *req_hdr = REQUEST_BUF(work);
+ int tree_id;
+
+ work->tcon = NULL;
+ if ((work->conn->ops->get_cmd_val(work) == SMB2_TREE_CONNECT_HE) ||
+ (work->conn->ops->get_cmd_val(work) == SMB2_CANCEL_HE) ||
+ (work->conn->ops->get_cmd_val(work) == SMB2_LOGOFF_HE)) {
+ ksmbd_debug(SMB, "skip to check tree connect request\n");
+ return 0;
+ }
+
+ if (list_empty(&work->sess->tree_conn_list)) {
+ ksmbd_debug(SMB, "NO tree connected\n");
+ return -1;
+ }
+
+ tree_id = le32_to_cpu(req_hdr->Id.SyncId.TreeId);
+ work->tcon = ksmbd_tree_conn_lookup(work->sess, tree_id);
+ if (!work->tcon) {
+ ksmbd_err("Invalid tid %d\n", tree_id);
+ return -1;
+ }
+
+ return 1;
+}
+
+/**
+ * smb2_set_err_rsp() - set error response code on smb response
+ * @work: smb work containing response buffer
+ */
+void smb2_set_err_rsp(struct ksmbd_work *work)
+{
+ struct smb2_err_rsp *err_rsp;
+
+ if (work->next_smb2_rcv_hdr_off)
+ err_rsp = RESPONSE_BUF_NEXT(work);
+ else
+ err_rsp = RESPONSE_BUF(work);
+
+ if (err_rsp->hdr.Status != STATUS_STOPPED_ON_SYMLINK) {
+ err_rsp->StructureSize = SMB2_ERROR_STRUCTURE_SIZE2_LE;
+ err_rsp->ErrorContextCount = 0;
+ err_rsp->Reserved = 0;
+ err_rsp->ByteCount = 0;
+ err_rsp->ErrorData[0] = 0;
+ inc_rfc1001_len(RESPONSE_BUF(work), SMB2_ERROR_STRUCTURE_SIZE2);
+ }
+}
+
+/**
+ * is_smb2_neg_cmd() - is it smb2 negotiation command
+ * @work: smb work containing smb header
+ *
+ * Return: 1 if smb2 negotiation command, otherwise 0
+ */
+int is_smb2_neg_cmd(struct ksmbd_work *work)
+{
+ struct smb2_hdr *hdr = REQUEST_BUF(work);
+
+ /* is it SMB2 header ? */
+ if (hdr->ProtocolId != SMB2_PROTO_NUMBER)
+ return 0;
+
+ /* make sure it is request not response message */
+ if (hdr->Flags & SMB2_FLAGS_SERVER_TO_REDIR)
+ return 0;
+
+ if (hdr->Command != SMB2_NEGOTIATE)
+ return 0;
+
+ return 1;
+}
+
+/**
+ * is_smb2_rsp() - is it smb2 response
+ * @work: smb work containing smb response buffer
+ *
+ * Return: 1 if smb2 response, otherwise 0
+ */
+int is_smb2_rsp(struct ksmbd_work *work)
+{
+ struct smb2_hdr *hdr = RESPONSE_BUF(work);
+
+ /* is it SMB2 header ? */
+ if (hdr->ProtocolId != SMB2_PROTO_NUMBER)
+ return 0;
+
+ /* make sure it is response not request message */
+ if (!(hdr->Flags & SMB2_FLAGS_SERVER_TO_REDIR))
+ return 0;
+
+ return 1;
+}
+
+/**
+ * get_smb2_cmd_val() - get smb command code from smb header
+ * @work: smb work containing smb request buffer
+ *
+ * Return: smb2 request command value
+ */
+uint16_t get_smb2_cmd_val(struct ksmbd_work *work)
+{
+ struct smb2_hdr *rcv_hdr;
+
+ if (work->next_smb2_rcv_hdr_off)
+ rcv_hdr = REQUEST_BUF_NEXT(work);
+ else
+ rcv_hdr = REQUEST_BUF(work);
+ return le16_to_cpu(rcv_hdr->Command);
+}
+
+/**
+ * set_smb2_rsp_status() - set error response code on smb2 header
+ * @work: smb work containing response buffer
+ */
+void set_smb2_rsp_status(struct ksmbd_work *work, __le32 err)
+{
+ struct smb2_hdr *rsp_hdr;
+
+ if (work->next_smb2_rcv_hdr_off)
+ rsp_hdr = RESPONSE_BUF_NEXT(work);
+ else
+ rsp_hdr = RESPONSE_BUF(work);
+ rsp_hdr->Status = err;
+ smb2_set_err_rsp(work);
+}
+
+/**
+ * init_smb2_neg_rsp() - initialize smb2 response for negotiate command
+ * @work: smb work containing smb request buffer
+ *
+ * smb2 negotiate response is sent in reply of smb1 negotiate command for
+ * dialect auto-negotiation.
+ */
+int init_smb2_neg_rsp(struct ksmbd_work *work)
+{
+ struct smb2_hdr *rsp_hdr;
+ struct smb2_negotiate_rsp *rsp;
+ struct ksmbd_conn *conn = work->conn;
+
+ if (conn->need_neg == false)
+ return -EINVAL;
+ if (!(conn->dialect >= SMB20_PROT_ID &&
+ conn->dialect <= SMB311_PROT_ID))
+ return -EINVAL;
+
+ rsp_hdr = RESPONSE_BUF(work);
+
+ memset(rsp_hdr, 0, sizeof(struct smb2_hdr) + 2);
+
+ rsp_hdr->smb2_buf_length =
+ cpu_to_be32(HEADER_SIZE_NO_BUF_LEN(conn));
+
+ rsp_hdr->ProtocolId = SMB2_PROTO_NUMBER;
+ rsp_hdr->StructureSize = SMB2_HEADER_STRUCTURE_SIZE;
+ rsp_hdr->CreditRequest = cpu_to_le16(2);
+ rsp_hdr->Command = SMB2_NEGOTIATE;
+ rsp_hdr->Flags = (SMB2_FLAGS_SERVER_TO_REDIR);
+ rsp_hdr->NextCommand = 0;
+ rsp_hdr->MessageId = 0;
+ rsp_hdr->Id.SyncId.ProcessId = 0;
+ rsp_hdr->Id.SyncId.TreeId = 0;
+ rsp_hdr->SessionId = 0;
+ memset(rsp_hdr->Signature, 0, 16);
+
+ rsp = RESPONSE_BUF(work);
+
+ WARN_ON(ksmbd_conn_good(work));
+
+ rsp->StructureSize = cpu_to_le16(65);
+ ksmbd_debug(SMB, "conn->dialect 0x%x\n", conn->dialect);
+ rsp->DialectRevision = cpu_to_le16(conn->dialect);
+ /* Not setting conn guid rsp->ServerGUID, as it
+ * not used by client for identifying connection
+ */
+ rsp->Capabilities = cpu_to_le32(conn->vals->capabilities);
+ /* Default Max Message Size till SMB2.0, 64K*/
+ rsp->MaxTransactSize = cpu_to_le32(conn->vals->max_trans_size);
+ rsp->MaxReadSize = cpu_to_le32(conn->vals->max_read_size);
+ rsp->MaxWriteSize = cpu_to_le32(conn->vals->max_write_size);
+
+ rsp->SystemTime = cpu_to_le64(ksmbd_systime());
+ rsp->ServerStartTime = 0;
+
+ rsp->SecurityBufferOffset = cpu_to_le16(128);
+ rsp->SecurityBufferLength = cpu_to_le16(AUTH_GSS_LENGTH);
+ ksmbd_copy_gss_neg_header(((char *)(&rsp->hdr) +
+ sizeof(rsp->hdr.smb2_buf_length)) +
+ le16_to_cpu(rsp->SecurityBufferOffset));
+ inc_rfc1001_len(rsp, sizeof(struct smb2_negotiate_rsp) -
+ sizeof(struct smb2_hdr) - sizeof(rsp->Buffer) +
+ AUTH_GSS_LENGTH);
+ rsp->SecurityMode = SMB2_NEGOTIATE_SIGNING_ENABLED_LE;
+ if (server_conf.signing == KSMBD_CONFIG_OPT_MANDATORY)
+ rsp->SecurityMode |= SMB2_NEGOTIATE_SIGNING_REQUIRED_LE;
+ conn->use_spnego = true;
+
+ ksmbd_conn_set_need_negotiate(work);
+ return 0;
+}
+
+static int smb2_consume_credit_charge(struct ksmbd_work *work,
+ unsigned short credit_charge)
+{
+ struct ksmbd_conn *conn = work->conn;
+ unsigned int rsp_credits = 1;
+
+ if (!conn->total_credits)
+ return 0;
+
+ if (credit_charge > 0)
+ rsp_credits = credit_charge;
+
+ conn->total_credits -= rsp_credits;
+ return rsp_credits;
+}
+
+/**
+ * smb2_set_rsp_credits() - set number of credits in response buffer
+ * @work: smb work containing smb response buffer
+ */
+int smb2_set_rsp_credits(struct ksmbd_work *work)
+{
+ struct smb2_hdr *req_hdr = REQUEST_BUF_NEXT(work);
+ struct smb2_hdr *hdr = RESPONSE_BUF_NEXT(work);
+ struct ksmbd_conn *conn = work->conn;
+ unsigned short credits_requested = le16_to_cpu(req_hdr->CreditRequest);
+ unsigned short credit_charge = 1, credits_granted = 0;
+ unsigned short aux_max, aux_credits, min_credits;
+ int rsp_credit_charge;
+
+ if (hdr->Command == SMB2_CANCEL)
+ goto out;
+
+ /* get default minimum credits by shifting maximum credits by 4 */
+ min_credits = conn->max_credits >> 4;
+
+ if (conn->total_credits >= conn->max_credits) {
+ ksmbd_err("Total credits overflow: %d\n", conn->total_credits);
+ conn->total_credits = min_credits;
+ }
+
+ rsp_credit_charge = smb2_consume_credit_charge(work,
+ le16_to_cpu(req_hdr->CreditCharge));
+ if (rsp_credit_charge < 0)
+ return -EINVAL;
+
+ hdr->CreditCharge = cpu_to_le16(rsp_credit_charge);
+
+ if (credits_requested > 0) {
+ aux_credits = credits_requested - 1;
+ aux_max = 32;
+ if (hdr->Command == SMB2_NEGOTIATE)
+ aux_max = 0;
+ aux_credits = (aux_credits < aux_max) ? aux_credits : aux_max;
+ credits_granted = aux_credits + credit_charge;
+
+ /* if credits granted per client is getting bigger than default
+ * minimum credits then we should wrap it up within the limits.
+ */
+ if ((conn->total_credits + credits_granted) > min_credits)
+ credits_granted = min_credits - conn->total_credits;
+ /*
+ * TODO: Need to adjuct CreditRequest value according to
+ * current cpu load
+ */
+ } else if (conn->total_credits == 0) {
+ credits_granted = 1;
+ }
+
+ conn->total_credits += credits_granted;
+ work->credits_granted += credits_granted;
+
+ if (!req_hdr->NextCommand) {
+ /* Update CreditRequest in last request */
+ hdr->CreditRequest = cpu_to_le16(work->credits_granted);
+ }
+out:
+ ksmbd_debug(SMB,
+ "credits: requested[%d] granted[%d] total_granted[%d]\n",
+ credits_requested, credits_granted,
+ conn->total_credits);
+ return 0;
+}
+
+/**
+ * init_chained_smb2_rsp() - initialize smb2 chained response
+ * @work: smb work containing smb response buffer
+ */
+static void init_chained_smb2_rsp(struct ksmbd_work *work)
+{
+ struct smb2_hdr *req = REQUEST_BUF_NEXT(work);
+ struct smb2_hdr *rsp = RESPONSE_BUF_NEXT(work);
+ struct smb2_hdr *rsp_hdr;
+ struct smb2_hdr *rcv_hdr;
+ int next_hdr_offset = 0;
+ int len, new_len;
+
+ /* Len of this response = updated RFC len - offset of previous cmd
+ * in the compound rsp
+ */
+
+ /* Storing the current local FID which may be needed by subsequent
+ * command in the compound request
+ */
+ if (req->Command == SMB2_CREATE && rsp->Status == STATUS_SUCCESS) {
+ work->compound_fid =
+ le64_to_cpu(((struct smb2_create_rsp *)rsp)->
+ VolatileFileId);
+ work->compound_pfid =
+ le64_to_cpu(((struct smb2_create_rsp *)rsp)->
+ PersistentFileId);
+ work->compound_sid = le64_to_cpu(rsp->SessionId);
+ }
+
+ len = get_rfc1002_len(RESPONSE_BUF(work)) - work->next_smb2_rsp_hdr_off;
+ next_hdr_offset = le32_to_cpu(req->NextCommand);
+
+ new_len = ALIGN(len, 8);
+ inc_rfc1001_len(RESPONSE_BUF(work), ((sizeof(struct smb2_hdr) - 4)
+ + new_len - len));
+ rsp->NextCommand = cpu_to_le32(new_len);
+
+ work->next_smb2_rcv_hdr_off += next_hdr_offset;
+ work->next_smb2_rsp_hdr_off += new_len;
+ ksmbd_debug(SMB,
+ "Compound req new_len = %d rcv off = %d rsp off = %d\n",
+ new_len, work->next_smb2_rcv_hdr_off,
+ work->next_smb2_rsp_hdr_off);
+
+ rsp_hdr = RESPONSE_BUF_NEXT(work);
+ rcv_hdr = REQUEST_BUF_NEXT(work);
+
+ if (!(rcv_hdr->Flags & SMB2_FLAGS_RELATED_OPERATIONS)) {
+ ksmbd_debug(SMB, "related flag should be set\n");
+ work->compound_fid = KSMBD_NO_FID;
+ work->compound_pfid = KSMBD_NO_FID;
+ }
+ memset((char *)rsp_hdr + 4, 0, sizeof(struct smb2_hdr) + 2);
+ rsp_hdr->ProtocolId = rcv_hdr->ProtocolId;
+ rsp_hdr->StructureSize = SMB2_HEADER_STRUCTURE_SIZE;
+ rsp_hdr->Command = rcv_hdr->Command;
+
+ /*
+ * Message is response. We don't grant oplock yet.
+ */
+ rsp_hdr->Flags = (SMB2_FLAGS_SERVER_TO_REDIR |
+ SMB2_FLAGS_RELATED_OPERATIONS);
+ rsp_hdr->NextCommand = 0;
+ rsp_hdr->MessageId = rcv_hdr->MessageId;
+ rsp_hdr->Id.SyncId.ProcessId = rcv_hdr->Id.SyncId.ProcessId;
+ rsp_hdr->Id.SyncId.TreeId = rcv_hdr->Id.SyncId.TreeId;
+ rsp_hdr->SessionId = rcv_hdr->SessionId;
+ memcpy(rsp_hdr->Signature, rcv_hdr->Signature, 16);
+}
+
+/**
+ * is_chained_smb2_message() - check for chained command
+ * @work: smb work containing smb request buffer
+ *
+ * Return: true if chained request, otherwise false
+ */
+bool is_chained_smb2_message(struct ksmbd_work *work)
+{
+ struct smb2_hdr *hdr = REQUEST_BUF(work);
+ unsigned int len;
+
+ if (hdr->ProtocolId != SMB2_PROTO_NUMBER)
+ return false;
+
+ hdr = REQUEST_BUF_NEXT(work);
+ if (le32_to_cpu(hdr->NextCommand) > 0) {
+ ksmbd_debug(SMB, "got SMB2 chained command\n");
+ init_chained_smb2_rsp(work);
+ return true;
+ } else if (work->next_smb2_rcv_hdr_off) {
+ /*
+ * This is last request in chained command,
+ * align response to 8 byte
+ */
+ len = ALIGN(get_rfc1002_len(RESPONSE_BUF(work)), 8);
+ len = len - get_rfc1002_len(RESPONSE_BUF(work));
+ if (len) {
+ ksmbd_debug(SMB, "padding len %u\n", len);
+ inc_rfc1001_len(RESPONSE_BUF(work), len);
+ if (HAS_AUX_PAYLOAD(work))
+ work->aux_payload_sz += len;
+ }
+ }
+ return false;
+}
+
+/**
+ * init_smb2_rsp_hdr() - initialize smb2 response
+ * @work: smb work containing smb request buffer
+ *
+ * Return: 0
+ */
+int init_smb2_rsp_hdr(struct ksmbd_work *work)
+{
+ struct smb2_hdr *rsp_hdr = RESPONSE_BUF(work);
+ struct smb2_hdr *rcv_hdr = REQUEST_BUF(work);
+ struct ksmbd_conn *conn = work->conn;
+
+ memset(rsp_hdr, 0, sizeof(struct smb2_hdr) + 2);
+ rsp_hdr->smb2_buf_length = cpu_to_be32(HEADER_SIZE_NO_BUF_LEN(conn));
+ rsp_hdr->ProtocolId = rcv_hdr->ProtocolId;
+ rsp_hdr->StructureSize = SMB2_HEADER_STRUCTURE_SIZE;
+ rsp_hdr->Command = rcv_hdr->Command;
+
+ /*
+ * Message is response. We don't grant oplock yet.
+ */
+ rsp_hdr->Flags = (SMB2_FLAGS_SERVER_TO_REDIR);
+ rsp_hdr->NextCommand = 0;
+ rsp_hdr->MessageId = rcv_hdr->MessageId;
+ rsp_hdr->Id.SyncId.ProcessId = rcv_hdr->Id.SyncId.ProcessId;
+ rsp_hdr->Id.SyncId.TreeId = rcv_hdr->Id.SyncId.TreeId;
+ rsp_hdr->SessionId = rcv_hdr->SessionId;
+ memcpy(rsp_hdr->Signature, rcv_hdr->Signature, 16);
+
+ work->syncronous = true;
+ if (work->async_id) {
+ ksmbd_release_id(conn->async_ida, work->async_id);
+ work->async_id = 0;
+ }
+
+ return 0;
+}
+
+/**
+ * smb2_allocate_rsp_buf() - allocate smb2 response buffer
+ * @work: smb work containing smb request buffer
+ *
+ * Return: 0 on success, otherwise -ENOMEM
+ */
+int smb2_allocate_rsp_buf(struct ksmbd_work *work)
+{
+ struct smb2_hdr *hdr = REQUEST_BUF(work);
+ size_t small_sz = MAX_CIFS_SMALL_BUFFER_SIZE;
+ size_t large_sz = work->conn->vals->max_trans_size + MAX_SMB2_HDR_SIZE;
+ size_t sz = small_sz;
+ int cmd = le16_to_cpu(hdr->Command);
+
+ if (cmd == SMB2_IOCTL_HE || cmd == SMB2_QUERY_DIRECTORY_HE) {
+ sz = large_sz;
+ work->set_trans_buf = true;
+ }
+
+ if (cmd == SMB2_QUERY_INFO_HE) {
+ struct smb2_query_info_req *req;
+
+ req = REQUEST_BUF(work);
+ if (req->InfoType == SMB2_O_INFO_FILE &&
+ (req->FileInfoClass == FILE_FULL_EA_INFORMATION ||
+ req->FileInfoClass == FILE_ALL_INFORMATION)) {
+ sz = large_sz;
+ work->set_trans_buf = true;
+ }
+ }
+
+ /* allocate large response buf for chained commands */
+ if (le32_to_cpu(hdr->NextCommand) > 0)
+ sz = large_sz;
+
+ if (server_conf.flags & KSMBD_GLOBAL_FLAG_CACHE_TBUF &&
+ work->set_trans_buf)
+ work->response_buf = ksmbd_find_buffer(sz);
+ else
+ work->response_buf = ksmbd_alloc_response(sz);
+
+ if (!RESPONSE_BUF(work)) {
+ ksmbd_err("Failed to allocate %zu bytes buffer\n", sz);
+ return -ENOMEM;
+ }
+
+ work->response_sz = sz;
+ return 0;
+}
+
+/**
+ * smb2_check_user_session() - check for valid session for a user
+ * @work: smb work containing smb request buffer
+ *
+ * Return: 0 on success, otherwise error
+ */
+int smb2_check_user_session(struct ksmbd_work *work)
+{
+ struct smb2_hdr *req_hdr = REQUEST_BUF(work);
+ struct ksmbd_conn *conn = work->conn;
+ unsigned int cmd = conn->ops->get_cmd_val(work);
+ unsigned long long sess_id;
+
+ work->sess = NULL;
+ /*
+ * SMB2_ECHO, SMB2_NEGOTIATE, SMB2_SESSION_SETUP command do not
+ * require a session id, so no need to validate user session's for
+ * these commands.
+ */
+ if (cmd == SMB2_ECHO_HE || cmd == SMB2_NEGOTIATE_HE ||
+ cmd == SMB2_SESSION_SETUP_HE)
+ return 0;
+
+ if (!ksmbd_conn_good(work))
+ return -EINVAL;
+
+ sess_id = le64_to_cpu(req_hdr->SessionId);
+ /* Check for validity of user session */
+ work->sess = ksmbd_session_lookup(conn, sess_id);
+ if (work->sess)
+ return 1;
+ ksmbd_debug(SMB, "Invalid user session, Uid %llu\n", sess_id);
+ return -EINVAL;
+}
+
+static void destroy_previous_session(struct ksmbd_user *user, uint64_t id)
+{
+ struct ksmbd_session *prev_sess = ksmbd_session_lookup_slowpath(id);
+ struct ksmbd_user *prev_user;
+
+ if (!prev_sess)
+ return;
+
+ prev_user = prev_sess->user;
+
+ if (strcmp(user->name, prev_user->name) ||
+ user->passkey_sz != prev_user->passkey_sz ||
+ memcmp(user->passkey, prev_user->passkey, user->passkey_sz)) {
+ put_session(prev_sess);
+ return;
+ }
+
+ put_session(prev_sess);
+ ksmbd_session_destroy(prev_sess);
+}
+
+/**
+ * smb2_get_name() - get filename string from on the wire smb format
+ * @src: source buffer
+ * @maxlen: maxlen of source string
+ * @work: smb work containing smb request buffer
+ *
+ * Return: matching converted filename on success, otherwise error ptr
+ */
+static char *
+smb2_get_name(struct ksmbd_share_config *share,
+ const char *src,
+ const int maxlen,
+ struct nls_table *local_nls)
+{
+ char *name, *unixname;
+
+ name = smb_strndup_from_utf16(src, maxlen, 1,
+ local_nls);
+ if (IS_ERR(name)) {
+ ksmbd_err("failed to get name %ld\n", PTR_ERR(name));
+ return name;
+ }
+
+ /* change it to absolute unix name */
+ ksmbd_conv_path_to_unix(name);
+ ksmbd_strip_last_slash(name);
+
+ unixname = convert_to_unix_name(share, name);
+ kfree(name);
+ if (!unixname) {
+ ksmbd_err("can not convert absolute name\n");
+ return ERR_PTR(-ENOMEM);
+ }
+
+ ksmbd_debug(SMB, "absolute name = %s\n", unixname);
+ return unixname;
+}
+
+/**
+ * smb2_put_name() - free memory allocated for filename
+ * @name: filename pointer to be freed
+ */
+static void smb2_put_name(void *name)
+{
+ if (!IS_ERR(name))
+ kfree(name);
+}
+
+int setup_async_work(struct ksmbd_work *work, void (*fn)(void **), void **arg)
+{
+ struct smb2_hdr *rsp_hdr;
+ struct ksmbd_conn *conn = work->conn;
+ int id;
+
+ rsp_hdr = RESPONSE_BUF(work);
+ rsp_hdr->Flags |= SMB2_FLAGS_ASYNC_COMMAND;
+
+ id = ksmbd_acquire_async_msg_id(conn->async_ida);
+ if (id < 0) {
+ ksmbd_err("Failed to alloc async message id\n");
+ return id;
+ }
+ work->syncronous = false;
+ work->async_id = id;
+ rsp_hdr->Id.AsyncId = cpu_to_le64(id);
+
+ ksmbd_debug(SMB,
+ "Send interim Response to inform async request id : %d\n",
+ work->async_id);
+
+ work->cancel_fn = fn;
+ work->cancel_argv = arg;
+
+ spin_lock(&conn->request_lock);
+ list_add_tail(&work->async_request_entry, &conn->async_requests);
+ spin_unlock(&conn->request_lock);
+
+ return 0;
+}
+
+void smb2_send_interim_resp(struct ksmbd_work *work, __le32 status)
+{
+ struct smb2_hdr *rsp_hdr;
+
+ rsp_hdr = RESPONSE_BUF(work);
+ smb2_set_err_rsp(work);
+ rsp_hdr->Status = status;
+
+ work->multiRsp = 1;
+ ksmbd_conn_write(work);
+ rsp_hdr->Status = 0;
+ work->multiRsp = 0;
+}
+
+static __le32 smb2_get_reparse_tag_special_file(umode_t mode)
+{
+ if (S_ISDIR(mode) || S_ISREG(mode))
+ return 0;
+
+ if (S_ISLNK(mode))
+ return IO_REPARSE_TAG_LX_SYMLINK_LE;
+ else if (S_ISFIFO(mode))
+ return IO_REPARSE_TAG_LX_FIFO_LE;
+ else if (S_ISSOCK(mode))
+ return IO_REPARSE_TAG_AF_UNIX_LE;
+ else if (S_ISCHR(mode))
+ return IO_REPARSE_TAG_LX_CHR_LE;
+ else if (S_ISBLK(mode))
+ return IO_REPARSE_TAG_LX_BLK_LE;
+
+ return 0;
+}
+
+/**
+ * smb2_get_dos_mode() - get file mode in dos format from unix mode
+ * @stat: kstat containing file mode
+ *
+ * Return: converted dos mode
+ */
+static int smb2_get_dos_mode(struct kstat *stat, int attribute)
+{
+ int attr = 0;
+
+ if (S_ISDIR(stat->mode))
+ attr = ATTR_DIRECTORY |
+ (attribute & (ATTR_HIDDEN | ATTR_SYSTEM));
+ else {
+ attr = (attribute & 0x00005137) | ATTR_ARCHIVE;
+ attr &= ~(ATTR_DIRECTORY);
+ if (S_ISREG(stat->mode) && (server_conf.share_fake_fscaps &
+ FILE_SUPPORTS_SPARSE_FILES))
+ attr |= ATTR_SPARSE;
+
+ if (smb2_get_reparse_tag_special_file(stat->mode))
+ attr |= ATTR_REPARSE;
+ }
+
+ return attr;
+}
+
+static void build_preauth_ctxt(struct smb2_preauth_neg_context *pneg_ctxt,
+ __le16 hash_id)
+{
+ pneg_ctxt->ContextType = SMB2_PREAUTH_INTEGRITY_CAPABILITIES;
+ pneg_ctxt->DataLength = cpu_to_le16(38);
+ pneg_ctxt->HashAlgorithmCount = cpu_to_le16(1);
+ pneg_ctxt->Reserved = cpu_to_le32(0);
+ pneg_ctxt->SaltLength = cpu_to_le16(SMB311_SALT_SIZE);
+ get_random_bytes(pneg_ctxt->Salt, SMB311_SALT_SIZE);
+ pneg_ctxt->HashAlgorithms = hash_id;
+}
+
+static void build_encrypt_ctxt(struct smb2_encryption_neg_context *pneg_ctxt,
+ __le16 cipher_type)
+{
+ pneg_ctxt->ContextType = SMB2_ENCRYPTION_CAPABILITIES;
+ pneg_ctxt->DataLength = cpu_to_le16(4);
+ pneg_ctxt->Reserved = cpu_to_le32(0);
+ pneg_ctxt->CipherCount = cpu_to_le16(1);
+ pneg_ctxt->Ciphers[0] = cipher_type;
+}
+
+static void build_compression_ctxt(struct smb2_compression_ctx *pneg_ctxt,
+ __le16 comp_algo)
+{
+ pneg_ctxt->ContextType = SMB2_COMPRESSION_CAPABILITIES;
+ pneg_ctxt->DataLength =
+ cpu_to_le16(sizeof(struct smb2_compression_ctx)
+ - sizeof(struct smb2_neg_context));
+ pneg_ctxt->Reserved = cpu_to_le32(0);
+ pneg_ctxt->CompressionAlgorithmCount = cpu_to_le16(1);
+ pneg_ctxt->Reserved1 = cpu_to_le32(0);
+ pneg_ctxt->CompressionAlgorithms[0] = comp_algo;
+}
+
+static void
+build_posix_ctxt(struct smb2_posix_neg_context *pneg_ctxt)
+{
+ pneg_ctxt->ContextType = SMB2_POSIX_EXTENSIONS_AVAILABLE;
+ pneg_ctxt->DataLength = cpu_to_le16(POSIX_CTXT_DATA_LEN);
+ /* SMB2_CREATE_TAG_POSIX is "0x93AD25509CB411E7B42383DE968BCD7C" */
+ pneg_ctxt->Name[0] = 0x93;
+ pneg_ctxt->Name[1] = 0xAD;
+ pneg_ctxt->Name[2] = 0x25;
+ pneg_ctxt->Name[3] = 0x50;
+ pneg_ctxt->Name[4] = 0x9C;
+ pneg_ctxt->Name[5] = 0xB4;
+ pneg_ctxt->Name[6] = 0x11;
+ pneg_ctxt->Name[7] = 0xE7;
+ pneg_ctxt->Name[8] = 0xB4;
+ pneg_ctxt->Name[9] = 0x23;
+ pneg_ctxt->Name[10] = 0x83;
+ pneg_ctxt->Name[11] = 0xDE;
+ pneg_ctxt->Name[12] = 0x96;
+ pneg_ctxt->Name[13] = 0x8B;
+ pneg_ctxt->Name[14] = 0xCD;
+ pneg_ctxt->Name[15] = 0x7C;
+}
+
+static void
+assemble_neg_contexts(struct ksmbd_conn *conn,
+ struct smb2_negotiate_rsp *rsp)
+{
+ /* +4 is to account for the RFC1001 len field */
+ char *pneg_ctxt = (char *)rsp +
+ le32_to_cpu(rsp->NegotiateContextOffset) + 4;
+ int neg_ctxt_cnt = 1;
+ int ctxt_size;
+
+ ksmbd_debug(SMB,
+ "assemble SMB2_PREAUTH_INTEGRITY_CAPABILITIES context\n");
+ build_preauth_ctxt((struct smb2_preauth_neg_context *)pneg_ctxt,
+ conn->preauth_info->Preauth_HashId);
+ rsp->NegotiateContextCount = cpu_to_le16(neg_ctxt_cnt);
+ inc_rfc1001_len(rsp, AUTH_GSS_PADDING);
+ ctxt_size = sizeof(struct smb2_preauth_neg_context);
+ /* Round to 8 byte boundary */
+ pneg_ctxt += round_up(sizeof(struct smb2_preauth_neg_context), 8);
+
+ if (conn->cipher_type) {
+ ctxt_size = round_up(ctxt_size, 8);
+ ksmbd_debug(SMB,
+ "assemble SMB2_ENCRYPTION_CAPABILITIES context\n");
+ build_encrypt_ctxt(
+ (struct smb2_encryption_neg_context *)pneg_ctxt,
+ conn->cipher_type);
+ rsp->NegotiateContextCount = cpu_to_le16(++neg_ctxt_cnt);
+ ctxt_size += sizeof(struct smb2_encryption_neg_context);
+ /* Round to 8 byte boundary */
+ pneg_ctxt +=
+ round_up(sizeof(struct smb2_encryption_neg_context),
+ 8);
+ }
+
+ if (conn->compress_algorithm) {
+ ctxt_size = round_up(ctxt_size, 8);
+ ksmbd_debug(SMB,
+ "assemble SMB2_COMPRESSION_CAPABILITIES context\n");
+ /* Temporarily set to SMB3_COMPRESS_NONE */
+ build_compression_ctxt((struct smb2_compression_ctx *)pneg_ctxt,
+ conn->compress_algorithm);
+ rsp->NegotiateContextCount = cpu_to_le16(++neg_ctxt_cnt);
+ ctxt_size += sizeof(struct smb2_compression_ctx);
+ /* Round to 8 byte boundary */
+ pneg_ctxt += round_up(sizeof(struct smb2_compression_ctx), 8);
+ }
+
+ if (conn->posix_ext_supported) {
+ ctxt_size = round_up(ctxt_size, 8);
+ ksmbd_debug(SMB,
+ "assemble SMB2_POSIX_EXTENSIONS_AVAILABLE context\n");
+ build_posix_ctxt((struct smb2_posix_neg_context *)pneg_ctxt);
+ rsp->NegotiateContextCount = cpu_to_le16(++neg_ctxt_cnt);
+ ctxt_size += sizeof(struct smb2_posix_neg_context);
+ }
+
+ inc_rfc1001_len(rsp, ctxt_size);
+}
+
+static __le32
+decode_preauth_ctxt(struct ksmbd_conn *conn,
+ struct smb2_preauth_neg_context *pneg_ctxt)
+{
+ __le32 err = STATUS_NO_PREAUTH_INTEGRITY_HASH_OVERLAP;
+
+ if (pneg_ctxt->HashAlgorithms ==
+ SMB2_PREAUTH_INTEGRITY_SHA512) {
+ conn->preauth_info->Preauth_HashId =
+ SMB2_PREAUTH_INTEGRITY_SHA512;
+ err = STATUS_SUCCESS;
+ }
+
+ return err;
+}
+
+static int decode_encrypt_ctxt(struct ksmbd_conn *conn,
+ struct smb2_encryption_neg_context *pneg_ctxt)
+{
+ int i;
+ int cph_cnt = le16_to_cpu(pneg_ctxt->CipherCount);
+
+ conn->cipher_type = 0;
+
+ if (!(server_conf.flags & KSMBD_GLOBAL_FLAG_SMB2_ENCRYPTION))
+ goto out;
+
+ for (i = 0; i < cph_cnt; i++) {
+ if (pneg_ctxt->Ciphers[i] == SMB2_ENCRYPTION_AES128_GCM ||
+ pneg_ctxt->Ciphers[i] == SMB2_ENCRYPTION_AES128_CCM) {
+ ksmbd_debug(SMB, "Cipher ID = 0x%x\n",
+ pneg_ctxt->Ciphers[i]);
+ conn->cipher_type = pneg_ctxt->Ciphers[i];
+ break;
+ }
+ }
+
+out:
+ /*
+ * Return encrypt context size in request.
+ * So need to plus extra number of ciphers size.
+ */
+ return sizeof(struct smb2_encryption_neg_context) +
+ ((cph_cnt - 1) * 2);
+}
+
+static int decode_compress_ctxt(struct ksmbd_conn *conn,
+ struct smb2_compression_ctx *pneg_ctxt)
+{
+ int algo_cnt = le16_to_cpu(pneg_ctxt->CompressionAlgorithmCount);
+
+ conn->compress_algorithm = SMB3_COMPRESS_NONE;
+
+ /*
+ * Return compression context size in request.
+ * So need to plus extra number of CompressionAlgorithms size.
+ */
+ return sizeof(struct smb2_encryption_neg_context) +
+ ((algo_cnt - 1) * 2);
+}
+
+static __le32 deassemble_neg_contexts(struct ksmbd_conn *conn,
+ struct smb2_negotiate_req *req)
+{
+ int i = 0;
+ __le32 status = 0;
+ /* +4 is to account for the RFC1001 len field */
+ char *pneg_ctxt = (char *)req +
+ le32_to_cpu(req->NegotiateContextOffset) + 4;
+ __le16 *ContextType = (__le16 *)pneg_ctxt;
+ int neg_ctxt_cnt = le16_to_cpu(req->NegotiateContextCount);
+ int ctxt_size;
+
+ ksmbd_debug(SMB, "negotiate context count = %d\n", neg_ctxt_cnt);
+ status = STATUS_INVALID_PARAMETER;
+ while (i++ < neg_ctxt_cnt) {
+ if (*ContextType == SMB2_PREAUTH_INTEGRITY_CAPABILITIES) {
+ ksmbd_debug(SMB,
+ "deassemble SMB2_PREAUTH_INTEGRITY_CAPABILITIES context\n");
+ if (conn->preauth_info->Preauth_HashId)
+ break;
+
+ status = decode_preauth_ctxt(conn,
+ (struct smb2_preauth_neg_context *)pneg_ctxt);
+ pneg_ctxt += DIV_ROUND_UP(
+ sizeof(struct smb2_preauth_neg_context), 8) * 8;
+ } else if (*ContextType == SMB2_ENCRYPTION_CAPABILITIES) {
+ ksmbd_debug(SMB,
+ "deassemble SMB2_ENCRYPTION_CAPABILITIES context\n");
+ if (conn->cipher_type)
+ break;
+
+ ctxt_size = decode_encrypt_ctxt(conn,
+ (struct smb2_encryption_neg_context *)
+ pneg_ctxt);
+ pneg_ctxt += DIV_ROUND_UP(ctxt_size, 8) * 8;
+ } else if (*ContextType == SMB2_COMPRESSION_CAPABILITIES) {
+ ksmbd_debug(SMB,
+ "deassemble SMB2_COMPRESSION_CAPABILITIES context\n");
+ if (conn->compress_algorithm)
+ break;
+
+ ctxt_size = decode_compress_ctxt(conn,
+ (struct smb2_compression_ctx *)
+ pneg_ctxt);
+ pneg_ctxt += DIV_ROUND_UP(ctxt_size, 8) * 8;
+ } else if (*ContextType == SMB2_NETNAME_NEGOTIATE_CONTEXT_ID) {
+ ksmbd_debug(SMB,
+ "deassemble SMB2_NETNAME_NEGOTIATE_CONTEXT_ID context\n");
+ ctxt_size = sizeof(struct smb2_netname_neg_context);
+ ctxt_size += DIV_ROUND_UP(
+ le16_to_cpu(((struct smb2_netname_neg_context *)
+ pneg_ctxt)->DataLength), 8) * 8;
+ pneg_ctxt += ctxt_size;
+ } else if (*ContextType == SMB2_POSIX_EXTENSIONS_AVAILABLE) {
+ ksmbd_debug(SMB,
+ "deassemble SMB2_POSIX_EXTENSIONS_AVAILABLE context\n");
+ conn->posix_ext_supported = true;
+ pneg_ctxt += DIV_ROUND_UP(
+ sizeof(struct smb2_posix_neg_context), 8) * 8;
+ }
+ ContextType = (__le16 *)pneg_ctxt;
+
+ if (status != STATUS_SUCCESS)
+ break;
+ }
+ return status;
+}
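Review bot: deassemble_neg_contexts() walks the client's negotiate contexts without ever checking them against the length of the received request. `pneg_ctxt` is computed directly from req->NegotiateContextOffset, the loop runs NegotiateContextCount times, and decode_encrypt_ctxt() reads pneg_ctxt->Ciphers[i] for a client-supplied CipherCount, so a crafted SMB 3.1.1 negotiate request can make the server read past the end of the request buffer before any authentication has happened. Suggest passing in the request length (get_rfc1002_len() on the request buffer), verifying that the offset plus a context header fits before each iteration, validating each context's DataLength against the remaining bytes, and bounding CipherCount / CompressionAlgorithmCount by DataLength; a count of 0 should be rejected, since `(cph_cnt - 1) * 2` then goes negative. Related points in the same region: the preauth and POSIX branches advance by sizeof() of the struct instead of the DataLength the client sent, an unrecognized ContextType does not advance pneg_ctxt at all, and decode_compress_ctxt() returns sizeof(struct smb2_encryption_neg_context) where struct smb2_compression_ctx looks intended.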
+
+/**
+ * smb2_handle_negotiate() - handler for smb2 negotiate command
+ * @work: smb work containing smb request buffer
+ *
+ * Return: 0
+ */
+int smb2_handle_negotiate(struct ksmbd_work *work)
+{
+ struct ksmbd_conn *conn = work->conn;
+ struct smb2_negotiate_req *req = REQUEST_BUF(work);
+ struct smb2_negotiate_rsp *rsp = RESPONSE_BUF(work);
+ int rc = 0;
+ __le32 status;
+
+ ksmbd_debug(SMB, "Received negotiate request\n");
+ conn->need_neg = false;
+ if (ksmbd_conn_good(work)) {
+ ksmbd_err("conn->tcp_status is already in CifsGood State\n");
+ work->send_no_response = 1;
+ return rc;
+ }
+
+ if (req->DialectCount == 0) {
+ ksmbd_err("malformed packet\n");
+ rsp->hdr.Status = STATUS_INVALID_PARAMETER;
+ rc = -EINVAL;
+ goto err_out;
+ }
+
+ conn->cli_cap = le32_to_cpu(req->Capabilities);
+ switch (conn->dialect) {
+ case SMB311_PROT_ID:
+ conn->preauth_info =
+ kzalloc(sizeof(struct preauth_integrity_info),
+ GFP_KERNEL);
+ if (!conn->preauth_info) {
+ rc = -ENOMEM;
+ rsp->hdr.Status = STATUS_INVALID_PARAMETER;
+ goto err_out;
+ }
+
+ status = deassemble_neg_contexts(conn, req);
+ if (status != STATUS_SUCCESS) {
+ ksmbd_err("deassemble_neg_contexts error(0x%x)\n",
+ status);
+ rsp->hdr.Status = status;
+ rc = -EINVAL;
+ goto err_out;
+ }
+
+ rc = init_smb3_11_server(conn);
+ if (rc < 0) {
+ rsp->hdr.Status = STATUS_INVALID_PARAMETER;
+ goto err_out;
+ }
+
+ ksmbd_gen_preauth_integrity_hash(conn,
+ REQUEST_BUF(work),
+ conn->preauth_info->Preauth_HashValue);
+ rsp->NegotiateContextOffset =
+ cpu_to_le32(OFFSET_OF_NEG_CONTEXT);
+ assemble_neg_contexts(conn, rsp);
+ break;
+ case SMB302_PROT_ID:
+ init_smb3_02_server(conn);
+ break;
+ case SMB30_PROT_ID:
+ init_smb3_0_server(conn);
+ break;
+ case SMB21_PROT_ID:
+ init_smb2_1_server(conn);
+ break;
+ case SMB20_PROT_ID:
+ rc = init_smb2_0_server(conn);
+ if (rc) {
+ rsp->hdr.Status = STATUS_NOT_SUPPORTED;
+ goto err_out;
+ }
+ break;
+ case SMB2X_PROT_ID:
+ case BAD_PROT_ID:
+ default:
+ ksmbd_debug(SMB, "Server dialect :0x%x not supported\n",
+ conn->dialect);
+ rsp->hdr.Status = STATUS_NOT_SUPPORTED;
+ rc = -EINVAL;
+ goto err_out;
+ }
+ rsp->Capabilities = cpu_to_le32(conn->vals->capabilities);
+
+ /* For stats */
+ conn->connection_type = conn->dialect;
+
+ rsp->MaxTransactSize = cpu_to_le32(conn->vals->max_trans_size);
+ rsp->MaxReadSize = cpu_to_le32(conn->vals->max_read_size);
+ rsp->MaxWriteSize = cpu_to_le32(conn->vals->max_write_size);
+
+ if (conn->dialect > SMB20_PROT_ID) {
+ memcpy(conn->ClientGUID, req->ClientGUID,
+ SMB2_CLIENT_GUID_SIZE);
+ conn->cli_sec_mode = le16_to_cpu(req->SecurityMode);
+ }
+
+ rsp->StructureSize = cpu_to_le16(65);
+ rsp->DialectRevision = cpu_to_le16(conn->dialect);
+ /* Not setting conn guid rsp->ServerGUID, as it
+ * not used by client for identifying server
+ */
+ memset(rsp->ServerGUID, 0, SMB2_CLIENT_GUID_SIZE);
+
+ rsp->SystemTime = cpu_to_le64(ksmbd_systime());
+ rsp->ServerStartTime = 0;
+ ksmbd_debug(SMB, "negotiate context offset %d, count %d\n",
+ le32_to_cpu(rsp->NegotiateContextOffset),
+ le16_to_cpu(rsp->NegotiateContextCount));
+
+ rsp->SecurityBufferOffset = cpu_to_le16(128);
+ rsp->SecurityBufferLength = cpu_to_le16(AUTH_GSS_LENGTH);
+ ksmbd_copy_gss_neg_header(((char *)(&rsp->hdr) +
+ sizeof(rsp->hdr.smb2_buf_length)) +
+ le16_to_cpu(rsp->SecurityBufferOffset));
+ inc_rfc1001_len(rsp, sizeof(struct smb2_negotiate_rsp) -
+ sizeof(struct smb2_hdr) - sizeof(rsp->Buffer) +
+ AUTH_GSS_LENGTH);
+ rsp->SecurityMode = SMB2_NEGOTIATE_SIGNING_ENABLED_LE;
+ conn->use_spnego = true;
+
+ if ((server_conf.signing == KSMBD_CONFIG_OPT_AUTO ||
+ server_conf.signing == KSMBD_CONFIG_OPT_DISABLED) &&
+ req->SecurityMode & SMB2_NEGOTIATE_SIGNING_REQUIRED_LE)
+ conn->sign = true;
+ else if (server_conf.signing == KSMBD_CONFIG_OPT_MANDATORY) {
+ server_conf.enforced_signing = true;
+ rsp->SecurityMode |= SMB2_NEGOTIATE_SIGNING_REQUIRED_LE;
+ conn->sign = true;
+ }
+
+ conn->srv_sec_mode = le16_to_cpu(rsp->SecurityMode);
+ ksmbd_conn_set_need_negotiate(work);
+
+err_out:
+ if (rc < 0)
+ smb2_set_err_rsp(work);
+
+ return rc;
+}
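Review bot: In the SMB311_PROT_ID case, the error exits taken after kzalloc() has succeeded (deassemble_neg_contexts() failing, init_smb3_11_server() failing) jump to err_out with conn->preauth_info still allocated, and nothing in this function frees it or clears the pointer. Free it and set it to NULL on those paths, or add a comment naming where connection teardown releases it. The kzalloc() failure branch also answers -ENOMEM with STATUS_INVALID_PARAMETER; STATUS_NO_MEMORY, which smb2_tree_connect() uses for the same condition, would not mislead the client.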
+
+static int alloc_preauth_hash(struct ksmbd_session *sess,
+ struct ksmbd_conn *conn)
+{
+ if (sess->Preauth_HashValue)
+ return 0;
+
+ sess->Preauth_HashValue = ksmbd_alloc(PREAUTH_HASHVALUE_SIZE);
+ if (!sess->Preauth_HashValue)
+ return -ENOMEM;
+
+ memcpy(sess->Preauth_HashValue,
+ conn->preauth_info->Preauth_HashValue,
+ PREAUTH_HASHVALUE_SIZE);
+ return 0;
+}
+
+static int generate_preauth_hash(struct ksmbd_work *work)
+{
+ struct ksmbd_conn *conn = work->conn;
+ struct ksmbd_session *sess = work->sess;
+
+ if (conn->dialect != SMB311_PROT_ID)
+ return 0;
+
+ if (!sess->Preauth_HashValue) {
+ if (alloc_preauth_hash(sess, conn))
+ return -ENOMEM;
+ }
+
+ ksmbd_gen_preauth_integrity_hash(conn,
+ REQUEST_BUF(work),
+ sess->Preauth_HashValue);
+ return 0;
+}
+
+static int decode_negotiation_token(struct ksmbd_work *work,
+ struct negotiate_message *negblob)
+{
+ struct ksmbd_conn *conn = work->conn;
+ struct smb2_sess_setup_req *req;
+ int sz;
+
+ if (!conn->use_spnego)
+ return -EINVAL;
+
+ req = REQUEST_BUF(work);
+ sz = le16_to_cpu(req->SecurityBufferLength);
+
+ if (!ksmbd_decode_negTokenInit((char *)negblob, sz, conn)) {
+ if (!ksmbd_decode_negTokenTarg((char *)negblob, sz, conn)) {
+ conn->auth_mechs |= KSMBD_AUTH_NTLMSSP;
+ conn->preferred_auth_mech = KSMBD_AUTH_NTLMSSP;
+ conn->use_spnego = false;
+ }
+ }
+ return 0;
+}
+
+static int ntlm_negotiate(struct ksmbd_work *work,
+ struct negotiate_message *negblob)
+{
+ struct smb2_sess_setup_req *req = REQUEST_BUF(work);
+ struct smb2_sess_setup_rsp *rsp = RESPONSE_BUF(work);
+ struct challenge_message *chgblob;
+ unsigned char *spnego_blob = NULL;
+ u16 spnego_blob_len;
+ char *neg_blob;
+ int sz, rc;
+
+ ksmbd_debug(SMB, "negotiate phase\n");
+ sz = le16_to_cpu(req->SecurityBufferLength);
+ rc = ksmbd_decode_ntlmssp_neg_blob(negblob, sz, work->sess);
+ if (rc)
+ return rc;
+
+ sz = le16_to_cpu(rsp->SecurityBufferOffset);
+ chgblob =
+ (struct challenge_message *)((char *)&rsp->hdr.ProtocolId + sz);
+ memset(chgblob, 0, sizeof(struct challenge_message));
+
+ if (!work->conn->use_spnego) {
+ sz = ksmbd_build_ntlmssp_challenge_blob(chgblob, work->sess);
+ if (sz < 0)
+ return -ENOMEM;
+
+ rsp->SecurityBufferLength = cpu_to_le16(sz);
+ return 0;
+ }
+
+ sz = sizeof(struct challenge_message);
+ sz += (strlen(ksmbd_netbios_name()) * 2 + 1 + 4) * 6;
+
+ neg_blob = kzalloc(sz, GFP_KERNEL);
+ if (!neg_blob)
+ return -ENOMEM;
+
+ chgblob = (struct challenge_message *)neg_blob;
+ sz = ksmbd_build_ntlmssp_challenge_blob(chgblob, work->sess);
+ if (sz < 0) {
+ rc = -ENOMEM;
+ goto out;
+ }
+
+ rc = build_spnego_ntlmssp_neg_blob(&spnego_blob,
+ &spnego_blob_len,
+ neg_blob,
+ sz);
+ if (rc) {
+ rc = -ENOMEM;
+ goto out;
+ }
+
+ sz = le16_to_cpu(rsp->SecurityBufferOffset);
+ memcpy((char *)&rsp->hdr.ProtocolId + sz, spnego_blob, spnego_blob_len);
+ rsp->SecurityBufferLength = cpu_to_le16(spnego_blob_len);
+
+out:
+ kfree(spnego_blob);
+ kfree(neg_blob);
+ return rc;
+}
+
+static struct authenticate_message *user_authblob(struct ksmbd_conn *conn,
+ struct smb2_sess_setup_req *req)
+{
+ int sz;
+
+ if (conn->use_spnego && conn->mechToken)
+ return (struct authenticate_message *)conn->mechToken;
+
+ sz = le16_to_cpu(req->SecurityBufferOffset);
+ return (struct authenticate_message *)((char *)&req->hdr.ProtocolId
+ + sz);
+}
+
+static struct ksmbd_user *session_user(struct ksmbd_conn *conn,
+ struct smb2_sess_setup_req *req)
+{
+ struct authenticate_message *authblob;
+ struct ksmbd_user *user;
+ char *name;
+ int sz;
+
+ authblob = user_authblob(conn, req);
+ sz = le32_to_cpu(authblob->UserName.BufferOffset);
+ name = smb_strndup_from_utf16((const char *)authblob + sz,
+ le16_to_cpu(authblob->UserName.Length),
+ true,
+ conn->local_nls);
+ if (IS_ERR(name)) {
+ ksmbd_err("cannot allocate memory\n");
+ return NULL;
+ }
+
+ ksmbd_debug(SMB, "session setup request for user %s\n", name);
+ user = ksmbd_login_user(name);
+ kfree(name);
+ return user;
+}
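Review bot: In session_user(), authblob->UserName.BufferOffset and authblob->UserName.Length come straight from the client and are used as the source offset and length for smb_strndup_from_utf16() without being checked against req->SecurityBufferLength (or the mechToken length when user_authblob() returns conn->mechToken), so the copy can read outside the received blob. Verify that offset plus length lies inside the blob before the call and fail the logon otherwise. The IS_ERR(name) branch also logs "cannot allocate memory" for every error the helper can return; log PTR_ERR(name) instead.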
+
+static int ntlm_authenticate(struct ksmbd_work *work)
+{
+ struct smb2_sess_setup_req *req = REQUEST_BUF(work);
+ struct smb2_sess_setup_rsp *rsp = RESPONSE_BUF(work);
+ struct ksmbd_conn *conn = work->conn;
+ struct ksmbd_session *sess = work->sess;
+ struct channel *chann = NULL;
+ struct ksmbd_user *user;
+ uint64_t prev_id;
+ int sz, rc;
+
+ ksmbd_debug(SMB, "authenticate phase\n");
+ if (conn->use_spnego) {
+ unsigned char *spnego_blob;
+ u16 spnego_blob_len;
+
+ rc = build_spnego_ntlmssp_auth_blob(&spnego_blob,
+ &spnego_blob_len,
+ 0);
+ if (rc)
+ return -ENOMEM;
+
+ sz = le16_to_cpu(rsp->SecurityBufferOffset);
+ memcpy((char *)&rsp->hdr.ProtocolId + sz,
+ spnego_blob,
+ spnego_blob_len);
+ rsp->SecurityBufferLength = cpu_to_le16(spnego_blob_len);
+ kfree(spnego_blob);
+ inc_rfc1001_len(rsp, spnego_blob_len - 1);
+ }
+
+ user = session_user(conn, req);
+ if (!user) {
+ ksmbd_debug(SMB, "Unknown user name or an error\n");
+ rsp->hdr.Status = STATUS_LOGON_FAILURE;
+ return -EINVAL;
+ }
+
+ /* Check for previous session */
+ prev_id = le64_to_cpu(req->PreviousSessionId);
+ if (prev_id && prev_id != sess->id)
+ destroy_previous_session(user, prev_id);
+
+ if (sess->state == SMB2_SESSION_VALID) {
+ /*
+ * Reuse session if anonymous try to connect
+ * on reauthetication.
+ */
+ if (ksmbd_anonymous_user(user)) {
+ ksmbd_free_user(user);
+ return 0;
+ }
+ ksmbd_free_user(sess->user);
+ }
+
+ sess->user = user;
+ if (user_guest(sess->user)) {
+ if (conn->sign) {
+ ksmbd_debug(SMB,
+ "Guest login not allowed when signing enabled\n");
+ rsp->hdr.Status = STATUS_LOGON_FAILURE;
+ return -EACCES;
+ }
+
+ rsp->SessionFlags = SMB2_SESSION_FLAG_IS_GUEST_LE;
+ } else {
+ struct authenticate_message *authblob;
+
+ authblob = user_authblob(conn, req);
+ sz = le16_to_cpu(req->SecurityBufferLength);
+ rc = ksmbd_decode_ntlmssp_auth_blob(authblob, sz, sess);
+ if (rc) {
+ set_user_flag(sess->user, KSMBD_USER_FLAG_BAD_PASSWORD);
+ ksmbd_debug(SMB, "authentication failed\n");
+ rsp->hdr.Status = STATUS_LOGON_FAILURE;
+ return -EINVAL;
+ }
+
+ /*
+ * If session state is SMB2_SESSION_VALID, We can assume
+ * that it is reauthentication. And the user/password
+ * has been verified, so return it here.
+ */
+ if (sess->state == SMB2_SESSION_VALID)
+ return 0;
+
+ if ((conn->sign || server_conf.enforced_signing) ||
+ (req->SecurityMode & SMB2_NEGOTIATE_SIGNING_REQUIRED))
+ sess->sign = true;
+
+ if (conn->vals->capabilities & SMB2_GLOBAL_CAP_ENCRYPTION &&
+ conn->ops->generate_encryptionkey) {
+ rc = conn->ops->generate_encryptionkey(sess);
+ if (rc) {
+ ksmbd_debug(SMB,
+ "SMB3 encryption key generation failed\n");
+ rsp->hdr.Status = STATUS_LOGON_FAILURE;
+ return rc;
+ }
+ sess->enc = true;
+ rsp->SessionFlags = SMB2_SESSION_FLAG_ENCRYPT_DATA_LE;
+ /*
+ * signing is disable if encryption is enable
+ * on this session
+ */
+ sess->sign = false;
+ }
+ }
+
+ if (conn->dialect >= SMB30_PROT_ID) {
+ chann = lookup_chann_list(sess);
+ if (!chann) {
+ chann = kmalloc(sizeof(struct channel), GFP_KERNEL);
+ if (!chann)
+ return -ENOMEM;
+
+ chann->conn = conn;
+ INIT_LIST_HEAD(&chann->chann_list);
+ list_add(&chann->chann_list, &sess->ksmbd_chann_list);
+ }
+ }
+
+ if (conn->ops->generate_signingkey) {
+ rc = conn->ops->generate_signingkey(sess);
+ if (rc) {
+ ksmbd_debug(SMB,
+ "SMB3 signing key generation failed\n");
+ rsp->hdr.Status = STATUS_LOGON_FAILURE;
+ return rc;
+ }
+ }
+
+ if (conn->dialect > SMB20_PROT_ID) {
+ if (!ksmbd_conn_lookup_dialect(conn)) {
+ ksmbd_err("fail to verify the dialect\n");
+ rsp->hdr.Status = STATUS_USER_SESSION_DELETED;
+ return -EPERM;
+ }
+ }
+ return 0;
+}
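Review bot: In ntlm_authenticate(), destroy_previous_session(user, prev_id) runs before ksmbd_decode_ntlmssp_auth_blob() has verified the credentials, so the previous-session teardown is reachable from a request that has not authenticated yet. Move the PreviousSessionId handling below the successful blob verification. The same ordering applies to the reauthentication path, where ksmbd_free_user(sess->user) drops the old user before the new credentials are checked; swap sess->user only once authentication has succeeded.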
+
+#ifdef CONFIG_SMB_SERVER_KERBEROS5
+static int krb5_authenticate(struct ksmbd_work *work)
+{
+ struct smb2_sess_setup_req *req = REQUEST_BUF(work);
+ struct smb2_sess_setup_rsp *rsp = RESPONSE_BUF(work);
+ struct ksmbd_conn *conn = work->conn;
+ struct ksmbd_session *sess = work->sess;
+ char *in_blob, *out_blob;
+ struct channel *chann = NULL;
+ uint64_t prev_sess_id;
+ int in_len, out_len;
+ int retval;
+
+ in_blob = (char *)&req->hdr.ProtocolId +
+ le16_to_cpu(req->SecurityBufferOffset);
+ in_len = le16_to_cpu(req->SecurityBufferLength);
+ out_blob = (char *)&rsp->hdr.ProtocolId +
+ le16_to_cpu(rsp->SecurityBufferOffset);
+ out_len = work->response_sz -
+ offsetof(struct smb2_hdr, smb2_buf_length) -
+ le16_to_cpu(rsp->SecurityBufferOffset);
+
+ /* Check previous session */
+ prev_sess_id = le64_to_cpu(req->PreviousSessionId);
+ if (prev_sess_id && prev_sess_id != sess->id)
+ destroy_previous_session(sess->user, prev_sess_id);
+
+ if (sess->state == SMB2_SESSION_VALID)
+ ksmbd_free_user(sess->user);
+
+ retval = ksmbd_krb5_authenticate(sess, in_blob, in_len,
+ out_blob, &out_len);
+ if (retval) {
+ ksmbd_debug(SMB, "krb5 authentication failed\n");
+ rsp->hdr.Status = STATUS_LOGON_FAILURE;
+ return retval;
+ }
+ rsp->SecurityBufferLength = cpu_to_le16(out_len);
+ inc_rfc1001_len(rsp, out_len - 1);
+
+ if ((conn->sign || server_conf.enforced_signing) ||
+ (req->SecurityMode & SMB2_NEGOTIATE_SIGNING_REQUIRED))
+ sess->sign = true;
+
+ if ((conn->vals->capabilities & SMB2_GLOBAL_CAP_ENCRYPTION) &&
+ conn->ops->generate_encryptionkey) {
+ retval = conn->ops->generate_encryptionkey(sess);
+ if (retval) {
+ ksmbd_debug(SMB,
+ "SMB3 encryption key generation failed\n");
+ rsp->hdr.Status = STATUS_LOGON_FAILURE;
+ return retval;
+ }
+ sess->enc = true;
+ rsp->SessionFlags = SMB2_SESSION_FLAG_ENCRYPT_DATA_LE;
+ sess->sign = false;
+ }
+
+ if (conn->dialect >= SMB30_PROT_ID) {
+ chann = lookup_chann_list(sess);
+ if (!chann) {
+ chann = kmalloc(sizeof(struct channel), GFP_KERNEL);
+ if (!chann)
+ return -ENOMEM;
+
+ chann->conn = conn;
+ INIT_LIST_HEAD(&chann->chann_list);
+ list_add(&chann->chann_list, &sess->ksmbd_chann_list);
+ }
+ }
+
+ if (conn->ops->generate_signingkey) {
+ retval = conn->ops->generate_signingkey(sess);
+ if (retval) {
+ ksmbd_debug(SMB,
+ "SMB3 signing key generation failed\n");
+ rsp->hdr.Status = STATUS_LOGON_FAILURE;
+ return retval;
+ }
+ }
+
+ if (conn->dialect > SMB20_PROT_ID) {
+ if (!ksmbd_conn_lookup_dialect(conn)) {
+ ksmbd_err("fail to verify the dialect\n");
+ rsp->hdr.Status = STATUS_USER_SESSION_DELETED;
+ return -EPERM;
+ }
+ }
+ return 0;
+}
+#else
+static int krb5_authenticate(struct ksmbd_work *work)
+{
+ return -EOPNOTSUPP;
+}
+#endif
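Review bot: When sess->state == SMB2_SESSION_VALID, krb5_authenticate() calls ksmbd_free_user(sess->user) but leaves sess->user pointing at the freed object, and the ksmbd_krb5_authenticate() failure path returns with that stale pointer still stored in the session. Set sess->user = NULL right after the free, as smb2_session_logoff() already does. destroy_previous_session(sess->user, prev_sess_id) is also called before authentication, with whatever sess->user holds at that point; call it after ksmbd_krb5_authenticate() succeeds, using the authenticated user.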
+
+int smb2_sess_setup(struct ksmbd_work *work)
+{
+ struct ksmbd_conn *conn = work->conn;
+ struct smb2_sess_setup_req *req = REQUEST_BUF(work);
+ struct smb2_sess_setup_rsp *rsp = RESPONSE_BUF(work);
+ struct ksmbd_session *sess;
+ struct negotiate_message *negblob;
+ int rc = 0;
+
+ ksmbd_debug(SMB, "Received request for session setup\n");
+
+ rsp->StructureSize = cpu_to_le16(9);
+ rsp->SessionFlags = 0;
+ rsp->SecurityBufferOffset = cpu_to_le16(72);
+ rsp->SecurityBufferLength = 0;
+ inc_rfc1001_len(rsp, 9);
+
+ if (!req->hdr.SessionId) {
+ sess = ksmbd_smb2_session_create();
+ if (!sess) {
+ rc = -ENOMEM;
+ goto out_err;
+ }
+ rsp->hdr.SessionId = cpu_to_le64(sess->id);
+ ksmbd_session_register(conn, sess);
+ } else {
+ sess = ksmbd_session_lookup(conn,
+ le64_to_cpu(req->hdr.SessionId));
+ if (!sess) {
+ rc = -ENOENT;
+ rsp->hdr.Status = STATUS_USER_SESSION_DELETED;
+ goto out_err;
+ }
+ }
+ work->sess = sess;
+
+ if (sess->state == SMB2_SESSION_EXPIRED)
+ sess->state = SMB2_SESSION_IN_PROGRESS;
+
+ negblob = (struct negotiate_message *)((char *)&req->hdr.ProtocolId +
+ le16_to_cpu(req->SecurityBufferOffset));
+
+ if (decode_negotiation_token(work, negblob) == 0) {
+ if (conn->mechToken)
+ negblob = (struct negotiate_message *)conn->mechToken;
+ }
+
+ if (server_conf.auth_mechs & conn->auth_mechs) {
+ if (conn->preferred_auth_mech &
+ (KSMBD_AUTH_KRB5 | KSMBD_AUTH_MSKRB5)) {
+ rc = generate_preauth_hash(work);
+ if (rc)
+ goto out_err;
+
+ rc = krb5_authenticate(work);
+ if (rc) {
+ rsp->hdr.Status = STATUS_INVALID_PARAMETER;
+ goto out_err;
+ }
+
+ ksmbd_conn_set_good(work);
+ sess->state = SMB2_SESSION_VALID;
+ ksmbd_free(sess->Preauth_HashValue);
+ sess->Preauth_HashValue = NULL;
+ } else if (conn->preferred_auth_mech == KSMBD_AUTH_NTLMSSP) {
+ rc = generate_preauth_hash(work);
+ if (rc)
+ goto out_err;
+
+ if (negblob->MessageType == NtLmNegotiate) {
+ rc = ntlm_negotiate(work, negblob);
+ if (rc)
+ goto out_err;
+ rsp->hdr.Status =
+ STATUS_MORE_PROCESSING_REQUIRED;
+ /*
+ * Note: here total size -1 is done as an
+ * adjustment for 0 size blob
+ */
+ inc_rfc1001_len(rsp,
+ le16_to_cpu(rsp->SecurityBufferLength)
+ - 1);
+
+ } else if (negblob->MessageType == NtLmAuthenticate) {
+ rc = ntlm_authenticate(work);
+ if (rc)
+ goto out_err;
+
+ ksmbd_conn_set_good(work);
+ sess->state = SMB2_SESSION_VALID;
+ ksmbd_free(sess->Preauth_HashValue);
+ sess->Preauth_HashValue = NULL;
+ }
+ } else {
+ /* TODO: need one more negotiation */
+ ksmbd_err("Not support the preferred authentication\n");
+ rc = -EINVAL;
+ rsp->hdr.Status = STATUS_INVALID_PARAMETER;
+ }
+ } else {
+ ksmbd_err("Not support authentication\n");
+ rc = -EINVAL;
+ rsp->hdr.Status = STATUS_INVALID_PARAMETER;
+ }
+
+out_err:
+ if (conn->use_spnego && conn->mechToken) {
+ kfree(conn->mechToken);
+ conn->mechToken = NULL;
+ }
+
+ if (rc < 0 && sess) {
+ ksmbd_session_destroy(sess);
+ work->sess = NULL;
+ }
+
+ return rc;
+}
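Review bot: In smb2_sess_setup(), negblob is computed from req->SecurityBufferOffset and negblob->MessageType is then read without any check that SecurityBufferOffset plus SecurityBufferLength fits inside the received request, or that the length covers a struct negotiate_message. Add that validation before decode_negotiation_token() and reject the request with STATUS_INVALID_PARAMETER when it fails. In the NTLMSSP branch, a MessageType that is neither NtLmNegotiate nor NtLmAuthenticate falls through with rc == 0 and no error status; add an else that fails the request.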
+
+/**
+ * smb2_tree_connect() - handler for smb2 tree connect command
+ * @work: smb work containing smb request buffer
+ *
+ * Return: 0 on success, otherwise error
+ */
+int smb2_tree_connect(struct ksmbd_work *work)
+{
+ struct ksmbd_conn *conn = work->conn;
+ struct smb2_tree_connect_req *req = REQUEST_BUF(work);
+ struct smb2_tree_connect_rsp *rsp = RESPONSE_BUF(work);
+ struct ksmbd_session *sess = work->sess;
+ char *treename = NULL, *name = NULL;
+ struct ksmbd_tree_conn_status status;
+ struct ksmbd_share_config *share;
+ int rc = -EINVAL;
+
+ treename = smb_strndup_from_utf16(req->Buffer,
+ le16_to_cpu(req->PathLength), true, conn->local_nls);
+ if (IS_ERR(treename)) {
+ ksmbd_err("treename is NULL\n");
+ status.ret = KSMBD_TREE_CONN_STATUS_ERROR;
+ goto out_err1;
+ }
+
+ name = extract_sharename(treename);
+ if (IS_ERR(name)) {
+ status.ret = KSMBD_TREE_CONN_STATUS_ERROR;
+ goto out_err1;
+ }
+
+ ksmbd_debug(SMB, "tree connect request for tree %s treename %s\n",
+ name, treename);
+
+ status = ksmbd_tree_conn_connect(sess, name);
+ if (status.ret == KSMBD_TREE_CONN_STATUS_OK)
+ rsp->hdr.Id.SyncId.TreeId = cpu_to_le32(status.tree_conn->id);
+ else
+ goto out_err1;
+
+ share = status.tree_conn->share_conf;
+ if (test_share_config_flag(share, KSMBD_SHARE_FLAG_PIPE)) {
+ ksmbd_debug(SMB, "IPC share path request\n");
+ rsp->ShareType = SMB2_SHARE_TYPE_PIPE;
+ rsp->MaximalAccess = FILE_READ_DATA_LE | FILE_READ_EA_LE |
+ FILE_EXECUTE_LE | FILE_READ_ATTRIBUTES_LE |
+ FILE_DELETE_LE | FILE_READ_CONTROL_LE |
+ FILE_WRITE_DAC_LE | FILE_WRITE_OWNER_LE |
+ FILE_SYNCHRONIZE_LE;
+ } else {
+ rsp->ShareType = SMB2_SHARE_TYPE_DISK;
+ rsp->MaximalAccess = FILE_READ_DATA_LE | FILE_READ_EA_LE |
+ FILE_EXECUTE_LE | FILE_READ_ATTRIBUTES_LE;
+ if (test_tree_conn_flag(status.tree_conn,
+ KSMBD_TREE_CONN_FLAG_WRITABLE)) {
+ rsp->MaximalAccess |= FILE_WRITE_DATA_LE |
+ FILE_APPEND_DATA_LE | FILE_WRITE_EA_LE |
+ FILE_DELETE_CHILD_LE | FILE_DELETE_LE |
+ FILE_WRITE_ATTRIBUTES_LE | FILE_DELETE_LE |
+ FILE_READ_CONTROL_LE | FILE_WRITE_DAC_LE |
+ FILE_WRITE_OWNER_LE | FILE_SYNCHRONIZE_LE;
+ }
+ }
+
+ status.tree_conn->maximal_access = le32_to_cpu(rsp->MaximalAccess);
+ if (conn->posix_ext_supported)
+ status.tree_conn->posix_extensions = true;
+
+out_err1:
+ rsp->StructureSize = cpu_to_le16(16);
+ rsp->Capabilities = 0;
+ rsp->Reserved = 0;
+ /* default manual caching */
+ rsp->ShareFlags = SMB2_SHAREFLAG_MANUAL_CACHING;
+ inc_rfc1001_len(rsp, 16);
+
+ if (!IS_ERR(treename))
+ kfree(treename);
+ if (!IS_ERR(name))
+ kfree(name);
+
+ switch (status.ret) {
+ case KSMBD_TREE_CONN_STATUS_OK:
+ rsp->hdr.Status = STATUS_SUCCESS;
+ rc = 0;
+ break;
+ case KSMBD_TREE_CONN_STATUS_NO_SHARE:
+ rsp->hdr.Status = STATUS_BAD_NETWORK_PATH;
+ break;
+ case -ENOMEM:
+ case KSMBD_TREE_CONN_STATUS_NOMEM:
+ rsp->hdr.Status = STATUS_NO_MEMORY;
+ break;
+ case KSMBD_TREE_CONN_STATUS_ERROR:
+ case KSMBD_TREE_CONN_STATUS_TOO_MANY_CONNS:
+ case KSMBD_TREE_CONN_STATUS_TOO_MANY_SESSIONS:
+ rsp->hdr.Status = STATUS_ACCESS_DENIED;
+ break;
+ case -EINVAL:
+ rsp->hdr.Status = STATUS_INVALID_PARAMETER;
+ break;
+ default:
+ rsp->hdr.Status = STATUS_ACCESS_DENIED;
+ }
+
+ return rc;
+}
+
+/**
+ * smb2_create_open_flags() - convert smb open flags to unix open flags
+ * @file_present: is file already present
+ * @access: file access flags
+ * @disposition: file disposition flags
+ * @work: smb work containing smb request buffer
+ *
+ * Return: file open flags
+ */
+static int smb2_create_open_flags(bool file_present, __le32 access,
+ __le32 disposition)
+{
+ int oflags = O_NONBLOCK | O_LARGEFILE;
+
+ if (access & FILE_READ_DESIRED_ACCESS_LE &&
+ access & FILE_WRITE_DESIRE_ACCESS_LE)
+ oflags |= O_RDWR;
+ else if (access & FILE_WRITE_DESIRE_ACCESS_LE)
+ oflags |= O_WRONLY;
+ else
+ oflags |= O_RDONLY;
+
+ if (access == FILE_READ_ATTRIBUTES_LE)
+ oflags |= O_PATH;
+
+ if (file_present) {
+ switch (disposition & FILE_CREATE_MASK_LE) {
+ case FILE_OPEN_LE:
+ case FILE_CREATE_LE:
+ break;
+ case FILE_SUPERSEDE_LE:
+ case FILE_OVERWRITE_LE:
+ case FILE_OVERWRITE_IF_LE:
+ oflags |= O_TRUNC;
+ break;
+ default:
+ break;
+ }
+ } else {
+ switch (disposition & FILE_CREATE_MASK_LE) {
+ case FILE_SUPERSEDE_LE:
+ case FILE_CREATE_LE:
+ case FILE_OPEN_IF_LE:
+ case FILE_OVERWRITE_IF_LE:
+ oflags |= O_CREAT;
+ break;
+ case FILE_OPEN_LE:
+ case FILE_OVERWRITE_LE:
+ oflags &= ~O_CREAT;
+ break;
+ default:
+ break;
+ }
+ }
+ return oflags;
+}
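Review bot: The kernel-doc above smb2_create_open_flags() documents @work, which is not a parameter of the function; drop that line so the comment matches the signature. In the !file_present switch, oflags &= ~O_CREAT under FILE_OPEN_LE and FILE_OVERWRITE_LE has no effect because O_CREAT is never set before that point, so those cases can simply break.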
+
+/**
+ * smb2_tree_disconnect() - handler for smb tree connect request
+ * @work: smb work containing request buffer
+ *
+ * Return: 0
+ */
+int smb2_tree_disconnect(struct ksmbd_work *work)
+{
+ struct smb2_tree_disconnect_rsp *rsp = RESPONSE_BUF(work);
+ struct ksmbd_session *sess = work->sess;
+ struct ksmbd_tree_connect *tcon = work->tcon;
+
+ rsp->StructureSize = cpu_to_le16(4);
+ inc_rfc1001_len(rsp, 4);
+
+ ksmbd_debug(SMB, "request\n");
+
+ if (!tcon) {
+ struct smb2_tree_disconnect_req *req = REQUEST_BUF(work);
+
+ ksmbd_debug(SMB, "Invalid tid %d\n", req->hdr.Id.SyncId.TreeId);
+ rsp->hdr.Status = STATUS_NETWORK_NAME_DELETED;
+ smb2_set_err_rsp(work);
+ return 0;
+ }
+
+ ksmbd_close_tree_conn_fds(work);
+ ksmbd_tree_conn_disconnect(sess, tcon);
+ return 0;
+}
+
+/**
+ * smb2_session_logoff() - handler for session log off request
+ * @work: smb work containing request buffer
+ *
+ * Return: 0
+ */
+int smb2_session_logoff(struct ksmbd_work *work)
+{
+ struct ksmbd_conn *conn = work->conn;
+ struct smb2_logoff_rsp *rsp = RESPONSE_BUF(work);
+ struct ksmbd_session *sess = work->sess;
+
+ rsp->StructureSize = cpu_to_le16(4);
+ inc_rfc1001_len(rsp, 4);
+
+ ksmbd_debug(SMB, "request\n");
+
+ /* Got a valid session, set connection state */
+ WARN_ON(sess->conn != conn);
+
+ /* setting CifsExiting here may race with start_tcp_sess */
+ ksmbd_conn_set_need_reconnect(work);
+ ksmbd_close_session_fds(work);
+ ksmbd_conn_wait_idle(conn);
+
+ if (ksmbd_tree_conn_session_logoff(sess)) {
+ struct smb2_logoff_req *req = REQUEST_BUF(work);
+
+ ksmbd_debug(SMB, "Invalid tid %d\n", req->hdr.Id.SyncId.TreeId);
+ rsp->hdr.Status = STATUS_NETWORK_NAME_DELETED;
+ smb2_set_err_rsp(work);
+ return 0;
+ }
+
+ ksmbd_destroy_file_table(&sess->file_table);
+ sess->state = SMB2_SESSION_EXPIRED;
+
+ ksmbd_free_user(sess->user);
+ sess->user = NULL;
+
+ /* let start_tcp_sess free connection info now */
+ ksmbd_conn_set_need_negotiate(work);
+ return 0;
+}
+
+/**
+ * create_smb2_pipe() - create IPC pipe
+ * @work: smb work containing request buffer
+ *
+ * Return: 0 on success, otherwise error
+ */
+static noinline int create_smb2_pipe(struct ksmbd_work *work)
+{
+ struct smb2_create_rsp *rsp = RESPONSE_BUF(work);
+ struct smb2_create_req *req = REQUEST_BUF(work);
+ int id;
+ int err;
+ char *name;
+
+ name = smb_strndup_from_utf16(req->Buffer, le16_to_cpu(req->NameLength),
+ 1, work->conn->local_nls);
+ if (IS_ERR(name)) {
+ rsp->hdr.Status = STATUS_NO_MEMORY;
+ err = PTR_ERR(name);
+ goto out;
+ }
+
+ id = ksmbd_session_rpc_open(work->sess, name);
+ if (id < 0)
+ ksmbd_err("Unable to open RPC pipe: %d\n", id);
+
+ rsp->StructureSize = cpu_to_le16(89);
+ rsp->OplockLevel = SMB2_OPLOCK_LEVEL_NONE;
+ rsp->Reserved = 0;
+ rsp->CreateAction = cpu_to_le32(FILE_OPENED);
+
+ rsp->CreationTime = cpu_to_le64(0);
+ rsp->LastAccessTime = cpu_to_le64(0);
+ rsp->ChangeTime = cpu_to_le64(0);
+ rsp->AllocationSize = cpu_to_le64(0);
+ rsp->EndofFile = cpu_to_le64(0);
+ rsp->FileAttributes = ATTR_NORMAL_LE;
+ rsp->Reserved2 = 0;
+ rsp->VolatileFileId = cpu_to_le64(id);
+ rsp->PersistentFileId = 0;
+ rsp->CreateContextsOffset = 0;
+ rsp->CreateContextsLength = 0;
+
+ inc_rfc1001_len(rsp, 88); /* StructureSize - 1*/
+ kfree(name);
+ return 0;
+
+out:
+ smb2_set_err_rsp(work);
+ return err;
+}
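Review bot: In create_smb2_pipe(), a negative return from ksmbd_session_rpc_open() is only logged; the function then fills a success response with rsp->VolatileFileId = cpu_to_le64(id) and returns 0, so the client is handed a file id derived from an error code. When id < 0, free name, set an error status and take the out path. The IS_ERR(name) branch also reports STATUS_NO_MEMORY for every error smb_strndup_from_utf16() can return; choose the status from PTR_ERR(name).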
+
+#define DURABLE_RECONN_V2 1
+#define DURABLE_RECONN 2
+#define DURABLE_REQ_V2 3
+#define DURABLE_REQ 4
+#define APP_INSTANCE_ID 5
+
+struct durable_info {
+ struct ksmbd_file *fp;
+ int type;
+ int reconnected;
+ int persistent;
+ int timeout;
+ char *CreateGuid;
+ char *app_id;
+};
+
+static int parse_durable_handle_context(struct ksmbd_work *work,
+ struct smb2_create_req *req, struct lease_ctx_info *lc,
+ struct durable_info *d_info)
+{
+ struct ksmbd_conn *conn = work->conn;
+ struct create_context *context;
+ int i, err = 0;
+ uint64_t persistent_id = 0;
+ int req_op_level;
+ static const char * const durable_arr[] = {"DH2C", "DHnC", "DH2Q",
+ "DHnQ", SMB2_CREATE_APP_INSTANCE_ID};
+
+ req_op_level = req->RequestedOplockLevel;
+ for (i = 1; i <= 5; i++) {
+ context = smb2_find_context_vals(req, durable_arr[i - 1]);
+ if (IS_ERR(context)) {
+ err = PTR_ERR(context);
+ if (err == -EINVAL) {
+ ksmbd_err("bad name length\n");
+ goto out;
+ }
+ err = 0;
+ continue;
+ }
+
+ switch (i) {
+ case DURABLE_RECONN_V2:
+ {
+ struct create_durable_reconn_v2_req *recon_v2;
+
+ recon_v2 =
+ (struct create_durable_reconn_v2_req *)context;
+ persistent_id = le64_to_cpu(
+ recon_v2->Fid.PersistentFileId);
+ d_info->fp = ksmbd_lookup_durable_fd(persistent_id);
+ if (!d_info->fp) {
+ ksmbd_err("Failed to get Durable handle state\n");
+ err = -EBADF;
+ goto out;
+ }
+
+ if (memcmp(d_info->fp->create_guid,
+ recon_v2->CreateGuid,
+ SMB2_CREATE_GUID_SIZE)) {
+ err = -EBADF;
+ goto out;
+ }
+ d_info->type = i;
+ d_info->reconnected = 1;
+ ksmbd_debug(SMB,
+ "reconnect v2 Persistent-id from reconnect = %llu\n",
+ persistent_id);
+ break;
+ }
+ case DURABLE_RECONN:
+ {
+ struct create_durable_reconn_req *recon;
+
+ if (d_info->type == DURABLE_RECONN_V2 ||
+ d_info->type == DURABLE_REQ_V2) {
+ err = -EINVAL;
+ goto out;
+ }
+
+ recon =
+ (struct create_durable_reconn_req *)context;
+ persistent_id = le64_to_cpu(
+ recon->Data.Fid.PersistentFileId);
+ d_info->fp = ksmbd_lookup_durable_fd(persistent_id);
+ if (!d_info->fp) {
+ ksmbd_err("Failed to get Durable handle state\n");
+ err = -EBADF;
+ goto out;
+ }
+ d_info->type = i;
+ d_info->reconnected = 1;
+ ksmbd_debug(SMB,
+ "reconnect Persistent-id from reconnect = %llu\n",
+ persistent_id);
+ break;
+ }
+ case DURABLE_REQ_V2:
+ {
+ struct create_durable_req_v2 *durable_v2_blob;
+
+ if (d_info->type == DURABLE_RECONN ||
+ d_info->type == DURABLE_RECONN_V2) {
+ err = -EINVAL;
+ goto out;
+ }
+
+ durable_v2_blob =
+ (struct create_durable_req_v2 *)context;
+ ksmbd_debug(SMB, "Request for durable v2 open\n");
+ d_info->fp = ksmbd_lookup_fd_cguid(
+ durable_v2_blob->CreateGuid);
+ if (d_info->fp) {
+ if (!memcmp(conn->ClientGUID,
+ d_info->fp->client_guid,
+ SMB2_CLIENT_GUID_SIZE)) {
+ if (!(req->hdr.Flags &
+ SMB2_FLAGS_REPLAY_OPERATIONS)) {
+ err = -ENOEXEC;
+ goto out;
+ }
+
+ d_info->fp->conn = conn;
+ d_info->reconnected = 1;
+ goto out;
+ }
+ }
+ if (((lc &&
+ (lc->req_state &
+ SMB2_LEASE_HANDLE_CACHING_LE)) ||
+ (req_op_level == SMB2_OPLOCK_LEVEL_BATCH))) {
+ d_info->CreateGuid =
+ durable_v2_blob->CreateGuid;
+ d_info->persistent =
+ le32_to_cpu(durable_v2_blob->Flags);
+ d_info->timeout =
+ le32_to_cpu(durable_v2_blob->Timeout);
+ d_info->type = i;
+ }
+ break;
+ }
+ case DURABLE_REQ:
+ if (d_info->type == DURABLE_RECONN)
+ goto out;
+ if (d_info->type == DURABLE_RECONN_V2 ||
+ d_info->type == DURABLE_REQ_V2) {
+ err = -EINVAL;
+ goto out;
+ }
+
+ if (((lc &&
+ (lc->req_state &
+ SMB2_LEASE_HANDLE_CACHING_LE)) ||
+ (req_op_level == SMB2_OPLOCK_LEVEL_BATCH))) {
+ ksmbd_debug(SMB, "Request for durable open\n");
+ d_info->type = i;
+ }
+ break;
+ case APP_INSTANCE_ID:
+ {
+ struct create_app_inst_id *inst_id;
+
+ inst_id = (struct create_app_inst_id *)context;
+ ksmbd_close_fd_app_id(work, inst_id->AppInstanceId);
+ d_info->app_id = inst_id->AppInstanceId;
+ break;
+ }
+ default:
+ break;
+ }
+ }
+
+out:
+
+ return err;
+}
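Review bot: Each case in parse_durable_handle_context() casts context to a fixed-size request struct (create_durable_reconn_v2_req, create_durable_reconn_req, create_durable_req_v2, create_app_inst_id) and reads fields from it with no length check in this function. Unless smb2_find_context_vals() guarantees the size, compare the context's DataLength with the size of the target struct before the cast. In the DURABLE_RECONN_V2 case, the CreateGuid mismatch exits with d_info->fp still set to the handle returned by ksmbd_lookup_durable_fd(); clear it, and drop any reference the lookup took, so the caller cannot use a handle that failed the check.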
+
+/**
+ * smb2_set_ea() - handler for setting extended attributes using set
+ * info command
+ * @eabuf: set info command buffer
+ * @path: dentry path for get ea
+ *
+ * Return: 0 on success, otherwise error
+ */
+static int smb2_set_ea(struct smb2_ea_info *eabuf, struct path *path)
+{
+ char *attr_name = NULL, *value;
+ int rc = 0;
+ int next = 0;
+
+ attr_name = kmalloc(XATTR_NAME_MAX + 1, GFP_KERNEL);
+ if (!attr_name)
+ return -ENOMEM;
+
+ do {
+ if (!eabuf->EaNameLength)
+ goto next;
+
+ ksmbd_debug(SMB,
+ "name : <%s>, name_len : %u, value_len : %u, next : %u\n",
+ eabuf->name, eabuf->EaNameLength,
+ le16_to_cpu(eabuf->EaValueLength),
+ le32_to_cpu(eabuf->NextEntryOffset));
+
+ if (eabuf->EaNameLength >
+ (XATTR_NAME_MAX - XATTR_USER_PREFIX_LEN)) {
+ rc = -EINVAL;
+ break;
+ }
+
+ memcpy(attr_name, XATTR_USER_PREFIX, XATTR_USER_PREFIX_LEN);
+ memcpy(&attr_name[XATTR_USER_PREFIX_LEN], eabuf->name,
+ eabuf->EaNameLength);
+ attr_name[XATTR_USER_PREFIX_LEN + eabuf->EaNameLength] = '\0';
+ value = (char *)&eabuf->name + eabuf->EaNameLength + 1;
+
+ if (!eabuf->EaValueLength) {
+ rc = ksmbd_vfs_casexattr_len(path->dentry,
+ attr_name,
+ XATTR_USER_PREFIX_LEN +
+ eabuf->EaNameLength);
+
+ /* delete the EA only when it exits */
+ if (rc > 0) {
+ rc = ksmbd_vfs_remove_xattr(path->dentry,
+ attr_name);
+
+ if (rc < 0) {
+ ksmbd_debug(SMB,
+ "remove xattr failed(%d)\n",
+ rc);
+ break;
+ }
+ }
+
+ /* if the EA doesn't exist, just do nothing. */
+ rc = 0;
+ } else {
+ rc = ksmbd_vfs_setxattr(path->dentry, attr_name, value,
+ le16_to_cpu(eabuf->EaValueLength), 0);
+ if (rc < 0) {
+ ksmbd_debug(SMB,
+ "ksmbd_vfs_setxattr is failed(%d)\n",
+ rc);
+ break;
+ }
+ }
+
+next:
+ next = le32_to_cpu(eabuf->NextEntryOffset);
+ eabuf = (struct smb2_ea_info *)((char *)eabuf + next);
+ } while (next != 0);
+
+ kfree(attr_name);
+ return rc;
+}
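Review bot: smb2_set_ea() takes no buffer length, so the do/while loop trusts eabuf->NextEntryOffset, EaNameLength and EaValueLength as sent by the client: eabuf is advanced by next, and name and value are read, with nothing confirming they stay inside the set-info buffer. Pass the buffer length in and check for every entry that the fixed header, EaNameLength + 1 + EaValueLength, and NextEntryOffset all fit in the bytes that remain. The ksmbd_debug() call also prints eabuf->name with %s before any of these checks, which relies on the client having NUL-terminated it.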
+
+static inline int check_context_err(void *ctx, char *str)
+{
+ int err;
+
+ err = PTR_ERR(ctx);
+ ksmbd_debug(SMB, "find context %s err %d\n", str, err);
+
+ if (err == -EINVAL) {
+ ksmbd_err("bad name length\n");
+ return err;
+ }
+
+ return 0;
+}
+
+static noinline int smb2_set_stream_name_xattr(struct path *path,
+ struct ksmbd_file *fp,
+ char *stream_name,
+ int s_type)
+{
+ size_t xattr_stream_size;
+ char *xattr_stream_name;
+ int rc;
+
+ rc = ksmbd_vfs_xattr_stream_name(stream_name,
+ &xattr_stream_name,
+ &xattr_stream_size,
+ s_type);
+ if (rc)
+ return rc;
+
+ fp->stream.name = xattr_stream_name;
+ fp->stream.size = xattr_stream_size;
+
+ /* Check if there is stream prefix in xattr space */
+ rc = ksmbd_vfs_casexattr_len(path->dentry,
+ xattr_stream_name,
+ xattr_stream_size);
+ if (rc >= 0)
+ return 0;
+
+ if (fp->cdoption == FILE_OPEN_LE) {
+ ksmbd_debug(SMB, "XATTR stream name lookup failed: %d\n", rc);
+ return -EBADF;
+ }
+
+ rc = ksmbd_vfs_setxattr(path->dentry, xattr_stream_name, NULL, 0, 0);
+ if (rc < 0)
+ ksmbd_err("Failed to store XATTR stream name :%d\n", rc);
+ return 0;
+}
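Review bot: When ksmbd_vfs_setxattr() fails at the end of smb2_set_stream_name_xattr(), the error is logged but the function still returns 0, so the caller continues as if the stream xattr had been stored. Return rc on that path, or add a comment explaining why the failure is safe to ignore.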
+
+static int smb2_remove_smb_xattrs(struct dentry *dentry)
+{
+ char *name, *xattr_list = NULL;
+ ssize_t xattr_list_len;
+ int err = 0;
+
+ xattr_list_len = ksmbd_vfs_listxattr(dentry, &xattr_list);
+ if (xattr_list_len < 0) {
+ goto out;
+ } else if (!xattr_list_len) {
+ ksmbd_debug(SMB, "empty xattr in the file\n");
+ goto out;
+ }
+
+ for (name = xattr_list; name - xattr_list < xattr_list_len;
+ name += strlen(name) + 1) {
+ ksmbd_debug(SMB, "%s, len %zd\n", name, strlen(name));
+
+ if (strncmp(name, XATTR_USER_PREFIX, XATTR_USER_PREFIX_LEN) &&
+ strncmp(&name[XATTR_USER_PREFIX_LEN],
+ DOS_ATTRIBUTE_PREFIX,
+ DOS_ATTRIBUTE_PREFIX_LEN) &&
+ strncmp(&name[XATTR_USER_PREFIX_LEN],
+ STREAM_PREFIX,
+ STREAM_PREFIX_LEN))
+ continue;
+
+ err = ksmbd_vfs_remove_xattr(dentry, name);
+ if (err)
+ ksmbd_debug(SMB, "remove xattr failed : %s\n", name);
+ }
+out:
+ ksmbd_vfs_xattr_free(xattr_list);
+ return err;
+}
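Review bot: The filter in the smb2_remove_smb_xattrs() loop joins three strncmp() results with &&, so continue is taken only when none of them match: every xattr that starts with XATTR_USER_PREFIX is removed whether or not DOS_ATTRIBUTE_PREFIX or STREAM_PREFIX follows, and for names without the user prefix &name[XATTR_USER_PREFIX_LEN] is compared even when the name is shorter than that prefix. If the intent is to remove only the attributes this server owns, skip an entry when the user prefix is absent or when neither sub-prefix follows it. The xattr_list_len < 0 branch also leaves err at 0, which hides the ksmbd_vfs_listxattr() failure from smb2_create_truncate().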
+
+static int smb2_create_truncate(struct path *path)
+{
+ int rc = vfs_truncate(path, 0);
+
+ if (rc) {
+ ksmbd_err("vfs_truncate failed, rc %d\n", rc);
+ return rc;
+ }
+
+ rc = smb2_remove_smb_xattrs(path->dentry);
+ if (rc == -EOPNOTSUPP)
+ rc = 0;
+ if (rc)
+ ksmbd_debug(SMB,
+ "ksmbd_truncate_stream_name_xattr failed, rc %d\n",
+ rc);
+ return rc;
+}
+
+static void smb2_new_xattrs(struct ksmbd_tree_connect *tcon,
+ struct path *path,
+ struct ksmbd_file *fp)
+{
+ struct xattr_dos_attrib da = {0};
+ int rc;
+
+ if (!test_share_config_flag(tcon->share_conf,
+ KSMBD_SHARE_FLAG_STORE_DOS_ATTRS))
+ return;
+
+ da.version = 4;
+ da.attr = le32_to_cpu(fp->f_ci->m_fattr);
+ da.itime = da.create_time = fp->create_time;
+ da.flags = XATTR_DOSINFO_ATTRIB | XATTR_DOSINFO_CREATE_TIME |
+ XATTR_DOSINFO_ITIME;
+
+ rc = ksmbd_vfs_set_dos_attrib_xattr(path->dentry, &da);
+ if (rc)
+ ksmbd_debug(SMB, "failed to store file attribute into xattr\n");
+}
+
+static void smb2_update_xattrs(struct ksmbd_tree_connect *tcon,
+ struct path *path,
+ struct ksmbd_file *fp)
+{
+ struct xattr_dos_attrib da;
+ int rc;
+
+ fp->f_ci->m_fattr &= ~(ATTR_HIDDEN_LE | ATTR_SYSTEM_LE);
+
+ /* get FileAttributes from XATTR_NAME_DOS_ATTRIBUTE */
+ if (!test_share_config_flag(tcon->share_conf,
+ KSMBD_SHARE_FLAG_STORE_DOS_ATTRS))
+ return;
+
+ rc = ksmbd_vfs_get_dos_attrib_xattr(path->dentry, &da);
+ if (rc > 0) {
+ fp->f_ci->m_fattr = cpu_to_le32(da.attr);
+ fp->create_time = da.create_time;
+ fp->itime = da.itime;
+ }
+}
+
+static int smb2_creat(struct ksmbd_work *work,
+ struct path *path,
+ char *name,
+ int open_flags,
+ umode_t posix_mode,
+ bool is_dir)
+{
+ struct ksmbd_tree_connect *tcon = work->tcon;
+ struct ksmbd_share_config *share = tcon->share_conf;
+ umode_t mode;
+ int rc;
+
+ if (!(open_flags & O_CREAT))
+ return -EBADF;
+
+ ksmbd_debug(SMB, "file does not exist, so creating\n");
+ if (is_dir == true) {
+ ksmbd_debug(SMB, "creating directory\n");
+
+ mode = share_config_directory_mode(share, posix_mode);
+ rc = ksmbd_vfs_mkdir(work, name, mode);
+ if (rc)
+ return rc;
+ } else {
+ ksmbd_debug(SMB, "creating regular file\n");
+
+ mode = share_config_create_mode(share, posix_mode);
+ rc = ksmbd_vfs_create(work, name, mode);
+ if (rc)
+ return rc;
+ }
+
+ rc = ksmbd_vfs_kern_path(name, 0, path, 0);
+ if (rc) {
+ ksmbd_err("cannot get linux path (%s), err = %d\n",
+ name, rc);
+ return rc;
+ }
+ return 0;
+}
+
+static int smb2_create_sd_buffer(struct ksmbd_work *work,
+ struct smb2_create_req *req, struct dentry *dentry)
+{
+ struct create_context *context;
+ int rc = -ENOENT;
+
+ if (!req->CreateContextsOffset)
+ return rc;
+
+ /* Parse SD BUFFER create contexts */
+ context = smb2_find_context_vals(req, SMB2_CREATE_SD_BUFFER);
+ if (context && !IS_ERR(context)) {
+ struct create_sd_buf_req *sd_buf;
+
+ ksmbd_debug(SMB,
+ "Set ACLs using SMB2_CREATE_SD_BUFFER context\n");
+ sd_buf = (struct create_sd_buf_req *)context;
+ rc = set_info_sec(work->conn, work->tcon, dentry, &sd_buf->ntsd,
+ le32_to_cpu(sd_buf->ccontext.DataLength), true);
+ }
+
+ return rc;
+}
+
+/**
+ * smb2_open() - handler for smb file open request
+ * @work: smb work containing request buffer
+ *
+ * Return: 0 on success, otherwise error
+ */
+int smb2_open(struct ksmbd_work *work)
+{
+ struct ksmbd_conn *conn = work->conn;
+ struct ksmbd_session *sess = work->sess;
+ struct ksmbd_tree_connect *tcon = work->tcon;
+ struct smb2_create_req *req;
+ struct smb2_create_rsp *rsp, *rsp_org;
+ struct path path;
+ struct ksmbd_share_config *share = tcon->share_conf;
+ struct ksmbd_file *fp = NULL;
+ struct file *filp = NULL;
+ struct kstat stat;
+ struct create_context *context;
+ struct lease_ctx_info *lc = NULL;
+ struct create_ea_buf_req *ea_buf = NULL;
+ struct oplock_info *opinfo;
+ __le32 *next_ptr = NULL;
+ int req_op_level = 0, open_flags = 0, file_info = 0;
+ int rc = 0, len = 0;
+ int contxt_cnt = 0, query_disk_id = 0;
+ int maximal_access_ctxt = 0, posix_ctxt = 0;
+ int s_type = 0;
+ int next_off = 0;
+ char *name = NULL;
+ char *stream_name = NULL;
+ bool file_present = false, created = false, already_permitted = false;
+ struct durable_info d_info;
+ int share_ret, need_truncate = 0;
+ u64 time;
+ umode_t posix_mode = 0;
+ __le32 daccess, maximal_access = 0;
+
+ rsp_org = RESPONSE_BUF(work);
+ WORK_BUFFERS(work, req, rsp);
+
+ if (req->hdr.NextCommand && !work->next_smb2_rcv_hdr_off &&
+ (req->hdr.Flags & SMB2_FLAGS_RELATED_OPERATIONS)) {
+ ksmbd_debug(SMB, "invalid flag in chained command\n");
+ rsp->hdr.Status = STATUS_INVALID_PARAMETER;
+ smb2_set_err_rsp(work);
+ return -EINVAL;
+ }
+
+ if (test_share_config_flag(share, KSMBD_SHARE_FLAG_PIPE)) {
+ ksmbd_debug(SMB, "IPC pipe create request\n");
+ return create_smb2_pipe(work);
+ }
+
+ if (req->NameLength) {
+ if ((req->CreateOptions & FILE_DIRECTORY_FILE_LE) &&
+ *(char *)req->Buffer == '\\') {
+ ksmbd_err("not allow directory name included leadning slash\n");
+ rc = -EINVAL;
+ goto err_out1;
+ }
+
+ name = smb2_get_name(share,
+ req->Buffer,
+ le16_to_cpu(req->NameLength),
+ work->conn->local_nls);
+ if (IS_ERR(name)) {
+ rc = PTR_ERR(name);
+ if (rc != -ENOMEM)
+ rc = -ENOENT;
+ goto err_out1;
+ }
+
+ ksmbd_debug(SMB, "converted name = %s\n", name);
+ if (strchr(name, ':')) {
+ if (!test_share_config_flag(work->tcon->share_conf,
+ KSMBD_SHARE_FLAG_STREAMS)) {
+ rc = -EBADF;
+ goto err_out1;
+ }
+ rc = parse_stream_name(name, &stream_name, &s_type);
+ if (rc < 0)
+ goto err_out1;
+ }
+
+ rc = ksmbd_validate_filename(name);
+ if (rc < 0)
+ goto err_out1;
+
+ if (ksmbd_share_veto_filename(share, name)) {
+ rc = -ENOENT;
+ ksmbd_debug(SMB, "Reject open(), vetoed file: %s\n",
+ name);
+ goto err_out1;
+ }
+ } else {
+ len = strlen(share->path);
+ ksmbd_debug(SMB, "share path len %d\n", len);
+ name = kmalloc(len + 1, GFP_KERNEL);
+ if (!name) {
+ rsp->hdr.Status = STATUS_NO_MEMORY;
+ rc = -ENOMEM;
+ goto err_out1;
+ }
+
+ memcpy(name, share->path, len);
+ *(name + len) = '\0';
+ }
+
+ req_op_level = req->RequestedOplockLevel;
+ memset(&d_info, 0, sizeof(struct durable_info));
+ if (server_conf.flags & KSMBD_GLOBAL_FLAG_DURABLE_HANDLE &&
+ req->CreateContextsOffset) {
+ lc = parse_lease_state(req);
+ rc = parse_durable_handle_context(work, req, lc, &d_info);
+ if (rc) {
+ ksmbd_err("error parsing durable handle context\n");
+ goto err_out1;
+ }
+
+ if (d_info.reconnected) {
+ fp = d_info.fp;
+ rc = smb2_check_durable_oplock(d_info.fp, lc, name);
+ if (rc)
+ goto err_out1;
+ rc = ksmbd_reopen_durable_fd(work, d_info.fp);
+ if (rc)
+ goto err_out1;
+ if (ksmbd_override_fsids(work)) {
+ rc = -ENOMEM;
+ goto err_out1;
+ }
+ file_info = FILE_OPENED;
+ fp = d_info.fp;
+ goto reconnected;
+ }
+ } else {
+ if (req_op_level == SMB2_OPLOCK_LEVEL_LEASE)
+ lc = parse_lease_state(req);
+ }
+
+ if (le32_to_cpu(req->ImpersonationLevel) >
+ le32_to_cpu(IL_DELEGATE_LE)) {
+ ksmbd_err("Invalid impersonationlevel : 0x%x\n",
+ le32_to_cpu(req->ImpersonationLevel));
+ rc = -EIO;
+ rsp->hdr.Status = STATUS_BAD_IMPERSONATION_LEVEL;
+ goto err_out1;
+ }
+
+ if (req->CreateOptions && !(req->CreateOptions & CREATE_OPTIONS_MASK)) {
+ ksmbd_err("Invalid create options : 0x%x\n",
+ le32_to_cpu(req->CreateOptions));
+ rc = -EINVAL;
+ goto err_out1;
+ } else {
+
+ if (req->CreateOptions & FILE_SEQUENTIAL_ONLY_LE &&
+ req->CreateOptions & FILE_RANDOM_ACCESS_LE)
+ req->CreateOptions = ~(FILE_SEQUENTIAL_ONLY_LE);
+
+ if (req->CreateOptions & (FILE_OPEN_BY_FILE_ID_LE |
+ CREATE_TREE_CONNECTION | FILE_RESERVE_OPFILTER_LE)) {
+ rc = -EOPNOTSUPP;
+ goto err_out1;
+ }
+
+ if (req->CreateOptions & FILE_DIRECTORY_FILE_LE) {
+ if (req->CreateOptions & FILE_NON_DIRECTORY_FILE_LE) {
+ rc = -EINVAL;
+ goto err_out1;
+ } else if (req->CreateOptions & FILE_NO_COMPRESSION_LE)
+ req->CreateOptions = ~(FILE_NO_COMPRESSION_LE);
+ }
+ }
+
+ if (le32_to_cpu(req->CreateDisposition) >
+ le32_to_cpu(FILE_OVERWRITE_IF_LE)) {
+ ksmbd_err("Invalid create disposition : 0x%x\n",
+ le32_to_cpu(req->CreateDisposition));
+ rc = -EINVAL;
+ goto err_out1;
+ }
+
+ if (!(req->DesiredAccess & DESIRED_ACCESS_MASK)) {
+ ksmbd_err("Invalid disired access : 0x%x\n",
+ le32_to_cpu(req->DesiredAccess));
+ rc = -EACCES;
+ goto err_out1;
+ }
+
+ if (req->FileAttributes &&
+ !(req->FileAttributes & ATTR_MASK_LE)) {
+ ksmbd_err("Invalid file attribute : 0x%x\n",
+ le32_to_cpu(req->FileAttributes));
+ rc = -EINVAL;
+ goto err_out1;
+ }
+
+ if (req->CreateContextsOffset) {
+ /* Parse non-durable handle create contexts */
+ context = smb2_find_context_vals(req, SMB2_CREATE_EA_BUFFER);
+ if (IS_ERR(context)) {
+ rc = check_context_err(context, SMB2_CREATE_EA_BUFFER);
+ if (rc < 0)
+ goto err_out1;
+ } else {
+ ea_buf = (struct create_ea_buf_req *)context;
+ if (req->CreateOptions & FILE_NO_EA_KNOWLEDGE_LE) {
+ rsp->hdr.Status = STATUS_ACCESS_DENIED;
+ rc = -EACCES;
+ goto err_out1;
+ }
+ }
+
+ context = smb2_find_context_vals(req,
+ SMB2_CREATE_QUERY_MAXIMAL_ACCESS_REQUEST);
+ if (IS_ERR(context)) {
+ rc = check_context_err(context,
+ SMB2_CREATE_QUERY_MAXIMAL_ACCESS_REQUEST);
+ if (rc < 0)
+ goto err_out1;
+ } else {
+ ksmbd_debug(SMB,
+ "get query maximal access context\n");
+ maximal_access_ctxt = 1;
+ }
+
+ context = smb2_find_context_vals(req,
+ SMB2_CREATE_TIMEWARP_REQUEST);
+ if (IS_ERR(context)) {
+ rc = check_context_err(context,
+ SMB2_CREATE_TIMEWARP_REQUEST);
+ if (rc < 0)
+ goto err_out1;
+ } else {
+ ksmbd_debug(SMB, "get timewarp context\n");
+ rc = -EBADF;
+ goto err_out1;
+ }
+
+ if (tcon->posix_extensions) {
+ context = smb2_find_context_vals(req,
+ SMB2_CREATE_TAG_POSIX);
+ if (IS_ERR(context)) {
+ rc = check_context_err(context,
+ SMB2_CREATE_TAG_POSIX);
+ if (rc < 0)
+ goto err_out1;
+ } else {
+ struct create_posix *posix =
+ (struct create_posix *)context;
+ ksmbd_debug(SMB, "get posix context\n");
+
+ posix_mode = le32_to_cpu(posix->Mode);
+ posix_ctxt = 1;
+ }
+ }
+ }
+
+ if (ksmbd_override_fsids(work)) {
+ rc = -ENOMEM;
+ goto err_out1;
+ }
+
+ if (req->CreateOptions & FILE_DELETE_ON_CLOSE_LE) {
+ /*
+ * On delete request, instead of following up, need to
+ * look the current entity
+ */
+ rc = ksmbd_vfs_kern_path(name, 0, &path, 1);
+ if (!rc) {
+ /*
+ * If file exists with under flags, return access
+ * denied error.
+ */
+ if (req->CreateDisposition == FILE_OVERWRITE_IF_LE ||
+ req->CreateDisposition == FILE_OPEN_IF_LE) {
+ rc = -EACCES;
+ path_put(&path);
+ goto err_out;
+ }
+
+ if (!test_tree_conn_flag(tcon,
+ KSMBD_TREE_CONN_FLAG_WRITABLE)) {
+ ksmbd_debug(SMB,
+ "User does not have write permission\n");
+ rc = -EACCES;
+ path_put(&path);
+ goto err_out;
+ }
+ }
+ } else {
+ if (test_share_config_flag(work->tcon->share_conf,
+ KSMBD_SHARE_FLAG_FOLLOW_SYMLINKS)) {
+ /*
+ * Use LOOKUP_FOLLOW to follow the path of
+ * symlink in path buildup
+ */
+ rc = ksmbd_vfs_kern_path(name, LOOKUP_FOLLOW, &path, 1);
+ if (rc) { /* Case for broken link ?*/
+ rc = ksmbd_vfs_kern_path(name, 0, &path, 1);
+ }
+ } else {
+ rc = ksmbd_vfs_kern_path(name, 0, &path, 1);
+ if (!rc && d_is_symlink(path.dentry)) {
+ rc = -EACCES;
+ path_put(&path);
+ goto err_out;
+ }
+ }
+ }
+
+ if (rc) {
+ if (rc == -EACCES) {
+ ksmbd_debug(SMB,
+ "User does not have right permission\n");
+ goto err_out;
+ }
+ ksmbd_debug(SMB, "can not get linux path for %s, rc = %d\n",
+ name, rc);
+ rc = 0;
+ } else {
+ file_present = true;
+ generic_fillattr(&init_user_ns, d_inode(path.dentry), &stat);
+ }
+ if (stream_name) {
+ if (req->CreateOptions & FILE_DIRECTORY_FILE_LE) {
+ if (s_type == DATA_STREAM) {
+ rc = -EIO;
+ rsp->hdr.Status = STATUS_NOT_A_DIRECTORY;
+ }
+ } else {
+ if (S_ISDIR(stat.mode) && s_type == DATA_STREAM) {
+ rc = -EIO;
+ rsp->hdr.Status = STATUS_FILE_IS_A_DIRECTORY;
+ }
+ }
+
+ if (req->CreateOptions & FILE_DIRECTORY_FILE_LE &&
+ req->FileAttributes & ATTR_NORMAL_LE) {
+ rsp->hdr.Status = STATUS_NOT_A_DIRECTORY;
+ rc = -EIO;
+ }
+
+ if (rc < 0)
+ goto err_out;
+ }
+
+ if (file_present && req->CreateOptions & FILE_NON_DIRECTORY_FILE_LE
+ && S_ISDIR(stat.mode) &&
+ !(req->CreateOptions & FILE_DELETE_ON_CLOSE_LE)) {
+ ksmbd_debug(SMB, "open() argument is a directory: %s, %x\n",
+ name, req->CreateOptions);
+ rsp->hdr.Status = STATUS_FILE_IS_A_DIRECTORY;
+ rc = -EIO;
+ goto err_out;
+ }
+
+ if (file_present && (req->CreateOptions & FILE_DIRECTORY_FILE_LE) &&
+ !(req->CreateDisposition == FILE_CREATE_LE) &&
+ !S_ISDIR(stat.mode)) {
+ rsp->hdr.Status = STATUS_NOT_A_DIRECTORY;
+ rc = -EIO;
+ goto err_out;
+ }
+
+ if (!stream_name && file_present &&
+ (req->CreateDisposition == FILE_CREATE_LE)) {
+ rc = -EEXIST;
+ goto err_out;
+ }
+
+ if (server_conf.flags & KSMBD_GLOBAL_FLAG_DURABLE_HANDLE &&
+ file_present)
+ file_present = ksmbd_close_inode_fds(work,
+ d_inode(path.dentry));
+
+ daccess = smb_map_generic_desired_access(req->DesiredAccess);
+
+ if (file_present && !(req->CreateOptions & FILE_DELETE_ON_CLOSE_LE)) {
+ rc = smb_check_perm_dacl(conn, path.dentry, &daccess,
+ sess->user->uid);
+ if (rc)
+ goto err_out;
+ }
+
+ if (daccess & FILE_MAXIMAL_ACCESS_LE) {
+ if (!file_present) {
+ daccess = cpu_to_le32(GENERIC_ALL_FLAGS);
+ } else {
+ rc = ksmbd_vfs_query_maximal_access(path.dentry,
+ &daccess);
+ if (rc)
+ goto err_out;
+ already_permitted = true;
+ }
+ maximal_access = daccess;
+ }
+
+ open_flags = smb2_create_open_flags(file_present,
+ daccess, req->CreateDisposition);
+
+ if (!test_tree_conn_flag(tcon, KSMBD_TREE_CONN_FLAG_WRITABLE)) {
+ if (open_flags & O_CREAT) {
+ ksmbd_debug(SMB,
+ "User does not have write permission\n");
+ rc = -EACCES;
+ goto err_out;
+ }
+ }
+
+ /*create file if not present */
+ if (!file_present) {
+ rc = smb2_creat(work, &path, name, open_flags, posix_mode,
+ req->CreateOptions & FILE_DIRECTORY_FILE_LE);
+ if (rc)
+ goto err_out;
+
+ created = true;
+ if (ea_buf) {
+ rc = smb2_set_ea(&ea_buf->ea, &path);
+ if (rc == -EOPNOTSUPP)
+ rc = 0;
+ else if (rc)
+ goto err_out;
+ }
+ } else if (!already_permitted) {
+ bool may_delete;
+
+ may_delete = daccess & FILE_DELETE_LE ||
+ req->CreateOptions & FILE_DELETE_ON_CLOSE_LE;
+
+ /* FILE_READ_ATTRIBUTE is allowed without inode_permission,
+ * because execute(search) permission on a parent directory,
+ * is already granted.
+ */
+ if (daccess & ~(FILE_READ_ATTRIBUTES_LE |
+ FILE_READ_CONTROL_LE)) {
+ if (ksmbd_vfs_inode_permission(path.dentry,
+ open_flags & O_ACCMODE, may_delete)) {
+ rc = -EACCES;
+ goto err_out;
+ }
+ }
+ }
+
+ rc = ksmbd_query_inode_status(d_inode(path.dentry->d_parent));
+ if (rc == KSMBD_INODE_STATUS_PENDING_DELETE) {
+ rc = -EBUSY;
+ goto err_out;
+ }
+
+ rc = 0;
+ filp = dentry_open(&path, open_flags, current_cred());
+ if (IS_ERR(filp)) {
+ rc = PTR_ERR(filp);
+ ksmbd_err("dentry open for dir failed, rc %d\n", rc);
+ goto err_out;
+ }
+
+ if (file_present) {
+ if (!(open_flags & O_TRUNC))
+ file_info = FILE_OPENED;
+ else
+ file_info = FILE_OVERWRITTEN;
+
+ if ((req->CreateDisposition & FILE_CREATE_MASK_LE)
+ == FILE_SUPERSEDE_LE)
+ file_info = FILE_SUPERSEDED;
+ } else if (open_flags & O_CREAT)
+ file_info = FILE_CREATED;
+
+ ksmbd_vfs_set_fadvise(filp, req->CreateOptions);
+
+ /* Obtain Volatile-ID */
+ fp = ksmbd_open_fd(work, filp);
+ if (IS_ERR(fp)) {
+ fput(filp);
+ rc = PTR_ERR(fp);
+ fp = NULL;
+ goto err_out;
+ }
+
+ /* Get Persistent-ID */
+ ksmbd_open_durable_fd(fp);
+ if (!HAS_FILE_ID(fp->persistent_id)) {
+ rc = -ENOMEM;
+ goto err_out;
+ }
+
+ fp->filename = name;
+ fp->cdoption = req->CreateDisposition;
+ fp->daccess = daccess;
+ fp->saccess = req->ShareAccess;
+ fp->coption = req->CreateOptions;
+
+ /* Set default windows and posix acls if creating new file */
+ if (created) {
+ int posix_acl_rc;
+ struct inode *inode = path.dentry->d_inode;
+
+ posix_acl_rc = ksmbd_vfs_inherit_posix_acl(inode, path.dentry->d_parent->d_inode);
+ if (posix_acl_rc)
+ ksmbd_debug(SMB, "inherit posix acl failed : %d\n", posix_acl_rc);
+
+ if (test_share_config_flag(work->tcon->share_conf,
+ KSMBD_SHARE_FLAG_ACL_XATTR)) {
+ rc = smb_inherit_dacl(conn, path.dentry, sess->user->uid,
+ sess->user->gid);
+ }
+
+ if (rc) {
+ rc = smb2_create_sd_buffer(work, req, path.dentry);
+ if (rc) {
+ if (posix_acl_rc)
+ ksmbd_vfs_set_init_posix_acl(inode);
+
+ if (test_share_config_flag(work->tcon->share_conf,
+ KSMBD_SHARE_FLAG_ACL_XATTR)) {
+ struct smb_fattr fattr;
+ struct smb_ntsd *pntsd;
+ int pntsd_size, ace_num;
+
+ fattr.cf_uid = inode->i_uid;
+ fattr.cf_gid = inode->i_gid;
+ fattr.cf_mode = inode->i_mode;
+ fattr.cf_dacls = NULL;
+
+ fattr.cf_acls = ksmbd_vfs_get_acl(inode, ACL_TYPE_ACCESS);
+ ace_num = fattr.cf_acls->a_count;
+ if (S_ISDIR(inode->i_mode)) {
+ fattr.cf_dacls =
+ ksmbd_vfs_get_acl(inode, ACL_TYPE_DEFAULT);
+ ace_num += fattr.cf_dacls->a_count;
+ }
+
+ pntsd = kmalloc(sizeof(struct smb_ntsd) +
+ sizeof(struct smb_sid)*3 +
+ sizeof(struct smb_acl) +
+ sizeof(struct smb_ace)*ace_num*2,
+ GFP_KERNEL);
+ if (!pntsd)
+ goto err_out;
+
+ rc = build_sec_desc(pntsd, NULL,
+ OWNER_SECINFO | GROUP_SECINFO | DACL_SECINFO,
+ &pntsd_size, &fattr);
+ posix_acl_release(fattr.cf_acls);
+ posix_acl_release(fattr.cf_dacls);
+
+ rc = ksmbd_vfs_set_sd_xattr(conn,
+ path.dentry, pntsd, pntsd_size);
+ if (rc)
+ ksmbd_err("failed to store ntacl in xattr : %d\n",
+ rc);
+ }
+ }
+ }
+ rc = 0;
+ }
+
+ if (stream_name) {
+ rc = smb2_set_stream_name_xattr(&path,
+ fp,
+ stream_name,
+ s_type);
+ if (rc)
+ goto err_out;
+ file_info = FILE_CREATED;
+ }
+
+ fp->attrib_only = !(req->DesiredAccess & ~(FILE_READ_ATTRIBUTES_LE |
+ FILE_WRITE_ATTRIBUTES_LE | FILE_SYNCHRONIZE_LE));
+ if (!S_ISDIR(file_inode(filp)->i_mode) && open_flags & O_TRUNC
+ && !fp->attrib_only && !stream_name) {
+ smb_break_all_oplock(work, fp);
+ need_truncate = 1;
+ }
+
+ /* fp should be searchable through ksmbd_inode.m_fp_list
+ * after daccess, saccess, attrib_only, and stream are
+ * initialized.
+ */
+ write_lock(&fp->f_ci->m_lock);
+ list_add(&fp->node, &fp->f_ci->m_fp_list);
+ write_unlock(&fp->f_ci->m_lock);
+
+ rc = ksmbd_vfs_getattr(&path, &stat);
+ if (rc) {
+ generic_fillattr(&init_user_ns, d_inode(path.dentry), &stat);
+ rc = 0;
+ }
+
+ /* Check delete pending among previous fp before oplock break */
+ if (ksmbd_inode_pending_delete(fp)) {
+ rc = -EBUSY;
+ goto err_out;
+ }
+
+ share_ret = ksmbd_smb_check_shared_mode(fp->filp, fp);
+ if (!test_share_config_flag(work->tcon->share_conf,
+ KSMBD_SHARE_FLAG_OPLOCKS) ||
+ (req_op_level == SMB2_OPLOCK_LEVEL_LEASE &&
+ !(conn->vals->capabilities & SMB2_GLOBAL_CAP_LEASING))) {
+ if (share_ret < 0 && !S_ISDIR(FP_INODE(fp)->i_mode)) {
+ rc = share_ret;
+ goto err_out;
+ }
+ } else {
+ if (req_op_level == SMB2_OPLOCK_LEVEL_LEASE) {
+ req_op_level = smb2_map_lease_to_oplock(lc->req_state);
+ ksmbd_debug(SMB,
+ "lease req for(%s) req oplock state 0x%x, lease state 0x%x\n",
+ name, req_op_level, lc->req_state);
+ rc = find_same_lease_key(sess, fp->f_ci, lc);
+ if (rc)
+ goto err_out;
+ } else if (open_flags == O_RDONLY &&
+ (req_op_level == SMB2_OPLOCK_LEVEL_BATCH ||
+ req_op_level == SMB2_OPLOCK_LEVEL_EXCLUSIVE))
+ req_op_level = SMB2_OPLOCK_LEVEL_II;
+
+ rc = smb_grant_oplock(work, req_op_level,
+ fp->persistent_id, fp,
+ le32_to_cpu(req->hdr.Id.SyncId.TreeId),
+ lc, share_ret);
+ if (rc < 0)
+ goto err_out;
+ }
+
+ if (req->CreateOptions & FILE_DELETE_ON_CLOSE_LE)
+ ksmbd_fd_set_delete_on_close(fp, file_info);
+
+ if (need_truncate) {
+ rc = smb2_create_truncate(&path);
+ if (rc)
+ goto err_out;
+ }
+
+ if (req->CreateContextsOffset) {
+ struct create_alloc_size_req *az_req;
+
+ az_req = (struct create_alloc_size_req *)
+ smb2_find_context_vals(req,
+ SMB2_CREATE_ALLOCATION_SIZE);
+ if (IS_ERR(az_req)) {
+ rc = check_context_err(az_req,
+ SMB2_CREATE_ALLOCATION_SIZE);
+ if (rc < 0)
+ goto err_out;
+ } else {
+ loff_t alloc_size = le64_to_cpu(az_req->AllocationSize);
+ int err;
+
+ ksmbd_debug(SMB,
+ "request smb2 create allocate size : %llu\n",
+ alloc_size);
+ err = ksmbd_vfs_alloc_size(work, fp, alloc_size);
+ if (err < 0)
+ ksmbd_debug(SMB,
+ "ksmbd_vfs_alloc_size is failed : %d\n",
+ err);
+ }
+
+ context = smb2_find_context_vals(req,
+ SMB2_CREATE_QUERY_ON_DISK_ID);
+ if (IS_ERR(context)) {
+ rc = check_context_err(context,
+ SMB2_CREATE_QUERY_ON_DISK_ID);
+ if (rc < 0)
+ goto err_out;
+ } else {
+ ksmbd_debug(SMB, "get query on disk id context\n");
+ query_disk_id = 1;
+ }
+ }
+
+ if (stat.result_mask & STATX_BTIME)
+ fp->create_time = ksmbd_UnixTimeToNT(stat.btime);
+ else
+ fp->create_time = ksmbd_UnixTimeToNT(stat.ctime);
+ if (req->FileAttributes || fp->f_ci->m_fattr == 0)
+ fp->f_ci->m_fattr = cpu_to_le32(smb2_get_dos_mode(&stat,
+ le32_to_cpu(req->FileAttributes)));
+
+ if (!created)
+ smb2_update_xattrs(tcon, &path, fp);
+ else
+ smb2_new_xattrs(tcon, &path, fp);
+
+ memcpy(fp->client_guid, conn->ClientGUID, SMB2_CLIENT_GUID_SIZE);
+
+ if (d_info.type) {
+ if (d_info.type == DURABLE_REQ_V2 &&
+ d_info.persistent)
+ fp->is_persistent = 1;
+ else
+ fp->is_durable = 1;
+
+ if (d_info.type == DURABLE_REQ_V2) {
+ memcpy(fp->create_guid, d_info.CreateGuid,
+ SMB2_CREATE_GUID_SIZE);
+ if (d_info.timeout)
+ fp->durable_timeout = d_info.timeout;
+ else
+ fp->durable_timeout = 1600;
+ if (d_info.app_id)
+ memcpy(fp->app_instance_id,
+ d_info.app_id, 16);
+ }
+ }
+
+reconnected:
+ generic_fillattr(&init_user_ns, FP_INODE(fp), &stat);
+
+ rsp->StructureSize = cpu_to_le16(89);
+ rcu_read_lock();
+ opinfo = rcu_dereference(fp->f_opinfo);
+ rsp->OplockLevel = opinfo != NULL ? opinfo->level : 0;
+ rcu_read_unlock();
+ rsp->Reserved = 0;
+ rsp->CreateAction = cpu_to_le32(file_info);
+ rsp->CreationTime = cpu_to_le64(fp->create_time);
+ time = ksmbd_UnixTimeToNT(stat.atime);
+ rsp->LastAccessTime = cpu_to_le64(time);
+ time = ksmbd_UnixTimeToNT(stat.mtime);
+ rsp->LastWriteTime = cpu_to_le64(time);
+ time = ksmbd_UnixTimeToNT(stat.ctime);
+ rsp->ChangeTime = cpu_to_le64(time);
+ rsp->AllocationSize = S_ISDIR(stat.mode) ? 0 :
+ cpu_to_le64(stat.blocks << 9);
+ rsp->EndofFile = S_ISDIR(stat.mode) ? 0 : cpu_to_le64(stat.size);
+ rsp->FileAttributes = fp->f_ci->m_fattr;
+
+ rsp->Reserved2 = 0;
+
+ rsp->PersistentFileId = cpu_to_le64(fp->persistent_id);
+ rsp->VolatileFileId = cpu_to_le64(fp->volatile_id);
+
+ rsp->CreateContextsOffset = 0;
+ rsp->CreateContextsLength = 0;
+ inc_rfc1001_len(rsp_org, 88); /* StructureSize - 1*/
+
+ /* If lease is request send lease context response */
+ if (opinfo && opinfo->is_lease) {
+ struct create_context *lease_ccontext;
+
+ ksmbd_debug(SMB, "lease granted on(%s) lease state 0x%x\n",
+ name, opinfo->o_lease->state);
+ rsp->OplockLevel = SMB2_OPLOCK_LEVEL_LEASE;
+
+ lease_ccontext = (struct create_context *)rsp->Buffer;
+ contxt_cnt++;
+ create_lease_buf(rsp->Buffer, opinfo->o_lease);
+ le32_add_cpu(&rsp->CreateContextsLength,
+ conn->vals->create_lease_size);
+ inc_rfc1001_len(rsp_org, conn->vals->create_lease_size);
+ next_ptr = &lease_ccontext->Next;
+ next_off = conn->vals->create_lease_size;
+ }
+
+ if (d_info.type == DURABLE_REQ || d_info.type == DURABLE_REQ_V2) {
+ struct create_context *durable_ccontext;
+
+ durable_ccontext = (struct create_context *)(rsp->Buffer +
+ le32_to_cpu(rsp->CreateContextsLength));
+ contxt_cnt++;
+ if (d_info.type == DURABLE_REQ) {
+ create_durable_rsp_buf(rsp->Buffer +
+ le32_to_cpu(rsp->CreateContextsLength));
+ le32_add_cpu(&rsp->CreateContextsLength,
+ conn->vals->create_durable_size);
+ inc_rfc1001_len(rsp_org,
+ conn->vals->create_durable_size);
+ } else {
+ create_durable_v2_rsp_buf(rsp->Buffer +
+ le32_to_cpu(rsp->CreateContextsLength),
+ fp);
+ le32_add_cpu(&rsp->CreateContextsLength,
+ conn->vals->create_durable_v2_size);
+ inc_rfc1001_len(rsp_org,
+ conn->vals->create_durable_v2_size);
+ }
+
+ if (next_ptr)
+ *next_ptr = cpu_to_le32(next_off);
+ next_ptr = &durable_ccontext->Next;
+ next_off = conn->vals->create_durable_size;
+ }
+
+ if (maximal_access_ctxt) {
+ struct create_context *mxac_ccontext;
+
+ if (maximal_access == 0)
+ ksmbd_vfs_query_maximal_access(path.dentry,
+ &maximal_access);
+ mxac_ccontext = (struct create_context *)(rsp->Buffer +
+ le32_to_cpu(rsp->CreateContextsLength));
+ contxt_cnt++;
+ create_mxac_rsp_buf(rsp->Buffer +
+ le32_to_cpu(rsp->CreateContextsLength),
+ le32_to_cpu(maximal_access));
+ le32_add_cpu(&rsp->CreateContextsLength,
+ conn->vals->create_mxac_size);
+ inc_rfc1001_len(rsp_org, conn->vals->create_mxac_size);
+ if (next_ptr)
+ *next_ptr = cpu_to_le32(next_off);
+ next_ptr = &mxac_ccontext->Next;
+ next_off = conn->vals->create_mxac_size;
+ }
+
+ if (query_disk_id) {
+ struct create_context *disk_id_ccontext;
+
+ disk_id_ccontext = (struct create_context *)(rsp->Buffer +
+ le32_to_cpu(rsp->CreateContextsLength));
+ contxt_cnt++;
+ create_disk_id_rsp_buf(rsp->Buffer +
+ le32_to_cpu(rsp->CreateContextsLength),
+ stat.ino, tcon->id);
+ le32_add_cpu(&rsp->CreateContextsLength,
+ conn->vals->create_disk_id_size);
+ inc_rfc1001_len(rsp_org, conn->vals->create_disk_id_size);
+ if (next_ptr)
+ *next_ptr = cpu_to_le32(next_off);
+ next_ptr = &disk_id_ccontext->Next;
+ next_off = conn->vals->create_disk_id_size;
+ }
+
+ if (posix_ctxt) {
+ struct create_context *posix_ccontext;
+
+ posix_ccontext = (struct create_context *)(rsp->Buffer +
+ le32_to_cpu(rsp->CreateContextsLength));
+ contxt_cnt++;
+ create_posix_rsp_buf(rsp->Buffer +
+ le32_to_cpu(rsp->CreateContextsLength),
+ fp);
+ le32_add_cpu(&rsp->CreateContextsLength,
+ conn->vals->create_posix_size);
+ inc_rfc1001_len(rsp_org, conn->vals->create_posix_size);
+ if (next_ptr)
+ *next_ptr = cpu_to_le32(next_off);
+ }
+
+ if (contxt_cnt > 0) {
+ rsp->CreateContextsOffset =
+ cpu_to_le32(offsetof(struct smb2_create_rsp, Buffer)
+ - 4);
+ }
+
+err_out:
+ if (file_present || created)
+ path_put(&path);
+ ksmbd_revert_fsids(work);
+err_out1:
+ if (rc) {
+ if (rc == -EINVAL)
+ rsp->hdr.Status = STATUS_INVALID_PARAMETER;
+ else if (rc == -EOPNOTSUPP)
+ rsp->hdr.Status = STATUS_NOT_SUPPORTED;
+ else if (rc == -EACCES)
+ rsp->hdr.Status = STATUS_ACCESS_DENIED;
+ else if (rc == -ENOENT)
+ rsp->hdr.Status = STATUS_OBJECT_NAME_INVALID;
+ else if (rc == -EPERM)
+ rsp->hdr.Status = STATUS_SHARING_VIOLATION;
+ else if (rc == -EBUSY)
+ rsp->hdr.Status = STATUS_DELETE_PENDING;
+ else if (rc == -EBADF)
+ rsp->hdr.Status = STATUS_OBJECT_NAME_NOT_FOUND;
+ else if (rc == -ENOEXEC)
+ rsp->hdr.Status = STATUS_DUPLICATE_OBJECTID;
+ else if (rc == -ENXIO)
+ rsp->hdr.Status = STATUS_NO_SUCH_DEVICE;
+ else if (rc == -EEXIST)
+ rsp->hdr.Status = STATUS_OBJECT_NAME_COLLISION;
+ else if (rc == -EMFILE)
+ rsp->hdr.Status = STATUS_INSUFFICIENT_RESOURCES;
+ if (!rsp->hdr.Status)
+ rsp->hdr.Status = STATUS_UNEXPECTED_IO_ERROR;
+
+ if (!fp || !fp->filename)
+ kfree(name);
+ if (fp)
+ ksmbd_fd_put(work, fp);
+ smb2_set_err_rsp(work);
+ ksmbd_debug(SMB, "Error response: %x\n", rsp->hdr.Status);
+ }
+
+ kfree(lc);
+
+ return 0;
+}
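Review bot: in the CreateOptions validation of smb2_open(), `req->CreateOptions = ~(FILE_SEQUENTIAL_ONLY_LE);` and `req->CreateOptions = ~(FILE_NO_COMPRESSION_LE);` assign the complement of one flag to the whole field instead of clearing that flag, so every other option bit becomes set and the checks that follow (FILE_OPEN_BY_FILE_ID_LE, FILE_DIRECTORY_FILE_LE, FILE_DELETE_ON_CLOSE_LE) act on options the client never sent; both should be `&= ~(...)`. In the `if (created)` block, the results of ksmbd_vfs_get_acl() are dereferenced (`fattr.cf_acls->a_count`, `fattr.cf_dacls->a_count`) without a NULL or error check. The `if (!pntsd) goto err_out;` path leaves with the rc from smb2_create_sd_buffer() rather than -ENOMEM and without releasing the two ACLs. No kfree(pntsd) is visible after ksmbd_vfs_set_sd_xattr(), so it should be freed there unless that call takes ownership. When building the durable response context, `next_off = conn->vals->create_durable_size;` is used for both request types although the DURABLE_REQ_V2 branch advanced the buffer by create_durable_v2_size, so the Next offset written for the following context is wrong in the v2 case. Finally, the kernel-doc says "0 on success, otherwise error" but the function ends in an unconditional `return 0;`; please either return rc or document that errors are reported only through rsp->hdr.Status.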
+
+static int readdir_info_level_struct_sz(int info_level)
+{
+ switch (info_level) {
+ case FILE_FULL_DIRECTORY_INFORMATION:
+ return sizeof(struct file_full_directory_info);
+ case FILE_BOTH_DIRECTORY_INFORMATION:
+ return sizeof(struct file_both_directory_info);
+ case FILE_DIRECTORY_INFORMATION:
+ return sizeof(struct file_directory_info);
+ case FILE_NAMES_INFORMATION:
+ return sizeof(struct file_names_info);
+ case FILEID_FULL_DIRECTORY_INFORMATION:
+ return sizeof(struct file_id_full_dir_info);
+ case FILEID_BOTH_DIRECTORY_INFORMATION:
+ return sizeof(struct file_id_both_directory_info);
+ case SMB_FIND_FILE_POSIX_INFO:
+ return sizeof(struct smb2_posix_info);
+ default:
+ return -EOPNOTSUPP;
+ }
+}
+
+static int dentry_name(struct ksmbd_dir_info *d_info, int info_level)
+{
+ switch (info_level) {
+ case FILE_FULL_DIRECTORY_INFORMATION:
+ {
+ struct file_full_directory_info *ffdinfo;
+
+ ffdinfo = (struct file_full_directory_info *)d_info->rptr;
+ d_info->rptr += le32_to_cpu(ffdinfo->NextEntryOffset);
+ d_info->name = ffdinfo->FileName;
+ d_info->name_len = le32_to_cpu(ffdinfo->FileNameLength);
+ return 0;
+ }
+ case FILE_BOTH_DIRECTORY_INFORMATION:
+ {
+ struct file_both_directory_info *fbdinfo;
+
+ fbdinfo = (struct file_both_directory_info *)d_info->rptr;
+ d_info->rptr += le32_to_cpu(fbdinfo->NextEntryOffset);
+ d_info->name = fbdinfo->FileName;
+ d_info->name_len = le32_to_cpu(fbdinfo->FileNameLength);
+ return 0;
+ }
+ case FILE_DIRECTORY_INFORMATION:
+ {
+ struct file_directory_info *fdinfo;
+
+ fdinfo = (struct file_directory_info *)d_info->rptr;
+ d_info->rptr += le32_to_cpu(fdinfo->NextEntryOffset);
+ d_info->name = fdinfo->FileName;
+ d_info->name_len = le32_to_cpu(fdinfo->FileNameLength);
+ return 0;
+ }
+ case FILE_NAMES_INFORMATION:
+ {
+ struct file_names_info *fninfo;
+
+ fninfo = (struct file_names_info *)d_info->rptr;
+ d_info->rptr += le32_to_cpu(fninfo->NextEntryOffset);
+ d_info->name = fninfo->FileName;
+ d_info->name_len = le32_to_cpu(fninfo->FileNameLength);
+ return 0;
+ }
+ case FILEID_FULL_DIRECTORY_INFORMATION:
+ {
+ struct file_id_full_dir_info *dinfo;
+
+ dinfo = (struct file_id_full_dir_info *)d_info->rptr;
+ d_info->rptr += le32_to_cpu(dinfo->NextEntryOffset);
+ d_info->name = dinfo->FileName;
+ d_info->name_len = le32_to_cpu(dinfo->FileNameLength);
+ return 0;
+ }
+ case FILEID_BOTH_DIRECTORY_INFORMATION:
+ {
+ struct file_id_both_directory_info *fibdinfo;
+
+ fibdinfo = (struct file_id_both_directory_info *)d_info->rptr;
+ d_info->rptr += le32_to_cpu(fibdinfo->NextEntryOffset);
+ d_info->name = fibdinfo->FileName;
+ d_info->name_len = le32_to_cpu(fibdinfo->FileNameLength);
+ return 0;
+ }
+ case SMB_FIND_FILE_POSIX_INFO:
+ {
+ struct smb2_posix_info *posix_info;
+
+ posix_info = (struct smb2_posix_info *)d_info->rptr;
+ d_info->rptr += le32_to_cpu(posix_info->NextEntryOffset);
+ d_info->name = posix_info->name;
+ d_info->name_len = le32_to_cpu(posix_info->name_len);
+ return 0;
+ }
+ default:
+ return -EINVAL;
+ }
+}
+
+/**
+ * smb2_populate_readdir_entry() - encode directory entry in smb2 response
+ * buffer
+ * @conn: connection instance
+ * @info_level: smb information level
+ * @d_info: structure included variables for query dir
+ * @ksmbd_kstat: ksmbd wrapper of dirent stat information
+ *
+ * if directory has many entries, find first can't read it fully.
+ * find next might be called multiple times to read remaining dir entries
+ *
+ * Return: 0 on success, otherwise error
+ */
+static int smb2_populate_readdir_entry(struct ksmbd_conn *conn,
+ int info_level,
+ struct ksmbd_dir_info *d_info,
+ struct ksmbd_kstat *ksmbd_kstat)
+{
+ int next_entry_offset = 0;
+ char *conv_name;
+ int conv_len;
+ void *kstat;
+ int struct_sz;
+
+ conv_name = ksmbd_convert_dir_info_name(d_info,
+ conn->local_nls,
+ &conv_len);
+ if (!conv_name)
+ return -ENOMEM;
+
+ /* Somehow the name has only terminating NULL bytes */
+ if (conv_len < 0) {
+ kfree(conv_name);
+ return -EINVAL;
+ }
+
+ struct_sz = readdir_info_level_struct_sz(info_level);
+ next_entry_offset = ALIGN(struct_sz - 1 + conv_len,
+ KSMBD_DIR_INFO_ALIGNMENT);
+
+ if (next_entry_offset > d_info->out_buf_len) {
+ d_info->out_buf_len = 0;
+ return -ENOSPC;
+ }
+
+ kstat = d_info->wptr;
+ if (info_level != FILE_NAMES_INFORMATION)
+ kstat = ksmbd_vfs_init_kstat(&d_info->wptr, ksmbd_kstat);
+
+ switch (info_level) {
+ case FILE_FULL_DIRECTORY_INFORMATION:
+ {
+ struct file_full_directory_info *ffdinfo;
+
+ ffdinfo = (struct file_full_directory_info *)kstat;
+ ffdinfo->FileNameLength = cpu_to_le32(conv_len);
+ ffdinfo->EaSize =
+ smb2_get_reparse_tag_special_file(ksmbd_kstat->kstat->mode);
+ if (ffdinfo->EaSize)
+ ffdinfo->ExtFileAttributes = ATTR_REPARSE_POINT_LE;
+ if (d_info->hide_dot_file && d_info->name[0] == '.')
+ ffdinfo->ExtFileAttributes |= ATTR_HIDDEN_LE;
+ memcpy(ffdinfo->FileName, conv_name, conv_len);
+ ffdinfo->NextEntryOffset = cpu_to_le32(next_entry_offset);
+ break;
+ }
+ case FILE_BOTH_DIRECTORY_INFORMATION:
+ {
+ struct file_both_directory_info *fbdinfo;
+
+ fbdinfo = (struct file_both_directory_info *)kstat;
+ fbdinfo->FileNameLength = cpu_to_le32(conv_len);
+ fbdinfo->EaSize =
+ smb2_get_reparse_tag_special_file(ksmbd_kstat->kstat->mode);
+ if (fbdinfo->EaSize)
+ fbdinfo->ExtFileAttributes = ATTR_REPARSE_POINT_LE;
+ fbdinfo->ShortNameLength = 0;
+ fbdinfo->Reserved = 0;
+ if (d_info->hide_dot_file && d_info->name[0] == '.')
+ fbdinfo->ExtFileAttributes |= ATTR_HIDDEN_LE;
+ memcpy(fbdinfo->FileName, conv_name, conv_len);
+ fbdinfo->NextEntryOffset = cpu_to_le32(next_entry_offset);
+ break;
+ }
+ case FILE_DIRECTORY_INFORMATION:
+ {
+ struct file_directory_info *fdinfo;
+
+ fdinfo = (struct file_directory_info *)kstat;
+ fdinfo->FileNameLength = cpu_to_le32(conv_len);
+ if (d_info->hide_dot_file && d_info->name[0] == '.')
+ fdinfo->ExtFileAttributes |= ATTR_HIDDEN_LE;
+ memcpy(fdinfo->FileName, conv_name, conv_len);
+ fdinfo->NextEntryOffset = cpu_to_le32(next_entry_offset);
+ break;
+ }
+ case FILE_NAMES_INFORMATION:
+ {
+ struct file_names_info *fninfo;
+
+ fninfo = (struct file_names_info *)kstat;
+ fninfo->FileNameLength = cpu_to_le32(conv_len);
+ memcpy(fninfo->FileName, conv_name, conv_len);
+ fninfo->NextEntryOffset = cpu_to_le32(next_entry_offset);
+ break;
+ }
+ case FILEID_FULL_DIRECTORY_INFORMATION:
+ {
+ struct file_id_full_dir_info *dinfo;
+
+ dinfo = (struct file_id_full_dir_info *)kstat;
+ dinfo->FileNameLength = cpu_to_le32(conv_len);
+ dinfo->EaSize =
+ smb2_get_reparse_tag_special_file(ksmbd_kstat->kstat->mode);
+ if (dinfo->EaSize)
+ dinfo->ExtFileAttributes = ATTR_REPARSE_POINT_LE;
+ dinfo->Reserved = 0;
+ dinfo->UniqueId = cpu_to_le64(ksmbd_kstat->kstat->ino);
+ if (d_info->hide_dot_file && d_info->name[0] == '.')
+ dinfo->ExtFileAttributes |= ATTR_HIDDEN_LE;
+ memcpy(dinfo->FileName, conv_name, conv_len);
+ dinfo->NextEntryOffset = cpu_to_le32(next_entry_offset);
+ break;
+ }
+ case FILEID_BOTH_DIRECTORY_INFORMATION:
+ {
+ struct file_id_both_directory_info *fibdinfo;
+
+ fibdinfo = (struct file_id_both_directory_info *)kstat;
+ fibdinfo->FileNameLength = cpu_to_le32(conv_len);
+ fibdinfo->EaSize =
+ smb2_get_reparse_tag_special_file(ksmbd_kstat->kstat->mode);
+ if (fibdinfo->EaSize)
+ fibdinfo->ExtFileAttributes = ATTR_REPARSE_POINT_LE;
+ fibdinfo->UniqueId = cpu_to_le64(ksmbd_kstat->kstat->ino);
+ fibdinfo->ShortNameLength = 0;
+ fibdinfo->Reserved = 0;
+ fibdinfo->Reserved2 = cpu_to_le16(0);
+ if (d_info->hide_dot_file && d_info->name[0] == '.')
+ fibdinfo->ExtFileAttributes |= ATTR_HIDDEN_LE;
+ memcpy(fibdinfo->FileName, conv_name, conv_len);
+ fibdinfo->NextEntryOffset = cpu_to_le32(next_entry_offset);
+ break;
+ }
+ case SMB_FIND_FILE_POSIX_INFO:
+ {
+ struct smb2_posix_info *posix_info;
+ u64 time;
+
+ posix_info = (struct smb2_posix_info *)kstat;
+ posix_info->Ignored = 0;
+ posix_info->CreationTime = cpu_to_le64(ksmbd_kstat->create_time);
+ time = ksmbd_UnixTimeToNT(ksmbd_kstat->kstat->ctime);
+ posix_info->ChangeTime = cpu_to_le64(time);
+ time = ksmbd_UnixTimeToNT(ksmbd_kstat->kstat->atime);
+ posix_info->LastAccessTime = cpu_to_le64(time);
+ time = ksmbd_UnixTimeToNT(ksmbd_kstat->kstat->mtime);
+ posix_info->LastWriteTime = cpu_to_le64(time);
+ posix_info->EndOfFile = cpu_to_le64(ksmbd_kstat->kstat->size);
+ posix_info->AllocationSize = cpu_to_le64(ksmbd_kstat->kstat->blocks << 9);
+ posix_info->DeviceId = cpu_to_le32(ksmbd_kstat->kstat->rdev);
+ posix_info->HardLinks = cpu_to_le32(ksmbd_kstat->kstat->nlink);
+ posix_info->Mode = cpu_to_le32(ksmbd_kstat->kstat->mode);
+ posix_info->Inode = cpu_to_le64(ksmbd_kstat->kstat->ino);
+ posix_info->DosAttributes =
+ S_ISDIR(ksmbd_kstat->kstat->mode) ? ATTR_DIRECTORY_LE : ATTR_ARCHIVE_LE;
+ if (d_info->hide_dot_file && d_info->name[0] == '.')
+ posix_info->DosAttributes |= ATTR_HIDDEN_LE;
+ id_to_sid(from_kuid(&init_user_ns, ksmbd_kstat->kstat->uid),
+ SIDNFS_USER, (struct smb_sid *)&posix_info->SidBuffer[0]);
+ id_to_sid(from_kgid(&init_user_ns, ksmbd_kstat->kstat->gid),
+ SIDNFS_GROUP, (struct smb_sid *)&posix_info->SidBuffer[20]);
+ memcpy(posix_info->name, conv_name, conv_len);
+ posix_info->name_len = cpu_to_le32(conv_len);
+ posix_info->NextEntryOffset = cpu_to_le32(next_entry_offset);
+ break;
+ }
+
+ } /* switch (info_level) */
+
+ d_info->last_entry_offset = d_info->data_count;
+ d_info->data_count += next_entry_offset;
+ d_info->wptr += next_entry_offset;
+ kfree(conv_name);
+
+ ksmbd_debug(SMB,
+ "info_level : %d, buf_len :%d, next_offset : %d, data_count : %d\n",
+ info_level, d_info->out_buf_len,
+ next_entry_offset, d_info->data_count);
+
+ return 0;
+}
+
+struct smb2_query_dir_private {
+ struct ksmbd_work *work;
+ char *search_pattern;
+ struct ksmbd_file *dir_fp;
+
+ struct ksmbd_dir_info *d_info;
+ int info_level;
+};
+
+static void lock_dir(struct ksmbd_file *dir_fp)
+{
+ struct dentry *dir = dir_fp->filp->f_path.dentry;
+
+ inode_lock_nested(d_inode(dir), I_MUTEX_PARENT);
+}
+
+static void unlock_dir(struct ksmbd_file *dir_fp)
+{
+ struct dentry *dir = dir_fp->filp->f_path.dentry;
+
+ inode_unlock(d_inode(dir));
+}
+
+static int process_query_dir_entries(struct smb2_query_dir_private *priv)
+{
+ struct kstat kstat;
+ struct ksmbd_kstat ksmbd_kstat;
+ int rc;
+ int i;
+
+ for (i = 0; i < priv->d_info->num_entry; i++) {
+ struct dentry *dent;
+
+ if (dentry_name(priv->d_info, priv->info_level))
+ return -EINVAL;
+
+ lock_dir(priv->dir_fp);
+ dent = lookup_one_len(priv->d_info->name,
+ priv->dir_fp->filp->f_path.dentry,
+ priv->d_info->name_len);
+ unlock_dir(priv->dir_fp);
+
+ if (IS_ERR(dent)) {
+ ksmbd_debug(SMB, "Cannot lookup `%s' [%ld]\n",
+ priv->d_info->name,
+ PTR_ERR(dent));
+ continue;
+ }
+ if (unlikely(d_is_negative(dent))) {
+ dput(dent);
+ ksmbd_debug(SMB, "Negative dentry `%s'\n",
+ priv->d_info->name);
+ continue;
+ }
+
+ ksmbd_kstat.kstat = &kstat;
+ if (priv->info_level != FILE_NAMES_INFORMATION)
+ ksmbd_vfs_fill_dentry_attrs(priv->work,
+ dent,
+ &ksmbd_kstat);
+
+ rc = smb2_populate_readdir_entry(priv->work->conn,
+ priv->info_level,
+ priv->d_info,
+ &ksmbd_kstat);
+ dput(dent);
+ if (rc)
+ return rc;
+ }
+ return 0;
+}
+
+static int reserve_populate_dentry(struct ksmbd_dir_info *d_info,
+ int info_level)
+{
+ int struct_sz;
+ int conv_len;
+ int next_entry_offset;
+
+ struct_sz = readdir_info_level_struct_sz(info_level);
+ if (struct_sz == -EOPNOTSUPP)
+ return -EOPNOTSUPP;
+
+ conv_len = (d_info->name_len + 1) * 2;
+ next_entry_offset = ALIGN(struct_sz - 1 + conv_len,
+ KSMBD_DIR_INFO_ALIGNMENT);
+
+ if (next_entry_offset > d_info->out_buf_len) {
+ d_info->out_buf_len = 0;
+ return -ENOSPC;
+ }
+
+ switch (info_level) {
+ case FILE_FULL_DIRECTORY_INFORMATION:
+ {
+ struct file_full_directory_info *ffdinfo;
+
+ ffdinfo = (struct file_full_directory_info *)d_info->wptr;
+ memcpy(ffdinfo->FileName, d_info->name, d_info->name_len);
+ ffdinfo->FileName[d_info->name_len] = 0x00;
+ ffdinfo->FileNameLength = cpu_to_le32(d_info->name_len);
+ ffdinfo->NextEntryOffset = cpu_to_le32(next_entry_offset);
+ break;
+ }
+ case FILE_BOTH_DIRECTORY_INFORMATION:
+ {
+ struct file_both_directory_info *fbdinfo;
+
+ fbdinfo = (struct file_both_directory_info *)d_info->wptr;
+ memcpy(fbdinfo->FileName, d_info->name, d_info->name_len);
+ fbdinfo->FileName[d_info->name_len] = 0x00;
+ fbdinfo->FileNameLength = cpu_to_le32(d_info->name_len);
+ fbdinfo->NextEntryOffset = cpu_to_le32(next_entry_offset);
+ break;
+ }
+ case FILE_DIRECTORY_INFORMATION:
+ {
+ struct file_directory_info *fdinfo;
+
+ fdinfo = (struct file_directory_info *)d_info->wptr;
+ memcpy(fdinfo->FileName, d_info->name, d_info->name_len);
+ fdinfo->FileName[d_info->name_len] = 0x00;
+ fdinfo->FileNameLength = cpu_to_le32(d_info->name_len);
+ fdinfo->NextEntryOffset = cpu_to_le32(next_entry_offset);
+ break;
+ }
+ case FILE_NAMES_INFORMATION:
+ {
+ struct file_names_info *fninfo;
+
+ fninfo = (struct file_names_info *)d_info->wptr;
+ memcpy(fninfo->FileName, d_info->name, d_info->name_len);
+ fninfo->FileName[d_info->name_len] = 0x00;
+ fninfo->FileNameLength = cpu_to_le32(d_info->name_len);
+ fninfo->NextEntryOffset = cpu_to_le32(next_entry_offset);
+ break;
+ }
+ case FILEID_FULL_DIRECTORY_INFORMATION:
+ {
+ struct file_id_full_dir_info *dinfo;
+
+ dinfo = (struct file_id_full_dir_info *)d_info->wptr;
+ memcpy(dinfo->FileName, d_info->name, d_info->name_len);
+ dinfo->FileName[d_info->name_len] = 0x00;
+ dinfo->FileNameLength = cpu_to_le32(d_info->name_len);
+ dinfo->NextEntryOffset = cpu_to_le32(next_entry_offset);
+ break;
+ }
+ case FILEID_BOTH_DIRECTORY_INFORMATION:
+ {
+ struct file_id_both_directory_info *fibdinfo;
+
+ fibdinfo = (struct file_id_both_directory_info *)d_info->wptr;
+ memcpy(fibdinfo->FileName, d_info->name, d_info->name_len);
+ fibdinfo->FileName[d_info->name_len] = 0x00;
+ fibdinfo->FileNameLength = cpu_to_le32(d_info->name_len);
+ fibdinfo->NextEntryOffset = cpu_to_le32(next_entry_offset);
+ break;
+ }
+ case SMB_FIND_FILE_POSIX_INFO:
+ {
+ struct smb2_posix_info *posix_info;
+
+ posix_info = (struct smb2_posix_info *)d_info->wptr;
+ memcpy(posix_info->name, d_info->name, d_info->name_len);
+ posix_info->name[d_info->name_len] = 0x00;
+ posix_info->name_len = cpu_to_le32(d_info->name_len);
+ posix_info->NextEntryOffset =
+ cpu_to_le32(next_entry_offset);
+ break;
+ }
+ } /* switch (info_level) */
+
+ d_info->num_entry++;
+ d_info->out_buf_len -= next_entry_offset;
+ d_info->wptr += next_entry_offset;
+ return 0;
+}
+
+static int __query_dir(struct dir_context *ctx,
+ const char *name,
+ int namlen,
+ loff_t offset,
+ u64 ino,
+ unsigned int d_type)
+{
+ struct ksmbd_readdir_data *buf;
+ struct smb2_query_dir_private *priv;
+ struct ksmbd_dir_info *d_info;
+ int rc;
+
+ buf = container_of(ctx, struct ksmbd_readdir_data, ctx);
+ priv = buf->private;
+ d_info = priv->d_info;
+
+ /* dot and dotdot entries are already reserved */
+ if (!strcmp(".", name) || !strcmp("..", name))
+ return 0;
+ if (ksmbd_share_veto_filename(priv->work->tcon->share_conf, name))
+ return 0;
+ if (!match_pattern(name, priv->search_pattern))
+ return 0;
+
+ d_info->name = name;
+ d_info->name_len = namlen;
+ rc = reserve_populate_dentry(d_info, priv->info_level);
+ if (rc)
+ return rc;
+ if (d_info->flags & SMB2_RETURN_SINGLE_ENTRY) {
+ d_info->out_buf_len = 0;
+ return 0;
+ }
+ return 0;
+}
+
+static void restart_ctx(struct dir_context *ctx)
+{
+ ctx->pos = 0;
+}
+
+static int verify_info_level(int info_level)
+{
+ switch (info_level) {
+ case FILE_FULL_DIRECTORY_INFORMATION:
+ case FILE_BOTH_DIRECTORY_INFORMATION:
+ case FILE_DIRECTORY_INFORMATION:
+ case FILE_NAMES_INFORMATION:
+ case FILEID_FULL_DIRECTORY_INFORMATION:
+ case FILEID_BOTH_DIRECTORY_INFORMATION:
+ case SMB_FIND_FILE_POSIX_INFO:
+ break;
+ default:
+ return -EOPNOTSUPP;
+ }
+
+ return 0;
+}
+
+int smb2_query_dir(struct ksmbd_work *work)
+{
+ struct ksmbd_conn *conn = work->conn;
+ struct smb2_query_directory_req *req;
+ struct smb2_query_directory_rsp *rsp, *rsp_org;
+ struct ksmbd_share_config *share = work->tcon->share_conf;
+ struct ksmbd_file *dir_fp = NULL;
+ struct ksmbd_dir_info d_info;
+ int rc = 0;
+ char *srch_ptr = NULL;
+ unsigned char srch_flag;
+ int buffer_sz;
+ struct smb2_query_dir_private query_dir_private = {NULL, };
+
+ rsp_org = RESPONSE_BUF(work);
+ WORK_BUFFERS(work, req, rsp);
+
+ if (ksmbd_override_fsids(work)) {
+ rsp->hdr.Status = STATUS_NO_MEMORY;
+ smb2_set_err_rsp(work);
+ return -ENOMEM;
+ }
+
+ rc = verify_info_level(req->FileInformationClass);
+ if (rc) {
+ rc = -EFAULT;
+ goto err_out2;
+ }
+
+ dir_fp = ksmbd_lookup_fd_slow(work,
+ le64_to_cpu(req->VolatileFileId),
+ le64_to_cpu(req->PersistentFileId));
+ if (!dir_fp) {
+ rc = -EBADF;
+ goto err_out2;
+ }
+
+ if (!(dir_fp->daccess & FILE_LIST_DIRECTORY_LE) ||
+ inode_permission(&init_user_ns, file_inode(dir_fp->filp),
+ MAY_READ | MAY_EXEC)) {
+ ksmbd_err("no right to enumerate directory (%s)\n",
+ FP_FILENAME(dir_fp));
+ rc = -EACCES;
+ goto err_out2;
+ }
+
+ if (!S_ISDIR(file_inode(dir_fp->filp)->i_mode)) {
+ ksmbd_err("can't do query dir for a file\n");
+ rc = -EINVAL;
+ goto err_out2;
+ }
+
+ srch_flag = req->Flags;
+ srch_ptr = smb_strndup_from_utf16(req->Buffer,
+ le16_to_cpu(req->FileNameLength), 1,
+ conn->local_nls);
+ if (IS_ERR(srch_ptr)) {
+ ksmbd_debug(SMB, "Search Pattern not found\n");
+ rc = -EINVAL;
+ goto err_out2;
+ } else
+ ksmbd_debug(SMB, "Search pattern is %s\n", srch_ptr);
+
+ ksmbd_debug(SMB, "Directory name is %s\n", dir_fp->filename);
+
+ if (srch_flag & SMB2_REOPEN || srch_flag & SMB2_RESTART_SCANS) {
+ ksmbd_debug(SMB, "Restart directory scan\n");
+ generic_file_llseek(dir_fp->filp, 0, SEEK_SET);
+ restart_ctx(&dir_fp->readdir_data.ctx);
+ }
+
+ memset(&d_info, 0, sizeof(struct ksmbd_dir_info));
+ d_info.wptr = (char *)rsp->Buffer;
+ d_info.rptr = (char *)rsp->Buffer;
+ d_info.out_buf_len = (work->response_sz -
+ (get_rfc1002_len(rsp_org) + 4));
+ d_info.out_buf_len = min_t(int, d_info.out_buf_len,
+ le32_to_cpu(req->OutputBufferLength)) -
+ sizeof(struct smb2_query_directory_rsp);
+ d_info.flags = srch_flag;
+
+ /*
+ * reserve dot and dotdot entries in head of buffer
+ * in first response
+ */
+ rc = ksmbd_populate_dot_dotdot_entries(work, req->FileInformationClass,
+ dir_fp, &d_info, srch_ptr, smb2_populate_readdir_entry);
+ if (rc == -ENOSPC)
+ rc = 0;
+ else if (rc)
+ goto err_out;
+
+ if (test_share_config_flag(share, KSMBD_SHARE_FLAG_HIDE_DOT_FILES))
+ d_info.hide_dot_file = true;
+
+ buffer_sz = d_info.out_buf_len;
+ d_info.rptr = d_info.wptr;
+ query_dir_private.work = work;
+ query_dir_private.search_pattern = srch_ptr;
+ query_dir_private.dir_fp = dir_fp;
+ query_dir_private.d_info = &d_info;
+ query_dir_private.info_level = req->FileInformationClass;
+ dir_fp->readdir_data.private = &query_dir_private;
+ set_ctx_actor(&dir_fp->readdir_data.ctx, __query_dir);
+
+ rc = ksmbd_vfs_readdir(dir_fp->filp, &dir_fp->readdir_data);
+ if (rc == 0)
+ restart_ctx(&dir_fp->readdir_data.ctx);
+ if (rc == -ENOSPC)
+ rc = 0;
+ if (rc)
+ goto err_out;
+
+ d_info.wptr = d_info.rptr;
+ d_info.out_buf_len = buffer_sz;
+ rc = process_query_dir_entries(&query_dir_private);
+ if (rc)
+ goto err_out;
+
+ if (!d_info.data_count && d_info.out_buf_len >= 0) {
+ if (srch_flag & SMB2_RETURN_SINGLE_ENTRY && !is_asterisk(srch_ptr))
+ rsp->hdr.Status = STATUS_NO_SUCH_FILE;
+ else {
+ dir_fp->dot_dotdot[0] = dir_fp->dot_dotdot[1] = 0;
+ rsp->hdr.Status = STATUS_NO_MORE_FILES;
+ }
+ rsp->StructureSize = cpu_to_le16(9);
+ rsp->OutputBufferOffset = cpu_to_le16(0);
+ rsp->OutputBufferLength = cpu_to_le32(0);
+ rsp->Buffer[0] = 0;
+ inc_rfc1001_len(rsp_org, 9);
+ } else {
+ ((struct file_directory_info *)
+ ((char *)rsp->Buffer + d_info.last_entry_offset))
+ ->NextEntryOffset = 0;
+
+ rsp->StructureSize = cpu_to_le16(9);
+ rsp->OutputBufferOffset = cpu_to_le16(72);
+ rsp->OutputBufferLength = cpu_to_le32(d_info.data_count);
+ inc_rfc1001_len(rsp_org, 8 + d_info.data_count);
+ }
+
+ kfree(srch_ptr);
+ ksmbd_fd_put(work, dir_fp);
+ ksmbd_revert_fsids(work);
+ return 0;
+
+err_out:
+ ksmbd_err("error while processing smb2 query dir rc = %d\n", rc);
+ kfree(srch_ptr);
+
+err_out2:
+ if (rc == -EINVAL)
+ rsp->hdr.Status = STATUS_INVALID_PARAMETER;
+ else if (rc == -EACCES)
+ rsp->hdr.Status = STATUS_ACCESS_DENIED;
+ else if (rc == -ENOENT)
+ rsp->hdr.Status = STATUS_NO_SUCH_FILE;
+ else if (rc == -EBADF)
+ rsp->hdr.Status = STATUS_FILE_CLOSED;
+ else if (rc == -ENOMEM)
+ rsp->hdr.Status = STATUS_NO_MEMORY;
+ else if (rc == -EFAULT)
+ rsp->hdr.Status = STATUS_INVALID_INFO_CLASS;
+ if (!rsp->hdr.Status)
+ rsp->hdr.Status = STATUS_UNEXPECTED_IO_ERROR;
+
+ smb2_set_err_rsp(work);
+ ksmbd_fd_put(work, dir_fp);
+ ksmbd_revert_fsids(work);
+ return 0;
+}
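Review bot: In smb2_query_dir(), d_info.out_buf_len is clamped to the client-supplied req->OutputBufferLength with min_t(int, ...) and then has sizeof(struct smb2_query_directory_rsp) subtracted with no lower bound, so a small OutputBufferLength can leave the budget negative before ksmbd_populate_dot_dotdot_entries() and the readdir callback see it. The only guards are the implicit `next_entry_offset > d_info->out_buf_len` comparison in reserve_populate_dentry() and the later `d_info.out_buf_len >= 0` test. Rejecting the request with -EINVAL when the clamped length is smaller than the response header would make the bound explicit. Two smaller points: err_out and err_out2 return 0 while the ksmbd_override_fsids() failure returns -ENOMEM, and err_out2 reaches ksmbd_fd_put(work, dir_fp) with dir_fp still NULL on the early paths, so either a NULL check or a comment saying the callee tolerates NULL would help.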
+
+/**
+ * buffer_check_err() - helper function to check buffer errors
+ * @reqOutputBufferLength: max buffer length expected in command response
+ * @rsp: query info response buffer contains output buffer length
+ * @infoclass_size: query info class response buffer size
+ *
+ * Return: 0 on success, otherwise error
+ */
+static int buffer_check_err(int reqOutputBufferLength,
+ struct smb2_query_info_rsp *rsp, int infoclass_size)
+{
+ if (reqOutputBufferLength < le32_to_cpu(rsp->OutputBufferLength)) {
+ if (reqOutputBufferLength < infoclass_size) {
+ ksmbd_err("Invalid Buffer Size Requested\n");
+ rsp->hdr.Status = STATUS_INFO_LENGTH_MISMATCH;
+ rsp->hdr.smb2_buf_length = cpu_to_be32(
+ sizeof(struct smb2_hdr) - 4);
+ return -EINVAL;
+ }
+
+ ksmbd_debug(SMB, "Buffer Overflow\n");
+ rsp->hdr.Status = STATUS_BUFFER_OVERFLOW;
+ rsp->hdr.smb2_buf_length = cpu_to_be32(
+ sizeof(struct smb2_hdr) - 4
+ + reqOutputBufferLength);
+ rsp->OutputBufferLength = cpu_to_le32(
+ reqOutputBufferLength);
+ }
+ return 0;
+}
+
+static void get_standard_info_pipe(struct smb2_query_info_rsp *rsp)
+{
+ struct smb2_file_standard_info *sinfo;
+
+ sinfo = (struct smb2_file_standard_info *)rsp->Buffer;
+
+ sinfo->AllocationSize = cpu_to_le64(4096);
+ sinfo->EndOfFile = cpu_to_le64(0);
+ sinfo->NumberOfLinks = cpu_to_le32(1);
+ sinfo->DeletePending = 1;
+ sinfo->Directory = 0;
+ rsp->OutputBufferLength =
+ cpu_to_le32(sizeof(struct smb2_file_standard_info));
+ inc_rfc1001_len(rsp, sizeof(struct smb2_file_standard_info));
+}
+
+static void get_internal_info_pipe(struct smb2_query_info_rsp *rsp,
+ uint64_t num)
+{
+ struct smb2_file_internal_info *file_info;
+
+ file_info = (struct smb2_file_internal_info *)rsp->Buffer;
+
+ /* any unique number */
+ file_info->IndexNumber = cpu_to_le64(num | (1ULL << 63));
+ rsp->OutputBufferLength =
+ cpu_to_le32(sizeof(struct smb2_file_internal_info));
+ inc_rfc1001_len(rsp, sizeof(struct smb2_file_internal_info));
+}
+
+/**
+ * smb2_info_file_pipe() - handler for smb2 query info on IPC pipe
+ * @work: smb work containing query info command buffer
+ *
+ * Return: 0 on success, otherwise error
+ */
+static int smb2_get_info_file_pipe(struct ksmbd_session *sess,
+ struct smb2_query_info_req *req, struct smb2_query_info_rsp *rsp)
+{
+ uint64_t id;
+ int rc;
+
+ /*
+ * Windows can sometime send query file info request on
+ * pipe without opening it, checking error condition here
+ */
+ id = le64_to_cpu(req->VolatileFileId);
+ if (!ksmbd_session_rpc_method(sess, id))
+ return -ENOENT;
+
+ ksmbd_debug(SMB, "FileInfoClass %u, FileId 0x%llx\n",
+ req->FileInfoClass, le64_to_cpu(req->VolatileFileId));
+
+ switch (req->FileInfoClass) {
+ case FILE_STANDARD_INFORMATION:
+ get_standard_info_pipe(rsp);
+ rc = buffer_check_err(le32_to_cpu(req->OutputBufferLength),
+ rsp, FILE_STANDARD_INFORMATION_SIZE);
+ break;
+ case FILE_INTERNAL_INFORMATION:
+ get_internal_info_pipe(rsp, id);
+ rc = buffer_check_err(le32_to_cpu(req->OutputBufferLength),
+ rsp, FILE_INTERNAL_INFORMATION_SIZE);
+ break;
+ default:
+ ksmbd_debug(SMB, "smb2_info_file_pipe for %u not supported\n",
+ req->FileInfoClass);
+ rc = -EOPNOTSUPP;
+ }
+ return rc;
+}
+
+/**
+ * smb2_get_ea() - handler for smb2 get extended attribute command
+ * @work: smb work containing query info command buffer
+ * @path: path of file/dir to query info command
+ * @rq: get extended attribute request
+ * @resp: response buffer pointer
+ * @resp_org: base response buffer pointer in case of chained response
+ *
+ * Return: 0 on success, otherwise error
+ */
+static int smb2_get_ea(struct ksmbd_work *work,
+ struct ksmbd_file *fp,
+ struct smb2_query_info_req *req,
+ struct smb2_query_info_rsp *rsp,
+ void *rsp_org)
+{
+ struct smb2_ea_info *eainfo, *prev_eainfo;
+ char *name, *ptr, *xattr_list = NULL, *buf;
+ int rc, name_len, value_len, xattr_list_len, idx;
+ ssize_t buf_free_len, alignment_bytes, next_offset, rsp_data_cnt = 0;
+ struct smb2_ea_info_req *ea_req = NULL;
+ struct path *path;
+
+ if (!(fp->daccess & FILE_READ_EA_LE)) {
+ ksmbd_err("Not permitted to read ext attr : 0x%x\n",
+ fp->daccess);
+ return -EACCES;
+ }
+
+ path = &fp->filp->f_path;
+ /* single EA entry is requested with given user.* name */
+ if (req->InputBufferLength)
+ ea_req = (struct smb2_ea_info_req *)req->Buffer;
+ else {
+ /* need to send all EAs, if no specific EA is requested*/
+ if (le32_to_cpu(req->Flags) & SL_RETURN_SINGLE_ENTRY)
+ ksmbd_debug(SMB,
+ "All EAs are requested but need to send single EA entry in rsp flags 0x%x\n",
+ le32_to_cpu(req->Flags));
+ }
+
+ buf_free_len = work->response_sz -
+ (get_rfc1002_len(rsp_org) + 4) -
+ sizeof(struct smb2_query_info_rsp);
+
+ if (le32_to_cpu(req->OutputBufferLength) < buf_free_len)
+ buf_free_len = le32_to_cpu(req->OutputBufferLength);
+
+ rc = ksmbd_vfs_listxattr(path->dentry, &xattr_list);
+ if (rc < 0) {
+ rsp->hdr.Status = STATUS_INVALID_HANDLE;
+ goto out;
+ } else if (!rc) { /* there is no EA in the file */
+ ksmbd_debug(SMB, "no ea data in the file\n");
+ goto done;
+ }
+ xattr_list_len = rc;
+
+ ptr = (char *)rsp->Buffer;
+ eainfo = (struct smb2_ea_info *)ptr;
+ prev_eainfo = eainfo;
+ idx = 0;
+
+ while (idx < xattr_list_len) {
+ name = xattr_list + idx;
+ name_len = strlen(name);
+
+ ksmbd_debug(SMB, "%s, len %d\n", name, name_len);
+ idx += name_len + 1;
+
+ /*
+ * CIFS does not support EA other than user.* namespace,
+ * still keep the framework generic, to list other attrs
+ * in future.
+ */
+ if (strncmp(name, XATTR_USER_PREFIX, XATTR_USER_PREFIX_LEN))
+ continue;
+
+ if (!strncmp(&name[XATTR_USER_PREFIX_LEN], STREAM_PREFIX,
+ STREAM_PREFIX_LEN))
+ continue;
+
+ if (req->InputBufferLength &&
+ (strncmp(&name[XATTR_USER_PREFIX_LEN],
+ ea_req->name, ea_req->EaNameLength)))
+ continue;
+
+ if (!strncmp(&name[XATTR_USER_PREFIX_LEN],
+ DOS_ATTRIBUTE_PREFIX, DOS_ATTRIBUTE_PREFIX_LEN))
+ continue;
+
+ if (!strncmp(name, XATTR_USER_PREFIX, XATTR_USER_PREFIX_LEN))
+ name_len -= XATTR_USER_PREFIX_LEN;
+
+ ptr = (char *)(&eainfo->name + name_len + 1);
+ buf_free_len -= (offsetof(struct smb2_ea_info, name) +
+ name_len + 1);
+ /* bailout if xattr can't fit in buf_free_len */
+ value_len = ksmbd_vfs_getxattr(path->dentry, name, &buf);
+ if (value_len <= 0) {
+ rc = -ENOENT;
+ rsp->hdr.Status = STATUS_INVALID_HANDLE;
+ goto out;
+ }
+
+ buf_free_len -= value_len;
+ if (buf_free_len < 0) {
+ ksmbd_free(buf);
+ break;
+ }
+
+ memcpy(ptr, buf, value_len);
+ ksmbd_free(buf);
+
+ ptr += value_len;
+ eainfo->Flags = 0;
+ eainfo->EaNameLength = name_len;
+
+ if (!strncmp(name, XATTR_USER_PREFIX,
+ XATTR_USER_PREFIX_LEN))
+ memcpy(eainfo->name, &name[XATTR_USER_PREFIX_LEN],
+ name_len);
+ else
+ memcpy(eainfo->name, name, name_len);
+
+ eainfo->name[name_len] = '\0';
+ eainfo->EaValueLength = cpu_to_le16(value_len);
+ next_offset = offsetof(struct smb2_ea_info, name) +
+ name_len + 1 + value_len;
+
+ /* align next xattr entry at 4 byte bundary */
+ alignment_bytes = ((next_offset + 3) & ~3) - next_offset;
+ if (alignment_bytes) {
+ memset(ptr, '\0', alignment_bytes);
+ ptr += alignment_bytes;
+ next_offset += alignment_bytes;
+ buf_free_len -= alignment_bytes;
+ }
+ eainfo->NextEntryOffset = cpu_to_le32(next_offset);
+ prev_eainfo = eainfo;
+ eainfo = (struct smb2_ea_info *)ptr;
+ rsp_data_cnt += next_offset;
+
+ if (req->InputBufferLength) {
+ ksmbd_debug(SMB, "single entry requested\n");
+ break;
+ }
+ }
+
+ /* no more ea entries */
+ prev_eainfo->NextEntryOffset = 0;
+done:
+ rc = 0;
+ if (rsp_data_cnt == 0)
+ rsp->hdr.Status = STATUS_NO_EAS_ON_FILE;
+ rsp->OutputBufferLength = cpu_to_le32(rsp_data_cnt);
+ inc_rfc1001_len(rsp_org, rsp_data_cnt);
+out:
+ ksmbd_vfs_xattr_free(xattr_list);
+ return rc;
+}
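Review bot: In smb2_get_ea(), ea_req is taken straight from req->Buffer whenever req->InputBufferLength is non-zero, and ea_req->EaNameLength is then used as the strncmp() length against each xattr name. Nothing here checks that InputBufferLength covers struct smb2_ea_info_req plus EaNameLength bytes, so the comparison can run over bytes the client never supplied, and because only EaNameLength bytes are compared a request for a short name also matches any longer xattr that shares that prefix. Please validate both lengths before the loop (return -EINVAL otherwise) and compare the full name length as well. Smaller points: the alignment memset() writes up to 3 bytes before buf_free_len is checked again, and the kernel-doc lists @path, @rq, @resp and @resp_org while the parameters are fp, req, rsp and rsp_org.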
+
+static void get_file_access_info(struct smb2_query_info_rsp *rsp,
+ struct ksmbd_file *fp,
+ void *rsp_org)
+{
+ struct smb2_file_access_info *file_info;
+
+ file_info = (struct smb2_file_access_info *)rsp->Buffer;
+ file_info->AccessFlags = fp->daccess;
+ rsp->OutputBufferLength =
+ cpu_to_le32(sizeof(struct smb2_file_access_info));
+ inc_rfc1001_len(rsp_org, sizeof(struct smb2_file_access_info));
+}
+
+static int get_file_basic_info(struct smb2_query_info_rsp *rsp,
+ struct ksmbd_file *fp,
+ void *rsp_org)
+{
+ struct smb2_file_all_info *basic_info;
+ struct kstat stat;
+ u64 time;
+
+ if (!(fp->daccess & FILE_READ_ATTRIBUTES_LE)) {
+ ksmbd_err("no right to read the attributes : 0x%x\n",
+ fp->daccess);
+ return -EACCES;
+ }
+
+ basic_info = (struct smb2_file_all_info *)rsp->Buffer;
+ generic_fillattr(&init_user_ns, FP_INODE(fp), &stat);
+ basic_info->CreationTime = cpu_to_le64(fp->create_time);
+ time = ksmbd_UnixTimeToNT(stat.atime);
+ basic_info->LastAccessTime = cpu_to_le64(time);
+ time = ksmbd_UnixTimeToNT(stat.mtime);
+ basic_info->LastWriteTime = cpu_to_le64(time);
+ time = ksmbd_UnixTimeToNT(stat.ctime);
+ basic_info->ChangeTime = cpu_to_le64(time);
+ basic_info->Attributes = fp->f_ci->m_fattr;
+ basic_info->Pad1 = 0;
+ rsp->OutputBufferLength =
+ cpu_to_le32(offsetof(struct smb2_file_all_info,
+ AllocationSize));
+ inc_rfc1001_len(rsp_org, offsetof(struct smb2_file_all_info,
+ AllocationSize));
+ return 0;
+}
+
+static unsigned long long get_allocation_size(struct inode *inode,
+ struct kstat *stat)
+{
+ unsigned long long alloc_size = 0;
+
+ if (!S_ISDIR(stat->mode)) {
+ if ((inode->i_blocks << 9) <= stat->size)
+ alloc_size = stat->size;
+ else
+ alloc_size = inode->i_blocks << 9;
+
+ }
+
+ return alloc_size;
+}
+
+static void get_file_standard_info(struct smb2_query_info_rsp *rsp,
+ struct ksmbd_file *fp,
+ void *rsp_org)
+{
+ struct smb2_file_standard_info *sinfo;
+ unsigned int delete_pending;
+ struct inode *inode;
+ struct kstat stat;
+
+ inode = FP_INODE(fp);
+ generic_fillattr(&init_user_ns, inode, &stat);
+
+ sinfo = (struct smb2_file_standard_info *)rsp->Buffer;
+ delete_pending = ksmbd_inode_pending_delete(fp);
+
+ sinfo->AllocationSize = cpu_to_le64(get_allocation_size(inode, &stat));
+ sinfo->EndOfFile = S_ISDIR(stat.mode) ? 0 : cpu_to_le64(stat.size);
+ sinfo->NumberOfLinks = cpu_to_le32(get_nlink(&stat) - delete_pending);
+ sinfo->DeletePending = delete_pending;
+ sinfo->Directory = S_ISDIR(stat.mode) ? 1 : 0;
+ rsp->OutputBufferLength =
+ cpu_to_le32(sizeof(struct smb2_file_standard_info));
+ inc_rfc1001_len(rsp_org,
+ sizeof(struct smb2_file_standard_info));
+}
+
+static void get_file_alignment_info(struct smb2_query_info_rsp *rsp,
+ void *rsp_org)
+{
+ struct smb2_file_alignment_info *file_info;
+
+ file_info = (struct smb2_file_alignment_info *)rsp->Buffer;
+ file_info->AlignmentRequirement = 0;
+ rsp->OutputBufferLength =
+ cpu_to_le32(sizeof(struct smb2_file_alignment_info));
+ inc_rfc1001_len(rsp_org,
+ sizeof(struct smb2_file_alignment_info));
+}
+
+static int get_file_all_info(struct ksmbd_work *work,
+ struct smb2_query_info_rsp *rsp,
+ struct ksmbd_file *fp,
+ void *rsp_org)
+{
+ struct ksmbd_conn *conn = work->conn;
+ struct smb2_file_all_info *file_info;
+ unsigned int delete_pending;
+ struct inode *inode;
+ struct kstat stat;
+ int conv_len;
+ char *filename;
+ u64 time;
+
+ if (!(fp->daccess & FILE_READ_ATTRIBUTES_LE)) {
+ ksmbd_debug(SMB, "no right to read the attributes : 0x%x\n",
+ fp->daccess);
+ return -EACCES;
+ }
+
+ filename = convert_to_nt_pathname(fp->filename,
+ work->tcon->share_conf->path);
+ if (!filename)
+ return -ENOMEM;
+
+ inode = FP_INODE(fp);
+ generic_fillattr(&init_user_ns, inode, &stat);
+
+ ksmbd_debug(SMB, "filename = %s\n", filename);
+ delete_pending = ksmbd_inode_pending_delete(fp);
+ file_info = (struct smb2_file_all_info *)rsp->Buffer;
+
+ file_info->CreationTime = cpu_to_le64(fp->create_time);
+ time = ksmbd_UnixTimeToNT(stat.atime);
+ file_info->LastAccessTime = cpu_to_le64(time);
+ time = ksmbd_UnixTimeToNT(stat.mtime);
+ file_info->LastWriteTime = cpu_to_le64(time);
+ time = ksmbd_UnixTimeToNT(stat.ctime);
+ file_info->ChangeTime = cpu_to_le64(time);
+ file_info->Attributes = fp->f_ci->m_fattr;
+ file_info->Pad1 = 0;
+ file_info->AllocationSize =
+ cpu_to_le64(get_allocation_size(inode, &stat));
+ file_info->EndOfFile = S_ISDIR(stat.mode) ? 0 : cpu_to_le64(stat.size);
+ file_info->NumberOfLinks =
+ cpu_to_le32(get_nlink(&stat) - delete_pending);
+ file_info->DeletePending = delete_pending;
+ file_info->Directory = S_ISDIR(stat.mode) ? 1 : 0;
+ file_info->Pad2 = 0;
+ file_info->IndexNumber = cpu_to_le64(stat.ino);
+ file_info->EASize = 0;
+ file_info->AccessFlags = fp->daccess;
+ file_info->CurrentByteOffset = cpu_to_le64(fp->filp->f_pos);
+ file_info->Mode = fp->coption;
+ file_info->AlignmentRequirement = 0;
+ conv_len = smbConvertToUTF16((__le16 *)file_info->FileName,
+ filename,
+ PATH_MAX,
+ conn->local_nls,
+ 0);
+ conv_len *= 2;
+ file_info->FileNameLength = cpu_to_le32(conv_len);
+ rsp->OutputBufferLength =
+ cpu_to_le32(sizeof(struct smb2_file_all_info) + conv_len - 1);
+ kfree(filename);
+ inc_rfc1001_len(rsp_org, le32_to_cpu(rsp->OutputBufferLength));
+ return 0;
+}
+
+static void get_file_alternate_info(struct ksmbd_work *work,
+ struct smb2_query_info_rsp *rsp,
+ struct ksmbd_file *fp,
+ void *rsp_org)
+{
+ struct ksmbd_conn *conn = work->conn;
+ struct smb2_file_alt_name_info *file_info;
+ int conv_len;
+ char *filename;
+
+ filename = (char *)FP_FILENAME(fp);
+ file_info = (struct smb2_file_alt_name_info *)rsp->Buffer;
+ conv_len = ksmbd_extract_shortname(conn,
+ filename,
+ file_info->FileName);
+ file_info->FileNameLength = cpu_to_le32(conv_len);
+ rsp->OutputBufferLength =
+ cpu_to_le32(sizeof(struct smb2_file_alt_name_info) + conv_len);
+ inc_rfc1001_len(rsp_org, le32_to_cpu(rsp->OutputBufferLength));
+}
+
+static void get_file_stream_info(struct ksmbd_work *work,
+ struct smb2_query_info_rsp *rsp,
+ struct ksmbd_file *fp,
+ void *rsp_org)
+{
+ struct ksmbd_conn *conn = work->conn;
+ struct smb2_file_stream_info *file_info;
+ char *stream_name, *xattr_list = NULL, *stream_buf;
+ struct kstat stat;
+ struct path *path = &fp->filp->f_path;
+ ssize_t xattr_list_len;
+ int nbytes = 0, streamlen, stream_name_len, next, idx = 0;
+
+ generic_fillattr(&init_user_ns, FP_INODE(fp), &stat);
+ file_info = (struct smb2_file_stream_info *)rsp->Buffer;
+
+ xattr_list_len = ksmbd_vfs_listxattr(path->dentry, &xattr_list);
+ if (xattr_list_len < 0) {
+ goto out;
+ } else if (!xattr_list_len) {
+ ksmbd_debug(SMB, "empty xattr in the file\n");
+ goto out;
+ }
+
+ while (idx < xattr_list_len) {
+ stream_name = xattr_list + idx;
+ streamlen = strlen(stream_name);
+ idx += streamlen + 1;
+
+ ksmbd_debug(SMB, "%s, len %d\n", stream_name, streamlen);
+
+ if (strncmp(&stream_name[XATTR_USER_PREFIX_LEN],
+ STREAM_PREFIX, STREAM_PREFIX_LEN))
+ continue;
+
+ stream_name_len = streamlen - (XATTR_USER_PREFIX_LEN +
+ STREAM_PREFIX_LEN);
+ streamlen = stream_name_len;
+
+ /* plus : size */
+ streamlen += 1;
+ stream_buf = kmalloc(streamlen + 1, GFP_KERNEL);
+ if (!stream_buf)
+ break;
+
+ streamlen = snprintf(stream_buf, streamlen + 1,
+ ":%s", &stream_name[XATTR_NAME_STREAM_LEN]);
+
+ file_info = (struct smb2_file_stream_info *)
+ &rsp->Buffer[nbytes];
+ streamlen = smbConvertToUTF16((__le16 *)file_info->StreamName,
+ stream_buf,
+ streamlen,
+ conn->local_nls,
+ 0);
+ streamlen *= 2;
+ kfree(stream_buf);
+ file_info->StreamNameLength = cpu_to_le32(streamlen);
+ file_info->StreamSize = cpu_to_le64(stream_name_len);
+ file_info->StreamAllocationSize = cpu_to_le64(stream_name_len);
+
+ next = sizeof(struct smb2_file_stream_info) + streamlen;
+ nbytes += next;
+ file_info->NextEntryOffset = cpu_to_le32(next);
+ }
+
+ if (nbytes) {
+ file_info = (struct smb2_file_stream_info *)
+ &rsp->Buffer[nbytes];
+ streamlen = smbConvertToUTF16((__le16 *)file_info->StreamName,
+ "::$DATA", 7, conn->local_nls, 0);
+ streamlen *= 2;
+ file_info->StreamNameLength = cpu_to_le32(streamlen);
+ file_info->StreamSize = S_ISDIR(stat.mode) ? 0 :
+ cpu_to_le64(stat.size);
+ file_info->StreamAllocationSize = S_ISDIR(stat.mode) ? 0 :
+ cpu_to_le64(stat.size);
+ nbytes += sizeof(struct smb2_file_stream_info) + streamlen;
+ }
+
+ /* last entry offset should be 0 */
+ file_info->NextEntryOffset = 0;
+out:
+ ksmbd_vfs_xattr_free(xattr_list);
+
+ rsp->OutputBufferLength = cpu_to_le32(nbytes);
+ inc_rfc1001_len(rsp_org, nbytes);
+}
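Review bot: get_file_stream_info() appends one smb2_file_stream_info record per stream xattr at &rsp->Buffer[nbytes] and never compares nbytes against work->response_sz or the request's OutputBufferLength, unlike smb2_get_ea(), which tracks buf_free_len. Nothing visible here stops a file with many or long stream xattrs from pushing these writes, and the trailing "::$DATA" record, past the space available in the response. Please pass in the remaining length, check each record before writing it, and stop with STATUS_BUFFER_OVERFLOW when the next one does not fit. Also, the loop tests &stream_name[XATTR_USER_PREFIX_LEN] against STREAM_PREFIX without first confirming that the name starts with XATTR_USER_PREFIX, so a name shorter than the prefix is indexed past its terminator. StreamSize and StreamAllocationSize are set to stream_name_len, the length of the name rather than of the stream data, which looks unintended.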
+
+static void get_file_internal_info(struct smb2_query_info_rsp *rsp,
+ struct ksmbd_file *fp,
+ void *rsp_org)
+{
+ struct smb2_file_internal_info *file_info;
+ struct kstat stat;
+
+ generic_fillattr(&init_user_ns, FP_INODE(fp), &stat);
+ file_info = (struct smb2_file_internal_info *)rsp->Buffer;
+ file_info->IndexNumber = cpu_to_le64(stat.ino);
+ rsp->OutputBufferLength =
+ cpu_to_le32(sizeof(struct smb2_file_internal_info));
+ inc_rfc1001_len(rsp_org, sizeof(struct smb2_file_internal_info));
+}
+
+static int get_file_network_open_info(struct smb2_query_info_rsp *rsp,
+ struct ksmbd_file *fp,
+ void *rsp_org)
+{
+ struct smb2_file_ntwrk_info *file_info;
+ struct inode *inode;
+ struct kstat stat;
+ u64 time;
+
+ if (!(fp->daccess & FILE_READ_ATTRIBUTES_LE)) {
+ ksmbd_err("no right to read the attributes : 0x%x\n",
+ fp->daccess);
+ return -EACCES;
+ }
+
+ file_info = (struct smb2_file_ntwrk_info *)rsp->Buffer;
+
+ inode = FP_INODE(fp);
+ generic_fillattr(&init_user_ns, inode, &stat);
+
+ file_info->CreationTime = cpu_to_le64(fp->create_time);
+ time = ksmbd_UnixTimeToNT(stat.atime);
+ file_info->LastAccessTime = cpu_to_le64(time);
+ time = ksmbd_UnixTimeToNT(stat.mtime);
+ file_info->LastWriteTime = cpu_to_le64(time);
+ time = ksmbd_UnixTimeToNT(stat.ctime);
+ file_info->ChangeTime = cpu_to_le64(time);
+ file_info->Attributes = fp->f_ci->m_fattr;
+ file_info->AllocationSize =
+ cpu_to_le64(get_allocation_size(inode, &stat));
+ file_info->EndOfFile = S_ISDIR(stat.mode) ? 0 : cpu_to_le64(stat.size);
+ file_info->Reserved = cpu_to_le32(0);
+ rsp->OutputBufferLength =
+ cpu_to_le32(sizeof(struct smb2_file_ntwrk_info));
+ inc_rfc1001_len(rsp_org, sizeof(struct smb2_file_ntwrk_info));
+ return 0;
+}
+
+static void get_file_ea_info(struct smb2_query_info_rsp *rsp,
+ void *rsp_org)
+{
+ struct smb2_file_ea_info *file_info;
+
+ file_info = (struct smb2_file_ea_info *)rsp->Buffer;
+ file_info->EASize = 0;
+ rsp->OutputBufferLength =
+ cpu_to_le32(sizeof(struct smb2_file_ea_info));
+ inc_rfc1001_len(rsp_org, sizeof(struct smb2_file_ea_info));
+}
+
+static void get_file_position_info(struct smb2_query_info_rsp *rsp,
+ struct ksmbd_file *fp,
+ void *rsp_org)
+{
+ struct smb2_file_pos_info *file_info;
+
+ file_info = (struct smb2_file_pos_info *)rsp->Buffer;
+ file_info->CurrentByteOffset = cpu_to_le64(fp->filp->f_pos);
+ rsp->OutputBufferLength =
+ cpu_to_le32(sizeof(struct smb2_file_pos_info));
+ inc_rfc1001_len(rsp_org, sizeof(struct smb2_file_pos_info));
+}
+
+static void get_file_mode_info(struct smb2_query_info_rsp *rsp,
+ struct ksmbd_file *fp,
+ void *rsp_org)
+{
+ struct smb2_file_mode_info *file_info;
+
+ file_info = (struct smb2_file_mode_info *)rsp->Buffer;
+ file_info->Mode = fp->coption & FILE_MODE_INFO_MASK;
+ rsp->OutputBufferLength =
+ cpu_to_le32(sizeof(struct smb2_file_mode_info));
+ inc_rfc1001_len(rsp_org, sizeof(struct smb2_file_mode_info));
+}
+
+static void get_file_compression_info(struct smb2_query_info_rsp *rsp,
+ struct ksmbd_file *fp,
+ void *rsp_org)
+{
+ struct smb2_file_comp_info *file_info;
+ struct kstat stat;
+
+ generic_fillattr(&init_user_ns, FP_INODE(fp), &stat);
+
+ file_info = (struct smb2_file_comp_info *)rsp->Buffer;
+ file_info->CompressedFileSize = cpu_to_le64(stat.blocks << 9);
+ file_info->CompressionFormat = COMPRESSION_FORMAT_NONE;
+ file_info->CompressionUnitShift = 0;
+ file_info->ChunkShift = 0;
+ file_info->ClusterShift = 0;
+ memset(&file_info->Reserved[0], 0, 3);
+
+ rsp->OutputBufferLength =
+ cpu_to_le32(sizeof(struct smb2_file_comp_info));
+ inc_rfc1001_len(rsp_org, sizeof(struct smb2_file_comp_info));
+}
+
+static int get_file_attribute_tag_info(struct smb2_query_info_rsp *rsp,
+ struct ksmbd_file *fp,
+ void *rsp_org)
+{
+ struct smb2_file_attr_tag_info *file_info;
+
+ if (!(fp->daccess & FILE_READ_ATTRIBUTES_LE)) {
+ ksmbd_err("no right to read the attributes : 0x%x\n",
+ fp->daccess);
+ return -EACCES;
+ }
+
+ file_info = (struct smb2_file_attr_tag_info *)rsp->Buffer;
+ file_info->FileAttributes = fp->f_ci->m_fattr;
+ file_info->ReparseTag = 0;
+ rsp->OutputBufferLength =
+ cpu_to_le32(sizeof(struct smb2_file_attr_tag_info));
+ inc_rfc1001_len(rsp_org,
+ sizeof(struct smb2_file_attr_tag_info));
+ return 0;
+}
+
+static int find_file_posix_info(struct smb2_query_info_rsp *rsp,
+ struct ksmbd_file *fp,
+ void *rsp_org)
+{
+ struct smb311_posix_qinfo *file_info;
+ struct inode *inode = FP_INODE(fp);
+ u64 time;
+
+ file_info = (struct smb311_posix_qinfo *)rsp->Buffer;
+ file_info->CreationTime = cpu_to_le64(fp->create_time);
+ time = ksmbd_UnixTimeToNT(inode->i_atime);
+ file_info->LastAccessTime = cpu_to_le64(time);
+ time = ksmbd_UnixTimeToNT(inode->i_mtime);
+ file_info->LastWriteTime = cpu_to_le64(time);
+ time = ksmbd_UnixTimeToNT(inode->i_ctime);
+ file_info->ChangeTime = cpu_to_le64(time);
+ file_info->DosAttributes = fp->f_ci->m_fattr;
+ file_info->Inode = cpu_to_le64(inode->i_ino);
+ file_info->EndOfFile = cpu_to_le64(inode->i_size);
+ file_info->AllocationSize = cpu_to_le64(inode->i_blocks << 9);
+ file_info->HardLinks = cpu_to_le32(inode->i_nlink);
+ file_info->Mode = cpu_to_le32(inode->i_mode);
+ file_info->DeviceId = cpu_to_le32(inode->i_rdev);
+ rsp->OutputBufferLength =
+ cpu_to_le32(sizeof(struct smb311_posix_qinfo));
+ inc_rfc1001_len(rsp_org,
+ sizeof(struct smb311_posix_qinfo));
+ return 0;
+}
+
+/**
+ * smb2_get_info_file() - handler for smb2 query info command
+ * @work: smb work containing query info request buffer
+ *
+ * Return: 0 on success, otherwise error
+ */
+static int smb2_get_info_file(struct ksmbd_work *work,
+ struct smb2_query_info_req *req,
+ struct smb2_query_info_rsp *rsp,
+ void *rsp_org)
+{
+ struct ksmbd_file *fp;
+ int fileinfoclass = 0;
+ int rc = 0;
+ int file_infoclass_size;
+ unsigned int id = KSMBD_NO_FID, pid = KSMBD_NO_FID;
+
+ if (test_share_config_flag(work->tcon->share_conf,
+ KSMBD_SHARE_FLAG_PIPE)) {
+ /* smb2 info file called for pipe */
+ return smb2_get_info_file_pipe(work->sess, req, rsp);
+ }
+
+ if (work->next_smb2_rcv_hdr_off) {
+ if (!HAS_FILE_ID(le64_to_cpu(req->VolatileFileId))) {
+ ksmbd_debug(SMB, "Compound request set FID = %u\n",
+ work->compound_fid);
+ id = work->compound_fid;
+ pid = work->compound_pfid;
+ }
+ }
+
+ if (!HAS_FILE_ID(id)) {
+ id = le64_to_cpu(req->VolatileFileId);
+ pid = le64_to_cpu(req->PersistentFileId);
+ }
+
+ fp = ksmbd_lookup_fd_slow(work, id, pid);
+ if (!fp)
+ return -ENOENT;
+
+ fileinfoclass = req->FileInfoClass;
+
+ switch (fileinfoclass) {
+ case FILE_ACCESS_INFORMATION:
+ get_file_access_info(rsp, fp, rsp_org);
+ file_infoclass_size = FILE_ACCESS_INFORMATION_SIZE;
+ break;
+
+ case FILE_BASIC_INFORMATION:
+ rc = get_file_basic_info(rsp, fp, rsp_org);
+ file_infoclass_size = FILE_BASIC_INFORMATION_SIZE;
+ break;
+
+ case FILE_STANDARD_INFORMATION:
+ get_file_standard_info(rsp, fp, rsp_org);
+ file_infoclass_size = FILE_STANDARD_INFORMATION_SIZE;
+ break;
+
+ case FILE_ALIGNMENT_INFORMATION:
+ get_file_alignment_info(rsp, rsp_org);
+ file_infoclass_size = FILE_ALIGNMENT_INFORMATION_SIZE;
+ break;
+
+ case FILE_ALL_INFORMATION:
+ rc = get_file_all_info(work, rsp, fp, rsp_org);
+ file_infoclass_size = FILE_ALL_INFORMATION_SIZE;
+ break;
+
+ case FILE_ALTERNATE_NAME_INFORMATION:
+ get_file_alternate_info(work, rsp, fp, rsp_org);
+ file_infoclass_size = FILE_ALTERNATE_NAME_INFORMATION_SIZE;
+ break;
+
+ case FILE_STREAM_INFORMATION:
+ get_file_stream_info(work, rsp, fp, rsp_org);
+ file_infoclass_size = FILE_STREAM_INFORMATION_SIZE;
+ break;
+
+ case FILE_INTERNAL_INFORMATION:
+ get_file_internal_info(rsp, fp, rsp_org);
+ file_infoclass_size = FILE_INTERNAL_INFORMATION_SIZE;
+ break;
+
+ case FILE_NETWORK_OPEN_INFORMATION:
+ rc = get_file_network_open_info(rsp, fp, rsp_org);
+ file_infoclass_size = FILE_NETWORK_OPEN_INFORMATION_SIZE;
+ break;
+
+ case FILE_EA_INFORMATION:
+ get_file_ea_info(rsp, rsp_org);
+ file_infoclass_size = FILE_EA_INFORMATION_SIZE;
+ break;
+
+ case FILE_FULL_EA_INFORMATION:
+ rc = smb2_get_ea(work, fp, req, rsp, rsp_org);
+ file_infoclass_size = FILE_FULL_EA_INFORMATION_SIZE;
+ break;
+
+ case FILE_POSITION_INFORMATION:
+ get_file_position_info(rsp, fp, rsp_org);
+ file_infoclass_size = FILE_POSITION_INFORMATION_SIZE;
+ break;
+
+ case FILE_MODE_INFORMATION:
+ get_file_mode_info(rsp, fp, rsp_org);
+ file_infoclass_size = FILE_MODE_INFORMATION_SIZE;
+ break;
+
+ case FILE_COMPRESSION_INFORMATION:
+ get_file_compression_info(rsp, fp, rsp_org);
+ file_infoclass_size = FILE_COMPRESSION_INFORMATION_SIZE;
+ break;
+
+ case FILE_ATTRIBUTE_TAG_INFORMATION:
+ rc = get_file_attribute_tag_info(rsp, fp, rsp_org);
+ file_infoclass_size = FILE_ATTRIBUTE_TAG_INFORMATION_SIZE;
+ break;
+ case SMB_FIND_FILE_POSIX_INFO:
+ if (!work->tcon->posix_extensions) {
+ ksmbd_err("client doesn't negotiate with SMB3.1.1 POSIX Extensions\n");
+ rc = -EOPNOTSUPP;
+ } else {
+ rc = find_file_posix_info(rsp, fp, rsp_org);
+ file_infoclass_size = sizeof(struct smb311_posix_qinfo);
+ }
+ break;
+ default:
+ ksmbd_debug(SMB, "fileinfoclass %d not supported yet\n",
+ fileinfoclass);
+ rc = -EOPNOTSUPP;
+ }
+ if (!rc)
+ rc = buffer_check_err(le32_to_cpu(req->OutputBufferLength),
+ rsp,
+ file_infoclass_size);
+ ksmbd_fd_put(work, fp);
+ return rc;
+}
+
+/**
+ * smb2_get_info_filesystem() - handler for smb2 query info command
+ * @work: smb work containing query info request buffer
+ *
+ * Return: 0 on success, otherwise error
+ * TODO: need to implement STATUS_INFO_LENGTH_MISMATCH error handling
+ */
+static int smb2_get_info_filesystem(struct ksmbd_work *work,
+ struct smb2_query_info_req *req,
+ struct smb2_query_info_rsp *rsp,
+ void *rsp_org)
+{
+ struct ksmbd_session *sess = work->sess;
+ struct ksmbd_conn *conn = sess->conn;
+ struct ksmbd_share_config *share = work->tcon->share_conf;
+ int fsinfoclass = 0;
+ struct kstatfs stfs;
+ struct path path;
+ int rc = 0, len;
+ int fs_infoclass_size = 0;
+
+ rc = ksmbd_vfs_kern_path(share->path, LOOKUP_FOLLOW, &path, 0);
+ if (rc) {
+ ksmbd_err("cannot create vfs path\n");
+ return -EIO;
+ }
+
+ rc = vfs_statfs(&path, &stfs);
+ if (rc) {
+ ksmbd_err("cannot do stat of path %s\n", share->path);
+ path_put(&path);
+ return -EIO;
+ }
+
+ fsinfoclass = req->FileInfoClass;
+
+ switch (fsinfoclass) {
+ case FS_DEVICE_INFORMATION:
+ {
+ struct filesystem_device_info *info;
+
+ info = (struct filesystem_device_info *)rsp->Buffer;
+
+ info->DeviceType = cpu_to_le32(stfs.f_type);
+ info->DeviceCharacteristics = cpu_to_le32(0x00000020);
+ rsp->OutputBufferLength = cpu_to_le32(8);
+ inc_rfc1001_len(rsp_org, 8);
+ fs_infoclass_size = FS_DEVICE_INFORMATION_SIZE;
+ break;
+ }
+ case FS_ATTRIBUTE_INFORMATION:
+ {
+ struct filesystem_attribute_info *info;
+ size_t sz;
+
+ info = (struct filesystem_attribute_info *)rsp->Buffer;
+ info->Attributes = cpu_to_le32(FILE_SUPPORTS_OBJECT_IDS |
+ FILE_PERSISTENT_ACLS |
+ FILE_UNICODE_ON_DISK |
+ FILE_CASE_PRESERVED_NAMES |
+ FILE_CASE_SENSITIVE_SEARCH);
+
+ info->Attributes |= cpu_to_le32(server_conf.share_fake_fscaps);
+
+ info->MaxPathNameComponentLength = cpu_to_le32(stfs.f_namelen);
+ len = smbConvertToUTF16((__le16 *)info->FileSystemName,
+ "NTFS", PATH_MAX, conn->local_nls, 0);
+ len = len * 2;
+ info->FileSystemNameLen = cpu_to_le32(len);
+ sz = sizeof(struct filesystem_attribute_info) - 2 + len;
+ rsp->OutputBufferLength = cpu_to_le32(sz);
+ inc_rfc1001_len(rsp_org, sz);
+ fs_infoclass_size = FS_ATTRIBUTE_INFORMATION_SIZE;
+ break;
+ }
+ case FS_VOLUME_INFORMATION:
+ {
+ struct filesystem_vol_info *info;
+ size_t sz;
+
+ info = (struct filesystem_vol_info *)(rsp->Buffer);
+ info->VolumeCreationTime = 0;
+ /* Taking dummy value of serial number*/
+ info->SerialNumber = cpu_to_le32(0xbc3ac512);
+ len = smbConvertToUTF16((__le16 *)info->VolumeLabel,
+ share->name, PATH_MAX,
+ conn->local_nls, 0);
+ len = len * 2;
+ info->VolumeLabelSize = cpu_to_le32(len);
+ info->Reserved = 0;
+ sz = sizeof(struct filesystem_vol_info) - 2 + len;
+ rsp->OutputBufferLength = cpu_to_le32(sz);
+ inc_rfc1001_len(rsp_org, sz);
+ fs_infoclass_size = FS_VOLUME_INFORMATION_SIZE;
+ break;
+ }
+ case FS_SIZE_INFORMATION:
+ {
+ struct filesystem_info *info;
+ unsigned short logical_sector_size;
+
+ info = (struct filesystem_info *)(rsp->Buffer);
+ logical_sector_size =
+ ksmbd_vfs_logical_sector_size(d_inode(path.dentry));
+
+ info->TotalAllocationUnits = cpu_to_le64(stfs.f_blocks);
+ info->FreeAllocationUnits = cpu_to_le64(stfs.f_bfree);
+ info->SectorsPerAllocationUnit = cpu_to_le32(stfs.f_bsize >> 9);
+ info->BytesPerSector = cpu_to_le32(logical_sector_size);
+ rsp->OutputBufferLength = cpu_to_le32(24);
+ inc_rfc1001_len(rsp_org, 24);
+ fs_infoclass_size = FS_SIZE_INFORMATION_SIZE;
+ break;
+ }
+ case FS_FULL_SIZE_INFORMATION:
+ {
+ struct smb2_fs_full_size_info *info;
+ unsigned short logical_sector_size;
+
+ info = (struct smb2_fs_full_size_info *)(rsp->Buffer);
+ logical_sector_size =
+ ksmbd_vfs_logical_sector_size(d_inode(path.dentry));
+
+ info->TotalAllocationUnits = cpu_to_le64(stfs.f_blocks);
+ info->CallerAvailableAllocationUnits =
+ cpu_to_le64(stfs.f_bavail);
+ info->ActualAvailableAllocationUnits =
+ cpu_to_le64(stfs.f_bfree);
+ info->SectorsPerAllocationUnit = cpu_to_le32(stfs.f_bsize >> 9);
+ info->BytesPerSector = cpu_to_le32(logical_sector_size);
+ rsp->OutputBufferLength = cpu_to_le32(32);
+ inc_rfc1001_len(rsp_org, 32);
+ fs_infoclass_size = FS_FULL_SIZE_INFORMATION_SIZE;
+ break;
+ }
+ case FS_OBJECT_ID_INFORMATION:
+ {
+ struct object_id_info *info;
+
+ info = (struct object_id_info *)(rsp->Buffer);
+
+ if (!user_guest(sess->user))
+ memcpy(info->objid, user_passkey(sess->user), 16);
+ else
+ memset(info->objid, 0, 16);
+
+ info->extended_info.magic = cpu_to_le32(EXTENDED_INFO_MAGIC);
+ info->extended_info.version = cpu_to_le32(1);
+ info->extended_info.release = cpu_to_le32(1);
+ info->extended_info.rel_date = 0;
+ memcpy(info->extended_info.version_string,
+ "1.1.0",
+ strlen("1.1.0"));
+ rsp->OutputBufferLength = cpu_to_le32(64);
+ inc_rfc1001_len(rsp_org, 64);
+ fs_infoclass_size = FS_OBJECT_ID_INFORMATION_SIZE;
+ break;
+ }
+ case FS_SECTOR_SIZE_INFORMATION:
+ {
+ struct smb3_fs_ss_info *info;
+ struct ksmbd_fs_sector_size fs_ss;
+
+ info = (struct smb3_fs_ss_info *)(rsp->Buffer);
+ ksmbd_vfs_smb2_sector_size(d_inode(path.dentry), &fs_ss);
+
+ info->LogicalBytesPerSector =
+ cpu_to_le32(fs_ss.logical_sector_size);
+ info->PhysicalBytesPerSectorForAtomicity =
+ cpu_to_le32(fs_ss.physical_sector_size);
+ info->PhysicalBytesPerSectorForPerf =
+ cpu_to_le32(fs_ss.optimal_io_size);
+ info->FSEffPhysicalBytesPerSectorForAtomicity =
+ cpu_to_le32(fs_ss.optimal_io_size);
+ info->Flags = cpu_to_le32(SSINFO_FLAGS_ALIGNED_DEVICE |
+ SSINFO_FLAGS_PARTITION_ALIGNED_ON_DEVICE);
+ info->ByteOffsetForSectorAlignment = 0;
+ info->ByteOffsetForPartitionAlignment = 0;
+ rsp->OutputBufferLength = cpu_to_le32(28);
+ inc_rfc1001_len(rsp_org, 28);
+ fs_infoclass_size = FS_SECTOR_SIZE_INFORMATION_SIZE;
+ break;
+ }
+ case FS_CONTROL_INFORMATION:
+ {
+ /*
+ * TODO : The current implementation is based on
+ * test result with win7(NTFS) server. It's need to
+ * modify this to get valid Quota values
+ * from Linux kernel
+ */
+ struct smb2_fs_control_info *info;
+
+ info = (struct smb2_fs_control_info *)(rsp->Buffer);
+ info->FreeSpaceStartFiltering = 0;
+ info->FreeSpaceThreshold = 0;
+ info->FreeSpaceStopFiltering = 0;
+ info->DefaultQuotaThreshold = cpu_to_le64(SMB2_NO_FID);
+ info->DefaultQuotaLimit = cpu_to_le64(SMB2_NO_FID);
+ info->Padding = 0;
+ rsp->OutputBufferLength = cpu_to_le32(48);
+ inc_rfc1001_len(rsp_org, 48);
+ fs_infoclass_size = FS_CONTROL_INFORMATION_SIZE;
+ break;
+ }
+ case FS_POSIX_INFORMATION:
+ {
+ struct filesystem_posix_info *info;
+ unsigned short logical_sector_size;
+
+ if (!work->tcon->posix_extensions) {
+ ksmbd_err("client doesn't negotiate with SMB3.1.1 POSIX Extensions\n");
+ rc = -EOPNOTSUPP;
+ } else {
+ info = (struct filesystem_posix_info *)(rsp->Buffer);
+ logical_sector_size =
+ ksmbd_vfs_logical_sector_size(d_inode(path.dentry));
+ info->OptimalTransferSize = cpu_to_le32(logical_sector_size);
+ info->BlockSize = cpu_to_le32(stfs.f_bsize);
+ info->TotalBlocks = cpu_to_le64(stfs.f_blocks);
+ info->BlocksAvail = cpu_to_le64(stfs.f_bfree);
+ info->UserBlocksAvail = cpu_to_le64(stfs.f_bavail);
+ info->TotalFileNodes = cpu_to_le64(stfs.f_files);
+ info->FreeFileNodes = cpu_to_le64(stfs.f_ffree);
+ rsp->OutputBufferLength = cpu_to_le32(56);
+ inc_rfc1001_len(rsp_org, 56);
+ fs_infoclass_size = FS_POSIX_INFORMATION_SIZE;
+ }
+ break;
+ }
+ default:
+ path_put(&path);
+ return -EOPNOTSUPP;
+ }
+ rc = buffer_check_err(le32_to_cpu(req->OutputBufferLength),
+ rsp,
+ fs_infoclass_size);
+ path_put(&path);
+ return rc;
+}
+
+static int smb2_get_info_sec(struct ksmbd_work *work,
+ struct smb2_query_info_req *req, struct smb2_query_info_rsp *rsp,
+ void *rsp_org)
+{
+ struct ksmbd_file *fp;
+ struct smb_ntsd *pntsd = (struct smb_ntsd *)rsp->Buffer, *ppntsd = NULL;
+ struct smb_fattr fattr = {{0}};
+ struct inode *inode;
+ __u32 secdesclen;
+ unsigned int id = KSMBD_NO_FID, pid = KSMBD_NO_FID;
+ int addition_info = le32_to_cpu(req->AdditionalInformation);
+ int rc;
+
+ if (work->next_smb2_rcv_hdr_off) {
+ if (!HAS_FILE_ID(le64_to_cpu(req->VolatileFileId))) {
+ ksmbd_debug(SMB, "Compound request set FID = %u\n",
+ work->compound_fid);
+ id = work->compound_fid;
+ pid = work->compound_pfid;
+ }
+ }
+
+ if (!HAS_FILE_ID(id)) {
+ id = le64_to_cpu(req->VolatileFileId);
+ pid = le64_to_cpu(req->PersistentFileId);
+ }
+
+ fp = ksmbd_lookup_fd_slow(work, id, pid);
+ if (!fp)
+ return -ENOENT;
+
+ inode = FP_INODE(fp);
+ fattr.cf_uid = inode->i_uid;
+ fattr.cf_gid = inode->i_gid;
+ fattr.cf_mode = inode->i_mode;
+ fattr.cf_dacls = NULL;
+
+ fattr.cf_acls = ksmbd_vfs_get_acl(inode, ACL_TYPE_ACCESS);
+ if (S_ISDIR(inode->i_mode))
+ fattr.cf_dacls = ksmbd_vfs_get_acl(inode, ACL_TYPE_DEFAULT);
+
+ if (test_share_config_flag(work->tcon->share_conf,
+ KSMBD_SHARE_FLAG_ACL_XATTR))
+ ksmbd_vfs_get_sd_xattr(work->conn, fp->filp->f_path.dentry, &ppntsd);
+
+ rc = build_sec_desc(pntsd, ppntsd, addition_info, &secdesclen, &fattr);
+ posix_acl_release(fattr.cf_acls);
+ posix_acl_release(fattr.cf_dacls);
+ kfree(ppntsd);
+ ksmbd_fd_put(work, fp);
+ if (rc)
+ return rc;
+
+ rsp->OutputBufferLength = cpu_to_le32(secdesclen);
+ inc_rfc1001_len(rsp_org, secdesclen);
+ return 0;
+}
+
+/**
+ * smb2_query_info() - handler for smb2 query info command
+ * @work: smb work containing query info request buffer
+ *
+ * Return: 0 on success, otherwise error
+ */
+int smb2_query_info(struct ksmbd_work *work)
+{
+ struct smb2_query_info_req *req;
+ struct smb2_query_info_rsp *rsp, *rsp_org;
+ int rc = 0;
+
+ rsp_org = RESPONSE_BUF(work);
+ WORK_BUFFERS(work, req, rsp);
+
+ ksmbd_debug(SMB, "GOT query info request\n");
+
+ switch (req->InfoType) {
+ case SMB2_O_INFO_FILE:
+ ksmbd_debug(SMB, "GOT SMB2_O_INFO_FILE\n");
+ rc = smb2_get_info_file(work, req, rsp, (void *)rsp_org);
+ break;
+ case SMB2_O_INFO_FILESYSTEM:
+ ksmbd_debug(SMB, "GOT SMB2_O_INFO_FILESYSTEM\n");
+ rc = smb2_get_info_filesystem(work, req, rsp, (void *)rsp_org);
+ break;
+ case SMB2_O_INFO_SECURITY:
+ ksmbd_debug(SMB, "GOT SMB2_O_INFO_SECURITY\n");
+ rc = smb2_get_info_sec(work, req, rsp, (void *)rsp_org);
+ break;
+ default:
+ ksmbd_debug(SMB, "InfoType %d not supported yet\n",
+ req->InfoType);
+ rc = -EOPNOTSUPP;
+ }
+
+ if (rc < 0) {
+ if (rc == -EACCES)
+ rsp->hdr.Status = STATUS_ACCESS_DENIED;
+ else if (rc == -ENOENT)
+ rsp->hdr.Status = STATUS_FILE_CLOSED;
+ else if (rc == -EIO)
+ rsp->hdr.Status = STATUS_UNEXPECTED_IO_ERROR;
+ else if (rc == -EOPNOTSUPP || rsp->hdr.Status == 0)
+ rsp->hdr.Status = STATUS_INVALID_INFO_CLASS;
+ smb2_set_err_rsp(work);
+
+ ksmbd_debug(SMB, "error while processing smb2 query rc = %d\n",
+ rc);
+ return rc;
+ }
+ rsp->StructureSize = cpu_to_le16(9);
+ rsp->OutputBufferOffset = cpu_to_le16(72);
+ inc_rfc1001_len(rsp_org, 8);
+ return 0;
+}
+
+/**
+ * smb2_close_pipe() - handler for closing IPC pipe
+ * @work: smb work containing close request buffer
+ *
+ * Return: 0
+ */
+static noinline int smb2_close_pipe(struct ksmbd_work *work)
+{
+ uint64_t id;
+ struct smb2_close_req *req = REQUEST_BUF(work);
+ struct smb2_close_rsp *rsp = RESPONSE_BUF(work);
+
+ id = le64_to_cpu(req->VolatileFileId);
+ ksmbd_session_rpc_close(work->sess, id);
+
+ rsp->StructureSize = cpu_to_le16(60);
+ rsp->Flags = 0;
+ rsp->Reserved = 0;
+ rsp->CreationTime = 0;
+ rsp->LastAccessTime = 0;
+ rsp->LastWriteTime = 0;
+ rsp->ChangeTime = 0;
+ rsp->AllocationSize = 0;
+ rsp->EndOfFile = 0;
+ rsp->Attributes = 0;
+ inc_rfc1001_len(rsp, 60);
+ return 0;
+}
+
+/**
+ * smb2_close() - handler for smb2 close file command
+ * @work: smb work containing close request buffer
+ *
+ * Return: 0
+ */
+int smb2_close(struct ksmbd_work *work)
+{
+ unsigned int volatile_id = KSMBD_NO_FID;
+ uint64_t sess_id;
+ struct smb2_close_req *req;
+ struct smb2_close_rsp *rsp;
+ struct smb2_close_rsp *rsp_org;
+ struct ksmbd_conn *conn = work->conn;
+ struct ksmbd_file *fp;
+ struct inode *inode;
+ u64 time;
+ int err = 0;
+
+ rsp_org = RESPONSE_BUF(work);
+ WORK_BUFFERS(work, req, rsp);
+
+ if (test_share_config_flag(work->tcon->share_conf,
+ KSMBD_SHARE_FLAG_PIPE)) {
+ ksmbd_debug(SMB, "IPC pipe close request\n");
+ return smb2_close_pipe(work);
+ }
+
+ sess_id = le64_to_cpu(req->hdr.SessionId);
+ if (req->hdr.Flags & SMB2_FLAGS_RELATED_OPERATIONS)
+ sess_id = work->compound_sid;
+
+ work->compound_sid = 0;
+ if (check_session_id(conn, sess_id))
+ work->compound_sid = sess_id;
+ else {
+ rsp->hdr.Status = STATUS_USER_SESSION_DELETED;
+ if (req->hdr.Flags & SMB2_FLAGS_RELATED_OPERATIONS)
+ rsp->hdr.Status = STATUS_INVALID_PARAMETER;
+ err = -EBADF;
+ goto out;
+ }
+
+ if (work->next_smb2_rcv_hdr_off &&
+ !HAS_FILE_ID(le64_to_cpu(req->VolatileFileId))) {
+ if (!HAS_FILE_ID(work->compound_fid)) {
+ /* file already closed, return FILE_CLOSED */
+ ksmbd_debug(SMB, "file already closed\n");
+ rsp->hdr.Status = STATUS_FILE_CLOSED;
+ err = -EBADF;
+ goto out;
+ } else {
+ ksmbd_debug(SMB, "Compound request set FID = %u:%u\n",
+ work->compound_fid,
+ work->compound_pfid);
+ volatile_id = work->compound_fid;
+
+ /* file closed, stored id is not valid anymore */
+ work->compound_fid = KSMBD_NO_FID;
+ work->compound_pfid = KSMBD_NO_FID;
+ }
+ } else {
+ volatile_id = le64_to_cpu(req->VolatileFileId);
+ }
+ ksmbd_debug(SMB, "volatile_id = %u\n", volatile_id);
+
+ rsp->StructureSize = cpu_to_le16(60);
+ rsp->Reserved = 0;
+
+ if (req->Flags == SMB2_CLOSE_FLAG_POSTQUERY_ATTRIB) {
+ fp = ksmbd_lookup_fd_fast(work, volatile_id);
+ if (!fp) {
+ err = -ENOENT;
+ goto out;
+ }
+
+ inode = FP_INODE(fp);
+ rsp->Flags = SMB2_CLOSE_FLAG_POSTQUERY_ATTRIB;
+ rsp->AllocationSize = S_ISDIR(inode->i_mode) ? 0 :
+ cpu_to_le64(inode->i_blocks << 9);
+ rsp->EndOfFile = cpu_to_le64(inode->i_size);
+ rsp->Attributes = fp->f_ci->m_fattr;
+ rsp->CreationTime = cpu_to_le64(fp->create_time);
+ time = ksmbd_UnixTimeToNT(inode->i_atime);
+ rsp->LastAccessTime = cpu_to_le64(time);
+ time = ksmbd_UnixTimeToNT(inode->i_mtime);
+ rsp->LastWriteTime = cpu_to_le64(time);
+ time = ksmbd_UnixTimeToNT(inode->i_ctime);
+ rsp->ChangeTime = cpu_to_le64(time);
+ ksmbd_fd_put(work, fp);
+ } else {
+ rsp->Flags = 0;
+ rsp->AllocationSize = 0;
+ rsp->EndOfFile = 0;
+ rsp->Attributes = 0;
+ rsp->CreationTime = 0;
+ rsp->LastAccessTime = 0;
+ rsp->LastWriteTime = 0;
+ rsp->ChangeTime = 0;
+ }
+
+ err = ksmbd_close_fd(work, volatile_id);
+out:
+ if (err) {
+ if (rsp->hdr.Status == 0)
+ rsp->hdr.Status = STATUS_FILE_CLOSED;
+ smb2_set_err_rsp(work);
+ } else {
+ inc_rfc1001_len(rsp_org, 60);
+ }
+
+ return 0;
+}
+
+/**
+ * smb2_echo() - handler for smb2 echo(ping) command
+ * @work: smb work containing echo request buffer
+ *
+ * Return: 0
+ */
+int smb2_echo(struct ksmbd_work *work)
+{
+ struct smb2_echo_rsp *rsp = RESPONSE_BUF(work);
+
+ rsp->StructureSize = cpu_to_le16(4);
+ rsp->Reserved = 0;
+ inc_rfc1001_len(rsp, 4);
+ return 0;
+}
+
+/**
+ * smb2_rename() - handler for rename using smb2 setinfo command
+ * @work: smb work containing set info command buffer
+ * @filp: file pointer of source file
+ * @old_fid: file id of source file
+ *
+ * Return: 0 on success, otherwise error
+ */
+static int smb2_rename(struct ksmbd_work *work, struct ksmbd_file *fp,
+ struct smb2_file_rename_info *file_info,
+ struct nls_table *local_nls)
+{
+ struct ksmbd_share_config *share = fp->tcon->share_conf;
+ char *new_name = NULL, *abs_oldname = NULL, *old_name = NULL;
+ char *pathname = NULL;
+ struct path path;
+ bool file_present = true;
+ int rc;
+
+ ksmbd_debug(SMB, "setting FILE_RENAME_INFO\n");
+ pathname = kmalloc(PATH_MAX, GFP_KERNEL);
+ if (!pathname)
+ return -ENOMEM;
+
+ abs_oldname = d_path(&fp->filp->f_path, pathname, PATH_MAX);
+ if (IS_ERR(abs_oldname)) {
+ rc = -EINVAL;
+ goto out;
+ }
+ old_name = strrchr(abs_oldname, '/');
+ if (old_name && old_name[1] != '\0')
+ old_name++;
+ else {
+ ksmbd_debug(SMB, "can't get last component in path %s\n",
+ abs_oldname);
+ rc = -ENOENT;
+ goto out;
+ }
+
+ new_name = smb2_get_name(share,
+ file_info->FileName,
+ le32_to_cpu(file_info->FileNameLength),
+ local_nls);
+ if (IS_ERR(new_name)) {
+ rc = PTR_ERR(new_name);
+ goto out;
+ }
+
+ if (strchr(new_name, ':')) {
+ int s_type;
+ char *xattr_stream_name, *stream_name = NULL;
+ size_t xattr_stream_size;
+ int len;
+
+ rc = parse_stream_name(new_name, &stream_name, &s_type);
+ if (rc < 0)
+ goto out;
+
+ len = strlen(new_name);
+ if (new_name[len - 1] != '/') {
+ ksmbd_err("not allow base filename in rename\n");
+ rc = -ESHARE;
+ goto out;
+ }
+
+ rc = ksmbd_vfs_xattr_stream_name(stream_name,
+ &xattr_stream_name,
+ &xattr_stream_size,
+ s_type);
+ if (rc)
+ goto out;
+
+ rc = ksmbd_vfs_setxattr(fp->filp->f_path.dentry,
+ xattr_stream_name,
+ NULL, 0, 0);
+ if (rc < 0) {
+ ksmbd_err("failed to store stream name in xattr: %d\n",
+ rc);
+ rc = -EINVAL;
+ goto out;
+ }
+
+ goto out;
+ }
+
+ ksmbd_debug(SMB, "new name %s\n", new_name);
+ rc = ksmbd_vfs_kern_path(new_name, 0, &path, 1);
+ if (rc)
+ file_present = false;
+ else
+ path_put(&path);
+
+ if (ksmbd_share_veto_filename(share, new_name)) {
+ rc = -ENOENT;
+ ksmbd_debug(SMB, "Can't rename vetoed file: %s\n", new_name);
+ goto out;
+ }
+
+ if (file_info->ReplaceIfExists) {
+ if (file_present) {
+ rc = ksmbd_vfs_remove_file(work, new_name);
+ if (rc) {
+ if (rc != -ENOTEMPTY)
+ rc = -EINVAL;
+ ksmbd_debug(SMB, "cannot delete %s, rc %d\n",
+ new_name, rc);
+ goto out;
+ }
+ }
+ } else {
+ if (file_present &&
+ strncmp(old_name, path.dentry->d_name.name,
+ strlen(old_name))) {
+ rc = -EEXIST;
+ ksmbd_debug(SMB,
+ "cannot rename already existing file\n");
+ goto out;
+ }
+ }
+
+ rc = ksmbd_vfs_fp_rename(work, fp, new_name);
+out:
+ kfree(pathname);
+ if (!IS_ERR(new_name))
+ smb2_put_name(new_name);
+ return rc;
+}
+
+/**
+ * smb2_create_link() - handler for creating hardlink using smb2
+ * set info command
+ * @work: smb work containing set info command buffer
+ * @filp: file pointer of source file
+ *
+ * Return: 0 on success, otherwise error
+ */
+static int smb2_create_link(struct ksmbd_work *work,
+ struct ksmbd_share_config *share,
+ struct smb2_file_link_info *file_info,
+ struct file *filp,
+ struct nls_table *local_nls)
+{
+ char *link_name = NULL, *target_name = NULL, *pathname = NULL;
+ struct path path;
+ bool file_present = true;
+ int rc;
+
+ ksmbd_debug(SMB, "setting FILE_LINK_INFORMATION\n");
+ pathname = kmalloc(PATH_MAX, GFP_KERNEL);
+ if (!pathname)
+ return -ENOMEM;
+
+ link_name = smb2_get_name(share,
+ file_info->FileName,
+ le32_to_cpu(file_info->FileNameLength),
+ local_nls);
+ if (IS_ERR(link_name) || S_ISDIR(file_inode(filp)->i_mode)) {
+ rc = -EINVAL;
+ goto out;
+ }
+
+ ksmbd_debug(SMB, "link name is %s\n", link_name);
+ target_name = d_path(&filp->f_path, pathname, PATH_MAX);
+ if (IS_ERR(target_name)) {
+ rc = -EINVAL;
+ goto out;
+ }
+
+ ksmbd_debug(SMB, "target name is %s\n", target_name);
+ rc = ksmbd_vfs_kern_path(link_name, 0, &path, 0);
+ if (rc)
+ file_present = false;
+ else
+ path_put(&path);
+
+ if (file_info->ReplaceIfExists) {
+ if (file_present) {
+ rc = ksmbd_vfs_remove_file(work, link_name);
+ if (rc) {
+ rc = -EINVAL;
+ ksmbd_debug(SMB, "cannot delete %s\n",
+ link_name);
+ goto out;
+ }
+ }
+ } else {
+ if (file_present) {
+ rc = -EEXIST;
+ ksmbd_debug(SMB, "link already exists\n");
+ goto out;
+ }
+ }
+
+ rc = ksmbd_vfs_link(work, target_name, link_name);
+ if (rc)
+ rc = -EINVAL;
+out:
+ if (!IS_ERR(link_name))
+ smb2_put_name(link_name);
+ kfree(pathname);
+ return rc;
+}
+
+static bool is_attributes_write_allowed(struct ksmbd_file *fp)
+{
+ return fp->daccess & FILE_WRITE_ATTRIBUTES_LE;
+}
+
+static int set_file_basic_info(struct ksmbd_file *fp,
+ char *buf,
+ struct ksmbd_share_config *share)
+{
+ struct smb2_file_all_info *file_info;
+ struct iattr attrs;
+ struct iattr temp_attrs;
+ struct file *filp;
+ struct inode *inode;
+ int rc;
+
+ if (!is_attributes_write_allowed(fp))
+ return -EACCES;
+
+ file_info = (struct smb2_file_all_info *)buf;
+ attrs.ia_valid = 0;
+ filp = fp->filp;
+ inode = file_inode(filp);
+
+ if (file_info->CreationTime)
+ fp->create_time = le64_to_cpu(file_info->CreationTime);
+
+ if (file_info->LastAccessTime) {
+ attrs.ia_atime = ksmbd_NTtimeToUnix(file_info->LastAccessTime);
+ attrs.ia_valid |= (ATTR_ATIME | ATTR_ATIME_SET);
+ }
+
+ if (file_info->ChangeTime) {
+ temp_attrs.ia_ctime = ksmbd_NTtimeToUnix(file_info->ChangeTime);
+ attrs.ia_ctime = temp_attrs.ia_ctime;
+ attrs.ia_valid |= ATTR_CTIME;
+ } else
+ temp_attrs.ia_ctime = inode->i_ctime;
+
+ if (file_info->LastWriteTime) {
+ attrs.ia_mtime = ksmbd_NTtimeToUnix(file_info->LastWriteTime);
+ attrs.ia_valid |= (ATTR_MTIME | ATTR_MTIME_SET);
+ }
+
+ if (file_info->Attributes) {
+ if (!S_ISDIR(inode->i_mode) &&
+ file_info->Attributes & ATTR_DIRECTORY_LE) {
+ ksmbd_err("can't change a file to a directory\n");
+ return -EINVAL;
+ }
+
+ if (!(S_ISDIR(inode->i_mode) && file_info->Attributes == ATTR_NORMAL_LE))
+ fp->f_ci->m_fattr = file_info->Attributes |
+ (fp->f_ci->m_fattr & ATTR_DIRECTORY_LE);
+ }
+
+ if (test_share_config_flag(share, KSMBD_SHARE_FLAG_STORE_DOS_ATTRS) &&
+ (file_info->CreationTime || file_info->Attributes)) {
+ struct xattr_dos_attrib da = {0};
+
+ da.version = 4;
+ da.itime = fp->itime;
+ da.create_time = fp->create_time;
+ da.attr = le32_to_cpu(fp->f_ci->m_fattr);
+ da.flags = XATTR_DOSINFO_ATTRIB | XATTR_DOSINFO_CREATE_TIME |
+ XATTR_DOSINFO_ITIME;
+
+ rc = ksmbd_vfs_set_dos_attrib_xattr(filp->f_path.dentry, &da);
+ if (rc)
+ ksmbd_debug(SMB,
+ "failed to restore file attribute in EA\n");
+ rc = 0;
+ }
+
+ /*
+ * HACK : set ctime here to avoid ctime changed
+ * when file_info->ChangeTime is zero.
+ */
+ attrs.ia_ctime = temp_attrs.ia_ctime;
+ attrs.ia_valid |= ATTR_CTIME;
+
+ if (attrs.ia_valid) {
+ struct dentry *dentry = filp->f_path.dentry;
+ struct inode *inode = d_inode(dentry);
+
+ if (IS_IMMUTABLE(inode) || IS_APPEND(inode))
+ return -EACCES;
+
+ rc = setattr_prepare(&init_user_ns, dentry, &attrs);
+ if (rc)
+ return -EINVAL;
+
+ inode_lock(inode);
+ setattr_copy(&init_user_ns, inode, &attrs);
+ attrs.ia_valid &= ~ATTR_CTIME;
+ rc = notify_change(&init_user_ns, dentry, &attrs, NULL);
+ inode_unlock(inode);
+ }
+ return 0;
+}
+
+static int set_file_allocation_info(struct ksmbd_work *work,
+ struct ksmbd_file *fp,
+ char *buf)
+{
+ /*
+ * TODO : It's working fine only when store dos attributes
+ * is not yes. need to implement a logic which works
+ * properly with any smb.conf option
+ */
+
+ struct smb2_file_alloc_info *file_alloc_info;
+ loff_t alloc_blks;
+ struct inode *inode;
+ int rc;
+
+ if (!is_attributes_write_allowed(fp))
+ return -EACCES;
+
+ file_alloc_info = (struct smb2_file_alloc_info *)buf;
+ alloc_blks = (le64_to_cpu(file_alloc_info->AllocationSize) + 511) >> 9;
+ inode = file_inode(fp->filp);
+
+ if (alloc_blks > inode->i_blocks) {
+ rc = ksmbd_vfs_alloc_size(work, fp, alloc_blks * 512);
+ if (rc && rc != -EOPNOTSUPP) {
+ ksmbd_err("ksmbd_vfs_alloc_size is failed : %d\n", rc);
+ return rc;
+ }
+ } else if (alloc_blks < inode->i_blocks) {
+ loff_t size;
+
+ /*
+ * Allocation size could be smaller than original one
+ * which means allocated blocks in file should be
+ * deallocated. use truncate to cut out it, but inode
+ * size is also updated with truncate offset.
+ * inode size is retained by backup inode size.
+ */
+ size = i_size_read(inode);
+ rc = ksmbd_vfs_truncate(work, NULL, fp, alloc_blks * 512);
+ if (rc) {
+ ksmbd_err("truncate failed! filename : %s, err %d\n",
+ fp->filename, rc);
+ return rc;
+ }
+ if (size < alloc_blks * 512)
+ i_size_write(inode, size);
+ }
+ return 0;
+}
+
+static int set_end_of_file_info(struct ksmbd_work *work,
+ struct ksmbd_file *fp,
+ char *buf)
+{
+ struct smb2_file_eof_info *file_eof_info;
+ loff_t newsize;
+ struct inode *inode;
+ int rc;
+
+ if (!is_attributes_write_allowed(fp))
+ return -EACCES;
+
+ file_eof_info = (struct smb2_file_eof_info *)buf;
+ newsize = le64_to_cpu(file_eof_info->EndOfFile);
+ inode = file_inode(fp->filp);
+
+ /*
+ * If FILE_END_OF_FILE_INFORMATION of set_info_file is called
+ * on FAT32 shared device, truncate execution time is too long
+ * and network error could cause from windows client. because
+ * truncate of some filesystem like FAT32 fill zero data in
+ * truncated range.
+ */
+ if (inode->i_sb->s_magic != MSDOS_SUPER_MAGIC) {
+ ksmbd_debug(SMB, "filename : %s truncated to newsize %lld\n",
+ fp->filename, newsize);
+ rc = ksmbd_vfs_truncate(work, NULL, fp, newsize);
+ if (rc) {
+ ksmbd_debug(SMB,
+ "truncate failed! filename : %s err %d\n",
+ fp->filename, rc);
+ if (rc != -EAGAIN)
+ rc = -EBADF;
+ return rc;
+ }
+ }
+ return 0;
+}
+
+static int set_rename_info(struct ksmbd_work *work,
+ struct ksmbd_file *fp,
+ char *buf)
+{
+ struct ksmbd_file *parent_fp;
+
+ if (!(fp->daccess & FILE_DELETE_LE)) {
+ ksmbd_err("no right to delete : 0x%x\n", fp->daccess);
+ return -EACCES;
+ }
+
+ if (ksmbd_stream_fd(fp))
+ goto next;
+
+ parent_fp = ksmbd_lookup_fd_inode(PARENT_INODE(fp));
+ if (parent_fp) {
+ if (parent_fp->daccess & FILE_DELETE_LE) {
+ ksmbd_err("parent dir is opened with delete access\n");
+ return -ESHARE;
+ }
+ }
+next:
+ return smb2_rename(work, fp,
+ (struct smb2_file_rename_info *)buf,
+ work->sess->conn->local_nls);
+}
+
+static int set_file_disposition_info(struct ksmbd_file *fp,
+ char *buf)
+{
+ struct smb2_file_disposition_info *file_info;
+ struct inode *inode;
+
+ if (!(fp->daccess & FILE_DELETE_LE)) {
+ ksmbd_err("no right to delete : 0x%x\n", fp->daccess);
+ return -EACCES;
+ }
+
+ inode = file_inode(fp->filp);
+ file_info = (struct smb2_file_disposition_info *)buf;
+ if (file_info->DeletePending) {
+ if (S_ISDIR(inode->i_mode) &&
+ ksmbd_vfs_empty_dir(fp) == -ENOTEMPTY)
+ return -EBUSY;
+ ksmbd_set_inode_pending_delete(fp);
+ } else {
+ ksmbd_clear_inode_pending_delete(fp);
+ }
+ return 0;
+}
+
+static int set_file_position_info(struct ksmbd_file *fp,
+ char *buf)
+{
+ struct smb2_file_pos_info *file_info;
+ loff_t current_byte_offset;
+ unsigned short sector_size;
+ struct inode *inode;
+
+ inode = file_inode(fp->filp);
+ file_info = (struct smb2_file_pos_info *)buf;
+ current_byte_offset = le64_to_cpu(file_info->CurrentByteOffset);
+ sector_size = ksmbd_vfs_logical_sector_size(inode);
+
+ if (current_byte_offset < 0 ||
+ (fp->coption == FILE_NO_INTERMEDIATE_BUFFERING_LE &&
+ current_byte_offset & (sector_size-1))) {
+ ksmbd_err("CurrentByteOffset is not valid : %llu\n",
+ current_byte_offset);
+ return -EINVAL;
+ }
+
+ fp->filp->f_pos = current_byte_offset;
+ return 0;
+}
+
+static int set_file_mode_info(struct ksmbd_file *fp,
+ char *buf)
+{
+ struct smb2_file_mode_info *file_info;
+ __le32 mode;
+
+ file_info = (struct smb2_file_mode_info *)buf;
+ mode = file_info->Mode;
+
+ if ((mode & (~FILE_MODE_INFO_MASK)) ||
+ (mode & FILE_SYNCHRONOUS_IO_ALERT_LE &&
+ mode & FILE_SYNCHRONOUS_IO_NONALERT_LE)) {
+ ksmbd_err("Mode is not valid : 0x%x\n", le32_to_cpu(mode));
+ return -EINVAL;
+ }
+
+ /*
+ * TODO : need to implement consideration for
+ * FILE_SYNCHRONOUS_IO_ALERT and FILE_SYNCHRONOUS_IO_NONALERT
+ */
+ ksmbd_vfs_set_fadvise(fp->filp, mode);
+ fp->coption = mode;
+ return 0;
+}
+
+/**
+ * smb2_set_info_file() - handler for smb2 set info command
+ * @work: smb work containing set info command buffer
+ *
+ * Return: 0 on success, otherwise error
+ * TODO: need to implement an error handling for STATUS_INFO_LENGTH_MISMATCH
+ */
+static int smb2_set_info_file(struct ksmbd_work *work,
+ struct ksmbd_file *fp,
+ int info_class,
+ char *buf,
+ struct ksmbd_share_config *share)
+{
+ switch (info_class) {
+ case FILE_BASIC_INFORMATION:
+ return set_file_basic_info(fp, buf, share);
+
+ case FILE_ALLOCATION_INFORMATION:
+ return set_file_allocation_info(work, fp, buf);
+
+ case FILE_END_OF_FILE_INFORMATION:
+ return set_end_of_file_info(work, fp, buf);
+
+ case FILE_RENAME_INFORMATION:
+ if (!test_tree_conn_flag(work->tcon,
+ KSMBD_TREE_CONN_FLAG_WRITABLE)) {
+ ksmbd_debug(SMB,
+ "User does not have write permission\n");
+ return -EACCES;
+ }
+ return set_rename_info(work, fp, buf);
+
+ case FILE_LINK_INFORMATION:
+ return smb2_create_link(work, work->tcon->share_conf,
+ (struct smb2_file_link_info *)buf, fp->filp,
+ work->sess->conn->local_nls);
+
+ case FILE_DISPOSITION_INFORMATION:
+ if (!test_tree_conn_flag(work->tcon,
+ KSMBD_TREE_CONN_FLAG_WRITABLE)) {
+ ksmbd_debug(SMB,
+ "User does not have write permission\n");
+ return -EACCES;
+ }
+ return set_file_disposition_info(fp, buf);
+
+ case FILE_FULL_EA_INFORMATION:
+ {
+ if (!(fp->daccess & FILE_WRITE_EA_LE)) {
+ ksmbd_err("Not permitted to write ext attr: 0x%x\n",
+ fp->daccess);
+ return -EACCES;
+ }
+
+ return smb2_set_ea((struct smb2_ea_info *)buf,
+ &fp->filp->f_path);
+ }
+
+ case FILE_POSITION_INFORMATION:
+ return set_file_position_info(fp, buf);
+
+ case FILE_MODE_INFORMATION:
+ return set_file_mode_info(fp, buf);
+ }
+
+ ksmbd_err("Unimplemented Fileinfoclass :%d\n", info_class);
+ return -EOPNOTSUPP;
+}
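Review bot: smb2_set_info_file() hands the client buffer to every handler as a bare char *buf with no length, so set_file_allocation_info(), set_end_of_file_info(), set_file_position_info() and the rest cast it to their fixed structures without checking that the request carries that many bytes. The kernel-doc TODO about STATUS_INFO_LENGTH_MISMATCH names the gap; pass BufferLength down and reject a buffer shorter than the structure for the requested class. Separately, the FILE_LINK_INFORMATION case reaches smb2_create_link() without the KSMBD_TREE_CONN_FLAG_WRITABLE test that the rename and disposition cases perform, and should get the same check.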
+
+static int smb2_set_info_sec(struct ksmbd_file *fp,
+ int addition_info,
+ char *buffer,
+ int buf_len)
+{
+ struct smb_ntsd *pntsd = (struct smb_ntsd *)buffer;
+
+ fp->saccess |= FILE_SHARE_DELETE_LE;
+
+ return set_info_sec(fp->conn, fp->tcon, fp->filp->f_path.dentry, pntsd,
+ buf_len, false);
+}
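Review bot: smb2_set_info_sec() applies a client-supplied security descriptor without testing fp->daccess, while the neighbouring handlers each gate on a specific access bit (FILE_DELETE_LE, FILE_WRITE_EA_LE). Unless set_info_sec() enforces the required access right itself, which these lines do not show, that check belongs here. The addition_info parameter is accepted and never used, and "fp->saccess |= FILE_SHARE_DELETE_LE" widens the handle's share access as a side effect with no comment explaining why.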
+
+/**
+ * smb2_set_info() - handler for smb2 set info command handler
+ * @work: smb work containing set info request buffer
+ *
+ * Return: 0 on success, otherwise error
+ */
+int smb2_set_info(struct ksmbd_work *work)
+{
+ struct smb2_set_info_req *req;
+ struct smb2_set_info_rsp *rsp, *rsp_org;
+ struct ksmbd_file *fp;
+ int rc = 0;
+ unsigned int id = KSMBD_NO_FID, pid = KSMBD_NO_FID;
+
+ ksmbd_debug(SMB, "Received set info request\n");
+
+ rsp_org = RESPONSE_BUF(work);
+ if (work->next_smb2_rcv_hdr_off) {
+ req = REQUEST_BUF_NEXT(work);
+ rsp = RESPONSE_BUF_NEXT(work);
+ if (!HAS_FILE_ID(le64_to_cpu(req->VolatileFileId))) {
+ ksmbd_debug(SMB, "Compound request set FID = %u\n",
+ work->compound_fid);
+ id = work->compound_fid;
+ pid = work->compound_pfid;
+ }
+ } else {
+ req = REQUEST_BUF(work);
+ rsp = RESPONSE_BUF(work);
+ }
+
+ if (!HAS_FILE_ID(id)) {
+ id = le64_to_cpu(req->VolatileFileId);
+ pid = le64_to_cpu(req->PersistentFileId);
+ }
+
+ fp = ksmbd_lookup_fd_slow(work, id, pid);
+ if (!fp) {
+ ksmbd_debug(SMB, "Invalid id for close: %u\n", id);
+ rc = -ENOENT;
+ goto err_out;
+ }
+
+ switch (req->InfoType) {
+ case SMB2_O_INFO_FILE:
+ ksmbd_debug(SMB, "GOT SMB2_O_INFO_FILE\n");
+ rc = smb2_set_info_file(work, fp, req->FileInfoClass,
+ req->Buffer, work->tcon->share_conf);
+ break;
+ case SMB2_O_INFO_SECURITY:
+ ksmbd_debug(SMB, "GOT SMB2_O_INFO_SECURITY\n");
+ rc = smb2_set_info_sec(fp,
+ le32_to_cpu(req->AdditionalInformation), req->Buffer,
+ le32_to_cpu(req->BufferLength));
+ break;
+ default:
+ rc = -EOPNOTSUPP;
+ }
+
+ if (rc < 0)
+ goto err_out;
+
+ rsp->StructureSize = cpu_to_le16(2);
+ inc_rfc1001_len(rsp_org, 2);
+ ksmbd_fd_put(work, fp);
+ return 0;
+
+err_out:
+ if (rc == -EACCES || rc == -EPERM)
+ rsp->hdr.Status = STATUS_ACCESS_DENIED;
+ else if (rc == -EINVAL)
+ rsp->hdr.Status = STATUS_INVALID_PARAMETER;
+ else if (rc == -ESHARE)
+ rsp->hdr.Status = STATUS_SHARING_VIOLATION;
+ else if (rc == -ENOENT)
+ rsp->hdr.Status = STATUS_OBJECT_NAME_INVALID;
+ else if (rc == -EBUSY || rc == -ENOTEMPTY)
+ rsp->hdr.Status = STATUS_DIRECTORY_NOT_EMPTY;
+ else if (rc == -EAGAIN)
+ rsp->hdr.Status = STATUS_FILE_LOCK_CONFLICT;
+ else if (rc == -EBADF)
+ rsp->hdr.Status = STATUS_INVALID_HANDLE;
+ else if (rc == -EEXIST)
+ rsp->hdr.Status = STATUS_OBJECT_NAME_COLLISION;
+ else if (rsp->hdr.Status == 0 || rc == -EOPNOTSUPP)
+ rsp->hdr.Status = STATUS_INVALID_INFO_CLASS;
+ smb2_set_err_rsp(work);
+ ksmbd_fd_put(work, fp);
+ ksmbd_debug(SMB, "error while processing smb2 query rc = %d\n",
+ rc);
+ return rc;
+}
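Review bot: when ksmbd_lookup_fd_slow() fails in smb2_set_info(), the code jumps to err_out with fp == NULL and then calls ksmbd_fd_put(work, fp). Either document that ksmbd_fd_put() accepts NULL or add a second label that skips the put. req->Buffer is also passed on without comparing BufferLength (read only in the security case) against the size of the received request, and two debug strings look copied from other handlers ("Invalid id for close", "error while processing smb2 query").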
+
+/**
+ * smb2_read_pipe() - handler for smb2 read from IPC pipe
+ * @work: smb work containing read IPC pipe command buffer
+ *
+ * Return: 0 on success, otherwise error
+ */
+static noinline int smb2_read_pipe(struct ksmbd_work *work)
+{
+ int nbytes = 0, err;
+ uint64_t id;
+ struct ksmbd_rpc_command *rpc_resp;
+ struct smb2_read_req *req = REQUEST_BUF(work);
+ struct smb2_read_rsp *rsp = RESPONSE_BUF(work);
+
+ id = le64_to_cpu(req->VolatileFileId);
+
+ inc_rfc1001_len(rsp, 16);
+ rpc_resp = ksmbd_rpc_read(work->sess, id);
+ if (rpc_resp) {
+ if (rpc_resp->flags != KSMBD_RPC_OK) {
+ err = -EINVAL;
+ goto out;
+ }
+
+ work->aux_payload_buf =
+ ksmbd_alloc_response(rpc_resp->payload_sz);
+ if (!work->aux_payload_buf) {
+ err = -ENOMEM;
+ goto out;
+ }
+
+ memcpy(work->aux_payload_buf, rpc_resp->payload,
+ rpc_resp->payload_sz);
+
+ nbytes = rpc_resp->payload_sz;
+ work->resp_hdr_sz = get_rfc1002_len(rsp) + 4;
+ work->aux_payload_sz = nbytes;
+ ksmbd_free(rpc_resp);
+ }
+
+ rsp->StructureSize = cpu_to_le16(17);
+ rsp->DataOffset = 80;
+ rsp->Reserved = 0;
+ rsp->DataLength = cpu_to_le32(nbytes);
+ rsp->DataRemaining = 0;
+ rsp->Reserved2 = 0;
+ inc_rfc1001_len(rsp, nbytes);
+ return 0;
+
+out:
+ rsp->hdr.Status = STATUS_UNEXPECTED_IO_ERROR;
+ smb2_set_err_rsp(work);
+ ksmbd_free(rpc_resp);
+ return err;
+}
+
+static ssize_t smb2_read_rdma_channel(struct ksmbd_work *work,
+ struct smb2_read_req *req,
+ void *data_buf, size_t length)
+{
+ struct smb2_buffer_desc_v1 *desc =
+ (struct smb2_buffer_desc_v1 *)&req->Buffer[0];
+ int err;
+
+ if (work->conn->dialect == SMB30_PROT_ID
+ && req->Channel != SMB2_CHANNEL_RDMA_V1)
+ return -EINVAL;
+
+ if (req->ReadChannelInfoOffset == 0
+ || le16_to_cpu(req->ReadChannelInfoLength) < sizeof(*desc))
+ return -EINVAL;
+
+ work->need_invalidate_rkey =
+ (req->Channel == SMB2_CHANNEL_RDMA_V1_INVALIDATE);
+ work->remote_key = le32_to_cpu(desc->token);
+
+ err = ksmbd_conn_rdma_write(work->conn,
+ data_buf, length,
+ le32_to_cpu(desc->token),
+ le64_to_cpu(desc->offset),
+ le32_to_cpu(desc->length));
+ if (err)
+ return err;
+
+ return length;
+}
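Review bot: smb2_read_rdma_channel() tests ReadChannelInfoOffset only for non-zero and then always takes the descriptor from &req->Buffer[0], and ReadChannelInfoLength is compared with sizeof(*desc) but never with the size of the received request. Validate that offset plus length lies inside the request and locate desc from that offset, otherwise desc->token, desc->offset and desc->length can be read from bytes the client never sent.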
+
+/**
+ * smb2_read() - handler for smb2 read from file
+ * @work: smb work containing read command buffer
+ *
+ * Return: 0 on success, otherwise error
+ */
+int smb2_read(struct ksmbd_work *work)
+{
+ struct ksmbd_conn *conn = work->conn;
+ struct smb2_read_req *req;
+ struct smb2_read_rsp *rsp, *rsp_org;
+ struct ksmbd_file *fp;
+ loff_t offset;
+ size_t length, mincount;
+ ssize_t nbytes = 0, remain_bytes = 0;
+ int err = 0;
+
+ rsp_org = RESPONSE_BUF(work);
+ WORK_BUFFERS(work, req, rsp);
+
+ if (test_share_config_flag(work->tcon->share_conf,
+ KSMBD_SHARE_FLAG_PIPE)) {
+ ksmbd_debug(SMB, "IPC pipe read request\n");
+ return smb2_read_pipe(work);
+ }
+
+ fp = ksmbd_lookup_fd_slow(work,
+ le64_to_cpu(req->VolatileFileId),
+ le64_to_cpu(req->PersistentFileId));
+ if (!fp) {
+ rsp->hdr.Status = STATUS_FILE_CLOSED;
+ return -ENOENT;
+ }
+
+ if (!(fp->daccess & (FILE_READ_DATA_LE | FILE_READ_ATTRIBUTES_LE))) {
+ ksmbd_err("Not permitted to read : 0x%x\n", fp->daccess);
+ err = -EACCES;
+ goto out;
+ }
+
+ offset = le64_to_cpu(req->Offset);
+ length = le32_to_cpu(req->Length);
+ mincount = le32_to_cpu(req->MinimumCount);
+
+ if (length > conn->vals->max_read_size) {
+ ksmbd_debug(SMB, "limiting read size to max size(%u)\n",
+ conn->vals->max_read_size);
+ err = -EINVAL;
+ goto out;
+ }
+
+ ksmbd_debug(SMB, "filename %s, offset %lld, len %zu\n", FP_FILENAME(fp),
+ offset, length);
+
+ if (server_conf.flags & KSMBD_GLOBAL_FLAG_CACHE_RBUF) {
+ work->aux_payload_buf =
+ ksmbd_find_buffer(conn->vals->max_read_size);
+ work->set_read_buf = true;
+ } else {
+ work->aux_payload_buf = ksmbd_alloc_response(length);
+ }
+ if (!work->aux_payload_buf) {
+ err = nbytes;
+ goto out;
+ }
+
+ nbytes = ksmbd_vfs_read(work, fp, length, &offset);
+ if (nbytes < 0) {
+ err = nbytes;
+ goto out;
+ }
+
+ if ((nbytes == 0 && length != 0) || nbytes < mincount) {
+ if (server_conf.flags & KSMBD_GLOBAL_FLAG_CACHE_RBUF)
+ ksmbd_release_buffer(AUX_PAYLOAD(work));
+ else
+ ksmbd_free_response(AUX_PAYLOAD(work));
+ INIT_AUX_PAYLOAD(work);
+ rsp->hdr.Status = STATUS_END_OF_FILE;
+ smb2_set_err_rsp(work);
+ ksmbd_fd_put(work, fp);
+ return 0;
+ }
+
+ ksmbd_debug(SMB, "nbytes %zu, offset %lld mincount %zu\n",
+ nbytes, offset, mincount);
+
+ if (req->Channel == SMB2_CHANNEL_RDMA_V1_INVALIDATE ||
+ req->Channel == SMB2_CHANNEL_RDMA_V1) {
+ /* write data to the client using rdma channel */
+ remain_bytes = smb2_read_rdma_channel(work, req,
+ AUX_PAYLOAD(work), nbytes);
+ if (server_conf.flags & KSMBD_GLOBAL_FLAG_CACHE_RBUF)
+ ksmbd_release_buffer(AUX_PAYLOAD(work));
+ else
+ ksmbd_free_response(AUX_PAYLOAD(work));
+ INIT_AUX_PAYLOAD(work);
+
+ nbytes = 0;
+ if (remain_bytes < 0) {
+ err = (int)remain_bytes;
+ goto out;
+ }
+ }
+
+ rsp->StructureSize = cpu_to_le16(17);
+ rsp->DataOffset = 80;
+ rsp->Reserved = 0;
+ rsp->DataLength = cpu_to_le32(nbytes);
+ rsp->DataRemaining = cpu_to_le32(remain_bytes);
+ rsp->Reserved2 = 0;
+ inc_rfc1001_len(rsp_org, 16);
+ work->resp_hdr_sz = get_rfc1002_len(rsp_org) + 4;
+ work->aux_payload_sz = nbytes;
+ inc_rfc1001_len(rsp_org, nbytes);
+ ksmbd_fd_put(work, fp);
+ return 0;
+
+out:
+ if (err) {
+ if (err == -EISDIR)
+ rsp->hdr.Status = STATUS_INVALID_DEVICE_REQUEST;
+ else if (err == -EAGAIN)
+ rsp->hdr.Status = STATUS_FILE_LOCK_CONFLICT;
+ else if (err == -ENOENT)
+ rsp->hdr.Status = STATUS_FILE_CLOSED;
+ else if (err == -EACCES)
+ rsp->hdr.Status = STATUS_ACCESS_DENIED;
+ else if (err == -ESHARE)
+ rsp->hdr.Status = STATUS_SHARING_VIOLATION;
+ else if (err == -EINVAL)
+ rsp->hdr.Status = STATUS_INVALID_PARAMETER;
+ else
+ rsp->hdr.Status = STATUS_INVALID_HANDLE;
+
+ smb2_set_err_rsp(work);
+ }
+ ksmbd_fd_put(work, fp);
+ return err;
+}
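Review bot: in smb2_read() the allocation-failure path does "err = nbytes;" while nbytes is still 0, so a failed ksmbd_find_buffer() or ksmbd_alloc_response() falls into out: with err == 0, skips the status mapping and returns success with no payload; this should be err = -ENOMEM. The access test "fp->daccess & (FILE_READ_DATA_LE | FILE_READ_ATTRIBUTES_LE)" also passes for a handle opened with read-attributes only, which looks broader than intended for a data read. Minor: the "limiting read size" debug message precedes a hard -EINVAL, not a clamp.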
+
+/**
+ * smb2_write_pipe() - handler for smb2 write on IPC pipe
+ * @work: smb work containing write IPC pipe command buffer
+ *
+ * Return: 0 on success, otherwise error
+ */
+static noinline int smb2_write_pipe(struct ksmbd_work *work)
+{
+ struct smb2_write_req *req = REQUEST_BUF(work);
+ struct smb2_write_rsp *rsp = RESPONSE_BUF(work);
+ struct ksmbd_rpc_command *rpc_resp;
+ uint64_t id = 0;
+ int err = 0, ret = 0;
+ char *data_buf;
+ size_t length;
+
+ length = le32_to_cpu(req->Length);
+ id = le64_to_cpu(req->VolatileFileId);
+
+ if (le16_to_cpu(req->DataOffset) ==
+ (offsetof(struct smb2_write_req, Buffer) - 4)) {
+ data_buf = (char *)&req->Buffer[0];
+ } else {
+ if ((le16_to_cpu(req->DataOffset) > get_rfc1002_len(req)) ||
+ (le16_to_cpu(req->DataOffset) +
+ length > get_rfc1002_len(req))) {
+ ksmbd_err("invalid write data offset %u, smb_len %u\n",
+ le16_to_cpu(req->DataOffset),
+ get_rfc1002_len(req));
+ err = -EINVAL;
+ goto out;
+ }
+
+ data_buf = (char *)(((char *)&req->hdr.ProtocolId) +
+ le16_to_cpu(req->DataOffset));
+ }
+
+ rpc_resp = ksmbd_rpc_write(work->sess, id, data_buf, length);
+ if (rpc_resp) {
+ if (rpc_resp->flags == KSMBD_RPC_ENOTIMPLEMENTED) {
+ rsp->hdr.Status = STATUS_NOT_SUPPORTED;
+ ksmbd_free(rpc_resp);
+ smb2_set_err_rsp(work);
+ return -EOPNOTSUPP;
+ }
+ if (rpc_resp->flags != KSMBD_RPC_OK) {
+ rsp->hdr.Status = STATUS_INVALID_HANDLE;
+ smb2_set_err_rsp(work);
+ ksmbd_free(rpc_resp);
+ return ret;
+ }
+ ksmbd_free(rpc_resp);
+ }
+
+ rsp->StructureSize = cpu_to_le16(17);
+ rsp->DataOffset = 0;
+ rsp->Reserved = 0;
+ rsp->DataLength = cpu_to_le32(length);
+ rsp->DataRemaining = 0;
+ rsp->Reserved2 = 0;
+ inc_rfc1001_len(rsp, 16);
+ return 0;
+out:
+ if (err) {
+ rsp->hdr.Status = STATUS_INVALID_HANDLE;
+ smb2_set_err_rsp(work);
+ }
+
+ return err;
+}
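Review bot: in smb2_write_pipe() the branch taken when DataOffset equals offsetof(struct smb2_write_req, Buffer) - 4 never compares length with get_rfc1002_len(req); only the else branch bounds DataOffset + length. A request with the default offset and an oversized Length therefore lets ksmbd_rpc_write() read past the received buffer, so the bounds check should cover both branches. Also, the "rpc_resp->flags != KSMBD_RPC_OK" path returns ret, which is never assigned anything but 0, so the caller sees success after an error status was set.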
+
+static ssize_t smb2_write_rdma_channel(struct ksmbd_work *work,
+ struct smb2_write_req *req, struct ksmbd_file *fp,
+ loff_t offset, size_t length, bool sync)
+{
+ struct smb2_buffer_desc_v1 *desc;
+ char *data_buf;
+ int ret;
+ ssize_t nbytes;
+
+ desc = (struct smb2_buffer_desc_v1 *)&req->Buffer[0];
+
+ if (work->conn->dialect == SMB30_PROT_ID &&
+ req->Channel != SMB2_CHANNEL_RDMA_V1)
+ return -EINVAL;
+
+ if (req->Length != 0 || req->DataOffset != 0)
+ return -EINVAL;
+
+ if (req->WriteChannelInfoOffset == 0
+ || le16_to_cpu(req->WriteChannelInfoLength) < sizeof(*desc))
+ return -EINVAL;
+
+ work->need_invalidate_rkey =
+ (req->Channel == SMB2_CHANNEL_RDMA_V1_INVALIDATE);
+ work->remote_key = le32_to_cpu(desc->token);
+
+ data_buf = ksmbd_alloc_response(length);
+ if (!data_buf)
+ return -ENOMEM;
+
+ ret = ksmbd_conn_rdma_read(work->conn, data_buf, length,
+ le32_to_cpu(desc->token),
+ le64_to_cpu(desc->offset),
+ le32_to_cpu(desc->length));
+
+ if (ret < 0) {
+ ksmbd_free_response(data_buf);
+ return ret;
+ }
+
+ ret = ksmbd_vfs_write(work, fp, data_buf, length, &offset,
+ sync, &nbytes);
+
+ ksmbd_free_response(data_buf);
+ if (ret < 0)
+ return ret;
+
+ return nbytes;
+}
+
+/**
+ * smb2_write() - handler for smb2 write from file
+ * @work: smb work containing write command buffer
+ *
+ * Return: 0 on success, otherwise error
+ */
+int smb2_write(struct ksmbd_work *work)
+{
+ struct smb2_write_req *req;
+ struct smb2_write_rsp *rsp, *rsp_org;
+ struct ksmbd_file *fp = NULL;
+ loff_t offset;
+ size_t length;
+ ssize_t nbytes;
+ char *data_buf;
+ bool writethrough = false;
+ int err = 0;
+
+ rsp_org = RESPONSE_BUF(work);
+ WORK_BUFFERS(work, req, rsp);
+
+ if (test_share_config_flag(work->tcon->share_conf,
+ KSMBD_SHARE_FLAG_PIPE)) {
+ ksmbd_debug(SMB, "IPC pipe write request\n");
+ return smb2_write_pipe(work);
+ }
+
+ if (!test_tree_conn_flag(work->tcon, KSMBD_TREE_CONN_FLAG_WRITABLE)) {
+ ksmbd_debug(SMB, "User does not have write permission\n");
+ err = -EACCES;
+ goto out;
+ }
+
+ fp = ksmbd_lookup_fd_slow(work,
+ le64_to_cpu(req->VolatileFileId),
+ le64_to_cpu(req->PersistentFileId));
+ if (!fp) {
+ rsp->hdr.Status = STATUS_FILE_CLOSED;
+ return -ENOENT;
+ }
+
+ if (!(fp->daccess & (FILE_WRITE_DATA_LE | FILE_READ_ATTRIBUTES_LE))) {
+ ksmbd_err("Not permitted to write : 0x%x\n", fp->daccess);
+ err = -EACCES;
+ goto out;
+ }
+
+ offset = le64_to_cpu(req->Offset);
+ length = le32_to_cpu(req->Length);
+
+ if (length > work->conn->vals->max_write_size) {
+ ksmbd_debug(SMB, "limiting write size to max size(%u)\n",
+ work->conn->vals->max_write_size);
+ err = -EINVAL;
+ goto out;
+ }
+
+ if (le32_to_cpu(req->Flags) & SMB2_WRITEFLAG_WRITE_THROUGH)
+ writethrough = true;
+
+ if (req->Channel != SMB2_CHANNEL_RDMA_V1 &&
+ req->Channel != SMB2_CHANNEL_RDMA_V1_INVALIDATE) {
+
+ if (le16_to_cpu(req->DataOffset) ==
+ (offsetof(struct smb2_write_req, Buffer) - 4)) {
+ data_buf = (char *)&req->Buffer[0];
+ } else {
+ if ((le16_to_cpu(req->DataOffset) >
+ get_rfc1002_len(req)) ||
+ (le16_to_cpu(req->DataOffset) +
+ length > get_rfc1002_len(req))) {
+ ksmbd_err("invalid write data offset %u, smb_len %u\n",
+ le16_to_cpu(req->DataOffset),
+ get_rfc1002_len(req));
+ err = -EINVAL;
+ goto out;
+ }
+
+ data_buf = (char *)(((char *)&req->hdr.ProtocolId) +
+ le16_to_cpu(req->DataOffset));
+ }
+
+ ksmbd_debug(SMB, "flags %u\n", le32_to_cpu(req->Flags));
+ if (le32_to_cpu(req->Flags) & SMB2_WRITEFLAG_WRITE_THROUGH)
+ writethrough = true;
+
+ ksmbd_debug(SMB, "filename %s, offset %lld, len %zu\n",
+ FP_FILENAME(fp), offset, length);
+ err = ksmbd_vfs_write(work, fp, data_buf, length, &offset,
+ writethrough, &nbytes);
+ if (err < 0)
+ goto out;
+ } else {
+ /* read data from the client using rdma channel, and
+ * write the data.
+ */
+ nbytes = smb2_write_rdma_channel(work, req, fp, offset,
+ le32_to_cpu(req->RemainingBytes),
+ writethrough);
+ if (nbytes < 0) {
+ err = (int)nbytes;
+ goto out;
+ }
+ }
+
+ rsp->StructureSize = cpu_to_le16(17);
+ rsp->DataOffset = 0;
+ rsp->Reserved = 0;
+ rsp->DataLength = cpu_to_le32(nbytes);
+ rsp->DataRemaining = 0;
+ rsp->Reserved2 = 0;
+ inc_rfc1001_len(rsp_org, 16);
+ ksmbd_fd_put(work, fp);
+ return 0;
+
+out:
+ if (err == -EAGAIN)
+ rsp->hdr.Status = STATUS_FILE_LOCK_CONFLICT;
+ else if (err == -ENOSPC || err == -EFBIG)
+ rsp->hdr.Status = STATUS_DISK_FULL;
+ else if (err == -ENOENT)
+ rsp->hdr.Status = STATUS_FILE_CLOSED;
+ else if (err == -EACCES)
+ rsp->hdr.Status = STATUS_ACCESS_DENIED;
+ else if (err == -ESHARE)
+ rsp->hdr.Status = STATUS_SHARING_VIOLATION;
+ else if (err == -EINVAL)
+ rsp->hdr.Status = STATUS_INVALID_PARAMETER;
+ else
+ rsp->hdr.Status = STATUS_INVALID_HANDLE;
+
+ smb2_set_err_rsp(work);
+ ksmbd_fd_put(work, fp);
+ return err;
+}
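Review bot: the access test in smb2_write(), "fp->daccess & (FILE_WRITE_DATA_LE | FILE_READ_ATTRIBUTES_LE)", lets a handle opened with read-attributes only pass the write check; it should require FILE_WRITE_DATA_LE (and whatever append right the server supports) and nothing read-only. In the RDMA branch the size handed to smb2_write_rdma_channel() is RemainingBytes, but the max_write_size limit above is applied to req->Length, which that function requires to be 0, so the ksmbd_alloc_response(length) there is sized by an unbounded client value. The non-RDMA shortcut for the default DataOffset has the same missing length bound as smb2_write_pipe(), and the early "goto out" for a read-only tree connection reaches ksmbd_fd_put(work, fp) with fp still NULL.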
+
+/**
+ * smb2_flush() - handler for smb2 flush file - fsync
+ * @work: smb work containing flush command buffer
+ *
+ * Return: 0 on success, otherwise error
+ */
+int smb2_flush(struct ksmbd_work *work)
+{
+ struct smb2_flush_req *req;
+ struct smb2_flush_rsp *rsp, *rsp_org;
+ int err;
+
+ rsp_org = RESPONSE_BUF(work);
+ WORK_BUFFERS(work, req, rsp);
+
+ ksmbd_debug(SMB, "SMB2_FLUSH called for fid %llu\n",
+ le64_to_cpu(req->VolatileFileId));
+
+ err = ksmbd_vfs_fsync(work,
+ le64_to_cpu(req->VolatileFileId),
+ le64_to_cpu(req->PersistentFileId));
+ if (err)
+ goto out;
+
+ rsp->StructureSize = cpu_to_le16(4);
+ rsp->Reserved = 0;
+ inc_rfc1001_len(rsp_org, 4);
+ return 0;
+
+out:
+ if (err) {
+ rsp->hdr.Status = STATUS_INVALID_HANDLE;
+ smb2_set_err_rsp(work);
+ }
+
+ return err;
+}
+
+/**
+ * smb2_cancel() - handler for smb2 cancel command
+ * @work: smb work containing cancel command buffer
+ *
+ * Return: 0 on success, otherwise error
+ */
+int smb2_cancel(struct ksmbd_work *work)
+{
+ struct ksmbd_conn *conn = work->conn;
+ struct smb2_hdr *hdr = REQUEST_BUF(work);
+ struct smb2_hdr *chdr;
+ struct ksmbd_work *cancel_work = NULL;
+ struct list_head *tmp;
+ int canceled = 0;
+ struct list_head *command_list;
+
+ ksmbd_debug(SMB, "smb2 cancel called on mid %llu, async flags 0x%x\n",
+ hdr->MessageId, hdr->Flags);
+
+ if (hdr->Flags & SMB2_FLAGS_ASYNC_COMMAND) {
+ command_list = &conn->async_requests;
+
+ spin_lock(&conn->request_lock);
+ list_for_each(tmp, command_list) {
+ cancel_work = list_entry(tmp, struct ksmbd_work,
+ async_request_entry);
+ chdr = REQUEST_BUF(cancel_work);
+
+ if (cancel_work->async_id !=
+ le64_to_cpu(hdr->Id.AsyncId))
+ continue;
+
+ ksmbd_debug(SMB,
+ "smb2 with AsyncId %llu cancelled command = 0x%x\n",
+ le64_to_cpu(hdr->Id.AsyncId),
+ le16_to_cpu(chdr->Command));
+ canceled = 1;
+ break;
+ }
+ spin_unlock(&conn->request_lock);
+ } else {
+ command_list = &conn->requests;
+
+ spin_lock(&conn->request_lock);
+ list_for_each(tmp, command_list) {
+ cancel_work = list_entry(tmp, struct ksmbd_work,
+ request_entry);
+ chdr = REQUEST_BUF(cancel_work);
+
+ if (chdr->MessageId != hdr->MessageId ||
+ cancel_work == work)
+ continue;
+
+ ksmbd_debug(SMB,
+ "smb2 with mid %llu cancelled command = 0x%x\n",
+ le64_to_cpu(hdr->MessageId),
+ le16_to_cpu(chdr->Command));
+ canceled = 1;
+ break;
+ }
+ spin_unlock(&conn->request_lock);
+ }
+
+ if (canceled) {
+ cancel_work->state = KSMBD_WORK_CANCELLED;
+ if (cancel_work->cancel_fn)
+ cancel_work->cancel_fn(cancel_work->cancel_argv);
+ }
+
+ /* For SMB2_CANCEL command itself send no response*/
+ work->send_no_response = 1;
+ return 0;
+}
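Review bot: smb2_cancel() finds cancel_work under conn->request_lock but dereferences it after spin_unlock(), in "cancel_work->state = KSMBD_WORK_CANCELLED;" and the cancel_fn call. Nothing visible here keeps the target work alive once the lock is dropped, so it can complete and be freed in that window; set the state and capture the callback while still holding the lock, or take a reference on the work. The first ksmbd_debug() also prints hdr->MessageId without le64_to_cpu(), unlike the later messages.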
+
+struct file_lock *smb_flock_init(struct file *f)
+{
+ struct file_lock *fl;
+
+ fl = locks_alloc_lock();
+ if (!fl)
+ goto out;
+
+ locks_init_lock(fl);
+
+ fl->fl_owner = f;
+ fl->fl_pid = current->tgid;
+ fl->fl_file = f;
+ fl->fl_flags = FL_POSIX;
+ fl->fl_ops = NULL;
+ fl->fl_lmops = NULL;
+
+out:
+ return fl;
+}
+
+static int smb2_set_flock_flags(struct file_lock *flock, int flags)
+{
+ int cmd = -EINVAL;
+
+ /* Checking for wrong flag combination during lock request*/
+ switch (flags) {
+ case SMB2_LOCKFLAG_SHARED:
+ ksmbd_debug(SMB, "received shared request\n");
+ cmd = F_SETLKW;
+ flock->fl_type = F_RDLCK;
+ flock->fl_flags |= FL_SLEEP;
+ break;
+ case SMB2_LOCKFLAG_EXCLUSIVE:
+ ksmbd_debug(SMB, "received exclusive request\n");
+ cmd = F_SETLKW;
+ flock->fl_type = F_WRLCK;
+ flock->fl_flags |= FL_SLEEP;
+ break;
+ case SMB2_LOCKFLAG_SHARED|SMB2_LOCKFLAG_FAIL_IMMEDIATELY:
+ ksmbd_debug(SMB,
+ "received shared & fail immediately request\n");
+ cmd = F_SETLK;
+ flock->fl_type = F_RDLCK;
+ break;
+ case SMB2_LOCKFLAG_EXCLUSIVE|SMB2_LOCKFLAG_FAIL_IMMEDIATELY:
+ ksmbd_debug(SMB,
+ "received exclusive & fail immediately request\n");
+ cmd = F_SETLK;
+ flock->fl_type = F_WRLCK;
+ break;
+ case SMB2_LOCKFLAG_UNLOCK:
+ ksmbd_debug(SMB, "received unlock request\n");
+ flock->fl_type = F_UNLCK;
+ cmd = 0;
+ break;
+ }
+
+ return cmd;
+}
+
+static struct ksmbd_lock *smb2_lock_init(struct file_lock *flock,
+ unsigned int cmd, int flags, struct list_head *lock_list)
+{
+ struct ksmbd_lock *lock;
+
+ lock = kzalloc(sizeof(struct ksmbd_lock), GFP_KERNEL);
+ if (!lock)
+ return NULL;
+
+ lock->cmd = cmd;
+ lock->fl = flock;
+ lock->start = flock->fl_start;
+ lock->end = flock->fl_end;
+ lock->flags = flags;
+ if (lock->start == lock->end)
+ lock->zero_len = 1;
+ INIT_LIST_HEAD(&lock->llist);
+ INIT_LIST_HEAD(&lock->glist);
+ list_add_tail(&lock->llist, lock_list);
+
+ return lock;
+}
+
+static void smb2_remove_blocked_lock(void **argv)
+{
+ struct file_lock *flock = (struct file_lock *)argv[0];
+
+ ksmbd_vfs_posix_lock_unblock(flock);
+ wake_up(&flock->fl_wait);
+}
+
+static inline bool lock_defer_pending(struct file_lock *fl)
+{
+ /* check pending lock waiters */
+ return waitqueue_active(&fl->fl_wait);
+}
+
+/**
+ * smb2_lock() - handler for smb2 file lock command
+ * @work: smb work containing lock command buffer
+ *
+ * Return: 0 on success, otherwise error
+ */
+int smb2_lock(struct ksmbd_work *work)
+{
+ struct smb2_lock_req *req = REQUEST_BUF(work);
+ struct smb2_lock_rsp *rsp = RESPONSE_BUF(work);
+ struct smb2_lock_element *lock_ele;
+ struct ksmbd_file *fp = NULL;
+ struct file_lock *flock = NULL;
+ struct file *filp = NULL;
+ int lock_count;
+ int flags = 0;
+ int cmd = 0;
+ int err = 0, i;
+ uint64_t lock_length;
+ struct ksmbd_lock *smb_lock = NULL, *cmp_lock, *tmp;
+ int nolock = 0;
+ LIST_HEAD(lock_list);
+ LIST_HEAD(rollback_list);
+ int prior_lock = 0;
+
+ ksmbd_debug(SMB, "Received lock request\n");
+ fp = ksmbd_lookup_fd_slow(work,
+ le64_to_cpu(req->VolatileFileId),
+ le64_to_cpu(req->PersistentFileId));
+ if (!fp) {
+ ksmbd_debug(SMB, "Invalid file id for lock : %llu\n",
+ le64_to_cpu(req->VolatileFileId));
+ rsp->hdr.Status = STATUS_FILE_CLOSED;
+ goto out2;
+ }
+
+ filp = fp->filp;
+ lock_count = le16_to_cpu(req->LockCount);
+ lock_ele = req->locks;
+
+ ksmbd_debug(SMB, "lock count is %d\n", lock_count);
+ if (!lock_count) {
+ rsp->hdr.Status = STATUS_INVALID_PARAMETER;
+ goto out2;
+ }
+
+ for (i = 0; i < lock_count; i++) {
+ flags = le32_to_cpu(lock_ele[i].Flags);
+
+ flock = smb_flock_init(filp);
+ if (!flock) {
+ rsp->hdr.Status = STATUS_LOCK_NOT_GRANTED;
+ goto out;
+ }
+
+ cmd = smb2_set_flock_flags(flock, flags);
+
+ flock->fl_start = le64_to_cpu(lock_ele[i].Offset);
+ if (flock->fl_start > OFFSET_MAX) {
+ ksmbd_err("Invalid lock range requested\n");
+ rsp->hdr.Status = STATUS_INVALID_LOCK_RANGE;
+ goto out;
+ }
+
+ lock_length = le64_to_cpu(lock_ele[i].Length);
+ if (lock_length > 0) {
+ if (lock_length >
+ OFFSET_MAX - flock->fl_start) {
+ ksmbd_debug(SMB,
+ "Invalid lock range requested\n");
+ lock_length = OFFSET_MAX - flock->fl_start;
+ rsp->hdr.Status = STATUS_INVALID_LOCK_RANGE;
+ goto out;
+ }
+ } else
+ lock_length = 0;
+
+ flock->fl_end = flock->fl_start + lock_length;
+
+ if (flock->fl_end < flock->fl_start) {
+ ksmbd_debug(SMB,
+ "the end offset(%llx) is smaller than the start offset(%llx)\n",
+ flock->fl_end, flock->fl_start);
+ rsp->hdr.Status = STATUS_INVALID_LOCK_RANGE;
+ goto out;
+ }
+
+ /* Check conflict locks in one request */
+ list_for_each_entry(cmp_lock, &lock_list, llist) {
+ if (cmp_lock->fl->fl_start <= flock->fl_start &&
+ cmp_lock->fl->fl_end >= flock->fl_end) {
+ if (cmp_lock->fl->fl_type != F_UNLCK &&
+ flock->fl_type != F_UNLCK) {
+ ksmbd_err("conflict two locks in one request\n");
+ rsp->hdr.Status =
+ STATUS_INVALID_PARAMETER;
+ goto out;
+ }
+ }
+ }
+
+ smb_lock = smb2_lock_init(flock, cmd, flags, &lock_list);
+ if (!smb_lock) {
+ rsp->hdr.Status = STATUS_INVALID_PARAMETER;
+ goto out;
+ }
+ }
+
+ list_for_each_entry_safe(smb_lock, tmp, &lock_list, llist) {
+ if (smb_lock->cmd < 0) {
+ rsp->hdr.Status = STATUS_INVALID_PARAMETER;
+ goto out;
+ }
+
+ if (!(smb_lock->flags & SMB2_LOCKFLAG_MASK)) {
+ rsp->hdr.Status = STATUS_INVALID_PARAMETER;
+ goto out;
+ }
+
+ if ((prior_lock & (SMB2_LOCKFLAG_EXCLUSIVE |
+ SMB2_LOCKFLAG_SHARED) &&
+ smb_lock->flags & SMB2_LOCKFLAG_UNLOCK) ||
+ (prior_lock == SMB2_LOCKFLAG_UNLOCK &&
+ !(smb_lock->flags & SMB2_LOCKFLAG_UNLOCK))) {
+ rsp->hdr.Status = STATUS_INVALID_PARAMETER;
+ goto out;
+ }
+
+ prior_lock = smb_lock->flags;
+
+ if (!(smb_lock->flags & SMB2_LOCKFLAG_UNLOCK) &&
+ !(smb_lock->flags & SMB2_LOCKFLAG_FAIL_IMMEDIATELY))
+ goto no_check_gl;
+
+ nolock = 1;
+ /* check locks in global list */
+ list_for_each_entry(cmp_lock, &global_lock_list, glist) {
+ if (file_inode(cmp_lock->fl->fl_file) !=
+ file_inode(smb_lock->fl->fl_file))
+ continue;
+
+ if (smb_lock->fl->fl_type == F_UNLCK) {
+ if (cmp_lock->fl->fl_file ==
+ smb_lock->fl->fl_file &&
+ cmp_lock->start == smb_lock->start &&
+ cmp_lock->end == smb_lock->end &&
+ !lock_defer_pending(cmp_lock->fl)) {
+ nolock = 0;
+ locks_free_lock(cmp_lock->fl);
+ list_del(&cmp_lock->glist);
+ kfree(cmp_lock);
+ break;
+ }
+ continue;
+ }
+
+ if (cmp_lock->fl->fl_file == smb_lock->fl->fl_file) {
+ if (smb_lock->flags & SMB2_LOCKFLAG_SHARED)
+ continue;
+ } else {
+ if (cmp_lock->flags & SMB2_LOCKFLAG_SHARED)
+ continue;
+ }
+
+ /* check zero byte lock range */
+ if (cmp_lock->zero_len && !smb_lock->zero_len &&
+ cmp_lock->start > smb_lock->start &&
+ cmp_lock->start < smb_lock->end) {
+ ksmbd_err("previous lock conflict with zero byte lock range\n");
+ rsp->hdr.Status = STATUS_LOCK_NOT_GRANTED;
+ goto out;
+ }
+
+ if (smb_lock->zero_len && !cmp_lock->zero_len &&
+ smb_lock->start > cmp_lock->start &&
+ smb_lock->start < cmp_lock->end) {
+ ksmbd_err("current lock conflict with zero byte lock range\n");
+ rsp->hdr.Status = STATUS_LOCK_NOT_GRANTED;
+ goto out;
+ }
+
+ if (((cmp_lock->start <= smb_lock->start &&
+ cmp_lock->end > smb_lock->start) ||
+ (cmp_lock->start < smb_lock->end &&
+ cmp_lock->end >= smb_lock->end)) &&
+ !cmp_lock->zero_len && !smb_lock->zero_len) {
+ ksmbd_err("Not allow lock operation on exclusive lock range\n");
+ rsp->hdr.Status =
+ STATUS_LOCK_NOT_GRANTED;
+ goto out;
+ }
+ }
+
+ if (smb_lock->fl->fl_type == F_UNLCK && nolock) {
+ ksmbd_err("Try to unlock nolocked range\n");
+ rsp->hdr.Status = STATUS_RANGE_NOT_LOCKED;
+ goto out;
+ }
+
+no_check_gl:
+ if (smb_lock->zero_len) {
+ err = 0;
+ goto skip;
+ }
+
+ flock = smb_lock->fl;
+ list_del(&smb_lock->llist);
+retry:
+ err = ksmbd_vfs_lock(filp, smb_lock->cmd, flock);
+skip:
+ if (flags & SMB2_LOCKFLAG_UNLOCK) {
+ if (!err)
+ ksmbd_debug(SMB, "File unlocked\n");
+ else if (err == -ENOENT) {
+ rsp->hdr.Status = STATUS_NOT_LOCKED;
+ goto out;
+ }
+ locks_free_lock(flock);
+ kfree(smb_lock);
+ } else {
+ if (err == FILE_LOCK_DEFERRED) {
+ void **argv;
+
+ ksmbd_debug(SMB,
+ "would have to wait for getting lock\n");
+ list_add_tail(&smb_lock->glist,
+ &global_lock_list);
+ list_add(&smb_lock->llist, &rollback_list);
+
+ argv = kmalloc(sizeof(void *), GFP_KERNEL);
+ if (!argv) {
+ err = -ENOMEM;
+ goto out;
+ }
+ argv[0] = flock;
+
+ err = setup_async_work(work,
+ smb2_remove_blocked_lock, argv);
+ if (err) {
+ rsp->hdr.Status =
+ STATUS_INSUFFICIENT_RESOURCES;
+ goto out;
+ }
+ spin_lock(&fp->f_lock);
+ list_add(&work->fp_entry, &fp->blocked_works);
+ spin_unlock(&fp->f_lock);
+
+ smb2_send_interim_resp(work, STATUS_PENDING);
+
+ err = ksmbd_vfs_posix_lock_wait(flock);
+
+ if (!WORK_ACTIVE(work)) {
+ list_del(&smb_lock->llist);
+ list_del(&smb_lock->glist);
+ locks_free_lock(flock);
+
+ if (WORK_CANCELLED(work)) {
+ spin_lock(&fp->f_lock);
+ list_del(&work->fp_entry);
+ spin_unlock(&fp->f_lock);
+ rsp->hdr.Status =
+ STATUS_CANCELLED;
+ kfree(smb_lock);
+ smb2_send_interim_resp(work,
+ STATUS_CANCELLED);
+ work->send_no_response = 1;
+ goto out;
+ }
+ init_smb2_rsp_hdr(work);
+ smb2_set_err_rsp(work);
+ rsp->hdr.Status =
+ STATUS_RANGE_NOT_LOCKED;
+ kfree(smb_lock);
+ goto out2;
+ }
+
+ list_del(&smb_lock->llist);
+ list_del(&smb_lock->glist);
+ spin_lock(&fp->f_lock);
+ list_del(&work->fp_entry);
+ spin_unlock(&fp->f_lock);
+ goto retry;
+ } else if (!err) {
+ list_add_tail(&smb_lock->glist,
+ &global_lock_list);
+ list_add(&smb_lock->llist, &rollback_list);
+ ksmbd_debug(SMB, "successful in taking lock\n");
+ } else {
+ rsp->hdr.Status = STATUS_LOCK_NOT_GRANTED;
+ goto out;
+ }
+ }
+ }
+
+ if (atomic_read(&fp->f_ci->op_count) > 1)
+ smb_break_all_oplock(work, fp);
+
+ rsp->StructureSize = cpu_to_le16(4);
+ ksmbd_debug(SMB, "successful in taking lock\n");
+ rsp->hdr.Status = STATUS_SUCCESS;
+ rsp->Reserved = 0;
+ inc_rfc1001_len(rsp, 4);
+ ksmbd_fd_put(work, fp);
+ return err;
+
+out:
+ list_for_each_entry_safe(smb_lock, tmp, &lock_list, llist) {
+ locks_free_lock(smb_lock->fl);
+ list_del(&smb_lock->llist);
+ kfree(smb_lock);
+ }
+
+ list_for_each_entry_safe(smb_lock, tmp, &rollback_list, llist) {
+ struct file_lock *rlock = NULL;
+
+ rlock = smb_flock_init(filp);
+ rlock->fl_type = F_UNLCK;
+ rlock->fl_start = smb_lock->start;
+ rlock->fl_end = smb_lock->end;
+
+ err = ksmbd_vfs_lock(filp, 0, rlock);
+ if (err)
+ ksmbd_err("rollback unlock fail : %d\n", err);
+ list_del(&smb_lock->llist);
+ list_del(&smb_lock->glist);
+ locks_free_lock(smb_lock->fl);
+ locks_free_lock(rlock);
+ kfree(smb_lock);
+ }
+out2:
+ ksmbd_debug(SMB, "failed in taking lock(flags : %x)\n", flags);
+ smb2_set_err_rsp(work);
+ ksmbd_fd_put(work, fp);
+ return 0;
+}
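Review bot: in the SMB2_LOCKFLAG_UNLOCK branch, an err that is neither 0 nor -ENOENT falls through to locks_free_lock(flock) and kfree(smb_lock), and the request then continues toward STATUS_SUCCESS; add an explicit else that sets a failure status and jumps to out. In the FILE_LOCK_DEFERRED branch, argv is not freed when setup_async_work() returns an error, so unless that helper frees it on failure the allocation leaks; add kfree(argv) before the goto. In the rollback loop under out:, rlock is dereferenced immediately after smb_flock_init(filp) with no NULL check, and the result of ksmbd_vfs_lock() stored in err there is only logged, since out2 returns 0 regardless.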
+
+static int fsctl_copychunk(struct ksmbd_work *work,
+ struct smb2_ioctl_req *req,
+ struct smb2_ioctl_rsp *rsp)
+{
+ struct copychunk_ioctl_req *ci_req;
+ struct copychunk_ioctl_rsp *ci_rsp;
+ struct ksmbd_file *src_fp = NULL, *dst_fp = NULL;
+ struct srv_copychunk *chunks;
+ unsigned int i, chunk_count, chunk_count_written = 0;
+ unsigned int chunk_size_written = 0;
+ loff_t total_size_written = 0;
+ int ret, cnt_code;
+
+ cnt_code = le32_to_cpu(req->CntCode);
+ ci_req = (struct copychunk_ioctl_req *)&req->Buffer[0];
+ ci_rsp = (struct copychunk_ioctl_rsp *)&rsp->Buffer[0];
+
+ rsp->VolatileFileId = req->VolatileFileId;
+ rsp->PersistentFileId = req->PersistentFileId;
+ ci_rsp->ChunksWritten = cpu_to_le32(
+ ksmbd_server_side_copy_max_chunk_count());
+ ci_rsp->ChunkBytesWritten = cpu_to_le32(
+ ksmbd_server_side_copy_max_chunk_size());
+ ci_rsp->TotalBytesWritten = cpu_to_le32(
+ ksmbd_server_side_copy_max_total_size());
+
+ chunks = (struct srv_copychunk *)&ci_req->Chunks[0];
+ chunk_count = le32_to_cpu(ci_req->ChunkCount);
+ total_size_written = 0;
+
+ /* verify the SRV_COPYCHUNK_COPY packet */
+ if (chunk_count > ksmbd_server_side_copy_max_chunk_count() ||
+ le32_to_cpu(req->InputCount) <
+ offsetof(struct copychunk_ioctl_req, Chunks) +
+ chunk_count * sizeof(struct srv_copychunk)) {
+ rsp->hdr.Status = STATUS_INVALID_PARAMETER;
+ return -EINVAL;
+ }
+
+ for (i = 0; i < chunk_count; i++) {
+ if (le32_to_cpu(chunks[i].Length) == 0 ||
+ le32_to_cpu(chunks[i].Length) >
+ ksmbd_server_side_copy_max_chunk_size())
+ break;
+ total_size_written += le32_to_cpu(chunks[i].Length);
+ }
+ if (i < chunk_count || total_size_written >
+ ksmbd_server_side_copy_max_total_size()) {
+ rsp->hdr.Status = STATUS_INVALID_PARAMETER;
+ return -EINVAL;
+ }
+
+ src_fp = ksmbd_lookup_foreign_fd(work,
+ le64_to_cpu(ci_req->ResumeKey[0]));
+ dst_fp = ksmbd_lookup_fd_slow(work,
+ le64_to_cpu(req->VolatileFileId),
+ le64_to_cpu(req->PersistentFileId));
+
+ ret = -EINVAL;
+ if (!src_fp || src_fp->persistent_id !=
+ le64_to_cpu(ci_req->ResumeKey[1])) {
+ rsp->hdr.Status = STATUS_OBJECT_NAME_NOT_FOUND;
+ goto out;
+ }
+ if (!dst_fp) {
+ rsp->hdr.Status = STATUS_FILE_CLOSED;
+ goto out;
+ }
+
+ /*
+ * FILE_READ_DATA should only be included in
+ * the FSCTL_COPYCHUNK case
+ */
+ if (cnt_code == FSCTL_COPYCHUNK && !(dst_fp->daccess &
+ (FILE_READ_DATA_LE | FILE_GENERIC_READ_LE))) {
+ rsp->hdr.Status = STATUS_ACCESS_DENIED;
+ goto out;
+ }
+
+ ret = ksmbd_vfs_copy_file_ranges(work, src_fp, dst_fp,
+ chunks, chunk_count,
+ &chunk_count_written, &chunk_size_written,
+ &total_size_written);
+ if (ret < 0) {
+ if (ret == -EACCES)
+ rsp->hdr.Status = STATUS_ACCESS_DENIED;
+ if (ret == -EAGAIN)
+ rsp->hdr.Status = STATUS_FILE_LOCK_CONFLICT;
+ else if (ret == -EBADF)
+ rsp->hdr.Status = STATUS_INVALID_HANDLE;
+ else if (ret == -EFBIG || ret == -ENOSPC)
+ rsp->hdr.Status = STATUS_DISK_FULL;
+ else if (ret == -EINVAL)
+ rsp->hdr.Status = STATUS_INVALID_PARAMETER;
+ else if (ret == -EISDIR)
+ rsp->hdr.Status = STATUS_FILE_IS_A_DIRECTORY;
+ else if (ret == -E2BIG)
+ rsp->hdr.Status = STATUS_INVALID_VIEW_SIZE;
+ else
+ rsp->hdr.Status = STATUS_UNEXPECTED_IO_ERROR;
+ }
+
+ ci_rsp->ChunksWritten = cpu_to_le32(chunk_count_written);
+ ci_rsp->ChunkBytesWritten = cpu_to_le32(chunk_size_written);
+ ci_rsp->TotalBytesWritten = cpu_to_le32(total_size_written);
+out:
+ ksmbd_fd_put(work, src_fp);
+ ksmbd_fd_put(work, dst_fp);
+ return ret;
+}
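Review bot: the errno-to-status chain after ksmbd_vfs_copy_file_ranges() in fsctl_copychunk() is missing an else. `if (ret == -EACCES)` is followed by a separate `if (ret == -EAGAIN) ... else` chain, so for -EACCES the final else overwrites STATUS_ACCESS_DENIED with STATUS_UNEXPECTED_IO_ERROR; make the second test `else if`. Also, ChunkCount is validated against req->InputCount, but nothing in this function validates InputCount against the number of bytes actually received, and the caller in smb2_ioctl() discards the return value. A comment on why both are safe, or a check, would help.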
+
+static __be32 idev_ipv4_address(struct in_device *idev)
+{
+ __be32 addr = 0;
+
+ struct in_ifaddr *ifa;
+
+ rcu_read_lock();
+ in_dev_for_each_ifa_rcu(ifa, idev) {
+ if (ifa->ifa_flags & IFA_F_SECONDARY)
+ continue;
+
+ addr = ifa->ifa_address;
+ break;
+ }
+ rcu_read_unlock();
+ return addr;
+}
+
+static int fsctl_query_iface_info_ioctl(struct ksmbd_conn *conn,
+ struct smb2_ioctl_req *req,
+ struct smb2_ioctl_rsp *rsp)
+{
+ struct network_interface_info_ioctl_rsp *nii_rsp = NULL;
+ int nbytes = 0;
+ struct net_device *netdev;
+ struct sockaddr_storage_rsp *sockaddr_storage;
+ unsigned int flags;
+ unsigned long long speed;
+
+ rtnl_lock();
+ for_each_netdev(&init_net, netdev) {
+ if (unlikely(!netdev)) {
+ rtnl_unlock();
+ return -EINVAL;
+ }
+
+ if (netdev->type == ARPHRD_LOOPBACK)
+ continue;
+
+ flags = dev_get_flags(netdev);
+ if (!(flags & IFF_RUNNING))
+ continue;
+
+ nii_rsp = (struct network_interface_info_ioctl_rsp *)
+ &rsp->Buffer[nbytes];
+ nii_rsp->IfIndex = cpu_to_le32(netdev->ifindex);
+
+ /* TODO: specify the RDMA capabilities */
+ if (netdev->num_tx_queues > 1)
+ nii_rsp->Capability = cpu_to_le32(RSS_CAPABLE);
+ else
+ nii_rsp->Capability = 0;
+
+ nii_rsp->Next = cpu_to_le32(152);
+ nii_rsp->Reserved = 0;
+
+ if (netdev->ethtool_ops->get_link_ksettings) {
+ struct ethtool_link_ksettings cmd;
+
+ netdev->ethtool_ops->get_link_ksettings(netdev, &cmd);
+ speed = cmd.base.speed;
+ } else {
+ ksmbd_err("%s %s %s\n",
+ netdev->name,
+ "speed is unknown,",
+ "defaulting to 1Gb/sec");
+ speed = SPEED_1000;
+ }
+
+ speed *= 1000000;
+ nii_rsp->LinkSpeed = cpu_to_le64(speed);
+
+ sockaddr_storage = (struct sockaddr_storage_rsp *)
+ nii_rsp->SockAddr_Storage;
+ memset(sockaddr_storage, 0, 128);
+
+ if (conn->peer_addr.ss_family == PF_INET) {
+ struct in_device *idev;
+
+ sockaddr_storage->Family = cpu_to_le16(INTERNETWORK);
+ sockaddr_storage->addr4.Port = 0;
+
+ idev = __in_dev_get_rtnl(netdev);
+ if (!idev)
+ continue;
+ sockaddr_storage->addr4.IPv4address =
+ idev_ipv4_address(idev);
+ } else {
+ struct inet6_dev *idev6;
+ struct inet6_ifaddr *ifa;
+ __u8 *ipv6_addr = sockaddr_storage->addr6.IPv6address;
+
+ sockaddr_storage->Family = cpu_to_le16(INTERNETWORKV6);
+ sockaddr_storage->addr6.Port = 0;
+ sockaddr_storage->addr6.FlowInfo = 0;
+
+ idev6 = __in6_dev_get(netdev);
+ if (!idev6)
+ continue;
+
+ list_for_each_entry(ifa, &idev6->addr_list, if_list) {
+ if (ifa->flags & (IFA_F_TENTATIVE |
+ IFA_F_DEPRECATED))
+ continue;
+ memcpy(ipv6_addr, ifa->addr.s6_addr, 16);
+ break;
+ }
+ sockaddr_storage->addr6.ScopeId = 0;
+ }
+
+ nbytes += sizeof(struct network_interface_info_ioctl_rsp);
+ }
+ rtnl_unlock();
+
+ /* zero if this is last one */
+ if (nii_rsp)
+ nii_rsp->Next = 0;
+
+ if (!nbytes) {
+ rsp->hdr.Status = STATUS_BUFFER_TOO_SMALL;
+ return -EINVAL;
+ }
+
+ rsp->PersistentFileId = cpu_to_le64(SMB2_NO_FID);
+ rsp->VolatileFileId = cpu_to_le64(SMB2_NO_FID);
+ return nbytes;
+}
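Review bot: the for_each_netdev() loop in fsctl_query_iface_info_ioctl() writes one network_interface_info_ioctl_rsp per running interface at &rsp->Buffer[nbytes] with no upper bound; the function is not passed out_buf_len or the response buffer size, so the number of interfaces on the host decides how far it writes. Pass the output length in and stop, or fail with STATUS_BUFFER_TOO_SMALL, before an entry would not fit. Separately, the `continue` taken when idev or idev6 is NULL leaves nii_rsp pointing at an entry that was filled but never counted in nbytes, so the trailing `nii_rsp->Next = 0` can clear that uncounted entry and leave the last returned one with Next = 152. The return value of get_link_ksettings() is also ignored before cmd.base.speed is read, and the literals 152 and 128 would be clearer as sizeof() expressions.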
+
+
+static int fsctl_validate_negotiate_info(struct ksmbd_conn *conn,
+ struct validate_negotiate_info_req *neg_req,
+ struct validate_negotiate_info_rsp *neg_rsp)
+{
+ int ret = 0;
+ int dialect;
+
+ dialect = ksmbd_lookup_dialect_by_id(neg_req->Dialects,
+ neg_req->DialectCount);
+ if (dialect == BAD_PROT_ID || dialect != conn->dialect) {
+ ret = -EINVAL;
+ goto err_out;
+ }
+
+ if (strncmp(neg_req->Guid, conn->ClientGUID, SMB2_CLIENT_GUID_SIZE)) {
+ ret = -EINVAL;
+ goto err_out;
+ }
+
+ if (le16_to_cpu(neg_req->SecurityMode) != conn->cli_sec_mode) {
+ ret = -EINVAL;
+ goto err_out;
+ }
+
+ if (le32_to_cpu(neg_req->Capabilities) != conn->cli_cap) {
+ ret = -EINVAL;
+ goto err_out;
+ }
+
+ neg_rsp->Capabilities = cpu_to_le32(conn->vals->capabilities);
+ memset(neg_rsp->Guid, 0, SMB2_CLIENT_GUID_SIZE);
+ neg_rsp->SecurityMode = cpu_to_le16(conn->srv_sec_mode);
+ neg_rsp->Dialect = cpu_to_le16(conn->dialect);
+err_out:
+ return ret;
+}
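Review bot: `strncmp(neg_req->Guid, conn->ClientGUID, SMB2_CLIENT_GUID_SIZE)` in fsctl_validate_negotiate_info() compares a binary GUID as a C string, so the comparison stops at the first zero byte and two GUIDs that are identical up to a shared 0x00 byte are treated as equal; use memcmp(). neg_req->DialectCount is passed to ksmbd_lookup_dialect_by_id() with no conversion, while SecurityMode and Capabilities from the same request go through le16_to_cpu()/le32_to_cpu(); unless the helper converts it, that is an endianness bug. Nothing here checks that the Dialects array implied by DialectCount fits inside the request.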
+
+static int fsctl_query_allocated_ranges(struct ksmbd_work *work, uint64_t id,
+ struct file_allocated_range_buffer *qar_req,
+ struct file_allocated_range_buffer *qar_rsp,
+ int in_count, int *out_count)
+{
+ struct ksmbd_file *fp;
+ loff_t start, length;
+ int ret = 0;
+
+ *out_count = 0;
+ if (in_count == 0)
+ return -EINVAL;
+
+ fp = ksmbd_lookup_fd_fast(work, id);
+ if (!fp)
+ return -ENOENT;
+
+ start = le64_to_cpu(qar_req->file_offset);
+ length = le64_to_cpu(qar_req->length);
+
+ ret = ksmbd_vfs_fqar_lseek(fp, start, length,
+ qar_rsp, in_count, out_count);
+ if (ret && ret != -E2BIG)
+ *out_count = 0;
+
+ ksmbd_fd_put(work, fp);
+ return ret;
+}
+
+static int fsctl_pipe_transceive(struct ksmbd_work *work, uint64_t id,
+ int out_buf_len, struct smb2_ioctl_req *req, struct smb2_ioctl_rsp *rsp)
+{
+ struct ksmbd_rpc_command *rpc_resp;
+ char *data_buf = (char *)&req->Buffer[0];
+ int nbytes = 0;
+
+ rpc_resp = ksmbd_rpc_ioctl(work->sess, id,
+ data_buf,
+ le32_to_cpu(req->InputCount));
+ if (rpc_resp) {
+ if (rpc_resp->flags == KSMBD_RPC_SOME_NOT_MAPPED) {
+ /*
+ * set STATUS_SOME_NOT_MAPPED response
+ * for unknown domain sid.
+ */
+ rsp->hdr.Status = STATUS_SOME_NOT_MAPPED;
+ } else if (rpc_resp->flags == KSMBD_RPC_ENOTIMPLEMENTED) {
+ rsp->hdr.Status = STATUS_NOT_SUPPORTED;
+ goto out;
+ } else if (rpc_resp->flags != KSMBD_RPC_OK) {
+ rsp->hdr.Status = STATUS_INVALID_PARAMETER;
+ goto out;
+ }
+
+ nbytes = rpc_resp->payload_sz;
+ if (rpc_resp->payload_sz > out_buf_len) {
+ rsp->hdr.Status = STATUS_BUFFER_OVERFLOW;
+ nbytes = out_buf_len;
+ }
+
+ if (!rpc_resp->payload_sz) {
+ rsp->hdr.Status =
+ STATUS_UNEXPECTED_IO_ERROR;
+ goto out;
+ }
+
+ memcpy((char *)rsp->Buffer, rpc_resp->payload, nbytes);
+ }
+out:
+ ksmbd_free(rpc_resp);
+ return nbytes;
+}
+
+static inline int fsctl_set_sparse(struct ksmbd_work *work, uint64_t id,
+ struct file_sparse *sparse)
+{
+ struct ksmbd_file *fp;
+ int ret = 0;
+ __le32 old_fattr;
+
+ fp = ksmbd_lookup_fd_fast(work, id);
+ if (!fp)
+ return -ENOENT;
+
+ old_fattr = fp->f_ci->m_fattr;
+ if (sparse->SetSparse)
+ fp->f_ci->m_fattr |= ATTR_SPARSE_FILE_LE;
+ else
+ fp->f_ci->m_fattr &= ~ATTR_SPARSE_FILE_LE;
+
+ if (fp->f_ci->m_fattr != old_fattr &&
+ test_share_config_flag(work->tcon->share_conf,
+ KSMBD_SHARE_FLAG_STORE_DOS_ATTRS)) {
+ struct xattr_dos_attrib da;
+
+ ret = ksmbd_vfs_get_dos_attrib_xattr(fp->filp->f_path.dentry, &da);
+ if (ret <= 0)
+ goto out;
+
+ da.attr = le32_to_cpu(fp->f_ci->m_fattr);
+ ret = ksmbd_vfs_set_dos_attrib_xattr(fp->filp->f_path.dentry, &da);
+ if (ret)
+ fp->f_ci->m_fattr = old_fattr;
+ }
+
+out:
+ ksmbd_fd_put(work, fp);
+ return ret;
+}
+
+static int fsctl_request_resume_key(struct ksmbd_work *work,
+ struct smb2_ioctl_req *req, struct resume_key_ioctl_rsp *key_rsp)
+{
+ struct ksmbd_file *fp;
+
+ fp = ksmbd_lookup_fd_slow(work,
+ le64_to_cpu(req->VolatileFileId),
+ le64_to_cpu(req->PersistentFileId));
+ if (!fp)
+ return -ENOENT;
+
+ memset(key_rsp, 0, sizeof(*key_rsp));
+ key_rsp->ResumeKey[0] = req->VolatileFileId;
+ key_rsp->ResumeKey[1] = req->PersistentFileId;
+ ksmbd_fd_put(work, fp);
+
+ return 0;
+}
+
+/**
+ * smb2_ioctl() - handler for smb2 ioctl command
+ * @work: smb work containing ioctl command buffer
+ *
+ * Return: 0 on success, otherwise error
+ */
+int smb2_ioctl(struct ksmbd_work *work)
+{
+ struct smb2_ioctl_req *req;
+ struct smb2_ioctl_rsp *rsp, *rsp_org;
+ int cnt_code, nbytes = 0;
+ int out_buf_len;
+ uint64_t id = KSMBD_NO_FID;
+ struct ksmbd_conn *conn = work->conn;
+ int ret = 0;
+
+ rsp_org = RESPONSE_BUF(work);
+ if (work->next_smb2_rcv_hdr_off) {
+ req = REQUEST_BUF_NEXT(work);
+ rsp = RESPONSE_BUF_NEXT(work);
+ if (!HAS_FILE_ID(le64_to_cpu(req->VolatileFileId))) {
+ ksmbd_debug(SMB, "Compound request set FID = %u\n",
+ work->compound_fid);
+ id = work->compound_fid;
+ }
+ } else {
+ req = REQUEST_BUF(work);
+ rsp = RESPONSE_BUF(work);
+ }
+
+ if (!HAS_FILE_ID(id))
+ id = le64_to_cpu(req->VolatileFileId);
+
+ if (req->Flags != cpu_to_le32(SMB2_0_IOCTL_IS_FSCTL)) {
+ rsp->hdr.Status = STATUS_NOT_SUPPORTED;
+ goto out;
+ }
+
+ cnt_code = le32_to_cpu(req->CntCode);
+ out_buf_len = le32_to_cpu(req->MaxOutputResponse);
+ out_buf_len = min(KSMBD_IPC_MAX_PAYLOAD, out_buf_len);
+
+ switch (cnt_code) {
+ case FSCTL_DFS_GET_REFERRALS:
+ case FSCTL_DFS_GET_REFERRALS_EX:
+ /* Not support DFS yet */
+ rsp->hdr.Status = STATUS_FS_DRIVER_REQUIRED;
+ goto out;
+ case FSCTL_CREATE_OR_GET_OBJECT_ID:
+ {
+ struct file_object_buf_type1_ioctl_rsp *obj_buf;
+
+ nbytes = sizeof(struct file_object_buf_type1_ioctl_rsp);
+ obj_buf = (struct file_object_buf_type1_ioctl_rsp *)
+ &rsp->Buffer[0];
+
+ /*
+ * TODO: This is dummy implementation to pass smbtorture
+ * Need to check correct response later
+ */
+ memset(obj_buf->ObjectId, 0x0, 16);
+ memset(obj_buf->BirthVolumeId, 0x0, 16);
+ memset(obj_buf->BirthObjectId, 0x0, 16);
+ memset(obj_buf->DomainId, 0x0, 16);
+
+ break;
+ }
+ case FSCTL_PIPE_TRANSCEIVE:
+ nbytes = fsctl_pipe_transceive(work, id, out_buf_len, req, rsp);
+ break;
+ case FSCTL_VALIDATE_NEGOTIATE_INFO:
+ if (conn->dialect < SMB30_PROT_ID) {
+ ret = -EOPNOTSUPP;
+ goto out;
+ }
+
+ ret = fsctl_validate_negotiate_info(conn,
+ (struct validate_negotiate_info_req *)&req->Buffer[0],
+ (struct validate_negotiate_info_rsp *)&rsp->Buffer[0]);
+ if (ret < 0)
+ goto out;
+
+ nbytes = sizeof(struct validate_negotiate_info_rsp);
+ rsp->PersistentFileId = cpu_to_le64(SMB2_NO_FID);
+ rsp->VolatileFileId = cpu_to_le64(SMB2_NO_FID);
+ break;
+ case FSCTL_QUERY_NETWORK_INTERFACE_INFO:
+ nbytes = fsctl_query_iface_info_ioctl(conn, req, rsp);
+ if (nbytes < 0)
+ goto out;
+ break;
+ case FSCTL_REQUEST_RESUME_KEY:
+ if (out_buf_len < sizeof(struct resume_key_ioctl_rsp)) {
+ ret = -EINVAL;
+ goto out;
+ }
+
+ ret = fsctl_request_resume_key(work, req,
+ (struct resume_key_ioctl_rsp *)&rsp->Buffer[0]);
+ if (ret < 0)
+ goto out;
+ rsp->PersistentFileId = req->PersistentFileId;
+ rsp->VolatileFileId = req->VolatileFileId;
+ nbytes = sizeof(struct resume_key_ioctl_rsp);
+ break;
+ case FSCTL_COPYCHUNK:
+ case FSCTL_COPYCHUNK_WRITE:
+ if (!test_tree_conn_flag(work->tcon,
+ KSMBD_TREE_CONN_FLAG_WRITABLE)) {
+ ksmbd_debug(SMB,
+ "User does not have write permission\n");
+ ret = -EACCES;
+ goto out;
+ }
+
+ if (out_buf_len < sizeof(struct copychunk_ioctl_rsp)) {
+ ret = -EINVAL;
+ goto out;
+ }
+
+ nbytes = sizeof(struct copychunk_ioctl_rsp);
+ fsctl_copychunk(work, req, rsp);
+ break;
+ case FSCTL_SET_SPARSE:
+ ret = fsctl_set_sparse(work, id,
+ (struct file_sparse *)&req->Buffer[0]);
+ if (ret < 0)
+ goto out;
+ break;
+ case FSCTL_SET_ZERO_DATA:
+ {
+ struct file_zero_data_information *zero_data;
+ struct ksmbd_file *fp;
+ loff_t off, len;
+
+ if (!test_tree_conn_flag(work->tcon,
+ KSMBD_TREE_CONN_FLAG_WRITABLE)) {
+ ksmbd_debug(SMB,
+ "User does not have write permission\n");
+ ret = -EACCES;
+ goto out;
+ }
+
+ zero_data =
+ (struct file_zero_data_information *)&req->Buffer[0];
+
+ fp = ksmbd_lookup_fd_fast(work, id);
+ if (!fp) {
+ ret = -ENOENT;
+ goto out;
+ }
+
+ off = le64_to_cpu(zero_data->FileOffset);
+ len = le64_to_cpu(zero_data->BeyondFinalZero) - off;
+
+ ret = ksmbd_vfs_zero_data(work, fp, off, len);
+ ksmbd_fd_put(work, fp);
+ if (ret < 0)
+ goto out;
+ break;
+ }
+ case FSCTL_QUERY_ALLOCATED_RANGES:
+ ret = fsctl_query_allocated_ranges(work, id,
+ (struct file_allocated_range_buffer *)&req->Buffer[0],
+ (struct file_allocated_range_buffer *)&rsp->Buffer[0],
+ out_buf_len /
+ sizeof(struct file_allocated_range_buffer), &nbytes);
+ if (ret == -E2BIG) {
+ rsp->hdr.Status = STATUS_BUFFER_OVERFLOW;
+ } else if (ret < 0) {
+ nbytes = 0;
+ goto out;
+ }
+
+ nbytes *= sizeof(struct file_allocated_range_buffer);
+ break;
+ case FSCTL_GET_REPARSE_POINT:
+ {
+ struct reparse_data_buffer *reparse_ptr;
+ struct ksmbd_file *fp;
+
+ reparse_ptr = (struct reparse_data_buffer *)&rsp->Buffer[0];
+ fp = ksmbd_lookup_fd_fast(work, id);
+ if (!fp) {
+ ksmbd_err("not found fp!!\n");
+ ret = -ENOENT;
+ goto out;
+ }
+
+ reparse_ptr->ReparseTag =
+ smb2_get_reparse_tag_special_file(FP_INODE(fp)->i_mode);
+ reparse_ptr->ReparseDataLength = 0;
+ ksmbd_fd_put(work, fp);
+ nbytes = sizeof(struct reparse_data_buffer);
+ break;
+ }
+ default:
+ ksmbd_debug(SMB, "not implemented yet ioctl command 0x%x\n",
+ cnt_code);
+ ret = -EOPNOTSUPP;
+ goto out;
+ }
+
+ rsp->CntCode = cpu_to_le32(cnt_code);
+ rsp->InputCount = cpu_to_le32(0);
+ rsp->InputOffset = cpu_to_le32(112);
+ rsp->OutputOffset = cpu_to_le32(112);
+ rsp->OutputCount = cpu_to_le32(nbytes);
+ rsp->StructureSize = cpu_to_le16(49);
+ rsp->Reserved = cpu_to_le16(0);
+ rsp->Flags = cpu_to_le32(0);
+ rsp->Reserved2 = cpu_to_le32(0);
+ inc_rfc1001_len(rsp_org, 48 + nbytes);
+
+ return 0;
+
+out:
+ if (ret == -EACCES)
+ rsp->hdr.Status = STATUS_ACCESS_DENIED;
+ else if (ret == -ENOENT)
+ rsp->hdr.Status = STATUS_OBJECT_NAME_NOT_FOUND;
+ else if (ret == -EOPNOTSUPP)
+ rsp->hdr.Status = STATUS_NOT_SUPPORTED;
+ else if (ret < 0 || rsp->hdr.Status == 0)
+ rsp->hdr.Status = STATUS_INVALID_PARAMETER;
+ smb2_set_err_rsp(work);
+ return 0;
+}
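Review bot: in smb2_ioctl(), &req->Buffer[0] is cast to validate_negotiate_info_req, file_sparse, file_zero_data_information and file_allocated_range_buffer without first checking req->InputCount against the size of those structures, so a short request lets the handlers read fields the client never sent; add a minimum InputCount check per FSCTL before each cast. The output side is uneven as well: FSCTL_REQUEST_RESUME_KEY and FSCTL_COPYCHUNK test out_buf_len, but FSCTL_CREATE_OR_GET_OBJECT_ID, FSCTL_VALIDATE_NEGOTIATE_INFO and FSCTL_GET_REPARSE_POINT fill rsp->Buffer without looking at it. In FSCTL_SET_ZERO_DATA, `len = le64_to_cpu(zero_data->BeyondFinalZero) - off;` is computed with no check that off is non-negative and not greater than BeyondFinalZero. out_buf_len is an int loaded from the 32-bit MaxOutputResponse and then compared against sizeof() values; an unsigned type would make those comparisons mean what they appear to.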
+
+/**
+ * smb20_oplock_break_ack() - handler for smb2.0 oplock break command
+ * @work: smb work containing oplock break command buffer
+ *
+ * Return: 0
+ */
+static void smb20_oplock_break_ack(struct ksmbd_work *work)
+{
+ struct smb2_oplock_break *req = REQUEST_BUF(work);
+ struct smb2_oplock_break *rsp = RESPONSE_BUF(work);
+ struct ksmbd_file *fp;
+ struct oplock_info *opinfo = NULL;
+ __le32 err = 0;
+ int ret = 0;
+ uint64_t volatile_id, persistent_id;
+ char req_oplevel = 0, rsp_oplevel = 0;
+ unsigned int oplock_change_type;
+
+ volatile_id = le64_to_cpu(req->VolatileFid);
+ persistent_id = le64_to_cpu(req->PersistentFid);
+ req_oplevel = req->OplockLevel;
+ ksmbd_debug(OPLOCK, "v_id %llu, p_id %llu request oplock level %d\n",
+ volatile_id, persistent_id, req_oplevel);
+
+ fp = ksmbd_lookup_fd_slow(work, volatile_id, persistent_id);
+ if (!fp) {
+ rsp->hdr.Status = STATUS_FILE_CLOSED;
+ smb2_set_err_rsp(work);
+ return;
+ }
+
+ opinfo = opinfo_get(fp);
+ if (!opinfo) {
+ ksmbd_err("unexpected null oplock_info\n");
+ rsp->hdr.Status = STATUS_INVALID_OPLOCK_PROTOCOL;
+ smb2_set_err_rsp(work);
+ ksmbd_fd_put(work, fp);
+ return;
+ }
+
+ if (opinfo->level == SMB2_OPLOCK_LEVEL_NONE) {
+ rsp->hdr.Status = STATUS_INVALID_OPLOCK_PROTOCOL;
+ goto err_out;
+ }
+
+ if (opinfo->op_state == OPLOCK_STATE_NONE) {
+ ksmbd_debug(SMB, "unexpected oplock state 0x%x\n", opinfo->op_state);
+ rsp->hdr.Status = STATUS_UNSUCCESSFUL;
+ goto err_out;
+ }
+
+ if (((opinfo->level == SMB2_OPLOCK_LEVEL_EXCLUSIVE) ||
+ (opinfo->level == SMB2_OPLOCK_LEVEL_BATCH)) &&
+ ((req_oplevel != SMB2_OPLOCK_LEVEL_II) &&
+ (req_oplevel != SMB2_OPLOCK_LEVEL_NONE))) {
+ err = STATUS_INVALID_OPLOCK_PROTOCOL;
+ oplock_change_type = OPLOCK_WRITE_TO_NONE;
+ } else if ((opinfo->level == SMB2_OPLOCK_LEVEL_II) &&
+ (req_oplevel != SMB2_OPLOCK_LEVEL_NONE)) {
+ err = STATUS_INVALID_OPLOCK_PROTOCOL;
+ oplock_change_type = OPLOCK_READ_TO_NONE;
+ } else if ((req_oplevel == SMB2_OPLOCK_LEVEL_II) ||
+ (req_oplevel == SMB2_OPLOCK_LEVEL_NONE)) {
+ err = STATUS_INVALID_DEVICE_STATE;
+ if (((opinfo->level == SMB2_OPLOCK_LEVEL_EXCLUSIVE) ||
+ (opinfo->level == SMB2_OPLOCK_LEVEL_BATCH)) &&
+ (req_oplevel == SMB2_OPLOCK_LEVEL_II)) {
+ oplock_change_type = OPLOCK_WRITE_TO_READ;
+ } else if (((opinfo->level == SMB2_OPLOCK_LEVEL_EXCLUSIVE)
+ || (opinfo->level == SMB2_OPLOCK_LEVEL_BATCH)) &&
+ (req_oplevel == SMB2_OPLOCK_LEVEL_NONE)) {
+ oplock_change_type = OPLOCK_WRITE_TO_NONE;
+ } else if ((opinfo->level == SMB2_OPLOCK_LEVEL_II) &&
+ (req_oplevel == SMB2_OPLOCK_LEVEL_NONE)) {
+ oplock_change_type = OPLOCK_READ_TO_NONE;
+ } else
+ oplock_change_type = 0;
+ } else
+ oplock_change_type = 0;
+
+ switch (oplock_change_type) {
+ case OPLOCK_WRITE_TO_READ:
+ ret = opinfo_write_to_read(opinfo);
+ rsp_oplevel = SMB2_OPLOCK_LEVEL_II;
+ break;
+ case OPLOCK_WRITE_TO_NONE:
+ ret = opinfo_write_to_none(opinfo);
+ rsp_oplevel = SMB2_OPLOCK_LEVEL_NONE;
+ break;
+ case OPLOCK_READ_TO_NONE:
+ ret = opinfo_read_to_none(opinfo);
+ rsp_oplevel = SMB2_OPLOCK_LEVEL_NONE;
+ break;
+ default:
+ ksmbd_err("unknown oplock change 0x%x -> 0x%x\n",
+ opinfo->level, rsp_oplevel);
+ }
+
+ if (ret < 0) {
+ rsp->hdr.Status = err;
+ goto err_out;
+ }
+
+ opinfo_put(opinfo);
+ ksmbd_fd_put(work, fp);
+ opinfo->op_state = OPLOCK_STATE_NONE;
+ wake_up_interruptible_all(&opinfo->oplock_q);
+
+ rsp->StructureSize = cpu_to_le16(24);
+ rsp->OplockLevel = rsp_oplevel;
+ rsp->Reserved = 0;
+ rsp->Reserved2 = 0;
+ rsp->VolatileFid = cpu_to_le64(volatile_id);
+ rsp->PersistentFid = cpu_to_le64(persistent_id);
+ inc_rfc1001_len(rsp, 24);
+ return;
+
+err_out:
+ opinfo->op_state = OPLOCK_STATE_NONE;
+ wake_up_interruptible_all(&opinfo->oplock_q);
+
+ opinfo_put(opinfo);
+ ksmbd_fd_put(work, fp);
+ smb2_set_err_rsp(work);
+}
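Review bot: on the success path of smb20_oplock_break_ack(), opinfo is still used after its reference is dropped: `opinfo_put(opinfo);` is followed by `opinfo->op_state = OPLOCK_STATE_NONE;` and `wake_up_interruptible_all(&opinfo->oplock_q);`. The err_out path does these in the safe order (state, wake-up, then put); use the same order here. Minor: the default case of the switch logs rsp_oplevel, which is still 0 at that point, where req_oplevel looks intended, and the kernel-doc says "Return: 0" for a void function.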
+
+static int check_lease_state(struct lease *lease, __le32 req_state)
+{
+ if ((lease->new_state ==
+ (SMB2_LEASE_READ_CACHING_LE | SMB2_LEASE_HANDLE_CACHING_LE))
+ && !(req_state & SMB2_LEASE_WRITE_CACHING_LE)) {
+ lease->new_state = req_state;
+ return 0;
+ }
+
+ if (lease->new_state == req_state)
+ return 0;
+
+ return 1;
+}
+
+/**
+ * smb21_lease_break_ack() - handler for smb2.1 lease break command
+ * @work: smb work containing lease break command buffer
+ *
+ * Return: 0
+ */
+static void smb21_lease_break_ack(struct ksmbd_work *work)
+{
+ struct ksmbd_conn *conn = work->conn;
+ struct smb2_lease_ack *req = REQUEST_BUF(work);
+ struct smb2_lease_ack *rsp = RESPONSE_BUF(work);
+ struct oplock_info *opinfo;
+ __le32 err = 0;
+ int ret = 0;
+ unsigned int lease_change_type;
+ __le32 lease_state;
+ struct lease *lease;
+
+ ksmbd_debug(OPLOCK, "smb21 lease break, lease state(0x%x)\n",
+ le32_to_cpu(req->LeaseState));
+ opinfo = lookup_lease_in_table(conn, req->LeaseKey);
+ if (!opinfo) {
+ ksmbd_debug(OPLOCK, "file not opened\n");
+ smb2_set_err_rsp(work);
+ rsp->hdr.Status = STATUS_UNSUCCESSFUL;
+ return;
+ }
+ lease = opinfo->o_lease;
+
+ if (opinfo->op_state == OPLOCK_STATE_NONE) {
+ ksmbd_err("unexpected lease break state 0x%x\n",
+ opinfo->op_state);
+ rsp->hdr.Status = STATUS_UNSUCCESSFUL;
+ goto err_out;
+ }
+
+ if (check_lease_state(lease, req->LeaseState)) {
+ rsp->hdr.Status = STATUS_REQUEST_NOT_ACCEPTED;
+ ksmbd_debug(OPLOCK,
+ "req lease state: 0x%x, expected state: 0x%x\n",
+ req->LeaseState, lease->new_state);
+ goto err_out;
+ }
+
+ if (!atomic_read(&opinfo->breaking_cnt)) {
+ rsp->hdr.Status = STATUS_UNSUCCESSFUL;
+ goto err_out;
+ }
+
+ /* check for bad lease state */
+ if (req->LeaseState & (~(SMB2_LEASE_READ_CACHING_LE |
+ SMB2_LEASE_HANDLE_CACHING_LE))) {
+ err = STATUS_INVALID_OPLOCK_PROTOCOL;
+ if (lease->state & SMB2_LEASE_WRITE_CACHING_LE)
+ lease_change_type = OPLOCK_WRITE_TO_NONE;
+ else
+ lease_change_type = OPLOCK_READ_TO_NONE;
+ ksmbd_debug(OPLOCK, "handle bad lease state 0x%x -> 0x%x\n",
+ le32_to_cpu(lease->state),
+ le32_to_cpu(req->LeaseState));
+ } else if ((lease->state == SMB2_LEASE_READ_CACHING_LE) &&
+ (req->LeaseState != SMB2_LEASE_NONE_LE)) {
+ err = STATUS_INVALID_OPLOCK_PROTOCOL;
+ lease_change_type = OPLOCK_READ_TO_NONE;
+ ksmbd_debug(OPLOCK, "handle bad lease state 0x%x -> 0x%x\n",
+ le32_to_cpu(lease->state),
+ le32_to_cpu(req->LeaseState));
+ } else {
+ /* valid lease state changes */
+ err = STATUS_INVALID_DEVICE_STATE;
+ if (req->LeaseState == SMB2_LEASE_NONE_LE) {
+ if (lease->state & SMB2_LEASE_WRITE_CACHING_LE)
+ lease_change_type = OPLOCK_WRITE_TO_NONE;
+ else
+ lease_change_type = OPLOCK_READ_TO_NONE;
+ } else if (req->LeaseState & SMB2_LEASE_READ_CACHING_LE) {
+ if (lease->state & SMB2_LEASE_WRITE_CACHING_LE)
+ lease_change_type = OPLOCK_WRITE_TO_READ;
+ else
+ lease_change_type = OPLOCK_READ_HANDLE_TO_READ;
+ } else
+ lease_change_type = 0;
+ }
+
+ switch (lease_change_type) {
+ case OPLOCK_WRITE_TO_READ:
+ ret = opinfo_write_to_read(opinfo);
+ break;
+ case OPLOCK_READ_HANDLE_TO_READ:
+ ret = opinfo_read_handle_to_read(opinfo);
+ break;
+ case OPLOCK_WRITE_TO_NONE:
+ ret = opinfo_write_to_none(opinfo);
+ break;
+ case OPLOCK_READ_TO_NONE:
+ ret = opinfo_read_to_none(opinfo);
+ break;
+ default:
+ ksmbd_debug(OPLOCK, "unknown lease change 0x%x -> 0x%x\n",
+ le32_to_cpu(lease->state),
+ le32_to_cpu(req->LeaseState));
+ }
+
+ lease_state = lease->state;
+ opinfo->op_state = OPLOCK_STATE_NONE;
+ wake_up_interruptible_all(&opinfo->oplock_q);
+ atomic_dec(&opinfo->breaking_cnt);
+ wake_up_interruptible_all(&opinfo->oplock_brk);
+ opinfo_put(opinfo);
+
+ if (ret < 0) {
+ rsp->hdr.Status = err;
+ goto err_out;
+ }
+
+ rsp->StructureSize = cpu_to_le16(36);
+ rsp->Reserved = 0;
+ rsp->Flags = 0;
+ memcpy(rsp->LeaseKey, req->LeaseKey, 16);
+ rsp->LeaseState = lease_state;
+ rsp->LeaseDuration = 0;
+ inc_rfc1001_len(rsp, 36);
+ return;
+
+err_out:
+ opinfo->op_state = OPLOCK_STATE_NONE;
+ wake_up_interruptible_all(&opinfo->oplock_q);
+ atomic_dec(&opinfo->breaking_cnt);
+ wake_up_interruptible_all(&opinfo->oplock_brk);
+
+ opinfo_put(opinfo);
+ smb2_set_err_rsp(work);
+}
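Review bot: when ret < 0 in smb21_lease_break_ack(), the cleanup runs twice. The block just before the check already does atomic_dec(&opinfo->breaking_cnt), both wake-ups and opinfo_put(opinfo); `goto err_out` then repeats the atomic_dec and the opinfo_put, and writes opinfo->op_state after the first put. Set the status and call smb2_set_err_rsp() directly in that branch, or move the shared cleanup below the ret check. Also, the lookup-failure path sets rsp->hdr.Status after smb2_set_err_rsp(work), the reverse of the order used at err_out, and the "req lease state" debug print passes req->LeaseState and lease->new_state to %x without le32_to_cpu().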
+
+/**
+ * smb2_oplock_break() - dispatcher for smb2.0 and 2.1 oplock/lease break
+ * @work: smb work containing oplock/lease break command buffer
+ *
+ * Return: 0
+ */
+int smb2_oplock_break(struct ksmbd_work *work)
+{
+ struct smb2_oplock_break *req = REQUEST_BUF(work);
+ struct smb2_oplock_break *rsp = RESPONSE_BUF(work);
+
+ switch (le16_to_cpu(req->StructureSize)) {
+ case OP_BREAK_STRUCT_SIZE_20:
+ smb20_oplock_break_ack(work);
+ break;
+ case OP_BREAK_STRUCT_SIZE_21:
+ smb21_lease_break_ack(work);
+ break;
+ default:
+ ksmbd_debug(OPLOCK, "invalid break cmd %d\n",
+ le16_to_cpu(req->StructureSize));
+ rsp->hdr.Status = STATUS_INVALID_PARAMETER;
+ smb2_set_err_rsp(work);
+ }
+
+ return 0;
+}
+
+/**
+ * smb2_notify() - handler for smb2 notify request
+ * @ksmbd_work: smb work containing notify command buffer
+ *
+ * Return: 0
+ */
+int smb2_notify(struct ksmbd_work *work)
+{
+ struct smb2_notify_req *req;
+ struct smb2_notify_rsp *rsp;
+
+ WORK_BUFFERS(work, req, rsp);
+
+ if (work->next_smb2_rcv_hdr_off && req->hdr.NextCommand) {
+ rsp->hdr.Status = STATUS_INTERNAL_ERROR;
+ smb2_set_err_rsp(work);
+ return 0;
+ }
+
+ smb2_set_err_rsp(work);
+ rsp->hdr.Status = STATUS_NOT_IMPLEMENTED;
+ return 0;
+}
+
+/**
+ * smb2_is_sign_req() - handler for checking packet signing status
+ * @work:smb work containing notify command buffer
+ *
+ * Return: true if packed is signed, false otherwise
+ */
+bool smb2_is_sign_req(struct ksmbd_work *work, unsigned int command)
+{
+ struct smb2_hdr *rcv_hdr2 = REQUEST_BUF(work);
+
+ if ((rcv_hdr2->Flags & SMB2_FLAGS_SIGNED) &&
+ command != SMB2_NEGOTIATE_HE &&
+ command != SMB2_SESSION_SETUP_HE &&
+ command != SMB2_OPLOCK_BREAK_HE)
+ return true;
+
+ return 0;
+}
+
+/**
+ * smb2_check_sign_req() - handler for req packet sign processing
+ * @work: smb work containing notify command buffer
+ *
+ * Return: 1 on success, 0 otherwise
+ */
+int smb2_check_sign_req(struct ksmbd_work *work)
+{
+ struct smb2_hdr *hdr, *hdr_org;
+ char signature_req[SMB2_SIGNATURE_SIZE];
+ char signature[SMB2_HMACSHA256_SIZE];
+ struct kvec iov[1];
+ size_t len;
+
+ hdr_org = hdr = REQUEST_BUF(work);
+ if (work->next_smb2_rcv_hdr_off)
+ hdr = REQUEST_BUF_NEXT(work);
+
+ if (!hdr->NextCommand && !work->next_smb2_rcv_hdr_off)
+ len = be32_to_cpu(hdr_org->smb2_buf_length);
+ else if (hdr->NextCommand)
+ len = le32_to_cpu(hdr->NextCommand);
+ else
+ len = be32_to_cpu(hdr_org->smb2_buf_length) -
+ work->next_smb2_rcv_hdr_off;
+
+ memcpy(signature_req, hdr->Signature, SMB2_SIGNATURE_SIZE);
+ memset(hdr->Signature, 0, SMB2_SIGNATURE_SIZE);
+
+ iov[0].iov_base = (char *)&hdr->ProtocolId;
+ iov[0].iov_len = len;
+
+ if (ksmbd_sign_smb2_pdu(work->conn, work->sess->sess_key, iov, 1,
+ signature))
+ return 0;
+
+ if (memcmp(signature, signature_req, SMB2_SIGNATURE_SIZE)) {
+ ksmbd_err("bad smb2 signature\n");
+ return 0;
+ }
+
+ return 1;
+}
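Review bot: smb2_check_sign_req() compares the computed and received signatures with memcmp(), which returns as soon as a byte differs; use crypto_memneq() for MAC comparison. len is taken from hdr->NextCommand or smb2_buf_length and used directly as iov_len, with no check in this function that NextCommand stays within the remaining received length for a compound request, and work->sess is dereferenced without a NULL check. The same pattern is repeated in smb3_check_sign_req() further down. In smb2_is_sign_req(), the bool function ends with `return 0;` where `return false;` would match the other return.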
+
+/**
+ * smb2_set_sign_rsp() - handler for rsp packet sign processing
+ * @work: smb work containing notify command buffer
+ *
+ */
+void smb2_set_sign_rsp(struct ksmbd_work *work)
+{
+ struct smb2_hdr *hdr, *hdr_org;
+ struct smb2_hdr *req_hdr;
+ char signature[SMB2_HMACSHA256_SIZE];
+ struct kvec iov[2];
+ size_t len;
+ int n_vec = 1;
+
+ hdr_org = hdr = RESPONSE_BUF(work);
+ if (work->next_smb2_rsp_hdr_off)
+ hdr = RESPONSE_BUF_NEXT(work);
+
+ req_hdr = REQUEST_BUF_NEXT(work);
+
+ if (!work->next_smb2_rsp_hdr_off) {
+ len = get_rfc1002_len(hdr_org);
+ if (req_hdr->NextCommand)
+ len = ALIGN(len, 8);
+ } else {
+ len = get_rfc1002_len(hdr_org) - work->next_smb2_rsp_hdr_off;
+ len = ALIGN(len, 8);
+ }
+
+ if (req_hdr->NextCommand)
+ hdr->NextCommand = cpu_to_le32(len);
+
+ hdr->Flags |= SMB2_FLAGS_SIGNED;
+ memset(hdr->Signature, 0, SMB2_SIGNATURE_SIZE);
+
+ iov[0].iov_base = (char *)&hdr->ProtocolId;
+ iov[0].iov_len = len;
+
+ if (HAS_AUX_PAYLOAD(work)) {
+ iov[0].iov_len -= AUX_PAYLOAD_SIZE(work);
+
+ iov[1].iov_base = AUX_PAYLOAD(work);
+ iov[1].iov_len = AUX_PAYLOAD_SIZE(work);
+ n_vec++;
+ }
+
+ if (!ksmbd_sign_smb2_pdu(work->conn, work->sess->sess_key, iov, n_vec,
+ signature))
+ memcpy(hdr->Signature, signature, SMB2_SIGNATURE_SIZE);
+}
+
+/**
+ * smb3_check_sign_req() - handler for req packet sign processing
+ * @work: smb work containing notify command buffer
+ *
+ * Return: 1 on success, 0 otherwise
+ */
+int smb3_check_sign_req(struct ksmbd_work *work)
+{
+ struct ksmbd_conn *conn;
+ char *signing_key;
+ struct smb2_hdr *hdr, *hdr_org;
+ struct channel *chann;
+ char signature_req[SMB2_SIGNATURE_SIZE];
+ char signature[SMB2_CMACAES_SIZE];
+ struct kvec iov[1];
+ size_t len;
+
+ hdr_org = hdr = REQUEST_BUF(work);
+ if (work->next_smb2_rcv_hdr_off)
+ hdr = REQUEST_BUF_NEXT(work);
+
+ if (!hdr->NextCommand && !work->next_smb2_rcv_hdr_off)
+ len = be32_to_cpu(hdr_org->smb2_buf_length);
+ else if (hdr->NextCommand)
+ len = le32_to_cpu(hdr->NextCommand);
+ else
+ len = be32_to_cpu(hdr_org->smb2_buf_length) -
+ work->next_smb2_rcv_hdr_off;
+
+ if (le16_to_cpu(hdr->Command) == SMB2_SESSION_SETUP_HE) {
+ signing_key = work->sess->smb3signingkey;
+ conn = work->sess->conn;
+ } else {
+ chann = lookup_chann_list(work->sess);
+ if (!chann)
+ return 0;
+ signing_key = chann->smb3signingkey;
+ conn = chann->conn;
+ }
+
+ if (!signing_key) {
+ ksmbd_err("SMB3 signing key is not generated\n");
+ return 0;
+ }
+
+ memcpy(signature_req, hdr->Signature, SMB2_SIGNATURE_SIZE);
+ memset(hdr->Signature, 0, SMB2_SIGNATURE_SIZE);
+ iov[0].iov_base = (char *)&hdr->ProtocolId;
+ iov[0].iov_len = len;
+
+ if (ksmbd_sign_smb3_pdu(conn, signing_key, iov, 1, signature))
+ return 0;
+
+ if (memcmp(signature, signature_req, SMB2_SIGNATURE_SIZE)) {
+ ksmbd_err("bad smb2 signature\n");
+ return 0;
+ }
+
+ return 1;
+}
+
+/**
+ * smb3_set_sign_rsp() - handler for rsp packet sign processing
+ * @work: smb work containing notify command buffer
+ *
+ */
+void smb3_set_sign_rsp(struct ksmbd_work *work)
+{
+ struct ksmbd_conn *conn;
+ struct smb2_hdr *req_hdr;
+ struct smb2_hdr *hdr, *hdr_org;
+ struct channel *chann;
+ char signature[SMB2_CMACAES_SIZE];
+ struct kvec iov[2];
+ int n_vec = 1;
+ size_t len;
+ char *signing_key;
+
+ hdr_org = hdr = RESPONSE_BUF(work);
+ if (work->next_smb2_rsp_hdr_off)
+ hdr = RESPONSE_BUF_NEXT(work);
+
+ req_hdr = REQUEST_BUF_NEXT(work);
+
+ if (!work->next_smb2_rsp_hdr_off) {
+ len = get_rfc1002_len(hdr_org);
+ if (req_hdr->NextCommand)
+ len = ALIGN(len, 8);
+ } else {
+ len = get_rfc1002_len(hdr_org) - work->next_smb2_rsp_hdr_off;
+ len = ALIGN(len, 8);
+ }
+
+ if (le16_to_cpu(hdr->Command) == SMB2_SESSION_SETUP_HE) {
+ signing_key = work->sess->smb3signingkey;
+ conn = work->sess->conn;
+ } else {
+ chann = lookup_chann_list(work->sess);
+ if (!chann)
+ return;
+ signing_key = chann->smb3signingkey;
+ conn = chann->conn;
+ }
+
+ if (!signing_key)
+ return;
+
+ if (req_hdr->NextCommand)
+ hdr->NextCommand = cpu_to_le32(len);
+
+ hdr->Flags |= SMB2_FLAGS_SIGNED;
+ memset(hdr->Signature, 0, SMB2_SIGNATURE_SIZE);
+ iov[0].iov_base = (char *)&hdr->ProtocolId;
+ iov[0].iov_len = len;
+ if (HAS_AUX_PAYLOAD(work)) {
+ iov[0].iov_len -= AUX_PAYLOAD_SIZE(work);
+ iov[1].iov_base = AUX_PAYLOAD(work);
+ iov[1].iov_len = AUX_PAYLOAD_SIZE(work);
+ n_vec++;
+ }
+
+ if (!ksmbd_sign_smb3_pdu(conn, signing_key, iov, n_vec, signature))
+ memcpy(hdr->Signature, signature, SMB2_SIGNATURE_SIZE);
+}
+
+/**
+ * smb3_preauth_hash_rsp() - handler for computing preauth hash on response
+ * @work: smb work containing response buffer
+ *
+ */
+void smb3_preauth_hash_rsp(struct ksmbd_work *work)
+{
+ struct ksmbd_conn *conn = work->conn;
+ struct ksmbd_session *sess = work->sess;
+ struct smb2_hdr *req, *rsp;
+
+ if (conn->dialect != SMB311_PROT_ID)
+ return;
+
+ WORK_BUFFERS(work, req, rsp);
+
+ if (le16_to_cpu(req->Command) == SMB2_NEGOTIATE_HE)
+ ksmbd_gen_preauth_integrity_hash(conn, (char *)rsp,
+ conn->preauth_info->Preauth_HashValue);
+
+ if (le16_to_cpu(rsp->Command) == SMB2_SESSION_SETUP_HE &&
+ sess && sess->state == SMB2_SESSION_IN_PROGRESS) {
+ __u8 *hash_value;
+
+ hash_value = sess->Preauth_HashValue;
+ ksmbd_gen_preauth_integrity_hash(conn, (char *)rsp,
+ hash_value);
+ }
+}
+
+static void fill_transform_hdr(struct smb2_transform_hdr *tr_hdr,
+ char *old_buf,
+ __le16 cipher_type)
+{
+ struct smb2_hdr *hdr = (struct smb2_hdr *)old_buf;
+ unsigned int orig_len = get_rfc1002_len(old_buf);
+
+ memset(tr_hdr, 0, sizeof(struct smb2_transform_hdr));
+ tr_hdr->ProtocolId = SMB2_TRANSFORM_PROTO_NUM;
+ tr_hdr->OriginalMessageSize = cpu_to_le32(orig_len);
+ tr_hdr->Flags = cpu_to_le16(0x01);
+ if (cipher_type == SMB2_ENCRYPTION_AES128_GCM)
+ get_random_bytes(&tr_hdr->Nonce, SMB3_AES128GCM_NONCE);
+ else
+ get_random_bytes(&tr_hdr->Nonce, SMB3_AES128CCM_NONCE);
+ memcpy(&tr_hdr->SessionId, &hdr->SessionId, 8);
+ inc_rfc1001_len(tr_hdr, sizeof(struct smb2_transform_hdr) - 4);
+ inc_rfc1001_len(tr_hdr, orig_len);
+}
+
+int smb3_encrypt_resp(struct ksmbd_work *work)
+{
+ char *buf = RESPONSE_BUF(work);
+ struct smb2_transform_hdr *tr_hdr;
+ struct kvec iov[3];
+ int rc = -ENOMEM;
+ int buf_size = 0, rq_nvec = 2 + (HAS_AUX_PAYLOAD(work) ? 1 : 0);
+
+ if (ARRAY_SIZE(iov) < rq_nvec)
+ return -ENOMEM;
+
+ tr_hdr = ksmbd_alloc_response(sizeof(struct smb2_transform_hdr));
+ if (!tr_hdr)
+ return rc;
+
+ /* fill transform header */
+ fill_transform_hdr(tr_hdr, buf, work->conn->cipher_type);
+
+ iov[0].iov_base = tr_hdr;
+ iov[0].iov_len = sizeof(struct smb2_transform_hdr);
+ buf_size += iov[0].iov_len - 4;
+
+ iov[1].iov_base = buf + 4;
+ iov[1].iov_len = get_rfc1002_len(buf);
+ if (HAS_AUX_PAYLOAD(work)) {
+ iov[1].iov_len = RESP_HDR_SIZE(work) - 4;
+
+ iov[2].iov_base = AUX_PAYLOAD(work);
+ iov[2].iov_len = AUX_PAYLOAD_SIZE(work);
+ buf_size += iov[2].iov_len;
+ }
+ buf_size += iov[1].iov_len;
+ work->resp_hdr_sz = iov[1].iov_len;
+
+ rc = ksmbd_crypt_message(work->conn, iov, rq_nvec, 1);
+ if (rc)
+ return rc;
+
+ memmove(buf, iov[1].iov_base, iov[1].iov_len);
+ tr_hdr->smb2_buf_length = cpu_to_be32(buf_size);
+ work->tr_buf = tr_hdr;
+
+ return rc;
+}
+
+int smb3_is_transform_hdr(void *buf)
+{
+ struct smb2_transform_hdr *trhdr = buf;
+
+ return trhdr->ProtocolId == SMB2_TRANSFORM_PROTO_NUM;
+}
+
+int smb3_decrypt_req(struct ksmbd_work *work)
+{
+ struct ksmbd_conn *conn = work->conn;
+ struct ksmbd_session *sess;
+ char *buf = REQUEST_BUF(work);
+ struct smb2_hdr *hdr;
+ unsigned int pdu_length = get_rfc1002_len(buf);
+ struct kvec iov[2];
+ unsigned int buf_data_size = pdu_length + 4 -
+ sizeof(struct smb2_transform_hdr);
+ struct smb2_transform_hdr *tr_hdr = (struct smb2_transform_hdr *)buf;
+ unsigned int orig_len = le32_to_cpu(tr_hdr->OriginalMessageSize);
+ int rc = 0;
+
+ sess = ksmbd_session_lookup(conn, le64_to_cpu(tr_hdr->SessionId));
+ if (!sess) {
+ ksmbd_err("invalid session id(%llx) in transform header\n",
+ le64_to_cpu(tr_hdr->SessionId));
+ return -ECONNABORTED;
+ }
+
+ if (pdu_length + 4 < sizeof(struct smb2_transform_hdr) +
+ sizeof(struct smb2_hdr)) {
+ ksmbd_err("Transform message is too small (%u)\n",
+ pdu_length);
+ return -ECONNABORTED;
+ }
+
+ if (pdu_length + 4 < orig_len + sizeof(struct smb2_transform_hdr)) {
+ ksmbd_err("Transform message is broken\n");
+ return -ECONNABORTED;
+ }
+
+ iov[0].iov_base = buf;
+ iov[0].iov_len = sizeof(struct smb2_transform_hdr);
+ iov[1].iov_base = buf + sizeof(struct smb2_transform_hdr);
+ iov[1].iov_len = buf_data_size;
+ rc = ksmbd_crypt_message(conn, iov, 2, 0);
+ if (rc)
+ return rc;
+
+ memmove(buf + 4, iov[1].iov_base, buf_data_size);
+ hdr = (struct smb2_hdr *)buf;
+ hdr->smb2_buf_length = cpu_to_be32(buf_data_size);
+
+ return rc;
+}
+
+bool smb3_11_final_sess_setup_resp(struct ksmbd_work *work)
+{
+ struct ksmbd_conn *conn = work->conn;
+ struct smb2_hdr *rsp = RESPONSE_BUF(work);
+
+ if (conn->dialect < SMB30_PROT_ID)
+ return false;
+
+ if (work->next_smb2_rcv_hdr_off)
+ rsp = RESPONSE_BUF_NEXT(work);
+
+ if (le16_to_cpu(rsp->Command) == SMB2_SESSION_SETUP_HE &&
+ rsp->Status == STATUS_SUCCESS)
+ return true;
+ return false;
+}
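Review bot: In smb3_decrypt_req(), tr_hdr->OriginalMessageSize and tr_hdr->SessionId are read (the orig_len initializer and the ksmbd_session_lookup() call) before the "Transform message is too small" check has established that the PDU is long enough to hold a struct smb2_transform_hdr, so a short PDU has its header fields parsed, and its session id logged, before it is rejected. Move both length checks ahead of the session lookup and read OriginalMessageSize only after the first one passes. The second check, `pdu_length + 4 < orig_len + sizeof(struct smb2_transform_hdr)`, also adds a client-supplied 32-bit value to a size_t, which can wrap where size_t is 32 bits; comparing orig_len against buf_data_size once the first check has passed avoids the addition. Separately, the request signature check near the top of this span compares with `memcmp(signature, signature_req, SMB2_SIGNATURE_SIZE)`; crypto_memneq() is the kernel's constant-time comparison and is the better fit for a MAC value.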
diff --git a/fs/cifsd/smb2pdu.h b/fs/cifsd/smb2pdu.h
new file mode 100644
index 000000000000..deb3d7444c2a
--- /dev/null
+++ b/fs/cifsd/smb2pdu.h
@@ -0,0 +1,1649 @@
+/* SPDX-License-Identifier: GPL-2.0-or-later */
+/*
+ * Copyright (C) 2016 Namjae Jeon <linkinjeon(a)kernel.org>
+ * Copyright (C) 2018 Samsung Electronics Co., Ltd.
+ */
+
+#ifndef _SMB2PDU_H
+#define _SMB2PDU_H
+
+#include "ntlmssp.h"
+#include "smbacl.h"
+
+/*
+ * Note that, due to trying to use names similar to the protocol specifications,
+ * there are many mixed case field names in the structures below. Although
+ * this does not match typical Linux kernel style, it is necessary to be
+ * able to match against the protocol specfication.
+ *
+ * SMB2 commands
+ * Some commands have minimal (wct=0,bcc=0), or uninteresting, responses
+ * (ie no useful data other than the SMB error code itself) and are marked such.
+ * Knowing this helps avoid response buffer allocations and copy in some cases.
+ */
+
+/* List of commands in host endian */
+#define SMB2_NEGOTIATE_HE 0x0000
+#define SMB2_SESSION_SETUP_HE 0x0001
+#define SMB2_LOGOFF_HE 0x0002 /* trivial request/resp */
+#define SMB2_TREE_CONNECT_HE 0x0003
+#define SMB2_TREE_DISCONNECT_HE 0x0004 /* trivial req/resp */
+#define SMB2_CREATE_HE 0x0005
+#define SMB2_CLOSE_HE 0x0006
+#define SMB2_FLUSH_HE 0x0007 /* trivial resp */
+#define SMB2_READ_HE 0x0008
+#define SMB2_WRITE_HE 0x0009
+#define SMB2_LOCK_HE 0x000A
+#define SMB2_IOCTL_HE 0x000B
+#define SMB2_CANCEL_HE 0x000C
+#define SMB2_ECHO_HE 0x000D
+#define SMB2_QUERY_DIRECTORY_HE 0x000E
+#define SMB2_CHANGE_NOTIFY_HE 0x000F
+#define SMB2_QUERY_INFO_HE 0x0010
+#define SMB2_SET_INFO_HE 0x0011
+#define SMB2_OPLOCK_BREAK_HE 0x0012
+
+/* The same list in little endian */
+#define SMB2_NEGOTIATE cpu_to_le16(SMB2_NEGOTIATE_HE)
+#define SMB2_SESSION_SETUP cpu_to_le16(SMB2_SESSION_SETUP_HE)
+#define SMB2_LOGOFF cpu_to_le16(SMB2_LOGOFF_HE)
+#define SMB2_TREE_CONNECT cpu_to_le16(SMB2_TREE_CONNECT_HE)
+#define SMB2_TREE_DISCONNECT cpu_to_le16(SMB2_TREE_DISCONNECT_HE)
+#define SMB2_CREATE cpu_to_le16(SMB2_CREATE_HE)
+#define SMB2_CLOSE cpu_to_le16(SMB2_CLOSE_HE)
+#define SMB2_FLUSH cpu_to_le16(SMB2_FLUSH_HE)
+#define SMB2_READ cpu_to_le16(SMB2_READ_HE)
+#define SMB2_WRITE cpu_to_le16(SMB2_WRITE_HE)
+#define SMB2_LOCK cpu_to_le16(SMB2_LOCK_HE)
+#define SMB2_IOCTL cpu_to_le16(SMB2_IOCTL_HE)
+#define SMB2_CANCEL cpu_to_le16(SMB2_CANCEL_HE)
+#define SMB2_ECHO cpu_to_le16(SMB2_ECHO_HE)
+#define SMB2_QUERY_DIRECTORY cpu_to_le16(SMB2_QUERY_DIRECTORY_HE)
+#define SMB2_CHANGE_NOTIFY cpu_to_le16(SMB2_CHANGE_NOTIFY_HE)
+#define SMB2_QUERY_INFO cpu_to_le16(SMB2_QUERY_INFO_HE)
+#define SMB2_SET_INFO cpu_to_le16(SMB2_SET_INFO_HE)
+#define SMB2_OPLOCK_BREAK cpu_to_le16(SMB2_OPLOCK_BREAK_HE)
+
+/*Create Action Flags*/
+#define FILE_SUPERSEDED 0x00000000
+#define FILE_OPENED 0x00000001
+#define FILE_CREATED 0x00000002
+#define FILE_OVERWRITTEN 0x00000003
+
+/*
+ * Size of the session key (crypto key encrypted with the password
+ */
+#define SMB2_NTLMV2_SESSKEY_SIZE 16
+#define SMB2_SIGNATURE_SIZE 16
+#define SMB2_HMACSHA256_SIZE 32
+#define SMB2_CMACAES_SIZE 16
+
+/*
+ * Size of the smb3 signing key
+ */
+#define SMB3_SIGN_KEY_SIZE 16
+
+#define CIFS_CLIENT_CHALLENGE_SIZE 8
+#define SMB_SERVER_CHALLENGE_SIZE 8
+
+/* SMB2 Max Credits */
+#define SMB2_MAX_CREDITS 8192
+
+#define SMB2_CLIENT_GUID_SIZE 16
+#define SMB2_CREATE_GUID_SIZE 16
+
+/* Maximum buffer size value we can send with 1 credit */
+#define SMB2_MAX_BUFFER_SIZE 65536
+
+#define NUMBER_OF_SMB2_COMMANDS 0x0013
+
+/* BB FIXME - analyze following length BB */
+#define MAX_SMB2_HDR_SIZE 0x78 /* 4 len + 64 hdr + (2*24 wct) + 2 bct + 2 pad */
+
+#define SMB2_PROTO_NUMBER cpu_to_le32(0x424d53fe) /* 'B''M''S' */
+#define SMB2_TRANSFORM_PROTO_NUM cpu_to_le32(0x424d53fd)
+
+#define SMB21_DEFAULT_IOSIZE (1024 * 1024)
+#define SMB3_DEFAULT_IOSIZE (4 * 1024 * 1024)
+#define SMB3_DEFAULT_TRANS_SIZE (1024 * 1024)
+
+/*
+ * SMB2 Header Definition
+ *
+ * "MBZ" : Must be Zero
+ * "BB" : BugBug, Something to check/review/analyze later
+ * "PDU" : "Protocol Data Unit" (ie a network "frame")
+ *
+ */
+
+#define __SMB2_HEADER_STRUCTURE_SIZE 64
+#define SMB2_HEADER_STRUCTURE_SIZE \
+ cpu_to_le16(__SMB2_HEADER_STRUCTURE_SIZE)
+
+struct smb2_hdr {
+ __be32 smb2_buf_length; /* big endian on wire */
+ /*
+ * length is only two or three bytes - with
+ * one or two byte type preceding it that MBZ
+ */
+ __le32 ProtocolId; /* 0xFE 'S' 'M' 'B' */
+ __le16 StructureSize; /* 64 */
+ __le16 CreditCharge; /* MBZ */
+ __le32 Status; /* Error from server */
+ __le16 Command;
+ __le16 CreditRequest; /* CreditResponse */
+ __le32 Flags;
+ __le32 NextCommand;
+ __le64 MessageId;
+ union {
+ struct {
+ __le32 ProcessId;
+ __le32 TreeId;
+ } __packed SyncId;
+ __le64 AsyncId;
+ } __packed Id;
+ __le64 SessionId;
+ __u8 Signature[16];
+} __packed;
+
+struct smb2_pdu {
+ struct smb2_hdr hdr;
+ __le16 StructureSize2; /* size of wct area (varies, request specific) */
+} __packed;
+
+#define SMB3_AES128CCM_NONCE 11
+#define SMB3_AES128GCM_NONCE 12
+
+struct smb2_transform_hdr {
+ __be32 smb2_buf_length; /* big endian on wire */
+ /*
+ * length is only two or three bytes - with
+ * one or two byte type preceding it that MBZ
+ */
+ __le32 ProtocolId; /* 0xFD 'S' 'M' 'B' */
+ __u8 Signature[16];
+ __u8 Nonce[16];
+ __le32 OriginalMessageSize;
+ __u16 Reserved1;
+ __le16 Flags; /* EncryptionAlgorithm */
+ __le64 SessionId;
+} __packed;
+
+/*
+ * SMB2 flag definitions
+ */
+#define SMB2_FLAGS_SERVER_TO_REDIR cpu_to_le32(0x00000001)
+#define SMB2_FLAGS_ASYNC_COMMAND cpu_to_le32(0x00000002)
+#define SMB2_FLAGS_RELATED_OPERATIONS cpu_to_le32(0x00000004)
+#define SMB2_FLAGS_SIGNED cpu_to_le32(0x00000008)
+#define SMB2_FLAGS_DFS_OPERATIONS cpu_to_le32(0x10000000)
+#define SMB2_FLAGS_REPLAY_OPERATIONS cpu_to_le32(0x20000000)
+
+/*
+ * Definitions for SMB2 Protocol Data Units (network frames)
+ *
+ * See MS-SMB2.PDF specification for protocol details.
+ * The Naming convention is the lower case version of the SMB2
+ * command code name for the struct. Note that structures must be packed.
+ *
+ */
+
+#define SMB2_ERROR_STRUCTURE_SIZE2 9
+#define SMB2_ERROR_STRUCTURE_SIZE2_LE cpu_to_le16(SMB2_ERROR_STRUCTURE_SIZE2)
+
+struct smb2_err_rsp {
+ struct smb2_hdr hdr;
+ __le16 StructureSize;
+ __u8 ErrorContextCount;
+ __u8 Reserved;
+ __le32 ByteCount; /* even if zero, at least one byte follows */
+ __u8 ErrorData[1]; /* variable length */
+} __packed;
+
+struct smb2_negotiate_req {
+ struct smb2_hdr hdr;
+ __le16 StructureSize; /* Must be 36 */
+ __le16 DialectCount;
+ __le16 SecurityMode;
+ __le16 Reserved; /* MBZ */
+ __le32 Capabilities;
+ __u8 ClientGUID[SMB2_CLIENT_GUID_SIZE];
+ /* In SMB3.02 and earlier next three were MBZ le64 ClientStartTime */
+ __le32 NegotiateContextOffset; /* SMB3.1.1 only. MBZ earlier */
+ __le16 NegotiateContextCount; /* SMB3.1.1 only. MBZ earlier */
+ __le16 Reserved2;
+ __le16 Dialects[1]; /* One dialect (vers=) at a time for now */
+} __packed;
+
+/* SecurityMode flags */
+#define SMB2_NEGOTIATE_SIGNING_ENABLED_LE cpu_to_le16(0x0001)
+#define SMB2_NEGOTIATE_SIGNING_REQUIRED 0x0002
+#define SMB2_NEGOTIATE_SIGNING_REQUIRED_LE cpu_to_le16(0x0002)
+/* Capabilities flags */
+#define SMB2_GLOBAL_CAP_DFS 0x00000001
+#define SMB2_GLOBAL_CAP_LEASING 0x00000002 /* Resp only New to SMB2.1 */
+#define SMB2_GLOBAL_CAP_LARGE_MTU 0X00000004 /* Resp only New to SMB2.1 */
+#define SMB2_GLOBAL_CAP_MULTI_CHANNEL 0x00000008 /* New to SMB3 */
+#define SMB2_GLOBAL_CAP_PERSISTENT_HANDLES 0x00000010 /* New to SMB3 */
+#define SMB2_GLOBAL_CAP_DIRECTORY_LEASING 0x00000020 /* New to SMB3 */
+#define SMB2_GLOBAL_CAP_ENCRYPTION 0x00000040 /* New to SMB3 */
+/* Internal types */
+#define SMB2_NT_FIND 0x00100000
+#define SMB2_LARGE_FILES 0x00200000
+
+#define SMB311_SALT_SIZE 32
+/* Hash Algorithm Types */
+#define SMB2_PREAUTH_INTEGRITY_SHA512 cpu_to_le16(0x0001)
+
+#define PREAUTH_HASHVALUE_SIZE 64
+
+struct preauth_integrity_info {
+ /* PreAuth integrity Hash ID */
+ __le16 Preauth_HashId;
+ /* PreAuth integrity Hash Value */
+ __u8 Preauth_HashValue[PREAUTH_HASHVALUE_SIZE];
+};
+
+/* offset is sizeof smb2_negotiate_rsp - 4 but rounded up to 8 bytes. */
+#ifdef CONFIG_SMB_SERVER_KERBEROS5
+/* sizeof(struct smb2_negotiate_rsp) - 4 =
+ * header(64) + response(64) + GSS_LENGTH(96) + GSS_PADDING(0)
+ */
+#define OFFSET_OF_NEG_CONTEXT 0xe0
+#else
+/* sizeof(struct smb2_negotiate_rsp) - 4 =
+ * header(64) + response(64) + GSS_LENGTH(74) + GSS_PADDING(6)
+ */
+#define OFFSET_OF_NEG_CONTEXT 0xd0
+#endif
+
+#define SMB2_PREAUTH_INTEGRITY_CAPABILITIES cpu_to_le16(1)
+#define SMB2_ENCRYPTION_CAPABILITIES cpu_to_le16(2)
+#define SMB2_COMPRESSION_CAPABILITIES cpu_to_le16(3)
+#define SMB2_NETNAME_NEGOTIATE_CONTEXT_ID cpu_to_le16(5)
+#define SMB2_POSIX_EXTENSIONS_AVAILABLE cpu_to_le16(0x100)
+
+struct smb2_neg_context {
+ __le16 ContextType;
+ __le16 DataLength;
+ __le32 Reserved;
+ /* Followed by array of data */
+} __packed;
+
+struct smb2_preauth_neg_context {
+ __le16 ContextType; /* 1 */
+ __le16 DataLength;
+ __le32 Reserved;
+ __le16 HashAlgorithmCount; /* 1 */
+ __le16 SaltLength;
+ __le16 HashAlgorithms; /* HashAlgorithms[0] since only one defined */
+ __u8 Salt[SMB311_SALT_SIZE];
+} __packed;
+
+/* Encryption Algorithms Ciphers */
+#define SMB2_ENCRYPTION_AES128_CCM cpu_to_le16(0x0001)
+#define SMB2_ENCRYPTION_AES128_GCM cpu_to_le16(0x0002)
+
+struct smb2_encryption_neg_context {
+ __le16 ContextType; /* 2 */
+ __le16 DataLength;
+ __le32 Reserved;
+ __le16 CipherCount; /* AES-128-GCM and AES-128-CCM */
+ __le16 Ciphers[1]; /* Ciphers[0] since only one used now */
+} __packed;
+
+#define SMB3_COMPRESS_NONE cpu_to_le16(0x0000)
+#define SMB3_COMPRESS_LZNT1 cpu_to_le16(0x0001)
+#define SMB3_COMPRESS_LZ77 cpu_to_le16(0x0002)
+#define SMB3_COMPRESS_LZ77_HUFF cpu_to_le16(0x0003)
+
+struct smb2_compression_ctx {
+ __le16 ContextType; /* 3 */
+ __le16 DataLength;
+ __le32 Reserved;
+ __le16 CompressionAlgorithmCount;
+ __u16 Padding;
+ __le32 Reserved1;
+ __le16 CompressionAlgorithms[1];
+} __packed;
+
+#define POSIX_CTXT_DATA_LEN 16
+struct smb2_posix_neg_context {
+ __le16 ContextType; /* 0x100 */
+ __le16 DataLength;
+ __le32 Reserved;
+ __u8 Name[16]; /* POSIX ctxt GUID 93AD25509CB411E7B42383DE968BCD7C */
+} __packed;
+
+struct smb2_netname_neg_context {
+ __le16 ContextType; /* 0x100 */
+ __le16 DataLength;
+ __le32 Reserved;
+ __le16 NetName[0]; /* hostname of target converted to UCS-2 */
+} __packed;
+
+struct smb2_negotiate_rsp {
+ struct smb2_hdr hdr;
+ __le16 StructureSize; /* Must be 65 */
+ __le16 SecurityMode;
+ __le16 DialectRevision;
+ __le16 NegotiateContextCount; /* Prior to SMB3.1.1 was Reserved & MBZ */
+ __u8 ServerGUID[16];
+ __le32 Capabilities;
+ __le32 MaxTransactSize;
+ __le32 MaxReadSize;
+ __le32 MaxWriteSize;
+ __le64 SystemTime; /* MBZ */
+ __le64 ServerStartTime;
+ __le16 SecurityBufferOffset;
+ __le16 SecurityBufferLength;
+ __le32 NegotiateContextOffset; /* Pre:SMB3.1.1 was reserved/ignored */
+ __u8 Buffer[1]; /* variable length GSS security buffer */
+} __packed;
+
+/* Flags */
+#define SMB2_SESSION_REQ_FLAG_BINDING 0x01
+#define SMB2_SESSION_REQ_FLAG_ENCRYPT_DATA 0x04
+
+#define SMB2_SESSION_EXPIRED (0)
+#define SMB2_SESSION_IN_PROGRESS (1 << 0)
+#define SMB2_SESSION_VALID (1 << 1)
+
+/* Flags */
+#define SMB2_SESSION_REQ_FLAG_BINDING 0x01
+#define SMB2_SESSION_REQ_FLAG_ENCRYPT_DATA 0x04
+
+struct smb2_sess_setup_req {
+ struct smb2_hdr hdr;
+ __le16 StructureSize; /* Must be 25 */
+ __u8 Flags;
+ __u8 SecurityMode;
+ __le32 Capabilities;
+ __le32 Channel;
+ __le16 SecurityBufferOffset;
+ __le16 SecurityBufferLength;
+ __le64 PreviousSessionId;
+ __u8 Buffer[1]; /* variable length GSS security buffer */
+} __packed;
+
+/* Flags/Reserved for SMB3.1.1 */
+#define SMB2_SHAREFLAG_CLUSTER_RECONNECT 0x0001
+
+/* Currently defined SessionFlags */
+#define SMB2_SESSION_FLAG_IS_GUEST_LE cpu_to_le16(0x0001)
+#define SMB2_SESSION_FLAG_IS_NULL_LE cpu_to_le16(0x0002)
+#define SMB2_SESSION_FLAG_ENCRYPT_DATA_LE cpu_to_le16(0x0004)
+struct smb2_sess_setup_rsp {
+ struct smb2_hdr hdr;
+ __le16 StructureSize; /* Must be 9 */
+ __le16 SessionFlags;
+ __le16 SecurityBufferOffset;
+ __le16 SecurityBufferLength;
+ __u8 Buffer[1]; /* variable length GSS security buffer */
+} __packed;
+
+struct smb2_logoff_req {
+ struct smb2_hdr hdr;
+ __le16 StructureSize; /* Must be 4 */
+ __le16 Reserved;
+} __packed;
+
+struct smb2_logoff_rsp {
+ struct smb2_hdr hdr;
+ __le16 StructureSize; /* Must be 4 */
+ __le16 Reserved;
+} __packed;
+
+struct smb2_tree_connect_req {
+ struct smb2_hdr hdr;
+ __le16 StructureSize; /* Must be 9 */
+ __le16 Reserved; /* Flags in SMB3.1.1 */
+ __le16 PathOffset;
+ __le16 PathLength;
+ __u8 Buffer[1]; /* variable length */
+} __packed;
+
+struct smb2_tree_connect_rsp {
+ struct smb2_hdr hdr;
+ __le16 StructureSize; /* Must be 16 */
+ __u8 ShareType; /* see below */
+ __u8 Reserved;
+ __le32 ShareFlags; /* see below */
+ __le32 Capabilities; /* see below */
+ __le32 MaximalAccess;
+} __packed;
+
+/* Possible ShareType values */
+#define SMB2_SHARE_TYPE_DISK 0x01
+#define SMB2_SHARE_TYPE_PIPE 0x02
+#define SMB2_SHARE_TYPE_PRINT 0x03
+
+/*
+ * Possible ShareFlags - exactly one and only one of the first 4 caching flags
+ * must be set (any of the remaining, SHI1005, flags may be set individually
+ * or in combination.
+ */
+#define SMB2_SHAREFLAG_MANUAL_CACHING 0x00000000
+#define SMB2_SHAREFLAG_AUTO_CACHING 0x00000010
+#define SMB2_SHAREFLAG_VDO_CACHING 0x00000020
+#define SMB2_SHAREFLAG_NO_CACHING 0x00000030
+#define SHI1005_FLAGS_DFS 0x00000001
+#define SHI1005_FLAGS_DFS_ROOT 0x00000002
+#define SHI1005_FLAGS_RESTRICT_EXCLUSIVE_OPENS 0x00000100
+#define SHI1005_FLAGS_FORCE_SHARED_DELETE 0x00000200
+#define SHI1005_FLAGS_ALLOW_NAMESPACE_CACHING 0x00000400
+#define SHI1005_FLAGS_ACCESS_BASED_DIRECTORY_ENUM 0x00000800
+#define SHI1005_FLAGS_FORCE_LEVELII_OPLOCK 0x00001000
+#define SHI1005_FLAGS_ENABLE_HASH 0x00002000
+
+/* Possible share capabilities */
+#define SMB2_SHARE_CAP_DFS cpu_to_le32(0x00000008)
+
+struct smb2_tree_disconnect_req {
+ struct smb2_hdr hdr;
+ __le16 StructureSize; /* Must be 4 */
+ __le16 Reserved;
+} __packed;
+
+struct smb2_tree_disconnect_rsp {
+ struct smb2_hdr hdr;
+ __le16 StructureSize; /* Must be 4 */
+ __le16 Reserved;
+} __packed;
+
+#define ATTR_READONLY_LE cpu_to_le32(ATTR_READONLY)
+#define ATTR_HIDDEN_LE cpu_to_le32(ATTR_HIDDEN)
+#define ATTR_SYSTEM_LE cpu_to_le32(ATTR_SYSTEM)
+#define ATTR_DIRECTORY_LE cpu_to_le32(ATTR_DIRECTORY)
+#define ATTR_ARCHIVE_LE cpu_to_le32(ATTR_ARCHIVE)
+#define ATTR_NORMAL_LE cpu_to_le32(ATTR_NORMAL)
+#define ATTR_TEMPORARY_LE cpu_to_le32(ATTR_TEMPORARY)
+#define ATTR_SPARSE_FILE_LE cpu_to_le32(ATTR_SPARSE)
+#define ATTR_REPARSE_POINT_LE cpu_to_le32(ATTR_REPARSE)
+#define ATTR_COMPRESSED_LE cpu_to_le32(ATTR_COMPRESSED)
+#define ATTR_OFFLINE_LE cpu_to_le32(ATTR_OFFLINE)
+#define ATTR_NOT_CONTENT_INDEXED_LE cpu_to_le32(ATTR_NOT_CONTENT_INDEXED)
+#define ATTR_ENCRYPTED_LE cpu_to_le32(ATTR_ENCRYPTED)
+#define ATTR_INTEGRITY_STREAML_LE cpu_to_le32(0x00008000)
+#define ATTR_NO_SCRUB_DATA_LE cpu_to_le32(0x00020000)
+#define ATTR_MASK_LE cpu_to_le32(0x00007FB7)
+
+/* Oplock levels */
+#define SMB2_OPLOCK_LEVEL_NONE 0x00
+#define SMB2_OPLOCK_LEVEL_II 0x01
+#define SMB2_OPLOCK_LEVEL_EXCLUSIVE 0x08
+#define SMB2_OPLOCK_LEVEL_BATCH 0x09
+#define SMB2_OPLOCK_LEVEL_LEASE 0xFF
+/* Non-spec internal type */
+#define SMB2_OPLOCK_LEVEL_NOCHANGE 0x99
+
+/* Desired Access Flags */
+#define FILE_READ_DATA_LE cpu_to_le32(0x00000001)
+#define FILE_LIST_DIRECTORY_LE cpu_to_le32(0x00000001)
+#define FILE_WRITE_DATA_LE cpu_to_le32(0x00000002)
+#define FILE_ADD_FILE_LE cpu_to_le32(0x00000002)
+#define FILE_APPEND_DATA_LE cpu_to_le32(0x00000004)
+#define FILE_ADD_SUBDIRECTORY_LE cpu_to_le32(0x00000004)
+#define FILE_READ_EA_LE cpu_to_le32(0x00000008)
+#define FILE_WRITE_EA_LE cpu_to_le32(0x00000010)
+#define FILE_EXECUTE_LE cpu_to_le32(0x00000020)
+#define FILE_TRAVERSE_LE cpu_to_le32(0x00000020)
+#define FILE_DELETE_CHILD_LE cpu_to_le32(0x00000040)
+#define FILE_READ_ATTRIBUTES_LE cpu_to_le32(0x00000080)
+#define FILE_WRITE_ATTRIBUTES_LE cpu_to_le32(0x00000100)
+#define FILE_DELETE_LE cpu_to_le32(0x00010000)
+#define FILE_READ_CONTROL_LE cpu_to_le32(0x00020000)
+#define FILE_WRITE_DAC_LE cpu_to_le32(0x00040000)
+#define FILE_WRITE_OWNER_LE cpu_to_le32(0x00080000)
+#define FILE_SYNCHRONIZE_LE cpu_to_le32(0x00100000)
+#define FILE_ACCESS_SYSTEM_SECURITY_LE cpu_to_le32(0x01000000)
+#define FILE_MAXIMAL_ACCESS_LE cpu_to_le32(0x02000000)
+#define FILE_GENERIC_ALL_LE cpu_to_le32(0x10000000)
+#define FILE_GENERIC_EXECUTE_LE cpu_to_le32(0x20000000)
+#define FILE_GENERIC_WRITE_LE cpu_to_le32(0x40000000)
+#define FILE_GENERIC_READ_LE cpu_to_le32(0x80000000)
+#define DESIRED_ACCESS_MASK cpu_to_le32(0xF21F01FF)
+
+/* ShareAccess Flags */
+#define FILE_SHARE_READ_LE cpu_to_le32(0x00000001)
+#define FILE_SHARE_WRITE_LE cpu_to_le32(0x00000002)
+#define FILE_SHARE_DELETE_LE cpu_to_le32(0x00000004)
+#define FILE_SHARE_ALL_LE cpu_to_le32(0x00000007)
+
+/* CreateDisposition Flags */
+#define FILE_SUPERSEDE_LE cpu_to_le32(0x00000000)
+#define FILE_OPEN_LE cpu_to_le32(0x00000001)
+#define FILE_CREATE_LE cpu_to_le32(0x00000002)
+#define FILE_OPEN_IF_LE cpu_to_le32(0x00000003)
+#define FILE_OVERWRITE_LE cpu_to_le32(0x00000004)
+#define FILE_OVERWRITE_IF_LE cpu_to_le32(0x00000005)
+#define FILE_CREATE_MASK_LE cpu_to_le32(0x00000007)
+
+#define FILE_READ_DESIRED_ACCESS_LE (FILE_READ_DATA_LE | \
+ FILE_READ_EA_LE | \
+ FILE_GENERIC_READ_LE)
+#define FILE_WRITE_DESIRE_ACCESS_LE (FILE_WRITE_DATA_LE | \
+ FILE_APPEND_DATA_LE | \
+ FILE_WRITE_EA_LE | \
+ FILE_WRITE_ATTRIBUTES_LE | \
+ FILE_GENERIC_WRITE_LE)
+
+/* Impersonation Levels */
+#define IL_ANONYMOUS_LE cpu_to_le32(0x00000000)
+#define IL_IDENTIFICATION_LE cpu_to_le32(0x00000001)
+#define IL_IMPERSONATION_LE cpu_to_le32(0x00000002)
+#define IL_DELEGATE_LE cpu_to_le32(0x00000003)
+
+/* Create Context Values */
+#define SMB2_CREATE_EA_BUFFER "ExtA" /* extended attributes */
+#define SMB2_CREATE_SD_BUFFER "SecD" /* security descriptor */
+#define SMB2_CREATE_DURABLE_HANDLE_REQUEST "DHnQ"
+#define SMB2_CREATE_DURABLE_HANDLE_RECONNECT "DHnC"
+#define SMB2_CREATE_ALLOCATION_SIZE "AlSi"
+#define SMB2_CREATE_QUERY_MAXIMAL_ACCESS_REQUEST "MxAc"
+#define SMB2_CREATE_TIMEWARP_REQUEST "TWrp"
+#define SMB2_CREATE_QUERY_ON_DISK_ID "QFid"
+#define SMB2_CREATE_REQUEST_LEASE "RqLs"
+#define SMB2_CREATE_DURABLE_HANDLE_REQUEST_V2 "DH2Q"
+#define SMB2_CREATE_DURABLE_HANDLE_RECONNECT_V2 "DH2C"
+#define SMB2_CREATE_APP_INSTANCE_ID "\x45\xBC\xA6\x6A\xEF\xA7\xF7\x4A\x90\x08\xFA\x46\x2E\x14\x4D\x74"
+ #define SMB2_CREATE_APP_INSTANCE_VERSION "\xB9\x82\xD0\xB7\x3B\x56\x07\x4F\xA0\x7B\x52\x4A\x81\x16\xA0\x10"
+#define SVHDX_OPEN_DEVICE_CONTEXT 0x83CE6F1AD851E0986E34401CC9BCFCE9
+#define SMB2_CREATE_TAG_POSIX "\x93\xAD\x25\x50\x9C\xB4\x11\xE7\xB4\x23\x83\xDE\x96\x8B\xCD\x7C"
+
+struct smb2_create_req {
+ struct smb2_hdr hdr;
+ __le16 StructureSize; /* Must be 57 */
+ __u8 SecurityFlags;
+ __u8 RequestedOplockLevel;
+ __le32 ImpersonationLevel;
+ __le64 SmbCreateFlags;
+ __le64 Reserved;
+ __le32 DesiredAccess;
+ __le32 FileAttributes;
+ __le32 ShareAccess;
+ __le32 CreateDisposition;
+ __le32 CreateOptions;
+ __le16 NameOffset;
+ __le16 NameLength;
+ __le32 CreateContextsOffset;
+ __le32 CreateContextsLength;
+ __u8 Buffer[0];
+} __packed;
+
+struct smb2_create_rsp {
+ struct smb2_hdr hdr;
+ __le16 StructureSize; /* Must be 89 */
+ __u8 OplockLevel;
+ __u8 Reserved;
+ __le32 CreateAction;
+ __le64 CreationTime;
+ __le64 LastAccessTime;
+ __le64 LastWriteTime;
+ __le64 ChangeTime;
+ __le64 AllocationSize;
+ __le64 EndofFile;
+ __le32 FileAttributes;
+ __le32 Reserved2;
+ __le64 PersistentFileId;
+ __le64 VolatileFileId;
+ __le32 CreateContextsOffset;
+ __le32 CreateContextsLength;
+ __u8 Buffer[1];
+} __packed;
+
+struct create_context {
+ __le32 Next;
+ __le16 NameOffset;
+ __le16 NameLength;
+ __le16 Reserved;
+ __le16 DataOffset;
+ __le32 DataLength;
+ __u8 Buffer[0];
+} __packed;
+
+struct create_durable_req_v2 {
+ struct create_context ccontext;
+ __u8 Name[8];
+ __le32 Timeout;
+ __le32 Flags;
+ __u8 Reserved[8];
+ __u8 CreateGuid[16];
+} __packed;
+
+struct create_durable_reconn_req {
+ struct create_context ccontext;
+ __u8 Name[8];
+ union {
+ __u8 Reserved[16];
+ struct {
+ __le64 PersistentFileId;
+ __le64 VolatileFileId;
+ } Fid;
+ } Data;
+} __packed;
+
+struct create_durable_reconn_v2_req {
+ struct create_context ccontext;
+ __u8 Name[8];
+ struct {
+ __le64 PersistentFileId;
+ __le64 VolatileFileId;
+ } Fid;
+ __u8 CreateGuid[16];
+ __le32 Flags;
+} __packed;
+
+struct create_app_inst_id {
+ struct create_context ccontext;
+ __u8 Name[8];
+ __u8 Reserved[8];
+ __u8 AppInstanceId[16];
+} __packed;
+
+struct create_app_inst_id_vers {
+ struct create_context ccontext;
+ __u8 Name[8];
+ __u8 Reserved[2];
+ __u8 Padding[4];
+ __le64 AppInstanceVersionHigh;
+ __le64 AppInstanceVersionLow;
+} __packed;
+
+struct create_mxac_req {
+ struct create_context ccontext;
+ __u8 Name[8];
+ __le64 Timestamp;
+} __packed;
+
+struct create_alloc_size_req {
+ struct create_context ccontext;
+ __u8 Name[8];
+ __le64 AllocationSize;
+} __packed;
+
+struct create_posix {
+ struct create_context ccontext;
+ __u8 Name[16];
+ __le32 Mode;
+ __u32 Reserved;
+} __packed;
+
+struct create_durable_rsp {
+ struct create_context ccontext;
+ __u8 Name[8];
+ union {
+ __u8 Reserved[8];
+ __u64 data;
+ } Data;
+} __packed;
+
+struct create_durable_v2_rsp {
+ struct create_context ccontext;
+ __u8 Name[8];
+ __le32 Timeout;
+ __le32 Flags;
+} __packed;
+
+struct create_mxac_rsp {
+ struct create_context ccontext;
+ __u8 Name[8];
+ __le32 QueryStatus;
+ __le32 MaximalAccess;
+} __packed;
+
+struct create_disk_id_rsp {
+ struct create_context ccontext;
+ __u8 Name[8];
+ __le64 DiskFileId;
+ __le64 VolumeId;
+ __u8 Reserved[16];
+} __packed;
+
+/* equivalent of the contents of SMB3.1.1 POSIX open context response */
+struct create_posix_rsp {
+ struct create_context ccontext;
+ __u8 Name[16];
+ __le32 nlink;
+ __le32 reparse_tag;
+ __le32 mode;
+ u8 SidBuffer[40];
+} __packed;
+
+#define SMB2_LEASE_NONE_LE cpu_to_le32(0x00)
+#define SMB2_LEASE_READ_CACHING_LE cpu_to_le32(0x01)
+#define SMB2_LEASE_HANDLE_CACHING_LE cpu_to_le32(0x02)
+#define SMB2_LEASE_WRITE_CACHING_LE cpu_to_le32(0x04)
+
+#define SMB2_LEASE_FLAG_BREAK_IN_PROGRESS_LE cpu_to_le32(0x02)
+
+struct lease_context {
+ __le64 LeaseKeyLow;
+ __le64 LeaseKeyHigh;
+ __le32 LeaseState;
+ __le32 LeaseFlags;
+ __le64 LeaseDuration;
+} __packed;
+
+struct create_lease {
+ struct create_context ccontext;
+ __u8 Name[8];
+ struct lease_context lcontext;
+} __packed;
+
+/* Currently defined values for close flags */
+#define SMB2_CLOSE_FLAG_POSTQUERY_ATTRIB cpu_to_le16(0x0001)
+struct smb2_close_req {
+ struct smb2_hdr hdr;
+ __le16 StructureSize; /* Must be 24 */
+ __le16 Flags;
+ __le32 Reserved;
+ __le64 PersistentFileId;
+ __le64 VolatileFileId;
+} __packed;
+
+struct smb2_close_rsp {
+ struct smb2_hdr hdr;
+ __le16 StructureSize; /* 60 */
+ __le16 Flags;
+ __le32 Reserved;
+ __le64 CreationTime;
+ __le64 LastAccessTime;
+ __le64 LastWriteTime;
+ __le64 ChangeTime;
+ __le64 AllocationSize; /* Beginning of FILE_STANDARD_INFO equivalent */
+ __le64 EndOfFile;
+ __le32 Attributes;
+} __packed;
+
+struct smb2_flush_req {
+ struct smb2_hdr hdr;
+ __le16 StructureSize; /* Must be 24 */
+ __le16 Reserved1;
+ __le32 Reserved2;
+ __le64 PersistentFileId;
+ __le64 VolatileFileId;
+} __packed;
+
+struct smb2_flush_rsp {
+ struct smb2_hdr hdr;
+ __le16 StructureSize;
+ __le16 Reserved;
+} __packed;
+
+struct smb2_buffer_desc_v1 {
+ __le64 offset;
+ __le32 token;
+ __le32 length;
+} __packed;
+
+#define SMB2_CHANNEL_NONE cpu_to_le32(0x00000000)
+#define SMB2_CHANNEL_RDMA_V1 cpu_to_le32(0x00000001)
+#define SMB2_CHANNEL_RDMA_V1_INVALIDATE cpu_to_le32(0x00000002)
+
+struct smb2_read_req {
+ struct smb2_hdr hdr;
+ __le16 StructureSize; /* Must be 49 */
+ __u8 Padding; /* offset from start of SMB2 header to place read */
+ __u8 Reserved;
+ __le32 Length;
+ __le64 Offset;
+ __le64 PersistentFileId;
+ __le64 VolatileFileId;
+ __le32 MinimumCount;
+ __le32 Channel; /* Reserved MBZ */
+ __le32 RemainingBytes;
+ __le16 ReadChannelInfoOffset; /* Reserved MBZ */
+ __le16 ReadChannelInfoLength; /* Reserved MBZ */
+ __u8 Buffer[1];
+} __packed;
+
+struct smb2_read_rsp {
+ struct smb2_hdr hdr;
+ __le16 StructureSize; /* Must be 17 */
+ __u8 DataOffset;
+ __u8 Reserved;
+ __le32 DataLength;
+ __le32 DataRemaining;
+ __u32 Reserved2;
+ __u8 Buffer[1];
+} __packed;
+
+/* For write request Flags field below the following flag is defined: */
+#define SMB2_WRITEFLAG_WRITE_THROUGH 0x00000001
+
+struct smb2_write_req {
+ struct smb2_hdr hdr;
+ __le16 StructureSize; /* Must be 49 */
+ __le16 DataOffset; /* offset from start of SMB2 header to write data */
+ __le32 Length;
+ __le64 Offset;
+ __le64 PersistentFileId;
+ __le64 VolatileFileId;
+ __le32 Channel; /* Reserved MBZ */
+ __le32 RemainingBytes;
+ __le16 WriteChannelInfoOffset; /* Reserved MBZ */
+ __le16 WriteChannelInfoLength; /* Reserved MBZ */
+ __le32 Flags;
+ __u8 Buffer[1];
+} __packed;
+
+struct smb2_write_rsp {
+ struct smb2_hdr hdr;
+ __le16 StructureSize; /* Must be 17 */
+ __u8 DataOffset;
+ __u8 Reserved;
+ __le32 DataLength;
+ __le32 DataRemaining;
+ __u32 Reserved2;
+ __u8 Buffer[1];
+} __packed;
+
+#define SMB2_0_IOCTL_IS_FSCTL 0x00000001
+
+struct smb2_ioctl_req {
+ struct smb2_hdr hdr;
+ __le16 StructureSize; /* Must be 57 */
+ __le16 Reserved; /* offset from start of SMB2 header to write data */
+ __le32 CntCode;
+ __le64 PersistentFileId;
+ __le64 VolatileFileId;
+ __le32 InputOffset; /* Reserved MBZ */
+ __le32 InputCount;
+ __le32 MaxInputResponse;
+ __le32 OutputOffset;
+ __le32 OutputCount;
+ __le32 MaxOutputResponse;
+ __le32 Flags;
+ __le32 Reserved2;
+ __u8 Buffer[1];
+} __packed;
+
+struct smb2_ioctl_rsp {
+ struct smb2_hdr hdr;
+ __le16 StructureSize; /* Must be 49 */
+ __le16 Reserved; /* offset from start of SMB2 header to write data */
+ __le32 CntCode;
+ __le64 PersistentFileId;
+ __le64 VolatileFileId;
+ __le32 InputOffset; /* Reserved MBZ */
+ __le32 InputCount;
+ __le32 OutputOffset;
+ __le32 OutputCount;
+ __le32 Flags;
+ __le32 Reserved2;
+ __u8 Buffer[1];
+} __packed;
+
+struct validate_negotiate_info_req {
+ __le32 Capabilities;
+ __u8 Guid[SMB2_CLIENT_GUID_SIZE];
+ __le16 SecurityMode;
+ __le16 DialectCount;
+ __le16 Dialects[1]; /* dialect (someday maybe list) client asked for */
+} __packed;
+
+struct validate_negotiate_info_rsp {
+ __le32 Capabilities;
+ __u8 Guid[SMB2_CLIENT_GUID_SIZE];
+ __le16 SecurityMode;
+ __le16 Dialect; /* Dialect in use for the connection */
+} __packed;
+
+struct smb_sockaddr_in {
+ __be16 Port;
+ __be32 IPv4address;
+ __u8 Reserved[8];
+} __packed;
+
+struct smb_sockaddr_in6 {
+ __be16 Port;
+ __be32 FlowInfo;
+ __u8 IPv6address[16];
+ __be32 ScopeId;
+} __packed;
+
+#define INTERNETWORK 0x0002
+#define INTERNETWORKV6 0x0017
+
+struct sockaddr_storage_rsp {
+ __le16 Family;
+ union {
+ struct smb_sockaddr_in addr4;
+ struct smb_sockaddr_in6 addr6;
+ };
+} __packed;
+
+#define RSS_CAPABLE 0x00000001
+#define RDMA_CAPABLE 0x00000002
+
+struct network_interface_info_ioctl_rsp {
+ __le32 Next; /* next interface. zero if this is last one */
+ __le32 IfIndex;
+ __le32 Capability; /* RSS or RDMA Capable */
+ __le32 Reserved;
+ __le64 LinkSpeed;
+ char SockAddr_Storage[128];
+} __packed;
+
+struct file_object_buf_type1_ioctl_rsp {
+ __u8 ObjectId[16];
+ __u8 BirthVolumeId[16];
+ __u8 BirthObjectId[16];
+ __u8 DomainId[16];
+} __packed;
+
+struct resume_key_ioctl_rsp {
+ __le64 ResumeKey[3];
+ __le32 ContextLength;
+ __u8 Context[4]; /* ignored, Windows sets to 4 bytes of zero */
+} __packed;
+
+struct copychunk_ioctl_req {
+ __le64 ResumeKey[3];
+ __le32 ChunkCount;
+ __le32 Reserved;
+ __u8 Chunks[1]; /* array of srv_copychunk */
+} __packed;
+
+struct srv_copychunk {
+ __le64 SourceOffset;
+ __le64 TargetOffset;
+ __le32 Length;
+ __le32 Reserved;
+} __packed;
+
+struct copychunk_ioctl_rsp {
+ __le32 ChunksWritten;
+ __le32 ChunkBytesWritten;
+ __le32 TotalBytesWritten;
+} __packed;
+
+struct file_sparse {
+ __u8 SetSparse;
+} __packed;
+
+struct file_zero_data_information {
+ __le64 FileOffset;
+ __le64 BeyondFinalZero;
+} __packed;
+
+struct file_allocated_range_buffer {
+ __le64 file_offset;
+ __le64 length;
+} __packed;
+
+struct reparse_data_buffer {
+ __le32 ReparseTag;
+ __le16 ReparseDataLength;
+ __u16 Reserved;
+ __u8 DataBuffer[]; /* Variable Length */
+} __packed;
+
+/* Completion Filter flags for Notify */
+#define FILE_NOTIFY_CHANGE_FILE_NAME 0x00000001
+#define FILE_NOTIFY_CHANGE_DIR_NAME 0x00000002
+#define FILE_NOTIFY_CHANGE_NAME 0x00000003
+#define FILE_NOTIFY_CHANGE_ATTRIBUTES 0x00000004
+#define FILE_NOTIFY_CHANGE_SIZE 0x00000008
+#define FILE_NOTIFY_CHANGE_LAST_WRITE 0x00000010
+#define FILE_NOTIFY_CHANGE_LAST_ACCESS 0x00000020
+#define FILE_NOTIFY_CHANGE_CREATION 0x00000040
+#define FILE_NOTIFY_CHANGE_EA 0x00000080
+#define FILE_NOTIFY_CHANGE_SECURITY 0x00000100
+#define FILE_NOTIFY_CHANGE_STREAM_NAME 0x00000200
+#define FILE_NOTIFY_CHANGE_STREAM_SIZE 0x00000400
+#define FILE_NOTIFY_CHANGE_STREAM_WRITE 0x00000800
+
+/* Flags */
+#define SMB2_WATCH_TREE 0x0001
+
+struct smb2_notify_req {
+ struct smb2_hdr hdr;
+ __le16 StructureSize; /* Must be 32 */
+ __le16 Flags;
+ __le32 OutputBufferLength;
+ __le64 PersistentFileId;
+ __le64 VolatileFileId;
+ __u32 CompletionFileter;
+ __u32 Reserved;
+} __packed;
+
+struct smb2_notify_rsp {
+ struct smb2_hdr hdr;
+ __le16 StructureSize; /* Must be 9 */
+ __le16 OutputBufferOffset;
+ __le32 OutputBufferLength;
+ __u8 Buffer[1];
+} __packed;
+
+/* SMB2 Notify Action Flags */
+#define FILE_ACTION_ADDED 0x00000001
+#define FILE_ACTION_REMOVED 0x00000002
+#define FILE_ACTION_MODIFIED 0x00000003
+#define FILE_ACTION_RENAMED_OLD_NAME 0x00000004
+#define FILE_ACTION_RENAMED_NEW_NAME 0x00000005
+#define FILE_ACTION_ADDED_STREAM 0x00000006
+#define FILE_ACTION_REMOVED_STREAM 0x00000007
+#define FILE_ACTION_MODIFIED_STREAM 0x00000008
+#define FILE_ACTION_REMOVED_BY_DELETE 0x00000009
+
+#define SMB2_LOCKFLAG_SHARED 0x0001
+#define SMB2_LOCKFLAG_EXCLUSIVE 0x0002
+#define SMB2_LOCKFLAG_UNLOCK 0x0004
+#define SMB2_LOCKFLAG_FAIL_IMMEDIATELY 0x0010
+#define SMB2_LOCKFLAG_MASK 0x0007
+
+struct smb2_lock_element {
+ __le64 Offset;
+ __le64 Length;
+ __le32 Flags;
+ __le32 Reserved;
+} __packed;
+
+struct smb2_lock_req {
+ struct smb2_hdr hdr;
+ __le16 StructureSize; /* Must be 48 */
+ __le16 LockCount;
+ __le32 Reserved;
+ __le64 PersistentFileId;
+ __le64 VolatileFileId;
+ /* Followed by at least one */
+ struct smb2_lock_element locks[1];
+} __packed;
+
+struct smb2_lock_rsp {
+ struct smb2_hdr hdr;
+ __le16 StructureSize; /* Must be 4 */
+ __le16 Reserved;
+} __packed;
+
+struct smb2_echo_req {
+ struct smb2_hdr hdr;
+ __le16 StructureSize; /* Must be 4 */
+ __u16 Reserved;
+} __packed;
+
+struct smb2_echo_rsp {
+ struct smb2_hdr hdr;
+ __le16 StructureSize; /* Must be 4 */
+ __u16 Reserved;
+} __packed;
+
+/* search (query_directory) Flags field */
+#define SMB2_RESTART_SCANS 0x01
+#define SMB2_RETURN_SINGLE_ENTRY 0x02
+#define SMB2_INDEX_SPECIFIED 0x04
+#define SMB2_REOPEN 0x10
+
+struct smb2_query_directory_req {
+ struct smb2_hdr hdr;
+ __le16 StructureSize; /* Must be 33 */
+ __u8 FileInformationClass;
+ __u8 Flags;
+ __le32 FileIndex;
+ __le64 PersistentFileId;
+ __le64 VolatileFileId;
+ __le16 FileNameOffset;
+ __le16 FileNameLength;
+ __le32 OutputBufferLength;
+ __u8 Buffer[1];
+} __packed;
+
+struct smb2_query_directory_rsp {
+ struct smb2_hdr hdr;
+ __le16 StructureSize; /* Must be 9 */
+ __le16 OutputBufferOffset;
+ __le32 OutputBufferLength;
+ __u8 Buffer[1];
+} __packed;
+
+/* Possible InfoType values */
+#define SMB2_O_INFO_FILE 0x01
+#define SMB2_O_INFO_FILESYSTEM 0x02
+#define SMB2_O_INFO_SECURITY 0x03
+#define SMB2_O_INFO_QUOTA 0x04
+
+/* Security info type additionalinfo flags. See MS-SMB2 (2.2.37) or MS-DTYP */
+#define OWNER_SECINFO 0x00000001
+#define GROUP_SECINFO 0x00000002
+#define DACL_SECINFO 0x00000004
+#define SACL_SECINFO 0x00000008
+#define LABEL_SECINFO 0x00000010
+#define ATTRIBUTE_SECINFO 0x00000020
+#define SCOPE_SECINFO 0x00000040
+#define BACKUP_SECINFO 0x00010000
+#define UNPROTECTED_SACL_SECINFO 0x10000000
+#define UNPROTECTED_DACL_SECINFO 0x20000000
+#define PROTECTED_SACL_SECINFO 0x40000000
+#define PROTECTED_DACL_SECINFO 0x80000000
+
+struct smb2_query_info_req {
+ struct smb2_hdr hdr;
+ __le16 StructureSize; /* Must be 41 */
+ __u8 InfoType;
+ __u8 FileInfoClass;
+ __le32 OutputBufferLength;
+ __le16 InputBufferOffset;
+ __u16 Reserved;
+ __le32 InputBufferLength;
+ __le32 AdditionalInformation;
+ __le32 Flags;
+ __le64 PersistentFileId;
+ __le64 VolatileFileId;
+ __u8 Buffer[1];
+} __packed;
+
+struct smb2_query_info_rsp {
+ struct smb2_hdr hdr;
+ __le16 StructureSize; /* Must be 9 */
+ __le16 OutputBufferOffset;
+ __le32 OutputBufferLength;
+ __u8 Buffer[1];
+} __packed;
+
+struct smb2_set_info_req {
+ struct smb2_hdr hdr;
+ __le16 StructureSize; /* Must be 33 */
+ __u8 InfoType;
+ __u8 FileInfoClass;
+ __le32 BufferLength;
+ __le16 BufferOffset;
+ __u16 Reserved;
+ __le32 AdditionalInformation;
+ __le64 PersistentFileId;
+ __le64 VolatileFileId;
+ __u8 Buffer[1];
+} __packed;
+
+struct smb2_set_info_rsp {
+ struct smb2_hdr hdr;
+ __le16 StructureSize; /* Must be 2 */
+} __packed;
+
+
+/* FILE Info response size */
+#define FILE_DIRECTORY_INFORMATION_SIZE 1
+#define FILE_FULL_DIRECTORY_INFORMATION_SIZE 2
+#define FILE_BOTH_DIRECTORY_INFORMATION_SIZE 3
+#define FILE_BASIC_INFORMATION_SIZE 40
+#define FILE_STANDARD_INFORMATION_SIZE 24
+#define FILE_INTERNAL_INFORMATION_SIZE 8
+#define FILE_EA_INFORMATION_SIZE 4
+#define FILE_ACCESS_INFORMATION_SIZE 4
+#define FILE_NAME_INFORMATION_SIZE 9
+#define FILE_RENAME_INFORMATION_SIZE 10
+#define FILE_LINK_INFORMATION_SIZE 11
+#define FILE_NAMES_INFORMATION_SIZE 12
+#define FILE_DISPOSITION_INFORMATION_SIZE 13
+#define FILE_POSITION_INFORMATION_SIZE 14
+#define FILE_FULL_EA_INFORMATION_SIZE 15
+#define FILE_MODE_INFORMATION_SIZE 4
+#define FILE_ALIGNMENT_INFORMATION_SIZE 4
+#define FILE_ALL_INFORMATION_SIZE 104
+#define FILE_ALLOCATION_INFORMATION_SIZE 19
+#define FILE_END_OF_FILE_INFORMATION_SIZE 20
+#define FILE_ALTERNATE_NAME_INFORMATION_SIZE 8
+#define FILE_STREAM_INFORMATION_SIZE 32
+#define FILE_PIPE_INFORMATION_SIZE 23
+#define FILE_PIPE_LOCAL_INFORMATION_SIZE 24
+#define FILE_PIPE_REMOTE_INFORMATION_SIZE 25
+#define FILE_MAILSLOT_QUERY_INFORMATION_SIZE 26
+#define FILE_MAILSLOT_SET_INFORMATION_SIZE 27
+#define FILE_COMPRESSION_INFORMATION_SIZE 16
+#define FILE_OBJECT_ID_INFORMATION_SIZE 29
+/* Number 30 not defined in documents */
+#define FILE_MOVE_CLUSTER_INFORMATION_SIZE 31
+#define FILE_QUOTA_INFORMATION_SIZE 32
+#define FILE_REPARSE_POINT_INFORMATION_SIZE 33
+#define FILE_NETWORK_OPEN_INFORMATION_SIZE 56
+#define FILE_ATTRIBUTE_TAG_INFORMATION_SIZE 8
+
+
+/* FS Info response size */
+#define FS_DEVICE_INFORMATION_SIZE 8
+#define FS_ATTRIBUTE_INFORMATION_SIZE 16
+#define FS_VOLUME_INFORMATION_SIZE 24
+#define FS_SIZE_INFORMATION_SIZE 24
+#define FS_FULL_SIZE_INFORMATION_SIZE 32
+#define FS_SECTOR_SIZE_INFORMATION_SIZE 28
+#define FS_OBJECT_ID_INFORMATION_SIZE 64
+#define FS_CONTROL_INFORMATION_SIZE 48
+#define FS_POSIX_INFORMATION_SIZE 56
+
+/* FS_ATTRIBUTE_File_System_Name */
+#define FS_TYPE_SUPPORT_SIZE 44
+struct fs_type_info {
+ char *fs_name;
+ long magic_number;
+} __packed;
+
+struct smb2_oplock_break {
+ struct smb2_hdr hdr;
+ __le16 StructureSize; /* Must be 24 */
+ __u8 OplockLevel;
+ __u8 Reserved;
+ __le32 Reserved2;
+ __le64 PersistentFid;
+ __le64 VolatileFid;
+} __packed;
+
+#define SMB2_NOTIFY_BREAK_LEASE_FLAG_ACK_REQUIRED cpu_to_le32(0x01)
+
+struct smb2_lease_break {
+ struct smb2_hdr hdr;
+ __le16 StructureSize; /* Must be 44 */
+ __le16 Reserved;
+ __le32 Flags;
+ __u8 LeaseKey[16];
+ __le32 CurrentLeaseState;
+ __le32 NewLeaseState;
+ __le32 BreakReason;
+ __le32 AccessMaskHint;
+ __le32 ShareMaskHint;
+} __packed;
+
+struct smb2_lease_ack {
+ struct smb2_hdr hdr;
+ __le16 StructureSize; /* Must be 36 */
+ __le16 Reserved;
+ __le32 Flags;
+ __u8 LeaseKey[16];
+ __le32 LeaseState;
+ __le64 LeaseDuration;
+} __packed;
+
+/*
+ * PDU infolevel structure definitions
+ * BB consider moving to a different header
+ */
+
+/* File System Information Classes */
+#define FS_VOLUME_INFORMATION 1 /* Query */
+#define FS_LABEL_INFORMATION 2 /* Set */
+#define FS_SIZE_INFORMATION 3 /* Query */
+#define FS_DEVICE_INFORMATION 4 /* Query */
+#define FS_ATTRIBUTE_INFORMATION 5 /* Query */
+#define FS_CONTROL_INFORMATION 6 /* Query, Set */
+#define FS_FULL_SIZE_INFORMATION 7 /* Query */
+#define FS_OBJECT_ID_INFORMATION 8 /* Query, Set */
+#define FS_DRIVER_PATH_INFORMATION 9 /* Query */
+#define FS_SECTOR_SIZE_INFORMATION 11 /* SMB3 or later. Query */
+#define FS_POSIX_INFORMATION 100 /* SMB3.1.1 POSIX. Query */
+
+struct smb2_fs_full_size_info {
+ __le64 TotalAllocationUnits;
+ __le64 CallerAvailableAllocationUnits;
+ __le64 ActualAvailableAllocationUnits;
+ __le32 SectorsPerAllocationUnit;
+ __le32 BytesPerSector;
+} __packed;
+
+#define SSINFO_FLAGS_ALIGNED_DEVICE 0x00000001
+#define SSINFO_FLAGS_PARTITION_ALIGNED_ON_DEVICE 0x00000002
+#define SSINFO_FLAGS_NO_SEEK_PENALTY 0x00000004
+#define SSINFO_FLAGS_TRIM_ENABLED 0x00000008
+
+/* sector size info struct */
+struct smb3_fs_ss_info {
+ __le32 LogicalBytesPerSector;
+ __le32 PhysicalBytesPerSectorForAtomicity;
+ __le32 PhysicalBytesPerSectorForPerf;
+ __le32 FSEffPhysicalBytesPerSectorForAtomicity;
+ __le32 Flags;
+ __le32 ByteOffsetForSectorAlignment;
+ __le32 ByteOffsetForPartitionAlignment;
+} __packed;
+
+/* File System Control Information */
+struct smb2_fs_control_info {
+ __le64 FreeSpaceStartFiltering;
+ __le64 FreeSpaceThreshold;
+ __le64 FreeSpaceStopFiltering;
+ __le64 DefaultQuotaThreshold;
+ __le64 DefaultQuotaLimit;
+ __le32 FileSystemControlFlags;
+ __le32 Padding;
+} __packed;
+
+/* partial list of QUERY INFO levels */
+#define FILE_DIRECTORY_INFORMATION 1
+#define FILE_FULL_DIRECTORY_INFORMATION 2
+#define FILE_BOTH_DIRECTORY_INFORMATION 3
+#define FILE_BASIC_INFORMATION 4
+#define FILE_STANDARD_INFORMATION 5
+#define FILE_INTERNAL_INFORMATION 6
+#define FILE_EA_INFORMATION 7
+#define FILE_ACCESS_INFORMATION 8
+#define FILE_NAME_INFORMATION 9
+#define FILE_RENAME_INFORMATION 10
+#define FILE_LINK_INFORMATION 11
+#define FILE_NAMES_INFORMATION 12
+#define FILE_DISPOSITION_INFORMATION 13
+#define FILE_POSITION_INFORMATION 14
+#define FILE_FULL_EA_INFORMATION 15
+#define FILE_MODE_INFORMATION 16
+#define FILE_ALIGNMENT_INFORMATION 17
+#define FILE_ALL_INFORMATION 18
+#define FILE_ALLOCATION_INFORMATION 19
+#define FILE_END_OF_FILE_INFORMATION 20
+#define FILE_ALTERNATE_NAME_INFORMATION 21
+#define FILE_STREAM_INFORMATION 22
+#define FILE_PIPE_INFORMATION 23
+#define FILE_PIPE_LOCAL_INFORMATION 24
+#define FILE_PIPE_REMOTE_INFORMATION 25
+#define FILE_MAILSLOT_QUERY_INFORMATION 26
+#define FILE_MAILSLOT_SET_INFORMATION 27
+#define FILE_COMPRESSION_INFORMATION 28
+#define FILE_OBJECT_ID_INFORMATION 29
+/* Number 30 not defined in documents */
+#define FILE_MOVE_CLUSTER_INFORMATION 31
+#define FILE_QUOTA_INFORMATION 32
+#define FILE_REPARSE_POINT_INFORMATION 33
+#define FILE_NETWORK_OPEN_INFORMATION 34
+#define FILE_ATTRIBUTE_TAG_INFORMATION 35
+#define FILE_TRACKING_INFORMATION 36
+#define FILEID_BOTH_DIRECTORY_INFORMATION 37
+#define FILEID_FULL_DIRECTORY_INFORMATION 38
+#define FILE_VALID_DATA_LENGTH_INFORMATION 39
+#define FILE_SHORT_NAME_INFORMATION 40
+#define FILE_SFIO_RESERVE_INFORMATION 44
+#define FILE_SFIO_VOLUME_INFORMATION 45
+#define FILE_HARD_LINK_INFORMATION 46
+#define FILE_NORMALIZED_NAME_INFORMATION 48
+#define FILEID_GLOBAL_TX_DIRECTORY_INFORMATION 50
+#define FILE_STANDARD_LINK_INFORMATION 54
+
+#define OP_BREAK_STRUCT_SIZE_20 24
+#define OP_BREAK_STRUCT_SIZE_21 36
+
+struct smb2_file_access_info {
+ __le32 AccessFlags;
+} __packed;
+
+struct smb2_file_alignment_info {
+ __le32 AlignmentRequirement;
+} __packed;
+
+struct smb2_file_internal_info {
+ __le64 IndexNumber;
+} __packed; /* level 6 Query */
+
+struct smb2_file_rename_info { /* encoding of request for level 10 */
+ __u8 ReplaceIfExists; /* 1 = replace existing target with new */
+ /* 0 = fail if target already exists */
+ __u8 Reserved[7];
+ __u64 RootDirectory; /* MBZ for network operations (why says spec?) */
+ __le32 FileNameLength;
+ char FileName[0]; /* New name to be assigned */
+} __packed; /* level 10 Set */
+
+struct smb2_file_link_info { /* encoding of request for level 11 */
+ __u8 ReplaceIfExists; /* 1 = replace existing link with new */
+ /* 0 = fail if link already exists */
+ __u8 Reserved[7];
+ __u64 RootDirectory; /* MBZ for network operations (why says spec?) */
+ __le32 FileNameLength;
+ char FileName[0]; /* Name to be assigned to new link */
+} __packed; /* level 11 Set */
+
+/*
+ * This level 18, although with struct with same name is different from cifs
+ * level 0x107. Level 0x107 has an extra u64 between AccessFlags and
+ * CurrentByteOffset.
+ */
+struct smb2_file_all_info { /* data block encoding of response to level 18 */
+ __le64 CreationTime; /* Beginning of FILE_BASIC_INFO equivalent */
+ __le64 LastAccessTime;
+ __le64 LastWriteTime;
+ __le64 ChangeTime;
+ __le32 Attributes;
+ __u32 Pad1; /* End of FILE_BASIC_INFO_INFO equivalent */
+ __le64 AllocationSize; /* Beginning of FILE_STANDARD_INFO equivalent */
+ __le64 EndOfFile; /* size ie offset to first free byte in file */
+ __le32 NumberOfLinks; /* hard links */
+ __u8 DeletePending;
+ __u8 Directory;
+ __u16 Pad2; /* End of FILE_STANDARD_INFO equivalent */
+ __le64 IndexNumber;
+ __le32 EASize;
+ __le32 AccessFlags;
+ __le64 CurrentByteOffset;
+ __le32 Mode;
+ __le32 AlignmentRequirement;
+ __le32 FileNameLength;
+ char FileName[1];
+} __packed; /* level 18 Query */
+
+struct smb2_file_alt_name_info {
+ __le32 FileNameLength;
+ char FileName[0];
+} __packed;
+
+struct smb2_file_stream_info {
+ __le32 NextEntryOffset;
+ __le32 StreamNameLength;
+ __le64 StreamSize;
+ __le64 StreamAllocationSize;
+ char StreamName[0];
+} __packed;
+
+struct smb2_file_eof_info { /* encoding of request for level 10 */
+ __le64 EndOfFile; /* new end of file value */
+} __packed; /* level 20 Set */
+
+struct smb2_file_ntwrk_info {
+ __le64 CreationTime;
+ __le64 LastAccessTime;
+ __le64 LastWriteTime;
+ __le64 ChangeTime;
+ __le64 AllocationSize;
+ __le64 EndOfFile;
+ __le32 Attributes;
+ __le32 Reserved;
+} __packed;
+
+struct smb2_file_standard_info {
+ __le64 AllocationSize;
+ __le64 EndOfFile;
+ __le32 NumberOfLinks; /* hard links */
+ __u8 DeletePending;
+ __u8 Directory;
+ __le16 Reserved;
+} __packed; /* level 18 Query */
+
+struct smb2_file_ea_info {
+ __le32 EASize;
+} __packed;
+
+struct smb2_file_alloc_info {
+ __le64 AllocationSize;
+} __packed;
+
+struct smb2_file_disposition_info {
+ __u8 DeletePending;
+} __packed;
+
+struct smb2_file_pos_info {
+ __le64 CurrentByteOffset;
+} __packed;
+
+#define FILE_MODE_INFO_MASK cpu_to_le32(0x0000103e)
+
+struct smb2_file_mode_info {
+ __le32 Mode;
+} __packed;
+
+#define COMPRESSION_FORMAT_NONE 0x0000
+#define COMPRESSION_FORMAT_LZNT1 0x0002
+
+struct smb2_file_comp_info {
+ __le64 CompressedFileSize;
+ __le16 CompressionFormat;
+ __u8 CompressionUnitShift;
+ __u8 ChunkShift;
+ __u8 ClusterShift;
+ __u8 Reserved[3];
+} __packed;
+
+struct smb2_file_attr_tag_info {
+ __le32 FileAttributes;
+ __le32 ReparseTag;
+} __packed;
+
+#define SL_RESTART_SCAN 0x00000001
+#define SL_RETURN_SINGLE_ENTRY 0x00000002
+#define SL_INDEX_SPECIFIED 0x00000004
+
+struct smb2_ea_info_req {
+ __le32 NextEntryOffset;
+ __u8 EaNameLength;
+ char name[1];
+} __packed; /* level 15 Query */
+
+struct smb2_ea_info {
+ __le32 NextEntryOffset;
+ __u8 Flags;
+ __u8 EaNameLength;
+ __le16 EaValueLength;
+ char name[1];
+ /* optionally followed by value */
+} __packed; /* level 15 Query */
+
+struct create_ea_buf_req {
+ struct create_context ccontext;
+ __u8 Name[8];
+ struct smb2_ea_info ea;
+} __packed;
+
+struct create_sd_buf_req {
+ struct create_context ccontext;
+ __u8 Name[8];
+ struct smb_ntsd ntsd;
+} __packed;
+
+/* Find File infolevels */
+#define SMB_FIND_FILE_POSIX_INFO 0x064
+
+/* Level 100 query info */
+struct smb311_posix_qinfo {
+ __le64 CreationTime;
+ __le64 LastAccessTime;
+ __le64 LastWriteTime;
+ __le64 ChangeTime;
+ __le64 EndOfFile;
+ __le64 AllocationSize;
+ __le32 DosAttributes;
+ __le64 Inode;
+ __le32 DeviceId;
+ __le32 Zero;
+ /* beginning of POSIX Create Context Response */
+ __le32 HardLinks;
+ __le32 ReparseTag;
+ __le32 Mode;
+ u8 Sids[];
+ /*
+ * var sized owner SID
+ * var sized group SID
+ * le32 filenamelength
+ * u8 filename[]
+ */
+} __packed;
+
+struct smb2_posix_info {
+ __le32 NextEntryOffset;
+ __u32 Ignored;
+ __le64 CreationTime;
+ __le64 LastAccessTime;
+ __le64 LastWriteTime;
+ __le64 ChangeTime;
+ __le64 EndOfFile;
+ __le64 AllocationSize;
+ __le32 DosAttributes;
+ __le64 Inode;
+ __le32 DeviceId;
+ __le32 Zero;
+ /* beginning of POSIX Create Context Response */
+ __le32 HardLinks;
+ __le32 ReparseTag;
+ __le32 Mode;
+ u8 SidBuffer[40];
+ __le32 name_len;
+ u8 name[1];
+ /*
+ * var sized owner SID
+ * var sized group SID
+ * le32 filenamelength
+ * u8 filename[]
+ */
+} __packed;
+
+/* functions */
+
+extern int init_smb2_0_server(struct ksmbd_conn *conn);
+extern void init_smb2_1_server(struct ksmbd_conn *conn);
+extern void init_smb3_0_server(struct ksmbd_conn *conn);
+extern void init_smb3_02_server(struct ksmbd_conn *conn);
+extern int init_smb3_11_server(struct ksmbd_conn *conn);
+
+extern void init_smb2_max_read_size(unsigned int sz);
+extern void init_smb2_max_write_size(unsigned int sz);
+extern void init_smb2_max_trans_size(unsigned int sz);
+
+extern int is_smb2_neg_cmd(struct ksmbd_work *work);
+extern int is_smb2_rsp(struct ksmbd_work *work);
+
+extern uint16_t get_smb2_cmd_val(struct ksmbd_work *work);
+extern void set_smb2_rsp_status(struct ksmbd_work *work, __le32 err);
+extern int init_smb2_rsp_hdr(struct ksmbd_work *work);
+extern int smb2_allocate_rsp_buf(struct ksmbd_work *work);
+extern bool is_chained_smb2_message(struct ksmbd_work *work);
+extern int init_smb2_neg_rsp(struct ksmbd_work *work);
+extern void smb2_set_err_rsp(struct ksmbd_work *work);
+extern int smb2_check_user_session(struct ksmbd_work *work);
+extern int smb2_get_ksmbd_tcon(struct ksmbd_work *work);
+extern bool smb2_is_sign_req(struct ksmbd_work *work, unsigned int command);
+extern int smb2_check_sign_req(struct ksmbd_work *work);
+extern void smb2_set_sign_rsp(struct ksmbd_work *work);
+extern int smb3_check_sign_req(struct ksmbd_work *work);
+extern void smb3_set_sign_rsp(struct ksmbd_work *work);
+extern int find_matching_smb2_dialect(int start_index, __le16 *cli_dialects,
+ __le16 dialects_count);
+extern struct file_lock *smb_flock_init(struct file *f);
+extern int setup_async_work(struct ksmbd_work *work, void (*fn)(void **),
+ void **arg);
+extern void smb2_send_interim_resp(struct ksmbd_work *work, __le32 status);
+extern struct channel *lookup_chann_list(struct ksmbd_session *sess);
+extern void smb3_preauth_hash_rsp(struct ksmbd_work *work);
+extern int smb3_is_transform_hdr(void *buf);
+extern int smb3_decrypt_req(struct ksmbd_work *work);
+extern int smb3_encrypt_resp(struct ksmbd_work *work);
+extern bool smb3_11_final_sess_setup_resp(struct ksmbd_work *work);
+extern int smb2_set_rsp_credits(struct ksmbd_work *work);
+
+/* smb2 misc functions */
+extern int ksmbd_smb2_check_message(struct ksmbd_work *work);
+
+/* smb2 command handlers */
+extern int smb2_handle_negotiate(struct ksmbd_work *work);
+extern int smb2_negotiate_request(struct ksmbd_work *work);
+extern int smb2_sess_setup(struct ksmbd_work *work);
+extern int smb2_tree_connect(struct ksmbd_work *work);
+extern int smb2_tree_disconnect(struct ksmbd_work *work);
+extern int smb2_session_logoff(struct ksmbd_work *work);
+extern int smb2_open(struct ksmbd_work *work);
+extern int smb2_query_info(struct ksmbd_work *work);
+extern int smb2_query_dir(struct ksmbd_work *work);
+extern int smb2_close(struct ksmbd_work *work);
+extern int smb2_echo(struct ksmbd_work *work);
+extern int smb2_set_info(struct ksmbd_work *work);
+extern int smb2_read(struct ksmbd_work *work);
+extern int smb2_write(struct ksmbd_work *work);
+extern int smb2_flush(struct ksmbd_work *work);
+extern int smb2_cancel(struct ksmbd_work *work);
+extern int smb2_lock(struct ksmbd_work *work);
+extern int smb2_ioctl(struct ksmbd_work *work);
+extern int smb2_oplock_break(struct ksmbd_work *work);
+extern int smb2_notify(struct ksmbd_work *ksmbd_work);
+
+#endif /* _SMB2PDU_H */
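Review bot: most entries in the "FILE Info response size" table hold the information class number rather than a byte size. FILE_DIRECTORY_INFORMATION_SIZE is 1, FILE_NAME_INFORMATION_SIZE is 9, FILE_ALLOCATION_INFORMATION_SIZE is 19 and FILE_END_OF_FILE_INFORMATION_SIZE is 20, the same values as the FILE_*_INFORMATION class defines further down, while a few entries (FILE_BASIC_INFORMATION_SIZE 40, FILE_ALL_INFORMATION_SIZE 104) look like real sizes. Any handler that uses one of these as a minimum buffer length would under-check or over-check client-supplied data, so please either fill in the real structure sizes, ideally as sizeof() of the matching struct, or drop the entries that are not used.

In the same hunk, the variable-length tails are declared three different ways: Buffer[1], FileName[0] and DataBuffer[]. With Buffer[1], sizeof() counts one payload byte, so every length check against a client-supplied offset or length has to remember that adjustment. Flexible array members throughout, as reparse_data_buffer already uses, would remove that off-by-one hazard.

Smaller points: "__u32 CompletionFileter;" in smb2_notify_req is misspelled and is a wire field without an endian annotation, unlike its neighbours. The comments on Reserved and InputOffset in smb2_ioctl_req and smb2_ioctl_rsp look copied from the write request and do not describe those fields. smb2_file_eof_info is commented as level 10 at the top and level 20 at the bottom, and smb2_file_standard_info is tagged "level 18 Query". Lastly, struct fs_type_info holds a pointer and a long, so it is not a wire structure and does not need __packed.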
diff --git a/fs/cifsd/smb_common.c b/fs/cifsd/smb_common.c
new file mode 100644
index 000000000000..f7560b68b820
--- /dev/null
+++ b/fs/cifsd/smb_common.c
@@ -0,0 +1,668 @@
+// SPDX-License-Identifier: GPL-2.0-or-later
+/*
+ * Copyright (C) 2018 Samsung Electronics Co., Ltd.
+ * Copyright (C) 2018 Namjae Jeon <linkinjeon(a)kernel.org>
+ */
+
+#include "smb_common.h"
+#include "server.h"
+#include "misc.h"
+#include "smbstatus.h"
+/* @FIXME */
+#include "connection.h"
+#include "ksmbd_work.h"
+#include "mgmt/user_session.h"
+#include "mgmt/user_config.h"
+#include "mgmt/tree_connect.h"
+#include "mgmt/share_config.h"
+
+/*for shortname implementation */
+static const char basechars[43] = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ_-!@#$%";
+#define MANGLE_BASE (sizeof(basechars)/sizeof(char)-1)
+#define MAGIC_CHAR '~'
+#define PERIOD '.'
+#define mangle(V) ((char)(basechars[(V) % MANGLE_BASE]))
+#define KSMBD_MIN_SUPPORTED_HEADER_SIZE (sizeof(struct smb2_hdr))
+
+LIST_HEAD(global_lock_list);
+
+struct smb_protocol {
+ int index;
+ char *name;
+ char *prot;
+ __u16 prot_id;
+};
+
+static struct smb_protocol smb_protos[] = {
+ {
+ SMB21_PROT,
+ "\2SMB 2.1",
+ "SMB2_10",
+ SMB21_PROT_ID
+ },
+ {
+ SMB2X_PROT,
+ "\2SMB 2.???",
+ "SMB2_22",
+ SMB2X_PROT_ID
+ },
+ {
+ SMB30_PROT,
+ "\2SMB 3.0",
+ "SMB3_00",
+ SMB30_PROT_ID
+ },
+ {
+ SMB302_PROT,
+ "\2SMB 3.02",
+ "SMB3_02",
+ SMB302_PROT_ID
+ },
+ {
+ SMB311_PROT,
+ "\2SMB 3.1.1",
+ "SMB3_11",
+ SMB311_PROT_ID
+ },
+};
+
+unsigned int ksmbd_server_side_copy_max_chunk_count(void)
+{
+ return 256;
+}
+
+unsigned int ksmbd_server_side_copy_max_chunk_size(void)
+{
+ return (2U << 30) - 1;
+}
+
+unsigned int ksmbd_server_side_copy_max_total_size(void)
+{
+ return (2U << 30) - 1;
+}
+
+inline int ksmbd_min_protocol(void)
+{
+ return SMB2_PROT;
+}
+
+inline int ksmbd_max_protocol(void)
+{
+ return SMB311_PROT;
+}
+
+int ksmbd_lookup_protocol_idx(char *str)
+{
+ int offt = ARRAY_SIZE(smb_protos) - 1;
+ int len = strlen(str);
+
+ while (offt >= 0) {
+ if (!strncmp(str, smb_protos[offt].prot, len)) {
+ ksmbd_debug(SMB, "selected %s dialect idx = %d\n",
+ smb_protos[offt].prot, offt);
+ return smb_protos[offt].index;
+ }
+ offt--;
+ }
+ return -1;
+}
+
+/**
+ * check_message() - check for valid smb2 request header
+ * @buf: smb2 header to be checked
+ *
+ * check for valid smb signature and packet direction(request/response)
+ *
+ * Return: 0 on success, otherwise 1
+ */
+int ksmbd_verify_smb_message(struct ksmbd_work *work)
+{
+ struct smb2_hdr *smb2_hdr = REQUEST_BUF(work);
+
+ if (smb2_hdr->ProtocolId == SMB2_PROTO_NUMBER)
+ return ksmbd_smb2_check_message(work);
+
+ return 0;
+}
+
+/**
+ * is_smb_request() - check for valid smb request type
+ * @conn: connection instance
+ * @type: smb request type
+ *
+ * Return: true on success, otherwise false
+ */
+bool ksmbd_smb_request(struct ksmbd_conn *conn)
+{
+ int type = *(char *)conn->request_buf;
+
+ switch (type) {
+ case RFC1002_SESSION_MESSAGE:
+ /* Regular SMB request */
+ return true;
+ case RFC1002_SESSION_KEEP_ALIVE:
+ ksmbd_debug(SMB, "RFC 1002 session keep alive\n");
+ break;
+ default:
+ ksmbd_debug(SMB, "RFC 1002 unknown request type 0x%x\n", type);
+ }
+
+ return false;
+}
+
+static bool supported_protocol(int idx)
+{
+ if (idx == SMB2X_PROT &&
+ (server_conf.min_protocol >= SMB21_PROT ||
+ server_conf.max_protocol <= SMB311_PROT))
+ return true;
+
+ return (server_conf.min_protocol <= idx &&
+ idx <= server_conf.max_protocol);
+}
+
+static char *next_dialect(char *dialect, int *next_off)
+{
+ dialect = dialect + *next_off;
+ *next_off = strlen(dialect);
+ return dialect;
+}
+
+static int ksmbd_lookup_dialect_by_name(char *cli_dialects, __le16 byte_count)
+{
+ int i, seq_num, bcount, next;
+ char *dialect;
+
+ for (i = ARRAY_SIZE(smb_protos) - 1; i >= 0; i--) {
+ seq_num = 0;
+ next = 0;
+ dialect = cli_dialects;
+ bcount = le16_to_cpu(byte_count);
+ do {
+ dialect = next_dialect(dialect, &next);
+ ksmbd_debug(SMB, "client requested dialect %s\n",
+ dialect);
+ if (!strcmp(dialect, smb_protos[i].name)) {
+ if (supported_protocol(smb_protos[i].index)) {
+ ksmbd_debug(SMB,
+ "selected %s dialect\n",
+ smb_protos[i].name);
+ if (smb_protos[i].index == SMB1_PROT)
+ return seq_num;
+ return smb_protos[i].prot_id;
+ }
+ }
+ seq_num++;
+ bcount -= (++next);
+ } while (bcount > 0);
+ }
+
+ return BAD_PROT_ID;
+}
+
+int ksmbd_lookup_dialect_by_id(__le16 *cli_dialects, __le16 dialects_count)
+{
+ int i;
+ int count;
+
+ for (i = ARRAY_SIZE(smb_protos) - 1; i >= 0; i--) {
+ count = le16_to_cpu(dialects_count);
+ while (--count >= 0) {
+ ksmbd_debug(SMB, "client requested dialect 0x%x\n",
+ le16_to_cpu(cli_dialects[count]));
+ if (le16_to_cpu(cli_dialects[count]) !=
+ smb_protos[i].prot_id)
+ continue;
+
+ if (supported_protocol(smb_protos[i].index)) {
+ ksmbd_debug(SMB, "selected %s dialect\n",
+ smb_protos[i].name);
+ return smb_protos[i].prot_id;
+ }
+ }
+ }
+
+ return BAD_PROT_ID;
+}
+
+int ksmbd_negotiate_smb_dialect(void *buf)
+{
+ __le32 proto;
+
+ proto = ((struct smb2_hdr *)buf)->ProtocolId;
+ if (proto == SMB2_PROTO_NUMBER) {
+ struct smb2_negotiate_req *req;
+
+ req = (struct smb2_negotiate_req *)buf;
+ return ksmbd_lookup_dialect_by_id(req->Dialects,
+ req->DialectCount);
+ }
+
+ proto = *(__le32 *)((struct smb_hdr *)buf)->Protocol;
+ if (proto == SMB1_PROTO_NUMBER) {
+ struct smb_negotiate_req *req;
+
+ req = (struct smb_negotiate_req *)buf;
+ return ksmbd_lookup_dialect_by_name(req->DialectsArray,
+ req->ByteCount);
+ }
+
+ return BAD_PROT_ID;
+}
+
+#define SMB_COM_NEGOTIATE 0x72
+int ksmbd_init_smb_server(struct ksmbd_work *work)
+{
+ struct ksmbd_conn *conn = work->conn;
+
+ if (conn->need_neg == false)
+ return 0;
+
+ init_smb3_11_server(conn);
+
+ if (conn->ops->get_cmd_val(work) != SMB_COM_NEGOTIATE)
+ conn->need_neg = false;
+ return 0;
+}
+
+bool ksmbd_pdu_size_has_room(unsigned int pdu)
+{
+ return (pdu >= KSMBD_MIN_SUPPORTED_HEADER_SIZE - 4);
+}
+
+int ksmbd_populate_dot_dotdot_entries(struct ksmbd_work *work,
+ int info_level,
+ struct ksmbd_file *dir,
+ struct ksmbd_dir_info *d_info,
+ char *search_pattern,
+ int (*fn)(struct ksmbd_conn *,
+ int,
+ struct ksmbd_dir_info *,
+ struct ksmbd_kstat *))
+{
+ int i, rc = 0;
+ struct ksmbd_conn *conn = work->conn;
+
+ for (i = 0; i < 2; i++) {
+ struct kstat kstat;
+ struct ksmbd_kstat ksmbd_kstat;
+
+ if (!dir->dot_dotdot[i]) { /* fill dot entry info */
+ if (i == 0) {
+ d_info->name = ".";
+ d_info->name_len = 1;
+ } else {
+ d_info->name = "..";
+ d_info->name_len = 2;
+ }
+
+ if (!match_pattern(d_info->name, search_pattern)) {
+ dir->dot_dotdot[i] = 1;
+ continue;
+ }
+
+ ksmbd_kstat.kstat = &kstat;
+ ksmbd_vfs_fill_dentry_attrs(work,
+ dir->filp->f_path.dentry->d_parent,
+ &ksmbd_kstat);
+ rc = fn(conn, info_level, d_info, &ksmbd_kstat);
+ if (rc)
+ break;
+ if (d_info->out_buf_len <= 0)
+ break;
+
+ dir->dot_dotdot[i] = 1;
+ if (d_info->flags & SMB2_RETURN_SINGLE_ENTRY) {
+ d_info->out_buf_len = 0;
+ break;
+ }
+ }
+ }
+
+ return rc;
+}
+
+/**
+ * ksmbd_extract_shortname() - get shortname from long filename
+ * @conn: connection instance
+ * @longname: source long filename
+ * @shortname: destination short filename
+ *
+ * Return: shortname length or 0 when source long name is '.' or '..'
+ * TODO: Though this function comforms the restriction of 8.3 Filename spec,
+ * but the result is different with Windows 7's one. need to check.
+ */
+int ksmbd_extract_shortname(struct ksmbd_conn *conn,
+ const char *longname,
+ char *shortname)
+{
+ const char *p;
+ char base[9], extension[4];
+ char out[13] = {0};
+ int baselen = 0;
+ int extlen = 0, len = 0;
+ unsigned int csum = 0;
+ const unsigned char *ptr;
+ bool dot_present = true;
+
+ p = longname;
+ if ((*p == '.') || (!(strcmp(p, "..")))) {
+ /*no mangling required */
+ return 0;
+ }
+
+ p = strrchr(longname, '.');
+ if (p == longname) { /*name starts with a dot*/
+ strscpy(extension, "___", strlen("___"));
+ } else {
+ if (p != NULL) {
+ p++;
+ while (*p && extlen < 3) {
+ if (*p != '.')
+ extension[extlen++] = toupper(*p);
+ p++;
+ }
+ extension[extlen] = '\0';
+ } else
+ dot_present = false;
+ }
+
+ p = longname;
+ if (*p == '.') {
+ p++;
+ longname++;
+ }
+ while (*p && (baselen < 5)) {
+ if (*p != '.')
+ base[baselen++] = toupper(*p);
+ p++;
+ }
+
+ base[baselen] = MAGIC_CHAR;
+ memcpy(out, base, baselen+1);
+
+ ptr = longname;
+ len = strlen(longname);
+ for (; len > 0; len--, ptr++)
+ csum += *ptr;
+
+ csum = csum % (MANGLE_BASE * MANGLE_BASE);
+ out[baselen+1] = mangle(csum/MANGLE_BASE);
+ out[baselen+2] = mangle(csum);
+ out[baselen+3] = PERIOD;
+
+ if (dot_present)
+ memcpy(&out[baselen+4], extension, 4);
+ else
+ out[baselen+4] = '\0';
+ smbConvertToUTF16((__le16 *)shortname, out, PATH_MAX,
+ conn->local_nls, 0);
+ len = strlen(out) * 2;
+ return len;
+}
+
+static int __smb2_negotiate(struct ksmbd_conn *conn)
+{
+ return (conn->dialect >= SMB20_PROT_ID &&
+ conn->dialect <= SMB311_PROT_ID);
+}
+
+static int smb_handle_negotiate(struct ksmbd_work *work)
+{
+ struct smb_negotiate_rsp *neg_rsp = RESPONSE_BUF(work);
+
+ ksmbd_debug(SMB, "Unsupported SMB protocol\n");
+ neg_rsp->hdr.Status.CifsError = STATUS_INVALID_LOGON_TYPE;
+ return -EINVAL;
+}
+
+int ksmbd_smb_negotiate_common(struct ksmbd_work *work, unsigned int command)
+{
+ struct ksmbd_conn *conn = work->conn;
+ int ret;
+
+ conn->dialect = ksmbd_negotiate_smb_dialect(REQUEST_BUF(work));
+ ksmbd_debug(SMB, "conn->dialect 0x%x\n", conn->dialect);
+
+ if (command == SMB2_NEGOTIATE_HE) {
+ struct smb2_hdr *smb2_hdr = REQUEST_BUF(work);
+
+ if (smb2_hdr->ProtocolId != SMB2_PROTO_NUMBER) {
+ ksmbd_debug(SMB, "Downgrade to SMB1 negotiation\n");
+ command = SMB_COM_NEGOTIATE;
+ }
+ }
+
+ if (command == SMB2_NEGOTIATE_HE) {
+ ret = smb2_handle_negotiate(work);
+ init_smb2_neg_rsp(work);
+ return ret;
+ }
+
+ if (command == SMB_COM_NEGOTIATE) {
+ if (__smb2_negotiate(conn)) {
+ conn->need_neg = true;
+ init_smb3_11_server(conn);
+ init_smb2_neg_rsp(work);
+ ksmbd_debug(SMB, "Upgrade to SMB2 negotiation\n");
+ return 0;
+ }
+ return smb_handle_negotiate(work);
+ }
+
+ ksmbd_err("Unknown SMB negotiation command: %u\n", command);
+ return -EINVAL;
+}
+
+enum SHARED_MODE_ERRORS {
+ SHARE_DELETE_ERROR,
+ SHARE_READ_ERROR,
+ SHARE_WRITE_ERROR,
+ FILE_READ_ERROR,
+ FILE_WRITE_ERROR,
+ FILE_DELETE_ERROR,
+};
+
+static const char * const shared_mode_errors[] = {
+ "Current access mode does not permit SHARE_DELETE",
+ "Current access mode does not permit SHARE_READ",
+ "Current access mode does not permit SHARE_WRITE",
+ "Desired access mode does not permit FILE_READ",
+ "Desired access mode does not permit FILE_WRITE",
+ "Desired access mode does not permit FILE_DELETE",
+};
+
+static void smb_shared_mode_error(int error,
+ struct ksmbd_file *prev_fp,
+ struct ksmbd_file *curr_fp)
+{
+ ksmbd_debug(SMB, "%s\n", shared_mode_errors[error]);
+ ksmbd_debug(SMB, "Current mode: 0x%x Desired mode: 0x%x\n",
+ prev_fp->saccess, curr_fp->daccess);
+}
+
+int ksmbd_smb_check_shared_mode(struct file *filp, struct ksmbd_file *curr_fp)
+{
+ int rc = 0;
+ struct ksmbd_file *prev_fp;
+ struct list_head *cur;
+
+ /*
+ * Lookup fp in master fp list, and check desired access and
+ * shared mode between previous open and current open.
+ */
+ read_lock(&curr_fp->f_ci->m_lock);
+ list_for_each(cur, &curr_fp->f_ci->m_fp_list) {
+ prev_fp = list_entry(cur, struct ksmbd_file, node);
+ if (file_inode(filp) != FP_INODE(prev_fp))
+ continue;
+
+ if (filp == prev_fp->filp)
+ continue;
+
+ if (ksmbd_stream_fd(prev_fp) && ksmbd_stream_fd(curr_fp))
+ if (strcmp(prev_fp->stream.name, curr_fp->stream.name))
+ continue;
+
+ if (prev_fp->is_durable) {
+ prev_fp->is_durable = 0;
+ continue;
+ }
+
+ if (prev_fp->attrib_only != curr_fp->attrib_only)
+ continue;
+
+ if (!(prev_fp->saccess & FILE_SHARE_DELETE_LE) &&
+ curr_fp->daccess & FILE_DELETE_LE) {
+ smb_shared_mode_error(SHARE_DELETE_ERROR,
+ prev_fp,
+ curr_fp);
+ rc = -EPERM;
+ break;
+ }
+
+ /*
+ * Only check FILE_SHARE_DELETE if stream opened and
+ * normal file opened.
+ */
+ if (ksmbd_stream_fd(prev_fp) && !ksmbd_stream_fd(curr_fp))
+ continue;
+
+ if (!(prev_fp->saccess & FILE_SHARE_READ_LE) &&
+ curr_fp->daccess & (FILE_EXECUTE_LE |
+ FILE_READ_DATA_LE)) {
+ smb_shared_mode_error(SHARE_READ_ERROR,
+ prev_fp,
+ curr_fp);
+ rc = -EPERM;
+ break;
+ }
+
+ if (!(prev_fp->saccess & FILE_SHARE_WRITE_LE) &&
+ curr_fp->daccess & (FILE_WRITE_DATA_LE |
+ FILE_APPEND_DATA_LE)) {
+ smb_shared_mode_error(SHARE_WRITE_ERROR,
+ prev_fp,
+ curr_fp);
+ rc = -EPERM;
+ break;
+ }
+
+ if (prev_fp->daccess & (FILE_EXECUTE_LE |
+ FILE_READ_DATA_LE) &&
+ !(curr_fp->saccess & FILE_SHARE_READ_LE)) {
+ smb_shared_mode_error(FILE_READ_ERROR,
+ prev_fp,
+ curr_fp);
+ rc = -EPERM;
+ break;
+ }
+
+ if (prev_fp->daccess & (FILE_WRITE_DATA_LE |
+ FILE_APPEND_DATA_LE) &&
+ !(curr_fp->saccess & FILE_SHARE_WRITE_LE)) {
+ smb_shared_mode_error(FILE_WRITE_ERROR,
+ prev_fp,
+ curr_fp);
+ rc = -EPERM;
+ break;
+ }
+
+ if (prev_fp->daccess & FILE_DELETE_LE &&
+ !(curr_fp->saccess & FILE_SHARE_DELETE_LE)) {
+ smb_shared_mode_error(FILE_DELETE_ERROR,
+ prev_fp,
+ curr_fp);
+ rc = -EPERM;
+ break;
+ }
+ }
+ read_unlock(&curr_fp->f_ci->m_lock);
+
+ return rc;
+}
+
+bool is_asterisk(char *p)
+{
+ return p && p[0] == '*';
+}
+
+int ksmbd_override_fsids(struct ksmbd_work *work)
+{
+ struct ksmbd_session *sess = work->sess;
+ struct ksmbd_share_config *share = work->tcon->share_conf;
+ struct cred *cred;
+ struct group_info *gi;
+ unsigned int uid;
+ unsigned int gid;
+
+ uid = user_uid(sess->user);
+ gid = user_gid(sess->user);
+ if (share->force_uid != KSMBD_SHARE_INVALID_UID)
+ uid = share->force_uid;
+ if (share->force_gid != KSMBD_SHARE_INVALID_GID)
+ gid = share->force_gid;
+
+ cred = prepare_kernel_cred(NULL);
+ if (!cred)
+ return -ENOMEM;
+
+ cred->fsuid = make_kuid(current_user_ns(), uid);
+ cred->fsgid = make_kgid(current_user_ns(), gid);
+
+ gi = groups_alloc(0);
+ if (!gi) {
+ abort_creds(cred);
+ return -ENOMEM;
+ }
+ set_groups(cred, gi);
+ put_group_info(gi);
+
+ if (!uid_eq(cred->fsuid, GLOBAL_ROOT_UID))
+ cred->cap_effective = cap_drop_fs_set(cred->cap_effective);
+
+ WARN_ON(work->saved_cred != NULL);
+ work->saved_cred = override_creds(cred);
+ if (!work->saved_cred) {
+ abort_creds(cred);
+ return -EINVAL;
+ }
+ return 0;
+}
+
+void ksmbd_revert_fsids(struct ksmbd_work *work)
+{
+ const struct cred *cred;
+
+ WARN_ON(work->saved_cred == NULL);
+
+ cred = current_cred();
+ revert_creds(work->saved_cred);
+ put_cred(cred);
+ work->saved_cred = NULL;
+}
+
+__le32 smb_map_generic_desired_access(__le32 daccess)
+{
+ if (daccess & FILE_GENERIC_READ_LE) {
+ daccess |= cpu_to_le32(GENERIC_READ_FLAGS);
+ daccess &= ~FILE_GENERIC_READ_LE;
+ }
+
+ if (daccess & FILE_GENERIC_WRITE_LE) {
+ daccess |= cpu_to_le32(GENERIC_WRITE_FLAGS);
+ daccess &= ~FILE_GENERIC_WRITE_LE;
+ }
+
+ if (daccess & FILE_GENERIC_EXECUTE_LE) {
+ daccess |= cpu_to_le32(GENERIC_EXECUTE_FLAGS);
+ daccess &= ~FILE_GENERIC_EXECUTE_LE;
+ }
+
+ if (daccess & FILE_GENERIC_ALL_LE) {
+ daccess |= cpu_to_le32(GENERIC_ALL_FLAGS);
+ daccess &= ~FILE_GENERIC_ALL_LE;
+ }
+
+ return daccess;
+}
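Review bot: In ksmbd_extract_shortname(), `strscpy(extension, "___", strlen("___"))` passes 3 as the destination size, so only two underscores plus the terminator are copied and the truncation error is ignored; pass the size of the extension buffer instead. That branch is also unreachable as written, because the opening test `*p == '.'` returns 0 for every name that starts with a dot, which makes the `strcmp(p, "..")` redundant and means the later `if (*p == '.')` skip never runs. If only "." and ".." are meant to bypass mangling, compare against those two strings explicitly. Separately, ksmbd_smb_check_shared_mode() clears `prev_fp->is_durable` while holding m_lock only for read; either document why that write is safe or move it under the write lock.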
diff --git a/fs/cifsd/smb_common.h b/fs/cifsd/smb_common.h
new file mode 100644
index 000000000000..ec954e6bc4ae
--- /dev/null
+++ b/fs/cifsd/smb_common.h
@@ -0,0 +1,546 @@
+/* SPDX-License-Identifier: GPL-2.0-or-later */
+/*
+ * Copyright (C) 2018 Samsung Electronics Co., Ltd.
+ */
+
+#ifndef __SMB_COMMON_H__
+#define __SMB_COMMON_H__
+
+#include <linux/kernel.h>
+
+#include "glob.h"
+#include "nterr.h"
+#include "smb2pdu.h"
+
+/* ksmbd's Specific ERRNO */
+#define ESHARE 50000
+
+#define SMB1_PROT 0
+#define SMB2_PROT 1
+#define SMB21_PROT 2
+/* multi-protocol negotiate request */
+#define SMB2X_PROT 3
+#define SMB30_PROT 4
+#define SMB302_PROT 5
+#define SMB311_PROT 6
+#define BAD_PROT 0xFFFF
+
+#define SMB1_VERSION_STRING "1.0"
+#define SMB20_VERSION_STRING "2.0"
+#define SMB21_VERSION_STRING "2.1"
+#define SMB30_VERSION_STRING "3.0"
+#define SMB302_VERSION_STRING "3.02"
+#define SMB311_VERSION_STRING "3.1.1"
+
+/* Dialects */
+#define SMB10_PROT_ID 0x00
+#define SMB20_PROT_ID 0x0202
+#define SMB21_PROT_ID 0x0210
+/* multi-protocol negotiate request */
+#define SMB2X_PROT_ID 0x02FF
+#define SMB30_PROT_ID 0x0300
+#define SMB302_PROT_ID 0x0302
+#define SMB311_PROT_ID 0x0311
+#define BAD_PROT_ID 0xFFFF
+
+#define SMB_ECHO_INTERVAL (60*HZ)
+
+#define CIFS_DEFAULT_IOSIZE (64 * 1024)
+#define MAX_CIFS_SMALL_BUFFER_SIZE 448 /* big enough for most */
+
+extern struct list_head global_lock_list;
+
+#define IS_SMB2(x) ((x)->vals->protocol_id != SMB10_PROT_ID)
+
+#define HEADER_SIZE(conn) ((conn)->vals->header_size)
+#define HEADER_SIZE_NO_BUF_LEN(conn) ((conn)->vals->header_size - 4)
+#define MAX_HEADER_SIZE(conn) ((conn)->vals->max_header_size)
+
+/* RFC 1002 session packet types */
+#define RFC1002_SESSION_MESSAGE 0x00
+#define RFC1002_SESSION_REQUEST 0x81
+#define RFC1002_POSITIVE_SESSION_RESPONSE 0x82
+#define RFC1002_NEGATIVE_SESSION_RESPONSE 0x83
+#define RFC1002_RETARGET_SESSION_RESPONSE 0x84
+#define RFC1002_SESSION_KEEP_ALIVE 0x85
+
+/* Responses when opening a file. */
+#define F_SUPERSEDED 0
+#define F_OPENED 1
+#define F_CREATED 2
+#define F_OVERWRITTEN 3
+
+/*
+ * File Attribute flags
+ */
+#define ATTR_READONLY 0x0001
+#define ATTR_HIDDEN 0x0002
+#define ATTR_SYSTEM 0x0004
+#define ATTR_VOLUME 0x0008
+#define ATTR_DIRECTORY 0x0010
+#define ATTR_ARCHIVE 0x0020
+#define ATTR_DEVICE 0x0040
+#define ATTR_NORMAL 0x0080
+#define ATTR_TEMPORARY 0x0100
+#define ATTR_SPARSE 0x0200
+#define ATTR_REPARSE 0x0400
+#define ATTR_COMPRESSED 0x0800
+#define ATTR_OFFLINE 0x1000
+#define ATTR_NOT_CONTENT_INDEXED 0x2000
+#define ATTR_ENCRYPTED 0x4000
+#define ATTR_POSIX_SEMANTICS 0x01000000
+#define ATTR_BACKUP_SEMANTICS 0x02000000
+#define ATTR_DELETE_ON_CLOSE 0x04000000
+#define ATTR_SEQUENTIAL_SCAN 0x08000000
+#define ATTR_RANDOM_ACCESS 0x10000000
+#define ATTR_NO_BUFFERING 0x20000000
+#define ATTR_WRITE_THROUGH 0x80000000
+
+#define ATTR_READONLY_LE cpu_to_le32(ATTR_READONLY)
+#define ATTR_HIDDEN_LE cpu_to_le32(ATTR_HIDDEN)
+#define ATTR_SYSTEM_LE cpu_to_le32(ATTR_SYSTEM)
+#define ATTR_DIRECTORY_LE cpu_to_le32(ATTR_DIRECTORY)
+#define ATTR_ARCHIVE_LE cpu_to_le32(ATTR_ARCHIVE)
+#define ATTR_NORMAL_LE cpu_to_le32(ATTR_NORMAL)
+#define ATTR_TEMPORARY_LE cpu_to_le32(ATTR_TEMPORARY)
+#define ATTR_SPARSE_FILE_LE cpu_to_le32(ATTR_SPARSE)
+#define ATTR_REPARSE_POINT_LE cpu_to_le32(ATTR_REPARSE)
+#define ATTR_COMPRESSED_LE cpu_to_le32(ATTR_COMPRESSED)
+#define ATTR_OFFLINE_LE cpu_to_le32(ATTR_OFFLINE)
+#define ATTR_NOT_CONTENT_INDEXED_LE cpu_to_le32(ATTR_NOT_CONTENT_INDEXED)
+#define ATTR_ENCRYPTED_LE cpu_to_le32(ATTR_ENCRYPTED)
+#define ATTR_INTEGRITY_STREAML_LE cpu_to_le32(0x00008000)
+#define ATTR_NO_SCRUB_DATA_LE cpu_to_le32(0x00020000)
+#define ATTR_MASK_LE cpu_to_le32(0x00007FB7)
+
+/* List of FileSystemAttributes - see 2.5.1 of MS-FSCC */
+#define FILE_SUPPORTS_SPARSE_VDL 0x10000000 /* faster nonsparse extend */
+#define FILE_SUPPORTS_BLOCK_REFCOUNTING 0x08000000 /* allow ioctl dup extents */
+#define FILE_SUPPORT_INTEGRITY_STREAMS 0x04000000
+#define FILE_SUPPORTS_USN_JOURNAL 0x02000000
+#define FILE_SUPPORTS_OPEN_BY_FILE_ID 0x01000000
+#define FILE_SUPPORTS_EXTENDED_ATTRIBUTES 0x00800000
+#define FILE_SUPPORTS_HARD_LINKS 0x00400000
+#define FILE_SUPPORTS_TRANSACTIONS 0x00200000
+#define FILE_SEQUENTIAL_WRITE_ONCE 0x00100000
+#define FILE_READ_ONLY_VOLUME 0x00080000
+#define FILE_NAMED_STREAMS 0x00040000
+#define FILE_SUPPORTS_ENCRYPTION 0x00020000
+#define FILE_SUPPORTS_OBJECT_IDS 0x00010000
+#define FILE_VOLUME_IS_COMPRESSED 0x00008000
+#define FILE_SUPPORTS_REMOTE_STORAGE 0x00000100
+#define FILE_SUPPORTS_REPARSE_POINTS 0x00000080
+#define FILE_SUPPORTS_SPARSE_FILES 0x00000040
+#define FILE_VOLUME_QUOTAS 0x00000020
+#define FILE_FILE_COMPRESSION 0x00000010
+#define FILE_PERSISTENT_ACLS 0x00000008
+#define FILE_UNICODE_ON_DISK 0x00000004
+#define FILE_CASE_PRESERVED_NAMES 0x00000002
+#define FILE_CASE_SENSITIVE_SEARCH 0x00000001
+
+#define FILE_READ_DATA 0x00000001 /* Data can be read from the file */
+#define FILE_WRITE_DATA 0x00000002 /* Data can be written to the file */
+#define FILE_APPEND_DATA 0x00000004 /* Data can be appended to the file */
+#define FILE_READ_EA 0x00000008 /* Extended attributes associated */
+/* with the file can be read */
+#define FILE_WRITE_EA 0x00000010 /* Extended attributes associated */
+/* with the file can be written */
+#define FILE_EXECUTE 0x00000020 /*Data can be read into memory from */
+/* the file using system paging I/O */
+#define FILE_DELETE_CHILD 0x00000040
+#define FILE_READ_ATTRIBUTES 0x00000080 /* Attributes associated with the */
+/* file can be read */
+#define FILE_WRITE_ATTRIBUTES 0x00000100 /* Attributes associated with the */
+/* file can be written */
+#define DELETE 0x00010000 /* The file can be deleted */
+#define READ_CONTROL 0x00020000 /* The access control list and */
+/* ownership associated with the */
+/* file can be read */
+#define WRITE_DAC 0x00040000 /* The access control list and */
+/* ownership associated with the */
+/* file can be written. */
+#define WRITE_OWNER 0x00080000 /* Ownership information associated */
+/* with the file can be written */
+#define SYNCHRONIZE 0x00100000 /* The file handle can waited on to */
+/* synchronize with the completion */
+/* of an input/output request */
+#define GENERIC_ALL 0x10000000
+#define GENERIC_EXECUTE 0x20000000
+#define GENERIC_WRITE 0x40000000
+#define GENERIC_READ 0x80000000
+/* In summary - Relevant file */
+/* access flags from CIFS are */
+/* file_read_data, file_write_data */
+/* file_execute, file_read_attributes*/
+/* write_dac, and delete. */
+
+#define FILE_READ_RIGHTS (FILE_READ_DATA | FILE_READ_EA | FILE_READ_ATTRIBUTES)
+#define FILE_WRITE_RIGHTS (FILE_WRITE_DATA | FILE_APPEND_DATA \
+ | FILE_WRITE_EA | FILE_WRITE_ATTRIBUTES)
+#define FILE_EXEC_RIGHTS (FILE_EXECUTE)
+
+#define SET_FILE_READ_RIGHTS (FILE_READ_DATA | FILE_READ_EA \
+ | FILE_READ_ATTRIBUTES \
+ | DELETE | READ_CONTROL | WRITE_DAC \
+ | WRITE_OWNER | SYNCHRONIZE)
+#define SET_FILE_WRITE_RIGHTS (FILE_WRITE_DATA | FILE_APPEND_DATA \
+ | FILE_WRITE_EA \
+ | FILE_DELETE_CHILD \
+ | FILE_WRITE_ATTRIBUTES \
+ | DELETE | READ_CONTROL | WRITE_DAC \
+ | WRITE_OWNER | SYNCHRONIZE)
+#define SET_FILE_EXEC_RIGHTS (FILE_READ_EA | FILE_WRITE_EA | FILE_EXECUTE \
+ | FILE_READ_ATTRIBUTES \
+ | FILE_WRITE_ATTRIBUTES \
+ | DELETE | READ_CONTROL | WRITE_DAC \
+ | WRITE_OWNER | SYNCHRONIZE)
+
+#define SET_MINIMUM_RIGHTS (FILE_READ_EA | FILE_READ_ATTRIBUTES \
+ | READ_CONTROL | SYNCHRONIZE)
+
+/* generic flags for file open */
+#define GENERIC_READ_FLAGS (READ_CONTROL | FILE_READ_DATA | \
+ FILE_READ_ATTRIBUTES | \
+ FILE_READ_EA | SYNCHRONIZE)
+
+#define GENERIC_WRITE_FLAGS (READ_CONTROL | FILE_WRITE_DATA | \
+ FILE_WRITE_ATTRIBUTES | FILE_WRITE_EA | \
+ FILE_APPEND_DATA | SYNCHRONIZE)
+
+#define GENERIC_EXECUTE_FLAGS (READ_CONTROL | FILE_EXECUTE | \
+ FILE_READ_ATTRIBUTES | SYNCHRONIZE)
+
+#define GENERIC_ALL_FLAGS (DELETE | READ_CONTROL | WRITE_DAC | \
+ WRITE_OWNER | SYNCHRONIZE | FILE_READ_DATA | \
+ FILE_WRITE_DATA | FILE_APPEND_DATA | \
+ FILE_READ_EA | FILE_WRITE_EA | \
+ FILE_EXECUTE | FILE_DELETE_CHILD | \
+ FILE_READ_ATTRIBUTES | FILE_WRITE_ATTRIBUTES)
+
+#define SMB1_PROTO_NUMBER cpu_to_le32(0x424d53ff)
+
+#define SMB1_CLIENT_GUID_SIZE (16)
+struct smb_hdr {
+ __be32 smb_buf_length;
+ __u8 Protocol[4];
+ __u8 Command;
+ union {
+ struct {
+ __u8 ErrorClass;
+ __u8 Reserved;
+ __le16 Error;
+ } __packed DosError;
+ __le32 CifsError;
+ } __packed Status;
+ __u8 Flags;
+ __le16 Flags2; /* note: le */
+ __le16 PidHigh;
+ union {
+ struct {
+ __le32 SequenceNumber; /* le */
+ __u32 Reserved; /* zero */
+ } __packed Sequence;
+ __u8 SecuritySignature[8]; /* le */
+ } __packed Signature;
+ __u8 pad[2];
+ __le16 Tid;
+ __le16 Pid;
+ __le16 Uid;
+ __le16 Mid;
+ __u8 WordCount;
+} __packed;
+
+struct smb_negotiate_req {
+ struct smb_hdr hdr; /* wct = 0 */
+ __le16 ByteCount;
+ unsigned char DialectsArray[1];
+} __packed;
+
+struct smb_negotiate_rsp {
+ struct smb_hdr hdr; /* wct = 17 */
+ __le16 DialectIndex; /* 0xFFFF = no dialect acceptable */
+ __u8 SecurityMode;
+ __le16 MaxMpxCount;
+ __le16 MaxNumberVcs;
+ __le32 MaxBufferSize;
+ __le32 MaxRawSize;
+ __le32 SessionKey;
+ __le32 Capabilities; /* see below */
+ __le32 SystemTimeLow;
+ __le32 SystemTimeHigh;
+ __le16 ServerTimeZone;
+ __u8 EncryptionKeyLength;
+ __le16 ByteCount;
+ union {
+ unsigned char EncryptionKey[8]; /* cap extended security off */
+ /* followed by Domain name - if extended security is off */
+ /* followed by 16 bytes of server GUID */
+ /* then security blob if cap_extended_security negotiated */
+ struct {
+ unsigned char GUID[SMB1_CLIENT_GUID_SIZE];
+ unsigned char SecurityBlob[1];
+ } __packed extended_response;
+ } __packed u;
+} __packed;
+
+struct filesystem_attribute_info {
+ __le32 Attributes;
+ __le32 MaxPathNameComponentLength;
+ __le32 FileSystemNameLen;
+ __le16 FileSystemName[1]; /* do not have to save this - get subset? */
+} __packed;
+
+struct filesystem_device_info {
+ __le32 DeviceType;
+ __le32 DeviceCharacteristics;
+} __packed; /* device info level 0x104 */
+
+struct filesystem_vol_info {
+ __le64 VolumeCreationTime;
+ __le32 SerialNumber;
+ __le32 VolumeLabelSize;
+ __le16 Reserved;
+ __le16 VolumeLabel[1];
+} __packed;
+
+struct filesystem_info {
+ __le64 TotalAllocationUnits;
+ __le64 FreeAllocationUnits;
+ __le32 SectorsPerAllocationUnit;
+ __le32 BytesPerSector;
+} __packed; /* size info, level 0x103 */
+
+#define EXTENDED_INFO_MAGIC 0x43667364 /* Cfsd */
+#define STRING_LENGTH 28
+
+struct fs_extended_info {
+ __le32 magic;
+ __le32 version;
+ __le32 release;
+ __u64 rel_date;
+ char version_string[STRING_LENGTH];
+} __packed;
+
+struct object_id_info {
+ char objid[16];
+ struct fs_extended_info extended_info;
+} __packed;
+
+struct file_directory_info {
+ __le32 NextEntryOffset;
+ __u32 FileIndex;
+ __le64 CreationTime;
+ __le64 LastAccessTime;
+ __le64 LastWriteTime;
+ __le64 ChangeTime;
+ __le64 EndOfFile;
+ __le64 AllocationSize;
+ __le32 ExtFileAttributes;
+ __le32 FileNameLength;
+ char FileName[1];
+} __packed; /* level 0x101 FF resp data */
+
+struct file_names_info {
+ __le32 NextEntryOffset;
+ __u32 FileIndex;
+ __le32 FileNameLength;
+ char FileName[1];
+} __packed; /* level 0xc FF resp data */
+
+struct file_full_directory_info {
+ __le32 NextEntryOffset;
+ __u32 FileIndex;
+ __le64 CreationTime;
+ __le64 LastAccessTime;
+ __le64 LastWriteTime;
+ __le64 ChangeTime;
+ __le64 EndOfFile;
+ __le64 AllocationSize;
+ __le32 ExtFileAttributes;
+ __le32 FileNameLength;
+ __le32 EaSize;
+ char FileName[1];
+} __packed; /* level 0x102 FF resp */
+
+struct file_both_directory_info {
+ __le32 NextEntryOffset;
+ __u32 FileIndex;
+ __le64 CreationTime;
+ __le64 LastAccessTime;
+ __le64 LastWriteTime;
+ __le64 ChangeTime;
+ __le64 EndOfFile;
+ __le64 AllocationSize;
+ __le32 ExtFileAttributes;
+ __le32 FileNameLength;
+ __le32 EaSize; /* length of the xattrs */
+ __u8 ShortNameLength;
+ __u8 Reserved;
+ __u8 ShortName[24];
+ char FileName[1];
+} __packed; /* level 0x104 FFrsp data */
+
+struct file_id_both_directory_info {
+ __le32 NextEntryOffset;
+ __u32 FileIndex;
+ __le64 CreationTime;
+ __le64 LastAccessTime;
+ __le64 LastWriteTime;
+ __le64 ChangeTime;
+ __le64 EndOfFile;
+ __le64 AllocationSize;
+ __le32 ExtFileAttributes;
+ __le32 FileNameLength;
+ __le32 EaSize; /* length of the xattrs */
+ __u8 ShortNameLength;
+ __u8 Reserved;
+ __u8 ShortName[24];
+ __le16 Reserved2;
+ __le64 UniqueId;
+ char FileName[1];
+} __packed;
+
+struct file_id_full_dir_info {
+ __le32 NextEntryOffset;
+ __u32 FileIndex;
+ __le64 CreationTime;
+ __le64 LastAccessTime;
+ __le64 LastWriteTime;
+ __le64 ChangeTime;
+ __le64 EndOfFile;
+ __le64 AllocationSize;
+ __le32 ExtFileAttributes;
+ __le32 FileNameLength;
+ __le32 EaSize; /* EA size */
+ __le32 Reserved;
+ __le64 UniqueId; /* inode num - le since Samba puts ino in low 32 bit*/
+ char FileName[1];
+} __packed; /* level 0x105 FF rsp data */
+
+struct smb_version_values {
+ char *version_string;
+ __u16 protocol_id;
+ __le16 lock_cmd;
+ __u32 capabilities;
+ __u32 max_read_size;
+ __u32 max_write_size;
+ __u32 max_trans_size;
+ __u32 large_lock_type;
+ __u32 exclusive_lock_type;
+ __u32 shared_lock_type;
+ __u32 unlock_lock_type;
+ size_t header_size;
+ size_t max_header_size;
+ size_t read_rsp_size;
+ unsigned int cap_unix;
+ unsigned int cap_nt_find;
+ unsigned int cap_large_files;
+ __u16 signing_enabled;
+ __u16 signing_required;
+ size_t create_lease_size;
+ size_t create_durable_size;
+ size_t create_durable_v2_size;
+ size_t create_mxac_size;
+ size_t create_disk_id_size;
+ size_t create_posix_size;
+};
+
+struct filesystem_posix_info {
+ /* For undefined recommended transfer size return -1 in that field */
+ __le32 OptimalTransferSize; /* bsize on some os, iosize on other os */
+ __le32 BlockSize;
+ /* The next three fields are in terms of the block size.
+ * (above). If block size is unknown, 4096 would be a
+ * reasonable block size for a server to report.
+ * Note that returning the blocks/blocksavail removes need
+ * to make a second call (to QFSInfo level 0x103 to get this info.
+ * UserBlockAvail is typically less than or equal to BlocksAvail,
+ * if no distinction is made return the same value in each
+ */
+ __le64 TotalBlocks;
+ __le64 BlocksAvail; /* bfree */
+ __le64 UserBlocksAvail; /* bavail */
+ /* For undefined Node fields or FSID return -1 */
+ __le64 TotalFileNodes;
+ __le64 FreeFileNodes;
+ __le64 FileSysIdentifier; /* fsid */
+ /* NB Namelen comes from FILE_SYSTEM_ATTRIBUTE_INFO call */
+ /* NB flags can come from FILE_SYSTEM_DEVICE_INFO call */
+} __packed;
+
+struct smb_version_ops {
+ uint16_t (*get_cmd_val)(struct ksmbd_work *swork);
+ int (*init_rsp_hdr)(struct ksmbd_work *swork);
+ void (*set_rsp_status)(struct ksmbd_work *swork, __le32 err);
+ int (*allocate_rsp_buf)(struct ksmbd_work *work);
+ int (*set_rsp_credits)(struct ksmbd_work *work);
+ int (*check_user_session)(struct ksmbd_work *work);
+ int (*get_ksmbd_tcon)(struct ksmbd_work *work);
+ bool (*is_sign_req)(struct ksmbd_work *work, unsigned int command);
+ int (*check_sign_req)(struct ksmbd_work *work);
+ void (*set_sign_rsp)(struct ksmbd_work *work);
+ int (*generate_signingkey)(struct ksmbd_session *sess);
+ int (*generate_encryptionkey)(struct ksmbd_session *sess);
+ int (*is_transform_hdr)(void *buf);
+ int (*decrypt_req)(struct ksmbd_work *work);
+ int (*encrypt_resp)(struct ksmbd_work *work);
+};
+
+struct smb_version_cmds {
+ int (*proc)(struct ksmbd_work *swork);
+};
+
+
+
+int ksmbd_min_protocol(void);
+int ksmbd_max_protocol(void);
+
+int ksmbd_lookup_protocol_idx(char *str);
+
+int ksmbd_verify_smb_message(struct ksmbd_work *work);
+bool ksmbd_smb_request(struct ksmbd_conn *conn);
+
+int ksmbd_lookup_dialect_by_id(__le16 *cli_dialects, __le16 dialects_count);
+
+int ksmbd_negotiate_smb_dialect(void *buf);
+int ksmbd_init_smb_server(struct ksmbd_work *work);
+
+bool ksmbd_pdu_size_has_room(unsigned int pdu);
+
+struct ksmbd_kstat;
+int ksmbd_populate_dot_dotdot_entries(struct ksmbd_work *work,
+ int info_level,
+ struct ksmbd_file *dir,
+ struct ksmbd_dir_info *d_info,
+ char *search_pattern,
+ int (*fn)(struct ksmbd_conn *,
+ int,
+ struct ksmbd_dir_info *,
+ struct ksmbd_kstat *));
+
+int ksmbd_extract_shortname(struct ksmbd_conn *conn,
+ const char *longname,
+ char *shortname);
+
+int ksmbd_smb_negotiate_common(struct ksmbd_work *work, unsigned int command);
+
+int ksmbd_smb_check_shared_mode(struct file *filp, struct ksmbd_file *curr_fp);
+int ksmbd_override_fsids(struct ksmbd_work *work);
+void ksmbd_revert_fsids(struct ksmbd_work *work);
+
+unsigned int ksmbd_server_side_copy_max_chunk_count(void);
+unsigned int ksmbd_server_side_copy_max_chunk_size(void);
+unsigned int ksmbd_server_side_copy_max_total_size(void);
+bool is_asterisk(char *p);
+__le32 smb_map_generic_desired_access(__le32 daccess);
+
+static inline unsigned int get_rfc1002_len(void *buf)
+{
+ return be32_to_cpu(*((__be32 *)buf)) & 0xffffff;
+}
+
+static inline void inc_rfc1001_len(void *buf, int count)
+{
+ be32_add_cpu((__be32 *)buf, count);
+}
+#endif /* __SMB_COMMON_H__ */
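Review bot: inc_rfc1001_len() at the end of the header adds a signed count to the whole big-endian 32-bit word, while get_rfc1002_len() masks the length to the low 24 bits, so a sum above 0xffffff carries into the top byte that get_rfc1002_len() masks off. Check the resulting length against the 24-bit limit (or the response buffer size) before adding, and name both helpers rfc1002 consistently. The variable-length trailers declared as one-element arrays (DialectsArray[1], SecurityBlob[1], FileName[1], VolumeLabel[1]) would be clearer as flexible array members, since sizeof() on these structs currently counts one element that callers must remember to subtract. fs_extended_info.rel_date is a plain __u64 inside a __packed structure whose other integer fields are __le32; annotate it __le64 so sparse can check the conversion.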
diff --git a/fs/cifsd/smbacl.c b/fs/cifsd/smbacl.c
new file mode 100644
index 000000000000..8d8360ca4751
--- /dev/null
+++ b/fs/cifsd/smbacl.c
@@ -0,0 +1,1309 @@
+// SPDX-License-Identifier: LGPL-2.1+
+/*
+ * Copyright (C) International Business Machines Corp., 2007,2008
+ * Author(s): Steve French (sfrench(a)us.ibm.com)
+ * Copyright (C) 2020 Samsung Electronics Co., Ltd.
+ * Author(s): Namjae Jeon <linkinjeon(a)kernel.org>
+ */
+
+#include <linux/fs.h>
+#include <linux/slab.h>
+#include <linux/string.h>
+
+#include "smbacl.h"
+#include "smb_common.h"
+#include "server.h"
+#include "misc.h"
+#include "ksmbd_server.h"
+#include "mgmt/share_config.h"
+
+static const struct smb_sid domain = {1, 4, {0, 0, 0, 0, 0, 5},
+ {cpu_to_le32(21), cpu_to_le32(1), cpu_to_le32(2), cpu_to_le32(3),
+ 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0} };
+
+/* security id for everyone/world system group */
+static const struct smb_sid creator_owner = {
+ 1, 1, {0, 0, 0, 0, 0, 3}, {0} };
+/* security id for everyone/world system group */
+static const struct smb_sid creator_group = {
+ 1, 1, {0, 0, 0, 0, 0, 3}, {cpu_to_le32(1)} };
+
+/* security id for everyone/world system group */
+static const struct smb_sid sid_everyone = {
+ 1, 1, {0, 0, 0, 0, 0, 1}, {0} };
+/* security id for Authenticated Users system group */
+static const struct smb_sid sid_authusers = {
+ 1, 1, {0, 0, 0, 0, 0, 5}, {cpu_to_le32(11)} };
+
+/* S-1-22-1 Unmapped Unix users */
+static const struct smb_sid sid_unix_users = {1, 1, {0, 0, 0, 0, 0, 22},
+ {cpu_to_le32(1), 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0} };
+
+/* S-1-22-2 Unmapped Unix groups */
+static const struct smb_sid sid_unix_groups = { 1, 1, {0, 0, 0, 0, 0, 22},
+ {cpu_to_le32(2), 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0} };
+
+/*
+ * See http://technet.microsoft.com/en-us/library/hh509017(v=ws.10).aspx
+ */
+
+/* S-1-5-88 MS NFS and Apple style UID/GID/mode */
+
+/* S-1-5-88-1 Unix uid */
+static const struct smb_sid sid_unix_NFS_users = { 1, 2, {0, 0, 0, 0, 0, 5},
+ {cpu_to_le32(88),
+ cpu_to_le32(1), 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0} };
+
+/* S-1-5-88-2 Unix gid */
+static const struct smb_sid sid_unix_NFS_groups = { 1, 2, {0, 0, 0, 0, 0, 5},
+ {cpu_to_le32(88),
+ cpu_to_le32(2), 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0} };
+
+/* S-1-5-88-3 Unix mode */
+static const struct smb_sid sid_unix_NFS_mode = { 1, 2, {0, 0, 0, 0, 0, 5},
+ {cpu_to_le32(88),
+ cpu_to_le32(3), 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0} };
+
+/*
+ * if the two SIDs (roughly equivalent to a UUID for a user or group) are
+ * the same returns zero, if they do not match returns non-zero.
+ */
+int
+compare_sids(const struct smb_sid *ctsid, const struct smb_sid *cwsid)
+{
+ int i;
+ int num_subauth, num_sat, num_saw;
+
+ if ((!ctsid) || (!cwsid))
+ return 1;
+
+ /* compare the revision */
+ if (ctsid->revision != cwsid->revision) {
+ if (ctsid->revision > cwsid->revision)
+ return 1;
+ else
+ return -1;
+ }
+
+ /* compare all of the six auth values */
+ for (i = 0; i < NUM_AUTHS; ++i) {
+ if (ctsid->authority[i] != cwsid->authority[i]) {
+ if (ctsid->authority[i] > cwsid->authority[i])
+ return 1;
+ else
+ return -1;
+ }
+ }
+
+ /* compare all of the subauth values if any */
+ num_sat = ctsid->num_subauth;
+ num_saw = cwsid->num_subauth;
+ num_subauth = num_sat < num_saw ? num_sat : num_saw;
+ if (num_subauth) {
+ for (i = 0; i < num_subauth; ++i) {
+ if (ctsid->sub_auth[i] != cwsid->sub_auth[i]) {
+ if (le32_to_cpu(ctsid->sub_auth[i]) >
+ le32_to_cpu(cwsid->sub_auth[i]))
+ return 1;
+ else
+ return -1;
+ }
+ }
+ }
+
+ return 0; /* sids compare/match */
+}
+
+static void
+smb_copy_sid(struct smb_sid *dst, const struct smb_sid *src)
+{
+ int i;
+
+ dst->revision = src->revision;
+ dst->num_subauth = min_t(u8, src->num_subauth, SID_MAX_SUB_AUTHORITIES);
+ for (i = 0; i < NUM_AUTHS; ++i)
+ dst->authority[i] = src->authority[i];
+ for (i = 0; i < dst->num_subauth; ++i)
+ dst->sub_auth[i] = src->sub_auth[i];
+}
+
+/*
+ * change posix mode to reflect permissions
+ * pmode is the existing mode (we only want to overwrite part of this
+ * bits to set can be: S_IRWXU, S_IRWXG or S_IRWXO ie 00700 or 00070 or 00007
+ */
+static umode_t access_flags_to_mode(struct smb_fattr *fattr, __le32 ace_flags,
+ int type)
+{
+ __u32 flags = le32_to_cpu(ace_flags);
+ umode_t mode = 0;
+
+ if (flags & GENERIC_ALL) {
+ mode = 0777;
+ ksmbd_debug(SMB, "all perms\n");
+ return mode;
+ }
+
+ if ((flags & GENERIC_READ) ||
+ (flags & FILE_READ_RIGHTS))
+ mode = 0444;
+ if ((flags & GENERIC_WRITE) ||
+ (flags & FILE_WRITE_RIGHTS)) {
+ mode |= 0222;
+ if (S_ISDIR(fattr->cf_mode))
+ mode |= 0111;
+ }
+ if ((flags & GENERIC_EXECUTE) ||
+ (flags & FILE_EXEC_RIGHTS))
+ mode |= 0111;
+
+ if (type == ACCESS_DENIED_ACE_TYPE ||
+ type == ACCESS_DENIED_OBJECT_ACE_TYPE)
+ mode = ~mode;
+
+ ksmbd_debug(SMB, "access flags 0x%x mode now %04o\n", flags, mode);
+
+ return mode;
+}
+
+/*
+ * Generate access flags to reflect permissions mode is the existing mode.
+ * This function is called for every ACE in the DACL whose SID matches
+ * with either owner or group or everyone.
+ */
+static void mode_to_access_flags(umode_t mode, umode_t bits_to_use,
+ __u32 *pace_flags)
+{
+ /* reset access mask */
+ *pace_flags = 0x0;
+
+ /* bits to use are either S_IRWXU or S_IRWXG or S_IRWXO */
+ mode &= bits_to_use;
+
+ /*
+ * check for R/W/X UGO since we do not know whose flags
+ * is this but we have cleared all the bits sans RWX for
+ * either user or group or other as per bits_to_use
+ */
+ if (mode & 0444)
+ *pace_flags |= SET_FILE_READ_RIGHTS;
+ if (mode & 0222)
+ *pace_flags |= FILE_WRITE_RIGHTS;
+ if (mode & 0111)
+ *pace_flags |= SET_FILE_EXEC_RIGHTS;
+
+ ksmbd_debug(SMB, "mode: %o, access flags now 0x%x\n",
+ mode, *pace_flags);
+}
+
+static __u16 fill_ace_for_sid(struct smb_ace *pntace,
+ const struct smb_sid *psid, int type, int flags,
+ umode_t mode, umode_t bits)
+{
+ int i;
+ __u16 size = 0;
+ __u32 access_req = 0;
+
+ pntace->type = type;
+ pntace->flags = flags;
+ mode_to_access_flags(mode, bits, &access_req);
+ if (!access_req)
+ access_req = SET_MINIMUM_RIGHTS;
+ pntace->access_req = cpu_to_le32(access_req);
+
+ pntace->sid.revision = psid->revision;
+ pntace->sid.num_subauth = psid->num_subauth;
+ for (i = 0; i < NUM_AUTHS; i++)
+ pntace->sid.authority[i] = psid->authority[i];
+ for (i = 0; i < psid->num_subauth; i++)
+ pntace->sid.sub_auth[i] = psid->sub_auth[i];
+
+ size = 1 + 1 + 2 + 4 + 1 + 1 + 6 + (psid->num_subauth * 4);
+ pntace->size = cpu_to_le16(size);
+
+ return size;
+}
+
+void id_to_sid(unsigned int cid, uint sidtype, struct smb_sid *ssid)
+{
+ switch (sidtype) {
+ case SIDOWNER:
+ smb_copy_sid(ssid, &server_conf.domain_sid);
+ break;
+ case SIDUNIX_USER:
+ smb_copy_sid(ssid, &sid_unix_users);
+ break;
+ case SIDUNIX_GROUP:
+ smb_copy_sid(ssid, &sid_unix_groups);
+ break;
+ case SIDCREATOR_OWNER:
+ smb_copy_sid(ssid, &creator_owner);
+ return;
+ case SIDCREATOR_GROUP:
+ smb_copy_sid(ssid, &creator_group);
+ return;
+ case SIDNFS_USER:
+ smb_copy_sid(ssid, &sid_unix_NFS_users);
+ break;
+ case SIDNFS_GROUP:
+ smb_copy_sid(ssid, &sid_unix_NFS_groups);
+ break;
+ case SIDNFS_MODE:
+ smb_copy_sid(ssid, &sid_unix_NFS_mode);
+ break;
+ default:
+ return;
+ }
+
+ /* RID */
+ ssid->sub_auth[ssid->num_subauth] = cpu_to_le32(cid);
+ ssid->num_subauth++;
+}
+
+static int sid_to_id(struct smb_sid *psid, uint sidtype,
+ struct smb_fattr *fattr)
+{
+ int rc = -EINVAL;
+
+ /*
+ * If we have too many subauthorities, then something is really wrong.
+ * Just return an error.
+ */
+ if (unlikely(psid->num_subauth > SID_MAX_SUB_AUTHORITIES)) {
+ ksmbd_err("%s: %u subauthorities is too many!\n",
+ __func__, psid->num_subauth);
+ return -EIO;
+ }
+
+ if (sidtype == SIDOWNER) {
+ kuid_t uid;
+ uid_t id;
+
+ id = le32_to_cpu(psid->sub_auth[psid->num_subauth - 1]);
+ if (id > 0) {
+ uid = make_kuid(&init_user_ns, id);
+ if (uid_valid(uid) &&
+ kuid_has_mapping(&init_user_ns, uid)) {
+ fattr->cf_uid = uid;
+ rc = 0;
+ }
+ }
+ } else {
+ kgid_t gid;
+ gid_t id;
+
+ id = le32_to_cpu(psid->sub_auth[psid->num_subauth - 1]);
+ if (id > 0) {
+ gid = make_kgid(&init_user_ns, id);
+ if (gid_valid(gid) &&
+ kgid_has_mapping(&init_user_ns, gid)) {
+ fattr->cf_gid = gid;
+ rc = 0;
+ }
+ }
+ }
+
+ return rc;
+}
+
+void posix_state_to_acl(struct posix_acl_state *state,
+ struct posix_acl_entry *pace)
+{
+ int i;
+
+ pace->e_tag = ACL_USER_OBJ;
+ pace->e_perm = state->owner.allow;
+ for (i = 0; i < state->users->n; i++) {
+ pace++;
+ pace->e_tag = ACL_USER;
+ pace->e_uid = state->users->aces[i].uid;
+ pace->e_perm = state->users->aces[i].perms.allow;
+ }
+
+ pace++;
+ pace->e_tag = ACL_GROUP_OBJ;
+ pace->e_perm = state->group.allow;
+
+ for (i = 0; i < state->groups->n; i++) {
+ pace++;
+ pace->e_tag = ACL_GROUP;
+ pace->e_gid = state->groups->aces[i].gid;
+ pace->e_perm = state->groups->aces[i].perms.allow;
+ }
+
+ if (state->users->n || state->groups->n) {
+ pace++;
+ pace->e_tag = ACL_MASK;
+ pace->e_perm = state->mask.allow;
+ }
+
+ pace++;
+ pace->e_tag = ACL_OTHER;
+ pace->e_perm = state->other.allow;
+}
+
+int init_acl_state(struct posix_acl_state *state, int cnt)
+{
+ int alloc;
+
+ memset(state, 0, sizeof(struct posix_acl_state));
+ /*
+ * In the worst case, each individual acl could be for a distinct
+ * named user or group, but we don't know which, so we allocate
+ * enough space for either:
+ */
+ alloc = sizeof(struct posix_ace_state_array)
+ + cnt*sizeof(struct posix_user_ace_state);
+ state->users = kzalloc(alloc, GFP_KERNEL);
+ if (!state->users)
+ return -ENOMEM;
+ state->groups = kzalloc(alloc, GFP_KERNEL);
+ if (!state->groups) {
+ kfree(state->users);
+ return -ENOMEM;
+ }
+ return 0;
+}
+
+void free_acl_state(struct posix_acl_state *state)
+{
+ kfree(state->users);
+ kfree(state->groups);
+}
+
+static void parse_dacl(struct smb_acl *pdacl, char *end_of_acl,
+ struct smb_sid *pownersid, struct smb_sid *pgrpsid,
+ struct smb_fattr *fattr)
+{
+ int i, ret;
+ int num_aces = 0;
+ int acl_size;
+ char *acl_base;
+ struct smb_ace **ppace;
+ struct posix_acl_entry *cf_pace, *cf_pdace;
+ struct posix_acl_state acl_state, default_acl_state;
+ umode_t mode = 0, acl_mode;
+ bool owner_found = false, group_found = false, others_found = false;
+
+ if (!pdacl)
+ return;
+
+ /* validate that we do not go past end of acl */
+ if (end_of_acl < (char *)pdacl + le16_to_cpu(pdacl->size)) {
+ ksmbd_err("ACL too small to parse DACL\n");
+ return;
+ }
+
+ ksmbd_debug(SMB, "DACL revision %d size %d num aces %d\n",
+ le16_to_cpu(pdacl->revision), le16_to_cpu(pdacl->size),
+ le32_to_cpu(pdacl->num_aces));
+
+ acl_base = (char *)pdacl;
+ acl_size = sizeof(struct smb_acl);
+
+ num_aces = le32_to_cpu(pdacl->num_aces);
+ if (num_aces <= 0)
+ return;
+
+ if (num_aces > ULONG_MAX / sizeof(struct smb_ace *))
+ return;
+
+ ppace = kmalloc_array(num_aces, sizeof(struct smb_ace *),
+ GFP_KERNEL);
+ if (!ppace)
+ return;
+
+ ret = init_acl_state(&acl_state, num_aces);
+ if (ret)
+ return;
+ ret = init_acl_state(&default_acl_state, num_aces);
+ if (ret) {
+ free_acl_state(&acl_state);
+ return;
+ }
+
+ /*
+ * reset rwx permissions for user/group/other.
+ * Also, if num_aces is 0 i.e. DACL has no ACEs,
+ * user/group/other have no permissions
+ */
+ for (i = 0; i < num_aces; ++i) {
+ ppace[i] = (struct smb_ace *) (acl_base + acl_size);
+ acl_base = (char *)ppace[i];
+ acl_size = le16_to_cpu(ppace[i]->size);
+ ppace[i]->access_req =
+ smb_map_generic_desired_access(ppace[i]->access_req);
+
+ if (!(compare_sids(&(ppace[i]->sid), &sid_unix_NFS_mode))) {
+ fattr->cf_mode =
+ le32_to_cpu(ppace[i]->sid.sub_auth[2]);
+ break;
+ } else if (!compare_sids(&(ppace[i]->sid), pownersid)) {
+ acl_mode = access_flags_to_mode(fattr,
+ ppace[i]->access_req, ppace[i]->type);
+ acl_mode &= 0700;
+
+ if (!owner_found) {
+ mode &= ~(0700);
+ mode |= acl_mode;
+ }
+ owner_found = true;
+ } else if (!compare_sids(&(ppace[i]->sid), pgrpsid) ||
+ ppace[i]->sid.sub_auth[ppace[i]->sid.num_subauth - 1] ==
+ DOMAIN_USER_RID_LE) {
+ acl_mode = access_flags_to_mode(fattr,
+ ppace[i]->access_req, ppace[i]->type);
+ acl_mode &= 0070;
+ if (!group_found) {
+ mode &= ~(0070);
+ mode |= acl_mode;
+ }
+ group_found = true;
+ } else if (!compare_sids(&(ppace[i]->sid), &sid_everyone)) {
+ acl_mode = access_flags_to_mode(fattr,
+ ppace[i]->access_req, ppace[i]->type);
+ acl_mode &= 0007;
+ if (!others_found) {
+ mode &= ~(0007);
+ mode |= acl_mode;
+ }
+ others_found = true;
+ } else if (!compare_sids(&(ppace[i]->sid), &creator_owner))
+ continue;
+ else if (!compare_sids(&(ppace[i]->sid), &creator_group))
+ continue;
+ else if (!compare_sids(&(ppace[i]->sid), &sid_authusers))
+ continue;
+ else {
+ struct smb_fattr temp_fattr;
+
+ acl_mode = access_flags_to_mode(fattr, ppace[i]->access_req,
+ ppace[i]->type);
+ temp_fattr.cf_uid = INVALID_UID;
+ ret = sid_to_id(&ppace[i]->sid, SIDOWNER, &temp_fattr);
+ if (ret || uid_eq(temp_fattr.cf_uid, INVALID_UID)) {
+ ksmbd_err("%s: Error %d mapping Owner SID to uid\n",
+ __func__, ret);
+ continue;
+ }
+
+ acl_state.owner.allow = ((acl_mode & 0700) >> 6) | 0004;
+ acl_state.users->aces[acl_state.users->n].uid =
+ temp_fattr.cf_uid;
+ acl_state.users->aces[acl_state.users->n++].perms.allow =
+ ((acl_mode & 0700) >> 6) | 0004;
+ default_acl_state.owner.allow = ((acl_mode & 0700) >> 6) | 0004;
+ default_acl_state.users->aces[default_acl_state.users->n].uid =
+ temp_fattr.cf_uid;
+ default_acl_state.users->aces[default_acl_state.users->n++].perms.allow =
+ ((acl_mode & 0700) >> 6) | 0004;
+ }
+ }
+ kfree(ppace);
+
+ if (owner_found) {
+ /* The owner must be set to at least read-only. */
+ acl_state.owner.allow = ((mode & 0700) >> 6) | 0004;
+ acl_state.users->aces[acl_state.users->n].uid = fattr->cf_uid;
+ acl_state.users->aces[acl_state.users->n++].perms.allow =
+ ((mode & 0700) >> 6) | 0004;
+ default_acl_state.owner.allow = ((mode & 0700) >> 6) | 0004;
+ default_acl_state.users->aces[default_acl_state.users->n].uid =
+ fattr->cf_uid;
+ default_acl_state.users->aces[default_acl_state.users->n++].perms.allow =
+ ((mode & 0700) >> 6) | 0004;
+ }
+
+ if (group_found) {
+ acl_state.group.allow = (mode & 0070) >> 3;
+ acl_state.groups->aces[acl_state.groups->n].gid =
+ fattr->cf_gid;
+ acl_state.groups->aces[acl_state.groups->n++].perms.allow =
+ (mode & 0070) >> 3;
+ default_acl_state.group.allow = mode & 0070 >> 3;
+ default_acl_state.groups->aces[default_acl_state.groups->n].gid =
+ fattr->cf_gid;
+ default_acl_state.groups->aces[default_acl_state.groups->n++].perms.allow =
+ (mode & 0070) >> 3;
+ }
+
+ if (others_found) {
+ fattr->cf_mode &= ~(0007);
+ fattr->cf_mode |= mode & 0007;
+
+ acl_state.other.allow = mode & 0007;
+ default_acl_state.other.allow = mode & 0007;
+ }
+
+ if (acl_state.users->n || acl_state.groups->n) {
+ acl_state.mask.allow = 0x07;
+ fattr->cf_acls = ksmbd_vfs_posix_acl_alloc(acl_state.users->n +
+ acl_state.groups->n + 4, GFP_KERNEL);
+ if (fattr->cf_acls) {
+ cf_pace = fattr->cf_acls->a_entries;
+ posix_state_to_acl(&acl_state, cf_pace);
+ }
+ }
+
+ if (default_acl_state.users->n || default_acl_state.groups->n) {
+ default_acl_state.mask.allow = 0x07;
+ fattr->cf_dacls =
+ ksmbd_vfs_posix_acl_alloc(default_acl_state.users->n +
+ default_acl_state.groups->n + 4, GFP_KERNEL);
+ if (fattr->cf_dacls) {
+ cf_pdace = fattr->cf_dacls->a_entries;
+ posix_state_to_acl(&default_acl_state, cf_pdace);
+ }
+ }
+ free_acl_state(&acl_state);
+ free_acl_state(&default_acl_state);
+}
+
+static void set_posix_acl_entries_dacl(struct smb_ace *pndace,
+ struct smb_fattr *fattr, u32 *num_aces, u16 *size, u32 nt_aces_num)
+{
+ struct posix_acl_entry *pace;
+ struct smb_sid *sid;
+ struct smb_ace *ntace;
+ int i, j;
+
+ if (!fattr->cf_acls)
+ goto posix_default_acl;
+
+ pace = fattr->cf_acls->a_entries;
+ for (i = 0; i < fattr->cf_acls->a_count; i++, pace++) {
+ int flags = 0;
+
+ sid = kmalloc(sizeof(struct smb_sid), GFP_KERNEL);
+ if (!sid)
+ break;
+
+ if (pace->e_tag == ACL_USER) {
+ uid_t uid;
+ unsigned int sid_type = SIDOWNER;
+
+ uid = from_kuid(&init_user_ns, pace->e_uid);
+ if (!uid)
+ sid_type = SIDUNIX_USER;
+ id_to_sid(uid, sid_type, sid);
+ } else if (pace->e_tag == ACL_GROUP) {
+ gid_t gid;
+
+ gid = from_kgid(&init_user_ns, pace->e_gid);
+ id_to_sid(gid, SIDUNIX_GROUP, sid);
+ } else if (pace->e_tag == ACL_OTHER && !nt_aces_num) {
+ smb_copy_sid(sid, &sid_everyone);
+ } else {
+ kfree(sid);
+ continue;
+ }
+ ntace = pndace;
+ for (j = 0; j < nt_aces_num; j++) {
+ if (ntace->sid.sub_auth[ntace->sid.num_subauth - 1] ==
+ sid->sub_auth[sid->num_subauth - 1])
+ goto pass_same_sid;
+ ntace = (struct smb_ace *)((char *)ntace +
+ le16_to_cpu(ntace->size));
+ }
+
+ if (S_ISDIR(fattr->cf_mode) && pace->e_tag == ACL_OTHER)
+ flags = 0x03;
+
+ ntace = (struct smb_ace *) ((char *)pndace + *size);
+ *size += fill_ace_for_sid(ntace, sid, ACCESS_ALLOWED, flags,
+ pace->e_perm, 0777);
+ (*num_aces)++;
+ if (pace->e_tag == ACL_USER)
+ ntace->access_req |=
+ FILE_DELETE_LE | FILE_DELETE_CHILD_LE;
+
+ if (S_ISDIR(fattr->cf_mode) &&
+ (pace->e_tag == ACL_USER || pace->e_tag == ACL_GROUP)) {
+ ntace = (struct smb_ace *) ((char *)pndace + *size);
+ *size += fill_ace_for_sid(ntace, sid, ACCESS_ALLOWED,
+ 0x03, pace->e_perm, 0777);
+ (*num_aces)++;
+ if (pace->e_tag == ACL_USER)
+ ntace->access_req |=
+ FILE_DELETE_LE | FILE_DELETE_CHILD_LE;
+ }
+
+pass_same_sid:
+ kfree(sid);
+ }
+
+ if (nt_aces_num)
+ return;
+
+posix_default_acl:
+ if (!fattr->cf_dacls)
+ return;
+
+ pace = fattr->cf_dacls->a_entries;
+ for (i = 0; i < fattr->cf_dacls->a_count; i++, pace++) {
+ sid = kmalloc(sizeof(struct smb_sid), GFP_KERNEL);
+ if (!sid)
+ break;
+
+ if (pace->e_tag == ACL_USER) {
+ uid_t uid;
+
+ uid = from_kuid(&init_user_ns, pace->e_uid);
+ id_to_sid(uid, SIDCREATOR_OWNER, sid);
+ } else if (pace->e_tag == ACL_GROUP) {
+ gid_t gid;
+
+ gid = from_kgid(&init_user_ns, pace->e_gid);
+ id_to_sid(gid, SIDCREATOR_GROUP, sid);
+ } else {
+ kfree(sid);
+ continue;
+ }
+
+ ntace = (struct smb_ace *) ((char *)pndace + *size);
+ *size += fill_ace_for_sid(ntace, sid, ACCESS_ALLOWED, 0x0b,
+ pace->e_perm, 0777);
+ (*num_aces)++;
+ if (pace->e_tag == ACL_USER)
+ ntace->access_req |=
+ FILE_DELETE_LE | FILE_DELETE_CHILD_LE;
+ kfree(sid);
+ }
+}
+
+static void set_ntacl_dacl(struct smb_acl *pndacl, struct smb_acl *nt_dacl,
+ const struct smb_sid *pownersid, const struct smb_sid *pgrpsid,
+ struct smb_fattr *fattr)
+{
+ struct smb_ace *ntace, *pndace;
+ int nt_num_aces = le32_to_cpu(nt_dacl->num_aces), num_aces = 0;
+ unsigned short size = 0;
+ int i;
+
+ pndace = (struct smb_ace *)((char *)pndacl + sizeof(struct smb_acl));
+ if (nt_num_aces) {
+ ntace = (struct smb_ace *)((char *)nt_dacl + sizeof(struct smb_acl));
+ for (i = 0; i < nt_num_aces; i++) {
+ memcpy((char *)pndace + size, ntace, le16_to_cpu(ntace->size));
+ size += le16_to_cpu(ntace->size);
+ ntace = (struct smb_ace *)((char *)ntace + le16_to_cpu(ntace->size));
+ num_aces++;
+ }
+ }
+
+ set_posix_acl_entries_dacl(pndace, fattr, &num_aces, &size, nt_num_aces);
+ pndacl->num_aces = cpu_to_le32(num_aces);
+ pndacl->size = cpu_to_le16(le16_to_cpu(pndacl->size) + size);
+}
+
+static void set_mode_dacl(struct smb_acl *pndacl, struct smb_fattr *fattr)
+{
+ struct smb_ace *pace, *pndace;
+ u32 num_aces = 0;
+ u16 size = 0, ace_size = 0;
+ uid_t uid;
+ const struct smb_sid *sid;
+
+ pace = pndace = (struct smb_ace *)((char *)pndacl + sizeof(struct smb_acl));
+
+ if (fattr->cf_acls) {
+ set_posix_acl_entries_dacl(pndace, fattr, &num_aces, &size, num_aces);
+ goto out;
+ }
+
+ /* owner RID */
+ uid = from_kuid(&init_user_ns, fattr->cf_uid);
+ if (uid)
+ sid = &server_conf.domain_sid;
+ else
+ sid = &sid_unix_users;
+ ace_size = fill_ace_for_sid(pace, sid, ACCESS_ALLOWED, 0,
+ fattr->cf_mode, 0700);
+ pace->sid.sub_auth[pace->sid.num_subauth++] = cpu_to_le32(uid);
+ pace->access_req |= FILE_DELETE_LE | FILE_DELETE_CHILD_LE;
+ pace->size = cpu_to_le16(ace_size + 4);
+ size += le16_to_cpu(pace->size);
+ pace = (struct smb_ace *)((char *)pndace + size);
+
+ /* Group RID */
+ ace_size = fill_ace_for_sid(pace, &sid_unix_groups,
+ ACCESS_ALLOWED, 0, fattr->cf_mode, 0070);
+ pace->sid.sub_auth[pace->sid.num_subauth++] =
+ cpu_to_le32(from_kgid(&init_user_ns, fattr->cf_gid));
+ pace->size = cpu_to_le16(ace_size + 4);
+ size += le16_to_cpu(pace->size);
+ pace = (struct smb_ace *)((char *)pndace + size);
+ num_aces = 3;
+
+ if (S_ISDIR(fattr->cf_mode)) {
+ pace = (struct smb_ace *)((char *)pndace + size);
+
+ /* creator owner */
+ size += fill_ace_for_sid(pace, &creator_owner, ACCESS_ALLOWED,
+ 0x0b, fattr->cf_mode, 0700);
+ pace->access_req |= FILE_DELETE_LE | FILE_DELETE_CHILD_LE;
+ pace = (struct smb_ace *)((char *)pndace + size);
+
+ /* creator group */
+ size += fill_ace_for_sid(pace, &creator_group, ACCESS_ALLOWED,
+ 0x0b, fattr->cf_mode, 0070);
+ pace = (struct smb_ace *)((char *)pndace + size);
+ num_aces = 5;
+ }
+
+ /* other */
+ size += fill_ace_for_sid(pace, &sid_everyone, ACCESS_ALLOWED, 0,
+ fattr->cf_mode, 0007);
+
+out:
+ pndacl->num_aces = cpu_to_le32(num_aces);
+ pndacl->size = cpu_to_le16(le16_to_cpu(pndacl->size) + size);
+}
+
+static int parse_sid(struct smb_sid *psid, char *end_of_acl)
+{
+ /*
+ * validate that we do not go past end of ACL - sid must be at least 8
+ * bytes long (assuming no sub-auths - e.g. the null SID
+ */
+ if (end_of_acl < (char *)psid + 8) {
+ ksmbd_err("ACL too small to parse SID %p\n", psid);
+ return -EINVAL;
+ }
+
+ return 0;
+}
+
+/* Convert CIFS ACL to POSIX form */
+int parse_sec_desc(struct smb_ntsd *pntsd, int acl_len,
+ struct smb_fattr *fattr)
+{
+ int rc = 0;
+ struct smb_sid *owner_sid_ptr, *group_sid_ptr;
+ struct smb_acl *dacl_ptr; /* no need for SACL ptr */
+ char *end_of_acl = ((char *)pntsd) + acl_len;
+ __u32 dacloffset;
+ int total_ace_size = 0, pntsd_type;
+
+ if (pntsd == NULL)
+ return -EIO;
+
+ owner_sid_ptr = (struct smb_sid *)((char *)pntsd +
+ le32_to_cpu(pntsd->osidoffset));
+ group_sid_ptr = (struct smb_sid *)((char *)pntsd +
+ le32_to_cpu(pntsd->gsidoffset));
+ dacloffset = le32_to_cpu(pntsd->dacloffset);
+ dacl_ptr = (struct smb_acl *)((char *)pntsd + dacloffset);
+ ksmbd_debug(SMB,
+ "revision %d type 0x%x ooffset 0x%x goffset 0x%x sacloffset 0x%x dacloffset 0x%x\n",
+ pntsd->revision, pntsd->type, le32_to_cpu(pntsd->osidoffset),
+ le32_to_cpu(pntsd->gsidoffset),
+ le32_to_cpu(pntsd->sacloffset), dacloffset);
+
+ if (dacloffset && dacl_ptr)
+ total_ace_size =
+ le16_to_cpu(dacl_ptr->size) - sizeof(struct smb_acl);
+
+ pntsd_type = le16_to_cpu(pntsd->type);
+
+ if (!(pntsd_type & DACL_PRESENT)) {
+ ksmbd_debug(SMB, "DACL_PRESENT in DACL type is not set\n");
+ return rc;
+ }
+
+ pntsd->type = cpu_to_le16(DACL_PRESENT);
+
+ if (pntsd->osidoffset) {
+ rc = parse_sid(owner_sid_ptr, end_of_acl);
+ if (rc) {
+ ksmbd_err("%s: Error %d parsing Owner SID\n", __func__, rc);
+ return rc;
+ }
+
+ rc = sid_to_id(owner_sid_ptr, SIDOWNER, fattr);
+ if (rc) {
+ ksmbd_err("%s: Error %d mapping Owner SID to uid\n",
+ __func__, rc);
+ owner_sid_ptr = NULL;
+ }
+ }
+
+ if (pntsd->gsidoffset) {
+ rc = parse_sid(group_sid_ptr, end_of_acl);
+ if (rc) {
+ ksmbd_err("%s: Error %d mapping Owner SID to gid\n",
+ __func__, rc);
+ return rc;
+ }
+ rc = sid_to_id(group_sid_ptr, SIDUNIX_GROUP, fattr);
+ if (rc) {
+ ksmbd_err("%s: Error %d mapping Group SID to gid\n",
+ __func__, rc);
+ group_sid_ptr = NULL;
+ }
+ }
+
+ if ((pntsd_type &
+ (DACL_AUTO_INHERITED | DACL_AUTO_INHERIT_REQ)) ==
+ (DACL_AUTO_INHERITED | DACL_AUTO_INHERIT_REQ))
+ pntsd->type |= cpu_to_le16(DACL_AUTO_INHERITED);
+ if (pntsd_type & DACL_PROTECTED)
+ pntsd->type |= cpu_to_le16(DACL_PROTECTED);
+
+ if (dacloffset) {
+ parse_dacl(dacl_ptr, end_of_acl, owner_sid_ptr, group_sid_ptr,
+ fattr);
+ }
+
+ return 0;
+}
+
+/* Convert permission bits from mode to equivalent CIFS ACL */
+int build_sec_desc(struct smb_ntsd *pntsd, struct smb_ntsd *ppntsd,
+ int addition_info, __u32 *secdesclen, struct smb_fattr *fattr)
+{
+ int rc = 0;
+ __u32 offset;
+ struct smb_sid *owner_sid_ptr, *group_sid_ptr;
+ struct smb_sid *nowner_sid_ptr, *ngroup_sid_ptr;
+ struct smb_acl *dacl_ptr = NULL; /* no need for SACL ptr */
+ uid_t uid;
+ gid_t gid;
+ unsigned int sid_type = SIDOWNER;
+
+ nowner_sid_ptr = kmalloc(sizeof(struct smb_sid), GFP_KERNEL);
+ if (!nowner_sid_ptr)
+ return -ENOMEM;
+
+ uid = from_kuid(&init_user_ns, fattr->cf_uid);
+ if (!uid)
+ sid_type = SIDUNIX_USER;
+ id_to_sid(uid, sid_type, nowner_sid_ptr);
+
+ ngroup_sid_ptr = kmalloc(sizeof(struct smb_sid), GFP_KERNEL);
+ if (!ngroup_sid_ptr) {
+ kfree(nowner_sid_ptr);
+ return -ENOMEM;
+ }
+
+ gid = from_kgid(&init_user_ns, fattr->cf_gid);
+ id_to_sid(gid, SIDUNIX_GROUP, ngroup_sid_ptr);
+
+ offset = sizeof(struct smb_ntsd);
+ pntsd->sacloffset = 0;
+ pntsd->revision = cpu_to_le16(1);
+ pntsd->type = cpu_to_le16(SELF_RELATIVE);
+ if (ppntsd)
+ pntsd->type |= ppntsd->type;
+
+ if (addition_info & OWNER_SECINFO) {
+ pntsd->osidoffset = cpu_to_le32(offset);
+ owner_sid_ptr = (struct smb_sid *)((char *)pntsd + offset);
+ smb_copy_sid(owner_sid_ptr, nowner_sid_ptr);
+ offset += 1 + 1 + 6 + (nowner_sid_ptr->num_subauth * 4);
+ }
+
+ if (addition_info & GROUP_SECINFO) {
+ pntsd->gsidoffset = cpu_to_le32(offset);
+ group_sid_ptr = (struct smb_sid *)((char *)pntsd + offset);
+ smb_copy_sid(group_sid_ptr, ngroup_sid_ptr);
+ offset += 1 + 1 + 6 + (ngroup_sid_ptr->num_subauth * 4);
+ }
+
+ if (addition_info & DACL_SECINFO) {
+ pntsd->type |= cpu_to_le16(DACL_PRESENT);
+ dacl_ptr = (struct smb_acl *)((char *)pntsd + offset);
+ dacl_ptr->revision = cpu_to_le16(2);
+ dacl_ptr->size = cpu_to_le16(sizeof(struct smb_acl));
+ dacl_ptr->num_aces = 0;
+
+ if (!ppntsd)
+ set_mode_dacl(dacl_ptr, fattr);
+ else if (!ppntsd->dacloffset)
+ goto out;
+ else {
+ struct smb_acl *ppdacl_ptr;
+
+ ppdacl_ptr = (struct smb_acl *)((char *)ppntsd +
+ le32_to_cpu(ppntsd->dacloffset));
+ set_ntacl_dacl(dacl_ptr, ppdacl_ptr, nowner_sid_ptr,
+ ngroup_sid_ptr, fattr);
+ }
+ pntsd->dacloffset = cpu_to_le32(offset);
+ offset += le16_to_cpu(dacl_ptr->size);
+ }
+
+out:
+ kfree(nowner_sid_ptr);
+ kfree(ngroup_sid_ptr);
+ *secdesclen = offset;
+ return rc;
+}
+
+static void smb_set_ace(struct smb_ace *ace, const struct smb_sid *sid, u8 type,
+ u8 flags, __le32 access_req)
+{
+ ace->type = type;
+ ace->flags = flags;
+ ace->access_req = access_req;
+ smb_copy_sid(&ace->sid, sid);
+ ace->size = cpu_to_le16(1 + 1 + 2 + 4 + 1 + 1 + 6 + (sid->num_subauth * 4));
+}
+
+int smb_inherit_dacl(struct ksmbd_conn *conn, struct dentry *dentry,
+ unsigned int uid, unsigned int gid)
+{
+ const struct smb_sid *psid, *creator = NULL;
+ struct smb_ace *parent_aces, *aces;
+ struct smb_acl *parent_pdacl;
+ struct smb_ntsd *parent_pntsd = NULL;
+ struct smb_sid owner_sid, group_sid;
+ struct dentry *parent = dentry->d_parent;
+ int inherited_flags = 0, flags = 0, i, ace_cnt = 0, nt_size = 0;
+ int rc = -ENOENT, num_aces, dacloffset, pntsd_type, acl_len;
+ char *aces_base;
+ bool is_dir = S_ISDIR(dentry->d_inode->i_mode);
+
+ acl_len = ksmbd_vfs_get_sd_xattr(conn, parent, &parent_pntsd);
+ if (acl_len <= 0)
+ return rc;
+ dacloffset = le32_to_cpu(parent_pntsd->dacloffset);
+ if (!dacloffset)
+ goto out;
+
+ parent_pdacl = (struct smb_acl *)((char *)parent_pntsd + dacloffset);
+ num_aces = le32_to_cpu(parent_pdacl->num_aces);
+ pntsd_type = le16_to_cpu(parent_pntsd->type);
+
+ aces_base = kmalloc(sizeof(struct smb_ace) * num_aces * 2, GFP_KERNEL);
+ if (!aces_base)
+ goto out;
+
+ aces = (struct smb_ace *)aces_base;
+ parent_aces = (struct smb_ace *)((char *)parent_pdacl +
+ sizeof(struct smb_acl));
+
+ if (pntsd_type & DACL_AUTO_INHERITED)
+ inherited_flags = INHERITED_ACE;
+
+ for (i = 0; i < num_aces; i++) {
+ flags = parent_aces->flags;
+ if (!smb_inherit_flags(flags, is_dir))
+ goto pass;
+ if (is_dir) {
+ flags &= ~(INHERIT_ONLY_ACE | INHERITED_ACE);
+ if (!(flags & CONTAINER_INHERIT_ACE))
+ flags |= INHERIT_ONLY_ACE;
+ if (flags & NO_PROPAGATE_INHERIT_ACE)
+ flags = 0;
+ } else
+ flags = 0;
+
+ if (!compare_sids(&creator_owner, &parent_aces->sid)) {
+ creator = &creator_owner;
+ id_to_sid(uid, SIDOWNER, &owner_sid);
+ psid = &owner_sid;
+ } else if (!compare_sids(&creator_group, &parent_aces->sid)) {
+ creator = &creator_group;
+ id_to_sid(gid, SIDUNIX_GROUP, &group_sid);
+ psid = &group_sid;
+ } else {
+ creator = NULL;
+ psid = &parent_aces->sid;
+ }
+
+ if (is_dir && creator && flags & CONTAINER_INHERIT_ACE) {
+ smb_set_ace(aces, psid, parent_aces->type, inherited_flags,
+ parent_aces->access_req);
+ nt_size += le16_to_cpu(aces->size);
+ ace_cnt++;
+ aces = (struct smb_ace *)((char *)aces + le16_to_cpu(aces->size));
+ flags |= INHERIT_ONLY_ACE;
+ psid = creator;
+ } else if (is_dir && !(parent_aces->flags & NO_PROPAGATE_INHERIT_ACE))
+ psid = &parent_aces->sid;
+
+ smb_set_ace(aces, psid, parent_aces->type, flags | inherited_flags,
+ parent_aces->access_req);
+ nt_size += le16_to_cpu(aces->size);
+ aces = (struct smb_ace *)((char *)aces + le16_to_cpu(aces->size));
+ ace_cnt++;
+pass:
+ parent_aces =
+ (struct smb_ace *)((char *)parent_aces + le16_to_cpu(parent_aces->size));
+ }
+
+ if (nt_size > 0) {
+ struct smb_ntsd *pntsd;
+ struct smb_acl *pdacl;
+ struct smb_sid *powner_sid = NULL, *pgroup_sid = NULL;
+ int powner_sid_size = 0, pgroup_sid_size = 0, pntsd_size;
+
+ if (parent_pntsd->osidoffset) {
+ powner_sid = (struct smb_sid *)((char *)parent_pntsd +
+ le32_to_cpu(parent_pntsd->osidoffset));
+ powner_sid_size = 1 + 1 + 6 + (powner_sid->num_subauth * 4);
+ }
+ if (parent_pntsd->gsidoffset) {
+ pgroup_sid = (struct smb_sid *)((char *)parent_pntsd +
+ le32_to_cpu(parent_pntsd->gsidoffset));
+ pgroup_sid_size = 1 + 1 + 6 + (pgroup_sid->num_subauth * 4);
+ }
+
+ pntsd = kzalloc(sizeof(struct smb_ntsd) + powner_sid_size +
+ pgroup_sid_size + sizeof(struct smb_acl) +
+ nt_size, GFP_KERNEL);
+ if (!pntsd) {
+ rc = -ENOMEM;
+ goto out;
+ }
+
+ pntsd->revision = cpu_to_le16(1);
+ pntsd->type = cpu_to_le16(SELF_RELATIVE | DACL_PRESENT);
+ if (le16_to_cpu(parent_pntsd->type) & DACL_AUTO_INHERITED)
+ pntsd->type |= cpu_to_le16(DACL_AUTO_INHERITED);
+ pntsd_size = sizeof(struct smb_ntsd);
+ pntsd->osidoffset = parent_pntsd->osidoffset;
+ pntsd->gsidoffset = parent_pntsd->gsidoffset;
+ pntsd->dacloffset = parent_pntsd->dacloffset;
+
+ if (pntsd->osidoffset) {
+ struct smb_sid *owner_sid = (struct smb_sid *)((char *)pntsd +
+ le32_to_cpu(pntsd->osidoffset));
+ memcpy(owner_sid, powner_sid, powner_sid_size);
+ pntsd_size += powner_sid_size;
+ }
+
+ if (pntsd->gsidoffset) {
+ struct smb_sid *group_sid = (struct smb_sid *)((char *)pntsd +
+ le32_to_cpu(pntsd->gsidoffset));
+ memcpy(group_sid, pgroup_sid, pgroup_sid_size);
+ pntsd_size += pgroup_sid_size;
+ }
+
+ if (pntsd->dacloffset) {
+ struct smb_ace *pace;
+
+ pdacl = (struct smb_acl *)((char *)pntsd + le32_to_cpu(pntsd->dacloffset));
+ pdacl->revision = cpu_to_le16(2);
+ pdacl->size = cpu_to_le16(sizeof(struct smb_acl) + nt_size);
+ pdacl->num_aces = cpu_to_le32(ace_cnt);
+ pace = (struct smb_ace *)((char *)pdacl + sizeof(struct smb_acl));
+ memcpy(pace, aces_base, nt_size);
+ pntsd_size += sizeof(struct smb_acl) + nt_size;
+ }
+
+ ksmbd_vfs_set_sd_xattr(conn, dentry, pntsd, pntsd_size);
+ kfree(pntsd);
+ rc = 0;
+ }
+
+ kfree(aces_base);
+out:
+ return rc;
+}
+
+bool smb_inherit_flags(int flags, bool is_dir)
+{
+ if (!is_dir)
+ return (flags & OBJECT_INHERIT_ACE) != 0;
+
+ if (flags & OBJECT_INHERIT_ACE && !(flags & NO_PROPAGATE_INHERIT_ACE))
+ return true;
+
+ if (flags & CONTAINER_INHERIT_ACE)
+ return true;
+ return false;
+}
+
+int smb_check_perm_dacl(struct ksmbd_conn *conn, struct dentry *dentry,
+ __le32 *pdaccess, int uid)
+{
+ struct smb_ntsd *pntsd = NULL;
+ struct smb_acl *pdacl;
+ struct posix_acl *posix_acls;
+ int rc = 0, acl_size;
+ struct smb_sid sid;
+ int granted = le32_to_cpu(*pdaccess & ~FILE_MAXIMAL_ACCESS_LE);
+ struct smb_ace *ace;
+ int i, found = 0;
+ unsigned int access_bits = 0;
+ struct smb_ace *others_ace = NULL;
+ struct posix_acl_entry *pa_entry;
+ unsigned int sid_type = SIDOWNER;
+
+ ksmbd_debug(SMB, "check permission using windows acl\n");
+ acl_size = ksmbd_vfs_get_sd_xattr(conn, dentry, &pntsd);
+ if (acl_size <= 0 || (pntsd && !pntsd->dacloffset))
+ return 0;
+
+ pdacl = (struct smb_acl *)((char *)pntsd + le32_to_cpu(pntsd->dacloffset));
+ if (!pdacl->num_aces) {
+ if (!(le16_to_cpu(pdacl->size) - sizeof(struct smb_acl)) &&
+ *pdaccess & ~(FILE_READ_CONTROL_LE | FILE_WRITE_DAC_LE)) {
+ rc = -EACCES;
+ goto err_out;
+ }
+ kfree(pntsd);
+ return 0;
+ }
+
+ if (*pdaccess & FILE_MAXIMAL_ACCESS_LE) {
+ granted = READ_CONTROL | WRITE_DAC | FILE_READ_ATTRIBUTES |
+ DELETE;
+
+ ace = (struct smb_ace *)((char *)pdacl + sizeof(struct smb_acl));
+ for (i = 0; i < le32_to_cpu(pdacl->num_aces); i++) {
+ granted |= le32_to_cpu(ace->access_req);
+ ace = (struct smb_ace *) ((char *)ace + le16_to_cpu(ace->size));
+ }
+
+ if (!pdacl->num_aces)
+ granted = GENERIC_ALL_FLAGS;
+ }
+
+ if (!uid)
+ sid_type = SIDUNIX_USER;
+ id_to_sid(uid, sid_type, &sid);
+
+ ace = (struct smb_ace *)((char *)pdacl + sizeof(struct smb_acl));
+ for (i = 0; i < le32_to_cpu(pdacl->num_aces); i++) {
+ if (!compare_sids(&sid, &ace->sid) ||
+ !compare_sids(&sid_unix_NFS_mode, &ace->sid)) {
+ found = 1;
+ break;
+ }
+ if (!compare_sids(&sid_everyone, &ace->sid))
+ others_ace = ace;
+
+ ace = (struct smb_ace *) ((char *)ace + le16_to_cpu(ace->size));
+ }
+
+ if (*pdaccess & FILE_MAXIMAL_ACCESS_LE && found) {
+ granted = READ_CONTROL | WRITE_DAC | FILE_READ_ATTRIBUTES |
+ DELETE;
+
+ granted |= le32_to_cpu(ace->access_req);
+
+ if (!pdacl->num_aces)
+ granted = GENERIC_ALL_FLAGS;
+ }
+
+ posix_acls = ksmbd_vfs_get_acl(dentry->d_inode, ACL_TYPE_ACCESS);
+ if (posix_acls && !found) {
+ unsigned int id = -1;
+
+ pa_entry = posix_acls->a_entries;
+ for (i = 0; i < posix_acls->a_count; i++, pa_entry++) {
+ if (pa_entry->e_tag == ACL_USER)
+ id = from_kuid(&init_user_ns, pa_entry->e_uid);
+ else if (pa_entry->e_tag == ACL_GROUP)
+ id = from_kgid(&init_user_ns, pa_entry->e_gid);
+ else
+ continue;
+
+ if (id == uid) {
+ mode_to_access_flags(pa_entry->e_perm, 0777, &access_bits);
+ if (!access_bits)
+ access_bits = SET_MINIMUM_RIGHTS;
+ goto check_access_bits;
+ }
+ }
+ }
+ if (posix_acls)
+ posix_acl_release(posix_acls);
+
+ if (!found) {
+ if (others_ace)
+ ace = others_ace;
+ else {
+ ksmbd_debug(SMB, "Can't find corresponding sid\n");
+ rc = -EACCES;
+ goto err_out;
+ }
+ }
+
+ switch (ace->type) {
+ case ACCESS_ALLOWED_ACE_TYPE:
+ access_bits = le32_to_cpu(ace->access_req);
+ break;
+ case ACCESS_DENIED_ACE_TYPE:
+ case ACCESS_DENIED_CALLBACK_ACE_TYPE:
+ access_bits = le32_to_cpu(~ace->access_req);
+ break;
+ }
+
+check_access_bits:
+ if (granted & ~(access_bits | FILE_READ_ATTRIBUTES |
+ READ_CONTROL | WRITE_DAC | DELETE)) {
+ ksmbd_debug(SMB, "Access denied with winACL, granted : %x, access_req : %x\n",
+ granted, le32_to_cpu(ace->access_req));
+ rc = -EACCES;
+ goto err_out;
+ }
+
+ *pdaccess = cpu_to_le32(granted);
+err_out:
+ kfree(pntsd);
+ return rc;
+}
+
+int set_info_sec(struct ksmbd_conn *conn, struct ksmbd_tree_connect *tcon,
+ struct dentry *dentry, struct smb_ntsd *pntsd, int ntsd_len,
+ bool type_check)
+{
+ int rc;
+ struct smb_fattr fattr = {{0}};
+ struct inode *inode = dentry->d_inode;
+
+ fattr.cf_uid = INVALID_UID;
+ fattr.cf_gid = INVALID_GID;
+ fattr.cf_mode = inode->i_mode;
+
+ rc = parse_sec_desc(pntsd, ntsd_len, &fattr);
+ if (rc)
+ goto out;
+
+ inode->i_mode = (inode->i_mode & ~0777) | (fattr.cf_mode & 0777);
+ if (!uid_eq(fattr.cf_uid, INVALID_UID))
+ inode->i_uid = fattr.cf_uid;
+ if (!gid_eq(fattr.cf_gid, INVALID_GID))
+ inode->i_gid = fattr.cf_gid;
+ mark_inode_dirty(inode);
+
+ ksmbd_vfs_remove_acl_xattrs(dentry);
+ /* Update posix acls */
+ if (fattr.cf_dacls) {
+ rc = ksmbd_vfs_set_posix_acl(inode, ACL_TYPE_ACCESS,
+ fattr.cf_acls);
+ if (S_ISDIR(inode->i_mode) && fattr.cf_dacls)
+ rc = ksmbd_vfs_set_posix_acl(inode, ACL_TYPE_DEFAULT,
+ fattr.cf_dacls);
+ }
+
+ /* Check it only calling from SD BUFFER context */
+ if (type_check && !(le16_to_cpu(pntsd->type) & DACL_PRESENT))
+ goto out;
+
+ if (test_share_config_flag(tcon->share_conf,
+ KSMBD_SHARE_FLAG_ACL_XATTR)) {
+ /* Update WinACL in xattr */
+ ksmbd_vfs_remove_sd_xattrs(dentry);
+ ksmbd_vfs_set_sd_xattr(conn, dentry, pntsd, ntsd_len);
+ }
+
+out:
+ posix_acl_release(fattr.cf_acls);
+ posix_acl_release(fattr.cf_dacls);
+ mark_inode_dirty(inode);
+ return rc;
+}
+
+void ksmbd_init_domain(u32 *sub_auth)
+{
+ int i;
+
+ memcpy(&server_conf.domain_sid, &domain, sizeof(struct smb_sid));
+ for (i = 0; i < 3; ++i)
+ server_conf.domain_sid.sub_auth[i + 1] = cpu_to_le32(sub_auth[i]);
+}
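Review bot: parse_sec_desc(), parse_dacl() and sid_to_id() use offsets, sizes and counts from the supplied descriptor without checking them against end_of_acl. In parse_sec_desc(), dacl_ptr->size is read before dacloffset is compared with acl_len. The owner and group SIDs are checked only by parse_sid(), which verifies 8 bytes, yet sid_to_id() then reads sub_auth[num_subauth - 1]. With num_subauth == 0 that index is -1, and with a larger num_subauth it lies beyond the 8 validated bytes. In the parse_dacl() loop each ppace[i] is derived from the previous ACE's size field and dereferenced with no comparison against end_of_acl, and num_aces is bounded only by the ULONG_MAX check. Suggest validating every offset against acl_len, rejecting num_subauth == 0 and any SID whose 8 + 4 * num_subauth bytes cross end_of_acl, and checking each ACE header and its size against end_of_acl before use. The ACE walks in smb_inherit_dacl() and smb_check_perm_dacl() advance by ace->size in the same way and need the same bounds.

Smaller points in the same hunk: parse_dacl() returns without kfree(ppace) when either init_acl_state() call fails. The line "default_acl_state.group.allow = mode & 0070 >> 3;" parses as mode & (0070 >> 3), unlike the parenthesised form used on the lines around it. set_info_sec() tests fattr.cf_dacls before setting ACL_TYPE_ACCESS from fattr.cf_acls, where cf_acls looks like the intended test. smb_inherit_dacl() never frees parent_pntsd, although smb_check_perm_dacl() frees the buffer it gets from the same ksmbd_vfs_get_sd_xattr() helper. smb_check_perm_dacl() itself returns 0 without kfree(pntsd) when dacloffset is zero and skips posix_acl_release() on the goto check_access_bits path.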
diff --git a/fs/cifsd/smbacl.h b/fs/cifsd/smbacl.h
new file mode 100644
index 000000000000..9b22bff4191f
--- /dev/null
+++ b/fs/cifsd/smbacl.h
@@ -0,0 +1,202 @@
+/* SPDX-License-Identifier: LGPL-2.1+ */
+/*
+ * Copyright (c) International Business Machines Corp., 2007
+ * Author(s): Steve French (sfrench(a)us.ibm.com)
+ * Modified by Namjae Jeon (linkinjeon(a)kernel.org)
+ */
+
+#ifndef _SMBACL_H
+#define _SMBACL_H
+
+#include <linux/fs.h>
+#include <linux/namei.h>
+#include <linux/posix_acl.h>
+
+#include "mgmt/tree_connect.h"
+
+#define NUM_AUTHS (6) /* number of authority fields */
+#define SID_MAX_SUB_AUTHORITIES (15) /* max number of sub authority fields */
+
+#define ACCESS_ALLOWED 0
+#define ACCESS_DENIED 1
+
+#define SIDOWNER 1
+#define SIDGROUP 2
+#define SIDCREATOR_OWNER 3
+#define SIDCREATOR_GROUP 4
+#define SIDUNIX_USER 5
+#define SIDUNIX_GROUP 6
+#define SIDNFS_USER 7
+#define SIDNFS_GROUP 8
+#define SIDNFS_MODE 9
+
+/* Revision for ACLs */
+#define SD_REVISION 1
+
+/* Control flags for Security Descriptor */
+#define OWNER_DEFAULTED 0x0001
+#define GROUP_DEFAULTED 0x0002
+#define DACL_PRESENT 0x0004
+#define DACL_DEFAULTED 0x0008
+#define SACL_PRESENT 0x0010
+#define SACL_DEFAULTED 0x0020
+#define DACL_TRUSTED 0x0040
+#define SERVER_SECURITY 0x0080
+#define DACL_AUTO_INHERIT_REQ 0x0100
+#define SACL_AUTO_INHERIT_REQ 0x0200
+#define DACL_AUTO_INHERITED 0x0400
+#define SACL_AUTO_INHERITED 0x0800
+#define DACL_PROTECTED 0x1000
+#define SACL_PROTECTED 0x2000
+#define RM_CONTROL_VALID 0x4000
+#define SELF_RELATIVE 0x8000
+
+/* ACE types - see MS-DTYP 2.4.4.1 */
+#define ACCESS_ALLOWED_ACE_TYPE 0x00
+#define ACCESS_DENIED_ACE_TYPE 0x01
+#define SYSTEM_AUDIT_ACE_TYPE 0x02
+#define SYSTEM_ALARM_ACE_TYPE 0x03
+#define ACCESS_ALLOWED_COMPOUND_ACE_TYPE 0x04
+#define ACCESS_ALLOWED_OBJECT_ACE_TYPE 0x05
+#define ACCESS_DENIED_OBJECT_ACE_TYPE 0x06
+#define SYSTEM_AUDIT_OBJECT_ACE_TYPE 0x07
+#define SYSTEM_ALARM_OBJECT_ACE_TYPE 0x08
+#define ACCESS_ALLOWED_CALLBACK_ACE_TYPE 0x09
+#define ACCESS_DENIED_CALLBACK_ACE_TYPE 0x0A
+#define ACCESS_ALLOWED_CALLBACK_OBJECT_ACE_TYPE 0x0B
+#define ACCESS_DENIED_CALLBACK_OBJECT_ACE_TYPE 0x0C
+#define SYSTEM_AUDIT_CALLBACK_ACE_TYPE 0x0D
+#define SYSTEM_ALARM_CALLBACK_ACE_TYPE 0x0E /* Reserved */
+#define SYSTEM_AUDIT_CALLBACK_OBJECT_ACE_TYPE 0x0F
+#define SYSTEM_ALARM_CALLBACK_OBJECT_ACE_TYPE 0x10 /* reserved */
+#define SYSTEM_MANDATORY_LABEL_ACE_TYPE 0x11
+#define SYSTEM_RESOURCE_ATTRIBUTE_ACE_TYPE 0x12
+#define SYSTEM_SCOPED_POLICY_ID_ACE_TYPE 0x13
+
+/* ACE flags */
+#define OBJECT_INHERIT_ACE 0x01
+#define CONTAINER_INHERIT_ACE 0x02
+#define NO_PROPAGATE_INHERIT_ACE 0x04
+#define INHERIT_ONLY_ACE 0x08
+#define INHERITED_ACE 0x10
+#define SUCCESSFUL_ACCESS_ACE_FLAG 0x40
+#define FAILED_ACCESS_ACE_FLAG 0x80
+
+/*
+ * Maximum size of a string representation of a SID:
+ *
+ * The fields are unsigned values in decimal. So:
+ *
+ * u8: max 3 bytes in decimal
+ * u32: max 10 bytes in decimal
+ *
+ * "S-" + 3 bytes for version field + 15 for authority field + NULL terminator
+ *
+ * For authority field, max is when all 6 values are non-zero and it must be
+ * represented in hex. So "-0x" + 12 hex digits.
+ *
+ * Add 11 bytes for each subauthority field (10 bytes each + 1 for '-')
+ */
+#define SID_STRING_BASE_SIZE (2 + 3 + 15 + 1)
+#define SID_STRING_SUBAUTH_SIZE (11) /* size of a single subauth string */
+
+#define DOMAIN_USER_RID_LE cpu_to_le32(513)
+
+struct ksmbd_conn;
+
+struct smb_ntsd {
+ __le16 revision; /* revision level */
+ __le16 type;
+ __le32 osidoffset;
+ __le32 gsidoffset;
+ __le32 sacloffset;
+ __le32 dacloffset;
+} __packed;
+
+struct smb_sid {
+ __u8 revision; /* revision level */
+ __u8 num_subauth;
+ __u8 authority[NUM_AUTHS];
+ __le32 sub_auth[SID_MAX_SUB_AUTHORITIES]; /* sub_auth[num_subauth] */
+} __packed;
+
+/* size of a struct cifs_sid, sans sub_auth array */
+#define CIFS_SID_BASE_SIZE (1 + 1 + NUM_AUTHS)
+
+struct smb_acl {
+ __le16 revision; /* revision level */
+ __le16 size;
+ __le32 num_aces;
+} __packed;
+
+struct smb_ace {
+ __u8 type;
+ __u8 flags;
+ __le16 size;
+ __le32 access_req;
+ struct smb_sid sid; /* ie UUID of user or group who gets these perms */
+} __packed;
+
+struct smb_fattr {
+ kuid_t cf_uid;
+ kgid_t cf_gid;
+ umode_t cf_mode;
+ __le32 daccess;
+ struct posix_acl *cf_acls;
+ struct posix_acl *cf_dacls;
+};
+
+struct posix_ace_state {
+ u32 allow;
+ u32 deny;
+};
+
+struct posix_user_ace_state {
+ union {
+ kuid_t uid;
+ kgid_t gid;
+ };
+ struct posix_ace_state perms;
+};
+
+struct posix_ace_state_array {
+ int n;
+ struct posix_user_ace_state aces[];
+};
+
+/*
+ * while processing the nfsv4 ace, this maintains the partial permissions
+ * calculated so far:
+ */
+
+struct posix_acl_state {
+ struct posix_ace_state owner;
+ struct posix_ace_state group;
+ struct posix_ace_state other;
+ struct posix_ace_state everyone;
+ struct posix_ace_state mask; /* deny unused in this case */
+ struct posix_ace_state_array *users;
+ struct posix_ace_state_array *groups;
+};
+
+int parse_sec_desc(struct smb_ntsd *pntsd, int acl_len,
+ struct smb_fattr *fattr);
+int build_sec_desc(struct smb_ntsd *pntsd, struct smb_ntsd *ppntsd,
+ int addition_info, __u32 *secdesclen, struct smb_fattr *fattr);
+int init_acl_state(struct posix_acl_state *state, int cnt);
+void free_acl_state(struct posix_acl_state *state);
+void posix_state_to_acl(struct posix_acl_state *state,
+ struct posix_acl_entry *pace);
+int compare_sids(const struct smb_sid *ctsid, const struct smb_sid *cwsid);
+bool smb_inherit_flags(int flags, bool is_dir);
+int smb_inherit_dacl(struct ksmbd_conn *conn, struct dentry *dentry,
+ unsigned int uid, unsigned int gid);
+int smb_check_perm_dacl(struct ksmbd_conn *conn, struct dentry *dentry,
+ __le32 *pdaccess, int uid);
+int store_init_posix_acl(struct inode *inode, umode_t perm);
+int set_info_sec(struct ksmbd_conn *conn, struct ksmbd_tree_connect *tcon,
+ struct dentry *dentry, struct smb_ntsd *pntsd, int ntsd_len,
+ bool type_check);
+void id_to_sid(unsigned int cid, uint sidtype, struct smb_sid *ssid);
+void ksmbd_init_domain(u32 *sub_auth);
+#endif /* _SMBACL_H */
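Review bot: in struct smb_sid, num_subauth is a __u8 read from a packed wire structure while sub_auth[] is fixed at SID_MAX_SUB_AUTHORITIES entries, and nothing in this header states where the bound is enforced. Please document next to the struct (or provide a small inline helper) that every parser must reject num_subauth > SID_MAX_SUB_AUTHORITIES before indexing sub_auth[] or computing a SID length from it. The same applies to the four __le32 offsets in struct smb_ntsd, which need to be checked against the buffer length passed to parse_sec_desc(). That length is a signed int (acl_len, and ntsd_len in set_info_sec()); an unsigned type would make those comparisons harder to get wrong. Smaller points: the comment above CIFS_SID_BASE_SIZE still refers to "struct cifs_sid" although the struct here is smb_sid, and smb_check_perm_dacl() takes "int uid" while smb_inherit_dacl() takes "unsigned int uid".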
diff --git a/fs/cifsd/smberr.h b/fs/cifsd/smberr.h
new file mode 100644
index 000000000000..ce842303ae1f
--- /dev/null
+++ b/fs/cifsd/smberr.h
@@ -0,0 +1,235 @@
+/* SPDX-License-Identifier: LGPL-2.1+ */
+/*
+ * Copyright (c) International Business Machines Corp., 2002,2004
+ * Author(s): Steve French (sfrench(a)us.ibm.com)
+ *
+ * See Error Codes section of the SNIA CIFS Specification
+ * for more information
+ */
+#ifndef __KSMBD_SMBERR_H
+#define __KSMBD_SMBERR_H
+
+#define SUCCESS 0x00 /* The request was successful. */
+#define ERRDOS 0x01 /* Error is from the core DOS operating system set */
+#define ERRSRV 0x02 /* Error is generated by the file server daemon */
+#define ERRHRD 0x03 /* Error is a hardware error. */
+#define ERRCMD 0xFF /* Command was not in the "SMB" format. */
+
+/* The following error codes may be generated with the SUCCESS error class.*/
+
+/*#define SUCCESS 0 The request was successful. */
+
+/* The following error codes may be generated with the ERRDOS error class.*/
+
+#define ERRbadfunc 1 /*
+ * Invalid function. The server did not
+ * recognize or could not perform a
+ * system call generated by the server,
+ * e.g., set the DIRECTORY attribute on
+ * a data file, invalid seek mode.
+ */
+#define ERRbadfile 2 /*
+ * File not found. The last component
+ * of a file's pathname could not be
+ * found.
+ */
+#define ERRbadpath 3 /*
+ * Directory invalid. A directory
+ * component in a pathname could not be
+ * found.
+ */
+#define ERRnofids 4 /*
+ * Too many open files. The server has
+ * no file handles available.
+ */
+#define ERRnoaccess 5 /*
+ * Access denied, the client's context
+ * does not permit the requested
+ * function. This includes the
+ * following conditions: invalid rename
+ * command, write to Fid open for read
+ * only, read on Fid open for write
+ * only, attempt to delete a non-empty
+ * directory
+ */
+#define ERRbadfid 6 /*
+ * Invalid file handle. The file handle
+ * specified was not recognized by the
+ * server.
+ */
+#define ERRbadmcb 7 /* Memory control blocks destroyed. */
+#define ERRnomem 8 /*
+ * Insufficient server memory to
+ * perform the requested function.
+ */
+#define ERRbadmem 9 /* Invalid memory block address. */
+#define ERRbadenv 10 /* Invalid environment. */
+#define ERRbadformat 11 /* Invalid format. */
+#define ERRbadaccess 12 /* Invalid open mode. */
+#define ERRbaddata 13 /*
+ * Invalid data (generated only by
+ * IOCTL calls within the server).
+ */
+#define ERRbaddrive 15 /* Invalid drive specified. */
+#define ERRremcd 16 /*
+ * A Delete Directory request attempted
+ * to remove the server's current
+ * directory.
+ */
+#define ERRdiffdevice 17 /*
+ * Not same device (e.g., a cross
+ * volume rename was attempted
+ */
+#define ERRnofiles 18 /*
+ * A File Search command can find no
+ * more files matching the specified
+ * criteria.
+ */
+#define ERRwriteprot 19 /* media is write protected */
+#define ERRgeneral 31
+#define ERRbadshare 32 /*
+ * The sharing mode specified for an
+ * Open conflicts with existing FIDs on
+ * the file.
+ */
+#define ERRlock 33 /*
+ * A Lock request conflicted with an
+ * existing lock or specified an
+ * invalid mode, or an Unlock requested
+ * attempted to remove a lock held by
+ * another process.
+ */
+#define ERRunsup 50
+#define ERRnosuchshare 67
+#define ERRfilexists 80 /*
+ * The file named in the request
+ * already exists.
+ */
+#define ERRinvparm 87
+#define ERRdiskfull 112
+#define ERRinvname 123
+#define ERRinvlevel 124
+#define ERRdirnotempty 145
+#define ERRnotlocked 158
+#define ERRcancelviolation 173
+#define ERRnoatomiclocks 174
+#define ERRalreadyexists 183
+#define ERRbadpipe 230
+#define ERRpipebusy 231
+#define ERRpipeclosing 232
+#define ERRnotconnected 233
+#define ERRmoredata 234
+#define ERReasnotsupported 282
+#define ErrQuota 0x200 /*
+ * The operation would cause a quota
+ * limit to be exceeded.
+ */
+#define ErrNotALink 0x201 /*
+ * A link operation was performed on a
+ * pathname that was not a link.
+ */
+
+/*
+ * Below errors are used internally (do not come over the wire) for passthrough
+ * from STATUS codes to POSIX only
+ */
+#define ERRsymlink 0xFFFD
+#define ErrTooManyLinks 0xFFFE
+
+/* Following error codes may be generated with the ERRSRV error class.*/
+
+#define ERRerror 1 /*
+ * Non-specific error code. It is
+ * returned under the following
+ * conditions: resource other than disk
+ * space exhausted (e.g. TIDs), first
+ * SMB command was not negotiate,
+ * multiple negotiates attempted, and
+ * internal server error.
+ */
+#define ERRbadpw 2 /*
+ * Bad password - name/password pair in
+ * a TreeConnect or Session Setup are
+ * invalid.
+ */
+#define ERRbadtype 3 /*
+ * used for indicating DFS referral
+ * needed
+ */
+#define ERRaccess 4 /*
+ * The client does not have the
+ * necessary access rights within the
+ * specified context for requested
+ * function.
+ */
+#define ERRinvtid 5 /*
+ * The Tid specified in a command was
+ * invalid.
+ */
+#define ERRinvnetname 6 /*
+ * Invalid network name in tree
+ * connect.
+ */
+#define ERRinvdevice 7 /*
+ * Invalid device - printer request
+ * made to non-printer connection or
+ * non-printer request made to printer
+ * connection.
+ */
+#define ERRqfull 49 /*
+ * Print queue full (files) -- returned
+ * by open print file.
+ */
+#define ERRqtoobig 50 /* Print queue full -- no space. */
+#define ERRqeof 51 /* EOF on print queue dump */
+#define ERRinvpfid 52 /* Invalid print file FID. */
+#define ERRsmbcmd 64 /*
+ * The server did not recognize the
+ * command received.
+ */
+#define ERRsrverror 65 /*
+ * The server encountered an internal
+ * error, e.g., system file
+ * unavailable.
+ */
+#define ERRbadBID 66 /* (obsolete) */
+#define ERRfilespecs 67 /*
+ * The Fid and pathname parameters
+ * contained an invalid combination of
+ * values.
+ */
+#define ERRbadLink 68 /* (obsolete) */
+#define ERRbadpermits 69 /*
+ * The access permissions specified for
+ * a file or directory are not a valid
+ * combination.
+ */
+#define ERRbadPID 70
+#define ERRsetattrmode 71 /* attribute (mode) is invalid */
+#define ERRpaused 81 /* Server is paused */
+#define ERRmsgoff 82 /* reserved - messaging off */
+#define ERRnoroom 83 /* reserved - no room for message */
+#define ERRrmuns 87 /* reserved - too many remote names */
+#define ERRtimeout 88 /* operation timed out */
+#define ERRnoresource 89 /* No resources available for request */
+#define ERRtoomanyuids 90 /*
+ * Too many UIDs active on this session
+ */
+#define ERRbaduid 91 /*
+ * The UID is not known as a valid user
+ */
+#define ERRusempx 250 /* temporarily unable to use raw */
+#define ERRusestd 251 /*
+ * temporarily unable to use either raw
+ * or mpx
+ */
+#define ERR_NOTIFY_ENUM_DIR 1024
+#define ERRnoSuchUser 2238 /* user account does not exist */
+#define ERRaccountexpired 2239
+#define ERRbadclient 2240 /* can not logon from this client */
+#define ERRbadLogonTime 2241 /* logon hours do not allow this */
+#define ERRpasswordExpired 2242
+#define ERRnetlogonNotStarted 2455
+#define ERRnosupport 0xFFFF
+
+#endif /* __KSMBD_SMBERR_H */
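Review bot: the unprefixed SUCCESS macro at the top of this header is generic enough to clash with other definitions in any file that includes it, and the commented-out "/*#define SUCCESS 0 ... */" a few lines further down is dead text. Suggest a prefixed name (or dropping the macro if nothing uses it) and deleting the commented-out duplicate. While here: the ERRdiffdevice comment is missing its closing parenthesis, and ErrQuota, ErrNotALink and ErrTooManyLinks break the ERRxxx casing used by every other code in the file.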
diff --git a/fs/cifsd/smbfsctl.h b/fs/cifsd/smbfsctl.h
new file mode 100644
index 000000000000..908c4e68a479
--- /dev/null
+++ b/fs/cifsd/smbfsctl.h
@@ -0,0 +1,90 @@
+/* SPDX-License-Identifier: LGPL-2.1+ */
+/*
+ * fs/cifs/smbfsctl.h: SMB, CIFS, SMB2 FSCTL definitions
+ *
+ * Copyright (c) International Business Machines Corp., 2002,2009
+ * Author(s): Steve French (sfrench(a)us.ibm.com)
+ */
+
+/* IOCTL information */
+/*
+ * List of ioctl/fsctl function codes that are or could be useful in the
+ * future to remote clients like cifs or SMB2 client. There is probably
+ * a slightly larger set of fsctls that NTFS local filesystem could handle,
+ * including the seven below that we do not have struct definitions for.
+ * Even with protocol definitions for most of these now available, we still
+ * need to do some experimentation to identify which are practical to do
+ * remotely. Some of the following, such as the encryption/compression ones
+ * could be invoked from tools via a specialized hook into the VFS rather
+ * than via the standard vfs entry points
+ */
+
+#ifndef __KSMBD_SMBFSCTL_H
+#define __KSMBD_SMBFSCTL_H
+
+#define FSCTL_DFS_GET_REFERRALS 0x00060194
+#define FSCTL_DFS_GET_REFERRALS_EX 0x000601B0
+#define FSCTL_REQUEST_OPLOCK_LEVEL_1 0x00090000
+#define FSCTL_REQUEST_OPLOCK_LEVEL_2 0x00090004
+#define FSCTL_REQUEST_BATCH_OPLOCK 0x00090008
+#define FSCTL_LOCK_VOLUME 0x00090018
+#define FSCTL_UNLOCK_VOLUME 0x0009001C
+#define FSCTL_IS_PATHNAME_VALID 0x0009002C /* BB add struct */
+#define FSCTL_GET_COMPRESSION 0x0009003C /* BB add struct */
+#define FSCTL_SET_COMPRESSION 0x0009C040 /* BB add struct */
+#define FSCTL_QUERY_FAT_BPB 0x00090058 /* BB add struct */
+/* Verify the next FSCTL number, we had it as 0x00090090 before */
+#define FSCTL_FILESYSTEM_GET_STATS 0x00090060 /* BB add struct */
+#define FSCTL_GET_NTFS_VOLUME_DATA 0x00090064 /* BB add struct */
+#define FSCTL_GET_RETRIEVAL_POINTERS 0x00090073 /* BB add struct */
+#define FSCTL_IS_VOLUME_DIRTY 0x00090078 /* BB add struct */
+#define FSCTL_ALLOW_EXTENDED_DASD_IO 0x00090083 /* BB add struct */
+#define FSCTL_REQUEST_FILTER_OPLOCK 0x0009008C
+#define FSCTL_FIND_FILES_BY_SID 0x0009008F /* BB add struct */
+#define FSCTL_SET_OBJECT_ID 0x00090098 /* BB add struct */
+#define FSCTL_GET_OBJECT_ID 0x0009009C /* BB add struct */
+#define FSCTL_DELETE_OBJECT_ID 0x000900A0 /* BB add struct */
+#define FSCTL_SET_REPARSE_POINT 0x000900A4 /* BB add struct */
+#define FSCTL_GET_REPARSE_POINT 0x000900A8 /* BB add struct */
+#define FSCTL_DELETE_REPARSE_POINT 0x000900AC /* BB add struct */
+#define FSCTL_SET_OBJECT_ID_EXTENDED 0x000900BC /* BB add struct */
+#define FSCTL_CREATE_OR_GET_OBJECT_ID 0x000900C0 /* BB add struct */
+#define FSCTL_SET_SPARSE 0x000900C4 /* BB add struct */
+#define FSCTL_SET_ZERO_DATA 0x000980C8 /* BB add struct */
+#define FSCTL_SET_ENCRYPTION 0x000900D7 /* BB add struct */
+#define FSCTL_ENCRYPTION_FSCTL_IO 0x000900DB /* BB add struct */
+#define FSCTL_WRITE_RAW_ENCRYPTED 0x000900DF /* BB add struct */
+#define FSCTL_READ_RAW_ENCRYPTED 0x000900E3 /* BB add struct */
+#define FSCTL_READ_FILE_USN_DATA 0x000900EB /* BB add struct */
+#define FSCTL_WRITE_USN_CLOSE_RECORD 0x000900EF /* BB add struct */
+#define FSCTL_SIS_COPYFILE 0x00090100 /* BB add struct */
+#define FSCTL_RECALL_FILE 0x00090117 /* BB add struct */
+#define FSCTL_QUERY_SPARING_INFO 0x00090138 /* BB add struct */
+#define FSCTL_SET_ZERO_ON_DEALLOC 0x00090194 /* BB add struct */
+#define FSCTL_SET_SHORT_NAME_BEHAVIOR 0x000901B4 /* BB add struct */
+#define FSCTL_QUERY_ALLOCATED_RANGES 0x000940CF /* BB add struct */
+#define FSCTL_SET_DEFECT_MANAGEMENT 0x00098134 /* BB add struct */
+#define FSCTL_SIS_LINK_FILES 0x0009C104
+#define FSCTL_PIPE_PEEK 0x0011400C /* BB add struct */
+#define FSCTL_PIPE_TRANSCEIVE 0x0011C017 /* BB add struct */
+/* strange that the number for this op is not sequential with previous op */
+#define FSCTL_PIPE_WAIT 0x00110018 /* BB add struct */
+#define FSCTL_REQUEST_RESUME_KEY 0x00140078
+#define FSCTL_LMR_GET_LINK_TRACK_INF 0x001400E8 /* BB add struct */
+#define FSCTL_LMR_SET_LINK_TRACK_INF 0x001400EC /* BB add struct */
+#define FSCTL_VALIDATE_NEGOTIATE_INFO 0x00140204
+#define FSCTL_QUERY_NETWORK_INTERFACE_INFO 0x001401FC
+#define FSCTL_COPYCHUNK 0x001440F2
+#define FSCTL_COPYCHUNK_WRITE 0x001480F2
+
+#define IO_REPARSE_TAG_MOUNT_POINT 0xA0000003
+#define IO_REPARSE_TAG_HSM 0xC0000004
+#define IO_REPARSE_TAG_SIS 0x80000007
+
+/* WSL reparse tags */
+#define IO_REPARSE_TAG_LX_SYMLINK_LE cpu_to_le32(0xA000001D)
+#define IO_REPARSE_TAG_AF_UNIX_LE cpu_to_le32(0x80000023)
+#define IO_REPARSE_TAG_LX_FIFO_LE cpu_to_le32(0x80000024)
+#define IO_REPARSE_TAG_LX_CHR_LE cpu_to_le32(0x80000025)
+#define IO_REPARSE_TAG_LX_BLK_LE cpu_to_le32(0x80000026)
+#endif /* __KSMBD_SMBFSCTL_H */
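Review bot: the comment "Verify the next FSCTL number, we had it as 0x00090090 before" above FSCTL_FILESYSTEM_GET_STATS is an open question carried into a new file. Please confirm the value against the protocol documentation and drop the comment, or leave the define out until it is verified. The file header still names the path as fs/cifs/smbfsctl.h although this file is added as fs/cifsd/smbfsctl.h, and the introductory comment speaks of "the seven below that we do not have struct definitions for" while far more than seven entries carry "BB add struct". It would also help to state near the reparse tags why IO_REPARSE_TAG_MOUNT_POINT, _HSM and _SIS are host-order constants while the WSL tags are wrapped in cpu_to_le32(), so callers do not compare one kind against the other.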
diff --git a/fs/cifsd/smbstatus.h b/fs/cifsd/smbstatus.h
new file mode 100644
index 000000000000..108a8b6ed24a
--- /dev/null
+++ b/fs/cifsd/smbstatus.h
@@ -0,0 +1,1822 @@
+/* SPDX-License-Identifier: LGPL-2.1+ */
+/*
+ * fs/cifs/smb2status.h
+ *
+ * SMB2 Status code (network error) definitions
+ * Definitions are from MS-ERREF
+ *
+ * Copyright (c) International Business Machines Corp., 2009,2011
+ * Author(s): Steve French (sfrench(a)us.ibm.com)
+ */
+
+/*
+ * 0 1 2 3 4 5 6 7 8 9 0 A B C D E F 0 1 2 3 4 5 6 7 8 9 A B C D E F
+ * SEV C N <-------Facility--------> <------Error Status Code------>
+ *
+ * C is set if "customer defined" error, N bit is reserved and MBZ
+ */
+
+#define STATUS_SEVERITY_SUCCESS cpu_to_le32(0x0000)
+#define STATUS_SEVERITY_INFORMATIONAL cpu_to_le32(0x0001)
+#define STATUS_SEVERITY_WARNING cpu_to_le32(0x0002)
+#define STATUS_SEVERITY_ERROR cpu_to_le32(0x0003)
+
+struct ntstatus {
+ /* Facility is the high 12 bits of the following field */
+ __le32 Facility; /* low 2 bits Severity, next is Customer, then rsrvd */
+ __le32 Code;
+};
+
+#define STATUS_SUCCESS 0x00000000
+#define STATUS_WAIT_0 cpu_to_le32(0x00000000)
+#define STATUS_WAIT_1 cpu_to_le32(0x00000001)
+#define STATUS_WAIT_2 cpu_to_le32(0x00000002)
+#define STATUS_WAIT_3 cpu_to_le32(0x00000003)
+#define STATUS_WAIT_63 cpu_to_le32(0x0000003F)
+#define STATUS_ABANDONED cpu_to_le32(0x00000080)
+#define STATUS_ABANDONED_WAIT_0 cpu_to_le32(0x00000080)
+#define STATUS_ABANDONED_WAIT_63 cpu_to_le32(0x000000BF)
+#define STATUS_USER_APC cpu_to_le32(0x000000C0)
+#define STATUS_KERNEL_APC cpu_to_le32(0x00000100)
+#define STATUS_ALERTED cpu_to_le32(0x00000101)
+#define STATUS_TIMEOUT cpu_to_le32(0x00000102)
+#define STATUS_PENDING cpu_to_le32(0x00000103)
+#define STATUS_REPARSE cpu_to_le32(0x00000104)
+#define STATUS_MORE_ENTRIES cpu_to_le32(0x00000105)
+#define STATUS_NOT_ALL_ASSIGNED cpu_to_le32(0x00000106)
+#define STATUS_SOME_NOT_MAPPED cpu_to_le32(0x00000107)
+#define STATUS_OPLOCK_BREAK_IN_PROGRESS cpu_to_le32(0x00000108)
+#define STATUS_VOLUME_MOUNTED cpu_to_le32(0x00000109)
+#define STATUS_RXACT_COMMITTED cpu_to_le32(0x0000010A)
+#define STATUS_NOTIFY_CLEANUP cpu_to_le32(0x0000010B)
+#define STATUS_NOTIFY_ENUM_DIR cpu_to_le32(0x0000010C)
+#define STATUS_NO_QUOTAS_FOR_ACCOUNT cpu_to_le32(0x0000010D)
+#define STATUS_PRIMARY_TRANSPORT_CONNECT_FAILED cpu_to_le32(0x0000010E)
+#define STATUS_PAGE_FAULT_TRANSITION cpu_to_le32(0x00000110)
+#define STATUS_PAGE_FAULT_DEMAND_ZERO cpu_to_le32(0x00000111)
+#define STATUS_PAGE_FAULT_COPY_ON_WRITE cpu_to_le32(0x00000112)
+#define STATUS_PAGE_FAULT_GUARD_PAGE cpu_to_le32(0x00000113)
+#define STATUS_PAGE_FAULT_PAGING_FILE cpu_to_le32(0x00000114)
+#define STATUS_CACHE_PAGE_LOCKED cpu_to_le32(0x00000115)
+#define STATUS_CRASH_DUMP cpu_to_le32(0x00000116)
+#define STATUS_BUFFER_ALL_ZEROS cpu_to_le32(0x00000117)
+#define STATUS_REPARSE_OBJECT cpu_to_le32(0x00000118)
+#define STATUS_RESOURCE_REQUIREMENTS_CHANGED cpu_to_le32(0x00000119)
+#define STATUS_TRANSLATION_COMPLETE cpu_to_le32(0x00000120)
+#define STATUS_DS_MEMBERSHIP_EVALUATED_LOCALLY cpu_to_le32(0x00000121)
+#define STATUS_NOTHING_TO_TERMINATE cpu_to_le32(0x00000122)
+#define STATUS_PROCESS_NOT_IN_JOB cpu_to_le32(0x00000123)
+#define STATUS_PROCESS_IN_JOB cpu_to_le32(0x00000124)
+#define STATUS_VOLSNAP_HIBERNATE_READY cpu_to_le32(0x00000125)
+#define STATUS_FSFILTER_OP_COMPLETED_SUCCESSFULLY cpu_to_le32(0x00000126)
+#define STATUS_INTERRUPT_VECTOR_ALREADY_CONNECTED cpu_to_le32(0x00000127)
+#define STATUS_INTERRUPT_STILL_CONNECTED cpu_to_le32(0x00000128)
+#define STATUS_PROCESS_CLONED cpu_to_le32(0x00000129)
+#define STATUS_FILE_LOCKED_WITH_ONLY_READERS cpu_to_le32(0x0000012A)
+#define STATUS_FILE_LOCKED_WITH_WRITERS cpu_to_le32(0x0000012B)
+#define STATUS_RESOURCEMANAGER_READ_ONLY cpu_to_le32(0x00000202)
+#define STATUS_WAIT_FOR_OPLOCK cpu_to_le32(0x00000367)
+#define DBG_EXCEPTION_HANDLED cpu_to_le32(0x00010001)
+#define DBG_CONTINUE cpu_to_le32(0x00010002)
+#define STATUS_FLT_IO_COMPLETE cpu_to_le32(0x001C0001)
+#define STATUS_OBJECT_NAME_EXISTS cpu_to_le32(0x40000000)
+#define STATUS_THREAD_WAS_SUSPENDED cpu_to_le32(0x40000001)
+#define STATUS_WORKING_SET_LIMIT_RANGE cpu_to_le32(0x40000002)
+#define STATUS_IMAGE_NOT_AT_BASE cpu_to_le32(0x40000003)
+#define STATUS_RXACT_STATE_CREATED cpu_to_le32(0x40000004)
+#define STATUS_SEGMENT_NOTIFICATION cpu_to_le32(0x40000005)
+#define STATUS_LOCAL_USER_SESSION_KEY cpu_to_le32(0x40000006)
+#define STATUS_BAD_CURRENT_DIRECTORY cpu_to_le32(0x40000007)
+#define STATUS_SERIAL_MORE_WRITES cpu_to_le32(0x40000008)
+#define STATUS_REGISTRY_RECOVERED cpu_to_le32(0x40000009)
+#define STATUS_FT_READ_RECOVERY_FROM_BACKUP cpu_to_le32(0x4000000A)
+#define STATUS_FT_WRITE_RECOVERY cpu_to_le32(0x4000000B)
+#define STATUS_SERIAL_COUNTER_TIMEOUT cpu_to_le32(0x4000000C)
+#define STATUS_NULL_LM_PASSWORD cpu_to_le32(0x4000000D)
+#define STATUS_IMAGE_MACHINE_TYPE_MISMATCH cpu_to_le32(0x4000000E)
+#define STATUS_RECEIVE_PARTIAL cpu_to_le32(0x4000000F)
+#define STATUS_RECEIVE_EXPEDITED cpu_to_le32(0x40000010)
+#define STATUS_RECEIVE_PARTIAL_EXPEDITED cpu_to_le32(0x40000011)
+#define STATUS_EVENT_DONE cpu_to_le32(0x40000012)
+#define STATUS_EVENT_PENDING cpu_to_le32(0x40000013)
+#define STATUS_CHECKING_FILE_SYSTEM cpu_to_le32(0x40000014)
+#define STATUS_FATAL_APP_EXIT cpu_to_le32(0x40000015)
+#define STATUS_PREDEFINED_HANDLE cpu_to_le32(0x40000016)
+#define STATUS_WAS_UNLOCKED cpu_to_le32(0x40000017)
+#define STATUS_SERVICE_NOTIFICATION cpu_to_le32(0x40000018)
+#define STATUS_WAS_LOCKED cpu_to_le32(0x40000019)
+#define STATUS_LOG_HARD_ERROR cpu_to_le32(0x4000001A)
+#define STATUS_ALREADY_WIN32 cpu_to_le32(0x4000001B)
+#define STATUS_WX86_UNSIMULATE cpu_to_le32(0x4000001C)
+#define STATUS_WX86_CONTINUE cpu_to_le32(0x4000001D)
+#define STATUS_WX86_SINGLE_STEP cpu_to_le32(0x4000001E)
+#define STATUS_WX86_BREAKPOINT cpu_to_le32(0x4000001F)
+#define STATUS_WX86_EXCEPTION_CONTINUE cpu_to_le32(0x40000020)
+#define STATUS_WX86_EXCEPTION_LASTCHANCE cpu_to_le32(0x40000021)
+#define STATUS_WX86_EXCEPTION_CHAIN cpu_to_le32(0x40000022)
+#define STATUS_IMAGE_MACHINE_TYPE_MISMATCH_EXE cpu_to_le32(0x40000023)
+#define STATUS_NO_YIELD_PERFORMED cpu_to_le32(0x40000024)
+#define STATUS_TIMER_RESUME_IGNORED cpu_to_le32(0x40000025)
+#define STATUS_ARBITRATION_UNHANDLED cpu_to_le32(0x40000026)
+#define STATUS_CARDBUS_NOT_SUPPORTED cpu_to_le32(0x40000027)
+#define STATUS_WX86_CREATEWX86TIB cpu_to_le32(0x40000028)
+#define STATUS_MP_PROCESSOR_MISMATCH cpu_to_le32(0x40000029)
+#define STATUS_HIBERNATED cpu_to_le32(0x4000002A)
+#define STATUS_RESUME_HIBERNATION cpu_to_le32(0x4000002B)
+#define STATUS_FIRMWARE_UPDATED cpu_to_le32(0x4000002C)
+#define STATUS_DRIVERS_LEAKING_LOCKED_PAGES cpu_to_le32(0x4000002D)
+#define STATUS_MESSAGE_RETRIEVED cpu_to_le32(0x4000002E)
+#define STATUS_SYSTEM_POWERSTATE_TRANSITION cpu_to_le32(0x4000002F)
+#define STATUS_ALPC_CHECK_COMPLETION_LIST cpu_to_le32(0x40000030)
+#define STATUS_SYSTEM_POWERSTATE_COMPLEX_TRANSITION cpu_to_le32(0x40000031)
+#define STATUS_ACCESS_AUDIT_BY_POLICY cpu_to_le32(0x40000032)
+#define STATUS_ABANDON_HIBERFILE cpu_to_le32(0x40000033)
+#define STATUS_BIZRULES_NOT_ENABLED cpu_to_le32(0x40000034)
+#define STATUS_WAKE_SYSTEM cpu_to_le32(0x40000294)
+#define STATUS_DS_SHUTTING_DOWN cpu_to_le32(0x40000370)
+#define DBG_REPLY_LATER cpu_to_le32(0x40010001)
+#define DBG_UNABLE_TO_PROVIDE_HANDLE cpu_to_le32(0x40010002)
+#define DBG_TERMINATE_THREAD cpu_to_le32(0x40010003)
+#define DBG_TERMINATE_PROCESS cpu_to_le32(0x40010004)
+#define DBG_CONTROL_C cpu_to_le32(0x40010005)
+#define DBG_PRINTEXCEPTION_C cpu_to_le32(0x40010006)
+#define DBG_RIPEXCEPTION cpu_to_le32(0x40010007)
+#define DBG_CONTROL_BREAK cpu_to_le32(0x40010008)
+#define DBG_COMMAND_EXCEPTION cpu_to_le32(0x40010009)
+#define RPC_NT_UUID_LOCAL_ONLY cpu_to_le32(0x40020056)
+#define RPC_NT_SEND_INCOMPLETE cpu_to_le32(0x400200AF)
+#define STATUS_CTX_CDM_CONNECT cpu_to_le32(0x400A0004)
+#define STATUS_CTX_CDM_DISCONNECT cpu_to_le32(0x400A0005)
+#define STATUS_SXS_RELEASE_ACTIVATION_CONTEXT cpu_to_le32(0x4015000D)
+#define STATUS_RECOVERY_NOT_NEEDED cpu_to_le32(0x40190034)
+#define STATUS_RM_ALREADY_STARTED cpu_to_le32(0x40190035)
+#define STATUS_LOG_NO_RESTART cpu_to_le32(0x401A000C)
+#define STATUS_VIDEO_DRIVER_DEBUG_REPORT_REQUEST cpu_to_le32(0x401B00EC)
+#define STATUS_GRAPHICS_PARTIAL_DATA_POPULATED cpu_to_le32(0x401E000A)
+#define STATUS_GRAPHICS_DRIVER_MISMATCH cpu_to_le32(0x401E0117)
+#define STATUS_GRAPHICS_MODE_NOT_PINNED cpu_to_le32(0x401E0307)
+#define STATUS_GRAPHICS_NO_PREFERRED_MODE cpu_to_le32(0x401E031E)
+#define STATUS_GRAPHICS_DATASET_IS_EMPTY cpu_to_le32(0x401E034B)
+#define STATUS_GRAPHICS_NO_MORE_ELEMENTS_IN_DATASET cpu_to_le32(0x401E034C)
+#define STATUS_GRAPHICS_PATH_CONTENT_GEOMETRY_TRANSFORMATION_NOT_PINNED \
+ cpu_to_le32(0x401E0351)
+#define STATUS_GRAPHICS_UNKNOWN_CHILD_STATUS cpu_to_le32(0x401E042F)
+#define STATUS_GRAPHICS_LEADLINK_START_DEFERRED cpu_to_le32(0x401E0437)
+#define STATUS_GRAPHICS_POLLING_TOO_FREQUENTLY cpu_to_le32(0x401E0439)
+#define STATUS_GRAPHICS_START_DEFERRED cpu_to_le32(0x401E043A)
+#define STATUS_NDIS_INDICATION_REQUIRED cpu_to_le32(0x40230001)
+#define STATUS_GUARD_PAGE_VIOLATION cpu_to_le32(0x80000001)
+#define STATUS_DATATYPE_MISALIGNMENT cpu_to_le32(0x80000002)
+#define STATUS_BREAKPOINT cpu_to_le32(0x80000003)
+#define STATUS_SINGLE_STEP cpu_to_le32(0x80000004)
+#define STATUS_BUFFER_OVERFLOW cpu_to_le32(0x80000005)
+#define STATUS_NO_MORE_FILES cpu_to_le32(0x80000006)
+#define STATUS_WAKE_SYSTEM_DEBUGGER cpu_to_le32(0x80000007)
+#define STATUS_HANDLES_CLOSED cpu_to_le32(0x8000000A)
+#define STATUS_NO_INHERITANCE cpu_to_le32(0x8000000B)
+#define STATUS_GUID_SUBSTITUTION_MADE cpu_to_le32(0x8000000C)
+#define STATUS_PARTIAL_COPY cpu_to_le32(0x8000000D)
+#define STATUS_DEVICE_PAPER_EMPTY cpu_to_le32(0x8000000E)
+#define STATUS_DEVICE_POWERED_OFF cpu_to_le32(0x8000000F)
+#define STATUS_DEVICE_OFF_LINE cpu_to_le32(0x80000010)
+#define STATUS_DEVICE_BUSY cpu_to_le32(0x80000011)
+#define STATUS_NO_MORE_EAS cpu_to_le32(0x80000012)
+#define STATUS_INVALID_EA_NAME cpu_to_le32(0x80000013)
+#define STATUS_EA_LIST_INCONSISTENT cpu_to_le32(0x80000014)
+#define STATUS_INVALID_EA_FLAG cpu_to_le32(0x80000015)
+#define STATUS_VERIFY_REQUIRED cpu_to_le32(0x80000016)
+#define STATUS_EXTRANEOUS_INFORMATION cpu_to_le32(0x80000017)
+#define STATUS_RXACT_COMMIT_NECESSARY cpu_to_le32(0x80000018)
+#define STATUS_NO_MORE_ENTRIES cpu_to_le32(0x8000001A)
+#define STATUS_FILEMARK_DETECTED cpu_to_le32(0x8000001B)
+#define STATUS_MEDIA_CHANGED cpu_to_le32(0x8000001C)
+#define STATUS_BUS_RESET cpu_to_le32(0x8000001D)
+#define STATUS_END_OF_MEDIA cpu_to_le32(0x8000001E)
+#define STATUS_BEGINNING_OF_MEDIA cpu_to_le32(0x8000001F)
+#define STATUS_MEDIA_CHECK cpu_to_le32(0x80000020)
+#define STATUS_SETMARK_DETECTED cpu_to_le32(0x80000021)
+#define STATUS_NO_DATA_DETECTED cpu_to_le32(0x80000022)
+#define STATUS_REDIRECTOR_HAS_OPEN_HANDLES cpu_to_le32(0x80000023)
+#define STATUS_SERVER_HAS_OPEN_HANDLES cpu_to_le32(0x80000024)
+#define STATUS_ALREADY_DISCONNECTED cpu_to_le32(0x80000025)
+#define STATUS_LONGJUMP cpu_to_le32(0x80000026)
+#define STATUS_CLEANER_CARTRIDGE_INSTALLED cpu_to_le32(0x80000027)
+#define STATUS_PLUGPLAY_QUERY_VETOED cpu_to_le32(0x80000028)
+#define STATUS_UNWIND_CONSOLIDATE cpu_to_le32(0x80000029)
+#define STATUS_REGISTRY_HIVE_RECOVERED cpu_to_le32(0x8000002A)
+#define STATUS_DLL_MIGHT_BE_INSECURE cpu_to_le32(0x8000002B)
+#define STATUS_DLL_MIGHT_BE_INCOMPATIBLE cpu_to_le32(0x8000002C)
+#define STATUS_STOPPED_ON_SYMLINK cpu_to_le32(0x8000002D)
+#define STATUS_DEVICE_REQUIRES_CLEANING cpu_to_le32(0x80000288)
+#define STATUS_DEVICE_DOOR_OPEN cpu_to_le32(0x80000289)
+#define STATUS_DATA_LOST_REPAIR cpu_to_le32(0x80000803)
+#define DBG_EXCEPTION_NOT_HANDLED cpu_to_le32(0x80010001)
+#define STATUS_CLUSTER_NODE_ALREADY_UP cpu_to_le32(0x80130001)
+#define STATUS_CLUSTER_NODE_ALREADY_DOWN cpu_to_le32(0x80130002)
+#define STATUS_CLUSTER_NETWORK_ALREADY_ONLINE cpu_to_le32(0x80130003)
+#define STATUS_CLUSTER_NETWORK_ALREADY_OFFLINE cpu_to_le32(0x80130004)
+#define STATUS_CLUSTER_NODE_ALREADY_MEMBER cpu_to_le32(0x80130005)
+#define STATUS_COULD_NOT_RESIZE_LOG cpu_to_le32(0x80190009)
+#define STATUS_NO_TXF_METADATA cpu_to_le32(0x80190029)
+#define STATUS_CANT_RECOVER_WITH_HANDLE_OPEN cpu_to_le32(0x80190031)
+#define STATUS_TXF_METADATA_ALREADY_PRESENT cpu_to_le32(0x80190041)
+#define STATUS_TRANSACTION_SCOPE_CALLBACKS_NOT_SET cpu_to_le32(0x80190042)
+#define STATUS_VIDEO_HUNG_DISPLAY_DRIVER_THREAD_RECOVERED \
+ cpu_to_le32(0x801B00EB)
+#define STATUS_FLT_BUFFER_TOO_SMALL cpu_to_le32(0x801C0001)
+#define STATUS_FVE_PARTIAL_METADATA cpu_to_le32(0x80210001)
+#define STATUS_UNSUCCESSFUL cpu_to_le32(0xC0000001)
+#define STATUS_NOT_IMPLEMENTED cpu_to_le32(0xC0000002)
+#define STATUS_INVALID_INFO_CLASS cpu_to_le32(0xC0000003)
+#define STATUS_INFO_LENGTH_MISMATCH cpu_to_le32(0xC0000004)
+#define STATUS_ACCESS_VIOLATION cpu_to_le32(0xC0000005)
+#define STATUS_IN_PAGE_ERROR cpu_to_le32(0xC0000006)
+#define STATUS_PAGEFILE_QUOTA cpu_to_le32(0xC0000007)
+#define STATUS_INVALID_HANDLE cpu_to_le32(0xC0000008)
+#define STATUS_BAD_INITIAL_STACK cpu_to_le32(0xC0000009)
+#define STATUS_BAD_INITIAL_PC cpu_to_le32(0xC000000A)
+#define STATUS_INVALID_CID cpu_to_le32(0xC000000B)
+#define STATUS_TIMER_NOT_CANCELED cpu_to_le32(0xC000000C)
+#define STATUS_INVALID_PARAMETER cpu_to_le32(0xC000000D)
+#define STATUS_NO_SUCH_DEVICE cpu_to_le32(0xC000000E)
+#define STATUS_NO_SUCH_FILE cpu_to_le32(0xC000000F)
+#define STATUS_INVALID_DEVICE_REQUEST cpu_to_le32(0xC0000010)
+#define STATUS_END_OF_FILE cpu_to_le32(0xC0000011)
+#define STATUS_WRONG_VOLUME cpu_to_le32(0xC0000012)
+#define STATUS_NO_MEDIA_IN_DEVICE cpu_to_le32(0xC0000013)
+#define STATUS_UNRECOGNIZED_MEDIA cpu_to_le32(0xC0000014)
+#define STATUS_NONEXISTENT_SECTOR cpu_to_le32(0xC0000015)
+#define STATUS_MORE_PROCESSING_REQUIRED cpu_to_le32(0xC0000016)
+#define STATUS_NO_MEMORY cpu_to_le32(0xC0000017)
+#define STATUS_CONFLICTING_ADDRESSES cpu_to_le32(0xC0000018)
+#define STATUS_NOT_MAPPED_VIEW cpu_to_le32(0xC0000019)
+#define STATUS_UNABLE_TO_FREE_VM cpu_to_le32(0xC000001A)
+#define STATUS_UNABLE_TO_DELETE_SECTION cpu_to_le32(0xC000001B)
+#define STATUS_INVALID_SYSTEM_SERVICE cpu_to_le32(0xC000001C)
+#define STATUS_ILLEGAL_INSTRUCTION cpu_to_le32(0xC000001D)
+#define STATUS_INVALID_LOCK_SEQUENCE cpu_to_le32(0xC000001E)
+#define STATUS_INVALID_VIEW_SIZE cpu_to_le32(0xC000001F)
+#define STATUS_INVALID_FILE_FOR_SECTION cpu_to_le32(0xC0000020)
+#define STATUS_ALREADY_COMMITTED cpu_to_le32(0xC0000021)
+#define STATUS_ACCESS_DENIED cpu_to_le32(0xC0000022)
+#define STATUS_BUFFER_TOO_SMALL cpu_to_le32(0xC0000023)
+#define STATUS_OBJECT_TYPE_MISMATCH cpu_to_le32(0xC0000024)
+#define STATUS_NONCONTINUABLE_EXCEPTION cpu_to_le32(0xC0000025)
+#define STATUS_INVALID_DISPOSITION cpu_to_le32(0xC0000026)
+#define STATUS_UNWIND cpu_to_le32(0xC0000027)
+#define STATUS_BAD_STACK cpu_to_le32(0xC0000028)
+#define STATUS_INVALID_UNWIND_TARGET cpu_to_le32(0xC0000029)
+#define STATUS_NOT_LOCKED cpu_to_le32(0xC000002A)
+#define STATUS_PARITY_ERROR cpu_to_le32(0xC000002B)
+#define STATUS_UNABLE_TO_DECOMMIT_VM cpu_to_le32(0xC000002C)
+#define STATUS_NOT_COMMITTED cpu_to_le32(0xC000002D)
+#define STATUS_INVALID_PORT_ATTRIBUTES cpu_to_le32(0xC000002E)
+#define STATUS_PORT_MESSAGE_TOO_LONG cpu_to_le32(0xC000002F)
+#define STATUS_INVALID_PARAMETER_MIX cpu_to_le32(0xC0000030)
+#define STATUS_INVALID_QUOTA_LOWER cpu_to_le32(0xC0000031)
+#define STATUS_DISK_CORRUPT_ERROR cpu_to_le32(0xC0000032)
+#define STATUS_OBJECT_NAME_INVALID cpu_to_le32(0xC0000033)
+#define STATUS_OBJECT_NAME_NOT_FOUND cpu_to_le32(0xC0000034)
+#define STATUS_OBJECT_NAME_COLLISION cpu_to_le32(0xC0000035)
+#define STATUS_PORT_DISCONNECTED cpu_to_le32(0xC0000037)
+#define STATUS_DEVICE_ALREADY_ATTACHED cpu_to_le32(0xC0000038)
+#define STATUS_OBJECT_PATH_INVALID cpu_to_le32(0xC0000039)
+#define STATUS_OBJECT_PATH_NOT_FOUND cpu_to_le32(0xC000003A)
+#define STATUS_OBJECT_PATH_SYNTAX_BAD cpu_to_le32(0xC000003B)
+#define STATUS_DATA_OVERRUN cpu_to_le32(0xC000003C)
+#define STATUS_DATA_LATE_ERROR cpu_to_le32(0xC000003D)
+#define STATUS_DATA_ERROR cpu_to_le32(0xC000003E)
+#define STATUS_CRC_ERROR cpu_to_le32(0xC000003F)
+#define STATUS_SECTION_TOO_BIG cpu_to_le32(0xC0000040)
+#define STATUS_PORT_CONNECTION_REFUSED cpu_to_le32(0xC0000041)
+#define STATUS_INVALID_PORT_HANDLE cpu_to_le32(0xC0000042)
+#define STATUS_SHARING_VIOLATION cpu_to_le32(0xC0000043)
+#define STATUS_QUOTA_EXCEEDED cpu_to_le32(0xC0000044)
+#define STATUS_INVALID_PAGE_PROTECTION cpu_to_le32(0xC0000045)
+#define STATUS_MUTANT_NOT_OWNED cpu_to_le32(0xC0000046)
+#define STATUS_SEMAPHORE_LIMIT_EXCEEDED cpu_to_le32(0xC0000047)
+#define STATUS_PORT_ALREADY_SET cpu_to_le32(0xC0000048)
+#define STATUS_SECTION_NOT_IMAGE cpu_to_le32(0xC0000049)
+#define STATUS_SUSPEND_COUNT_EXCEEDED cpu_to_le32(0xC000004A)
+#define STATUS_THREAD_IS_TERMINATING cpu_to_le32(0xC000004B)
+#define STATUS_BAD_WORKING_SET_LIMIT cpu_to_le32(0xC000004C)
+#define STATUS_INCOMPATIBLE_FILE_MAP cpu_to_le32(0xC000004D)
+#define STATUS_SECTION_PROTECTION cpu_to_le32(0xC000004E)
+#define STATUS_EAS_NOT_SUPPORTED cpu_to_le32(0xC000004F)
+#define STATUS_EA_TOO_LARGE cpu_to_le32(0xC0000050)
+#define STATUS_NONEXISTENT_EA_ENTRY cpu_to_le32(0xC0000051)
+#define STATUS_NO_EAS_ON_FILE cpu_to_le32(0xC0000052)
+#define STATUS_EA_CORRUPT_ERROR cpu_to_le32(0xC0000053)
+#define STATUS_FILE_LOCK_CONFLICT cpu_to_le32(0xC0000054)
+#define STATUS_LOCK_NOT_GRANTED cpu_to_le32(0xC0000055)
+#define STATUS_DELETE_PENDING cpu_to_le32(0xC0000056)
+#define STATUS_CTL_FILE_NOT_SUPPORTED cpu_to_le32(0xC0000057)
+#define STATUS_UNKNOWN_REVISION cpu_to_le32(0xC0000058)
+#define STATUS_REVISION_MISMATCH cpu_to_le32(0xC0000059)
+#define STATUS_INVALID_OWNER cpu_to_le32(0xC000005A)
+#define STATUS_INVALID_PRIMARY_GROUP cpu_to_le32(0xC000005B)
+#define STATUS_NO_IMPERSONATION_TOKEN cpu_to_le32(0xC000005C)
+#define STATUS_CANT_DISABLE_MANDATORY cpu_to_le32(0xC000005D)
+#define STATUS_NO_LOGON_SERVERS cpu_to_le32(0xC000005E)
+#define STATUS_NO_SUCH_LOGON_SESSION cpu_to_le32(0xC000005F)
+#define STATUS_NO_SUCH_PRIVILEGE cpu_to_le32(0xC0000060)
+#define STATUS_PRIVILEGE_NOT_HELD cpu_to_le32(0xC0000061)
+#define STATUS_INVALID_ACCOUNT_NAME cpu_to_le32(0xC0000062)
+#define STATUS_USER_EXISTS cpu_to_le32(0xC0000063)
+#define STATUS_NO_SUCH_USER cpu_to_le32(0xC0000064)
+#define STATUS_GROUP_EXISTS cpu_to_le32(0xC0000065)
+#define STATUS_NO_SUCH_GROUP cpu_to_le32(0xC0000066)
+#define STATUS_MEMBER_IN_GROUP cpu_to_le32(0xC0000067)
+#define STATUS_MEMBER_NOT_IN_GROUP cpu_to_le32(0xC0000068)
+#define STATUS_LAST_ADMIN cpu_to_le32(0xC0000069)
+#define STATUS_WRONG_PASSWORD cpu_to_le32(0xC000006A)
+#define STATUS_ILL_FORMED_PASSWORD cpu_to_le32(0xC000006B)
+#define STATUS_PASSWORD_RESTRICTION cpu_to_le32(0xC000006C)
+#define STATUS_LOGON_FAILURE cpu_to_le32(0xC000006D)
+#define STATUS_ACCOUNT_RESTRICTION cpu_to_le32(0xC000006E)
+#define STATUS_INVALID_LOGON_HOURS cpu_to_le32(0xC000006F)
+#define STATUS_INVALID_WORKSTATION cpu_to_le32(0xC0000070)
+#define STATUS_PASSWORD_EXPIRED cpu_to_le32(0xC0000071)
+#define STATUS_ACCOUNT_DISABLED cpu_to_le32(0xC0000072)
+#define STATUS_NONE_MAPPED cpu_to_le32(0xC0000073)
+#define STATUS_TOO_MANY_LUIDS_REQUESTED cpu_to_le32(0xC0000074)
+#define STATUS_LUIDS_EXHAUSTED cpu_to_le32(0xC0000075)
+#define STATUS_INVALID_SUB_AUTHORITY cpu_to_le32(0xC0000076)
+#define STATUS_INVALID_ACL cpu_to_le32(0xC0000077)
+#define STATUS_INVALID_SID cpu_to_le32(0xC0000078)
+#define STATUS_INVALID_SECURITY_DESCR cpu_to_le32(0xC0000079)
+#define STATUS_PROCEDURE_NOT_FOUND cpu_to_le32(0xC000007A)
+#define STATUS_INVALID_IMAGE_FORMAT cpu_to_le32(0xC000007B)
+#define STATUS_NO_TOKEN cpu_to_le32(0xC000007C)
+#define STATUS_BAD_INHERITANCE_ACL cpu_to_le32(0xC000007D)
+#define STATUS_RANGE_NOT_LOCKED cpu_to_le32(0xC000007E)
+#define STATUS_DISK_FULL cpu_to_le32(0xC000007F)
+#define STATUS_SERVER_DISABLED cpu_to_le32(0xC0000080)
+#define STATUS_SERVER_NOT_DISABLED cpu_to_le32(0xC0000081)
+#define STATUS_TOO_MANY_GUIDS_REQUESTED cpu_to_le32(0xC0000082)
+#define STATUS_GUIDS_EXHAUSTED cpu_to_le32(0xC0000083)
+#define STATUS_INVALID_ID_AUTHORITY cpu_to_le32(0xC0000084)
+#define STATUS_AGENTS_EXHAUSTED cpu_to_le32(0xC0000085)
+#define STATUS_INVALID_VOLUME_LABEL cpu_to_le32(0xC0000086)
+#define STATUS_SECTION_NOT_EXTENDED cpu_to_le32(0xC0000087)
+#define STATUS_NOT_MAPPED_DATA cpu_to_le32(0xC0000088)
+#define STATUS_RESOURCE_DATA_NOT_FOUND cpu_to_le32(0xC0000089)
+#define STATUS_RESOURCE_TYPE_NOT_FOUND cpu_to_le32(0xC000008A)
+#define STATUS_RESOURCE_NAME_NOT_FOUND cpu_to_le32(0xC000008B)
+#define STATUS_ARRAY_BOUNDS_EXCEEDED cpu_to_le32(0xC000008C)
+#define STATUS_FLOAT_DENORMAL_OPERAND cpu_to_le32(0xC000008D)
+#define STATUS_FLOAT_DIVIDE_BY_ZERO cpu_to_le32(0xC000008E)
+#define STATUS_FLOAT_INEXACT_RESULT cpu_to_le32(0xC000008F)
+#define STATUS_FLOAT_INVALID_OPERATION cpu_to_le32(0xC0000090)
+#define STATUS_FLOAT_OVERFLOW cpu_to_le32(0xC0000091)
+#define STATUS_FLOAT_STACK_CHECK cpu_to_le32(0xC0000092)
+#define STATUS_FLOAT_UNDERFLOW cpu_to_le32(0xC0000093)
+#define STATUS_INTEGER_DIVIDE_BY_ZERO cpu_to_le32(0xC0000094)
+#define STATUS_INTEGER_OVERFLOW cpu_to_le32(0xC0000095)
+#define STATUS_PRIVILEGED_INSTRUCTION cpu_to_le32(0xC0000096)
+#define STATUS_TOO_MANY_PAGING_FILES cpu_to_le32(0xC0000097)
+#define STATUS_FILE_INVALID cpu_to_le32(0xC0000098)
+#define STATUS_ALLOTTED_SPACE_EXCEEDED cpu_to_le32(0xC0000099)
+#define STATUS_INSUFFICIENT_RESOURCES cpu_to_le32(0xC000009A)
+#define STATUS_DFS_EXIT_PATH_FOUND cpu_to_le32(0xC000009B)
+#define STATUS_DEVICE_DATA_ERROR cpu_to_le32(0xC000009C)
+#define STATUS_DEVICE_NOT_CONNECTED cpu_to_le32(0xC000009D)
+#define STATUS_DEVICE_POWER_FAILURE cpu_to_le32(0xC000009E)
+#define STATUS_FREE_VM_NOT_AT_BASE cpu_to_le32(0xC000009F)
+#define STATUS_MEMORY_NOT_ALLOCATED cpu_to_le32(0xC00000A0)
+#define STATUS_WORKING_SET_QUOTA cpu_to_le32(0xC00000A1)
+#define STATUS_MEDIA_WRITE_PROTECTED cpu_to_le32(0xC00000A2)
+#define STATUS_DEVICE_NOT_READY cpu_to_le32(0xC00000A3)
+#define STATUS_INVALID_GROUP_ATTRIBUTES cpu_to_le32(0xC00000A4)
+#define STATUS_BAD_IMPERSONATION_LEVEL cpu_to_le32(0xC00000A5)
+#define STATUS_CANT_OPEN_ANONYMOUS cpu_to_le32(0xC00000A6)
+#define STATUS_BAD_VALIDATION_CLASS cpu_to_le32(0xC00000A7)
+#define STATUS_BAD_TOKEN_TYPE cpu_to_le32(0xC00000A8)
+#define STATUS_BAD_MASTER_BOOT_RECORD cpu_to_le32(0xC00000A9)
+#define STATUS_INSTRUCTION_MISALIGNMENT cpu_to_le32(0xC00000AA)
+#define STATUS_INSTANCE_NOT_AVAILABLE cpu_to_le32(0xC00000AB)
+#define STATUS_PIPE_NOT_AVAILABLE cpu_to_le32(0xC00000AC)
+#define STATUS_INVALID_PIPE_STATE cpu_to_le32(0xC00000AD)
+#define STATUS_PIPE_BUSY cpu_to_le32(0xC00000AE)
+#define STATUS_ILLEGAL_FUNCTION cpu_to_le32(0xC00000AF)
+#define STATUS_PIPE_DISCONNECTED cpu_to_le32(0xC00000B0)
+#define STATUS_PIPE_CLOSING cpu_to_le32(0xC00000B1)
+#define STATUS_PIPE_CONNECTED cpu_to_le32(0xC00000B2)
+#define STATUS_PIPE_LISTENING cpu_to_le32(0xC00000B3)
+#define STATUS_INVALID_READ_MODE cpu_to_le32(0xC00000B4)
+#define STATUS_IO_TIMEOUT cpu_to_le32(0xC00000B5)
+#define STATUS_FILE_FORCED_CLOSED cpu_to_le32(0xC00000B6)
+#define STATUS_PROFILING_NOT_STARTED cpu_to_le32(0xC00000B7)
+#define STATUS_PROFILING_NOT_STOPPED cpu_to_le32(0xC00000B8)
+#define STATUS_COULD_NOT_INTERPRET cpu_to_le32(0xC00000B9)
+#define STATUS_FILE_IS_A_DIRECTORY cpu_to_le32(0xC00000BA)
+#define STATUS_NOT_SUPPORTED cpu_to_le32(0xC00000BB)
+#define STATUS_REMOTE_NOT_LISTENING cpu_to_le32(0xC00000BC)
+#define STATUS_DUPLICATE_NAME cpu_to_le32(0xC00000BD)
+#define STATUS_BAD_NETWORK_PATH cpu_to_le32(0xC00000BE)
+#define STATUS_NETWORK_BUSY cpu_to_le32(0xC00000BF)
+#define STATUS_DEVICE_DOES_NOT_EXIST cpu_to_le32(0xC00000C0)
+#define STATUS_TOO_MANY_COMMANDS cpu_to_le32(0xC00000C1)
+#define STATUS_ADAPTER_HARDWARE_ERROR cpu_to_le32(0xC00000C2)
+#define STATUS_INVALID_NETWORK_RESPONSE cpu_to_le32(0xC00000C3)
+#define STATUS_UNEXPECTED_NETWORK_ERROR cpu_to_le32(0xC00000C4)
+#define STATUS_BAD_REMOTE_ADAPTER cpu_to_le32(0xC00000C5)
+#define STATUS_PRINT_QUEUE_FULL cpu_to_le32(0xC00000C6)
+#define STATUS_NO_SPOOL_SPACE cpu_to_le32(0xC00000C7)
+#define STATUS_PRINT_CANCELLED cpu_to_le32(0xC00000C8)
+#define STATUS_NETWORK_NAME_DELETED cpu_to_le32(0xC00000C9)
+#define STATUS_NETWORK_ACCESS_DENIED cpu_to_le32(0xC00000CA)
+#define STATUS_BAD_DEVICE_TYPE cpu_to_le32(0xC00000CB)
+#define STATUS_BAD_NETWORK_NAME cpu_to_le32(0xC00000CC)
+#define STATUS_TOO_MANY_NAMES cpu_to_le32(0xC00000CD)
+#define STATUS_TOO_MANY_SESSIONS cpu_to_le32(0xC00000CE)
+#define STATUS_SHARING_PAUSED cpu_to_le32(0xC00000CF)
+#define STATUS_REQUEST_NOT_ACCEPTED cpu_to_le32(0xC00000D0)
+#define STATUS_REDIRECTOR_PAUSED cpu_to_le32(0xC00000D1)
+#define STATUS_NET_WRITE_FAULT cpu_to_le32(0xC00000D2)
+#define STATUS_PROFILING_AT_LIMIT cpu_to_le32(0xC00000D3)
+#define STATUS_NOT_SAME_DEVICE cpu_to_le32(0xC00000D4)
+#define STATUS_FILE_RENAMED cpu_to_le32(0xC00000D5)
+#define STATUS_VIRTUAL_CIRCUIT_CLOSED cpu_to_le32(0xC00000D6)
+#define STATUS_NO_SECURITY_ON_OBJECT cpu_to_le32(0xC00000D7)
+#define STATUS_CANT_WAIT cpu_to_le32(0xC00000D8)
+#define STATUS_PIPE_EMPTY cpu_to_le32(0xC00000D9)
+#define STATUS_CANT_ACCESS_DOMAIN_INFO cpu_to_le32(0xC00000DA)
+#define STATUS_CANT_TERMINATE_SELF cpu_to_le32(0xC00000DB)
+#define STATUS_INVALID_SERVER_STATE cpu_to_le32(0xC00000DC)
+#define STATUS_INVALID_DOMAIN_STATE cpu_to_le32(0xC00000DD)
+#define STATUS_INVALID_DOMAIN_ROLE cpu_to_le32(0xC00000DE)
+#define STATUS_NO_SUCH_DOMAIN cpu_to_le32(0xC00000DF)
+#define STATUS_DOMAIN_EXISTS cpu_to_le32(0xC00000E0)
+#define STATUS_DOMAIN_LIMIT_EXCEEDED cpu_to_le32(0xC00000E1)
+#define STATUS_OPLOCK_NOT_GRANTED cpu_to_le32(0xC00000E2)
+#define STATUS_INVALID_OPLOCK_PROTOCOL cpu_to_le32(0xC00000E3)
+#define STATUS_INTERNAL_DB_CORRUPTION cpu_to_le32(0xC00000E4)
+#define STATUS_INTERNAL_ERROR cpu_to_le32(0xC00000E5)
+#define STATUS_GENERIC_NOT_MAPPED cpu_to_le32(0xC00000E6)
+#define STATUS_BAD_DESCRIPTOR_FORMAT cpu_to_le32(0xC00000E7)
+#define STATUS_INVALID_USER_BUFFER cpu_to_le32(0xC00000E8)
+#define STATUS_UNEXPECTED_IO_ERROR cpu_to_le32(0xC00000E9)
+#define STATUS_UNEXPECTED_MM_CREATE_ERR cpu_to_le32(0xC00000EA)
+#define STATUS_UNEXPECTED_MM_MAP_ERROR cpu_to_le32(0xC00000EB)
+#define STATUS_UNEXPECTED_MM_EXTEND_ERR cpu_to_le32(0xC00000EC)
+#define STATUS_NOT_LOGON_PROCESS cpu_to_le32(0xC00000ED)
+#define STATUS_LOGON_SESSION_EXISTS cpu_to_le32(0xC00000EE)
+#define STATUS_INVALID_PARAMETER_1 cpu_to_le32(0xC00000EF)
+#define STATUS_INVALID_PARAMETER_2 cpu_to_le32(0xC00000F0)
+#define STATUS_INVALID_PARAMETER_3 cpu_to_le32(0xC00000F1)
+#define STATUS_INVALID_PARAMETER_4 cpu_to_le32(0xC00000F2)
+#define STATUS_INVALID_PARAMETER_5 cpu_to_le32(0xC00000F3)
+#define STATUS_INVALID_PARAMETER_6 cpu_to_le32(0xC00000F4)
+#define STATUS_INVALID_PARAMETER_7 cpu_to_le32(0xC00000F5)
+#define STATUS_INVALID_PARAMETER_8 cpu_to_le32(0xC00000F6)
+#define STATUS_INVALID_PARAMETER_9 cpu_to_le32(0xC00000F7)
+#define STATUS_INVALID_PARAMETER_10 cpu_to_le32(0xC00000F8)
+#define STATUS_INVALID_PARAMETER_11 cpu_to_le32(0xC00000F9)
+#define STATUS_INVALID_PARAMETER_12 cpu_to_le32(0xC00000FA)
+#define STATUS_REDIRECTOR_NOT_STARTED cpu_to_le32(0xC00000FB)
+#define STATUS_REDIRECTOR_STARTED cpu_to_le32(0xC00000FC)
+#define STATUS_STACK_OVERFLOW cpu_to_le32(0xC00000FD)
+#define STATUS_NO_SUCH_PACKAGE cpu_to_le32(0xC00000FE)
+#define STATUS_BAD_FUNCTION_TABLE cpu_to_le32(0xC00000FF)
+#define STATUS_VARIABLE_NOT_FOUND cpu_to_le32(0xC0000100)
+#define STATUS_DIRECTORY_NOT_EMPTY cpu_to_le32(0xC0000101)
+#define STATUS_FILE_CORRUPT_ERROR cpu_to_le32(0xC0000102)
+#define STATUS_NOT_A_DIRECTORY cpu_to_le32(0xC0000103)
+#define STATUS_BAD_LOGON_SESSION_STATE cpu_to_le32(0xC0000104)
+#define STATUS_LOGON_SESSION_COLLISION cpu_to_le32(0xC0000105)
+#define STATUS_NAME_TOO_LONG cpu_to_le32(0xC0000106)
+#define STATUS_FILES_OPEN cpu_to_le32(0xC0000107)
+#define STATUS_CONNECTION_IN_USE cpu_to_le32(0xC0000108)
+#define STATUS_MESSAGE_NOT_FOUND cpu_to_le32(0xC0000109)
+#define STATUS_PROCESS_IS_TERMINATING cpu_to_le32(0xC000010A)
+#define STATUS_INVALID_LOGON_TYPE cpu_to_le32(0xC000010B)
+#define STATUS_NO_GUID_TRANSLATION cpu_to_le32(0xC000010C)
+#define STATUS_CANNOT_IMPERSONATE cpu_to_le32(0xC000010D)
+#define STATUS_IMAGE_ALREADY_LOADED cpu_to_le32(0xC000010E)
+#define STATUS_ABIOS_NOT_PRESENT cpu_to_le32(0xC000010F)
+#define STATUS_ABIOS_LID_NOT_EXIST cpu_to_le32(0xC0000110)
+#define STATUS_ABIOS_LID_ALREADY_OWNED cpu_to_le32(0xC0000111)
+#define STATUS_ABIOS_NOT_LID_OWNER cpu_to_le32(0xC0000112)
+#define STATUS_ABIOS_INVALID_COMMAND cpu_to_le32(0xC0000113)
+#define STATUS_ABIOS_INVALID_LID cpu_to_le32(0xC0000114)
+#define STATUS_ABIOS_SELECTOR_NOT_AVAILABLE cpu_to_le32(0xC0000115)
+#define STATUS_ABIOS_INVALID_SELECTOR cpu_to_le32(0xC0000116)
+#define STATUS_NO_LDT cpu_to_le32(0xC0000117)
+#define STATUS_INVALID_LDT_SIZE cpu_to_le32(0xC0000118)
+#define STATUS_INVALID_LDT_OFFSET cpu_to_le32(0xC0000119)
+#define STATUS_INVALID_LDT_DESCRIPTOR cpu_to_le32(0xC000011A)
+#define STATUS_INVALID_IMAGE_NE_FORMAT cpu_to_le32(0xC000011B)
+#define STATUS_RXACT_INVALID_STATE cpu_to_le32(0xC000011C)
+#define STATUS_RXACT_COMMIT_FAILURE cpu_to_le32(0xC000011D)
+#define STATUS_MAPPED_FILE_SIZE_ZERO cpu_to_le32(0xC000011E)
+#define STATUS_TOO_MANY_OPENED_FILES cpu_to_le32(0xC000011F)
+#define STATUS_CANCELLED cpu_to_le32(0xC0000120)
+#define STATUS_CANNOT_DELETE cpu_to_le32(0xC0000121)
+#define STATUS_INVALID_COMPUTER_NAME cpu_to_le32(0xC0000122)
+#define STATUS_FILE_DELETED cpu_to_le32(0xC0000123)
+#define STATUS_SPECIAL_ACCOUNT cpu_to_le32(0xC0000124)
+#define STATUS_SPECIAL_GROUP cpu_to_le32(0xC0000125)
+#define STATUS_SPECIAL_USER cpu_to_le32(0xC0000126)
+#define STATUS_MEMBERS_PRIMARY_GROUP cpu_to_le32(0xC0000127)
+#define STATUS_FILE_CLOSED cpu_to_le32(0xC0000128)
+#define STATUS_TOO_MANY_THREADS cpu_to_le32(0xC0000129)
+#define STATUS_THREAD_NOT_IN_PROCESS cpu_to_le32(0xC000012A)
+#define STATUS_TOKEN_ALREADY_IN_USE cpu_to_le32(0xC000012B)
+#define STATUS_PAGEFILE_QUOTA_EXCEEDED cpu_to_le32(0xC000012C)
+#define STATUS_COMMITMENT_LIMIT cpu_to_le32(0xC000012D)
+#define STATUS_INVALID_IMAGE_LE_FORMAT cpu_to_le32(0xC000012E)
+#define STATUS_INVALID_IMAGE_NOT_MZ cpu_to_le32(0xC000012F)
+#define STATUS_INVALID_IMAGE_PROTECT cpu_to_le32(0xC0000130)
+#define STATUS_INVALID_IMAGE_WIN_16 cpu_to_le32(0xC0000131)
+#define STATUS_LOGON_SERVER_CONFLICT cpu_to_le32(0xC0000132)
+#define STATUS_TIME_DIFFERENCE_AT_DC cpu_to_le32(0xC0000133)
+#define STATUS_SYNCHRONIZATION_REQUIRED cpu_to_le32(0xC0000134)
+#define STATUS_DLL_NOT_FOUND cpu_to_le32(0xC0000135)
+#define STATUS_OPEN_FAILED cpu_to_le32(0xC0000136)
+#define STATUS_IO_PRIVILEGE_FAILED cpu_to_le32(0xC0000137)
+#define STATUS_ORDINAL_NOT_FOUND cpu_to_le32(0xC0000138)
+#define STATUS_ENTRYPOINT_NOT_FOUND cpu_to_le32(0xC0000139)
+#define STATUS_CONTROL_C_EXIT cpu_to_le32(0xC000013A)
+#define STATUS_LOCAL_DISCONNECT cpu_to_le32(0xC000013B)
+#define STATUS_REMOTE_DISCONNECT cpu_to_le32(0xC000013C)
+#define STATUS_REMOTE_RESOURCES cpu_to_le32(0xC000013D)
+#define STATUS_LINK_FAILED cpu_to_le32(0xC000013E)
+#define STATUS_LINK_TIMEOUT cpu_to_le32(0xC000013F)
+#define STATUS_INVALID_CONNECTION cpu_to_le32(0xC0000140)
+#define STATUS_INVALID_ADDRESS cpu_to_le32(0xC0000141)
+#define STATUS_DLL_INIT_FAILED cpu_to_le32(0xC0000142)
+#define STATUS_MISSING_SYSTEMFILE cpu_to_le32(0xC0000143)
+#define STATUS_UNHANDLED_EXCEPTION cpu_to_le32(0xC0000144)
+#define STATUS_APP_INIT_FAILURE cpu_to_le32(0xC0000145)
+#define STATUS_PAGEFILE_CREATE_FAILED cpu_to_le32(0xC0000146)
+#define STATUS_NO_PAGEFILE cpu_to_le32(0xC0000147)
+#define STATUS_INVALID_LEVEL cpu_to_le32(0xC0000148)
+#define STATUS_WRONG_PASSWORD_CORE cpu_to_le32(0xC0000149)
+#define STATUS_ILLEGAL_FLOAT_CONTEXT cpu_to_le32(0xC000014A)
+#define STATUS_PIPE_BROKEN cpu_to_le32(0xC000014B)
+#define STATUS_REGISTRY_CORRUPT cpu_to_le32(0xC000014C)
+#define STATUS_REGISTRY_IO_FAILED cpu_to_le32(0xC000014D)
+#define STATUS_NO_EVENT_PAIR cpu_to_le32(0xC000014E)
+#define STATUS_UNRECOGNIZED_VOLUME cpu_to_le32(0xC000014F)
+#define STATUS_SERIAL_NO_DEVICE_INITED cpu_to_le32(0xC0000150)
+#define STATUS_NO_SUCH_ALIAS cpu_to_le32(0xC0000151)
+#define STATUS_MEMBER_NOT_IN_ALIAS cpu_to_le32(0xC0000152)
+#define STATUS_MEMBER_IN_ALIAS cpu_to_le32(0xC0000153)
+#define STATUS_ALIAS_EXISTS cpu_to_le32(0xC0000154)
+#define STATUS_LOGON_NOT_GRANTED cpu_to_le32(0xC0000155)
+#define STATUS_TOO_MANY_SECRETS cpu_to_le32(0xC0000156)
+#define STATUS_SECRET_TOO_LONG cpu_to_le32(0xC0000157)
+#define STATUS_INTERNAL_DB_ERROR cpu_to_le32(0xC0000158)
+#define STATUS_FULLSCREEN_MODE cpu_to_le32(0xC0000159)
+#define STATUS_TOO_MANY_CONTEXT_IDS cpu_to_le32(0xC000015A)
+#define STATUS_LOGON_TYPE_NOT_GRANTED cpu_to_le32(0xC000015B)
+#define STATUS_NOT_REGISTRY_FILE cpu_to_le32(0xC000015C)
+#define STATUS_NT_CROSS_ENCRYPTION_REQUIRED cpu_to_le32(0xC000015D)
+#define STATUS_DOMAIN_CTRLR_CONFIG_ERROR cpu_to_le32(0xC000015E)
+#define STATUS_FT_MISSING_MEMBER cpu_to_le32(0xC000015F)
+#define STATUS_ILL_FORMED_SERVICE_ENTRY cpu_to_le32(0xC0000160)
+#define STATUS_ILLEGAL_CHARACTER cpu_to_le32(0xC0000161)
+#define STATUS_UNMAPPABLE_CHARACTER cpu_to_le32(0xC0000162)
+#define STATUS_UNDEFINED_CHARACTER cpu_to_le32(0xC0000163)
+#define STATUS_FLOPPY_VOLUME cpu_to_le32(0xC0000164)
+#define STATUS_FLOPPY_ID_MARK_NOT_FOUND cpu_to_le32(0xC0000165)
+#define STATUS_FLOPPY_WRONG_CYLINDER cpu_to_le32(0xC0000166)
+#define STATUS_FLOPPY_UNKNOWN_ERROR cpu_to_le32(0xC0000167)
+#define STATUS_FLOPPY_BAD_REGISTERS cpu_to_le32(0xC0000168)
+#define STATUS_DISK_RECALIBRATE_FAILED cpu_to_le32(0xC0000169)
+#define STATUS_DISK_OPERATION_FAILED cpu_to_le32(0xC000016A)
+#define STATUS_DISK_RESET_FAILED cpu_to_le32(0xC000016B)
+#define STATUS_SHARED_IRQ_BUSY cpu_to_le32(0xC000016C)
+#define STATUS_FT_ORPHANING cpu_to_le32(0xC000016D)
+#define STATUS_BIOS_FAILED_TO_CONNECT_INTERRUPT cpu_to_le32(0xC000016E)
+#define STATUS_PARTITION_FAILURE cpu_to_le32(0xC0000172)
+#define STATUS_INVALID_BLOCK_LENGTH cpu_to_le32(0xC0000173)
+#define STATUS_DEVICE_NOT_PARTITIONED cpu_to_le32(0xC0000174)
+#define STATUS_UNABLE_TO_LOCK_MEDIA cpu_to_le32(0xC0000175)
+#define STATUS_UNABLE_TO_UNLOAD_MEDIA cpu_to_le32(0xC0000176)
+#define STATUS_EOM_OVERFLOW cpu_to_le32(0xC0000177)
+#define STATUS_NO_MEDIA cpu_to_le32(0xC0000178)
+#define STATUS_NO_SUCH_MEMBER cpu_to_le32(0xC000017A)
+#define STATUS_INVALID_MEMBER cpu_to_le32(0xC000017B)
+#define STATUS_KEY_DELETED cpu_to_le32(0xC000017C)
+#define STATUS_NO_LOG_SPACE cpu_to_le32(0xC000017D)
+#define STATUS_TOO_MANY_SIDS cpu_to_le32(0xC000017E)
+#define STATUS_LM_CROSS_ENCRYPTION_REQUIRED cpu_to_le32(0xC000017F)
+#define STATUS_KEY_HAS_CHILDREN cpu_to_le32(0xC0000180)
+#define STATUS_CHILD_MUST_BE_VOLATILE cpu_to_le32(0xC0000181)
+#define STATUS_DEVICE_CONFIGURATION_ERROR cpu_to_le32(0xC0000182)
+#define STATUS_DRIVER_INTERNAL_ERROR cpu_to_le32(0xC0000183)
+#define STATUS_INVALID_DEVICE_STATE cpu_to_le32(0xC0000184)
+#define STATUS_IO_DEVICE_ERROR cpu_to_le32(0xC0000185)
+#define STATUS_DEVICE_PROTOCOL_ERROR cpu_to_le32(0xC0000186)
+#define STATUS_BACKUP_CONTROLLER cpu_to_le32(0xC0000187)
+#define STATUS_LOG_FILE_FULL cpu_to_le32(0xC0000188)
+#define STATUS_TOO_LATE cpu_to_le32(0xC0000189)
+#define STATUS_NO_TRUST_LSA_SECRET cpu_to_le32(0xC000018A)
+#define STATUS_NO_TRUST_SAM_ACCOUNT cpu_to_le32(0xC000018B)
+#define STATUS_TRUSTED_DOMAIN_FAILURE cpu_to_le32(0xC000018C)
+#define STATUS_TRUSTED_RELATIONSHIP_FAILURE cpu_to_le32(0xC000018D)
+#define STATUS_EVENTLOG_FILE_CORRUPT cpu_to_le32(0xC000018E)
+#define STATUS_EVENTLOG_CANT_START cpu_to_le32(0xC000018F)
+#define STATUS_TRUST_FAILURE cpu_to_le32(0xC0000190)
+#define STATUS_MUTANT_LIMIT_EXCEEDED cpu_to_le32(0xC0000191)
+#define STATUS_NETLOGON_NOT_STARTED cpu_to_le32(0xC0000192)
+#define STATUS_ACCOUNT_EXPIRED cpu_to_le32(0xC0000193)
+#define STATUS_POSSIBLE_DEADLOCK cpu_to_le32(0xC0000194)
+#define STATUS_NETWORK_CREDENTIAL_CONFLICT cpu_to_le32(0xC0000195)
+#define STATUS_REMOTE_SESSION_LIMIT cpu_to_le32(0xC0000196)
+#define STATUS_EVENTLOG_FILE_CHANGED cpu_to_le32(0xC0000197)
+#define STATUS_NOLOGON_INTERDOMAIN_TRUST_ACCOUNT cpu_to_le32(0xC0000198)
+#define STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT cpu_to_le32(0xC0000199)
+#define STATUS_NOLOGON_SERVER_TRUST_ACCOUNT cpu_to_le32(0xC000019A)
+#define STATUS_DOMAIN_TRUST_INCONSISTENT cpu_to_le32(0xC000019B)
+#define STATUS_FS_DRIVER_REQUIRED cpu_to_le32(0xC000019C)
+#define STATUS_IMAGE_ALREADY_LOADED_AS_DLL cpu_to_le32(0xC000019D)
+#define STATUS_NETWORK_OPEN_RESTRICTION cpu_to_le32(0xC0000201)
+#define STATUS_NO_USER_SESSION_KEY cpu_to_le32(0xC0000202)
+#define STATUS_USER_SESSION_DELETED cpu_to_le32(0xC0000203)
+#define STATUS_RESOURCE_LANG_NOT_FOUND cpu_to_le32(0xC0000204)
+#define STATUS_INSUFF_SERVER_RESOURCES cpu_to_le32(0xC0000205)
+#define STATUS_INVALID_BUFFER_SIZE cpu_to_le32(0xC0000206)
+#define STATUS_INVALID_ADDRESS_COMPONENT cpu_to_le32(0xC0000207)
+#define STATUS_INVALID_ADDRESS_WILDCARD cpu_to_le32(0xC0000208)
+#define STATUS_TOO_MANY_ADDRESSES cpu_to_le32(0xC0000209)
+#define STATUS_ADDRESS_ALREADY_EXISTS cpu_to_le32(0xC000020A)
+#define STATUS_ADDRESS_CLOSED cpu_to_le32(0xC000020B)
+#define STATUS_CONNECTION_DISCONNECTED cpu_to_le32(0xC000020C)
+#define STATUS_CONNECTION_RESET cpu_to_le32(0xC000020D)
+#define STATUS_TOO_MANY_NODES cpu_to_le32(0xC000020E)
+#define STATUS_TRANSACTION_ABORTED cpu_to_le32(0xC000020F)
+#define STATUS_TRANSACTION_TIMED_OUT cpu_to_le32(0xC0000210)
+#define STATUS_TRANSACTION_NO_RELEASE cpu_to_le32(0xC0000211)
+#define STATUS_TRANSACTION_NO_MATCH cpu_to_le32(0xC0000212)
+#define STATUS_TRANSACTION_RESPONDED cpu_to_le32(0xC0000213)
+#define STATUS_TRANSACTION_INVALID_ID cpu_to_le32(0xC0000214)
+#define STATUS_TRANSACTION_INVALID_TYPE cpu_to_le32(0xC0000215)
+#define STATUS_NOT_SERVER_SESSION cpu_to_le32(0xC0000216)
+#define STATUS_NOT_CLIENT_SESSION cpu_to_le32(0xC0000217)
+#define STATUS_CANNOT_LOAD_REGISTRY_FILE cpu_to_le32(0xC0000218)
+#define STATUS_DEBUG_ATTACH_FAILED cpu_to_le32(0xC0000219)
+#define STATUS_SYSTEM_PROCESS_TERMINATED cpu_to_le32(0xC000021A)
+#define STATUS_DATA_NOT_ACCEPTED cpu_to_le32(0xC000021B)
+#define STATUS_NO_BROWSER_SERVERS_FOUND cpu_to_le32(0xC000021C)
+#define STATUS_VDM_HARD_ERROR cpu_to_le32(0xC000021D)
+#define STATUS_DRIVER_CANCEL_TIMEOUT cpu_to_le32(0xC000021E)
+#define STATUS_REPLY_MESSAGE_MISMATCH cpu_to_le32(0xC000021F)
+#define STATUS_MAPPED_ALIGNMENT cpu_to_le32(0xC0000220)
+#define STATUS_IMAGE_CHECKSUM_MISMATCH cpu_to_le32(0xC0000221)
+#define STATUS_LOST_WRITEBEHIND_DATA cpu_to_le32(0xC0000222)
+#define STATUS_CLIENT_SERVER_PARAMETERS_INVALID cpu_to_le32(0xC0000223)
+#define STATUS_PASSWORD_MUST_CHANGE cpu_to_le32(0xC0000224)
+#define STATUS_NOT_FOUND cpu_to_le32(0xC0000225)
+#define STATUS_NOT_TINY_STREAM cpu_to_le32(0xC0000226)
+#define STATUS_RECOVERY_FAILURE cpu_to_le32(0xC0000227)
+#define STATUS_STACK_OVERFLOW_READ cpu_to_le32(0xC0000228)
+#define STATUS_FAIL_CHECK cpu_to_le32(0xC0000229)
+#define STATUS_DUPLICATE_OBJECTID cpu_to_le32(0xC000022A)
+#define STATUS_OBJECTID_EXISTS cpu_to_le32(0xC000022B)
+#define STATUS_CONVERT_TO_LARGE cpu_to_le32(0xC000022C)
+#define STATUS_RETRY cpu_to_le32(0xC000022D)
+#define STATUS_FOUND_OUT_OF_SCOPE cpu_to_le32(0xC000022E)
+#define STATUS_ALLOCATE_BUCKET cpu_to_le32(0xC000022F)
+#define STATUS_PROPSET_NOT_FOUND cpu_to_le32(0xC0000230)
+#define STATUS_MARSHALL_OVERFLOW cpu_to_le32(0xC0000231)
+#define STATUS_INVALID_VARIANT cpu_to_le32(0xC0000232)
+#define STATUS_DOMAIN_CONTROLLER_NOT_FOUND cpu_to_le32(0xC0000233)
+#define STATUS_ACCOUNT_LOCKED_OUT cpu_to_le32(0xC0000234)
+#define STATUS_HANDLE_NOT_CLOSABLE cpu_to_le32(0xC0000235)
+#define STATUS_CONNECTION_REFUSED cpu_to_le32(0xC0000236)
+#define STATUS_GRACEFUL_DISCONNECT cpu_to_le32(0xC0000237)
+#define STATUS_ADDRESS_ALREADY_ASSOCIATED cpu_to_le32(0xC0000238)
+#define STATUS_ADDRESS_NOT_ASSOCIATED cpu_to_le32(0xC0000239)
+#define STATUS_CONNECTION_INVALID cpu_to_le32(0xC000023A)
+#define STATUS_CONNECTION_ACTIVE cpu_to_le32(0xC000023B)
+#define STATUS_NETWORK_UNREACHABLE cpu_to_le32(0xC000023C)
+#define STATUS_HOST_UNREACHABLE cpu_to_le32(0xC000023D)
+#define STATUS_PROTOCOL_UNREACHABLE cpu_to_le32(0xC000023E)
+#define STATUS_PORT_UNREACHABLE cpu_to_le32(0xC000023F)
+#define STATUS_REQUEST_ABORTED cpu_to_le32(0xC0000240)
+#define STATUS_CONNECTION_ABORTED cpu_to_le32(0xC0000241)
+#define STATUS_BAD_COMPRESSION_BUFFER cpu_to_le32(0xC0000242)
+#define STATUS_USER_MAPPED_FILE cpu_to_le32(0xC0000243)
+#define STATUS_AUDIT_FAILED cpu_to_le32(0xC0000244)
+#define STATUS_TIMER_RESOLUTION_NOT_SET cpu_to_le32(0xC0000245)
+#define STATUS_CONNECTION_COUNT_LIMIT cpu_to_le32(0xC0000246)
+#define STATUS_LOGIN_TIME_RESTRICTION cpu_to_le32(0xC0000247)
+#define STATUS_LOGIN_WKSTA_RESTRICTION cpu_to_le32(0xC0000248)
+#define STATUS_IMAGE_MP_UP_MISMATCH cpu_to_le32(0xC0000249)
+#define STATUS_INSUFFICIENT_LOGON_INFO cpu_to_le32(0xC0000250)
+#define STATUS_BAD_DLL_ENTRYPOINT cpu_to_le32(0xC0000251)
+#define STATUS_BAD_SERVICE_ENTRYPOINT cpu_to_le32(0xC0000252)
+#define STATUS_LPC_REPLY_LOST cpu_to_le32(0xC0000253)
+#define STATUS_IP_ADDRESS_CONFLICT1 cpu_to_le32(0xC0000254)
+#define STATUS_IP_ADDRESS_CONFLICT2 cpu_to_le32(0xC0000255)
+#define STATUS_REGISTRY_QUOTA_LIMIT cpu_to_le32(0xC0000256)
+#define STATUS_PATH_NOT_COVERED cpu_to_le32(0xC0000257)
+#define STATUS_NO_CALLBACK_ACTIVE cpu_to_le32(0xC0000258)
+#define STATUS_LICENSE_QUOTA_EXCEEDED cpu_to_le32(0xC0000259)
+#define STATUS_PWD_TOO_SHORT cpu_to_le32(0xC000025A)
+#define STATUS_PWD_TOO_RECENT cpu_to_le32(0xC000025B)
+#define STATUS_PWD_HISTORY_CONFLICT cpu_to_le32(0xC000025C)
+#define STATUS_PLUGPLAY_NO_DEVICE cpu_to_le32(0xC000025E)
+#define STATUS_UNSUPPORTED_COMPRESSION cpu_to_le32(0xC000025F)
+#define STATUS_INVALID_HW_PROFILE cpu_to_le32(0xC0000260)
+#define STATUS_INVALID_PLUGPLAY_DEVICE_PATH cpu_to_le32(0xC0000261)
+#define STATUS_DRIVER_ORDINAL_NOT_FOUND cpu_to_le32(0xC0000262)
+#define STATUS_DRIVER_ENTRYPOINT_NOT_FOUND cpu_to_le32(0xC0000263)
+#define STATUS_RESOURCE_NOT_OWNED cpu_to_le32(0xC0000264)
+#define STATUS_TOO_MANY_LINKS cpu_to_le32(0xC0000265)
+#define STATUS_QUOTA_LIST_INCONSISTENT cpu_to_le32(0xC0000266)
+#define STATUS_FILE_IS_OFFLINE cpu_to_le32(0xC0000267)
+#define STATUS_EVALUATION_EXPIRATION cpu_to_le32(0xC0000268)
+#define STATUS_ILLEGAL_DLL_RELOCATION cpu_to_le32(0xC0000269)
+#define STATUS_LICENSE_VIOLATION cpu_to_le32(0xC000026A)
+#define STATUS_DLL_INIT_FAILED_LOGOFF cpu_to_le32(0xC000026B)
+#define STATUS_DRIVER_UNABLE_TO_LOAD cpu_to_le32(0xC000026C)
+#define STATUS_DFS_UNAVAILABLE cpu_to_le32(0xC000026D)
+#define STATUS_VOLUME_DISMOUNTED cpu_to_le32(0xC000026E)
+#define STATUS_WX86_INTERNAL_ERROR cpu_to_le32(0xC000026F)
+#define STATUS_WX86_FLOAT_STACK_CHECK cpu_to_le32(0xC0000270)
+#define STATUS_VALIDATE_CONTINUE cpu_to_le32(0xC0000271)
+#define STATUS_NO_MATCH cpu_to_le32(0xC0000272)
+#define STATUS_NO_MORE_MATCHES cpu_to_le32(0xC0000273)
+#define STATUS_NOT_A_REPARSE_POINT cpu_to_le32(0xC0000275)
+#define STATUS_IO_REPARSE_TAG_INVALID cpu_to_le32(0xC0000276)
+#define STATUS_IO_REPARSE_TAG_MISMATCH cpu_to_le32(0xC0000277)
+#define STATUS_IO_REPARSE_DATA_INVALID cpu_to_le32(0xC0000278)
+#define STATUS_IO_REPARSE_TAG_NOT_HANDLED cpu_to_le32(0xC0000279)
+#define STATUS_REPARSE_POINT_NOT_RESOLVED cpu_to_le32(0xC0000280)
+#define STATUS_DIRECTORY_IS_A_REPARSE_POINT cpu_to_le32(0xC0000281)
+#define STATUS_RANGE_LIST_CONFLICT cpu_to_le32(0xC0000282)
+#define STATUS_SOURCE_ELEMENT_EMPTY cpu_to_le32(0xC0000283)
+#define STATUS_DESTINATION_ELEMENT_FULL cpu_to_le32(0xC0000284)
+#define STATUS_ILLEGAL_ELEMENT_ADDRESS cpu_to_le32(0xC0000285)
+#define STATUS_MAGAZINE_NOT_PRESENT cpu_to_le32(0xC0000286)
+#define STATUS_REINITIALIZATION_NEEDED cpu_to_le32(0xC0000287)
+#define STATUS_ENCRYPTION_FAILED cpu_to_le32(0xC000028A)
+#define STATUS_DECRYPTION_FAILED cpu_to_le32(0xC000028B)
+#define STATUS_RANGE_NOT_FOUND cpu_to_le32(0xC000028C)
+#define STATUS_NO_RECOVERY_POLICY cpu_to_le32(0xC000028D)
+#define STATUS_NO_EFS cpu_to_le32(0xC000028E)
+#define STATUS_WRONG_EFS cpu_to_le32(0xC000028F)
+#define STATUS_NO_USER_KEYS cpu_to_le32(0xC0000290)
+#define STATUS_FILE_NOT_ENCRYPTED cpu_to_le32(0xC0000291)
+#define STATUS_NOT_EXPORT_FORMAT cpu_to_le32(0xC0000292)
+#define STATUS_FILE_ENCRYPTED cpu_to_le32(0xC0000293)
+#define STATUS_WMI_GUID_NOT_FOUND cpu_to_le32(0xC0000295)
+#define STATUS_WMI_INSTANCE_NOT_FOUND cpu_to_le32(0xC0000296)
+#define STATUS_WMI_ITEMID_NOT_FOUND cpu_to_le32(0xC0000297)
+#define STATUS_WMI_TRY_AGAIN cpu_to_le32(0xC0000298)
+#define STATUS_SHARED_POLICY cpu_to_le32(0xC0000299)
+#define STATUS_POLICY_OBJECT_NOT_FOUND cpu_to_le32(0xC000029A)
+#define STATUS_POLICY_ONLY_IN_DS cpu_to_le32(0xC000029B)
+#define STATUS_VOLUME_NOT_UPGRADED cpu_to_le32(0xC000029C)
+#define STATUS_REMOTE_STORAGE_NOT_ACTIVE cpu_to_le32(0xC000029D)
+#define STATUS_REMOTE_STORAGE_MEDIA_ERROR cpu_to_le32(0xC000029E)
+#define STATUS_NO_TRACKING_SERVICE cpu_to_le32(0xC000029F)
+#define STATUS_SERVER_SID_MISMATCH cpu_to_le32(0xC00002A0)
+#define STATUS_DS_NO_ATTRIBUTE_OR_VALUE cpu_to_le32(0xC00002A1)
+#define STATUS_DS_INVALID_ATTRIBUTE_SYNTAX cpu_to_le32(0xC00002A2)
+#define STATUS_DS_ATTRIBUTE_TYPE_UNDEFINED cpu_to_le32(0xC00002A3)
+#define STATUS_DS_ATTRIBUTE_OR_VALUE_EXISTS cpu_to_le32(0xC00002A4)
+#define STATUS_DS_BUSY cpu_to_le32(0xC00002A5)
+#define STATUS_DS_UNAVAILABLE cpu_to_le32(0xC00002A6)
+#define STATUS_DS_NO_RIDS_ALLOCATED cpu_to_le32(0xC00002A7)
+#define STATUS_DS_NO_MORE_RIDS cpu_to_le32(0xC00002A8)
+#define STATUS_DS_INCORRECT_ROLE_OWNER cpu_to_le32(0xC00002A9)
+#define STATUS_DS_RIDMGR_INIT_ERROR cpu_to_le32(0xC00002AA)
+#define STATUS_DS_OBJ_CLASS_VIOLATION cpu_to_le32(0xC00002AB)
+#define STATUS_DS_CANT_ON_NON_LEAF cpu_to_le32(0xC00002AC)
+#define STATUS_DS_CANT_ON_RDN cpu_to_le32(0xC00002AD)
+#define STATUS_DS_CANT_MOD_OBJ_CLASS cpu_to_le32(0xC00002AE)
+#define STATUS_DS_CROSS_DOM_MOVE_FAILED cpu_to_le32(0xC00002AF)
+#define STATUS_DS_GC_NOT_AVAILABLE cpu_to_le32(0xC00002B0)
+#define STATUS_DIRECTORY_SERVICE_REQUIRED cpu_to_le32(0xC00002B1)
+#define STATUS_REPARSE_ATTRIBUTE_CONFLICT cpu_to_le32(0xC00002B2)
+#define STATUS_CANT_ENABLE_DENY_ONLY cpu_to_le32(0xC00002B3)
+#define STATUS_FLOAT_MULTIPLE_FAULTS cpu_to_le32(0xC00002B4)
+#define STATUS_FLOAT_MULTIPLE_TRAPS cpu_to_le32(0xC00002B5)
+#define STATUS_DEVICE_REMOVED cpu_to_le32(0xC00002B6)
+#define STATUS_JOURNAL_DELETE_IN_PROGRESS cpu_to_le32(0xC00002B7)
+#define STATUS_JOURNAL_NOT_ACTIVE cpu_to_le32(0xC00002B8)
+#define STATUS_NOINTERFACE cpu_to_le32(0xC00002B9)
+#define STATUS_DS_ADMIN_LIMIT_EXCEEDED cpu_to_le32(0xC00002C1)
+#define STATUS_DRIVER_FAILED_SLEEP cpu_to_le32(0xC00002C2)
+#define STATUS_MUTUAL_AUTHENTICATION_FAILED cpu_to_le32(0xC00002C3)
+#define STATUS_CORRUPT_SYSTEM_FILE cpu_to_le32(0xC00002C4)
+#define STATUS_DATATYPE_MISALIGNMENT_ERROR cpu_to_le32(0xC00002C5)
+#define STATUS_WMI_READ_ONLY cpu_to_le32(0xC00002C6)
+#define STATUS_WMI_SET_FAILURE cpu_to_le32(0xC00002C7)
+#define STATUS_COMMITMENT_MINIMUM cpu_to_le32(0xC00002C8)
+#define STATUS_REG_NAT_CONSUMPTION cpu_to_le32(0xC00002C9)
+#define STATUS_TRANSPORT_FULL cpu_to_le32(0xC00002CA)
+#define STATUS_DS_SAM_INIT_FAILURE cpu_to_le32(0xC00002CB)
+#define STATUS_ONLY_IF_CONNECTED cpu_to_le32(0xC00002CC)
+#define STATUS_DS_SENSITIVE_GROUP_VIOLATION cpu_to_le32(0xC00002CD)
+#define STATUS_PNP_RESTART_ENUMERATION cpu_to_le32(0xC00002CE)
+#define STATUS_JOURNAL_ENTRY_DELETED cpu_to_le32(0xC00002CF)
+#define STATUS_DS_CANT_MOD_PRIMARYGROUPID cpu_to_le32(0xC00002D0)
+#define STATUS_SYSTEM_IMAGE_BAD_SIGNATURE cpu_to_le32(0xC00002D1)
+#define STATUS_PNP_REBOOT_REQUIRED cpu_to_le32(0xC00002D2)
+#define STATUS_POWER_STATE_INVALID cpu_to_le32(0xC00002D3)
+#define STATUS_DS_INVALID_GROUP_TYPE cpu_to_le32(0xC00002D4)
+#define STATUS_DS_NO_NEST_GLOBALGROUP_IN_MIXEDDOMAIN cpu_to_le32(0xC00002D5)
+#define STATUS_DS_NO_NEST_LOCALGROUP_IN_MIXEDDOMAIN cpu_to_le32(0xC00002D6)
+#define STATUS_DS_GLOBAL_CANT_HAVE_LOCAL_MEMBER cpu_to_le32(0xC00002D7)
+#define STATUS_DS_GLOBAL_CANT_HAVE_UNIVERSAL_MEMBER cpu_to_le32(0xC00002D8)
+#define STATUS_DS_UNIVERSAL_CANT_HAVE_LOCAL_MEMBER cpu_to_le32(0xC00002D9)
+#define STATUS_DS_GLOBAL_CANT_HAVE_CROSSDOMAIN_MEMBER cpu_to_le32(0xC00002DA)
+#define STATUS_DS_LOCAL_CANT_HAVE_CROSSDOMAIN_LOCAL_MEMBER \
+ cpu_to_le32(0xC00002DB)
+#define STATUS_DS_HAVE_PRIMARY_MEMBERS cpu_to_le32(0xC00002DC)
+#define STATUS_WMI_NOT_SUPPORTED cpu_to_le32(0xC00002DD)
+#define STATUS_INSUFFICIENT_POWER cpu_to_le32(0xC00002DE)
+#define STATUS_SAM_NEED_BOOTKEY_PASSWORD cpu_to_le32(0xC00002DF)
+#define STATUS_SAM_NEED_BOOTKEY_FLOPPY cpu_to_le32(0xC00002E0)
+#define STATUS_DS_CANT_START cpu_to_le32(0xC00002E1)
+#define STATUS_DS_INIT_FAILURE cpu_to_le32(0xC00002E2)
+#define STATUS_SAM_INIT_FAILURE cpu_to_le32(0xC00002E3)
+#define STATUS_DS_GC_REQUIRED cpu_to_le32(0xC00002E4)
+#define STATUS_DS_LOCAL_MEMBER_OF_LOCAL_ONLY cpu_to_le32(0xC00002E5)
+#define STATUS_DS_NO_FPO_IN_UNIVERSAL_GROUPS cpu_to_le32(0xC00002E6)
+#define STATUS_DS_MACHINE_ACCOUNT_QUOTA_EXCEEDED cpu_to_le32(0xC00002E7)
+#define STATUS_MULTIPLE_FAULT_VIOLATION cpu_to_le32(0xC00002E8)
+#define STATUS_CURRENT_DOMAIN_NOT_ALLOWED cpu_to_le32(0xC00002E9)
+#define STATUS_CANNOT_MAKE cpu_to_le32(0xC00002EA)
+#define STATUS_SYSTEM_SHUTDOWN cpu_to_le32(0xC00002EB)
+#define STATUS_DS_INIT_FAILURE_CONSOLE cpu_to_le32(0xC00002EC)
+#define STATUS_DS_SAM_INIT_FAILURE_CONSOLE cpu_to_le32(0xC00002ED)
+#define STATUS_UNFINISHED_CONTEXT_DELETED cpu_to_le32(0xC00002EE)
+#define STATUS_NO_TGT_REPLY cpu_to_le32(0xC00002EF)
+#define STATUS_OBJECTID_NOT_FOUND cpu_to_le32(0xC00002F0)
+#define STATUS_NO_IP_ADDRESSES cpu_to_le32(0xC00002F1)
+#define STATUS_WRONG_CREDENTIAL_HANDLE cpu_to_le32(0xC00002F2)
+#define STATUS_CRYPTO_SYSTEM_INVALID cpu_to_le32(0xC00002F3)
+#define STATUS_MAX_REFERRALS_EXCEEDED cpu_to_le32(0xC00002F4)
+#define STATUS_MUST_BE_KDC cpu_to_le32(0xC00002F5)
+#define STATUS_STRONG_CRYPTO_NOT_SUPPORTED cpu_to_le32(0xC00002F6)
+#define STATUS_TOO_MANY_PRINCIPALS cpu_to_le32(0xC00002F7)
+#define STATUS_NO_PA_DATA cpu_to_le32(0xC00002F8)
+#define STATUS_PKINIT_NAME_MISMATCH cpu_to_le32(0xC00002F9)
+#define STATUS_SMARTCARD_LOGON_REQUIRED cpu_to_le32(0xC00002FA)
+#define STATUS_KDC_INVALID_REQUEST cpu_to_le32(0xC00002FB)
+#define STATUS_KDC_UNABLE_TO_REFER cpu_to_le32(0xC00002FC)
+#define STATUS_KDC_UNKNOWN_ETYPE cpu_to_le32(0xC00002FD)
+#define STATUS_SHUTDOWN_IN_PROGRESS cpu_to_le32(0xC00002FE)
+#define STATUS_SERVER_SHUTDOWN_IN_PROGRESS cpu_to_le32(0xC00002FF)
+#define STATUS_NOT_SUPPORTED_ON_SBS cpu_to_le32(0xC0000300)
+#define STATUS_WMI_GUID_DISCONNECTED cpu_to_le32(0xC0000301)
+#define STATUS_WMI_ALREADY_DISABLED cpu_to_le32(0xC0000302)
+#define STATUS_WMI_ALREADY_ENABLED cpu_to_le32(0xC0000303)
+#define STATUS_MFT_TOO_FRAGMENTED cpu_to_le32(0xC0000304)
+#define STATUS_COPY_PROTECTION_FAILURE cpu_to_le32(0xC0000305)
+#define STATUS_CSS_AUTHENTICATION_FAILURE cpu_to_le32(0xC0000306)
+#define STATUS_CSS_KEY_NOT_PRESENT cpu_to_le32(0xC0000307)
+#define STATUS_CSS_KEY_NOT_ESTABLISHED cpu_to_le32(0xC0000308)
+#define STATUS_CSS_SCRAMBLED_SECTOR cpu_to_le32(0xC0000309)
+#define STATUS_CSS_REGION_MISMATCH cpu_to_le32(0xC000030A)
+#define STATUS_CSS_RESETS_EXHAUSTED cpu_to_le32(0xC000030B)
+#define STATUS_PKINIT_FAILURE cpu_to_le32(0xC0000320)
+#define STATUS_SMARTCARD_SUBSYSTEM_FAILURE cpu_to_le32(0xC0000321)
+#define STATUS_NO_KERB_KEY cpu_to_le32(0xC0000322)
+#define STATUS_HOST_DOWN cpu_to_le32(0xC0000350)
+#define STATUS_UNSUPPORTED_PREAUTH cpu_to_le32(0xC0000351)
+#define STATUS_EFS_ALG_BLOB_TOO_BIG cpu_to_le32(0xC0000352)
+#define STATUS_PORT_NOT_SET cpu_to_le32(0xC0000353)
+#define STATUS_DEBUGGER_INACTIVE cpu_to_le32(0xC0000354)
+#define STATUS_DS_VERSION_CHECK_FAILURE cpu_to_le32(0xC0000355)
+#define STATUS_AUDITING_DISABLED cpu_to_le32(0xC0000356)
+#define STATUS_PRENT4_MACHINE_ACCOUNT cpu_to_le32(0xC0000357)
+#define STATUS_DS_AG_CANT_HAVE_UNIVERSAL_MEMBER cpu_to_le32(0xC0000358)
+#define STATUS_INVALID_IMAGE_WIN_32 cpu_to_le32(0xC0000359)
+#define STATUS_INVALID_IMAGE_WIN_64 cpu_to_le32(0xC000035A)
+#define STATUS_BAD_BINDINGS cpu_to_le32(0xC000035B)
+#define STATUS_NETWORK_SESSION_EXPIRED cpu_to_le32(0xC000035C)
+#define STATUS_APPHELP_BLOCK cpu_to_le32(0xC000035D)
+#define STATUS_ALL_SIDS_FILTERED cpu_to_le32(0xC000035E)
+#define STATUS_NOT_SAFE_MODE_DRIVER cpu_to_le32(0xC000035F)
+#define STATUS_ACCESS_DISABLED_BY_POLICY_DEFAULT cpu_to_le32(0xC0000361)
+#define STATUS_ACCESS_DISABLED_BY_POLICY_PATH cpu_to_le32(0xC0000362)
+#define STATUS_ACCESS_DISABLED_BY_POLICY_PUBLISHER cpu_to_le32(0xC0000363)
+#define STATUS_ACCESS_DISABLED_BY_POLICY_OTHER cpu_to_le32(0xC0000364)
+#define STATUS_FAILED_DRIVER_ENTRY cpu_to_le32(0xC0000365)
+#define STATUS_DEVICE_ENUMERATION_ERROR cpu_to_le32(0xC0000366)
+#define STATUS_MOUNT_POINT_NOT_RESOLVED cpu_to_le32(0xC0000368)
+#define STATUS_INVALID_DEVICE_OBJECT_PARAMETER cpu_to_le32(0xC0000369)
+#define STATUS_MCA_OCCURRED cpu_to_le32(0xC000036A)
+#define STATUS_DRIVER_BLOCKED_CRITICAL cpu_to_le32(0xC000036B)
+#define STATUS_DRIVER_BLOCKED cpu_to_le32(0xC000036C)
+#define STATUS_DRIVER_DATABASE_ERROR cpu_to_le32(0xC000036D)
+#define STATUS_SYSTEM_HIVE_TOO_LARGE cpu_to_le32(0xC000036E)
+#define STATUS_INVALID_IMPORT_OF_NON_DLL cpu_to_le32(0xC000036F)
+#define STATUS_NO_SECRETS cpu_to_le32(0xC0000371)
+#define STATUS_ACCESS_DISABLED_NO_SAFER_UI_BY_POLICY cpu_to_le32(0xC0000372)
+#define STATUS_FAILED_STACK_SWITCH cpu_to_le32(0xC0000373)
+#define STATUS_HEAP_CORRUPTION cpu_to_le32(0xC0000374)
+#define STATUS_SMARTCARD_WRONG_PIN cpu_to_le32(0xC0000380)
+#define STATUS_SMARTCARD_CARD_BLOCKED cpu_to_le32(0xC0000381)
+#define STATUS_SMARTCARD_CARD_NOT_AUTHENTICATED cpu_to_le32(0xC0000382)
+#define STATUS_SMARTCARD_NO_CARD cpu_to_le32(0xC0000383)
+#define STATUS_SMARTCARD_NO_KEY_CONTAINER cpu_to_le32(0xC0000384)
+#define STATUS_SMARTCARD_NO_CERTIFICATE cpu_to_le32(0xC0000385)
+#define STATUS_SMARTCARD_NO_KEYSET cpu_to_le32(0xC0000386)
+#define STATUS_SMARTCARD_IO_ERROR cpu_to_le32(0xC0000387)
+#define STATUS_DOWNGRADE_DETECTED cpu_to_le32(0xC0000388)
+#define STATUS_SMARTCARD_CERT_REVOKED cpu_to_le32(0xC0000389)
+#define STATUS_ISSUING_CA_UNTRUSTED cpu_to_le32(0xC000038A)
+#define STATUS_REVOCATION_OFFLINE_C cpu_to_le32(0xC000038B)
+#define STATUS_PKINIT_CLIENT_FAILURE cpu_to_le32(0xC000038C)
+#define STATUS_SMARTCARD_CERT_EXPIRED cpu_to_le32(0xC000038D)
+#define STATUS_DRIVER_FAILED_PRIOR_UNLOAD cpu_to_le32(0xC000038E)
+#define STATUS_SMARTCARD_SILENT_CONTEXT cpu_to_le32(0xC000038F)
+#define STATUS_PER_USER_TRUST_QUOTA_EXCEEDED cpu_to_le32(0xC0000401)
+#define STATUS_ALL_USER_TRUST_QUOTA_EXCEEDED cpu_to_le32(0xC0000402)
+#define STATUS_USER_DELETE_TRUST_QUOTA_EXCEEDED cpu_to_le32(0xC0000403)
+#define STATUS_DS_NAME_NOT_UNIQUE cpu_to_le32(0xC0000404)
+#define STATUS_DS_DUPLICATE_ID_FOUND cpu_to_le32(0xC0000405)
+#define STATUS_DS_GROUP_CONVERSION_ERROR cpu_to_le32(0xC0000406)
+#define STATUS_VOLSNAP_PREPARE_HIBERNATE cpu_to_le32(0xC0000407)
+#define STATUS_USER2USER_REQUIRED cpu_to_le32(0xC0000408)
+#define STATUS_STACK_BUFFER_OVERRUN cpu_to_le32(0xC0000409)
+#define STATUS_NO_S4U_PROT_SUPPORT cpu_to_le32(0xC000040A)
+#define STATUS_CROSSREALM_DELEGATION_FAILURE cpu_to_le32(0xC000040B)
+#define STATUS_REVOCATION_OFFLINE_KDC cpu_to_le32(0xC000040C)
+#define STATUS_ISSUING_CA_UNTRUSTED_KDC cpu_to_le32(0xC000040D)
+#define STATUS_KDC_CERT_EXPIRED cpu_to_le32(0xC000040E)
+#define STATUS_KDC_CERT_REVOKED cpu_to_le32(0xC000040F)
+#define STATUS_PARAMETER_QUOTA_EXCEEDED cpu_to_le32(0xC0000410)
+#define STATUS_HIBERNATION_FAILURE cpu_to_le32(0xC0000411)
+#define STATUS_DELAY_LOAD_FAILED cpu_to_le32(0xC0000412)
+#define STATUS_AUTHENTICATION_FIREWALL_FAILED cpu_to_le32(0xC0000413)
+#define STATUS_VDM_DISALLOWED cpu_to_le32(0xC0000414)
+#define STATUS_HUNG_DISPLAY_DRIVER_THREAD cpu_to_le32(0xC0000415)
+#define STATUS_INSUFFICIENT_RESOURCE_FOR_SPECIFIED_SHARED_SECTION_SIZE \
+ cpu_to_le32(0xC0000416)
+#define STATUS_INVALID_CRUNTIME_PARAMETER cpu_to_le32(0xC0000417)
+#define STATUS_NTLM_BLOCKED cpu_to_le32(0xC0000418)
+#define STATUS_ASSERTION_FAILURE cpu_to_le32(0xC0000420)
+#define STATUS_VERIFIER_STOP cpu_to_le32(0xC0000421)
+#define STATUS_CALLBACK_POP_STACK cpu_to_le32(0xC0000423)
+#define STATUS_INCOMPATIBLE_DRIVER_BLOCKED cpu_to_le32(0xC0000424)
+#define STATUS_HIVE_UNLOADED cpu_to_le32(0xC0000425)
+#define STATUS_COMPRESSION_DISABLED cpu_to_le32(0xC0000426)
+#define STATUS_FILE_SYSTEM_LIMITATION cpu_to_le32(0xC0000427)
+#define STATUS_INVALID_IMAGE_HASH cpu_to_le32(0xC0000428)
+#define STATUS_NOT_CAPABLE cpu_to_le32(0xC0000429)
+#define STATUS_REQUEST_OUT_OF_SEQUENCE cpu_to_le32(0xC000042A)
+#define STATUS_IMPLEMENTATION_LIMIT cpu_to_le32(0xC000042B)
+#define STATUS_ELEVATION_REQUIRED cpu_to_le32(0xC000042C)
+#define STATUS_BEYOND_VDL cpu_to_le32(0xC0000432)
+#define STATUS_ENCOUNTERED_WRITE_IN_PROGRESS cpu_to_le32(0xC0000433)
+#define STATUS_PTE_CHANGED cpu_to_le32(0xC0000434)
+#define STATUS_PURGE_FAILED cpu_to_le32(0xC0000435)
+#define STATUS_CRED_REQUIRES_CONFIRMATION cpu_to_le32(0xC0000440)
+#define STATUS_CS_ENCRYPTION_INVALID_SERVER_RESPONSE cpu_to_le32(0xC0000441)
+#define STATUS_CS_ENCRYPTION_UNSUPPORTED_SERVER cpu_to_le32(0xC0000442)
+#define STATUS_CS_ENCRYPTION_EXISTING_ENCRYPTED_FILE cpu_to_le32(0xC0000443)
+#define STATUS_CS_ENCRYPTION_NEW_ENCRYPTED_FILE cpu_to_le32(0xC0000444)
+#define STATUS_CS_ENCRYPTION_FILE_NOT_CSE cpu_to_le32(0xC0000445)
+#define STATUS_INVALID_LABEL cpu_to_le32(0xC0000446)
+#define STATUS_DRIVER_PROCESS_TERMINATED cpu_to_le32(0xC0000450)
+#define STATUS_AMBIGUOUS_SYSTEM_DEVICE cpu_to_le32(0xC0000451)
+#define STATUS_SYSTEM_DEVICE_NOT_FOUND cpu_to_le32(0xC0000452)
+#define STATUS_RESTART_BOOT_APPLICATION cpu_to_le32(0xC0000453)
+#define STATUS_INVALID_TASK_NAME cpu_to_le32(0xC0000500)
+#define STATUS_INVALID_TASK_INDEX cpu_to_le32(0xC0000501)
+#define STATUS_THREAD_ALREADY_IN_TASK cpu_to_le32(0xC0000502)
+#define STATUS_CALLBACK_BYPASS cpu_to_le32(0xC0000503)
+#define STATUS_PORT_CLOSED cpu_to_le32(0xC0000700)
+#define STATUS_MESSAGE_LOST cpu_to_le32(0xC0000701)
+#define STATUS_INVALID_MESSAGE cpu_to_le32(0xC0000702)
+#define STATUS_REQUEST_CANCELED cpu_to_le32(0xC0000703)
+#define STATUS_RECURSIVE_DISPATCH cpu_to_le32(0xC0000704)
+#define STATUS_LPC_RECEIVE_BUFFER_EXPECTED cpu_to_le32(0xC0000705)
+#define STATUS_LPC_INVALID_CONNECTION_USAGE cpu_to_le32(0xC0000706)
+#define STATUS_LPC_REQUESTS_NOT_ALLOWED cpu_to_le32(0xC0000707)
+#define STATUS_RESOURCE_IN_USE cpu_to_le32(0xC0000708)
+#define STATUS_HARDWARE_MEMORY_ERROR cpu_to_le32(0xC0000709)
+#define STATUS_THREADPOOL_HANDLE_EXCEPTION cpu_to_le32(0xC000070A)
+#define STATUS_THREADPOOL_SET_EVENT_ON_COMPLETION_FAILED cpu_to_le32(0xC000070B)
+#define STATUS_THREADPOOL_RELEASE_SEMAPHORE_ON_COMPLETION_FAILED \
+ cpu_to_le32(0xC000070C)
+#define STATUS_THREADPOOL_RELEASE_MUTEX_ON_COMPLETION_FAILED \
+ cpu_to_le32(0xC000070D)
+#define STATUS_THREADPOOL_FREE_LIBRARY_ON_COMPLETION_FAILED \
+ cpu_to_le32(0xC000070E)
+#define STATUS_THREADPOOL_RELEASED_DURING_OPERATION cpu_to_le32(0xC000070F)
+#define STATUS_CALLBACK_RETURNED_WHILE_IMPERSONATING cpu_to_le32(0xC0000710)
+#define STATUS_APC_RETURNED_WHILE_IMPERSONATING cpu_to_le32(0xC0000711)
+#define STATUS_PROCESS_IS_PROTECTED cpu_to_le32(0xC0000712)
+#define STATUS_MCA_EXCEPTION cpu_to_le32(0xC0000713)
+#define STATUS_CERTIFICATE_MAPPING_NOT_UNIQUE cpu_to_le32(0xC0000714)
+#define STATUS_SYMLINK_CLASS_DISABLED cpu_to_le32(0xC0000715)
+#define STATUS_INVALID_IDN_NORMALIZATION cpu_to_le32(0xC0000716)
+#define STATUS_NO_UNICODE_TRANSLATION cpu_to_le32(0xC0000717)
+#define STATUS_ALREADY_REGISTERED cpu_to_le32(0xC0000718)
+#define STATUS_CONTEXT_MISMATCH cpu_to_le32(0xC0000719)
+#define STATUS_PORT_ALREADY_HAS_COMPLETION_LIST cpu_to_le32(0xC000071A)
+#define STATUS_CALLBACK_RETURNED_THREAD_PRIORITY cpu_to_le32(0xC000071B)
+#define STATUS_INVALID_THREAD cpu_to_le32(0xC000071C)
+#define STATUS_CALLBACK_RETURNED_TRANSACTION cpu_to_le32(0xC000071D)
+#define STATUS_CALLBACK_RETURNED_LDR_LOCK cpu_to_le32(0xC000071E)
+#define STATUS_CALLBACK_RETURNED_LANG cpu_to_le32(0xC000071F)
+#define STATUS_CALLBACK_RETURNED_PRI_BACK cpu_to_le32(0xC0000720)
+#define STATUS_CALLBACK_RETURNED_THREAD_AFFINITY cpu_to_le32(0xC0000721)
+#define STATUS_DISK_REPAIR_DISABLED cpu_to_le32(0xC0000800)
+#define STATUS_DS_DOMAIN_RENAME_IN_PROGRESS cpu_to_le32(0xC0000801)
+#define STATUS_DISK_QUOTA_EXCEEDED cpu_to_le32(0xC0000802)
+#define STATUS_CONTENT_BLOCKED cpu_to_le32(0xC0000804)
+#define STATUS_BAD_CLUSTERS cpu_to_le32(0xC0000805)
+#define STATUS_VOLUME_DIRTY cpu_to_le32(0xC0000806)
+#define STATUS_FILE_CHECKED_OUT cpu_to_le32(0xC0000901)
+#define STATUS_CHECKOUT_REQUIRED cpu_to_le32(0xC0000902)
+#define STATUS_BAD_FILE_TYPE cpu_to_le32(0xC0000903)
+#define STATUS_FILE_TOO_LARGE cpu_to_le32(0xC0000904)
+#define STATUS_FORMS_AUTH_REQUIRED cpu_to_le32(0xC0000905)
+#define STATUS_VIRUS_INFECTED cpu_to_le32(0xC0000906)
+#define STATUS_VIRUS_DELETED cpu_to_le32(0xC0000907)
+#define STATUS_BAD_MCFG_TABLE cpu_to_le32(0xC0000908)
+#define STATUS_WOW_ASSERTION cpu_to_le32(0xC0009898)
+#define STATUS_INVALID_SIGNATURE cpu_to_le32(0xC000A000)
+#define STATUS_HMAC_NOT_SUPPORTED cpu_to_le32(0xC000A001)
+#define STATUS_IPSEC_QUEUE_OVERFLOW cpu_to_le32(0xC000A010)
+#define STATUS_ND_QUEUE_OVERFLOW cpu_to_le32(0xC000A011)
+#define STATUS_HOPLIMIT_EXCEEDED cpu_to_le32(0xC000A012)
+#define STATUS_PROTOCOL_NOT_SUPPORTED cpu_to_le32(0xC000A013)
+#define STATUS_LOST_WRITEBEHIND_DATA_NETWORK_DISCONNECTED \
+ cpu_to_le32(0xC000A080)
+#define STATUS_LOST_WRITEBEHIND_DATA_NETWORK_SERVER_ERROR \
+ cpu_to_le32(0xC000A081)
+#define STATUS_LOST_WRITEBEHIND_DATA_LOCAL_DISK_ERROR cpu_to_le32(0xC000A082)
+#define STATUS_XML_PARSE_ERROR cpu_to_le32(0xC000A083)
+#define STATUS_XMLDSIG_ERROR cpu_to_le32(0xC000A084)
+#define STATUS_WRONG_COMPARTMENT cpu_to_le32(0xC000A085)
+#define STATUS_AUTHIP_FAILURE cpu_to_le32(0xC000A086)
+#define DBG_NO_STATE_CHANGE cpu_to_le32(0xC0010001)
+#define DBG_APP_NOT_IDLE cpu_to_le32(0xC0010002)
+#define RPC_NT_INVALID_STRING_BINDING cpu_to_le32(0xC0020001)
+#define RPC_NT_WRONG_KIND_OF_BINDING cpu_to_le32(0xC0020002)
+#define RPC_NT_INVALID_BINDING cpu_to_le32(0xC0020003)
+#define RPC_NT_PROTSEQ_NOT_SUPPORTED cpu_to_le32(0xC0020004)
+#define RPC_NT_INVALID_RPC_PROTSEQ cpu_to_le32(0xC0020005)
+#define RPC_NT_INVALID_STRING_UUID cpu_to_le32(0xC0020006)
+#define RPC_NT_INVALID_ENDPOINT_FORMAT cpu_to_le32(0xC0020007)
+#define RPC_NT_INVALID_NET_ADDR cpu_to_le32(0xC0020008)
+#define RPC_NT_NO_ENDPOINT_FOUND cpu_to_le32(0xC0020009)
+#define RPC_NT_INVALID_TIMEOUT cpu_to_le32(0xC002000A)
+#define RPC_NT_OBJECT_NOT_FOUND cpu_to_le32(0xC002000B)
+#define RPC_NT_ALREADY_REGISTERED cpu_to_le32(0xC002000C)
+#define RPC_NT_TYPE_ALREADY_REGISTERED cpu_to_le32(0xC002000D)
+#define RPC_NT_ALREADY_LISTENING cpu_to_le32(0xC002000E)
+#define RPC_NT_NO_PROTSEQS_REGISTERED cpu_to_le32(0xC002000F)
+#define RPC_NT_NOT_LISTENING cpu_to_le32(0xC0020010)
+#define RPC_NT_UNKNOWN_MGR_TYPE cpu_to_le32(0xC0020011)
+#define RPC_NT_UNKNOWN_IF cpu_to_le32(0xC0020012)
+#define RPC_NT_NO_BINDINGS cpu_to_le32(0xC0020013)
+#define RPC_NT_NO_PROTSEQS cpu_to_le32(0xC0020014)
+#define RPC_NT_CANT_CREATE_ENDPOINT cpu_to_le32(0xC0020015)
+#define RPC_NT_OUT_OF_RESOURCES cpu_to_le32(0xC0020016)
+#define RPC_NT_SERVER_UNAVAILABLE cpu_to_le32(0xC0020017)
+#define RPC_NT_SERVER_TOO_BUSY cpu_to_le32(0xC0020018)
+#define RPC_NT_INVALID_NETWORK_OPTIONS cpu_to_le32(0xC0020019)
+#define RPC_NT_NO_CALL_ACTIVE cpu_to_le32(0xC002001A)
+#define RPC_NT_CALL_FAILED cpu_to_le32(0xC002001B)
+#define RPC_NT_CALL_FAILED_DNE cpu_to_le32(0xC002001C)
+#define RPC_NT_PROTOCOL_ERROR cpu_to_le32(0xC002001D)
+#define RPC_NT_UNSUPPORTED_TRANS_SYN cpu_to_le32(0xC002001F)
+#define RPC_NT_UNSUPPORTED_TYPE cpu_to_le32(0xC0020021)
+#define RPC_NT_INVALID_TAG cpu_to_le32(0xC0020022)
+#define RPC_NT_INVALID_BOUND cpu_to_le32(0xC0020023)
+#define RPC_NT_NO_ENTRY_NAME cpu_to_le32(0xC0020024)
+#define RPC_NT_INVALID_NAME_SYNTAX cpu_to_le32(0xC0020025)
+#define RPC_NT_UNSUPPORTED_NAME_SYNTAX cpu_to_le32(0xC0020026)
+#define RPC_NT_UUID_NO_ADDRESS cpu_to_le32(0xC0020028)
+#define RPC_NT_DUPLICATE_ENDPOINT cpu_to_le32(0xC0020029)
+#define RPC_NT_UNKNOWN_AUTHN_TYPE cpu_to_le32(0xC002002A)
+#define RPC_NT_MAX_CALLS_TOO_SMALL cpu_to_le32(0xC002002B)
+#define RPC_NT_STRING_TOO_LONG cpu_to_le32(0xC002002C)
+#define RPC_NT_PROTSEQ_NOT_FOUND cpu_to_le32(0xC002002D)
+#define RPC_NT_PROCNUM_OUT_OF_RANGE cpu_to_le32(0xC002002E)
+#define RPC_NT_BINDING_HAS_NO_AUTH cpu_to_le32(0xC002002F)
+#define RPC_NT_UNKNOWN_AUTHN_SERVICE cpu_to_le32(0xC0020030)
+#define RPC_NT_UNKNOWN_AUTHN_LEVEL cpu_to_le32(0xC0020031)
+#define RPC_NT_INVALID_AUTH_IDENTITY cpu_to_le32(0xC0020032)
+#define RPC_NT_UNKNOWN_AUTHZ_SERVICE cpu_to_le32(0xC0020033)
+#define EPT_NT_INVALID_ENTRY cpu_to_le32(0xC0020034)
+#define EPT_NT_CANT_PERFORM_OP cpu_to_le32(0xC0020035)
+#define EPT_NT_NOT_REGISTERED cpu_to_le32(0xC0020036)
+#define RPC_NT_NOTHING_TO_EXPORT cpu_to_le32(0xC0020037)
+#define RPC_NT_INCOMPLETE_NAME cpu_to_le32(0xC0020038)
+#define RPC_NT_INVALID_VERS_OPTION cpu_to_le32(0xC0020039)
+#define RPC_NT_NO_MORE_MEMBERS cpu_to_le32(0xC002003A)
+#define RPC_NT_NOT_ALL_OBJS_UNEXPORTED cpu_to_le32(0xC002003B)
+#define RPC_NT_INTERFACE_NOT_FOUND cpu_to_le32(0xC002003C)
+#define RPC_NT_ENTRY_ALREADY_EXISTS cpu_to_le32(0xC002003D)
+#define RPC_NT_ENTRY_NOT_FOUND cpu_to_le32(0xC002003E)
+#define RPC_NT_NAME_SERVICE_UNAVAILABLE cpu_to_le32(0xC002003F)
+#define RPC_NT_INVALID_NAF_ID cpu_to_le32(0xC0020040)
+#define RPC_NT_CANNOT_SUPPORT cpu_to_le32(0xC0020041)
+#define RPC_NT_NO_CONTEXT_AVAILABLE cpu_to_le32(0xC0020042)
+#define RPC_NT_INTERNAL_ERROR cpu_to_le32(0xC0020043)
+#define RPC_NT_ZERO_DIVIDE cpu_to_le32(0xC0020044)
+#define RPC_NT_ADDRESS_ERROR cpu_to_le32(0xC0020045)
+#define RPC_NT_FP_DIV_ZERO cpu_to_le32(0xC0020046)
+#define RPC_NT_FP_UNDERFLOW cpu_to_le32(0xC0020047)
+#define RPC_NT_FP_OVERFLOW cpu_to_le32(0xC0020048)
+#define RPC_NT_CALL_IN_PROGRESS cpu_to_le32(0xC0020049)
+#define RPC_NT_NO_MORE_BINDINGS cpu_to_le32(0xC002004A)
+#define RPC_NT_GROUP_MEMBER_NOT_FOUND cpu_to_le32(0xC002004B)
+#define EPT_NT_CANT_CREATE cpu_to_le32(0xC002004C)
+#define RPC_NT_INVALID_OBJECT cpu_to_le32(0xC002004D)
+#define RPC_NT_NO_INTERFACES cpu_to_le32(0xC002004F)
+#define RPC_NT_CALL_CANCELLED cpu_to_le32(0xC0020050)
+#define RPC_NT_BINDING_INCOMPLETE cpu_to_le32(0xC0020051)
+#define RPC_NT_COMM_FAILURE cpu_to_le32(0xC0020052)
+#define RPC_NT_UNSUPPORTED_AUTHN_LEVEL cpu_to_le32(0xC0020053)
+#define RPC_NT_NO_PRINC_NAME cpu_to_le32(0xC0020054)
+#define RPC_NT_NOT_RPC_ERROR cpu_to_le32(0xC0020055)
+#define RPC_NT_SEC_PKG_ERROR cpu_to_le32(0xC0020057)
+#define RPC_NT_NOT_CANCELLED cpu_to_le32(0xC0020058)
+#define RPC_NT_INVALID_ASYNC_HANDLE cpu_to_le32(0xC0020062)
+#define RPC_NT_INVALID_ASYNC_CALL cpu_to_le32(0xC0020063)
+#define RPC_NT_PROXY_ACCESS_DENIED cpu_to_le32(0xC0020064)
+#define RPC_NT_NO_MORE_ENTRIES cpu_to_le32(0xC0030001)
+#define RPC_NT_SS_CHAR_TRANS_OPEN_FAIL cpu_to_le32(0xC0030002)
+#define RPC_NT_SS_CHAR_TRANS_SHORT_FILE cpu_to_le32(0xC0030003)
+#define RPC_NT_SS_IN_NULL_CONTEXT cpu_to_le32(0xC0030004)
+#define RPC_NT_SS_CONTEXT_MISMATCH cpu_to_le32(0xC0030005)
+#define RPC_NT_SS_CONTEXT_DAMAGED cpu_to_le32(0xC0030006)
+#define RPC_NT_SS_HANDLES_MISMATCH cpu_to_le32(0xC0030007)
+#define RPC_NT_SS_CANNOT_GET_CALL_HANDLE cpu_to_le32(0xC0030008)
+#define RPC_NT_NULL_REF_POINTER cpu_to_le32(0xC0030009)
+#define RPC_NT_ENUM_VALUE_OUT_OF_RANGE cpu_to_le32(0xC003000A)
+#define RPC_NT_BYTE_COUNT_TOO_SMALL cpu_to_le32(0xC003000B)
+#define RPC_NT_BAD_STUB_DATA cpu_to_le32(0xC003000C)
+#define RPC_NT_INVALID_ES_ACTION cpu_to_le32(0xC0030059)
+#define RPC_NT_WRONG_ES_VERSION cpu_to_le32(0xC003005A)
+#define RPC_NT_WRONG_STUB_VERSION cpu_to_le32(0xC003005B)
+#define RPC_NT_INVALID_PIPE_OBJECT cpu_to_le32(0xC003005C)
+#define RPC_NT_INVALID_PIPE_OPERATION cpu_to_le32(0xC003005D)
+#define RPC_NT_WRONG_PIPE_VERSION cpu_to_le32(0xC003005E)
+#define RPC_NT_PIPE_CLOSED cpu_to_le32(0xC003005F)
+#define RPC_NT_PIPE_DISCIPLINE_ERROR cpu_to_le32(0xC0030060)
+#define RPC_NT_PIPE_EMPTY cpu_to_le32(0xC0030061)
+#define STATUS_PNP_BAD_MPS_TABLE cpu_to_le32(0xC0040035)
+#define STATUS_PNP_TRANSLATION_FAILED cpu_to_le32(0xC0040036)
+#define STATUS_PNP_IRQ_TRANSLATION_FAILED cpu_to_le32(0xC0040037)
+#define STATUS_PNP_INVALID_ID cpu_to_le32(0xC0040038)
+#define STATUS_IO_REISSUE_AS_CACHED cpu_to_le32(0xC0040039)
+#define STATUS_CTX_WINSTATION_NAME_INVALID cpu_to_le32(0xC00A0001)
+#define STATUS_CTX_INVALID_PD cpu_to_le32(0xC00A0002)
+#define STATUS_CTX_PD_NOT_FOUND cpu_to_le32(0xC00A0003)
+#define STATUS_CTX_CLOSE_PENDING cpu_to_le32(0xC00A0006)
+#define STATUS_CTX_NO_OUTBUF cpu_to_le32(0xC00A0007)
+#define STATUS_CTX_MODEM_INF_NOT_FOUND cpu_to_le32(0xC00A0008)
+#define STATUS_CTX_INVALID_MODEMNAME cpu_to_le32(0xC00A0009)
+#define STATUS_CTX_RESPONSE_ERROR cpu_to_le32(0xC00A000A)
+#define STATUS_CTX_MODEM_RESPONSE_TIMEOUT cpu_to_le32(0xC00A000B)
+#define STATUS_CTX_MODEM_RESPONSE_NO_CARRIER cpu_to_le32(0xC00A000C)
+#define STATUS_CTX_MODEM_RESPONSE_NO_DIALTONE cpu_to_le32(0xC00A000D)
+#define STATUS_CTX_MODEM_RESPONSE_BUSY cpu_to_le32(0xC00A000E)
+#define STATUS_CTX_MODEM_RESPONSE_VOICE cpu_to_le32(0xC00A000F)
+#define STATUS_CTX_TD_ERROR cpu_to_le32(0xC00A0010)
+#define STATUS_CTX_LICENSE_CLIENT_INVALID cpu_to_le32(0xC00A0012)
+#define STATUS_CTX_LICENSE_NOT_AVAILABLE cpu_to_le32(0xC00A0013)
+#define STATUS_CTX_LICENSE_EXPIRED cpu_to_le32(0xC00A0014)
+#define STATUS_CTX_WINSTATION_NOT_FOUND cpu_to_le32(0xC00A0015)
+#define STATUS_CTX_WINSTATION_NAME_COLLISION cpu_to_le32(0xC00A0016)
+#define STATUS_CTX_WINSTATION_BUSY cpu_to_le32(0xC00A0017)
+#define STATUS_CTX_BAD_VIDEO_MODE cpu_to_le32(0xC00A0018)
+#define STATUS_CTX_GRAPHICS_INVALID cpu_to_le32(0xC00A0022)
+#define STATUS_CTX_NOT_CONSOLE cpu_to_le32(0xC00A0024)
+#define STATUS_CTX_CLIENT_QUERY_TIMEOUT cpu_to_le32(0xC00A0026)
+#define STATUS_CTX_CONSOLE_DISCONNECT cpu_to_le32(0xC00A0027)
+#define STATUS_CTX_CONSOLE_CONNECT cpu_to_le32(0xC00A0028)
+#define STATUS_CTX_SHADOW_DENIED cpu_to_le32(0xC00A002A)
+#define STATUS_CTX_WINSTATION_ACCESS_DENIED cpu_to_le32(0xC00A002B)
+#define STATUS_CTX_INVALID_WD cpu_to_le32(0xC00A002E)
+#define STATUS_CTX_WD_NOT_FOUND cpu_to_le32(0xC00A002F)
+#define STATUS_CTX_SHADOW_INVALID cpu_to_le32(0xC00A0030)
+#define STATUS_CTX_SHADOW_DISABLED cpu_to_le32(0xC00A0031)
+#define STATUS_RDP_PROTOCOL_ERROR cpu_to_le32(0xC00A0032)
+#define STATUS_CTX_CLIENT_LICENSE_NOT_SET cpu_to_le32(0xC00A0033)
+#define STATUS_CTX_CLIENT_LICENSE_IN_USE cpu_to_le32(0xC00A0034)
+#define STATUS_CTX_SHADOW_ENDED_BY_MODE_CHANGE cpu_to_le32(0xC00A0035)
+#define STATUS_CTX_SHADOW_NOT_RUNNING cpu_to_le32(0xC00A0036)
+#define STATUS_CTX_LOGON_DISABLED cpu_to_le32(0xC00A0037)
+#define STATUS_CTX_SECURITY_LAYER_ERROR cpu_to_le32(0xC00A0038)
+#define STATUS_TS_INCOMPATIBLE_SESSIONS cpu_to_le32(0xC00A0039)
+#define STATUS_MUI_FILE_NOT_FOUND cpu_to_le32(0xC00B0001)
+#define STATUS_MUI_INVALID_FILE cpu_to_le32(0xC00B0002)
+#define STATUS_MUI_INVALID_RC_CONFIG cpu_to_le32(0xC00B0003)
+#define STATUS_MUI_INVALID_LOCALE_NAME cpu_to_le32(0xC00B0004)
+#define STATUS_MUI_INVALID_ULTIMATEFALLBACK_NAME cpu_to_le32(0xC00B0005)
+#define STATUS_MUI_FILE_NOT_LOADED cpu_to_le32(0xC00B0006)
+#define STATUS_RESOURCE_ENUM_USER_STOP cpu_to_le32(0xC00B0007)
+#define STATUS_CLUSTER_INVALID_NODE cpu_to_le32(0xC0130001)
+#define STATUS_CLUSTER_NODE_EXISTS cpu_to_le32(0xC0130002)
+#define STATUS_CLUSTER_JOIN_IN_PROGRESS cpu_to_le32(0xC0130003)
+#define STATUS_CLUSTER_NODE_NOT_FOUND cpu_to_le32(0xC0130004)
+#define STATUS_CLUSTER_LOCAL_NODE_NOT_FOUND cpu_to_le32(0xC0130005)
+#define STATUS_CLUSTER_NETWORK_EXISTS cpu_to_le32(0xC0130006)
+#define STATUS_CLUSTER_NETWORK_NOT_FOUND cpu_to_le32(0xC0130007)
+#define STATUS_CLUSTER_NETINTERFACE_EXISTS cpu_to_le32(0xC0130008)
+#define STATUS_CLUSTER_NETINTERFACE_NOT_FOUND cpu_to_le32(0xC0130009)
+#define STATUS_CLUSTER_INVALID_REQUEST cpu_to_le32(0xC013000A)
+#define STATUS_CLUSTER_INVALID_NETWORK_PROVIDER cpu_to_le32(0xC013000B)
+#define STATUS_CLUSTER_NODE_DOWN cpu_to_le32(0xC013000C)
+#define STATUS_CLUSTER_NODE_UNREACHABLE cpu_to_le32(0xC013000D)
+#define STATUS_CLUSTER_NODE_NOT_MEMBER cpu_to_le32(0xC013000E)
+#define STATUS_CLUSTER_JOIN_NOT_IN_PROGRESS cpu_to_le32(0xC013000F)
+#define STATUS_CLUSTER_INVALID_NETWORK cpu_to_le32(0xC0130010)
+#define STATUS_CLUSTER_NO_NET_ADAPTERS cpu_to_le32(0xC0130011)
+#define STATUS_CLUSTER_NODE_UP cpu_to_le32(0xC0130012)
+#define STATUS_CLUSTER_NODE_PAUSED cpu_to_le32(0xC0130013)
+#define STATUS_CLUSTER_NODE_NOT_PAUSED cpu_to_le32(0xC0130014)
+#define STATUS_CLUSTER_NO_SECURITY_CONTEXT cpu_to_le32(0xC0130015)
+#define STATUS_CLUSTER_NETWORK_NOT_INTERNAL cpu_to_le32(0xC0130016)
+#define STATUS_CLUSTER_POISONED cpu_to_le32(0xC0130017)
+#define STATUS_ACPI_INVALID_OPCODE cpu_to_le32(0xC0140001)
+#define STATUS_ACPI_STACK_OVERFLOW cpu_to_le32(0xC0140002)
+#define STATUS_ACPI_ASSERT_FAILED cpu_to_le32(0xC0140003)
+#define STATUS_ACPI_INVALID_INDEX cpu_to_le32(0xC0140004)
+#define STATUS_ACPI_INVALID_ARGUMENT cpu_to_le32(0xC0140005)
+#define STATUS_ACPI_FATAL cpu_to_le32(0xC0140006)
+#define STATUS_ACPI_INVALID_SUPERNAME cpu_to_le32(0xC0140007)
+#define STATUS_ACPI_INVALID_ARGTYPE cpu_to_le32(0xC0140008)
+#define STATUS_ACPI_INVALID_OBJTYPE cpu_to_le32(0xC0140009)
+#define STATUS_ACPI_INVALID_TARGETTYPE cpu_to_le32(0xC014000A)
+#define STATUS_ACPI_INCORRECT_ARGUMENT_COUNT cpu_to_le32(0xC014000B)
+#define STATUS_ACPI_ADDRESS_NOT_MAPPED cpu_to_le32(0xC014000C)
+#define STATUS_ACPI_INVALID_EVENTTYPE cpu_to_le32(0xC014000D)
+#define STATUS_ACPI_HANDLER_COLLISION cpu_to_le32(0xC014000E)
+#define STATUS_ACPI_INVALID_DATA cpu_to_le32(0xC014000F)
+#define STATUS_ACPI_INVALID_REGION cpu_to_le32(0xC0140010)
+#define STATUS_ACPI_INVALID_ACCESS_SIZE cpu_to_le32(0xC0140011)
+#define STATUS_ACPI_ACQUIRE_GLOBAL_LOCK cpu_to_le32(0xC0140012)
+#define STATUS_ACPI_ALREADY_INITIALIZED cpu_to_le32(0xC0140013)
+#define STATUS_ACPI_NOT_INITIALIZED cpu_to_le32(0xC0140014)
+#define STATUS_ACPI_INVALID_MUTEX_LEVEL cpu_to_le32(0xC0140015)
+#define STATUS_ACPI_MUTEX_NOT_OWNED cpu_to_le32(0xC0140016)
+#define STATUS_ACPI_MUTEX_NOT_OWNER cpu_to_le32(0xC0140017)
+#define STATUS_ACPI_RS_ACCESS cpu_to_le32(0xC0140018)
+#define STATUS_ACPI_INVALID_TABLE cpu_to_le32(0xC0140019)
+#define STATUS_ACPI_REG_HANDLER_FAILED cpu_to_le32(0xC0140020)
+#define STATUS_ACPI_POWER_REQUEST_FAILED cpu_to_le32(0xC0140021)
+#define STATUS_SXS_SECTION_NOT_FOUND cpu_to_le32(0xC0150001)
+#define STATUS_SXS_CANT_GEN_ACTCTX cpu_to_le32(0xC0150002)
+#define STATUS_SXS_INVALID_ACTCTXDATA_FORMAT cpu_to_le32(0xC0150003)
+#define STATUS_SXS_ASSEMBLY_NOT_FOUND cpu_to_le32(0xC0150004)
+#define STATUS_SXS_MANIFEST_FORMAT_ERROR cpu_to_le32(0xC0150005)
+#define STATUS_SXS_MANIFEST_PARSE_ERROR cpu_to_le32(0xC0150006)
+#define STATUS_SXS_ACTIVATION_CONTEXT_DISABLED cpu_to_le32(0xC0150007)
+#define STATUS_SXS_KEY_NOT_FOUND cpu_to_le32(0xC0150008)
+#define STATUS_SXS_VERSION_CONFLICT cpu_to_le32(0xC0150009)
+#define STATUS_SXS_WRONG_SECTION_TYPE cpu_to_le32(0xC015000A)
+#define STATUS_SXS_THREAD_QUERIES_DISABLED cpu_to_le32(0xC015000B)
+#define STATUS_SXS_ASSEMBLY_MISSING cpu_to_le32(0xC015000C)
+#define STATUS_SXS_PROCESS_DEFAULT_ALREADY_SET cpu_to_le32(0xC015000E)
+#define STATUS_SXS_EARLY_DEACTIVATION cpu_to_le32(0xC015000F)
+#define STATUS_SXS_INVALID_DEACTIVATION cpu_to_le32(0xC0150010)
+#define STATUS_SXS_MULTIPLE_DEACTIVATION cpu_to_le32(0xC0150011)
+#define STATUS_SXS_SYSTEM_DEFAULT_ACTIVATION_CONTEXT_EMPTY \
+ cpu_to_le32(0xC0150012)
+#define STATUS_SXS_PROCESS_TERMINATION_REQUESTED cpu_to_le32(0xC0150013)
+#define STATUS_SXS_CORRUPT_ACTIVATION_STACK cpu_to_le32(0xC0150014)
+#define STATUS_SXS_CORRUPTION cpu_to_le32(0xC0150015)
+#define STATUS_SXS_INVALID_IDENTITY_ATTRIBUTE_VALUE cpu_to_le32(0xC0150016)
+#define STATUS_SXS_INVALID_IDENTITY_ATTRIBUTE_NAME cpu_to_le32(0xC0150017)
+#define STATUS_SXS_IDENTITY_DUPLICATE_ATTRIBUTE cpu_to_le32(0xC0150018)
+#define STATUS_SXS_IDENTITY_PARSE_ERROR cpu_to_le32(0xC0150019)
+#define STATUS_SXS_COMPONENT_STORE_CORRUPT cpu_to_le32(0xC015001A)
+#define STATUS_SXS_FILE_HASH_MISMATCH cpu_to_le32(0xC015001B)
+#define STATUS_SXS_MANIFEST_IDENTITY_SAME_BUT_CONTENTS_DIFFERENT \
+ cpu_to_le32(0xC015001C)
+#define STATUS_SXS_IDENTITIES_DIFFERENT cpu_to_le32(0xC015001D)
+#define STATUS_SXS_ASSEMBLY_IS_NOT_A_DEPLOYMENT cpu_to_le32(0xC015001E)
+#define STATUS_SXS_FILE_NOT_PART_OF_ASSEMBLY cpu_to_le32(0xC015001F)
+#define STATUS_ADVANCED_INSTALLER_FAILED cpu_to_le32(0xC0150020)
+#define STATUS_XML_ENCODING_MISMATCH cpu_to_le32(0xC0150021)
+#define STATUS_SXS_MANIFEST_TOO_BIG cpu_to_le32(0xC0150022)
+#define STATUS_SXS_SETTING_NOT_REGISTERED cpu_to_le32(0xC0150023)
+#define STATUS_SXS_TRANSACTION_CLOSURE_INCOMPLETE cpu_to_le32(0xC0150024)
+#define STATUS_SMI_PRIMITIVE_INSTALLER_FAILED cpu_to_le32(0xC0150025)
+#define STATUS_GENERIC_COMMAND_FAILED cpu_to_le32(0xC0150026)
+#define STATUS_SXS_FILE_HASH_MISSING cpu_to_le32(0xC0150027)
+#define STATUS_TRANSACTIONAL_CONFLICT cpu_to_le32(0xC0190001)
+#define STATUS_INVALID_TRANSACTION cpu_to_le32(0xC0190002)
+#define STATUS_TRANSACTION_NOT_ACTIVE cpu_to_le32(0xC0190003)
+#define STATUS_TM_INITIALIZATION_FAILED cpu_to_le32(0xC0190004)
+#define STATUS_RM_NOT_ACTIVE cpu_to_le32(0xC0190005)
+#define STATUS_RM_METADATA_CORRUPT cpu_to_le32(0xC0190006)
+#define STATUS_TRANSACTION_NOT_JOINED cpu_to_le32(0xC0190007)
+#define STATUS_DIRECTORY_NOT_RM cpu_to_le32(0xC0190008)
+#define STATUS_TRANSACTIONS_UNSUPPORTED_REMOTE cpu_to_le32(0xC019000A)
+#define STATUS_LOG_RESIZE_INVALID_SIZE cpu_to_le32(0xC019000B)
+#define STATUS_REMOTE_FILE_VERSION_MISMATCH cpu_to_le32(0xC019000C)
+#define STATUS_CRM_PROTOCOL_ALREADY_EXISTS cpu_to_le32(0xC019000F)
+#define STATUS_TRANSACTION_PROPAGATION_FAILED cpu_to_le32(0xC0190010)
+#define STATUS_CRM_PROTOCOL_NOT_FOUND cpu_to_le32(0xC0190011)
+#define STATUS_TRANSACTION_SUPERIOR_EXISTS cpu_to_le32(0xC0190012)
+#define STATUS_TRANSACTION_REQUEST_NOT_VALID cpu_to_le32(0xC0190013)
+#define STATUS_TRANSACTION_NOT_REQUESTED cpu_to_le32(0xC0190014)
+#define STATUS_TRANSACTION_ALREADY_ABORTED cpu_to_le32(0xC0190015)
+#define STATUS_TRANSACTION_ALREADY_COMMITTED cpu_to_le32(0xC0190016)
+#define STATUS_TRANSACTION_INVALID_MARSHALL_BUFFER cpu_to_le32(0xC0190017)
+#define STATUS_CURRENT_TRANSACTION_NOT_VALID cpu_to_le32(0xC0190018)
+#define STATUS_LOG_GROWTH_FAILED cpu_to_le32(0xC0190019)
+#define STATUS_OBJECT_NO_LONGER_EXISTS cpu_to_le32(0xC0190021)
+#define STATUS_STREAM_MINIVERSION_NOT_FOUND cpu_to_le32(0xC0190022)
+#define STATUS_STREAM_MINIVERSION_NOT_VALID cpu_to_le32(0xC0190023)
+#define STATUS_MINIVERSION_INACCESSIBLE_FROM_SPECIFIED_TRANSACTION \
+ cpu_to_le32(0xC0190024)
+#define STATUS_CANT_OPEN_MINIVERSION_WITH_MODIFY_INTENT cpu_to_le32(0xC0190025)
+#define STATUS_CANT_CREATE_MORE_STREAM_MINIVERSIONS cpu_to_le32(0xC0190026)
+#define STATUS_HANDLE_NO_LONGER_VALID cpu_to_le32(0xC0190028)
+#define STATUS_LOG_CORRUPTION_DETECTED cpu_to_le32(0xC0190030)
+#define STATUS_RM_DISCONNECTED cpu_to_le32(0xC0190032)
+#define STATUS_ENLISTMENT_NOT_SUPERIOR cpu_to_le32(0xC0190033)
+#define STATUS_FILE_IDENTITY_NOT_PERSISTENT cpu_to_le32(0xC0190036)
+#define STATUS_CANT_BREAK_TRANSACTIONAL_DEPENDENCY cpu_to_le32(0xC0190037)
+#define STATUS_CANT_CROSS_RM_BOUNDARY cpu_to_le32(0xC0190038)
+#define STATUS_TXF_DIR_NOT_EMPTY cpu_to_le32(0xC0190039)
+#define STATUS_INDOUBT_TRANSACTIONS_EXIST cpu_to_le32(0xC019003A)
+#define STATUS_TM_VOLATILE cpu_to_le32(0xC019003B)
+#define STATUS_ROLLBACK_TIMER_EXPIRED cpu_to_le32(0xC019003C)
+#define STATUS_TXF_ATTRIBUTE_CORRUPT cpu_to_le32(0xC019003D)
+#define STATUS_EFS_NOT_ALLOWED_IN_TRANSACTION cpu_to_le32(0xC019003E)
+#define STATUS_TRANSACTIONAL_OPEN_NOT_ALLOWED cpu_to_le32(0xC019003F)
+#define STATUS_TRANSACTED_MAPPING_UNSUPPORTED_REMOTE cpu_to_le32(0xC0190040)
+#define STATUS_TRANSACTION_REQUIRED_PROMOTION cpu_to_le32(0xC0190043)
+#define STATUS_CANNOT_EXECUTE_FILE_IN_TRANSACTION cpu_to_le32(0xC0190044)
+#define STATUS_TRANSACTIONS_NOT_FROZEN cpu_to_le32(0xC0190045)
+#define STATUS_TRANSACTION_FREEZE_IN_PROGRESS cpu_to_le32(0xC0190046)
+#define STATUS_NOT_SNAPSHOT_VOLUME cpu_to_le32(0xC0190047)
+#define STATUS_NO_SAVEPOINT_WITH_OPEN_FILES cpu_to_le32(0xC0190048)
+#define STATUS_SPARSE_NOT_ALLOWED_IN_TRANSACTION cpu_to_le32(0xC0190049)
+#define STATUS_TM_IDENTITY_MISMATCH cpu_to_le32(0xC019004A)
+#define STATUS_FLOATED_SECTION cpu_to_le32(0xC019004B)
+#define STATUS_CANNOT_ACCEPT_TRANSACTED_WORK cpu_to_le32(0xC019004C)
+#define STATUS_CANNOT_ABORT_TRANSACTIONS cpu_to_le32(0xC019004D)
+#define STATUS_TRANSACTION_NOT_FOUND cpu_to_le32(0xC019004E)
+#define STATUS_RESOURCEMANAGER_NOT_FOUND cpu_to_le32(0xC019004F)
+#define STATUS_ENLISTMENT_NOT_FOUND cpu_to_le32(0xC0190050)
+#define STATUS_TRANSACTIONMANAGER_NOT_FOUND cpu_to_le32(0xC0190051)
+#define STATUS_TRANSACTIONMANAGER_NOT_ONLINE cpu_to_le32(0xC0190052)
+#define STATUS_TRANSACTIONMANAGER_RECOVERY_NAME_COLLISION \
+ cpu_to_le32(0xC0190053)
+#define STATUS_TRANSACTION_NOT_ROOT cpu_to_le32(0xC0190054)
+#define STATUS_TRANSACTION_OBJECT_EXPIRED cpu_to_le32(0xC0190055)
+#define STATUS_COMPRESSION_NOT_ALLOWED_IN_TRANSACTION cpu_to_le32(0xC0190056)
+#define STATUS_TRANSACTION_RESPONSE_NOT_ENLISTED cpu_to_le32(0xC0190057)
+#define STATUS_TRANSACTION_RECORD_TOO_LONG cpu_to_le32(0xC0190058)
+#define STATUS_NO_LINK_TRACKING_IN_TRANSACTION cpu_to_le32(0xC0190059)
+#define STATUS_OPERATION_NOT_SUPPORTED_IN_TRANSACTION cpu_to_le32(0xC019005A)
+#define STATUS_TRANSACTION_INTEGRITY_VIOLATED cpu_to_le32(0xC019005B)
+#define STATUS_LOG_SECTOR_INVALID cpu_to_le32(0xC01A0001)
+#define STATUS_LOG_SECTOR_PARITY_INVALID cpu_to_le32(0xC01A0002)
+#define STATUS_LOG_SECTOR_REMAPPED cpu_to_le32(0xC01A0003)
+#define STATUS_LOG_BLOCK_INCOMPLETE cpu_to_le32(0xC01A0004)
+#define STATUS_LOG_INVALID_RANGE cpu_to_le32(0xC01A0005)
+#define STATUS_LOG_BLOCKS_EXHAUSTED cpu_to_le32(0xC01A0006)
+#define STATUS_LOG_READ_CONTEXT_INVALID cpu_to_le32(0xC01A0007)
+#define STATUS_LOG_RESTART_INVALID cpu_to_le32(0xC01A0008)
+#define STATUS_LOG_BLOCK_VERSION cpu_to_le32(0xC01A0009)
+#define STATUS_LOG_BLOCK_INVALID cpu_to_le32(0xC01A000A)
+#define STATUS_LOG_READ_MODE_INVALID cpu_to_le32(0xC01A000B)
+#define STATUS_LOG_METADATA_CORRUPT cpu_to_le32(0xC01A000D)
+#define STATUS_LOG_METADATA_INVALID cpu_to_le32(0xC01A000E)
+#define STATUS_LOG_METADATA_INCONSISTENT cpu_to_le32(0xC01A000F)
+#define STATUS_LOG_RESERVATION_INVALID cpu_to_le32(0xC01A0010)
+#define STATUS_LOG_CANT_DELETE cpu_to_le32(0xC01A0011)
+#define STATUS_LOG_CONTAINER_LIMIT_EXCEEDED cpu_to_le32(0xC01A0012)
+#define STATUS_LOG_START_OF_LOG cpu_to_le32(0xC01A0013)
+#define STATUS_LOG_POLICY_ALREADY_INSTALLED cpu_to_le32(0xC01A0014)
+#define STATUS_LOG_POLICY_NOT_INSTALLED cpu_to_le32(0xC01A0015)
+#define STATUS_LOG_POLICY_INVALID cpu_to_le32(0xC01A0016)
+#define STATUS_LOG_POLICY_CONFLICT cpu_to_le32(0xC01A0017)
+#define STATUS_LOG_PINNED_ARCHIVE_TAIL cpu_to_le32(0xC01A0018)
+#define STATUS_LOG_RECORD_NONEXISTENT cpu_to_le32(0xC01A0019)
+#define STATUS_LOG_RECORDS_RESERVED_INVALID cpu_to_le32(0xC01A001A)
+#define STATUS_LOG_SPACE_RESERVED_INVALID cpu_to_le32(0xC01A001B)
+#define STATUS_LOG_TAIL_INVALID cpu_to_le32(0xC01A001C)
+#define STATUS_LOG_FULL cpu_to_le32(0xC01A001D)
+#define STATUS_LOG_MULTIPLEXED cpu_to_le32(0xC01A001E)
+#define STATUS_LOG_DEDICATED cpu_to_le32(0xC01A001F)
+#define STATUS_LOG_ARCHIVE_NOT_IN_PROGRESS cpu_to_le32(0xC01A0020)
+#define STATUS_LOG_ARCHIVE_IN_PROGRESS cpu_to_le32(0xC01A0021)
+#define STATUS_LOG_EPHEMERAL cpu_to_le32(0xC01A0022)
+#define STATUS_LOG_NOT_ENOUGH_CONTAINERS cpu_to_le32(0xC01A0023)
+#define STATUS_LOG_CLIENT_ALREADY_REGISTERED cpu_to_le32(0xC01A0024)
+#define STATUS_LOG_CLIENT_NOT_REGISTERED cpu_to_le32(0xC01A0025)
+#define STATUS_LOG_FULL_HANDLER_IN_PROGRESS cpu_to_le32(0xC01A0026)
+#define STATUS_LOG_CONTAINER_READ_FAILED cpu_to_le32(0xC01A0027)
+#define STATUS_LOG_CONTAINER_WRITE_FAILED cpu_to_le32(0xC01A0028)
+#define STATUS_LOG_CONTAINER_OPEN_FAILED cpu_to_le32(0xC01A0029)
+#define STATUS_LOG_CONTAINER_STATE_INVALID cpu_to_le32(0xC01A002A)
+#define STATUS_LOG_STATE_INVALID cpu_to_le32(0xC01A002B)
+#define STATUS_LOG_PINNED cpu_to_le32(0xC01A002C)
+#define STATUS_LOG_METADATA_FLUSH_FAILED cpu_to_le32(0xC01A002D)
+#define STATUS_LOG_INCONSISTENT_SECURITY cpu_to_le32(0xC01A002E)
+#define STATUS_LOG_APPENDED_FLUSH_FAILED cpu_to_le32(0xC01A002F)
+#define STATUS_LOG_PINNED_RESERVATION cpu_to_le32(0xC01A0030)
+#define STATUS_VIDEO_HUNG_DISPLAY_DRIVER_THREAD cpu_to_le32(0xC01B00EA)
+#define STATUS_FLT_NO_HANDLER_DEFINED cpu_to_le32(0xC01C0001)
+#define STATUS_FLT_CONTEXT_ALREADY_DEFINED cpu_to_le32(0xC01C0002)
+#define STATUS_FLT_INVALID_ASYNCHRONOUS_REQUEST cpu_to_le32(0xC01C0003)
+#define STATUS_FLT_DISALLOW_FAST_IO cpu_to_le32(0xC01C0004)
+#define STATUS_FLT_INVALID_NAME_REQUEST cpu_to_le32(0xC01C0005)
+#define STATUS_FLT_NOT_SAFE_TO_POST_OPERATION cpu_to_le32(0xC01C0006)
+#define STATUS_FLT_NOT_INITIALIZED cpu_to_le32(0xC01C0007)
+#define STATUS_FLT_FILTER_NOT_READY cpu_to_le32(0xC01C0008)
+#define STATUS_FLT_POST_OPERATION_CLEANUP cpu_to_le32(0xC01C0009)
+#define STATUS_FLT_INTERNAL_ERROR cpu_to_le32(0xC01C000A)
+#define STATUS_FLT_DELETING_OBJECT cpu_to_le32(0xC01C000B)
+#define STATUS_FLT_MUST_BE_NONPAGED_POOL cpu_to_le32(0xC01C000C)
+#define STATUS_FLT_DUPLICATE_ENTRY cpu_to_le32(0xC01C000D)
+#define STATUS_FLT_CBDQ_DISABLED cpu_to_le32(0xC01C000E)
+#define STATUS_FLT_DO_NOT_ATTACH cpu_to_le32(0xC01C000F)
+#define STATUS_FLT_DO_NOT_DETACH cpu_to_le32(0xC01C0010)
+#define STATUS_FLT_INSTANCE_ALTITUDE_COLLISION cpu_to_le32(0xC01C0011)
+#define STATUS_FLT_INSTANCE_NAME_COLLISION cpu_to_le32(0xC01C0012)
+#define STATUS_FLT_FILTER_NOT_FOUND cpu_to_le32(0xC01C0013)
+#define STATUS_FLT_VOLUME_NOT_FOUND cpu_to_le32(0xC01C0014)
+#define STATUS_FLT_INSTANCE_NOT_FOUND cpu_to_le32(0xC01C0015)
+#define STATUS_FLT_CONTEXT_ALLOCATION_NOT_FOUND cpu_to_le32(0xC01C0016)
+#define STATUS_FLT_INVALID_CONTEXT_REGISTRATION cpu_to_le32(0xC01C0017)
+#define STATUS_FLT_NAME_CACHE_MISS cpu_to_le32(0xC01C0018)
+#define STATUS_FLT_NO_DEVICE_OBJECT cpu_to_le32(0xC01C0019)
+#define STATUS_FLT_VOLUME_ALREADY_MOUNTED cpu_to_le32(0xC01C001A)
+#define STATUS_FLT_ALREADY_ENLISTED cpu_to_le32(0xC01C001B)
+#define STATUS_FLT_CONTEXT_ALREADY_LINKED cpu_to_le32(0xC01C001C)
+#define STATUS_FLT_NO_WAITER_FOR_REPLY cpu_to_le32(0xC01C0020)
+#define STATUS_MONITOR_NO_DESCRIPTOR cpu_to_le32(0xC01D0001)
+#define STATUS_MONITOR_UNKNOWN_DESCRIPTOR_FORMAT cpu_to_le32(0xC01D0002)
+#define STATUS_MONITOR_INVALID_DESCRIPTOR_CHECKSUM cpu_to_le32(0xC01D0003)
+#define STATUS_MONITOR_INVALID_STANDARD_TIMING_BLOCK cpu_to_le32(0xC01D0004)
+#define STATUS_MONITOR_WMI_DATABLOCK_REGISTRATION_FAILED cpu_to_le32(0xC01D0005)
+#define STATUS_MONITOR_INVALID_SERIAL_NUMBER_MONDSC_BLOCK \
+ cpu_to_le32(0xC01D0006)
+#define STATUS_MONITOR_INVALID_USER_FRIENDLY_MONDSC_BLOCK \
+ cpu_to_le32(0xC01D0007)
+#define STATUS_MONITOR_NO_MORE_DESCRIPTOR_DATA cpu_to_le32(0xC01D0008)
+#define STATUS_MONITOR_INVALID_DETAILED_TIMING_BLOCK cpu_to_le32(0xC01D0009)
+#define STATUS_GRAPHICS_NOT_EXCLUSIVE_MODE_OWNER cpu_to_le32(0xC01E0000)
+#define STATUS_GRAPHICS_INSUFFICIENT_DMA_BUFFER cpu_to_le32(0xC01E0001)
+#define STATUS_GRAPHICS_INVALID_DISPLAY_ADAPTER cpu_to_le32(0xC01E0002)
+#define STATUS_GRAPHICS_ADAPTER_WAS_RESET cpu_to_le32(0xC01E0003)
+#define STATUS_GRAPHICS_INVALID_DRIVER_MODEL cpu_to_le32(0xC01E0004)
+#define STATUS_GRAPHICS_PRESENT_MODE_CHANGED cpu_to_le32(0xC01E0005)
+#define STATUS_GRAPHICS_PRESENT_OCCLUDED cpu_to_le32(0xC01E0006)
+#define STATUS_GRAPHICS_PRESENT_DENIED cpu_to_le32(0xC01E0007)
+#define STATUS_GRAPHICS_CANNOTCOLORCONVERT cpu_to_le32(0xC01E0008)
+#define STATUS_GRAPHICS_NO_VIDEO_MEMORY cpu_to_le32(0xC01E0100)
+#define STATUS_GRAPHICS_CANT_LOCK_MEMORY cpu_to_le32(0xC01E0101)
+#define STATUS_GRAPHICS_ALLOCATION_BUSY cpu_to_le32(0xC01E0102)
+#define STATUS_GRAPHICS_TOO_MANY_REFERENCES cpu_to_le32(0xC01E0103)
+#define STATUS_GRAPHICS_TRY_AGAIN_LATER cpu_to_le32(0xC01E0104)
+#define STATUS_GRAPHICS_TRY_AGAIN_NOW cpu_to_le32(0xC01E0105)
+#define STATUS_GRAPHICS_ALLOCATION_INVALID cpu_to_le32(0xC01E0106)
+#define STATUS_GRAPHICS_UNSWIZZLING_APERTURE_UNAVAILABLE cpu_to_le32(0xC01E0107)
+#define STATUS_GRAPHICS_UNSWIZZLING_APERTURE_UNSUPPORTED cpu_to_le32(0xC01E0108)
+#define STATUS_GRAPHICS_CANT_EVICT_PINNED_ALLOCATION cpu_to_le32(0xC01E0109)
+#define STATUS_GRAPHICS_INVALID_ALLOCATION_USAGE cpu_to_le32(0xC01E0110)
+#define STATUS_GRAPHICS_CANT_RENDER_LOCKED_ALLOCATION cpu_to_le32(0xC01E0111)
+#define STATUS_GRAPHICS_ALLOCATION_CLOSED cpu_to_le32(0xC01E0112)
+#define STATUS_GRAPHICS_INVALID_ALLOCATION_INSTANCE cpu_to_le32(0xC01E0113)
+#define STATUS_GRAPHICS_INVALID_ALLOCATION_HANDLE cpu_to_le32(0xC01E0114)
+#define STATUS_GRAPHICS_WRONG_ALLOCATION_DEVICE cpu_to_le32(0xC01E0115)
+#define STATUS_GRAPHICS_ALLOCATION_CONTENT_LOST cpu_to_le32(0xC01E0116)
+#define STATUS_GRAPHICS_GPU_EXCEPTION_ON_DEVICE cpu_to_le32(0xC01E0200)
+#define STATUS_GRAPHICS_INVALID_VIDPN_TOPOLOGY cpu_to_le32(0xC01E0300)
+#define STATUS_GRAPHICS_VIDPN_TOPOLOGY_NOT_SUPPORTED cpu_to_le32(0xC01E0301)
+#define STATUS_GRAPHICS_VIDPN_TOPOLOGY_CURRENTLY_NOT_SUPPORTED \
+ cpu_to_le32(0xC01E0302)
+#define STATUS_GRAPHICS_INVALID_VIDPN cpu_to_le32(0xC01E0303)
+#define STATUS_GRAPHICS_INVALID_VIDEO_PRESENT_SOURCE cpu_to_le32(0xC01E0304)
+#define STATUS_GRAPHICS_INVALID_VIDEO_PRESENT_TARGET cpu_to_le32(0xC01E0305)
+#define STATUS_GRAPHICS_VIDPN_MODALITY_NOT_SUPPORTED cpu_to_le32(0xC01E0306)
+#define STATUS_GRAPHICS_INVALID_VIDPN_SOURCEMODESET cpu_to_le32(0xC01E0308)
+#define STATUS_GRAPHICS_INVALID_VIDPN_TARGETMODESET cpu_to_le32(0xC01E0309)
+#define STATUS_GRAPHICS_INVALID_FREQUENCY cpu_to_le32(0xC01E030A)
+#define STATUS_GRAPHICS_INVALID_ACTIVE_REGION cpu_to_le32(0xC01E030B)
+#define STATUS_GRAPHICS_INVALID_TOTAL_REGION cpu_to_le32(0xC01E030C)
+#define STATUS_GRAPHICS_INVALID_VIDEO_PRESENT_SOURCE_MODE \
+ cpu_to_le32(0xC01E0310)
+#define STATUS_GRAPHICS_INVALID_VIDEO_PRESENT_TARGET_MODE \
+ cpu_to_le32(0xC01E0311)
+#define STATUS_GRAPHICS_PINNED_MODE_MUST_REMAIN_IN_SET cpu_to_le32(0xC01E0312)
+#define STATUS_GRAPHICS_PATH_ALREADY_IN_TOPOLOGY cpu_to_le32(0xC01E0313)
+#define STATUS_GRAPHICS_MODE_ALREADY_IN_MODESET cpu_to_le32(0xC01E0314)
+#define STATUS_GRAPHICS_INVALID_VIDEOPRESENTSOURCESET cpu_to_le32(0xC01E0315)
+#define STATUS_GRAPHICS_INVALID_VIDEOPRESENTTARGETSET cpu_to_le32(0xC01E0316)
+#define STATUS_GRAPHICS_SOURCE_ALREADY_IN_SET cpu_to_le32(0xC01E0317)
+#define STATUS_GRAPHICS_TARGET_ALREADY_IN_SET cpu_to_le32(0xC01E0318)
+#define STATUS_GRAPHICS_INVALID_VIDPN_PRESENT_PATH cpu_to_le32(0xC01E0319)
+#define STATUS_GRAPHICS_NO_RECOMMENDED_VIDPN_TOPOLOGY cpu_to_le32(0xC01E031A)
+#define STATUS_GRAPHICS_INVALID_MONITOR_FREQUENCYRANGESET \
+ cpu_to_le32(0xC01E031B)
+#define STATUS_GRAPHICS_INVALID_MONITOR_FREQUENCYRANGE cpu_to_le32(0xC01E031C)
+#define STATUS_GRAPHICS_FREQUENCYRANGE_NOT_IN_SET cpu_to_le32(0xC01E031D)
+#define STATUS_GRAPHICS_FREQUENCYRANGE_ALREADY_IN_SET cpu_to_le32(0xC01E031F)
+#define STATUS_GRAPHICS_STALE_MODESET cpu_to_le32(0xC01E0320)
+#define STATUS_GRAPHICS_INVALID_MONITOR_SOURCEMODESET cpu_to_le32(0xC01E0321)
+#define STATUS_GRAPHICS_INVALID_MONITOR_SOURCE_MODE cpu_to_le32(0xC01E0322)
+#define STATUS_GRAPHICS_NO_RECOMMENDED_FUNCTIONAL_VIDPN cpu_to_le32(0xC01E0323)
+#define STATUS_GRAPHICS_MODE_ID_MUST_BE_UNIQUE cpu_to_le32(0xC01E0324)
+#define STATUS_GRAPHICS_EMPTY_ADAPTER_MONITOR_MODE_SUPPORT_INTERSECTION \
+ cpu_to_le32(0xC01E0325)
+#define STATUS_GRAPHICS_VIDEO_PRESENT_TARGETS_LESS_THAN_SOURCES \
+ cpu_to_le32(0xC01E0326)
+#define STATUS_GRAPHICS_PATH_NOT_IN_TOPOLOGY cpu_to_le32(0xC01E0327)
+#define STATUS_GRAPHICS_ADAPTER_MUST_HAVE_AT_LEAST_ONE_SOURCE \
+ cpu_to_le32(0xC01E0328)
+#define STATUS_GRAPHICS_ADAPTER_MUST_HAVE_AT_LEAST_ONE_TARGET \
+ cpu_to_le32(0xC01E0329)
+#define STATUS_GRAPHICS_INVALID_MONITORDESCRIPTORSET cpu_to_le32(0xC01E032A)
+#define STATUS_GRAPHICS_INVALID_MONITORDESCRIPTOR cpu_to_le32(0xC01E032B)
+#define STATUS_GRAPHICS_MONITORDESCRIPTOR_NOT_IN_SET cpu_to_le32(0xC01E032C)
+#define STATUS_GRAPHICS_MONITORDESCRIPTOR_ALREADY_IN_SET cpu_to_le32(0xC01E032D)
+#define STATUS_GRAPHICS_MONITORDESCRIPTOR_ID_MUST_BE_UNIQUE \
+ cpu_to_le32(0xC01E032E)
+#define STATUS_GRAPHICS_INVALID_VIDPN_TARGET_SUBSET_TYPE cpu_to_le32(0xC01E032F)
+#define STATUS_GRAPHICS_RESOURCES_NOT_RELATED cpu_to_le32(0xC01E0330)
+#define STATUS_GRAPHICS_SOURCE_ID_MUST_BE_UNIQUE cpu_to_le32(0xC01E0331)
+#define STATUS_GRAPHICS_TARGET_ID_MUST_BE_UNIQUE cpu_to_le32(0xC01E0332)
+#define STATUS_GRAPHICS_NO_AVAILABLE_VIDPN_TARGET cpu_to_le32(0xC01E0333)
+#define STATUS_GRAPHICS_MONITOR_COULD_NOT_BE_ASSOCIATED_WITH_ADAPTER \
+ cpu_to_le32(0xC01E0334)
+#define STATUS_GRAPHICS_NO_VIDPNMGR cpu_to_le32(0xC01E0335)
+#define STATUS_GRAPHICS_NO_ACTIVE_VIDPN cpu_to_le32(0xC01E0336)
+#define STATUS_GRAPHICS_STALE_VIDPN_TOPOLOGY cpu_to_le32(0xC01E0337)
+#define STATUS_GRAPHICS_MONITOR_NOT_CONNECTED cpu_to_le32(0xC01E0338)
+#define STATUS_GRAPHICS_SOURCE_NOT_IN_TOPOLOGY cpu_to_le32(0xC01E0339)
+#define STATUS_GRAPHICS_INVALID_PRIMARYSURFACE_SIZE cpu_to_le32(0xC01E033A)
+#define STATUS_GRAPHICS_INVALID_VISIBLEREGION_SIZE cpu_to_le32(0xC01E033B)
+#define STATUS_GRAPHICS_INVALID_STRIDE cpu_to_le32(0xC01E033C)
+#define STATUS_GRAPHICS_INVALID_PIXELFORMAT cpu_to_le32(0xC01E033D)
+#define STATUS_GRAPHICS_INVALID_COLORBASIS cpu_to_le32(0xC01E033E)
+#define STATUS_GRAPHICS_INVALID_PIXELVALUEACCESSMODE cpu_to_le32(0xC01E033F)
+#define STATUS_GRAPHICS_TARGET_NOT_IN_TOPOLOGY cpu_to_le32(0xC01E0340)
+#define STATUS_GRAPHICS_NO_DISPLAY_MODE_MANAGEMENT_SUPPORT \
+ cpu_to_le32(0xC01E0341)
+#define STATUS_GRAPHICS_VIDPN_SOURCE_IN_USE cpu_to_le32(0xC01E0342)
+#define STATUS_GRAPHICS_CANT_ACCESS_ACTIVE_VIDPN cpu_to_le32(0xC01E0343)
+#define STATUS_GRAPHICS_INVALID_PATH_IMPORTANCE_ORDINAL cpu_to_le32(0xC01E0344)
+#define STATUS_GRAPHICS_INVALID_PATH_CONTENT_GEOMETRY_TRANSFORMATION \
+ cpu_to_le32(0xC01E0345)
+#define STATUS_GRAPHICS_PATH_CONTENT_GEOMETRY_TRANSFORMATION_NOT_SUPPORTED \
+ cpu_to_le32(0xC01E0346)
+#define STATUS_GRAPHICS_INVALID_GAMMA_RAMP cpu_to_le32(0xC01E0347)
+#define STATUS_GRAPHICS_GAMMA_RAMP_NOT_SUPPORTED cpu_to_le32(0xC01E0348)
+#define STATUS_GRAPHICS_MULTISAMPLING_NOT_SUPPORTED cpu_to_le32(0xC01E0349)
+#define STATUS_GRAPHICS_MODE_NOT_IN_MODESET cpu_to_le32(0xC01E034A)
+#define STATUS_GRAPHICS_INVALID_VIDPN_TOPOLOGY_RECOMMENDATION_REASON \
+ cpu_to_le32(0xC01E034D)
+#define STATUS_GRAPHICS_INVALID_PATH_CONTENT_TYPE cpu_to_le32(0xC01E034E)
+#define STATUS_GRAPHICS_INVALID_COPYPROTECTION_TYPE cpu_to_le32(0xC01E034F)
+#define STATUS_GRAPHICS_UNASSIGNED_MODESET_ALREADY_EXISTS \
+ cpu_to_le32(0xC01E0350)
+#define STATUS_GRAPHICS_INVALID_SCANLINE_ORDERING cpu_to_le32(0xC01E0352)
+#define STATUS_GRAPHICS_TOPOLOGY_CHANGES_NOT_ALLOWED cpu_to_le32(0xC01E0353)
+#define STATUS_GRAPHICS_NO_AVAILABLE_IMPORTANCE_ORDINALS cpu_to_le32(0xC01E0354)
+#define STATUS_GRAPHICS_INCOMPATIBLE_PRIVATE_FORMAT cpu_to_le32(0xC01E0355)
+#define STATUS_GRAPHICS_INVALID_MODE_PRUNING_ALGORITHM cpu_to_le32(0xC01E0356)
+#define STATUS_GRAPHICS_INVALID_MONITOR_CAPABILITY_ORIGIN \
+ cpu_to_le32(0xC01E0357)
+#define STATUS_GRAPHICS_INVALID_MONITOR_FREQUENCYRANGE_CONSTRAINT \
+ cpu_to_le32(0xC01E0358)
+#define STATUS_GRAPHICS_MAX_NUM_PATHS_REACHED cpu_to_le32(0xC01E0359)
+#define STATUS_GRAPHICS_CANCEL_VIDPN_TOPOLOGY_AUGMENTATION \
+ cpu_to_le32(0xC01E035A)
+#define STATUS_GRAPHICS_INVALID_CLIENT_TYPE cpu_to_le32(0xC01E035B)
+#define STATUS_GRAPHICS_CLIENTVIDPN_NOT_SET cpu_to_le32(0xC01E035C)
+#define STATUS_GRAPHICS_SPECIFIED_CHILD_ALREADY_CONNECTED \
+ cpu_to_le32(0xC01E0400)
+#define STATUS_GRAPHICS_CHILD_DESCRIPTOR_NOT_SUPPORTED cpu_to_le32(0xC01E0401)
+#define STATUS_GRAPHICS_NOT_A_LINKED_ADAPTER cpu_to_le32(0xC01E0430)
+#define STATUS_GRAPHICS_LEADLINK_NOT_ENUMERATED cpu_to_le32(0xC01E0431)
+#define STATUS_GRAPHICS_CHAINLINKS_NOT_ENUMERATED cpu_to_le32(0xC01E0432)
+#define STATUS_GRAPHICS_ADAPTER_CHAIN_NOT_READY cpu_to_le32(0xC01E0433)
+#define STATUS_GRAPHICS_CHAINLINKS_NOT_STARTED cpu_to_le32(0xC01E0434)
+#define STATUS_GRAPHICS_CHAINLINKS_NOT_POWERED_ON cpu_to_le32(0xC01E0435)
+#define STATUS_GRAPHICS_INCONSISTENT_DEVICE_LINK_STATE cpu_to_le32(0xC01E0436)
+#define STATUS_GRAPHICS_NOT_POST_DEVICE_DRIVER cpu_to_le32(0xC01E0438)
+#define STATUS_GRAPHICS_ADAPTER_ACCESS_NOT_EXCLUDED cpu_to_le32(0xC01E043B)
+#define STATUS_GRAPHICS_OPM_PROTECTED_OUTPUT_DOES_NOT_HAVE_COPP_SEMANTICS \
+ cpu_to_le32(0xC01E051C)
+#define STATUS_GRAPHICS_OPM_INVALID_INFORMATION_REQUEST cpu_to_le32(0xC01E051D)
+#define STATUS_GRAPHICS_OPM_DRIVER_INTERNAL_ERROR cpu_to_le32(0xC01E051E)
+#define STATUS_GRAPHICS_OPM_PROTECTED_OUTPUT_DOES_NOT_HAVE_OPM_SEMANTICS \
+ cpu_to_le32(0xC01E051F)
+#define STATUS_GRAPHICS_OPM_SIGNALING_NOT_SUPPORTED cpu_to_le32(0xC01E0520)
+#define STATUS_GRAPHICS_OPM_INVALID_CONFIGURATION_REQUEST \
+ cpu_to_le32(0xC01E0521)
+#define STATUS_GRAPHICS_OPM_NOT_SUPPORTED cpu_to_le32(0xC01E0500)
+#define STATUS_GRAPHICS_COPP_NOT_SUPPORTED cpu_to_le32(0xC01E0501)
+#define STATUS_GRAPHICS_UAB_NOT_SUPPORTED cpu_to_le32(0xC01E0502)
+#define STATUS_GRAPHICS_OPM_INVALID_ENCRYPTED_PARAMETERS cpu_to_le32(0xC01E0503)
+#define STATUS_GRAPHICS_OPM_PARAMETER_ARRAY_TOO_SMALL cpu_to_le32(0xC01E0504)
+#define STATUS_GRAPHICS_OPM_NO_PROTECTED_OUTPUTS_EXIST cpu_to_le32(0xC01E0505)
+#define STATUS_GRAPHICS_PVP_NO_DISPLAY_DEVICE_CORRESPONDS_TO_NAME \
+ cpu_to_le32(0xC01E0506)
+#define STATUS_GRAPHICS_PVP_DISPLAY_DEVICE_NOT_ATTACHED_TO_DESKTOP \
+ cpu_to_le32(0xC01E0507)
+#define STATUS_GRAPHICS_PVP_MIRRORING_DEVICES_NOT_SUPPORTED \
+ cpu_to_le32(0xC01E0508)
+#define STATUS_GRAPHICS_OPM_INVALID_POINTER cpu_to_le32(0xC01E050A)
+#define STATUS_GRAPHICS_OPM_INTERNAL_ERROR cpu_to_le32(0xC01E050B)
+#define STATUS_GRAPHICS_OPM_INVALID_HANDLE cpu_to_le32(0xC01E050C)
+#define STATUS_GRAPHICS_PVP_NO_MONITORS_CORRESPOND_TO_DISPLAY_DEVICE \
+ cpu_to_le32(0xC01E050D)
+#define STATUS_GRAPHICS_PVP_INVALID_CERTIFICATE_LENGTH cpu_to_le32(0xC01E050E)
+#define STATUS_GRAPHICS_OPM_SPANNING_MODE_ENABLED cpu_to_le32(0xC01E050F)
+#define STATUS_GRAPHICS_OPM_THEATER_MODE_ENABLED cpu_to_le32(0xC01E0510)
+#define STATUS_GRAPHICS_PVP_HFS_FAILED cpu_to_le32(0xC01E0511)
+#define STATUS_GRAPHICS_OPM_INVALID_SRM cpu_to_le32(0xC01E0512)
+#define STATUS_GRAPHICS_OPM_OUTPUT_DOES_NOT_SUPPORT_HDCP cpu_to_le32(0xC01E0513)
+#define STATUS_GRAPHICS_OPM_OUTPUT_DOES_NOT_SUPPORT_ACP cpu_to_le32(0xC01E0514)
+#define STATUS_GRAPHICS_OPM_OUTPUT_DOES_NOT_SUPPORT_CGMSA \
+ cpu_to_le32(0xC01E0515)
+#define STATUS_GRAPHICS_OPM_HDCP_SRM_NEVER_SET cpu_to_le32(0xC01E0516)
+#define STATUS_GRAPHICS_OPM_RESOLUTION_TOO_HIGH cpu_to_le32(0xC01E0517)
+#define STATUS_GRAPHICS_OPM_ALL_HDCP_HARDWARE_ALREADY_IN_USE \
+ cpu_to_le32(0xC01E0518)
+#define STATUS_GRAPHICS_OPM_PROTECTED_OUTPUT_NO_LONGER_EXISTS \
+ cpu_to_le32(0xC01E051A)
+#define STATUS_GRAPHICS_OPM_SESSION_TYPE_CHANGE_IN_PROGRESS \
+ cpu_to_le32(0xC01E051B)
+#define STATUS_GRAPHICS_I2C_NOT_SUPPORTED cpu_to_le32(0xC01E0580)
+#define STATUS_GRAPHICS_I2C_DEVICE_DOES_NOT_EXIST cpu_to_le32(0xC01E0581)
+#define STATUS_GRAPHICS_I2C_ERROR_TRANSMITTING_DATA cpu_to_le32(0xC01E0582)
+#define STATUS_GRAPHICS_I2C_ERROR_RECEIVING_DATA cpu_to_le32(0xC01E0583)
+#define STATUS_GRAPHICS_DDCCI_VCP_NOT_SUPPORTED cpu_to_le32(0xC01E0584)
+#define STATUS_GRAPHICS_DDCCI_INVALID_DATA cpu_to_le32(0xC01E0585)
+#define STATUS_GRAPHICS_DDCCI_MONITOR_RETURNED_INVALID_TIMING_STATUS_BYTE \
+ cpu_to_le32(0xC01E0586)
+#define STATUS_GRAPHICS_DDCCI_INVALID_CAPABILITIES_STRING \
+ cpu_to_le32(0xC01E0587)
+#define STATUS_GRAPHICS_MCA_INTERNAL_ERROR cpu_to_le32(0xC01E0588)
+#define STATUS_GRAPHICS_DDCCI_INVALID_MESSAGE_COMMAND cpu_to_le32(0xC01E0589)
+#define STATUS_GRAPHICS_DDCCI_INVALID_MESSAGE_LENGTH cpu_to_le32(0xC01E058A)
+#define STATUS_GRAPHICS_DDCCI_INVALID_MESSAGE_CHECKSUM cpu_to_le32(0xC01E058B)
+#define STATUS_GRAPHICS_INVALID_PHYSICAL_MONITOR_HANDLE cpu_to_le32(0xC01E058C)
+#define STATUS_GRAPHICS_MONITOR_NO_LONGER_EXISTS cpu_to_le32(0xC01E058D)
+#define STATUS_GRAPHICS_ONLY_CONSOLE_SESSION_SUPPORTED cpu_to_le32(0xC01E05E0)
+#define STATUS_GRAPHICS_NO_DISPLAY_DEVICE_CORRESPONDS_TO_NAME \
+ cpu_to_le32(0xC01E05E1)
+#define STATUS_GRAPHICS_DISPLAY_DEVICE_NOT_ATTACHED_TO_DESKTOP \
+ cpu_to_le32(0xC01E05E2)
+#define STATUS_GRAPHICS_MIRRORING_DEVICES_NOT_SUPPORTED cpu_to_le32(0xC01E05E3)
+#define STATUS_GRAPHICS_INVALID_POINTER cpu_to_le32(0xC01E05E4)
+#define STATUS_GRAPHICS_NO_MONITORS_CORRESPOND_TO_DISPLAY_DEVICE \
+ cpu_to_le32(0xC01E05E5)
+#define STATUS_GRAPHICS_PARAMETER_ARRAY_TOO_SMALL cpu_to_le32(0xC01E05E6)
+#define STATUS_GRAPHICS_INTERNAL_ERROR cpu_to_le32(0xC01E05E7)
+#define STATUS_GRAPHICS_SESSION_TYPE_CHANGE_IN_PROGRESS cpu_to_le32(0xC01E05E8)
+#define STATUS_FVE_LOCKED_VOLUME cpu_to_le32(0xC0210000)
+#define STATUS_FVE_NOT_ENCRYPTED cpu_to_le32(0xC0210001)
+#define STATUS_FVE_BAD_INFORMATION cpu_to_le32(0xC0210002)
+#define STATUS_FVE_TOO_SMALL cpu_to_le32(0xC0210003)
+#define STATUS_FVE_FAILED_WRONG_FS cpu_to_le32(0xC0210004)
+#define STATUS_FVE_FAILED_BAD_FS cpu_to_le32(0xC0210005)
+#define STATUS_FVE_FS_NOT_EXTENDED cpu_to_le32(0xC0210006)
+#define STATUS_FVE_FS_MOUNTED cpu_to_le32(0xC0210007)
+#define STATUS_FVE_NO_LICENSE cpu_to_le32(0xC0210008)
+#define STATUS_FVE_ACTION_NOT_ALLOWED cpu_to_le32(0xC0210009)
+#define STATUS_FVE_BAD_DATA cpu_to_le32(0xC021000A)
+#define STATUS_FVE_VOLUME_NOT_BOUND cpu_to_le32(0xC021000B)
+#define STATUS_FVE_NOT_DATA_VOLUME cpu_to_le32(0xC021000C)
+#define STATUS_FVE_CONV_READ_ERROR cpu_to_le32(0xC021000D)
+#define STATUS_FVE_CONV_WRITE_ERROR cpu_to_le32(0xC021000E)
+#define STATUS_FVE_OVERLAPPED_UPDATE cpu_to_le32(0xC021000F)
+#define STATUS_FVE_FAILED_SECTOR_SIZE cpu_to_le32(0xC0210010)
+#define STATUS_FVE_FAILED_AUTHENTICATION cpu_to_le32(0xC0210011)
+#define STATUS_FVE_NOT_OS_VOLUME cpu_to_le32(0xC0210012)
+#define STATUS_FVE_KEYFILE_NOT_FOUND cpu_to_le32(0xC0210013)
+#define STATUS_FVE_KEYFILE_INVALID cpu_to_le32(0xC0210014)
+#define STATUS_FVE_KEYFILE_NO_VMK cpu_to_le32(0xC0210015)
+#define STATUS_FVE_TPM_DISABLED cpu_to_le32(0xC0210016)
+#define STATUS_FVE_TPM_SRK_AUTH_NOT_ZERO cpu_to_le32(0xC0210017)
+#define STATUS_FVE_TPM_INVALID_PCR cpu_to_le32(0xC0210018)
+#define STATUS_FVE_TPM_NO_VMK cpu_to_le32(0xC0210019)
+#define STATUS_FVE_PIN_INVALID cpu_to_le32(0xC021001A)
+#define STATUS_FVE_AUTH_INVALID_APPLICATION cpu_to_le32(0xC021001B)
+#define STATUS_FVE_AUTH_INVALID_CONFIG cpu_to_le32(0xC021001C)
+#define STATUS_FVE_DEBUGGER_ENABLED cpu_to_le32(0xC021001D)
+#define STATUS_FVE_DRY_RUN_FAILED cpu_to_le32(0xC021001E)
+#define STATUS_FVE_BAD_METADATA_POINTER cpu_to_le32(0xC021001F)
+#define STATUS_FVE_OLD_METADATA_COPY cpu_to_le32(0xC0210020)
+#define STATUS_FVE_REBOOT_REQUIRED cpu_to_le32(0xC0210021)
+#define STATUS_FVE_RAW_ACCESS cpu_to_le32(0xC0210022)
+#define STATUS_FVE_RAW_BLOCKED cpu_to_le32(0xC0210023)
+#define STATUS_FWP_CALLOUT_NOT_FOUND cpu_to_le32(0xC0220001)
+#define STATUS_FWP_CONDITION_NOT_FOUND cpu_to_le32(0xC0220002)
+#define STATUS_FWP_FILTER_NOT_FOUND cpu_to_le32(0xC0220003)
+#define STATUS_FWP_LAYER_NOT_FOUND cpu_to_le32(0xC0220004)
+#define STATUS_FWP_PROVIDER_NOT_FOUND cpu_to_le32(0xC0220005)
+#define STATUS_FWP_PROVIDER_CONTEXT_NOT_FOUND cpu_to_le32(0xC0220006)
+#define STATUS_FWP_SUBLAYER_NOT_FOUND cpu_to_le32(0xC0220007)
+#define STATUS_FWP_NOT_FOUND cpu_to_le32(0xC0220008)
+#define STATUS_FWP_ALREADY_EXISTS cpu_to_le32(0xC0220009)
+#define STATUS_FWP_IN_USE cpu_to_le32(0xC022000A)
+#define STATUS_FWP_DYNAMIC_SESSION_IN_PROGRESS cpu_to_le32(0xC022000B)
+#define STATUS_FWP_WRONG_SESSION cpu_to_le32(0xC022000C)
+#define STATUS_FWP_NO_TXN_IN_PROGRESS cpu_to_le32(0xC022000D)
+#define STATUS_FWP_TXN_IN_PROGRESS cpu_to_le32(0xC022000E)
+#define STATUS_FWP_TXN_ABORTED cpu_to_le32(0xC022000F)
+#define STATUS_FWP_SESSION_ABORTED cpu_to_le32(0xC0220010)
+#define STATUS_FWP_INCOMPATIBLE_TXN cpu_to_le32(0xC0220011)
+#define STATUS_FWP_TIMEOUT cpu_to_le32(0xC0220012)
+#define STATUS_FWP_NET_EVENTS_DISABLED cpu_to_le32(0xC0220013)
+#define STATUS_FWP_INCOMPATIBLE_LAYER cpu_to_le32(0xC0220014)
+#define STATUS_FWP_KM_CLIENTS_ONLY cpu_to_le32(0xC0220015)
+#define STATUS_FWP_LIFETIME_MISMATCH cpu_to_le32(0xC0220016)
+#define STATUS_FWP_BUILTIN_OBJECT cpu_to_le32(0xC0220017)
+#define STATUS_FWP_TOO_MANY_BOOTTIME_FILTERS cpu_to_le32(0xC0220018)
+#define STATUS_FWP_TOO_MANY_CALLOUTS cpu_to_le32(0xC0220018)
+#define STATUS_FWP_NOTIFICATION_DROPPED cpu_to_le32(0xC0220019)
+#define STATUS_FWP_TRAFFIC_MISMATCH cpu_to_le32(0xC022001A)
+#define STATUS_FWP_INCOMPATIBLE_SA_STATE cpu_to_le32(0xC022001B)
+#define STATUS_FWP_NULL_POINTER cpu_to_le32(0xC022001C)
+#define STATUS_FWP_INVALID_ENUMERATOR cpu_to_le32(0xC022001D)
+#define STATUS_FWP_INVALID_FLAGS cpu_to_le32(0xC022001E)
+#define STATUS_FWP_INVALID_NET_MASK cpu_to_le32(0xC022001F)
+#define STATUS_FWP_INVALID_RANGE cpu_to_le32(0xC0220020)
+#define STATUS_FWP_INVALID_INTERVAL cpu_to_le32(0xC0220021)
+#define STATUS_FWP_ZERO_LENGTH_ARRAY cpu_to_le32(0xC0220022)
+#define STATUS_FWP_NULL_DISPLAY_NAME cpu_to_le32(0xC0220023)
+#define STATUS_FWP_INVALID_ACTION_TYPE cpu_to_le32(0xC0220024)
+#define STATUS_FWP_INVALID_WEIGHT cpu_to_le32(0xC0220025)
+#define STATUS_FWP_MATCH_TYPE_MISMATCH cpu_to_le32(0xC0220026)
+#define STATUS_FWP_TYPE_MISMATCH cpu_to_le32(0xC0220027)
+#define STATUS_FWP_OUT_OF_BOUNDS cpu_to_le32(0xC0220028)
+#define STATUS_FWP_RESERVED cpu_to_le32(0xC0220029)
+#define STATUS_FWP_DUPLICATE_CONDITION cpu_to_le32(0xC022002A)
+#define STATUS_FWP_DUPLICATE_KEYMOD cpu_to_le32(0xC022002B)
+#define STATUS_FWP_ACTION_INCOMPATIBLE_WITH_LAYER cpu_to_le32(0xC022002C)
+#define STATUS_FWP_ACTION_INCOMPATIBLE_WITH_SUBLAYER cpu_to_le32(0xC022002D)
+#define STATUS_FWP_CONTEXT_INCOMPATIBLE_WITH_LAYER cpu_to_le32(0xC022002E)
+#define STATUS_FWP_CONTEXT_INCOMPATIBLE_WITH_CALLOUT cpu_to_le32(0xC022002F)
+#define STATUS_FWP_INCOMPATIBLE_AUTH_METHOD cpu_to_le32(0xC0220030)
+#define STATUS_FWP_INCOMPATIBLE_DH_GROUP cpu_to_le32(0xC0220031)
+#define STATUS_FWP_EM_NOT_SUPPORTED cpu_to_le32(0xC0220032)
+#define STATUS_FWP_NEVER_MATCH cpu_to_le32(0xC0220033)
+#define STATUS_FWP_PROVIDER_CONTEXT_MISMATCH cpu_to_le32(0xC0220034)
+#define STATUS_FWP_INVALID_PARAMETER cpu_to_le32(0xC0220035)
+#define STATUS_FWP_TOO_MANY_SUBLAYERS cpu_to_le32(0xC0220036)
+#define STATUS_FWP_CALLOUT_NOTIFICATION_FAILED cpu_to_le32(0xC0220037)
+#define STATUS_FWP_INCOMPATIBLE_AUTH_CONFIG cpu_to_le32(0xC0220038)
+#define STATUS_FWP_INCOMPATIBLE_CIPHER_CONFIG cpu_to_le32(0xC0220039)
+#define STATUS_FWP_TCPIP_NOT_READY cpu_to_le32(0xC0220100)
+#define STATUS_FWP_INJECT_HANDLE_CLOSING cpu_to_le32(0xC0220101)
+#define STATUS_FWP_INJECT_HANDLE_STALE cpu_to_le32(0xC0220102)
+#define STATUS_FWP_CANNOT_PEND cpu_to_le32(0xC0220103)
+#define STATUS_NDIS_CLOSING cpu_to_le32(0xC0230002)
+#define STATUS_NDIS_BAD_VERSION cpu_to_le32(0xC0230004)
+#define STATUS_NDIS_BAD_CHARACTERISTICS cpu_to_le32(0xC0230005)
+#define STATUS_NDIS_ADAPTER_NOT_FOUND cpu_to_le32(0xC0230006)
+#define STATUS_NDIS_OPEN_FAILED cpu_to_le32(0xC0230007)
+#define STATUS_NDIS_DEVICE_FAILED cpu_to_le32(0xC0230008)
+#define STATUS_NDIS_MULTICAST_FULL cpu_to_le32(0xC0230009)
+#define STATUS_NDIS_MULTICAST_EXISTS cpu_to_le32(0xC023000A)
+#define STATUS_NDIS_MULTICAST_NOT_FOUND cpu_to_le32(0xC023000B)
+#define STATUS_NDIS_REQUEST_ABORTED cpu_to_le32(0xC023000C)
+#define STATUS_NDIS_RESET_IN_PROGRESS cpu_to_le32(0xC023000D)
+#define STATUS_NDIS_INVALID_PACKET cpu_to_le32(0xC023000F)
+#define STATUS_NDIS_INVALID_DEVICE_REQUEST cpu_to_le32(0xC0230010)
+#define STATUS_NDIS_ADAPTER_NOT_READY cpu_to_le32(0xC0230011)
+#define STATUS_NDIS_INVALID_LENGTH cpu_to_le32(0xC0230014)
+#define STATUS_NDIS_INVALID_DATA cpu_to_le32(0xC0230015)
+#define STATUS_NDIS_BUFFER_TOO_SHORT cpu_to_le32(0xC0230016)
+#define STATUS_NDIS_INVALID_OID cpu_to_le32(0xC0230017)
+#define STATUS_NDIS_ADAPTER_REMOVED cpu_to_le32(0xC0230018)
+#define STATUS_NDIS_UNSUPPORTED_MEDIA cpu_to_le32(0xC0230019)
+#define STATUS_NDIS_GROUP_ADDRESS_IN_USE cpu_to_le32(0xC023001A)
+#define STATUS_NDIS_FILE_NOT_FOUND cpu_to_le32(0xC023001B)
+#define STATUS_NDIS_ERROR_READING_FILE cpu_to_le32(0xC023001C)
+#define STATUS_NDIS_ALREADY_MAPPED cpu_to_le32(0xC023001D)
+#define STATUS_NDIS_RESOURCE_CONFLICT cpu_to_le32(0xC023001E)
+#define STATUS_NDIS_MEDIA_DISCONNECTED cpu_to_le32(0xC023001F)
+#define STATUS_NDIS_INVALID_ADDRESS cpu_to_le32(0xC0230022)
+#define STATUS_NDIS_PAUSED cpu_to_le32(0xC023002A)
+#define STATUS_NDIS_INTERFACE_NOT_FOUND cpu_to_le32(0xC023002B)
+#define STATUS_NDIS_UNSUPPORTED_REVISION cpu_to_le32(0xC023002C)
+#define STATUS_NDIS_INVALID_PORT cpu_to_le32(0xC023002D)
+#define STATUS_NDIS_INVALID_PORT_STATE cpu_to_le32(0xC023002E)
+#define STATUS_NDIS_LOW_POWER_STATE cpu_to_le32(0xC023002F)
+#define STATUS_NDIS_NOT_SUPPORTED cpu_to_le32(0xC02300BB)
+#define STATUS_NDIS_DOT11_AUTO_CONFIG_ENABLED cpu_to_le32(0xC0232000)
+#define STATUS_NDIS_DOT11_MEDIA_IN_USE cpu_to_le32(0xC0232001)
+#define STATUS_NDIS_DOT11_POWER_STATE_INVALID cpu_to_le32(0xC0232002)
+#define STATUS_IPSEC_BAD_SPI cpu_to_le32(0xC0360001)
+#define STATUS_IPSEC_SA_LIFETIME_EXPIRED cpu_to_le32(0xC0360002)
+#define STATUS_IPSEC_WRONG_SA cpu_to_le32(0xC0360003)
+#define STATUS_IPSEC_REPLAY_CHECK_FAILED cpu_to_le32(0xC0360004)
+#define STATUS_IPSEC_INVALID_PACKET cpu_to_le32(0xC0360005)
+#define STATUS_IPSEC_INTEGRITY_CHECK_FAILED cpu_to_le32(0xC0360006)
+#define STATUS_IPSEC_CLEAR_TEXT_DROP cpu_to_le32(0xC0360007)
+
+#define STATUS_NO_PREAUTH_INTEGRITY_HASH_OVERLAP cpu_to_le32(0xC05D0000)
+#define STATUS_INVALID_LOCK_RANGE cpu_to_le32(0xC00001a1)
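Review bot: STATUS_FWP_TOO_MANY_BOOTTIME_FILTERS and STATUS_FWP_TOO_MANY_CALLOUTS are both defined as cpu_to_le32(0xC0220018), so a received status with that value cannot be mapped back to a single name by any value-to-name lookup built from this header. If the shared value is intended, a one-line comment saying so would keep the next reader from treating it as a copy-paste slip; if it is not, one of the two needs correcting. Two smaller ordering and style points in the same hunk: the 0xC01E051C to 0xC01E0521 OPM entries are listed ahead of 0xC01E0500, and the trailing STATUS_INVALID_LOCK_RANGE uses lowercase hex digits (0xC00001a1) and sits at the very end of the list, out of numeric order.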
diff --git a/fs/cifsd/time_wrappers.h b/fs/cifsd/time_wrappers.h
new file mode 100644
index 000000000000..a702ca96947e
--- /dev/null
+++ b/fs/cifsd/time_wrappers.h
@@ -0,0 +1,34 @@
+/* SPDX-License-Identifier: GPL-2.0-or-later */
+/*
+ * Copyright (C) 2019 Samsung Electronics Co., Ltd.
+ */
+
+#ifndef __KSMBD_TIME_WRAPPERS_H
+#define __KSMBD_TIME_WRAPPERS_H
+
+/*
+ * A bunch of ugly hacks to workaoround all the API differences
+ * between different kernel versions.
+ */
+
+#define NTFS_TIME_OFFSET ((u64)(369*365 + 89) * 24 * 3600 * 10000000)
+
+/* Convert the Unix UTC into NT UTC. */
+static inline u64 ksmbd_UnixTimeToNT(struct timespec64 t)
+{
+ /* Convert to 100ns intervals and then add the NTFS time offset. */
+ return (u64) t.tv_sec * 10000000 + t.tv_nsec / 100 + NTFS_TIME_OFFSET;
+}
+
+struct timespec64 ksmbd_NTtimeToUnix(__le64 ntutc);
+
+#define KSMBD_TIME_TO_TM time64_to_tm
+
+static inline long long ksmbd_systime(void)
+{
+ struct timespec64 ts;
+
+ ktime_get_real_ts64(&ts);
+ return ksmbd_UnixTimeToNT(ts);
+}
+#endif /* __KSMBD_TIME_WRAPPERS_H */
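Review bot: ksmbd_systime() is declared to return long long but returns the u64 produced by ksmbd_UnixTimeToNT(), so the NT timestamp changes signedness at the call boundary; declare it as u64 to match. The header comment describes hacks for API differences between kernel versions, which does not fit a file added in-tree: KSMBD_TIME_TO_TM is a plain alias for time64_to_tm, callers can use that directly, and the comment (with its "workaoround" typo) can go. The header also uses struct timespec64 and ktime_get_real_ts64() without including the headers that declare them, so it only builds when the including file happens to pull them in first.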
diff --git a/fs/cifsd/unicode.c b/fs/cifsd/unicode.c
new file mode 100644
index 000000000000..22a4d10a2000
--- /dev/null
+++ b/fs/cifsd/unicode.c
@@ -0,0 +1,391 @@
+// SPDX-License-Identifier: GPL-2.0-or-later
+/*
+ * Some of the source code in this file came from fs/cifs/cifs_unicode.c
+ *
+ * Copyright (c) International Business Machines Corp., 2000,2009
+ * Modified by Steve French (sfrench(a)us.ibm.com)
+ * Modified by Namjae Jeon (linkinjeon(a)kernel.org)
+ */
+#include <linux/fs.h>
+#include <linux/slab.h>
+#include <asm/unaligned.h>
+#include "glob.h"
+#include "unicode.h"
+#include "uniupr.h"
+#include "smb_common.h"
+
+/*
+ * smb_utf16_bytes() - how long will a string be after conversion?
+ * @from: pointer to input string
+ * @maxbytes: don't go past this many bytes of input string
+ * @codepage: destination codepage
+ *
+ * Walk a utf16le string and return the number of bytes that the string will
+ * be after being converted to the given charset, not including any null
+ * termination required. Don't walk past maxbytes in the source buffer.
+ *
+ * Return: string length after conversion
+ */
+static int smb_utf16_bytes(const __le16 *from,
+ int maxbytes,
+ const struct nls_table *codepage)
+{
+ int i;
+ int charlen, outlen = 0;
+ int maxwords = maxbytes / 2;
+ char tmp[NLS_MAX_CHARSET_SIZE];
+ __u16 ftmp;
+
+ for (i = 0; i < maxwords; i++) {
+ ftmp = get_unaligned_le16(&from[i]);
+ if (ftmp == 0)
+ break;
+
+ charlen = codepage->uni2char(ftmp, tmp, NLS_MAX_CHARSET_SIZE);
+ if (charlen > 0)
+ outlen += charlen;
+ else
+ outlen++;
+ }
+
+ return outlen;
+}
+
+/*
+ * cifs_mapchar() - convert a host-endian char to proper char in codepage
+ * @target: where converted character should be copied
+ * @src_char: 2 byte host-endian source character
+ * @cp: codepage to which character should be converted
+ * @mapchar: should character be mapped according to mapchars mount option?
+ *
+ * This function handles the conversion of a single character. It is the
+ * responsibility of the caller to ensure that the target buffer is large
+ * enough to hold the result of the conversion (at least NLS_MAX_CHARSET_SIZE).
+ *
+ * Return: string length after conversion
+ */
+static int
+cifs_mapchar(char *target, const __u16 src_char, const struct nls_table *cp,
+ bool mapchar)
+{
+ int len = 1;
+
+ if (!mapchar)
+ goto cp_convert;
+
+ /*
+ * BB: Cannot handle remapping UNI_SLASH until all the calls to
+ * build_path_from_dentry are modified, as they use slash as
+ * separator.
+ */
+ switch (src_char) {
+ case UNI_COLON:
+ *target = ':';
+ break;
+ case UNI_ASTERISK:
+ *target = '*';
+ break;
+ case UNI_QUESTION:
+ *target = '?';
+ break;
+ case UNI_PIPE:
+ *target = '|';
+ break;
+ case UNI_GRTRTHAN:
+ *target = '>';
+ break;
+ case UNI_LESSTHAN:
+ *target = '<';
+ break;
+ default:
+ goto cp_convert;
+ }
+
+out:
+ return len;
+
+cp_convert:
+ len = cp->uni2char(src_char, target, NLS_MAX_CHARSET_SIZE);
+ if (len <= 0) {
+ *target = '?';
+ len = 1;
+ }
+
+ goto out;
+}
+
+/*
+ * is_char_allowed() - check for valid character
+ * @ch: input character to be checked
+ *
+ * Return: 1 if char is allowed, otherwise 0
+ */
+static inline int is_char_allowed(char *ch)
+{
+ /* check for control chars, wildcards etc. */
+ if (!(*ch & 0x80) &&
+ (*ch <= 0x1f ||
+ *ch == '?' || *ch == '"' || *ch == '<' ||
+ *ch == '>' || *ch == '|'))
+ return 0;
+
+ return 1;
+}
+
+/*
+ * smb_from_utf16() - convert utf16le string to local charset
+ * @to: destination buffer
+ * @from: source buffer
+ * @tolen: destination buffer size (in bytes)
+ * @fromlen: source buffer size (in bytes)
+ * @codepage: codepage to which characters should be converted
+ * @mapchar: should characters be remapped according to the mapchars option?
+ *
+ * Convert a little-endian utf16le string (as sent by the server) to a string
+ * in the provided codepage. The tolen and fromlen parameters are to ensure
+ * that the code doesn't walk off of the end of the buffer (which is always
+ * a danger if the alignment of the source buffer is off). The destination
+ * string is always properly null terminated and fits in the destination
+ * buffer. Returns the length of the destination string in bytes (including
+ * null terminator).
+ *
+ * Note that some windows versions actually send multiword UTF-16 characters
+ * instead of straight UTF16-2. The linux nls routines however aren't able to
+ * deal with those characters properly. In the event that we get some of
+ * those characters, they won't be translated properly.
+ *
+ * Return: string length after conversion
+ */
+static int smb_from_utf16(char *to,
+ const __le16 *from,
+ int tolen,
+ int fromlen,
+ const struct nls_table *codepage,
+ bool mapchar)
+{
+ int i, charlen, safelen;
+ int outlen = 0;
+ int nullsize = nls_nullsize(codepage);
+ int fromwords = fromlen / 2;
+ char tmp[NLS_MAX_CHARSET_SIZE];
+ __u16 ftmp;
+
+ /*
+ * because the chars can be of varying widths, we need to take care
+ * not to overflow the destination buffer when we get close to the
+ * end of it. Until we get to this offset, we don't need to check
+ * for overflow however.
+ */
+ safelen = tolen - (NLS_MAX_CHARSET_SIZE + nullsize);
+
+ for (i = 0; i < fromwords; i++) {
+ ftmp = get_unaligned_le16(&from[i]);
+ if (ftmp == 0)
+ break;
+
+ /*
+ * check to see if converting this character might make the
+ * conversion bleed into the null terminator
+ */
+ if (outlen >= safelen) {
+ charlen = cifs_mapchar(tmp, ftmp, codepage, mapchar);
+ if ((outlen + charlen) > (tolen - nullsize))
+ break;
+ }
+
+ /* put converted char into 'to' buffer */
+ charlen = cifs_mapchar(&to[outlen], ftmp, codepage, mapchar);
+ outlen += charlen;
+ }
+
+ /* properly null-terminate string */
+ for (i = 0; i < nullsize; i++)
+ to[outlen++] = 0;
+
+ return outlen;
+}
+
+/*
+ * smb_strtoUTF16() - Convert character string to unicode string
+ * @to: destination buffer
+ * @from: source buffer
+ * @len: destination buffer size (in bytes)
+ * @codepage: codepage to which characters should be converted
+ *
+ * Return: string length after conversion
+ */
+int
+smb_strtoUTF16(__le16 *to, const char *from, int len,
+ const struct nls_table *codepage)
+{
+ int charlen;
+ int i;
+ wchar_t wchar_to; /* needed to quiet sparse */
+
+ /* special case for utf8 to handle no plane0 chars */
+ if (!strcmp(codepage->charset, "utf8")) {
+ /*
+ * convert utf8 -> utf16, we assume we have enough space
+ * as caller should have assumed conversion does not overflow
+ * in destination len is length in wchar_t units (16bits)
+ */
+ i = utf8s_to_utf16s(from, len, UTF16_LITTLE_ENDIAN,
+ (wchar_t *) to, len);
+
+ /* if success terminate and exit */
+ if (i >= 0)
+ goto success;
+ /*
+ * if fails fall back to UCS encoding as this
+ * function should not return negative values
+ * currently can fail only if source contains
+ * invalid encoded characters
+ */
+ }
+
+ for (i = 0; len > 0 && *from; i++, from += charlen, len -= charlen) {
+ charlen = codepage->char2uni(from, len, &wchar_to);
+ if (charlen < 1) {
+ /* A question mark */
+ wchar_to = 0x003f;
+ charlen = 1;
+ }
+ put_unaligned_le16(wchar_to, &to[i]);
+ }
+
+success:
+ put_unaligned_le16(0, &to[i]);
+ return i;
+}
+
+/*
+ * smb_strndup_from_utf16() - copy a string from wire format to the local
+ * codepage
+ * @src: source string
+ * @maxlen: don't walk past this many bytes in the source string
+ * @is_unicode: is this a unicode string?
+ * @codepage: destination codepage
+ *
+ * Take a string given by the server, convert it to the local codepage and
+ * put it in a new buffer. Returns a pointer to the new string or NULL on
+ * error.
+ *
+ * Return: destination string buffer or error ptr
+ */
+char *
+smb_strndup_from_utf16(const char *src, const int maxlen,
+ const bool is_unicode, const struct nls_table *codepage)
+{
+ int len, ret;
+ char *dst;
+
+ if (is_unicode) {
+ len = smb_utf16_bytes((__le16 *) src, maxlen, codepage);
+ len += nls_nullsize(codepage);
+ dst = kmalloc(len, GFP_KERNEL);
+ if (!dst)
+ return ERR_PTR(-ENOMEM);
+ ret = smb_from_utf16(dst, (__le16 *) src, len, maxlen, codepage,
+ false);
+ if (ret < 0) {
+ kfree(dst);
+ return ERR_PTR(-EINVAL);
+ }
+ } else {
+ len = strnlen(src, maxlen);
+ len++;
+ dst = kmalloc(len, GFP_KERNEL);
+ if (!dst)
+ return ERR_PTR(-ENOMEM);
+ strscpy(dst, src, len);
+ }
+
+ return dst;
+}
+
+/*
+ * Convert 16 bit Unicode pathname to wire format from string in current code
+ * page. Conversion may involve remapping up the six characters that are
+ * only legal in POSIX-like OS (if they are present in the string). Path
+ * names are little endian 16 bit Unicode on the wire
+ */
+/*
+ * smbConvertToUTF16() - convert string from local charset to utf16
+ * @target: destination buffer
+ * @source: source buffer
+ * @srclen: source buffer size (in bytes)
+ * @cp: codepage to which characters should be converted
+ * @mapchar: should characters be remapped according to the mapchars option?
+ *
+ * Convert 16 bit Unicode pathname to wire format from string in current code
+ * page. Conversion may involve remapping up the six characters that are
+ * only legal in POSIX-like OS (if they are present in the string). Path
+ * names are little endian 16 bit Unicode on the wire
+ *
+ * Return: char length after conversion
+ */
+int
+smbConvertToUTF16(__le16 *target, const char *source, int srclen,
+ const struct nls_table *cp, int mapchars)
+{
+ int i, j, charlen;
+ char src_char;
+ __le16 dst_char;
+ wchar_t tmp;
+
+ if (!mapchars)
+ return smb_strtoUTF16(target, source, srclen, cp);
+
+ for (i = 0, j = 0; i < srclen; j++) {
+ src_char = source[i];
+ charlen = 1;
+ switch (src_char) {
+ case 0:
+ put_unaligned(0, &target[j]);
+ return j;
+ case ':':
+ dst_char = cpu_to_le16(UNI_COLON);
+ break;
+ case '*':
+ dst_char = cpu_to_le16(UNI_ASTERISK);
+ break;
+ case '?':
+ dst_char = cpu_to_le16(UNI_QUESTION);
+ break;
+ case '<':
+ dst_char = cpu_to_le16(UNI_LESSTHAN);
+ break;
+ case '>':
+ dst_char = cpu_to_le16(UNI_GRTRTHAN);
+ break;
+ case '|':
+ dst_char = cpu_to_le16(UNI_PIPE);
+ break;
+ /*
+ * FIXME: We can not handle remapping backslash (UNI_SLASH)
+ * until all the calls to build_path_from_dentry are modified,
+ * as they use backslash as separator.
+ */
+ default:
+ charlen = cp->char2uni(source + i, srclen - i, &tmp);
+ dst_char = cpu_to_le16(tmp);
+
+ /*
+ * if no match, use question mark, which at least in
+ * some cases serves as wild card
+ */
+ if (charlen < 1) {
+ dst_char = cpu_to_le16(0x003f);
+ charlen = 1;
+ }
+ }
+ /*
+ * character may take more than one byte in the source string,
+ * but will take exactly two bytes in the target string
+ */
+ i += charlen;
+ put_unaligned(dst_char, &target[j]);
+ }
+
+ return j;
+}
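Review bot: In smb_strndup_from_utf16() the kernel-doc says the function returns NULL on error, but both branches return ERR_PTR(-ENOMEM), so a caller written against the comment would test for NULL and then dereference an error pointer; the comment should say ERR_PTR and callers should check with IS_ERR(). The `if (ret < 0)` branch is also unreachable as written, because smb_from_utf16() only returns outlen, which starts at 0 and is only ever incremented. Separately, smb_strtoUTF16() documents @len as the destination buffer size in bytes, yet the code uses it as the source length and as the output limit in 16-bit units, then writes the terminator at to[i] with no bound, so the comment should state that the destination needs len + 1 words.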
diff --git a/fs/cifsd/unicode.h b/fs/cifsd/unicode.h
new file mode 100644
index 000000000000..228a02c9b95d
--- /dev/null
+++ b/fs/cifsd/unicode.h
@@ -0,0 +1,374 @@
+/* SPDX-License-Identifier: GPL-2.0-or-later */
+/*
+ * Some of the source code in this file came from fs/cifs/cifs_unicode.c
+ * cifs_unicode: Unicode kernel case support
+ *
+ * Function:
+ * Convert a unicode character to upper or lower case using
+ * compressed tables.
+ *
+ * Copyright (c) International Business Machines Corp., 2000,2009
+ *
+ *
+ * Notes:
+ * These APIs are based on the C library functions. The semantics
+ * should match the C functions but with expanded size operands.
+ *
+ * The upper/lower functions are based on a table created by mkupr.
+ * This is a compressed table of upper and lower case conversion.
+ *
+ */
+#ifndef _CIFS_UNICODE_H
+#define _CIFS_UNICODE_H
+
+#include <asm/byteorder.h>
+#include <linux/types.h>
+#include <linux/nls.h>
+
+#define UNIUPR_NOLOWER /* Example to not expand lower case tables */
+
+/*
+ * Windows maps these to the user defined 16 bit Unicode range since they are
+ * reserved symbols (along with \ and /), otherwise illegal to store
+ * in filenames in NTFS
+ */
+#define UNI_ASTERISK ((__u16) ('*' + 0xF000))
+#define UNI_QUESTION ((__u16) ('?' + 0xF000))
+#define UNI_COLON ((__u16) (':' + 0xF000))
+#define UNI_GRTRTHAN ((__u16) ('>' + 0xF000))
+#define UNI_LESSTHAN ((__u16) ('<' + 0xF000))
+#define UNI_PIPE ((__u16) ('|' + 0xF000))
+#define UNI_SLASH ((__u16) ('\\' + 0xF000))
+
+/* Just define what we want from uniupr.h. We don't want to define the tables
+ * in each source file.
+ */
+#ifndef UNICASERANGE_DEFINED
+struct UniCaseRange {
+ wchar_t start;
+ wchar_t end;
+ signed char *table;
+};
+#endif /* UNICASERANGE_DEFINED */
+
+#ifndef UNIUPR_NOUPPER
+extern signed char SmbUniUpperTable[512];
+extern const struct UniCaseRange SmbUniUpperRange[];
+#endif /* UNIUPR_NOUPPER */
+
+#ifndef UNIUPR_NOLOWER
+extern signed char CifsUniLowerTable[512];
+extern const struct UniCaseRange CifsUniLowerRange[];
+#endif /* UNIUPR_NOLOWER */
+
+#ifdef __KERNEL__
+int smb_strtoUTF16(__le16 *to, const char *from, int len,
+ const struct nls_table *codepage);
+char *smb_strndup_from_utf16(const char *src, const int maxlen,
+ const bool is_unicode,
+ const struct nls_table *codepage);
+extern int smbConvertToUTF16(__le16 *target, const char *source, int srclen,
+ const struct nls_table *cp, int mapchars);
+extern char *extract_sharename(char *treename);
+#endif
+
+wchar_t cifs_toupper(wchar_t in);
+
+/*
+ * UniStrcat: Concatenate the second string to the first
+ *
+ * Returns:
+ * Address of the first string
+ */
+ static inline wchar_t *
+UniStrcat(wchar_t *ucs1, const wchar_t *ucs2)
+{
+ wchar_t *anchor = ucs1; /* save a pointer to start of ucs1 */
+
+ while (*ucs1++)
+ /*NULL*/; /* To end of first string */
+ ucs1--; /* Return to the null */
+ while ((*ucs1++ = *ucs2++))
+ /*NULL*/; /* copy string 2 over */
+ return anchor;
+}
+
+/*
+ * UniStrchr: Find a character in a string
+ *
+ * Returns:
+ * Address of first occurrence of character in string
+ * or NULL if the character is not in the string
+ */
+ static inline wchar_t *
+UniStrchr(const wchar_t *ucs, wchar_t uc)
+{
+ while ((*ucs != uc) && *ucs)
+ ucs++;
+
+ if (*ucs == uc)
+ return (wchar_t *) ucs;
+ return NULL;
+}
+
+/*
+ * UniStrcmp: Compare two strings
+ *
+ * Returns:
+ * < 0: First string is less than second
+ * = 0: Strings are equal
+ * > 0: First string is greater than second
+ */
+ static inline int
+UniStrcmp(const wchar_t *ucs1, const wchar_t *ucs2)
+{
+ while ((*ucs1 == *ucs2) && *ucs1) {
+ ucs1++;
+ ucs2++;
+ }
+ return (int) *ucs1 - (int) *ucs2;
+}
+
+/*
+ * UniStrcpy: Copy a string
+ */
+ static inline wchar_t *
+UniStrcpy(wchar_t *ucs1, const wchar_t *ucs2)
+{
+ wchar_t *anchor = ucs1; /* save the start of result string */
+
+ while ((*ucs1++ = *ucs2++))
+ /*NULL*/;
+ return anchor;
+}
+
+/*
+ * UniStrlen: Return the length of a string (in 16 bit Unicode chars not bytes)
+ */
+ static inline size_t
+UniStrlen(const wchar_t *ucs1)
+{
+ int i = 0;
+
+ while (*ucs1++)
+ i++;
+ return i;
+}
+
+/*
+ * UniStrnlen: Return the length (in 16 bit Unicode chars not bytes) of a
+ * string (length limited)
+ */
+ static inline size_t
+UniStrnlen(const wchar_t *ucs1, int maxlen)
+{
+ int i = 0;
+
+ while (*ucs1++) {
+ i++;
+ if (i >= maxlen)
+ break;
+ }
+ return i;
+}
+
+/*
+ * UniStrncat: Concatenate length limited string
+ */
+ static inline wchar_t *
+UniStrncat(wchar_t *ucs1, const wchar_t *ucs2, size_t n)
+{
+ wchar_t *anchor = ucs1; /* save pointer to string 1 */
+
+ while (*ucs1++)
+ /*NULL*/;
+ ucs1--; /* point to null terminator of s1 */
+ while (n-- && (*ucs1 = *ucs2)) { /* copy s2 after s1 */
+ ucs1++;
+ ucs2++;
+ }
+ *ucs1 = 0; /* Null terminate the result */
+ return anchor;
+}
+
+/*
+ * UniStrncmp: Compare length limited string
+ */
+ static inline int
+UniStrncmp(const wchar_t *ucs1, const wchar_t *ucs2, size_t n)
+{
+ if (!n)
+ return 0; /* Null strings are equal */
+ while ((*ucs1 == *ucs2) && *ucs1 && --n) {
+ ucs1++;
+ ucs2++;
+ }
+ return (int) *ucs1 - (int) *ucs2;
+}
+
+/*
+ * UniStrncmp_le: Compare length limited string - native to little-endian
+ */
+ static inline int
+UniStrncmp_le(const wchar_t *ucs1, const wchar_t *ucs2, size_t n)
+{
+ if (!n)
+ return 0; /* Null strings are equal */
+ while ((*ucs1 == __le16_to_cpu(*ucs2)) && *ucs1 && --n) {
+ ucs1++;
+ ucs2++;
+ }
+ return (int) *ucs1 - (int) __le16_to_cpu(*ucs2);
+}
+
+/*
+ * UniStrncpy: Copy length limited string with pad
+ */
+ static inline wchar_t *
+UniStrncpy(wchar_t *ucs1, const wchar_t *ucs2, size_t n)
+{
+ wchar_t *anchor = ucs1;
+
+ while (n-- && *ucs2) /* Copy the strings */
+ *ucs1++ = *ucs2++;
+
+ n++;
+ while (n--) /* Pad with nulls */
+ *ucs1++ = 0;
+ return anchor;
+}
+
+/*
+ * UniStrncpy_le: Copy length limited string with pad to little-endian
+ */
+ static inline wchar_t *
+UniStrncpy_le(wchar_t *ucs1, const wchar_t *ucs2, size_t n)
+{
+ wchar_t *anchor = ucs1;
+
+ while (n-- && *ucs2) /* Copy the strings */
+ *ucs1++ = __le16_to_cpu(*ucs2++);
+
+ n++;
+ while (n--) /* Pad with nulls */
+ *ucs1++ = 0;
+ return anchor;
+}
+
+/*
+ * UniStrstr: Find a string in a string
+ *
+ * Returns:
+ * Address of first match found
+ * NULL if no matching string is found
+ */
+ static inline wchar_t *
+UniStrstr(const wchar_t *ucs1, const wchar_t *ucs2)
+{
+ const wchar_t *anchor1 = ucs1;
+ const wchar_t *anchor2 = ucs2;
+
+ while (*ucs1) {
+ if (*ucs1 == *ucs2) {
+ /* Partial match found */
+ ucs1++;
+ ucs2++;
+ } else {
+ if (!*ucs2) /* Match found */
+ return (wchar_t *) anchor1;
+ ucs1 = ++anchor1; /* No match */
+ ucs2 = anchor2;
+ }
+ }
+
+ if (!*ucs2) /* Both end together */
+ return (wchar_t *) anchor1; /* Match found */
+ return NULL; /* No match */
+}
+
+#ifndef UNIUPR_NOUPPER
+/*
+ * UniToupper: Convert a unicode character to upper case
+ */
+ static inline wchar_t
+UniToupper(register wchar_t uc)
+{
+ register const struct UniCaseRange *rp;
+
+ if (uc < sizeof(SmbUniUpperTable)) {
+ /* Latin characters */
+ return uc + SmbUniUpperTable[uc]; /* Use base tables */
+ }
+
+ rp = SmbUniUpperRange; /* Use range tables */
+ while (rp->start) {
+ if (uc < rp->start) /* Before start of range */
+ return uc; /* Uppercase = input */
+ if (uc <= rp->end) /* In range */
+ return uc + rp->table[uc - rp->start];
+ rp++; /* Try next range */
+ }
+ return uc; /* Past last range */
+}
+
+/*
+ * UniStrupr: Upper case a unicode string
+ */
+ static inline __le16 *
+UniStrupr(register __le16 *upin)
+{
+ register __le16 *up;
+
+ up = upin;
+ while (*up) { /* For all characters */
+ *up = cpu_to_le16(UniToupper(le16_to_cpu(*up)));
+ up++;
+ }
+ return upin; /* Return input pointer */
+}
+#endif /* UNIUPR_NOUPPER */
+
+#ifndef UNIUPR_NOLOWER
+/*
+ * UniTolower: Convert a unicode character to lower case
+ */
+ static inline wchar_t
+UniTolower(register wchar_t uc)
+{
+ register const struct UniCaseRange *rp;
+
+ if (uc < sizeof(CifsUniLowerTable)) {
+ /* Latin characters */
+ return uc + CifsUniLowerTable[uc]; /* Use base tables */
+ }
+
+ rp = CifsUniLowerRange; /* Use range tables */
+ while (rp->start) {
+ if (uc < rp->start) /* Before start of range */
+ return uc; /* Uppercase = input */
+ if (uc <= rp->end) /* In range */
+ return uc + rp->table[uc - rp->start];
+ rp++; /* Try next range */
+ }
+ return uc; /* Past last range */
+}
+
+/*
+ * UniStrlwr: Lower case a unicode string
+ */
+ static inline wchar_t *
+UniStrlwr(register wchar_t *upin)
+{
+ register wchar_t *up;
+
+ up = upin;
+ while (*up) { /* For all characters */
+ *up = UniTolower(*up);
+ up++;
+ }
+ return upin; /* Return input pointer */
+}
+
+#endif
+
+#endif /* _CIFS_UNICODE_H */
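Review bot: UniStrnlen() dereferences *ucs1 before it looks at maxlen, so with maxlen == 0 it still reads one element and can return 1; test the limit first, for example `while (i < maxlen && *ucs1++) i++;`. The include guard is `_CIFS_UNICODE_H` although the file lives in fs/cifsd and the sibling uniupr.h uses `__KSMBD_UNIUPR_H`; a ksmbd-specific guard would avoid a clash with any other header that uses the cifs name. The "Uppercase = input" comment in UniTolower() looks like a leftover from UniToupper().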
diff --git a/fs/cifsd/uniupr.h b/fs/cifsd/uniupr.h
new file mode 100644
index 000000000000..26583b776897
--- /dev/null
+++ b/fs/cifsd/uniupr.h
@@ -0,0 +1,268 @@
+/* SPDX-License-Identifier: GPL-2.0-or-later */
+/*
+ * Some of the source code in this file came from fs/cifs/uniupr.h
+ * Copyright (c) International Business Machines Corp., 2000,2002
+ *
+ * uniupr.h - Unicode compressed case ranges
+ *
+ */
+#ifndef __KSMBD_UNIUPR_H
+#define __KSMBD_UNIUPR_H
+
+#ifndef UNIUPR_NOUPPER
+/*
+ * Latin upper case
+ */
+signed char SmbUniUpperTable[512] = {
+ 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, /* 000-00f */
+ 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, /* 010-01f */
+ 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, /* 020-02f */
+ 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, /* 030-03f */
+ 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, /* 040-04f */
+ 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, /* 050-05f */
+ 0, -32, -32, -32, -32, -32, -32, -32, -32, -32, -32,
+ -32, -32, -32, -32, -32, /* 060-06f */
+ -32, -32, -32, -32, -32, -32, -32, -32, -32, -32,
+ -32, 0, 0, 0, 0, 0, /* 070-07f */
+ 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, /* 080-08f */
+ 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, /* 090-09f */
+ 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, /* 0a0-0af */
+ 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, /* 0b0-0bf */
+ 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, /* 0c0-0cf */
+ 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, /* 0d0-0df */
+ -32, -32, -32, -32, -32, -32, -32, -32, -32, -32,
+ -32, -32, -32, -32, -32, -32, /* 0e0-0ef */
+ -32, -32, -32, -32, -32, -32, -32, 0, -32, -32,
+ -32, -32, -32, -32, -32, 121, /* 0f0-0ff */
+ 0, -1, 0, -1, 0, -1, 0, -1, 0, -1, 0, -1, 0, -1, 0, -1, /* 100-10f */
+ 0, -1, 0, -1, 0, -1, 0, -1, 0, -1, 0, -1, 0, -1, 0, -1, /* 110-11f */
+ 0, -1, 0, -1, 0, -1, 0, -1, 0, -1, 0, -1, 0, -1, 0, -1, /* 120-12f */
+ 0, 0, 0, -1, 0, -1, 0, -1, 0, 0, -1, 0, -1, 0, -1, 0, /* 130-13f */
+ -1, 0, -1, 0, -1, 0, -1, 0, -1, 0, 0, -1, 0, -1, 0, -1, /* 140-14f */
+ 0, -1, 0, -1, 0, -1, 0, -1, 0, -1, 0, -1, 0, -1, 0, -1, /* 150-15f */
+ 0, -1, 0, -1, 0, -1, 0, -1, 0, -1, 0, -1, 0, -1, 0, -1, /* 160-16f */
+ 0, -1, 0, -1, 0, -1, 0, -1, 0, 0, -1, 0, -1, 0, -1, 0, /* 170-17f */
+ 0, 0, 0, -1, 0, -1, 0, 0, -1, 0, 0, 0, -1, 0, 0, 0, /* 180-18f */
+ 0, 0, -1, 0, 0, 0, 0, 0, 0, -1, 0, 0, 0, 0, 0, 0, /* 190-19f */
+ 0, -1, 0, -1, 0, -1, 0, 0, -1, 0, 0, 0, 0, -1, 0, 0, /* 1a0-1af */
+ -1, 0, 0, 0, -1, 0, -1, 0, 0, -1, 0, 0, 0, -1, 0, 0, /* 1b0-1bf */
+ 0, 0, 0, 0, 0, -1, -2, 0, -1, -2, 0, -1, -2, 0, -1, 0, /* 1c0-1cf */
+ -1, 0, -1, 0, -1, 0, -1, 0, -1, 0, -1, 0, -1, -79, 0, -1, /* 1d0-1df */
+ 0, -1, 0, -1, 0, -1, 0, -1, 0, -1, 0, -1, 0, -1, 0, -1, /* 1e0-1ef */
+ 0, 0, -1, -2, 0, -1, 0, 0, 0, -1, 0, -1, 0, -1, 0, -1, /* 1f0-1ff */
+};
+
+/* Upper case range - Greek */
+static signed char UniCaseRangeU03a0[47] = {
+ 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, -38, -37, -37, -37, /* 3a0-3af */
+ 0, -32, -32, -32, -32, -32, -32, -32, -32, -32, -32, -32,
+ -32, -32, -32, -32, /* 3b0-3bf */
+ -32, -32, -31, -32, -32, -32, -32, -32, -32, -32, -32, -32, -64,
+ -63, -63,
+};
+
+/* Upper case range - Cyrillic */
+static signed char UniCaseRangeU0430[48] = {
+ -32, -32, -32, -32, -32, -32, -32, -32, -32, -32, -32, -32,
+ -32, -32, -32, -32, /* 430-43f */
+ -32, -32, -32, -32, -32, -32, -32, -32, -32, -32, -32, -32,
+ -32, -32, -32, -32, /* 440-44f */
+ 0, -80, -80, -80, -80, -80, -80, -80, -80, -80, -80,
+ -80, -80, 0, -80, -80, /* 450-45f */
+};
+
+/* Upper case range - Extended cyrillic */
+static signed char UniCaseRangeU0490[61] = {
+ 0, -1, 0, -1, 0, -1, 0, -1, 0, -1, 0, -1, 0, -1, 0, -1, /* 490-49f */
+ 0, -1, 0, -1, 0, -1, 0, -1, 0, -1, 0, -1, 0, -1, 0, -1, /* 4a0-4af */
+ 0, -1, 0, -1, 0, -1, 0, -1, 0, -1, 0, -1, 0, -1, 0, -1, /* 4b0-4bf */
+ 0, 0, -1, 0, -1, 0, 0, 0, -1, 0, 0, 0, -1,
+};
+
+/* Upper case range - Extended latin and greek */
+static signed char UniCaseRangeU1e00[509] = {
+ 0, -1, 0, -1, 0, -1, 0, -1, 0, -1, 0, -1, 0, -1, 0, -1, /* 1e00-1e0f */
+ 0, -1, 0, -1, 0, -1, 0, -1, 0, -1, 0, -1, 0, -1, 0, -1, /* 1e10-1e1f */
+ 0, -1, 0, -1, 0, -1, 0, -1, 0, -1, 0, -1, 0, -1, 0, -1, /* 1e20-1e2f */
+ 0, -1, 0, -1, 0, -1, 0, -1, 0, -1, 0, -1, 0, -1, 0, -1, /* 1e30-1e3f */
+ 0, -1, 0, -1, 0, -1, 0, -1, 0, -1, 0, -1, 0, -1, 0, -1, /* 1e40-1e4f */
+ 0, -1, 0, -1, 0, -1, 0, -1, 0, -1, 0, -1, 0, -1, 0, -1, /* 1e50-1e5f */
+ 0, -1, 0, -1, 0, -1, 0, -1, 0, -1, 0, -1, 0, -1, 0, -1, /* 1e60-1e6f */
+ 0, -1, 0, -1, 0, -1, 0, -1, 0, -1, 0, -1, 0, -1, 0, -1, /* 1e70-1e7f */
+ 0, -1, 0, -1, 0, -1, 0, -1, 0, -1, 0, -1, 0, -1, 0, -1, /* 1e80-1e8f */
+ 0, -1, 0, -1, 0, -1, 0, 0, 0, 0, 0, -59, 0, -1, 0, -1, /* 1e90-1e9f */
+ 0, -1, 0, -1, 0, -1, 0, -1, 0, -1, 0, -1, 0, -1, 0, -1, /* 1ea0-1eaf */
+ 0, -1, 0, -1, 0, -1, 0, -1, 0, -1, 0, -1, 0, -1, 0, -1, /* 1eb0-1ebf */
+ 0, -1, 0, -1, 0, -1, 0, -1, 0, -1, 0, -1, 0, -1, 0, -1, /* 1ec0-1ecf */
+ 0, -1, 0, -1, 0, -1, 0, -1, 0, -1, 0, -1, 0, -1, 0, -1, /* 1ed0-1edf */
+ 0, -1, 0, -1, 0, -1, 0, -1, 0, -1, 0, -1, 0, -1, 0, -1, /* 1ee0-1eef */
+ 0, -1, 0, -1, 0, -1, 0, -1, 0, -1, 0, 0, 0, 0, 0, 0, /* 1ef0-1eff */
+ 8, 8, 8, 8, 8, 8, 8, 8, 0, 0, 0, 0, 0, 0, 0, 0, /* 1f00-1f0f */
+ 8, 8, 8, 8, 8, 8, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, /* 1f10-1f1f */
+ 8, 8, 8, 8, 8, 8, 8, 8, 0, 0, 0, 0, 0, 0, 0, 0, /* 1f20-1f2f */
+ 8, 8, 8, 8, 8, 8, 8, 8, 0, 0, 0, 0, 0, 0, 0, 0, /* 1f30-1f3f */
+ 8, 8, 8, 8, 8, 8, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, /* 1f40-1f4f */
+ 0, 8, 0, 8, 0, 8, 0, 8, 0, 0, 0, 0, 0, 0, 0, 0, /* 1f50-1f5f */
+ 8, 8, 8, 8, 8, 8, 8, 8, 0, 0, 0, 0, 0, 0, 0, 0, /* 1f60-1f6f */
+ 74, 74, 86, 86, 86, 86, 100, 100, 0, 0, 112, 112,
+ 126, 126, 0, 0, /* 1f70-1f7f */
+ 8, 8, 8, 8, 8, 8, 8, 8, 0, 0, 0, 0, 0, 0, 0, 0, /* 1f80-1f8f */
+ 8, 8, 8, 8, 8, 8, 8, 8, 0, 0, 0, 0, 0, 0, 0, 0, /* 1f90-1f9f */
+ 8, 8, 8, 8, 8, 8, 8, 8, 0, 0, 0, 0, 0, 0, 0, 0, /* 1fa0-1faf */
+ 8, 8, 0, 9, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, /* 1fb0-1fbf */
+ 0, 0, 0, 9, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, /* 1fc0-1fcf */
+ 8, 8, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, /* 1fd0-1fdf */
+ 8, 8, 0, 0, 0, 7, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, /* 1fe0-1fef */
+ 0, 0, 0, 9, 0, 0, 0, 0, 0, 0, 0, 0, 0,
+};
+
+/* Upper case range - Wide latin */
+static signed char UniCaseRangeUff40[27] = {
+ 0, -32, -32, -32, -32, -32, -32, -32, -32, -32, -32,
+ -32, -32, -32, -32, -32, /* ff40-ff4f */
+ -32, -32, -32, -32, -32, -32, -32, -32, -32, -32, -32,
+};
+
+/*
+ * Upper Case Range
+ */
+const struct UniCaseRange SmbUniUpperRange[] = {
+ {0x03a0, 0x03ce, UniCaseRangeU03a0},
+ {0x0430, 0x045f, UniCaseRangeU0430},
+ {0x0490, 0x04cc, UniCaseRangeU0490},
+ {0x1e00, 0x1ffc, UniCaseRangeU1e00},
+ {0xff40, 0xff5a, UniCaseRangeUff40},
+ {0}
+};
+#endif
+
+#ifndef UNIUPR_NOLOWER
+/*
+ * Latin lower case
+ */
+signed char CifsUniLowerTable[512] = {
+ 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, /* 000-00f */
+ 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, /* 010-01f */
+ 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, /* 020-02f */
+ 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, /* 030-03f */
+ 0, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32,
+ 32, 32, 32, /* 040-04f */
+ 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 0, 0,
+ 0, 0, 0, /* 050-05f */
+ 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, /* 060-06f */
+ 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, /* 070-07f */
+ 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, /* 080-08f */
+ 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, /* 090-09f */
+ 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, /* 0a0-0af */
+ 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, /* 0b0-0bf */
+ 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32,
+ 32, 32, 32, 32, /* 0c0-0cf */
+ 32, 32, 32, 32, 32, 32, 32, 0, 32, 32, 32, 32,
+ 32, 32, 32, 0, /* 0d0-0df */
+ 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, /* 0e0-0ef */
+ 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, /* 0f0-0ff */
+ 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, /* 100-10f */
+ 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, /* 110-11f */
+ 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, /* 120-12f */
+ 0, 0, 1, 0, 1, 0, 1, 0, 0, 1, 0, 1, 0, 1, 0, 1, /* 130-13f */
+ 0, 1, 0, 1, 0, 1, 0, 1, 0, 0, 1, 0, 1, 0, 1, 0, /* 140-14f */
+ 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, /* 150-15f */
+ 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, /* 160-16f */
+ 1, 0, 1, 0, 1, 0, 1, 0, -121, 1, 0, 1, 0, 1, 0,
+ 0, /* 170-17f */
+ 0, 0, 1, 0, 1, 0, 0, 1, 0, 0, 0, 1, 0, 0, 79,
+ 0, /* 180-18f */
+ 0, 1, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0, /* 190-19f */
+ 1, 0, 1, 0, 1, 0, 0, 1, 0, 0, 0, 0, 1, 0, 0, 1, /* 1a0-1af */
+ 0, 0, 0, 1, 0, 1, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, /* 1b0-1bf */
+ 0, 0, 0, 0, 2, 1, 0, 2, 1, 0, 2, 1, 0, 1, 0, 1, /* 1c0-1cf */
+ 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 0, 1, 0, /* 1d0-1df */
+ 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, /* 1e0-1ef */
+ 0, 2, 1, 0, 1, 0, 0, 0, 1, 0, 1, 0, 1, 0, 1, 0, /* 1f0-1ff */
+};
+
+/* Lower case range - Greek */
+static signed char UniCaseRangeL0380[44] = {
+ 0, 0, 0, 0, 0, 0, 38, 0, 37, 37, 37, 0, 64, 0, 63, 63, /* 380-38f */
+ 0, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32,
+ 32, 32, 32, /* 390-39f */
+ 32, 32, 0, 32, 32, 32, 32, 32, 32, 32, 32, 32,
+};
+
+/* Lower case range - Cyrillic */
+static signed char UniCaseRangeL0400[48] = {
+ 0, 80, 80, 80, 80, 80, 80, 80, 80, 80, 80, 80, 80,
+ 0, 80, 80, /* 400-40f */
+ 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32,
+ 32, 32, 32, /* 410-41f */
+ 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32,
+ 32, 32, 32, /* 420-42f */
+};
+
+/* Lower case range - Extended cyrillic */
+static signed char UniCaseRangeL0490[60] = {
+ 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, /* 490-49f */
+ 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, /* 4a0-4af */
+ 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, /* 4b0-4bf */
+ 0, 1, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1,
+};
+
+/* Lower case range - Extended latin and greek */
+static signed char UniCaseRangeL1e00[504] = {
+ 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, /* 1e00-1e0f */
+ 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, /* 1e10-1e1f */
+ 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, /* 1e20-1e2f */
+ 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, /* 1e30-1e3f */
+ 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, /* 1e40-1e4f */
+ 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, /* 1e50-1e5f */
+ 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, /* 1e60-1e6f */
+ 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, /* 1e70-1e7f */
+ 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, /* 1e80-1e8f */
+ 1, 0, 1, 0, 1, 0, 0, 0, 0, 0, 0, 0, 1, 0, 1, 0, /* 1e90-1e9f */
+ 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, /* 1ea0-1eaf */
+ 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, /* 1eb0-1ebf */
+ 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, /* 1ec0-1ecf */
+ 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, /* 1ed0-1edf */
+ 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, /* 1ee0-1eef */
+ 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 0, 0, 0, 0, 0, 0, /* 1ef0-1eff */
+ 0, 0, 0, 0, 0, 0, 0, 0, -8, -8, -8, -8, -8, -8, -8, -8, /* 1f00-1f0f */
+ 0, 0, 0, 0, 0, 0, 0, 0, -8, -8, -8, -8, -8, -8, 0, 0, /* 1f10-1f1f */
+ 0, 0, 0, 0, 0, 0, 0, 0, -8, -8, -8, -8, -8, -8, -8, -8, /* 1f20-1f2f */
+ 0, 0, 0, 0, 0, 0, 0, 0, -8, -8, -8, -8, -8, -8, -8, -8, /* 1f30-1f3f */
+ 0, 0, 0, 0, 0, 0, 0, 0, -8, -8, -8, -8, -8, -8, 0, 0, /* 1f40-1f4f */
+ 0, 0, 0, 0, 0, 0, 0, 0, 0, -8, 0, -8, 0, -8, 0, -8, /* 1f50-1f5f */
+ 0, 0, 0, 0, 0, 0, 0, 0, -8, -8, -8, -8, -8, -8, -8, -8, /* 1f60-1f6f */
+ 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, /* 1f70-1f7f */
+ 0, 0, 0, 0, 0, 0, 0, 0, -8, -8, -8, -8, -8, -8, -8, -8, /* 1f80-1f8f */
+ 0, 0, 0, 0, 0, 0, 0, 0, -8, -8, -8, -8, -8, -8, -8, -8, /* 1f90-1f9f */
+ 0, 0, 0, 0, 0, 0, 0, 0, -8, -8, -8, -8, -8, -8, -8, -8, /* 1fa0-1faf */
+ 0, 0, 0, 0, 0, 0, 0, 0, -8, -8, -74, -74, -9, 0, 0, 0, /* 1fb0-1fbf */
+ 0, 0, 0, 0, 0, 0, 0, 0, -86, -86, -86, -86, -9, 0,
+ 0, 0, /* 1fc0-1fcf */
+ 0, 0, 0, 0, 0, 0, 0, 0, -8, -8, -100, -100, 0, 0, 0, 0, /* 1fd0-1fdf */
+ 0, 0, 0, 0, 0, 0, 0, 0, -8, -8, -112, -112, -7, 0,
+ 0, 0, /* 1fe0-1fef */
+ 0, 0, 0, 0, 0, 0, 0, 0,
+};
+
+/* Lower case range - Wide latin */
+static signed char UniCaseRangeLff20[27] = {
+ 0, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32,
+ 32, /* ff20-ff2f */
+ 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32,
+};
+
+/*
+ * Lower Case Range
+ */
+const struct UniCaseRange CifsUniLowerRange[] = {
+ {0x0380, 0x03ab, UniCaseRangeL0380},
+ {0x0400, 0x042f, UniCaseRangeL0400},
+ {0x0490, 0x04cb, UniCaseRangeL0490},
+ {0x1e00, 0x1ff7, UniCaseRangeL1e00},
+ {0xff20, 0xff3a, UniCaseRangeLff20},
+ {0}
+};
+#endif
+
+#endif /* __KSMBD_UNIUPR_H */
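Review bot: SmbUniUpperTable, SmbUniUpperRange, CifsUniLowerTable and CifsUniLowerRange are defined, not just declared, with external linkage in this header, so including uniupr.h from more than one .c file will produce duplicate-symbol link errors; either move the definitions into a single .c file or add a comment that the header must be included exactly once. The offset tables are read-only lookup data, so the `signed char` arrays (and the `table` member of struct UniCaseRange, with the matching externs in unicode.h) could be `const`, which keeps them out of writable memory.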
From patchwork Mon Nov 14 12:48:32 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Jason Yan <yanaijie(a)huawei.com>
X-Patchwork-Id: 183099
From: Jason Yan <yanaijie(a)huawei.com>
To: <yanaijie(a)huawei.com>, <zhengzengkai(a)huawei.com>, <xiexiuqi(a)huawei.com>,
<yi.zhang(a)huawei.com>, <patchwork(a)huawei.com>, <kernel.openeuler(a)huawei.com>,
<houtao1(a)huawei.com>
Subject: [PATCH OLK-5.10 v2 003/308] cifsd: add file operations
Date: Mon, 14 Nov 2022 20:48:32 +0800
Message-ID: <20221114125337.1831594-4-yanaijie(a)huawei.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20221114125337.1831594-1-yanaijie(a)huawei.com>
References: <20221114125337.1831594-1-yanaijie(a)huawei.com>
From: Namjae Jeon <namjae.jeon(a)samsung.com>
mainline inclusion
from mainline-5.15-rc1
commit f44158485826c076335d6860d35872271a83791d
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G
CVE: NA
Reference: https://git.kernel.org/torvalds/linux/c/f44158485826
-------------------------------
This adds file operations and buffer pool for cifsd.
Signed-off-by: Namjae Jeon <namjae.jeon(a)samsung.com>
Signed-off-by: Sergey Senozhatsky <sergey.senozhatsky(a)gmail.com>
Signed-off-by: Hyunchul Lee <hyc.lee(a)gmail.com>
Acked-by: Ronnie Sahlberg <lsahlber(a)redhat.com>
Signed-off-by: Steve French <stfrench(a)microsoft.com>
Signed-off-by: Jason Yan <yanaijie(a)huawei.com>
---
fs/cifsd/buffer_pool.c | 292 ++++++
fs/cifsd/buffer_pool.h | 28 +
fs/cifsd/vfs.c | 1989 ++++++++++++++++++++++++++++++++++++++++
fs/cifsd/vfs.h | 314 +++++++
fs/cifsd/vfs_cache.c | 855 +++++++++++++++++
fs/cifsd/vfs_cache.h | 213 +++++
6 files changed, 3691 insertions(+)
create mode 100644 fs/cifsd/buffer_pool.c
create mode 100644 fs/cifsd/buffer_pool.h
create mode 100644 fs/cifsd/vfs.c
create mode 100644 fs/cifsd/vfs.h
create mode 100644 fs/cifsd/vfs_cache.c
create mode 100644 fs/cifsd/vfs_cache.h
diff --git a/fs/cifsd/buffer_pool.c b/fs/cifsd/buffer_pool.c
new file mode 100644
index 000000000000..864fea547c68
--- /dev/null
+++ b/fs/cifsd/buffer_pool.c
@@ -0,0 +1,292 @@
+// SPDX-License-Identifier: GPL-2.0-or-later
+/*
+ * Copyright (C) 2018 Samsung Electronics Co., Ltd.
+ */
+
+#include <linux/kernel.h>
+#include <linux/wait.h>
+#include <linux/sched.h>
+#include <linux/mm.h>
+#include <linux/slab.h>
+#include <linux/vmalloc.h>
+#include <linux/rwlock.h>
+
+#include "glob.h"
+#include "buffer_pool.h"
+#include "connection.h"
+#include "mgmt/ksmbd_ida.h"
+
+static struct kmem_cache *filp_cache;
+
+struct wm {
+ struct list_head list;
+ unsigned int sz;
+ char buffer[0];
+};
+
+struct wm_list {
+ struct list_head list;
+ unsigned int sz;
+
+ spinlock_t wm_lock;
+ int avail_wm;
+ struct list_head idle_wm;
+ wait_queue_head_t wm_wait;
+};
+
+static LIST_HEAD(wm_lists);
+static DEFINE_RWLOCK(wm_lists_lock);
+
+void *ksmbd_alloc(size_t size)
+{
+ return kvmalloc(size, GFP_KERNEL | __GFP_ZERO);
+}
+
+void ksmbd_free(void *ptr)
+{
+ kvfree(ptr);
+}
+
+static struct wm *wm_alloc(size_t sz, gfp_t flags)
+{
+ struct wm *wm;
+ size_t alloc_sz = sz + sizeof(struct wm);
+
+ wm = kvmalloc(alloc_sz, flags);
+ if (!wm)
+ return NULL;
+ wm->sz = sz;
+ return wm;
+}
+
+static int register_wm_size_class(size_t sz)
+{
+ struct wm_list *l, *nl;
+
+ nl = kvmalloc(sizeof(struct wm_list), GFP_KERNEL);
+ if (!nl)
+ return -ENOMEM;
+
+ nl->sz = sz;
+ spin_lock_init(&nl->wm_lock);
+ INIT_LIST_HEAD(&nl->idle_wm);
+ INIT_LIST_HEAD(&nl->list);
+ init_waitqueue_head(&nl->wm_wait);
+ nl->avail_wm = 0;
+
+ write_lock(&wm_lists_lock);
+ list_for_each_entry(l, &wm_lists, list) {
+ if (l->sz == sz) {
+ write_unlock(&wm_lists_lock);
+ kvfree(nl);
+ return 0;
+ }
+ }
+
+ list_add(&nl->list, &wm_lists);
+ write_unlock(&wm_lists_lock);
+ return 0;
+}
+
+static struct wm_list *match_wm_list(size_t size)
+{
+ struct wm_list *l, *rl = NULL;
+
+ read_lock(&wm_lists_lock);
+ list_for_each_entry(l, &wm_lists, list) {
+ if (l->sz == size) {
+ rl = l;
+ break;
+ }
+ }
+ read_unlock(&wm_lists_lock);
+ return rl;
+}
+
+static struct wm *find_wm(size_t size)
+{
+ struct wm_list *wm_list;
+ struct wm *wm;
+
+ wm_list = match_wm_list(size);
+ if (!wm_list) {
+ if (register_wm_size_class(size))
+ return NULL;
+ wm_list = match_wm_list(size);
+ }
+
+ if (!wm_list)
+ return NULL;
+
+ while (1) {
+ spin_lock(&wm_list->wm_lock);
+ if (!list_empty(&wm_list->idle_wm)) {
+ wm = list_entry(wm_list->idle_wm.next,
+ struct wm,
+ list);
+ list_del(&wm->list);
+ spin_unlock(&wm_list->wm_lock);
+ return wm;
+ }
+
+ if (wm_list->avail_wm > num_online_cpus()) {
+ spin_unlock(&wm_list->wm_lock);
+ wait_event(wm_list->wm_wait,
+ !list_empty(&wm_list->idle_wm));
+ continue;
+ }
+
+ wm_list->avail_wm++;
+ spin_unlock(&wm_list->wm_lock);
+
+ wm = wm_alloc(size, GFP_KERNEL);
+ if (!wm) {
+ spin_lock(&wm_list->wm_lock);
+ wm_list->avail_wm--;
+ spin_unlock(&wm_list->wm_lock);
+ wait_event(wm_list->wm_wait,
+ !list_empty(&wm_list->idle_wm));
+ continue;
+ }
+ break;
+ }
+
+ return wm;
+}
+
+static void release_wm(struct wm *wm, struct wm_list *wm_list)
+{
+ if (!wm)
+ return;
+
+ spin_lock(&wm_list->wm_lock);
+ if (wm_list->avail_wm <= num_online_cpus()) {
+ list_add(&wm->list, &wm_list->idle_wm);
+ spin_unlock(&wm_list->wm_lock);
+ wake_up(&wm_list->wm_wait);
+ return;
+ }
+
+ wm_list->avail_wm--;
+ spin_unlock(&wm_list->wm_lock);
+ ksmbd_free(wm);
+}
+
+static void wm_list_free(struct wm_list *l)
+{
+ struct wm *wm;
+
+ while (!list_empty(&l->idle_wm)) {
+ wm = list_entry(l->idle_wm.next, struct wm, list);
+ list_del(&wm->list);
+ kvfree(wm);
+ }
+ kvfree(l);
+}
+
+static void wm_lists_destroy(void)
+{
+ struct wm_list *l;
+
+ while (!list_empty(&wm_lists)) {
+ l = list_entry(wm_lists.next, struct wm_list, list);
+ list_del(&l->list);
+ wm_list_free(l);
+ }
+}
+
+void ksmbd_free_request(void *addr)
+{
+ kvfree(addr);
+}
+
+void *ksmbd_alloc_request(size_t size)
+{
+ return kvmalloc(size, GFP_KERNEL);
+}
+
+void ksmbd_free_response(void *buffer)
+{
+ kvfree(buffer);
+}
+
+void *ksmbd_alloc_response(size_t size)
+{
+ return kvmalloc(size, GFP_KERNEL | __GFP_ZERO);
+}
+
+void *ksmbd_find_buffer(size_t size)
+{
+ struct wm *wm;
+
+ wm = find_wm(size);
+
+ WARN_ON(!wm);
+ if (wm)
+ return wm->buffer;
+ return NULL;
+}
+
+void ksmbd_release_buffer(void *buffer)
+{
+ struct wm_list *wm_list;
+ struct wm *wm;
+
+ if (!buffer)
+ return;
+
+ wm = container_of(buffer, struct wm, buffer);
+ wm_list = match_wm_list(wm->sz);
+ WARN_ON(!wm_list);
+ if (wm_list)
+ release_wm(wm, wm_list);
+}
+
+void *ksmbd_realloc_response(void *ptr, size_t old_sz, size_t new_sz)
+{
+ size_t sz = min(old_sz, new_sz);
+ void *nptr;
+
+ nptr = ksmbd_alloc_response(new_sz);
+ if (!nptr)
+ return ptr;
+ memcpy(nptr, ptr, sz);
+ ksmbd_free_response(ptr);
+ return nptr;
+}
+
+void ksmbd_free_file_struct(void *filp)
+{
+ kmem_cache_free(filp_cache, filp);
+}
+
+void *ksmbd_alloc_file_struct(void)
+{
+ return kmem_cache_zalloc(filp_cache, GFP_KERNEL);
+}
+
+void ksmbd_destroy_buffer_pools(void)
+{
+ wm_lists_destroy();
+ ksmbd_work_pool_destroy();
+ kmem_cache_destroy(filp_cache);
+}
+
+int ksmbd_init_buffer_pools(void)
+{
+ if (ksmbd_work_pool_init())
+ goto out;
+
+ filp_cache = kmem_cache_create("ksmbd_file_cache",
+ sizeof(struct ksmbd_file), 0,
+ SLAB_HWCACHE_ALIGN, NULL);
+ if (!filp_cache)
+ goto out;
+
+ return 0;
+
+out:
+ ksmbd_err("failed to allocate memory\n");
+ ksmbd_destroy_buffer_pools();
+ return -ENOMEM;
+}
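Review bot: ksmbd_realloc_response() returns the old ptr when ksmbd_alloc_response(new_sz) fails, so a caller cannot tell failure from success and may go on to write new_sz bytes into a buffer that is still old_sz long. Return NULL on failure and leave ptr owned by the caller, or return an error code and pass the buffer by reference, and document the contract either way. Separately, find_wm() hands back memory that is never zeroed: wm_alloc() is called with plain GFP_KERNEL and idle entries are reused exactly as they were released, so every ksmbd_find_buffer() caller has to overwrite each byte it later sends; say so in a comment, or allocate with __GFP_ZERO and clear on reuse. Smaller points: wm->sz is unsigned int while the size arguments are size_t, and the sum sz + sizeof(struct wm) in wm_alloc() is unchecked; use size_t for the field and struct_size() or check_add_overflow() for the sum, and declare the trailing array as buffer[] rather than buffer[0].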
diff --git a/fs/cifsd/buffer_pool.h b/fs/cifsd/buffer_pool.h
new file mode 100644
index 000000000000..2b3d03afcf27
--- /dev/null
+++ b/fs/cifsd/buffer_pool.h
@@ -0,0 +1,28 @@
+/* SPDX-License-Identifier: GPL-2.0-or-later */
+/*
+ * Copyright (C) 2018 Samsung Electronics Co., Ltd.
+ */
+
+#ifndef __KSMBD_BUFFER_POOL_H__
+#define __KSMBD_BUFFER_POOL_H__
+
+void *ksmbd_find_buffer(size_t size);
+void ksmbd_release_buffer(void *buffer);
+
+void *ksmbd_alloc(size_t size);
+void ksmbd_free(void *ptr);
+
+void ksmbd_free_request(void *addr);
+void *ksmbd_alloc_request(size_t size);
+void ksmbd_free_response(void *buffer);
+void *ksmbd_alloc_response(size_t size);
+
+void *ksmbd_realloc_response(void *ptr, size_t old_sz, size_t new_sz);
+
+void ksmbd_free_file_struct(void *filp);
+void *ksmbd_alloc_file_struct(void);
+
+void ksmbd_destroy_buffer_pools(void);
+int ksmbd_init_buffer_pools(void);
+
+#endif /* __KSMBD_BUFFER_POOL_H__ */
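Review bot: the prototypes use size_t but the header includes nothing, so it only compiles when the including file has already pulled in <linux/types.h>; add that include here. The declarations also carry no comment on pairing or failure behaviour: nothing states that a pointer from ksmbd_find_buffer() must go back through ksmbd_release_buffer() rather than ksmbd_free(), or what ksmbd_realloc_response() returns when the new allocation fails. A short comment per group of allocators would cover both.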
diff --git a/fs/cifsd/vfs.c b/fs/cifsd/vfs.c
new file mode 100644
index 000000000000..00f80ca45690
--- /dev/null
+++ b/fs/cifsd/vfs.c
@@ -0,0 +1,1989 @@
+// SPDX-License-Identifier: GPL-2.0-or-later
+/*
+ * Copyright (C) 2016 Namjae Jeon <linkinjeon(a)kernel.org>
+ * Copyright (C) 2018 Samsung Electronics Co., Ltd.
+ */
+
+#include <linux/kernel.h>
+#include <linux/fs.h>
+#include <linux/uaccess.h>
+#include <linux/backing-dev.h>
+#include <linux/writeback.h>
+#include <linux/version.h>
+#include <linux/xattr.h>
+#include <linux/falloc.h>
+#include <linux/genhd.h>
+#include <linux/blkdev.h>
+#include <linux/fsnotify.h>
+#include <linux/dcache.h>
+#include <linux/slab.h>
+#include <linux/vmalloc.h>
+#include <linux/sched/xacct.h>
+#include <linux/crc32c.h>
+
+#include "glob.h"
+#include "oplock.h"
+#include "connection.h"
+#include "buffer_pool.h"
+#include "vfs.h"
+#include "vfs_cache.h"
+#include "smbacl.h"
+#include "ndr.h"
+#include "auth.h"
+
+#include "time_wrappers.h"
+#include "smb_common.h"
+#include "mgmt/share_config.h"
+#include "mgmt/tree_connect.h"
+#include "mgmt/user_session.h"
+#include "mgmt/user_config.h"
+
+static char *extract_last_component(char *path)
+{
+ char *p = strrchr(path, '/');
+
+ if (p && p[1] != '\0') {
+ *p = '\0';
+ p++;
+ } else {
+ p = NULL;
+ ksmbd_err("Invalid path %s\n", path);
+ }
+ return p;
+}
+
+static void rollback_path_modification(char *filename)
+{
+ if (filename) {
+ filename--;
+ *filename = '/';
+ }
+}
+
+static void ksmbd_vfs_inherit_owner(struct ksmbd_work *work,
+ struct inode *parent_inode,
+ struct inode *inode)
+{
+ if (!test_share_config_flag(work->tcon->share_conf,
+ KSMBD_SHARE_FLAG_INHERIT_OWNER))
+ return;
+
+ i_uid_write(inode, i_uid_read(parent_inode));
+}
+
+static void ksmbd_vfs_inherit_smack(struct ksmbd_work *work,
+ struct dentry *dir_dentry,
+ struct dentry *dentry)
+{
+ char *name, *xattr_list = NULL, *smack_buf;
+ int value_len, xattr_list_len;
+
+ if (!test_share_config_flag(work->tcon->share_conf,
+ KSMBD_SHARE_FLAG_INHERIT_SMACK))
+ return;
+
+ xattr_list_len = ksmbd_vfs_listxattr(dir_dentry, &xattr_list);
+ if (xattr_list_len < 0) {
+ goto out;
+ } else if (!xattr_list_len) {
+ ksmbd_err("no ea data in the file\n");
+ return;
+ }
+
+ for (name = xattr_list; name - xattr_list < xattr_list_len;
+ name += strlen(name) + 1) {
+ int rc;
+
+ ksmbd_debug(VFS, "%s, len %zd\n", name, strlen(name));
+ if (strcmp(name, XATTR_NAME_SMACK))
+ continue;
+
+ value_len = ksmbd_vfs_getxattr(dir_dentry, name, &smack_buf);
+ if (value_len <= 0)
+ continue;
+
+ rc = ksmbd_vfs_setxattr(dentry, XATTR_NAME_SMACK, smack_buf,
+ value_len, 0);
+ ksmbd_free(smack_buf);
+ if (rc < 0)
+ ksmbd_err("ksmbd_vfs_setxattr() failed: %d\n", rc);
+ }
+out:
+ ksmbd_vfs_xattr_free(xattr_list);
+}
+
+int ksmbd_vfs_inode_permission(struct dentry *dentry, int acc_mode, bool delete)
+{
+ int mask;
+
+ mask = 0;
+ acc_mode &= O_ACCMODE;
+
+ if (acc_mode == O_RDONLY)
+ mask = MAY_READ;
+ else if (acc_mode == O_WRONLY)
+ mask = MAY_WRITE;
+ else if (acc_mode == O_RDWR)
+ mask = MAY_READ | MAY_WRITE;
+
+ if (inode_permission(&init_user_ns, d_inode(dentry), mask | MAY_OPEN))
+ return -EACCES;
+
+ if (delete) {
+ struct dentry *parent;
+
+ parent = dget_parent(dentry);
+ if (!parent)
+ return -EINVAL;
+
+ if (inode_permission(&init_user_ns, d_inode(parent), MAY_EXEC | MAY_WRITE)) {
+ dput(parent);
+ return -EACCES;
+ }
+ dput(parent);
+ }
+ return 0;
+}
+
+int ksmbd_vfs_query_maximal_access(struct dentry *dentry, __le32 *daccess)
+{
+ struct dentry *parent;
+
+ *daccess = cpu_to_le32(FILE_READ_ATTRIBUTES | READ_CONTROL);
+
+ if (!inode_permission(&init_user_ns, d_inode(dentry), MAY_OPEN | MAY_WRITE))
+ *daccess |= cpu_to_le32(WRITE_DAC | WRITE_OWNER | SYNCHRONIZE |
+ FILE_WRITE_DATA | FILE_APPEND_DATA |
+ FILE_WRITE_EA | FILE_WRITE_ATTRIBUTES |
+ FILE_DELETE_CHILD);
+
+ if (!inode_permission(&init_user_ns, d_inode(dentry), MAY_OPEN | MAY_READ))
+ *daccess |= FILE_READ_DATA_LE | FILE_READ_EA_LE;
+
+ if (!inode_permission(&init_user_ns, d_inode(dentry), MAY_OPEN | MAY_EXEC))
+ *daccess |= FILE_EXECUTE_LE;
+
+ parent = dget_parent(dentry);
+ if (!parent)
+ return 0;
+
+ if (!inode_permission(&init_user_ns, d_inode(parent), MAY_EXEC | MAY_WRITE))
+ *daccess |= FILE_DELETE_LE;
+ dput(parent);
+ return 0;
+}
+
+
+/**
+ * ksmbd_vfs_create() - vfs helper for smb create file
+ * @work: work
+ * @name: file name
+ * @mode: file create mode
+ *
+ * Return: 0 on success, otherwise error
+ */
+int ksmbd_vfs_create(struct ksmbd_work *work,
+ const char *name,
+ umode_t mode)
+{
+ struct path path;
+ struct dentry *dentry;
+ int err;
+
+ dentry = kern_path_create(AT_FDCWD, name, &path, 0);
+ if (IS_ERR(dentry)) {
+ err = PTR_ERR(dentry);
+ if (err != -ENOENT)
+ ksmbd_err("path create failed for %s, err %d\n",
+ name, err);
+ return err;
+ }
+
+ mode |= S_IFREG;
+ err = vfs_create(&init_user_ns, d_inode(path.dentry), dentry, mode, true);
+ if (!err) {
+ ksmbd_vfs_inherit_owner(work, d_inode(path.dentry),
+ d_inode(dentry));
+ ksmbd_vfs_inherit_smack(work, path.dentry, dentry);
+ } else {
+ ksmbd_err("File(%s): creation failed (err:%d)\n", name, err);
+ }
+ done_path_create(&path, dentry);
+ return err;
+}
+
+/**
+ * ksmbd_vfs_mkdir() - vfs helper for smb create directory
+ * @work: work
+ * @name: directory name
+ * @mode: directory create mode
+ *
+ * Return: 0 on success, otherwise error
+ */
+int ksmbd_vfs_mkdir(struct ksmbd_work *work,
+ const char *name,
+ umode_t mode)
+{
+ struct path path;
+ struct dentry *dentry;
+ int err;
+
+ dentry = kern_path_create(AT_FDCWD, name, &path, LOOKUP_DIRECTORY);
+ if (IS_ERR(dentry)) {
+ err = PTR_ERR(dentry);
+ if (err != -EEXIST)
+ ksmbd_debug(VFS, "path create failed for %s, err %d\n",
+ name, err);
+ return err;
+ }
+
+ mode |= S_IFDIR;
+ err = vfs_mkdir(&init_user_ns, d_inode(path.dentry), dentry, mode);
+ if (!err) {
+ ksmbd_vfs_inherit_owner(work, d_inode(path.dentry),
+ d_inode(dentry));
+ ksmbd_vfs_inherit_smack(work, path.dentry, dentry);
+ } else
+ ksmbd_err("mkdir(%s): creation failed (err:%d)\n", name, err);
+
+ done_path_create(&path, dentry);
+ return err;
+}
+
+static ssize_t ksmbd_vfs_getcasexattr(struct dentry *dentry,
+ char *attr_name,
+ int attr_name_len,
+ char **attr_value)
+{
+ char *name, *xattr_list = NULL;
+ ssize_t value_len = -ENOENT, xattr_list_len;
+
+ xattr_list_len = ksmbd_vfs_listxattr(dentry, &xattr_list);
+ if (xattr_list_len <= 0)
+ goto out;
+
+ for (name = xattr_list; name - xattr_list < xattr_list_len;
+ name += strlen(name) + 1) {
+ ksmbd_debug(VFS, "%s, len %zd\n", name, strlen(name));
+ if (strncasecmp(attr_name, name, attr_name_len))
+ continue;
+
+ value_len = ksmbd_vfs_getxattr(dentry,
+ name,
+ attr_value);
+ if (value_len < 0)
+ ksmbd_err("failed to get xattr in file\n");
+ break;
+ }
+
+out:
+ ksmbd_vfs_xattr_free(xattr_list);
+ return value_len;
+}
+
+static int ksmbd_vfs_stream_read(struct ksmbd_file *fp, char *buf, loff_t *pos,
+ size_t count)
+{
+ ssize_t v_len;
+ char *stream_buf = NULL;
+ int err;
+
+ ksmbd_debug(VFS, "read stream data pos : %llu, count : %zd\n",
+ *pos, count);
+
+ v_len = ksmbd_vfs_getcasexattr(fp->filp->f_path.dentry,
+ fp->stream.name,
+ fp->stream.size,
+ &stream_buf);
+ if (v_len == -ENOENT) {
+ ksmbd_err("not found stream in xattr : %zd\n", v_len);
+ err = -ENOENT;
+ return err;
+ }
+
+ memcpy(buf, &stream_buf[*pos], count);
+ return v_len > count ? count : v_len;
+}
+
+/**
+ * check_lock_range() - vfs helper for smb byte range file locking
+ * @filp: the file to apply the lock to
+ * @start: lock start byte offset
+ * @end: lock end byte offset
+ * @type: byte range type read/write
+ *
+ * Return: 0 on success, otherwise error
+ */
+static int check_lock_range(struct file *filp,
+ loff_t start,
+ loff_t end,
+ unsigned char type)
+{
+ struct file_lock *flock;
+ struct file_lock_context *ctx = file_inode(filp)->i_flctx;
+ int error = 0;
+
+ if (!ctx || list_empty_careful(&ctx->flc_posix))
+ return 0;
+
+ spin_lock(&ctx->flc_lock);
+ list_for_each_entry(flock, &ctx->flc_posix, fl_list) {
+ /* check conflict locks */
+ if (flock->fl_end >= start && end >= flock->fl_start) {
+ if (flock->fl_type == F_RDLCK) {
+ if (type == WRITE) {
+ ksmbd_err("not allow write by shared lock\n");
+ error = 1;
+ goto out;
+ }
+ } else if (flock->fl_type == F_WRLCK) {
+ /* check owner in lock */
+ if (flock->fl_file != filp) {
+ error = 1;
+ ksmbd_err("not allow rw access by exclusive lock from other opens\n");
+ goto out;
+ }
+ }
+ }
+ }
+out:
+ spin_unlock(&ctx->flc_lock);
+ return error;
+}
+
+/**
+ * ksmbd_vfs_read() - vfs helper for smb file read
+ * @work: smb work
+ * @fid: file id of open file
+ * @count: read byte count
+ * @pos: file pos
+ *
+ * Return: number of read bytes on success, otherwise error
+ */
+int ksmbd_vfs_read(struct ksmbd_work *work,
+ struct ksmbd_file *fp,
+ size_t count,
+ loff_t *pos)
+{
+ struct file *filp;
+ ssize_t nbytes = 0;
+ char *rbuf, *name;
+ struct inode *inode;
+ char namebuf[NAME_MAX];
+ int ret;
+
+ rbuf = AUX_PAYLOAD(work);
+ filp = fp->filp;
+ inode = d_inode(filp->f_path.dentry);
+ if (S_ISDIR(inode->i_mode))
+ return -EISDIR;
+
+ if (unlikely(count == 0))
+ return 0;
+
+ if (work->conn->connection_type) {
+ if (!(fp->daccess & (FILE_READ_DATA_LE | FILE_EXECUTE_LE))) {
+ ksmbd_err("no right to read(%s)\n", FP_FILENAME(fp));
+ return -EACCES;
+ }
+ }
+
+ if (ksmbd_stream_fd(fp))
+ return ksmbd_vfs_stream_read(fp, rbuf, pos, count);
+
+ ret = check_lock_range(filp, *pos, *pos + count - 1,
+ READ);
+ if (ret) {
+ ksmbd_err("unable to read due to lock\n");
+ return -EAGAIN;
+ }
+
+ nbytes = kernel_read(filp, rbuf, count, pos);
+ if (nbytes < 0) {
+ name = d_path(&filp->f_path, namebuf, sizeof(namebuf));
+ if (IS_ERR(name))
+ name = "(error)";
+ ksmbd_err("smb read failed for (%s), err = %zd\n",
+ name, nbytes);
+ return nbytes;
+ }
+
+ filp->f_pos = *pos;
+ return nbytes;
+}
+
+static int ksmbd_vfs_stream_write(struct ksmbd_file *fp, char *buf, loff_t *pos,
+ size_t count)
+{
+ char *stream_buf = NULL, *wbuf;
+ size_t size, v_len;
+ int err = 0;
+
+ ksmbd_debug(VFS, "write stream data pos : %llu, count : %zd\n",
+ *pos, count);
+
+ size = *pos + count;
+ if (size > XATTR_SIZE_MAX) {
+ size = XATTR_SIZE_MAX;
+ count = (*pos + count) - XATTR_SIZE_MAX;
+ }
+
+ v_len = ksmbd_vfs_getcasexattr(fp->filp->f_path.dentry,
+ fp->stream.name,
+ fp->stream.size,
+ &stream_buf);
+ if (v_len == -ENOENT) {
+ ksmbd_err("not found stream in xattr : %zd\n", v_len);
+ err = -ENOENT;
+ goto out;
+ }
+
+ if (v_len < size) {
+ wbuf = ksmbd_alloc(size);
+ if (!wbuf) {
+ err = -ENOMEM;
+ goto out;
+ }
+
+ if (v_len > 0)
+ memcpy(wbuf, stream_buf, v_len);
+ stream_buf = wbuf;
+ }
+
+ memcpy(&stream_buf[*pos], buf, count);
+
+ err = ksmbd_vfs_setxattr(fp->filp->f_path.dentry,
+ fp->stream.name,
+ (void *)stream_buf,
+ size,
+ 0);
+ if (err < 0)
+ goto out;
+
+ fp->filp->f_pos = *pos;
+ err = 0;
+out:
+ ksmbd_free(stream_buf);
+ return err;
+}
+
+/**
+ * ksmbd_vfs_write() - vfs helper for smb file write
+ * @work: work
+ * @fid: file id of open file
+ * @buf: buf containing data for writing
+ * @count: read byte count
+ * @pos: file pos
+ * @sync: fsync after write
+ * @written: number of bytes written
+ *
+ * Return: 0 on success, otherwise error
+ */
+int ksmbd_vfs_write(struct ksmbd_work *work, struct ksmbd_file *fp,
+ char *buf, size_t count, loff_t *pos, bool sync, ssize_t *written)
+{
+ struct ksmbd_session *sess = work->sess;
+ struct file *filp;
+ loff_t offset = *pos;
+ int err = 0;
+
+ if (sess->conn->connection_type) {
+ if (!(fp->daccess & FILE_WRITE_DATA_LE)) {
+ ksmbd_err("no right to write(%s)\n", FP_FILENAME(fp));
+ err = -EACCES;
+ goto out;
+ }
+ }
+
+ filp = fp->filp;
+
+ if (ksmbd_stream_fd(fp)) {
+ err = ksmbd_vfs_stream_write(fp, buf, pos, count);
+ if (!err)
+ *written = count;
+ goto out;
+ }
+
+ err = check_lock_range(filp, *pos, *pos + count - 1, WRITE);
+ if (err) {
+ ksmbd_err("unable to write due to lock\n");
+ err = -EAGAIN;
+ goto out;
+ }
+
+ /* Do we need to break any of a levelII oplock? */
+ smb_break_all_levII_oplock(work, fp, 1);
+
+ err = kernel_write(filp, buf, count, pos);
+ if (err < 0) {
+ ksmbd_debug(VFS, "smb write failed, err = %d\n", err);
+ goto out;
+ }
+
+ filp->f_pos = *pos;
+ *written = err;
+ err = 0;
+ if (sync) {
+ err = vfs_fsync_range(filp, offset, offset + *written, 0);
+ if (err < 0)
+ ksmbd_err("fsync failed for filename = %s, err = %d\n",
+ FP_FILENAME(fp), err);
+ }
+
+out:
+ return err;
+}
+
+/**
+ * ksmbd_vfs_getattr() - vfs helper for smb getattr
+ * @work: work
+ * @fid: file id of open file
+ * @attrs: inode attributes
+ *
+ * Return: 0 on success, otherwise error
+ */
+int ksmbd_vfs_getattr(struct path *path, struct kstat *stat)
+{
+ int err;
+
+ err = vfs_getattr(path, stat, STATX_BTIME, AT_STATX_SYNC_AS_STAT);
+ if (err)
+ ksmbd_err("getattr failed, err %d\n", err);
+ return err;
+}
+
+/**
+ * ksmbd_vfs_fsync() - vfs helper for smb fsync
+ * @work: work
+ * @fid: file id of open file
+ *
+ * Return: 0 on success, otherwise error
+ */
+int ksmbd_vfs_fsync(struct ksmbd_work *work, uint64_t fid, uint64_t p_id)
+{
+ struct ksmbd_file *fp;
+ int err;
+
+ fp = ksmbd_lookup_fd_slow(work, fid, p_id);
+ if (!fp) {
+ ksmbd_err("failed to get filp for fid %llu\n", fid);
+ return -ENOENT;
+ }
+ err = vfs_fsync(fp->filp, 0);
+ if (err < 0)
+ ksmbd_err("smb fsync failed, err = %d\n", err);
+ ksmbd_fd_put(work, fp);
+ return err;
+}
+
+/**
+ * ksmbd_vfs_remove_file() - vfs helper for smb rmdir or unlink
+ * @name: absolute directory or file name
+ *
+ * Return: 0 on success, otherwise error
+ */
+int ksmbd_vfs_remove_file(struct ksmbd_work *work, char *name)
+{
+ struct path parent;
+ struct dentry *dir, *dentry;
+ char *last;
+ int err = -ENOENT;
+
+ last = extract_last_component(name);
+ if (!last)
+ return -ENOENT;
+
+ if (ksmbd_override_fsids(work))
+ return -ENOMEM;
+
+ err = kern_path(name, LOOKUP_FOLLOW | LOOKUP_DIRECTORY, &parent);
+ if (err) {
+ ksmbd_debug(VFS, "can't get %s, err %d\n", name, err);
+ ksmbd_revert_fsids(work);
+ rollback_path_modification(last);
+ return err;
+ }
+
+ dir = parent.dentry;
+ if (!d_inode(dir))
+ goto out;
+
+ inode_lock_nested(d_inode(dir), I_MUTEX_PARENT);
+ dentry = lookup_one_len(last, dir, strlen(last));
+ if (IS_ERR(dentry)) {
+ err = PTR_ERR(dentry);
+ ksmbd_debug(VFS, "%s: lookup failed, err %d\n", last, err);
+ goto out_err;
+ }
+
+ if (!d_inode(dentry) || !d_inode(dentry)->i_nlink) {
+ dput(dentry);
+ err = -ENOENT;
+ goto out_err;
+ }
+
+ if (S_ISDIR(d_inode(dentry)->i_mode)) {
+ err = vfs_rmdir(&init_user_ns, d_inode(dir), dentry);
+ if (err && err != -ENOTEMPTY)
+ ksmbd_debug(VFS, "%s: rmdir failed, err %d\n", name,
+ err);
+ } else {
+ err = vfs_unlink(&init_user_ns, d_inode(dir), dentry, NULL);
+ if (err)
+ ksmbd_debug(VFS, "%s: unlink failed, err %d\n", name,
+ err);
+ }
+
+ dput(dentry);
+out_err:
+ inode_unlock(d_inode(dir));
+out:
+ rollback_path_modification(last);
+ path_put(&parent);
+ ksmbd_revert_fsids(work);
+ return err;
+}
+
+/**
+ * ksmbd_vfs_link() - vfs helper for creating smb hardlink
+ * @oldname: source file name
+ * @newname: hardlink name
+ *
+ * Return: 0 on success, otherwise error
+ */
+int ksmbd_vfs_link(struct ksmbd_work *work,
+ const char *oldname, const char *newname)
+{
+ struct path oldpath, newpath;
+ struct dentry *dentry;
+ int err;
+
+ if (ksmbd_override_fsids(work))
+ return -ENOMEM;
+
+ err = kern_path(oldname, LOOKUP_FOLLOW, &oldpath);
+ if (err) {
+ ksmbd_err("cannot get linux path for %s, err = %d\n",
+ oldname, err);
+ goto out1;
+ }
+
+ dentry = kern_path_create(AT_FDCWD, newname, &newpath,
+ LOOKUP_FOLLOW | LOOKUP_REVAL);
+ if (IS_ERR(dentry)) {
+ err = PTR_ERR(dentry);
+ ksmbd_err("path create err for %s, err %d\n", newname, err);
+ goto out2;
+ }
+
+ err = -EXDEV;
+ if (oldpath.mnt != newpath.mnt) {
+ ksmbd_err("vfs_link failed err %d\n", err);
+ goto out3;
+ }
+
+ err = vfs_link(oldpath.dentry, &init_user_ns, d_inode(newpath.dentry),
+ dentry, NULL);
+ if (err)
+ ksmbd_debug(VFS, "vfs_link failed err %d\n", err);
+
+out3:
+ done_path_create(&newpath, dentry);
+out2:
+ path_put(&oldpath);
+out1:
+ ksmbd_revert_fsids(work);
+ return err;
+}
+
+static int __ksmbd_vfs_rename(struct ksmbd_work *work,
+ struct dentry *src_dent_parent,
+ struct dentry *src_dent,
+ struct dentry *dst_dent_parent,
+ struct dentry *trap_dent,
+ char *dst_name)
+{
+ struct dentry *dst_dent;
+ int err;
+
+ spin_lock(&src_dent->d_lock);
+ list_for_each_entry(dst_dent, &src_dent->d_subdirs, d_child) {
+ struct ksmbd_file *child_fp;
+
+ if (d_really_is_negative(dst_dent))
+ continue;
+
+ child_fp = ksmbd_lookup_fd_inode(d_inode(dst_dent));
+ if (child_fp) {
+ spin_unlock(&src_dent->d_lock);
+ ksmbd_debug(VFS, "Forbid rename, sub file/dir is in use\n");
+ return -EACCES;
+ }
+ }
+ spin_unlock(&src_dent->d_lock);
+
+ if (d_really_is_negative(src_dent_parent))
+ return -ENOENT;
+ if (d_really_is_negative(dst_dent_parent))
+ return -ENOENT;
+ if (d_really_is_negative(src_dent))
+ return -ENOENT;
+ if (src_dent == trap_dent)
+ return -EINVAL;
+
+ if (ksmbd_override_fsids(work))
+ return -ENOMEM;
+
+ dst_dent = lookup_one_len(dst_name, dst_dent_parent, strlen(dst_name));
+ err = PTR_ERR(dst_dent);
+ if (IS_ERR(dst_dent)) {
+ ksmbd_err("lookup failed %s [%d]\n", dst_name, err);
+ goto out;
+ }
+
+ err = -ENOTEMPTY;
+ if (dst_dent != trap_dent && !d_really_is_positive(dst_dent)) {
+ struct renamedata rd = {
+ .old_mnt_userns = &init_user_ns,
+ .old_dir = d_inode(src_dent_parent),
+ .old_dentry = src_dent,
+ .new_mnt_userns = &init_user_ns,
+ .new_dir = d_inode(dst_dent_parent),
+ .new_dentry = dst_dent,
+ };
+ err = vfs_rename(&rd);
+ }
+ if (err)
+ ksmbd_err("vfs_rename failed err %d\n", err);
+ if (dst_dent)
+ dput(dst_dent);
+out:
+ ksmbd_revert_fsids(work);
+ return err;
+}
+
+int ksmbd_vfs_fp_rename(struct ksmbd_work *work, struct ksmbd_file *fp,
+ char *newname)
+{
+ struct path dst_path;
+ struct dentry *src_dent_parent, *dst_dent_parent;
+ struct dentry *src_dent, *trap_dent;
+ char *dst_name;
+ int err;
+
+ dst_name = extract_last_component(newname);
+ if (!dst_name)
+ return -EINVAL;
+
+ src_dent_parent = dget_parent(fp->filp->f_path.dentry);
+ if (!src_dent_parent)
+ return -EINVAL;
+
+ src_dent = fp->filp->f_path.dentry;
+ dget(src_dent);
+
+ err = kern_path(newname, LOOKUP_FOLLOW | LOOKUP_DIRECTORY, &dst_path);
+ if (err) {
+ ksmbd_debug(VFS, "Cannot get path for %s [%d]\n", newname, err);
+ goto out;
+ }
+ dst_dent_parent = dst_path.dentry;
+ dget(dst_dent_parent);
+
+ trap_dent = lock_rename(src_dent_parent, dst_dent_parent);
+ err = __ksmbd_vfs_rename(work,
+ src_dent_parent,
+ src_dent,
+ dst_dent_parent,
+ trap_dent,
+ dst_name);
+ unlock_rename(src_dent_parent, dst_dent_parent);
+ dput(dst_dent_parent);
+ path_put(&dst_path);
+out:
+ dput(src_dent);
+ dput(src_dent_parent);
+ return err;
+}
+
+/**
+ * ksmbd_vfs_truncate() - vfs helper for smb file truncate
+ * @work: work
+ * @name: old filename
+ * @fid: file id of old file
+ * @size: truncate to given size
+ *
+ * Return: 0 on success, otherwise error
+ */
+int ksmbd_vfs_truncate(struct ksmbd_work *work, const char *name,
+ struct ksmbd_file *fp, loff_t size)
+{
+ struct path path;
+ int err = 0;
+ struct inode *inode;
+
+ if (name) {
+ err = kern_path(name, 0, &path);
+ if (err) {
+ ksmbd_err("cannot get linux path for %s, err %d\n",
+ name, err);
+ return err;
+ }
+ err = vfs_truncate(&path, size);
+ if (err)
+ ksmbd_err("truncate failed for %s err %d\n",
+ name, err);
+ path_put(&path);
+ } else {
+ struct file *filp;
+
+ filp = fp->filp;
+
+ /* Do we need to break any of a levelII oplock? */
+ smb_break_all_levII_oplock(work, fp, 1);
+
+ inode = file_inode(filp);
+ if (size < inode->i_size) {
+ err = check_lock_range(filp, size,
+ inode->i_size - 1, WRITE);
+ } else {
+ err = check_lock_range(filp, inode->i_size,
+ size - 1, WRITE);
+ }
+
+ if (err) {
+ ksmbd_err("failed due to lock\n");
+ return -EAGAIN;
+ }
+
+ err = vfs_truncate(&filp->f_path, size);
+ if (err)
+ ksmbd_err("truncate failed for filename : %s err %d\n",
+ fp->filename, err);
+ }
+
+ return err;
+}
+
+/**
+ * ksmbd_vfs_listxattr() - vfs helper for smb list extended attributes
+ * @dentry: dentry of file for listing xattrs
+ * @list: destination buffer
+ * @size: destination buffer length
+ *
+ * Return: xattr list length on success, otherwise error
+ */
+ssize_t ksmbd_vfs_listxattr(struct dentry *dentry, char **list)
+{
+ ssize_t size;
+ char *vlist = NULL;
+
+ size = vfs_listxattr(dentry, NULL, 0);
+ if (size <= 0)
+ return size;
+
+ vlist = ksmbd_alloc(size);
+ if (!vlist)
+ return -ENOMEM;
+
+ *list = vlist;
+ size = vfs_listxattr(dentry, vlist, size);
+ if (size < 0) {
+ ksmbd_debug(VFS, "listxattr failed\n");
+ ksmbd_vfs_xattr_free(vlist);
+ *list = NULL;
+ }
+
+ return size;
+}
+
+static ssize_t ksmbd_vfs_xattr_len(struct dentry *dentry,
+ char *xattr_name)
+{
+ return vfs_getxattr(&init_user_ns, dentry, xattr_name, NULL, 0);
+}
+
+/**
+ * ksmbd_vfs_getxattr() - vfs helper for smb get extended attributes value
+ * @dentry: dentry of file for getting xattrs
+ * @xattr_name: name of xattr name to query
+ * @xattr_buf: destination buffer xattr value
+ *
+ * Return: read xattr value length on success, otherwise error
+ */
+ssize_t ksmbd_vfs_getxattr(struct dentry *dentry,
+ char *xattr_name,
+ char **xattr_buf)
+{
+ ssize_t xattr_len;
+ char *buf;
+
+ *xattr_buf = NULL;
+ xattr_len = ksmbd_vfs_xattr_len(dentry, xattr_name);
+ if (xattr_len < 0)
+ return xattr_len;
+
+ buf = kmalloc(xattr_len + 1, GFP_KERNEL);
+ if (!buf)
+ return -ENOMEM;
+
+ xattr_len = vfs_getxattr(&init_user_ns, dentry, xattr_name, (void *)buf,
+ xattr_len);
+ if (xattr_len > 0)
+ *xattr_buf = buf;
+ else
+ kfree(buf);
+ return xattr_len;
+}
+
+/**
+ * ksmbd_vfs_setxattr() - vfs helper for smb set extended attributes value
+ * @dentry: dentry to set XATTR at
+ * @name: xattr name for setxattr
+ * @value: xattr value to set
+ * @size: size of xattr value
+ * @flags: destination buffer length
+ *
+ * Return: 0 on success, otherwise error
+ */
+int ksmbd_vfs_setxattr(struct dentry *dentry,
+ const char *attr_name,
+ const void *attr_value,
+ size_t attr_size,
+ int flags)
+{
+ int err;
+
+ err = vfs_setxattr(&init_user_ns, dentry,
+ attr_name,
+ attr_value,
+ attr_size,
+ flags);
+ if (err)
+ ksmbd_debug(VFS, "setxattr failed, err %d\n", err);
+ return err;
+}
+
+/**
+ * ksmbd_vfs_set_fadvise() - convert smb IO caching options to linux options
+ * @filp: file pointer for IO
+ * @options: smb IO options
+ */
+void ksmbd_vfs_set_fadvise(struct file *filp, __le32 option)
+{
+ struct address_space *mapping;
+
+ mapping = filp->f_mapping;
+
+ if (!option || !mapping)
+ return;
+
+ if (option & FILE_WRITE_THROUGH_LE)
+ filp->f_flags |= O_SYNC;
+ else if (option & FILE_SEQUENTIAL_ONLY_LE) {
+ filp->f_ra.ra_pages = inode_to_bdi(mapping->host)->ra_pages * 2;
+ spin_lock(&filp->f_lock);
+ filp->f_mode &= ~FMODE_RANDOM;
+ spin_unlock(&filp->f_lock);
+ } else if (option & FILE_RANDOM_ACCESS_LE) {
+ spin_lock(&filp->f_lock);
+ filp->f_mode |= FMODE_RANDOM;
+ spin_unlock(&filp->f_lock);
+ }
+}
+
+/**
+ * ksmbd_vfs_lock() - vfs helper for smb file locking
+ * @filp: the file to apply the lock to
+ * @cmd: type of locking operation (F_SETLK, F_GETLK, etc.)
+ * @flock: The lock to be applied
+ *
+ * Return: 0 on success, otherwise error
+ */
+int ksmbd_vfs_lock(struct file *filp, int cmd,
+ struct file_lock *flock)
+{
+ ksmbd_debug(VFS, "calling vfs_lock_file\n");
+ return vfs_lock_file(filp, cmd, flock, NULL);
+}
+
+int ksmbd_vfs_readdir(struct file *file, struct ksmbd_readdir_data *rdata)
+{
+ return iterate_dir(file, &rdata->ctx);
+}
+
+int ksmbd_vfs_alloc_size(struct ksmbd_work *work,
+ struct ksmbd_file *fp,
+ loff_t len)
+{
+ smb_break_all_levII_oplock(work, fp, 1);
+ return vfs_fallocate(fp->filp, FALLOC_FL_KEEP_SIZE, 0, len);
+}
+
+int ksmbd_vfs_zero_data(struct ksmbd_work *work,
+ struct ksmbd_file *fp,
+ loff_t off,
+ loff_t len)
+{
+ smb_break_all_levII_oplock(work, fp, 1);
+ if (fp->f_ci->m_fattr & ATTR_SPARSE_FILE_LE)
+ return vfs_fallocate(fp->filp,
+ FALLOC_FL_PUNCH_HOLE | FALLOC_FL_KEEP_SIZE, off, len);
+
+ return vfs_fallocate(fp->filp, FALLOC_FL_ZERO_RANGE, off, len);
+}
+
+int ksmbd_vfs_fqar_lseek(struct ksmbd_file *fp, loff_t start, loff_t length,
+ struct file_allocated_range_buffer *ranges,
+ int in_count, int *out_count)
+{
+ struct file *f = fp->filp;
+ struct inode *inode = FP_INODE(fp);
+ loff_t maxbytes = (u64)inode->i_sb->s_maxbytes, end;
+ loff_t extent_start, extent_end;
+ int ret = 0;
+
+ if (start > maxbytes)
+ return -EFBIG;
+
+ if (!in_count)
+ return 0;
+
+ /*
+ * Shrink request scope to what the fs can actually handle.
+ */
+ if (length > maxbytes || (maxbytes - length) < start)
+ length = maxbytes - start;
+
+ if (start + length > inode->i_size)
+ length = inode->i_size - start;
+
+ *out_count = 0;
+ end = start + length;
+ while (start < end && *out_count < in_count) {
+ extent_start = f->f_op->llseek(f, start, SEEK_DATA);
+ if (extent_start < 0) {
+ if (extent_start != -ENXIO)
+ ret = (int)extent_start;
+ break;
+ }
+
+ if (extent_start >= end)
+ break;
+
+ extent_end = f->f_op->llseek(f, extent_start, SEEK_HOLE);
+ if (extent_end < 0) {
+ if (extent_end != -ENXIO)
+ ret = (int)extent_end;
+ break;
+ } else if (extent_start >= extent_end)
+ break;
+
+ ranges[*out_count].file_offset = cpu_to_le64(extent_start);
+ ranges[(*out_count)++].length =
+ cpu_to_le64(min(extent_end, end) - extent_start);
+
+ start = extent_end;
+ }
+
+ return ret;
+}
+
+int ksmbd_vfs_remove_xattr(struct dentry *dentry, char *attr_name)
+{
+ return vfs_removexattr(&init_user_ns, dentry, attr_name);
+}
+
+void ksmbd_vfs_xattr_free(char *xattr)
+{
+ ksmbd_free(xattr);
+}
+
+int ksmbd_vfs_unlink(struct dentry *dir, struct dentry *dentry)
+{
+ int err = 0;
+
+ dget(dentry);
+ inode_lock_nested(d_inode(dir), I_MUTEX_PARENT);
+ if (!d_inode(dentry) || !d_inode(dentry)->i_nlink) {
+ err = -ENOENT;
+ goto out;
+ }
+
+ if (S_ISDIR(d_inode(dentry)->i_mode))
+ err = vfs_rmdir(&init_user_ns, d_inode(dir), dentry);
+ else
+ err = vfs_unlink(&init_user_ns, d_inode(dir), dentry, NULL);
+
+out:
+ inode_unlock(d_inode(dir));
+ dput(dentry);
+ if (err)
+ ksmbd_debug(VFS, "failed to delete, err %d\n", err);
+
+ return err;
+}
+
+/*
+ * ksmbd_vfs_get_logical_sector_size() - get logical sector size from inode
+ * @inode: inode
+ *
+ * Return: logical sector size
+ */
+unsigned short ksmbd_vfs_logical_sector_size(struct inode *inode)
+{
+ struct request_queue *q;
+ unsigned short ret_val = 512;
+
+ if (!inode->i_sb->s_bdev)
+ return ret_val;
+
+ q = inode->i_sb->s_bdev->bd_disk->queue;
+
+ if (q && q->limits.logical_block_size)
+ ret_val = q->limits.logical_block_size;
+
+ return ret_val;
+}
+
+/*
+ * ksmbd_vfs_get_smb2_sector_size() - get fs sector sizes
+ * @inode: inode
+ * @fs_ss: fs sector size struct
+ */
+void ksmbd_vfs_smb2_sector_size(struct inode *inode,
+ struct ksmbd_fs_sector_size *fs_ss)
+{
+ struct request_queue *q;
+
+ fs_ss->logical_sector_size = 512;
+ fs_ss->physical_sector_size = 512;
+ fs_ss->optimal_io_size = 512;
+
+ if (!inode->i_sb->s_bdev)
+ return;
+
+ q = inode->i_sb->s_bdev->bd_disk->queue;
+
+ if (q) {
+ if (q->limits.logical_block_size)
+ fs_ss->logical_sector_size =
+ q->limits.logical_block_size;
+ if (q->limits.physical_block_size)
+ fs_ss->physical_sector_size =
+ q->limits.physical_block_size;
+ if (q->limits.io_opt)
+ fs_ss->optimal_io_size = q->limits.io_opt;
+ }
+}
+
+static int __dir_empty(struct dir_context *ctx,
+ const char *name,
+ int namlen,
+ loff_t offset,
+ u64 ino,
+ unsigned int d_type)
+{
+ struct ksmbd_readdir_data *buf;
+
+ buf = container_of(ctx, struct ksmbd_readdir_data, ctx);
+ buf->dirent_count++;
+
+ if (buf->dirent_count > 2)
+ return -ENOTEMPTY;
+ return 0;
+}
+
+/**
+ * ksmbd_vfs_empty_dir() - check for empty directory
+ * @fp: ksmbd file pointer
+ *
+ * Return: true if directory empty, otherwise false
+ */
+int ksmbd_vfs_empty_dir(struct ksmbd_file *fp)
+{
+ int err;
+ struct ksmbd_readdir_data readdir_data;
+
+ memset(&readdir_data, 0, sizeof(struct ksmbd_readdir_data));
+
+ set_ctx_actor(&readdir_data.ctx, __dir_empty);
+ readdir_data.dirent_count = 0;
+
+ err = ksmbd_vfs_readdir(fp->filp, &readdir_data);
+ if (readdir_data.dirent_count > 2)
+ err = -ENOTEMPTY;
+ else
+ err = 0;
+ return err;
+}
+
+static int __caseless_lookup(struct dir_context *ctx,
+ const char *name,
+ int namlen,
+ loff_t offset,
+ u64 ino,
+ unsigned int d_type)
+{
+ struct ksmbd_readdir_data *buf;
+
+ buf = container_of(ctx, struct ksmbd_readdir_data, ctx);
+
+ if (buf->used != namlen)
+ return 0;
+ if (!strncasecmp((char *)buf->private, name, namlen)) {
+ memcpy((char *)buf->private, name, namlen);
+ buf->dirent_count = 1;
+ return -EEXIST;
+ }
+ return 0;
+}
+
+/**
+ * ksmbd_vfs_lookup_in_dir() - lookup a file in a directory
+ * @dirname: directory name
+ * @filename: filename to lookup
+ *
+ * Return: 0 on success, otherwise error
+ */
+static int ksmbd_vfs_lookup_in_dir(char *dirname, char *filename)
+{
+ struct path dir_path;
+ int ret;
+ struct file *dfilp;
+ int flags = O_RDONLY|O_LARGEFILE;
+ int dirnamelen = strlen(dirname);
+ struct ksmbd_readdir_data readdir_data = {
+ .ctx.actor = __caseless_lookup,
+ .private = filename,
+ .used = strlen(filename),
+ };
+
+ ret = ksmbd_vfs_kern_path(dirname, 0, &dir_path, true);
+ if (ret)
+ goto error;
+
+ dfilp = dentry_open(&dir_path, flags, current_cred());
+ if (IS_ERR(dfilp)) {
+ path_put(&dir_path);
+ ksmbd_err("cannot open directory %s\n", dirname);
+ ret = -EINVAL;
+ goto error;
+ }
+
+ ret = ksmbd_vfs_readdir(dfilp, &readdir_data);
+ if (readdir_data.dirent_count > 0)
+ ret = 0;
+
+ fput(dfilp);
+ path_put(&dir_path);
+error:
+ dirname[dirnamelen] = '/';
+ return ret;
+}
+
+/**
+ * ksmbd_vfs_kern_path() - lookup a file and get path info
+ * @name: name of file for lookup
+ * @flags: lookup flags
+ * @path: if lookup succeed, return path info
+ * @caseless: caseless filename lookup
+ *
+ * Return: 0 on success, otherwise error
+ */
+int ksmbd_vfs_kern_path(char *name, unsigned int flags, struct path *path,
+ bool caseless)
+{
+ char *filename = NULL;
+ int err;
+
+ err = kern_path(name, flags, path);
+ if (!err)
+ return err;
+
+ if (caseless) {
+ filename = extract_last_component(name);
+ if (!filename)
+ goto out;
+
+ /* root reached */
+ if (strlen(name) == 0)
+ goto out;
+
+ err = ksmbd_vfs_lookup_in_dir(name, filename);
+ if (err)
+ goto out;
+ err = kern_path(name, flags, path);
+ }
+
+out:
+ rollback_path_modification(filename);
+ return err;
+}
+
+int ksmbd_vfs_remove_acl_xattrs(struct dentry *dentry)
+{
+ char *name, *xattr_list = NULL;
+ ssize_t xattr_list_len;
+ int err = 0;
+
+ xattr_list_len = ksmbd_vfs_listxattr(dentry, &xattr_list);
+ if (xattr_list_len < 0) {
+ goto out;
+ } else if (!xattr_list_len) {
+ ksmbd_debug(SMB, "empty xattr in the file\n");
+ goto out;
+ }
+
+ for (name = xattr_list; name - xattr_list < xattr_list_len;
+ name += strlen(name) + 1) {
+ ksmbd_debug(SMB, "%s, len %zd\n", name, strlen(name));
+
+ if (!strncmp(name, XATTR_NAME_POSIX_ACL_ACCESS,
+ sizeof(XATTR_NAME_POSIX_ACL_ACCESS)-1) ||
+ !strncmp(name, XATTR_NAME_POSIX_ACL_DEFAULT,
+ sizeof(XATTR_NAME_POSIX_ACL_DEFAULT)-1)) {
+ err = ksmbd_vfs_remove_xattr(dentry, name);
+ if (err)
+ ksmbd_debug(SMB,
+ "remove acl xattr failed : %s\n", name);
+ }
+ }
+out:
+ ksmbd_vfs_xattr_free(xattr_list);
+ return err;
+}
+
+int ksmbd_vfs_remove_sd_xattrs(struct dentry *dentry)
+{
+ char *name, *xattr_list = NULL;
+ ssize_t xattr_list_len;
+ int err = 0;
+
+ xattr_list_len = ksmbd_vfs_listxattr(dentry, &xattr_list);
+ if (xattr_list_len < 0) {
+ goto out;
+ } else if (!xattr_list_len) {
+ ksmbd_debug(SMB, "empty xattr in the file\n");
+ goto out;
+ }
+
+ for (name = xattr_list; name - xattr_list < xattr_list_len;
+ name += strlen(name) + 1) {
+ ksmbd_debug(SMB, "%s, len %zd\n", name, strlen(name));
+
+ if (!strncmp(name, XATTR_NAME_SD, XATTR_NAME_SD_LEN)) {
+ err = ksmbd_vfs_remove_xattr(dentry, name);
+ if (err)
+ ksmbd_debug(SMB, "remove xattr failed : %s\n", name);
+ }
+ }
+out:
+ ksmbd_vfs_xattr_free(xattr_list);
+ return err;
+}
+
+static struct xattr_smb_acl *ksmbd_vfs_make_xattr_posix_acl(struct inode *inode,
+ int acl_type)
+{
+ struct xattr_smb_acl *smb_acl = NULL;
+ struct posix_acl *posix_acls;
+ struct posix_acl_entry *pa_entry;
+ struct xattr_acl_entry *xa_entry;
+ int i;
+
+ posix_acls = ksmbd_vfs_get_acl(inode, acl_type);
+ if (!posix_acls)
+ return NULL;
+
+ smb_acl = kzalloc(sizeof(struct xattr_smb_acl) +
+ sizeof(struct xattr_acl_entry) * posix_acls->a_count,
+ GFP_KERNEL);
+ if (!smb_acl)
+ goto out;
+
+ smb_acl->count = posix_acls->a_count;
+ pa_entry = posix_acls->a_entries;
+ xa_entry = smb_acl->entries;
+ for (i = 0; i < posix_acls->a_count; i++, pa_entry++, xa_entry++) {
+ switch (pa_entry->e_tag) {
+ case ACL_USER:
+ xa_entry->type = SMB_ACL_USER;
+ xa_entry->uid = from_kuid(&init_user_ns, pa_entry->e_uid);
+ break;
+ case ACL_USER_OBJ:
+ xa_entry->type = SMB_ACL_USER_OBJ;
+ break;
+ case ACL_GROUP:
+ xa_entry->type = SMB_ACL_GROUP;
+ xa_entry->gid = from_kgid(&init_user_ns, pa_entry->e_gid);
+ break;
+ case ACL_GROUP_OBJ:
+ xa_entry->type = SMB_ACL_GROUP_OBJ;
+ break;
+ case ACL_OTHER:
+ xa_entry->type = SMB_ACL_OTHER;
+ break;
+ case ACL_MASK:
+ xa_entry->type = SMB_ACL_MASK;
+ break;
+ default:
+ ksmbd_err("unknown type : 0x%x\n", pa_entry->e_tag);
+ goto out;
+ }
+
+ if (pa_entry->e_perm & ACL_READ)
+ xa_entry->perm |= SMB_ACL_READ;
+ if (pa_entry->e_perm & ACL_WRITE)
+ xa_entry->perm |= SMB_ACL_WRITE;
+ if (pa_entry->e_perm & ACL_EXECUTE)
+ xa_entry->perm |= SMB_ACL_EXECUTE;
+ }
+out:
+ posix_acl_release(posix_acls);
+ return smb_acl;
+}
+
+int ksmbd_vfs_set_sd_xattr(struct ksmbd_conn *conn, struct dentry *dentry,
+ struct smb_ntsd *pntsd, int len)
+{
+ int rc;
+ struct ndr sd_ndr = {0}, acl_ndr = {0};
+ struct xattr_ntacl acl = {0};
+ struct xattr_smb_acl *smb_acl, *def_smb_acl = NULL;
+ struct inode *inode = dentry->d_inode;
+
+ acl.version = 4;
+ acl.hash_type = XATTR_SD_HASH_TYPE_SHA256;
+ acl.current_time = ksmbd_UnixTimeToNT(current_time(dentry->d_inode));
+
+ memcpy(acl.desc, "posix_acl", 9);
+ acl.desc_len = 10;
+
+ pntsd->osidoffset =
+ cpu_to_le32(le32_to_cpu(pntsd->osidoffset) + NDR_NTSD_OFFSETOF);
+ pntsd->gsidoffset =
+ cpu_to_le32(le32_to_cpu(pntsd->gsidoffset) + NDR_NTSD_OFFSETOF);
+ pntsd->dacloffset =
+ cpu_to_le32(le32_to_cpu(pntsd->dacloffset) + NDR_NTSD_OFFSETOF);
+
+ acl.sd_buf = (char *)pntsd;
+ acl.sd_size = len;
+
+ rc = ksmbd_gen_sd_hash(conn, acl.sd_buf, acl.sd_size, acl.hash);
+ if (rc) {
+ ksmbd_err("failed to generate hash for ndr acl\n");
+ return rc;
+ }
+
+ smb_acl = ksmbd_vfs_make_xattr_posix_acl(dentry->d_inode, ACL_TYPE_ACCESS);
+ if (S_ISDIR(inode->i_mode))
+ def_smb_acl = ksmbd_vfs_make_xattr_posix_acl(dentry->d_inode,
+ ACL_TYPE_DEFAULT);
+
+ rc = ndr_encode_posix_acl(&acl_ndr, inode, smb_acl, def_smb_acl);
+ if (rc) {
+ ksmbd_err("failed to encode ndr to posix acl\n");
+ goto out;
+ }
+
+ rc = ksmbd_gen_sd_hash(conn, acl_ndr.data, acl_ndr.offset,
+ acl.posix_acl_hash);
+ if (rc) {
+ ksmbd_err("failed to generate hash for ndr acl\n");
+ goto out;
+ }
+
+ rc = ndr_encode_v4_ntacl(&sd_ndr, &acl);
+ if (rc) {
+ ksmbd_err("failed to encode ndr to posix acl\n");
+ goto out;
+ }
+
+ rc = ksmbd_vfs_setxattr(dentry, XATTR_NAME_SD, sd_ndr.data,
+ sd_ndr.offset, 0);
+ if (rc < 0)
+ ksmbd_err("Failed to store XATTR ntacl :%d\n", rc);
+
+ kfree(sd_ndr.data);
+out:
+ kfree(acl_ndr.data);
+ kfree(smb_acl);
+ kfree(def_smb_acl);
+ return rc;
+}
+
+int ksmbd_vfs_get_sd_xattr(struct ksmbd_conn *conn, struct dentry *dentry,
+ struct smb_ntsd **pntsd)
+{
+ int rc;
+ struct ndr n;
+
+ rc = ksmbd_vfs_getxattr(dentry, XATTR_NAME_SD, &n.data);
+ if (rc > 0) {
+ struct inode *inode = dentry->d_inode;
+ struct ndr acl_ndr = {0};
+ struct xattr_ntacl acl;
+ struct xattr_smb_acl *smb_acl = NULL, *def_smb_acl = NULL;
+ __u8 cmp_hash[XATTR_SD_HASH_SIZE] = {0};
+
+ n.length = rc;
+ rc = ndr_decode_v4_ntacl(&n, &acl);
+ if (rc)
+ return rc;
+
+ smb_acl = ksmbd_vfs_make_xattr_posix_acl(inode,
+ ACL_TYPE_ACCESS);
+ if (S_ISDIR(inode->i_mode))
+ def_smb_acl = ksmbd_vfs_make_xattr_posix_acl(inode,
+ ACL_TYPE_DEFAULT);
+
+ rc = ndr_encode_posix_acl(&acl_ndr, inode, smb_acl, def_smb_acl);
+ if (rc) {
+ ksmbd_err("failed to encode ndr to posix acl\n");
+ goto out;
+ }
+
+ rc = ksmbd_gen_sd_hash(conn, acl_ndr.data, acl_ndr.offset,
+ cmp_hash);
+ if (rc) {
+ ksmbd_err("failed to generate hash for ndr acl\n");
+ goto out;
+ }
+
+ if (memcmp(cmp_hash, acl.posix_acl_hash, XATTR_SD_HASH_SIZE)) {
+ ksmbd_err("hash value diff\n");
+ rc = -EINVAL;
+ goto out;
+ }
+
+ *pntsd = acl.sd_buf;
+ (*pntsd)->osidoffset =
+ cpu_to_le32(le32_to_cpu((*pntsd)->osidoffset) - NDR_NTSD_OFFSETOF);
+ (*pntsd)->gsidoffset =
+ cpu_to_le32(le32_to_cpu((*pntsd)->gsidoffset) - NDR_NTSD_OFFSETOF);
+ (*pntsd)->dacloffset =
+ cpu_to_le32(le32_to_cpu((*pntsd)->dacloffset) - NDR_NTSD_OFFSETOF);
+
+ rc = acl.sd_size;
+out:
+ kfree(n.data);
+ kfree(acl_ndr.data);
+ kfree(smb_acl);
+ kfree(def_smb_acl);
+ }
+
+ return rc;
+}
+
+int ksmbd_vfs_set_dos_attrib_xattr(struct dentry *dentry,
+ struct xattr_dos_attrib *da)
+{
+ struct ndr n;
+ int err;
+
+ err = ndr_encode_dos_attr(&n, da);
+ if (err)
+ return err;
+
+ err = ksmbd_vfs_setxattr(dentry,
+ XATTR_NAME_DOS_ATTRIBUTE,
+ (void *)n.data,
+ n.offset,
+ 0);
+ if (err)
+ ksmbd_debug(SMB, "failed to store dos attribute in xattr\n");
+ kfree(n.data);
+
+ return err;
+}
+
+int ksmbd_vfs_get_dos_attrib_xattr(struct dentry *dentry,
+ struct xattr_dos_attrib *da)
+{
+ struct ndr n;
+ int err;
+
+ err = ksmbd_vfs_getxattr(dentry,
+ XATTR_NAME_DOS_ATTRIBUTE,
+ (char **)&n.data);
+ if (err > 0) {
+ n.length = err;
+ if (ndr_decode_dos_attr(&n, da))
+ err = -EINVAL;
+ ksmbd_free(n.data);
+ } else
+ ksmbd_debug(SMB, "failed to load dos attribute in xattr\n");
+
+ return err;
+}
+
+struct posix_acl *ksmbd_vfs_posix_acl_alloc(int count, gfp_t flags)
+{
+#if IS_ENABLED(CONFIG_FS_POSIX_ACL)
+ return posix_acl_alloc(count, flags);
+#else
+ return NULL;
+#endif
+}
+
+struct posix_acl *ksmbd_vfs_get_acl(struct inode *inode, int type)
+{
+#if IS_ENABLED(CONFIG_FS_POSIX_ACL)
+ return get_acl(inode, type);
+#else
+ return NULL;
+#endif
+}
+
+int ksmbd_vfs_set_posix_acl(struct inode *inode, int type,
+ struct posix_acl *acl)
+{
+#if IS_ENABLED(CONFIG_FS_POSIX_ACL)
+ return set_posix_acl(&init_user_ns, inode, type, acl);
+#else
+ return -EOPNOTSUPP;
+#endif
+}
+
+/**
+ * ksmbd_vfs_init_kstat() - convert unix stat information to smb stat format
+ * @p: destination buffer
+ * @ksmbd_kstat: ksmbd kstat wrapper
+ */
+void *ksmbd_vfs_init_kstat(char **p, struct ksmbd_kstat *ksmbd_kstat)
+{
+ struct file_directory_info *info = (struct file_directory_info *)(*p);
+ struct kstat *kstat = ksmbd_kstat->kstat;
+ u64 time;
+
+ info->FileIndex = 0;
+ info->CreationTime = cpu_to_le64(ksmbd_kstat->create_time);
+ time = ksmbd_UnixTimeToNT(kstat->atime);
+ info->LastAccessTime = cpu_to_le64(time);
+ time = ksmbd_UnixTimeToNT(kstat->mtime);
+ info->LastWriteTime = cpu_to_le64(time);
+ time = ksmbd_UnixTimeToNT(kstat->ctime);
+ info->ChangeTime = cpu_to_le64(time);
+
+ if (ksmbd_kstat->file_attributes & ATTR_DIRECTORY_LE) {
+ info->EndOfFile = 0;
+ info->AllocationSize = 0;
+ } else {
+ info->EndOfFile = cpu_to_le64(kstat->size);
+ info->AllocationSize = cpu_to_le64(kstat->blocks << 9);
+ }
+ info->ExtFileAttributes = ksmbd_kstat->file_attributes;
+
+ return info;
+}
+
+int ksmbd_vfs_fill_dentry_attrs(struct ksmbd_work *work,
+ struct dentry *dentry,
+ struct ksmbd_kstat *ksmbd_kstat)
+{
+ u64 time;
+ int rc;
+
+ generic_fillattr(&init_user_ns, d_inode(dentry), ksmbd_kstat->kstat);
+
+ time = ksmbd_UnixTimeToNT(ksmbd_kstat->kstat->ctime);
+ ksmbd_kstat->create_time = time;
+
+ /*
+ * set default value for the case that store dos attributes is not yes
+ * or that acl is disable in server's filesystem and the config is yes.
+ */
+ if (S_ISDIR(ksmbd_kstat->kstat->mode))
+ ksmbd_kstat->file_attributes = ATTR_DIRECTORY_LE;
+ else
+ ksmbd_kstat->file_attributes = ATTR_ARCHIVE_LE;
+
+ if (test_share_config_flag(work->tcon->share_conf,
+ KSMBD_SHARE_FLAG_STORE_DOS_ATTRS)) {
+ struct xattr_dos_attrib da;
+
+ rc = ksmbd_vfs_get_dos_attrib_xattr(dentry, &da);
+ if (rc > 0) {
+ ksmbd_kstat->file_attributes = cpu_to_le32(da.attr);
+ ksmbd_kstat->create_time = da.create_time;
+ } else
+ ksmbd_debug(VFS, "fail to load dos attribute.\n");
+ }
+
+ return 0;
+}
+
+ssize_t ksmbd_vfs_casexattr_len(struct dentry *dentry,
+ char *attr_name,
+ int attr_name_len)
+{
+ char *name, *xattr_list = NULL;
+ ssize_t value_len = -ENOENT, xattr_list_len;
+
+ xattr_list_len = ksmbd_vfs_listxattr(dentry, &xattr_list);
+ if (xattr_list_len <= 0)
+ goto out;
+
+ for (name = xattr_list; name - xattr_list < xattr_list_len;
+ name += strlen(name) + 1) {
+ ksmbd_debug(VFS, "%s, len %zd\n", name, strlen(name));
+ if (strncasecmp(attr_name, name, attr_name_len))
+ continue;
+
+ value_len = ksmbd_vfs_xattr_len(dentry, name);
+ break;
+ }
+
+out:
+ ksmbd_vfs_xattr_free(xattr_list);
+ return value_len;
+}
+
+int ksmbd_vfs_xattr_stream_name(char *stream_name,
+ char **xattr_stream_name,
+ size_t *xattr_stream_name_size,
+ int s_type)
+{
+ int stream_name_size;
+ char *xattr_stream_name_buf;
+ char *type;
+ int type_len;
+
+ if (s_type == DIR_STREAM)
+ type = ":$INDEX_ALLOCATION";
+ else
+ type = ":$DATA";
+
+ type_len = strlen(type);
+ stream_name_size = strlen(stream_name);
+ *xattr_stream_name_size = stream_name_size + XATTR_NAME_STREAM_LEN + 1;
+ xattr_stream_name_buf = kmalloc(*xattr_stream_name_size + type_len,
+ GFP_KERNEL);
+ if (!xattr_stream_name_buf)
+ return -ENOMEM;
+
+ memcpy(xattr_stream_name_buf,
+ XATTR_NAME_STREAM,
+ XATTR_NAME_STREAM_LEN);
+
+ if (stream_name_size) {
+ memcpy(&xattr_stream_name_buf[XATTR_NAME_STREAM_LEN],
+ stream_name,
+ stream_name_size);
+ }
+ memcpy(&xattr_stream_name_buf[*xattr_stream_name_size - 1], type, type_len);
+ *xattr_stream_name_size += type_len;
+
+ xattr_stream_name_buf[*xattr_stream_name_size - 1] = '\0';
+ *xattr_stream_name = xattr_stream_name_buf;
+
+ return 0;
+}
+
+static int ksmbd_vfs_copy_file_range(struct file *file_in, loff_t pos_in,
+ struct file *file_out, loff_t pos_out,
+ size_t len)
+{
+ struct inode *inode_in = file_inode(file_in);
+ struct inode *inode_out = file_inode(file_out);
+ int ret;
+
+ ret = vfs_copy_file_range(file_in, pos_in, file_out, pos_out, len, 0);
+ /* do splice for the copy between different file systems */
+ if (ret != -EXDEV)
+ return ret;
+
+ if (S_ISDIR(inode_in->i_mode) || S_ISDIR(inode_out->i_mode))
+ return -EISDIR;
+ if (!S_ISREG(inode_in->i_mode) || !S_ISREG(inode_out->i_mode))
+ return -EINVAL;
+
+ if (!(file_in->f_mode & FMODE_READ) ||
+ !(file_out->f_mode & FMODE_WRITE))
+ return -EBADF;
+
+ if (len == 0)
+ return 0;
+
+ file_start_write(file_out);
+
+ /*
+ * skip the verification of the range of data. it will be done
+ * in do_splice_direct
+ */
+ ret = do_splice_direct(file_in, &pos_in, file_out, &pos_out,
+ len > MAX_RW_COUNT ? MAX_RW_COUNT : len, 0);
+ if (ret > 0) {
+ fsnotify_access(file_in);
+ add_rchar(current, ret);
+ fsnotify_modify(file_out);
+ add_wchar(current, ret);
+ }
+
+ inc_syscr(current);
+ inc_syscw(current);
+
+ file_end_write(file_out);
+ return ret;
+}
+
+int ksmbd_vfs_copy_file_ranges(struct ksmbd_work *work,
+ struct ksmbd_file *src_fp,
+ struct ksmbd_file *dst_fp,
+ struct srv_copychunk *chunks,
+ unsigned int chunk_count,
+ unsigned int *chunk_count_written,
+ unsigned int *chunk_size_written,
+ loff_t *total_size_written)
+{
+ unsigned int i;
+ loff_t src_off, dst_off, src_file_size;
+ size_t len;
+ int ret;
+
+ *chunk_count_written = 0;
+ *chunk_size_written = 0;
+ *total_size_written = 0;
+
+ if (!(src_fp->daccess & (FILE_READ_DATA_LE | FILE_EXECUTE_LE))) {
+ ksmbd_err("no right to read(%s)\n", FP_FILENAME(src_fp));
+ return -EACCES;
+ }
+ if (!(dst_fp->daccess & (FILE_WRITE_DATA_LE | FILE_APPEND_DATA_LE))) {
+ ksmbd_err("no right to write(%s)\n", FP_FILENAME(dst_fp));
+ return -EACCES;
+ }
+
+ if (ksmbd_stream_fd(src_fp) || ksmbd_stream_fd(dst_fp))
+ return -EBADF;
+
+ smb_break_all_levII_oplock(work, dst_fp, 1);
+
+ for (i = 0; i < chunk_count; i++) {
+ src_off = le64_to_cpu(chunks[i].SourceOffset);
+ dst_off = le64_to_cpu(chunks[i].TargetOffset);
+ len = le32_to_cpu(chunks[i].Length);
+
+ if (check_lock_range(src_fp->filp, src_off,
+ src_off + len - 1, READ))
+ return -EAGAIN;
+ if (check_lock_range(dst_fp->filp, dst_off,
+ dst_off + len - 1, WRITE))
+ return -EAGAIN;
+ }
+
+ src_file_size = i_size_read(file_inode(src_fp->filp));
+
+ for (i = 0; i < chunk_count; i++) {
+ src_off = le64_to_cpu(chunks[i].SourceOffset);
+ dst_off = le64_to_cpu(chunks[i].TargetOffset);
+ len = le32_to_cpu(chunks[i].Length);
+
+ if (src_off + len > src_file_size)
+ return -E2BIG;
+
+ ret = ksmbd_vfs_copy_file_range(src_fp->filp, src_off,
+ dst_fp->filp, dst_off, len);
+ if (ret < 0)
+ return ret;
+
+ *chunk_count_written += 1;
+ *total_size_written += ret;
+ }
+ return 0;
+}
+
+int ksmbd_vfs_posix_lock_wait(struct file_lock *flock)
+{
+ return wait_event_interruptible(flock->fl_wait, !flock->fl_blocker);
+}
+
+int ksmbd_vfs_posix_lock_wait_timeout(struct file_lock *flock, long timeout)
+{
+ return wait_event_interruptible_timeout(flock->fl_wait,
+ !flock->fl_blocker,
+ timeout);
+}
+
+void ksmbd_vfs_posix_lock_unblock(struct file_lock *flock)
+{
+ locks_delete_block(flock);
+}
+
+int ksmbd_vfs_set_init_posix_acl(struct inode *inode)
+{
+ struct posix_acl_state acl_state;
+ struct posix_acl *acls;
+ int rc;
+
+ ksmbd_debug(SMB, "Set posix acls\n");
+ rc = init_acl_state(&acl_state, 1);
+ if (rc)
+ return rc;
+
+ /* Set default owner group */
+ acl_state.owner.allow = (inode->i_mode & 0700) >> 6;
+ acl_state.group.allow = (inode->i_mode & 0070) >> 3;
+ acl_state.other.allow = inode->i_mode & 0007;
+ acl_state.users->aces[acl_state.users->n].uid = inode->i_uid;
+ acl_state.users->aces[acl_state.users->n++].perms.allow =
+ acl_state.owner.allow;
+ acl_state.groups->aces[acl_state.groups->n].gid = inode->i_gid;
+ acl_state.groups->aces[acl_state.groups->n++].perms.allow =
+ acl_state.group.allow;
+ acl_state.mask.allow = 0x07;
+
+ acls = ksmbd_vfs_posix_acl_alloc(6, GFP_KERNEL);
+ if (!acls) {
+ free_acl_state(&acl_state);
+ return -ENOMEM;
+ }
+ posix_state_to_acl(&acl_state, acls->a_entries);
+ rc = ksmbd_vfs_set_posix_acl(inode, ACL_TYPE_ACCESS, acls);
+ if (rc < 0)
+ ksmbd_debug(SMB, "Set posix acl(ACL_TYPE_ACCESS) failed, rc : %d\n",
+ rc);
+ else if (S_ISDIR(inode->i_mode)) {
+ posix_state_to_acl(&acl_state, acls->a_entries);
+ rc = ksmbd_vfs_set_posix_acl(inode, ACL_TYPE_DEFAULT, acls);
+ if (rc < 0)
+ ksmbd_debug(SMB, "Set posix acl(ACL_TYPE_DEFAULT) failed, rc : %d\n",
+ rc);
+ }
+ free_acl_state(&acl_state);
+ posix_acl_release(acls);
+ return rc;
+}
+
+int ksmbd_vfs_inherit_posix_acl(struct inode *inode, struct inode *parent_inode)
+{
+ struct posix_acl *acls;
+ struct posix_acl_entry *pace;
+ int rc, i;
+
+ acls = ksmbd_vfs_get_acl(parent_inode, ACL_TYPE_DEFAULT);
+ if (!acls)
+ return -ENOENT;
+ pace = acls->a_entries;
+
+ for (i = 0; i < acls->a_count; i++, pace++) {
+ if (pace->e_tag == ACL_MASK) {
+ pace->e_perm = 0x07;
+ break;
+ }
+ }
+
+ rc = ksmbd_vfs_set_posix_acl(inode, ACL_TYPE_ACCESS, acls);
+ if (rc < 0)
+ ksmbd_debug(SMB, "Set posix acl(ACL_TYPE_ACCESS) failed, rc : %d\n",
+ rc);
+ if (S_ISDIR(inode->i_mode)) {
+ rc = ksmbd_vfs_set_posix_acl(inode, ACL_TYPE_DEFAULT, acls);
+ if (rc < 0)
+ ksmbd_debug(SMB, "Set posix acl(ACL_TYPE_DEFAULT) failed, rc : %d\n",
+ rc);
+ }
+ posix_acl_release(acls);
+ return rc;
+}
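Review bot: ksmbd_vfs_get_sd_xattr() leaks n.data when ndr_decode_v4_ntacl() fails, because "if (rc) return rc;" returns before the out: label that does kfree(n.data); that failure should go through out: as the later ones do. In the same function only acl.posix_acl_hash is compared against a recomputed value. acl.hash, which ksmbd_vfs_set_sd_xattr() generates over the descriptor buffer itself, is never checked on read, so either verify it here or document why it is stored. The "hash value diff" path also reaches out: without releasing acl.sd_buf, which is a second leak if ndr_decode_v4_ntacl() allocates that buffer. The buffer returned by ksmbd_vfs_getxattr() is released with kfree() here but with ksmbd_free() in ksmbd_vfs_get_dos_attrib_xattr(); please use one consistently.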
diff --git a/fs/cifsd/vfs.h b/fs/cifsd/vfs.h
new file mode 100644
index 000000000000..bbef5c20c146
--- /dev/null
+++ b/fs/cifsd/vfs.h
@@ -0,0 +1,314 @@
+/* SPDX-License-Identifier: GPL-2.0-or-later */
+/*
+ * Copyright (C) 2016 Namjae Jeon <linkinjeon(a)kernel.org>
+ * Copyright (C) 2018 Samsung Electronics Co., Ltd.
+ */
+
+#ifndef __KSMBD_VFS_H__
+#define __KSMBD_VFS_H__
+
+#include <linux/file.h>
+#include <linux/fs.h>
+#include <linux/namei.h>
+#include <uapi/linux/xattr.h>
+#include <linux/posix_acl.h>
+
+#include "smbacl.h"
+
+/* STREAM XATTR PREFIX */
+#define STREAM_PREFIX "DosStream."
+#define STREAM_PREFIX_LEN (sizeof(STREAM_PREFIX) - 1)
+#define XATTR_NAME_STREAM (XATTR_USER_PREFIX STREAM_PREFIX)
+#define XATTR_NAME_STREAM_LEN (sizeof(XATTR_NAME_STREAM) - 1)
+
+enum {
+ XATTR_DOSINFO_ATTRIB = 0x00000001,
+ XATTR_DOSINFO_EA_SIZE = 0x00000002,
+ XATTR_DOSINFO_SIZE = 0x00000004,
+ XATTR_DOSINFO_ALLOC_SIZE = 0x00000008,
+ XATTR_DOSINFO_CREATE_TIME = 0x00000010,
+ XATTR_DOSINFO_CHANGE_TIME = 0x00000020,
+ XATTR_DOSINFO_ITIME = 0x00000040
+};
+
+struct xattr_dos_attrib {
+ __u16 version;
+ __u32 flags;
+ __u32 attr;
+ __u32 ea_size;
+ __u64 size;
+ __u64 alloc_size;
+ __u64 create_time;
+ __u64 change_time;
+ __u64 itime;
+};
+
+/* DOS ATTRIBUITE XATTR PREFIX */
+#define DOS_ATTRIBUTE_PREFIX "DOSATTRIB"
+#define DOS_ATTRIBUTE_PREFIX_LEN (sizeof(DOS_ATTRIBUTE_PREFIX) - 1)
+#define XATTR_NAME_DOS_ATTRIBUTE \
+ (XATTR_USER_PREFIX DOS_ATTRIBUTE_PREFIX)
+#define XATTR_NAME_DOS_ATTRIBUTE_LEN \
+ (sizeof(XATTR_USER_PREFIX DOS_ATTRIBUTE_PREFIX) - 1)
+
+#define XATTR_SD_HASH_TYPE_SHA256 0x1
+#define XATTR_SD_HASH_SIZE 64
+
+#define SMB_ACL_READ 4
+#define SMB_ACL_WRITE 2
+#define SMB_ACL_EXECUTE 1
+
+enum {
+ SMB_ACL_TAG_INVALID = 0,
+ SMB_ACL_USER,
+ SMB_ACL_USER_OBJ,
+ SMB_ACL_GROUP,
+ SMB_ACL_GROUP_OBJ,
+ SMB_ACL_OTHER,
+ SMB_ACL_MASK
+};
+
+struct xattr_acl_entry {
+ int type;
+ uid_t uid;
+ gid_t gid;
+ mode_t perm;
+};
+
+struct xattr_smb_acl {
+ int count;
+ int next;
+ struct xattr_acl_entry entries[0];
+};
+
+struct xattr_ntacl {
+ __u16 version;
+ void *sd_buf;
+ __u32 sd_size;
+ __u16 hash_type;
+ __u8 desc[10];
+ __u16 desc_len;
+ __u64 current_time;
+ __u8 hash[XATTR_SD_HASH_SIZE];
+ __u8 posix_acl_hash[XATTR_SD_HASH_SIZE];
+};
+
+/* SECURITY DESCRIPTOR XATTR PREFIX */
+#define SD_PREFIX "NTACL"
+#define SD_PREFIX_LEN (sizeof(SD_PREFIX) - 1)
+#define XATTR_NAME_SD \
+ (XATTR_SECURITY_PREFIX SD_PREFIX)
+#define XATTR_NAME_SD_LEN \
+ (sizeof(XATTR_SECURITY_PREFIX SD_PREFIX) - 1)
+
+
+/* CreateOptions */
+/* Flag is set, it must not be a file , valid for directory only */
+#define FILE_DIRECTORY_FILE_LE cpu_to_le32(0x00000001)
+#define FILE_WRITE_THROUGH_LE cpu_to_le32(0x00000002)
+#define FILE_SEQUENTIAL_ONLY_LE cpu_to_le32(0x00000004)
+
+/* Should not buffer on server*/
+#define FILE_NO_INTERMEDIATE_BUFFERING_LE cpu_to_le32(0x00000008)
+/* MBZ */
+#define FILE_SYNCHRONOUS_IO_ALERT_LE cpu_to_le32(0x00000010)
+/* MBZ */
+#define FILE_SYNCHRONOUS_IO_NONALERT_LE cpu_to_le32(0x00000020)
+
+/* Flaf must not be set for directory */
+#define FILE_NON_DIRECTORY_FILE_LE cpu_to_le32(0x00000040)
+
+/* Should be zero */
+#define CREATE_TREE_CONNECTION cpu_to_le32(0x00000080)
+#define FILE_COMPLETE_IF_OPLOCKED_LE cpu_to_le32(0x00000100)
+#define FILE_NO_EA_KNOWLEDGE_LE cpu_to_le32(0x00000200)
+#define FILE_OPEN_REMOTE_INSTANCE cpu_to_le32(0x00000400)
+
+/**
+ * Doc says this is obsolete "open for recovery" flag should be zero
+ * in any case.
+ */
+#define CREATE_OPEN_FOR_RECOVERY cpu_to_le32(0x00000400)
+#define FILE_RANDOM_ACCESS_LE cpu_to_le32(0x00000800)
+#define FILE_DELETE_ON_CLOSE_LE cpu_to_le32(0x00001000)
+#define FILE_OPEN_BY_FILE_ID_LE cpu_to_le32(0x00002000)
+#define FILE_OPEN_FOR_BACKUP_INTENT_LE cpu_to_le32(0x00004000)
+#define FILE_NO_COMPRESSION_LE cpu_to_le32(0x00008000)
+
+/* Should be zero*/
+#define FILE_OPEN_REQUIRING_OPLOCK cpu_to_le32(0x00010000)
+#define FILE_DISALLOW_EXCLUSIVE cpu_to_le32(0x00020000)
+#define FILE_RESERVE_OPFILTER_LE cpu_to_le32(0x00100000)
+#define FILE_OPEN_REPARSE_POINT_LE cpu_to_le32(0x00200000)
+#define FILE_OPEN_NO_RECALL_LE cpu_to_le32(0x00400000)
+
+/* Should be zero */
+#define FILE_OPEN_FOR_FREE_SPACE_QUERY_LE cpu_to_le32(0x00800000)
+#define CREATE_OPTIONS_MASK cpu_to_le32(0x00FFFFFF)
+#define CREATE_OPTION_READONLY 0x10000000
+/* system. NB not sent over wire */
+#define CREATE_OPTION_SPECIAL 0x20000000
+
+struct ksmbd_work;
+struct ksmbd_file;
+struct ksmbd_conn;
+
+struct ksmbd_dir_info {
+ const char *name;
+ char *wptr;
+ char *rptr;
+ int name_len;
+ int out_buf_len;
+ int num_entry;
+ int data_count;
+ int last_entry_offset;
+ bool hide_dot_file;
+ int flags;
+};
+
+struct ksmbd_readdir_data {
+ struct dir_context ctx;
+ union {
+ void *private;
+ char *dirent;
+ };
+
+ unsigned int used;
+ unsigned int dirent_count;
+ unsigned int file_attr;
+};
+
+/* ksmbd kstat wrapper to get valid create time when reading dir entry */
+struct ksmbd_kstat {
+ struct kstat *kstat;
+ unsigned long long create_time;
+ __le32 file_attributes;
+};
+
+struct ksmbd_fs_sector_size {
+ unsigned short logical_sector_size;
+ unsigned int physical_sector_size;
+ unsigned int optimal_io_size;
+};
+
+int ksmbd_vfs_inode_permission(struct dentry *dentry, int acc_mode,
+ bool delete);
+int ksmbd_vfs_query_maximal_access(struct dentry *dentry, __le32 *daccess);
+int ksmbd_vfs_create(struct ksmbd_work *work, const char *name, umode_t mode);
+int ksmbd_vfs_mkdir(struct ksmbd_work *work, const char *name, umode_t mode);
+int ksmbd_vfs_read(struct ksmbd_work *work, struct ksmbd_file *fp,
+ size_t count, loff_t *pos);
+int ksmbd_vfs_write(struct ksmbd_work *work, struct ksmbd_file *fp,
+ char *buf, size_t count, loff_t *pos, bool sync, ssize_t *written);
+int ksmbd_vfs_fsync(struct ksmbd_work *work, uint64_t fid, uint64_t p_id);
+int ksmbd_vfs_remove_file(struct ksmbd_work *work, char *name);
+int ksmbd_vfs_link(struct ksmbd_work *work,
+ const char *oldname, const char *newname);
+int ksmbd_vfs_getattr(struct path *path, struct kstat *stat);
+int ksmbd_vfs_symlink(const char *name, const char *symname);
+int ksmbd_vfs_readlink(struct path *path, char *buf, int lenp);
+
+int ksmbd_vfs_fp_rename(struct ksmbd_work *work, struct ksmbd_file *fp,
+ char *newname);
+int ksmbd_vfs_rename_slowpath(struct ksmbd_work *work,
+ char *oldname, char *newname);
+
+int ksmbd_vfs_truncate(struct ksmbd_work *work, const char *name,
+ struct ksmbd_file *fp, loff_t size);
+
+struct srv_copychunk;
+int ksmbd_vfs_copy_file_ranges(struct ksmbd_work *work,
+ struct ksmbd_file *src_fp,
+ struct ksmbd_file *dst_fp,
+ struct srv_copychunk *chunks,
+ unsigned int chunk_count,
+ unsigned int *chunk_count_written,
+ unsigned int *chunk_size_written,
+ loff_t *total_size_written);
+
+struct ksmbd_file *ksmbd_vfs_dentry_open(struct ksmbd_work *work,
+ const struct path *path,
+ int flags,
+ __le32 option,
+ int fexist);
+
+ssize_t ksmbd_vfs_listxattr(struct dentry *dentry, char **list);
+ssize_t ksmbd_vfs_getxattr(struct dentry *dentry,
+ char *xattr_name,
+ char **xattr_buf);
+
+ssize_t ksmbd_vfs_casexattr_len(struct dentry *dentry,
+ char *attr_name,
+ int attr_name_len);
+
+int ksmbd_vfs_setxattr(struct dentry *dentry,
+ const char *attr_name,
+ const void *attr_value,
+ size_t attr_size,
+ int flags);
+
+int ksmbd_vfs_fsetxattr(const char *filename,
+ const char *attr_name,
+ const void *attr_value,
+ size_t attr_size,
+ int flags);
+
+int ksmbd_vfs_xattr_stream_name(char *stream_name,
+ char **xattr_stream_name,
+ size_t *xattr_stream_name_size,
+ int s_type);
+
+int ksmbd_vfs_truncate_xattr(struct dentry *dentry, int wo_streams);
+int ksmbd_vfs_remove_xattr(struct dentry *dentry, char *attr_name);
+void ksmbd_vfs_xattr_free(char *xattr);
+
+int ksmbd_vfs_kern_path(char *name, unsigned int flags, struct path *path,
+ bool caseless);
+int ksmbd_vfs_empty_dir(struct ksmbd_file *fp);
+void ksmbd_vfs_set_fadvise(struct file *filp, __le32 option);
+int ksmbd_vfs_lock(struct file *filp, int cmd, struct file_lock *flock);
+int ksmbd_vfs_readdir(struct file *file, struct ksmbd_readdir_data *rdata);
+int ksmbd_vfs_alloc_size(struct ksmbd_work *work,
+ struct ksmbd_file *fp,
+ loff_t len);
+int ksmbd_vfs_zero_data(struct ksmbd_work *work,
+ struct ksmbd_file *fp,
+ loff_t off,
+ loff_t len);
+
+struct file_allocated_range_buffer;
+int ksmbd_vfs_fqar_lseek(struct ksmbd_file *fp, loff_t start, loff_t length,
+ struct file_allocated_range_buffer *ranges,
+ int in_count, int *out_count);
+int ksmbd_vfs_unlink(struct dentry *dir, struct dentry *dentry);
+unsigned short ksmbd_vfs_logical_sector_size(struct inode *inode);
+void ksmbd_vfs_smb2_sector_size(struct inode *inode,
+ struct ksmbd_fs_sector_size *fs_ss);
+void *ksmbd_vfs_init_kstat(char **p, struct ksmbd_kstat *ksmbd_kstat);
+
+int ksmbd_vfs_fill_dentry_attrs(struct ksmbd_work *work,
+ struct dentry *dentry,
+ struct ksmbd_kstat *ksmbd_kstat);
+
+int ksmbd_vfs_posix_lock_wait(struct file_lock *flock);
+int ksmbd_vfs_posix_lock_wait_timeout(struct file_lock *flock, long timeout);
+void ksmbd_vfs_posix_lock_unblock(struct file_lock *flock);
+
+int ksmbd_vfs_remove_acl_xattrs(struct dentry *dentry);
+int ksmbd_vfs_remove_sd_xattrs(struct dentry *dentry);
+int ksmbd_vfs_set_sd_xattr(struct ksmbd_conn *conn, struct dentry *dentry,
+ struct smb_ntsd *pntsd, int len);
+int ksmbd_vfs_get_sd_xattr(struct ksmbd_conn *conn, struct dentry *dentry,
+ struct smb_ntsd **pntsd);
+int ksmbd_vfs_set_dos_attrib_xattr(struct dentry *dentry,
+ struct xattr_dos_attrib *da);
+int ksmbd_vfs_get_dos_attrib_xattr(struct dentry *dentry,
+ struct xattr_dos_attrib *da);
+struct posix_acl *ksmbd_vfs_posix_acl_alloc(int count, gfp_t flags);
+struct posix_acl *ksmbd_vfs_get_acl(struct inode *inode, int type);
+int ksmbd_vfs_set_posix_acl(struct inode *inode, int type,
+ struct posix_acl *acl);
+int ksmbd_vfs_set_init_posix_acl(struct inode *inode);
+int ksmbd_vfs_inherit_posix_acl(struct inode *inode,
+ struct inode *parent_inode);
+#endif /* __KSMBD_VFS_H__ */
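Review bot: The prototypes that hand memory back through an out-parameter, `ksmbd_vfs_xattr_stream_name(..., char **xattr_stream_name, size_t *xattr_stream_name_size, ...)` and `ksmbd_vfs_get_sd_xattr(..., struct smb_ntsd **pntsd)`, carry no comment on who owns and frees the result. Only `ksmbd_vfs_xattr_free(char *xattr)` is declared, and nothing says which buffers it applies to. Please document the allocation and release contract next to each declaration, since a caller that guesses wrong leaks or double-frees kernel memory. Separately, `ksmbd_vfs_remove_xattr(struct dentry *dentry, char *attr_name)` and `ksmbd_vfs_kern_path(char *name, ...)` take non-const strings while `ksmbd_vfs_fsetxattr()` takes `const char *`; if they never modify the argument, make them const as well.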
diff --git a/fs/cifsd/vfs_cache.c b/fs/cifsd/vfs_cache.c
new file mode 100644
index 000000000000..8d8c4e373308
--- /dev/null
+++ b/fs/cifsd/vfs_cache.c
@@ -0,0 +1,855 @@
+// SPDX-License-Identifier: GPL-2.0-or-later
+/*
+ * Copyright (C) 2016 Namjae Jeon <linkinjeon(a)kernel.org>
+ * Copyright (C) 2019 Samsung Electronics Co., Ltd.
+ */
+
+#include <linux/fs.h>
+#include <linux/slab.h>
+#include <linux/vmalloc.h>
+
+/* @FIXME */
+#include "glob.h"
+#include "vfs_cache.h"
+#include "buffer_pool.h"
+
+#include "oplock.h"
+#include "vfs.h"
+#include "connection.h"
+#include "mgmt/tree_connect.h"
+#include "mgmt/user_session.h"
+
+/* @FIXME */
+#include "smb_common.h"
+
+#define S_DEL_PENDING 1
+#define S_DEL_ON_CLS 2
+#define S_DEL_ON_CLS_STREAM 8
+
+static unsigned int inode_hash_mask __read_mostly;
+static unsigned int inode_hash_shift __read_mostly;
+static struct hlist_head *inode_hashtable __read_mostly;
+static DEFINE_RWLOCK(inode_hash_lock);
+
+static struct ksmbd_file_table global_ft;
+static atomic_long_t fd_limit;
+
+void ksmbd_set_fd_limit(unsigned long limit)
+{
+ limit = min(limit, get_max_files());
+ atomic_long_set(&fd_limit, limit);
+}
+
+static bool fd_limit_depleted(void)
+{
+ long v = atomic_long_dec_return(&fd_limit);
+
+ if (v >= 0)
+ return false;
+ atomic_long_inc(&fd_limit);
+ return true;
+}
+
+static void fd_limit_close(void)
+{
+ atomic_long_inc(&fd_limit);
+}
+
+/*
+ * INODE hash
+ */
+
+static unsigned long inode_hash(struct super_block *sb, unsigned long hashval)
+{
+ unsigned long tmp;
+
+ tmp = (hashval * (unsigned long)sb) ^ (GOLDEN_RATIO_PRIME + hashval) /
+ L1_CACHE_BYTES;
+ tmp = tmp ^ ((tmp ^ GOLDEN_RATIO_PRIME) >> inode_hash_shift);
+ return tmp & inode_hash_mask;
+}
+
+static struct ksmbd_inode *__ksmbd_inode_lookup(struct inode *inode)
+{
+ struct hlist_head *head = inode_hashtable +
+ inode_hash(inode->i_sb, inode->i_ino);
+ struct ksmbd_inode *ci = NULL, *ret_ci = NULL;
+
+ hlist_for_each_entry(ci, head, m_hash) {
+ if (ci->m_inode == inode) {
+ if (atomic_inc_not_zero(&ci->m_count))
+ ret_ci = ci;
+ break;
+ }
+ }
+ return ret_ci;
+}
+
+static struct ksmbd_inode *ksmbd_inode_lookup(struct ksmbd_file *fp)
+{
+ return __ksmbd_inode_lookup(FP_INODE(fp));
+}
+
+static struct ksmbd_inode *ksmbd_inode_lookup_by_vfsinode(struct inode *inode)
+{
+ struct ksmbd_inode *ci;
+
+ read_lock(&inode_hash_lock);
+ ci = __ksmbd_inode_lookup(inode);
+ read_unlock(&inode_hash_lock);
+ return ci;
+}
+
+int ksmbd_query_inode_status(struct inode *inode)
+{
+ struct ksmbd_inode *ci;
+ int ret = KSMBD_INODE_STATUS_UNKNOWN;
+
+ read_lock(&inode_hash_lock);
+ ci = __ksmbd_inode_lookup(inode);
+ if (ci) {
+ ret = KSMBD_INODE_STATUS_OK;
+ if (ci->m_flags & S_DEL_PENDING)
+ ret = KSMBD_INODE_STATUS_PENDING_DELETE;
+ atomic_dec(&ci->m_count);
+ }
+ read_unlock(&inode_hash_lock);
+ return ret;
+}
+
+bool ksmbd_inode_pending_delete(struct ksmbd_file *fp)
+{
+ return (fp->f_ci->m_flags & S_DEL_PENDING);
+}
+
+void ksmbd_set_inode_pending_delete(struct ksmbd_file *fp)
+{
+ fp->f_ci->m_flags |= S_DEL_PENDING;
+}
+
+void ksmbd_clear_inode_pending_delete(struct ksmbd_file *fp)
+{
+ fp->f_ci->m_flags &= ~S_DEL_PENDING;
+}
+
+void ksmbd_fd_set_delete_on_close(struct ksmbd_file *fp,
+ int file_info)
+{
+ if (ksmbd_stream_fd(fp)) {
+ fp->f_ci->m_flags |= S_DEL_ON_CLS_STREAM;
+ return;
+ }
+
+ fp->f_ci->m_flags |= S_DEL_ON_CLS;
+}
+
+static void ksmbd_inode_hash(struct ksmbd_inode *ci)
+{
+ struct hlist_head *b = inode_hashtable +
+ inode_hash(ci->m_inode->i_sb, ci->m_inode->i_ino);
+
+ hlist_add_head(&ci->m_hash, b);
+}
+
+static void ksmbd_inode_unhash(struct ksmbd_inode *ci)
+{
+ write_lock(&inode_hash_lock);
+ hlist_del_init(&ci->m_hash);
+ write_unlock(&inode_hash_lock);
+}
+
+static int ksmbd_inode_init(struct ksmbd_inode *ci, struct ksmbd_file *fp)
+{
+ ci->m_inode = FP_INODE(fp);
+ atomic_set(&ci->m_count, 1);
+ atomic_set(&ci->op_count, 0);
+ atomic_set(&ci->sop_count, 0);
+ ci->m_flags = 0;
+ ci->m_fattr = 0;
+ INIT_LIST_HEAD(&ci->m_fp_list);
+ INIT_LIST_HEAD(&ci->m_op_list);
+ rwlock_init(&ci->m_lock);
+ return 0;
+}
+
+static struct ksmbd_inode *ksmbd_inode_get(struct ksmbd_file *fp)
+{
+ struct ksmbd_inode *ci, *tmpci;
+ int rc;
+
+ read_lock(&inode_hash_lock);
+ ci = ksmbd_inode_lookup(fp);
+ read_unlock(&inode_hash_lock);
+ if (ci)
+ return ci;
+
+ ci = kmalloc(sizeof(struct ksmbd_inode), GFP_KERNEL);
+ if (!ci)
+ return NULL;
+
+ rc = ksmbd_inode_init(ci, fp);
+ if (rc) {
+ ksmbd_err("inode initialized failed\n");
+ kfree(ci);
+ return NULL;
+ }
+
+ write_lock(&inode_hash_lock);
+ tmpci = ksmbd_inode_lookup(fp);
+ if (!tmpci) {
+ ksmbd_inode_hash(ci);
+ } else {
+ kfree(ci);
+ ci = tmpci;
+ }
+ write_unlock(&inode_hash_lock);
+ return ci;
+}
+
+static void ksmbd_inode_free(struct ksmbd_inode *ci)
+{
+ ksmbd_inode_unhash(ci);
+ kfree(ci);
+}
+
+static void ksmbd_inode_put(struct ksmbd_inode *ci)
+{
+ if (atomic_dec_and_test(&ci->m_count))
+ ksmbd_inode_free(ci);
+}
+
+int __init ksmbd_inode_hash_init(void)
+{
+ unsigned int loop;
+ unsigned long numentries = 16384;
+ unsigned long bucketsize = sizeof(struct hlist_head);
+ unsigned long size;
+
+ inode_hash_shift = ilog2(numentries);
+ inode_hash_mask = (1 << inode_hash_shift) - 1;
+
+ size = bucketsize << inode_hash_shift;
+
+ /* init master fp hash table */
+ inode_hashtable = vmalloc(size);
+ if (!inode_hashtable)
+ return -ENOMEM;
+
+ for (loop = 0; loop < (1U << inode_hash_shift); loop++)
+ INIT_HLIST_HEAD(&inode_hashtable[loop]);
+ return 0;
+}
+
+void __exit ksmbd_release_inode_hash(void)
+{
+ vfree(inode_hashtable);
+}
+
+static void __ksmbd_inode_close(struct ksmbd_file *fp)
+{
+ struct dentry *dir, *dentry;
+ struct ksmbd_inode *ci = fp->f_ci;
+ int err;
+ struct file *filp;
+
+ filp = fp->filp;
+ if (ksmbd_stream_fd(fp) && (ci->m_flags & S_DEL_ON_CLS_STREAM)) {
+ ci->m_flags &= ~S_DEL_ON_CLS_STREAM;
+ err = ksmbd_vfs_remove_xattr(filp->f_path.dentry,
+ fp->stream.name);
+ if (err)
+ ksmbd_err("remove xattr failed : %s\n",
+ fp->stream.name);
+ }
+
+ if (atomic_dec_and_test(&ci->m_count)) {
+ write_lock(&ci->m_lock);
+ if (ci->m_flags & (S_DEL_ON_CLS | S_DEL_PENDING)) {
+ dentry = filp->f_path.dentry;
+ dir = dentry->d_parent;
+ ci->m_flags &= ~(S_DEL_ON_CLS | S_DEL_PENDING);
+ write_unlock(&ci->m_lock);
+ ksmbd_vfs_unlink(dir, dentry);
+ write_lock(&ci->m_lock);
+ }
+ write_unlock(&ci->m_lock);
+
+ ksmbd_inode_free(ci);
+ }
+}
+
+static void __ksmbd_remove_durable_fd(struct ksmbd_file *fp)
+{
+ if (!HAS_FILE_ID(fp->persistent_id))
+ return;
+
+ write_lock(&global_ft.lock);
+ idr_remove(global_ft.idr, fp->persistent_id);
+ write_unlock(&global_ft.lock);
+}
+
+static void __ksmbd_remove_fd(struct ksmbd_file_table *ft,
+ struct ksmbd_file *fp)
+{
+ if (!HAS_FILE_ID(fp->volatile_id))
+ return;
+
+ write_lock(&fp->f_ci->m_lock);
+ list_del_init(&fp->node);
+ write_unlock(&fp->f_ci->m_lock);
+
+ write_lock(&ft->lock);
+ idr_remove(ft->idr, fp->volatile_id);
+ write_unlock(&ft->lock);
+}
+
+static void __ksmbd_close_fd(struct ksmbd_file_table *ft,
+ struct ksmbd_file *fp)
+{
+ struct file *filp;
+
+ fd_limit_close();
+ __ksmbd_remove_durable_fd(fp);
+ __ksmbd_remove_fd(ft, fp);
+
+ close_id_del_oplock(fp);
+ filp = fp->filp;
+
+ __ksmbd_inode_close(fp);
+ if (!IS_ERR_OR_NULL(filp))
+ fput(filp);
+ kfree(fp->filename);
+ if (ksmbd_stream_fd(fp))
+ kfree(fp->stream.name);
+ ksmbd_free_file_struct(fp);
+}
+
+static struct ksmbd_file *ksmbd_fp_get(struct ksmbd_file *fp)
+{
+ if (!atomic_inc_not_zero(&fp->refcount))
+ return NULL;
+ return fp;
+}
+
+static struct ksmbd_file *__ksmbd_lookup_fd(struct ksmbd_file_table *ft,
+ unsigned int id)
+{
+ bool unclaimed = true;
+ struct ksmbd_file *fp;
+
+ read_lock(&ft->lock);
+ fp = idr_find(ft->idr, id);
+ if (fp)
+ fp = ksmbd_fp_get(fp);
+
+ if (fp && fp->f_ci) {
+ read_lock(&fp->f_ci->m_lock);
+ unclaimed = list_empty(&fp->node);
+ read_unlock(&fp->f_ci->m_lock);
+ }
+ read_unlock(&ft->lock);
+
+ if (fp && unclaimed) {
+ atomic_dec(&fp->refcount);
+ return NULL;
+ }
+ return fp;
+}
+
+static void __put_fd_final(struct ksmbd_work *work,
+ struct ksmbd_file *fp)
+{
+ __ksmbd_close_fd(&work->sess->file_table, fp);
+ atomic_dec(&work->conn->stats.open_files_count);
+}
+
+static void set_close_state_blocked_works(struct ksmbd_file *fp)
+{
+ struct ksmbd_work *cancel_work, *ctmp;
+
+ spin_lock(&fp->f_lock);
+ list_for_each_entry_safe(cancel_work, ctmp, &fp->blocked_works,
+ fp_entry) {
+ list_del(&cancel_work->fp_entry);
+ cancel_work->state = KSMBD_WORK_CLOSED;
+ cancel_work->cancel_fn(cancel_work->cancel_argv);
+ }
+ spin_unlock(&fp->f_lock);
+}
+
+int ksmbd_close_fd(struct ksmbd_work *work, unsigned int id)
+{
+ struct ksmbd_file *fp;
+ struct ksmbd_file_table *ft;
+
+ if (!HAS_FILE_ID(id))
+ return 0;
+
+ ft = &work->sess->file_table;
+ read_lock(&ft->lock);
+ fp = idr_find(ft->idr, id);
+ if (fp) {
+ set_close_state_blocked_works(fp);
+
+ if (!atomic_dec_and_test(&fp->refcount))
+ fp = NULL;
+ }
+ read_unlock(&ft->lock);
+
+ if (!fp)
+ return -EINVAL;
+
+ __put_fd_final(work, fp);
+ return 0;
+}
+
+void ksmbd_fd_put(struct ksmbd_work *work,
+ struct ksmbd_file *fp)
+{
+ if (!fp)
+ return;
+
+ if (!atomic_dec_and_test(&fp->refcount))
+ return;
+ __put_fd_final(work, fp);
+}
+
+static bool __sanity_check(struct ksmbd_tree_connect *tcon,
+ struct ksmbd_file *fp)
+{
+ if (!fp)
+ return false;
+ if (fp->tcon != tcon)
+ return false;
+ return true;
+}
+
+struct ksmbd_file *ksmbd_lookup_foreign_fd(struct ksmbd_work *work,
+ unsigned int id)
+{
+ return __ksmbd_lookup_fd(&work->sess->file_table, id);
+}
+
+struct ksmbd_file *ksmbd_lookup_fd_fast(struct ksmbd_work *work,
+ unsigned int id)
+{
+ struct ksmbd_file *fp = __ksmbd_lookup_fd(&work->sess->file_table, id);
+
+ if (__sanity_check(work->tcon, fp))
+ return fp;
+
+ ksmbd_fd_put(work, fp);
+ return NULL;
+}
+
+struct ksmbd_file *ksmbd_lookup_fd_slow(struct ksmbd_work *work,
+ unsigned int id,
+ unsigned int pid)
+{
+ struct ksmbd_file *fp;
+
+ if (!HAS_FILE_ID(id)) {
+ id = work->compound_fid;
+ pid = work->compound_pfid;
+ }
+
+ if (!HAS_FILE_ID(id))
+ return NULL;
+
+ fp = __ksmbd_lookup_fd(&work->sess->file_table, id);
+ if (!__sanity_check(work->tcon, fp)) {
+ ksmbd_fd_put(work, fp);
+ return NULL;
+ }
+ if (fp->persistent_id != pid) {
+ ksmbd_fd_put(work, fp);
+ return NULL;
+ }
+ return fp;
+}
+
+struct ksmbd_file *ksmbd_lookup_durable_fd(unsigned long long id)
+{
+ return __ksmbd_lookup_fd(&global_ft, id);
+}
+
+int ksmbd_close_fd_app_id(struct ksmbd_work *work,
+ char *app_id)
+{
+ struct ksmbd_file *fp = NULL;
+ unsigned int id;
+
+ read_lock(&global_ft.lock);
+ idr_for_each_entry(global_ft.idr, fp, id) {
+ if (!memcmp(fp->app_instance_id,
+ app_id,
+ SMB2_CREATE_GUID_SIZE)) {
+ if (!atomic_dec_and_test(&fp->refcount))
+ fp = NULL;
+ break;
+ }
+ }
+ read_unlock(&global_ft.lock);
+
+ if (!fp)
+ return -EINVAL;
+
+ __put_fd_final(work, fp);
+ return 0;
+}
+
+struct ksmbd_file *ksmbd_lookup_fd_cguid(char *cguid)
+{
+ struct ksmbd_file *fp = NULL;
+ unsigned int id;
+
+ read_lock(&global_ft.lock);
+ idr_for_each_entry(global_ft.idr, fp, id) {
+ if (!memcmp(fp->create_guid,
+ cguid,
+ SMB2_CREATE_GUID_SIZE)) {
+ fp = ksmbd_fp_get(fp);
+ break;
+ }
+ }
+ read_unlock(&global_ft.lock);
+
+ return fp;
+}
+
+struct ksmbd_file *ksmbd_lookup_fd_filename(struct ksmbd_work *work,
+ char *filename)
+{
+ struct ksmbd_file *fp = NULL;
+ unsigned int id;
+
+ read_lock(&work->sess->file_table.lock);
+ idr_for_each_entry(work->sess->file_table.idr, fp, id) {
+ if (!strcmp(fp->filename, filename)) {
+ fp = ksmbd_fp_get(fp);
+ break;
+ }
+ }
+ read_unlock(&work->sess->file_table.lock);
+
+ return fp;
+}
+
+struct ksmbd_file *ksmbd_lookup_fd_inode(struct inode *inode)
+{
+ struct ksmbd_file *lfp;
+ struct ksmbd_inode *ci;
+ struct list_head *cur;
+
+ ci = ksmbd_inode_lookup_by_vfsinode(inode);
+ if (!ci)
+ return NULL;
+
+ read_lock(&ci->m_lock);
+ list_for_each(cur, &ci->m_fp_list) {
+ lfp = list_entry(cur, struct ksmbd_file, node);
+ if (inode == FP_INODE(lfp)) {
+ atomic_dec(&ci->m_count);
+ read_unlock(&ci->m_lock);
+ return lfp;
+ }
+ }
+ atomic_dec(&ci->m_count);
+ read_unlock(&ci->m_lock);
+ return NULL;
+}
+
+#define OPEN_ID_TYPE_VOLATILE_ID (0)
+#define OPEN_ID_TYPE_PERSISTENT_ID (1)
+
+static void __open_id_set(struct ksmbd_file *fp, unsigned int id, int type)
+{
+ if (type == OPEN_ID_TYPE_VOLATILE_ID)
+ fp->volatile_id = id;
+ if (type == OPEN_ID_TYPE_PERSISTENT_ID)
+ fp->persistent_id = id;
+}
+
+static int __open_id(struct ksmbd_file_table *ft,
+ struct ksmbd_file *fp,
+ int type)
+{
+ unsigned int id = 0;
+ int ret;
+
+ if (type == OPEN_ID_TYPE_VOLATILE_ID && fd_limit_depleted()) {
+ __open_id_set(fp, KSMBD_NO_FID, type);
+ return -EMFILE;
+ }
+
+ idr_preload(GFP_KERNEL);
+ write_lock(&ft->lock);
+ ret = idr_alloc_cyclic(ft->idr, fp, 0, INT_MAX, GFP_NOWAIT);
+ if (ret >= 0) {
+ id = ret;
+ ret = 0;
+ } else {
+ id = KSMBD_NO_FID;
+ fd_limit_close();
+ }
+
+ __open_id_set(fp, id, type);
+ write_unlock(&ft->lock);
+ idr_preload_end();
+ return ret;
+}
+
+unsigned int ksmbd_open_durable_fd(struct ksmbd_file *fp)
+{
+ __open_id(&global_ft, fp, OPEN_ID_TYPE_PERSISTENT_ID);
+ return fp->persistent_id;
+}
+
+struct ksmbd_file *ksmbd_open_fd(struct ksmbd_work *work,
+ struct file *filp)
+{
+ struct ksmbd_file *fp;
+ int ret;
+
+ fp = ksmbd_alloc_file_struct();
+ if (!fp) {
+ ksmbd_err("Failed to allocate memory\n");
+ return ERR_PTR(-ENOMEM);
+ }
+
+ INIT_LIST_HEAD(&fp->blocked_works);
+ INIT_LIST_HEAD(&fp->node);
+ spin_lock_init(&fp->f_lock);
+ atomic_set(&fp->refcount, 1);
+
+ fp->filp = filp;
+ fp->conn = work->sess->conn;
+ fp->tcon = work->tcon;
+ fp->volatile_id = KSMBD_NO_FID;
+ fp->persistent_id = KSMBD_NO_FID;
+ fp->f_ci = ksmbd_inode_get(fp);
+
+ if (!fp->f_ci) {
+ ksmbd_free_file_struct(fp);
+ return ERR_PTR(-ENOMEM);
+ }
+
+ ret = __open_id(&work->sess->file_table, fp, OPEN_ID_TYPE_VOLATILE_ID);
+ if (ret) {
+ ksmbd_inode_put(fp->f_ci);
+ ksmbd_free_file_struct(fp);
+ return ERR_PTR(ret);
+ }
+
+ atomic_inc(&work->conn->stats.open_files_count);
+ return fp;
+}
+
+static inline bool is_reconnectable(struct ksmbd_file *fp)
+{
+ struct oplock_info *opinfo = opinfo_get(fp);
+ bool reconn = false;
+
+ if (!opinfo)
+ return false;
+
+ if (opinfo->op_state != OPLOCK_STATE_NONE) {
+ opinfo_put(opinfo);
+ return false;
+ }
+
+ if (fp->is_resilient || fp->is_persistent)
+ reconn = true;
+ else if (fp->is_durable && opinfo->is_lease &&
+ opinfo->o_lease->state & SMB2_LEASE_HANDLE_CACHING_LE)
+ reconn = true;
+
+ else if (fp->is_durable && opinfo->level == SMB2_OPLOCK_LEVEL_BATCH)
+ reconn = true;
+
+ opinfo_put(opinfo);
+ return reconn;
+}
+
+static int
+__close_file_table_ids(struct ksmbd_file_table *ft,
+ struct ksmbd_tree_connect *tcon,
+ bool (*skip)(struct ksmbd_tree_connect *tcon,
+ struct ksmbd_file *fp))
+{
+ unsigned int id;
+ struct ksmbd_file *fp;
+ int num = 0;
+
+ idr_for_each_entry(ft->idr, fp, id) {
+ if (skip(tcon, fp))
+ continue;
+
+ set_close_state_blocked_works(fp);
+
+ if (!atomic_dec_and_test(&fp->refcount))
+ continue;
+ __ksmbd_close_fd(ft, fp);
+ num++;
+ }
+ return num;
+}
+
+static bool tree_conn_fd_check(struct ksmbd_tree_connect *tcon,
+ struct ksmbd_file *fp)
+{
+ return fp->tcon != tcon;
+}
+
+static bool session_fd_check(struct ksmbd_tree_connect *tcon,
+ struct ksmbd_file *fp)
+{
+ if (!is_reconnectable(fp))
+ return false;
+
+ fp->conn = NULL;
+ fp->tcon = NULL;
+ fp->volatile_id = KSMBD_NO_FID;
+ return true;
+}
+
+void ksmbd_close_tree_conn_fds(struct ksmbd_work *work)
+{
+ int num = __close_file_table_ids(&work->sess->file_table,
+ work->tcon,
+ tree_conn_fd_check);
+
+ atomic_sub(num, &work->conn->stats.open_files_count);
+}
+
+void ksmbd_close_session_fds(struct ksmbd_work *work)
+{
+ int num = __close_file_table_ids(&work->sess->file_table,
+ work->tcon,
+ session_fd_check);
+
+ atomic_sub(num, &work->conn->stats.open_files_count);
+}
+
+int ksmbd_init_global_file_table(void)
+{
+ return ksmbd_init_file_table(&global_ft);
+}
+
+void ksmbd_free_global_file_table(void)
+{
+ struct ksmbd_file *fp = NULL;
+ unsigned int id;
+
+ idr_for_each_entry(global_ft.idr, fp, id) {
+ __ksmbd_remove_durable_fd(fp);
+ ksmbd_free_file_struct(fp);
+ }
+
+ ksmbd_destroy_file_table(&global_ft);
+}
+
+int ksmbd_reopen_durable_fd(struct ksmbd_work *work,
+ struct ksmbd_file *fp)
+{
+ if (!fp->is_durable || fp->conn || fp->tcon) {
+ ksmbd_err("Invalid durable fd [%p:%p]\n",
+ fp->conn, fp->tcon);
+ return -EBADF;
+ }
+
+ if (HAS_FILE_ID(fp->volatile_id)) {
+ ksmbd_err("Still in use durable fd: %u\n", fp->volatile_id);
+ return -EBADF;
+ }
+
+ fp->conn = work->sess->conn;
+ fp->tcon = work->tcon;
+
+ __open_id(&work->sess->file_table, fp, OPEN_ID_TYPE_VOLATILE_ID);
+ if (!HAS_FILE_ID(fp->volatile_id)) {
+ fp->conn = NULL;
+ fp->tcon = NULL;
+ return -EBADF;
+ }
+ return 0;
+}
+
+static void close_fd_list(struct ksmbd_work *work, struct list_head *head)
+{
+ while (!list_empty(head)) {
+ struct ksmbd_file *fp;
+
+ fp = list_first_entry(head, struct ksmbd_file, node);
+ list_del_init(&fp->node);
+
+ __ksmbd_close_fd(&work->sess->file_table, fp);
+ }
+}
+
+int ksmbd_close_inode_fds(struct ksmbd_work *work, struct inode *inode)
+{
+ struct ksmbd_inode *ci;
+ bool unlinked = true;
+ struct ksmbd_file *fp, *fptmp;
+ LIST_HEAD(dispose);
+
+ ci = ksmbd_inode_lookup_by_vfsinode(inode);
+ if (!ci)
+ return true;
+
+ if (ci->m_flags & (S_DEL_ON_CLS | S_DEL_PENDING))
+ unlinked = false;
+
+ write_lock(&ci->m_lock);
+ list_for_each_entry_safe(fp, fptmp, &ci->m_fp_list, node) {
+ if (fp->conn)
+ continue;
+
+ list_del(&fp->node);
+ list_add(&fp->node, &dispose);
+ }
+ atomic_dec(&ci->m_count);
+ write_unlock(&ci->m_lock);
+
+ close_fd_list(work, &dispose);
+ return unlinked;
+}
+
+int ksmbd_file_table_flush(struct ksmbd_work *work)
+{
+ struct ksmbd_file *fp = NULL;
+ unsigned int id;
+ int ret;
+
+ read_lock(&work->sess->file_table.lock);
+ idr_for_each_entry(work->sess->file_table.idr, fp, id) {
+ ret = ksmbd_vfs_fsync(work, fp->volatile_id, KSMBD_NO_FID);
+ if (ret)
+ break;
+ }
+ read_unlock(&work->sess->file_table.lock);
+ return ret;
+}
+
+int ksmbd_init_file_table(struct ksmbd_file_table *ft)
+{
+ ft->idr = ksmbd_alloc(sizeof(struct idr));
+ if (!ft->idr)
+ return -ENOMEM;
+
+ idr_init(ft->idr);
+ rwlock_init(&ft->lock);
+ return 0;
+}
+
+void ksmbd_destroy_file_table(struct ksmbd_file_table *ft)
+{
+ if (!ft->idr)
+ return;
+
+ __close_file_table_ids(ft, NULL, session_fd_check);
+ idr_destroy(ft->idr);
+ ksmbd_free(ft->idr);
+ ft->idr = NULL;
+}
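Review bot: In ksmbd_lookup_fd_inode() the matching `lfp` is returned after `read_unlock(&ci->m_lock)` without a reference being taken on it, so the caller holds a bare pointer that a concurrent close can free underneath it (`__ksmbd_close_fd()` ends in `ksmbd_free_file_struct(fp)`). Take the reference while still under the lock, for example `lfp = ksmbd_fp_get(lfp);` before unlocking, and have callers release it with `ksmbd_fd_put()`. That function, ksmbd_query_inode_status() and ksmbd_close_inode_fds() also drop the reference obtained from the lookup with a plain `atomic_dec(&ci->m_count)`; if that turns out to be the last reference, the `ksmbd_inode` is never unhashed or freed, so these paths should call `ksmbd_inode_put()` once their locks are released. Two smaller items: ksmbd_file_table_flush() returns `ret` uninitialised when the session idr is empty (initialise it to 0), and the failure branch of `__open_id()` calls `fd_limit_close()` for `OPEN_ID_TYPE_PERSISTENT_ID` too, although `fd_limit_depleted()` only charged the limit for the volatile type.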
diff --git a/fs/cifsd/vfs_cache.h b/fs/cifsd/vfs_cache.h
new file mode 100644
index 000000000000..7d23657c86c6
--- /dev/null
+++ b/fs/cifsd/vfs_cache.h
@@ -0,0 +1,213 @@
+/* SPDX-License-Identifier: GPL-2.0-or-later */
+/*
+ * Copyright (C) 2019 Samsung Electronics Co., Ltd.
+ */
+
+#ifndef __VFS_CACHE_H__
+#define __VFS_CACHE_H__
+
+#include <linux/version.h>
+#include <linux/file.h>
+#include <linux/fs.h>
+#include <linux/rwsem.h>
+#include <linux/spinlock.h>
+#include <linux/idr.h>
+#include <linux/workqueue.h>
+
+#include "vfs.h"
+
+/* Windows style file permissions for extended response */
+#define FILE_GENERIC_ALL 0x1F01FF
+#define FILE_GENERIC_READ 0x120089
+#define FILE_GENERIC_WRITE 0x120116
+#define FILE_GENERIC_EXECUTE 0X1200a0
+
+#define KSMBD_START_FID 0
+#define KSMBD_NO_FID (UINT_MAX)
+#define SMB2_NO_FID (0xFFFFFFFFFFFFFFFFULL)
+
+#define FP_FILENAME(fp) fp->filp->f_path.dentry->d_name.name
+#define FP_INODE(fp) fp->filp->f_path.dentry->d_inode
+#define PARENT_INODE(fp) fp->filp->f_path.dentry->d_parent->d_inode
+
+#define ATTR_FP(fp) (fp->attrib_only && \
+ (fp->cdoption != FILE_OVERWRITE_IF_LE && \
+ fp->cdoption != FILE_OVERWRITE_LE && \
+ fp->cdoption != FILE_SUPERSEDE_LE))
+
+struct ksmbd_conn;
+struct ksmbd_session;
+
+struct ksmbd_lock {
+ struct file_lock *fl;
+ struct list_head glist;
+ struct list_head llist;
+ unsigned int flags;
+ int cmd;
+ int zero_len;
+ unsigned long long start;
+ unsigned long long end;
+};
+
+struct stream {
+ char *name;
+ ssize_t size;
+};
+
+struct ksmbd_inode {
+ rwlock_t m_lock;
+ atomic_t m_count;
+ atomic_t op_count;
+ /* opinfo count for streams */
+ atomic_t sop_count;
+ struct inode *m_inode;
+ unsigned int m_flags;
+ struct hlist_node m_hash;
+ struct list_head m_fp_list;
+ struct list_head m_op_list;
+ struct oplock_info *m_opinfo;
+ __le32 m_fattr;
+};
+
+struct ksmbd_file {
+ struct file *filp;
+ char *filename;
+ unsigned int persistent_id;
+ unsigned int volatile_id;
+
+ spinlock_t f_lock;
+
+ struct ksmbd_inode *f_ci;
+ struct ksmbd_inode *f_parent_ci;
+ struct oplock_info __rcu *f_opinfo;
+ struct ksmbd_conn *conn;
+ struct ksmbd_tree_connect *tcon;
+
+ atomic_t refcount;
+ __le32 daccess;
+ __le32 saccess;
+ __le32 coption;
+ __le32 cdoption;
+ __u64 create_time;
+ __u64 itime;
+
+ bool is_durable;
+ bool is_resilient;
+ bool is_persistent;
+ bool is_nt_open;
+ bool attrib_only;
+
+ char client_guid[16];
+ char create_guid[16];
+ char app_instance_id[16];
+
+ struct stream stream;
+ struct list_head node;
+ struct list_head blocked_works;
+
+ int durable_timeout;
+
+ /* for SMB1 */
+ int pid;
+
+ /* conflict lock fail count for SMB1 */
+ unsigned int cflock_cnt;
+ /* last lock failure start offset for SMB1 */
+ unsigned long long llock_fstart;
+
+ int dirent_offset;
+
+ /* if ls is happening on directory, below is valid*/
+ struct ksmbd_readdir_data readdir_data;
+ int dot_dotdot[2];
+};
+
+static inline void set_ctx_actor(struct dir_context *ctx,
+ filldir_t actor)
+{
+ ctx->actor = actor;
+}
+
+#define KSMBD_NR_OPEN_DEFAULT BITS_PER_LONG
+
+struct ksmbd_file_table {
+ rwlock_t lock;
+ struct idr *idr;
+};
+
+static inline bool HAS_FILE_ID(unsigned long long req)
+{
+ unsigned int id = (unsigned int)req;
+
+ return id < KSMBD_NO_FID;
+}
+
+static inline bool ksmbd_stream_fd(struct ksmbd_file *fp)
+{
+ return fp->stream.name != NULL;
+}
+
+int ksmbd_init_file_table(struct ksmbd_file_table *ft);
+void ksmbd_destroy_file_table(struct ksmbd_file_table *ft);
+
+int ksmbd_close_fd(struct ksmbd_work *work, unsigned int id);
+
+struct ksmbd_file *ksmbd_lookup_fd_fast(struct ksmbd_work *work,
+ unsigned int id);
+struct ksmbd_file *ksmbd_lookup_foreign_fd(struct ksmbd_work *work,
+ unsigned int id);
+struct ksmbd_file *ksmbd_lookup_fd_slow(struct ksmbd_work *work,
+ unsigned int id,
+ unsigned int pid);
+
+void ksmbd_fd_put(struct ksmbd_work *work, struct ksmbd_file *fp);
+
+int ksmbd_close_fd_app_id(struct ksmbd_work *work, char *app_id);
+struct ksmbd_file *ksmbd_lookup_durable_fd(unsigned long long id);
+struct ksmbd_file *ksmbd_lookup_fd_cguid(char *cguid);
+struct ksmbd_file *ksmbd_lookup_fd_filename(struct ksmbd_work *work,
+ char *filename);
+struct ksmbd_file *ksmbd_lookup_fd_inode(struct inode *inode);
+
+unsigned int ksmbd_open_durable_fd(struct ksmbd_file *fp);
+
+struct ksmbd_file *ksmbd_open_fd(struct ksmbd_work *work,
+ struct file *filp);
+
+void ksmbd_close_tree_conn_fds(struct ksmbd_work *work);
+void ksmbd_close_session_fds(struct ksmbd_work *work);
+
+int ksmbd_close_inode_fds(struct ksmbd_work *work, struct inode *inode);
+
+int ksmbd_reopen_durable_fd(struct ksmbd_work *work,
+ struct ksmbd_file *fp);
+
+int ksmbd_init_global_file_table(void);
+void ksmbd_free_global_file_table(void);
+
+int ksmbd_file_table_flush(struct ksmbd_work *work);
+
+void ksmbd_set_fd_limit(unsigned long limit);
+
+/*
+ * INODE hash
+ */
+
+int __init ksmbd_inode_hash_init(void);
+void __exit ksmbd_release_inode_hash(void);
+
+enum KSMBD_INODE_STATUS {
+ KSMBD_INODE_STATUS_OK,
+ KSMBD_INODE_STATUS_UNKNOWN,
+ KSMBD_INODE_STATUS_PENDING_DELETE,
+};
+
+int ksmbd_query_inode_status(struct inode *inode);
+
+bool ksmbd_inode_pending_delete(struct ksmbd_file *fp);
+void ksmbd_set_inode_pending_delete(struct ksmbd_file *fp);
+void ksmbd_clear_inode_pending_delete(struct ksmbd_file *fp);
+
+void ksmbd_fd_set_delete_on_close(struct ksmbd_file *fp,
+ int file_info);
+#endif /* __VFS_CACHE_H__ */
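Review bot: HAS_FILE_ID() takes an `unsigned long long` but tests only `(unsigned int)req`, and `persistent_id` / `volatile_id` in `struct ksmbd_file` are `unsigned int`, so the upper 32 bits of a 64-bit id passed in are silently ignored rather than rejected, while `SMB2_NO_FID` is defined as a full 64-bit value. Either check that the upper half is zero before the narrowing cast or keep the ids 64-bit end to end, and say in a comment which is intended. Also, `FP_FILENAME`, `FP_INODE`, `PARENT_INODE` and `ATTR_FP` expand `fp` without parentheses (`fp->filp->...`), which breaks for any argument that is not a plain identifier; wrap the parameter as `(fp)` or turn these into static inline functions.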
From patchwork Mon Nov 14 12:48:33 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Jason Yan <yanaijie(a)huawei.com>
X-Patchwork-Id: 183101
Return-Path: <yanaijie(a)huawei.com>
From: Jason Yan <yanaijie(a)huawei.com>
To: <yanaijie(a)huawei.com>, <zhengzengkai(a)huawei.com>, <xiexiuqi(a)huawei.com>,
<yi.zhang(a)huawei.com>, <patchwork(a)huawei.com>, <kernel.openeuler(a)huawei.com>,
<houtao1(a)huawei.com>
Subject: [PATCH OLK-5.10 v2 004/308] cifsd: uniquify extract_sharename()
Date: Mon, 14 Nov 2022 20:48:33 +0800
Message-ID: <20221114125337.1831594-5-yanaijie(a)huawei.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20221114125337.1831594-1-yanaijie(a)huawei.com>
References: <20221114125337.1831594-1-yanaijie(a)huawei.com>
Content-Type: text/plain
MIME-Version: 1.0
From: Stephen Rothwell <sfr(a)canb.auug.org.au>
mainline inclusion
from mainline-5.15-rc1
commit 36ba38663be0a1b34aee1c79f3bb359fcac96c55
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G
CVE: NA
Reference: https://git.kernel.org/torvalds/linux/c/36ba38663be0
-------------------------------
uniquify extract_sharename().
Signed-off-by: Stephen Rothwell <sfr(a)canb.auug.org.au>
Signed-off-by: Namjae Jeon <namjae.jeon(a)samsung.com>
Signed-off-by: Steve French <stfrench(a)microsoft.com>
Signed-off-by: Jason Yan <yanaijie(a)huawei.com>
---
fs/cifsd/misc.c | 4 ++--
fs/cifsd/misc.h | 2 +-
fs/cifsd/smb2pdu.c | 2 +-
fs/cifsd/unicode.h | 2 +-
4 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/fs/cifsd/misc.c b/fs/cifsd/misc.c
index 9e689c33f7bb..68983b08d519 100644
--- a/fs/cifsd/misc.c
+++ b/fs/cifsd/misc.c
@@ -210,12 +210,12 @@ void ksmbd_conv_path_to_windows(char *path)
}
/**
- * extract_sharename() - get share name from tree connect request
+ * ksmbd_extract_sharename() - get share name from tree connect request
* @treename: buffer containing tree name and share name
*
* Return: share name on success, otherwise error
*/
-char *extract_sharename(char *treename)
+char *ksmbd_extract_sharename(char *treename)
{
char *name = treename;
char *dst;
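Review bot: The kernel-doc `Return:` line still says only "share name on success, otherwise error", but the caller in smb2_tree_connect() tests the result with `IS_ERR(name)`, so the failure value is an ERR_PTR rather than NULL. Since the comment is being touched for the rename anyway, spell that out, and state whether the returned string is newly allocated and has to be freed by the caller.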
diff --git a/fs/cifsd/misc.h b/fs/cifsd/misc.h
index d67843aad509..41b3dac2f5fc 100644
--- a/fs/cifsd/misc.h
+++ b/fs/cifsd/misc.h
@@ -25,7 +25,7 @@ void ksmbd_conv_path_to_unix(char *path);
void ksmbd_strip_last_slash(char *path);
void ksmbd_conv_path_to_windows(char *path);
-char *extract_sharename(char *treename);
+char *ksmbd_extract_sharename(char *treename);
char *convert_to_unix_name(struct ksmbd_share_config *share, char *name);
diff --git a/fs/cifsd/smb2pdu.c b/fs/cifsd/smb2pdu.c
index b20cc07ee809..a4e78ebb0773 100644
--- a/fs/cifsd/smb2pdu.c
+++ b/fs/cifsd/smb2pdu.c
@@ -1709,7 +1709,7 @@ int smb2_tree_connect(struct ksmbd_work *work)
goto out_err1;
}
- name = extract_sharename(treename);
+ name = ksmbd_extract_sharename(treename);
if (IS_ERR(name)) {
status.ret = KSMBD_TREE_CONN_STATUS_ERROR;
goto out_err1;
diff --git a/fs/cifsd/unicode.h b/fs/cifsd/unicode.h
index 228a02c9b95d..7135d62bf9b0 100644
--- a/fs/cifsd/unicode.h
+++ b/fs/cifsd/unicode.h
@@ -69,7 +69,7 @@ char *smb_strndup_from_utf16(const char *src, const int maxlen,
const struct nls_table *codepage);
extern int smbConvertToUTF16(__le16 *target, const char *source, int srclen,
const struct nls_table *cp, int mapchars);
-extern char *extract_sharename(char *treename);
+extern char *ksmbd_extract_sharename(char *treename);
#endif
wchar_t cifs_toupper(wchar_t in);
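Review bot: After the rename, ksmbd_extract_sharename() is still declared twice, once in misc.h and once here in unicode.h as `extern char *ksmbd_extract_sharename(char *treename);`, while the definition lives in misc.c. Drop the unicode.h copy and let users include misc.h, so the next signature change cannot leave the two prototypes out of sync.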
From patchwork Mon Nov 14 12:48:34 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Jason Yan <yanaijie(a)huawei.com>
X-Patchwork-Id: 183102
Return-Path: <yanaijie(a)huawei.com>
From: Jason Yan <yanaijie(a)huawei.com>
To: <yanaijie(a)huawei.com>, <zhengzengkai(a)huawei.com>, <xiexiuqi(a)huawei.com>,
<yi.zhang(a)huawei.com>, <patchwork(a)huawei.com>, <kernel.openeuler(a)huawei.com>,
<houtao1(a)huawei.com>
Subject: [PATCH OLK-5.10 v2 005/308] cifsd: Fix a handful of spelling mistakes
Date: Mon, 14 Nov 2022 20:48:34 +0800
Message-ID: <20221114125337.1831594-6-yanaijie(a)huawei.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20221114125337.1831594-1-yanaijie(a)huawei.com>
References: <20221114125337.1831594-1-yanaijie(a)huawei.com>
Content-Type: text/plain
MIME-Version: 1.0
From: Colin Ian King <colin.king(a)canonical.com>
mainline inclusion
from mainline-5.15-rc1
commit 1e853b937b2fcc51ff3939c7ae657d0726681ca1
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G
CVE: NA
Reference: https://git.kernel.org/torvalds/linux/c/1e853b937b2f
-------------------------------
There are several spelling mistakes in various ksmbd_err and
ksmbd_debug messages. Fix these.
Signed-off-by: Colin Ian King <colin.king(a)canonical.com>
Signed-off-by: Namjae Jeon <namjae.jeon(a)samsung.com>
Signed-off-by: Steve French <stfrench(a)microsoft.com>
Signed-off-by: Jason Yan <yanaijie(a)huawei.com>
---
fs/cifsd/ndr.c | 2 +-
fs/cifsd/smb2pdu.c | 4 ++--
fs/cifsd/transport_rdma.c | 2 +-
3 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/fs/cifsd/ndr.c b/fs/cifsd/ndr.c
index d96dcd9e43c6..aa0cb8fc555d 100644
--- a/fs/cifsd/ndr.c
+++ b/fs/cifsd/ndr.c
@@ -325,7 +325,7 @@ int ndr_decode_v4_ntacl(struct ndr *n, struct xattr_ntacl *acl)
ndr_read_bytes(n, acl->desc, 10);
if (strncmp(acl->desc, "posix_acl", 9)) {
- ksmbd_err("Invalid acl desciption : %s\n", acl->desc);
+ ksmbd_err("Invalid acl description : %s\n", acl->desc);
return -EINVAL;
}
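Review bot: the corrected ksmbd_err() in ndr_decode_v4_ntacl() still prints acl->desc with a bare %s on the very path where the strncmp() against "posix_acl" has just failed, so the 10 bytes read by ndr_read_bytes() are known not to be the expected string and nothing in this hunk shows them to be NUL-terminated. Since the line is being touched anyway, consider bounding the print (for example "%.10s") so a malformed xattr cannot make the log call read past the field.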
diff --git a/fs/cifsd/smb2pdu.c b/fs/cifsd/smb2pdu.c
index a4e78ebb0773..730bddbc8152 100644
--- a/fs/cifsd/smb2pdu.c
+++ b/fs/cifsd/smb2pdu.c
@@ -2508,7 +2508,7 @@ int smb2_open(struct ksmbd_work *work)
if (req->NameLength) {
if ((req->CreateOptions & FILE_DIRECTORY_FILE_LE) &&
*(char *)req->Buffer == '\\') {
- ksmbd_err("not allow directory name included leadning slash\n");
+ ksmbd_err("not allow directory name included leading slash\n");
rc = -EINVAL;
goto err_out1;
}
@@ -2636,7 +2636,7 @@ int smb2_open(struct ksmbd_work *work)
}
if (!(req->DesiredAccess & DESIRED_ACCESS_MASK)) {
- ksmbd_err("Invalid disired access : 0x%x\n",
+ ksmbd_err("Invalid desired access : 0x%x\n",
le32_to_cpu(req->DesiredAccess));
rc = -EACCES;
goto err_out1;
diff --git a/fs/cifsd/transport_rdma.c b/fs/cifsd/transport_rdma.c
index 1698f7ed9c2f..4f4806d67ab0 100644
--- a/fs/cifsd/transport_rdma.c
+++ b/fs/cifsd/transport_rdma.c
@@ -485,7 +485,7 @@ static int smb_direct_check_recvmsg(struct smb_direct_recvmsg *recvmsg)
struct smb2_hdr *hdr = (struct smb2_hdr *) (recvmsg->packet
+ le32_to_cpu(req->data_offset) - 4);
ksmbd_debug(RDMA,
- "CreditGranted: %u, CreditRequested: %u, DataLength: %u, RemaingDataLength: %u, SMB: %x, Command: %u\n",
+ "CreditGranted: %u, CreditRequested: %u, DataLength: %u, RemainingDataLength: %u, SMB: %x, Command: %u\n",
le16_to_cpu(req->credits_granted),
le16_to_cpu(req->credits_requested),
req->data_length, req->remaining_data_length,
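Review bot: in the ksmbd_debug() call of smb_direct_check_recvmsg(), req->data_length and req->remaining_data_length are passed to %u as they are, while the two credit fields next to them go through le16_to_cpu() and data_offset through le32_to_cpu(). If those two fields are little-endian wire fields like their neighbours, the RemainingDataLength value this patch renames will print byte-swapped on big-endian hosts; wrapping both in le32_to_cpu() would fit this cleanup.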
From patchwork Mon Nov 14 12:48:35 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Jason Yan <yanaijie(a)huawei.com>
X-Patchwork-Id: 183103
From: Jason Yan <yanaijie(a)huawei.com>
To: <yanaijie(a)huawei.com>, <zhengzengkai(a)huawei.com>, <xiexiuqi(a)huawei.com>,
<yi.zhang(a)huawei.com>, <patchwork(a)huawei.com>, <kernel.openeuler(a)huawei.com>,
<houtao1(a)huawei.com>
Subject: [PATCH OLK-5.10 v2 006/308] cifsd: fix a precedence bug in
parse_dacl()
Date: Mon, 14 Nov 2022 20:48:35 +0800
Message-ID: <20221114125337.1831594-7-yanaijie(a)huawei.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20221114125337.1831594-1-yanaijie(a)huawei.com>
References: <20221114125337.1831594-1-yanaijie(a)huawei.com>
Content-Type: text/plain
MIME-Version: 1.0
From: Dan Carpenter <dan.carpenter(a)oracle.com>
mainline inclusion
from mainline-5.15-rc1
commit 86df49e105afa6a205abb7d90809c3c76136eaa9
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G
CVE: NA
Reference: https://git.kernel.org/torvalds/linux/c/86df49e105af
-------------------------------
The shift has higher precedence than mask so this doesn't work as
intended.
Signed-off-by: Dan Carpenter <dan.carpenter(a)oracle.com>
Reviewed-by: Sergey Senozhatsky <sergey.senozhatsky(a)gmail.com>
Signed-off-by: Namjae Jeon <namjae.jeon(a)samsung.com>
Signed-off-by: Steve French <stfrench(a)microsoft.com>
Signed-off-by: Jason Yan <yanaijie(a)huawei.com>
---
fs/cifsd/smbacl.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/fs/cifsd/smbacl.c b/fs/cifsd/smbacl.c
index 8d8360ca4751..294c5a8fe9af 100644
--- a/fs/cifsd/smbacl.c
+++ b/fs/cifsd/smbacl.c
@@ -520,7 +520,7 @@ static void parse_dacl(struct smb_acl *pdacl, char *end_of_acl,
fattr->cf_gid;
acl_state.groups->aces[acl_state.groups->n++].perms.allow =
(mode & 0070) >> 3;
- default_acl_state.group.allow = mode & 0070 >> 3;
+ default_acl_state.group.allow = (mode & 0070) >> 3;
default_acl_state.groups->aces[default_acl_state.groups->n].gid =
fattr->cf_gid;
default_acl_state.groups->aces[default_acl_state.groups->n++].perms.allow =
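Review bot: the commit message should record what the removed line actually computed, because this is a permission value and not a cosmetic fix. In parse_dacl(), `mode & 0070 >> 3` parses as `mode & (0070 >> 3)`, that is `mode & 07`, so default_acl_state.group.allow was taking the "other" permission bits instead of the group bits, while the acl_state line just above already used `(mode & 0070) >> 3`. Stating that in the log and adding a Fixes: tag would keep the backport from being triaged as a plain "category: feature" change.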
From patchwork Mon Nov 14 12:48:36 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Jason Yan <yanaijie(a)huawei.com>
X-Patchwork-Id: 183104
From: Jason Yan <yanaijie(a)huawei.com>
To: <yanaijie(a)huawei.com>, <zhengzengkai(a)huawei.com>, <xiexiuqi(a)huawei.com>,
<yi.zhang(a)huawei.com>, <patchwork(a)huawei.com>, <kernel.openeuler(a)huawei.com>,
<houtao1(a)huawei.com>
Subject: [PATCH OLK-5.10 v2 007/308] cifsd: fix a IS_ERR() vs NULL bug
Date: Mon, 14 Nov 2022 20:48:36 +0800
Message-ID: <20221114125337.1831594-8-yanaijie(a)huawei.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20221114125337.1831594-1-yanaijie(a)huawei.com>
References: <20221114125337.1831594-1-yanaijie(a)huawei.com>
Content-Type: text/plain
MIME-Version: 1.0
From: Dan Carpenter <dan.carpenter(a)oracle.com>
mainline inclusion
from mainline-5.15-rc1
commit 8ef32967065737dac51974efae333436354bea0a
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G
CVE: NA
Reference: https://git.kernel.org/torvalds/linux/c/8ef329670657
-------------------------------
The smb_direct_alloc_sendmsg() function never returns NULL, it only
returns error pointers so the check needs to be updated.
Signed-off-by: Dan Carpenter <dan.carpenter(a)oracle.com>
Reviewed-by: Sergey Senozhatsky <sergey.senozhatsky(a)gmail.com>
Signed-off-by: Namjae Jeon <namjae.jeon(a)samsung.com>
Signed-off-by: Steve French <stfrench(a)microsoft.com>
Signed-off-by: Jason Yan <yanaijie(a)huawei.com>
---
fs/cifsd/transport_rdma.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/fs/cifsd/transport_rdma.c b/fs/cifsd/transport_rdma.c
index 4f4806d67ab0..d235051dc5b1 100644
--- a/fs/cifsd/transport_rdma.c
+++ b/fs/cifsd/transport_rdma.c
@@ -997,8 +997,8 @@ static int smb_direct_create_header(struct smb_direct_transport *t,
int ret;
sendmsg = smb_direct_alloc_sendmsg(t);
- if (!sendmsg)
- return -ENOMEM;
+ if (IS_ERR(sendmsg))
+ return PTR_ERR(sendmsg);
/* Fill in the packet header */
packet = (struct smb_direct_data_transfer *)sendmsg->packet;
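Review bot: the log should say what the old check let through: in smb_direct_create_header() an error pointer is non-NULL, so `if (!sendmsg)` never fired and the following `sendmsg->packet` dereferenced the ERR_PTR value. It is also worth confirming in the same review that no other caller of smb_direct_alloc_sendmsg() still tests the result against NULL, since the function's return contract is only described in the commit message.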
From patchwork Mon Nov 14 12:48:37 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Jason Yan <yanaijie(a)huawei.com>
X-Patchwork-Id: 183105
From: Jason Yan <yanaijie(a)huawei.com>
To: <yanaijie(a)huawei.com>, <zhengzengkai(a)huawei.com>, <xiexiuqi(a)huawei.com>,
<yi.zhang(a)huawei.com>, <patchwork(a)huawei.com>, <kernel.openeuler(a)huawei.com>,
<houtao1(a)huawei.com>
Subject: [PATCH OLK-5.10 v2 008/308] cifsd: Fix a use after free on error path
Date: Mon, 14 Nov 2022 20:48:37 +0800
Message-ID: <20221114125337.1831594-9-yanaijie(a)huawei.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20221114125337.1831594-1-yanaijie(a)huawei.com>
References: <20221114125337.1831594-1-yanaijie(a)huawei.com>
Content-Type: text/plain
MIME-Version: 1.0
From: Dan Carpenter <dan.carpenter(a)oracle.com>
mainline inclusion
from mainline-5.15-rc1
commit a2ba2709f5e465b316ef1f18605190d249847aad
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G
CVE: NA
Reference: https://git.kernel.org/torvalds/linux/c/a2ba2709f5e4
-------------------------------
The ksmbd_free_work_struct() frees "work" so we need to swap the order
of these two function calls to avoid a use after free.
Signed-off-by: Dan Carpenter <dan.carpenter(a)oracle.com>
Reviewed-by: Sergey Senozhatsky <sergey.senozhatsky(a)gmail.com>
Signed-off-by: Namjae Jeon <namjae.jeon(a)samsung.com>
Signed-off-by: Steve French <stfrench(a)microsoft.com>
Signed-off-by: Jason Yan <yanaijie(a)huawei.com>
---
fs/cifsd/oplock.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/fs/cifsd/oplock.c b/fs/cifsd/oplock.c
index 6c3dbc71134e..f694c14be0df 100644
--- a/fs/cifsd/oplock.c
+++ b/fs/cifsd/oplock.c
@@ -638,8 +638,8 @@ static void __smb2_oplock_break_noti(struct work_struct *wk)
if (allocate_oplock_break_buf(work)) {
ksmbd_err("smb2_allocate_rsp_buf failed! ");
atomic_dec(&conn->r_count);
- ksmbd_free_work_struct(work);
ksmbd_fd_put(work, fp);
+ ksmbd_free_work_struct(work);
return;
}
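Review bot: the ksmbd_err() on this error path of __smb2_oplock_break_noti() names the wrong function and lacks a newline: it reports "smb2_allocate_rsp_buf failed! " although the call that failed is allocate_oplock_break_buf(). Fixing the text and ending it with "\n" in the same touch would make the log line usable when this path is hit; a Fixes: tag for the commit that introduced the free-before-put ordering would also help stable triage.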
From patchwork Mon Nov 14 12:48:38 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Jason Yan <yanaijie(a)huawei.com>
X-Patchwork-Id: 183106
From: Jason Yan <yanaijie(a)huawei.com>
To: <yanaijie(a)huawei.com>, <zhengzengkai(a)huawei.com>, <xiexiuqi(a)huawei.com>,
<yi.zhang(a)huawei.com>, <patchwork(a)huawei.com>, <kernel.openeuler(a)huawei.com>,
<houtao1(a)huawei.com>
Subject: [PATCH OLK-5.10 v2 009/308] cifsd: fix static checker warning from
smb_direct_post_send_data()
Date: Mon, 14 Nov 2022 20:48:38 +0800
Message-ID: <20221114125337.1831594-10-yanaijie(a)huawei.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20221114125337.1831594-1-yanaijie(a)huawei.com>
References: <20221114125337.1831594-1-yanaijie(a)huawei.com>
Content-Type: text/plain
MIME-Version: 1.0
From: Namjae Jeon <namjae.jeon(a)samsung.com>
mainline inclusion
from mainline-5.15-rc1
commit bc3fcc9462ef4ba3ae66593cbaf47bf7af703ed3
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G
CVE: NA
Reference: https://git.kernel.org/torvalds/linux/c/bc3fcc9462ef
-------------------------------
Dan reported static checker warning:
fs/cifsd/transport_rdma.c:1168 smb_direct_post_send_data()
warn: missing error code 'ret'
This patch adds the missing ret error code.
Reported-by: Dan Carpenter <dan.carpenter(a)oracle.com>
Signed-off-by: Namjae Jeon <namjae.jeon(a)samsung.com>
Signed-off-by: Steve French <stfrench(a)microsoft.com>
Signed-off-by: Jason Yan <yanaijie(a)huawei.com>
---
fs/cifsd/transport_rdma.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/fs/cifsd/transport_rdma.c b/fs/cifsd/transport_rdma.c
index d235051dc5b1..45b76847f1e7 100644
--- a/fs/cifsd/transport_rdma.c
+++ b/fs/cifsd/transport_rdma.c
@@ -1165,6 +1165,7 @@ static int smb_direct_post_send_data(struct smb_direct_transport *t,
sg, SMB_DIRECT_MAX_SEND_SGES-1, DMA_TO_DEVICE);
if (sg_cnt <= 0) {
ksmbd_err("failed to map buffer\n");
+ ret = -ENOMEM;
goto err;
} else if (sg_cnt + msg->num_sge > SMB_DIRECT_MAX_SEND_SGES-1) {
ksmbd_err("buffer not fitted into sges\n");
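Review bot: -ENOMEM for `sg_cnt <= 0` in smb_direct_post_send_data() may not describe the failure, since the message says the buffer could not be mapped, which is not necessarily an allocation failure; -EIO, or propagating a negative sg_cnt when there is one, would be more precise. The next branch ("buffer not fitted into sges") is cut off in this context, so please confirm it also assigns ret before its goto err.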
From patchwork Mon Nov 14 12:48:39 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Jason Yan <yanaijie(a)huawei.com>
X-Patchwork-Id: 183107
From: Jason Yan <yanaijie(a)huawei.com>
To: <yanaijie(a)huawei.com>, <zhengzengkai(a)huawei.com>, <xiexiuqi(a)huawei.com>,
<yi.zhang(a)huawei.com>, <patchwork(a)huawei.com>, <kernel.openeuler(a)huawei.com>,
<houtao1(a)huawei.com>
Subject: [PATCH OLK-5.10 v2 010/308] cifsd: fix static checker warning from
smb_check_perm_dacl()
Date: Mon, 14 Nov 2022 20:48:39 +0800
Message-ID: <20221114125337.1831594-11-yanaijie(a)huawei.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20221114125337.1831594-1-yanaijie(a)huawei.com>
References: <20221114125337.1831594-1-yanaijie(a)huawei.com>
Content-Type: text/plain
MIME-Version: 1.0
From: Namjae Jeon <namjae.jeon(a)samsung.com>
mainline inclusion
from mainline-5.15-rc1
commit 50355b0b20103a2be39e269a92909fa69f16f2d0
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G
CVE: NA
Reference: https://git.kernel.org/torvalds/linux/c/50355b0b2010
-------------------------------
Dan reported static checker warning:
fs/cifsd/smbacl.c:1140 smb_check_perm_dacl()
error: we previously assumed 'pntsd' could be null (see line 1137)
This patch validates the bounds of the pntsd buffer.
Reported-by: Dan Carpenter <dan.carpenter(a)oracle.com>
Signed-off-by: Namjae Jeon <namjae.jeon(a)samsung.com>
Signed-off-by: Steve French <stfrench(a)microsoft.com>
Signed-off-by: Jason Yan <yanaijie(a)huawei.com>
---
fs/cifsd/smbacl.c | 27 +++++++++++++++++++++++++--
1 file changed, 25 insertions(+), 2 deletions(-)
diff --git a/fs/cifsd/smbacl.c b/fs/cifsd/smbacl.c
index 294c5a8fe9af..77c79cf4afd0 100644
--- a/fs/cifsd/smbacl.c
+++ b/fs/cifsd/smbacl.c
@@ -800,9 +800,13 @@ int parse_sec_desc(struct smb_ntsd *pntsd, int acl_len,
le32_to_cpu(pntsd->gsidoffset),
le32_to_cpu(pntsd->sacloffset), dacloffset);
- if (dacloffset && dacl_ptr)
+ if (dacloffset) {
+ if (end_of_acl <= (char *)dacl_ptr ||
+ end_of_acl < (char *)dacl_ptr + le16_to_cpu(dacl_ptr->size))
+ return -EIO;
total_ace_size =
le16_to_cpu(dacl_ptr->size) - sizeof(struct smb_acl);
+ }
pntsd_type = le16_to_cpu(pntsd->type);
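Review bot: the new check in parse_sec_desc() reads dacl_ptr->size after only establishing `end_of_acl > (char *)dacl_ptr`, which guarantees a single byte and not a whole struct smb_acl; the first comparison should be against `(char *)dacl_ptr + sizeof(struct smb_acl)`. It also lacks the lower bound that the smb_check_perm_dacl() hunk adds (`le16_to_cpu(pdacl->size) < sizeof(struct smb_acl)`), so a size smaller than the header still makes total_ace_size wrap or go negative.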
@@ -1131,13 +1135,28 @@ int smb_check_perm_dacl(struct ksmbd_conn *conn, struct dentry *dentry,
struct smb_ace *others_ace = NULL;
struct posix_acl_entry *pa_entry;
unsigned int sid_type = SIDOWNER;
+ char *end_of_acl;
ksmbd_debug(SMB, "check permission using windows acl\n");
acl_size = ksmbd_vfs_get_sd_xattr(conn, dentry, &pntsd);
- if (acl_size <= 0 || (pntsd && !pntsd->dacloffset))
+ if (acl_size <= 0 || !pntsd || !pntsd->dacloffset) {
+ kfree(pntsd);
return 0;
+ }
pdacl = (struct smb_acl *)((char *)pntsd + le32_to_cpu(pntsd->dacloffset));
+ end_of_acl = ((char *)pntsd) + acl_size;
+ if (end_of_acl <= (char *)pdacl) {
+ kfree(pntsd);
+ return 0;
+ }
+
+ if (end_of_acl < (char *)pdacl + le16_to_cpu(pdacl->size) ||
+ le16_to_cpu(pdacl->size) < sizeof(struct smb_acl)) {
+ kfree(pntsd);
+ return 0;
+ }
+
if (!pdacl->num_aces) {
if (!(le16_to_cpu(pdacl->size) - sizeof(struct smb_acl)) &&
*pdaccess & ~(FILE_READ_CONTROL_LE | FILE_WRITE_DAC_LE)) {
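Review bot: every malformed-descriptor exit added to smb_check_perm_dacl() returns 0, the same value as the existing "no ACL stored" path, whereas parse_sec_desc() returns -EIO for the equivalent condition. If 0 means the access check passed, a truncated or corrupt security descriptor xattr fails open here, and returning an error would be safer. As in parse_sec_desc(), `pdacl->size` is read once `end_of_acl > (char *)pdacl` holds, which does not yet guarantee that a full struct smb_acl lies inside the buffer.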
@@ -1156,6 +1175,8 @@ int smb_check_perm_dacl(struct ksmbd_conn *conn, struct dentry *dentry,
for (i = 0; i < le32_to_cpu(pdacl->num_aces); i++) {
granted |= le32_to_cpu(ace->access_req);
ace = (struct smb_ace *) ((char *)ace + le16_to_cpu(ace->size));
+ if (end_of_acl < (char *)ace)
+ goto err_out;
}
if (!pdacl->num_aces)
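Review bot: the bound in this loop is tested after the pointer is advanced and only against the start of the next entry (`end_of_acl < (char *)ace`), so the following iteration can still read `ace->access_req` and `ace->size` from an entry whose header begins at or just before end_of_acl. Checking at the top of the loop, before the first dereference, that the fixed part of struct smb_ace and then `ace->size` bytes fit before end_of_acl would close that gap.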
@@ -1177,6 +1198,8 @@ int smb_check_perm_dacl(struct ksmbd_conn *conn, struct dentry *dentry,
others_ace = ace;
ace = (struct smb_ace *) ((char *)ace + le16_to_cpu(ace->size));
+ if (end_of_acl < (char *)ace)
+ goto err_out;
}
if (*pdaccess & FILE_MAXIMAL_ACCESS_LE && found) {
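Review bot: this second walk exits through `goto err_out`, while the checks added earlier in the function free pntsd explicitly before returning; the err_out label is not in the visible context, so please confirm it releases pntsd and state in the log what value it returns for a descriptor that runs past end_of_acl. The comparison has the same after-the-advance placement as in the previous loop.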
From patchwork Mon Nov 14 12:48:40 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Jason Yan <yanaijie(a)huawei.com>
X-Patchwork-Id: 183108
From: Jason Yan <yanaijie(a)huawei.com>
To: <yanaijie(a)huawei.com>, <zhengzengkai(a)huawei.com>, <xiexiuqi(a)huawei.com>,
<yi.zhang(a)huawei.com>, <patchwork(a)huawei.com>, <kernel.openeuler(a)huawei.com>,
<houtao1(a)huawei.com>
Subject: [PATCH OLK-5.10 v2 011/308] cifsd: remove unneeded FIXME comments
Date: Mon, 14 Nov 2022 20:48:40 +0800
Message-ID: <20221114125337.1831594-12-yanaijie(a)huawei.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20221114125337.1831594-1-yanaijie(a)huawei.com>
References: <20221114125337.1831594-1-yanaijie(a)huawei.com>
Content-Type: text/plain
MIME-Version: 1.0
From: Sergey Senozhatsky <senozhatsky(a)chromium.org>
mainline inclusion
from mainline-5.15-rc1
commit 2e2b0dda188993c86490cca02892a9a6e1449f5d
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G
CVE: NA
Reference: https://git.kernel.org/torvalds/linux/c/2e2b0dda1889
-------------------------------
Remove unneeded FIXME comments.
Signed-off-by: Sergey Senozhatsky <senozhatsky(a)chromium.org>
Signed-off-by: Namjae Jeon <namjae.jeon(a)samsung.com>
Signed-off-by: Steve French <stfrench(a)microsoft.com>
Signed-off-by: Jason Yan <yanaijie(a)huawei.com>
---
fs/cifsd/mgmt/share_config.c | 1 -
fs/cifsd/mgmt/share_config.h | 2 --
fs/cifsd/mgmt/tree_connect.c | 1 -
fs/cifsd/mgmt/tree_connect.h | 2 +-
fs/cifsd/mgmt/user_config.c | 1 -
fs/cifsd/mgmt/user_config.h | 3 +--
fs/cifsd/mgmt/user_session.c | 1 -
fs/cifsd/server.c | 2 --
fs/cifsd/smb_common.c | 1 -
fs/cifsd/transport_ipc.c | 3 ---
fs/cifsd/transport_ipc.h | 1 -
fs/cifsd/vfs_cache.c | 4 ----
12 files changed, 2 insertions(+), 20 deletions(-)
diff --git a/fs/cifsd/mgmt/share_config.c b/fs/cifsd/mgmt/share_config.c
index 0593702babfe..9bc7f7555ee2 100644
--- a/fs/cifsd/mgmt/share_config.c
+++ b/fs/cifsd/mgmt/share_config.c
@@ -16,7 +16,6 @@
#include "user_session.h"
#include "../buffer_pool.h"
#include "../transport_ipc.h"
-#include "../ksmbd_server.h" /* FIXME */
#define SHARE_HASH_BITS 3
static DEFINE_HASHTABLE(shares_table, SHARE_HASH_BITS);
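Review bot: the subject says only FIXME comments are removed, but this hunk deletes the whole `#include "../ksmbd_server.h"` line from share_config.c, not just the trailing comment. The log should mention that redundant includes are dropped as well and name the header that still provides those definitions, so a later include cleanup does not break the build.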
diff --git a/fs/cifsd/mgmt/share_config.h b/fs/cifsd/mgmt/share_config.h
index c47b874bd80b..49ca89667991 100644
--- a/fs/cifsd/mgmt/share_config.h
+++ b/fs/cifsd/mgmt/share_config.h
@@ -10,8 +10,6 @@
#include <linux/hashtable.h>
#include <linux/path.h>
-#include "../glob.h" /* FIXME */
-
struct ksmbd_share_config {
char *name;
char *path;
diff --git a/fs/cifsd/mgmt/tree_connect.c b/fs/cifsd/mgmt/tree_connect.c
index 2be7b2e2e3cd..d5670f2596a3 100644
--- a/fs/cifsd/mgmt/tree_connect.c
+++ b/fs/cifsd/mgmt/tree_connect.c
@@ -6,7 +6,6 @@
#include <linux/list.h>
#include <linux/slab.h>
-#include "../ksmbd_server.h" /* FIXME */
#include "../buffer_pool.h"
#include "../transport_ipc.h"
#include "../connection.h"
diff --git a/fs/cifsd/mgmt/tree_connect.h b/fs/cifsd/mgmt/tree_connect.h
index 46237cd05b9c..4e40ec3f4774 100644
--- a/fs/cifsd/mgmt/tree_connect.h
+++ b/fs/cifsd/mgmt/tree_connect.h
@@ -8,7 +8,7 @@
#include <linux/hashtable.h>
-#include "../ksmbd_server.h" /* FIXME */
+#include "../ksmbd_server.h"
struct ksmbd_share_config;
struct ksmbd_user;
diff --git a/fs/cifsd/mgmt/user_config.c b/fs/cifsd/mgmt/user_config.c
index 1ab68f80f72e..a1a454bfb57b 100644
--- a/fs/cifsd/mgmt/user_config.c
+++ b/fs/cifsd/mgmt/user_config.c
@@ -8,7 +8,6 @@
#include "user_config.h"
#include "../buffer_pool.h"
#include "../transport_ipc.h"
-#include "../ksmbd_server.h" /* FIXME */
struct ksmbd_user *ksmbd_login_user(const char *account)
{
diff --git a/fs/cifsd/mgmt/user_config.h b/fs/cifsd/mgmt/user_config.h
index 5cda4a5d3e2f..b2bb074a0150 100644
--- a/fs/cifsd/mgmt/user_config.h
+++ b/fs/cifsd/mgmt/user_config.h
@@ -6,8 +6,7 @@
#ifndef __USER_CONFIG_MANAGEMENT_H__
#define __USER_CONFIG_MANAGEMENT_H__
-#include "../glob.h" /* FIXME */
-#include "../ksmbd_server.h" /* FIXME */
+#include "../glob.h"
struct ksmbd_user {
unsigned short flags;
diff --git a/fs/cifsd/mgmt/user_session.c b/fs/cifsd/mgmt/user_session.c
index d9f6dbde850a..afcdf76a3851 100644
--- a/fs/cifsd/mgmt/user_session.c
+++ b/fs/cifsd/mgmt/user_session.c
@@ -14,7 +14,6 @@
#include "../transport_ipc.h"
#include "../connection.h"
#include "../buffer_pool.h"
-#include "../ksmbd_server.h" /* FIXME */
#include "../vfs_cache.h"
static struct ksmbd_ida *session_ida;
diff --git a/fs/cifsd/server.c b/fs/cifsd/server.c
index b9e114f8a5d2..4db443cd6dd1 100644
--- a/fs/cifsd/server.c
+++ b/fs/cifsd/server.c
@@ -102,8 +102,6 @@ static inline int check_conn_state(struct ksmbd_work *work)
return 0;
}
-/* @FIXME what a mess... god help. */
-
#define TCP_HANDLER_CONTINUE 0
#define TCP_HANDLER_ABORT 1
diff --git a/fs/cifsd/smb_common.c b/fs/cifsd/smb_common.c
index f7560b68b820..7eb6d98656c7 100644
--- a/fs/cifsd/smb_common.c
+++ b/fs/cifsd/smb_common.c
@@ -8,7 +8,6 @@
#include "server.h"
#include "misc.h"
#include "smbstatus.h"
-/* @FIXME */
#include "connection.h"
#include "ksmbd_work.h"
#include "mgmt/user_session.h"
diff --git a/fs/cifsd/transport_ipc.c b/fs/cifsd/transport_ipc.c
index b91fa265f85d..c49e46fda9b1 100644
--- a/fs/cifsd/transport_ipc.c
+++ b/fs/cifsd/transport_ipc.c
@@ -28,9 +28,6 @@
#include "connection.h"
#include "transport_tcp.h"
-/* @FIXME fix this code */
-extern int get_protocol_idx(char *str);
-
#define IPC_WAIT_TIMEOUT (2 * HZ)
#define IPC_MSG_HASH_BITS 3
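Review bot: along with the FIXME comment this hunk removes the `extern int get_protocol_idx(char *str);` declaration from transport_ipc.c, which is a code change the log does not mention. Please state which header now declares get_protocol_idx() for this file; if none of the remaining includes does, the call sites fall back to an implicit declaration or fail to build.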
diff --git a/fs/cifsd/transport_ipc.h b/fs/cifsd/transport_ipc.h
index 68c003027811..6ed7cbea727e 100644
--- a/fs/cifsd/transport_ipc.h
+++ b/fs/cifsd/transport_ipc.h
@@ -7,7 +7,6 @@
#define __KSMBD_TRANSPORT_IPC_H__
#include <linux/wait.h>
-#include "ksmbd_server.h" /* FIXME */
#define KSMBD_IPC_MAX_PAYLOAD 4096
diff --git a/fs/cifsd/vfs_cache.c b/fs/cifsd/vfs_cache.c
index 8d8c4e373308..af92fab5b7ae 100644
--- a/fs/cifsd/vfs_cache.c
+++ b/fs/cifsd/vfs_cache.c
@@ -8,18 +8,14 @@
#include <linux/slab.h>
#include <linux/vmalloc.h>
-/* @FIXME */
#include "glob.h"
#include "vfs_cache.h"
#include "buffer_pool.h"
-
#include "oplock.h"
#include "vfs.h"
#include "connection.h"
#include "mgmt/tree_connect.h"
#include "mgmt/user_session.h"
-
-/* @FIXME */
#include "smb_common.h"
#define S_DEL_PENDING 1
From patchwork Mon Nov 14 12:48:41 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Jason Yan <yanaijie(a)huawei.com>
X-Patchwork-Id: 183109
From: Jason Yan <yanaijie(a)huawei.com>
To: <yanaijie(a)huawei.com>, <zhengzengkai(a)huawei.com>, <xiexiuqi(a)huawei.com>,
<yi.zhang(a)huawei.com>, <patchwork(a)huawei.com>, <kernel.openeuler(a)huawei.com>,
<houtao1(a)huawei.com>
Subject: [PATCH OLK-5.10 v2 012/308] cifsd: fix incorrect comments
Date: Mon, 14 Nov 2022 20:48:41 +0800
Message-ID: <20221114125337.1831594-13-yanaijie(a)huawei.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20221114125337.1831594-1-yanaijie(a)huawei.com>
References: <20221114125337.1831594-1-yanaijie(a)huawei.com>
Content-Type: text/plain
MIME-Version: 1.0
From: Hyunchul Lee <hyc.lee(a)gmail.com>
mainline inclusion
from mainline-5.15-rc1
commit 95fa1ce947d60b1bb4a0b6c92989cbe3612c1e68
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G
CVE: NA
Reference: https://git.kernel.org/torvalds/linux/c/95fa1ce947d6
-------------------------------
kernel test bot reports some incorrect comments.
This patch fixes these comments.
Reported-by: kernel test bot <lkp(a)intel.com>
Signed-off-by: Hyunchul Lee <hyc.lee(a)gmail.com>
Signed-off-by: Namjae Jeon <namjae.jeon(a)samsung.com>
Signed-off-by: Steve French <stfrench(a)microsoft.com>
Signed-off-by: Jason Yan <yanaijie(a)huawei.com>
---
fs/cifsd/oplock.c | 66 ++++++++++++++++------------------------
fs/cifsd/server.c | 6 ++--
fs/cifsd/smb2pdu.c | 60 +++++++++---------------------------
fs/cifsd/smb_common.c | 7 ++---
fs/cifsd/transport_tcp.c | 5 +--
5 files changed, 51 insertions(+), 93 deletions(-)
diff --git a/fs/cifsd/oplock.c b/fs/cifsd/oplock.c
index f694c14be0df..e56c938a8f7a 100644
--- a/fs/cifsd/oplock.c
+++ b/fs/cifsd/oplock.c
@@ -21,11 +21,10 @@ static LIST_HEAD(lease_table_list);
static DEFINE_RWLOCK(lease_list_lock);
/**
- * get_new_opinfo() - allocate a new opinfo object for oplock info
- * @conn: connection instance
+ * alloc_opinfo() - allocate a new opinfo object for oplock info
+ * @work: smb work
* @id: fid of open file
* @Tid: tree id of connection
- * @lctx: lease context information
*
* Return: allocated opinfo object on success, otherwise NULL
*/
@@ -462,14 +461,6 @@ static void grant_none_oplock(struct oplock_info *opinfo_new,
}
}
-/**
- * find_opinfo() - find lease object for given client guid and lease key
- * @head: oplock list(read,write or none) head
- * @guid1: client guid of matching lease owner
- * @key1: lease key of matching lease owner
- *
- * Return: oplock(lease) object on success, otherwise NULL
- */
static inline int compare_guid_key(struct oplock_info *opinfo,
const char *guid1, const char *key1)
{
@@ -610,9 +601,9 @@ static inline int allocate_oplock_break_buf(struct ksmbd_work *work)
}
/**
- * smb2_oplock_break_noti() - send smb2 oplock break cmd from conn
+ * __smb2_oplock_break_noti() - send smb2 oplock break cmd from conn
* to client
- * @work: smb work object
+ * @wk: smb work object
*
* There are two ways this function can be called. 1- while file open we break
* from exclusive/batch lock to levelII oplock and 2- while file write/truncate
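Review bot: `@wk` is described as "smb work object", but the signature in the next hunk header is `__smb2_oplock_break_noti(struct work_struct *wk)`, so the parameter is a work_struct, not a ksmbd_work. Suggest describing it as the work_struct handed to the handler and saying how it relates to the smb work; the same wording issue applies to `__smb2_lease_break_noti(struct work_struct *wk)` further down.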
@@ -686,10 +677,9 @@ static void __smb2_oplock_break_noti(struct work_struct *wk)
}
/**
- * smb2_oplock_break() - send smb2 exclusive/batch to level2 oplock
+ * smb2_oplock_break_noti() - send smb2 exclusive/batch to level2 oplock
* break command from server to client
* @opinfo: oplock info object
- * @ack_required if requiring ack
*
* Return: 0 on success, otherwise error
*/
@@ -734,7 +724,7 @@ static int smb2_oplock_break_noti(struct oplock_info *opinfo)
/**
* __smb2_lease_break_noti() - send lease break command from server
* to client
- * @work: smb work object
+ * @wk: smb work object
*/
static void __smb2_lease_break_noti(struct work_struct *wk)
{
@@ -790,10 +780,9 @@ static void __smb2_lease_break_noti(struct work_struct *wk)
}
/**
- * smb2_break_lease() - break lease when a new client request
+ * smb2_lease_break_noti() - break lease when a new client request
* write lease
* @opinfo: conains lease state information
- * @ack_required: if requring ack
*
* Return: 0 on success, otherwise error
*/
@@ -1085,12 +1074,13 @@ static void set_oplock_level(struct oplock_info *opinfo, int level,
/**
* smb_grant_oplock() - handle oplock/lease request on file open
- * @fp: ksmbd file pointer
- * @oplock: granted oplock type
- * @id: fid of open file
- * @Tid: Tree id of connection
- * @lctx: lease context information on file open
- * @attr_only: attribute only file open type
+ * @work: smb work
+ * @req_op_level: oplock level
+ * @pid: id of open file
+ * @fp: ksmbd file pointer
+ * @tid: Tree id of connection
+ * @lctx: lease context information on file open
+ * @share_ret: share mode
*
* Return: 0 on success, otherwise error
*/
@@ -1222,10 +1212,10 @@ int smb_grant_oplock(struct ksmbd_work *work,
}
/**
- * smb_break_write_oplock() - break batch/exclusive oplock to level2
+ * smb_break_all_write_oplock() - break batch/exclusive oplock to level2
* @work: smb work
* @fp: ksmbd file pointer
- * @openfile: open file object
+ * @is_trunc: truncate on open
*/
static void smb_break_all_write_oplock(struct ksmbd_work *work,
struct ksmbd_file *fp, int is_trunc)
@@ -1250,7 +1240,7 @@ static void smb_break_all_write_oplock(struct ksmbd_work *work,
/**
* smb_break_all_levII_oplock() - send level2 oplock or read lease break command
* from server to client
- * @conn: connection instance
+ * @work: smb work
* @fp: ksmbd file pointer
* @is_trunc: truncate on open
*/
@@ -1351,7 +1341,7 @@ __u8 smb2_map_lease_to_oplock(__le32 lease_state)
/**
* create_lease_buf() - create lease context for open cmd response
* @rbuf: buffer to create lease context response
- * @lreq: buffer to stored parsed lease state information
+ * @lease: buffer to stored parsed lease state information
*/
void create_lease_buf(u8 *rbuf, struct lease *lease)
{
@@ -1378,7 +1368,6 @@ void create_lease_buf(u8 *rbuf, struct lease *lease)
/**
* parse_lease_state() - parse lease context containted in file open request
* @open_req: buffer containing smb2 file open(create) request
- * @lreq: buffer to stored parsed lease state information
*
* Return: oplock state, -ENOENT if create lease context not found
*/
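Review bot: The `Return:` line still reads "oplock state, -ENOENT if create lease context not found", while the function is declared `struct lease_ctx_info *parse_lease_state(void *open_req)` and so returns a pointer. Since this hunk already edits the comment, the return description should say which pointer is returned and what the not-found value is. "containted" on the first line of the comment is also a typo that could be fixed here.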
@@ -1426,7 +1415,7 @@ struct lease_ctx_info *parse_lease_state(void *open_req)
/**
* smb2_find_context_vals() - find a particular context info in open request
* @open_req: buffer containing smb2 file open(create) request
- * @str: context name to search for
+ * @tag: context name to search for
*
* Return: pointer to requested context, NULL if @str context not found
*/
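Review bot: The parameter line is renamed to `@tag`, but the `Return:` line two lines below still refers to the old name ("NULL if @str context not found"). Change that reference to `@tag` so the comment is consistent with `smb2_find_context_vals(void *open_req, const char *tag)`.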
@@ -1458,7 +1447,7 @@ struct create_context *smb2_find_context_vals(void *open_req, const char *tag)
}
/**
- * create_durable_buf() - create durable handle context
+ * create_durable_rsp__buf() - create durable handle context
* @cc: buffer to create durable context response
*/
void create_durable_rsp_buf(char *cc)
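Review bot: The new name in the comment, `create_durable_rsp__buf()`, has a double underscore and does not match the function directly below it, `create_durable_rsp_buf()`. The comment therefore still does not name the function it documents; drop the extra underscore.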
@@ -1481,8 +1470,9 @@ void create_durable_rsp_buf(char *cc)
}
/**
- * create_durable_buf() - create durable handle v2 context
+ * create_durable_v2_rsp_buf() - create durable handle v2 context
* @cc: buffer to create durable context response
+ * @fp: ksmbd file pointer
*/
void create_durable_v2_rsp_buf(char *cc, struct ksmbd_file *fp)
{
@@ -1508,8 +1498,9 @@ void create_durable_v2_rsp_buf(char *cc, struct ksmbd_file *fp)
}
/**
- * create_mxac_buf() - create query maximal access context
- * @cc: buffer to create maximal access context response
+ * create_mxac_rsp_buf() - create query maximal access context
+ * @cc: buffer to create maximal access context response
+ * @maximal_access: maximal access
*/
void create_mxac_rsp_buf(char *cc, int maximal_access)
{
@@ -1533,10 +1524,6 @@ void create_mxac_rsp_buf(char *cc, int maximal_access)
buf->MaximalAccess = cpu_to_le32(maximal_access);
}
-/**
- * create_mxac_buf() - create query maximal access context
- * @cc: buffer to create query disk on id context response
- */
void create_disk_id_rsp_buf(char *cc, __u64 file_id, __u64 vol_id)
{
struct create_disk_id_rsp *buf;
@@ -1560,8 +1547,9 @@ void create_disk_id_rsp_buf(char *cc, __u64 file_id, __u64 vol_id)
}
/**
- * create_posix_buf() - create posix extension context
+ * create_posix_rsp_buf() - create posix extension context
* @cc: buffer to create posix on posix response
+ * @fp: ksmbd file pointer
*/
void create_posix_rsp_buf(char *cc, struct ksmbd_file *fp)
{
diff --git a/fs/cifsd/server.c b/fs/cifsd/server.c
index 4db443cd6dd1..d222190a846b 100644
--- a/fs/cifsd/server.c
+++ b/fs/cifsd/server.c
@@ -86,7 +86,7 @@ char *ksmbd_work_group(void)
/**
* check_conn_state() - check state of server thread connection
- * @ksmbd_work: smb work containing server thread information
+ * @work: smb work containing server thread information
*
* Return: 0 on valid connection, otherwise 1 to reconnect
*/
@@ -248,7 +248,7 @@ static void __handle_ksmbd_work(struct ksmbd_work *work,
/**
* handle_ksmbd_work() - process pending smb work requests
- * @ksmbd_work: smb work containing request command buffer
+ * @wk: smb work containing request command buffer
*
* called by kworker threads to processing remaining smb work requests
*/
@@ -604,7 +604,7 @@ static int __init ksmbd_server_init(void)
}
/**
- * exit_smb_server() - shutdown forker thread and free memory at module exit
+ * ksmbd_server_exit() - shutdown forker thread and free memory at module exit
*/
static void __exit ksmbd_server_exit(void)
{
diff --git a/fs/cifsd/smb2pdu.c b/fs/cifsd/smb2pdu.c
index 730bddbc8152..e4b91838d35c 100644
--- a/fs/cifsd/smb2pdu.c
+++ b/fs/cifsd/smb2pdu.c
@@ -88,8 +88,7 @@ struct channel *lookup_chann_list(struct ksmbd_session *sess)
/**
* smb2_get_ksmbd_tcon() - get tree connection information for a tree id
- * @sess: session containing tree list
- * @tid: match tree connection with tree id
+ * @work: smb work
*
* Return: matching tree connection on success, otherwise error
*/
@@ -209,6 +208,7 @@ uint16_t get_smb2_cmd_val(struct ksmbd_work *work)
/**
* set_smb2_rsp_status() - set error response code on smb2 header
* @work: smb work containing response buffer
+ * @err: error response code
*/
void set_smb2_rsp_status(struct ksmbd_work *work, __le32 err)
{
@@ -633,9 +633,10 @@ static void destroy_previous_session(struct ksmbd_user *user, uint64_t id)
/**
* smb2_get_name() - get filename string from on the wire smb format
+ * @share: ksmbd_share_config pointer
* @src: source buffer
* @maxlen: maxlen of source string
- * @work: smb work containing smb request buffer
+ * @nls_table: nls_table pointer
*
* Return: matching converted filename on success, otherwise error ptr
*/
@@ -747,6 +748,7 @@ static __le32 smb2_get_reparse_tag_special_file(umode_t mode)
/**
* smb2_get_dos_mode() - get file mode in dos format from unix mode
* @stat: kstat containing file mode
+ * @attribute: attribute flags
*
* Return: converted dos mode
*/
@@ -1797,7 +1799,6 @@ int smb2_tree_connect(struct ksmbd_work *work)
* @file_present: is file already present
* @access: file access flags
* @disposition: file disposition flags
- * @work: smb work containing smb request buffer
*
* Return: file open flags
*/
@@ -4112,12 +4113,6 @@ static void get_internal_info_pipe(struct smb2_query_info_rsp *rsp,
inc_rfc1001_len(rsp, sizeof(struct smb2_file_internal_info));
}
-/**
- * smb2_info_file_pipe() - handler for smb2 query info on IPC pipe
- * @work: smb work containing query info command buffer
- *
- * Return: 0 on success, otherwise error
- */
static int smb2_get_info_file_pipe(struct ksmbd_session *sess,
struct smb2_query_info_req *req, struct smb2_query_info_rsp *rsp)
{
@@ -4157,10 +4152,10 @@ static int smb2_get_info_file_pipe(struct ksmbd_session *sess,
/**
* smb2_get_ea() - handler for smb2 get extended attribute command
* @work: smb work containing query info command buffer
- * @path: path of file/dir to query info command
- * @rq: get extended attribute request
- * @resp: response buffer pointer
- * @resp_org: base response buffer pointer in case of chained response
+ * @fp: ksmbd_file pointer
+ * @req: get extended attribute request
+ * @rsp: response buffer pointer
+ * @rsp_org: base response buffer pointer in case of chained response
*
* Return: 0 on success, otherwise error
*/
@@ -4761,12 +4756,6 @@ static int find_file_posix_info(struct smb2_query_info_rsp *rsp,
return 0;
}
-/**
- * smb2_get_info_file() - handler for smb2 query info command
- * @work: smb work containing query info request buffer
- *
- * Return: 0 on success, otherwise error
- */
static int smb2_get_info_file(struct ksmbd_work *work,
struct smb2_query_info_req *req,
struct smb2_query_info_rsp *rsp,
@@ -4901,13 +4890,6 @@ static int smb2_get_info_file(struct ksmbd_work *work,
return rc;
}
-/**
- * smb2_get_info_filesystem() - handler for smb2 query info command
- * @work: smb work containing query info request buffer
- *
- * Return: 0 on success, otherwise error
- * TODO: need to implement STATUS_INFO_LENGTH_MISMATCH error handling
- */
static int smb2_get_info_filesystem(struct ksmbd_work *work,
struct smb2_query_info_req *req,
struct smb2_query_info_rsp *rsp,
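Review bot: Deleting the whole comment above `smb2_get_info_filesystem()` also drops the line `TODO: need to implement STATUS_INFO_LENGTH_MISMATCH error handling`, which recorded a known gap rather than a wrong parameter name. Keep the TODO as a plain comment, or correct the `@` lines to match the `work`, `req` and `rsp` parameters instead of removing the block.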
@@ -5416,14 +5398,6 @@ int smb2_echo(struct ksmbd_work *work)
return 0;
}
-/**
- * smb2_rename() - handler for rename using smb2 setinfo command
- * @work: smb work containing set info command buffer
- * @filp: file pointer of source file
- * @old_fid: file id of source file
- *
- * Return: 0 on success, otherwise error
- */
static int smb2_rename(struct ksmbd_work *work, struct ksmbd_file *fp,
struct smb2_file_rename_info *file_info,
struct nls_table *local_nls)
@@ -5544,14 +5518,6 @@ static int smb2_rename(struct ksmbd_work *work, struct ksmbd_file *fp,
return rc;
}
-/**
- * smb2_create_link() - handler for creating hardlink using smb2
- * set info command
- * @work: smb work containing set info command buffer
- * @filp: file pointer of source file
- *
- * Return: 0 on success, otherwise error
- */
static int smb2_create_link(struct ksmbd_work *work,
struct ksmbd_share_config *share,
struct smb2_file_link_info *file_info,
@@ -5914,6 +5880,9 @@ static int set_file_mode_info(struct ksmbd_file *fp,
/**
* smb2_set_info_file() - handler for smb2 set info command
* @work: smb work containing set info command buffer
+ * @fp: ksmbd_file pointer
+ * @info_class: smb2 set info class
+ * @share: ksmbd_share_config pointer
*
* Return: 0 on success, otherwise error
* TODO: need to implement an error handling for STATUS_INFO_LENGTH_MISMATCH
@@ -8057,7 +8026,7 @@ int smb2_oplock_break(struct ksmbd_work *work)
/**
* smb2_notify() - handler for smb2 notify request
- * @ksmbd_work: smb work containing notify command buffer
+ * @work: smb work containing notify command buffer
*
* Return: 0
*/
@@ -8081,7 +8050,8 @@ int smb2_notify(struct ksmbd_work *work)
/**
* smb2_is_sign_req() - handler for checking packet signing status
- * @work:smb work containing notify command buffer
+ * @work: smb work containing notify command buffer
+ * @command: SMB2 command id
*
* Return: true if packed is signed, false otherwise
*/
diff --git a/fs/cifsd/smb_common.c b/fs/cifsd/smb_common.c
index 7eb6d98656c7..f779aae3fd6c 100644
--- a/fs/cifsd/smb_common.c
+++ b/fs/cifsd/smb_common.c
@@ -107,8 +107,8 @@ int ksmbd_lookup_protocol_idx(char *str)
}
/**
- * check_message() - check for valid smb2 request header
- * @buf: smb2 header to be checked
+ * ksmbd_verify_smb_message() - check for valid smb2 request header
+ * @work: smb work
*
* check for valid smb signature and packet direction(request/response)
*
@@ -125,9 +125,8 @@ int ksmbd_verify_smb_message(struct ksmbd_work *work)
}
/**
- * is_smb_request() - check for valid smb request type
+ * ksmbd_smb_request() - check for valid smb request type
* @conn: connection instance
- * @type: smb request type
*
* Return: true on success, otherwise false
*/
diff --git a/fs/cifsd/transport_tcp.c b/fs/cifsd/transport_tcp.c
index 60ec9b2e0370..359401227d93 100644
--- a/fs/cifsd/transport_tcp.c
+++ b/fs/cifsd/transport_tcp.c
@@ -173,7 +173,7 @@ static unsigned short ksmbd_tcp_get_port(const struct sockaddr *sa)
/**
* ksmbd_tcp_new_connection() - create a new tcp session on mount
- * @sock: socket associated with new connection
+ * @client_sk: socket associated with new connection
*
* whenever a new connection is requested, create a conn thread
* (session thread) to handle new incoming smb requests from the connection
@@ -252,7 +252,8 @@ static int ksmbd_kthread_fn(void *p)
}
/**
- * ksmbd_create_ksmbd_kthread() - start forker thread
+ * ksmbd_tcp_run_kthread() - start forker thread
+ * @iface: pointer to struct interface
*
* start forker thread(ksmbd/0) at module init time to listen
* on port 445 for new SMB connection requests. It creates per connection
From patchwork Mon Nov 14 12:48:42 2022
X-Patchwork-Submitter: Jason Yan <yanaijie(a)huawei.com>
X-Patchwork-Id: 183110
From: Jason Yan <yanaijie(a)huawei.com>
To: <yanaijie(a)huawei.com>, <zhengzengkai(a)huawei.com>, <xiexiuqi(a)huawei.com>,
<yi.zhang(a)huawei.com>, <patchwork(a)huawei.com>, <kernel.openeuler(a)huawei.com>,
<houtao1(a)huawei.com>
Subject: [PATCH OLK-5.10 v2 013/308] cifsd: fix warning: variable
'total_ace_size' and 'posix_ccontext' set but not used
Date: Mon, 14 Nov 2022 20:48:42 +0800
Message-ID: <20221114125337.1831594-14-yanaijie(a)huawei.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20221114125337.1831594-1-yanaijie(a)huawei.com>
References: <20221114125337.1831594-1-yanaijie(a)huawei.com>
From: Namjae Jeon <namjae.jeon(a)samsung.com>
mainline inclusion
from mainline-5.15-rc1
commit 548e9ad317393b0439081454d2110f519431d5ef
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G
CVE: NA
Reference: https://git.kernel.org/torvalds/linux/c/548e9ad31739
-------------------------------
kernel test robot reported warnings:
fs/cifsd/smbacl.c: In function 'parse_sec_desc':
>> fs/cifsd/smbacl.c:786:6: warning: variable 'total_ace_size' set but
not used [-Wunused-but-set-variable]
786 | int total_ace_size = 0, pntsd_type;
| ^~~~~~~~~~~~~~
---
fs/cifsd/smb2pdu.c: In function 'smb2_open':
>> fs/cifsd/smb2pdu.c:3285:26: warning: variable 'posix_ccontext' set but
not used [-Wunused-but-set-variable]
3285 | struct create_context *posix_ccontext;
| ^~~~~~~~~~~~~~
Signed-off-by: Namjae Jeon <namjae.jeon(a)samsung.com>
Signed-off-by: Steve French <stfrench(a)microsoft.com>
Signed-off-by: Jason Yan <yanaijie(a)huawei.com>
---
fs/cifsd/smb2pdu.c | 4 ----
fs/cifsd/smbacl.c | 14 +++-----------
2 files changed, 3 insertions(+), 15 deletions(-)
diff --git a/fs/cifsd/smb2pdu.c b/fs/cifsd/smb2pdu.c
index e4b91838d35c..4ec45c3fa00e 100644
--- a/fs/cifsd/smb2pdu.c
+++ b/fs/cifsd/smb2pdu.c
@@ -3283,10 +3283,6 @@ int smb2_open(struct ksmbd_work *work)
}
if (posix_ctxt) {
- struct create_context *posix_ccontext;
-
- posix_ccontext = (struct create_context *)(rsp->Buffer +
- le32_to_cpu(rsp->CreateContextsLength));
contxt_cnt++;
create_posix_rsp_buf(rsp->Buffer +
le32_to_cpu(rsp->CreateContextsLength),
diff --git a/fs/cifsd/smbacl.c b/fs/cifsd/smbacl.c
index 77c79cf4afd0..7f6d5313a02c 100644
--- a/fs/cifsd/smbacl.c
+++ b/fs/cifsd/smbacl.c
@@ -389,7 +389,8 @@ static void parse_dacl(struct smb_acl *pdacl, char *end_of_acl,
return;
/* validate that we do not go past end of acl */
- if (end_of_acl < (char *)pdacl + le16_to_cpu(pdacl->size)) {
+ if (end_of_acl <= (char *)pdacl ||
+ end_of_acl < (char *)pdacl + le16_to_cpu(pdacl->size)) {
ksmbd_err("ACL too small to parse DACL\n");
return;
}
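Review bot: The added `end_of_acl <= (char *)pdacl` test only guarantees that one byte of the ACL header lies inside the buffer, yet the second operand of the `||` then reads `pdacl->size`. If fewer than `sizeof(struct smb_acl)` bytes remain before `end_of_acl`, that read is already out of bounds. Compare `end_of_acl` against `(char *)pdacl + sizeof(struct smb_acl)` first, and only then against the size taken from the header.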
@@ -783,7 +784,7 @@ int parse_sec_desc(struct smb_ntsd *pntsd, int acl_len,
struct smb_acl *dacl_ptr; /* no need for SACL ptr */
char *end_of_acl = ((char *)pntsd) + acl_len;
__u32 dacloffset;
- int total_ace_size = 0, pntsd_type;
+ int pntsd_type;
if (pntsd == NULL)
return -EIO;
@@ -800,16 +801,7 @@ int parse_sec_desc(struct smb_ntsd *pntsd, int acl_len,
le32_to_cpu(pntsd->gsidoffset),
le32_to_cpu(pntsd->sacloffset), dacloffset);
- if (dacloffset) {
- if (end_of_acl <= (char *)dacl_ptr ||
- end_of_acl < (char *)dacl_ptr + le16_to_cpu(dacl_ptr->size))
- return -EIO;
- total_ace_size =
- le16_to_cpu(dacl_ptr->size) - sizeof(struct smb_acl);
- }
-
pntsd_type = le16_to_cpu(pntsd->type);
-
if (!(pntsd_type & DACL_PRESENT)) {
ksmbd_debug(SMB, "DACL_PRESENT in DACL type is not set\n");
return rc;
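Review bot: The removed block made `parse_sec_desc()` return -EIO when the DACL did not fit inside the buffer, while the check that replaces it sits in `parse_dacl()`, which is `static void` and only logs "ACL too small to parse DACL" before returning. A malformed security descriptor is therefore no longer reported to the caller, a behaviour change that the commit message (an unused-variable warning fix) does not mention. Either keep the early `return -EIO` here without `total_ace_size`, or give `parse_dacl()` a return value and propagate it.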
From patchwork Mon Nov 14 12:48:43 2022
X-Patchwork-Submitter: Jason Yan <yanaijie(a)huawei.com>
X-Patchwork-Id: 183111
From: Jason Yan <yanaijie(a)huawei.com>
To: <yanaijie(a)huawei.com>, <zhengzengkai(a)huawei.com>, <xiexiuqi(a)huawei.com>,
<yi.zhang(a)huawei.com>, <patchwork(a)huawei.com>, <kernel.openeuler(a)huawei.com>,
<houtao1(a)huawei.com>
Subject: [PATCH OLK-5.10 v2 014/308] cifsd: Pass string length parameter to
match_pattern()
Date: Mon, 14 Nov 2022 20:48:43 +0800
Message-ID: <20221114125337.1831594-15-yanaijie(a)huawei.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20221114125337.1831594-1-yanaijie(a)huawei.com>
References: <20221114125337.1831594-1-yanaijie(a)huawei.com>
From: Namjae Jeon <namjae.jeon(a)samsung.com>
mainline inclusion
from mainline-5.15-rc1
commit b24c93358035e3c20630a45c0bcdbb45aad9707d
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G
CVE: NA
Reference: https://git.kernel.org/torvalds/linux/c/b24c93358035
-------------------------------
When iterating through a directory, a file's name may not be
null-terminated (depending on the underlying filesystem implementation).
Modify match_pattern to take the string's length into account when matching
it against the request pattern.
Signed-off-by: Marios Makassikis <mmakassikis(a)freebox.fr>
Signed-off-by: Namjae Jeon <namjae.jeon(a)samsung.com>
Signed-off-by: Steve French <stfrench(a)microsoft.com>
Signed-off-by: Jason Yan <yanaijie(a)huawei.com>
---
fs/cifsd/misc.c | 7 +++++--
fs/cifsd/misc.h | 2 +-
fs/cifsd/smb2pdu.c | 2 +-
fs/cifsd/smb_common.c | 3 ++-
4 files changed, 9 insertions(+), 5 deletions(-)
diff --git a/fs/cifsd/misc.c b/fs/cifsd/misc.c
index 68983b08d519..189b90414976 100644
--- a/fs/cifsd/misc.c
+++ b/fs/cifsd/misc.c
@@ -22,20 +22,22 @@
* TODO : implement consideration about DOS_DOT, DOS_QM and DOS_STAR
*
* @string: string to compare with a pattern
+ * @len: string length
* @pattern: pattern string which might include wildcard '*' and '?'
*
* Return: 0 if pattern matched with the string, otherwise non zero value
*/
-int match_pattern(const char *str, const char *pattern)
+int match_pattern(const char *str, size_t len, const char *pattern)
{
const char *s = str;
const char *p = pattern;
bool star = false;
- while (*s) {
+ while (*s && len) {
switch (*p) {
case '?':
s++;
+ len--;
p++;
break;
case '*':
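Review bot: In `while (*s && len)` the dereference of `*s` happens before `len` is tested, so once `len` reaches 0 on a name that is not null-terminated the loop condition still reads one byte past the end of the name, which is the case the commit message sets out to handle. Test the length first, `while (len && *s)`. The kernel-doc above also documents `@string` while the parameter is named `str`.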
@@ -48,6 +50,7 @@ int match_pattern(const char *str, const char *pattern)
default:
if (tolower(*s) == tolower(*p)) {
s++;
+ len--;
p++;
} else {
if (!star)
diff --git a/fs/cifsd/misc.h b/fs/cifsd/misc.h
index 41b3dac2f5fc..73b21709b6c9 100644
--- a/fs/cifsd/misc.h
+++ b/fs/cifsd/misc.h
@@ -11,7 +11,7 @@ struct nls_table;
struct kstat;
struct ksmbd_file;
-int match_pattern(const char *str, const char *pattern);
+int match_pattern(const char *str, size_t len, const char *pattern);
int ksmbd_validate_filename(char *filename);
diff --git a/fs/cifsd/smb2pdu.c b/fs/cifsd/smb2pdu.c
index 4ec45c3fa00e..32816baa8a99 100644
--- a/fs/cifsd/smb2pdu.c
+++ b/fs/cifsd/smb2pdu.c
@@ -3837,7 +3837,7 @@ static int __query_dir(struct dir_context *ctx,
return 0;
if (ksmbd_share_veto_filename(priv->work->tcon->share_conf, name))
return 0;
- if (!match_pattern(name, priv->search_pattern))
+ if (!match_pattern(name, namlen, priv->search_pattern))
return 0;
d_info->name = name;
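Review bot: `match_pattern()` now receives `namlen`, but the `ksmbd_share_veto_filename(priv->work->tcon->share_conf, name)` call two lines above it still takes `name` with no length. If directory entry names may lack a terminating NUL, as the commit message states, that call needs the same treatment, or the name should be copied into a bounded, terminated buffer before both checks.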
diff --git a/fs/cifsd/smb_common.c b/fs/cifsd/smb_common.c
index f779aae3fd6c..2f58ef003238 100644
--- a/fs/cifsd/smb_common.c
+++ b/fs/cifsd/smb_common.c
@@ -294,7 +294,8 @@ int ksmbd_populate_dot_dotdot_entries(struct ksmbd_work *work,
d_info->name_len = 2;
}
- if (!match_pattern(d_info->name, search_pattern)) {
+ if (!match_pattern(d_info->name, d_info->name_len,
+ search_pattern)) {
dir->dot_dotdot[i] = 1;
continue;
}
From patchwork Mon Nov 14 12:48:44 2022
X-Patchwork-Submitter: Jason Yan <yanaijie(a)huawei.com>
X-Patchwork-Id: 183112
From: Jason Yan <yanaijie(a)huawei.com>
To: <yanaijie(a)huawei.com>, <zhengzengkai(a)huawei.com>, <xiexiuqi(a)huawei.com>,
<yi.zhang(a)huawei.com>, <patchwork(a)huawei.com>, <kernel.openeuler(a)huawei.com>,
<houtao1(a)huawei.com>
Subject: [PATCH OLK-5.10 v2 015/308] cifsd: Fix an error code in smb2_read()
Date: Mon, 14 Nov 2022 20:48:44 +0800
Message-ID: <20221114125337.1831594-16-yanaijie(a)huawei.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20221114125337.1831594-1-yanaijie(a)huawei.com>
References: <20221114125337.1831594-1-yanaijie(a)huawei.com>
From: Dan Carpenter <dan.carpenter(a)oracle.com>
mainline inclusion
from mainline-5.15-rc1
commit c1ea111fd1bb4c4020503f5c53cd05a703d1a30b
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G
CVE: NA
Reference: https://git.kernel.org/torvalds/linux/c/c1ea111fd1bb
-------------------------------
This code is assigning the wrong variable to "err" so it returns
zero/success instead of -ENOMEM.
Fixes: 788b6f45c1d2 ("cifsd: add server-side procedures for SMB3")
Signed-off-by: Dan Carpenter <dan.carpenter(a)oracle.com>
Signed-off-by: Namjae Jeon <namjae.jeon(a)samsung.com>
Signed-off-by: Steve French <stfrench(a)microsoft.com>
Signed-off-by: Jason Yan <yanaijie(a)huawei.com>
---
fs/cifsd/smb2pdu.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/fs/cifsd/smb2pdu.c b/fs/cifsd/smb2pdu.c
index 32816baa8a99..6770ebedc24a 100644
--- a/fs/cifsd/smb2pdu.c
+++ b/fs/cifsd/smb2pdu.c
@@ -6200,7 +6200,7 @@ int smb2_read(struct ksmbd_work *work)
work->aux_payload_buf = ksmbd_alloc_response(length);
}
if (!work->aux_payload_buf) {
- err = nbytes;
+ err = -ENOMEM;
goto out;
}
From patchwork Mon Nov 14 12:48:45 2022
X-Patchwork-Submitter: Jason Yan <yanaijie(a)huawei.com>
X-Patchwork-Id: 183113
From: Jason Yan <yanaijie(a)huawei.com>
To: <yanaijie(a)huawei.com>, <zhengzengkai(a)huawei.com>, <xiexiuqi(a)huawei.com>,
<yi.zhang(a)huawei.com>, <patchwork(a)huawei.com>, <kernel.openeuler(a)huawei.com>,
<houtao1(a)huawei.com>
Subject: [PATCH OLK-5.10 v2 016/308] cifsd: fix error handling in
ksmbd_server_init()
Date: Mon, 14 Nov 2022 20:48:45 +0800
Message-ID: <20221114125337.1831594-17-yanaijie(a)huawei.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20221114125337.1831594-1-yanaijie(a)huawei.com>
References: <20221114125337.1831594-1-yanaijie(a)huawei.com>
From: Dan Carpenter <dan.carpenter(a)oracle.com>
mainline inclusion
from mainline-5.15-rc1
commit 849f59e1a18adecf0617afc82efbfc5d126c49f8
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G
CVE: NA
Reference: https://git.kernel.org/torvalds/linux/c/849f59e1a18a
-------------------------------
The error handling in ksmbd_server_init() uses "one function to free
everything style" which is impossible to audit and leads to several
canonical bugs. When we free something that wasn't allocated it may be
uninitialized, an error pointer, freed in a different function or we
try freeing "foo->bar" when "foo" is a NULL pointer. And since the
code is impossible to audit then it leads to memory leaks.
In the ksmbd_server_init() function, every goto will lead to a crash
because we have not allocated the work queue but we call
ksmbd_workqueue_destroy() which tries to flush a NULL work queue.
Another bug is if ksmbd_init_buffer_pools() fails then it leads to a
double free because we free "work_cache" twice. A third type of bug is
that we forgot to call ksmbd_release_inode_hash() so that is a resource
leak.
A better way to write error handling is for every function to clean up
after itself and never leave things partially allocated. Then we can
use "free the last successfully allocated resource" style. That way
when someone is reading the code they can just track the last resource
in their head and verify that the goto matches what they expect.
In this patch I modified ksmbd_ipc_init() to clean up after itself and
then I converted ksmbd_server_init() to use gotos to clean up.
Fixes: cabcebc31de4 ("cifsd: introduce SMB3 kernel server")
Signed-off-by: Dan Carpenter <dan.carpenter(a)oracle.com>
Signed-off-by: Namjae Jeon <namjae.jeon(a)samsung.com>
Signed-off-by: Steve French <stfrench(a)microsoft.com>
Signed-off-by: Jason Yan <yanaijie(a)huawei.com>
---
fs/cifsd/server.c | 33 +++++++++++++++++++++++----------
fs/cifsd/transport_ipc.c | 14 +++++++++++---
fs/cifsd/vfs_cache.c | 2 +-
fs/cifsd/vfs_cache.h | 2 +-
4 files changed, 36 insertions(+), 15 deletions(-)
diff --git a/fs/cifsd/server.c b/fs/cifsd/server.c
index d222190a846b..048bbc66aa60 100644
--- a/fs/cifsd/server.c
+++ b/fs/cifsd/server.c
@@ -567,39 +567,52 @@ static int __init ksmbd_server_init(void)
ret = server_conf_init();
if (ret)
- return ret;
+ goto err_unregister;
ret = ksmbd_init_buffer_pools();
if (ret)
- return ret;
+ goto err_unregister;
ret = ksmbd_init_session_table();
if (ret)
- goto error;
+ goto err_destroy_pools;
ret = ksmbd_ipc_init();
if (ret)
- goto error;
+ goto err_free_session_table;
ret = ksmbd_init_global_file_table();
if (ret)
- goto error;
+ goto err_ipc_release;
ret = ksmbd_inode_hash_init();
if (ret)
- goto error;
+ goto err_destroy_file_table;
ret = ksmbd_crypto_create();
if (ret)
- goto error;
+ goto err_release_inode_hash;
ret = ksmbd_workqueue_init();
if (ret)
- goto error;
+ goto err_crypto_destroy;
return 0;
-error:
- ksmbd_server_shutdown();
+err_crypto_destroy:
+ ksmbd_crypto_destroy();
+err_release_inode_hash:
+ ksmbd_release_inode_hash();
+err_destroy_file_table:
+ ksmbd_free_global_file_table();
+err_ipc_release:
+ ksmbd_ipc_release();
+err_free_session_table:
+ ksmbd_free_session_table();
+err_destroy_pools:
+ ksmbd_destroy_buffer_pools();
+err_unregister:
+ class_unregister(&ksmbd_control_class);
+
return ret;
}
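Review bot: the ksmbd_init_buffer_pools() failure path now jumps to err_unregister and skips ksmbd_destroy_buffer_pools(), which is only correct if ksmbd_init_buffer_pools() fully unwinds its own partial allocations. The changelog names the "work_cache" double free on exactly this path, yet the diffstat touches only server.c, transport_ipc.c and vfs_cache.[ch], so that function is not changed here; please confirm it cleans up after itself (as ksmbd_ipc_init() is made to do in this patch) or say so in the changelog. The same question applies to server_conf_init(). The registration of ksmbd_control_class that err_unregister undoes is above the visible context, so a short comment at the label naming what it pairs with would help anyone auditing the unwind order.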
diff --git a/fs/cifsd/transport_ipc.c b/fs/cifsd/transport_ipc.c
index c49e46fda9b1..e5f4d97b2924 100644
--- a/fs/cifsd/transport_ipc.c
+++ b/fs/cifsd/transport_ipc.c
@@ -887,11 +887,19 @@ int ksmbd_ipc_init(void)
if (ret) {
ksmbd_err("Failed to register KSMBD netlink interface %d\n",
ret);
- return ret;
+ goto cancel_work;
}
ida = ksmbd_ida_alloc();
- if (!ida)
- return -ENOMEM;
+ if (!ida) {
+ ret = -ENOMEM;
+ goto unregister;
+ }
return 0;
+
+unregister:
+ genl_unregister_family(&ksmbd_genl_family);
+cancel_work:
+ cancel_delayed_work_sync(&ipc_timer_work);
+ return ret;
}
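Review bot: the cancel_work label calls cancel_delayed_work_sync(&ipc_timer_work) when the netlink registration fails, but the setup of ipc_timer_work is above the visible context, so this hunk alone does not show that the work is initialised before that point. Please confirm it is, since cancelling a delayed work that was never set up would be the same class of bug the changelog describes. Minor: the labels here (unregister, cancel_work) lack the err_ prefix used for the labels added to ksmbd_server_init() in this same patch; pick one convention.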
diff --git a/fs/cifsd/vfs_cache.c b/fs/cifsd/vfs_cache.c
index af92fab5b7ae..34e045f27230 100644
--- a/fs/cifsd/vfs_cache.c
+++ b/fs/cifsd/vfs_cache.c
@@ -236,7 +236,7 @@ int __init ksmbd_inode_hash_init(void)
return 0;
}
-void __exit ksmbd_release_inode_hash(void)
+void ksmbd_release_inode_hash(void)
{
vfree(inode_hashtable);
}
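Review bot: the changelog never says why __exit is dropped from ksmbd_release_inode_hash(). The reason is visible in the server.c hunk, where the function is now called from the __init function ksmbd_server_init() on the err_release_inode_hash path, and init code must not reference a function placed in the exit section. Add a sentence saying so. Since the function is now reachable from the init error path as well, consider setting inode_hashtable to NULL after the vfree() so a later call cannot free it again.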
diff --git a/fs/cifsd/vfs_cache.h b/fs/cifsd/vfs_cache.h
index 7d23657c86c6..04ab5967a9ae 100644
--- a/fs/cifsd/vfs_cache.h
+++ b/fs/cifsd/vfs_cache.h
@@ -194,7 +194,7 @@ void ksmbd_set_fd_limit(unsigned long limit);
*/
int __init ksmbd_inode_hash_init(void);
-void __exit ksmbd_release_inode_hash(void);
+void ksmbd_release_inode_hash(void);
enum KSMBD_INODE_STATUS {
KSMBD_INODE_STATUS_OK,
From patchwork Mon Nov 14 12:48:46 2022
X-Patchwork-Submitter: Jason Yan <yanaijie(a)huawei.com>
X-Patchwork-Id: 183114
From: Jason Yan <yanaijie(a)huawei.com>
To: <yanaijie(a)huawei.com>, <zhengzengkai(a)huawei.com>, <xiexiuqi(a)huawei.com>,
<yi.zhang(a)huawei.com>, <patchwork(a)huawei.com>, <kernel.openeuler(a)huawei.com>,
<houtao1(a)huawei.com>
Subject: [PATCH OLK-5.10 v2 017/308] cifsd: remove redundant assignment to
variable err
Date: Mon, 14 Nov 2022 20:48:46 +0800
Message-ID: <20221114125337.1831594-18-yanaijie(a)huawei.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20221114125337.1831594-1-yanaijie(a)huawei.com>
References: <20221114125337.1831594-1-yanaijie(a)huawei.com>
From: Colin Ian King <colin.king(a)canonical.com>
mainline inclusion
from mainline-5.15-rc1
commit 3161ad3a717e69b26ea3d73467ed8399023b5075
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G
CVE: NA
Reference: https://git.kernel.org/torvalds/linux/c/3161ad3a717e
-------------------------------
The variable err is being initialized with a value that is never read
and it is being updated later with a new value. The initialization is
redundant and can be removed.
Addresses-Coverity: ("Unused value")
Signed-off-by: Colin Ian King <colin.king(a)canonical.com>
Signed-off-by: Namjae Jeon <namjae.jeon(a)samsung.com>
Signed-off-by: Steve French <stfrench(a)microsoft.com>
Signed-off-by: Jason Yan <yanaijie(a)huawei.com>
---
fs/cifsd/vfs.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/fs/cifsd/vfs.c b/fs/cifsd/vfs.c
index 00f80ca45690..3d7413b8f526 100644
--- a/fs/cifsd/vfs.c
+++ b/fs/cifsd/vfs.c
@@ -587,7 +587,7 @@ int ksmbd_vfs_remove_file(struct ksmbd_work *work, char *name)
struct path parent;
struct dentry *dir, *dentry;
char *last;
- int err = -ENOENT;
+ int err;
last = extract_last_component(name);
if (!last)
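Review bot: dropping the -ENOENT initialiser is safe only if no path returns err before its first assignment, and the hunk ends at `if (!last)` without showing what that branch returns. Please confirm the branch returns an explicit error code rather than err; the Coverity "Unused value" finding quoted in the changelog implies it, but the visible context is too short to check.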
From patchwork Mon Nov 14 12:48:47 2022
X-Patchwork-Submitter: Jason Yan <yanaijie(a)huawei.com>
X-Patchwork-Id: 183115
From: Jason Yan <yanaijie(a)huawei.com>
To: <yanaijie(a)huawei.com>, <zhengzengkai(a)huawei.com>, <xiexiuqi(a)huawei.com>,
<yi.zhang(a)huawei.com>, <patchwork(a)huawei.com>, <kernel.openeuler(a)huawei.com>,
<houtao1(a)huawei.com>
Subject: [PATCH OLK-5.10 v2 018/308] cifsd: remove unneeded macros
Date: Mon, 14 Nov 2022 20:48:47 +0800
Message-ID: <20221114125337.1831594-19-yanaijie(a)huawei.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20221114125337.1831594-1-yanaijie(a)huawei.com>
References: <20221114125337.1831594-1-yanaijie(a)huawei.com>
From: Namjae Jeon <namjae.jeon(a)samsung.com>
mainline inclusion
from mainline-5.15-rc1
commit e5066499079de0e1dac094baf4cb62eb86cbdd4f
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G
CVE: NA
Reference: https://git.kernel.org/torvalds/linux/c/e5066499079d
-------------------------------
Remove unneeded RESPONSE_BUF, REQUEST_BUF, RESPONSE_SZ, INIT_AUX_PAYLOAD,
HAS_AUX_PAYLOAD, AUX_PAYLOAD, AUX_PAYLOAD_SIZE, RESP_HDR_SIZE,
HAS_TRANSFORM_BUF and TRANSFORM_BUF macros.
Signed-off-by: Namjae Jeon <namjae.jeon(a)samsung.com>
Signed-off-by: Steve French <stfrench(a)microsoft.com>
Signed-off-by: Jason Yan <yanaijie(a)huawei.com>
---
fs/cifsd/connection.c | 15 ++-
fs/cifsd/ksmbd_work.c | 12 +--
fs/cifsd/ksmbd_work.h | 24 +----
fs/cifsd/oplock.c | 14 +--
fs/cifsd/server.c | 4 +-
fs/cifsd/smb2misc.c | 2 +-
fs/cifsd/smb2pdu.c | 212 +++++++++++++++++++++---------------------
fs/cifsd/smb_common.c | 8 +-
fs/cifsd/vfs.c | 2 +-
9 files changed, 139 insertions(+), 154 deletions(-)
diff --git a/fs/cifsd/connection.c b/fs/cifsd/connection.c
index d27553dee2ad..bdfde5ca2ded 100644
--- a/fs/cifsd/connection.c
+++ b/fs/cifsd/connection.c
@@ -154,7 +154,7 @@ void ksmbd_conn_wait_idle(struct ksmbd_conn *conn)
int ksmbd_conn_write(struct ksmbd_work *work)
{
struct ksmbd_conn *conn = work->conn;
- struct smb_hdr *rsp_hdr = RESPONSE_BUF(work);
+ struct smb_hdr *rsp_hdr = work->response_buf;
size_t len = 0;
int sent;
struct kvec iov[3];
@@ -166,21 +166,20 @@ int ksmbd_conn_write(struct ksmbd_work *work)
return -EINVAL;
}
- if (HAS_TRANSFORM_BUF(work)) {
+ if (work->tr_buf) {
iov[iov_idx] = (struct kvec) { work->tr_buf,
sizeof(struct smb2_transform_hdr) };
len += iov[iov_idx++].iov_len;
}
- if (HAS_AUX_PAYLOAD(work)) {
- iov[iov_idx] = (struct kvec) { rsp_hdr, RESP_HDR_SIZE(work) };
+ if (work->aux_payload_sz) {
+ iov[iov_idx] = (struct kvec) { rsp_hdr, work->resp_hdr_sz };
len += iov[iov_idx++].iov_len;
- iov[iov_idx] = (struct kvec) { AUX_PAYLOAD(work),
- AUX_PAYLOAD_SIZE(work) };
+ iov[iov_idx] = (struct kvec) { work->aux_payload_buf, work->aux_payload_sz };
len += iov[iov_idx++].iov_len;
} else {
- if (HAS_TRANSFORM_BUF(work))
- iov[iov_idx].iov_len = RESP_HDR_SIZE(work);
+ if (work->tr_buf)
+ iov[iov_idx].iov_len = work->resp_hdr_sz;
else
iov[iov_idx].iov_len = get_rfc1002_len(rsp_hdr) + 4;
iov[iov_idx].iov_base = rsp_hdr;
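Review bot: the replacement `iov[iov_idx] = (struct kvec) { work->aux_payload_buf, work->aux_payload_sz };` runs past 80 columns once indented, where the two lines it replaces were wrapped; wrap it the same way. Also, with the macros open-coded it is plain that the aux payload branch is selected by work->aux_payload_sz while the iov base comes from work->aux_payload_buf. Keeping the explicit `!= 0` that HAS_AUX_PAYLOAD() had, or adding a comment that a non-zero size implies a valid buffer, would keep that assumption visible.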
diff --git a/fs/cifsd/ksmbd_work.c b/fs/cifsd/ksmbd_work.c
index 8cd5dff0762d..505e59df3071 100644
--- a/fs/cifsd/ksmbd_work.c
+++ b/fs/cifsd/ksmbd_work.c
@@ -40,18 +40,18 @@ void ksmbd_free_work_struct(struct ksmbd_work *work)
WARN_ON(work->saved_cred != NULL);
if (server_conf.flags & KSMBD_GLOBAL_FLAG_CACHE_TBUF &&
work->set_trans_buf)
- ksmbd_release_buffer(RESPONSE_BUF(work));
+ ksmbd_release_buffer(work->response_buf);
else
- ksmbd_free_response(RESPONSE_BUF(work));
+ ksmbd_free_response(work->response_buf);
if (server_conf.flags & KSMBD_GLOBAL_FLAG_CACHE_RBUF &&
work->set_read_buf)
- ksmbd_release_buffer(AUX_PAYLOAD(work));
+ ksmbd_release_buffer(work->aux_payload_buf);
else
- ksmbd_free_response(AUX_PAYLOAD(work));
+ ksmbd_free_response(work->aux_payload_buf);
- ksmbd_free_response(TRANSFORM_BUF(work));
- ksmbd_free_request(REQUEST_BUF(work));
+ ksmbd_free_response(work->tr_buf);
+ ksmbd_free_request(work->request_buf);
if (work->async_id)
ksmbd_release_id(work->conn->async_ida, work->async_id);
kmem_cache_free(work_cache, work);
diff --git a/fs/cifsd/ksmbd_work.h b/fs/cifsd/ksmbd_work.h
index 405434d4c8ab..28a1692ed37f 100644
--- a/fs/cifsd/ksmbd_work.h
+++ b/fs/cifsd/ksmbd_work.h
@@ -27,12 +27,12 @@ struct ksmbd_work {
struct ksmbd_tree_connect *tcon;
/* Pointer to received SMB header */
- char *request_buf;
+ void *request_buf;
/* Response buffer */
- char *response_buf;
+ void *response_buf;
/* Read data buffer */
- char *aux_payload_buf;
+ void *aux_payload_buf;
/* Next cmd hdr in compound req buf*/
int next_smb2_rcv_hdr_off;
@@ -92,24 +92,10 @@ struct ksmbd_work {
#define WORK_CLOSED(w) ((w)->state == KSMBD_WORK_CLOSED)
#define WORK_ACTIVE(w) ((w)->state == KSMBD_WORK_ACTIVE)
-#define RESPONSE_BUF(w) ((void *)(w)->response_buf)
-#define REQUEST_BUF(w) ((void *)(w)->request_buf)
-
#define RESPONSE_BUF_NEXT(w) \
- ((void *)((w)->response_buf + (w)->next_smb2_rsp_hdr_off))
+ (((w)->response_buf + (w)->next_smb2_rsp_hdr_off))
#define REQUEST_BUF_NEXT(w) \
- ((void *)((w)->request_buf + (w)->next_smb2_rcv_hdr_off))
-
-#define RESPONSE_SZ(w) ((w)->response_sz)
-
-#define INIT_AUX_PAYLOAD(w) ((w)->aux_payload_buf = NULL)
-#define HAS_AUX_PAYLOAD(w) ((w)->aux_payload_sz != 0)
-#define AUX_PAYLOAD(w) ((void *)((w)->aux_payload_buf))
-#define AUX_PAYLOAD_SIZE(w) ((w)->aux_payload_sz)
-#define RESP_HDR_SIZE(w) ((w)->resp_hdr_sz)
-
-#define HAS_TRANSFORM_BUF(w) ((w)->tr_buf != NULL)
-#define TRANSFORM_BUF(w) ((void *)((w)->tr_buf))
+ (((w)->request_buf + (w)->next_smb2_rcv_hdr_off))
struct ksmbd_work *ksmbd_alloc_work_struct(void);
void ksmbd_free_work_struct(struct ksmbd_work *work);
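Review bot: with request_buf and response_buf changed to void * in the previous hunk, RESPONSE_BUF_NEXT() and REQUEST_BUF_NEXT() now do arithmetic on a void pointer, which is a GNU C extension (byte-sized steps) rather than standard C. That is accepted in kernel code, but it is a type change riding along in a patch titled "remove unneeded macros" and deserves a line in the changelog. The edit also leaves doubled parentheses, `(((w)->response_buf + (w)->next_smb2_rsp_hdr_off))`; drop one pair.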
diff --git a/fs/cifsd/oplock.c b/fs/cifsd/oplock.c
index e56c938a8f7a..25823bb7d086 100644
--- a/fs/cifsd/oplock.c
+++ b/fs/cifsd/oplock.c
@@ -608,14 +608,14 @@ static inline int allocate_oplock_break_buf(struct ksmbd_work *work)
* There are two ways this function can be called. 1- while file open we break
* from exclusive/batch lock to levelII oplock and 2- while file write/truncate
* we break from levelII oplock no oplock.
- * REQUEST_BUF(work) contains oplock_info.
+ * work->request_buf contains oplock_info.
*/
static void __smb2_oplock_break_noti(struct work_struct *wk)
{
struct smb2_oplock_break *rsp = NULL;
struct ksmbd_work *work = container_of(wk, struct ksmbd_work, work);
struct ksmbd_conn *conn = work->conn;
- struct oplock_break_info *br_info = REQUEST_BUF(work);
+ struct oplock_break_info *br_info = work->request_buf;
struct smb2_hdr *rsp_hdr;
struct ksmbd_file *fp;
@@ -634,7 +634,7 @@ static void __smb2_oplock_break_noti(struct work_struct *wk)
return;
}
- rsp_hdr = RESPONSE_BUF(work);
+ rsp_hdr = work->response_buf;
memset(rsp_hdr, 0, sizeof(struct smb2_hdr) + 2);
rsp_hdr->smb2_buf_length = cpu_to_be32(HEADER_SIZE_NO_BUF_LEN(conn));
rsp_hdr->ProtocolId = SMB2_PROTO_NUMBER;
@@ -650,7 +650,7 @@ static void __smb2_oplock_break_noti(struct work_struct *wk)
memset(rsp_hdr->Signature, 0, 16);
- rsp = RESPONSE_BUF(work);
+ rsp = work->response_buf;
rsp->StructureSize = cpu_to_le16(24);
if (!br_info->open_trunc &&
@@ -730,7 +730,7 @@ static void __smb2_lease_break_noti(struct work_struct *wk)
{
struct smb2_lease_break *rsp = NULL;
struct ksmbd_work *work = container_of(wk, struct ksmbd_work, work);
- struct lease_break_info *br_info = REQUEST_BUF(work);
+ struct lease_break_info *br_info = work->request_buf;
struct ksmbd_conn *conn = work->conn;
struct smb2_hdr *rsp_hdr;
@@ -741,7 +741,7 @@ static void __smb2_lease_break_noti(struct work_struct *wk)
return;
}
- rsp_hdr = RESPONSE_BUF(work);
+ rsp_hdr = work->response_buf;
memset(rsp_hdr, 0, sizeof(struct smb2_hdr) + 2);
rsp_hdr->smb2_buf_length = cpu_to_be32(HEADER_SIZE_NO_BUF_LEN(conn));
rsp_hdr->ProtocolId = SMB2_PROTO_NUMBER;
@@ -756,7 +756,7 @@ static void __smb2_lease_break_noti(struct work_struct *wk)
rsp_hdr->SessionId = 0;
memset(rsp_hdr->Signature, 0, 16);
- rsp = RESPONSE_BUF(work);
+ rsp = work->response_buf;
rsp->StructureSize = cpu_to_le16(44);
rsp->Reserved = 0;
rsp->Flags = 0;
diff --git a/fs/cifsd/server.c b/fs/cifsd/server.c
index 048bbc66aa60..80f5229da3ac 100644
--- a/fs/cifsd/server.c
+++ b/fs/cifsd/server.c
@@ -95,7 +95,7 @@ static inline int check_conn_state(struct ksmbd_work *work)
struct smb_hdr *rsp_hdr;
if (ksmbd_conn_exiting(work) || ksmbd_conn_need_reconnect(work)) {
- rsp_hdr = RESPONSE_BUF(work);
+ rsp_hdr = work->response_buf;
rsp_hdr->Status.CifsError = STATUS_CONNECTION_DISCONNECTED;
return 1;
}
@@ -169,7 +169,7 @@ static void __handle_ksmbd_work(struct ksmbd_work *work,
return;
if (conn->ops->is_transform_hdr &&
- conn->ops->is_transform_hdr(REQUEST_BUF(work))) {
+ conn->ops->is_transform_hdr(work->request_buf)) {
rc = conn->ops->decrypt_req(work);
if (rc < 0) {
conn->ops->set_rsp_status(work, STATUS_DATA_ERROR);
diff --git a/fs/cifsd/smb2misc.c b/fs/cifsd/smb2misc.c
index 485f431c776c..e6b87d9d33ed 100644
--- a/fs/cifsd/smb2misc.c
+++ b/fs/cifsd/smb2misc.c
@@ -355,7 +355,7 @@ static int smb2_validate_credit_charge(struct smb2_hdr *hdr)
int ksmbd_smb2_check_message(struct ksmbd_work *work)
{
- struct smb2_pdu *pdu = REQUEST_BUF(work);
+ struct smb2_pdu *pdu = work->request_buf;
struct smb2_hdr *hdr = &pdu->hdr;
int command;
__u32 clc_len; /* calculated length */
diff --git a/fs/cifsd/smb2pdu.c b/fs/cifsd/smb2pdu.c
index 6770ebedc24a..460d5ba275bf 100644
--- a/fs/cifsd/smb2pdu.c
+++ b/fs/cifsd/smb2pdu.c
@@ -44,8 +44,8 @@ static void __wbuf(struct ksmbd_work *work, void **req, void **rsp)
*req = REQUEST_BUF_NEXT(work);
*rsp = RESPONSE_BUF_NEXT(work);
} else {
- *req = REQUEST_BUF(work);
- *rsp = RESPONSE_BUF(work);
+ *req = work->request_buf;
+ *rsp = work->response_buf;
}
}
@@ -94,7 +94,7 @@ struct channel *lookup_chann_list(struct ksmbd_session *sess)
*/
int smb2_get_ksmbd_tcon(struct ksmbd_work *work)
{
- struct smb2_hdr *req_hdr = REQUEST_BUF(work);
+ struct smb2_hdr *req_hdr = work->request_buf;
int tree_id;
work->tcon = NULL;
@@ -131,7 +131,7 @@ void smb2_set_err_rsp(struct ksmbd_work *work)
if (work->next_smb2_rcv_hdr_off)
err_rsp = RESPONSE_BUF_NEXT(work);
else
- err_rsp = RESPONSE_BUF(work);
+ err_rsp = work->response_buf;
if (err_rsp->hdr.Status != STATUS_STOPPED_ON_SYMLINK) {
err_rsp->StructureSize = SMB2_ERROR_STRUCTURE_SIZE2_LE;
@@ -139,7 +139,7 @@ void smb2_set_err_rsp(struct ksmbd_work *work)
err_rsp->Reserved = 0;
err_rsp->ByteCount = 0;
err_rsp->ErrorData[0] = 0;
- inc_rfc1001_len(RESPONSE_BUF(work), SMB2_ERROR_STRUCTURE_SIZE2);
+ inc_rfc1001_len(work->response_buf, SMB2_ERROR_STRUCTURE_SIZE2);
}
}
@@ -151,7 +151,7 @@ void smb2_set_err_rsp(struct ksmbd_work *work)
*/
int is_smb2_neg_cmd(struct ksmbd_work *work)
{
- struct smb2_hdr *hdr = REQUEST_BUF(work);
+ struct smb2_hdr *hdr = work->request_buf;
/* is it SMB2 header ? */
if (hdr->ProtocolId != SMB2_PROTO_NUMBER)
@@ -175,7 +175,7 @@ int is_smb2_neg_cmd(struct ksmbd_work *work)
*/
int is_smb2_rsp(struct ksmbd_work *work)
{
- struct smb2_hdr *hdr = RESPONSE_BUF(work);
+ struct smb2_hdr *hdr = work->response_buf;
/* is it SMB2 header ? */
if (hdr->ProtocolId != SMB2_PROTO_NUMBER)
@@ -201,7 +201,7 @@ uint16_t get_smb2_cmd_val(struct ksmbd_work *work)
if (work->next_smb2_rcv_hdr_off)
rcv_hdr = REQUEST_BUF_NEXT(work);
else
- rcv_hdr = REQUEST_BUF(work);
+ rcv_hdr = work->request_buf;
return le16_to_cpu(rcv_hdr->Command);
}
@@ -217,7 +217,7 @@ void set_smb2_rsp_status(struct ksmbd_work *work, __le32 err)
if (work->next_smb2_rcv_hdr_off)
rsp_hdr = RESPONSE_BUF_NEXT(work);
else
- rsp_hdr = RESPONSE_BUF(work);
+ rsp_hdr = work->response_buf;
rsp_hdr->Status = err;
smb2_set_err_rsp(work);
}
@@ -241,7 +241,7 @@ int init_smb2_neg_rsp(struct ksmbd_work *work)
conn->dialect <= SMB311_PROT_ID))
return -EINVAL;
- rsp_hdr = RESPONSE_BUF(work);
+ rsp_hdr = work->response_buf;
memset(rsp_hdr, 0, sizeof(struct smb2_hdr) + 2);
@@ -260,7 +260,7 @@ int init_smb2_neg_rsp(struct ksmbd_work *work)
rsp_hdr->SessionId = 0;
memset(rsp_hdr->Signature, 0, 16);
- rsp = RESPONSE_BUF(work);
+ rsp = work->response_buf;
WARN_ON(ksmbd_conn_good(work));
@@ -410,11 +410,11 @@ static void init_chained_smb2_rsp(struct ksmbd_work *work)
work->compound_sid = le64_to_cpu(rsp->SessionId);
}
- len = get_rfc1002_len(RESPONSE_BUF(work)) - work->next_smb2_rsp_hdr_off;
+ len = get_rfc1002_len(work->response_buf) - work->next_smb2_rsp_hdr_off;
next_hdr_offset = le32_to_cpu(req->NextCommand);
new_len = ALIGN(len, 8);
- inc_rfc1001_len(RESPONSE_BUF(work), ((sizeof(struct smb2_hdr) - 4)
+ inc_rfc1001_len(work->response_buf, ((sizeof(struct smb2_hdr) - 4)
+ new_len - len));
rsp->NextCommand = cpu_to_le32(new_len);
@@ -459,7 +459,7 @@ static void init_chained_smb2_rsp(struct ksmbd_work *work)
*/
bool is_chained_smb2_message(struct ksmbd_work *work)
{
- struct smb2_hdr *hdr = REQUEST_BUF(work);
+ struct smb2_hdr *hdr = work->request_buf;
unsigned int len;
if (hdr->ProtocolId != SMB2_PROTO_NUMBER)
@@ -475,12 +475,12 @@ bool is_chained_smb2_message(struct ksmbd_work *work)
* This is last request in chained command,
* align response to 8 byte
*/
- len = ALIGN(get_rfc1002_len(RESPONSE_BUF(work)), 8);
- len = len - get_rfc1002_len(RESPONSE_BUF(work));
+ len = ALIGN(get_rfc1002_len(work->response_buf), 8);
+ len = len - get_rfc1002_len(work->response_buf);
if (len) {
ksmbd_debug(SMB, "padding len %u\n", len);
- inc_rfc1001_len(RESPONSE_BUF(work), len);
- if (HAS_AUX_PAYLOAD(work))
+ inc_rfc1001_len(work->response_buf, len);
+ if (work->aux_payload_sz)
work->aux_payload_sz += len;
}
}
@@ -495,8 +495,8 @@ bool is_chained_smb2_message(struct ksmbd_work *work)
*/
int init_smb2_rsp_hdr(struct ksmbd_work *work)
{
- struct smb2_hdr *rsp_hdr = RESPONSE_BUF(work);
- struct smb2_hdr *rcv_hdr = REQUEST_BUF(work);
+ struct smb2_hdr *rsp_hdr = work->response_buf;
+ struct smb2_hdr *rcv_hdr = work->request_buf;
struct ksmbd_conn *conn = work->conn;
memset(rsp_hdr, 0, sizeof(struct smb2_hdr) + 2);
@@ -533,7 +533,7 @@ int init_smb2_rsp_hdr(struct ksmbd_work *work)
*/
int smb2_allocate_rsp_buf(struct ksmbd_work *work)
{
- struct smb2_hdr *hdr = REQUEST_BUF(work);
+ struct smb2_hdr *hdr = work->request_buf;
size_t small_sz = MAX_CIFS_SMALL_BUFFER_SIZE;
size_t large_sz = work->conn->vals->max_trans_size + MAX_SMB2_HDR_SIZE;
size_t sz = small_sz;
@@ -547,7 +547,7 @@ int smb2_allocate_rsp_buf(struct ksmbd_work *work)
if (cmd == SMB2_QUERY_INFO_HE) {
struct smb2_query_info_req *req;
- req = REQUEST_BUF(work);
+ req = work->request_buf;
if (req->InfoType == SMB2_O_INFO_FILE &&
(req->FileInfoClass == FILE_FULL_EA_INFORMATION ||
req->FileInfoClass == FILE_ALL_INFORMATION)) {
@@ -566,7 +566,7 @@ int smb2_allocate_rsp_buf(struct ksmbd_work *work)
else
work->response_buf = ksmbd_alloc_response(sz);
- if (!RESPONSE_BUF(work)) {
+ if (!work->response_buf) {
ksmbd_err("Failed to allocate %zu bytes buffer\n", sz);
return -ENOMEM;
}
@@ -583,7 +583,7 @@ int smb2_allocate_rsp_buf(struct ksmbd_work *work)
*/
int smb2_check_user_session(struct ksmbd_work *work)
{
- struct smb2_hdr *req_hdr = REQUEST_BUF(work);
+ struct smb2_hdr *req_hdr = work->request_buf;
struct ksmbd_conn *conn = work->conn;
unsigned int cmd = conn->ops->get_cmd_val(work);
unsigned long long sess_id;
@@ -686,7 +686,7 @@ int setup_async_work(struct ksmbd_work *work, void (*fn)(void **), void **arg)
struct ksmbd_conn *conn = work->conn;
int id;
- rsp_hdr = RESPONSE_BUF(work);
+ rsp_hdr = work->response_buf;
rsp_hdr->Flags |= SMB2_FLAGS_ASYNC_COMMAND;
id = ksmbd_acquire_async_msg_id(conn->async_ida);
@@ -716,7 +716,7 @@ void smb2_send_interim_resp(struct ksmbd_work *work, __le32 status)
{
struct smb2_hdr *rsp_hdr;
- rsp_hdr = RESPONSE_BUF(work);
+ rsp_hdr = work->response_buf;
smb2_set_err_rsp(work);
rsp_hdr->Status = status;
@@ -1030,8 +1030,8 @@ static __le32 deassemble_neg_contexts(struct ksmbd_conn *conn,
int smb2_handle_negotiate(struct ksmbd_work *work)
{
struct ksmbd_conn *conn = work->conn;
- struct smb2_negotiate_req *req = REQUEST_BUF(work);
- struct smb2_negotiate_rsp *rsp = RESPONSE_BUF(work);
+ struct smb2_negotiate_req *req = work->request_buf;
+ struct smb2_negotiate_rsp *rsp = work->response_buf;
int rc = 0;
__le32 status;
@@ -1078,7 +1078,7 @@ int smb2_handle_negotiate(struct ksmbd_work *work)
}
ksmbd_gen_preauth_integrity_hash(conn,
- REQUEST_BUF(work),
+ work->request_buf,
conn->preauth_info->Preauth_HashValue);
rsp->NegotiateContextOffset =
cpu_to_le32(OFFSET_OF_NEG_CONTEXT);
@@ -1198,7 +1198,7 @@ static int generate_preauth_hash(struct ksmbd_work *work)
}
ksmbd_gen_preauth_integrity_hash(conn,
- REQUEST_BUF(work),
+ work->request_buf,
sess->Preauth_HashValue);
return 0;
}
@@ -1213,7 +1213,7 @@ static int decode_negotiation_token(struct ksmbd_work *work,
if (!conn->use_spnego)
return -EINVAL;
- req = REQUEST_BUF(work);
+ req = work->request_buf;
sz = le16_to_cpu(req->SecurityBufferLength);
if (!ksmbd_decode_negTokenInit((char *)negblob, sz, conn)) {
@@ -1229,8 +1229,8 @@ static int decode_negotiation_token(struct ksmbd_work *work,
static int ntlm_negotiate(struct ksmbd_work *work,
struct negotiate_message *negblob)
{
- struct smb2_sess_setup_req *req = REQUEST_BUF(work);
- struct smb2_sess_setup_rsp *rsp = RESPONSE_BUF(work);
+ struct smb2_sess_setup_req *req = work->request_buf;
+ struct smb2_sess_setup_rsp *rsp = work->response_buf;
struct challenge_message *chgblob;
unsigned char *spnego_blob = NULL;
u16 spnego_blob_len;
@@ -1330,8 +1330,8 @@ static struct ksmbd_user *session_user(struct ksmbd_conn *conn,
static int ntlm_authenticate(struct ksmbd_work *work)
{
- struct smb2_sess_setup_req *req = REQUEST_BUF(work);
- struct smb2_sess_setup_rsp *rsp = RESPONSE_BUF(work);
+ struct smb2_sess_setup_req *req = work->request_buf;
+ struct smb2_sess_setup_rsp *rsp = work->response_buf;
struct ksmbd_conn *conn = work->conn;
struct ksmbd_session *sess = work->sess;
struct channel *chann = NULL;
@@ -1473,8 +1473,8 @@ static int ntlm_authenticate(struct ksmbd_work *work)
#ifdef CONFIG_SMB_SERVER_KERBEROS5
static int krb5_authenticate(struct ksmbd_work *work)
{
- struct smb2_sess_setup_req *req = REQUEST_BUF(work);
- struct smb2_sess_setup_rsp *rsp = RESPONSE_BUF(work);
+ struct smb2_sess_setup_req *req = work->request_buf;
+ struct smb2_sess_setup_rsp *rsp = work->response_buf;
struct ksmbd_conn *conn = work->conn;
struct ksmbd_session *sess = work->sess;
char *in_blob, *out_blob;
@@ -1570,8 +1570,8 @@ static int krb5_authenticate(struct ksmbd_work *work)
int smb2_sess_setup(struct ksmbd_work *work)
{
struct ksmbd_conn *conn = work->conn;
- struct smb2_sess_setup_req *req = REQUEST_BUF(work);
- struct smb2_sess_setup_rsp *rsp = RESPONSE_BUF(work);
+ struct smb2_sess_setup_req *req = work->request_buf;
+ struct smb2_sess_setup_rsp *rsp = work->response_buf;
struct ksmbd_session *sess;
struct negotiate_message *negblob;
int rc = 0;
@@ -1695,8 +1695,8 @@ int smb2_sess_setup(struct ksmbd_work *work)
int smb2_tree_connect(struct ksmbd_work *work)
{
struct ksmbd_conn *conn = work->conn;
- struct smb2_tree_connect_req *req = REQUEST_BUF(work);
- struct smb2_tree_connect_rsp *rsp = RESPONSE_BUF(work);
+ struct smb2_tree_connect_req *req = work->request_buf;
+ struct smb2_tree_connect_rsp *rsp = work->response_buf;
struct ksmbd_session *sess = work->sess;
char *treename = NULL, *name = NULL;
struct ksmbd_tree_conn_status status;
@@ -1858,7 +1858,7 @@ static int smb2_create_open_flags(bool file_present, __le32 access,
*/
int smb2_tree_disconnect(struct ksmbd_work *work)
{
- struct smb2_tree_disconnect_rsp *rsp = RESPONSE_BUF(work);
+ struct smb2_tree_disconnect_rsp *rsp = work->response_buf;
struct ksmbd_session *sess = work->sess;
struct ksmbd_tree_connect *tcon = work->tcon;
@@ -1868,7 +1868,7 @@ int smb2_tree_disconnect(struct ksmbd_work *work)
ksmbd_debug(SMB, "request\n");
if (!tcon) {
- struct smb2_tree_disconnect_req *req = REQUEST_BUF(work);
+ struct smb2_tree_disconnect_req *req = work->request_buf;
ksmbd_debug(SMB, "Invalid tid %d\n", req->hdr.Id.SyncId.TreeId);
rsp->hdr.Status = STATUS_NETWORK_NAME_DELETED;
@@ -1890,7 +1890,7 @@ int smb2_tree_disconnect(struct ksmbd_work *work)
int smb2_session_logoff(struct ksmbd_work *work)
{
struct ksmbd_conn *conn = work->conn;
- struct smb2_logoff_rsp *rsp = RESPONSE_BUF(work);
+ struct smb2_logoff_rsp *rsp = work->response_buf;
struct ksmbd_session *sess = work->sess;
rsp->StructureSize = cpu_to_le16(4);
@@ -1907,7 +1907,7 @@ int smb2_session_logoff(struct ksmbd_work *work)
ksmbd_conn_wait_idle(conn);
if (ksmbd_tree_conn_session_logoff(sess)) {
- struct smb2_logoff_req *req = REQUEST_BUF(work);
+ struct smb2_logoff_req *req = work->request_buf;
ksmbd_debug(SMB, "Invalid tid %d\n", req->hdr.Id.SyncId.TreeId);
rsp->hdr.Status = STATUS_NETWORK_NAME_DELETED;
@@ -1934,8 +1934,8 @@ int smb2_session_logoff(struct ksmbd_work *work)
*/
static noinline int create_smb2_pipe(struct ksmbd_work *work)
{
- struct smb2_create_rsp *rsp = RESPONSE_BUF(work);
- struct smb2_create_req *req = REQUEST_BUF(work);
+ struct smb2_create_rsp *rsp = work->response_buf;
+ struct smb2_create_req *req = work->request_buf;
int id;
int err;
char *name;
@@ -2490,7 +2490,7 @@ int smb2_open(struct ksmbd_work *work)
umode_t posix_mode = 0;
__le32 daccess, maximal_access = 0;
- rsp_org = RESPONSE_BUF(work);
+ rsp_org = work->response_buf;
WORK_BUFFERS(work, req, rsp);
if (req->hdr.NextCommand && !work->next_smb2_rcv_hdr_off &&
@@ -3889,7 +3889,7 @@ int smb2_query_dir(struct ksmbd_work *work)
int buffer_sz;
struct smb2_query_dir_private query_dir_private = {NULL, };
- rsp_org = RESPONSE_BUF(work);
+ rsp_org = work->response_buf;
WORK_BUFFERS(work, req, rsp);
if (ksmbd_override_fsids(work)) {
@@ -5190,7 +5190,7 @@ int smb2_query_info(struct ksmbd_work *work)
struct smb2_query_info_rsp *rsp, *rsp_org;
int rc = 0;
- rsp_org = RESPONSE_BUF(work);
+ rsp_org = work->response_buf;
WORK_BUFFERS(work, req, rsp);
ksmbd_debug(SMB, "GOT query info request\n");
@@ -5244,8 +5244,8 @@ int smb2_query_info(struct ksmbd_work *work)
static noinline int smb2_close_pipe(struct ksmbd_work *work)
{
uint64_t id;
- struct smb2_close_req *req = REQUEST_BUF(work);
- struct smb2_close_rsp *rsp = RESPONSE_BUF(work);
+ struct smb2_close_req *req = work->request_buf;
+ struct smb2_close_rsp *rsp = work->response_buf;
id = le64_to_cpu(req->VolatileFileId);
ksmbd_session_rpc_close(work->sess, id);
@@ -5283,7 +5283,7 @@ int smb2_close(struct ksmbd_work *work)
u64 time;
int err = 0;
- rsp_org = RESPONSE_BUF(work);
+ rsp_org = work->response_buf;
WORK_BUFFERS(work, req, rsp);
if (test_share_config_flag(work->tcon->share_conf,
@@ -5386,7 +5386,7 @@ int smb2_close(struct ksmbd_work *work)
*/
int smb2_echo(struct ksmbd_work *work)
{
- struct smb2_echo_rsp *rsp = RESPONSE_BUF(work);
+ struct smb2_echo_rsp *rsp = work->response_buf;
rsp->StructureSize = cpu_to_le16(4);
rsp->Reserved = 0;
@@ -5974,7 +5974,7 @@ int smb2_set_info(struct ksmbd_work *work)
ksmbd_debug(SMB, "Received set info request\n");
- rsp_org = RESPONSE_BUF(work);
+ rsp_org = work->response_buf;
if (work->next_smb2_rcv_hdr_off) {
req = REQUEST_BUF_NEXT(work);
rsp = RESPONSE_BUF_NEXT(work);
@@ -5985,8 +5985,8 @@ int smb2_set_info(struct ksmbd_work *work)
pid = work->compound_pfid;
}
} else {
- req = REQUEST_BUF(work);
- rsp = RESPONSE_BUF(work);
+ req = work->request_buf;
+ rsp = work->response_buf;
}
if (!HAS_FILE_ID(id)) {
@@ -6062,8 +6062,8 @@ static noinline int smb2_read_pipe(struct ksmbd_work *work)
int nbytes = 0, err;
uint64_t id;
struct ksmbd_rpc_command *rpc_resp;
- struct smb2_read_req *req = REQUEST_BUF(work);
- struct smb2_read_rsp *rsp = RESPONSE_BUF(work);
+ struct smb2_read_req *req = work->request_buf;
+ struct smb2_read_rsp *rsp = work->response_buf;
id = le64_to_cpu(req->VolatileFileId);
@@ -6155,7 +6155,7 @@ int smb2_read(struct ksmbd_work *work)
ssize_t nbytes = 0, remain_bytes = 0;
int err = 0;
- rsp_org = RESPONSE_BUF(work);
+ rsp_org = work->response_buf;
WORK_BUFFERS(work, req, rsp);
if (test_share_config_flag(work->tcon->share_conf,
@@ -6212,10 +6212,10 @@ int smb2_read(struct ksmbd_work *work)
if ((nbytes == 0 && length != 0) || nbytes < mincount) {
if (server_conf.flags & KSMBD_GLOBAL_FLAG_CACHE_RBUF)
- ksmbd_release_buffer(AUX_PAYLOAD(work));
+ ksmbd_release_buffer(work->aux_payload_buf);
else
- ksmbd_free_response(AUX_PAYLOAD(work));
- INIT_AUX_PAYLOAD(work);
+ ksmbd_free_response(work->aux_payload_buf);
+ work->aux_payload_buf = NULL;
rsp->hdr.Status = STATUS_END_OF_FILE;
smb2_set_err_rsp(work);
ksmbd_fd_put(work, fp);
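Review bot: open-coding INIT_AUX_PAYLOAD() as `work->aux_payload_buf = NULL;` shows that only the pointer is reset on this STATUS_END_OF_FILE path, while ksmbd_conn_write() in this same patch decides whether to send the aux payload from work->aux_payload_sz. Nothing in the visible lines sets or clears the size here, so please confirm aux_payload_sz is still zero at this point, or reset it alongside the pointer.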
@@ -6229,12 +6229,12 @@ int smb2_read(struct ksmbd_work *work)
req->Channel == SMB2_CHANNEL_RDMA_V1) {
/* write data to the client using rdma channel */
remain_bytes = smb2_read_rdma_channel(work, req,
- AUX_PAYLOAD(work), nbytes);
+ work->aux_payload_buf, nbytes);
if (server_conf.flags & KSMBD_GLOBAL_FLAG_CACHE_RBUF)
- ksmbd_release_buffer(AUX_PAYLOAD(work));
+ ksmbd_release_buffer(work->aux_payload_buf);
else
- ksmbd_free_response(AUX_PAYLOAD(work));
- INIT_AUX_PAYLOAD(work);
+ ksmbd_free_response(work->aux_payload_buf);
+ work->aux_payload_buf = NULL;
nbytes = 0;
if (remain_bytes < 0) {
@@ -6287,8 +6287,8 @@ int smb2_read(struct ksmbd_work *work)
*/
static noinline int smb2_write_pipe(struct ksmbd_work *work)
{
- struct smb2_write_req *req = REQUEST_BUF(work);
- struct smb2_write_rsp *rsp = RESPONSE_BUF(work);
+ struct smb2_write_req *req = work->request_buf;
+ struct smb2_write_rsp *rsp = work->response_buf;
struct ksmbd_rpc_command *rpc_resp;
uint64_t id = 0;
int err = 0, ret = 0;
@@ -6418,7 +6418,7 @@ int smb2_write(struct ksmbd_work *work)
bool writethrough = false;
int err = 0;
- rsp_org = RESPONSE_BUF(work);
+ rsp_org = work->response_buf;
WORK_BUFFERS(work, req, rsp);
if (test_share_config_flag(work->tcon->share_conf,
@@ -6548,7 +6548,7 @@ int smb2_flush(struct ksmbd_work *work)
struct smb2_flush_rsp *rsp, *rsp_org;
int err;
- rsp_org = RESPONSE_BUF(work);
+ rsp_org = work->response_buf;
WORK_BUFFERS(work, req, rsp);
ksmbd_debug(SMB, "SMB2_FLUSH called for fid %llu\n",
@@ -6583,7 +6583,7 @@ int smb2_flush(struct ksmbd_work *work)
int smb2_cancel(struct ksmbd_work *work)
{
struct ksmbd_conn *conn = work->conn;
- struct smb2_hdr *hdr = REQUEST_BUF(work);
+ struct smb2_hdr *hdr = work->request_buf;
struct smb2_hdr *chdr;
struct ksmbd_work *cancel_work = NULL;
struct list_head *tmp;
@@ -6600,7 +6600,7 @@ int smb2_cancel(struct ksmbd_work *work)
list_for_each(tmp, command_list) {
cancel_work = list_entry(tmp, struct ksmbd_work,
async_request_entry);
- chdr = REQUEST_BUF(cancel_work);
+ chdr = cancel_work->request_buf;
if (cancel_work->async_id !=
le64_to_cpu(hdr->Id.AsyncId))
@@ -6621,7 +6621,7 @@ int smb2_cancel(struct ksmbd_work *work)
list_for_each(tmp, command_list) {
cancel_work = list_entry(tmp, struct ksmbd_work,
request_entry);
- chdr = REQUEST_BUF(cancel_work);
+ chdr = cancel_work->request_buf;
if (chdr->MessageId != hdr->MessageId ||
cancel_work == work)
@@ -6754,8 +6754,8 @@ static inline bool lock_defer_pending(struct file_lock *fl)
*/
int smb2_lock(struct ksmbd_work *work)
{
- struct smb2_lock_req *req = REQUEST_BUF(work);
- struct smb2_lock_rsp *rsp = RESPONSE_BUF(work);
+ struct smb2_lock_req *req = work->request_buf;
+ struct smb2_lock_rsp *rsp = work->response_buf;
struct smb2_lock_element *lock_ele;
struct ksmbd_file *fp = NULL;
struct file_lock *flock = NULL;
@@ -7504,7 +7504,7 @@ int smb2_ioctl(struct ksmbd_work *work)
struct ksmbd_conn *conn = work->conn;
int ret = 0;
- rsp_org = RESPONSE_BUF(work);
+ rsp_org = work->response_buf;
if (work->next_smb2_rcv_hdr_off) {
req = REQUEST_BUF_NEXT(work);
rsp = RESPONSE_BUF_NEXT(work);
@@ -7514,8 +7514,8 @@ int smb2_ioctl(struct ksmbd_work *work)
id = work->compound_fid;
}
} else {
- req = REQUEST_BUF(work);
- rsp = RESPONSE_BUF(work);
+ req = work->request_buf;
+ rsp = work->response_buf;
}
if (!HAS_FILE_ID(id))
@@ -7725,8 +7725,8 @@ int smb2_ioctl(struct ksmbd_work *work)
*/
static void smb20_oplock_break_ack(struct ksmbd_work *work)
{
- struct smb2_oplock_break *req = REQUEST_BUF(work);
- struct smb2_oplock_break *rsp = RESPONSE_BUF(work);
+ struct smb2_oplock_break *req = work->request_buf;
+ struct smb2_oplock_break *rsp = work->response_buf;
struct ksmbd_file *fp;
struct oplock_info *opinfo = NULL;
__le32 err = 0;
@@ -7867,8 +7867,8 @@ static int check_lease_state(struct lease *lease, __le32 req_state)
static void smb21_lease_break_ack(struct ksmbd_work *work)
{
struct ksmbd_conn *conn = work->conn;
- struct smb2_lease_ack *req = REQUEST_BUF(work);
- struct smb2_lease_ack *rsp = RESPONSE_BUF(work);
+ struct smb2_lease_ack *req = work->request_buf;
+ struct smb2_lease_ack *rsp = work->response_buf;
struct oplock_info *opinfo;
__le32 err = 0;
int ret = 0;
@@ -8000,8 +8000,8 @@ static void smb21_lease_break_ack(struct ksmbd_work *work)
*/
int smb2_oplock_break(struct ksmbd_work *work)
{
- struct smb2_oplock_break *req = REQUEST_BUF(work);
- struct smb2_oplock_break *rsp = RESPONSE_BUF(work);
+ struct smb2_oplock_break *req = work->request_buf;
+ struct smb2_oplock_break *rsp = work->response_buf;
switch (le16_to_cpu(req->StructureSize)) {
case OP_BREAK_STRUCT_SIZE_20:
@@ -8053,7 +8053,7 @@ int smb2_notify(struct ksmbd_work *work)
*/
bool smb2_is_sign_req(struct ksmbd_work *work, unsigned int command)
{
- struct smb2_hdr *rcv_hdr2 = REQUEST_BUF(work);
+ struct smb2_hdr *rcv_hdr2 = work->request_buf;
if ((rcv_hdr2->Flags & SMB2_FLAGS_SIGNED) &&
command != SMB2_NEGOTIATE_HE &&
@@ -8078,7 +8078,7 @@ int smb2_check_sign_req(struct ksmbd_work *work)
struct kvec iov[1];
size_t len;
- hdr_org = hdr = REQUEST_BUF(work);
+ hdr_org = hdr = work->request_buf;
if (work->next_smb2_rcv_hdr_off)
hdr = REQUEST_BUF_NEXT(work);
@@ -8122,7 +8122,7 @@ void smb2_set_sign_rsp(struct ksmbd_work *work)
size_t len;
int n_vec = 1;
- hdr_org = hdr = RESPONSE_BUF(work);
+ hdr_org = hdr = work->response_buf;
if (work->next_smb2_rsp_hdr_off)
hdr = RESPONSE_BUF_NEXT(work);
@@ -8146,11 +8146,11 @@ void smb2_set_sign_rsp(struct ksmbd_work *work)
iov[0].iov_base = (char *)&hdr->ProtocolId;
iov[0].iov_len = len;
- if (HAS_AUX_PAYLOAD(work)) {
- iov[0].iov_len -= AUX_PAYLOAD_SIZE(work);
+ if (work->aux_payload_sz) {
+ iov[0].iov_len -= work->aux_payload_sz;
- iov[1].iov_base = AUX_PAYLOAD(work);
- iov[1].iov_len = AUX_PAYLOAD_SIZE(work);
+ iov[1].iov_base = work->aux_payload_buf;
+ iov[1].iov_len = work->aux_payload_sz;
n_vec++;
}
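Review bot: `iov[0].iov_len -= work->aux_payload_sz` in smb2_set_sign_rsp() subtracts without any visible check that `len` is at least `aux_payload_sz`, so a smaller `len` would wrap the unsigned length and the signature would be computed over the wrong range. The macro removal is a good moment to add an explicit bound check (or a WARN_ON) before the subtraction, or to note in a comment where that invariant is established.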
@@ -8176,7 +8176,7 @@ int smb3_check_sign_req(struct ksmbd_work *work)
struct kvec iov[1];
size_t len;
- hdr_org = hdr = REQUEST_BUF(work);
+ hdr_org = hdr = work->request_buf;
if (work->next_smb2_rcv_hdr_off)
hdr = REQUEST_BUF_NEXT(work);
@@ -8237,7 +8237,7 @@ void smb3_set_sign_rsp(struct ksmbd_work *work)
size_t len;
char *signing_key;
- hdr_org = hdr = RESPONSE_BUF(work);
+ hdr_org = hdr = work->response_buf;
if (work->next_smb2_rsp_hdr_off)
hdr = RESPONSE_BUF_NEXT(work);
@@ -8273,10 +8273,10 @@ void smb3_set_sign_rsp(struct ksmbd_work *work)
memset(hdr->Signature, 0, SMB2_SIGNATURE_SIZE);
iov[0].iov_base = (char *)&hdr->ProtocolId;
iov[0].iov_len = len;
- if (HAS_AUX_PAYLOAD(work)) {
- iov[0].iov_len -= AUX_PAYLOAD_SIZE(work);
- iov[1].iov_base = AUX_PAYLOAD(work);
- iov[1].iov_len = AUX_PAYLOAD_SIZE(work);
+ if (work->aux_payload_sz) {
+ iov[0].iov_len -= work->aux_payload_sz;
+ iov[1].iov_base = work->aux_payload_buf;
+ iov[1].iov_len = work->aux_payload_sz;
n_vec++;
}
@@ -8336,11 +8336,11 @@ static void fill_transform_hdr(struct smb2_transform_hdr *tr_hdr,
int smb3_encrypt_resp(struct ksmbd_work *work)
{
- char *buf = RESPONSE_BUF(work);
+ char *buf = work->response_buf;
struct smb2_transform_hdr *tr_hdr;
struct kvec iov[3];
int rc = -ENOMEM;
- int buf_size = 0, rq_nvec = 2 + (HAS_AUX_PAYLOAD(work) ? 1 : 0);
+ int buf_size = 0, rq_nvec = 2 + (work->aux_payload_sz ? 1 : 0);
if (ARRAY_SIZE(iov) < rq_nvec)
return -ENOMEM;
@@ -8358,11 +8358,11 @@ int smb3_encrypt_resp(struct ksmbd_work *work)
iov[1].iov_base = buf + 4;
iov[1].iov_len = get_rfc1002_len(buf);
- if (HAS_AUX_PAYLOAD(work)) {
- iov[1].iov_len = RESP_HDR_SIZE(work) - 4;
+ if (work->aux_payload_sz) {
+ iov[1].iov_len = work->resp_hdr_sz - 4;
- iov[2].iov_base = AUX_PAYLOAD(work);
- iov[2].iov_len = AUX_PAYLOAD_SIZE(work);
+ iov[2].iov_base = work->aux_payload_buf;
+ iov[2].iov_len = work->aux_payload_sz;
buf_size += iov[2].iov_len;
}
buf_size += iov[1].iov_len;
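Review bot: `iov[1].iov_len = work->resp_hdr_sz - 4` assumes `resp_hdr_sz` is at least 4 whenever `aux_payload_sz` is non-zero, and nothing in the hunk enforces that. With the `RESP_HDR_SIZE()` wrapper gone the raw field is now read directly here, so please either check it before use or add a comment saying which setter guarantees it. Note also that `buf_size` is declared as `int` in this function while it accumulates `iov_len` values.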
@@ -8390,7 +8390,7 @@ int smb3_decrypt_req(struct ksmbd_work *work)
{
struct ksmbd_conn *conn = work->conn;
struct ksmbd_session *sess;
- char *buf = REQUEST_BUF(work);
+ char *buf = work->request_buf;
struct smb2_hdr *hdr;
unsigned int pdu_length = get_rfc1002_len(buf);
struct kvec iov[2];
@@ -8437,7 +8437,7 @@ int smb3_decrypt_req(struct ksmbd_work *work)
bool smb3_11_final_sess_setup_resp(struct ksmbd_work *work)
{
struct ksmbd_conn *conn = work->conn;
- struct smb2_hdr *rsp = RESPONSE_BUF(work);
+ struct smb2_hdr *rsp = work->response_buf;
if (conn->dialect < SMB30_PROT_ID)
return false;
diff --git a/fs/cifsd/smb_common.c b/fs/cifsd/smb_common.c
index 2f58ef003238..da1928b948f8 100644
--- a/fs/cifsd/smb_common.c
+++ b/fs/cifsd/smb_common.c
@@ -116,7 +116,7 @@ int ksmbd_lookup_protocol_idx(char *str)
*/
int ksmbd_verify_smb_message(struct ksmbd_work *work)
{
- struct smb2_hdr *smb2_hdr = REQUEST_BUF(work);
+ struct smb2_hdr *smb2_hdr = work->request_buf;
if (smb2_hdr->ProtocolId == SMB2_PROTO_NUMBER)
return ksmbd_smb2_check_message(work);
@@ -408,7 +408,7 @@ static int __smb2_negotiate(struct ksmbd_conn *conn)
static int smb_handle_negotiate(struct ksmbd_work *work)
{
- struct smb_negotiate_rsp *neg_rsp = RESPONSE_BUF(work);
+ struct smb_negotiate_rsp *neg_rsp = work->response_buf;
ksmbd_debug(SMB, "Unsupported SMB protocol\n");
neg_rsp->hdr.Status.CifsError = STATUS_INVALID_LOGON_TYPE;
@@ -420,11 +420,11 @@ int ksmbd_smb_negotiate_common(struct ksmbd_work *work, unsigned int command)
struct ksmbd_conn *conn = work->conn;
int ret;
- conn->dialect = ksmbd_negotiate_smb_dialect(REQUEST_BUF(work));
+ conn->dialect = ksmbd_negotiate_smb_dialect(work->request_buf);
ksmbd_debug(SMB, "conn->dialect 0x%x\n", conn->dialect);
if (command == SMB2_NEGOTIATE_HE) {
- struct smb2_hdr *smb2_hdr = REQUEST_BUF(work);
+ struct smb2_hdr *smb2_hdr = work->request_buf;
if (smb2_hdr->ProtocolId != SMB2_PROTO_NUMBER) {
ksmbd_debug(SMB, "Downgrade to SMB1 negotiation\n");
diff --git a/fs/cifsd/vfs.c b/fs/cifsd/vfs.c
index 3d7413b8f526..e860ff9145a7 100644
--- a/fs/cifsd/vfs.c
+++ b/fs/cifsd/vfs.c
@@ -372,7 +372,7 @@ int ksmbd_vfs_read(struct ksmbd_work *work,
char namebuf[NAME_MAX];
int ret;
- rbuf = AUX_PAYLOAD(work);
+ rbuf = work->aux_payload_buf;
filp = fp->filp;
inode = d_inode(filp->f_path.dentry);
if (S_ISDIR(inode->i_mode))
From patchwork Mon Nov 14 12:48:48 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Jason Yan <yanaijie(a)huawei.com>
X-Patchwork-Id: 183116
Return-Path: <yanaijie(a)huawei.com>
From: Jason Yan <yanaijie(a)huawei.com>
To: <yanaijie(a)huawei.com>, <zhengzengkai(a)huawei.com>, <xiexiuqi(a)huawei.com>,
<yi.zhang(a)huawei.com>, <patchwork(a)huawei.com>, <kernel.openeuler(a)huawei.com>,
<houtao1(a)huawei.com>
Subject: [PATCH OLK-5.10 v2 019/308] cifsd: fix wrong use of rw semaphore in
__session_create()
Date: Mon, 14 Nov 2022 20:48:48 +0800
Message-ID: <20221114125337.1831594-20-yanaijie(a)huawei.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20221114125337.1831594-1-yanaijie(a)huawei.com>
References: <20221114125337.1831594-1-yanaijie(a)huawei.com>
Content-Type: text/plain
From: Namjae Jeon <namjae.jeon(a)samsung.com>
mainline inclusion
from mainline-5.15-rc1
commit 69f447be15130b57cc00fa0a5c2d3fa949a46165
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G
CVE: NA
Reference: https://git.kernel.org/torvalds/linux/c/69f447be1513
-------------------------------
Adding list to session table should be protected by
down_write/up_write().
Signed-off-by: Namjae Jeon <namjae.jeon(a)samsung.com>
Signed-off-by: Steve French <stfrench(a)microsoft.com>
Signed-off-by: Jason Yan <yanaijie(a)huawei.com>
---
fs/cifsd/mgmt/user_session.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/fs/cifsd/mgmt/user_session.c b/fs/cifsd/mgmt/user_session.c
index afcdf76a3851..1b71a20dacdb 100644
--- a/fs/cifsd/mgmt/user_session.c
+++ b/fs/cifsd/mgmt/user_session.c
@@ -298,9 +298,9 @@ static struct ksmbd_session *__session_create(int protocol)
goto error;
if (protocol == CIFDS_SESSION_FLAG_SMB2) {
- down_read(&sessions_table_lock);
+ down_write(&sessions_table_lock);
hash_add(sessions_table, &sess->hlist, sess->id);
- up_read(&sessions_table_lock);
+ up_write(&sessions_table_lock);
}
return sess;
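Review bot: The commit message says which lock mode to use but not what goes wrong with the old one: `hash_add()` modifies `sessions_table`, so under `down_read()` two concurrent __session_create() calls can both hold the semaphore and insert at the same time. Stating that consequence in the log and adding a Fixes: tag would help backporters, and it is worth checking in the same patch that every other site that adds to or removes from `sessions_table` takes `sessions_table_lock` for write.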
From patchwork Mon Nov 14 12:48:49 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Jason Yan <yanaijie(a)huawei.com>
X-Patchwork-Id: 183117
Return-Path: <yanaijie(a)huawei.com>
From: Jason Yan <yanaijie(a)huawei.com>
To: <yanaijie(a)huawei.com>, <zhengzengkai(a)huawei.com>, <xiexiuqi(a)huawei.com>,
<yi.zhang(a)huawei.com>, <patchwork(a)huawei.com>, <kernel.openeuler(a)huawei.com>,
<houtao1(a)huawei.com>
Subject: [PATCH OLK-5.10 v2 020/308] cifsd: use kmalloc() for small
allocations
Date: Mon, 14 Nov 2022 20:48:49 +0800
Message-ID: <20221114125337.1831594-21-yanaijie(a)huawei.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20221114125337.1831594-1-yanaijie(a)huawei.com>
References: <20221114125337.1831594-1-yanaijie(a)huawei.com>
Content-Type: text/plain
From: Namjae Jeon <namjae.jeon(a)samsung.com>
mainline inclusion
from mainline-5.15-rc1
commit 20ea7fd2ac7513c90b5d0675360298ca6722593d
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G
CVE: NA
Reference: https://git.kernel.org/torvalds/linux/c/20ea7fd2ac75
-------------------------------
Just use kmalloc() for small allocations.
Signed-off-by: Namjae Jeon <namjae.jeon(a)samsung.com>
Signed-off-by: Steve French <stfrench(a)microsoft.com>
Signed-off-by: Jason Yan <yanaijie(a)huawei.com>
---
fs/cifsd/buffer_pool.c | 2 +-
fs/cifsd/mgmt/share_config.c | 4 ++--
fs/cifsd/mgmt/user_config.c | 4 ++--
fs/cifsd/mgmt/user_session.c | 4 ++--
fs/cifsd/oplock.c | 2 +-
fs/cifsd/smb2pdu.c | 4 ++--
fs/cifsd/transport_tcp.c | 2 +-
fs/cifsd/vfs_cache.c | 2 +-
8 files changed, 12 insertions(+), 12 deletions(-)
diff --git a/fs/cifsd/buffer_pool.c b/fs/cifsd/buffer_pool.c
index 864fea547c68..91c04879e931 100644
--- a/fs/cifsd/buffer_pool.c
+++ b/fs/cifsd/buffer_pool.c
@@ -63,7 +63,7 @@ static int register_wm_size_class(size_t sz)
{
struct wm_list *l, *nl;
- nl = kvmalloc(sizeof(struct wm_list), GFP_KERNEL);
+ nl = kmalloc(sizeof(struct wm_list), GFP_KERNEL);
if (!nl)
return -ENOMEM;
diff --git a/fs/cifsd/mgmt/share_config.c b/fs/cifsd/mgmt/share_config.c
index 9bc7f7555ee2..db780febd692 100644
--- a/fs/cifsd/mgmt/share_config.c
+++ b/fs/cifsd/mgmt/share_config.c
@@ -92,7 +92,7 @@ static int parse_veto_list(struct ksmbd_share_config *share,
while (veto_list_sz > 0) {
struct ksmbd_veto_pattern *p;
- p = ksmbd_alloc(sizeof(struct ksmbd_veto_pattern));
+ p = kzalloc(sizeof(struct ksmbd_veto_pattern), GFP_KERNEL);
if (!p)
return -ENOMEM;
@@ -129,7 +129,7 @@ static struct ksmbd_share_config *share_config_request(char *name)
if (resp->flags == KSMBD_SHARE_FLAG_INVALID)
goto out;
- share = ksmbd_alloc(sizeof(struct ksmbd_share_config));
+ share = kzalloc(sizeof(struct ksmbd_share_config), GFP_KERNEL);
if (!share)
goto out;
diff --git a/fs/cifsd/mgmt/user_config.c b/fs/cifsd/mgmt/user_config.c
index a1a454bfb57b..f0c2f8994a6b 100644
--- a/fs/cifsd/mgmt/user_config.c
+++ b/fs/cifsd/mgmt/user_config.c
@@ -31,7 +31,7 @@ struct ksmbd_user *ksmbd_alloc_user(struct ksmbd_login_response *resp)
{
struct ksmbd_user *user = NULL;
- user = ksmbd_alloc(sizeof(struct ksmbd_user));
+ user = kmalloc(sizeof(struct ksmbd_user), GFP_KERNEL);
if (!user)
return NULL;
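Review bot: `ksmbd_alloc()` becomes plain `kmalloc()` for `struct ksmbd_user` here, while most other `ksmbd_alloc()` call sites in this patch become `kzalloc()`. If `ksmbd_alloc()` returned zeroed memory, any member of `struct ksmbd_user` that ksmbd_alloc_user() does not assign explicitly is now uninitialized. Please either use `kzalloc()` here as well or say in the commit message that every member is assigned before use.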
@@ -40,7 +40,7 @@ struct ksmbd_user *ksmbd_alloc_user(struct ksmbd_login_response *resp)
user->gid = resp->gid;
user->uid = resp->uid;
user->passkey_sz = resp->hash_sz;
- user->passkey = ksmbd_alloc(resp->hash_sz);
+ user->passkey = kmalloc(resp->hash_sz, GFP_KERNEL);
if (user->passkey)
memcpy(user->passkey, resp->hash, resp->hash_sz);
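Review bot: `user->passkey_sz` is set from `resp->hash_sz` before the `kmalloc()` result is checked, so in the visible lines an allocation failure leaves a NULL `passkey` paired with a non-zero `passkey_sz`. `resp->hash_sz` is also a length taken from the login response rather than a constant, so the "small allocation" premise only holds if it is bounded before this point. A bound check here, or a comment naming where the bound is enforced, would make the switch from `ksmbd_alloc()` safe to reason about.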
diff --git a/fs/cifsd/mgmt/user_session.c b/fs/cifsd/mgmt/user_session.c
index 1b71a20dacdb..5a2113bf18ef 100644
--- a/fs/cifsd/mgmt/user_session.c
+++ b/fs/cifsd/mgmt/user_session.c
@@ -101,7 +101,7 @@ int ksmbd_session_rpc_open(struct ksmbd_session *sess, char *rpc_name)
if (!method)
return -EINVAL;
- entry = ksmbd_alloc(sizeof(struct ksmbd_session_rpc));
+ entry = kzalloc(sizeof(struct ksmbd_session_rpc), GFP_KERNEL);
if (!entry)
return -EINVAL;
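Review bot: The `if (!entry) return -EINVAL;` directly after the new `kzalloc()` reports an allocation failure as an invalid argument. `-ENOMEM` is the conventional return for this case, and since the patch already touches the allocation line it would be cheap to fix here.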
@@ -266,7 +266,7 @@ static struct ksmbd_session *__session_create(int protocol)
struct ksmbd_session *sess;
int ret;
- sess = ksmbd_alloc(sizeof(struct ksmbd_session));
+ sess = kzalloc(sizeof(struct ksmbd_session), GFP_KERNEL);
if (!sess)
return NULL;
diff --git a/fs/cifsd/oplock.c b/fs/cifsd/oplock.c
index 25823bb7d086..d76aa47e19e4 100644
--- a/fs/cifsd/oplock.c
+++ b/fs/cifsd/oplock.c
@@ -593,7 +593,7 @@ static int oplock_break_pending(struct oplock_info *opinfo, int req_op_level)
static inline int allocate_oplock_break_buf(struct ksmbd_work *work)
{
- work->response_buf = ksmbd_alloc_response(MAX_CIFS_SMALL_BUFFER_SIZE);
+ work->response_buf = kzalloc(MAX_CIFS_SMALL_BUFFER_SIZE, GFP_KERNEL);
if (!work->response_buf)
return -ENOMEM;
work->response_sz = MAX_CIFS_SMALL_BUFFER_SIZE;
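Review bot: `work->response_buf` is now allocated with `kzalloc()` in allocate_oplock_break_buf(), but the matching release is not part of this hunk. Please confirm that the path which frees `work->response_buf` for oplock break work accepts kmalloc memory, and change the free in the same patch if it still goes through the old `ksmbd_alloc_response()` counterpart with different assumptions.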
diff --git a/fs/cifsd/smb2pdu.c b/fs/cifsd/smb2pdu.c
index 460d5ba275bf..a1aa42b52597 100644
--- a/fs/cifsd/smb2pdu.c
+++ b/fs/cifsd/smb2pdu.c
@@ -1174,7 +1174,7 @@ static int alloc_preauth_hash(struct ksmbd_session *sess,
if (sess->Preauth_HashValue)
return 0;
- sess->Preauth_HashValue = ksmbd_alloc(PREAUTH_HASHVALUE_SIZE);
+ sess->Preauth_HashValue = kmalloc(PREAUTH_HASHVALUE_SIZE, GFP_KERNEL);
if (!sess->Preauth_HashValue)
return -ENOMEM;
@@ -8345,7 +8345,7 @@ int smb3_encrypt_resp(struct ksmbd_work *work)
if (ARRAY_SIZE(iov) < rq_nvec)
return -ENOMEM;
- tr_hdr = ksmbd_alloc_response(sizeof(struct smb2_transform_hdr));
+ tr_hdr = kzalloc(sizeof(struct smb2_transform_hdr), GFP_KERNEL);
if (!tr_hdr)
return rc;
diff --git a/fs/cifsd/transport_tcp.c b/fs/cifsd/transport_tcp.c
index 359401227d93..5dd8641f66ba 100644
--- a/fs/cifsd/transport_tcp.c
+++ b/fs/cifsd/transport_tcp.c
@@ -569,7 +569,7 @@ static struct interface *alloc_iface(char *ifname)
if (!ifname)
return NULL;
- iface = ksmbd_alloc(sizeof(struct interface));
+ iface = kzalloc(sizeof(struct interface), GFP_KERNEL);
if (!iface) {
kfree(ifname);
return NULL;
diff --git a/fs/cifsd/vfs_cache.c b/fs/cifsd/vfs_cache.c
index 34e045f27230..2b38628e1cb8 100644
--- a/fs/cifsd/vfs_cache.c
+++ b/fs/cifsd/vfs_cache.c
@@ -830,7 +830,7 @@ int ksmbd_file_table_flush(struct ksmbd_work *work)
int ksmbd_init_file_table(struct ksmbd_file_table *ft)
{
- ft->idr = ksmbd_alloc(sizeof(struct idr));
+ ft->idr = kzalloc(sizeof(struct idr), GFP_KERNEL);
if (!ft->idr)
return -ENOMEM;
From patchwork Mon Nov 14 12:48:50 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Jason Yan <yanaijie(a)huawei.com>
X-Patchwork-Id: 183118
Return-Path: <yanaijie(a)huawei.com>
From: Jason Yan <yanaijie(a)huawei.com>
To: <yanaijie(a)huawei.com>, <zhengzengkai(a)huawei.com>, <xiexiuqi(a)huawei.com>,
<yi.zhang(a)huawei.com>, <patchwork(a)huawei.com>, <kernel.openeuler(a)huawei.com>,
<houtao1(a)huawei.com>
Subject: [PATCH OLK-5.10 v2 021/308] cifsd: add the check to work file lock
and rename behaviors like Windows unless POSIX extensions are negotiated
Date: Mon, 14 Nov 2022 20:48:50 +0800
Message-ID: <20221114125337.1831594-22-yanaijie(a)huawei.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20221114125337.1831594-1-yanaijie(a)huawei.com>
References: <20221114125337.1831594-1-yanaijie(a)huawei.com>
Content-Type: text/plain
From: Namjae Jeon <namjae.jeon(a)samsung.com>
mainline inclusion
from mainline-5.15-rc1
commit c36fca8630dda0fba7b9672f3c99ac4e260a0fd0
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G
CVE: NA
Reference: https://git.kernel.org/torvalds/linux/c/c36fca8630dd
-------------------------------
This patch adds the check to work file lock and rename behaviors
like Windows if POSIX extensions are not negotiated.
Signed-off-by: Namjae Jeon <namjae.jeon(a)samsung.com>
Signed-off-by: Steve French <stfrench(a)microsoft.com>
Signed-off-by: Jason Yan <yanaijie(a)huawei.com>
---
fs/cifsd/vfs.c | 101 +++++++++++++++++++++++++++----------------------
1 file changed, 56 insertions(+), 45 deletions(-)
diff --git a/fs/cifsd/vfs.c b/fs/cifsd/vfs.c
index e860ff9145a7..f93cc55ea153 100644
--- a/fs/cifsd/vfs.c
+++ b/fs/cifsd/vfs.c
@@ -370,7 +370,6 @@ int ksmbd_vfs_read(struct ksmbd_work *work,
char *rbuf, *name;
struct inode *inode;
char namebuf[NAME_MAX];
- int ret;
rbuf = work->aux_payload_buf;
filp = fp->filp;
@@ -391,11 +390,15 @@ int ksmbd_vfs_read(struct ksmbd_work *work,
if (ksmbd_stream_fd(fp))
return ksmbd_vfs_stream_read(fp, rbuf, pos, count);
- ret = check_lock_range(filp, *pos, *pos + count - 1,
- READ);
- if (ret) {
- ksmbd_err("unable to read due to lock\n");
- return -EAGAIN;
+ if (!work->tcon->posix_extensions) {
+ int ret;
+
+ ret = check_lock_range(filp, *pos, *pos + count - 1,
+ READ);
+ if (ret) {
+ ksmbd_err("unable to read due to lock\n");
+ return -EAGAIN;
+ }
}
nbytes = kernel_read(filp, rbuf, count, pos);
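Review bot: Skipping `check_lock_range()` in ksmbd_vfs_read() when `work->tcon->posix_extensions` is set turns byte-range locks from enforced into advisory for those clients, and neither the code nor the commit message says so. A short comment above the new `if` would document the intent for later readers. The range end `*pos + count - 1` also falls before the start when `count` is 0, which this hunk re-indents but does not guard.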
@@ -504,11 +507,13 @@ int ksmbd_vfs_write(struct ksmbd_work *work, struct ksmbd_file *fp,
goto out;
}
- err = check_lock_range(filp, *pos, *pos + count - 1, WRITE);
- if (err) {
- ksmbd_err("unable to write due to lock\n");
- err = -EAGAIN;
- goto out;
+ if (!work->tcon->posix_extensions) {
+ err = check_lock_range(filp, *pos, *pos + count - 1, WRITE);
+ if (err) {
+ ksmbd_err("unable to write due to lock\n");
+ err = -EAGAIN;
+ goto out;
+ }
}
/* Do we need to break any of a levelII oplock? */
@@ -706,21 +711,23 @@ static int __ksmbd_vfs_rename(struct ksmbd_work *work,
struct dentry *dst_dent;
int err;
- spin_lock(&src_dent->d_lock);
- list_for_each_entry(dst_dent, &src_dent->d_subdirs, d_child) {
- struct ksmbd_file *child_fp;
+ if (!work->tcon->posix_extensions) {
+ spin_lock(&src_dent->d_lock);
+ list_for_each_entry(dst_dent, &src_dent->d_subdirs, d_child) {
+ struct ksmbd_file *child_fp;
- if (d_really_is_negative(dst_dent))
- continue;
+ if (d_really_is_negative(dst_dent))
+ continue;
- child_fp = ksmbd_lookup_fd_inode(d_inode(dst_dent));
- if (child_fp) {
- spin_unlock(&src_dent->d_lock);
- ksmbd_debug(VFS, "Forbid rename, sub file/dir is in use\n");
- return -EACCES;
+ child_fp = ksmbd_lookup_fd_inode(d_inode(dst_dent));
+ if (child_fp) {
+ spin_unlock(&src_dent->d_lock);
+ ksmbd_debug(VFS, "Forbid rename, sub file/dir is in use\n");
+ return -EACCES;
+ }
}
+ spin_unlock(&src_dent->d_lock);
}
- spin_unlock(&src_dent->d_lock);
if (d_really_is_negative(src_dent_parent))
return -ENOENT;
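Review bot: In the re-indented loop, the early `return -EACCES` releases `src_dent->d_lock` but does nothing with `child_fp`. If `ksmbd_lookup_fd_inode()` returns a referenced `ksmbd_file`, that reference is leaked on this path, and the lookup itself runs under a spinlock. Since the block is being moved anyway, please state in a comment whether the lookup takes a reference, and drop it before returning if it does.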
@@ -820,7 +827,6 @@ int ksmbd_vfs_truncate(struct ksmbd_work *work, const char *name,
{
struct path path;
int err = 0;
- struct inode *inode;
if (name) {
err = kern_path(name, 0, &path);
@@ -842,18 +848,21 @@ int ksmbd_vfs_truncate(struct ksmbd_work *work, const char *name,
/* Do we need to break any of a levelII oplock? */
smb_break_all_levII_oplock(work, fp, 1);
- inode = file_inode(filp);
- if (size < inode->i_size) {
- err = check_lock_range(filp, size,
- inode->i_size - 1, WRITE);
- } else {
- err = check_lock_range(filp, inode->i_size,
- size - 1, WRITE);
- }
+ if (!work->tcon->posix_extensions) {
+ struct inode *inode = file_inode(filp);
- if (err) {
- ksmbd_err("failed due to lock\n");
- return -EAGAIN;
+ if (size < inode->i_size) {
+ err = check_lock_range(filp, size,
+ inode->i_size - 1, WRITE);
+ } else {
+ err = check_lock_range(filp, inode->i_size,
+ size - 1, WRITE);
+ }
+
+ if (err) {
+ ksmbd_err("failed due to lock\n");
+ return -EAGAIN;
+ }
}
err = vfs_truncate(&filp->f_path, size);
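Review bot: When `size == inode->i_size` the else branch calls `check_lock_range(filp, inode->i_size, size - 1, WRITE)` with an end offset one byte before the start, and with -1 for an empty file. The logic is carried over unchanged into the new `posix_extensions` block, but a no-op truncate has no range to check, so skipping the call when the sizes are equal would avoid depending on how check_lock_range() treats an inverted range.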
@@ -1860,17 +1869,19 @@ int ksmbd_vfs_copy_file_ranges(struct ksmbd_work *work,
smb_break_all_levII_oplock(work, dst_fp, 1);
- for (i = 0; i < chunk_count; i++) {
- src_off = le64_to_cpu(chunks[i].SourceOffset);
- dst_off = le64_to_cpu(chunks[i].TargetOffset);
- len = le32_to_cpu(chunks[i].Length);
-
- if (check_lock_range(src_fp->filp, src_off,
- src_off + len - 1, READ))
- return -EAGAIN;
- if (check_lock_range(dst_fp->filp, dst_off,
- dst_off + len - 1, WRITE))
- return -EAGAIN;
+ if (!work->tcon->posix_extensions) {
+ for (i = 0; i < chunk_count; i++) {
+ src_off = le64_to_cpu(chunks[i].SourceOffset);
+ dst_off = le64_to_cpu(chunks[i].TargetOffset);
+ len = le32_to_cpu(chunks[i].Length);
+
+ if (check_lock_range(src_fp->filp, src_off,
+ src_off + len - 1, READ))
+ return -EAGAIN;
+ if (check_lock_range(dst_fp->filp, dst_off,
+ dst_off + len - 1, WRITE))
+ return -EAGAIN;
+ }
}
src_file_size = i_size_read(file_inode(src_fp->filp));
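Review bot: `src_off + len - 1` and `dst_off + len - 1` are computed from the request's chunk fields (`SourceOffset`, `TargetOffset`, `Length`) with no visible check for `len == 0` or for the addition overflowing. A zero-length chunk gives an end before the start, and a large offset can wrap. As the loop is being re-indented under the `posix_extensions` test, this is a natural place to validate each chunk before building the range, or to point to the earlier validation in a comment.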
From patchwork Mon Nov 14 12:48:51 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Jason Yan <yanaijie(a)huawei.com>
X-Patchwork-Id: 183119
Return-Path: <yanaijie(a)huawei.com>
From: Jason Yan <yanaijie(a)huawei.com>
To: <yanaijie(a)huawei.com>, <zhengzengkai(a)huawei.com>, <xiexiuqi(a)huawei.com>,
<yi.zhang(a)huawei.com>, <patchwork(a)huawei.com>, <kernel.openeuler(a)huawei.com>,
<houtao1(a)huawei.com>
Subject: [PATCH OLK-5.10 v2 022/308] cifsd: fix error return code in
ksmbd_vfs_remove_file()
Date: Mon, 14 Nov 2022 20:48:51 +0800
Message-ID: <20221114125337.1831594-23-yanaijie(a)huawei.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20221114125337.1831594-1-yanaijie(a)huawei.com>
References: <20221114125337.1831594-1-yanaijie(a)huawei.com>
Content-Type: text/plain
From: Namjae Jeon <namjae.jeon(a)samsung.com>
mainline inclusion
from mainline-5.15-rc1
commit 7cb82de3cdf2da0acd6fc3e670c7271ded37e116
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G
CVE: NA
Reference: https://git.kernel.org/torvalds/linux/c/7cb82de3cdf2
-------------------------------
Change -ENOENT error to -EINVAL to respond with STATUS_INVALID_PARAMETER.
Signed-off-by: Namjae Jeon <namjae.jeon(a)samsung.com>
Signed-off-by: Steve French <stfrench(a)microsoft.com>
Signed-off-by: Jason Yan <yanaijie(a)huawei.com>
---
fs/cifsd/vfs.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/fs/cifsd/vfs.c b/fs/cifsd/vfs.c
index f93cc55ea153..da44d131e25b 100644
--- a/fs/cifsd/vfs.c
+++ b/fs/cifsd/vfs.c
@@ -596,7 +596,7 @@ int ksmbd_vfs_remove_file(struct ksmbd_work *work, char *name)
last = extract_last_component(name);
if (!last)
- return -ENOENT;
+ return -EINVAL;
if (ksmbd_override_fsids(work))
return -ENOMEM;
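Review bot: The new `return -EINVAL` for a missing last component carries no comment, and the mapping to STATUS_INVALID_PARAMETER that the commit message relies on lives in a caller outside this hunk. A one-line comment at the return, or naming the caller in the log, would make that dependency visible to anyone changing either side later.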
From patchwork Mon Nov 14 12:48:52 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Jason Yan <yanaijie(a)huawei.com>
X-Patchwork-Id: 183120
Return-Path: <yanaijie(a)huawei.com>
From: Jason Yan <yanaijie(a)huawei.com>
To: <yanaijie(a)huawei.com>, <zhengzengkai(a)huawei.com>, <xiexiuqi(a)huawei.com>,
<yi.zhang(a)huawei.com>, <patchwork(a)huawei.com>, <kernel.openeuler(a)huawei.com>,
<houtao1(a)huawei.com>
Subject: [PATCH OLK-5.10 v2 023/308] cifsd: clean-up codes using chechpatch.pl
--strict
Date: Mon, 14 Nov 2022 20:48:52 +0800
Message-ID: <20221114125337.1831594-24-yanaijie(a)huawei.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20221114125337.1831594-1-yanaijie(a)huawei.com>
References: <20221114125337.1831594-1-yanaijie(a)huawei.com>
From: Namjae Jeon <namjae.jeon(a)samsung.com>
mainline inclusion
from mainline-5.15-rc1
commit 64b39f4a2fd293cf899dd8062c57ce3715dd7ee9
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G
CVE: NA
Reference: https://git.kernel.org/torvalds/linux/c/64b39f4a2fd2
-------------------------------
Dan Carpenter suggested running checkpatch.pl --strict on ksmbd to fix
check warnings. This patch does not fix all warnings, only the things that
I can understand.
Signed-off-by: Namjae Jeon <namjae.jeon(a)samsung.com>
Signed-off-by: Steve French <stfrench(a)microsoft.com>
Signed-off-by: Jason Yan <yanaijie(a)huawei.com>
---
fs/cifsd/auth.c | 117 ++---
fs/cifsd/buffer_pool.c | 3 +-
fs/cifsd/connection.c | 23 +-
fs/cifsd/connection.h | 34 +-
fs/cifsd/glob.h | 14 +-
fs/cifsd/ksmbd_server.h | 94 ++--
fs/cifsd/mgmt/user_session.h | 4 +-
fs/cifsd/misc.c | 9 +-
fs/cifsd/ndr.c | 9 +-
fs/cifsd/netmisc.c | 2 -
fs/cifsd/oplock.c | 118 +++--
fs/cifsd/oplock.h | 24 +-
fs/cifsd/server.c | 35 +-
fs/cifsd/smb2misc.c | 81 ++--
fs/cifsd/smb2ops.c | 2 +-
fs/cifsd/smb2pdu.c | 827 +++++++++++++++--------------------
fs/cifsd/smb2pdu.h | 129 +++---
fs/cifsd/smb_common.c | 68 ++-
fs/cifsd/smb_common.h | 4 +-
fs/cifsd/smbacl.c | 85 ++--
fs/cifsd/time_wrappers.h | 4 +-
fs/cifsd/transport_ipc.c | 46 +-
fs/cifsd/transport_ipc.h | 34 +-
fs/cifsd/transport_rdma.c | 163 ++++---
fs/cifsd/transport_tcp.c | 27 +-
fs/cifsd/unicode.c | 40 +-
fs/cifsd/unicode.h | 80 ++--
fs/cifsd/vfs.c | 158 +++----
fs/cifsd/vfs.h | 89 ++--
fs/cifsd/vfs_cache.c | 57 +--
fs/cifsd/vfs_cache.h | 35 +-
31 files changed, 1011 insertions(+), 1404 deletions(-)
diff --git a/fs/cifsd/auth.c b/fs/cifsd/auth.c
index 0a49c67a69d6..b9fd62f77e1c 100644
--- a/fs/cifsd/auth.c
+++ b/fs/cifsd/auth.c
@@ -64,7 +64,6 @@ static char NEGOTIATE_GSS_HEADER[AUTH_GSS_LENGTH] = {
#endif
};
-
void ksmbd_copy_gss_neg_header(void *buf)
{
memcpy(buf, NEGOTIATE_GSS_HEADER, AUTH_GSS_LENGTH);
@@ -107,9 +106,7 @@ smbhash(unsigned char *out, const unsigned char *in, unsigned char *key)
return 0;
}
-static int ksmbd_enc_p24(unsigned char *p21,
- const unsigned char *c8,
- unsigned char *p24)
+static int ksmbd_enc_p24(unsigned char *p21, const unsigned char *c8, unsigned char *p24)
{
int rc;
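Review bot: The joined prototype `static int ksmbd_enc_p24(unsigned char *p21, const unsigned char *c8, unsigned char *p24)` runs well past 80 columns, while every other prototype reflowed in this patch is wrapped onto a second line. Wrap this one after the second parameter as well so the file stays consistent.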
@@ -124,9 +121,8 @@ static int ksmbd_enc_p24(unsigned char *p21,
}
/* produce a md4 message digest from data of length n bytes */
-static int ksmbd_enc_md4(unsigned char *md4_hash,
- unsigned char *link_str,
- int link_len)
+static int ksmbd_enc_md4(unsigned char *md4_hash, unsigned char *link_str,
+ int link_len)
{
int rc;
struct ksmbd_crypto_ctx *ctx;
@@ -157,10 +153,8 @@ static int ksmbd_enc_md4(unsigned char *md4_hash,
return rc;
}
-static int ksmbd_enc_update_sess_key(unsigned char *md5_hash,
- char *nonce,
- char *server_challenge,
- int len)
+static int ksmbd_enc_update_sess_key(unsigned char *md5_hash, char *nonce,
+ char *server_challenge, int len)
{
int rc;
struct ksmbd_crypto_ctx *ctx;
@@ -204,9 +198,8 @@ static int ksmbd_enc_update_sess_key(unsigned char *md5_hash,
* @hmac: source hmac value to be used for finding session key
*
*/
-static int ksmbd_gen_sess_key(struct ksmbd_session *sess,
- char *hash,
- char *hmac)
+static int ksmbd_gen_sess_key(struct ksmbd_session *sess, char *hash,
+ char *hmac)
{
struct ksmbd_crypto_ctx *ctx;
int rc = -EINVAL;
@@ -251,7 +244,7 @@ static int ksmbd_gen_sess_key(struct ksmbd_session *sess,
}
static int calc_ntlmv2_hash(struct ksmbd_session *sess, char *ntlmv2_hash,
- char *dname)
+ char *dname)
{
int ret = -EINVAL, len;
wchar_t *domain = NULL;
@@ -361,8 +354,9 @@ int ksmbd_auth_ntlm(struct ksmbd_session *sess, char *pw_buf)
if (strncmp(pw_buf, key, CIFS_AUTH_RESP_SIZE) != 0) {
ksmbd_debug(AUTH, "ntlmv1 authentication failed\n");
rc = -EINVAL;
- } else
+ } else {
ksmbd_debug(AUTH, "ntlmv1 authentication pass\n");
+ }
return rc;
}
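Review bot: The context line `if (strncmp(pw_buf, key, CIFS_AUTH_RESP_SIZE) != 0)` compares an authentication response with a string function, and the brace cleanup leaves it as is. strncmp() stops at the first NUL byte, so if pw_buf and key hold raw response bytes rather than C strings, only the prefix up to the first zero byte is actually compared. A follow-up that switches to memcmp() over the full CIFS_AUTH_RESP_SIZE, or crypto_memneq() for a constant-time compare, would be worth queuing behind this style patch.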
@@ -376,10 +370,8 @@ int ksmbd_auth_ntlm(struct ksmbd_session *sess, char *pw_buf)
*
* Return: 0 on success, error number on error
*/
-int ksmbd_auth_ntlmv2(struct ksmbd_session *sess,
- struct ntlmv2_resp *ntlmv2,
- int blen,
- char *domain_name)
+int ksmbd_auth_ntlmv2(struct ksmbd_session *sess, struct ntlmv2_resp *ntlmv2,
+ int blen, char *domain_name)
{
char ntlmv2_hash[CIFS_ENCPWD_SIZE];
char ntlmv2_rsp[CIFS_HMAC_MD5_HASH_SIZE];
@@ -457,9 +449,8 @@ int ksmbd_auth_ntlmv2(struct ksmbd_session *sess,
*
* Return: 0 on success, error number on error
*/
-static int __ksmbd_auth_ntlmv2(struct ksmbd_session *sess,
- char *client_nonce,
- char *ntlm_resp)
+static int __ksmbd_auth_ntlmv2(struct ksmbd_session *sess, char *client_nonce,
+ char *ntlm_resp)
{
char sess_key[CIFS_SMB1_SESSKEY_SIZE] = {0};
int rc;
@@ -497,8 +488,7 @@ static int __ksmbd_auth_ntlmv2(struct ksmbd_session *sess,
* Return: 0 on success, error number on error
*/
int ksmbd_decode_ntlmssp_auth_blob(struct authenticate_message *authblob,
- int blob_len,
- struct ksmbd_session *sess)
+ int blob_len, struct ksmbd_session *sess)
{
char *domain_name;
unsigned int lm_off, nt_off;
@@ -523,8 +513,8 @@ int ksmbd_decode_ntlmssp_auth_blob(struct authenticate_message *authblob,
/* process NTLM authentication */
if (nt_len == CIFS_AUTH_RESP_SIZE) {
- if (le32_to_cpu(authblob->NegotiateFlags)
- & NTLMSSP_NEGOTIATE_EXTENDED_SEC)
+ if (le32_to_cpu(authblob->NegotiateFlags) &
+ NTLMSSP_NEGOTIATE_EXTENDED_SEC)
return __ksmbd_auth_ntlmv2(sess, (char *)authblob +
lm_off, (char *)authblob + nt_off);
else
@@ -533,8 +523,7 @@ int ksmbd_decode_ntlmssp_auth_blob(struct authenticate_message *authblob,
}
/* TODO : use domain name that imported from configuration file */
- domain_name = smb_strndup_from_utf16(
- (const char *)authblob +
+ domain_name = smb_strndup_from_utf16((const char *)authblob +
le32_to_cpu(authblob->DomainName.BufferOffset),
le16_to_cpu(authblob->DomainName.Length), true,
sess->conn->local_nls);
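Review bot: The reflowed smb_strndup_from_utf16() call reads from `authblob + le32_to_cpu(authblob->DomainName.BufferOffset)` for `le16_to_cpu(authblob->DomainName.Length)` bytes, and no comparison of that offset plus length against blob_len is visible in this hunk. Both fields come from the client's authenticate message, so please confirm that the range is validated earlier in ksmbd_decode_ntlmssp_auth_blob(), or add the check before this call. The same question applies to lm_off and nt_off in the preceding hunk.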
@@ -561,8 +550,7 @@ int ksmbd_decode_ntlmssp_auth_blob(struct authenticate_message *authblob,
*
*/
int ksmbd_decode_ntlmssp_neg_blob(struct negotiate_message *negblob,
- int blob_len,
- struct ksmbd_session *sess)
+ int blob_len, struct ksmbd_session *sess)
{
if (blob_len < sizeof(struct negotiate_message)) {
ksmbd_debug(AUTH, "negotiate blob len %d too small\n",
@@ -618,7 +606,7 @@ ksmbd_build_ntlmssp_challenge_blob(struct challenge_message *chgblob,
flags |= NTLMSSP_REQUEST_TARGET;
if (sess->conn->use_spnego &&
- (cflags & NTLMSSP_NEGOTIATE_EXTENDED_SEC))
+ (cflags & NTLMSSP_NEGOTIATE_EXTENDED_SEC))
flags |= NTLMSSP_NEGOTIATE_EXTENDED_SEC;
chgblob->NegotiateFlags = cpu_to_le32(flags);
@@ -675,9 +663,8 @@ ksmbd_build_ntlmssp_challenge_blob(struct challenge_message *chgblob,
}
#ifdef CONFIG_SMB_SERVER_KERBEROS5
-int ksmbd_krb5_authenticate(struct ksmbd_session *sess,
- char *in_blob, int in_len,
- char *out_blob, int *out_len)
+int ksmbd_krb5_authenticate(struct ksmbd_session *sess, char *in_blob,
+ int in_len, char *out_blob, int *out_len)
{
struct ksmbd_spnego_authen_response *resp;
struct ksmbd_user *user = NULL;
@@ -726,9 +713,8 @@ int ksmbd_krb5_authenticate(struct ksmbd_session *sess,
return retval;
}
#else
-int ksmbd_krb5_authenticate(struct ksmbd_session *sess,
- char *in_blob, int in_len,
- char *out_blob, int *out_len)
+int ksmbd_krb5_authenticate(struct ksmbd_session *sess, char *in_blob,
+ int in_len, char *out_blob, int *out_len)
{
return -EOPNOTSUPP;
}
@@ -743,11 +729,8 @@ int ksmbd_krb5_authenticate(struct ksmbd_session *sess,
* @sig: signature value generated for client request packet
*
*/
-int ksmbd_sign_smb2_pdu(struct ksmbd_conn *conn,
- char *key,
- struct kvec *iov,
- int n_vec,
- char *sig)
+int ksmbd_sign_smb2_pdu(struct ksmbd_conn *conn, char *key, struct kvec *iov,
+ int n_vec, char *sig)
{
struct ksmbd_crypto_ctx *ctx;
int rc = -EINVAL;
@@ -798,11 +781,8 @@ int ksmbd_sign_smb2_pdu(struct ksmbd_conn *conn,
* @sig: signature value generated for client request packet
*
*/
-int ksmbd_sign_smb3_pdu(struct ksmbd_conn *conn,
- char *key,
- struct kvec *iov,
- int n_vec,
- char *sig)
+int ksmbd_sign_smb3_pdu(struct ksmbd_conn *conn, char *key, struct kvec *iov,
+ int n_vec, char *sig)
{
struct ksmbd_crypto_ctx *ctx;
int rc = -EINVAL;
@@ -851,7 +831,7 @@ struct derivation {
};
static int generate_key(struct ksmbd_session *sess, struct kvec label,
- struct kvec context, __u8 *key, unsigned int key_size)
+ struct kvec context, __u8 *key, unsigned int key_size)
{
unsigned char zero = 0x0;
__u8 i[4] = {0, 0, 0, 1};
@@ -931,7 +911,7 @@ static int generate_key(struct ksmbd_session *sess, struct kvec label,
}
static int generate_smb3signingkey(struct ksmbd_session *sess,
- const struct derivation *signing)
+ const struct derivation *signing)
{
int rc;
struct channel *chann;
@@ -995,7 +975,7 @@ struct derivation_twin {
};
static int generate_smb3encryptionkey(struct ksmbd_session *sess,
- const struct derivation_twin *ptwin)
+ const struct derivation_twin *ptwin)
{
int rc;
@@ -1062,9 +1042,8 @@ int ksmbd_gen_smb311_encryptionkey(struct ksmbd_session *sess)
return generate_smb3encryptionkey(sess, &twin);
}
-int ksmbd_gen_preauth_integrity_hash(struct ksmbd_conn *conn,
- char *buf,
- __u8 *pi_hash)
+int ksmbd_gen_preauth_integrity_hash(struct ksmbd_conn *conn, char *buf,
+ __u8 *pi_hash)
{
int rc = -1;
struct smb2_hdr *rcv_hdr = (struct smb2_hdr *)buf;
@@ -1073,14 +1052,15 @@ int ksmbd_gen_preauth_integrity_hash(struct ksmbd_conn *conn,
struct ksmbd_crypto_ctx *ctx = NULL;
if (conn->preauth_info->Preauth_HashId ==
- SMB2_PREAUTH_INTEGRITY_SHA512) {
+ SMB2_PREAUTH_INTEGRITY_SHA512) {
ctx = ksmbd_crypto_ctx_find_sha512();
if (!ctx) {
ksmbd_debug(AUTH, "could not alloc sha512 rc %d\n", rc);
goto out;
}
- } else
+ } else {
goto out;
+ }
rc = crypto_shash_init(CRYPTO_SHA512(ctx));
if (rc) {
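Review bot: In the `if (!ctx)` branch, `ksmbd_debug(AUTH, "could not alloc sha512 rc %d\n", rc);` prints rc while it still holds its initial value from `int rc = -1;`, so the message always logs -1 and says nothing about the failure. The newly braced `else { goto out; }` path for an unsupported Preauth_HashId also leaves with that same -1 instead of an errno, assuming `out` returns rc. Since the patch already touches both branches, initialise rc to -EINVAL, set -ENOMEM on the allocation failure, and drop rc from the debug string.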
@@ -1144,10 +1124,8 @@ int ksmbd_gen_sd_hash(struct ksmbd_conn *conn, char *sd_buf, int len,
return rc;
}
-static int ksmbd_get_encryption_key(struct ksmbd_conn *conn,
- __u64 ses_id,
- int enc,
- u8 *key)
+static int ksmbd_get_encryption_key(struct ksmbd_conn *conn, __u64 ses_id,
+ int enc, u8 *key)
{
struct ksmbd_session *sess;
u8 *ses_enc_key;
@@ -1175,9 +1153,8 @@ static inline void smb2_sg_set_buf(struct scatterlist *sg, const void *buf,
sg_set_page(sg, addr, buflen, offset_in_page(buf));
}
-static struct scatterlist *ksmbd_init_sg(struct kvec *iov,
- unsigned int nvec,
- u8 *sign)
+static struct scatterlist *ksmbd_init_sg(struct kvec *iov, unsigned int nvec,
+ u8 *sign)
{
struct scatterlist *sg;
unsigned int assoc_data_len = sizeof(struct smb2_transform_hdr) - 24;
@@ -1190,8 +1167,9 @@ static struct scatterlist *ksmbd_init_sg(struct kvec *iov,
nr_entries[i] = ((kaddr + iov[i + 1].iov_len +
PAGE_SIZE - 1) >> PAGE_SHIFT) -
(kaddr >> PAGE_SHIFT);
- } else
+ } else {
nr_entries[i]++;
+ }
total_entries += nr_entries[i];
}
@@ -1232,16 +1210,13 @@ static struct scatterlist *ksmbd_init_sg(struct kvec *iov,
sg_set_page(&sg[sg_idx++], virt_to_page(data), len,
offset_in_page(data));
}
-
}
smb2_sg_set_buf(&sg[sg_idx], sign, SMB2_SIGNATURE_SIZE);
return sg;
}
-int ksmbd_crypt_message(struct ksmbd_conn *conn,
- struct kvec *iov,
- unsigned int nvec,
- int enc)
+int ksmbd_crypt_message(struct ksmbd_conn *conn, struct kvec *iov,
+ unsigned int nvec, int enc)
{
struct smb2_transform_hdr *tr_hdr =
(struct smb2_transform_hdr *)iov[0].iov_base;
@@ -1319,9 +1294,9 @@ int ksmbd_crypt_message(struct ksmbd_conn *conn,
goto free_sg;
}
- if (conn->cipher_type == SMB2_ENCRYPTION_AES128_GCM)
+ if (conn->cipher_type == SMB2_ENCRYPTION_AES128_GCM) {
memcpy(iv, (char *)tr_hdr->Nonce, SMB3_AES128GCM_NONCE);
- else {
+ } else {
iv[0] = 3;
memcpy(iv + 1, (char *)tr_hdr->Nonce, SMB3_AES128CCM_NONCE);
}
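Review bot: The rebraced `else` branch treats every cipher_type other than SMB2_ENCRYPTION_AES128_GCM as CCM, and `iv[0] = 3;` has no comment saying what the leading byte encodes. A one-line comment on the CCM IV layout, plus an explicit test for the CCM cipher type with an error return for anything else, would keep a future cipher addition from silently falling into this path.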
diff --git a/fs/cifsd/buffer_pool.c b/fs/cifsd/buffer_pool.c
index 91c04879e931..ad2a2c885a2c 100644
--- a/fs/cifsd/buffer_pool.c
+++ b/fs/cifsd/buffer_pool.c
@@ -278,8 +278,7 @@ int ksmbd_init_buffer_pools(void)
goto out;
filp_cache = kmem_cache_create("ksmbd_file_cache",
- sizeof(struct ksmbd_file), 0,
- SLAB_HWCACHE_ALIGN, NULL);
+ sizeof(struct ksmbd_file), 0, SLAB_HWCACHE_ALIGN, NULL);
if (!filp_cache)
goto out;
diff --git a/fs/cifsd/connection.c b/fs/cifsd/connection.c
index bdfde5ca2ded..df56e347b709 100644
--- a/fs/cifsd/connection.c
+++ b/fs/cifsd/connection.c
@@ -119,7 +119,7 @@ int ksmbd_conn_try_dequeue_request(struct ksmbd_work *work)
int ret = 1;
if (list_empty(&work->request_entry) &&
- list_empty(&work->async_request_entry))
+ list_empty(&work->async_request_entry))
return 0;
atomic_dec(&conn->req_running);
@@ -201,10 +201,9 @@ int ksmbd_conn_write(struct ksmbd_work *work)
return 0;
}
-int ksmbd_conn_rdma_read(struct ksmbd_conn *conn,
- void *buf, unsigned int buflen,
- u32 remote_key, u64 remote_offset,
- u32 remote_len)
+int ksmbd_conn_rdma_read(struct ksmbd_conn *conn, void *buf,
+ unsigned int buflen, u32 remote_key, u64 remote_offset,
+ u32 remote_len)
{
int ret = -EINVAL;
@@ -216,10 +215,9 @@ int ksmbd_conn_rdma_read(struct ksmbd_conn *conn,
return ret;
}
-int ksmbd_conn_rdma_write(struct ksmbd_conn *conn,
- void *buf, unsigned int buflen,
- u32 remote_key, u64 remote_offset,
- u32 remote_len)
+int ksmbd_conn_rdma_write(struct ksmbd_conn *conn, void *buf,
+ unsigned int buflen, u32 remote_key, u64 remote_offset,
+ u32 remote_len)
{
int ret = -EINVAL;
@@ -251,7 +249,7 @@ bool ksmbd_conn_alive(struct ksmbd_conn *conn)
* zero.
*/
if (server_conf.deadtime > 0 &&
- time_after(jiffies, conn->last_active + server_conf.deadtime)) {
+ time_after(jiffies, conn->last_active + server_conf.deadtime)) {
ksmbd_debug(CONN, "No response from client in %lu minutes\n",
server_conf.deadtime / SMB_ECHO_INTERVAL);
return false;
@@ -393,14 +391,13 @@ static void stop_sessions(void)
task = conn->transport->handler;
if (task)
ksmbd_debug(CONN, "Stop session handler %s/%d\n",
- task->comm,
- task_pid_nr(task));
+ task->comm, task_pid_nr(task));
conn->status = KSMBD_SESS_EXITING;
}
read_unlock(&conn_list_lock);
if (!list_empty(&conn_list)) {
- schedule_timeout_interruptible(HZ/10); /* 100ms */
+ schedule_timeout_interruptible(HZ / 10); /* 100ms */
goto again;
}
}
diff --git a/fs/cifsd/connection.h b/fs/cifsd/connection.h
index 179fb9278999..021dada3d76d 100644
--- a/fs/cifsd/connection.h
+++ b/fs/cifsd/connection.h
@@ -116,17 +116,15 @@ struct ksmbd_conn_ops {
struct ksmbd_transport_ops {
int (*prepare)(struct ksmbd_transport *t);
void (*disconnect)(struct ksmbd_transport *t);
- int (*read)(struct ksmbd_transport *t,
- char *buf, unsigned int size);
- int (*writev)(struct ksmbd_transport *t,
- struct kvec *iovs, int niov, int size,
- bool need_invalidate_rkey, unsigned int remote_key);
- int (*rdma_read)(struct ksmbd_transport *t,
- void *buf, unsigned int len, u32 remote_key,
- u64 remote_offset, u32 remote_len);
- int (*rdma_write)(struct ksmbd_transport *t,
- void *buf, unsigned int len, u32 remote_key,
- u64 remote_offset, u32 remote_len);
+ int (*read)(struct ksmbd_transport *t, char *buf, unsigned int size);
+ int (*writev)(struct ksmbd_transport *t, struct kvec *iovs, int niov,
+ int size, bool need_invalidate_rkey,
+ unsigned int remote_key);
+ int (*rdma_read)(struct ksmbd_transport *t, void *buf, unsigned int len,
+ u32 remote_key, u64 remote_offset, u32 remote_len);
+ int (*rdma_write)(struct ksmbd_transport *t, void *buf,
+ unsigned int len, u32 remote_key, u64 remote_offset,
+ u32 remote_len);
};
struct ksmbd_transport {
@@ -146,14 +144,12 @@ struct ksmbd_conn *ksmbd_conn_alloc(void);
void ksmbd_conn_free(struct ksmbd_conn *conn);
bool ksmbd_conn_lookup_dialect(struct ksmbd_conn *c);
int ksmbd_conn_write(struct ksmbd_work *work);
-int ksmbd_conn_rdma_read(struct ksmbd_conn *conn,
- void *buf, unsigned int buflen,
- u32 remote_key, u64 remote_offset,
- u32 remote_len);
-int ksmbd_conn_rdma_write(struct ksmbd_conn *conn,
- void *buf, unsigned int buflen,
- u32 remote_key, u64 remote_offset,
- u32 remote_len);
+int ksmbd_conn_rdma_read(struct ksmbd_conn *conn, void *buf,
+ unsigned int buflen, u32 remote_key, u64 remote_offset,
+ u32 remote_len);
+int ksmbd_conn_rdma_write(struct ksmbd_conn *conn, void *buf,
+ unsigned int buflen, u32 remote_key, u64 remote_offset,
+ u32 remote_len);
void ksmbd_conn_enqueue_request(struct ksmbd_work *work);
int ksmbd_conn_try_dequeue_request(struct ksmbd_work *work);
diff --git a/fs/cifsd/glob.h b/fs/cifsd/glob.h
index 2dc3f603e837..27500afbeaf5 100644
--- a/fs/cifsd/glob.h
+++ b/fs/cifsd/glob.h
@@ -24,13 +24,13 @@ extern int ksmbd_caseless_search;
#define DATA_STREAM 1
#define DIR_STREAM 2
-#define KSMBD_DEBUG_SMB (1 << 0)
-#define KSMBD_DEBUG_AUTH (1 << 1)
-#define KSMBD_DEBUG_VFS (1 << 2)
-#define KSMBD_DEBUG_OPLOCK (1 << 3)
-#define KSMBD_DEBUG_IPC (1 << 4)
-#define KSMBD_DEBUG_CONN (1 << 5)
-#define KSMBD_DEBUG_RDMA (1 << 6)
+#define KSMBD_DEBUG_SMB BIT(0)
+#define KSMBD_DEBUG_AUTH BIT(1)
+#define KSMBD_DEBUG_VFS BIT(2)
+#define KSMBD_DEBUG_OPLOCK BIT(3)
+#define KSMBD_DEBUG_IPC BIT(4)
+#define KSMBD_DEBUG_CONN BIT(5)
+#define KSMBD_DEBUG_RDMA BIT(6)
#define KSMBD_DEBUG_ALL (KSMBD_DEBUG_SMB | KSMBD_DEBUG_AUTH | \
KSMBD_DEBUG_VFS | KSMBD_DEBUG_OPLOCK | \
KSMBD_DEBUG_IPC | KSMBD_DEBUG_CONN | \
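Review bot: Replacing `(1 << n)` with `BIT(n)` changes the type of every KSMBD_DEBUG_* constant from int to unsigned long, because BIT() expands to `(UL(1) << (nr))`. The values are the same, but KSMBD_DEBUG_ALL and each individual mask now promote any expression they appear in. Please check the variable that stores the debug mask and any format string that prints it, and mention the type change in the commit message, since it is not purely cosmetic.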
diff --git a/fs/cifsd/ksmbd_server.h b/fs/cifsd/ksmbd_server.h
index 01eaf9ec4fde..c5181a2702ff 100644
--- a/fs/cifsd/ksmbd_server.h
+++ b/fs/cifsd/ksmbd_server.h
@@ -29,11 +29,11 @@ struct ksmbd_heartbeat {
* Global config flags.
*/
#define KSMBD_GLOBAL_FLAG_INVALID (0)
-#define KSMBD_GLOBAL_FLAG_SMB2_LEASES (1 << 0)
-#define KSMBD_GLOBAL_FLAG_CACHE_TBUF (1 << 1)
-#define KSMBD_GLOBAL_FLAG_CACHE_RBUF (1 << 2)
-#define KSMBD_GLOBAL_FLAG_SMB2_ENCRYPTION (1 << 3)
-#define KSMBD_GLOBAL_FLAG_DURABLE_HANDLE (1 << 4)
+#define KSMBD_GLOBAL_FLAG_SMB2_LEASES BIT(0)
+#define KSMBD_GLOBAL_FLAG_CACHE_TBUF BIT(1)
+#define KSMBD_GLOBAL_FLAG_CACHE_RBUF BIT(2)
+#define KSMBD_GLOBAL_FLAG_SMB2_ENCRYPTION BIT(3)
+#define KSMBD_GLOBAL_FLAG_DURABLE_HANDLE BIT(4)
struct ksmbd_startup_request {
__u32 flags;
@@ -204,66 +204,66 @@ enum KSMBD_TREE_CONN_STATUS {
* User config flags.
*/
#define KSMBD_USER_FLAG_INVALID (0)
-#define KSMBD_USER_FLAG_OK (1 << 0)
-#define KSMBD_USER_FLAG_BAD_PASSWORD (1 << 1)
-#define KSMBD_USER_FLAG_BAD_UID (1 << 2)
-#define KSMBD_USER_FLAG_BAD_USER (1 << 3)
-#define KSMBD_USER_FLAG_GUEST_ACCOUNT (1 << 4)
+#define KSMBD_USER_FLAG_OK BIT(0)
+#define KSMBD_USER_FLAG_BAD_PASSWORD BIT(1)
+#define KSMBD_USER_FLAG_BAD_UID BIT(2)
+#define KSMBD_USER_FLAG_BAD_USER BIT(3)
+#define KSMBD_USER_FLAG_GUEST_ACCOUNT BIT(4)
/*
* Share config flags.
*/
#define KSMBD_SHARE_FLAG_INVALID (0)
-#define KSMBD_SHARE_FLAG_AVAILABLE (1 << 0)
-#define KSMBD_SHARE_FLAG_BROWSEABLE (1 << 1)
-#define KSMBD_SHARE_FLAG_WRITEABLE (1 << 2)
-#define KSMBD_SHARE_FLAG_READONLY (1 << 3)
-#define KSMBD_SHARE_FLAG_GUEST_OK (1 << 4)
-#define KSMBD_SHARE_FLAG_GUEST_ONLY (1 << 5)
-#define KSMBD_SHARE_FLAG_STORE_DOS_ATTRS (1 << 6)
-#define KSMBD_SHARE_FLAG_OPLOCKS (1 << 7)
-#define KSMBD_SHARE_FLAG_PIPE (1 << 8)
-#define KSMBD_SHARE_FLAG_HIDE_DOT_FILES (1 << 9)
-#define KSMBD_SHARE_FLAG_INHERIT_SMACK (1 << 10)
-#define KSMBD_SHARE_FLAG_INHERIT_OWNER (1 << 11)
-#define KSMBD_SHARE_FLAG_STREAMS (1 << 12)
-#define KSMBD_SHARE_FLAG_FOLLOW_SYMLINKS (1 << 13)
-#define KSMBD_SHARE_FLAG_ACL_XATTR (1 << 14)
+#define KSMBD_SHARE_FLAG_AVAILABLE BIT(0)
+#define KSMBD_SHARE_FLAG_BROWSEABLE BIT(1)
+#define KSMBD_SHARE_FLAG_WRITEABLE BIT(2)
+#define KSMBD_SHARE_FLAG_READONLY BIT(3)
+#define KSMBD_SHARE_FLAG_GUEST_OK BIT(4)
+#define KSMBD_SHARE_FLAG_GUEST_ONLY BIT(5)
+#define KSMBD_SHARE_FLAG_STORE_DOS_ATTRS BIT(6)
+#define KSMBD_SHARE_FLAG_OPLOCKS BIT(7)
+#define KSMBD_SHARE_FLAG_PIPE BIT(8)
+#define KSMBD_SHARE_FLAG_HIDE_DOT_FILES BIT(9)
+#define KSMBD_SHARE_FLAG_INHERIT_SMACK BIT(10)
+#define KSMBD_SHARE_FLAG_INHERIT_OWNER BIT(11)
+#define KSMBD_SHARE_FLAG_STREAMS BIT(12)
+#define KSMBD_SHARE_FLAG_FOLLOW_SYMLINKS BIT(13)
+#define KSMBD_SHARE_FLAG_ACL_XATTR BIT(14)
/*
* Tree connect request flags.
*/
#define KSMBD_TREE_CONN_FLAG_REQUEST_SMB1 (0)
-#define KSMBD_TREE_CONN_FLAG_REQUEST_IPV6 (1 << 0)
-#define KSMBD_TREE_CONN_FLAG_REQUEST_SMB2 (1 << 1)
+#define KSMBD_TREE_CONN_FLAG_REQUEST_IPV6 BIT(0)
+#define KSMBD_TREE_CONN_FLAG_REQUEST_SMB2 BIT(1)
/*
* Tree connect flags.
*/
-#define KSMBD_TREE_CONN_FLAG_GUEST_ACCOUNT (1 << 0)
-#define KSMBD_TREE_CONN_FLAG_READ_ONLY (1 << 1)
-#define KSMBD_TREE_CONN_FLAG_WRITABLE (1 << 2)
-#define KSMBD_TREE_CONN_FLAG_ADMIN_ACCOUNT (1 << 3)
+#define KSMBD_TREE_CONN_FLAG_GUEST_ACCOUNT BIT(0)
+#define KSMBD_TREE_CONN_FLAG_READ_ONLY BIT(1)
+#define KSMBD_TREE_CONN_FLAG_WRITABLE BIT(2)
+#define KSMBD_TREE_CONN_FLAG_ADMIN_ACCOUNT BIT(3)
/*
* RPC over IPC.
*/
-#define KSMBD_RPC_METHOD_RETURN (1 << 0)
-#define KSMBD_RPC_SRVSVC_METHOD_INVOKE (1 << 1)
-#define KSMBD_RPC_SRVSVC_METHOD_RETURN ((1 << 1) | KSMBD_RPC_METHOD_RETURN)
-#define KSMBD_RPC_WKSSVC_METHOD_INVOKE (1 << 2)
-#define KSMBD_RPC_WKSSVC_METHOD_RETURN ((1 << 2) | KSMBD_RPC_METHOD_RETURN)
-#define KSMBD_RPC_IOCTL_METHOD ((1 << 3) | KSMBD_RPC_METHOD_RETURN)
-#define KSMBD_RPC_OPEN_METHOD (1 << 4)
-#define KSMBD_RPC_WRITE_METHOD (1 << 5)
-#define KSMBD_RPC_READ_METHOD ((1 << 6) | KSMBD_RPC_METHOD_RETURN)
-#define KSMBD_RPC_CLOSE_METHOD (1 << 7)
-#define KSMBD_RPC_RAP_METHOD ((1 << 8) | KSMBD_RPC_METHOD_RETURN)
-#define KSMBD_RPC_RESTRICTED_CONTEXT (1 << 9)
-#define KSMBD_RPC_SAMR_METHOD_INVOKE (1 << 10)
-#define KSMBD_RPC_SAMR_METHOD_RETURN ((1 << 10) | KSMBD_RPC_METHOD_RETURN)
-#define KSMBD_RPC_LSARPC_METHOD_INVOKE (1 << 11)
-#define KSMBD_RPC_LSARPC_METHOD_RETURN ((1 << 11) | KSMBD_RPC_METHOD_RETURN)
+#define KSMBD_RPC_METHOD_RETURN BIT(0)
+#define KSMBD_RPC_SRVSVC_METHOD_INVOKE BIT(1)
+#define KSMBD_RPC_SRVSVC_METHOD_RETURN (KSMBD_RPC_SRVSVC_METHOD_INVOKE | KSMBD_RPC_METHOD_RETURN)
+#define KSMBD_RPC_WKSSVC_METHOD_INVOKE BIT(2)
+#define KSMBD_RPC_WKSSVC_METHOD_RETURN (KSMBD_RPC_WKSSVC_METHOD_INVOKE | KSMBD_RPC_METHOD_RETURN)
+#define KSMBD_RPC_IOCTL_METHOD (BIT(3) | KSMBD_RPC_METHOD_RETURN)
+#define KSMBD_RPC_OPEN_METHOD BIT(4)
+#define KSMBD_RPC_WRITE_METHOD BIT(5)
+#define KSMBD_RPC_READ_METHOD (BIT(6) | KSMBD_RPC_METHOD_RETURN)
+#define KSMBD_RPC_CLOSE_METHOD BIT(7)
+#define KSMBD_RPC_RAP_METHOD (BIT(8) | KSMBD_RPC_METHOD_RETURN)
+#define KSMBD_RPC_RESTRICTED_CONTEXT BIT(9)
+#define KSMBD_RPC_SAMR_METHOD_INVOKE BIT(10)
+#define KSMBD_RPC_SAMR_METHOD_RETURN (KSMBD_RPC_SAMR_METHOD_INVOKE | KSMBD_RPC_METHOD_RETURN)
+#define KSMBD_RPC_LSARPC_METHOD_INVOKE BIT(11)
+#define KSMBD_RPC_LSARPC_METHOD_RETURN (KSMBD_RPC_LSARPC_METHOD_INVOKE | KSMBD_RPC_METHOD_RETURN)
#define KSMBD_RPC_OK 0
#define KSMBD_RPC_EBAD_FUNC 0x00000001
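Review bot: The KSMBD_RPC_* block ends up with two different spellings for the same pattern: the SRVSVC, WKSSVC, SAMR and LSARPC `_RETURN` values are now built from their `_INVOKE` macro, while KSMBD_RPC_IOCTL_METHOD, KSMBD_RPC_READ_METHOD and KSMBD_RPC_RAP_METHOD keep a bare `BIT(n) | KSMBD_RPC_METHOD_RETURN`. The numeric values are unchanged, but a short comment saying that bits 3, 6 and 8 have no separate invoke flag would explain the difference. Separately, these flags are carried in `__u32` fields such as `flags` in struct ksmbd_startup_request, and BIT() yields unsigned long and is a kernel-internal macro, so if this header is mirrored in the userspace daemon's tree it will need its own definition of BIT().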
diff --git a/fs/cifsd/mgmt/user_session.h b/fs/cifsd/mgmt/user_session.h
index 0a6eb21647ab..68018f0f5c0b 100644
--- a/fs/cifsd/mgmt/user_session.h
+++ b/fs/cifsd/mgmt/user_session.h
@@ -26,12 +26,12 @@ struct channel {
struct preauth_session {
__u8 Preauth_HashValue[PREAUTH_HASHVALUE_SIZE];
- uint64_t sess_id;
+ u64 sess_id;
struct list_head list_entry;
};
struct ksmbd_session {
- uint64_t id;
+ u64 id;
struct ksmbd_user *user;
struct ksmbd_conn *conn;
diff --git a/fs/cifsd/misc.c b/fs/cifsd/misc.c
index 189b90414976..b6f3f0818217 100644
--- a/fs/cifsd/misc.c
+++ b/fs/cifsd/misc.c
@@ -78,9 +78,9 @@ static inline int is_char_allowed(char ch)
{
/* check for control chars, wildcards etc. */
if (!(ch & 0x80) &&
- (ch <= 0x1f ||
- ch == '?' || ch == '"' || ch == '<' ||
- ch == '>' || ch == '|' || ch == '*'))
+ (ch <= 0x1f ||
+ ch == '?' || ch == '"' || ch == '<' ||
+ ch == '>' || ch == '|' || ch == '*'))
return 0;
return 1;
@@ -268,8 +268,7 @@ char *convert_to_unix_name(struct ksmbd_share_config *share, char *name)
}
char *ksmbd_convert_dir_info_name(struct ksmbd_dir_info *d_info,
- const struct nls_table *local_nls,
- int *conv_len)
+ const struct nls_table *local_nls, int *conv_len)
{
char *conv;
int sz = min(4 * d_info->name_len, PATH_MAX);
diff --git a/fs/cifsd/ndr.c b/fs/cifsd/ndr.c
index aa0cb8fc555d..1838fc2b1d7c 100644
--- a/fs/cifsd/ndr.c
+++ b/fs/cifsd/ndr.c
@@ -159,8 +159,9 @@ int ndr_encode_dos_attr(struct ndr *n, struct xattr_dos_attrib *da)
ndr_write_int32(n, da->ea_size);
ndr_write_int64(n, da->size);
ndr_write_int64(n, da->alloc_size);
- } else
+ } else {
ndr_write_int64(n, da->itime);
+ }
ndr_write_int64(n, da->create_time);
if (da->version == 3)
ndr_write_int64(n, da->change_time);
@@ -248,15 +249,17 @@ int ndr_encode_posix_acl(struct ndr *n, struct inode *inode,
/* ACL ACCESS */
ndr_write_int32(n, ref_id);
ref_id += 4;
- } else
+ } else {
ndr_write_int32(n, 0);
+ }
if (def_acl) {
/* DEFAULT ACL ACCESS */
ndr_write_int32(n, ref_id);
ref_id += 4;
- } else
+ } else {
ndr_write_int32(n, 0);
+ }
ndr_write_int64(n, from_kuid(&init_user_ns, inode->i_uid));
ndr_write_int64(n, from_kgid(&init_user_ns, inode->i_gid));
diff --git a/fs/cifsd/netmisc.c b/fs/cifsd/netmisc.c
index 6f7dd78348a3..55393667abcc 100644
--- a/fs/cifsd/netmisc.c
+++ b/fs/cifsd/netmisc.c
@@ -1,7 +1,5 @@
// SPDX-License-Identifier: GPL-2.0-or-later
/*
- * fs/ksmbd/netmisc.c
- *
* Copyright (c) International Business Machines Corp., 2002,2008
* Author(s): Steve French (sfrench(a)us.ibm.com)
*
diff --git a/fs/cifsd/oplock.c b/fs/cifsd/oplock.c
index d76aa47e19e4..8e072c3e7b89 100644
--- a/fs/cifsd/oplock.c
+++ b/fs/cifsd/oplock.c
@@ -29,7 +29,7 @@ static DEFINE_RWLOCK(lease_list_lock);
* Return: allocated opinfo object on success, otherwise NULL
*/
static struct oplock_info *alloc_opinfo(struct ksmbd_work *work,
- uint64_t id, __u16 Tid)
+ u64 id, __u16 Tid)
{
struct ksmbd_session *sess = work->sess;
struct oplock_info *opinfo;
@@ -89,8 +89,7 @@ static void lb_add(struct lease_table *lb)
write_unlock(&lease_list_lock);
}
-static int alloc_lease(struct oplock_info *opinfo,
- struct lease_ctx_info *lctx)
+static int alloc_lease(struct oplock_info *opinfo, struct lease_ctx_info *lctx)
{
struct lease *lease;
@@ -227,8 +226,8 @@ int opinfo_write_to_read(struct oplock_info *opinfo)
{
struct lease *lease = opinfo->o_lease;
- if (!((opinfo->level == SMB2_OPLOCK_LEVEL_BATCH) ||
- (opinfo->level == SMB2_OPLOCK_LEVEL_EXCLUSIVE))) {
+ if (!(opinfo->level == SMB2_OPLOCK_LEVEL_BATCH ||
+ opinfo->level == SMB2_OPLOCK_LEVEL_EXCLUSIVE)) {
ksmbd_err("bad oplock(0x%x)\n", opinfo->level);
if (opinfo->is_lease)
ksmbd_err("lease state(0x%x)\n", lease->state);
@@ -266,8 +265,8 @@ int opinfo_write_to_none(struct oplock_info *opinfo)
{
struct lease *lease = opinfo->o_lease;
- if (!((opinfo->level == SMB2_OPLOCK_LEVEL_BATCH) ||
- (opinfo->level == SMB2_OPLOCK_LEVEL_EXCLUSIVE))) {
+ if (!(opinfo->level == SMB2_OPLOCK_LEVEL_BATCH ||
+ opinfo->level == SMB2_OPLOCK_LEVEL_EXCLUSIVE)) {
ksmbd_err("bad oplock(0x%x)\n", opinfo->level);
if (opinfo->is_lease)
ksmbd_err("lease state(0x%x)\n",
@@ -334,8 +333,7 @@ int lease_read_to_write(struct oplock_info *opinfo)
*
* Return: 0 on success, otherwise -EINVAL
*/
-static int lease_none_upgrade(struct oplock_info *opinfo,
- __le32 new_state)
+static int lease_none_upgrade(struct oplock_info *opinfo, __le32 new_state)
{
struct lease *lease = opinfo->o_lease;
@@ -401,7 +399,7 @@ void close_id_del_oplock(struct ksmbd_file *fp)
* Return: 0
*/
static void grant_write_oplock(struct oplock_info *opinfo_new, int req_oplock,
- struct lease_ctx_info *lctx)
+ struct lease_ctx_info *lctx)
{
struct lease *lease = opinfo_new->o_lease;
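Review bot: The kernel-doc line `* Return: 0` sits directly above `static void grant_write_oplock(...)`, so the comment documents a return value that the function does not have. As this hunk already edits the prototype, drop the Return line here; grant_read_oplock() and grant_none_oplock() in the next two hunks carry the same stale line.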
@@ -425,7 +423,7 @@ static void grant_write_oplock(struct oplock_info *opinfo_new, int req_oplock,
* Return: 0
*/
static void grant_read_oplock(struct oplock_info *opinfo_new,
- struct lease_ctx_info *lctx)
+ struct lease_ctx_info *lctx)
{
struct lease *lease = opinfo_new->o_lease;
@@ -448,7 +446,7 @@ static void grant_read_oplock(struct oplock_info *opinfo_new,
* Return: 0
*/
static void grant_none_oplock(struct oplock_info *opinfo_new,
- struct lease_ctx_info *lctx)
+ struct lease_ctx_info *lctx)
{
struct lease *lease = opinfo_new->o_lease;
@@ -469,7 +467,7 @@ static inline int compare_guid_key(struct oplock_info *opinfo,
guid2 = opinfo->conn->ClientGUID;
key2 = opinfo->o_lease->lease_key;
if (!memcmp(guid1, guid2, SMB2_CLIENT_GUID_SIZE) &&
- !memcmp(key1, key2, SMB2_LEASE_KEY_SIZE))
+ !memcmp(key1, key2, SMB2_LEASE_KEY_SIZE))
return 1;
return 0;
@@ -485,7 +483,7 @@ static inline int compare_guid_key(struct oplock_info *opinfo,
* Return: oplock(lease) object on success, otherwise NULL
*/
static struct oplock_info *same_client_has_lease(struct ksmbd_inode *ci,
- char *client_guid, struct lease_ctx_info *lctx)
+ char *client_guid, struct lease_ctx_info *lctx)
{
int ret;
struct lease *lease;
@@ -649,13 +647,12 @@ static void __smb2_oplock_break_noti(struct work_struct *wk)
rsp_hdr->SessionId = 0;
memset(rsp_hdr->Signature, 0, 16);
-
rsp = work->response_buf;
rsp->StructureSize = cpu_to_le16(24);
if (!br_info->open_trunc &&
- (br_info->level == SMB2_OPLOCK_LEVEL_BATCH ||
- br_info->level == SMB2_OPLOCK_LEVEL_EXCLUSIVE))
+ (br_info->level == SMB2_OPLOCK_LEVEL_BATCH ||
+ br_info->level == SMB2_OPLOCK_LEVEL_EXCLUSIVE))
rsp->OplockLevel = SMB2_OPLOCK_LEVEL_II;
else
rsp->OplockLevel = SMB2_OPLOCK_LEVEL_NONE;
@@ -845,10 +842,8 @@ static void wait_lease_breaking(struct oplock_info *opinfo)
if (atomic_read(&opinfo->breaking_cnt)) {
int ret = 0;
- ret = wait_event_interruptible_timeout(
- opinfo->oplock_brk,
- atomic_read(&opinfo->breaking_cnt) == 0,
- HZ);
+ ret = wait_event_interruptible_timeout(opinfo->oplock_brk,
+ atomic_read(&opinfo->breaking_cnt) == 0, HZ);
if (!ret)
atomic_set(&opinfo->breaking_cnt, 0);
}
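Review bot: After the reflowed wait_event_interruptible_timeout() call, only the timeout case is handled by `if (!ret)`. The macro returns a negative value when the wait is interrupted by a signal, and in that case breaking_cnt is left non-zero and the caller continues as if the break had completed. Either reset the counter for `ret <= 0` or add a comment explaining why the interrupted case is safe to ignore. The `int ret = 0;` initialiser is also redundant, and the macro's result type is long.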
@@ -907,7 +902,7 @@ static int oplock_break(struct oplock_info *brk_opinfo, int req_op_level)
return err < 0 ? err : 0;
if (brk_opinfo->level == SMB2_OPLOCK_LEVEL_BATCH ||
- brk_opinfo->level == SMB2_OPLOCK_LEVEL_EXCLUSIVE)
+ brk_opinfo->level == SMB2_OPLOCK_LEVEL_EXCLUSIVE)
brk_opinfo->op_state = OPLOCK_ACK_WAIT;
}
@@ -939,7 +934,7 @@ void destroy_lease_table(struct ksmbd_conn *conn)
list_for_each_entry_safe(lb, lbtmp, &lease_table_list, l_entry) {
if (conn && memcmp(lb->client_guid, conn->ClientGUID,
- SMB2_CLIENT_GUID_SIZE))
+ SMB2_CLIENT_GUID_SIZE))
continue;
again:
rcu_read_lock();
@@ -974,7 +969,7 @@ int find_same_lease_key(struct ksmbd_session *sess, struct ksmbd_inode *ci,
list_for_each_entry(lb, &lease_table_list, l_entry) {
if (!memcmp(lb->client_guid, sess->conn->ClientGUID,
- SMB2_CLIENT_GUID_SIZE))
+ SMB2_CLIENT_GUID_SIZE))
goto found;
}
read_unlock(&lease_list_lock);
@@ -1031,7 +1026,7 @@ static int add_lease_global_list(struct oplock_info *opinfo)
read_lock(&lease_list_lock);
list_for_each_entry(lb, &lease_table_list, l_entry) {
if (!memcmp(lb->client_guid, opinfo->conn->ClientGUID,
- SMB2_CLIENT_GUID_SIZE)) {
+ SMB2_CLIENT_GUID_SIZE)) {
opinfo->o_lease->l_lb = lb;
lease_add_list(opinfo);
read_unlock(&lease_list_lock);
@@ -1055,13 +1050,12 @@ static int add_lease_global_list(struct oplock_info *opinfo)
}
static void set_oplock_level(struct oplock_info *opinfo, int level,
- struct lease_ctx_info *lctx)
+ struct lease_ctx_info *lctx)
{
switch (level) {
case SMB2_OPLOCK_LEVEL_BATCH:
case SMB2_OPLOCK_LEVEL_EXCLUSIVE:
- grant_write_oplock(opinfo,
- level, lctx);
+ grant_write_oplock(opinfo, level, lctx);
break;
case SMB2_OPLOCK_LEVEL_II:
grant_read_oplock(opinfo, lctx);
@@ -1084,13 +1078,9 @@ static void set_oplock_level(struct oplock_info *opinfo, int level,
*
* Return: 0 on success, otherwise error
*/
-int smb_grant_oplock(struct ksmbd_work *work,
- int req_op_level,
- uint64_t pid,
- struct ksmbd_file *fp,
- __u16 tid,
- struct lease_ctx_info *lctx,
- int share_ret)
+int smb_grant_oplock(struct ksmbd_work *work, int req_op_level, u64 pid,
+ struct ksmbd_file *fp, __u16 tid, struct lease_ctx_info *lctx,
+ int share_ret)
{
struct ksmbd_session *sess = work->sess;
int err = 0;
@@ -1150,14 +1140,14 @@ int smb_grant_oplock(struct ksmbd_work *work,
prev_op_state = prev_opinfo->o_lease->state;
if (share_ret < 0 &&
- (prev_opinfo->level == SMB2_OPLOCK_LEVEL_EXCLUSIVE)) {
+ prev_opinfo->level == SMB2_OPLOCK_LEVEL_EXCLUSIVE) {
err = share_ret;
opinfo_put(prev_opinfo);
goto err_out;
}
- if ((prev_opinfo->level != SMB2_OPLOCK_LEVEL_BATCH) &&
- (prev_opinfo->level != SMB2_OPLOCK_LEVEL_EXCLUSIVE)) {
+ if (prev_opinfo->level != SMB2_OPLOCK_LEVEL_BATCH &&
+ prev_opinfo->level != SMB2_OPLOCK_LEVEL_EXCLUSIVE) {
opinfo_put(prev_opinfo);
goto op_break_not_needed;
}
@@ -1218,7 +1208,7 @@ int smb_grant_oplock(struct ksmbd_work *work,
* @is_trunc: truncate on open
*/
static void smb_break_all_write_oplock(struct ksmbd_work *work,
- struct ksmbd_file *fp, int is_trunc)
+ struct ksmbd_file *fp, int is_trunc)
{
struct oplock_info *brk_opinfo;
@@ -1226,7 +1216,7 @@ static void smb_break_all_write_oplock(struct ksmbd_work *work,
if (!brk_opinfo)
return;
if (brk_opinfo->level != SMB2_OPLOCK_LEVEL_BATCH &&
- brk_opinfo->level != SMB2_OPLOCK_LEVEL_EXCLUSIVE) {
+ brk_opinfo->level != SMB2_OPLOCK_LEVEL_EXCLUSIVE) {
opinfo_put(brk_opinfo);
return;
}
@@ -1244,17 +1234,16 @@ static void smb_break_all_write_oplock(struct ksmbd_work *work,
* @fp: ksmbd file pointer
* @is_trunc: truncate on open
*/
-void smb_break_all_levII_oplock(struct ksmbd_work *work,
- struct ksmbd_file *fp, int is_trunc)
+void smb_break_all_levII_oplock(struct ksmbd_work *work, struct ksmbd_file *fp,
+ int is_trunc)
{
struct oplock_info *op, *brk_op;
struct ksmbd_inode *ci;
struct ksmbd_conn *conn = work->sess->conn;
if (!test_share_config_flag(work->tcon->share_conf,
- KSMBD_SHARE_FLAG_OPLOCKS)) {
+ KSMBD_SHARE_FLAG_OPLOCKS))
return;
- }
ci = fp->f_ci;
op = opinfo_get(fp);
@@ -1283,13 +1272,11 @@ void smb_break_all_levII_oplock(struct ksmbd_work *work,
atomic_read(&brk_op->breaking_cnt))
goto next;
- if (op && op->is_lease &&
- brk_op->is_lease &&
- !memcmp(conn->ClientGUID, brk_op->conn->ClientGUID,
- SMB2_CLIENT_GUID_SIZE) &&
- !memcmp(op->o_lease->lease_key,
- brk_op->o_lease->lease_key,
- SMB2_LEASE_KEY_SIZE))
+ if (op && op->is_lease && brk_op->is_lease &&
+ !memcmp(conn->ClientGUID, brk_op->conn->ClientGUID,
+ SMB2_CLIENT_GUID_SIZE) &&
+ !memcmp(op->o_lease->lease_key, brk_op->o_lease->lease_key,
+ SMB2_LEASE_KEY_SIZE))
goto next;
brk_op->open_trunc = is_trunc;
oplock_break(brk_op, SMB2_OPLOCK_LEVEL_NONE);
@@ -1311,7 +1298,7 @@ void smb_break_all_levII_oplock(struct ksmbd_work *work,
void smb_break_all_oplock(struct ksmbd_work *work, struct ksmbd_file *fp)
{
if (!test_share_config_flag(work->tcon->share_conf,
- KSMBD_SHARE_FLAG_OPLOCKS))
+ KSMBD_SHARE_FLAG_OPLOCKS))
return;
smb_break_all_write_oplock(work, fp, 1);
@@ -1327,14 +1314,16 @@ void smb_break_all_oplock(struct ksmbd_work *work, struct ksmbd_file *fp)
__u8 smb2_map_lease_to_oplock(__le32 lease_state)
{
if (lease_state == (SMB2_LEASE_HANDLE_CACHING_LE |
- SMB2_LEASE_READ_CACHING_LE | SMB2_LEASE_WRITE_CACHING_LE))
+ SMB2_LEASE_READ_CACHING_LE |
+ SMB2_LEASE_WRITE_CACHING_LE)) {
return SMB2_OPLOCK_LEVEL_BATCH;
- else if (lease_state != SMB2_LEASE_WRITE_CACHING_LE &&
- lease_state & SMB2_LEASE_WRITE_CACHING_LE) {
+ } else if (lease_state != SMB2_LEASE_WRITE_CACHING_LE &&
+ lease_state & SMB2_LEASE_WRITE_CACHING_LE) {
if (!(lease_state & SMB2_LEASE_HANDLE_CACHING_LE))
return SMB2_OPLOCK_LEVEL_EXCLUSIVE;
- } else if (lease_state & SMB2_LEASE_READ_CACHING_LE)
+ } else if (lease_state & SMB2_LEASE_READ_CACHING_LE) {
return SMB2_OPLOCK_LEVEL_II;
+ }
return 0;
}
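Review bot: in smb2_map_lease_to_oplock(), the middle condition still mixes && with an unparenthesised bit test (lease_state != SMB2_LEASE_WRITE_CACHING_LE && lease_state & SMB2_LEASE_WRITE_CACHING_LE), and when that arm is taken with SMB2_LEASE_HANDLE_CACHING_LE set it silently drops out of the braces to the final return 0. Now that every arm is braced, parenthesise the & test, make the fall-through explicit, and, if 0 is meant as SMB2_OPLOCK_LEVEL_NONE, return the named constant so the mapping for write-only and write+handle lease states is documented.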
@@ -1390,7 +1379,7 @@ struct lease_ctx_info *parse_lease_state(void *open_req)
cc = (struct create_context *)((char *)cc + next);
name = le16_to_cpu(cc->NameOffset) + (char *)cc;
if (le16_to_cpu(cc->NameLength) != 4 ||
- strncmp(name, SMB2_CREATE_REQUEST_LEASE, 4)) {
+ strncmp(name, SMB2_CREATE_REQUEST_LEASE, 4)) {
next = le32_to_cpu(cc->Next);
continue;
}
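Review bot: the context lines of this hunk advance cc by next, compute name as le16_to_cpu(cc->NameOffset) + (char *)cc, and then let strncmp() read 4 bytes from it, with no check in the lines shown that next or NameOffset stays inside the create request. Both values come from the client, so unless parse_lease_state() validates them earlier, a bounds test belongs in front of the strncmp(); please point to that check or add it, since the realignment alone leaves the parsing unchanged.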
@@ -1603,7 +1592,7 @@ void create_posix_rsp_buf(char *cc, struct ksmbd_file *fp)
* Return: opinfo if found matching opinfo, otherwise NULL
*/
struct oplock_info *lookup_lease_in_table(struct ksmbd_conn *conn,
- char *lease_key)
+ char *lease_key)
{
struct oplock_info *opinfo = NULL, *ret_op = NULL;
struct lease_table *lt;
@@ -1612,7 +1601,7 @@ struct oplock_info *lookup_lease_in_table(struct ksmbd_conn *conn,
read_lock(&lease_list_lock);
list_for_each_entry(lt, &lease_table_list, l_entry) {
if (!memcmp(lt->client_guid, conn->ClientGUID,
- SMB2_CLIENT_GUID_SIZE))
+ SMB2_CLIENT_GUID_SIZE))
goto found;
}
@@ -1625,12 +1614,11 @@ struct oplock_info *lookup_lease_in_table(struct ksmbd_conn *conn,
if (!atomic_inc_not_zero(&opinfo->refcount))
continue;
rcu_read_unlock();
- if (!opinfo->op_state ||
- opinfo->op_state == OPLOCK_CLOSING)
+ if (!opinfo->op_state || opinfo->op_state == OPLOCK_CLOSING)
goto op_next;
if (!(opinfo->o_lease->state &
- (SMB2_LEASE_HANDLE_CACHING_LE |
- SMB2_LEASE_WRITE_CACHING_LE)))
+ (SMB2_LEASE_HANDLE_CACHING_LE |
+ SMB2_LEASE_WRITE_CACHING_LE)))
goto op_next;
ret = compare_guid_key(opinfo, conn->ClientGUID,
lease_key);
@@ -1651,7 +1639,7 @@ struct oplock_info *lookup_lease_in_table(struct ksmbd_conn *conn,
}
int smb2_check_durable_oplock(struct ksmbd_file *fp,
- struct lease_ctx_info *lctx, char *name)
+ struct lease_ctx_info *lctx, char *name)
{
struct oplock_info *opinfo = opinfo_get(fp);
int ret = 0;
@@ -1663,7 +1651,7 @@ int smb2_check_durable_oplock(struct ksmbd_file *fp,
goto out;
}
if (memcmp(opinfo->o_lease->lease_key, lctx->lease_key,
- SMB2_LEASE_KEY_SIZE)) {
+ SMB2_LEASE_KEY_SIZE)) {
ksmbd_err("invalid lease key\n");
ret = -EBADF;
goto out;
diff --git a/fs/cifsd/oplock.h b/fs/cifsd/oplock.h
index b0e2e795f29a..5b6615f99c76 100644
--- a/fs/cifsd/oplock.h
+++ b/fs/cifsd/oplock.h
@@ -9,7 +9,7 @@
#include "smb_common.h"
-#define OPLOCK_WAIT_TIME (35*HZ)
+#define OPLOCK_WAIT_TIME (35 * HZ)
/* SMB Oplock levels */
#define OPLOCK_NONE 0
@@ -68,7 +68,7 @@ struct oplock_info {
int level;
int op_state;
unsigned long pending_break;
- uint64_t fid;
+ u64 fid;
atomic_t breaking_cnt;
atomic_t refcount;
__u16 Tid;
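Review bot: fid in struct oplock_info becomes u64 here, but the next hunk's context still shows int fid in struct oplock_break_info, and ksmbd_durable_verify_and_del_oplock() further down keeps an int fid parameter. If these carry the same identifier, the narrower copies truncate it; either unify the type as part of this conversion or add a comment saying why they differ. The struct also keeps __u16 Tid next to the new u64, so the declaration still mixes two integer-type spellings.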
@@ -95,11 +95,11 @@ struct oplock_break_info {
int fid;
};
-extern int smb_grant_oplock(struct ksmbd_work *work, int req_op_level,
- uint64_t pid, struct ksmbd_file *fp, __u16 tid,
+int smb_grant_oplock(struct ksmbd_work *work, int req_op_level,
+ u64 pid, struct ksmbd_file *fp, __u16 tid,
struct lease_ctx_info *lctx, int share_ret);
-extern void smb_break_all_levII_oplock(struct ksmbd_work *work,
- struct ksmbd_file *fp, int is_trunc);
+void smb_break_all_levII_oplock(struct ksmbd_work *work,
+ struct ksmbd_file *fp, int is_trunc);
int opinfo_write_to_read(struct oplock_info *opinfo);
int opinfo_read_handle_to_read(struct oplock_info *opinfo);
@@ -124,15 +124,13 @@ void create_disk_id_rsp_buf(char *cc, __u64 file_id, __u64 vol_id);
void create_posix_rsp_buf(char *cc, struct ksmbd_file *fp);
struct create_context *smb2_find_context_vals(void *open_req, const char *str);
int ksmbd_durable_verify_and_del_oplock(struct ksmbd_session *curr_sess,
- struct ksmbd_session *prev_sess,
- int fid, struct file **filp,
- uint64_t sess_id);
+ struct ksmbd_session *prev_sess, int fid, struct file **filp,
+ u64 sess_id);
struct oplock_info *lookup_lease_in_table(struct ksmbd_conn *conn,
- char *lease_key);
+ char *lease_key);
int find_same_lease_key(struct ksmbd_session *sess, struct ksmbd_inode *ci,
- struct lease_ctx_info *lctx);
+ struct lease_ctx_info *lctx);
void destroy_lease_table(struct ksmbd_conn *conn);
int smb2_check_durable_oplock(struct ksmbd_file *fp,
- struct lease_ctx_info *lctx, char *name);
-
+ struct lease_ctx_info *lctx, char *name);
#endif /* __KSMBD_OPLOCK_H */
diff --git a/fs/cifsd/server.c b/fs/cifsd/server.c
index 80f5229da3ac..04f959a88a1a 100644
--- a/fs/cifsd/server.c
+++ b/fs/cifsd/server.c
@@ -105,9 +105,8 @@ static inline int check_conn_state(struct ksmbd_work *work)
#define TCP_HANDLER_CONTINUE 0
#define TCP_HANDLER_ABORT 1
-static int __process_request(struct ksmbd_work *work,
- struct ksmbd_conn *conn,
- uint16_t *cmd)
+static int __process_request(struct ksmbd_work *work, struct ksmbd_conn *conn,
+ uint16_t *cmd)
{
struct smb_version_cmds *cmds;
uint16_t command;
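Review bot: __process_request() keeps uint16_t *cmd in the reflowed prototype and uint16_t command in its body, while the next hunk converts the variable in __handle_ksmbd_work() to u16 command. Convert these two as well so the file does not use both spellings for the same command value.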
@@ -160,16 +159,16 @@ static int __process_request(struct ksmbd_work *work,
}
static void __handle_ksmbd_work(struct ksmbd_work *work,
- struct ksmbd_conn *conn)
+ struct ksmbd_conn *conn)
{
- uint16_t command = 0;
+ u16 command = 0;
int rc;
if (conn->ops->allocate_rsp_buf(work))
return;
if (conn->ops->is_transform_hdr &&
- conn->ops->is_transform_hdr(work->request_buf)) {
+ conn->ops->is_transform_hdr(work->request_buf)) {
rc = conn->ops->decrypt_req(work);
if (rc < 0) {
conn->ops->set_rsp_status(work, STATUS_DATA_ERROR);
@@ -224,7 +223,7 @@ static void __handle_ksmbd_work(struct ksmbd_work *work,
}
if (work->sess && (work->sess->sign ||
- smb3_11_final_sess_setup_resp(work) ||
+ smb3_11_final_sess_setup_resp(work) ||
conn->ops->is_sign_req(work, command)))
conn->ops->set_sign_rsp(work);
} while (is_chained_smb2_message(work));
@@ -235,7 +234,7 @@ static void __handle_ksmbd_work(struct ksmbd_work *work,
send:
smb3_preauth_hash_rsp(work);
if (work->sess && work->sess->enc && work->encrypted &&
- conn->ops->encrypt_resp) {
+ conn->ops->encrypt_resp) {
rc = conn->ops->encrypt_resp(work);
if (rc < 0) {
conn->ops->set_rsp_status(work, STATUS_DATA_ERROR);
@@ -416,9 +415,8 @@ int server_queue_ctrl_reset_work(void)
return __queue_ctrl_work(SERVER_CTRL_TYPE_RESET);
}
-static ssize_t stats_show(struct class *class,
- struct class_attribute *attr,
- char *buf)
+static ssize_t stats_show(struct class *class, struct class_attribute *attr,
+ char *buf)
{
/*
* Inc this each time you change stats output format,
@@ -443,9 +441,8 @@ static ssize_t stats_show(struct class *class,
}
static ssize_t kill_server_store(struct class *class,
- struct class_attribute *attr,
- const char *buf,
- size_t len)
+ struct class_attribute *attr, const char *buf,
+ size_t len)
{
if (!sysfs_streq(buf, "hard"))
return len;
@@ -464,8 +461,7 @@ static const char * const debug_type_strings[] = {"smb", "auth", "vfs",
"oplock", "ipc", "conn",
"rdma"};
-static ssize_t debug_show(struct class *class,
- struct class_attribute *attr,
+static ssize_t debug_show(struct class *class, struct class_attribute *attr,
char *buf)
{
ssize_t sz = 0;
@@ -484,16 +480,13 @@ static ssize_t debug_show(struct class *class,
debug_type_strings[i]);
}
sz += pos;
-
}
sz += scnprintf(buf + sz, PAGE_SIZE - sz, "\n");
return sz;
}
-static ssize_t debug_store(struct class *class,
- struct class_attribute *attr,
- const char *buf,
- size_t len)
+static ssize_t debug_store(struct class *class, struct class_attribute *attr,
+ const char *buf, size_t len)
{
int i;
diff --git a/fs/cifsd/smb2misc.c b/fs/cifsd/smb2misc.c
index e6b87d9d33ed..5a50c4ec43f2 100644
--- a/fs/cifsd/smb2misc.c
+++ b/fs/cifsd/smb2misc.c
@@ -90,8 +90,7 @@ static char *smb2_get_data_area_len(int *off, int *len, struct smb2_hdr *hdr)
/* error reqeusts do not have data area */
if (hdr->Status && hdr->Status != STATUS_MORE_PROCESSING_REQUIRED &&
- (((struct smb2_err_rsp *)hdr)->StructureSize) ==
- SMB2_ERROR_STRUCTURE_SIZE2_LE)
+ (((struct smb2_err_rsp *)hdr)->StructureSize) == SMB2_ERROR_STRUCTURE_SIZE2_LE)
return NULL;
/*
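Review bot: the comment above the rewritten condition still reads "error reqeusts"; fix the spelling while touching this block. The joined line also keeps the redundant outer parentheses around ((struct smb2_err_rsp *)hdr)->StructureSize, which the rest of this patch removes in similar conditions, and a typed local for the smb2_err_rsp pointer would let the comparison fit on one line without the cast.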
@@ -101,16 +100,12 @@ static char *smb2_get_data_area_len(int *off, int *len, struct smb2_hdr *hdr)
*/
switch (hdr->Command) {
case SMB2_SESSION_SETUP:
- *off = le16_to_cpu(
- ((struct smb2_sess_setup_req *)hdr)->SecurityBufferOffset);
- *len = le16_to_cpu(
- ((struct smb2_sess_setup_req *)hdr)->SecurityBufferLength);
+ *off = le16_to_cpu(((struct smb2_sess_setup_req *)hdr)->SecurityBufferOffset);
+ *len = le16_to_cpu(((struct smb2_sess_setup_req *)hdr)->SecurityBufferLength);
break;
case SMB2_TREE_CONNECT:
- *off = le16_to_cpu(
- ((struct smb2_tree_connect_req *)hdr)->PathOffset);
- *len = le16_to_cpu(
- ((struct smb2_tree_connect_req *)hdr)->PathLength);
+ *off = le16_to_cpu(((struct smb2_tree_connect_req *)hdr)->PathOffset);
+ *len = le16_to_cpu(((struct smb2_tree_connect_req *)hdr)->PathLength);
break;
case SMB2_CREATE:
{
@@ -122,49 +117,35 @@ static char *smb2_get_data_area_len(int *off, int *len, struct smb2_hdr *hdr)
break;
}
- *off = le16_to_cpu(
- ((struct smb2_create_req *)hdr)->NameOffset);
- *len = le16_to_cpu(
- ((struct smb2_create_req *)hdr)->NameLength);
+ *off = le16_to_cpu(((struct smb2_create_req *)hdr)->NameOffset);
+ *len = le16_to_cpu(((struct smb2_create_req *)hdr)->NameLength);
break;
}
case SMB2_QUERY_INFO:
- *off = le16_to_cpu(
- ((struct smb2_query_info_req *)hdr)->InputBufferOffset);
- *len = le32_to_cpu(
- ((struct smb2_query_info_req *)hdr)->InputBufferLength);
+ *off = le16_to_cpu(((struct smb2_query_info_req *)hdr)->InputBufferOffset);
+ *len = le32_to_cpu(((struct smb2_query_info_req *)hdr)->InputBufferLength);
break;
case SMB2_SET_INFO:
- *off = le16_to_cpu(
- ((struct smb2_set_info_req *)hdr)->BufferOffset);
- *len = le32_to_cpu(
- ((struct smb2_set_info_req *)hdr)->BufferLength);
+ *off = le16_to_cpu(((struct smb2_set_info_req *)hdr)->BufferOffset);
+ *len = le32_to_cpu(((struct smb2_set_info_req *)hdr)->BufferLength);
break;
case SMB2_READ:
- *off = le16_to_cpu(
- ((struct smb2_read_req *)hdr)->ReadChannelInfoOffset);
- *len = le16_to_cpu(
- ((struct smb2_read_req *)hdr)->ReadChannelInfoLength);
+ *off = le16_to_cpu(((struct smb2_read_req *)hdr)->ReadChannelInfoOffset);
+ *len = le16_to_cpu(((struct smb2_read_req *)hdr)->ReadChannelInfoLength);
break;
case SMB2_WRITE:
if (((struct smb2_write_req *)hdr)->DataOffset) {
- *off = le16_to_cpu(
- ((struct smb2_write_req *)hdr)->DataOffset);
- *len = le32_to_cpu(
- ((struct smb2_write_req *)hdr)->Length);
+ *off = le16_to_cpu(((struct smb2_write_req *)hdr)->DataOffset);
+ *len = le32_to_cpu(((struct smb2_write_req *)hdr)->Length);
break;
}
- *off = le16_to_cpu(
- ((struct smb2_write_req *)hdr)->WriteChannelInfoOffset);
- *len = le16_to_cpu(
- ((struct smb2_write_req *)hdr)->WriteChannelInfoLength);
+ *off = le16_to_cpu(((struct smb2_write_req *)hdr)->WriteChannelInfoOffset);
+ *len = le16_to_cpu(((struct smb2_write_req *)hdr)->WriteChannelInfoLength);
break;
case SMB2_QUERY_DIRECTORY:
- *off = le16_to_cpu(
- ((struct smb2_query_directory_req *)hdr)->FileNameOffset);
- *len = le16_to_cpu(
- ((struct smb2_query_directory_req *)hdr)->FileNameLength);
+ *off = le16_to_cpu(((struct smb2_query_directory_req *)hdr)->FileNameOffset);
+ *len = le16_to_cpu(((struct smb2_query_directory_req *)hdr)->FileNameLength);
break;
case SMB2_LOCK:
{
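Review bot: off and len are int pointers (see the prototype in the hunk header), yet the SMB2_QUERY_INFO, SMB2_SET_INFO and SMB2_WRITE cases store le32_to_cpu() of a client-supplied 32-bit length into *len. A value with the top bit set becomes negative, and an upper-bound comparison on a signed length would not catch it. Joining the lines does not change that, so consider unsigned outputs or rejecting lengths above INT_MAX in this function. A typed local per case (for example a struct smb2_write_req pointer) would also remove the repeated casts that made these lines long in the first place.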
@@ -174,8 +155,7 @@ static char *smb2_get_data_area_len(int *off, int *len, struct smb2_hdr *hdr)
* smb2_lock request size is 48 included single
* smb2_lock_element structure size.
*/
- lock_count = le16_to_cpu(
- ((struct smb2_lock_req *)hdr)->LockCount) - 1;
+ lock_count = le16_to_cpu(((struct smb2_lock_req *)hdr)->LockCount) - 1;
if (lock_count > 0) {
*off = __SMB2_HEADER_STRUCTURE_SIZE + 48;
*len = sizeof(struct smb2_lock_element) * lock_count;
@@ -183,8 +163,7 @@ static char *smb2_get_data_area_len(int *off, int *len, struct smb2_hdr *hdr)
break;
}
case SMB2_IOCTL:
- *off = le32_to_cpu(
- ((struct smb2_ioctl_req *)hdr)->InputOffset);
+ *off = le32_to_cpu(((struct smb2_ioctl_req *)hdr)->InputOffset);
*len = le32_to_cpu(((struct smb2_ioctl_req *)hdr)->InputCount);
break;
@@ -366,9 +345,9 @@ int ksmbd_smb2_check_message(struct ksmbd_work *work)
hdr = &pdu->hdr;
}
- if (le32_to_cpu(hdr->NextCommand) > 0)
+ if (le32_to_cpu(hdr->NextCommand) > 0) {
len = le32_to_cpu(hdr->NextCommand);
- else if (work->next_smb2_rcv_hdr_off) {
+ } else if (work->next_smb2_rcv_hdr_off) {
len -= work->next_smb2_rcv_hdr_off;
len = round_up(len, 8);
}
@@ -389,19 +368,17 @@ int ksmbd_smb2_check_message(struct ksmbd_work *work)
}
if (smb2_req_struct_sizes[command] != pdu->StructureSize2) {
- if (command != SMB2_OPLOCK_BREAK_HE && (hdr->Status == 0 ||
- pdu->StructureSize2 != SMB2_ERROR_STRUCTURE_SIZE2_LE)) {
+ if (command != SMB2_OPLOCK_BREAK_HE &&
+ (hdr->Status == 0 || pdu->StructureSize2 != SMB2_ERROR_STRUCTURE_SIZE2_LE)) {
/* error packets have 9 byte structure size */
ksmbd_debug(SMB,
"Illegal request size %u for command %d\n",
le16_to_cpu(pdu->StructureSize2), command);
return 1;
- } else if (command == SMB2_OPLOCK_BREAK_HE
- && (hdr->Status == 0)
- && (le16_to_cpu(pdu->StructureSize2) !=
- OP_BREAK_STRUCT_SIZE_20)
- && (le16_to_cpu(pdu->StructureSize2) !=
- OP_BREAK_STRUCT_SIZE_21)) {
+ } else if (command == SMB2_OPLOCK_BREAK_HE &&
+ hdr->Status == 0 &&
+ le16_to_cpu(pdu->StructureSize2) != OP_BREAK_STRUCT_SIZE_20 &&
+ le16_to_cpu(pdu->StructureSize2) != OP_BREAK_STRUCT_SIZE_21) {
/* special case for SMB2.1 lease break message */
ksmbd_debug(SMB,
"Illegal request size %d for oplock break\n",
diff --git a/fs/cifsd/smb2ops.c b/fs/cifsd/smb2ops.c
index a47219ea3b80..945bc6a78d3c 100644
--- a/fs/cifsd/smb2ops.c
+++ b/fs/cifsd/smb2ops.c
@@ -248,7 +248,7 @@ void init_smb3_02_server(struct ksmbd_conn *conn)
conn->vals->capabilities |= SMB2_GLOBAL_CAP_LEASING;
if (server_conf.flags & KSMBD_GLOBAL_FLAG_SMB2_ENCRYPTION &&
- conn->cli_cap & SMB2_GLOBAL_CAP_ENCRYPTION)
+ conn->cli_cap & SMB2_GLOBAL_CAP_ENCRYPTION)
conn->vals->capabilities |= SMB2_GLOBAL_CAP_ENCRYPTION;
}
diff --git a/fs/cifsd/smb2pdu.c b/fs/cifsd/smb2pdu.c
index a1aa42b52597..3e8f1a3800dd 100644
--- a/fs/cifsd/smb2pdu.c
+++ b/fs/cifsd/smb2pdu.c
@@ -58,7 +58,7 @@ static void __wbuf(struct ksmbd_work *work, void **req, void **rsp)
*
* Return: 1 if valid session id, otherwise 0
*/
-static inline int check_session_id(struct ksmbd_conn *conn, uint64_t id)
+static inline int check_session_id(struct ksmbd_conn *conn, u64 id)
{
struct ksmbd_session *sess;
@@ -98,9 +98,9 @@ int smb2_get_ksmbd_tcon(struct ksmbd_work *work)
int tree_id;
work->tcon = NULL;
- if ((work->conn->ops->get_cmd_val(work) == SMB2_TREE_CONNECT_HE) ||
- (work->conn->ops->get_cmd_val(work) == SMB2_CANCEL_HE) ||
- (work->conn->ops->get_cmd_val(work) == SMB2_LOGOFF_HE)) {
+ if (work->conn->ops->get_cmd_val(work) == SMB2_TREE_CONNECT_HE ||
+ work->conn->ops->get_cmd_val(work) == SMB2_CANCEL_HE ||
+ work->conn->ops->get_cmd_val(work) == SMB2_LOGOFF_HE) {
ksmbd_debug(SMB, "skip to check tree connect request\n");
return 0;
}
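Review bot: the rewritten condition in smb2_get_ksmbd_tcon() still makes the indirect call work->conn->ops->get_cmd_val(work) three times to compare one value. Read it once into a local and compare that against SMB2_TREE_CONNECT_HE, SMB2_CANCEL_HE and SMB2_LOGOFF_HE; the condition then fits on two short lines and the three comparisons are guaranteed to see the same command.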
@@ -238,7 +238,7 @@ int init_smb2_neg_rsp(struct ksmbd_work *work)
if (conn->need_neg == false)
return -EINVAL;
if (!(conn->dialect >= SMB20_PROT_ID &&
- conn->dialect <= SMB311_PROT_ID))
+ conn->dialect <= SMB311_PROT_ID))
return -EINVAL;
rsp_hdr = work->response_buf;
@@ -549,8 +549,8 @@ int smb2_allocate_rsp_buf(struct ksmbd_work *work)
req = work->request_buf;
if (req->InfoType == SMB2_O_INFO_FILE &&
- (req->FileInfoClass == FILE_FULL_EA_INFORMATION ||
- req->FileInfoClass == FILE_ALL_INFORMATION)) {
+ (req->FileInfoClass == FILE_FULL_EA_INFORMATION ||
+ req->FileInfoClass == FILE_ALL_INFORMATION)) {
sz = large_sz;
work->set_trans_buf = true;
}
@@ -595,7 +595,7 @@ int smb2_check_user_session(struct ksmbd_work *work)
* these commands.
*/
if (cmd == SMB2_ECHO_HE || cmd == SMB2_NEGOTIATE_HE ||
- cmd == SMB2_SESSION_SETUP_HE)
+ cmd == SMB2_SESSION_SETUP_HE)
return 0;
if (!ksmbd_conn_good(work))
@@ -610,7 +610,7 @@ int smb2_check_user_session(struct ksmbd_work *work)
return -EINVAL;
}
-static void destroy_previous_session(struct ksmbd_user *user, uint64_t id)
+static void destroy_previous_session(struct ksmbd_user *user, u64 id)
{
struct ksmbd_session *prev_sess = ksmbd_session_lookup_slowpath(id);
struct ksmbd_user *prev_user;
@@ -641,15 +641,12 @@ static void destroy_previous_session(struct ksmbd_user *user, uint64_t id)
* Return: matching converted filename on success, otherwise error ptr
*/
static char *
-smb2_get_name(struct ksmbd_share_config *share,
- const char *src,
- const int maxlen,
- struct nls_table *local_nls)
+smb2_get_name(struct ksmbd_share_config *share, const char *src,
+ const int maxlen, struct nls_table *local_nls)
{
char *name, *unixname;
- name = smb_strndup_from_utf16(src, maxlen, 1,
- local_nls);
+ name = smb_strndup_from_utf16(src, maxlen, 1, local_nls);
if (IS_ERR(name)) {
ksmbd_err("failed to get name %ld\n", PTR_ERR(name));
return name;
@@ -756,10 +753,10 @@ static int smb2_get_dos_mode(struct kstat *stat, int attribute)
{
int attr = 0;
- if (S_ISDIR(stat->mode))
+ if (S_ISDIR(stat->mode)) {
attr = ATTR_DIRECTORY |
(attribute & (ATTR_HIDDEN | ATTR_SYSTEM));
- else {
+ } else {
attr = (attribute & 0x00005137) | ATTR_ARCHIVE;
attr &= ~(ATTR_DIRECTORY);
if (S_ISREG(stat->mode) && (server_conf.share_fake_fscaps &
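Review bot: the else arm of smb2_get_dos_mode() masks the client-visible attributes with the bare literal 0x00005137. Adding braces is fine, but a cleanup pass is the place to replace the literal with a named mask built from the ATTR_* bits it stands for, or at least a comment listing them, so a reader can tell which attributes are allowed through.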
@@ -774,7 +771,7 @@ static int smb2_get_dos_mode(struct kstat *stat, int attribute)
}
static void build_preauth_ctxt(struct smb2_preauth_neg_context *pneg_ctxt,
- __le16 hash_id)
+ __le16 hash_id)
{
pneg_ctxt->ContextType = SMB2_PREAUTH_INTEGRITY_CAPABILITIES;
pneg_ctxt->DataLength = cpu_to_le16(38);
@@ -786,7 +783,7 @@ static void build_preauth_ctxt(struct smb2_preauth_neg_context *pneg_ctxt,
}
static void build_encrypt_ctxt(struct smb2_encryption_neg_context *pneg_ctxt,
- __le16 cipher_type)
+ __le16 cipher_type)
{
pneg_ctxt->ContextType = SMB2_ENCRYPTION_CAPABILITIES;
pneg_ctxt->DataLength = cpu_to_le16(4);
@@ -796,7 +793,7 @@ static void build_encrypt_ctxt(struct smb2_encryption_neg_context *pneg_ctxt,
}
static void build_compression_ctxt(struct smb2_compression_ctx *pneg_ctxt,
- __le16 comp_algo)
+ __le16 comp_algo)
{
pneg_ctxt->ContextType = SMB2_COMPRESSION_CAPABILITIES;
pneg_ctxt->DataLength =
@@ -808,8 +805,7 @@ static void build_compression_ctxt(struct smb2_compression_ctx *pneg_ctxt,
pneg_ctxt->CompressionAlgorithms[0] = comp_algo;
}
-static void
-build_posix_ctxt(struct smb2_posix_neg_context *pneg_ctxt)
+static void build_posix_ctxt(struct smb2_posix_neg_context *pneg_ctxt)
{
pneg_ctxt->ContextType = SMB2_POSIX_EXTENSIONS_AVAILABLE;
pneg_ctxt->DataLength = cpu_to_le16(POSIX_CTXT_DATA_LEN);
@@ -832,9 +828,8 @@ build_posix_ctxt(struct smb2_posix_neg_context *pneg_ctxt)
pneg_ctxt->Name[15] = 0x7C;
}
-static void
-assemble_neg_contexts(struct ksmbd_conn *conn,
- struct smb2_negotiate_rsp *rsp)
+static void assemble_neg_contexts(struct ksmbd_conn *conn,
+ struct smb2_negotiate_rsp *rsp)
{
/* +4 is to account for the RFC1001 len field */
char *pneg_ctxt = (char *)rsp +
@@ -856,8 +851,7 @@ assemble_neg_contexts(struct ksmbd_conn *conn,
ctxt_size = round_up(ctxt_size, 8);
ksmbd_debug(SMB,
"assemble SMB2_ENCRYPTION_CAPABILITIES context\n");
- build_encrypt_ctxt(
- (struct smb2_encryption_neg_context *)pneg_ctxt,
+ build_encrypt_ctxt((struct smb2_encryption_neg_context *)pneg_ctxt,
conn->cipher_type);
rsp->NegotiateContextCount = cpu_to_le16(++neg_ctxt_cnt);
ctxt_size += sizeof(struct smb2_encryption_neg_context);
@@ -892,9 +886,8 @@ assemble_neg_contexts(struct ksmbd_conn *conn,
inc_rfc1001_len(rsp, ctxt_size);
}
-static __le32
-decode_preauth_ctxt(struct ksmbd_conn *conn,
- struct smb2_preauth_neg_context *pneg_ctxt)
+static __le32 decode_preauth_ctxt(struct ksmbd_conn *conn,
+ struct smb2_preauth_neg_context *pneg_ctxt)
{
__le32 err = STATUS_NO_PREAUTH_INTEGRITY_HASH_OVERLAP;
@@ -909,7 +902,7 @@ decode_preauth_ctxt(struct ksmbd_conn *conn,
}
static int decode_encrypt_ctxt(struct ksmbd_conn *conn,
- struct smb2_encryption_neg_context *pneg_ctxt)
+ struct smb2_encryption_neg_context *pneg_ctxt)
{
int i;
int cph_cnt = le16_to_cpu(pneg_ctxt->CipherCount);
@@ -921,7 +914,7 @@ static int decode_encrypt_ctxt(struct ksmbd_conn *conn,
for (i = 0; i < cph_cnt; i++) {
if (pneg_ctxt->Ciphers[i] == SMB2_ENCRYPTION_AES128_GCM ||
- pneg_ctxt->Ciphers[i] == SMB2_ENCRYPTION_AES128_CCM) {
+ pneg_ctxt->Ciphers[i] == SMB2_ENCRYPTION_AES128_CCM) {
ksmbd_debug(SMB, "Cipher ID = 0x%x\n",
pneg_ctxt->Ciphers[i]);
conn->cipher_type = pneg_ctxt->Ciphers[i];
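Review bot: the loop bound cph_cnt is le16_to_cpu(pneg_ctxt->CipherCount) (previous hunk), a client-controlled count, and the loop indexes pneg_ctxt->Ciphers[i] with it; nothing in the lines shown ties the count to the context's DataLength or to the end of the negotiate request. If the elided lines do not do so either, a large CipherCount walks past the received buffer, so please point to the validation or add it before the loop.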
@@ -939,7 +932,7 @@ static int decode_encrypt_ctxt(struct ksmbd_conn *conn,
}
static int decode_compress_ctxt(struct ksmbd_conn *conn,
- struct smb2_compression_ctx *pneg_ctxt)
+ struct smb2_compression_ctx *pneg_ctxt)
{
int algo_cnt = le16_to_cpu(pneg_ctxt->CompressionAlgorithmCount);
@@ -954,7 +947,7 @@ static int decode_compress_ctxt(struct ksmbd_conn *conn,
}
static __le32 deassemble_neg_contexts(struct ksmbd_conn *conn,
- struct smb2_negotiate_req *req)
+ struct smb2_negotiate_req *req)
{
int i = 0;
__le32 status = 0;
@@ -976,8 +969,7 @@ static __le32 deassemble_neg_contexts(struct ksmbd_conn *conn,
status = decode_preauth_ctxt(conn,
(struct smb2_preauth_neg_context *)pneg_ctxt);
- pneg_ctxt += DIV_ROUND_UP(
- sizeof(struct smb2_preauth_neg_context), 8) * 8;
+ pneg_ctxt += DIV_ROUND_UP(sizeof(struct smb2_preauth_neg_context), 8) * 8;
} else if (*ContextType == SMB2_ENCRYPTION_CAPABILITIES) {
ksmbd_debug(SMB,
"deassemble SMB2_ENCRYPTION_CAPABILITIES context\n");
@@ -985,8 +977,7 @@ static __le32 deassemble_neg_contexts(struct ksmbd_conn *conn,
break;
ctxt_size = decode_encrypt_ctxt(conn,
- (struct smb2_encryption_neg_context *)
- pneg_ctxt);
+ (struct smb2_encryption_neg_context *)pneg_ctxt);
pneg_ctxt += DIV_ROUND_UP(ctxt_size, 8) * 8;
} else if (*ContextType == SMB2_COMPRESSION_CAPABILITIES) {
ksmbd_debug(SMB,
@@ -995,23 +986,20 @@ static __le32 deassemble_neg_contexts(struct ksmbd_conn *conn,
break;
ctxt_size = decode_compress_ctxt(conn,
- (struct smb2_compression_ctx *)
- pneg_ctxt);
+ (struct smb2_compression_ctx *) pneg_ctxt);
pneg_ctxt += DIV_ROUND_UP(ctxt_size, 8) * 8;
} else if (*ContextType == SMB2_NETNAME_NEGOTIATE_CONTEXT_ID) {
ksmbd_debug(SMB,
"deassemble SMB2_NETNAME_NEGOTIATE_CONTEXT_ID context\n");
ctxt_size = sizeof(struct smb2_netname_neg_context);
- ctxt_size += DIV_ROUND_UP(
- le16_to_cpu(((struct smb2_netname_neg_context *)
+ ctxt_size += DIV_ROUND_UP(le16_to_cpu(((struct smb2_netname_neg_context *)
pneg_ctxt)->DataLength), 8) * 8;
pneg_ctxt += ctxt_size;
} else if (*ContextType == SMB2_POSIX_EXTENSIONS_AVAILABLE) {
ksmbd_debug(SMB,
"deassemble SMB2_POSIX_EXTENSIONS_AVAILABLE context\n");
conn->posix_ext_supported = true;
- pneg_ctxt += DIV_ROUND_UP(
- sizeof(struct smb2_posix_neg_context), 8) * 8;
+ pneg_ctxt += DIV_ROUND_UP(sizeof(struct smb2_posix_neg_context), 8) * 8;
}
ContextType = (__le16 *)pneg_ctxt;
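Review bot: the new decode_compress_ctxt() argument is written (struct smb2_compression_ctx *) pneg_ctxt with a space after the cast, unlike the encryption case two hunks up and kernel style; drop the space. The joined SMB2_NETNAME_NEGOTIATE_CONTEXT_ID line now breaks between the cast and pneg_ctxt, which is harder to read than before; a typed local would fix that. Separately, that branch advances pneg_ctxt by a client-supplied DataLength, and the lines shown do not check the result against the end of the request.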
@@ -1149,8 +1137,8 @@ int smb2_handle_negotiate(struct ksmbd_work *work)
conn->use_spnego = true;
if ((server_conf.signing == KSMBD_CONFIG_OPT_AUTO ||
- server_conf.signing == KSMBD_CONFIG_OPT_DISABLED) &&
- req->SecurityMode & SMB2_NEGOTIATE_SIGNING_REQUIRED_LE)
+ server_conf.signing == KSMBD_CONFIG_OPT_DISABLED) &&
+ req->SecurityMode & SMB2_NEGOTIATE_SIGNING_REQUIRED_LE)
conn->sign = true;
else if (server_conf.signing == KSMBD_CONFIG_OPT_MANDATORY) {
server_conf.enforced_signing = true;
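Review bot: in smb2_handle_negotiate() the first arm (conn->sign = true;) is unbraced while the else if arm for KSMBD_CONFIG_OPT_MANDATORY is braced, the same pattern this patch fixes in smb2_map_lease_to_oplock() and ksmbd_smb2_check_message(); brace both arms. The condition also combines && with an unparenthesised req->SecurityMode & SMB2_NEGOTIATE_SIGNING_REQUIRED_LE. A short comment would help too: as written, signing is switched on for the connection even when server_conf.signing is KSMBD_CONFIG_OPT_DISABLED, as long as the client demands it, and the reader should be told that this is deliberate.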
@@ -1169,7 +1157,7 @@ int smb2_handle_negotiate(struct ksmbd_work *work)
}
static int alloc_preauth_hash(struct ksmbd_session *sess,
- struct ksmbd_conn *conn)
+ struct ksmbd_conn *conn)
{
if (sess->Preauth_HashValue)
return 0;
@@ -1204,7 +1192,7 @@ static int generate_preauth_hash(struct ksmbd_work *work)
}
static int decode_negotiation_token(struct ksmbd_work *work,
- struct negotiate_message *negblob)
+ struct negotiate_message *negblob)
{
struct ksmbd_conn *conn = work->conn;
struct smb2_sess_setup_req *req;
@@ -1227,7 +1215,7 @@ static int decode_negotiation_token(struct ksmbd_work *work,
}
static int ntlm_negotiate(struct ksmbd_work *work,
- struct negotiate_message *negblob)
+ struct negotiate_message *negblob)
{
struct smb2_sess_setup_req *req = work->request_buf;
struct smb2_sess_setup_rsp *rsp = work->response_buf;
@@ -1291,7 +1279,7 @@ static int ntlm_negotiate(struct ksmbd_work *work,
}
static struct authenticate_message *user_authblob(struct ksmbd_conn *conn,
- struct smb2_sess_setup_req *req)
+ struct smb2_sess_setup_req *req)
{
int sz;
@@ -1304,7 +1292,7 @@ static struct authenticate_message *user_authblob(struct ksmbd_conn *conn,
}
static struct ksmbd_user *session_user(struct ksmbd_conn *conn,
- struct smb2_sess_setup_req *req)
+ struct smb2_sess_setup_req *req)
{
struct authenticate_message *authblob;
struct ksmbd_user *user;
@@ -1336,7 +1324,7 @@ static int ntlm_authenticate(struct ksmbd_work *work)
struct ksmbd_session *sess = work->sess;
struct channel *chann = NULL;
struct ksmbd_user *user;
- uint64_t prev_id;
+ u64 prev_id;
int sz, rc;
ksmbd_debug(SMB, "authenticate phase\n");
@@ -1351,9 +1339,7 @@ static int ntlm_authenticate(struct ksmbd_work *work)
return -ENOMEM;
sz = le16_to_cpu(rsp->SecurityBufferOffset);
- memcpy((char *)&rsp->hdr.ProtocolId + sz,
- spnego_blob,
- spnego_blob_len);
+ memcpy((char *)&rsp->hdr.ProtocolId + sz, spnego_blob, spnego_blob_len);
rsp->SecurityBufferLength = cpu_to_le16(spnego_blob_len);
kfree(spnego_blob);
inc_rfc1001_len(rsp, spnego_blob_len - 1);
@@ -1386,8 +1372,7 @@ static int ntlm_authenticate(struct ksmbd_work *work)
sess->user = user;
if (user_guest(sess->user)) {
if (conn->sign) {
- ksmbd_debug(SMB,
- "Guest login not allowed when signing enabled\n");
+ ksmbd_debug(SMB, "Guest login not allowed when signing enabled\n");
rsp->hdr.Status = STATUS_LOGON_FAILURE;
return -EACCES;
}
@@ -1415,11 +1400,11 @@ static int ntlm_authenticate(struct ksmbd_work *work)
return 0;
if ((conn->sign || server_conf.enforced_signing) ||
- (req->SecurityMode & SMB2_NEGOTIATE_SIGNING_REQUIRED))
+ (req->SecurityMode & SMB2_NEGOTIATE_SIGNING_REQUIRED))
sess->sign = true;
if (conn->vals->capabilities & SMB2_GLOBAL_CAP_ENCRYPTION &&
- conn->ops->generate_encryptionkey) {
+ conn->ops->generate_encryptionkey) {
rc = conn->ops->generate_encryptionkey(sess);
if (rc) {
ksmbd_debug(SMB,
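Review bot: the signing test keeps its redundant grouping, (conn->sign || server_conf.enforced_signing) || (req->SecurityMode & SMB2_NEGOTIATE_SIGNING_REQUIRED), although the patch strips such parentheses elsewhere. The encryption test below it is written without parentheses around the capabilities check here and with them in the identical block in krb5_authenticate(). Since both functions carry the same two decisions, a small shared helper would keep the sign and encrypt conditions from drifting apart.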
@@ -1453,8 +1438,7 @@ static int ntlm_authenticate(struct ksmbd_work *work)
if (conn->ops->generate_signingkey) {
rc = conn->ops->generate_signingkey(sess);
if (rc) {
- ksmbd_debug(SMB,
- "SMB3 signing key generation failed\n");
+ ksmbd_debug(SMB, "SMB3 signing key generation failed\n");
rsp->hdr.Status = STATUS_LOGON_FAILURE;
return rc;
}
@@ -1479,7 +1463,7 @@ static int krb5_authenticate(struct ksmbd_work *work)
struct ksmbd_session *sess = work->sess;
char *in_blob, *out_blob;
struct channel *chann = NULL;
- uint64_t prev_sess_id;
+ u64 prev_sess_id;
int in_len, out_len;
int retval;
@@ -1511,11 +1495,11 @@ static int krb5_authenticate(struct ksmbd_work *work)
inc_rfc1001_len(rsp, out_len - 1);
if ((conn->sign || server_conf.enforced_signing) ||
- (req->SecurityMode & SMB2_NEGOTIATE_SIGNING_REQUIRED))
+ (req->SecurityMode & SMB2_NEGOTIATE_SIGNING_REQUIRED))
sess->sign = true;
if ((conn->vals->capabilities & SMB2_GLOBAL_CAP_ENCRYPTION) &&
- conn->ops->generate_encryptionkey) {
+ conn->ops->generate_encryptionkey) {
retval = conn->ops->generate_encryptionkey(sess);
if (retval) {
ksmbd_debug(SMB,
@@ -1544,8 +1528,7 @@ static int krb5_authenticate(struct ksmbd_work *work)
if (conn->ops->generate_signingkey) {
retval = conn->ops->generate_signingkey(sess);
if (retval) {
- ksmbd_debug(SMB,
- "SMB3 signing key generation failed\n");
+ ksmbd_debug(SMB, "SMB3 signing key generation failed\n");
rsp->hdr.Status = STATUS_LOGON_FAILURE;
return retval;
}
@@ -1646,9 +1629,7 @@ int smb2_sess_setup(struct ksmbd_work *work)
* Note: here total size -1 is done as an
* adjustment for 0 size blob
*/
- inc_rfc1001_len(rsp,
- le16_to_cpu(rsp->SecurityBufferLength)
- - 1);
+ inc_rfc1001_len(rsp, le16_to_cpu(rsp->SecurityBufferLength) - 1);
} else if (negblob->MessageType == NtLmAuthenticate) {
rc = ntlm_authenticate(work);
@@ -1704,7 +1685,7 @@ int smb2_tree_connect(struct ksmbd_work *work)
int rc = -EINVAL;
treename = smb_strndup_from_utf16(req->Buffer,
- le16_to_cpu(req->PathLength), true, conn->local_nls);
+ le16_to_cpu(req->PathLength), true, conn->local_nls);
if (IS_ERR(treename)) {
ksmbd_err("treename is NULL\n");
status.ret = KSMBD_TREE_CONN_STATUS_ERROR;
@@ -1808,7 +1789,7 @@ static int smb2_create_open_flags(bool file_present, __le32 access,
int oflags = O_NONBLOCK | O_LARGEFILE;
if (access & FILE_READ_DESIRED_ACCESS_LE &&
- access & FILE_WRITE_DESIRE_ACCESS_LE)
+ access & FILE_WRITE_DESIRE_ACCESS_LE)
oflags |= O_RDWR;
else if (access & FILE_WRITE_DESIRE_ACCESS_LE)
oflags |= O_WRONLY;
@@ -1995,13 +1976,13 @@ struct durable_info {
};
static int parse_durable_handle_context(struct ksmbd_work *work,
- struct smb2_create_req *req, struct lease_ctx_info *lc,
- struct durable_info *d_info)
+ struct smb2_create_req *req, struct lease_ctx_info *lc,
+ struct durable_info *d_info)
{
struct ksmbd_conn *conn = work->conn;
struct create_context *context;
int i, err = 0;
- uint64_t persistent_id = 0;
+ u64 persistent_id = 0;
int req_op_level;
static const char * const durable_arr[] = {"DH2C", "DHnC", "DH2Q",
"DHnQ", SMB2_CREATE_APP_INSTANCE_ID};
@@ -2026,8 +2007,7 @@ static int parse_durable_handle_context(struct ksmbd_work *work,
recon_v2 =
(struct create_durable_reconn_v2_req *)context;
- persistent_id = le64_to_cpu(
- recon_v2->Fid.PersistentFileId);
+ persistent_id = le64_to_cpu(recon_v2->Fid.PersistentFileId);
d_info->fp = ksmbd_lookup_durable_fd(persistent_id);
if (!d_info->fp) {
ksmbd_err("Failed to get Durable handle state\n");
@@ -2035,9 +2015,8 @@ static int parse_durable_handle_context(struct ksmbd_work *work,
goto out;
}
- if (memcmp(d_info->fp->create_guid,
- recon_v2->CreateGuid,
- SMB2_CREATE_GUID_SIZE)) {
+ if (memcmp(d_info->fp->create_guid, recon_v2->CreateGuid,
+ SMB2_CREATE_GUID_SIZE)) {
err = -EBADF;
goto out;
}
@@ -2053,15 +2032,14 @@ static int parse_durable_handle_context(struct ksmbd_work *work,
struct create_durable_reconn_req *recon;
if (d_info->type == DURABLE_RECONN_V2 ||
- d_info->type == DURABLE_REQ_V2) {
+ d_info->type == DURABLE_REQ_V2) {
err = -EINVAL;
goto out;
}
recon =
(struct create_durable_reconn_req *)context;
- persistent_id = le64_to_cpu(
- recon->Data.Fid.PersistentFileId);
+ persistent_id = le64_to_cpu(recon->Data.Fid.PersistentFileId);
d_info->fp = ksmbd_lookup_durable_fd(persistent_id);
if (!d_info->fp) {
ksmbd_err("Failed to get Durable handle state\n");
@@ -2080,7 +2058,7 @@ static int parse_durable_handle_context(struct ksmbd_work *work,
struct create_durable_req_v2 *durable_v2_blob;
if (d_info->type == DURABLE_RECONN ||
- d_info->type == DURABLE_RECONN_V2) {
+ d_info->type == DURABLE_RECONN_V2) {
err = -EINVAL;
goto out;
}
@@ -2088,14 +2066,11 @@ static int parse_durable_handle_context(struct ksmbd_work *work,
durable_v2_blob =
(struct create_durable_req_v2 *)context;
ksmbd_debug(SMB, "Request for durable v2 open\n");
- d_info->fp = ksmbd_lookup_fd_cguid(
- durable_v2_blob->CreateGuid);
+ d_info->fp = ksmbd_lookup_fd_cguid(durable_v2_blob->CreateGuid);
if (d_info->fp) {
- if (!memcmp(conn->ClientGUID,
- d_info->fp->client_guid,
- SMB2_CLIENT_GUID_SIZE)) {
- if (!(req->hdr.Flags &
- SMB2_FLAGS_REPLAY_OPERATIONS)) {
+ if (!memcmp(conn->ClientGUID, d_info->fp->client_guid,
+ SMB2_CLIENT_GUID_SIZE)) {
+ if (!(req->hdr.Flags & SMB2_FLAGS_REPLAY_OPERATIONS)) {
err = -ENOEXEC;
goto out;
}
@@ -2105,10 +2080,8 @@ static int parse_durable_handle_context(struct ksmbd_work *work,
goto out;
}
}
- if (((lc &&
- (lc->req_state &
- SMB2_LEASE_HANDLE_CACHING_LE)) ||
- (req_op_level == SMB2_OPLOCK_LEVEL_BATCH))) {
+ if (((lc && (lc->req_state & SMB2_LEASE_HANDLE_CACHING_LE)) ||
+ req_op_level == SMB2_OPLOCK_LEVEL_BATCH)) {
d_info->CreateGuid =
durable_v2_blob->CreateGuid;
d_info->persistent =
@@ -2123,15 +2096,13 @@ static int parse_durable_handle_context(struct ksmbd_work *work,
if (d_info->type == DURABLE_RECONN)
goto out;
if (d_info->type == DURABLE_RECONN_V2 ||
- d_info->type == DURABLE_REQ_V2) {
+ d_info->type == DURABLE_REQ_V2) {
err = -EINVAL;
goto out;
}
- if (((lc &&
- (lc->req_state &
- SMB2_LEASE_HANDLE_CACHING_LE)) ||
- (req_op_level == SMB2_OPLOCK_LEVEL_BATCH))) {
+ if (((lc && (lc->req_state & SMB2_LEASE_HANDLE_CACHING_LE)) ||
+ req_op_level == SMB2_OPLOCK_LEVEL_BATCH)) {
ksmbd_debug(SMB, "Request for durable open\n");
d_info->type = i;
}
@@ -2252,9 +2223,7 @@ static inline int check_context_err(void *ctx, char *str)
}
static noinline int smb2_set_stream_name_xattr(struct path *path,
- struct ksmbd_file *fp,
- char *stream_name,
- int s_type)
+ struct ksmbd_file *fp, char *stream_name, int s_type)
{
size_t xattr_stream_size;
char *xattr_stream_name;
@@ -2307,12 +2276,9 @@ static int smb2_remove_smb_xattrs(struct dentry *dentry)
ksmbd_debug(SMB, "%s, len %zd\n", name, strlen(name));
if (strncmp(name, XATTR_USER_PREFIX, XATTR_USER_PREFIX_LEN) &&
- strncmp(&name[XATTR_USER_PREFIX_LEN],
- DOS_ATTRIBUTE_PREFIX,
- DOS_ATTRIBUTE_PREFIX_LEN) &&
- strncmp(&name[XATTR_USER_PREFIX_LEN],
- STREAM_PREFIX,
- STREAM_PREFIX_LEN))
+ strncmp(&name[XATTR_USER_PREFIX_LEN], DOS_ATTRIBUTE_PREFIX,
+ DOS_ATTRIBUTE_PREFIX_LEN) &&
+ strncmp(&name[XATTR_USER_PREFIX_LEN], STREAM_PREFIX, STREAM_PREFIX_LEN))
continue;
err = ksmbd_vfs_remove_xattr(dentry, name);
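Review bot: in smb2_remove_smb_xattrs() the two comparisons at &name[XATTR_USER_PREFIX_LEN] are evaluated only when the first strncmp() is non-zero, that is, only for names that do not start with XATTR_USER_PREFIX. They therefore inspect offset XATTR_USER_PREFIX_LEN of a name from some other namespace and assume every listed name is at least that long. Since the condition is being rewritten anyway, please confirm which xattrs are meant to be removed and restructure it so the suffix checks run only after the user prefix has matched. The joined STREAM_PREFIX line is also noticeably longer than its neighbours and would read better wrapped like the DOS_ATTRIBUTE_PREFIX one.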
@@ -2343,9 +2309,8 @@ static int smb2_create_truncate(struct path *path)
return rc;
}
-static void smb2_new_xattrs(struct ksmbd_tree_connect *tcon,
- struct path *path,
- struct ksmbd_file *fp)
+static void smb2_new_xattrs(struct ksmbd_tree_connect *tcon, struct path *path,
+ struct ksmbd_file *fp)
{
struct xattr_dos_attrib da = {0};
int rc;
@@ -2366,8 +2331,7 @@ static void smb2_new_xattrs(struct ksmbd_tree_connect *tcon,
}
static void smb2_update_xattrs(struct ksmbd_tree_connect *tcon,
- struct path *path,
- struct ksmbd_file *fp)
+ struct path *path, struct ksmbd_file *fp)
{
struct xattr_dos_attrib da;
int rc;
@@ -2376,7 +2340,7 @@ static void smb2_update_xattrs(struct ksmbd_tree_connect *tcon,
/* get FileAttributes from XATTR_NAME_DOS_ATTRIBUTE */
if (!test_share_config_flag(tcon->share_conf,
- KSMBD_SHARE_FLAG_STORE_DOS_ATTRS))
+ KSMBD_SHARE_FLAG_STORE_DOS_ATTRS))
return;
rc = ksmbd_vfs_get_dos_attrib_xattr(path->dentry, &da);
@@ -2387,12 +2351,8 @@ static void smb2_update_xattrs(struct ksmbd_tree_connect *tcon,
}
}
-static int smb2_creat(struct ksmbd_work *work,
- struct path *path,
- char *name,
- int open_flags,
- umode_t posix_mode,
- bool is_dir)
+static int smb2_creat(struct ksmbd_work *work, struct path *path, char *name,
+ int open_flags, umode_t posix_mode, bool is_dir)
{
struct ksmbd_tree_connect *tcon = work->tcon;
struct ksmbd_share_config *share = tcon->share_conf;
@@ -2494,7 +2454,7 @@ int smb2_open(struct ksmbd_work *work)
WORK_BUFFERS(work, req, rsp);
if (req->hdr.NextCommand && !work->next_smb2_rcv_hdr_off &&
- (req->hdr.Flags & SMB2_FLAGS_RELATED_OPERATIONS)) {
+ (req->hdr.Flags & SMB2_FLAGS_RELATED_OPERATIONS)) {
ksmbd_debug(SMB, "invalid flag in chained command\n");
rsp->hdr.Status = STATUS_INVALID_PARAMETER;
smb2_set_err_rsp(work);
@@ -2508,7 +2468,7 @@ int smb2_open(struct ksmbd_work *work)
if (req->NameLength) {
if ((req->CreateOptions & FILE_DIRECTORY_FILE_LE) &&
- *(char *)req->Buffer == '\\') {
+ *(char *)req->Buffer == '\\') {
ksmbd_err("not allow directory name included leading slash\n");
rc = -EINVAL;
goto err_out1;
@@ -2528,7 +2488,7 @@ int smb2_open(struct ksmbd_work *work)
ksmbd_debug(SMB, "converted name = %s\n", name);
if (strchr(name, ':')) {
if (!test_share_config_flag(work->tcon->share_conf,
- KSMBD_SHARE_FLAG_STREAMS)) {
+ KSMBD_SHARE_FLAG_STREAMS)) {
rc = -EBADF;
goto err_out1;
}
@@ -2564,7 +2524,7 @@ int smb2_open(struct ksmbd_work *work)
req_op_level = req->RequestedOplockLevel;
memset(&d_info, 0, sizeof(struct durable_info));
if (server_conf.flags & KSMBD_GLOBAL_FLAG_DURABLE_HANDLE &&
- req->CreateContextsOffset) {
+ req->CreateContextsOffset) {
lc = parse_lease_state(req);
rc = parse_durable_handle_context(work, req, lc, &d_info);
if (rc) {
@@ -2593,8 +2553,7 @@ int smb2_open(struct ksmbd_work *work)
lc = parse_lease_state(req);
}
- if (le32_to_cpu(req->ImpersonationLevel) >
- le32_to_cpu(IL_DELEGATE_LE)) {
+ if (le32_to_cpu(req->ImpersonationLevel) > le32_to_cpu(IL_DELEGATE_LE)) {
ksmbd_err("Invalid impersonationlevel : 0x%x\n",
le32_to_cpu(req->ImpersonationLevel));
rc = -EIO;
@@ -2610,7 +2569,7 @@ int smb2_open(struct ksmbd_work *work)
} else {
if (req->CreateOptions & FILE_SEQUENTIAL_ONLY_LE &&
- req->CreateOptions & FILE_RANDOM_ACCESS_LE)
+ req->CreateOptions & FILE_RANDOM_ACCESS_LE)
req->CreateOptions = ~(FILE_SEQUENTIAL_ONLY_LE);
if (req->CreateOptions & (FILE_OPEN_BY_FILE_ID_LE |
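Review bot: the context line req->CreateOptions = ~(FILE_SEQUENTIAL_ONLY_LE); assigns the complement of the flag, which sets every other CreateOptions bit instead of clearing this one. If the intent is to drop FILE_SEQUENTIAL_ONLY_LE when FILE_RANDOM_ACCESS_LE is also requested, it should be req->CreateOptions &= ~FILE_SEQUENTIAL_ONLY_LE;. The same pattern appears with FILE_NO_COMPRESSION_LE in the next hunk. A whitespace-only cleanup should not carry the fix, but it is worth a follow-up patch since later checks in smb2_open() test bits of CreateOptions.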
@@ -2623,8 +2582,9 @@ int smb2_open(struct ksmbd_work *work)
if (req->CreateOptions & FILE_NON_DIRECTORY_FILE_LE) {
rc = -EINVAL;
goto err_out1;
- } else if (req->CreateOptions & FILE_NO_COMPRESSION_LE)
+ } else if (req->CreateOptions & FILE_NO_COMPRESSION_LE) {
req->CreateOptions = ~(FILE_NO_COMPRESSION_LE);
+ }
}
}
@@ -2643,8 +2603,7 @@ int smb2_open(struct ksmbd_work *work)
goto err_out1;
}
- if (req->FileAttributes &&
- !(req->FileAttributes & ATTR_MASK_LE)) {
+ if (req->FileAttributes && !(req->FileAttributes & ATTR_MASK_LE)) {
ksmbd_err("Invalid file attribute : 0x%x\n",
le32_to_cpu(req->FileAttributes));
rc = -EINVAL;
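Review bot: the joined condition req->FileAttributes && !(req->FileAttributes & ATTR_MASK_LE) rejects a request only when none of the ATTR_MASK_LE bits is set, so a value that has one valid bit plus bits outside the mask is accepted. If the check is meant to refuse unknown attribute bits, test req->FileAttributes & ~ATTR_MASK_LE instead; if the current behaviour is intended, a one-line comment saying so would help.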
@@ -2729,14 +2688,13 @@ int smb2_open(struct ksmbd_work *work)
* denied error.
*/
if (req->CreateDisposition == FILE_OVERWRITE_IF_LE ||
- req->CreateDisposition == FILE_OPEN_IF_LE) {
+ req->CreateDisposition == FILE_OPEN_IF_LE) {
rc = -EACCES;
path_put(&path);
goto err_out;
}
- if (!test_tree_conn_flag(tcon,
- KSMBD_TREE_CONN_FLAG_WRITABLE)) {
+ if (!test_tree_conn_flag(tcon, KSMBD_TREE_CONN_FLAG_WRITABLE)) {
ksmbd_debug(SMB,
"User does not have write permission\n");
rc = -EACCES;
@@ -2746,7 +2704,7 @@ int smb2_open(struct ksmbd_work *work)
}
} else {
if (test_share_config_flag(work->tcon->share_conf,
- KSMBD_SHARE_FLAG_FOLLOW_SYMLINKS)) {
+ KSMBD_SHARE_FLAG_FOLLOW_SYMLINKS)) {
/*
* Use LOOKUP_FOLLOW to follow the path of
* symlink in path buildup
@@ -2792,7 +2750,7 @@ int smb2_open(struct ksmbd_work *work)
}
if (req->CreateOptions & FILE_DIRECTORY_FILE_LE &&
- req->FileAttributes & ATTR_NORMAL_LE) {
+ req->FileAttributes & ATTR_NORMAL_LE) {
rsp->hdr.Status = STATUS_NOT_A_DIRECTORY;
rc = -EIO;
}
@@ -2801,9 +2759,8 @@ int smb2_open(struct ksmbd_work *work)
goto err_out;
}
- if (file_present && req->CreateOptions & FILE_NON_DIRECTORY_FILE_LE
- && S_ISDIR(stat.mode) &&
- !(req->CreateOptions & FILE_DELETE_ON_CLOSE_LE)) {
+ if (file_present && req->CreateOptions & FILE_NON_DIRECTORY_FILE_LE &&
+ S_ISDIR(stat.mode) && !(req->CreateOptions & FILE_DELETE_ON_CLOSE_LE)) {
ksmbd_debug(SMB, "open() argument is a directory: %s, %x\n",
name, req->CreateOptions);
rsp->hdr.Status = STATUS_FILE_IS_A_DIRECTORY;
@@ -2812,21 +2769,21 @@ int smb2_open(struct ksmbd_work *work)
}
if (file_present && (req->CreateOptions & FILE_DIRECTORY_FILE_LE) &&
- !(req->CreateDisposition == FILE_CREATE_LE) &&
- !S_ISDIR(stat.mode)) {
+ !(req->CreateDisposition == FILE_CREATE_LE) &&
+ !S_ISDIR(stat.mode)) {
rsp->hdr.Status = STATUS_NOT_A_DIRECTORY;
rc = -EIO;
goto err_out;
}
if (!stream_name && file_present &&
- (req->CreateDisposition == FILE_CREATE_LE)) {
+ req->CreateDisposition == FILE_CREATE_LE) {
rc = -EEXIST;
goto err_out;
}
if (server_conf.flags & KSMBD_GLOBAL_FLAG_DURABLE_HANDLE &&
- file_present)
+ file_present)
file_present = ksmbd_close_inode_fds(work,
d_inode(path.dentry));
@@ -2889,10 +2846,10 @@ int smb2_open(struct ksmbd_work *work)
* because execute(search) permission on a parent directory,
* is already granted.
*/
- if (daccess & ~(FILE_READ_ATTRIBUTES_LE |
- FILE_READ_CONTROL_LE)) {
+ if (daccess & ~(FILE_READ_ATTRIBUTES_LE | FILE_READ_CONTROL_LE)) {
if (ksmbd_vfs_inode_permission(path.dentry,
- open_flags & O_ACCMODE, may_delete)) {
+ open_flags & O_ACCMODE,
+ may_delete)) {
rc = -EACCES;
goto err_out;
}
@@ -2922,8 +2879,9 @@ int smb2_open(struct ksmbd_work *work)
if ((req->CreateDisposition & FILE_CREATE_MASK_LE)
== FILE_SUPERSEDE_LE)
file_info = FILE_SUPERSEDED;
- } else if (open_flags & O_CREAT)
+ } else if (open_flags & O_CREAT) {
file_info = FILE_CREATED;
+ }
ksmbd_vfs_set_fadvise(filp, req->CreateOptions);
@@ -2959,7 +2917,7 @@ int smb2_open(struct ksmbd_work *work)
ksmbd_debug(SMB, "inherit posix acl failed : %d\n", posix_acl_rc);
if (test_share_config_flag(work->tcon->share_conf,
- KSMBD_SHARE_FLAG_ACL_XATTR)) {
+ KSMBD_SHARE_FLAG_ACL_XATTR)) {
rc = smb_inherit_dacl(conn, path.dentry, sess->user->uid,
sess->user->gid);
}
@@ -2971,7 +2929,7 @@ int smb2_open(struct ksmbd_work *work)
ksmbd_vfs_set_init_posix_acl(inode);
if (test_share_config_flag(work->tcon->share_conf,
- KSMBD_SHARE_FLAG_ACL_XATTR)) {
+ KSMBD_SHARE_FLAG_ACL_XATTR)) {
struct smb_fattr fattr;
struct smb_ntsd *pntsd;
int pntsd_size, ace_num;
@@ -2990,9 +2948,9 @@ int smb2_open(struct ksmbd_work *work)
}
pntsd = kmalloc(sizeof(struct smb_ntsd) +
- sizeof(struct smb_sid)*3 +
+ sizeof(struct smb_sid) * 3 +
sizeof(struct smb_acl) +
- sizeof(struct smb_ace)*ace_num*2,
+ sizeof(struct smb_ace) * ace_num * 2,
GFP_KERNEL);
if (!pntsd)
goto err_out;
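Review bot: the kmalloc() size is still open-coded arithmetic on ace_num, which is declared as a plain int just above. If ace_num can be large or negative, sizeof(struct smb_ace) * ace_num * 2 wraps and the buffer is smaller than what is later written into pntsd. Please compute the size with the helpers in linux/overflow.h (array3_size() for the product, check_add_overflow() for the sum) and fail the request on overflow. Also, the !pntsd path jumps to err_out without assigning rc in the lines shown; confirm rc carries -ENOMEM there.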
@@ -3026,8 +2984,8 @@ int smb2_open(struct ksmbd_work *work)
fp->attrib_only = !(req->DesiredAccess & ~(FILE_READ_ATTRIBUTES_LE |
FILE_WRITE_ATTRIBUTES_LE | FILE_SYNCHRONIZE_LE));
- if (!S_ISDIR(file_inode(filp)->i_mode) && open_flags & O_TRUNC
- && !fp->attrib_only && !stream_name) {
+ if (!S_ISDIR(file_inode(filp)->i_mode) && open_flags & O_TRUNC &&
+ !fp->attrib_only && !stream_name) {
smb_break_all_oplock(work, fp);
need_truncate = 1;
}
@@ -3053,10 +3011,9 @@ int smb2_open(struct ksmbd_work *work)
}
share_ret = ksmbd_smb_check_shared_mode(fp->filp, fp);
- if (!test_share_config_flag(work->tcon->share_conf,
- KSMBD_SHARE_FLAG_OPLOCKS) ||
- (req_op_level == SMB2_OPLOCK_LEVEL_LEASE &&
- !(conn->vals->capabilities & SMB2_GLOBAL_CAP_LEASING))) {
+ if (!test_share_config_flag(work->tcon->share_conf, KSMBD_SHARE_FLAG_OPLOCKS) ||
+ (req_op_level == SMB2_OPLOCK_LEVEL_LEASE &&
+ !(conn->vals->capabilities & SMB2_GLOBAL_CAP_LEASING))) {
if (share_ret < 0 && !S_ISDIR(FP_INODE(fp)->i_mode)) {
rc = share_ret;
goto err_out;
@@ -3071,8 +3028,8 @@ int smb2_open(struct ksmbd_work *work)
if (rc)
goto err_out;
} else if (open_flags == O_RDONLY &&
- (req_op_level == SMB2_OPLOCK_LEVEL_BATCH ||
- req_op_level == SMB2_OPLOCK_LEVEL_EXCLUSIVE))
+ (req_op_level == SMB2_OPLOCK_LEVEL_BATCH ||
+ req_op_level == SMB2_OPLOCK_LEVEL_EXCLUSIVE))
req_op_level = SMB2_OPLOCK_LEVEL_II;
rc = smb_grant_oplock(work, req_op_level,
@@ -3117,11 +3074,9 @@ int smb2_open(struct ksmbd_work *work)
err);
}
- context = smb2_find_context_vals(req,
- SMB2_CREATE_QUERY_ON_DISK_ID);
+ context = smb2_find_context_vals(req, SMB2_CREATE_QUERY_ON_DISK_ID);
if (IS_ERR(context)) {
- rc = check_context_err(context,
- SMB2_CREATE_QUERY_ON_DISK_ID);
+ rc = check_context_err(context, SMB2_CREATE_QUERY_ON_DISK_ID);
if (rc < 0)
goto err_out;
} else {
@@ -3146,8 +3101,7 @@ int smb2_open(struct ksmbd_work *work)
memcpy(fp->client_guid, conn->ClientGUID, SMB2_CLIENT_GUID_SIZE);
if (d_info.type) {
- if (d_info.type == DURABLE_REQ_V2 &&
- d_info.persistent)
+ if (d_info.type == DURABLE_REQ_V2 && d_info.persistent)
fp->is_persistent = 1;
else
fp->is_durable = 1;
@@ -3160,8 +3114,7 @@ int smb2_open(struct ksmbd_work *work)
else
fp->durable_timeout = 1600;
if (d_info.app_id)
- memcpy(fp->app_instance_id,
- d_info.app_id, 16);
+ memcpy(fp->app_instance_id, d_info.app_id, 16);
}
}
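Review bot: memcpy(fp->app_instance_id, d_info.app_id, 16) keeps a hard-coded length. Now that the call fits on one line, use sizeof(fp->app_instance_id) or a named constant so the copy cannot drift from the field size. The same applies to the bare 1600 assigned to durable_timeout in the context above.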
@@ -3457,10 +3410,8 @@ static int dentry_name(struct ksmbd_dir_info *d_info, int info_level)
*
* Return: 0 on success, otherwise error
*/
-static int smb2_populate_readdir_entry(struct ksmbd_conn *conn,
- int info_level,
- struct ksmbd_dir_info *d_info,
- struct ksmbd_kstat *ksmbd_kstat)
+static int smb2_populate_readdir_entry(struct ksmbd_conn *conn, int info_level,
+ struct ksmbd_dir_info *d_info, struct ksmbd_kstat *ksmbd_kstat)
{
int next_entry_offset = 0;
char *conv_name;
@@ -3710,7 +3661,7 @@ static int process_query_dir_entries(struct smb2_query_dir_private *priv)
}
static int reserve_populate_dentry(struct ksmbd_dir_info *d_info,
- int info_level)
+ int info_level)
{
int struct_sz;
int conv_len;
@@ -3816,12 +3767,8 @@ static int reserve_populate_dentry(struct ksmbd_dir_info *d_info,
return 0;
}
-static int __query_dir(struct dir_context *ctx,
- const char *name,
- int namlen,
- loff_t offset,
- u64 ino,
- unsigned int d_type)
+static int __query_dir(struct dir_context *ctx, const char *name, int namlen,
+ loff_t offset, u64 ino, unsigned int d_type)
{
struct ksmbd_readdir_data *buf;
struct smb2_query_dir_private *priv;
@@ -3913,8 +3860,7 @@ int smb2_query_dir(struct ksmbd_work *work)
}
if (!(dir_fp->daccess & FILE_LIST_DIRECTORY_LE) ||
- inode_permission(&init_user_ns, file_inode(dir_fp->filp),
- MAY_READ | MAY_EXEC)) {
+ inode_permission(&init_user_ns, file_inode(dir_fp->filp), MAY_READ | MAY_EXEC)) {
ksmbd_err("no right to enumerate directory (%s)\n",
FP_FILENAME(dir_fp));
rc = -EACCES;
@@ -3935,8 +3881,9 @@ int smb2_query_dir(struct ksmbd_work *work)
ksmbd_debug(SMB, "Search Pattern not found\n");
rc = -EINVAL;
goto err_out2;
- } else
+ } else {
ksmbd_debug(SMB, "Search pattern is %s\n", srch_ptr);
+ }
ksmbd_debug(SMB, "Directory name is %s\n", dir_fp->filename);
@@ -3949,11 +3896,9 @@ int smb2_query_dir(struct ksmbd_work *work)
memset(&d_info, 0, sizeof(struct ksmbd_dir_info));
d_info.wptr = (char *)rsp->Buffer;
d_info.rptr = (char *)rsp->Buffer;
- d_info.out_buf_len = (work->response_sz -
- (get_rfc1002_len(rsp_org) + 4));
+ d_info.out_buf_len = (work->response_sz - (get_rfc1002_len(rsp_org) + 4));
d_info.out_buf_len = min_t(int, d_info.out_buf_len,
- le32_to_cpu(req->OutputBufferLength)) -
- sizeof(struct smb2_query_directory_rsp);
+ le32_to_cpu(req->OutputBufferLength)) - sizeof(struct smb2_query_directory_rsp);
d_info.flags = srch_flag;
/*
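Review bot: in the second out_buf_len assignment, min_t(int, ...) casts the client-supplied OutputBufferLength to int and sizeof(struct smb2_query_directory_rsp) is then subtracted with no lower-bound check in the lines shown. A request length smaller than the response structure, or one above INT_MAX, leaves out_buf_len negative, and the only guard visible nearby is the d_info.out_buf_len >= 0 test in the following hunk. Please validate OutputBufferLength against the structure size before subtracting and reject the request otherwise. As a style point, the joined line ending in "- sizeof(struct smb2_query_directory_rsp);" is very long; break after the minus sign instead.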
@@ -3995,9 +3940,9 @@ int smb2_query_dir(struct ksmbd_work *work)
goto err_out;
if (!d_info.data_count && d_info.out_buf_len >= 0) {
- if (srch_flag & SMB2_RETURN_SINGLE_ENTRY && !is_asterisk(srch_ptr))
+ if (srch_flag & SMB2_RETURN_SINGLE_ENTRY && !is_asterisk(srch_ptr)) {
rsp->hdr.Status = STATUS_NO_SUCH_FILE;
- else {
+ } else {
dir_fp->dot_dotdot[0] = dir_fp->dot_dotdot[1] = 0;
rsp->hdr.Status = STATUS_NO_MORE_FILES;
}
@@ -4057,24 +4002,21 @@ int smb2_query_dir(struct ksmbd_work *work)
* Return: 0 on success, otherwise error
*/
static int buffer_check_err(int reqOutputBufferLength,
- struct smb2_query_info_rsp *rsp, int infoclass_size)
+ struct smb2_query_info_rsp *rsp, int infoclass_size)
{
if (reqOutputBufferLength < le32_to_cpu(rsp->OutputBufferLength)) {
if (reqOutputBufferLength < infoclass_size) {
ksmbd_err("Invalid Buffer Size Requested\n");
rsp->hdr.Status = STATUS_INFO_LENGTH_MISMATCH;
- rsp->hdr.smb2_buf_length = cpu_to_be32(
- sizeof(struct smb2_hdr) - 4);
+ rsp->hdr.smb2_buf_length = cpu_to_be32(sizeof(struct smb2_hdr) - 4);
return -EINVAL;
}
ksmbd_debug(SMB, "Buffer Overflow\n");
rsp->hdr.Status = STATUS_BUFFER_OVERFLOW;
- rsp->hdr.smb2_buf_length = cpu_to_be32(
- sizeof(struct smb2_hdr) - 4
- + reqOutputBufferLength);
- rsp->OutputBufferLength = cpu_to_le32(
- reqOutputBufferLength);
+ rsp->hdr.smb2_buf_length = cpu_to_be32(sizeof(struct smb2_hdr) - 4 +
+ reqOutputBufferLength);
+ rsp->OutputBufferLength = cpu_to_le32(reqOutputBufferLength);
}
return 0;
}
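Review bot: reqOutputBufferLength is a signed int compared with le32_to_cpu(rsp->OutputBufferLength), so the int is converted to unsigned for the comparison and a negative value skips the whole overflow branch. Since this parameter carries a length taken from the request, make it unsigned int (or u32) and keep the arithmetic in cpu_to_be32(sizeof(struct smb2_hdr) - 4 + reqOutputBufferLength) in one unsigned type. As this is a style cleanup, the camelCase parameter name could also become req_output_buffer_length.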
@@ -4096,7 +4038,7 @@ static void get_standard_info_pipe(struct smb2_query_info_rsp *rsp)
}
static void get_internal_info_pipe(struct smb2_query_info_rsp *rsp,
- uint64_t num)
+ u64 num)
{
struct smb2_file_internal_info *file_info;
@@ -4110,9 +4052,10 @@ static void get_internal_info_pipe(struct smb2_query_info_rsp *rsp,
}
static int smb2_get_info_file_pipe(struct ksmbd_session *sess,
- struct smb2_query_info_req *req, struct smb2_query_info_rsp *rsp)
+ struct smb2_query_info_req *req,
+ struct smb2_query_info_rsp *rsp)
{
- uint64_t id;
+ u64 id;
int rc;
/*
@@ -4155,11 +4098,9 @@ static int smb2_get_info_file_pipe(struct ksmbd_session *sess,
*
* Return: 0 on success, otherwise error
*/
-static int smb2_get_ea(struct ksmbd_work *work,
- struct ksmbd_file *fp,
- struct smb2_query_info_req *req,
- struct smb2_query_info_rsp *rsp,
- void *rsp_org)
+static int smb2_get_ea(struct ksmbd_work *work, struct ksmbd_file *fp,
+ struct smb2_query_info_req *req,
+ struct smb2_query_info_rsp *rsp, void *rsp_org)
{
struct smb2_ea_info *eainfo, *prev_eainfo;
char *name, *ptr, *xattr_list = NULL, *buf;
@@ -4176,9 +4117,9 @@ static int smb2_get_ea(struct ksmbd_work *work,
path = &fp->filp->f_path;
/* single EA entry is requested with given user.* name */
- if (req->InputBufferLength)
+ if (req->InputBufferLength) {
ea_req = (struct smb2_ea_info_req *)req->Buffer;
- else {
+ } else {
/* need to send all EAs, if no specific EA is requested*/
if (le32_to_cpu(req->Flags) & SL_RETURN_SINGLE_ENTRY)
ksmbd_debug(SMB,
@@ -4224,16 +4165,16 @@ static int smb2_get_ea(struct ksmbd_work *work,
continue;
if (!strncmp(&name[XATTR_USER_PREFIX_LEN], STREAM_PREFIX,
- STREAM_PREFIX_LEN))
+ STREAM_PREFIX_LEN))
continue;
if (req->InputBufferLength &&
- (strncmp(&name[XATTR_USER_PREFIX_LEN],
- ea_req->name, ea_req->EaNameLength)))
+ strncmp(&name[XATTR_USER_PREFIX_LEN], ea_req->name,
+ ea_req->EaNameLength))
continue;
if (!strncmp(&name[XATTR_USER_PREFIX_LEN],
- DOS_ATTRIBUTE_PREFIX, DOS_ATTRIBUTE_PREFIX_LEN))
+ DOS_ATTRIBUTE_PREFIX, DOS_ATTRIBUTE_PREFIX_LEN))
continue;
if (!strncmp(name, XATTR_USER_PREFIX, XATTR_USER_PREFIX_LEN))
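Review bot: ea_req->EaNameLength is used as the strncmp() bound straight from the request. ea_req is req->Buffer cast as soon as InputBufferLength is non-zero (previous hunk), and nothing in the lines shown checks that InputBufferLength covers struct smb2_ea_info_req plus EaNameLength bytes, so the comparison can read past the data the client actually sent. Please validate both lengths before the loop. Note also that bounding by EaNameLength makes this a prefix match: a requested name "foo" also selects an xattr named "foobar". If an exact match is intended, compare the lengths as well.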
@@ -4263,8 +4204,7 @@ static int smb2_get_ea(struct ksmbd_work *work,
eainfo->Flags = 0;
eainfo->EaNameLength = name_len;
- if (!strncmp(name, XATTR_USER_PREFIX,
- XATTR_USER_PREFIX_LEN))
+ if (!strncmp(name, XATTR_USER_PREFIX, XATTR_USER_PREFIX_LEN))
memcpy(eainfo->name, &name[XATTR_USER_PREFIX_LEN],
name_len);
else
@@ -4308,8 +4248,7 @@ static int smb2_get_ea(struct ksmbd_work *work,
}
static void get_file_access_info(struct smb2_query_info_rsp *rsp,
- struct ksmbd_file *fp,
- void *rsp_org)
+ struct ksmbd_file *fp, void *rsp_org)
{
struct smb2_file_access_info *file_info;
@@ -4321,8 +4260,7 @@ static void get_file_access_info(struct smb2_query_info_rsp *rsp,
}
static int get_file_basic_info(struct smb2_query_info_rsp *rsp,
- struct ksmbd_file *fp,
- void *rsp_org)
+ struct ksmbd_file *fp, void *rsp_org)
{
struct smb2_file_all_info *basic_info;
struct kstat stat;
@@ -4346,8 +4284,7 @@ static int get_file_basic_info(struct smb2_query_info_rsp *rsp,
basic_info->Attributes = fp->f_ci->m_fattr;
basic_info->Pad1 = 0;
rsp->OutputBufferLength =
- cpu_to_le32(offsetof(struct smb2_file_all_info,
- AllocationSize));
+ cpu_to_le32(offsetof(struct smb2_file_all_info, AllocationSize));
inc_rfc1001_len(rsp_org, offsetof(struct smb2_file_all_info,
AllocationSize));
return 0;
@@ -4363,15 +4300,13 @@ static unsigned long long get_allocation_size(struct inode *inode,
alloc_size = stat->size;
else
alloc_size = inode->i_blocks << 9;
-
}
return alloc_size;
}
static void get_file_standard_info(struct smb2_query_info_rsp *rsp,
- struct ksmbd_file *fp,
- void *rsp_org)
+ struct ksmbd_file *fp, void *rsp_org)
{
struct smb2_file_standard_info *sinfo;
unsigned int delete_pending;
@@ -4396,7 +4331,7 @@ static void get_file_standard_info(struct smb2_query_info_rsp *rsp,
}
static void get_file_alignment_info(struct smb2_query_info_rsp *rsp,
- void *rsp_org)
+ void *rsp_org)
{
struct smb2_file_alignment_info *file_info;
@@ -4409,9 +4344,8 @@ static void get_file_alignment_info(struct smb2_query_info_rsp *rsp,
}
static int get_file_all_info(struct ksmbd_work *work,
- struct smb2_query_info_rsp *rsp,
- struct ksmbd_file *fp,
- void *rsp_org)
+ struct smb2_query_info_rsp *rsp, struct ksmbd_file *fp,
+ void *rsp_org)
{
struct ksmbd_conn *conn = work->conn;
struct smb2_file_all_info *file_info;
@@ -4478,9 +4412,8 @@ static int get_file_all_info(struct ksmbd_work *work,
}
static void get_file_alternate_info(struct ksmbd_work *work,
- struct smb2_query_info_rsp *rsp,
- struct ksmbd_file *fp,
- void *rsp_org)
+ struct smb2_query_info_rsp *rsp, struct ksmbd_file *fp,
+ void *rsp_org)
{
struct ksmbd_conn *conn = work->conn;
struct smb2_file_alt_name_info *file_info;
@@ -4499,9 +4432,8 @@ static void get_file_alternate_info(struct ksmbd_work *work,
}
static void get_file_stream_info(struct ksmbd_work *work,
- struct smb2_query_info_rsp *rsp,
- struct ksmbd_file *fp,
- void *rsp_org)
+ struct smb2_query_info_rsp *rsp, struct ksmbd_file *fp,
+ void *rsp_org)
{
struct ksmbd_conn *conn = work->conn;
struct smb2_file_stream_info *file_info;
@@ -4530,7 +4462,7 @@ static void get_file_stream_info(struct ksmbd_work *work,
ksmbd_debug(SMB, "%s, len %d\n", stream_name, streamlen);
if (strncmp(&stream_name[XATTR_USER_PREFIX_LEN],
- STREAM_PREFIX, STREAM_PREFIX_LEN))
+ STREAM_PREFIX, STREAM_PREFIX_LEN))
continue;
stream_name_len = streamlen - (XATTR_USER_PREFIX_LEN +
@@ -4588,8 +4520,7 @@ static void get_file_stream_info(struct ksmbd_work *work,
}
static void get_file_internal_info(struct smb2_query_info_rsp *rsp,
- struct ksmbd_file *fp,
- void *rsp_org)
+ struct ksmbd_file *fp, void *rsp_org)
{
struct smb2_file_internal_info *file_info;
struct kstat stat;
@@ -4603,8 +4534,7 @@ static void get_file_internal_info(struct smb2_query_info_rsp *rsp,
}
static int get_file_network_open_info(struct smb2_query_info_rsp *rsp,
- struct ksmbd_file *fp,
- void *rsp_org)
+ struct ksmbd_file *fp, void *rsp_org)
{
struct smb2_file_ntwrk_info *file_info;
struct inode *inode;
@@ -4640,8 +4570,7 @@ static int get_file_network_open_info(struct smb2_query_info_rsp *rsp,
return 0;
}
-static void get_file_ea_info(struct smb2_query_info_rsp *rsp,
- void *rsp_org)
+static void get_file_ea_info(struct smb2_query_info_rsp *rsp, void *rsp_org)
{
struct smb2_file_ea_info *file_info;
@@ -4653,8 +4582,7 @@ static void get_file_ea_info(struct smb2_query_info_rsp *rsp,
}
static void get_file_position_info(struct smb2_query_info_rsp *rsp,
- struct ksmbd_file *fp,
- void *rsp_org)
+ struct ksmbd_file *fp, void *rsp_org)
{
struct smb2_file_pos_info *file_info;
@@ -4666,8 +4594,7 @@ static void get_file_position_info(struct smb2_query_info_rsp *rsp,
}
static void get_file_mode_info(struct smb2_query_info_rsp *rsp,
- struct ksmbd_file *fp,
- void *rsp_org)
+ struct ksmbd_file *fp, void *rsp_org)
{
struct smb2_file_mode_info *file_info;
@@ -4679,8 +4606,7 @@ static void get_file_mode_info(struct smb2_query_info_rsp *rsp,
}
static void get_file_compression_info(struct smb2_query_info_rsp *rsp,
- struct ksmbd_file *fp,
- void *rsp_org)
+ struct ksmbd_file *fp, void *rsp_org)
{
struct smb2_file_comp_info *file_info;
struct kstat stat;
@@ -4701,8 +4627,7 @@ static void get_file_compression_info(struct smb2_query_info_rsp *rsp,
}
static int get_file_attribute_tag_info(struct smb2_query_info_rsp *rsp,
- struct ksmbd_file *fp,
- void *rsp_org)
+ struct ksmbd_file *fp, void *rsp_org)
{
struct smb2_file_attr_tag_info *file_info;
@@ -4723,8 +4648,7 @@ static int get_file_attribute_tag_info(struct smb2_query_info_rsp *rsp,
}
static int find_file_posix_info(struct smb2_query_info_rsp *rsp,
- struct ksmbd_file *fp,
- void *rsp_org)
+ struct ksmbd_file *fp, void *rsp_org)
{
struct smb311_posix_qinfo *file_info;
struct inode *inode = FP_INODE(fp);
@@ -4747,15 +4671,13 @@ static int find_file_posix_info(struct smb2_query_info_rsp *rsp,
file_info->DeviceId = cpu_to_le32(inode->i_rdev);
rsp->OutputBufferLength =
cpu_to_le32(sizeof(struct smb311_posix_qinfo));
- inc_rfc1001_len(rsp_org,
- sizeof(struct smb311_posix_qinfo));
+ inc_rfc1001_len(rsp_org, sizeof(struct smb311_posix_qinfo));
return 0;
}
static int smb2_get_info_file(struct ksmbd_work *work,
- struct smb2_query_info_req *req,
- struct smb2_query_info_rsp *rsp,
- void *rsp_org)
+ struct smb2_query_info_req *req,
+ struct smb2_query_info_rsp *rsp, void *rsp_org)
{
struct ksmbd_file *fp;
int fileinfoclass = 0;
@@ -4764,7 +4686,7 @@ static int smb2_get_info_file(struct ksmbd_work *work,
unsigned int id = KSMBD_NO_FID, pid = KSMBD_NO_FID;
if (test_share_config_flag(work->tcon->share_conf,
- KSMBD_SHARE_FLAG_PIPE)) {
+ KSMBD_SHARE_FLAG_PIPE)) {
/* smb2 info file called for pipe */
return smb2_get_info_file_pipe(work->sess, req, rsp);
}
@@ -4887,9 +4809,8 @@ static int smb2_get_info_file(struct ksmbd_work *work,
}
static int smb2_get_info_filesystem(struct ksmbd_work *work,
- struct smb2_query_info_req *req,
- struct smb2_query_info_rsp *rsp,
- void *rsp_org)
+ struct smb2_query_info_req *req,
+ struct smb2_query_info_rsp *rsp, void *rsp_org)
{
struct ksmbd_session *sess = work->sess;
struct ksmbd_conn *conn = sess->conn;
@@ -5029,9 +4950,7 @@ static int smb2_get_info_filesystem(struct ksmbd_work *work,
info->extended_info.version = cpu_to_le32(1);
info->extended_info.release = cpu_to_le32(1);
info->extended_info.rel_date = 0;
- memcpy(info->extended_info.version_string,
- "1.1.0",
- strlen("1.1.0"));
+ memcpy(info->extended_info.version_string, "1.1.0", strlen("1.1.0"));
rsp->OutputBufferLength = cpu_to_le32(64);
inc_rfc1001_len(rsp_org, 64);
fs_infoclass_size = FS_OBJECT_ID_INFORMATION_SIZE;
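Review bot: memcpy(info->extended_info.version_string, "1.1.0", strlen("1.1.0")) copies five bytes without a terminator and repeats the literal. Whether version_string ends up NUL-terminated depends on the buffer having been zeroed earlier, which these lines do not show. Please move the string to a named constant and use strscpy() with sizeof(info->extended_info.version_string), or zero the field explicitly before the copy.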
@@ -5121,8 +5040,8 @@ static int smb2_get_info_filesystem(struct ksmbd_work *work,
}
static int smb2_get_info_sec(struct ksmbd_work *work,
- struct smb2_query_info_req *req, struct smb2_query_info_rsp *rsp,
- void *rsp_org)
+ struct smb2_query_info_req *req,
+ struct smb2_query_info_rsp *rsp, void *rsp_org)
{
struct ksmbd_file *fp;
struct smb_ntsd *pntsd = (struct smb_ntsd *)rsp->Buffer, *ppntsd = NULL;
@@ -5162,7 +5081,7 @@ static int smb2_get_info_sec(struct ksmbd_work *work,
fattr.cf_dacls = ksmbd_vfs_get_acl(inode, ACL_TYPE_DEFAULT);
if (test_share_config_flag(work->tcon->share_conf,
- KSMBD_SHARE_FLAG_ACL_XATTR))
+ KSMBD_SHARE_FLAG_ACL_XATTR))
ksmbd_vfs_get_sd_xattr(work->conn, fp->filp->f_path.dentry, &ppntsd);
rc = build_sec_desc(pntsd, ppntsd, addition_info, &secdesclen, &fattr);
@@ -5243,7 +5162,7 @@ int smb2_query_info(struct ksmbd_work *work)
*/
static noinline int smb2_close_pipe(struct ksmbd_work *work)
{
- uint64_t id;
+ u64 id;
struct smb2_close_req *req = work->request_buf;
struct smb2_close_rsp *rsp = work->response_buf;
@@ -5273,7 +5192,7 @@ static noinline int smb2_close_pipe(struct ksmbd_work *work)
int smb2_close(struct ksmbd_work *work)
{
unsigned int volatile_id = KSMBD_NO_FID;
- uint64_t sess_id;
+ u64 sess_id;
struct smb2_close_req *req;
struct smb2_close_rsp *rsp;
struct smb2_close_rsp *rsp_org;
@@ -5297,9 +5216,9 @@ int smb2_close(struct ksmbd_work *work)
sess_id = work->compound_sid;
work->compound_sid = 0;
- if (check_session_id(conn, sess_id))
+ if (check_session_id(conn, sess_id)) {
work->compound_sid = sess_id;
- else {
+ } else {
rsp->hdr.Status = STATUS_USER_SESSION_DELETED;
if (req->hdr.Flags & SMB2_FLAGS_RELATED_OPERATIONS)
rsp->hdr.Status = STATUS_INVALID_PARAMETER;
@@ -5308,7 +5227,7 @@ int smb2_close(struct ksmbd_work *work)
}
if (work->next_smb2_rcv_hdr_off &&
- !HAS_FILE_ID(le64_to_cpu(req->VolatileFileId))) {
+ !HAS_FILE_ID(le64_to_cpu(req->VolatileFileId))) {
if (!HAS_FILE_ID(work->compound_fid)) {
/* file already closed, return FILE_CLOSED */
ksmbd_debug(SMB, "file already closed\n");
@@ -5395,8 +5314,8 @@ int smb2_echo(struct ksmbd_work *work)
}
static int smb2_rename(struct ksmbd_work *work, struct ksmbd_file *fp,
- struct smb2_file_rename_info *file_info,
- struct nls_table *local_nls)
+ struct smb2_file_rename_info *file_info,
+ struct nls_table *local_nls)
{
struct ksmbd_share_config *share = fp->tcon->share_conf;
char *new_name = NULL, *abs_oldname = NULL, *old_name = NULL;
@@ -5416,9 +5335,9 @@ static int smb2_rename(struct ksmbd_work *work, struct ksmbd_file *fp,
goto out;
}
old_name = strrchr(abs_oldname, '/');
- if (old_name && old_name[1] != '\0')
+ if (old_name && old_name[1] != '\0') {
old_name++;
- else {
+ } else {
ksmbd_debug(SMB, "can't get last component in path %s\n",
abs_oldname);
rc = -ENOENT;
@@ -5497,8 +5416,7 @@ static int smb2_rename(struct ksmbd_work *work, struct ksmbd_file *fp,
}
} else {
if (file_present &&
- strncmp(old_name, path.dentry->d_name.name,
- strlen(old_name))) {
+ strncmp(old_name, path.dentry->d_name.name, strlen(old_name))) {
rc = -EEXIST;
ksmbd_debug(SMB,
"cannot rename already existing file\n");
@@ -5515,10 +5433,9 @@ static int smb2_rename(struct ksmbd_work *work, struct ksmbd_file *fp,
}
static int smb2_create_link(struct ksmbd_work *work,
- struct ksmbd_share_config *share,
- struct smb2_file_link_info *file_info,
- struct file *filp,
- struct nls_table *local_nls)
+ struct ksmbd_share_config *share,
+ struct smb2_file_link_info *file_info, struct file *filp,
+ struct nls_table *local_nls)
{
char *link_name = NULL, *target_name = NULL, *pathname = NULL;
struct path path;
@@ -5586,9 +5503,8 @@ static bool is_attributes_write_allowed(struct ksmbd_file *fp)
return fp->daccess & FILE_WRITE_ATTRIBUTES_LE;
}
-static int set_file_basic_info(struct ksmbd_file *fp,
- char *buf,
- struct ksmbd_share_config *share)
+static int set_file_basic_info(struct ksmbd_file *fp, char *buf,
+ struct ksmbd_share_config *share)
{
struct smb2_file_all_info *file_info;
struct iattr attrs;
@@ -5617,8 +5533,9 @@ static int set_file_basic_info(struct ksmbd_file *fp,
temp_attrs.ia_ctime = ksmbd_NTtimeToUnix(file_info->ChangeTime);
attrs.ia_ctime = temp_attrs.ia_ctime;
attrs.ia_valid |= ATTR_CTIME;
- } else
+ } else {
temp_attrs.ia_ctime = inode->i_ctime;
+ }
if (file_info->LastWriteTime) {
attrs.ia_mtime = ksmbd_NTtimeToUnix(file_info->LastWriteTime);
@@ -5627,7 +5544,7 @@ static int set_file_basic_info(struct ksmbd_file *fp,
if (file_info->Attributes) {
if (!S_ISDIR(inode->i_mode) &&
- file_info->Attributes & ATTR_DIRECTORY_LE) {
+ file_info->Attributes & ATTR_DIRECTORY_LE) {
ksmbd_err("can't change a file to a directory\n");
return -EINVAL;
}
@@ -5683,8 +5600,7 @@ static int set_file_basic_info(struct ksmbd_file *fp,
}
static int set_file_allocation_info(struct ksmbd_work *work,
- struct ksmbd_file *fp,
- char *buf)
+ struct ksmbd_file *fp, char *buf)
{
/*
* TODO : It's working fine only when store dos attributes
@@ -5733,9 +5649,8 @@ static int set_file_allocation_info(struct ksmbd_work *work,
return 0;
}
-static int set_end_of_file_info(struct ksmbd_work *work,
- struct ksmbd_file *fp,
- char *buf)
+static int set_end_of_file_info(struct ksmbd_work *work, struct ksmbd_file *fp,
+ char *buf)
{
struct smb2_file_eof_info *file_eof_info;
loff_t newsize;
@@ -5761,8 +5676,7 @@ static int set_end_of_file_info(struct ksmbd_work *work,
fp->filename, newsize);
rc = ksmbd_vfs_truncate(work, NULL, fp, newsize);
if (rc) {
- ksmbd_debug(SMB,
- "truncate failed! filename : %s err %d\n",
+ ksmbd_debug(SMB, "truncate failed! filename : %s err %d\n",
fp->filename, rc);
if (rc != -EAGAIN)
rc = -EBADF;
@@ -5772,9 +5686,8 @@ static int set_end_of_file_info(struct ksmbd_work *work,
return 0;
}
-static int set_rename_info(struct ksmbd_work *work,
- struct ksmbd_file *fp,
- char *buf)
+static int set_rename_info(struct ksmbd_work *work, struct ksmbd_file *fp,
+ char *buf)
{
struct ksmbd_file *parent_fp;
@@ -5799,8 +5712,7 @@ static int set_rename_info(struct ksmbd_work *work,
work->sess->conn->local_nls);
}
-static int set_file_disposition_info(struct ksmbd_file *fp,
- char *buf)
+static int set_file_disposition_info(struct ksmbd_file *fp, char *buf)
{
struct smb2_file_disposition_info *file_info;
struct inode *inode;
@@ -5814,7 +5726,7 @@ static int set_file_disposition_info(struct ksmbd_file *fp,
file_info = (struct smb2_file_disposition_info *)buf;
if (file_info->DeletePending) {
if (S_ISDIR(inode->i_mode) &&
- ksmbd_vfs_empty_dir(fp) == -ENOTEMPTY)
+ ksmbd_vfs_empty_dir(fp) == -ENOTEMPTY)
return -EBUSY;
ksmbd_set_inode_pending_delete(fp);
} else {
@@ -5823,8 +5735,7 @@ static int set_file_disposition_info(struct ksmbd_file *fp,
return 0;
}
-static int set_file_position_info(struct ksmbd_file *fp,
- char *buf)
+static int set_file_position_info(struct ksmbd_file *fp, char *buf)
{
struct smb2_file_pos_info *file_info;
loff_t current_byte_offset;
@@ -5837,8 +5748,8 @@ static int set_file_position_info(struct ksmbd_file *fp,
sector_size = ksmbd_vfs_logical_sector_size(inode);
if (current_byte_offset < 0 ||
- (fp->coption == FILE_NO_INTERMEDIATE_BUFFERING_LE &&
- current_byte_offset & (sector_size-1))) {
+ (fp->coption == FILE_NO_INTERMEDIATE_BUFFERING_LE &&
+ current_byte_offset & (sector_size - 1))) {
ksmbd_err("CurrentByteOffset is not valid : %llu\n",
current_byte_offset);
return -EINVAL;
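Review bot: the ksmbd_err() in this error branch prints current_byte_offset with %llu, but the branch is taken when `current_byte_offset < 0`, so a negative offset is logged as a very large unsigned number. Use %lld for the value while this block is being touched.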
@@ -5848,8 +5759,7 @@ static int set_file_position_info(struct ksmbd_file *fp,
return 0;
}
-static int set_file_mode_info(struct ksmbd_file *fp,
- char *buf)
+static int set_file_mode_info(struct ksmbd_file *fp, char *buf)
{
struct smb2_file_mode_info *file_info;
__le32 mode;
@@ -5857,9 +5767,9 @@ static int set_file_mode_info(struct ksmbd_file *fp,
file_info = (struct smb2_file_mode_info *)buf;
mode = file_info->Mode;
- if ((mode & (~FILE_MODE_INFO_MASK)) ||
- (mode & FILE_SYNCHRONOUS_IO_ALERT_LE &&
- mode & FILE_SYNCHRONOUS_IO_NONALERT_LE)) {
+ if ((mode & ~FILE_MODE_INFO_MASK) ||
+ (mode & FILE_SYNCHRONOUS_IO_ALERT_LE &&
+ mode & FILE_SYNCHRONOUS_IO_NONALERT_LE)) {
ksmbd_err("Mode is not valid : 0x%x\n", le32_to_cpu(mode));
return -EINVAL;
}
@@ -5883,11 +5793,8 @@ static int set_file_mode_info(struct ksmbd_file *fp,
* Return: 0 on success, otherwise error
* TODO: need to implement an error handling for STATUS_INFO_LENGTH_MISMATCH
*/
-static int smb2_set_info_file(struct ksmbd_work *work,
- struct ksmbd_file *fp,
- int info_class,
- char *buf,
- struct ksmbd_share_config *share)
+static int smb2_set_info_file(struct ksmbd_work *work, struct ksmbd_file *fp,
+ int info_class, char *buf, struct ksmbd_share_config *share)
{
switch (info_class) {
case FILE_BASIC_INFORMATION:
@@ -5900,8 +5807,7 @@ static int smb2_set_info_file(struct ksmbd_work *work,
return set_end_of_file_info(work, fp, buf);
case FILE_RENAME_INFORMATION:
- if (!test_tree_conn_flag(work->tcon,
- KSMBD_TREE_CONN_FLAG_WRITABLE)) {
+ if (!test_tree_conn_flag(work->tcon, KSMBD_TREE_CONN_FLAG_WRITABLE)) {
ksmbd_debug(SMB,
"User does not have write permission\n");
return -EACCES;
@@ -5914,8 +5820,7 @@ static int smb2_set_info_file(struct ksmbd_work *work,
work->sess->conn->local_nls);
case FILE_DISPOSITION_INFORMATION:
- if (!test_tree_conn_flag(work->tcon,
- KSMBD_TREE_CONN_FLAG_WRITABLE)) {
+ if (!test_tree_conn_flag(work->tcon, KSMBD_TREE_CONN_FLAG_WRITABLE)) {
ksmbd_debug(SMB,
"User does not have write permission\n");
return -EACCES;
@@ -5945,10 +5850,8 @@ static int smb2_set_info_file(struct ksmbd_work *work,
return -EOPNOTSUPP;
}
-static int smb2_set_info_sec(struct ksmbd_file *fp,
- int addition_info,
- char *buffer,
- int buf_len)
+static int smb2_set_info_sec(struct ksmbd_file *fp, int addition_info,
+ char *buffer, int buf_len)
{
struct smb_ntsd *pntsd = (struct smb_ntsd *)buffer;
@@ -6060,7 +5963,7 @@ int smb2_set_info(struct ksmbd_work *work)
static noinline int smb2_read_pipe(struct ksmbd_work *work)
{
int nbytes = 0, err;
- uint64_t id;
+ u64 id;
struct ksmbd_rpc_command *rpc_resp;
struct smb2_read_req *req = work->request_buf;
struct smb2_read_rsp *rsp = work->response_buf;
@@ -6108,30 +6011,27 @@ static noinline int smb2_read_pipe(struct ksmbd_work *work)
}
static ssize_t smb2_read_rdma_channel(struct ksmbd_work *work,
- struct smb2_read_req *req,
- void *data_buf, size_t length)
+ struct smb2_read_req *req, void *data_buf, size_t length)
{
struct smb2_buffer_desc_v1 *desc =
(struct smb2_buffer_desc_v1 *)&req->Buffer[0];
int err;
- if (work->conn->dialect == SMB30_PROT_ID
- && req->Channel != SMB2_CHANNEL_RDMA_V1)
+ if (work->conn->dialect == SMB30_PROT_ID &&
+ req->Channel != SMB2_CHANNEL_RDMA_V1)
return -EINVAL;
- if (req->ReadChannelInfoOffset == 0
- || le16_to_cpu(req->ReadChannelInfoLength) < sizeof(*desc))
+ if (req->ReadChannelInfoOffset == 0 ||
+ le16_to_cpu(req->ReadChannelInfoLength) < sizeof(*desc))
return -EINVAL;
work->need_invalidate_rkey =
(req->Channel == SMB2_CHANNEL_RDMA_V1_INVALIDATE);
work->remote_key = le32_to_cpu(desc->token);
- err = ksmbd_conn_rdma_write(work->conn,
- data_buf, length,
- le32_to_cpu(desc->token),
- le64_to_cpu(desc->offset),
- le32_to_cpu(desc->length));
+ err = ksmbd_conn_rdma_write(work->conn, data_buf, length,
+ le32_to_cpu(desc->token), le64_to_cpu(desc->offset),
+ le32_to_cpu(desc->length));
if (err)
return err;
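Review bot: in smb2_read_rdma_channel(), desc is always taken from &req->Buffer[0], while ReadChannelInfoOffset is only tested against zero and ReadChannelInfoLength only against sizeof(*desc). In the lines shown, nothing ties the client-supplied offset to the place the descriptor is actually read from, or checks that a full descriptor lies inside the received request. Either locate desc from a validated offset or reject any offset that does not point at Buffer, and add the bound against the request length before desc->token, desc->offset and desc->length are used.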
@@ -6226,7 +6126,7 @@ int smb2_read(struct ksmbd_work *work)
nbytes, offset, mincount);
if (req->Channel == SMB2_CHANNEL_RDMA_V1_INVALIDATE ||
- req->Channel == SMB2_CHANNEL_RDMA_V1) {
+ req->Channel == SMB2_CHANNEL_RDMA_V1) {
/* write data to the client using rdma channel */
remain_bytes = smb2_read_rdma_channel(work, req,
work->aux_payload_buf, nbytes);
@@ -6290,7 +6190,7 @@ static noinline int smb2_write_pipe(struct ksmbd_work *work)
struct smb2_write_req *req = work->request_buf;
struct smb2_write_rsp *rsp = work->response_buf;
struct ksmbd_rpc_command *rpc_resp;
- uint64_t id = 0;
+ u64 id = 0;
int err = 0, ret = 0;
char *data_buf;
size_t length;
@@ -6299,15 +6199,13 @@ static noinline int smb2_write_pipe(struct ksmbd_work *work)
id = le64_to_cpu(req->VolatileFileId);
if (le16_to_cpu(req->DataOffset) ==
- (offsetof(struct smb2_write_req, Buffer) - 4)) {
+ (offsetof(struct smb2_write_req, Buffer) - 4)) {
data_buf = (char *)&req->Buffer[0];
} else {
if ((le16_to_cpu(req->DataOffset) > get_rfc1002_len(req)) ||
- (le16_to_cpu(req->DataOffset) +
- length > get_rfc1002_len(req))) {
+ (le16_to_cpu(req->DataOffset) + length > get_rfc1002_len(req))) {
ksmbd_err("invalid write data offset %u, smb_len %u\n",
- le16_to_cpu(req->DataOffset),
- get_rfc1002_len(req));
+ le16_to_cpu(req->DataOffset), get_rfc1002_len(req));
err = -EINVAL;
goto out;
}
@@ -6351,8 +6249,8 @@ static noinline int smb2_write_pipe(struct ksmbd_work *work)
}
static ssize_t smb2_write_rdma_channel(struct ksmbd_work *work,
- struct smb2_write_req *req, struct ksmbd_file *fp,
- loff_t offset, size_t length, bool sync)
+ struct smb2_write_req *req, struct ksmbd_file *fp,
+ loff_t offset, size_t length, bool sync)
{
struct smb2_buffer_desc_v1 *desc;
char *data_buf;
@@ -6362,14 +6260,14 @@ static ssize_t smb2_write_rdma_channel(struct ksmbd_work *work,
desc = (struct smb2_buffer_desc_v1 *)&req->Buffer[0];
if (work->conn->dialect == SMB30_PROT_ID &&
- req->Channel != SMB2_CHANNEL_RDMA_V1)
+ req->Channel != SMB2_CHANNEL_RDMA_V1)
return -EINVAL;
if (req->Length != 0 || req->DataOffset != 0)
return -EINVAL;
- if (req->WriteChannelInfoOffset == 0
- || le16_to_cpu(req->WriteChannelInfoLength) < sizeof(*desc))
+ if (req->WriteChannelInfoOffset == 0 ||
+ le16_to_cpu(req->WriteChannelInfoLength) < sizeof(*desc))
return -EINVAL;
work->need_invalidate_rkey =
@@ -6384,15 +6282,12 @@ static ssize_t smb2_write_rdma_channel(struct ksmbd_work *work,
le32_to_cpu(desc->token),
le64_to_cpu(desc->offset),
le32_to_cpu(desc->length));
-
if (ret < 0) {
ksmbd_free_response(data_buf);
return ret;
}
- ret = ksmbd_vfs_write(work, fp, data_buf, length, &offset,
- sync, &nbytes);
-
+ ret = ksmbd_vfs_write(work, fp, data_buf, length, &offset, sync, &nbytes);
ksmbd_free_response(data_buf);
if (ret < 0)
return ret;
@@ -6421,8 +6316,7 @@ int smb2_write(struct ksmbd_work *work)
rsp_org = work->response_buf;
WORK_BUFFERS(work, req, rsp);
- if (test_share_config_flag(work->tcon->share_conf,
- KSMBD_SHARE_FLAG_PIPE)) {
+ if (test_share_config_flag(work->tcon->share_conf, KSMBD_SHARE_FLAG_PIPE)) {
ksmbd_debug(SMB, "IPC pipe write request\n");
return smb2_write_pipe(work);
}
@@ -6433,9 +6327,8 @@ int smb2_write(struct ksmbd_work *work)
goto out;
}
- fp = ksmbd_lookup_fd_slow(work,
- le64_to_cpu(req->VolatileFileId),
- le64_to_cpu(req->PersistentFileId));
+ fp = ksmbd_lookup_fd_slow(work, le64_to_cpu(req->VolatileFileId),
+ le64_to_cpu(req->PersistentFileId));
if (!fp) {
rsp->hdr.Status = STATUS_FILE_CLOSED;
return -ENOENT;
@@ -6461,16 +6354,13 @@ int smb2_write(struct ksmbd_work *work)
writethrough = true;
if (req->Channel != SMB2_CHANNEL_RDMA_V1 &&
- req->Channel != SMB2_CHANNEL_RDMA_V1_INVALIDATE) {
-
+ req->Channel != SMB2_CHANNEL_RDMA_V1_INVALIDATE) {
if (le16_to_cpu(req->DataOffset) ==
(offsetof(struct smb2_write_req, Buffer) - 4)) {
data_buf = (char *)&req->Buffer[0];
} else {
- if ((le16_to_cpu(req->DataOffset) >
- get_rfc1002_len(req)) ||
- (le16_to_cpu(req->DataOffset) +
- length > get_rfc1002_len(req))) {
+ if ((le16_to_cpu(req->DataOffset) > get_rfc1002_len(req)) ||
+ (le16_to_cpu(req->DataOffset) + length > get_rfc1002_len(req))) {
ksmbd_err("invalid write data offset %u, smb_len %u\n",
le16_to_cpu(req->DataOffset),
get_rfc1002_len(req));
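Review bot: the DataOffset range check in this else branch is the same test as the one in smb2_write_pipe(), yet the two are reflowed differently (the ksmbd_err() arguments were joined there and stay split here). Move the check and its message into one helper used by both paths so the validation cannot drift apart. The first clause is also implied by the second unless `DataOffset + length` wraps, so the helper should state which case it guards against.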
@@ -6603,7 +6493,7 @@ int smb2_cancel(struct ksmbd_work *work)
chdr = cancel_work->request_buf;
if (cancel_work->async_id !=
- le64_to_cpu(hdr->Id.AsyncId))
+ le64_to_cpu(hdr->Id.AsyncId))
continue;
ksmbd_debug(SMB,
@@ -6624,7 +6514,7 @@ int smb2_cancel(struct ksmbd_work *work)
chdr = cancel_work->request_buf;
if (chdr->MessageId != hdr->MessageId ||
- cancel_work == work)
+ cancel_work == work)
continue;
ksmbd_debug(SMB,
@@ -6687,13 +6577,13 @@ static int smb2_set_flock_flags(struct file_lock *flock, int flags)
flock->fl_type = F_WRLCK;
flock->fl_flags |= FL_SLEEP;
break;
- case SMB2_LOCKFLAG_SHARED|SMB2_LOCKFLAG_FAIL_IMMEDIATELY:
+ case SMB2_LOCKFLAG_SHARED | SMB2_LOCKFLAG_FAIL_IMMEDIATELY:
ksmbd_debug(SMB,
"received shared & fail immediately request\n");
cmd = F_SETLK;
flock->fl_type = F_RDLCK;
break;
- case SMB2_LOCKFLAG_EXCLUSIVE|SMB2_LOCKFLAG_FAIL_IMMEDIATELY:
+ case SMB2_LOCKFLAG_EXCLUSIVE | SMB2_LOCKFLAG_FAIL_IMMEDIATELY:
ksmbd_debug(SMB,
"received exclusive & fail immediately request\n");
cmd = F_SETLK;
@@ -6710,7 +6600,7 @@ static int smb2_set_flock_flags(struct file_lock *flock, int flags)
}
static struct ksmbd_lock *smb2_lock_init(struct file_lock *flock,
- unsigned int cmd, int flags, struct list_head *lock_list)
+ unsigned int cmd, int flags, struct list_head *lock_list)
{
struct ksmbd_lock *lock;
@@ -6764,7 +6654,7 @@ int smb2_lock(struct ksmbd_work *work)
int flags = 0;
int cmd = 0;
int err = 0, i;
- uint64_t lock_length;
+ u64 lock_length;
struct ksmbd_lock *smb_lock = NULL, *cmp_lock, *tmp;
int nolock = 0;
LIST_HEAD(lock_list);
@@ -6773,8 +6663,8 @@ int smb2_lock(struct ksmbd_work *work)
ksmbd_debug(SMB, "Received lock request\n");
fp = ksmbd_lookup_fd_slow(work,
- le64_to_cpu(req->VolatileFileId),
- le64_to_cpu(req->PersistentFileId));
+ le64_to_cpu(req->VolatileFileId),
+ le64_to_cpu(req->PersistentFileId));
if (!fp) {
ksmbd_debug(SMB, "Invalid file id for lock : %llu\n",
le64_to_cpu(req->VolatileFileId));
@@ -6812,16 +6702,16 @@ int smb2_lock(struct ksmbd_work *work)
lock_length = le64_to_cpu(lock_ele[i].Length);
if (lock_length > 0) {
- if (lock_length >
- OFFSET_MAX - flock->fl_start) {
+ if (lock_length > OFFSET_MAX - flock->fl_start) {
ksmbd_debug(SMB,
"Invalid lock range requested\n");
lock_length = OFFSET_MAX - flock->fl_start;
rsp->hdr.Status = STATUS_INVALID_LOCK_RANGE;
goto out;
}
- } else
+ } else {
lock_length = 0;
+ }
flock->fl_end = flock->fl_start + lock_length;
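Review bot: inside the `lock_length > OFFSET_MAX - flock->fl_start` branch, `lock_length = OFFSET_MAX - flock->fl_start;` is a dead store, because the next two lines set STATUS_INVALID_LOCK_RANGE and `goto out`. Drop the assignment, or drop the error exit if clamping the range was the intent; the brace cleanup is a good moment to settle which one is meant.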
@@ -6836,9 +6726,9 @@ int smb2_lock(struct ksmbd_work *work)
/* Check conflict locks in one request */
list_for_each_entry(cmp_lock, &lock_list, llist) {
if (cmp_lock->fl->fl_start <= flock->fl_start &&
- cmp_lock->fl->fl_end >= flock->fl_end) {
+ cmp_lock->fl->fl_end >= flock->fl_end) {
if (cmp_lock->fl->fl_type != F_UNLCK &&
- flock->fl_type != F_UNLCK) {
+ flock->fl_type != F_UNLCK) {
ksmbd_err("conflict two locks in one request\n");
rsp->hdr.Status =
STATUS_INVALID_PARAMETER;
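Review bot: the test under "Check conflict locks in one request" only fires when cmp_lock fully covers the new range (`fl_start <=` together with `fl_end >=`); two elements of one request that partially overlap, or a new range that encloses an earlier one, pass. If those cases are meant to be allowed, say so in the comment; otherwise test for intersection rather than containment.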
@@ -6865,11 +6755,10 @@ int smb2_lock(struct ksmbd_work *work)
goto out;
}
- if ((prior_lock & (SMB2_LOCKFLAG_EXCLUSIVE |
- SMB2_LOCKFLAG_SHARED) &&
- smb_lock->flags & SMB2_LOCKFLAG_UNLOCK) ||
- (prior_lock == SMB2_LOCKFLAG_UNLOCK &&
- !(smb_lock->flags & SMB2_LOCKFLAG_UNLOCK))) {
+ if ((prior_lock & (SMB2_LOCKFLAG_EXCLUSIVE | SMB2_LOCKFLAG_SHARED) &&
+ smb_lock->flags & SMB2_LOCKFLAG_UNLOCK) ||
+ (prior_lock == SMB2_LOCKFLAG_UNLOCK &&
+ !(smb_lock->flags & SMB2_LOCKFLAG_UNLOCK))) {
rsp->hdr.Status = STATUS_INVALID_PARAMETER;
goto out;
}
@@ -6877,22 +6766,21 @@ int smb2_lock(struct ksmbd_work *work)
prior_lock = smb_lock->flags;
if (!(smb_lock->flags & SMB2_LOCKFLAG_UNLOCK) &&
- !(smb_lock->flags & SMB2_LOCKFLAG_FAIL_IMMEDIATELY))
+ !(smb_lock->flags & SMB2_LOCKFLAG_FAIL_IMMEDIATELY))
goto no_check_gl;
nolock = 1;
/* check locks in global list */
list_for_each_entry(cmp_lock, &global_lock_list, glist) {
if (file_inode(cmp_lock->fl->fl_file) !=
- file_inode(smb_lock->fl->fl_file))
+ file_inode(smb_lock->fl->fl_file))
continue;
if (smb_lock->fl->fl_type == F_UNLCK) {
- if (cmp_lock->fl->fl_file ==
- smb_lock->fl->fl_file &&
- cmp_lock->start == smb_lock->start &&
- cmp_lock->end == smb_lock->end &&
- !lock_defer_pending(cmp_lock->fl)) {
+ if (cmp_lock->fl->fl_file == smb_lock->fl->fl_file &&
+ cmp_lock->start == smb_lock->start &&
+ cmp_lock->end == smb_lock->end &&
+ !lock_defer_pending(cmp_lock->fl)) {
nolock = 0;
locks_free_lock(cmp_lock->fl);
list_del(&cmp_lock->glist);
@@ -6912,26 +6800,25 @@ int smb2_lock(struct ksmbd_work *work)
/* check zero byte lock range */
if (cmp_lock->zero_len && !smb_lock->zero_len &&
- cmp_lock->start > smb_lock->start &&
- cmp_lock->start < smb_lock->end) {
+ cmp_lock->start > smb_lock->start &&
+ cmp_lock->start < smb_lock->end) {
ksmbd_err("previous lock conflict with zero byte lock range\n");
rsp->hdr.Status = STATUS_LOCK_NOT_GRANTED;
goto out;
}
if (smb_lock->zero_len && !cmp_lock->zero_len &&
- smb_lock->start > cmp_lock->start &&
- smb_lock->start < cmp_lock->end) {
+ smb_lock->start > cmp_lock->start &&
+ smb_lock->start < cmp_lock->end) {
ksmbd_err("current lock conflict with zero byte lock range\n");
rsp->hdr.Status = STATUS_LOCK_NOT_GRANTED;
goto out;
}
if (((cmp_lock->start <= smb_lock->start &&
- cmp_lock->end > smb_lock->start) ||
- (cmp_lock->start < smb_lock->end &&
- cmp_lock->end >= smb_lock->end)) &&
- !cmp_lock->zero_len && !smb_lock->zero_len) {
+ cmp_lock->end > smb_lock->start) ||
+ (cmp_lock->start < smb_lock->end && cmp_lock->end >= smb_lock->end)) &&
+ !cmp_lock->zero_len && !smb_lock->zero_len) {
ksmbd_err("Not allow lock operation on exclusive lock range\n");
rsp->hdr.Status =
STATUS_LOCK_NOT_GRANTED;
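Review bot: the last overlap test in this hunk checks that smb_lock's start or end falls inside cmp_lock, but not the case where smb_lock strictly encloses cmp_lock (smb_lock->start < cmp_lock->start and cmp_lock->end < smb_lock->end), which satisfies neither clause. For non-empty ranges a single intersection test, `cmp_lock->start < smb_lock->end && smb_lock->start < cmp_lock->end`, covers all three cases and is shorter than the reflowed condition.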
@@ -6957,9 +6844,9 @@ int smb2_lock(struct ksmbd_work *work)
err = ksmbd_vfs_lock(filp, smb_lock->cmd, flock);
skip:
if (flags & SMB2_LOCKFLAG_UNLOCK) {
- if (!err)
+ if (!err) {
ksmbd_debug(SMB, "File unlocked\n");
- else if (err == -ENOENT) {
+ } else if (err == -ENOENT) {
rsp->hdr.Status = STATUS_NOT_LOCKED;
goto out;
}
@@ -7082,9 +6969,8 @@ int smb2_lock(struct ksmbd_work *work)
return 0;
}
-static int fsctl_copychunk(struct ksmbd_work *work,
- struct smb2_ioctl_req *req,
- struct smb2_ioctl_rsp *rsp)
+static int fsctl_copychunk(struct ksmbd_work *work, struct smb2_ioctl_req *req,
+ struct smb2_ioctl_rsp *rsp)
{
struct copychunk_ioctl_req *ci_req;
struct copychunk_ioctl_rsp *ci_rsp;
@@ -7101,12 +6987,12 @@ static int fsctl_copychunk(struct ksmbd_work *work,
rsp->VolatileFileId = req->VolatileFileId;
rsp->PersistentFileId = req->PersistentFileId;
- ci_rsp->ChunksWritten = cpu_to_le32(
- ksmbd_server_side_copy_max_chunk_count());
- ci_rsp->ChunkBytesWritten = cpu_to_le32(
- ksmbd_server_side_copy_max_chunk_size());
- ci_rsp->TotalBytesWritten = cpu_to_le32(
- ksmbd_server_side_copy_max_total_size());
+ ci_rsp->ChunksWritten =
+ cpu_to_le32(ksmbd_server_side_copy_max_chunk_count());
+ ci_rsp->ChunkBytesWritten =
+ cpu_to_le32(ksmbd_server_side_copy_max_chunk_size());
+ ci_rsp->TotalBytesWritten =
+ cpu_to_le32(ksmbd_server_side_copy_max_total_size());
chunks = (struct srv_copychunk *)&ci_req->Chunks[0];
chunk_count = le32_to_cpu(ci_req->ChunkCount);
@@ -7114,22 +7000,22 @@ static int fsctl_copychunk(struct ksmbd_work *work,
/* verify the SRV_COPYCHUNK_COPY packet */
if (chunk_count > ksmbd_server_side_copy_max_chunk_count() ||
- le32_to_cpu(req->InputCount) <
- offsetof(struct copychunk_ioctl_req, Chunks) +
- chunk_count * sizeof(struct srv_copychunk)) {
+ le32_to_cpu(req->InputCount) <
+ offsetof(struct copychunk_ioctl_req, Chunks) +
+ chunk_count * sizeof(struct srv_copychunk)) {
rsp->hdr.Status = STATUS_INVALID_PARAMETER;
return -EINVAL;
}
for (i = 0; i < chunk_count; i++) {
if (le32_to_cpu(chunks[i].Length) == 0 ||
- le32_to_cpu(chunks[i].Length) >
- ksmbd_server_side_copy_max_chunk_size())
+ le32_to_cpu(chunks[i].Length) > ksmbd_server_side_copy_max_chunk_size())
break;
total_size_written += le32_to_cpu(chunks[i].Length);
}
- if (i < chunk_count || total_size_written >
- ksmbd_server_side_copy_max_total_size()) {
+
+ if (i < chunk_count ||
+ total_size_written > ksmbd_server_side_copy_max_total_size()) {
rsp->hdr.Status = STATUS_INVALID_PARAMETER;
return -EINVAL;
}
@@ -7139,13 +7025,13 @@ static int fsctl_copychunk(struct ksmbd_work *work,
dst_fp = ksmbd_lookup_fd_slow(work,
le64_to_cpu(req->VolatileFileId),
le64_to_cpu(req->PersistentFileId));
-
ret = -EINVAL;
- if (!src_fp || src_fp->persistent_id !=
- le64_to_cpu(ci_req->ResumeKey[1])) {
+ if (!src_fp ||
+ src_fp->persistent_id != le64_to_cpu(ci_req->ResumeKey[1])) {
rsp->hdr.Status = STATUS_OBJECT_NAME_NOT_FOUND;
goto out;
}
+
if (!dst_fp) {
rsp->hdr.Status = STATUS_FILE_CLOSED;
goto out;
@@ -7212,8 +7098,7 @@ static __be32 idev_ipv4_address(struct in_device *idev)
}
static int fsctl_query_iface_info_ioctl(struct ksmbd_conn *conn,
- struct smb2_ioctl_req *req,
- struct smb2_ioctl_rsp *rsp)
+ struct smb2_ioctl_req *req, struct smb2_ioctl_rsp *rsp)
{
struct network_interface_info_ioctl_rsp *nii_rsp = NULL;
int nbytes = 0;
@@ -7255,10 +7140,8 @@ static int fsctl_query_iface_info_ioctl(struct ksmbd_conn *conn,
netdev->ethtool_ops->get_link_ksettings(netdev, &cmd);
speed = cmd.base.speed;
} else {
- ksmbd_err("%s %s %s\n",
- netdev->name,
- "speed is unknown,",
- "defaulting to 1Gb/sec");
+ ksmbd_err("%s %s\n", netdev->name,
+ "speed is unknown, defaulting to 1Gb/sec");
speed = SPEED_1000;
}
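Review bot: the new ksmbd_err() call still passes a constant string through a second %s. Fold it into the format, e.g. `ksmbd_err("%s speed is unknown, defaulting to 1Gb/sec\n", netdev->name);`, which drops an argument and leaves the format string self-describing.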
@@ -7321,10 +7204,9 @@ static int fsctl_query_iface_info_ioctl(struct ksmbd_conn *conn,
return nbytes;
}
-
static int fsctl_validate_negotiate_info(struct ksmbd_conn *conn,
- struct validate_negotiate_info_req *neg_req,
- struct validate_negotiate_info_rsp *neg_rsp)
+ struct validate_negotiate_info_req *neg_req,
+ struct validate_negotiate_info_rsp *neg_rsp)
{
int ret = 0;
int dialect;
@@ -7359,10 +7241,10 @@ static int fsctl_validate_negotiate_info(struct ksmbd_conn *conn,
return ret;
}
-static int fsctl_query_allocated_ranges(struct ksmbd_work *work, uint64_t id,
- struct file_allocated_range_buffer *qar_req,
- struct file_allocated_range_buffer *qar_rsp,
- int in_count, int *out_count)
+static int fsctl_query_allocated_ranges(struct ksmbd_work *work, u64 id,
+ struct file_allocated_range_buffer *qar_req,
+ struct file_allocated_range_buffer *qar_rsp,
+ int in_count, int *out_count)
{
struct ksmbd_file *fp;
loff_t start, length;
@@ -7388,15 +7270,15 @@ static int fsctl_query_allocated_ranges(struct ksmbd_work *work, uint64_t id,
return ret;
}
-static int fsctl_pipe_transceive(struct ksmbd_work *work, uint64_t id,
- int out_buf_len, struct smb2_ioctl_req *req, struct smb2_ioctl_rsp *rsp)
+static int fsctl_pipe_transceive(struct ksmbd_work *work, u64 id,
+ int out_buf_len, struct smb2_ioctl_req *req,
+ struct smb2_ioctl_rsp *rsp)
{
struct ksmbd_rpc_command *rpc_resp;
char *data_buf = (char *)&req->Buffer[0];
int nbytes = 0;
- rpc_resp = ksmbd_rpc_ioctl(work->sess, id,
- data_buf,
+ rpc_resp = ksmbd_rpc_ioctl(work->sess, id, data_buf,
le32_to_cpu(req->InputCount));
if (rpc_resp) {
if (rpc_resp->flags == KSMBD_RPC_SOME_NOT_MAPPED) {
@@ -7432,8 +7314,8 @@ static int fsctl_pipe_transceive(struct ksmbd_work *work, uint64_t id,
return nbytes;
}
-static inline int fsctl_set_sparse(struct ksmbd_work *work, uint64_t id,
- struct file_sparse *sparse)
+static inline int fsctl_set_sparse(struct ksmbd_work *work, u64 id,
+ struct file_sparse *sparse)
{
struct ksmbd_file *fp;
int ret = 0;
@@ -7450,8 +7332,8 @@ static inline int fsctl_set_sparse(struct ksmbd_work *work, uint64_t id,
fp->f_ci->m_fattr &= ~ATTR_SPARSE_FILE_LE;
if (fp->f_ci->m_fattr != old_fattr &&
- test_share_config_flag(work->tcon->share_conf,
- KSMBD_SHARE_FLAG_STORE_DOS_ATTRS)) {
+ test_share_config_flag(work->tcon->share_conf,
+ KSMBD_SHARE_FLAG_STORE_DOS_ATTRS)) {
struct xattr_dos_attrib da;
ret = ksmbd_vfs_get_dos_attrib_xattr(fp->filp->f_path.dentry, &da);
@@ -7470,7 +7352,8 @@ static inline int fsctl_set_sparse(struct ksmbd_work *work, uint64_t id,
}
static int fsctl_request_resume_key(struct ksmbd_work *work,
- struct smb2_ioctl_req *req, struct resume_key_ioctl_rsp *key_rsp)
+ struct smb2_ioctl_req *req,
+ struct resume_key_ioctl_rsp *key_rsp)
{
struct ksmbd_file *fp;
@@ -7500,7 +7383,7 @@ int smb2_ioctl(struct ksmbd_work *work)
struct smb2_ioctl_rsp *rsp, *rsp_org;
int cnt_code, nbytes = 0;
int out_buf_len;
- uint64_t id = KSMBD_NO_FID;
+ u64 id = KSMBD_NO_FID;
struct ksmbd_conn *conn = work->conn;
int ret = 0;
@@ -7595,8 +7478,7 @@ int smb2_ioctl(struct ksmbd_work *work)
break;
case FSCTL_COPYCHUNK:
case FSCTL_COPYCHUNK_WRITE:
- if (!test_tree_conn_flag(work->tcon,
- KSMBD_TREE_CONN_FLAG_WRITABLE)) {
+ if (!test_tree_conn_flag(work->tcon, KSMBD_TREE_CONN_FLAG_WRITABLE)) {
ksmbd_debug(SMB,
"User does not have write permission\n");
ret = -EACCES;
@@ -7623,8 +7505,7 @@ int smb2_ioctl(struct ksmbd_work *work)
struct ksmbd_file *fp;
loff_t off, len;
- if (!test_tree_conn_flag(work->tcon,
- KSMBD_TREE_CONN_FLAG_WRITABLE)) {
+ if (!test_tree_conn_flag(work->tcon, KSMBD_TREE_CONN_FLAG_WRITABLE)) {
ksmbd_debug(SMB,
"User does not have write permission\n");
ret = -EACCES;
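Review bot: the writable-tree check joined onto one line here, together with its "User does not have write permission" debug message, appears four times in this patch (twice in smb2_set_info_file(), twice in smb2_ioctl()). A small helper that performs the test and emits the message would remove the repetition and keep the long condition off the call sites.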
@@ -7731,7 +7612,7 @@ static void smb20_oplock_break_ack(struct ksmbd_work *work)
struct oplock_info *opinfo = NULL;
__le32 err = 0;
int ret = 0;
- uint64_t volatile_id, persistent_id;
+ u64 volatile_id, persistent_id;
char req_oplevel = 0, rsp_oplevel = 0;
unsigned int oplock_change_type;
@@ -7768,34 +7649,36 @@ static void smb20_oplock_break_ack(struct ksmbd_work *work)
goto err_out;
}
- if (((opinfo->level == SMB2_OPLOCK_LEVEL_EXCLUSIVE) ||
- (opinfo->level == SMB2_OPLOCK_LEVEL_BATCH)) &&
- ((req_oplevel != SMB2_OPLOCK_LEVEL_II) &&
- (req_oplevel != SMB2_OPLOCK_LEVEL_NONE))) {
+ if ((opinfo->level == SMB2_OPLOCK_LEVEL_EXCLUSIVE ||
+ opinfo->level == SMB2_OPLOCK_LEVEL_BATCH) &&
+ (req_oplevel != SMB2_OPLOCK_LEVEL_II &&
+ req_oplevel != SMB2_OPLOCK_LEVEL_NONE)) {
err = STATUS_INVALID_OPLOCK_PROTOCOL;
oplock_change_type = OPLOCK_WRITE_TO_NONE;
- } else if ((opinfo->level == SMB2_OPLOCK_LEVEL_II) &&
- (req_oplevel != SMB2_OPLOCK_LEVEL_NONE)) {
+ } else if (opinfo->level == SMB2_OPLOCK_LEVEL_II &&
+ req_oplevel != SMB2_OPLOCK_LEVEL_NONE) {
err = STATUS_INVALID_OPLOCK_PROTOCOL;
oplock_change_type = OPLOCK_READ_TO_NONE;
- } else if ((req_oplevel == SMB2_OPLOCK_LEVEL_II) ||
- (req_oplevel == SMB2_OPLOCK_LEVEL_NONE)) {
+ } else if (req_oplevel == SMB2_OPLOCK_LEVEL_II ||
+ req_oplevel == SMB2_OPLOCK_LEVEL_NONE) {
err = STATUS_INVALID_DEVICE_STATE;
- if (((opinfo->level == SMB2_OPLOCK_LEVEL_EXCLUSIVE) ||
- (opinfo->level == SMB2_OPLOCK_LEVEL_BATCH)) &&
- (req_oplevel == SMB2_OPLOCK_LEVEL_II)) {
+ if ((opinfo->level == SMB2_OPLOCK_LEVEL_EXCLUSIVE ||
+ opinfo->level == SMB2_OPLOCK_LEVEL_BATCH) &&
+ req_oplevel == SMB2_OPLOCK_LEVEL_II) {
oplock_change_type = OPLOCK_WRITE_TO_READ;
- } else if (((opinfo->level == SMB2_OPLOCK_LEVEL_EXCLUSIVE)
- || (opinfo->level == SMB2_OPLOCK_LEVEL_BATCH)) &&
- (req_oplevel == SMB2_OPLOCK_LEVEL_NONE)) {
+ } else if ((opinfo->level == SMB2_OPLOCK_LEVEL_EXCLUSIVE ||
+ opinfo->level == SMB2_OPLOCK_LEVEL_BATCH) &&
+ req_oplevel == SMB2_OPLOCK_LEVEL_NONE) {
oplock_change_type = OPLOCK_WRITE_TO_NONE;
- } else if ((opinfo->level == SMB2_OPLOCK_LEVEL_II) &&
- (req_oplevel == SMB2_OPLOCK_LEVEL_NONE)) {
+ } else if (opinfo->level == SMB2_OPLOCK_LEVEL_II &&
+ req_oplevel == SMB2_OPLOCK_LEVEL_NONE) {
oplock_change_type = OPLOCK_READ_TO_NONE;
- } else
+ } else {
oplock_change_type = 0;
- } else
+ }
+ } else {
oplock_change_type = 0;
+ }
switch (oplock_change_type) {
case OPLOCK_WRITE_TO_READ:
@@ -7846,8 +7729,8 @@ static void smb20_oplock_break_ack(struct ksmbd_work *work)
static int check_lease_state(struct lease *lease, __le32 req_state)
{
if ((lease->new_state ==
- (SMB2_LEASE_READ_CACHING_LE | SMB2_LEASE_HANDLE_CACHING_LE))
- && !(req_state & SMB2_LEASE_WRITE_CACHING_LE)) {
+ (SMB2_LEASE_READ_CACHING_LE | SMB2_LEASE_HANDLE_CACHING_LE)) &&
+ !(req_state & SMB2_LEASE_WRITE_CACHING_LE)) {
lease->new_state = req_state;
return 0;
}
@@ -7909,7 +7792,7 @@ static void smb21_lease_break_ack(struct ksmbd_work *work)
/* check for bad lease state */
if (req->LeaseState & (~(SMB2_LEASE_READ_CACHING_LE |
- SMB2_LEASE_HANDLE_CACHING_LE))) {
+ SMB2_LEASE_HANDLE_CACHING_LE))) {
err = STATUS_INVALID_OPLOCK_PROTOCOL;
if (lease->state & SMB2_LEASE_WRITE_CACHING_LE)
lease_change_type = OPLOCK_WRITE_TO_NONE;
@@ -7918,8 +7801,8 @@ static void smb21_lease_break_ack(struct ksmbd_work *work)
ksmbd_debug(OPLOCK, "handle bad lease state 0x%x -> 0x%x\n",
le32_to_cpu(lease->state),
le32_to_cpu(req->LeaseState));
- } else if ((lease->state == SMB2_LEASE_READ_CACHING_LE) &&
- (req->LeaseState != SMB2_LEASE_NONE_LE)) {
+ } else if (lease->state == SMB2_LEASE_READ_CACHING_LE &&
+ req->LeaseState != SMB2_LEASE_NONE_LE) {
err = STATUS_INVALID_OPLOCK_PROTOCOL;
lease_change_type = OPLOCK_READ_TO_NONE;
ksmbd_debug(OPLOCK, "handle bad lease state 0x%x -> 0x%x\n",
@@ -7938,8 +7821,9 @@ static void smb21_lease_break_ack(struct ksmbd_work *work)
lease_change_type = OPLOCK_WRITE_TO_READ;
else
lease_change_type = OPLOCK_READ_HANDLE_TO_READ;
- } else
+ } else {
lease_change_type = 0;
+ }
}
switch (lease_change_type) {
@@ -8056,9 +7940,9 @@ bool smb2_is_sign_req(struct ksmbd_work *work, unsigned int command)
struct smb2_hdr *rcv_hdr2 = work->request_buf;
if ((rcv_hdr2->Flags & SMB2_FLAGS_SIGNED) &&
- command != SMB2_NEGOTIATE_HE &&
- command != SMB2_SESSION_SETUP_HE &&
- command != SMB2_OPLOCK_BREAK_HE)
+ command != SMB2_NEGOTIATE_HE &&
+ command != SMB2_SESSION_SETUP_HE &&
+ command != SMB2_OPLOCK_BREAK_HE)
return true;
return 0;
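Review bot: smb2_is_sign_req() is declared bool and returns `true` on the signed path, but falls through to `return 0;`. Make it `return false;` in this cleanup so the function uses one spelling for its result.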
@@ -8097,7 +7981,7 @@ int smb2_check_sign_req(struct ksmbd_work *work)
iov[0].iov_len = len;
if (ksmbd_sign_smb2_pdu(work->conn, work->sess->sess_key, iov, 1,
- signature))
+ signature))
return 0;
if (memcmp(signature, signature_req, SMB2_SIGNATURE_SIZE)) {
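Review bot: the request signature is checked with `memcmp(signature, signature_req, SMB2_SIGNATURE_SIZE)`, which is not constant-time, and the value being compared is a MAC over client-supplied data. Use crypto_memneq() for this comparison. Separately, the `return 0;` taken when ksmbd_sign_smb2_pdu() fails deserves a comment saying whether 0 means the check failed, since that is not evident at this call site.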
@@ -8155,7 +8039,7 @@ void smb2_set_sign_rsp(struct ksmbd_work *work)
}
if (!ksmbd_sign_smb2_pdu(work->conn, work->sess->sess_key, iov, n_vec,
- signature))
+ signature))
memcpy(hdr->Signature, signature, SMB2_SIGNATURE_SIZE);
}
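Review bot: when ksmbd_sign_smb2_pdu() returns non-zero here, smb2_set_sign_rsp() leaves hdr->Signature as it was, logs nothing, and, being void, reports nothing to its caller. At minimum log the failure in an else branch; better, return an error so the caller can decide not to send a response that was supposed to be signed.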
@@ -8305,7 +8189,7 @@ void smb3_preauth_hash_rsp(struct ksmbd_work *work)
conn->preauth_info->Preauth_HashValue);
if (le16_to_cpu(rsp->Command) == SMB2_SESSION_SETUP_HE &&
- sess && sess->state == SMB2_SESSION_IN_PROGRESS) {
+ sess && sess->state == SMB2_SESSION_IN_PROGRESS) {
__u8 *hash_value;
hash_value = sess->Preauth_HashValue;
@@ -8314,9 +8198,8 @@ void smb3_preauth_hash_rsp(struct ksmbd_work *work)
}
}
-static void fill_transform_hdr(struct smb2_transform_hdr *tr_hdr,
- char *old_buf,
- __le16 cipher_type)
+static void fill_transform_hdr(struct smb2_transform_hdr *tr_hdr, char *old_buf,
+ __le16 cipher_type)
{
struct smb2_hdr *hdr = (struct smb2_hdr *)old_buf;
unsigned int orig_len = get_rfc1002_len(old_buf);
@@ -8403,7 +8286,7 @@ int smb3_decrypt_req(struct ksmbd_work *work)
sess = ksmbd_session_lookup(conn, le64_to_cpu(tr_hdr->SessionId));
if (!sess) {
ksmbd_err("invalid session id(%llx) in transform header\n",
- le64_to_cpu(tr_hdr->SessionId));
+ le64_to_cpu(tr_hdr->SessionId));
return -ECONNABORTED;
}
@@ -8446,7 +8329,7 @@ bool smb3_11_final_sess_setup_resp(struct ksmbd_work *work)
rsp = RESPONSE_BUF_NEXT(work);
if (le16_to_cpu(rsp->Command) == SMB2_SESSION_SETUP_HE &&
- rsp->Status == STATUS_SUCCESS)
+ rsp->Status == STATUS_SUCCESS)
return true;
return false;
}
diff --git a/fs/cifsd/smb2pdu.h b/fs/cifsd/smb2pdu.h
index deb3d7444c2a..156ff6a2968b 100644
--- a/fs/cifsd/smb2pdu.h
+++ b/fs/cifsd/smb2pdu.h
@@ -346,8 +346,8 @@ struct smb2_negotiate_rsp {
#define SMB2_SESSION_REQ_FLAG_ENCRYPT_DATA 0x04
#define SMB2_SESSION_EXPIRED (0)
-#define SMB2_SESSION_IN_PROGRESS (1 << 0)
-#define SMB2_SESSION_VALID (1 << 1)
+#define SMB2_SESSION_IN_PROGRESS BIT(0)
+#define SMB2_SESSION_VALID BIT(1)
/* Flags */
#define SMB2_SESSION_REQ_FLAG_BINDING 0x01
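Review bot: converting SMB2_SESSION_IN_PROGRESS and SMB2_SESSION_VALID to BIT() makes them look like combinable flags, but they sit next to `SMB2_SESSION_EXPIRED (0)` and are used as state values (`sess->state == SMB2_SESSION_IN_PROGRESS` in smb3_preauth_hash_rsp earlier in this patch). BIT() also changes the constants' type to unsigned long. If these are states rather than a mask, plain values or an enum would say so more clearly than BIT().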
@@ -1161,7 +1161,6 @@ struct smb2_set_info_rsp {
__le16 StructureSize; /* Must be 2 */
} __packed;
-
/* FILE Info response size */
#define FILE_DIRECTORY_INFORMATION_SIZE 1
#define FILE_FULL_DIRECTORY_INFORMATION_SIZE 2
@@ -1199,7 +1198,6 @@ struct smb2_set_info_rsp {
#define FILE_NETWORK_OPEN_INFORMATION_SIZE 56
#define FILE_ATTRIBUTE_TAG_INFORMATION_SIZE 8
-
/* FS Info response size */
#define FS_DEVICE_INFORMATION_SIZE 8
#define FS_ATTRIBUTE_INFORMATION_SIZE 16
@@ -1579,71 +1577,70 @@ struct smb2_posix_info {
} __packed;
/* functions */
-
-extern int init_smb2_0_server(struct ksmbd_conn *conn);
-extern void init_smb2_1_server(struct ksmbd_conn *conn);
-extern void init_smb3_0_server(struct ksmbd_conn *conn);
-extern void init_smb3_02_server(struct ksmbd_conn *conn);
-extern int init_smb3_11_server(struct ksmbd_conn *conn);
-
-extern void init_smb2_max_read_size(unsigned int sz);
-extern void init_smb2_max_write_size(unsigned int sz);
-extern void init_smb2_max_trans_size(unsigned int sz);
-
-extern int is_smb2_neg_cmd(struct ksmbd_work *work);
-extern int is_smb2_rsp(struct ksmbd_work *work);
-
-extern uint16_t get_smb2_cmd_val(struct ksmbd_work *work);
-extern void set_smb2_rsp_status(struct ksmbd_work *work, __le32 err);
-extern int init_smb2_rsp_hdr(struct ksmbd_work *work);
-extern int smb2_allocate_rsp_buf(struct ksmbd_work *work);
-extern bool is_chained_smb2_message(struct ksmbd_work *work);
-extern int init_smb2_neg_rsp(struct ksmbd_work *work);
-extern void smb2_set_err_rsp(struct ksmbd_work *work);
-extern int smb2_check_user_session(struct ksmbd_work *work);
-extern int smb2_get_ksmbd_tcon(struct ksmbd_work *work);
-extern bool smb2_is_sign_req(struct ksmbd_work *work, unsigned int command);
-extern int smb2_check_sign_req(struct ksmbd_work *work);
-extern void smb2_set_sign_rsp(struct ksmbd_work *work);
-extern int smb3_check_sign_req(struct ksmbd_work *work);
-extern void smb3_set_sign_rsp(struct ksmbd_work *work);
-extern int find_matching_smb2_dialect(int start_index, __le16 *cli_dialects,
- __le16 dialects_count);
-extern struct file_lock *smb_flock_init(struct file *f);
-extern int setup_async_work(struct ksmbd_work *work, void (*fn)(void **),
- void **arg);
-extern void smb2_send_interim_resp(struct ksmbd_work *work, __le32 status);
-extern struct channel *lookup_chann_list(struct ksmbd_session *sess);
-extern void smb3_preauth_hash_rsp(struct ksmbd_work *work);
-extern int smb3_is_transform_hdr(void *buf);
-extern int smb3_decrypt_req(struct ksmbd_work *work);
-extern int smb3_encrypt_resp(struct ksmbd_work *work);
-extern bool smb3_11_final_sess_setup_resp(struct ksmbd_work *work);
-extern int smb2_set_rsp_credits(struct ksmbd_work *work);
+int init_smb2_0_server(struct ksmbd_conn *conn);
+void init_smb2_1_server(struct ksmbd_conn *conn);
+void init_smb3_0_server(struct ksmbd_conn *conn);
+void init_smb3_02_server(struct ksmbd_conn *conn);
+int init_smb3_11_server(struct ksmbd_conn *conn);
+
+void init_smb2_max_read_size(unsigned int sz);
+void init_smb2_max_write_size(unsigned int sz);
+void init_smb2_max_trans_size(unsigned int sz);
+
+int is_smb2_neg_cmd(struct ksmbd_work *work);
+int is_smb2_rsp(struct ksmbd_work *work);
+
+u16 get_smb2_cmd_val(struct ksmbd_work *work);
+void set_smb2_rsp_status(struct ksmbd_work *work, __le32 err);
+int init_smb2_rsp_hdr(struct ksmbd_work *work);
+int smb2_allocate_rsp_buf(struct ksmbd_work *work);
+bool is_chained_smb2_message(struct ksmbd_work *work);
+int init_smb2_neg_rsp(struct ksmbd_work *work);
+void smb2_set_err_rsp(struct ksmbd_work *work);
+int smb2_check_user_session(struct ksmbd_work *work);
+int smb2_get_ksmbd_tcon(struct ksmbd_work *work);
+bool smb2_is_sign_req(struct ksmbd_work *work, unsigned int command);
+int smb2_check_sign_req(struct ksmbd_work *work);
+void smb2_set_sign_rsp(struct ksmbd_work *work);
+int smb3_check_sign_req(struct ksmbd_work *work);
+void smb3_set_sign_rsp(struct ksmbd_work *work);
+int find_matching_smb2_dialect(int start_index, __le16 *cli_dialects,
+ __le16 dialects_count);
+struct file_lock *smb_flock_init(struct file *f);
+int setup_async_work(struct ksmbd_work *work, void (*fn)(void **),
+ void **arg);
+void smb2_send_interim_resp(struct ksmbd_work *work, __le32 status);
+struct channel *lookup_chann_list(struct ksmbd_session *sess);
+void smb3_preauth_hash_rsp(struct ksmbd_work *work);
+int smb3_is_transform_hdr(void *buf);
+int smb3_decrypt_req(struct ksmbd_work *work);
+int smb3_encrypt_resp(struct ksmbd_work *work);
+bool smb3_11_final_sess_setup_resp(struct ksmbd_work *work);
+int smb2_set_rsp_credits(struct ksmbd_work *work);
/* smb2 misc functions */
-extern int ksmbd_smb2_check_message(struct ksmbd_work *work);
+int ksmbd_smb2_check_message(struct ksmbd_work *work);
/* smb2 command handlers */
-extern int smb2_handle_negotiate(struct ksmbd_work *work);
-extern int smb2_negotiate_request(struct ksmbd_work *work);
-extern int smb2_sess_setup(struct ksmbd_work *work);
-extern int smb2_tree_connect(struct ksmbd_work *work);
-extern int smb2_tree_disconnect(struct ksmbd_work *work);
-extern int smb2_session_logoff(struct ksmbd_work *work);
-extern int smb2_open(struct ksmbd_work *work);
-extern int smb2_query_info(struct ksmbd_work *work);
-extern int smb2_query_dir(struct ksmbd_work *work);
-extern int smb2_close(struct ksmbd_work *work);
-extern int smb2_echo(struct ksmbd_work *work);
-extern int smb2_set_info(struct ksmbd_work *work);
-extern int smb2_read(struct ksmbd_work *work);
-extern int smb2_write(struct ksmbd_work *work);
-extern int smb2_flush(struct ksmbd_work *work);
-extern int smb2_cancel(struct ksmbd_work *work);
-extern int smb2_lock(struct ksmbd_work *work);
-extern int smb2_ioctl(struct ksmbd_work *work);
-extern int smb2_oplock_break(struct ksmbd_work *work);
-extern int smb2_notify(struct ksmbd_work *ksmbd_work);
+int smb2_handle_negotiate(struct ksmbd_work *work);
+int smb2_negotiate_request(struct ksmbd_work *work);
+int smb2_sess_setup(struct ksmbd_work *work);
+int smb2_tree_connect(struct ksmbd_work *work);
+int smb2_tree_disconnect(struct ksmbd_work *work);
+int smb2_session_logoff(struct ksmbd_work *work);
+int smb2_open(struct ksmbd_work *work);
+int smb2_query_info(struct ksmbd_work *work);
+int smb2_query_dir(struct ksmbd_work *work);
+int smb2_close(struct ksmbd_work *work);
+int smb2_echo(struct ksmbd_work *work);
+int smb2_set_info(struct ksmbd_work *work);
+int smb2_read(struct ksmbd_work *work);
+int smb2_write(struct ksmbd_work *work);
+int smb2_flush(struct ksmbd_work *work);
+int smb2_cancel(struct ksmbd_work *work);
+int smb2_lock(struct ksmbd_work *work);
+int smb2_ioctl(struct ksmbd_work *work);
+int smb2_oplock_break(struct ksmbd_work *work);
+int smb2_notify(struct ksmbd_work *ksmbd_work);
#endif /* _SMB2PDU_H */
diff --git a/fs/cifsd/smb_common.c b/fs/cifsd/smb_common.c
index da1928b948f8..b0510213eb6d 100644
--- a/fs/cifsd/smb_common.c
+++ b/fs/cifsd/smb_common.c
@@ -17,7 +17,7 @@
/*for shortname implementation */
static const char basechars[43] = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ_-!@#$%";
-#define MANGLE_BASE (sizeof(basechars)/sizeof(char)-1)
+#define MANGLE_BASE (sizeof(basechars) / sizeof(char) - 1)
#define MAGIC_CHAR '~'
#define PERIOD '.'
#define mangle(V) ((char)(basechars[(V) % MANGLE_BASE]))
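Review bot: in MANGLE_BASE, the `- 1` looks like it is discounting a NUL terminator, but `basechars[43]` is initialised with exactly 43 characters, so there is no terminator inside the array. sizeof(basechars) is 43, MANGLE_BASE is 42, and `basechars[(V) % MANGLE_BASE]` can never select the final '%'. Rather than only adding spaces, decide which base is intended and write it as ARRAY_SIZE(basechars) (or ARRAY_SIZE(basechars) - 1 with a comment); `sizeof(char)` is 1 by definition and can go.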
@@ -268,15 +268,10 @@ bool ksmbd_pdu_size_has_room(unsigned int pdu)
return (pdu >= KSMBD_MIN_SUPPORTED_HEADER_SIZE - 4);
}
-int ksmbd_populate_dot_dotdot_entries(struct ksmbd_work *work,
- int info_level,
- struct ksmbd_file *dir,
- struct ksmbd_dir_info *d_info,
- char *search_pattern,
- int (*fn)(struct ksmbd_conn *,
- int,
- struct ksmbd_dir_info *,
- struct ksmbd_kstat *))
+int ksmbd_populate_dot_dotdot_entries(struct ksmbd_work *work, int info_level,
+ struct ksmbd_file *dir, struct ksmbd_dir_info *d_info,
+ char *search_pattern, int (*fn)(struct ksmbd_conn *, int,
+ struct ksmbd_dir_info *, struct ksmbd_kstat *))
{
int i, rc = 0;
struct ksmbd_conn *conn = work->conn;
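Review bot: the reflowed prototype now breaks the function-pointer parameter in the middle of its own argument list (`int (*fn)(struct ksmbd_conn *, int,` on one line, the remaining two types on the next), which is harder to read than the version being removed. Keep `fn` on lines of its own, or introduce a typedef for the callback and use it here.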
@@ -295,7 +290,7 @@ int ksmbd_populate_dot_dotdot_entries(struct ksmbd_work *work,
}
if (!match_pattern(d_info->name, d_info->name_len,
- search_pattern)) {
+ search_pattern)) {
dir->dot_dotdot[i] = 1;
continue;
}
@@ -331,9 +326,8 @@ int ksmbd_populate_dot_dotdot_entries(struct ksmbd_work *work,
* TODO: Though this function comforms the restriction of 8.3 Filename spec,
* but the result is different with Windows 7's one. need to check.
*/
-int ksmbd_extract_shortname(struct ksmbd_conn *conn,
- const char *longname,
- char *shortname)
+int ksmbd_extract_shortname(struct ksmbd_conn *conn, const char *longname,
+ char *shortname)
{
const char *p;
char base[9], extension[4];
@@ -354,7 +348,7 @@ int ksmbd_extract_shortname(struct ksmbd_conn *conn,
if (p == longname) { /*name starts with a dot*/
strscpy(extension, "___", strlen("___"));
} else {
- if (p != NULL) {
+ if (p) {
p++;
while (*p && extlen < 3) {
if (*p != '.')
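Review bot: the context line `strscpy(extension, "___", strlen("___"));` passes 3 as the size, and strscpy() copies at most size - 1 characters before terminating, so only two underscores land in `extension`. `extension` is declared as `char extension[4]`, so the size argument should be `sizeof(extension)`. This is not part of the style change, but the hunk touches the same block and it deserves a follow-up fix.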
@@ -362,8 +356,9 @@ int ksmbd_extract_shortname(struct ksmbd_conn *conn,
p++;
}
extension[extlen] = '\0';
- } else
+ } else {
dot_present = false;
+ }
}
p = longname;
@@ -378,7 +373,7 @@ int ksmbd_extract_shortname(struct ksmbd_conn *conn,
}
base[baselen] = MAGIC_CHAR;
- memcpy(out, base, baselen+1);
+ memcpy(out, base, baselen + 1);
ptr = longname;
len = strlen(longname);
@@ -386,14 +381,14 @@ int ksmbd_extract_shortname(struct ksmbd_conn *conn,
csum += *ptr;
csum = csum % (MANGLE_BASE * MANGLE_BASE);
- out[baselen+1] = mangle(csum/MANGLE_BASE);
- out[baselen+2] = mangle(csum);
- out[baselen+3] = PERIOD;
+ out[baselen + 1] = mangle(csum / MANGLE_BASE);
+ out[baselen + 2] = mangle(csum);
+ out[baselen + 3] = PERIOD;
if (dot_present)
- memcpy(&out[baselen+4], extension, 4);
+ memcpy(&out[baselen + 4], extension, 4);
else
- out[baselen+4] = '\0';
+ out[baselen + 4] = '\0';
smbConvertToUTF16((__le16 *)shortname, out, PATH_MAX,
conn->local_nls, 0);
len = strlen(out) * 2;
@@ -471,9 +466,8 @@ static const char * const shared_mode_errors[] = {
"Desired access mode does not permit FILE_DELETE",
};
-static void smb_shared_mode_error(int error,
- struct ksmbd_file *prev_fp,
- struct ksmbd_file *curr_fp)
+static void smb_shared_mode_error(int error, struct ksmbd_file *prev_fp,
+ struct ksmbd_file *curr_fp)
{
ksmbd_debug(SMB, "%s\n", shared_mode_errors[error]);
ksmbd_debug(SMB, "Current mode: 0x%x Desired mode: 0x%x\n",
@@ -512,7 +506,7 @@ int ksmbd_smb_check_shared_mode(struct file *filp, struct ksmbd_file *curr_fp)
continue;
if (!(prev_fp->saccess & FILE_SHARE_DELETE_LE) &&
- curr_fp->daccess & FILE_DELETE_LE) {
+ curr_fp->daccess & FILE_DELETE_LE) {
smb_shared_mode_error(SHARE_DELETE_ERROR,
prev_fp,
curr_fp);
@@ -528,8 +522,7 @@ int ksmbd_smb_check_shared_mode(struct file *filp, struct ksmbd_file *curr_fp)
continue;
if (!(prev_fp->saccess & FILE_SHARE_READ_LE) &&
- curr_fp->daccess & (FILE_EXECUTE_LE |
- FILE_READ_DATA_LE)) {
+ curr_fp->daccess & (FILE_EXECUTE_LE | FILE_READ_DATA_LE)) {
smb_shared_mode_error(SHARE_READ_ERROR,
prev_fp,
curr_fp);
@@ -538,8 +531,7 @@ int ksmbd_smb_check_shared_mode(struct file *filp, struct ksmbd_file *curr_fp)
}
if (!(prev_fp->saccess & FILE_SHARE_WRITE_LE) &&
- curr_fp->daccess & (FILE_WRITE_DATA_LE |
- FILE_APPEND_DATA_LE)) {
+ curr_fp->daccess & (FILE_WRITE_DATA_LE | FILE_APPEND_DATA_LE)) {
smb_shared_mode_error(SHARE_WRITE_ERROR,
prev_fp,
curr_fp);
@@ -547,9 +539,8 @@ int ksmbd_smb_check_shared_mode(struct file *filp, struct ksmbd_file *curr_fp)
break;
}
- if (prev_fp->daccess & (FILE_EXECUTE_LE |
- FILE_READ_DATA_LE) &&
- !(curr_fp->saccess & FILE_SHARE_READ_LE)) {
+ if (prev_fp->daccess & (FILE_EXECUTE_LE | FILE_READ_DATA_LE) &&
+ !(curr_fp->saccess & FILE_SHARE_READ_LE)) {
smb_shared_mode_error(FILE_READ_ERROR,
prev_fp,
curr_fp);
@@ -557,9 +548,8 @@ int ksmbd_smb_check_shared_mode(struct file *filp, struct ksmbd_file *curr_fp)
break;
}
- if (prev_fp->daccess & (FILE_WRITE_DATA_LE |
- FILE_APPEND_DATA_LE) &&
- !(curr_fp->saccess & FILE_SHARE_WRITE_LE)) {
+ if (prev_fp->daccess & (FILE_WRITE_DATA_LE | FILE_APPEND_DATA_LE) &&
+ !(curr_fp->saccess & FILE_SHARE_WRITE_LE)) {
smb_shared_mode_error(FILE_WRITE_ERROR,
prev_fp,
curr_fp);
@@ -568,7 +558,7 @@ int ksmbd_smb_check_shared_mode(struct file *filp, struct ksmbd_file *curr_fp)
}
if (prev_fp->daccess & FILE_DELETE_LE &&
- !(curr_fp->saccess & FILE_SHARE_DELETE_LE)) {
+ !(curr_fp->saccess & FILE_SHARE_DELETE_LE)) {
smb_shared_mode_error(FILE_DELETE_ERROR,
prev_fp,
curr_fp);
@@ -620,7 +610,7 @@ int ksmbd_override_fsids(struct ksmbd_work *work)
if (!uid_eq(cred->fsuid, GLOBAL_ROOT_UID))
cred->cap_effective = cap_drop_fs_set(cred->cap_effective);
- WARN_ON(work->saved_cred != NULL);
+ WARN_ON(work->saved_cred);
work->saved_cred = override_creds(cred);
if (!work->saved_cred) {
abort_creds(cred);
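Review bot: `WARN_ON(work->saved_cred);` only logs; the next line then overwrites `work->saved_cred` with the result of override_creds(), so the previously saved credentials pointer is lost if the warning ever fires. Since the function returns int, consider `if (WARN_ON(work->saved_cred))` followed by abort_creds(cred) and an error return instead of carrying on.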
@@ -633,7 +623,7 @@ void ksmbd_revert_fsids(struct ksmbd_work *work)
{
const struct cred *cred;
- WARN_ON(work->saved_cred == NULL);
+ WARN_ON(!work->saved_cred);
cred = current_cred();
revert_creds(work->saved_cred);
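Review bot: after `WARN_ON(!work->saved_cred);` the function still goes on to call `revert_creds(work->saved_cred)` with the NULL pointer it just warned about. Make the check effective with `if (WARN_ON(!work->saved_cred)) return;` so a missing saved credential does not reach revert_creds().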
diff --git a/fs/cifsd/smb_common.h b/fs/cifsd/smb_common.h
index ec954e6bc4ae..2d7b1c693ff4 100644
--- a/fs/cifsd/smb_common.h
+++ b/fs/cifsd/smb_common.h
@@ -43,7 +43,7 @@
#define SMB311_PROT_ID 0x0311
#define BAD_PROT_ID 0xFFFF
-#define SMB_ECHO_INTERVAL (60*HZ)
+#define SMB_ECHO_INTERVAL (60 * HZ)
#define CIFS_DEFAULT_IOSIZE (64 * 1024)
#define MAX_CIFS_SMALL_BUFFER_SIZE 448 /* big enough for most */
@@ -490,8 +490,6 @@ struct smb_version_cmds {
int (*proc)(struct ksmbd_work *swork);
};
-
-
int ksmbd_min_protocol(void);
int ksmbd_max_protocol(void);
diff --git a/fs/cifsd/smbacl.c b/fs/cifsd/smbacl.c
index 7f6d5313a02c..a3675aa837b9 100644
--- a/fs/cifsd/smbacl.c
+++ b/fs/cifsd/smbacl.c
@@ -68,13 +68,12 @@ static const struct smb_sid sid_unix_NFS_mode = { 1, 2, {0, 0, 0, 0, 0, 5},
* if the two SIDs (roughly equivalent to a UUID for a user or group) are
* the same returns zero, if they do not match returns non-zero.
*/
-int
-compare_sids(const struct smb_sid *ctsid, const struct smb_sid *cwsid)
+int compare_sids(const struct smb_sid *ctsid, const struct smb_sid *cwsid)
{
int i;
int num_subauth, num_sat, num_saw;
- if ((!ctsid) || (!cwsid))
+ if (!ctsid || !cwsid)
return 1;
/* compare the revision */
@@ -103,7 +102,7 @@ compare_sids(const struct smb_sid *ctsid, const struct smb_sid *cwsid)
for (i = 0; i < num_subauth; ++i) {
if (ctsid->sub_auth[i] != cwsid->sub_auth[i]) {
if (le32_to_cpu(ctsid->sub_auth[i]) >
- le32_to_cpu(cwsid->sub_auth[i]))
+ le32_to_cpu(cwsid->sub_auth[i]))
return 1;
else
return -1;
@@ -114,8 +113,7 @@ compare_sids(const struct smb_sid *ctsid, const struct smb_sid *cwsid)
return 0; /* sids compare/match */
}
-static void
-smb_copy_sid(struct smb_sid *dst, const struct smb_sid *src)
+static void smb_copy_sid(struct smb_sid *dst, const struct smb_sid *src)
{
int i;
@@ -144,21 +142,17 @@ static umode_t access_flags_to_mode(struct smb_fattr *fattr, __le32 ace_flags,
return mode;
}
- if ((flags & GENERIC_READ) ||
- (flags & FILE_READ_RIGHTS))
+ if ((flags & GENERIC_READ) || (flags & FILE_READ_RIGHTS))
mode = 0444;
- if ((flags & GENERIC_WRITE) ||
- (flags & FILE_WRITE_RIGHTS)) {
+ if ((flags & GENERIC_WRITE) || (flags & FILE_WRITE_RIGHTS)) {
mode |= 0222;
if (S_ISDIR(fattr->cf_mode))
mode |= 0111;
}
- if ((flags & GENERIC_EXECUTE) ||
- (flags & FILE_EXEC_RIGHTS))
+ if ((flags & GENERIC_EXECUTE) || (flags & FILE_EXEC_RIGHTS))
mode |= 0111;
- if (type == ACCESS_DENIED_ACE_TYPE ||
- type == ACCESS_DENIED_OBJECT_ACE_TYPE)
+ if (type == ACCESS_DENIED_ACE_TYPE || type == ACCESS_DENIED_OBJECT_ACE_TYPE)
mode = ~mode;
ksmbd_debug(SMB, "access flags 0x%x mode now %04o\n", flags, mode);
@@ -282,8 +276,7 @@ static int sid_to_id(struct smb_sid *psid, uint sidtype,
id = le32_to_cpu(psid->sub_auth[psid->num_subauth - 1]);
if (id > 0) {
uid = make_kuid(&init_user_ns, id);
- if (uid_valid(uid) &&
- kuid_has_mapping(&init_user_ns, uid)) {
+ if (uid_valid(uid) && kuid_has_mapping(&init_user_ns, uid)) {
fattr->cf_uid = uid;
rc = 0;
}
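Review bot: in the context above the joined condition, `psid->sub_auth[psid->num_subauth - 1]` indexes with a count that comes from the SID itself, and nothing in the visible lines checks it. A `num_subauth` of 0 reads `sub_auth[-1]`, and a value larger than the array reads past it. Please confirm the SID is validated before sid_to_id() is reached, or add a range check on `num_subauth` at the top of the function; the same expression appears in the uid and gid branches and in parse_dacl().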
@@ -295,8 +288,7 @@ static int sid_to_id(struct smb_sid *psid, uint sidtype,
id = le32_to_cpu(psid->sub_auth[psid->num_subauth - 1]);
if (id > 0) {
gid = make_kgid(&init_user_ns, id);
- if (gid_valid(gid) &&
- kgid_has_mapping(&init_user_ns, gid)) {
+ if (gid_valid(gid) && kgid_has_mapping(&init_user_ns, gid)) {
fattr->cf_gid = gid;
rc = 0;
}
@@ -353,7 +345,7 @@ int init_acl_state(struct posix_acl_state *state, int cnt)
* enough space for either:
*/
alloc = sizeof(struct posix_ace_state_array)
- + cnt*sizeof(struct posix_user_ace_state);
+ + cnt * sizeof(struct posix_user_ace_state);
state->users = kzalloc(alloc, GFP_KERNEL);
if (!state->users)
return -ENOMEM;
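Review bot: `cnt * sizeof(struct posix_user_ace_state)` is computed from an `int cnt` with no visible bound, so a negative or very large count wraps the allocation size before kzalloc() sees it. Either validate `cnt` (non-negative and bounded by what the ACL can actually hold) before this expression, or compute the size with the overflow helpers in <linux/overflow.h>.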
@@ -429,17 +421,17 @@ static void parse_dacl(struct smb_acl *pdacl, char *end_of_acl,
* user/group/other have no permissions
*/
for (i = 0; i < num_aces; ++i) {
- ppace[i] = (struct smb_ace *) (acl_base + acl_size);
+ ppace[i] = (struct smb_ace *)(acl_base + acl_size);
acl_base = (char *)ppace[i];
acl_size = le16_to_cpu(ppace[i]->size);
ppace[i]->access_req =
smb_map_generic_desired_access(ppace[i]->access_req);
- if (!(compare_sids(&(ppace[i]->sid), &sid_unix_NFS_mode))) {
+ if (!(compare_sids(&ppace[i]->sid, &sid_unix_NFS_mode))) {
fattr->cf_mode =
le32_to_cpu(ppace[i]->sid.sub_auth[2]);
break;
- } else if (!compare_sids(&(ppace[i]->sid), pownersid)) {
+ } else if (!compare_sids(&ppace[i]->sid, pownersid)) {
acl_mode = access_flags_to_mode(fattr,
ppace[i]->access_req, ppace[i]->type);
acl_mode &= 0700;
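Review bot: inside the loop, `ppace[i]` is computed from `acl_base + acl_size` and immediately dereferenced (`ppace[i]->size`, `ppace[i]->access_req`, `ppace[i]->sid`) without being compared against `end_of_acl`, even though that pointer is passed into parse_dacl(). The ACE sizes come from the security descriptor being parsed, so each iteration should verify that the ACE header, and then its declared `size`, fit below `end_of_acl` before any field is read. `ppace[i]->sid.sub_auth[2]` likewise assumes at least three sub-authorities.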
@@ -449,9 +441,9 @@ static void parse_dacl(struct smb_acl *pdacl, char *end_of_acl,
mode |= acl_mode;
}
owner_found = true;
- } else if (!compare_sids(&(ppace[i]->sid), pgrpsid) ||
- ppace[i]->sid.sub_auth[ppace[i]->sid.num_subauth - 1] ==
- DOMAIN_USER_RID_LE) {
+ } else if (!compare_sids(&ppace[i]->sid, pgrpsid) ||
+ ppace[i]->sid.sub_auth[ppace[i]->sid.num_subauth - 1] ==
+ DOMAIN_USER_RID_LE) {
acl_mode = access_flags_to_mode(fattr,
ppace[i]->access_req, ppace[i]->type);
acl_mode &= 0070;
@@ -460,7 +452,7 @@ static void parse_dacl(struct smb_acl *pdacl, char *end_of_acl,
mode |= acl_mode;
}
group_found = true;
- } else if (!compare_sids(&(ppace[i]->sid), &sid_everyone)) {
+ } else if (!compare_sids(&ppace[i]->sid, &sid_everyone)) {
acl_mode = access_flags_to_mode(fattr,
ppace[i]->access_req, ppace[i]->type);
acl_mode &= 0007;
@@ -469,13 +461,13 @@ static void parse_dacl(struct smb_acl *pdacl, char *end_of_acl,
mode |= acl_mode;
}
others_found = true;
- } else if (!compare_sids(&(ppace[i]->sid), &creator_owner))
+ } else if (!compare_sids(&ppace[i]->sid, &creator_owner)) {
continue;
- else if (!compare_sids(&(ppace[i]->sid), &creator_group))
+ } else if (!compare_sids(&ppace[i]->sid, &creator_group)) {
continue;
- else if (!compare_sids(&(ppace[i]->sid), &sid_authusers))
+ } else if (!compare_sids(&ppace[i]->sid, &sid_authusers)) {
continue;
- else {
+ } else {
struct smb_fattr temp_fattr;
acl_mode = access_flags_to_mode(fattr, ppace[i]->access_req,
@@ -610,7 +602,7 @@ static void set_posix_acl_entries_dacl(struct smb_ace *pndace,
if (S_ISDIR(fattr->cf_mode) && pace->e_tag == ACL_OTHER)
flags = 0x03;
- ntace = (struct smb_ace *) ((char *)pndace + *size);
+ ntace = (struct smb_ace *)((char *)pndace + *size);
*size += fill_ace_for_sid(ntace, sid, ACCESS_ALLOWED, flags,
pace->e_perm, 0777);
(*num_aces)++;
@@ -619,8 +611,8 @@ static void set_posix_acl_entries_dacl(struct smb_ace *pndace,
FILE_DELETE_LE | FILE_DELETE_CHILD_LE;
if (S_ISDIR(fattr->cf_mode) &&
- (pace->e_tag == ACL_USER || pace->e_tag == ACL_GROUP)) {
- ntace = (struct smb_ace *) ((char *)pndace + *size);
+ (pace->e_tag == ACL_USER || pace->e_tag == ACL_GROUP)) {
+ ntace = (struct smb_ace *)((char *)pndace + *size);
*size += fill_ace_for_sid(ntace, sid, ACCESS_ALLOWED,
0x03, pace->e_perm, 0777);
(*num_aces)++;
@@ -661,7 +653,7 @@ static void set_posix_acl_entries_dacl(struct smb_ace *pndace,
continue;
}
- ntace = (struct smb_ace *) ((char *)pndace + *size);
+ ntace = (struct smb_ace *)((char *)pndace + *size);
*size += fill_ace_for_sid(ntace, sid, ACCESS_ALLOWED, 0x0b,
pace->e_perm, 0777);
(*num_aces)++;
@@ -786,7 +778,7 @@ int parse_sec_desc(struct smb_ntsd *pntsd, int acl_len,
__u32 dacloffset;
int pntsd_type;
- if (pntsd == NULL)
+ if (!pntsd)
return -EIO;
owner_sid_ptr = (struct smb_sid *)((char *)pntsd +
@@ -913,11 +905,11 @@ int build_sec_desc(struct smb_ntsd *pntsd, struct smb_ntsd *ppntsd,
dacl_ptr->size = cpu_to_le16(sizeof(struct smb_acl));
dacl_ptr->num_aces = 0;
- if (!ppntsd)
+ if (!ppntsd) {
set_mode_dacl(dacl_ptr, fattr);
- else if (!ppntsd->dacloffset)
+ } else if (!ppntsd->dacloffset) {
goto out;
- else {
+ } else {
struct smb_acl *ppdacl_ptr;
ppdacl_ptr = (struct smb_acl *)((char *)ppntsd +
@@ -992,8 +984,9 @@ int smb_inherit_dacl(struct ksmbd_conn *conn, struct dentry *dentry,
flags |= INHERIT_ONLY_ACE;
if (flags & NO_PROPAGATE_INHERIT_ACE)
flags = 0;
- } else
+ } else {
flags = 0;
+ }
if (!compare_sids(&creator_owner, &parent_aces->sid)) {
creator = &creator_owner;
@@ -1016,8 +1009,9 @@ int smb_inherit_dacl(struct ksmbd_conn *conn, struct dentry *dentry,
aces = (struct smb_ace *)((char *)aces + le16_to_cpu(aces->size));
flags |= INHERIT_ONLY_ACE;
psid = creator;
- } else if (is_dir && !(parent_aces->flags & NO_PROPAGATE_INHERIT_ACE))
+ } else if (is_dir && !(parent_aces->flags & NO_PROPAGATE_INHERIT_ACE)) {
psid = &parent_aces->sid;
+ }
smb_set_ace(aces, psid, parent_aces->type, flags | inherited_flags,
parent_aces->access_req);
@@ -1166,7 +1160,7 @@ int smb_check_perm_dacl(struct ksmbd_conn *conn, struct dentry *dentry,
ace = (struct smb_ace *)((char *)pdacl + sizeof(struct smb_acl));
for (i = 0; i < le32_to_cpu(pdacl->num_aces); i++) {
granted |= le32_to_cpu(ace->access_req);
- ace = (struct smb_ace *) ((char *)ace + le16_to_cpu(ace->size));
+ ace = (struct smb_ace *)((char *)ace + le16_to_cpu(ace->size));
if (end_of_acl < (char *)ace)
goto err_out;
}
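Review bot: the bound check in this loop runs only after `ace` has been advanced, and `if (end_of_acl < (char *)ace)` lets `ace == end_of_acl` through, so the next iteration reads `ace->access_req` and `ace->size` at or past the end of the ACL. The first ACE is also read before any check. Test that the fixed ACE header fits below `end_of_acl` before each dereference, and that `ace->size` is at least the header size; the second loop in this function has the same pattern.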
@@ -1189,7 +1183,7 @@ int smb_check_perm_dacl(struct ksmbd_conn *conn, struct dentry *dentry,
if (!compare_sids(&sid_everyone, &ace->sid))
others_ace = ace;
- ace = (struct smb_ace *) ((char *)ace + le16_to_cpu(ace->size));
+ ace = (struct smb_ace *)((char *)ace + le16_to_cpu(ace->size));
if (end_of_acl < (char *)ace)
goto err_out;
}
@@ -1229,9 +1223,9 @@ int smb_check_perm_dacl(struct ksmbd_conn *conn, struct dentry *dentry,
posix_acl_release(posix_acls);
if (!found) {
- if (others_ace)
+ if (others_ace) {
ace = others_ace;
- else {
+ } else {
ksmbd_debug(SMB, "Can't find corresponding sid\n");
rc = -EACCES;
goto err_out;
@@ -1300,8 +1294,7 @@ int set_info_sec(struct ksmbd_conn *conn, struct ksmbd_tree_connect *tcon,
if (type_check && !(le16_to_cpu(pntsd->type) & DACL_PRESENT))
goto out;
- if (test_share_config_flag(tcon->share_conf,
- KSMBD_SHARE_FLAG_ACL_XATTR)) {
+ if (test_share_config_flag(tcon->share_conf, KSMBD_SHARE_FLAG_ACL_XATTR)) {
/* Update WinACL in xattr */
ksmbd_vfs_remove_sd_xattrs(dentry);
ksmbd_vfs_set_sd_xattr(conn, dentry, pntsd, ntsd_len);
diff --git a/fs/cifsd/time_wrappers.h b/fs/cifsd/time_wrappers.h
index a702ca96947e..31bea2058f88 100644
--- a/fs/cifsd/time_wrappers.h
+++ b/fs/cifsd/time_wrappers.h
@@ -11,13 +11,13 @@
* between different kernel versions.
*/
-#define NTFS_TIME_OFFSET ((u64)(369*365 + 89) * 24 * 3600 * 10000000)
+#define NTFS_TIME_OFFSET ((u64)(369 * 365 + 89) * 24 * 3600 * 10000000)
/* Convert the Unix UTC into NT UTC. */
static inline u64 ksmbd_UnixTimeToNT(struct timespec64 t)
{
/* Convert to 100ns intervals and then add the NTFS time offset. */
- return (u64) t.tv_sec * 10000000 + t.tv_nsec / 100 + NTFS_TIME_OFFSET;
+ return (u64)t.tv_sec * 10000000 + t.tv_nsec / 100 + NTFS_TIME_OFFSET;
}
struct timespec64 ksmbd_NTtimeToUnix(__le64 ntutc);
diff --git a/fs/cifsd/transport_ipc.c b/fs/cifsd/transport_ipc.c
index e5f4d97b2924..1bbff53436b3 100644
--- a/fs/cifsd/transport_ipc.c
+++ b/fs/cifsd/transport_ipc.c
@@ -75,8 +75,7 @@ struct ipc_msg_table_entry {
static struct delayed_work ipc_timer_work;
static int handle_startup_event(struct sk_buff *skb, struct genl_info *info);
-static int handle_unsupported_event(struct sk_buff *skb,
- struct genl_info *info);
+static int handle_unsupported_event(struct sk_buff *skb, struct genl_info *info);
static int handle_generic_event(struct sk_buff *skb, struct genl_info *info);
static int ksmbd_ipc_heartbeat_request(void);
@@ -385,8 +384,7 @@ static int handle_startup_event(struct sk_buff *skb, struct genl_info *info)
return ret;
}
-static int handle_unsupported_event(struct sk_buff *skb,
- struct genl_info *info)
+static int handle_unsupported_event(struct sk_buff *skb, struct genl_info *info)
{
ksmbd_err("Unknown IPC event: %d, ignore.\n", info->genlhdr->cmd);
return -EINVAL;
@@ -453,8 +451,7 @@ static int ipc_msg_send(struct ksmbd_ipc_msg *msg)
return ret;
}
-static void *ipc_msg_send_request(struct ksmbd_ipc_msg *msg,
- unsigned int handle)
+static void *ipc_msg_send_request(struct ksmbd_ipc_msg *msg, unsigned int handle)
{
struct ipc_msg_table_entry entry;
int ret;
@@ -550,9 +547,9 @@ ksmbd_ipc_spnego_authen_request(const char *spnego_blob, int blob_len)
struct ksmbd_tree_connect_response *
ksmbd_ipc_tree_connect_request(struct ksmbd_session *sess,
- struct ksmbd_share_config *share,
- struct ksmbd_tree_connect *tree_conn,
- struct sockaddr *peer_addr)
+ struct ksmbd_share_config *share,
+ struct ksmbd_tree_connect *tree_conn,
+ struct sockaddr *peer_addr)
{
struct ksmbd_ipc_msg *msg;
struct ksmbd_tree_connect_request *req;
@@ -591,7 +588,7 @@ ksmbd_ipc_tree_connect_request(struct ksmbd_session *sess,
}
int ksmbd_ipc_tree_disconnect_request(unsigned long long session_id,
- unsigned long long connect_id)
+ unsigned long long connect_id)
{
struct ksmbd_ipc_msg *msg;
struct ksmbd_tree_disconnect_request *req;
@@ -658,8 +655,7 @@ ksmbd_ipc_share_config_request(const char *name)
return resp;
}
-struct ksmbd_rpc_command *ksmbd_rpc_open(struct ksmbd_session *sess,
- int handle)
+struct ksmbd_rpc_command *ksmbd_rpc_open(struct ksmbd_session *sess, int handle)
{
struct ksmbd_ipc_msg *msg;
struct ksmbd_rpc_command *req;
@@ -681,8 +677,7 @@ struct ksmbd_rpc_command *ksmbd_rpc_open(struct ksmbd_session *sess,
return resp;
}
-struct ksmbd_rpc_command *ksmbd_rpc_close(struct ksmbd_session *sess,
- int handle)
+struct ksmbd_rpc_command *ksmbd_rpc_close(struct ksmbd_session *sess, int handle)
{
struct ksmbd_ipc_msg *msg;
struct ksmbd_rpc_command *req;
@@ -704,10 +699,8 @@ struct ksmbd_rpc_command *ksmbd_rpc_close(struct ksmbd_session *sess,
return resp;
}
-struct ksmbd_rpc_command *ksmbd_rpc_write(struct ksmbd_session *sess,
- int handle,
- void *payload,
- size_t payload_sz)
+struct ksmbd_rpc_command *ksmbd_rpc_write(struct ksmbd_session *sess, int handle,
+ void *payload, size_t payload_sz)
{
struct ksmbd_ipc_msg *msg;
struct ksmbd_rpc_command *req;
@@ -731,8 +724,7 @@ struct ksmbd_rpc_command *ksmbd_rpc_write(struct ksmbd_session *sess,
return resp;
}
-struct ksmbd_rpc_command *ksmbd_rpc_read(struct ksmbd_session *sess,
- int handle)
+struct ksmbd_rpc_command *ksmbd_rpc_read(struct ksmbd_session *sess, int handle)
{
struct ksmbd_ipc_msg *msg;
struct ksmbd_rpc_command *req;
@@ -755,10 +747,8 @@ struct ksmbd_rpc_command *ksmbd_rpc_read(struct ksmbd_session *sess,
return resp;
}
-struct ksmbd_rpc_command *ksmbd_rpc_ioctl(struct ksmbd_session *sess,
- int handle,
- void *payload,
- size_t payload_sz)
+struct ksmbd_rpc_command *ksmbd_rpc_ioctl(struct ksmbd_session *sess, int handle,
+ void *payload, size_t payload_sz)
{
struct ksmbd_ipc_msg *msg;
struct ksmbd_rpc_command *req;
@@ -782,9 +772,8 @@ struct ksmbd_rpc_command *ksmbd_rpc_ioctl(struct ksmbd_session *sess,
return resp;
}
-struct ksmbd_rpc_command *ksmbd_rpc_rap(struct ksmbd_session *sess,
- void *payload,
- size_t payload_sz)
+struct ksmbd_rpc_command *ksmbd_rpc_rap(struct ksmbd_session *sess, void *payload,
+ size_t payload_sz)
{
struct ksmbd_ipc_msg *msg;
struct ksmbd_rpc_command *req;
@@ -885,8 +874,7 @@ int ksmbd_ipc_init(void)
ret = genl_register_family(&ksmbd_genl_family);
if (ret) {
- ksmbd_err("Failed to register KSMBD netlink interface %d\n",
- ret);
+ ksmbd_err("Failed to register KSMBD netlink interface %d\n", ret);
goto cancel_work;
}
diff --git a/fs/cifsd/transport_ipc.h b/fs/cifsd/transport_ipc.h
index 6ed7cbea727e..c3744ed7a085 100644
--- a/fs/cifsd/transport_ipc.h
+++ b/fs/cifsd/transport_ipc.h
@@ -20,9 +20,9 @@ struct sockaddr;
struct ksmbd_tree_connect_response *
ksmbd_ipc_tree_connect_request(struct ksmbd_session *sess,
- struct ksmbd_share_config *share,
- struct ksmbd_tree_connect *tree_conn,
- struct sockaddr *peer_addr);
+ struct ksmbd_share_config *share,
+ struct ksmbd_tree_connect *tree_conn,
+ struct sockaddr *peer_addr);
int ksmbd_ipc_tree_disconnect_request(unsigned long long session_id,
unsigned long long connect_id);
@@ -37,24 +37,16 @@ ksmbd_ipc_spnego_authen_request(const char *spnego_blob, int blob_len);
int ksmbd_ipc_id_alloc(void);
void ksmbd_rpc_id_free(int handle);
-struct ksmbd_rpc_command *ksmbd_rpc_open(struct ksmbd_session *sess,
- int handle);
-struct ksmbd_rpc_command *ksmbd_rpc_close(struct ksmbd_session *sess,
- int handle);
-
-struct ksmbd_rpc_command *ksmbd_rpc_write(struct ksmbd_session *sess,
- int handle,
- void *payload,
- size_t payload_sz);
-struct ksmbd_rpc_command *ksmbd_rpc_read(struct ksmbd_session *sess,
- int handle);
-struct ksmbd_rpc_command *ksmbd_rpc_ioctl(struct ksmbd_session *sess,
- int handle,
- void *payload,
- size_t payload_sz);
-struct ksmbd_rpc_command *ksmbd_rpc_rap(struct ksmbd_session *sess,
- void *payload,
- size_t payload_sz);
+struct ksmbd_rpc_command *ksmbd_rpc_open(struct ksmbd_session *sess, int handle);
+struct ksmbd_rpc_command *ksmbd_rpc_close(struct ksmbd_session *sess, int handle);
+
+struct ksmbd_rpc_command *ksmbd_rpc_write(struct ksmbd_session *sess, int handle,
+ void *payload, size_t payload_sz);
+struct ksmbd_rpc_command *ksmbd_rpc_read(struct ksmbd_session *sess, int handle);
+struct ksmbd_rpc_command *ksmbd_rpc_ioctl(struct ksmbd_session *sess, int handle,
+ void *payload, size_t payload_sz);
+struct ksmbd_rpc_command *ksmbd_rpc_rap(struct ksmbd_session *sess, void *payload,
+ size_t payload_sz);
void ksmbd_ipc_release(void);
void ksmbd_ipc_soft_reset(void);
diff --git a/fs/cifsd/transport_rdma.c b/fs/cifsd/transport_rdma.c
index 45b76847f1e7..8174a97bade4 100644
--- a/fs/cifsd/transport_rdma.c
+++ b/fs/cifsd/transport_rdma.c
@@ -85,7 +85,6 @@ static struct smb_direct_listener {
struct rdma_cm_id *cm_id;
} smb_direct_listener;
-
static struct workqueue_struct *smb_direct_wq;
enum smb_direct_status {
@@ -213,8 +212,8 @@ struct smb_direct_rdma_rw_msg {
static void smb_direct_destroy_pools(struct smb_direct_transport *transport);
static void smb_direct_post_recv_credits(struct work_struct *work);
static int smb_direct_post_send_data(struct smb_direct_transport *t,
- struct smb_direct_send_ctx *send_ctx,
- struct kvec *iov, int niov, int remaining_data_length);
+ struct smb_direct_send_ctx *send_ctx,
+ struct kvec *iov, int niov, int remaining_data_length);
static inline void
*smb_direct_recvmsg_payload(struct smb_direct_recvmsg *recvmsg)
@@ -223,7 +222,7 @@ static inline void
}
static inline bool is_receive_credit_post_required(int receive_credits,
- int avail_recvmsg_count)
+ int avail_recvmsg_count)
{
return receive_credits <= (smb_direct_receive_credit_max >> 3) &&
avail_recvmsg_count >= (receive_credits >> 2);
@@ -246,7 +245,7 @@ smb_direct_recvmsg *get_free_recvmsg(struct smb_direct_transport *t)
}
static void put_recvmsg(struct smb_direct_transport *t,
- struct smb_direct_recvmsg *recvmsg)
+ struct smb_direct_recvmsg *recvmsg)
{
ib_dma_unmap_single(t->cm_id->device, recvmsg->sge.addr,
recvmsg->sge.length, DMA_FROM_DEVICE);
@@ -254,7 +253,6 @@ static void put_recvmsg(struct smb_direct_transport *t,
spin_lock(&t->recvmsg_queue_lock);
list_add(&recvmsg->list, &t->recvmsg_queue);
spin_unlock(&t->recvmsg_queue_lock);
-
}
static struct
@@ -264,8 +262,7 @@ smb_direct_recvmsg *get_empty_recvmsg(struct smb_direct_transport *t)
spin_lock(&t->empty_recvmsg_queue_lock);
if (!list_empty(&t->empty_recvmsg_queue)) {
- recvmsg = list_first_entry(
- &t->empty_recvmsg_queue,
+ recvmsg = list_first_entry(&t->empty_recvmsg_queue,
struct smb_direct_recvmsg, list);
list_del(&recvmsg->list);
}
@@ -274,7 +271,7 @@ smb_direct_recvmsg *get_empty_recvmsg(struct smb_direct_transport *t)
}
static void put_empty_recvmsg(struct smb_direct_transport *t,
- struct smb_direct_recvmsg *recvmsg)
+ struct smb_direct_recvmsg *recvmsg)
{
ib_dma_unmap_single(t->cm_id->device, recvmsg->sge.addr,
recvmsg->sge.length, DMA_FROM_DEVICE);
@@ -285,8 +282,7 @@ static void put_empty_recvmsg(struct smb_direct_transport *t,
}
static void enqueue_reassembly(struct smb_direct_transport *t,
- struct smb_direct_recvmsg *recvmsg,
- int data_length)
+ struct smb_direct_recvmsg *recvmsg, int data_length)
{
spin_lock(&t->reassembly_queue_lock);
list_add_tail(&recvmsg->list, &t->reassembly_queue);
@@ -300,11 +296,9 @@ static void enqueue_reassembly(struct smb_direct_transport *t,
virt_wmb();
t->reassembly_data_length += data_length;
spin_unlock(&t->reassembly_queue_lock);
-
}
-static struct smb_direct_recvmsg *get_first_reassembly(
- struct smb_direct_transport *t)
+static struct smb_direct_recvmsg *get_first_reassembly(struct smb_direct_transport *t)
{
if (!list_empty(&t->reassembly_queue))
return list_first_entry(&t->reassembly_queue,
@@ -423,11 +417,11 @@ static void free_transport(struct smb_direct_transport *t)
recvmsg = get_first_reassembly(t);
if (recvmsg) {
list_del(&recvmsg->list);
- spin_unlock(
- &t->reassembly_queue_lock);
+ spin_unlock(&t->reassembly_queue_lock);
put_recvmsg(t, recvmsg);
- } else
+ } else {
spin_unlock(&t->reassembly_queue_lock);
+ }
} while (recvmsg);
t->reassembly_data_length = 0;
@@ -460,7 +454,7 @@ static struct smb_direct_sendmsg
}
static void smb_direct_free_sendmsg(struct smb_direct_transport *t,
- struct smb_direct_sendmsg *msg)
+ struct smb_direct_sendmsg *msg)
{
int i;
@@ -481,8 +475,8 @@ static int smb_direct_check_recvmsg(struct smb_direct_recvmsg *recvmsg)
switch (recvmsg->type) {
case SMB_DIRECT_MSG_DATA_TRANSFER: {
struct smb_direct_data_transfer *req =
- (struct smb_direct_data_transfer *) recvmsg->packet;
- struct smb2_hdr *hdr = (struct smb2_hdr *) (recvmsg->packet
+ (struct smb_direct_data_transfer *)recvmsg->packet;
+ struct smb2_hdr *hdr = (struct smb2_hdr *)(recvmsg->packet
+ le32_to_cpu(req->data_offset) - 4);
ksmbd_debug(RDMA,
"CreditGranted: %u, CreditRequested: %u, DataLength: %u, RemainingDataLength: %u, SMB: %x, Command: %u\n",
@@ -504,12 +498,12 @@ static int smb_direct_check_recvmsg(struct smb_direct_recvmsg *recvmsg)
le32_to_cpu(req->max_receive_size),
le32_to_cpu(req->max_fragmented_size));
if (le16_to_cpu(req->min_version) > 0x0100 ||
- le16_to_cpu(req->max_version) < 0x0100)
+ le16_to_cpu(req->max_version) < 0x0100)
return -EOPNOTSUPP;
if (le16_to_cpu(req->credits_requested) <= 0 ||
- le32_to_cpu(req->max_receive_size) <= 128 ||
- le32_to_cpu(req->max_fragmented_size) <=
- 128*1024)
+ le32_to_cpu(req->max_receive_size) <= 128 ||
+ le32_to_cpu(req->max_fragmented_size) <=
+ 128 * 1024)
return -ECONNABORTED;
break;
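Review bot: in the negotiate-request checks, `le16_to_cpu(req->credits_requested) <= 0` compares an unsigned 16-bit value against zero, so it can only ever mean `== 0`; write it that way while these lines are being re-indented. The limits 0x0100, 128 and 128 * 1024 would also read better as named constants, since nothing in the hunk says where they come from.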
@@ -595,8 +589,7 @@ static void recv_done(struct ib_cq *cq, struct ib_wc *wc)
if (atomic_read(&t->send_credits) > 0)
wake_up_interruptible(&t->wait_send_credits);
- if (is_receive_credit_post_required(receive_credits,
- avail_recvmsg_count))
+ if (is_receive_credit_post_required(receive_credits, avail_recvmsg_count))
mod_delayed_work(smb_direct_wq,
&t->post_recv_credits_work, 0);
break;
@@ -607,7 +600,7 @@ static void recv_done(struct ib_cq *cq, struct ib_wc *wc)
}
static int smb_direct_post_recv(struct smb_direct_transport *t,
- struct smb_direct_recvmsg *recvmsg)
+ struct smb_direct_recvmsg *recvmsg)
{
struct ib_recv_wr wr;
int ret;
@@ -681,8 +674,7 @@ static int smb_direct_read(struct ksmbd_transport *t, char *buf,
data_transfer = smb_direct_recvmsg_payload(recvmsg);
data_length = le32_to_cpu(data_transfer->data_length);
remaining_data_length =
- le32_to_cpu(
- data_transfer->remaining_data_length);
+ le32_to_cpu(data_transfer->remaining_data_length);
data_offset = le32_to_cpu(data_transfer->data_offset);
/*
@@ -706,9 +698,7 @@ static int smb_direct_read(struct ksmbd_transport *t, char *buf,
}
to_copy = min_t(int, data_length - offset, to_read);
- memcpy(
- buf + data_read,
- (char *)data_transfer + data_offset + offset,
+ memcpy(buf + data_read, (char *)data_transfer + data_offset + offset,
to_copy);
/* move on to the next buffer? */
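Review bot: the memcpy() reflowed here takes its source offset and length from data_offset and data_length, which the preceding hunk shows are read directly from the received data_transfer header, and nothing visible in either hunk bounds data_offset plus data_length by the size of the receive buffer. `min_t(int, data_length - offset, to_read)` also compares as signed int, so a negative difference would be converted to a very large size when passed to memcpy(). If the validation happens before the message is queued for reassembly, say so in a comment here; otherwise add the check before the copy. The same peer-supplied data_offset is used to form hdr for the debug print in smb_direct_check_recvmsg() earlier in this file's diff, and deserves the same check there.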
@@ -718,20 +708,19 @@ static int smb_direct_read(struct ksmbd_transport *t, char *buf,
* No need to lock if we are not at the
* end of the queue
*/
- if (queue_length)
+ if (queue_length) {
list_del(&recvmsg->list);
- else {
- spin_lock_irq(
- &st->reassembly_queue_lock);
+ } else {
+ spin_lock_irq(&st->reassembly_queue_lock);
list_del(&recvmsg->list);
- spin_unlock_irq(
- &st->reassembly_queue_lock);
+ spin_unlock_irq(&st->reassembly_queue_lock);
}
queue_removed++;
put_recvmsg(st, recvmsg);
offset = 0;
- } else
+ } else {
offset += to_copy;
+ }
to_read -= to_copy;
data_read += to_copy;
@@ -744,13 +733,13 @@ static int smb_direct_read(struct ksmbd_transport *t, char *buf,
spin_lock(&st->receive_credit_lock);
st->count_avail_recvmsg += queue_removed;
- if (is_receive_credit_post_required(st->recv_credits,
- st->count_avail_recvmsg)) {
+ if (is_receive_credit_post_required(st->recv_credits, st->count_avail_recvmsg)) {
spin_unlock(&st->receive_credit_lock);
mod_delayed_work(smb_direct_wq,
&st->post_recv_credits_work, 0);
- } else
+ } else {
spin_unlock(&st->receive_credit_lock);
+ }
st->first_entry_offset = offset;
ksmbd_debug(RDMA,
@@ -762,10 +751,8 @@ static int smb_direct_read(struct ksmbd_transport *t, char *buf,
}
ksmbd_debug(RDMA, "wait_event on more data\n");
- rc = wait_event_interruptible(
- st->wait_reassembly_queue,
- st->reassembly_data_length >= size ||
- st->status != SMB_DIRECT_CS_CONNECTED);
+ rc = wait_event_interruptible(st->wait_reassembly_queue,
+ st->reassembly_data_length >= size || st->status != SMB_DIRECT_CS_CONNECTED);
if (rc)
return -EINTR;
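Review bot: the rewritten wait_event_interruptible() call puts both wake-up conditions on a single continuation line (`st->reassembly_data_length >= size || st->status != SMB_DIRECT_CS_CONNECTED`), which is longer and harder to scan than the one-condition-per-line layout it replaces. Keeping the first argument on the opening line is fine, but leave the two conditions on separate lines.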
@@ -795,8 +782,9 @@ static void smb_direct_post_recv_credits(struct work_struct *work)
if (use_free) {
use_free = 0;
continue;
- } else
+ } else {
break;
+ }
}
recvmsg->type = SMB_DIRECT_MSG_DATA_TRANSFER;
@@ -904,8 +892,8 @@ static int smb_direct_post_send(struct smb_direct_transport *t,
}
static void smb_direct_send_ctx_init(struct smb_direct_transport *t,
- struct smb_direct_send_ctx *send_ctx,
- bool need_invalidate_rkey, unsigned int remote_key)
+ struct smb_direct_send_ctx *send_ctx,
+ bool need_invalidate_rkey, unsigned int remote_key)
{
INIT_LIST_HEAD(&send_ctx->msg_list);
send_ctx->wr_cnt = 0;
@@ -914,7 +902,7 @@ static void smb_direct_send_ctx_init(struct smb_direct_transport *t,
}
static int smb_direct_flush_send_list(struct smb_direct_transport *t,
- struct smb_direct_send_ctx *send_ctx, bool is_last)
+ struct smb_direct_send_ctx *send_ctx, bool is_last)
{
struct smb_direct_sendmsg *first, *last;
int ret;
@@ -973,12 +961,12 @@ static int wait_for_credits(struct smb_direct_transport *t,
}
static int wait_for_send_credits(struct smb_direct_transport *t,
- struct smb_direct_send_ctx *send_ctx)
+ struct smb_direct_send_ctx *send_ctx)
{
int ret;
if (send_ctx && (send_ctx->wr_cnt >= 16 ||
- atomic_read(&t->send_credits) <= 1)) {
+ atomic_read(&t->send_credits) <= 1)) {
ret = smb_direct_flush_send_list(t, send_ctx, false);
if (ret)
return ret;
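Review bot: the flush threshold in `send_ctx->wr_cnt >= 16` is a bare number with no explanation of why 16 work requests is the limit. Since the condition is being touched anyway, give it a named constant next to the other SMB_DIRECT_* limits and a one-line comment on how it relates to the send queue depth.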
@@ -1048,8 +1036,7 @@ static int smb_direct_create_header(struct smb_direct_transport *t,
return 0;
}
-static int get_sg_list(void *buf, int size,
- struct scatterlist *sg_list, int nentries)
+static int get_sg_list(void *buf, int size, struct scatterlist *sg_list, int nentries)
{
bool high = is_vmalloc_addr(buf);
struct page *page;
@@ -1082,8 +1069,8 @@ static int get_sg_list(void *buf, int size,
}
static int get_mapped_sg_list(struct ib_device *device, void *buf, int size,
- struct scatterlist *sg_list, int nentries,
- enum dma_data_direction dir)
+ struct scatterlist *sg_list, int nentries,
+ enum dma_data_direction dir)
{
int npages;
@@ -1094,8 +1081,8 @@ static int get_mapped_sg_list(struct ib_device *device, void *buf, int size,
}
static int post_sendmsg(struct smb_direct_transport *t,
- struct smb_direct_send_ctx *send_ctx,
- struct smb_direct_sendmsg *msg)
+ struct smb_direct_send_ctx *send_ctx,
+ struct smb_direct_sendmsg *msg)
{
int i;
@@ -1132,13 +1119,13 @@ static int post_sendmsg(struct smb_direct_transport *t,
}
static int smb_direct_post_send_data(struct smb_direct_transport *t,
- struct smb_direct_send_ctx *send_ctx,
- struct kvec *iov, int niov, int remaining_data_length)
+ struct smb_direct_send_ctx *send_ctx,
+ struct kvec *iov, int niov, int remaining_data_length)
{
int i, j, ret;
struct smb_direct_sendmsg *msg;
int data_length;
- struct scatterlist sg[SMB_DIRECT_MAX_SEND_SGES-1];
+ struct scatterlist sg[SMB_DIRECT_MAX_SEND_SGES - 1];
ret = wait_for_send_credits(t, send_ctx);
if (ret)
@@ -1159,15 +1146,15 @@ static int smb_direct_post_send_data(struct smb_direct_transport *t,
struct ib_sge *sge;
int sg_cnt;
- sg_init_table(sg, SMB_DIRECT_MAX_SEND_SGES-1);
+ sg_init_table(sg, SMB_DIRECT_MAX_SEND_SGES - 1);
sg_cnt = get_mapped_sg_list(t->cm_id->device,
iov[i].iov_base, iov[i].iov_len,
- sg, SMB_DIRECT_MAX_SEND_SGES-1, DMA_TO_DEVICE);
+ sg, SMB_DIRECT_MAX_SEND_SGES - 1, DMA_TO_DEVICE);
if (sg_cnt <= 0) {
ksmbd_err("failed to map buffer\n");
ret = -ENOMEM;
goto err;
- } else if (sg_cnt + msg->num_sge > SMB_DIRECT_MAX_SEND_SGES-1) {
+ } else if (sg_cnt + msg->num_sge > SMB_DIRECT_MAX_SEND_SGES - 1) {
ksmbd_err("buffer not fitted into sges\n");
ret = -E2BIG;
ib_dma_unmap_sg(t->cm_id->device, sg, sg_cnt,
@@ -1195,8 +1182,8 @@ static int smb_direct_post_send_data(struct smb_direct_transport *t,
}
static int smb_direct_writev(struct ksmbd_transport *t,
- struct kvec *iov, int niovs, int buflen,
- bool need_invalidate, unsigned int remote_key)
+ struct kvec *iov, int niovs, int buflen,
+ bool need_invalidate, unsigned int remote_key)
{
struct smb_direct_transport *st = SMB_DIRECT_TRANS(t);
int remaining_data_length;
@@ -1228,24 +1215,24 @@ static int smb_direct_writev(struct ksmbd_transport *t,
if (buflen > max_iov_size) {
if (i > start) {
remaining_data_length -=
- (buflen-iov[i].iov_len);
+ (buflen - iov[i].iov_len);
ret = smb_direct_post_send_data(st, &send_ctx,
- &iov[start], i-start,
+ &iov[start], i - start,
remaining_data_length);
if (ret)
goto done;
} else {
/* iov[start] is too big, break it */
- int nvec = (buflen+max_iov_size-1) /
+ int nvec = (buflen + max_iov_size - 1) /
max_iov_size;
for (j = 0; j < nvec; j++) {
vec.iov_base =
(char *)iov[start].iov_base +
- j*max_iov_size;
+ j * max_iov_size;
vec.iov_len =
min_t(int, max_iov_size,
- buflen - max_iov_size*j);
+ buflen - max_iov_size * j);
remaining_data_length -= vec.iov_len;
ret = smb_direct_post_send_data(st,
&send_ctx, &vec, 1,
@@ -1265,7 +1252,7 @@ static int smb_direct_writev(struct ksmbd_transport *t,
/* send out all remaining vecs */
remaining_data_length -= buflen;
ret = smb_direct_post_send_data(st, &send_ctx,
- &iov[start], i-start,
+ &iov[start], i - start,
remaining_data_length);
if (ret)
goto done;
@@ -1290,7 +1277,7 @@ static int smb_direct_writev(struct ksmbd_transport *t,
}
static void read_write_done(struct ib_cq *cq, struct ib_wc *wc,
- enum dma_data_direction dir)
+ enum dma_data_direction dir)
{
struct smb_direct_rdma_rw_msg *msg = container_of(wc->wr_cqe,
struct smb_direct_rdma_rw_msg, cqe);
@@ -1323,8 +1310,8 @@ static void write_done(struct ib_cq *cq, struct ib_wc *wc)
}
static int smb_direct_rdma_xmit(struct smb_direct_transport *t, void *buf,
- int buf_len, u32 remote_key, u64 remote_offset, u32 remote_len,
- bool is_read)
+ int buf_len, u32 remote_key, u64 remote_offset, u32 remote_len,
+ bool is_read)
{
struct smb_direct_rdma_rw_msg *msg;
int ret;
@@ -1392,23 +1379,20 @@ static int smb_direct_rdma_xmit(struct smb_direct_transport *t, void *buf,
sg_free_table_chained(&msg->sgt, SG_CHUNK_SIZE);
kfree(msg);
return ret;
-
}
-static int smb_direct_rdma_write(struct ksmbd_transport *t,
- void *buf, unsigned int buflen,
- u32 remote_key, u64 remote_offset,
- u32 remote_len)
+static int smb_direct_rdma_write(struct ksmbd_transport *t, void *buf,
+ unsigned int buflen, u32 remote_key, u64 remote_offset,
+ u32 remote_len)
{
return smb_direct_rdma_xmit(SMB_DIRECT_TRANS(t), buf, buflen,
remote_key, remote_offset,
remote_len, false);
}
-static int smb_direct_rdma_read(struct ksmbd_transport *t,
- void *buf, unsigned int buflen,
- u32 remote_key, u64 remote_offset,
- u32 remote_len)
+static int smb_direct_rdma_read(struct ksmbd_transport *t, void *buf,
+ unsigned int buflen, u32 remote_key, u64 remote_offset,
+ u32 remote_len)
{
return smb_direct_rdma_xmit(SMB_DIRECT_TRANS(t), buf, buflen,
remote_key, remote_offset,
@@ -1428,7 +1412,7 @@ static void smb_direct_disconnect(struct ksmbd_transport *t)
}
static int smb_direct_cm_handler(struct rdma_cm_id *cm_id,
- struct rdma_cm_event *event)
+ struct rdma_cm_event *event)
{
struct smb_direct_transport *t = cm_id->context;
@@ -1505,8 +1489,7 @@ static int smb_direct_send_negotiate_response(struct smb_direct_transport *t,
resp->reserved = 0;
resp->credits_requested =
cpu_to_le16(t->send_credit_target);
- resp->credits_granted = cpu_to_le16(
- manage_credits_prior_sending(t));
+ resp->credits_granted = cpu_to_le16(manage_credits_prior_sending(t));
resp->max_readwrite_size = cpu_to_le32(t->max_rdma_rw_size);
resp->preferred_send_size = cpu_to_le32(t->max_send_size);
resp->max_receive_size = cpu_to_le32(t->max_recv_size);
@@ -1665,7 +1648,7 @@ static int smb_direct_init_params(struct smb_direct_transport *t,
max_send_wrs = smb_direct_send_credit_target + max_rw_wrs;
if (max_send_wrs > device->attrs.max_cqe ||
- max_send_wrs > device->attrs.max_qp_wr) {
+ max_send_wrs > device->attrs.max_qp_wr) {
ksmbd_err("consider lowering send_credit_target = %d, or max_outstanding_rw_ops = %d\n",
smb_direct_send_credit_target,
smb_direct_max_outstanding_rw_ops);
@@ -1936,7 +1919,7 @@ static int smb_direct_handle_connect_request(struct rdma_cm_id *new_cm_id)
}
static int smb_direct_listen_handler(struct rdma_cm_id *cm_id,
- struct rdma_cm_event *event)
+ struct rdma_cm_event *event)
{
switch (event->event) {
case RDMA_CM_EVENT_CONNECT_REQUEST: {
@@ -2010,7 +1993,7 @@ int ksmbd_rdma_init(void)
* for lack of credits
*/
smb_direct_wq = alloc_workqueue("ksmbd-smb_direct-wq",
- WQ_HIGHPRI|WQ_MEM_RECLAIM, 0);
+ WQ_HIGHPRI | WQ_MEM_RECLAIM, 0);
if (!smb_direct_wq)
return -ENOMEM;
diff --git a/fs/cifsd/transport_tcp.c b/fs/cifsd/transport_tcp.c
index 5dd8641f66ba..67163efcf472 100644
--- a/fs/cifsd/transport_tcp.c
+++ b/fs/cifsd/transport_tcp.c
@@ -13,8 +13,8 @@
#include "connection.h"
#include "transport_tcp.h"
-#define IFACE_STATE_DOWN (1 << 0)
-#define IFACE_STATE_CONFIGURED (1 << 1)
+#define IFACE_STATE_DOWN BIT(0)
+#define IFACE_STATE_CONFIGURED BIT(1)
struct interface {
struct task_struct *ksmbd_kthread;
@@ -113,7 +113,7 @@ static void free_transport(struct tcp_transport *t)
* Return: Number of IO segments
*/
static unsigned int kvec_array_init(struct kvec *new, struct kvec *iov,
- unsigned int nr_segs, size_t bytes)
+ unsigned int nr_segs, size_t bytes)
{
size_t base = 0;
@@ -142,8 +142,7 @@ static unsigned int kvec_array_init(struct kvec *new, struct kvec *iov,
*
* Return: return existing or newly allocate iovec
*/
-static struct kvec *get_conn_iovec(struct tcp_transport *t,
- unsigned int nr_segs)
+static struct kvec *get_conn_iovec(struct tcp_transport *t, unsigned int nr_segs)
{
struct kvec *new_iov;
@@ -287,10 +286,8 @@ static int ksmbd_tcp_run_kthread(struct interface *iface)
* Return: on success return number of bytes read from socket,
* otherwise return error number
*/
-static int ksmbd_tcp_readv(struct tcp_transport *t,
- struct kvec *iov_orig,
- unsigned int nr_segs,
- unsigned int to_read)
+static int ksmbd_tcp_readv(struct tcp_transport *t, struct kvec *iov_orig,
+ unsigned int nr_segs, unsigned int to_read)
{
int length = 0;
int total_read;
@@ -345,9 +342,7 @@ static int ksmbd_tcp_readv(struct tcp_transport *t,
* Return: on success return number of bytes read from socket,
* otherwise return error number
*/
-static int ksmbd_tcp_read(struct ksmbd_transport *t,
- char *buf,
- unsigned int to_read)
+static int ksmbd_tcp_read(struct ksmbd_transport *t, char *buf, unsigned int to_read)
{
struct kvec iov;
@@ -357,9 +352,8 @@ static int ksmbd_tcp_read(struct ksmbd_transport *t,
return ksmbd_tcp_readv(TCP_TRANS(t), &iov, 1, to_read);
}
-static int ksmbd_tcp_writev(struct ksmbd_transport *t,
- struct kvec *iov, int nvecs, int size,
- bool need_invalidate, unsigned int remote_key)
+static int ksmbd_tcp_writev(struct ksmbd_transport *t, struct kvec *iov,
+ int nvecs, int size, bool need_invalidate, unsigned int remote_key)
{
struct msghdr smb_msg = {.msg_flags = MSG_NOSIGNAL};
@@ -473,7 +467,7 @@ static int create_socket(struct interface *iface)
}
static int ksmbd_netdev_event(struct notifier_block *nb, unsigned long event,
- void *ptr)
+ void *ptr)
{
struct net_device *netdev = netdev_notifier_info_to_dev(ptr);
struct interface *iface;
@@ -523,7 +517,6 @@ static int ksmbd_netdev_event(struct notifier_block *nb, unsigned long event,
}
return NOTIFY_DONE;
-
}
static struct notifier_block ksmbd_netdev_notifier = {
diff --git a/fs/cifsd/unicode.c b/fs/cifsd/unicode.c
index 22a4d10a2000..38bba50c4f16 100644
--- a/fs/cifsd/unicode.c
+++ b/fs/cifsd/unicode.c
@@ -26,9 +26,8 @@
*
* Return: string length after conversion
*/
-static int smb_utf16_bytes(const __le16 *from,
- int maxbytes,
- const struct nls_table *codepage)
+static int smb_utf16_bytes(const __le16 *from, int maxbytes,
+ const struct nls_table *codepage)
{
int i;
int charlen, outlen = 0;
@@ -66,7 +65,7 @@ static int smb_utf16_bytes(const __le16 *from,
*/
static int
cifs_mapchar(char *target, const __u16 src_char, const struct nls_table *cp,
- bool mapchar)
+ bool mapchar)
{
int len = 1;
@@ -124,9 +123,9 @@ static inline int is_char_allowed(char *ch)
{
/* check for control chars, wildcards etc. */
if (!(*ch & 0x80) &&
- (*ch <= 0x1f ||
- *ch == '?' || *ch == '"' || *ch == '<' ||
- *ch == '>' || *ch == '|'))
+ (*ch <= 0x1f ||
+ *ch == '?' || *ch == '"' || *ch == '<' ||
+ *ch == '>' || *ch == '|'))
return 0;
return 1;
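Review bot: the comment in is_char_allowed() says it rejects "control chars, wildcards etc.", but the set being re-indented here lists '?', '"', '<', '>' and '|' and does not include '*'. If '*' is allowed on purpose, the comment should say so; if not, it belongs in the list. The parameter is only read, so `const char *ch` would also be the better signature.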
@@ -156,12 +155,8 @@ static inline int is_char_allowed(char *ch)
*
* Return: string length after conversion
*/
-static int smb_from_utf16(char *to,
- const __le16 *from,
- int tolen,
- int fromlen,
- const struct nls_table *codepage,
- bool mapchar)
+static int smb_from_utf16(char *to, const __le16 *from, int tolen, int fromlen,
+ const struct nls_table *codepage, bool mapchar)
{
int i, charlen, safelen;
int outlen = 0;
@@ -214,8 +209,7 @@ static int smb_from_utf16(char *to,
*
* Return: string length after conversion
*/
-int
-smb_strtoUTF16(__le16 *to, const char *from, int len,
+int smb_strtoUTF16(__le16 *to, const char *from, int len,
const struct nls_table *codepage)
{
int charlen;
@@ -230,7 +224,7 @@ smb_strtoUTF16(__le16 *to, const char *from, int len,
* in destination len is length in wchar_t units (16bits)
*/
i = utf8s_to_utf16s(from, len, UTF16_LITTLE_ENDIAN,
- (wchar_t *) to, len);
+ (wchar_t *)to, len);
/* if success terminate and exit */
if (i >= 0)
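Review bot: the utf8s_to_utf16s() call passes the same `len` as the input byte count and as the output capacity in 16-bit units, and smb_strtoUTF16() has no parameter for the size of `to`. That makes the bound on the destination depend entirely on every caller allocating at least len 16-bit units plus room for the terminator written on success. Either add a destination length argument or state the requirement in the kernel-doc comment above the function.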
@@ -272,20 +266,19 @@ smb_strtoUTF16(__le16 *to, const char *from, int len,
*
* Return: destination string buffer or error ptr
*/
-char *
-smb_strndup_from_utf16(const char *src, const int maxlen,
- const bool is_unicode, const struct nls_table *codepage)
+char *smb_strndup_from_utf16(const char *src, const int maxlen,
+ const bool is_unicode, const struct nls_table *codepage)
{
int len, ret;
char *dst;
if (is_unicode) {
- len = smb_utf16_bytes((__le16 *) src, maxlen, codepage);
+ len = smb_utf16_bytes((__le16 *)src, maxlen, codepage);
len += nls_nullsize(codepage);
dst = kmalloc(len, GFP_KERNEL);
if (!dst)
return ERR_PTR(-ENOMEM);
- ret = smb_from_utf16(dst, (__le16 *) src, len, maxlen, codepage,
+ ret = smb_from_utf16(dst, (__le16 *)src, len, maxlen, codepage,
false);
if (ret < 0) {
kfree(dst);
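Review bot: the two casts tidied here, `(__le16 *)src`, drop the const qualifier from `const char *src`, although both smb_utf16_bytes() and smb_from_utf16() declare their `from` parameter as `const __le16 *` in the hunks above. Use `(const __le16 *)src` in both calls so the cast does not silently discard const.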
@@ -324,9 +317,8 @@ smb_strndup_from_utf16(const char *src, const int maxlen,
*
* Return: char length after conversion
*/
-int
-smbConvertToUTF16(__le16 *target, const char *source, int srclen,
- const struct nls_table *cp, int mapchars)
+int smbConvertToUTF16(__le16 *target, const char *source, int srclen,
+ const struct nls_table *cp, int mapchars)
{
int i, j, charlen;
char src_char;
diff --git a/fs/cifsd/unicode.h b/fs/cifsd/unicode.h
index 7135d62bf9b0..c37d7024cf60 100644
--- a/fs/cifsd/unicode.h
+++ b/fs/cifsd/unicode.h
@@ -32,13 +32,13 @@
* reserved symbols (along with \ and /), otherwise illegal to store
* in filenames in NTFS
*/
-#define UNI_ASTERISK ((__u16) ('*' + 0xF000))
-#define UNI_QUESTION ((__u16) ('?' + 0xF000))
-#define UNI_COLON ((__u16) (':' + 0xF000))
-#define UNI_GRTRTHAN ((__u16) ('>' + 0xF000))
-#define UNI_LESSTHAN ((__u16) ('<' + 0xF000))
-#define UNI_PIPE ((__u16) ('|' + 0xF000))
-#define UNI_SLASH ((__u16) ('\\' + 0xF000))
+#define UNI_ASTERISK ((__u16)('*' + 0xF000))
+#define UNI_QUESTION ((__u16)('?' + 0xF000))
+#define UNI_COLON ((__u16)(':' + 0xF000))
+#define UNI_GRTRTHAN ((__u16)('>' + 0xF000))
+#define UNI_LESSTHAN ((__u16)('<' + 0xF000))
+#define UNI_PIPE ((__u16)('|' + 0xF000))
+#define UNI_SLASH ((__u16)('\\' + 0xF000))
/* Just define what we want from uniupr.h. We don't want to define the tables
* in each source file.
@@ -63,13 +63,12 @@ extern const struct UniCaseRange CifsUniLowerRange[];
#ifdef __KERNEL__
int smb_strtoUTF16(__le16 *to, const char *from, int len,
- const struct nls_table *codepage);
-char *smb_strndup_from_utf16(const char *src, const int maxlen,
- const bool is_unicode,
const struct nls_table *codepage);
-extern int smbConvertToUTF16(__le16 *target, const char *source, int srclen,
+char *smb_strndup_from_utf16(const char *src, const int maxlen,
+ const bool is_unicode, const struct nls_table *codepage);
+int smbConvertToUTF16(__le16 *target, const char *source, int srclen,
const struct nls_table *cp, int mapchars);
-extern char *ksmbd_extract_sharename(char *treename);
+char *ksmbd_extract_sharename(char *treename);
#endif
wchar_t cifs_toupper(wchar_t in);
@@ -80,8 +79,7 @@ wchar_t cifs_toupper(wchar_t in);
* Returns:
* Address of the first string
*/
- static inline wchar_t *
-UniStrcat(wchar_t *ucs1, const wchar_t *ucs2)
+static inline wchar_t *UniStrcat(wchar_t *ucs1, const wchar_t *ucs2)
{
wchar_t *anchor = ucs1; /* save a pointer to start of ucs1 */
@@ -100,14 +98,13 @@ UniStrcat(wchar_t *ucs1, const wchar_t *ucs2)
* Address of first occurrence of character in string
* or NULL if the character is not in the string
*/
- static inline wchar_t *
-UniStrchr(const wchar_t *ucs, wchar_t uc)
+static inline wchar_t *UniStrchr(const wchar_t *ucs, wchar_t uc)
{
while ((*ucs != uc) && *ucs)
ucs++;
if (*ucs == uc)
- return (wchar_t *) ucs;
+ return (wchar_t *)ucs;
return NULL;
}
@@ -119,21 +116,19 @@ UniStrchr(const wchar_t *ucs, wchar_t uc)
* = 0: Strings are equal
* > 0: First string is greater than second
*/
- static inline int
-UniStrcmp(const wchar_t *ucs1, const wchar_t *ucs2)
+static inline int UniStrcmp(const wchar_t *ucs1, const wchar_t *ucs2)
{
while ((*ucs1 == *ucs2) && *ucs1) {
ucs1++;
ucs2++;
}
- return (int) *ucs1 - (int) *ucs2;
+ return (int)*ucs1 - (int)*ucs2;
}
/*
* UniStrcpy: Copy a string
*/
- static inline wchar_t *
-UniStrcpy(wchar_t *ucs1, const wchar_t *ucs2)
+static inline wchar_t *UniStrcpy(wchar_t *ucs1, const wchar_t *ucs2)
{
wchar_t *anchor = ucs1; /* save the start of result string */
@@ -145,8 +140,7 @@ UniStrcpy(wchar_t *ucs1, const wchar_t *ucs2)
/*
* UniStrlen: Return the length of a string (in 16 bit Unicode chars not bytes)
*/
- static inline size_t
-UniStrlen(const wchar_t *ucs1)
+static inline size_t UniStrlen(const wchar_t *ucs1)
{
int i = 0;
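Review bot: UniStrlen() is declared to return size_t but counts with `int i`, so the two types disagree on sign and width. Declare the counter as size_t to match the return type; the same applies to UniStrnlen() in the next hunk, which also takes its limit as `int maxlen`.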
@@ -159,8 +153,7 @@ UniStrlen(const wchar_t *ucs1)
* UniStrnlen: Return the length (in 16 bit Unicode chars not bytes) of a
* string (length limited)
*/
- static inline size_t
-UniStrnlen(const wchar_t *ucs1, int maxlen)
+static inline size_t UniStrnlen(const wchar_t *ucs1, int maxlen)
{
int i = 0;
@@ -175,8 +168,7 @@ UniStrnlen(const wchar_t *ucs1, int maxlen)
/*
* UniStrncat: Concatenate length limited string
*/
- static inline wchar_t *
-UniStrncat(wchar_t *ucs1, const wchar_t *ucs2, size_t n)
+static inline wchar_t *UniStrncat(wchar_t *ucs1, const wchar_t *ucs2, size_t n)
{
wchar_t *anchor = ucs1; /* save pointer to string 1 */
@@ -194,8 +186,7 @@ UniStrncat(wchar_t *ucs1, const wchar_t *ucs2, size_t n)
/*
* UniStrncmp: Compare length limited string
*/
- static inline int
-UniStrncmp(const wchar_t *ucs1, const wchar_t *ucs2, size_t n)
+static inline int UniStrncmp(const wchar_t *ucs1, const wchar_t *ucs2, size_t n)
{
if (!n)
return 0; /* Null strings are equal */
@@ -203,7 +194,7 @@ UniStrncmp(const wchar_t *ucs1, const wchar_t *ucs2, size_t n)
ucs1++;
ucs2++;
}
- return (int) *ucs1 - (int) *ucs2;
+ return (int)*ucs1 - (int)*ucs2;
}
/*
@@ -218,14 +209,13 @@ UniStrncmp_le(const wchar_t *ucs1, const wchar_t *ucs2, size_t n)
ucs1++;
ucs2++;
}
- return (int) *ucs1 - (int) __le16_to_cpu(*ucs2);
+ return (int)*ucs1 - (int)__le16_to_cpu(*ucs2);
}
/*
* UniStrncpy: Copy length limited string with pad
*/
- static inline wchar_t *
-UniStrncpy(wchar_t *ucs1, const wchar_t *ucs2, size_t n)
+static inline wchar_t *UniStrncpy(wchar_t *ucs1, const wchar_t *ucs2, size_t n)
{
wchar_t *anchor = ucs1;
@@ -241,8 +231,7 @@ UniStrncpy(wchar_t *ucs1, const wchar_t *ucs2, size_t n)
/*
* UniStrncpy_le: Copy length limited string with pad to little-endian
*/
- static inline wchar_t *
-UniStrncpy_le(wchar_t *ucs1, const wchar_t *ucs2, size_t n)
+static inline wchar_t *UniStrncpy_le(wchar_t *ucs1, const wchar_t *ucs2, size_t n)
{
wchar_t *anchor = ucs1;
@@ -262,8 +251,7 @@ UniStrncpy_le(wchar_t *ucs1, const wchar_t *ucs2, size_t n)
* Address of first match found
* NULL if no matching string is found
*/
- static inline wchar_t *
-UniStrstr(const wchar_t *ucs1, const wchar_t *ucs2)
+static inline wchar_t *UniStrstr(const wchar_t *ucs1, const wchar_t *ucs2)
{
const wchar_t *anchor1 = ucs1;
const wchar_t *anchor2 = ucs2;
@@ -275,14 +263,14 @@ UniStrstr(const wchar_t *ucs1, const wchar_t *ucs2)
ucs2++;
} else {
if (!*ucs2) /* Match found */
- return (wchar_t *) anchor1;
+ return (wchar_t *)anchor1;
ucs1 = ++anchor1; /* No match */
ucs2 = anchor2;
}
}
if (!*ucs2) /* Both end together */
- return (wchar_t *) anchor1; /* Match found */
+ return (wchar_t *)anchor1; /* Match found */
return NULL; /* No match */
}
@@ -290,8 +278,7 @@ UniStrstr(const wchar_t *ucs1, const wchar_t *ucs2)
/*
* UniToupper: Convert a unicode character to upper case
*/
- static inline wchar_t
-UniToupper(register wchar_t uc)
+static inline wchar_t UniToupper(register wchar_t uc)
{
register const struct UniCaseRange *rp;
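Review bot: the signature being joined onto one line still carries the `register` storage class, in `UniToupper(register wchar_t uc)` and in `register const struct UniCaseRange *rp`. Compilers ignore the hint, so a style cleanup like this one is the natural place to drop it here and in UniStrupr(), UniTolower() and UniStrlwr() below.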
@@ -314,8 +301,7 @@ UniToupper(register wchar_t uc)
/*
* UniStrupr: Upper case a unicode string
*/
- static inline __le16 *
-UniStrupr(register __le16 *upin)
+static inline __le16 *UniStrupr(register __le16 *upin)
{
register __le16 *up;
@@ -332,8 +318,7 @@ UniStrupr(register __le16 *upin)
/*
* UniTolower: Convert a unicode character to lower case
*/
- static inline wchar_t
-UniTolower(register wchar_t uc)
+static inline wchar_t UniTolower(register wchar_t uc)
{
register const struct UniCaseRange *rp;
@@ -356,8 +341,7 @@ UniTolower(register wchar_t uc)
/*
* UniStrlwr: Lower case a unicode string
*/
- static inline wchar_t *
-UniStrlwr(register wchar_t *upin)
+static inline wchar_t *UniStrlwr(register wchar_t *upin)
{
register wchar_t *up;
diff --git a/fs/cifsd/vfs.c b/fs/cifsd/vfs.c
index da44d131e25b..69dc1ee0fc75 100644
--- a/fs/cifsd/vfs.c
+++ b/fs/cifsd/vfs.c
@@ -61,19 +61,17 @@ static void rollback_path_modification(char *filename)
}
static void ksmbd_vfs_inherit_owner(struct ksmbd_work *work,
- struct inode *parent_inode,
- struct inode *inode)
+ struct inode *parent_inode, struct inode *inode)
{
if (!test_share_config_flag(work->tcon->share_conf,
- KSMBD_SHARE_FLAG_INHERIT_OWNER))
+ KSMBD_SHARE_FLAG_INHERIT_OWNER))
return;
i_uid_write(inode, i_uid_read(parent_inode));
}
static void ksmbd_vfs_inherit_smack(struct ksmbd_work *work,
- struct dentry *dir_dentry,
- struct dentry *dentry)
+ struct dentry *dir_dentry, struct dentry *dentry)
{
char *name, *xattr_list = NULL, *smack_buf;
int value_len, xattr_list_len;
@@ -173,7 +171,6 @@ int ksmbd_vfs_query_maximal_access(struct dentry *dentry, __le32 *daccess)
return 0;
}
-
/**
* ksmbd_vfs_create() - vfs helper for smb create file
* @work: work
@@ -182,9 +179,7 @@ int ksmbd_vfs_query_maximal_access(struct dentry *dentry, __le32 *daccess)
*
* Return: 0 on success, otherwise error
*/
-int ksmbd_vfs_create(struct ksmbd_work *work,
- const char *name,
- umode_t mode)
+int ksmbd_vfs_create(struct ksmbd_work *work, const char *name, umode_t mode)
{
struct path path;
struct dentry *dentry;
@@ -220,9 +215,7 @@ int ksmbd_vfs_create(struct ksmbd_work *work,
*
* Return: 0 on success, otherwise error
*/
-int ksmbd_vfs_mkdir(struct ksmbd_work *work,
- const char *name,
- umode_t mode)
+int ksmbd_vfs_mkdir(struct ksmbd_work *work, const char *name, umode_t mode)
{
struct path path;
struct dentry *dentry;
@@ -243,17 +236,16 @@ int ksmbd_vfs_mkdir(struct ksmbd_work *work,
ksmbd_vfs_inherit_owner(work, d_inode(path.dentry),
d_inode(dentry));
ksmbd_vfs_inherit_smack(work, path.dentry, dentry);
- } else
+ } else {
ksmbd_err("mkdir(%s): creation failed (err:%d)\n", name, err);
+ }
done_path_create(&path, dentry);
return err;
}
-static ssize_t ksmbd_vfs_getcasexattr(struct dentry *dentry,
- char *attr_name,
- int attr_name_len,
- char **attr_value)
+static ssize_t ksmbd_vfs_getcasexattr(struct dentry *dentry, char *attr_name,
+ int attr_name_len, char **attr_value)
{
char *name, *xattr_list = NULL;
ssize_t value_len = -ENOENT, xattr_list_len;
@@ -282,7 +274,7 @@ static ssize_t ksmbd_vfs_getcasexattr(struct dentry *dentry,
}
static int ksmbd_vfs_stream_read(struct ksmbd_file *fp, char *buf, loff_t *pos,
- size_t count)
+ size_t count)
{
ssize_t v_len;
char *stream_buf = NULL;
@@ -314,10 +306,8 @@ static int ksmbd_vfs_stream_read(struct ksmbd_file *fp, char *buf, loff_t *pos,
*
* Return: 0 on success, otherwise error
*/
-static int check_lock_range(struct file *filp,
- loff_t start,
- loff_t end,
- unsigned char type)
+static int check_lock_range(struct file *filp, loff_t start, loff_t end,
+ unsigned char type)
{
struct file_lock *flock;
struct file_lock_context *ctx = file_inode(filp)->i_flctx;
@@ -360,9 +350,7 @@ static int check_lock_range(struct file *filp,
*
* Return: number of read bytes on success, otherwise error
*/
-int ksmbd_vfs_read(struct ksmbd_work *work,
- struct ksmbd_file *fp,
- size_t count,
+int ksmbd_vfs_read(struct ksmbd_work *work, struct ksmbd_file *fp, size_t count,
loff_t *pos)
{
struct file *filp;
@@ -416,7 +404,7 @@ int ksmbd_vfs_read(struct ksmbd_work *work,
}
static int ksmbd_vfs_stream_write(struct ksmbd_file *fp, char *buf, loff_t *pos,
- size_t count)
+ size_t count)
{
char *stream_buf = NULL, *wbuf;
size_t size, v_len;
@@ -483,7 +471,8 @@ static int ksmbd_vfs_stream_write(struct ksmbd_file *fp, char *buf, loff_t *pos,
* Return: 0 on success, otherwise error
*/
int ksmbd_vfs_write(struct ksmbd_work *work, struct ksmbd_file *fp,
- char *buf, size_t count, loff_t *pos, bool sync, ssize_t *written)
+ char *buf, size_t count, loff_t *pos, bool sync,
+ ssize_t *written)
{
struct ksmbd_session *sess = work->sess;
struct file *filp;
@@ -564,7 +553,7 @@ int ksmbd_vfs_getattr(struct path *path, struct kstat *stat)
*
* Return: 0 on success, otherwise error
*/
-int ksmbd_vfs_fsync(struct ksmbd_work *work, uint64_t fid, uint64_t p_id)
+int ksmbd_vfs_fsync(struct ksmbd_work *work, u64 fid, u64 p_id)
{
struct ksmbd_file *fp;
int err;
@@ -656,8 +645,8 @@ int ksmbd_vfs_remove_file(struct ksmbd_work *work, char *name)
*
* Return: 0 on success, otherwise error
*/
-int ksmbd_vfs_link(struct ksmbd_work *work,
- const char *oldname, const char *newname)
+int ksmbd_vfs_link(struct ksmbd_work *work, const char *oldname,
+ const char *newname)
{
struct path oldpath, newpath;
struct dentry *dentry;
@@ -702,11 +691,9 @@ int ksmbd_vfs_link(struct ksmbd_work *work,
}
static int __ksmbd_vfs_rename(struct ksmbd_work *work,
- struct dentry *src_dent_parent,
- struct dentry *src_dent,
- struct dentry *dst_dent_parent,
- struct dentry *trap_dent,
- char *dst_name)
+ struct dentry *src_dent_parent, struct dentry *src_dent,
+ struct dentry *dst_dent_parent, struct dentry *trap_dent,
+ char *dst_name)
{
struct dentry *dst_dent;
int err;
@@ -823,7 +810,7 @@ int ksmbd_vfs_fp_rename(struct ksmbd_work *work, struct ksmbd_file *fp,
* Return: 0 on success, otherwise error
*/
int ksmbd_vfs_truncate(struct ksmbd_work *work, const char *name,
- struct ksmbd_file *fp, loff_t size)
+ struct ksmbd_file *fp, loff_t size)
{
struct path path;
int err = 0;
@@ -906,8 +893,7 @@ ssize_t ksmbd_vfs_listxattr(struct dentry *dentry, char **list)
return size;
}
-static ssize_t ksmbd_vfs_xattr_len(struct dentry *dentry,
- char *xattr_name)
+static ssize_t ksmbd_vfs_xattr_len(struct dentry *dentry, char *xattr_name)
{
return vfs_getxattr(&init_user_ns, dentry, xattr_name, NULL, 0);
}
@@ -920,9 +906,8 @@ static ssize_t ksmbd_vfs_xattr_len(struct dentry *dentry,
*
* Return: read xattr value length on success, otherwise error
*/
-ssize_t ksmbd_vfs_getxattr(struct dentry *dentry,
- char *xattr_name,
- char **xattr_buf)
+ssize_t ksmbd_vfs_getxattr(struct dentry *dentry, char *xattr_name,
+ char **xattr_buf)
{
ssize_t xattr_len;
char *buf;
@@ -955,11 +940,8 @@ ssize_t ksmbd_vfs_getxattr(struct dentry *dentry,
*
* Return: 0 on success, otherwise error
*/
-int ksmbd_vfs_setxattr(struct dentry *dentry,
- const char *attr_name,
- const void *attr_value,
- size_t attr_size,
- int flags)
+int ksmbd_vfs_setxattr(struct dentry *dentry, const char *attr_name,
+ const void *attr_value, size_t attr_size, int flags)
{
int err;
@@ -987,9 +969,9 @@ void ksmbd_vfs_set_fadvise(struct file *filp, __le32 option)
if (!option || !mapping)
return;
- if (option & FILE_WRITE_THROUGH_LE)
+ if (option & FILE_WRITE_THROUGH_LE) {
filp->f_flags |= O_SYNC;
- else if (option & FILE_SEQUENTIAL_ONLY_LE) {
+ } else if (option & FILE_SEQUENTIAL_ONLY_LE) {
filp->f_ra.ra_pages = inode_to_bdi(mapping->host)->ra_pages * 2;
spin_lock(&filp->f_lock);
filp->f_mode &= ~FMODE_RANDOM;
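Review bot: in ksmbd_vfs_set_fadvise(), the FILE_WRITE_THROUGH_LE branch still sets `filp->f_flags |= O_SYNC` without holding `filp->f_lock`, while the FILE_SEQUENTIAL_ONLY_LE branch just below takes that lock before touching `f_mode`. Since this hunk already reworks both branches, either take `f_lock` around the `f_flags` update as well or add a comment stating why the file cannot be visible to another task at this point.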
@@ -1021,18 +1003,15 @@ int ksmbd_vfs_readdir(struct file *file, struct ksmbd_readdir_data *rdata)
return iterate_dir(file, &rdata->ctx);
}
-int ksmbd_vfs_alloc_size(struct ksmbd_work *work,
- struct ksmbd_file *fp,
- loff_t len)
+int ksmbd_vfs_alloc_size(struct ksmbd_work *work, struct ksmbd_file *fp,
+ loff_t len)
{
smb_break_all_levII_oplock(work, fp, 1);
return vfs_fallocate(fp->filp, FALLOC_FL_KEEP_SIZE, 0, len);
}
-int ksmbd_vfs_zero_data(struct ksmbd_work *work,
- struct ksmbd_file *fp,
- loff_t off,
- loff_t len)
+int ksmbd_vfs_zero_data(struct ksmbd_work *work, struct ksmbd_file *fp,
+ loff_t off, loff_t len)
{
smb_break_all_levII_oplock(work, fp, 1);
if (fp->f_ci->m_fattr & ATTR_SPARSE_FILE_LE)
@@ -1085,8 +1064,9 @@ int ksmbd_vfs_fqar_lseek(struct ksmbd_file *fp, loff_t start, loff_t length,
if (extent_end != -ENXIO)
ret = (int)extent_end;
break;
- } else if (extent_start >= extent_end)
+ } else if (extent_start >= extent_end) {
break;
+ }
ranges[*out_count].file_offset = cpu_to_le64(extent_start);
ranges[(*out_count)++].length =
@@ -1161,7 +1141,7 @@ unsigned short ksmbd_vfs_logical_sector_size(struct inode *inode)
* @fs_ss: fs sector size struct
*/
void ksmbd_vfs_smb2_sector_size(struct inode *inode,
- struct ksmbd_fs_sector_size *fs_ss)
+ struct ksmbd_fs_sector_size *fs_ss)
{
struct request_queue *q;
@@ -1186,12 +1166,8 @@ void ksmbd_vfs_smb2_sector_size(struct inode *inode,
}
}
-static int __dir_empty(struct dir_context *ctx,
- const char *name,
- int namlen,
- loff_t offset,
- u64 ino,
- unsigned int d_type)
+static int __dir_empty(struct dir_context *ctx, const char *name, int namlen,
+ loff_t offset, u64 ino, unsigned int d_type)
{
struct ksmbd_readdir_data *buf;
@@ -1227,12 +1203,8 @@ int ksmbd_vfs_empty_dir(struct ksmbd_file *fp)
return err;
}
-static int __caseless_lookup(struct dir_context *ctx,
- const char *name,
- int namlen,
- loff_t offset,
- u64 ino,
- unsigned int d_type)
+static int __caseless_lookup(struct dir_context *ctx, const char *name,
+ int namlen, loff_t offset, u64 ino, unsigned int d_type)
{
struct ksmbd_readdir_data *buf;
@@ -1260,7 +1232,7 @@ static int ksmbd_vfs_lookup_in_dir(char *dirname, char *filename)
struct path dir_path;
int ret;
struct file *dfilp;
- int flags = O_RDONLY|O_LARGEFILE;
+ int flags = O_RDONLY | O_LARGEFILE;
int dirnamelen = strlen(dirname);
struct ksmbd_readdir_data readdir_data = {
.ctx.actor = __caseless_lookup,
@@ -1349,9 +1321,9 @@ int ksmbd_vfs_remove_acl_xattrs(struct dentry *dentry)
ksmbd_debug(SMB, "%s, len %zd\n", name, strlen(name));
if (!strncmp(name, XATTR_NAME_POSIX_ACL_ACCESS,
- sizeof(XATTR_NAME_POSIX_ACL_ACCESS)-1) ||
+ sizeof(XATTR_NAME_POSIX_ACL_ACCESS) - 1) ||
!strncmp(name, XATTR_NAME_POSIX_ACL_DEFAULT,
- sizeof(XATTR_NAME_POSIX_ACL_DEFAULT)-1)) {
+ sizeof(XATTR_NAME_POSIX_ACL_DEFAULT) - 1)) {
err = ksmbd_vfs_remove_xattr(dentry, name);
if (err)
ksmbd_debug(SMB,
@@ -1621,8 +1593,9 @@ int ksmbd_vfs_get_dos_attrib_xattr(struct dentry *dentry,
if (ndr_decode_dos_attr(&n, da))
err = -EINVAL;
ksmbd_free(n.data);
- } else
+ } else {
ksmbd_debug(SMB, "failed to load dos attribute in xattr\n");
+ }
return err;
}
@@ -1687,9 +1660,8 @@ void *ksmbd_vfs_init_kstat(char **p, struct ksmbd_kstat *ksmbd_kstat)
return info;
}
-int ksmbd_vfs_fill_dentry_attrs(struct ksmbd_work *work,
- struct dentry *dentry,
- struct ksmbd_kstat *ksmbd_kstat)
+int ksmbd_vfs_fill_dentry_attrs(struct ksmbd_work *work, struct dentry *dentry,
+ struct ksmbd_kstat *ksmbd_kstat)
{
u64 time;
int rc;
@@ -1709,23 +1681,23 @@ int ksmbd_vfs_fill_dentry_attrs(struct ksmbd_work *work,
ksmbd_kstat->file_attributes = ATTR_ARCHIVE_LE;
if (test_share_config_flag(work->tcon->share_conf,
- KSMBD_SHARE_FLAG_STORE_DOS_ATTRS)) {
+ KSMBD_SHARE_FLAG_STORE_DOS_ATTRS)) {
struct xattr_dos_attrib da;
rc = ksmbd_vfs_get_dos_attrib_xattr(dentry, &da);
if (rc > 0) {
ksmbd_kstat->file_attributes = cpu_to_le32(da.attr);
ksmbd_kstat->create_time = da.create_time;
- } else
+ } else {
ksmbd_debug(VFS, "fail to load dos attribute.\n");
+ }
}
return 0;
}
-ssize_t ksmbd_vfs_casexattr_len(struct dentry *dentry,
- char *attr_name,
- int attr_name_len)
+ssize_t ksmbd_vfs_casexattr_len(struct dentry *dentry, char *attr_name,
+ int attr_name_len)
{
char *name, *xattr_list = NULL;
ssize_t value_len = -ENOENT, xattr_list_len;
@@ -1749,10 +1721,8 @@ ssize_t ksmbd_vfs_casexattr_len(struct dentry *dentry,
return value_len;
}
-int ksmbd_vfs_xattr_stream_name(char *stream_name,
- char **xattr_stream_name,
- size_t *xattr_stream_name_size,
- int s_type)
+int ksmbd_vfs_xattr_stream_name(char *stream_name, char **xattr_stream_name,
+ size_t *xattr_stream_name_size, int s_type)
{
int stream_name_size;
char *xattr_stream_name_buf;
@@ -1791,8 +1761,7 @@ int ksmbd_vfs_xattr_stream_name(char *stream_name,
}
static int ksmbd_vfs_copy_file_range(struct file *file_in, loff_t pos_in,
- struct file *file_out, loff_t pos_out,
- size_t len)
+ struct file *file_out, loff_t pos_out, size_t len)
{
struct inode *inode_in = file_inode(file_in);
struct inode *inode_out = file_inode(file_out);
@@ -1838,13 +1807,10 @@ static int ksmbd_vfs_copy_file_range(struct file *file_in, loff_t pos_in,
}
int ksmbd_vfs_copy_file_ranges(struct ksmbd_work *work,
- struct ksmbd_file *src_fp,
- struct ksmbd_file *dst_fp,
- struct srv_copychunk *chunks,
- unsigned int chunk_count,
- unsigned int *chunk_count_written,
- unsigned int *chunk_size_written,
- loff_t *total_size_written)
+ struct ksmbd_file *src_fp, struct ksmbd_file *dst_fp,
+ struct srv_copychunk *chunks, unsigned int chunk_count,
+ unsigned int *chunk_count_written,
+ unsigned int *chunk_size_written, loff_t *total_size_written)
{
unsigned int i;
loff_t src_off, dst_off, src_file_size;
@@ -1876,10 +1842,10 @@ int ksmbd_vfs_copy_file_ranges(struct ksmbd_work *work,
len = le32_to_cpu(chunks[i].Length);
if (check_lock_range(src_fp->filp, src_off,
- src_off + len - 1, READ))
+ src_off + len - 1, READ))
return -EAGAIN;
if (check_lock_range(dst_fp->filp, dst_off,
- dst_off + len - 1, WRITE))
+ dst_off + len - 1, WRITE))
return -EAGAIN;
}
}
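Review bot: the two check_lock_range() calls in ksmbd_vfs_copy_file_ranges() compute their range end as `src_off + len - 1` and `dst_off + len - 1`, with `len` taken straight from `le32_to_cpu(chunks[i].Length)`, and nothing in the lines shown rejects `len == 0`. A zero-length chunk makes the end offset one less than the start (-1 when the offset is 0), so the lock check runs on an inverted range. The hunk itself only re-indents, but it is worth a follow-up that validates the client-supplied chunk length (non-zero, and no overflow of `off + len`) before the range is built.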
diff --git a/fs/cifsd/vfs.h b/fs/cifsd/vfs.h
index bbef5c20c146..e1ca9ac11ba5 100644
--- a/fs/cifsd/vfs.h
+++ b/fs/cifsd/vfs.h
@@ -101,7 +101,6 @@ struct xattr_ntacl {
#define XATTR_NAME_SD_LEN \
(sizeof(XATTR_SECURITY_PREFIX SD_PREFIX) - 1)
-
/* CreateOptions */
/* Flag is set, it must not be a file , valid for directory only */
#define FILE_DIRECTORY_FILE_LE cpu_to_le32(0x00000001)
@@ -197,10 +196,11 @@ int ksmbd_vfs_query_maximal_access(struct dentry *dentry, __le32 *daccess);
int ksmbd_vfs_create(struct ksmbd_work *work, const char *name, umode_t mode);
int ksmbd_vfs_mkdir(struct ksmbd_work *work, const char *name, umode_t mode);
int ksmbd_vfs_read(struct ksmbd_work *work, struct ksmbd_file *fp,
- size_t count, loff_t *pos);
+ size_t count, loff_t *pos);
int ksmbd_vfs_write(struct ksmbd_work *work, struct ksmbd_file *fp,
- char *buf, size_t count, loff_t *pos, bool sync, ssize_t *written);
-int ksmbd_vfs_fsync(struct ksmbd_work *work, uint64_t fid, uint64_t p_id);
+ char *buf, size_t count, loff_t *pos, bool sync,
+ ssize_t *written);
+int ksmbd_vfs_fsync(struct ksmbd_work *work, u64 fid, u64 p_id);
int ksmbd_vfs_remove_file(struct ksmbd_work *work, char *name);
int ksmbd_vfs_link(struct ksmbd_work *work,
const char *oldname, const char *newname);
@@ -210,90 +210,53 @@ int ksmbd_vfs_readlink(struct path *path, char *buf, int lenp);
int ksmbd_vfs_fp_rename(struct ksmbd_work *work, struct ksmbd_file *fp,
char *newname);
-int ksmbd_vfs_rename_slowpath(struct ksmbd_work *work,
- char *oldname, char *newname);
int ksmbd_vfs_truncate(struct ksmbd_work *work, const char *name,
- struct ksmbd_file *fp, loff_t size);
+ struct ksmbd_file *fp, loff_t size);
struct srv_copychunk;
int ksmbd_vfs_copy_file_ranges(struct ksmbd_work *work,
- struct ksmbd_file *src_fp,
- struct ksmbd_file *dst_fp,
- struct srv_copychunk *chunks,
- unsigned int chunk_count,
- unsigned int *chunk_count_written,
- unsigned int *chunk_size_written,
- loff_t *total_size_written);
-
-struct ksmbd_file *ksmbd_vfs_dentry_open(struct ksmbd_work *work,
- const struct path *path,
- int flags,
- __le32 option,
- int fexist);
+ struct ksmbd_file *src_fp, struct ksmbd_file *dst_fp,
+ struct srv_copychunk *chunks, unsigned int chunk_count,
+ unsigned int *chunk_count_written,
+ unsigned int *chunk_size_written, loff_t *total_size_written);
ssize_t ksmbd_vfs_listxattr(struct dentry *dentry, char **list);
-ssize_t ksmbd_vfs_getxattr(struct dentry *dentry,
- char *xattr_name,
- char **xattr_buf);
-
-ssize_t ksmbd_vfs_casexattr_len(struct dentry *dentry,
- char *attr_name,
- int attr_name_len);
-
-int ksmbd_vfs_setxattr(struct dentry *dentry,
- const char *attr_name,
- const void *attr_value,
- size_t attr_size,
- int flags);
-
-int ksmbd_vfs_fsetxattr(const char *filename,
- const char *attr_name,
- const void *attr_value,
- size_t attr_size,
- int flags);
-
-int ksmbd_vfs_xattr_stream_name(char *stream_name,
- char **xattr_stream_name,
- size_t *xattr_stream_name_size,
- int s_type);
-
+ssize_t ksmbd_vfs_getxattr(struct dentry *dentry, char *xattr_name,
+ char **xattr_buf);
+ssize_t ksmbd_vfs_casexattr_len(struct dentry *dentry, char *attr_name,
+ int attr_name_len);
+int ksmbd_vfs_setxattr(struct dentry *dentry, const char *attr_name,
+ const void *attr_value, size_t attr_size, int flags);
+int ksmbd_vfs_xattr_stream_name(char *stream_name, char **xattr_stream_name,
+ size_t *xattr_stream_name_size, int s_type);
int ksmbd_vfs_truncate_xattr(struct dentry *dentry, int wo_streams);
int ksmbd_vfs_remove_xattr(struct dentry *dentry, char *attr_name);
void ksmbd_vfs_xattr_free(char *xattr);
-
int ksmbd_vfs_kern_path(char *name, unsigned int flags, struct path *path,
bool caseless);
int ksmbd_vfs_empty_dir(struct ksmbd_file *fp);
void ksmbd_vfs_set_fadvise(struct file *filp, __le32 option);
int ksmbd_vfs_lock(struct file *filp, int cmd, struct file_lock *flock);
int ksmbd_vfs_readdir(struct file *file, struct ksmbd_readdir_data *rdata);
-int ksmbd_vfs_alloc_size(struct ksmbd_work *work,
- struct ksmbd_file *fp,
- loff_t len);
-int ksmbd_vfs_zero_data(struct ksmbd_work *work,
- struct ksmbd_file *fp,
- loff_t off,
- loff_t len);
-
+int ksmbd_vfs_alloc_size(struct ksmbd_work *work, struct ksmbd_file *fp,
+ loff_t len);
+int ksmbd_vfs_zero_data(struct ksmbd_work *work, struct ksmbd_file *fp,
+ loff_t off, loff_t len);
struct file_allocated_range_buffer;
int ksmbd_vfs_fqar_lseek(struct ksmbd_file *fp, loff_t start, loff_t length,
- struct file_allocated_range_buffer *ranges,
- int in_count, int *out_count);
+ struct file_allocated_range_buffer *ranges,
+ int in_count, int *out_count);
int ksmbd_vfs_unlink(struct dentry *dir, struct dentry *dentry);
unsigned short ksmbd_vfs_logical_sector_size(struct inode *inode);
void ksmbd_vfs_smb2_sector_size(struct inode *inode,
- struct ksmbd_fs_sector_size *fs_ss);
+ struct ksmbd_fs_sector_size *fs_ss);
void *ksmbd_vfs_init_kstat(char **p, struct ksmbd_kstat *ksmbd_kstat);
-
-int ksmbd_vfs_fill_dentry_attrs(struct ksmbd_work *work,
- struct dentry *dentry,
- struct ksmbd_kstat *ksmbd_kstat);
-
+int ksmbd_vfs_fill_dentry_attrs(struct ksmbd_work *work, struct dentry *dentry,
+ struct ksmbd_kstat *ksmbd_kstat);
int ksmbd_vfs_posix_lock_wait(struct file_lock *flock);
int ksmbd_vfs_posix_lock_wait_timeout(struct file_lock *flock, long timeout);
void ksmbd_vfs_posix_lock_unblock(struct file_lock *flock);
-
int ksmbd_vfs_remove_acl_xattrs(struct dentry *dentry);
int ksmbd_vfs_remove_sd_xattrs(struct dentry *dentry);
int ksmbd_vfs_set_sd_xattr(struct ksmbd_conn *conn, struct dentry *dentry,
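Review bot: this vfs.h hunk is not only a reflow, it also deletes the prototypes of ksmbd_vfs_rename_slowpath(), ksmbd_vfs_dentry_open() and ksmbd_vfs_fsetxattr(). Dropping declarations inside a whitespace cleanup makes the change hard to audit, so please confirm that no definition or caller of these three functions remains and either say so in the commit message or move the removals into their own patch.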
diff --git a/fs/cifsd/vfs_cache.c b/fs/cifsd/vfs_cache.c
index 2b38628e1cb8..ec631dc6f1fb 100644
--- a/fs/cifsd/vfs_cache.c
+++ b/fs/cifsd/vfs_cache.c
@@ -284,8 +284,7 @@ static void __ksmbd_remove_durable_fd(struct ksmbd_file *fp)
write_unlock(&global_ft.lock);
}
-static void __ksmbd_remove_fd(struct ksmbd_file_table *ft,
- struct ksmbd_file *fp)
+static void __ksmbd_remove_fd(struct ksmbd_file_table *ft, struct ksmbd_file *fp)
{
if (!HAS_FILE_ID(fp->volatile_id))
return;
@@ -299,8 +298,7 @@ static void __ksmbd_remove_fd(struct ksmbd_file_table *ft,
write_unlock(&ft->lock);
}
-static void __ksmbd_close_fd(struct ksmbd_file_table *ft,
- struct ksmbd_file *fp)
+static void __ksmbd_close_fd(struct ksmbd_file_table *ft, struct ksmbd_file *fp)
{
struct file *filp;
@@ -328,7 +326,7 @@ static struct ksmbd_file *ksmbd_fp_get(struct ksmbd_file *fp)
}
static struct ksmbd_file *__ksmbd_lookup_fd(struct ksmbd_file_table *ft,
- unsigned int id)
+ unsigned int id)
{
bool unclaimed = true;
struct ksmbd_file *fp;
@@ -352,8 +350,7 @@ static struct ksmbd_file *__ksmbd_lookup_fd(struct ksmbd_file_table *ft,
return fp;
}
-static void __put_fd_final(struct ksmbd_work *work,
- struct ksmbd_file *fp)
+static void __put_fd_final(struct ksmbd_work *work, struct ksmbd_file *fp)
{
__ksmbd_close_fd(&work->sess->file_table, fp);
atomic_dec(&work->conn->stats.open_files_count);
@@ -399,8 +396,7 @@ int ksmbd_close_fd(struct ksmbd_work *work, unsigned int id)
return 0;
}
-void ksmbd_fd_put(struct ksmbd_work *work,
- struct ksmbd_file *fp)
+void ksmbd_fd_put(struct ksmbd_work *work, struct ksmbd_file *fp)
{
if (!fp)
return;
@@ -410,8 +406,7 @@ void ksmbd_fd_put(struct ksmbd_work *work,
__put_fd_final(work, fp);
}
-static bool __sanity_check(struct ksmbd_tree_connect *tcon,
- struct ksmbd_file *fp)
+static bool __sanity_check(struct ksmbd_tree_connect *tcon, struct ksmbd_file *fp)
{
if (!fp)
return false;
@@ -420,14 +415,12 @@ static bool __sanity_check(struct ksmbd_tree_connect *tcon,
return true;
}
-struct ksmbd_file *ksmbd_lookup_foreign_fd(struct ksmbd_work *work,
- unsigned int id)
+struct ksmbd_file *ksmbd_lookup_foreign_fd(struct ksmbd_work *work, unsigned int id)
{
return __ksmbd_lookup_fd(&work->sess->file_table, id);
}
-struct ksmbd_file *ksmbd_lookup_fd_fast(struct ksmbd_work *work,
- unsigned int id)
+struct ksmbd_file *ksmbd_lookup_fd_fast(struct ksmbd_work *work, unsigned int id)
{
struct ksmbd_file *fp = __ksmbd_lookup_fd(&work->sess->file_table, id);
@@ -438,9 +431,8 @@ struct ksmbd_file *ksmbd_lookup_fd_fast(struct ksmbd_work *work,
return NULL;
}
-struct ksmbd_file *ksmbd_lookup_fd_slow(struct ksmbd_work *work,
- unsigned int id,
- unsigned int pid)
+struct ksmbd_file *ksmbd_lookup_fd_slow(struct ksmbd_work *work, unsigned int id,
+ unsigned int pid)
{
struct ksmbd_file *fp;
@@ -469,8 +461,7 @@ struct ksmbd_file *ksmbd_lookup_durable_fd(unsigned long long id)
return __ksmbd_lookup_fd(&global_ft, id);
}
-int ksmbd_close_fd_app_id(struct ksmbd_work *work,
- char *app_id)
+int ksmbd_close_fd_app_id(struct ksmbd_work *work, char *app_id)
{
struct ksmbd_file *fp = NULL;
unsigned int id;
@@ -513,8 +504,7 @@ struct ksmbd_file *ksmbd_lookup_fd_cguid(char *cguid)
return fp;
}
-struct ksmbd_file *ksmbd_lookup_fd_filename(struct ksmbd_work *work,
- char *filename)
+struct ksmbd_file *ksmbd_lookup_fd_filename(struct ksmbd_work *work, char *filename)
{
struct ksmbd_file *fp = NULL;
unsigned int id;
@@ -566,8 +556,7 @@ static void __open_id_set(struct ksmbd_file *fp, unsigned int id, int type)
fp->persistent_id = id;
}
-static int __open_id(struct ksmbd_file_table *ft,
- struct ksmbd_file *fp,
+static int __open_id(struct ksmbd_file_table *ft, struct ksmbd_file *fp,
int type)
{
unsigned int id = 0;
@@ -601,8 +590,7 @@ unsigned int ksmbd_open_durable_fd(struct ksmbd_file *fp)
return fp->persistent_id;
}
-struct ksmbd_file *ksmbd_open_fd(struct ksmbd_work *work,
- struct file *filp)
+struct ksmbd_file *ksmbd_open_fd(struct ksmbd_work *work, struct file *filp)
{
struct ksmbd_file *fp;
int ret;
@@ -657,7 +645,7 @@ static inline bool is_reconnectable(struct ksmbd_file *fp)
if (fp->is_resilient || fp->is_persistent)
reconn = true;
else if (fp->is_durable && opinfo->is_lease &&
- opinfo->o_lease->state & SMB2_LEASE_HANDLE_CACHING_LE)
+ opinfo->o_lease->state & SMB2_LEASE_HANDLE_CACHING_LE)
reconn = true;
else if (fp->is_durable && opinfo->level == SMB2_OPLOCK_LEVEL_BATCH)
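Review bot: the condition in is_reconnectable() mixes `&&` with a bare `&` (`opinfo->is_lease && opinfo->o_lease->state & SMB2_LEASE_HANDLE_CACHING_LE`), and the re-indented continuation line does nothing to make the grouping obvious. Precedence gives the intended result, but since the line is being touched anyway, wrap the mask test in parentheses so a later edit cannot silently change which handles are treated as reconnectable.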
@@ -668,10 +656,8 @@ static inline bool is_reconnectable(struct ksmbd_file *fp)
}
static int
-__close_file_table_ids(struct ksmbd_file_table *ft,
- struct ksmbd_tree_connect *tcon,
- bool (*skip)(struct ksmbd_tree_connect *tcon,
- struct ksmbd_file *fp))
+__close_file_table_ids(struct ksmbd_file_table *ft, struct ksmbd_tree_connect *tcon,
+ bool (*skip)(struct ksmbd_tree_connect *tcon, struct ksmbd_file *fp))
{
unsigned int id;
struct ksmbd_file *fp;
@@ -691,14 +677,12 @@ __close_file_table_ids(struct ksmbd_file_table *ft,
return num;
}
-static bool tree_conn_fd_check(struct ksmbd_tree_connect *tcon,
- struct ksmbd_file *fp)
+static bool tree_conn_fd_check(struct ksmbd_tree_connect *tcon, struct ksmbd_file *fp)
{
return fp->tcon != tcon;
}
-static bool session_fd_check(struct ksmbd_tree_connect *tcon,
- struct ksmbd_file *fp)
+static bool session_fd_check(struct ksmbd_tree_connect *tcon, struct ksmbd_file *fp)
{
if (!is_reconnectable(fp))
return false;
@@ -745,8 +729,7 @@ void ksmbd_free_global_file_table(void)
ksmbd_destroy_file_table(&global_ft);
}
-int ksmbd_reopen_durable_fd(struct ksmbd_work *work,
- struct ksmbd_file *fp)
+int ksmbd_reopen_durable_fd(struct ksmbd_work *work, struct ksmbd_file *fp)
{
if (!fp->is_durable || fp->conn || fp->tcon) {
ksmbd_err("Invalid durable fd [%p:%p]\n",
diff --git a/fs/cifsd/vfs_cache.h b/fs/cifsd/vfs_cache.h
index 04ab5967a9ae..318dcb1a297a 100644
--- a/fs/cifsd/vfs_cache.h
+++ b/fs/cifsd/vfs_cache.h
@@ -149,50 +149,31 @@ static inline bool ksmbd_stream_fd(struct ksmbd_file *fp)
int ksmbd_init_file_table(struct ksmbd_file_table *ft);
void ksmbd_destroy_file_table(struct ksmbd_file_table *ft);
-
int ksmbd_close_fd(struct ksmbd_work *work, unsigned int id);
-
-struct ksmbd_file *ksmbd_lookup_fd_fast(struct ksmbd_work *work,
- unsigned int id);
-struct ksmbd_file *ksmbd_lookup_foreign_fd(struct ksmbd_work *work,
- unsigned int id);
-struct ksmbd_file *ksmbd_lookup_fd_slow(struct ksmbd_work *work,
- unsigned int id,
- unsigned int pid);
-
+struct ksmbd_file *ksmbd_lookup_fd_fast(struct ksmbd_work *work, unsigned int id);
+struct ksmbd_file *ksmbd_lookup_foreign_fd(struct ksmbd_work *work, unsigned int id);
+struct ksmbd_file *ksmbd_lookup_fd_slow(struct ksmbd_work *work, unsigned int id,
+ unsigned int pid);
void ksmbd_fd_put(struct ksmbd_work *work, struct ksmbd_file *fp);
-
int ksmbd_close_fd_app_id(struct ksmbd_work *work, char *app_id);
struct ksmbd_file *ksmbd_lookup_durable_fd(unsigned long long id);
struct ksmbd_file *ksmbd_lookup_fd_cguid(char *cguid);
-struct ksmbd_file *ksmbd_lookup_fd_filename(struct ksmbd_work *work,
- char *filename);
+struct ksmbd_file *ksmbd_lookup_fd_filename(struct ksmbd_work *work, char *filename);
struct ksmbd_file *ksmbd_lookup_fd_inode(struct inode *inode);
-
unsigned int ksmbd_open_durable_fd(struct ksmbd_file *fp);
-
-struct ksmbd_file *ksmbd_open_fd(struct ksmbd_work *work,
- struct file *filp);
-
+struct ksmbd_file *ksmbd_open_fd(struct ksmbd_work *work, struct file *filp);
void ksmbd_close_tree_conn_fds(struct ksmbd_work *work);
void ksmbd_close_session_fds(struct ksmbd_work *work);
-
int ksmbd_close_inode_fds(struct ksmbd_work *work, struct inode *inode);
-
-int ksmbd_reopen_durable_fd(struct ksmbd_work *work,
- struct ksmbd_file *fp);
-
+int ksmbd_reopen_durable_fd(struct ksmbd_work *work, struct ksmbd_file *fp);
int ksmbd_init_global_file_table(void);
void ksmbd_free_global_file_table(void);
-
int ksmbd_file_table_flush(struct ksmbd_work *work);
-
void ksmbd_set_fd_limit(unsigned long limit);
/*
* INODE hash
*/
-
int __init ksmbd_inode_hash_init(void);
void ksmbd_release_inode_hash(void);
@@ -203,11 +184,9 @@ enum KSMBD_INODE_STATUS {
};
int ksmbd_query_inode_status(struct inode *inode);
-
bool ksmbd_inode_pending_delete(struct ksmbd_file *fp);
void ksmbd_set_inode_pending_delete(struct ksmbd_file *fp);
void ksmbd_clear_inode_pending_delete(struct ksmbd_file *fp);
-
void ksmbd_fd_set_delete_on_close(struct ksmbd_file *fp,
int file_info);
#endif /* __VFS_CACHE_H__ */
From patchwork Mon Nov 14 12:48:53 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Jason Yan <yanaijie(a)huawei.com>
X-Patchwork-Id: 183121
Return-Path: <yanaijie(a)huawei.com>
From: Jason Yan <yanaijie(a)huawei.com>
To: <yanaijie(a)huawei.com>, <zhengzengkai(a)huawei.com>, <xiexiuqi(a)huawei.com>,
<yi.zhang(a)huawei.com>, <patchwork(a)huawei.com>, <kernel.openeuler(a)huawei.com>,
<houtao1(a)huawei.com>
Subject: [PATCH OLK-5.10 v2 024/308] cifsd: merge time_wrappers.h into
smb_common.h
Date: Mon, 14 Nov 2022 20:48:53 +0800
Message-ID: <20221114125337.1831594-25-yanaijie(a)huawei.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20221114125337.1831594-1-yanaijie(a)huawei.com>
References: <20221114125337.1831594-1-yanaijie(a)huawei.com>
Content-Type: text/plain
From: Namjae Jeon <namjae.jeon(a)samsung.com>
mainline inclusion
from mainline-5.15-rc1
commit a648d8aff84beedaff6302df47a947a56533ec41
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G
CVE: NA
Reference: https://git.kernel.org/torvalds/linux/c/a648d8aff84b
-------------------------------
This patch merges time_wrappers.h into smb_common.h.
Signed-off-by: Namjae Jeon <namjae.jeon(a)samsung.com>
Signed-off-by: Steve French <stfrench(a)microsoft.com>
Signed-off-by: Jason Yan <yanaijie(a)huawei.com>
---
fs/cifsd/netmisc.c | 17 ++++++++++++++++-
fs/cifsd/smb2pdu.c | 1 -
fs/cifsd/smb_common.h | 6 ++++++
fs/cifsd/time_wrappers.h | 34 ----------------------------------
fs/cifsd/vfs.c | 1 -
5 files changed, 22 insertions(+), 37 deletions(-)
delete mode 100644 fs/cifsd/time_wrappers.h
diff --git a/fs/cifsd/netmisc.c b/fs/cifsd/netmisc.c
index 55393667abcc..5d0327d87397 100644
--- a/fs/cifsd/netmisc.c
+++ b/fs/cifsd/netmisc.c
@@ -10,7 +10,7 @@
#include "glob.h"
#include "smberr.h"
#include "nterr.h"
-#include "time_wrappers.h"
+#include "smb_common.h"
/*
* Convert the NT UTC (based 1601-01-01, in hundred nanosecond units)
@@ -42,3 +42,18 @@ struct timespec64 ksmbd_NTtimeToUnix(__le64 ntutc)
return ts;
}
+
+/* Convert the Unix UTC into NT UTC. */
+inline u64 ksmbd_UnixTimeToNT(struct timespec64 t)
+{
+ /* Convert to 100ns intervals and then add the NTFS time offset. */
+ return (u64)t.tv_sec * 10000000 + t.tv_nsec / 100 + NTFS_TIME_OFFSET;
+}
+
+inline long long ksmbd_systime(void)
+{
+ struct timespec64 ts;
+
+ ktime_get_real_ts64(&ts);
+ return ksmbd_UnixTimeToNT(ts);
+}
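Review bot: ksmbd_UnixTimeToNT() and ksmbd_systime() are moved into netmisc.c as non-static functions but keep the `inline` keyword, while smb_common.h declares them as ordinary external functions. Callers in other files only see the prototype and cannot inline them, so the keyword is misleading here; drop `inline` from both definitions, or keep them as `static inline` in the header if inlining is actually wanted.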
diff --git a/fs/cifsd/smb2pdu.c b/fs/cifsd/smb2pdu.c
index 3e8f1a3800dd..139041768f65 100644
--- a/fs/cifsd/smb2pdu.c
+++ b/fs/cifsd/smb2pdu.c
@@ -26,7 +26,6 @@
#include "vfs_cache.h"
#include "misc.h"
-#include "time_wrappers.h"
#include "server.h"
#include "smb_common.h"
#include "smbstatus.h"
diff --git a/fs/cifsd/smb_common.h b/fs/cifsd/smb_common.h
index 2d7b1c693ff4..2e171c9002b2 100644
--- a/fs/cifsd/smb_common.h
+++ b/fs/cifsd/smb_common.h
@@ -541,4 +541,10 @@ static inline void inc_rfc1001_len(void *buf, int count)
{
be32_add_cpu((__be32 *)buf, count);
}
+
+#define NTFS_TIME_OFFSET ((u64)(369 * 365 + 89) * 24 * 3600 * 10000000)
+
+struct timespec64 ksmbd_NTtimeToUnix(__le64 ntutc);
+u64 ksmbd_UnixTimeToNT(struct timespec64 t);
+long long ksmbd_systime(void);
#endif /* __SMB_COMMON_H__ */
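Review bot: the new prototypes disagree on the type of an NT timestamp: ksmbd_UnixTimeToNT() returns `u64` while ksmbd_systime(), which only forwards that value, is declared `long long`. Make ksmbd_systime() return `u64` so callers do not mix signed and unsigned arithmetic on timestamps. NTFS_TIME_OFFSET would also benefit from a one-line comment explaining that `369 * 365 + 89` is the number of days between 1601-01-01 and 1970-01-01.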
diff --git a/fs/cifsd/time_wrappers.h b/fs/cifsd/time_wrappers.h
deleted file mode 100644
index 31bea2058f88..000000000000
--- a/fs/cifsd/time_wrappers.h
+++ /dev/null
@@ -1,34 +0,0 @@
-/* SPDX-License-Identifier: GPL-2.0-or-later */
-/*
- * Copyright (C) 2019 Samsung Electronics Co., Ltd.
- */
-
-#ifndef __KSMBD_TIME_WRAPPERS_H
-#define __KSMBD_TIME_WRAPPERS_H
-
-/*
- * A bunch of ugly hacks to workaoround all the API differences
- * between different kernel versions.
- */
-
-#define NTFS_TIME_OFFSET ((u64)(369 * 365 + 89) * 24 * 3600 * 10000000)
-
-/* Convert the Unix UTC into NT UTC. */
-static inline u64 ksmbd_UnixTimeToNT(struct timespec64 t)
-{
- /* Convert to 100ns intervals and then add the NTFS time offset. */
- return (u64)t.tv_sec * 10000000 + t.tv_nsec / 100 + NTFS_TIME_OFFSET;
-}
-
-struct timespec64 ksmbd_NTtimeToUnix(__le64 ntutc);
-
-#define KSMBD_TIME_TO_TM time64_to_tm
-
-static inline long long ksmbd_systime(void)
-{
- struct timespec64 ts;
-
- ktime_get_real_ts64(&ts);
- return ksmbd_UnixTimeToNT(ts);
-}
-#endif /* __KSMBD_TIME_WRAPPERS_H */
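Review bot: deleting time_wrappers.h also drops the `KSMBD_TIME_TO_TM` macro, which is not re-added in the smb_common.h hunk, so this is a removal rather than a merge for that symbol. Please confirm that nothing still uses `KSMBD_TIME_TO_TM` and mention the removal in the commit message.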
diff --git a/fs/cifsd/vfs.c b/fs/cifsd/vfs.c
index 69dc1ee0fc75..264f8932d40f 100644
--- a/fs/cifsd/vfs.c
+++ b/fs/cifsd/vfs.c
@@ -31,7 +31,6 @@
#include "ndr.h"
#include "auth.h"
-#include "time_wrappers.h"
#include "smb_common.h"
#include "mgmt/share_config.h"
#include "mgmt/tree_connect.h"
From patchwork Mon Nov 14 12:48:54 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Jason Yan <yanaijie(a)huawei.com>
X-Patchwork-Id: 183122
Return-Path: <yanaijie(a)huawei.com>
From: Jason Yan <yanaijie(a)huawei.com>
To: <yanaijie(a)huawei.com>, <zhengzengkai(a)huawei.com>, <xiexiuqi(a)huawei.com>,
<yi.zhang(a)huawei.com>, <patchwork(a)huawei.com>, <kernel.openeuler(a)huawei.com>,
<houtao1(a)huawei.com>
Subject: [PATCH OLK-5.10 v2 025/308] cifsd: fix wrong prototype in comment
Date: Mon, 14 Nov 2022 20:48:54 +0800
Message-ID: <20221114125337.1831594-26-yanaijie(a)huawei.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20221114125337.1831594-1-yanaijie(a)huawei.com>
References: <20221114125337.1831594-1-yanaijie(a)huawei.com>
Content-Type: text/plain
From: Namjae Jeon <namjae.jeon(a)samsung.com>
mainline inclusion
from mainline-5.15-rc1
commit 5365564901778d96a81e00e34c804d4fb05f0093
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G
CVE: NA
Reference: https://git.kernel.org/torvalds/linux/c/536556490177
-------------------------------
kernel test robot reported:
>> fs/cifsd/oplock.c:1454: warning: expecting prototype for
create_durable_rsp__buf(). Prototype was for
create_durable_rsp_buf() instead
This patch fixes the wrong prototype in the comment.
Reported-by: kernel test robot <lkp(a)intel.com>
Signed-off-by: Namjae Jeon <namjae.jeon(a)samsung.com>
Signed-off-by: Steve French <stfrench(a)microsoft.com>
Signed-off-by: Jason Yan <yanaijie(a)huawei.com>
---
fs/cifsd/oplock.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/fs/cifsd/oplock.c b/fs/cifsd/oplock.c
index 8e072c3e7b89..4ff23aee69fa 100644
--- a/fs/cifsd/oplock.c
+++ b/fs/cifsd/oplock.c
@@ -1436,7 +1436,7 @@ struct create_context *smb2_find_context_vals(void *open_req, const char *tag)
}
/**
- * create_durable_rsp__buf() - create durable handle context
+ * create_durable_rsp_buf() - create durable handle context
* @cc: buffer to create durable context response
*/
void create_durable_rsp_buf(char *cc)
From patchwork Mon Nov 14 12:48:55 2022
X-Patchwork-Submitter: Jason Yan <yanaijie(a)huawei.com>
X-Patchwork-Id: 183123
From: Jason Yan <yanaijie(a)huawei.com>
To: <yanaijie(a)huawei.com>, <zhengzengkai(a)huawei.com>, <xiexiuqi(a)huawei.com>,
<yi.zhang(a)huawei.com>, <patchwork(a)huawei.com>, <kernel.openeuler(a)huawei.com>,
<houtao1(a)huawei.com>
Subject: [PATCH OLK-5.10 v2 026/308] cifsd: remove smack inherit leftovers
Date: Mon, 14 Nov 2022 20:48:55 +0800
Message-ID: <20221114125337.1831594-27-yanaijie(a)huawei.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20221114125337.1831594-1-yanaijie(a)huawei.com>
References: <20221114125337.1831594-1-yanaijie(a)huawei.com>
From: Namjae Jeon <namjae.jeon(a)samsung.com>
mainline inclusion
from mainline-5.15-rc1
commit d710f37c7bcd7f2cedab4762fff3e11c83aebf3f
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G
CVE: NA
Reference: https://git.kernel.org/torvalds/linux/c/d710f37c7bcd
-------------------------------
smack inherit was added for an internal product before.
It is no longer used. This patch removes its leftovers.
Signed-off-by: Namjae Jeon <namjae.jeon(a)samsung.com>
Signed-off-by: Steve French <stfrench(a)microsoft.com>
Signed-off-by: Jason Yan <yanaijie(a)huawei.com>
---
fs/cifsd/ksmbd_server.h | 9 ++++-----
fs/cifsd/vfs.c | 42 -----------------------------------------
2 files changed, 4 insertions(+), 47 deletions(-)
diff --git a/fs/cifsd/ksmbd_server.h b/fs/cifsd/ksmbd_server.h
index c5181a2702ff..e46be4084087 100644
--- a/fs/cifsd/ksmbd_server.h
+++ b/fs/cifsd/ksmbd_server.h
@@ -224,11 +224,10 @@ enum KSMBD_TREE_CONN_STATUS {
#define KSMBD_SHARE_FLAG_OPLOCKS BIT(7)
#define KSMBD_SHARE_FLAG_PIPE BIT(8)
#define KSMBD_SHARE_FLAG_HIDE_DOT_FILES BIT(9)
-#define KSMBD_SHARE_FLAG_INHERIT_SMACK BIT(10)
-#define KSMBD_SHARE_FLAG_INHERIT_OWNER BIT(11)
-#define KSMBD_SHARE_FLAG_STREAMS BIT(12)
-#define KSMBD_SHARE_FLAG_FOLLOW_SYMLINKS BIT(13)
-#define KSMBD_SHARE_FLAG_ACL_XATTR BIT(14)
+#define KSMBD_SHARE_FLAG_INHERIT_OWNER BIT(10)
+#define KSMBD_SHARE_FLAG_STREAMS BIT(11)
+#define KSMBD_SHARE_FLAG_FOLLOW_SYMLINKS BIT(12)
+#define KSMBD_SHARE_FLAG_ACL_XATTR BIT(13)
/*
* Tree connect request flags.
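Review bot: Renumbering KSMBD_SHARE_FLAG_INHERIT_OWNER through KSMBD_SHARE_FLAG_ACL_XATTR down by one bit changes the meaning of every flag above BIT(9) for any producer of these values that is built separately from this header. If the share flags are supplied by a user-space daemon, one built against the old header that sets BIT(12) for STREAMS would now be read as FOLLOW_SYMLINKS, and its BIT(13) for FOLLOW_SYMLINKS would be read as ACL_XATTR. Either leave BIT(10) as a reserved hole, or state in the commit message that the user-space side must be updated in lockstep.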
diff --git a/fs/cifsd/vfs.c b/fs/cifsd/vfs.c
index 264f8932d40f..0ecdb5121c3a 100644
--- a/fs/cifsd/vfs.c
+++ b/fs/cifsd/vfs.c
@@ -69,46 +69,6 @@ static void ksmbd_vfs_inherit_owner(struct ksmbd_work *work,
i_uid_write(inode, i_uid_read(parent_inode));
}
-static void ksmbd_vfs_inherit_smack(struct ksmbd_work *work,
- struct dentry *dir_dentry, struct dentry *dentry)
-{
- char *name, *xattr_list = NULL, *smack_buf;
- int value_len, xattr_list_len;
-
- if (!test_share_config_flag(work->tcon->share_conf,
- KSMBD_SHARE_FLAG_INHERIT_SMACK))
- return;
-
- xattr_list_len = ksmbd_vfs_listxattr(dir_dentry, &xattr_list);
- if (xattr_list_len < 0) {
- goto out;
- } else if (!xattr_list_len) {
- ksmbd_err("no ea data in the file\n");
- return;
- }
-
- for (name = xattr_list; name - xattr_list < xattr_list_len;
- name += strlen(name) + 1) {
- int rc;
-
- ksmbd_debug(VFS, "%s, len %zd\n", name, strlen(name));
- if (strcmp(name, XATTR_NAME_SMACK))
- continue;
-
- value_len = ksmbd_vfs_getxattr(dir_dentry, name, &smack_buf);
- if (value_len <= 0)
- continue;
-
- rc = ksmbd_vfs_setxattr(dentry, XATTR_NAME_SMACK, smack_buf,
- value_len, 0);
- ksmbd_free(smack_buf);
- if (rc < 0)
- ksmbd_err("ksmbd_vfs_setxattr() failed: %d\n", rc);
- }
-out:
- ksmbd_vfs_xattr_free(xattr_list);
-}
-
int ksmbd_vfs_inode_permission(struct dentry *dentry, int acc_mode, bool delete)
{
int mask;
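Review bot: The commit message says the feature is no longer used, but the removed ksmbd_vfs_inherit_smack() was called from both ksmbd_vfs_create() and ksmbd_vfs_mkdir() and acted whenever KSMBD_SHARE_FLAG_INHERIT_SMACK was set on the share, so this is a behaviour change rather than dead-code removal: new files and directories no longer get the parent's XATTR_NAME_SMACK value copied. One sentence in the changelog saying the share flag is now ignored would help anyone who had it configured.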
@@ -198,7 +158,6 @@ int ksmbd_vfs_create(struct ksmbd_work *work, const char *name, umode_t mode)
if (!err) {
ksmbd_vfs_inherit_owner(work, d_inode(path.dentry),
d_inode(dentry));
- ksmbd_vfs_inherit_smack(work, path.dentry, dentry);
} else {
ksmbd_err("File(%s): creation failed (err:%d)\n", name, err);
}
@@ -234,7 +193,6 @@ int ksmbd_vfs_mkdir(struct ksmbd_work *work, const char *name, umode_t mode)
if (!err) {
ksmbd_vfs_inherit_owner(work, d_inode(path.dentry),
d_inode(dentry));
- ksmbd_vfs_inherit_smack(work, path.dentry, dentry);
} else {
ksmbd_err("mkdir(%s): creation failed (err:%d)\n", name, err);
}
From patchwork Mon Nov 14 12:48:56 2022
X-Patchwork-Submitter: Jason Yan <yanaijie(a)huawei.com>
X-Patchwork-Id: 183124
From: Jason Yan <yanaijie(a)huawei.com>
To: <yanaijie(a)huawei.com>, <zhengzengkai(a)huawei.com>, <xiexiuqi(a)huawei.com>,
<yi.zhang(a)huawei.com>, <patchwork(a)huawei.com>, <kernel.openeuler(a)huawei.com>,
<houtao1(a)huawei.com>
Subject: [PATCH OLK-5.10 v2 027/308] cifsd: remove calling d_path in error
paths
Date: Mon, 14 Nov 2022 20:48:56 +0800
Message-ID: <20221114125337.1831594-28-yanaijie(a)huawei.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20221114125337.1831594-1-yanaijie(a)huawei.com>
References: <20221114125337.1831594-1-yanaijie(a)huawei.com>
From: Hyunchul Lee <hyc.lee(a)gmail.com>
mainline inclusion
from mainline-5.15-rc1
commit 96a34377dc5a0969b7b0404fce84159b7c8f89d7
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G
CVE: NA
Reference: https://git.kernel.org/torvalds/linux/c/96a34377dc5a
-------------------------------
Calling d_path is excessive in error paths.
Signed-off-by: Hyunchul Lee <hyc.lee(a)gmail.com>
Signed-off-by: Namjae Jeon <namjae.jeon(a)samsung.com>
Signed-off-by: Steve French <stfrench(a)microsoft.com>
Signed-off-by: Jason Yan <yanaijie(a)huawei.com>
---
fs/cifsd/vfs.c | 8 ++------
1 file changed, 2 insertions(+), 6 deletions(-)
diff --git a/fs/cifsd/vfs.c b/fs/cifsd/vfs.c
index 0ecdb5121c3a..b509c90d911f 100644
--- a/fs/cifsd/vfs.c
+++ b/fs/cifsd/vfs.c
@@ -312,9 +312,8 @@ int ksmbd_vfs_read(struct ksmbd_work *work, struct ksmbd_file *fp, size_t count,
{
struct file *filp;
ssize_t nbytes = 0;
- char *rbuf, *name;
+ char *rbuf;
struct inode *inode;
- char namebuf[NAME_MAX];
rbuf = work->aux_payload_buf;
filp = fp->filp;
@@ -348,11 +347,8 @@ int ksmbd_vfs_read(struct ksmbd_work *work, struct ksmbd_file *fp, size_t count,
nbytes = kernel_read(filp, rbuf, count, pos);
if (nbytes < 0) {
- name = d_path(&filp->f_path, namebuf, sizeof(namebuf));
- if (IS_ERR(name))
- name = "(error)";
ksmbd_err("smb read failed for (%s), err = %zd\n",
- name, nbytes);
+ fp->filename, nbytes);
return nbytes;
}
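Review bot: The error message in ksmbd_vfs_read() now prints fp->filename instead of the d_path() result, and nothing in this hunk shows that fp->filename is non-NULL or kept in sync with the file's current path. Please confirm it is always set before a read can be issued, and say in the changelog that the log now shows the name stored in the ksmbd_file rather than the path resolved at the time of the failure. Dropping the buffer itself is reasonable: a NAME_MAX-sized namebuf was too small for d_path() on longer full paths, which would have produced "(error)" in the log.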
From patchwork Mon Nov 14 12:48:57 2022
X-Patchwork-Submitter: Jason Yan <yanaijie(a)huawei.com>
X-Patchwork-Id: 183125
From: Jason Yan <yanaijie(a)huawei.com>
To: <yanaijie(a)huawei.com>, <zhengzengkai(a)huawei.com>, <xiexiuqi(a)huawei.com>,
<yi.zhang(a)huawei.com>, <patchwork(a)huawei.com>, <kernel.openeuler(a)huawei.com>,
<houtao1(a)huawei.com>
Subject: [PATCH OLK-5.10 v2 028/308] cifsd: handle unhashed dentry in
ksmbd_vfs_mkdir
Date: Mon, 14 Nov 2022 20:48:57 +0800
Message-ID: <20221114125337.1831594-29-yanaijie(a)huawei.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20221114125337.1831594-1-yanaijie(a)huawei.com>
References: <20221114125337.1831594-1-yanaijie(a)huawei.com>
From: Hyunchul Lee <hyc.lee(a)gmail.com>
mainline inclusion
from mainline-5.15-rc1
commit 1637023594c1fd11fa4d77dd0c9493a864aa0d17
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G
CVE: NA
Reference: https://git.kernel.org/torvalds/linux/c/1637023594c1
-------------------------------
vfs_mkdir could return the dentry left unhashed negative on success.
Signed-off-by: Hyunchul Lee <hyc.lee(a)gmail.com>
Signed-off-by: Namjae Jeon <namjae.jeon(a)samsung.com>
Signed-off-by: Steve French <stfrench(a)microsoft.com>
Signed-off-by: Jason Yan <yanaijie(a)huawei.com>
---
fs/cifsd/vfs.c | 28 +++++++++++++++++++++++-----
1 file changed, 23 insertions(+), 5 deletions(-)
diff --git a/fs/cifsd/vfs.c b/fs/cifsd/vfs.c
index b509c90d911f..bdc30a7b6d52 100644
--- a/fs/cifsd/vfs.c
+++ b/fs/cifsd/vfs.c
@@ -190,14 +190,32 @@ int ksmbd_vfs_mkdir(struct ksmbd_work *work, const char *name, umode_t mode)
mode |= S_IFDIR;
err = vfs_mkdir(&init_user_ns, d_inode(path.dentry), dentry, mode);
- if (!err) {
+ if (err)
+ goto out;
+ else if (d_unhashed(dentry)) {
+ struct dentry *d;
+
+ d = lookup_one_len(dentry->d_name.name,
+ dentry->d_parent,
+ dentry->d_name.len);
+ if (IS_ERR(d)) {
+ err = PTR_ERR(d);
+ goto out;
+ }
+ if (unlikely(d_is_negative(d))) {
+ dput(d);
+ err = -ENOENT;
+ goto out;
+ }
+
ksmbd_vfs_inherit_owner(work, d_inode(path.dentry),
- d_inode(dentry));
- } else {
- ksmbd_err("mkdir(%s): creation failed (err:%d)\n", name, err);
+ d_inode(d));
+ dput(d);
}
-
+out:
done_path_create(&path, dentry);
+ if (err)
+ ksmbd_err("mkdir(%s): creation failed (err:%d)\n", name, err);
return err;
}
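Review bot: After this change ksmbd_vfs_inherit_owner() is only called inside the else if (d_unhashed(dentry)) branch, so when vfs_mkdir() succeeds and the dentry is still hashed, the new directory no longer inherits the parent's owner; the old code called it on every success. Keep the call for the hashed case too, passing d_inode(dentry) as before when d_unhashed() is false. Minor: the else after goto out is redundant, and the if and else if arms should both use braces.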
From patchwork Mon Nov 14 12:48:58 2022
X-Patchwork-Submitter: Jason Yan <yanaijie(a)huawei.com>
X-Patchwork-Id: 183126
From: Jason Yan <yanaijie(a)huawei.com>
To: <yanaijie(a)huawei.com>, <zhengzengkai(a)huawei.com>, <xiexiuqi(a)huawei.com>,
<yi.zhang(a)huawei.com>, <patchwork(a)huawei.com>, <kernel.openeuler(a)huawei.com>,
<houtao1(a)huawei.com>
Subject: [PATCH OLK-5.10 v2 029/308] cifsd: use file_inode() instead of
d_inode()
Date: Mon, 14 Nov 2022 20:48:58 +0800
Message-ID: <20221114125337.1831594-30-yanaijie(a)huawei.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20221114125337.1831594-1-yanaijie(a)huawei.com>
References: <20221114125337.1831594-1-yanaijie(a)huawei.com>
From: Hyunchul Lee <hyc.lee(a)gmail.com>
mainline inclusion
from mainline-5.15-rc1
commit d2f72ed8fa0c0e6c90af8ee0bbb39d41ab2d5465
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G
CVE: NA
Reference: https://git.kernel.org/torvalds/linux/c/d2f72ed8fa0c
-------------------------------
Use file_inode() to get layered filesystems right.
Signed-off-by: Hyunchul Lee <hyc.lee(a)gmail.com>
Signed-off-by: Namjae Jeon <namjae.jeon(a)samsung.com>
Signed-off-by: Steve French <stfrench(a)microsoft.com>
Signed-off-by: Jason Yan <yanaijie(a)huawei.com>
---
fs/cifsd/vfs.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/fs/cifsd/vfs.c b/fs/cifsd/vfs.c
index bdc30a7b6d52..6313d5ca4b46 100644
--- a/fs/cifsd/vfs.c
+++ b/fs/cifsd/vfs.c
@@ -335,7 +335,7 @@ int ksmbd_vfs_read(struct ksmbd_work *work, struct ksmbd_file *fp, size_t count,
rbuf = work->aux_payload_buf;
filp = fp->filp;
- inode = d_inode(filp->f_path.dentry);
+ inode = file_inode(filp);
if (S_ISDIR(inode->i_mode))
return -EISDIR;
From patchwork Mon Nov 14 12:48:59 2022
X-Patchwork-Submitter: Jason Yan <yanaijie(a)huawei.com>
X-Patchwork-Id: 183127
From: Jason Yan <yanaijie(a)huawei.com>
To: <yanaijie(a)huawei.com>, <zhengzengkai(a)huawei.com>, <xiexiuqi(a)huawei.com>,
<yi.zhang(a)huawei.com>, <patchwork(a)huawei.com>, <kernel.openeuler(a)huawei.com>,
<houtao1(a)huawei.com>
Subject: [PATCH OLK-5.10 v2 030/308] cifsd: remove useless error handling in
ksmbd_vfs_read
Date: Mon, 14 Nov 2022 20:48:59 +0800
Message-ID: <20221114125337.1831594-31-yanaijie(a)huawei.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20221114125337.1831594-1-yanaijie(a)huawei.com>
References: <20221114125337.1831594-1-yanaijie(a)huawei.com>
From: Hyunchul Lee <hyc.lee(a)gmail.com>
mainline inclusion
from mainline-5.15-rc1
commit 8044ee8e64b4fdb068e504ec3ade597d1ccad456
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G
CVE: NA
Reference: https://git.kernel.org/torvalds/linux/c/8044ee8e64b4
-------------------------------
dentry->d_inode never happens to be NULL if we hold the dentry.
Signed-off-by: Hyunchul Lee <hyc.lee(a)gmail.com>
Signed-off-by: Namjae Jeon <namjae.jeon(a)samsung.com>
Signed-off-by: Steve French <stfrench(a)microsoft.com>
Signed-off-by: Jason Yan <yanaijie(a)huawei.com>
---
fs/cifsd/vfs.c | 17 ++++++-----------
1 file changed, 6 insertions(+), 11 deletions(-)
diff --git a/fs/cifsd/vfs.c b/fs/cifsd/vfs.c
index 6313d5ca4b46..ef823679f6be 100644
--- a/fs/cifsd/vfs.c
+++ b/fs/cifsd/vfs.c
@@ -550,7 +550,7 @@ int ksmbd_vfs_fsync(struct ksmbd_work *work, u64 fid, u64 p_id)
int ksmbd_vfs_remove_file(struct ksmbd_work *work, char *name)
{
struct path parent;
- struct dentry *dir, *dentry;
+ struct dentry *dentry;
char *last;
int err;
@@ -569,12 +569,8 @@ int ksmbd_vfs_remove_file(struct ksmbd_work *work, char *name)
return err;
}
- dir = parent.dentry;
- if (!d_inode(dir))
- goto out;
-
- inode_lock_nested(d_inode(dir), I_MUTEX_PARENT);
- dentry = lookup_one_len(last, dir, strlen(last));
+ inode_lock_nested(d_inode(parent.dentry), I_MUTEX_PARENT);
+ dentry = lookup_one_len(last, parent.dentry, strlen(last));
if (IS_ERR(dentry)) {
err = PTR_ERR(dentry);
ksmbd_debug(VFS, "%s: lookup failed, err %d\n", last, err);
@@ -588,12 +584,12 @@ int ksmbd_vfs_remove_file(struct ksmbd_work *work, char *name)
}
if (S_ISDIR(d_inode(dentry)->i_mode)) {
- err = vfs_rmdir(&init_user_ns, d_inode(dir), dentry);
+ err = vfs_rmdir(&init_user_ns, d_inode(parent.dentry), dentry);
if (err && err != -ENOTEMPTY)
ksmbd_debug(VFS, "%s: rmdir failed, err %d\n", name,
err);
} else {
- err = vfs_unlink(&init_user_ns, d_inode(dir), dentry, NULL);
+ err = vfs_unlink(&init_user_ns, d_inode(parent.dentry), dentry, NULL);
if (err)
ksmbd_debug(VFS, "%s: unlink failed, err %d\n", name,
err);
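Review bot: Dropping the local dir leaves d_inode(parent.dentry) spelled out four times in ksmbd_vfs_remove_file(), and the vfs_unlink() call in this hunk is long enough to run past 80 columns once indented. Consider keeping a local for the parent inode, or wrap the vfs_unlink() arguments onto a second line.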
@@ -601,8 +597,7 @@ int ksmbd_vfs_remove_file(struct ksmbd_work *work, char *name)
dput(dentry);
out_err:
- inode_unlock(d_inode(dir));
-out:
+ inode_unlock(d_inode(parent.dentry));
rollback_path_modification(last);
path_put(&parent);
ksmbd_revert_fsids(work);
From patchwork Mon Nov 14 12:49:00 2022
X-Patchwork-Submitter: Jason Yan <yanaijie(a)huawei.com>
X-Patchwork-Id: 183128
From: Jason Yan <yanaijie(a)huawei.com>
To: <yanaijie(a)huawei.com>, <zhengzengkai(a)huawei.com>, <xiexiuqi(a)huawei.com>,
<yi.zhang(a)huawei.com>, <patchwork(a)huawei.com>, <kernel.openeuler(a)huawei.com>,
<houtao1(a)huawei.com>
Subject: [PATCH OLK-5.10 v2 031/308] cifsd: use xarray instead of linked list
for tree connect list
Date: Mon, 14 Nov 2022 20:49:00 +0800
Message-ID: <20221114125337.1831594-32-yanaijie(a)huawei.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20221114125337.1831594-1-yanaijie(a)huawei.com>
References: <20221114125337.1831594-1-yanaijie(a)huawei.com>
From: Namjae Jeon <namjae.jeon(a)samsung.com>
mainline inclusion
from mainline-5.15-rc1
commit 02b68b2065c91ce706f462fd509032a77db5d9dc
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G
CVE: NA
Reference: https://git.kernel.org/torvalds/linux/c/02b68b2065c9
-------------------------------
Matthew suggested changing the linked list of the tree connect list to an xarray.
Tree connect lookup will then take O(log(n)) time instead of O(n) time.
Signed-off-by: Namjae Jeon <namjae.jeon(a)samsung.com>
Signed-off-by: Steve French <stfrench(a)microsoft.com>
Signed-off-by: Jason Yan <yanaijie(a)huawei.com>
---
fs/cifsd/mgmt/tree_connect.c | 35 +++++++++++++++--------------------
fs/cifsd/mgmt/user_session.c | 4 +++-
fs/cifsd/mgmt/user_session.h | 6 +++++-
fs/cifsd/smb2pdu.c | 2 +-
4 files changed, 24 insertions(+), 23 deletions(-)
diff --git a/fs/cifsd/mgmt/tree_connect.c b/fs/cifsd/mgmt/tree_connect.c
index d5670f2596a3..0c8374e8240f 100644
--- a/fs/cifsd/mgmt/tree_connect.c
+++ b/fs/cifsd/mgmt/tree_connect.c
@@ -5,6 +5,8 @@
#include <linux/list.h>
#include <linux/slab.h>
+#include <linux/version.h>
+#include <linux/xarray.h>
#include "../buffer_pool.h"
#include "../transport_ipc.h"
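Review bot: <linux/version.h> is added here, and again in user_session.c and user_session.h, but none of the changed lines use a version macro; drop it and keep only <linux/xarray.h>. If tree_connect.c no longer touches any list after this conversion, <linux/list.h> can go as well.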
@@ -23,6 +25,7 @@ ksmbd_tree_conn_connect(struct ksmbd_session *sess, char *share_name)
struct ksmbd_share_config *sc;
struct ksmbd_tree_connect *tree_conn = NULL;
struct sockaddr *peer_addr;
+ int ret;
sc = ksmbd_share_config_get(share_name);
if (!sc)
@@ -59,8 +62,12 @@ ksmbd_tree_conn_connect(struct ksmbd_session *sess, char *share_name)
tree_conn->share_conf = sc;
status.tree_conn = tree_conn;
- list_add(&tree_conn->list, &sess->tree_conn_list);
-
+ ret = xa_err(xa_store(&sess->tree_conns, tree_conn->id, tree_conn,
+ GFP_KERNEL));
+ if (ret) {
+ status.ret = -ENOMEM;
+ goto out_error;
+ }
ksmbd_free(resp);
return status;
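Review bot: status.tree_conn is assigned before xa_store() runs, so on the failure path the status handed back to the caller still carries a tree_conn pointer next to status.ret = -ENOMEM; if out_error frees tree_conn (not visible in this hunk), that pointer is dangling. Assign status.tree_conn only after the store has succeeded, or clear it before goto out_error. Note also that xa_store() silently replaces an existing entry at tree_conn->id, so this relies on the id allocator never handing out an id that is still stored.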
@@ -80,7 +87,7 @@ int ksmbd_tree_conn_disconnect(struct ksmbd_session *sess,
ret = ksmbd_ipc_tree_disconnect_request(sess->id, tree_conn->id);
ksmbd_release_tree_conn_id(sess, tree_conn->id);
- list_del(&tree_conn->list);
+ xa_erase(&sess->tree_conns, tree_conn->id);
ksmbd_share_config_put(tree_conn->share_conf);
ksmbd_free(tree_conn);
return ret;
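Review bot: ksmbd_release_tree_conn_id() runs before xa_erase(), so the id becomes available for reuse while the old entry is still stored under it. If a tree connect on the same session can run concurrently, it can be handed the same id and xa_store() its entry, which this xa_erase() then removes. Erase from sess->tree_conns first and release the id afterwards.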
@@ -89,15 +96,7 @@ int ksmbd_tree_conn_disconnect(struct ksmbd_session *sess,
struct ksmbd_tree_connect *ksmbd_tree_conn_lookup(struct ksmbd_session *sess,
unsigned int id)
{
- struct ksmbd_tree_connect *tree_conn;
- struct list_head *tmp;
-
- list_for_each(tmp, &sess->tree_conn_list) {
- tree_conn = list_entry(tmp, struct ksmbd_tree_connect, list);
- if (tree_conn->id == id)
- return tree_conn;
- }
- return NULL;
+ return xa_load(&sess->tree_conns, id);
}
struct ksmbd_share_config *ksmbd_tree_conn_share(struct ksmbd_session *sess,
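Review bot: ksmbd_tree_conn_lookup() now returns the raw xa_load() result with no reference taken, while ksmbd_tree_conn_disconnect() frees the object with ksmbd_free() right after xa_erase(). The xarray keeps the lookup itself safe against concurrent modification, but not the lifetime of the returned tree_conn. This was already true of the list version, but since the function is being rewritten, please document what serialises lookup against disconnect, or add a reference count.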
@@ -114,15 +113,11 @@ struct ksmbd_share_config *ksmbd_tree_conn_share(struct ksmbd_session *sess,
int ksmbd_tree_conn_session_logoff(struct ksmbd_session *sess)
{
int ret = 0;
+ struct ksmbd_tree_connect *tc;
+ unsigned long id;
- while (!list_empty(&sess->tree_conn_list)) {
- struct ksmbd_tree_connect *tc;
-
- tc = list_entry(sess->tree_conn_list.next,
- struct ksmbd_tree_connect,
- list);
+ xa_for_each(&sess->tree_conns, id, tc)
ret |= ksmbd_tree_conn_disconnect(sess, tc);
- }
-
+ xa_destroy(&sess->tree_conns);
return ret;
}
diff --git a/fs/cifsd/mgmt/user_session.c b/fs/cifsd/mgmt/user_session.c
index 5a2113bf18ef..f5cc7a62d848 100644
--- a/fs/cifsd/mgmt/user_session.c
+++ b/fs/cifsd/mgmt/user_session.c
@@ -6,6 +6,8 @@
#include <linux/list.h>
#include <linux/slab.h>
#include <linux/rwsem.h>
+#include <linux/version.h>
+#include <linux/xarray.h>
#include "ksmbd_ida.h"
#include "user_session.h"
@@ -275,7 +277,7 @@ static struct ksmbd_session *__session_create(int protocol)
set_session_flag(sess, protocol);
INIT_LIST_HEAD(&sess->sessions_entry);
- INIT_LIST_HEAD(&sess->tree_conn_list);
+ xa_init(&sess->tree_conns);
INIT_LIST_HEAD(&sess->ksmbd_chann_list);
INIT_LIST_HEAD(&sess->rpc_handle_list);
sess->sequence_number = 1;
diff --git a/fs/cifsd/mgmt/user_session.h b/fs/cifsd/mgmt/user_session.h
index 68018f0f5c0b..1a97c851f2fc 100644
--- a/fs/cifsd/mgmt/user_session.h
+++ b/fs/cifsd/mgmt/user_session.h
@@ -7,6 +7,8 @@
#define __USER_SESSION_MANAGEMENT_H__
#include <linux/hashtable.h>
+#include <linux/version.h>
+#include <linux/xarray.h>
#include "../smb_common.h"
#include "../ntlmssp.h"
@@ -50,10 +52,12 @@ struct ksmbd_session {
struct hlist_node hlist;
struct list_head ksmbd_chann_list;
- struct list_head tree_conn_list;
+ struct xarray tree_conns;
struct ksmbd_ida *tree_conn_ida;
struct list_head rpc_handle_list;
+
+
__u8 smb3encryptionkey[SMB3_SIGN_KEY_SIZE];
__u8 smb3decryptionkey[SMB3_SIGN_KEY_SIZE];
__u8 smb3signingkey[SMB3_SIGN_KEY_SIZE];
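Review bot: The two blank lines added after rpc_handle_list are stray whitespace unrelated to the xarray conversion; drop them from this hunk.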
diff --git a/fs/cifsd/smb2pdu.c b/fs/cifsd/smb2pdu.c
index 139041768f65..0b7199444f73 100644
--- a/fs/cifsd/smb2pdu.c
+++ b/fs/cifsd/smb2pdu.c
@@ -104,7 +104,7 @@ int smb2_get_ksmbd_tcon(struct ksmbd_work *work)
return 0;
}
- if (list_empty(&work->sess->tree_conn_list)) {
+ if (xa_empty(&work->sess->tree_conns)) {
ksmbd_debug(SMB, "NO tree connected\n");
return -1;
}
From patchwork Mon Nov 14 12:49:01 2022
X-Patchwork-Submitter: Jason Yan <yanaijie(a)huawei.com>
X-Patchwork-Id: 183129
From: Jason Yan <yanaijie(a)huawei.com>
To: <yanaijie(a)huawei.com>, <zhengzengkai(a)huawei.com>, <xiexiuqi(a)huawei.com>,
<yi.zhang(a)huawei.com>, <patchwork(a)huawei.com>, <kernel.openeuler(a)huawei.com>,
<houtao1(a)huawei.com>
Subject: [PATCH OLK-5.10 v2 032/308] cifsd: remove stale prototype and
variables
Date: Mon, 14 Nov 2022 20:49:01 +0800
Message-ID: <20221114125337.1831594-33-yanaijie(a)huawei.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20221114125337.1831594-1-yanaijie(a)huawei.com>
References: <20221114125337.1831594-1-yanaijie(a)huawei.com>
From: Gibeom Kim <gibeomii.kim(a)samsung.com>
mainline inclusion
from mainline-5.15-rc1
commit 5da64d8784d36c0601743a5159a598f5888089c7
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G
CVE: NA
Reference: https://git.kernel.org/torvalds/linux/c/5da64d8784d3
-------------------------------
Remove unused function prototype and variables.
Signed-off-by: Gibeom Kim <gibeomii.kim(a)samsung.com>
Signed-off-by: Namjae Jeon <namjae.jeon(a)samsung.com>
Signed-off-by: Steve French <stfrench(a)microsoft.com>
Signed-off-by: Jason Yan <yanaijie(a)huawei.com>
---
fs/cifsd/glob.h | 1 -
fs/cifsd/oplock.h | 3 ---
fs/cifsd/server.h | 2 --
fs/cifsd/smbacl.h | 1 -
fs/cifsd/unicode.h | 2 --
fs/cifsd/vfs.h | 3 ---
6 files changed, 12 deletions(-)
diff --git a/fs/cifsd/glob.h b/fs/cifsd/glob.h
index 27500afbeaf5..d0bc6edd0477 100644
--- a/fs/cifsd/glob.h
+++ b/fs/cifsd/glob.h
@@ -19,7 +19,6 @@
/* @FIXME clean up this code */
extern int ksmbd_debug_types;
-extern int ksmbd_caseless_search;
#define DATA_STREAM 1
#define DIR_STREAM 2
diff --git a/fs/cifsd/oplock.h b/fs/cifsd/oplock.h
index 5b6615f99c76..f8b4b486eb93 100644
--- a/fs/cifsd/oplock.h
+++ b/fs/cifsd/oplock.h
@@ -123,9 +123,6 @@ void create_mxac_rsp_buf(char *cc, int maximal_access);
void create_disk_id_rsp_buf(char *cc, __u64 file_id, __u64 vol_id);
void create_posix_rsp_buf(char *cc, struct ksmbd_file *fp);
struct create_context *smb2_find_context_vals(void *open_req, const char *str);
-int ksmbd_durable_verify_and_del_oplock(struct ksmbd_session *curr_sess,
- struct ksmbd_session *prev_sess, int fid, struct file **filp,
- u64 sess_id);
struct oplock_info *lookup_lease_in_table(struct ksmbd_conn *conn,
char *lease_key);
int find_same_lease_key(struct ksmbd_session *sess, struct ksmbd_inode *ci,
diff --git a/fs/cifsd/server.h b/fs/cifsd/server.h
index 7b2f6318fcff..b682d28963e8 100644
--- a/fs/cifsd/server.h
+++ b/fs/cifsd/server.h
@@ -17,8 +17,6 @@
#define SERVER_CONF_SERVER_STRING 1
#define SERVER_CONF_WORK_GROUP 2
-extern int ksmbd_debugging;
-
struct ksmbd_server_config {
unsigned int flags;
unsigned int state;
diff --git a/fs/cifsd/smbacl.h b/fs/cifsd/smbacl.h
index 9b22bff4191f..032b6a3ec6f4 100644
--- a/fs/cifsd/smbacl.h
+++ b/fs/cifsd/smbacl.h
@@ -193,7 +193,6 @@ int smb_inherit_dacl(struct ksmbd_conn *conn, struct dentry *dentry,
unsigned int uid, unsigned int gid);
int smb_check_perm_dacl(struct ksmbd_conn *conn, struct dentry *dentry,
__le32 *pdaccess, int uid);
-int store_init_posix_acl(struct inode *inode, umode_t perm);
int set_info_sec(struct ksmbd_conn *conn, struct ksmbd_tree_connect *tcon,
struct dentry *dentry, struct smb_ntsd *pntsd, int ntsd_len,
bool type_check);
diff --git a/fs/cifsd/unicode.h b/fs/cifsd/unicode.h
index c37d7024cf60..68f1c8290911 100644
--- a/fs/cifsd/unicode.h
+++ b/fs/cifsd/unicode.h
@@ -71,8 +71,6 @@ int smbConvertToUTF16(__le16 *target, const char *source, int srclen,
char *ksmbd_extract_sharename(char *treename);
#endif
-wchar_t cifs_toupper(wchar_t in);
-
/*
* UniStrcat: Concatenate the second string to the first
*
diff --git a/fs/cifsd/vfs.h b/fs/cifsd/vfs.h
index e1ca9ac11ba5..b41b23d40636 100644
--- a/fs/cifsd/vfs.h
+++ b/fs/cifsd/vfs.h
@@ -205,8 +205,6 @@ int ksmbd_vfs_remove_file(struct ksmbd_work *work, char *name);
int ksmbd_vfs_link(struct ksmbd_work *work,
const char *oldname, const char *newname);
int ksmbd_vfs_getattr(struct path *path, struct kstat *stat);
-int ksmbd_vfs_symlink(const char *name, const char *symname);
-int ksmbd_vfs_readlink(struct path *path, char *buf, int lenp);
int ksmbd_vfs_fp_rename(struct ksmbd_work *work, struct ksmbd_file *fp,
char *newname);
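Review bot: The `ksmbd_vfs_symlink()` and `ksmbd_vfs_readlink()` prototypes are dropped from fs/cifsd/vfs.h, but the diffstat shows no .c file changes. If the function bodies are still in vfs.c they now build as non-static functions without a prototype and trip -Wmissing-prototypes. The commit message should say whether the definitions were removed earlier, or the patch should delete them together with the prototypes.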
@@ -230,7 +228,6 @@ int ksmbd_vfs_setxattr(struct dentry *dentry, const char *attr_name,
const void *attr_value, size_t attr_size, int flags);
int ksmbd_vfs_xattr_stream_name(char *stream_name, char **xattr_stream_name,
size_t *xattr_stream_name_size, int s_type);
-int ksmbd_vfs_truncate_xattr(struct dentry *dentry, int wo_streams);
int ksmbd_vfs_remove_xattr(struct dentry *dentry, char *attr_name);
void ksmbd_vfs_xattr_free(char *xattr);
int ksmbd_vfs_kern_path(char *name, unsigned int flags, struct path *path,
From patchwork Mon Nov 14 12:49:02 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Jason Yan <yanaijie(a)huawei.com>
X-Patchwork-Id: 183130
From: Jason Yan <yanaijie(a)huawei.com>
To: <yanaijie(a)huawei.com>, <zhengzengkai(a)huawei.com>, <xiexiuqi(a)huawei.com>,
<yi.zhang(a)huawei.com>, <patchwork(a)huawei.com>, <kernel.openeuler(a)huawei.com>,
<houtao1(a)huawei.com>
Subject: [PATCH OLK-5.10 v2 033/308] cifsd: fix memory leak when loop ends
Date: Mon, 14 Nov 2022 20:49:02 +0800
Message-ID: <20221114125337.1831594-34-yanaijie(a)huawei.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20221114125337.1831594-1-yanaijie(a)huawei.com>
References: <20221114125337.1831594-1-yanaijie(a)huawei.com>
From: Muhammad Usama Anjum <musamaanjum(a)gmail.com>
mainline inclusion
from mainline-5.15-rc1
commit c250e8f5566f2e1a0ea177837520eff8e59c0b7d
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G
CVE: NA
Reference: https://git.kernel.org/torvalds/linux/c/c250e8f5566f
-------------------------------
Memory is being allocated and if veto_list is zero, the loop breaks
without cleaning up the allocated memory. In this patch, the length
check has been moved before allocation. If loop breaks, the memory isn't
allocated in the first place. Thus the memory is being protected from
leaking.
Reported-by: coverity-bot <keescook+coverity-bot(a)chromium.org>
Addresses-Coverity-ID: 1503590 ("Resource leaks")
Signed-off-by: Muhammad Usama Anjum <musamaanjum(a)gmail.com>
Signed-off-by: Namjae Jeon <namjae.jeon(a)samsung.com>
Signed-off-by: Steve French <stfrench(a)microsoft.com>
Signed-off-by: Jason Yan <yanaijie(a)huawei.com>
---
fs/cifsd/mgmt/share_config.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/fs/cifsd/mgmt/share_config.c b/fs/cifsd/mgmt/share_config.c
index db780febd692..b2bd789af945 100644
--- a/fs/cifsd/mgmt/share_config.c
+++ b/fs/cifsd/mgmt/share_config.c
@@ -92,14 +92,14 @@ static int parse_veto_list(struct ksmbd_share_config *share,
while (veto_list_sz > 0) {
struct ksmbd_veto_pattern *p;
- p = kzalloc(sizeof(struct ksmbd_veto_pattern), GFP_KERNEL);
- if (!p)
- return -ENOMEM;
-
sz = strlen(veto_list);
if (!sz)
break;
+ p = kzalloc(sizeof(struct ksmbd_veto_pattern), GFP_KERNEL);
+ if (!p)
+ return -ENOMEM;
+
p->pattern = kstrdup(veto_list, GFP_KERNEL);
if (!p->pattern) {
ksmbd_free(p);
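Review bot: The two `return -ENOMEM` exits inside the `while (veto_list_sz > 0)` loop of parse_veto_list() still leave in the middle of the walk. The hunk does not show where `p` is linked, so please confirm that patterns queued by earlier iterations are released by the caller when this function fails. Separately, `if (!sz) break;` stops parsing while `veto_list_sz` is still positive, so any patterns that follow an empty entry are silently ignored; if that is intended, a one-line comment above the check would help.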
From patchwork Mon Nov 14 12:49:03 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Jason Yan <yanaijie(a)huawei.com>
X-Patchwork-Id: 183131
From: Jason Yan <yanaijie(a)huawei.com>
To: <yanaijie(a)huawei.com>, <zhengzengkai(a)huawei.com>, <xiexiuqi(a)huawei.com>,
<yi.zhang(a)huawei.com>, <patchwork(a)huawei.com>, <kernel.openeuler(a)huawei.com>,
<houtao1(a)huawei.com>
Subject: [PATCH OLK-5.10 v2 034/308] cifsd: use kfree to free memory allocated
by kmalloc or kzalloc
Date: Mon, 14 Nov 2022 20:49:03 +0800
Message-ID: <20221114125337.1831594-35-yanaijie(a)huawei.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20221114125337.1831594-1-yanaijie(a)huawei.com>
References: <20221114125337.1831594-1-yanaijie(a)huawei.com>
From: Muhammad Usama Anjum <musamaanjum(a)gmail.com>
mainline inclusion
from mainline-5.15-rc1
commit 822bc8ea514ecd4a8bbb86237858146ca8845eba
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G
CVE: NA
Reference: https://git.kernel.org/torvalds/linux/c/822bc8ea514e
-------------------------------
kfree should be used to free memory allocated by kmalloc or kzalloc to
avoid any overhead and for maintaining consistency.
Signed-off-by: Muhammad Usama Anjum <musamaanjum(a)gmail.com>
Signed-off-by: Namjae Jeon <namjae.jeon(a)samsung.com>
Signed-off-by: Steve French <stfrench(a)microsoft.com>
Signed-off-by: Jason Yan <yanaijie(a)huawei.com>
---
fs/cifsd/buffer_pool.c | 4 ++--
fs/cifsd/mgmt/share_config.c | 2 +-
fs/cifsd/mgmt/user_config.c | 8 ++++----
fs/cifsd/mgmt/user_session.c | 6 +++---
fs/cifsd/smb2pdu.c | 4 ++--
fs/cifsd/transport_tcp.c | 2 +-
fs/cifsd/vfs_cache.c | 2 +-
7 files changed, 14 insertions(+), 14 deletions(-)
diff --git a/fs/cifsd/buffer_pool.c b/fs/cifsd/buffer_pool.c
index ad2a2c885a2c..a9ef3e703232 100644
--- a/fs/cifsd/buffer_pool.c
+++ b/fs/cifsd/buffer_pool.c
@@ -78,7 +78,7 @@ static int register_wm_size_class(size_t sz)
list_for_each_entry(l, &wm_lists, list) {
if (l->sz == sz) {
write_unlock(&wm_lists_lock);
- kvfree(nl);
+ kfree(nl);
return 0;
}
}
@@ -181,7 +181,7 @@ static void wm_list_free(struct wm_list *l)
list_del(&wm->list);
kvfree(wm);
}
- kvfree(l);
+ kfree(l);
}
static void wm_lists_destroy(void)
diff --git a/fs/cifsd/mgmt/share_config.c b/fs/cifsd/mgmt/share_config.c
index b2bd789af945..11abdbc8a533 100644
--- a/fs/cifsd/mgmt/share_config.c
+++ b/fs/cifsd/mgmt/share_config.c
@@ -102,7 +102,7 @@ static int parse_veto_list(struct ksmbd_share_config *share,
p->pattern = kstrdup(veto_list, GFP_KERNEL);
if (!p->pattern) {
- ksmbd_free(p);
+ kfree(p);
return -ENOMEM;
}
diff --git a/fs/cifsd/mgmt/user_config.c b/fs/cifsd/mgmt/user_config.c
index f0c2f8994a6b..c31e2c4d2d6f 100644
--- a/fs/cifsd/mgmt/user_config.c
+++ b/fs/cifsd/mgmt/user_config.c
@@ -46,8 +46,8 @@ struct ksmbd_user *ksmbd_alloc_user(struct ksmbd_login_response *resp)
if (!user->name || !user->passkey) {
kfree(user->name);
- ksmbd_free(user->passkey);
- ksmbd_free(user);
+ kfree(user->passkey);
+ kfree(user);
user = NULL;
}
return user;
@@ -57,8 +57,8 @@ void ksmbd_free_user(struct ksmbd_user *user)
{
ksmbd_ipc_logout_request(user->name);
kfree(user->name);
- ksmbd_free(user->passkey);
- ksmbd_free(user);
+ kfree(user->passkey);
+ kfree(user);
}
int ksmbd_anonymous_user(struct ksmbd_user *user)
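Review bot: `user->passkey` is credential material, and ksmbd_free_user() now releases it with plain `kfree()`, which leaves the key bytes in the freed object until the slab is reused. Consider `kfree_sensitive(user->passkey)` here, and in the error path of ksmbd_alloc_user(), so the buffer is zeroed before it goes back to the allocator.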
diff --git a/fs/cifsd/mgmt/user_session.c b/fs/cifsd/mgmt/user_session.c
index f5cc7a62d848..9dfe222e51ab 100644
--- a/fs/cifsd/mgmt/user_session.c
+++ b/fs/cifsd/mgmt/user_session.c
@@ -55,7 +55,7 @@ static void __session_rpc_close(struct ksmbd_session *sess,
ksmbd_free(resp);
ksmbd_rpc_id_free(entry->id);
- ksmbd_free(entry);
+ kfree(entry);
}
static void ksmbd_session_rpc_clear_list(struct ksmbd_session *sess)
@@ -121,7 +121,7 @@ int ksmbd_session_rpc_open(struct ksmbd_session *sess, char *rpc_name)
return entry->id;
error:
list_del(&entry->list);
- ksmbd_free(entry);
+ kfree(entry);
return -EINVAL;
}
@@ -176,7 +176,7 @@ void ksmbd_session_destroy(struct ksmbd_session *sess)
ksmbd_release_id(session_ida, sess->id);
ksmbd_ida_free(sess->tree_conn_ida);
- ksmbd_free(sess);
+ kfree(sess);
}
static struct ksmbd_session *__session_lookup(unsigned long long id)
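Review bot: `kfree(sess)` in ksmbd_session_destroy() is only valid if `sess` can never be vmalloc-backed. The pointer was previously released through `ksmbd_free()`, a kvfree() wrapper, and none of the hunks in this patch show the matching allocation. Passing a vmalloc address to kfree() is a bug, so please name the allocation site for each converted object (`sess`, `entry`, `iface`, `ft->idr`) in the commit message, or convert the allocation and the free in the same patch.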
diff --git a/fs/cifsd/smb2pdu.c b/fs/cifsd/smb2pdu.c
index 0b7199444f73..7549b35bb792 100644
--- a/fs/cifsd/smb2pdu.c
+++ b/fs/cifsd/smb2pdu.c
@@ -1611,7 +1611,7 @@ int smb2_sess_setup(struct ksmbd_work *work)
ksmbd_conn_set_good(work);
sess->state = SMB2_SESSION_VALID;
- ksmbd_free(sess->Preauth_HashValue);
+ kfree(sess->Preauth_HashValue);
sess->Preauth_HashValue = NULL;
} else if (conn->preferred_auth_mech == KSMBD_AUTH_NTLMSSP) {
rc = generate_preauth_hash(work);
@@ -1637,7 +1637,7 @@ int smb2_sess_setup(struct ksmbd_work *work)
ksmbd_conn_set_good(work);
sess->state = SMB2_SESSION_VALID;
- ksmbd_free(sess->Preauth_HashValue);
+ kfree(sess->Preauth_HashValue);
sess->Preauth_HashValue = NULL;
}
} else {
diff --git a/fs/cifsd/transport_tcp.c b/fs/cifsd/transport_tcp.c
index 67163efcf472..040881893417 100644
--- a/fs/cifsd/transport_tcp.c
+++ b/fs/cifsd/transport_tcp.c
@@ -551,7 +551,7 @@ void ksmbd_tcp_destroy(void)
list_for_each_entry_safe(iface, tmp, &iface_list, entry) {
list_del(&iface->entry);
kfree(iface->name);
- ksmbd_free(iface);
+ kfree(iface);
}
}
diff --git a/fs/cifsd/vfs_cache.c b/fs/cifsd/vfs_cache.c
index ec631dc6f1fb..f2a863542dc7 100644
--- a/fs/cifsd/vfs_cache.c
+++ b/fs/cifsd/vfs_cache.c
@@ -829,6 +829,6 @@ void ksmbd_destroy_file_table(struct ksmbd_file_table *ft)
__close_file_table_ids(ft, NULL, session_fd_check);
idr_destroy(ft->idr);
- ksmbd_free(ft->idr);
+ kfree(ft->idr);
ft->idr = NULL;
}
From patchwork Mon Nov 14 12:49:04 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Jason Yan <yanaijie(a)huawei.com>
X-Patchwork-Id: 183132
From: Jason Yan <yanaijie(a)huawei.com>
To: <yanaijie(a)huawei.com>, <zhengzengkai(a)huawei.com>, <xiexiuqi(a)huawei.com>,
<yi.zhang(a)huawei.com>, <patchwork(a)huawei.com>, <kernel.openeuler(a)huawei.com>,
<houtao1(a)huawei.com>
Subject: [PATCH OLK-5.10 v2 035/308] cifsd: fix memdup.cocci warnings
Date: Mon, 14 Nov 2022 20:49:04 +0800
Message-ID: <20221114125337.1831594-36-yanaijie(a)huawei.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20221114125337.1831594-1-yanaijie(a)huawei.com>
References: <20221114125337.1831594-1-yanaijie(a)huawei.com>
From: kernel test robot <lkp(a)intel.com>
mainline inclusion
from mainline-5.15-rc1
commit 86f52978465b8f4e384880a5fd0543e9e455fb62
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G
CVE: NA
Reference: https://git.kernel.org/torvalds/linux/c/86f52978465b
-------------------------------
fs/cifsd/smb2pdu.c:1177:27-34: WARNING opportunity for kmemdup
Use kmemdup rather than duplicating its implementation
Generated by: scripts/coccinelle/api/memdup.cocci
Reported-by: kernel test robot <lkp(a)intel.com>
Signed-off-by: kernel test robot <lkp(a)intel.com>
Signed-off-by: Namjae Jeon <namjae.jeon(a)samsung.com>
Signed-off-by: Steve French <stfrench(a)microsoft.com>
Signed-off-by: Jason Yan <yanaijie(a)huawei.com>
---
fs/cifsd/smb2pdu.c | 6 ++----
1 file changed, 2 insertions(+), 4 deletions(-)
diff --git a/fs/cifsd/smb2pdu.c b/fs/cifsd/smb2pdu.c
index 7549b35bb792..e6cdc3b89d85 100644
--- a/fs/cifsd/smb2pdu.c
+++ b/fs/cifsd/smb2pdu.c
@@ -1161,13 +1161,11 @@ static int alloc_preauth_hash(struct ksmbd_session *sess,
if (sess->Preauth_HashValue)
return 0;
- sess->Preauth_HashValue = kmalloc(PREAUTH_HASHVALUE_SIZE, GFP_KERNEL);
+ sess->Preauth_HashValue = kmemdup(conn->preauth_info->Preauth_HashValue,
+ PREAUTH_HASHVALUE_SIZE, GFP_KERNEL);
if (!sess->Preauth_HashValue)
return -ENOMEM;
- memcpy(sess->Preauth_HashValue,
- conn->preauth_info->Preauth_HashValue,
- PREAUTH_HASHVALUE_SIZE);
return 0;
}
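Review bot: `kmemdup()` dereferences `conn->preauth_info` while the only check above it in alloc_preauth_hash() is on `sess->Preauth_HashValue`. The same dereference was present in the removed memcpy(), so behaviour is unchanged, but this is a good place to confirm that every caller reaches the function with `conn->preauth_info` set, or to add an explicit NULL check that returns an error before the copy.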
From patchwork Mon Nov 14 12:49:05 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Jason Yan <yanaijie(a)huawei.com>
X-Patchwork-Id: 183133
From: Jason Yan <yanaijie(a)huawei.com>
To: <yanaijie(a)huawei.com>, <zhengzengkai(a)huawei.com>, <xiexiuqi(a)huawei.com>,
<yi.zhang(a)huawei.com>, <patchwork(a)huawei.com>, <kernel.openeuler(a)huawei.com>,
<houtao1(a)huawei.com>
Subject: [PATCH OLK-5.10 v2 036/308] cifsd: remove wrappers of kvmalloc/kvfree
Date: Mon, 14 Nov 2022 20:49:05 +0800
Message-ID: <20221114125337.1831594-37-yanaijie(a)huawei.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20221114125337.1831594-1-yanaijie(a)huawei.com>
References: <20221114125337.1831594-1-yanaijie(a)huawei.com>
From: Namjae Jeon <namjae.jeon(a)samsung.com>
mainline inclusion
from mainline-5.15-rc1
commit 79f6b11a104f3a32f4f4a6f7808a02c301c19710
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G
CVE: NA
Reference: https://git.kernel.org/torvalds/linux/c/79f6b11a104f
-------------------------------
Do directly call kvmalloc/kvfree().
Signed-off-by: Namjae Jeon <namjae.jeon(a)samsung.com>
Signed-off-by: Steve French <stfrench(a)microsoft.com>
Signed-off-by: Jason Yan <yanaijie(a)huawei.com>
---
fs/cifsd/auth.c | 2 +-
fs/cifsd/buffer_pool.c | 36 +++-------------------------------
fs/cifsd/buffer_pool.h | 8 --------
fs/cifsd/connection.c | 6 +++---
fs/cifsd/crypto_ctx.c | 4 ++--
fs/cifsd/ksmbd_work.c | 8 ++++----
fs/cifsd/mgmt/share_config.c | 3 ++-
fs/cifsd/mgmt/tree_connect.c | 10 +++++-----
fs/cifsd/mgmt/user_config.c | 3 ++-
fs/cifsd/mgmt/user_session.c | 4 ++--
fs/cifsd/smb2pdu.c | 38 ++++++++++++++++++------------------
fs/cifsd/transport_ipc.c | 6 +++---
fs/cifsd/vfs.c | 23 +++++++++-------------
fs/cifsd/vfs.h | 1 -
14 files changed, 55 insertions(+), 97 deletions(-)
diff --git a/fs/cifsd/auth.c b/fs/cifsd/auth.c
index b9fd62f77e1c..437e58a0826d 100644
--- a/fs/cifsd/auth.c
+++ b/fs/cifsd/auth.c
@@ -709,7 +709,7 @@ int ksmbd_krb5_authenticate(struct ksmbd_session *sess, char *in_blob,
*out_len = resp->spnego_blob_len;
retval = 0;
out:
- ksmbd_free(resp);
+ kvfree(resp);
return retval;
}
#else
diff --git a/fs/cifsd/buffer_pool.c b/fs/cifsd/buffer_pool.c
index a9ef3e703232..caf22c190634 100644
--- a/fs/cifsd/buffer_pool.c
+++ b/fs/cifsd/buffer_pool.c
@@ -37,16 +37,6 @@ struct wm_list {
static LIST_HEAD(wm_lists);
static DEFINE_RWLOCK(wm_lists_lock);
-void *ksmbd_alloc(size_t size)
-{
- return kvmalloc(size, GFP_KERNEL | __GFP_ZERO);
-}
-
-void ksmbd_free(void *ptr)
-{
- kvfree(ptr);
-}
-
static struct wm *wm_alloc(size_t sz, gfp_t flags)
{
struct wm *wm;
@@ -169,7 +159,7 @@ static void release_wm(struct wm *wm, struct wm_list *wm_list)
wm_list->avail_wm--;
spin_unlock(&wm_list->wm_lock);
- ksmbd_free(wm);
+ kvfree(wm);
}
static void wm_list_free(struct wm_list *l)
@@ -195,26 +185,6 @@ static void wm_lists_destroy(void)
}
}
-void ksmbd_free_request(void *addr)
-{
- kvfree(addr);
-}
-
-void *ksmbd_alloc_request(size_t size)
-{
- return kvmalloc(size, GFP_KERNEL);
-}
-
-void ksmbd_free_response(void *buffer)
-{
- kvfree(buffer);
-}
-
-void *ksmbd_alloc_response(size_t size)
-{
- return kvmalloc(size, GFP_KERNEL | __GFP_ZERO);
-}
-
void *ksmbd_find_buffer(size_t size)
{
struct wm *wm;
@@ -247,11 +217,11 @@ void *ksmbd_realloc_response(void *ptr, size_t old_sz, size_t new_sz)
size_t sz = min(old_sz, new_sz);
void *nptr;
- nptr = ksmbd_alloc_response(new_sz);
+ nptr = kvmalloc(new_sz, GFP_KERNEL | __GFP_ZERO);
if (!nptr)
return ptr;
memcpy(nptr, ptr, sz);
- ksmbd_free_response(ptr);
+ kvfree(ptr);
return nptr;
}
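Review bot: ksmbd_realloc_response() returns the old `ptr` when the allocation fails (`if (!nptr) return ptr;`), so a caller cannot tell that the buffer is still `old_sz` bytes long. Any caller that goes on to write up to `new_sz` after this returns would overrun the old buffer. Since this hunk already rewrites both the allocation and the free, please either document that callers must detect failure by comparing the returned pointer, or change the function to report the error explicitly.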
diff --git a/fs/cifsd/buffer_pool.h b/fs/cifsd/buffer_pool.h
index 2b3d03afcf27..f7157144a92f 100644
--- a/fs/cifsd/buffer_pool.h
+++ b/fs/cifsd/buffer_pool.h
@@ -9,14 +9,6 @@
void *ksmbd_find_buffer(size_t size);
void ksmbd_release_buffer(void *buffer);
-void *ksmbd_alloc(size_t size);
-void ksmbd_free(void *ptr);
-
-void ksmbd_free_request(void *addr);
-void *ksmbd_alloc_request(size_t size);
-void ksmbd_free_response(void *buffer);
-void *ksmbd_alloc_response(size_t size);
-
void *ksmbd_realloc_response(void *ptr, size_t old_sz, size_t new_sz);
void ksmbd_free_file_struct(void *filp);
diff --git a/fs/cifsd/connection.c b/fs/cifsd/connection.c
index df56e347b709..e1814492fb58 100644
--- a/fs/cifsd/connection.c
+++ b/fs/cifsd/connection.c
@@ -37,7 +37,7 @@ void ksmbd_conn_free(struct ksmbd_conn *conn)
list_del(&conn->conns_list);
write_unlock(&conn_list_lock);
- ksmbd_free_request(conn->request_buf);
+ kvfree(conn->request_buf);
ksmbd_ida_free(conn->async_ida);
kfree(conn->preauth_info);
kfree(conn);
@@ -284,7 +284,7 @@ int ksmbd_conn_handler_loop(void *p)
if (try_to_freeze())
continue;
- ksmbd_free_request(conn->request_buf);
+ kvfree(conn->request_buf);
conn->request_buf = NULL;
size = t->ops->read(t, hdr_buf, sizeof(hdr_buf));
@@ -303,7 +303,7 @@ int ksmbd_conn_handler_loop(void *p)
/* 4 for rfc1002 length field */
size = pdu_size + 4;
- conn->request_buf = ksmbd_alloc_request(size);
+ conn->request_buf = kvmalloc(size, GFP_KERNEL);
if (!conn->request_buf)
continue;
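Review bot: With the wrapper gone, `kvmalloc(size, GFP_KERNEL)` in ksmbd_conn_handler_loop() makes two properties visible at the call site: `size` is `pdu_size + 4`, derived from the header just read from the transport, and the buffer is not zeroed. The hunk does not show an upper bound on `pdu_size` before the allocation. Please confirm that a bound check sits above this context and that nothing reads `request_buf` beyond the bytes actually received.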
diff --git a/fs/cifsd/crypto_ctx.c b/fs/cifsd/crypto_ctx.c
index 15d7e2f7c3d7..2c31e8b32de7 100644
--- a/fs/cifsd/crypto_ctx.c
+++ b/fs/cifsd/crypto_ctx.c
@@ -105,7 +105,7 @@ static struct shash_desc *alloc_shash_desc(int id)
static struct ksmbd_crypto_ctx *ctx_alloc(void)
{
- return ksmbd_alloc(sizeof(struct ksmbd_crypto_ctx));
+ return kzalloc(sizeof(struct ksmbd_crypto_ctx), GFP_KERNEL);
}
static void ctx_free(struct ksmbd_crypto_ctx *ctx)
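Review bot: The changelog does not cover this conversion. ctx_alloc() moves from `ksmbd_alloc()`, which was kvmalloc() with __GFP_ZERO, to `kzalloc()`, so the vmalloc fallback is dropped here, while the commit message only mentions calling kvmalloc/kvfree directly. That is reasonable for a fixed-size struct and the next hunk pairs it with `kfree(ctx)`, but the commit message should state that some call sites are switched to kzalloc/kfree.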
@@ -116,7 +116,7 @@ static void ctx_free(struct ksmbd_crypto_ctx *ctx)
free_shash(ctx->desc[i]);
for (i = 0; i < CRYPTO_AEAD_MAX; i++)
free_aead(ctx->ccmaes[i]);
- ksmbd_free(ctx);
+ kfree(ctx);
}
static struct ksmbd_crypto_ctx *ksmbd_find_crypto_ctx(void)
diff --git a/fs/cifsd/ksmbd_work.c b/fs/cifsd/ksmbd_work.c
index 505e59df3071..33ee52c1829f 100644
--- a/fs/cifsd/ksmbd_work.c
+++ b/fs/cifsd/ksmbd_work.c
@@ -42,16 +42,16 @@ void ksmbd_free_work_struct(struct ksmbd_work *work)
work->set_trans_buf)
ksmbd_release_buffer(work->response_buf);
else
- ksmbd_free_response(work->response_buf);
+ kvfree(work->response_buf);
if (server_conf.flags & KSMBD_GLOBAL_FLAG_CACHE_RBUF &&
work->set_read_buf)
ksmbd_release_buffer(work->aux_payload_buf);
else
- ksmbd_free_response(work->aux_payload_buf);
+ kvfree(work->aux_payload_buf);
- ksmbd_free_response(work->tr_buf);
- ksmbd_free_request(work->request_buf);
+ kfree(work->tr_buf);
+ kvfree(work->request_buf);
if (work->async_id)
ksmbd_release_id(work->conn->async_ida, work->async_id);
kmem_cache_free(work_cache, work);
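Review bot: `work->tr_buf` is now released with `kfree()` while `response_buf`, `aux_payload_buf` and `request_buf` in the same function use `kvfree()`; before this patch it went through `ksmbd_free_response()`, which was kvfree(). That is correct only if every allocation of `tr_buf` uses kmalloc or kzalloc, and the allocation is not part of this patch. Please confirm it, or keep `kvfree(work->tr_buf)`, which is safe for both kinds of pointer.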
diff --git a/fs/cifsd/mgmt/share_config.c b/fs/cifsd/mgmt/share_config.c
index 11abdbc8a533..910d03516b73 100644
--- a/fs/cifsd/mgmt/share_config.c
+++ b/fs/cifsd/mgmt/share_config.c
@@ -10,6 +10,7 @@
#include <linux/parser.h>
#include <linux/namei.h>
#include <linux/sched.h>
+#include <linux/mm.h>
#include "share_config.h"
#include "user_config.h"
@@ -182,7 +183,7 @@ static struct ksmbd_share_config *share_config_request(char *name)
up_write(&shares_table_lock);
out:
- ksmbd_free(resp);
+ kvfree(resp);
return share;
}
diff --git a/fs/cifsd/mgmt/tree_connect.c b/fs/cifsd/mgmt/tree_connect.c
index 0c8374e8240f..d3f28b10db4b 100644
--- a/fs/cifsd/mgmt/tree_connect.c
+++ b/fs/cifsd/mgmt/tree_connect.c
@@ -31,7 +31,7 @@ ksmbd_tree_conn_connect(struct ksmbd_session *sess, char *share_name)
if (!sc)
return status;
- tree_conn = ksmbd_alloc(sizeof(struct ksmbd_tree_connect));
+ tree_conn = kzalloc(sizeof(struct ksmbd_tree_connect), GFP_KERNEL);
if (!tree_conn) {
status.ret = -ENOMEM;
goto out_error;
@@ -68,15 +68,15 @@ ksmbd_tree_conn_connect(struct ksmbd_session *sess, char *share_name)
status.ret = -ENOMEM;
goto out_error;
}
- ksmbd_free(resp);
+ kvfree(resp);
return status;
out_error:
if (tree_conn)
ksmbd_release_tree_conn_id(sess, tree_conn->id);
ksmbd_share_config_put(sc);
- ksmbd_free(tree_conn);
- ksmbd_free(resp);
+ kfree(tree_conn);
+ kvfree(resp);
return status;
}
@@ -89,7 +89,7 @@ int ksmbd_tree_conn_disconnect(struct ksmbd_session *sess,
ksmbd_release_tree_conn_id(sess, tree_conn->id);
xa_erase(&sess->tree_conns, tree_conn->id);
ksmbd_share_config_put(tree_conn->share_conf);
- ksmbd_free(tree_conn);
+ kfree(tree_conn);
return ret;
}
diff --git a/fs/cifsd/mgmt/user_config.c b/fs/cifsd/mgmt/user_config.c
index c31e2c4d2d6f..7f898c5bda25 100644
--- a/fs/cifsd/mgmt/user_config.c
+++ b/fs/cifsd/mgmt/user_config.c
@@ -4,6 +4,7 @@
*/
#include <linux/slab.h>
+#include <linux/mm.h>
#include "user_config.h"
#include "../buffer_pool.h"
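Review bot: `#include "../buffer_pool.h"` stays in fs/cifsd/mgmt/user_config.c although the only buffer_pool.h symbol used in the visible hunks of this file, `ksmbd_free()`, is removed by this patch. If nothing else from that header is needed here, drop the include in the same change that adds `<linux/mm.h>`.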
@@ -23,7 +24,7 @@ struct ksmbd_user *ksmbd_login_user(const char *account)
user = ksmbd_alloc_user(resp);
out:
- ksmbd_free(resp);
+ kvfree(resp);
return user;
}
diff --git a/fs/cifsd/mgmt/user_session.c b/fs/cifsd/mgmt/user_session.c
index 9dfe222e51ab..bd5789b7e08e 100644
--- a/fs/cifsd/mgmt/user_session.c
+++ b/fs/cifsd/mgmt/user_session.c
@@ -53,7 +53,7 @@ static void __session_rpc_close(struct ksmbd_session *sess,
if (!resp)
pr_err("Unable to close RPC pipe %d\n", entry->id);
- ksmbd_free(resp);
+ kvfree(resp);
ksmbd_rpc_id_free(entry->id);
kfree(entry);
}
@@ -117,7 +117,7 @@ int ksmbd_session_rpc_open(struct ksmbd_session *sess, char *rpc_name)
if (!resp)
goto error;
- ksmbd_free(resp);
+ kvfree(resp);
return entry->id;
error:
list_del(&entry->list);
diff --git a/fs/cifsd/smb2pdu.c b/fs/cifsd/smb2pdu.c
index e6cdc3b89d85..c1f6361603b9 100644
--- a/fs/cifsd/smb2pdu.c
+++ b/fs/cifsd/smb2pdu.c
@@ -563,7 +563,7 @@ int smb2_allocate_rsp_buf(struct ksmbd_work *work)
work->set_trans_buf)
work->response_buf = ksmbd_find_buffer(sz);
else
- work->response_buf = ksmbd_alloc_response(sz);
+ work->response_buf = kvmalloc(sz, GFP_KERNEL | __GFP_ZERO);
if (!work->response_buf) {
ksmbd_err("Failed to allocate %zu bytes buffer\n", sz);
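Review bot: `kvmalloc(sz, GFP_KERNEL | __GFP_ZERO)` in smb2_allocate_rsp_buf() has a dedicated helper, `kvzalloc(sz, GFP_KERNEL)`. Using it here and at the other call sites this patch converts from `ksmbd_alloc()` and `ksmbd_alloc_response()` is shorter and makes the zeroing allocations easier to find with grep.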
@@ -2283,7 +2283,7 @@ static int smb2_remove_smb_xattrs(struct dentry *dentry)
ksmbd_debug(SMB, "remove xattr failed : %s\n", name);
}
out:
- ksmbd_vfs_xattr_free(xattr_list);
+ kvfree(xattr_list);
return err;
}
@@ -4190,12 +4190,12 @@ static int smb2_get_ea(struct ksmbd_work *work, struct ksmbd_file *fp,
buf_free_len -= value_len;
if (buf_free_len < 0) {
- ksmbd_free(buf);
+ kfree(buf);
break;
}
memcpy(ptr, buf, value_len);
- ksmbd_free(buf);
+ kfree(buf);
ptr += value_len;
eainfo->Flags = 0;
@@ -4240,7 +4240,7 @@ static int smb2_get_ea(struct ksmbd_work *work, struct ksmbd_file *fp,
rsp->OutputBufferLength = cpu_to_le32(rsp_data_cnt);
inc_rfc1001_len(rsp_org, rsp_data_cnt);
out:
- ksmbd_vfs_xattr_free(xattr_list);
+ kvfree(xattr_list);
return rc;
}
@@ -4510,7 +4510,7 @@ static void get_file_stream_info(struct ksmbd_work *work,
/* last entry offset should be 0 */
file_info->NextEntryOffset = 0;
out:
- ksmbd_vfs_xattr_free(xattr_list);
+ kvfree(xattr_list);
rsp->OutputBufferLength = cpu_to_le32(nbytes);
inc_rfc1001_len(rsp_org, nbytes);
@@ -5976,7 +5976,7 @@ static noinline int smb2_read_pipe(struct ksmbd_work *work)
}
work->aux_payload_buf =
- ksmbd_alloc_response(rpc_resp->payload_sz);
+ kvmalloc(rpc_resp->payload_sz, GFP_KERNEL | __GFP_ZERO);
if (!work->aux_payload_buf) {
err = -ENOMEM;
goto out;
@@ -5988,7 +5988,7 @@ static noinline int smb2_read_pipe(struct ksmbd_work *work)
nbytes = rpc_resp->payload_sz;
work->resp_hdr_sz = get_rfc1002_len(rsp) + 4;
work->aux_payload_sz = nbytes;
- ksmbd_free(rpc_resp);
+ kvfree(rpc_resp);
}
rsp->StructureSize = cpu_to_le16(17);
@@ -6003,7 +6003,7 @@ static noinline int smb2_read_pipe(struct ksmbd_work *work)
out:
rsp->hdr.Status = STATUS_UNEXPECTED_IO_ERROR;
smb2_set_err_rsp(work);
- ksmbd_free(rpc_resp);
+ kvfree(rpc_resp);
return err;
}
@@ -6094,7 +6094,7 @@ int smb2_read(struct ksmbd_work *work)
ksmbd_find_buffer(conn->vals->max_read_size);
work->set_read_buf = true;
} else {
- work->aux_payload_buf = ksmbd_alloc_response(length);
+ work->aux_payload_buf = kvmalloc(length, GFP_KERNEL | __GFP_ZERO);
}
if (!work->aux_payload_buf) {
err = -ENOMEM;
@@ -6111,7 +6111,7 @@ int smb2_read(struct ksmbd_work *work)
if (server_conf.flags & KSMBD_GLOBAL_FLAG_CACHE_RBUF)
ksmbd_release_buffer(work->aux_payload_buf);
else
- ksmbd_free_response(work->aux_payload_buf);
+ kvfree(work->aux_payload_buf);
work->aux_payload_buf = NULL;
rsp->hdr.Status = STATUS_END_OF_FILE;
smb2_set_err_rsp(work);
@@ -6130,7 +6130,7 @@ int smb2_read(struct ksmbd_work *work)
if (server_conf.flags & KSMBD_GLOBAL_FLAG_CACHE_RBUF)
ksmbd_release_buffer(work->aux_payload_buf);
else
- ksmbd_free_response(work->aux_payload_buf);
+ kvfree(work->aux_payload_buf);
work->aux_payload_buf = NULL;
nbytes = 0;
@@ -6215,17 +6215,17 @@ static noinline int smb2_write_pipe(struct ksmbd_work *work)
if (rpc_resp) {
if (rpc_resp->flags == KSMBD_RPC_ENOTIMPLEMENTED) {
rsp->hdr.Status = STATUS_NOT_SUPPORTED;
- ksmbd_free(rpc_resp);
+ kvfree(rpc_resp);
smb2_set_err_rsp(work);
return -EOPNOTSUPP;
}
if (rpc_resp->flags != KSMBD_RPC_OK) {
rsp->hdr.Status = STATUS_INVALID_HANDLE;
smb2_set_err_rsp(work);
- ksmbd_free(rpc_resp);
+ kvfree(rpc_resp);
return ret;
}
- ksmbd_free(rpc_resp);
+ kvfree(rpc_resp);
}
rsp->StructureSize = cpu_to_le16(17);
@@ -6271,7 +6271,7 @@ static ssize_t smb2_write_rdma_channel(struct ksmbd_work *work,
(req->Channel == SMB2_CHANNEL_RDMA_V1_INVALIDATE);
work->remote_key = le32_to_cpu(desc->token);
- data_buf = ksmbd_alloc_response(length);
+ data_buf = kvmalloc(length, GFP_KERNEL | __GFP_ZERO);
if (!data_buf)
return -ENOMEM;
@@ -6280,12 +6280,12 @@ static ssize_t smb2_write_rdma_channel(struct ksmbd_work *work,
le64_to_cpu(desc->offset),
le32_to_cpu(desc->length));
if (ret < 0) {
- ksmbd_free_response(data_buf);
+ kvfree(data_buf);
return ret;
}
ret = ksmbd_vfs_write(work, fp, data_buf, length, &offset, sync, &nbytes);
- ksmbd_free_response(data_buf);
+ kvfree(data_buf);
if (ret < 0)
return ret;
@@ -7307,7 +7307,7 @@ static int fsctl_pipe_transceive(struct ksmbd_work *work, u64 id,
memcpy((char *)rsp->Buffer, rpc_resp->payload, nbytes);
}
out:
- ksmbd_free(rpc_resp);
+ kvfree(rpc_resp);
return nbytes;
}
diff --git a/fs/cifsd/transport_ipc.c b/fs/cifsd/transport_ipc.c
index 1bbff53436b3..60c0289402c1 100644
--- a/fs/cifsd/transport_ipc.c
+++ b/fs/cifsd/transport_ipc.c
@@ -233,7 +233,7 @@ static struct ksmbd_ipc_msg *ipc_msg_alloc(size_t sz)
struct ksmbd_ipc_msg *msg;
size_t msg_sz = sz + sizeof(struct ksmbd_ipc_msg);
- msg = ksmbd_alloc(msg_sz);
+ msg = kvmalloc(msg_sz, GFP_KERNEL | __GFP_ZERO);
if (msg)
msg->sz = sz;
return msg;
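Review bot: `size_t msg_sz = sz + sizeof(struct ksmbd_ipc_msg);` in ipc_msg_alloc() can wrap for a very large `sz`, after which kvmalloc() returns a buffer smaller than the `msg->sz = sz` recorded in it. Guard the addition before allocating, either with check_add_overflow() or with `if (sz > SIZE_MAX - sizeof(struct ksmbd_ipc_msg)) return NULL;`.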
@@ -241,7 +241,7 @@ static struct ksmbd_ipc_msg *ipc_msg_alloc(size_t sz)
static void ipc_msg_free(struct ksmbd_ipc_msg *msg)
{
- ksmbd_free(msg);
+ kvfree(msg);
}
static void ipc_msg_handle_free(int handle)
@@ -272,7 +272,7 @@ static int handle_response(int type, void *payload, size_t sz)
entry->type + 1, type);
}
- entry->response = ksmbd_alloc(sz);
+ entry->response = kvmalloc(sz, GFP_KERNEL | __GFP_ZERO);
if (!entry->response) {
ret = -ENOMEM;
break;
diff --git a/fs/cifsd/vfs.c b/fs/cifsd/vfs.c
index ef823679f6be..d3882208a259 100644
--- a/fs/cifsd/vfs.c
+++ b/fs/cifsd/vfs.c
@@ -244,7 +244,7 @@ static ssize_t ksmbd_vfs_getcasexattr(struct dentry *dentry, char *attr_name,
}
out:
- ksmbd_vfs_xattr_free(xattr_list);
+ kvfree(xattr_list);
return value_len;
}
@@ -401,7 +401,7 @@ static int ksmbd_vfs_stream_write(struct ksmbd_file *fp, char *buf, loff_t *pos,
}
if (v_len < size) {
- wbuf = ksmbd_alloc(size);
+ wbuf = kvmalloc(size, GFP_KERNEL | __GFP_ZERO);
if (!wbuf) {
err = -ENOMEM;
goto out;
@@ -425,7 +425,7 @@ static int ksmbd_vfs_stream_write(struct ksmbd_file *fp, char *buf, loff_t *pos,
fp->filp->f_pos = *pos;
err = 0;
out:
- ksmbd_free(stream_buf);
+ kvfree(stream_buf);
return err;
}
@@ -844,7 +844,7 @@ ssize_t ksmbd_vfs_listxattr(struct dentry *dentry, char **list)
if (size <= 0)
return size;
- vlist = ksmbd_alloc(size);
+ vlist = kvmalloc(size, GFP_KERNEL | __GFP_ZERO);
if (!vlist)
return -ENOMEM;
@@ -852,7 +852,7 @@ ssize_t ksmbd_vfs_listxattr(struct dentry *dentry, char **list)
size = vfs_listxattr(dentry, vlist, size);
if (size < 0) {
ksmbd_debug(VFS, "listxattr failed\n");
- ksmbd_vfs_xattr_free(vlist);
+ kvfree(vlist);
*list = NULL;
}
@@ -1049,11 +1049,6 @@ int ksmbd_vfs_remove_xattr(struct dentry *dentry, char *attr_name)
return vfs_removexattr(&init_user_ns, dentry, attr_name);
}
-void ksmbd_vfs_xattr_free(char *xattr)
-{
- ksmbd_free(xattr);
-}
-
int ksmbd_vfs_unlink(struct dentry *dir, struct dentry *dentry)
{
int err = 0;
@@ -1297,7 +1292,7 @@ int ksmbd_vfs_remove_acl_xattrs(struct dentry *dentry)
}
}
out:
- ksmbd_vfs_xattr_free(xattr_list);
+ kvfree(xattr_list);
return err;
}
@@ -1326,7 +1321,7 @@ int ksmbd_vfs_remove_sd_xattrs(struct dentry *dentry)
}
}
out:
- ksmbd_vfs_xattr_free(xattr_list);
+ kvfree(xattr_list);
return err;
}
@@ -1558,7 +1553,7 @@ int ksmbd_vfs_get_dos_attrib_xattr(struct dentry *dentry,
n.length = err;
if (ndr_decode_dos_attr(&n, da))
err = -EINVAL;
- ksmbd_free(n.data);
+ kfree(n.data);
} else {
ksmbd_debug(SMB, "failed to load dos attribute in xattr\n");
}
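Review bot: `kfree(n.data)` in ksmbd_vfs_get_dos_attrib_xattr() is the only site in this patch converted to kfree() rather than kvfree(), and the hunk does not show where `n.data` is allocated. If that buffer can ever come from kvmalloc(), kfree() on a vmalloc-backed pointer is a bug; either use kvfree() here like the other sites or state in the commit message that this buffer is always kmalloc-backed.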
@@ -1683,7 +1678,7 @@ ssize_t ksmbd_vfs_casexattr_len(struct dentry *dentry, char *attr_name,
}
out:
- ksmbd_vfs_xattr_free(xattr_list);
+ kvfree(xattr_list);
return value_len;
}
diff --git a/fs/cifsd/vfs.h b/fs/cifsd/vfs.h
index b41b23d40636..0163be4297de 100644
--- a/fs/cifsd/vfs.h
+++ b/fs/cifsd/vfs.h
@@ -229,7 +229,6 @@ int ksmbd_vfs_setxattr(struct dentry *dentry, const char *attr_name,
int ksmbd_vfs_xattr_stream_name(char *stream_name, char **xattr_stream_name,
size_t *xattr_stream_name_size, int s_type);
int ksmbd_vfs_remove_xattr(struct dentry *dentry, char *attr_name);
-void ksmbd_vfs_xattr_free(char *xattr);
int ksmbd_vfs_kern_path(char *name, unsigned int flags, struct path *path,
bool caseless);
int ksmbd_vfs_empty_dir(struct ksmbd_file *fp);
From patchwork Mon Nov 14 12:49:06 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Jason Yan <yanaijie(a)huawei.com>
X-Patchwork-Id: 183134
Return-Path: <yanaijie(a)huawei.com>
From: Jason Yan <yanaijie(a)huawei.com>
To: <yanaijie(a)huawei.com>, <zhengzengkai(a)huawei.com>, <xiexiuqi(a)huawei.com>,
<yi.zhang(a)huawei.com>, <patchwork(a)huawei.com>, <kernel.openeuler(a)huawei.com>,
<houtao1(a)huawei.com>
Subject: [PATCH OLK-5.10 v2 037/308] cifsd: prevent a integer overflow in
wm_alloc()
Date: Mon, 14 Nov 2022 20:49:06 +0800
Message-ID: <20221114125337.1831594-38-yanaijie(a)huawei.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20221114125337.1831594-1-yanaijie(a)huawei.com>
References: <20221114125337.1831594-1-yanaijie(a)huawei.com>
Content-Type: text/plain
From: Namjae Jeon <namjae.jeon(a)samsung.com>
mainline inclusion
from mainline-5.15-rc1
commit 4030b278368d89bba99a31e87766968cbf7909d2
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G
CVE: NA
Reference: https://git.kernel.org/torvalds/linux/c/4030b278368d
-------------------------------
Dan Carpenter pointed out that there is a possibility of
integer overflow. This patch prevents an integer overflow in wm_alloc().
Signed-off-by: Namjae Jeon <namjae.jeon(a)samsung.com>
Signed-off-by: Steve French <stfrench(a)microsoft.com>
Signed-off-by: Jason Yan <yanaijie(a)huawei.com>
---
fs/cifsd/buffer_pool.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/fs/cifsd/buffer_pool.c b/fs/cifsd/buffer_pool.c
index caf22c190634..1ee1feef1bb4 100644
--- a/fs/cifsd/buffer_pool.c
+++ b/fs/cifsd/buffer_pool.c
@@ -42,6 +42,9 @@ static struct wm *wm_alloc(size_t sz, gfp_t flags)
struct wm *wm;
size_t alloc_sz = sz + sizeof(struct wm);
+ if (sz > SIZE_MAX - sizeof(struct wm))
+ return NULL;
+
wm = kvmalloc(alloc_sz, flags);
if (!wm)
return NULL;
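Review bot: the guard `if (sz > SIZE_MAX - sizeof(struct wm))` sits after `alloc_sz = sz + sizeof(struct wm)` has already been evaluated in the declaration. Unsigned wraparound is well defined, so the early return still prevents the short allocation, but computing the sum only after the check, or using check_add_overflow(sz, sizeof(struct wm), &alloc_sz), keeps the wrapped value from ever existing and reads more clearly.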
From patchwork Mon Nov 14 12:49:07 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Jason Yan <yanaijie(a)huawei.com>
X-Patchwork-Id: 183135
Return-Path: <yanaijie(a)huawei.com>
From: Jason Yan <yanaijie(a)huawei.com>
To: <yanaijie(a)huawei.com>, <zhengzengkai(a)huawei.com>, <xiexiuqi(a)huawei.com>,
<yi.zhang(a)huawei.com>, <patchwork(a)huawei.com>, <kernel.openeuler(a)huawei.com>,
<houtao1(a)huawei.com>
Subject: [PATCH OLK-5.10 v2 038/308] cifsd: remove unused including
<linux/version.h>
Date: Mon, 14 Nov 2022 20:49:07 +0800
Message-ID: <20221114125337.1831594-39-yanaijie(a)huawei.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20221114125337.1831594-1-yanaijie(a)huawei.com>
References: <20221114125337.1831594-1-yanaijie(a)huawei.com>
Content-Type: text/plain
From: Tian Tao <tiantao6(a)hisilicon.com>
mainline inclusion
from mainline-5.15-rc1
commit 1920bb1f8022202530eeae3e488d6f5156799faf
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G
CVE: NA
Reference: https://git.kernel.org/torvalds/linux/c/1920bb1f8022
-------------------------------
Remove the <linux/version.h> include from files that don't need it.
Signed-off-by: Tian Tao <tiantao6(a)hisilicon.com>
Signed-off-by: Zhiqi Song <songzhiqi1(a)huawei.com>
Signed-off-by: Namjae Jeon <namjae.jeon(a)samsung.com>
Signed-off-by: Steve French <stfrench(a)microsoft.com>
Signed-off-by: Jason Yan <yanaijie(a)huawei.com>
---
fs/cifsd/crypto_ctx.c | 1 -
fs/cifsd/glob.h | 1 -
fs/cifsd/mgmt/tree_connect.c | 1 -
fs/cifsd/mgmt/user_session.c | 1 -
fs/cifsd/mgmt/user_session.h | 1 -
fs/cifsd/misc.c | 1 -
fs/cifsd/vfs.c | 1 -
fs/cifsd/vfs_cache.h | 1 -
8 files changed, 8 deletions(-)
diff --git a/fs/cifsd/crypto_ctx.c b/fs/cifsd/crypto_ctx.c
index 2c31e8b32de7..8322b0f7a7fc 100644
--- a/fs/cifsd/crypto_ctx.c
+++ b/fs/cifsd/crypto_ctx.c
@@ -9,7 +9,6 @@
#include <linux/slab.h>
#include <linux/wait.h>
#include <linux/sched.h>
-#include <linux/version.h>
#include "glob.h"
#include "crypto_ctx.h"
diff --git a/fs/cifsd/glob.h b/fs/cifsd/glob.h
index d0bc6edd0477..9d70093a837a 100644
--- a/fs/cifsd/glob.h
+++ b/fs/cifsd/glob.h
@@ -8,7 +8,6 @@
#define __KSMBD_GLOB_H
#include <linux/ctype.h>
-#include <linux/version.h>
#include "unicode.h"
#include "vfs_cache.h"
diff --git a/fs/cifsd/mgmt/tree_connect.c b/fs/cifsd/mgmt/tree_connect.c
index d3f28b10db4b..b9cd8fc46e5e 100644
--- a/fs/cifsd/mgmt/tree_connect.c
+++ b/fs/cifsd/mgmt/tree_connect.c
@@ -5,7 +5,6 @@
#include <linux/list.h>
#include <linux/slab.h>
-#include <linux/version.h>
#include <linux/xarray.h>
#include "../buffer_pool.h"
diff --git a/fs/cifsd/mgmt/user_session.c b/fs/cifsd/mgmt/user_session.c
index bd5789b7e08e..52c5c036ecf9 100644
--- a/fs/cifsd/mgmt/user_session.c
+++ b/fs/cifsd/mgmt/user_session.c
@@ -6,7 +6,6 @@
#include <linux/list.h>
#include <linux/slab.h>
#include <linux/rwsem.h>
-#include <linux/version.h>
#include <linux/xarray.h>
#include "ksmbd_ida.h"
diff --git a/fs/cifsd/mgmt/user_session.h b/fs/cifsd/mgmt/user_session.h
index 1a97c851f2fc..ad5c0430b62a 100644
--- a/fs/cifsd/mgmt/user_session.h
+++ b/fs/cifsd/mgmt/user_session.h
@@ -7,7 +7,6 @@
#define __USER_SESSION_MANAGEMENT_H__
#include <linux/hashtable.h>
-#include <linux/version.h>
#include <linux/xarray.h>
#include "../smb_common.h"
diff --git a/fs/cifsd/misc.c b/fs/cifsd/misc.c
index b6f3f0818217..cbaaecf2eca1 100644
--- a/fs/cifsd/misc.c
+++ b/fs/cifsd/misc.c
@@ -5,7 +5,6 @@
*/
#include <linux/kernel.h>
-#include <linux/version.h>
#include <linux/xattr.h>
#include <linux/fs.h>
diff --git a/fs/cifsd/vfs.c b/fs/cifsd/vfs.c
index d3882208a259..5985d2d1f276 100644
--- a/fs/cifsd/vfs.c
+++ b/fs/cifsd/vfs.c
@@ -9,7 +9,6 @@
#include <linux/uaccess.h>
#include <linux/backing-dev.h>
#include <linux/writeback.h>
-#include <linux/version.h>
#include <linux/xattr.h>
#include <linux/falloc.h>
#include <linux/genhd.h>
diff --git a/fs/cifsd/vfs_cache.h b/fs/cifsd/vfs_cache.h
index 318dcb1a297a..8226fdf882e4 100644
--- a/fs/cifsd/vfs_cache.h
+++ b/fs/cifsd/vfs_cache.h
@@ -6,7 +6,6 @@
#ifndef __VFS_CACHE_H__
#define __VFS_CACHE_H__
-#include <linux/version.h>
#include <linux/file.h>
#include <linux/fs.h>
#include <linux/rwsem.h>
From patchwork Mon Nov 14 12:49:08 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Jason Yan <yanaijie(a)huawei.com>
X-Patchwork-Id: 183136
Return-Path: <yanaijie(a)huawei.com>
From: Jason Yan <yanaijie(a)huawei.com>
To: <yanaijie(a)huawei.com>, <zhengzengkai(a)huawei.com>, <xiexiuqi(a)huawei.com>,
<yi.zhang(a)huawei.com>, <patchwork(a)huawei.com>, <kernel.openeuler(a)huawei.com>,
<houtao1(a)huawei.com>
Subject: [PATCH OLK-5.10 v2 039/308] cifsd: declare ida statically
Date: Mon, 14 Nov 2022 20:49:08 +0800
Message-ID: <20221114125337.1831594-40-yanaijie(a)huawei.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20221114125337.1831594-1-yanaijie(a)huawei.com>
References: <20221114125337.1831594-1-yanaijie(a)huawei.com>
Content-Type: text/plain
From: Namjae Jeon <namjae.jeon(a)samsung.com>
mainline inclusion
from mainline-5.15-rc1
commit d40012a83f87f47967ad0b3c346179c7e5339ae7
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G
CVE: NA
Reference: https://git.kernel.org/torvalds/linux/c/d40012a83f87
-------------------------------
Matthew pointed out that embedding struct ida into the struct is
better than having a pointer to it.
This patch initialises it statically using DEFINE_IDA() or ida_init()
and removes ksmbd_ida_alloc/free().
Signed-off-by: Namjae Jeon <namjae.jeon(a)samsung.com>
Signed-off-by: Steve French <stfrench(a)microsoft.com>
Signed-off-by: Jason Yan <yanaijie(a)huawei.com>
---
fs/cifsd/connection.c | 3 +--
fs/cifsd/connection.h | 2 +-
fs/cifsd/ksmbd_work.c | 2 +-
fs/cifsd/mgmt/ksmbd_ida.c | 45 ++++++++++--------------------------
fs/cifsd/mgmt/ksmbd_ida.h | 17 ++++----------
fs/cifsd/mgmt/user_session.c | 29 +++++------------------
fs/cifsd/mgmt/user_session.h | 7 +-----
fs/cifsd/server.c | 7 ------
fs/cifsd/smb2pdu.c | 4 ++--
fs/cifsd/transport_ipc.c | 34 +++++++++------------------
10 files changed, 40 insertions(+), 110 deletions(-)
diff --git a/fs/cifsd/connection.c b/fs/cifsd/connection.c
index e1814492fb58..4785dd59fcc5 100644
--- a/fs/cifsd/connection.c
+++ b/fs/cifsd/connection.c
@@ -38,7 +38,6 @@ void ksmbd_conn_free(struct ksmbd_conn *conn)
write_unlock(&conn_list_lock);
kvfree(conn->request_buf);
- ksmbd_ida_free(conn->async_ida);
kfree(conn->preauth_info);
kfree(conn);
}
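Review bot: ksmbd_conn_free() drops `ksmbd_ida_free(conn->async_ida)` without a replacement, but the removed helper also called ida_destroy() (see its deleted body in mgmt/ksmbd_ida.c). With the ida now embedded, add `ida_destroy(&conn->async_ida);` before `kfree(conn)` so that ids still allocated at teardown do not leave ida bitmaps behind; the same applies to `sess->tree_conn_ida` in ksmbd_session_destroy().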
@@ -70,7 +69,7 @@ struct ksmbd_conn *ksmbd_conn_alloc(void)
INIT_LIST_HEAD(&conn->async_requests);
spin_lock_init(&conn->request_lock);
spin_lock_init(&conn->credits_lock);
- conn->async_ida = ksmbd_ida_alloc();
+ ida_init(&conn->async_ida);
write_lock(&conn_list_lock);
list_add(&conn->conns_list, &conn_list);
diff --git a/fs/cifsd/connection.h b/fs/cifsd/connection.h
index 021dada3d76d..00ede7a67199 100644
--- a/fs/cifsd/connection.h
+++ b/fs/cifsd/connection.h
@@ -101,7 +101,7 @@ struct ksmbd_conn {
struct sockaddr_storage peer_addr;
/* Identifier for async message */
- struct ksmbd_ida *async_ida;
+ struct ida async_ida;
__le16 cipher_type;
__le16 compress_algorithm;
diff --git a/fs/cifsd/ksmbd_work.c b/fs/cifsd/ksmbd_work.c
index 33ee52c1829f..eb8c8a34acab 100644
--- a/fs/cifsd/ksmbd_work.c
+++ b/fs/cifsd/ksmbd_work.c
@@ -53,7 +53,7 @@ void ksmbd_free_work_struct(struct ksmbd_work *work)
kfree(work->tr_buf);
kvfree(work->request_buf);
if (work->async_id)
- ksmbd_release_id(work->conn->async_ida, work->async_id);
+ ksmbd_release_id(&work->conn->async_ida, work->async_id);
kmem_cache_free(work_cache, work);
}
diff --git a/fs/cifsd/mgmt/ksmbd_ida.c b/fs/cifsd/mgmt/ksmbd_ida.c
index cbc9fd049852..3dbc27cb5385 100644
--- a/fs/cifsd/mgmt/ksmbd_ida.c
+++ b/fs/cifsd/mgmt/ksmbd_ida.c
@@ -5,65 +5,44 @@
#include "ksmbd_ida.h"
-struct ksmbd_ida *ksmbd_ida_alloc(void)
+static inline int __acquire_id(struct ida *ida, int from, int to)
{
- struct ksmbd_ida *ida;
-
- ida = kmalloc(sizeof(struct ksmbd_ida), GFP_KERNEL);
- if (!ida)
- return NULL;
-
- ida_init(&ida->map);
- return ida;
-}
-
-void ksmbd_ida_free(struct ksmbd_ida *ida)
-{
- if (!ida)
- return;
-
- ida_destroy(&ida->map);
- kfree(ida);
-}
-
-static inline int __acquire_id(struct ksmbd_ida *ida, int from, int to)
-{
- return ida_simple_get(&ida->map, from, to, GFP_KERNEL);
+ return ida_simple_get(ida, from, to, GFP_KERNEL);
}
-int ksmbd_acquire_smb2_tid(struct ksmbd_ida *ida)
+int ksmbd_acquire_smb2_tid(struct ida *ida)
{
int id;
- do {
+ id = __acquire_id(ida, 0, 0);
+ if (id == 0xFFFF)
id = __acquire_id(ida, 0, 0);
- } while (id == 0xFFFF);
return id;
}
-int ksmbd_acquire_smb2_uid(struct ksmbd_ida *ida)
+int ksmbd_acquire_smb2_uid(struct ida *ida)
{
int id;
- do {
+ id = __acquire_id(ida, 1, 0);
+ if (id == 0xFFFE)
id = __acquire_id(ida, 1, 0);
- } while (id == 0xFFFE);
return id;
}
-int ksmbd_acquire_async_msg_id(struct ksmbd_ida *ida)
+int ksmbd_acquire_async_msg_id(struct ida *ida)
{
return __acquire_id(ida, 1, 0);
}
-int ksmbd_acquire_id(struct ksmbd_ida *ida)
+int ksmbd_acquire_id(struct ida *ida)
{
return __acquire_id(ida, 0, 0);
}
-void ksmbd_release_id(struct ksmbd_ida *ida, int id)
+void ksmbd_release_id(struct ida *ida, int id)
{
- ida_simple_remove(&ida->map, id);
+ ida_simple_remove(ida, id);
}
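Review bot: in ksmbd_acquire_smb2_tid() and ksmbd_acquire_smb2_uid() the do/while loop becomes a single retry, which only works because the reserved id (0xFFFF or 0xFFFE) is left allocated and never released, so the second __acquire_id() cannot return it again. That is not obvious from the code; add a comment saying so. A negative error from the first call skips the retry and is passed through, so callers must keep checking `id < 0`.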
diff --git a/fs/cifsd/mgmt/ksmbd_ida.h b/fs/cifsd/mgmt/ksmbd_ida.h
index b075156adf23..2bc07b16cfde 100644
--- a/fs/cifsd/mgmt/ksmbd_ida.h
+++ b/fs/cifsd/mgmt/ksmbd_ida.h
@@ -9,13 +9,6 @@
#include <linux/slab.h>
#include <linux/idr.h>
-struct ksmbd_ida {
- struct ida map;
-};
-
-struct ksmbd_ida *ksmbd_ida_alloc(void);
-void ksmbd_ida_free(struct ksmbd_ida *ida);
-
/*
* 2.2.1.6.7 TID Generation
* The value 0xFFFF MUST NOT be used as a valid TID. All other
@@ -23,7 +16,7 @@ void ksmbd_ida_free(struct ksmbd_ida *ida);
* The value 0xFFFF is used to specify all TIDs or no TID,
* depending upon the context in which it is used.
*/
-int ksmbd_acquire_smb2_tid(struct ksmbd_ida *ida);
+int ksmbd_acquire_smb2_tid(struct ida *ida);
/*
* 2.2.1.6.8 UID Generation
@@ -32,10 +25,10 @@ int ksmbd_acquire_smb2_tid(struct ksmbd_ida *ida);
* valid UID.<21> All other possible values for a UID, excluding
* zero (0x0000), are valid.
*/
-int ksmbd_acquire_smb2_uid(struct ksmbd_ida *ida);
-int ksmbd_acquire_async_msg_id(struct ksmbd_ida *ida);
+int ksmbd_acquire_smb2_uid(struct ida *ida);
+int ksmbd_acquire_async_msg_id(struct ida *ida);
-int ksmbd_acquire_id(struct ksmbd_ida *ida);
+int ksmbd_acquire_id(struct ida *ida);
-void ksmbd_release_id(struct ksmbd_ida *ida, int id);
+void ksmbd_release_id(struct ida *ida, int id);
#endif /* __KSMBD_IDA_MANAGEMENT_H__ */
diff --git a/fs/cifsd/mgmt/user_session.c b/fs/cifsd/mgmt/user_session.c
index 52c5c036ecf9..739588a6c96a 100644
--- a/fs/cifsd/mgmt/user_session.c
+++ b/fs/cifsd/mgmt/user_session.c
@@ -17,7 +17,7 @@
#include "../buffer_pool.h"
#include "../vfs_cache.h"
-static struct ksmbd_ida *session_ida;
+static DEFINE_IDA(session_ida);
#define SESSION_HASH_BITS 3
static DEFINE_HASHTABLE(sessions_table, SESSION_HASH_BITS);
@@ -172,9 +172,7 @@ void ksmbd_session_destroy(struct ksmbd_session *sess)
ksmbd_session_rpc_clear_list(sess);
free_channel_list(sess);
kfree(sess->Preauth_HashValue);
- ksmbd_release_id(session_ida, sess->id);
-
- ksmbd_ida_free(sess->tree_conn_ida);
+ ksmbd_release_id(&session_ida, sess->id);
kfree(sess);
}
@@ -254,7 +252,7 @@ struct ksmbd_session *ksmbd_session_lookup_slowpath(unsigned long long id)
static int __init_smb2_session(struct ksmbd_session *sess)
{
- int id = ksmbd_acquire_smb2_uid(session_ida);
+ int id = ksmbd_acquire_smb2_uid(&session_ida);
if (id < 0)
return -EINVAL;
@@ -294,9 +292,7 @@ static struct ksmbd_session *__session_create(int protocol)
if (ret)
goto error;
- sess->tree_conn_ida = ksmbd_ida_alloc();
- if (!sess->tree_conn_ida)
- goto error;
+ ida_init(&sess->tree_conn_ida);
if (protocol == CIFDS_SESSION_FLAG_SMB2) {
down_write(&sessions_table_lock);
@@ -320,7 +316,7 @@ int ksmbd_acquire_tree_conn_id(struct ksmbd_session *sess)
int id = -EINVAL;
if (test_session_flag(sess, CIFDS_SESSION_FLAG_SMB2))
- id = ksmbd_acquire_smb2_tid(sess->tree_conn_ida);
+ id = ksmbd_acquire_smb2_tid(&sess->tree_conn_ida);
return id;
}
@@ -328,18 +324,5 @@ int ksmbd_acquire_tree_conn_id(struct ksmbd_session *sess)
void ksmbd_release_tree_conn_id(struct ksmbd_session *sess, int id)
{
if (id >= 0)
- ksmbd_release_id(sess->tree_conn_ida, id);
-}
-
-int ksmbd_init_session_table(void)
-{
- session_ida = ksmbd_ida_alloc();
- if (!session_ida)
- return -ENOMEM;
- return 0;
-}
-
-void ksmbd_free_session_table(void)
-{
- ksmbd_ida_free(session_ida);
+ ksmbd_release_id(&sess->tree_conn_ida, id);
}
diff --git a/fs/cifsd/mgmt/user_session.h b/fs/cifsd/mgmt/user_session.h
index ad5c0430b62a..72b40348bdc4 100644
--- a/fs/cifsd/mgmt/user_session.h
+++ b/fs/cifsd/mgmt/user_session.h
@@ -16,7 +16,6 @@
#define PREAUTH_HASHVALUE_SIZE 64
-struct ksmbd_ida;
struct ksmbd_file_table;
struct channel {
@@ -52,7 +51,7 @@ struct ksmbd_session {
struct hlist_node hlist;
struct list_head ksmbd_chann_list;
struct xarray tree_conns;
- struct ksmbd_ida *tree_conn_ida;
+ struct ida tree_conn_ida;
struct list_head rpc_handle_list;
@@ -101,8 +100,4 @@ void ksmbd_session_rpc_close(struct ksmbd_session *sess, int id);
int ksmbd_session_rpc_method(struct ksmbd_session *sess, int id);
int get_session(struct ksmbd_session *sess);
void put_session(struct ksmbd_session *sess);
-
-int ksmbd_init_session_table(void);
-void ksmbd_free_session_table(void);
-
#endif /* __USER_SESSION_MANAGEMENT_H__ */
diff --git a/fs/cifsd/server.c b/fs/cifsd/server.c
index 04f959a88a1a..4aff89ce1464 100644
--- a/fs/cifsd/server.c
+++ b/fs/cifsd/server.c
@@ -537,7 +537,6 @@ static int ksmbd_server_shutdown(void)
ksmbd_workqueue_destroy();
ksmbd_ipc_release();
ksmbd_conn_transport_destroy();
- ksmbd_free_session_table();
ksmbd_crypto_destroy();
ksmbd_free_global_file_table();
destroy_lease_table(NULL);
@@ -566,10 +565,6 @@ static int __init ksmbd_server_init(void)
if (ret)
goto err_unregister;
- ret = ksmbd_init_session_table();
- if (ret)
- goto err_destroy_pools;
-
ret = ksmbd_ipc_init();
if (ret)
goto err_free_session_table;
@@ -600,8 +595,6 @@ static int __init ksmbd_server_init(void)
err_ipc_release:
ksmbd_ipc_release();
err_free_session_table:
- ksmbd_free_session_table();
-err_destroy_pools:
ksmbd_destroy_buffer_pools();
err_unregister:
class_unregister(&ksmbd_control_class);
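Review bot: the label `err_free_session_table:` survives in ksmbd_server_init() although ksmbd_free_session_table() is gone, so it now only runs ksmbd_destroy_buffer_pools(). Keep `err_destroy_pools:` instead and point the ksmbd_ipc_init() failure path at it, so the unwind labels still describe what they undo.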
diff --git a/fs/cifsd/smb2pdu.c b/fs/cifsd/smb2pdu.c
index c1f6361603b9..cc4e8f11c487 100644
--- a/fs/cifsd/smb2pdu.c
+++ b/fs/cifsd/smb2pdu.c
@@ -517,7 +517,7 @@ int init_smb2_rsp_hdr(struct ksmbd_work *work)
work->syncronous = true;
if (work->async_id) {
- ksmbd_release_id(conn->async_ida, work->async_id);
+ ksmbd_release_id(&conn->async_ida, work->async_id);
work->async_id = 0;
}
@@ -685,7 +685,7 @@ int setup_async_work(struct ksmbd_work *work, void (*fn)(void **), void **arg)
rsp_hdr = work->response_buf;
rsp_hdr->Flags |= SMB2_FLAGS_ASYNC_COMMAND;
- id = ksmbd_acquire_async_msg_id(conn->async_ida);
+ id = ksmbd_acquire_async_msg_id(&conn->async_ida);
if (id < 0) {
ksmbd_err("Failed to alloc async message id\n");
return id;
diff --git a/fs/cifsd/transport_ipc.c b/fs/cifsd/transport_ipc.c
index 60c0289402c1..78061fecf816 100644
--- a/fs/cifsd/transport_ipc.c
+++ b/fs/cifsd/transport_ipc.c
@@ -35,7 +35,7 @@ static DEFINE_HASHTABLE(ipc_msg_table, IPC_MSG_HASH_BITS);
static DECLARE_RWSEM(ipc_msg_table_lock);
static DEFINE_MUTEX(startup_lock);
-static struct ksmbd_ida *ida;
+static DEFINE_IDA(ipc_ida);
static unsigned int ksmbd_tools_pid;
@@ -247,7 +247,7 @@ static void ipc_msg_free(struct ksmbd_ipc_msg *msg)
static void ipc_msg_handle_free(int handle)
{
if (handle >= 0)
- ksmbd_release_id(ida, handle);
+ ksmbd_release_id(&ipc_ida, handle);
}
static int handle_response(int type, void *payload, size_t sz)
@@ -512,7 +512,7 @@ struct ksmbd_login_response *ksmbd_ipc_login_request(const char *account)
msg->type = KSMBD_EVENT_LOGIN_REQUEST;
req = KSMBD_IPC_MSG_PAYLOAD(msg);
- req->handle = ksmbd_acquire_id(ida);
+ req->handle = ksmbd_acquire_id(&ipc_ida);
strscpy(req->account, account, KSMBD_REQ_MAX_ACCOUNT_NAME_SZ);
resp = ipc_msg_send_request(msg, req->handle);
@@ -535,7 +535,7 @@ ksmbd_ipc_spnego_authen_request(const char *spnego_blob, int blob_len)
msg->type = KSMBD_EVENT_SPNEGO_AUTHEN_REQUEST;
req = KSMBD_IPC_MSG_PAYLOAD(msg);
- req->handle = ksmbd_acquire_id(ida);
+ req->handle = ksmbd_acquire_id(&ipc_ida);
req->spnego_blob_len = blob_len;
memcpy(req->spnego_blob, spnego_blob, blob_len);
@@ -568,7 +568,7 @@ ksmbd_ipc_tree_connect_request(struct ksmbd_session *sess,
msg->type = KSMBD_EVENT_TREE_CONNECT_REQUEST;
req = KSMBD_IPC_MSG_PAYLOAD(msg);
- req->handle = ksmbd_acquire_id(ida);
+ req->handle = ksmbd_acquire_id(&ipc_ida);
req->account_flags = sess->user->flags;
req->session_id = sess->id;
req->connect_id = tree_conn->id;
@@ -646,7 +646,7 @@ ksmbd_ipc_share_config_request(const char *name)
msg->type = KSMBD_EVENT_SHARE_CONFIG_REQUEST;
req = KSMBD_IPC_MSG_PAYLOAD(msg);
- req->handle = ksmbd_acquire_id(ida);
+ req->handle = ksmbd_acquire_id(&ipc_ida);
strscpy(req->share_name, name, KSMBD_REQ_MAX_SHARE_NAME);
resp = ipc_msg_send_request(msg, req->handle);
@@ -785,7 +785,7 @@ struct ksmbd_rpc_command *ksmbd_rpc_rap(struct ksmbd_session *sess, void *payloa
msg->type = KSMBD_EVENT_RPC_REQUEST;
req = KSMBD_IPC_MSG_PAYLOAD(msg);
- req->handle = ksmbd_acquire_id(ida);
+ req->handle = ksmbd_acquire_id(&ipc_ida);
req->flags = rpc_context_flags(sess);
req->flags |= KSMBD_RPC_RAP_METHOD;
req->payload_sz = payload_sz;
@@ -842,18 +842,17 @@ static void ipc_timer_heartbeat(struct work_struct *w)
int ksmbd_ipc_id_alloc(void)
{
- return ksmbd_acquire_id(ida);
+ return ksmbd_acquire_id(&ipc_ida);
}
void ksmbd_rpc_id_free(int handle)
{
- ksmbd_release_id(ida, handle);
+ ksmbd_release_id(&ipc_ida, handle);
}
void ksmbd_ipc_release(void)
{
cancel_delayed_work_sync(&ipc_timer_work);
- ksmbd_ida_free(ida);
genl_unregister_family(&ksmbd_genl_family);
}
@@ -867,7 +866,7 @@ void ksmbd_ipc_soft_reset(void)
int ksmbd_ipc_init(void)
{
- int ret;
+ int ret = 0;
ksmbd_nl_init_fixup();
INIT_DELAYED_WORK(&ipc_timer_work, ipc_timer_heartbeat);
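Review bot: the initializer added in `int ret = 0;` in ksmbd_ipc_init() is not needed, since `ret` is assigned from genl_register_family() before it is read. Leave the declaration as `int ret;` so the compiler can still flag a path that forgets to set it.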
@@ -875,19 +874,8 @@ int ksmbd_ipc_init(void)
ret = genl_register_family(&ksmbd_genl_family);
if (ret) {
ksmbd_err("Failed to register KSMBD netlink interface %d\n", ret);
- goto cancel_work;
+ cancel_delayed_work_sync(&ipc_timer_work);
}
- ida = ksmbd_ida_alloc();
- if (!ida) {
- ret = -ENOMEM;
- goto unregister;
- }
- return 0;
-
-unregister:
- genl_unregister_family(&ksmbd_genl_family);
-cancel_work:
- cancel_delayed_work_sync(&ipc_timer_work);
return ret;
}
From patchwork Mon Nov 14 12:49:09 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Jason Yan <yanaijie(a)huawei.com>
X-Patchwork-Id: 183137
Return-Path: <yanaijie(a)huawei.com>
From: Jason Yan <yanaijie(a)huawei.com>
To: <yanaijie(a)huawei.com>, <zhengzengkai(a)huawei.com>, <xiexiuqi(a)huawei.com>,
<yi.zhang(a)huawei.com>, <patchwork(a)huawei.com>, <kernel.openeuler(a)huawei.com>,
<houtao1(a)huawei.com>
Subject: [PATCH OLK-5.10 v2 040/308] cifsd: add the check if parent is stable
by unexpected rename
Date: Mon, 14 Nov 2022 20:49:09 +0800
Message-ID: <20221114125337.1831594-41-yanaijie(a)huawei.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20221114125337.1831594-1-yanaijie(a)huawei.com>
References: <20221114125337.1831594-1-yanaijie(a)huawei.com>
Content-Type: text/plain
From: Namjae Jeon <namjae.jeon(a)samsung.com>
mainline inclusion
from mainline-5.15-rc1
commit ff1d57272552e4d48e0aab015a457d0297915e0b
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G
CVE: NA
Reference: https://git.kernel.org/torvalds/linux/c/ff1d57272552
-------------------------------
This patch adds a check that the parent is stable against an unexpected rename.
Signed-off-by: Hyunchul Lee <hyc.lee(a)gmail.com>
Signed-off-by: Namjae Jeon <namjae.jeon(a)samsung.com>
Signed-off-by: Steve French <stfrench(a)microsoft.com>
Signed-off-by: Jason Yan <yanaijie(a)huawei.com>
---
fs/cifsd/smb2pdu.c | 12 +++---
fs/cifsd/vfs.c | 98 +++++++++++++++++++++++++++++++++++-----------
2 files changed, 80 insertions(+), 30 deletions(-)
diff --git a/fs/cifsd/smb2pdu.c b/fs/cifsd/smb2pdu.c
index cc4e8f11c487..3fbd8e4925bb 100644
--- a/fs/cifsd/smb2pdu.c
+++ b/fs/cifsd/smb2pdu.c
@@ -2844,12 +2844,10 @@ int smb2_open(struct ksmbd_work *work)
* is already granted.
*/
if (daccess & ~(FILE_READ_ATTRIBUTES_LE | FILE_READ_CONTROL_LE)) {
- if (ksmbd_vfs_inode_permission(path.dentry,
- open_flags & O_ACCMODE,
- may_delete)) {
- rc = -EACCES;
+ rc = ksmbd_vfs_inode_permission(path.dentry,
+ open_flags & O_ACCMODE, may_delete);
+ if (rc)
goto err_out;
- }
}
}
@@ -3260,7 +3258,7 @@ int smb2_open(struct ksmbd_work *work)
rsp->hdr.Status = STATUS_INVALID_PARAMETER;
else if (rc == -EOPNOTSUPP)
rsp->hdr.Status = STATUS_NOT_SUPPORTED;
- else if (rc == -EACCES)
+ else if (rc == -EACCES || rc == -ESTALE)
rsp->hdr.Status = STATUS_ACCESS_DENIED;
else if (rc == -ENOENT)
rsp->hdr.Status = STATUS_OBJECT_NAME_INVALID;
@@ -5938,7 +5936,7 @@ int smb2_set_info(struct ksmbd_work *work)
rsp->hdr.Status = STATUS_DIRECTORY_NOT_EMPTY;
else if (rc == -EAGAIN)
rsp->hdr.Status = STATUS_FILE_LOCK_CONFLICT;
- else if (rc == -EBADF)
+ else if (rc == -EBADF || rc == -ESTALE)
rsp->hdr.Status = STATUS_INVALID_HANDLE;
else if (rc == -EEXIST)
rsp->hdr.Status = STATUS_OBJECT_NAME_COLLISION;
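Review bot: -ESTALE is mapped to STATUS_INVALID_HANDLE here but to STATUS_ACCESS_DENIED in smb2_open() earlier in the same patch. Both values come from the same parent-changed check in vfs.c, so either use one status for both or explain in the commit message why the two paths differ.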
diff --git a/fs/cifsd/vfs.c b/fs/cifsd/vfs.c
index 5985d2d1f276..f818aeff244f 100644
--- a/fs/cifsd/vfs.c
+++ b/fs/cifsd/vfs.c
@@ -70,7 +70,7 @@ static void ksmbd_vfs_inherit_owner(struct ksmbd_work *work,
int ksmbd_vfs_inode_permission(struct dentry *dentry, int acc_mode, bool delete)
{
- int mask;
+ int mask, ret = 0;
mask = 0;
acc_mode &= O_ACCMODE;
@@ -86,24 +86,39 @@ int ksmbd_vfs_inode_permission(struct dentry *dentry, int acc_mode, bool delete)
return -EACCES;
if (delete) {
- struct dentry *parent;
+ struct dentry *child, *parent;
parent = dget_parent(dentry);
- if (!parent)
- return -EINVAL;
+ inode_lock_nested(d_inode(parent), I_MUTEX_PARENT);
+ child = lookup_one_len(dentry->d_name.name, parent,
+ dentry->d_name.len);
+ if (IS_ERR(child)) {
+ ret = PTR_ERR(child);
+ goto out_lock;
+ }
+
+ if (child != dentry) {
+ ret = -ESTALE;
+ dput(child);
+ goto out_lock;
+ }
+ dput(child);
if (inode_permission(&init_user_ns, d_inode(parent), MAY_EXEC | MAY_WRITE)) {
- dput(parent);
- return -EACCES;
+ ret = -EACCES;
+ goto out_lock;
}
+out_lock:
+ inode_unlock(d_inode(parent));
dput(parent);
}
- return 0;
+ return ret;
}
int ksmbd_vfs_query_maximal_access(struct dentry *dentry, __le32 *daccess)
{
- struct dentry *parent;
+ struct dentry *parent, *child;
+ int ret = 0;
*daccess = cpu_to_le32(FILE_READ_ATTRIBUTES | READ_CONTROL);
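Review bot: in the delete branch of ksmbd_vfs_inode_permission() the child == dentry result is only valid while the parent's inode lock is held, and out_lock drops that lock before returning, so the caller acts on a permission answer that a rename can invalidate immediately afterwards. If the goal is to close the rename race and not just narrow it, the check has to sit under the same lock as the operation it guards, as the ksmbd_vfs_unlink() hunk does; otherwise add a comment saying this is best effort.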
@@ -120,13 +135,28 @@ int ksmbd_vfs_query_maximal_access(struct dentry *dentry, __le32 *daccess)
*daccess |= FILE_EXECUTE_LE;
parent = dget_parent(dentry);
- if (!parent)
- return 0;
+ inode_lock_nested(d_inode(parent), I_MUTEX_PARENT);
+ child = lookup_one_len(dentry->d_name.name, parent,
+ dentry->d_name.len);
+ if (IS_ERR(child)) {
+ ret = PTR_ERR(child);
+ goto out_lock;
+ }
+
+ if (child != dentry) {
+ ret = -ESTALE;
+ dput(child);
+ goto out_lock;
+ }
+ dput(child);
if (!inode_permission(&init_user_ns, d_inode(parent), MAY_EXEC | MAY_WRITE))
*daccess |= FILE_DELETE_LE;
+
+out_lock:
+ inode_unlock(d_inode(parent));
dput(parent);
- return 0;
+ return ret;
}
/**
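Review bot: ksmbd_vfs_query_maximal_access() used to return 0 unconditionally and can now return -ESTALE or a lookup_one_len() error, but no caller is updated in this patch. Check that every caller tests the return value and does not use *daccess after a failure, since on the error path it holds only the bits set before the parent check.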
@@ -726,7 +756,7 @@ int ksmbd_vfs_fp_rename(struct ksmbd_work *work, struct ksmbd_file *fp,
{
struct path dst_path;
struct dentry *src_dent_parent, *dst_dent_parent;
- struct dentry *src_dent, *trap_dent;
+ struct dentry *src_dent, *trap_dent, *src_child;
char *dst_name;
int err;
@@ -735,11 +765,7 @@ int ksmbd_vfs_fp_rename(struct ksmbd_work *work, struct ksmbd_file *fp,
return -EINVAL;
src_dent_parent = dget_parent(fp->filp->f_path.dentry);
- if (!src_dent_parent)
- return -EINVAL;
-
src_dent = fp->filp->f_path.dentry;
- dget(src_dent);
err = kern_path(newname, LOOKUP_FOLLOW | LOOKUP_DIRECTORY, &dst_path);
if (err) {
@@ -747,20 +773,36 @@ int ksmbd_vfs_fp_rename(struct ksmbd_work *work, struct ksmbd_file *fp,
goto out;
}
dst_dent_parent = dst_path.dentry;
- dget(dst_dent_parent);
trap_dent = lock_rename(src_dent_parent, dst_dent_parent);
+ dget(src_dent);
+ dget(dst_dent_parent);
+ src_child = lookup_one_len(src_dent->d_name.name, src_dent_parent,
+ src_dent->d_name.len);
+ if (IS_ERR(src_child)) {
+ err = PTR_ERR(src_child);
+ goto out_lock;
+ }
+
+ if (src_child != src_dent) {
+ err = -ESTALE;
+ dput(src_child);
+ goto out_lock;
+ }
+ dput(src_child);
+
err = __ksmbd_vfs_rename(work,
src_dent_parent,
src_dent,
dst_dent_parent,
trap_dent,
dst_name);
- unlock_rename(src_dent_parent, dst_dent_parent);
+out_lock:
+ dput(src_dent);
dput(dst_dent_parent);
+ unlock_rename(src_dent_parent, dst_dent_parent);
path_put(&dst_path);
out:
- dput(src_dent);
dput(src_dent_parent);
return err;
}
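Review bot: the dget(src_dent) and dget(dst_dent_parent) calls moved under lock_rename() look unnecessary, because dst_path already pins dst_dent_parent until path_put() and src_dent comes from fp->filp, which stays open across the call. Dropping both and the matching dput() calls at out_lock would shorten the locked section; if they are needed, a comment should say what they protect against.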
@@ -1050,23 +1092,33 @@ int ksmbd_vfs_remove_xattr(struct dentry *dentry, char *attr_name)
int ksmbd_vfs_unlink(struct dentry *dir, struct dentry *dentry)
{
+ struct dentry *child;
int err = 0;
- dget(dentry);
inode_lock_nested(d_inode(dir), I_MUTEX_PARENT);
- if (!d_inode(dentry) || !d_inode(dentry)->i_nlink) {
- err = -ENOENT;
+ dget(dentry);
+ child = lookup_one_len(dentry->d_name.name, dir,
+ dentry->d_name.len);
+ if (IS_ERR(child)) {
+ err = PTR_ERR(child);
goto out;
}
+ if (child != dentry) {
+ err = -ESTALE;
+ dput(child);
+ goto out;
+ }
+ dput(child);
+
if (S_ISDIR(d_inode(dentry)->i_mode))
err = vfs_rmdir(&init_user_ns, d_inode(dir), dentry);
else
err = vfs_unlink(&init_user_ns, d_inode(dir), dentry, NULL);
out:
- inode_unlock(d_inode(dir));
dput(dentry);
+ inode_unlock(d_inode(dir));
if (err)
ksmbd_debug(VFS, "failed to delete, err %d\n", err);
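Review bot: the removed test on !d_inode(dentry) || !d_inode(dentry)->i_nlink was what protected the S_ISDIR(d_inode(dentry)->i_mode) dereference that follows. lookup_one_len() can return a negative dentry, so child == dentry does not by itself show that d_inode(dentry) is non-NULL; keep a d_is_negative() check returning -ENOENT after the comparison, or explain why it cannot happen. The lookup, compare and dput sequence is also open-coded four times in this patch and would be easier to keep consistent as one helper.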
From patchwork Mon Nov 14 12:49:10 2022
X-Patchwork-Submitter: Jason Yan <yanaijie(a)huawei.com>
X-Patchwork-Id: 183138
From: Jason Yan <yanaijie(a)huawei.com>
To: <yanaijie(a)huawei.com>, <zhengzengkai(a)huawei.com>, <xiexiuqi(a)huawei.com>,
<yi.zhang(a)huawei.com>, <patchwork(a)huawei.com>, <kernel.openeuler(a)huawei.com>,
<houtao1(a)huawei.com>
Subject: [PATCH OLK-5.10 v2 041/308] cifsd: get parent dentry from child in
ksmbd_vfs_remove_file()
Date: Mon, 14 Nov 2022 20:49:10 +0800
Message-ID: <20221114125337.1831594-42-yanaijie(a)huawei.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20221114125337.1831594-1-yanaijie(a)huawei.com>
References: <20221114125337.1831594-1-yanaijie(a)huawei.com>
From: Namjae Jeon <namjae.jeon(a)samsung.com>
mainline inclusion
from mainline-5.15-rc1
commit 7c3d3e99ca29f0abd5443353fe018a1368f08c43
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G
CVE: NA
Reference: https://git.kernel.org/torvalds/linux/c/7c3d3e99ca29
-------------------------------
To remove the file, we have parsed the full pathname to divide parent path
and filename. It is a better way to get the parent dentry from the child
dentry that is obtained by lookup with the given pathname.
Signed-off-by: Namjae Jeon <namjae.jeon(a)samsung.com>
Signed-off-by: Steve French <stfrench(a)microsoft.com>
Signed-off-by: Jason Yan <yanaijie(a)huawei.com>
---
fs/cifsd/vfs.c | 31 ++++++++++++++-----------------
1 file changed, 14 insertions(+), 17 deletions(-)
diff --git a/fs/cifsd/vfs.c b/fs/cifsd/vfs.c
index f818aeff244f..010dfddb6240 100644
--- a/fs/cifsd/vfs.c
+++ b/fs/cifsd/vfs.c
@@ -578,31 +578,28 @@ int ksmbd_vfs_fsync(struct ksmbd_work *work, u64 fid, u64 p_id)
*/
int ksmbd_vfs_remove_file(struct ksmbd_work *work, char *name)
{
- struct path parent;
- struct dentry *dentry;
- char *last;
+ struct path path;
+ struct dentry *dentry, *parent;
int err;
- last = extract_last_component(name);
- if (!last)
- return -EINVAL;
-
if (ksmbd_override_fsids(work))
return -ENOMEM;
- err = kern_path(name, LOOKUP_FOLLOW | LOOKUP_DIRECTORY, &parent);
+ err = kern_path(name, LOOKUP_FOLLOW, &path);
if (err) {
ksmbd_debug(VFS, "can't get %s, err %d\n", name, err);
ksmbd_revert_fsids(work);
- rollback_path_modification(last);
return err;
}
- inode_lock_nested(d_inode(parent.dentry), I_MUTEX_PARENT);
- dentry = lookup_one_len(last, parent.dentry, strlen(last));
+ parent = dget_parent(path.dentry);
+ inode_lock_nested(d_inode(parent), I_MUTEX_PARENT);
+ dentry = lookup_one_len(path.dentry->d_name.name, parent,
+ strlen(path.dentry->d_name.name));
if (IS_ERR(dentry)) {
err = PTR_ERR(dentry);
- ksmbd_debug(VFS, "%s: lookup failed, err %d\n", last, err);
+ ksmbd_debug(VFS, "%s: lookup failed, err %d\n",
+ path.dentry->d_name.name, err);
goto out_err;
}
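Review bot: kern_path(name, LOOKUP_FOLLOW, &path) now resolves the final component, so when name is a symlink path.dentry is the link target and the rmdir/unlink further down removes the target, whereas the old code looked up the last component in its parent without following it. If that change is not intended, drop LOOKUP_FOLLOW for this lookup. Also pass path.dentry->d_name.len to lookup_one_len() instead of strlen(path.dentry->d_name.name), as the other lookup_one_len() callers in fs/cifsd/vfs.c do.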
@@ -613,12 +610,12 @@ int ksmbd_vfs_remove_file(struct ksmbd_work *work, char *name)
}
if (S_ISDIR(d_inode(dentry)->i_mode)) {
- err = vfs_rmdir(&init_user_ns, d_inode(parent.dentry), dentry);
+ err = vfs_rmdir(&init_user_ns, d_inode(parent), dentry);
if (err && err != -ENOTEMPTY)
ksmbd_debug(VFS, "%s: rmdir failed, err %d\n", name,
err);
} else {
- err = vfs_unlink(&init_user_ns, d_inode(parent.dentry), dentry, NULL);
+ err = vfs_unlink(&init_user_ns, d_inode(parent), dentry, NULL);
if (err)
ksmbd_debug(VFS, "%s: unlink failed, err %d\n", name,
err);
@@ -626,9 +623,9 @@ int ksmbd_vfs_remove_file(struct ksmbd_work *work, char *name)
dput(dentry);
out_err:
- inode_unlock(d_inode(parent.dentry));
- rollback_path_modification(last);
- path_put(&parent);
+ inode_unlock(d_inode(parent));
+ dput(parent);
+ path_put(&path);
ksmbd_revert_fsids(work);
return err;
}
From patchwork Mon Nov 14 12:49:11 2022
X-Patchwork-Submitter: Jason Yan <yanaijie(a)huawei.com>
X-Patchwork-Id: 183139
From: Jason Yan <yanaijie(a)huawei.com>
To: <yanaijie(a)huawei.com>, <zhengzengkai(a)huawei.com>, <xiexiuqi(a)huawei.com>,
<yi.zhang(a)huawei.com>, <patchwork(a)huawei.com>, <kernel.openeuler(a)huawei.com>,
<houtao1(a)huawei.com>
Subject: [PATCH OLK-5.10 v2 042/308] cifsd: re-implement ksmbd_vfs_kern_path
Date: Mon, 14 Nov 2022 20:49:11 +0800
Message-ID: <20221114125337.1831594-43-yanaijie(a)huawei.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20221114125337.1831594-1-yanaijie(a)huawei.com>
References: <20221114125337.1831594-1-yanaijie(a)huawei.com>
From: Hyunchul Lee <hyc.lee(a)gmail.com>
mainline inclusion
from mainline-5.15-rc1
commit 3c20378325c710e7257b22ba333310771be51192
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G
CVE: NA
Reference: https://git.kernel.org/torvalds/linux/c/3c20378325c7
-------------------------------
Re-implement ksmbd_vfs_kern_path() to change
recursion to iteration.
Signed-off-by: Hyunchul Lee <hyc.lee(a)gmail.com>
Signed-off-by: Namjae Jeon <namjae.jeon(a)samsung.com>
Signed-off-by: Steve French <stfrench(a)microsoft.com>
Signed-off-by: Jason Yan <yanaijie(a)huawei.com>
---
fs/cifsd/vfs.c | 103 +++++++++++++++++++++++++++++--------------------
1 file changed, 61 insertions(+), 42 deletions(-)
diff --git a/fs/cifsd/vfs.c b/fs/cifsd/vfs.c
index 010dfddb6240..d8259ca2493e 100644
--- a/fs/cifsd/vfs.c
+++ b/fs/cifsd/vfs.c
@@ -50,14 +50,6 @@ static char *extract_last_component(char *path)
return p;
}
-static void rollback_path_modification(char *filename)
-{
- if (filename) {
- filename--;
- *filename = '/';
- }
-}
-
static void ksmbd_vfs_inherit_owner(struct ksmbd_work *work,
struct inode *parent_inode, struct inode *inode)
{
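Review bot: with rollback_path_modification() removed here and ksmbd_vfs_kern_path() no longer calling extract_last_component() in the last hunk, check whether extract_last_component() still has any caller. If it does not, remove it in this patch as well, otherwise the static function is left behind and triggers an unused-function warning.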
@@ -1231,44 +1223,32 @@ static int __caseless_lookup(struct dir_context *ctx, const char *name,
/**
* ksmbd_vfs_lookup_in_dir() - lookup a file in a directory
- * @dirname: directory name
- * @filename: filename to lookup
+ * @dir: path info
+ * @name: filename to lookup
+ * @namelen: filename length
*
* Return: 0 on success, otherwise error
*/
-static int ksmbd_vfs_lookup_in_dir(char *dirname, char *filename)
+static int ksmbd_vfs_lookup_in_dir(struct path *dir, char *name, size_t namelen)
{
- struct path dir_path;
int ret;
struct file *dfilp;
int flags = O_RDONLY | O_LARGEFILE;
- int dirnamelen = strlen(dirname);
struct ksmbd_readdir_data readdir_data = {
.ctx.actor = __caseless_lookup,
- .private = filename,
- .used = strlen(filename),
+ .private = name,
+ .used = namelen,
+ .dirent_count = 0,
};
- ret = ksmbd_vfs_kern_path(dirname, 0, &dir_path, true);
- if (ret)
- goto error;
-
- dfilp = dentry_open(&dir_path, flags, current_cred());
- if (IS_ERR(dfilp)) {
- path_put(&dir_path);
- ksmbd_err("cannot open directory %s\n", dirname);
- ret = -EINVAL;
- goto error;
- }
+ dfilp = dentry_open(dir, flags, current_cred());
+ if (IS_ERR(dfilp))
+ return PTR_ERR(dfilp);
ret = ksmbd_vfs_readdir(dfilp, &readdir_data);
if (readdir_data.dirent_count > 0)
ret = 0;
-
fput(dfilp);
- path_put(&dir_path);
-error:
- dirname[dirnamelen] = '/';
return ret;
}
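Review bot: name now points into the middle of the caller's path and is delimited only by namelen, so it is not NUL-terminated at the component boundary. Please confirm that __caseless_lookup() compares and copies exactly readdir_data.used bytes and never treats .private as a C string, and say so on the @name/@namelen kernel-doc lines. Note too that when dirent_count stays 0 the function returns whatever ksmbd_vfs_readdir() returned, so a missing entry is not necessarily reported as an error.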
@@ -1284,30 +1264,69 @@ static int ksmbd_vfs_lookup_in_dir(char *dirname, char *filename)
int ksmbd_vfs_kern_path(char *name, unsigned int flags, struct path *path,
bool caseless)
{
- char *filename = NULL;
int err;
+ if (name[0] != '/')
+ return -EINVAL;
+
err = kern_path(name, flags, path);
if (!err)
- return err;
+ return 0;
if (caseless) {
- filename = extract_last_component(name);
- if (!filename)
- goto out;
+ char *filepath;
+ struct path parent;
+ size_t path_len, remain_len;
- /* root reached */
- if (strlen(name) == 0)
- goto out;
+ filepath = kstrdup(name, GFP_KERNEL);
+ if (!filepath)
+ return -ENOMEM;
+
+ path_len = strlen(filepath);
+ remain_len = path_len - 1;
- err = ksmbd_vfs_lookup_in_dir(name, filename);
+ err = kern_path("/", flags, &parent);
if (err)
goto out;
- err = kern_path(name, flags, path);
- }
+ while (d_can_lookup(parent.dentry)) {
+ char *filename = filepath + path_len - remain_len;
+ char *next = strchrnul(filename, '/');
+ size_t filename_len = next - filename;
+ bool is_last = !next[0];
+
+ if (filename_len == 0)
+ break;
+
+ err = ksmbd_vfs_lookup_in_dir(&parent, filename,
+ filename_len);
+ if (err) {
+ path_put(&parent);
+ goto out;
+ }
+
+ path_put(&parent);
+ next[0] = '\0';
+
+ err = kern_path(filepath, flags, &parent);
+ if (err)
+ goto out;
+
+ if (is_last) {
+ path->mnt = parent.mnt;
+ path->dentry = parent.dentry;
+ goto out;
+ }
+
+ next[0] = '/';
+ remain_len -= filename_len + 1;
+ }
+
+ path_put(&parent);
+ err = -EINVAL;
out:
- rollback_path_modification(filename);
+ kfree(filepath);
+ }
return err;
}
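Review bot: an empty component makes the loop break and fall through to err = -EINVAL, so a name with a trailing slash or a doubled slash now fails in the caseless path even when every component exists under some case. Either handle empty components in the loop or document that callers must pass a normalized path. The new name[0] != '/' test also runs when caseless is false, which changes behaviour for every caller and deserves a line in the commit message.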
From patchwork Mon Nov 14 12:49:12 2022
X-Patchwork-Submitter: Jason Yan <yanaijie(a)huawei.com>
X-Patchwork-Id: 183140
From: Jason Yan <yanaijie(a)huawei.com>
To: <yanaijie(a)huawei.com>, <zhengzengkai(a)huawei.com>, <xiexiuqi(a)huawei.com>,
<yi.zhang(a)huawei.com>, <patchwork(a)huawei.com>, <kernel.openeuler(a)huawei.com>,
<houtao1(a)huawei.com>
Subject: [PATCH OLK-5.10 v2 043/308] cifsd: fix reference count decrement of
unclaimed file in __ksmbd_lookup_fd
Date: Mon, 14 Nov 2022 20:49:12 +0800
Message-ID: <20221114125337.1831594-44-yanaijie(a)huawei.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20221114125337.1831594-1-yanaijie(a)huawei.com>
References: <20221114125337.1831594-1-yanaijie(a)huawei.com>
From: Hyunchul Lee <hyc.lee(a)gmail.com>
mainline inclusion
from mainline-5.15-rc1
commit 24b626967d9574a477acf2ab94f55c847d04939a
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G
CVE: NA
Reference: https://git.kernel.org/torvalds/linux/c/24b626967d95
-------------------------------
__ksmbd_lookup_fd could decrement the reference count of
unclaimed ksmbd_file to 0 but not release this ksmbd_file.
ksmbd_file cannot be unclaimed except ksmbd_close_inode_fds(),
because ksmbd_file is only removed from the m_fp_list list
after the reference count of ksmbd_file becomes 0. And if the
count is 0, __ksmbd_lookup_fd does not use ksmbd_file found
from idr due to atomic_inc_not_zero.
Signed-off-by: Hyunchul Lee <hyc.lee(a)gmail.com>
Signed-off-by: Namjae Jeon <namjae.jeon(a)samsung.com>
Signed-off-by: Steve French <stfrench(a)microsoft.com>
Signed-off-by: Jason Yan <yanaijie(a)huawei.com>
---
fs/cifsd/smb2pdu.c | 5 -----
fs/cifsd/vfs_cache.c | 53 --------------------------------------------
2 files changed, 58 deletions(-)
diff --git a/fs/cifsd/smb2pdu.c b/fs/cifsd/smb2pdu.c
index 3fbd8e4925bb..08b06ec97e22 100644
--- a/fs/cifsd/smb2pdu.c
+++ b/fs/cifsd/smb2pdu.c
@@ -2779,11 +2779,6 @@ int smb2_open(struct ksmbd_work *work)
goto err_out;
}
- if (server_conf.flags & KSMBD_GLOBAL_FLAG_DURABLE_HANDLE &&
- file_present)
- file_present = ksmbd_close_inode_fds(work,
- d_inode(path.dentry));
-
daccess = smb_map_generic_desired_access(req->DesiredAccess);
if (file_present && !(req->CreateOptions & FILE_DELETE_ON_CLOSE_LE)) {
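Review bot: this drops the ksmbd_close_inode_fds() call on the KSMBD_GLOBAL_FLAG_DURABLE_HANDLE path, which also means file_present is no longer recomputed from its return value, yet the commit message only discusses the refcount in __ksmbd_lookup_fd(). Please state in the message that files on the inode with no connection (fp->conn == NULL) are no longer closed at open time and why that is acceptable.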
diff --git a/fs/cifsd/vfs_cache.c b/fs/cifsd/vfs_cache.c
index f2a863542dc7..3ab06e0b723c 100644
--- a/fs/cifsd/vfs_cache.c
+++ b/fs/cifsd/vfs_cache.c
@@ -328,25 +328,13 @@ static struct ksmbd_file *ksmbd_fp_get(struct ksmbd_file *fp)
static struct ksmbd_file *__ksmbd_lookup_fd(struct ksmbd_file_table *ft,
unsigned int id)
{
- bool unclaimed = true;
struct ksmbd_file *fp;
read_lock(&ft->lock);
fp = idr_find(ft->idr, id);
if (fp)
fp = ksmbd_fp_get(fp);
-
- if (fp && fp->f_ci) {
- read_lock(&fp->f_ci->m_lock);
- unclaimed = list_empty(&fp->node);
- read_unlock(&fp->f_ci->m_lock);
- }
read_unlock(&ft->lock);
-
- if (fp && unclaimed) {
- atomic_dec(&fp->refcount);
- return NULL;
- }
return fp;
}
@@ -754,47 +742,6 @@ int ksmbd_reopen_durable_fd(struct ksmbd_work *work, struct ksmbd_file *fp)
return 0;
}
-static void close_fd_list(struct ksmbd_work *work, struct list_head *head)
-{
- while (!list_empty(head)) {
- struct ksmbd_file *fp;
-
- fp = list_first_entry(head, struct ksmbd_file, node);
- list_del_init(&fp->node);
-
- __ksmbd_close_fd(&work->sess->file_table, fp);
- }
-}
-
-int ksmbd_close_inode_fds(struct ksmbd_work *work, struct inode *inode)
-{
- struct ksmbd_inode *ci;
- bool unlinked = true;
- struct ksmbd_file *fp, *fptmp;
- LIST_HEAD(dispose);
-
- ci = ksmbd_inode_lookup_by_vfsinode(inode);
- if (!ci)
- return true;
-
- if (ci->m_flags & (S_DEL_ON_CLS | S_DEL_PENDING))
- unlinked = false;
-
- write_lock(&ci->m_lock);
- list_for_each_entry_safe(fp, fptmp, &ci->m_fp_list, node) {
- if (fp->conn)
- continue;
-
- list_del(&fp->node);
- list_add(&fp->node, &dispose);
- }
- atomic_dec(&ci->m_count);
- write_unlock(&ci->m_lock);
-
- close_fd_list(work, &dispose);
- return unlinked;
-}
-
int ksmbd_file_table_flush(struct ksmbd_work *work)
{
struct ksmbd_file *fp = NULL;
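Review bot: ksmbd_close_inode_fds() is non-static and was called from smb2pdu.c, so it must have a prototype in a header, but the diffstat lists only smb2pdu.c and vfs_cache.c. Remove the declaration in the same patch so no dangling prototype is left behind.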
From patchwork Mon Nov 14 12:49:13 2022
X-Patchwork-Submitter: Jason Yan <yanaijie(a)huawei.com>
X-Patchwork-Id: 183141
From: Jason Yan <yanaijie(a)huawei.com>
To: <yanaijie(a)huawei.com>, <zhengzengkai(a)huawei.com>, <xiexiuqi(a)huawei.com>,
<yi.zhang(a)huawei.com>, <patchwork(a)huawei.com>, <kernel.openeuler(a)huawei.com>,
<houtao1(a)huawei.com>
Subject: [PATCH OLK-5.10 v2 044/308] cifsd: Remove smb2_put_name()
Date: Mon, 14 Nov 2022 20:49:13 +0800
Message-ID: <20221114125337.1831594-45-yanaijie(a)huawei.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20221114125337.1831594-1-yanaijie(a)huawei.com>
References: <20221114125337.1831594-1-yanaijie(a)huawei.com>
From: Marios Makassikis <mmakassikis(a)freebox.fr>
mainline inclusion
from mainline-5.15-rc1
commit 915f570a971b4e5abd95e8b169dd41c120ab5a5b
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G
CVE: NA
Reference: https://git.kernel.org/torvalds/linux/c/915f570a971b
-------------------------------
smb2_put_name() is called twice, and both call sites do the IS_ERR() check
before.
Signed-off-by: Marios Makassikis <mmakassikis(a)freebox.fr>
Signed-off-by: Namjae Jeon <namjae.jeon(a)samsung.com>
Signed-off-by: Steve French <stfrench(a)microsoft.com>
Signed-off-by: Jason Yan <yanaijie(a)huawei.com>
---
fs/cifsd/smb2pdu.c | 14 ++------------
1 file changed, 2 insertions(+), 12 deletions(-)
diff --git a/fs/cifsd/smb2pdu.c b/fs/cifsd/smb2pdu.c
index 08b06ec97e22..1ff0b20ff7b8 100644
--- a/fs/cifsd/smb2pdu.c
+++ b/fs/cifsd/smb2pdu.c
@@ -666,16 +666,6 @@ smb2_get_name(struct ksmbd_share_config *share, const char *src,
return unixname;
}
-/**
- * smb2_put_name() - free memory allocated for filename
- * @name: filename pointer to be freed
- */
-static void smb2_put_name(void *name)
-{
- if (!IS_ERR(name))
- kfree(name);
-}
-
int setup_async_work(struct ksmbd_work *work, void (*fn)(void **), void **arg)
{
struct smb2_hdr *rsp_hdr;
@@ -5418,7 +5408,7 @@ static int smb2_rename(struct ksmbd_work *work, struct ksmbd_file *fp,
out:
kfree(pathname);
if (!IS_ERR(new_name))
- smb2_put_name(new_name);
+ kfree(new_name);
return rc;
}
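Review bot: with the helper gone, the IS_ERR() guard in front of kfree(new_name) is the only thing keeping an ERR_PTR out of kfree(), here and at the matching site in smb2_create_link(). Setting the pointer to NULL where the error is detected would let both out: paths call kfree() unconditionally and remove that dependency.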
@@ -5483,7 +5473,7 @@ static int smb2_create_link(struct ksmbd_work *work,
rc = -EINVAL;
out:
if (!IS_ERR(link_name))
- smb2_put_name(link_name);
+ kfree(link_name);
kfree(pathname);
return rc;
}
From patchwork Mon Nov 14 12:49:14 2022
X-Patchwork-Submitter: Jason Yan <yanaijie(a)huawei.com>
X-Patchwork-Id: 183142
From: Jason Yan <yanaijie(a)huawei.com>
To: <yanaijie(a)huawei.com>, <zhengzengkai(a)huawei.com>, <xiexiuqi(a)huawei.com>,
<yi.zhang(a)huawei.com>, <patchwork(a)huawei.com>, <kernel.openeuler(a)huawei.com>,
<houtao1(a)huawei.com>
Subject: [PATCH OLK-5.10 v2 045/308] cifsd: remove unused smberr.h
Date: Mon, 14 Nov 2022 20:49:14 +0800
Message-ID: <20221114125337.1831594-46-yanaijie(a)huawei.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20221114125337.1831594-1-yanaijie(a)huawei.com>
References: <20221114125337.1831594-1-yanaijie(a)huawei.com>
From: Namjae Jeon <namjae.jeon(a)samsung.com>
mainline inclusion
from mainline-5.15-rc1
commit 7e8094a73e522635a85fb5ad82847b544f4448bf
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G
CVE: NA
Reference: https://git.kernel.org/torvalds/linux/c/7e8094a73e52
-------------------------------
smberr.h is a leftover of SMB1. This patch removes the unused smberr.h.
Signed-off-by: Namjae Jeon <namjae.jeon(a)samsung.com>
Signed-off-by: Steve French <stfrench(a)microsoft.com>
Signed-off-by: Jason Yan <yanaijie(a)huawei.com>
---
fs/cifsd/glob.h | 1 -
fs/cifsd/netmisc.c | 1 -
fs/cifsd/smberr.h | 235 ---------------------------------------------
3 files changed, 237 deletions(-)
delete mode 100644 fs/cifsd/smberr.h
diff --git a/fs/cifsd/glob.h b/fs/cifsd/glob.h
index 9d70093a837a..ffeaf8aa5595 100644
--- a/fs/cifsd/glob.h
+++ b/fs/cifsd/glob.h
@@ -11,7 +11,6 @@
#include "unicode.h"
#include "vfs_cache.h"
-#include "smberr.h"
#define KSMBD_VERSION "3.1.9"
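Review bot: glob.h is itself included by other files (netmisc.c in the next hunk is one), so dropping the smberr.h include here removes the ERR* macros from every file that got them through glob.h. The commit message only asserts the header is unused; please add that the tree was build-tested, or checked for remaining users of names such as ERRDOS and ERRSRV, after the removal.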
diff --git a/fs/cifsd/netmisc.c b/fs/cifsd/netmisc.c
index 5d0327d87397..8f052434b64c 100644
--- a/fs/cifsd/netmisc.c
+++ b/fs/cifsd/netmisc.c
@@ -8,7 +8,6 @@
*/
#include "glob.h"
-#include "smberr.h"
#include "nterr.h"
#include "smb_common.h"
diff --git a/fs/cifsd/smberr.h b/fs/cifsd/smberr.h
deleted file mode 100644
index ce842303ae1f..000000000000
--- a/fs/cifsd/smberr.h
+++ /dev/null
@@ -1,235 +0,0 @@
-/* SPDX-License-Identifier: LGPL-2.1+ */
-/*
- * Copyright (c) International Business Machines Corp., 2002,2004
- * Author(s): Steve French (sfrench(a)us.ibm.com)
- *
- * See Error Codes section of the SNIA CIFS Specification
- * for more information
- */
-#ifndef __KSMBD_SMBERR_H
-#define __KSMBD_SMBERR_H
-
-#define SUCCESS 0x00 /* The request was successful. */
-#define ERRDOS 0x01 /* Error is from the core DOS operating system set */
-#define ERRSRV 0x02 /* Error is generated by the file server daemon */
-#define ERRHRD 0x03 /* Error is a hardware error. */
-#define ERRCMD 0xFF /* Command was not in the "SMB" format. */
-
-/* The following error codes may be generated with the SUCCESS error class.*/
-
-/*#define SUCCESS 0 The request was successful. */
-
-/* The following error codes may be generated with the ERRDOS error class.*/
-
-#define ERRbadfunc 1 /*
- * Invalid function. The server did not
- * recognize or could not perform a
- * system call generated by the server,
- * e.g., set the DIRECTORY attribute on
- * a data file, invalid seek mode.
- */
-#define ERRbadfile 2 /*
- * File not found. The last component
- * of a file's pathname could not be
- * found.
- */
-#define ERRbadpath 3 /*
- * Directory invalid. A directory
- * component in a pathname could not be
- * found.
- */
-#define ERRnofids 4 /*
- * Too many open files. The server has
- * no file handles available.
- */
-#define ERRnoaccess 5 /*
- * Access denied, the client's context
- * does not permit the requested
- * function. This includes the
- * following conditions: invalid rename
- * command, write to Fid open for read
- * only, read on Fid open for write
- * only, attempt to delete a non-empty
- * directory
- */
-#define ERRbadfid 6 /*
- * Invalid file handle. The file handle
- * specified was not recognized by the
- * server.
- */
-#define ERRbadmcb 7 /* Memory control blocks destroyed. */
-#define ERRnomem 8 /*
- * Insufficient server memory to
- * perform the requested function.
- */
-#define ERRbadmem 9 /* Invalid memory block address. */
-#define ERRbadenv 10 /* Invalid environment. */
-#define ERRbadformat 11 /* Invalid format. */
-#define ERRbadaccess 12 /* Invalid open mode. */
-#define ERRbaddata 13 /*
- * Invalid data (generated only by
- * IOCTL calls within the server).
- */
-#define ERRbaddrive 15 /* Invalid drive specified. */
-#define ERRremcd 16 /*
- * A Delete Directory request attempted
- * to remove the server's current
- * directory.
- */
-#define ERRdiffdevice 17 /*
- * Not same device (e.g., a cross
- * volume rename was attempted
- */
-#define ERRnofiles 18 /*
- * A File Search command can find no
- * more files matching the specified
- * criteria.
- */
-#define ERRwriteprot 19 /* media is write protected */
-#define ERRgeneral 31
-#define ERRbadshare 32 /*
- * The sharing mode specified for an
- * Open conflicts with existing FIDs on
- * the file.
- */
-#define ERRlock 33 /*
- * A Lock request conflicted with an
- * existing lock or specified an
- * invalid mode, or an Unlock requested
- * attempted to remove a lock held by
- * another process.
- */
-#define ERRunsup 50
-#define ERRnosuchshare 67
-#define ERRfilexists 80 /*
- * The file named in the request
- * already exists.
- */
-#define ERRinvparm 87
-#define ERRdiskfull 112
-#define ERRinvname 123
-#define ERRinvlevel 124
-#define ERRdirnotempty 145
-#define ERRnotlocked 158
-#define ERRcancelviolation 173
-#define ERRnoatomiclocks 174
-#define ERRalreadyexists 183
-#define ERRbadpipe 230
-#define ERRpipebusy 231
-#define ERRpipeclosing 232
-#define ERRnotconnected 233
-#define ERRmoredata 234
-#define ERReasnotsupported 282
-#define ErrQuota 0x200 /*
- * The operation would cause a quota
- * limit to be exceeded.
- */
-#define ErrNotALink 0x201 /*
- * A link operation was performed on a
- * pathname that was not a link.
- */
-
-/*
- * Below errors are used internally (do not come over the wire) for passthrough
- * from STATUS codes to POSIX only
- */
-#define ERRsymlink 0xFFFD
-#define ErrTooManyLinks 0xFFFE
-
-/* Following error codes may be generated with the ERRSRV error class.*/
-
-#define ERRerror 1 /*
- * Non-specific error code. It is
- * returned under the following
- * conditions: resource other than disk
- * space exhausted (e.g. TIDs), first
- * SMB command was not negotiate,
- * multiple negotiates attempted, and
- * internal server error.
- */
-#define ERRbadpw 2 /*
- * Bad password - name/password pair in
- * a TreeConnect or Session Setup are
- * invalid.
- */
-#define ERRbadtype 3 /*
- * used for indicating DFS referral
- * needed
- */
-#define ERRaccess 4 /*
- * The client does not have the
- * necessary access rights within the
- * specified context for requested
- * function.
- */
-#define ERRinvtid 5 /*
- * The Tid specified in a command was
- * invalid.
- */
-#define ERRinvnetname 6 /*
- * Invalid network name in tree
- * connect.
- */
-#define ERRinvdevice 7 /*
- * Invalid device - printer request
- * made to non-printer connection or
- * non-printer request made to printer
- * connection.
- */
-#define ERRqfull 49 /*
- * Print queue full (files) -- returned
- * by open print file.
- */
-#define ERRqtoobig 50 /* Print queue full -- no space. */
-#define ERRqeof 51 /* EOF on print queue dump */
-#define ERRinvpfid 52 /* Invalid print file FID. */
-#define ERRsmbcmd 64 /*
- * The server did not recognize the
- * command received.
- */
-#define ERRsrverror 65 /*
- * The server encountered an internal
- * error, e.g., system file
- * unavailable.
- */
-#define ERRbadBID 66 /* (obsolete) */
-#define ERRfilespecs 67 /*
- * The Fid and pathname parameters
- * contained an invalid combination of
- * values.
- */
-#define ERRbadLink 68 /* (obsolete) */
-#define ERRbadpermits 69 /*
- * The access permissions specified for
- * a file or directory are not a valid
- * combination.
- */
-#define ERRbadPID 70
-#define ERRsetattrmode 71 /* attribute (mode) is invalid */
-#define ERRpaused 81 /* Server is paused */
-#define ERRmsgoff 82 /* reserved - messaging off */
-#define ERRnoroom 83 /* reserved - no room for message */
-#define ERRrmuns 87 /* reserved - too many remote names */
-#define ERRtimeout 88 /* operation timed out */
-#define ERRnoresource 89 /* No resources available for request */
-#define ERRtoomanyuids 90 /*
- * Too many UIDs active on this session
- */
-#define ERRbaduid 91 /*
- * The UID is not known as a valid user
- */
-#define ERRusempx 250 /* temporarily unable to use raw */
-#define ERRusestd 251 /*
- * temporarily unable to use either raw
- * or mpx
- */
-#define ERR_NOTIFY_ENUM_DIR 1024
-#define ERRnoSuchUser 2238 /* user account does not exist */
-#define ERRaccountexpired 2239
-#define ERRbadclient 2240 /* can not logon from this client */
-#define ERRbadLogonTime 2241 /* logon hours do not allow this */
-#define ERRpasswordExpired 2242
-#define ERRnetlogonNotStarted 2455
-#define ERRnosupport 0xFFFF
-
-#endif /* __KSMBD_SMBERR_H */
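Review bot: Deleting the whole header guarded by __KSMBD_SMBERR_H is only safe if no remaining source still includes it or uses any of these ERR* symbols, and nothing in the visible hunk shows that. The block near the end of the hunk marks ERRsymlink (0xFFFD) and ErrTooManyLinks (0xFFFE) as internal values "for passthrough from STATUS codes to POSIX only", which implies a status-mapping path that consumed them at some point. Before merging, confirm with a tree-wide search that the include and these two symbols have no remaining users, and say so in the changelog so the removal can be audited without rebuilding the series.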
From patchwork Mon Nov 14 12:49:15 2022
X-Patchwork-Submitter: Jason Yan <yanaijie(a)huawei.com>
X-Patchwork-Id: 183143
From: Jason Yan <yanaijie(a)huawei.com>
To: <yanaijie(a)huawei.com>, <zhengzengkai(a)huawei.com>, <xiexiuqi(a)huawei.com>,
<yi.zhang(a)huawei.com>, <patchwork(a)huawei.com>, <kernel.openeuler(a)huawei.com>,
<houtao1(a)huawei.com>
Subject: [PATCH OLK-5.10 v2 046/308] cifsd: remove unused nterr.c file
Date: Mon, 14 Nov 2022 20:49:15 +0800
Message-ID: <20221114125337.1831594-47-yanaijie(a)huawei.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20221114125337.1831594-1-yanaijie(a)huawei.com>
References: <20221114125337.1831594-1-yanaijie(a)huawei.com>
From: Namjae Jeon <namjae.jeon(a)samsung.com>
mainline inclusion
from mainline-5.15-rc1
commit 2efec2dee861000263d255a24f7a7c6d82c749d1
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G
CVE: NA
Reference: https://git.kernel.org/torvalds/linux/c/2efec2dee861
-------------------------------
Remove unused nterr.c file.
Signed-off-by: Namjae Jeon <namjae.jeon(a)samsung.com>
Signed-off-by: Steve French <stfrench(a)microsoft.com>
Signed-off-by: Jason Yan <yanaijie(a)huawei.com>
---
fs/cifsd/nterr.c | 674 -----------------------------------------------
fs/cifsd/nterr.h | 7 -
2 files changed, 681 deletions(-)
delete mode 100644 fs/cifsd/nterr.c
diff --git a/fs/cifsd/nterr.c b/fs/cifsd/nterr.c
deleted file mode 100644
index 358a766375b4..000000000000
--- a/fs/cifsd/nterr.c
+++ /dev/null
@@ -1,674 +0,0 @@
-// SPDX-License-Identifier: GPL-2.0-or-later
-/*
- * Unix SMB/Netbios implementation.
- * Version 1.9.
- * RPC Pipe client / server routines
- * Copyright (C) Luke Kenneth Casson Leighton 1997-2001.
- */
-
-/* NT error codes - see nterr.h */
-#include <linux/types.h>
-#include <linux/fs.h>
-#include "nterr.h"
-
-const struct nt_err_code_struct nt_errs[] = {
- {"NT_STATUS_OK", NT_STATUS_OK},
- {"NT_STATUS_UNSUCCESSFUL", NT_STATUS_UNSUCCESSFUL},
- {"NT_STATUS_NOT_IMPLEMENTED", NT_STATUS_NOT_IMPLEMENTED},
- {"NT_STATUS_INVALID_INFO_CLASS", NT_STATUS_INVALID_INFO_CLASS},
- {"NT_STATUS_INFO_LENGTH_MISMATCH", NT_STATUS_INFO_LENGTH_MISMATCH},
- {"NT_STATUS_ACCESS_VIOLATION", NT_STATUS_ACCESS_VIOLATION},
- {"NT_STATUS_BUFFER_OVERFLOW", NT_STATUS_BUFFER_OVERFLOW},
- {"NT_STATUS_IN_PAGE_ERROR", NT_STATUS_IN_PAGE_ERROR},
- {"NT_STATUS_PAGEFILE_QUOTA", NT_STATUS_PAGEFILE_QUOTA},
- {"NT_STATUS_INVALID_HANDLE", NT_STATUS_INVALID_HANDLE},
- {"NT_STATUS_BAD_INITIAL_STACK", NT_STATUS_BAD_INITIAL_STACK},
- {"NT_STATUS_BAD_INITIAL_PC", NT_STATUS_BAD_INITIAL_PC},
- {"NT_STATUS_INVALID_CID", NT_STATUS_INVALID_CID},
- {"NT_STATUS_TIMER_NOT_CANCELED", NT_STATUS_TIMER_NOT_CANCELED},
- {"NT_STATUS_INVALID_PARAMETER", NT_STATUS_INVALID_PARAMETER},
- {"NT_STATUS_NO_SUCH_DEVICE", NT_STATUS_NO_SUCH_DEVICE},
- {"NT_STATUS_NO_SUCH_FILE", NT_STATUS_NO_SUCH_FILE},
- {"NT_STATUS_INVALID_DEVICE_REQUEST",
- NT_STATUS_INVALID_DEVICE_REQUEST},
- {"NT_STATUS_END_OF_FILE", NT_STATUS_END_OF_FILE},
- {"NT_STATUS_WRONG_VOLUME", NT_STATUS_WRONG_VOLUME},
- {"NT_STATUS_NO_MEDIA_IN_DEVICE", NT_STATUS_NO_MEDIA_IN_DEVICE},
- {"NT_STATUS_UNRECOGNIZED_MEDIA", NT_STATUS_UNRECOGNIZED_MEDIA},
- {"NT_STATUS_NONEXISTENT_SECTOR", NT_STATUS_NONEXISTENT_SECTOR},
- {"NT_STATUS_MORE_PROCESSING_REQUIRED",
- NT_STATUS_MORE_PROCESSING_REQUIRED},
- {"NT_STATUS_NO_MEMORY", NT_STATUS_NO_MEMORY},
- {"NT_STATUS_CONFLICTING_ADDRESSES",
- NT_STATUS_CONFLICTING_ADDRESSES},
- {"NT_STATUS_NOT_MAPPED_VIEW", NT_STATUS_NOT_MAPPED_VIEW},
- {"NT_STATUS_UNABLE_TO_FREE_VM", NT_STATUS_UNABLE_TO_FREE_VM},
- {"NT_STATUS_UNABLE_TO_DELETE_SECTION",
- NT_STATUS_UNABLE_TO_DELETE_SECTION},
- {"NT_STATUS_INVALID_SYSTEM_SERVICE",
- NT_STATUS_INVALID_SYSTEM_SERVICE},
- {"NT_STATUS_ILLEGAL_INSTRUCTION", NT_STATUS_ILLEGAL_INSTRUCTION},
- {"NT_STATUS_INVALID_LOCK_SEQUENCE",
- NT_STATUS_INVALID_LOCK_SEQUENCE},
- {"NT_STATUS_INVALID_VIEW_SIZE", NT_STATUS_INVALID_VIEW_SIZE},
- {"NT_STATUS_INVALID_FILE_FOR_SECTION",
- NT_STATUS_INVALID_FILE_FOR_SECTION},
- {"NT_STATUS_ALREADY_COMMITTED", NT_STATUS_ALREADY_COMMITTED},
- {"NT_STATUS_ACCESS_DENIED", NT_STATUS_ACCESS_DENIED},
- {"NT_STATUS_BUFFER_TOO_SMALL", NT_STATUS_BUFFER_TOO_SMALL},
- {"NT_STATUS_OBJECT_TYPE_MISMATCH", NT_STATUS_OBJECT_TYPE_MISMATCH},
- {"NT_STATUS_NONCONTINUABLE_EXCEPTION",
- NT_STATUS_NONCONTINUABLE_EXCEPTION},
- {"NT_STATUS_INVALID_DISPOSITION", NT_STATUS_INVALID_DISPOSITION},
- {"NT_STATUS_UNWIND", NT_STATUS_UNWIND},
- {"NT_STATUS_BAD_STACK", NT_STATUS_BAD_STACK},
- {"NT_STATUS_INVALID_UNWIND_TARGET",
- NT_STATUS_INVALID_UNWIND_TARGET},
- {"NT_STATUS_NOT_LOCKED", NT_STATUS_NOT_LOCKED},
- {"NT_STATUS_PARITY_ERROR", NT_STATUS_PARITY_ERROR},
- {"NT_STATUS_UNABLE_TO_DECOMMIT_VM",
- NT_STATUS_UNABLE_TO_DECOMMIT_VM},
- {"NT_STATUS_NOT_COMMITTED", NT_STATUS_NOT_COMMITTED},
- {"NT_STATUS_INVALID_PORT_ATTRIBUTES",
- NT_STATUS_INVALID_PORT_ATTRIBUTES},
- {"NT_STATUS_PORT_MESSAGE_TOO_LONG",
- NT_STATUS_PORT_MESSAGE_TOO_LONG},
- {"NT_STATUS_INVALID_PARAMETER_MIX",
- NT_STATUS_INVALID_PARAMETER_MIX},
- {"NT_STATUS_INVALID_QUOTA_LOWER", NT_STATUS_INVALID_QUOTA_LOWER},
- {"NT_STATUS_DISK_CORRUPT_ERROR", NT_STATUS_DISK_CORRUPT_ERROR},
- {"NT_STATUS_OBJECT_NAME_INVALID", NT_STATUS_OBJECT_NAME_INVALID},
- {"NT_STATUS_OBJECT_NAME_NOT_FOUND",
- NT_STATUS_OBJECT_NAME_NOT_FOUND},
- {"NT_STATUS_OBJECT_NAME_COLLISION",
- NT_STATUS_OBJECT_NAME_COLLISION},
- {"NT_STATUS_HANDLE_NOT_WAITABLE", NT_STATUS_HANDLE_NOT_WAITABLE},
- {"NT_STATUS_PORT_DISCONNECTED", NT_STATUS_PORT_DISCONNECTED},
- {"NT_STATUS_DEVICE_ALREADY_ATTACHED",
- NT_STATUS_DEVICE_ALREADY_ATTACHED},
- {"NT_STATUS_OBJECT_PATH_INVALID", NT_STATUS_OBJECT_PATH_INVALID},
- {"NT_STATUS_OBJECT_PATH_NOT_FOUND",
- NT_STATUS_OBJECT_PATH_NOT_FOUND},
- {"NT_STATUS_OBJECT_PATH_SYNTAX_BAD",
- NT_STATUS_OBJECT_PATH_SYNTAX_BAD},
- {"NT_STATUS_DATA_OVERRUN", NT_STATUS_DATA_OVERRUN},
- {"NT_STATUS_DATA_LATE_ERROR", NT_STATUS_DATA_LATE_ERROR},
- {"NT_STATUS_DATA_ERROR", NT_STATUS_DATA_ERROR},
- {"NT_STATUS_CRC_ERROR", NT_STATUS_CRC_ERROR},
- {"NT_STATUS_SECTION_TOO_BIG", NT_STATUS_SECTION_TOO_BIG},
- {"NT_STATUS_PORT_CONNECTION_REFUSED",
- NT_STATUS_PORT_CONNECTION_REFUSED},
- {"NT_STATUS_INVALID_PORT_HANDLE", NT_STATUS_INVALID_PORT_HANDLE},
- {"NT_STATUS_SHARING_VIOLATION", NT_STATUS_SHARING_VIOLATION},
- {"NT_STATUS_QUOTA_EXCEEDED", NT_STATUS_QUOTA_EXCEEDED},
- {"NT_STATUS_INVALID_PAGE_PROTECTION",
- NT_STATUS_INVALID_PAGE_PROTECTION},
- {"NT_STATUS_MUTANT_NOT_OWNED", NT_STATUS_MUTANT_NOT_OWNED},
- {"NT_STATUS_SEMAPHORE_LIMIT_EXCEEDED",
- NT_STATUS_SEMAPHORE_LIMIT_EXCEEDED},
- {"NT_STATUS_PORT_ALREADY_SET", NT_STATUS_PORT_ALREADY_SET},
- {"NT_STATUS_SECTION_NOT_IMAGE", NT_STATUS_SECTION_NOT_IMAGE},
- {"NT_STATUS_SUSPEND_COUNT_EXCEEDED",
- NT_STATUS_SUSPEND_COUNT_EXCEEDED},
- {"NT_STATUS_THREAD_IS_TERMINATING",
- NT_STATUS_THREAD_IS_TERMINATING},
- {"NT_STATUS_BAD_WORKING_SET_LIMIT",
- NT_STATUS_BAD_WORKING_SET_LIMIT},
- {"NT_STATUS_INCOMPATIBLE_FILE_MAP",
- NT_STATUS_INCOMPATIBLE_FILE_MAP},
- {"NT_STATUS_SECTION_PROTECTION", NT_STATUS_SECTION_PROTECTION},
- {"NT_STATUS_EAS_NOT_SUPPORTED", NT_STATUS_EAS_NOT_SUPPORTED},
- {"NT_STATUS_EA_TOO_LARGE", NT_STATUS_EA_TOO_LARGE},
- {"NT_STATUS_NONEXISTENT_EA_ENTRY", NT_STATUS_NONEXISTENT_EA_ENTRY},
- {"NT_STATUS_NO_EAS_ON_FILE", NT_STATUS_NO_EAS_ON_FILE},
- {"NT_STATUS_EA_CORRUPT_ERROR", NT_STATUS_EA_CORRUPT_ERROR},
- {"NT_STATUS_FILE_LOCK_CONFLICT", NT_STATUS_FILE_LOCK_CONFLICT},
- {"NT_STATUS_LOCK_NOT_GRANTED", NT_STATUS_LOCK_NOT_GRANTED},
- {"NT_STATUS_DELETE_PENDING", NT_STATUS_DELETE_PENDING},
- {"NT_STATUS_CTL_FILE_NOT_SUPPORTED",
- NT_STATUS_CTL_FILE_NOT_SUPPORTED},
- {"NT_STATUS_UNKNOWN_REVISION", NT_STATUS_UNKNOWN_REVISION},
- {"NT_STATUS_REVISION_MISMATCH", NT_STATUS_REVISION_MISMATCH},
- {"NT_STATUS_INVALID_OWNER", NT_STATUS_INVALID_OWNER},
- {"NT_STATUS_INVALID_PRIMARY_GROUP",
- NT_STATUS_INVALID_PRIMARY_GROUP},
- {"NT_STATUS_NO_IMPERSONATION_TOKEN",
- NT_STATUS_NO_IMPERSONATION_TOKEN},
- {"NT_STATUS_CANT_DISABLE_MANDATORY",
- NT_STATUS_CANT_DISABLE_MANDATORY},
- {"NT_STATUS_NO_LOGON_SERVERS", NT_STATUS_NO_LOGON_SERVERS},
- {"NT_STATUS_NO_SUCH_LOGON_SESSION",
- NT_STATUS_NO_SUCH_LOGON_SESSION},
- {"NT_STATUS_NO_SUCH_PRIVILEGE", NT_STATUS_NO_SUCH_PRIVILEGE},
- {"NT_STATUS_PRIVILEGE_NOT_HELD", NT_STATUS_PRIVILEGE_NOT_HELD},
- {"NT_STATUS_INVALID_ACCOUNT_NAME", NT_STATUS_INVALID_ACCOUNT_NAME},
- {"NT_STATUS_USER_EXISTS", NT_STATUS_USER_EXISTS},
- {"NT_STATUS_NO_SUCH_USER", NT_STATUS_NO_SUCH_USER},
- {"NT_STATUS_GROUP_EXISTS", NT_STATUS_GROUP_EXISTS},
- {"NT_STATUS_NO_SUCH_GROUP", NT_STATUS_NO_SUCH_GROUP},
- {"NT_STATUS_MEMBER_IN_GROUP", NT_STATUS_MEMBER_IN_GROUP},
- {"NT_STATUS_MEMBER_NOT_IN_GROUP", NT_STATUS_MEMBER_NOT_IN_GROUP},
- {"NT_STATUS_LAST_ADMIN", NT_STATUS_LAST_ADMIN},
- {"NT_STATUS_WRONG_PASSWORD", NT_STATUS_WRONG_PASSWORD},
- {"NT_STATUS_ILL_FORMED_PASSWORD", NT_STATUS_ILL_FORMED_PASSWORD},
- {"NT_STATUS_PASSWORD_RESTRICTION", NT_STATUS_PASSWORD_RESTRICTION},
- {"NT_STATUS_LOGON_FAILURE", NT_STATUS_LOGON_FAILURE},
- {"NT_STATUS_ACCOUNT_RESTRICTION", NT_STATUS_ACCOUNT_RESTRICTION},
- {"NT_STATUS_INVALID_LOGON_HOURS", NT_STATUS_INVALID_LOGON_HOURS},
- {"NT_STATUS_INVALID_WORKSTATION", NT_STATUS_INVALID_WORKSTATION},
- {"NT_STATUS_PASSWORD_EXPIRED", NT_STATUS_PASSWORD_EXPIRED},
- {"NT_STATUS_ACCOUNT_DISABLED", NT_STATUS_ACCOUNT_DISABLED},
- {"NT_STATUS_NONE_MAPPED", NT_STATUS_NONE_MAPPED},
- {"NT_STATUS_TOO_MANY_LUIDS_REQUESTED",
- NT_STATUS_TOO_MANY_LUIDS_REQUESTED},
- {"NT_STATUS_LUIDS_EXHAUSTED", NT_STATUS_LUIDS_EXHAUSTED},
- {"NT_STATUS_INVALID_SUB_AUTHORITY",
- NT_STATUS_INVALID_SUB_AUTHORITY},
- {"NT_STATUS_INVALID_ACL", NT_STATUS_INVALID_ACL},
- {"NT_STATUS_INVALID_SID", NT_STATUS_INVALID_SID},
- {"NT_STATUS_INVALID_SECURITY_DESCR",
- NT_STATUS_INVALID_SECURITY_DESCR},
- {"NT_STATUS_PROCEDURE_NOT_FOUND", NT_STATUS_PROCEDURE_NOT_FOUND},
- {"NT_STATUS_INVALID_IMAGE_FORMAT", NT_STATUS_INVALID_IMAGE_FORMAT},
- {"NT_STATUS_NO_TOKEN", NT_STATUS_NO_TOKEN},
- {"NT_STATUS_BAD_INHERITANCE_ACL", NT_STATUS_BAD_INHERITANCE_ACL},
- {"NT_STATUS_RANGE_NOT_LOCKED", NT_STATUS_RANGE_NOT_LOCKED},
- {"NT_STATUS_DISK_FULL", NT_STATUS_DISK_FULL},
- {"NT_STATUS_SERVER_DISABLED", NT_STATUS_SERVER_DISABLED},
- {"NT_STATUS_SERVER_NOT_DISABLED", NT_STATUS_SERVER_NOT_DISABLED},
- {"NT_STATUS_TOO_MANY_GUIDS_REQUESTED",
- NT_STATUS_TOO_MANY_GUIDS_REQUESTED},
- {"NT_STATUS_GUIDS_EXHAUSTED", NT_STATUS_GUIDS_EXHAUSTED},
- {"NT_STATUS_INVALID_ID_AUTHORITY", NT_STATUS_INVALID_ID_AUTHORITY},
- {"NT_STATUS_AGENTS_EXHAUSTED", NT_STATUS_AGENTS_EXHAUSTED},
- {"NT_STATUS_INVALID_VOLUME_LABEL", NT_STATUS_INVALID_VOLUME_LABEL},
- {"NT_STATUS_SECTION_NOT_EXTENDED", NT_STATUS_SECTION_NOT_EXTENDED},
- {"NT_STATUS_NOT_MAPPED_DATA", NT_STATUS_NOT_MAPPED_DATA},
- {"NT_STATUS_RESOURCE_DATA_NOT_FOUND",
- NT_STATUS_RESOURCE_DATA_NOT_FOUND},
- {"NT_STATUS_RESOURCE_TYPE_NOT_FOUND",
- NT_STATUS_RESOURCE_TYPE_NOT_FOUND},
- {"NT_STATUS_RESOURCE_NAME_NOT_FOUND",
- NT_STATUS_RESOURCE_NAME_NOT_FOUND},
- {"NT_STATUS_ARRAY_BOUNDS_EXCEEDED",
- NT_STATUS_ARRAY_BOUNDS_EXCEEDED},
- {"NT_STATUS_FLOAT_DENORMAL_OPERAND",
- NT_STATUS_FLOAT_DENORMAL_OPERAND},
- {"NT_STATUS_FLOAT_DIVIDE_BY_ZERO", NT_STATUS_FLOAT_DIVIDE_BY_ZERO},
- {"NT_STATUS_FLOAT_INEXACT_RESULT", NT_STATUS_FLOAT_INEXACT_RESULT},
- {"NT_STATUS_FLOAT_INVALID_OPERATION",
- NT_STATUS_FLOAT_INVALID_OPERATION},
- {"NT_STATUS_FLOAT_OVERFLOW", NT_STATUS_FLOAT_OVERFLOW},
- {"NT_STATUS_FLOAT_STACK_CHECK", NT_STATUS_FLOAT_STACK_CHECK},
- {"NT_STATUS_FLOAT_UNDERFLOW", NT_STATUS_FLOAT_UNDERFLOW},
- {"NT_STATUS_INTEGER_DIVIDE_BY_ZERO",
- NT_STATUS_INTEGER_DIVIDE_BY_ZERO},
- {"NT_STATUS_INTEGER_OVERFLOW", NT_STATUS_INTEGER_OVERFLOW},
- {"NT_STATUS_PRIVILEGED_INSTRUCTION",
- NT_STATUS_PRIVILEGED_INSTRUCTION},
- {"NT_STATUS_TOO_MANY_PAGING_FILES",
- NT_STATUS_TOO_MANY_PAGING_FILES},
- {"NT_STATUS_FILE_INVALID", NT_STATUS_FILE_INVALID},
- {"NT_STATUS_ALLOTTED_SPACE_EXCEEDED",
- NT_STATUS_ALLOTTED_SPACE_EXCEEDED},
- {"NT_STATUS_INSUFFICIENT_RESOURCES",
- NT_STATUS_INSUFFICIENT_RESOURCES},
- {"NT_STATUS_DFS_EXIT_PATH_FOUND", NT_STATUS_DFS_EXIT_PATH_FOUND},
- {"NT_STATUS_DEVICE_DATA_ERROR", NT_STATUS_DEVICE_DATA_ERROR},
- {"NT_STATUS_DEVICE_NOT_CONNECTED", NT_STATUS_DEVICE_NOT_CONNECTED},
- {"NT_STATUS_DEVICE_POWER_FAILURE", NT_STATUS_DEVICE_POWER_FAILURE},
- {"NT_STATUS_FREE_VM_NOT_AT_BASE", NT_STATUS_FREE_VM_NOT_AT_BASE},
- {"NT_STATUS_MEMORY_NOT_ALLOCATED", NT_STATUS_MEMORY_NOT_ALLOCATED},
- {"NT_STATUS_WORKING_SET_QUOTA", NT_STATUS_WORKING_SET_QUOTA},
- {"NT_STATUS_MEDIA_WRITE_PROTECTED",
- NT_STATUS_MEDIA_WRITE_PROTECTED},
- {"NT_STATUS_DEVICE_NOT_READY", NT_STATUS_DEVICE_NOT_READY},
- {"NT_STATUS_INVALID_GROUP_ATTRIBUTES",
- NT_STATUS_INVALID_GROUP_ATTRIBUTES},
- {"NT_STATUS_BAD_IMPERSONATION_LEVEL",
- NT_STATUS_BAD_IMPERSONATION_LEVEL},
- {"NT_STATUS_CANT_OPEN_ANONYMOUS", NT_STATUS_CANT_OPEN_ANONYMOUS},
- {"NT_STATUS_BAD_VALIDATION_CLASS", NT_STATUS_BAD_VALIDATION_CLASS},
- {"NT_STATUS_BAD_TOKEN_TYPE", NT_STATUS_BAD_TOKEN_TYPE},
- {"NT_STATUS_BAD_MASTER_BOOT_RECORD",
- NT_STATUS_BAD_MASTER_BOOT_RECORD},
- {"NT_STATUS_INSTRUCTION_MISALIGNMENT",
- NT_STATUS_INSTRUCTION_MISALIGNMENT},
- {"NT_STATUS_INSTANCE_NOT_AVAILABLE",
- NT_STATUS_INSTANCE_NOT_AVAILABLE},
- {"NT_STATUS_PIPE_NOT_AVAILABLE", NT_STATUS_PIPE_NOT_AVAILABLE},
- {"NT_STATUS_INVALID_PIPE_STATE", NT_STATUS_INVALID_PIPE_STATE},
- {"NT_STATUS_PIPE_BUSY", NT_STATUS_PIPE_BUSY},
- {"NT_STATUS_ILLEGAL_FUNCTION", NT_STATUS_ILLEGAL_FUNCTION},
- {"NT_STATUS_PIPE_DISCONNECTED", NT_STATUS_PIPE_DISCONNECTED},
- {"NT_STATUS_PIPE_CLOSING", NT_STATUS_PIPE_CLOSING},
- {"NT_STATUS_PIPE_CONNECTED", NT_STATUS_PIPE_CONNECTED},
- {"NT_STATUS_PIPE_LISTENING", NT_STATUS_PIPE_LISTENING},
- {"NT_STATUS_INVALID_READ_MODE", NT_STATUS_INVALID_READ_MODE},
- {"NT_STATUS_IO_TIMEOUT", NT_STATUS_IO_TIMEOUT},
- {"NT_STATUS_FILE_FORCED_CLOSED", NT_STATUS_FILE_FORCED_CLOSED},
- {"NT_STATUS_PROFILING_NOT_STARTED",
- NT_STATUS_PROFILING_NOT_STARTED},
- {"NT_STATUS_PROFILING_NOT_STOPPED",
- NT_STATUS_PROFILING_NOT_STOPPED},
- {"NT_STATUS_COULD_NOT_INTERPRET", NT_STATUS_COULD_NOT_INTERPRET},
- {"NT_STATUS_FILE_IS_A_DIRECTORY", NT_STATUS_FILE_IS_A_DIRECTORY},
- {"NT_STATUS_NOT_SUPPORTED", NT_STATUS_NOT_SUPPORTED},
- {"NT_STATUS_REMOTE_NOT_LISTENING", NT_STATUS_REMOTE_NOT_LISTENING},
- {"NT_STATUS_DUPLICATE_NAME", NT_STATUS_DUPLICATE_NAME},
- {"NT_STATUS_BAD_NETWORK_PATH", NT_STATUS_BAD_NETWORK_PATH},
- {"NT_STATUS_NETWORK_BUSY", NT_STATUS_NETWORK_BUSY},
- {"NT_STATUS_DEVICE_DOES_NOT_EXIST",
- NT_STATUS_DEVICE_DOES_NOT_EXIST},
- {"NT_STATUS_TOO_MANY_COMMANDS", NT_STATUS_TOO_MANY_COMMANDS},
- {"NT_STATUS_ADAPTER_HARDWARE_ERROR",
- NT_STATUS_ADAPTER_HARDWARE_ERROR},
- {"NT_STATUS_INVALID_NETWORK_RESPONSE",
- NT_STATUS_INVALID_NETWORK_RESPONSE},
- {"NT_STATUS_UNEXPECTED_NETWORK_ERROR",
- NT_STATUS_UNEXPECTED_NETWORK_ERROR},
- {"NT_STATUS_BAD_REMOTE_ADAPTER", NT_STATUS_BAD_REMOTE_ADAPTER},
- {"NT_STATUS_PRINT_QUEUE_FULL", NT_STATUS_PRINT_QUEUE_FULL},
- {"NT_STATUS_NO_SPOOL_SPACE", NT_STATUS_NO_SPOOL_SPACE},
- {"NT_STATUS_PRINT_CANCELLED", NT_STATUS_PRINT_CANCELLED},
- {"NT_STATUS_NETWORK_NAME_DELETED", NT_STATUS_NETWORK_NAME_DELETED},
- {"NT_STATUS_NETWORK_ACCESS_DENIED",
- NT_STATUS_NETWORK_ACCESS_DENIED},
- {"NT_STATUS_BAD_DEVICE_TYPE", NT_STATUS_BAD_DEVICE_TYPE},
- {"NT_STATUS_BAD_NETWORK_NAME", NT_STATUS_BAD_NETWORK_NAME},
- {"NT_STATUS_TOO_MANY_NAMES", NT_STATUS_TOO_MANY_NAMES},
- {"NT_STATUS_TOO_MANY_SESSIONS", NT_STATUS_TOO_MANY_SESSIONS},
- {"NT_STATUS_SHARING_PAUSED", NT_STATUS_SHARING_PAUSED},
- {"NT_STATUS_REQUEST_NOT_ACCEPTED", NT_STATUS_REQUEST_NOT_ACCEPTED},
- {"NT_STATUS_REDIRECTOR_PAUSED", NT_STATUS_REDIRECTOR_PAUSED},
- {"NT_STATUS_NET_WRITE_FAULT", NT_STATUS_NET_WRITE_FAULT},
- {"NT_STATUS_PROFILING_AT_LIMIT", NT_STATUS_PROFILING_AT_LIMIT},
- {"NT_STATUS_NOT_SAME_DEVICE", NT_STATUS_NOT_SAME_DEVICE},
- {"NT_STATUS_FILE_RENAMED", NT_STATUS_FILE_RENAMED},
- {"NT_STATUS_VIRTUAL_CIRCUIT_CLOSED",
- NT_STATUS_VIRTUAL_CIRCUIT_CLOSED},
- {"NT_STATUS_NO_SECURITY_ON_OBJECT",
- NT_STATUS_NO_SECURITY_ON_OBJECT},
- {"NT_STATUS_CANT_WAIT", NT_STATUS_CANT_WAIT},
- {"NT_STATUS_PIPE_EMPTY", NT_STATUS_PIPE_EMPTY},
- {"NT_STATUS_CANT_ACCESS_DOMAIN_INFO",
- NT_STATUS_CANT_ACCESS_DOMAIN_INFO},
- {"NT_STATUS_CANT_TERMINATE_SELF", NT_STATUS_CANT_TERMINATE_SELF},
- {"NT_STATUS_INVALID_SERVER_STATE", NT_STATUS_INVALID_SERVER_STATE},
- {"NT_STATUS_INVALID_DOMAIN_STATE", NT_STATUS_INVALID_DOMAIN_STATE},
- {"NT_STATUS_INVALID_DOMAIN_ROLE", NT_STATUS_INVALID_DOMAIN_ROLE},
- {"NT_STATUS_NO_SUCH_DOMAIN", NT_STATUS_NO_SUCH_DOMAIN},
- {"NT_STATUS_DOMAIN_EXISTS", NT_STATUS_DOMAIN_EXISTS},
- {"NT_STATUS_DOMAIN_LIMIT_EXCEEDED",
- NT_STATUS_DOMAIN_LIMIT_EXCEEDED},
- {"NT_STATUS_OPLOCK_NOT_GRANTED", NT_STATUS_OPLOCK_NOT_GRANTED},
- {"NT_STATUS_INVALID_OPLOCK_PROTOCOL",
- NT_STATUS_INVALID_OPLOCK_PROTOCOL},
- {"NT_STATUS_INTERNAL_DB_CORRUPTION",
- NT_STATUS_INTERNAL_DB_CORRUPTION},
- {"NT_STATUS_INTERNAL_ERROR", NT_STATUS_INTERNAL_ERROR},
- {"NT_STATUS_GENERIC_NOT_MAPPED", NT_STATUS_GENERIC_NOT_MAPPED},
- {"NT_STATUS_BAD_DESCRIPTOR_FORMAT",
- NT_STATUS_BAD_DESCRIPTOR_FORMAT},
- {"NT_STATUS_INVALID_USER_BUFFER", NT_STATUS_INVALID_USER_BUFFER},
- {"NT_STATUS_UNEXPECTED_IO_ERROR", NT_STATUS_UNEXPECTED_IO_ERROR},
- {"NT_STATUS_UNEXPECTED_MM_CREATE_ERR",
- NT_STATUS_UNEXPECTED_MM_CREATE_ERR},
- {"NT_STATUS_UNEXPECTED_MM_MAP_ERROR",
- NT_STATUS_UNEXPECTED_MM_MAP_ERROR},
- {"NT_STATUS_UNEXPECTED_MM_EXTEND_ERR",
- NT_STATUS_UNEXPECTED_MM_EXTEND_ERR},
- {"NT_STATUS_NOT_LOGON_PROCESS", NT_STATUS_NOT_LOGON_PROCESS},
- {"NT_STATUS_LOGON_SESSION_EXISTS", NT_STATUS_LOGON_SESSION_EXISTS},
- {"NT_STATUS_INVALID_PARAMETER_1", NT_STATUS_INVALID_PARAMETER_1},
- {"NT_STATUS_INVALID_PARAMETER_2", NT_STATUS_INVALID_PARAMETER_2},
- {"NT_STATUS_INVALID_PARAMETER_3", NT_STATUS_INVALID_PARAMETER_3},
- {"NT_STATUS_INVALID_PARAMETER_4", NT_STATUS_INVALID_PARAMETER_4},
- {"NT_STATUS_INVALID_PARAMETER_5", NT_STATUS_INVALID_PARAMETER_5},
- {"NT_STATUS_INVALID_PARAMETER_6", NT_STATUS_INVALID_PARAMETER_6},
- {"NT_STATUS_INVALID_PARAMETER_7", NT_STATUS_INVALID_PARAMETER_7},
- {"NT_STATUS_INVALID_PARAMETER_8", NT_STATUS_INVALID_PARAMETER_8},
- {"NT_STATUS_INVALID_PARAMETER_9", NT_STATUS_INVALID_PARAMETER_9},
- {"NT_STATUS_INVALID_PARAMETER_10", NT_STATUS_INVALID_PARAMETER_10},
- {"NT_STATUS_INVALID_PARAMETER_11", NT_STATUS_INVALID_PARAMETER_11},
- {"NT_STATUS_INVALID_PARAMETER_12", NT_STATUS_INVALID_PARAMETER_12},
- {"NT_STATUS_REDIRECTOR_NOT_STARTED",
- NT_STATUS_REDIRECTOR_NOT_STARTED},
- {"NT_STATUS_REDIRECTOR_STARTED", NT_STATUS_REDIRECTOR_STARTED},
- {"NT_STATUS_STACK_OVERFLOW", NT_STATUS_STACK_OVERFLOW},
- {"NT_STATUS_NO_SUCH_PACKAGE", NT_STATUS_NO_SUCH_PACKAGE},
- {"NT_STATUS_BAD_FUNCTION_TABLE", NT_STATUS_BAD_FUNCTION_TABLE},
- {"NT_STATUS_DIRECTORY_NOT_EMPTY", NT_STATUS_DIRECTORY_NOT_EMPTY},
- {"NT_STATUS_FILE_CORRUPT_ERROR", NT_STATUS_FILE_CORRUPT_ERROR},
- {"NT_STATUS_NOT_A_DIRECTORY", NT_STATUS_NOT_A_DIRECTORY},
- {"NT_STATUS_BAD_LOGON_SESSION_STATE",
- NT_STATUS_BAD_LOGON_SESSION_STATE},
- {"NT_STATUS_LOGON_SESSION_COLLISION",
- NT_STATUS_LOGON_SESSION_COLLISION},
- {"NT_STATUS_NAME_TOO_LONG", NT_STATUS_NAME_TOO_LONG},
- {"NT_STATUS_FILES_OPEN", NT_STATUS_FILES_OPEN},
- {"NT_STATUS_CONNECTION_IN_USE", NT_STATUS_CONNECTION_IN_USE},
- {"NT_STATUS_MESSAGE_NOT_FOUND", NT_STATUS_MESSAGE_NOT_FOUND},
- {"NT_STATUS_PROCESS_IS_TERMINATING",
- NT_STATUS_PROCESS_IS_TERMINATING},
- {"NT_STATUS_INVALID_LOGON_TYPE", NT_STATUS_INVALID_LOGON_TYPE},
- {"NT_STATUS_NO_GUID_TRANSLATION", NT_STATUS_NO_GUID_TRANSLATION},
- {"NT_STATUS_CANNOT_IMPERSONATE", NT_STATUS_CANNOT_IMPERSONATE},
- {"NT_STATUS_IMAGE_ALREADY_LOADED", NT_STATUS_IMAGE_ALREADY_LOADED},
- {"NT_STATUS_ABIOS_NOT_PRESENT", NT_STATUS_ABIOS_NOT_PRESENT},
- {"NT_STATUS_ABIOS_LID_NOT_EXIST", NT_STATUS_ABIOS_LID_NOT_EXIST},
- {"NT_STATUS_ABIOS_LID_ALREADY_OWNED",
- NT_STATUS_ABIOS_LID_ALREADY_OWNED},
- {"NT_STATUS_ABIOS_NOT_LID_OWNER", NT_STATUS_ABIOS_NOT_LID_OWNER},
- {"NT_STATUS_ABIOS_INVALID_COMMAND",
- NT_STATUS_ABIOS_INVALID_COMMAND},
- {"NT_STATUS_ABIOS_INVALID_LID", NT_STATUS_ABIOS_INVALID_LID},
- {"NT_STATUS_ABIOS_SELECTOR_NOT_AVAILABLE",
- NT_STATUS_ABIOS_SELECTOR_NOT_AVAILABLE},
- {"NT_STATUS_ABIOS_INVALID_SELECTOR",
- NT_STATUS_ABIOS_INVALID_SELECTOR},
- {"NT_STATUS_NO_LDT", NT_STATUS_NO_LDT},
- {"NT_STATUS_INVALID_LDT_SIZE", NT_STATUS_INVALID_LDT_SIZE},
- {"NT_STATUS_INVALID_LDT_OFFSET", NT_STATUS_INVALID_LDT_OFFSET},
- {"NT_STATUS_INVALID_LDT_DESCRIPTOR",
- NT_STATUS_INVALID_LDT_DESCRIPTOR},
- {"NT_STATUS_INVALID_IMAGE_NE_FORMAT",
- NT_STATUS_INVALID_IMAGE_NE_FORMAT},
- {"NT_STATUS_RXACT_INVALID_STATE", NT_STATUS_RXACT_INVALID_STATE},
- {"NT_STATUS_RXACT_COMMIT_FAILURE", NT_STATUS_RXACT_COMMIT_FAILURE},
- {"NT_STATUS_MAPPED_FILE_SIZE_ZERO",
- NT_STATUS_MAPPED_FILE_SIZE_ZERO},
- {"NT_STATUS_TOO_MANY_OPENED_FILES",
- NT_STATUS_TOO_MANY_OPENED_FILES},
- {"NT_STATUS_CANCELLED", NT_STATUS_CANCELLED},
- {"NT_STATUS_CANNOT_DELETE", NT_STATUS_CANNOT_DELETE},
- {"NT_STATUS_INVALID_COMPUTER_NAME",
- NT_STATUS_INVALID_COMPUTER_NAME},
- {"NT_STATUS_FILE_DELETED", NT_STATUS_FILE_DELETED},
- {"NT_STATUS_SPECIAL_ACCOUNT", NT_STATUS_SPECIAL_ACCOUNT},
- {"NT_STATUS_SPECIAL_GROUP", NT_STATUS_SPECIAL_GROUP},
- {"NT_STATUS_SPECIAL_USER", NT_STATUS_SPECIAL_USER},
- {"NT_STATUS_MEMBERS_PRIMARY_GROUP",
- NT_STATUS_MEMBERS_PRIMARY_GROUP},
- {"NT_STATUS_FILE_CLOSED", NT_STATUS_FILE_CLOSED},
- {"NT_STATUS_TOO_MANY_THREADS", NT_STATUS_TOO_MANY_THREADS},
- {"NT_STATUS_THREAD_NOT_IN_PROCESS",
- NT_STATUS_THREAD_NOT_IN_PROCESS},
- {"NT_STATUS_TOKEN_ALREADY_IN_USE", NT_STATUS_TOKEN_ALREADY_IN_USE},
- {"NT_STATUS_PAGEFILE_QUOTA_EXCEEDED",
- NT_STATUS_PAGEFILE_QUOTA_EXCEEDED},
- {"NT_STATUS_COMMITMENT_LIMIT", NT_STATUS_COMMITMENT_LIMIT},
- {"NT_STATUS_INVALID_IMAGE_LE_FORMAT",
- NT_STATUS_INVALID_IMAGE_LE_FORMAT},
- {"NT_STATUS_INVALID_IMAGE_NOT_MZ", NT_STATUS_INVALID_IMAGE_NOT_MZ},
- {"NT_STATUS_INVALID_IMAGE_PROTECT",
- NT_STATUS_INVALID_IMAGE_PROTECT},
- {"NT_STATUS_INVALID_IMAGE_WIN_16", NT_STATUS_INVALID_IMAGE_WIN_16},
- {"NT_STATUS_LOGON_SERVER_CONFLICT",
- NT_STATUS_LOGON_SERVER_CONFLICT},
- {"NT_STATUS_TIME_DIFFERENCE_AT_DC",
- NT_STATUS_TIME_DIFFERENCE_AT_DC},
- {"NT_STATUS_SYNCHRONIZATION_REQUIRED",
- NT_STATUS_SYNCHRONIZATION_REQUIRED},
- {"NT_STATUS_DLL_NOT_FOUND", NT_STATUS_DLL_NOT_FOUND},
- {"NT_STATUS_OPEN_FAILED", NT_STATUS_OPEN_FAILED},
- {"NT_STATUS_IO_PRIVILEGE_FAILED", NT_STATUS_IO_PRIVILEGE_FAILED},
- {"NT_STATUS_ORDINAL_NOT_FOUND", NT_STATUS_ORDINAL_NOT_FOUND},
- {"NT_STATUS_ENTRYPOINT_NOT_FOUND", NT_STATUS_ENTRYPOINT_NOT_FOUND},
- {"NT_STATUS_CONTROL_C_EXIT", NT_STATUS_CONTROL_C_EXIT},
- {"NT_STATUS_LOCAL_DISCONNECT", NT_STATUS_LOCAL_DISCONNECT},
- {"NT_STATUS_REMOTE_DISCONNECT", NT_STATUS_REMOTE_DISCONNECT},
- {"NT_STATUS_REMOTE_RESOURCES", NT_STATUS_REMOTE_RESOURCES},
- {"NT_STATUS_LINK_FAILED", NT_STATUS_LINK_FAILED},
- {"NT_STATUS_LINK_TIMEOUT", NT_STATUS_LINK_TIMEOUT},
- {"NT_STATUS_INVALID_CONNECTION", NT_STATUS_INVALID_CONNECTION},
- {"NT_STATUS_INVALID_ADDRESS", NT_STATUS_INVALID_ADDRESS},
- {"NT_STATUS_DLL_INIT_FAILED", NT_STATUS_DLL_INIT_FAILED},
- {"NT_STATUS_MISSING_SYSTEMFILE", NT_STATUS_MISSING_SYSTEMFILE},
- {"NT_STATUS_UNHANDLED_EXCEPTION", NT_STATUS_UNHANDLED_EXCEPTION},
- {"NT_STATUS_APP_INIT_FAILURE", NT_STATUS_APP_INIT_FAILURE},
- {"NT_STATUS_PAGEFILE_CREATE_FAILED",
- NT_STATUS_PAGEFILE_CREATE_FAILED},
- {"NT_STATUS_NO_PAGEFILE", NT_STATUS_NO_PAGEFILE},
- {"NT_STATUS_INVALID_LEVEL", NT_STATUS_INVALID_LEVEL},
- {"NT_STATUS_WRONG_PASSWORD_CORE", NT_STATUS_WRONG_PASSWORD_CORE},
- {"NT_STATUS_ILLEGAL_FLOAT_CONTEXT",
- NT_STATUS_ILLEGAL_FLOAT_CONTEXT},
- {"NT_STATUS_PIPE_BROKEN", NT_STATUS_PIPE_BROKEN},
- {"NT_STATUS_REGISTRY_CORRUPT", NT_STATUS_REGISTRY_CORRUPT},
- {"NT_STATUS_REGISTRY_IO_FAILED", NT_STATUS_REGISTRY_IO_FAILED},
- {"NT_STATUS_NO_EVENT_PAIR", NT_STATUS_NO_EVENT_PAIR},
- {"NT_STATUS_UNRECOGNIZED_VOLUME", NT_STATUS_UNRECOGNIZED_VOLUME},
- {"NT_STATUS_SERIAL_NO_DEVICE_INITED",
- NT_STATUS_SERIAL_NO_DEVICE_INITED},
- {"NT_STATUS_NO_SUCH_ALIAS", NT_STATUS_NO_SUCH_ALIAS},
- {"NT_STATUS_MEMBER_NOT_IN_ALIAS", NT_STATUS_MEMBER_NOT_IN_ALIAS},
- {"NT_STATUS_MEMBER_IN_ALIAS", NT_STATUS_MEMBER_IN_ALIAS},
- {"NT_STATUS_ALIAS_EXISTS", NT_STATUS_ALIAS_EXISTS},
- {"NT_STATUS_LOGON_NOT_GRANTED", NT_STATUS_LOGON_NOT_GRANTED},
- {"NT_STATUS_TOO_MANY_SECRETS", NT_STATUS_TOO_MANY_SECRETS},
- {"NT_STATUS_SECRET_TOO_LONG", NT_STATUS_SECRET_TOO_LONG},
- {"NT_STATUS_INTERNAL_DB_ERROR", NT_STATUS_INTERNAL_DB_ERROR},
- {"NT_STATUS_FULLSCREEN_MODE", NT_STATUS_FULLSCREEN_MODE},
- {"NT_STATUS_TOO_MANY_CONTEXT_IDS", NT_STATUS_TOO_MANY_CONTEXT_IDS},
- {"NT_STATUS_LOGON_TYPE_NOT_GRANTED",
- NT_STATUS_LOGON_TYPE_NOT_GRANTED},
- {"NT_STATUS_NOT_REGISTRY_FILE", NT_STATUS_NOT_REGISTRY_FILE},
- {"NT_STATUS_NT_CROSS_ENCRYPTION_REQUIRED",
- NT_STATUS_NT_CROSS_ENCRYPTION_REQUIRED},
- {"NT_STATUS_DOMAIN_CTRLR_CONFIG_ERROR",
- NT_STATUS_DOMAIN_CTRLR_CONFIG_ERROR},
- {"NT_STATUS_FT_MISSING_MEMBER", NT_STATUS_FT_MISSING_MEMBER},
- {"NT_STATUS_ILL_FORMED_SERVICE_ENTRY",
- NT_STATUS_ILL_FORMED_SERVICE_ENTRY},
- {"NT_STATUS_ILLEGAL_CHARACTER", NT_STATUS_ILLEGAL_CHARACTER},
- {"NT_STATUS_UNMAPPABLE_CHARACTER", NT_STATUS_UNMAPPABLE_CHARACTER},
- {"NT_STATUS_UNDEFINED_CHARACTER", NT_STATUS_UNDEFINED_CHARACTER},
- {"NT_STATUS_FLOPPY_VOLUME", NT_STATUS_FLOPPY_VOLUME},
- {"NT_STATUS_FLOPPY_ID_MARK_NOT_FOUND",
- NT_STATUS_FLOPPY_ID_MARK_NOT_FOUND},
- {"NT_STATUS_FLOPPY_WRONG_CYLINDER",
- NT_STATUS_FLOPPY_WRONG_CYLINDER},
- {"NT_STATUS_FLOPPY_UNKNOWN_ERROR", NT_STATUS_FLOPPY_UNKNOWN_ERROR},
- {"NT_STATUS_FLOPPY_BAD_REGISTERS", NT_STATUS_FLOPPY_BAD_REGISTERS},
- {"NT_STATUS_DISK_RECALIBRATE_FAILED",
- NT_STATUS_DISK_RECALIBRATE_FAILED},
- {"NT_STATUS_DISK_OPERATION_FAILED",
- NT_STATUS_DISK_OPERATION_FAILED},
- {"NT_STATUS_DISK_RESET_FAILED", NT_STATUS_DISK_RESET_FAILED},
- {"NT_STATUS_SHARED_IRQ_BUSY", NT_STATUS_SHARED_IRQ_BUSY},
- {"NT_STATUS_FT_ORPHANING", NT_STATUS_FT_ORPHANING},
- {"NT_STATUS_PARTITION_FAILURE", NT_STATUS_PARTITION_FAILURE},
- {"NT_STATUS_INVALID_BLOCK_LENGTH", NT_STATUS_INVALID_BLOCK_LENGTH},
- {"NT_STATUS_DEVICE_NOT_PARTITIONED",
- NT_STATUS_DEVICE_NOT_PARTITIONED},
- {"NT_STATUS_UNABLE_TO_LOCK_MEDIA", NT_STATUS_UNABLE_TO_LOCK_MEDIA},
- {"NT_STATUS_UNABLE_TO_UNLOAD_MEDIA",
- NT_STATUS_UNABLE_TO_UNLOAD_MEDIA},
- {"NT_STATUS_EOM_OVERFLOW", NT_STATUS_EOM_OVERFLOW},
- {"NT_STATUS_NO_MEDIA", NT_STATUS_NO_MEDIA},
- {"NT_STATUS_NO_SUCH_MEMBER", NT_STATUS_NO_SUCH_MEMBER},
- {"NT_STATUS_INVALID_MEMBER", NT_STATUS_INVALID_MEMBER},
- {"NT_STATUS_KEY_DELETED", NT_STATUS_KEY_DELETED},
- {"NT_STATUS_NO_LOG_SPACE", NT_STATUS_NO_LOG_SPACE},
- {"NT_STATUS_TOO_MANY_SIDS", NT_STATUS_TOO_MANY_SIDS},
- {"NT_STATUS_LM_CROSS_ENCRYPTION_REQUIRED",
- NT_STATUS_LM_CROSS_ENCRYPTION_REQUIRED},
- {"NT_STATUS_KEY_HAS_CHILDREN", NT_STATUS_KEY_HAS_CHILDREN},
- {"NT_STATUS_CHILD_MUST_BE_VOLATILE",
- NT_STATUS_CHILD_MUST_BE_VOLATILE},
- {"NT_STATUS_DEVICE_CONFIGURATION_ERROR",
- NT_STATUS_DEVICE_CONFIGURATION_ERROR},
- {"NT_STATUS_DRIVER_INTERNAL_ERROR",
- NT_STATUS_DRIVER_INTERNAL_ERROR},
- {"NT_STATUS_INVALID_DEVICE_STATE", NT_STATUS_INVALID_DEVICE_STATE},
- {"NT_STATUS_IO_DEVICE_ERROR", NT_STATUS_IO_DEVICE_ERROR},
- {"NT_STATUS_DEVICE_PROTOCOL_ERROR",
- NT_STATUS_DEVICE_PROTOCOL_ERROR},
- {"NT_STATUS_BACKUP_CONTROLLER", NT_STATUS_BACKUP_CONTROLLER},
- {"NT_STATUS_LOG_FILE_FULL", NT_STATUS_LOG_FILE_FULL},
- {"NT_STATUS_TOO_LATE", NT_STATUS_TOO_LATE},
- {"NT_STATUS_NO_TRUST_LSA_SECRET", NT_STATUS_NO_TRUST_LSA_SECRET},
- {"NT_STATUS_NO_TRUST_SAM_ACCOUNT", NT_STATUS_NO_TRUST_SAM_ACCOUNT},
- {"NT_STATUS_TRUSTED_DOMAIN_FAILURE",
- NT_STATUS_TRUSTED_DOMAIN_FAILURE},
- {"NT_STATUS_TRUSTED_RELATIONSHIP_FAILURE",
- NT_STATUS_TRUSTED_RELATIONSHIP_FAILURE},
- {"NT_STATUS_EVENTLOG_FILE_CORRUPT",
- NT_STATUS_EVENTLOG_FILE_CORRUPT},
- {"NT_STATUS_EVENTLOG_CANT_START", NT_STATUS_EVENTLOG_CANT_START},
- {"NT_STATUS_TRUST_FAILURE", NT_STATUS_TRUST_FAILURE},
- {"NT_STATUS_MUTANT_LIMIT_EXCEEDED",
- NT_STATUS_MUTANT_LIMIT_EXCEEDED},
- {"NT_STATUS_NETLOGON_NOT_STARTED", NT_STATUS_NETLOGON_NOT_STARTED},
- {"NT_STATUS_ACCOUNT_EXPIRED", NT_STATUS_ACCOUNT_EXPIRED},
- {"NT_STATUS_POSSIBLE_DEADLOCK", NT_STATUS_POSSIBLE_DEADLOCK},
- {"NT_STATUS_NETWORK_CREDENTIAL_CONFLICT",
- NT_STATUS_NETWORK_CREDENTIAL_CONFLICT},
- {"NT_STATUS_REMOTE_SESSION_LIMIT", NT_STATUS_REMOTE_SESSION_LIMIT},
- {"NT_STATUS_EVENTLOG_FILE_CHANGED",
- NT_STATUS_EVENTLOG_FILE_CHANGED},
- {"NT_STATUS_NOLOGON_INTERDOMAIN_TRUST_ACCOUNT",
- NT_STATUS_NOLOGON_INTERDOMAIN_TRUST_ACCOUNT},
- {"NT_STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT",
- NT_STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT},
- {"NT_STATUS_NOLOGON_SERVER_TRUST_ACCOUNT",
- NT_STATUS_NOLOGON_SERVER_TRUST_ACCOUNT},
- {"NT_STATUS_DOMAIN_TRUST_INCONSISTENT",
- NT_STATUS_DOMAIN_TRUST_INCONSISTENT},
- {"NT_STATUS_FS_DRIVER_REQUIRED", NT_STATUS_FS_DRIVER_REQUIRED},
- {"NT_STATUS_NO_USER_SESSION_KEY", NT_STATUS_NO_USER_SESSION_KEY},
- {"NT_STATUS_USER_SESSION_DELETED", NT_STATUS_USER_SESSION_DELETED},
- {"NT_STATUS_RESOURCE_LANG_NOT_FOUND",
- NT_STATUS_RESOURCE_LANG_NOT_FOUND},
- {"NT_STATUS_INSUFF_SERVER_RESOURCES",
- NT_STATUS_INSUFF_SERVER_RESOURCES},
- {"NT_STATUS_INVALID_BUFFER_SIZE", NT_STATUS_INVALID_BUFFER_SIZE},
- {"NT_STATUS_INVALID_ADDRESS_COMPONENT",
- NT_STATUS_INVALID_ADDRESS_COMPONENT},
- {"NT_STATUS_INVALID_ADDRESS_WILDCARD",
- NT_STATUS_INVALID_ADDRESS_WILDCARD},
- {"NT_STATUS_TOO_MANY_ADDRESSES", NT_STATUS_TOO_MANY_ADDRESSES},
- {"NT_STATUS_ADDRESS_ALREADY_EXISTS",
- NT_STATUS_ADDRESS_ALREADY_EXISTS},
- {"NT_STATUS_ADDRESS_CLOSED", NT_STATUS_ADDRESS_CLOSED},
- {"NT_STATUS_CONNECTION_DISCONNECTED",
- NT_STATUS_CONNECTION_DISCONNECTED},
- {"NT_STATUS_CONNECTION_RESET", NT_STATUS_CONNECTION_RESET},
- {"NT_STATUS_TOO_MANY_NODES", NT_STATUS_TOO_MANY_NODES},
- {"NT_STATUS_TRANSACTION_ABORTED", NT_STATUS_TRANSACTION_ABORTED},
- {"NT_STATUS_TRANSACTION_TIMED_OUT",
- NT_STATUS_TRANSACTION_TIMED_OUT},
- {"NT_STATUS_TRANSACTION_NO_RELEASE",
- NT_STATUS_TRANSACTION_NO_RELEASE},
- {"NT_STATUS_TRANSACTION_NO_MATCH", NT_STATUS_TRANSACTION_NO_MATCH},
- {"NT_STATUS_TRANSACTION_RESPONDED",
- NT_STATUS_TRANSACTION_RESPONDED},
- {"NT_STATUS_TRANSACTION_INVALID_ID",
- NT_STATUS_TRANSACTION_INVALID_ID},
- {"NT_STATUS_TRANSACTION_INVALID_TYPE",
- NT_STATUS_TRANSACTION_INVALID_TYPE},
- {"NT_STATUS_NOT_SERVER_SESSION", NT_STATUS_NOT_SERVER_SESSION},
- {"NT_STATUS_NOT_CLIENT_SESSION", NT_STATUS_NOT_CLIENT_SESSION},
- {"NT_STATUS_CANNOT_LOAD_REGISTRY_FILE",
- NT_STATUS_CANNOT_LOAD_REGISTRY_FILE},
- {"NT_STATUS_DEBUG_ATTACH_FAILED", NT_STATUS_DEBUG_ATTACH_FAILED},
- {"NT_STATUS_SYSTEM_PROCESS_TERMINATED",
- NT_STATUS_SYSTEM_PROCESS_TERMINATED},
- {"NT_STATUS_DATA_NOT_ACCEPTED", NT_STATUS_DATA_NOT_ACCEPTED},
- {"NT_STATUS_NO_BROWSER_SERVERS_FOUND",
- NT_STATUS_NO_BROWSER_SERVERS_FOUND},
- {"NT_STATUS_VDM_HARD_ERROR", NT_STATUS_VDM_HARD_ERROR},
- {"NT_STATUS_DRIVER_CANCEL_TIMEOUT",
- NT_STATUS_DRIVER_CANCEL_TIMEOUT},
- {"NT_STATUS_REPLY_MESSAGE_MISMATCH",
- NT_STATUS_REPLY_MESSAGE_MISMATCH},
- {"NT_STATUS_MAPPED_ALIGNMENT", NT_STATUS_MAPPED_ALIGNMENT},
- {"NT_STATUS_IMAGE_CHECKSUM_MISMATCH",
- NT_STATUS_IMAGE_CHECKSUM_MISMATCH},
- {"NT_STATUS_LOST_WRITEBEHIND_DATA",
- NT_STATUS_LOST_WRITEBEHIND_DATA},
- {"NT_STATUS_CLIENT_SERVER_PARAMETERS_INVALID",
- NT_STATUS_CLIENT_SERVER_PARAMETERS_INVALID},
- {"NT_STATUS_PASSWORD_MUST_CHANGE", NT_STATUS_PASSWORD_MUST_CHANGE},
- {"NT_STATUS_NOT_FOUND", NT_STATUS_NOT_FOUND},
- {"NT_STATUS_NOT_TINY_STREAM", NT_STATUS_NOT_TINY_STREAM},
- {"NT_STATUS_RECOVERY_FAILURE", NT_STATUS_RECOVERY_FAILURE},
- {"NT_STATUS_STACK_OVERFLOW_READ", NT_STATUS_STACK_OVERFLOW_READ},
- {"NT_STATUS_FAIL_CHECK", NT_STATUS_FAIL_CHECK},
- {"NT_STATUS_DUPLICATE_OBJECTID", NT_STATUS_DUPLICATE_OBJECTID},
- {"NT_STATUS_OBJECTID_EXISTS", NT_STATUS_OBJECTID_EXISTS},
- {"NT_STATUS_CONVERT_TO_LARGE", NT_STATUS_CONVERT_TO_LARGE},
- {"NT_STATUS_RETRY", NT_STATUS_RETRY},
- {"NT_STATUS_FOUND_OUT_OF_SCOPE", NT_STATUS_FOUND_OUT_OF_SCOPE},
- {"NT_STATUS_ALLOCATE_BUCKET", NT_STATUS_ALLOCATE_BUCKET},
- {"NT_STATUS_PROPSET_NOT_FOUND", NT_STATUS_PROPSET_NOT_FOUND},
- {"NT_STATUS_MARSHALL_OVERFLOW", NT_STATUS_MARSHALL_OVERFLOW},
- {"NT_STATUS_INVALID_VARIANT", NT_STATUS_INVALID_VARIANT},
- {"NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND",
- NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND},
- {"NT_STATUS_ACCOUNT_LOCKED_OUT", NT_STATUS_ACCOUNT_LOCKED_OUT},
- {"NT_STATUS_HANDLE_NOT_CLOSABLE", NT_STATUS_HANDLE_NOT_CLOSABLE},
- {"NT_STATUS_CONNECTION_REFUSED", NT_STATUS_CONNECTION_REFUSED},
- {"NT_STATUS_GRACEFUL_DISCONNECT", NT_STATUS_GRACEFUL_DISCONNECT},
- {"NT_STATUS_ADDRESS_ALREADY_ASSOCIATED",
- NT_STATUS_ADDRESS_ALREADY_ASSOCIATED},
- {"NT_STATUS_ADDRESS_NOT_ASSOCIATED",
- NT_STATUS_ADDRESS_NOT_ASSOCIATED},
- {"NT_STATUS_CONNECTION_INVALID", NT_STATUS_CONNECTION_INVALID},
- {"NT_STATUS_CONNECTION_ACTIVE", NT_STATUS_CONNECTION_ACTIVE},
- {"NT_STATUS_NETWORK_UNREACHABLE", NT_STATUS_NETWORK_UNREACHABLE},
- {"NT_STATUS_HOST_UNREACHABLE", NT_STATUS_HOST_UNREACHABLE},
- {"NT_STATUS_PROTOCOL_UNREACHABLE", NT_STATUS_PROTOCOL_UNREACHABLE},
- {"NT_STATUS_PORT_UNREACHABLE", NT_STATUS_PORT_UNREACHABLE},
- {"NT_STATUS_REQUEST_ABORTED", NT_STATUS_REQUEST_ABORTED},
- {"NT_STATUS_CONNECTION_ABORTED", NT_STATUS_CONNECTION_ABORTED},
- {"NT_STATUS_BAD_COMPRESSION_BUFFER",
- NT_STATUS_BAD_COMPRESSION_BUFFER},
- {"NT_STATUS_USER_MAPPED_FILE", NT_STATUS_USER_MAPPED_FILE},
- {"NT_STATUS_AUDIT_FAILED", NT_STATUS_AUDIT_FAILED},
- {"NT_STATUS_TIMER_RESOLUTION_NOT_SET",
- NT_STATUS_TIMER_RESOLUTION_NOT_SET},
- {"NT_STATUS_CONNECTION_COUNT_LIMIT",
- NT_STATUS_CONNECTION_COUNT_LIMIT},
- {"NT_STATUS_LOGIN_TIME_RESTRICTION",
- NT_STATUS_LOGIN_TIME_RESTRICTION},
- {"NT_STATUS_LOGIN_WKSTA_RESTRICTION",
- NT_STATUS_LOGIN_WKSTA_RESTRICTION},
- {"NT_STATUS_IMAGE_MP_UP_MISMATCH", NT_STATUS_IMAGE_MP_UP_MISMATCH},
- {"NT_STATUS_INSUFFICIENT_LOGON_INFO",
- NT_STATUS_INSUFFICIENT_LOGON_INFO},
- {"NT_STATUS_BAD_DLL_ENTRYPOINT", NT_STATUS_BAD_DLL_ENTRYPOINT},
- {"NT_STATUS_BAD_SERVICE_ENTRYPOINT",
- NT_STATUS_BAD_SERVICE_ENTRYPOINT},
- {"NT_STATUS_LPC_REPLY_LOST", NT_STATUS_LPC_REPLY_LOST},
- {"NT_STATUS_IP_ADDRESS_CONFLICT1", NT_STATUS_IP_ADDRESS_CONFLICT1},
- {"NT_STATUS_IP_ADDRESS_CONFLICT2", NT_STATUS_IP_ADDRESS_CONFLICT2},
- {"NT_STATUS_REGISTRY_QUOTA_LIMIT", NT_STATUS_REGISTRY_QUOTA_LIMIT},
- {"NT_STATUS_PATH_NOT_COVERED", NT_STATUS_PATH_NOT_COVERED},
- {"NT_STATUS_NO_CALLBACK_ACTIVE", NT_STATUS_NO_CALLBACK_ACTIVE},
- {"NT_STATUS_LICENSE_QUOTA_EXCEEDED",
- NT_STATUS_LICENSE_QUOTA_EXCEEDED},
- {"NT_STATUS_PWD_TOO_SHORT", NT_STATUS_PWD_TOO_SHORT},
- {"NT_STATUS_PWD_TOO_RECENT", NT_STATUS_PWD_TOO_RECENT},
- {"NT_STATUS_PWD_HISTORY_CONFLICT", NT_STATUS_PWD_HISTORY_CONFLICT},
- {"NT_STATUS_PLUGPLAY_NO_DEVICE", NT_STATUS_PLUGPLAY_NO_DEVICE},
- {"NT_STATUS_UNSUPPORTED_COMPRESSION",
- NT_STATUS_UNSUPPORTED_COMPRESSION},
- {"NT_STATUS_INVALID_HW_PROFILE", NT_STATUS_INVALID_HW_PROFILE},
- {"NT_STATUS_INVALID_PLUGPLAY_DEVICE_PATH",
- NT_STATUS_INVALID_PLUGPLAY_DEVICE_PATH},
- {"NT_STATUS_DRIVER_ORDINAL_NOT_FOUND",
- NT_STATUS_DRIVER_ORDINAL_NOT_FOUND},
- {"NT_STATUS_DRIVER_ENTRYPOINT_NOT_FOUND",
- NT_STATUS_DRIVER_ENTRYPOINT_NOT_FOUND},
- {"NT_STATUS_RESOURCE_NOT_OWNED", NT_STATUS_RESOURCE_NOT_OWNED},
- {"NT_STATUS_TOO_MANY_LINKS", NT_STATUS_TOO_MANY_LINKS},
- {"NT_STATUS_QUOTA_LIST_INCONSISTENT",
- NT_STATUS_QUOTA_LIST_INCONSISTENT},
- {"NT_STATUS_FILE_IS_OFFLINE", NT_STATUS_FILE_IS_OFFLINE},
- {"NT_STATUS_NO_MORE_ENTRIES", NT_STATUS_NO_MORE_ENTRIES},
- {"NT_STATUS_MORE_ENTRIES", NT_STATUS_MORE_ENTRIES},
- {"NT_STATUS_SOME_UNMAPPED", NT_STATUS_SOME_UNMAPPED},
- {NULL, 0}
-};
diff --git a/fs/cifsd/nterr.h b/fs/cifsd/nterr.h
index 9f5004b69d30..a66100e74741 100644
--- a/fs/cifsd/nterr.h
+++ b/fs/cifsd/nterr.h
@@ -14,13 +14,6 @@
#ifndef _NTERR_H
#define _NTERR_H
-struct nt_err_code_struct {
- char *nt_errstr;
- __u32 nt_errcode;
-};
-
-extern const struct nt_err_code_struct nt_errs[];
-
/* Win32 Status codes. */
#define NT_STATUS_MORE_ENTRIES 0x0105
#define NT_ERROR_INVALID_PARAMETER 0x0057
From patchwork Mon Nov 14 12:49:16 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Jason Yan <yanaijie(a)huawei.com>
X-Patchwork-Id: 183144
Return-Path: <yanaijie(a)huawei.com>
From: Jason Yan <yanaijie(a)huawei.com>
To: <yanaijie(a)huawei.com>, <zhengzengkai(a)huawei.com>, <xiexiuqi(a)huawei.com>,
<yi.zhang(a)huawei.com>, <patchwork(a)huawei.com>, <kernel.openeuler(a)huawei.com>,
<houtao1(a)huawei.com>
Subject: [PATCH OLK-5.10 v2 047/308] cifsd: move nt time functions to misc.c
Date: Mon, 14 Nov 2022 20:49:16 +0800
Message-ID: <20221114125337.1831594-48-yanaijie(a)huawei.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20221114125337.1831594-1-yanaijie(a)huawei.com>
References: <20221114125337.1831594-1-yanaijie(a)huawei.com>
Content-Type: text/plain
From: Namjae Jeon <namjae.jeon(a)samsung.com>
mainline inclusion
from mainline-5.15-rc1
commit 5626518ecaa50ffa5797e516a47a0b1392db1aa9
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G
CVE: NA
Reference: https://git.kernel.org/torvalds/linux/c/5626518ecaa5
-------------------------------
Move nt time functions in netmisc.c to misc.c to remove netmisc.c file.
Signed-off-by: Namjae Jeon <namjae.jeon(a)samsung.com>
Signed-off-by: Steve French <stfrench(a)microsoft.com>
Signed-off-by: Jason Yan <yanaijie(a)huawei.com>
---
fs/cifsd/misc.c | 46 ++++++++++++++++++++++++++++++++++
fs/cifsd/misc.h | 6 +++++
fs/cifsd/netmisc.c | 58 -------------------------------------------
fs/cifsd/smb_common.h | 6 -----
fs/cifsd/vfs.c | 1 +
5 files changed, 53 insertions(+), 64 deletions(-)
delete mode 100644 fs/cifsd/netmisc.c
diff --git a/fs/cifsd/misc.c b/fs/cifsd/misc.c
index cbaaecf2eca1..7fa6649fadfd 100644
--- a/fs/cifsd/misc.c
+++ b/fs/cifsd/misc.c
@@ -292,3 +292,49 @@ char *ksmbd_convert_dir_info_name(struct ksmbd_dir_info *d_info,
conv[*conv_len + 1] = 0x00;
return conv;
}
+
+/*
+ * Convert the NT UTC (based 1601-01-01, in hundred nanosecond units)
+ * into Unix UTC (based 1970-01-01, in seconds).
+ */
+struct timespec64 ksmbd_NTtimeToUnix(__le64 ntutc)
+{
+ struct timespec64 ts;
+
+ /* Subtract the NTFS time offset, then convert to 1s intervals. */
+ s64 t = le64_to_cpu(ntutc) - NTFS_TIME_OFFSET;
+ u64 abs_t;
+
+ /*
+ * Unfortunately can not use normal 64 bit division on 32 bit arch, but
+ * the alternative, do_div, does not work with negative numbers so have
+ * to special case them
+ */
+ if (t < 0) {
+ abs_t = -t;
+ ts.tv_nsec = do_div(abs_t, 10000000) * 100;
+ ts.tv_nsec = -ts.tv_nsec;
+ ts.tv_sec = -abs_t;
+ } else {
+ abs_t = t;
+ ts.tv_nsec = do_div(abs_t, 10000000) * 100;
+ ts.tv_sec = abs_t;
+ }
+
+ return ts;
+}
+
+/* Convert the Unix UTC into NT UTC. */
+inline u64 ksmbd_UnixTimeToNT(struct timespec64 t)
+{
+ /* Convert to 100ns intervals and then add the NTFS time offset. */
+ return (u64)t.tv_sec * 10000000 + t.tv_nsec / 100 + NTFS_TIME_OFFSET;
+}
+
+inline long long ksmbd_systime(void)
+{
+ struct timespec64 ts;
+
+ ktime_get_real_ts64(&ts);
+ return ksmbd_UnixTimeToNT(ts);
+}
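Review bot: in ksmbd_NTtimeToUnix(), the `t < 0` branch negates both fields, so a pre-1970 NT time with a non-zero remainder is returned with a negative tv_nsec, which is not a normalized timespec64 (tv_nsec is expected in 0..NSEC_PER_SEC-1). ntutc is a little-endian value run through le64_to_cpu(), so it originates in a protocol or stored field rather than in kernel-generated time, and callers that pass the result on will see the denormalized value. Suggest normalizing in that branch (when the remainder is non-zero, subtract one more second and use NSEC_PER_SEC minus the remainder). The code is moved unchanged from netmisc.c, so a follow-up patch would be fine.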
diff --git a/fs/cifsd/misc.h b/fs/cifsd/misc.h
index 73b21709b6c9..e4bd02a8d45f 100644
--- a/fs/cifsd/misc.h
+++ b/fs/cifsd/misc.h
@@ -35,4 +35,10 @@ struct ksmbd_dir_info;
char *ksmbd_convert_dir_info_name(struct ksmbd_dir_info *d_info,
const struct nls_table *local_nls,
int *conv_len);
+
+#define NTFS_TIME_OFFSET ((u64)(369 * 365 + 89) * 24 * 3600 * 10000000)
+
+struct timespec64 ksmbd_NTtimeToUnix(__le64 ntutc);
+u64 ksmbd_UnixTimeToNT(struct timespec64 t);
+long long ksmbd_systime(void);
#endif /* __KSMBD_MISC_H__ */
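Review bot: the prototypes for ksmbd_UnixTimeToNT() and ksmbd_systime() added here are plain external declarations, while the misc.c hunk defines both with a bare `inline`. Drop `inline` from the definitions, or move them into this header as `static inline`, so declaration and definition agree. ksmbd_systime() is also declared `long long` although it returns the u64 from ksmbd_UnixTimeToNT(); declaring it u64 would avoid the implicit signed conversion.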
diff --git a/fs/cifsd/netmisc.c b/fs/cifsd/netmisc.c
deleted file mode 100644
index 8f052434b64c..000000000000
--- a/fs/cifsd/netmisc.c
+++ /dev/null
@@ -1,58 +0,0 @@
-// SPDX-License-Identifier: GPL-2.0-or-later
-/*
- * Copyright (c) International Business Machines Corp., 2002,2008
- * Author(s): Steve French (sfrench(a)us.ibm.com)
- *
- * Error mapping routines from Samba libsmb/errormap.c
- * Copyright (C) Andrew Tridgell 2001
- */
-
-#include "glob.h"
-#include "nterr.h"
-#include "smb_common.h"
-
-/*
- * Convert the NT UTC (based 1601-01-01, in hundred nanosecond units)
- * into Unix UTC (based 1970-01-01, in seconds).
- */
-struct timespec64 ksmbd_NTtimeToUnix(__le64 ntutc)
-{
- struct timespec64 ts;
-
- /* Subtract the NTFS time offset, then convert to 1s intervals. */
- s64 t = le64_to_cpu(ntutc) - NTFS_TIME_OFFSET;
- u64 abs_t;
-
- /*
- * Unfortunately can not use normal 64 bit division on 32 bit arch, but
- * the alternative, do_div, does not work with negative numbers so have
- * to special case them
- */
- if (t < 0) {
- abs_t = -t;
- ts.tv_nsec = do_div(abs_t, 10000000) * 100;
- ts.tv_nsec = -ts.tv_nsec;
- ts.tv_sec = -abs_t;
- } else {
- abs_t = t;
- ts.tv_nsec = do_div(abs_t, 10000000) * 100;
- ts.tv_sec = abs_t;
- }
-
- return ts;
-}
-
-/* Convert the Unix UTC into NT UTC. */
-inline u64 ksmbd_UnixTimeToNT(struct timespec64 t)
-{
- /* Convert to 100ns intervals and then add the NTFS time offset. */
- return (u64)t.tv_sec * 10000000 + t.tv_nsec / 100 + NTFS_TIME_OFFSET;
-}
-
-inline long long ksmbd_systime(void)
-{
- struct timespec64 ts;
-
- ktime_get_real_ts64(&ts);
- return ksmbd_UnixTimeToNT(ts);
-}
diff --git a/fs/cifsd/smb_common.h b/fs/cifsd/smb_common.h
index 2e171c9002b2..2d7b1c693ff4 100644
--- a/fs/cifsd/smb_common.h
+++ b/fs/cifsd/smb_common.h
@@ -541,10 +541,4 @@ static inline void inc_rfc1001_len(void *buf, int count)
{
be32_add_cpu((__be32 *)buf, count);
}
-
-#define NTFS_TIME_OFFSET ((u64)(369 * 365 + 89) * 24 * 3600 * 10000000)
-
-struct timespec64 ksmbd_NTtimeToUnix(__le64 ntutc);
-u64 ksmbd_UnixTimeToNT(struct timespec64 t);
-long long ksmbd_systime(void);
#endif /* __SMB_COMMON_H__ */
diff --git a/fs/cifsd/vfs.c b/fs/cifsd/vfs.c
index d8259ca2493e..7c8ab19ab014 100644
--- a/fs/cifsd/vfs.c
+++ b/fs/cifsd/vfs.c
@@ -29,6 +29,7 @@
#include "smbacl.h"
#include "ndr.h"
#include "auth.h"
+#include "misc.h"
#include "smb_common.h"
#include "mgmt/share_config.h"
From patchwork Mon Nov 14 12:49:17 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Jason Yan <yanaijie(a)huawei.com>
X-Patchwork-Id: 183145
Return-Path: <yanaijie(a)huawei.com>
From: Jason Yan <yanaijie(a)huawei.com>
To: <yanaijie(a)huawei.com>, <zhengzengkai(a)huawei.com>, <xiexiuqi(a)huawei.com>,
<yi.zhang(a)huawei.com>, <patchwork(a)huawei.com>, <kernel.openeuler(a)huawei.com>,
<houtao1(a)huawei.com>
Subject: [PATCH OLK-5.10 v2 048/308] cifsd: Fix potential null-ptr-deref in
smb2_open()
Date: Mon, 14 Nov 2022 20:49:17 +0800
Message-ID: <20221114125337.1831594-49-yanaijie(a)huawei.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20221114125337.1831594-1-yanaijie(a)huawei.com>
References: <20221114125337.1831594-1-yanaijie(a)huawei.com>
Content-Type: text/plain
From: Marios Makassikis <mmakassikis(a)freebox.fr>
mainline inclusion
from mainline-5.15-rc1
commit e6b1059ffaeac794bf1a76fd35947c7c6ac4cb57
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G
CVE: NA
Reference: https://git.kernel.org/torvalds/linux/c/e6b1059ffaea
-------------------------------
Fix potential null-ptr-deref in smb2_open().
Signed-off-by: Marios Makassikis <mmakassikis(a)freebox.fr>
Signed-off-by: Namjae Jeon <namjae.jeon(a)samsung.com>
Signed-off-by: Steve French <stfrench(a)microsoft.com>
Signed-off-by: Jason Yan <yanaijie(a)huawei.com>
---
fs/cifsd/smb2pdu.c | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/fs/cifsd/smb2pdu.c b/fs/cifsd/smb2pdu.c
index 1ff0b20ff7b8..ba552b8f2127 100644
--- a/fs/cifsd/smb2pdu.c
+++ b/fs/cifsd/smb2pdu.c
@@ -2918,13 +2918,16 @@ int smb2_open(struct ksmbd_work *work)
fattr.cf_gid = inode->i_gid;
fattr.cf_mode = inode->i_mode;
fattr.cf_dacls = NULL;
+ ace_num = 0;
fattr.cf_acls = ksmbd_vfs_get_acl(inode, ACL_TYPE_ACCESS);
- ace_num = fattr.cf_acls->a_count;
+ if (fattr.cf_acls)
+ ace_num = fattr.cf_acls->a_count;
if (S_ISDIR(inode->i_mode)) {
fattr.cf_dacls =
ksmbd_vfs_get_acl(inode, ACL_TYPE_DEFAULT);
- ace_num += fattr.cf_dacls->a_count;
+ if (fattr.cf_dacls)
+ ace_num += fattr.cf_dacls->a_count;
}
pntsd = kmalloc(sizeof(struct smb_ntsd) +
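Review bot: the new `if (fattr.cf_acls)` and `if (fattr.cf_dacls)` tests only cover a NULL return. If ksmbd_vfs_get_acl() can hand back an ERR_PTR() the way get_acl() does, `->a_count` is still dereferenced on an error pointer; IS_ERR_OR_NULL(), or an IS_ERR() check that resets the field to NULL, would cover both cases. The commit message only repeats the subject; stating when the ACL lookup returns NULL would help anyone reviewing the backport.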
From patchwork Mon Nov 14 12:49:18 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Jason Yan <yanaijie(a)huawei.com>
X-Patchwork-Id: 183146
Return-Path: <yanaijie(a)huawei.com>
From: Jason Yan <yanaijie(a)huawei.com>
To: <yanaijie(a)huawei.com>, <zhengzengkai(a)huawei.com>, <xiexiuqi(a)huawei.com>,
<yi.zhang(a)huawei.com>, <patchwork(a)huawei.com>, <kernel.openeuler(a)huawei.com>,
<houtao1(a)huawei.com>
Subject: [PATCH OLK-5.10 v2 049/308] cifsd: use d_inode()
Date: Mon, 14 Nov 2022 20:49:18 +0800
Message-ID: <20221114125337.1831594-50-yanaijie(a)huawei.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20221114125337.1831594-1-yanaijie(a)huawei.com>
References: <20221114125337.1831594-1-yanaijie(a)huawei.com>
Content-Type: text/plain
From: Namjae Jeon <namjae.jeon(a)samsung.com>
mainline inclusion
from mainline-5.15-rc1
commit fba08fa005e44b18d6956de3abbe104f45e74697
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G
CVE: NA
Reference: https://git.kernel.org/torvalds/linux/c/fba08fa005e4
-------------------------------
Use d_inode().
Signed-off-by: Namjae Jeon <namjae.jeon(a)samsung.com>
Signed-off-by: Steve French <stfrench(a)microsoft.com>
Signed-off-by: Jason Yan <yanaijie(a)huawei.com>
---
fs/cifsd/smb2pdu.c | 4 ++--
fs/cifsd/smbacl.c | 6 +++---
fs/cifsd/vfs.c | 10 +++++-----
fs/cifsd/vfs_cache.h | 4 ++--
4 files changed, 12 insertions(+), 12 deletions(-)
diff --git a/fs/cifsd/smb2pdu.c b/fs/cifsd/smb2pdu.c
index ba552b8f2127..7d6013ea23e7 100644
--- a/fs/cifsd/smb2pdu.c
+++ b/fs/cifsd/smb2pdu.c
@@ -2890,9 +2890,9 @@ int smb2_open(struct ksmbd_work *work)
/* Set default windows and posix acls if creating new file */
if (created) {
int posix_acl_rc;
- struct inode *inode = path.dentry->d_inode;
+ struct inode *inode = d_inode(path.dentry);
- posix_acl_rc = ksmbd_vfs_inherit_posix_acl(inode, path.dentry->d_parent->d_inode);
+ posix_acl_rc = ksmbd_vfs_inherit_posix_acl(inode, d_inode(path.dentry->d_parent));
if (posix_acl_rc)
ksmbd_debug(SMB, "inherit posix acl failed : %d\n", posix_acl_rc);
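Review bot: `d_inode(path.dentry->d_parent)` still reads d_parent with no reference or lock taken in the visible lines, so switching to the accessor does not make the parent lookup stable against a concurrent rename. If nothing outside this hunk pins the parent, take it with dget_parent() and dput() it after ksmbd_vfs_inherit_posix_acl() returns.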
diff --git a/fs/cifsd/smbacl.c b/fs/cifsd/smbacl.c
index a3675aa837b9..d65e853ab00f 100644
--- a/fs/cifsd/smbacl.c
+++ b/fs/cifsd/smbacl.c
@@ -950,7 +950,7 @@ int smb_inherit_dacl(struct ksmbd_conn *conn, struct dentry *dentry,
int inherited_flags = 0, flags = 0, i, ace_cnt = 0, nt_size = 0;
int rc = -ENOENT, num_aces, dacloffset, pntsd_type, acl_len;
char *aces_base;
- bool is_dir = S_ISDIR(dentry->d_inode->i_mode);
+ bool is_dir = S_ISDIR(d_inode(dentry)->i_mode);
acl_len = ksmbd_vfs_get_sd_xattr(conn, parent, &parent_pntsd);
if (acl_len <= 0)
@@ -1198,7 +1198,7 @@ int smb_check_perm_dacl(struct ksmbd_conn *conn, struct dentry *dentry,
granted = GENERIC_ALL_FLAGS;
}
- posix_acls = ksmbd_vfs_get_acl(dentry->d_inode, ACL_TYPE_ACCESS);
+ posix_acls = ksmbd_vfs_get_acl(d_inode(dentry), ACL_TYPE_ACCESS);
if (posix_acls && !found) {
unsigned int id = -1;
@@ -1263,7 +1263,7 @@ int set_info_sec(struct ksmbd_conn *conn, struct ksmbd_tree_connect *tcon,
{
int rc;
struct smb_fattr fattr = {{0}};
- struct inode *inode = dentry->d_inode;
+ struct inode *inode = d_inode(dentry);
fattr.cf_uid = INVALID_UID;
fattr.cf_gid = INVALID_GID;
diff --git a/fs/cifsd/vfs.c b/fs/cifsd/vfs.c
index 7c8ab19ab014..29f31db4e07e 100644
--- a/fs/cifsd/vfs.c
+++ b/fs/cifsd/vfs.c
@@ -1461,11 +1461,11 @@ int ksmbd_vfs_set_sd_xattr(struct ksmbd_conn *conn, struct dentry *dentry,
struct ndr sd_ndr = {0}, acl_ndr = {0};
struct xattr_ntacl acl = {0};
struct xattr_smb_acl *smb_acl, *def_smb_acl = NULL;
- struct inode *inode = dentry->d_inode;
+ struct inode *inode = d_inode(dentry);
acl.version = 4;
acl.hash_type = XATTR_SD_HASH_TYPE_SHA256;
- acl.current_time = ksmbd_UnixTimeToNT(current_time(dentry->d_inode));
+ acl.current_time = ksmbd_UnixTimeToNT(current_time(inode));
memcpy(acl.desc, "posix_acl", 9);
acl.desc_len = 10;
@@ -1486,9 +1486,9 @@ int ksmbd_vfs_set_sd_xattr(struct ksmbd_conn *conn, struct dentry *dentry,
return rc;
}
- smb_acl = ksmbd_vfs_make_xattr_posix_acl(dentry->d_inode, ACL_TYPE_ACCESS);
+ smb_acl = ksmbd_vfs_make_xattr_posix_acl(inode, ACL_TYPE_ACCESS);
if (S_ISDIR(inode->i_mode))
- def_smb_acl = ksmbd_vfs_make_xattr_posix_acl(dentry->d_inode,
+ def_smb_acl = ksmbd_vfs_make_xattr_posix_acl(inode,
ACL_TYPE_DEFAULT);
rc = ndr_encode_posix_acl(&acl_ndr, inode, smb_acl, def_smb_acl);
@@ -1531,7 +1531,7 @@ int ksmbd_vfs_get_sd_xattr(struct ksmbd_conn *conn, struct dentry *dentry,
rc = ksmbd_vfs_getxattr(dentry, XATTR_NAME_SD, &n.data);
if (rc > 0) {
- struct inode *inode = dentry->d_inode;
+ struct inode *inode = d_inode(dentry);
struct ndr acl_ndr = {0};
struct xattr_ntacl acl;
struct xattr_smb_acl *smb_acl = NULL, *def_smb_acl = NULL;
diff --git a/fs/cifsd/vfs_cache.h b/fs/cifsd/vfs_cache.h
index 8226fdf882e4..ce2047dda36a 100644
--- a/fs/cifsd/vfs_cache.h
+++ b/fs/cifsd/vfs_cache.h
@@ -26,8 +26,8 @@
#define SMB2_NO_FID (0xFFFFFFFFFFFFFFFFULL)
#define FP_FILENAME(fp) fp->filp->f_path.dentry->d_name.name
-#define FP_INODE(fp) fp->filp->f_path.dentry->d_inode
-#define PARENT_INODE(fp) fp->filp->f_path.dentry->d_parent->d_inode
+#define FP_INODE(fp) d_inode(fp->filp->f_path.dentry)
+#define PARENT_INODE(fp) d_inode(fp->filp->f_path.dentry->d_parent)
#define ATTR_FP(fp) (fp->attrib_only && \
(fp->cdoption != FILE_OVERWRITE_IF_LE && \
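Review bot: FP_INODE() and PARENT_INODE() expand their argument unparenthesized (`fp->filp->...`), so an argument that is an expression, such as `&obj` or a conditional, parses differently from what the caller wrote. Since both lines are being rewritten anyway, use `(fp)->filp` in each. FP_FILENAME() and ATTR_FP() in the context lines have the same pattern and could be fixed in the same pass.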
From patchwork Mon Nov 14 12:49:19 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Jason Yan <yanaijie(a)huawei.com>
X-Patchwork-Id: 183147
Return-Path: <yanaijie(a)huawei.com>
From: Jason Yan <yanaijie(a)huawei.com>
To: <yanaijie(a)huawei.com>, <zhengzengkai(a)huawei.com>, <xiexiuqi(a)huawei.com>,
<yi.zhang(a)huawei.com>, <patchwork(a)huawei.com>, <kernel.openeuler(a)huawei.com>,
<houtao1(a)huawei.com>
Subject: [PATCH OLK-5.10 v2 050/308] cifsd: remove the dead code of
unimplemented durable handle
Date: Mon, 14 Nov 2022 20:49:19 +0800
Message-ID: <20221114125337.1831594-51-yanaijie(a)huawei.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20221114125337.1831594-1-yanaijie(a)huawei.com>
References: <20221114125337.1831594-1-yanaijie(a)huawei.com>
Content-Type: text/plain
From: Namjae Jeon <namjae.jeon(a)samsung.com>
mainline inclusion
from mainline-5.15-rc1
commit 73f9dad511e8c5d53a6565192eb0b3a213863563
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G
CVE: NA
Reference: https://git.kernel.org/torvalds/linux/c/73f9dad511e8
-------------------------------
Remove the dead code of unimplemented durable handle.
Signed-off-by: Namjae Jeon <namjae.jeon(a)samsung.com>
Signed-off-by: Steve French <stfrench(a)microsoft.com>
Signed-off-by: Jason Yan <yanaijie(a)huawei.com>
---
fs/cifsd/ksmbd_server.h | 1 -
fs/cifsd/oplock.c | 2 -
fs/cifsd/smb2pdu.c | 246 +---------------------------------------
fs/cifsd/smb_common.c | 5 -
fs/cifsd/vfs_cache.c | 100 +---------------
fs/cifsd/vfs_cache.h | 6 -
6 files changed, 2 insertions(+), 358 deletions(-)
diff --git a/fs/cifsd/ksmbd_server.h b/fs/cifsd/ksmbd_server.h
index e46be4084087..442077a1e77b 100644
--- a/fs/cifsd/ksmbd_server.h
+++ b/fs/cifsd/ksmbd_server.h
@@ -33,7 +33,6 @@ struct ksmbd_heartbeat {
#define KSMBD_GLOBAL_FLAG_CACHE_TBUF BIT(1)
#define KSMBD_GLOBAL_FLAG_CACHE_RBUF BIT(2)
#define KSMBD_GLOBAL_FLAG_SMB2_ENCRYPTION BIT(3)
-#define KSMBD_GLOBAL_FLAG_DURABLE_HANDLE BIT(4)
struct ksmbd_startup_request {
__u32 flags;
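Review bot: KSMBD_GLOBAL_FLAG_DURABLE_HANDLE is removed from the flag set that sits directly above struct ksmbd_startup_request, whose `flags` field is a __u32. If that request is filled in by a userspace daemon, BIT(4) is part of the interface. Leave a comment reserving the bit so it is not later reassigned with a different meaning, and say in the commit message how a daemon that still sets it is handled.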
diff --git a/fs/cifsd/oplock.c b/fs/cifsd/oplock.c
index 4ff23aee69fa..e77f1385a8c1 100644
--- a/fs/cifsd/oplock.c
+++ b/fs/cifsd/oplock.c
@@ -1482,8 +1482,6 @@ void create_durable_v2_rsp_buf(char *cc, struct ksmbd_file *fp)
buf->Name[3] = 'Q';
buf->Timeout = cpu_to_le32(fp->durable_timeout);
- if (fp->is_persistent)
- buf->Flags = SMB2_FLAGS_REPLAY_OPERATIONS;
}
/**
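Review bot: with the `fp->is_persistent` branch gone, nothing in the visible tail of create_durable_v2_rsp_buf() writes buf->Flags. Unless the buffer is zeroed earlier in the function, assign `buf->Flags = 0` explicitly so the response field never carries stale memory. The helper also still fills Timeout from fp->durable_timeout, so the "dead code" description does not cover it; the commit message should say whether it is kept on purpose.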
diff --git a/fs/cifsd/smb2pdu.c b/fs/cifsd/smb2pdu.c
index 7d6013ea23e7..343e96ccdd4c 100644
--- a/fs/cifsd/smb2pdu.c
+++ b/fs/cifsd/smb2pdu.c
@@ -1946,173 +1946,6 @@ static noinline int create_smb2_pipe(struct ksmbd_work *work)
return err;
}
-#define DURABLE_RECONN_V2 1
-#define DURABLE_RECONN 2
-#define DURABLE_REQ_V2 3
-#define DURABLE_REQ 4
-#define APP_INSTANCE_ID 5
-
-struct durable_info {
- struct ksmbd_file *fp;
- int type;
- int reconnected;
- int persistent;
- int timeout;
- char *CreateGuid;
- char *app_id;
-};
-
-static int parse_durable_handle_context(struct ksmbd_work *work,
- struct smb2_create_req *req, struct lease_ctx_info *lc,
- struct durable_info *d_info)
-{
- struct ksmbd_conn *conn = work->conn;
- struct create_context *context;
- int i, err = 0;
- u64 persistent_id = 0;
- int req_op_level;
- static const char * const durable_arr[] = {"DH2C", "DHnC", "DH2Q",
- "DHnQ", SMB2_CREATE_APP_INSTANCE_ID};
-
- req_op_level = req->RequestedOplockLevel;
- for (i = 1; i <= 5; i++) {
- context = smb2_find_context_vals(req, durable_arr[i - 1]);
- if (IS_ERR(context)) {
- err = PTR_ERR(context);
- if (err == -EINVAL) {
- ksmbd_err("bad name length\n");
- goto out;
- }
- err = 0;
- continue;
- }
-
- switch (i) {
- case DURABLE_RECONN_V2:
- {
- struct create_durable_reconn_v2_req *recon_v2;
-
- recon_v2 =
- (struct create_durable_reconn_v2_req *)context;
- persistent_id = le64_to_cpu(recon_v2->Fid.PersistentFileId);
- d_info->fp = ksmbd_lookup_durable_fd(persistent_id);
- if (!d_info->fp) {
- ksmbd_err("Failed to get Durable handle state\n");
- err = -EBADF;
- goto out;
- }
-
- if (memcmp(d_info->fp->create_guid, recon_v2->CreateGuid,
- SMB2_CREATE_GUID_SIZE)) {
- err = -EBADF;
- goto out;
- }
- d_info->type = i;
- d_info->reconnected = 1;
- ksmbd_debug(SMB,
- "reconnect v2 Persistent-id from reconnect = %llu\n",
- persistent_id);
- break;
- }
- case DURABLE_RECONN:
- {
- struct create_durable_reconn_req *recon;
-
- if (d_info->type == DURABLE_RECONN_V2 ||
- d_info->type == DURABLE_REQ_V2) {
- err = -EINVAL;
- goto out;
- }
-
- recon =
- (struct create_durable_reconn_req *)context;
- persistent_id = le64_to_cpu(recon->Data.Fid.PersistentFileId);
- d_info->fp = ksmbd_lookup_durable_fd(persistent_id);
- if (!d_info->fp) {
- ksmbd_err("Failed to get Durable handle state\n");
- err = -EBADF;
- goto out;
- }
- d_info->type = i;
- d_info->reconnected = 1;
- ksmbd_debug(SMB,
- "reconnect Persistent-id from reconnect = %llu\n",
- persistent_id);
- break;
- }
- case DURABLE_REQ_V2:
- {
- struct create_durable_req_v2 *durable_v2_blob;
-
- if (d_info->type == DURABLE_RECONN ||
- d_info->type == DURABLE_RECONN_V2) {
- err = -EINVAL;
- goto out;
- }
-
- durable_v2_blob =
- (struct create_durable_req_v2 *)context;
- ksmbd_debug(SMB, "Request for durable v2 open\n");
- d_info->fp = ksmbd_lookup_fd_cguid(durable_v2_blob->CreateGuid);
- if (d_info->fp) {
- if (!memcmp(conn->ClientGUID, d_info->fp->client_guid,
- SMB2_CLIENT_GUID_SIZE)) {
- if (!(req->hdr.Flags & SMB2_FLAGS_REPLAY_OPERATIONS)) {
- err = -ENOEXEC;
- goto out;
- }
-
- d_info->fp->conn = conn;
- d_info->reconnected = 1;
- goto out;
- }
- }
- if (((lc && (lc->req_state & SMB2_LEASE_HANDLE_CACHING_LE)) ||
- req_op_level == SMB2_OPLOCK_LEVEL_BATCH)) {
- d_info->CreateGuid =
- durable_v2_blob->CreateGuid;
- d_info->persistent =
- le32_to_cpu(durable_v2_blob->Flags);
- d_info->timeout =
- le32_to_cpu(durable_v2_blob->Timeout);
- d_info->type = i;
- }
- break;
- }
- case DURABLE_REQ:
- if (d_info->type == DURABLE_RECONN)
- goto out;
- if (d_info->type == DURABLE_RECONN_V2 ||
- d_info->type == DURABLE_REQ_V2) {
- err = -EINVAL;
- goto out;
- }
-
- if (((lc && (lc->req_state & SMB2_LEASE_HANDLE_CACHING_LE)) ||
- req_op_level == SMB2_OPLOCK_LEVEL_BATCH)) {
- ksmbd_debug(SMB, "Request for durable open\n");
- d_info->type = i;
- }
- break;
- case APP_INSTANCE_ID:
- {
- struct create_app_inst_id *inst_id;
-
- inst_id = (struct create_app_inst_id *)context;
- ksmbd_close_fd_app_id(work, inst_id->AppInstanceId);
- d_info->app_id = inst_id->AppInstanceId;
- break;
- }
- default:
- break;
- }
- }
-
-out:
-
- return err;
-}
-
/**
* smb2_set_ea() - handler for setting extended attributes using set
* info command
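Review bot: If durable handles are reintroduced later, this parser should not be restored as it stands: every case casts `context` straight to its request struct with no visible check of the context's data length, and the DURABLE_RECONN case accepts a handle on PersistentFileId alone, without the CreateGuid comparison that the DURABLE_RECONN_V2 case performs. A short comment or commit-message line recording that would save the next author from reviving the same gaps.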
@@ -2431,7 +2264,6 @@ int smb2_open(struct ksmbd_work *work)
char *name = NULL;
char *stream_name = NULL;
bool file_present = false, created = false, already_permitted = false;
- struct durable_info d_info;
int share_ret, need_truncate = 0;
u64 time;
umode_t posix_mode = 0;
@@ -2509,36 +2341,8 @@ int smb2_open(struct ksmbd_work *work)
}
req_op_level = req->RequestedOplockLevel;
- memset(&d_info, 0, sizeof(struct durable_info));
- if (server_conf.flags & KSMBD_GLOBAL_FLAG_DURABLE_HANDLE &&
- req->CreateContextsOffset) {
+ if (req_op_level == SMB2_OPLOCK_LEVEL_LEASE)
lc = parse_lease_state(req);
- rc = parse_durable_handle_context(work, req, lc, &d_info);
- if (rc) {
- ksmbd_err("error parsing durable handle context\n");
- goto err_out1;
- }
-
- if (d_info.reconnected) {
- fp = d_info.fp;
- rc = smb2_check_durable_oplock(d_info.fp, lc, name);
- if (rc)
- goto err_out1;
- rc = ksmbd_reopen_durable_fd(work, d_info.fp);
- if (rc)
- goto err_out1;
- if (ksmbd_override_fsids(work)) {
- rc = -ENOMEM;
- goto err_out1;
- }
- file_info = FILE_OPENED;
- fp = d_info.fp;
- goto reconnected;
- }
- } else {
- if (req_op_level == SMB2_OPLOCK_LEVEL_LEASE)
- lc = parse_lease_state(req);
- }
if (le32_to_cpu(req->ImpersonationLevel) > le32_to_cpu(IL_DELEGATE_LE)) {
ksmbd_err("Invalid impersonationlevel : 0x%x\n",
@@ -3083,25 +2887,6 @@ int smb2_open(struct ksmbd_work *work)
memcpy(fp->client_guid, conn->ClientGUID, SMB2_CLIENT_GUID_SIZE);
- if (d_info.type) {
- if (d_info.type == DURABLE_REQ_V2 && d_info.persistent)
- fp->is_persistent = 1;
- else
- fp->is_durable = 1;
-
- if (d_info.type == DURABLE_REQ_V2) {
- memcpy(fp->create_guid, d_info.CreateGuid,
- SMB2_CREATE_GUID_SIZE);
- if (d_info.timeout)
- fp->durable_timeout = d_info.timeout;
- else
- fp->durable_timeout = 1600;
- if (d_info.app_id)
- memcpy(fp->app_instance_id, d_info.app_id, 16);
- }
- }
-
-reconnected:
generic_fillattr(&init_user_ns, FP_INODE(fp), &stat);
rsp->StructureSize = cpu_to_le16(89);
@@ -3150,35 +2935,6 @@ int smb2_open(struct ksmbd_work *work)
next_off = conn->vals->create_lease_size;
}
- if (d_info.type == DURABLE_REQ || d_info.type == DURABLE_REQ_V2) {
- struct create_context *durable_ccontext;
-
- durable_ccontext = (struct create_context *)(rsp->Buffer +
- le32_to_cpu(rsp->CreateContextsLength));
- contxt_cnt++;
- if (d_info.type == DURABLE_REQ) {
- create_durable_rsp_buf(rsp->Buffer +
- le32_to_cpu(rsp->CreateContextsLength));
- le32_add_cpu(&rsp->CreateContextsLength,
- conn->vals->create_durable_size);
- inc_rfc1001_len(rsp_org,
- conn->vals->create_durable_size);
- } else {
- create_durable_v2_rsp_buf(rsp->Buffer +
- le32_to_cpu(rsp->CreateContextsLength),
- fp);
- le32_add_cpu(&rsp->CreateContextsLength,
- conn->vals->create_durable_v2_size);
- inc_rfc1001_len(rsp_org,
- conn->vals->create_durable_v2_size);
- }
-
- if (next_ptr)
- *next_ptr = cpu_to_le32(next_off);
- next_ptr = &durable_ccontext->Next;
- next_off = conn->vals->create_durable_size;
- }
-
if (maximal_access_ctxt) {
struct create_context *mxac_ccontext;
diff --git a/fs/cifsd/smb_common.c b/fs/cifsd/smb_common.c
index b0510213eb6d..985171cbf192 100644
--- a/fs/cifsd/smb_common.c
+++ b/fs/cifsd/smb_common.c
@@ -497,11 +497,6 @@ int ksmbd_smb_check_shared_mode(struct file *filp, struct ksmbd_file *curr_fp)
if (strcmp(prev_fp->stream.name, curr_fp->stream.name))
continue;
- if (prev_fp->is_durable) {
- prev_fp->is_durable = 0;
- continue;
- }
-
if (prev_fp->attrib_only != curr_fp->attrib_only)
continue;
diff --git a/fs/cifsd/vfs_cache.c b/fs/cifsd/vfs_cache.c
index 3ab06e0b723c..3286e74e2a56 100644
--- a/fs/cifsd/vfs_cache.c
+++ b/fs/cifsd/vfs_cache.c
@@ -449,30 +449,6 @@ struct ksmbd_file *ksmbd_lookup_durable_fd(unsigned long long id)
return __ksmbd_lookup_fd(&global_ft, id);
}
-int ksmbd_close_fd_app_id(struct ksmbd_work *work, char *app_id)
-{
- struct ksmbd_file *fp = NULL;
- unsigned int id;
-
- read_lock(&global_ft.lock);
- idr_for_each_entry(global_ft.idr, fp, id) {
- if (!memcmp(fp->app_instance_id,
- app_id,
- SMB2_CREATE_GUID_SIZE)) {
- if (!atomic_dec_and_test(&fp->refcount))
- fp = NULL;
- break;
- }
- }
- read_unlock(&global_ft.lock);
-
- if (!fp)
- return -EINVAL;
-
- __put_fd_final(work, fp);
- return 0;
-}
-
struct ksmbd_file *ksmbd_lookup_fd_cguid(char *cguid)
{
struct ksmbd_file *fp = NULL;
@@ -492,23 +468,6 @@ struct ksmbd_file *ksmbd_lookup_fd_cguid(char *cguid)
return fp;
}
-struct ksmbd_file *ksmbd_lookup_fd_filename(struct ksmbd_work *work, char *filename)
-{
- struct ksmbd_file *fp = NULL;
- unsigned int id;
-
- read_lock(&work->sess->file_table.lock);
- idr_for_each_entry(work->sess->file_table.idr, fp, id) {
- if (!strcmp(fp->filename, filename)) {
- fp = ksmbd_fp_get(fp);
- break;
- }
- }
- read_unlock(&work->sess->file_table.lock);
-
- return fp;
-}
-
struct ksmbd_file *ksmbd_lookup_fd_inode(struct inode *inode)
{
struct ksmbd_file *lfp;
@@ -617,32 +576,6 @@ struct ksmbd_file *ksmbd_open_fd(struct ksmbd_work *work, struct file *filp)
return fp;
}
-static inline bool is_reconnectable(struct ksmbd_file *fp)
-{
- struct oplock_info *opinfo = opinfo_get(fp);
- bool reconn = false;
-
- if (!opinfo)
- return false;
-
- if (opinfo->op_state != OPLOCK_STATE_NONE) {
- opinfo_put(opinfo);
- return false;
- }
-
- if (fp->is_resilient || fp->is_persistent)
- reconn = true;
- else if (fp->is_durable && opinfo->is_lease &&
- opinfo->o_lease->state & SMB2_LEASE_HANDLE_CACHING_LE)
- reconn = true;
-
- else if (fp->is_durable && opinfo->level == SMB2_OPLOCK_LEVEL_BATCH)
- reconn = true;
-
- opinfo_put(opinfo);
- return reconn;
-}
-
static int
__close_file_table_ids(struct ksmbd_file_table *ft, struct ksmbd_tree_connect *tcon,
bool (*skip)(struct ksmbd_tree_connect *tcon, struct ksmbd_file *fp))
@@ -672,13 +605,7 @@ static bool tree_conn_fd_check(struct ksmbd_tree_connect *tcon, struct ksmbd_fil
static bool session_fd_check(struct ksmbd_tree_connect *tcon, struct ksmbd_file *fp)
{
- if (!is_reconnectable(fp))
- return false;
-
- fp->conn = NULL;
- fp->tcon = NULL;
- fp->volatile_id = KSMBD_NO_FID;
- return true;
+ return false;
}
void ksmbd_close_tree_conn_fds(struct ksmbd_work *work)
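Review bot: session_fd_check() now returns false unconditionally, so as the `skip` callback passed to __close_file_table_ids() it never asks for a handle to be skipped. Add a one-line comment stating that every session handle is closed on teardown now that reconnectable handles are gone, or drop the callback for this caller; with both parameters unused, the body is otherwise easy to mistake for an unfinished stub.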
@@ -717,31 +644,6 @@ void ksmbd_free_global_file_table(void)
ksmbd_destroy_file_table(&global_ft);
}
-int ksmbd_reopen_durable_fd(struct ksmbd_work *work, struct ksmbd_file *fp)
-{
- if (!fp->is_durable || fp->conn || fp->tcon) {
- ksmbd_err("Invalid durable fd [%p:%p]\n",
- fp->conn, fp->tcon);
- return -EBADF;
- }
-
- if (HAS_FILE_ID(fp->volatile_id)) {
- ksmbd_err("Still in use durable fd: %u\n", fp->volatile_id);
- return -EBADF;
- }
-
- fp->conn = work->sess->conn;
- fp->tcon = work->tcon;
-
- __open_id(&work->sess->file_table, fp, OPEN_ID_TYPE_VOLATILE_ID);
- if (!HAS_FILE_ID(fp->volatile_id)) {
- fp->conn = NULL;
- fp->tcon = NULL;
- return -EBADF;
- }
- return 0;
-}
-
int ksmbd_file_table_flush(struct ksmbd_work *work)
{
struct ksmbd_file *fp = NULL;
diff --git a/fs/cifsd/vfs_cache.h b/fs/cifsd/vfs_cache.h
index ce2047dda36a..5638641dd0cf 100644
--- a/fs/cifsd/vfs_cache.h
+++ b/fs/cifsd/vfs_cache.h
@@ -90,9 +90,6 @@ struct ksmbd_file {
__u64 create_time;
__u64 itime;
- bool is_durable;
- bool is_resilient;
- bool is_persistent;
bool is_nt_open;
bool attrib_only;
@@ -154,17 +151,14 @@ struct ksmbd_file *ksmbd_lookup_foreign_fd(struct ksmbd_work *work, unsigned int
struct ksmbd_file *ksmbd_lookup_fd_slow(struct ksmbd_work *work, unsigned int id,
unsigned int pid);
void ksmbd_fd_put(struct ksmbd_work *work, struct ksmbd_file *fp);
-int ksmbd_close_fd_app_id(struct ksmbd_work *work, char *app_id);
struct ksmbd_file *ksmbd_lookup_durable_fd(unsigned long long id);
struct ksmbd_file *ksmbd_lookup_fd_cguid(char *cguid);
-struct ksmbd_file *ksmbd_lookup_fd_filename(struct ksmbd_work *work, char *filename);
struct ksmbd_file *ksmbd_lookup_fd_inode(struct inode *inode);
unsigned int ksmbd_open_durable_fd(struct ksmbd_file *fp);
struct ksmbd_file *ksmbd_open_fd(struct ksmbd_work *work, struct file *filp);
void ksmbd_close_tree_conn_fds(struct ksmbd_work *work);
void ksmbd_close_session_fds(struct ksmbd_work *work);
int ksmbd_close_inode_fds(struct ksmbd_work *work, struct inode *inode);
-int ksmbd_reopen_durable_fd(struct ksmbd_work *work, struct ksmbd_file *fp);
int ksmbd_init_global_file_table(void);
void ksmbd_free_global_file_table(void);
int ksmbd_file_table_flush(struct ksmbd_work *work);
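Review bot: ksmbd_lookup_durable_fd() and ksmbd_lookup_fd_cguid() stay declared here, yet the only callers shown in this patch were in parse_durable_handle_context(), which is removed. Check whether anything else still uses them; if not, remove the declarations and definitions in this patch too, so that no handle-lookup-by-id entry points are left without a caller.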
From patchwork Mon Nov 14 12:49:20 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Jason Yan <yanaijie(a)huawei.com>
X-Patchwork-Id: 183148
Return-Path: <yanaijie(a)huawei.com>
From: Jason Yan <yanaijie(a)huawei.com>
To: <yanaijie(a)huawei.com>, <zhengzengkai(a)huawei.com>, <xiexiuqi(a)huawei.com>,
<yi.zhang(a)huawei.com>, <patchwork(a)huawei.com>, <kernel.openeuler(a)huawei.com>,
<houtao1(a)huawei.com>
Subject: [PATCH OLK-5.10 v2 051/308] cifsd: Update access check in
set_file_allocation_info/set_end_of_file_info
Date: Mon, 14 Nov 2022 20:49:20 +0800
Message-ID: <20221114125337.1831594-52-yanaijie(a)huawei.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20221114125337.1831594-1-yanaijie(a)huawei.com>
References: <20221114125337.1831594-1-yanaijie(a)huawei.com>
Content-Type: text/plain
MIME-Version: 1.0
From: Marios Makassikis <mmakassikis(a)freebox.fr>
mainline inclusion
from mainline-5.15-rc1
commit a299669b2c3d26cdb787ba4a87603f6de4fd7714
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G
CVE: NA
Reference: https://git.kernel.org/torvalds/linux/c/a299669b2c3d
-------------------------------
[MS-SMB2] 3.3.5.21.1
If the object store supports security and FileInfoClass is
FileAllocationInformation, FileEndOfFileInformation, or
FileValidDataLengthInformation, and Open.GrantedAccess does not
include FILE_WRITE_DATA, the server MUST fail the request with
STATUS_ACCESS_DENIED.
Signed-off-by: Marios Makassikis <mmakassikis(a)freebox.fr>
Signed-off-by: Namjae Jeon <namjae.jeon(a)samsung.com>
Signed-off-by: Steve French <stfrench(a)microsoft.com>
Signed-off-by: Jason Yan <yanaijie(a)huawei.com>
---
fs/cifsd/smb2pdu.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/fs/cifsd/smb2pdu.c b/fs/cifsd/smb2pdu.c
index 343e96ccdd4c..73c6154170cf 100644
--- a/fs/cifsd/smb2pdu.c
+++ b/fs/cifsd/smb2pdu.c
@@ -5352,7 +5352,7 @@ static int set_file_allocation_info(struct ksmbd_work *work,
struct inode *inode;
int rc;
- if (!is_attributes_write_allowed(fp))
+ if (!(fp->daccess & FILE_WRITE_DATA_LE))
return -EACCES;
file_alloc_info = (struct smb2_file_alloc_info *)buf;
@@ -5396,7 +5396,7 @@ static int set_end_of_file_info(struct ksmbd_work *work, struct ksmbd_file *fp,
struct inode *inode;
int rc;
- if (!is_attributes_write_allowed(fp))
+ if (!(fp->daccess & FILE_WRITE_DATA_LE))
return -EACCES;
file_eof_info = (struct smb2_file_eof_info *)buf;
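Review bot: The quoted [MS-SMB2] 3.3.5.21.1 rule names three classes, FileAllocationInformation, FileEndOfFileInformation and FileValidDataLengthInformation, but only set_file_allocation_info() and set_end_of_file_info() are changed. State in the commit message whether ksmbd handles FileValidDataLengthInformation at all; if it does, it needs the same `fp->daccess & FILE_WRITE_DATA_LE` check.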
From patchwork Mon Nov 14 12:49:21 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Jason Yan <yanaijie(a)huawei.com>
X-Patchwork-Id: 183149
Return-Path: <yanaijie(a)huawei.com>
From: Jason Yan <yanaijie(a)huawei.com>
To: <yanaijie(a)huawei.com>, <zhengzengkai(a)huawei.com>, <xiexiuqi(a)huawei.com>,
<yi.zhang(a)huawei.com>, <patchwork(a)huawei.com>, <kernel.openeuler(a)huawei.com>,
<houtao1(a)huawei.com>
Subject: [PATCH OLK-5.10 v2 052/308] cifsd: Remove
is_attributes_write_allowed() wrapper
Date: Mon, 14 Nov 2022 20:49:21 +0800
Message-ID: <20221114125337.1831594-53-yanaijie(a)huawei.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20221114125337.1831594-1-yanaijie(a)huawei.com>
References: <20221114125337.1831594-1-yanaijie(a)huawei.com>
Content-Type: text/plain
MIME-Version: 1.0
From: Marios Makassikis <mmakassikis(a)freebox.fr>
mainline inclusion
from mainline-5.15-rc1
commit 7adfd4f6f78eb1c2561bcfdc20f7cc39f2d89437
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G
CVE: NA
Reference: https://git.kernel.org/torvalds/linux/c/7adfd4f6f78e
-------------------------------
Inline it in the only place it is used and remove it.
Signed-off-by: Marios Makassikis <mmakassikis(a)freebox.fr>
Signed-off-by: Namjae Jeon <namjae.jeon(a)samsung.com>
Signed-off-by: Steve French <stfrench(a)microsoft.com>
Signed-off-by: Jason Yan <yanaijie(a)huawei.com>
---
fs/cifsd/smb2pdu.c | 7 +------
1 file changed, 1 insertion(+), 6 deletions(-)
diff --git a/fs/cifsd/smb2pdu.c b/fs/cifsd/smb2pdu.c
index 73c6154170cf..eeb3f09e8765 100644
--- a/fs/cifsd/smb2pdu.c
+++ b/fs/cifsd/smb2pdu.c
@@ -5237,11 +5237,6 @@ static int smb2_create_link(struct ksmbd_work *work,
return rc;
}
-static bool is_attributes_write_allowed(struct ksmbd_file *fp)
-{
- return fp->daccess & FILE_WRITE_ATTRIBUTES_LE;
-}
-
static int set_file_basic_info(struct ksmbd_file *fp, char *buf,
struct ksmbd_share_config *share)
{
@@ -5252,7 +5247,7 @@ static int set_file_basic_info(struct ksmbd_file *fp, char *buf,
struct inode *inode;
int rc;
- if (!is_attributes_write_allowed(fp))
+ if (!(fp->daccess & FILE_WRITE_ATTRIBUTES_LE))
return -EACCES;
file_info = (struct smb2_file_all_info *)buf;
From patchwork Mon Nov 14 12:49:22 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Jason Yan <yanaijie(a)huawei.com>
X-Patchwork-Id: 183150
Return-Path: <yanaijie(a)huawei.com>
From: Jason Yan <yanaijie(a)huawei.com>
To: <yanaijie(a)huawei.com>, <zhengzengkai(a)huawei.com>, <xiexiuqi(a)huawei.com>,
<yi.zhang(a)huawei.com>, <patchwork(a)huawei.com>, <kernel.openeuler(a)huawei.com>,
<houtao1(a)huawei.com>
Subject: [PATCH OLK-5.10 v2 053/308] cifsd: Fix regression in smb2_get_info
Date: Mon, 14 Nov 2022 20:49:22 +0800
Message-ID: <20221114125337.1831594-54-yanaijie(a)huawei.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20221114125337.1831594-1-yanaijie(a)huawei.com>
References: <20221114125337.1831594-1-yanaijie(a)huawei.com>
Content-Type: text/plain
MIME-Version: 1.0
From: Sebastian Gottschall <s.gottschall(a)dd-wrt.com>
mainline inclusion
from mainline-5.15-rc1
commit ced2b26a76cd1db0b6ccb39e0bc873177c9bda21
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G
CVE: NA
Reference: https://git.kernel.org/torvalds/linux/c/ced2b26a76cd
-------------------------------
A Windows 10 client isn't able to store files from ksmbd servers due to
unknown local permission problems (code 0x8007003A) if smb3 encryption
is enabled. Windows 10 is requesting ATTRIBUTE_SECINFO (mask 0x20),
which is not yet handled by ksmbd; this leads to an invalid response.
For now we just reintroduce the old check to avoid processing of unhandled
flags until ATTRIBUTE_SECINFO is properly handled.
Signed-off-by: Sebastian Gottschall <s.gottschall(a)dd-wrt.com>
Signed-off-by: Namjae Jeon <namjae.jeon(a)samsung.com>
Signed-off-by: Steve French <stfrench(a)microsoft.com>
Signed-off-by: Jason Yan <yanaijie(a)huawei.com>
---
fs/cifsd/smb2pdu.c | 18 ++++++++++++++++++
1 file changed, 18 insertions(+)
diff --git a/fs/cifsd/smb2pdu.c b/fs/cifsd/smb2pdu.c
index eeb3f09e8765..3b8da5dfd4a1 100644
--- a/fs/cifsd/smb2pdu.c
+++ b/fs/cifsd/smb2pdu.c
@@ -4791,6 +4791,24 @@ static int smb2_get_info_sec(struct ksmbd_work *work,
int addition_info = le32_to_cpu(req->AdditionalInformation);
int rc;
+ if (addition_info & ~(OWNER_SECINFO | GROUP_SECINFO | DACL_SECINFO)) {
+ ksmbd_debug(SMB, "Unsupported addition info: 0x%x)\n",
+ addition_info);
+
+ pntsd->revision = cpu_to_le16(1);
+ pntsd->type = cpu_to_le16(SELF_RELATIVE | DACL_PROTECTED);
+ pntsd->osidoffset = 0;
+ pntsd->gsidoffset = 0;
+ pntsd->sacloffset = 0;
+ pntsd->dacloffset = 0;
+
+ secdesclen = sizeof(struct smb_ntsd);
+ rsp->OutputBufferLength = cpu_to_le32(secdesclen);
+ inc_rfc1001_len(rsp_org, secdesclen);
+
+ return 0;
+ }
+
if (work->next_smb2_rcv_hdr_off) {
if (!HAS_FILE_ID(le64_to_cpu(req->VolatileFileId))) {
ksmbd_debug(SMB, "Compound request set FID = %u\n",
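Review bot: The new early return sits above the `work->next_smb2_rcv_hdr_off` block, so a request carrying any bit outside OWNER_SECINFO | GROUP_SECINFO | DACL_SECINFO gets a successful, empty descriptor before the FileId is looked at. Consider moving the check after the handle lookup so that an invalid or closed handle still fails. The branch also writes sizeof(struct smb_ntsd) bytes through pntsd with no visible check against the output length the client asked for, and the debug string has a stray ')' after 0x%x.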
From patchwork Mon Nov 14 12:49:23 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Jason Yan <yanaijie(a)huawei.com>
X-Patchwork-Id: 183151
Return-Path: <yanaijie(a)huawei.com>
From: Jason Yan <yanaijie(a)huawei.com>
To: <yanaijie(a)huawei.com>, <zhengzengkai(a)huawei.com>, <xiexiuqi(a)huawei.com>,
<yi.zhang(a)huawei.com>, <patchwork(a)huawei.com>, <kernel.openeuler(a)huawei.com>,
<houtao1(a)huawei.com>
Subject: [PATCH OLK-5.10 v2 054/308] cifsd: Call smb2_set_err_rsp() in
smb2_read/smb2_write error path
Date: Mon, 14 Nov 2022 20:49:23 +0800
Message-ID: <20221114125337.1831594-55-yanaijie(a)huawei.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20221114125337.1831594-1-yanaijie(a)huawei.com>
References: <20221114125337.1831594-1-yanaijie(a)huawei.com>
Content-Type: text/plain
MIME-Version: 1.0
From: Marios Makassikis <mmakassikis(a)freebox.fr>
mainline inclusion
from mainline-5.15-rc1
commit a4382db9bac314440f662be91ec8010465e67603
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G
CVE: NA
Reference: https://git.kernel.org/torvalds/linux/c/a4382db9bac3
-------------------------------
Call smb2_set_err_rsp() in smb2_read/smb2_write error path.
Signed-off-by: Marios Makassikis <mmakassikis(a)freebox.fr>
Signed-off-by: Namjae Jeon <namjae.jeon(a)samsung.com>
Signed-off-by: Steve French <stfrench(a)microsoft.com>
Signed-off-by: Jason Yan <yanaijie(a)huawei.com>
---
fs/cifsd/smb2pdu.c | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/fs/cifsd/smb2pdu.c b/fs/cifsd/smb2pdu.c
index 3b8da5dfd4a1..e5aff1ca11e1 100644
--- a/fs/cifsd/smb2pdu.c
+++ b/fs/cifsd/smb2pdu.c
@@ -5820,8 +5820,8 @@ int smb2_read(struct ksmbd_work *work)
le64_to_cpu(req->VolatileFileId),
le64_to_cpu(req->PersistentFileId));
if (!fp) {
- rsp->hdr.Status = STATUS_FILE_CLOSED;
- return -ENOENT;
+ err = -ENOENT;
+ goto out;
}
if (!(fp->daccess & (FILE_READ_DATA_LE | FILE_READ_ATTRIBUTES_LE))) {
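Review bot: The `!fp` branch used to set `rsp->hdr.Status = STATUS_FILE_CLOSED` and now only sets `err = -ENOENT` before `goto out` (the same change is made in smb2_write below). The `out:` label is outside the hunk, so please confirm it maps -ENOENT to STATUS_FILE_CLOSED; otherwise the client sees a different status for a closed handle than it did before this patch.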
@@ -6057,7 +6057,7 @@ int smb2_write(struct ksmbd_work *work)
{
struct smb2_write_req *req;
struct smb2_write_rsp *rsp, *rsp_org;
- struct ksmbd_file *fp = NULL;
+ struct ksmbd_file *fp;
loff_t offset;
size_t length;
ssize_t nbytes;
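Review bot: Dropping the `= NULL` initializer on `fp` is only safe if no `goto out` can run before ksmbd_lookup_fd_slow() assigns it. If the `out:` path touches `fp`, for example to put the reference, an earlier jump would use an uninitialized pointer. Unless every exit before the lookup returns directly, keep `struct ksmbd_file *fp = NULL;`.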
@@ -6082,8 +6082,8 @@ int smb2_write(struct ksmbd_work *work)
fp = ksmbd_lookup_fd_slow(work, le64_to_cpu(req->VolatileFileId),
le64_to_cpu(req->PersistentFileId));
if (!fp) {
- rsp->hdr.Status = STATUS_FILE_CLOSED;
- return -ENOENT;
+ err = -ENOENT;
+ goto out;
}
if (!(fp->daccess & (FILE_WRITE_DATA_LE | FILE_READ_ATTRIBUTES_LE))) {
From patchwork Mon Nov 14 12:49:24 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Jason Yan <yanaijie(a)huawei.com>
X-Patchwork-Id: 183152
Return-Path: <yanaijie(a)huawei.com>
From: Jason Yan <yanaijie(a)huawei.com>
To: <yanaijie(a)huawei.com>, <zhengzengkai(a)huawei.com>, <xiexiuqi(a)huawei.com>,
<yi.zhang(a)huawei.com>, <patchwork(a)huawei.com>, <kernel.openeuler(a)huawei.com>,
<houtao1(a)huawei.com>
Subject: [PATCH OLK-5.10 v2 055/308] cifsd: Handle ksmbd_session_rpc_open()
failure in create_smb2_pipe()
Date: Mon, 14 Nov 2022 20:49:24 +0800
Message-ID: <20221114125337.1831594-56-yanaijie(a)huawei.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20221114125337.1831594-1-yanaijie(a)huawei.com>
References: <20221114125337.1831594-1-yanaijie(a)huawei.com>
Content-Type: text/plain
MIME-Version: 1.0
From: Marios Makassikis <mmakassikis(a)freebox.fr>
mainline inclusion
from mainline-5.15-rc1
commit 79caa9606df1504b3b5104457cbb5d759f0e5fae
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G
CVE: NA
Reference: https://git.kernel.org/torvalds/linux/c/79caa9606df1
-------------------------------
Currently, a SMB2 client does not receive an error message if
ksmbd_session_rpc_open() fails when opening a pipe.
Fix this by responding with STATUS_NO_MEMORY or STATUS_INVALID_PARAMETER
depending on the error that occurred.
Signed-off-by: Marios Makassikis <mmakassikis(a)freebox.fr>
Signed-off-by: Namjae Jeon <namjae.jeon(a)samsung.com>
Signed-off-by: Steve French <stfrench(a)microsoft.com>
Signed-off-by: Jason Yan <yanaijie(a)huawei.com>
---
fs/cifsd/smb2pdu.c | 19 ++++++++++++++++++-
1 file changed, 18 insertions(+), 1 deletion(-)
diff --git a/fs/cifsd/smb2pdu.c b/fs/cifsd/smb2pdu.c
index e5aff1ca11e1..fec385318ff3 100644
--- a/fs/cifsd/smb2pdu.c
+++ b/fs/cifsd/smb2pdu.c
@@ -1917,9 +1917,13 @@ static noinline int create_smb2_pipe(struct ksmbd_work *work)
}
id = ksmbd_session_rpc_open(work->sess, name);
- if (id < 0)
+ if (id < 0) {
ksmbd_err("Unable to open RPC pipe: %d\n", id);
+ err = id;
+ goto out;
+ }
+ rsp->hdr.Status = STATUS_SUCCESS;
rsp->StructureSize = cpu_to_le16(89);
rsp->OplockLevel = SMB2_OPLOCK_LEVEL_NONE;
rsp->Reserved = 0;
@@ -1942,6 +1946,19 @@ static noinline int create_smb2_pipe(struct ksmbd_work *work)
return 0;
out:
+ switch (err) {
+ case -EINVAL:
+ rsp->hdr.Status = STATUS_INVALID_PARAMETER;
+ break;
+ case -ENOSPC:
+ case -ENOMEM:
+ rsp->hdr.Status = STATUS_NO_MEMORY;
+ break;
+ }
+
+ if (!IS_ERR(name))
+ kfree(name);
+
smb2_set_err_rsp(work);
return err;
}
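Review bot: The `switch (err)` at `out:` has no default case, so any error other than -EINVAL, -ENOSPC or -ENOMEM reaches smb2_set_err_rsp() with whatever `rsp->hdr.Status` already held; add a default that sets a generic failure status. The `if (!IS_ERR(name)) kfree(name);` cleanup assumes `name` is NULL, an ERR_PTR or a live allocation at every `goto out`, so check that it is initialized before the first jump. The commit message names only two status codes; it should also mention that -ENOSPC is folded into STATUS_NO_MEMORY.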
From patchwork Mon Nov 14 12:49:25 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Jason Yan <yanaijie(a)huawei.com>
X-Patchwork-Id: 183153
Return-Path: <yanaijie(a)huawei.com>
From: Jason Yan <yanaijie(a)huawei.com>
To: <yanaijie(a)huawei.com>, <zhengzengkai(a)huawei.com>, <xiexiuqi(a)huawei.com>,
<yi.zhang(a)huawei.com>, <patchwork(a)huawei.com>, <kernel.openeuler(a)huawei.com>,
<houtao1(a)huawei.com>
Subject: [PATCH OLK-5.10 v2 056/308] cifsd: Update out_buf_len in
smb2_populate_readdir_entry()
Date: Mon, 14 Nov 2022 20:49:25 +0800
Message-ID: <20221114125337.1831594-57-yanaijie(a)huawei.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20221114125337.1831594-1-yanaijie(a)huawei.com>
References: <20221114125337.1831594-1-yanaijie(a)huawei.com>
Content-Type: text/plain
MIME-Version: 1.0
From: Marios Makassikis <mmakassikis(a)freebox.fr>
mainline inclusion
from mainline-5.15-rc1
commit e7735c854880084a6d97e60465f19daa42842eff
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G
CVE: NA
Reference: https://git.kernel.org/torvalds/linux/c/e7735c854880
-------------------------------
When processing an SMB2 QUERY_DIRECTORY request,
smb2_populate_readdir_entry() is called first to fill the dot/dotdot
entries. This moves the d_info->wptr pointer but out_buf_len remains
unchanged. As a result, reserve_populate_dentry() may end up writing
past the end of the buffer since the bounds checking is done on
invalid values.
Signed-off-by: Marios Makassikis <mmakassikis(a)freebox.fr>
Signed-off-by: Namjae Jeon <namjae.jeon(a)samsung.com>
Signed-off-by: Steve French <stfrench(a)microsoft.com>
Signed-off-by: Jason Yan <yanaijie(a)huawei.com>
---
fs/cifsd/smb2pdu.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/fs/cifsd/smb2pdu.c b/fs/cifsd/smb2pdu.c
index fec385318ff3..54df9a30bd23 100644
--- a/fs/cifsd/smb2pdu.c
+++ b/fs/cifsd/smb2pdu.c
@@ -3333,6 +3333,7 @@ static int smb2_populate_readdir_entry(struct ksmbd_conn *conn, int info_level,
d_info->last_entry_offset = d_info->data_count;
d_info->data_count += next_entry_offset;
+ d_info->out_buf_len -= next_entry_offset;
d_info->wptr += next_entry_offset;
kfree(conv_name);
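Review bot: The new `d_info->out_buf_len -= next_entry_offset;` has no guard in the visible lines against next_entry_offset being larger than the remaining out_buf_len. If nothing earlier in smb2_populate_readdir_entry() rejects that case, the length goes negative (or wraps, if the field is unsigned) and the bounds check in reserve_populate_dentry() is once more made against an invalid value. Please confirm the earlier check exists, or compare next_entry_offset with d_info->out_buf_len and return an error before data_count, out_buf_len and wptr are updated.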
From patchwork Mon Nov 14 12:49:26 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Jason Yan <yanaijie(a)huawei.com>
X-Patchwork-Id: 183154
Return-Path: <yanaijie(a)huawei.com>
From: Jason Yan <yanaijie(a)huawei.com>
To: <yanaijie(a)huawei.com>, <zhengzengkai(a)huawei.com>, <xiexiuqi(a)huawei.com>,
<yi.zhang(a)huawei.com>, <patchwork(a)huawei.com>, <kernel.openeuler(a)huawei.com>,
<houtao1(a)huawei.com>
Subject: [PATCH OLK-5.10 v2 057/308] cifsd: Fix potential null-ptr-deref in
destroy_previous_session()
Date: Mon, 14 Nov 2022 20:49:26 +0800
Message-ID: <20221114125337.1831594-58-yanaijie(a)huawei.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20221114125337.1831594-1-yanaijie(a)huawei.com>
References: <20221114125337.1831594-1-yanaijie(a)huawei.com>
Content-Type: text/plain
From: Marios Makassikis <mmakassikis(a)freebox.fr>
mainline inclusion
from mainline-5.15-rc1
commit 1fca8038e9f10bc14eb3484d212b3f03b49ac3f5
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G
CVE: NA
Reference: https://git.kernel.org/torvalds/linux/c/1fca8038e9f1
-------------------------------
The user field in the session structure is allocated when the client is
authenticated. If the client explicitly logs off, the user field is freed,
but the session is kept around in case the user reconnects. If the TCP
connection hasn't been closed and the client sends a session setup with
a PreviousSessionId set, destroy_previous_session() will be called to
check if the session needs to be cleaned up.
Signed-off-by: Marios Makassikis <mmakassikis(a)freebox.fr>
Signed-off-by: Namjae Jeon <namjae.jeon(a)samsung.com>
Signed-off-by: Steve French <stfrench(a)microsoft.com>
Signed-off-by: Jason Yan <yanaijie(a)huawei.com>
---
fs/cifsd/smb2pdu.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/fs/cifsd/smb2pdu.c b/fs/cifsd/smb2pdu.c
index 54df9a30bd23..ebae992f88a0 100644
--- a/fs/cifsd/smb2pdu.c
+++ b/fs/cifsd/smb2pdu.c
@@ -619,7 +619,8 @@ static void destroy_previous_session(struct ksmbd_user *user, u64 id)
prev_user = prev_sess->user;
- if (strcmp(user->name, prev_user->name) ||
+ if (!prev_user ||
+ strcmp(user->name, prev_user->name) ||
user->passkey_sz != prev_user->passkey_sz ||
memcmp(user->passkey, prev_user->passkey, user->passkey_sz)) {
put_session(prev_sess);
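Review bot: With `!prev_user` placed first in the condition, a previous session whose user was freed at logoff takes the mismatch branch, so it is released with put_session(prev_sess) and, as far as these lines show, is never destroyed. If leaving a logged-off session in place is intended, say so in a comment above the check. The commit message also stops before naming the failure: prev_sess->user is NULL in that state and strcmp() on prev_user->name is the dereference being avoided.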
From patchwork Mon Nov 14 12:49:27 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Jason Yan <yanaijie(a)huawei.com>
X-Patchwork-Id: 183155
Return-Path: <yanaijie(a)huawei.com>
From: Jason Yan <yanaijie(a)huawei.com>
To: <yanaijie(a)huawei.com>, <zhengzengkai(a)huawei.com>, <xiexiuqi(a)huawei.com>,
<yi.zhang(a)huawei.com>, <patchwork(a)huawei.com>, <kernel.openeuler(a)huawei.com>,
<houtao1(a)huawei.com>
Subject: [PATCH OLK-5.10 v2 058/308] cifsd: add support for AES256 encryption
Date: Mon, 14 Nov 2022 20:49:27 +0800
Message-ID: <20221114125337.1831594-59-yanaijie(a)huawei.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20221114125337.1831594-1-yanaijie(a)huawei.com>
References: <20221114125337.1831594-1-yanaijie(a)huawei.com>
Content-Type: text/plain
X-MS-Exchange-Organization-Network-Message-Id:
16761a57-423a-41c0-92e5-08dac63c512a
X-MS-Exchange-Organization-AuthSource: canpemm500004.china.huawei.com
X-MS-Exchange-Organization-AuthAs: Internal
X-MS-Exchange-Organization-AuthMechanism: 07
X-Originating-IP: [10.175.127.227]
X-ClientProxiedBy: dggems702-chm.china.huawei.com (10.3.19.179) To
canpemm500004.china.huawei.com (7.192.104.92)
X-MS-Exchange-Transport-EndToEndLatency: 00:00:00.6717882
X-MS-Exchange-Processed-By-BccFoldering: 15.01.2375.031
MIME-Version: 1.0
From: Namjae Jeon <namjae.jeon(a)samsung.com>
mainline inclusion
from mainline-5.15-rc1
commit 5a0ca7700591a5275875920cf0c3113435e4b6f7
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G
CVE: NA
Reference: https://git.kernel.org/torvalds/linux/c/5a0ca7700591
-------------------------------
Now that 256 bit encryption can be negotiated, update
names of the nonces to match the updated official protocol
documentation (e.g. AES_GCM_NONCE instead of AES_128GCM_NONCE)
since they apply to both 128 bit and 256 bit encryption.
Update smb encryption code to set 32 byte key length and to
set gcm256/ccm256 when requested on mount.
Signed-off-by: Namjae Jeon <namjae.jeon(a)samsung.com>
Signed-off-by: Steve French <stfrench(a)microsoft.com>
Signed-off-by: Jason Yan <yanaijie(a)huawei.com>
---
fs/cifsd/auth.c | 53 +++++++++++++++++++++++++-----------
fs/cifsd/crypto_ctx.c | 8 +++---
fs/cifsd/crypto_ctx.h | 8 +++---
fs/cifsd/mgmt/user_session.h | 4 +--
fs/cifsd/smb2pdu.c | 11 +++++---
fs/cifsd/smb2pdu.h | 18 +++++++++---
6 files changed, 68 insertions(+), 34 deletions(-)
diff --git a/fs/cifsd/auth.c b/fs/cifsd/auth.c
index 437e58a0826d..6b90aac86fcc 100644
--- a/fs/cifsd/auth.c
+++ b/fs/cifsd/auth.c
@@ -835,7 +835,8 @@ static int generate_key(struct ksmbd_session *sess, struct kvec label,
{
unsigned char zero = 0x0;
__u8 i[4] = {0, 0, 0, 1};
- __u8 L[4] = {0, 0, 0, 128};
+ __u8 L128[4] = {0, 0, 0, 128};
+ __u8 L256[4] = {0, 0, 1, 0};
int rc = -EINVAL;
unsigned char prfhash[SMB2_HMACSHA256_SIZE];
unsigned char *hashptr = prfhash;
@@ -890,7 +891,11 @@ static int generate_key(struct ksmbd_session *sess, struct kvec label,
goto smb3signkey_ret;
}
- rc = crypto_shash_update(CRYPTO_HMACSHA256(ctx), L, 4);
+ if (sess->conn->cipher_type == SMB2_ENCRYPTION_AES256_CCM ||
+ sess->conn->cipher_type == SMB2_ENCRYPTION_AES256_GCM)
+ rc = crypto_shash_update(CRYPTO_HMACSHA256(ctx), L256, 4);
+ else
+ rc = crypto_shash_update(CRYPTO_HMACSHA256(ctx), L128, 4);
if (rc) {
ksmbd_debug(AUTH, "could not update with L\n");
goto smb3signkey_ret;
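Review bot: L256 versus L128 is selected from sess->conn->cipher_type here, not from the key size the caller requests from generate_key(). On an AES-256 connection every key derived through this function is therefore computed with L = 256, whatever its length; if generate_key() also derives keys that stay 16 bytes, please confirm the peer computes them the same way, or select L from the requested size instead. A one-line comment that L is the output length in bits, stored big-endian, would also explain `{0, 0, 1, 0}`.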
@@ -981,24 +986,33 @@ static int generate_smb3encryptionkey(struct ksmbd_session *sess,
rc = generate_key(sess, ptwin->encryption.label,
ptwin->encryption.context, sess->smb3encryptionkey,
- SMB3_SIGN_KEY_SIZE);
+ SMB3_ENC_DEC_KEY_SIZE);
if (rc)
return rc;
rc = generate_key(sess, ptwin->decryption.label,
ptwin->decryption.context,
- sess->smb3decryptionkey, SMB3_SIGN_KEY_SIZE);
+ sess->smb3decryptionkey, SMB3_ENC_DEC_KEY_SIZE);
if (rc)
return rc;
ksmbd_debug(AUTH, "dumping generated AES encryption keys\n");
+ ksmbd_debug(AUTH, "Cipher type %d\n", sess->conn->cipher_type);
ksmbd_debug(AUTH, "Session Id %llu\n", sess->id);
ksmbd_debug(AUTH, "Session Key %*ph\n",
SMB2_NTLMV2_SESSKEY_SIZE, sess->sess_key);
- ksmbd_debug(AUTH, "ServerIn Key %*ph\n",
- SMB3_SIGN_KEY_SIZE, sess->smb3encryptionkey);
- ksmbd_debug(AUTH, "ServerOut Key %*ph\n",
- SMB3_SIGN_KEY_SIZE, sess->smb3decryptionkey);
+ if (sess->conn->cipher_type == SMB2_ENCRYPTION_AES256_CCM ||
+ sess->conn->cipher_type == SMB2_ENCRYPTION_AES256_GCM) {
+ ksmbd_debug(AUTH, "ServerIn Key %*ph\n",
+ SMB3_GCM256_CRYPTKEY_SIZE, sess->smb3encryptionkey);
+ ksmbd_debug(AUTH, "ServerOut Key %*ph\n",
+ SMB3_GCM256_CRYPTKEY_SIZE, sess->smb3decryptionkey);
+ } else {
+ ksmbd_debug(AUTH, "ServerIn Key %*ph\n",
+ SMB3_GCM128_CRYPTKEY_SIZE, sess->smb3encryptionkey);
+ ksmbd_debug(AUTH, "ServerOut Key %*ph\n",
+ SMB3_GCM128_CRYPTKEY_SIZE, sess->smb3decryptionkey);
+ }
return rc;
}
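Review bot: The debug block now writes up to 32 bytes of each encryption and decryption key, next to the session key, into the kernel log through ksmbd_debug(AUTH, ...). Anyone able to read the log while AUTH debugging is enabled can decrypt the session, so consider dropping the key dumps or placing them behind a build-time option and keeping only the new `Cipher type %d` line. Both generate_key() calls also request SMB3_ENC_DEC_KEY_SIZE (32) bytes even when a 128-bit cipher was negotiated; a comment that only the first 16 bytes are used in that case would help the next reader.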
@@ -1136,7 +1150,7 @@ static int ksmbd_get_encryption_key(struct ksmbd_conn *conn, __u64 ses_id,
ses_enc_key = enc ? sess->smb3encryptionkey :
sess->smb3decryptionkey;
- memcpy(key, ses_enc_key, SMB3_SIGN_KEY_SIZE);
+ memcpy(key, ses_enc_key, SMB3_ENC_DEC_KEY_SIZE);
return 0;
}
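Review bot: The memcpy() now copies SMB3_ENC_DEC_KEY_SIZE (32) bytes into `key`, but ksmbd_get_encryption_key() cannot tell how large the caller's buffer is. The one caller visible in this patch is resized to match; any other caller still passing a 16-byte buffer would be overrun. Passing the buffer length in, or stating the required size in a comment at the function header, would make the contract explicit.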
@@ -1224,7 +1238,7 @@ int ksmbd_crypt_message(struct ksmbd_conn *conn, struct kvec *iov,
int rc = 0;
struct scatterlist *sg;
u8 sign[SMB2_SIGNATURE_SIZE] = {};
- u8 key[SMB3_SIGN_KEY_SIZE];
+ u8 key[SMB3_ENC_DEC_KEY_SIZE];
struct aead_request *req;
char *iv;
unsigned int iv_len;
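Review bot: `u8 key[SMB3_ENC_DEC_KEY_SIZE];` keeps a copy of the session's AEAD key on the stack, and nothing in the visible hunks of ksmbd_crypt_message() clears it before the function returns. Suggest memzero_explicit(key, sizeof(key)) on the exit paths, now that the copy holds a full 256-bit key.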
@@ -1241,7 +1255,8 @@ int ksmbd_crypt_message(struct ksmbd_conn *conn, struct kvec *iov,
return 0;
}
- if (conn->cipher_type == SMB2_ENCRYPTION_AES128_GCM)
+ if (conn->cipher_type == SMB2_ENCRYPTION_AES128_GCM ||
+ conn->cipher_type == SMB2_ENCRYPTION_AES256_GCM)
ctx = ksmbd_crypto_ctx_find_gcm();
else
ctx = ksmbd_crypto_ctx_find_ccm();
@@ -1250,12 +1265,17 @@ int ksmbd_crypt_message(struct ksmbd_conn *conn, struct kvec *iov,
return -EINVAL;
}
- if (conn->cipher_type == SMB2_ENCRYPTION_AES128_GCM)
+ if (conn->cipher_type == SMB2_ENCRYPTION_AES128_GCM ||
+ conn->cipher_type == SMB2_ENCRYPTION_AES256_GCM)
tfm = CRYPTO_GCM(ctx);
else
tfm = CRYPTO_CCM(ctx);
- rc = crypto_aead_setkey(tfm, key, SMB3_SIGN_KEY_SIZE);
+ if (conn->cipher_type == SMB2_ENCRYPTION_AES256_CCM ||
+ conn->cipher_type == SMB2_ENCRYPTION_AES256_GCM)
+ rc = crypto_aead_setkey(tfm, key, SMB3_GCM256_CRYPTKEY_SIZE);
+ else
+ rc = crypto_aead_setkey(tfm, key, SMB3_GCM128_CRYPTKEY_SIZE);
if (rc) {
ksmbd_err("Failed to set aead key %d\n", rc);
goto free_ctx;
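Review bot: The test `cipher_type == SMB2_ENCRYPTION_AES256_CCM || cipher_type == SMB2_ENCRYPTION_AES256_GCM` is open-coded here, in generate_key() and in generate_smb3encryptionkey(), and the matching GCM pair appears in this function several times. A small helper that returns the key length for a cipher type, plus one answering "is this GCM", would keep these sites from drifting apart when another cipher ID is added; the key length could then be computed once and passed to crypto_aead_setkey().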
@@ -1294,11 +1314,12 @@ int ksmbd_crypt_message(struct ksmbd_conn *conn, struct kvec *iov,
goto free_sg;
}
- if (conn->cipher_type == SMB2_ENCRYPTION_AES128_GCM) {
- memcpy(iv, (char *)tr_hdr->Nonce, SMB3_AES128GCM_NONCE);
+ if (conn->cipher_type == SMB2_ENCRYPTION_AES128_GCM ||
+ conn->cipher_type == SMB2_ENCRYPTION_AES256_GCM) {
+ memcpy(iv, (char *)tr_hdr->Nonce, SMB3_AES_GCM_NONCE);
} else {
iv[0] = 3;
- memcpy(iv + 1, (char *)tr_hdr->Nonce, SMB3_AES128CCM_NONCE);
+ memcpy(iv + 1, (char *)tr_hdr->Nonce, SMB3_AES_CCM_NONCE);
}
aead_request_set_crypt(req, sg, sg, crypt_len, iv);
diff --git a/fs/cifsd/crypto_ctx.c b/fs/cifsd/crypto_ctx.c
index 8322b0f7a7fc..1830ae1b5ed3 100644
--- a/fs/cifsd/crypto_ctx.c
+++ b/fs/cifsd/crypto_ctx.c
@@ -42,10 +42,10 @@ static struct crypto_aead *alloc_aead(int id)
struct crypto_aead *tfm = NULL;
switch (id) {
- case CRYPTO_AEAD_AES128_GCM:
+ case CRYPTO_AEAD_AES_GCM:
tfm = crypto_alloc_aead("gcm(aes)", 0, 0);
break;
- case CRYPTO_AEAD_AES128_CCM:
+ case CRYPTO_AEAD_AES_CCM:
tfm = crypto_alloc_aead("ccm(aes)", 0, 0);
break;
default:
@@ -248,12 +248,12 @@ static struct ksmbd_crypto_ctx *____crypto_aead_ctx_find(int id)
struct ksmbd_crypto_ctx *ksmbd_crypto_ctx_find_gcm(void)
{
- return ____crypto_aead_ctx_find(CRYPTO_AEAD_AES128_GCM);
+ return ____crypto_aead_ctx_find(CRYPTO_AEAD_AES_GCM);
}
struct ksmbd_crypto_ctx *ksmbd_crypto_ctx_find_ccm(void)
{
- return ____crypto_aead_ctx_find(CRYPTO_AEAD_AES128_CCM);
+ return ____crypto_aead_ctx_find(CRYPTO_AEAD_AES_CCM);
}
void ksmbd_crypto_destroy(void)
diff --git a/fs/cifsd/crypto_ctx.h b/fs/cifsd/crypto_ctx.h
index 64a11dfd6c83..b0d3cd650485 100644
--- a/fs/cifsd/crypto_ctx.h
+++ b/fs/cifsd/crypto_ctx.h
@@ -21,8 +21,8 @@ enum {
};
enum {
- CRYPTO_AEAD_AES128_GCM = 16,
- CRYPTO_AEAD_AES128_CCM,
+ CRYPTO_AEAD_AES_GCM = 16,
+ CRYPTO_AEAD_AES_CCM,
CRYPTO_AEAD_MAX,
};
@@ -55,8 +55,8 @@ struct ksmbd_crypto_ctx {
#define CRYPTO_MD4_TFM(c) ((c)->desc[CRYPTO_SHASH_MD4]->tfm)
#define CRYPTO_MD5_TFM(c) ((c)->desc[CRYPTO_SHASH_MD5]->tfm)
-#define CRYPTO_GCM(c) ((c)->ccmaes[CRYPTO_AEAD_AES128_GCM])
-#define CRYPTO_CCM(c) ((c)->ccmaes[CRYPTO_AEAD_AES128_CCM])
+#define CRYPTO_GCM(c) ((c)->ccmaes[CRYPTO_AEAD_AES_GCM])
+#define CRYPTO_CCM(c) ((c)->ccmaes[CRYPTO_AEAD_AES_CCM])
void ksmbd_release_crypto_ctx(struct ksmbd_crypto_ctx *ctx);
diff --git a/fs/cifsd/mgmt/user_session.h b/fs/cifsd/mgmt/user_session.h
index 72b40348bdc4..1709563d718b 100644
--- a/fs/cifsd/mgmt/user_session.h
+++ b/fs/cifsd/mgmt/user_session.h
@@ -56,8 +56,8 @@ struct ksmbd_session {
- __u8 smb3encryptionkey[SMB3_SIGN_KEY_SIZE];
- __u8 smb3decryptionkey[SMB3_SIGN_KEY_SIZE];
+ __u8 smb3encryptionkey[SMB3_ENC_DEC_KEY_SIZE];
+ __u8 smb3decryptionkey[SMB3_ENC_DEC_KEY_SIZE];
__u8 smb3signingkey[SMB3_SIGN_KEY_SIZE];
struct list_head sessions_entry;
diff --git a/fs/cifsd/smb2pdu.c b/fs/cifsd/smb2pdu.c
index ebae992f88a0..d07d7c45f899 100644
--- a/fs/cifsd/smb2pdu.c
+++ b/fs/cifsd/smb2pdu.c
@@ -904,7 +904,9 @@ static int decode_encrypt_ctxt(struct ksmbd_conn *conn,
for (i = 0; i < cph_cnt; i++) {
if (pneg_ctxt->Ciphers[i] == SMB2_ENCRYPTION_AES128_GCM ||
- pneg_ctxt->Ciphers[i] == SMB2_ENCRYPTION_AES128_CCM) {
+ pneg_ctxt->Ciphers[i] == SMB2_ENCRYPTION_AES128_CCM ||
+ pneg_ctxt->Ciphers[i] == SMB2_ENCRYPTION_AES256_CCM ||
+ pneg_ctxt->Ciphers[i] == SMB2_ENCRYPTION_AES256_GCM) {
ksmbd_debug(SMB, "Cipher ID = 0x%x\n",
pneg_ctxt->Ciphers[i]);
conn->cipher_type = pneg_ctxt->Ciphers[i];
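Review bot: The loop takes conn->cipher_type straight from the client's Ciphers[] list whenever an entry is one of the four supported IDs, so the negotiated strength follows the client's ordering and the server has no way to prefer AES-256 over AES-128. If that is deliberate, a comment would help; otherwise select by server preference among the offered IDs. The four-way comparison would also read better as a small helper.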
@@ -7979,10 +7981,11 @@ static void fill_transform_hdr(struct smb2_transform_hdr *tr_hdr, char *old_buf,
tr_hdr->ProtocolId = SMB2_TRANSFORM_PROTO_NUM;
tr_hdr->OriginalMessageSize = cpu_to_le32(orig_len);
tr_hdr->Flags = cpu_to_le16(0x01);
- if (cipher_type == SMB2_ENCRYPTION_AES128_GCM)
- get_random_bytes(&tr_hdr->Nonce, SMB3_AES128GCM_NONCE);
+ if (cipher_type == SMB2_ENCRYPTION_AES128_GCM ||
+ cipher_type == SMB2_ENCRYPTION_AES256_GCM)
+ get_random_bytes(&tr_hdr->Nonce, SMB3_AES_GCM_NONCE);
else
- get_random_bytes(&tr_hdr->Nonce, SMB3_AES128CCM_NONCE);
+ get_random_bytes(&tr_hdr->Nonce, SMB3_AES_CCM_NONCE);
memcpy(&tr_hdr->SessionId, &hdr->SessionId, 8);
inc_rfc1001_len(tr_hdr, sizeof(struct smb2_transform_hdr) - 4);
inc_rfc1001_len(tr_hdr, orig_len);
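Review bot: AES-256-GCM now shares the path that fills the 12-byte nonce with get_random_bytes() for every message. With randomly generated 96-bit nonces, NIST SP 800-38D limits a single key to 2^32 invocations, and nothing in these lines bounds the number of messages encrypted under one session key. A per-session counter-based nonce, or a documented rekey limit, would remove the collision risk. The `else` branch also treats any non-GCM cipher_type as CCM, which is worth a comment.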
diff --git a/fs/cifsd/smb2pdu.h b/fs/cifsd/smb2pdu.h
index 156ff6a2968b..c5c32610aafe 100644
--- a/fs/cifsd/smb2pdu.h
+++ b/fs/cifsd/smb2pdu.h
@@ -77,6 +77,13 @@
#define SMB2_SIGNATURE_SIZE 16
#define SMB2_HMACSHA256_SIZE 32
#define SMB2_CMACAES_SIZE 16
+#define SMB3_GCM128_CRYPTKEY_SIZE 16
+#define SMB3_GCM256_CRYPTKEY_SIZE 32
+
+/*
+ * Size of the smb3 encryption/decryption keys
+ */
+#define SMB3_ENC_DEC_KEY_SIZE 32
/*
* Size of the smb3 signing key
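Review bot: SMB3_GCM128_CRYPTKEY_SIZE and SMB3_GCM256_CRYPTKEY_SIZE are used in auth.c for the CCM ciphers as well, so the GCM in the names is misleading. Names without the mode would match the nonce renames in this same patch, where SMB3_AES_GCM_NONCE dropped the "128" for the same reason. It would also be safer to define SMB3_ENC_DEC_KEY_SIZE in terms of the 256-bit constant rather than as a second literal 32.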
@@ -151,8 +158,8 @@ struct smb2_pdu {
__le16 StructureSize2; /* size of wct area (varies, request specific) */
} __packed;
-#define SMB3_AES128CCM_NONCE 11
-#define SMB3_AES128GCM_NONCE 12
+#define SMB3_AES_CCM_NONCE 11
+#define SMB3_AES_GCM_NONCE 12
struct smb2_transform_hdr {
__be32 smb2_buf_length; /* big endian on wire */
@@ -283,13 +290,16 @@ struct smb2_preauth_neg_context {
/* Encryption Algorithms Ciphers */
#define SMB2_ENCRYPTION_AES128_CCM cpu_to_le16(0x0001)
#define SMB2_ENCRYPTION_AES128_GCM cpu_to_le16(0x0002)
+#define SMB2_ENCRYPTION_AES256_CCM cpu_to_le16(0x0003)
+#define SMB2_ENCRYPTION_AES256_GCM cpu_to_le16(0x0004)
struct smb2_encryption_neg_context {
__le16 ContextType; /* 2 */
__le16 DataLength;
__le32 Reserved;
- __le16 CipherCount; /* AES-128-GCM and AES-128-CCM */
- __le16 Ciphers[1]; /* Ciphers[0] since only one used now */
+ /* CipherCount usally 2, but can be 3 when AES256-GCM enabled */
+ __le16 CipherCount; /* AES-128-GCM and AES-128-CCM by default */
+ __le16 Ciphers[1];
} __packed;
#define SMB3_COMPRESS_NONE cpu_to_le16(0x0000)
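Review bot: The new comment says CipherCount can be 3, but this patch adds two IDs (AES256_CCM and AES256_GCM), so a client may offer four; "usally" is also a typo. Ciphers[] stays declared with a single element while decode_encrypt_ctxt() indexes it up to the received count, so a flexible array member would describe the wire layout more accurately and keep bounds checkers quiet.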
From patchwork Mon Nov 14 12:49:28 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Jason Yan <yanaijie(a)huawei.com>
X-Patchwork-Id: 183156
Return-Path: <yanaijie(a)huawei.com>
From: Jason Yan <yanaijie(a)huawei.com>
To: <yanaijie(a)huawei.com>, <zhengzengkai(a)huawei.com>, <xiexiuqi(a)huawei.com>,
<yi.zhang(a)huawei.com>, <patchwork(a)huawei.com>, <kernel.openeuler(a)huawei.com>,
<houtao1(a)huawei.com>
Subject: [PATCH OLK-5.10 v2 059/308] cifsd: fix invalid memory access in
smb2_write()
Date: Mon, 14 Nov 2022 20:49:28 +0800
Message-ID: <20221114125337.1831594-60-yanaijie(a)huawei.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20221114125337.1831594-1-yanaijie(a)huawei.com>
References: <20221114125337.1831594-1-yanaijie(a)huawei.com>
Content-Type: text/plain
From: Namjae Jeon <namjae.jeon(a)samsung.com>
mainline inclusion
from mainline-5.15-rc1
commit bcd62a368314deeea8bd0823399b649a236b7d5b
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G
CVE: NA
Reference: https://git.kernel.org/torvalds/linux/c/bcd62a368314
-------------------------------
Add missing fp initialization to prevent invalid memory access in
smb2_write().
Reported-by: Coverity Scan <scan-admin(a)coverity.com>
Signed-off-by: Namjae Jeon <namjae.jeon(a)samsung.com>
Signed-off-by: Steve French <stfrench(a)microsoft.com>
Signed-off-by: Jason Yan <yanaijie(a)huawei.com>
---
fs/cifsd/smb2pdu.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/fs/cifsd/smb2pdu.c b/fs/cifsd/smb2pdu.c
index d07d7c45f899..18de8a763209 100644
--- a/fs/cifsd/smb2pdu.c
+++ b/fs/cifsd/smb2pdu.c
@@ -6078,7 +6078,7 @@ int smb2_write(struct ksmbd_work *work)
{
struct smb2_write_req *req;
struct smb2_write_rsp *rsp, *rsp_org;
- struct ksmbd_file *fp;
+ struct ksmbd_file *fp = NULL;
loff_t offset;
size_t length;
ssize_t nbytes;
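Review bot: Initialising fp to NULL only removes the invalid access if the code reached on the early-error path accepts a NULL fp, and that path is not part of this hunk. Please name in the commit message which exit uses fp before it is assigned, and confirm that the release call made there is NULL-safe.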
From patchwork Mon Nov 14 12:49:29 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Jason Yan <yanaijie(a)huawei.com>
X-Patchwork-Id: 183157
Return-Path: <yanaijie(a)huawei.com>
From: Jason Yan <yanaijie(a)huawei.com>
To: <yanaijie(a)huawei.com>, <zhengzengkai(a)huawei.com>, <xiexiuqi(a)huawei.com>,
<yi.zhang(a)huawei.com>, <patchwork(a)huawei.com>, <kernel.openeuler(a)huawei.com>,
<houtao1(a)huawei.com>
Subject: [PATCH OLK-5.10 v2 060/308] cifsd: decoding gss token using
lib/asn1_decoder.c
Date: Mon, 14 Nov 2022 20:49:29 +0800
Message-ID: <20221114125337.1831594-61-yanaijie(a)huawei.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20221114125337.1831594-1-yanaijie(a)huawei.com>
References: <20221114125337.1831594-1-yanaijie(a)huawei.com>
Content-Type: text/plain
From: Hyunchul Lee <hyc.lee(a)gmail.com>
mainline inclusion
from mainline-5.15-rc1
commit fad4161b5cd01a24202234976ebbb133f7adc0b5
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G
CVE: NA
Reference: https://git.kernel.org/torvalds/linux/c/fad4161b5cd0
-------------------------------
Decode gss token of SMB2_SESSSION_SETUP using
lib/asn1_decoder.c
Signed-off-by: Hyunchul Lee <hyc.lee(a)gmail.com>
Signed-off-by: Namjae Jeon <namjae.jeon(a)samsung.com>
Signed-off-by: Steve French <stfrench(a)microsoft.com>
Signed-off-by: Jason Yan <yanaijie(a)huawei.com>
---
fs/cifsd/asn1.c | 614 +++++++-----------------------
fs/cifsd/smb2pdu.c | 4 +-
fs/cifsd/spnego_negtokeninit.asn1 | 43 +++
fs/cifsd/spnego_negtokentarg.asn1 | 19 +
4 files changed, 196 insertions(+), 484 deletions(-)
create mode 100644 fs/cifsd/spnego_negtokeninit.asn1
create mode 100644 fs/cifsd/spnego_negtokentarg.asn1
diff --git a/fs/cifsd/asn1.c b/fs/cifsd/asn1.c
index aa702b665849..aa6ea855c422 100644
--- a/fs/cifsd/asn1.c
+++ b/fs/cifsd/asn1.c
@@ -11,61 +11,15 @@
#include <linux/kernel.h>
#include <linux/mm.h>
#include <linux/slab.h>
+#include <linux/oid_registry.h>
#include "glob.h"
#include "asn1.h"
#include "connection.h"
#include "auth.h"
-
-/*****************************************************************************
- *
- * Basic ASN.1 decoding routines (gxsnmp author Dirk Wisse)
- *
- *****************************************************************************/
-
-/* Class */
-#define ASN1_UNI 0 /* Universal */
-#define ASN1_APL 1 /* Application */
-#define ASN1_CTX 2 /* Context */
-#define ASN1_PRV 3 /* Private */
-
-/* Tag */
-#define ASN1_EOC 0 /* End Of Contents or N/A */
-#define ASN1_BOL 1 /* Boolean */
-#define ASN1_INT 2 /* Integer */
-#define ASN1_BTS 3 /* Bit String */
-#define ASN1_OTS 4 /* Octet String */
-#define ASN1_NUL 5 /* Null */
-#define ASN1_OJI 6 /* Object Identifier */
-#define ASN1_OJD 7 /* Object Description */
-#define ASN1_EXT 8 /* External */
-#define ASN1_ENUM 10 /* Enumerated */
-#define ASN1_SEQ 16 /* Sequence */
-#define ASN1_SET 17 /* Set */
-#define ASN1_NUMSTR 18 /* Numerical String */
-#define ASN1_PRNSTR 19 /* Printable String */
-#define ASN1_TEXSTR 20 /* Teletext String */
-#define ASN1_VIDSTR 21 /* Video String */
-#define ASN1_IA5STR 22 /* IA5 String */
-#define ASN1_UNITIM 23 /* Universal Time */
-#define ASN1_GENTIM 24 /* General Time */
-#define ASN1_GRASTR 25 /* Graphical String */
-#define ASN1_VISSTR 26 /* Visible String */
-#define ASN1_GENSTR 27 /* General String */
-
-/* Primitive / Constructed methods*/
-#define ASN1_PRI 0 /* Primitive */
-#define ASN1_CON 1 /* Constructed */
-
-/*
- * Error codes.
- */
-#define ASN1_ERR_NOERROR 0
-#define ASN1_ERR_DEC_EMPTY 2
-#define ASN1_ERR_DEC_EOC_MISMATCH 3
-#define ASN1_ERR_DEC_LENGTH_MISMATCH 4
-#define ASN1_ERR_DEC_BADVALUE 5
+#include "spnego_negtokeninit.asn1.h"
+#include "spnego_negtokentarg.asn1.h"
#define SPNEGO_OID_LEN 7
#define NTLMSSP_OID_LEN 10
@@ -81,212 +35,49 @@ static unsigned long MSKRB5_OID[7] = { 1, 2, 840, 48018, 1, 2, 2 };
static char NTLMSSP_OID_STR[NTLMSSP_OID_LEN] = { 0x2b, 0x06, 0x01, 0x04, 0x01,
0x82, 0x37, 0x02, 0x02, 0x0a };
-/*
- * ASN.1 context.
- */
-struct asn1_ctx {
- int error; /* Error condition */
- unsigned char *pointer; /* Octet just to be decoded */
- unsigned char *begin; /* First octet */
- unsigned char *end; /* Octet after last octet */
-};
-
-/*
- * Octet string (not null terminated)
- */
-struct asn1_octstr {
- unsigned char *data;
- unsigned int len;
-};
-
-static void
-asn1_open(struct asn1_ctx *ctx, unsigned char *buf, unsigned int len)
-{
- ctx->begin = buf;
- ctx->end = buf + len;
- ctx->pointer = buf;
- ctx->error = ASN1_ERR_NOERROR;
-}
-
-static unsigned char
-asn1_octet_decode(struct asn1_ctx *ctx, unsigned char *ch)
-{
- if (ctx->pointer >= ctx->end) {
- ctx->error = ASN1_ERR_DEC_EMPTY;
- return 0;
- }
- *ch = *(ctx->pointer)++;
- return 1;
-}
-
-static unsigned char
-asn1_tag_decode(struct asn1_ctx *ctx, unsigned int *tag)
-{
- unsigned char ch;
-
- *tag = 0;
-
- do {
- if (!asn1_octet_decode(ctx, &ch))
- return 0;
- *tag <<= 7;
- *tag |= ch & 0x7F;
- } while ((ch & 0x80) == 0x80);
- return 1;
-}
-
-static unsigned char
-asn1_id_decode(struct asn1_ctx *ctx,
- unsigned int *cls, unsigned int *con, unsigned int *tag)
-{
- unsigned char ch;
-
- if (!asn1_octet_decode(ctx, &ch))
- return 0;
-
- *cls = (ch & 0xC0) >> 6;
- *con = (ch & 0x20) >> 5;
- *tag = (ch & 0x1F);
-
- if (*tag == 0x1F) {
- if (!asn1_tag_decode(ctx, tag))
- return 0;
- }
- return 1;
-}
-
-static unsigned char
-asn1_length_decode(struct asn1_ctx *ctx, unsigned int *def, unsigned int *len)
-{
- unsigned char ch, cnt;
-
- if (!asn1_octet_decode(ctx, &ch))
- return 0;
-
- if (ch == 0x80)
- *def = 0;
- else {
- *def = 1;
-
- if (ch < 0x80)
- *len = ch;
- else {
- cnt = (unsigned char) (ch & 0x7F);
- *len = 0;
-
- while (cnt > 0) {
- if (!asn1_octet_decode(ctx, &ch))
- return 0;
- *len <<= 8;
- *len |= ch;
- cnt--;
- }
- }
- }
-
- /* don't trust len bigger than ctx buffer */
- if (*len > ctx->end - ctx->pointer)
- return 0;
-
- return 1;
-}
-
-static unsigned char
-asn1_header_decode(struct asn1_ctx *ctx,
- unsigned char **eoc,
- unsigned int *cls, unsigned int *con, unsigned int *tag)
-{
- unsigned int def = 0;
- unsigned int len = 0;
-
- if (!asn1_id_decode(ctx, cls, con, tag))
- return 0;
-
- if (!asn1_length_decode(ctx, &def, &len))
- return 0;
-
- /* primitive shall be definite, indefinite shall be constructed */
- if (*con == ASN1_PRI && !def)
- return 0;
-
- if (def)
- *eoc = ctx->pointer + len;
- else
- *eoc = NULL;
- return 1;
-}
-
-static unsigned char
-asn1_eoc_decode(struct asn1_ctx *ctx, unsigned char *eoc)
-{
- unsigned char ch;
-
- if (!eoc) {
- if (!asn1_octet_decode(ctx, &ch))
- return 0;
-
- if (ch != 0x00) {
- ctx->error = ASN1_ERR_DEC_EOC_MISMATCH;
- return 0;
- }
-
- if (!asn1_octet_decode(ctx, &ch))
- return 0;
-
- if (ch != 0x00) {
- ctx->error = ASN1_ERR_DEC_EOC_MISMATCH;
- return 0;
- }
- } else {
- if (ctx->pointer != eoc) {
- ctx->error = ASN1_ERR_DEC_LENGTH_MISMATCH;
- return 0;
- }
- }
- return 1;
-}
-
-static unsigned char
-asn1_subid_decode(struct asn1_ctx *ctx, unsigned long *subid)
+static bool
+asn1_subid_decode(const unsigned char **begin, const unsigned char *end,
+ unsigned long *subid)
{
+ const unsigned char *ptr = *begin;
unsigned char ch;
*subid = 0;
do {
- if (!asn1_octet_decode(ctx, &ch))
- return 0;
+ if (ptr >= end)
+ return false;
+ ch = *ptr++;
*subid <<= 7;
*subid |= ch & 0x7F;
} while ((ch & 0x80) == 0x80);
- return 1;
+
+ *begin = ptr;
+ return true;
}
-static int
-asn1_oid_decode(struct asn1_ctx *ctx,
- unsigned char *eoc, unsigned long **oid, unsigned int *len)
+static bool asn1_oid_decode(const unsigned char *value, size_t vlen,
+ unsigned long **oid, size_t *oidlen)
{
- unsigned long subid;
- unsigned int size;
+ const unsigned char *iptr = value, *end = value + vlen;
unsigned long *optr;
+ unsigned long subid;
- size = eoc - ctx->pointer + 1;
-
- /* first subid actually encodes first two subids */
- if (size < 2 || size > UINT_MAX/sizeof(unsigned long))
- return 0;
+ vlen += 1;
+ if (vlen < 2 || vlen > UINT_MAX/sizeof(unsigned long))
+ return false;
- *oid = kmalloc(size * sizeof(unsigned long), GFP_KERNEL);
+ *oid = kmalloc(vlen * sizeof(unsigned long), GFP_KERNEL);
if (!*oid)
- return 0;
+ return false;
optr = *oid;
- if (!asn1_subid_decode(ctx, &subid)) {
+ if (!asn1_subid_decode(&iptr, end, &subid)) {
kfree(*oid);
*oid = NULL;
- return 0;
+ return false;
}
if (subid < 40) {
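Review bot: In asn1_oid_decode() the input parameter vlen is incremented and then reused as the element count, and although it is now a size_t it is still checked against UINT_MAX/sizeof(unsigned long). A separate local for the count, sized with kmalloc_array(), would make the allocation bound easier to audit. In asn1_subid_decode(), `*subid <<= 7` runs for every continuation byte with no limit, so a long run of bytes with the 0x80 bit set silently overflows the unsigned long; rejecting sub-identifiers wider than the word is the stricter parse for a token that comes from the network.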
@@ -300,285 +91,55 @@ asn1_oid_decode(struct asn1_ctx *ctx,
optr[1] = subid - 80;
}
- *len = 2;
+ *oidlen = 2;
optr += 2;
- while (ctx->pointer < eoc) {
- if (++(*len) > size) {
- ctx->error = ASN1_ERR_DEC_BADVALUE;
+ while (iptr < end) {
+ if (++(*oidlen) > vlen) {
kfree(*oid);
*oid = NULL;
- return 0;
+ return false;
}
- if (!asn1_subid_decode(ctx, optr++)) {
+ if (!asn1_subid_decode(&iptr, end, optr++)) {
kfree(*oid);
*oid = NULL;
- return 0;
+ return false;
}
}
- return 1;
+ return true;
}
-static int
-compare_oid(unsigned long *oid1, unsigned int oid1len,
- unsigned long *oid2, unsigned int oid2len)
+static bool
+oid_eq(unsigned long *oid1, unsigned int oid1len,
+ unsigned long *oid2, unsigned int oid2len)
{
unsigned int i;
if (oid1len != oid2len)
- return 0;
+ return false;
for (i = 0; i < oid1len; i++) {
if (oid1[i] != oid2[i])
- return 0;
+ return false;
}
- return 1;
+ return true;
}
-/* BB check for endian conversion issues here */
-
int
ksmbd_decode_negTokenInit(unsigned char *security_blob, int length,
- struct ksmbd_conn *conn)
+ struct ksmbd_conn *conn)
{
- struct asn1_ctx ctx;
- unsigned char *end;
- unsigned char *sequence_end;
- unsigned long *oid = NULL;
- unsigned int cls, con, tag, oidlen, rc, mechTokenlen;
- unsigned int mech_type;
-
- ksmbd_debug(AUTH, "Received SecBlob: length %d\n", length);
-
- asn1_open(&ctx, security_blob, length);
-
- /* GSSAPI header */
- if (asn1_header_decode(&ctx, &end, &cls, &con, &tag) == 0) {
- ksmbd_debug(AUTH, "Error decoding negTokenInit header\n");
- return 0;
- } else if ((cls != ASN1_APL) || (con != ASN1_CON)
- || (tag != ASN1_EOC)) {
- ksmbd_debug(AUTH, "cls = %d con = %d tag = %d\n", cls, con,
- tag);
- return 0;
- }
-
- /* Check for SPNEGO OID -- remember to free obj->oid */
- rc = asn1_header_decode(&ctx, &end, &cls, &con, &tag);
- if (rc) {
- if ((tag == ASN1_OJI) && (con == ASN1_PRI) &&
- (cls == ASN1_UNI)) {
- rc = asn1_oid_decode(&ctx, end, &oid, &oidlen);
- if (rc) {
- rc = compare_oid(oid, oidlen, SPNEGO_OID,
- SPNEGO_OID_LEN);
- kfree(oid);
- }
- } else
- rc = 0;
- }
-
- /* SPNEGO OID not present or garbled -- bail out */
- if (!rc) {
- ksmbd_debug(AUTH, "Error decoding negTokenInit header\n");
- return 0;
- }
-
- /* SPNEGO */
- if (asn1_header_decode(&ctx, &end, &cls, &con, &tag) == 0) {
- ksmbd_debug(AUTH, "Error decoding negTokenInit\n");
- return 0;
- } else if ((cls != ASN1_CTX) || (con != ASN1_CON)
- || (tag != ASN1_EOC)) {
- ksmbd_debug(AUTH,
- "cls = %d con = %d tag = %d end = %p (%d) exit 0\n",
- cls, con, tag, end, *end);
- return 0;
- }
-
- /* negTokenInit */
- if (asn1_header_decode(&ctx, &end, &cls, &con, &tag) == 0) {
- ksmbd_debug(AUTH, "Error decoding negTokenInit\n");
- return 0;
- } else if ((cls != ASN1_UNI) || (con != ASN1_CON)
- || (tag != ASN1_SEQ)) {
- ksmbd_debug(AUTH,
- "cls = %d con = %d tag = %d end = %p (%d) exit 1\n",
- cls, con, tag, end, *end);
- return 0;
- }
-
- /* sequence */
- if (asn1_header_decode(&ctx, &end, &cls, &con, &tag) == 0) {
- ksmbd_debug(AUTH, "Error decoding 2nd part of negTokenInit\n");
- return 0;
- } else if ((cls != ASN1_CTX) || (con != ASN1_CON)
- || (tag != ASN1_EOC)) {
- ksmbd_debug(AUTH,
- "cls = %d con = %d tag = %d end = %p (%d) exit 0\n",
- cls, con, tag, end, *end);
- return 0;
- }
-
- /* sequence of */
- if (asn1_header_decode
- (&ctx, &sequence_end, &cls, &con, &tag) == 0) {
- ksmbd_debug(AUTH, "Error decoding 2nd part of negTokenInit\n");
- return 0;
- } else if ((cls != ASN1_UNI) || (con != ASN1_CON)
- || (tag != ASN1_SEQ)) {
- ksmbd_debug(AUTH,
- "cls = %d con = %d tag = %d end = %p (%d) exit 1\n",
- cls, con, tag, end, *end);
- return 0;
- }
-
- /* list of security mechanisms */
- while (!asn1_eoc_decode(&ctx, sequence_end)) {
- rc = asn1_header_decode(&ctx, &end, &cls, &con, &tag);
- if (!rc) {
- ksmbd_debug(AUTH,
- "Error decoding negTokenInit hdr exit2\n");
- return 0;
- }
- if ((tag == ASN1_OJI) && (con == ASN1_PRI)) {
- if (asn1_oid_decode(&ctx, end, &oid, &oidlen)) {
- if (compare_oid(oid, oidlen, MSKRB5_OID,
- MSKRB5_OID_LEN))
- mech_type = KSMBD_AUTH_MSKRB5;
- else if (compare_oid(oid, oidlen, KRB5U2U_OID,
- KRB5U2U_OID_LEN))
- mech_type = KSMBD_AUTH_KRB5U2U;
- else if (compare_oid(oid, oidlen, KRB5_OID,
- KRB5_OID_LEN))
- mech_type = KSMBD_AUTH_KRB5;
- else if (compare_oid(oid, oidlen, NTLMSSP_OID,
- NTLMSSP_OID_LEN))
- mech_type = KSMBD_AUTH_NTLMSSP;
- else {
- kfree(oid);
- continue;
- }
-
- conn->auth_mechs |= mech_type;
- if (conn->preferred_auth_mech == 0)
- conn->preferred_auth_mech = mech_type;
- kfree(oid);
- }
- } else {
- ksmbd_debug(AUTH,
- "Should be an oid what is going on?\n");
- }
- }
-
- /* sequence */
- if (asn1_header_decode(&ctx, &end, &cls, &con, &tag) == 0) {
- ksmbd_debug(AUTH, "Error decoding 2nd part of negTokenInit\n");
- return 0;
- } else if ((cls != ASN1_CTX) || (con != ASN1_CON)
- || (tag != ASN1_INT)) {
- ksmbd_debug(AUTH,
- "cls = %d con = %d tag = %d end = %p (%d) exit 0\n",
- cls, con, tag, end, *end);
- return 0;
- }
-
- /* sequence of */
- if (asn1_header_decode(&ctx, &end, &cls, &con, &tag) == 0) {
- ksmbd_debug(AUTH, "Error decoding 2nd part of negTokenInit\n");
- return 0;
- } else if ((cls != ASN1_UNI) || (con != ASN1_PRI)
- || (tag != ASN1_OTS)) {
- ksmbd_debug(AUTH,
- "cls = %d con = %d tag = %d end = %p (%d) exit 0\n",
- cls, con, tag, end, *end);
- return 0;
- }
-
- mechTokenlen = ctx.end - ctx.pointer;
- conn->mechToken = kmalloc(mechTokenlen + 1, GFP_KERNEL);
- if (!conn->mechToken) {
- ksmbd_err("memory allocation error\n");
- return 0;
- }
-
- memcpy(conn->mechToken, ctx.pointer, mechTokenlen);
- conn->mechToken[mechTokenlen] = '\0';
-
- return 1;
+ return asn1_ber_decoder(&spnego_negtokeninit_decoder, conn,
+ security_blob, length);
}
int
ksmbd_decode_negTokenTarg(unsigned char *security_blob, int length,
- struct ksmbd_conn *conn)
+ struct ksmbd_conn *conn)
{
- struct asn1_ctx ctx;
- unsigned char *end;
- unsigned int cls, con, tag, mechTokenlen;
-
- ksmbd_debug(AUTH, "Received Auth SecBlob: length %d\n", length);
-
- asn1_open(&ctx, security_blob, length);
-
- /* GSSAPI header */
- if (asn1_header_decode(&ctx, &end, &cls, &con, &tag) == 0) {
- ksmbd_debug(AUTH, "Error decoding negTokenInit header\n");
- return 0;
- } else if ((cls != ASN1_CTX) || (con != ASN1_CON)
- || (tag != ASN1_BOL)) {
- ksmbd_debug(AUTH, "cls = %d con = %d tag = %d\n", cls, con,
- tag);
- return 0;
- }
-
- /* SPNEGO */
- if (asn1_header_decode(&ctx, &end, &cls, &con, &tag) == 0) {
- ksmbd_debug(AUTH, "Error decoding negTokenInit\n");
- return 0;
- } else if ((cls != ASN1_UNI) || (con != ASN1_CON)
- || (tag != ASN1_SEQ)) {
- ksmbd_debug(AUTH,
- "cls = %d con = %d tag = %d end = %p (%d) exit 0\n",
- cls, con, tag, end, *end);
- return 0;
- }
-
- /* negTokenTarg */
- if (asn1_header_decode(&ctx, &end, &cls, &con, &tag) == 0) {
- ksmbd_debug(AUTH, "Error decoding negTokenInit\n");
- return 0;
- } else if ((cls != ASN1_CTX) || (con != ASN1_CON)
- || (tag != ASN1_INT)) {
- ksmbd_debug(AUTH,
- "cls = %d con = %d tag = %d end = %p (%d) exit 1\n",
- cls, con, tag, end, *end);
- return 0;
- }
-
- /* negTokenTarg */
- if (asn1_header_decode(&ctx, &end, &cls, &con, &tag) == 0) {
- ksmbd_debug(AUTH, "Error decoding negTokenInit\n");
- return 0;
- } else if ((cls != ASN1_UNI) || (con != ASN1_PRI)
- || (tag != ASN1_OTS)) {
- ksmbd_debug(AUTH,
- "cls = %d con = %d tag = %d end = %p (%d) exit 1\n",
- cls, con, tag, end, *end);
- return 0;
- }
-
- mechTokenlen = ctx.end - ctx.pointer;
- conn->mechToken = kmalloc(mechTokenlen + 1, GFP_KERNEL);
- if (!conn->mechToken) {
- ksmbd_err("memory allocation error\n");
- return 0;
- }
-
- memcpy(conn->mechToken, ctx.pointer, mechTokenlen);
- conn->mechToken[mechTokenlen] = '\0';
-
- return 1;
+ return asn1_ber_decoder(&spnego_negtokentarg_decoder, conn,
+ security_blob, length);
}
static int compute_asn_hdr_len_bytes(int len)
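Review bot: ksmbd_decode_negTokenInit() and ksmbd_decode_negTokenTarg() now return the result of asn1_ber_decoder() directly, which inverts their contract: the removed bodies returned 1 on success and 0 on failure, while the new ones return 0 on success and a non-zero error. Neither function carries a comment stating this, so any caller not updated in the same patch would silently take the wrong branch; a short kernel-doc block with a `Return:` line on both would document it. Separately, oid_eq() keeps `unsigned int` length parameters while asn1_oid_decode() now reports its length through `size_t *oidlen`; using one type for both avoids an implicit narrowing at the call sites.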
@@ -700,3 +261,92 @@ int build_spnego_ntlmssp_auth_blob(unsigned char **pbuffer, u16 *buflen,
*buflen = total_len;
return 0;
}
+
+int gssapi_this_mech(void *context, size_t hdrlen,
+ unsigned char tag, const void *value, size_t vlen)
+{
+ unsigned long *oid;
+ size_t oidlen;
+ int err = 0;
+
+ if (!asn1_oid_decode(value, vlen, &oid, &oidlen)) {
+ err = -EBADMSG;
+ goto out;
+ }
+
+ if (!oid_eq(oid, oidlen, SPNEGO_OID, SPNEGO_OID_LEN))
+ err = -EBADMSG;
+ kfree(oid);
+out:
+ if (err) {
+ char buf[50];
+
+ sprint_oid(value, vlen, buf, sizeof(buf));
+ ksmbd_debug(AUTH, "Unexpected OID: %s\n", buf);
+ }
+ return err;
+}
+
+int neg_token_init_mech_type(void *context, size_t hdrlen,
+ unsigned char tag, const void *value, size_t vlen)
+{
+ struct ksmbd_conn *conn = context;
+ unsigned long *oid;
+ size_t oidlen;
+ int mech_type;
+
+ if (!asn1_oid_decode(value, vlen, &oid, &oidlen)) {
+ char buf[50];
+
+ sprint_oid(value, vlen, buf, sizeof(buf));
+ ksmbd_debug(AUTH, "Unexpected OID: %s\n", buf);
+ return -EBADMSG;
+ }
+
+ if (oid_eq(oid, oidlen, NTLMSSP_OID, NTLMSSP_OID_LEN))
+ mech_type = KSMBD_AUTH_NTLMSSP;
+ else if (oid_eq(oid, oidlen, MSKRB5_OID, MSKRB5_OID_LEN))
+ mech_type = KSMBD_AUTH_MSKRB5;
+ else if (oid_eq(oid, oidlen, KRB5_OID, KRB5_OID_LEN))
+ mech_type = KSMBD_AUTH_KRB5;
+ else if (oid_eq(oid, oidlen, KRB5U2U_OID, KRB5U2U_OID_LEN))
+ mech_type = KSMBD_AUTH_KRB5U2U;
+ else
+ goto out;
+
+ conn->auth_mechs |= mech_type;
+ if (conn->preferred_auth_mech == 0)
+ conn->preferred_auth_mech = mech_type;
+
+out:
+ kfree(oid);
+ return 0;
+}
+
+int neg_token_init_mech_token(void *context, size_t hdrlen,
+ unsigned char tag, const void *value, size_t vlen)
+{
+ struct ksmbd_conn *conn = context;
+
+ conn->mechToken = kmalloc(vlen + 1, GFP_KERNEL);
+ if (!conn->mechToken)
+ return -ENOMEM;
+
+ memcpy(conn->mechToken, value, vlen);
+ conn->mechToken[vlen] = '\0';
+ return 0;
+}
+
+int neg_token_targ_resp_token(void *context, size_t hdrlen,
+ unsigned char tag, const void *value, size_t vlen)
+{
+ struct ksmbd_conn *conn = context;
+
+ conn->mechToken = kmalloc(vlen + 1, GFP_KERNEL);
+ if (!conn->mechToken)
+ return -ENOMEM;
+
+ memcpy(conn->mechToken, value, vlen);
+ conn->mechToken[vlen] = '\0';
+ return 0;
+}
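Review bot: neg_token_init_mech_token() and neg_token_targ_resp_token() assign a fresh kmalloc() result to conn->mechToken without checking or freeing a value already stored there, so if either decoder runs more than once on the same connection the earlier buffer is leaked. Freeing the old pointer first (kfree() accepts NULL) or rejecting a second token would close that. The two bodies are identical and could share one static helper. In neg_token_init_mech_type(), a failed asn1_oid_decode() is logged as "Unexpected OID", which reads as a mismatch rather than a decode error.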
diff --git a/fs/cifsd/smb2pdu.c b/fs/cifsd/smb2pdu.c
index 18de8a763209..92b5020ae778 100644
--- a/fs/cifsd/smb2pdu.c
+++ b/fs/cifsd/smb2pdu.c
@@ -1194,8 +1194,8 @@ static int decode_negotiation_token(struct ksmbd_work *work,
req = work->request_buf;
sz = le16_to_cpu(req->SecurityBufferLength);
- if (!ksmbd_decode_negTokenInit((char *)negblob, sz, conn)) {
- if (!ksmbd_decode_negTokenTarg((char *)negblob, sz, conn)) {
+ if (ksmbd_decode_negTokenInit((char *)negblob, sz, conn)) {
+ if (ksmbd_decode_negTokenTarg((char *)negblob, sz, conn)) {
conn->auth_mechs |= KSMBD_AUTH_NTLMSSP;
conn->preferred_auth_mech = KSMBD_AUTH_NTLMSSP;
conn->use_spnego = false;
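Review bot: Both conditions in decode_negotiation_token() now treat any non-zero return as "not a SPNEGO blob" and fall back to raw NTLMSSP with `conn->use_spnego = false`, but the new decoder callbacks can also return -ENOMEM. An allocation failure while copying the mech token would therefore be handled as a protocol fallback instead of being reported. Consider capturing the return value and propagating -ENOMEM, falling back only on a decode error such as -EBADMSG.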
diff --git a/fs/cifsd/spnego_negtokeninit.asn1 b/fs/cifsd/spnego_negtokeninit.asn1
new file mode 100644
index 000000000000..1b153cb6a39e
--- /dev/null
+++ b/fs/cifsd/spnego_negtokeninit.asn1
@@ -0,0 +1,43 @@
+GSSAPI ::=
+ [APPLICATION 0] IMPLICIT SEQUENCE {
+ thisMech
+ OBJECT IDENTIFIER ({gssapi_this_mech}),
+ negotiationToken
+ NegotiationToken
+ }
+
+MechType ::= OBJECT IDENTIFIER ({neg_token_init_mech_type})
+
+MechTypeList ::= SEQUENCE OF MechType
+
+NegTokenInit ::=
+ SEQUENCE {
+ mechTypes
+ [0] MechTypeList,
+ reqFlags
+ [1] BIT STRING OPTIONAL,
+ mechToken
+ [2] OCTET STRING OPTIONAL ({neg_token_init_mech_token}),
+ mechListMIC
+ [3] OCTET STRING OPTIONAL
+ }
+
+NegTokenTarg ::=
+ SEQUENCE {
+ negResult
+ [0] ENUMERATED OPTIONAL,
+ supportedMech
+ [1] OBJECT IDENTIFIER OPTIONAL,
+ responseToken
+ [2] OCTET STRING OPTIONAL ({neg_token_targ_resp_token}),
+ mechListMIC
+ [3] OCTET STRING OPTIONAL
+ }
+
+NegotiationToken ::=
+ CHOICE {
+ negTokenInit
+ [0] NegTokenInit,
+ negTokenTarg
+ [1] ANY
+ }
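Review bot: NegTokenTarg is defined in this grammar, with the neg_token_targ_resp_token action on responseToken, but nothing references it: NegotiationToken maps negTokenTarg to `[1] ANY`. Either point the CHOICE at NegTokenTarg or drop the definition here, since the same type is defined again in spnego_negtokentarg.asn1 and the two copies can drift apart. A leading comment naming the specification the grammar is taken from would also help reviewers check the tags.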
diff --git a/fs/cifsd/spnego_negtokentarg.asn1 b/fs/cifsd/spnego_negtokentarg.asn1
new file mode 100644
index 000000000000..8324bcd1bbd7
--- /dev/null
+++ b/fs/cifsd/spnego_negtokentarg.asn1
@@ -0,0 +1,19 @@
+GSSAPI ::=
+ CHOICE {
+ negTokenInit
+ [0] ANY,
+ negTokenTarg
+ [1] NegTokenTarg
+ }
+
+NegTokenTarg ::=
+ SEQUENCE {
+ negResult
+ [0] ENUMERATED OPTIONAL,
+ supportedMech
+ [1] OBJECT IDENTIFIER OPTIONAL,
+ responseToken
+ [2] OCTET STRING OPTIONAL ({neg_token_targ_resp_token}),
+ mechListMIC
+ [3] OCTET STRING OPTIONAL
+ }
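Review bot: The top-level type is named GSSAPI, but unlike the type of the same name in spnego_negtokeninit.asn1 it has no `[APPLICATION 0]` wrapper or thisMech OID and is really the bare NegotiationToken CHOICE. Naming it NegotiationToken, or adding a comment that this grammar parses the unwrapped response form, would avoid confusing the two. As in the other file, a comment citing the source specification is missing.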
From patchwork Mon Nov 14 12:49:30 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Jason Yan <yanaijie(a)huawei.com>
X-Patchwork-Id: 183158
Return-Path: <yanaijie(a)huawei.com>
From: Jason Yan <yanaijie(a)huawei.com>
To: <yanaijie(a)huawei.com>, <zhengzengkai(a)huawei.com>, <xiexiuqi(a)huawei.com>,
<yi.zhang(a)huawei.com>, <patchwork(a)huawei.com>, <kernel.openeuler(a)huawei.com>,
<houtao1(a)huawei.com>
Subject: [PATCH OLK-5.10 v2 061/308] cifsd: fix WARNING: Possible unnecessary
'out of memory' message
Date: Mon, 14 Nov 2022 20:49:30 +0800
Message-ID: <20221114125337.1831594-62-yanaijie(a)huawei.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20221114125337.1831594-1-yanaijie(a)huawei.com>
References: <20221114125337.1831594-1-yanaijie(a)huawei.com>
Content-Type: text/plain
MIME-Version: 1.0
From: Namjae Jeon <namjae.jeon(a)samsung.com>
mainline inclusion
from mainline-5.15-rc1
commit 63c454f8392832a770d9cfcf9baa1733959b71e3
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G
CVE: NA
Reference: https://git.kernel.org/torvalds/linux/c/63c454f83928
-------------------------------
WARNING: Possible unnecessary 'out of memory' message
902: FILE: fs/cifsd/smb2pdu.c:569:
+ if (!work->response_buf) {
+ ksmbd_err("Failed to allocate %zu bytes buffer\n", sz);
Fix a warning from checkpatch.pl.
Signed-off-by: Namjae Jeon <namjae.jeon(a)samsung.com>
Signed-off-by: Steve French <stfrench(a)microsoft.com>
Signed-off-by: Jason Yan <yanaijie(a)huawei.com>
---
fs/cifsd/smb2pdu.c | 4 +---
1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/fs/cifsd/smb2pdu.c b/fs/cifsd/smb2pdu.c
index 92b5020ae778..a18792ce96be 100644
--- a/fs/cifsd/smb2pdu.c
+++ b/fs/cifsd/smb2pdu.c
@@ -565,10 +565,8 @@ int smb2_allocate_rsp_buf(struct ksmbd_work *work)
else
work->response_buf = kvmalloc(sz, GFP_KERNEL | __GFP_ZERO);
- if (!work->response_buf) {
- ksmbd_err("Failed to allocate %zu bytes buffer\n", sz);
+ if (!work->response_buf)
return -ENOMEM;
- }
work->response_sz = sz;
return 0;
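Review bot: With the error message gone, the context line above still spells zeroing as `kvmalloc(sz, GFP_KERNEL | __GFP_ZERO)`; `kvzalloc(sz, GFP_KERNEL)` is the usual form and could be folded into this cleanup. The commit message would also be clearer if it said why the message is unnecessary, namely that the allocator already reports a failed allocation.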
From patchwork Mon Nov 14 12:49:31 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Jason Yan <yanaijie(a)huawei.com>
X-Patchwork-Id: 183159
Return-Path: <yanaijie(a)huawei.com>
From: Jason Yan <yanaijie(a)huawei.com>
To: <yanaijie(a)huawei.com>, <zhengzengkai(a)huawei.com>, <xiexiuqi(a)huawei.com>,
<yi.zhang(a)huawei.com>, <patchwork(a)huawei.com>, <kernel.openeuler(a)huawei.com>,
<houtao1(a)huawei.com>
Subject: [PATCH OLK-5.10 v2 062/308] cifsd: fix WARNING: Too many leading tabs
Date: Mon, 14 Nov 2022 20:49:31 +0800
Message-ID: <20221114125337.1831594-63-yanaijie(a)huawei.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20221114125337.1831594-1-yanaijie(a)huawei.com>
References: <20221114125337.1831594-1-yanaijie(a)huawei.com>
Content-Type: text/plain
MIME-Version: 1.0
From: Namjae Jeon <namjae.jeon(a)samsung.com>
mainline inclusion
from mainline-5.15-rc1
commit 3d47e54623897020e996b952bdf3ed9df447b5bf
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G
CVE: NA
Reference: https://git.kernel.org/torvalds/linux/c/3d47e5462389
-------------------------------
WARNING: Too many leading tabs - consider code refactoring
3066: FILE: fs/cifsd/smb2pdu.c:2733:
+ if (fattr.cf_dacls)
Fix a warning from checkpatch.pl.
Signed-off-by: Namjae Jeon <namjae.jeon(a)samsung.com>
Signed-off-by: Steve French <stfrench(a)microsoft.com>
Signed-off-by: Jason Yan <yanaijie(a)huawei.com>
---
fs/cifsd/smb2pdu.c | 41 +++++++++++++++++++----------------------
1 file changed, 19 insertions(+), 22 deletions(-)
diff --git a/fs/cifsd/smb2pdu.c b/fs/cifsd/smb2pdu.c
index a18792ce96be..18576148f530 100644
--- a/fs/cifsd/smb2pdu.c
+++ b/fs/cifsd/smb2pdu.c
@@ -2250,6 +2250,19 @@ static int smb2_create_sd_buffer(struct ksmbd_work *work,
return rc;
}
+
+static void ksmbd_acls_fattr(struct smb_fattr *fattr, struct inode *inode)
+{
+ fattr->cf_uid = inode->i_uid;
+ fattr->cf_gid = inode->i_gid;
+ fattr->cf_mode = inode->i_mode;
+ fattr->cf_dacls = NULL;
+
+ fattr->cf_acls = ksmbd_vfs_get_acl(inode, ACL_TYPE_ACCESS);
+ if (S_ISDIR(inode->i_mode))
+ fattr->cf_dacls = ksmbd_vfs_get_acl(inode, ACL_TYPE_DEFAULT);
+}
+
/**
* smb2_open() - handler for smb file open request
* @work: smb work containing request buffer
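Review bot: ksmbd_acls_fattr() hands back two ACL pointers in fattr->cf_acls and fattr->cf_dacls but has no comment saying who releases them, and either can be NULL. A short kernel-doc block stating that the caller owns both pointers and must release them would make the contract explicit now that two call sites share the helper.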
@@ -2734,23 +2747,13 @@ int smb2_open(struct ksmbd_work *work)
KSMBD_SHARE_FLAG_ACL_XATTR)) {
struct smb_fattr fattr;
struct smb_ntsd *pntsd;
- int pntsd_size, ace_num;
-
- fattr.cf_uid = inode->i_uid;
- fattr.cf_gid = inode->i_gid;
- fattr.cf_mode = inode->i_mode;
- fattr.cf_dacls = NULL;
- ace_num = 0;
+ int pntsd_size, ace_num = 0;
- fattr.cf_acls = ksmbd_vfs_get_acl(inode, ACL_TYPE_ACCESS);
+ ksmbd_acls_fattr(&fattr, inode);
if (fattr.cf_acls)
ace_num = fattr.cf_acls->a_count;
- if (S_ISDIR(inode->i_mode)) {
- fattr.cf_dacls =
- ksmbd_vfs_get_acl(inode, ACL_TYPE_DEFAULT);
- if (fattr.cf_dacls)
- ace_num += fattr.cf_dacls->a_count;
- }
+ if (fattr.cf_dacls)
+ ace_num += fattr.cf_dacls->a_count;
pntsd = kmalloc(sizeof(struct smb_ntsd) +
sizeof(struct smb_sid) * 3 +
@@ -2768,6 +2771,7 @@ int smb2_open(struct ksmbd_work *work)
rc = ksmbd_vfs_set_sd_xattr(conn,
path.dentry, pntsd, pntsd_size);
+ kfree(pntsd);
if (rc)
ksmbd_err("failed to store ntacl in xattr : %d\n",
rc);
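Review bot: The added `kfree(pntsd);` after ksmbd_vfs_set_sd_xattr() is a behaviour change (it frees the buffer that the preceding hunk shows being allocated with kmalloc()), yet the commit message only mentions a checkpatch "Too many leading tabs" warning. Please either split it into its own patch or mention the leak fix in the changelog so it is not lost when backporting.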
@@ -4847,14 +4851,7 @@ static int smb2_get_info_sec(struct ksmbd_work *work,
return -ENOENT;
inode = FP_INODE(fp);
- fattr.cf_uid = inode->i_uid;
- fattr.cf_gid = inode->i_gid;
- fattr.cf_mode = inode->i_mode;
- fattr.cf_dacls = NULL;
-
- fattr.cf_acls = ksmbd_vfs_get_acl(inode, ACL_TYPE_ACCESS);
- if (S_ISDIR(inode->i_mode))
- fattr.cf_dacls = ksmbd_vfs_get_acl(inode, ACL_TYPE_DEFAULT);
+ ksmbd_acls_fattr(&fattr, inode);
if (test_share_config_flag(work->tcon->share_conf,
KSMBD_SHARE_FLAG_ACL_XATTR))
From patchwork Mon Nov 14 12:49:32 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Jason Yan <yanaijie(a)huawei.com>
X-Patchwork-Id: 183160
Return-Path: <yanaijie(a)huawei.com>
From: Jason Yan <yanaijie(a)huawei.com>
To: <yanaijie(a)huawei.com>, <zhengzengkai(a)huawei.com>, <xiexiuqi(a)huawei.com>,
<yi.zhang(a)huawei.com>, <patchwork(a)huawei.com>, <kernel.openeuler(a)huawei.com>,
<houtao1(a)huawei.com>
Subject: [PATCH OLK-5.10 v2 063/308] cifsd: fix boolreturn.cocci warnings
Date: Mon, 14 Nov 2022 20:49:32 +0800
Message-ID: <20221114125337.1831594-64-yanaijie(a)huawei.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20221114125337.1831594-1-yanaijie(a)huawei.com>
References: <20221114125337.1831594-1-yanaijie(a)huawei.com>
Content-Type: text/plain
MIME-Version: 1.0
From: kernel test robot <lkp(a)intel.com>
mainline inclusion
from mainline-5.15-rc1
commit 5616015f548a9beda791d8d607e1b17ebdc1e09d
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G
CVE: NA
Reference: https://git.kernel.org/torvalds/linux/c/5616015f548a
-------------------------------
fs/cifsd/smb2pdu.c:8098:8-9: WARNING: return of 0/1 in function
'smb2_is_sign_req' with return type bool
Return statements in functions returning bool should use true/false
instead of 1/0.
Generated by: scripts/coccinelle/misc/boolreturn.cocci
Reported-by: kernel test robot <lkp(a)intel.com>
Signed-off-by: kernel test robot <lkp(a)intel.com>
Signed-off-by: Namjae Jeon <namjae.jeon(a)samsung.com>
Signed-off-by: Steve French <stfrench(a)microsoft.com>
Signed-off-by: Jason Yan <yanaijie(a)huawei.com>
---
fs/cifsd/smb2pdu.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/fs/cifsd/smb2pdu.c b/fs/cifsd/smb2pdu.c
index 18576148f530..e17ad2032fc7 100644
--- a/fs/cifsd/smb2pdu.c
+++ b/fs/cifsd/smb2pdu.c
@@ -7713,7 +7713,7 @@ bool smb2_is_sign_req(struct ksmbd_work *work, unsigned int command)
command != SMB2_OPLOCK_BREAK_HE)
return true;
- return 0;
+ return false;
}
/**
From patchwork Mon Nov 14 12:49:33 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Jason Yan <yanaijie(a)huawei.com>
X-Patchwork-Id: 183161
Return-Path: <yanaijie(a)huawei.com>
From: Jason Yan <yanaijie(a)huawei.com>
To: <yanaijie(a)huawei.com>, <zhengzengkai(a)huawei.com>, <xiexiuqi(a)huawei.com>,
<yi.zhang(a)huawei.com>, <patchwork(a)huawei.com>, <kernel.openeuler(a)huawei.com>,
<houtao1(a)huawei.com>
Subject: [PATCH OLK-5.10 v2 064/308] cifsd: fix xfstests generic/504 test
failure
Date: Mon, 14 Nov 2022 20:49:33 +0800
Message-ID: <20221114125337.1831594-65-yanaijie(a)huawei.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20221114125337.1831594-1-yanaijie(a)huawei.com>
References: <20221114125337.1831594-1-yanaijie(a)huawei.com>
Content-Type: text/plain
MIME-Version: 1.0
From: Namjae Jeon <namjae.jeon(a)samsung.com>
mainline inclusion
from mainline-5.15-rc1
commit 50bf80a553ccb5eca0bc2426e5a082eaf65cb602
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G
CVE: NA
Reference: https://git.kernel.org/torvalds/linux/c/50bf80a553cc
-------------------------------
If lock length in smb2 lock request from client is over
flock max length size, lock length is changed to flock max length
and don't return error response.
Signed-off-by: Namjae Jeon <namjae.jeon(a)samsung.com>
Signed-off-by: Steve French <stfrench(a)microsoft.com>
Signed-off-by: Jason Yan <yanaijie(a)huawei.com>
---
fs/cifsd/smb2pdu.c | 25 +++++++++++--------------
1 file changed, 11 insertions(+), 14 deletions(-)
diff --git a/fs/cifsd/smb2pdu.c b/fs/cifsd/smb2pdu.c
index e17ad2032fc7..3fd266a94996 100644
--- a/fs/cifsd/smb2pdu.c
+++ b/fs/cifsd/smb2pdu.c
@@ -6422,7 +6422,7 @@ int smb2_lock(struct ksmbd_work *work)
int flags = 0;
int cmd = 0;
int err = 0, i;
- u64 lock_length;
+ u64 lock_start, lock_length;
struct ksmbd_lock *smb_lock = NULL, *cmp_lock, *tmp;
int nolock = 0;
LIST_HEAD(lock_list);
@@ -6461,25 +6461,22 @@ int smb2_lock(struct ksmbd_work *work)
cmd = smb2_set_flock_flags(flock, flags);
- flock->fl_start = le64_to_cpu(lock_ele[i].Offset);
- if (flock->fl_start > OFFSET_MAX) {
+ lock_start = le64_to_cpu(lock_ele[i].Offset);
+ lock_length = le64_to_cpu(lock_ele[i].Length);
+ if (lock_start > U64_MAX - lock_length) {
ksmbd_err("Invalid lock range requested\n");
rsp->hdr.Status = STATUS_INVALID_LOCK_RANGE;
goto out;
}
+ if (lock_start > OFFSET_MAX)
+ flock->fl_start = OFFSET_MAX;
+ else
+ flock->fl_start = lock_start;
+
lock_length = le64_to_cpu(lock_ele[i].Length);
- if (lock_length > 0) {
- if (lock_length > OFFSET_MAX - flock->fl_start) {
- ksmbd_debug(SMB,
- "Invalid lock range requested\n");
- lock_length = OFFSET_MAX - flock->fl_start;
- rsp->hdr.Status = STATUS_INVALID_LOCK_RANGE;
- goto out;
- }
- } else {
- lock_length = 0;
- }
+ if (lock_length > OFFSET_MAX - flock->fl_start)
+ lock_length = OFFSET_MAX - flock->fl_start;
flock->fl_end = flock->fl_start + lock_length;
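Review bot: `lock_length = le64_to_cpu(lock_ele[i].Length);` is now executed twice: once in the added lines before the overflow check and again in the retained context line after fl_start is set, so the second read is redundant and can be dropped. The overflow path also still uses ksmbd_err() for a condition the client controls, where the removed branch used ksmbd_debug(); a debug-level or rate-limited message avoids log flooding. The commit message says no error response is returned, but a request with `lock_start > U64_MAX - lock_length` still gets STATUS_INVALID_LOCK_RANGE, so the changelog should say which case is clamped and which is rejected.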
From patchwork Mon Nov 14 12:49:34 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Jason Yan <yanaijie(a)huawei.com>
X-Patchwork-Id: 183162
Return-Path: <yanaijie(a)huawei.com>
From: Jason Yan <yanaijie(a)huawei.com>
To: <yanaijie(a)huawei.com>, <zhengzengkai(a)huawei.com>, <xiexiuqi(a)huawei.com>,
<yi.zhang(a)huawei.com>, <patchwork(a)huawei.com>, <kernel.openeuler(a)huawei.com>,
<houtao1(a)huawei.com>
Subject: [PATCH OLK-5.10 v2 065/308] cifsd: Do not use 0 or 0xFFFFFFFF for
TreeID
Date: Mon, 14 Nov 2022 20:49:34 +0800
Message-ID: <20221114125337.1831594-66-yanaijie(a)huawei.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20221114125337.1831594-1-yanaijie(a)huawei.com>
References: <20221114125337.1831594-1-yanaijie(a)huawei.com>
Content-Type: text/plain
MIME-Version: 1.0
From: Marios Makassikis <mmakassikis(a)freebox.fr>
mainline inclusion
from mainline-5.15-rc1
commit 8602c3e2ceef5f50f5718e8442a8ea17530101b4
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G
CVE: NA
Reference: https://git.kernel.org/torvalds/linux/c/8602c3e2ceef
-------------------------------
Returning TreeID=0 is valid behaviour according to [MS-SMB2] 2.2.1.2:
TreeId (4 bytes): Uniquely identifies the tree connect for the command.
This MUST be 0 for the SMB2 TREE_CONNECT Request. The TreeId can be
any unsigned 32-bit integer that is received from a previous
SMB2 TREE_CONNECT Response. TreeId SHOULD be set to 0 for the
following commands:
[...]
However, some client implementations reject it as invalid. Windows10
assigns ids starting from 1, and samba4 returns a random uint32_t
which suggests there may be other clients that consider it is
invalid behaviour.
Signed-off-by: Marios Makassikis <mmakassikis(a)freebox.fr>
Signed-off-by: Namjae Jeon <namjae.jeon(a)samsung.com>
Signed-off-by: Steve French <stfrench(a)microsoft.com>
Signed-off-by: Jason Yan <yanaijie(a)huawei.com>
---
fs/cifsd/mgmt/ksmbd_ida.c | 4 +---
1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/fs/cifsd/mgmt/ksmbd_ida.c b/fs/cifsd/mgmt/ksmbd_ida.c
index 3dbc27cb5385..54194d959a5e 100644
--- a/fs/cifsd/mgmt/ksmbd_ida.c
+++ b/fs/cifsd/mgmt/ksmbd_ida.c
@@ -14,9 +14,7 @@ int ksmbd_acquire_smb2_tid(struct ida *ida)
{
int id;
- id = __acquire_id(ida, 0, 0);
- if (id == 0xFFFF)
- id = __acquire_id(ida, 0, 0);
+ id = __acquire_id(ida, 1, 0xFFFFFFFF);
return id;
}
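Review bot: The new call passes `0xFFFFFFFF` as the upper bound, but the result is stored in `int id` and returned as int, so the range that can actually be handed out is narrower than the literal suggests, and the hunk does not show whether __acquire_id() treats the bound as inclusive. Since the subject line promises that 0xFFFFFFFF is never used as a TreeID, a comment on the bound's semantics (or a named constant) would make that guarantee checkable.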
From patchwork Mon Nov 14 12:49:35 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Jason Yan <yanaijie(a)huawei.com>
X-Patchwork-Id: 183163
Return-Path: <yanaijie(a)huawei.com>
From: Jason Yan <yanaijie(a)huawei.com>
To: <yanaijie(a)huawei.com>, <zhengzengkai(a)huawei.com>, <xiexiuqi(a)huawei.com>,
<yi.zhang(a)huawei.com>, <patchwork(a)huawei.com>, <kernel.openeuler(a)huawei.com>,
<houtao1(a)huawei.com>
Subject: [PATCH OLK-5.10 v2 066/308] cifsd: add support for
FSCTL_DUPLICATE_EXTENTS_TO_FILE
Date: Mon, 14 Nov 2022 20:49:35 +0800
Message-ID: <20221114125337.1831594-67-yanaijie(a)huawei.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20221114125337.1831594-1-yanaijie(a)huawei.com>
References: <20221114125337.1831594-1-yanaijie(a)huawei.com>
Content-Type: text/plain
MIME-Version: 1.0
From: Namjae Jeon <namjae.jeon(a)samsung.com>
mainline inclusion
from mainline-5.15-rc1
commit eb817368f50c1cbe1bd07044124aad7db6330e3a
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G
CVE: NA
Reference: https://git.kernel.org/torvalds/linux/c/eb817368f50c
-------------------------------
Add support for FSCTL_DUPLICATE_EXTENTS_TO_FILE in smb2 ioctl.
Reviewed-by: Hyunchul Lee <hyc.lee(a)gmail.com>
Signed-off-by: Namjae Jeon <namjae.jeon(a)samsung.com>
Signed-off-by: Steve French <stfrench(a)microsoft.com>
Signed-off-by: Jason Yan <yanaijie(a)huawei.com>
---
fs/cifsd/smb2pdu.c | 52 ++++++++++++++++++++++++++++++++++++++++++++-
fs/cifsd/smb2pdu.h | 8 +++++++
fs/cifsd/smbfsctl.h | 1 +
fs/cifsd/vfs.c | 2 +-
fs/cifsd/vfs.h | 3 ++-
5 files changed, 63 insertions(+), 3 deletions(-)
diff --git a/fs/cifsd/smb2pdu.c b/fs/cifsd/smb2pdu.c
index 3fd266a94996..e5d3a5790a81 100644
--- a/fs/cifsd/smb2pdu.c
+++ b/fs/cifsd/smb2pdu.c
@@ -4622,7 +4622,8 @@ static int smb2_get_info_filesystem(struct ksmbd_work *work,
FILE_PERSISTENT_ACLS |
FILE_UNICODE_ON_DISK |
FILE_CASE_PRESERVED_NAMES |
- FILE_CASE_SENSITIVE_SEARCH);
+ FILE_CASE_SENSITIVE_SEARCH |
+ FILE_SUPPORTS_BLOCK_REFCOUNTING);
info->Attributes |= cpu_to_le32(server_conf.share_fake_fscaps);
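Review bot: `FILE_SUPPORTS_BLOCK_REFCOUNTING` is set unconditionally in the attribute mask, while the `FSCTL_DUPLICATE_EXTENTS_TO_FILE` handler added later in this patch returns `-EOPNOTSUPP` when `vfs_clone_file_range()` reports `-EXDEV` or `-EOPNOTSUPP`. Consider advertising the flag only when the share's backing filesystem can clone ranges, so clients are not told about a capability the server then refuses.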
@@ -7330,6 +7331,55 @@ int smb2_ioctl(struct ksmbd_work *work)
nbytes = sizeof(struct reparse_data_buffer);
break;
}
+ case FSCTL_DUPLICATE_EXTENTS_TO_FILE:
+ {
+ struct ksmbd_file *fp_in, *fp_out = NULL;
+ struct duplicate_extents_to_file *dup_ext;
+ loff_t src_off, dst_off, length, cloned;
+
+ dup_ext = (struct duplicate_extents_to_file *)&req->Buffer[0];
+
+ fp_in = ksmbd_lookup_fd_slow(work, dup_ext->VolatileFileHandle,
+ dup_ext->PersistentFileHandle);
+ if (!fp_in) {
+ ksmbd_err("not found file handle in duplicate extent to file\n");
+ ret = -ENOENT;
+ goto out;
+ }
+
+ fp_out = ksmbd_lookup_fd_fast(work, id);
+ if (!fp_out) {
+ ksmbd_err("not found fp\n");
+ ret = -ENOENT;
+ goto dup_ext_out;
+ }
+
+ src_off = le64_to_cpu(dup_ext->SourceFileOffset);
+ dst_off = le64_to_cpu(dup_ext->TargetFileOffset);
+ length = le64_to_cpu(dup_ext->ByteCount);
+ cloned = vfs_clone_file_range(fp_in->filp, src_off, fp_out->filp,
+ dst_off, length, 0);
+ if (cloned == -EXDEV || cloned == -EOPNOTSUPP) {
+ ret = -EOPNOTSUPP;
+ goto dup_ext_out;
+ } else if (cloned != length) {
+ cloned = ksmbd_vfs_copy_file_range(fp_in->filp, src_off,
+ fp_out->filp, dst_off, length);
+ if (cloned != length) {
+ if (cloned < 0)
+ ret = cloned;
+ else
+ ret = -EINVAL;
+ }
+ }
+
+dup_ext_out:
+ ksmbd_fd_put(work, fp_in);
+ ksmbd_fd_put(work, fp_out);
+ if (ret < 0)
+ goto out;
+ break;
+ }
default:
ksmbd_debug(SMB, "not implemented yet ioctl command 0x%x\n",
cnt_code);
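Review bot: the cast `dup_ext = (struct duplicate_extents_to_file *)&req->Buffer[0];` is followed directly by reads of both handles, the offsets and `ByteCount`, with no check in this hunk that the request carries at least `sizeof(struct duplicate_extents_to_file)` bytes of input. A short request would make the handler read past the client-supplied data, so compare the input length against the structure size first and fail with `-EINVAL`. Two smaller points: when `ksmbd_lookup_fd_fast()` fails, `dup_ext_out` calls `ksmbd_fd_put(work, fp_out)` with `fp_out == NULL`, which is only safe if that helper accepts NULL; and the `else if (cloned != length)` branch is also taken for negative errors other than the two handled above, so the copy fallback runs after a hard clone failure.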
diff --git a/fs/cifsd/smb2pdu.h b/fs/cifsd/smb2pdu.h
index c5c32610aafe..1a8da2122b75 100644
--- a/fs/cifsd/smb2pdu.h
+++ b/fs/cifsd/smb2pdu.h
@@ -851,6 +851,14 @@ struct smb2_write_rsp {
#define SMB2_0_IOCTL_IS_FSCTL 0x00000001
+struct duplicate_extents_to_file {
+ __u64 PersistentFileHandle; /* source file handle, opaque endianness */
+ __u64 VolatileFileHandle;
+ __le64 SourceFileOffset;
+ __le64 TargetFileOffset;
+ __le64 ByteCount; /* Bytes to be copied */
+} __packed;
+
struct smb2_ioctl_req {
struct smb2_hdr hdr;
__le16 StructureSize; /* Must be 57 */
diff --git a/fs/cifsd/smbfsctl.h b/fs/cifsd/smbfsctl.h
index 908c4e68a479..b98418aae20c 100644
--- a/fs/cifsd/smbfsctl.h
+++ b/fs/cifsd/smbfsctl.h
@@ -64,6 +64,7 @@
#define FSCTL_SET_SHORT_NAME_BEHAVIOR 0x000901B4 /* BB add struct */
#define FSCTL_QUERY_ALLOCATED_RANGES 0x000940CF /* BB add struct */
#define FSCTL_SET_DEFECT_MANAGEMENT 0x00098134 /* BB add struct */
+#define FSCTL_DUPLICATE_EXTENTS_TO_FILE 0x00098344
#define FSCTL_SIS_LINK_FILES 0x0009C104
#define FSCTL_PIPE_PEEK 0x0011400C /* BB add struct */
#define FSCTL_PIPE_TRANSCEIVE 0x0011C017 /* BB add struct */
diff --git a/fs/cifsd/vfs.c b/fs/cifsd/vfs.c
index 29f31db4e07e..cdbb844fddad 100644
--- a/fs/cifsd/vfs.c
+++ b/fs/cifsd/vfs.c
@@ -1789,7 +1789,7 @@ int ksmbd_vfs_xattr_stream_name(char *stream_name, char **xattr_stream_name,
return 0;
}
-static int ksmbd_vfs_copy_file_range(struct file *file_in, loff_t pos_in,
+int ksmbd_vfs_copy_file_range(struct file *file_in, loff_t pos_in,
struct file *file_out, loff_t pos_out, size_t len)
{
struct inode *inode_in = file_inode(file_in);
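Review bot: now that `ksmbd_vfs_copy_file_range()` is callable from `smb2_ioctl()`, its `int` return type and `size_t len` parameter no longer match the caller, which passes a `loff_t length` taken from the 64-bit `ByteCount` and then tests `cloned != length`. A byte count above `INT_MAX` can never compare equal to an `int` result, and on 32-bit builds `len` truncates the value. Consider returning `ssize_t` or `loff_t`, or bounding `ByteCount` in the caller before the call.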
diff --git a/fs/cifsd/vfs.h b/fs/cifsd/vfs.h
index 0163be4297de..2d19e2bac33a 100644
--- a/fs/cifsd/vfs.h
+++ b/fs/cifsd/vfs.h
@@ -218,7 +218,8 @@ int ksmbd_vfs_copy_file_ranges(struct ksmbd_work *work,
struct srv_copychunk *chunks, unsigned int chunk_count,
unsigned int *chunk_count_written,
unsigned int *chunk_size_written, loff_t *total_size_written);
-
+int ksmbd_vfs_copy_file_range(struct file *file_in, loff_t pos_in,
+ struct file *file_out, loff_t pos_out, size_t len);
ssize_t ksmbd_vfs_listxattr(struct dentry *dentry, char **list);
ssize_t ksmbd_vfs_getxattr(struct dentry *dentry, char *xattr_name,
char **xattr_buf);
From patchwork Mon Nov 14 12:49:36 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Jason Yan <yanaijie(a)huawei.com>
X-Patchwork-Id: 183164
Return-Path: <yanaijie(a)huawei.com>
From: Jason Yan <yanaijie(a)huawei.com>
To: <yanaijie(a)huawei.com>, <zhengzengkai(a)huawei.com>, <xiexiuqi(a)huawei.com>,
<yi.zhang(a)huawei.com>, <patchwork(a)huawei.com>, <kernel.openeuler(a)huawei.com>,
<houtao1(a)huawei.com>
Subject: [PATCH OLK-5.10 v2 067/308] cifsd: add goto fail in asn1_oid_decode()
Date: Mon, 14 Nov 2022 20:49:36 +0800
Message-ID: <20221114125337.1831594-68-yanaijie(a)huawei.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20221114125337.1831594-1-yanaijie(a)huawei.com>
References: <20221114125337.1831594-1-yanaijie(a)huawei.com>
Content-Type: text/plain
MIME-Version: 1.0
From: Namjae Jeon <namjae.jeon(a)samsung.com>
mainline inclusion
from mainline-5.15-rc1
commit cdd10398e71a1843ef99ed545bbb872b6cb9d249
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G
CVE: NA
Reference: https://git.kernel.org/torvalds/linux/c/cdd10398e71a
-------------------------------
Add goto fail in asn1_oid_decode() to clean-up exception handling code.
Reviewed-by: Dan Carpenter <dan.carpenter(a)oracle.com>
Signed-off-by: Namjae Jeon <namjae.jeon(a)samsung.com>
Signed-off-by: Steve French <stfrench(a)microsoft.com>
Signed-off-by: Jason Yan <yanaijie(a)huawei.com>
---
fs/cifsd/asn1.c | 26 +++++++++++---------------
1 file changed, 11 insertions(+), 15 deletions(-)
diff --git a/fs/cifsd/asn1.c b/fs/cifsd/asn1.c
index aa6ea855c422..f2628dc3490f 100644
--- a/fs/cifsd/asn1.c
+++ b/fs/cifsd/asn1.c
@@ -74,11 +74,8 @@ static bool asn1_oid_decode(const unsigned char *value, size_t vlen,
optr = *oid;
- if (!asn1_subid_decode(&iptr, end, &subid)) {
- kfree(*oid);
- *oid = NULL;
- return false;
- }
+ if (!asn1_subid_decode(&iptr, end, &subid))
+ goto fail;
if (subid < 40) {
optr[0] = 0;
@@ -95,19 +92,18 @@ static bool asn1_oid_decode(const unsigned char *value, size_t vlen,
optr += 2;
while (iptr < end) {
- if (++(*oidlen) > vlen) {
- kfree(*oid);
- *oid = NULL;
- return false;
- }
+ if (++(*oidlen) > vlen)
+ goto fail;
- if (!asn1_subid_decode(&iptr, end, optr++)) {
- kfree(*oid);
- *oid = NULL;
- return false;
- }
+ if (!asn1_subid_decode(&iptr, end, optr++))
+ goto fail;
}
return true;
+
+fail:
+ kfree(*oid);
+ *oid = NULL;
+ return false;
}
static bool
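Review bot: the shared `fail:` label frees `*oid` and resets it to NULL, so it is only correct for jumps taken after the allocation. The three converted sites all come after `optr = *oid;`, which is fine, but any earlier error return in `asn1_oid_decode()` should also leave `*oid` set to NULL so that callers can `kfree()` it unconditionally. A one-line comment at the label stating that requirement would keep later edits from jumping to it too early.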
From patchwork Mon Nov 14 12:49:37 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Jason Yan <yanaijie(a)huawei.com>
X-Patchwork-Id: 183165
Return-Path: <yanaijie(a)huawei.com>
From: Jason Yan <yanaijie(a)huawei.com>
To: <yanaijie(a)huawei.com>, <zhengzengkai(a)huawei.com>, <xiexiuqi(a)huawei.com>,
<yi.zhang(a)huawei.com>, <patchwork(a)huawei.com>, <kernel.openeuler(a)huawei.com>,
<houtao1(a)huawei.com>
Subject: [PATCH OLK-5.10 v2 068/308] cifsd: use memcmp instead of for loop
check in oid_eq()
Date: Mon, 14 Nov 2022 20:49:37 +0800
Message-ID: <20221114125337.1831594-69-yanaijie(a)huawei.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20221114125337.1831594-1-yanaijie(a)huawei.com>
References: <20221114125337.1831594-1-yanaijie(a)huawei.com>
Content-Type: text/plain
MIME-Version: 1.0
From: Namjae Jeon <namjae.jeon(a)samsung.com>
mainline inclusion
from mainline-5.15-rc1
commit 3566a2b0f73a46eb93beafd70b8386a3b59d5acb
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G
CVE: NA
Reference: https://git.kernel.org/torvalds/linux/c/3566a2b0f73a
-------------------------------
Use memcmp instead of for loop check in oid_eq().
Reviewed-by: Dan Carpenter <dan.carpenter(a)oracle.com>
Signed-off-by: Namjae Jeon <namjae.jeon(a)samsung.com>
Signed-off-by: Steve French <stfrench(a)microsoft.com>
Signed-off-by: Jason Yan <yanaijie(a)huawei.com>
---
fs/cifsd/asn1.c | 8 +-------
1 file changed, 1 insertion(+), 7 deletions(-)
diff --git a/fs/cifsd/asn1.c b/fs/cifsd/asn1.c
index f2628dc3490f..a7db37eef2a9 100644
--- a/fs/cifsd/asn1.c
+++ b/fs/cifsd/asn1.c
@@ -110,16 +110,10 @@ static bool
oid_eq(unsigned long *oid1, unsigned int oid1len,
unsigned long *oid2, unsigned int oid2len)
{
- unsigned int i;
-
if (oid1len != oid2len)
return false;
- for (i = 0; i < oid1len; i++) {
- if (oid1[i] != oid2[i])
- return false;
- }
- return true;
+ return memcmp(oid1, oid2, oid1len) == 0;
}
int
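Review bot: `memcmp(oid1, oid2, oid1len)` compares `oid1len` bytes, but `oid1len` counts `unsigned long` elements, as the removed loop over `oid1[i]` shows. As written only a fraction of each array is compared, so two different mechanism OIDs with the same element count and a shared leading part compare equal. The length argument should be `oid1len * sizeof(*oid1)`.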
From patchwork Mon Nov 14 12:49:38 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Jason Yan <yanaijie(a)huawei.com>
X-Patchwork-Id: 183166
Return-Path: <yanaijie(a)huawei.com>
From: Jason Yan <yanaijie(a)huawei.com>
To: <yanaijie(a)huawei.com>, <zhengzengkai(a)huawei.com>, <xiexiuqi(a)huawei.com>,
<yi.zhang(a)huawei.com>, <patchwork(a)huawei.com>, <kernel.openeuler(a)huawei.com>,
<houtao1(a)huawei.com>
Subject: [PATCH OLK-5.10 v2 069/308] cifsd: add goto fail in
neg_token_init_mech_type()
Date: Mon, 14 Nov 2022 20:49:38 +0800
Message-ID: <20221114125337.1831594-70-yanaijie(a)huawei.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20221114125337.1831594-1-yanaijie(a)huawei.com>
References: <20221114125337.1831594-1-yanaijie(a)huawei.com>
Content-Type: text/plain
MIME-Version: 1.0
From: Namjae Jeon <namjae.jeon(a)samsung.com>
mainline inclusion
from mainline-5.15-rc1
commit 8bae4419ce636f6f8414193a206a2dc2e6dd37db
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G
CVE: NA
Reference: https://git.kernel.org/torvalds/linux/c/8bae4419ce63
-------------------------------
Add goto fail in neg_token_init_mech_type().
Reviewed-by: Dan Carpenter <dan.carpenter(a)oracle.com>
Signed-off-by: Namjae Jeon <namjae.jeon(a)samsung.com>
Signed-off-by: Steve French <stfrench(a)microsoft.com>
Signed-off-by: Jason Yan <yanaijie(a)huawei.com>
---
fs/cifsd/asn1.c | 19 ++++++++++---------
1 file changed, 10 insertions(+), 9 deletions(-)
diff --git a/fs/cifsd/asn1.c b/fs/cifsd/asn1.c
index a7db37eef2a9..769fa328c020 100644
--- a/fs/cifsd/asn1.c
+++ b/fs/cifsd/asn1.c
@@ -284,14 +284,10 @@ int neg_token_init_mech_type(void *context, size_t hdrlen,
unsigned long *oid;
size_t oidlen;
int mech_type;
+ char buf[50];
- if (!asn1_oid_decode(value, vlen, &oid, &oidlen)) {
- char buf[50];
-
- sprint_oid(value, vlen, buf, sizeof(buf));
- ksmbd_debug(AUTH, "Unexpected OID: %s\n", buf);
- return -EBADMSG;
- }
+ if (!asn1_oid_decode(value, vlen, &oid, &oidlen))
+ goto fail;
if (oid_eq(oid, oidlen, NTLMSSP_OID, NTLMSSP_OID_LEN))
mech_type = KSMBD_AUTH_NTLMSSP;
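Review bot: `oid` is declared without an initialiser, and the new `goto fail` taken when `asn1_oid_decode()` fails reaches `kfree(oid)` in the label this patch adds. That is only safe if `asn1_oid_decode()` stores NULL in `*oid` on every failure path, including any that return before it allocates. The removed code returned without freeing, so this is a new requirement introduced by the cleanup; declaring `unsigned long *oid = NULL;` here removes the dependency.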
@@ -302,15 +298,20 @@ int neg_token_init_mech_type(void *context, size_t hdrlen,
else if (oid_eq(oid, oidlen, KRB5U2U_OID, KRB5U2U_OID_LEN))
mech_type = KSMBD_AUTH_KRB5U2U;
else
- goto out;
+ goto fail;
conn->auth_mechs |= mech_type;
if (conn->preferred_auth_mech == 0)
conn->preferred_auth_mech = mech_type;
-out:
kfree(oid);
return 0;
+
+fail:
+ kfree(oid);
+ sprint_oid(value, vlen, buf, sizeof(buf));
+ ksmbd_debug(AUTH, "Unexpected OID: %s\n", buf);
+ return -EBADMSG;
}
int neg_token_init_mech_token(void *context, size_t hdrlen,
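Review bot: replacing `goto out` with `goto fail` in the final `else` changes behaviour, not only structure: an OID that matches none of the known mechanisms used to fall through to `return 0`, and now returns `-EBADMSG` after logging "Unexpected OID". If rejecting a negotiation token that lists any unrecognised mechanism is intended, the commit message should say so; otherwise keep the unknown-OID case on the success path and reserve `fail` for decode errors.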
From patchwork Mon Nov 14 12:49:39 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Jason Yan <yanaijie(a)huawei.com>
X-Patchwork-Id: 183170
Return-Path: <yanaijie(a)huawei.com>
From: Jason Yan <yanaijie(a)huawei.com>
To: <yanaijie(a)huawei.com>, <zhengzengkai(a)huawei.com>, <xiexiuqi(a)huawei.com>,
<yi.zhang(a)huawei.com>, <patchwork(a)huawei.com>, <kernel.openeuler(a)huawei.com>,
<houtao1(a)huawei.com>
Subject: [PATCH OLK-5.10 v2 070/308] cifsd: move fips_enabled check before the
str_to_key()
Date: Mon, 14 Nov 2022 20:49:39 +0800
Message-ID: <20221114125337.1831594-71-yanaijie(a)huawei.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20221114125337.1831594-1-yanaijie(a)huawei.com>
References: <20221114125337.1831594-1-yanaijie(a)huawei.com>
Content-Type: text/plain
MIME-Version: 1.0
From: Namjae Jeon <namjae.jeon(a)samsung.com>
mainline inclusion
from mainline-5.15-rc1
commit 94096702376ecb99c86cbee9dd95fc3675231b8a
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G
CVE: NA
Reference: https://git.kernel.org/torvalds/linux/c/94096702376e
-------------------------------
Move fips_enabled check before the str_to_key().
Reviewed-by: Dan Carpenter <dan.carpenter(a)oracle.com>
Signed-off-by: Namjae Jeon <namjae.jeon(a)samsung.com>
Signed-off-by: Steve French <stfrench(a)microsoft.com>
Signed-off-by: Jason Yan <yanaijie(a)huawei.com>
---
fs/cifsd/auth.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/fs/cifsd/auth.c b/fs/cifsd/auth.c
index 6b90aac86fcc..9263c9ce2dd2 100644
--- a/fs/cifsd/auth.c
+++ b/fs/cifsd/auth.c
@@ -92,14 +92,13 @@ smbhash(unsigned char *out, const unsigned char *in, unsigned char *key)
unsigned char key2[8];
struct des_ctx ctx;
- str_to_key(key, key2);
-
if (fips_enabled) {
ksmbd_debug(AUTH,
"FIPS compliance enabled: DES not permitted\n");
return -ENOENT;
}
+ str_to_key(key, key2);
des_expand_key(&ctx, key2, DES_KEY_SIZE);
des_encrypt(&ctx, out, in);
memzero_explicit(&ctx, sizeof(ctx));
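Review bot: `key2` holds DES key bytes on the stack once `str_to_key(key, key2)` has run, yet in the visible lines only `ctx` is wiped with `memzero_explicit()`. If `key2` is not cleared later in `smbhash()`, add `memzero_explicit(key2, sizeof(key2));` next to the existing wipe. The reordering itself is fine, since it avoids deriving key material on the `fips_enabled` path that returns `-ENOENT`.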
From patchwork Mon Nov 14 12:49:40 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Jason Yan <yanaijie(a)huawei.com>
X-Patchwork-Id: 183167
Return-Path: <yanaijie(a)huawei.com>
From: Jason Yan <yanaijie(a)huawei.com>
To: <yanaijie(a)huawei.com>, <zhengzengkai(a)huawei.com>, <xiexiuqi(a)huawei.com>,
<yi.zhang(a)huawei.com>, <patchwork(a)huawei.com>, <kernel.openeuler(a)huawei.com>,
<houtao1(a)huawei.com>
Subject: [PATCH OLK-5.10 v2 071/308] cifsd: just return smbhash() instead of
using rc return value
Date: Mon, 14 Nov 2022 20:49:40 +0800
Message-ID: <20221114125337.1831594-72-yanaijie(a)huawei.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20221114125337.1831594-1-yanaijie(a)huawei.com>
References: <20221114125337.1831594-1-yanaijie(a)huawei.com>
Content-Type: text/plain
MIME-Version: 1.0
From: Namjae Jeon <namjae.jeon(a)samsung.com>
mainline inclusion
from mainline-5.15-rc1
commit fd43cbbe0af5e528ec7e1f85e6e942d1b77ff781
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G
CVE: NA
Reference: https://git.kernel.org/torvalds/linux/c/fd43cbbe0af5
-------------------------------
Just return smbhash() instead of using rc return value.
Reviewed-by: Dan Carpenter <dan.carpenter(a)oracle.com>
Signed-off-by: Namjae Jeon <namjae.jeon(a)samsung.com>
Signed-off-by: Steve French <stfrench(a)microsoft.com>
Signed-off-by: Jason Yan <yanaijie(a)huawei.com>
---
fs/cifsd/auth.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/fs/cifsd/auth.c b/fs/cifsd/auth.c
index 9263c9ce2dd2..ab698093f728 100644
--- a/fs/cifsd/auth.c
+++ b/fs/cifsd/auth.c
@@ -115,8 +115,7 @@ static int ksmbd_enc_p24(unsigned char *p21, const unsigned char *c8, unsigned c
rc = smbhash(p24 + 8, c8, p21 + 7);
if (rc)
return rc;
- rc = smbhash(p24 + 16, c8, p21 + 14);
- return rc;
+ return smbhash(p24 + 16, c8, p21 + 14);
}
/* produce a md4 message digest from data of length n bytes */
From patchwork Mon Nov 14 12:49:41 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Jason Yan <yanaijie(a)huawei.com>
X-Patchwork-Id: 183168
Return-Path: <yanaijie(a)huawei.com>
From: Jason Yan <yanaijie(a)huawei.com>
To: <yanaijie(a)huawei.com>, <zhengzengkai(a)huawei.com>, <xiexiuqi(a)huawei.com>,
<yi.zhang(a)huawei.com>, <patchwork(a)huawei.com>, <kernel.openeuler(a)huawei.com>,
<houtao1(a)huawei.com>
Subject: [PATCH OLK-5.10 v2 072/308] cifsd: move ret check before the out
label
Date: Mon, 14 Nov 2022 20:49:41 +0800
Message-ID: <20221114125337.1831594-73-yanaijie(a)huawei.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20221114125337.1831594-1-yanaijie(a)huawei.com>
References: <20221114125337.1831594-1-yanaijie(a)huawei.com>
Content-Type: text/plain
MIME-Version: 1.0
From: Namjae Jeon <namjae.jeon(a)samsung.com>
mainline inclusion
from mainline-5.15-rc1
commit 7e38ea254c8274ea25ffc28df65ac2683c5f8a72
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G
CVE: NA
Reference: https://git.kernel.org/torvalds/linux/c/7e38ea254c82
-------------------------------
Move ret check before the out label.
Reviewed-by: Dan Carpenter <dan.carpenter(a)oracle.com>
Signed-off-by: Namjae Jeon <namjae.jeon(a)samsung.com>
Signed-off-by: Steve French <stfrench(a)microsoft.com>
Signed-off-by: Jason Yan <yanaijie(a)huawei.com>
---
fs/cifsd/auth.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/fs/cifsd/auth.c b/fs/cifsd/auth.c
index ab698093f728..092db15e4234 100644
--- a/fs/cifsd/auth.c
+++ b/fs/cifsd/auth.c
@@ -311,9 +311,9 @@ static int calc_ntlmv2_hash(struct ksmbd_session *sess, char *ntlmv2_hash,
}
ret = crypto_shash_final(CRYPTO_HMACMD5(ctx), ntlmv2_hash);
-out:
if (ret)
ksmbd_debug(AUTH, "Could not generate md5 hash\n");
+out:
kfree(uniname);
kfree(domain);
ksmbd_release_crypto_ctx(ctx);
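Review bot: with `out:` moved below the `if (ret)` check, every earlier `goto out` in `calc_ntlmv2_hash()` now skips the "Could not generate md5 hash" message, so those paths fail silently unless each one logs its own error before jumping. Please confirm that they do. Since the check now covers only `crypto_shash_final()`, the message could also name that call.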
From patchwork Mon Nov 14 12:49:42 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Jason Yan <yanaijie(a)huawei.com>
X-Patchwork-Id: 183169
Return-Path: <yanaijie(a)huawei.com>
From: Jason Yan <yanaijie(a)huawei.com>
To: <yanaijie(a)huawei.com>, <zhengzengkai(a)huawei.com>, <xiexiuqi(a)huawei.com>,
<yi.zhang(a)huawei.com>, <patchwork(a)huawei.com>, <kernel.openeuler(a)huawei.com>,
<houtao1(a)huawei.com>
Subject: [PATCH OLK-5.10 v2 073/308] cifsd: simplify error handling in
ksmbd_auth_ntlm()
Date: Mon, 14 Nov 2022 20:49:42 +0800
Message-ID: <20221114125337.1831594-74-yanaijie(a)huawei.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20221114125337.1831594-1-yanaijie(a)huawei.com>
References: <20221114125337.1831594-1-yanaijie(a)huawei.com>
Content-Type: text/plain
MIME-Version: 1.0
From: Namjae Jeon <namjae.jeon(a)samsung.com>
mainline inclusion
from mainline-5.15-rc1
commit 4a6b02282632f0b4e88a85f26266f7674e0ce288
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G
CVE: NA
Reference: https://git.kernel.org/torvalds/linux/c/4a6b02282632
-------------------------------
simplify error handling in ksmbd_auth_ntlm().
Reviewed-by: Dan Carpenter <dan.carpenter(a)oracle.com>
Signed-off-by: Namjae Jeon <namjae.jeon(a)samsung.com>
Signed-off-by: Steve French <stfrench(a)microsoft.com>
Signed-off-by: Jason Yan <yanaijie(a)huawei.com>
---
fs/cifsd/auth.c | 7 +++----
1 file changed, 3 insertions(+), 4 deletions(-)
diff --git a/fs/cifsd/auth.c b/fs/cifsd/auth.c
index 092db15e4234..7771429f55a4 100644
--- a/fs/cifsd/auth.c
+++ b/fs/cifsd/auth.c
@@ -351,12 +351,11 @@ int ksmbd_auth_ntlm(struct ksmbd_session *sess, char *pw_buf)
if (strncmp(pw_buf, key, CIFS_AUTH_RESP_SIZE) != 0) {
ksmbd_debug(AUTH, "ntlmv1 authentication failed\n");
- rc = -EINVAL;
- } else {
- ksmbd_debug(AUTH, "ntlmv1 authentication pass\n");
+ return -EINVAL;
}
- return rc;
+ ksmbd_debug(AUTH, "ntlmv1 authentication pass\n");
+ return 0;
}
/**
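Review bot: the comparison kept as context, `strncmp(pw_buf, key, CIFS_AUTH_RESP_SIZE)`, treats the authentication response as a C string, so it stops at the first zero byte and a response that matches `key` only up to and including that byte is accepted. Since this patch already reworks the return logic around it, switch to a fixed-length binary compare such as `memcmp()`, or `crypto_memneq()` to avoid a timing difference. Also check that `rc` is still needed in `ksmbd_auth_ntlm()` now that both returns here are literals.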
From patchwork Mon Nov 14 12:49:43 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Jason Yan <yanaijie(a)huawei.com>
X-Patchwork-Id: 183171
Return-Path: <yanaijie(a)huawei.com>
From: Jason Yan <yanaijie(a)huawei.com>
To: <yanaijie(a)huawei.com>, <zhengzengkai(a)huawei.com>, <xiexiuqi(a)huawei.com>,
<yi.zhang(a)huawei.com>, <patchwork(a)huawei.com>, <kernel.openeuler(a)huawei.com>,
<houtao1(a)huawei.com>
Subject: [PATCH OLK-5.10 v2 074/308] cifsd: remove unneeded type casting
Date: Mon, 14 Nov 2022 20:49:43 +0800
Message-ID: <20221114125337.1831594-75-yanaijie(a)huawei.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20221114125337.1831594-1-yanaijie(a)huawei.com>
References: <20221114125337.1831594-1-yanaijie(a)huawei.com>
Content-Type: text/plain
MIME-Version: 1.0
From: Namjae Jeon <namjae.jeon(a)samsung.com>
mainline inclusion
from mainline-5.15-rc1
commit 192cc732c65a7c22da77cf21baba5e8a3efdea29
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G
CVE: NA
Reference: https://git.kernel.org/torvalds/linux/c/192cc732c65a
-------------------------------
Remove unneeded type casting.
Reviewed-by: Dan Carpenter <dan.carpenter(a)oracle.com>
Signed-off-by: Namjae Jeon <namjae.jeon(a)samsung.com>
Signed-off-by: Steve French <stfrench(a)microsoft.com>
Signed-off-by: Jason Yan <yanaijie(a)huawei.com>
---
fs/cifsd/auth.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/fs/cifsd/auth.c b/fs/cifsd/auth.c
index 7771429f55a4..ed32052fbf93 100644
--- a/fs/cifsd/auth.c
+++ b/fs/cifsd/auth.c
@@ -410,8 +410,7 @@ int ksmbd_auth_ntlmv2(struct ksmbd_session *sess, struct ntlmv2_resp *ntlmv2,
}
memcpy(construct, sess->ntlmssp.cryptkey, CIFS_CRYPTO_KEY_SIZE);
- memcpy(construct + CIFS_CRYPTO_KEY_SIZE,
- (char *)(&ntlmv2->blob_signature), blen);
+ memcpy(construct + CIFS_CRYPTO_KEY_SIZE, &ntlmv2->blob_signature, blen);
rc = crypto_shash_update(CRYPTO_HMACMD5(ctx), construct, len);
if (rc) {
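Review bot: The memcpy() to `construct + CIFS_CRYPTO_KEY_SIZE` copies `blen` bytes starting at the `blob_signature` member, and nothing in this hunk shows `blen` being bounded against the size of the received response or of `construct`. Dropping the `(char *)` cast is fine because memcpy() takes `const void *`, but since the line is being touched it is worth confirming that the `len` passed to crypto_shash_update() equals `CIFS_CRYPTO_KEY_SIZE + blen` and that `construct` was allocated with that size.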
From patchwork Mon Nov 14 12:49:44 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Jason Yan <yanaijie(a)huawei.com>
X-Patchwork-Id: 183172
Return-Path: <yanaijie(a)huawei.com>
From: Jason Yan <yanaijie(a)huawei.com>
To: <yanaijie(a)huawei.com>, <zhengzengkai(a)huawei.com>, <xiexiuqi(a)huawei.com>,
<yi.zhang(a)huawei.com>, <patchwork(a)huawei.com>, <kernel.openeuler(a)huawei.com>,
<houtao1(a)huawei.com>
Subject: [PATCH OLK-5.10 v2 075/308] cifsd: set error return value for
memcmp() difference
Date: Mon, 14 Nov 2022 20:49:44 +0800
Message-ID: <20221114125337.1831594-76-yanaijie(a)huawei.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20221114125337.1831594-1-yanaijie(a)huawei.com>
References: <20221114125337.1831594-1-yanaijie(a)huawei.com>
Content-Type: text/plain
MIME-Version: 1.0
From: Namjae Jeon <namjae.jeon(a)samsung.com>
mainline inclusion
from mainline-5.15-rc1
commit b72802aa77dc2729b848057e96b6a2126182f75e
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G
CVE: NA
Reference: https://git.kernel.org/torvalds/linux/c/b72802aa77dc
-------------------------------
Set error return value for memcmp() difference.
Reviewed-by: Dan Carpenter <dan.carpenter(a)oracle.com>
Signed-off-by: Namjae Jeon <namjae.jeon(a)samsung.com>
Signed-off-by: Steve French <stfrench(a)microsoft.com>
Signed-off-by: Jason Yan <yanaijie(a)huawei.com>
---
fs/cifsd/auth.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/fs/cifsd/auth.c b/fs/cifsd/auth.c
index ed32052fbf93..adfb3b33f2e5 100644
--- a/fs/cifsd/auth.c
+++ b/fs/cifsd/auth.c
@@ -430,7 +430,8 @@ int ksmbd_auth_ntlmv2(struct ksmbd_session *sess, struct ntlmv2_resp *ntlmv2,
goto out;
}
- rc = memcmp(ntlmv2->ntlmv2_hash, ntlmv2_rsp, CIFS_HMAC_MD5_HASH_SIZE);
+ if (memcmp(ntlmv2->ntlmv2_hash, ntlmv2_rsp, CIFS_HMAC_MD5_HASH_SIZE) != 0)
+ rc = -EINVAL;
out:
ksmbd_release_crypto_ctx(ctx);
kfree(construct);
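Review bot: The comparison of `ntlmv2->ntlmv2_hash` against the computed `ntlmv2_rsp` still uses memcmp(), which stops at the first differing byte, so its run time depends on how much of the client-supplied value matches. For an authentication response, crypto_memneq() is the constant-time helper to use, e.g. `if (crypto_memneq(ntlmv2->ntlmv2_hash, ntlmv2_rsp, CIFS_HMAC_MD5_HASH_SIZE)) rc = -EINVAL;`. Mapping the non-zero result to -EINVAL is otherwise correct, since memcmp() may return any positive or negative value.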
@@ -469,7 +470,8 @@ static int __ksmbd_auth_ntlmv2(struct ksmbd_session *sess, char *client_nonce,
goto out;
}
- rc = memcmp(ntlm_resp, key, CIFS_AUTH_RESP_SIZE);
+ if (memcmp(ntlm_resp, key, CIFS_AUTH_RESP_SIZE) != 0)
+ rc = -EINVAL;
out:
return rc;
}
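Review bot: On a match, `rc` is no longer assigned at the `memcmp(ntlm_resp, key, CIFS_AUTH_RESP_SIZE)` line, so success now depends on `rc` already being 0 from the call above, which holds only because that call's error branch does `goto out`. An explicit `rc = 0` before the comparison, or an `else` branch, would keep the function correct if code is later added between the two.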
From patchwork Mon Nov 14 12:49:45 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Jason Yan <yanaijie(a)huawei.com>
X-Patchwork-Id: 183173
Return-Path: <yanaijie(a)huawei.com>
From: Jason Yan <yanaijie(a)huawei.com>
To: <yanaijie(a)huawei.com>, <zhengzengkai(a)huawei.com>, <xiexiuqi(a)huawei.com>,
<yi.zhang(a)huawei.com>, <patchwork(a)huawei.com>, <kernel.openeuler(a)huawei.com>,
<houtao1(a)huawei.com>
Subject: [PATCH OLK-5.10 v2 076/308] cifsd: return zero in always success case
Date: Mon, 14 Nov 2022 20:49:45 +0800
Message-ID: <20221114125337.1831594-77-yanaijie(a)huawei.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20221114125337.1831594-1-yanaijie(a)huawei.com>
References: <20221114125337.1831594-1-yanaijie(a)huawei.com>
Content-Type: text/plain
MIME-Version: 1.0
From: Namjae Jeon <namjae.jeon(a)samsung.com>
mainline inclusion
from mainline-5.15-rc1
commit 876edcc4cffd26f83eae591e906384dab7f25a51
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G
CVE: NA
Reference: https://git.kernel.org/torvalds/linux/c/876edcc4cffd
-------------------------------
Return zero in always success case.
Reviewed-by: Dan Carpenter <dan.carpenter(a)oracle.com>
Signed-off-by: Namjae Jeon <namjae.jeon(a)samsung.com>
Signed-off-by: Steve French <stfrench(a)microsoft.com>
Signed-off-by: Jason Yan <yanaijie(a)huawei.com>
---
fs/cifsd/auth.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/fs/cifsd/auth.c b/fs/cifsd/auth.c
index adfb3b33f2e5..a89de24aa576 100644
--- a/fs/cifsd/auth.c
+++ b/fs/cifsd/auth.c
@@ -943,7 +943,7 @@ static int generate_smb3signingkey(struct ksmbd_session *sess,
SMB2_NTLMV2_SESSKEY_SIZE, sess->sess_key);
ksmbd_debug(AUTH, "Signing Key %*ph\n",
SMB3_SIGN_KEY_SIZE, key);
- return rc;
+ return 0;
}
int ksmbd_gen_smb30_signingkey(struct ksmbd_session *sess)
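Review bot: The ksmbd_debug() call just above the changed return, the one that prints "Signing Key %*ph", writes the derived signing key into the kernel log whenever AUTH debugging is enabled. Returning 0 here is fine, but key material should not be printed; drop the dump or restrict it to a build-time debug option.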
@@ -1011,7 +1011,7 @@ static int generate_smb3encryptionkey(struct ksmbd_session *sess,
ksmbd_debug(AUTH, "ServerOut Key %*ph\n",
SMB3_GCM128_CRYPTKEY_SIZE, sess->smb3decryptionkey);
}
- return rc;
+ return 0;
}
int ksmbd_gen_smb30_encryptionkey(struct ksmbd_session *sess)
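Review bot: `return 0` at the end of generate_smb3encryptionkey() is only right if every failing call earlier in the function has already returned, and neither this hunk nor the commit message shows that. Please name in the commit message the calls whose errors are handled before this point, and drop the `rc` local if nothing reads it any more.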
From patchwork Mon Nov 14 12:49:46 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Jason Yan <yanaijie(a)huawei.com>
X-Patchwork-Id: 183174
Return-Path: <yanaijie(a)huawei.com>
From: Jason Yan <yanaijie(a)huawei.com>
To: <yanaijie(a)huawei.com>, <zhengzengkai(a)huawei.com>, <xiexiuqi(a)huawei.com>,
<yi.zhang(a)huawei.com>, <patchwork(a)huawei.com>, <kernel.openeuler(a)huawei.com>,
<houtao1(a)huawei.com>
Subject: [PATCH OLK-5.10 v2 077/308] cifsd: never return 1 on failure
Date: Mon, 14 Nov 2022 20:49:46 +0800
Message-ID: <20221114125337.1831594-78-yanaijie(a)huawei.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20221114125337.1831594-1-yanaijie(a)huawei.com>
References: <20221114125337.1831594-1-yanaijie(a)huawei.com>
Content-Type: text/plain
MIME-Version: 1.0
From: Namjae Jeon <namjae.jeon(a)samsung.com>
mainline inclusion
from mainline-5.15-rc1
commit 522dcc76269fcc27a3a0128ca7699270fae61b60
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G
CVE: NA
Reference: https://git.kernel.org/torvalds/linux/c/522dcc76269f
-------------------------------
Never return 1 on failure.
Reviewed-by: Dan Carpenter <dan.carpenter(a)oracle.com>
Signed-off-by: Namjae Jeon <namjae.jeon(a)samsung.com>
Signed-off-by: Steve French <stfrench(a)microsoft.com>
Signed-off-by: Jason Yan <yanaijie(a)huawei.com>
---
fs/cifsd/auth.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/fs/cifsd/auth.c b/fs/cifsd/auth.c
index a89de24aa576..7e56966f87d4 100644
--- a/fs/cifsd/auth.c
+++ b/fs/cifsd/auth.c
@@ -1144,7 +1144,7 @@ static int ksmbd_get_encryption_key(struct ksmbd_conn *conn, __u64 ses_id,
sess = ksmbd_session_lookup(conn, ses_id);
if (!sess)
- return 1;
+ return -EINVAL;
ses_enc_key = enc ? sess->smb3encryptionkey :
sess->smb3decryptionkey;
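Review bot: `-EINVAL` for a failed ksmbd_session_lookup() hides the actual cause; `-ENOENT` would tell the caller that the session id was not found rather than that an argument was malformed. The move from a positive 1 to a negative errno is right in itself, as long as no caller compares the result against 1.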
From patchwork Mon Nov 14 12:49:47 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Jason Yan <yanaijie(a)huawei.com>
X-Patchwork-Id: 183175
Return-Path: <yanaijie(a)huawei.com>
From: Jason Yan <yanaijie(a)huawei.com>
To: <yanaijie(a)huawei.com>, <zhengzengkai(a)huawei.com>, <xiexiuqi(a)huawei.com>,
<yi.zhang(a)huawei.com>, <patchwork(a)huawei.com>, <kernel.openeuler(a)huawei.com>,
<houtao1(a)huawei.com>
Subject: [PATCH OLK-5.10 v2 078/308] cifsd: add the check if nvec is zero
Date: Mon, 14 Nov 2022 20:49:47 +0800
Message-ID: <20221114125337.1831594-79-yanaijie(a)huawei.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20221114125337.1831594-1-yanaijie(a)huawei.com>
References: <20221114125337.1831594-1-yanaijie(a)huawei.com>
Content-Type: text/plain
MIME-Version: 1.0
From: Namjae Jeon <namjae.jeon(a)samsung.com>
mainline inclusion
from mainline-5.15-rc1
commit 41a7848a01b3f4401b8b87815e643584b86895f2
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G
CVE: NA
Reference: https://git.kernel.org/torvalds/linux/c/41a7848a01b3
-------------------------------
Dan Carpenter pointed out that memory can be corrupted when nvec is zero.
This patch adds the check to prevent it.
Reviewed-by: Dan Carpenter <dan.carpenter(a)oracle.com>
Signed-off-by: Namjae Jeon <namjae.jeon(a)samsung.com>
Signed-off-by: Steve French <stfrench(a)microsoft.com>
Signed-off-by: Jason Yan <yanaijie(a)huawei.com>
---
fs/cifsd/auth.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/fs/cifsd/auth.c b/fs/cifsd/auth.c
index 7e56966f87d4..9f957c8c123c 100644
--- a/fs/cifsd/auth.c
+++ b/fs/cifsd/auth.c
@@ -1172,6 +1172,9 @@ static struct scatterlist *ksmbd_init_sg(struct kvec *iov, unsigned int nvec,
unsigned int assoc_data_len = sizeof(struct smb2_transform_hdr) - 24;
int i, nr_entries[3] = {0}, total_entries = 0, sg_idx = 0;
+ if (!nvec)
+ return NULL;
+
for (i = 0; i < nvec - 1; i++) {
unsigned long kaddr = (unsigned long)iov[i + 1].iov_base;
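Review bot: The commit message should state the mechanism behind the `!nvec` guard: `nvec` is an unsigned int, so `nvec - 1` in the loop bound wraps to UINT_MAX when `nvec` is 0 and the loop then indexes `iov[i + 1]` far past the array. Returning NULL is only safe if the caller checks for it before using the scatterlist, which this hunk does not show.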
From patchwork Mon Nov 14 12:49:48 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Jason Yan <yanaijie(a)huawei.com>
X-Patchwork-Id: 183176
Return-Path: <yanaijie(a)huawei.com>
From: Jason Yan <yanaijie(a)huawei.com>
To: <yanaijie(a)huawei.com>, <zhengzengkai(a)huawei.com>, <xiexiuqi(a)huawei.com>,
<yi.zhang(a)huawei.com>, <patchwork(a)huawei.com>, <kernel.openeuler(a)huawei.com>,
<houtao1(a)huawei.com>
Subject: [PATCH OLK-5.10 v2 079/308] cifsd: len can never be negative in
ksmbd_init_sg()
Date: Mon, 14 Nov 2022 20:49:48 +0800
Message-ID: <20221114125337.1831594-80-yanaijie(a)huawei.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20221114125337.1831594-1-yanaijie(a)huawei.com>
References: <20221114125337.1831594-1-yanaijie(a)huawei.com>
Content-Type: text/plain
MIME-Version: 1.0
From: Namjae Jeon <namjae.jeon(a)samsung.com>
mainline inclusion
from mainline-5.15-rc1
commit 08591ccfdd4f237b3d931e0ebf05690b1ab91399
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G
CVE: NA
Reference: https://git.kernel.org/torvalds/linux/c/08591ccfdd4f
-------------------------------
Dan pointed out len can not be negative.
This patch removes the unneeded negative check in the loop.
Reviewed-by: Dan Carpenter <dan.carpenter(a)oracle.com>
Signed-off-by: Namjae Jeon <namjae.jeon(a)samsung.com>
Signed-off-by: Steve French <stfrench(a)microsoft.com>
Signed-off-by: Jason Yan <yanaijie(a)huawei.com>
---
fs/cifsd/auth.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/fs/cifsd/auth.c b/fs/cifsd/auth.c
index 9f957c8c123c..9af1b334be82 100644
--- a/fs/cifsd/auth.c
+++ b/fs/cifsd/auth.c
@@ -1207,7 +1207,7 @@ static struct scatterlist *ksmbd_init_sg(struct kvec *iov, unsigned int nvec,
for (j = 0; j < nr_entries[i]; j++) {
unsigned int bytes = PAGE_SIZE - offset;
- if (len <= 0)
+ if (!len)
break;
if (bytes > len)
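Review bot: Replacing `len <= 0` with `!len` is only equivalent if `len` is an unsigned type, and its declaration is outside this hunk. The commit message should state the type; if `len` is a signed int, the `< 0` test was the only thing stopping the inner loop after an over-subtraction and should stay.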
From patchwork Mon Nov 14 12:49:49 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Jason Yan <yanaijie(a)huawei.com>
X-Patchwork-Id: 183177
Return-Path: <yanaijie(a)huawei.com>
From: Jason Yan <yanaijie(a)huawei.com>
To: <yanaijie(a)huawei.com>, <zhengzengkai(a)huawei.com>, <xiexiuqi(a)huawei.com>,
<yi.zhang(a)huawei.com>, <patchwork(a)huawei.com>, <kernel.openeuler(a)huawei.com>,
<houtao1(a)huawei.com>
Subject: [PATCH OLK-5.10 v2 080/308] cifsd: remove unneeded initialization of
rc variable in ksmbd_crypt_message()
Date: Mon, 14 Nov 2022 20:49:49 +0800
Message-ID: <20221114125337.1831594-81-yanaijie(a)huawei.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20221114125337.1831594-1-yanaijie(a)huawei.com>
References: <20221114125337.1831594-1-yanaijie(a)huawei.com>
Content-Type: text/plain
MIME-Version: 1.0
From: Namjae Jeon <namjae.jeon(a)samsung.com>
mainline inclusion
from mainline-5.15-rc1
commit 03f1c3d38887803266ec4d5a820b08b01b2766d8
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G
CVE: NA
Reference: https://git.kernel.org/torvalds/linux/c/03f1c3d38887
-------------------------------
Remove unneeded initialization of rc variable in ksmbd_crypt_message().
Reviewed-by: Dan Carpenter <dan.carpenter(a)oracle.com>
Signed-off-by: Namjae Jeon <namjae.jeon(a)samsung.com>
Signed-off-by: Steve French <stfrench(a)microsoft.com>
Signed-off-by: Jason Yan <yanaijie(a)huawei.com>
---
fs/cifsd/auth.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/fs/cifsd/auth.c b/fs/cifsd/auth.c
index 9af1b334be82..711f8dec38e1 100644
--- a/fs/cifsd/auth.c
+++ b/fs/cifsd/auth.c
@@ -1236,7 +1236,7 @@ int ksmbd_crypt_message(struct ksmbd_conn *conn, struct kvec *iov,
struct smb2_transform_hdr *tr_hdr =
(struct smb2_transform_hdr *)iov[0].iov_base;
unsigned int assoc_data_len = sizeof(struct smb2_transform_hdr) - 24;
- int rc = 0;
+ int rc;
struct scatterlist *sg;
u8 sign[SMB2_SIGNATURE_SIZE] = {};
u8 key[SMB3_ENC_DEC_KEY_SIZE];
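Review bot: Removing the `= 0` initializer from `rc` means every path that reaches a `return rc` must assign it first, and the hunk shows only the declarations. Please confirm there is no early `goto` or return of `rc` ahead of its first assignment; an uninitialised value here would be returned as the encryption status.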
From patchwork Mon Nov 14 12:49:50 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Jason Yan <yanaijie(a)huawei.com>
X-Patchwork-Id: 183178
Return-Path: <yanaijie(a)huawei.com>
From: Jason Yan <yanaijie(a)huawei.com>
To: <yanaijie(a)huawei.com>, <zhengzengkai(a)huawei.com>, <xiexiuqi(a)huawei.com>,
<yi.zhang(a)huawei.com>, <patchwork(a)huawei.com>, <kernel.openeuler(a)huawei.com>,
<houtao1(a)huawei.com>
Subject: [PATCH OLK-5.10 v2 081/308] cifsd: fix wrong return value in
ksmbd_crypt_message()
Date: Mon, 14 Nov 2022 20:49:50 +0800
Message-ID: <20221114125337.1831594-82-yanaijie(a)huawei.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20221114125337.1831594-1-yanaijie(a)huawei.com>
References: <20221114125337.1831594-1-yanaijie(a)huawei.com>
Content-Type: text/plain
MIME-Version: 1.0
From: Namjae Jeon <namjae.jeon(a)samsung.com>
mainline inclusion
from mainline-5.15-rc1
commit 27aa646db0f0465c5abf8e5cd545e070e7f14120
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G
CVE: NA
Reference: https://git.kernel.org/torvalds/linux/c/27aa646db0f0
-------------------------------
Return the error instead of always returning success.
Reviewed-by: Dan Carpenter <dan.carpenter(a)oracle.com>
Signed-off-by: Namjae Jeon <namjae.jeon(a)samsung.com>
Signed-off-by: Steve French <stfrench(a)microsoft.com>
Signed-off-by: Jason Yan <yanaijie(a)huawei.com>
---
fs/cifsd/auth.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/fs/cifsd/auth.c b/fs/cifsd/auth.c
index 711f8dec38e1..5a56dd65fa06 100644
--- a/fs/cifsd/auth.c
+++ b/fs/cifsd/auth.c
@@ -1253,7 +1253,7 @@ int ksmbd_crypt_message(struct ksmbd_conn *conn, struct kvec *iov,
key);
if (rc) {
ksmbd_err("Could not get %scryption key\n", enc ? "en" : "de");
- return 0;
+ return rc;
}
if (conn->cipher_type == SMB2_ENCRYPTION_AES128_GCM ||
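Review bot: The commit message does not state the effect of the old `return 0` after the "Could not get %scryption key" error: ksmbd_crypt_message() reported success even though no encryption or decryption had been done, so the caller would carry on with the untouched buffer. That is worth spelling out, since it makes this a behaviour fix rather than a cleanup. Returning `rc` is the right change.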
From patchwork Mon Nov 14 12:49:51 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Jason Yan <yanaijie(a)huawei.com>
X-Patchwork-Id: 183179
Return-Path: <yanaijie(a)huawei.com>
From: Jason Yan <yanaijie(a)huawei.com>
To: <yanaijie(a)huawei.com>, <zhengzengkai(a)huawei.com>, <xiexiuqi(a)huawei.com>,
<yi.zhang(a)huawei.com>, <patchwork(a)huawei.com>, <kernel.openeuler(a)huawei.com>,
<houtao1(a)huawei.com>
Subject: [PATCH OLK-5.10 v2 082/308] cifsd: change success handling to failure
handling
Date: Mon, 14 Nov 2022 20:49:51 +0800
Message-ID: <20221114125337.1831594-83-yanaijie(a)huawei.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20221114125337.1831594-1-yanaijie(a)huawei.com>
References: <20221114125337.1831594-1-yanaijie(a)huawei.com>
Content-Type: text/plain
MIME-Version: 1.0
From: Namjae Jeon <namjae.jeon(a)samsung.com>
mainline inclusion
from mainline-5.15-rc1
commit 73b8b08539423a888ed76b53401a6366e0e2af2b
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G
CVE: NA
Reference: https://git.kernel.org/torvalds/linux/c/73b8b0853942
-------------------------------
Change success handling to failure handling in ksmbd_crypt_message().
Reviewed-by: Dan Carpenter <dan.carpenter(a)oracle.com>
Signed-off-by: Namjae Jeon <namjae.jeon(a)samsung.com>
Signed-off-by: Steve French <stfrench(a)microsoft.com>
Signed-off-by: Jason Yan <yanaijie(a)huawei.com>
---
fs/cifsd/auth.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/fs/cifsd/auth.c b/fs/cifsd/auth.c
index 5a56dd65fa06..b0a9e4591fa5 100644
--- a/fs/cifsd/auth.c
+++ b/fs/cifsd/auth.c
@@ -1331,9 +1331,13 @@ int ksmbd_crypt_message(struct ksmbd_conn *conn, struct kvec *iov,
rc = crypto_aead_encrypt(req);
else
rc = crypto_aead_decrypt(req);
- if (!rc && enc)
+ if (rc)
+ goto free_iv;
+
+ if (enc)
memcpy(&tr_hdr->Signature, sign, SMB2_SIGNATURE_SIZE);
+free_iv:
kfree(iv);
free_sg:
kfree(sg);
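Review bot: The commit message should say that this is a restructuring with no functional change: `if (rc) goto free_iv;` skips only the memcpy() into `tr_hdr->Signature`, which is exactly what the old `if (!rc && enc)` test did. The `free_iv` label sits directly above `kfree(iv)`, so the cleanup order is unchanged.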
From patchwork Mon Nov 14 12:49:52 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Jason Yan <yanaijie(a)huawei.com>
X-Patchwork-Id: 183180
Return-Path: <yanaijie(a)huawei.com>
From: Jason Yan <yanaijie(a)huawei.com>
To: <yanaijie(a)huawei.com>, <zhengzengkai(a)huawei.com>, <xiexiuqi(a)huawei.com>,
<yi.zhang(a)huawei.com>, <patchwork(a)huawei.com>, <kernel.openeuler(a)huawei.com>,
<houtao1(a)huawei.com>
Subject: [PATCH OLK-5.10 v2 083/308] cifsd: add default case in switch
statment in alloc_shash_desc()
Date: Mon, 14 Nov 2022 20:49:52 +0800
Message-ID: <20221114125337.1831594-84-yanaijie(a)huawei.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20221114125337.1831594-1-yanaijie(a)huawei.com>
References: <20221114125337.1831594-1-yanaijie(a)huawei.com>
Content-Type: text/plain
MIME-Version: 1.0
From: Namjae Jeon <namjae.jeon(a)samsung.com>
mainline inclusion
from mainline-5.15-rc1
commit 533a45da1a8900267a667648450976bc334b71a8
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G
CVE: NA
Reference: https://git.kernel.org/torvalds/linux/c/533a45da1a89
-------------------------------
Add default case in switch statement in alloc_shash_desc().
Reviewed-by: Dan Carpenter <dan.carpenter(a)oracle.com>
Signed-off-by: Namjae Jeon <namjae.jeon(a)samsung.com>
Signed-off-by: Steve French <stfrench(a)microsoft.com>
Signed-off-by: Jason Yan <yanaijie(a)huawei.com>
---
fs/cifsd/crypto_ctx.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/fs/cifsd/crypto_ctx.c b/fs/cifsd/crypto_ctx.c
index 1830ae1b5ed3..dbfe36ee9be1 100644
--- a/fs/cifsd/crypto_ctx.c
+++ b/fs/cifsd/crypto_ctx.c
@@ -88,6 +88,8 @@ static struct shash_desc *alloc_shash_desc(int id)
case CRYPTO_SHASH_MD5:
tfm = crypto_alloc_shash("md5", 0, 0);
break;
+ default:
+ return NULL;
}
if (IS_ERR(tfm))
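Review bot: The commit message should explain why the `default: return NULL;` case is needed: the line after the switch is `if (IS_ERR(tfm))`, which would read `tfm` without it having been assigned for an unrecognised `id`, unless `tfm` is initialised at its declaration, which this hunk does not show. Since an unknown `id` can only come from a coding error in a caller, a WARN_ON_ONCE() in the default case would make it visible instead of failing silently.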
From patchwork Mon Nov 14 12:49:53 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Jason Yan <yanaijie(a)huawei.com>
X-Patchwork-Id: 183181
Return-Path: <yanaijie(a)huawei.com>
From: Jason Yan <yanaijie(a)huawei.com>
To: <yanaijie(a)huawei.com>, <zhengzengkai(a)huawei.com>, <xiexiuqi(a)huawei.com>,
<yi.zhang(a)huawei.com>, <patchwork(a)huawei.com>, <kernel.openeuler(a)huawei.com>,
<houtao1(a)huawei.com>
Subject: [PATCH OLK-5.10 v2 084/308] cifsd: call kzalloc() directly instead of
wrapper
Date: Mon, 14 Nov 2022 20:49:53 +0800
Message-ID: <20221114125337.1831594-85-yanaijie(a)huawei.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20221114125337.1831594-1-yanaijie(a)huawei.com>
References: <20221114125337.1831594-1-yanaijie(a)huawei.com>
Content-Type: text/plain
X-MS-Exchange-Organization-Network-Message-Id:
22403bcf-0c5d-4e81-569f-08dac63c58a7
X-MS-Exchange-Organization-AuthSource: canpemm500004.china.huawei.com
X-MS-Exchange-Organization-AuthAs: Internal
X-MS-Exchange-Organization-AuthMechanism: 07
X-Originating-IP: [10.175.127.227]
X-ClientProxiedBy: dggems702-chm.china.huawei.com (10.3.19.179) To
canpemm500004.china.huawei.com (7.192.104.92)
X-MS-Exchange-Transport-EndToEndLatency: 00:00:00.7145683
X-MS-Exchange-Processed-By-BccFoldering: 15.01.2375.031
MIME-Version: 1.0
From: Namjae Jeon <namjae.jeon(a)samsung.com>
mainline inclusion
from mainline-5.15-rc1
commit 12fc704441ad86a0a29e60708490109954f097fa
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G
CVE: NA
Reference: https://git.kernel.org/torvalds/linux/c/12fc704441ad
-------------------------------
Call kzalloc() directly instead of wrapper function.
Reviewed-by: Dan Carpenter <dan.carpenter(a)oracle.com>
Signed-off-by: Namjae Jeon <namjae.jeon(a)samsung.com>
Signed-off-by: Steve French <stfrench(a)microsoft.com>
Signed-off-by: Jason Yan <yanaijie(a)huawei.com>
---
fs/cifsd/crypto_ctx.c | 9 ++-------
1 file changed, 2 insertions(+), 7 deletions(-)
diff --git a/fs/cifsd/crypto_ctx.c b/fs/cifsd/crypto_ctx.c
index dbfe36ee9be1..9685bf963702 100644
--- a/fs/cifsd/crypto_ctx.c
+++ b/fs/cifsd/crypto_ctx.c
@@ -104,11 +104,6 @@ static struct shash_desc *alloc_shash_desc(int id)
return shash;
}
-static struct ksmbd_crypto_ctx *ctx_alloc(void)
-{
- return kzalloc(sizeof(struct ksmbd_crypto_ctx), GFP_KERNEL);
-}
-
static void ctx_free(struct ksmbd_crypto_ctx *ctx)
{
int i;
@@ -145,7 +140,7 @@ static struct ksmbd_crypto_ctx *ksmbd_find_crypto_ctx(void)
ctx_list.avail_ctx++;
spin_unlock(&ctx_list.ctx_lock);
- ctx = ctx_alloc();
+ ctx = kzalloc(sizeof(struct ksmbd_crypto_ctx), GFP_KERNEL);
if (!ctx) {
spin_lock(&ctx_list.ctx_lock);
ctx_list.avail_ctx--;
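Review bot: In the replacement line `ctx = kzalloc(sizeof(struct ksmbd_crypto_ctx), GFP_KERNEL);` the size is tied to the type name rather than to the variable. Kernel coding style prefers `kzalloc(sizeof(*ctx), GFP_KERNEL)`, which stays correct if the type of `ctx` ever changes; the same applies to the identical call in ksmbd_crypto_create(). Keeping the allocation after `spin_unlock(&ctx_list.ctx_lock)` is right, since a GFP_KERNEL allocation may sleep.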
@@ -280,7 +275,7 @@ int ksmbd_crypto_create(void)
init_waitqueue_head(&ctx_list.ctx_wait);
ctx_list.avail_ctx = 1;
- ctx = ctx_alloc();
+ ctx = kzalloc(sizeof(struct ksmbd_crypto_ctx), GFP_KERNEL);
if (!ctx)
return -ENOMEM;
list_add(&ctx->list, &ctx_list.idle_ctx);
From patchwork Mon Nov 14 12:49:54 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Jason Yan <yanaijie(a)huawei.com>
X-Patchwork-Id: 183182
Return-Path: <yanaijie(a)huawei.com>
Received: from dggems704-chm.china.huawei.com (10.3.19.181) by
dggems702-chm.china.huawei.com (10.3.19.179) with Microsoft SMTP Server
(version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id
15.1.2375.31 via Mailbox Transport; Mon, 14 Nov 2022 20:32:52 +0800
Received: from canpemm500004.china.huawei.com (7.192.104.92) by
dggems704-chm.china.huawei.com (10.3.19.181) with Microsoft SMTP Server
(version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id
15.1.2375.31; Mon, 14 Nov 2022 20:32:52 +0800
Received: from huawei.com (10.175.127.227) by canpemm500004.china.huawei.com
(7.192.104.92) with Microsoft SMTP Server (version=TLS1_2,
cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2375.31; Mon, 14 Nov
2022 20:32:51 +0800
From: Jason Yan <yanaijie(a)huawei.com>
To: <yanaijie(a)huawei.com>, <zhengzengkai(a)huawei.com>, <xiexiuqi(a)huawei.com>,
<yi.zhang(a)huawei.com>, <patchwork(a)huawei.com>, <kernel.openeuler(a)huawei.com>,
<houtao1(a)huawei.com>
Subject: [PATCH OLK-5.10 v2 085/308] cifsd: simplify error handling in
ksmbd_gen_preauth_integrity_hash()
Date: Mon, 14 Nov 2022 20:49:54 +0800
Message-ID: <20221114125337.1831594-86-yanaijie(a)huawei.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20221114125337.1831594-1-yanaijie(a)huawei.com>
References: <20221114125337.1831594-1-yanaijie(a)huawei.com>
Content-Type: text/plain
X-MS-Exchange-Organization-Network-Message-Id:
0f9d4860-ef25-4e0f-5ab2-08dac63c58f0
X-MS-Exchange-Organization-AuthSource: canpemm500004.china.huawei.com
X-MS-Exchange-Organization-AuthAs: Internal
X-MS-Exchange-Organization-AuthMechanism: 07
X-Originating-IP: [10.175.127.227]
X-ClientProxiedBy: dggems702-chm.china.huawei.com (10.3.19.179) To
canpemm500004.china.huawei.com (7.192.104.92)
X-MS-Exchange-Transport-EndToEndLatency: 00:00:00.6243256
X-MS-Exchange-Processed-By-BccFoldering: 15.01.2375.031
MIME-Version: 1.0
From: Namjae Jeon <namjae.jeon(a)samsung.com>
mainline inclusion
from mainline-5.15-rc1
commit d3cd8c491559ca9eb7ce81242df3b3927466e6d9
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G
CVE: NA
Reference: https://git.kernel.org/torvalds/linux/c/d3cd8c491559
-------------------------------
Simplify error handling in ksmbd_gen_preauth_integrity_hash().
Reviewed-by: Dan Carpenter <dan.carpenter(a)oracle.com>
Signed-off-by: Namjae Jeon <namjae.jeon(a)samsung.com>
Signed-off-by: Steve French <stfrench(a)microsoft.com>
Signed-off-by: Jason Yan <yanaijie(a)huawei.com>
---
fs/cifsd/auth.c | 15 +++++++--------
1 file changed, 7 insertions(+), 8 deletions(-)
diff --git a/fs/cifsd/auth.c b/fs/cifsd/auth.c
index b0a9e4591fa5..1d4c4e6d28cd 100644
--- a/fs/cifsd/auth.c
+++ b/fs/cifsd/auth.c
@@ -1063,14 +1063,13 @@ int ksmbd_gen_preauth_integrity_hash(struct ksmbd_conn *conn, char *buf,
int msg_size = be32_to_cpu(rcv_hdr->smb2_buf_length);
struct ksmbd_crypto_ctx *ctx = NULL;
- if (conn->preauth_info->Preauth_HashId ==
- SMB2_PREAUTH_INTEGRITY_SHA512) {
- ctx = ksmbd_crypto_ctx_find_sha512();
- if (!ctx) {
- ksmbd_debug(AUTH, "could not alloc sha512 rc %d\n", rc);
- goto out;
- }
- } else {
+ if (conn->preauth_info->Preauth_HashId !=
+ SMB2_PREAUTH_INTEGRITY_SHA512)
+ return -EINVAL;
+
+ ctx = ksmbd_crypto_ctx_find_sha512();
+ if (!ctx) {
+ ksmbd_debug(AUTH, "could not alloc sha512 rc %d\n", rc);
goto out;
}
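Review bot: The retained `!ctx` branch still logs `rc` in "could not alloc sha512 rc %d", but nothing on the visible path has assigned `rc` from a failing call, so the printed value says nothing about the failure. It also leaves the function with two error styles: the new hash-id check returns `-EINVAL` directly while the context failure goes through `goto out` with whatever `rc` held. Drop the `rc %d` from the message and return an explicit error code from this branch.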
From patchwork Mon Nov 14 12:49:55 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Jason Yan <yanaijie(a)huawei.com>
X-Patchwork-Id: 183183
Return-Path: <yanaijie(a)huawei.com>
Received: from dggems706-chm.china.huawei.com (10.3.19.183) by
dggems702-chm.china.huawei.com (10.3.19.179) with Microsoft SMTP Server
(version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id
15.1.2375.31 via Mailbox Transport; Mon, 14 Nov 2022 20:32:52 +0800
Received: from canpemm500004.china.huawei.com (7.192.104.92) by
dggems706-chm.china.huawei.com (10.3.19.183) with Microsoft SMTP Server
(version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id
15.1.2375.31; Mon, 14 Nov 2022 20:32:52 +0800
Received: from huawei.com (10.175.127.227) by canpemm500004.china.huawei.com
(7.192.104.92) with Microsoft SMTP Server (version=TLS1_2,
cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2375.31; Mon, 14 Nov
2022 20:32:52 +0800
From: Jason Yan <yanaijie(a)huawei.com>
To: <yanaijie(a)huawei.com>, <zhengzengkai(a)huawei.com>, <xiexiuqi(a)huawei.com>,
<yi.zhang(a)huawei.com>, <patchwork(a)huawei.com>, <kernel.openeuler(a)huawei.com>,
<houtao1(a)huawei.com>
Subject: [PATCH OLK-5.10 v2 086/308] cifsd: return -ENOMEM about error from
ksmbd_crypto_ctx_find_xxx calls
Date: Mon, 14 Nov 2022 20:49:55 +0800
Message-ID: <20221114125337.1831594-87-yanaijie(a)huawei.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20221114125337.1831594-1-yanaijie(a)huawei.com>
References: <20221114125337.1831594-1-yanaijie(a)huawei.com>
Content-Type: text/plain
X-MS-Exchange-Organization-Network-Message-Id:
6085825d-bd03-4193-5f10-08dac63c5939
X-MS-Exchange-Organization-AuthSource: canpemm500004.china.huawei.com
X-MS-Exchange-Organization-AuthAs: Internal
X-MS-Exchange-Organization-AuthMechanism: 07
X-Originating-IP: [10.175.127.227]
X-ClientProxiedBy: dggems702-chm.china.huawei.com (10.3.19.179) To
canpemm500004.china.huawei.com (7.192.104.92)
X-MS-Exchange-Transport-EndToEndLatency: 00:00:00.6988805
X-MS-Exchange-Processed-By-BccFoldering: 15.01.2375.031
MIME-Version: 1.0
From: Namjae Jeon <namjae.jeon(a)samsung.com>
mainline inclusion
from mainline-5.15-rc1
commit 0e579cd17f8e9c2e70a68edb66a1457b2c6e9926
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G
CVE: NA
Reference: https://git.kernel.org/torvalds/linux/c/0e579cd17f8e
-------------------------------
Return -ENOMEM about error from ksmbd_crypto_ctx_find_xxx calls.
And remove unneeded return value print in debug message.
Reviewed-by: Dan Carpenter <dan.carpenter(a)oracle.com>
Signed-off-by: Namjae Jeon <namjae.jeon(a)samsung.com>
Signed-off-by: Steve French <stfrench(a)microsoft.com>
Signed-off-by: Jason Yan <yanaijie(a)huawei.com>
---
fs/cifsd/auth.c | 56 ++++++++++++++++++++++++-------------------------
1 file changed, 28 insertions(+), 28 deletions(-)
diff --git a/fs/cifsd/auth.c b/fs/cifsd/auth.c
index 1d4c4e6d28cd..cc13d0eedd80 100644
--- a/fs/cifsd/auth.c
+++ b/fs/cifsd/auth.c
@@ -128,7 +128,7 @@ static int ksmbd_enc_md4(unsigned char *md4_hash, unsigned char *link_str,
ctx = ksmbd_crypto_ctx_find_md4();
if (!ctx) {
ksmbd_debug(AUTH, "Crypto md4 allocation error\n");
- return -EINVAL;
+ return -ENOMEM;
}
rc = crypto_shash_init(CRYPTO_MD4(ctx));
@@ -160,7 +160,7 @@ static int ksmbd_enc_update_sess_key(unsigned char *md5_hash, char *nonce,
ctx = ksmbd_crypto_ctx_find_md5();
if (!ctx) {
ksmbd_debug(AUTH, "Crypto md5 allocation error\n");
- return -EINVAL;
+ return -ENOMEM;
}
rc = crypto_shash_init(CRYPTO_MD5(ctx));
@@ -200,11 +200,13 @@ static int ksmbd_gen_sess_key(struct ksmbd_session *sess, char *hash,
char *hmac)
{
struct ksmbd_crypto_ctx *ctx;
- int rc = -EINVAL;
+ int rc;
ctx = ksmbd_crypto_ctx_find_hmacmd5();
- if (!ctx)
- goto out;
+ if (!ctx) {
+ ksmbd_debug(AUTH, "could not crypto alloc hmacmd5\n");
+ return -ENOMEM;
+ }
rc = crypto_shash_setkey(CRYPTO_HMACMD5_TFM(ctx),
hash,
@@ -244,7 +246,7 @@ static int ksmbd_gen_sess_key(struct ksmbd_session *sess, char *hash,
static int calc_ntlmv2_hash(struct ksmbd_session *sess, char *ntlmv2_hash,
char *dname)
{
- int ret = -EINVAL, len;
+ int ret, len;
wchar_t *domain = NULL;
__le16 *uniname = NULL;
struct ksmbd_crypto_ctx *ctx;
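Review bot: Dropping the `= -EINVAL` initialiser from `int ret, len;` removes the default error value for calc_ntlmv2_hash(), so every remaining `goto out` in the function must now assign `ret` first or the function returns an indeterminate value. Those paths are outside this hunk; please confirm each one sets `ret` explicitly, or keep the initialiser.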
@@ -252,7 +254,7 @@ static int calc_ntlmv2_hash(struct ksmbd_session *sess, char *ntlmv2_hash,
ctx = ksmbd_crypto_ctx_find_hmacmd5();
if (!ctx) {
ksmbd_debug(AUTH, "can't generate ntlmv2 hash\n");
- goto out;
+ return -ENOMEM;
}
ret = crypto_shash_setkey(CRYPTO_HMACMD5_TFM(ctx),
@@ -374,12 +376,12 @@ int ksmbd_auth_ntlmv2(struct ksmbd_session *sess, struct ntlmv2_resp *ntlmv2,
char ntlmv2_rsp[CIFS_HMAC_MD5_HASH_SIZE];
struct ksmbd_crypto_ctx *ctx;
char *construct = NULL;
- int rc = -EINVAL, len;
+ int rc, len;
ctx = ksmbd_crypto_ctx_find_hmacmd5();
if (!ctx) {
- ksmbd_debug(AUTH, "could not crypto alloc hmacmd5 rc %d\n", rc);
- goto out;
+ ksmbd_debug(AUTH, "could not crypto alloc hmacmd5\n");
+ return -ENOMEM;
}
rc = calc_ntlmv2_hash(sess, ntlmv2_hash, domain_name);
@@ -731,13 +733,12 @@ int ksmbd_sign_smb2_pdu(struct ksmbd_conn *conn, char *key, struct kvec *iov,
int n_vec, char *sig)
{
struct ksmbd_crypto_ctx *ctx;
- int rc = -EINVAL;
- int i;
+ int rc, i;
ctx = ksmbd_crypto_ctx_find_hmacsha256();
if (!ctx) {
- ksmbd_debug(AUTH, "could not crypto alloc hmacmd5 rc %d\n", rc);
- goto out;
+ ksmbd_debug(AUTH, "could not crypto alloc hmacmd5\n");
+ return -ENOMEM;
}
rc = crypto_shash_setkey(CRYPTO_HMACSHA256_TFM(ctx),
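Review bot: The debug string in the `!ctx` branch says "could not crypto alloc hmacmd5", but the context comes from `ksmbd_crypto_ctx_find_hmacsha256()`. Since the line is being rewritten anyway, fix the algorithm name to hmacsha256 so the log points at the right transform when signing fails.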
@@ -783,13 +784,12 @@ int ksmbd_sign_smb3_pdu(struct ksmbd_conn *conn, char *key, struct kvec *iov,
int n_vec, char *sig)
{
struct ksmbd_crypto_ctx *ctx;
- int rc = -EINVAL;
- int i;
+ int rc, i;
ctx = ksmbd_crypto_ctx_find_cmacaes();
if (!ctx) {
- ksmbd_debug(AUTH, "could not crypto alloc cmac rc %d\n", rc);
- goto out;
+ ksmbd_debug(AUTH, "could not crypto alloc cmac\n");
+ return -ENOMEM;
}
rc = crypto_shash_setkey(CRYPTO_CMACAES_TFM(ctx),
@@ -835,7 +835,7 @@ static int generate_key(struct ksmbd_session *sess, struct kvec label,
__u8 i[4] = {0, 0, 0, 1};
__u8 L128[4] = {0, 0, 0, 128};
__u8 L256[4] = {0, 0, 1, 0};
- int rc = -EINVAL;
+ int rc;
unsigned char prfhash[SMB2_HMACSHA256_SIZE];
unsigned char *hashptr = prfhash;
struct ksmbd_crypto_ctx *ctx;
@@ -845,8 +845,8 @@ static int generate_key(struct ksmbd_session *sess, struct kvec label,
ctx = ksmbd_crypto_ctx_find_hmacsha256();
if (!ctx) {
- ksmbd_debug(AUTH, "could not crypto alloc hmacmd5 rc %d\n", rc);
- goto smb3signkey_ret;
+ ksmbd_debug(AUTH, "could not crypto alloc hmacmd5\n");
+ return -ENOMEM;
}
rc = crypto_shash_setkey(CRYPTO_HMACSHA256_TFM(ctx),
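Review bot: As in ksmbd_sign_smb2_pdu(), the rewritten message in generate_key() names hmacmd5 while the lookup is `ksmbd_crypto_ctx_find_hmacsha256()`. Correct the string here too. The direct `return -ENOMEM` in place of `goto smb3signkey_ret` is fine as long as nothing acquired earlier in the function depends on that label for cleanup, which the hunk does not show.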
@@ -1057,7 +1057,7 @@ int ksmbd_gen_smb311_encryptionkey(struct ksmbd_session *sess)
int ksmbd_gen_preauth_integrity_hash(struct ksmbd_conn *conn, char *buf,
__u8 *pi_hash)
{
- int rc = -1;
+ int rc;
struct smb2_hdr *rcv_hdr = (struct smb2_hdr *)buf;
char *all_bytes_msg = (char *)&rcv_hdr->ProtocolId;
int msg_size = be32_to_cpu(rcv_hdr->smb2_buf_length);
@@ -1069,8 +1069,8 @@ int ksmbd_gen_preauth_integrity_hash(struct ksmbd_conn *conn, char *buf,
ctx = ksmbd_crypto_ctx_find_sha512();
if (!ctx) {
- ksmbd_debug(AUTH, "could not alloc sha512 rc %d\n", rc);
- goto out;
+ ksmbd_debug(AUTH, "could not alloc sha512\n");
+ return -ENOMEM;
}
rc = crypto_shash_init(CRYPTO_SHA512(ctx));
@@ -1104,13 +1104,13 @@ int ksmbd_gen_preauth_integrity_hash(struct ksmbd_conn *conn, char *buf,
int ksmbd_gen_sd_hash(struct ksmbd_conn *conn, char *sd_buf, int len,
__u8 *pi_hash)
{
- int rc = -1;
+ int rc;
struct ksmbd_crypto_ctx *ctx = NULL;
ctx = ksmbd_crypto_ctx_find_sha256();
if (!ctx) {
- ksmbd_debug(AUTH, "could not alloc sha256 rc %d\n", rc);
- goto out;
+ ksmbd_debug(AUTH, "could not alloc sha256\n");
+ return -ENOMEM;
}
rc = crypto_shash_init(CRYPTO_SHA256(ctx));
@@ -1262,7 +1262,7 @@ int ksmbd_crypt_message(struct ksmbd_conn *conn, struct kvec *iov,
ctx = ksmbd_crypto_ctx_find_ccm();
if (!ctx) {
ksmbd_err("crypto alloc failed\n");
- return -EINVAL;
+ return -ENOMEM;
}
if (conn->cipher_type == SMB2_ENCRYPTION_AES128_GCM ||
From patchwork Mon Nov 14 12:49:56 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Jason Yan <yanaijie(a)huawei.com>
X-Patchwork-Id: 183184
Return-Path: <yanaijie(a)huawei.com>
Received: from dggems705-chm.china.huawei.com (10.3.19.182) by
dggems702-chm.china.huawei.com (10.3.19.179) with Microsoft SMTP Server
(version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id
15.1.2375.31 via Mailbox Transport; Mon, 14 Nov 2022 20:32:53 +0800
Received: from canpemm500004.china.huawei.com (7.192.104.92) by
dggems705-chm.china.huawei.com (10.3.19.182) with Microsoft SMTP Server
(version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id
15.1.2375.31; Mon, 14 Nov 2022 20:32:53 +0800
Received: from huawei.com (10.175.127.227) by canpemm500004.china.huawei.com
(7.192.104.92) with Microsoft SMTP Server (version=TLS1_2,
cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2375.31; Mon, 14 Nov
2022 20:32:52 +0800
From: Jason Yan <yanaijie(a)huawei.com>
To: <yanaijie(a)huawei.com>, <zhengzengkai(a)huawei.com>, <xiexiuqi(a)huawei.com>,
<yi.zhang(a)huawei.com>, <patchwork(a)huawei.com>, <kernel.openeuler(a)huawei.com>,
<houtao1(a)huawei.com>
Subject: [PATCH OLK-5.10 v2 087/308] cifsd: alignment match open parenthesis
Date: Mon, 14 Nov 2022 20:49:56 +0800
Message-ID: <20221114125337.1831594-88-yanaijie(a)huawei.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20221114125337.1831594-1-yanaijie(a)huawei.com>
References: <20221114125337.1831594-1-yanaijie(a)huawei.com>
Content-Type: text/plain
X-MS-Exchange-Organization-Network-Message-Id:
6543fd4d-a026-4d77-165c-08dac63c5982
X-MS-Exchange-Organization-AuthSource: canpemm500004.china.huawei.com
X-MS-Exchange-Organization-AuthAs: Internal
X-MS-Exchange-Organization-AuthMechanism: 07
X-Originating-IP: [10.175.127.227]
X-ClientProxiedBy: dggems702-chm.china.huawei.com (10.3.19.179) To
canpemm500004.china.huawei.com (7.192.104.92)
X-MS-Exchange-Transport-EndToEndLatency: 00:00:00.6909241
X-MS-Exchange-Processed-By-BccFoldering: 15.01.2375.031
MIME-Version: 1.0
From: Namjae Jeon <namjae.jeon(a)samsung.com>
mainline inclusion
from mainline-5.15-rc1
commit 70478059762688d9a975477cf6903cc170901c4c
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G
CVE: NA
Reference: https://git.kernel.org/torvalds/linux/c/704780597626
-------------------------------
Alignment match open parenthesis.
Reviewed-by: Dan Carpenter <dan.carpenter(a)oracle.com>
Signed-off-by: Namjae Jeon <namjae.jeon(a)samsung.com>
Signed-off-by: Steve French <stfrench(a)microsoft.com>
Signed-off-by: Jason Yan <yanaijie(a)huawei.com>
---
fs/cifsd/auth.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/fs/cifsd/auth.c b/fs/cifsd/auth.c
index cc13d0eedd80..8c80f918c8d7 100644
--- a/fs/cifsd/auth.c
+++ b/fs/cifsd/auth.c
@@ -596,7 +596,7 @@ ksmbd_build_ntlmssp_challenge_blob(struct challenge_message *chgblob,
if (cflags & NTLMSSP_NEGOTIATE_SIGN) {
flags |= NTLMSSP_NEGOTIATE_SIGN;
flags |= cflags & (NTLMSSP_NEGOTIATE_128 |
- NTLMSSP_NEGOTIATE_56);
+ NTLMSSP_NEGOTIATE_56);
}
if (cflags & NTLMSSP_NEGOTIATE_ALWAYS_SIGN)
@@ -641,7 +641,7 @@ ksmbd_build_ntlmssp_challenge_blob(struct challenge_message *chgblob,
chgblob->TargetInfoArray.Length = 0;
/* Add target info list for NetBIOS/DNS settings */
for (type = NTLMSSP_AV_NB_COMPUTER_NAME;
- type <= NTLMSSP_AV_DNS_DOMAIN_NAME; type++) {
+ type <= NTLMSSP_AV_DNS_DOMAIN_NAME; type++) {
tinfo->Type = cpu_to_le16(type);
tinfo->Length = cpu_to_le16(len);
memcpy(tinfo->Content, name, len);
From patchwork Mon Nov 14 12:49:57 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Jason Yan <yanaijie(a)huawei.com>
X-Patchwork-Id: 183185
Return-Path: <yanaijie(a)huawei.com>
Received: from dggems701-chm.china.huawei.com (10.3.19.178) by
dggems702-chm.china.huawei.com (10.3.19.179) with Microsoft SMTP Server
(version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id
15.1.2375.31 via Mailbox Transport; Mon, 14 Nov 2022 20:32:53 +0800
Received: from canpemm500004.china.huawei.com (7.192.104.92) by
dggems701-chm.china.huawei.com (10.3.19.178) with Microsoft SMTP Server
(version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id
15.1.2375.31; Mon, 14 Nov 2022 20:32:53 +0800
Received: from huawei.com (10.175.127.227) by canpemm500004.china.huawei.com
(7.192.104.92) with Microsoft SMTP Server (version=TLS1_2,
cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2375.31; Mon, 14 Nov
2022 20:32:53 +0800
From: Jason Yan <yanaijie(a)huawei.com>
To: <yanaijie(a)huawei.com>, <zhengzengkai(a)huawei.com>, <xiexiuqi(a)huawei.com>,
<yi.zhang(a)huawei.com>, <patchwork(a)huawei.com>, <kernel.openeuler(a)huawei.com>,
<houtao1(a)huawei.com>
Subject: [PATCH OLK-5.10 v2 088/308] cifsd: add the check to prevent potential
overflow with smb_strtoUTF16() and UNICODE_LEN()
Date: Mon, 14 Nov 2022 20:49:57 +0800
Message-ID: <20221114125337.1831594-89-yanaijie(a)huawei.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20221114125337.1831594-1-yanaijie(a)huawei.com>
References: <20221114125337.1831594-1-yanaijie(a)huawei.com>
Content-Type: text/plain
X-MS-Exchange-Organization-Network-Message-Id:
da6c2e6d-f770-404d-5bcd-08dac63c59ca
X-MS-Exchange-Organization-AuthSource: canpemm500004.china.huawei.com
X-MS-Exchange-Organization-AuthAs: Internal
X-MS-Exchange-Organization-AuthMechanism: 07
X-Originating-IP: [10.175.127.227]
X-ClientProxiedBy: dggems702-chm.china.huawei.com (10.3.19.179) To
canpemm500004.china.huawei.com (7.192.104.92)
X-MS-Exchange-Transport-EndToEndLatency: 00:00:00.6959082
X-MS-Exchange-Processed-By-BccFoldering: 15.01.2375.031
MIME-Version: 1.0
From: Namjae Jeon <namjae.jeon(a)samsung.com>
mainline inclusion
from mainline-5.15-rc1
commit a2d0b5034a5fff029ec1be08d3264f8407d47602
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G
CVE: NA
Reference: https://git.kernel.org/torvalds/linux/c/a2d0b5034a5f
-------------------------------
Add the check to prevent potential overflow with smb_strtoUTF16() and
UNICODE_LEN().
Reviewed-by: Dan Carpenter <dan.carpenter(a)oracle.com>
Signed-off-by: Namjae Jeon <namjae.jeon(a)samsung.com>
Signed-off-by: Steve French <stfrench(a)microsoft.com>
Signed-off-by: Jason Yan <yanaijie(a)huawei.com>
---
fs/cifsd/auth.c | 50 ++++++++++++++++++++++++++++++-------------------
1 file changed, 31 insertions(+), 19 deletions(-)
diff --git a/fs/cifsd/auth.c b/fs/cifsd/auth.c
index 8c80f918c8d7..f742870a930b 100644
--- a/fs/cifsd/auth.c
+++ b/fs/cifsd/auth.c
@@ -246,7 +246,7 @@ static int ksmbd_gen_sess_key(struct ksmbd_session *sess, char *hash,
static int calc_ntlmv2_hash(struct ksmbd_session *sess, char *ntlmv2_hash,
char *dname)
{
- int ret, len;
+ int ret, len, conv_len;
wchar_t *domain = NULL;
__le16 *uniname = NULL;
struct ksmbd_crypto_ctx *ctx;
@@ -279,15 +279,17 @@ static int calc_ntlmv2_hash(struct ksmbd_session *sess, char *ntlmv2_hash,
goto out;
}
- if (len) {
- len = smb_strtoUTF16(uniname, user_name(sess->user), len,
+ conv_len = smb_strtoUTF16(uniname, user_name(sess->user), len,
sess->conn->local_nls);
- UniStrupr(uniname);
+ if (conv_len < 0 || conv_len > len) {
+ ret = -EINVAL;
+ goto out;
}
+ UniStrupr(uniname);
ret = crypto_shash_update(CRYPTO_HMACMD5(ctx),
(char *)uniname,
- UNICODE_LEN(len));
+ UNICODE_LEN(conv_len));
if (ret) {
ksmbd_debug(AUTH, "Could not update with user\n");
goto out;
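Review bot: Removing the `if (len)` guard means `smb_strtoUTF16()` and `UniStrupr(uniname)` now also run when the user name is empty. Please confirm that `uniname` is allocated with room for a terminator and is terminated in the `len == 0` case, so `UniStrupr()` cannot walk past the buffer. The new `-EINVAL` path is also the only failure in this block without a `ksmbd_debug()` line; add one so a rejected conversion is visible in the AUTH log.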
@@ -301,12 +303,16 @@ static int calc_ntlmv2_hash(struct ksmbd_session *sess, char *ntlmv2_hash,
goto out;
}
- len = smb_strtoUTF16((__le16 *)domain, dname, len,
+ conv_len = smb_strtoUTF16((__le16 *)domain, dname, len,
sess->conn->local_nls);
+ if (conv_len < 0 || conv_len > len) {
+ ret = -EINVAL;
+ goto out;
+ }
ret = crypto_shash_update(CRYPTO_HMACMD5(ctx),
(char *)domain,
- UNICODE_LEN(len));
+ UNICODE_LEN(conv_len));
if (ret) {
ksmbd_debug(AUTH, "Could not update with domain\n");
goto out;
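Review bot: The `conv_len < 0 || conv_len > len` test runs after `smb_strtoUTF16()` has already written into `domain`, so it can report an oversized conversion but cannot prevent the write. The actual protection has to come from the size of the `domain` allocation relative to `len`, which is outside this hunk; please state in the commit message or a comment what that allocation guarantees, so the check is not read as the bound itself.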
@@ -584,6 +590,7 @@ ksmbd_build_ntlmssp_challenge_blob(struct challenge_message *chgblob,
wchar_t *name;
__u8 *target_name;
unsigned int len, flags, blob_off, blob_len, type, target_info_len = 0;
+ unsigned int uni_len, conv_len;
int cflags = sess->ntlmssp.client_flags;
memcpy(chgblob->Signature, NTLMSSP_SIGNATURE, 8);
@@ -611,19 +618,24 @@ ksmbd_build_ntlmssp_challenge_blob(struct challenge_message *chgblob,
chgblob->NegotiateFlags = cpu_to_le32(flags);
len = strlen(ksmbd_netbios_name());
- name = kmalloc(2 + (len * 2), GFP_KERNEL);
+ name = kmalloc(2 + UNICODE_LEN(len), GFP_KERNEL);
if (!name)
return -ENOMEM;
- len = smb_strtoUTF16((__le16 *)name, ksmbd_netbios_name(), len,
+ conv_len = smb_strtoUTF16((__le16 *)name, ksmbd_netbios_name(), len,
sess->conn->local_nls);
- len = UNICODE_LEN(len);
+ if (conv_len < 0 || conv_len > len) {
+ kfree(name);
+ return -EINVAL;
+ }
+
+ uni_len = UNICODE_LEN(conv_len);
blob_off = sizeof(struct challenge_message);
- blob_len = blob_off + len;
+ blob_len = blob_off + uni_len;
- chgblob->TargetName.Length = cpu_to_le16(len);
- chgblob->TargetName.MaximumLength = cpu_to_le16(len);
+ chgblob->TargetName.Length = cpu_to_le16(uni_len);
+ chgblob->TargetName.MaximumLength = cpu_to_le16(uni_len);
chgblob->TargetName.BufferOffset = cpu_to_le32(blob_off);
/* Initialize random conn challenge */
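Review bot: `conv_len` is declared `unsigned int` in the previous hunk, so the `conv_len < 0` half of `if (conv_len < 0 || conv_len > len)` can never be true. A negative return from `smb_strtoUTF16()` is still rejected, but only because it converts to a large unsigned value that trips `conv_len > len`. Declare `conv_len` as `int`, as calc_ntlmv2_hash() does, so the error check reads the way it behaves and does not trigger a type-limits warning.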
@@ -635,18 +647,18 @@ ksmbd_build_ntlmssp_challenge_blob(struct challenge_message *chgblob,
chgblob->TargetInfoArray.BufferOffset = cpu_to_le32(blob_len);
target_name = (__u8 *)chgblob + blob_off;
- memcpy(target_name, name, len);
- tinfo = (struct target_info *)(target_name + len);
+ memcpy(target_name, name, uni_len);
+ tinfo = (struct target_info *)(target_name + uni_len);
chgblob->TargetInfoArray.Length = 0;
/* Add target info list for NetBIOS/DNS settings */
for (type = NTLMSSP_AV_NB_COMPUTER_NAME;
type <= NTLMSSP_AV_DNS_DOMAIN_NAME; type++) {
tinfo->Type = cpu_to_le16(type);
- tinfo->Length = cpu_to_le16(len);
- memcpy(tinfo->Content, name, len);
- tinfo = (struct target_info *)((char *)tinfo + 4 + len);
- target_info_len += 4 + len;
+ tinfo->Length = cpu_to_le16(uni_len);
+ memcpy(tinfo->Content, name, uni_len);
+ tinfo = (struct target_info *)((char *)tinfo + 4 + uni_len);
+ target_info_len += 4 + uni_len;
}
/* Add terminator subblock */
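Review bot: This hunk copies `uni_len` bytes into the blob at `target_name` and again into `tinfo->Content` on every loop iteration, yet no visible line checks the total against the size of the buffer behind `chgblob`. With `uni_len` now derived from a validated `conv_len`, this is the place to document or assert that the caller's buffer holds `sizeof(struct challenge_message)` plus the target name, one `4 + uni_len` entry per type, and the terminator subblock.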
From patchwork Mon Nov 14 12:49:58 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Jason Yan <yanaijie(a)huawei.com>
X-Patchwork-Id: 183186
Return-Path: <yanaijie(a)huawei.com>
Received: from dggems702-chm.china.huawei.com (10.3.19.179) by
dggems702-chm.china.huawei.com (10.3.19.179) with Microsoft SMTP Server
(version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id
15.1.2375.31 via Mailbox Transport; Mon, 14 Nov 2022 20:32:54 +0800
Received: from canpemm500004.china.huawei.com (7.192.104.92) by
dggems702-chm.china.huawei.com (10.3.19.179) with Microsoft SMTP Server
(version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id
15.1.2375.31; Mon, 14 Nov 2022 20:32:54 +0800
Received: from huawei.com (10.175.127.227) by canpemm500004.china.huawei.com
(7.192.104.92) with Microsoft SMTP Server (version=TLS1_2,
cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2375.31; Mon, 14 Nov
2022 20:32:53 +0800
From: Jason Yan <yanaijie(a)huawei.com>
To: <yanaijie(a)huawei.com>, <zhengzengkai(a)huawei.com>, <xiexiuqi(a)huawei.com>,
<yi.zhang(a)huawei.com>, <patchwork(a)huawei.com>, <kernel.openeuler(a)huawei.com>,
<houtao1(a)huawei.com>
Subject: [PATCH OLK-5.10 v2 089/308] cifsd: braces {} should be used on all
arms of this statement
Date: Mon, 14 Nov 2022 20:49:58 +0800
Message-ID: <20221114125337.1831594-90-yanaijie(a)huawei.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20221114125337.1831594-1-yanaijie(a)huawei.com>
References: <20221114125337.1831594-1-yanaijie(a)huawei.com>
Content-Type: text/plain
X-MS-Exchange-Organization-Network-Message-Id:
abd2cc08-1afb-4e9c-144d-08dac63c5a13
X-MS-Exchange-Organization-AuthSource: canpemm500004.china.huawei.com
X-MS-Exchange-Organization-AuthAs: Internal
X-MS-Exchange-Organization-AuthMechanism: 07
X-Originating-IP: [10.175.127.227]
X-ClientProxiedBy: dggems702-chm.china.huawei.com (10.3.19.179) To
canpemm500004.china.huawei.com (7.192.104.92)
X-MS-Exchange-Transport-EndToEndLatency: 00:00:00.6960865
X-MS-Exchange-Processed-By-BccFoldering: 15.01.2375.031
MIME-Version: 1.0
From: Namjae Jeon <namjae.jeon(a)samsung.com>
mainline inclusion
from mainline-5.15-rc1
commit a2d6321b459aee5f2b4380271a79668c24165c56
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G
CVE: NA
Reference: https://git.kernel.org/torvalds/linux/c/a2d6321b459a
-------------------------------
Fix "CHECK: braces {} should be used on all arms of this statement"
from checkpatch.pl --strict.
Signed-off-by: Namjae Jeon <namjae.jeon(a)samsung.com>
Signed-off-by: Steve French <stfrench(a)microsoft.com>
Signed-off-by: Jason Yan <yanaijie(a)huawei.com>
---
fs/cifsd/asn1.c | 8 ++++----
fs/cifsd/vfs.c | 4 ++--
2 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/fs/cifsd/asn1.c b/fs/cifsd/asn1.c
index 769fa328c020..479a9c1fcbbe 100644
--- a/fs/cifsd/asn1.c
+++ b/fs/cifsd/asn1.c
@@ -160,9 +160,9 @@ static void encode_asn_tag(char *buf,
/* insert tag */
buf[index++] = tag;
- if (!hdr_len)
+ if (!hdr_len) {
buf[index++] = len;
- else {
+ } else {
buf[index++] = 0x80 | hdr_len;
for (i = hdr_len - 1; i >= 0; i--)
buf[index++] = (len >> (i * 8)) & 0xFF;
@@ -172,9 +172,9 @@ static void encode_asn_tag(char *buf,
len = len - (index - *ofs);
buf[index++] = seq;
- if (!hdr_len)
+ if (!hdr_len) {
buf[index++] = len;
- else {
+ } else {
buf[index++] = 0x80 | hdr_len;
for (i = hdr_len - 1; i >= 0; i--)
buf[index++] = (len >> (i * 8)) & 0xFF;
diff --git a/fs/cifsd/vfs.c b/fs/cifsd/vfs.c
index cdbb844fddad..e1295b72c410 100644
--- a/fs/cifsd/vfs.c
+++ b/fs/cifsd/vfs.c
@@ -212,9 +212,9 @@ int ksmbd_vfs_mkdir(struct ksmbd_work *work, const char *name, umode_t mode)
mode |= S_IFDIR;
err = vfs_mkdir(&init_user_ns, d_inode(path.dentry), dentry, mode);
- if (err)
+ if (err) {
goto out;
- else if (d_unhashed(dentry)) {
+ } else if (d_unhashed(dentry)) {
struct dentry *d;
d = lookup_one_len(dentry->d_name.name,
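Review bot: In ksmbd_vfs_mkdir() the `else` after `goto out;` is redundant, so bracing both arms keeps a construct that is better removed. Writing `if (err) goto out;` followed by a separate `if (d_unhashed(dentry)) {` satisfies the checkpatch complaint and drops one level of coupling between the error path and the rehash path.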
From patchwork Mon Nov 14 12:49:59 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Jason Yan <yanaijie(a)huawei.com>
X-Patchwork-Id: 183187
Return-Path: <yanaijie(a)huawei.com>
Received: from dggems703-chm.china.huawei.com (10.3.19.180) by
dggems702-chm.china.huawei.com (10.3.19.179) with Microsoft SMTP Server
(version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id
15.1.2375.31 via Mailbox Transport; Mon, 14 Nov 2022 20:32:54 +0800
Received: from canpemm500004.china.huawei.com (7.192.104.92) by
dggems703-chm.china.huawei.com (10.3.19.180) with Microsoft SMTP Server
(version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id
15.1.2375.31; Mon, 14 Nov 2022 20:32:54 +0800
Received: from huawei.com (10.175.127.227) by canpemm500004.china.huawei.com
(7.192.104.92) with Microsoft SMTP Server (version=TLS1_2,
cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2375.31; Mon, 14 Nov
2022 20:32:53 +0800
From: Jason Yan <yanaijie(a)huawei.com>
To: <yanaijie(a)huawei.com>, <zhengzengkai(a)huawei.com>, <xiexiuqi(a)huawei.com>,
<yi.zhang(a)huawei.com>, <patchwork(a)huawei.com>, <kernel.openeuler(a)huawei.com>,
<houtao1(a)huawei.com>
Subject: [PATCH OLK-5.10 v2 090/308] cifsd: spaces preferred around that '/'
Date: Mon, 14 Nov 2022 20:49:59 +0800
Message-ID: <20221114125337.1831594-91-yanaijie(a)huawei.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20221114125337.1831594-1-yanaijie(a)huawei.com>
References: <20221114125337.1831594-1-yanaijie(a)huawei.com>
Content-Type: text/plain
X-MS-Exchange-Organization-Network-Message-Id:
92ac1ff5-30e0-453f-a5be-08dac63c5a5b
X-MS-Exchange-Organization-AuthSource: canpemm500004.china.huawei.com
X-MS-Exchange-Organization-AuthAs: Internal
X-MS-Exchange-Organization-AuthMechanism: 07
X-Originating-IP: [10.175.127.227]
X-ClientProxiedBy: dggems702-chm.china.huawei.com (10.3.19.179) To
canpemm500004.china.huawei.com (7.192.104.92)
X-MS-Exchange-Transport-EndToEndLatency: 00:00:00.6931512
X-MS-Exchange-Processed-By-BccFoldering: 15.01.2375.031
MIME-Version: 1.0
From: Namjae Jeon <namjae.jeon(a)samsung.com>
mainline inclusion
from mainline-5.15-rc1
commit c8ed11522b4acbe378687b6388ceffd72e72d736
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G
CVE: NA
Reference: https://git.kernel.org/torvalds/linux/c/c8ed11522b4a
-------------------------------
Fix "CHECK: spaces preferred around that '/'" from checkpatch.pl --strict.
Signed-off-by: Namjae Jeon <namjae.jeon(a)samsung.com>
Signed-off-by: Steve French <stfrench(a)microsoft.com>
Signed-off-by: Jason Yan <yanaijie(a)huawei.com>
---
fs/cifsd/asn1.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/fs/cifsd/asn1.c b/fs/cifsd/asn1.c
index 479a9c1fcbbe..846f4e73abbf 100644
--- a/fs/cifsd/asn1.c
+++ b/fs/cifsd/asn1.c
@@ -65,7 +65,7 @@ static bool asn1_oid_decode(const unsigned char *value, size_t vlen,
unsigned long subid;
vlen += 1;
- if (vlen < 2 || vlen > UINT_MAX/sizeof(unsigned long))
+ if (vlen < 2 || vlen > UINT_MAX / sizeof(unsigned long))
return false;
*oid = kmalloc(vlen * sizeof(unsigned long), GFP_KERNEL);
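Review bot: The line being reformatted, `vlen > UINT_MAX / sizeof(unsigned long)`, is a hand-written overflow guard for the `kmalloc(vlen * sizeof(unsigned long), GFP_KERNEL)` that follows. Since the line is touched anyway, consider switching the allocation to `kmalloc_array(vlen, sizeof(unsigned long), GFP_KERNEL)`, which performs the multiplication overflow check itself and leaves only the `vlen < 2` test to maintain by hand.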
From patchwork Mon Nov 14 12:50:00 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Jason Yan <yanaijie(a)huawei.com>
X-Patchwork-Id: 183188
From: Jason Yan <yanaijie(a)huawei.com>
To: <yanaijie(a)huawei.com>, <zhengzengkai(a)huawei.com>, <xiexiuqi(a)huawei.com>,
<yi.zhang(a)huawei.com>, <patchwork(a)huawei.com>, <kernel.openeuler(a)huawei.com>,
<houtao1(a)huawei.com>
Subject: [PATCH OLK-5.10 v2 091/308] cifsd: don't use multiple blank lines
Date: Mon, 14 Nov 2022 20:50:00 +0800
Message-ID: <20221114125337.1831594-92-yanaijie(a)huawei.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20221114125337.1831594-1-yanaijie(a)huawei.com>
References: <20221114125337.1831594-1-yanaijie(a)huawei.com>
From: Namjae Jeon <namjae.jeon(a)samsung.com>
mainline inclusion
from mainline-5.15-rc1
commit 2f5205c2377c0a3c501a33092c91a45e074bfc04
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G
CVE: NA
Reference: https://git.kernel.org/torvalds/linux/c/2f5205c2377c
-------------------------------
don't use multiple blank lines.
Signed-off-by: Namjae Jeon <namjae.jeon(a)samsung.com>
Signed-off-by: Steve French <stfrench(a)microsoft.com>
Signed-off-by: Jason Yan <yanaijie(a)huawei.com>
---
fs/cifsd/nterr.h | 2 --
fs/cifsd/smb2pdu.c | 1 -
2 files changed, 3 deletions(-)
diff --git a/fs/cifsd/nterr.h b/fs/cifsd/nterr.h
index a66100e74741..2f358f88a018 100644
--- a/fs/cifsd/nterr.h
+++ b/fs/cifsd/nterr.h
@@ -9,8 +9,6 @@
* Copyright (C) Paul Ashton 1998-2000
*/
-
-
#ifndef _NTERR_H
#define _NTERR_H
diff --git a/fs/cifsd/smb2pdu.c b/fs/cifsd/smb2pdu.c
index e5d3a5790a81..c0c0cf600ce7 100644
--- a/fs/cifsd/smb2pdu.c
+++ b/fs/cifsd/smb2pdu.c
@@ -2250,7 +2250,6 @@ static int smb2_create_sd_buffer(struct ksmbd_work *work,
return rc;
}
-
static void ksmbd_acls_fattr(struct smb_fattr *fattr, struct inode *inode)
{
fattr->cf_uid = inode->i_uid;
From patchwork Mon Nov 14 12:50:01 2022
X-Patchwork-Submitter: Jason Yan <yanaijie(a)huawei.com>
X-Patchwork-Id: 183189
From: Jason Yan <yanaijie(a)huawei.com>
To: <yanaijie(a)huawei.com>, <zhengzengkai(a)huawei.com>, <xiexiuqi(a)huawei.com>,
<yi.zhang(a)huawei.com>, <patchwork(a)huawei.com>, <kernel.openeuler(a)huawei.com>,
<houtao1(a)huawei.com>
Subject: [PATCH OLK-5.10 v2 092/308] cifsd: No space is necessary after a cast
Date: Mon, 14 Nov 2022 20:50:01 +0800
Message-ID: <20221114125337.1831594-93-yanaijie(a)huawei.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20221114125337.1831594-1-yanaijie(a)huawei.com>
References: <20221114125337.1831594-1-yanaijie(a)huawei.com>
From: Namjae Jeon <namjae.jeon(a)samsung.com>
mainline inclusion
from mainline-5.15-rc1
commit 10268f7d5755f42e50e862505e7bac992d284546
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G
CVE: NA
Reference: https://git.kernel.org/torvalds/linux/c/10268f7d5755
-------------------------------
No space is necessary after a cast.
Signed-off-by: Namjae Jeon <namjae.jeon(a)samsung.com>
Signed-off-by: Steve French <stfrench(a)microsoft.com>
Signed-off-by: Jason Yan <yanaijie(a)huawei.com>
---
fs/cifsd/smb2pdu.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/fs/cifsd/smb2pdu.c b/fs/cifsd/smb2pdu.c
index c0c0cf600ce7..bdaa69facee5 100644
--- a/fs/cifsd/smb2pdu.c
+++ b/fs/cifsd/smb2pdu.c
@@ -976,7 +976,7 @@ static __le32 deassemble_neg_contexts(struct ksmbd_conn *conn,
break;
ctxt_size = decode_compress_ctxt(conn,
- (struct smb2_compression_ctx *) pneg_ctxt);
+ (struct smb2_compression_ctx *)pneg_ctxt);
pneg_ctxt += DIV_ROUND_UP(ctxt_size, 8) * 8;
} else if (*ContextType == SMB2_NETNAME_NEGOTIATE_CONTEXT_ID) {
ksmbd_debug(SMB,
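Review bot: In deassemble_neg_contexts(), the pointer advance right after the cast, `pneg_ctxt += DIV_ROUND_UP(ctxt_size, 8) * 8;`, takes its step from the value decode_compress_ctxt() returns, and nothing in this context shows the remaining negotiate-context length being checked before the cast or after the advance. Please confirm that check exists outside the hunk. Separately, `round_up(ctxt_size, 8)` expresses the 8-byte alignment more directly. The cast spacing change itself is correct.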
From patchwork Mon Nov 14 12:50:02 2022
X-Patchwork-Submitter: Jason Yan <yanaijie(a)huawei.com>
X-Patchwork-Id: 183190
From: Jason Yan <yanaijie(a)huawei.com>
To: <yanaijie(a)huawei.com>, <zhengzengkai(a)huawei.com>, <xiexiuqi(a)huawei.com>,
<yi.zhang(a)huawei.com>, <patchwork(a)huawei.com>, <kernel.openeuler(a)huawei.com>,
<houtao1(a)huawei.com>
Subject: [PATCH OLK-5.10 v2 093/308] cifsd: Blank lines aren't necessary after
an open brace '{'
Date: Mon, 14 Nov 2022 20:50:02 +0800
Message-ID: <20221114125337.1831594-94-yanaijie(a)huawei.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20221114125337.1831594-1-yanaijie(a)huawei.com>
References: <20221114125337.1831594-1-yanaijie(a)huawei.com>
From: Namjae Jeon <namjae.jeon(a)samsung.com>
mainline inclusion
from mainline-5.15-rc1
commit fe30ea69ff81f99607b0e4002ef9ae12e4694b31
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G
CVE: NA
Reference: https://git.kernel.org/torvalds/linux/c/fe30ea69ff81
-------------------------------
Blank lines aren't necessary after an open brace '{'.
Signed-off-by: Namjae Jeon <namjae.jeon(a)samsung.com>
Signed-off-by: Steve French <stfrench(a)microsoft.com>
Signed-off-by: Jason Yan <yanaijie(a)huawei.com>
---
fs/cifsd/smb2pdu.c | 1 -
1 file changed, 1 deletion(-)
diff --git a/fs/cifsd/smb2pdu.c b/fs/cifsd/smb2pdu.c
index bdaa69facee5..16290ad710fa 100644
--- a/fs/cifsd/smb2pdu.c
+++ b/fs/cifsd/smb2pdu.c
@@ -2388,7 +2388,6 @@ int smb2_open(struct ksmbd_work *work)
rc = -EINVAL;
goto err_out1;
} else {
-
if (req->CreateOptions & FILE_SEQUENTIAL_ONLY_LE &&
req->CreateOptions & FILE_RANDOM_ACCESS_LE)
req->CreateOptions = ~(FILE_SEQUENTIAL_ONLY_LE);
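Review bot: The context line `req->CreateOptions = ~(FILE_SEQUENTIAL_ONLY_LE);` in smb2_open() assigns the complement of a single flag to the whole field, which sets every other option bit instead of clearing FILE_SEQUENTIAL_ONLY_LE. If the intent is to drop the sequential hint when the client also asks for random access, this should read `req->CreateOptions &= ~FILE_SEQUENTIAL_ONLY_LE;`, sent as a separate fix rather than folded into this blank-line cleanup.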
From patchwork Mon Nov 14 12:50:03 2022
X-Patchwork-Submitter: Jason Yan <yanaijie(a)huawei.com>
X-Patchwork-Id: 183191
From: Jason Yan <yanaijie(a)huawei.com>
To: <yanaijie(a)huawei.com>, <zhengzengkai(a)huawei.com>, <xiexiuqi(a)huawei.com>,
<yi.zhang(a)huawei.com>, <patchwork(a)huawei.com>, <kernel.openeuler(a)huawei.com>,
<houtao1(a)huawei.com>
Subject: [PATCH OLK-5.10 v2 094/308] cifsd: Alignment should match open
parenthesis
Date: Mon, 14 Nov 2022 20:50:03 +0800
Message-ID: <20221114125337.1831594-95-yanaijie(a)huawei.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20221114125337.1831594-1-yanaijie(a)huawei.com>
References: <20221114125337.1831594-1-yanaijie(a)huawei.com>
From: Namjae Jeon <namjae.jeon(a)samsung.com>
mainline inclusion
from mainline-5.15-rc1
commit 070fb21e5912b6aa22509083aaca030d1f4e7d57
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G
CVE: NA
Reference: https://git.kernel.org/torvalds/linux/c/070fb21e5912
-------------------------------
Fix warnings "Alignment should match open parenthesis" from
checkpatch.pl --strict.
Signed-off-by: Namjae Jeon <namjae.jeon(a)samsung.com>
Signed-off-by: Steve French <stfrench(a)microsoft.com>
Signed-off-by: Jason Yan <yanaijie(a)huawei.com>
---
fs/cifsd/asn1.c | 38 +-
fs/cifsd/asn1.h | 18 +-
fs/cifsd/auth.c | 115 +++----
fs/cifsd/auth.h | 57 +--
fs/cifsd/buffer_pool.c | 3 +-
fs/cifsd/buffer_pool.h | 3 -
fs/cifsd/connection.c | 24 +-
fs/cifsd/connection.h | 22 +-
fs/cifsd/crypto_ctx.c | 4 +-
fs/cifsd/crypto_ctx.h | 3 -
fs/cifsd/ksmbd_work.c | 8 +-
fs/cifsd/misc.c | 12 +-
fs/cifsd/misc.h | 9 -
fs/cifsd/ndr.c | 7 +-
fs/cifsd/ndr.h | 3 +-
fs/cifsd/oplock.c | 108 +++---
fs/cifsd/oplock.h | 13 +-
fs/cifsd/server.c | 32 +-
fs/cifsd/smb2misc.c | 42 +--
fs/cifsd/smb2pdu.c | 707 +++++++++++++++++++-------------------
fs/cifsd/smb_common.c | 37 +-
fs/cifsd/smbacl.c | 106 +++---
fs/cifsd/transport_ipc.c | 21 +-
fs/cifsd/transport_ipc.h | 13 +-
fs/cifsd/transport_rdma.c | 358 +++++++++----------
fs/cifsd/transport_tcp.c | 26 +-
fs/cifsd/unicode.c | 17 +-
fs/cifsd/unicode.h | 9 +-
fs/cifsd/vfs.c | 196 ++++++-----
fs/cifsd/vfs.h | 65 ++--
fs/cifsd/vfs_cache.c | 14 +-
fs/cifsd/vfs_cache.h | 2 +-
32 files changed, 1021 insertions(+), 1071 deletions(-)
diff --git a/fs/cifsd/asn1.c b/fs/cifsd/asn1.c
index 846f4e73abbf..1be3072fee1a 100644
--- a/fs/cifsd/asn1.c
+++ b/fs/cifsd/asn1.c
@@ -37,7 +37,7 @@ static char NTLMSSP_OID_STR[NTLMSSP_OID_LEN] = { 0x2b, 0x06, 0x01, 0x04, 0x01,
static bool
asn1_subid_decode(const unsigned char **begin, const unsigned char *end,
- unsigned long *subid)
+ unsigned long *subid)
{
const unsigned char *ptr = *begin;
unsigned char ch;
@@ -58,7 +58,7 @@ asn1_subid_decode(const unsigned char **begin, const unsigned char *end,
}
static bool asn1_oid_decode(const unsigned char *value, size_t vlen,
- unsigned long **oid, size_t *oidlen)
+ unsigned long **oid, size_t *oidlen)
{
const unsigned char *iptr = value, *end = value + vlen;
unsigned long *optr;
@@ -106,9 +106,8 @@ static bool asn1_oid_decode(const unsigned char *value, size_t vlen,
return false;
}
-static bool
-oid_eq(unsigned long *oid1, unsigned int oid1len,
- unsigned long *oid2, unsigned int oid2len)
+static bool oid_eq(unsigned long *oid1, unsigned int oid1len,
+ unsigned long *oid2, unsigned int oid2len)
{
if (oid1len != oid2len)
return false;
@@ -118,7 +117,7 @@ oid_eq(unsigned long *oid1, unsigned int oid1len,
int
ksmbd_decode_negTokenInit(unsigned char *security_blob, int length,
- struct ksmbd_conn *conn)
+ struct ksmbd_conn *conn)
{
return asn1_ber_decoder(&spnego_negtokeninit_decoder, conn,
security_blob, length);
@@ -126,7 +125,7 @@ ksmbd_decode_negTokenInit(unsigned char *security_blob, int length,
int
ksmbd_decode_negTokenTarg(unsigned char *security_blob, int length,
- struct ksmbd_conn *conn)
+ struct ksmbd_conn *conn)
{
return asn1_ber_decoder(&spnego_negtokentarg_decoder, conn,
security_blob, length);
@@ -146,10 +145,7 @@ static int compute_asn_hdr_len_bytes(int len)
return 0;
}
-static void encode_asn_tag(char *buf,
- unsigned int *ofs,
- char tag,
- char seq,
+static void encode_asn_tag(char *buf, unsigned int *ofs, char tag, char seq,
int length)
{
int i;
@@ -184,7 +180,7 @@ static void encode_asn_tag(char *buf,
}
int build_spnego_ntlmssp_neg_blob(unsigned char **pbuffer, u16 *buflen,
- char *ntlm_blob, int ntlm_blob_len)
+ char *ntlm_blob, int ntlm_blob_len)
{
char *buf;
unsigned int ofs = 0;
@@ -225,7 +221,7 @@ int build_spnego_ntlmssp_neg_blob(unsigned char **pbuffer, u16 *buflen,
}
int build_spnego_ntlmssp_auth_blob(unsigned char **pbuffer, u16 *buflen,
- int neg_result)
+ int neg_result)
{
char *buf;
unsigned int ofs = 0;
@@ -252,8 +248,8 @@ int build_spnego_ntlmssp_auth_blob(unsigned char **pbuffer, u16 *buflen,
return 0;
}
-int gssapi_this_mech(void *context, size_t hdrlen,
- unsigned char tag, const void *value, size_t vlen)
+int gssapi_this_mech(void *context, size_t hdrlen, unsigned char tag,
+ const void *value, size_t vlen)
{
unsigned long *oid;
size_t oidlen;
@@ -277,8 +273,8 @@ int gssapi_this_mech(void *context, size_t hdrlen,
return err;
}
-int neg_token_init_mech_type(void *context, size_t hdrlen,
- unsigned char tag, const void *value, size_t vlen)
+int neg_token_init_mech_type(void *context, size_t hdrlen, unsigned char tag,
+ const void *value, size_t vlen)
{
struct ksmbd_conn *conn = context;
unsigned long *oid;
@@ -314,8 +310,8 @@ int neg_token_init_mech_type(void *context, size_t hdrlen,
return -EBADMSG;
}
-int neg_token_init_mech_token(void *context, size_t hdrlen,
- unsigned char tag, const void *value, size_t vlen)
+int neg_token_init_mech_token(void *context, size_t hdrlen, unsigned char tag,
+ const void *value, size_t vlen)
{
struct ksmbd_conn *conn = context;
@@ -328,8 +324,8 @@ int neg_token_init_mech_token(void *context, size_t hdrlen,
return 0;
}
-int neg_token_targ_resp_token(void *context, size_t hdrlen,
- unsigned char tag, const void *value, size_t vlen)
+int neg_token_targ_resp_token(void *context, size_t hdrlen, unsigned char tag,
+ const void *value, size_t vlen)
{
struct ksmbd_conn *conn = context;
diff --git a/fs/cifsd/asn1.h b/fs/cifsd/asn1.h
index ff2692b502d6..ce105f4ce305 100644
--- a/fs/cifsd/asn1.h
+++ b/fs/cifsd/asn1.h
@@ -10,20 +10,12 @@
#ifndef __ASN1_H__
#define __ASN1_H__
-int ksmbd_decode_negTokenInit(unsigned char *security_blob,
- int length,
+int ksmbd_decode_negTokenInit(unsigned char *security_blob, int length,
struct ksmbd_conn *conn);
-
-int ksmbd_decode_negTokenTarg(unsigned char *security_blob,
- int length,
+int ksmbd_decode_negTokenTarg(unsigned char *security_blob, int length,
struct ksmbd_conn *conn);
-
-int build_spnego_ntlmssp_neg_blob(unsigned char **pbuffer,
- u16 *buflen,
- char *ntlm_blob,
- int ntlm_blob_len);
-
-int build_spnego_ntlmssp_auth_blob(unsigned char **pbuffer,
- u16 *buflen,
+int build_spnego_ntlmssp_neg_blob(unsigned char **pbuffer, u16 *buflen,
+ char *ntlm_blob, int ntlm_blob_len);
+int build_spnego_ntlmssp_auth_blob(unsigned char **pbuffer, u16 *buflen,
int neg_result);
#endif /* __ASN1_H__ */
diff --git a/fs/cifsd/auth.c b/fs/cifsd/auth.c
index f742870a930b..9b86cf4fd73f 100644
--- a/fs/cifsd/auth.c
+++ b/fs/cifsd/auth.c
@@ -93,8 +93,7 @@ smbhash(unsigned char *out, const unsigned char *in, unsigned char *key)
struct des_ctx ctx;
if (fips_enabled) {
- ksmbd_debug(AUTH,
- "FIPS compliance enabled: DES not permitted\n");
+ ksmbd_debug(AUTH, "FIPS compliance enabled: DES not permitted\n");
return -ENOENT;
}
@@ -120,7 +119,7 @@ static int ksmbd_enc_p24(unsigned char *p21, const unsigned char *c8, unsigned c
/* produce a md4 message digest from data of length n bytes */
static int ksmbd_enc_md4(unsigned char *md4_hash, unsigned char *link_str,
- int link_len)
+ int link_len)
{
int rc;
struct ksmbd_crypto_ctx *ctx;
@@ -152,7 +151,7 @@ static int ksmbd_enc_md4(unsigned char *md4_hash, unsigned char *link_str,
}
static int ksmbd_enc_update_sess_key(unsigned char *md5_hash, char *nonce,
- char *server_challenge, int len)
+ char *server_challenge, int len)
{
int rc;
struct ksmbd_crypto_ctx *ctx;
@@ -197,7 +196,7 @@ static int ksmbd_enc_update_sess_key(unsigned char *md5_hash, char *nonce,
*
*/
static int ksmbd_gen_sess_key(struct ksmbd_session *sess, char *hash,
- char *hmac)
+ char *hmac)
{
struct ksmbd_crypto_ctx *ctx;
int rc;
@@ -226,15 +225,13 @@ static int ksmbd_gen_sess_key(struct ksmbd_session *sess, char *hash,
hmac,
SMB2_NTLMV2_SESSKEY_SIZE);
if (rc) {
- ksmbd_debug(AUTH, "Could not update with response error %d\n",
- rc);
+ ksmbd_debug(AUTH, "Could not update with response error %d\n", rc);
goto out;
}
rc = crypto_shash_final(CRYPTO_HMACMD5(ctx), sess->sess_key);
if (rc) {
- ksmbd_debug(AUTH, "Could not generate hmacmd5 hash error %d\n",
- rc);
+ ksmbd_debug(AUTH, "Could not generate hmacmd5 hash error %d\n", rc);
goto out;
}
@@ -244,7 +241,7 @@ static int ksmbd_gen_sess_key(struct ksmbd_session *sess, char *hash,
}
static int calc_ntlmv2_hash(struct ksmbd_session *sess, char *ntlmv2_hash,
- char *dname)
+ char *dname)
{
int ret, len, conv_len;
wchar_t *domain = NULL;
@@ -280,7 +277,7 @@ static int calc_ntlmv2_hash(struct ksmbd_session *sess, char *ntlmv2_hash,
}
conv_len = smb_strtoUTF16(uniname, user_name(sess->user), len,
- sess->conn->local_nls);
+ sess->conn->local_nls);
if (conv_len < 0 || conv_len > len) {
ret = -EINVAL;
goto out;
@@ -304,7 +301,7 @@ static int calc_ntlmv2_hash(struct ksmbd_session *sess, char *ntlmv2_hash,
}
conv_len = smb_strtoUTF16((__le16 *)domain, dname, len,
- sess->conn->local_nls);
+ sess->conn->local_nls);
if (conv_len < 0 || conv_len > len) {
ret = -EINVAL;
goto out;
@@ -350,11 +347,10 @@ int ksmbd_auth_ntlm(struct ksmbd_session *sess, char *pw_buf)
return rc;
}
- ksmbd_enc_md4(sess->sess_key,
- user_passkey(sess->user),
- CIFS_SMB1_SESSKEY_SIZE);
+ ksmbd_enc_md4(sess->sess_key, user_passkey(sess->user),
+ CIFS_SMB1_SESSKEY_SIZE);
memcpy(sess->sess_key + CIFS_SMB1_SESSKEY_SIZE, key,
- CIFS_AUTH_RESP_SIZE);
+ CIFS_AUTH_RESP_SIZE);
sess->sequence_number = 1;
if (strncmp(pw_buf, key, CIFS_AUTH_RESP_SIZE) != 0) {
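Review bot: `strncmp(pw_buf, key, CIFS_AUTH_RESP_SIZE)` in ksmbd_auth_ntlm() compares a binary authentication response with a string function, so the comparison stops at the first zero byte the two buffers share and is not constant-time. A fixed-length comparison such as crypto_memneq() over CIFS_AUTH_RESP_SIZE bytes is the usual choice for authenticator checks. The return value of ksmbd_enc_md4(), declared `static int` earlier in this file, is also dropped on the realigned call.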
@@ -376,7 +372,7 @@ int ksmbd_auth_ntlm(struct ksmbd_session *sess, char *pw_buf)
* Return: 0 on success, error number on error
*/
int ksmbd_auth_ntlmv2(struct ksmbd_session *sess, struct ntlmv2_resp *ntlmv2,
- int blen, char *domain_name)
+ int blen, char *domain_name)
{
char ntlmv2_hash[CIFS_ENCPWD_SIZE];
char ntlmv2_rsp[CIFS_HMAC_MD5_HASH_SIZE];
@@ -455,7 +451,7 @@ int ksmbd_auth_ntlmv2(struct ksmbd_session *sess, struct ntlmv2_resp *ntlmv2,
* Return: 0 on success, error number on error
*/
static int __ksmbd_auth_ntlmv2(struct ksmbd_session *sess, char *client_nonce,
- char *ntlm_resp)
+ char *ntlm_resp)
{
char sess_key[CIFS_SMB1_SESSKEY_SIZE] = {0};
int rc;
@@ -494,7 +490,7 @@ static int __ksmbd_auth_ntlmv2(struct ksmbd_session *sess, char *client_nonce,
* Return: 0 on success, error number on error
*/
int ksmbd_decode_ntlmssp_auth_blob(struct authenticate_message *authblob,
- int blob_len, struct ksmbd_session *sess)
+ int blob_len, struct ksmbd_session *sess)
{
char *domain_name;
unsigned int lm_off, nt_off;
@@ -503,13 +499,13 @@ int ksmbd_decode_ntlmssp_auth_blob(struct authenticate_message *authblob,
if (blob_len < sizeof(struct authenticate_message)) {
ksmbd_debug(AUTH, "negotiate blob len %d too small\n",
- blob_len);
+ blob_len);
return -EINVAL;
}
if (memcmp(authblob->Signature, "NTLMSSP", 8)) {
ksmbd_debug(AUTH, "blob signature incorrect %s\n",
- authblob->Signature);
+ authblob->Signature);
return -EINVAL;
}
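Review bot: `blob_len < sizeof(struct authenticate_message)` compares the signed `int blob_len` parameter against a size_t, so a negative length is converted to a large unsigned value and passes the too-small check; take the length as unsigned or reject `blob_len < 0` first. The second debug call prints `authblob->Signature` with `%s` on the path where the memcmp() against "NTLMSSP" has just failed, so the field is not known to be NUL-terminated there; `%.8s` or `%*ph` bounds the read. Both patterns recur in ksmbd_decode_ntlmssp_neg_blob() further down.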
@@ -538,11 +534,10 @@ int ksmbd_decode_ntlmssp_auth_blob(struct authenticate_message *authblob,
/* process NTLMv2 authentication */
ksmbd_debug(AUTH, "decode_ntlmssp_authenticate_blob dname%s\n",
- domain_name);
- ret = ksmbd_auth_ntlmv2(sess,
- (struct ntlmv2_resp *)((char *)authblob + nt_off),
- nt_len - CIFS_ENCPWD_SIZE,
- domain_name);
+ domain_name);
+ ret = ksmbd_auth_ntlmv2(sess, (struct ntlmv2_resp *)((char *)authblob + nt_off),
+ nt_len - CIFS_ENCPWD_SIZE,
+ domain_name);
kfree(domain_name);
return ret;
}
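Review bot: The call `ksmbd_auth_ntlmv2(sess, (struct ntlmv2_resp *)((char *)authblob + nt_off), nt_len - CIFS_ENCPWD_SIZE, domain_name)` forms a pointer and a length from `nt_off` and `nt_len`, and nothing visible in this hunk bounds them against `blob_len` or guards the subtraction against `nt_len` being smaller than CIFS_ENCPWD_SIZE. Please confirm both are validated earlier in ksmbd_decode_ntlmssp_auth_blob(); if they are not, that belongs in its own fix rather than in this cleanup.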
@@ -556,17 +551,17 @@ int ksmbd_decode_ntlmssp_auth_blob(struct authenticate_message *authblob,
*
*/
int ksmbd_decode_ntlmssp_neg_blob(struct negotiate_message *negblob,
- int blob_len, struct ksmbd_session *sess)
+ int blob_len, struct ksmbd_session *sess)
{
if (blob_len < sizeof(struct negotiate_message)) {
ksmbd_debug(AUTH, "negotiate blob len %d too small\n",
- blob_len);
+ blob_len);
return -EINVAL;
}
if (memcmp(negblob->Signature, "NTLMSSP", 8)) {
ksmbd_debug(AUTH, "blob signature incorrect %s\n",
- negblob->Signature);
+ negblob->Signature);
return -EINVAL;
}
@@ -584,7 +579,7 @@ int ksmbd_decode_ntlmssp_neg_blob(struct negotiate_message *negblob,
*/
unsigned int
ksmbd_build_ntlmssp_challenge_blob(struct challenge_message *chgblob,
- struct ksmbd_session *sess)
+ struct ksmbd_session *sess)
{
struct target_info *tinfo;
wchar_t *name;
@@ -623,7 +618,7 @@ ksmbd_build_ntlmssp_challenge_blob(struct challenge_message *chgblob,
return -ENOMEM;
conv_len = smb_strtoUTF16((__le16 *)name, ksmbd_netbios_name(), len,
- sess->conn->local_nls);
+ sess->conn->local_nls);
if (conv_len < 0 || conv_len > len) {
kfree(name);
return -EINVAL;
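Review bot: `return -ENOMEM;` and `return -EINVAL;` sit in ksmbd_build_ntlmssp_challenge_blob(), which the previous hunk shows is declared to return `unsigned int`, so callers see a large positive length rather than an error unless they convert it back. Changing the return type to `int` would make the error paths unambiguous.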
@@ -641,7 +636,7 @@ ksmbd_build_ntlmssp_challenge_blob(struct challenge_message *chgblob,
/* Initialize random conn challenge */
get_random_bytes(sess->ntlmssp.cryptkey, sizeof(__u64));
memcpy(chgblob->Challenge, sess->ntlmssp.cryptkey,
- CIFS_CRYPTO_KEY_SIZE);
+ CIFS_CRYPTO_KEY_SIZE);
/* Add Target Information to security buffer */
chgblob->TargetInfoArray.BufferOffset = cpu_to_le32(blob_len);
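Review bot: `get_random_bytes(sess->ntlmssp.cryptkey, sizeof(__u64))` fills the challenge using one size expression while the following `memcpy(chgblob->Challenge, sess->ntlmssp.cryptkey, CIFS_CRYPTO_KEY_SIZE)` copies it using another. Using CIFS_CRYPTO_KEY_SIZE in both places keeps the number of random bytes and the number of copied bytes tied together if the constant ever changes.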
@@ -676,7 +671,7 @@ ksmbd_build_ntlmssp_challenge_blob(struct challenge_message *chgblob,
#ifdef CONFIG_SMB_SERVER_KERBEROS5
int ksmbd_krb5_authenticate(struct ksmbd_session *sess, char *in_blob,
- int in_len, char *out_blob, int *out_len)
+ int in_len, char *out_blob, int *out_len)
{
struct ksmbd_spnego_authen_response *resp;
struct ksmbd_user *user = NULL;
@@ -696,7 +691,7 @@ int ksmbd_krb5_authenticate(struct ksmbd_session *sess, char *in_blob,
if (*out_len <= resp->spnego_blob_len) {
ksmbd_debug(AUTH, "buf len %d, but blob len %d\n",
- *out_len, resp->spnego_blob_len);
+ *out_len, resp->spnego_blob_len);
retval = -EINVAL;
goto out;
}
@@ -717,7 +712,7 @@ int ksmbd_krb5_authenticate(struct ksmbd_session *sess, char *in_blob,
memcpy(sess->sess_key, resp->payload, resp->session_key_len);
memcpy(out_blob, resp->payload + resp->session_key_len,
- resp->spnego_blob_len);
+ resp->spnego_blob_len);
*out_len = resp->spnego_blob_len;
retval = 0;
out:
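Review bot: `memcpy(sess->sess_key, resp->payload, resp->session_key_len);` copies a length taken from the response into `sess->sess_key`, and the only length check visible in this function is the one on `resp->spnego_blob_len` against `*out_len` in the previous hunk. Please confirm `resp->session_key_len` is checked against the size of `sess->sess_key` before this copy.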
@@ -726,7 +721,7 @@ int ksmbd_krb5_authenticate(struct ksmbd_session *sess, char *in_blob,
}
#else
int ksmbd_krb5_authenticate(struct ksmbd_session *sess, char *in_blob,
- int in_len, char *out_blob, int *out_len)
+ int in_len, char *out_blob, int *out_len)
{
return -EOPNOTSUPP;
}
@@ -742,7 +737,7 @@ int ksmbd_krb5_authenticate(struct ksmbd_session *sess, char *in_blob,
*
*/
int ksmbd_sign_smb2_pdu(struct ksmbd_conn *conn, char *key, struct kvec *iov,
- int n_vec, char *sig)
+ int n_vec, char *sig)
{
struct ksmbd_crypto_ctx *ctx;
int rc, i;
@@ -793,7 +788,7 @@ int ksmbd_sign_smb2_pdu(struct ksmbd_conn *conn, char *key, struct kvec *iov,
*
*/
int ksmbd_sign_smb3_pdu(struct ksmbd_conn *conn, char *key, struct kvec *iov,
- int n_vec, char *sig)
+ int n_vec, char *sig)
{
struct ksmbd_crypto_ctx *ctx;
int rc, i;
@@ -841,7 +836,7 @@ struct derivation {
};
static int generate_key(struct ksmbd_session *sess, struct kvec label,
- struct kvec context, __u8 *key, unsigned int key_size)
+ struct kvec context, __u8 *key, unsigned int key_size)
{
unsigned char zero = 0x0;
__u8 i[4] = {0, 0, 0, 1};
@@ -914,7 +909,7 @@ static int generate_key(struct ksmbd_session *sess, struct kvec label,
rc = crypto_shash_final(CRYPTO_HMACSHA256(ctx), hashptr);
if (rc) {
ksmbd_debug(AUTH, "Could not generate hmacmd5 hash error %d\n",
- rc);
+ rc);
goto smb3signkey_ret;
}
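Review bot: The debug string "Could not generate hmacmd5 hash error %d" in generate_key() follows `crypto_shash_final(CRYPTO_HMACSHA256(ctx), hashptr)`, so the message names the wrong algorithm. Since the call is being re-wrapped here, correct the text to hmacsha256 so a failure in the log points at the right transform.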
@@ -926,7 +921,7 @@ static int generate_key(struct ksmbd_session *sess, struct kvec label,
}
static int generate_smb3signingkey(struct ksmbd_session *sess,
- const struct derivation *signing)
+ const struct derivation *signing)
{
int rc;
struct channel *chann;
@@ -942,7 +937,7 @@ static int generate_smb3signingkey(struct ksmbd_session *sess,
key = sess->smb3signingkey;
rc = generate_key(sess, signing->label, signing->context, key,
- SMB3_SIGN_KEY_SIZE);
+ SMB3_SIGN_KEY_SIZE);
if (rc)
return rc;
@@ -952,9 +947,9 @@ static int generate_smb3signingkey(struct ksmbd_session *sess,
ksmbd_debug(AUTH, "dumping generated AES signing keys\n");
ksmbd_debug(AUTH, "Session Id %llu\n", sess->id);
ksmbd_debug(AUTH, "Session Key %*ph\n",
- SMB2_NTLMV2_SESSKEY_SIZE, sess->sess_key);
+ SMB2_NTLMV2_SESSKEY_SIZE, sess->sess_key);
ksmbd_debug(AUTH, "Signing Key %*ph\n",
- SMB3_SIGN_KEY_SIZE, key);
+ SMB3_SIGN_KEY_SIZE, key);
return 0;
}
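Review bot: The realigned ksmbd_debug() calls in generate_smb3signingkey() print `sess->sess_key` and the derived signing key with `%*ph`, which puts live key material in the kernel log whenever AUTH debugging is enabled. Consider dropping these dumps or gating them behind a build-time option; generate_smb3encryptionkey() below does the same for the ServerIn and ServerOut keys.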
@@ -990,19 +985,19 @@ struct derivation_twin {
};
static int generate_smb3encryptionkey(struct ksmbd_session *sess,
- const struct derivation_twin *ptwin)
+ const struct derivation_twin *ptwin)
{
int rc;
rc = generate_key(sess, ptwin->encryption.label,
- ptwin->encryption.context, sess->smb3encryptionkey,
- SMB3_ENC_DEC_KEY_SIZE);
+ ptwin->encryption.context, sess->smb3encryptionkey,
+ SMB3_ENC_DEC_KEY_SIZE);
if (rc)
return rc;
rc = generate_key(sess, ptwin->decryption.label,
- ptwin->decryption.context,
- sess->smb3decryptionkey, SMB3_ENC_DEC_KEY_SIZE);
+ ptwin->decryption.context,
+ sess->smb3decryptionkey, SMB3_ENC_DEC_KEY_SIZE);
if (rc)
return rc;
@@ -1010,18 +1005,18 @@ static int generate_smb3encryptionkey(struct ksmbd_session *sess,
ksmbd_debug(AUTH, "Cipher type %d\n", sess->conn->cipher_type);
ksmbd_debug(AUTH, "Session Id %llu\n", sess->id);
ksmbd_debug(AUTH, "Session Key %*ph\n",
- SMB2_NTLMV2_SESSKEY_SIZE, sess->sess_key);
+ SMB2_NTLMV2_SESSKEY_SIZE, sess->sess_key);
if (sess->conn->cipher_type == SMB2_ENCRYPTION_AES256_CCM ||
sess->conn->cipher_type == SMB2_ENCRYPTION_AES256_GCM) {
ksmbd_debug(AUTH, "ServerIn Key %*ph\n",
- SMB3_GCM256_CRYPTKEY_SIZE, sess->smb3encryptionkey);
+ SMB3_GCM256_CRYPTKEY_SIZE, sess->smb3encryptionkey);
ksmbd_debug(AUTH, "ServerOut Key %*ph\n",
- SMB3_GCM256_CRYPTKEY_SIZE, sess->smb3decryptionkey);
+ SMB3_GCM256_CRYPTKEY_SIZE, sess->smb3decryptionkey);
} else {
ksmbd_debug(AUTH, "ServerIn Key %*ph\n",
- SMB3_GCM128_CRYPTKEY_SIZE, sess->smb3encryptionkey);
+ SMB3_GCM128_CRYPTKEY_SIZE, sess->smb3encryptionkey);
ksmbd_debug(AUTH, "ServerOut Key %*ph\n",
- SMB3_GCM128_CRYPTKEY_SIZE, sess->smb3decryptionkey);
+ SMB3_GCM128_CRYPTKEY_SIZE, sess->smb3decryptionkey);
}
return 0;
}
@@ -1067,7 +1062,7 @@ int ksmbd_gen_smb311_encryptionkey(struct ksmbd_session *sess)
}
int ksmbd_gen_preauth_integrity_hash(struct ksmbd_conn *conn, char *buf,
- __u8 *pi_hash)
+ __u8 *pi_hash)
{
int rc;
struct smb2_hdr *rcv_hdr = (struct smb2_hdr *)buf;
@@ -1114,7 +1109,7 @@ int ksmbd_gen_preauth_integrity_hash(struct ksmbd_conn *conn, char *buf,
}
int ksmbd_gen_sd_hash(struct ksmbd_conn *conn, char *sd_buf, int len,
- __u8 *pi_hash)
+ __u8 *pi_hash)
{
int rc;
struct ksmbd_crypto_ctx *ctx = NULL;
@@ -1148,7 +1143,7 @@ int ksmbd_gen_sd_hash(struct ksmbd_conn *conn, char *sd_buf, int len,
}
static int ksmbd_get_encryption_key(struct ksmbd_conn *conn, __u64 ses_id,
- int enc, u8 *key)
+ int enc, u8 *key)
{
struct ksmbd_session *sess;
u8 *ses_enc_key;
@@ -1165,7 +1160,7 @@ static int ksmbd_get_encryption_key(struct ksmbd_conn *conn, __u64 ses_id,
}
static inline void smb2_sg_set_buf(struct scatterlist *sg, const void *buf,
- unsigned int buflen)
+ unsigned int buflen)
{
void *addr;
@@ -1177,7 +1172,7 @@ static inline void smb2_sg_set_buf(struct scatterlist *sg, const void *buf,
}
static struct scatterlist *ksmbd_init_sg(struct kvec *iov, unsigned int nvec,
- u8 *sign)
+ u8 *sign)
{
struct scatterlist *sg;
unsigned int assoc_data_len = sizeof(struct smb2_transform_hdr) - 24;
@@ -1242,7 +1237,7 @@ static struct scatterlist *ksmbd_init_sg(struct kvec *iov, unsigned int nvec,
}
int ksmbd_crypt_message(struct ksmbd_conn *conn, struct kvec *iov,
- unsigned int nvec, int enc)
+ unsigned int nvec, int enc)
{
struct smb2_transform_hdr *tr_hdr =
(struct smb2_transform_hdr *)iov[0].iov_base;
diff --git a/fs/cifsd/auth.h b/fs/cifsd/auth.h
index 6fcfad5e7e1f..650bd7dd6750 100644
--- a/fs/cifsd/auth.h
+++ b/fs/cifsd/auth.h
@@ -35,56 +35,31 @@ struct ksmbd_session;
struct ksmbd_conn;
struct kvec;
-int ksmbd_crypt_message(struct ksmbd_conn *conn,
- struct kvec *iov,
- unsigned int nvec,
- int enc);
-
+int ksmbd_crypt_message(struct ksmbd_conn *conn, struct kvec *iov,
+ unsigned int nvec, int enc);
void ksmbd_copy_gss_neg_header(void *buf);
-
-int ksmbd_auth_ntlm(struct ksmbd_session *sess,
- char *pw_buf);
-
-int ksmbd_auth_ntlmv2(struct ksmbd_session *sess,
- struct ntlmv2_resp *ntlmv2,
- int blen,
- char *domain_name);
-
+int ksmbd_auth_ntlm(struct ksmbd_session *sess, char *pw_buf);
+int ksmbd_auth_ntlmv2(struct ksmbd_session *sess, struct ntlmv2_resp *ntlmv2,
+ int blen, char *domain_name);
int ksmbd_decode_ntlmssp_auth_blob(struct authenticate_message *authblob,
- int blob_len,
- struct ksmbd_session *sess);
-
+ int blob_len, struct ksmbd_session *sess);
int ksmbd_decode_ntlmssp_neg_blob(struct negotiate_message *negblob,
- int blob_len,
- struct ksmbd_session *sess);
-
+ int blob_len, struct ksmbd_session *sess);
unsigned int
ksmbd_build_ntlmssp_challenge_blob(struct challenge_message *chgblob,
- struct ksmbd_session *sess);
-
-int ksmbd_krb5_authenticate(struct ksmbd_session *sess,
- char *in_blob, int in_len,
- char *out_blob, int *out_len);
-
-int ksmbd_sign_smb2_pdu(struct ksmbd_conn *conn,
- char *key,
- struct kvec *iov,
- int n_vec,
- char *sig);
-int ksmbd_sign_smb3_pdu(struct ksmbd_conn *conn,
- char *key,
- struct kvec *iov,
- int n_vec,
- char *sig);
-
+ struct ksmbd_session *sess);
+int ksmbd_krb5_authenticate(struct ksmbd_session *sess, char *in_blob,
+ int in_len, char *out_blob, int *out_len);
+int ksmbd_sign_smb2_pdu(struct ksmbd_conn *conn, char *key, struct kvec *iov,
+ int n_vec, char *sig);
+int ksmbd_sign_smb3_pdu(struct ksmbd_conn *conn, char *key, struct kvec *iov,
+ int n_vec, char *sig);
int ksmbd_gen_smb30_signingkey(struct ksmbd_session *sess);
int ksmbd_gen_smb311_signingkey(struct ksmbd_session *sess);
int ksmbd_gen_smb30_encryptionkey(struct ksmbd_session *sess);
int ksmbd_gen_smb311_encryptionkey(struct ksmbd_session *sess);
-
-int ksmbd_gen_preauth_integrity_hash(struct ksmbd_conn *conn,
- char *buf,
+int ksmbd_gen_preauth_integrity_hash(struct ksmbd_conn *conn, char *buf,
__u8 *pi_hash);
int ksmbd_gen_sd_hash(struct ksmbd_conn *conn, char *sd_buf, int len,
- __u8 *pi_hash);
+ __u8 *pi_hash);
#endif
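Review bot: the prototypes being re-wrapped in auth.h take every client-supplied length as a signed int (`int blen`, `int blob_len`, `int in_len`, `int n_vec`). Since these lines are being touched anyway, consider a follow-up that switches them to an unsigned type, or document in the header that callers must reject negative values before calling, so that a negative length cannot reach the blob decoders.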
diff --git a/fs/cifsd/buffer_pool.c b/fs/cifsd/buffer_pool.c
index 1ee1feef1bb4..ea7d2d1a056a 100644
--- a/fs/cifsd/buffer_pool.c
+++ b/fs/cifsd/buffer_pool.c
@@ -251,7 +251,8 @@ int ksmbd_init_buffer_pools(void)
goto out;
filp_cache = kmem_cache_create("ksmbd_file_cache",
- sizeof(struct ksmbd_file), 0, SLAB_HWCACHE_ALIGN, NULL);
+ sizeof(struct ksmbd_file), 0,
+ SLAB_HWCACHE_ALIGN, NULL);
if (!filp_cache)
goto out;
diff --git a/fs/cifsd/buffer_pool.h b/fs/cifsd/buffer_pool.h
index f7157144a92f..088aa07ba09b 100644
--- a/fs/cifsd/buffer_pool.h
+++ b/fs/cifsd/buffer_pool.h
@@ -8,12 +8,9 @@
void *ksmbd_find_buffer(size_t size);
void ksmbd_release_buffer(void *buffer);
-
void *ksmbd_realloc_response(void *ptr, size_t old_sz, size_t new_sz);
-
void ksmbd_free_file_struct(void *filp);
void *ksmbd_alloc_file_struct(void);
-
void ksmbd_destroy_buffer_pools(void);
int ksmbd_init_buffer_pools(void);
diff --git a/fs/cifsd/connection.c b/fs/cifsd/connection.c
index 4785dd59fcc5..06c42309be72 100644
--- a/fs/cifsd/connection.c
+++ b/fs/cifsd/connection.c
@@ -201,30 +201,30 @@ int ksmbd_conn_write(struct ksmbd_work *work)
}
int ksmbd_conn_rdma_read(struct ksmbd_conn *conn, void *buf,
- unsigned int buflen, u32 remote_key, u64 remote_offset,
- u32 remote_len)
+ unsigned int buflen, u32 remote_key, u64 remote_offset,
+ u32 remote_len)
{
int ret = -EINVAL;
if (conn->transport->ops->rdma_read)
ret = conn->transport->ops->rdma_read(conn->transport,
- buf, buflen,
- remote_key, remote_offset,
- remote_len);
+ buf, buflen,
+ remote_key, remote_offset,
+ remote_len);
return ret;
}
int ksmbd_conn_rdma_write(struct ksmbd_conn *conn, void *buf,
- unsigned int buflen, u32 remote_key, u64 remote_offset,
- u32 remote_len)
+ unsigned int buflen, u32 remote_key,
+ u64 remote_offset, u32 remote_len)
{
int ret = -EINVAL;
if (conn->transport->ops->rdma_write)
ret = conn->transport->ops->rdma_write(conn->transport,
- buf, buflen,
- remote_key, remote_offset,
- remote_len);
+ buf, buflen,
+ remote_key, remote_offset,
+ remote_len);
return ret;
}
@@ -250,7 +250,7 @@ bool ksmbd_conn_alive(struct ksmbd_conn *conn)
if (server_conf.deadtime > 0 &&
time_after(jiffies, conn->last_active + server_conf.deadtime)) {
ksmbd_debug(CONN, "No response from client in %lu minutes\n",
- server_conf.deadtime / SMB_ECHO_INTERVAL);
+ server_conf.deadtime / SMB_ECHO_INTERVAL);
return false;
}
return true;
@@ -390,7 +390,7 @@ static void stop_sessions(void)
task = conn->transport->handler;
if (task)
ksmbd_debug(CONN, "Stop session handler %s/%d\n",
- task->comm, task_pid_nr(task));
+ task->comm, task_pid_nr(task));
conn->status = KSMBD_SESS_EXITING;
}
read_unlock(&conn_list_lock);
diff --git a/fs/cifsd/connection.h b/fs/cifsd/connection.h
index 00ede7a67199..1658442b27b0 100644
--- a/fs/cifsd/connection.h
+++ b/fs/cifsd/connection.h
@@ -118,13 +118,13 @@ struct ksmbd_transport_ops {
void (*disconnect)(struct ksmbd_transport *t);
int (*read)(struct ksmbd_transport *t, char *buf, unsigned int size);
int (*writev)(struct ksmbd_transport *t, struct kvec *iovs, int niov,
- int size, bool need_invalidate_rkey,
- unsigned int remote_key);
+ int size, bool need_invalidate_rkey,
+ unsigned int remote_key);
int (*rdma_read)(struct ksmbd_transport *t, void *buf, unsigned int len,
- u32 remote_key, u64 remote_offset, u32 remote_len);
+ u32 remote_key, u64 remote_offset, u32 remote_len);
int (*rdma_write)(struct ksmbd_transport *t, void *buf,
- unsigned int len, u32 remote_key, u64 remote_offset,
- u32 remote_len);
+ unsigned int len, u32 remote_key, u64 remote_offset,
+ u32 remote_len);
};
struct ksmbd_transport {
@@ -139,24 +139,20 @@ struct ksmbd_transport {
bool ksmbd_conn_alive(struct ksmbd_conn *conn);
void ksmbd_conn_wait_idle(struct ksmbd_conn *conn);
-
struct ksmbd_conn *ksmbd_conn_alloc(void);
void ksmbd_conn_free(struct ksmbd_conn *conn);
bool ksmbd_conn_lookup_dialect(struct ksmbd_conn *c);
int ksmbd_conn_write(struct ksmbd_work *work);
int ksmbd_conn_rdma_read(struct ksmbd_conn *conn, void *buf,
- unsigned int buflen, u32 remote_key, u64 remote_offset,
- u32 remote_len);
+ unsigned int buflen, u32 remote_key, u64 remote_offset,
+ u32 remote_len);
int ksmbd_conn_rdma_write(struct ksmbd_conn *conn, void *buf,
- unsigned int buflen, u32 remote_key, u64 remote_offset,
- u32 remote_len);
-
+ unsigned int buflen, u32 remote_key, u64 remote_offset,
+ u32 remote_len);
void ksmbd_conn_enqueue_request(struct ksmbd_work *work);
int ksmbd_conn_try_dequeue_request(struct ksmbd_work *work);
void ksmbd_conn_init_server_callbacks(struct ksmbd_conn_ops *ops);
-
int ksmbd_conn_handler_loop(void *p);
-
int ksmbd_conn_transport_init(void);
void ksmbd_conn_transport_destroy(void);
diff --git a/fs/cifsd/crypto_ctx.c b/fs/cifsd/crypto_ctx.c
index 9685bf963702..cfea4c4db30f 100644
--- a/fs/cifsd/crypto_ctx.c
+++ b/fs/cifsd/crypto_ctx.c
@@ -123,8 +123,8 @@ static struct ksmbd_crypto_ctx *ksmbd_find_crypto_ctx(void)
spin_lock(&ctx_list.ctx_lock);
if (!list_empty(&ctx_list.idle_ctx)) {
ctx = list_entry(ctx_list.idle_ctx.next,
- struct ksmbd_crypto_ctx,
- list);
+ struct ksmbd_crypto_ctx,
+ list);
list_del(&ctx->list);
spin_unlock(&ctx_list.ctx_lock);
return ctx;
diff --git a/fs/cifsd/crypto_ctx.h b/fs/cifsd/crypto_ctx.h
index b0d3cd650485..ef11154b43df 100644
--- a/fs/cifsd/crypto_ctx.h
+++ b/fs/cifsd/crypto_ctx.h
@@ -59,7 +59,6 @@ struct ksmbd_crypto_ctx {
#define CRYPTO_CCM(c) ((c)->ccmaes[CRYPTO_AEAD_AES_CCM])
void ksmbd_release_crypto_ctx(struct ksmbd_crypto_ctx *ctx);
-
struct ksmbd_crypto_ctx *ksmbd_crypto_ctx_find_hmacmd5(void);
struct ksmbd_crypto_ctx *ksmbd_crypto_ctx_find_hmacsha256(void);
struct ksmbd_crypto_ctx *ksmbd_crypto_ctx_find_cmacaes(void);
@@ -67,10 +66,8 @@ struct ksmbd_crypto_ctx *ksmbd_crypto_ctx_find_sha512(void);
struct ksmbd_crypto_ctx *ksmbd_crypto_ctx_find_sha256(void);
struct ksmbd_crypto_ctx *ksmbd_crypto_ctx_find_md4(void);
struct ksmbd_crypto_ctx *ksmbd_crypto_ctx_find_md5(void);
-
struct ksmbd_crypto_ctx *ksmbd_crypto_ctx_find_gcm(void);
struct ksmbd_crypto_ctx *ksmbd_crypto_ctx_find_ccm(void);
-
void ksmbd_crypto_destroy(void);
int ksmbd_crypto_create(void);
diff --git a/fs/cifsd/ksmbd_work.c b/fs/cifsd/ksmbd_work.c
index eb8c8a34acab..f284a2a803d6 100644
--- a/fs/cifsd/ksmbd_work.c
+++ b/fs/cifsd/ksmbd_work.c
@@ -39,13 +39,13 @@ void ksmbd_free_work_struct(struct ksmbd_work *work)
{
WARN_ON(work->saved_cred != NULL);
if (server_conf.flags & KSMBD_GLOBAL_FLAG_CACHE_TBUF &&
- work->set_trans_buf)
+ work->set_trans_buf)
ksmbd_release_buffer(work->response_buf);
else
kvfree(work->response_buf);
if (server_conf.flags & KSMBD_GLOBAL_FLAG_CACHE_RBUF &&
- work->set_read_buf)
+ work->set_read_buf)
ksmbd_release_buffer(work->aux_payload_buf);
else
kvfree(work->aux_payload_buf);
@@ -65,8 +65,8 @@ void ksmbd_work_pool_destroy(void)
int ksmbd_work_pool_init(void)
{
work_cache = kmem_cache_create("ksmbd_work_cache",
- sizeof(struct ksmbd_work), 0,
- SLAB_HWCACHE_ALIGN, NULL);
+ sizeof(struct ksmbd_work), 0,
+ SLAB_HWCACHE_ALIGN, NULL);
if (!work_cache)
return -ENOMEM;
return 0;
diff --git a/fs/cifsd/misc.c b/fs/cifsd/misc.c
index 7fa6649fadfd..1c6ed20f4a18 100644
--- a/fs/cifsd/misc.c
+++ b/fs/cifsd/misc.c
@@ -135,7 +135,7 @@ int parse_stream_name(char *filename, char **stream_name, int *s_type)
}
ksmbd_debug(SMB, "stream name : %s, stream type : %s\n", s_name,
- stream_type);
+ stream_type);
if (!strncasecmp("$data", stream_type, 5))
*s_type = DATA_STREAM;
else if (!strncasecmp("$index_allocation", stream_type, 17))
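Review bot: the `strncasecmp("$data", stream_type, 5)` and `strncasecmp("$index_allocation", stream_type, 17)` tests in the context lines compare only a fixed-length prefix, so a stream type with extra characters after `$data` still selects DATA_STREAM. If an exact match is intended, compare the whole string or check the length as well, and derive the 5 and 17 from the literals instead of hard-coding them.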
@@ -267,7 +267,8 @@ char *convert_to_unix_name(struct ksmbd_share_config *share, char *name)
}
char *ksmbd_convert_dir_info_name(struct ksmbd_dir_info *d_info,
- const struct nls_table *local_nls, int *conv_len)
+ const struct nls_table *local_nls,
+ int *conv_len)
{
char *conv;
int sz = min(4 * d_info->name_len, PATH_MAX);
@@ -280,11 +281,8 @@ char *ksmbd_convert_dir_info_name(struct ksmbd_dir_info *d_info,
return NULL;
/* XXX */
- *conv_len = smbConvertToUTF16((__le16 *)conv,
- d_info->name,
- d_info->name_len,
- local_nls,
- 0);
+ *conv_len = smbConvertToUTF16((__le16 *)conv, d_info->name,
+ d_info->name_len, local_nls, 0);
*conv_len *= 2;
/* We allocate buffer twice bigger than needed. */
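Review bot: in ksmbd_convert_dir_info_name() the re-wrapped smbConvertToUTF16() call still sits under a bare `/* XXX */` marker, and its result is doubled by `*conv_len *= 2` with no check in between. Please replace the marker with a sentence saying what is outstanding, and if smbConvertToUTF16() can return a negative value, test for that before the multiplication.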
diff --git a/fs/cifsd/misc.h b/fs/cifsd/misc.h
index e4bd02a8d45f..af8717d4d85b 100644
--- a/fs/cifsd/misc.h
+++ b/fs/cifsd/misc.h
@@ -12,32 +12,23 @@ struct kstat;
struct ksmbd_file;
int match_pattern(const char *str, size_t len, const char *pattern);
-
int ksmbd_validate_filename(char *filename);
-
int parse_stream_name(char *filename, char **stream_name, int *s_type);
-
char *convert_to_nt_pathname(char *filename, char *sharepath);
-
int get_nlink(struct kstat *st);
-
void ksmbd_conv_path_to_unix(char *path);
void ksmbd_strip_last_slash(char *path);
void ksmbd_conv_path_to_windows(char *path);
-
char *ksmbd_extract_sharename(char *treename);
-
char *convert_to_unix_name(struct ksmbd_share_config *share, char *name);
#define KSMBD_DIR_INFO_ALIGNMENT 8
-
struct ksmbd_dir_info;
char *ksmbd_convert_dir_info_name(struct ksmbd_dir_info *d_info,
const struct nls_table *local_nls,
int *conv_len);
#define NTFS_TIME_OFFSET ((u64)(369 * 365 + 89) * 24 * 3600 * 10000000)
-
struct timespec64 ksmbd_NTtimeToUnix(__le64 ntutc);
u64 ksmbd_UnixTimeToNT(struct timespec64 t);
long long ksmbd_systime(void);
diff --git a/fs/cifsd/ndr.c b/fs/cifsd/ndr.c
index 1838fc2b1d7c..14189832c65e 100644
--- a/fs/cifsd/ndr.c
+++ b/fs/cifsd/ndr.c
@@ -185,7 +185,7 @@ int ndr_decode_dos_attr(struct ndr *n, struct xattr_dos_attrib *da)
version2 = ndr_read_int32(n);
if (da->version != version2) {
ksmbd_err("ndr version mismatched(version: %d, version2: %d)\n",
- da->version, version2);
+ da->version, version2);
return -EINVAL;
}
@@ -235,7 +235,8 @@ static int ndr_encode_posix_acl_entry(struct ndr *n, struct xattr_smb_acl *acl)
}
int ndr_encode_posix_acl(struct ndr *n, struct inode *inode,
- struct xattr_smb_acl *acl, struct xattr_smb_acl *def_acl)
+ struct xattr_smb_acl *acl,
+ struct xattr_smb_acl *def_acl)
{
int ref_id = 0x00020000;
@@ -315,7 +316,7 @@ int ndr_decode_v4_ntacl(struct ndr *n, struct xattr_ntacl *acl)
version2 = ndr_read_int32(n);
if (acl->version != version2) {
ksmbd_err("ndr version mismatched(version: %d, version2: %d)\n",
- acl->version, version2);
+ acl->version, version2);
return -EINVAL;
}
diff --git a/fs/cifsd/ndr.h b/fs/cifsd/ndr.h
index a9db968b78ac..77b2d1ac93a0 100644
--- a/fs/cifsd/ndr.h
+++ b/fs/cifsd/ndr.h
@@ -15,7 +15,8 @@ struct ndr {
int ndr_encode_dos_attr(struct ndr *n, struct xattr_dos_attrib *da);
int ndr_decode_dos_attr(struct ndr *n, struct xattr_dos_attrib *da);
int ndr_encode_posix_acl(struct ndr *n, struct inode *inode,
- struct xattr_smb_acl *acl, struct xattr_smb_acl *def_acl);
+ struct xattr_smb_acl *acl,
+ struct xattr_smb_acl *def_acl);
int ndr_encode_v4_ntacl(struct ndr *n, struct xattr_ntacl *acl);
int ndr_encode_v3_ntacl(struct ndr *n, struct xattr_ntacl *acl);
int ndr_decode_v4_ntacl(struct ndr *n, struct xattr_ntacl *acl);
diff --git a/fs/cifsd/oplock.c b/fs/cifsd/oplock.c
index e77f1385a8c1..56c68e9cb7ff 100644
--- a/fs/cifsd/oplock.c
+++ b/fs/cifsd/oplock.c
@@ -29,7 +29,7 @@ static DEFINE_RWLOCK(lease_list_lock);
* Return: allocated opinfo object on success, otherwise NULL
*/
static struct oplock_info *alloc_opinfo(struct ksmbd_work *work,
- u64 id, __u16 Tid)
+ u64 id, __u16 Tid)
{
struct ksmbd_session *sess = work->sess;
struct oplock_info *opinfo;
@@ -153,7 +153,7 @@ static struct oplock_info *opinfo_get_list(struct ksmbd_inode *ci)
rcu_read_lock();
opinfo = list_first_or_null_rcu(&ci->m_op_list, struct oplock_info,
- op_entry);
+ op_entry);
if (opinfo && !atomic_inc_not_zero(&opinfo->refcount))
opinfo = NULL;
rcu_read_unlock();
@@ -269,8 +269,7 @@ int opinfo_write_to_none(struct oplock_info *opinfo)
opinfo->level == SMB2_OPLOCK_LEVEL_EXCLUSIVE)) {
ksmbd_err("bad oplock(0x%x)\n", opinfo->level);
if (opinfo->is_lease)
- ksmbd_err("lease state(0x%x)\n",
- lease->state);
+ ksmbd_err("lease state(0x%x)\n", lease->state);
return -EINVAL;
}
opinfo->level = SMB2_OPLOCK_LEVEL_NONE;
@@ -312,8 +311,7 @@ int lease_read_to_write(struct oplock_info *opinfo)
struct lease *lease = opinfo->o_lease;
if (!(lease->state & SMB2_LEASE_READ_CACHING_LE)) {
- ksmbd_debug(OPLOCK, "bad lease state(0x%x)\n",
- lease->state);
+ ksmbd_debug(OPLOCK, "bad lease state(0x%x)\n", lease->state);
return -EINVAL;
}
@@ -338,8 +336,7 @@ static int lease_none_upgrade(struct oplock_info *opinfo, __le32 new_state)
struct lease *lease = opinfo->o_lease;
if (!(lease->state == SMB2_LEASE_NONE_LE)) {
- ksmbd_debug(OPLOCK, "bad lease state(0x%x)\n",
- lease->state);
+ ksmbd_debug(OPLOCK, "bad lease state(0x%x)\n", lease->state);
return -EINVAL;
}
@@ -399,7 +396,7 @@ void close_id_del_oplock(struct ksmbd_file *fp)
* Return: 0
*/
static void grant_write_oplock(struct oplock_info *opinfo_new, int req_oplock,
- struct lease_ctx_info *lctx)
+ struct lease_ctx_info *lctx)
{
struct lease *lease = opinfo_new->o_lease;
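Review bot: the kernel-doc above grant_write_oplock() still says `Return: 0` although the function is declared `static void`. Since this hunk already edits the declaration, drop the Return line so the comment matches the signature.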
@@ -410,8 +407,7 @@ static void grant_write_oplock(struct oplock_info *opinfo_new, int req_oplock,
if (lctx) {
lease->state = lctx->req_state;
- memcpy(lease->lease_key, lctx->lease_key,
- SMB2_LEASE_KEY_SIZE);
+ memcpy(lease->lease_key, lctx->lease_key, SMB2_LEASE_KEY_SIZE);
}
}
@@ -423,7 +419,7 @@ static void grant_write_oplock(struct oplock_info *opinfo_new, int req_oplock,
* Return: 0
*/
static void grant_read_oplock(struct oplock_info *opinfo_new,
- struct lease_ctx_info *lctx)
+ struct lease_ctx_info *lctx)
{
struct lease *lease = opinfo_new->o_lease;
@@ -433,8 +429,7 @@ static void grant_read_oplock(struct oplock_info *opinfo_new,
lease->state = SMB2_LEASE_READ_CACHING_LE;
if (lctx->req_state & SMB2_LEASE_HANDLE_CACHING_LE)
lease->state |= SMB2_LEASE_HANDLE_CACHING_LE;
- memcpy(lease->lease_key, lctx->lease_key,
- SMB2_LEASE_KEY_SIZE);
+ memcpy(lease->lease_key, lctx->lease_key, SMB2_LEASE_KEY_SIZE);
}
}
@@ -446,7 +441,7 @@ static void grant_read_oplock(struct oplock_info *opinfo_new,
* Return: 0
*/
static void grant_none_oplock(struct oplock_info *opinfo_new,
- struct lease_ctx_info *lctx)
+ struct lease_ctx_info *lctx)
{
struct lease *lease = opinfo_new->o_lease;
@@ -454,13 +449,12 @@ static void grant_none_oplock(struct oplock_info *opinfo_new,
if (lctx) {
lease->state = 0;
- memcpy(lease->lease_key, lctx->lease_key,
- SMB2_LEASE_KEY_SIZE);
+ memcpy(lease->lease_key, lctx->lease_key, SMB2_LEASE_KEY_SIZE);
}
}
static inline int compare_guid_key(struct oplock_info *opinfo,
- const char *guid1, const char *key1)
+ const char *guid1, const char *key1)
{
const char *guid2, *key2;
@@ -483,7 +477,8 @@ static inline int compare_guid_key(struct oplock_info *opinfo,
* Return: oplock(lease) object on success, otherwise NULL
*/
static struct oplock_info *same_client_has_lease(struct ksmbd_inode *ci,
- char *client_guid, struct lease_ctx_info *lctx)
+ char *client_guid,
+ struct lease_ctx_info *lctx)
{
int ret;
struct lease *lease;
@@ -517,7 +512,7 @@ static struct oplock_info *same_client_has_lease(struct ksmbd_inode *ci,
if ((atomic_read(&ci->op_count) +
atomic_read(&ci->sop_count)) == 1) {
if (lease->state ==
- (lctx->req_state & lease->state)) {
+ (lctx->req_state & lease->state)) {
lease->state |= lctx->req_state;
if (lctx->req_state &
SMB2_LEASE_WRITE_CACHING_LE)
@@ -526,13 +521,13 @@ static struct oplock_info *same_client_has_lease(struct ksmbd_inode *ci,
} else if ((atomic_read(&ci->op_count) +
atomic_read(&ci->sop_count)) > 1) {
if (lctx->req_state ==
- (SMB2_LEASE_READ_CACHING_LE |
- SMB2_LEASE_HANDLE_CACHING_LE))
+ (SMB2_LEASE_READ_CACHING_LE |
+ SMB2_LEASE_HANDLE_CACHING_LE))
lease->state = lctx->req_state;
}
if (lctx->req_state && lease->state ==
- SMB2_LEASE_NONE_LE)
+ SMB2_LEASE_NONE_LE)
lease_none_upgrade(opinfo, lctx->req_state);
}
read_lock(&ci->m_lock);
@@ -547,9 +542,9 @@ static void wait_for_break_ack(struct oplock_info *opinfo)
int rc = 0;
rc = wait_event_interruptible_timeout(opinfo->oplock_q,
- opinfo->op_state == OPLOCK_STATE_NONE ||
- opinfo->op_state == OPLOCK_CLOSING,
- OPLOCK_WAIT_TIME);
+ opinfo->op_state == OPLOCK_STATE_NONE ||
+ opinfo->op_state == OPLOCK_CLOSING,
+ OPLOCK_WAIT_TIME);
/* is this a timeout ? */
if (!rc) {
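Review bot: in wait_for_break_ack() `int rc = 0;` is immediately overwritten, and wait_event_interruptible_timeout() returns a long that is negative when the wait is interrupted, which the `if (!rc)` timeout test does not distinguish from a normal wakeup. Declare `rc` as long without the initializer and state in the comment what should happen when the wait is interrupted.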
@@ -664,8 +659,8 @@ static void __smb2_oplock_break_noti(struct work_struct *wk)
inc_rfc1001_len(rsp, 24);
ksmbd_debug(OPLOCK,
- "sending oplock break v_id %llu p_id = %llu lock level = %d\n",
- rsp->VolatileFid, rsp->PersistentFid, rsp->OplockLevel);
+ "sending oplock break v_id %llu p_id = %llu lock level = %d\n",
+ rsp->VolatileFid, rsp->PersistentFid, rsp->OplockLevel);
ksmbd_fd_put(work, fp);
ksmbd_conn_write(work);
@@ -815,7 +810,7 @@ static int smb2_lease_break_noti(struct oplock_info *opinfo)
struct ksmbd_work *in_work;
in_work = list_entry(tmp, struct ksmbd_work,
- interim_entry);
+ interim_entry);
setup_async_work(in_work, NULL, NULL);
smb2_send_interim_resp(in_work, STATUS_PENDING);
list_del(&in_work->interim_entry);
@@ -843,7 +838,8 @@ static void wait_lease_breaking(struct oplock_info *opinfo)
int ret = 0;
ret = wait_event_interruptible_timeout(opinfo->oplock_brk,
- atomic_read(&opinfo->breaking_cnt) == 0, HZ);
+ atomic_read(&opinfo->breaking_cnt) == 0,
+ HZ);
if (!ret)
atomic_set(&opinfo->breaking_cnt, 0);
}
@@ -855,8 +851,8 @@ static int oplock_break(struct oplock_info *brk_opinfo, int req_op_level)
/* Need to break exclusive/batch oplock, write lease or overwrite_if */
ksmbd_debug(OPLOCK,
- "request to send oplock(level : 0x%x) break notification\n",
- brk_opinfo->level);
+ "request to send oplock(level : 0x%x) break notification\n",
+ brk_opinfo->level);
if (brk_opinfo->is_lease) {
struct lease *lease = brk_opinfo->o_lease;
@@ -939,7 +935,7 @@ void destroy_lease_table(struct ksmbd_conn *conn)
again:
rcu_read_lock();
list_for_each_entry_rcu(opinfo, &lb->lease_list,
- lease_entry) {
+ lease_entry) {
rcu_read_unlock();
lease_del_list(opinfo);
goto again;
@@ -952,7 +948,7 @@ void destroy_lease_table(struct ksmbd_conn *conn)
}
int find_same_lease_key(struct ksmbd_session *sess, struct ksmbd_inode *ci,
- struct lease_ctx_info *lctx)
+ struct lease_ctx_info *lctx)
{
struct oplock_info *opinfo;
int err = 0;
@@ -978,20 +974,18 @@ int find_same_lease_key(struct ksmbd_session *sess, struct ksmbd_inode *ci,
found:
rcu_read_lock();
- list_for_each_entry_rcu(opinfo, &lb->lease_list,
- lease_entry) {
+ list_for_each_entry_rcu(opinfo, &lb->lease_list, lease_entry) {
if (!atomic_inc_not_zero(&opinfo->refcount))
continue;
rcu_read_unlock();
if (opinfo->o_fp->f_ci == ci)
goto op_next;
- err = compare_guid_key(opinfo,
- sess->conn->ClientGUID,
- lctx->lease_key);
+ err = compare_guid_key(opinfo, sess->conn->ClientGUID,
+ lctx->lease_key);
if (err) {
err = -EINVAL;
ksmbd_debug(OPLOCK,
- "found same lease key is already used in other files\n");
+ "found same lease key is already used in other files\n");
opinfo_put(opinfo);
goto out;
}
@@ -1014,7 +1008,7 @@ static void copy_lease(struct oplock_info *op1, struct oplock_info *op2)
op2->level = op1->level;
lease2->state = lease1->state;
memcpy(lease2->lease_key, lease1->lease_key,
- SMB2_LEASE_KEY_SIZE);
+ SMB2_LEASE_KEY_SIZE);
lease2->duration = lease1->duration;
lease2->flags = lease1->flags;
}
@@ -1040,7 +1034,7 @@ static int add_lease_global_list(struct oplock_info *opinfo)
return -ENOMEM;
memcpy(lb->client_guid, opinfo->conn->ClientGUID,
- SMB2_CLIENT_GUID_SIZE);
+ SMB2_CLIENT_GUID_SIZE);
INIT_LIST_HEAD(&lb->lease_list);
spin_lock_init(&lb->lb_lock);
opinfo->o_lease->l_lb = lb;
@@ -1050,7 +1044,7 @@ static int add_lease_global_list(struct oplock_info *opinfo)
}
static void set_oplock_level(struct oplock_info *opinfo, int level,
- struct lease_ctx_info *lctx)
+ struct lease_ctx_info *lctx)
{
switch (level) {
case SMB2_OPLOCK_LEVEL_BATCH:
@@ -1079,8 +1073,8 @@ static void set_oplock_level(struct oplock_info *opinfo, int level,
* Return: 0 on success, otherwise error
*/
int smb_grant_oplock(struct ksmbd_work *work, int req_op_level, u64 pid,
- struct ksmbd_file *fp, __u16 tid, struct lease_ctx_info *lctx,
- int share_ret)
+ struct ksmbd_file *fp, __u16 tid,
+ struct lease_ctx_info *lctx, int share_ret)
{
struct ksmbd_session *sess = work->sess;
int err = 0;
@@ -1122,7 +1116,7 @@ int smb_grant_oplock(struct ksmbd_work *work, int req_op_level, u64 pid,
/* is lease already granted ? */
m_opinfo = same_client_has_lease(ci, sess->conn->ClientGUID,
- lctx);
+ lctx);
if (m_opinfo) {
copy_lease(m_opinfo, opinfo);
if (atomic_read(&m_opinfo->breaking_cnt))
@@ -1208,7 +1202,7 @@ int smb_grant_oplock(struct ksmbd_work *work, int req_op_level, u64 pid,
* @is_trunc: truncate on open
*/
static void smb_break_all_write_oplock(struct ksmbd_work *work,
- struct ksmbd_file *fp, int is_trunc)
+ struct ksmbd_file *fp, int is_trunc)
{
struct oplock_info *brk_opinfo;
@@ -1235,7 +1229,7 @@ static void smb_break_all_write_oplock(struct ksmbd_work *work,
* @is_trunc: truncate on open
*/
void smb_break_all_levII_oplock(struct ksmbd_work *work, struct ksmbd_file *fp,
- int is_trunc)
+ int is_trunc)
{
struct oplock_info *op, *brk_op;
struct ksmbd_inode *ci;
@@ -1257,18 +1251,18 @@ void smb_break_all_levII_oplock(struct ksmbd_work *work, struct ksmbd_file *fp,
(~(SMB2_LEASE_READ_CACHING_LE |
SMB2_LEASE_HANDLE_CACHING_LE)))) {
ksmbd_debug(OPLOCK, "unexpected lease state(0x%x)\n",
- brk_op->o_lease->state);
+ brk_op->o_lease->state);
goto next;
} else if (brk_op->level !=
SMB2_OPLOCK_LEVEL_II) {
ksmbd_debug(OPLOCK, "unexpected oplock(0x%x)\n",
- brk_op->level);
+ brk_op->level);
goto next;
}
/* Skip oplock being break to none */
- if (brk_op->is_lease && (brk_op->o_lease->new_state ==
- SMB2_LEASE_NONE_LE) &&
+ if (brk_op->is_lease &&
+ (brk_op->o_lease->new_state == SMB2_LEASE_NONE_LE) &&
atomic_read(&brk_op->breaking_cnt))
goto next;
@@ -1573,9 +1567,9 @@ void create_posix_rsp_buf(char *cc, struct ksmbd_file *fp)
buf->reparse_tag = cpu_to_le32(fp->volatile_id);
buf->mode = cpu_to_le32(inode->i_mode);
id_to_sid(from_kuid(&init_user_ns, inode->i_uid),
- SIDNFS_USER, (struct smb_sid *)&buf->SidBuffer[0]);
+ SIDNFS_USER, (struct smb_sid *)&buf->SidBuffer[0]);
id_to_sid(from_kgid(&init_user_ns, inode->i_gid),
- SIDNFS_GROUP, (struct smb_sid *)&buf->SidBuffer[20]);
+ SIDNFS_GROUP, (struct smb_sid *)&buf->SidBuffer[20]);
}
/*
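Review bot: in create_posix_rsp_buf() the second id_to_sid() call writes at `&buf->SidBuffer[20]`, a bare offset that silently depends on the size of the SID written at `SidBuffer[0]`. A named constant, or an offset computed from the first SID's length, would make the layout explicit and keep the two writes from overlapping if the first SID changes size.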
@@ -1590,7 +1584,7 @@ void create_posix_rsp_buf(char *cc, struct ksmbd_file *fp)
* Return: opinfo if found matching opinfo, otherwise NULL
*/
struct oplock_info *lookup_lease_in_table(struct ksmbd_conn *conn,
- char *lease_key)
+ char *lease_key)
{
struct oplock_info *opinfo = NULL, *ret_op = NULL;
struct lease_table *lt;
@@ -1619,7 +1613,7 @@ struct oplock_info *lookup_lease_in_table(struct ksmbd_conn *conn,
SMB2_LEASE_WRITE_CACHING_LE)))
goto op_next;
ret = compare_guid_key(opinfo, conn->ClientGUID,
- lease_key);
+ lease_key);
if (ret) {
ksmbd_debug(OPLOCK, "found opinfo\n");
ret_op = opinfo;
@@ -1637,7 +1631,7 @@ struct oplock_info *lookup_lease_in_table(struct ksmbd_conn *conn,
}
int smb2_check_durable_oplock(struct ksmbd_file *fp,
- struct lease_ctx_info *lctx, char *name)
+ struct lease_ctx_info *lctx, char *name)
{
struct oplock_info *opinfo = opinfo_get(fp);
int ret = 0;
diff --git a/fs/cifsd/oplock.h b/fs/cifsd/oplock.h
index f8b4b486eb93..0abd26123f6d 100644
--- a/fs/cifsd/oplock.h
+++ b/fs/cifsd/oplock.h
@@ -96,11 +96,10 @@ struct oplock_break_info {
};
int smb_grant_oplock(struct ksmbd_work *work, int req_op_level,
- u64 pid, struct ksmbd_file *fp, __u16 tid,
- struct lease_ctx_info *lctx, int share_ret);
+ u64 pid, struct ksmbd_file *fp, __u16 tid,
+ struct lease_ctx_info *lctx, int share_ret);
void smb_break_all_levII_oplock(struct ksmbd_work *work,
- struct ksmbd_file *fp, int is_trunc);
-
+ struct ksmbd_file *fp, int is_trunc);
int opinfo_write_to_read(struct oplock_info *opinfo);
int opinfo_read_handle_to_read(struct oplock_info *opinfo);
int opinfo_write_to_none(struct oplock_info *opinfo);
@@ -124,10 +123,10 @@ void create_disk_id_rsp_buf(char *cc, __u64 file_id, __u64 vol_id);
void create_posix_rsp_buf(char *cc, struct ksmbd_file *fp);
struct create_context *smb2_find_context_vals(void *open_req, const char *str);
struct oplock_info *lookup_lease_in_table(struct ksmbd_conn *conn,
- char *lease_key);
+ char *lease_key);
int find_same_lease_key(struct ksmbd_session *sess, struct ksmbd_inode *ci,
- struct lease_ctx_info *lctx);
+ struct lease_ctx_info *lctx);
void destroy_lease_table(struct ksmbd_conn *conn);
int smb2_check_durable_oplock(struct ksmbd_file *fp,
- struct lease_ctx_info *lctx, char *name);
+ struct lease_ctx_info *lctx, char *name);
#endif /* __KSMBD_OPLOCK_H */
diff --git a/fs/cifsd/server.c b/fs/cifsd/server.c
index 4aff89ce1464..87838f76a348 100644
--- a/fs/cifsd/server.c
+++ b/fs/cifsd/server.c
@@ -106,7 +106,7 @@ static inline int check_conn_state(struct ksmbd_work *work)
#define TCP_HANDLER_ABORT 1
static int __process_request(struct ksmbd_work *work, struct ksmbd_conn *conn,
- uint16_t *cmd)
+ uint16_t *cmd)
{
struct smb_version_cmds *cmds;
uint16_t command;
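Review bot: __process_request() uses `uint16_t *cmd` and `uint16_t command`, while kernel code normally uses the `u16` type for this. As the parameter line is being re-indented here, switching both to `u16` in the same pass would keep the style cleanup consistent.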
@@ -159,7 +159,7 @@ static int __process_request(struct ksmbd_work *work, struct ksmbd_conn *conn,
}
static void __handle_ksmbd_work(struct ksmbd_work *work,
- struct ksmbd_conn *conn)
+ struct ksmbd_conn *conn)
{
u16 command = 0;
int rc;
@@ -222,8 +222,8 @@ static void __handle_ksmbd_work(struct ksmbd_work *work,
}
}
- if (work->sess && (work->sess->sign ||
- smb3_11_final_sess_setup_resp(work) ||
+ if (work->sess &&
+ (work->sess->sign || smb3_11_final_sess_setup_resp(work) ||
conn->ops->is_sign_req(work, command)))
conn->ops->set_sign_rsp(work);
} while (is_chained_smb2_message(work));
@@ -416,7 +416,7 @@ int server_queue_ctrl_reset_work(void)
}
static ssize_t stats_show(struct class *class, struct class_attribute *attr,
- char *buf)
+ char *buf)
{
/*
* Inc this each time you change stats output format,
@@ -430,19 +430,15 @@ static ssize_t stats_show(struct class *class, struct class_attribute *attr,
"shutdown"
};
- ssize_t sz = scnprintf(buf,
- PAGE_SIZE,
- "%d %s %d %lu\n",
- stats_version,
- state[server_conf.state],
- server_conf.tcp_port,
- server_conf.ipc_last_active / HZ);
+ ssize_t sz = scnprintf(buf, PAGE_SIZE, "%d %s %d %lu\n", stats_version,
+ state[server_conf.state], server_conf.tcp_port,
+ server_conf.ipc_last_active / HZ);
return sz;
}
static ssize_t kill_server_store(struct class *class,
- struct class_attribute *attr, const char *buf,
- size_t len)
+ struct class_attribute *attr, const char *buf,
+ size_t len)
{
if (!sysfs_streq(buf, "hard"))
return len;
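Review bot: in stats_show() the `ssize_t sz` local exists only to be returned, and `state[server_conf.state]` indexes the string table with no range check visible in this hunk. Consider returning the result of sysfs_emit(buf, ...) directly, which is the preferred helper for sysfs show callbacks, and guard the index against a state value outside the table.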
@@ -458,11 +454,11 @@ static ssize_t kill_server_store(struct class *class,
}
static const char * const debug_type_strings[] = {"smb", "auth", "vfs",
- "oplock", "ipc", "conn",
- "rdma"};
+ "oplock", "ipc", "conn",
+ "rdma"};
static ssize_t debug_show(struct class *class, struct class_attribute *attr,
- char *buf)
+ char *buf)
{
ssize_t sz = 0;
int i, pos = 0;
@@ -486,7 +482,7 @@ static ssize_t debug_show(struct class *class, struct class_attribute *attr,
}
static ssize_t debug_store(struct class *class, struct class_attribute *attr,
- const char *buf, size_t len)
+ const char *buf, size_t len)
{
int i;
diff --git a/fs/cifsd/smb2misc.c b/fs/cifsd/smb2misc.c
index 5a50c4ec43f2..c4b870dbf683 100644
--- a/fs/cifsd/smb2misc.c
+++ b/fs/cifsd/smb2misc.c
@@ -178,19 +178,19 @@ static char *smb2_get_data_area_len(int *off, int *len, struct smb2_hdr *hdr)
*/
if (*off > 4096) {
ksmbd_debug(SMB, "offset %d too large, data area ignored\n",
- *off);
+ *off);
*len = 0;
*off = 0;
} else if (*off < 0) {
ksmbd_debug(SMB,
- "negative offset %d to data invalid ignore data area\n",
- *off);
+ "negative offset %d to data invalid ignore data area\n",
+ *off);
*off = 0;
*len = 0;
} else if (*len < 0) {
ksmbd_debug(SMB,
- "negative data length %d invalid, data area ignored\n",
- *len);
+ "negative data length %d invalid, data area ignored\n",
+ *len);
*len = 0;
} else if (*len > 128 * 1024) {
ksmbd_debug(SMB, "data area larger than 128K: %d\n", *len);
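Review bot: the limits in smb2_get_data_area_len() are bare literals (`*off > 4096`, `*len > 128 * 1024`), and each out-of-range value is only reported through ksmbd_debug() before being zeroed. Named constants with a short comment on where each limit comes from would make this validation of client-supplied offsets and lengths easier to audit.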
@@ -228,7 +228,7 @@ static unsigned int smb2_calc_size(void *buf)
smb2_get_data_area_len(&offset, &data_length, hdr);
ksmbd_debug(SMB, "SMB2 data length %d offset %d\n", data_length,
- offset);
+ offset);
if (data_length > 0) {
/*
@@ -239,8 +239,8 @@ static unsigned int smb2_calc_size(void *buf)
*/
if (offset + 1 < len)
ksmbd_debug(SMB,
- "data area offset %d overlaps SMB2 header %d\n",
- offset + 1, len);
+ "data area offset %d overlaps SMB2 header %d\n",
+ offset + 1, len);
else
len = offset + data_length;
}
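Review bot: in smb2_calc_size() the `offset + 1 < len` branch only logs that the data area overlaps the SMB2 header and leaves `len` as it was, so from these lines the overlap is not treated as an error. If that is deliberate, say so in the comment above; otherwise the function needs a way to report the malformed request to its caller.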
@@ -321,11 +321,11 @@ static int smb2_validate_credit_charge(struct smb2_hdr *hdr)
calc_credit_num = DIV_ROUND_UP(max_len, SMB2_MAX_BUFFER_SIZE);
if (!credit_charge && max_len > SMB2_MAX_BUFFER_SIZE) {
ksmbd_err("credit charge is zero and payload size(%d) is bigger than 64K\n",
- max_len);
+ max_len);
return 1;
} else if (credit_charge < calc_credit_num) {
ksmbd_err("credit charge : %d, calc_credit_num : %d\n",
- credit_charge, calc_credit_num);
+ credit_charge, calc_credit_num);
return 1;
}
@@ -357,7 +357,7 @@ int ksmbd_smb2_check_message(struct ksmbd_work *work)
if (hdr->StructureSize != SMB2_HEADER_STRUCTURE_SIZE) {
ksmbd_debug(SMB, "Illegal structure size %u\n",
- le16_to_cpu(hdr->StructureSize));
+ le16_to_cpu(hdr->StructureSize));
return 1;
}
@@ -372,8 +372,8 @@ int ksmbd_smb2_check_message(struct ksmbd_work *work)
(hdr->Status == 0 || pdu->StructureSize2 != SMB2_ERROR_STRUCTURE_SIZE2_LE)) {
/* error packets have 9 byte structure size */
ksmbd_debug(SMB,
- "Illegal request size %u for command %d\n",
- le16_to_cpu(pdu->StructureSize2), command);
+ "Illegal request size %u for command %d\n",
+ le16_to_cpu(pdu->StructureSize2), command);
return 1;
} else if (command == SMB2_OPLOCK_BREAK_HE &&
hdr->Status == 0 &&
@@ -381,8 +381,8 @@ int ksmbd_smb2_check_message(struct ksmbd_work *work)
le16_to_cpu(pdu->StructureSize2) != OP_BREAK_STRUCT_SIZE_21) {
/* special case for SMB2.1 lease break message */
ksmbd_debug(SMB,
- "Illegal request size %d for oplock break\n",
- le16_to_cpu(pdu->StructureSize2));
+ "Illegal request size %d for oplock break\n",
+ le16_to_cpu(pdu->StructureSize2));
return 1;
}
}
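Review bot: the oplock break message prints `le16_to_cpu(pdu->StructureSize2)` with `%d`, while the preceding "Illegal request size %u for command %d" message prints the same expression with `%u`. The value is an unsigned 16-bit quantity, so use `%u` here too for consistency.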
@@ -408,9 +408,9 @@ int ksmbd_smb2_check_message(struct ksmbd_work *work)
*/
if (clc_len < len) {
ksmbd_debug(SMB,
- "cli req padded more than expected. Length %d not %d for cmd:%d mid:%llu\n",
- len, clc_len, command,
- le64_to_cpu(hdr->MessageId));
+ "cli req padded more than expected. Length %d not %d for cmd:%d mid:%llu\n",
+ len, clc_len, command,
+ le64_to_cpu(hdr->MessageId));
return 0;
}
@@ -418,9 +418,9 @@ int ksmbd_smb2_check_message(struct ksmbd_work *work)
return 0;
ksmbd_debug(SMB,
- "cli req too short, len %d not %d. cmd:%d mid:%llu\n",
- len, clc_len, command,
- le64_to_cpu(hdr->MessageId));
+ "cli req too short, len %d not %d. cmd:%d mid:%llu\n",
+ len, clc_len, command,
+ le64_to_cpu(hdr->MessageId));
return 1;
}
diff --git a/fs/cifsd/smb2pdu.c b/fs/cifsd/smb2pdu.c
index 16290ad710fa..84b243b3895a 100644
--- a/fs/cifsd/smb2pdu.c
+++ b/fs/cifsd/smb2pdu.c
@@ -296,7 +296,7 @@ int init_smb2_neg_rsp(struct ksmbd_work *work)
}
static int smb2_consume_credit_charge(struct ksmbd_work *work,
- unsigned short credit_charge)
+ unsigned short credit_charge)
{
struct ksmbd_conn *conn = work->conn;
unsigned int rsp_credits = 1;
@@ -336,8 +336,8 @@ int smb2_set_rsp_credits(struct ksmbd_work *work)
conn->total_credits = min_credits;
}
- rsp_credit_charge = smb2_consume_credit_charge(work,
- le16_to_cpu(req_hdr->CreditCharge));
+ rsp_credit_charge =
+ smb2_consume_credit_charge(work, le16_to_cpu(req_hdr->CreditCharge));
if (rsp_credit_charge < 0)
return -EINVAL;
@@ -373,9 +373,9 @@ int smb2_set_rsp_credits(struct ksmbd_work *work)
}
out:
ksmbd_debug(SMB,
- "credits: requested[%d] granted[%d] total_granted[%d]\n",
- credits_requested, credits_granted,
- conn->total_credits);
+ "credits: requested[%d] granted[%d] total_granted[%d]\n",
+ credits_requested, credits_granted,
+ conn->total_credits);
return 0;
}
@@ -420,9 +420,9 @@ static void init_chained_smb2_rsp(struct ksmbd_work *work)
work->next_smb2_rcv_hdr_off += next_hdr_offset;
work->next_smb2_rsp_hdr_off += new_len;
ksmbd_debug(SMB,
- "Compound req new_len = %d rcv off = %d rsp off = %d\n",
- new_len, work->next_smb2_rcv_hdr_off,
- work->next_smb2_rsp_hdr_off);
+ "Compound req new_len = %d rcv off = %d rsp off = %d\n",
+ new_len, work->next_smb2_rcv_hdr_off,
+ work->next_smb2_rsp_hdr_off);
rsp_hdr = RESPONSE_BUF_NEXT(work);
rcv_hdr = REQUEST_BUF_NEXT(work);
@@ -640,7 +640,7 @@ static void destroy_previous_session(struct ksmbd_user *user, u64 id)
*/
static char *
smb2_get_name(struct ksmbd_share_config *share, const char *src,
- const int maxlen, struct nls_table *local_nls)
+ const int maxlen, struct nls_table *local_nls)
{
char *name, *unixname;
@@ -684,8 +684,8 @@ int setup_async_work(struct ksmbd_work *work, void (*fn)(void **), void **arg)
rsp_hdr->Id.AsyncId = cpu_to_le64(id);
ksmbd_debug(SMB,
- "Send interim Response to inform async request id : %d\n",
- work->async_id);
+ "Send interim Response to inform async request id : %d\n",
+ work->async_id);
work->cancel_fn = fn;
work->cancel_argv = arg;
@@ -759,7 +759,7 @@ static int smb2_get_dos_mode(struct kstat *stat, int attribute)
}
static void build_preauth_ctxt(struct smb2_preauth_neg_context *pneg_ctxt,
- __le16 hash_id)
+ __le16 hash_id)
{
pneg_ctxt->ContextType = SMB2_PREAUTH_INTEGRITY_CAPABILITIES;
pneg_ctxt->DataLength = cpu_to_le16(38);
@@ -771,7 +771,7 @@ static void build_preauth_ctxt(struct smb2_preauth_neg_context *pneg_ctxt,
}
static void build_encrypt_ctxt(struct smb2_encryption_neg_context *pneg_ctxt,
- __le16 cipher_type)
+ __le16 cipher_type)
{
pneg_ctxt->ContextType = SMB2_ENCRYPTION_CAPABILITIES;
pneg_ctxt->DataLength = cpu_to_le16(4);
@@ -781,7 +781,7 @@ static void build_encrypt_ctxt(struct smb2_encryption_neg_context *pneg_ctxt,
}
static void build_compression_ctxt(struct smb2_compression_ctx *pneg_ctxt,
- __le16 comp_algo)
+ __le16 comp_algo)
{
pneg_ctxt->ContextType = SMB2_COMPRESSION_CAPABILITIES;
pneg_ctxt->DataLength =
@@ -817,7 +817,7 @@ static void build_posix_ctxt(struct smb2_posix_neg_context *pneg_ctxt)
}
static void assemble_neg_contexts(struct ksmbd_conn *conn,
- struct smb2_negotiate_rsp *rsp)
+ struct smb2_negotiate_rsp *rsp)
{
/* +4 is to account for the RFC1001 len field */
char *pneg_ctxt = (char *)rsp +
@@ -826,9 +826,9 @@ static void assemble_neg_contexts(struct ksmbd_conn *conn,
int ctxt_size;
ksmbd_debug(SMB,
- "assemble SMB2_PREAUTH_INTEGRITY_CAPABILITIES context\n");
+ "assemble SMB2_PREAUTH_INTEGRITY_CAPABILITIES context\n");
build_preauth_ctxt((struct smb2_preauth_neg_context *)pneg_ctxt,
- conn->preauth_info->Preauth_HashId);
+ conn->preauth_info->Preauth_HashId);
rsp->NegotiateContextCount = cpu_to_le16(neg_ctxt_cnt);
inc_rfc1001_len(rsp, AUTH_GSS_PADDING);
ctxt_size = sizeof(struct smb2_preauth_neg_context);
@@ -838,9 +838,9 @@ static void assemble_neg_contexts(struct ksmbd_conn *conn,
if (conn->cipher_type) {
ctxt_size = round_up(ctxt_size, 8);
ksmbd_debug(SMB,
- "assemble SMB2_ENCRYPTION_CAPABILITIES context\n");
+ "assemble SMB2_ENCRYPTION_CAPABILITIES context\n");
build_encrypt_ctxt((struct smb2_encryption_neg_context *)pneg_ctxt,
- conn->cipher_type);
+ conn->cipher_type);
rsp->NegotiateContextCount = cpu_to_le16(++neg_ctxt_cnt);
ctxt_size += sizeof(struct smb2_encryption_neg_context);
/* Round to 8 byte boundary */
@@ -852,10 +852,10 @@ static void assemble_neg_contexts(struct ksmbd_conn *conn,
if (conn->compress_algorithm) {
ctxt_size = round_up(ctxt_size, 8);
ksmbd_debug(SMB,
- "assemble SMB2_COMPRESSION_CAPABILITIES context\n");
+ "assemble SMB2_COMPRESSION_CAPABILITIES context\n");
/* Temporarily set to SMB3_COMPRESS_NONE */
build_compression_ctxt((struct smb2_compression_ctx *)pneg_ctxt,
- conn->compress_algorithm);
+ conn->compress_algorithm);
rsp->NegotiateContextCount = cpu_to_le16(++neg_ctxt_cnt);
ctxt_size += sizeof(struct smb2_compression_ctx);
/* Round to 8 byte boundary */
@@ -865,7 +865,7 @@ static void assemble_neg_contexts(struct ksmbd_conn *conn,
if (conn->posix_ext_supported) {
ctxt_size = round_up(ctxt_size, 8);
ksmbd_debug(SMB,
- "assemble SMB2_POSIX_EXTENSIONS_AVAILABLE context\n");
+ "assemble SMB2_POSIX_EXTENSIONS_AVAILABLE context\n");
build_posix_ctxt((struct smb2_posix_neg_context *)pneg_ctxt);
rsp->NegotiateContextCount = cpu_to_le16(++neg_ctxt_cnt);
ctxt_size += sizeof(struct smb2_posix_neg_context);
@@ -875,12 +875,11 @@ static void assemble_neg_contexts(struct ksmbd_conn *conn,
}
static __le32 decode_preauth_ctxt(struct ksmbd_conn *conn,
- struct smb2_preauth_neg_context *pneg_ctxt)
+ struct smb2_preauth_neg_context *pneg_ctxt)
{
__le32 err = STATUS_NO_PREAUTH_INTEGRITY_HASH_OVERLAP;
- if (pneg_ctxt->HashAlgorithms ==
- SMB2_PREAUTH_INTEGRITY_SHA512) {
+ if (pneg_ctxt->HashAlgorithms == SMB2_PREAUTH_INTEGRITY_SHA512) {
conn->preauth_info->Preauth_HashId =
SMB2_PREAUTH_INTEGRITY_SHA512;
err = STATUS_SUCCESS;
@@ -890,7 +889,7 @@ static __le32 decode_preauth_ctxt(struct ksmbd_conn *conn,
}
static int decode_encrypt_ctxt(struct ksmbd_conn *conn,
- struct smb2_encryption_neg_context *pneg_ctxt)
+ struct smb2_encryption_neg_context *pneg_ctxt)
{
int i;
int cph_cnt = le16_to_cpu(pneg_ctxt->CipherCount);
@@ -906,7 +905,7 @@ static int decode_encrypt_ctxt(struct ksmbd_conn *conn,
pneg_ctxt->Ciphers[i] == SMB2_ENCRYPTION_AES256_CCM ||
pneg_ctxt->Ciphers[i] == SMB2_ENCRYPTION_AES256_GCM) {
ksmbd_debug(SMB, "Cipher ID = 0x%x\n",
- pneg_ctxt->Ciphers[i]);
+ pneg_ctxt->Ciphers[i]);
conn->cipher_type = pneg_ctxt->Ciphers[i];
break;
}
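Review bot: the debug line prints `pneg_ctxt->Ciphers[i]` with `0x%x` and no conversion, although `CipherCount` from the same context goes through `le16_to_cpu()` and the value is stored in `conn->cipher_type`, which build_encrypt_ctxt() takes as `__le16`. On a big-endian host the logged ID is byte-swapped; print `le16_to_cpu(pneg_ctxt->Ciphers[i])` instead.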
@@ -922,7 +921,7 @@ static int decode_encrypt_ctxt(struct ksmbd_conn *conn,
}
static int decode_compress_ctxt(struct ksmbd_conn *conn,
- struct smb2_compression_ctx *pneg_ctxt)
+ struct smb2_compression_ctx *pneg_ctxt)
{
int algo_cnt = le16_to_cpu(pneg_ctxt->CompressionAlgorithmCount);
@@ -937,7 +936,7 @@ static int decode_compress_ctxt(struct ksmbd_conn *conn,
}
static __le32 deassemble_neg_contexts(struct ksmbd_conn *conn,
- struct smb2_negotiate_req *req)
+ struct smb2_negotiate_req *req)
{
int i = 0;
__le32 status = 0;
@@ -953,16 +952,16 @@ static __le32 deassemble_neg_contexts(struct ksmbd_conn *conn,
while (i++ < neg_ctxt_cnt) {
if (*ContextType == SMB2_PREAUTH_INTEGRITY_CAPABILITIES) {
ksmbd_debug(SMB,
- "deassemble SMB2_PREAUTH_INTEGRITY_CAPABILITIES context\n");
+ "deassemble SMB2_PREAUTH_INTEGRITY_CAPABILITIES context\n");
if (conn->preauth_info->Preauth_HashId)
break;
status = decode_preauth_ctxt(conn,
- (struct smb2_preauth_neg_context *)pneg_ctxt);
+ (struct smb2_preauth_neg_context *)pneg_ctxt);
pneg_ctxt += DIV_ROUND_UP(sizeof(struct smb2_preauth_neg_context), 8) * 8;
} else if (*ContextType == SMB2_ENCRYPTION_CAPABILITIES) {
ksmbd_debug(SMB,
- "deassemble SMB2_ENCRYPTION_CAPABILITIES context\n");
+ "deassemble SMB2_ENCRYPTION_CAPABILITIES context\n");
if (conn->cipher_type)
break;
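Review bot: the `break` under `if (conn->preauth_info->Preauth_HashId)` and under `if (conn->cipher_type)` exits the enclosing `while` loop over `neg_ctxt_cnt`, not just the branch, so a repeated context silently ends parsing and every context after it in the request is ignored while `status` keeps its earlier value. If a duplicate is meant to be an error, set a failure status before leaving; if it is meant to be skipped, advance `pneg_ctxt` past it and continue. A short comment stating which is intended would help either way.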
@@ -971,7 +970,7 @@ static __le32 deassemble_neg_contexts(struct ksmbd_conn *conn,
pneg_ctxt += DIV_ROUND_UP(ctxt_size, 8) * 8;
} else if (*ContextType == SMB2_COMPRESSION_CAPABILITIES) {
ksmbd_debug(SMB,
- "deassemble SMB2_COMPRESSION_CAPABILITIES context\n");
+ "deassemble SMB2_COMPRESSION_CAPABILITIES context\n");
if (conn->compress_algorithm)
break;
@@ -980,14 +979,14 @@ static __le32 deassemble_neg_contexts(struct ksmbd_conn *conn,
pneg_ctxt += DIV_ROUND_UP(ctxt_size, 8) * 8;
} else if (*ContextType == SMB2_NETNAME_NEGOTIATE_CONTEXT_ID) {
ksmbd_debug(SMB,
- "deassemble SMB2_NETNAME_NEGOTIATE_CONTEXT_ID context\n");
+ "deassemble SMB2_NETNAME_NEGOTIATE_CONTEXT_ID context\n");
ctxt_size = sizeof(struct smb2_netname_neg_context);
ctxt_size += DIV_ROUND_UP(le16_to_cpu(((struct smb2_netname_neg_context *)
- pneg_ctxt)->DataLength), 8) * 8;
+ pneg_ctxt)->DataLength), 8) * 8;
pneg_ctxt += ctxt_size;
} else if (*ContextType == SMB2_POSIX_EXTENSIONS_AVAILABLE) {
ksmbd_debug(SMB,
- "deassemble SMB2_POSIX_EXTENSIONS_AVAILABLE context\n");
+ "deassemble SMB2_POSIX_EXTENSIONS_AVAILABLE context\n");
conn->posix_ext_supported = true;
pneg_ctxt += DIV_ROUND_UP(sizeof(struct smb2_posix_neg_context), 8) * 8;
}
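Review bot: in the SMB2_NETNAME_NEGOTIATE_CONTEXT_ID branch, `pneg_ctxt` is advanced by a `DataLength` read from the request, and none of the lines shown compares the new position against the end of the received buffer before the next `*ContextType` read. Worth confirming that a length check exists outside this hunk, or adding one that tracks the bytes remaining in the request and stops with STATUS_INVALID_PARAMETER when a context would run past them. The fixed-size branches advance by `DIV_ROUND_UP(sizeof(...), 8) * 8` and need the same bound.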
@@ -1033,7 +1032,7 @@ int smb2_handle_negotiate(struct ksmbd_work *work)
case SMB311_PROT_ID:
conn->preauth_info =
kzalloc(sizeof(struct preauth_integrity_info),
- GFP_KERNEL);
+ GFP_KERNEL);
if (!conn->preauth_info) {
rc = -ENOMEM;
rsp->hdr.Status = STATUS_INVALID_PARAMETER;
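Review bot: on the `kzalloc()` failure path visible here, `rc` is `-ENOMEM` but the client is told `STATUS_INVALID_PARAMETER`, which reports a server-side allocation failure as a malformed request. `STATUS_NO_MEMORY`, which create_smb2_pipe() in this same file uses, would match the errno. A smaller point on the reindented call: `sizeof(*conn->preauth_info)` would keep the size tied to the pointer's type.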
@@ -1043,7 +1042,7 @@ int smb2_handle_negotiate(struct ksmbd_work *work)
status = deassemble_neg_contexts(conn, req);
if (status != STATUS_SUCCESS) {
ksmbd_err("deassemble_neg_contexts error(0x%x)\n",
- status);
+ status);
rsp->hdr.Status = status;
rc = -EINVAL;
goto err_out;
@@ -1056,8 +1055,8 @@ int smb2_handle_negotiate(struct ksmbd_work *work)
}
ksmbd_gen_preauth_integrity_hash(conn,
- work->request_buf,
- conn->preauth_info->Preauth_HashValue);
+ work->request_buf,
+ conn->preauth_info->Preauth_HashValue);
rsp->NegotiateContextOffset =
cpu_to_le32(OFFSET_OF_NEG_CONTEXT);
assemble_neg_contexts(conn, rsp);
@@ -1082,7 +1081,7 @@ int smb2_handle_negotiate(struct ksmbd_work *work)
case BAD_PROT_ID:
default:
ksmbd_debug(SMB, "Server dialect :0x%x not supported\n",
- conn->dialect);
+ conn->dialect);
rsp->hdr.Status = STATUS_NOT_SUPPORTED;
rc = -EINVAL;
goto err_out;
@@ -1098,7 +1097,7 @@ int smb2_handle_negotiate(struct ksmbd_work *work)
if (conn->dialect > SMB20_PROT_ID) {
memcpy(conn->ClientGUID, req->ClientGUID,
- SMB2_CLIENT_GUID_SIZE);
+ SMB2_CLIENT_GUID_SIZE);
conn->cli_sec_mode = le16_to_cpu(req->SecurityMode);
}
@@ -1112,17 +1111,17 @@ int smb2_handle_negotiate(struct ksmbd_work *work)
rsp->SystemTime = cpu_to_le64(ksmbd_systime());
rsp->ServerStartTime = 0;
ksmbd_debug(SMB, "negotiate context offset %d, count %d\n",
- le32_to_cpu(rsp->NegotiateContextOffset),
- le16_to_cpu(rsp->NegotiateContextCount));
+ le32_to_cpu(rsp->NegotiateContextOffset),
+ le16_to_cpu(rsp->NegotiateContextCount));
rsp->SecurityBufferOffset = cpu_to_le16(128);
rsp->SecurityBufferLength = cpu_to_le16(AUTH_GSS_LENGTH);
ksmbd_copy_gss_neg_header(((char *)(&rsp->hdr) +
- sizeof(rsp->hdr.smb2_buf_length)) +
- le16_to_cpu(rsp->SecurityBufferOffset));
+ sizeof(rsp->hdr.smb2_buf_length)) +
+ le16_to_cpu(rsp->SecurityBufferOffset));
inc_rfc1001_len(rsp, sizeof(struct smb2_negotiate_rsp) -
- sizeof(struct smb2_hdr) - sizeof(rsp->Buffer) +
- AUTH_GSS_LENGTH);
+ sizeof(struct smb2_hdr) - sizeof(rsp->Buffer) +
+ AUTH_GSS_LENGTH);
rsp->SecurityMode = SMB2_NEGOTIATE_SIGNING_ENABLED_LE;
conn->use_spnego = true;
@@ -1147,13 +1146,13 @@ int smb2_handle_negotiate(struct ksmbd_work *work)
}
static int alloc_preauth_hash(struct ksmbd_session *sess,
- struct ksmbd_conn *conn)
+ struct ksmbd_conn *conn)
{
if (sess->Preauth_HashValue)
return 0;
sess->Preauth_HashValue = kmemdup(conn->preauth_info->Preauth_HashValue,
- PREAUTH_HASHVALUE_SIZE, GFP_KERNEL);
+ PREAUTH_HASHVALUE_SIZE, GFP_KERNEL);
if (!sess->Preauth_HashValue)
return -ENOMEM;
@@ -1180,7 +1179,7 @@ static int generate_preauth_hash(struct ksmbd_work *work)
}
static int decode_negotiation_token(struct ksmbd_work *work,
- struct negotiate_message *negblob)
+ struct negotiate_message *negblob)
{
struct ksmbd_conn *conn = work->conn;
struct smb2_sess_setup_req *req;
@@ -1203,7 +1202,7 @@ static int decode_negotiation_token(struct ksmbd_work *work,
}
static int ntlm_negotiate(struct ksmbd_work *work,
- struct negotiate_message *negblob)
+ struct negotiate_message *negblob)
{
struct smb2_sess_setup_req *req = work->request_buf;
struct smb2_sess_setup_rsp *rsp = work->response_buf;
@@ -1247,10 +1246,8 @@ static int ntlm_negotiate(struct ksmbd_work *work,
goto out;
}
- rc = build_spnego_ntlmssp_neg_blob(&spnego_blob,
- &spnego_blob_len,
- neg_blob,
- sz);
+ rc = build_spnego_ntlmssp_neg_blob(&spnego_blob, &spnego_blob_len,
+ neg_blob, sz);
if (rc) {
rc = -ENOMEM;
goto out;
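Review bot: after the rejoined `build_spnego_ntlmssp_neg_blob()` call, the `if (rc)` branch replaces whatever the function returned with `-ENOMEM`. Unless allocation failure is the only way it can fail, pass `rc` through unchanged so the caller and any log line see the real cause.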
@@ -1267,7 +1264,7 @@ static int ntlm_negotiate(struct ksmbd_work *work,
}
static struct authenticate_message *user_authblob(struct ksmbd_conn *conn,
- struct smb2_sess_setup_req *req)
+ struct smb2_sess_setup_req *req)
{
int sz;
@@ -1280,7 +1277,7 @@ static struct authenticate_message *user_authblob(struct ksmbd_conn *conn,
}
static struct ksmbd_user *session_user(struct ksmbd_conn *conn,
- struct smb2_sess_setup_req *req)
+ struct smb2_sess_setup_req *req)
{
struct authenticate_message *authblob;
struct ksmbd_user *user;
@@ -1396,7 +1393,7 @@ static int ntlm_authenticate(struct ksmbd_work *work)
rc = conn->ops->generate_encryptionkey(sess);
if (rc) {
ksmbd_debug(SMB,
- "SMB3 encryption key generation failed\n");
+ "SMB3 encryption key generation failed\n");
rsp->hdr.Status = STATUS_LOGON_FAILURE;
return rc;
}
@@ -1473,7 +1470,7 @@ static int krb5_authenticate(struct ksmbd_work *work)
ksmbd_free_user(sess->user);
retval = ksmbd_krb5_authenticate(sess, in_blob, in_len,
- out_blob, &out_len);
+ out_blob, &out_len);
if (retval) {
ksmbd_debug(SMB, "krb5 authentication failed\n");
rsp->hdr.Status = STATUS_LOGON_FAILURE;
@@ -1491,7 +1488,7 @@ static int krb5_authenticate(struct ksmbd_work *work)
retval = conn->ops->generate_encryptionkey(sess);
if (retval) {
ksmbd_debug(SMB,
- "SMB3 encryption key generation failed\n");
+ "SMB3 encryption key generation failed\n");
rsp->hdr.Status = STATUS_LOGON_FAILURE;
return retval;
}
@@ -1565,7 +1562,7 @@ int smb2_sess_setup(struct ksmbd_work *work)
ksmbd_session_register(conn, sess);
} else {
sess = ksmbd_session_lookup(conn,
- le64_to_cpu(req->hdr.SessionId));
+ le64_to_cpu(req->hdr.SessionId));
if (!sess) {
rc = -ENOENT;
rsp->hdr.Status = STATUS_USER_SESSION_DELETED;
@@ -1673,7 +1670,8 @@ int smb2_tree_connect(struct ksmbd_work *work)
int rc = -EINVAL;
treename = smb_strndup_from_utf16(req->Buffer,
- le16_to_cpu(req->PathLength), true, conn->local_nls);
+ le16_to_cpu(req->PathLength), true,
+ conn->local_nls);
if (IS_ERR(treename)) {
ksmbd_err("treename is NULL\n");
status.ret = KSMBD_TREE_CONN_STATUS_ERROR;
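Review bot: the error branch tests `IS_ERR(treename)` but logs "treename is NULL", which is misleading because the pointer holds an ERR_PTR value, not NULL. Log the code instead, for example `ksmbd_err("treename conversion failed: %ld\n", PTR_ERR(treename));`.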
@@ -1687,7 +1685,7 @@ int smb2_tree_connect(struct ksmbd_work *work)
}
ksmbd_debug(SMB, "tree connect request for tree %s treename %s\n",
- name, treename);
+ name, treename);
status = ksmbd_tree_conn_connect(sess, name);
if (status.ret == KSMBD_TREE_CONN_STATUS_OK)
@@ -1772,7 +1770,7 @@ int smb2_tree_connect(struct ksmbd_work *work)
* Return: file open flags
*/
static int smb2_create_open_flags(bool file_present, __le32 access,
- __le32 disposition)
+ __le32 disposition)
{
int oflags = O_NONBLOCK | O_LARGEFILE;
@@ -1910,7 +1908,7 @@ static noinline int create_smb2_pipe(struct ksmbd_work *work)
char *name;
name = smb_strndup_from_utf16(req->Buffer, le16_to_cpu(req->NameLength),
- 1, work->conn->local_nls);
+ 1, work->conn->local_nls);
if (IS_ERR(name)) {
rsp->hdr.Status = STATUS_NO_MEMORY;
err = PTR_ERR(name);
@@ -1987,20 +1985,20 @@ static int smb2_set_ea(struct smb2_ea_info *eabuf, struct path *path)
goto next;
ksmbd_debug(SMB,
- "name : <%s>, name_len : %u, value_len : %u, next : %u\n",
- eabuf->name, eabuf->EaNameLength,
- le16_to_cpu(eabuf->EaValueLength),
- le32_to_cpu(eabuf->NextEntryOffset));
+ "name : <%s>, name_len : %u, value_len : %u, next : %u\n",
+ eabuf->name, eabuf->EaNameLength,
+ le16_to_cpu(eabuf->EaValueLength),
+ le32_to_cpu(eabuf->NextEntryOffset));
if (eabuf->EaNameLength >
- (XATTR_NAME_MAX - XATTR_USER_PREFIX_LEN)) {
+ (XATTR_NAME_MAX - XATTR_USER_PREFIX_LEN)) {
rc = -EINVAL;
break;
}
memcpy(attr_name, XATTR_USER_PREFIX, XATTR_USER_PREFIX_LEN);
memcpy(&attr_name[XATTR_USER_PREFIX_LEN], eabuf->name,
- eabuf->EaNameLength);
+ eabuf->EaNameLength);
attr_name[XATTR_USER_PREFIX_LEN + eabuf->EaNameLength] = '\0';
value = (char *)&eabuf->name + eabuf->EaNameLength + 1;
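Review bot: the reindented `ksmbd_debug()` prints `eabuf->name` with `%s` before the `EaNameLength` bound check against `XATTR_NAME_MAX - XATTR_USER_PREFIX_LEN`, so the format walk relies on the client having placed a NUL inside the received buffer. The code below already treats the name as length-delimited (it copies `EaNameLength` bytes and appends `'\0'` itself), so print it the same way with `%.*s` and `eabuf->EaNameLength`, or move the message after the length check and log `attr_name`.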
@@ -2017,8 +2015,8 @@ static int smb2_set_ea(struct smb2_ea_info *eabuf, struct path *path)
if (rc < 0) {
ksmbd_debug(SMB,
- "remove xattr failed(%d)\n",
- rc);
+ "remove xattr failed(%d)\n",
+ rc);
break;
}
}
@@ -2027,11 +2025,11 @@ static int smb2_set_ea(struct smb2_ea_info *eabuf, struct path *path)
rc = 0;
} else {
rc = ksmbd_vfs_setxattr(path->dentry, attr_name, value,
- le16_to_cpu(eabuf->EaValueLength), 0);
+ le16_to_cpu(eabuf->EaValueLength), 0);
if (rc < 0) {
ksmbd_debug(SMB,
- "ksmbd_vfs_setxattr is failed(%d)\n",
- rc);
+ "ksmbd_vfs_setxattr is failed(%d)\n",
+ rc);
break;
}
}
@@ -2061,7 +2059,8 @@ static inline int check_context_err(void *ctx, char *str)
}
static noinline int smb2_set_stream_name_xattr(struct path *path,
- struct ksmbd_file *fp, char *stream_name, int s_type)
+ struct ksmbd_file *fp,
+ char *stream_name, int s_type)
{
size_t xattr_stream_size;
char *xattr_stream_name;
@@ -2142,13 +2141,13 @@ static int smb2_create_truncate(struct path *path)
rc = 0;
if (rc)
ksmbd_debug(SMB,
- "ksmbd_truncate_stream_name_xattr failed, rc %d\n",
- rc);
+ "ksmbd_truncate_stream_name_xattr failed, rc %d\n",
+ rc);
return rc;
}
static void smb2_new_xattrs(struct ksmbd_tree_connect *tcon, struct path *path,
- struct ksmbd_file *fp)
+ struct ksmbd_file *fp)
{
struct xattr_dos_attrib da = {0};
int rc;
@@ -2169,7 +2168,7 @@ static void smb2_new_xattrs(struct ksmbd_tree_connect *tcon, struct path *path,
}
static void smb2_update_xattrs(struct ksmbd_tree_connect *tcon,
- struct path *path, struct ksmbd_file *fp)
+ struct path *path, struct ksmbd_file *fp)
{
struct xattr_dos_attrib da;
int rc;
@@ -2190,7 +2189,7 @@ static void smb2_update_xattrs(struct ksmbd_tree_connect *tcon,
}
static int smb2_creat(struct ksmbd_work *work, struct path *path, char *name,
- int open_flags, umode_t posix_mode, bool is_dir)
+ int open_flags, umode_t posix_mode, bool is_dir)
{
struct ksmbd_tree_connect *tcon = work->tcon;
struct ksmbd_share_config *share = tcon->share_conf;
@@ -2220,14 +2219,15 @@ static int smb2_creat(struct ksmbd_work *work, struct path *path, char *name,
rc = ksmbd_vfs_kern_path(name, 0, path, 0);
if (rc) {
ksmbd_err("cannot get linux path (%s), err = %d\n",
- name, rc);
+ name, rc);
return rc;
}
return 0;
}
static int smb2_create_sd_buffer(struct ksmbd_work *work,
- struct smb2_create_req *req, struct dentry *dentry)
+ struct smb2_create_req *req,
+ struct dentry *dentry)
{
struct create_context *context;
int rc = -ENOENT;
@@ -2241,10 +2241,10 @@ static int smb2_create_sd_buffer(struct ksmbd_work *work,
struct create_sd_buf_req *sd_buf;
ksmbd_debug(SMB,
- "Set ACLs using SMB2_CREATE_SD_BUFFER context\n");
+ "Set ACLs using SMB2_CREATE_SD_BUFFER context\n");
sd_buf = (struct create_sd_buf_req *)context;
rc = set_info_sec(work->conn, work->tcon, dentry, &sd_buf->ntsd,
- le32_to_cpu(sd_buf->ccontext.DataLength), true);
+ le32_to_cpu(sd_buf->ccontext.DataLength), true);
}
return rc;
@@ -2353,7 +2353,7 @@ int smb2_open(struct ksmbd_work *work)
if (ksmbd_share_veto_filename(share, name)) {
rc = -ENOENT;
ksmbd_debug(SMB, "Reject open(), vetoed file: %s\n",
- name);
+ name);
goto err_out1;
}
} else {
@@ -2376,7 +2376,7 @@ int smb2_open(struct ksmbd_work *work)
if (le32_to_cpu(req->ImpersonationLevel) > le32_to_cpu(IL_DELEGATE_LE)) {
ksmbd_err("Invalid impersonationlevel : 0x%x\n",
- le32_to_cpu(req->ImpersonationLevel));
+ le32_to_cpu(req->ImpersonationLevel));
rc = -EIO;
rsp->hdr.Status = STATUS_BAD_IMPERSONATION_LEVEL;
goto err_out1;
@@ -2384,7 +2384,7 @@ int smb2_open(struct ksmbd_work *work)
if (req->CreateOptions && !(req->CreateOptions & CREATE_OPTIONS_MASK)) {
ksmbd_err("Invalid create options : 0x%x\n",
- le32_to_cpu(req->CreateOptions));
+ le32_to_cpu(req->CreateOptions));
rc = -EINVAL;
goto err_out1;
} else {
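Review bot: `req->CreateOptions && !(req->CreateOptions & CREATE_OPTIONS_MASK)` only fails when none of the masked bits is set, so a request that carries one accepted option plus bits outside the mask passes. If CREATE_OPTIONS_MASK is the set of accepted bits, the test should be `req->CreateOptions & ~CREATE_OPTIONS_MASK`.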
@@ -2392,8 +2392,9 @@ int smb2_open(struct ksmbd_work *work)
req->CreateOptions & FILE_RANDOM_ACCESS_LE)
req->CreateOptions = ~(FILE_SEQUENTIAL_ONLY_LE);
- if (req->CreateOptions & (FILE_OPEN_BY_FILE_ID_LE |
- CREATE_TREE_CONNECTION | FILE_RESERVE_OPFILTER_LE)) {
+ if (req->CreateOptions &
+ (FILE_OPEN_BY_FILE_ID_LE | CREATE_TREE_CONNECTION |
+ FILE_RESERVE_OPFILTER_LE)) {
rc = -EOPNOTSUPP;
goto err_out1;
}
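Review bot: the context line `req->CreateOptions = ~(FILE_SEQUENTIAL_ONLY_LE);` assigns the complement of one flag to the whole field, which sets every other option bit; clearing the flag would be `req->CreateOptions &= ~FILE_SEQUENTIAL_ONLY_LE;`. As written, the reflowed test for `FILE_OPEN_BY_FILE_ID_LE | CREATE_TREE_CONNECTION | FILE_RESERVE_OPFILTER_LE` that follows will match and return `-EOPNOTSUPP` whenever that assignment has run. This is a behaviour fix rather than a whitespace change, so it belongs in a separate patch.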
@@ -2409,23 +2410,23 @@ int smb2_open(struct ksmbd_work *work)
}
if (le32_to_cpu(req->CreateDisposition) >
- le32_to_cpu(FILE_OVERWRITE_IF_LE)) {
+ le32_to_cpu(FILE_OVERWRITE_IF_LE)) {
ksmbd_err("Invalid create disposition : 0x%x\n",
- le32_to_cpu(req->CreateDisposition));
+ le32_to_cpu(req->CreateDisposition));
rc = -EINVAL;
goto err_out1;
}
if (!(req->DesiredAccess & DESIRED_ACCESS_MASK)) {
ksmbd_err("Invalid desired access : 0x%x\n",
- le32_to_cpu(req->DesiredAccess));
+ le32_to_cpu(req->DesiredAccess));
rc = -EACCES;
goto err_out1;
}
if (req->FileAttributes && !(req->FileAttributes & ATTR_MASK_LE)) {
ksmbd_err("Invalid file attribute : 0x%x\n",
- le32_to_cpu(req->FileAttributes));
+ le32_to_cpu(req->FileAttributes));
rc = -EINVAL;
goto err_out1;
}
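Review bot: the `DesiredAccess` and `FileAttributes` checks in this hunk use the `!(field & MASK)` form, which rejects a value only when it has no bit of the mask set; a value mixing accepted and unknown bits is let through. If DESIRED_ACCESS_MASK and ATTR_MASK_LE list the accepted bits, test `field & ~MASK`. The return codes also differ between the checks (`-EACCES` for desired access, `-EINVAL` for disposition and attributes); a comment on why would help.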
@@ -2447,23 +2448,23 @@ int smb2_open(struct ksmbd_work *work)
}
context = smb2_find_context_vals(req,
- SMB2_CREATE_QUERY_MAXIMAL_ACCESS_REQUEST);
+ SMB2_CREATE_QUERY_MAXIMAL_ACCESS_REQUEST);
if (IS_ERR(context)) {
rc = check_context_err(context,
- SMB2_CREATE_QUERY_MAXIMAL_ACCESS_REQUEST);
+ SMB2_CREATE_QUERY_MAXIMAL_ACCESS_REQUEST);
if (rc < 0)
goto err_out1;
} else {
ksmbd_debug(SMB,
- "get query maximal access context\n");
+ "get query maximal access context\n");
maximal_access_ctxt = 1;
}
context = smb2_find_context_vals(req,
- SMB2_CREATE_TIMEWARP_REQUEST);
+ SMB2_CREATE_TIMEWARP_REQUEST);
if (IS_ERR(context)) {
rc = check_context_err(context,
- SMB2_CREATE_TIMEWARP_REQUEST);
+ SMB2_CREATE_TIMEWARP_REQUEST);
if (rc < 0)
goto err_out1;
} else {
@@ -2474,10 +2475,10 @@ int smb2_open(struct ksmbd_work *work)
if (tcon->posix_extensions) {
context = smb2_find_context_vals(req,
- SMB2_CREATE_TAG_POSIX);
+ SMB2_CREATE_TAG_POSIX);
if (IS_ERR(context)) {
rc = check_context_err(context,
- SMB2_CREATE_TAG_POSIX);
+ SMB2_CREATE_TAG_POSIX);
if (rc < 0)
goto err_out1;
} else {
@@ -2516,7 +2517,7 @@ int smb2_open(struct ksmbd_work *work)
if (!test_tree_conn_flag(tcon, KSMBD_TREE_CONN_FLAG_WRITABLE)) {
ksmbd_debug(SMB,
- "User does not have write permission\n");
+ "User does not have write permission\n");
rc = -EACCES;
path_put(&path);
goto err_out;
@@ -2546,11 +2547,11 @@ int smb2_open(struct ksmbd_work *work)
if (rc) {
if (rc == -EACCES) {
ksmbd_debug(SMB,
- "User does not have right permission\n");
+ "User does not have right permission\n");
goto err_out;
}
ksmbd_debug(SMB, "can not get linux path for %s, rc = %d\n",
- name, rc);
+ name, rc);
rc = 0;
} else {
file_present = true;
@@ -2582,7 +2583,7 @@ int smb2_open(struct ksmbd_work *work)
if (file_present && req->CreateOptions & FILE_NON_DIRECTORY_FILE_LE &&
S_ISDIR(stat.mode) && !(req->CreateOptions & FILE_DELETE_ON_CLOSE_LE)) {
ksmbd_debug(SMB, "open() argument is a directory: %s, %x\n",
- name, req->CreateOptions);
+ name, req->CreateOptions);
rsp->hdr.Status = STATUS_FILE_IS_A_DIRECTORY;
rc = -EIO;
goto err_out;
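Review bot: the "open() argument is a directory" message prints `req->CreateOptions` raw with `%x`, while the "Invalid create options" message earlier in smb2_open() prints the same field through `le32_to_cpu()`. On a big-endian host the two logs would show different values for one request; wrap this argument in `le32_to_cpu()` as well.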
@@ -2606,7 +2607,7 @@ int smb2_open(struct ksmbd_work *work)
if (file_present && !(req->CreateOptions & FILE_DELETE_ON_CLOSE_LE)) {
rc = smb_check_perm_dacl(conn, path.dentry, &daccess,
- sess->user->uid);
+ sess->user->uid);
if (rc)
goto err_out;
}
@@ -2624,13 +2625,13 @@ int smb2_open(struct ksmbd_work *work)
maximal_access = daccess;
}
- open_flags = smb2_create_open_flags(file_present,
- daccess, req->CreateDisposition);
+ open_flags = smb2_create_open_flags(file_present, daccess,
+ req->CreateDisposition);
if (!test_tree_conn_flag(tcon, KSMBD_TREE_CONN_FLAG_WRITABLE)) {
if (open_flags & O_CREAT) {
ksmbd_debug(SMB,
- "User does not have write permission\n");
+ "User does not have write permission\n");
rc = -EACCES;
goto err_out;
}
@@ -2639,7 +2640,7 @@ int smb2_open(struct ksmbd_work *work)
/*create file if not present */
if (!file_present) {
rc = smb2_creat(work, &path, name, open_flags, posix_mode,
- req->CreateOptions & FILE_DIRECTORY_FILE_LE);
+ req->CreateOptions & FILE_DIRECTORY_FILE_LE);
if (rc)
goto err_out;
@@ -2663,7 +2664,8 @@ int smb2_open(struct ksmbd_work *work)
*/
if (daccess & ~(FILE_READ_ATTRIBUTES_LE | FILE_READ_CONTROL_LE)) {
rc = ksmbd_vfs_inode_permission(path.dentry,
- open_flags & O_ACCMODE, may_delete);
+ open_flags & O_ACCMODE,
+ may_delete);
if (rc)
goto err_out;
}
@@ -2689,8 +2691,8 @@ int smb2_open(struct ksmbd_work *work)
else
file_info = FILE_OVERWRITTEN;
- if ((req->CreateDisposition & FILE_CREATE_MASK_LE)
- == FILE_SUPERSEDE_LE)
+ if ((req->CreateDisposition & FILE_CREATE_MASK_LE) ==
+ FILE_SUPERSEDE_LE)
file_info = FILE_SUPERSEDED;
} else if (open_flags & O_CREAT) {
file_info = FILE_CREATED;
@@ -2732,7 +2734,7 @@ int smb2_open(struct ksmbd_work *work)
if (test_share_config_flag(work->tcon->share_conf,
KSMBD_SHARE_FLAG_ACL_XATTR)) {
rc = smb_inherit_dacl(conn, path.dentry, sess->user->uid,
- sess->user->gid);
+ sess->user->gid);
}
if (rc) {
@@ -2762,17 +2764,21 @@ int smb2_open(struct ksmbd_work *work)
goto err_out;
rc = build_sec_desc(pntsd, NULL,
- OWNER_SECINFO | GROUP_SECINFO | DACL_SECINFO,
- &pntsd_size, &fattr);
+ OWNER_SECINFO |
+ GROUP_SECINFO |
+ DACL_SECINFO,
+ &pntsd_size, &fattr);
posix_acl_release(fattr.cf_acls);
posix_acl_release(fattr.cf_dacls);
rc = ksmbd_vfs_set_sd_xattr(conn,
- path.dentry, pntsd, pntsd_size);
+ path.dentry,
+ pntsd,
+ pntsd_size);
kfree(pntsd);
if (rc)
ksmbd_err("failed to store ntacl in xattr : %d\n",
- rc);
+ rc);
}
}
}
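Review bot: the return value of `build_sec_desc()` is stored in `rc` and then overwritten by `rc = ksmbd_vfs_set_sd_xattr(...)` with no test in between, so a failed build still goes on to store `pntsd` in the xattr. Check `rc` after the two `posix_acl_release()` calls and skip the xattr write on failure. On style, splitting `OWNER_SECINFO | GROUP_SECINFO | DACL_SECINFO` and the `ksmbd_vfs_set_sd_xattr()` arguments one per line makes this block longer without making it clearer.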
@@ -2829,8 +2835,8 @@ int smb2_open(struct ksmbd_work *work)
if (req_op_level == SMB2_OPLOCK_LEVEL_LEASE) {
req_op_level = smb2_map_lease_to_oplock(lc->req_state);
ksmbd_debug(SMB,
- "lease req for(%s) req oplock state 0x%x, lease state 0x%x\n",
- name, req_op_level, lc->req_state);
+ "lease req for(%s) req oplock state 0x%x, lease state 0x%x\n",
+ name, req_op_level, lc->req_state);
rc = find_same_lease_key(sess, fp->f_ci, lc);
if (rc)
goto err_out;
@@ -2859,12 +2865,11 @@ int smb2_open(struct ksmbd_work *work)
if (req->CreateContextsOffset) {
struct create_alloc_size_req *az_req;
- az_req = (struct create_alloc_size_req *)
- smb2_find_context_vals(req,
- SMB2_CREATE_ALLOCATION_SIZE);
+ az_req = (struct create_alloc_size_req *)smb2_find_context_vals(req,
+ SMB2_CREATE_ALLOCATION_SIZE);
if (IS_ERR(az_req)) {
rc = check_context_err(az_req,
- SMB2_CREATE_ALLOCATION_SIZE);
+ SMB2_CREATE_ALLOCATION_SIZE);
if (rc < 0)
goto err_out;
} else {
@@ -2872,13 +2877,13 @@ int smb2_open(struct ksmbd_work *work)
int err;
ksmbd_debug(SMB,
- "request smb2 create allocate size : %llu\n",
- alloc_size);
+ "request smb2 create allocate size : %llu\n",
+ alloc_size);
err = ksmbd_vfs_alloc_size(work, fp, alloc_size);
if (err < 0)
ksmbd_debug(SMB,
- "ksmbd_vfs_alloc_size is failed : %d\n",
- err);
+ "ksmbd_vfs_alloc_size is failed : %d\n",
+ err);
}
context = smb2_find_context_vals(req, SMB2_CREATE_QUERY_ON_DISK_ID);
@@ -2897,8 +2902,8 @@ int smb2_open(struct ksmbd_work *work)
else
fp->create_time = ksmbd_UnixTimeToNT(stat.ctime);
if (req->FileAttributes || fp->f_ci->m_fattr == 0)
- fp->f_ci->m_fattr = cpu_to_le32(smb2_get_dos_mode(&stat,
- le32_to_cpu(req->FileAttributes)));
+ fp->f_ci->m_fattr =
+ cpu_to_le32(smb2_get_dos_mode(&stat, le32_to_cpu(req->FileAttributes)));
if (!created)
smb2_update_xattrs(tcon, &path, fp);
@@ -2942,7 +2947,7 @@ int smb2_open(struct ksmbd_work *work)
struct create_context *lease_ccontext;
ksmbd_debug(SMB, "lease granted on(%s) lease state 0x%x\n",
- name, opinfo->o_lease->state);
+ name, opinfo->o_lease->state);
rsp->OplockLevel = SMB2_OPLOCK_LEVEL_LEASE;
lease_ccontext = (struct create_context *)rsp->Buffer;
@@ -3170,7 +3175,8 @@ static int dentry_name(struct ksmbd_dir_info *d_info, int info_level)
* Return: 0 on success, otherwise error
*/
static int smb2_populate_readdir_entry(struct ksmbd_conn *conn, int info_level,
- struct ksmbd_dir_info *d_info, struct ksmbd_kstat *ksmbd_kstat)
+ struct ksmbd_dir_info *d_info,
+ struct ksmbd_kstat *ksmbd_kstat)
{
int next_entry_offset = 0;
char *conv_name;
@@ -3323,9 +3329,9 @@ static int smb2_populate_readdir_entry(struct ksmbd_conn *conn, int info_level,
if (d_info->hide_dot_file && d_info->name[0] == '.')
posix_info->DosAttributes |= ATTR_HIDDEN_LE;
id_to_sid(from_kuid(&init_user_ns, ksmbd_kstat->kstat->uid),
- SIDNFS_USER, (struct smb_sid *)&posix_info->SidBuffer[0]);
+ SIDNFS_USER, (struct smb_sid *)&posix_info->SidBuffer[0]);
id_to_sid(from_kgid(&init_user_ns, ksmbd_kstat->kstat->gid),
- SIDNFS_GROUP, (struct smb_sid *)&posix_info->SidBuffer[20]);
+ SIDNFS_GROUP, (struct smb_sid *)&posix_info->SidBuffer[20]);
memcpy(posix_info->name, conv_name, conv_len);
posix_info->name_len = cpu_to_le32(conv_len);
posix_info->NextEntryOffset = cpu_to_le32(next_entry_offset);
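Review bot: the two `id_to_sid()` calls write the owner SID at `SidBuffer[0]` and the group SID at the hard-coded `SidBuffer[20]`. A named constant or a short comment saying where 20 comes from would make the layout checkable against the size of `SidBuffer`, which is not visible here.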
@@ -3341,9 +3347,9 @@ static int smb2_populate_readdir_entry(struct ksmbd_conn *conn, int info_level,
kfree(conv_name);
ksmbd_debug(SMB,
- "info_level : %d, buf_len :%d, next_offset : %d, data_count : %d\n",
- info_level, d_info->out_buf_len,
- next_entry_offset, d_info->data_count);
+ "info_level : %d, buf_len :%d, next_offset : %d, data_count : %d\n",
+ info_level, d_info->out_buf_len,
+ next_entry_offset, d_info->data_count);
return 0;
}
@@ -3392,8 +3398,8 @@ static int process_query_dir_entries(struct smb2_query_dir_private *priv)
if (IS_ERR(dent)) {
ksmbd_debug(SMB, "Cannot lookup `%s' [%ld]\n",
- priv->d_info->name,
- PTR_ERR(dent));
+ priv->d_info->name,
+ PTR_ERR(dent));
continue;
}
if (unlikely(d_is_negative(dent))) {
@@ -3421,7 +3427,7 @@ static int process_query_dir_entries(struct smb2_query_dir_private *priv)
}
static int reserve_populate_dentry(struct ksmbd_dir_info *d_info,
- int info_level)
+ int info_level)
{
int struct_sz;
int conv_len;
@@ -3528,7 +3534,7 @@ static int reserve_populate_dentry(struct ksmbd_dir_info *d_info,
}
static int __query_dir(struct dir_context *ctx, const char *name, int namlen,
- loff_t offset, u64 ino, unsigned int d_type)
+ loff_t offset, u64 ino, unsigned int d_type)
{
struct ksmbd_readdir_data *buf;
struct smb2_query_dir_private *priv;
@@ -3612,17 +3618,18 @@ int smb2_query_dir(struct ksmbd_work *work)
}
dir_fp = ksmbd_lookup_fd_slow(work,
- le64_to_cpu(req->VolatileFileId),
- le64_to_cpu(req->PersistentFileId));
+ le64_to_cpu(req->VolatileFileId),
+ le64_to_cpu(req->PersistentFileId));
if (!dir_fp) {
rc = -EBADF;
goto err_out2;
}
if (!(dir_fp->daccess & FILE_LIST_DIRECTORY_LE) ||
- inode_permission(&init_user_ns, file_inode(dir_fp->filp), MAY_READ | MAY_EXEC)) {
+ inode_permission(&init_user_ns, file_inode(dir_fp->filp),
+ MAY_READ | MAY_EXEC)) {
ksmbd_err("no right to enumerate directory (%s)\n",
- FP_FILENAME(dir_fp));
+ FP_FILENAME(dir_fp));
rc = -EACCES;
goto err_out2;
}
@@ -3635,8 +3642,8 @@ int smb2_query_dir(struct ksmbd_work *work)
srch_flag = req->Flags;
srch_ptr = smb_strndup_from_utf16(req->Buffer,
- le16_to_cpu(req->FileNameLength), 1,
- conn->local_nls);
+ le16_to_cpu(req->FileNameLength), 1,
+ conn->local_nls);
if (IS_ERR(srch_ptr)) {
ksmbd_debug(SMB, "Search Pattern not found\n");
rc = -EINVAL;
@@ -3657,8 +3664,8 @@ int smb2_query_dir(struct ksmbd_work *work)
d_info.wptr = (char *)rsp->Buffer;
d_info.rptr = (char *)rsp->Buffer;
d_info.out_buf_len = (work->response_sz - (get_rfc1002_len(rsp_org) + 4));
- d_info.out_buf_len = min_t(int, d_info.out_buf_len,
- le32_to_cpu(req->OutputBufferLength)) - sizeof(struct smb2_query_directory_rsp);
+ d_info.out_buf_len = min_t(int, d_info.out_buf_len, le32_to_cpu(req->OutputBufferLength)) -
+ sizeof(struct smb2_query_directory_rsp);
d_info.flags = srch_flag;
/*
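Review bot: the rewrapped `d_info.out_buf_len = min_t(int, ...) - sizeof(struct smb2_query_directory_rsp);` still subtracts the response header size with no lower-bound check in the visible lines, and the new first line is now well past 80 columns. `req->OutputBufferLength` is client-supplied and is compared as `int`, so a very large value turns negative inside `min_t(int, ...)`, and a small one makes the subtraction go below zero. Since this statement is being touched anyway, consider splitting it into two steps and rejecting the request when the clamped length is smaller than the response structure.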
@@ -3666,7 +3673,8 @@ int smb2_query_dir(struct ksmbd_work *work)
* in first response
*/
rc = ksmbd_populate_dot_dotdot_entries(work, req->FileInformationClass,
- dir_fp, &d_info, srch_ptr, smb2_populate_readdir_entry);
+ dir_fp, &d_info, srch_ptr,
+ smb2_populate_readdir_entry);
if (rc == -ENOSPC)
rc = 0;
else if (rc)
@@ -3762,7 +3770,7 @@ int smb2_query_dir(struct ksmbd_work *work)
* Return: 0 on success, otherwise error
*/
static int buffer_check_err(int reqOutputBufferLength,
- struct smb2_query_info_rsp *rsp, int infoclass_size)
+ struct smb2_query_info_rsp *rsp, int infoclass_size)
{
if (reqOutputBufferLength < le32_to_cpu(rsp->OutputBufferLength)) {
if (reqOutputBufferLength < infoclass_size) {
@@ -3797,8 +3805,7 @@ static void get_standard_info_pipe(struct smb2_query_info_rsp *rsp)
inc_rfc1001_len(rsp, sizeof(struct smb2_file_standard_info));
}
-static void get_internal_info_pipe(struct smb2_query_info_rsp *rsp,
- u64 num)
+static void get_internal_info_pipe(struct smb2_query_info_rsp *rsp, u64 num)
{
struct smb2_file_internal_info *file_info;
@@ -3812,8 +3819,8 @@ static void get_internal_info_pipe(struct smb2_query_info_rsp *rsp,
}
static int smb2_get_info_file_pipe(struct ksmbd_session *sess,
- struct smb2_query_info_req *req,
- struct smb2_query_info_rsp *rsp)
+ struct smb2_query_info_req *req,
+ struct smb2_query_info_rsp *rsp)
{
u64 id;
int rc;
@@ -3827,22 +3834,22 @@ static int smb2_get_info_file_pipe(struct ksmbd_session *sess,
return -ENOENT;
ksmbd_debug(SMB, "FileInfoClass %u, FileId 0x%llx\n",
- req->FileInfoClass, le64_to_cpu(req->VolatileFileId));
+ req->FileInfoClass, le64_to_cpu(req->VolatileFileId));
switch (req->FileInfoClass) {
case FILE_STANDARD_INFORMATION:
get_standard_info_pipe(rsp);
rc = buffer_check_err(le32_to_cpu(req->OutputBufferLength),
- rsp, FILE_STANDARD_INFORMATION_SIZE);
+ rsp, FILE_STANDARD_INFORMATION_SIZE);
break;
case FILE_INTERNAL_INFORMATION:
get_internal_info_pipe(rsp, id);
rc = buffer_check_err(le32_to_cpu(req->OutputBufferLength),
- rsp, FILE_INTERNAL_INFORMATION_SIZE);
+ rsp, FILE_INTERNAL_INFORMATION_SIZE);
break;
default:
ksmbd_debug(SMB, "smb2_info_file_pipe for %u not supported\n",
- req->FileInfoClass);
+ req->FileInfoClass);
rc = -EOPNOTSUPP;
}
return rc;
@@ -3859,8 +3866,8 @@ static int smb2_get_info_file_pipe(struct ksmbd_session *sess,
* Return: 0 on success, otherwise error
*/
static int smb2_get_ea(struct ksmbd_work *work, struct ksmbd_file *fp,
- struct smb2_query_info_req *req,
- struct smb2_query_info_rsp *rsp, void *rsp_org)
+ struct smb2_query_info_req *req,
+ struct smb2_query_info_rsp *rsp, void *rsp_org)
{
struct smb2_ea_info *eainfo, *prev_eainfo;
char *name, *ptr, *xattr_list = NULL, *buf;
@@ -3883,8 +3890,8 @@ static int smb2_get_ea(struct ksmbd_work *work, struct ksmbd_file *fp,
/* need to send all EAs, if no specific EA is requested*/
if (le32_to_cpu(req->Flags) & SL_RETURN_SINGLE_ENTRY)
ksmbd_debug(SMB,
- "All EAs are requested but need to send single EA entry in rsp flags 0x%x\n",
- le32_to_cpu(req->Flags));
+ "All EAs are requested but need to send single EA entry in rsp flags 0x%x\n",
+ le32_to_cpu(req->Flags));
}
buf_free_len = work->response_sz -
@@ -3966,7 +3973,7 @@ static int smb2_get_ea(struct ksmbd_work *work, struct ksmbd_file *fp,
if (!strncmp(name, XATTR_USER_PREFIX, XATTR_USER_PREFIX_LEN))
memcpy(eainfo->name, &name[XATTR_USER_PREFIX_LEN],
- name_len);
+ name_len);
else
memcpy(eainfo->name, name, name_len);
@@ -4008,7 +4015,7 @@ static int smb2_get_ea(struct ksmbd_work *work, struct ksmbd_file *fp,
}
static void get_file_access_info(struct smb2_query_info_rsp *rsp,
- struct ksmbd_file *fp, void *rsp_org)
+ struct ksmbd_file *fp, void *rsp_org)
{
struct smb2_file_access_info *file_info;
@@ -4020,7 +4027,7 @@ static void get_file_access_info(struct smb2_query_info_rsp *rsp,
}
static int get_file_basic_info(struct smb2_query_info_rsp *rsp,
- struct ksmbd_file *fp, void *rsp_org)
+ struct ksmbd_file *fp, void *rsp_org)
{
struct smb2_file_all_info *basic_info;
struct kstat stat;
@@ -4028,7 +4035,7 @@ static int get_file_basic_info(struct smb2_query_info_rsp *rsp,
if (!(fp->daccess & FILE_READ_ATTRIBUTES_LE)) {
ksmbd_err("no right to read the attributes : 0x%x\n",
- fp->daccess);
+ fp->daccess);
return -EACCES;
}
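Review bot: the access-denied path in get_file_basic_info() logs through `ksmbd_err()`, while get_file_all_info() further down in this patch logs the identical "no right to read the attributes" message through `ksmbd_debug(SMB, ...)`. A remote client can trigger this condition at will, so the error-level variant lets it fill the kernel log. Suggest using `ksmbd_debug()` in both places, either here or in a follow-up, since a whitespace-only patch may not be the right vehicle.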
@@ -4051,7 +4058,7 @@ static int get_file_basic_info(struct smb2_query_info_rsp *rsp,
}
static unsigned long long get_allocation_size(struct inode *inode,
- struct kstat *stat)
+ struct kstat *stat)
{
unsigned long long alloc_size = 0;
@@ -4066,7 +4073,7 @@ static unsigned long long get_allocation_size(struct inode *inode,
}
static void get_file_standard_info(struct smb2_query_info_rsp *rsp,
- struct ksmbd_file *fp, void *rsp_org)
+ struct ksmbd_file *fp, void *rsp_org)
{
struct smb2_file_standard_info *sinfo;
unsigned int delete_pending;
@@ -4091,7 +4098,7 @@ static void get_file_standard_info(struct smb2_query_info_rsp *rsp,
}
static void get_file_alignment_info(struct smb2_query_info_rsp *rsp,
- void *rsp_org)
+ void *rsp_org)
{
struct smb2_file_alignment_info *file_info;
@@ -4104,8 +4111,9 @@ static void get_file_alignment_info(struct smb2_query_info_rsp *rsp,
}
static int get_file_all_info(struct ksmbd_work *work,
- struct smb2_query_info_rsp *rsp, struct ksmbd_file *fp,
- void *rsp_org)
+ struct smb2_query_info_rsp *rsp,
+ struct ksmbd_file *fp,
+ void *rsp_org)
{
struct ksmbd_conn *conn = work->conn;
struct smb2_file_all_info *file_info;
@@ -4118,7 +4126,7 @@ static int get_file_all_info(struct ksmbd_work *work,
if (!(fp->daccess & FILE_READ_ATTRIBUTES_LE)) {
ksmbd_debug(SMB, "no right to read the attributes : 0x%x\n",
- fp->daccess);
+ fp->daccess);
return -EACCES;
}
@@ -4157,11 +4165,8 @@ static int get_file_all_info(struct ksmbd_work *work,
file_info->CurrentByteOffset = cpu_to_le64(fp->filp->f_pos);
file_info->Mode = fp->coption;
file_info->AlignmentRequirement = 0;
- conv_len = smbConvertToUTF16((__le16 *)file_info->FileName,
- filename,
- PATH_MAX,
- conn->local_nls,
- 0);
+ conv_len = smbConvertToUTF16((__le16 *)file_info->FileName, filename,
+ PATH_MAX, conn->local_nls, 0);
conv_len *= 2;
file_info->FileNameLength = cpu_to_le32(conv_len);
rsp->OutputBufferLength =
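Review bot: in the joined `smbConvertToUTF16(...)` call the result goes straight into `conv_len *= 2;` and then `cpu_to_le32(conv_len)` with no check for a negative return. The bound passed in is `PATH_MAX` rather than the space left in the response buffer behind `file_info->FileName`. The reflow does not change behaviour, but it would help to state in the commit message that this is formatting only, and to follow up with a patch that bounds the conversion by the remaining response size.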
@@ -4172,8 +4177,9 @@ static int get_file_all_info(struct ksmbd_work *work,
}
static void get_file_alternate_info(struct ksmbd_work *work,
- struct smb2_query_info_rsp *rsp, struct ksmbd_file *fp,
- void *rsp_org)
+ struct smb2_query_info_rsp *rsp,
+ struct ksmbd_file *fp,
+ void *rsp_org)
{
struct ksmbd_conn *conn = work->conn;
struct smb2_file_alt_name_info *file_info;
@@ -4192,8 +4198,9 @@ static void get_file_alternate_info(struct ksmbd_work *work,
}
static void get_file_stream_info(struct ksmbd_work *work,
- struct smb2_query_info_rsp *rsp, struct ksmbd_file *fp,
- void *rsp_org)
+ struct smb2_query_info_rsp *rsp,
+ struct ksmbd_file *fp,
+ void *rsp_org)
{
struct ksmbd_conn *conn = work->conn;
struct smb2_file_stream_info *file_info;
@@ -4236,15 +4243,12 @@ static void get_file_stream_info(struct ksmbd_work *work,
break;
streamlen = snprintf(stream_buf, streamlen + 1,
- ":%s", &stream_name[XATTR_NAME_STREAM_LEN]);
+ ":%s", &stream_name[XATTR_NAME_STREAM_LEN]);
- file_info = (struct smb2_file_stream_info *)
- &rsp->Buffer[nbytes];
+ file_info = (struct smb2_file_stream_info *)&rsp->Buffer[nbytes];
streamlen = smbConvertToUTF16((__le16 *)file_info->StreamName,
- stream_buf,
- streamlen,
- conn->local_nls,
- 0);
+ stream_buf, streamlen,
+ conn->local_nls, 0);
streamlen *= 2;
kfree(stream_buf);
file_info->StreamNameLength = cpu_to_le32(streamlen);
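Review bot: `streamlen = snprintf(stream_buf, streamlen + 1, ":%s", ...)` stores snprintf's return value, which is the length that would have been written and can exceed the buffer when the output is truncated. That value is then passed as the source length to `smbConvertToUTF16()`. `scnprintf()` returns the number of bytes actually written and is the safer choice here. The write to `&rsp->Buffer[nbytes]` also has no remaining-space check in the visible lines. Both are pre-existing, but worth a follow-up since the lines are being reshuffled.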
@@ -4260,7 +4264,7 @@ static void get_file_stream_info(struct ksmbd_work *work,
file_info = (struct smb2_file_stream_info *)
&rsp->Buffer[nbytes];
streamlen = smbConvertToUTF16((__le16 *)file_info->StreamName,
- "::$DATA", 7, conn->local_nls, 0);
+ "::$DATA", 7, conn->local_nls, 0);
streamlen *= 2;
file_info->StreamNameLength = cpu_to_le32(streamlen);
file_info->StreamSize = S_ISDIR(stat.mode) ? 0 :
@@ -4280,7 +4284,7 @@ static void get_file_stream_info(struct ksmbd_work *work,
}
static void get_file_internal_info(struct smb2_query_info_rsp *rsp,
- struct ksmbd_file *fp, void *rsp_org)
+ struct ksmbd_file *fp, void *rsp_org)
{
struct smb2_file_internal_info *file_info;
struct kstat stat;
@@ -4294,7 +4298,7 @@ static void get_file_internal_info(struct smb2_query_info_rsp *rsp,
}
static int get_file_network_open_info(struct smb2_query_info_rsp *rsp,
- struct ksmbd_file *fp, void *rsp_org)
+ struct ksmbd_file *fp, void *rsp_org)
{
struct smb2_file_ntwrk_info *file_info;
struct inode *inode;
@@ -4342,7 +4346,7 @@ static void get_file_ea_info(struct smb2_query_info_rsp *rsp, void *rsp_org)
}
static void get_file_position_info(struct smb2_query_info_rsp *rsp,
- struct ksmbd_file *fp, void *rsp_org)
+ struct ksmbd_file *fp, void *rsp_org)
{
struct smb2_file_pos_info *file_info;
@@ -4354,7 +4358,7 @@ static void get_file_position_info(struct smb2_query_info_rsp *rsp,
}
static void get_file_mode_info(struct smb2_query_info_rsp *rsp,
- struct ksmbd_file *fp, void *rsp_org)
+ struct ksmbd_file *fp, void *rsp_org)
{
struct smb2_file_mode_info *file_info;
@@ -4366,7 +4370,7 @@ static void get_file_mode_info(struct smb2_query_info_rsp *rsp,
}
static void get_file_compression_info(struct smb2_query_info_rsp *rsp,
- struct ksmbd_file *fp, void *rsp_org)
+ struct ksmbd_file *fp, void *rsp_org)
{
struct smb2_file_comp_info *file_info;
struct kstat stat;
@@ -4387,7 +4391,7 @@ static void get_file_compression_info(struct smb2_query_info_rsp *rsp,
}
static int get_file_attribute_tag_info(struct smb2_query_info_rsp *rsp,
- struct ksmbd_file *fp, void *rsp_org)
+ struct ksmbd_file *fp, void *rsp_org)
{
struct smb2_file_attr_tag_info *file_info;
@@ -4402,13 +4406,12 @@ static int get_file_attribute_tag_info(struct smb2_query_info_rsp *rsp,
file_info->ReparseTag = 0;
rsp->OutputBufferLength =
cpu_to_le32(sizeof(struct smb2_file_attr_tag_info));
- inc_rfc1001_len(rsp_org,
- sizeof(struct smb2_file_attr_tag_info));
+ inc_rfc1001_len(rsp_org, sizeof(struct smb2_file_attr_tag_info));
return 0;
}
static int find_file_posix_info(struct smb2_query_info_rsp *rsp,
- struct ksmbd_file *fp, void *rsp_org)
+ struct ksmbd_file *fp, void *rsp_org)
{
struct smb311_posix_qinfo *file_info;
struct inode *inode = FP_INODE(fp);
@@ -4436,8 +4439,8 @@ static int find_file_posix_info(struct smb2_query_info_rsp *rsp,
}
static int smb2_get_info_file(struct ksmbd_work *work,
- struct smb2_query_info_req *req,
- struct smb2_query_info_rsp *rsp, void *rsp_org)
+ struct smb2_query_info_req *req,
+ struct smb2_query_info_rsp *rsp, void *rsp_org)
{
struct ksmbd_file *fp;
int fileinfoclass = 0;
@@ -4454,7 +4457,7 @@ static int smb2_get_info_file(struct ksmbd_work *work,
if (work->next_smb2_rcv_hdr_off) {
if (!HAS_FILE_ID(le64_to_cpu(req->VolatileFileId))) {
ksmbd_debug(SMB, "Compound request set FID = %u\n",
- work->compound_fid);
+ work->compound_fid);
id = work->compound_fid;
pid = work->compound_pfid;
}
@@ -4569,8 +4572,8 @@ static int smb2_get_info_file(struct ksmbd_work *work,
}
static int smb2_get_info_filesystem(struct ksmbd_work *work,
- struct smb2_query_info_req *req,
- struct smb2_query_info_rsp *rsp, void *rsp_org)
+ struct smb2_query_info_req *req,
+ struct smb2_query_info_rsp *rsp, void *rsp_org)
{
struct ksmbd_session *sess = work->sess;
struct ksmbd_conn *conn = sess->conn;
@@ -4801,8 +4804,8 @@ static int smb2_get_info_filesystem(struct ksmbd_work *work,
}
static int smb2_get_info_sec(struct ksmbd_work *work,
- struct smb2_query_info_req *req,
- struct smb2_query_info_rsp *rsp, void *rsp_org)
+ struct smb2_query_info_req *req,
+ struct smb2_query_info_rsp *rsp, void *rsp_org)
{
struct ksmbd_file *fp;
struct smb_ntsd *pntsd = (struct smb_ntsd *)rsp->Buffer, *ppntsd = NULL;
@@ -4815,7 +4818,7 @@ static int smb2_get_info_sec(struct ksmbd_work *work,
if (addition_info & ~(OWNER_SECINFO | GROUP_SECINFO | DACL_SECINFO)) {
ksmbd_debug(SMB, "Unsupported addition info: 0x%x)\n",
- addition_info);
+ addition_info);
pntsd->revision = cpu_to_le16(1);
pntsd->type = cpu_to_le16(SELF_RELATIVE | DACL_PROTECTED);
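Review bot: the format string `"Unsupported addition info: 0x%x)\n"` has a stray closing parenthesis after `%x`. The line is only re-indented here, but it is a cheap fix to fold in or to send as a separate trivial patch.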
@@ -4834,7 +4837,7 @@ static int smb2_get_info_sec(struct ksmbd_work *work,
if (work->next_smb2_rcv_hdr_off) {
if (!HAS_FILE_ID(le64_to_cpu(req->VolatileFileId))) {
ksmbd_debug(SMB, "Compound request set FID = %u\n",
- work->compound_fid);
+ work->compound_fid);
id = work->compound_fid;
pid = work->compound_pfid;
}
@@ -4901,7 +4904,7 @@ int smb2_query_info(struct ksmbd_work *work)
break;
default:
ksmbd_debug(SMB, "InfoType %d not supported yet\n",
- req->InfoType);
+ req->InfoType);
rc = -EOPNOTSUPP;
}
@@ -4917,7 +4920,7 @@ int smb2_query_info(struct ksmbd_work *work)
smb2_set_err_rsp(work);
ksmbd_debug(SMB, "error while processing smb2 query rc = %d\n",
- rc);
+ rc);
return rc;
}
rsp->StructureSize = cpu_to_le16(9);
@@ -5008,8 +5011,8 @@ int smb2_close(struct ksmbd_work *work)
goto out;
} else {
ksmbd_debug(SMB, "Compound request set FID = %u:%u\n",
- work->compound_fid,
- work->compound_pfid);
+ work->compound_fid,
+ work->compound_pfid);
volatile_id = work->compound_fid;
/* file closed, stored id is not valid anymore */
@@ -5086,8 +5089,8 @@ int smb2_echo(struct ksmbd_work *work)
}
static int smb2_rename(struct ksmbd_work *work, struct ksmbd_file *fp,
- struct smb2_file_rename_info *file_info,
- struct nls_table *local_nls)
+ struct smb2_file_rename_info *file_info,
+ struct nls_table *local_nls)
{
struct ksmbd_share_config *share = fp->tcon->share_conf;
char *new_name = NULL, *abs_oldname = NULL, *old_name = NULL;
@@ -5111,7 +5114,7 @@ static int smb2_rename(struct ksmbd_work *work, struct ksmbd_file *fp,
old_name++;
} else {
ksmbd_debug(SMB, "can't get last component in path %s\n",
- abs_oldname);
+ abs_oldname);
rc = -ENOENT;
goto out;
}
@@ -5154,7 +5157,7 @@ static int smb2_rename(struct ksmbd_work *work, struct ksmbd_file *fp,
NULL, 0, 0);
if (rc < 0) {
ksmbd_err("failed to store stream name in xattr: %d\n",
- rc);
+ rc);
rc = -EINVAL;
goto out;
}
@@ -5182,7 +5185,7 @@ static int smb2_rename(struct ksmbd_work *work, struct ksmbd_file *fp,
if (rc != -ENOTEMPTY)
rc = -EINVAL;
ksmbd_debug(SMB, "cannot delete %s, rc %d\n",
- new_name, rc);
+ new_name, rc);
goto out;
}
}
@@ -5191,7 +5194,7 @@ static int smb2_rename(struct ksmbd_work *work, struct ksmbd_file *fp,
strncmp(old_name, path.dentry->d_name.name, strlen(old_name))) {
rc = -EEXIST;
ksmbd_debug(SMB,
- "cannot rename already existing file\n");
+ "cannot rename already existing file\n");
goto out;
}
}
@@ -5205,9 +5208,10 @@ static int smb2_rename(struct ksmbd_work *work, struct ksmbd_file *fp,
}
static int smb2_create_link(struct ksmbd_work *work,
- struct ksmbd_share_config *share,
- struct smb2_file_link_info *file_info, struct file *filp,
- struct nls_table *local_nls)
+ struct ksmbd_share_config *share,
+ struct smb2_file_link_info *file_info,
+ struct file *filp,
+ struct nls_table *local_nls)
{
char *link_name = NULL, *target_name = NULL, *pathname = NULL;
struct path path;
@@ -5248,7 +5252,7 @@ static int smb2_create_link(struct ksmbd_work *work,
if (rc) {
rc = -EINVAL;
ksmbd_debug(SMB, "cannot delete %s\n",
- link_name);
+ link_name);
goto out;
}
}
@@ -5271,7 +5275,7 @@ static int smb2_create_link(struct ksmbd_work *work,
}
static int set_file_basic_info(struct ksmbd_file *fp, char *buf,
- struct ksmbd_share_config *share)
+ struct ksmbd_share_config *share)
{
struct smb2_file_all_info *file_info;
struct iattr attrs;
@@ -5335,7 +5339,7 @@ static int set_file_basic_info(struct ksmbd_file *fp, char *buf,
rc = ksmbd_vfs_set_dos_attrib_xattr(filp->f_path.dentry, &da);
if (rc)
ksmbd_debug(SMB,
- "failed to restore file attribute in EA\n");
+ "failed to restore file attribute in EA\n");
rc = 0;
}
@@ -5367,7 +5371,7 @@ static int set_file_basic_info(struct ksmbd_file *fp, char *buf,
}
static int set_file_allocation_info(struct ksmbd_work *work,
- struct ksmbd_file *fp, char *buf)
+ struct ksmbd_file *fp, char *buf)
{
/*
* TODO : It's working fine only when store dos attributes
@@ -5417,7 +5421,7 @@ static int set_file_allocation_info(struct ksmbd_work *work,
}
static int set_end_of_file_info(struct ksmbd_work *work, struct ksmbd_file *fp,
- char *buf)
+ char *buf)
{
struct smb2_file_eof_info *file_eof_info;
loff_t newsize;
@@ -5440,11 +5444,11 @@ static int set_end_of_file_info(struct ksmbd_work *work, struct ksmbd_file *fp,
*/
if (inode->i_sb->s_magic != MSDOS_SUPER_MAGIC) {
ksmbd_debug(SMB, "filename : %s truncated to newsize %lld\n",
- fp->filename, newsize);
+ fp->filename, newsize);
rc = ksmbd_vfs_truncate(work, NULL, fp, newsize);
if (rc) {
ksmbd_debug(SMB, "truncate failed! filename : %s err %d\n",
- fp->filename, rc);
+ fp->filename, rc);
if (rc != -EAGAIN)
rc = -EBADF;
return rc;
@@ -5454,7 +5458,7 @@ static int set_end_of_file_info(struct ksmbd_work *work, struct ksmbd_file *fp,
}
static int set_rename_info(struct ksmbd_work *work, struct ksmbd_file *fp,
- char *buf)
+ char *buf)
{
struct ksmbd_file *parent_fp;
@@ -5518,7 +5522,7 @@ static int set_file_position_info(struct ksmbd_file *fp, char *buf)
(fp->coption == FILE_NO_INTERMEDIATE_BUFFERING_LE &&
current_byte_offset & (sector_size - 1))) {
ksmbd_err("CurrentByteOffset is not valid : %llu\n",
- current_byte_offset);
+ current_byte_offset);
return -EINVAL;
}
@@ -5561,7 +5565,8 @@ static int set_file_mode_info(struct ksmbd_file *fp, char *buf)
* TODO: need to implement an error handling for STATUS_INFO_LENGTH_MISMATCH
*/
static int smb2_set_info_file(struct ksmbd_work *work, struct ksmbd_file *fp,
- int info_class, char *buf, struct ksmbd_share_config *share)
+ int info_class, char *buf,
+ struct ksmbd_share_config *share)
{
switch (info_class) {
case FILE_BASIC_INFORMATION:
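Review bot: the rewrapped smb2_set_info_file() prototype still takes `char *buf` with no length argument, and the TODO directly above it notes that STATUS_INFO_LENGTH_MISMATCH handling is missing. The handlers reached from this switch cast `buf` to fixed structures (for example `(struct smb2_file_link_info *)buf` in the next hunk), so a short client buffer is never rejected at this level. No change is needed for a formatting patch, but a follow-up that passes the buffer length down and checks it per info class would resolve the TODO.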
@@ -5576,20 +5581,20 @@ static int smb2_set_info_file(struct ksmbd_work *work, struct ksmbd_file *fp,
case FILE_RENAME_INFORMATION:
if (!test_tree_conn_flag(work->tcon, KSMBD_TREE_CONN_FLAG_WRITABLE)) {
ksmbd_debug(SMB,
- "User does not have write permission\n");
+ "User does not have write permission\n");
return -EACCES;
}
return set_rename_info(work, fp, buf);
case FILE_LINK_INFORMATION:
return smb2_create_link(work, work->tcon->share_conf,
- (struct smb2_file_link_info *)buf, fp->filp,
- work->sess->conn->local_nls);
+ (struct smb2_file_link_info *)buf, fp->filp,
+ work->sess->conn->local_nls);
case FILE_DISPOSITION_INFORMATION:
if (!test_tree_conn_flag(work->tcon, KSMBD_TREE_CONN_FLAG_WRITABLE)) {
ksmbd_debug(SMB,
- "User does not have write permission\n");
+ "User does not have write permission\n");
return -EACCES;
}
return set_file_disposition_info(fp, buf);
@@ -5618,7 +5623,7 @@ static int smb2_set_info_file(struct ksmbd_work *work, struct ksmbd_file *fp,
}
static int smb2_set_info_sec(struct ksmbd_file *fp, int addition_info,
- char *buffer, int buf_len)
+ char *buffer, int buf_len)
{
struct smb_ntsd *pntsd = (struct smb_ntsd *)buffer;
@@ -5650,7 +5655,7 @@ int smb2_set_info(struct ksmbd_work *work)
rsp = RESPONSE_BUF_NEXT(work);
if (!HAS_FILE_ID(le64_to_cpu(req->VolatileFileId))) {
ksmbd_debug(SMB, "Compound request set FID = %u\n",
- work->compound_fid);
+ work->compound_fid);
id = work->compound_fid;
pid = work->compound_pfid;
}
@@ -5680,8 +5685,9 @@ int smb2_set_info(struct ksmbd_work *work)
case SMB2_O_INFO_SECURITY:
ksmbd_debug(SMB, "GOT SMB2_O_INFO_SECURITY\n");
rc = smb2_set_info_sec(fp,
- le32_to_cpu(req->AdditionalInformation), req->Buffer,
- le32_to_cpu(req->BufferLength));
+ le32_to_cpu(req->AdditionalInformation),
+ req->Buffer,
+ le32_to_cpu(req->BufferLength));
break;
default:
rc = -EOPNOTSUPP;
@@ -5716,8 +5722,7 @@ int smb2_set_info(struct ksmbd_work *work)
rsp->hdr.Status = STATUS_INVALID_INFO_CLASS;
smb2_set_err_rsp(work);
ksmbd_fd_put(work, fp);
- ksmbd_debug(SMB, "error while processing smb2 query rc = %d\n",
- rc);
+ ksmbd_debug(SMB, "error while processing smb2 query rc = %d\n", rc);
return rc;
}
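Review bot: the joined debug line in smb2_set_info() prints "error while processing smb2 query rc = %d", which is the same text smb2_query_info() uses earlier in this patch. With both paths logging the same string it is not possible to tell from the log which command failed. Suggest changing the wording here to say "set info".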
@@ -5753,7 +5758,7 @@ static noinline int smb2_read_pipe(struct ksmbd_work *work)
}
memcpy(work->aux_payload_buf, rpc_resp->payload,
- rpc_resp->payload_sz);
+ rpc_resp->payload_sz);
nbytes = rpc_resp->payload_sz;
work->resp_hdr_sz = get_rfc1002_len(rsp) + 4;
@@ -5778,7 +5783,8 @@ static noinline int smb2_read_pipe(struct ksmbd_work *work)
}
static ssize_t smb2_read_rdma_channel(struct ksmbd_work *work,
- struct smb2_read_req *req, void *data_buf, size_t length)
+ struct smb2_read_req *req, void *data_buf,
+ size_t length)
{
struct smb2_buffer_desc_v1 *desc =
(struct smb2_buffer_desc_v1 *)&req->Buffer[0];
@@ -5797,8 +5803,9 @@ static ssize_t smb2_read_rdma_channel(struct ksmbd_work *work,
work->remote_key = le32_to_cpu(desc->token);
err = ksmbd_conn_rdma_write(work->conn, data_buf, length,
- le32_to_cpu(desc->token), le64_to_cpu(desc->offset),
- le32_to_cpu(desc->length));
+ le32_to_cpu(desc->token),
+ le64_to_cpu(desc->offset),
+ le32_to_cpu(desc->length));
if (err)
return err;
@@ -5831,9 +5838,8 @@ int smb2_read(struct ksmbd_work *work)
return smb2_read_pipe(work);
}
- fp = ksmbd_lookup_fd_slow(work,
- le64_to_cpu(req->VolatileFileId),
- le64_to_cpu(req->PersistentFileId));
+ fp = ksmbd_lookup_fd_slow(work, le64_to_cpu(req->VolatileFileId),
+ le64_to_cpu(req->PersistentFileId));
if (!fp) {
err = -ENOENT;
goto out;
@@ -5857,7 +5863,7 @@ int smb2_read(struct ksmbd_work *work)
}
ksmbd_debug(SMB, "filename %s, offset %lld, len %zu\n", FP_FILENAME(fp),
- offset, length);
+ offset, length);
if (server_conf.flags & KSMBD_GLOBAL_FLAG_CACHE_RBUF) {
work->aux_payload_buf =
@@ -5890,13 +5896,14 @@ int smb2_read(struct ksmbd_work *work)
}
ksmbd_debug(SMB, "nbytes %zu, offset %lld mincount %zu\n",
- nbytes, offset, mincount);
+ nbytes, offset, mincount);
if (req->Channel == SMB2_CHANNEL_RDMA_V1_INVALIDATE ||
req->Channel == SMB2_CHANNEL_RDMA_V1) {
/* write data to the client using rdma channel */
remain_bytes = smb2_read_rdma_channel(work, req,
- work->aux_payload_buf, nbytes);
+ work->aux_payload_buf,
+ nbytes);
if (server_conf.flags & KSMBD_GLOBAL_FLAG_CACHE_RBUF)
ksmbd_release_buffer(work->aux_payload_buf);
else
@@ -5972,7 +5979,8 @@ static noinline int smb2_write_pipe(struct ksmbd_work *work)
if ((le16_to_cpu(req->DataOffset) > get_rfc1002_len(req)) ||
(le16_to_cpu(req->DataOffset) + length > get_rfc1002_len(req))) {
ksmbd_err("invalid write data offset %u, smb_len %u\n",
- le16_to_cpu(req->DataOffset), get_rfc1002_len(req));
+ le16_to_cpu(req->DataOffset),
+ get_rfc1002_len(req));
err = -EINVAL;
goto out;
}
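Review bot: the bounds check `le16_to_cpu(req->DataOffset) + length > get_rfc1002_len(req)` depends on the sum not wrapping, and the type of `length` is not visible in this hunk. If it is a narrow type fed from a client field, a comparison of the form `length > get_rfc1002_len(req) - DataOffset`, made after the first condition has passed, avoids that dependency. Separately, `ksmbd_err()` on a malformed client request can be triggered remotely at will, so a debug-level or rate-limited message would be preferable.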
@@ -6016,8 +6024,9 @@ static noinline int smb2_write_pipe(struct ksmbd_work *work)
}
static ssize_t smb2_write_rdma_channel(struct ksmbd_work *work,
- struct smb2_write_req *req, struct ksmbd_file *fp,
- loff_t offset, size_t length, bool sync)
+ struct smb2_write_req *req,
+ struct ksmbd_file *fp,
+ loff_t offset, size_t length, bool sync)
{
struct smb2_buffer_desc_v1 *desc;
char *data_buf;
@@ -6046,9 +6055,9 @@ static ssize_t smb2_write_rdma_channel(struct ksmbd_work *work,
return -ENOMEM;
ret = ksmbd_conn_rdma_read(work->conn, data_buf, length,
- le32_to_cpu(desc->token),
- le64_to_cpu(desc->offset),
- le32_to_cpu(desc->length));
+ le32_to_cpu(desc->token),
+ le64_to_cpu(desc->offset),
+ le32_to_cpu(desc->length));
if (ret < 0) {
kvfree(data_buf);
return ret;
@@ -6095,7 +6104,7 @@ int smb2_write(struct ksmbd_work *work)
}
fp = ksmbd_lookup_fd_slow(work, le64_to_cpu(req->VolatileFileId),
- le64_to_cpu(req->PersistentFileId));
+ le64_to_cpu(req->PersistentFileId));
if (!fp) {
err = -ENOENT;
goto out;
@@ -6123,14 +6132,14 @@ int smb2_write(struct ksmbd_work *work)
if (req->Channel != SMB2_CHANNEL_RDMA_V1 &&
req->Channel != SMB2_CHANNEL_RDMA_V1_INVALIDATE) {
if (le16_to_cpu(req->DataOffset) ==
- (offsetof(struct smb2_write_req, Buffer) - 4)) {
+ (offsetof(struct smb2_write_req, Buffer) - 4)) {
data_buf = (char *)&req->Buffer[0];
} else {
if ((le16_to_cpu(req->DataOffset) > get_rfc1002_len(req)) ||
(le16_to_cpu(req->DataOffset) + length > get_rfc1002_len(req))) {
ksmbd_err("invalid write data offset %u, smb_len %u\n",
- le16_to_cpu(req->DataOffset),
- get_rfc1002_len(req));
+ le16_to_cpu(req->DataOffset),
+ get_rfc1002_len(req));
err = -EINVAL;
goto out;
}
@@ -6144,7 +6153,7 @@ int smb2_write(struct ksmbd_work *work)
writethrough = true;
ksmbd_debug(SMB, "filename %s, offset %lld, len %zu\n",
- FP_FILENAME(fp), offset, length);
+ FP_FILENAME(fp), offset, length);
err = ksmbd_vfs_write(work, fp, data_buf, length, &offset,
writethrough, &nbytes);
if (err < 0)
@@ -6154,8 +6163,8 @@ int smb2_write(struct ksmbd_work *work)
* write the data.
*/
nbytes = smb2_write_rdma_channel(work, req, fp, offset,
- le32_to_cpu(req->RemainingBytes),
- writethrough);
+ le32_to_cpu(req->RemainingBytes),
+ writethrough);
if (nbytes < 0) {
err = (int)nbytes;
goto out;
@@ -6209,7 +6218,7 @@ int smb2_flush(struct ksmbd_work *work)
WORK_BUFFERS(work, req, rsp);
ksmbd_debug(SMB, "SMB2_FLUSH called for fid %llu\n",
- le64_to_cpu(req->VolatileFileId));
+ le64_to_cpu(req->VolatileFileId));
err = ksmbd_vfs_fsync(work,
le64_to_cpu(req->VolatileFileId),
@@ -6248,7 +6257,7 @@ int smb2_cancel(struct ksmbd_work *work)
struct list_head *command_list;
ksmbd_debug(SMB, "smb2 cancel called on mid %llu, async flags 0x%x\n",
- hdr->MessageId, hdr->Flags);
+ hdr->MessageId, hdr->Flags);
if (hdr->Flags & SMB2_FLAGS_ASYNC_COMMAND) {
command_list = &conn->async_requests;
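Review bot: the first debug call in smb2_cancel() prints `hdr->MessageId, hdr->Flags` raw, while the later hunks in the same function print `le64_to_cpu(hdr->MessageId)` and `le64_to_cpu(hdr->Id.AsyncId)`. If these header fields are little-endian wire types, the raw print shows byte-swapped values on big-endian hosts and should trip sparse. Suggest converting here as well so the log output is consistent across the function.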
@@ -6256,7 +6265,7 @@ int smb2_cancel(struct ksmbd_work *work)
spin_lock(&conn->request_lock);
list_for_each(tmp, command_list) {
cancel_work = list_entry(tmp, struct ksmbd_work,
- async_request_entry);
+ async_request_entry);
chdr = cancel_work->request_buf;
if (cancel_work->async_id !=
@@ -6264,9 +6273,9 @@ int smb2_cancel(struct ksmbd_work *work)
continue;
ksmbd_debug(SMB,
- "smb2 with AsyncId %llu cancelled command = 0x%x\n",
- le64_to_cpu(hdr->Id.AsyncId),
- le16_to_cpu(chdr->Command));
+ "smb2 with AsyncId %llu cancelled command = 0x%x\n",
+ le64_to_cpu(hdr->Id.AsyncId),
+ le16_to_cpu(chdr->Command));
canceled = 1;
break;
}
@@ -6277,7 +6286,7 @@ int smb2_cancel(struct ksmbd_work *work)
spin_lock(&conn->request_lock);
list_for_each(tmp, command_list) {
cancel_work = list_entry(tmp, struct ksmbd_work,
- request_entry);
+ request_entry);
chdr = cancel_work->request_buf;
if (chdr->MessageId != hdr->MessageId ||
@@ -6285,9 +6294,9 @@ int smb2_cancel(struct ksmbd_work *work)
continue;
ksmbd_debug(SMB,
- "smb2 with mid %llu cancelled command = 0x%x\n",
- le64_to_cpu(hdr->MessageId),
- le16_to_cpu(chdr->Command));
+ "smb2 with mid %llu cancelled command = 0x%x\n",
+ le64_to_cpu(hdr->MessageId),
+ le16_to_cpu(chdr->Command));
canceled = 1;
break;
}
@@ -6346,13 +6355,13 @@ static int smb2_set_flock_flags(struct file_lock *flock, int flags)
break;
case SMB2_LOCKFLAG_SHARED | SMB2_LOCKFLAG_FAIL_IMMEDIATELY:
ksmbd_debug(SMB,
- "received shared & fail immediately request\n");
+ "received shared & fail immediately request\n");
cmd = F_SETLK;
flock->fl_type = F_RDLCK;
break;
case SMB2_LOCKFLAG_EXCLUSIVE | SMB2_LOCKFLAG_FAIL_IMMEDIATELY:
ksmbd_debug(SMB,
- "received exclusive & fail immediately request\n");
+ "received exclusive & fail immediately request\n");
cmd = F_SETLK;
flock->fl_type = F_WRLCK;
break;
@@ -6367,7 +6376,8 @@ static int smb2_set_flock_flags(struct file_lock *flock, int flags)
}
static struct ksmbd_lock *smb2_lock_init(struct file_lock *flock,
- unsigned int cmd, int flags, struct list_head *lock_list)
+ unsigned int cmd, int flags,
+ struct list_head *lock_list)
{
struct ksmbd_lock *lock;
@@ -6430,11 +6440,11 @@ int smb2_lock(struct ksmbd_work *work)
ksmbd_debug(SMB, "Received lock request\n");
fp = ksmbd_lookup_fd_slow(work,
- le64_to_cpu(req->VolatileFileId),
- le64_to_cpu(req->PersistentFileId));
+ le64_to_cpu(req->VolatileFileId),
+ le64_to_cpu(req->PersistentFileId));
if (!fp) {
ksmbd_debug(SMB, "Invalid file id for lock : %llu\n",
- le64_to_cpu(req->VolatileFileId));
+ le64_to_cpu(req->VolatileFileId));
rsp->hdr.Status = STATUS_FILE_CLOSED;
goto out2;
}
@@ -6444,7 +6454,7 @@ int smb2_lock(struct ksmbd_work *work)
lock_ele = req->locks;
ksmbd_debug(SMB, "lock count is %d\n", lock_count);
- if (!lock_count) {
+ if (!lock_count) {
rsp->hdr.Status = STATUS_INVALID_PARAMETER;
goto out2;
}
@@ -6481,8 +6491,8 @@ int smb2_lock(struct ksmbd_work *work)
if (flock->fl_end < flock->fl_start) {
ksmbd_debug(SMB,
- "the end offset(%llx) is smaller than the start offset(%llx)\n",
- flock->fl_end, flock->fl_start);
+ "the end offset(%llx) is smaller than the start offset(%llx)\n",
+ flock->fl_end, flock->fl_start);
rsp->hdr.Status = STATUS_INVALID_LOCK_RANGE;
goto out;
}
@@ -6621,9 +6631,9 @@ int smb2_lock(struct ksmbd_work *work)
void **argv;
ksmbd_debug(SMB,
- "would have to wait for getting lock\n");
+ "would have to wait for getting lock\n");
list_add_tail(&smb_lock->glist,
- &global_lock_list);
+ &global_lock_list);
list_add(&smb_lock->llist, &rollback_list);
argv = kmalloc(sizeof(void *), GFP_KERNEL);
@@ -6634,7 +6644,8 @@ int smb2_lock(struct ksmbd_work *work)
argv[0] = flock;
err = setup_async_work(work,
- smb2_remove_blocked_lock, argv);
+ smb2_remove_blocked_lock,
+ argv);
if (err) {
rsp->hdr.Status =
STATUS_INSUFFICIENT_RESOURCES;
@@ -6661,7 +6672,7 @@ int smb2_lock(struct ksmbd_work *work)
STATUS_CANCELLED;
kfree(smb_lock);
smb2_send_interim_resp(work,
- STATUS_CANCELLED);
+ STATUS_CANCELLED);
work->send_no_response = 1;
goto out;
}
@@ -6681,7 +6692,7 @@ int smb2_lock(struct ksmbd_work *work)
goto retry;
} else if (!err) {
list_add_tail(&smb_lock->glist,
- &global_lock_list);
+ &global_lock_list);
list_add(&smb_lock->llist, &rollback_list);
ksmbd_debug(SMB, "successful in taking lock\n");
} else {
@@ -6734,7 +6745,7 @@ int smb2_lock(struct ksmbd_work *work)
}
static int fsctl_copychunk(struct ksmbd_work *work, struct smb2_ioctl_req *req,
- struct smb2_ioctl_rsp *rsp)
+ struct smb2_ioctl_rsp *rsp)
{
struct copychunk_ioctl_req *ci_req;
struct copychunk_ioctl_rsp *ci_rsp;
@@ -6785,10 +6796,10 @@ static int fsctl_copychunk(struct ksmbd_work *work, struct smb2_ioctl_req *req,
}
src_fp = ksmbd_lookup_foreign_fd(work,
- le64_to_cpu(ci_req->ResumeKey[0]));
+ le64_to_cpu(ci_req->ResumeKey[0]));
dst_fp = ksmbd_lookup_fd_slow(work,
- le64_to_cpu(req->VolatileFileId),
- le64_to_cpu(req->PersistentFileId));
+ le64_to_cpu(req->VolatileFileId),
+ le64_to_cpu(req->PersistentFileId));
ret = -EINVAL;
if (!src_fp ||
src_fp->persistent_id != le64_to_cpu(ci_req->ResumeKey[1])) {
@@ -6805,16 +6816,17 @@ static int fsctl_copychunk(struct ksmbd_work *work, struct smb2_ioctl_req *req,
* FILE_READ_DATA should only be included in
* the FSCTL_COPYCHUNK case
*/
- if (cnt_code == FSCTL_COPYCHUNK && !(dst_fp->daccess &
- (FILE_READ_DATA_LE | FILE_GENERIC_READ_LE))) {
+ if (cnt_code == FSCTL_COPYCHUNK &&
+ !(dst_fp->daccess & (FILE_READ_DATA_LE | FILE_GENERIC_READ_LE))) {
rsp->hdr.Status = STATUS_ACCESS_DENIED;
goto out;
}
ret = ksmbd_vfs_copy_file_ranges(work, src_fp, dst_fp,
- chunks, chunk_count,
- &chunk_count_written, &chunk_size_written,
- &total_size_written);
+ chunks, chunk_count,
+ &chunk_count_written,
+ &chunk_size_written,
+ &total_size_written);
if (ret < 0) {
if (ret == -EACCES)
rsp->hdr.Status = STATUS_ACCESS_DENIED;
@@ -6862,7 +6874,8 @@ static __be32 idev_ipv4_address(struct in_device *idev)
}
static int fsctl_query_iface_info_ioctl(struct ksmbd_conn *conn,
- struct smb2_ioctl_req *req, struct smb2_ioctl_rsp *rsp)
+ struct smb2_ioctl_req *req,
+ struct smb2_ioctl_rsp *rsp)
{
struct network_interface_info_ioctl_rsp *nii_rsp = NULL;
int nbytes = 0;
@@ -6905,7 +6918,7 @@ static int fsctl_query_iface_info_ioctl(struct ksmbd_conn *conn,
speed = cmd.base.speed;
} else {
ksmbd_err("%s %s\n", netdev->name,
- "speed is unknown, defaulting to 1Gb/sec");
+ "speed is unknown, defaulting to 1Gb/sec");
speed = SPEED_1000;
}
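Review bot: `ksmbd_err("%s %s\n", netdev->name, "speed is unknown, defaulting to 1Gb/sec");` passes a constant string through a second `%s`. Folding it into the format string, as in `"%s speed is unknown, defaulting to 1Gb/sec\n"`, is simpler and removes the continuation line this hunk re-indents. Falling back to a default speed is also not an error condition, so a lower log level may fit better.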
@@ -6969,14 +6982,14 @@ static int fsctl_query_iface_info_ioctl(struct ksmbd_conn *conn,
}
static int fsctl_validate_negotiate_info(struct ksmbd_conn *conn,
- struct validate_negotiate_info_req *neg_req,
- struct validate_negotiate_info_rsp *neg_rsp)
+ struct validate_negotiate_info_req *neg_req,
+ struct validate_negotiate_info_rsp *neg_rsp)
{
int ret = 0;
int dialect;
dialect = ksmbd_lookup_dialect_by_id(neg_req->Dialects,
- neg_req->DialectCount);
+ neg_req->DialectCount);
if (dialect == BAD_PROT_ID || dialect != conn->dialect) {
ret = -EINVAL;
goto err_out;
@@ -7006,9 +7019,9 @@ static int fsctl_validate_negotiate_info(struct ksmbd_conn *conn,
}
static int fsctl_query_allocated_ranges(struct ksmbd_work *work, u64 id,
- struct file_allocated_range_buffer *qar_req,
- struct file_allocated_range_buffer *qar_rsp,
- int in_count, int *out_count)
+ struct file_allocated_range_buffer *qar_req,
+ struct file_allocated_range_buffer *qar_rsp,
+ int in_count, int *out_count)
{
struct ksmbd_file *fp;
loff_t start, length;
@@ -7026,7 +7039,7 @@ static int fsctl_query_allocated_ranges(struct ksmbd_work *work, u64 id,
length = le64_to_cpu(qar_req->length);
ret = ksmbd_vfs_fqar_lseek(fp, start, length,
- qar_rsp, in_count, out_count);
+ qar_rsp, in_count, out_count);
if (ret && ret != -E2BIG)
*out_count = 0;
@@ -7035,15 +7048,15 @@ static int fsctl_query_allocated_ranges(struct ksmbd_work *work, u64 id,
}
static int fsctl_pipe_transceive(struct ksmbd_work *work, u64 id,
- int out_buf_len, struct smb2_ioctl_req *req,
- struct smb2_ioctl_rsp *rsp)
+ int out_buf_len, struct smb2_ioctl_req *req,
+ struct smb2_ioctl_rsp *rsp)
{
struct ksmbd_rpc_command *rpc_resp;
char *data_buf = (char *)&req->Buffer[0];
int nbytes = 0;
rpc_resp = ksmbd_rpc_ioctl(work->sess, id, data_buf,
- le32_to_cpu(req->InputCount));
+ le32_to_cpu(req->InputCount));
if (rpc_resp) {
if (rpc_resp->flags == KSMBD_RPC_SOME_NOT_MAPPED) {
/*
@@ -7079,7 +7092,7 @@ static int fsctl_pipe_transceive(struct ksmbd_work *work, u64 id,
}
static inline int fsctl_set_sparse(struct ksmbd_work *work, u64 id,
- struct file_sparse *sparse)
+ struct file_sparse *sparse)
{
struct ksmbd_file *fp;
int ret = 0;
@@ -7116,14 +7129,14 @@ static inline int fsctl_set_sparse(struct ksmbd_work *work, u64 id,
}
static int fsctl_request_resume_key(struct ksmbd_work *work,
- struct smb2_ioctl_req *req,
- struct resume_key_ioctl_rsp *key_rsp)
+ struct smb2_ioctl_req *req,
+ struct resume_key_ioctl_rsp *key_rsp)
{
struct ksmbd_file *fp;
fp = ksmbd_lookup_fd_slow(work,
- le64_to_cpu(req->VolatileFileId),
- le64_to_cpu(req->PersistentFileId));
+ le64_to_cpu(req->VolatileFileId),
+ le64_to_cpu(req->PersistentFileId));
if (!fp)
return -ENOENT;
@@ -7157,7 +7170,7 @@ int smb2_ioctl(struct ksmbd_work *work)
rsp = RESPONSE_BUF_NEXT(work);
if (!HAS_FILE_ID(le64_to_cpu(req->VolatileFileId))) {
ksmbd_debug(SMB, "Compound request set FID = %u\n",
- work->compound_fid);
+ work->compound_fid);
id = work->compound_fid;
}
} else {
@@ -7233,7 +7246,7 @@ int smb2_ioctl(struct ksmbd_work *work)
}
ret = fsctl_request_resume_key(work, req,
- (struct resume_key_ioctl_rsp *)&rsp->Buffer[0]);
+ (struct resume_key_ioctl_rsp *)&rsp->Buffer[0]);
if (ret < 0)
goto out;
rsp->PersistentFileId = req->PersistentFileId;
@@ -7244,7 +7257,7 @@ int smb2_ioctl(struct ksmbd_work *work)
case FSCTL_COPYCHUNK_WRITE:
if (!test_tree_conn_flag(work->tcon, KSMBD_TREE_CONN_FLAG_WRITABLE)) {
ksmbd_debug(SMB,
- "User does not have write permission\n");
+ "User does not have write permission\n");
ret = -EACCES;
goto out;
}
@@ -7259,7 +7272,7 @@ int smb2_ioctl(struct ksmbd_work *work)
break;
case FSCTL_SET_SPARSE:
ret = fsctl_set_sparse(work, id,
- (struct file_sparse *)&req->Buffer[0]);
+ (struct file_sparse *)&req->Buffer[0]);
if (ret < 0)
goto out;
break;
@@ -7271,7 +7284,7 @@ int smb2_ioctl(struct ksmbd_work *work)
if (!test_tree_conn_flag(work->tcon, KSMBD_TREE_CONN_FLAG_WRITABLE)) {
ksmbd_debug(SMB,
- "User does not have write permission\n");
+ "User does not have write permission\n");
ret = -EACCES;
goto out;
}
@@ -7338,7 +7351,7 @@ int smb2_ioctl(struct ksmbd_work *work)
dup_ext = (struct duplicate_extents_to_file *)&req->Buffer[0];
fp_in = ksmbd_lookup_fd_slow(work, dup_ext->VolatileFileHandle,
- dup_ext->PersistentFileHandle);
+ dup_ext->PersistentFileHandle);
if (!fp_in) {
ksmbd_err("not found file handle in duplicate extent to file\n");
ret = -ENOENT;
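Review bot: the ksmbd_lookup_fd_slow() call for fp_in passes dup_ext->VolatileFileHandle and dup_ext->PersistentFileHandle without le64_to_cpu(), while the other ksmbd_lookup_fd_slow() calls in this patch convert req->VolatileFileId and req->PersistentFileId first, and the next hunk converts TargetFileOffset and ByteCount from the same dup_ext structure. If the handle fields are little-endian on the wire, wrap them in le64_to_cpu() so the lookup uses the same ids on big-endian hosts.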
@@ -7356,13 +7369,13 @@ int smb2_ioctl(struct ksmbd_work *work)
dst_off = le64_to_cpu(dup_ext->TargetFileOffset);
length = le64_to_cpu(dup_ext->ByteCount);
cloned = vfs_clone_file_range(fp_in->filp, src_off, fp_out->filp,
- dst_off, length, 0);
+ dst_off, length, 0);
if (cloned == -EXDEV || cloned == -EOPNOTSUPP) {
ret = -EOPNOTSUPP;
goto dup_ext_out;
} else if (cloned != length) {
cloned = ksmbd_vfs_copy_file_range(fp_in->filp, src_off,
- fp_out->filp, dst_off, length);
+ fp_out->filp, dst_off, length);
if (cloned != length) {
if (cloned < 0)
ret = cloned;
@@ -7380,7 +7393,7 @@ int smb2_ioctl(struct ksmbd_work *work)
}
default:
ksmbd_debug(SMB, "not implemented yet ioctl command 0x%x\n",
- cnt_code);
+ cnt_code);
ret = -EOPNOTSUPP;
goto out;
}
@@ -7508,7 +7521,7 @@ static void smb20_oplock_break_ack(struct ksmbd_work *work)
break;
default:
ksmbd_err("unknown oplock change 0x%x -> 0x%x\n",
- opinfo->level, rsp_oplevel);
+ opinfo->level, rsp_oplevel);
}
if (ret < 0) {
@@ -7573,7 +7586,7 @@ static void smb21_lease_break_ack(struct ksmbd_work *work)
struct lease *lease;
ksmbd_debug(OPLOCK, "smb21 lease break, lease state(0x%x)\n",
- le32_to_cpu(req->LeaseState));
+ le32_to_cpu(req->LeaseState));
opinfo = lookup_lease_in_table(conn, req->LeaseKey);
if (!opinfo) {
ksmbd_debug(OPLOCK, "file not opened\n");
@@ -7585,7 +7598,7 @@ static void smb21_lease_break_ack(struct ksmbd_work *work)
if (opinfo->op_state == OPLOCK_STATE_NONE) {
ksmbd_err("unexpected lease break state 0x%x\n",
- opinfo->op_state);
+ opinfo->op_state);
rsp->hdr.Status = STATUS_UNSUCCESSFUL;
goto err_out;
}
@@ -7593,8 +7606,8 @@ static void smb21_lease_break_ack(struct ksmbd_work *work)
if (check_lease_state(lease, req->LeaseState)) {
rsp->hdr.Status = STATUS_REQUEST_NOT_ACCEPTED;
ksmbd_debug(OPLOCK,
- "req lease state: 0x%x, expected state: 0x%x\n",
- req->LeaseState, lease->new_state);
+ "req lease state: 0x%x, expected state: 0x%x\n",
+ req->LeaseState, lease->new_state);
goto err_out;
}
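Review bot: the ksmbd_debug() call in the check_lease_state() branch prints req->LeaseState raw with 0x%x, whereas every other debug call in smb21_lease_break_ack() touched by this patch wraps it in le32_to_cpu(). Convert it here too, so the logged request state reads the same as in the neighbouring messages on big-endian builds.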
@@ -7604,23 +7617,23 @@ static void smb21_lease_break_ack(struct ksmbd_work *work)
}
/* check for bad lease state */
- if (req->LeaseState & (~(SMB2_LEASE_READ_CACHING_LE |
- SMB2_LEASE_HANDLE_CACHING_LE))) {
+ if (req->LeaseState &
+ (~(SMB2_LEASE_READ_CACHING_LE | SMB2_LEASE_HANDLE_CACHING_LE))) {
err = STATUS_INVALID_OPLOCK_PROTOCOL;
if (lease->state & SMB2_LEASE_WRITE_CACHING_LE)
lease_change_type = OPLOCK_WRITE_TO_NONE;
else
lease_change_type = OPLOCK_READ_TO_NONE;
ksmbd_debug(OPLOCK, "handle bad lease state 0x%x -> 0x%x\n",
- le32_to_cpu(lease->state),
- le32_to_cpu(req->LeaseState));
+ le32_to_cpu(lease->state),
+ le32_to_cpu(req->LeaseState));
} else if (lease->state == SMB2_LEASE_READ_CACHING_LE &&
req->LeaseState != SMB2_LEASE_NONE_LE) {
err = STATUS_INVALID_OPLOCK_PROTOCOL;
lease_change_type = OPLOCK_READ_TO_NONE;
ksmbd_debug(OPLOCK, "handle bad lease state 0x%x -> 0x%x\n",
- le32_to_cpu(lease->state),
- le32_to_cpu(req->LeaseState));
+ le32_to_cpu(lease->state),
+ le32_to_cpu(req->LeaseState));
} else {
/* valid lease state changes */
err = STATUS_INVALID_DEVICE_STATE;
@@ -7654,8 +7667,8 @@ static void smb21_lease_break_ack(struct ksmbd_work *work)
break;
default:
ksmbd_debug(OPLOCK, "unknown lease change 0x%x -> 0x%x\n",
- le32_to_cpu(lease->state),
- le32_to_cpu(req->LeaseState));
+ le32_to_cpu(lease->state),
+ le32_to_cpu(req->LeaseState));
}
lease_state = lease->state;
@@ -7709,7 +7722,7 @@ int smb2_oplock_break(struct ksmbd_work *work)
break;
default:
ksmbd_debug(OPLOCK, "invalid break cmd %d\n",
- le16_to_cpu(req->StructureSize));
+ le16_to_cpu(req->StructureSize));
rsp->hdr.Status = STATUS_INVALID_PARAMETER;
smb2_set_err_rsp(work);
}
@@ -7999,7 +8012,7 @@ void smb3_preauth_hash_rsp(struct ksmbd_work *work)
if (le16_to_cpu(req->Command) == SMB2_NEGOTIATE_HE)
ksmbd_gen_preauth_integrity_hash(conn, (char *)rsp,
- conn->preauth_info->Preauth_HashValue);
+ conn->preauth_info->Preauth_HashValue);
if (le16_to_cpu(rsp->Command) == SMB2_SESSION_SETUP_HE &&
sess && sess->state == SMB2_SESSION_IN_PROGRESS) {
@@ -8007,12 +8020,12 @@ void smb3_preauth_hash_rsp(struct ksmbd_work *work)
hash_value = sess->Preauth_HashValue;
ksmbd_gen_preauth_integrity_hash(conn, (char *)rsp,
- hash_value);
+ hash_value);
}
}
static void fill_transform_hdr(struct smb2_transform_hdr *tr_hdr, char *old_buf,
- __le16 cipher_type)
+ __le16 cipher_type)
{
struct smb2_hdr *hdr = (struct smb2_hdr *)old_buf;
unsigned int orig_len = get_rfc1002_len(old_buf);
@@ -8100,14 +8113,14 @@ int smb3_decrypt_req(struct ksmbd_work *work)
sess = ksmbd_session_lookup(conn, le64_to_cpu(tr_hdr->SessionId));
if (!sess) {
ksmbd_err("invalid session id(%llx) in transform header\n",
- le64_to_cpu(tr_hdr->SessionId));
+ le64_to_cpu(tr_hdr->SessionId));
return -ECONNABORTED;
}
- if (pdu_length + 4 < sizeof(struct smb2_transform_hdr) +
- sizeof(struct smb2_hdr)) {
+ if (pdu_length + 4 <
+ sizeof(struct smb2_transform_hdr) + sizeof(struct smb2_hdr)) {
ksmbd_err("Transform message is too small (%u)\n",
- pdu_length);
+ pdu_length);
return -ECONNABORTED;
}
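Review bot: in smb3_decrypt_req() the session lookup reads tr_hdr->SessionId before the "Transform message is too small" test on pdu_length runs, so the header field is consumed before the PDU is known to be large enough to contain it. Move the size check above ksmbd_session_lookup() so nothing in the transform header is read from a short message.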
diff --git a/fs/cifsd/smb_common.c b/fs/cifsd/smb_common.c
index 985171cbf192..039030968b50 100644
--- a/fs/cifsd/smb_common.c
+++ b/fs/cifsd/smb_common.c
@@ -98,7 +98,7 @@ int ksmbd_lookup_protocol_idx(char *str)
while (offt >= 0) {
if (!strncmp(str, smb_protos[offt].prot, len)) {
ksmbd_debug(SMB, "selected %s dialect idx = %d\n",
- smb_protos[offt].prot, offt);
+ smb_protos[offt].prot, offt);
return smb_protos[offt].index;
}
offt--;
@@ -156,7 +156,7 @@ static bool supported_protocol(int idx)
return true;
return (server_conf.min_protocol <= idx &&
- idx <= server_conf.max_protocol);
+ idx <= server_conf.max_protocol);
}
static char *next_dialect(char *dialect, int *next_off)
@@ -179,12 +179,12 @@ static int ksmbd_lookup_dialect_by_name(char *cli_dialects, __le16 byte_count)
do {
dialect = next_dialect(dialect, &next);
ksmbd_debug(SMB, "client requested dialect %s\n",
- dialect);
+ dialect);
if (!strcmp(dialect, smb_protos[i].name)) {
if (supported_protocol(smb_protos[i].index)) {
ksmbd_debug(SMB,
- "selected %s dialect\n",
- smb_protos[i].name);
+ "selected %s dialect\n",
+ smb_protos[i].name);
if (smb_protos[i].index == SMB1_PROT)
return seq_num;
return smb_protos[i].prot_id;
@@ -207,14 +207,14 @@ int ksmbd_lookup_dialect_by_id(__le16 *cli_dialects, __le16 dialects_count)
count = le16_to_cpu(dialects_count);
while (--count >= 0) {
ksmbd_debug(SMB, "client requested dialect 0x%x\n",
- le16_to_cpu(cli_dialects[count]));
+ le16_to_cpu(cli_dialects[count]));
if (le16_to_cpu(cli_dialects[count]) !=
smb_protos[i].prot_id)
continue;
if (supported_protocol(smb_protos[i].index)) {
ksmbd_debug(SMB, "selected %s dialect\n",
- smb_protos[i].name);
+ smb_protos[i].name);
return smb_protos[i].prot_id;
}
}
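Review bot: ksmbd_lookup_dialect_by_id() indexes cli_dialects[count] with a count taken straight from dialects_count, and nothing in this hunk bounds it against the size of the buffer holding the dialect array; the caller in fsctl_validate_negotiate_info() passes neg_req->DialectCount from the request. Either pass the available input length into this function or validate DialectCount against it in the caller before the loop reads the array.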
@@ -269,9 +269,12 @@ bool ksmbd_pdu_size_has_room(unsigned int pdu)
}
int ksmbd_populate_dot_dotdot_entries(struct ksmbd_work *work, int info_level,
- struct ksmbd_file *dir, struct ksmbd_dir_info *d_info,
- char *search_pattern, int (*fn)(struct ksmbd_conn *, int,
- struct ksmbd_dir_info *, struct ksmbd_kstat *))
+ struct ksmbd_file *dir,
+ struct ksmbd_dir_info *d_info,
+ char *search_pattern,
+ int (*fn)(struct ksmbd_conn *, int,
+ struct ksmbd_dir_info *,
+ struct ksmbd_kstat *))
{
int i, rc = 0;
struct ksmbd_conn *conn = work->conn;
@@ -297,8 +300,8 @@ int ksmbd_populate_dot_dotdot_entries(struct ksmbd_work *work, int info_level,
ksmbd_kstat.kstat = &kstat;
ksmbd_vfs_fill_dentry_attrs(work,
- dir->filp->f_path.dentry->d_parent,
- &ksmbd_kstat);
+ dir->filp->f_path.dentry->d_parent,
+ &ksmbd_kstat);
rc = fn(conn, info_level, d_info, &ksmbd_kstat);
if (rc)
break;
@@ -327,7 +330,7 @@ int ksmbd_populate_dot_dotdot_entries(struct ksmbd_work *work, int info_level,
* but the result is different with Windows 7's one. need to check.
*/
int ksmbd_extract_shortname(struct ksmbd_conn *conn, const char *longname,
- char *shortname)
+ char *shortname)
{
const char *p;
char base[9], extension[4];
@@ -390,7 +393,7 @@ int ksmbd_extract_shortname(struct ksmbd_conn *conn, const char *longname,
else
out[baselen + 4] = '\0';
smbConvertToUTF16((__le16 *)shortname, out, PATH_MAX,
- conn->local_nls, 0);
+ conn->local_nls, 0);
len = strlen(out) * 2;
return len;
}
@@ -398,7 +401,7 @@ int ksmbd_extract_shortname(struct ksmbd_conn *conn, const char *longname,
static int __smb2_negotiate(struct ksmbd_conn *conn)
{
return (conn->dialect >= SMB20_PROT_ID &&
- conn->dialect <= SMB311_PROT_ID);
+ conn->dialect <= SMB311_PROT_ID);
}
static int smb_handle_negotiate(struct ksmbd_work *work)
@@ -467,11 +470,11 @@ static const char * const shared_mode_errors[] = {
};
static void smb_shared_mode_error(int error, struct ksmbd_file *prev_fp,
- struct ksmbd_file *curr_fp)
+ struct ksmbd_file *curr_fp)
{
ksmbd_debug(SMB, "%s\n", shared_mode_errors[error]);
ksmbd_debug(SMB, "Current mode: 0x%x Desired mode: 0x%x\n",
- prev_fp->saccess, curr_fp->daccess);
+ prev_fp->saccess, curr_fp->daccess);
}
int ksmbd_smb_check_shared_mode(struct file *filp, struct ksmbd_file *curr_fp)
diff --git a/fs/cifsd/smbacl.c b/fs/cifsd/smbacl.c
index d65e853ab00f..63db8c015f9d 100644
--- a/fs/cifsd/smbacl.c
+++ b/fs/cifsd/smbacl.c
@@ -131,7 +131,7 @@ static void smb_copy_sid(struct smb_sid *dst, const struct smb_sid *src)
* bits to set can be: S_IRWXU, S_IRWXG or S_IRWXO ie 00700 or 00070 or 00007
*/
static umode_t access_flags_to_mode(struct smb_fattr *fattr, __le32 ace_flags,
- int type)
+ int type)
{
__u32 flags = le32_to_cpu(ace_flags);
umode_t mode = 0;
@@ -166,7 +166,7 @@ static umode_t access_flags_to_mode(struct smb_fattr *fattr, __le32 ace_flags,
* with either owner or group or everyone.
*/
static void mode_to_access_flags(umode_t mode, umode_t bits_to_use,
- __u32 *pace_flags)
+ __u32 *pace_flags)
{
/* reset access mask */
*pace_flags = 0x0;
@@ -187,12 +187,12 @@ static void mode_to_access_flags(umode_t mode, umode_t bits_to_use,
*pace_flags |= SET_FILE_EXEC_RIGHTS;
ksmbd_debug(SMB, "mode: %o, access flags now 0x%x\n",
- mode, *pace_flags);
+ mode, *pace_flags);
}
static __u16 fill_ace_for_sid(struct smb_ace *pntace,
- const struct smb_sid *psid, int type, int flags,
- umode_t mode, umode_t bits)
+ const struct smb_sid *psid, int type, int flags,
+ umode_t mode, umode_t bits)
{
int i;
__u16 size = 0;
@@ -255,7 +255,7 @@ void id_to_sid(unsigned int cid, uint sidtype, struct smb_sid *ssid)
}
static int sid_to_id(struct smb_sid *psid, uint sidtype,
- struct smb_fattr *fattr)
+ struct smb_fattr *fattr)
{
int rc = -EINVAL;
@@ -265,7 +265,7 @@ static int sid_to_id(struct smb_sid *psid, uint sidtype,
*/
if (unlikely(psid->num_subauth > SID_MAX_SUB_AUTHORITIES)) {
ksmbd_err("%s: %u subauthorities is too many!\n",
- __func__, psid->num_subauth);
+ __func__, psid->num_subauth);
return -EIO;
}
@@ -299,7 +299,7 @@ static int sid_to_id(struct smb_sid *psid, uint sidtype,
}
void posix_state_to_acl(struct posix_acl_state *state,
- struct posix_acl_entry *pace)
+ struct posix_acl_entry *pace)
{
int i;
@@ -364,8 +364,8 @@ void free_acl_state(struct posix_acl_state *state)
}
static void parse_dacl(struct smb_acl *pdacl, char *end_of_acl,
- struct smb_sid *pownersid, struct smb_sid *pgrpsid,
- struct smb_fattr *fattr)
+ struct smb_sid *pownersid, struct smb_sid *pgrpsid,
+ struct smb_fattr *fattr)
{
int i, ret;
int num_aces = 0;
@@ -388,8 +388,8 @@ static void parse_dacl(struct smb_acl *pdacl, char *end_of_acl,
}
ksmbd_debug(SMB, "DACL revision %d size %d num aces %d\n",
- le16_to_cpu(pdacl->revision), le16_to_cpu(pdacl->size),
- le32_to_cpu(pdacl->num_aces));
+ le16_to_cpu(pdacl->revision), le16_to_cpu(pdacl->size),
+ le32_to_cpu(pdacl->num_aces));
acl_base = (char *)pdacl;
acl_size = sizeof(struct smb_acl);
@@ -401,8 +401,7 @@ static void parse_dacl(struct smb_acl *pdacl, char *end_of_acl,
if (num_aces > ULONG_MAX / sizeof(struct smb_ace *))
return;
- ppace = kmalloc_array(num_aces, sizeof(struct smb_ace *),
- GFP_KERNEL);
+ ppace = kmalloc_array(num_aces, sizeof(struct smb_ace *), GFP_KERNEL);
if (!ppace)
return;
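Review bot: the guard `num_aces > ULONG_MAX / sizeof(struct smb_ace *)` directly above the kmalloc_array() call repeats the multiplication-overflow check that kmalloc_array() already performs, and it does not stop a large num_aces from driving a large allocation. A bound derived from the ACL length (end_of_acl is already a parameter of parse_dacl()) would make the check meaningful.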
@@ -433,7 +432,8 @@ static void parse_dacl(struct smb_acl *pdacl, char *end_of_acl,
break;
} else if (!compare_sids(&ppace[i]->sid, pownersid)) {
acl_mode = access_flags_to_mode(fattr,
- ppace[i]->access_req, ppace[i]->type);
+ ppace[i]->access_req,
+ ppace[i]->type);
acl_mode &= 0700;
if (!owner_found) {
@@ -445,7 +445,8 @@ static void parse_dacl(struct smb_acl *pdacl, char *end_of_acl,
ppace[i]->sid.sub_auth[ppace[i]->sid.num_subauth - 1] ==
DOMAIN_USER_RID_LE) {
acl_mode = access_flags_to_mode(fattr,
- ppace[i]->access_req, ppace[i]->type);
+ ppace[i]->access_req,
+ ppace[i]->type);
acl_mode &= 0070;
if (!group_found) {
mode &= ~(0070);
@@ -454,7 +455,8 @@ static void parse_dacl(struct smb_acl *pdacl, char *end_of_acl,
group_found = true;
} else if (!compare_sids(&ppace[i]->sid, &sid_everyone)) {
acl_mode = access_flags_to_mode(fattr,
- ppace[i]->access_req, ppace[i]->type);
+ ppace[i]->access_req,
+ ppace[i]->type);
acl_mode &= 0007;
if (!others_found) {
mode &= ~(0007);
@@ -471,12 +473,12 @@ static void parse_dacl(struct smb_acl *pdacl, char *end_of_acl,
struct smb_fattr temp_fattr;
acl_mode = access_flags_to_mode(fattr, ppace[i]->access_req,
- ppace[i]->type);
+ ppace[i]->type);
temp_fattr.cf_uid = INVALID_UID;
ret = sid_to_id(&ppace[i]->sid, SIDOWNER, &temp_fattr);
if (ret || uid_eq(temp_fattr.cf_uid, INVALID_UID)) {
ksmbd_err("%s: Error %d mapping Owner SID to uid\n",
- __func__, ret);
+ __func__, ret);
continue;
}
@@ -553,7 +555,8 @@ static void parse_dacl(struct smb_acl *pdacl, char *end_of_acl,
}
static void set_posix_acl_entries_dacl(struct smb_ace *pndace,
- struct smb_fattr *fattr, u32 *num_aces, u16 *size, u32 nt_aces_num)
+ struct smb_fattr *fattr, u32 *num_aces,
+ u16 *size, u32 nt_aces_num)
{
struct posix_acl_entry *pace;
struct smb_sid *sid;
@@ -665,8 +668,9 @@ static void set_posix_acl_entries_dacl(struct smb_ace *pndace,
}
static void set_ntacl_dacl(struct smb_acl *pndacl, struct smb_acl *nt_dacl,
- const struct smb_sid *pownersid, const struct smb_sid *pgrpsid,
- struct smb_fattr *fattr)
+ const struct smb_sid *pownersid,
+ const struct smb_sid *pgrpsid,
+ struct smb_fattr *fattr)
{
struct smb_ace *ntace, *pndace;
int nt_num_aces = le32_to_cpu(nt_dacl->num_aces), num_aces = 0;
@@ -711,7 +715,7 @@ static void set_mode_dacl(struct smb_acl *pndacl, struct smb_fattr *fattr)
else
sid = &sid_unix_users;
ace_size = fill_ace_for_sid(pace, sid, ACCESS_ALLOWED, 0,
- fattr->cf_mode, 0700);
+ fattr->cf_mode, 0700);
pace->sid.sub_auth[pace->sid.num_subauth++] = cpu_to_le32(uid);
pace->access_req |= FILE_DELETE_LE | FILE_DELETE_CHILD_LE;
pace->size = cpu_to_le16(ace_size + 4);
@@ -720,7 +724,7 @@ static void set_mode_dacl(struct smb_acl *pndacl, struct smb_fattr *fattr)
/* Group RID */
ace_size = fill_ace_for_sid(pace, &sid_unix_groups,
- ACCESS_ALLOWED, 0, fattr->cf_mode, 0070);
+ ACCESS_ALLOWED, 0, fattr->cf_mode, 0070);
pace->sid.sub_auth[pace->sid.num_subauth++] =
cpu_to_le32(from_kgid(&init_user_ns, fattr->cf_gid));
pace->size = cpu_to_le16(ace_size + 4);
@@ -733,20 +737,20 @@ static void set_mode_dacl(struct smb_acl *pndacl, struct smb_fattr *fattr)
/* creator owner */
size += fill_ace_for_sid(pace, &creator_owner, ACCESS_ALLOWED,
- 0x0b, fattr->cf_mode, 0700);
+ 0x0b, fattr->cf_mode, 0700);
pace->access_req |= FILE_DELETE_LE | FILE_DELETE_CHILD_LE;
pace = (struct smb_ace *)((char *)pndace + size);
/* creator group */
size += fill_ace_for_sid(pace, &creator_group, ACCESS_ALLOWED,
- 0x0b, fattr->cf_mode, 0070);
+ 0x0b, fattr->cf_mode, 0070);
pace = (struct smb_ace *)((char *)pndace + size);
num_aces = 5;
}
/* other */
size += fill_ace_for_sid(pace, &sid_everyone, ACCESS_ALLOWED, 0,
- fattr->cf_mode, 0007);
+ fattr->cf_mode, 0007);
out:
pndacl->num_aces = cpu_to_le32(num_aces);
@@ -769,7 +773,7 @@ static int parse_sid(struct smb_sid *psid, char *end_of_acl)
/* Convert CIFS ACL to POSIX form */
int parse_sec_desc(struct smb_ntsd *pntsd, int acl_len,
- struct smb_fattr *fattr)
+ struct smb_fattr *fattr)
{
int rc = 0;
struct smb_sid *owner_sid_ptr, *group_sid_ptr;
@@ -788,10 +792,10 @@ int parse_sec_desc(struct smb_ntsd *pntsd, int acl_len,
dacloffset = le32_to_cpu(pntsd->dacloffset);
dacl_ptr = (struct smb_acl *)((char *)pntsd + dacloffset);
ksmbd_debug(SMB,
- "revision %d type 0x%x ooffset 0x%x goffset 0x%x sacloffset 0x%x dacloffset 0x%x\n",
- pntsd->revision, pntsd->type, le32_to_cpu(pntsd->osidoffset),
- le32_to_cpu(pntsd->gsidoffset),
- le32_to_cpu(pntsd->sacloffset), dacloffset);
+ "revision %d type 0x%x ooffset 0x%x goffset 0x%x sacloffset 0x%x dacloffset 0x%x\n",
+ pntsd->revision, pntsd->type, le32_to_cpu(pntsd->osidoffset),
+ le32_to_cpu(pntsd->gsidoffset),
+ le32_to_cpu(pntsd->sacloffset), dacloffset);
pntsd_type = le16_to_cpu(pntsd->type);
if (!(pntsd_type & DACL_PRESENT)) {
@@ -811,7 +815,7 @@ int parse_sec_desc(struct smb_ntsd *pntsd, int acl_len,
rc = sid_to_id(owner_sid_ptr, SIDOWNER, fattr);
if (rc) {
ksmbd_err("%s: Error %d mapping Owner SID to uid\n",
- __func__, rc);
+ __func__, rc);
owner_sid_ptr = NULL;
}
}
@@ -820,19 +824,18 @@ int parse_sec_desc(struct smb_ntsd *pntsd, int acl_len,
rc = parse_sid(group_sid_ptr, end_of_acl);
if (rc) {
ksmbd_err("%s: Error %d mapping Owner SID to gid\n",
- __func__, rc);
+ __func__, rc);
return rc;
}
rc = sid_to_id(group_sid_ptr, SIDUNIX_GROUP, fattr);
if (rc) {
ksmbd_err("%s: Error %d mapping Group SID to gid\n",
- __func__, rc);
+ __func__, rc);
group_sid_ptr = NULL;
}
}
- if ((pntsd_type &
- (DACL_AUTO_INHERITED | DACL_AUTO_INHERIT_REQ)) ==
+ if ((pntsd_type & (DACL_AUTO_INHERITED | DACL_AUTO_INHERIT_REQ)) ==
(DACL_AUTO_INHERITED | DACL_AUTO_INHERIT_REQ))
pntsd->type |= cpu_to_le16(DACL_AUTO_INHERITED);
if (pntsd_type & DACL_PROTECTED)
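Review bot: the ksmbd_err() after parse_sid(group_sid_ptr, end_of_acl) reports "Error %d mapping Owner SID to gid", but the call that failed was parsing the group SID, and the sid_to_id() failure right below it already has its own "mapping Group SID to gid" message. Reword the first message (for example "Error %d parsing Group SID") so the two failure paths can be told apart in the log.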
@@ -840,7 +843,7 @@ int parse_sec_desc(struct smb_ntsd *pntsd, int acl_len,
if (dacloffset) {
parse_dacl(dacl_ptr, end_of_acl, owner_sid_ptr, group_sid_ptr,
- fattr);
+ fattr);
}
return 0;
@@ -848,7 +851,8 @@ int parse_sec_desc(struct smb_ntsd *pntsd, int acl_len,
/* Convert permission bits from mode to equivalent CIFS ACL */
int build_sec_desc(struct smb_ntsd *pntsd, struct smb_ntsd *ppntsd,
- int addition_info, __u32 *secdesclen, struct smb_fattr *fattr)
+ int addition_info, __u32 *secdesclen,
+ struct smb_fattr *fattr)
{
int rc = 0;
__u32 offset;
@@ -929,7 +933,7 @@ int build_sec_desc(struct smb_ntsd *pntsd, struct smb_ntsd *ppntsd,
}
static void smb_set_ace(struct smb_ace *ace, const struct smb_sid *sid, u8 type,
- u8 flags, __le32 access_req)
+ u8 flags, __le32 access_req)
{
ace->type = type;
ace->flags = flags;
@@ -939,7 +943,7 @@ static void smb_set_ace(struct smb_ace *ace, const struct smb_sid *sid, u8 type,
}
int smb_inherit_dacl(struct ksmbd_conn *conn, struct dentry *dentry,
- unsigned int uid, unsigned int gid)
+ unsigned int uid, unsigned int gid)
{
const struct smb_sid *psid, *creator = NULL;
struct smb_ace *parent_aces, *aces;
@@ -1003,7 +1007,7 @@ int smb_inherit_dacl(struct ksmbd_conn *conn, struct dentry *dentry,
if (is_dir && creator && flags & CONTAINER_INHERIT_ACE) {
smb_set_ace(aces, psid, parent_aces->type, inherited_flags,
- parent_aces->access_req);
+ parent_aces->access_req);
nt_size += le16_to_cpu(aces->size);
ace_cnt++;
aces = (struct smb_ace *)((char *)aces + le16_to_cpu(aces->size));
@@ -1014,7 +1018,7 @@ int smb_inherit_dacl(struct ksmbd_conn *conn, struct dentry *dentry,
}
smb_set_ace(aces, psid, parent_aces->type, flags | inherited_flags,
- parent_aces->access_req);
+ parent_aces->access_req);
nt_size += le16_to_cpu(aces->size);
aces = (struct smb_ace *)((char *)aces + le16_to_cpu(aces->size));
ace_cnt++;
@@ -1107,7 +1111,7 @@ bool smb_inherit_flags(int flags, bool is_dir)
}
int smb_check_perm_dacl(struct ksmbd_conn *conn, struct dentry *dentry,
- __le32 *pdaccess, int uid)
+ __le32 *pdaccess, int uid)
{
struct smb_ntsd *pntsd = NULL;
struct smb_acl *pdacl;
@@ -1243,10 +1247,10 @@ int smb_check_perm_dacl(struct ksmbd_conn *conn, struct dentry *dentry,
}
check_access_bits:
- if (granted & ~(access_bits | FILE_READ_ATTRIBUTES |
- READ_CONTROL | WRITE_DAC | DELETE)) {
+ if (granted &
+ ~(access_bits | FILE_READ_ATTRIBUTES | READ_CONTROL | WRITE_DAC | DELETE)) {
ksmbd_debug(SMB, "Access denied with winACL, granted : %x, access_req : %x\n",
- granted, le32_to_cpu(ace->access_req));
+ granted, le32_to_cpu(ace->access_req));
rc = -EACCES;
goto err_out;
}
@@ -1258,8 +1262,8 @@ int smb_check_perm_dacl(struct ksmbd_conn *conn, struct dentry *dentry,
}
int set_info_sec(struct ksmbd_conn *conn, struct ksmbd_tree_connect *tcon,
- struct dentry *dentry, struct smb_ntsd *pntsd, int ntsd_len,
- bool type_check)
+ struct dentry *dentry, struct smb_ntsd *pntsd, int ntsd_len,
+ bool type_check)
{
int rc;
struct smb_fattr fattr = {{0}};
@@ -1284,10 +1288,10 @@ int set_info_sec(struct ksmbd_conn *conn, struct ksmbd_tree_connect *tcon,
/* Update posix acls */
if (fattr.cf_dacls) {
rc = ksmbd_vfs_set_posix_acl(inode, ACL_TYPE_ACCESS,
- fattr.cf_acls);
+ fattr.cf_acls);
if (S_ISDIR(inode->i_mode) && fattr.cf_dacls)
rc = ksmbd_vfs_set_posix_acl(inode, ACL_TYPE_DEFAULT,
- fattr.cf_dacls);
+ fattr.cf_dacls);
}
/* Check it only calling from SD BUFFER context */
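Review bot: in the "Update posix acls" block the outer test is on fattr.cf_dacls while the first call installs fattr.cf_acls, so the access ACL is skipped whenever no default ACL is present, and the inner `&& fattr.cf_dacls` can never be false. The rc from the ACL_TYPE_ACCESS call is also overwritten by the ACL_TYPE_DEFAULT call on directories. Test fattr.cf_acls in the outer condition and check rc after each call.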
diff --git a/fs/cifsd/transport_ipc.c b/fs/cifsd/transport_ipc.c
index 78061fecf816..b09df832431f 100644
--- a/fs/cifsd/transport_ipc.c
+++ b/fs/cifsd/transport_ipc.c
@@ -269,7 +269,7 @@ static int handle_response(int type, void *payload, size_t sz)
*/
if (entry->type + 1 != type) {
ksmbd_err("Waiting for IPC type %d, got %d. Ignore.\n",
- entry->type + 1, type);
+ entry->type + 1, type);
}
entry->response = kvmalloc(sz, GFP_KERNEL | __GFP_ZERO);
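Review bot: the `entry->type + 1 != type` branch logs "Ignore." but then falls through to the kvmalloc() of entry->response, so a response of an unexpected IPC type is still stored for the waiting entry. If mismatched responses are meant to be dropped, skip the entry after the ksmbd_err() call; if they are meant to be accepted, the message should not say "Ignore".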
@@ -315,9 +315,8 @@ static int ipc_server_config_on_startup(struct ksmbd_startup_request *req)
req->ifc_list_sz);
if (ret) {
ksmbd_err("Server configuration error: %s %s %s\n",
- req->netbios_name,
- req->server_string,
- req->work_group);
+ req->netbios_name, req->server_string,
+ req->work_group);
return ret;
}
@@ -547,9 +546,9 @@ ksmbd_ipc_spnego_authen_request(const char *spnego_blob, int blob_len)
struct ksmbd_tree_connect_response *
ksmbd_ipc_tree_connect_request(struct ksmbd_session *sess,
- struct ksmbd_share_config *share,
- struct ksmbd_tree_connect *tree_conn,
- struct sockaddr *peer_addr)
+ struct ksmbd_share_config *share,
+ struct ksmbd_tree_connect *tree_conn,
+ struct sockaddr *peer_addr)
{
struct ksmbd_ipc_msg *msg;
struct ksmbd_tree_connect_request *req;
@@ -588,7 +587,7 @@ ksmbd_ipc_tree_connect_request(struct ksmbd_session *sess,
}
int ksmbd_ipc_tree_disconnect_request(unsigned long long session_id,
- unsigned long long connect_id)
+ unsigned long long connect_id)
{
struct ksmbd_ipc_msg *msg;
struct ksmbd_tree_disconnect_request *req;
@@ -700,7 +699,7 @@ struct ksmbd_rpc_command *ksmbd_rpc_close(struct ksmbd_session *sess, int handle
}
struct ksmbd_rpc_command *ksmbd_rpc_write(struct ksmbd_session *sess, int handle,
- void *payload, size_t payload_sz)
+ void *payload, size_t payload_sz)
{
struct ksmbd_ipc_msg *msg;
struct ksmbd_rpc_command *req;
@@ -748,7 +747,7 @@ struct ksmbd_rpc_command *ksmbd_rpc_read(struct ksmbd_session *sess, int handle)
}
struct ksmbd_rpc_command *ksmbd_rpc_ioctl(struct ksmbd_session *sess, int handle,
- void *payload, size_t payload_sz)
+ void *payload, size_t payload_sz)
{
struct ksmbd_ipc_msg *msg;
struct ksmbd_rpc_command *req;
@@ -773,7 +772,7 @@ struct ksmbd_rpc_command *ksmbd_rpc_ioctl(struct ksmbd_session *sess, int handle
}
struct ksmbd_rpc_command *ksmbd_rpc_rap(struct ksmbd_session *sess, void *payload,
- size_t payload_sz)
+ size_t payload_sz)
{
struct ksmbd_ipc_msg *msg;
struct ksmbd_rpc_command *req;
diff --git a/fs/cifsd/transport_ipc.h b/fs/cifsd/transport_ipc.h
index c3744ed7a085..523b4df2c783 100644
--- a/fs/cifsd/transport_ipc.h
+++ b/fs/cifsd/transport_ipc.h
@@ -23,31 +23,24 @@ ksmbd_ipc_tree_connect_request(struct ksmbd_session *sess,
struct ksmbd_share_config *share,
struct ksmbd_tree_connect *tree_conn,
struct sockaddr *peer_addr);
-
int ksmbd_ipc_tree_disconnect_request(unsigned long long session_id,
unsigned long long connect_id);
int ksmbd_ipc_logout_request(const char *account);
-
struct ksmbd_share_config_response *
ksmbd_ipc_share_config_request(const char *name);
-
struct ksmbd_spnego_authen_response *
ksmbd_ipc_spnego_authen_request(const char *spnego_blob, int blob_len);
-
int ksmbd_ipc_id_alloc(void);
void ksmbd_rpc_id_free(int handle);
-
struct ksmbd_rpc_command *ksmbd_rpc_open(struct ksmbd_session *sess, int handle);
struct ksmbd_rpc_command *ksmbd_rpc_close(struct ksmbd_session *sess, int handle);
-
struct ksmbd_rpc_command *ksmbd_rpc_write(struct ksmbd_session *sess, int handle,
- void *payload, size_t payload_sz);
+ void *payload, size_t payload_sz);
struct ksmbd_rpc_command *ksmbd_rpc_read(struct ksmbd_session *sess, int handle);
struct ksmbd_rpc_command *ksmbd_rpc_ioctl(struct ksmbd_session *sess, int handle,
- void *payload, size_t payload_sz);
+ void *payload, size_t payload_sz);
struct ksmbd_rpc_command *ksmbd_rpc_rap(struct ksmbd_session *sess, void *payload,
- size_t payload_sz);
-
+ size_t payload_sz);
void ksmbd_ipc_release(void);
void ksmbd_ipc_soft_reset(void);
int ksmbd_ipc_init(void);
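Review bot: besides re-aligning the continuation lines, this hunk deletes the blank lines that separated the groups of prototypes in transport_ipc.h (tree connect, share config, SPNEGO, id alloc, rpc). That is a different kind of change from the argument alignment done in the other hunks and makes the header harder to scan; keep the separators or split the removal into its own patch.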
diff --git a/fs/cifsd/transport_rdma.c b/fs/cifsd/transport_rdma.c
index 8174a97bade4..efaa9776841f 100644
--- a/fs/cifsd/transport_rdma.c
+++ b/fs/cifsd/transport_rdma.c
@@ -212,8 +212,9 @@ struct smb_direct_rdma_rw_msg {
static void smb_direct_destroy_pools(struct smb_direct_transport *transport);
static void smb_direct_post_recv_credits(struct work_struct *work);
static int smb_direct_post_send_data(struct smb_direct_transport *t,
- struct smb_direct_send_ctx *send_ctx,
- struct kvec *iov, int niov, int remaining_data_length);
+ struct smb_direct_send_ctx *send_ctx,
+ struct kvec *iov, int niov,
+ int remaining_data_length);
static inline void
*smb_direct_recvmsg_payload(struct smb_direct_recvmsg *recvmsg)
@@ -222,7 +223,7 @@ static inline void
}
static inline bool is_receive_credit_post_required(int receive_credits,
- int avail_recvmsg_count)
+ int avail_recvmsg_count)
{
return receive_credits <= (smb_direct_receive_credit_max >> 3) &&
avail_recvmsg_count >= (receive_credits >> 2);
@@ -245,10 +246,10 @@ smb_direct_recvmsg *get_free_recvmsg(struct smb_direct_transport *t)
}
static void put_recvmsg(struct smb_direct_transport *t,
- struct smb_direct_recvmsg *recvmsg)
+ struct smb_direct_recvmsg *recvmsg)
{
ib_dma_unmap_single(t->cm_id->device, recvmsg->sge.addr,
- recvmsg->sge.length, DMA_FROM_DEVICE);
+ recvmsg->sge.length, DMA_FROM_DEVICE);
spin_lock(&t->recvmsg_queue_lock);
list_add(&recvmsg->list, &t->recvmsg_queue);
@@ -263,7 +264,7 @@ smb_direct_recvmsg *get_empty_recvmsg(struct smb_direct_transport *t)
spin_lock(&t->empty_recvmsg_queue_lock);
if (!list_empty(&t->empty_recvmsg_queue)) {
recvmsg = list_first_entry(&t->empty_recvmsg_queue,
- struct smb_direct_recvmsg, list);
+ struct smb_direct_recvmsg, list);
list_del(&recvmsg->list);
}
spin_unlock(&t->empty_recvmsg_queue_lock);
@@ -271,10 +272,10 @@ smb_direct_recvmsg *get_empty_recvmsg(struct smb_direct_transport *t)
}
static void put_empty_recvmsg(struct smb_direct_transport *t,
- struct smb_direct_recvmsg *recvmsg)
+ struct smb_direct_recvmsg *recvmsg)
{
ib_dma_unmap_single(t->cm_id->device, recvmsg->sge.addr,
- recvmsg->sge.length, DMA_FROM_DEVICE);
+ recvmsg->sge.length, DMA_FROM_DEVICE);
spin_lock(&t->empty_recvmsg_queue_lock);
list_add_tail(&recvmsg->list, &t->empty_recvmsg_queue);
@@ -282,7 +283,8 @@ static void put_empty_recvmsg(struct smb_direct_transport *t,
}
static void enqueue_reassembly(struct smb_direct_transport *t,
- struct smb_direct_recvmsg *recvmsg, int data_length)
+ struct smb_direct_recvmsg *recvmsg,
+ int data_length)
{
spin_lock(&t->reassembly_queue_lock);
list_add_tail(&recvmsg->list, &t->reassembly_queue);
@@ -398,9 +400,9 @@ static void free_transport(struct smb_direct_transport *t)
ksmbd_debug(RDMA, "wait for all send posted to IB to finish\n");
wait_event(t->wait_send_payload_pending,
- atomic_read(&t->send_payload_pending) == 0);
+ atomic_read(&t->send_payload_pending) == 0);
wait_event(t->wait_send_pending,
- atomic_read(&t->send_pending) == 0);
+ atomic_read(&t->send_pending) == 0);
cancel_work_sync(&t->disconnect_work);
cancel_delayed_work_sync(&t->post_recv_credits_work);
@@ -454,18 +456,18 @@ static struct smb_direct_sendmsg
}
static void smb_direct_free_sendmsg(struct smb_direct_transport *t,
- struct smb_direct_sendmsg *msg)
+ struct smb_direct_sendmsg *msg)
{
int i;
if (msg->num_sge > 0) {
ib_dma_unmap_single(t->cm_id->device,
- msg->sge[0].addr, msg->sge[0].length,
- DMA_TO_DEVICE);
+ msg->sge[0].addr, msg->sge[0].length,
+ DMA_TO_DEVICE);
for (i = 1; i < msg->num_sge; i++)
ib_dma_unmap_page(t->cm_id->device,
- msg->sge[i].addr, msg->sge[i].length,
- DMA_TO_DEVICE);
+ msg->sge[i].addr, msg->sge[i].length,
+ DMA_TO_DEVICE);
}
mempool_free(msg, t->sendmsg_mempool);
}
@@ -479,24 +481,24 @@ static int smb_direct_check_recvmsg(struct smb_direct_recvmsg *recvmsg)
struct smb2_hdr *hdr = (struct smb2_hdr *)(recvmsg->packet
+ le32_to_cpu(req->data_offset) - 4);
ksmbd_debug(RDMA,
- "CreditGranted: %u, CreditRequested: %u, DataLength: %u, RemainingDataLength: %u, SMB: %x, Command: %u\n",
- le16_to_cpu(req->credits_granted),
- le16_to_cpu(req->credits_requested),
- req->data_length, req->remaining_data_length,
- hdr->ProtocolId, hdr->Command);
+ "CreditGranted: %u, CreditRequested: %u, DataLength: %u, RemainingDataLength: %u, SMB: %x, Command: %u\n",
+ le16_to_cpu(req->credits_granted),
+ le16_to_cpu(req->credits_requested),
+ req->data_length, req->remaining_data_length,
+ hdr->ProtocolId, hdr->Command);
break;
}
case SMB_DIRECT_MSG_NEGOTIATE_REQ: {
struct smb_direct_negotiate_req *req =
(struct smb_direct_negotiate_req *)recvmsg->packet;
ksmbd_debug(RDMA,
- "MinVersion: %u, MaxVersion: %u, CreditRequested: %u, MaxSendSize: %u, MaxRecvSize: %u, MaxFragmentedSize: %u\n",
- le16_to_cpu(req->min_version),
- le16_to_cpu(req->max_version),
- le16_to_cpu(req->credits_requested),
- le32_to_cpu(req->preferred_send_size),
- le32_to_cpu(req->max_receive_size),
- le32_to_cpu(req->max_fragmented_size));
+ "MinVersion: %u, MaxVersion: %u, CreditRequested: %u, MaxSendSize: %u, MaxRecvSize: %u, MaxFragmentedSize: %u\n",
+ le16_to_cpu(req->min_version),
+ le16_to_cpu(req->max_version),
+ le16_to_cpu(req->credits_requested),
+ le32_to_cpu(req->preferred_send_size),
+ le32_to_cpu(req->max_receive_size),
+ le32_to_cpu(req->max_fragmented_size));
if (le16_to_cpu(req->min_version) > 0x0100 ||
le16_to_cpu(req->max_version) < 0x0100)
return -EOPNOTSUPP;
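Review bot: in the first ksmbd_debug() call of this hunk, `req->data_length` and `req->remaining_data_length` are passed to %u without le32_to_cpu(), while the credit fields next to them are converted and smb_direct_create_header() converts the same two fields with le32_to_cpu(). On a big-endian host the logged lengths would be byte-swapped. Since the argument list is being re-indented anyway, wrap both in le32_to_cpu(). Also note that `hdr` is derived from the peer-supplied `data_offset` and dereferenced for this print; no bounds check against the received length is visible in this hunk, so please confirm one happens before this point.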
@@ -525,8 +527,8 @@ static void recv_done(struct ib_cq *cq, struct ib_wc *wc)
if (wc->status != IB_WC_SUCCESS || wc->opcode != IB_WC_RECV) {
if (wc->status != IB_WC_WR_FLUSH_ERR) {
ksmbd_err("Recv error. status='%s (%d)' opcode=%d\n",
- ib_wc_status_msg(wc->status), wc->status,
- wc->opcode);
+ ib_wc_status_msg(wc->status), wc->status,
+ wc->opcode);
smb_direct_disconnect_rdma_connection(t);
}
put_empty_recvmsg(t, recvmsg);
@@ -534,11 +536,11 @@ static void recv_done(struct ib_cq *cq, struct ib_wc *wc)
}
ksmbd_debug(RDMA, "Recv completed. status='%s (%d)', opcode=%d\n",
- ib_wc_status_msg(wc->status), wc->status,
- wc->opcode);
+ ib_wc_status_msg(wc->status), wc->status,
+ wc->opcode);
ib_dma_sync_single_for_cpu(wc->qp->device, recvmsg->sge.addr,
- recvmsg->sge.length, DMA_FROM_DEVICE);
+ recvmsg->sge.length, DMA_FROM_DEVICE);
switch (recvmsg->type) {
case SMB_DIRECT_MSG_NEGOTIATE_REQ:
@@ -580,10 +582,10 @@ static void recv_done(struct ib_cq *cq, struct ib_wc *wc)
t->recv_credit_target =
le16_to_cpu(data_transfer->credits_requested);
atomic_add(le16_to_cpu(data_transfer->credits_granted),
- &t->send_credits);
+ &t->send_credits);
if (le16_to_cpu(data_transfer->flags) &
- SMB_DIRECT_RESPONSE_REQUESTED)
+ SMB_DIRECT_RESPONSE_REQUESTED)
queue_work(smb_direct_wq, &t->send_immediate_work);
if (atomic_read(&t->send_credits) > 0)
@@ -591,7 +593,7 @@ static void recv_done(struct ib_cq *cq, struct ib_wc *wc)
if (is_receive_credit_post_required(receive_credits, avail_recvmsg_count))
mod_delayed_work(smb_direct_wq,
- &t->post_recv_credits_work, 0);
+ &t->post_recv_credits_work, 0);
break;
}
default:
@@ -600,14 +602,14 @@ static void recv_done(struct ib_cq *cq, struct ib_wc *wc)
}
static int smb_direct_post_recv(struct smb_direct_transport *t,
- struct smb_direct_recvmsg *recvmsg)
+ struct smb_direct_recvmsg *recvmsg)
{
struct ib_recv_wr wr;
int ret;
recvmsg->sge.addr = ib_dma_map_single(t->cm_id->device,
- recvmsg->packet, t->max_recv_size,
- DMA_FROM_DEVICE);
+ recvmsg->packet, t->max_recv_size,
+ DMA_FROM_DEVICE);
ret = ib_dma_mapping_error(t->cm_id->device, recvmsg->sge.addr);
if (ret)
return ret;
@@ -624,8 +626,8 @@ static int smb_direct_post_recv(struct smb_direct_transport *t,
if (ret) {
ksmbd_err("Can't post recv: %d\n", ret);
ib_dma_unmap_single(t->cm_id->device,
- recvmsg->sge.addr, recvmsg->sge.length,
- DMA_FROM_DEVICE);
+ recvmsg->sge.addr, recvmsg->sge.length,
+ DMA_FROM_DEVICE);
smb_direct_disconnect_rdma_connection(t);
return ret;
}
@@ -633,7 +635,7 @@ static int smb_direct_post_recv(struct smb_direct_transport *t,
}
static int smb_direct_read(struct ksmbd_transport *t, char *buf,
- unsigned int size)
+ unsigned int size)
{
struct smb_direct_recvmsg *recvmsg;
struct smb_direct_data_transfer *data_transfer;
@@ -692,14 +694,14 @@ static int smb_direct_read(struct ksmbd_transport *t, char *buf,
data_read = 4;
recvmsg->first_segment = false;
ksmbd_debug(RDMA,
- "returning rfc1002 length %d\n",
- rfc1002_len);
+ "returning rfc1002 length %d\n",
+ rfc1002_len);
goto read_rfc1002_done;
}
to_copy = min_t(int, data_length - offset, to_read);
memcpy(buf + data_read, (char *)data_transfer + data_offset + offset,
- to_copy);
+ to_copy);
/* move on to the next buffer? */
if (to_copy == data_length - offset) {
@@ -736,23 +738,24 @@ static int smb_direct_read(struct ksmbd_transport *t, char *buf,
if (is_receive_credit_post_required(st->recv_credits, st->count_avail_recvmsg)) {
spin_unlock(&st->receive_credit_lock);
mod_delayed_work(smb_direct_wq,
- &st->post_recv_credits_work, 0);
+ &st->post_recv_credits_work, 0);
} else {
spin_unlock(&st->receive_credit_lock);
}
st->first_entry_offset = offset;
ksmbd_debug(RDMA,
- "returning to thread data_read=%d reassembly_data_length=%d first_entry_offset=%d\n",
- data_read, st->reassembly_data_length,
- st->first_entry_offset);
+ "returning to thread data_read=%d reassembly_data_length=%d first_entry_offset=%d\n",
+ data_read, st->reassembly_data_length,
+ st->first_entry_offset);
read_rfc1002_done:
return data_read;
}
ksmbd_debug(RDMA, "wait_event on more data\n");
rc = wait_event_interruptible(st->wait_reassembly_queue,
- st->reassembly_data_length >= size || st->status != SMB_DIRECT_CS_CONNECTED);
+ st->reassembly_data_length >= size ||
+ st->status != SMB_DIRECT_CS_CONNECTED);
if (rc)
return -EINTR;
@@ -823,13 +826,13 @@ static void send_done(struct ib_cq *cq, struct ib_wc *wc)
t = sendmsg->transport;
ksmbd_debug(RDMA, "Send completed. status='%s (%d)', opcode=%d\n",
- ib_wc_status_msg(wc->status), wc->status,
- wc->opcode);
+ ib_wc_status_msg(wc->status), wc->status,
+ wc->opcode);
if (wc->status != IB_WC_SUCCESS || wc->opcode != IB_WC_SEND) {
ksmbd_err("Send error. status='%s (%d)', opcode=%d\n",
- ib_wc_status_msg(wc->status), wc->status,
- wc->opcode);
+ ib_wc_status_msg(wc->status), wc->status,
+ wc->opcode);
smb_direct_disconnect_rdma_connection(t);
}
@@ -845,7 +848,7 @@ static void send_done(struct ib_cq *cq, struct ib_wc *wc)
* is invalid.
*/
for (pos = &sendmsg->list, prev = pos->prev, end = sendmsg->list.next;
- prev != end; pos = prev, prev = prev->prev) {
+ prev != end; pos = prev, prev = prev->prev) {
sibling = container_of(pos, struct smb_direct_sendmsg, list);
smb_direct_free_sendmsg(t, sibling);
}
@@ -867,7 +870,7 @@ static int manage_credits_prior_sending(struct smb_direct_transport *t)
}
static int smb_direct_post_send(struct smb_direct_transport *t,
- struct ib_send_wr *wr)
+ struct ib_send_wr *wr)
{
int ret;
@@ -892,8 +895,9 @@ static int smb_direct_post_send(struct smb_direct_transport *t,
}
static void smb_direct_send_ctx_init(struct smb_direct_transport *t,
- struct smb_direct_send_ctx *send_ctx,
- bool need_invalidate_rkey, unsigned int remote_key)
+ struct smb_direct_send_ctx *send_ctx,
+ bool need_invalidate_rkey,
+ unsigned int remote_key)
{
INIT_LIST_HEAD(&send_ctx->msg_list);
send_ctx->wr_cnt = 0;
@@ -902,7 +906,8 @@ static void smb_direct_send_ctx_init(struct smb_direct_transport *t,
}
static int smb_direct_flush_send_list(struct smb_direct_transport *t,
- struct smb_direct_send_ctx *send_ctx, bool is_last)
+ struct smb_direct_send_ctx *send_ctx,
+ bool is_last)
{
struct smb_direct_sendmsg *first, *last;
int ret;
@@ -911,11 +916,11 @@ static int smb_direct_flush_send_list(struct smb_direct_transport *t,
return 0;
first = list_first_entry(&send_ctx->msg_list,
- struct smb_direct_sendmsg,
- list);
+ struct smb_direct_sendmsg,
+ list);
last = list_last_entry(&send_ctx->msg_list,
- struct smb_direct_sendmsg,
- list);
+ struct smb_direct_sendmsg,
+ list);
last->wr.send_flags = IB_SEND_SIGNALED;
last->wr.wr_cqe = &last->cqe;
@@ -927,12 +932,13 @@ static int smb_direct_flush_send_list(struct smb_direct_transport *t,
ret = smb_direct_post_send(t, &first->wr);
if (!ret) {
smb_direct_send_ctx_init(t, send_ctx,
- send_ctx->need_invalidate_rkey, send_ctx->remote_key);
+ send_ctx->need_invalidate_rkey,
+ send_ctx->remote_key);
} else {
atomic_add(send_ctx->wr_cnt, &t->send_credits);
wake_up(&t->wait_send_credits);
list_for_each_entry_safe(first, last, &send_ctx->msg_list,
- list) {
+ list) {
smb_direct_free_sendmsg(t, first);
}
}
@@ -940,7 +946,7 @@ static int smb_direct_flush_send_list(struct smb_direct_transport *t,
}
static int wait_for_credits(struct smb_direct_transport *t,
- wait_queue_head_t *waitq, atomic_t *credits)
+ wait_queue_head_t *waitq, atomic_t *credits)
{
int ret;
@@ -950,8 +956,8 @@ static int wait_for_credits(struct smb_direct_transport *t,
atomic_inc(credits);
ret = wait_event_interruptible(*waitq,
- atomic_read(credits) > 0 ||
- t->status != SMB_DIRECT_CS_CONNECTED);
+ atomic_read(credits) > 0 ||
+ t->status != SMB_DIRECT_CS_CONNECTED);
if (t->status != SMB_DIRECT_CS_CONNECTED)
return -ENOTCONN;
@@ -961,12 +967,12 @@ static int wait_for_credits(struct smb_direct_transport *t,
}
static int wait_for_send_credits(struct smb_direct_transport *t,
- struct smb_direct_send_ctx *send_ctx)
+ struct smb_direct_send_ctx *send_ctx)
{
int ret;
- if (send_ctx && (send_ctx->wr_cnt >= 16 ||
- atomic_read(&t->send_credits) <= 1)) {
+ if (send_ctx &&
+ (send_ctx->wr_cnt >= 16 || atomic_read(&t->send_credits) <= 1)) {
ret = smb_direct_flush_send_list(t, send_ctx, false);
if (ret)
return ret;
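Review bot: the reflowed condition in wait_for_send_credits() still carries a bare `16` as the flush threshold (`send_ctx->wr_cnt >= 16`). Nothing in the hunk says where that number comes from or what it is bounded by. Give it a named constant with a one-line comment next to the other SMB_DIRECT_* limits so the batching limit can be reviewed and tuned in one place.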
@@ -976,8 +982,8 @@ static int wait_for_send_credits(struct smb_direct_transport *t,
}
static int smb_direct_create_header(struct smb_direct_transport *t,
- int size, int remaining_data_length,
- struct smb_direct_sendmsg **sendmsg_out)
+ int size, int remaining_data_length,
+ struct smb_direct_sendmsg **sendmsg_out)
{
struct smb_direct_sendmsg *sendmsg;
struct smb_direct_data_transfer *packet;
@@ -1004,12 +1010,12 @@ static int smb_direct_create_header(struct smb_direct_transport *t,
packet->padding = 0;
ksmbd_debug(RDMA,
- "credits_requested=%d credits_granted=%d data_offset=%d data_length=%d remaining_data_length=%d\n",
- le16_to_cpu(packet->credits_requested),
- le16_to_cpu(packet->credits_granted),
- le32_to_cpu(packet->data_offset),
- le32_to_cpu(packet->data_length),
- le32_to_cpu(packet->remaining_data_length));
+ "credits_requested=%d credits_granted=%d data_offset=%d data_length=%d remaining_data_length=%d\n",
+ le16_to_cpu(packet->credits_requested),
+ le16_to_cpu(packet->credits_granted),
+ le32_to_cpu(packet->data_offset),
+ le32_to_cpu(packet->data_length),
+ le32_to_cpu(packet->remaining_data_length));
/* Map the packet to DMA */
header_length = sizeof(struct smb_direct_data_transfer);
@@ -1069,8 +1075,8 @@ static int get_sg_list(void *buf, int size, struct scatterlist *sg_list, int nen
}
static int get_mapped_sg_list(struct ib_device *device, void *buf, int size,
- struct scatterlist *sg_list, int nentries,
- enum dma_data_direction dir)
+ struct scatterlist *sg_list, int nentries,
+ enum dma_data_direction dir)
{
int npages;
@@ -1081,15 +1087,15 @@ static int get_mapped_sg_list(struct ib_device *device, void *buf, int size,
}
static int post_sendmsg(struct smb_direct_transport *t,
- struct smb_direct_send_ctx *send_ctx,
- struct smb_direct_sendmsg *msg)
+ struct smb_direct_send_ctx *send_ctx,
+ struct smb_direct_sendmsg *msg)
{
int i;
for (i = 0; i < msg->num_sge; i++)
ib_dma_sync_single_for_device(t->cm_id->device,
- msg->sge[i].addr, msg->sge[i].length,
- DMA_TO_DEVICE);
+ msg->sge[i].addr, msg->sge[i].length,
+ DMA_TO_DEVICE);
msg->cqe.done = send_done;
msg->wr.opcode = IB_WR_SEND;
@@ -1119,8 +1125,9 @@ static int post_sendmsg(struct smb_direct_transport *t,
}
static int smb_direct_post_send_data(struct smb_direct_transport *t,
- struct smb_direct_send_ctx *send_ctx,
- struct kvec *iov, int niov, int remaining_data_length)
+ struct smb_direct_send_ctx *send_ctx,
+ struct kvec *iov, int niov,
+ int remaining_data_length)
{
int i, j, ret;
struct smb_direct_sendmsg *msg;
@@ -1148,8 +1155,9 @@ static int smb_direct_post_send_data(struct smb_direct_transport *t,
sg_init_table(sg, SMB_DIRECT_MAX_SEND_SGES - 1);
sg_cnt = get_mapped_sg_list(t->cm_id->device,
- iov[i].iov_base, iov[i].iov_len,
- sg, SMB_DIRECT_MAX_SEND_SGES - 1, DMA_TO_DEVICE);
+ iov[i].iov_base, iov[i].iov_len,
+ sg, SMB_DIRECT_MAX_SEND_SGES - 1,
+ DMA_TO_DEVICE);
if (sg_cnt <= 0) {
ksmbd_err("failed to map buffer\n");
ret = -ENOMEM;
@@ -1182,8 +1190,8 @@ static int smb_direct_post_send_data(struct smb_direct_transport *t,
}
static int smb_direct_writev(struct ksmbd_transport *t,
- struct kvec *iov, int niovs, int buflen,
- bool need_invalidate, unsigned int remote_key)
+ struct kvec *iov, int niovs, int buflen,
+ bool need_invalidate, unsigned int remote_key)
{
struct smb_direct_transport *st = SMB_DIRECT_TRANS(t);
int remaining_data_length;
@@ -1217,8 +1225,8 @@ static int smb_direct_writev(struct ksmbd_transport *t,
remaining_data_length -=
(buflen - iov[i].iov_len);
ret = smb_direct_post_send_data(st, &send_ctx,
- &iov[start], i - start,
- remaining_data_length);
+ &iov[start], i - start,
+ remaining_data_length);
if (ret)
goto done;
} else {
@@ -1232,11 +1240,10 @@ static int smb_direct_writev(struct ksmbd_transport *t,
j * max_iov_size;
vec.iov_len =
min_t(int, max_iov_size,
- buflen - max_iov_size * j);
+ buflen - max_iov_size * j);
remaining_data_length -= vec.iov_len;
- ret = smb_direct_post_send_data(st,
- &send_ctx, &vec, 1,
- remaining_data_length);
+ ret = smb_direct_post_send_data(st, &send_ctx, &vec, 1,
+ remaining_data_length);
if (ret)
goto done;
}
@@ -1252,8 +1259,8 @@ static int smb_direct_writev(struct ksmbd_transport *t,
/* send out all remaining vecs */
remaining_data_length -= buflen;
ret = smb_direct_post_send_data(st, &send_ctx,
- &iov[start], i - start,
- remaining_data_length);
+ &iov[start], i - start,
+ remaining_data_length);
if (ret)
goto done;
break;
@@ -1272,20 +1279,20 @@ static int smb_direct_writev(struct ksmbd_transport *t,
*/
wait_event(st->wait_send_payload_pending,
- atomic_read(&st->send_payload_pending) == 0);
+ atomic_read(&st->send_payload_pending) == 0);
return ret;
}
static void read_write_done(struct ib_cq *cq, struct ib_wc *wc,
- enum dma_data_direction dir)
+ enum dma_data_direction dir)
{
struct smb_direct_rdma_rw_msg *msg = container_of(wc->wr_cqe,
- struct smb_direct_rdma_rw_msg, cqe);
+ struct smb_direct_rdma_rw_msg, cqe);
struct smb_direct_transport *t = msg->t;
if (wc->status != IB_WC_SUCCESS) {
ksmbd_err("read/write error. opcode = %d, status = %s(%d)\n",
- wc->opcode, ib_wc_status_msg(wc->status), wc->status);
+ wc->opcode, ib_wc_status_msg(wc->status), wc->status);
smb_direct_disconnect_rdma_connection(t);
}
@@ -1293,7 +1300,7 @@ static void read_write_done(struct ib_cq *cq, struct ib_wc *wc,
wake_up(&t->wait_rw_avail_ops);
rdma_rw_ctx_destroy(&msg->rw_ctx, t->qp, t->qp->port,
- msg->sg_list, msg->sgt.nents, dir);
+ msg->sg_list, msg->sgt.nents, dir);
sg_free_table_chained(&msg->sgt, SG_CHUNK_SIZE);
complete(msg->completion);
kfree(msg);
@@ -1310,8 +1317,8 @@ static void write_done(struct ib_cq *cq, struct ib_wc *wc)
}
static int smb_direct_rdma_xmit(struct smb_direct_transport *t, void *buf,
- int buf_len, u32 remote_key, u64 remote_offset, u32 remote_len,
- bool is_read)
+ int buf_len, u32 remote_key, u64 remote_offset,
+ u32 remote_len, bool is_read)
{
struct smb_direct_rdma_rw_msg *msg;
int ret;
@@ -1324,7 +1331,7 @@ static int smb_direct_rdma_xmit(struct smb_direct_transport *t, void *buf,
/* TODO: mempool */
msg = kmalloc(offsetof(struct smb_direct_rdma_rw_msg, sg_list) +
- sizeof(struct scatterlist) * SG_CHUNK_SIZE, GFP_KERNEL);
+ sizeof(struct scatterlist) * SG_CHUNK_SIZE, GFP_KERNEL);
if (!msg) {
atomic_inc(&t->rw_avail_ops);
return -ENOMEM;
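Review bot: the kmalloc() size in smb_direct_rdma_xmit() is an open-coded `offsetof(struct smb_direct_rdma_rw_msg, sg_list) + sizeof(struct scatterlist) * SG_CHUNK_SIZE`. If sg_list is the trailing array member, struct_size(msg, sg_list, SG_CHUNK_SIZE) states the same thing with overflow checking and would fit on one line, which removes the need for the continuation line this hunk re-indents. The `/* TODO: mempool */` above it is also worth resolving or tracking, since this allocation sits on the RDMA read/write path.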
@@ -1332,8 +1339,8 @@ static int smb_direct_rdma_xmit(struct smb_direct_transport *t, void *buf,
msg->sgt.sgl = &msg->sg_list[0];
ret = sg_alloc_table_chained(&msg->sgt,
- BUFFER_NR_PAGES(buf, buf_len),
- msg->sg_list, SG_CHUNK_SIZE);
+ BUFFER_NR_PAGES(buf, buf_len),
+ msg->sg_list, SG_CHUNK_SIZE);
if (ret) {
atomic_inc(&t->rw_avail_ops);
kfree(msg);
@@ -1347,9 +1354,9 @@ static int smb_direct_rdma_xmit(struct smb_direct_transport *t, void *buf,
}
ret = rdma_rw_ctx_init(&msg->rw_ctx, t->qp, t->qp->port,
- msg->sg_list, BUFFER_NR_PAGES(buf, buf_len),
- 0, remote_offset, remote_key,
- is_read ? DMA_FROM_DEVICE : DMA_TO_DEVICE);
+ msg->sg_list, BUFFER_NR_PAGES(buf, buf_len),
+ 0, remote_offset, remote_key,
+ is_read ? DMA_FROM_DEVICE : DMA_TO_DEVICE);
if (ret < 0) {
ksmbd_err("failed to init rdma_rw_ctx: %d\n", ret);
goto err;
@@ -1359,7 +1366,7 @@ static int smb_direct_rdma_xmit(struct smb_direct_transport *t, void *buf,
msg->cqe.done = is_read ? read_done : write_done;
msg->completion = &completion;
first_wr = rdma_rw_ctx_wrs(&msg->rw_ctx, t->qp, t->qp->port,
- &msg->cqe, NULL);
+ &msg->cqe, NULL);
ret = ib_post_send(t->qp, first_wr, NULL);
if (ret) {
@@ -1374,29 +1381,29 @@ static int smb_direct_rdma_xmit(struct smb_direct_transport *t, void *buf,
atomic_inc(&t->rw_avail_ops);
if (first_wr)
rdma_rw_ctx_destroy(&msg->rw_ctx, t->qp, t->qp->port,
- msg->sg_list, msg->sgt.nents,
- is_read ? DMA_FROM_DEVICE : DMA_TO_DEVICE);
+ msg->sg_list, msg->sgt.nents,
+ is_read ? DMA_FROM_DEVICE : DMA_TO_DEVICE);
sg_free_table_chained(&msg->sgt, SG_CHUNK_SIZE);
kfree(msg);
return ret;
}
static int smb_direct_rdma_write(struct ksmbd_transport *t, void *buf,
- unsigned int buflen, u32 remote_key, u64 remote_offset,
- u32 remote_len)
+ unsigned int buflen, u32 remote_key,
+ u64 remote_offset, u32 remote_len)
{
return smb_direct_rdma_xmit(SMB_DIRECT_TRANS(t), buf, buflen,
- remote_key, remote_offset,
- remote_len, false);
+ remote_key, remote_offset,
+ remote_len, false);
}
static int smb_direct_rdma_read(struct ksmbd_transport *t, void *buf,
- unsigned int buflen, u32 remote_key, u64 remote_offset,
- u32 remote_len)
+ unsigned int buflen, u32 remote_key,
+ u64 remote_offset, u32 remote_len)
{
return smb_direct_rdma_xmit(SMB_DIRECT_TRANS(t), buf, buflen,
- remote_key, remote_offset,
- remote_len, true);
+ remote_key, remote_offset,
+ remote_len, true);
}
static void smb_direct_disconnect(struct ksmbd_transport *t)
@@ -1407,17 +1414,17 @@ static void smb_direct_disconnect(struct ksmbd_transport *t)
smb_direct_disconnect_rdma_connection(st);
wait_event_interruptible(st->wait_status,
- st->status == SMB_DIRECT_CS_DISCONNECTED);
+ st->status == SMB_DIRECT_CS_DISCONNECTED);
free_transport(st);
}
static int smb_direct_cm_handler(struct rdma_cm_id *cm_id,
- struct rdma_cm_event *event)
+ struct rdma_cm_event *event)
{
struct smb_direct_transport *t = cm_id->context;
ksmbd_debug(RDMA, "RDMA CM event. cm_id=%p event=%s (%d)\n",
- cm_id, rdma_event_msg(event->event), event->event);
+ cm_id, rdma_event_msg(event->event), event->event);
switch (event->event) {
case RDMA_CM_EVENT_ESTABLISHED: {
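Review bot: in smb_direct_disconnect() the return value of wait_event_interruptible() is discarded and free_transport(st) is called unconditionally on the next line. If the wait is interrupted by a signal, the transport is torn down while `st->status` may not yet be SMB_DIRECT_CS_DISCONNECTED. Either use the non-interruptible wait_event(), as free_transport() itself does for the pending-send counters, or check the return value and handle the interrupted case before freeing.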
@@ -1440,8 +1447,8 @@ static int smb_direct_cm_handler(struct rdma_cm_id *cm_id,
}
default:
ksmbd_err("Unexpected RDMA CM event. cm_id=%p, event=%s (%d)\n",
- cm_id, rdma_event_msg(event->event),
- event->event);
+ cm_id, rdma_event_msg(event->event),
+ event->event);
break;
}
return 0;
@@ -1452,7 +1459,7 @@ static void smb_direct_qpair_handler(struct ib_event *event, void *context)
struct smb_direct_transport *t = context;
ksmbd_debug(RDMA, "Received QP event. cm_id=%p, event=%s (%d)\n",
- t->cm_id, ib_event_msg(event->event), event->event);
+ t->cm_id, ib_event_msg(event->event), event->event);
switch (event->event) {
case IB_EVENT_CQ_ERR:
@@ -1465,7 +1472,7 @@ static void smb_direct_qpair_handler(struct ib_event *event, void *context)
}
static int smb_direct_send_negotiate_response(struct smb_direct_transport *t,
- int failed)
+ int failed)
{
struct smb_direct_sendmsg *sendmsg;
struct smb_direct_negotiate_resp *resp;
@@ -1498,9 +1505,9 @@ static int smb_direct_send_negotiate_response(struct smb_direct_transport *t,
}
sendmsg->sge[0].addr = ib_dma_map_single(t->cm_id->device,
- (void *)resp, sizeof(*resp), DMA_TO_DEVICE);
- ret = ib_dma_mapping_error(t->cm_id->device,
- sendmsg->sge[0].addr);
+ (void *)resp, sizeof(*resp),
+ DMA_TO_DEVICE);
+ ret = ib_dma_mapping_error(t->cm_id->device, sendmsg->sge[0].addr);
if (ret) {
smb_direct_free_sendmsg(t, sendmsg);
return ret;
@@ -1517,7 +1524,7 @@ static int smb_direct_send_negotiate_response(struct smb_direct_transport *t,
}
wait_event(t->wait_send_pending,
- atomic_read(&t->send_pending) == 0);
+ atomic_read(&t->send_pending) == 0);
return 0;
}
@@ -1529,13 +1536,13 @@ static int smb_direct_accept_client(struct smb_direct_transport *t)
int ret;
memset(&conn_param, 0, sizeof(conn_param));
- conn_param.initiator_depth = min_t(u8,
- t->cm_id->device->attrs.max_qp_rd_atom,
- SMB_DIRECT_CM_INITIATOR_DEPTH);
+ conn_param.initiator_depth = min_t(u8, t->cm_id->device->attrs.max_qp_rd_atom,
+ SMB_DIRECT_CM_INITIATOR_DEPTH);
conn_param.responder_resources = 0;
t->cm_id->device->ops.get_port_immutable(t->cm_id->device,
- t->cm_id->port_num, &port_immutable);
+ t->cm_id->port_num,
+ &port_immutable);
if (port_immutable.core_cap_flags & RDMA_CORE_PORT_IWARP) {
ird_ord_hdr[0] = conn_param.responder_resources;
ird_ord_hdr[1] = 1;
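Review bot: `min_t(u8, t->cm_id->device->attrs.max_qp_rd_atom, SMB_DIRECT_CM_INITIATOR_DEPTH)` casts both operands to u8 before comparing, so a device that reports more than 255 for max_qp_rd_atom would have the value wrap and could yield an initiator_depth of 0. Compare in the attribute's own width and narrow afterwards. In the same hunk, get_port_immutable() is called straight through `device->ops` and its return value is ignored, so `port_immutable.core_cap_flags` is tested even if the call failed; check the result before using the structure.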
@@ -1590,9 +1597,9 @@ static int smb_direct_negotiate(struct smb_direct_transport *t)
ksmbd_debug(RDMA, "Waiting for SMB_DIRECT negotiate request\n");
ret = wait_event_interruptible_timeout(t->wait_status,
- t->negotiation_requested ||
- t->status == SMB_DIRECT_CS_DISCONNECTED,
- SMB_DIRECT_NEGOTIATE_TIMEOUT * HZ);
+ t->negotiation_requested ||
+ t->status == SMB_DIRECT_CS_DISCONNECTED,
+ SMB_DIRECT_NEGOTIATE_TIMEOUT * HZ);
if (ret <= 0 || t->status == SMB_DIRECT_CS_DISCONNECTED) {
ret = ret < 0 ? ret : -ETIMEDOUT;
goto out;
@@ -1604,9 +1611,9 @@ static int smb_direct_negotiate(struct smb_direct_transport *t)
req = (struct smb_direct_negotiate_req *)recvmsg->packet;
t->max_recv_size = min_t(int, t->max_recv_size,
- le32_to_cpu(req->preferred_send_size));
+ le32_to_cpu(req->preferred_send_size));
t->max_send_size = min_t(int, t->max_send_size,
- le32_to_cpu(req->max_receive_size));
+ le32_to_cpu(req->max_receive_size));
t->max_fragmented_send_size =
le32_to_cpu(req->max_fragmented_size);
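Review bot: the two `min_t(int, ...)` calls in smb_direct_negotiate() take a 32-bit value from the peer's negotiate request and compare it as a signed int. A `preferred_send_size` or `max_receive_size` with the top bit set becomes negative and wins the min, and nothing in this hunk enforces a lower bound, so a client can drive `t->max_recv_size` or `t->max_send_size` to zero or below. `max_fragmented_send_size` is copied from the request with no clamp at all. Compare as u32 and reject values outside an explicit minimum and maximum before storing them.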
@@ -1618,7 +1625,7 @@ static int smb_direct_negotiate(struct smb_direct_transport *t)
}
static int smb_direct_init_params(struct smb_direct_transport *t,
- struct ib_qp_cap *cap)
+ struct ib_qp_cap *cap)
{
struct ib_device *device = t->cm_id->device;
int max_send_sges, max_pages, max_rw_wrs, max_send_wrs;
@@ -1650,30 +1657,30 @@ static int smb_direct_init_params(struct smb_direct_transport *t,
if (max_send_wrs > device->attrs.max_cqe ||
max_send_wrs > device->attrs.max_qp_wr) {
ksmbd_err("consider lowering send_credit_target = %d, or max_outstanding_rw_ops = %d\n",
- smb_direct_send_credit_target,
- smb_direct_max_outstanding_rw_ops);
+ smb_direct_send_credit_target,
+ smb_direct_max_outstanding_rw_ops);
ksmbd_err("Possible CQE overrun, device reporting max_cqe %d max_qp_wr %d\n",
- device->attrs.max_cqe, device->attrs.max_qp_wr);
+ device->attrs.max_cqe, device->attrs.max_qp_wr);
return -EINVAL;
}
if (smb_direct_receive_credit_max > device->attrs.max_cqe ||
smb_direct_receive_credit_max > device->attrs.max_qp_wr) {
ksmbd_err("consider lowering receive_credit_max = %d\n",
- smb_direct_receive_credit_max);
+ smb_direct_receive_credit_max);
ksmbd_err("Possible CQE overrun, device reporting max_cpe %d max_qp_wr %d\n",
- device->attrs.max_cqe, device->attrs.max_qp_wr);
+ device->attrs.max_cqe, device->attrs.max_qp_wr);
return -EINVAL;
}
if (device->attrs.max_send_sge < SMB_DIRECT_MAX_SEND_SGES) {
ksmbd_err("warning: device max_send_sge = %d too small\n",
- device->attrs.max_send_sge);
+ device->attrs.max_send_sge);
return -EINVAL;
}
if (device->attrs.max_recv_sge < SMB_DIRECT_MAX_RECV_SGES) {
ksmbd_err("warning: device max_recv_sge = %d too small\n",
- device->attrs.max_recv_sge);
+ device->attrs.max_recv_sge);
return -EINVAL;
}
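Review bot: the second "Possible CQE overrun" message in smb_direct_init_params() says `max_cpe` where the first says `max_cqe`; that is a typo in a user-visible string and should be fixed while these lines are being touched. The two `max_send_sge` / `max_recv_sge` messages are prefixed "warning:" but are emitted through ksmbd_err() and followed by `return -EINVAL`, so the wording should say the device is unsupported rather than warn.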
@@ -1731,29 +1738,29 @@ static int smb_direct_create_pools(struct smb_direct_transport *t)
snprintf(name, sizeof(name), "smb_direct_rqst_pool_%p", t);
t->sendmsg_cache = kmem_cache_create(name,
- sizeof(struct smb_direct_sendmsg) +
- sizeof(struct smb_direct_negotiate_resp),
- 0, SLAB_HWCACHE_ALIGN, NULL);
+ sizeof(struct smb_direct_sendmsg) +
+ sizeof(struct smb_direct_negotiate_resp),
+ 0, SLAB_HWCACHE_ALIGN, NULL);
if (!t->sendmsg_cache)
return -ENOMEM;
t->sendmsg_mempool = mempool_create(t->send_credit_target,
- mempool_alloc_slab, mempool_free_slab,
- t->sendmsg_cache);
+ mempool_alloc_slab, mempool_free_slab,
+ t->sendmsg_cache);
if (!t->sendmsg_mempool)
goto err;
snprintf(name, sizeof(name), "smb_direct_resp_%p", t);
t->recvmsg_cache = kmem_cache_create(name,
- sizeof(struct smb_direct_recvmsg) +
- t->max_recv_size,
- 0, SLAB_HWCACHE_ALIGN, NULL);
+ sizeof(struct smb_direct_recvmsg) +
+ t->max_recv_size,
+ 0, SLAB_HWCACHE_ALIGN, NULL);
if (!t->recvmsg_cache)
goto err;
t->recvmsg_mempool =
mempool_create(t->recv_credit_max, mempool_alloc_slab,
- mempool_free_slab, t->recvmsg_cache);
+ mempool_free_slab, t->recvmsg_cache);
if (!t->recvmsg_mempool)
goto err;
@@ -1775,7 +1782,7 @@ static int smb_direct_create_pools(struct smb_direct_transport *t)
}
static int smb_direct_create_qpair(struct smb_direct_transport *t,
- struct ib_qp_cap *cap)
+ struct ib_qp_cap *cap)
{
int ret;
struct ib_qp_init_attr qp_attr;
@@ -1789,7 +1796,7 @@ static int smb_direct_create_qpair(struct smb_direct_transport *t,
}
t->send_cq = ib_alloc_cq(t->cm_id->device, t,
- t->send_credit_target, 0, IB_POLL_WORKQUEUE);
+ t->send_credit_target, 0, IB_POLL_WORKQUEUE);
if (IS_ERR(t->send_cq)) {
ksmbd_err("Can't create RDMA send CQ\n");
ret = PTR_ERR(t->send_cq);
@@ -1798,8 +1805,8 @@ static int smb_direct_create_qpair(struct smb_direct_transport *t,
}
t->recv_cq = ib_alloc_cq(t->cm_id->device, t,
- cap->max_send_wr + cap->max_rdma_ctxs,
- 0, IB_POLL_WORKQUEUE);
+ cap->max_send_wr + cap->max_rdma_ctxs,
+ 0, IB_POLL_WORKQUEUE);
if (IS_ERR(t->recv_cq)) {
ksmbd_err("Can't create RDMA recv CQ\n");
ret = PTR_ERR(t->recv_cq);
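Review bot: the receive CQ here is sized from send-side limits (`cap->max_send_wr + cap->max_rdma_ctxs`), while the send CQ in the previous hunk is given only `t->send_credit_target` entries. As written the two depths look swapped. Please confirm which CQ the rdma_rw completions are delivered to and that each CQ's depth covers the work requests posted against it, given that smb_direct_init_params() already warns about a possible CQE overrun.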
@@ -1896,8 +1903,8 @@ static int smb_direct_handle_connect_request(struct rdma_cm_id *new_cm_id)
if (!rdma_frwr_is_supported(&new_cm_id->device->attrs)) {
ksmbd_debug(RDMA,
- "Fast Registration Work Requests is not supported. device capabilities=%llx\n",
- new_cm_id->device->attrs.device_cap_flags);
+ "Fast Registration Work Requests is not supported. device capabilities=%llx\n",
+ new_cm_id->device->attrs.device_cap_flags);
return -EPROTONOSUPPORT;
}
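Review bot: the FRWR check in smb_direct_handle_connect_request() refuses the connection with -EPROTONOSUPPORT but reports the reason through ksmbd_debug(RDMA, ...) rather than ksmbd_err(), unlike the other device-capability failures in this file. An administrator would see connections rejected with no logged cause unless RDMA debugging is on. Use the error-level macro, and fix the grammar of the string ("Requests is not supported") while re-indenting it.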
@@ -1906,7 +1913,8 @@ static int smb_direct_handle_connect_request(struct rdma_cm_id *new_cm_id)
return -ENOMEM;
KSMBD_TRANS(t)->handler = kthread_run(ksmbd_conn_handler_loop,
- KSMBD_TRANS(t)->conn, "ksmbd:r%u", SMB_DIRECT_PORT);
+ KSMBD_TRANS(t)->conn, "ksmbd:r%u",
+ SMB_DIRECT_PORT);
if (IS_ERR(KSMBD_TRANS(t)->handler)) {
int ret = PTR_ERR(KSMBD_TRANS(t)->handler);
@@ -1919,7 +1927,7 @@ static int smb_direct_handle_connect_request(struct rdma_cm_id *new_cm_id)
}
static int smb_direct_listen_handler(struct rdma_cm_id *cm_id,
- struct rdma_cm_event *event)
+ struct rdma_cm_event *event)
{
switch (event->event) {
case RDMA_CM_EVENT_CONNECT_REQUEST: {
@@ -1931,13 +1939,12 @@ static int smb_direct_listen_handler(struct rdma_cm_id *cm_id,
}
ksmbd_debug(RDMA, "Received connection request. cm_id=%p\n",
- cm_id);
+ cm_id);
break;
}
default:
ksmbd_err("Unexpected listen event. cm_id=%p, event=%s (%d)\n",
- cm_id,
- rdma_event_msg(event->event), event->event);
+ cm_id, rdma_event_msg(event->event), event->event);
break;
}
return 0;
@@ -1954,10 +1961,9 @@ static int smb_direct_listen(int port)
};
cm_id = rdma_create_id(&init_net, smb_direct_listen_handler,
- &smb_direct_listener, RDMA_PS_TCP, IB_QPT_RC);
+ &smb_direct_listener, RDMA_PS_TCP, IB_QPT_RC);
if (IS_ERR(cm_id)) {
- ksmbd_err("Can't create cm id: %ld\n",
- PTR_ERR(cm_id));
+ ksmbd_err("Can't create cm id: %ld\n", PTR_ERR(cm_id));
return PTR_ERR(cm_id);
}
@@ -1993,7 +1999,7 @@ int ksmbd_rdma_init(void)
* for lack of credits
*/
smb_direct_wq = alloc_workqueue("ksmbd-smb_direct-wq",
- WQ_HIGHPRI | WQ_MEM_RECLAIM, 0);
+ WQ_HIGHPRI | WQ_MEM_RECLAIM, 0);
if (!smb_direct_wq)
return -ENOMEM;
@@ -2006,7 +2012,7 @@ int ksmbd_rdma_init(void)
}
ksmbd_debug(RDMA, "init RDMA listener. cm_id=%p\n",
- smb_direct_listener.cm_id);
+ smb_direct_listener.cm_id);
return 0;
}
diff --git a/fs/cifsd/transport_tcp.c b/fs/cifsd/transport_tcp.c
index 040881893417..5bd332a58596 100644
--- a/fs/cifsd/transport_tcp.c
+++ b/fs/cifsd/transport_tcp.c
@@ -113,7 +113,7 @@ static void free_transport(struct tcp_transport *t)
* Return: Number of IO segments
*/
static unsigned int kvec_array_init(struct kvec *new, struct kvec *iov,
- unsigned int nr_segs, size_t bytes)
+ unsigned int nr_segs, size_t bytes)
{
size_t base = 0;
@@ -197,8 +197,9 @@ static int ksmbd_tcp_new_connection(struct socket *client_sk)
}
KSMBD_TRANS(t)->handler = kthread_run(ksmbd_conn_handler_loop,
- KSMBD_TRANS(t)->conn,
- "ksmbd:%u", ksmbd_tcp_get_port(csin));
+ KSMBD_TRANS(t)->conn,
+ "ksmbd:%u",
+ ksmbd_tcp_get_port(csin));
if (IS_ERR(KSMBD_TRANS(t)->handler)) {
ksmbd_err("cannot start conn thread\n");
rc = PTR_ERR(KSMBD_TRANS(t)->handler);
@@ -230,7 +231,7 @@ static int ksmbd_kthread_fn(void *p)
break;
}
ret = kernel_accept(iface->ksmbd_socket, &client_sk,
- O_NONBLOCK);
+ O_NONBLOCK);
mutex_unlock(&iface->sock_release_lock);
if (ret) {
if (ret == -EAGAIN)
@@ -265,8 +266,8 @@ static int ksmbd_tcp_run_kthread(struct interface *iface)
int rc;
struct task_struct *kthread;
- kthread = kthread_run(ksmbd_kthread_fn, (void *)iface,
- "ksmbd-%s", iface->name);
+ kthread = kthread_run(ksmbd_kthread_fn, (void *)iface, "ksmbd-%s",
+ iface->name);
if (IS_ERR(kthread)) {
rc = PTR_ERR(kthread);
return rc;
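Review bot: in ksmbd_tcp_run_kthread() the reflowed kthread_run() call keeps the `(void *)iface` cast, which is unnecessary for a pointer argument and can be dropped so the call fits more cleanly. The error path that follows (`rc = PTR_ERR(kthread); return rc;`) can return PTR_ERR(kthread) directly.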
@@ -287,7 +288,7 @@ static int ksmbd_tcp_run_kthread(struct interface *iface)
* otherwise return error number
*/
static int ksmbd_tcp_readv(struct tcp_transport *t, struct kvec *iov_orig,
- unsigned int nr_segs, unsigned int to_read)
+ unsigned int nr_segs, unsigned int to_read)
{
int length = 0;
int total_read;
@@ -353,7 +354,8 @@ static int ksmbd_tcp_read(struct ksmbd_transport *t, char *buf, unsigned int to_
}
static int ksmbd_tcp_writev(struct ksmbd_transport *t, struct kvec *iov,
- int nvecs, int size, bool need_invalidate, unsigned int remote_key)
+ int nvecs, int size, bool need_invalidate,
+ unsigned int remote_key)
{
struct msghdr smb_msg = {.msg_flags = MSG_NOSIGNAL};
@@ -401,7 +403,7 @@ static int create_socket(struct interface *iface)
if (ret) {
ksmbd_err("Can't create socket for ipv6, try ipv4: %d\n", ret);
ret = sock_create(PF_INET, SOCK_STREAM, IPPROTO_TCP,
- &ksmbd_socket);
+ &ksmbd_socket);
if (ret) {
ksmbd_err("Can't create socket for ipv4: %d\n", ret);
goto out_error;
@@ -432,10 +434,10 @@ static int create_socket(struct interface *iface)
if (ipv4)
ret = kernel_bind(ksmbd_socket, (struct sockaddr *)&sin,
- sizeof(sin));
+ sizeof(sin));
else
ret = kernel_bind(ksmbd_socket, (struct sockaddr *)&sin6,
- sizeof(sin6));
+ sizeof(sin6));
if (ret) {
ksmbd_err("Failed to bind socket: %d\n", ret);
goto out_error;
@@ -467,7 +469,7 @@ static int create_socket(struct interface *iface)
}
static int ksmbd_netdev_event(struct notifier_block *nb, unsigned long event,
- void *ptr)
+ void *ptr)
{
struct net_device *netdev = netdev_notifier_info_to_dev(ptr);
struct interface *iface;
diff --git a/fs/cifsd/unicode.c b/fs/cifsd/unicode.c
index 38bba50c4f16..a0db699ddafd 100644
--- a/fs/cifsd/unicode.c
+++ b/fs/cifsd/unicode.c
@@ -27,7 +27,7 @@
* Return: string length after conversion
*/
static int smb_utf16_bytes(const __le16 *from, int maxbytes,
- const struct nls_table *codepage)
+ const struct nls_table *codepage)
{
int i;
int charlen, outlen = 0;
@@ -65,7 +65,7 @@ static int smb_utf16_bytes(const __le16 *from, int maxbytes,
*/
static int
cifs_mapchar(char *target, const __u16 src_char, const struct nls_table *cp,
- bool mapchar)
+ bool mapchar)
{
int len = 1;
@@ -156,7 +156,7 @@ static inline int is_char_allowed(char *ch)
* Return: string length after conversion
*/
static int smb_from_utf16(char *to, const __le16 *from, int tolen, int fromlen,
- const struct nls_table *codepage, bool mapchar)
+ const struct nls_table *codepage, bool mapchar)
{
int i, charlen, safelen;
int outlen = 0;
@@ -210,7 +210,7 @@ static int smb_from_utf16(char *to, const __le16 *from, int tolen, int fromlen,
* Return: string length after conversion
*/
int smb_strtoUTF16(__le16 *to, const char *from, int len,
- const struct nls_table *codepage)
+ const struct nls_table *codepage)
{
int charlen;
int i;
@@ -224,7 +224,7 @@ int smb_strtoUTF16(__le16 *to, const char *from, int len,
* in destination len is length in wchar_t units (16bits)
*/
i = utf8s_to_utf16s(from, len, UTF16_LITTLE_ENDIAN,
- (wchar_t *)to, len);
+ (wchar_t *)to, len);
/* if success terminate and exit */
if (i >= 0)
@@ -267,7 +267,8 @@ int smb_strtoUTF16(__le16 *to, const char *from, int len,
* Return: destination string buffer or error ptr
*/
char *smb_strndup_from_utf16(const char *src, const int maxlen,
- const bool is_unicode, const struct nls_table *codepage)
+ const bool is_unicode,
+ const struct nls_table *codepage)
{
int len, ret;
char *dst;
@@ -279,7 +280,7 @@ char *smb_strndup_from_utf16(const char *src, const int maxlen,
if (!dst)
return ERR_PTR(-ENOMEM);
ret = smb_from_utf16(dst, (__le16 *)src, len, maxlen, codepage,
- false);
+ false);
if (ret < 0) {
kfree(dst);
return ERR_PTR(-EINVAL);
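Review bot: The `(__le16 *)src` cast in the smb_from_utf16() call drops the const qualifier from `const char *src`, although smb_from_utf16() takes `const __le16 *from`. Casting to `(const __le16 *)src` keeps the qualifier and costs nothing in a patch that already rewrites this statement.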
@@ -318,7 +319,7 @@ char *smb_strndup_from_utf16(const char *src, const int maxlen,
* Return: char length after conversion
*/
int smbConvertToUTF16(__le16 *target, const char *source, int srclen,
- const struct nls_table *cp, int mapchars)
+ const struct nls_table *cp, int mapchars)
{
int i, j, charlen;
char src_char;
diff --git a/fs/cifsd/unicode.h b/fs/cifsd/unicode.h
index 68f1c8290911..5593024230ae 100644
--- a/fs/cifsd/unicode.h
+++ b/fs/cifsd/unicode.h
@@ -63,11 +63,12 @@ extern const struct UniCaseRange CifsUniLowerRange[];
#ifdef __KERNEL__
int smb_strtoUTF16(__le16 *to, const char *from, int len,
- const struct nls_table *codepage);
+ const struct nls_table *codepage);
char *smb_strndup_from_utf16(const char *src, const int maxlen,
- const bool is_unicode, const struct nls_table *codepage);
+ const bool is_unicode,
+ const struct nls_table *codepage);
int smbConvertToUTF16(__le16 *target, const char *source, int srclen,
- const struct nls_table *cp, int mapchars);
+ const struct nls_table *cp, int mapchars);
char *ksmbd_extract_sharename(char *treename);
#endif
@@ -198,7 +199,7 @@ static inline int UniStrncmp(const wchar_t *ucs1, const wchar_t *ucs2, size_t n)
/*
* UniStrncmp_le: Compare length limited string - native to little-endian
*/
- static inline int
+static inline int
UniStrncmp_le(const wchar_t *ucs1, const wchar_t *ucs2, size_t n)
{
if (!n)
diff --git a/fs/cifsd/vfs.c b/fs/cifsd/vfs.c
index e1295b72c410..355e1a5a893b 100644
--- a/fs/cifsd/vfs.c
+++ b/fs/cifsd/vfs.c
@@ -52,7 +52,8 @@ static char *extract_last_component(char *path)
}
static void ksmbd_vfs_inherit_owner(struct ksmbd_work *work,
- struct inode *parent_inode, struct inode *inode)
+ struct inode *parent_inode,
+ struct inode *inode)
{
if (!test_share_config_flag(work->tcon->share_conf,
KSMBD_SHARE_FLAG_INHERIT_OWNER))
@@ -84,7 +85,7 @@ int ksmbd_vfs_inode_permission(struct dentry *dentry, int acc_mode, bool delete)
parent = dget_parent(dentry);
inode_lock_nested(d_inode(parent), I_MUTEX_PARENT);
child = lookup_one_len(dentry->d_name.name, parent,
- dentry->d_name.len);
+ dentry->d_name.len);
if (IS_ERR(child)) {
ret = PTR_ERR(child);
goto out_lock;
@@ -130,7 +131,7 @@ int ksmbd_vfs_query_maximal_access(struct dentry *dentry, __le32 *daccess)
parent = dget_parent(dentry);
inode_lock_nested(d_inode(parent), I_MUTEX_PARENT);
child = lookup_one_len(dentry->d_name.name, parent,
- dentry->d_name.len);
+ dentry->d_name.len);
if (IS_ERR(child)) {
ret = PTR_ERR(child);
goto out_lock;
@@ -171,7 +172,7 @@ int ksmbd_vfs_create(struct ksmbd_work *work, const char *name, umode_t mode)
err = PTR_ERR(dentry);
if (err != -ENOENT)
ksmbd_err("path create failed for %s, err %d\n",
- name, err);
+ name, err);
return err;
}
@@ -179,7 +180,7 @@ int ksmbd_vfs_create(struct ksmbd_work *work, const char *name, umode_t mode)
err = vfs_create(&init_user_ns, d_inode(path.dentry), dentry, mode, true);
if (!err) {
ksmbd_vfs_inherit_owner(work, d_inode(path.dentry),
- d_inode(dentry));
+ d_inode(dentry));
} else {
ksmbd_err("File(%s): creation failed (err:%d)\n", name, err);
}
@@ -206,7 +207,7 @@ int ksmbd_vfs_mkdir(struct ksmbd_work *work, const char *name, umode_t mode)
err = PTR_ERR(dentry);
if (err != -EEXIST)
ksmbd_debug(VFS, "path create failed for %s, err %d\n",
- name, err);
+ name, err);
return err;
}
@@ -217,9 +218,8 @@ int ksmbd_vfs_mkdir(struct ksmbd_work *work, const char *name, umode_t mode)
} else if (d_unhashed(dentry)) {
struct dentry *d;
- d = lookup_one_len(dentry->d_name.name,
- dentry->d_parent,
- dentry->d_name.len);
+ d = lookup_one_len(dentry->d_name.name, dentry->d_parent,
+ dentry->d_name.len);
if (IS_ERR(d)) {
err = PTR_ERR(d);
goto out;
@@ -230,8 +230,7 @@ int ksmbd_vfs_mkdir(struct ksmbd_work *work, const char *name, umode_t mode)
goto out;
}
- ksmbd_vfs_inherit_owner(work, d_inode(path.dentry),
- d_inode(d));
+ ksmbd_vfs_inherit_owner(work, d_inode(path.dentry), d_inode(d));
dput(d);
}
out:
@@ -242,7 +241,7 @@ int ksmbd_vfs_mkdir(struct ksmbd_work *work, const char *name, umode_t mode)
}
static ssize_t ksmbd_vfs_getcasexattr(struct dentry *dentry, char *attr_name,
- int attr_name_len, char **attr_value)
+ int attr_name_len, char **attr_value)
{
char *name, *xattr_list = NULL;
ssize_t value_len = -ENOENT, xattr_list_len;
@@ -271,14 +270,14 @@ static ssize_t ksmbd_vfs_getcasexattr(struct dentry *dentry, char *attr_name,
}
static int ksmbd_vfs_stream_read(struct ksmbd_file *fp, char *buf, loff_t *pos,
- size_t count)
+ size_t count)
{
ssize_t v_len;
char *stream_buf = NULL;
int err;
ksmbd_debug(VFS, "read stream data pos : %llu, count : %zd\n",
- *pos, count);
+ *pos, count);
v_len = ksmbd_vfs_getcasexattr(fp->filp->f_path.dentry,
fp->stream.name,
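Review bot: The ksmbd_debug() format string in ksmbd_vfs_stream_read() prints `*pos` (a loff_t, signed) with %llu and `count` (a size_t, unsigned) with %zd, so both specifiers have the wrong signedness. Suggest `%lld` and `%zu` here; the matching message in ksmbd_vfs_stream_write() has the same mismatch.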
@@ -304,7 +303,7 @@ static int ksmbd_vfs_stream_read(struct ksmbd_file *fp, char *buf, loff_t *pos,
* Return: 0 on success, otherwise error
*/
static int check_lock_range(struct file *filp, loff_t start, loff_t end,
- unsigned char type)
+ unsigned char type)
{
struct file_lock *flock;
struct file_lock_context *ctx = file_inode(filp)->i_flctx;
@@ -348,7 +347,7 @@ static int check_lock_range(struct file *filp, loff_t start, loff_t end,
* Return: number of read bytes on success, otherwise error
*/
int ksmbd_vfs_read(struct ksmbd_work *work, struct ksmbd_file *fp, size_t count,
- loff_t *pos)
+ loff_t *pos)
{
struct file *filp;
ssize_t nbytes = 0;
@@ -377,8 +376,7 @@ int ksmbd_vfs_read(struct ksmbd_work *work, struct ksmbd_file *fp, size_t count,
if (!work->tcon->posix_extensions) {
int ret;
- ret = check_lock_range(filp, *pos, *pos + count - 1,
- READ);
+ ret = check_lock_range(filp, *pos, *pos + count - 1, READ);
if (ret) {
ksmbd_err("unable to read due to lock\n");
return -EAGAIN;
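Review bot: The joined call `check_lock_range(filp, *pos, *pos + count - 1, READ)` computes an end offset that falls below the start when count is 0, and the addition itself is unchecked for large `*pos`. The visible lines do not show a guard; if none exists earlier in ksmbd_vfs_read(), a zero-length return or an overflow check before this call would make the range well defined.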
@@ -388,7 +386,7 @@ int ksmbd_vfs_read(struct ksmbd_work *work, struct ksmbd_file *fp, size_t count,
nbytes = kernel_read(filp, rbuf, count, pos);
if (nbytes < 0) {
ksmbd_err("smb read failed for (%s), err = %zd\n",
- fp->filename, nbytes);
+ fp->filename, nbytes);
return nbytes;
}
@@ -397,14 +395,14 @@ int ksmbd_vfs_read(struct ksmbd_work *work, struct ksmbd_file *fp, size_t count,
}
static int ksmbd_vfs_stream_write(struct ksmbd_file *fp, char *buf, loff_t *pos,
- size_t count)
+ size_t count)
{
char *stream_buf = NULL, *wbuf;
size_t size, v_len;
int err = 0;
ksmbd_debug(VFS, "write stream data pos : %llu, count : %zd\n",
- *pos, count);
+ *pos, count);
size = *pos + count;
if (size > XATTR_SIZE_MAX) {
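Review bot: In ksmbd_vfs_stream_write(), `size = *pos + count` mixes a signed loff_t with size_t operands, so a negative `*pos` or a wrapping sum can yield a small `size` that passes the `size > XATTR_SIZE_MAX` check. Unless the caller already validates the offset, reject `*pos < 0` and use check_add_overflow() before comparing against XATTR_SIZE_MAX.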
@@ -464,8 +462,8 @@ static int ksmbd_vfs_stream_write(struct ksmbd_file *fp, char *buf, loff_t *pos,
* Return: 0 on success, otherwise error
*/
int ksmbd_vfs_write(struct ksmbd_work *work, struct ksmbd_file *fp,
- char *buf, size_t count, loff_t *pos, bool sync,
- ssize_t *written)
+ char *buf, size_t count, loff_t *pos, bool sync,
+ ssize_t *written)
{
struct ksmbd_session *sess = work->sess;
struct file *filp;
@@ -514,7 +512,7 @@ int ksmbd_vfs_write(struct ksmbd_work *work, struct ksmbd_file *fp,
err = vfs_fsync_range(filp, offset, offset + *written, 0);
if (err < 0)
ksmbd_err("fsync failed for filename = %s, err = %d\n",
- FP_FILENAME(fp), err);
+ FP_FILENAME(fp), err);
}
out:
@@ -588,11 +586,11 @@ int ksmbd_vfs_remove_file(struct ksmbd_work *work, char *name)
parent = dget_parent(path.dentry);
inode_lock_nested(d_inode(parent), I_MUTEX_PARENT);
dentry = lookup_one_len(path.dentry->d_name.name, parent,
- strlen(path.dentry->d_name.name));
+ strlen(path.dentry->d_name.name));
if (IS_ERR(dentry)) {
err = PTR_ERR(dentry);
ksmbd_debug(VFS, "%s: lookup failed, err %d\n",
- path.dentry->d_name.name, err);
+ path.dentry->d_name.name, err);
goto out_err;
}
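Review bot: The lookup_one_len() call in ksmbd_vfs_remove_file() passes `strlen(path.dentry->d_name.name)` as the length, whereas every other lookup_one_len() call site touched by this patch passes `dentry->d_name.len`. Using `path.dentry->d_name.len` here would be consistent and avoids rescanning the name.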
@@ -606,12 +604,12 @@ int ksmbd_vfs_remove_file(struct ksmbd_work *work, char *name)
err = vfs_rmdir(&init_user_ns, d_inode(parent), dentry);
if (err && err != -ENOTEMPTY)
ksmbd_debug(VFS, "%s: rmdir failed, err %d\n", name,
- err);
+ err);
} else {
err = vfs_unlink(&init_user_ns, d_inode(parent), dentry, NULL);
if (err)
ksmbd_debug(VFS, "%s: unlink failed, err %d\n", name,
- err);
+ err);
}
dput(dentry);
@@ -631,7 +629,7 @@ int ksmbd_vfs_remove_file(struct ksmbd_work *work, char *name)
* Return: 0 on success, otherwise error
*/
int ksmbd_vfs_link(struct ksmbd_work *work, const char *oldname,
- const char *newname)
+ const char *newname)
{
struct path oldpath, newpath;
struct dentry *dentry;
@@ -643,12 +641,12 @@ int ksmbd_vfs_link(struct ksmbd_work *work, const char *oldname,
err = kern_path(oldname, LOOKUP_FOLLOW, &oldpath);
if (err) {
ksmbd_err("cannot get linux path for %s, err = %d\n",
- oldname, err);
+ oldname, err);
goto out1;
}
dentry = kern_path_create(AT_FDCWD, newname, &newpath,
- LOOKUP_FOLLOW | LOOKUP_REVAL);
+ LOOKUP_FOLLOW | LOOKUP_REVAL);
if (IS_ERR(dentry)) {
err = PTR_ERR(dentry);
ksmbd_err("path create err for %s, err %d\n", newname, err);
@@ -662,7 +660,7 @@ int ksmbd_vfs_link(struct ksmbd_work *work, const char *oldname,
}
err = vfs_link(oldpath.dentry, &init_user_ns, d_inode(newpath.dentry),
- dentry, NULL);
+ dentry, NULL);
if (err)
ksmbd_debug(VFS, "vfs_link failed err %d\n", err);
@@ -676,9 +674,11 @@ int ksmbd_vfs_link(struct ksmbd_work *work, const char *oldname,
}
static int __ksmbd_vfs_rename(struct ksmbd_work *work,
- struct dentry *src_dent_parent, struct dentry *src_dent,
- struct dentry *dst_dent_parent, struct dentry *trap_dent,
- char *dst_name)
+ struct dentry *src_dent_parent,
+ struct dentry *src_dent,
+ struct dentry *dst_dent_parent,
+ struct dentry *trap_dent,
+ char *dst_name)
{
struct dentry *dst_dent;
int err;
@@ -742,7 +742,7 @@ static int __ksmbd_vfs_rename(struct ksmbd_work *work,
}
int ksmbd_vfs_fp_rename(struct ksmbd_work *work, struct ksmbd_file *fp,
- char *newname)
+ char *newname)
{
struct path dst_path;
struct dentry *src_dent_parent, *dst_dent_parent;
@@ -768,7 +768,7 @@ int ksmbd_vfs_fp_rename(struct ksmbd_work *work, struct ksmbd_file *fp,
dget(src_dent);
dget(dst_dent_parent);
src_child = lookup_one_len(src_dent->d_name.name, src_dent_parent,
- src_dent->d_name.len);
+ src_dent->d_name.len);
if (IS_ERR(src_child)) {
err = PTR_ERR(src_child);
goto out_lock;
@@ -807,7 +807,7 @@ int ksmbd_vfs_fp_rename(struct ksmbd_work *work, struct ksmbd_file *fp,
* Return: 0 on success, otherwise error
*/
int ksmbd_vfs_truncate(struct ksmbd_work *work, const char *name,
- struct ksmbd_file *fp, loff_t size)
+ struct ksmbd_file *fp, loff_t size)
{
struct path path;
int err = 0;
@@ -816,13 +816,13 @@ int ksmbd_vfs_truncate(struct ksmbd_work *work, const char *name,
err = kern_path(name, 0, &path);
if (err) {
ksmbd_err("cannot get linux path for %s, err %d\n",
- name, err);
+ name, err);
return err;
}
err = vfs_truncate(&path, size);
if (err)
ksmbd_err("truncate failed for %s err %d\n",
- name, err);
+ name, err);
path_put(&path);
} else {
struct file *filp;
@@ -837,10 +837,10 @@ int ksmbd_vfs_truncate(struct ksmbd_work *work, const char *name,
if (size < inode->i_size) {
err = check_lock_range(filp, size,
- inode->i_size - 1, WRITE);
+ inode->i_size - 1, WRITE);
} else {
err = check_lock_range(filp, inode->i_size,
- size - 1, WRITE);
+ size - 1, WRITE);
}
if (err) {
@@ -852,7 +852,7 @@ int ksmbd_vfs_truncate(struct ksmbd_work *work, const char *name,
err = vfs_truncate(&filp->f_path, size);
if (err)
ksmbd_err("truncate failed for filename : %s err %d\n",
- fp->filename, err);
+ fp->filename, err);
}
return err;
@@ -904,7 +904,7 @@ static ssize_t ksmbd_vfs_xattr_len(struct dentry *dentry, char *xattr_name)
* Return: read xattr value length on success, otherwise error
*/
ssize_t ksmbd_vfs_getxattr(struct dentry *dentry, char *xattr_name,
- char **xattr_buf)
+ char **xattr_buf)
{
ssize_t xattr_len;
char *buf;
@@ -938,7 +938,7 @@ ssize_t ksmbd_vfs_getxattr(struct dentry *dentry, char *xattr_name,
* Return: 0 on success, otherwise error
*/
int ksmbd_vfs_setxattr(struct dentry *dentry, const char *attr_name,
- const void *attr_value, size_t attr_size, int flags)
+ const void *attr_value, size_t attr_size, int flags)
{
int err;
@@ -988,8 +988,7 @@ void ksmbd_vfs_set_fadvise(struct file *filp, __le32 option)
*
* Return: 0 on success, otherwise error
*/
-int ksmbd_vfs_lock(struct file *filp, int cmd,
- struct file_lock *flock)
+int ksmbd_vfs_lock(struct file *filp, int cmd, struct file_lock *flock)
{
ksmbd_debug(VFS, "calling vfs_lock_file\n");
return vfs_lock_file(filp, cmd, flock, NULL);
@@ -1001,26 +1000,27 @@ int ksmbd_vfs_readdir(struct file *file, struct ksmbd_readdir_data *rdata)
}
int ksmbd_vfs_alloc_size(struct ksmbd_work *work, struct ksmbd_file *fp,
- loff_t len)
+ loff_t len)
{
smb_break_all_levII_oplock(work, fp, 1);
return vfs_fallocate(fp->filp, FALLOC_FL_KEEP_SIZE, 0, len);
}
int ksmbd_vfs_zero_data(struct ksmbd_work *work, struct ksmbd_file *fp,
- loff_t off, loff_t len)
+ loff_t off, loff_t len)
{
smb_break_all_levII_oplock(work, fp, 1);
if (fp->f_ci->m_fattr & ATTR_SPARSE_FILE_LE)
return vfs_fallocate(fp->filp,
- FALLOC_FL_PUNCH_HOLE | FALLOC_FL_KEEP_SIZE, off, len);
+ FALLOC_FL_PUNCH_HOLE | FALLOC_FL_KEEP_SIZE,
+ off, len);
return vfs_fallocate(fp->filp, FALLOC_FL_ZERO_RANGE, off, len);
}
int ksmbd_vfs_fqar_lseek(struct ksmbd_file *fp, loff_t start, loff_t length,
- struct file_allocated_range_buffer *ranges,
- int in_count, int *out_count)
+ struct file_allocated_range_buffer *ranges,
+ int in_count, int *out_count)
{
struct file *f = fp->filp;
struct inode *inode = FP_INODE(fp);
@@ -1087,8 +1087,7 @@ int ksmbd_vfs_unlink(struct dentry *dir, struct dentry *dentry)
inode_lock_nested(d_inode(dir), I_MUTEX_PARENT);
dget(dentry);
- child = lookup_one_len(dentry->d_name.name, dir,
- dentry->d_name.len);
+ child = lookup_one_len(dentry->d_name.name, dir, dentry->d_name.len);
if (IS_ERR(child)) {
err = PTR_ERR(child);
goto out;
@@ -1143,7 +1142,7 @@ unsigned short ksmbd_vfs_logical_sector_size(struct inode *inode)
* @fs_ss: fs sector size struct
*/
void ksmbd_vfs_smb2_sector_size(struct inode *inode,
- struct ksmbd_fs_sector_size *fs_ss)
+ struct ksmbd_fs_sector_size *fs_ss)
{
struct request_queue *q;
@@ -1169,7 +1168,7 @@ void ksmbd_vfs_smb2_sector_size(struct inode *inode,
}
static int __dir_empty(struct dir_context *ctx, const char *name, int namlen,
- loff_t offset, u64 ino, unsigned int d_type)
+ loff_t offset, u64 ino, unsigned int d_type)
{
struct ksmbd_readdir_data *buf;
@@ -1206,7 +1205,8 @@ int ksmbd_vfs_empty_dir(struct ksmbd_file *fp)
}
static int __caseless_lookup(struct dir_context *ctx, const char *name,
- int namlen, loff_t offset, u64 ino, unsigned int d_type)
+ int namlen, loff_t offset, u64 ino,
+ unsigned int d_type)
{
struct ksmbd_readdir_data *buf;
@@ -1263,7 +1263,7 @@ static int ksmbd_vfs_lookup_in_dir(struct path *dir, char *name, size_t namelen)
* Return: 0 on success, otherwise error
*/
int ksmbd_vfs_kern_path(char *name, unsigned int flags, struct path *path,
- bool caseless)
+ bool caseless)
{
int err;
@@ -1346,7 +1346,7 @@ int ksmbd_vfs_remove_acl_xattrs(struct dentry *dentry)
}
for (name = xattr_list; name - xattr_list < xattr_list_len;
- name += strlen(name) + 1) {
+ name += strlen(name) + 1) {
ksmbd_debug(SMB, "%s, len %zd\n", name, strlen(name));
if (!strncmp(name, XATTR_NAME_POSIX_ACL_ACCESS,
@@ -1356,7 +1356,7 @@ int ksmbd_vfs_remove_acl_xattrs(struct dentry *dentry)
err = ksmbd_vfs_remove_xattr(dentry, name);
if (err)
ksmbd_debug(SMB,
- "remove acl xattr failed : %s\n", name);
+ "remove acl xattr failed : %s\n", name);
}
}
out:
@@ -1394,7 +1394,7 @@ int ksmbd_vfs_remove_sd_xattrs(struct dentry *dentry)
}
static struct xattr_smb_acl *ksmbd_vfs_make_xattr_posix_acl(struct inode *inode,
- int acl_type)
+ int acl_type)
{
struct xattr_smb_acl *smb_acl = NULL;
struct posix_acl *posix_acls;
@@ -1455,7 +1455,7 @@ static struct xattr_smb_acl *ksmbd_vfs_make_xattr_posix_acl(struct inode *inode,
}
int ksmbd_vfs_set_sd_xattr(struct ksmbd_conn *conn, struct dentry *dentry,
- struct smb_ntsd *pntsd, int len)
+ struct smb_ntsd *pntsd, int len)
{
int rc;
struct ndr sd_ndr = {0}, acl_ndr = {0};
@@ -1489,7 +1489,7 @@ int ksmbd_vfs_set_sd_xattr(struct ksmbd_conn *conn, struct dentry *dentry,
smb_acl = ksmbd_vfs_make_xattr_posix_acl(inode, ACL_TYPE_ACCESS);
if (S_ISDIR(inode->i_mode))
def_smb_acl = ksmbd_vfs_make_xattr_posix_acl(inode,
- ACL_TYPE_DEFAULT);
+ ACL_TYPE_DEFAULT);
rc = ndr_encode_posix_acl(&acl_ndr, inode, smb_acl, def_smb_acl);
if (rc) {
@@ -1498,7 +1498,7 @@ int ksmbd_vfs_set_sd_xattr(struct ksmbd_conn *conn, struct dentry *dentry,
}
rc = ksmbd_gen_sd_hash(conn, acl_ndr.data, acl_ndr.offset,
- acl.posix_acl_hash);
+ acl.posix_acl_hash);
if (rc) {
ksmbd_err("failed to generate hash for ndr acl\n");
goto out;
@@ -1511,7 +1511,7 @@ int ksmbd_vfs_set_sd_xattr(struct ksmbd_conn *conn, struct dentry *dentry,
}
rc = ksmbd_vfs_setxattr(dentry, XATTR_NAME_SD, sd_ndr.data,
- sd_ndr.offset, 0);
+ sd_ndr.offset, 0);
if (rc < 0)
ksmbd_err("Failed to store XATTR ntacl :%d\n", rc);
@@ -1524,7 +1524,7 @@ int ksmbd_vfs_set_sd_xattr(struct ksmbd_conn *conn, struct dentry *dentry,
}
int ksmbd_vfs_get_sd_xattr(struct ksmbd_conn *conn, struct dentry *dentry,
- struct smb_ntsd **pntsd)
+ struct smb_ntsd **pntsd)
{
int rc;
struct ndr n;
@@ -1543,10 +1543,10 @@ int ksmbd_vfs_get_sd_xattr(struct ksmbd_conn *conn, struct dentry *dentry,
return rc;
smb_acl = ksmbd_vfs_make_xattr_posix_acl(inode,
- ACL_TYPE_ACCESS);
+ ACL_TYPE_ACCESS);
if (S_ISDIR(inode->i_mode))
def_smb_acl = ksmbd_vfs_make_xattr_posix_acl(inode,
- ACL_TYPE_DEFAULT);
+ ACL_TYPE_DEFAULT);
rc = ndr_encode_posix_acl(&acl_ndr, inode, smb_acl, def_smb_acl);
if (rc) {
@@ -1555,7 +1555,7 @@ int ksmbd_vfs_get_sd_xattr(struct ksmbd_conn *conn, struct dentry *dentry,
}
rc = ksmbd_gen_sd_hash(conn, acl_ndr.data, acl_ndr.offset,
- cmp_hash);
+ cmp_hash);
if (rc) {
ksmbd_err("failed to generate hash for ndr acl\n");
goto out;
@@ -1587,7 +1587,7 @@ int ksmbd_vfs_get_sd_xattr(struct ksmbd_conn *conn, struct dentry *dentry,
}
int ksmbd_vfs_set_dos_attrib_xattr(struct dentry *dentry,
- struct xattr_dos_attrib *da)
+ struct xattr_dos_attrib *da)
{
struct ndr n;
int err;
@@ -1596,11 +1596,8 @@ int ksmbd_vfs_set_dos_attrib_xattr(struct dentry *dentry,
if (err)
return err;
- err = ksmbd_vfs_setxattr(dentry,
- XATTR_NAME_DOS_ATTRIBUTE,
- (void *)n.data,
- n.offset,
- 0);
+ err = ksmbd_vfs_setxattr(dentry, XATTR_NAME_DOS_ATTRIBUTE,
+ (void *)n.data, n.offset, 0);
if (err)
ksmbd_debug(SMB, "failed to store dos attribute in xattr\n");
kfree(n.data);
@@ -1609,14 +1606,13 @@ int ksmbd_vfs_set_dos_attrib_xattr(struct dentry *dentry,
}
int ksmbd_vfs_get_dos_attrib_xattr(struct dentry *dentry,
- struct xattr_dos_attrib *da)
+ struct xattr_dos_attrib *da)
{
struct ndr n;
int err;
- err = ksmbd_vfs_getxattr(dentry,
- XATTR_NAME_DOS_ATTRIBUTE,
- (char **)&n.data);
+ err = ksmbd_vfs_getxattr(dentry, XATTR_NAME_DOS_ATTRIBUTE,
+ (char **)&n.data);
if (err > 0) {
n.length = err;
if (ndr_decode_dos_attr(&n, da))
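Review bot: In ksmbd_vfs_get_dos_attrib_xattr() the result of ksmbd_vfs_getxattr(), declared as returning ssize_t, is stored in `int err` and then copied into `n.length`. Declaring a separate ssize_t for the length would avoid the implicit narrowing and keep `err` for error codes only.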
@@ -1648,7 +1644,7 @@ struct posix_acl *ksmbd_vfs_get_acl(struct inode *inode, int type)
}
int ksmbd_vfs_set_posix_acl(struct inode *inode, int type,
- struct posix_acl *acl)
+ struct posix_acl *acl)
{
#if IS_ENABLED(CONFIG_FS_POSIX_ACL)
return set_posix_acl(&init_user_ns, inode, type, acl);
@@ -1690,7 +1686,7 @@ void *ksmbd_vfs_init_kstat(char **p, struct ksmbd_kstat *ksmbd_kstat)
}
int ksmbd_vfs_fill_dentry_attrs(struct ksmbd_work *work, struct dentry *dentry,
- struct ksmbd_kstat *ksmbd_kstat)
+ struct ksmbd_kstat *ksmbd_kstat)
{
u64 time;
int rc;
@@ -1726,7 +1722,7 @@ int ksmbd_vfs_fill_dentry_attrs(struct ksmbd_work *work, struct dentry *dentry,
}
ssize_t ksmbd_vfs_casexattr_len(struct dentry *dentry, char *attr_name,
- int attr_name_len)
+ int attr_name_len)
{
char *name, *xattr_list = NULL;
ssize_t value_len = -ENOENT, xattr_list_len;
@@ -1751,7 +1747,7 @@ ssize_t ksmbd_vfs_casexattr_len(struct dentry *dentry, char *attr_name,
}
int ksmbd_vfs_xattr_stream_name(char *stream_name, char **xattr_stream_name,
- size_t *xattr_stream_name_size, int s_type)
+ size_t *xattr_stream_name_size, int s_type)
{
int stream_name_size;
char *xattr_stream_name_buf;
@@ -1767,18 +1763,15 @@ int ksmbd_vfs_xattr_stream_name(char *stream_name, char **xattr_stream_name,
stream_name_size = strlen(stream_name);
*xattr_stream_name_size = stream_name_size + XATTR_NAME_STREAM_LEN + 1;
xattr_stream_name_buf = kmalloc(*xattr_stream_name_size + type_len,
- GFP_KERNEL);
+ GFP_KERNEL);
if (!xattr_stream_name_buf)
return -ENOMEM;
- memcpy(xattr_stream_name_buf,
- XATTR_NAME_STREAM,
- XATTR_NAME_STREAM_LEN);
+ memcpy(xattr_stream_name_buf, XATTR_NAME_STREAM, XATTR_NAME_STREAM_LEN);
if (stream_name_size) {
memcpy(&xattr_stream_name_buf[XATTR_NAME_STREAM_LEN],
- stream_name,
- stream_name_size);
+ stream_name, stream_name_size);
}
memcpy(&xattr_stream_name_buf[*xattr_stream_name_size - 1], type, type_len);
*xattr_stream_name_size += type_len;
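Review bot: `stream_name_size = strlen(stream_name)` stores a size_t in a variable declared `int` in the preceding hunk, and that value then feeds the kmalloc() size and the memcpy() lengths collapsed here. Making stream_name_size a size_t keeps the allocation and copy arithmetic in one unsigned type. The braces around the single memcpy() in `if (stream_name_size)` could also be dropped now that the call fits on two lines.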
@@ -1790,7 +1783,7 @@ int ksmbd_vfs_xattr_stream_name(char *stream_name, char **xattr_stream_name,
}
int ksmbd_vfs_copy_file_range(struct file *file_in, loff_t pos_in,
- struct file *file_out, loff_t pos_out, size_t len)
+ struct file *file_out, loff_t pos_out, size_t len)
{
struct inode *inode_in = file_inode(file_in);
struct inode *inode_out = file_inode(file_out);
@@ -1820,7 +1813,7 @@ int ksmbd_vfs_copy_file_range(struct file *file_in, loff_t pos_in,
* in do_splice_direct
*/
ret = do_splice_direct(file_in, &pos_in, file_out, &pos_out,
- len > MAX_RW_COUNT ? MAX_RW_COUNT : len, 0);
+ len > MAX_RW_COUNT ? MAX_RW_COUNT : len, 0);
if (ret > 0) {
fsnotify_access(file_in);
add_rchar(current, ret);
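Review bot: The open-coded clamp `len > MAX_RW_COUNT ? MAX_RW_COUNT : len` in the do_splice_direct() call reads better as `min_t(size_t, len, MAX_RW_COUNT)`, which also shortens the re-indented continuation line.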
@@ -1836,10 +1829,13 @@ int ksmbd_vfs_copy_file_range(struct file *file_in, loff_t pos_in,
}
int ksmbd_vfs_copy_file_ranges(struct ksmbd_work *work,
- struct ksmbd_file *src_fp, struct ksmbd_file *dst_fp,
- struct srv_copychunk *chunks, unsigned int chunk_count,
- unsigned int *chunk_count_written,
- unsigned int *chunk_size_written, loff_t *total_size_written)
+ struct ksmbd_file *src_fp,
+ struct ksmbd_file *dst_fp,
+ struct srv_copychunk *chunks,
+ unsigned int chunk_count,
+ unsigned int *chunk_count_written,
+ unsigned int *chunk_size_written,
+ loff_t *total_size_written)
{
unsigned int i;
loff_t src_off, dst_off, src_file_size;
@@ -1890,7 +1886,7 @@ int ksmbd_vfs_copy_file_ranges(struct ksmbd_work *work,
return -E2BIG;
ret = ksmbd_vfs_copy_file_range(src_fp->filp, src_off,
- dst_fp->filp, dst_off, len);
+ dst_fp->filp, dst_off, len);
if (ret < 0)
return ret;
@@ -1949,13 +1945,13 @@ int ksmbd_vfs_set_init_posix_acl(struct inode *inode)
rc = ksmbd_vfs_set_posix_acl(inode, ACL_TYPE_ACCESS, acls);
if (rc < 0)
ksmbd_debug(SMB, "Set posix acl(ACL_TYPE_ACCESS) failed, rc : %d\n",
- rc);
+ rc);
else if (S_ISDIR(inode->i_mode)) {
posix_state_to_acl(&acl_state, acls->a_entries);
rc = ksmbd_vfs_set_posix_acl(inode, ACL_TYPE_DEFAULT, acls);
if (rc < 0)
ksmbd_debug(SMB, "Set posix acl(ACL_TYPE_DEFAULT) failed, rc : %d\n",
- rc);
+ rc);
}
free_acl_state(&acl_state);
posix_acl_release(acls);
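Review bot: In ksmbd_vfs_set_init_posix_acl() the `if (rc < 0)` branch is unbraced while the `else if (S_ISDIR(...))` branch is braced; kernel coding style asks for braces on all branches when any one needs them. Since the continuation lines in both branches are being re-indented, add the braces to the first branch in the same pass.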
@@ -1983,12 +1979,12 @@ int ksmbd_vfs_inherit_posix_acl(struct inode *inode, struct inode *parent_inode)
rc = ksmbd_vfs_set_posix_acl(inode, ACL_TYPE_ACCESS, acls);
if (rc < 0)
ksmbd_debug(SMB, "Set posix acl(ACL_TYPE_ACCESS) failed, rc : %d\n",
- rc);
+ rc);
if (S_ISDIR(inode->i_mode)) {
rc = ksmbd_vfs_set_posix_acl(inode, ACL_TYPE_DEFAULT, acls);
if (rc < 0)
ksmbd_debug(SMB, "Set posix acl(ACL_TYPE_DEFAULT) failed, rc : %d\n",
- rc);
+ rc);
}
posix_acl_release(acls);
return rc;
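Review bot: In ksmbd_vfs_inherit_posix_acl() a failure from the ACL_TYPE_ACCESS call is only logged; for directories `rc` is then overwritten by the ACL_TYPE_DEFAULT call, so the function can return 0 after the access ACL failed to apply. Either return early on the first failure or keep the first error so the caller sees it.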
diff --git a/fs/cifsd/vfs.h b/fs/cifsd/vfs.h
index 2d19e2bac33a..5db1e9e2a754 100644
--- a/fs/cifsd/vfs.h
+++ b/fs/cifsd/vfs.h
@@ -191,84 +191,85 @@ struct ksmbd_fs_sector_size {
};
int ksmbd_vfs_inode_permission(struct dentry *dentry, int acc_mode,
- bool delete);
+ bool delete);
int ksmbd_vfs_query_maximal_access(struct dentry *dentry, __le32 *daccess);
int ksmbd_vfs_create(struct ksmbd_work *work, const char *name, umode_t mode);
int ksmbd_vfs_mkdir(struct ksmbd_work *work, const char *name, umode_t mode);
int ksmbd_vfs_read(struct ksmbd_work *work, struct ksmbd_file *fp,
- size_t count, loff_t *pos);
+ size_t count, loff_t *pos);
int ksmbd_vfs_write(struct ksmbd_work *work, struct ksmbd_file *fp,
- char *buf, size_t count, loff_t *pos, bool sync,
- ssize_t *written);
+ char *buf, size_t count, loff_t *pos, bool sync,
+ ssize_t *written);
int ksmbd_vfs_fsync(struct ksmbd_work *work, u64 fid, u64 p_id);
int ksmbd_vfs_remove_file(struct ksmbd_work *work, char *name);
int ksmbd_vfs_link(struct ksmbd_work *work,
- const char *oldname, const char *newname);
+ const char *oldname, const char *newname);
int ksmbd_vfs_getattr(struct path *path, struct kstat *stat);
-
int ksmbd_vfs_fp_rename(struct ksmbd_work *work, struct ksmbd_file *fp,
- char *newname);
-
+ char *newname);
int ksmbd_vfs_truncate(struct ksmbd_work *work, const char *name,
- struct ksmbd_file *fp, loff_t size);
-
+ struct ksmbd_file *fp, loff_t size);
struct srv_copychunk;
int ksmbd_vfs_copy_file_ranges(struct ksmbd_work *work,
- struct ksmbd_file *src_fp, struct ksmbd_file *dst_fp,
- struct srv_copychunk *chunks, unsigned int chunk_count,
- unsigned int *chunk_count_written,
- unsigned int *chunk_size_written, loff_t *total_size_written);
+ struct ksmbd_file *src_fp,
+ struct ksmbd_file *dst_fp,
+ struct srv_copychunk *chunks,
+ unsigned int chunk_count,
+ unsigned int *chunk_count_written,
+ unsigned int *chunk_size_written,
+ loff_t *total_size_written);
int ksmbd_vfs_copy_file_range(struct file *file_in, loff_t pos_in,
- struct file *file_out, loff_t pos_out, size_t len);
+ struct file *file_out, loff_t pos_out,
+ size_t len);
ssize_t ksmbd_vfs_listxattr(struct dentry *dentry, char **list);
ssize_t ksmbd_vfs_getxattr(struct dentry *dentry, char *xattr_name,
- char **xattr_buf);
+ char **xattr_buf);
ssize_t ksmbd_vfs_casexattr_len(struct dentry *dentry, char *attr_name,
- int attr_name_len);
+ int attr_name_len);
int ksmbd_vfs_setxattr(struct dentry *dentry, const char *attr_name,
- const void *attr_value, size_t attr_size, int flags);
+ const void *attr_value, size_t attr_size, int flags);
int ksmbd_vfs_xattr_stream_name(char *stream_name, char **xattr_stream_name,
- size_t *xattr_stream_name_size, int s_type);
+ size_t *xattr_stream_name_size, int s_type);
int ksmbd_vfs_remove_xattr(struct dentry *dentry, char *attr_name);
int ksmbd_vfs_kern_path(char *name, unsigned int flags, struct path *path,
- bool caseless);
+ bool caseless);
int ksmbd_vfs_empty_dir(struct ksmbd_file *fp);
void ksmbd_vfs_set_fadvise(struct file *filp, __le32 option);
int ksmbd_vfs_lock(struct file *filp, int cmd, struct file_lock *flock);
int ksmbd_vfs_readdir(struct file *file, struct ksmbd_readdir_data *rdata);
int ksmbd_vfs_alloc_size(struct ksmbd_work *work, struct ksmbd_file *fp,
- loff_t len);
+ loff_t len);
int ksmbd_vfs_zero_data(struct ksmbd_work *work, struct ksmbd_file *fp,
- loff_t off, loff_t len);
+ loff_t off, loff_t len);
struct file_allocated_range_buffer;
int ksmbd_vfs_fqar_lseek(struct ksmbd_file *fp, loff_t start, loff_t length,
- struct file_allocated_range_buffer *ranges,
- int in_count, int *out_count);
+ struct file_allocated_range_buffer *ranges,
+ int in_count, int *out_count);
int ksmbd_vfs_unlink(struct dentry *dir, struct dentry *dentry);
unsigned short ksmbd_vfs_logical_sector_size(struct inode *inode);
void ksmbd_vfs_smb2_sector_size(struct inode *inode,
- struct ksmbd_fs_sector_size *fs_ss);
+ struct ksmbd_fs_sector_size *fs_ss);
void *ksmbd_vfs_init_kstat(char **p, struct ksmbd_kstat *ksmbd_kstat);
int ksmbd_vfs_fill_dentry_attrs(struct ksmbd_work *work, struct dentry *dentry,
- struct ksmbd_kstat *ksmbd_kstat);
+ struct ksmbd_kstat *ksmbd_kstat);
int ksmbd_vfs_posix_lock_wait(struct file_lock *flock);
int ksmbd_vfs_posix_lock_wait_timeout(struct file_lock *flock, long timeout);
void ksmbd_vfs_posix_lock_unblock(struct file_lock *flock);
int ksmbd_vfs_remove_acl_xattrs(struct dentry *dentry);
int ksmbd_vfs_remove_sd_xattrs(struct dentry *dentry);
int ksmbd_vfs_set_sd_xattr(struct ksmbd_conn *conn, struct dentry *dentry,
- struct smb_ntsd *pntsd, int len);
+ struct smb_ntsd *pntsd, int len);
int ksmbd_vfs_get_sd_xattr(struct ksmbd_conn *conn, struct dentry *dentry,
- struct smb_ntsd **pntsd);
+ struct smb_ntsd **pntsd);
int ksmbd_vfs_set_dos_attrib_xattr(struct dentry *dentry,
- struct xattr_dos_attrib *da);
+ struct xattr_dos_attrib *da);
int ksmbd_vfs_get_dos_attrib_xattr(struct dentry *dentry,
- struct xattr_dos_attrib *da);
+ struct xattr_dos_attrib *da);
struct posix_acl *ksmbd_vfs_posix_acl_alloc(int count, gfp_t flags);
struct posix_acl *ksmbd_vfs_get_acl(struct inode *inode, int type);
int ksmbd_vfs_set_posix_acl(struct inode *inode, int type,
- struct posix_acl *acl);
+ struct posix_acl *acl);
int ksmbd_vfs_set_init_posix_acl(struct inode *inode);
int ksmbd_vfs_inherit_posix_acl(struct inode *inode,
- struct inode *parent_inode);
+ struct inode *parent_inode);
#endif /* __KSMBD_VFS_H__ */
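Review bot: Besides re-aligning continuation lines, this vfs.h hunk deletes the blank lines that separated ksmbd_vfs_getattr(), ksmbd_vfs_fp_rename(), ksmbd_vfs_truncate() and the `struct srv_copychunk` forward declaration. That is a separate cleanup from argument alignment and should be mentioned in the commit message or split out.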
diff --git a/fs/cifsd/vfs_cache.c b/fs/cifsd/vfs_cache.c
index 3286e74e2a56..6ea09fe82814 100644
--- a/fs/cifsd/vfs_cache.c
+++ b/fs/cifsd/vfs_cache.c
@@ -255,7 +255,7 @@ static void __ksmbd_inode_close(struct ksmbd_file *fp)
fp->stream.name);
if (err)
ksmbd_err("remove xattr failed : %s\n",
- fp->stream.name);
+ fp->stream.name);
}
if (atomic_dec_and_test(&ci->m_count)) {
@@ -326,7 +326,7 @@ static struct ksmbd_file *ksmbd_fp_get(struct ksmbd_file *fp)
}
static struct ksmbd_file *__ksmbd_lookup_fd(struct ksmbd_file_table *ft,
- unsigned int id)
+ unsigned int id)
{
struct ksmbd_file *fp;
@@ -350,7 +350,7 @@ static void set_close_state_blocked_works(struct ksmbd_file *fp)
spin_lock(&fp->f_lock);
list_for_each_entry_safe(cancel_work, ctmp, &fp->blocked_works,
- fp_entry) {
+ fp_entry) {
list_del(&cancel_work->fp_entry);
cancel_work->state = KSMBD_WORK_CLOSED;
cancel_work->cancel_fn(cancel_work->cancel_argv);
@@ -420,7 +420,7 @@ struct ksmbd_file *ksmbd_lookup_fd_fast(struct ksmbd_work *work, unsigned int id
}
struct ksmbd_file *ksmbd_lookup_fd_slow(struct ksmbd_work *work, unsigned int id,
- unsigned int pid)
+ unsigned int pid)
{
struct ksmbd_file *fp;
@@ -577,8 +577,10 @@ struct ksmbd_file *ksmbd_open_fd(struct ksmbd_work *work, struct file *filp)
}
static int
-__close_file_table_ids(struct ksmbd_file_table *ft, struct ksmbd_tree_connect *tcon,
- bool (*skip)(struct ksmbd_tree_connect *tcon, struct ksmbd_file *fp))
+__close_file_table_ids(struct ksmbd_file_table *ft,
+ struct ksmbd_tree_connect *tcon,
+ bool (*skip)(struct ksmbd_tree_connect *tcon,
+ struct ksmbd_file *fp))
{
unsigned int id;
struct ksmbd_file *fp;
diff --git a/fs/cifsd/vfs_cache.h b/fs/cifsd/vfs_cache.h
index 5638641dd0cf..823fcb257a42 100644
--- a/fs/cifsd/vfs_cache.h
+++ b/fs/cifsd/vfs_cache.h
@@ -149,7 +149,7 @@ int ksmbd_close_fd(struct ksmbd_work *work, unsigned int id);
struct ksmbd_file *ksmbd_lookup_fd_fast(struct ksmbd_work *work, unsigned int id);
struct ksmbd_file *ksmbd_lookup_foreign_fd(struct ksmbd_work *work, unsigned int id);
struct ksmbd_file *ksmbd_lookup_fd_slow(struct ksmbd_work *work, unsigned int id,
- unsigned int pid);
+ unsigned int pid);
void ksmbd_fd_put(struct ksmbd_work *work, struct ksmbd_file *fp);
struct ksmbd_file *ksmbd_lookup_durable_fd(unsigned long long id);
struct ksmbd_file *ksmbd_lookup_fd_cguid(char *cguid);
From patchwork Mon Nov 14 12:50:04 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Jason Yan <yanaijie(a)huawei.com>
X-Patchwork-Id: 183192
From: Jason Yan <yanaijie(a)huawei.com>
To: <yanaijie(a)huawei.com>, <zhengzengkai(a)huawei.com>, <xiexiuqi(a)huawei.com>,
<yi.zhang(a)huawei.com>, <patchwork(a)huawei.com>, <kernel.openeuler(a)huawei.com>,
<houtao1(a)huawei.com>
Subject: [PATCH OLK-5.10 v2 095/308] cifsd: remove unnecessary parentheses
around
Date: Mon, 14 Nov 2022 20:50:04 +0800
Message-ID: <20221114125337.1831594-96-yanaijie(a)huawei.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20221114125337.1831594-1-yanaijie(a)huawei.com>
References: <20221114125337.1831594-1-yanaijie(a)huawei.com>
From: Namjae Jeon <namjae.jeon(a)samsung.com>
mainline inclusion
from mainline-5.15-rc1
commit c986ed981ae6a622a453c533389994b6aed6359b
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G
CVE: NA
Reference: https://git.kernel.org/torvalds/linux/c/c986ed981ae6
-------------------------------
Fix warnings from checkpatch.pl --strict :
CHECK: Unnecessary parentheses around 'brk_op->o_lease->new_state ==
SMB2_LEASE_NONE_LE'
#1511: FILE: oplock.c:1511:
+ if (brk_op->is_lease &&
+ (brk_op->o_lease->new_state == SMB2_LEASE_NONE_LE)
&&
+ atomic_read(&brk_op->breaking_cnt))
Signed-off-by: Namjae Jeon <namjae.jeon(a)samsung.com>
Signed-off-by: Steve French <stfrench(a)microsoft.com>
Signed-off-by: Jason Yan <yanaijie(a)huawei.com>
---
fs/cifsd/oplock.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/fs/cifsd/oplock.c b/fs/cifsd/oplock.c
index 56c68e9cb7ff..f76de7861e7b 100644
--- a/fs/cifsd/oplock.c
+++ b/fs/cifsd/oplock.c
@@ -1262,7 +1262,7 @@ void smb_break_all_levII_oplock(struct ksmbd_work *work, struct ksmbd_file *fp,
/* Skip oplock being break to none */
if (brk_op->is_lease &&
- (brk_op->o_lease->new_state == SMB2_LEASE_NONE_LE) &&
+ brk_op->o_lease->new_state == SMB2_LEASE_NONE_LE &&
atomic_read(&brk_op->breaking_cnt))
goto next;
From patchwork Mon Nov 14 12:50:05 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Jason Yan <yanaijie(a)huawei.com>
X-Patchwork-Id: 183193
From: Jason Yan <yanaijie(a)huawei.com>
To: <yanaijie(a)huawei.com>, <zhengzengkai(a)huawei.com>, <xiexiuqi(a)huawei.com>,
<yi.zhang(a)huawei.com>, <patchwork(a)huawei.com>, <kernel.openeuler(a)huawei.com>,
<houtao1(a)huawei.com>
Subject: [PATCH OLK-5.10 v2 096/308] cifsd: Prefer kernel type 'u16' over
'uint16_t'
Date: Mon, 14 Nov 2022 20:50:05 +0800
Message-ID: <20221114125337.1831594-97-yanaijie(a)huawei.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20221114125337.1831594-1-yanaijie(a)huawei.com>
References: <20221114125337.1831594-1-yanaijie(a)huawei.com>
From: Namjae Jeon <namjae.jeon(a)samsung.com>
mainline inclusion
from mainline-5.15-rc1
commit fc2d1b58c4f2c7240093d738ca99cfcf7a8b3107
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G
CVE: NA
Reference: https://git.kernel.org/torvalds/linux/c/fc2d1b58c4f2
-------------------------------
Fix a warning from checkpatch.pl --strict:
CHECK: Prefer kernel type 'u16' over 'uint16_t'
#112: FILE: server.c:112:
+ uint16_t command;
Signed-off-by: Namjae Jeon <namjae.jeon(a)samsung.com>
Signed-off-by: Steve French <stfrench(a)microsoft.com>
Signed-off-by: Jason Yan <yanaijie(a)huawei.com>
---
fs/cifsd/server.c | 4 ++--
fs/cifsd/smb2pdu.c | 2 +-
fs/cifsd/smb_common.h | 2 +-
3 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/fs/cifsd/server.c b/fs/cifsd/server.c
index 87838f76a348..a71fafa176b3 100644
--- a/fs/cifsd/server.c
+++ b/fs/cifsd/server.c
@@ -106,10 +106,10 @@ static inline int check_conn_state(struct ksmbd_work *work)
#define TCP_HANDLER_ABORT 1
static int __process_request(struct ksmbd_work *work, struct ksmbd_conn *conn,
- uint16_t *cmd)
+ u16 *cmd)
{
struct smb_version_cmds *cmds;
- uint16_t command;
+ u16 command;
int ret;
if (check_conn_state(work))
diff --git a/fs/cifsd/smb2pdu.c b/fs/cifsd/smb2pdu.c
index 84b243b3895a..212cdffd27bc 100644
--- a/fs/cifsd/smb2pdu.c
+++ b/fs/cifsd/smb2pdu.c
@@ -193,7 +193,7 @@ int is_smb2_rsp(struct ksmbd_work *work)
*
* Return: smb2 request command value
*/
-uint16_t get_smb2_cmd_val(struct ksmbd_work *work)
+u16 get_smb2_cmd_val(struct ksmbd_work *work)
{
struct smb2_hdr *rcv_hdr;
diff --git a/fs/cifsd/smb_common.h b/fs/cifsd/smb_common.h
index 2d7b1c693ff4..6e7404b8db96 100644
--- a/fs/cifsd/smb_common.h
+++ b/fs/cifsd/smb_common.h
@@ -469,7 +469,7 @@ struct filesystem_posix_info {
} __packed;
struct smb_version_ops {
- uint16_t (*get_cmd_val)(struct ksmbd_work *swork);
+ u16 (*get_cmd_val)(struct ksmbd_work *swork);
int (*init_rsp_hdr)(struct ksmbd_work *swork);
void (*set_rsp_status)(struct ksmbd_work *swork, __le32 err);
int (*allocate_rsp_buf)(struct ksmbd_work *work);
From patchwork Mon Nov 14 12:50:06 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Jason Yan <yanaijie(a)huawei.com>
X-Patchwork-Id: 183194
From: Jason Yan <yanaijie(a)huawei.com>
To: <yanaijie(a)huawei.com>, <zhengzengkai(a)huawei.com>, <xiexiuqi(a)huawei.com>,
<yi.zhang(a)huawei.com>, <patchwork(a)huawei.com>, <kernel.openeuler(a)huawei.com>,
<houtao1(a)huawei.com>
Subject: [PATCH OLK-5.10 v2 097/308] cifsd: lookup a file with LOOKUP_FOLLOW
only if 'follow symlinks = yes'
Date: Mon, 14 Nov 2022 20:50:06 +0800
Message-ID: <20221114125337.1831594-98-yanaijie(a)huawei.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20221114125337.1831594-1-yanaijie(a)huawei.com>
References: <20221114125337.1831594-1-yanaijie(a)huawei.com>
From: Hyunchul Lee <hyc.lee(a)gmail.com>
mainline inclusion
from mainline-5.15-rc1
commit a6a5fa77805b291afc90291a6ae705b1759b9735
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G
CVE: NA
Reference: https://git.kernel.org/torvalds/linux/c/a6a5fa77805b
-------------------------------
Some vfs helper functions look up a file with
LOOKUP_FOLLOW regardless of the "follow symlinks"
option.
Signed-off-by: Hyunchul Lee <hyc.lee(a)gmail.com>
Signed-off-by: Namjae Jeon <namjae.jeon(a)samsung.com>
Signed-off-by: Steve French <stfrench(a)microsoft.com>
Signed-off-by: Jason Yan <yanaijie(a)huawei.com>
---
fs/cifsd/smb2pdu.c | 6 +++++-
fs/cifsd/vfs.c | 24 ++++++++++++++++++++----
2 files changed, 25 insertions(+), 5 deletions(-)
diff --git a/fs/cifsd/smb2pdu.c b/fs/cifsd/smb2pdu.c
index 212cdffd27bc..f68e2638d629 100644
--- a/fs/cifsd/smb2pdu.c
+++ b/fs/cifsd/smb2pdu.c
@@ -4583,8 +4583,12 @@ static int smb2_get_info_filesystem(struct ksmbd_work *work,
struct path path;
int rc = 0, len;
int fs_infoclass_size = 0;
+ int lookup_flags = 0;
- rc = ksmbd_vfs_kern_path(share->path, LOOKUP_FOLLOW, &path, 0);
+ if (test_share_config_flag(share, KSMBD_SHARE_FLAG_FOLLOW_SYMLINKS))
+ lookup_flags = LOOKUP_FOLLOW;
+
+ rc = ksmbd_vfs_kern_path(share->path, lookup_flags, &path, 0);
if (rc) {
ksmbd_err("cannot create vfs path\n");
return -EIO;
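Review bot: in smb2_get_info_filesystem() the lookup is on share->path, the configured share root, and with lookup_flags left at 0 a root that is itself a symlink now resolves to the link rather than its target, so the filesystem information is reported for the filesystem holding the link and not the one the share points at. Consider exempting the share root from the per-share option, or state in the commit message that a symlinked root is not supported when "follow symlinks" is off.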
diff --git a/fs/cifsd/vfs.c b/fs/cifsd/vfs.c
index 355e1a5a893b..291953eff5fa 100644
--- a/fs/cifsd/vfs.c
+++ b/fs/cifsd/vfs.c
@@ -572,11 +572,16 @@ int ksmbd_vfs_remove_file(struct ksmbd_work *work, char *name)
struct path path;
struct dentry *dentry, *parent;
int err;
+ int flags = 0;
if (ksmbd_override_fsids(work))
return -ENOMEM;
- err = kern_path(name, LOOKUP_FOLLOW, &path);
+ if (test_share_config_flag(work->tcon->share_conf,
+ KSMBD_SHARE_FLAG_FOLLOW_SYMLINKS))
+ flags = LOOKUP_FOLLOW;
+
+ err = kern_path(name, flags, &path);
if (err) {
ksmbd_debug(VFS, "can't get %s, err %d\n", name, err);
ksmbd_revert_fsids(work);
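Review bot: passing flags without LOOKUP_FOLLOW to kern_path() in ksmbd_vfs_remove_file() only stops the walk from following a symlink in the final component of name; symlinks in intermediate components are still traversed. If "follow symlinks = no" is meant to keep clients inside the share, the commit message should say that this change covers the trailing component only and name where containment for the rest of the path is enforced.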
@@ -634,11 +639,16 @@ int ksmbd_vfs_link(struct ksmbd_work *work, const char *oldname,
struct path oldpath, newpath;
struct dentry *dentry;
int err;
+ int flags = 0;
if (ksmbd_override_fsids(work))
return -ENOMEM;
- err = kern_path(oldname, LOOKUP_FOLLOW, &oldpath);
+ if (test_share_config_flag(work->tcon->share_conf,
+ KSMBD_SHARE_FLAG_FOLLOW_SYMLINKS))
+ flags = LOOKUP_FOLLOW;
+
+ err = kern_path(oldname, flags, &oldpath);
if (err) {
ksmbd_err("cannot get linux path for %s, err = %d\n",
oldname, err);
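Review bot: the test of KSMBD_SHARE_FLAG_FOLLOW_SYMLINKS on work->tcon->share_conf is open-coded here, in ksmbd_vfs_remove_file() and again in ksmbd_vfs_fp_rename(). A small helper that returns the lookup flags for a work item would keep the call sites identical and make it harder for a later caller to reintroduce an unconditional LOOKUP_FOLLOW.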
@@ -646,7 +656,7 @@ int ksmbd_vfs_link(struct ksmbd_work *work, const char *oldname,
}
dentry = kern_path_create(AT_FDCWD, newname, &newpath,
- LOOKUP_FOLLOW | LOOKUP_REVAL);
+ flags | LOOKUP_REVAL);
if (IS_ERR(dentry)) {
err = PTR_ERR(dentry);
ksmbd_err("path create err for %s, err %d\n", newname, err);
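Review bot: flags | LOOKUP_REVAL in the kern_path_create() call carries the follow decision into a function that does not use it, since filename_create() in fs/namei.c ignores every lookup flag except LOOKUP_REVAL and LOOKUP_DIRECTORY. Passing plain LOOKUP_REVAL here would state what actually happens and avoid suggesting that the share option affects creation of newname.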
@@ -749,6 +759,7 @@ int ksmbd_vfs_fp_rename(struct ksmbd_work *work, struct ksmbd_file *fp,
struct dentry *src_dent, *trap_dent, *src_child;
char *dst_name;
int err;
+ int flags;
dst_name = extract_last_component(newname);
if (!dst_name)
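Review bot: int flags; is declared here without an initialiser, unlike int flags = 0 in ksmbd_vfs_remove_file() and ksmbd_vfs_link() in the same patch, and it is only assigned further down just before kern_path(). Declaring it as int flags = LOOKUP_DIRECTORY; would match the other functions and rule out a read of an unset value if an earlier exit path ever starts using it.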
@@ -757,7 +768,12 @@ int ksmbd_vfs_fp_rename(struct ksmbd_work *work, struct ksmbd_file *fp,
src_dent_parent = dget_parent(fp->filp->f_path.dentry);
src_dent = fp->filp->f_path.dentry;
- err = kern_path(newname, LOOKUP_FOLLOW | LOOKUP_DIRECTORY, &dst_path);
+ flags = LOOKUP_DIRECTORY;
+ if (test_share_config_flag(work->tcon->share_conf,
+ KSMBD_SHARE_FLAG_FOLLOW_SYMLINKS))
+ flags |= LOOKUP_FOLLOW;
+
+ err = kern_path(newname, flags, &dst_path);
if (err) {
ksmbd_debug(VFS, "Cannot get path for %s [%d]\n", newname, err);
goto out;
From patchwork Mon Nov 14 12:50:07 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Jason Yan <yanaijie(a)huawei.com>
X-Patchwork-Id: 183195
From: Jason Yan <yanaijie(a)huawei.com>
To: <yanaijie(a)huawei.com>, <zhengzengkai(a)huawei.com>, <xiexiuqi(a)huawei.com>,
<yi.zhang(a)huawei.com>, <patchwork(a)huawei.com>, <kernel.openeuler(a)huawei.com>,
<houtao1(a)huawei.com>
Subject: [PATCH OLK-5.10 v2 098/308] cifsd: fix Control flow issues in
ksmbd_build_ntlmssp_challenge_blob()
Date: Mon, 14 Nov 2022 20:50:07 +0800
Message-ID: <20221114125337.1831594-99-yanaijie(a)huawei.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20221114125337.1831594-1-yanaijie(a)huawei.com>
References: <20221114125337.1831594-1-yanaijie(a)huawei.com>
From: Namjae Jeon <namjae.jeon(a)samsung.com>
mainline inclusion
from mainline-5.15-rc1
commit 152de8c68d13845592e8e511136842bcdb691063
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G
CVE: NA
Reference: https://git.kernel.org/torvalds/linux/c/152de8c68d13
-------------------------------
Fix a defect reported by Coverity Scan.
*** CID 1504970: Control flow issues (NO_EFFECT)
/fs/cifsd/auth.c: 622 in ksmbd_build_ntlmssp_challenge_blob()
616 name = kmalloc(2 + UNICODE_LEN(len), GFP_KERNEL);
617 if (!name)
618 return -ENOMEM;
619
620 conv_len = smb_strtoUTF16((__le16 *)name,
ksmbd_netbios_name(), len,
621 sess->conn->local_nls);
>>> CID 1504970: Control flow issues (NO_EFFECT)
>>> This less-than-zero comparison of an unsigned value is never true.
622 if (conv_len < 0 || conv_len > len) {
623 kfree(name);
624 return -EINVAL;
625 }
626
627 uni_len = UNICODE_LEN(conv_len);
Reported-by: Coverity Scan <scan-admin(a)coverity.com>
Signed-off-by: Namjae Jeon <namjae.jeon(a)samsung.com>
Signed-off-by: Steve French <stfrench(a)microsoft.com>
Signed-off-by: Jason Yan <yanaijie(a)huawei.com>
---
fs/cifsd/auth.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/fs/cifsd/auth.c b/fs/cifsd/auth.c
index 9b86cf4fd73f..5f47de49c05d 100644
--- a/fs/cifsd/auth.c
+++ b/fs/cifsd/auth.c
@@ -584,8 +584,8 @@ ksmbd_build_ntlmssp_challenge_blob(struct challenge_message *chgblob,
struct target_info *tinfo;
wchar_t *name;
__u8 *target_name;
- unsigned int len, flags, blob_off, blob_len, type, target_info_len = 0;
- unsigned int uni_len, conv_len;
+ unsigned int flags, blob_off, blob_len, type, target_info_len = 0;
+ int len, uni_len, conv_len;
int cflags = sess->ntlmssp.client_flags;
memcpy(chgblob->Signature, NTLMSSP_SIGNATURE, 8);
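Review bot: the Coverity report quoted in the commit message concerns only conv_len < 0, yet the new declaration also makes len and uni_len signed, and len feeds kmalloc(2 + UNICODE_LEN(len), GFP_KERNEL). If len has to be int so that conv_len > len compares like with like, say so in the commit message and confirm that len cannot be negative when it reaches the allocation; otherwise change only conv_len.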
From patchwork Mon Nov 14 12:50:08 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Jason Yan <yanaijie(a)huawei.com>
X-Patchwork-Id: 183196
From: Jason Yan <yanaijie(a)huawei.com>
To: <yanaijie(a)huawei.com>, <zhengzengkai(a)huawei.com>, <xiexiuqi(a)huawei.com>,
<yi.zhang(a)huawei.com>, <patchwork(a)huawei.com>, <kernel.openeuler(a)huawei.com>,
<houtao1(a)huawei.com>
Subject: [PATCH OLK-5.10 v2 099/308] cifsd: enclose macro variables in
parenthesis
Date: Mon, 14 Nov 2022 20:50:08 +0800
Message-ID: <20221114125337.1831594-100-yanaijie(a)huawei.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20221114125337.1831594-1-yanaijie(a)huawei.com>
References: <20221114125337.1831594-1-yanaijie(a)huawei.com>
From: Hyunchul Lee <hyc.lee(a)gmail.com>
mainline inclusion
from mainline-5.15-rc1
commit 40c594b647660bf91bc95fe7c9358bff7f56cf2e
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G
CVE: NA
Reference: https://git.kernel.org/torvalds/linux/c/40c594b64766
-------------------------------
checkpatch.pl complains as follows:
CHECK: Macro argument 'fp' may be better as '(fp)' to avoid
precedence issues.
Signed-off-by: Hyunchul Lee <hyc.lee(a)gmail.com>
Signed-off-by: Namjae Jeon <namjae.jeon(a)samsung.com>
Signed-off-by: Steve French <stfrench(a)microsoft.com>
Signed-off-by: Jason Yan <yanaijie(a)huawei.com>
---
fs/cifsd/vfs_cache.h | 16 ++++++++--------
1 file changed, 8 insertions(+), 8 deletions(-)
diff --git a/fs/cifsd/vfs_cache.h b/fs/cifsd/vfs_cache.h
index 823fcb257a42..635eedbd497c 100644
--- a/fs/cifsd/vfs_cache.h
+++ b/fs/cifsd/vfs_cache.h
@@ -25,14 +25,14 @@
#define KSMBD_NO_FID (UINT_MAX)
#define SMB2_NO_FID (0xFFFFFFFFFFFFFFFFULL)
-#define FP_FILENAME(fp) fp->filp->f_path.dentry->d_name.name
-#define FP_INODE(fp) d_inode(fp->filp->f_path.dentry)
-#define PARENT_INODE(fp) d_inode(fp->filp->f_path.dentry->d_parent)
-
-#define ATTR_FP(fp) (fp->attrib_only && \
- (fp->cdoption != FILE_OVERWRITE_IF_LE && \
- fp->cdoption != FILE_OVERWRITE_LE && \
- fp->cdoption != FILE_SUPERSEDE_LE))
+#define FP_FILENAME(fp) ((fp)->filp->f_path.dentry->d_name.name)
+#define FP_INODE(fp) d_inode((fp)->filp->f_path.dentry)
+#define PARENT_INODE(fp) d_inode((fp)->filp->f_path.dentry->d_parent)
+
+#define ATTR_FP(fp) ((fp)->attrib_only && \
+ ((fp)->cdoption != FILE_OVERWRITE_IF_LE && \
+ (fp)->cdoption != FILE_OVERWRITE_LE && \
+ (fp)->cdoption != FILE_SUPERSEDE_LE))
struct ksmbd_conn;
struct ksmbd_session;
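Review bot: ATTR_FP(fp) still expands its argument four times after the parentheses are added, so an argument with side effects would be evaluated repeatedly; the parentheses fix precedence only. A static inline bool that takes the file pointer would evaluate it once and type-check it, and FP_INODE() and PARENT_INODE() could be converted the same way.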
From patchwork Mon Nov 14 12:50:09 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Jason Yan <yanaijie(a)huawei.com>
X-Patchwork-Id: 183197
From: Jason Yan <yanaijie(a)huawei.com>
To: <yanaijie(a)huawei.com>, <zhengzengkai(a)huawei.com>, <xiexiuqi(a)huawei.com>,
<yi.zhang(a)huawei.com>, <patchwork(a)huawei.com>, <kernel.openeuler(a)huawei.com>,
<houtao1(a)huawei.com>
Subject: [PATCH OLK-5.10 v2 100/308] cifsd: make alignment match open
parenthesis
Date: Mon, 14 Nov 2022 20:50:09 +0800
Message-ID: <20221114125337.1831594-101-yanaijie(a)huawei.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20221114125337.1831594-1-yanaijie(a)huawei.com>
References: <20221114125337.1831594-1-yanaijie(a)huawei.com>
From: Hyunchul Lee <hyc.lee(a)gmail.com>
mainline inclusion
from mainline-5.15-rc1
commit d7e5852b4deb121e2c929b2bb7440c5db3e2f90a
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G
CVE: NA
Reference: https://git.kernel.org/torvalds/linux/c/d7e5852b4deb
-------------------------------
checkpatch.pl complains as follows:
Alignment should match open parenthesis.
Signed-off-by: Hyunchul Lee <hyc.lee(a)gmail.com>
Signed-off-by: Namjae Jeon <namjae.jeon(a)samsung.com>
Signed-off-by: Steve French <stfrench(a)microsoft.com>
Signed-off-by: Jason Yan <yanaijie(a)huawei.com>
---
fs/cifsd/smb2ops.c | 2 +-
fs/cifsd/smb2pdu.c | 2 +-
fs/cifsd/smb2pdu.h | 4 ++--
fs/cifsd/smbacl.h | 15 ++++++++-------
fs/cifsd/transport_ipc.h | 6 +++---
fs/cifsd/transport_tcp.c | 8 ++++----
fs/cifsd/vfs.c | 4 ++--
7 files changed, 21 insertions(+), 20 deletions(-)
diff --git a/fs/cifsd/smb2ops.c b/fs/cifsd/smb2ops.c
index 945bc6a78d3c..c47d60bce9d4 100644
--- a/fs/cifsd/smb2ops.c
+++ b/fs/cifsd/smb2ops.c
@@ -227,7 +227,7 @@ void init_smb3_0_server(struct ksmbd_conn *conn)
conn->vals->capabilities |= SMB2_GLOBAL_CAP_LEASING;
if (server_conf.flags & KSMBD_GLOBAL_FLAG_SMB2_ENCRYPTION &&
- conn->cli_cap & SMB2_GLOBAL_CAP_ENCRYPTION)
+ conn->cli_cap & SMB2_GLOBAL_CAP_ENCRYPTION)
conn->vals->capabilities |= SMB2_GLOBAL_CAP_ENCRYPTION;
}
diff --git a/fs/cifsd/smb2pdu.c b/fs/cifsd/smb2pdu.c
index f68e2638d629..3e112fbdc2d9 100644
--- a/fs/cifsd/smb2pdu.c
+++ b/fs/cifsd/smb2pdu.c
@@ -560,7 +560,7 @@ int smb2_allocate_rsp_buf(struct ksmbd_work *work)
sz = large_sz;
if (server_conf.flags & KSMBD_GLOBAL_FLAG_CACHE_TBUF &&
- work->set_trans_buf)
+ work->set_trans_buf)
work->response_buf = ksmbd_find_buffer(sz);
else
work->response_buf = kvmalloc(sz, GFP_KERNEL | __GFP_ZERO);
diff --git a/fs/cifsd/smb2pdu.h b/fs/cifsd/smb2pdu.h
index 1a8da2122b75..b3d3365d7070 100644
--- a/fs/cifsd/smb2pdu.h
+++ b/fs/cifsd/smb2pdu.h
@@ -1623,10 +1623,10 @@ void smb2_set_sign_rsp(struct ksmbd_work *work);
int smb3_check_sign_req(struct ksmbd_work *work);
void smb3_set_sign_rsp(struct ksmbd_work *work);
int find_matching_smb2_dialect(int start_index, __le16 *cli_dialects,
- __le16 dialects_count);
+ __le16 dialects_count);
struct file_lock *smb_flock_init(struct file *f);
int setup_async_work(struct ksmbd_work *work, void (*fn)(void **),
- void **arg);
+ void **arg);
void smb2_send_interim_resp(struct ksmbd_work *work, __le32 status);
struct channel *lookup_chann_list(struct ksmbd_session *sess);
void smb3_preauth_hash_rsp(struct ksmbd_work *work);
diff --git a/fs/cifsd/smbacl.h b/fs/cifsd/smbacl.h
index 032b6a3ec6f4..fb5480f0aa89 100644
--- a/fs/cifsd/smbacl.h
+++ b/fs/cifsd/smbacl.h
@@ -180,22 +180,23 @@ struct posix_acl_state {
};
int parse_sec_desc(struct smb_ntsd *pntsd, int acl_len,
- struct smb_fattr *fattr);
+ struct smb_fattr *fattr);
int build_sec_desc(struct smb_ntsd *pntsd, struct smb_ntsd *ppntsd,
- int addition_info, __u32 *secdesclen, struct smb_fattr *fattr);
+ int addition_info, __u32 *secdesclen,
+ struct smb_fattr *fattr);
int init_acl_state(struct posix_acl_state *state, int cnt);
void free_acl_state(struct posix_acl_state *state);
void posix_state_to_acl(struct posix_acl_state *state,
- struct posix_acl_entry *pace);
+ struct posix_acl_entry *pace);
int compare_sids(const struct smb_sid *ctsid, const struct smb_sid *cwsid);
bool smb_inherit_flags(int flags, bool is_dir);
int smb_inherit_dacl(struct ksmbd_conn *conn, struct dentry *dentry,
- unsigned int uid, unsigned int gid);
+ unsigned int uid, unsigned int gid);
int smb_check_perm_dacl(struct ksmbd_conn *conn, struct dentry *dentry,
- __le32 *pdaccess, int uid);
+ __le32 *pdaccess, int uid);
int set_info_sec(struct ksmbd_conn *conn, struct ksmbd_tree_connect *tcon,
- struct dentry *dentry, struct smb_ntsd *pntsd, int ntsd_len,
- bool type_check);
+ struct dentry *dentry, struct smb_ntsd *pntsd, int ntsd_len,
+ bool type_check);
void id_to_sid(unsigned int cid, uint sidtype, struct smb_sid *ssid);
void ksmbd_init_domain(u32 *sub_auth);
#endif /* _SMBACL_H */
diff --git a/fs/cifsd/transport_ipc.h b/fs/cifsd/transport_ipc.h
index 523b4df2c783..9eacc895ffdb 100644
--- a/fs/cifsd/transport_ipc.h
+++ b/fs/cifsd/transport_ipc.h
@@ -20,9 +20,9 @@ struct sockaddr;
struct ksmbd_tree_connect_response *
ksmbd_ipc_tree_connect_request(struct ksmbd_session *sess,
- struct ksmbd_share_config *share,
- struct ksmbd_tree_connect *tree_conn,
- struct sockaddr *peer_addr);
+ struct ksmbd_share_config *share,
+ struct ksmbd_tree_connect *tree_conn,
+ struct sockaddr *peer_addr);
int ksmbd_ipc_tree_disconnect_request(unsigned long long session_id,
unsigned long long connect_id);
int ksmbd_ipc_logout_request(const char *account);
diff --git a/fs/cifsd/transport_tcp.c b/fs/cifsd/transport_tcp.c
index 5bd332a58596..d6d5c0038dea 100644
--- a/fs/cifsd/transport_tcp.c
+++ b/fs/cifsd/transport_tcp.c
@@ -423,10 +423,10 @@ static int create_socket(struct interface *iface)
ksmbd_tcp_reuseaddr(ksmbd_socket);
ret = sock_setsockopt(ksmbd_socket,
- SOL_SOCKET,
- SO_BINDTODEVICE,
- KERNEL_SOCKPTR(iface->name),
- strlen(iface->name));
+ SOL_SOCKET,
+ SO_BINDTODEVICE,
+ KERNEL_SOCKPTR(iface->name),
+ strlen(iface->name));
if (ret != -ENODEV && ret < 0) {
ksmbd_err("Failed to set SO_BINDTODEVICE: %d\n", ret);
goto out_error;
diff --git a/fs/cifsd/vfs.c b/fs/cifsd/vfs.c
index 291953eff5fa..cd037594f486 100644
--- a/fs/cifsd/vfs.c
+++ b/fs/cifsd/vfs.c
@@ -934,8 +934,8 @@ ssize_t ksmbd_vfs_getxattr(struct dentry *dentry, char *xattr_name,
if (!buf)
return -ENOMEM;
- xattr_len = vfs_getxattr(&init_user_ns, dentry, xattr_name, (void *)buf,
- xattr_len);
+ xattr_len = vfs_getxattr(&init_user_ns, dentry, xattr_name,
+ (void *)buf, xattr_len);
if (xattr_len > 0)
*xattr_buf = buf;
else
From patchwork Mon Nov 14 12:50:10 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Jason Yan <yanaijie(a)huawei.com>
X-Patchwork-Id: 183198
From: Jason Yan <yanaijie(a)huawei.com>
To: <yanaijie(a)huawei.com>, <zhengzengkai(a)huawei.com>, <xiexiuqi(a)huawei.com>,
<yi.zhang(a)huawei.com>, <patchwork(a)huawei.com>, <kernel.openeuler(a)huawei.com>,
<houtao1(a)huawei.com>
Subject: [PATCH OLK-5.10 v2 101/308] cifsd: fix memleak in
ksmbd_vfs_stream_write()
Date: Mon, 14 Nov 2022 20:50:10 +0800
Message-ID: <20221114125337.1831594-102-yanaijie(a)huawei.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20221114125337.1831594-1-yanaijie(a)huawei.com>
References: <20221114125337.1831594-1-yanaijie(a)huawei.com>
From: Yang Yingliang <yangyingliang(a)huawei.com>
mainline inclusion
from mainline-5.15-rc1
commit 113ef68d47f5d36611c16a6ef4bd2a837aa344ab
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G
CVE: NA
Reference: https://git.kernel.org/torvalds/linux/c/113ef68d47f5
-------------------------------
Before assigning wbuf to stream_buf, memory allocated in
ksmbd_vfs_getcasexattr() needs to be freed.
Signed-off-by: Yang Yingliang <yangyingliang(a)huawei.com>
Signed-off-by: Namjae Jeon <namjae.jeon(a)samsung.com>
Signed-off-by: Steve French <stfrench(a)microsoft.com>
Signed-off-by: Jason Yan <yanaijie(a)huawei.com>
---
fs/cifsd/vfs.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/fs/cifsd/vfs.c b/fs/cifsd/vfs.c
index cd037594f486..e70b67e41cd4 100644
--- a/fs/cifsd/vfs.c
+++ b/fs/cifsd/vfs.c
@@ -429,6 +429,7 @@ static int ksmbd_vfs_stream_write(struct ksmbd_file *fp, char *buf, loff_t *pos,
if (v_len > 0)
memcpy(wbuf, stream_buf, v_len);
+ kvfree(stream_buf);
stream_buf = wbuf;
}
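Review bot: the added kvfree(stream_buf) runs unconditionally while the memcpy() just above it is guarded by v_len > 0, so the free relies on kvfree() accepting NULL when ksmbd_vfs_getcasexattr() handed back no buffer. That is valid, but a one-line comment that ownership moves from the xattr buffer to wbuf at this point would make the intent clear, and the commit message should say which caller path was leaking.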
From patchwork Mon Nov 14 12:50:11 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Jason Yan <yanaijie(a)huawei.com>
X-Patchwork-Id: 183199
From: Jason Yan <yanaijie(a)huawei.com>
To: <yanaijie(a)huawei.com>, <zhengzengkai(a)huawei.com>, <xiexiuqi(a)huawei.com>,
<yi.zhang(a)huawei.com>, <patchwork(a)huawei.com>, <kernel.openeuler(a)huawei.com>,
<houtao1(a)huawei.com>
Subject: [PATCH OLK-5.10 v2 102/308] cifsd: fix memleak in
ksmbd_vfs_stream_read()
Date: Mon, 14 Nov 2022 20:50:11 +0800
Message-ID: <20221114125337.1831594-103-yanaijie(a)huawei.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20221114125337.1831594-1-yanaijie(a)huawei.com>
References: <20221114125337.1831594-1-yanaijie(a)huawei.com>
From: Yang Yingliang <yangyingliang(a)huawei.com>
mainline inclusion
from mainline-5.15-rc1
commit 673b9ba7a1404fa5beda936b8ad509b70a516b52
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G
CVE: NA
Reference: https://git.kernel.org/torvalds/linux/c/673b9ba7a140
-------------------------------
Before ksmbd_vfs_stream_read() returns, memory allocated in
ksmbd_vfs_getcasexattr() needs to be freed.
Signed-off-by: Yang Yingliang <yangyingliang(a)huawei.com>
Signed-off-by: Namjae Jeon <namjae.jeon(a)samsung.com>
Signed-off-by: Steve French <stfrench(a)microsoft.com>
Signed-off-by: Jason Yan <yanaijie(a)huawei.com>
---
fs/cifsd/vfs.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/fs/cifsd/vfs.c b/fs/cifsd/vfs.c
index e70b67e41cd4..85872416bf9b 100644
--- a/fs/cifsd/vfs.c
+++ b/fs/cifsd/vfs.c
@@ -290,6 +290,7 @@ static int ksmbd_vfs_stream_read(struct ksmbd_file *fp, char *buf, loff_t *pos,
}
memcpy(buf, &stream_buf[*pos], count);
+ kvfree(stream_buf);
return v_len > count ? count : v_len;
}
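Review bot: the leak is closed, but the memcpy() directly above the new kvfree() still copies count bytes starting at stream_buf[*pos] with no check against v_len; the clamp in the return statement is applied only after the copy has run. A bounds check on *pos and count against v_len needs to come before the memcpy(), and the free is better placed behind a common exit label so that an early error return cannot skip it.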
From patchwork Mon Nov 14 12:50:12 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Jason Yan <yanaijie(a)huawei.com>
X-Patchwork-Id: 183200
From: Jason Yan <yanaijie(a)huawei.com>
To: <yanaijie(a)huawei.com>, <zhengzengkai(a)huawei.com>, <xiexiuqi(a)huawei.com>,
<yi.zhang(a)huawei.com>, <patchwork(a)huawei.com>, <kernel.openeuler(a)huawei.com>,
<houtao1(a)huawei.com>
Subject: [PATCH OLK-5.10 v2 103/308] cifsd: check return value of
ksmbd_vfs_getcasexattr() correctly
Date: Mon, 14 Nov 2022 20:50:12 +0800
Message-ID: <20221114125337.1831594-104-yanaijie(a)huawei.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20221114125337.1831594-1-yanaijie(a)huawei.com>
References: <20221114125337.1831594-1-yanaijie(a)huawei.com>
From: Yang Yingliang <yangyingliang(a)huawei.com>
mainline inclusion
from mainline-5.15-rc1
commit fd6de099d7fabc2b86f51dc622453eb279f7cce9
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G
CVE: NA
Reference: https://git.kernel.org/torvalds/linux/c/fd6de099d7fa
-------------------------------
If ksmbd_vfs_getcasexattr() returns -ENOMEM, stream_buf is NULL,
and it will cause a null-ptr-deref when it is used to copy memory. So we
need to check the return value of ksmbd_vfs_getcasexattr() by comparing
it with 0.
Signed-off-by: Yang Yingliang <yangyingliang(a)huawei.com>
Signed-off-by: Namjae Jeon <namjae.jeon(a)samsung.com>
Signed-off-by: Steve French <stfrench(a)microsoft.com>
Signed-off-by: Jason Yan <yanaijie(a)huawei.com>
---
fs/cifsd/vfs.c | 12 ++++--------
1 file changed, 4 insertions(+), 8 deletions(-)
diff --git a/fs/cifsd/vfs.c b/fs/cifsd/vfs.c
index 85872416bf9b..56b1091473b9 100644
--- a/fs/cifsd/vfs.c
+++ b/fs/cifsd/vfs.c
@@ -274,7 +274,6 @@ static int ksmbd_vfs_stream_read(struct ksmbd_file *fp, char *buf, loff_t *pos,
{
ssize_t v_len;
char *stream_buf = NULL;
- int err;
ksmbd_debug(VFS, "read stream data pos : %llu, count : %zd\n",
*pos, count);
@@ -283,11 +282,8 @@ static int ksmbd_vfs_stream_read(struct ksmbd_file *fp, char *buf, loff_t *pos,
fp->stream.name,
fp->stream.size,
&stream_buf);
- if (v_len == -ENOENT) {
- ksmbd_err("not found stream in xattr : %zd\n", v_len);
- err = -ENOENT;
- return err;
- }
+ if ((int)v_len <= 0)
+ return (int)v_len;
memcpy(buf, &stream_buf[*pos], count);
kvfree(stream_buf);
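Review bot: in the new check "if ((int)v_len <= 0)" the casts narrow an ssize_t to int before the comparison; compare v_len itself and cast only in the return statement. The early return also bypasses kvfree(stream_buf), which is correct only if ksmbd_vfs_getcasexattr() never hands back a buffer together with a zero or negative length, and it drops the ksmbd_err() line for the read path while the write path keeps it. Both points deserve a sentence in the commit message.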
@@ -415,9 +411,9 @@ static int ksmbd_vfs_stream_write(struct ksmbd_file *fp, char *buf, loff_t *pos,
fp->stream.name,
fp->stream.size,
&stream_buf);
- if (v_len == -ENOENT) {
+ if ((int)v_len < 0) {
ksmbd_err("not found stream in xattr : %zd\n", v_len);
- err = -ENOENT;
+ err = (int)v_len;
goto out;
}
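Review bot: with the condition widened to "(int)v_len < 0", the ksmbd_err() text "not found stream in xattr" is now printed for every error, including the -ENOMEM case the commit message describes; reword the message or print it only for -ENOENT. The write path also tests "< 0" where the read path in this same patch tests "<= 0"; if a zero-length stream is valid for writes but not for reads, a short comment should say so.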
From patchwork Mon Nov 14 12:50:13 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Jason Yan <yanaijie(a)huawei.com>
X-Patchwork-Id: 183201
From: Jason Yan <yanaijie(a)huawei.com>
To: <yanaijie(a)huawei.com>, <zhengzengkai(a)huawei.com>, <xiexiuqi(a)huawei.com>,
<yi.zhang(a)huawei.com>, <patchwork(a)huawei.com>, <kernel.openeuler(a)huawei.com>,
<houtao1(a)huawei.com>
Subject: [PATCH OLK-5.10 v2 104/308] cifsd: fix potential read overflow in
ksmbd_vfs_stream_read()
Date: Mon, 14 Nov 2022 20:50:13 +0800
Message-ID: <20221114125337.1831594-105-yanaijie(a)huawei.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20221114125337.1831594-1-yanaijie(a)huawei.com>
References: <20221114125337.1831594-1-yanaijie(a)huawei.com>
From: Namjae Jeon <namjae.jeon(a)samsung.com>
mainline inclusion
from mainline-5.15-rc1
commit 2ae1a6cc43027d84e33819ac4376c5e5e11b4152
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G
CVE: NA
Reference: https://git.kernel.org/torvalds/linux/c/2ae1a6cc4302
-------------------------------
If *pos or *pos + count is greater than v_len, it will read beyond
the stream_buf buffer. This patch adds the check and cuts count down to
the size of the buffer.
Signed-off-by: Namjae Jeon <namjae.jeon(a)samsung.com>
Signed-off-by: Steve French <stfrench(a)microsoft.com>
Signed-off-by: Jason Yan <yanaijie(a)huawei.com>
---
fs/cifsd/vfs.c | 12 +++++++++++-
1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/fs/cifsd/vfs.c b/fs/cifsd/vfs.c
index 56b1091473b9..9111b485d611 100644
--- a/fs/cifsd/vfs.c
+++ b/fs/cifsd/vfs.c
@@ -285,9 +285,19 @@ static int ksmbd_vfs_stream_read(struct ksmbd_file *fp, char *buf, loff_t *pos,
if ((int)v_len <= 0)
return (int)v_len;
+ if (v_len <= *pos) {
+ count = -EINVAL;
+ goto free_buf;
+ }
+
+ if (v_len - *pos < count)
+ count = v_len - *pos;
+
memcpy(buf, &stream_buf[*pos], count);
+
+free_buf:
kvfree(stream_buf);
- return v_len > count ? count : v_len;
+ return count;
}
/**
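Review bot: the new guard "if (v_len <= *pos)" bounds *pos only from above; pos is a loff_t pointer, and loff_t is signed, so a negative *pos passes the guard and &stream_buf[*pos] then points before the start of the buffer. Reject *pos < 0 in the same check unless every caller already guarantees it. Separately, "count = -EINVAL" stores an error code in the variable that is also the memcpy() length and is printed with %zd earlier in the function; a dedicated int return variable would avoid depending on the implicit conversion, and "v_len - *pos < count" compares operands of different types.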
From patchwork Mon Nov 14 12:50:14 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Jason Yan <yanaijie(a)huawei.com>
X-Patchwork-Id: 183202
From: Jason Yan <yanaijie(a)huawei.com>
To: <yanaijie(a)huawei.com>, <zhengzengkai(a)huawei.com>, <xiexiuqi(a)huawei.com>,
<yi.zhang(a)huawei.com>, <patchwork(a)huawei.com>, <kernel.openeuler(a)huawei.com>,
<houtao1(a)huawei.com>
Subject: [PATCH OLK-5.10 v2 105/308] cifsd: fix additional warnings from
checkpatch.pl --strict
Date: Mon, 14 Nov 2022 20:50:14 +0800
Message-ID: <20221114125337.1831594-106-yanaijie(a)huawei.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20221114125337.1831594-1-yanaijie(a)huawei.com>
References: <20221114125337.1831594-1-yanaijie(a)huawei.com>
From: Namjae Jeon <namjae.jeon(a)samsung.com>
mainline inclusion
from mainline-5.15-rc1
commit 97d7f3d3e0e719db42c4f413531e4e417fadf0c1
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G
CVE: NA
Reference: https://git.kernel.org/torvalds/linux/c/97d7f3d3e0e7
-------------------------------
Fix additional warnings from checkpatch.pl --strict.
Signed-off-by: Namjae Jeon <namjae.jeon(a)samsung.com>
Signed-off-by: Steve French <stfrench(a)microsoft.com>
Signed-off-by: Jason Yan <yanaijie(a)huawei.com>
---
fs/cifsd/mgmt/share_config.c | 2 +-
fs/cifsd/mgmt/share_config.h | 6 +++---
fs/cifsd/mgmt/tree_connect.c | 2 +-
fs/cifsd/mgmt/user_session.h | 4 +---
4 files changed, 6 insertions(+), 8 deletions(-)
diff --git a/fs/cifsd/mgmt/share_config.c b/fs/cifsd/mgmt/share_config.c
index 910d03516b73..bcc4ae4381b9 100644
--- a/fs/cifsd/mgmt/share_config.c
+++ b/fs/cifsd/mgmt/share_config.c
@@ -157,7 +157,7 @@ static struct ksmbd_share_config *share_config_request(char *name)
ret = kern_path(share->path, 0, &share->vfs_path);
if (ret) {
ksmbd_debug(SMB, "failed to access '%s'\n",
- share->path);
+ share->path);
/* Avoid put_path() */
kfree(share->path);
share->path = NULL;
diff --git a/fs/cifsd/mgmt/share_config.h b/fs/cifsd/mgmt/share_config.h
index 49ca89667991..953befc94e84 100644
--- a/fs/cifsd/mgmt/share_config.h
+++ b/fs/cifsd/mgmt/share_config.h
@@ -34,7 +34,7 @@ struct ksmbd_share_config {
#define KSMBD_SHARE_INVALID_GID ((__u16)-1)
static inline int share_config_create_mode(struct ksmbd_share_config *share,
- umode_t posix_mode)
+ umode_t posix_mode)
{
if (!share->force_create_mode) {
if (!posix_mode)
@@ -46,7 +46,7 @@ static inline int share_config_create_mode(struct ksmbd_share_config *share,
}
static inline int share_config_directory_mode(struct ksmbd_share_config *share,
- umode_t posix_mode)
+ umode_t posix_mode)
{
if (!share->force_directory_mode) {
if (!posix_mode)
@@ -64,7 +64,7 @@ static inline int test_share_config_flag(struct ksmbd_share_config *share,
return share->flags & flag;
}
-extern void __ksmbd_share_config_put(struct ksmbd_share_config *share);
+void __ksmbd_share_config_put(struct ksmbd_share_config *share);
static inline void ksmbd_share_config_put(struct ksmbd_share_config *share)
{
diff --git a/fs/cifsd/mgmt/tree_connect.c b/fs/cifsd/mgmt/tree_connect.c
index b9cd8fc46e5e..029a9e81e844 100644
--- a/fs/cifsd/mgmt/tree_connect.c
+++ b/fs/cifsd/mgmt/tree_connect.c
@@ -62,7 +62,7 @@ ksmbd_tree_conn_connect(struct ksmbd_session *sess, char *share_name)
status.tree_conn = tree_conn;
ret = xa_err(xa_store(&sess->tree_conns, tree_conn->id, tree_conn,
- GFP_KERNEL));
+ GFP_KERNEL));
if (ret) {
status.ret = -ENOMEM;
goto out_error;
diff --git a/fs/cifsd/mgmt/user_session.h b/fs/cifsd/mgmt/user_session.h
index 1709563d718b..761bf4776cf1 100644
--- a/fs/cifsd/mgmt/user_session.h
+++ b/fs/cifsd/mgmt/user_session.h
@@ -12,7 +12,7 @@
#include "../smb_common.h"
#include "../ntlmssp.h"
-#define CIFDS_SESSION_FLAG_SMB2 (1 << 1)
+#define CIFDS_SESSION_FLAG_SMB2 BIT(1)
#define PREAUTH_HASHVALUE_SIZE 64
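Review bot: since the CIFDS_SESSION_FLAG_SMB2 line is being touched anyway, the name looks like a misspelling of CIFSD; renaming it here or in a follow-up would keep the typo from spreading to new users. The switch to BIT(1) also assumes the header that defines BIT() is reachable through the two includes shown above it, which is worth confirming with a build of this file alone.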
@@ -54,8 +54,6 @@ struct ksmbd_session {
struct ida tree_conn_ida;
struct list_head rpc_handle_list;
-
-
__u8 smb3encryptionkey[SMB3_ENC_DEC_KEY_SIZE];
__u8 smb3decryptionkey[SMB3_ENC_DEC_KEY_SIZE];
__u8 smb3signingkey[SMB3_SIGN_KEY_SIZE];
From patchwork Mon Nov 14 12:50:15 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Jason Yan <yanaijie(a)huawei.com>
X-Patchwork-Id: 183203
From: Jason Yan <yanaijie(a)huawei.com>
To: <yanaijie(a)huawei.com>, <zhengzengkai(a)huawei.com>, <xiexiuqi(a)huawei.com>,
<yi.zhang(a)huawei.com>, <patchwork(a)huawei.com>, <kernel.openeuler(a)huawei.com>,
<houtao1(a)huawei.com>
Subject: [PATCH OLK-5.10 v2 106/308] cifsd: fix list_add double add BUG_ON
trap in setup_async_work()
Date: Mon, 14 Nov 2022 20:50:15 +0800
Message-ID: <20221114125337.1831594-107-yanaijie(a)huawei.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20221114125337.1831594-1-yanaijie(a)huawei.com>
References: <20221114125337.1831594-1-yanaijie(a)huawei.com>
From: Namjae Jeon <namjae.jeon(a)samsung.com>
mainline inclusion
from mainline-5.15-rc1
commit 6c4e675ad3594526d6604a7d30f1defdd08a42e4
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G
CVE: NA
Reference: https://git.kernel.org/torvalds/linux/c/6c4e675ad359
-------------------------------
BUG_ON trap is coming when running xfstests generic/591 and
smb2 leases = yes in smb.conf.
[ 597.224978] list_add double add: new=ffff9110d292bb20,
prev=ffff9110d292bb20, next=ffff9110d6c389e8.
[ 597.225073] ------------[ cut here ]------------
[ 597.225077] kernel BUG at lib/list_debug.c:31!
[ 597.225090] invalid opcode: 0000 [#1] SMP PTI
[ 597.225095] CPU: 2 PID: 501 Comm: kworker/2:3 Tainted: G OE
5.13.0-rc1+ #2
[ 597.225099] Hardware name: SAMSUNG ELECTRONICS CO., LTD. Samsung
DeskTop System/SAMSUNG_DT1234567890, BIOS P04KBM.022.121023.SK
10/23/2012
[ 597.225102] Workqueue: ksmbd-io handle_ksmbd_work [ksmbd]
[ 597.225125] RIP: 0010:__list_add_valid+0x66/0x70
[ 597.225132] Code: 0b 48 89 c1 4c 89 c6 48 c7 c7 c8 08 c0 95 e8 fd 54
66 00 0f 0b 48 89 f2 4c 89 c1 48 89 fe 48 c7 c7 20 09 c0 95 e8 e6 54 66
00 <0f> 0b 0f 1f 84 00 00 00 00 00 55 48 8b 07 48 b9 00 01 00 00 00 00
[ 597.225136] RSP: 0018:ffffb9c9408dbac0 EFLAGS: 00010282
[ 597.225139] RAX: 0000000000000058 RBX: ffff9110d292ba40 RCX:
0000000000000000
[ 597.225142] RDX: 0000000000000000 RSI: ffff9111da328c30 RDI:
ffff9111da328c30
[ 597.225144] RBP: ffffb9c9408dbac0 R08: 0000000000000001 R09:
0000000000000001
[ 597.225147] R10: 0000000003dd35ed R11: ffffb9c9408db888 R12:
ffff9110d6c38998
[ 597.225149] R13: ffff9110d6c38800 R14: ffff9110d292bb20 R15:
ffff9110d292bb20
[ 597.225152] FS: 0000000000000000(0000) GS:ffff9111da300000(0000)
knlGS:0000000000000000
[ 597.225155] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 597.225157] CR2: 00007fd1629f84d0 CR3: 00000000c9a12006 CR4:
00000000001706e0
[ 597.225160] Call Trace:
[ 597.225163] setup_async_work+0xa2/0x120 [ksmbd]
[ 597.225191] oplock_break+0x396/0x5d0 [ksmbd]
[ 597.225206] smb_grant_oplock+0x7a1/0x900 [ksmbd]
[ 597.225218] ? smb_grant_oplock+0x7a1/0x900 [ksmbd]
[ 597.225231] smb2_open+0xbbb/0x2960 [ksmbd]
[ 597.225243] ? smb2_open+0xbbb/0x2960 [ksmbd]
[ 597.225257] ? find_held_lock+0x35/0xa0
[ 597.225261] ? xa_load+0xaf/0x160
[ 597.225268] handle_ksmbd_work+0x2e0/0x420 [ksmbd]
[ 597.225280] ? handle_ksmbd_work+0x2e0/0x420 [ksmbd]
[ 597.225292] process_one_work+0x25a/0x5d0
[ 597.225298] worker_thread+0x3f/0x3a0
[ 597.225302] ? __kthread_parkme+0x6f/0xa0
[ 597.225306] ? process_one_work+0x5d0/0x5d0
[ 597.225309] kthread+0x142/0x160
[ 597.225313] ? kthread_park+0x90/0x90
[ 597.225316] ret_from_fork+0x22/0x30
The same work struct can be added to the list in smb_break_all_write_oplock() and
smb_grant_oplock(). If a client sends an invalid lease break ack to the server,
this issue can occur by calling both functions.
Signed-off-by: Namjae Jeon <namjae.jeon(a)samsung.com>
Signed-off-by: Steve French <stfrench(a)microsoft.com>
Signed-off-by: Jason Yan <yanaijie(a)huawei.com>
---
fs/cifsd/smb2pdu.c | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/fs/cifsd/smb2pdu.c b/fs/cifsd/smb2pdu.c
index 3e112fbdc2d9..5b92e00881bb 100644
--- a/fs/cifsd/smb2pdu.c
+++ b/fs/cifsd/smb2pdu.c
@@ -690,9 +690,11 @@ int setup_async_work(struct ksmbd_work *work, void (*fn)(void **), void **arg)
work->cancel_fn = fn;
work->cancel_argv = arg;
- spin_lock(&conn->request_lock);
- list_add_tail(&work->async_request_entry, &conn->async_requests);
- spin_unlock(&conn->request_lock);
+ if (list_empty(&work->async_request_entry)) {
+ spin_lock(&conn->request_lock);
+ list_add_tail(&work->async_request_entry, &conn->async_requests);
+ spin_unlock(&conn->request_lock);
+ }
return 0;
}
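Review bot: the list_empty(&work->async_request_entry) test is made before conn->request_lock is taken, so two callers can both see an empty entry and both reach list_add_tail(), which is the double add this patch is meant to prevent; move the test inside the locked region. The test is also only meaningful if async_request_entry is initialised with INIT_LIST_HEAD() and removed with list_del_init(), neither of which is visible in this hunk, and work->cancel_fn and work->cancel_argv are still overwritten on the second call even though the entry is not queued again.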
From patchwork Mon Nov 14 12:50:16 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Jason Yan <yanaijie(a)huawei.com>
X-Patchwork-Id: 183204
From: Jason Yan <yanaijie(a)huawei.com>
To: <yanaijie(a)huawei.com>, <zhengzengkai(a)huawei.com>, <xiexiuqi(a)huawei.com>,
<yi.zhang(a)huawei.com>, <patchwork(a)huawei.com>, <kernel.openeuler(a)huawei.com>,
<houtao1(a)huawei.com>
Subject: [PATCH OLK-5.10 v2 107/308] cifsd: set epoch in smb2_lease_break
response
Date: Mon, 14 Nov 2022 20:50:16 +0800
Message-ID: <20221114125337.1831594-108-yanaijie(a)huawei.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20221114125337.1831594-1-yanaijie(a)huawei.com>
References: <20221114125337.1831594-1-yanaijie(a)huawei.com>
From: Namjae Jeon <namjae.jeon(a)samsung.com>
mainline inclusion
from mainline-5.15-rc1
commit ade62d8b429fe49325593785316bdee3cabaec44
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G
CVE: NA
Reference: https://git.kernel.org/torvalds/linux/c/ade62d8b429f
-------------------------------
When running generic/591 after smb2 leases are enabled, all smb2 lease ack
requests failed in ksmbd, because the cifs client seems to support only smb2
v2 leases. So cifs doesn't update the lease state in the ack request if epoch is
not set in the smb2 lease break request from ksmbd. epoch is used for smb2
v2 leases. So this patch adds the smb2 create v2 lease context and sets an
increased epoch in the smb2 lease break response.
Signed-off-by: Namjae Jeon <namjae.jeon(a)samsung.com>
Signed-off-by: Steve French <stfrench(a)microsoft.com>
Signed-off-by: Jason Yan <yanaijie(a)huawei.com>
---
fs/cifsd/oplock.c | 95 +++++++++++++++++++++++++++++++++-------------
fs/cifsd/oplock.h | 15 +++++---
fs/cifsd/smb2ops.c | 6 +--
fs/cifsd/smb2pdu.h | 21 +++++++++-
4 files changed, 102 insertions(+), 35 deletions(-)
diff --git a/fs/cifsd/oplock.c b/fs/cifsd/oplock.c
index f76de7861e7b..5868cdca7187 100644
--- a/fs/cifsd/oplock.c
+++ b/fs/cifsd/oplock.c
@@ -102,6 +102,9 @@ static int alloc_lease(struct oplock_info *opinfo, struct lease_ctx_info *lctx)
lease->new_state = 0;
lease->flags = lctx->flags;
lease->duration = lctx->duration;
+ memcpy(lease->parent_lease_key, lctx->parent_lease_key, SMB2_LEASE_KEY_SIZE);
+ lease->version = lctx->version;
+ lease->epoch = 0;
INIT_LIST_HEAD(&opinfo->lease_entry);
opinfo->o_lease = lease;
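Review bot: the added memcpy() copies lctx->parent_lease_key unconditionally, but parse_lease_state() in this same patch fills parent_lease_key only in its v2 branch, so for a v1 lease the bytes copied are whatever the lreq allocation left there. Either copy only when lctx->version == 2 or confirm that lreq is zero-allocated and say so in a comment.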
@@ -750,7 +753,7 @@ static void __smb2_lease_break_noti(struct work_struct *wk)
rsp = work->response_buf;
rsp->StructureSize = cpu_to_le16(44);
- rsp->Reserved = 0;
+ rsp->Epoch = br_info->epoch;
rsp->Flags = 0;
if (br_info->curr_state & (SMB2_LEASE_WRITE_CACHING_LE |
@@ -798,6 +801,10 @@ static int smb2_lease_break_noti(struct oplock_info *opinfo)
br_info->curr_state = lease->state;
br_info->new_state = lease->new_state;
+ if (lease->version == 2)
+ br_info->epoch = cpu_to_le16(++lease->epoch);
+ else
+ br_info->epoch = 0;
memcpy(br_info->lease_key, lease->lease_key, SMB2_LEASE_KEY_SIZE);
work->request_buf = (char *)br_info;
@@ -1084,11 +1091,8 @@ int smb_grant_oplock(struct ksmbd_work *work, int req_op_level, u64 pid,
__le32 prev_op_state = 0;
/* not support directory lease */
- if (S_ISDIR(file_inode(fp->filp)->i_mode)) {
- if (lctx)
- lctx->dlease = 1;
+ if (S_ISDIR(file_inode(fp->filp)->i_mode))
return 0;
- }
opinfo = alloc_opinfo(work, pid, tid);
if (!opinfo)
@@ -1328,24 +1332,48 @@ __u8 smb2_map_lease_to_oplock(__le32 lease_state)
*/
void create_lease_buf(u8 *rbuf, struct lease *lease)
{
- struct create_lease *buf = (struct create_lease *)rbuf;
char *LeaseKey = (char *)&lease->lease_key;
- memset(buf, 0, sizeof(struct create_lease));
- buf->lcontext.LeaseKeyLow = *((__le64 *)LeaseKey);
- buf->lcontext.LeaseKeyHigh = *((__le64 *)(LeaseKey + 8));
- buf->lcontext.LeaseFlags = lease->flags;
- buf->lcontext.LeaseState = lease->state;
- buf->ccontext.DataOffset = cpu_to_le16(offsetof
- (struct create_lease, lcontext));
- buf->ccontext.DataLength = cpu_to_le32(sizeof(struct lease_context));
- buf->ccontext.NameOffset = cpu_to_le16(offsetof
+ if (lease->version == 2) {
+ struct create_lease_v2 *buf = (struct create_lease_v2 *)rbuf;
+ char *ParentLeaseKey = (char *)&lease->parent_lease_key;
+
+ memset(buf, 0, sizeof(struct create_lease_v2));
+ buf->lcontext.LeaseKeyLow = *((__le64 *)LeaseKey);
+ buf->lcontext.LeaseKeyHigh = *((__le64 *)(LeaseKey + 8));
+ buf->lcontext.LeaseFlags = lease->flags;
+ buf->lcontext.LeaseState = lease->state;
+ buf->lcontext.ParentLeaseKeyLow = *((__le64 *)ParentLeaseKey);
+ buf->lcontext.ParentLeaseKeyHigh = *((__le64 *)(ParentLeaseKey + 8));
+ buf->ccontext.DataOffset = cpu_to_le16(offsetof
+ (struct create_lease_v2, lcontext));
+ buf->ccontext.DataLength = cpu_to_le32(sizeof(struct lease_context_v2));
+ buf->ccontext.NameOffset = cpu_to_le16(offsetof
+ (struct create_lease_v2, Name));
+ buf->ccontext.NameLength = cpu_to_le16(4);
+ buf->Name[0] = 'R';
+ buf->Name[1] = 'q';
+ buf->Name[2] = 'L';
+ buf->Name[3] = 's';
+ } else {
+ struct create_lease *buf = (struct create_lease *)rbuf;
+
+ memset(buf, 0, sizeof(struct create_lease));
+ buf->lcontext.LeaseKeyLow = *((__le64 *)LeaseKey);
+ buf->lcontext.LeaseKeyHigh = *((__le64 *)(LeaseKey + 8));
+ buf->lcontext.LeaseFlags = lease->flags;
+ buf->lcontext.LeaseState = lease->state;
+ buf->ccontext.DataOffset = cpu_to_le16(offsetof
+ (struct create_lease, lcontext));
+ buf->ccontext.DataLength = cpu_to_le32(sizeof(struct lease_context));
+ buf->ccontext.NameOffset = cpu_to_le16(offsetof
(struct create_lease, Name));
- buf->ccontext.NameLength = cpu_to_le16(4);
- buf->Name[0] = 'R';
- buf->Name[1] = 'q';
- buf->Name[2] = 'L';
- buf->Name[3] = 's';
+ buf->ccontext.NameLength = cpu_to_le16(4);
+ buf->Name[0] = 'R';
+ buf->Name[1] = 'q';
+ buf->Name[2] = 'L';
+ buf->Name[3] = 's';
+ }
}
/**
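Review bot: create_lease_buf() now writes sizeof(struct create_lease_v2) bytes into rbuf in the v2 branch but still takes no length argument, so its safety depends on every caller reserving that much space and on every smb_version_values table having create_lease_size raised to the v2 size; pass the available length in and check it, or document the requirement next to the function. The two branches also repeat the lease key, flags, state and "RqLs" name assignments, which could be shared so that the v1 and v2 paths cannot drift apart.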
@@ -1382,12 +1410,27 @@ struct lease_ctx_info *parse_lease_state(void *open_req)
} while (next != 0);
if (found) {
- struct create_lease *lc = (struct create_lease *)cc;
- *((__le64 *)lreq->lease_key) = lc->lcontext.LeaseKeyLow;
- *((__le64 *)(lreq->lease_key + 8)) = lc->lcontext.LeaseKeyHigh;
- lreq->req_state = lc->lcontext.LeaseState;
- lreq->flags = lc->lcontext.LeaseFlags;
- lreq->duration = lc->lcontext.LeaseDuration;
+ if (sizeof(struct lease_context_v2) == le32_to_cpu(cc->DataLength)) {
+ struct create_lease_v2 *lc = (struct create_lease_v2 *)cc;
+
+ *((__le64 *)lreq->lease_key) = lc->lcontext.LeaseKeyLow;
+ *((__le64 *)(lreq->lease_key + 8)) = lc->lcontext.LeaseKeyHigh;
+ lreq->req_state = lc->lcontext.LeaseState;
+ lreq->flags = lc->lcontext.LeaseFlags;
+ lreq->duration = lc->lcontext.LeaseDuration;
+ *((__le64 *)lreq->parent_lease_key) = lc->lcontext.ParentLeaseKeyLow;
+ *((__le64 *)(lreq->parent_lease_key + 8)) = lc->lcontext.ParentLeaseKeyHigh;
+ lreq->version = 2;
+ } else {
+ struct create_lease *lc = (struct create_lease *)cc;
+
+ *((__le64 *)lreq->lease_key) = lc->lcontext.LeaseKeyLow;
+ *((__le64 *)(lreq->lease_key + 8)) = lc->lcontext.LeaseKeyHigh;
+ lreq->req_state = lc->lcontext.LeaseState;
+ lreq->flags = lc->lcontext.LeaseFlags;
+ lreq->duration = lc->lcontext.LeaseDuration;
+ lreq->version = 1;
+ }
return lreq;
}
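Review bot: The `else` branch in parse_lease_state() treats every DataLength other than sizeof(struct lease_context_v2) as a v1 lease, so a client-supplied length shorter than sizeof(struct lease_context) is still read as a full v1 context. DataLength comes from the request, so compare it against sizeof(struct lease_context) explicitly and reject anything else. These lines also do not show a check that DataOffset plus DataLength stays inside the create context before `cc` is cast, which is worth confirming in the surrounding code.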
diff --git a/fs/cifsd/oplock.h b/fs/cifsd/oplock.h
index 0abd26123f6d..9fb7ea74e86c 100644
--- a/fs/cifsd/oplock.h
+++ b/fs/cifsd/oplock.h
@@ -37,11 +37,12 @@
#define SMB2_LEASE_KEY_SIZE 16
struct lease_ctx_info {
- __u8 lease_key[SMB2_LEASE_KEY_SIZE];
- __le32 req_state;
- __le32 flags;
- __le64 duration;
- int dlease;
+ __u8 lease_key[SMB2_LEASE_KEY_SIZE];
+ __le32 req_state;
+ __le32 flags;
+ __le64 duration;
+ __u8 parent_lease_key[SMB2_LEASE_KEY_SIZE];
+ int version;
};
struct lease_table {
@@ -57,6 +58,9 @@ struct lease {
__le32 new_state;
__le32 flags;
__le64 duration;
+ __u8 parent_lease_key[SMB2_LEASE_KEY_SIZE];
+ int version;
+ unsigned short epoch;
struct lease_table *l_lb;
};
@@ -86,6 +90,7 @@ struct oplock_info {
struct lease_break_info {
__le32 curr_state;
__le32 new_state;
+ __le16 epoch;
char lease_key[SMB2_LEASE_KEY_SIZE];
};
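Review bot: `struct lease_break_info` stores `__le16 epoch` while `struct lease` in the previous hunk stores `unsigned short epoch`, so the same name is wire-endian in one struct and host-endian in the other. Please add a short comment on each field saying which it is, and make sure every copy between them goes through cpu_to_le16() or le16_to_cpu(); sparse will flag a direct assignment.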
diff --git a/fs/cifsd/smb2ops.c b/fs/cifsd/smb2ops.c
index c47d60bce9d4..8999c3faf4fc 100644
--- a/fs/cifsd/smb2ops.c
+++ b/fs/cifsd/smb2ops.c
@@ -57,7 +57,7 @@ static struct smb_version_values smb30_server_values = {
.cap_unix = 0,
.cap_nt_find = SMB2_NT_FIND,
.cap_large_files = SMB2_LARGE_FILES,
- .create_lease_size = sizeof(struct create_lease),
+ .create_lease_size = sizeof(struct create_lease_v2),
.create_durable_size = sizeof(struct create_durable_rsp),
.create_durable_v2_size = sizeof(struct create_durable_v2_rsp),
.create_mxac_size = sizeof(struct create_mxac_rsp),
@@ -83,7 +83,7 @@ static struct smb_version_values smb302_server_values = {
.cap_unix = 0,
.cap_nt_find = SMB2_NT_FIND,
.cap_large_files = SMB2_LARGE_FILES,
- .create_lease_size = sizeof(struct create_lease),
+ .create_lease_size = sizeof(struct create_lease_v2),
.create_durable_size = sizeof(struct create_durable_rsp),
.create_durable_v2_size = sizeof(struct create_durable_v2_rsp),
.create_mxac_size = sizeof(struct create_mxac_rsp),
@@ -109,7 +109,7 @@ static struct smb_version_values smb311_server_values = {
.cap_unix = 0,
.cap_nt_find = SMB2_NT_FIND,
.cap_large_files = SMB2_LARGE_FILES,
- .create_lease_size = sizeof(struct create_lease),
+ .create_lease_size = sizeof(struct create_lease_v2),
.create_durable_size = sizeof(struct create_durable_rsp),
.create_durable_v2_size = sizeof(struct create_durable_v2_rsp),
.create_mxac_size = sizeof(struct create_mxac_rsp),
diff --git a/fs/cifsd/smb2pdu.h b/fs/cifsd/smb2pdu.h
index b3d3365d7070..0d5349e75dd9 100644
--- a/fs/cifsd/smb2pdu.h
+++ b/fs/cifsd/smb2pdu.h
@@ -735,12 +735,31 @@ struct lease_context {
__le64 LeaseDuration;
} __packed;
+struct lease_context_v2 {
+ __le64 LeaseKeyLow;
+ __le64 LeaseKeyHigh;
+ __le32 LeaseState;
+ __le32 LeaseFlags;
+ __le64 LeaseDuration;
+ __le64 ParentLeaseKeyLow;
+ __le64 ParentLeaseKeyHigh;
+ __le16 Epoch;
+ __le16 Reserved;
+} __packed;
+
struct create_lease {
struct create_context ccontext;
__u8 Name[8];
struct lease_context lcontext;
} __packed;
+struct create_lease_v2 {
+ struct create_context ccontext;
+ __u8 Name[8];
+ struct lease_context_v2 lcontext;
+ __u8 Pad[4];
+} __packed;
+
/* Currently defined values for close flags */
#define SMB2_CLOSE_FLAG_POSTQUERY_ATTRIB cpu_to_le16(0x0001)
struct smb2_close_req {
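Review bot: `__u8 Pad[4]` at the end of `struct create_lease_v2` has no comment, and it makes sizeof(struct create_lease_v2) larger than the header plus sizeof(struct lease_context_v2). Please document that the pad exists only for alignment of the create context and is not counted in DataLength, since parse_lease_state() in this patch compares DataLength against sizeof(struct lease_context_v2) and a later edit could easily use the wrong sizeof.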
@@ -1249,7 +1268,7 @@ struct smb2_oplock_break {
struct smb2_lease_break {
struct smb2_hdr hdr;
__le16 StructureSize; /* Must be 44 */
- __le16 Reserved;
+ __le16 Epoch;
__le32 Flags;
__u8 LeaseKey[16];
__le32 CurrentLeaseState;
From patchwork Mon Nov 14 12:50:17 2022
X-Patchwork-Submitter: Jason Yan <yanaijie(a)huawei.com>
X-Patchwork-Id: 183205
From: Jason Yan <yanaijie(a)huawei.com>
To: <yanaijie(a)huawei.com>, <zhengzengkai(a)huawei.com>, <xiexiuqi(a)huawei.com>,
<yi.zhang(a)huawei.com>, <patchwork(a)huawei.com>, <kernel.openeuler(a)huawei.com>,
<houtao1(a)huawei.com>
Subject: [PATCH OLK-5.10 v2 108/308] cifsd: remove duplicated argument
Date: Mon, 14 Nov 2022 20:50:17 +0800
Message-ID: <20221114125337.1831594-109-yanaijie(a)huawei.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20221114125337.1831594-1-yanaijie(a)huawei.com>
References: <20221114125337.1831594-1-yanaijie(a)huawei.com>
From: Wan Jiabing <wanjiabing(a)vivo.com>
mainline inclusion
from mainline-5.15-rc1
commit 3aefd54da5ec6e7ec1f1e682007f5819c99d8588
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G
CVE: NA
Reference: https://git.kernel.org/torvalds/linux/c/3aefd54da5ec
-------------------------------
Fix the following coccicheck warning:
./fs/cifsd/smb2pdu.c:1713:27-41: duplicated argument to & or |
FILE_DELETE_LE is duplicated. Remove one and reorder argument to
make coding style reasonable.
Signed-off-by: Wan Jiabing <wanjiabing(a)vivo.com>
Signed-off-by: Namjae Jeon <namjae.jeon(a)samsung.com>
Signed-off-by: Steve French <stfrench(a)microsoft.com>
Signed-off-by: Jason Yan <yanaijie(a)huawei.com>
---
fs/cifsd/smb2pdu.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/fs/cifsd/smb2pdu.c b/fs/cifsd/smb2pdu.c
index 5b92e00881bb..ac15a9287310 100644
--- a/fs/cifsd/smb2pdu.c
+++ b/fs/cifsd/smb2pdu.c
@@ -1712,10 +1712,10 @@ int smb2_tree_connect(struct ksmbd_work *work)
KSMBD_TREE_CONN_FLAG_WRITABLE)) {
rsp->MaximalAccess |= FILE_WRITE_DATA_LE |
FILE_APPEND_DATA_LE | FILE_WRITE_EA_LE |
- FILE_DELETE_CHILD_LE | FILE_DELETE_LE |
- FILE_WRITE_ATTRIBUTES_LE | FILE_DELETE_LE |
- FILE_READ_CONTROL_LE | FILE_WRITE_DAC_LE |
- FILE_WRITE_OWNER_LE | FILE_SYNCHRONIZE_LE;
+ FILE_DELETE_LE | FILE_WRITE_ATTRIBUTES_LE |
+ FILE_DELETE_CHILD_LE | FILE_READ_CONTROL_LE |
+ FILE_WRITE_DAC_LE | FILE_WRITE_OWNER_LE |
+ FILE_SYNCHRONIZE_LE;
}
}
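Review bot: The reorder in this hunk makes it hard to see that the only functional edit is dropping the second `FILE_DELETE_LE`. The remaining flags are the same set as before, so MaximalAccess is unchanged; saying so in the commit message, or removing the duplicate without reordering, would save the next reader a flag-by-flag comparison of a permission mask.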
From patchwork Mon Nov 14 12:50:18 2022
X-Patchwork-Submitter: Jason Yan <yanaijie(a)huawei.com>
X-Patchwork-Id: 183206
From: Jason Yan <yanaijie(a)huawei.com>
To: <yanaijie(a)huawei.com>, <zhengzengkai(a)huawei.com>, <xiexiuqi(a)huawei.com>,
<yi.zhang(a)huawei.com>, <patchwork(a)huawei.com>, <kernel.openeuler(a)huawei.com>,
<houtao1(a)huawei.com>
Subject: [PATCH OLK-5.10 v2 109/308] cifsd: append ksmbd prefix into names for
asn1 decoder
Date: Mon, 14 Nov 2022 20:50:18 +0800
Message-ID: <20221114125337.1831594-110-yanaijie(a)huawei.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20221114125337.1831594-1-yanaijie(a)huawei.com>
References: <20221114125337.1831594-1-yanaijie(a)huawei.com>
From: Hyunchul Lee <hyc.lee(a)gmail.com>
mainline inclusion
from mainline-5.15-rc1
commit 99f45259fe121a10881f486e075019260f403b6a
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G
CVE: NA
Reference: https://git.kernel.org/torvalds/linux/c/99f45259fe12
-------------------------------
Because functions and variables generated from
ASN1 compiler aren't static, append ksmbd prefix
into those to avoid link errors.
Signed-off-by: Hyunchul Lee <hyc.lee(a)gmail.com>
Signed-off-by: Namjae Jeon <namjae.jeon(a)samsung.com>
Signed-off-by: Steve French <stfrench(a)microsoft.com>
Signed-off-by: Jason Yan <yanaijie(a)huawei.com>
---
fs/cifsd/asn1.c | 27 ++++++------
fs/cifsd/ksmbd_spnego_negtokeninit.asn1 | 31 +++++++++++++
...rg.asn1 => ksmbd_spnego_negtokentarg.asn1} | 2 +-
fs/cifsd/spnego_negtokeninit.asn1 | 43 -------------------
4 files changed, 47 insertions(+), 56 deletions(-)
create mode 100644 fs/cifsd/ksmbd_spnego_negtokeninit.asn1
rename fs/cifsd/{spnego_negtokentarg.asn1 => ksmbd_spnego_negtokentarg.asn1} (80%)
delete mode 100644 fs/cifsd/spnego_negtokeninit.asn1
diff --git a/fs/cifsd/asn1.c b/fs/cifsd/asn1.c
index 1be3072fee1a..2c63a3e5618b 100644
--- a/fs/cifsd/asn1.c
+++ b/fs/cifsd/asn1.c
@@ -18,8 +18,8 @@
#include "asn1.h"
#include "connection.h"
#include "auth.h"
-#include "spnego_negtokeninit.asn1.h"
-#include "spnego_negtokentarg.asn1.h"
+#include "ksmbd_spnego_negtokeninit.asn1.h"
+#include "ksmbd_spnego_negtokentarg.asn1.h"
#define SPNEGO_OID_LEN 7
#define NTLMSSP_OID_LEN 10
@@ -119,7 +119,7 @@ int
ksmbd_decode_negTokenInit(unsigned char *security_blob, int length,
struct ksmbd_conn *conn)
{
- return asn1_ber_decoder(&spnego_negtokeninit_decoder, conn,
+ return asn1_ber_decoder(&ksmbd_spnego_negtokeninit_decoder, conn,
security_blob, length);
}
@@ -127,7 +127,7 @@ int
ksmbd_decode_negTokenTarg(unsigned char *security_blob, int length,
struct ksmbd_conn *conn)
{
- return asn1_ber_decoder(&spnego_negtokentarg_decoder, conn,
+ return asn1_ber_decoder(&ksmbd_spnego_negtokentarg_decoder, conn,
security_blob, length);
}
@@ -248,8 +248,8 @@ int build_spnego_ntlmssp_auth_blob(unsigned char **pbuffer, u16 *buflen,
return 0;
}
-int gssapi_this_mech(void *context, size_t hdrlen, unsigned char tag,
- const void *value, size_t vlen)
+int ksmbd_gssapi_this_mech(void *context, size_t hdrlen, unsigned char tag,
+ const void *value, size_t vlen)
{
unsigned long *oid;
size_t oidlen;
@@ -273,8 +273,9 @@ int gssapi_this_mech(void *context, size_t hdrlen, unsigned char tag,
return err;
}
-int neg_token_init_mech_type(void *context, size_t hdrlen, unsigned char tag,
- const void *value, size_t vlen)
+int ksmbd_neg_token_init_mech_type(void *context, size_t hdrlen,
+ unsigned char tag, const void *value,
+ size_t vlen)
{
struct ksmbd_conn *conn = context;
unsigned long *oid;
@@ -310,8 +311,9 @@ int neg_token_init_mech_type(void *context, size_t hdrlen, unsigned char tag,
return -EBADMSG;
}
-int neg_token_init_mech_token(void *context, size_t hdrlen, unsigned char tag,
- const void *value, size_t vlen)
+int ksmbd_neg_token_init_mech_token(void *context, size_t hdrlen,
+ unsigned char tag, const void *value,
+ size_t vlen)
{
struct ksmbd_conn *conn = context;
@@ -324,8 +326,9 @@ int neg_token_init_mech_token(void *context, size_t hdrlen, unsigned char tag,
return 0;
}
-int neg_token_targ_resp_token(void *context, size_t hdrlen, unsigned char tag,
- const void *value, size_t vlen)
+int ksmbd_neg_token_targ_resp_token(void *context, size_t hdrlen,
+ unsigned char tag, const void *value,
+ size_t vlen)
{
struct ksmbd_conn *conn = context;
diff --git a/fs/cifsd/ksmbd_spnego_negtokeninit.asn1 b/fs/cifsd/ksmbd_spnego_negtokeninit.asn1
new file mode 100644
index 000000000000..0065f191b54b
--- /dev/null
+++ b/fs/cifsd/ksmbd_spnego_negtokeninit.asn1
@@ -0,0 +1,31 @@
+GSSAPI ::=
+ [APPLICATION 0] IMPLICIT SEQUENCE {
+ thisMech
+ OBJECT IDENTIFIER ({ksmbd_gssapi_this_mech}),
+ negotiationToken
+ NegotiationToken
+ }
+
+MechType ::= OBJECT IDENTIFIER ({ksmbd_neg_token_init_mech_type})
+
+MechTypeList ::= SEQUENCE OF MechType
+
+NegTokenInit ::=
+ SEQUENCE {
+ mechTypes
+ [0] MechTypeList,
+ reqFlags
+ [1] BIT STRING OPTIONAL,
+ mechToken
+ [2] OCTET STRING OPTIONAL ({ksmbd_neg_token_init_mech_token}),
+ mechListMIC
+ [3] OCTET STRING OPTIONAL
+ }
+
+NegotiationToken ::=
+ CHOICE {
+ negTokenInit
+ [0] NegTokenInit,
+ negTokenTarg
+ [1] ANY
+ }
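Review bot: The new ksmbd_spnego_negtokeninit.asn1 is not a pure rename of spnego_negtokeninit.asn1: the NegTokenTarg SEQUENCE that the deleted file carried, including its `neg_token_targ_resp_token` action, is dropped here, leaving NegTokenTarg defined only in ksmbd_spnego_negtokentarg.asn1. That looks intended, but the commit message only mentions adding the prefix; please note the removal there so the grammar change to the SPNEGO decoder is not mistaken for a naming-only edit.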
diff --git a/fs/cifsd/spnego_negtokentarg.asn1 b/fs/cifsd/ksmbd_spnego_negtokentarg.asn1
similarity index 80%
rename from fs/cifsd/spnego_negtokentarg.asn1
rename to fs/cifsd/ksmbd_spnego_negtokentarg.asn1
index 8324bcd1bbd7..1151933e7b9c 100644
--- a/fs/cifsd/spnego_negtokentarg.asn1
+++ b/fs/cifsd/ksmbd_spnego_negtokentarg.asn1
@@ -13,7 +13,7 @@ NegTokenTarg ::=
supportedMech
[1] OBJECT IDENTIFIER OPTIONAL,
responseToken
- [2] OCTET STRING OPTIONAL ({neg_token_targ_resp_token}),
+ [2] OCTET STRING OPTIONAL ({ksmbd_neg_token_targ_resp_token}),
mechListMIC
[3] OCTET STRING OPTIONAL
}
diff --git a/fs/cifsd/spnego_negtokeninit.asn1 b/fs/cifsd/spnego_negtokeninit.asn1
deleted file mode 100644
index 1b153cb6a39e..000000000000
--- a/fs/cifsd/spnego_negtokeninit.asn1
+++ /dev/null
@@ -1,43 +0,0 @@
-GSSAPI ::=
- [APPLICATION 0] IMPLICIT SEQUENCE {
- thisMech
- OBJECT IDENTIFIER ({gssapi_this_mech}),
- negotiationToken
- NegotiationToken
- }
-
-MechType ::= OBJECT IDENTIFIER ({neg_token_init_mech_type})
-
-MechTypeList ::= SEQUENCE OF MechType
-
-NegTokenInit ::=
- SEQUENCE {
- mechTypes
- [0] MechTypeList,
- reqFlags
- [1] BIT STRING OPTIONAL,
- mechToken
- [2] OCTET STRING OPTIONAL ({neg_token_init_mech_token}),
- mechListMIC
- [3] OCTET STRING OPTIONAL
- }
-
-NegTokenTarg ::=
- SEQUENCE {
- negResult
- [0] ENUMERATED OPTIONAL,
- supportedMech
- [1] OBJECT IDENTIFIER OPTIONAL,
- responseToken
- [2] OCTET STRING OPTIONAL ({neg_token_targ_resp_token}),
- mechListMIC
- [3] OCTET STRING OPTIONAL
- }
-
-NegotiationToken ::=
- CHOICE {
- negTokenInit
- [0] NegTokenInit,
- negTokenTarg
- [1] ANY
- }
From patchwork Mon Nov 14 12:50:19 2022
X-Patchwork-Submitter: Jason Yan <yanaijie(a)huawei.com>
X-Patchwork-Id: 183207
From: Jason Yan <yanaijie(a)huawei.com>
To: <yanaijie(a)huawei.com>, <zhengzengkai(a)huawei.com>, <xiexiuqi(a)huawei.com>,
<yi.zhang(a)huawei.com>, <patchwork(a)huawei.com>, <kernel.openeuler(a)huawei.com>,
<houtao1(a)huawei.com>
Subject: [PATCH OLK-5.10 v2 110/308] ksmbd: fix kfree of uninitialized pointer
oid
Date: Mon, 14 Nov 2022 20:50:19 +0800
Message-ID: <20221114125337.1831594-111-yanaijie(a)huawei.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20221114125337.1831594-1-yanaijie(a)huawei.com>
References: <20221114125337.1831594-1-yanaijie(a)huawei.com>
From: Colin Ian King <colin.king(a)canonical.com>
mainline inclusion
from mainline-5.15-rc1
commit 5fb68864674faa3e0a4fc767c4a87f51ece218c6
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G
CVE: NA
Reference: https://git.kernel.org/torvalds/linux/c/5fb68864674f
-------------------------------
Currently function ksmbd_neg_token_init_mech_type can kfree an
uninitialized pointer oid when the call to asn1_oid_decode fails when
vlen is out of range. All the other failure cases in function
asn1_oid_decode set *oid to NULL on an error, so fix the issue by
ensuring the vlen out of range error also nullifies the pointer.
Addresses-Coverity: ("Uninitialized pointer read")
Signed-off-by: Colin Ian King <colin.king(a)canonical.com>
Signed-off-by: Namjae Jeon <namjae.jeon(a)samsung.com>
Signed-off-by: Steve French <stfrench(a)microsoft.com>
Signed-off-by: Jason Yan <yanaijie(a)huawei.com>
---
fs/cifsd/asn1.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/fs/cifsd/asn1.c b/fs/cifsd/asn1.c
index 2c63a3e5618b..b014f4638610 100644
--- a/fs/cifsd/asn1.c
+++ b/fs/cifsd/asn1.c
@@ -66,7 +66,7 @@ static bool asn1_oid_decode(const unsigned char *value, size_t vlen,
vlen += 1;
if (vlen < 2 || vlen > UINT_MAX / sizeof(unsigned long))
- return false;
+ goto fail_nullify;
*oid = kmalloc(vlen * sizeof(unsigned long), GFP_KERNEL);
if (!*oid)
@@ -102,6 +102,7 @@ static bool asn1_oid_decode(const unsigned char *value, size_t vlen,
fail:
kfree(*oid);
+fail_nullify:
*oid = NULL;
return false;
}
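Review bot: Falling through from `fail:` into the new `fail_nullify:` label works, but the fix still leaves the caller's safety dependent on asn1_oid_decode() writing `*oid` on every error path. Initialising `oid` to NULL in the callers that kfree() it, such as ksmbd_neg_token_init_mech_type named in the commit message, would make any early return added here later harmless. A one-line comment above `fail_nullify:` stating that callers free `*oid` unconditionally would also help.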
From patchwork Mon Nov 14 12:50:20 2022
X-Patchwork-Submitter: Jason Yan <yanaijie(a)huawei.com>
X-Patchwork-Id: 183208
From: Jason Yan <yanaijie(a)huawei.com>
To: <yanaijie(a)huawei.com>, <zhengzengkai(a)huawei.com>, <xiexiuqi(a)huawei.com>,
<yi.zhang(a)huawei.com>, <patchwork(a)huawei.com>, <kernel.openeuler(a)huawei.com>,
<houtao1(a)huawei.com>
Subject: [PATCH OLK-5.10 v2 111/308] ksmbd: add support for SMB3 multichannel
Date: Mon, 14 Nov 2022 20:50:20 +0800
Message-ID: <20221114125337.1831594-112-yanaijie(a)huawei.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20221114125337.1831594-1-yanaijie(a)huawei.com>
References: <20221114125337.1831594-1-yanaijie(a)huawei.com>
From: Namjae Jeon <namjae.jeon(a)samsung.com>
mainline inclusion
from mainline-5.15-rc1
commit f5a544e3bab78142207e0242d22442db85ba1eff
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G
CVE: NA
Reference: https://git.kernel.org/torvalds/linux/c/f5a544e3bab7
-------------------------------
Add support for SMB3 multichannel. It will be enabled by setting
'server multi channel support = yes' in smb.conf.
Signed-off-by: Namjae Jeon <namjae.jeon(a)samsung.com>
Signed-off-by: Steve French <stfrench(a)microsoft.com>
Signed-off-by: Jason Yan <yanaijie(a)huawei.com>
---
fs/cifsd/auth.c | 30 +++++--
fs/cifsd/auth.h | 6 +-
fs/cifsd/connection.h | 1 +
fs/cifsd/ksmbd_server.h | 1 +
fs/cifsd/mgmt/user_session.c | 49 ++++++++++-
fs/cifsd/mgmt/user_session.h | 11 ++-
fs/cifsd/smb2ops.c | 9 ++
fs/cifsd/smb2pdu.c | 165 ++++++++++++++++++++++++++---------
fs/cifsd/smb2pdu.h | 3 +-
fs/cifsd/smb_common.h | 2 +-
10 files changed, 220 insertions(+), 57 deletions(-)
diff --git a/fs/cifsd/auth.c b/fs/cifsd/auth.c
index 5f47de49c05d..1ba03a7c3201 100644
--- a/fs/cifsd/auth.c
+++ b/fs/cifsd/auth.c
@@ -921,13 +921,14 @@ static int generate_key(struct ksmbd_session *sess, struct kvec label,
}
static int generate_smb3signingkey(struct ksmbd_session *sess,
+ struct ksmbd_conn *conn,
const struct derivation *signing)
{
int rc;
struct channel *chann;
char *key;
- chann = lookup_chann_list(sess);
+ chann = lookup_chann_list(sess, conn);
if (!chann)
return 0;
@@ -953,7 +954,8 @@ static int generate_smb3signingkey(struct ksmbd_session *sess,
return 0;
}
-int ksmbd_gen_smb30_signingkey(struct ksmbd_session *sess)
+int ksmbd_gen_smb30_signingkey(struct ksmbd_session *sess,
+ struct ksmbd_conn *conn)
{
struct derivation d;
@@ -961,22 +963,32 @@ int ksmbd_gen_smb30_signingkey(struct ksmbd_session *sess)
d.label.iov_len = 12;
d.context.iov_base = "SmbSign";
d.context.iov_len = 8;
- d.binding = false;
+ d.binding = conn->binding;
- return generate_smb3signingkey(sess, &d);
+ return generate_smb3signingkey(sess, conn, &d);
}
-int ksmbd_gen_smb311_signingkey(struct ksmbd_session *sess)
+int ksmbd_gen_smb311_signingkey(struct ksmbd_session *sess,
+ struct ksmbd_conn *conn)
{
struct derivation d;
d.label.iov_base = "SMBSigningKey";
d.label.iov_len = 14;
- d.context.iov_base = sess->Preauth_HashValue;
+ if (conn->binding) {
+ struct preauth_session *preauth_sess;
+
+ preauth_sess = ksmbd_preauth_session_lookup(conn, sess->id);
+ if (!preauth_sess)
+ return -ENOENT;
+ d.context.iov_base = preauth_sess->Preauth_HashValue;
+ } else {
+ d.context.iov_base = sess->Preauth_HashValue;
+ }
d.context.iov_len = 64;
- d.binding = false;
+ d.binding = conn->binding;
- return generate_smb3signingkey(sess, &d);
+ return generate_smb3signingkey(sess, conn, &d);
}
struct derivation_twin {
@@ -1148,7 +1160,7 @@ static int ksmbd_get_encryption_key(struct ksmbd_conn *conn, __u64 ses_id,
struct ksmbd_session *sess;
u8 *ses_enc_key;
- sess = ksmbd_session_lookup(conn, ses_id);
+ sess = ksmbd_session_lookup_all(conn, ses_id);
if (!sess)
return -EINVAL;
diff --git a/fs/cifsd/auth.h b/fs/cifsd/auth.h
index 650bd7dd6750..9c2d4badd05d 100644
--- a/fs/cifsd/auth.h
+++ b/fs/cifsd/auth.h
@@ -54,8 +54,10 @@ int ksmbd_sign_smb2_pdu(struct ksmbd_conn *conn, char *key, struct kvec *iov,
int n_vec, char *sig);
int ksmbd_sign_smb3_pdu(struct ksmbd_conn *conn, char *key, struct kvec *iov,
int n_vec, char *sig);
-int ksmbd_gen_smb30_signingkey(struct ksmbd_session *sess);
-int ksmbd_gen_smb311_signingkey(struct ksmbd_session *sess);
+int ksmbd_gen_smb30_signingkey(struct ksmbd_session *sess,
+ struct ksmbd_conn *conn);
+int ksmbd_gen_smb311_signingkey(struct ksmbd_session *sess,
+ struct ksmbd_conn *conn);
int ksmbd_gen_smb30_encryptionkey(struct ksmbd_session *sess);
int ksmbd_gen_smb311_encryptionkey(struct ksmbd_session *sess);
int ksmbd_gen_preauth_integrity_hash(struct ksmbd_conn *conn, char *buf,
diff --git a/fs/cifsd/connection.h b/fs/cifsd/connection.h
index 1658442b27b0..98108b41f739 100644
--- a/fs/cifsd/connection.h
+++ b/fs/cifsd/connection.h
@@ -106,6 +106,7 @@ struct ksmbd_conn {
__le16 cipher_type;
__le16 compress_algorithm;
bool posix_ext_supported;
+ bool binding;
};
struct ksmbd_conn_ops {
diff --git a/fs/cifsd/ksmbd_server.h b/fs/cifsd/ksmbd_server.h
index 442077a1e77b..5ae3fe91bfb4 100644
--- a/fs/cifsd/ksmbd_server.h
+++ b/fs/cifsd/ksmbd_server.h
@@ -33,6 +33,7 @@ struct ksmbd_heartbeat {
#define KSMBD_GLOBAL_FLAG_CACHE_TBUF BIT(1)
#define KSMBD_GLOBAL_FLAG_CACHE_RBUF BIT(2)
#define KSMBD_GLOBAL_FLAG_SMB2_ENCRYPTION BIT(3)
+#define KSMBD_GLOBAL_FLAG_SMB3_MULTICHANNEL BIT(4)
struct ksmbd_startup_request {
__u32 flags;
diff --git a/fs/cifsd/mgmt/user_session.c b/fs/cifsd/mgmt/user_session.c
index 739588a6c96a..c3487b1a004c 100644
--- a/fs/cifsd/mgmt/user_session.c
+++ b/fs/cifsd/mgmt/user_session.c
@@ -207,7 +207,8 @@ void ksmbd_sessions_deregister(struct ksmbd_conn *conn)
}
}
-bool ksmbd_session_id_match(struct ksmbd_session *sess, unsigned long long id)
+static bool ksmbd_session_id_match(struct ksmbd_session *sess,
+ unsigned long long id)
{
return sess->id == id;
}
@@ -250,6 +251,52 @@ struct ksmbd_session *ksmbd_session_lookup_slowpath(unsigned long long id)
return sess;
}
+struct ksmbd_session *ksmbd_session_lookup_all(struct ksmbd_conn *conn,
+ unsigned long long id)
+{
+ struct ksmbd_session *sess;
+
+ sess = ksmbd_session_lookup(conn, id);
+ if (!sess && conn->binding)
+ sess = ksmbd_session_lookup_slowpath(id);
+ return sess;
+}
+
+struct preauth_session *ksmbd_preauth_session_alloc(struct ksmbd_conn *conn,
+ u64 sess_id)
+{
+ struct preauth_session *sess;
+
+ sess = kmalloc(sizeof(struct preauth_session), GFP_KERNEL);
+ if (!sess)
+ return NULL;
+
+ sess->id = sess_id;
+ memcpy(sess->Preauth_HashValue, conn->preauth_info->Preauth_HashValue,
+ PREAUTH_HASHVALUE_SIZE);
+ list_add(&sess->preauth_entry, &conn->preauth_sess_table);
+
+ return sess;
+}
+
+static bool ksmbd_preauth_session_id_match(struct preauth_session *sess,
+ unsigned long long id)
+{
+ return sess->id == id;
+}
+
+struct preauth_session *ksmbd_preauth_session_lookup(struct ksmbd_conn *conn,
+ unsigned long long id)
+{
+ struct preauth_session *sess = NULL;
+
+ list_for_each_entry(sess, &conn->preauth_sess_table, preauth_entry) {
+ if (ksmbd_preauth_session_id_match(sess, id))
+ return sess;
+ }
+ return NULL;
+}
+
static int __init_smb2_session(struct ksmbd_session *sess)
{
int id = ksmbd_acquire_smb2_uid(&session_ida);
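Review bot: ksmbd_session_lookup_all() falls back to ksmbd_session_lookup_slowpath(id) whenever `conn->binding` is set, which makes every session ID on the server reachable from this connection, and the patch routes check_session_id(), smb2_check_user_session() and ksmbd_get_encryption_key() through it. Nothing in the visible lines clears `conn->binding` or ties the fallback to the one session being bound, so please document where the flag is reset and restrict the fallback to that session. Separately, ksmbd_preauth_session_alloc() calls list_add() on `conn->preauth_sess_table` with no lock and no matching free in this hunk.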
diff --git a/fs/cifsd/mgmt/user_session.h b/fs/cifsd/mgmt/user_session.h
index 761bf4776cf1..82289c3cbd2b 100644
--- a/fs/cifsd/mgmt/user_session.h
+++ b/fs/cifsd/mgmt/user_session.h
@@ -26,8 +26,8 @@ struct channel {
struct preauth_session {
__u8 Preauth_HashValue[PREAUTH_HASHVALUE_SIZE];
- u64 sess_id;
- struct list_head list_entry;
+ u64 id;
+ struct list_head preauth_entry;
};
struct ksmbd_session {
@@ -82,13 +82,18 @@ struct ksmbd_session *ksmbd_smb2_session_create(void);
void ksmbd_session_destroy(struct ksmbd_session *sess);
-bool ksmbd_session_id_match(struct ksmbd_session *sess, unsigned long long id);
struct ksmbd_session *ksmbd_session_lookup_slowpath(unsigned long long id);
struct ksmbd_session *ksmbd_session_lookup(struct ksmbd_conn *conn,
unsigned long long id);
void ksmbd_session_register(struct ksmbd_conn *conn,
struct ksmbd_session *sess);
void ksmbd_sessions_deregister(struct ksmbd_conn *conn);
+struct ksmbd_session *ksmbd_session_lookup_all(struct ksmbd_conn *conn,
+ unsigned long long id);
+struct preauth_session *ksmbd_preauth_session_alloc(struct ksmbd_conn *conn,
+ u64 sess_id);
+struct preauth_session *ksmbd_preauth_session_lookup(struct ksmbd_conn *conn,
+ unsigned long long id);
int ksmbd_acquire_tree_conn_id(struct ksmbd_session *sess);
void ksmbd_release_tree_conn_id(struct ksmbd_session *sess, int id);
diff --git a/fs/cifsd/smb2ops.c b/fs/cifsd/smb2ops.c
index 8999c3faf4fc..f7e5f21d4ae2 100644
--- a/fs/cifsd/smb2ops.c
+++ b/fs/cifsd/smb2ops.c
@@ -229,6 +229,9 @@ void init_smb3_0_server(struct ksmbd_conn *conn)
if (server_conf.flags & KSMBD_GLOBAL_FLAG_SMB2_ENCRYPTION &&
conn->cli_cap & SMB2_GLOBAL_CAP_ENCRYPTION)
conn->vals->capabilities |= SMB2_GLOBAL_CAP_ENCRYPTION;
+
+ if (server_conf.flags & KSMBD_GLOBAL_FLAG_SMB3_MULTICHANNEL)
+ conn->vals->capabilities |= SMB2_GLOBAL_CAP_MULTI_CHANNEL;
}
/**
@@ -250,6 +253,9 @@ void init_smb3_02_server(struct ksmbd_conn *conn)
if (server_conf.flags & KSMBD_GLOBAL_FLAG_SMB2_ENCRYPTION &&
conn->cli_cap & SMB2_GLOBAL_CAP_ENCRYPTION)
conn->vals->capabilities |= SMB2_GLOBAL_CAP_ENCRYPTION;
+
+ if (server_conf.flags & KSMBD_GLOBAL_FLAG_SMB3_MULTICHANNEL)
+ conn->vals->capabilities |= SMB2_GLOBAL_CAP_MULTI_CHANNEL;
}
/**
@@ -271,6 +277,9 @@ int init_smb3_11_server(struct ksmbd_conn *conn)
if (conn->cipher_type)
conn->vals->capabilities |= SMB2_GLOBAL_CAP_ENCRYPTION;
+ if (server_conf.flags & KSMBD_GLOBAL_FLAG_SMB3_MULTICHANNEL)
+ conn->vals->capabilities |= SMB2_GLOBAL_CAP_MULTI_CHANNEL;
+
INIT_LIST_HEAD(&conn->preauth_sess_table);
return 0;
}
diff --git a/fs/cifsd/smb2pdu.c b/fs/cifsd/smb2pdu.c
index ac15a9287310..12c954dac51a 100644
--- a/fs/cifsd/smb2pdu.c
+++ b/fs/cifsd/smb2pdu.c
@@ -64,21 +64,21 @@ static inline int check_session_id(struct ksmbd_conn *conn, u64 id)
if (id == 0 || id == -1)
return 0;
- sess = ksmbd_session_lookup(conn, id);
+ sess = ksmbd_session_lookup_all(conn, id);
if (sess)
return 1;
ksmbd_err("Invalid user session id: %llu\n", id);
return 0;
}
-struct channel *lookup_chann_list(struct ksmbd_session *sess)
+struct channel *lookup_chann_list(struct ksmbd_session *sess, struct ksmbd_conn *conn)
{
struct channel *chann;
struct list_head *t;
list_for_each(t, &sess->ksmbd_chann_list) {
chann = list_entry(t, struct channel, chann_list);
- if (chann && chann->conn == sess->conn)
+ if (chann && chann->conn == conn)
return chann;
}
@@ -600,7 +600,7 @@ int smb2_check_user_session(struct ksmbd_work *work)
sess_id = le64_to_cpu(req_hdr->SessionId);
/* Check for validity of user session */
- work->sess = ksmbd_session_lookup(conn, sess_id);
+ work->sess = ksmbd_session_lookup_all(conn, sess_id);
if (work->sess)
return 1;
ksmbd_debug(SMB, "Invalid user session, Uid %llu\n", sess_id);
@@ -1165,18 +1165,30 @@ static int generate_preauth_hash(struct ksmbd_work *work)
{
struct ksmbd_conn *conn = work->conn;
struct ksmbd_session *sess = work->sess;
+ u8 *preauth_hash;
if (conn->dialect != SMB311_PROT_ID)
return 0;
- if (!sess->Preauth_HashValue) {
- if (alloc_preauth_hash(sess, conn))
- return -ENOMEM;
+ if (conn->binding) {
+ struct preauth_session *preauth_sess;
+
+ preauth_sess = ksmbd_preauth_session_lookup(conn, sess->id);
+ if (!preauth_sess) {
+ preauth_sess = ksmbd_preauth_session_alloc(conn, sess->id);
+ if (!preauth_sess)
+ return -ENOMEM;
+ }
+
+ preauth_hash = preauth_sess->Preauth_HashValue;
+ } else {
+ if (!sess->Preauth_HashValue)
+ if (alloc_preauth_hash(sess, conn))
+ return -ENOMEM;
+ preauth_hash = sess->Preauth_HashValue;
}
- ksmbd_gen_preauth_integrity_hash(conn,
- work->request_buf,
- sess->Preauth_HashValue);
+ ksmbd_gen_preauth_integrity_hash(conn, work->request_buf, preauth_hash);
return 0;
}
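Review bot: in the new else branch of generate_preauth_hash(), `if (!sess->Preauth_HashValue)` directly nests `if (alloc_preauth_hash(sess, conn))` with no braces on the outer statement, which is easy to misread and goes against kernel style for multi-line bodies. Combining them as `if (!sess->Preauth_HashValue && alloc_preauth_hash(sess, conn)) return -ENOMEM;` keeps the behaviour and removes the ambiguity. A one-line comment saying why a binding request hashes into a per-connection preauth_session rather than into the session itself would also help the next reader.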
@@ -1383,15 +1395,19 @@ static int ntlm_authenticate(struct ksmbd_work *work)
* that it is reauthentication. And the user/password
* has been verified, so return it here.
*/
- if (sess->state == SMB2_SESSION_VALID)
+ if (sess->state == SMB2_SESSION_VALID) {
+ if (conn->binding)
+ goto binding_session;
return 0;
+ }
if ((conn->sign || server_conf.enforced_signing) ||
(req->SecurityMode & SMB2_NEGOTIATE_SIGNING_REQUIRED))
sess->sign = true;
if (conn->vals->capabilities & SMB2_GLOBAL_CAP_ENCRYPTION &&
- conn->ops->generate_encryptionkey) {
+ conn->ops->generate_encryptionkey &&
+ !(req->Flags & SMB2_SESSION_REQ_FLAG_BINDING)) {
rc = conn->ops->generate_encryptionkey(sess);
if (rc) {
ksmbd_debug(SMB,
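Review bot: ntlm_authenticate() tests for a binding request in two different ways within this hunk: the early exit uses `conn->binding`, while the encryption key guard uses `req->Flags & SMB2_SESSION_REQ_FLAG_BINDING`. The two can disagree, because smb2_sess_setup() sets conn->binding only after its own checks pass, whereas the raw flag is client controlled. Please use conn->binding in both places, or add a comment explaining why the key generation has to look at the request flag.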
@@ -1409,8 +1425,9 @@ static int ntlm_authenticate(struct ksmbd_work *work)
}
}
+binding_session:
if (conn->dialect >= SMB30_PROT_ID) {
- chann = lookup_chann_list(sess);
+ chann = lookup_chann_list(sess, conn);
if (!chann) {
chann = kmalloc(sizeof(struct channel), GFP_KERNEL);
if (!chann)
@@ -1423,7 +1440,7 @@ static int ntlm_authenticate(struct ksmbd_work *work)
}
if (conn->ops->generate_signingkey) {
- rc = conn->ops->generate_signingkey(sess);
+ rc = conn->ops->generate_signingkey(sess, conn);
if (rc) {
ksmbd_debug(SMB, "SMB3 signing key generation failed\n");
rsp->hdr.Status = STATUS_LOGON_FAILURE;
@@ -1500,7 +1517,7 @@ static int krb5_authenticate(struct ksmbd_work *work)
}
if (conn->dialect >= SMB30_PROT_ID) {
- chann = lookup_chann_list(sess);
+ chann = lookup_chann_list(sess, conn);
if (!chann) {
chann = kmalloc(sizeof(struct channel), GFP_KERNEL);
if (!chann)
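Review bot: the krb5_authenticate() hunks only switch lookup_chann_list() and generate_signingkey() to the new signatures, while ntlm_authenticate() also gained a `conn->binding` short-circuit and a guard that skips generate_encryptionkey() for binding requests. If session binding over Kerberos is meant to work, the equivalent handling appears to be missing here; if it is not supported yet, please say so in the commit message or reject the binding request for that mechanism explicitly.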
@@ -1513,7 +1530,7 @@ static int krb5_authenticate(struct ksmbd_work *work)
}
if (conn->ops->generate_signingkey) {
- retval = conn->ops->generate_signingkey(sess);
+ retval = conn->ops->generate_signingkey(sess, conn);
if (retval) {
ksmbd_debug(SMB, "SMB3 signing key generation failed\n");
rsp->hdr.Status = STATUS_LOGON_FAILURE;
@@ -1562,12 +1579,59 @@ int smb2_sess_setup(struct ksmbd_work *work)
}
rsp->hdr.SessionId = cpu_to_le64(sess->id);
ksmbd_session_register(conn, sess);
+ } else if (conn->dialect >= SMB30_PROT_ID &&
+ (server_conf.flags & KSMBD_GLOBAL_FLAG_SMB3_MULTICHANNEL) &&
+ req->Flags & SMB2_SESSION_REQ_FLAG_BINDING) {
+ u64 sess_id = le64_to_cpu(req->hdr.SessionId);
+
+ sess = ksmbd_session_lookup_slowpath(sess_id);
+ if (!sess) {
+ rc = -ENOENT;
+ goto out_err;
+ }
+
+ if (conn->dialect != sess->conn->dialect) {
+ rc = -EINVAL;
+ goto out_err;
+ }
+
+ if (!(req->hdr.Flags & SMB2_FLAGS_SIGNED)) {
+ rc = -EINVAL;
+ goto out_err;
+ }
+
+ if (strncmp(conn->ClientGUID, sess->conn->ClientGUID,
+ SMB2_CLIENT_GUID_SIZE)) {
+ rc = -ENOENT;
+ goto out_err;
+ }
+
+ if (sess->state == SMB2_SESSION_IN_PROGRESS) {
+ rc = -EACCES;
+ goto out_err;
+ }
+
+ if (sess->state == SMB2_SESSION_EXPIRED) {
+ rc = -EFAULT;
+ goto out_err;
+ }
+
+ if (ksmbd_session_lookup(conn, sess_id)) {
+ rc = -EACCES;
+ goto out_err;
+ }
+
+ conn->binding = true;
+ } else if ((conn->dialect < SMB30_PROT_ID ||
+ server_conf.flags & KSMBD_GLOBAL_FLAG_SMB3_MULTICHANNEL) &&
+ (req->Flags & SMB2_SESSION_REQ_FLAG_BINDING)) {
+ rc = -EACCES;
+ goto out_err;
} else {
sess = ksmbd_session_lookup(conn,
le64_to_cpu(req->hdr.SessionId));
if (!sess) {
rc = -ENOENT;
- rsp->hdr.Status = STATUS_USER_SESSION_DELETED;
goto out_err;
}
}
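Review bot: the ClientGUID comparison in the new binding branch uses `strncmp(conn->ClientGUID, sess->conn->ClientGUID, SMB2_CLIENT_GUID_SIZE)`, but a GUID is binary data and strncmp() stops at the first zero byte, so two different GUIDs that share a prefix ending in 0x00 compare equal. This check is one of the conditions for attaching a new connection to an existing session, so it should be memcmp() over the full SMB2_CLIENT_GUID_SIZE. Separately, the following `else if` rejects binding when `conn->dialect < SMB30_PROT_ID || server_conf.flags & KSMBD_GLOBAL_FLAG_SMB3_MULTICHANNEL`; a binding request on SMB 3.x with multichannel disabled matches neither branch and falls through to the plain ksmbd_session_lookup() path. Was `!(server_conf.flags & KSMBD_GLOBAL_FLAG_SMB3_MULTICHANNEL)` intended?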
@@ -1585,15 +1649,15 @@ int smb2_sess_setup(struct ksmbd_work *work)
}
if (server_conf.auth_mechs & conn->auth_mechs) {
+ rc = generate_preauth_hash(work);
+ if (rc)
+ goto out_err;
+
if (conn->preferred_auth_mech &
(KSMBD_AUTH_KRB5 | KSMBD_AUTH_MSKRB5)) {
- rc = generate_preauth_hash(work);
- if (rc)
- goto out_err;
-
rc = krb5_authenticate(work);
if (rc) {
- rsp->hdr.Status = STATUS_INVALID_PARAMETER;
+ rc = -EINVAL;
goto out_err;
}
@@ -1602,10 +1666,6 @@ int smb2_sess_setup(struct ksmbd_work *work)
kfree(sess->Preauth_HashValue);
sess->Preauth_HashValue = NULL;
} else if (conn->preferred_auth_mech == KSMBD_AUTH_NTLMSSP) {
- rc = generate_preauth_hash(work);
- if (rc)
- goto out_err;
-
if (negblob->MessageType == NtLmNegotiate) {
rc = ntlm_negotiate(work, negblob);
if (rc)
@@ -1625,6 +1685,16 @@ int smb2_sess_setup(struct ksmbd_work *work)
ksmbd_conn_set_good(work);
sess->state = SMB2_SESSION_VALID;
+ if (conn->binding) {
+ struct preauth_session *preauth_sess;
+
+ preauth_sess =
+ ksmbd_preauth_session_lookup(conn, sess->id);
+ if (preauth_sess) {
+ list_del(&preauth_sess->preauth_entry);
+ kfree(preauth_sess);
+ }
+ }
kfree(sess->Preauth_HashValue);
sess->Preauth_HashValue = NULL;
}
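Review bot: the preauth_session is unlinked with list_del() and freed only in this success path, and no lock is taken around the list operation in the lines shown. A binding attempt that fails after ksmbd_preauth_session_alloc() never reaches this block, so its entry stays on the connection's list; please confirm it is released elsewhere (for example at connection teardown) or free it on the error path as well, and note which lock protects conn->preauth_sess_table.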
@@ -1632,15 +1702,24 @@ int smb2_sess_setup(struct ksmbd_work *work)
/* TODO: need one more negotiation */
ksmbd_err("Not support the preferred authentication\n");
rc = -EINVAL;
- rsp->hdr.Status = STATUS_INVALID_PARAMETER;
}
} else {
ksmbd_err("Not support authentication\n");
rc = -EINVAL;
- rsp->hdr.Status = STATUS_INVALID_PARAMETER;
}
out_err:
+ if (rc == -EINVAL)
+ rsp->hdr.Status = STATUS_INVALID_PARAMETER;
+ else if (rc == -ENOENT)
+ rsp->hdr.Status = STATUS_USER_SESSION_DELETED;
+ else if (rc == -EACCES)
+ rsp->hdr.Status = STATUS_REQUEST_NOT_ACCEPTED;
+ else if (rc == -EFAULT)
+ rsp->hdr.Status = STATUS_NETWORK_SESSION_EXPIRED;
+ else if (rc)
+ rsp->hdr.Status = STATUS_LOGON_FAILURE;
+
if (conn->use_spnego && conn->mechToken) {
kfree(conn->mechToken);
conn->mechToken = NULL;
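Review bot: nothing in the visible part of out_err clears `conn->binding`, which the binding branch of smb2_sess_setup() sets to true before authentication has run, so a failed binding attempt appears to leave the connection marked as binding for later requests. Please reset it on the error path. The new rc-to-status chain also overwrites any status a callee already chose (ntlm_authenticate() sets STATUS_LOGON_FAILURE itself on signing key failure) and maps -ENOMEM to STATUS_LOGON_FAILURE; a switch statement with a short comment on each mapping would make the intent explicit.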
@@ -7883,7 +7962,7 @@ void smb2_set_sign_rsp(struct ksmbd_work *work)
*/
int smb3_check_sign_req(struct ksmbd_work *work)
{
- struct ksmbd_conn *conn;
+ struct ksmbd_conn *conn = work->conn;
char *signing_key;
struct smb2_hdr *hdr, *hdr_org;
struct channel *chann;
@@ -7906,13 +7985,11 @@ int smb3_check_sign_req(struct ksmbd_work *work)
if (le16_to_cpu(hdr->Command) == SMB2_SESSION_SETUP_HE) {
signing_key = work->sess->smb3signingkey;
- conn = work->sess->conn;
} else {
- chann = lookup_chann_list(work->sess);
+ chann = lookup_chann_list(work->sess, conn);
if (!chann)
return 0;
signing_key = chann->smb3signingkey;
- conn = chann->conn;
}
if (!signing_key) {
@@ -7943,7 +8020,7 @@ int smb3_check_sign_req(struct ksmbd_work *work)
*/
void smb3_set_sign_rsp(struct ksmbd_work *work)
{
- struct ksmbd_conn *conn;
+ struct ksmbd_conn *conn = work->conn;
struct smb2_hdr *req_hdr;
struct smb2_hdr *hdr, *hdr_org;
struct channel *chann;
@@ -7970,13 +8047,11 @@ void smb3_set_sign_rsp(struct ksmbd_work *work)
if (le16_to_cpu(hdr->Command) == SMB2_SESSION_SETUP_HE) {
signing_key = work->sess->smb3signingkey;
- conn = work->sess->conn;
} else {
- chann = lookup_chann_list(work->sess);
+ chann = lookup_chann_list(work->sess, work->conn);
if (!chann)
return;
signing_key = chann->smb3signingkey;
- conn = chann->conn;
}
if (!signing_key)
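Review bot: smb3_set_sign_rsp() now initialises the local `conn` from work->conn but then calls `lookup_chann_list(work->sess, work->conn)`, whereas smb3_check_sign_req() passes the local `conn` for the same call. Please use `conn` here too so the two functions stay visibly symmetrical.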
@@ -8020,11 +8095,21 @@ void smb3_preauth_hash_rsp(struct ksmbd_work *work)
ksmbd_gen_preauth_integrity_hash(conn, (char *)rsp,
conn->preauth_info->Preauth_HashValue);
- if (le16_to_cpu(rsp->Command) == SMB2_SESSION_SETUP_HE &&
- sess && sess->state == SMB2_SESSION_IN_PROGRESS) {
+ if (le16_to_cpu(rsp->Command) == SMB2_SESSION_SETUP_HE && sess) {
__u8 *hash_value;
- hash_value = sess->Preauth_HashValue;
+ if (conn->binding) {
+ struct preauth_session *preauth_sess;
+
+ preauth_sess = ksmbd_preauth_session_lookup(conn, sess->id);
+ if (!preauth_sess)
+ return;
+ hash_value = preauth_sess->Preauth_HashValue;
+ } else {
+ hash_value = sess->Preauth_HashValue;
+ if (!hash_value)
+ return;
+ }
ksmbd_gen_preauth_integrity_hash(conn, (char *)rsp,
hash_value);
}
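Review bot: dropping the `sess->state == SMB2_SESSION_IN_PROGRESS` test from smb3_preauth_hash_rsp() means the function now relies entirely on the pointer checks (`!preauth_sess`, `!hash_value`) to avoid hashing a response for a session that has already been validated. That works only as long as every completion path frees and clears the hash, so please add a comment stating this invariant next to the NULL checks. The early `return` statements would also skip any code later added after this block; assigning `hash_value = NULL` and testing it once before the ksmbd_gen_preauth_integrity_hash() call would be more robust.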
@@ -8116,7 +8201,7 @@ int smb3_decrypt_req(struct ksmbd_work *work)
unsigned int orig_len = le32_to_cpu(tr_hdr->OriginalMessageSize);
int rc = 0;
- sess = ksmbd_session_lookup(conn, le64_to_cpu(tr_hdr->SessionId));
+ sess = ksmbd_session_lookup_all(conn, le64_to_cpu(tr_hdr->SessionId));
if (!sess) {
ksmbd_err("invalid session id(%llx) in transform header\n",
le64_to_cpu(tr_hdr->SessionId));
diff --git a/fs/cifsd/smb2pdu.h b/fs/cifsd/smb2pdu.h
index 0d5349e75dd9..0eac40e1ba65 100644
--- a/fs/cifsd/smb2pdu.h
+++ b/fs/cifsd/smb2pdu.h
@@ -1647,7 +1647,8 @@ struct file_lock *smb_flock_init(struct file *f);
int setup_async_work(struct ksmbd_work *work, void (*fn)(void **),
void **arg);
void smb2_send_interim_resp(struct ksmbd_work *work, __le32 status);
-struct channel *lookup_chann_list(struct ksmbd_session *sess);
+struct channel *lookup_chann_list(struct ksmbd_session *sess,
+ struct ksmbd_conn *conn);
void smb3_preauth_hash_rsp(struct ksmbd_work *work);
int smb3_is_transform_hdr(void *buf);
int smb3_decrypt_req(struct ksmbd_work *work);
diff --git a/fs/cifsd/smb_common.h b/fs/cifsd/smb_common.h
index 6e7404b8db96..084166ba7654 100644
--- a/fs/cifsd/smb_common.h
+++ b/fs/cifsd/smb_common.h
@@ -479,7 +479,7 @@ struct smb_version_ops {
bool (*is_sign_req)(struct ksmbd_work *work, unsigned int command);
int (*check_sign_req)(struct ksmbd_work *work);
void (*set_sign_rsp)(struct ksmbd_work *work);
- int (*generate_signingkey)(struct ksmbd_session *sess);
+ int (*generate_signingkey)(struct ksmbd_session *sess, struct ksmbd_conn *conn);
int (*generate_encryptionkey)(struct ksmbd_session *sess);
int (*is_transform_hdr)(void *buf);
int (*decrypt_req)(struct ksmbd_work *work);
From patchwork Mon Nov 14 12:50:21 2022
X-Patchwork-Submitter: Jason Yan <yanaijie(a)huawei.com>
X-Patchwork-Id: 183209
From: Jason Yan <yanaijie(a)huawei.com>
To: <yanaijie(a)huawei.com>, <zhengzengkai(a)huawei.com>, <xiexiuqi(a)huawei.com>,
<yi.zhang(a)huawei.com>, <patchwork(a)huawei.com>, <kernel.openeuler(a)huawei.com>,
<houtao1(a)huawei.com>
Subject: [PATCH OLK-5.10 v2 112/308] ksmbd: remove cache read/trans buffer
support
Date: Mon, 14 Nov 2022 20:50:21 +0800
Message-ID: <20221114125337.1831594-113-yanaijie(a)huawei.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20221114125337.1831594-1-yanaijie(a)huawei.com>
References: <20221114125337.1831594-1-yanaijie(a)huawei.com>
From: Namjae Jeon <namjae.jeon(a)samsung.com>
mainline inclusion
from mainline-5.15-rc1
commit c30f4eb84badf7476824c38f874542a2e653b46b
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G
CVE: NA
Reference: https://git.kernel.org/torvalds/linux/c/c30f4eb84bad
-------------------------------
As the vmalloc performance improvement patch for big allocations is merged into
the Linux kernel, this feature is no longer needed.
Reviewed-by: Christoph Hellwig <hch(a)lst.de>
Signed-off-by: Namjae Jeon <namjae.jeon(a)samsung.com>
Signed-off-by: Steve French <stfrench(a)microsoft.com>
Signed-off-by: Jason Yan <yanaijie(a)huawei.com>
---
fs/cifsd/auth.c | 1 -
fs/cifsd/buffer_pool.c | 265 -----------------------------------
fs/cifsd/buffer_pool.h | 17 ---
fs/cifsd/connection.c | 1 -
fs/cifsd/crypto_ctx.c | 1 -
fs/cifsd/ksmbd_server.h | 6 +-
fs/cifsd/ksmbd_work.c | 14 +-
fs/cifsd/ksmbd_work.h | 2 -
fs/cifsd/mgmt/share_config.c | 1 -
fs/cifsd/mgmt/tree_connect.c | 1 -
fs/cifsd/mgmt/user_config.c | 1 -
fs/cifsd/mgmt/user_session.c | 1 -
fs/cifsd/oplock.c | 1 -
fs/cifsd/server.c | 18 ++-
fs/cifsd/smb2pdu.c | 34 +----
fs/cifsd/transport_ipc.c | 1 -
fs/cifsd/transport_rdma.c | 1 -
fs/cifsd/transport_tcp.c | 1 -
fs/cifsd/vfs.c | 1 -
fs/cifsd/vfs_cache.c | 34 ++++-
fs/cifsd/vfs_cache.h | 2 +
21 files changed, 51 insertions(+), 353 deletions(-)
delete mode 100644 fs/cifsd/buffer_pool.c
delete mode 100644 fs/cifsd/buffer_pool.h
diff --git a/fs/cifsd/auth.c b/fs/cifsd/auth.c
index 1ba03a7c3201..daf31c9f0880 100644
--- a/fs/cifsd/auth.c
+++ b/fs/cifsd/auth.c
@@ -29,7 +29,6 @@
#include "mgmt/user_config.h"
#include "crypto_ctx.h"
#include "transport_ipc.h"
-#include "buffer_pool.h"
/*
* Fixed format data defining GSS header and fixed string
diff --git a/fs/cifsd/buffer_pool.c b/fs/cifsd/buffer_pool.c
deleted file mode 100644
index ea7d2d1a056a..000000000000
--- a/fs/cifsd/buffer_pool.c
+++ /dev/null
@@ -1,265 +0,0 @@
-// SPDX-License-Identifier: GPL-2.0-or-later
-/*
- * Copyright (C) 2018 Samsung Electronics Co., Ltd.
- */
-
-#include <linux/kernel.h>
-#include <linux/wait.h>
-#include <linux/sched.h>
-#include <linux/mm.h>
-#include <linux/slab.h>
-#include <linux/vmalloc.h>
-#include <linux/rwlock.h>
-
-#include "glob.h"
-#include "buffer_pool.h"
-#include "connection.h"
-#include "mgmt/ksmbd_ida.h"
-
-static struct kmem_cache *filp_cache;
-
-struct wm {
- struct list_head list;
- unsigned int sz;
- char buffer[0];
-};
-
-struct wm_list {
- struct list_head list;
- unsigned int sz;
-
- spinlock_t wm_lock;
- int avail_wm;
- struct list_head idle_wm;
- wait_queue_head_t wm_wait;
-};
-
-static LIST_HEAD(wm_lists);
-static DEFINE_RWLOCK(wm_lists_lock);
-
-static struct wm *wm_alloc(size_t sz, gfp_t flags)
-{
- struct wm *wm;
- size_t alloc_sz = sz + sizeof(struct wm);
-
- if (sz > SIZE_MAX - sizeof(struct wm))
- return NULL;
-
- wm = kvmalloc(alloc_sz, flags);
- if (!wm)
- return NULL;
- wm->sz = sz;
- return wm;
-}
-
-static int register_wm_size_class(size_t sz)
-{
- struct wm_list *l, *nl;
-
- nl = kmalloc(sizeof(struct wm_list), GFP_KERNEL);
- if (!nl)
- return -ENOMEM;
-
- nl->sz = sz;
- spin_lock_init(&nl->wm_lock);
- INIT_LIST_HEAD(&nl->idle_wm);
- INIT_LIST_HEAD(&nl->list);
- init_waitqueue_head(&nl->wm_wait);
- nl->avail_wm = 0;
-
- write_lock(&wm_lists_lock);
- list_for_each_entry(l, &wm_lists, list) {
- if (l->sz == sz) {
- write_unlock(&wm_lists_lock);
- kfree(nl);
- return 0;
- }
- }
-
- list_add(&nl->list, &wm_lists);
- write_unlock(&wm_lists_lock);
- return 0;
-}
-
-static struct wm_list *match_wm_list(size_t size)
-{
- struct wm_list *l, *rl = NULL;
-
- read_lock(&wm_lists_lock);
- list_for_each_entry(l, &wm_lists, list) {
- if (l->sz == size) {
- rl = l;
- break;
- }
- }
- read_unlock(&wm_lists_lock);
- return rl;
-}
-
-static struct wm *find_wm(size_t size)
-{
- struct wm_list *wm_list;
- struct wm *wm;
-
- wm_list = match_wm_list(size);
- if (!wm_list) {
- if (register_wm_size_class(size))
- return NULL;
- wm_list = match_wm_list(size);
- }
-
- if (!wm_list)
- return NULL;
-
- while (1) {
- spin_lock(&wm_list->wm_lock);
- if (!list_empty(&wm_list->idle_wm)) {
- wm = list_entry(wm_list->idle_wm.next,
- struct wm,
- list);
- list_del(&wm->list);
- spin_unlock(&wm_list->wm_lock);
- return wm;
- }
-
- if (wm_list->avail_wm > num_online_cpus()) {
- spin_unlock(&wm_list->wm_lock);
- wait_event(wm_list->wm_wait,
- !list_empty(&wm_list->idle_wm));
- continue;
- }
-
- wm_list->avail_wm++;
- spin_unlock(&wm_list->wm_lock);
-
- wm = wm_alloc(size, GFP_KERNEL);
- if (!wm) {
- spin_lock(&wm_list->wm_lock);
- wm_list->avail_wm--;
- spin_unlock(&wm_list->wm_lock);
- wait_event(wm_list->wm_wait,
- !list_empty(&wm_list->idle_wm));
- continue;
- }
- break;
- }
-
- return wm;
-}
-
-static void release_wm(struct wm *wm, struct wm_list *wm_list)
-{
- if (!wm)
- return;
-
- spin_lock(&wm_list->wm_lock);
- if (wm_list->avail_wm <= num_online_cpus()) {
- list_add(&wm->list, &wm_list->idle_wm);
- spin_unlock(&wm_list->wm_lock);
- wake_up(&wm_list->wm_wait);
- return;
- }
-
- wm_list->avail_wm--;
- spin_unlock(&wm_list->wm_lock);
- kvfree(wm);
-}
-
-static void wm_list_free(struct wm_list *l)
-{
- struct wm *wm;
-
- while (!list_empty(&l->idle_wm)) {
- wm = list_entry(l->idle_wm.next, struct wm, list);
- list_del(&wm->list);
- kvfree(wm);
- }
- kfree(l);
-}
-
-static void wm_lists_destroy(void)
-{
- struct wm_list *l;
-
- while (!list_empty(&wm_lists)) {
- l = list_entry(wm_lists.next, struct wm_list, list);
- list_del(&l->list);
- wm_list_free(l);
- }
-}
-
-void *ksmbd_find_buffer(size_t size)
-{
- struct wm *wm;
-
- wm = find_wm(size);
-
- WARN_ON(!wm);
- if (wm)
- return wm->buffer;
- return NULL;
-}
-
-void ksmbd_release_buffer(void *buffer)
-{
- struct wm_list *wm_list;
- struct wm *wm;
-
- if (!buffer)
- return;
-
- wm = container_of(buffer, struct wm, buffer);
- wm_list = match_wm_list(wm->sz);
- WARN_ON(!wm_list);
- if (wm_list)
- release_wm(wm, wm_list);
-}
-
-void *ksmbd_realloc_response(void *ptr, size_t old_sz, size_t new_sz)
-{
- size_t sz = min(old_sz, new_sz);
- void *nptr;
-
- nptr = kvmalloc(new_sz, GFP_KERNEL | __GFP_ZERO);
- if (!nptr)
- return ptr;
- memcpy(nptr, ptr, sz);
- kvfree(ptr);
- return nptr;
-}
-
-void ksmbd_free_file_struct(void *filp)
-{
- kmem_cache_free(filp_cache, filp);
-}
-
-void *ksmbd_alloc_file_struct(void)
-{
- return kmem_cache_zalloc(filp_cache, GFP_KERNEL);
-}
-
-void ksmbd_destroy_buffer_pools(void)
-{
- wm_lists_destroy();
- ksmbd_work_pool_destroy();
- kmem_cache_destroy(filp_cache);
-}
-
-int ksmbd_init_buffer_pools(void)
-{
- if (ksmbd_work_pool_init())
- goto out;
-
- filp_cache = kmem_cache_create("ksmbd_file_cache",
- sizeof(struct ksmbd_file), 0,
- SLAB_HWCACHE_ALIGN, NULL);
- if (!filp_cache)
- goto out;
-
- return 0;
-
-out:
- ksmbd_err("failed to allocate memory\n");
- ksmbd_destroy_buffer_pools();
- return -ENOMEM;
-}
diff --git a/fs/cifsd/buffer_pool.h b/fs/cifsd/buffer_pool.h
deleted file mode 100644
index 088aa07ba09b..000000000000
--- a/fs/cifsd/buffer_pool.h
+++ /dev/null
@@ -1,17 +0,0 @@
-/* SPDX-License-Identifier: GPL-2.0-or-later */
-/*
- * Copyright (C) 2018 Samsung Electronics Co., Ltd.
- */
-
-#ifndef __KSMBD_BUFFER_POOL_H__
-#define __KSMBD_BUFFER_POOL_H__
-
-void *ksmbd_find_buffer(size_t size);
-void ksmbd_release_buffer(void *buffer);
-void *ksmbd_realloc_response(void *ptr, size_t old_sz, size_t new_sz);
-void ksmbd_free_file_struct(void *filp);
-void *ksmbd_alloc_file_struct(void);
-void ksmbd_destroy_buffer_pools(void);
-int ksmbd_init_buffer_pools(void);
-
-#endif /* __KSMBD_BUFFER_POOL_H__ */
diff --git a/fs/cifsd/connection.c b/fs/cifsd/connection.c
index 06c42309be72..a0d15093dd6f 100644
--- a/fs/cifsd/connection.c
+++ b/fs/cifsd/connection.c
@@ -9,7 +9,6 @@
#include <linux/module.h>
#include "server.h"
-#include "buffer_pool.h"
#include "smb_common.h"
#include "mgmt/ksmbd_ida.h"
#include "connection.h"
diff --git a/fs/cifsd/crypto_ctx.c b/fs/cifsd/crypto_ctx.c
index cfea4c4db30f..7b727fe141a6 100644
--- a/fs/cifsd/crypto_ctx.c
+++ b/fs/cifsd/crypto_ctx.c
@@ -12,7 +12,6 @@
#include "glob.h"
#include "crypto_ctx.h"
-#include "buffer_pool.h"
struct crypto_ctx_list {
spinlock_t ctx_lock;
diff --git a/fs/cifsd/ksmbd_server.h b/fs/cifsd/ksmbd_server.h
index 5ae3fe91bfb4..c2467a709144 100644
--- a/fs/cifsd/ksmbd_server.h
+++ b/fs/cifsd/ksmbd_server.h
@@ -30,10 +30,8 @@ struct ksmbd_heartbeat {
*/
#define KSMBD_GLOBAL_FLAG_INVALID (0)
#define KSMBD_GLOBAL_FLAG_SMB2_LEASES BIT(0)
-#define KSMBD_GLOBAL_FLAG_CACHE_TBUF BIT(1)
-#define KSMBD_GLOBAL_FLAG_CACHE_RBUF BIT(2)
-#define KSMBD_GLOBAL_FLAG_SMB2_ENCRYPTION BIT(3)
-#define KSMBD_GLOBAL_FLAG_SMB3_MULTICHANNEL BIT(4)
+#define KSMBD_GLOBAL_FLAG_SMB2_ENCRYPTION BIT(1)
+#define KSMBD_GLOBAL_FLAG_SMB3_MULTICHANNEL BIT(2)
struct ksmbd_startup_request {
__u32 flags;
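Review bot: removing KSMBD_GLOBAL_FLAG_CACHE_TBUF and KSMBD_GLOBAL_FLAG_CACHE_RBUF also renumbers KSMBD_GLOBAL_FLAG_SMB2_ENCRYPTION from BIT(3) to BIT(1) and KSMBD_GLOBAL_FLAG_SMB3_MULTICHANNEL from BIT(4) to BIT(2), and these values travel in the `__u32 flags` field of struct ksmbd_startup_request shown just below. A userspace daemon built against the old header would then have its old cache bits interpreted as "enable encryption" and "enable multichannel", and its real encryption request at BIT(3) ignored. Unless the userspace tools are updated in lockstep, it would be safer to keep the existing bit positions and leave BIT(1) and BIT(2) reserved; either way the commit message should mention the interface change.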
diff --git a/fs/cifsd/ksmbd_work.c b/fs/cifsd/ksmbd_work.c
index f284a2a803d6..a88c25965012 100644
--- a/fs/cifsd/ksmbd_work.c
+++ b/fs/cifsd/ksmbd_work.c
@@ -11,7 +11,6 @@
#include "server.h"
#include "connection.h"
#include "ksmbd_work.h"
-#include "buffer_pool.h"
#include "mgmt/ksmbd_ida.h"
/* @FIXME */
@@ -38,18 +37,9 @@ struct ksmbd_work *ksmbd_alloc_work_struct(void)
void ksmbd_free_work_struct(struct ksmbd_work *work)
{
WARN_ON(work->saved_cred != NULL);
- if (server_conf.flags & KSMBD_GLOBAL_FLAG_CACHE_TBUF &&
- work->set_trans_buf)
- ksmbd_release_buffer(work->response_buf);
- else
- kvfree(work->response_buf);
-
- if (server_conf.flags & KSMBD_GLOBAL_FLAG_CACHE_RBUF &&
- work->set_read_buf)
- ksmbd_release_buffer(work->aux_payload_buf);
- else
- kvfree(work->aux_payload_buf);
+ kvfree(work->response_buf);
+ kvfree(work->aux_payload_buf);
kfree(work->tr_buf);
kvfree(work->request_buf);
if (work->async_id)
diff --git a/fs/cifsd/ksmbd_work.h b/fs/cifsd/ksmbd_work.h
index 28a1692ed37f..0e2d4f3fc49f 100644
--- a/fs/cifsd/ksmbd_work.h
+++ b/fs/cifsd/ksmbd_work.h
@@ -70,8 +70,6 @@ struct ksmbd_work {
/* Is this SYNC or ASYNC ksmbd_work */
bool syncronous:1;
bool need_invalidate_rkey:1;
- bool set_trans_buf:1;
- bool set_read_buf:1;
unsigned int remote_key;
/* cancel works */
diff --git a/fs/cifsd/mgmt/share_config.c b/fs/cifsd/mgmt/share_config.c
index bcc4ae4381b9..fac6034b97a9 100644
--- a/fs/cifsd/mgmt/share_config.c
+++ b/fs/cifsd/mgmt/share_config.c
@@ -15,7 +15,6 @@
#include "share_config.h"
#include "user_config.h"
#include "user_session.h"
-#include "../buffer_pool.h"
#include "../transport_ipc.h"
#define SHARE_HASH_BITS 3
diff --git a/fs/cifsd/mgmt/tree_connect.c b/fs/cifsd/mgmt/tree_connect.c
index 029a9e81e844..0d28e723a28c 100644
--- a/fs/cifsd/mgmt/tree_connect.c
+++ b/fs/cifsd/mgmt/tree_connect.c
@@ -7,7 +7,6 @@
#include <linux/slab.h>
#include <linux/xarray.h>
-#include "../buffer_pool.h"
#include "../transport_ipc.h"
#include "../connection.h"
diff --git a/fs/cifsd/mgmt/user_config.c b/fs/cifsd/mgmt/user_config.c
index 7f898c5bda25..d21629ae5c89 100644
--- a/fs/cifsd/mgmt/user_config.c
+++ b/fs/cifsd/mgmt/user_config.c
@@ -7,7 +7,6 @@
#include <linux/mm.h>
#include "user_config.h"
-#include "../buffer_pool.h"
#include "../transport_ipc.h"
struct ksmbd_user *ksmbd_login_user(const char *account)
diff --git a/fs/cifsd/mgmt/user_session.c b/fs/cifsd/mgmt/user_session.c
index c3487b1a004c..77bdf3642f72 100644
--- a/fs/cifsd/mgmt/user_session.c
+++ b/fs/cifsd/mgmt/user_session.c
@@ -14,7 +14,6 @@
#include "tree_connect.h"
#include "../transport_ipc.h"
#include "../connection.h"
-#include "../buffer_pool.h"
#include "../vfs_cache.h"
static DEFINE_IDA(session_ida);
diff --git a/fs/cifsd/oplock.c b/fs/cifsd/oplock.c
index 5868cdca7187..1ef2acbea2bb 100644
--- a/fs/cifsd/oplock.c
+++ b/fs/cifsd/oplock.c
@@ -11,7 +11,6 @@
#include "smb_common.h"
#include "smbstatus.h"
-#include "buffer_pool.h"
#include "connection.h"
#include "mgmt/user_session.h"
#include "mgmt/share_config.h"
diff --git a/fs/cifsd/server.c b/fs/cifsd/server.c
index a71fafa176b3..93402c56b8ff 100644
--- a/fs/cifsd/server.c
+++ b/fs/cifsd/server.c
@@ -16,7 +16,6 @@
#include "server.h"
#include "smb_common.h"
#include "smbstatus.h"
-#include "buffer_pool.h"
#include "connection.h"
#include "transport_ipc.h"
#include "mgmt/user_session.h"
@@ -536,7 +535,8 @@ static int ksmbd_server_shutdown(void)
ksmbd_crypto_destroy();
ksmbd_free_global_file_table();
destroy_lease_table(NULL);
- ksmbd_destroy_buffer_pools();
+ ksmbd_work_pool_destroy();
+ ksmbd_exit_file_cache();
server_conf_free();
return 0;
}
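Review bot: ksmbd_server_shutdown() now calls ksmbd_work_pool_destroy() before ksmbd_exit_file_cache(), while the error unwinding added to ksmbd_server_init() releases them in the opposite order (file cache first, then work pool). Please make shutdown mirror the reverse of initialisation so the two teardown paths cannot drift apart.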
@@ -557,13 +557,17 @@ static int __init ksmbd_server_init(void)
if (ret)
goto err_unregister;
- ret = ksmbd_init_buffer_pools();
+ ret = ksmbd_work_pool_init();
if (ret)
goto err_unregister;
+ ret = ksmbd_init_file_cache();
+ if (ret)
+ goto err_destroy_work_pools;
+
ret = ksmbd_ipc_init();
if (ret)
- goto err_free_session_table;
+ goto err_exit_file_cache;
ret = ksmbd_init_global_file_table();
if (ret)
@@ -590,8 +594,10 @@ static int __init ksmbd_server_init(void)
ksmbd_free_global_file_table();
err_ipc_release:
ksmbd_ipc_release();
-err_free_session_table:
- ksmbd_destroy_buffer_pools();
+err_exit_file_cache:
+ ksmbd_exit_file_cache();
+err_destroy_work_pools:
+ ksmbd_work_pool_destroy();
err_unregister:
class_unregister(&ksmbd_control_class);
diff --git a/fs/cifsd/smb2pdu.c b/fs/cifsd/smb2pdu.c
index 12c954dac51a..345c4c75da9a 100644
--- a/fs/cifsd/smb2pdu.c
+++ b/fs/cifsd/smb2pdu.c
@@ -19,7 +19,6 @@
#include "auth.h"
#include "asn1.h"
-#include "buffer_pool.h"
#include "connection.h"
#include "transport_ipc.h"
#include "vfs.h"
@@ -538,10 +537,8 @@ int smb2_allocate_rsp_buf(struct ksmbd_work *work)
size_t sz = small_sz;
int cmd = le16_to_cpu(hdr->Command);
- if (cmd == SMB2_IOCTL_HE || cmd == SMB2_QUERY_DIRECTORY_HE) {
+ if (cmd == SMB2_IOCTL_HE || cmd == SMB2_QUERY_DIRECTORY_HE)
sz = large_sz;
- work->set_trans_buf = true;
- }
if (cmd == SMB2_QUERY_INFO_HE) {
struct smb2_query_info_req *req;
@@ -549,22 +546,15 @@ int smb2_allocate_rsp_buf(struct ksmbd_work *work)
req = work->request_buf;
if (req->InfoType == SMB2_O_INFO_FILE &&
(req->FileInfoClass == FILE_FULL_EA_INFORMATION ||
- req->FileInfoClass == FILE_ALL_INFORMATION)) {
+ req->FileInfoClass == FILE_ALL_INFORMATION))
sz = large_sz;
- work->set_trans_buf = true;
- }
}
/* allocate large response buf for chained commands */
if (le32_to_cpu(hdr->NextCommand) > 0)
sz = large_sz;
- if (server_conf.flags & KSMBD_GLOBAL_FLAG_CACHE_TBUF &&
- work->set_trans_buf)
- work->response_buf = ksmbd_find_buffer(sz);
- else
- work->response_buf = kvmalloc(sz, GFP_KERNEL | __GFP_ZERO);
-
+ work->response_buf = kvmalloc(sz, GFP_KERNEL | __GFP_ZERO);
if (!work->response_buf)
return -ENOMEM;
@@ -5950,13 +5940,7 @@ int smb2_read(struct ksmbd_work *work)
ksmbd_debug(SMB, "filename %s, offset %lld, len %zu\n", FP_FILENAME(fp),
offset, length);
- if (server_conf.flags & KSMBD_GLOBAL_FLAG_CACHE_RBUF) {
- work->aux_payload_buf =
- ksmbd_find_buffer(conn->vals->max_read_size);
- work->set_read_buf = true;
- } else {
- work->aux_payload_buf = kvmalloc(length, GFP_KERNEL | __GFP_ZERO);
- }
+ work->aux_payload_buf = kvmalloc(length, GFP_KERNEL | __GFP_ZERO);
if (!work->aux_payload_buf) {
err = -ENOMEM;
goto out;
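Review bot: with the cached path gone, smb2_read() always sizes the allocation from `length`, which comes from the client request, where the removed branch used `conn->vals->max_read_size`. No bound on `length` is visible in this hunk, so please confirm it is checked against max_read_size before this point, or add that check here and fail the request when it is exceeded. As a style point, `kvmalloc(length, GFP_KERNEL | __GFP_ZERO)` can be written as kvzalloc(length, GFP_KERNEL), here and in smb2_allocate_rsp_buf().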
@@ -5969,10 +5953,7 @@ int smb2_read(struct ksmbd_work *work)
}
if ((nbytes == 0 && length != 0) || nbytes < mincount) {
- if (server_conf.flags & KSMBD_GLOBAL_FLAG_CACHE_RBUF)
- ksmbd_release_buffer(work->aux_payload_buf);
- else
- kvfree(work->aux_payload_buf);
+ kvfree(work->aux_payload_buf);
work->aux_payload_buf = NULL;
rsp->hdr.Status = STATUS_END_OF_FILE;
smb2_set_err_rsp(work);
@@ -5989,10 +5970,7 @@ int smb2_read(struct ksmbd_work *work)
remain_bytes = smb2_read_rdma_channel(work, req,
work->aux_payload_buf,
nbytes);
- if (server_conf.flags & KSMBD_GLOBAL_FLAG_CACHE_RBUF)
- ksmbd_release_buffer(work->aux_payload_buf);
- else
- kvfree(work->aux_payload_buf);
+ kvfree(work->aux_payload_buf);
work->aux_payload_buf = NULL;
nbytes = 0;
diff --git a/fs/cifsd/transport_ipc.c b/fs/cifsd/transport_ipc.c
index b09df832431f..2bcc1cad6037 100644
--- a/fs/cifsd/transport_ipc.c
+++ b/fs/cifsd/transport_ipc.c
@@ -16,7 +16,6 @@
#include "vfs_cache.h"
#include "transport_ipc.h"
-#include "buffer_pool.h"
#include "server.h"
#include "smb_common.h"
diff --git a/fs/cifsd/transport_rdma.c b/fs/cifsd/transport_rdma.c
index efaa9776841f..52237f023b66 100644
--- a/fs/cifsd/transport_rdma.c
+++ b/fs/cifsd/transport_rdma.c
@@ -33,7 +33,6 @@
#include "connection.h"
#include "smb_common.h"
#include "smbstatus.h"
-#include "buffer_pool.h"
#include "transport_rdma.h"
#define SMB_DIRECT_PORT 5445
diff --git a/fs/cifsd/transport_tcp.c b/fs/cifsd/transport_tcp.c
index d6d5c0038dea..16702b7874f4 100644
--- a/fs/cifsd/transport_tcp.c
+++ b/fs/cifsd/transport_tcp.c
@@ -9,7 +9,6 @@
#include "smb_common.h"
#include "server.h"
#include "auth.h"
-#include "buffer_pool.h"
#include "connection.h"
#include "transport_tcp.h"
diff --git a/fs/cifsd/vfs.c b/fs/cifsd/vfs.c
index 9111b485d611..fb31c1ccb1bd 100644
--- a/fs/cifsd/vfs.c
+++ b/fs/cifsd/vfs.c
@@ -23,7 +23,6 @@
#include "glob.h"
#include "oplock.h"
#include "connection.h"
-#include "buffer_pool.h"
#include "vfs.h"
#include "vfs_cache.h"
#include "smbacl.h"
diff --git a/fs/cifsd/vfs_cache.c b/fs/cifsd/vfs_cache.c
index 6ea09fe82814..dcac1f0a29e4 100644
--- a/fs/cifsd/vfs_cache.c
+++ b/fs/cifsd/vfs_cache.c
@@ -10,7 +10,6 @@
#include "glob.h"
#include "vfs_cache.h"
-#include "buffer_pool.h"
#include "oplock.h"
#include "vfs.h"
#include "connection.h"
@@ -29,6 +28,7 @@ static DEFINE_RWLOCK(inode_hash_lock);
static struct ksmbd_file_table global_ft;
static atomic_long_t fd_limit;
+static struct kmem_cache *filp_cache;
void ksmbd_set_fd_limit(unsigned long limit)
{
@@ -315,7 +315,7 @@ static void __ksmbd_close_fd(struct ksmbd_file_table *ft, struct ksmbd_file *fp)
kfree(fp->filename);
if (ksmbd_stream_fd(fp))
kfree(fp->stream.name);
- ksmbd_free_file_struct(fp);
+ kmem_cache_free(filp_cache, fp);
}
static struct ksmbd_file *ksmbd_fp_get(struct ksmbd_file *fp)
@@ -539,10 +539,10 @@ unsigned int ksmbd_open_durable_fd(struct ksmbd_file *fp)
struct ksmbd_file *ksmbd_open_fd(struct ksmbd_work *work, struct file *filp)
{
- struct ksmbd_file *fp;
+ struct ksmbd_file *fp;
int ret;
- fp = ksmbd_alloc_file_struct();
+ fp = kmem_cache_zalloc(filp_cache, GFP_KERNEL);
if (!fp) {
ksmbd_err("Failed to allocate memory\n");
return ERR_PTR(-ENOMEM);
@@ -561,14 +561,14 @@ struct ksmbd_file *ksmbd_open_fd(struct ksmbd_work *work, struct file *filp)
fp->f_ci = ksmbd_inode_get(fp);
if (!fp->f_ci) {
- ksmbd_free_file_struct(fp);
+ kmem_cache_free(filp_cache, fp);
return ERR_PTR(-ENOMEM);
}
ret = __open_id(&work->sess->file_table, fp, OPEN_ID_TYPE_VOLATILE_ID);
if (ret) {
ksmbd_inode_put(fp->f_ci);
- ksmbd_free_file_struct(fp);
+ kmem_cache_free(filp_cache, fp);
return ERR_PTR(ret);
}
@@ -640,7 +640,7 @@ void ksmbd_free_global_file_table(void)
idr_for_each_entry(global_ft.idr, fp, id) {
__ksmbd_remove_durable_fd(fp);
- ksmbd_free_file_struct(fp);
+ kmem_cache_free(filp_cache, fp);
}
ksmbd_destroy_file_table(&global_ft);
@@ -683,3 +683,23 @@ void ksmbd_destroy_file_table(struct ksmbd_file_table *ft)
kfree(ft->idr);
ft->idr = NULL;
}
+
+int ksmbd_init_file_cache(void)
+{
+ filp_cache = kmem_cache_create("ksmbd_file_cache",
+ sizeof(struct ksmbd_file), 0,
+ SLAB_HWCACHE_ALIGN, NULL);
+ if (!filp_cache)
+ goto out;
+
+ return 0;
+
+out:
+ ksmbd_err("failed to allocate file cache\n");
+ return -ENOMEM;
+}
+
+void ksmbd_exit_file_cache(void)
+{
+ kmem_cache_destroy(filp_cache);
+}
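Review bot: ksmbd_init_file_cache() uses `goto out` for its only failure case, which adds a label without sharing any cleanup. Returning directly inside `if (!filp_cache)` after the ksmbd_err() call is shorter and reads more clearly. It is also worth a comment on ksmbd_exit_file_cache() that it must run after ksmbd_free_global_file_table(), since that function now calls kmem_cache_free(filp_cache, fp) directly.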
diff --git a/fs/cifsd/vfs_cache.h b/fs/cifsd/vfs_cache.h
index 635eedbd497c..745855367106 100644
--- a/fs/cifsd/vfs_cache.h
+++ b/fs/cifsd/vfs_cache.h
@@ -182,4 +182,6 @@ void ksmbd_set_inode_pending_delete(struct ksmbd_file *fp);
void ksmbd_clear_inode_pending_delete(struct ksmbd_file *fp);
void ksmbd_fd_set_delete_on_close(struct ksmbd_file *fp,
int file_info);
+int ksmbd_init_file_cache(void);
+void ksmbd_exit_file_cache(void);
#endif /* __VFS_CACHE_H__ */
From patchwork Mon Nov 14 12:50:22 2022
X-Patchwork-Submitter: Jason Yan <yanaijie(a)huawei.com>
X-Patchwork-Id: 183210
From: Jason Yan <yanaijie(a)huawei.com>
To: <yanaijie(a)huawei.com>, <zhengzengkai(a)huawei.com>, <xiexiuqi(a)huawei.com>,
<yi.zhang(a)huawei.com>, <patchwork(a)huawei.com>, <kernel.openeuler(a)huawei.com>,
<houtao1(a)huawei.com>
Subject: [PATCH OLK-5.10 v2 113/308] ksmbd: initialize variables on the
declaration
Date: Mon, 14 Nov 2022 20:50:22 +0800
Message-ID: <20221114125337.1831594-114-yanaijie(a)huawei.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20221114125337.1831594-1-yanaijie(a)huawei.com>
References: <20221114125337.1831594-1-yanaijie(a)huawei.com>
From: Namjae Jeon <namjae.jeon(a)samsung.com>
mainline inclusion
from mainline-5.15-rc1
commit afa8f016c5a527bd004042ea47ca8b8007e4185f
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G
CVE: NA
Reference: https://git.kernel.org/torvalds/linux/c/afa8f016c5a5
-------------------------------
Initialize variables on the declaration.
Reviewed-by: Christoph Hellwig <hch(a)lst.de>
Signed-off-by: Namjae Jeon <namjae.jeon(a)samsung.com>
Signed-off-by: Steve French <stfrench(a)microsoft.com>
Signed-off-by: Jason Yan <yanaijie(a)huawei.com>
---
fs/cifsd/vfs.c | 9 +++------
1 file changed, 3 insertions(+), 6 deletions(-)
diff --git a/fs/cifsd/vfs.c b/fs/cifsd/vfs.c
index fb31c1ccb1bd..4e0cf1b95419 100644
--- a/fs/cifsd/vfs.c
+++ b/fs/cifsd/vfs.c
@@ -355,14 +355,11 @@ static int check_lock_range(struct file *filp, loff_t start, loff_t end,
int ksmbd_vfs_read(struct ksmbd_work *work, struct ksmbd_file *fp, size_t count,
loff_t *pos)
{
- struct file *filp;
+ struct file *filp = fp->filp;
ssize_t nbytes = 0;
- char *rbuf;
- struct inode *inode;
+ char *rbuf = work->aux_payload_buf;
+ struct inode *inode = file_inode(filp);
- rbuf = work->aux_payload_buf;
- filp = fp->filp;
- inode = file_inode(filp);
if (S_ISDIR(inode->i_mode))
return -EISDIR;
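Review bot: the new initializers in ksmbd_vfs_read() dereference fp, work and filp at the point of declaration, so a NULL check added to the body later would come after the dereference and could be optimized away. Behaviour matches the removed assignments, which were also unconditional, but a one-line comment stating that callers guarantee a valid fp and fp->filp would document the assumption.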
From patchwork Mon Nov 14 12:50:23 2022
From: Jason Yan <yanaijie(a)huawei.com>
To: <yanaijie(a)huawei.com>, <zhengzengkai(a)huawei.com>, <xiexiuqi(a)huawei.com>,
<yi.zhang(a)huawei.com>, <patchwork(a)huawei.com>, <kernel.openeuler(a)huawei.com>,
<houtao1(a)huawei.com>
Subject: [PATCH OLK-5.10 v2 114/308] ksmbd: remove ksmbd_vfs_copy_file_range
Date: Mon, 14 Nov 2022 20:50:23 +0800
Message-ID: <20221114125337.1831594-115-yanaijie(a)huawei.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20221114125337.1831594-1-yanaijie(a)huawei.com>
References: <20221114125337.1831594-1-yanaijie(a)huawei.com>
From: Namjae Jeon <namjae.jeon(a)samsung.com>
mainline inclusion
from mainline-5.15-rc1
commit f8524776f1bbf2895de757438b41915a9b3d9bbc
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G
CVE: NA
Reference: https://git.kernel.org/torvalds/linux/c/f8524776f1bb
-------------------------------
vfs_copy_file_range and cifs client already do this type of fallback,
so this is dead code.
Reviewed-by: Christoph Hellwig <hch(a)lst.de>
Signed-off-by: Namjae Jeon <namjae.jeon(a)samsung.com>
Signed-off-by: Steve French <stfrench(a)microsoft.com>
Signed-off-by: Jason Yan <yanaijie(a)huawei.com>
---
fs/cifsd/smb2pdu.c | 4 ++--
fs/cifsd/vfs.c | 50 ++--------------------------------------------
fs/cifsd/vfs.h | 3 ---
3 files changed, 4 insertions(+), 53 deletions(-)
diff --git a/fs/cifsd/smb2pdu.c b/fs/cifsd/smb2pdu.c
index 345c4c75da9a..2df8217c7395 100644
--- a/fs/cifsd/smb2pdu.c
+++ b/fs/cifsd/smb2pdu.c
@@ -7437,8 +7437,8 @@ int smb2_ioctl(struct ksmbd_work *work)
ret = -EOPNOTSUPP;
goto dup_ext_out;
} else if (cloned != length) {
- cloned = ksmbd_vfs_copy_file_range(fp_in->filp, src_off,
- fp_out->filp, dst_off, length);
+ cloned = vfs_copy_file_range(fp_in->filp, src_off,
+ fp_out->filp, dst_off, length, 0);
if (cloned != length) {
if (cloned < 0)
ret = cloned;
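Review bot: vfs_copy_file_range() returns ssize_t whereas the removed ksmbd_vfs_copy_file_range() returned int, and cloned is compared against length and tested with cloned < 0 right below the call. The declaration of cloned is outside the hunk; please check it is a signed type wide enough for the ssize_t result so that neither comparison is affected by truncation or sign conversion.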
diff --git a/fs/cifsd/vfs.c b/fs/cifsd/vfs.c
index 4e0cf1b95419..ef74e56cd05f 100644
--- a/fs/cifsd/vfs.c
+++ b/fs/cifsd/vfs.c
@@ -1802,52 +1802,6 @@ int ksmbd_vfs_xattr_stream_name(char *stream_name, char **xattr_stream_name,
return 0;
}
-int ksmbd_vfs_copy_file_range(struct file *file_in, loff_t pos_in,
- struct file *file_out, loff_t pos_out, size_t len)
-{
- struct inode *inode_in = file_inode(file_in);
- struct inode *inode_out = file_inode(file_out);
- int ret;
-
- ret = vfs_copy_file_range(file_in, pos_in, file_out, pos_out, len, 0);
- /* do splice for the copy between different file systems */
- if (ret != -EXDEV)
- return ret;
-
- if (S_ISDIR(inode_in->i_mode) || S_ISDIR(inode_out->i_mode))
- return -EISDIR;
- if (!S_ISREG(inode_in->i_mode) || !S_ISREG(inode_out->i_mode))
- return -EINVAL;
-
- if (!(file_in->f_mode & FMODE_READ) ||
- !(file_out->f_mode & FMODE_WRITE))
- return -EBADF;
-
- if (len == 0)
- return 0;
-
- file_start_write(file_out);
-
- /*
- * skip the verification of the range of data. it will be done
- * in do_splice_direct
- */
- ret = do_splice_direct(file_in, &pos_in, file_out, &pos_out,
- len > MAX_RW_COUNT ? MAX_RW_COUNT : len, 0);
- if (ret > 0) {
- fsnotify_access(file_in);
- add_rchar(current, ret);
- fsnotify_modify(file_out);
- add_wchar(current, ret);
- }
-
- inc_syscr(current);
- inc_syscw(current);
-
- file_end_write(file_out);
- return ret;
-}
-
int ksmbd_vfs_copy_file_ranges(struct ksmbd_work *work,
struct ksmbd_file *src_fp,
struct ksmbd_file *dst_fp,
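Review bot: the deleted wrapper did more than forward the call: on -EXDEV it fell back to do_splice_direct() and capped the length at MAX_RW_COUNT. The commit message says vfs_copy_file_range() already performs this fallback; because this is a backport to OLK-5.10, that needs to be verified against the target tree's vfs_copy_file_range() rather than the mainline version the commit was written for. If -EXDEV can still reach these callers there, cross-filesystem server-side copies start failing after this patch.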
@@ -1905,8 +1859,8 @@ int ksmbd_vfs_copy_file_ranges(struct ksmbd_work *work,
if (src_off + len > src_file_size)
return -E2BIG;
- ret = ksmbd_vfs_copy_file_range(src_fp->filp, src_off,
- dst_fp->filp, dst_off, len);
+ ret = vfs_copy_file_range(src_fp->filp, src_off,
+ dst_fp->filp, dst_off, len, 0);
if (ret < 0)
return ret;
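Review bot: only ret < 0 is rejected after the vfs_copy_file_range() call in ksmbd_vfs_copy_file_ranges(), yet a short copy (0 < ret < len) is a legal result. The lines after the hunk are not shown; they should account with ret, not len, when updating the written totals. The context check src_off + len > src_file_size also relies on the sum not wrapping, so the types of src_off and len are worth a look while this call is being touched.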
diff --git a/fs/cifsd/vfs.h b/fs/cifsd/vfs.h
index 5db1e9e2a754..03b877e6520b 100644
--- a/fs/cifsd/vfs.h
+++ b/fs/cifsd/vfs.h
@@ -218,9 +218,6 @@ int ksmbd_vfs_copy_file_ranges(struct ksmbd_work *work,
unsigned int *chunk_count_written,
unsigned int *chunk_size_written,
loff_t *total_size_written);
-int ksmbd_vfs_copy_file_range(struct file *file_in, loff_t pos_in,
- struct file *file_out, loff_t pos_out,
- size_t len);
ssize_t ksmbd_vfs_listxattr(struct dentry *dentry, char **list);
ssize_t ksmbd_vfs_getxattr(struct dentry *dentry, char *xattr_name,
char **xattr_buf);
From patchwork Mon Nov 14 12:50:24 2022
From: Jason Yan <yanaijie(a)huawei.com>
To: <yanaijie(a)huawei.com>, <zhengzengkai(a)huawei.com>, <xiexiuqi(a)huawei.com>,
<yi.zhang(a)huawei.com>, <patchwork(a)huawei.com>, <kernel.openeuler(a)huawei.com>,
<houtao1(a)huawei.com>
Subject: [PATCH OLK-5.10 v2 115/308] ksmbd: use list_for_each_entry instead of
list_for_each
Date: Mon, 14 Nov 2022 20:50:24 +0800
Message-ID: <20221114125337.1831594-116-yanaijie(a)huawei.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20221114125337.1831594-1-yanaijie(a)huawei.com>
References: <20221114125337.1831594-1-yanaijie(a)huawei.com>
From: Namjae Jeon <namjae.jeon(a)samsung.com>
mainline inclusion
from mainline-5.15-rc1
commit 6f3d5eeec744727bf017be3bb12e7fbf1c4438ed
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G
CVE: NA
Reference: https://git.kernel.org/torvalds/linux/c/6f3d5eeec744
-------------------------------
Use list_for_each_entry instead of list_for_each.
Reviewed-by: Christoph Hellwig <hch(a)lst.de>
Signed-off-by: Namjae Jeon <namjae.jeon(a)samsung.com>
Signed-off-by: Steve French <stfrench(a)microsoft.com>
Signed-off-by: Jason Yan <yanaijie(a)huawei.com>
---
fs/cifsd/smb2pdu.c | 14 ++++----------
fs/cifsd/smb_common.c | 4 +---
fs/cifsd/vfs_cache.c | 4 +---
3 files changed, 6 insertions(+), 16 deletions(-)
diff --git a/fs/cifsd/smb2pdu.c b/fs/cifsd/smb2pdu.c
index 2df8217c7395..f1642fffe4e1 100644
--- a/fs/cifsd/smb2pdu.c
+++ b/fs/cifsd/smb2pdu.c
@@ -73,10 +73,8 @@ static inline int check_session_id(struct ksmbd_conn *conn, u64 id)
struct channel *lookup_chann_list(struct ksmbd_session *sess, struct ksmbd_conn *conn)
{
struct channel *chann;
- struct list_head *t;
- list_for_each(t, &sess->ksmbd_chann_list) {
- chann = list_entry(t, struct channel, chann_list);
+ list_for_each_entry(chann, &sess->ksmbd_chann_list, chann_list) {
if (chann && chann->conn == conn)
return chann;
}
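Review bot: with list_for_each_entry() the cursor chann is computed by container_of() and is never NULL inside the loop, so the chann && test in lookup_chann_list() is dead and can be reduced to if (chann->conn == conn). After a full pass without a match, chann points at the container of the list head and not at a real channel, so the not-found return below the hunk must be an explicit NULL and not chann.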
@@ -6315,7 +6313,6 @@ int smb2_cancel(struct ksmbd_work *work)
struct smb2_hdr *hdr = work->request_buf;
struct smb2_hdr *chdr;
struct ksmbd_work *cancel_work = NULL;
- struct list_head *tmp;
int canceled = 0;
struct list_head *command_list;
@@ -6326,9 +6323,8 @@ int smb2_cancel(struct ksmbd_work *work)
command_list = &conn->async_requests;
spin_lock(&conn->request_lock);
- list_for_each(tmp, command_list) {
- cancel_work = list_entry(tmp, struct ksmbd_work,
- async_request_entry);
+ list_for_each_entry(cancel_work, command_list,
+ async_request_entry) {
chdr = cancel_work->request_buf;
if (cancel_work->async_id !=
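Review bot: cancel_work is initialized to NULL in smb2_cancel(), but once list_for_each_entry() has run to completion, including over an empty async_requests list, it holds a pointer derived from the list head rather than NULL. With the old list_for_each()/list_entry() pair an empty list left it NULL. Code after the loop must therefore key off the canceled flag and never off cancel_work being non-NULL; please confirm that in the part of the function that is not shown.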
@@ -6347,9 +6343,7 @@ int smb2_cancel(struct ksmbd_work *work)
command_list = &conn->requests;
spin_lock(&conn->request_lock);
- list_for_each(tmp, command_list) {
- cancel_work = list_entry(tmp, struct ksmbd_work,
- request_entry);
+ list_for_each_entry(cancel_work, command_list, request_entry) {
chdr = cancel_work->request_buf;
if (chdr->MessageId != hdr->MessageId ||
diff --git a/fs/cifsd/smb_common.c b/fs/cifsd/smb_common.c
index 039030968b50..d74b2ce08187 100644
--- a/fs/cifsd/smb_common.c
+++ b/fs/cifsd/smb_common.c
@@ -481,15 +481,13 @@ int ksmbd_smb_check_shared_mode(struct file *filp, struct ksmbd_file *curr_fp)
{
int rc = 0;
struct ksmbd_file *prev_fp;
- struct list_head *cur;
/*
* Lookup fp in master fp list, and check desired access and
* shared mode between previous open and current open.
*/
read_lock(&curr_fp->f_ci->m_lock);
- list_for_each(cur, &curr_fp->f_ci->m_fp_list) {
- prev_fp = list_entry(cur, struct ksmbd_file, node);
+ list_for_each_entry(prev_fp, &curr_fp->f_ci->m_fp_list, node) {
if (file_inode(filp) != FP_INODE(prev_fp))
continue;
diff --git a/fs/cifsd/vfs_cache.c b/fs/cifsd/vfs_cache.c
index dcac1f0a29e4..3f18018668b6 100644
--- a/fs/cifsd/vfs_cache.c
+++ b/fs/cifsd/vfs_cache.c
@@ -472,15 +472,13 @@ struct ksmbd_file *ksmbd_lookup_fd_inode(struct inode *inode)
{
struct ksmbd_file *lfp;
struct ksmbd_inode *ci;
- struct list_head *cur;
ci = ksmbd_inode_lookup_by_vfsinode(inode);
if (!ci)
return NULL;
read_lock(&ci->m_lock);
- list_for_each(cur, &ci->m_fp_list) {
- lfp = list_entry(cur, struct ksmbd_file, node);
+ list_for_each_entry(lfp, &ci->m_fp_list, node) {
if (inode == FP_INODE(lfp)) {
atomic_dec(&ci->m_count);
read_unlock(&ci->m_lock);
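Review bot: in ksmbd_lookup_fd_inode() the match branch drops ci->m_count and releases ci->m_lock, and nothing in the visible lines takes a reference on lfp before the lock is released. That predates this conversion, but if lfp is what gets returned next, the caller's pointer is only as safe as whatever else pins the ksmbd_file. A comment stating what keeps lfp alive after read_unlock(), or taking a reference under the lock, would close the question.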
From patchwork Mon Nov 14 12:50:25 2022
From: Jason Yan <yanaijie(a)huawei.com>
To: <yanaijie(a)huawei.com>, <zhengzengkai(a)huawei.com>, <xiexiuqi(a)huawei.com>,
<yi.zhang(a)huawei.com>, <patchwork(a)huawei.com>, <kernel.openeuler(a)huawei.com>,
<houtao1(a)huawei.com>
Subject: [PATCH OLK-5.10 v2 116/308] ksmbd: use goto instead of duplicating
the resoure cleanup in ksmbd_open_fd
Date: Mon, 14 Nov 2022 20:50:25 +0800
Message-ID: <20221114125337.1831594-117-yanaijie(a)huawei.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20221114125337.1831594-1-yanaijie(a)huawei.com>
References: <20221114125337.1831594-1-yanaijie(a)huawei.com>
From: Namjae Jeon <namjae.jeon(a)samsung.com>
mainline inclusion
from mainline-5.15-rc1
commit 1dfb8242e8d982d036399766c4af62ddc221e38d
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G
CVE: NA
Reference: https://git.kernel.org/torvalds/linux/c/1dfb8242e8d9
-------------------------------
Use goto instead of duplicating the resource cleanup in ksmbd_open_fd.
Reviewed-by: Christoph Hellwig <hch(a)lst.de>
Signed-off-by: Namjae Jeon <namjae.jeon(a)samsung.com>
Signed-off-by: Steve French <stfrench(a)microsoft.com>
Signed-off-by: Jason Yan <yanaijie(a)huawei.com>
---
fs/cifsd/vfs_cache.c | 11 +++++++----
1 file changed, 7 insertions(+), 4 deletions(-)
diff --git a/fs/cifsd/vfs_cache.c b/fs/cifsd/vfs_cache.c
index 3f18018668b6..71a11128d908 100644
--- a/fs/cifsd/vfs_cache.c
+++ b/fs/cifsd/vfs_cache.c
@@ -559,19 +559,22 @@ struct ksmbd_file *ksmbd_open_fd(struct ksmbd_work *work, struct file *filp)
fp->f_ci = ksmbd_inode_get(fp);
if (!fp->f_ci) {
- kmem_cache_free(filp_cache, fp);
- return ERR_PTR(-ENOMEM);
+ ret = -ENOMEM;
+ goto err_out;
}
ret = __open_id(&work->sess->file_table, fp, OPEN_ID_TYPE_VOLATILE_ID);
if (ret) {
ksmbd_inode_put(fp->f_ci);
- kmem_cache_free(filp_cache, fp);
- return ERR_PTR(ret);
+ goto err_out;
}
atomic_inc(&work->conn->stats.open_files_count);
return fp;
+
+err_out:
+ kmem_cache_free(filp_cache, fp);
+ return ERR_PTR(ret);
}
static int
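Review bot: the unwind in ksmbd_open_fd() is still split: ksmbd_inode_put(fp->f_ci) stays inside the __open_id() failure branch while the free moved to err_out. Two stacked labels, one that puts the inode and falls through to one that frees fp, would keep the whole cleanup in one place and make it harder for a failure path added after __open_id() to skip the inode put.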
From patchwork Mon Nov 14 12:50:26 2022
From: Jason Yan <yanaijie(a)huawei.com>
To: <yanaijie(a)huawei.com>, <zhengzengkai(a)huawei.com>, <xiexiuqi(a)huawei.com>,
<yi.zhang(a)huawei.com>, <patchwork(a)huawei.com>, <kernel.openeuler(a)huawei.com>,
<houtao1(a)huawei.com>
Subject: [PATCH OLK-5.10 v2 117/308] ksmbd: fix overly long line
Date: Mon, 14 Nov 2022 20:50:26 +0800
Message-ID: <20221114125337.1831594-118-yanaijie(a)huawei.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20221114125337.1831594-1-yanaijie(a)huawei.com>
References: <20221114125337.1831594-1-yanaijie(a)huawei.com>
From: Namjae Jeon <namjae.jeon(a)samsung.com>
mainline inclusion
from mainline-5.15-rc1
commit 79a8a71db4084d7536fc45ed2a33ce7b451ba127
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G
CVE: NA
Reference: https://git.kernel.org/torvalds/linux/c/79a8a71db408
-------------------------------
Fix overly long line.
Reviewed-by: Christoph Hellwig <hch(a)lst.de>
Signed-off-by: Namjae Jeon <namjae.jeon(a)samsung.com>
Signed-off-by: Steve French <stfrench(a)microsoft.com>
Signed-off-by: Jason Yan <yanaijie(a)huawei.com>
---
fs/cifsd/vfs_cache.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/fs/cifsd/vfs_cache.c b/fs/cifsd/vfs_cache.c
index 71a11128d908..4cf14c247e9e 100644
--- a/fs/cifsd/vfs_cache.c
+++ b/fs/cifsd/vfs_cache.c
@@ -601,12 +601,14 @@ __close_file_table_ids(struct ksmbd_file_table *ft,
return num;
}
-static bool tree_conn_fd_check(struct ksmbd_tree_connect *tcon, struct ksmbd_file *fp)
+static bool tree_conn_fd_check(struct ksmbd_tree_connect *tcon,
+ struct ksmbd_file *fp)
{
return fp->tcon != tcon;
}
-static bool session_fd_check(struct ksmbd_tree_connect *tcon, struct ksmbd_file *fp)
+static bool session_fd_check(struct ksmbd_tree_connect *tcon,
+ struct ksmbd_file *fp)
{
return false;
}
From patchwork Mon Nov 14 12:50:27 2022
From: Jason Yan <yanaijie(a)huawei.com>
To: <yanaijie(a)huawei.com>, <zhengzengkai(a)huawei.com>, <xiexiuqi(a)huawei.com>,
<yi.zhang(a)huawei.com>, <patchwork(a)huawei.com>, <kernel.openeuler(a)huawei.com>,
<houtao1(a)huawei.com>
Subject: [PATCH OLK-5.10 v2 118/308] ksmbd: remove unneeded FIXME comment
Date: Mon, 14 Nov 2022 20:50:27 +0800
Message-ID: <20221114125337.1831594-119-yanaijie(a)huawei.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20221114125337.1831594-1-yanaijie(a)huawei.com>
References: <20221114125337.1831594-1-yanaijie(a)huawei.com>
From: Namjae Jeon <namjae.jeon(a)samsung.com>
mainline inclusion
from mainline-5.15-rc1
commit 9c78ad067faf605e0cd16d557859310e5f5312be
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G
CVE: NA
Reference: https://git.kernel.org/torvalds/linux/c/9c78ad067faf
-------------------------------
Remove unneeded FIXME comment.
Reviewed-by: Christoph Hellwig <hch(a)lst.de>
Signed-off-by: Namjae Jeon <namjae.jeon(a)samsung.com>
Signed-off-by: Steve French <stfrench(a)microsoft.com>
Signed-off-by: Jason Yan <yanaijie(a)huawei.com>
---
fs/cifsd/glob.h | 2 --
fs/cifsd/ksmbd_work.c | 2 --
2 files changed, 4 deletions(-)
diff --git a/fs/cifsd/glob.h b/fs/cifsd/glob.h
index ffeaf8aa5595..da8f804a3ee2 100644
--- a/fs/cifsd/glob.h
+++ b/fs/cifsd/glob.h
@@ -14,8 +14,6 @@
#define KSMBD_VERSION "3.1.9"
-/* @FIXME clean up this code */
-
extern int ksmbd_debug_types;
#define DATA_STREAM 1
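Review bot: the commit message calls the FIXME comments unneeded without saying whether the cleanup they asked for was done or dropped. Neither hunk changes any code next to the removed markers, so a sentence in the changelog explaining why they no longer apply would make the removal reviewable.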
diff --git a/fs/cifsd/ksmbd_work.c b/fs/cifsd/ksmbd_work.c
index a88c25965012..7c914451bbe1 100644
--- a/fs/cifsd/ksmbd_work.c
+++ b/fs/cifsd/ksmbd_work.c
@@ -12,8 +12,6 @@
#include "connection.h"
#include "ksmbd_work.h"
#include "mgmt/ksmbd_ida.h"
-
-/* @FIXME */
#include "ksmbd_server.h"
static struct kmem_cache *work_cache;
From patchwork Mon Nov 14 12:50:28 2022
From: Jason Yan <yanaijie(a)huawei.com>
To: <yanaijie(a)huawei.com>, <zhengzengkai(a)huawei.com>, <xiexiuqi(a)huawei.com>,
<yi.zhang(a)huawei.com>, <patchwork(a)huawei.com>, <kernel.openeuler(a)huawei.com>,
<houtao1(a)huawei.com>
Subject: [PATCH OLK-5.10 v2 119/308] ksmbd: remove ____ksmbd_align in
ksmbd_server.h
Date: Mon, 14 Nov 2022 20:50:28 +0800
Message-ID: <20221114125337.1831594-120-yanaijie(a)huawei.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20221114125337.1831594-1-yanaijie(a)huawei.com>
References: <20221114125337.1831594-1-yanaijie(a)huawei.com>
From: Namjae Jeon <namjae.jeon(a)samsung.com>
mainline inclusion
from mainline-5.15-rc1
commit 9f88af04f03d585b8257740745d19897b48a9795
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G
CVE: NA
Reference: https://git.kernel.org/torvalds/linux/c/9f88af04f03d
-------------------------------
None of the structures needs the attribute.
So remove ____ksmbd_align in ksmbd_server.h.
Reviewed-by: Christoph Hellwig <hch(a)lst.de>
Signed-off-by: Namjae Jeon <namjae.jeon(a)samsung.com>
Signed-off-by: Steve French <stfrench(a)microsoft.com>
Signed-off-by: Jason Yan <yanaijie(a)huawei.com>
---
fs/cifsd/ksmbd_server.h | 38 +++++++++++++++++---------------------
1 file changed, 17 insertions(+), 21 deletions(-)
diff --git a/fs/cifsd/ksmbd_server.h b/fs/cifsd/ksmbd_server.h
index c2467a709144..a915ca5596dc 100644
--- a/fs/cifsd/ksmbd_server.h
+++ b/fs/cifsd/ksmbd_server.h
@@ -13,10 +13,6 @@
#define KSMBD_GENL_NAME "SMBD_GENL"
#define KSMBD_GENL_VERSION 0x01
-#ifndef ____ksmbd_align
-#define ____ksmbd_align __aligned(4)
-#endif
-
#define KSMBD_REQ_MAX_ACCOUNT_NAME_SZ 48
#define KSMBD_REQ_MAX_HASH_SZ 18
#define KSMBD_REQ_MAX_SHARE_NAME 64
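Review bot: dropping ____ksmbd_align is only layout-neutral for structs that already contain a member with at least 4-byte alignment. __aligned(4) raises a struct's minimum alignment, so a struct made only of __s8 members, such as ksmbd_logout_request further down, goes from 4-byte to 1-byte alignment. Its size does not change, but these structs are exchanged over the generic netlink family named by KSMBD_GENL_NAME above, so the changelog should state that sizeof and member offsets were checked against the peer's copy of the header.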
@@ -51,19 +47,19 @@ struct ksmbd_startup_request {
__u32 share_fake_fscaps;
__u32 sub_auth[3];
__u32 ifc_list_sz;
- __s8 ____payload[0];
-} ____ksmbd_align;
+ __s8 ____payload[];
+};
#define KSMBD_STARTUP_CONFIG_INTERFACES(s) ((s)->____payload)
struct ksmbd_shutdown_request {
__s32 reserved;
-} ____ksmbd_align;
+};
struct ksmbd_login_request {
__u32 handle;
__s8 account[KSMBD_REQ_MAX_ACCOUNT_NAME_SZ];
-} ____ksmbd_align;
+};
struct ksmbd_login_response {
__u32 handle;
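Review bot: the ____payload[0] to ____payload[] conversion in ksmbd_startup_request is a separate change that the commit message does not mention. Zero-length and flexible array members give the same sizeof for the struct, but the flexible form lets the compiler reject misuse such as taking sizeof of the array or declaring a member after it, so it is worth its own line in the changelog.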
@@ -73,12 +69,12 @@ struct ksmbd_login_response {
__u16 status;
__u16 hash_sz;
__s8 hash[KSMBD_REQ_MAX_HASH_SZ];
-} ____ksmbd_align;
+};
struct ksmbd_share_config_request {
__u32 handle;
__s8 share_name[KSMBD_REQ_MAX_SHARE_NAME];
-} ____ksmbd_align;
+};
struct ksmbd_share_config_response {
__u32 handle;
@@ -90,8 +86,8 @@ struct ksmbd_share_config_response {
__u16 force_uid;
__u16 force_gid;
__u32 veto_list_sz;
- __s8 ____payload[0];
-} ____ksmbd_align;
+ __s8 ____payload[];
+};
#define KSMBD_SHARE_CONFIG_VETO_LIST(s) ((s)->____payload)
#define KSMBD_SHARE_CONFIG_PATH(s) \
@@ -111,43 +107,43 @@ struct ksmbd_tree_connect_request {
__s8 account[KSMBD_REQ_MAX_ACCOUNT_NAME_SZ];
__s8 share[KSMBD_REQ_MAX_SHARE_NAME];
__s8 peer_addr[64];
-} ____ksmbd_align;
+};
struct ksmbd_tree_connect_response {
__u32 handle;
__u16 status;
__u16 connection_flags;
-} ____ksmbd_align;
+};
struct ksmbd_tree_disconnect_request {
__u64 session_id;
__u64 connect_id;
-} ____ksmbd_align;
+};
struct ksmbd_logout_request {
__s8 account[KSMBD_REQ_MAX_ACCOUNT_NAME_SZ];
-} ____ksmbd_align;
+};
struct ksmbd_rpc_command {
__u32 handle;
__u32 flags;
__u32 payload_sz;
- __u8 payload[0];
-} ____ksmbd_align;
+ __u8 payload[];
+};
struct ksmbd_spnego_authen_request {
__u32 handle;
__u16 spnego_blob_len;
__u8 spnego_blob[0];
-} ____ksmbd_align;
+};
struct ksmbd_spnego_authen_response {
__u32 handle;
struct ksmbd_login_response login_response;
__u16 session_key_len;
__u16 spnego_blob_len;
- __u8 payload[0]; /* session key + AP_REP */
-} ____ksmbd_align;
+ __u8 payload[]; /* session key + AP_REP */
+};
/*
* This also used as NETLINK attribute type value.
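Review bot: ksmbd_spnego_authen_request still declares __u8 spnego_blob[0] while every other trailing array touched by this patch became a flexible array member. Converting it to spnego_blob[] keeps the header consistent. The struct carries its own spnego_blob_len field, so consumers should check that length against the size of the message actually received before reading the blob.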
From patchwork Mon Nov 14 12:50:29 2022
From: Jason Yan <yanaijie(a)huawei.com>
To: <yanaijie(a)huawei.com>, <zhengzengkai(a)huawei.com>, <xiexiuqi(a)huawei.com>,
<yi.zhang(a)huawei.com>, <patchwork(a)huawei.com>, <kernel.openeuler(a)huawei.com>,
<houtao1(a)huawei.com>
Subject: [PATCH OLK-5.10 v2 120/308] ksmbd: replace KSMBD_SHARE_CONFIG_PATH
with inline function
Date: Mon, 14 Nov 2022 20:50:29 +0800
Message-ID: <20221114125337.1831594-121-yanaijie(a)huawei.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20221114125337.1831594-1-yanaijie(a)huawei.com>
References: <20221114125337.1831594-1-yanaijie(a)huawei.com>
From: Namjae Jeon <namjae.jeon(a)samsung.com>
mainline inclusion
from mainline-5.15-rc1
commit 3fbe43c9f577cadd6b5136fda2e6a6c0b4e0651e
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G
CVE: NA
Reference: https://git.kernel.org/torvalds/linux/c/3fbe43c9f577
-------------------------------
replace KSMBD_SHARE_CONFIG_PATH with inline function.
Reviewed-by: Christoph Hellwig <hch(a)lst.de>
Signed-off-by: Namjae Jeon <namjae.jeon(a)samsung.com>
Signed-off-by: Steve French <stfrench(a)microsoft.com>
Signed-off-by: Jason Yan <yanaijie(a)huawei.com>
---
fs/cifsd/ksmbd_server.h | 18 +++++++++++-------
fs/cifsd/mgmt/share_config.c | 2 +-
2 files changed, 12 insertions(+), 8 deletions(-)
diff --git a/fs/cifsd/ksmbd_server.h b/fs/cifsd/ksmbd_server.h
index a915ca5596dc..55b7602b79bd 100644
--- a/fs/cifsd/ksmbd_server.h
+++ b/fs/cifsd/ksmbd_server.h
@@ -90,13 +90,17 @@ struct ksmbd_share_config_response {
};
#define KSMBD_SHARE_CONFIG_VETO_LIST(s) ((s)->____payload)
-#define KSMBD_SHARE_CONFIG_PATH(s) \
- ({ \
- char *p = (s)->____payload; \
- if ((s)->veto_list_sz) \
- p += (s)->veto_list_sz + 1; \
- p; \
- })
+
+static inline char *
+ksmbd_share_config_path(struct ksmbd_share_config_response *sc)
+{
+ char *p = sc->____payload;
+
+ if (sc->veto_list_sz)
+ p += sc->veto_list_sz + 1;
+
+ return p;
+}
struct ksmbd_tree_connect_request {
__u32 handle;
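Review bot: `ksmbd_share_config_path()` advances `p` by `sc->veto_list_sz + 1` with no bound, so a `veto_list_sz` larger than the payload that was actually received yields a pointer past the buffer. Now that this is a real function rather than a statement-expression macro, it is the natural place to take the payload length and return NULL when the offset does not fit. `KSMBD_SHARE_CONFIG_VETO_LIST` directly above stays a macro; converting it in the same patch would keep the two accessors consistent.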
diff --git a/fs/cifsd/mgmt/share_config.c b/fs/cifsd/mgmt/share_config.c
index fac6034b97a9..cb72d30f5b71 100644
--- a/fs/cifsd/mgmt/share_config.c
+++ b/fs/cifsd/mgmt/share_config.c
@@ -139,7 +139,7 @@ static struct ksmbd_share_config *share_config_request(char *name)
share->name = kstrdup(name, GFP_KERNEL);
if (!test_share_config_flag(share, KSMBD_SHARE_FLAG_PIPE)) {
- share->path = kstrdup(KSMBD_SHARE_CONFIG_PATH(resp),
+ share->path = kstrdup(ksmbd_share_config_path(resp),
GFP_KERNEL);
if (share->path)
share->path_sz = strlen(share->path);
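Review bot: `kstrdup(ksmbd_share_config_path(resp), GFP_KERNEL)` copies up to the first NUL, so it trusts the path inside the response payload to be terminated within the buffer. A `kstrndup()` bounded by the remaining payload length would remove that assumption. The visible lines also leave `share->path` NULL without an error when the allocation fails; if that case is handled further down, a short comment here would make it obvious.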
From patchwork Mon Nov 14 12:50:30 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Jason Yan <yanaijie(a)huawei.com>
X-Patchwork-Id: 183218
Return-Path: <yanaijie(a)huawei.com>
From: Jason Yan <yanaijie(a)huawei.com>
To: <yanaijie(a)huawei.com>, <zhengzengkai(a)huawei.com>, <xiexiuqi(a)huawei.com>,
<yi.zhang(a)huawei.com>, <patchwork(a)huawei.com>, <kernel.openeuler(a)huawei.com>,
<houtao1(a)huawei.com>
Subject: [PATCH OLK-5.10 v2 121/308] ksmbd: remove ksmbd_err/info
Date: Mon, 14 Nov 2022 20:50:30 +0800
Message-ID: <20221114125337.1831594-122-yanaijie(a)huawei.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20221114125337.1831594-1-yanaijie(a)huawei.com>
References: <20221114125337.1831594-1-yanaijie(a)huawei.com>
Content-Type: text/plain
From: Namjae Jeon <namjae.jeon(a)samsung.com>
mainline inclusion
from mainline-5.15-rc1
commit bde1694aecdb535970787b4f1d07ddb317e191e3
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G
CVE: NA
Reference: https://git.kernel.org/torvalds/linux/c/bde1694aecdb
-------------------------------
Use the pr_fmt built into pr_* and use pr_err/info after removing the
wrapper ksmbd_err/info.
Reviewed-by: Christoph Hellwig <hch(a)lst.de>
Signed-off-by: Namjae Jeon <namjae.jeon(a)samsung.com>
Signed-off-by: Steve French <stfrench(a)microsoft.com>
Signed-off-by: Jason Yan <yanaijie(a)huawei.com>
---
fs/cifsd/auth.c | 18 ++--
fs/cifsd/connection.c | 15 ++-
fs/cifsd/crypto_ctx.c | 4 +-
fs/cifsd/glob.h | 24 ++---
fs/cifsd/mgmt/user_session.c | 4 +-
fs/cifsd/misc.c | 2 +-
fs/cifsd/ndr.c | 14 +--
fs/cifsd/oplock.c | 20 ++--
fs/cifsd/server.c | 6 +-
fs/cifsd/smb2misc.c | 8 +-
fs/cifsd/smb2pdu.c | 204 +++++++++++++++++------------------
fs/cifsd/smb_common.c | 2 +-
fs/cifsd/smbacl.c | 26 ++---
fs/cifsd/transport_ipc.c | 30 +++---
fs/cifsd/transport_rdma.c | 106 +++++++++---------
fs/cifsd/transport_tcp.c | 20 ++--
fs/cifsd/vfs.c | 88 +++++++--------
fs/cifsd/vfs_cache.c | 10 +-
18 files changed, 294 insertions(+), 307 deletions(-)
diff --git a/fs/cifsd/auth.c b/fs/cifsd/auth.c
index daf31c9f0880..de36f12070bf 100644
--- a/fs/cifsd/auth.c
+++ b/fs/cifsd/auth.c
@@ -342,7 +342,7 @@ int ksmbd_auth_ntlm(struct ksmbd_session *sess, char *pw_buf)
memcpy(p21, user_passkey(sess->user), CIFS_NTHASH_SIZE);
rc = ksmbd_enc_p24(p21, sess->ntlmssp.cryptkey, key);
if (rc) {
- ksmbd_err("password processing failed\n");
+ pr_err("password processing failed\n");
return rc;
}
@@ -461,7 +461,7 @@ static int __ksmbd_auth_ntlmv2(struct ksmbd_session *sess, char *client_nonce,
client_nonce,
(char *)sess->ntlmssp.cryptkey, 8);
if (rc) {
- ksmbd_err("password processing failed\n");
+ pr_err("password processing failed\n");
goto out;
}
@@ -469,7 +469,7 @@ static int __ksmbd_auth_ntlmv2(struct ksmbd_session *sess, char *client_nonce,
memcpy(p21, user_passkey(sess->user), CIFS_NTHASH_SIZE);
rc = ksmbd_enc_p24(p21, sess_key, key);
if (rc) {
- ksmbd_err("password processing failed\n");
+ pr_err("password processing failed\n");
goto out;
}
@@ -1269,7 +1269,7 @@ int ksmbd_crypt_message(struct ksmbd_conn *conn, struct kvec *iov,
enc,
key);
if (rc) {
- ksmbd_err("Could not get %scryption key\n", enc ? "en" : "de");
+ pr_err("Could not get %scryption key\n", enc ? "en" : "de");
return rc;
}
@@ -1279,7 +1279,7 @@ int ksmbd_crypt_message(struct ksmbd_conn *conn, struct kvec *iov,
else
ctx = ksmbd_crypto_ctx_find_ccm();
if (!ctx) {
- ksmbd_err("crypto alloc failed\n");
+ pr_err("crypto alloc failed\n");
return -ENOMEM;
}
@@ -1295,19 +1295,18 @@ int ksmbd_crypt_message(struct ksmbd_conn *conn, struct kvec *iov,
else
rc = crypto_aead_setkey(tfm, key, SMB3_GCM128_CRYPTKEY_SIZE);
if (rc) {
- ksmbd_err("Failed to set aead key %d\n", rc);
+ pr_err("Failed to set aead key %d\n", rc);
goto free_ctx;
}
rc = crypto_aead_setauthsize(tfm, SMB2_SIGNATURE_SIZE);
if (rc) {
- ksmbd_err("Failed to set authsize %d\n", rc);
+ pr_err("Failed to set authsize %d\n", rc);
goto free_ctx;
}
req = aead_request_alloc(tfm, GFP_KERNEL);
if (!req) {
- ksmbd_err("Failed to alloc aead request\n");
rc = -ENOMEM;
goto free_ctx;
}
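Review bot: The `!req` branch loses its message outright instead of being converted to `pr_err()`, and the `!iv` branch in the next hunk does the same, but the commit message only describes a wrapper replacement. Dropping prints on allocation failure is reasonable because the allocator already warns; state that in the changelog so the two removals are not mistaken for an accident during the mechanical conversion.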
@@ -1319,7 +1318,7 @@ int ksmbd_crypt_message(struct ksmbd_conn *conn, struct kvec *iov,
sg = ksmbd_init_sg(iov, nvec, sign);
if (!sg) {
- ksmbd_err("Failed to init sg\n");
+ pr_err("Failed to init sg\n");
rc = -ENOMEM;
goto free_req;
}
@@ -1327,7 +1326,6 @@ int ksmbd_crypt_message(struct ksmbd_conn *conn, struct kvec *iov,
iv_len = crypto_aead_ivsize(tfm);
iv = kzalloc(iv_len, GFP_KERNEL);
if (!iv) {
- ksmbd_err("Failed to alloc IV\n");
rc = -ENOMEM;
goto free_sg;
}
diff --git a/fs/cifsd/connection.c b/fs/cifsd/connection.c
index a0d15093dd6f..928e22e19def 100644
--- a/fs/cifsd/connection.c
+++ b/fs/cifsd/connection.c
@@ -160,7 +160,7 @@ int ksmbd_conn_write(struct ksmbd_work *work)
ksmbd_conn_try_dequeue_request(work);
if (!rsp_hdr) {
- ksmbd_err("NULL response header\n");
+ pr_err("NULL response header\n");
return -EINVAL;
}
@@ -192,7 +192,7 @@ int ksmbd_conn_write(struct ksmbd_work *work)
ksmbd_conn_unlock(conn);
if (sent < 0) {
- ksmbd_err("Failed to send message: %d\n", sent);
+ pr_err("Failed to send message: %d\n", sent);
return sent;
}
@@ -315,24 +315,23 @@ int ksmbd_conn_handler_loop(void *p)
*/
size = t->ops->read(t, conn->request_buf + 4, pdu_size);
if (size < 0) {
- ksmbd_err("sock_read failed: %d\n", size);
+ pr_err("sock_read failed: %d\n", size);
break;
}
if (size != pdu_size) {
- ksmbd_err("PDU error. Read: %d, Expected: %d\n",
- size,
- pdu_size);
+ pr_err("PDU error. Read: %d, Expected: %d\n",
+ size, pdu_size);
continue;
}
if (!default_conn_ops.process_fn) {
- ksmbd_err("No connection request callback\n");
+ pr_err("No connection request callback\n");
break;
}
if (default_conn_ops.process_fn(conn)) {
- ksmbd_err("Cannot handle request\n");
+ pr_err("Cannot handle request\n");
break;
}
}
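Review bot: The `sock_read failed` and `PDU error` messages depend on what the peer sends, and the `size != pdu_size` branch ends in `continue`, so a single connection can emit `PDU error` at error level over and over. Since these lines are being rewritten anyway, `pr_err_ratelimited()` would keep a misbehaving client from flooding the kernel log.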
diff --git a/fs/cifsd/crypto_ctx.c b/fs/cifsd/crypto_ctx.c
index 7b727fe141a6..5f4b1008d17e 100644
--- a/fs/cifsd/crypto_ctx.c
+++ b/fs/cifsd/crypto_ctx.c
@@ -48,12 +48,12 @@ static struct crypto_aead *alloc_aead(int id)
tfm = crypto_alloc_aead("ccm(aes)", 0, 0);
break;
default:
- ksmbd_err("Does not support encrypt ahead(id : %d)\n", id);
+ pr_err("Does not support encrypt ahead(id : %d)\n", id);
return NULL;
}
if (IS_ERR(tfm)) {
- ksmbd_err("Failed to alloc encrypt aead : %ld\n", PTR_ERR(tfm));
+ pr_err("Failed to alloc encrypt aead : %ld\n", PTR_ERR(tfm));
return NULL;
}
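Review bot: The default-case message still reads `Does not support encrypt ahead(id : %d)`, where "ahead" is a typo for "aead" (the next message in the same function spells it correctly). The line is being touched by this patch, so fix the string here rather than carrying the typo into the new `pr_err()` call.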
diff --git a/fs/cifsd/glob.h b/fs/cifsd/glob.h
index da8f804a3ee2..8119cb7ddbed 100644
--- a/fs/cifsd/glob.h
+++ b/fs/cifsd/glob.h
@@ -31,32 +31,22 @@ extern int ksmbd_debug_types;
KSMBD_DEBUG_IPC | KSMBD_DEBUG_CONN | \
KSMBD_DEBUG_RDMA)
-#ifndef ksmbd_pr_fmt
+#ifdef pr_fmt
+#undef pr_fmt
+#endif
+
#ifdef SUBMOD_NAME
-#define ksmbd_pr_fmt(fmt) "ksmbd: " SUBMOD_NAME ": " fmt
+#define pr_fmt(fmt) "ksmbd: " SUBMOD_NAME ": " fmt
#else
-#define ksmbd_pr_fmt(fmt) "ksmbd: " fmt
-#endif
+#define pr_fmt(fmt) "ksmbd: " fmt
#endif
#define ksmbd_debug(type, fmt, ...) \
do { \
if (ksmbd_debug_types & KSMBD_DEBUG_##type) \
- pr_info(ksmbd_pr_fmt("%s:%d: " fmt), \
- __func__, \
- __LINE__, \
- ##__VA_ARGS__); \
+ pr_info(fmt, ##__VA_ARGS__); \
} while (0)
-#define ksmbd_info(fmt, ...) \
- pr_info(ksmbd_pr_fmt(fmt), ##__VA_ARGS__)
-
-#define ksmbd_err(fmt, ...) \
- pr_err(ksmbd_pr_fmt("%s:%d: " fmt), \
- __func__, \
- __LINE__, \
- ##__VA_ARGS__)
-
#define UNICODE_LEN(x) ((x) * 2)
#endif /* __KSMBD_GLOB_H */
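Review bot: Replacing `ksmbd_pr_fmt` with `pr_fmt` also drops the `"%s:%d: "` prefix with `__func__` and `__LINE__` from both `ksmbd_debug()` and the former `ksmbd_err()`, which the commit message does not mention. Identical strings such as `password processing failed` (three call sites in auth.c in this same patch) can no longer be told apart in the log. If the location is still wanted, `#define pr_fmt(fmt) "ksmbd: %s: " fmt, __func__` keeps it without a wrapper. The unconditional `#undef pr_fmt` also silently overrides a `pr_fmt` that a .c file defined before including this header, so a comment on the expected include order would help.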
diff --git a/fs/cifsd/mgmt/user_session.c b/fs/cifsd/mgmt/user_session.c
index 77bdf3642f72..615b46f0762b 100644
--- a/fs/cifsd/mgmt/user_session.c
+++ b/fs/cifsd/mgmt/user_session.c
@@ -87,7 +87,7 @@ static int __rpc_method(char *rpc_name)
if (!strcmp(rpc_name, "\\lsarpc") || !strcmp(rpc_name, "lsarpc"))
return KSMBD_RPC_LSARPC_METHOD_INVOKE;
- ksmbd_err("Unsupported RPC: %s\n", rpc_name);
+ pr_err("Unsupported RPC: %s\n", rpc_name);
return 0;
}
@@ -232,7 +232,7 @@ int get_session(struct ksmbd_session *sess)
void put_session(struct ksmbd_session *sess)
{
if (atomic_dec_and_test(&sess->refcnt))
- ksmbd_err("get/%s seems to be mismatched.", __func__);
+ pr_err("get/%s seems to be mismatched.", __func__);
}
struct ksmbd_session *ksmbd_session_lookup_slowpath(unsigned long long id)
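Review bot: In `put_session()` the format string `"get/%s seems to be mismatched."` has no trailing `\n`, so the record is left open for continuation and can be merged with whatever is printed next. The old `ksmbd_err()` call had the same defect; add the newline while converting it.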
diff --git a/fs/cifsd/misc.c b/fs/cifsd/misc.c
index 1c6ed20f4a18..0b307ca28a19 100644
--- a/fs/cifsd/misc.c
+++ b/fs/cifsd/misc.c
@@ -107,7 +107,7 @@ static int ksmbd_validate_stream_name(char *stream_name)
stream_name++;
if (c == '/' || c == ':' || c == '\\') {
- ksmbd_err("Stream name validation failed: %c\n", c);
+ pr_err("Stream name validation failed: %c\n", c);
return -ENOENT;
}
}
diff --git a/fs/cifsd/ndr.c b/fs/cifsd/ndr.c
index 14189832c65e..46cc01475d38 100644
--- a/fs/cifsd/ndr.c
+++ b/fs/cifsd/ndr.c
@@ -178,14 +178,14 @@ int ndr_decode_dos_attr(struct ndr *n, struct xattr_dos_attrib *da)
da->version = ndr_read_int16(n);
if (da->version != 3 && da->version != 4) {
- ksmbd_err("v%d version is not supported\n", da->version);
+ pr_err("v%d version is not supported\n", da->version);
return -EINVAL;
}
version2 = ndr_read_int32(n);
if (da->version != version2) {
- ksmbd_err("ndr version mismatched(version: %d, version2: %d)\n",
- da->version, version2);
+ pr_err("ndr version mismatched(version: %d, version2: %d)\n",
+ da->version, version2);
return -EINVAL;
}
@@ -309,14 +309,14 @@ int ndr_decode_v4_ntacl(struct ndr *n, struct xattr_ntacl *acl)
n->offset = 0;
acl->version = ndr_read_int16(n);
if (acl->version != 4) {
- ksmbd_err("v%d version is not supported\n", acl->version);
+ pr_err("v%d version is not supported\n", acl->version);
return -EINVAL;
}
version2 = ndr_read_int32(n);
if (acl->version != version2) {
- ksmbd_err("ndr version mismatched(version: %d, version2: %d)\n",
- acl->version, version2);
+ pr_err("ndr version mismatched(version: %d, version2: %d)\n",
+ acl->version, version2);
return -EINVAL;
}
@@ -329,7 +329,7 @@ int ndr_decode_v4_ntacl(struct ndr *n, struct xattr_ntacl *acl)
ndr_read_bytes(n, acl->desc, 10);
if (strncmp(acl->desc, "posix_acl", 9)) {
- ksmbd_err("Invalid acl description : %s\n", acl->desc);
+ pr_err("Invalid acl description : %s\n", acl->desc);
return -EINVAL;
}
diff --git a/fs/cifsd/oplock.c b/fs/cifsd/oplock.c
index 1ef2acbea2bb..9027cb7d970f 100644
--- a/fs/cifsd/oplock.c
+++ b/fs/cifsd/oplock.c
@@ -230,9 +230,9 @@ int opinfo_write_to_read(struct oplock_info *opinfo)
if (!(opinfo->level == SMB2_OPLOCK_LEVEL_BATCH ||
opinfo->level == SMB2_OPLOCK_LEVEL_EXCLUSIVE)) {
- ksmbd_err("bad oplock(0x%x)\n", opinfo->level);
+ pr_err("bad oplock(0x%x)\n", opinfo->level);
if (opinfo->is_lease)
- ksmbd_err("lease state(0x%x)\n", lease->state);
+ pr_err("lease state(0x%x)\n", lease->state);
return -EINVAL;
}
opinfo->level = SMB2_OPLOCK_LEVEL_II;
@@ -269,9 +269,9 @@ int opinfo_write_to_none(struct oplock_info *opinfo)
if (!(opinfo->level == SMB2_OPLOCK_LEVEL_BATCH ||
opinfo->level == SMB2_OPLOCK_LEVEL_EXCLUSIVE)) {
- ksmbd_err("bad oplock(0x%x)\n", opinfo->level);
+ pr_err("bad oplock(0x%x)\n", opinfo->level);
if (opinfo->is_lease)
- ksmbd_err("lease state(0x%x)\n", lease->state);
+ pr_err("lease state(0x%x)\n", lease->state);
return -EINVAL;
}
opinfo->level = SMB2_OPLOCK_LEVEL_NONE;
@@ -291,9 +291,9 @@ int opinfo_read_to_none(struct oplock_info *opinfo)
struct lease *lease = opinfo->o_lease;
if (opinfo->level != SMB2_OPLOCK_LEVEL_II) {
- ksmbd_err("bad oplock(0x%x)\n", opinfo->level);
+ pr_err("bad oplock(0x%x)\n", opinfo->level);
if (opinfo->is_lease)
- ksmbd_err("lease state(0x%x)\n", lease->state);
+ pr_err("lease state(0x%x)\n", lease->state);
return -EINVAL;
}
opinfo->level = SMB2_OPLOCK_LEVEL_NONE;
@@ -622,7 +622,7 @@ static void __smb2_oplock_break_noti(struct work_struct *wk)
}
if (allocate_oplock_break_buf(work)) {
- ksmbd_err("smb2_allocate_rsp_buf failed! ");
+ pr_err("smb2_allocate_rsp_buf failed! ");
atomic_dec(&conn->r_count);
ksmbd_fd_put(work, fp);
ksmbd_free_work_struct(work);
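Review bot: The message `"smb2_allocate_rsp_buf failed! "` names a different function from the one whose result is tested, `allocate_oplock_break_buf()`, and it ends in a space instead of `\n`. With the `__func__`/`__LINE__` prefix gone after this patch, the text is the only locator left, so it should name the real call and be newline-terminated.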
@@ -1680,18 +1680,18 @@ int smb2_check_durable_oplock(struct ksmbd_file *fp,
if (opinfo && opinfo->is_lease) {
if (!lctx) {
- ksmbd_err("open does not include lease\n");
+ pr_err("open does not include lease\n");
ret = -EBADF;
goto out;
}
if (memcmp(opinfo->o_lease->lease_key, lctx->lease_key,
SMB2_LEASE_KEY_SIZE)) {
- ksmbd_err("invalid lease key\n");
+ pr_err("invalid lease key\n");
ret = -EBADF;
goto out;
}
if (name && strcmp(fp->filename, name)) {
- ksmbd_err("invalid name reconnect %s\n", name);
+ pr_err("invalid name reconnect %s\n", name);
ret = -EINVAL;
goto out;
}
diff --git a/fs/cifsd/server.c b/fs/cifsd/server.c
index 93402c56b8ff..c9a3a459f3e6 100644
--- a/fs/cifsd/server.c
+++ b/fs/cifsd/server.c
@@ -277,7 +277,7 @@ static int queue_ksmbd_work(struct ksmbd_conn *conn)
work = ksmbd_alloc_work_struct();
if (!work) {
- ksmbd_err("allocation for work failed\n");
+ pr_err("allocation for work failed\n");
return -ENOMEM;
}
@@ -442,7 +442,7 @@ static ssize_t kill_server_store(struct class *class,
if (!sysfs_streq(buf, "hard"))
return len;
- ksmbd_info("kill command received\n");
+ pr_info("kill command received\n");
mutex_lock(&ctrl_lock);
WRITE_ONCE(server_conf.state, SERVER_STATE_RESETTING);
__module_get(THIS_MODULE);
@@ -547,7 +547,7 @@ static int __init ksmbd_server_init(void)
ret = class_register(&ksmbd_control_class);
if (ret) {
- ksmbd_err("Unable to register ksmbd-control class\n");
+ pr_err("Unable to register ksmbd-control class\n");
return ret;
}
diff --git a/fs/cifsd/smb2misc.c b/fs/cifsd/smb2misc.c
index c4b870dbf683..e412d69690ed 100644
--- a/fs/cifsd/smb2misc.c
+++ b/fs/cifsd/smb2misc.c
@@ -320,12 +320,12 @@ static int smb2_validate_credit_charge(struct smb2_hdr *hdr)
max_len = max(req_len, expect_resp_len);
calc_credit_num = DIV_ROUND_UP(max_len, SMB2_MAX_BUFFER_SIZE);
if (!credit_charge && max_len > SMB2_MAX_BUFFER_SIZE) {
- ksmbd_err("credit charge is zero and payload size(%d) is bigger than 64K\n",
- max_len);
+ pr_err("credit charge is zero and payload size(%d) is bigger than 64K\n",
+ max_len);
return 1;
} else if (credit_charge < calc_credit_num) {
- ksmbd_err("credit charge : %d, calc_credit_num : %d\n",
- credit_charge, calc_credit_num);
+ pr_err("credit charge : %d, calc_credit_num : %d\n",
+ credit_charge, calc_credit_num);
return 1;
}
diff --git a/fs/cifsd/smb2pdu.c b/fs/cifsd/smb2pdu.c
index f1642fffe4e1..84f4cd7f545f 100644
--- a/fs/cifsd/smb2pdu.c
+++ b/fs/cifsd/smb2pdu.c
@@ -66,7 +66,7 @@ static inline int check_session_id(struct ksmbd_conn *conn, u64 id)
sess = ksmbd_session_lookup_all(conn, id);
if (sess)
return 1;
- ksmbd_err("Invalid user session id: %llu\n", id);
+ pr_err("Invalid user session id: %llu\n", id);
return 0;
}
@@ -109,7 +109,7 @@ int smb2_get_ksmbd_tcon(struct ksmbd_work *work)
tree_id = le32_to_cpu(req_hdr->Id.SyncId.TreeId);
work->tcon = ksmbd_tree_conn_lookup(work->sess, tree_id);
if (!work->tcon) {
- ksmbd_err("Invalid tid %d\n", tree_id);
+ pr_err("Invalid tid %d\n", tree_id);
return -1;
}
@@ -329,7 +329,7 @@ int smb2_set_rsp_credits(struct ksmbd_work *work)
min_credits = conn->max_credits >> 4;
if (conn->total_credits >= conn->max_credits) {
- ksmbd_err("Total credits overflow: %d\n", conn->total_credits);
+ pr_err("Total credits overflow: %d\n", conn->total_credits);
conn->total_credits = min_credits;
}
@@ -634,7 +634,7 @@ smb2_get_name(struct ksmbd_share_config *share, const char *src,
name = smb_strndup_from_utf16(src, maxlen, 1, local_nls);
if (IS_ERR(name)) {
- ksmbd_err("failed to get name %ld\n", PTR_ERR(name));
+ pr_err("failed to get name %ld\n", PTR_ERR(name));
return name;
}
@@ -645,7 +645,7 @@ smb2_get_name(struct ksmbd_share_config *share, const char *src,
unixname = convert_to_unix_name(share, name);
kfree(name);
if (!unixname) {
- ksmbd_err("can not convert absolute name\n");
+ pr_err("can not convert absolute name\n");
return ERR_PTR(-ENOMEM);
}
@@ -664,7 +664,7 @@ int setup_async_work(struct ksmbd_work *work, void (*fn)(void **), void **arg)
id = ksmbd_acquire_async_msg_id(&conn->async_ida);
if (id < 0) {
- ksmbd_err("Failed to alloc async message id\n");
+ pr_err("Failed to alloc async message id\n");
return id;
}
work->syncronous = false;
@@ -1005,13 +1005,13 @@ int smb2_handle_negotiate(struct ksmbd_work *work)
ksmbd_debug(SMB, "Received negotiate request\n");
conn->need_neg = false;
if (ksmbd_conn_good(work)) {
- ksmbd_err("conn->tcp_status is already in CifsGood State\n");
+ pr_err("conn->tcp_status is already in CifsGood State\n");
work->send_no_response = 1;
return rc;
}
if (req->DialectCount == 0) {
- ksmbd_err("malformed packet\n");
+ pr_err("malformed packet\n");
rsp->hdr.Status = STATUS_INVALID_PARAMETER;
rc = -EINVAL;
goto err_out;
@@ -1031,8 +1031,8 @@ int smb2_handle_negotiate(struct ksmbd_work *work)
status = deassemble_neg_contexts(conn, req);
if (status != STATUS_SUCCESS) {
- ksmbd_err("deassemble_neg_contexts error(0x%x)\n",
- status);
+ pr_err("deassemble_neg_contexts error(0x%x)\n",
+ status);
rsp->hdr.Status = status;
rc = -EINVAL;
goto err_out;
@@ -1293,7 +1293,7 @@ static struct ksmbd_user *session_user(struct ksmbd_conn *conn,
true,
conn->local_nls);
if (IS_ERR(name)) {
- ksmbd_err("cannot allocate memory\n");
+ pr_err("cannot allocate memory\n");
return NULL;
}
@@ -1438,7 +1438,7 @@ static int ntlm_authenticate(struct ksmbd_work *work)
if (conn->dialect > SMB20_PROT_ID) {
if (!ksmbd_conn_lookup_dialect(conn)) {
- ksmbd_err("fail to verify the dialect\n");
+ pr_err("fail to verify the dialect\n");
rsp->hdr.Status = STATUS_USER_SESSION_DELETED;
return -EPERM;
}
@@ -1528,7 +1528,7 @@ static int krb5_authenticate(struct ksmbd_work *work)
if (conn->dialect > SMB20_PROT_ID) {
if (!ksmbd_conn_lookup_dialect(conn)) {
- ksmbd_err("fail to verify the dialect\n");
+ pr_err("fail to verify the dialect\n");
rsp->hdr.Status = STATUS_USER_SESSION_DELETED;
return -EPERM;
}
@@ -1688,11 +1688,11 @@ int smb2_sess_setup(struct ksmbd_work *work)
}
} else {
/* TODO: need one more negotiation */
- ksmbd_err("Not support the preferred authentication\n");
+ pr_err("Not support the preferred authentication\n");
rc = -EINVAL;
}
} else {
- ksmbd_err("Not support authentication\n");
+ pr_err("Not support authentication\n");
rc = -EINVAL;
}
@@ -1742,7 +1742,7 @@ int smb2_tree_connect(struct ksmbd_work *work)
le16_to_cpu(req->PathLength), true,
conn->local_nls);
if (IS_ERR(treename)) {
- ksmbd_err("treename is NULL\n");
+ pr_err("treename is NULL\n");
status.ret = KSMBD_TREE_CONN_STATUS_ERROR;
goto out_err1;
}
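Review bot: The branch tests `IS_ERR(treename)` but logs `treename is NULL`, which is misleading and discards the actual error code. Print `PTR_ERR(treename)` instead, as `smb2_get_name()` does earlier in this file with `"failed to get name %ld\n"`.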
@@ -1986,7 +1986,7 @@ static noinline int create_smb2_pipe(struct ksmbd_work *work)
id = ksmbd_session_rpc_open(work->sess, name);
if (id < 0) {
- ksmbd_err("Unable to open RPC pipe: %d\n", id);
+ pr_err("Unable to open RPC pipe: %d\n", id);
err = id;
goto out;
}
@@ -2120,7 +2120,7 @@ static inline int check_context_err(void *ctx, char *str)
ksmbd_debug(SMB, "find context %s err %d\n", str, err);
if (err == -EINVAL) {
- ksmbd_err("bad name length\n");
+ pr_err("bad name length\n");
return err;
}
@@ -2159,7 +2159,7 @@ static noinline int smb2_set_stream_name_xattr(struct path *path,
rc = ksmbd_vfs_setxattr(path->dentry, xattr_stream_name, NULL, 0, 0);
if (rc < 0)
- ksmbd_err("Failed to store XATTR stream name :%d\n", rc);
+ pr_err("Failed to store XATTR stream name :%d\n", rc);
return 0;
}
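Review bot: In `smb2_set_stream_name_xattr()` the `rc < 0` result of `ksmbd_vfs_setxattr()` is logged and then the function falls through to `return 0`, so the caller never learns that the stream name xattr was not stored. If ignoring the failure is intentional, a comment should say so and the message could drop to debug level; otherwise return `rc`.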
@@ -2201,7 +2201,7 @@ static int smb2_create_truncate(struct path *path)
int rc = vfs_truncate(path, 0);
if (rc) {
- ksmbd_err("vfs_truncate failed, rc %d\n", rc);
+ pr_err("vfs_truncate failed, rc %d\n", rc);
return rc;
}
@@ -2287,8 +2287,8 @@ static int smb2_creat(struct ksmbd_work *work, struct path *path, char *name,
rc = ksmbd_vfs_kern_path(name, 0, path, 0);
if (rc) {
- ksmbd_err("cannot get linux path (%s), err = %d\n",
- name, rc);
+ pr_err("cannot get linux path (%s), err = %d\n",
+ name, rc);
return rc;
}
return 0;
@@ -2387,7 +2387,7 @@ int smb2_open(struct ksmbd_work *work)
if (req->NameLength) {
if ((req->CreateOptions & FILE_DIRECTORY_FILE_LE) &&
*(char *)req->Buffer == '\\') {
- ksmbd_err("not allow directory name included leading slash\n");
+ pr_err("not allow directory name included leading slash\n");
rc = -EINVAL;
goto err_out1;
}
@@ -2444,16 +2444,16 @@ int smb2_open(struct ksmbd_work *work)
lc = parse_lease_state(req);
if (le32_to_cpu(req->ImpersonationLevel) > le32_to_cpu(IL_DELEGATE_LE)) {
- ksmbd_err("Invalid impersonationlevel : 0x%x\n",
- le32_to_cpu(req->ImpersonationLevel));
+ pr_err("Invalid impersonationlevel : 0x%x\n",
+ le32_to_cpu(req->ImpersonationLevel));
rc = -EIO;
rsp->hdr.Status = STATUS_BAD_IMPERSONATION_LEVEL;
goto err_out1;
}
if (req->CreateOptions && !(req->CreateOptions & CREATE_OPTIONS_MASK)) {
- ksmbd_err("Invalid create options : 0x%x\n",
- le32_to_cpu(req->CreateOptions));
+ pr_err("Invalid create options : 0x%x\n",
+ le32_to_cpu(req->CreateOptions));
rc = -EINVAL;
goto err_out1;
} else {
@@ -2480,22 +2480,22 @@ int smb2_open(struct ksmbd_work *work)
if (le32_to_cpu(req->CreateDisposition) >
le32_to_cpu(FILE_OVERWRITE_IF_LE)) {
- ksmbd_err("Invalid create disposition : 0x%x\n",
- le32_to_cpu(req->CreateDisposition));
+ pr_err("Invalid create disposition : 0x%x\n",
+ le32_to_cpu(req->CreateDisposition));
rc = -EINVAL;
goto err_out1;
}
if (!(req->DesiredAccess & DESIRED_ACCESS_MASK)) {
- ksmbd_err("Invalid desired access : 0x%x\n",
- le32_to_cpu(req->DesiredAccess));
+ pr_err("Invalid desired access : 0x%x\n",
+ le32_to_cpu(req->DesiredAccess));
rc = -EACCES;
goto err_out1;
}
if (req->FileAttributes && !(req->FileAttributes & ATTR_MASK_LE)) {
- ksmbd_err("Invalid file attribute : 0x%x\n",
- le32_to_cpu(req->FileAttributes));
+ pr_err("Invalid file attribute : 0x%x\n",
+ le32_to_cpu(req->FileAttributes));
rc = -EINVAL;
goto err_out1;
}
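Review bot: The three converted messages in this hunk report rejected values of `req->CreateDisposition`, `req->DesiredAccess` and `req->FileAttributes`, all fields taken from the client's request, at error level on every bad request. `ksmbd_debug(SMB, ...)` is already used in this file for request tracing and would be a better fit here, or at least `pr_err_ratelimited()`, so that invalid requests cannot be used to fill the kernel log.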
@@ -2750,7 +2750,7 @@ int smb2_open(struct ksmbd_work *work)
filp = dentry_open(&path, open_flags, current_cred());
if (IS_ERR(filp)) {
rc = PTR_ERR(filp);
- ksmbd_err("dentry open for dir failed, rc %d\n", rc);
+ pr_err("dentry open for dir failed, rc %d\n", rc);
goto err_out;
}
@@ -2846,8 +2846,8 @@ int smb2_open(struct ksmbd_work *work)
pntsd_size);
kfree(pntsd);
if (rc)
- ksmbd_err("failed to store ntacl in xattr : %d\n",
- rc);
+ pr_err("failed to store ntacl in xattr : %d\n",
+ rc);
}
}
}
@@ -3697,14 +3697,14 @@ int smb2_query_dir(struct ksmbd_work *work)
if (!(dir_fp->daccess & FILE_LIST_DIRECTORY_LE) ||
inode_permission(&init_user_ns, file_inode(dir_fp->filp),
MAY_READ | MAY_EXEC)) {
- ksmbd_err("no right to enumerate directory (%s)\n",
- FP_FILENAME(dir_fp));
+ pr_err("no right to enumerate directory (%s)\n",
+ FP_FILENAME(dir_fp));
rc = -EACCES;
goto err_out2;
}
if (!S_ISDIR(file_inode(dir_fp->filp)->i_mode)) {
- ksmbd_err("can't do query dir for a file\n");
+ pr_err("can't do query dir for a file\n");
rc = -EINVAL;
goto err_out2;
}
@@ -3805,7 +3805,7 @@ int smb2_query_dir(struct ksmbd_work *work)
return 0;
err_out:
- ksmbd_err("error while processing smb2 query dir rc = %d\n", rc);
+ pr_err("error while processing smb2 query dir rc = %d\n", rc);
kfree(srch_ptr);
err_out2:
@@ -3843,7 +3843,7 @@ static int buffer_check_err(int reqOutputBufferLength,
{
if (reqOutputBufferLength < le32_to_cpu(rsp->OutputBufferLength)) {
if (reqOutputBufferLength < infoclass_size) {
- ksmbd_err("Invalid Buffer Size Requested\n");
+ pr_err("Invalid Buffer Size Requested\n");
rsp->hdr.Status = STATUS_INFO_LENGTH_MISMATCH;
rsp->hdr.smb2_buf_length = cpu_to_be32(sizeof(struct smb2_hdr) - 4);
return -EINVAL;
@@ -3946,8 +3946,8 @@ static int smb2_get_ea(struct ksmbd_work *work, struct ksmbd_file *fp,
struct path *path;
if (!(fp->daccess & FILE_READ_EA_LE)) {
- ksmbd_err("Not permitted to read ext attr : 0x%x\n",
- fp->daccess);
+ pr_err("Not permitted to read ext attr : 0x%x\n",
+ fp->daccess);
return -EACCES;
}
@@ -4103,8 +4103,8 @@ static int get_file_basic_info(struct smb2_query_info_rsp *rsp,
u64 time;
if (!(fp->daccess & FILE_READ_ATTRIBUTES_LE)) {
- ksmbd_err("no right to read the attributes : 0x%x\n",
- fp->daccess);
+ pr_err("no right to read the attributes : 0x%x\n",
+ fp->daccess);
return -EACCES;
}
@@ -4375,8 +4375,8 @@ static int get_file_network_open_info(struct smb2_query_info_rsp *rsp,
u64 time;
if (!(fp->daccess & FILE_READ_ATTRIBUTES_LE)) {
- ksmbd_err("no right to read the attributes : 0x%x\n",
- fp->daccess);
+ pr_err("no right to read the attributes : 0x%x\n",
+ fp->daccess);
return -EACCES;
}
@@ -4465,8 +4465,8 @@ static int get_file_attribute_tag_info(struct smb2_query_info_rsp *rsp,
struct smb2_file_attr_tag_info *file_info;
if (!(fp->daccess & FILE_READ_ATTRIBUTES_LE)) {
- ksmbd_err("no right to read the attributes : 0x%x\n",
- fp->daccess);
+ pr_err("no right to read the attributes : 0x%x\n",
+ fp->daccess);
return -EACCES;
}
@@ -4620,7 +4620,7 @@ static int smb2_get_info_file(struct ksmbd_work *work,
break;
case SMB_FIND_FILE_POSIX_INFO:
if (!work->tcon->posix_extensions) {
- ksmbd_err("client doesn't negotiate with SMB3.1.1 POSIX Extensions\n");
+ pr_err("client doesn't negotiate with SMB3.1.1 POSIX Extensions\n");
rc = -EOPNOTSUPP;
} else {
rc = find_file_posix_info(rsp, fp, rsp_org);
@@ -4659,13 +4659,13 @@ static int smb2_get_info_filesystem(struct ksmbd_work *work,
rc = ksmbd_vfs_kern_path(share->path, lookup_flags, &path, 0);
if (rc) {
- ksmbd_err("cannot create vfs path\n");
+ pr_err("cannot create vfs path\n");
return -EIO;
}
rc = vfs_statfs(&path, &stfs);
if (rc) {
- ksmbd_err("cannot do stat of path %s\n", share->path);
+ pr_err("cannot do stat of path %s\n", share->path);
path_put(&path);
return -EIO;
}
@@ -4846,7 +4846,7 @@ static int smb2_get_info_filesystem(struct ksmbd_work *work,
unsigned short logical_sector_size;
if (!work->tcon->posix_extensions) {
- ksmbd_err("client doesn't negotiate with SMB3.1.1 POSIX Extensions\n");
+ pr_err("client doesn't negotiate with SMB3.1.1 POSIX Extensions\n");
rc = -EOPNOTSUPP;
} else {
info = (struct filesystem_posix_info *)(rsp->Buffer);
@@ -5213,7 +5213,7 @@ static int smb2_rename(struct ksmbd_work *work, struct ksmbd_file *fp,
len = strlen(new_name);
if (new_name[len - 1] != '/') {
- ksmbd_err("not allow base filename in rename\n");
+ pr_err("not allow base filename in rename\n");
rc = -ESHARE;
goto out;
}
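Review bot: `new_name[len - 1]` is read right after `len = strlen(new_name)`, and nothing in the visible context guarantees `len` is non-zero; for an empty string this indexes one byte before the buffer. This predates the patch, but the hunk touches the branch, so either add a `len == 0` check before the comparison or note where the caller rules that case out.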
@@ -5229,8 +5229,8 @@ static int smb2_rename(struct ksmbd_work *work, struct ksmbd_file *fp,
xattr_stream_name,
NULL, 0, 0);
if (rc < 0) {
- ksmbd_err("failed to store stream name in xattr: %d\n",
- rc);
+ pr_err("failed to store stream name in xattr: %d\n",
+ rc);
rc = -EINVAL;
goto out;
}
@@ -5389,7 +5389,7 @@ static int set_file_basic_info(struct ksmbd_file *fp, char *buf,
if (file_info->Attributes) {
if (!S_ISDIR(inode->i_mode) &&
file_info->Attributes & ATTR_DIRECTORY_LE) {
- ksmbd_err("can't change a file to a directory\n");
+ pr_err("can't change a file to a directory\n");
return -EINVAL;
}
@@ -5467,7 +5467,7 @@ static int set_file_allocation_info(struct ksmbd_work *work,
if (alloc_blks > inode->i_blocks) {
rc = ksmbd_vfs_alloc_size(work, fp, alloc_blks * 512);
if (rc && rc != -EOPNOTSUPP) {
- ksmbd_err("ksmbd_vfs_alloc_size is failed : %d\n", rc);
+ pr_err("ksmbd_vfs_alloc_size is failed : %d\n", rc);
return rc;
}
} else if (alloc_blks < inode->i_blocks) {
@@ -5483,8 +5483,8 @@ static int set_file_allocation_info(struct ksmbd_work *work,
size = i_size_read(inode);
rc = ksmbd_vfs_truncate(work, NULL, fp, alloc_blks * 512);
if (rc) {
- ksmbd_err("truncate failed! filename : %s, err %d\n",
- fp->filename, rc);
+ pr_err("truncate failed! filename : %s, err %d\n",
+ fp->filename, rc);
return rc;
}
if (size < alloc_blks * 512)
@@ -5536,7 +5536,7 @@ static int set_rename_info(struct ksmbd_work *work, struct ksmbd_file *fp,
struct ksmbd_file *parent_fp;
if (!(fp->daccess & FILE_DELETE_LE)) {
- ksmbd_err("no right to delete : 0x%x\n", fp->daccess);
+ pr_err("no right to delete : 0x%x\n", fp->daccess);
return -EACCES;
}
@@ -5546,7 +5546,7 @@ static int set_rename_info(struct ksmbd_work *work, struct ksmbd_file *fp,
parent_fp = ksmbd_lookup_fd_inode(PARENT_INODE(fp));
if (parent_fp) {
if (parent_fp->daccess & FILE_DELETE_LE) {
- ksmbd_err("parent dir is opened with delete access\n");
+ pr_err("parent dir is opened with delete access\n");
return -ESHARE;
}
}
@@ -5562,7 +5562,7 @@ static int set_file_disposition_info(struct ksmbd_file *fp, char *buf)
struct inode *inode;
if (!(fp->daccess & FILE_DELETE_LE)) {
- ksmbd_err("no right to delete : 0x%x\n", fp->daccess);
+ pr_err("no right to delete : 0x%x\n", fp->daccess);
return -EACCES;
}
@@ -5594,8 +5594,8 @@ static int set_file_position_info(struct ksmbd_file *fp, char *buf)
if (current_byte_offset < 0 ||
(fp->coption == FILE_NO_INTERMEDIATE_BUFFERING_LE &&
current_byte_offset & (sector_size - 1))) {
- ksmbd_err("CurrentByteOffset is not valid : %llu\n",
- current_byte_offset);
+ pr_err("CurrentByteOffset is not valid : %llu\n",
+ current_byte_offset);
return -EINVAL;
}
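Review bot: the format specifier does not match the check in set_file_position_info(). The condition tests current_byte_offset < 0, so the value is signed, yet it is printed with %llu, which turns the negative offset that triggered the error into a very large positive number in the log. Use %lld so the message shows the value that was rejected.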
@@ -5614,7 +5614,7 @@ static int set_file_mode_info(struct ksmbd_file *fp, char *buf)
if ((mode & ~FILE_MODE_INFO_MASK) ||
(mode & FILE_SYNCHRONOUS_IO_ALERT_LE &&
mode & FILE_SYNCHRONOUS_IO_NONALERT_LE)) {
- ksmbd_err("Mode is not valid : 0x%x\n", le32_to_cpu(mode));
+ pr_err("Mode is not valid : 0x%x\n", le32_to_cpu(mode));
return -EINVAL;
}
@@ -5675,8 +5675,8 @@ static int smb2_set_info_file(struct ksmbd_work *work, struct ksmbd_file *fp,
case FILE_FULL_EA_INFORMATION:
{
if (!(fp->daccess & FILE_WRITE_EA_LE)) {
- ksmbd_err("Not permitted to write ext attr: 0x%x\n",
- fp->daccess);
+ pr_err("Not permitted to write ext attr: 0x%x\n",
+ fp->daccess);
return -EACCES;
}
@@ -5691,7 +5691,7 @@ static int smb2_set_info_file(struct ksmbd_work *work, struct ksmbd_file *fp,
return set_file_mode_info(fp, buf);
}
- ksmbd_err("Unimplemented Fileinfoclass :%d\n", info_class);
+ pr_err("Unimplemented Fileinfoclass :%d\n", info_class);
return -EOPNOTSUPP;
}
@@ -5919,7 +5919,7 @@ int smb2_read(struct ksmbd_work *work)
}
if (!(fp->daccess & (FILE_READ_DATA_LE | FILE_READ_ATTRIBUTES_LE))) {
- ksmbd_err("Not permitted to read : 0x%x\n", fp->daccess);
+ pr_err("Not permitted to read : 0x%x\n", fp->daccess);
err = -EACCES;
goto out;
}
@@ -6039,9 +6039,9 @@ static noinline int smb2_write_pipe(struct ksmbd_work *work)
} else {
if ((le16_to_cpu(req->DataOffset) > get_rfc1002_len(req)) ||
(le16_to_cpu(req->DataOffset) + length > get_rfc1002_len(req))) {
- ksmbd_err("invalid write data offset %u, smb_len %u\n",
- le16_to_cpu(req->DataOffset),
- get_rfc1002_len(req));
+ pr_err("invalid write data offset %u, smb_len %u\n",
+ le16_to_cpu(req->DataOffset),
+ get_rfc1002_len(req));
err = -EINVAL;
goto out;
}
@@ -6172,7 +6172,7 @@ int smb2_write(struct ksmbd_work *work)
}
if (!(fp->daccess & (FILE_WRITE_DATA_LE | FILE_READ_ATTRIBUTES_LE))) {
- ksmbd_err("Not permitted to write : 0x%x\n", fp->daccess);
+ pr_err("Not permitted to write : 0x%x\n", fp->daccess);
err = -EACCES;
goto out;
}
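Review bot: the access test in smb2_write() also passes for a handle that holds only FILE_READ_ATTRIBUTES_LE, because that bit is ORed into the mask next to FILE_WRITE_DATA_LE, while the message says "Not permitted to write". ksmbd_vfs_write() in the vfs.c part of this patch tests FILE_WRITE_DATA_LE alone. This is outside the scope of a logging rename, but please confirm whether the wider mask is intended, and fix it in a follow-up if it is not.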
@@ -6198,9 +6198,9 @@ int smb2_write(struct ksmbd_work *work)
} else {
if ((le16_to_cpu(req->DataOffset) > get_rfc1002_len(req)) ||
(le16_to_cpu(req->DataOffset) + length > get_rfc1002_len(req))) {
- ksmbd_err("invalid write data offset %u, smb_len %u\n",
- le16_to_cpu(req->DataOffset),
- get_rfc1002_len(req));
+ pr_err("invalid write data offset %u, smb_len %u\n",
+ le16_to_cpu(req->DataOffset),
+ get_rfc1002_len(req));
err = -EINVAL;
goto out;
}
@@ -6530,7 +6530,7 @@ int smb2_lock(struct ksmbd_work *work)
lock_start = le64_to_cpu(lock_ele[i].Offset);
lock_length = le64_to_cpu(lock_ele[i].Length);
if (lock_start > U64_MAX - lock_length) {
- ksmbd_err("Invalid lock range requested\n");
+ pr_err("Invalid lock range requested\n");
rsp->hdr.Status = STATUS_INVALID_LOCK_RANGE;
goto out;
}
@@ -6560,7 +6560,7 @@ int smb2_lock(struct ksmbd_work *work)
cmp_lock->fl->fl_end >= flock->fl_end) {
if (cmp_lock->fl->fl_type != F_UNLCK &&
flock->fl_type != F_UNLCK) {
- ksmbd_err("conflict two locks in one request\n");
+ pr_err("conflict two locks in one request\n");
rsp->hdr.Status =
STATUS_INVALID_PARAMETER;
goto out;
@@ -6633,7 +6633,7 @@ int smb2_lock(struct ksmbd_work *work)
if (cmp_lock->zero_len && !smb_lock->zero_len &&
cmp_lock->start > smb_lock->start &&
cmp_lock->start < smb_lock->end) {
- ksmbd_err("previous lock conflict with zero byte lock range\n");
+ pr_err("previous lock conflict with zero byte lock range\n");
rsp->hdr.Status = STATUS_LOCK_NOT_GRANTED;
goto out;
}
@@ -6641,7 +6641,7 @@ int smb2_lock(struct ksmbd_work *work)
if (smb_lock->zero_len && !cmp_lock->zero_len &&
smb_lock->start > cmp_lock->start &&
smb_lock->start < cmp_lock->end) {
- ksmbd_err("current lock conflict with zero byte lock range\n");
+ pr_err("current lock conflict with zero byte lock range\n");
rsp->hdr.Status = STATUS_LOCK_NOT_GRANTED;
goto out;
}
@@ -6650,7 +6650,7 @@ int smb2_lock(struct ksmbd_work *work)
cmp_lock->end > smb_lock->start) ||
(cmp_lock->start < smb_lock->end && cmp_lock->end >= smb_lock->end)) &&
!cmp_lock->zero_len && !smb_lock->zero_len) {
- ksmbd_err("Not allow lock operation on exclusive lock range\n");
+ pr_err("Not allow lock operation on exclusive lock range\n");
rsp->hdr.Status =
STATUS_LOCK_NOT_GRANTED;
goto out;
@@ -6658,7 +6658,7 @@ int smb2_lock(struct ksmbd_work *work)
}
if (smb_lock->fl->fl_type == F_UNLCK && nolock) {
- ksmbd_err("Try to unlock nolocked range\n");
+ pr_err("Try to unlock nolocked range\n");
rsp->hdr.Status = STATUS_RANGE_NOT_LOCKED;
goto out;
}
@@ -6787,7 +6787,7 @@ int smb2_lock(struct ksmbd_work *work)
err = ksmbd_vfs_lock(filp, 0, rlock);
if (err)
- ksmbd_err("rollback unlock fail : %d\n", err);
+ pr_err("rollback unlock fail : %d\n", err);
list_del(&smb_lock->llist);
list_del(&smb_lock->glist);
locks_free_lock(smb_lock->fl);
@@ -6974,8 +6974,8 @@ static int fsctl_query_iface_info_ioctl(struct ksmbd_conn *conn,
netdev->ethtool_ops->get_link_ksettings(netdev, &cmd);
speed = cmd.base.speed;
} else {
- ksmbd_err("%s %s\n", netdev->name,
- "speed is unknown, defaulting to 1Gb/sec");
+ pr_err("%s %s\n", netdev->name,
+ "speed is unknown, defaulting to 1Gb/sec");
speed = SPEED_1000;
}
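Review bot: the else branch in fsctl_query_iface_info_ioctl() handles a missing link speed by falling back to SPEED_1000 and carrying on, so pr_err is the wrong level for it; pr_warn or pr_info fits better. While touching the line, fold the constant text into the format string ("%s speed is unknown, defaulting to 1Gb/sec\n") instead of passing it as a second %s argument.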
@@ -7387,7 +7387,7 @@ int smb2_ioctl(struct ksmbd_work *work)
reparse_ptr = (struct reparse_data_buffer *)&rsp->Buffer[0];
fp = ksmbd_lookup_fd_fast(work, id);
if (!fp) {
- ksmbd_err("not found fp!!\n");
+ pr_err("not found fp!!\n");
ret = -ENOENT;
goto out;
}
@@ -7410,14 +7410,14 @@ int smb2_ioctl(struct ksmbd_work *work)
fp_in = ksmbd_lookup_fd_slow(work, dup_ext->VolatileFileHandle,
dup_ext->PersistentFileHandle);
if (!fp_in) {
- ksmbd_err("not found file handle in duplicate extent to file\n");
+ pr_err("not found file handle in duplicate extent to file\n");
ret = -ENOENT;
goto out;
}
fp_out = ksmbd_lookup_fd_fast(work, id);
if (!fp_out) {
- ksmbd_err("not found fp\n");
+ pr_err("not found fp\n");
ret = -ENOENT;
goto dup_ext_out;
}
@@ -7514,7 +7514,7 @@ static void smb20_oplock_break_ack(struct ksmbd_work *work)
opinfo = opinfo_get(fp);
if (!opinfo) {
- ksmbd_err("unexpected null oplock_info\n");
+ pr_err("unexpected null oplock_info\n");
rsp->hdr.Status = STATUS_INVALID_OPLOCK_PROTOCOL;
smb2_set_err_rsp(work);
ksmbd_fd_put(work, fp);
@@ -7577,8 +7577,8 @@ static void smb20_oplock_break_ack(struct ksmbd_work *work)
rsp_oplevel = SMB2_OPLOCK_LEVEL_NONE;
break;
default:
- ksmbd_err("unknown oplock change 0x%x -> 0x%x\n",
- opinfo->level, rsp_oplevel);
+ pr_err("unknown oplock change 0x%x -> 0x%x\n",
+ opinfo->level, rsp_oplevel);
}
if (ret < 0) {
@@ -7654,8 +7654,8 @@ static void smb21_lease_break_ack(struct ksmbd_work *work)
lease = opinfo->o_lease;
if (opinfo->op_state == OPLOCK_STATE_NONE) {
- ksmbd_err("unexpected lease break state 0x%x\n",
- opinfo->op_state);
+ pr_err("unexpected lease break state 0x%x\n",
+ opinfo->op_state);
rsp->hdr.Status = STATUS_UNSUCCESSFUL;
goto err_out;
}
@@ -7868,7 +7868,7 @@ int smb2_check_sign_req(struct ksmbd_work *work)
return 0;
if (memcmp(signature, signature_req, SMB2_SIGNATURE_SIZE)) {
- ksmbd_err("bad smb2 signature\n");
+ pr_err("bad smb2 signature\n");
return 0;
}
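Review bot: the signature check in smb2_check_sign_req() compares the computed and received signatures with memcmp(), which stops at the first differing byte and so is not constant-time. For a MAC comparison crypto_memneq() is the usual choice. The same applies to the memcmp() in smb3_check_sign_req() below. Both messages are also reachable from any request carrying a wrong signature, so pr_err_ratelimited would keep a misbehaving client from filling the log.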
@@ -7965,7 +7965,7 @@ int smb3_check_sign_req(struct ksmbd_work *work)
}
if (!signing_key) {
- ksmbd_err("SMB3 signing key is not generated\n");
+ pr_err("SMB3 signing key is not generated\n");
return 0;
}
@@ -7978,7 +7978,7 @@ int smb3_check_sign_req(struct ksmbd_work *work)
return 0;
if (memcmp(signature, signature_req, SMB2_SIGNATURE_SIZE)) {
- ksmbd_err("bad smb2 signature\n");
+ pr_err("bad smb2 signature\n");
return 0;
}
@@ -8175,20 +8175,20 @@ int smb3_decrypt_req(struct ksmbd_work *work)
sess = ksmbd_session_lookup_all(conn, le64_to_cpu(tr_hdr->SessionId));
if (!sess) {
- ksmbd_err("invalid session id(%llx) in transform header\n",
- le64_to_cpu(tr_hdr->SessionId));
+ pr_err("invalid session id(%llx) in transform header\n",
+ le64_to_cpu(tr_hdr->SessionId));
return -ECONNABORTED;
}
if (pdu_length + 4 <
sizeof(struct smb2_transform_hdr) + sizeof(struct smb2_hdr)) {
- ksmbd_err("Transform message is too small (%u)\n",
- pdu_length);
+ pr_err("Transform message is too small (%u)\n",
+ pdu_length);
return -ECONNABORTED;
}
if (pdu_length + 4 < orig_len + sizeof(struct smb2_transform_hdr)) {
- ksmbd_err("Transform message is broken\n");
+ pr_err("Transform message is broken\n");
return -ECONNABORTED;
}
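Review bot: all three messages in smb3_decrypt_req() are printed in response to values read from the incoming transform header (SessionId, pdu_length, orig_len), so a peer that keeps sending malformed transform messages produces one error-level line per message. Please use pr_err_ratelimited here, or drop these to debug level, since each case already returns -ECONNABORTED to the caller.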
diff --git a/fs/cifsd/smb_common.c b/fs/cifsd/smb_common.c
index d74b2ce08187..5bf644d7e321 100644
--- a/fs/cifsd/smb_common.c
+++ b/fs/cifsd/smb_common.c
@@ -447,7 +447,7 @@ int ksmbd_smb_negotiate_common(struct ksmbd_work *work, unsigned int command)
return smb_handle_negotiate(work);
}
- ksmbd_err("Unknown SMB negotiation command: %u\n", command);
+ pr_err("Unknown SMB negotiation command: %u\n", command);
return -EINVAL;
}
diff --git a/fs/cifsd/smbacl.c b/fs/cifsd/smbacl.c
index 63db8c015f9d..23c952612db4 100644
--- a/fs/cifsd/smbacl.c
+++ b/fs/cifsd/smbacl.c
@@ -264,8 +264,8 @@ static int sid_to_id(struct smb_sid *psid, uint sidtype,
* Just return an error.
*/
if (unlikely(psid->num_subauth > SID_MAX_SUB_AUTHORITIES)) {
- ksmbd_err("%s: %u subauthorities is too many!\n",
- __func__, psid->num_subauth);
+ pr_err("%s: %u subauthorities is too many!\n",
+ __func__, psid->num_subauth);
return -EIO;
}
@@ -383,7 +383,7 @@ static void parse_dacl(struct smb_acl *pdacl, char *end_of_acl,
/* validate that we do not go past end of acl */
if (end_of_acl <= (char *)pdacl ||
end_of_acl < (char *)pdacl + le16_to_cpu(pdacl->size)) {
- ksmbd_err("ACL too small to parse DACL\n");
+ pr_err("ACL too small to parse DACL\n");
return;
}
@@ -477,8 +477,8 @@ static void parse_dacl(struct smb_acl *pdacl, char *end_of_acl,
temp_fattr.cf_uid = INVALID_UID;
ret = sid_to_id(&ppace[i]->sid, SIDOWNER, &temp_fattr);
if (ret || uid_eq(temp_fattr.cf_uid, INVALID_UID)) {
- ksmbd_err("%s: Error %d mapping Owner SID to uid\n",
- __func__, ret);
+ pr_err("%s: Error %d mapping Owner SID to uid\n",
+ __func__, ret);
continue;
}
@@ -764,7 +764,7 @@ static int parse_sid(struct smb_sid *psid, char *end_of_acl)
* bytes long (assuming no sub-auths - e.g. the null SID
*/
if (end_of_acl < (char *)psid + 8) {
- ksmbd_err("ACL too small to parse SID %p\n", psid);
+ pr_err("ACL too small to parse SID %p\n", psid);
return -EINVAL;
}
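Review bot: the %p in "ACL too small to parse SID %p" in parse_sid() prints a hashed pointer, which tells the reader nothing about which SID or ACL failed. Either drop the argument or log something actionable, such as the number of bytes remaining before end_of_acl.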
@@ -808,14 +808,14 @@ int parse_sec_desc(struct smb_ntsd *pntsd, int acl_len,
if (pntsd->osidoffset) {
rc = parse_sid(owner_sid_ptr, end_of_acl);
if (rc) {
- ksmbd_err("%s: Error %d parsing Owner SID\n", __func__, rc);
+ pr_err("%s: Error %d parsing Owner SID\n", __func__, rc);
return rc;
}
rc = sid_to_id(owner_sid_ptr, SIDOWNER, fattr);
if (rc) {
- ksmbd_err("%s: Error %d mapping Owner SID to uid\n",
- __func__, rc);
+ pr_err("%s: Error %d mapping Owner SID to uid\n",
+ __func__, rc);
owner_sid_ptr = NULL;
}
}
@@ -823,14 +823,14 @@ int parse_sec_desc(struct smb_ntsd *pntsd, int acl_len,
if (pntsd->gsidoffset) {
rc = parse_sid(group_sid_ptr, end_of_acl);
if (rc) {
- ksmbd_err("%s: Error %d mapping Owner SID to gid\n",
- __func__, rc);
+ pr_err("%s: Error %d mapping Owner SID to gid\n",
+ __func__, rc);
return rc;
}
rc = sid_to_id(group_sid_ptr, SIDUNIX_GROUP, fattr);
if (rc) {
- ksmbd_err("%s: Error %d mapping Group SID to gid\n",
- __func__, rc);
+ pr_err("%s: Error %d mapping Group SID to gid\n",
+ __func__, rc);
group_sid_ptr = NULL;
}
}
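Review bot: the message after the failed parse_sid(group_sid_ptr, end_of_acl) call in parse_sec_desc() reads "Error %d mapping Owner SID to gid", but this path is parsing the group SID, not mapping the owner. It looks copied from the owner block above. Since the line is being rewritten anyway, change it to "Error %d parsing Group SID" so it matches the owner case ("Error %d parsing Owner SID").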
diff --git a/fs/cifsd/transport_ipc.c b/fs/cifsd/transport_ipc.c
index 2bcc1cad6037..13eacfda64ac 100644
--- a/fs/cifsd/transport_ipc.c
+++ b/fs/cifsd/transport_ipc.c
@@ -43,11 +43,11 @@ static unsigned int ksmbd_tools_pid;
static bool ksmbd_ipc_validate_version(struct genl_info *m)
{
if (m->genlhdr->version != KSMBD_GENL_VERSION) {
- ksmbd_err("%s. ksmbd: %d, kernel module: %d. %s.\n",
- "Daemon and kernel module version mismatch",
- m->genlhdr->version,
- KSMBD_GENL_VERSION,
- "User-space ksmbd should terminate");
+ pr_err("%s. ksmbd: %d, kernel module: %d. %s.\n",
+ "Daemon and kernel module version mismatch",
+ m->genlhdr->version,
+ KSMBD_GENL_VERSION,
+ "User-space ksmbd should terminate");
return false;
}
return true;
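Review bot: the format in ksmbd_ipc_validate_version() is "%s. ksmbd: %d, kernel module: %d. %s.\n" with two constant strings passed as %s arguments, which makes the message impossible to grep for in the source. Write the text directly into the format string and keep only the two version numbers as arguments.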
@@ -267,8 +267,8 @@ static int handle_response(int type, void *payload, size_t sz)
* request message type + 1.
*/
if (entry->type + 1 != type) {
- ksmbd_err("Waiting for IPC type %d, got %d. Ignore.\n",
- entry->type + 1, type);
+ pr_err("Waiting for IPC type %d, got %d. Ignore.\n",
+ entry->type + 1, type);
}
entry->response = kvmalloc(sz, GFP_KERNEL | __GFP_ZERO);
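Review bot: the message in handle_response() says "Ignore." but the if body contains only the print, and the next visible context line goes on to allocate entry->response for the mismatched type. Either skip the entry when entry->type + 1 != type, or reword the message so it does not claim the response is ignored. The braces around the now single-statement body can also go.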
@@ -313,9 +313,9 @@ static int ipc_server_config_on_startup(struct ksmbd_startup_request *req)
ret |= ksmbd_tcp_set_interfaces(KSMBD_STARTUP_CONFIG_INTERFACES(req),
req->ifc_list_sz);
if (ret) {
- ksmbd_err("Server configuration error: %s %s %s\n",
- req->netbios_name, req->server_string,
- req->work_group);
+ pr_err("Server configuration error: %s %s %s\n",
+ req->netbios_name, req->server_string,
+ req->work_group);
return ret;
}
@@ -353,7 +353,7 @@ static int handle_startup_event(struct sk_buff *skb, struct genl_info *info)
mutex_lock(&startup_lock);
if (!ksmbd_server_configurable()) {
mutex_unlock(&startup_lock);
- ksmbd_err("Server reset is in progress, can't start daemon\n");
+ pr_err("Server reset is in progress, can't start daemon\n");
return -EINVAL;
}
@@ -363,7 +363,7 @@ static int handle_startup_event(struct sk_buff *skb, struct genl_info *info)
goto out;
}
- ksmbd_err("Reconnect to a new user space daemon\n");
+ pr_err("Reconnect to a new user space daemon\n");
} else {
struct ksmbd_startup_request *req;
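Review bot: "Reconnect to a new user space daemon" in handle_startup_event() is printed on a path that continues normally, so it reads as a status message rather than an error. pr_info is the better level here; keeping it at pr_err will trip log monitoring that alerts on error-level kernel messages.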
@@ -384,7 +384,7 @@ static int handle_startup_event(struct sk_buff *skb, struct genl_info *info)
static int handle_unsupported_event(struct sk_buff *skb, struct genl_info *info)
{
- ksmbd_err("Unknown IPC event: %d, ignore.\n", info->genlhdr->cmd);
+ pr_err("Unknown IPC event: %d, ignore.\n", info->genlhdr->cmd);
return -EINVAL;
}
@@ -827,7 +827,7 @@ static int __ipc_heartbeat(void)
WRITE_ONCE(server_conf.state, SERVER_STATE_RESETTING);
server_conf.ipc_last_active = 0;
ksmbd_tools_pid = 0;
- ksmbd_err("No IPC daemon response for %lus\n", delta / HZ);
+ pr_err("No IPC daemon response for %lus\n", delta / HZ);
mutex_unlock(&startup_lock);
return -EINVAL;
}
@@ -871,7 +871,7 @@ int ksmbd_ipc_init(void)
ret = genl_register_family(&ksmbd_genl_family);
if (ret) {
- ksmbd_err("Failed to register KSMBD netlink interface %d\n", ret);
+ pr_err("Failed to register KSMBD netlink interface %d\n", ret);
cancel_delayed_work_sync(&ipc_timer_work);
}
diff --git a/fs/cifsd/transport_rdma.c b/fs/cifsd/transport_rdma.c
index 52237f023b66..bd7a090d5350 100644
--- a/fs/cifsd/transport_rdma.c
+++ b/fs/cifsd/transport_rdma.c
@@ -525,9 +525,9 @@ static void recv_done(struct ib_cq *cq, struct ib_wc *wc)
if (wc->status != IB_WC_SUCCESS || wc->opcode != IB_WC_RECV) {
if (wc->status != IB_WC_WR_FLUSH_ERR) {
- ksmbd_err("Recv error. status='%s (%d)' opcode=%d\n",
- ib_wc_status_msg(wc->status), wc->status,
- wc->opcode);
+ pr_err("Recv error. status='%s (%d)' opcode=%d\n",
+ ib_wc_status_msg(wc->status), wc->status,
+ wc->opcode);
smb_direct_disconnect_rdma_connection(t);
}
put_empty_recvmsg(t, recvmsg);
@@ -623,7 +623,7 @@ static int smb_direct_post_recv(struct smb_direct_transport *t,
ret = ib_post_recv(t->qp, &wr, NULL);
if (ret) {
- ksmbd_err("Can't post recv: %d\n", ret);
+ pr_err("Can't post recv: %d\n", ret);
ib_dma_unmap_single(t->cm_id->device,
recvmsg->sge.addr, recvmsg->sge.length,
DMA_FROM_DEVICE);
@@ -645,7 +645,7 @@ static int smb_direct_read(struct ksmbd_transport *t, char *buf,
again:
if (st->status != SMB_DIRECT_CS_CONNECTED) {
- ksmbd_err("disconnected\n");
+ pr_err("disconnected\n");
return -ENOTCONN;
}
@@ -794,7 +794,7 @@ static void smb_direct_post_recv_credits(struct work_struct *work)
ret = smb_direct_post_recv(t, recvmsg);
if (ret) {
- ksmbd_err("Can't post recv: %d\n", ret);
+ pr_err("Can't post recv: %d\n", ret);
put_recvmsg(t, recvmsg);
break;
}
@@ -829,9 +829,9 @@ static void send_done(struct ib_cq *cq, struct ib_wc *wc)
wc->opcode);
if (wc->status != IB_WC_SUCCESS || wc->opcode != IB_WC_SEND) {
- ksmbd_err("Send error. status='%s (%d)', opcode=%d\n",
- ib_wc_status_msg(wc->status), wc->status,
- wc->opcode);
+ pr_err("Send error. status='%s (%d)', opcode=%d\n",
+ ib_wc_status_msg(wc->status), wc->status,
+ wc->opcode);
smb_direct_disconnect_rdma_connection(t);
}
@@ -880,7 +880,7 @@ static int smb_direct_post_send(struct smb_direct_transport *t,
ret = ib_post_send(t->qp, wr, NULL);
if (ret) {
- ksmbd_err("failed to post send: %d\n", ret);
+ pr_err("failed to post send: %d\n", ret);
if (wr->num_sge > 1) {
if (atomic_dec_and_test(&t->send_payload_pending))
wake_up(&t->wait_send_payload_pending);
@@ -1158,11 +1158,11 @@ static int smb_direct_post_send_data(struct smb_direct_transport *t,
sg, SMB_DIRECT_MAX_SEND_SGES - 1,
DMA_TO_DEVICE);
if (sg_cnt <= 0) {
- ksmbd_err("failed to map buffer\n");
+ pr_err("failed to map buffer\n");
ret = -ENOMEM;
goto err;
} else if (sg_cnt + msg->num_sge > SMB_DIRECT_MAX_SEND_SGES - 1) {
- ksmbd_err("buffer not fitted into sges\n");
+ pr_err("buffer not fitted into sges\n");
ret = -E2BIG;
ib_dma_unmap_sg(t->cm_id->device, sg, sg_cnt,
DMA_TO_DEVICE);
@@ -1290,8 +1290,8 @@ static void read_write_done(struct ib_cq *cq, struct ib_wc *wc,
struct smb_direct_transport *t = msg->t;
if (wc->status != IB_WC_SUCCESS) {
- ksmbd_err("read/write error. opcode = %d, status = %s(%d)\n",
- wc->opcode, ib_wc_status_msg(wc->status), wc->status);
+ pr_err("read/write error. opcode = %d, status = %s(%d)\n",
+ wc->opcode, ib_wc_status_msg(wc->status), wc->status);
smb_direct_disconnect_rdma_connection(t);
}
@@ -1348,7 +1348,7 @@ static int smb_direct_rdma_xmit(struct smb_direct_transport *t, void *buf,
ret = get_sg_list(buf, buf_len, msg->sgt.sgl, msg->sgt.orig_nents);
if (ret <= 0) {
- ksmbd_err("failed to get pages\n");
+ pr_err("failed to get pages\n");
goto err;
}
@@ -1357,7 +1357,7 @@ static int smb_direct_rdma_xmit(struct smb_direct_transport *t, void *buf,
0, remote_offset, remote_key,
is_read ? DMA_FROM_DEVICE : DMA_TO_DEVICE);
if (ret < 0) {
- ksmbd_err("failed to init rdma_rw_ctx: %d\n", ret);
+ pr_err("failed to init rdma_rw_ctx: %d\n", ret);
goto err;
}
@@ -1369,7 +1369,7 @@ static int smb_direct_rdma_xmit(struct smb_direct_transport *t, void *buf,
ret = ib_post_send(t->qp, first_wr, NULL);
if (ret) {
- ksmbd_err("failed to post send wr: %d\n", ret);
+ pr_err("failed to post send wr: %d\n", ret);
goto err;
}
@@ -1445,9 +1445,9 @@ static int smb_direct_cm_handler(struct rdma_cm_id *cm_id,
break;
}
default:
- ksmbd_err("Unexpected RDMA CM event. cm_id=%p, event=%s (%d)\n",
- cm_id, rdma_event_msg(event->event),
- event->event);
+ pr_err("Unexpected RDMA CM event. cm_id=%p, event=%s (%d)\n",
+ cm_id, rdma_event_msg(event->event),
+ event->event);
break;
}
return 0;
@@ -1557,7 +1557,7 @@ static int smb_direct_accept_client(struct smb_direct_transport *t)
ret = rdma_accept(t->cm_id, &conn_param);
if (ret) {
- ksmbd_err("error at rdma_accept: %d\n", ret);
+ pr_err("error at rdma_accept: %d\n", ret);
return ret;
}
@@ -1581,14 +1581,14 @@ static int smb_direct_negotiate(struct smb_direct_transport *t)
ret = smb_direct_post_recv(t, recvmsg);
if (ret) {
- ksmbd_err("Can't post recv: %d\n", ret);
+ pr_err("Can't post recv: %d\n", ret);
goto out;
}
t->negotiation_requested = false;
ret = smb_direct_accept_client(t);
if (ret) {
- ksmbd_err("Can't accept client\n");
+ pr_err("Can't accept client\n");
goto out;
}
@@ -1635,7 +1635,7 @@ static int smb_direct_init_params(struct smb_direct_transport *t,
t->max_send_size = smb_direct_max_send_size;
max_send_sges = DIV_ROUND_UP(t->max_send_size, PAGE_SIZE) + 2;
if (max_send_sges > SMB_DIRECT_MAX_SEND_SGES) {
- ksmbd_err("max_send_size %d is too large\n", t->max_send_size);
+ pr_err("max_send_size %d is too large\n", t->max_send_size);
return -EINVAL;
}
@@ -1655,31 +1655,31 @@ static int smb_direct_init_params(struct smb_direct_transport *t,
max_send_wrs = smb_direct_send_credit_target + max_rw_wrs;
if (max_send_wrs > device->attrs.max_cqe ||
max_send_wrs > device->attrs.max_qp_wr) {
- ksmbd_err("consider lowering send_credit_target = %d, or max_outstanding_rw_ops = %d\n",
- smb_direct_send_credit_target,
- smb_direct_max_outstanding_rw_ops);
- ksmbd_err("Possible CQE overrun, device reporting max_cqe %d max_qp_wr %d\n",
- device->attrs.max_cqe, device->attrs.max_qp_wr);
+ pr_err("consider lowering send_credit_target = %d, or max_outstanding_rw_ops = %d\n",
+ smb_direct_send_credit_target,
+ smb_direct_max_outstanding_rw_ops);
+ pr_err("Possible CQE overrun, device reporting max_cqe %d max_qp_wr %d\n",
+ device->attrs.max_cqe, device->attrs.max_qp_wr);
return -EINVAL;
}
if (smb_direct_receive_credit_max > device->attrs.max_cqe ||
smb_direct_receive_credit_max > device->attrs.max_qp_wr) {
- ksmbd_err("consider lowering receive_credit_max = %d\n",
- smb_direct_receive_credit_max);
- ksmbd_err("Possible CQE overrun, device reporting max_cpe %d max_qp_wr %d\n",
- device->attrs.max_cqe, device->attrs.max_qp_wr);
+ pr_err("consider lowering receive_credit_max = %d\n",
+ smb_direct_receive_credit_max);
+ pr_err("Possible CQE overrun, device reporting max_cpe %d max_qp_wr %d\n",
+ device->attrs.max_cqe, device->attrs.max_qp_wr);
return -EINVAL;
}
if (device->attrs.max_send_sge < SMB_DIRECT_MAX_SEND_SGES) {
- ksmbd_err("warning: device max_send_sge = %d too small\n",
- device->attrs.max_send_sge);
+ pr_err("warning: device max_send_sge = %d too small\n",
+ device->attrs.max_send_sge);
return -EINVAL;
}
if (device->attrs.max_recv_sge < SMB_DIRECT_MAX_RECV_SGES) {
- ksmbd_err("warning: device max_recv_sge = %d too small\n",
- device->attrs.max_recv_sge);
+ pr_err("warning: device max_recv_sge = %d too small\n",
+ device->attrs.max_recv_sge);
return -EINVAL;
}
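Review bot: the second "Possible CQE overrun" message in smb_direct_init_params() says "max_cpe" where the first says "max_cqe" and both print device->attrs.max_cqe; please fix the typo while the line is being rewritten. The two max_send_sge / max_recv_sge messages start with "warning:" but are emitted with pr_err and followed by return -EINVAL, so drop the "warning:" prefix.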
@@ -1788,7 +1788,7 @@ static int smb_direct_create_qpair(struct smb_direct_transport *t,
t->pd = ib_alloc_pd(t->cm_id->device, 0);
if (IS_ERR(t->pd)) {
- ksmbd_err("Can't create RDMA PD\n");
+ pr_err("Can't create RDMA PD\n");
ret = PTR_ERR(t->pd);
t->pd = NULL;
return ret;
@@ -1797,7 +1797,7 @@ static int smb_direct_create_qpair(struct smb_direct_transport *t,
t->send_cq = ib_alloc_cq(t->cm_id->device, t,
t->send_credit_target, 0, IB_POLL_WORKQUEUE);
if (IS_ERR(t->send_cq)) {
- ksmbd_err("Can't create RDMA send CQ\n");
+ pr_err("Can't create RDMA send CQ\n");
ret = PTR_ERR(t->send_cq);
t->send_cq = NULL;
goto err;
@@ -1807,7 +1807,7 @@ static int smb_direct_create_qpair(struct smb_direct_transport *t,
cap->max_send_wr + cap->max_rdma_ctxs,
0, IB_POLL_WORKQUEUE);
if (IS_ERR(t->recv_cq)) {
- ksmbd_err("Can't create RDMA recv CQ\n");
+ pr_err("Can't create RDMA recv CQ\n");
ret = PTR_ERR(t->recv_cq);
t->recv_cq = NULL;
goto err;
@@ -1825,7 +1825,7 @@ static int smb_direct_create_qpair(struct smb_direct_transport *t,
ret = rdma_create_qp(t->cm_id, t->pd, &qp_attr);
if (ret) {
- ksmbd_err("Can't create RDMA QP: %d\n", ret);
+ pr_err("Can't create RDMA QP: %d\n", ret);
goto err;
}
@@ -1861,25 +1861,25 @@ static int smb_direct_prepare(struct ksmbd_transport *t)
ret = smb_direct_init_params(st, &qp_cap);
if (ret) {
- ksmbd_err("Can't configure RDMA parameters\n");
+ pr_err("Can't configure RDMA parameters\n");
return ret;
}
ret = smb_direct_create_pools(st);
if (ret) {
- ksmbd_err("Can't init RDMA pool: %d\n", ret);
+ pr_err("Can't init RDMA pool: %d\n", ret);
return ret;
}
ret = smb_direct_create_qpair(st, &qp_cap);
if (ret) {
- ksmbd_err("Can't accept RDMA client: %d\n", ret);
+ pr_err("Can't accept RDMA client: %d\n", ret);
return ret;
}
ret = smb_direct_negotiate(st);
if (ret) {
- ksmbd_err("Can't negotiate: %d\n", ret);
+ pr_err("Can't negotiate: %d\n", ret);
return ret;
}
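Review bot: the message for a failed smb_direct_create_qpair() call in smb_direct_prepare() is "Can't accept RDMA client: %d", which points at the wrong step; the accept happens in smb_direct_accept_client(), which has its own "Can't accept client" message. Please make this one say that queue pair creation failed so the four messages in this function map one-to-one to the four setup steps.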
@@ -1917,7 +1917,7 @@ static int smb_direct_handle_connect_request(struct rdma_cm_id *new_cm_id)
if (IS_ERR(KSMBD_TRANS(t)->handler)) {
int ret = PTR_ERR(KSMBD_TRANS(t)->handler);
- ksmbd_err("Can't start thread\n");
+ pr_err("Can't start thread\n");
free_transport(t);
return ret;
}
@@ -1933,7 +1933,7 @@ static int smb_direct_listen_handler(struct rdma_cm_id *cm_id,
int ret = smb_direct_handle_connect_request(cm_id);
if (ret) {
- ksmbd_err("Can't create transport: %d\n", ret);
+ pr_err("Can't create transport: %d\n", ret);
return ret;
}
@@ -1942,8 +1942,8 @@ static int smb_direct_listen_handler(struct rdma_cm_id *cm_id,
break;
}
default:
- ksmbd_err("Unexpected listen event. cm_id=%p, event=%s (%d)\n",
- cm_id, rdma_event_msg(event->event), event->event);
+ pr_err("Unexpected listen event. cm_id=%p, event=%s (%d)\n",
+ cm_id, rdma_event_msg(event->event), event->event);
break;
}
return 0;
@@ -1962,13 +1962,13 @@ static int smb_direct_listen(int port)
cm_id = rdma_create_id(&init_net, smb_direct_listen_handler,
&smb_direct_listener, RDMA_PS_TCP, IB_QPT_RC);
if (IS_ERR(cm_id)) {
- ksmbd_err("Can't create cm id: %ld\n", PTR_ERR(cm_id));
+ pr_err("Can't create cm id: %ld\n", PTR_ERR(cm_id));
return PTR_ERR(cm_id);
}
ret = rdma_bind_addr(cm_id, (struct sockaddr *)&sin);
if (ret) {
- ksmbd_err("Can't bind: %d\n", ret);
+ pr_err("Can't bind: %d\n", ret);
goto err;
}
@@ -1976,7 +1976,7 @@ static int smb_direct_listen(int port)
ret = rdma_listen(cm_id, 10);
if (ret) {
- ksmbd_err("Can't listen: %d\n", ret);
+ pr_err("Can't listen: %d\n", ret);
goto err;
}
return 0;
@@ -2006,7 +2006,7 @@ int ksmbd_rdma_init(void)
if (ret) {
destroy_workqueue(smb_direct_wq);
smb_direct_wq = NULL;
- ksmbd_err("Can't listen: %d\n", ret);
+ pr_err("Can't listen: %d\n", ret);
return ret;
}
diff --git a/fs/cifsd/transport_tcp.c b/fs/cifsd/transport_tcp.c
index 16702b7874f4..56ec11ff5a9f 100644
--- a/fs/cifsd/transport_tcp.c
+++ b/fs/cifsd/transport_tcp.c
@@ -190,7 +190,7 @@ static int ksmbd_tcp_new_connection(struct socket *client_sk)
csin = KSMBD_TCP_PEER_SOCKADDR(KSMBD_TRANS(t)->conn);
if (kernel_getpeername(client_sk, csin) < 0) {
- ksmbd_err("client ip resolution failed\n");
+ pr_err("client ip resolution failed\n");
rc = -EINVAL;
goto out_error;
}
@@ -200,7 +200,7 @@ static int ksmbd_tcp_new_connection(struct socket *client_sk)
"ksmbd:%u",
ksmbd_tcp_get_port(csin));
if (IS_ERR(KSMBD_TRANS(t)->handler)) {
- ksmbd_err("cannot start conn thread\n");
+ pr_err("cannot start conn thread\n");
rc = PTR_ERR(KSMBD_TRANS(t)->handler);
free_transport(t);
}
@@ -380,7 +380,7 @@ static void tcp_destroy_socket(struct socket *ksmbd_socket)
ret = kernel_sock_shutdown(ksmbd_socket, SHUT_RDWR);
if (ret)
- ksmbd_err("Failed to shutdown socket: %d\n", ret);
+ pr_err("Failed to shutdown socket: %d\n", ret);
else
sock_release(ksmbd_socket);
}
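Review bot: in tcp_destroy_socket() sock_release() sits in the else branch, so when kernel_sock_shutdown() fails the function only logs and returns without releasing the socket. Unless a caller releases it elsewhere, that is a leak on the error path. Not introduced by this patch, but worth restructuring so the release happens regardless of the shutdown result.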
@@ -400,11 +400,11 @@ static int create_socket(struct interface *iface)
ret = sock_create(PF_INET6, SOCK_STREAM, IPPROTO_TCP, &ksmbd_socket);
if (ret) {
- ksmbd_err("Can't create socket for ipv6, try ipv4: %d\n", ret);
+ pr_err("Can't create socket for ipv6, try ipv4: %d\n", ret);
ret = sock_create(PF_INET, SOCK_STREAM, IPPROTO_TCP,
&ksmbd_socket);
if (ret) {
- ksmbd_err("Can't create socket for ipv4: %d\n", ret);
+ pr_err("Can't create socket for ipv4: %d\n", ret);
goto out_error;
}
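Review bot: "Can't create socket for ipv6, try ipv4: %d" in create_socket() is printed on a path that is handled by the IPv4 fallback right after it, so hosts without IPv6 will get an error-level line on every start. Suggest pr_info or pr_warn for the fallback message and keeping pr_err only for the IPv4 failure, where the function actually bails out.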
@@ -427,7 +427,7 @@ static int create_socket(struct interface *iface)
KERNEL_SOCKPTR(iface->name),
strlen(iface->name));
if (ret != -ENODEV && ret < 0) {
- ksmbd_err("Failed to set SO_BINDTODEVICE: %d\n", ret);
+ pr_err("Failed to set SO_BINDTODEVICE: %d\n", ret);
goto out_error;
}
@@ -438,7 +438,7 @@ static int create_socket(struct interface *iface)
ret = kernel_bind(ksmbd_socket, (struct sockaddr *)&sin6,
sizeof(sin6));
if (ret) {
- ksmbd_err("Failed to bind socket: %d\n", ret);
+ pr_err("Failed to bind socket: %d\n", ret);
goto out_error;
}
@@ -447,14 +447,14 @@ static int create_socket(struct interface *iface)
ret = kernel_listen(ksmbd_socket, KSMBD_SOCKET_BACKLOG);
if (ret) {
- ksmbd_err("Port listen() error: %d\n", ret);
+ pr_err("Port listen() error: %d\n", ret);
goto out_error;
}
iface->ksmbd_socket = ksmbd_socket;
ret = ksmbd_tcp_run_kthread(iface);
if (ret) {
- ksmbd_err("Can't start ksmbd main kthread: %d\n", ret);
+ pr_err("Can't start ksmbd main kthread: %d\n", ret);
goto out_error;
}
iface->state = IFACE_STATE_CONFIGURED;
@@ -540,7 +540,7 @@ static void tcp_stop_kthread(struct task_struct *kthread)
ret = kthread_stop(kthread);
if (ret)
- ksmbd_err("failed to stop forker thread\n");
+ pr_err("failed to stop forker thread\n");
}
void ksmbd_tcp_destroy(void)
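Review bot: the message in tcp_stop_kthread() drops the return value. kthread_stop() returns the thread function's exit code (or -EINTR if the thread never ran), so "failed to stop forker thread" without ret hides the only detail that distinguishes the cases. Please add ": %d\n", ret as the other messages in this file do.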
diff --git a/fs/cifsd/vfs.c b/fs/cifsd/vfs.c
index ef74e56cd05f..ad08bad8df4e 100644
--- a/fs/cifsd/vfs.c
+++ b/fs/cifsd/vfs.c
@@ -45,7 +45,7 @@ static char *extract_last_component(char *path)
p++;
} else {
p = NULL;
- ksmbd_err("Invalid path %s\n", path);
+ pr_err("Invalid path %s\n", path);
}
return p;
}
@@ -170,8 +170,8 @@ int ksmbd_vfs_create(struct ksmbd_work *work, const char *name, umode_t mode)
if (IS_ERR(dentry)) {
err = PTR_ERR(dentry);
if (err != -ENOENT)
- ksmbd_err("path create failed for %s, err %d\n",
- name, err);
+ pr_err("path create failed for %s, err %d\n",
+ name, err);
return err;
}
@@ -181,7 +181,7 @@ int ksmbd_vfs_create(struct ksmbd_work *work, const char *name, umode_t mode)
ksmbd_vfs_inherit_owner(work, d_inode(path.dentry),
d_inode(dentry));
} else {
- ksmbd_err("File(%s): creation failed (err:%d)\n", name, err);
+ pr_err("File(%s): creation failed (err:%d)\n", name, err);
}
done_path_create(&path, dentry);
return err;
@@ -235,7 +235,7 @@ int ksmbd_vfs_mkdir(struct ksmbd_work *work, const char *name, umode_t mode)
out:
done_path_create(&path, dentry);
if (err)
- ksmbd_err("mkdir(%s): creation failed (err:%d)\n", name, err);
+ pr_err("mkdir(%s): creation failed (err:%d)\n", name, err);
return err;
}
@@ -259,7 +259,7 @@ static ssize_t ksmbd_vfs_getcasexattr(struct dentry *dentry, char *attr_name,
name,
attr_value);
if (value_len < 0)
- ksmbd_err("failed to get xattr in file\n");
+ pr_err("failed to get xattr in file\n");
break;
}
@@ -324,7 +324,7 @@ static int check_lock_range(struct file *filp, loff_t start, loff_t end,
if (flock->fl_end >= start && end >= flock->fl_start) {
if (flock->fl_type == F_RDLCK) {
if (type == WRITE) {
- ksmbd_err("not allow write by shared lock\n");
+ pr_err("not allow write by shared lock\n");
error = 1;
goto out;
}
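Review bot: the "not allow write by shared lock" message in check_lock_range() is printed for an ordinary byte-range lock conflict, which is expected behaviour whenever clients contend for a file, and the caller prints a second error ("unable to write due to lock") for the same event. This one should be debug level, or at least rate limited, so that normal lock contention does not show up as a stream of kernel errors.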
@@ -332,7 +332,7 @@ static int check_lock_range(struct file *filp, loff_t start, loff_t end,
/* check owner in lock */
if (flock->fl_file != filp) {
error = 1;
- ksmbd_err("not allow rw access by exclusive lock from other opens\n");
+ pr_err("not allow rw access by exclusive lock from other opens\n");
goto out;
}
}
@@ -368,7 +368,7 @@ int ksmbd_vfs_read(struct ksmbd_work *work, struct ksmbd_file *fp, size_t count,
if (work->conn->connection_type) {
if (!(fp->daccess & (FILE_READ_DATA_LE | FILE_EXECUTE_LE))) {
- ksmbd_err("no right to read(%s)\n", FP_FILENAME(fp));
+ pr_err("no right to read(%s)\n", FP_FILENAME(fp));
return -EACCES;
}
}
@@ -381,15 +381,15 @@ int ksmbd_vfs_read(struct ksmbd_work *work, struct ksmbd_file *fp, size_t count,
ret = check_lock_range(filp, *pos, *pos + count - 1, READ);
if (ret) {
- ksmbd_err("unable to read due to lock\n");
+ pr_err("unable to read due to lock\n");
return -EAGAIN;
}
}
nbytes = kernel_read(filp, rbuf, count, pos);
if (nbytes < 0) {
- ksmbd_err("smb read failed for (%s), err = %zd\n",
- fp->filename, nbytes);
+ pr_err("smb read failed for (%s), err = %zd\n",
+ fp->filename, nbytes);
return nbytes;
}
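Review bot: the "smb read failed" message in ksmbd_vfs_read() prints fp->filename directly, while the "no right to read(%s)" message in the previous hunk of the same function uses FP_FILENAME(fp). Please use one accessor consistently. Both names come from the client's request, so these two messages are also candidates for pr_err_ratelimited.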
@@ -418,7 +418,7 @@ static int ksmbd_vfs_stream_write(struct ksmbd_file *fp, char *buf, loff_t *pos,
fp->stream.size,
&stream_buf);
if ((int)v_len < 0) {
- ksmbd_err("not found stream in xattr : %zd\n", v_len);
+ pr_err("not found stream in xattr : %zd\n", v_len);
err = (int)v_len;
goto out;
}
@@ -476,7 +476,7 @@ int ksmbd_vfs_write(struct ksmbd_work *work, struct ksmbd_file *fp,
if (sess->conn->connection_type) {
if (!(fp->daccess & FILE_WRITE_DATA_LE)) {
- ksmbd_err("no right to write(%s)\n", FP_FILENAME(fp));
+ pr_err("no right to write(%s)\n", FP_FILENAME(fp));
err = -EACCES;
goto out;
}
@@ -494,7 +494,7 @@ int ksmbd_vfs_write(struct ksmbd_work *work, struct ksmbd_file *fp,
if (!work->tcon->posix_extensions) {
err = check_lock_range(filp, *pos, *pos + count - 1, WRITE);
if (err) {
- ksmbd_err("unable to write due to lock\n");
+ pr_err("unable to write due to lock\n");
err = -EAGAIN;
goto out;
}
@@ -515,8 +515,8 @@ int ksmbd_vfs_write(struct ksmbd_work *work, struct ksmbd_file *fp,
if (sync) {
err = vfs_fsync_range(filp, offset, offset + *written, 0);
if (err < 0)
- ksmbd_err("fsync failed for filename = %s, err = %d\n",
- FP_FILENAME(fp), err);
+ pr_err("fsync failed for filename = %s, err = %d\n",
+ FP_FILENAME(fp), err);
}
out:
@@ -537,7 +537,7 @@ int ksmbd_vfs_getattr(struct path *path, struct kstat *stat)
err = vfs_getattr(path, stat, STATX_BTIME, AT_STATX_SYNC_AS_STAT);
if (err)
- ksmbd_err("getattr failed, err %d\n", err);
+ pr_err("getattr failed, err %d\n", err);
return err;
}
@@ -555,12 +555,12 @@ int ksmbd_vfs_fsync(struct ksmbd_work *work, u64 fid, u64 p_id)
fp = ksmbd_lookup_fd_slow(work, fid, p_id);
if (!fp) {
- ksmbd_err("failed to get filp for fid %llu\n", fid);
+ pr_err("failed to get filp for fid %llu\n", fid);
return -ENOENT;
}
err = vfs_fsync(fp->filp, 0);
if (err < 0)
- ksmbd_err("smb fsync failed, err = %d\n", err);
+ pr_err("smb fsync failed, err = %d\n", err);
ksmbd_fd_put(work, fp);
return err;
}
@@ -654,8 +654,8 @@ int ksmbd_vfs_link(struct ksmbd_work *work, const char *oldname,
err = kern_path(oldname, flags, &oldpath);
if (err) {
- ksmbd_err("cannot get linux path for %s, err = %d\n",
- oldname, err);
+ pr_err("cannot get linux path for %s, err = %d\n",
+ oldname, err);
goto out1;
}
@@ -663,13 +663,13 @@ int ksmbd_vfs_link(struct ksmbd_work *work, const char *oldname,
flags | LOOKUP_REVAL);
if (IS_ERR(dentry)) {
err = PTR_ERR(dentry);
- ksmbd_err("path create err for %s, err %d\n", newname, err);
+ pr_err("path create err for %s, err %d\n", newname, err);
goto out2;
}
err = -EXDEV;
if (oldpath.mnt != newpath.mnt) {
- ksmbd_err("vfs_link failed err %d\n", err);
+ pr_err("vfs_link failed err %d\n", err);
goto out3;
}
@@ -730,7 +730,7 @@ static int __ksmbd_vfs_rename(struct ksmbd_work *work,
dst_dent = lookup_one_len(dst_name, dst_dent_parent, strlen(dst_name));
err = PTR_ERR(dst_dent);
if (IS_ERR(dst_dent)) {
- ksmbd_err("lookup failed %s [%d]\n", dst_name, err);
+ pr_err("lookup failed %s [%d]\n", dst_name, err);
goto out;
}
@@ -747,7 +747,7 @@ static int __ksmbd_vfs_rename(struct ksmbd_work *work,
err = vfs_rename(&rd);
}
if (err)
- ksmbd_err("vfs_rename failed err %d\n", err);
+ pr_err("vfs_rename failed err %d\n", err);
if (dst_dent)
dput(dst_dent);
out:
@@ -835,14 +835,14 @@ int ksmbd_vfs_truncate(struct ksmbd_work *work, const char *name,
if (name) {
err = kern_path(name, 0, &path);
if (err) {
- ksmbd_err("cannot get linux path for %s, err %d\n",
- name, err);
+ pr_err("cannot get linux path for %s, err %d\n",
+ name, err);
return err;
}
err = vfs_truncate(&path, size);
if (err)
- ksmbd_err("truncate failed for %s err %d\n",
- name, err);
+ pr_err("truncate failed for %s err %d\n",
+ name, err);
path_put(&path);
} else {
struct file *filp;
@@ -864,15 +864,15 @@ int ksmbd_vfs_truncate(struct ksmbd_work *work, const char *name,
}
if (err) {
- ksmbd_err("failed due to lock\n");
+ pr_err("failed due to lock\n");
return -EAGAIN;
}
}
err = vfs_truncate(&filp->f_path, size);
if (err)
- ksmbd_err("truncate failed for filename : %s err %d\n",
- fp->filename, err);
+ pr_err("truncate failed for filename : %s err %d\n",
+ fp->filename, err);
}
return err;
@@ -1458,7 +1458,7 @@ static struct xattr_smb_acl *ksmbd_vfs_make_xattr_posix_acl(struct inode *inode,
xa_entry->type = SMB_ACL_MASK;
break;
default:
- ksmbd_err("unknown type : 0x%x\n", pa_entry->e_tag);
+ pr_err("unknown type : 0x%x\n", pa_entry->e_tag);
goto out;
}
@@ -1502,7 +1502,7 @@ int ksmbd_vfs_set_sd_xattr(struct ksmbd_conn *conn, struct dentry *dentry,
rc = ksmbd_gen_sd_hash(conn, acl.sd_buf, acl.sd_size, acl.hash);
if (rc) {
- ksmbd_err("failed to generate hash for ndr acl\n");
+ pr_err("failed to generate hash for ndr acl\n");
return rc;
}
@@ -1513,27 +1513,27 @@ int ksmbd_vfs_set_sd_xattr(struct ksmbd_conn *conn, struct dentry *dentry,
rc = ndr_encode_posix_acl(&acl_ndr, inode, smb_acl, def_smb_acl);
if (rc) {
- ksmbd_err("failed to encode ndr to posix acl\n");
+ pr_err("failed to encode ndr to posix acl\n");
goto out;
}
rc = ksmbd_gen_sd_hash(conn, acl_ndr.data, acl_ndr.offset,
acl.posix_acl_hash);
if (rc) {
- ksmbd_err("failed to generate hash for ndr acl\n");
+ pr_err("failed to generate hash for ndr acl\n");
goto out;
}
rc = ndr_encode_v4_ntacl(&sd_ndr, &acl);
if (rc) {
- ksmbd_err("failed to encode ndr to posix acl\n");
+ pr_err("failed to encode ndr to posix acl\n");
goto out;
}
rc = ksmbd_vfs_setxattr(dentry, XATTR_NAME_SD, sd_ndr.data,
sd_ndr.offset, 0);
if (rc < 0)
- ksmbd_err("Failed to store XATTR ntacl :%d\n", rc);
+ pr_err("Failed to store XATTR ntacl :%d\n", rc);
kfree(sd_ndr.data);
out:
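Review bot: the message printed when ndr_encode_v4_ntacl() fails is "failed to encode ndr to posix acl", identical to the one printed for ndr_encode_posix_acl() just above it. With both at pr_err level the two failures cannot be told apart in the log. The second message should name the NT ACL encoding step, and including rc in each would make them actionable.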
@@ -1570,19 +1570,19 @@ int ksmbd_vfs_get_sd_xattr(struct ksmbd_conn *conn, struct dentry *dentry,
rc = ndr_encode_posix_acl(&acl_ndr, inode, smb_acl, def_smb_acl);
if (rc) {
- ksmbd_err("failed to encode ndr to posix acl\n");
+ pr_err("failed to encode ndr to posix acl\n");
goto out;
}
rc = ksmbd_gen_sd_hash(conn, acl_ndr.data, acl_ndr.offset,
cmp_hash);
if (rc) {
- ksmbd_err("failed to generate hash for ndr acl\n");
+ pr_err("failed to generate hash for ndr acl\n");
goto out;
}
if (memcmp(cmp_hash, acl.posix_acl_hash, XATTR_SD_HASH_SIZE)) {
- ksmbd_err("hash value diff\n");
+ pr_err("hash value diff\n");
rc = -EINVAL;
goto out;
}
@@ -1821,11 +1821,11 @@ int ksmbd_vfs_copy_file_ranges(struct ksmbd_work *work,
*total_size_written = 0;
if (!(src_fp->daccess & (FILE_READ_DATA_LE | FILE_EXECUTE_LE))) {
- ksmbd_err("no right to read(%s)\n", FP_FILENAME(src_fp));
+ pr_err("no right to read(%s)\n", FP_FILENAME(src_fp));
return -EACCES;
}
if (!(dst_fp->daccess & (FILE_WRITE_DATA_LE | FILE_APPEND_DATA_LE))) {
- ksmbd_err("no right to write(%s)\n", FP_FILENAME(dst_fp));
+ pr_err("no right to write(%s)\n", FP_FILENAME(dst_fp));
return -EACCES;
}
diff --git a/fs/cifsd/vfs_cache.c b/fs/cifsd/vfs_cache.c
index 4cf14c247e9e..c88210b15289 100644
--- a/fs/cifsd/vfs_cache.c
+++ b/fs/cifsd/vfs_cache.c
@@ -185,7 +185,7 @@ static struct ksmbd_inode *ksmbd_inode_get(struct ksmbd_file *fp)
rc = ksmbd_inode_init(ci, fp);
if (rc) {
- ksmbd_err("inode initialized failed\n");
+ pr_err("inode initialized failed\n");
kfree(ci);
return NULL;
}
@@ -254,8 +254,8 @@ static void __ksmbd_inode_close(struct ksmbd_file *fp)
err = ksmbd_vfs_remove_xattr(filp->f_path.dentry,
fp->stream.name);
if (err)
- ksmbd_err("remove xattr failed : %s\n",
- fp->stream.name);
+ pr_err("remove xattr failed : %s\n",
+ fp->stream.name);
}
if (atomic_dec_and_test(&ci->m_count)) {
@@ -542,7 +542,7 @@ struct ksmbd_file *ksmbd_open_fd(struct ksmbd_work *work, struct file *filp)
fp = kmem_cache_zalloc(filp_cache, GFP_KERNEL);
if (!fp) {
- ksmbd_err("Failed to allocate memory\n");
+ pr_err("Failed to allocate memory\n");
return ERR_PTR(-ENOMEM);
}
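Review bot: the pr_err("Failed to allocate memory\n") after kmem_cache_zalloc() in ksmbd_open_fd() is redundant, because the allocator already reports a failed GFP_KERNEL allocation and checkpatch flags such messages. Rather than converting it, drop the message and keep only the ERR_PTR(-ENOMEM) return.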
@@ -698,7 +698,7 @@ int ksmbd_init_file_cache(void)
return 0;
out:
- ksmbd_err("failed to allocate file cache\n");
+ pr_err("failed to allocate file cache\n");
return -ENOMEM;
}
From patchwork Mon Nov 14 12:50:31 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Jason Yan <yanaijie(a)huawei.com>
X-Patchwork-Id: 183219
Return-Path: <yanaijie(a)huawei.com>
From: Jason Yan <yanaijie(a)huawei.com>
To: <yanaijie(a)huawei.com>, <zhengzengkai(a)huawei.com>, <xiexiuqi(a)huawei.com>,
<yi.zhang(a)huawei.com>, <patchwork(a)huawei.com>, <kernel.openeuler(a)huawei.com>,
<houtao1(a)huawei.com>
Subject: [PATCH OLK-5.10 v2 122/308] ksmbd: opencode to avoid trivial wrappers
Date: Mon, 14 Nov 2022 20:50:31 +0800
Message-ID: <20221114125337.1831594-123-yanaijie(a)huawei.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20221114125337.1831594-1-yanaijie(a)huawei.com>
References: <20221114125337.1831594-1-yanaijie(a)huawei.com>
Content-Type: text/plain
From: Namjae Jeon <namjae.jeon(a)samsung.com>
mainline inclusion
from mainline-5.15-rc1
commit e8c061917133dd77410239bfc0fae151b1955af2
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G
CVE: NA
Reference: https://git.kernel.org/torvalds/linux/c/e8c061917133
-------------------------------
Opencode to avoid trivial wrappers that just make the code hard to
follow.
Reviewed-by: Christoph Hellwig <hch(a)lst.de>
Signed-off-by: Namjae Jeon <namjae.jeon(a)samsung.com>
Signed-off-by: Steve French <stfrench(a)microsoft.com>
Signed-off-by: Jason Yan <yanaijie(a)huawei.com>
---
fs/cifsd/smb2pdu.c | 19 ++++++++++++-------
fs/cifsd/vfs.c | 30 ++----------------------------
fs/cifsd/vfs.h | 4 ----
3 files changed, 14 insertions(+), 39 deletions(-)
diff --git a/fs/cifsd/smb2pdu.c b/fs/cifsd/smb2pdu.c
index 84f4cd7f545f..96a0cb512882 100644
--- a/fs/cifsd/smb2pdu.c
+++ b/fs/cifsd/smb2pdu.c
@@ -10,6 +10,7 @@
#include <linux/namei.h>
#include <linux/statfs.h>
#include <linux/ethtool.h>
+#include <linux/falloc.h>
#include "glob.h"
#include "smb2pdu.h"
@@ -2948,10 +2949,12 @@ int smb2_open(struct ksmbd_work *work)
ksmbd_debug(SMB,
"request smb2 create allocate size : %llu\n",
alloc_size);
- err = ksmbd_vfs_alloc_size(work, fp, alloc_size);
+ smb_break_all_levII_oplock(work, fp, 1);
+ err = vfs_fallocate(fp->filp, FALLOC_FL_KEEP_SIZE, 0,
+ alloc_size);
if (err < 0)
ksmbd_debug(SMB,
- "ksmbd_vfs_alloc_size is failed : %d\n",
+ "vfs_fallocate is failed : %d\n",
err);
}
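Review bot: in smb2_open() a vfs_fallocate() failure is only reported through ksmbd_debug() and the visible lines leave err negative afterwards, whereas set_file_allocation_info() later in this patch explicitly tolerates -EOPNOTSUPP. Please confirm that err is reset or deliberately ignored after this block so that an allocation hint on a filesystem without fallocate support does not fail the open. The message would also read better as "vfs_fallocate failed : %d".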
@@ -3762,7 +3765,7 @@ int smb2_query_dir(struct ksmbd_work *work)
dir_fp->readdir_data.private = &query_dir_private;
set_ctx_actor(&dir_fp->readdir_data.ctx, __query_dir);
- rc = ksmbd_vfs_readdir(dir_fp->filp, &dir_fp->readdir_data);
+ rc = iterate_dir(dir_fp->filp, &dir_fp->readdir_data.ctx);
if (rc == 0)
restart_ctx(&dir_fp->readdir_data.ctx);
if (rc == -ENOSPC)
@@ -5465,9 +5468,11 @@ static int set_file_allocation_info(struct ksmbd_work *work,
inode = file_inode(fp->filp);
if (alloc_blks > inode->i_blocks) {
- rc = ksmbd_vfs_alloc_size(work, fp, alloc_blks * 512);
+ smb_break_all_levII_oplock(work, fp, 1);
+ rc = vfs_fallocate(fp->filp, FALLOC_FL_KEEP_SIZE, 0,
+ alloc_blks * 512);
if (rc && rc != -EOPNOTSUPP) {
- pr_err("ksmbd_vfs_alloc_size is failed : %d\n", rc);
+ pr_err("vfs_fallocate is failed : %d\n", rc);
return rc;
}
} else if (alloc_blks < inode->i_blocks) {
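Review bot: the removed ksmbd_vfs_alloc_size() was not a pure pass-through; it paired smb_break_all_levII_oplock() with vfs_fallocate(), and that pairing is now duplicated here and in smb2_open(). A later caller that adds a vfs_fallocate() call can easily omit the oplock break. Either keep a small static helper for this one case or add a comment at both sites stating that the level II oplock break must precede the allocation.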
@@ -6672,7 +6677,7 @@ int smb2_lock(struct ksmbd_work *work)
flock = smb_lock->fl;
list_del(&smb_lock->llist);
retry:
- err = ksmbd_vfs_lock(filp, smb_lock->cmd, flock);
+ err = vfs_lock_file(filp, smb_lock->cmd, flock, NULL);
skip:
if (flags & SMB2_LOCKFLAG_UNLOCK) {
if (!err) {
@@ -6785,7 +6790,7 @@ int smb2_lock(struct ksmbd_work *work)
rlock->fl_start = smb_lock->start;
rlock->fl_end = smb_lock->end;
- err = ksmbd_vfs_lock(filp, 0, rlock);
+ err = vfs_lock_file(filp, 0, rlock, NULL);
if (err)
pr_err("rollback unlock fail : %d\n", err);
list_del(&smb_lock->llist);
diff --git a/fs/cifsd/vfs.c b/fs/cifsd/vfs.c
index ad08bad8df4e..1ba3fd95ba6b 100644
--- a/fs/cifsd/vfs.c
+++ b/fs/cifsd/vfs.c
@@ -1000,32 +1000,6 @@ void ksmbd_vfs_set_fadvise(struct file *filp, __le32 option)
}
}
-/**
- * ksmbd_vfs_lock() - vfs helper for smb file locking
- * @filp: the file to apply the lock to
- * @cmd: type of locking operation (F_SETLK, F_GETLK, etc.)
- * @flock: The lock to be applied
- *
- * Return: 0 on success, otherwise error
- */
-int ksmbd_vfs_lock(struct file *filp, int cmd, struct file_lock *flock)
-{
- ksmbd_debug(VFS, "calling vfs_lock_file\n");
- return vfs_lock_file(filp, cmd, flock, NULL);
-}
-
-int ksmbd_vfs_readdir(struct file *file, struct ksmbd_readdir_data *rdata)
-{
- return iterate_dir(file, &rdata->ctx);
-}
-
-int ksmbd_vfs_alloc_size(struct ksmbd_work *work, struct ksmbd_file *fp,
- loff_t len)
-{
- smb_break_all_levII_oplock(work, fp, 1);
- return vfs_fallocate(fp->filp, FALLOC_FL_KEEP_SIZE, 0, len);
-}
-
int ksmbd_vfs_zero_data(struct ksmbd_work *work, struct ksmbd_file *fp,
loff_t off, loff_t len)
{
@@ -1216,7 +1190,7 @@ int ksmbd_vfs_empty_dir(struct ksmbd_file *fp)
set_ctx_actor(&readdir_data.ctx, __dir_empty);
readdir_data.dirent_count = 0;
- err = ksmbd_vfs_readdir(fp->filp, &readdir_data);
+ err = iterate_dir(fp->filp, &readdir_data.ctx);
if (readdir_data.dirent_count > 2)
err = -ENOTEMPTY;
else
@@ -1266,7 +1240,7 @@ static int ksmbd_vfs_lookup_in_dir(struct path *dir, char *name, size_t namelen)
if (IS_ERR(dfilp))
return PTR_ERR(dfilp);
- ret = ksmbd_vfs_readdir(dfilp, &readdir_data);
+ ret = iterate_dir(dfilp, &readdir_data.ctx);
if (readdir_data.dirent_count > 0)
ret = 0;
fput(dfilp);
diff --git a/fs/cifsd/vfs.h b/fs/cifsd/vfs.h
index 03b877e6520b..e1021f579f37 100644
--- a/fs/cifsd/vfs.h
+++ b/fs/cifsd/vfs.h
@@ -232,10 +232,6 @@ int ksmbd_vfs_kern_path(char *name, unsigned int flags, struct path *path,
bool caseless);
int ksmbd_vfs_empty_dir(struct ksmbd_file *fp);
void ksmbd_vfs_set_fadvise(struct file *filp, __le32 option);
-int ksmbd_vfs_lock(struct file *filp, int cmd, struct file_lock *flock);
-int ksmbd_vfs_readdir(struct file *file, struct ksmbd_readdir_data *rdata);
-int ksmbd_vfs_alloc_size(struct ksmbd_work *work, struct ksmbd_file *fp,
- loff_t len);
int ksmbd_vfs_zero_data(struct ksmbd_work *work, struct ksmbd_file *fp,
loff_t off, loff_t len);
struct file_allocated_range_buffer;
From patchwork Mon Nov 14 12:50:32 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Jason Yan <yanaijie(a)huawei.com>
X-Patchwork-Id: 183222
Return-Path: <yanaijie(a)huawei.com>
From: Jason Yan <yanaijie(a)huawei.com>
To: <yanaijie(a)huawei.com>, <zhengzengkai(a)huawei.com>, <xiexiuqi(a)huawei.com>,
<yi.zhang(a)huawei.com>, <patchwork(a)huawei.com>, <kernel.openeuler(a)huawei.com>,
<houtao1(a)huawei.com>
Subject: [PATCH OLK-5.10 v2 123/308] ksmbd: factor out a
ksmbd_validate_entry_in_use helper from __ksmbd_vfs_rename
Date: Mon, 14 Nov 2022 20:50:32 +0800
Message-ID: <20221114125337.1831594-124-yanaijie(a)huawei.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20221114125337.1831594-1-yanaijie(a)huawei.com>
References: <20221114125337.1831594-1-yanaijie(a)huawei.com>
Content-Type: text/plain
From: Namjae Jeon <namjae.jeon(a)samsung.com>
mainline inclusion
from mainline-5.15-rc1
commit 4b637fc18902600dfe722f9b1a45950bfc8bc7b5
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G
CVE: NA
Reference: https://git.kernel.org/torvalds/linux/c/4b637fc18902
-------------------------------
Factor out a self-contained helper to find sub file/dir in use.
Reviewed-by: Christoph Hellwig <hch(a)lst.de>
Signed-off-by: Namjae Jeon <namjae.jeon(a)samsung.com>
Signed-off-by: Steve French <stfrench(a)microsoft.com>
Signed-off-by: Jason Yan <yanaijie(a)huawei.com>
---
fs/cifsd/vfs.c | 41 ++++++++++++++++++++++++++---------------
1 file changed, 26 insertions(+), 15 deletions(-)
diff --git a/fs/cifsd/vfs.c b/fs/cifsd/vfs.c
index 1ba3fd95ba6b..ca4c6c020a8e 100644
--- a/fs/cifsd/vfs.c
+++ b/fs/cifsd/vfs.c
@@ -687,6 +687,29 @@ int ksmbd_vfs_link(struct ksmbd_work *work, const char *oldname,
return err;
}
+static int ksmbd_validate_entry_in_use(struct dentry *src_dent)
+{
+ struct dentry *dst_dent;
+
+ spin_lock(&src_dent->d_lock);
+ list_for_each_entry(dst_dent, &src_dent->d_subdirs, d_child) {
+ struct ksmbd_file *child_fp;
+
+ if (d_really_is_negative(dst_dent))
+ continue;
+
+ child_fp = ksmbd_lookup_fd_inode(d_inode(dst_dent));
+ if (child_fp) {
+ spin_unlock(&src_dent->d_lock);
+ ksmbd_debug(VFS, "Forbid rename, sub file/dir is in use\n");
+ return -EACCES;
+ }
+ }
+ spin_unlock(&src_dent->d_lock);
+
+ return 0;
+}
+
static int __ksmbd_vfs_rename(struct ksmbd_work *work,
struct dentry *src_dent_parent,
struct dentry *src_dent,
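Review bot: ksmbd_validate_entry_in_use() drops src_dent->d_lock before returning 0, so the "not in use" result is only a snapshot and a child can be opened before the rename in __ksmbd_vfs_rename() proceeds. That matches the old inline code, but as a named helper it deserves a short comment saying the result is advisory and what the return values mean. Also, child_fp is tested and then discarded; if ksmbd_lookup_fd_inode() takes a reference on the returned file, it has to be released before the -EACCES return. The loop variable would be clearer as "child" than "dst_dent".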
@@ -698,21 +721,9 @@ static int __ksmbd_vfs_rename(struct ksmbd_work *work,
int err;
if (!work->tcon->posix_extensions) {
- spin_lock(&src_dent->d_lock);
- list_for_each_entry(dst_dent, &src_dent->d_subdirs, d_child) {
- struct ksmbd_file *child_fp;
-
- if (d_really_is_negative(dst_dent))
- continue;
-
- child_fp = ksmbd_lookup_fd_inode(d_inode(dst_dent));
- if (child_fp) {
- spin_unlock(&src_dent->d_lock);
- ksmbd_debug(VFS, "Forbid rename, sub file/dir is in use\n");
- return -EACCES;
- }
- }
- spin_unlock(&src_dent->d_lock);
+ err = ksmbd_validate_entry_in_use(src_dent);
+ if (err)
+ return err;
}
if (d_really_is_negative(src_dent_parent))
From patchwork Mon Nov 14 12:50:33 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Jason Yan <yanaijie(a)huawei.com>
X-Patchwork-Id: 183220
Return-Path: <yanaijie(a)huawei.com>
From: Jason Yan <yanaijie(a)huawei.com>
To: <yanaijie(a)huawei.com>, <zhengzengkai(a)huawei.com>, <xiexiuqi(a)huawei.com>,
<yi.zhang(a)huawei.com>, <patchwork(a)huawei.com>, <kernel.openeuler(a)huawei.com>,
<houtao1(a)huawei.com>
Subject: [PATCH OLK-5.10 v2 124/308] ksmbd: opencode posix acl functions
instead of wrappers
Date: Mon, 14 Nov 2022 20:50:33 +0800
Message-ID: <20221114125337.1831594-125-yanaijie(a)huawei.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20221114125337.1831594-1-yanaijie(a)huawei.com>
References: <20221114125337.1831594-1-yanaijie(a)huawei.com>
Content-Type: text/plain
From: Namjae Jeon <namjae.jeon(a)samsung.com>
mainline inclusion
from mainline-5.15-rc1
commit 67d1c432994cbf30f63ec35abba493b027f0c910
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G
CVE: NA
Reference: https://git.kernel.org/torvalds/linux/c/67d1c432994c
-------------------------------
Add select FS_POSIX_ACL in Kconfig and then opencode posix acl functions
instead of wrappers
Reviewed-by: Christoph Hellwig <hch(a)lst.de>
Signed-off-by: Namjae Jeon <namjae.jeon(a)samsung.com>
Signed-off-by: Steve French <stfrench(a)microsoft.com>
Signed-off-by: Jason Yan <yanaijie(a)huawei.com>
---
fs/cifsd/smb2pdu.c | 4 ++--
fs/cifsd/smbacl.c | 14 +++++++-------
fs/cifsd/vfs.c | 44 +++++++++-----------------------------------
fs/cifsd/vfs.h | 4 ----
4 files changed, 18 insertions(+), 48 deletions(-)
diff --git a/fs/cifsd/smb2pdu.c b/fs/cifsd/smb2pdu.c
index 96a0cb512882..0d004c6d1c63 100644
--- a/fs/cifsd/smb2pdu.c
+++ b/fs/cifsd/smb2pdu.c
@@ -2327,9 +2327,9 @@ static void ksmbd_acls_fattr(struct smb_fattr *fattr, struct inode *inode)
fattr->cf_mode = inode->i_mode;
fattr->cf_dacls = NULL;
- fattr->cf_acls = ksmbd_vfs_get_acl(inode, ACL_TYPE_ACCESS);
+ fattr->cf_acls = get_acl(inode, ACL_TYPE_ACCESS);
if (S_ISDIR(inode->i_mode))
- fattr->cf_dacls = ksmbd_vfs_get_acl(inode, ACL_TYPE_DEFAULT);
+ fattr->cf_dacls = get_acl(inode, ACL_TYPE_DEFAULT);
}
/**
diff --git a/fs/cifsd/smbacl.c b/fs/cifsd/smbacl.c
index 23c952612db4..958937a548a1 100644
--- a/fs/cifsd/smbacl.c
+++ b/fs/cifsd/smbacl.c
@@ -532,7 +532,7 @@ static void parse_dacl(struct smb_acl *pdacl, char *end_of_acl,
if (acl_state.users->n || acl_state.groups->n) {
acl_state.mask.allow = 0x07;
- fattr->cf_acls = ksmbd_vfs_posix_acl_alloc(acl_state.users->n +
+ fattr->cf_acls = posix_acl_alloc(acl_state.users->n +
acl_state.groups->n + 4, GFP_KERNEL);
if (fattr->cf_acls) {
cf_pace = fattr->cf_acls->a_entries;
@@ -543,7 +543,7 @@ static void parse_dacl(struct smb_acl *pdacl, char *end_of_acl,
if (default_acl_state.users->n || default_acl_state.groups->n) {
default_acl_state.mask.allow = 0x07;
fattr->cf_dacls =
- ksmbd_vfs_posix_acl_alloc(default_acl_state.users->n +
+ posix_acl_alloc(default_acl_state.users->n +
default_acl_state.groups->n + 4, GFP_KERNEL);
if (fattr->cf_dacls) {
cf_pdace = fattr->cf_dacls->a_entries;
@@ -1202,7 +1202,7 @@ int smb_check_perm_dacl(struct ksmbd_conn *conn, struct dentry *dentry,
granted = GENERIC_ALL_FLAGS;
}
- posix_acls = ksmbd_vfs_get_acl(d_inode(dentry), ACL_TYPE_ACCESS);
+ posix_acls = get_acl(d_inode(dentry), ACL_TYPE_ACCESS);
if (posix_acls && !found) {
unsigned int id = -1;
@@ -1287,11 +1287,11 @@ int set_info_sec(struct ksmbd_conn *conn, struct ksmbd_tree_connect *tcon,
ksmbd_vfs_remove_acl_xattrs(dentry);
/* Update posix acls */
if (fattr.cf_dacls) {
- rc = ksmbd_vfs_set_posix_acl(inode, ACL_TYPE_ACCESS,
- fattr.cf_acls);
+ rc = set_posix_acl(&init_user_ns, inode, ACL_TYPE_ACCESS,
+ fattr.cf_acls);
if (S_ISDIR(inode->i_mode) && fattr.cf_dacls)
- rc = ksmbd_vfs_set_posix_acl(inode, ACL_TYPE_DEFAULT,
- fattr.cf_dacls);
+ rc = set_posix_acl(&init_user_ns, inode,
+ ACL_TYPE_DEFAULT, fattr.cf_dacls);
}
/* Check it only calling from SD BUFFER context */
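Review bot: in set_info_sec() the outer condition tests fattr.cf_dacls but the first set_posix_acl() call applies fattr.cf_acls, and the inner "&& fattr.cf_dacls" repeats the outer test. If the access ACL should be written whenever cf_acls is present, the outer check looks wrong. The rc from the ACL_TYPE_ACCESS call is also overwritten by the ACL_TYPE_DEFAULT call on directories, so a failure of the first is lost. Both predate this patch, but the lines are being rewritten here, so this is a good place to fix or at least flag them.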
diff --git a/fs/cifsd/vfs.c b/fs/cifsd/vfs.c
index ca4c6c020a8e..e34e536dc9ce 100644
--- a/fs/cifsd/vfs.c
+++ b/fs/cifsd/vfs.c
@@ -1407,7 +1407,7 @@ static struct xattr_smb_acl *ksmbd_vfs_make_xattr_posix_acl(struct inode *inode,
struct xattr_acl_entry *xa_entry;
int i;
- posix_acls = ksmbd_vfs_get_acl(inode, acl_type);
+ posix_acls = get_acl(inode, acl_type);
if (!posix_acls)
return NULL;
@@ -1630,34 +1630,6 @@ int ksmbd_vfs_get_dos_attrib_xattr(struct dentry *dentry,
return err;
}
-struct posix_acl *ksmbd_vfs_posix_acl_alloc(int count, gfp_t flags)
-{
-#if IS_ENABLED(CONFIG_FS_POSIX_ACL)
- return posix_acl_alloc(count, flags);
-#else
- return NULL;
-#endif
-}
-
-struct posix_acl *ksmbd_vfs_get_acl(struct inode *inode, int type)
-{
-#if IS_ENABLED(CONFIG_FS_POSIX_ACL)
- return get_acl(inode, type);
-#else
- return NULL;
-#endif
-}
-
-int ksmbd_vfs_set_posix_acl(struct inode *inode, int type,
- struct posix_acl *acl)
-{
-#if IS_ENABLED(CONFIG_FS_POSIX_ACL)
- return set_posix_acl(&init_user_ns, inode, type, acl);
-#else
- return -EOPNOTSUPP;
-#endif
-}
-
/**
* ksmbd_vfs_init_kstat() - convert unix stat information to smb stat format
* @p: destination buffer
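Review bot: the removed wrappers returned NULL or -EOPNOTSUPP when CONFIG_FS_POSIX_ACL was disabled, and the commit message says that case is now handled by adding "select FS_POSIX_ACL" in Kconfig, but the diffstat lists only smb2pdu.c, smbacl.c, vfs.c and vfs.h. Without the Kconfig change in the same patch, the direct calls to posix_acl_alloc(), get_acl() and set_posix_acl() lose their fallback. Please include the Kconfig hunk here or point to the patch in the series that carries it.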
@@ -1895,19 +1867,20 @@ int ksmbd_vfs_set_init_posix_acl(struct inode *inode)
acl_state.group.allow;
acl_state.mask.allow = 0x07;
- acls = ksmbd_vfs_posix_acl_alloc(6, GFP_KERNEL);
+ acls = posix_acl_alloc(6, GFP_KERNEL);
if (!acls) {
free_acl_state(&acl_state);
return -ENOMEM;
}
posix_state_to_acl(&acl_state, acls->a_entries);
- rc = ksmbd_vfs_set_posix_acl(inode, ACL_TYPE_ACCESS, acls);
+ rc = set_posix_acl(&init_user_ns, inode, ACL_TYPE_ACCESS, acls);
if (rc < 0)
ksmbd_debug(SMB, "Set posix acl(ACL_TYPE_ACCESS) failed, rc : %d\n",
rc);
else if (S_ISDIR(inode->i_mode)) {
posix_state_to_acl(&acl_state, acls->a_entries);
- rc = ksmbd_vfs_set_posix_acl(inode, ACL_TYPE_DEFAULT, acls);
+ rc = set_posix_acl(&init_user_ns, inode, ACL_TYPE_DEFAULT,
+ acls);
if (rc < 0)
ksmbd_debug(SMB, "Set posix acl(ACL_TYPE_DEFAULT) failed, rc : %d\n",
rc);
@@ -1923,7 +1896,7 @@ int ksmbd_vfs_inherit_posix_acl(struct inode *inode, struct inode *parent_inode)
struct posix_acl_entry *pace;
int rc, i;
- acls = ksmbd_vfs_get_acl(parent_inode, ACL_TYPE_DEFAULT);
+ acls = get_acl(parent_inode, ACL_TYPE_DEFAULT);
if (!acls)
return -ENOENT;
pace = acls->a_entries;
@@ -1935,12 +1908,13 @@ int ksmbd_vfs_inherit_posix_acl(struct inode *inode, struct inode *parent_inode)
}
}
- rc = ksmbd_vfs_set_posix_acl(inode, ACL_TYPE_ACCESS, acls);
+ rc = set_posix_acl(&init_user_ns, inode, ACL_TYPE_ACCESS, acls);
if (rc < 0)
ksmbd_debug(SMB, "Set posix acl(ACL_TYPE_ACCESS) failed, rc : %d\n",
rc);
if (S_ISDIR(inode->i_mode)) {
- rc = ksmbd_vfs_set_posix_acl(inode, ACL_TYPE_DEFAULT, acls);
+ rc = set_posix_acl(&init_user_ns, inode, ACL_TYPE_DEFAULT,
+ acls);
if (rc < 0)
ksmbd_debug(SMB, "Set posix acl(ACL_TYPE_DEFAULT) failed, rc : %d\n",
rc);
diff --git a/fs/cifsd/vfs.h b/fs/cifsd/vfs.h
index e1021f579f37..29352c227028 100644
--- a/fs/cifsd/vfs.h
+++ b/fs/cifsd/vfs.h
@@ -258,10 +258,6 @@ int ksmbd_vfs_set_dos_attrib_xattr(struct dentry *dentry,
struct xattr_dos_attrib *da);
int ksmbd_vfs_get_dos_attrib_xattr(struct dentry *dentry,
struct xattr_dos_attrib *da);
-struct posix_acl *ksmbd_vfs_posix_acl_alloc(int count, gfp_t flags);
-struct posix_acl *ksmbd_vfs_get_acl(struct inode *inode, int type);
-int ksmbd_vfs_set_posix_acl(struct inode *inode, int type,
- struct posix_acl *acl);
int ksmbd_vfs_set_init_posix_acl(struct inode *inode);
int ksmbd_vfs_inherit_posix_acl(struct inode *inode,
struct inode *parent_inode);
From patchwork Mon Nov 14 12:50:34 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Jason Yan <yanaijie(a)huawei.com>
X-Patchwork-Id: 183221
Return-Path: <yanaijie(a)huawei.com>
From: Jason Yan <yanaijie(a)huawei.com>
To: <yanaijie(a)huawei.com>, <zhengzengkai(a)huawei.com>, <xiexiuqi(a)huawei.com>,
<yi.zhang(a)huawei.com>, <patchwork(a)huawei.com>, <kernel.openeuler(a)huawei.com>,
<houtao1(a)huawei.com>
Subject: [PATCH OLK-5.10 v2 125/308] ksmbd: change stream type macro to
enumeration
Date: Mon, 14 Nov 2022 20:50:34 +0800
Message-ID: <20221114125337.1831594-126-yanaijie(a)huawei.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20221114125337.1831594-1-yanaijie(a)huawei.com>
References: <20221114125337.1831594-1-yanaijie(a)huawei.com>
Content-Type: text/plain
From: Namjae Jeon <namjae.jeon(a)samsung.com>
mainline inclusion
from mainline-5.15-rc1
commit ee2033e9c64139c4f052bed52e72eba44a08b40a
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G
CVE: NA
Reference: https://git.kernel.org/torvalds/linux/c/ee2033e9c641
-------------------------------
Change stream type macro to enumeration and move it to vfs.h.
Reviewed-by: Christoph Hellwig <hch(a)lst.de>
Signed-off-by: Namjae Jeon <namjae.jeon(a)samsung.com>
Signed-off-by: Steve French <stfrench(a)microsoft.com>
Signed-off-by: Jason Yan <yanaijie(a)huawei.com>
---
fs/cifsd/glob.h | 3 ---
fs/cifsd/vfs.h | 8 ++++++++
2 files changed, 8 insertions(+), 3 deletions(-)
diff --git a/fs/cifsd/glob.h b/fs/cifsd/glob.h
index 8119cb7ddbed..49a5a3afa118 100644
--- a/fs/cifsd/glob.h
+++ b/fs/cifsd/glob.h
@@ -16,9 +16,6 @@
extern int ksmbd_debug_types;
-#define DATA_STREAM 1
-#define DIR_STREAM 2
-
#define KSMBD_DEBUG_SMB BIT(0)
#define KSMBD_DEBUG_AUTH BIT(1)
#define KSMBD_DEBUG_VFS BIT(2)
diff --git a/fs/cifsd/vfs.h b/fs/cifsd/vfs.h
index 29352c227028..a9c14c5dee8d 100644
--- a/fs/cifsd/vfs.h
+++ b/fs/cifsd/vfs.h
@@ -101,6 +101,14 @@ struct xattr_ntacl {
#define XATTR_NAME_SD_LEN \
(sizeof(XATTR_SECURITY_PREFIX SD_PREFIX) - 1)
+/*
+ * Enumeration for stream type.
+ */
+enum {
+ DATA_STREAM = 1, /* type $DATA */
+ DIR_STREAM /* type $INDEX_ALLOCATION */
+};
+
/* CreateOptions */
/* Flag is set, it must not be a file , valid for directory only */
#define FILE_DIRECTORY_FILE_LE cpu_to_le32(0x00000001)
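Review bot: the new enum in vfs.h is anonymous and DIR_STREAM gets its value implicitly. The macros it replaces had explicit values 1 and 2, so writing "DIR_STREAM = 2" would keep the values stable if an enumerator is ever inserted, and giving the enum a name would let the stream type field be declared with it. Since the definitions move out of glob.h, also check that every user of DATA_STREAM and DIR_STREAM includes vfs.h.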
From patchwork Mon Nov 14 12:50:35 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Jason Yan <yanaijie(a)huawei.com>
X-Patchwork-Id: 183223
Return-Path: <yanaijie(a)huawei.com>
From: Jason Yan <yanaijie(a)huawei.com>
To: <yanaijie(a)huawei.com>, <zhengzengkai(a)huawei.com>, <xiexiuqi(a)huawei.com>,
<yi.zhang(a)huawei.com>, <patchwork(a)huawei.com>, <kernel.openeuler(a)huawei.com>,
<houtao1(a)huawei.com>
Subject: [PATCH OLK-5.10 v2 126/308] ksmbd: use f_bsize instead of
q->limits.logical_block_size
Date: Mon, 14 Nov 2022 20:50:35 +0800
Message-ID: <20221114125337.1831594-127-yanaijie(a)huawei.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20221114125337.1831594-1-yanaijie(a)huawei.com>
References: <20221114125337.1831594-1-yanaijie(a)huawei.com>
From: Namjae Jeon <namjae.jeon(a)samsung.com>
mainline inclusion
from mainline-5.15-rc1
commit ee81cae1a6323fa4489313dfd9de436da7ff8519
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G
CVE: NA
Reference: https://git.kernel.org/torvalds/linux/c/ee81cae1a632
-------------------------------
Use f_bsize instead of q->limits.logical_block_size.
Reviewed-by: Christoph Hellwig <hch(a)lst.de>
Signed-off-by: Namjae Jeon <namjae.jeon(a)samsung.com>
Signed-off-by: Steve French <stfrench(a)microsoft.com>
Signed-off-by: Jason Yan <yanaijie(a)huawei.com>
---
fs/cifsd/smb2pdu.c | 25 +++++++------------------
fs/cifsd/vfs.c | 23 -----------------------
fs/cifsd/vfs.h | 1 -
3 files changed, 7 insertions(+), 42 deletions(-)
diff --git a/fs/cifsd/smb2pdu.c b/fs/cifsd/smb2pdu.c
index 0d004c6d1c63..341d51e711a5 100644
--- a/fs/cifsd/smb2pdu.c
+++ b/fs/cifsd/smb2pdu.c
@@ -4739,16 +4739,12 @@ static int smb2_get_info_filesystem(struct ksmbd_work *work,
case FS_SIZE_INFORMATION:
{
struct filesystem_info *info;
- unsigned short logical_sector_size;
info = (struct filesystem_info *)(rsp->Buffer);
- logical_sector_size =
- ksmbd_vfs_logical_sector_size(d_inode(path.dentry));
-
info->TotalAllocationUnits = cpu_to_le64(stfs.f_blocks);
info->FreeAllocationUnits = cpu_to_le64(stfs.f_bfree);
- info->SectorsPerAllocationUnit = cpu_to_le32(stfs.f_bsize >> 9);
- info->BytesPerSector = cpu_to_le32(logical_sector_size);
+ info->SectorsPerAllocationUnit = cpu_to_le32(1);
+ info->BytesPerSector = cpu_to_le32(stfs.f_bsize);
rsp->OutputBufferLength = cpu_to_le32(24);
inc_rfc1001_len(rsp_org, 24);
fs_infoclass_size = FS_SIZE_INFORMATION_SIZE;
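Review bot: In the FS_SIZE_INFORMATION case the reply now reports SectorsPerAllocationUnit as 1 and BytesPerSector as stfs.f_bsize, which changes what clients compute, and the changelog does not say why. With the old pair, "stfs.f_bsize >> 9" assumed 512-byte sectors while BytesPerSector came from the device, so on a device with a larger logical block size the product no longer equalled f_bsize and the reported capacity was inflated; the new pair always multiplies out to f_bsize. Please state that in the commit message, and note that BytesPerSector is no longer a real sector size in case a client uses it for I/O alignment. The same applies to the FS_FULL_SIZE_INFORMATION hunk that follows.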
@@ -4757,19 +4753,15 @@ static int smb2_get_info_filesystem(struct ksmbd_work *work,
case FS_FULL_SIZE_INFORMATION:
{
struct smb2_fs_full_size_info *info;
- unsigned short logical_sector_size;
info = (struct smb2_fs_full_size_info *)(rsp->Buffer);
- logical_sector_size =
- ksmbd_vfs_logical_sector_size(d_inode(path.dentry));
-
info->TotalAllocationUnits = cpu_to_le64(stfs.f_blocks);
info->CallerAvailableAllocationUnits =
cpu_to_le64(stfs.f_bavail);
info->ActualAvailableAllocationUnits =
cpu_to_le64(stfs.f_bfree);
- info->SectorsPerAllocationUnit = cpu_to_le32(stfs.f_bsize >> 9);
- info->BytesPerSector = cpu_to_le32(logical_sector_size);
+ info->SectorsPerAllocationUnit = cpu_to_le32(1);
+ info->BytesPerSector = cpu_to_le32(stfs.f_bsize);
rsp->OutputBufferLength = cpu_to_le32(32);
inc_rfc1001_len(rsp_org, 32);
fs_infoclass_size = FS_FULL_SIZE_INFORMATION_SIZE;
@@ -4846,16 +4838,13 @@ static int smb2_get_info_filesystem(struct ksmbd_work *work,
case FS_POSIX_INFORMATION:
{
struct filesystem_posix_info *info;
- unsigned short logical_sector_size;
if (!work->tcon->posix_extensions) {
pr_err("client doesn't negotiate with SMB3.1.1 POSIX Extensions\n");
rc = -EOPNOTSUPP;
} else {
info = (struct filesystem_posix_info *)(rsp->Buffer);
- logical_sector_size =
- ksmbd_vfs_logical_sector_size(d_inode(path.dentry));
- info->OptimalTransferSize = cpu_to_le32(logical_sector_size);
+ info->OptimalTransferSize = cpu_to_le32(stfs.f_bsize);
info->BlockSize = cpu_to_le32(stfs.f_bsize);
info->TotalBlocks = cpu_to_le64(stfs.f_blocks);
info->BlocksAvail = cpu_to_le64(stfs.f_bfree);
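Review bot: In the FS_POSIX_INFORMATION branch, OptimalTransferSize and BlockSize are now both set from stfs.f_bsize, so the two fields can never differ. If that is intended, a one-line comment saying the server has no separate preferred I/O size to offer would stop a later reader from treating the duplicate as a copy-paste slip.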
@@ -5588,13 +5577,13 @@ static int set_file_position_info(struct ksmbd_file *fp, char *buf)
{
struct smb2_file_pos_info *file_info;
loff_t current_byte_offset;
- unsigned short sector_size;
+ unsigned long sector_size;
struct inode *inode;
inode = file_inode(fp->filp);
file_info = (struct smb2_file_pos_info *)buf;
current_byte_offset = le64_to_cpu(file_info->CurrentByteOffset);
- sector_size = ksmbd_vfs_logical_sector_size(inode);
+ sector_size = inode->i_sb->s_blocksize;
if (current_byte_offset < 0 ||
(fp->coption == FILE_NO_INTERMEDIATE_BUFFERING_LE &&
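Review bot: set_file_position_info() switches to inode->i_sb->s_blocksize, not the f_bsize named in the subject line, and the changelog does not mention this function at all. The condition is cut off in this context, but sector_size appears to be the alignment term of the FILE_NO_INTERMEDIATE_BUFFERING_LE check, so the granularity enforced on unbuffered handles moves from the device's logical sector size to the superblock block size, and an offset that was aligned to the old, smaller value can now be refused. Please document the behaviour change and say why s_blocksize is used here while the query paths use stfs.f_bsize.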
diff --git a/fs/cifsd/vfs.c b/fs/cifsd/vfs.c
index e34e536dc9ce..9c594e88b2c7 100644
--- a/fs/cifsd/vfs.c
+++ b/fs/cifsd/vfs.c
@@ -12,7 +12,6 @@
#include <linux/xattr.h>
#include <linux/falloc.h>
#include <linux/genhd.h>
-#include <linux/blkdev.h>
#include <linux/fsnotify.h>
#include <linux/dcache.h>
#include <linux/slab.h>
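Review bot: The removal of "#include <linux/blkdev.h>" from vfs.c comes one patch too early. ksmbd_vfs_smb2_sector_size(), whose header comment is the trailing context of the next hunk, still exists after this patch and, as patch 128/308 shows when deleting it, dereferences q->limits, so the file now depends on blkdev.h arriving through some other header. Move the include removal to the patch that deletes the last request_queue user, and check at that point whether <linux/genhd.h> is still needed.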
@@ -1119,28 +1118,6 @@ int ksmbd_vfs_unlink(struct dentry *dir, struct dentry *dentry)
return err;
}
-/*
- * ksmbd_vfs_get_logical_sector_size() - get logical sector size from inode
- * @inode: inode
- *
- * Return: logical sector size
- */
-unsigned short ksmbd_vfs_logical_sector_size(struct inode *inode)
-{
- struct request_queue *q;
- unsigned short ret_val = 512;
-
- if (!inode->i_sb->s_bdev)
- return ret_val;
-
- q = inode->i_sb->s_bdev->bd_disk->queue;
-
- if (q && q->limits.logical_block_size)
- ret_val = q->limits.logical_block_size;
-
- return ret_val;
-}
-
/*
* ksmbd_vfs_get_smb2_sector_size() - get fs sector sizes
* @inode: inode
diff --git a/fs/cifsd/vfs.h b/fs/cifsd/vfs.h
index a9c14c5dee8d..751bb6ea6e12 100644
--- a/fs/cifsd/vfs.h
+++ b/fs/cifsd/vfs.h
@@ -247,7 +247,6 @@ int ksmbd_vfs_fqar_lseek(struct ksmbd_file *fp, loff_t start, loff_t length,
struct file_allocated_range_buffer *ranges,
int in_count, int *out_count);
int ksmbd_vfs_unlink(struct dentry *dir, struct dentry *dentry);
-unsigned short ksmbd_vfs_logical_sector_size(struct inode *inode);
void ksmbd_vfs_smb2_sector_size(struct inode *inode,
struct ksmbd_fs_sector_size *fs_ss);
void *ksmbd_vfs_init_kstat(char **p, struct ksmbd_kstat *ksmbd_kstat);
From patchwork Mon Nov 14 12:50:36 2022
X-Patchwork-Submitter: Jason Yan <yanaijie(a)huawei.com>
X-Patchwork-Id: 183224
From: Jason Yan <yanaijie(a)huawei.com>
To: <yanaijie(a)huawei.com>, <zhengzengkai(a)huawei.com>, <xiexiuqi(a)huawei.com>,
<yi.zhang(a)huawei.com>, <patchwork(a)huawei.com>, <kernel.openeuler(a)huawei.com>,
<houtao1(a)huawei.com>
Subject: [PATCH OLK-5.10 v2 127/308] ksmbd: remove unneeded NULL check in the
list iterator
Date: Mon, 14 Nov 2022 20:50:36 +0800
Message-ID: <20221114125337.1831594-128-yanaijie(a)huawei.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20221114125337.1831594-1-yanaijie(a)huawei.com>
References: <20221114125337.1831594-1-yanaijie(a)huawei.com>
From: Namjae Jeon <namjae.jeon(a)samsung.com>
mainline inclusion
from mainline-5.15-rc1
commit 560ac05130696de2491881bbc2a5024c94bc3912
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G
CVE: NA
Reference: https://git.kernel.org/torvalds/linux/c/560ac0513069
-------------------------------
Remove unneeded NULL check in the list iterator. And use
list_for_each_entry_safe instead of list_for_each_safe.
Signed-off-by: Namjae Jeon <namjae.jeon(a)samsung.com>
Signed-off-by: Steve French <stfrench(a)microsoft.com>
Signed-off-by: Jason Yan <yanaijie(a)huawei.com>
---
fs/cifsd/mgmt/user_session.c | 15 ++++++---------
fs/cifsd/smb2pdu.c | 2 +-
2 files changed, 7 insertions(+), 10 deletions(-)
diff --git a/fs/cifsd/mgmt/user_session.c b/fs/cifsd/mgmt/user_session.c
index 615b46f0762b..c5ba9694e1f1 100644
--- a/fs/cifsd/mgmt/user_session.c
+++ b/fs/cifsd/mgmt/user_session.c
@@ -30,15 +30,12 @@ struct ksmbd_session_rpc {
static void free_channel_list(struct ksmbd_session *sess)
{
- struct channel *chann;
- struct list_head *tmp, *t;
-
- list_for_each_safe(tmp, t, &sess->ksmbd_chann_list) {
- chann = list_entry(tmp, struct channel, chann_list);
- if (chann) {
- list_del(&chann->chann_list);
- kfree(chann);
- }
+ struct channel *chann, *tmp;
+
+ list_for_each_entry_safe(chann, tmp, &sess->ksmbd_chann_list,
+ chann_list) {
+ list_del(&chann->chann_list);
+ kfree(chann);
}
}
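Review bot: The changelog for the free_channel_list() change should say why the check is unneeded: list_entry() is pointer arithmetic on the node address, so chann can never be NULL inside the loop and the old "if (chann)" was dead code. One sentence to that effect makes it clear that no NULL dereference is being introduced. The conversion itself is correct, since the _safe iterator is kept while each entry is unlinked and freed.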
diff --git a/fs/cifsd/smb2pdu.c b/fs/cifsd/smb2pdu.c
index 341d51e711a5..bbb35e68abc4 100644
--- a/fs/cifsd/smb2pdu.c
+++ b/fs/cifsd/smb2pdu.c
@@ -76,7 +76,7 @@ struct channel *lookup_chann_list(struct ksmbd_session *sess, struct ksmbd_conn
struct channel *chann;
list_for_each_entry(chann, &sess->ksmbd_chann_list, chann_list) {
- if (chann && chann->conn == conn)
+ if (chann->conn == conn)
return chann;
}
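Review bot: lookup_chann_list() walks sess->ksmbd_chann_list with no lock taken in the visible lines, while free_channel_list() in the same patch unlinks and frees entries from that list. If the callers serialize the two, a comment above the function naming the lock would help; if they do not, the chann pointer returned here can be stale by the time it is used.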
From patchwork Mon Nov 14 12:50:37 2022
X-Patchwork-Submitter: Jason Yan <yanaijie(a)huawei.com>
X-Patchwork-Id: 183225
From: Jason Yan <yanaijie(a)huawei.com>
To: <yanaijie(a)huawei.com>, <zhengzengkai(a)huawei.com>, <xiexiuqi(a)huawei.com>,
<yi.zhang(a)huawei.com>, <patchwork(a)huawei.com>, <kernel.openeuler(a)huawei.com>,
<houtao1(a)huawei.com>
Subject: [PATCH OLK-5.10 v2 128/308] ksmbd: use f_bsize in
FS_SECTOR_SIZE_INFORMATION
Date: Mon, 14 Nov 2022 20:50:37 +0800
Message-ID: <20221114125337.1831594-129-yanaijie(a)huawei.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20221114125337.1831594-1-yanaijie(a)huawei.com>
References: <20221114125337.1831594-1-yanaijie(a)huawei.com>
From: Namjae Jeon <namjae.jeon(a)samsung.com>
mainline inclusion
from mainline-5.15-rc1
commit 131bac1ece2e16201674b2f29b64d2044c826b56
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G
CVE: NA
Reference: https://git.kernel.org/torvalds/linux/c/131bac1ece2e
-------------------------------
Use f_bsize in FS_SECTOR_SIZE_INFORMATION to avoid accessing the block
layer.
Signed-off-by: Namjae Jeon <namjae.jeon(a)samsung.com>
Signed-off-by: Steve French <stfrench(a)microsoft.com>
Signed-off-by: Jason Yan <yanaijie(a)huawei.com>
---
fs/cifsd/smb2pdu.c | 12 ++++--------
fs/cifsd/vfs.c | 31 -------------------------------
fs/cifsd/vfs.h | 8 --------
3 files changed, 4 insertions(+), 47 deletions(-)
diff --git a/fs/cifsd/smb2pdu.c b/fs/cifsd/smb2pdu.c
index bbb35e68abc4..1327ae806b17 100644
--- a/fs/cifsd/smb2pdu.c
+++ b/fs/cifsd/smb2pdu.c
@@ -4791,19 +4791,15 @@ static int smb2_get_info_filesystem(struct ksmbd_work *work,
case FS_SECTOR_SIZE_INFORMATION:
{
struct smb3_fs_ss_info *info;
- struct ksmbd_fs_sector_size fs_ss;
info = (struct smb3_fs_ss_info *)(rsp->Buffer);
- ksmbd_vfs_smb2_sector_size(d_inode(path.dentry), &fs_ss);
- info->LogicalBytesPerSector =
- cpu_to_le32(fs_ss.logical_sector_size);
+ info->LogicalBytesPerSector = cpu_to_le32(stfs.f_bsize);
info->PhysicalBytesPerSectorForAtomicity =
- cpu_to_le32(fs_ss.physical_sector_size);
- info->PhysicalBytesPerSectorForPerf =
- cpu_to_le32(fs_ss.optimal_io_size);
+ cpu_to_le32(stfs.f_bsize);
+ info->PhysicalBytesPerSectorForPerf = cpu_to_le32(stfs.f_bsize);
info->FSEffPhysicalBytesPerSectorForAtomicity =
- cpu_to_le32(fs_ss.optimal_io_size);
+ cpu_to_le32(stfs.f_bsize);
info->Flags = cpu_to_le32(SSINFO_FLAGS_ALIGNED_DEVICE |
SSINFO_FLAGS_PARTITION_ALIGNED_ON_DEVICE);
info->ByteOffsetForSectorAlignment = 0;
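Review bot: In the FS_SECTOR_SIZE_INFORMATION case all four size fields now carry stfs.f_bsize, yet Flags still asserts SSINFO_FLAGS_ALIGNED_DEVICE | SSINFO_FLAGS_PARTITION_ALIGNED_ON_DEVICE even though the server no longer looks at the device. Please justify keeping those flags in the changelog or a comment, and mention that the logical, physical and performance sizes are deliberately collapsed into one value.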
diff --git a/fs/cifsd/vfs.c b/fs/cifsd/vfs.c
index 9c594e88b2c7..fddabb4c7db6 100644
--- a/fs/cifsd/vfs.c
+++ b/fs/cifsd/vfs.c
@@ -1118,37 +1118,6 @@ int ksmbd_vfs_unlink(struct dentry *dir, struct dentry *dentry)
return err;
}
-/*
- * ksmbd_vfs_get_smb2_sector_size() - get fs sector sizes
- * @inode: inode
- * @fs_ss: fs sector size struct
- */
-void ksmbd_vfs_smb2_sector_size(struct inode *inode,
- struct ksmbd_fs_sector_size *fs_ss)
-{
- struct request_queue *q;
-
- fs_ss->logical_sector_size = 512;
- fs_ss->physical_sector_size = 512;
- fs_ss->optimal_io_size = 512;
-
- if (!inode->i_sb->s_bdev)
- return;
-
- q = inode->i_sb->s_bdev->bd_disk->queue;
-
- if (q) {
- if (q->limits.logical_block_size)
- fs_ss->logical_sector_size =
- q->limits.logical_block_size;
- if (q->limits.physical_block_size)
- fs_ss->physical_sector_size =
- q->limits.physical_block_size;
- if (q->limits.io_opt)
- fs_ss->optimal_io_size = q->limits.io_opt;
- }
-}
-
static int __dir_empty(struct dir_context *ctx, const char *name, int namlen,
loff_t offset, u64 ino, unsigned int d_type)
{
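Review bot: The removed ksmbd_vfs_smb2_sector_size() defaulted every field to 512 and only overrode it with a non-zero queue limit, so the reply could never carry a zero sector size. The replacement in smb2pdu.c passes stfs.f_bsize straight to cpu_to_le32() with no lower bound; if an exported filesystem ever reports f_bsize as 0, clients receive a zero sector size. Consider keeping a fallback such as 512 for that case.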
diff --git a/fs/cifsd/vfs.h b/fs/cifsd/vfs.h
index 751bb6ea6e12..49f0558ace32 100644
--- a/fs/cifsd/vfs.h
+++ b/fs/cifsd/vfs.h
@@ -192,12 +192,6 @@ struct ksmbd_kstat {
__le32 file_attributes;
};
-struct ksmbd_fs_sector_size {
- unsigned short logical_sector_size;
- unsigned int physical_sector_size;
- unsigned int optimal_io_size;
-};
-
int ksmbd_vfs_inode_permission(struct dentry *dentry, int acc_mode,
bool delete);
int ksmbd_vfs_query_maximal_access(struct dentry *dentry, __le32 *daccess);
@@ -247,8 +241,6 @@ int ksmbd_vfs_fqar_lseek(struct ksmbd_file *fp, loff_t start, loff_t length,
struct file_allocated_range_buffer *ranges,
int in_count, int *out_count);
int ksmbd_vfs_unlink(struct dentry *dir, struct dentry *dentry);
-void ksmbd_vfs_smb2_sector_size(struct inode *inode,
- struct ksmbd_fs_sector_size *fs_ss);
void *ksmbd_vfs_init_kstat(char **p, struct ksmbd_kstat *ksmbd_kstat);
int ksmbd_vfs_fill_dentry_attrs(struct ksmbd_work *work, struct dentry *dentry,
struct ksmbd_kstat *ksmbd_kstat);
From patchwork Mon Nov 14 12:50:38 2022
X-Patchwork-Submitter: Jason Yan <yanaijie(a)huawei.com>
X-Patchwork-Id: 183226
From: Jason Yan <yanaijie(a)huawei.com>
To: <yanaijie(a)huawei.com>, <zhengzengkai(a)huawei.com>, <xiexiuqi(a)huawei.com>,
<yi.zhang(a)huawei.com>, <patchwork(a)huawei.com>, <kernel.openeuler(a)huawei.com>,
<houtao1(a)huawei.com>
Subject: [PATCH OLK-5.10 v2 129/308] cifsd: fix WARNING: Title overline too
short
Date: Mon, 14 Nov 2022 20:50:38 +0800
Message-ID: <20221114125337.1831594-130-yanaijie(a)huawei.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20221114125337.1831594-1-yanaijie(a)huawei.com>
References: <20221114125337.1831594-1-yanaijie(a)huawei.com>
From: Namjae Jeon <namjae.jeon(a)samsung.com>
mainline inclusion
from mainline-5.15-rc1
commit c0e8110e6c75758c4567f8e713f26e5dbd88cc7c
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G
CVE: NA
Reference: https://git.kernel.org/torvalds/linux/c/c0e8110e6c75
-------------------------------
Stephen reported a warning message from cifsd.rst file.
Documentation/filesystems/cifs/cifsd.rst:3: WARNING: Title overline too
short.
Reported-by: Stephen Rothwell <sfr(a)canb.auug.org.au>
Signed-off-by: Namjae Jeon <namjae.jeon(a)samsung.com>
Signed-off-by: Steve French <stfrench(a)microsoft.com>
Signed-off-by: Jason Yan <yanaijie(a)huawei.com>
---
Documentation/filesystems/cifs/cifsd.rst | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/Documentation/filesystems/cifs/cifsd.rst b/Documentation/filesystems/cifs/cifsd.rst
index e0c33d03f290..af3589da6923 100644
--- a/Documentation/filesystems/cifs/cifsd.rst
+++ b/Documentation/filesystems/cifs/cifsd.rst
@@ -1,8 +1,8 @@
.. SPDX-License-Identifier: GPL-2.0
-=========================
+==========================
CIFSD - SMB3 Kernel Server
-=========================
+==========================
CIFSD is a linux kernel server which implements SMB3 protocol in kernel space
for sharing files over network.
From patchwork Mon Nov 14 12:50:39 2022
X-Patchwork-Submitter: Jason Yan <yanaijie(a)huawei.com>
X-Patchwork-Id: 183227
From: Jason Yan <yanaijie(a)huawei.com>
To: <yanaijie(a)huawei.com>, <zhengzengkai(a)huawei.com>, <xiexiuqi(a)huawei.com>,
<yi.zhang(a)huawei.com>, <patchwork(a)huawei.com>, <kernel.openeuler(a)huawei.com>,
<houtao1(a)huawei.com>
Subject: [PATCH OLK-5.10 v2 130/308] cifsd: update cifsd.rst document
Date: Mon, 14 Nov 2022 20:50:39 +0800
Message-ID: <20221114125337.1831594-131-yanaijie(a)huawei.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20221114125337.1831594-1-yanaijie(a)huawei.com>
References: <20221114125337.1831594-1-yanaijie(a)huawei.com>
From: Namjae Jeon <namjae.jeon(a)samsung.com>
mainline inclusion
from mainline-5.15-rc1
commit 04bee6e336be1accb7f28d8e86454f42b58a860f
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G
CVE: NA
Reference: https://git.kernel.org/torvalds/linux/c/04bee6e336be
-------------------------------
Add work flow of cifsd and feature stats table.
Signed-off-by: Namjae Jeon <namjae.jeon(a)samsung.com>
Signed-off-by: Steve French <stfrench(a)microsoft.com>
Signed-off-by: Jason Yan <yanaijie(a)huawei.com>
---
Documentation/filesystems/cifs/cifsd.rst | 96 +++++++++++++++++-------
1 file changed, 70 insertions(+), 26 deletions(-)
diff --git a/Documentation/filesystems/cifs/cifsd.rst b/Documentation/filesystems/cifs/cifsd.rst
index af3589da6923..7eac7e459c2d 100644
--- a/Documentation/filesystems/cifs/cifsd.rst
+++ b/Documentation/filesystems/cifs/cifsd.rst
@@ -10,6 +10,34 @@ for sharing files over network.
CIFSD architecture
==================
+ |--- ...
+ --------|--- ksmbd/3 - Client 3
+ |-------|--- ksmbd/2 - Client 2
+ | | ____________________________________________________
+ | | |- Client 1 |
+<--- Socket ---|--- ksmbd/1 <<= Authentication : NTLM/NTLM2, Kerberos |
+ | | | | <<= SMB engine : SMB2, SMB2.1, SMB3, SMB3.0.2, |
+ | | | | SMB3.1.1 |
+ | | | |____________________________________________________|
+ | | |
+ | | |--- VFS --- Local Filesystem
+ | |
+KERNEL |--- ksmbd/0(forker kthread)
+---------------||---------------------------------------------------------------
+USER ||
+ || communication using NETLINK
+ || ______________________________________________
+ || | |
+ ksmbd.mountd <<= DCE/RPC(srvsvc, wkssvc, smar, lsarpc) |
+ ^ | <<= configure shares setting, user accounts |
+ | |______________________________________________|
+ |
+ |------ smb.conf(config file)
+ |
+ |------ ksmbdpwd.db(user account/password file)
+ ^
+ ksmbd.adduser ---------------|
+
The subset of performance related operations belong in kernelspace and
the other subset which belong to operations which are not really related with
performance in userspace. So, DCE/RPC management that has historically resulted
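Review bot: The ASCII diagram is added to cifsd.rst as ordinary body text, so reStructuredText will try to parse "|---" as substitution references and the varying indentation as block quotes. Introduce it as a literal block (a "::" line followed by the drawing, every line indented) so it renders verbatim and builds cleanly. Also, "smar" in the ksmbd.mountd box looks like a typo for samr, which the feature table in the next hunk spells SAMR.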
@@ -59,32 +87,48 @@ dozen) that are most important for file server from NetShareEnum and
NetServerGetInfo. Complete DCE/RPC response is prepared from the user space
and passed over to the associated kernel thread for the client.
-Key Features
-============
-
-The supported features are:
- * SMB3 protocols for basic file sharing
- * Auto negotiation
- * Compound requests
- * Oplock/Lease
- * Large MTU
- * NTLM/NTLMv2
- * HMAC-SHA256 Signing
- * Secure negotiate
- * Signing Update
- * Pre-authentication integrity(SMB 3.1.1)
- * SMB3 encryption(CCM, GCM)
- * SMB direct(RDMA)
- * SMB3.1.1 POSIX extension support
- * ACLs
- * Kerberos
-
-The features that are planned or not supported:
- * SMB3 Multi-channel
- * Durable handle v1,v2
- * Persistent handles
- * Directory lease
- * SMB2 notify
+
+CIFSD Feature Status
+====================
+
+============================== =================================================
+Feature name Status
+============================== =================================================
+Dialects Supported. SMB2.1 SMB3.0, SMB3.1.1 dialects
+ excluding security vulnerable SMB1.
+Auto Negotiation Supported.
+Compound Request Supported.
+Oplock Cache Mechanism Supported.
+SMB2 leases(v1 lease) Supported.
+Directory leases(v2 lease) Planned for future.
+Multi-credits Supported.
+NTLM/NTLMv2 Supported.
+HMAC-SHA256 Signing Supported.
+Secure negotiate Supported.
+Signing Update Supported.
+Pre-authentication integrity Supported.
+SMB3 encryption(CCM, GCM) Supported.
+SMB direct(RDMA) Partial Supported. SMB3 Multi-channel is required
+ to connect to Windows client.
+SMB3 Multi-channel In Progress.
+SMB3.1.1 POSIX extension Supported.
+ACLs Partial Supported. only DACLs available, SACLs is
+ planned for future. ksmbd generate random subauth
+ values(then store it to disk) and use uid/gid
+ get from inode as RID for local domain SID.
+ The current acl implementation is limited to
+ standalone server, not a domain member.
+Kerberos Supported.
+Durable handle v1,v2 Planned for future.
+Persistent handle Planned for future.
+SMB2 notify Planned for future.
+Sparse file support Supported.
+DCE/RPC support Partial Supported. a few calls(NetShareEnumAll,
+ NetServerGetInfo, SAMR, LSARPC) that needed as
+ file server via netlink interface from
+ ksmbd.mountd.
+============================== =================================================
+
How to run
==========
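Review bot: In the feature table, the Dialects row reads "SMB2.1 SMB3.0, SMB3.1.1" (missing comma) and does not match the SMB engine list in the diagram added by the previous hunk (SMB2, SMB2.1, SMB3, SMB3.0.2, SMB3.1.1); please settle on one list. "Partial Supported" should be "Partially supported" in the SMB direct, ACLs and DCE/RPC rows. The ACLs row is where an administrator learns that only DACLs are available and that the implementation is limited to a standalone server, so it deserves a short section of its own rather than a table cell. The hunk also leaves two blank lines before the new heading.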
From patchwork Mon Nov 14 12:50:40 2022
X-Patchwork-Submitter: Jason Yan <yanaijie(a)huawei.com>
X-Patchwork-Id: 183228
From: Jason Yan <yanaijie(a)huawei.com>
To: <yanaijie(a)huawei.com>, <zhengzengkai(a)huawei.com>, <xiexiuqi(a)huawei.com>,
<yi.zhang(a)huawei.com>, <patchwork(a)huawei.com>, <kernel.openeuler(a)huawei.com>,
<houtao1(a)huawei.com>
Subject: [PATCH OLK-5.10 v2 131/308] cifsd: fix build warnings from cifsd.rst
Date: Mon, 14 Nov 2022 20:50:40 +0800
Message-ID: <20221114125337.1831594-132-yanaijie(a)huawei.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20221114125337.1831594-1-yanaijie(a)huawei.com>
References: <20221114125337.1831594-1-yanaijie(a)huawei.com>
From: Namjae Jeon <namjae.jeon(a)samsung.com>
mainline inclusion
from mainline-5.15-rc1
commit 269d3feec1b0f0c286ff3cc3eef43416614ee261
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G
CVE: NA
Reference: https://git.kernel.org/torvalds/linux/c/269d3feec1b0
-------------------------------
Stephen reported build warnings from cifsd.rst:
Documentation/filesystems/cifs/cifsd.rst:13: WARNING: Inline
substitution_reference start-string without end-string.
Documentation/filesystems/cifs/cifsd.rst:14: WARNING: Block quote ends
without a blank line; unexpected unindent.
Documentation/filesystems/cifs/cifsd.rst:14: WARNING: Inline
substitution_reference start-string without end-string.
Documentation/filesystems/cifs/cifsd.rst:18: WARNING: Block quote ends
without a blank line; unexpected unindent.
Documentation/filesystems/cifs/cifsd.rst:23: WARNING: Inline
substitution_reference start-string without end-string.
Documentation/filesystems/cifs/cifsd.rst:23: WARNING: Inline
substitution_reference start-string without end-string.
Documentation/filesystems/cifs/cifsd.rst:24: WARNING: Inline
substitution_reference start-string without end-string.
Documentation/filesystems/cifs/cifsd.rst:25: WARNING: Definition list
ends without a blank line; unexpected unindent.
Documentation/filesystems/cifs/cifsd.rst:28: WARNING: Unexpected
indentation.
Documentation/filesystems/cifs/cifsd.rst:31: WARNING: Block quote ends
without a blank line; unexpected unindent.
Documentation/filesystems/cifs/cifsd.rst:38: WARNING: Unexpected
indentation.
Documentation/filesystems/cifs/cifsd.rst:32: WARNING: Inline
substitution_reference start-string without end-string.
Documentation/filesystems/cifs/cifsd.rst:32: WARNING: Inline
substitution_reference start-string without end-string.
Documentation/filesystems/cifs/cifsd.rst:39: WARNING: Block quote ends
without a blank line; unexpected unindent.
Documentation/filesystems/cifs/cifsd.rst:14: WARNING: Undefined
substitution referenced: "--- ksmbd/3 - Client 3 |-------".
Documentation/filesystems/cifs/cifsd.rst:0: WARNING: Undefined
substitution referenced:
"____________________________________________________".
Documentation/filesystems/cifs/cifsd.rst:25: WARNING: Undefined
substitution referenced: "--- ksmbd/0(forker kthread) ---------------|".
Documentation/filesystems/cifs/cifsd.rst:32: WARNING: Undefined
substitution referenced:
"______________________________________________".
Signed-off-by: Namjae Jeon <namjae.jeon(a)samsung.com>
Signed-off-by: Steve French <stfrench(a)microsoft.com>
Signed-off-by: Jason Yan <yanaijie(a)huawei.com>
---
Documentation/filesystems/cifs/cifsd.rst | 28 ------------------------
1 file changed, 28 deletions(-)
diff --git a/Documentation/filesystems/cifs/cifsd.rst b/Documentation/filesystems/cifs/cifsd.rst
index 7eac7e459c2d..48ae58f2a53c 100644
--- a/Documentation/filesystems/cifs/cifsd.rst
+++ b/Documentation/filesystems/cifs/cifsd.rst
@@ -10,34 +10,6 @@ for sharing files over network.
CIFSD architecture
==================
- |--- ...
- --------|--- ksmbd/3 - Client 3
- |-------|--- ksmbd/2 - Client 2
- | | ____________________________________________________
- | | |- Client 1 |
-<--- Socket ---|--- ksmbd/1 <<= Authentication : NTLM/NTLM2, Kerberos |
- | | | | <<= SMB engine : SMB2, SMB2.1, SMB3, SMB3.0.2, |
- | | | | SMB3.1.1 |
- | | | |____________________________________________________|
- | | |
- | | |--- VFS --- Local Filesystem
- | |
-KERNEL |--- ksmbd/0(forker kthread)
----------------||---------------------------------------------------------------
-USER ||
- || communication using NETLINK
- || ______________________________________________
- || | |
- ksmbd.mountd <<= DCE/RPC(srvsvc, wkssvc, smar, lsarpc) |
- ^ | <<= configure shares setting, user accounts |
- | |______________________________________________|
- |
- |------ smb.conf(config file)
- |
- |------ ksmbdpwd.db(user account/password file)
- ^
- ksmbd.adduser ---------------|
-
The subset of performance related operations belong in kernelspace and
the other subset which belong to operations which are not really related with
performance in userspace. So, DCE/RPC management that has historically resulted
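Review bot: deleting the whole architecture diagram (all 28 `-` lines) silences the Sphinx warnings but also drops the only picture of the kernel/user split, the netlink channel to ksmbd.mountd, and where authentication and the SMB engine run. The warnings quoted in the commit message come from the `|` characters being parsed as substitution references, so placing the diagram in a literal block (a `::` line followed by the indented diagram) would fix the build and keep the content. The paragraph left below the deletion still describes the kernelspace/userspace division that the diagram illustrated.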
From patchwork Mon Nov 14 12:50:41 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Jason Yan <yanaijie(a)huawei.com>
X-Patchwork-Id: 183229
Return-Path: <yanaijie(a)huawei.com>
From: Jason Yan <yanaijie(a)huawei.com>
To: <yanaijie(a)huawei.com>, <zhengzengkai(a)huawei.com>, <xiexiuqi(a)huawei.com>,
<yi.zhang(a)huawei.com>, <patchwork(a)huawei.com>, <kernel.openeuler(a)huawei.com>,
<houtao1(a)huawei.com>
Subject: [PATCH OLK-5.10 v2 132/308] doc: cifsd: change the reference to
configuration.txt
Date: Mon, 14 Nov 2022 20:50:41 +0800
Message-ID: <20221114125337.1831594-133-yanaijie(a)huawei.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20221114125337.1831594-1-yanaijie(a)huawei.com>
References: <20221114125337.1831594-1-yanaijie(a)huawei.com>
Content-Type: text/plain
MIME-Version: 1.0
From: Mauro Carvalho Chehab <mchehab+huawei(a)kernel.org>
mainline inclusion
from mainline-5.15-rc1
commit 9cca7516f4c6373223d6059f1a69548fed74c5ed
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G
CVE: NA
Reference: https://git.kernel.org/torvalds/linux/c/9cca7516f4c6
-------------------------------
added documentation for cifsd. There, it points to a file
named:
Documentation/configuration.txt
This confuses Kernel scripts, as they think that this is a
document within the Kernel tree, instead of a file from
some other place.
Replace it by a hyperlink to the ksmbd-tools tree, in order
to avoid false-positives.
Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei(a)kernel.org>
Signed-off-by: Namjae Jeon <namjae.jeon(a)samsung.com>
Signed-off-by: Steve French <stfrench(a)microsoft.com>
Signed-off-by: Jason Yan <yanaijie(a)huawei.com>
---
Documentation/filesystems/cifs/cifsd.rst | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/Documentation/filesystems/cifs/cifsd.rst b/Documentation/filesystems/cifs/cifsd.rst
index 48ae58f2a53c..cb9f87b8529f 100644
--- a/Documentation/filesystems/cifs/cifsd.rst
+++ b/Documentation/filesystems/cifs/cifsd.rst
@@ -114,8 +114,8 @@ How to run
# ksmbd.adduser -a <Enter USERNAME for SMB share access>
3. Create /etc/ksmbd/smb.conf file, add SMB share in smb.conf file
- - Refer smb.conf.example and Documentation/configuration.txt
- in ksmbd-tools
+ - Refer smb.conf.example and
+ https://github.com/cifsd-team/ksmbd-tools/blob/master/Documentation/configu…
4. Insert ksmbd.ko module
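Review bot: the two `+` lines drop the words "in ksmbd-tools", so step 3 no longer says where smb.conf.example lives and the reader has to infer it from the URL. Suggest keeping the phrase, for example "Refer smb.conf.example in ksmbd-tools and" followed by the link. The link also targets `blob/master`, which moves with the branch; a tag or commit-pinned URL would keep the reference stable for this kernel version.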
From patchwork Mon Nov 14 12:50:42 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Jason Yan <yanaijie(a)huawei.com>
X-Patchwork-Id: 183230
Return-Path: <yanaijie(a)huawei.com>
From: Jason Yan <yanaijie(a)huawei.com>
To: <yanaijie(a)huawei.com>, <zhengzengkai(a)huawei.com>, <xiexiuqi(a)huawei.com>,
<yi.zhang(a)huawei.com>, <patchwork(a)huawei.com>, <kernel.openeuler(a)huawei.com>,
<houtao1(a)huawei.com>
Subject: [PATCH OLK-5.10 v2 133/308] cifsd: add ksmbd/nfsd interoperability to
feature table
Date: Mon, 14 Nov 2022 20:50:42 +0800
Message-ID: <20221114125337.1831594-134-yanaijie(a)huawei.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20221114125337.1831594-1-yanaijie(a)huawei.com>
References: <20221114125337.1831594-1-yanaijie(a)huawei.com>
Content-Type: text/plain
MIME-Version: 1.0
From: Namjae Jeon <namjae.jeon(a)samsung.com>
mainline inclusion
from mainline-5.15-rc1
commit 204fcceb7ccf43034da8e97078153c7c6d0bc84d
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G
CVE: NA
Reference: https://git.kernel.org/torvalds/linux/c/204fcceb7ccf
-------------------------------
Add ksmbd/nfsd interoperability to feature table and sync with a table in
patch cover letter.
Signed-off-by: Namjae Jeon <namjae.jeon(a)samsung.com>
Signed-off-by: Steve French <stfrench(a)microsoft.com>
Signed-off-by: Jason Yan <yanaijie(a)huawei.com>
---
Documentation/filesystems/cifs/cifsd.rst | 32 ++++++++++++++++--------
1 file changed, 22 insertions(+), 10 deletions(-)
diff --git a/Documentation/filesystems/cifs/cifsd.rst b/Documentation/filesystems/cifs/cifsd.rst
index cb9f87b8529f..01a0be272ce6 100644
--- a/Documentation/filesystems/cifs/cifsd.rst
+++ b/Documentation/filesystems/cifs/cifsd.rst
@@ -67,7 +67,8 @@ CIFSD Feature Status
Feature name Status
============================== =================================================
Dialects Supported. SMB2.1 SMB3.0, SMB3.1.1 dialects
- excluding security vulnerable SMB1.
+ (intentionally excludes security vulnerable SMB1
+ dialect).
Auto Negotiation Supported.
Compound Request Supported.
Oplock Cache Mechanism Supported.
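Review bot: the unchanged line just above the edit still reads "SMB2.1 SMB3.0, SMB3.1.1" with the comma missing after SMB2.1; since this row is being reworded anyway, fix the dialect list in the same change.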
@@ -79,26 +80,37 @@ HMAC-SHA256 Signing Supported.
Secure negotiate Supported.
Signing Update Supported.
Pre-authentication integrity Supported.
-SMB3 encryption(CCM, GCM) Supported.
-SMB direct(RDMA) Partial Supported. SMB3 Multi-channel is required
- to connect to Windows client.
+SMB3 encryption(CCM, GCM) Supported. (CCM and GCM128 supported, GCM256 in
+ progress)
+SMB direct(RDMA) Partially Supported. SMB3 Multi-channel is
+ required to connect to Windows client.
SMB3 Multi-channel In Progress.
SMB3.1.1 POSIX extension Supported.
-ACLs Partial Supported. only DACLs available, SACLs is
- planned for future. ksmbd generate random subauth
+ACLs Partially Supported. only DACLs available, SACLs
+ (auditing) is planned for the future. For
+ ownership (SIDs) ksmbd generates random subauth
values(then store it to disk) and use uid/gid
get from inode as RID for local domain SID.
The current acl implementation is limited to
standalone server, not a domain member.
+ Integration with Samba tools is being worked on
+ to allow future support for running as a domain
+ member.
Kerberos Supported.
Durable handle v1,v2 Planned for future.
Persistent handle Planned for future.
SMB2 notify Planned for future.
Sparse file support Supported.
-DCE/RPC support Partial Supported. a few calls(NetShareEnumAll,
- NetServerGetInfo, SAMR, LSARPC) that needed as
- file server via netlink interface from
- ksmbd.mountd.
+DCE/RPC support Partially Supported. a few calls(NetShareEnumAll,
+ NetServerGetInfo, SAMR, LSARPC) that are needed
+ for file server handled via netlink interface
+ from ksmbd.mountd. Additional integration with
+ Samba tools and libraries via upcall is being
+ investigated to allow support for additional
+ DCE/RPC management calls (and future support
+ for Witness protocol e.g.)
+ksmbd/nfsd interoperability Planned for future. The features that ksmbd
+ support are Leases, Notify, ACLs and Share modes.
============================== =================================================
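Review bot: the new ksmbd/nfsd interoperability row says "Planned for future" and then "The features that ksmbd support are Leases, Notify, ACLs and Share modes", yet the table still lists "SMB2 notify" as "Planned for future" a few rows above; state whether that list is what interoperability will cover or what works today. In the encryption row the status stays "Supported." while the parenthesis says GCM256 is in progress, so an administrator scanning the status column could assume the 256-bit cipher is available; consider "Partially Supported" or naming the supported ciphers in the status itself. "for Witness protocol e.g.)" would also read better as "(e.g. the Witness protocol)".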
From patchwork Mon Nov 14 12:50:43 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Jason Yan <yanaijie(a)huawei.com>
X-Patchwork-Id: 183231
Return-Path: <yanaijie(a)huawei.com>
From: Jason Yan <yanaijie(a)huawei.com>
To: <yanaijie(a)huawei.com>, <zhengzengkai(a)huawei.com>, <xiexiuqi(a)huawei.com>,
<yi.zhang(a)huawei.com>, <patchwork(a)huawei.com>, <kernel.openeuler(a)huawei.com>,
<houtao1(a)huawei.com>
Subject: [PATCH OLK-5.10 v2 134/308] cifsd: fix WARNING: document isn't
included in any toctree
Date: Mon, 14 Nov 2022 20:50:43 +0800
Message-ID: <20221114125337.1831594-135-yanaijie(a)huawei.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20221114125337.1831594-1-yanaijie(a)huawei.com>
References: <20221114125337.1831594-1-yanaijie(a)huawei.com>
Content-Type: text/plain
MIME-Version: 1.0
From: Namjae Jeon <namjae.jeon(a)samsung.com>
mainline inclusion
from mainline-5.15-rc1
commit 42da4086b987fbb35562e93e534e57ad3f81f855
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G
CVE: NA
Reference: https://git.kernel.org/torvalds/linux/c/42da4086b987
-------------------------------
Stephen reported a warning message from cifsd.rst file.
Documentation/filesystems/cifs/cifsd.rst: WARNING: document isn't
included in any toctree
Reported-by: Stephen Rothwell <sfr(a)canb.auug.org.au>
Signed-off-by: Namjae Jeon <namjae.jeon(a)samsung.com>
Signed-off-by: Steve French <stfrench(a)microsoft.com>
Signed-off-by: Jason Yan <yanaijie(a)huawei.com>
---
Documentation/filesystems/index.rst | 1 +
1 file changed, 1 insertion(+)
diff --git a/Documentation/filesystems/index.rst b/Documentation/filesystems/index.rst
index 757684537248..fa9a4a5a15ba 100644
--- a/Documentation/filesystems/index.rst
+++ b/Documentation/filesystems/index.rst
@@ -71,6 +71,7 @@ Documentation for filesystem implementations.
befs
bfs
btrfs
+ cifs/cifsd
cifs/cifsroot
ceph
coda
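Review bot: `cifs/cifsd` is added next to `cifs/cifsroot`, which keeps the cifs entries together, but both sit ahead of `ceph`, so the toctree is not in alphabetical order at this point. If the list is meant to be sorted, move the cifs entries below `ceph`; otherwise the one-line addition is fine as is.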
From patchwork Mon Nov 14 12:50:44 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Jason Yan <yanaijie(a)huawei.com>
X-Patchwork-Id: 183232
Return-Path: <yanaijie(a)huawei.com>
From: Jason Yan <yanaijie(a)huawei.com>
To: <yanaijie(a)huawei.com>, <zhengzengkai(a)huawei.com>, <xiexiuqi(a)huawei.com>,
<yi.zhang(a)huawei.com>, <patchwork(a)huawei.com>, <kernel.openeuler(a)huawei.com>,
<houtao1(a)huawei.com>
Subject: [PATCH OLK-5.10 v2 135/308] cifsd: add index.rst in cifs
documentation
Date: Mon, 14 Nov 2022 20:50:44 +0800
Message-ID: <20221114125337.1831594-136-yanaijie(a)huawei.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20221114125337.1831594-1-yanaijie(a)huawei.com>
References: <20221114125337.1831594-1-yanaijie(a)huawei.com>
Content-Type: text/plain
MIME-Version: 1.0
From: Namjae Jeon <namjae.jeon(a)samsung.com>
mainline inclusion
from mainline-5.15-rc1
commit 04165366515a2ba36c78540da776d3a12164f824
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G
CVE: NA
Reference: https://git.kernel.org/torvalds/linux/c/04165366515a
-------------------------------
Since more than one file is in the cifs document directory,
this patch adds an index.rst.
Signed-off-by: Namjae Jeon <namjae.jeon(a)samsung.com>
Signed-off-by: Steve French <stfrench(a)microsoft.com>
Signed-off-by: Jason Yan <yanaijie(a)huawei.com>
---
Documentation/filesystems/cifs/index.rst | 10 ++++++++++
Documentation/filesystems/index.rst | 3 +--
2 files changed, 11 insertions(+), 2 deletions(-)
create mode 100644 Documentation/filesystems/cifs/index.rst
diff --git a/Documentation/filesystems/cifs/index.rst b/Documentation/filesystems/cifs/index.rst
new file mode 100644
index 000000000000..e762586b5dc7
--- /dev/null
+++ b/Documentation/filesystems/cifs/index.rst
@@ -0,0 +1,10 @@
+===============================
+CIFS
+===============================
+
+
+.. toctree::
+ :maxdepth: 1
+
+ cifsd
+ cifsroot
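Review bot: the new index.rst starts directly with the title and has no `.. SPDX-License-Identifier:` comment, while the sibling cifsd.rst carries `.. SPDX-License-Identifier: GPL-2.0` as its first line (visible as context in the rename patch later in this series). Add the same line at the top of the new file. The two blank `+` lines before `.. toctree::` can also be reduced to one.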
diff --git a/Documentation/filesystems/index.rst b/Documentation/filesystems/index.rst
index fa9a4a5a15ba..fe691c6c83fd 100644
--- a/Documentation/filesystems/index.rst
+++ b/Documentation/filesystems/index.rst
@@ -71,8 +71,7 @@ Documentation for filesystem implementations.
befs
bfs
btrfs
- cifs/cifsd
- cifs/cifsroot
+ cifs/index
ceph
coda
configfs
From patchwork Mon Nov 14 12:50:45 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Jason Yan <yanaijie(a)huawei.com>
X-Patchwork-Id: 183233
Return-Path: <yanaijie(a)huawei.com>
From: Jason Yan <yanaijie(a)huawei.com>
To: <yanaijie(a)huawei.com>, <zhengzengkai(a)huawei.com>, <xiexiuqi(a)huawei.com>,
<yi.zhang(a)huawei.com>, <patchwork(a)huawei.com>, <kernel.openeuler(a)huawei.com>,
<houtao1(a)huawei.com>
Subject: [PATCH OLK-5.10 v2 136/308] ksmbd: move fs/cifsd to fs/ksmbd
Date: Mon, 14 Nov 2022 20:50:45 +0800
Message-ID: <20221114125337.1831594-137-yanaijie(a)huawei.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20221114125337.1831594-1-yanaijie(a)huawei.com>
References: <20221114125337.1831594-1-yanaijie(a)huawei.com>
Content-Type: text/plain
MIME-Version: 1.0
From: Namjae Jeon <namjae.jeon(a)samsung.com>
mainline inclusion
from mainline-5.15-rc1
commit 1a93084b9a89818aec0ac7b59a5a51f2112bf203
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G
CVE: NA
Reference: https://git.kernel.org/torvalds/linux/c/1a93084b9a89
-------------------------------
Move fs/cifsd to fs/ksmbd and rename the remaining cifsd name to ksmbd.
Reviewed-by: Christoph Hellwig <hch(a)lst.de>
Signed-off-by: Namjae Jeon <namjae.jeon(a)samsung.com>
Signed-off-by: Steve French <stfrench(a)microsoft.com>
Signed-off-by: Jason Yan <yanaijie(a)huawei.com>
---
Documentation/filesystems/cifs/index.rst | 2 +-
.../filesystems/cifs/{cifsd.rst => ksmbd.rst} | 10 +++++-----
fs/{cifsd => ksmbd}/asn1.c | 0
fs/{cifsd => ksmbd}/asn1.h | 0
fs/{cifsd => ksmbd}/auth.c | 0
fs/{cifsd => ksmbd}/auth.h | 0
fs/{cifsd => ksmbd}/connection.c | 0
fs/{cifsd => ksmbd}/connection.h | 0
fs/{cifsd => ksmbd}/crypto_ctx.c | 0
fs/{cifsd => ksmbd}/crypto_ctx.h | 0
fs/{cifsd => ksmbd}/glob.h | 0
fs/{cifsd => ksmbd}/ksmbd_server.h | 0
fs/{cifsd => ksmbd}/ksmbd_spnego_negtokeninit.asn1 | 0
fs/{cifsd => ksmbd}/ksmbd_spnego_negtokentarg.asn1 | 0
fs/{cifsd => ksmbd}/ksmbd_work.c | 0
fs/{cifsd => ksmbd}/ksmbd_work.h | 0
fs/{cifsd => ksmbd}/mgmt/ksmbd_ida.c | 0
fs/{cifsd => ksmbd}/mgmt/ksmbd_ida.h | 0
fs/{cifsd => ksmbd}/mgmt/share_config.c | 0
fs/{cifsd => ksmbd}/mgmt/share_config.h | 0
fs/{cifsd => ksmbd}/mgmt/tree_connect.c | 0
fs/{cifsd => ksmbd}/mgmt/tree_connect.h | 0
fs/{cifsd => ksmbd}/mgmt/user_config.c | 0
fs/{cifsd => ksmbd}/mgmt/user_config.h | 0
fs/{cifsd => ksmbd}/mgmt/user_session.c | 0
fs/{cifsd => ksmbd}/mgmt/user_session.h | 0
fs/{cifsd => ksmbd}/misc.c | 0
fs/{cifsd => ksmbd}/misc.h | 0
fs/{cifsd => ksmbd}/ndr.c | 0
fs/{cifsd => ksmbd}/ndr.h | 0
fs/{cifsd => ksmbd}/nterr.h | 0
fs/{cifsd => ksmbd}/ntlmssp.h | 0
fs/{cifsd => ksmbd}/oplock.c | 0
fs/{cifsd => ksmbd}/oplock.h | 0
fs/{cifsd => ksmbd}/server.c | 0
fs/{cifsd => ksmbd}/server.h | 0
fs/{cifsd => ksmbd}/smb2misc.c | 0
fs/{cifsd => ksmbd}/smb2ops.c | 0
fs/{cifsd => ksmbd}/smb2pdu.c | 0
fs/{cifsd => ksmbd}/smb2pdu.h | 0
fs/{cifsd => ksmbd}/smb_common.c | 0
fs/{cifsd => ksmbd}/smb_common.h | 0
fs/{cifsd => ksmbd}/smbacl.c | 0
fs/{cifsd => ksmbd}/smbacl.h | 0
fs/{cifsd => ksmbd}/smbfsctl.h | 0
fs/{cifsd => ksmbd}/smbstatus.h | 0
fs/{cifsd => ksmbd}/transport_ipc.c | 0
fs/{cifsd => ksmbd}/transport_ipc.h | 0
fs/{cifsd => ksmbd}/transport_rdma.c | 0
fs/{cifsd => ksmbd}/transport_rdma.h | 0
fs/{cifsd => ksmbd}/transport_tcp.c | 0
fs/{cifsd => ksmbd}/transport_tcp.h | 0
fs/{cifsd => ksmbd}/unicode.c | 0
fs/{cifsd => ksmbd}/unicode.h | 0
fs/{cifsd => ksmbd}/uniupr.h | 0
fs/{cifsd => ksmbd}/vfs.c | 0
fs/{cifsd => ksmbd}/vfs.h | 0
fs/{cifsd => ksmbd}/vfs_cache.c | 0
fs/{cifsd => ksmbd}/vfs_cache.h | 0
59 files changed, 6 insertions(+), 6 deletions(-)
rename Documentation/filesystems/cifs/{cifsd.rst => ksmbd.rst} (98%)
rename fs/{cifsd => ksmbd}/asn1.c (100%)
rename fs/{cifsd => ksmbd}/asn1.h (100%)
rename fs/{cifsd => ksmbd}/auth.c (100%)
rename fs/{cifsd => ksmbd}/auth.h (100%)
rename fs/{cifsd => ksmbd}/connection.c (100%)
rename fs/{cifsd => ksmbd}/connection.h (100%)
rename fs/{cifsd => ksmbd}/crypto_ctx.c (100%)
rename fs/{cifsd => ksmbd}/crypto_ctx.h (100%)
rename fs/{cifsd => ksmbd}/glob.h (100%)
rename fs/{cifsd => ksmbd}/ksmbd_server.h (100%)
rename fs/{cifsd => ksmbd}/ksmbd_spnego_negtokeninit.asn1 (100%)
rename fs/{cifsd => ksmbd}/ksmbd_spnego_negtokentarg.asn1 (100%)
rename fs/{cifsd => ksmbd}/ksmbd_work.c (100%)
rename fs/{cifsd => ksmbd}/ksmbd_work.h (100%)
rename fs/{cifsd => ksmbd}/mgmt/ksmbd_ida.c (100%)
rename fs/{cifsd => ksmbd}/mgmt/ksmbd_ida.h (100%)
rename fs/{cifsd => ksmbd}/mgmt/share_config.c (100%)
rename fs/{cifsd => ksmbd}/mgmt/share_config.h (100%)
rename fs/{cifsd => ksmbd}/mgmt/tree_connect.c (100%)
rename fs/{cifsd => ksmbd}/mgmt/tree_connect.h (100%)
rename fs/{cifsd => ksmbd}/mgmt/user_config.c (100%)
rename fs/{cifsd => ksmbd}/mgmt/user_config.h (100%)
rename fs/{cifsd => ksmbd}/mgmt/user_session.c (100%)
rename fs/{cifsd => ksmbd}/mgmt/user_session.h (100%)
rename fs/{cifsd => ksmbd}/misc.c (100%)
rename fs/{cifsd => ksmbd}/misc.h (100%)
rename fs/{cifsd => ksmbd}/ndr.c (100%)
rename fs/{cifsd => ksmbd}/ndr.h (100%)
rename fs/{cifsd => ksmbd}/nterr.h (100%)
rename fs/{cifsd => ksmbd}/ntlmssp.h (100%)
rename fs/{cifsd => ksmbd}/oplock.c (100%)
rename fs/{cifsd => ksmbd}/oplock.h (100%)
rename fs/{cifsd => ksmbd}/server.c (100%)
rename fs/{cifsd => ksmbd}/server.h (100%)
rename fs/{cifsd => ksmbd}/smb2misc.c (100%)
rename fs/{cifsd => ksmbd}/smb2ops.c (100%)
rename fs/{cifsd => ksmbd}/smb2pdu.c (100%)
rename fs/{cifsd => ksmbd}/smb2pdu.h (100%)
rename fs/{cifsd => ksmbd}/smb_common.c (100%)
rename fs/{cifsd => ksmbd}/smb_common.h (100%)
rename fs/{cifsd => ksmbd}/smbacl.c (100%)
rename fs/{cifsd => ksmbd}/smbacl.h (100%)
rename fs/{cifsd => ksmbd}/smbfsctl.h (100%)
rename fs/{cifsd => ksmbd}/smbstatus.h (100%)
rename fs/{cifsd => ksmbd}/transport_ipc.c (100%)
rename fs/{cifsd => ksmbd}/transport_ipc.h (100%)
rename fs/{cifsd => ksmbd}/transport_rdma.c (100%)
rename fs/{cifsd => ksmbd}/transport_rdma.h (100%)
rename fs/{cifsd => ksmbd}/transport_tcp.c (100%)
rename fs/{cifsd => ksmbd}/transport_tcp.h (100%)
rename fs/{cifsd => ksmbd}/unicode.c (100%)
rename fs/{cifsd => ksmbd}/unicode.h (100%)
rename fs/{cifsd => ksmbd}/uniupr.h (100%)
rename fs/{cifsd => ksmbd}/vfs.c (100%)
rename fs/{cifsd => ksmbd}/vfs.h (100%)
rename fs/{cifsd => ksmbd}/vfs_cache.c (100%)
rename fs/{cifsd => ksmbd}/vfs_cache.h (100%)
diff --git a/Documentation/filesystems/cifs/index.rst b/Documentation/filesystems/cifs/index.rst
index e762586b5dc7..1c8597a679ab 100644
--- a/Documentation/filesystems/cifs/index.rst
+++ b/Documentation/filesystems/cifs/index.rst
@@ -6,5 +6,5 @@ CIFS
.. toctree::
:maxdepth: 1
- cifsd
+ ksmbd
cifsroot
diff --git a/Documentation/filesystems/cifs/cifsd.rst b/Documentation/filesystems/cifs/ksmbd.rst
similarity index 98%
rename from Documentation/filesystems/cifs/cifsd.rst
rename to Documentation/filesystems/cifs/ksmbd.rst
index 01a0be272ce6..1e111efecd45 100644
--- a/Documentation/filesystems/cifs/cifsd.rst
+++ b/Documentation/filesystems/cifs/ksmbd.rst
@@ -1,13 +1,13 @@
.. SPDX-License-Identifier: GPL-2.0
==========================
-CIFSD - SMB3 Kernel Server
+KSMBD - SMB3 Kernel Server
==========================
-CIFSD is a linux kernel server which implements SMB3 protocol in kernel space
+KSMBD is a linux kernel server which implements SMB3 protocol in kernel space
for sharing files over network.
-CIFSD architecture
+KSMBD architecture
==================
The subset of performance related operations belong in kernelspace and
@@ -60,7 +60,7 @@ NetServerGetInfo. Complete DCE/RPC response is prepared from the user space
and passed over to the associated kernel thread for the client.
-CIFSD Feature Status
+KSMBD Feature Status
====================
============================== =================================================
@@ -138,7 +138,7 @@ How to run
6. Access share from Windows or Linux using CIFS
-Shutdown CIFSD
+Shutdown KSMBD
==============
1. kill user and kernel space daemon
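Review bot: the commit message says the remaining cifsd names are renamed to ksmbd, but the only text changes are the five heading and sentence edits in ksmbd.rst plus the toctree entry; every file under fs/ is listed as a 100% rename, and the diffstat shows no fs/Makefile, fs/Kconfig or MAINTAINERS update. If anything outside the moved directory refers to fs/cifsd or to cifs/cifsd.rst, it will dangle after this patch, so it is worth grepping the tree for "cifsd" before merging. In the first ksmbd.rst hunk, "linux kernel server" could be capitalised as "Linux" while the sentence is being touched.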
diff --git a/fs/cifsd/asn1.c b/fs/ksmbd/asn1.c
similarity index 100%
rename from fs/cifsd/asn1.c
rename to fs/ksmbd/asn1.c
diff --git a/fs/cifsd/asn1.h b/fs/ksmbd/asn1.h
similarity index 100%
rename from fs/cifsd/asn1.h
rename to fs/ksmbd/asn1.h
diff --git a/fs/cifsd/auth.c b/fs/ksmbd/auth.c
similarity index 100%
rename from fs/cifsd/auth.c
rename to fs/ksmbd/auth.c
diff --git a/fs/cifsd/auth.h b/fs/ksmbd/auth.h
similarity index 100%
rename from fs/cifsd/auth.h
rename to fs/ksmbd/auth.h
diff --git a/fs/cifsd/connection.c b/fs/ksmbd/connection.c
similarity index 100%
rename from fs/cifsd/connection.c
rename to fs/ksmbd/connection.c
diff --git a/fs/cifsd/connection.h b/fs/ksmbd/connection.h
similarity index 100%
rename from fs/cifsd/connection.h
rename to fs/ksmbd/connection.h
diff --git a/fs/cifsd/crypto_ctx.c b/fs/ksmbd/crypto_ctx.c
similarity index 100%
rename from fs/cifsd/crypto_ctx.c
rename to fs/ksmbd/crypto_ctx.c
diff --git a/fs/cifsd/crypto_ctx.h b/fs/ksmbd/crypto_ctx.h
similarity index 100%
rename from fs/cifsd/crypto_ctx.h
rename to fs/ksmbd/crypto_ctx.h
diff --git a/fs/cifsd/glob.h b/fs/ksmbd/glob.h
similarity index 100%
rename from fs/cifsd/glob.h
rename to fs/ksmbd/glob.h
diff --git a/fs/cifsd/ksmbd_server.h b/fs/ksmbd/ksmbd_server.h
similarity index 100%
rename from fs/cifsd/ksmbd_server.h
rename to fs/ksmbd/ksmbd_server.h
diff --git a/fs/cifsd/ksmbd_spnego_negtokeninit.asn1 b/fs/ksmbd/ksmbd_spnego_negtokeninit.asn1
similarity index 100%
rename from fs/cifsd/ksmbd_spnego_negtokeninit.asn1
rename to fs/ksmbd/ksmbd_spnego_negtokeninit.asn1
diff --git a/fs/cifsd/ksmbd_spnego_negtokentarg.asn1 b/fs/ksmbd/ksmbd_spnego_negtokentarg.asn1
similarity index 100%
rename from fs/cifsd/ksmbd_spnego_negtokentarg.asn1
rename to fs/ksmbd/ksmbd_spnego_negtokentarg.asn1
diff --git a/fs/cifsd/ksmbd_work.c b/fs/ksmbd/ksmbd_work.c
similarity index 100%
rename from fs/cifsd/ksmbd_work.c
rename to fs/ksmbd/ksmbd_work.c
diff --git a/fs/cifsd/ksmbd_work.h b/fs/ksmbd/ksmbd_work.h
similarity index 100%
rename from fs/cifsd/ksmbd_work.h
rename to fs/ksmbd/ksmbd_work.h
diff --git a/fs/cifsd/mgmt/ksmbd_ida.c b/fs/ksmbd/mgmt/ksmbd_ida.c
similarity index 100%
rename from fs/cifsd/mgmt/ksmbd_ida.c
rename to fs/ksmbd/mgmt/ksmbd_ida.c
diff --git a/fs/cifsd/mgmt/ksmbd_ida.h b/fs/ksmbd/mgmt/ksmbd_ida.h
similarity index 100%
rename from fs/cifsd/mgmt/ksmbd_ida.h
rename to fs/ksmbd/mgmt/ksmbd_ida.h
diff --git a/fs/cifsd/mgmt/share_config.c b/fs/ksmbd/mgmt/share_config.c
similarity index 100%
rename from fs/cifsd/mgmt/share_config.c
rename to fs/ksmbd/mgmt/share_config.c
diff --git a/fs/cifsd/mgmt/share_config.h b/fs/ksmbd/mgmt/share_config.h
similarity index 100%
rename from fs/cifsd/mgmt/share_config.h
rename to fs/ksmbd/mgmt/share_config.h
diff --git a/fs/cifsd/mgmt/tree_connect.c b/fs/ksmbd/mgmt/tree_connect.c
similarity index 100%
rename from fs/cifsd/mgmt/tree_connect.c
rename to fs/ksmbd/mgmt/tree_connect.c
diff --git a/fs/cifsd/mgmt/tree_connect.h b/fs/ksmbd/mgmt/tree_connect.h
similarity index 100%
rename from fs/cifsd/mgmt/tree_connect.h
rename to fs/ksmbd/mgmt/tree_connect.h
diff --git a/fs/cifsd/mgmt/user_config.c b/fs/ksmbd/mgmt/user_config.c
similarity index 100%
rename from fs/cifsd/mgmt/user_config.c
rename to fs/ksmbd/mgmt/user_config.c
diff --git a/fs/cifsd/mgmt/user_config.h b/fs/ksmbd/mgmt/user_config.h
similarity index 100%
rename from fs/cifsd/mgmt/user_config.h
rename to fs/ksmbd/mgmt/user_config.h
diff --git a/fs/cifsd/mgmt/user_session.c b/fs/ksmbd/mgmt/user_session.c
similarity index 100%
rename from fs/cifsd/mgmt/user_session.c
rename to fs/ksmbd/mgmt/user_session.c
diff --git a/fs/cifsd/mgmt/user_session.h b/fs/ksmbd/mgmt/user_session.h
similarity index 100%
rename from fs/cifsd/mgmt/user_session.h
rename to fs/ksmbd/mgmt/user_session.h
diff --git a/fs/cifsd/misc.c b/fs/ksmbd/misc.c
similarity index 100%
rename from fs/cifsd/misc.c
rename to fs/ksmbd/misc.c
diff --git a/fs/cifsd/misc.h b/fs/ksmbd/misc.h
similarity index 100%
rename from fs/cifsd/misc.h
rename to fs/ksmbd/misc.h
diff --git a/fs/cifsd/ndr.c b/fs/ksmbd/ndr.c
similarity index 100%
rename from fs/cifsd/ndr.c
rename to fs/ksmbd/ndr.c
diff --git a/fs/cifsd/ndr.h b/fs/ksmbd/ndr.h
similarity index 100%
rename from fs/cifsd/ndr.h
rename to fs/ksmbd/ndr.h
diff --git a/fs/cifsd/nterr.h b/fs/ksmbd/nterr.h
similarity index 100%
rename from fs/cifsd/nterr.h
rename to fs/ksmbd/nterr.h
diff --git a/fs/cifsd/ntlmssp.h b/fs/ksmbd/ntlmssp.h
similarity index 100%
rename from fs/cifsd/ntlmssp.h
rename to fs/ksmbd/ntlmssp.h
diff --git a/fs/cifsd/oplock.c b/fs/ksmbd/oplock.c
similarity index 100%
rename from fs/cifsd/oplock.c
rename to fs/ksmbd/oplock.c
diff --git a/fs/cifsd/oplock.h b/fs/ksmbd/oplock.h
similarity index 100%
rename from fs/cifsd/oplock.h
rename to fs/ksmbd/oplock.h
diff --git a/fs/cifsd/server.c b/fs/ksmbd/server.c
similarity index 100%
rename from fs/cifsd/server.c
rename to fs/ksmbd/server.c
diff --git a/fs/cifsd/server.h b/fs/ksmbd/server.h
similarity index 100%
rename from fs/cifsd/server.h
rename to fs/ksmbd/server.h
diff --git a/fs/cifsd/smb2misc.c b/fs/ksmbd/smb2misc.c
similarity index 100%
rename from fs/cifsd/smb2misc.c
rename to fs/ksmbd/smb2misc.c
diff --git a/fs/cifsd/smb2ops.c b/fs/ksmbd/smb2ops.c
similarity index 100%
rename from fs/cifsd/smb2ops.c
rename to fs/ksmbd/smb2ops.c
diff --git a/fs/cifsd/smb2pdu.c b/fs/ksmbd/smb2pdu.c
similarity index 100%
rename from fs/cifsd/smb2pdu.c
rename to fs/ksmbd/smb2pdu.c
diff --git a/fs/cifsd/smb2pdu.h b/fs/ksmbd/smb2pdu.h
similarity index 100%
rename from fs/cifsd/smb2pdu.h
rename to fs/ksmbd/smb2pdu.h
diff --git a/fs/cifsd/smb_common.c b/fs/ksmbd/smb_common.c
similarity index 100%
rename from fs/cifsd/smb_common.c
rename to fs/ksmbd/smb_common.c
diff --git a/fs/cifsd/smb_common.h b/fs/ksmbd/smb_common.h
similarity index 100%
rename from fs/cifsd/smb_common.h
rename to fs/ksmbd/smb_common.h
diff --git a/fs/cifsd/smbacl.c b/fs/ksmbd/smbacl.c
similarity index 100%
rename from fs/cifsd/smbacl.c
rename to fs/ksmbd/smbacl.c
diff --git a/fs/cifsd/smbacl.h b/fs/ksmbd/smbacl.h
similarity index 100%
rename from fs/cifsd/smbacl.h
rename to fs/ksmbd/smbacl.h
diff --git a/fs/cifsd/smbfsctl.h b/fs/ksmbd/smbfsctl.h
similarity index 100%
rename from fs/cifsd/smbfsctl.h
rename to fs/ksmbd/smbfsctl.h
diff --git a/fs/cifsd/smbstatus.h b/fs/ksmbd/smbstatus.h
similarity index 100%
rename from fs/cifsd/smbstatus.h
rename to fs/ksmbd/smbstatus.h
diff --git a/fs/cifsd/transport_ipc.c b/fs/ksmbd/transport_ipc.c
similarity index 100%
rename from fs/cifsd/transport_ipc.c
rename to fs/ksmbd/transport_ipc.c
diff --git a/fs/cifsd/transport_ipc.h b/fs/ksmbd/transport_ipc.h
similarity index 100%
rename from fs/cifsd/transport_ipc.h
rename to fs/ksmbd/transport_ipc.h
diff --git a/fs/cifsd/transport_rdma.c b/fs/ksmbd/transport_rdma.c
similarity index 100%
rename from fs/cifsd/transport_rdma.c
rename to fs/ksmbd/transport_rdma.c
diff --git a/fs/cifsd/transport_rdma.h b/fs/ksmbd/transport_rdma.h
similarity index 100%
rename from fs/cifsd/transport_rdma.h
rename to fs/ksmbd/transport_rdma.h
diff --git a/fs/cifsd/transport_tcp.c b/fs/ksmbd/transport_tcp.c
similarity index 100%
rename from fs/cifsd/transport_tcp.c
rename to fs/ksmbd/transport_tcp.c
diff --git a/fs/cifsd/transport_tcp.h b/fs/ksmbd/transport_tcp.h
similarity index 100%
rename from fs/cifsd/transport_tcp.h
rename to fs/ksmbd/transport_tcp.h
diff --git a/fs/cifsd/unicode.c b/fs/ksmbd/unicode.c
similarity index 100%
rename from fs/cifsd/unicode.c
rename to fs/ksmbd/unicode.c
diff --git a/fs/cifsd/unicode.h b/fs/ksmbd/unicode.h
similarity index 100%
rename from fs/cifsd/unicode.h
rename to fs/ksmbd/unicode.h
diff --git a/fs/cifsd/uniupr.h b/fs/ksmbd/uniupr.h
similarity index 100%
rename from fs/cifsd/uniupr.h
rename to fs/ksmbd/uniupr.h
diff --git a/fs/cifsd/vfs.c b/fs/ksmbd/vfs.c
similarity index 100%
rename from fs/cifsd/vfs.c
rename to fs/ksmbd/vfs.c
diff --git a/fs/cifsd/vfs.h b/fs/ksmbd/vfs.h
similarity index 100%
rename from fs/cifsd/vfs.h
rename to fs/ksmbd/vfs.h
diff --git a/fs/cifsd/vfs_cache.c b/fs/ksmbd/vfs_cache.c
similarity index 100%
rename from fs/cifsd/vfs_cache.c
rename to fs/ksmbd/vfs_cache.c
diff --git a/fs/cifsd/vfs_cache.h b/fs/ksmbd/vfs_cache.h
similarity index 100%
rename from fs/cifsd/vfs_cache.h
rename to fs/ksmbd/vfs_cache.h
From patchwork Mon Nov 14 12:50:46 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Jason Yan <yanaijie(a)huawei.com>
X-Patchwork-Id: 183234
Return-Path: <yanaijie(a)huawei.com>
From: Jason Yan <yanaijie(a)huawei.com>
To: <yanaijie(a)huawei.com>, <zhengzengkai(a)huawei.com>, <xiexiuqi(a)huawei.com>,
<yi.zhang(a)huawei.com>, <patchwork(a)huawei.com>, <kernel.openeuler(a)huawei.com>,
<houtao1(a)huawei.com>
Subject: [PATCH OLK-5.10 v2 137/308] ksmbd: factor out a ksmbd_vfs_lock_parent
helper
Date: Mon, 14 Nov 2022 20:50:46 +0800
Message-ID: <20221114125337.1831594-138-yanaijie(a)huawei.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20221114125337.1831594-1-yanaijie(a)huawei.com>
References: <20221114125337.1831594-1-yanaijie(a)huawei.com>
Content-Type: text/plain
MIME-Version: 1.0
From: Hyunchul Lee <hyc.lee(a)gmail.com>
mainline inclusion
from mainline-5.15-rc1
commit 333111a6dc32a2768f581876bdb5ef4231f5084e
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G
CVE: NA
Reference: https://git.kernel.org/torvalds/linux/c/333111a6dc32
-------------------------------
Factor out a self-contained helper to
get stable parent dentry.
Signed-off-by: Hyunchul Lee <hyc.lee(a)gmail.com>
Signed-off-by: Namjae Jeon <namjae.jeon(a)samsung.com>
Signed-off-by: Steve French <stfrench(a)microsoft.com>
Signed-off-by: Jason Yan <yanaijie(a)huawei.com>
---
fs/ksmbd/vfs.c | 125 ++++++++++++++++++++++++-------------------------
1 file changed, 62 insertions(+), 63 deletions(-)
diff --git a/fs/ksmbd/vfs.c b/fs/ksmbd/vfs.c
index fddabb4c7db6..e64eab7a58a8 100644
--- a/fs/ksmbd/vfs.c
+++ b/fs/ksmbd/vfs.c
@@ -60,6 +60,41 @@ static void ksmbd_vfs_inherit_owner(struct ksmbd_work *work,
i_uid_write(inode, i_uid_read(parent_inode));
}
+/**
+ * ksmbd_vfs_lock_parent() - lock parent dentry if it is stable
+ *
+ * the parent dentry got by dget_parent or @parent could be
+ * unstable, we try to lock a parent inode and lookup the
+ * child dentry again.
+ *
+ * the reference count of @parent isn't incremented.
+ */
+static int ksmbd_vfs_lock_parent(struct dentry *parent, struct dentry *child)
+{
+ struct dentry *dentry;
+ int ret = 0;
+
+ inode_lock_nested(d_inode(parent), I_MUTEX_PARENT);
+ dentry = lookup_one_len(child->d_name.name, parent,
+ child->d_name.len);
+ if (IS_ERR(dentry)) {
+ ret = PTR_ERR(dentry);
+ goto out_err;
+ }
+
+ if (dentry != child) {
+ ret = -ESTALE;
+ dput(dentry);
+ goto out_err;
+ }
+
+ dput(dentry);
+ return 0;
+out_err:
+ inode_unlock(d_inode(parent));
+ return ret;
+}
+
int ksmbd_vfs_inode_permission(struct dentry *dentry, int acc_mode, bool delete)
{
int mask, ret = 0;
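Review bot: the kernel-doc for ksmbd_vfs_lock_parent() does not state the locking contract: on a 0 return the parent inode lock is still held and the caller must call inode_unlock(d_inode(parent)), while on any error the helper has already released it. Please document that, add @parent and @child descriptions, and add a Return: line covering -ESTALE and the errors passed through from lookup_one_len(), since the callers converted later in this patch all rely on it.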
@@ -78,29 +113,18 @@ int ksmbd_vfs_inode_permission(struct dentry *dentry, int acc_mode, bool delete)
return -EACCES;
if (delete) {
- struct dentry *child, *parent;
+ struct dentry *parent;
parent = dget_parent(dentry);
- inode_lock_nested(d_inode(parent), I_MUTEX_PARENT);
- child = lookup_one_len(dentry->d_name.name, parent,
- dentry->d_name.len);
- if (IS_ERR(child)) {
- ret = PTR_ERR(child);
- goto out_lock;
- }
-
- if (child != dentry) {
- ret = -ESTALE;
- dput(child);
- goto out_lock;
+ ret = ksmbd_vfs_lock_parent(parent, dentry);
+ if (ret) {
+ dput(parent);
+ return ret;
}
- dput(child);
- if (inode_permission(&init_user_ns, d_inode(parent), MAY_EXEC | MAY_WRITE)) {
+ if (inode_permission(&init_user_ns, d_inode(parent), MAY_EXEC | MAY_WRITE))
ret = -EACCES;
- goto out_lock;
- }
-out_lock:
+
inode_unlock(d_inode(parent));
dput(parent);
}
@@ -109,7 +133,7 @@ int ksmbd_vfs_inode_permission(struct dentry *dentry, int acc_mode, bool delete)
int ksmbd_vfs_query_maximal_access(struct dentry *dentry, __le32 *daccess)
{
- struct dentry *parent, *child;
+ struct dentry *parent;
int ret = 0;
*daccess = cpu_to_le32(FILE_READ_ATTRIBUTES | READ_CONTROL);
@@ -127,25 +151,15 @@ int ksmbd_vfs_query_maximal_access(struct dentry *dentry, __le32 *daccess)
*daccess |= FILE_EXECUTE_LE;
parent = dget_parent(dentry);
- inode_lock_nested(d_inode(parent), I_MUTEX_PARENT);
- child = lookup_one_len(dentry->d_name.name, parent,
- dentry->d_name.len);
- if (IS_ERR(child)) {
- ret = PTR_ERR(child);
- goto out_lock;
- }
-
- if (child != dentry) {
- ret = -ESTALE;
- dput(child);
- goto out_lock;
+ ret = ksmbd_vfs_lock_parent(parent, dentry);
+ if (ret) {
+ dput(parent);
+ return ret;
}
- dput(child);
if (!inode_permission(&init_user_ns, d_inode(parent), MAY_EXEC | MAY_WRITE))
*daccess |= FILE_DELETE_LE;
-out_lock:
inode_unlock(d_inode(parent));
dput(parent);
return ret;
@@ -573,7 +587,7 @@ int ksmbd_vfs_fsync(struct ksmbd_work *work, u64 fid, u64 p_id)
int ksmbd_vfs_remove_file(struct ksmbd_work *work, char *name)
{
struct path path;
- struct dentry *dentry, *parent;
+ struct dentry *parent;
int err;
int flags = 0;
@@ -592,35 +606,32 @@ int ksmbd_vfs_remove_file(struct ksmbd_work *work, char *name)
}
parent = dget_parent(path.dentry);
- inode_lock_nested(d_inode(parent), I_MUTEX_PARENT);
- dentry = lookup_one_len(path.dentry->d_name.name, parent,
- strlen(path.dentry->d_name.name));
- if (IS_ERR(dentry)) {
- err = PTR_ERR(dentry);
- ksmbd_debug(VFS, "%s: lookup failed, err %d\n",
- path.dentry->d_name.name, err);
- goto out_err;
+ err = ksmbd_vfs_lock_parent(parent, path.dentry);
+ if (err) {
+ dput(parent);
+ path_put(&path);
+ ksmbd_revert_fsids(work);
+ return err;
}
- if (!d_inode(dentry) || !d_inode(dentry)->i_nlink) {
- dput(dentry);
+ if (!d_inode(path.dentry)->i_nlink) {
err = -ENOENT;
goto out_err;
}
- if (S_ISDIR(d_inode(dentry)->i_mode)) {
- err = vfs_rmdir(&init_user_ns, d_inode(parent), dentry);
+ if (S_ISDIR(d_inode(path.dentry)->i_mode)) {
+ err = vfs_rmdir(&init_user_ns, d_inode(parent), path.dentry);
if (err && err != -ENOTEMPTY)
ksmbd_debug(VFS, "%s: rmdir failed, err %d\n", name,
err);
} else {
- err = vfs_unlink(&init_user_ns, d_inode(parent), dentry, NULL);
+ err = vfs_unlink(&init_user_ns, d_inode(parent), path.dentry,
+ NULL);
if (err)
ksmbd_debug(VFS, "%s: unlink failed, err %d\n", name,
err);
}
- dput(dentry);
out_err:
inode_unlock(d_inode(parent));
dput(parent);
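Review bot: the i_nlink test in ksmbd_vfs_remove_file() now dereferences d_inode(path.dentry) without the NULL check the old code had (`!d_inode(dentry) || !d_inode(dentry)->i_nlink`). If the reasoning is that path.dentry is pinned and ksmbd_vfs_lock_parent() has just confirmed it is still the child found under parent, so it cannot be negative here, please say so in a comment or in the commit message; otherwise keep the NULL test. The new early-return path also drops the "lookup failed" ksmbd_debug() message, which was the only trace of a failed or stale lookup at this site.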
@@ -1086,30 +1097,18 @@ int ksmbd_vfs_remove_xattr(struct dentry *dentry, char *attr_name)
int ksmbd_vfs_unlink(struct dentry *dir, struct dentry *dentry)
{
- struct dentry *child;
int err = 0;
- inode_lock_nested(d_inode(dir), I_MUTEX_PARENT);
+ err = ksmbd_vfs_lock_parent(dir, dentry);
+ if (err)
+ return err;
dget(dentry);
- child = lookup_one_len(dentry->d_name.name, dir, dentry->d_name.len);
- if (IS_ERR(child)) {
- err = PTR_ERR(child);
- goto out;
- }
-
- if (child != dentry) {
- err = -ESTALE;
- dput(child);
- goto out;
- }
- dput(child);
if (S_ISDIR(d_inode(dentry)->i_mode))
err = vfs_rmdir(&init_user_ns, d_inode(dir), dentry);
else
err = vfs_unlink(&init_user_ns, d_inode(dir), dentry, NULL);
-out:
dput(dentry);
inode_unlock(d_inode(dir));
if (err)
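Review bot: in ksmbd_vfs_unlink() the initializer in `int err = 0;` is now dead, because err is assigned from ksmbd_vfs_lock_parent() in the next statement; drop it. The bare `return err;` is only correct because the helper releases the parent lock on failure, where the old code unlocked at the `out:` label, so a one-line comment at the early return would help the next reader.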
From patchwork Mon Nov 14 12:50:47 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Jason Yan <yanaijie(a)huawei.com>
X-Patchwork-Id: 183235
Return-Path: <yanaijie(a)huawei.com>
From: Jason Yan <yanaijie(a)huawei.com>
To: <yanaijie(a)huawei.com>, <zhengzengkai(a)huawei.com>, <xiexiuqi(a)huawei.com>,
<yi.zhang(a)huawei.com>, <patchwork(a)huawei.com>, <kernel.openeuler(a)huawei.com>,
<houtao1(a)huawei.com>
Subject: [PATCH OLK-5.10 v2 138/308] ksmbd: set MAY_* flags together with open
flags
Date: Mon, 14 Nov 2022 20:50:47 +0800
Message-ID: <20221114125337.1831594-139-yanaijie(a)huawei.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20221114125337.1831594-1-yanaijie(a)huawei.com>
References: <20221114125337.1831594-1-yanaijie(a)huawei.com>
Content-Type: text/plain
MIME-Version: 1.0
From: Hyunchul Lee <hyc.lee(a)gmail.com>
mainline inclusion
from mainline-v5.15-rc1
commit 6c5e36d13e2a338ed611d2bcc6c615dd0550b17d
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G
CVE: NA
Reference: https://git.kernel.org/torvalds/linux/c/6c5e36d13e2a
set MAY_* flags together with open flags and
remove ksmbd_vfs_inode_permission().
Signed-off-by: Hyunchul Lee <hyc.lee(a)gmail.com>
Signed-off-by: Namjae Jeon <namjae.jeon(a)samsung.com>
Signed-off-by: Steve French <stfrench(a)microsoft.com>
Signed-off-by: Jason Yan <yanaijie(a)huawei.com>
---
fs/ksmbd/smb2pdu.c | 38 ++++++++++++++++++++++++--------------
fs/ksmbd/vfs.c | 42 +++++++++++++-----------------------------
fs/ksmbd/vfs.h | 3 +--
3 files changed, 38 insertions(+), 45 deletions(-)
diff --git a/fs/ksmbd/smb2pdu.c b/fs/ksmbd/smb2pdu.c
index 1327ae806b17..25715d57c2bb 100644
--- a/fs/ksmbd/smb2pdu.c
+++ b/fs/ksmbd/smb2pdu.c
@@ -1836,21 +1836,27 @@ int smb2_tree_connect(struct ksmbd_work *work)
* @file_present: is file already present
* @access: file access flags
* @disposition: file disposition flags
+ * @may_flags: set with MAY_ flags
*
* Return: file open flags
*/
static int smb2_create_open_flags(bool file_present, __le32 access,
- __le32 disposition)
+ __le32 disposition,
+ int *may_flags)
{
int oflags = O_NONBLOCK | O_LARGEFILE;
if (access & FILE_READ_DESIRED_ACCESS_LE &&
- access & FILE_WRITE_DESIRE_ACCESS_LE)
+ access & FILE_WRITE_DESIRE_ACCESS_LE) {
oflags |= O_RDWR;
- else if (access & FILE_WRITE_DESIRE_ACCESS_LE)
+ *may_flags = MAY_OPEN | MAY_READ | MAY_WRITE;
+ } else if (access & FILE_WRITE_DESIRE_ACCESS_LE) {
oflags |= O_WRONLY;
- else
+ *may_flags = MAY_OPEN | MAY_WRITE;
+ } else {
oflags |= O_RDONLY;
+ *may_flags = MAY_OPEN | MAY_READ;
+ }
if (access == FILE_READ_ATTRIBUTES_LE)
oflags |= O_PATH;
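Review bot: the new @may_flags line in the smb2_create_open_flags() kernel-doc ("set with MAY_ flags") does not say that it is an output parameter, or that it is overwritten on every call with MAY_OPEN plus the read/write bits matching the chosen O_* access mode. Please spell that out. Note also that a request with neither read nor write desired access takes the final else branch and gets MAY_OPEN | MAY_READ, so the O_PATH case just below (access == FILE_READ_ATTRIBUTES_LE) carries a read mask; a comment that smb2_open() skips inode_permission() for attribute-only opens would show this is intentional.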
@@ -1884,6 +1890,7 @@ static int smb2_create_open_flags(bool file_present, __le32 access,
break;
}
}
+
return oflags;
}
@@ -2355,7 +2362,7 @@ int smb2_open(struct ksmbd_work *work)
struct create_ea_buf_req *ea_buf = NULL;
struct oplock_info *opinfo;
__le32 *next_ptr = NULL;
- int req_op_level = 0, open_flags = 0, file_info = 0;
+ int req_op_level = 0, open_flags = 0, may_flags = 0, file_info = 0;
int rc = 0, len = 0;
int contxt_cnt = 0, query_disk_id = 0;
int maximal_access_ctxt = 0, posix_ctxt = 0;
@@ -2696,7 +2703,8 @@ int smb2_open(struct ksmbd_work *work)
}
open_flags = smb2_create_open_flags(file_present, daccess,
- req->CreateDisposition);
+ req->CreateDisposition,
+ &may_flags);
if (!test_tree_conn_flag(tcon, KSMBD_TREE_CONN_FLAG_WRITABLE)) {
if (open_flags & O_CREAT) {
@@ -2723,21 +2731,23 @@ int smb2_open(struct ksmbd_work *work)
goto err_out;
}
} else if (!already_permitted) {
- bool may_delete;
-
- may_delete = daccess & FILE_DELETE_LE ||
- req->CreateOptions & FILE_DELETE_ON_CLOSE_LE;
-
/* FILE_READ_ATTRIBUTE is allowed without inode_permission,
* because execute(search) permission on a parent directory,
* is already granted.
*/
if (daccess & ~(FILE_READ_ATTRIBUTES_LE | FILE_READ_CONTROL_LE)) {
- rc = ksmbd_vfs_inode_permission(path.dentry,
- open_flags & O_ACCMODE,
- may_delete);
+ rc = inode_permission(&init_user_ns,
+ d_inode(path.dentry),
+ may_flags);
if (rc)
goto err_out;
+
+ if ((daccess & FILE_DELETE_LE) ||
+ (req->CreateOptions & FILE_DELETE_ON_CLOSE_LE)) {
+ rc = ksmbd_vfs_may_delete(path.dentry);
+ if (rc)
+ goto err_out;
+ }
}
}
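Review bot: rc from the new inode_permission() call in smb2_open() is propagated as returned, whereas the removed ksmbd_vfs_inode_permission() collapsed every failure of that check to -EACCES. Please confirm that the err_out path maps the other error values inode_permission() can return to the intended SMB status, or keep the normalisation with `rc = -EACCES;` before the goto. The commit message should mention this change in returned error codes.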
diff --git a/fs/ksmbd/vfs.c b/fs/ksmbd/vfs.c
index e64eab7a58a8..6181a58e8a33 100644
--- a/fs/ksmbd/vfs.c
+++ b/fs/ksmbd/vfs.c
@@ -95,39 +95,23 @@ static int ksmbd_vfs_lock_parent(struct dentry *parent, struct dentry *child)
return ret;
}
-int ksmbd_vfs_inode_permission(struct dentry *dentry, int acc_mode, bool delete)
+int ksmbd_vfs_may_delete(struct dentry *dentry)
{
- int mask, ret = 0;
-
- mask = 0;
- acc_mode &= O_ACCMODE;
-
- if (acc_mode == O_RDONLY)
- mask = MAY_READ;
- else if (acc_mode == O_WRONLY)
- mask = MAY_WRITE;
- else if (acc_mode == O_RDWR)
- mask = MAY_READ | MAY_WRITE;
-
- if (inode_permission(&init_user_ns, d_inode(dentry), mask | MAY_OPEN))
- return -EACCES;
-
- if (delete) {
- struct dentry *parent;
-
- parent = dget_parent(dentry);
- ret = ksmbd_vfs_lock_parent(parent, dentry);
- if (ret) {
- dput(parent);
- return ret;
- }
-
- if (inode_permission(&init_user_ns, d_inode(parent), MAY_EXEC | MAY_WRITE))
- ret = -EACCES;
+ struct dentry *parent;
+ int ret;
- inode_unlock(d_inode(parent));
+ parent = dget_parent(dentry);
+ ret = ksmbd_vfs_lock_parent(parent, dentry);
+ if (ret) {
dput(parent);
+ return ret;
}
+
+ ret = inode_permission(&init_user_ns, d_inode(parent),
+ MAY_EXEC | MAY_WRITE);
+
+ inode_unlock(d_inode(parent));
+ dput(parent);
return ret;
}
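Review bot: ksmbd_vfs_may_delete() is a new non-static function with no kernel-doc. It should state that it checks MAY_EXEC | MAY_WRITE on the parent directory while holding the parent inode lock, and that it can return the errors of ksmbd_vfs_lock_parent() (including -ESTALE) as well as the raw inode_permission() result, which replaces the fixed -EACCES the deleted branch returned.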
diff --git a/fs/ksmbd/vfs.h b/fs/ksmbd/vfs.h
index 49f0558ace32..ae8eff1f0315 100644
--- a/fs/ksmbd/vfs.h
+++ b/fs/ksmbd/vfs.h
@@ -192,8 +192,7 @@ struct ksmbd_kstat {
__le32 file_attributes;
};
-int ksmbd_vfs_inode_permission(struct dentry *dentry, int acc_mode,
- bool delete);
+int ksmbd_vfs_may_delete(struct dentry *dentry);
int ksmbd_vfs_query_maximal_access(struct dentry *dentry, __le32 *daccess);
int ksmbd_vfs_create(struct ksmbd_work *work, const char *name, umode_t mode);
int ksmbd_vfs_mkdir(struct ksmbd_work *work, const char *name, umode_t mode);
From patchwork Mon Nov 14 12:50:48 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Jason Yan <yanaijie(a)huawei.com>
X-Patchwork-Id: 183236
Return-Path: <yanaijie(a)huawei.com>
From: Jason Yan <yanaijie(a)huawei.com>
To: <yanaijie(a)huawei.com>, <zhengzengkai(a)huawei.com>, <xiexiuqi(a)huawei.com>,
<yi.zhang(a)huawei.com>, <patchwork(a)huawei.com>, <kernel.openeuler(a)huawei.com>,
<houtao1(a)huawei.com>
Subject: [PATCH OLK-5.10 v2 139/308] ksmbd: remove macros in transport_ipc.c
Date: Mon, 14 Nov 2022 20:50:48 +0800
Message-ID: <20221114125337.1831594-140-yanaijie(a)huawei.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20221114125337.1831594-1-yanaijie(a)huawei.com>
References: <20221114125337.1831594-1-yanaijie(a)huawei.com>
Content-Type: text/plain
MIME-Version: 1.0
From: Hyunchul Lee <hyc.lee(a)gmail.com>
mainline inclusion
from mainline-5.15-rc1
commit b622948789a96a8f347c8e77e18d100c7f1a78fa
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G
CVE: NA
Reference: https://git.kernel.org/torvalds/linux/c/b622948789a9
-------------------------------
Remove macros in transport_ipc.c
Reviewed-by: Christoph Hellwig <hch(a)lst.de>
Signed-off-by: Hyunchul Lee <hyc.lee(a)gmail.com>
Signed-off-by: Namjae Jeon <namjae.jeon(a)samsung.com>
Signed-off-by: Steve French <stfrench(a)microsoft.com>
Signed-off-by: Jason Yan <yanaijie(a)huawei.com>
---
fs/ksmbd/transport_ipc.c | 35 +++++++++++++++--------------------
1 file changed, 15 insertions(+), 20 deletions(-)
diff --git a/fs/ksmbd/transport_ipc.c b/fs/ksmbd/transport_ipc.c
index 13eacfda64ac..ca5099118fdf 100644
--- a/fs/ksmbd/transport_ipc.c
+++ b/fs/ksmbd/transport_ipc.c
@@ -38,8 +38,6 @@ static DEFINE_IDA(ipc_ida);
static unsigned int ksmbd_tools_pid;
-#define KSMBD_IPC_MSG_HANDLE(m) (*(unsigned int *)m)
-
static bool ksmbd_ipc_validate_version(struct genl_info *m)
{
if (m->genlhdr->version != KSMBD_GENL_VERSION) {
@@ -56,12 +54,9 @@ static bool ksmbd_ipc_validate_version(struct genl_info *m)
struct ksmbd_ipc_msg {
unsigned int type;
unsigned int sz;
- unsigned char ____payload[0];
+ unsigned char payload[];
};
-#define KSMBD_IPC_MSG_PAYLOAD(m) \
- ((void *)(((struct ksmbd_ipc_msg *)(m))->____payload))
-
struct ipc_msg_table_entry {
unsigned int handle;
unsigned int type;
@@ -251,7 +246,7 @@ static void ipc_msg_handle_free(int handle)
static int handle_response(int type, void *payload, size_t sz)
{
- int handle = KSMBD_IPC_MSG_HANDLE(payload);
+ unsigned int handle = *(unsigned int *)payload;
struct ipc_msg_table_entry *entry;
int ret = 0;
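Review bot: in handle_response() the new initializer `unsigned int handle = *(unsigned int *)payload;` reads sizeof(unsigned int) bytes from payload at declaration time, before anything in the visible lines checks sz. With the macro that hid this read gone, this is a good place to move the read below a `sz < sizeof(unsigned int)` check. The type also changes from int to unsigned int here, while ipc_msg_handle_free() in the hunk header still takes `int handle`; please settle on one type for handles.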
@@ -432,7 +427,7 @@ static int ipc_msg_send(struct ksmbd_ipc_msg *msg)
if (!nlh)
goto out;
- ret = nla_put(skb, msg->type, msg->sz, KSMBD_IPC_MSG_PAYLOAD(msg));
+ ret = nla_put(skb, msg->type, msg->sz, msg->payload);
if (ret) {
genlmsg_cancel(skb, nlh);
goto out;
@@ -509,7 +504,7 @@ struct ksmbd_login_response *ksmbd_ipc_login_request(const char *account)
return NULL;
msg->type = KSMBD_EVENT_LOGIN_REQUEST;
- req = KSMBD_IPC_MSG_PAYLOAD(msg);
+ req = (struct ksmbd_login_request *)msg->payload;
req->handle = ksmbd_acquire_id(&ipc_ida);
strscpy(req->account, account, KSMBD_REQ_MAX_ACCOUNT_NAME_SZ);
@@ -532,7 +527,7 @@ ksmbd_ipc_spnego_authen_request(const char *spnego_blob, int blob_len)
return NULL;
msg->type = KSMBD_EVENT_SPNEGO_AUTHEN_REQUEST;
- req = KSMBD_IPC_MSG_PAYLOAD(msg);
+ req = (struct ksmbd_spnego_authen_request *)msg->payload;
req->handle = ksmbd_acquire_id(&ipc_ida);
req->spnego_blob_len = blob_len;
memcpy(req->spnego_blob, spnego_blob, blob_len);
@@ -564,7 +559,7 @@ ksmbd_ipc_tree_connect_request(struct ksmbd_session *sess,
return NULL;
msg->type = KSMBD_EVENT_TREE_CONNECT_REQUEST;
- req = KSMBD_IPC_MSG_PAYLOAD(msg);
+ req = (struct ksmbd_tree_connect_request *)msg->payload;
req->handle = ksmbd_acquire_id(&ipc_ida);
req->account_flags = sess->user->flags;
@@ -597,7 +592,7 @@ int ksmbd_ipc_tree_disconnect_request(unsigned long long session_id,
return -ENOMEM;
msg->type = KSMBD_EVENT_TREE_DISCONNECT_REQUEST;
- req = KSMBD_IPC_MSG_PAYLOAD(msg);
+ req = (struct ksmbd_tree_disconnect_request *)msg->payload;
req->session_id = session_id;
req->connect_id = connect_id;
@@ -620,7 +615,7 @@ int ksmbd_ipc_logout_request(const char *account)
return -ENOMEM;
msg->type = KSMBD_EVENT_LOGOUT_REQUEST;
- req = KSMBD_IPC_MSG_PAYLOAD(msg);
+ req = (struct ksmbd_logout_request *)msg->payload;
strscpy(req->account, account, KSMBD_REQ_MAX_ACCOUNT_NAME_SZ);
ret = ipc_msg_send(msg);
@@ -643,7 +638,7 @@ ksmbd_ipc_share_config_request(const char *name)
return NULL;
msg->type = KSMBD_EVENT_SHARE_CONFIG_REQUEST;
- req = KSMBD_IPC_MSG_PAYLOAD(msg);
+ req = (struct ksmbd_share_config_request *)msg->payload;
req->handle = ksmbd_acquire_id(&ipc_ida);
strscpy(req->share_name, name, KSMBD_REQ_MAX_SHARE_NAME);
@@ -664,7 +659,7 @@ struct ksmbd_rpc_command *ksmbd_rpc_open(struct ksmbd_session *sess, int handle)
return NULL;
msg->type = KSMBD_EVENT_RPC_REQUEST;
- req = KSMBD_IPC_MSG_PAYLOAD(msg);
+ req = (struct ksmbd_rpc_command *)msg->payload;
req->handle = handle;
req->flags = ksmbd_session_rpc_method(sess, handle);
req->flags |= KSMBD_RPC_OPEN_METHOD;
@@ -686,7 +681,7 @@ struct ksmbd_rpc_command *ksmbd_rpc_close(struct ksmbd_session *sess, int handle
return NULL;
msg->type = KSMBD_EVENT_RPC_REQUEST;
- req = KSMBD_IPC_MSG_PAYLOAD(msg);
+ req = (struct ksmbd_rpc_command *)msg->payload;
req->handle = handle;
req->flags = ksmbd_session_rpc_method(sess, handle);
req->flags |= KSMBD_RPC_CLOSE_METHOD;
@@ -709,7 +704,7 @@ struct ksmbd_rpc_command *ksmbd_rpc_write(struct ksmbd_session *sess, int handle
return NULL;
msg->type = KSMBD_EVENT_RPC_REQUEST;
- req = KSMBD_IPC_MSG_PAYLOAD(msg);
+ req = (struct ksmbd_rpc_command *)msg->payload;
req->handle = handle;
req->flags = ksmbd_session_rpc_method(sess, handle);
req->flags |= rpc_context_flags(sess);
@@ -733,7 +728,7 @@ struct ksmbd_rpc_command *ksmbd_rpc_read(struct ksmbd_session *sess, int handle)
return NULL;
msg->type = KSMBD_EVENT_RPC_REQUEST;
- req = KSMBD_IPC_MSG_PAYLOAD(msg);
+ req = (struct ksmbd_rpc_command *)msg->payload;
req->handle = handle;
req->flags = ksmbd_session_rpc_method(sess, handle);
req->flags |= rpc_context_flags(sess);
@@ -757,7 +752,7 @@ struct ksmbd_rpc_command *ksmbd_rpc_ioctl(struct ksmbd_session *sess, int handle
return NULL;
msg->type = KSMBD_EVENT_RPC_REQUEST;
- req = KSMBD_IPC_MSG_PAYLOAD(msg);
+ req = (struct ksmbd_rpc_command *)req->payload;
req->handle = handle;
req->flags = ksmbd_session_rpc_method(sess, handle);
req->flags |= rpc_context_flags(sess);
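Review bot: the replacement line in ksmbd_rpc_ioctl() reads `req = (struct ksmbd_rpc_command *)req->payload;`, which takes the payload from req itself rather than from msg. The removed line was KSMBD_IPC_MSG_PAYLOAD(msg) and the other converted sites in this patch use msg->payload, so this should be `req = (struct ksmbd_rpc_command *)msg->payload;`. Unless req is assigned above the lines shown, the req->handle and req->flags stores that follow go through an indeterminate pointer.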
@@ -782,7 +777,7 @@ struct ksmbd_rpc_command *ksmbd_rpc_rap(struct ksmbd_session *sess, void *payloa
return NULL;
msg->type = KSMBD_EVENT_RPC_REQUEST;
- req = KSMBD_IPC_MSG_PAYLOAD(msg);
+ req = (struct ksmbd_rpc_command *)req->payload;
req->handle = ksmbd_acquire_id(&ipc_ida);
req->flags = rpc_context_flags(sess);
req->flags |= KSMBD_RPC_RAP_METHOD;
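Review bot: the added line in ksmbd_rpc_rap() uses req->payload on the right-hand side, but the removed line was KSMBD_IPC_MSG_PAYLOAD(msg); it should read `req = (struct ksmbd_rpc_command *)msg->payload;`. This is meant to be a pure macro-removal patch, so any site whose new expression names a different object than the old one is a behaviour change. Please recheck both this function and ksmbd_rpc_ioctl(), and diff the object code before and after if possible.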
From patchwork Mon Nov 14 12:50:49 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Jason Yan <yanaijie(a)huawei.com>
X-Patchwork-Id: 183237
Return-Path: <yanaijie(a)huawei.com>
From: Jason Yan <yanaijie(a)huawei.com>
To: <yanaijie(a)huawei.com>, <zhengzengkai(a)huawei.com>, <xiexiuqi(a)huawei.com>,
<yi.zhang(a)huawei.com>, <patchwork(a)huawei.com>, <kernel.openeuler(a)huawei.com>,
<houtao1(a)huawei.com>
Subject: [PATCH OLK-5.10 v2 140/308] ksmbd: replace BUFFER_NR_PAGES with
inline function
Date: Mon, 14 Nov 2022 20:50:49 +0800
Message-ID: <20221114125337.1831594-141-yanaijie(a)huawei.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20221114125337.1831594-1-yanaijie(a)huawei.com>
References: <20221114125337.1831594-1-yanaijie(a)huawei.com>
Content-Type: text/plain
MIME-Version: 1.0
From: Hyunchul Lee <hyc.lee(a)gmail.com>
mainline inclusion
from mainline-5.15-rc1
commit 8ad8dc34211742c816d45dd2ce62aa103a82f4c2
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G
CVE: NA
Reference: https://git.kernel.org/torvalds/linux/c/8ad8dc342117
-------------------------------
Replace BUFFER_NR_PAGES with inline function
Reviewed-by: Christoph Hellwig <hch(a)lst.de>
Signed-off-by: Hyunchul Lee <hyc.lee(a)gmail.com>
Signed-off-by: Namjae Jeon <namjae.jeon(a)samsung.com>
Signed-off-by: Steve French <stfrench(a)microsoft.com>
Signed-off-by: Jason Yan <yanaijie(a)huawei.com>
---
fs/ksmbd/transport_rdma.c | 14 ++++++++------
1 file changed, 8 insertions(+), 6 deletions(-)
diff --git a/fs/ksmbd/transport_rdma.c b/fs/ksmbd/transport_rdma.c
index bd7a090d5350..b3af474d4cad 100644
--- a/fs/ksmbd/transport_rdma.c
+++ b/fs/ksmbd/transport_rdma.c
@@ -204,9 +204,11 @@ struct smb_direct_rdma_rw_msg {
struct scatterlist sg_list[0];
};
-#define BUFFER_NR_PAGES(buf, len) \
- (DIV_ROUND_UP((unsigned long)(buf) + (len), PAGE_SIZE) \
- - (unsigned long)(buf) / PAGE_SIZE)
+static inline int get_buf_page_count(void *buf, int size)
+{
+ return DIV_ROUND_UP((uintptr_t)buf + size, PAGE_SIZE) -
+ (uintptr_t)buf / PAGE_SIZE;
+}
static void smb_direct_destroy_pools(struct smb_direct_transport *transport);
static void smb_direct_post_recv_credits(struct work_struct *work);
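Review bot: get_buf_page_count() takes `int size` and returns int, while the arithmetic is done in uintptr_t. A negative size wraps when converted for `(uintptr_t)buf + size`, and the unsigned difference is silently narrowed on return, which the old macro did not do. Consider `unsigned int size` (or size_t) with an unsigned return type, or reject size < 0 in the callers before the count is compared against nentries in get_sg_list().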
@@ -1048,7 +1050,7 @@ static int get_sg_list(void *buf, int size, struct scatterlist *sg_list, int nen
int offset, len;
int i = 0;
- if (nentries < BUFFER_NR_PAGES(buf, size))
+ if (nentries < get_buf_page_count(buf, size))
return -EINVAL;
offset = offset_in_page(buf);
@@ -1338,7 +1340,7 @@ static int smb_direct_rdma_xmit(struct smb_direct_transport *t, void *buf,
msg->sgt.sgl = &msg->sg_list[0];
ret = sg_alloc_table_chained(&msg->sgt,
- BUFFER_NR_PAGES(buf, buf_len),
+ get_buf_page_count(buf, buf_len),
msg->sg_list, SG_CHUNK_SIZE);
if (ret) {
atomic_inc(&t->rw_avail_ops);
@@ -1353,7 +1355,7 @@ static int smb_direct_rdma_xmit(struct smb_direct_transport *t, void *buf,
}
ret = rdma_rw_ctx_init(&msg->rw_ctx, t->qp, t->qp->port,
- msg->sg_list, BUFFER_NR_PAGES(buf, buf_len),
+ msg->sg_list, get_buf_page_count(buf, buf_len),
0, remote_offset, remote_key,
is_read ? DMA_FROM_DEVICE : DMA_TO_DEVICE);
if (ret < 0) {
From patchwork Mon Nov 14 12:50:50 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Jason Yan <yanaijie(a)huawei.com>
X-Patchwork-Id: 183238
Return-Path: <yanaijie(a)huawei.com>
From: Jason Yan <yanaijie(a)huawei.com>
To: <yanaijie(a)huawei.com>, <zhengzengkai(a)huawei.com>, <xiexiuqi(a)huawei.com>,
<yi.zhang(a)huawei.com>, <patchwork(a)huawei.com>, <kernel.openeuler(a)huawei.com>,
<houtao1(a)huawei.com>
Subject: [PATCH OLK-5.10 v2 141/308] ksmbd: replace KSMBD_ALIGN with kernel
ALIGN macro
Date: Mon, 14 Nov 2022 20:50:50 +0800
Message-ID: <20221114125337.1831594-142-yanaijie(a)huawei.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20221114125337.1831594-1-yanaijie(a)huawei.com>
References: <20221114125337.1831594-1-yanaijie(a)huawei.com>
Content-Type: text/plain
From: Hyunchul Lee <hyc.lee(a)gmail.com>
mainline inclusion
from mainline-5.15-rc1
commit c2220322b4577fc32ad3b7b4ddb856bd1f8c7461
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G
CVE: NA
Reference: https://git.kernel.org/torvalds/linux/c/c2220322b457
-------------------------------
Replace KSMBD_ALIGN with kernel ALIGN macro
Reviewed-by: Christoph Hellwig <hch(a)lst.de>
Signed-off-by: Hyunchul Lee <hyc.lee(a)gmail.com>
Signed-off-by: Namjae Jeon <namjae.jeon(a)samsung.com>
Signed-off-by: Steve French <stfrench(a)microsoft.com>
Signed-off-by: Jason Yan <yanaijie(a)huawei.com>
---
fs/ksmbd/ndr.c | 27 ++++++---------------------
1 file changed, 6 insertions(+), 21 deletions(-)
diff --git a/fs/ksmbd/ndr.c b/fs/ksmbd/ndr.c
index 46cc01475d38..db2ec07e076e 100644
--- a/fs/ksmbd/ndr.c
+++ b/fs/ksmbd/ndr.c
@@ -11,21 +11,6 @@
#define PAYLOAD_HEAD(d) ((d)->data + (d)->offset)
-#define KSMBD_ALIGN_MASK(x, mask) (((x) + (mask)) & ~(mask))
-
-#define KSMBD_ALIGN(x, a) \
- ({ \
- typeof(x) ret = (x); \
- if (((x) & ((typeof(x))(a) - 1)) != 0) \
- ret = KSMBD_ALIGN_MASK(x, (typeof(x))(a) - 1); \
- ret; \
- })
-
-static void align_offset(struct ndr *ndr, int n)
-{
- ndr->offset = KSMBD_ALIGN(ndr->offset, n);
-}
-
static int try_to_realloc_ndr_blob(struct ndr *n, size_t sz)
{
char *data;
@@ -85,7 +70,7 @@ static int ndr_write_string(struct ndr *n, void *value, size_t sz)
strncpy(PAYLOAD_HEAD(n), value, sz);
sz++;
n->offset += sz;
- align_offset(n, 2);
+ n->offset = ALIGN(n->offset, 2);
return 0;
}
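Review bot: in ndr_write_string(), strncpy() writes at most sz bytes, but the offset then advances by sz + 1 and is rounded up to 2 by ALIGN(), so up to two bytes past the copied data are skipped without being written in this function. Unless the blob is zero-filled when it is allocated, the terminator and pad byte carry whatever the buffer held; writing them explicitly would make the encoded output deterministic.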
@@ -96,7 +81,7 @@ static int ndr_read_string(struct ndr *n, void *value, size_t sz)
memcpy(value, PAYLOAD_HEAD(n), len);
len++;
n->offset += len;
- align_offset(n, 2);
+ n->offset = ALIGN(n->offset, 2);
return 0;
}
@@ -210,20 +195,20 @@ static int ndr_encode_posix_acl_entry(struct ndr *n, struct xattr_smb_acl *acl)
int i;
ndr_write_int32(n, acl->count);
- align_offset(n, 8);
+ n->offset = ALIGN(n->offset, 8);
ndr_write_int32(n, acl->count);
ndr_write_int32(n, 0);
for (i = 0; i < acl->count; i++) {
- align_offset(n, 8);
+ n->offset = ALIGN(n->offset, 8);
ndr_write_int16(n, acl->entries[i].type);
ndr_write_int16(n, acl->entries[i].type);
if (acl->entries[i].type == SMB_ACL_USER) {
- align_offset(n, 8);
+ n->offset = ALIGN(n->offset, 8);
ndr_write_int64(n, acl->entries[i].uid);
} else if (acl->entries[i].type == SMB_ACL_GROUP) {
- align_offset(n, 8);
+ n->offset = ALIGN(n->offset, 8);
ndr_write_int64(n, acl->entries[i].gid);
}
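Review bot: in ndr_encode_posix_acl_entry() the same statement, n->offset = ALIGN(n->offset, 8), now appears four times where the removed align_offset() kept it in one place. Keeping align_offset() as a one-line static helper built on ALIGN() would drop the private macros just the same and leave a single spot to add a bounds check against the blob length later.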
From patchwork Mon Nov 14 12:50:51 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Jason Yan <yanaijie(a)huawei.com>
X-Patchwork-Id: 183239
Return-Path: <yanaijie(a)huawei.com>
From: Jason Yan <yanaijie(a)huawei.com>
To: <yanaijie(a)huawei.com>, <zhengzengkai(a)huawei.com>, <xiexiuqi(a)huawei.com>,
<yi.zhang(a)huawei.com>, <patchwork(a)huawei.com>, <kernel.openeuler(a)huawei.com>,
<houtao1(a)huawei.com>
Subject: [PATCH OLK-5.10 v2 142/308] ksmbd: replace PAYLOAD_HEAD with inline
function
Date: Mon, 14 Nov 2022 20:50:51 +0800
Message-ID: <20221114125337.1831594-143-yanaijie(a)huawei.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20221114125337.1831594-1-yanaijie(a)huawei.com>
References: <20221114125337.1831594-1-yanaijie(a)huawei.com>
Content-Type: text/plain
From: Hyunchul Lee <hyc.lee(a)gmail.com>
mainline inclusion
from mainline-5.15-rc1
commit cb5b047f8e14e91774f68625dafb130fb160b4eb
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G
CVE: NA
Reference: https://git.kernel.org/torvalds/linux/c/cb5b047f8e14
-------------------------------
Replace PAYLOAD_HEAD with inline function.
Reviewed-by: Christoph Hellwig <hch(a)lst.de>
Signed-off-by: Hyunchul Lee <hyc.lee(a)gmail.com>
Signed-off-by: Namjae Jeon <namjae.jeon(a)samsung.com>
Signed-off-by: Steve French <stfrench(a)microsoft.com>
Signed-off-by: Jason Yan <yanaijie(a)huawei.com>
---
fs/ksmbd/ndr.c | 27 +++++++++++++++------------
1 file changed, 15 insertions(+), 12 deletions(-)
diff --git a/fs/ksmbd/ndr.c b/fs/ksmbd/ndr.c
index db2ec07e076e..bcf13a2aa9d4 100644
--- a/fs/ksmbd/ndr.c
+++ b/fs/ksmbd/ndr.c
@@ -9,7 +9,10 @@
#include "glob.h"
#include "ndr.h"
-#define PAYLOAD_HEAD(d) ((d)->data + (d)->offset)
+static inline char *ndr_get_field(struct ndr *n)
+{
+ return n->data + n->offset;
+}
static int try_to_realloc_ndr_blob(struct ndr *n, size_t sz)
{
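Review bot: ndr_get_field() returns n->data + n->offset without looking at the blob length, exactly as the macro did. Now that it is a function, it could take the number of bytes the caller is about to access and return NULL when n->offset plus that size exceeds n->length, which would give every reader and writer in the hunks below one shared check.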
@@ -30,7 +33,7 @@ static void ndr_write_int16(struct ndr *n, __u16 value)
if (n->length <= n->offset + sizeof(value))
try_to_realloc_ndr_blob(n, sizeof(value));
- *(__le16 *)PAYLOAD_HEAD(n) = cpu_to_le16(value);
+ *(__le16 *)ndr_get_field(n) = cpu_to_le16(value);
n->offset += sizeof(value);
}
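Review bot: in ndr_write_int16() the result of try_to_realloc_ndr_blob() is discarded and the store through ndr_get_field(n) happens regardless, so a failed reallocation is followed by a write at an offset the length check has just flagged as not fitting. The helper is declared as returning int; propagating that error, which means giving the void write helpers a return value, is the fix, and the int32, int64, bytes and string writers in the following hunks have the same pattern.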
@@ -39,7 +42,7 @@ static void ndr_write_int32(struct ndr *n, __u32 value)
if (n->length <= n->offset + sizeof(value))
try_to_realloc_ndr_blob(n, sizeof(value));
- *(__le32 *)PAYLOAD_HEAD(n) = cpu_to_le32(value);
+ *(__le32 *)ndr_get_field(n) = cpu_to_le32(value);
n->offset += sizeof(value);
}
@@ -48,7 +51,7 @@ static void ndr_write_int64(struct ndr *n, __u64 value)
if (n->length <= n->offset + sizeof(value))
try_to_realloc_ndr_blob(n, sizeof(value));
- *(__le64 *)PAYLOAD_HEAD(n) = cpu_to_le64(value);
+ *(__le64 *)ndr_get_field(n) = cpu_to_le64(value);
n->offset += sizeof(value);
}
@@ -57,7 +60,7 @@ static int ndr_write_bytes(struct ndr *n, void *value, size_t sz)
if (n->length <= n->offset + sz)
try_to_realloc_ndr_blob(n, sz);
- memcpy(PAYLOAD_HEAD(n), value, sz);
+ memcpy(ndr_get_field(n), value, sz);
n->offset += sz;
return 0;
}
@@ -67,7 +70,7 @@ static int ndr_write_string(struct ndr *n, void *value, size_t sz)
if (n->length <= n->offset + sz)
try_to_realloc_ndr_blob(n, sz);
- strncpy(PAYLOAD_HEAD(n), value, sz);
+ strncpy(ndr_get_field(n), value, sz);
sz++;
n->offset += sz;
n->offset = ALIGN(n->offset, 2);
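Review bot: in ndr_write_string() the length check covers n->offset + sz, but the function then advances the offset by sz + 1 and aligns it to 2, so the final offset can pass the checked range by up to two bytes. Size the check and the realloc request for the aligned sz + 1 so the offset never ends beyond n->length.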
@@ -76,9 +79,9 @@ static int ndr_write_string(struct ndr *n, void *value, size_t sz)
static int ndr_read_string(struct ndr *n, void *value, size_t sz)
{
- int len = strnlen(PAYLOAD_HEAD(n), sz);
+ int len = strnlen(ndr_get_field(n), sz);
- memcpy(value, PAYLOAD_HEAD(n), len);
+ memcpy(value, ndr_get_field(n), len);
len++;
n->offset += len;
n->offset = ALIGN(n->offset, 2);
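Review bot: in ndr_read_string() strnlen() is bounded by the caller-supplied sz, not by the bytes left in the blob, so on input without a terminator the scan and the memcpy() can run beyond n->length. Bound the scan by the smaller of sz and n->length - n->offset, return an error when no terminator is found inside that range, and keep len as size_t rather than int.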
@@ -87,7 +90,7 @@ static int ndr_read_string(struct ndr *n, void *value, size_t sz)
static int ndr_read_bytes(struct ndr *n, void *value, size_t sz)
{
- memcpy(value, PAYLOAD_HEAD(n), sz);
+ memcpy(value, ndr_get_field(n), sz);
n->offset += sz;
return 0;
}
@@ -96,7 +99,7 @@ static __u16 ndr_read_int16(struct ndr *n)
{
__u16 ret;
- ret = le16_to_cpu(*(__le16 *)PAYLOAD_HEAD(n));
+ ret = le16_to_cpu(*(__le16 *)ndr_get_field(n));
n->offset += sizeof(__u16);
return ret;
}
@@ -105,7 +108,7 @@ static __u32 ndr_read_int32(struct ndr *n)
{
__u32 ret;
- ret = le32_to_cpu(*(__le32 *)PAYLOAD_HEAD(n));
+ ret = le32_to_cpu(*(__le32 *)ndr_get_field(n));
n->offset += sizeof(__u32);
return ret;
}
@@ -114,7 +117,7 @@ static __u64 ndr_read_int64(struct ndr *n)
{
__u64 ret;
- ret = le64_to_cpu(*(__le64 *)PAYLOAD_HEAD(n));
+ ret = le64_to_cpu(*(__le64 *)ndr_get_field(n));
n->offset += sizeof(__u64);
return ret;
}
From patchwork Mon Nov 14 12:50:52 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Jason Yan <yanaijie(a)huawei.com>
X-Patchwork-Id: 183240
Return-Path: <yanaijie(a)huawei.com>
From: Jason Yan <yanaijie(a)huawei.com>
To: <yanaijie(a)huawei.com>, <zhengzengkai(a)huawei.com>, <xiexiuqi(a)huawei.com>,
<yi.zhang(a)huawei.com>, <patchwork(a)huawei.com>, <kernel.openeuler(a)huawei.com>,
<houtao1(a)huawei.com>
Subject: [PATCH OLK-5.10 v2 143/308] ksmbd: remove getting worker state macros
Date: Mon, 14 Nov 2022 20:50:52 +0800
Message-ID: <20221114125337.1831594-144-yanaijie(a)huawei.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20221114125337.1831594-1-yanaijie(a)huawei.com>
References: <20221114125337.1831594-1-yanaijie(a)huawei.com>
Content-Type: text/plain
From: Hyunchul Lee <hyc.lee(a)gmail.com>
mainline inclusion
from mainline-5.15-rc1
commit d4075abbc6b571e9d03d7a742e53fd6085223649
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G
CVE: NA
Reference: https://git.kernel.org/torvalds/linux/c/d4075abbc6b5
-------------------------------
Remove getting worker state macros
Reviewed-by: Christoph Hellwig <hch(a)lst.de>
Signed-off-by: Hyunchul Lee <hyc.lee(a)gmail.com>
Signed-off-by: Namjae Jeon <namjae.jeon(a)samsung.com>
Signed-off-by: Steve French <stfrench(a)microsoft.com>
Signed-off-by: Jason Yan <yanaijie(a)huawei.com>
---
fs/ksmbd/ksmbd_work.h | 4 ----
fs/ksmbd/smb2pdu.c | 4 ++--
2 files changed, 2 insertions(+), 6 deletions(-)
diff --git a/fs/ksmbd/ksmbd_work.h b/fs/ksmbd/ksmbd_work.h
index 0e2d4f3fc49f..a91abd438a85 100644
--- a/fs/ksmbd/ksmbd_work.h
+++ b/fs/ksmbd/ksmbd_work.h
@@ -86,10 +86,6 @@ struct ksmbd_work {
struct list_head interim_entry;
};
-#define WORK_CANCELLED(w) ((w)->state == KSMBD_WORK_CANCELLED)
-#define WORK_CLOSED(w) ((w)->state == KSMBD_WORK_CLOSED)
-#define WORK_ACTIVE(w) ((w)->state == KSMBD_WORK_ACTIVE)
-
#define RESPONSE_BUF_NEXT(w) \
(((w)->response_buf + (w)->next_smb2_rsp_hdr_off))
#define REQUEST_BUF_NEXT(w) \
diff --git a/fs/ksmbd/smb2pdu.c b/fs/ksmbd/smb2pdu.c
index 25715d57c2bb..38a36390b64d 100644
--- a/fs/ksmbd/smb2pdu.c
+++ b/fs/ksmbd/smb2pdu.c
@@ -6716,12 +6716,12 @@ int smb2_lock(struct ksmbd_work *work)
err = ksmbd_vfs_posix_lock_wait(flock);
- if (!WORK_ACTIVE(work)) {
+ if (work->state != KSMBD_WORK_ACTIVE) {
list_del(&smb_lock->llist);
list_del(&smb_lock->glist);
locks_free_lock(flock);
- if (WORK_CANCELLED(work)) {
+ if (work->state == KSMBD_WORK_CANCELLED) {
spin_lock(&fp->f_lock);
list_del(&work->fp_entry);
spin_unlock(&fp->f_lock);
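Review bot: with the macros gone, smb2_lock() reads work->state twice, first for != KSMBD_WORK_ACTIVE and then for == KSMBD_WORK_CANCELLED. If the state can change from another context between those reads, the two tests can disagree; reading it once into a local (with READ_ONCE() if it is updated without a lock held here) would make the branch consistent.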
From patchwork Mon Nov 14 12:50:53 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Jason Yan <yanaijie(a)huawei.com>
X-Patchwork-Id: 183241
Return-Path: <yanaijie(a)huawei.com>
From: Jason Yan <yanaijie(a)huawei.com>
To: <yanaijie(a)huawei.com>, <zhengzengkai(a)huawei.com>, <xiexiuqi(a)huawei.com>,
<yi.zhang(a)huawei.com>, <patchwork(a)huawei.com>, <kernel.openeuler(a)huawei.com>,
<houtao1(a)huawei.com>
Subject: [PATCH OLK-5.10 v2 144/308] ksmbd: remove and replace macros with
inline functions in smb_common.h
Date: Mon, 14 Nov 2022 20:50:53 +0800
Message-ID: <20221114125337.1831594-145-yanaijie(a)huawei.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20221114125337.1831594-1-yanaijie(a)huawei.com>
References: <20221114125337.1831594-1-yanaijie(a)huawei.com>
Content-Type: text/plain
From: Hyunchul Lee <hyc.lee(a)gmail.com>
mainline inclusion
from mainline-5.15-rc1
commit d8fb29980cb5369c4ea520c0b4e1a8893e88f14c
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G
CVE: NA
Reference: https://git.kernel.org/torvalds/linux/c/d8fb29980cb5
-------------------------------
Remove and replace macros with inline functions
in smb_common.h
Reviewed-by: Christoph Hellwig <hch(a)lst.de>
Signed-off-by: Hyunchul Lee <hyc.lee(a)gmail.com>
Signed-off-by: Namjae Jeon <namjae.jeon(a)samsung.com>
Signed-off-by: Steve French <stfrench(a)microsoft.com>
Signed-off-by: Jason Yan <yanaijie(a)huawei.com>
---
fs/ksmbd/mgmt/user_session.c | 8 +++-----
fs/ksmbd/oplock.c | 6 ++++--
fs/ksmbd/smb2pdu.c | 5 +++--
fs/ksmbd/smb_common.h | 12 ++++++------
4 files changed, 16 insertions(+), 15 deletions(-)
diff --git a/fs/ksmbd/mgmt/user_session.c b/fs/ksmbd/mgmt/user_session.c
index c5ba9694e1f1..8d8ffd8c6f19 100644
--- a/fs/ksmbd/mgmt/user_session.c
+++ b/fs/ksmbd/mgmt/user_session.c
@@ -154,11 +154,9 @@ void ksmbd_session_destroy(struct ksmbd_session *sess)
list_del(&sess->sessions_entry);
- if (IS_SMB2(sess->conn)) {
- down_write(&sessions_table_lock);
- hash_del(&sess->hlist);
- up_write(&sessions_table_lock);
- }
+ down_write(&sessions_table_lock);
+ hash_del(&sess->hlist);
+ up_write(&sessions_table_lock);
if (sess->user)
ksmbd_free_user(sess->user);
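Review bot: dropping the IS_SMB2() test in ksmbd_session_destroy() is a behaviour change, not a macro replacement: hash_del(&sess->hlist) now runs under sessions_table_lock for every session. The commit message should say why that is safe, for example that every session reaching this point has been added to the table or has an initialised hlist node.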
diff --git a/fs/ksmbd/oplock.c b/fs/ksmbd/oplock.c
index 9027cb7d970f..71e15a591582 100644
--- a/fs/ksmbd/oplock.c
+++ b/fs/ksmbd/oplock.c
@@ -631,7 +631,8 @@ static void __smb2_oplock_break_noti(struct work_struct *wk)
rsp_hdr = work->response_buf;
memset(rsp_hdr, 0, sizeof(struct smb2_hdr) + 2);
- rsp_hdr->smb2_buf_length = cpu_to_be32(HEADER_SIZE_NO_BUF_LEN(conn));
+ rsp_hdr->smb2_buf_length =
+ cpu_to_be32(smb2_hdr_size_no_buflen(conn->vals));
rsp_hdr->ProtocolId = SMB2_PROTO_NUMBER;
rsp_hdr->StructureSize = SMB2_HEADER_STRUCTURE_SIZE;
rsp_hdr->CreditRequest = cpu_to_le16(0);
@@ -737,7 +738,8 @@ static void __smb2_lease_break_noti(struct work_struct *wk)
rsp_hdr = work->response_buf;
memset(rsp_hdr, 0, sizeof(struct smb2_hdr) + 2);
- rsp_hdr->smb2_buf_length = cpu_to_be32(HEADER_SIZE_NO_BUF_LEN(conn));
+ rsp_hdr->smb2_buf_length =
+ cpu_to_be32(smb2_hdr_size_no_buflen(conn->vals));
rsp_hdr->ProtocolId = SMB2_PROTO_NUMBER;
rsp_hdr->StructureSize = SMB2_HEADER_STRUCTURE_SIZE;
rsp_hdr->CreditRequest = cpu_to_le16(0);
diff --git a/fs/ksmbd/smb2pdu.c b/fs/ksmbd/smb2pdu.c
index 38a36390b64d..ece03135127c 100644
--- a/fs/ksmbd/smb2pdu.c
+++ b/fs/ksmbd/smb2pdu.c
@@ -243,7 +243,7 @@ int init_smb2_neg_rsp(struct ksmbd_work *work)
memset(rsp_hdr, 0, sizeof(struct smb2_hdr) + 2);
rsp_hdr->smb2_buf_length =
- cpu_to_be32(HEADER_SIZE_NO_BUF_LEN(conn));
+ cpu_to_be32(smb2_hdr_size_no_buflen(conn->vals));
rsp_hdr->ProtocolId = SMB2_PROTO_NUMBER;
rsp_hdr->StructureSize = SMB2_HEADER_STRUCTURE_SIZE;
@@ -497,7 +497,8 @@ int init_smb2_rsp_hdr(struct ksmbd_work *work)
struct ksmbd_conn *conn = work->conn;
memset(rsp_hdr, 0, sizeof(struct smb2_hdr) + 2);
- rsp_hdr->smb2_buf_length = cpu_to_be32(HEADER_SIZE_NO_BUF_LEN(conn));
+ rsp_hdr->smb2_buf_length =
+ cpu_to_be32(smb2_hdr_size_no_buflen(conn->vals));
rsp_hdr->ProtocolId = rcv_hdr->ProtocolId;
rsp_hdr->StructureSize = SMB2_HEADER_STRUCTURE_SIZE;
rsp_hdr->Command = rcv_hdr->Command;
diff --git a/fs/ksmbd/smb_common.h b/fs/ksmbd/smb_common.h
index 084166ba7654..8489b92229fa 100644
--- a/fs/ksmbd/smb_common.h
+++ b/fs/ksmbd/smb_common.h
@@ -50,12 +50,6 @@
extern struct list_head global_lock_list;
-#define IS_SMB2(x) ((x)->vals->protocol_id != SMB10_PROT_ID)
-
-#define HEADER_SIZE(conn) ((conn)->vals->header_size)
-#define HEADER_SIZE_NO_BUF_LEN(conn) ((conn)->vals->header_size - 4)
-#define MAX_HEADER_SIZE(conn) ((conn)->vals->max_header_size)
-
/* RFC 1002 session packet types */
#define RFC1002_SESSION_MESSAGE 0x00
#define RFC1002_SESSION_REQUEST 0x81
@@ -490,6 +484,12 @@ struct smb_version_cmds {
int (*proc)(struct ksmbd_work *swork);
};
+static inline size_t
+smb2_hdr_size_no_buflen(struct smb_version_values *vals)
+{
+ return vals->header_size - 4;
+}
+
int ksmbd_min_protocol(void);
int ksmbd_max_protocol(void);
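Review bot: smb2_hdr_size_no_buflen() keeps the bare constant 4 and returns size_t, so a header_size below 4 would turn into a very large value before it reaches cpu_to_be32(). A short comment naming what the 4 bytes are, or deriving the constant from the size of the length field, would document the helper and make the assumption about header_size explicit.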
From patchwork Mon Nov 14 12:50:54 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Jason Yan <yanaijie(a)huawei.com>
X-Patchwork-Id: 183242
Return-Path: <yanaijie(a)huawei.com>
From: Jason Yan <yanaijie(a)huawei.com>
To: <yanaijie(a)huawei.com>, <zhengzengkai(a)huawei.com>, <xiexiuqi(a)huawei.com>,
<yi.zhang(a)huawei.com>, <patchwork(a)huawei.com>, <kernel.openeuler(a)huawei.com>,
<houtao1(a)huawei.com>
Subject: [PATCH OLK-5.10 v2 145/308] ksmbd: replace SMB_DIRECT_TRANS macro
with inline function
Date: Mon, 14 Nov 2022 20:50:54 +0800
Message-ID: <20221114125337.1831594-146-yanaijie(a)huawei.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20221114125337.1831594-1-yanaijie(a)huawei.com>
References: <20221114125337.1831594-1-yanaijie(a)huawei.com>
Content-Type: text/plain
From: Namjae Jeon <namjae.jeon(a)samsung.com>
mainline inclusion
from mainline-5.15-rc1
commit 02d4b4aa6d3b135b00f20da9d623d2bbae63768f
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G
CVE: NA
Reference: https://git.kernel.org/torvalds/linux/c/02d4b4aa6d3b
-------------------------------
replace SMB_DIRECT_TRANS macro with inline function.
Reviewed-by: Christoph Hellwig <hch(a)lst.de>
Signed-off-by: Namjae Jeon <namjae.jeon(a)samsung.com>
Signed-off-by: Steve French <stfrench(a)microsoft.com>
Signed-off-by: Jason Yan <yanaijie(a)huawei.com>
---
fs/ksmbd/transport_rdma.c | 20 ++++++++++++--------
1 file changed, 12 insertions(+), 8 deletions(-)
diff --git a/fs/ksmbd/transport_rdma.c b/fs/ksmbd/transport_rdma.c
index b3af474d4cad..171fb3dd018a 100644
--- a/fs/ksmbd/transport_rdma.c
+++ b/fs/ksmbd/transport_rdma.c
@@ -158,8 +158,6 @@ struct smb_direct_transport {
};
#define KSMBD_TRANS(t) ((struct ksmbd_transport *)&((t)->transport))
-#define SMB_DIRECT_TRANS(t) ((struct smb_direct_transport *)container_of(t, \
- struct smb_direct_transport, transport))
enum {
SMB_DIRECT_MSG_NEGOTIATE_REQ = 0,
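Review bot: KSMBD_TRANS() is left as a casting macro while its inverse SMB_DIRECT_TRANS() is converted, so the pair is now inconsistent. The explicit (struct ksmbd_transport *) cast would also hide a type mismatch if the transport member ever changed type; an inline function returning &t->transport would let the compiler check it.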
@@ -217,6 +215,12 @@ static int smb_direct_post_send_data(struct smb_direct_transport *t,
struct kvec *iov, int niov,
int remaining_data_length);
+static inline struct smb_direct_transport *
+smb_trans_direct_transfort(struct ksmbd_transport *t)
+{
+ return container_of(t, struct smb_direct_transport, transport);
+}
+
static inline void
*smb_direct_recvmsg_payload(struct smb_direct_recvmsg *recvmsg)
{
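Review bot: the new helper name smb_trans_direct_transfort() contains a typo ("transfort"), and every call site in the hunks below picks it up. Rename it before it spreads, for example to smb_trans_direct_transport().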
@@ -643,7 +647,7 @@ static int smb_direct_read(struct ksmbd_transport *t, char *buf,
int to_copy, to_read, data_read, offset;
u32 data_length, remaining_data_length, data_offset;
int rc;
- struct smb_direct_transport *st = SMB_DIRECT_TRANS(t);
+ struct smb_direct_transport *st = smb_trans_direct_transfort(t);
again:
if (st->status != SMB_DIRECT_CS_CONNECTED) {
@@ -1194,7 +1198,7 @@ static int smb_direct_writev(struct ksmbd_transport *t,
struct kvec *iov, int niovs, int buflen,
bool need_invalidate, unsigned int remote_key)
{
- struct smb_direct_transport *st = SMB_DIRECT_TRANS(t);
+ struct smb_direct_transport *st = smb_trans_direct_transfort(t);
int remaining_data_length;
int start, i, j;
int max_iov_size = st->max_send_size -
@@ -1393,7 +1397,7 @@ static int smb_direct_rdma_write(struct ksmbd_transport *t, void *buf,
unsigned int buflen, u32 remote_key,
u64 remote_offset, u32 remote_len)
{
- return smb_direct_rdma_xmit(SMB_DIRECT_TRANS(t), buf, buflen,
+ return smb_direct_rdma_xmit(smb_trans_direct_transfort(t), buf, buflen,
remote_key, remote_offset,
remote_len, false);
}
@@ -1402,14 +1406,14 @@ static int smb_direct_rdma_read(struct ksmbd_transport *t, void *buf,
unsigned int buflen, u32 remote_key,
u64 remote_offset, u32 remote_len)
{
- return smb_direct_rdma_xmit(SMB_DIRECT_TRANS(t), buf, buflen,
+ return smb_direct_rdma_xmit(smb_trans_direct_transfort(t), buf, buflen,
remote_key, remote_offset,
remote_len, true);
}
static void smb_direct_disconnect(struct ksmbd_transport *t)
{
- struct smb_direct_transport *st = SMB_DIRECT_TRANS(t);
+ struct smb_direct_transport *st = smb_trans_direct_transfort(t);
ksmbd_debug(RDMA, "Disconnecting cm_id=%p\n", st->cm_id);
@@ -1857,7 +1861,7 @@ static int smb_direct_create_qpair(struct smb_direct_transport *t,
static int smb_direct_prepare(struct ksmbd_transport *t)
{
- struct smb_direct_transport *st = SMB_DIRECT_TRANS(t);
+ struct smb_direct_transport *st = smb_trans_direct_transfort(t);
int ret;
struct ib_qp_cap qp_cap;
From patchwork Mon Nov 14 12:50:55 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Jason Yan <yanaijie(a)huawei.com>
X-Patchwork-Id: 183243
Return-Path: <yanaijie(a)huawei.com>
From: Jason Yan <yanaijie(a)huawei.com>
To: <yanaijie(a)huawei.com>, <zhengzengkai(a)huawei.com>, <xiexiuqi(a)huawei.com>,
<yi.zhang(a)huawei.com>, <patchwork(a)huawei.com>, <kernel.openeuler(a)huawei.com>,
<houtao1(a)huawei.com>
Subject: [PATCH OLK-5.10 v2 146/308] ksmbd: replace request and respone buffer
macro with inline functions
Date: Mon, 14 Nov 2022 20:50:55 +0800
Message-ID: <20221114125337.1831594-147-yanaijie(a)huawei.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20221114125337.1831594-1-yanaijie(a)huawei.com>
References: <20221114125337.1831594-1-yanaijie(a)huawei.com>
Content-Type: text/plain
From: Namjae Jeon <namjae.jeon(a)samsung.com>
mainline inclusion
from mainline-5.15-rc1
commit 8a893315dc06158ce33d1a3292e07170ce2fcd64
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G
CVE: NA
Reference: https://git.kernel.org/torvalds/linux/c/8a893315dc06
-------------------------------
replace request and respone buffer macro with inline functions.
Reviewed-by: Christoph Hellwig <hch(a)lst.de>
Signed-off-by: Namjae Jeon <namjae.jeon(a)samsung.com>
Signed-off-by: Steve French <stfrench(a)microsoft.com>
Signed-off-by: Jason Yan <yanaijie(a)huawei.com>
---
fs/ksmbd/ksmbd_work.h | 21 ++++++++++++++++----
fs/ksmbd/smb2misc.c | 2 +-
fs/ksmbd/smb2pdu.c | 46 +++++++++++++++++++++----------------------
3 files changed, 41 insertions(+), 28 deletions(-)
diff --git a/fs/ksmbd/ksmbd_work.h b/fs/ksmbd/ksmbd_work.h
index a91abd438a85..c655bf371ce5 100644
--- a/fs/ksmbd/ksmbd_work.h
+++ b/fs/ksmbd/ksmbd_work.h
@@ -86,10 +86,23 @@ struct ksmbd_work {
struct list_head interim_entry;
};
-#define RESPONSE_BUF_NEXT(w) \
- (((w)->response_buf + (w)->next_smb2_rsp_hdr_off))
-#define REQUEST_BUF_NEXT(w) \
- (((w)->request_buf + (w)->next_smb2_rcv_hdr_off))
+/**
+ * ksmbd_resp_buf_next - Get next buffer on compound response.
+ * @work: smb work containing response buffer
+ */
+static inline void *ksmbd_resp_buf_next(struct ksmbd_work *work)
+{
+ return work->response_buf + work->next_smb2_rsp_hdr_off;
+}
+
+/**
+ * ksmbd_req_buf_next - Get next buffer on compound request.
+ * @work: smb work containing response buffer
+ */
+static inline void *ksmbd_req_buf_next(struct ksmbd_work *work)
+{
+ return work->request_buf + work->next_smb2_rcv_hdr_off;
+}
struct ksmbd_work *ksmbd_alloc_work_struct(void);
void ksmbd_free_work_struct(struct ksmbd_work *work);
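Review bot: the kernel-doc for ksmbd_req_buf_next() describes @work as "smb work containing response buffer", copied from ksmbd_resp_buf_next(); it should say request buffer. Both comments also lack a Return: line, and neither helper checks the stored offset against the buffer size, which is worth stating in the comment as a caller precondition.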
diff --git a/fs/ksmbd/smb2misc.c b/fs/ksmbd/smb2misc.c
index e412d69690ed..730d68032c46 100644
--- a/fs/ksmbd/smb2misc.c
+++ b/fs/ksmbd/smb2misc.c
@@ -341,7 +341,7 @@ int ksmbd_smb2_check_message(struct ksmbd_work *work)
__u32 len = get_rfc1002_len(pdu);
if (work->next_smb2_rcv_hdr_off) {
- pdu = REQUEST_BUF_NEXT(work);
+ pdu = ksmbd_req_buf_next(work);
hdr = &pdu->hdr;
}
diff --git a/fs/ksmbd/smb2pdu.c b/fs/ksmbd/smb2pdu.c
index ece03135127c..42fc3bd2d464 100644
--- a/fs/ksmbd/smb2pdu.c
+++ b/fs/ksmbd/smb2pdu.c
@@ -40,8 +40,8 @@
static void __wbuf(struct ksmbd_work *work, void **req, void **rsp)
{
if (work->next_smb2_rcv_hdr_off) {
- *req = REQUEST_BUF_NEXT(work);
- *rsp = RESPONSE_BUF_NEXT(work);
+ *req = ksmbd_req_buf_next(work);
+ *rsp = ksmbd_resp_buf_next(work);
} else {
*req = work->request_buf;
*rsp = work->response_buf;
@@ -126,7 +126,7 @@ void smb2_set_err_rsp(struct ksmbd_work *work)
struct smb2_err_rsp *err_rsp;
if (work->next_smb2_rcv_hdr_off)
- err_rsp = RESPONSE_BUF_NEXT(work);
+ err_rsp = ksmbd_resp_buf_next(work);
else
err_rsp = work->response_buf;
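Review bot: smb2_set_err_rsp() chooses the response pointer by testing work->next_smb2_rcv_hdr_off, while ksmbd_resp_buf_next() indexes with work->next_smb2_rsp_hdr_off. If the receive offset is the intended signal for a compound request, a one-line comment here would stop the mismatch from reading as a bug; the same applies to set_smb2_rsp_status() below.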
@@ -196,7 +196,7 @@ u16 get_smb2_cmd_val(struct ksmbd_work *work)
struct smb2_hdr *rcv_hdr;
if (work->next_smb2_rcv_hdr_off)
- rcv_hdr = REQUEST_BUF_NEXT(work);
+ rcv_hdr = ksmbd_req_buf_next(work);
else
rcv_hdr = work->request_buf;
return le16_to_cpu(rcv_hdr->Command);
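Review bot: in get_smb2_cmd_val() the if/else is redundant now that the access goes through a function: ksmbd_req_buf_next() returns request_buf + next_smb2_rcv_hdr_off, which is request_buf itself when the offset is 0. Calling the helper unconditionally would remove the branch here and in the other callers that repeat it.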
@@ -212,7 +212,7 @@ void set_smb2_rsp_status(struct ksmbd_work *work, __le32 err)
struct smb2_hdr *rsp_hdr;
if (work->next_smb2_rcv_hdr_off)
- rsp_hdr = RESPONSE_BUF_NEXT(work);
+ rsp_hdr = ksmbd_resp_buf_next(work);
else
rsp_hdr = work->response_buf;
rsp_hdr->Status = err;
@@ -315,8 +315,8 @@ static int smb2_consume_credit_charge(struct ksmbd_work *work,
*/
int smb2_set_rsp_credits(struct ksmbd_work *work)
{
- struct smb2_hdr *req_hdr = REQUEST_BUF_NEXT(work);
- struct smb2_hdr *hdr = RESPONSE_BUF_NEXT(work);
+ struct smb2_hdr *req_hdr = ksmbd_req_buf_next(work);
+ struct smb2_hdr *hdr = ksmbd_resp_buf_next(work);
struct ksmbd_conn *conn = work->conn;
unsigned short credits_requested = le16_to_cpu(req_hdr->CreditRequest);
unsigned short credit_charge = 1, credits_granted = 0;
@@ -383,8 +383,8 @@ int smb2_set_rsp_credits(struct ksmbd_work *work)
*/
static void init_chained_smb2_rsp(struct ksmbd_work *work)
{
- struct smb2_hdr *req = REQUEST_BUF_NEXT(work);
- struct smb2_hdr *rsp = RESPONSE_BUF_NEXT(work);
+ struct smb2_hdr *req = ksmbd_req_buf_next(work);
+ struct smb2_hdr *rsp = ksmbd_resp_buf_next(work);
struct smb2_hdr *rsp_hdr;
struct smb2_hdr *rcv_hdr;
int next_hdr_offset = 0;
@@ -422,8 +422,8 @@ static void init_chained_smb2_rsp(struct ksmbd_work *work)
new_len, work->next_smb2_rcv_hdr_off,
work->next_smb2_rsp_hdr_off);
- rsp_hdr = RESPONSE_BUF_NEXT(work);
- rcv_hdr = REQUEST_BUF_NEXT(work);
+ rsp_hdr = ksmbd_resp_buf_next(work);
+ rcv_hdr = ksmbd_req_buf_next(work);
if (!(rcv_hdr->Flags & SMB2_FLAGS_RELATED_OPERATIONS)) {
ksmbd_debug(SMB, "related flag should be set\n");
@@ -462,7 +462,7 @@ bool is_chained_smb2_message(struct ksmbd_work *work)
if (hdr->ProtocolId != SMB2_PROTO_NUMBER)
return false;
- hdr = REQUEST_BUF_NEXT(work);
+ hdr = ksmbd_req_buf_next(work);
if (le32_to_cpu(hdr->NextCommand) > 0) {
ksmbd_debug(SMB, "got SMB2 chained command\n");
init_chained_smb2_rsp(work);
@@ -5725,8 +5725,8 @@ int smb2_set_info(struct ksmbd_work *work)
rsp_org = work->response_buf;
if (work->next_smb2_rcv_hdr_off) {
- req = REQUEST_BUF_NEXT(work);
- rsp = RESPONSE_BUF_NEXT(work);
+ req = ksmbd_req_buf_next(work);
+ rsp = ksmbd_resp_buf_next(work);
if (!HAS_FILE_ID(le64_to_cpu(req->VolatileFileId))) {
ksmbd_debug(SMB, "Compound request set FID = %u\n",
work->compound_fid);
@@ -7224,8 +7224,8 @@ int smb2_ioctl(struct ksmbd_work *work)
rsp_org = work->response_buf;
if (work->next_smb2_rcv_hdr_off) {
- req = REQUEST_BUF_NEXT(work);
- rsp = RESPONSE_BUF_NEXT(work);
+ req = ksmbd_req_buf_next(work);
+ rsp = ksmbd_resp_buf_next(work);
if (!HAS_FILE_ID(le64_to_cpu(req->VolatileFileId))) {
ksmbd_debug(SMB, "Compound request set FID = %u\n",
work->compound_fid);
@@ -7848,7 +7848,7 @@ int smb2_check_sign_req(struct ksmbd_work *work)
hdr_org = hdr = work->request_buf;
if (work->next_smb2_rcv_hdr_off)
- hdr = REQUEST_BUF_NEXT(work);
+ hdr = ksmbd_req_buf_next(work);
if (!hdr->NextCommand && !work->next_smb2_rcv_hdr_off)
len = be32_to_cpu(hdr_org->smb2_buf_length);
@@ -7892,9 +7892,9 @@ void smb2_set_sign_rsp(struct ksmbd_work *work)
hdr_org = hdr = work->response_buf;
if (work->next_smb2_rsp_hdr_off)
- hdr = RESPONSE_BUF_NEXT(work);
+ hdr = ksmbd_resp_buf_next(work);
- req_hdr = REQUEST_BUF_NEXT(work);
+ req_hdr = ksmbd_req_buf_next(work);
if (!work->next_smb2_rsp_hdr_off) {
len = get_rfc1002_len(hdr_org);
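Review bot: req_hdr is taken from ksmbd_req_buf_next(work) unconditionally in smb2_set_sign_rsp(), while sites such as get_smb2_cmd_val() and smb2_check_sign_req() in this same patch only call the helper when next_smb2_rcv_hdr_off is set and otherwise use work->request_buf. If the helper is meant to be valid for the non-compound case as well, say so in its kernel-doc and drop the guards at the other sites; if not, guard this call too. smb3_set_sign_rsp() has the same pattern.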
@@ -7946,7 +7946,7 @@ int smb3_check_sign_req(struct ksmbd_work *work)
hdr_org = hdr = work->request_buf;
if (work->next_smb2_rcv_hdr_off)
- hdr = REQUEST_BUF_NEXT(work);
+ hdr = ksmbd_req_buf_next(work);
if (!hdr->NextCommand && !work->next_smb2_rcv_hdr_off)
len = be32_to_cpu(hdr_org->smb2_buf_length);
@@ -8005,9 +8005,9 @@ void smb3_set_sign_rsp(struct ksmbd_work *work)
hdr_org = hdr = work->response_buf;
if (work->next_smb2_rsp_hdr_off)
- hdr = RESPONSE_BUF_NEXT(work);
+ hdr = ksmbd_resp_buf_next(work);
- req_hdr = REQUEST_BUF_NEXT(work);
+ req_hdr = ksmbd_req_buf_next(work);
if (!work->next_smb2_rsp_hdr_off) {
len = get_rfc1002_len(hdr_org);
@@ -8217,7 +8217,7 @@ bool smb3_11_final_sess_setup_resp(struct ksmbd_work *work)
return false;
if (work->next_smb2_rcv_hdr_off)
- rsp = RESPONSE_BUF_NEXT(work);
+ rsp = ksmbd_resp_buf_next(work);
if (le16_to_cpu(rsp->Command) == SMB2_SESSION_SETUP_HE &&
rsp->Status == STATUS_SUCCESS)
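Review bot: the guard in smb3_11_final_sess_setup_resp() tests work->next_smb2_rcv_hdr_off, but the pointer it selects is the response one; smb2_set_sign_rsp() and smb3_set_sign_rsp() in this patch test next_smb2_rsp_hdr_off before calling ksmbd_resp_buf_next(). Since the rename touches every call site anyway, settle on one field for response-side guards, or fold the test into the helper, so that request and response offsets cannot be mixed up in compound handling.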
From patchwork Mon Nov 14 12:50:56 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Jason Yan <yanaijie(a)huawei.com>
X-Patchwork-Id: 183244
Return-Path: <yanaijie(a)huawei.com>
From: Jason Yan <yanaijie(a)huawei.com>
To: <yanaijie(a)huawei.com>, <zhengzengkai(a)huawei.com>, <xiexiuqi(a)huawei.com>,
<yi.zhang(a)huawei.com>, <patchwork(a)huawei.com>, <kernel.openeuler(a)huawei.com>,
<houtao1(a)huawei.com>
Subject: [PATCH OLK-5.10 v2 147/308] ksmbd: allow PROTECTED_DACL_SECINFO and
UNPROTECTED_DACL_SECINFO addition information in smb2 set info security
Date: Mon, 14 Nov 2022 20:50:56 +0800
Message-ID: <20221114125337.1831594-148-yanaijie(a)huawei.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20221114125337.1831594-1-yanaijie(a)huawei.com>
References: <20221114125337.1831594-1-yanaijie(a)huawei.com>
Content-Type: text/plain
From: Namjae Jeon <namjae.jeon(a)samsung.com>
mainline inclusion
from mainline-5.15-rc1
commit e294f78d34785151cb6d7199ff61d110f9520e65
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G
CVE: NA
Reference: https://git.kernel.org/torvalds/linux/c/e294f78d3478
-------------------------------
"cifsd: Fix regression in smb2_get_info" patch cause that dacl doesn't
work. Windows sends smb2 set info security with PROTECTED_DACL_SECINFO to
control dacl. But previous patch doesn't allow it.
This patch adds PROTECTED_DACL_SECINFO and UNPROTECTED_DACL_SECINFO
additional information flags in check.
Signed-off-by: Namjae Jeon <namjae.jeon(a)samsung.com>
Signed-off-by: Steve French <stfrench(a)microsoft.com>
Signed-off-by: Jason Yan <yanaijie(a)huawei.com>
---
fs/ksmbd/smb2pdu.c | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/fs/ksmbd/smb2pdu.c b/fs/ksmbd/smb2pdu.c
index 42fc3bd2d464..7d8bec07630b 100644
--- a/fs/ksmbd/smb2pdu.c
+++ b/fs/ksmbd/smb2pdu.c
@@ -4888,9 +4888,11 @@ static int smb2_get_info_sec(struct ksmbd_work *work,
int addition_info = le32_to_cpu(req->AdditionalInformation);
int rc;
- if (addition_info & ~(OWNER_SECINFO | GROUP_SECINFO | DACL_SECINFO)) {
- ksmbd_debug(SMB, "Unsupported addition info: 0x%x)\n",
- addition_info);
+ if (addition_info & ~(OWNER_SECINFO | GROUP_SECINFO | DACL_SECINFO |
+ PROTECTED_DACL_SECINFO |
+ UNPROTECTED_DACL_SECINFO)) {
+ pr_err("Unsupported addition info: 0x%x)\n",
+ addition_info);
pntsd->revision = cpu_to_le16(1);
pntsd->type = cpu_to_le16(SELF_RELATIVE | DACL_PROTECTED);
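Review bot: replacing ksmbd_debug() with pr_err() in the unsupported-flags branch lets any client that sends an unknown AdditionalInformation bit write an error-level line to the kernel log on every request, because addition_info comes straight from req->AdditionalInformation; keep ksmbd_debug() or use pr_err_ratelimited(). The format string also carries an unmatched ")" after 0x%x. Separately, the subject and message talk about smb2 set info security, while the hunk changes smb2_get_info_sec(); the message should name the function actually touched.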
From patchwork Mon Nov 14 12:50:57 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Jason Yan <yanaijie(a)huawei.com>
X-Patchwork-Id: 183245
Return-Path: <yanaijie(a)huawei.com>
From: Jason Yan <yanaijie(a)huawei.com>
To: <yanaijie(a)huawei.com>, <zhengzengkai(a)huawei.com>, <xiexiuqi(a)huawei.com>,
<yi.zhang(a)huawei.com>, <patchwork(a)huawei.com>, <kernel.openeuler(a)huawei.com>,
<houtao1(a)huawei.com>
Subject: [PATCH OLK-5.10 v2 148/308] ksmbd: Relax credit_charge check in
smb2_validate_credit_charge()
Date: Mon, 14 Nov 2022 20:50:57 +0800
Message-ID: <20221114125337.1831594-149-yanaijie(a)huawei.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20221114125337.1831594-1-yanaijie(a)huawei.com>
References: <20221114125337.1831594-1-yanaijie(a)huawei.com>
Content-Type: text/plain
From: Marios Makassikis <mmakassikis(a)freebox.fr>
mainline inclusion
from mainline-5.15-rc1
commit a5a25a114ab2412831f063361360eb1192ca6151
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G
CVE: NA
Reference: https://git.kernel.org/torvalds/linux/c/a5a25a114ab2
-------------------------------
smb2_validate_credit_charge() checks the CreditCharge field in the
request is valid with regards to the payload size.
The current implementation rejects requests with CreditCharge = 0 and a
payload < 64K, even though they should be accepted.
Set CreditCharge to a minimum value of 1 to avoid rejecting such
requests. This matches what samba4 does.
Fixes share enumeration for jcifs-ng clients.
Signed-off-by: Marios Makassikis <mmakassikis(a)freebox.fr>
Signed-off-by: Namjae Jeon <namjae.jeon(a)samsung.com>
Signed-off-by: Steve French <stfrench(a)microsoft.com>
Signed-off-by: Jason Yan <yanaijie(a)huawei.com>
---
fs/ksmbd/smb2misc.c | 10 ++++------
1 file changed, 4 insertions(+), 6 deletions(-)
diff --git a/fs/ksmbd/smb2misc.c b/fs/ksmbd/smb2misc.c
index 730d68032c46..4508631c5706 100644
--- a/fs/ksmbd/smb2misc.c
+++ b/fs/ksmbd/smb2misc.c
@@ -317,14 +317,12 @@ static int smb2_validate_credit_charge(struct smb2_hdr *hdr)
return 0;
}
+ credit_charge = max(1, credit_charge);
max_len = max(req_len, expect_resp_len);
calc_credit_num = DIV_ROUND_UP(max_len, SMB2_MAX_BUFFER_SIZE);
- if (!credit_charge && max_len > SMB2_MAX_BUFFER_SIZE) {
- pr_err("credit charge is zero and payload size(%d) is bigger than 64K\n",
- max_len);
- return 1;
- } else if (credit_charge < calc_credit_num) {
- pr_err("credit charge : %d, calc_credit_num : %d\n",
+
+ if (credit_charge < calc_credit_num) {
+ pr_err("Insufficient credit charge, given: %d, needed: %d\n",
credit_charge, calc_credit_num);
return 1;
}
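Review bot: max(1, credit_charge) depends on the declared type of credit_charge, which is outside this hunk; the kernel's max() rejects mixed types, so if the variable is not a plain int this needs max_t() with the type spelled out. With the zero case folded into the general comparison, a CreditCharge of 0 with a payload above SMB2_MAX_BUFFER_SIZE is still rejected because calc_credit_num is then at least 2, which is worth stating in the commit message. The remaining pr_err() prints client-supplied values on every bad request and would be better rate limited.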
From patchwork Mon Nov 14 12:50:58 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Jason Yan <yanaijie(a)huawei.com>
X-Patchwork-Id: 183246
Return-Path: <yanaijie(a)huawei.com>
From: Jason Yan <yanaijie(a)huawei.com>
To: <yanaijie(a)huawei.com>, <zhengzengkai(a)huawei.com>, <xiexiuqi(a)huawei.com>,
<yi.zhang(a)huawei.com>, <patchwork(a)huawei.com>, <kernel.openeuler(a)huawei.com>,
<houtao1(a)huawei.com>
Subject: [PATCH OLK-5.10 v2 149/308] ksmbd: fix dentry racy with rename()
Date: Mon, 14 Nov 2022 20:50:58 +0800
Message-ID: <20221114125337.1831594-150-yanaijie(a)huawei.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20221114125337.1831594-1-yanaijie(a)huawei.com>
References: <20221114125337.1831594-1-yanaijie(a)huawei.com>
Content-Type: text/plain
From: Namjae Jeon <namjae.jeon(a)samsung.com>
mainline inclusion
from mainline-5.15-rc1
commit 493fa2fbe4597db474e43d38fb8805cbaef654ac
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G
CVE: NA
Reference: https://git.kernel.org/torvalds/linux/c/493fa2fbe459
-------------------------------
Using ->d_name can be broken due to races with rename().
So use %pd with ->d_name to print filename and in other cases,
use it under ->d_lock.
Reviewed-by: Christoph Hellwig <hch(a)lst.de>
Signed-off-by: Namjae Jeon <namjae.jeon(a)samsung.com>
Signed-off-by: Steve French <stfrench(a)microsoft.com>
Signed-off-by: Jason Yan <yanaijie(a)huawei.com>
---
fs/ksmbd/smb2pdu.c | 19 ++++++++++---------
fs/ksmbd/vfs.c | 14 ++++++++------
fs/ksmbd/vfs_cache.h | 1 -
3 files changed, 18 insertions(+), 16 deletions(-)
diff --git a/fs/ksmbd/smb2pdu.c b/fs/ksmbd/smb2pdu.c
index 7d8bec07630b..70e6d6e3e84b 100644
--- a/fs/ksmbd/smb2pdu.c
+++ b/fs/ksmbd/smb2pdu.c
@@ -3711,8 +3711,8 @@ int smb2_query_dir(struct ksmbd_work *work)
if (!(dir_fp->daccess & FILE_LIST_DIRECTORY_LE) ||
inode_permission(&init_user_ns, file_inode(dir_fp->filp),
MAY_READ | MAY_EXEC)) {
- pr_err("no right to enumerate directory (%s)\n",
- FP_FILENAME(dir_fp));
+ pr_err("no right to enumerate directory (%pd)\n",
+ dir_fp->filp->f_path.dentry);
rc = -EACCES;
goto err_out2;
}
@@ -4266,14 +4266,15 @@ static void get_file_alternate_info(struct ksmbd_work *work,
{
struct ksmbd_conn *conn = work->conn;
struct smb2_file_alt_name_info *file_info;
+ struct dentry *dentry = fp->filp->f_path.dentry;
int conv_len;
- char *filename;
- filename = (char *)FP_FILENAME(fp);
+ spin_lock(&dentry->d_lock);
file_info = (struct smb2_file_alt_name_info *)rsp->Buffer;
conv_len = ksmbd_extract_shortname(conn,
- filename,
+ dentry->d_name.name,
file_info->FileName);
+ spin_unlock(&dentry->d_lock);
file_info->FileNameLength = cpu_to_le32(conv_len);
rsp->OutputBufferLength =
cpu_to_le32(sizeof(struct smb2_file_alt_name_info) + conv_len);
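Review bot: ksmbd_extract_shortname() now runs with dentry->d_lock held in get_file_alternate_info(), so it must not sleep or allocate, and nothing in this hunk shows that it cannot. If that cannot be guaranteed, copy the name out first with take_dentry_name_snapshot() / release_dentry_name_snapshot() and do the conversion outside the spinlock. The conversion also writes into file_info->FileName inside rsp->Buffer with no length bound visible here.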
@@ -5938,8 +5939,8 @@ int smb2_read(struct ksmbd_work *work)
goto out;
}
- ksmbd_debug(SMB, "filename %s, offset %lld, len %zu\n", FP_FILENAME(fp),
- offset, length);
+ ksmbd_debug(SMB, "filename %pd, offset %lld, len %zu\n",
+ fp->filp->f_path.dentry, offset, length);
work->aux_payload_buf = kvmalloc(length, GFP_KERNEL | __GFP_ZERO);
if (!work->aux_payload_buf) {
@@ -6216,8 +6217,8 @@ int smb2_write(struct ksmbd_work *work)
if (le32_to_cpu(req->Flags) & SMB2_WRITEFLAG_WRITE_THROUGH)
writethrough = true;
- ksmbd_debug(SMB, "filename %s, offset %lld, len %zu\n",
- FP_FILENAME(fp), offset, length);
+ ksmbd_debug(SMB, "filename %pd, offset %lld, len %zu\n",
+ fp->filp->f_path.dentry, offset, length);
err = ksmbd_vfs_write(work, fp, data_buf, length, &offset,
writethrough, &nbytes);
if (err < 0)
diff --git a/fs/ksmbd/vfs.c b/fs/ksmbd/vfs.c
index 6181a58e8a33..ed1c0626e205 100644
--- a/fs/ksmbd/vfs.c
+++ b/fs/ksmbd/vfs.c
@@ -365,7 +365,8 @@ int ksmbd_vfs_read(struct ksmbd_work *work, struct ksmbd_file *fp, size_t count,
if (work->conn->connection_type) {
if (!(fp->daccess & (FILE_READ_DATA_LE | FILE_EXECUTE_LE))) {
- pr_err("no right to read(%s)\n", FP_FILENAME(fp));
+ pr_err("no right to read(%pd)\n",
+ fp->filp->f_path.dentry);
return -EACCES;
}
}
@@ -473,7 +474,8 @@ int ksmbd_vfs_write(struct ksmbd_work *work, struct ksmbd_file *fp,
if (sess->conn->connection_type) {
if (!(fp->daccess & FILE_WRITE_DATA_LE)) {
- pr_err("no right to write(%s)\n", FP_FILENAME(fp));
+ pr_err("no right to write(%pd)\n",
+ fp->filp->f_path.dentry);
err = -EACCES;
goto out;
}
@@ -512,8 +514,8 @@ int ksmbd_vfs_write(struct ksmbd_work *work, struct ksmbd_file *fp,
if (sync) {
err = vfs_fsync_range(filp, offset, offset + *written, 0);
if (err < 0)
- pr_err("fsync failed for filename = %s, err = %d\n",
- FP_FILENAME(fp), err);
+ pr_err("fsync failed for filename = %pd, err = %d\n",
+ fp->filp->f_path.dentry, err);
}
out:
@@ -1707,11 +1709,11 @@ int ksmbd_vfs_copy_file_ranges(struct ksmbd_work *work,
*total_size_written = 0;
if (!(src_fp->daccess & (FILE_READ_DATA_LE | FILE_EXECUTE_LE))) {
- pr_err("no right to read(%s)\n", FP_FILENAME(src_fp));
+ pr_err("no right to read(%pd)\n", src_fp->filp->f_path.dentry);
return -EACCES;
}
if (!(dst_fp->daccess & (FILE_WRITE_DATA_LE | FILE_APPEND_DATA_LE))) {
- pr_err("no right to write(%s)\n", FP_FILENAME(dst_fp));
+ pr_err("no right to write(%pd)\n", dst_fp->filp->f_path.dentry);
return -EACCES;
}
diff --git a/fs/ksmbd/vfs_cache.h b/fs/ksmbd/vfs_cache.h
index 745855367106..03c36906cab0 100644
--- a/fs/ksmbd/vfs_cache.h
+++ b/fs/ksmbd/vfs_cache.h
@@ -25,7 +25,6 @@
#define KSMBD_NO_FID (UINT_MAX)
#define SMB2_NO_FID (0xFFFFFFFFFFFFFFFFULL)
-#define FP_FILENAME(fp) ((fp)->filp->f_path.dentry->d_name.name)
#define FP_INODE(fp) d_inode((fp)->filp->f_path.dentry)
#define PARENT_INODE(fp) d_inode((fp)->filp->f_path.dentry->d_parent)
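Review bot: FP_FILENAME goes away, but PARENT_INODE on the last context line still reads ->d_parent with no lock or reference held, which is exposed to the same rename() race the commit message describes. Either convert it in this patch or say in the message that it is handled separately.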
From patchwork Mon Nov 14 12:50:59 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Jason Yan <yanaijie(a)huawei.com>
X-Patchwork-Id: 183247
Return-Path: <yanaijie(a)huawei.com>
From: Jason Yan <yanaijie(a)huawei.com>
To: <yanaijie(a)huawei.com>, <zhengzengkai(a)huawei.com>, <xiexiuqi(a)huawei.com>,
<yi.zhang(a)huawei.com>, <patchwork(a)huawei.com>, <kernel.openeuler(a)huawei.com>,
<houtao1(a)huawei.com>
Subject: [PATCH OLK-5.10 v2 150/308] ksmbd: opencode to remove FP_INODE macro
Date: Mon, 14 Nov 2022 20:50:59 +0800
Message-ID: <20221114125337.1831594-151-yanaijie(a)huawei.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20221114125337.1831594-1-yanaijie(a)huawei.com>
References: <20221114125337.1831594-1-yanaijie(a)huawei.com>
Content-Type: text/plain
From: Namjae Jeon <namjae.jeon(a)samsung.com>
mainline inclusion
from mainline-5.15-rc1
commit ab0b263b749ade964db46b148a965eb88bd644be
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G
CVE: NA
Reference: https://git.kernel.org/torvalds/linux/c/ab0b263b749a
-------------------------------
Opencode to remove FP_INODE macro.
Reviewed-by: Christoph Hellwig <hch(a)lst.de>
Signed-off-by: Namjae Jeon <namjae.jeon(a)samsung.com>
Signed-off-by: Steve French <stfrench(a)microsoft.com>
Signed-off-by: Jason Yan <yanaijie(a)huawei.com>
---
fs/ksmbd/oplock.c | 2 +-
fs/ksmbd/smb2pdu.c | 26 +++++++++++++-------------
fs/ksmbd/smb_common.c | 2 +-
fs/ksmbd/vfs.c | 2 +-
fs/ksmbd/vfs_cache.c | 6 +++---
fs/ksmbd/vfs_cache.h | 1 -
6 files changed, 19 insertions(+), 20 deletions(-)
diff --git a/fs/ksmbd/oplock.c b/fs/ksmbd/oplock.c
index 71e15a591582..3f0dd9b35c78 100644
--- a/fs/ksmbd/oplock.c
+++ b/fs/ksmbd/oplock.c
@@ -1579,7 +1579,7 @@ void create_disk_id_rsp_buf(char *cc, __u64 file_id, __u64 vol_id)
void create_posix_rsp_buf(char *cc, struct ksmbd_file *fp)
{
struct create_posix_rsp *buf;
- struct inode *inode = FP_INODE(fp);
+ struct inode *inode = file_inode(fp->filp);
buf = (struct create_posix_rsp *)cc;
memset(buf, 0, sizeof(struct create_posix_rsp));
diff --git a/fs/ksmbd/smb2pdu.c b/fs/ksmbd/smb2pdu.c
index 70e6d6e3e84b..2d515e44d48e 100644
--- a/fs/ksmbd/smb2pdu.c
+++ b/fs/ksmbd/smb2pdu.c
@@ -2908,7 +2908,7 @@ int smb2_open(struct ksmbd_work *work)
if (!test_share_config_flag(work->tcon->share_conf, KSMBD_SHARE_FLAG_OPLOCKS) ||
(req_op_level == SMB2_OPLOCK_LEVEL_LEASE &&
!(conn->vals->capabilities & SMB2_GLOBAL_CAP_LEASING))) {
- if (share_ret < 0 && !S_ISDIR(FP_INODE(fp)->i_mode)) {
+ if (share_ret < 0 && !S_ISDIR(file_inode(fp->filp)->i_mode)) {
rc = share_ret;
goto err_out;
}
@@ -2995,7 +2995,7 @@ int smb2_open(struct ksmbd_work *work)
memcpy(fp->client_guid, conn->ClientGUID, SMB2_CLIENT_GUID_SIZE);
- generic_fillattr(&init_user_ns, FP_INODE(fp), &stat);
+ generic_fillattr(&init_user_ns, file_inode(fp->filp), &stat);
rsp->StructureSize = cpu_to_le16(89);
rcu_read_lock();
@@ -4123,7 +4123,7 @@ static int get_file_basic_info(struct smb2_query_info_rsp *rsp,
}
basic_info = (struct smb2_file_all_info *)rsp->Buffer;
- generic_fillattr(&init_user_ns, FP_INODE(fp), &stat);
+ generic_fillattr(&init_user_ns, file_inode(fp->filp), &stat);
basic_info->CreationTime = cpu_to_le64(fp->create_time);
time = ksmbd_UnixTimeToNT(stat.atime);
basic_info->LastAccessTime = cpu_to_le64(time);
@@ -4163,7 +4163,7 @@ static void get_file_standard_info(struct smb2_query_info_rsp *rsp,
struct inode *inode;
struct kstat stat;
- inode = FP_INODE(fp);
+ inode = file_inode(fp->filp);
generic_fillattr(&init_user_ns, inode, &stat);
sinfo = (struct smb2_file_standard_info *)rsp->Buffer;
@@ -4218,7 +4218,7 @@ static int get_file_all_info(struct ksmbd_work *work,
if (!filename)
return -ENOMEM;
- inode = FP_INODE(fp);
+ inode = file_inode(fp->filp);
generic_fillattr(&init_user_ns, inode, &stat);
ksmbd_debug(SMB, "filename = %s\n", filename);
@@ -4294,7 +4294,7 @@ static void get_file_stream_info(struct ksmbd_work *work,
ssize_t xattr_list_len;
int nbytes = 0, streamlen, stream_name_len, next, idx = 0;
- generic_fillattr(&init_user_ns, FP_INODE(fp), &stat);
+ generic_fillattr(&init_user_ns, file_inode(fp->filp), &stat);
file_info = (struct smb2_file_stream_info *)rsp->Buffer;
xattr_list_len = ksmbd_vfs_listxattr(path->dentry, &xattr_list);
@@ -4373,7 +4373,7 @@ static void get_file_internal_info(struct smb2_query_info_rsp *rsp,
struct smb2_file_internal_info *file_info;
struct kstat stat;
- generic_fillattr(&init_user_ns, FP_INODE(fp), &stat);
+ generic_fillattr(&init_user_ns, file_inode(fp->filp), &stat);
file_info = (struct smb2_file_internal_info *)rsp->Buffer;
file_info->IndexNumber = cpu_to_le64(stat.ino);
rsp->OutputBufferLength =
@@ -4397,7 +4397,7 @@ static int get_file_network_open_info(struct smb2_query_info_rsp *rsp,
file_info = (struct smb2_file_ntwrk_info *)rsp->Buffer;
- inode = FP_INODE(fp);
+ inode = file_inode(fp->filp);
generic_fillattr(&init_user_ns, inode, &stat);
file_info->CreationTime = cpu_to_le64(fp->create_time);
@@ -4459,7 +4459,7 @@ static void get_file_compression_info(struct smb2_query_info_rsp *rsp,
struct smb2_file_comp_info *file_info;
struct kstat stat;
- generic_fillattr(&init_user_ns, FP_INODE(fp), &stat);
+ generic_fillattr(&init_user_ns, file_inode(fp->filp), &stat);
file_info = (struct smb2_file_comp_info *)rsp->Buffer;
file_info->CompressedFileSize = cpu_to_le64(stat.blocks << 9);
@@ -4498,7 +4498,7 @@ static int find_file_posix_info(struct smb2_query_info_rsp *rsp,
struct ksmbd_file *fp, void *rsp_org)
{
struct smb311_posix_qinfo *file_info;
- struct inode *inode = FP_INODE(fp);
+ struct inode *inode = file_inode(fp->filp);
u64 time;
file_info = (struct smb311_posix_qinfo *)rsp->Buffer;
@@ -4927,7 +4927,7 @@ static int smb2_get_info_sec(struct ksmbd_work *work,
if (!fp)
return -ENOENT;
- inode = FP_INODE(fp);
+ inode = file_inode(fp->filp);
ksmbd_acls_fattr(&fattr, inode);
if (test_share_config_flag(work->tcon->share_conf,
@@ -5109,7 +5109,7 @@ int smb2_close(struct ksmbd_work *work)
goto out;
}
- inode = FP_INODE(fp);
+ inode = file_inode(fp->filp);
rsp->Flags = SMB2_CLOSE_FLAG_POSTQUERY_ATTRIB;
rsp->AllocationSize = S_ISDIR(inode->i_mode) ? 0 :
cpu_to_le64(inode->i_blocks << 9);
@@ -7397,7 +7397,7 @@ int smb2_ioctl(struct ksmbd_work *work)
}
reparse_ptr->ReparseTag =
- smb2_get_reparse_tag_special_file(FP_INODE(fp)->i_mode);
+ smb2_get_reparse_tag_special_file(file_inode(fp->filp)->i_mode);
reparse_ptr->ReparseDataLength = 0;
ksmbd_fd_put(work, fp);
nbytes = sizeof(struct reparse_data_buffer);
diff --git a/fs/ksmbd/smb_common.c b/fs/ksmbd/smb_common.c
index 5bf644d7e321..b573575a1de5 100644
--- a/fs/ksmbd/smb_common.c
+++ b/fs/ksmbd/smb_common.c
@@ -488,7 +488,7 @@ int ksmbd_smb_check_shared_mode(struct file *filp, struct ksmbd_file *curr_fp)
*/
read_lock(&curr_fp->f_ci->m_lock);
list_for_each_entry(prev_fp, &curr_fp->f_ci->m_fp_list, node) {
- if (file_inode(filp) != FP_INODE(prev_fp))
+ if (file_inode(filp) != file_inode(prev_fp->filp))
continue;
if (filp == prev_fp->filp)
diff --git a/fs/ksmbd/vfs.c b/fs/ksmbd/vfs.c
index ed1c0626e205..40783bb414d6 100644
--- a/fs/ksmbd/vfs.c
+++ b/fs/ksmbd/vfs.c
@@ -1024,7 +1024,7 @@ int ksmbd_vfs_fqar_lseek(struct ksmbd_file *fp, loff_t start, loff_t length,
int in_count, int *out_count)
{
struct file *f = fp->filp;
- struct inode *inode = FP_INODE(fp);
+ struct inode *inode = file_inode(fp->filp);
loff_t maxbytes = (u64)inode->i_sb->s_maxbytes, end;
loff_t extent_start, extent_end;
int ret = 0;
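Review bot: style point in ksmbd_vfs_fqar_lseek(): f already holds fp->filp on the line above, so the new initializer can be file_inode(f) instead of repeating fp->filp, which keeps the two declarations visibly tied to the same struct file.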
diff --git a/fs/ksmbd/vfs_cache.c b/fs/ksmbd/vfs_cache.c
index c88210b15289..5c9efcfaeb5c 100644
--- a/fs/ksmbd/vfs_cache.c
+++ b/fs/ksmbd/vfs_cache.c
@@ -83,7 +83,7 @@ static struct ksmbd_inode *__ksmbd_inode_lookup(struct inode *inode)
static struct ksmbd_inode *ksmbd_inode_lookup(struct ksmbd_file *fp)
{
- return __ksmbd_inode_lookup(FP_INODE(fp));
+ return __ksmbd_inode_lookup(file_inode(fp->filp));
}
static struct ksmbd_inode *ksmbd_inode_lookup_by_vfsinode(struct inode *inode)
@@ -156,7 +156,7 @@ static void ksmbd_inode_unhash(struct ksmbd_inode *ci)
static int ksmbd_inode_init(struct ksmbd_inode *ci, struct ksmbd_file *fp)
{
- ci->m_inode = FP_INODE(fp);
+ ci->m_inode = file_inode(fp->filp);
atomic_set(&ci->m_count, 1);
atomic_set(&ci->op_count, 0);
atomic_set(&ci->sop_count, 0);
@@ -479,7 +479,7 @@ struct ksmbd_file *ksmbd_lookup_fd_inode(struct inode *inode)
read_lock(&ci->m_lock);
list_for_each_entry(lfp, &ci->m_fp_list, node) {
- if (inode == FP_INODE(lfp)) {
+ if (inode == file_inode(lfp->filp)) {
atomic_dec(&ci->m_count);
read_unlock(&ci->m_lock);
return lfp;
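Review bot: in ksmbd_lookup_fd_inode() the match path returns lfp after read_unlock(&ci->m_lock), and nothing in the visible lines takes a reference on lfp before the lock is dropped, so the caller can end up holding a pointer that a concurrent close frees. This predates the macro removal, but since the line is being touched it is worth either taking a reference under m_lock or documenting why the caller is safe.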
diff --git a/fs/ksmbd/vfs_cache.h b/fs/ksmbd/vfs_cache.h
index 03c36906cab0..b01192ebd86b 100644
--- a/fs/ksmbd/vfs_cache.h
+++ b/fs/ksmbd/vfs_cache.h
@@ -25,7 +25,6 @@
#define KSMBD_NO_FID (UINT_MAX)
#define SMB2_NO_FID (0xFFFFFFFFFFFFFFFFULL)
-#define FP_INODE(fp) d_inode((fp)->filp->f_path.dentry)
#define PARENT_INODE(fp) d_inode((fp)->filp->f_path.dentry->d_parent)
#define ATTR_FP(fp) ((fp)->attrib_only && \
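Review bot: the removed macro was d_inode((fp)->filp->f_path.dentry), while the replacement file_inode() returns filp->f_inode, so this is a change of accessor and not a pure open-coding. The commit message should state that the two are expected to be identical for every file ksmbd opens, including shares on stacked filesystems, or call out where they may differ.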
From patchwork Mon Nov 14 12:51:00 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Jason Yan <yanaijie(a)huawei.com>
X-Patchwork-Id: 183248
Return-Path: <yanaijie(a)huawei.com>
From: Jason Yan <yanaijie(a)huawei.com>
To: <yanaijie(a)huawei.com>, <zhengzengkai(a)huawei.com>, <xiexiuqi(a)huawei.com>,
<yi.zhang(a)huawei.com>, <patchwork(a)huawei.com>, <kernel.openeuler(a)huawei.com>,
<houtao1(a)huawei.com>
Subject: [PATCH OLK-5.10 v2 151/308] ksmbd: use ksmbd_vfs_lock_parent to get
stable parent dentry
Date: Mon, 14 Nov 2022 20:51:00 +0800
Message-ID: <20221114125337.1831594-152-yanaijie(a)huawei.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20221114125337.1831594-1-yanaijie(a)huawei.com>
References: <20221114125337.1831594-1-yanaijie(a)huawei.com>
Content-Type: text/plain
From: Namjae Jeon <namjae.jeon(a)samsung.com>
mainline inclusion
from mainline-5.15-rc1
commit 12202c0594b18218e1645fd0fad92cf77a1f3145
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G
CVE: NA
Reference: https://git.kernel.org/torvalds/linux/c/12202c0594b1
-------------------------------
Use ksmbd_vfs_lock_parent to get stable parent dentry and remove
PARENT_INODE macro.
Reviewed-by: Christoph Hellwig <hch(a)lst.de>
Signed-off-by: Namjae Jeon <namjae.jeon(a)samsung.com>
Signed-off-by: Steve French <stfrench(a)microsoft.com>
Signed-off-by: Jason Yan <yanaijie(a)huawei.com>
---
fs/ksmbd/smb2pdu.c | 15 ++++++++++++++-
fs/ksmbd/vfs.c | 2 +-
fs/ksmbd/vfs.h | 1 +
fs/ksmbd/vfs_cache.h | 2 --
4 files changed, 16 insertions(+), 4 deletions(-)
diff --git a/fs/ksmbd/smb2pdu.c b/fs/ksmbd/smb2pdu.c
index 2d515e44d48e..bf798ee65b25 100644
--- a/fs/ksmbd/smb2pdu.c
+++ b/fs/ksmbd/smb2pdu.c
@@ -5538,6 +5538,9 @@ static int set_rename_info(struct ksmbd_work *work, struct ksmbd_file *fp,
char *buf)
{
struct ksmbd_file *parent_fp;
+ struct dentry *parent;
+ struct dentry *dentry = fp->filp->f_path.dentry;
+ int ret;
if (!(fp->daccess & FILE_DELETE_LE)) {
pr_err("no right to delete : 0x%x\n", fp->daccess);
@@ -5547,7 +5550,17 @@ static int set_rename_info(struct ksmbd_work *work, struct ksmbd_file *fp,
if (ksmbd_stream_fd(fp))
goto next;
- parent_fp = ksmbd_lookup_fd_inode(PARENT_INODE(fp));
+ parent = dget_parent(dentry);
+ ret = ksmbd_vfs_lock_parent(parent, dentry);
+ if (ret) {
+ dput(parent);
+ return ret;
+ }
+
+ parent_fp = ksmbd_lookup_fd_inode(d_inode(parent));
+ inode_unlock(d_inode(parent));
+ dput(parent);
+
if (parent_fp) {
if (parent_fp->daccess & FILE_DELETE_LE) {
pr_err("parent dir is opened with delete access\n");
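Review bot: in set_rename_info(), inode_unlock(d_inode(parent)) and dput(parent) run before parent_fp->daccess is tested, so the parent is only held stable for the ksmbd_lookup_fd_inode() call and not for the FILE_DELETE_LE check that follows. If that narrow window is intended, a one-line comment above the unlock saying so would help; the commit message only says "get stable parent dentry" and does not state what the lock is protecting against.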
diff --git a/fs/ksmbd/vfs.c b/fs/ksmbd/vfs.c
index 40783bb414d6..702166266f91 100644
--- a/fs/ksmbd/vfs.c
+++ b/fs/ksmbd/vfs.c
@@ -69,7 +69,7 @@ static void ksmbd_vfs_inherit_owner(struct ksmbd_work *work,
*
* the reference count of @parent isn't incremented.
*/
-static int ksmbd_vfs_lock_parent(struct dentry *parent, struct dentry *child)
+int ksmbd_vfs_lock_parent(struct dentry *parent, struct dentry *child)
{
struct dentry *dentry;
int ret = 0;
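Review bot: now that ksmbd_vfs_lock_parent() is no longer static, the comment above it should document the contract for outside callers: what it returns on failure and whether the parent inode is left locked in that case. The new caller in smb2pdu.c does only dput(parent) on error, which is correct only if the helper has already dropped the lock, and the visible comment says nothing beyond "the reference count of @parent isn't incremented".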
diff --git a/fs/ksmbd/vfs.h b/fs/ksmbd/vfs.h
index ae8eff1f0315..ba12fea004b5 100644
--- a/fs/ksmbd/vfs.h
+++ b/fs/ksmbd/vfs.h
@@ -192,6 +192,7 @@ struct ksmbd_kstat {
__le32 file_attributes;
};
+int ksmbd_vfs_lock_parent(struct dentry *parent, struct dentry *child);
int ksmbd_vfs_may_delete(struct dentry *dentry);
int ksmbd_vfs_query_maximal_access(struct dentry *dentry, __le32 *daccess);
int ksmbd_vfs_create(struct ksmbd_work *work, const char *name, umode_t mode);
diff --git a/fs/ksmbd/vfs_cache.h b/fs/ksmbd/vfs_cache.h
index b01192ebd86b..752cbdab3522 100644
--- a/fs/ksmbd/vfs_cache.h
+++ b/fs/ksmbd/vfs_cache.h
@@ -25,8 +25,6 @@
#define KSMBD_NO_FID (UINT_MAX)
#define SMB2_NO_FID (0xFFFFFFFFFFFFFFFFULL)
-#define PARENT_INODE(fp) d_inode((fp)->filp->f_path.dentry->d_parent)
-
#define ATTR_FP(fp) ((fp)->attrib_only && \
((fp)->cdoption != FILE_OVERWRITE_IF_LE && \
(fp)->cdoption != FILE_OVERWRITE_LE && \
From patchwork Mon Nov 14 12:51:01 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Jason Yan <yanaijie(a)huawei.com>
X-Patchwork-Id: 183249
From: Jason Yan <yanaijie(a)huawei.com>
To: <yanaijie(a)huawei.com>, <zhengzengkai(a)huawei.com>, <xiexiuqi(a)huawei.com>,
<yi.zhang(a)huawei.com>, <patchwork(a)huawei.com>, <kernel.openeuler(a)huawei.com>,
<houtao1(a)huawei.com>
Subject: [PATCH OLK-5.10 v2 152/308] ksmbd: opencode to remove ATTR_FP macro
Date: Mon, 14 Nov 2022 20:51:01 +0800
Message-ID: <20221114125337.1831594-153-yanaijie(a)huawei.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20221114125337.1831594-1-yanaijie(a)huawei.com>
References: <20221114125337.1831594-1-yanaijie(a)huawei.com>
Content-Type: text/plain
From: Namjae Jeon <namjae.jeon(a)samsung.com>
mainline inclusion
from mainline-5.15-rc1
commit 849fbc549d4cca576d659d7df139c5f04104cb48
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G
CVE: NA
Reference: https://git.kernel.org/torvalds/linux/c/849fbc549d4c
-------------------------------
Opencode to remove ATTR_FP macro.
Reviewed-by: Christoph Hellwig <hch(a)lst.de>
Signed-off-by: Namjae Jeon <namjae.jeon(a)samsung.com>
Signed-off-by: Steve French <stfrench(a)microsoft.com>
Signed-off-by: Jason Yan <yanaijie(a)huawei.com>
---
fs/ksmbd/oplock.c | 4 +++-
fs/ksmbd/vfs_cache.h | 5 -----
2 files changed, 3 insertions(+), 6 deletions(-)
diff --git a/fs/ksmbd/oplock.c b/fs/ksmbd/oplock.c
index 3f0dd9b35c78..43c8b7ce6095 100644
--- a/fs/ksmbd/oplock.c
+++ b/fs/ksmbd/oplock.c
@@ -1111,7 +1111,9 @@ int smb_grant_oplock(struct ksmbd_work *work, int req_op_level, u64 pid,
goto set_lev;
/* grant none-oplock if second open is trunc */
- if (ATTR_FP(fp)) {
+ if (fp->attrib_only && fp->cdoption != FILE_OVERWRITE_IF_LE &&
+ fp->cdoption != FILE_OVERWRITE_LE &&
+ fp->cdoption != FILE_SUPERSEDE_LE) {
req_op_level = SMB2_OPLOCK_LEVEL_NONE;
goto set_lev;
}
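Review bot: the comment kept above the open-coded condition in smb_grant_oplock() says "grant none-oplock if second open is trunc", but the test is true when fp->attrib_only is set and cdoption is none of FILE_OVERWRITE_IF_LE, FILE_OVERWRITE_LE or FILE_SUPERSEDE_LE, which reads as the opposite of a truncating open. With the ATTR_FP name gone the comment is the only description of this branch, so it should be rewritten to match what the condition checks.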
diff --git a/fs/ksmbd/vfs_cache.h b/fs/ksmbd/vfs_cache.h
index 752cbdab3522..543494f664cb 100644
--- a/fs/ksmbd/vfs_cache.h
+++ b/fs/ksmbd/vfs_cache.h
@@ -25,11 +25,6 @@
#define KSMBD_NO_FID (UINT_MAX)
#define SMB2_NO_FID (0xFFFFFFFFFFFFFFFFULL)
-#define ATTR_FP(fp) ((fp)->attrib_only && \
- ((fp)->cdoption != FILE_OVERWRITE_IF_LE && \
- (fp)->cdoption != FILE_OVERWRITE_LE && \
- (fp)->cdoption != FILE_SUPERSEDE_LE))
-
struct ksmbd_conn;
struct ksmbd_session;
From patchwork Mon Nov 14 12:51:02 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Jason Yan <yanaijie(a)huawei.com>
X-Patchwork-Id: 183250
From: Jason Yan <yanaijie(a)huawei.com>
To: <yanaijie(a)huawei.com>, <zhengzengkai(a)huawei.com>, <xiexiuqi(a)huawei.com>,
<yi.zhang(a)huawei.com>, <patchwork(a)huawei.com>, <kernel.openeuler(a)huawei.com>,
<houtao1(a)huawei.com>
Subject: [PATCH OLK-5.10 v2 153/308] ksmbd: remove SMB1 oplock level macros
Date: Mon, 14 Nov 2022 20:51:02 +0800
Message-ID: <20221114125337.1831594-154-yanaijie(a)huawei.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20221114125337.1831594-1-yanaijie(a)huawei.com>
References: <20221114125337.1831594-1-yanaijie(a)huawei.com>
Content-Type: text/plain
From: Namjae Jeon <namjae.jeon(a)samsung.com>
mainline inclusion
from mainline-5.15-rc1
commit 0ae941ef2e481e478a4b6c52a16e73c7bb4b9e3e
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G
CVE: NA
Reference: https://git.kernel.org/torvalds/linux/c/0ae941ef2e48
-------------------------------
ksmbd does not support SMB1. This patch removes SMB1 oplock level macros.
Reviewed-by: Christoph Hellwig <hch(a)lst.de>
Signed-off-by: Namjae Jeon <namjae.jeon(a)samsung.com>
Signed-off-by: Steve French <stfrench(a)microsoft.com>
Signed-off-by: Jason Yan <yanaijie(a)huawei.com>
---
fs/ksmbd/oplock.c | 2 +-
fs/ksmbd/oplock.h | 6 ------
2 files changed, 1 insertion(+), 7 deletions(-)
diff --git a/fs/ksmbd/oplock.c b/fs/ksmbd/oplock.c
index 43c8b7ce6095..a9f171ccf770 100644
--- a/fs/ksmbd/oplock.c
+++ b/fs/ksmbd/oplock.c
@@ -39,7 +39,7 @@ static struct oplock_info *alloc_opinfo(struct ksmbd_work *work,
opinfo->sess = sess;
opinfo->conn = sess->conn;
- opinfo->level = OPLOCK_NONE;
+ opinfo->level = SMB2_OPLOCK_LEVEL_NONE;
opinfo->op_state = OPLOCK_STATE_NONE;
opinfo->pending_break = 0;
opinfo->fid = id;
diff --git a/fs/ksmbd/oplock.h b/fs/ksmbd/oplock.h
index 9fb7ea74e86c..119b8047cfbd 100644
--- a/fs/ksmbd/oplock.h
+++ b/fs/ksmbd/oplock.h
@@ -11,12 +11,6 @@
#define OPLOCK_WAIT_TIME (35 * HZ)
-/* SMB Oplock levels */
-#define OPLOCK_NONE 0
-#define OPLOCK_EXCLUSIVE 1
-#define OPLOCK_BATCH 2
-#define OPLOCK_READ 3 /* level 2 oplock */
-
/* SMB2 Oplock levels */
#define SMB2_OPLOCK_LEVEL_NONE 0x00
#define SMB2_OPLOCK_LEVEL_II 0x01
From patchwork Mon Nov 14 12:51:03 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Jason Yan <yanaijie(a)huawei.com>
X-Patchwork-Id: 183251
From: Jason Yan <yanaijie(a)huawei.com>
To: <yanaijie(a)huawei.com>, <zhengzengkai(a)huawei.com>, <xiexiuqi(a)huawei.com>,
<yi.zhang(a)huawei.com>, <patchwork(a)huawei.com>, <kernel.openeuler(a)huawei.com>,
<houtao1(a)huawei.com>
Subject: [PATCH OLK-5.10 v2 154/308] ksmbd: change ACE types to enumeration
Date: Mon, 14 Nov 2022 20:51:03 +0800
Message-ID: <20221114125337.1831594-155-yanaijie(a)huawei.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20221114125337.1831594-1-yanaijie(a)huawei.com>
References: <20221114125337.1831594-1-yanaijie(a)huawei.com>
Content-Type: text/plain
From: Namjae Jeon <namjae.jeon(a)samsung.com>
mainline inclusion
from mainline-5.15-rc1
commit 6128468da50c790f56d0aed2f604333fb324f897
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G
CVE: NA
Reference: https://git.kernel.org/torvalds/linux/c/6128468da50c
-------------------------------
Change ACE types to enumeration.
Reviewed-by: Christoph Hellwig <hch(a)lst.de>
Signed-off-by: Namjae Jeon <namjae.jeon(a)samsung.com>
Signed-off-by: Steve French <stfrench(a)microsoft.com>
Signed-off-by: Jason Yan <yanaijie(a)huawei.com>
---
fs/ksmbd/smbacl.h | 9 +++++++--
1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/fs/ksmbd/smbacl.h b/fs/ksmbd/smbacl.h
index fb5480f0aa89..baa9b9b47a07 100644
--- a/fs/ksmbd/smbacl.h
+++ b/fs/ksmbd/smbacl.h
@@ -17,8 +17,13 @@
#define NUM_AUTHS (6) /* number of authority fields */
#define SID_MAX_SUB_AUTHORITIES (15) /* max number of sub authority fields */
-#define ACCESS_ALLOWED 0
-#define ACCESS_DENIED 1
+/*
+ * ACE types - see MS-DTYP 2.4.4.1
+ */
+enum {
+ ACCESS_ALLOWED,
+ ACCESS_DENIED,
+};
#define SIDOWNER 1
#define SIDGROUP 2
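Review bot: ACCESS_ALLOWED and ACCESS_DENIED are the ACE type values that the new comment ties to MS-DTYP 2.4.4.1, so they are protocol constants, yet in the enum they depend on implicit numbering. Please write ACCESS_ALLOWED = 0 and ACCESS_DENIED = 1 explicitly so that adding or reordering an enumerator later cannot silently change what is parsed from or written into an ACL.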
From patchwork Mon Nov 14 12:51:04 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Jason Yan <yanaijie(a)huawei.com>
X-Patchwork-Id: 183252
From: Jason Yan <yanaijie(a)huawei.com>
To: <yanaijie(a)huawei.com>, <zhengzengkai(a)huawei.com>, <xiexiuqi(a)huawei.com>,
<yi.zhang(a)huawei.com>, <patchwork(a)huawei.com>, <kernel.openeuler(a)huawei.com>,
<houtao1(a)huawei.com>
Subject: [PATCH OLK-5.10 v2 155/308] ksmbd: change sid types to enumeration
Date: Mon, 14 Nov 2022 20:51:04 +0800
Message-ID: <20221114125337.1831594-156-yanaijie(a)huawei.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20221114125337.1831594-1-yanaijie(a)huawei.com>
References: <20221114125337.1831594-1-yanaijie(a)huawei.com>
Content-Type: text/plain
From: Namjae Jeon <namjae.jeon(a)samsung.com>
mainline inclusion
from mainline-5.15-rc1
commit 12411ad59d49e415f987719b8f676e2c6b99be37
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G
CVE: NA
Reference: https://git.kernel.org/torvalds/linux/c/12411ad59d49
-------------------------------
Change sid types to enumeration.
Reviewed-by: Christoph Hellwig <hch(a)lst.de>
Signed-off-by: Namjae Jeon <namjae.jeon(a)samsung.com>
Signed-off-by: Steve French <stfrench(a)microsoft.com>
Signed-off-by: Jason Yan <yanaijie(a)huawei.com>
---
fs/ksmbd/smbacl.h | 23 ++++++++++++++---------
1 file changed, 14 insertions(+), 9 deletions(-)
diff --git a/fs/ksmbd/smbacl.h b/fs/ksmbd/smbacl.h
index baa9b9b47a07..3e1345e9f24f 100644
--- a/fs/ksmbd/smbacl.h
+++ b/fs/ksmbd/smbacl.h
@@ -25,15 +25,20 @@ enum {
ACCESS_DENIED,
};
-#define SIDOWNER 1
-#define SIDGROUP 2
-#define SIDCREATOR_OWNER 3
-#define SIDCREATOR_GROUP 4
-#define SIDUNIX_USER 5
-#define SIDUNIX_GROUP 6
-#define SIDNFS_USER 7
-#define SIDNFS_GROUP 8
-#define SIDNFS_MODE 9
+/*
+ * Security ID types
+ */
+enum {
+ SIDOWNER = 1,
+ SIDGROUP,
+ SIDCREATOR_OWNER,
+ SIDCREATOR_GROUP,
+ SIDUNIX_USER,
+ SIDUNIX_GROUP,
+ SIDNFS_USER,
+ SIDNFS_GROUP,
+ SIDNFS_MODE,
+};
/* Revision for ACLs */
#define SD_REVISION 1
From patchwork Mon Nov 14 12:51:05 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Jason Yan <yanaijie(a)huawei.com>
X-Patchwork-Id: 183253
From: Jason Yan <yanaijie(a)huawei.com>
To: <yanaijie(a)huawei.com>, <zhengzengkai(a)huawei.com>, <xiexiuqi(a)huawei.com>,
<yi.zhang(a)huawei.com>, <patchwork(a)huawei.com>, <kernel.openeuler(a)huawei.com>,
<houtao1(a)huawei.com>
Subject: [PATCH OLK-5.10 v2 156/308] ksmbd: change server state type macro to
enumeration
Date: Mon, 14 Nov 2022 20:51:05 +0800
Message-ID: <20221114125337.1831594-157-yanaijie(a)huawei.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20221114125337.1831594-1-yanaijie(a)huawei.com>
References: <20221114125337.1831594-1-yanaijie(a)huawei.com>
Content-Type: text/plain
From: Namjae Jeon <namjae.jeon(a)samsung.com>
mainline inclusion
from mainline-5.15-rc1
commit b9cbfb524d73ca953604dc421098b4a3aa14d095
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G
CVE: NA
Reference: https://git.kernel.org/torvalds/linux/c/b9cbfb524d73
-------------------------------
Change server state type macro to enumeration.
Reviewed-by: Christoph Hellwig <hch(a)lst.de>
Signed-off-by: Namjae Jeon <namjae.jeon(a)samsung.com>
Signed-off-by: Steve French <stfrench(a)microsoft.com>
Signed-off-by: Jason Yan <yanaijie(a)huawei.com>
---
fs/ksmbd/server.h | 13 +++++++++----
1 file changed, 9 insertions(+), 4 deletions(-)
diff --git a/fs/ksmbd/server.h b/fs/ksmbd/server.h
index b682d28963e8..2fce06e8b833 100644
--- a/fs/ksmbd/server.h
+++ b/fs/ksmbd/server.h
@@ -8,10 +8,15 @@
#include "smbacl.h"
-#define SERVER_STATE_STARTING_UP 0
-#define SERVER_STATE_RUNNING 1
-#define SERVER_STATE_RESETTING 2
-#define SERVER_STATE_SHUTTING_DOWN 3
+/*
+ * Server state type
+ */
+enum {
+ SERVER_STATE_STARTING_UP,
+ SERVER_STATE_RUNNING,
+ SERVER_STATE_RESETTING,
+ SERVER_STATE_SHUTTING_DOWN,
+};
#define SERVER_CONF_NETBIOS_NAME 0
#define SERVER_CONF_SERVER_STRING 1
From patchwork Mon Nov 14 12:51:06 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Jason Yan <yanaijie(a)huawei.com>
X-Patchwork-Id: 183254
From: Jason Yan <yanaijie(a)huawei.com>
To: <yanaijie(a)huawei.com>, <zhengzengkai(a)huawei.com>, <xiexiuqi(a)huawei.com>,
<yi.zhang(a)huawei.com>, <patchwork(a)huawei.com>, <kernel.openeuler(a)huawei.com>,
<houtao1(a)huawei.com>
Subject: [PATCH OLK-5.10 v2 157/308] ksmbd: change server config string index
to enumeration
Date: Mon, 14 Nov 2022 20:51:06 +0800
Message-ID: <20221114125337.1831594-158-yanaijie(a)huawei.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20221114125337.1831594-1-yanaijie(a)huawei.com>
References: <20221114125337.1831594-1-yanaijie(a)huawei.com>
Content-Type: text/plain
From: Namjae Jeon <namjae.jeon(a)samsung.com>
mainline inclusion
from mainline-5.15-rc1
commit c63ee4a521e766da6ec5ee1d2058d1ec06216214
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G
CVE: NA
Reference: https://git.kernel.org/torvalds/linux/c/c63ee4a521e7
-------------------------------
Change server config string index to enumeration.
Reviewed-by: Christoph Hellwig <hch(a)lst.de>
Signed-off-by: Namjae Jeon <namjae.jeon(a)samsung.com>
Signed-off-by: Steve French <stfrench(a)microsoft.com>
Signed-off-by: Jason Yan <yanaijie(a)huawei.com>
---
fs/ksmbd/server.h | 11 ++++++++---
1 file changed, 8 insertions(+), 3 deletions(-)
diff --git a/fs/ksmbd/server.h b/fs/ksmbd/server.h
index 2fce06e8b833..ac9d932f8c8a 100644
--- a/fs/ksmbd/server.h
+++ b/fs/ksmbd/server.h
@@ -18,9 +18,14 @@ enum {
SERVER_STATE_SHUTTING_DOWN,
};
-#define SERVER_CONF_NETBIOS_NAME 0
-#define SERVER_CONF_SERVER_STRING 1
-#define SERVER_CONF_WORK_GROUP 2
+/*
+ * Server global config string index
+ */
+enum {
+ SERVER_CONF_NETBIOS_NAME,
+ SERVER_CONF_SERVER_STRING,
+ SERVER_CONF_WORK_GROUP,
+};
struct ksmbd_server_config {
unsigned int flags;
From patchwork Mon Nov 14 12:51:07 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Jason Yan <yanaijie(a)huawei.com>
X-Patchwork-Id: 183255
From: Jason Yan <yanaijie(a)huawei.com>
To: <yanaijie(a)huawei.com>, <zhengzengkai(a)huawei.com>, <xiexiuqi(a)huawei.com>,
<yi.zhang(a)huawei.com>, <patchwork(a)huawei.com>, <kernel.openeuler(a)huawei.com>,
<houtao1(a)huawei.com>
Subject: [PATCH OLK-5.10 v2 158/308] ksmbd: reorder and document on-disk and
netlink structures in headers
Date: Mon, 14 Nov 2022 20:51:07 +0800
Message-ID: <20221114125337.1831594-159-yanaijie(a)huawei.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20221114125337.1831594-1-yanaijie(a)huawei.com>
References: <20221114125337.1831594-1-yanaijie(a)huawei.com>
Content-Type: text/plain
From: Namjae Jeon <namjae.jeon(a)samsung.com>
mainline inclusion
from mainline-5.15-rc1
commit 8b758859dfbe9598ba41e8b9b01e44edcc0c2fc1
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G
CVE: NA
Reference: https://git.kernel.org/torvalds/linux/c/8b758859dfbe
-------------------------------
Reorder and document on-disk and netlink structures in headers.
This is a userspace ABI to communicate data between ksmbd and user IPC
daemon using netlink. This is added to track and cache user account DB
and share configuration info from userspace.
- KSMBD_EVENT_HEARTBEAT_REQUEST(ksmbd_heartbeat)
This event is to check whether user IPC daemon is alive. If user IPC
daemon is dead, ksmbd keeps existing connection till disconnecting and
new connection will be denied.
- KSMBD_EVENT_STARTING_UP(ksmbd_startup_request)
This event is to receive the information that initializes the ksmbd
server from the user IPC daemon and to start the server. The global
section parameters are given from smb.conf as initialization
information.
- KSMBD_EVENT_SHUTTING_DOWN(ksmbd_shutdown_request)
This event is to shutdown ksmbd server.
- KSMBD_EVENT_LOGIN_REQUEST/RESPONSE(ksmbd_login_request/response)
This event is to get user account info to user IPC daemon.
- KSMBD_EVENT_SHARE_CONFIG_REQUEST/RESPONSE
(ksmbd_share_config_request/response)
This event is to get net share configuration info.
- KSMBD_EVENT_TREE_CONNECT_REQUEST/RESPONSE
(ksmbd_tree_connect_request/response)
This event is to get session and tree connect info.
- KSMBD_EVENT_TREE_DISCONNECT_REQUEST(ksmbd_tree_disconnect_request)
This event is to send tree disconnect info to user IPC daemon.
- KSMBD_EVENT_LOGOUT_REQUEST(ksmbd_logout_request)
This event is to send logout request to user IPC daemon.
- KSMBD_EVENT_RPC_REQUEST/RESPONSE(ksmbd_rpc_command)
This event is to make DCE/RPC request like srvsvc, wkssvc, lsarpc,
samr to be processed in userspace.
- KSMBD_EVENT_SPNEGO_AUTHEN_REQUEST/RESPONSE
(ksmbd_spnego_authen_request/response)
This event is to make kerberos authentication to be processed in
userspace.
Reviewed-by: Christoph Hellwig <hch(a)lst.de>
Signed-off-by: Namjae Jeon <namjae.jeon(a)samsung.com>
Signed-off-by: Steve French <stfrench(a)microsoft.com>
Signed-off-by: Jason Yan <yanaijie(a)huawei.com>
---
fs/ksmbd/{ksmbd_server.h => ksmbd_netlink.h} | 177 +++++++++++++++----
fs/ksmbd/ksmbd_work.c | 1 -
fs/ksmbd/mgmt/tree_connect.h | 2 +-
fs/ksmbd/smb2ops.c | 1 -
fs/ksmbd/smbacl.c | 1 -
fs/ksmbd/vfs.h | 87 +--------
fs/ksmbd/xattr.h | 122 +++++++++++++
7 files changed, 269 insertions(+), 122 deletions(-)
rename fs/ksmbd/{ksmbd_server.h => ksmbd_netlink.h} (55%)
create mode 100644 fs/ksmbd/xattr.h
diff --git a/fs/ksmbd/ksmbd_server.h b/fs/ksmbd/ksmbd_netlink.h
similarity index 55%
rename from fs/ksmbd/ksmbd_server.h
rename to fs/ksmbd/ksmbd_netlink.h
index 55b7602b79bd..2fbe2bc1e093 100644
--- a/fs/ksmbd/ksmbd_server.h
+++ b/fs/ksmbd/ksmbd_netlink.h
@@ -10,6 +10,49 @@
#include <linux/types.h>
+/*
+ * This is a userspace ABI to communicate data between ksmbd and user IPC
+ * daemon using netlink. This is added to track and cache user account DB
+ * and share configuration info from userspace.
+ *
+ * - KSMBD_EVENT_HEARTBEAT_REQUEST(ksmbd_heartbeat)
+ * This event is to check whether user IPC daemon is alive. If user IPC
+ * daemon is dead, ksmbd keep existing connection till disconnecting and
+ * new connection will be denied.
+ *
+ * - KSMBD_EVENT_STARTING_UP(ksmbd_startup_request)
+ * This event is to receive the information that initializes the ksmbd
+ * server from the user IPC daemon and to start the server. The global
+ * section parameters are given from smb.conf as initialization
+ * information.
+ *
+ * - KSMBD_EVENT_SHUTTING_DOWN(ksmbd_shutdown_request)
+ * This event is to shutdown ksmbd server.
+ *
+ * - KSMBD_EVENT_LOGIN_REQUEST/RESPONSE(ksmbd_login_request/response)
+ * This event is to get user account info to user IPC daemon.
+ *
+ * - KSMBD_EVENT_SHARE_CONFIG_REQUEST/RESPONSE(ksmbd_share_config_request/response)
+ * This event is to get net share configuration info.
+ *
+ * - KSMBD_EVENT_TREE_CONNECT_REQUEST/RESPONSE(ksmbd_tree_connect_request/response)
+ * This event is to get session and tree connect info.
+ *
+ * - KSMBD_EVENT_TREE_DISCONNECT_REQUEST(ksmbd_tree_disconnect_request)
+ * This event is to send tree disconnect info to user IPC daemon.
+ *
+ * - KSMBD_EVENT_LOGOUT_REQUEST(ksmbd_logout_request)
+ * This event is to send logout request to user IPC daemon.
+ *
+ * - KSMBD_EVENT_RPC_REQUEST/RESPONSE(ksmbd_rpc_command)
+ * This event is to make DCE/RPC request like srvsvc, wkssvc, lsarpc,
+ * samr to be processed in userspace.
+ *
+ * - KSMBD_EVENT_SPNEGO_AUTHEN_REQUEST/RESPONSE(ksmbd_spnego_authen_request/response)
+ * This event is to make kerberos authentication to be processed in
+ * userspace.
+ */
+
#define KSMBD_GENL_NAME "SMBD_GENL"
#define KSMBD_GENL_VERSION 0x01
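Review bot: in the new ABI comment, the KSMBD_EVENT_LOGIN_REQUEST/RESPONSE entry says "This event is to get user account info to user IPC daemon", which reads as if account data flows towards the daemon; "from" looks like what is meant. More generally the list never states which side sends each event, and for a block introduced as the userspace ABI description that direction should be spelled out per entry. The heartbeat entry also has a grammar slip ("ksmbd keep existing connection till disconnecting").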
@@ -17,6 +60,9 @@
#define KSMBD_REQ_MAX_HASH_SZ 18
#define KSMBD_REQ_MAX_SHARE_NAME 64
+/*
+ * IPC heartbeat frame to check whether user IPC daemon is alive.
+ */
struct ksmbd_heartbeat {
__u32 handle;
};
@@ -29,53 +75,79 @@ struct ksmbd_heartbeat {
#define KSMBD_GLOBAL_FLAG_SMB2_ENCRYPTION BIT(1)
#define KSMBD_GLOBAL_FLAG_SMB3_MULTICHANNEL BIT(2)
+/*
+ * IPC request for ksmbd server startup
+ */
struct ksmbd_startup_request {
- __u32 flags;
- __s32 signing;
- __s8 min_prot[16];
- __s8 max_prot[16];
+ __u32 flags; /* Flags for global config */
+ __s32 signing; /* Signing enabled */
+ __s8 min_prot[16]; /* The minimum SMB protocol version */
+ __s8 max_prot[16]; /* The maximum SMB protocol version */
__s8 netbios_name[16];
- __s8 work_group[64];
- __s8 server_string[64];
- __u16 tcp_port;
- __u16 ipc_timeout;
- __u32 deadtime;
- __u32 file_max;
- __u32 smb2_max_write;
- __u32 smb2_max_read;
- __u32 smb2_max_trans;
- __u32 share_fake_fscaps;
- __u32 sub_auth[3];
- __u32 ifc_list_sz;
+ __s8 work_group[64]; /* Workgroup */
+ __s8 server_string[64]; /* Server string */
+ __u16 tcp_port; /* tcp port */
+ __u16 ipc_timeout; /*
+ * specifies the number of seconds
+ * server will wait for the userspace to
+ * reply to heartbeat frames.
+ */
+ __u32 deadtime; /* Number of minutes of inactivity */
+ __u32 file_max; /* Limits the maximum number of open files */
+ __u32 smb2_max_write; /* MAX write size */
+ __u32 smb2_max_read; /* MAX read size */
+ __u32 smb2_max_trans; /* MAX trans size */
+ __u32 share_fake_fscaps; /*
+ * Support some special application that
+ * makes QFSINFO calls to check whether
+ * we set the SPARSE_FILES bit (0x40).
+ */
+ __u32 sub_auth[3]; /* Subauth value for Security ID */
+ __u32 ifc_list_sz; /* interfaces list size */
__s8 ____payload[];
};
#define KSMBD_STARTUP_CONFIG_INTERFACES(s) ((s)->____payload)
+/*
+ * IPC request to shutdown ksmbd server.
+ */
struct ksmbd_shutdown_request {
__s32 reserved;
};
+/*
+ * IPC user login request.
+ */
struct ksmbd_login_request {
__u32 handle;
- __s8 account[KSMBD_REQ_MAX_ACCOUNT_NAME_SZ];
+ __s8 account[KSMBD_REQ_MAX_ACCOUNT_NAME_SZ]; /* user account name */
};
+/*
+ * IPC user login response.
+ */
struct ksmbd_login_response {
__u32 handle;
- __u32 gid;
- __u32 uid;
- __s8 account[KSMBD_REQ_MAX_ACCOUNT_NAME_SZ];
+ __u32 gid; /* group id */
+ __u32 uid; /* user id */
+ __s8 account[KSMBD_REQ_MAX_ACCOUNT_NAME_SZ]; /* user account name */
__u16 status;
- __u16 hash_sz;
- __s8 hash[KSMBD_REQ_MAX_HASH_SZ];
+ __u16 hash_sz; /* hash size */
+ __s8 hash[KSMBD_REQ_MAX_HASH_SZ]; /* password hash */
};
+/*
+ * IPC request to fetch net share config.
+ */
struct ksmbd_share_config_request {
__u32 handle;
- __s8 share_name[KSMBD_REQ_MAX_SHARE_NAME];
+ __s8 share_name[KSMBD_REQ_MAX_SHARE_NAME]; /* share name */
};
+/*
+ * IPC response to the net share config request.
+ */
struct ksmbd_share_config_response {
__u32 handle;
__u32 flags;
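Review bot: `__u16 status;` in struct ksmbd_login_response is the one member of that struct left without a comment, although it is the field a reader most needs explained (which values it can take and where they are defined). Add a comment for it, and consider making the one on `hash` more specific than "password hash", since `hash_sz` and KSMBD_REQ_MAX_HASH_SZ suggest the format matters to the consumer.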
@@ -102,6 +174,10 @@ ksmbd_share_config_path(struct ksmbd_share_config_response *sc)
return p;
}
+/*
+ * IPC request for tree connection. This request include session and tree
+ * connect info from client.
+ */
struct ksmbd_tree_connect_request {
__u32 handle;
__u16 account_flags;
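Review bot: grammar in the new comment above struct ksmbd_tree_connect_request: "This request include session and tree connect info" should read "This request includes ...". A short comment on `account_flags` would also match the per-field style used in the earlier structs.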
@@ -113,21 +189,34 @@ struct ksmbd_tree_connect_request {
__s8 peer_addr[64];
};
+/*
+ * IPC Response structure for tree connection.
+ */
struct ksmbd_tree_connect_response {
__u32 handle;
__u16 status;
__u16 connection_flags;
};
+/*
+ * IPC Request struture to disconnect tree connection.
+ */
struct ksmbd_tree_disconnect_request {
- __u64 session_id;
- __u64 connect_id;
+ __u64 session_id; /* session id */
+ __u64 connect_id; /* tree connection id */
};
+/*
+ * IPC Response structure to logout user account.
+ */
struct ksmbd_logout_request {
- __s8 account[KSMBD_REQ_MAX_ACCOUNT_NAME_SZ];
+ __s8 account[KSMBD_REQ_MAX_ACCOUNT_NAME_SZ]; /* user account name */
};
+/*
+ * RPC command structure to send rpc request like srvsvc or wkssvc to
+ * IPC user daemon.
+ */
struct ksmbd_rpc_command {
__u32 handle;
__u32 flags;
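Review bot: the comment added above struct ksmbd_logout_request says "IPC Response structure to logout user account", but the struct is a request; it should read "IPC request to logout user account". The comment above struct ksmbd_tree_disconnect_request also has a typo, "struture" for "structure", and the capitalisation ("IPC Response structure", "IPC Request struture", "IPC request to ...") is inconsistent across this file.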
@@ -135,18 +224,36 @@ struct ksmbd_rpc_command {
__u8 payload[];
};
+/*
+ * IPC Request Kerberos authentication
+ */
struct ksmbd_spnego_authen_request {
__u32 handle;
- __u16 spnego_blob_len;
- __u8 spnego_blob[0];
+ __u16 spnego_blob_len; /* the length of spnego_blob */
+ __u8 spnego_blob[0]; /*
+ * the GSS token from SecurityBuffer of
+ * SMB2 SESSION SETUP request
+ */
};
+/*
+ * Response data which includes the GSS token and the session key generated by
+ * user daemon.
+ */
struct ksmbd_spnego_authen_response {
__u32 handle;
- struct ksmbd_login_response login_response;
- __u16 session_key_len;
- __u16 spnego_blob_len;
- __u8 payload[]; /* session key + AP_REP */
+ struct ksmbd_login_response login_response; /*
+ * the login response with
+ * a user identified by the
+ * GSS token from a client
+ */
+ __u16 session_key_len; /* the length of the session key */
+ __u16 spnego_blob_len; /*
+ * the length of the GSS token which will be
+ * stored in SecurityBuffer of SMB2 SESSION
+ * SETUP response
+ */
+ __u8 payload[]; /* session key + AP_REP */
};
/*
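Review bot: `__u8 spnego_blob[0];` in struct ksmbd_spnego_authen_request is carried over as a zero-length array while the other trailing buffers in this header (`__u8 payload[];`, `__s8 ____payload[];`) are C99 flexible array members. Since the line is being touched anyway, change it to `spnego_blob[]` so bounds checking tools treat all of them the same way. The struct comment "IPC Request Kerberos authentication" is also missing a verb ("IPC request for Kerberos authentication").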
@@ -185,6 +292,9 @@ enum ksmbd_event {
KSMBD_EVENT_MAX
};
+/*
+ * Enumeration for IPC tree connect status.
+ */
enum KSMBD_TREE_CONN_STATUS {
KSMBD_TREE_CONN_STATUS_OK = 0,
KSMBD_TREE_CONN_STATUS_NOMEM,
@@ -262,6 +372,9 @@ enum KSMBD_TREE_CONN_STATUS {
#define KSMBD_RPC_LSARPC_METHOD_INVOKE BIT(11)
#define KSMBD_RPC_LSARPC_METHOD_RETURN (KSMBD_RPC_LSARPC_METHOD_INVOKE | KSMBD_RPC_METHOD_RETURN)
+/*
+ * RPC status definitions.
+ */
#define KSMBD_RPC_OK 0
#define KSMBD_RPC_EBAD_FUNC 0x00000001
#define KSMBD_RPC_EACCESS_DENIED 0x00000005
diff --git a/fs/ksmbd/ksmbd_work.c b/fs/ksmbd/ksmbd_work.c
index 7c914451bbe1..fd58eb4809f6 100644
--- a/fs/ksmbd/ksmbd_work.c
+++ b/fs/ksmbd/ksmbd_work.c
@@ -12,7 +12,6 @@
#include "connection.h"
#include "ksmbd_work.h"
#include "mgmt/ksmbd_ida.h"
-#include "ksmbd_server.h"
static struct kmem_cache *work_cache;
static struct workqueue_struct *ksmbd_wq;
diff --git a/fs/ksmbd/mgmt/tree_connect.h b/fs/ksmbd/mgmt/tree_connect.h
index 4e40ec3f4774..18e2a996e0aa 100644
--- a/fs/ksmbd/mgmt/tree_connect.h
+++ b/fs/ksmbd/mgmt/tree_connect.h
@@ -8,7 +8,7 @@
#include <linux/hashtable.h>
-#include "../ksmbd_server.h"
+#include "../ksmbd_netlink.h"
struct ksmbd_share_config;
struct ksmbd_user;
diff --git a/fs/ksmbd/smb2ops.c b/fs/ksmbd/smb2ops.c
index f7e5f21d4ae2..8262908e467c 100644
--- a/fs/ksmbd/smb2ops.c
+++ b/fs/ksmbd/smb2ops.c
@@ -12,7 +12,6 @@
#include "connection.h"
#include "smb_common.h"
#include "server.h"
-#include "ksmbd_server.h"
static struct smb_version_values smb21_server_values = {
.version_string = SMB21_VERSION_STRING,
diff --git a/fs/ksmbd/smbacl.c b/fs/ksmbd/smbacl.c
index 958937a548a1..d385c7045cc0 100644
--- a/fs/ksmbd/smbacl.c
+++ b/fs/ksmbd/smbacl.c
@@ -14,7 +14,6 @@
#include "smb_common.h"
#include "server.h"
#include "misc.h"
-#include "ksmbd_server.h"
#include "mgmt/share_config.h"
static const struct smb_sid domain = {1, 4, {0, 0, 0, 0, 0, 5},
diff --git a/fs/ksmbd/vfs.h b/fs/ksmbd/vfs.h
index ba12fea004b5..e30174a0e5a1 100644
--- a/fs/ksmbd/vfs.h
+++ b/fs/ksmbd/vfs.h
@@ -14,92 +14,7 @@
#include <linux/posix_acl.h>
#include "smbacl.h"
-
-/* STREAM XATTR PREFIX */
-#define STREAM_PREFIX "DosStream."
-#define STREAM_PREFIX_LEN (sizeof(STREAM_PREFIX) - 1)
-#define XATTR_NAME_STREAM (XATTR_USER_PREFIX STREAM_PREFIX)
-#define XATTR_NAME_STREAM_LEN (sizeof(XATTR_NAME_STREAM) - 1)
-
-enum {
- XATTR_DOSINFO_ATTRIB = 0x00000001,
- XATTR_DOSINFO_EA_SIZE = 0x00000002,
- XATTR_DOSINFO_SIZE = 0x00000004,
- XATTR_DOSINFO_ALLOC_SIZE = 0x00000008,
- XATTR_DOSINFO_CREATE_TIME = 0x00000010,
- XATTR_DOSINFO_CHANGE_TIME = 0x00000020,
- XATTR_DOSINFO_ITIME = 0x00000040
-};
-
-struct xattr_dos_attrib {
- __u16 version;
- __u32 flags;
- __u32 attr;
- __u32 ea_size;
- __u64 size;
- __u64 alloc_size;
- __u64 create_time;
- __u64 change_time;
- __u64 itime;
-};
-
-/* DOS ATTRIBUITE XATTR PREFIX */
-#define DOS_ATTRIBUTE_PREFIX "DOSATTRIB"
-#define DOS_ATTRIBUTE_PREFIX_LEN (sizeof(DOS_ATTRIBUTE_PREFIX) - 1)
-#define XATTR_NAME_DOS_ATTRIBUTE \
- (XATTR_USER_PREFIX DOS_ATTRIBUTE_PREFIX)
-#define XATTR_NAME_DOS_ATTRIBUTE_LEN \
- (sizeof(XATTR_USER_PREFIX DOS_ATTRIBUTE_PREFIX) - 1)
-
-#define XATTR_SD_HASH_TYPE_SHA256 0x1
-#define XATTR_SD_HASH_SIZE 64
-
-#define SMB_ACL_READ 4
-#define SMB_ACL_WRITE 2
-#define SMB_ACL_EXECUTE 1
-
-enum {
- SMB_ACL_TAG_INVALID = 0,
- SMB_ACL_USER,
- SMB_ACL_USER_OBJ,
- SMB_ACL_GROUP,
- SMB_ACL_GROUP_OBJ,
- SMB_ACL_OTHER,
- SMB_ACL_MASK
-};
-
-struct xattr_acl_entry {
- int type;
- uid_t uid;
- gid_t gid;
- mode_t perm;
-};
-
-struct xattr_smb_acl {
- int count;
- int next;
- struct xattr_acl_entry entries[0];
-};
-
-struct xattr_ntacl {
- __u16 version;
- void *sd_buf;
- __u32 sd_size;
- __u16 hash_type;
- __u8 desc[10];
- __u16 desc_len;
- __u64 current_time;
- __u8 hash[XATTR_SD_HASH_SIZE];
- __u8 posix_acl_hash[XATTR_SD_HASH_SIZE];
-};
-
-/* SECURITY DESCRIPTOR XATTR PREFIX */
-#define SD_PREFIX "NTACL"
-#define SD_PREFIX_LEN (sizeof(SD_PREFIX) - 1)
-#define XATTR_NAME_SD \
- (XATTR_SECURITY_PREFIX SD_PREFIX)
-#define XATTR_NAME_SD_LEN \
- (sizeof(XATTR_SECURITY_PREFIX SD_PREFIX) - 1)
+#include "xattr.h"
/*
* Enumeration for stream type.
diff --git a/fs/ksmbd/xattr.h b/fs/ksmbd/xattr.h
new file mode 100644
index 000000000000..8857c01093d9
--- /dev/null
+++ b/fs/ksmbd/xattr.h
@@ -0,0 +1,122 @@
+/* SPDX-License-Identifier: GPL-2.0-or-later */
+/*
+ * Copyright (C) 2021 Samsung Electronics Co., Ltd.
+ */
+
+#ifndef __XATTR_H__
+#define __XATTR_H__
+
+/*
+ * These are on-disk structures to store additional metadata into xattr to
+ * reproduce windows filesystem semantics. And they are encoded with NDR to
+ * compatible with samba's xattr meta format. The compatibility with samba
+ * is important because it can lose the information(file attribute,
+ * creation time, acls) about the existing files when switching between
+ * ksmbd and samba.
+ */
+
+/*
+ * Dos attribute flags used for what variable is valid.
+ */
+enum {
+ XATTR_DOSINFO_ATTRIB = 0x00000001,
+ XATTR_DOSINFO_EA_SIZE = 0x00000002,
+ XATTR_DOSINFO_SIZE = 0x00000004,
+ XATTR_DOSINFO_ALLOC_SIZE = 0x00000008,
+ XATTR_DOSINFO_CREATE_TIME = 0x00000010,
+ XATTR_DOSINFO_CHANGE_TIME = 0x00000020,
+ XATTR_DOSINFO_ITIME = 0x00000040
+};
+
+/*
+ * Dos attribute structure which is compatible with samba's one.
+ * Storing it into the xattr named "DOSATTRIB" separately from inode
+ * allows ksmbd to faithfully reproduce windows filesystem semantics
+ * on top of a POSIX filesystem.
+ */
+struct xattr_dos_attrib {
+ __u16 version; /* version 3 or version 4 */
+ __u32 flags; /* valid flags */
+ __u32 attr; /* Dos attribute */
+ __u32 ea_size; /* EA size */
+ __u64 size;
+ __u64 alloc_size;
+ __u64 create_time; /* File creation time */
+ __u64 change_time; /* File change time */
+ __u64 itime; /* Invented/Initial time */
+};
+
+/*
+ * Enumeration is used for computing posix acl hash.
+ */
+enum {
+ SMB_ACL_TAG_INVALID = 0,
+ SMB_ACL_USER,
+ SMB_ACL_USER_OBJ,
+ SMB_ACL_GROUP,
+ SMB_ACL_GROUP_OBJ,
+ SMB_ACL_OTHER,
+ SMB_ACL_MASK
+};
+
+#define SMB_ACL_READ 4
+#define SMB_ACL_WRITE 2
+#define SMB_ACL_EXECUTE 1
+
+struct xattr_acl_entry {
+ int type;
+ uid_t uid;
+ gid_t gid;
+ mode_t perm;
+};
+
+/*
+ * xattr_smb_acl structure is used for computing posix acl hash.
+ */
+struct xattr_smb_acl {
+ int count;
+ int next;
+ struct xattr_acl_entry entries[0];
+};
+
+/* 64bytes hash in xattr_ntacl is computed with sha256 */
+#define XATTR_SD_HASH_TYPE_SHA256 0x1
+#define XATTR_SD_HASH_SIZE 64
+
+/*
+ * xattr_ntacl is used for storing ntacl and hashes.
+ * Hash is used for checking valid posix acl and ntacl in xattr.
+ */
+struct xattr_ntacl {
+ __u16 version; /* version 4*/
+ void *sd_buf;
+ __u32 sd_size;
+ __u16 hash_type; /* hash type */
+ __u8 desc[10]; /* posix_acl description */
+ __u16 desc_len;
+ __u64 current_time;
+ __u8 hash[XATTR_SD_HASH_SIZE]; /* 64bytes hash for ntacl */
+ __u8 posix_acl_hash[XATTR_SD_HASH_SIZE]; /* 64bytes hash for posix acl */
+};
+
+/* DOS ATTRIBUITE XATTR PREFIX */
+#define DOS_ATTRIBUTE_PREFIX "DOSATTRIB"
+#define DOS_ATTRIBUTE_PREFIX_LEN (sizeof(DOS_ATTRIBUTE_PREFIX) - 1)
+#define XATTR_NAME_DOS_ATTRIBUTE (XATTR_USER_PREFIX DOS_ATTRIBUTE_PREFIX)
+#define XATTR_NAME_DOS_ATTRIBUTE_LEN \
+ (sizeof(XATTR_USER_PREFIX DOS_ATTRIBUTE_PREFIX) - 1)
+
+/* STREAM XATTR PREFIX */
+#define STREAM_PREFIX "DosStream."
+#define STREAM_PREFIX_LEN (sizeof(STREAM_PREFIX) - 1)
+#define XATTR_NAME_STREAM (XATTR_USER_PREFIX STREAM_PREFIX)
+#define XATTR_NAME_STREAM_LEN (sizeof(XATTR_NAME_STREAM) - 1)
+
+/* SECURITY DESCRIPTOR(NTACL) XATTR PREFIX */
+#define SD_PREFIX "NTACL"
+#define SD_PREFIX_LEN (sizeof(SD_PREFIX) - 1)
+#define XATTR_NAME_SD (XATTR_SECURITY_PREFIX SD_PREFIX)
+#define XATTR_NAME_SD_LEN \
+ (sizeof(XATTR_SECURITY_PREFIX SD_PREFIX) - 1)
+
+#endif /* __XATTR_H__ */
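Review bot: the file comment calls everything here "on-disk structures" that are "encoded with NDR", but struct xattr_ntacl contains `void *sd_buf` and struct xattr_acl_entry uses `int`, `uid_t`, `gid_t` and `mode_t`, so these are in-memory representations that get encoded, not the stored layout. Reword the comment to say so, otherwise a reader may assume the structs can be read from or written to an xattr directly. The comment "64bytes hash in xattr_ntacl is computed with sha256" is also misleading, because a SHA-256 digest is 32 bytes; say that XATTR_SD_HASH_SIZE is the size of the buffer. Smaller points: "DOS ATTRIBUITE" is a typo carried over from vfs.h, `entries[0]` should be `entries[]`, and `__XATTR_H__` is a generic guard name for a header private to ksmbd.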
From patchwork Mon Nov 14 12:51:08 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Jason Yan <yanaijie(a)huawei.com>
X-Patchwork-Id: 183256
From: Jason Yan <yanaijie(a)huawei.com>
To: <yanaijie(a)huawei.com>, <zhengzengkai(a)huawei.com>, <xiexiuqi(a)huawei.com>,
<yi.zhang(a)huawei.com>, <patchwork(a)huawei.com>, <kernel.openeuler(a)huawei.com>,
<houtao1(a)huawei.com>
Subject: [PATCH OLK-5.10 v2 159/308] ksmbd: replace struct dentry with struct
path in some function's arguments
Date: Mon, 14 Nov 2022 20:51:08 +0800
Message-ID: <20221114125337.1831594-160-yanaijie(a)huawei.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20221114125337.1831594-1-yanaijie(a)huawei.com>
References: <20221114125337.1831594-1-yanaijie(a)huawei.com>
Content-Type: text/plain
From: Hyunchul Lee <hyc.lee(a)gmail.com>
mainline inclusion
from mainline-5.15-rc1
commit ef24c962d0f29036041a007a75bcd0f50233c83e
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G
CVE: NA
Reference: https://git.kernel.org/torvalds/linux/c/ef24c962d0f2
-------------------------------
For user namespace support, we need to pass
struct user_namespace with struct dentry
to some functions. For reducing the number
of arguments, replace the struct dentry with
struct path in these functions.
Reviewed-by: Christoph Hellwig <hch(a)lst.de>
Signed-off-by: Hyunchul Lee <hyc.lee(a)gmail.com>
Signed-off-by: Namjae Jeon <namjae.jeon(a)samsung.com>
Signed-off-by: Steve French <stfrench(a)microsoft.com>
Signed-off-by: Jason Yan <yanaijie(a)huawei.com>
---
fs/ksmbd/smb2pdu.c | 21 +++++++++++----------
fs/ksmbd/smbacl.c | 25 +++++++++++++------------
fs/ksmbd/smbacl.h | 6 +++---
3 files changed, 27 insertions(+), 25 deletions(-)
diff --git a/fs/ksmbd/smb2pdu.c b/fs/ksmbd/smb2pdu.c
index bf798ee65b25..d79ea3eb57a7 100644
--- a/fs/ksmbd/smb2pdu.c
+++ b/fs/ksmbd/smb2pdu.c
@@ -2172,13 +2172,13 @@ static noinline int smb2_set_stream_name_xattr(struct path *path,
return 0;
}
-static int smb2_remove_smb_xattrs(struct dentry *dentry)
+static int smb2_remove_smb_xattrs(struct path *path)
{
char *name, *xattr_list = NULL;
ssize_t xattr_list_len;
int err = 0;
- xattr_list_len = ksmbd_vfs_listxattr(dentry, &xattr_list);
+ xattr_list_len = ksmbd_vfs_listxattr(path->dentry, &xattr_list);
if (xattr_list_len < 0) {
goto out;
} else if (!xattr_list_len) {
@@ -2196,7 +2196,7 @@ static int smb2_remove_smb_xattrs(struct dentry *dentry)
strncmp(&name[XATTR_USER_PREFIX_LEN], STREAM_PREFIX, STREAM_PREFIX_LEN))
continue;
- err = ksmbd_vfs_remove_xattr(dentry, name);
+ err = ksmbd_vfs_remove_xattr(path->dentry, name);
if (err)
ksmbd_debug(SMB, "remove xattr failed : %s\n", name);
}
@@ -2214,7 +2214,7 @@ static int smb2_create_truncate(struct path *path)
return rc;
}
- rc = smb2_remove_smb_xattrs(path->dentry);
+ rc = smb2_remove_smb_xattrs(path);
if (rc == -EOPNOTSUPP)
rc = 0;
if (rc)
@@ -2305,7 +2305,7 @@ static int smb2_creat(struct ksmbd_work *work, struct path *path, char *name,
static int smb2_create_sd_buffer(struct ksmbd_work *work,
struct smb2_create_req *req,
- struct dentry *dentry)
+ struct path *path)
{
struct create_context *context;
int rc = -ENOENT;
@@ -2321,7 +2321,8 @@ static int smb2_create_sd_buffer(struct ksmbd_work *work,
ksmbd_debug(SMB,
"Set ACLs using SMB2_CREATE_SD_BUFFER context\n");
sd_buf = (struct create_sd_buf_req *)context;
- rc = set_info_sec(work->conn, work->tcon, dentry, &sd_buf->ntsd,
+ rc = set_info_sec(work->conn, work->tcon,
+ path, &sd_buf->ntsd,
le32_to_cpu(sd_buf->ccontext.DataLength), true);
}
@@ -2684,7 +2685,7 @@ int smb2_open(struct ksmbd_work *work)
daccess = smb_map_generic_desired_access(req->DesiredAccess);
if (file_present && !(req->CreateOptions & FILE_DELETE_ON_CLOSE_LE)) {
- rc = smb_check_perm_dacl(conn, path.dentry, &daccess,
+ rc = smb_check_perm_dacl(conn, &path, &daccess,
sess->user->uid);
if (rc)
goto err_out;
@@ -2814,12 +2815,12 @@ int smb2_open(struct ksmbd_work *work)
if (test_share_config_flag(work->tcon->share_conf,
KSMBD_SHARE_FLAG_ACL_XATTR)) {
- rc = smb_inherit_dacl(conn, path.dentry, sess->user->uid,
+ rc = smb_inherit_dacl(conn, &path, sess->user->uid,
sess->user->gid);
}
if (rc) {
- rc = smb2_create_sd_buffer(work, req, path.dentry);
+ rc = smb2_create_sd_buffer(work, req, &path);
if (rc) {
if (posix_acl_rc)
ksmbd_vfs_set_init_posix_acl(inode);
@@ -5719,7 +5720,7 @@ static int smb2_set_info_sec(struct ksmbd_file *fp, int addition_info,
fp->saccess |= FILE_SHARE_DELETE_LE;
- return set_info_sec(fp->conn, fp->tcon, fp->filp->f_path.dentry, pntsd,
+ return set_info_sec(fp->conn, fp->tcon, &fp->filp->f_path, pntsd,
buf_len, false);
}
diff --git a/fs/ksmbd/smbacl.c b/fs/ksmbd/smbacl.c
index d385c7045cc0..e0825d3771a1 100644
--- a/fs/ksmbd/smbacl.c
+++ b/fs/ksmbd/smbacl.c
@@ -941,7 +941,8 @@ static void smb_set_ace(struct smb_ace *ace, const struct smb_sid *sid, u8 type,
ace->size = cpu_to_le16(1 + 1 + 2 + 4 + 1 + 1 + 6 + (sid->num_subauth * 4));
}
-int smb_inherit_dacl(struct ksmbd_conn *conn, struct dentry *dentry,
+int smb_inherit_dacl(struct ksmbd_conn *conn,
+ struct path *path,
unsigned int uid, unsigned int gid)
{
const struct smb_sid *psid, *creator = NULL;
@@ -949,11 +950,11 @@ int smb_inherit_dacl(struct ksmbd_conn *conn, struct dentry *dentry,
struct smb_acl *parent_pdacl;
struct smb_ntsd *parent_pntsd = NULL;
struct smb_sid owner_sid, group_sid;
- struct dentry *parent = dentry->d_parent;
+ struct dentry *parent = path->dentry->d_parent;
int inherited_flags = 0, flags = 0, i, ace_cnt = 0, nt_size = 0;
int rc = -ENOENT, num_aces, dacloffset, pntsd_type, acl_len;
char *aces_base;
- bool is_dir = S_ISDIR(d_inode(dentry)->i_mode);
+ bool is_dir = S_ISDIR(d_inode(path->dentry)->i_mode);
acl_len = ksmbd_vfs_get_sd_xattr(conn, parent, &parent_pntsd);
if (acl_len <= 0)
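Review bot: `struct dentry *parent = path->dentry->d_parent;` reads d_parent without taking a reference or any lock visible in this hunk, and the pointer is then passed to ksmbd_vfs_get_sd_xattr(). d_parent can change under a concurrent rename, so this should use dget_parent() with a matching dput(), as ksmbd_vfs_query_maximal_access() already does. Now that the function receives a struct path this is a good place to fix it rather than carry the pattern forward.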
@@ -1086,7 +1087,7 @@ int smb_inherit_dacl(struct ksmbd_conn *conn, struct dentry *dentry,
pntsd_size += sizeof(struct smb_acl) + nt_size;
}
- ksmbd_vfs_set_sd_xattr(conn, dentry, pntsd, pntsd_size);
+ ksmbd_vfs_set_sd_xattr(conn, path->dentry, pntsd, pntsd_size);
kfree(pntsd);
rc = 0;
}
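Review bot: the return value of `ksmbd_vfs_set_sd_xattr(conn, path->dentry, pntsd, pntsd_size);` is dropped and `rc = 0;` follows unconditionally, so a failure to store the inherited security descriptor is reported to the caller as success. Assign the result to rc, or state in a comment why the failure is acceptable.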
@@ -1109,7 +1110,7 @@ bool smb_inherit_flags(int flags, bool is_dir)
return false;
}
-int smb_check_perm_dacl(struct ksmbd_conn *conn, struct dentry *dentry,
+int smb_check_perm_dacl(struct ksmbd_conn *conn, struct path *path,
__le32 *pdaccess, int uid)
{
struct smb_ntsd *pntsd = NULL;
@@ -1127,7 +1128,7 @@ int smb_check_perm_dacl(struct ksmbd_conn *conn, struct dentry *dentry,
char *end_of_acl;
ksmbd_debug(SMB, "check permission using windows acl\n");
- acl_size = ksmbd_vfs_get_sd_xattr(conn, dentry, &pntsd);
+ acl_size = ksmbd_vfs_get_sd_xattr(conn, path->dentry, &pntsd);
if (acl_size <= 0 || !pntsd || !pntsd->dacloffset) {
kfree(pntsd);
return 0;
@@ -1201,7 +1202,7 @@ int smb_check_perm_dacl(struct ksmbd_conn *conn, struct dentry *dentry,
granted = GENERIC_ALL_FLAGS;
}
- posix_acls = get_acl(d_inode(dentry), ACL_TYPE_ACCESS);
+ posix_acls = get_acl(d_inode(path->dentry), ACL_TYPE_ACCESS);
if (posix_acls && !found) {
unsigned int id = -1;
@@ -1261,12 +1262,12 @@ int smb_check_perm_dacl(struct ksmbd_conn *conn, struct dentry *dentry,
}
int set_info_sec(struct ksmbd_conn *conn, struct ksmbd_tree_connect *tcon,
- struct dentry *dentry, struct smb_ntsd *pntsd, int ntsd_len,
+ struct path *path, struct smb_ntsd *pntsd, int ntsd_len,
bool type_check)
{
int rc;
struct smb_fattr fattr = {{0}};
- struct inode *inode = d_inode(dentry);
+ struct inode *inode = d_inode(path->dentry);
fattr.cf_uid = INVALID_UID;
fattr.cf_gid = INVALID_GID;
@@ -1283,7 +1284,7 @@ int set_info_sec(struct ksmbd_conn *conn, struct ksmbd_tree_connect *tcon,
inode->i_gid = fattr.cf_gid;
mark_inode_dirty(inode);
- ksmbd_vfs_remove_acl_xattrs(dentry);
+ ksmbd_vfs_remove_acl_xattrs(path->dentry);
/* Update posix acls */
if (fattr.cf_dacls) {
rc = set_posix_acl(&init_user_ns, inode, ACL_TYPE_ACCESS,
@@ -1299,8 +1300,8 @@ int set_info_sec(struct ksmbd_conn *conn, struct ksmbd_tree_connect *tcon,
if (test_share_config_flag(tcon->share_conf, KSMBD_SHARE_FLAG_ACL_XATTR)) {
/* Update WinACL in xattr */
- ksmbd_vfs_remove_sd_xattrs(dentry);
- ksmbd_vfs_set_sd_xattr(conn, dentry, pntsd, ntsd_len);
+ ksmbd_vfs_remove_sd_xattrs(path->dentry);
+ ksmbd_vfs_set_sd_xattr(conn, path->dentry, pntsd, ntsd_len);
}
out:
diff --git a/fs/ksmbd/smbacl.h b/fs/ksmbd/smbacl.h
index 3e1345e9f24f..4ee7bda32e5f 100644
--- a/fs/ksmbd/smbacl.h
+++ b/fs/ksmbd/smbacl.h
@@ -200,12 +200,12 @@ void posix_state_to_acl(struct posix_acl_state *state,
struct posix_acl_entry *pace);
int compare_sids(const struct smb_sid *ctsid, const struct smb_sid *cwsid);
bool smb_inherit_flags(int flags, bool is_dir);
-int smb_inherit_dacl(struct ksmbd_conn *conn, struct dentry *dentry,
+int smb_inherit_dacl(struct ksmbd_conn *conn, struct path *path,
unsigned int uid, unsigned int gid);
-int smb_check_perm_dacl(struct ksmbd_conn *conn, struct dentry *dentry,
+int smb_check_perm_dacl(struct ksmbd_conn *conn, struct path *path,
__le32 *pdaccess, int uid);
int set_info_sec(struct ksmbd_conn *conn, struct ksmbd_tree_connect *tcon,
- struct dentry *dentry, struct smb_ntsd *pntsd, int ntsd_len,
+ struct path *path, struct smb_ntsd *pntsd, int ntsd_len,
bool type_check);
void id_to_sid(unsigned int cid, uint sidtype, struct smb_sid *ssid);
void ksmbd_init_domain(u32 *sub_auth);
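Review bot: the three converted prototypes take `struct path *path`, yet every use of the argument in this patch only reads `path->dentry`. Declare the parameter as `const struct path *path` so callers can pass `&fp->filp->f_path` without the helpers appearing able to modify it. The definition of smb_inherit_dacl() in smbacl.c also puts `struct path *path` on its own line while the prototype here keeps it after `conn`; keep the two consistent.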
From patchwork Mon Nov 14 12:51:09 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Jason Yan <yanaijie(a)huawei.com>
X-Patchwork-Id: 183257
From: Jason Yan <yanaijie(a)huawei.com>
To: <yanaijie(a)huawei.com>, <zhengzengkai(a)huawei.com>, <xiexiuqi(a)huawei.com>,
<yi.zhang(a)huawei.com>, <patchwork(a)huawei.com>, <kernel.openeuler(a)huawei.com>,
<houtao1(a)huawei.com>
Subject: [PATCH OLK-5.10 v2 160/308] ksmbd: adapt vfs api to 5.10
Date: Mon, 14 Nov 2022 20:51:09 +0800
Message-ID: <20221114125337.1831594-161-yanaijie(a)huawei.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20221114125337.1831594-1-yanaijie(a)huawei.com>
References: <20221114125337.1831594-1-yanaijie(a)huawei.com>
Content-Type: text/plain
hulk inclusion
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G
CVE: NA
-------------------------------
These vfs apis have not supported user namespace in 5.10, so we need to
adapt these apis to remove all user namespace parameters.
Signed-off-by: Jason Yan <yanaijie(a)huawei.com>
---
fs/ksmbd/smb2pdu.c | 31 +++++++++++++-------------
fs/ksmbd/smbacl.c | 4 ++--
fs/ksmbd/vfs.c | 54 +++++++++++++++++++++-------------------------
3 files changed, 41 insertions(+), 48 deletions(-)
diff --git a/fs/ksmbd/smb2pdu.c b/fs/ksmbd/smb2pdu.c
index d79ea3eb57a7..dedd00379fde 100644
--- a/fs/ksmbd/smb2pdu.c
+++ b/fs/ksmbd/smb2pdu.c
@@ -2634,7 +2634,7 @@ int smb2_open(struct ksmbd_work *work)
rc = 0;
} else {
file_present = true;
- generic_fillattr(&init_user_ns, d_inode(path.dentry), &stat);
+ generic_fillattr(d_inode(path.dentry), &stat);
}
if (stream_name) {
if (req->CreateOptions & FILE_DIRECTORY_FILE_LE) {
@@ -2738,8 +2738,7 @@ int smb2_open(struct ksmbd_work *work)
* is already granted.
*/
if (daccess & ~(FILE_READ_ATTRIBUTES_LE | FILE_READ_CONTROL_LE)) {
- rc = inode_permission(&init_user_ns,
- d_inode(path.dentry),
+ rc = inode_permission(d_inode(path.dentry),
may_flags);
if (rc)
goto err_out;
@@ -2895,7 +2894,7 @@ int smb2_open(struct ksmbd_work *work)
rc = ksmbd_vfs_getattr(&path, &stat);
if (rc) {
- generic_fillattr(&init_user_ns, d_inode(path.dentry), &stat);
+ generic_fillattr(d_inode(path.dentry), &stat);
rc = 0;
}
@@ -2996,7 +2995,7 @@ int smb2_open(struct ksmbd_work *work)
memcpy(fp->client_guid, conn->ClientGUID, SMB2_CLIENT_GUID_SIZE);
- generic_fillattr(&init_user_ns, file_inode(fp->filp), &stat);
+ generic_fillattr(file_inode(fp->filp), &stat);
rsp->StructureSize = cpu_to_le16(89);
rcu_read_lock();
@@ -3710,7 +3709,7 @@ int smb2_query_dir(struct ksmbd_work *work)
}
if (!(dir_fp->daccess & FILE_LIST_DIRECTORY_LE) ||
- inode_permission(&init_user_ns, file_inode(dir_fp->filp),
+ inode_permission(file_inode(dir_fp->filp),
MAY_READ | MAY_EXEC)) {
pr_err("no right to enumerate directory (%pd)\n",
dir_fp->filp->f_path.dentry);
@@ -4124,7 +4123,7 @@ static int get_file_basic_info(struct smb2_query_info_rsp *rsp,
}
basic_info = (struct smb2_file_all_info *)rsp->Buffer;
- generic_fillattr(&init_user_ns, file_inode(fp->filp), &stat);
+ generic_fillattr(file_inode(fp->filp), &stat);
basic_info->CreationTime = cpu_to_le64(fp->create_time);
time = ksmbd_UnixTimeToNT(stat.atime);
basic_info->LastAccessTime = cpu_to_le64(time);
@@ -4165,7 +4164,7 @@ static void get_file_standard_info(struct smb2_query_info_rsp *rsp,
struct kstat stat;
inode = file_inode(fp->filp);
- generic_fillattr(&init_user_ns, inode, &stat);
+ generic_fillattr(inode, &stat);
sinfo = (struct smb2_file_standard_info *)rsp->Buffer;
delete_pending = ksmbd_inode_pending_delete(fp);
@@ -4220,7 +4219,7 @@ static int get_file_all_info(struct ksmbd_work *work,
return -ENOMEM;
inode = file_inode(fp->filp);
- generic_fillattr(&init_user_ns, inode, &stat);
+ generic_fillattr(inode, &stat);
ksmbd_debug(SMB, "filename = %s\n", filename);
delete_pending = ksmbd_inode_pending_delete(fp);
@@ -4295,7 +4294,7 @@ static void get_file_stream_info(struct ksmbd_work *work,
ssize_t xattr_list_len;
int nbytes = 0, streamlen, stream_name_len, next, idx = 0;
- generic_fillattr(&init_user_ns, file_inode(fp->filp), &stat);
+ generic_fillattr(file_inode(fp->filp), &stat);
file_info = (struct smb2_file_stream_info *)rsp->Buffer;
xattr_list_len = ksmbd_vfs_listxattr(path->dentry, &xattr_list);
@@ -4374,7 +4373,7 @@ static void get_file_internal_info(struct smb2_query_info_rsp *rsp,
struct smb2_file_internal_info *file_info;
struct kstat stat;
- generic_fillattr(&init_user_ns, file_inode(fp->filp), &stat);
+ generic_fillattr(file_inode(fp->filp), &stat);
file_info = (struct smb2_file_internal_info *)rsp->Buffer;
file_info->IndexNumber = cpu_to_le64(stat.ino);
rsp->OutputBufferLength =
@@ -4399,7 +4398,7 @@ static int get_file_network_open_info(struct smb2_query_info_rsp *rsp,
file_info = (struct smb2_file_ntwrk_info *)rsp->Buffer;
inode = file_inode(fp->filp);
- generic_fillattr(&init_user_ns, inode, &stat);
+ generic_fillattr(inode, &stat);
file_info->CreationTime = cpu_to_le64(fp->create_time);
time = ksmbd_UnixTimeToNT(stat.atime);
@@ -4460,7 +4459,7 @@ static void get_file_compression_info(struct smb2_query_info_rsp *rsp,
struct smb2_file_comp_info *file_info;
struct kstat stat;
- generic_fillattr(&init_user_ns, file_inode(fp->filp), &stat);
+ generic_fillattr(file_inode(fp->filp), &stat);
file_info = (struct smb2_file_comp_info *)rsp->Buffer;
file_info->CompressedFileSize = cpu_to_le64(stat.blocks << 9);
@@ -5433,14 +5432,14 @@ static int set_file_basic_info(struct ksmbd_file *fp, char *buf,
if (IS_IMMUTABLE(inode) || IS_APPEND(inode))
return -EACCES;
- rc = setattr_prepare(&init_user_ns, dentry, &attrs);
+ rc = setattr_prepare(dentry, &attrs);
if (rc)
return -EINVAL;
inode_lock(inode);
- setattr_copy(&init_user_ns, inode, &attrs);
+ setattr_copy(inode, &attrs);
attrs.ia_valid &= ~ATTR_CTIME;
- rc = notify_change(&init_user_ns, dentry, &attrs, NULL);
+ rc = notify_change(dentry, &attrs, NULL);
inode_unlock(inode);
}
return 0;
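Review bot: `rc = notify_change(dentry, &attrs, NULL);` is followed by `inode_unlock(inode);` and then `return 0;`, so a failed attribute change is reported as success. Return rc after the unlock. The setattr_prepare() failure just above is also flattened to -EINVAL, which hides the real errno (for example a permission error); returning rc would preserve it. Neither is introduced by the parameter removal, but both lines are touched here.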
diff --git a/fs/ksmbd/smbacl.c b/fs/ksmbd/smbacl.c
index e0825d3771a1..b1e9473a732a 100644
--- a/fs/ksmbd/smbacl.c
+++ b/fs/ksmbd/smbacl.c
@@ -1287,10 +1287,10 @@ int set_info_sec(struct ksmbd_conn *conn, struct ksmbd_tree_connect *tcon,
ksmbd_vfs_remove_acl_xattrs(path->dentry);
/* Update posix acls */
if (fattr.cf_dacls) {
- rc = set_posix_acl(&init_user_ns, inode, ACL_TYPE_ACCESS,
+ rc = set_posix_acl(inode, ACL_TYPE_ACCESS,
fattr.cf_acls);
if (S_ISDIR(inode->i_mode) && fattr.cf_dacls)
- rc = set_posix_acl(&init_user_ns, inode,
+ rc = set_posix_acl(inode,
ACL_TYPE_DEFAULT, fattr.cf_dacls);
}
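Review bot: in set_info_sec() the result of the first `set_posix_acl(inode, ACL_TYPE_ACCESS, fattr.cf_acls)` is overwritten by the ACL_TYPE_DEFAULT call for directories, so an error setting the access ACL is lost whenever the default ACL succeeds. Check rc after the first call before making the second. The inner test `S_ISDIR(inode->i_mode) && fattr.cf_dacls` also repeats the `fattr.cf_dacls` condition of the enclosing `if`, and the guard uses cf_dacls while the value passed is cf_acls; confirm that is intended.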
diff --git a/fs/ksmbd/vfs.c b/fs/ksmbd/vfs.c
index 702166266f91..63aea927d71e 100644
--- a/fs/ksmbd/vfs.c
+++ b/fs/ksmbd/vfs.c
@@ -107,7 +107,7 @@ int ksmbd_vfs_may_delete(struct dentry *dentry)
return ret;
}
- ret = inode_permission(&init_user_ns, d_inode(parent),
+ ret = inode_permission(d_inode(parent),
MAY_EXEC | MAY_WRITE);
inode_unlock(d_inode(parent));
@@ -122,16 +122,16 @@ int ksmbd_vfs_query_maximal_access(struct dentry *dentry, __le32 *daccess)
*daccess = cpu_to_le32(FILE_READ_ATTRIBUTES | READ_CONTROL);
- if (!inode_permission(&init_user_ns, d_inode(dentry), MAY_OPEN | MAY_WRITE))
+ if (!inode_permission(d_inode(dentry), MAY_OPEN | MAY_WRITE))
*daccess |= cpu_to_le32(WRITE_DAC | WRITE_OWNER | SYNCHRONIZE |
FILE_WRITE_DATA | FILE_APPEND_DATA |
FILE_WRITE_EA | FILE_WRITE_ATTRIBUTES |
FILE_DELETE_CHILD);
- if (!inode_permission(&init_user_ns, d_inode(dentry), MAY_OPEN | MAY_READ))
+ if (!inode_permission(d_inode(dentry), MAY_OPEN | MAY_READ))
*daccess |= FILE_READ_DATA_LE | FILE_READ_EA_LE;
- if (!inode_permission(&init_user_ns, d_inode(dentry), MAY_OPEN | MAY_EXEC))
+ if (!inode_permission(d_inode(dentry), MAY_OPEN | MAY_EXEC))
*daccess |= FILE_EXECUTE_LE;
parent = dget_parent(dentry);
@@ -141,7 +141,7 @@ int ksmbd_vfs_query_maximal_access(struct dentry *dentry, __le32 *daccess)
return ret;
}
- if (!inode_permission(&init_user_ns, d_inode(parent), MAY_EXEC | MAY_WRITE))
+ if (!inode_permission(d_inode(parent), MAY_EXEC | MAY_WRITE))
*daccess |= FILE_DELETE_LE;
inode_unlock(d_inode(parent));
@@ -173,7 +173,7 @@ int ksmbd_vfs_create(struct ksmbd_work *work, const char *name, umode_t mode)
}
mode |= S_IFREG;
- err = vfs_create(&init_user_ns, d_inode(path.dentry), dentry, mode, true);
+ err = vfs_create(d_inode(path.dentry), dentry, mode, true);
if (!err) {
ksmbd_vfs_inherit_owner(work, d_inode(path.dentry),
d_inode(dentry));
@@ -208,7 +208,7 @@ int ksmbd_vfs_mkdir(struct ksmbd_work *work, const char *name, umode_t mode)
}
mode |= S_IFDIR;
- err = vfs_mkdir(&init_user_ns, d_inode(path.dentry), dentry, mode);
+ err = vfs_mkdir(d_inode(path.dentry), dentry, mode);
if (err) {
goto out;
} else if (d_unhashed(dentry)) {
@@ -606,12 +606,12 @@ int ksmbd_vfs_remove_file(struct ksmbd_work *work, char *name)
}
if (S_ISDIR(d_inode(path.dentry)->i_mode)) {
- err = vfs_rmdir(&init_user_ns, d_inode(parent), path.dentry);
+ err = vfs_rmdir(d_inode(parent), path.dentry);
if (err && err != -ENOTEMPTY)
ksmbd_debug(VFS, "%s: rmdir failed, err %d\n", name,
err);
} else {
- err = vfs_unlink(&init_user_ns, d_inode(parent), path.dentry,
+ err = vfs_unlink(d_inode(parent), path.dentry,
NULL);
if (err)
ksmbd_debug(VFS, "%s: unlink failed, err %d\n", name,
@@ -669,7 +669,7 @@ int ksmbd_vfs_link(struct ksmbd_work *work, const char *oldname,
goto out3;
}
- err = vfs_link(oldpath.dentry, &init_user_ns, d_inode(newpath.dentry),
+ err = vfs_link(oldpath.dentry, d_inode(newpath.dentry),
dentry, NULL);
if (err)
ksmbd_debug(VFS, "vfs_link failed err %d\n", err);
@@ -743,15 +743,9 @@ static int __ksmbd_vfs_rename(struct ksmbd_work *work,
err = -ENOTEMPTY;
if (dst_dent != trap_dent && !d_really_is_positive(dst_dent)) {
- struct renamedata rd = {
- .old_mnt_userns = &init_user_ns,
- .old_dir = d_inode(src_dent_parent),
- .old_dentry = src_dent,
- .new_mnt_userns = &init_user_ns,
- .new_dir = d_inode(dst_dent_parent),
- .new_dentry = dst_dent,
- };
- err = vfs_rename(&rd);
+ err = vfs_rename(d_inode(src_dent_parent), src_dent,
+ d_inode(dst_dent_parent), dst_dent,
+ NULL, 0);
}
if (err)
pr_err("vfs_rename failed err %d\n", err);
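Review bot: the trailing NULL and 0 in the new vfs_rename() call are unexplained. They stand in for the delegated-inode and flags values that the removed struct renamedata left zero-initialised, so behaviour is unchanged, but a one-line comment would save the next reader from checking the six-argument signature. The pr_err() in the context lines also logs a rename failure without either name, which makes such failures hard to triage from the log alone.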
@@ -919,7 +913,7 @@ ssize_t ksmbd_vfs_listxattr(struct dentry *dentry, char **list)
static ssize_t ksmbd_vfs_xattr_len(struct dentry *dentry, char *xattr_name)
{
- return vfs_getxattr(&init_user_ns, dentry, xattr_name, NULL, 0);
+ return vfs_getxattr(dentry, xattr_name, NULL, 0);
}
/**
@@ -945,7 +939,7 @@ ssize_t ksmbd_vfs_getxattr(struct dentry *dentry, char *xattr_name,
if (!buf)
return -ENOMEM;
- xattr_len = vfs_getxattr(&init_user_ns, dentry, xattr_name,
+ xattr_len = vfs_getxattr(dentry, xattr_name,
(void *)buf, xattr_len);
if (xattr_len > 0)
*xattr_buf = buf;
@@ -969,7 +963,7 @@ int ksmbd_vfs_setxattr(struct dentry *dentry, const char *attr_name,
{
int err;
- err = vfs_setxattr(&init_user_ns, dentry,
+ err = vfs_setxattr(dentry,
attr_name,
attr_value,
attr_size,
@@ -1078,7 +1072,7 @@ int ksmbd_vfs_fqar_lseek(struct ksmbd_file *fp, loff_t start, loff_t length,
int ksmbd_vfs_remove_xattr(struct dentry *dentry, char *attr_name)
{
- return vfs_removexattr(&init_user_ns, dentry, attr_name);
+ return vfs_removexattr(dentry, attr_name);
}
int ksmbd_vfs_unlink(struct dentry *dir, struct dentry *dentry)
@@ -1091,9 +1085,9 @@ int ksmbd_vfs_unlink(struct dentry *dir, struct dentry *dentry)
dget(dentry);
if (S_ISDIR(d_inode(dentry)->i_mode))
- err = vfs_rmdir(&init_user_ns, d_inode(dir), dentry);
+ err = vfs_rmdir(d_inode(dir), dentry);
else
- err = vfs_unlink(&init_user_ns, d_inode(dir), dentry, NULL);
+ err = vfs_unlink(d_inode(dir), dentry, NULL);
dput(dentry);
inode_unlock(d_inode(dir));
@@ -1599,7 +1593,7 @@ int ksmbd_vfs_fill_dentry_attrs(struct ksmbd_work *work, struct dentry *dentry,
u64 time;
int rc;
- generic_fillattr(&init_user_ns, d_inode(dentry), ksmbd_kstat->kstat);
+ generic_fillattr(d_inode(dentry), ksmbd_kstat->kstat);
time = ksmbd_UnixTimeToNT(ksmbd_kstat->kstat->ctime);
ksmbd_kstat->create_time = time;
@@ -1804,13 +1798,13 @@ int ksmbd_vfs_set_init_posix_acl(struct inode *inode)
return -ENOMEM;
}
posix_state_to_acl(&acl_state, acls->a_entries);
- rc = set_posix_acl(&init_user_ns, inode, ACL_TYPE_ACCESS, acls);
+ rc = set_posix_acl(inode, ACL_TYPE_ACCESS, acls);
if (rc < 0)
ksmbd_debug(SMB, "Set posix acl(ACL_TYPE_ACCESS) failed, rc : %d\n",
rc);
else if (S_ISDIR(inode->i_mode)) {
posix_state_to_acl(&acl_state, acls->a_entries);
- rc = set_posix_acl(&init_user_ns, inode, ACL_TYPE_DEFAULT,
+ rc = set_posix_acl(inode, ACL_TYPE_DEFAULT,
acls);
if (rc < 0)
ksmbd_debug(SMB, "Set posix acl(ACL_TYPE_DEFAULT) failed, rc : %d\n",
@@ -1839,12 +1833,12 @@ int ksmbd_vfs_inherit_posix_acl(struct inode *inode, struct inode *parent_inode)
}
}
- rc = set_posix_acl(&init_user_ns, inode, ACL_TYPE_ACCESS, acls);
+ rc = set_posix_acl(inode, ACL_TYPE_ACCESS, acls);
if (rc < 0)
ksmbd_debug(SMB, "Set posix acl(ACL_TYPE_ACCESS) failed, rc : %d\n",
rc);
if (S_ISDIR(inode->i_mode)) {
- rc = set_posix_acl(&init_user_ns, inode, ACL_TYPE_DEFAULT,
+ rc = set_posix_acl(inode, ACL_TYPE_DEFAULT,
acls);
if (rc < 0)
ksmbd_debug(SMB, "Set posix acl(ACL_TYPE_DEFAULT) failed, rc : %d\n",
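Review bot: in ksmbd_vfs_inherit_posix_acl() the directory branch is a plain if, not the else-if used in ksmbd_vfs_set_init_posix_acl() in the previous hunk, so for a directory the rc from the ACL_TYPE_ACCESS call is overwritten by the ACL_TYPE_DEFAULT call and an access-ACL failure is visible only in the debug log. These are context lines the patch does not change, but since both calls are being edited here it is worth keeping the first error or returning early on a negative rc.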
From patchwork Mon Nov 14 12:51:10 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Jason Yan <yanaijie(a)huawei.com>
X-Patchwork-Id: 183258
Return-Path: <yanaijie(a)huawei.com>
From: Jason Yan <yanaijie(a)huawei.com>
To: <yanaijie(a)huawei.com>, <zhengzengkai(a)huawei.com>, <xiexiuqi(a)huawei.com>,
<yi.zhang(a)huawei.com>, <patchwork(a)huawei.com>, <kernel.openeuler(a)huawei.com>,
<houtao1(a)huawei.com>
Subject: [PATCH OLK-5.10 v2 161/308] ksmbd: fix kernel oops in
ksmbd_rpc_ioctl/rap()
Date: Mon, 14 Nov 2022 20:51:10 +0800
Message-ID: <20221114125337.1831594-162-yanaijie(a)huawei.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20221114125337.1831594-1-yanaijie(a)huawei.com>
References: <20221114125337.1831594-1-yanaijie(a)huawei.com>
From: Namjae Jeon <namjae.jeon(a)samsung.com>
mainline inclusion
from mainline-5.15-rc1
commit 690f969705138b235b9fa4c4d19e5129ed54a845
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G
CVE: NA
Reference: https://git.kernel.org/torvalds/linux/c/690f96970513
-------------------------------
"ksmbd: remove macros in transport_ipc.c" commit change msg to req in
ksmbd_rpc_ioctl/rap(). This will cause a kernel oops when running smbclient
-L test.
Signed-off-by: Namjae Jeon <namjae.jeon(a)samsung.com>
Signed-off-by: Steve French <stfrench(a)microsoft.com>
Signed-off-by: Jason Yan <yanaijie(a)huawei.com>
---
fs/ksmbd/transport_ipc.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/fs/ksmbd/transport_ipc.c b/fs/ksmbd/transport_ipc.c
index ca5099118fdf..44aea33a67fa 100644
--- a/fs/ksmbd/transport_ipc.c
+++ b/fs/ksmbd/transport_ipc.c
@@ -752,7 +752,7 @@ struct ksmbd_rpc_command *ksmbd_rpc_ioctl(struct ksmbd_session *sess, int handle
return NULL;
msg->type = KSMBD_EVENT_RPC_REQUEST;
- req = (struct ksmbd_rpc_command *)req->payload;
+ req = (struct ksmbd_rpc_command *)msg->payload;
req->handle = handle;
req->flags = ksmbd_session_rpc_method(sess, handle);
req->flags |= rpc_context_flags(sess);
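Review bot: the removed line read req->payload before req had been assigned anything, so taking the payload from msg as done here is correct. Because the identical slip is repeated in ksmbd_rpc_rap() in the next hunk, consider a small inline helper that returns the typed payload of msg, so the cast is written once and cannot be mistyped per call site.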
@@ -777,7 +777,7 @@ struct ksmbd_rpc_command *ksmbd_rpc_rap(struct ksmbd_session *sess, void *payloa
return NULL;
msg->type = KSMBD_EVENT_RPC_REQUEST;
- req = (struct ksmbd_rpc_command *)req->payload;
+ req = (struct ksmbd_rpc_command *)msg->payload;
req->handle = ksmbd_acquire_id(&ipc_ida);
req->flags = rpc_context_flags(sess);
req->flags |= KSMBD_RPC_RAP_METHOD;
From patchwork Mon Nov 14 12:51:11 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Jason Yan <yanaijie(a)huawei.com>
X-Patchwork-Id: 183259
Return-Path: <yanaijie(a)huawei.com>
From: Jason Yan <yanaijie(a)huawei.com>
To: <yanaijie(a)huawei.com>, <zhengzengkai(a)huawei.com>, <xiexiuqi(a)huawei.com>,
<yi.zhang(a)huawei.com>, <patchwork(a)huawei.com>, <kernel.openeuler(a)huawei.com>,
<houtao1(a)huawei.com>
Subject: [PATCH OLK-5.10 v2 162/308] ksmbd: Fix read on the uninitialized
pointer sess
Date: Mon, 14 Nov 2022 20:51:11 +0800
Message-ID: <20221114125337.1831594-163-yanaijie(a)huawei.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20221114125337.1831594-1-yanaijie(a)huawei.com>
References: <20221114125337.1831594-1-yanaijie(a)huawei.com>
From: Colin Ian King <colin.king(a)canonical.com>
mainline inclusion
from mainline-5.15-rc1
commit 4951a84f61d6de4ab5aca1d49a6b6ee2ad2d1eec
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G
CVE: NA
Reference: https://git.kernel.org/torvalds/linux/c/4951a84f61d6
-------------------------------
There is an error handling case that passes control to label out_err
without pointer sess being assigned a value. The unassigned pointer
may be any garbage value and so the test of rc < 0 && sess may be
true, leading to sess being passed to the call to ksmbd_session_destroy.
Fix this by setting sess to NULL in this corner case.
Addresses-Coverity: ("Uninitialized pointer read")
Signed-off-by: Colin Ian King <colin.king(a)canonical.com>
Signed-off-by: Namjae Jeon <namjae.jeon(a)samsung.com>
Signed-off-by: Steve French <stfrench(a)microsoft.com>
Signed-off-by: Jason Yan <yanaijie(a)huawei.com>
---
fs/ksmbd/smb2pdu.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/fs/ksmbd/smb2pdu.c b/fs/ksmbd/smb2pdu.c
index dedd00379fde..986ba0632dcc 100644
--- a/fs/ksmbd/smb2pdu.c
+++ b/fs/ksmbd/smb2pdu.c
@@ -1615,6 +1615,7 @@ int smb2_sess_setup(struct ksmbd_work *work)
} else if ((conn->dialect < SMB30_PROT_ID ||
server_conf.flags & KSMBD_GLOBAL_FLAG_SMB3_MULTICHANNEL) &&
(req->Flags & SMB2_SESSION_REQ_FLAG_BINDING)) {
+ sess = NULL;
rc = -EACCES;
goto out_err;
} else {
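Review bot: assigning sess = NULL inside this one branch fixes the path named in the commit message, but any other goto out_err taken before sess is assigned would reach the same test at out_err with a garbage pointer. Initialising sess to NULL at its declaration in smb2_sess_setup() would cover every such path and make this added line unnecessary.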
From patchwork Mon Nov 14 12:51:12 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Jason Yan <yanaijie(a)huawei.com>
X-Patchwork-Id: 183260
Return-Path: <yanaijie(a)huawei.com>
From: Jason Yan <yanaijie(a)huawei.com>
To: <yanaijie(a)huawei.com>, <zhengzengkai(a)huawei.com>, <xiexiuqi(a)huawei.com>,
<yi.zhang(a)huawei.com>, <patchwork(a)huawei.com>, <kernel.openeuler(a)huawei.com>,
<houtao1(a)huawei.com>
Subject: [PATCH OLK-5.10 v2 163/308] ksmbd: remove unneeded NULL check in
for_each_netdev
Date: Mon, 14 Nov 2022 20:51:12 +0800
Message-ID: <20221114125337.1831594-164-yanaijie(a)huawei.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20221114125337.1831594-1-yanaijie(a)huawei.com>
References: <20221114125337.1831594-1-yanaijie(a)huawei.com>
From: Namjae Jeon <namjae.jeon(a)samsung.com>
mainline inclusion
from mainline-5.15-rc1
commit 6cfbcf2f40e371ce36c030addc539597d058b3a9
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G
CVE: NA
Reference: https://git.kernel.org/torvalds/linux/c/6cfbcf2f40e3
-------------------------------
netdev can never be NULL in for_each_netdev loop.
This patch removes the unneeded NULL check.
Reported-by: Coverity Scan <scan-admin(a)coverity.com>
Signed-off-by: Namjae Jeon <namjae.jeon(a)samsung.com>
Signed-off-by: Steve French <stfrench(a)microsoft.com>
Signed-off-by: Jason Yan <yanaijie(a)huawei.com>
---
fs/ksmbd/smb2pdu.c | 5 -----
1 file changed, 5 deletions(-)
diff --git a/fs/ksmbd/smb2pdu.c b/fs/ksmbd/smb2pdu.c
index 986ba0632dcc..381ee5a812fc 100644
--- a/fs/ksmbd/smb2pdu.c
+++ b/fs/ksmbd/smb2pdu.c
@@ -6961,11 +6961,6 @@ static int fsctl_query_iface_info_ioctl(struct ksmbd_conn *conn,
rtnl_lock();
for_each_netdev(&init_net, netdev) {
- if (unlikely(!netdev)) {
- rtnl_unlock();
- return -EINVAL;
- }
-
if (netdev->type == ARPHRD_LOOPBACK)
continue;
From patchwork Mon Nov 14 12:51:13 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Jason Yan <yanaijie(a)huawei.com>
X-Patchwork-Id: 183261
Return-Path: <yanaijie(a)huawei.com>
From: Jason Yan <yanaijie(a)huawei.com>
To: <yanaijie(a)huawei.com>, <zhengzengkai(a)huawei.com>, <xiexiuqi(a)huawei.com>,
<yi.zhang(a)huawei.com>, <patchwork(a)huawei.com>, <kernel.openeuler(a)huawei.com>,
<houtao1(a)huawei.com>
Subject: [PATCH OLK-5.10 v2 164/308] ksmbd: fix read on the uninitialized
send_ctx
Date: Mon, 14 Nov 2022 20:51:13 +0800
Message-ID: <20221114125337.1831594-165-yanaijie(a)huawei.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20221114125337.1831594-1-yanaijie(a)huawei.com>
References: <20221114125337.1831594-1-yanaijie(a)huawei.com>
From: Namjae Jeon <namjae.jeon(a)samsung.com>
mainline inclusion
from mainline-5.15-rc1
commit b8fc94cdb144467d88f35344076fd3621af93a17
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G
CVE: NA
Reference: https://git.kernel.org/torvalds/linux/c/b8fc94cdb144
-------------------------------
If st->status is not SMB_DIRECT_CS_CONNECTED, it will jump to the done label,
and accessing the uninitialized send_ctx in smb_direct_flush_send_list
will cause a kernel oops. This patch just returns -ENOTCONN to avoid it.
Reported-by: Coverity Scan <scan-admin(a)coverity.com>
Signed-off-by: Namjae Jeon <namjae.jeon(a)samsung.com>
Signed-off-by: Steve French <stfrench(a)microsoft.com>
Signed-off-by: Jason Yan <yanaijie(a)huawei.com>
---
fs/ksmbd/transport_rdma.c | 6 ++----
1 file changed, 2 insertions(+), 4 deletions(-)
diff --git a/fs/ksmbd/transport_rdma.c b/fs/ksmbd/transport_rdma.c
index 171fb3dd018a..d5728c84a15a 100644
--- a/fs/ksmbd/transport_rdma.c
+++ b/fs/ksmbd/transport_rdma.c
@@ -1207,10 +1207,8 @@ static int smb_direct_writev(struct ksmbd_transport *t,
struct kvec vec;
struct smb_direct_send_ctx send_ctx;
- if (st->status != SMB_DIRECT_CS_CONNECTED) {
- ret = -ENOTCONN;
- goto done;
- }
+ if (st->status != SMB_DIRECT_CS_CONNECTED)
+ return -ENOTCONN;
//FIXME: skip RFC1002 header..
buflen -= 4;
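Review bot: returning before send_ctx is set up is the right fix, but nothing here prevents a later goto done from being added above the initialisation again. Moving the send_ctx initialisation directly below its declaration, ahead of the status check, would make the done label safe from any point in smb_direct_writev(). Separately, the context line buflen -= 4 has no visible check that buflen is at least 4, which is worth confirming while the FIXME is still open.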
From patchwork Mon Nov 14 12:51:14 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Jason Yan <yanaijie(a)huawei.com>
X-Patchwork-Id: 183262
Return-Path: <yanaijie(a)huawei.com>
From: Jason Yan <yanaijie(a)huawei.com>
To: <yanaijie(a)huawei.com>, <zhengzengkai(a)huawei.com>, <xiexiuqi(a)huawei.com>,
<yi.zhang(a)huawei.com>, <patchwork(a)huawei.com>, <kernel.openeuler(a)huawei.com>,
<houtao1(a)huawei.com>
Subject: [PATCH OLK-5.10 v2 165/308] ksmbd: fix memory leak
smb2_populate_readdir_entry()
Date: Mon, 14 Nov 2022 20:51:14 +0800
Message-ID: <20221114125337.1831594-166-yanaijie(a)huawei.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20221114125337.1831594-1-yanaijie(a)huawei.com>
References: <20221114125337.1831594-1-yanaijie(a)huawei.com>
From: Namjae Jeon <namjae.jeon(a)samsung.com>
mainline inclusion
from mainline-5.15-rc1
commit dac0ec6e1b4a876abb61b6cd2ec589f8e87e95c9
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G
CVE: NA
Reference: https://git.kernel.org/torvalds/linux/c/dac0ec6e1b4a
-------------------------------
Add missing kfree(conv_name) on error path.
Reported-by: Coverity Scan <scan-admin(a)coverity.com>
Signed-off-by: Namjae Jeon <namjae.jeon(a)samsung.com>
Signed-off-by: Steve French <stfrench(a)microsoft.com>
Signed-off-by: Jason Yan <yanaijie(a)huawei.com>
---
fs/ksmbd/smb2pdu.c | 14 ++++++++------
1 file changed, 8 insertions(+), 6 deletions(-)
diff --git a/fs/ksmbd/smb2pdu.c b/fs/ksmbd/smb2pdu.c
index 381ee5a812fc..7f665a82d5b4 100644
--- a/fs/ksmbd/smb2pdu.c
+++ b/fs/ksmbd/smb2pdu.c
@@ -3266,7 +3266,7 @@ static int smb2_populate_readdir_entry(struct ksmbd_conn *conn, int info_level,
char *conv_name;
int conv_len;
void *kstat;
- int struct_sz;
+ int struct_sz, rc = 0;
conv_name = ksmbd_convert_dir_info_name(d_info,
conn->local_nls,
@@ -3276,8 +3276,8 @@ static int smb2_populate_readdir_entry(struct ksmbd_conn *conn, int info_level,
/* Somehow the name has only terminating NULL bytes */
if (conv_len < 0) {
- kfree(conv_name);
- return -EINVAL;
+ rc = -EINVAL;
+ goto free_conv_name;
}
struct_sz = readdir_info_level_struct_sz(info_level);
@@ -3286,7 +3286,8 @@ static int smb2_populate_readdir_entry(struct ksmbd_conn *conn, int info_level,
if (next_entry_offset > d_info->out_buf_len) {
d_info->out_buf_len = 0;
- return -ENOSPC;
+ rc = -ENOSPC;
+ goto free_conv_name;
}
kstat = d_info->wptr;
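Review bot: this -ENOSPC return is the path that actually leaked conv_name. The conv_len check in the previous hunk already called kfree() and is only being converted to the common label. Saying so in the commit message would make the backport easier to assess, and it is worth checking the lines elided between the hunks for any other direct return that still bypasses free_conv_name.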
@@ -3428,14 +3429,15 @@ static int smb2_populate_readdir_entry(struct ksmbd_conn *conn, int info_level,
d_info->data_count += next_entry_offset;
d_info->out_buf_len -= next_entry_offset;
d_info->wptr += next_entry_offset;
- kfree(conv_name);
ksmbd_debug(SMB,
"info_level : %d, buf_len :%d, next_offset : %d, data_count : %d\n",
info_level, d_info->out_buf_len,
next_entry_offset, d_info->data_count);
- return 0;
+free_conv_name:
+ kfree(conv_name);
+ return rc;
}
struct smb2_query_dir_private {
From patchwork Mon Nov 14 12:51:15 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Jason Yan <yanaijie(a)huawei.com>
X-Patchwork-Id: 183263
Return-Path: <yanaijie(a)huawei.com>
From: Jason Yan <yanaijie(a)huawei.com>
To: <yanaijie(a)huawei.com>, <zhengzengkai(a)huawei.com>, <xiexiuqi(a)huawei.com>,
<yi.zhang(a)huawei.com>, <patchwork(a)huawei.com>, <kernel.openeuler(a)huawei.com>,
<houtao1(a)huawei.com>
Subject: [PATCH OLK-5.10 v2 166/308] ksmbd: fix memory leak in
smb_inherit_dacl()
Date: Mon, 14 Nov 2022 20:51:15 +0800
Message-ID: <20221114125337.1831594-167-yanaijie(a)huawei.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20221114125337.1831594-1-yanaijie(a)huawei.com>
References: <20221114125337.1831594-1-yanaijie(a)huawei.com>
From: Namjae Jeon <namjae.jeon(a)samsung.com>
mainline inclusion
from mainline-5.15-rc1
commit a9071e3c8659d777eb6527e1d377021381d1b5ec
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G
CVE: NA
Reference: https://git.kernel.org/torvalds/linux/c/a9071e3c8659
-------------------------------
Add two labels to fix memory leak in smb_inherit_dacl().
Reported-by: Coverity Scan <scan-admin(a)coverity.com>
Signed-off-by: Namjae Jeon <namjae.jeon(a)samsung.com>
Signed-off-by: Steve French <stfrench(a)microsoft.com>
Signed-off-by: Jason Yan <yanaijie(a)huawei.com>
---
fs/ksmbd/smbacl.c | 23 ++++++++++++++---------
1 file changed, 14 insertions(+), 9 deletions(-)
diff --git a/fs/ksmbd/smbacl.c b/fs/ksmbd/smbacl.c
index b1e9473a732a..f6019f0dc8fd 100644
--- a/fs/ksmbd/smbacl.c
+++ b/fs/ksmbd/smbacl.c
@@ -952,24 +952,28 @@ int smb_inherit_dacl(struct ksmbd_conn *conn,
struct smb_sid owner_sid, group_sid;
struct dentry *parent = path->dentry->d_parent;
int inherited_flags = 0, flags = 0, i, ace_cnt = 0, nt_size = 0;
- int rc = -ENOENT, num_aces, dacloffset, pntsd_type, acl_len;
+ int rc = 0, num_aces, dacloffset, pntsd_type, acl_len;
char *aces_base;
bool is_dir = S_ISDIR(d_inode(path->dentry)->i_mode);
acl_len = ksmbd_vfs_get_sd_xattr(conn, parent, &parent_pntsd);
if (acl_len <= 0)
- return rc;
+ return -ENOENT;
dacloffset = le32_to_cpu(parent_pntsd->dacloffset);
- if (!dacloffset)
- goto out;
+ if (!dacloffset) {
+ rc = -EINVAL;
+ goto free_parent_pntsd;
+ }
parent_pdacl = (struct smb_acl *)((char *)parent_pntsd + dacloffset);
num_aces = le32_to_cpu(parent_pdacl->num_aces);
pntsd_type = le16_to_cpu(parent_pntsd->type);
aces_base = kmalloc(sizeof(struct smb_ace) * num_aces * 2, GFP_KERNEL);
- if (!aces_base)
- goto out;
+ if (!aces_base) {
+ rc = -ENOMEM;
+ goto free_parent_pntsd;
+ }
aces = (struct smb_ace *)aces_base;
parent_aces = (struct smb_ace *)((char *)parent_pdacl +
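Review bot: num_aces and dacloffset are read from the parent's stored security descriptor and used without range checks. parent_pdacl is computed as parent_pntsd + dacloffset with no comparison against acl_len, and sizeof(struct smb_ace) * num_aces * 2 is an open-coded multiplication on a signed int that a bad num_aces can wrap or turn into a huge size. Since this hunk already reworks the error handling around both values, validate dacloffset against acl_len and allocate with kmalloc_array() or an explicit upper bound on num_aces. Note also that the zero-dacloffset and allocation-failure paths now return -EINVAL and -ENOMEM where they previously returned -ENOENT, which callers may distinguish.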
@@ -1049,7 +1053,7 @@ int smb_inherit_dacl(struct ksmbd_conn *conn,
nt_size, GFP_KERNEL);
if (!pntsd) {
rc = -ENOMEM;
- goto out;
+ goto free_aces_base;
}
pntsd->revision = cpu_to_le16(1);
@@ -1089,11 +1093,12 @@ int smb_inherit_dacl(struct ksmbd_conn *conn,
ksmbd_vfs_set_sd_xattr(conn, path->dentry, pntsd, pntsd_size);
kfree(pntsd);
- rc = 0;
}
+free_aces_base:
kfree(aces_base);
-out:
+free_parent_pntsd:
+ kfree(parent_pntsd);
return rc;
}
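Review bot: with rc now initialised to 0 and the rc = 0 at the end of the block removed, the return value no longer says whether the inherited descriptor was stored. The result of ksmbd_vfs_set_sd_xattr() in the context line is discarded, and when the enclosing block is skipped the function now returns 0 where it used to return -ENOENT. Assign the xattr result to rc before kfree(pntsd), and confirm that callers are fine with success being reported when nothing was inherited.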
From patchwork Mon Nov 14 12:51:16 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Jason Yan <yanaijie(a)huawei.com>
X-Patchwork-Id: 183264
Return-Path: <yanaijie(a)huawei.com>
From: Jason Yan <yanaijie(a)huawei.com>
To: <yanaijie(a)huawei.com>, <zhengzengkai(a)huawei.com>, <xiexiuqi(a)huawei.com>,
<yi.zhang(a)huawei.com>, <patchwork(a)huawei.com>, <kernel.openeuler(a)huawei.com>,
<houtao1(a)huawei.com>
Subject: [PATCH OLK-5.10 v2 167/308] ksmbd: change data type of
volatile/persistent id to u64
Date: Mon, 14 Nov 2022 20:51:16 +0800
Message-ID: <20221114125337.1831594-168-yanaijie(a)huawei.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20221114125337.1831594-1-yanaijie(a)huawei.com>
References: <20221114125337.1831594-1-yanaijie(a)huawei.com>
From: Namjae Jeon <namjae.jeon(a)samsung.com>
mainline inclusion
from mainline-5.15-rc1
commit 3867369ef8f760155da684e10d29e0bf9b733b48
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G
CVE: NA
Reference: https://git.kernel.org/torvalds/linux/c/3867369ef8f7
-------------------------------
This patch changes the data type of volatile/persistent id to u64 to make
issue from idr_find and idr_remove(). The !HAS_FILE_ID check will protect
against the integer overflow issue from idr_find and idr_remove().
Reported-by: Dan Carpenter <dan.carpenter(a)oracle.com>
Signed-off-by: Namjae Jeon <namjae.jeon(a)samsung.com>
Signed-off-by: Steve French <stfrench(a)microsoft.com>
Signed-off-by: Jason Yan <yanaijie(a)huawei.com>
---
fs/ksmbd/ksmbd_work.h | 6 +++---
fs/ksmbd/smb2pdu.c | 37 +++++++++++++++++++------------------
fs/ksmbd/vfs_cache.c | 32 ++++++++++++++++----------------
fs/ksmbd/vfs_cache.h | 20 +++++++++-----------
4 files changed, 47 insertions(+), 48 deletions(-)
diff --git a/fs/ksmbd/ksmbd_work.h b/fs/ksmbd/ksmbd_work.h
index c655bf371ce5..f7156bc50049 100644
--- a/fs/ksmbd/ksmbd_work.h
+++ b/fs/ksmbd/ksmbd_work.h
@@ -43,9 +43,9 @@ struct ksmbd_work {
* Current Local FID assigned compound response if SMB2 CREATE
* command is present in compound request
*/
- unsigned int compound_fid;
- unsigned int compound_pfid;
- unsigned int compound_sid;
+ u64 compound_fid;
+ u64 compound_pfid;
+ u64 compound_sid;
const struct cred *saved_cred;
diff --git a/fs/ksmbd/smb2pdu.c b/fs/ksmbd/smb2pdu.c
index 7f665a82d5b4..56759c254962 100644
--- a/fs/ksmbd/smb2pdu.c
+++ b/fs/ksmbd/smb2pdu.c
@@ -2793,7 +2793,7 @@ int smb2_open(struct ksmbd_work *work)
/* Get Persistent-ID */
ksmbd_open_durable_fd(fp);
- if (!HAS_FILE_ID(fp->persistent_id)) {
+ if (!has_file_id(fp->persistent_id)) {
rc = -ENOMEM;
goto err_out;
}
@@ -4542,15 +4542,15 @@ static int smb2_get_info_file(struct ksmbd_work *work,
}
if (work->next_smb2_rcv_hdr_off) {
- if (!HAS_FILE_ID(le64_to_cpu(req->VolatileFileId))) {
- ksmbd_debug(SMB, "Compound request set FID = %u\n",
+ if (!has_file_id(le64_to_cpu(req->VolatileFileId))) {
+ ksmbd_debug(SMB, "Compound request set FID = %llu\n",
work->compound_fid);
id = work->compound_fid;
pid = work->compound_pfid;
}
}
- if (!HAS_FILE_ID(id)) {
+ if (!has_file_id(id)) {
id = le64_to_cpu(req->VolatileFileId);
pid = le64_to_cpu(req->PersistentFileId);
}
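Review bot: the declarations of id and pid are outside this hunk. If they are still unsigned int, the assignments from the now-u64 work->compound_fid and work->compound_pfid, and from le64_to_cpu(req->VolatileFileId), silently truncate, and has_file_id(id) then tests the truncated value. Widen the locals to u64 in the same patch, as is done for volatile_id in smb2_close(), or state why 32 bits is sufficient. The same applies to the matching hunks in smb2_get_info_sec(), smb2_set_info() and smb2_ioctl().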
@@ -4913,15 +4913,15 @@ static int smb2_get_info_sec(struct ksmbd_work *work,
}
if (work->next_smb2_rcv_hdr_off) {
- if (!HAS_FILE_ID(le64_to_cpu(req->VolatileFileId))) {
- ksmbd_debug(SMB, "Compound request set FID = %u\n",
+ if (!has_file_id(le64_to_cpu(req->VolatileFileId))) {
+ ksmbd_debug(SMB, "Compound request set FID = %llu\n",
work->compound_fid);
id = work->compound_fid;
pid = work->compound_pfid;
}
}
- if (!HAS_FILE_ID(id)) {
+ if (!has_file_id(id)) {
id = le64_to_cpu(req->VolatileFileId);
pid = le64_to_cpu(req->PersistentFileId);
}
@@ -5044,7 +5044,7 @@ static noinline int smb2_close_pipe(struct ksmbd_work *work)
*/
int smb2_close(struct ksmbd_work *work)
{
- unsigned int volatile_id = KSMBD_NO_FID;
+ u64 volatile_id = KSMBD_NO_FID;
u64 sess_id;
struct smb2_close_req *req;
struct smb2_close_rsp *rsp;
@@ -5080,15 +5080,16 @@ int smb2_close(struct ksmbd_work *work)
}
if (work->next_smb2_rcv_hdr_off &&
- !HAS_FILE_ID(le64_to_cpu(req->VolatileFileId))) {
- if (!HAS_FILE_ID(work->compound_fid)) {
+ !has_file_id(le64_to_cpu(req->VolatileFileId))) {
+ if (!has_file_id(work->compound_fid)) {
/* file already closed, return FILE_CLOSED */
ksmbd_debug(SMB, "file already closed\n");
rsp->hdr.Status = STATUS_FILE_CLOSED;
err = -EBADF;
goto out;
} else {
- ksmbd_debug(SMB, "Compound request set FID = %u:%u\n",
+ ksmbd_debug(SMB,
+ "Compound request set FID = %llu:%llu\n",
work->compound_fid,
work->compound_pfid);
volatile_id = work->compound_fid;
@@ -5100,7 +5101,7 @@ int smb2_close(struct ksmbd_work *work)
} else {
volatile_id = le64_to_cpu(req->VolatileFileId);
}
- ksmbd_debug(SMB, "volatile_id = %u\n", volatile_id);
+ ksmbd_debug(SMB, "volatile_id = %llu\n", volatile_id);
rsp->StructureSize = cpu_to_le16(60);
rsp->Reserved = 0;
@@ -5746,8 +5747,8 @@ int smb2_set_info(struct ksmbd_work *work)
if (work->next_smb2_rcv_hdr_off) {
req = ksmbd_req_buf_next(work);
rsp = ksmbd_resp_buf_next(work);
- if (!HAS_FILE_ID(le64_to_cpu(req->VolatileFileId))) {
- ksmbd_debug(SMB, "Compound request set FID = %u\n",
+ if (!has_file_id(le64_to_cpu(req->VolatileFileId))) {
+ ksmbd_debug(SMB, "Compound request set FID = %llu\n",
work->compound_fid);
id = work->compound_fid;
pid = work->compound_pfid;
@@ -5757,7 +5758,7 @@ int smb2_set_info(struct ksmbd_work *work)
rsp = work->response_buf;
}
- if (!HAS_FILE_ID(id)) {
+ if (!has_file_id(id)) {
id = le64_to_cpu(req->VolatileFileId);
pid = le64_to_cpu(req->PersistentFileId);
}
@@ -7240,8 +7241,8 @@ int smb2_ioctl(struct ksmbd_work *work)
if (work->next_smb2_rcv_hdr_off) {
req = ksmbd_req_buf_next(work);
rsp = ksmbd_resp_buf_next(work);
- if (!HAS_FILE_ID(le64_to_cpu(req->VolatileFileId))) {
- ksmbd_debug(SMB, "Compound request set FID = %u\n",
+ if (!has_file_id(le64_to_cpu(req->VolatileFileId))) {
+ ksmbd_debug(SMB, "Compound request set FID = %llu\n",
work->compound_fid);
id = work->compound_fid;
}
@@ -7250,7 +7251,7 @@ int smb2_ioctl(struct ksmbd_work *work)
rsp = work->response_buf;
}
- if (!HAS_FILE_ID(id))
+ if (!has_file_id(id))
id = le64_to_cpu(req->VolatileFileId);
if (req->Flags != cpu_to_le32(SMB2_0_IOCTL_IS_FSCTL)) {
diff --git a/fs/ksmbd/vfs_cache.c b/fs/ksmbd/vfs_cache.c
index 5c9efcfaeb5c..f9012016bada 100644
--- a/fs/ksmbd/vfs_cache.c
+++ b/fs/ksmbd/vfs_cache.c
@@ -276,7 +276,7 @@ static void __ksmbd_inode_close(struct ksmbd_file *fp)
static void __ksmbd_remove_durable_fd(struct ksmbd_file *fp)
{
- if (!HAS_FILE_ID(fp->persistent_id))
+ if (!has_file_id(fp->persistent_id))
return;
write_lock(&global_ft.lock);
@@ -286,7 +286,7 @@ static void __ksmbd_remove_durable_fd(struct ksmbd_file *fp)
static void __ksmbd_remove_fd(struct ksmbd_file_table *ft, struct ksmbd_file *fp)
{
- if (!HAS_FILE_ID(fp->volatile_id))
+ if (!has_file_id(fp->volatile_id))
return;
write_lock(&fp->f_ci->m_lock);
@@ -326,10 +326,13 @@ static struct ksmbd_file *ksmbd_fp_get(struct ksmbd_file *fp)
}
static struct ksmbd_file *__ksmbd_lookup_fd(struct ksmbd_file_table *ft,
- unsigned int id)
+ u64 id)
{
struct ksmbd_file *fp;
+ if (!has_file_id(id))
+ return NULL;
+
read_lock(&ft->lock);
fp = idr_find(ft->idr, id);
if (fp)
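Review bot: the has_file_id() guard added at the top of __ksmbd_lookup_fd() is now the only thing that bounds the u64 id before it reaches idr_find(), which takes an unsigned long, and nothing in the code says so. Add a one-line comment above the check stating that it rejects any wire value at or above KSMBD_NO_FID, so that on 32-bit builds the id cannot be truncated into a different, valid slot. Without it a later cleanup could take the check for a duplicate of the ones in the callers and remove it.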
@@ -358,12 +361,12 @@ static void set_close_state_blocked_works(struct ksmbd_file *fp)
spin_unlock(&fp->f_lock);
}
-int ksmbd_close_fd(struct ksmbd_work *work, unsigned int id)
+int ksmbd_close_fd(struct ksmbd_work *work, u64 id)
{
struct ksmbd_file *fp;
struct ksmbd_file_table *ft;
- if (!HAS_FILE_ID(id))
+ if (!has_file_id(id))
return 0;
ft = &work->sess->file_table;
@@ -403,12 +406,12 @@ static bool __sanity_check(struct ksmbd_tree_connect *tcon, struct ksmbd_file *f
return true;
}
-struct ksmbd_file *ksmbd_lookup_foreign_fd(struct ksmbd_work *work, unsigned int id)
+struct ksmbd_file *ksmbd_lookup_foreign_fd(struct ksmbd_work *work, u64 id)
{
return __ksmbd_lookup_fd(&work->sess->file_table, id);
}
-struct ksmbd_file *ksmbd_lookup_fd_fast(struct ksmbd_work *work, unsigned int id)
+struct ksmbd_file *ksmbd_lookup_fd_fast(struct ksmbd_work *work, u64 id)
{
struct ksmbd_file *fp = __ksmbd_lookup_fd(&work->sess->file_table, id);
@@ -419,19 +422,16 @@ struct ksmbd_file *ksmbd_lookup_fd_fast(struct ksmbd_work *work, unsigned int id
return NULL;
}
-struct ksmbd_file *ksmbd_lookup_fd_slow(struct ksmbd_work *work, unsigned int id,
- unsigned int pid)
+struct ksmbd_file *ksmbd_lookup_fd_slow(struct ksmbd_work *work, u64 id,
+ u64 pid)
{
struct ksmbd_file *fp;
- if (!HAS_FILE_ID(id)) {
+ if (!has_file_id(id)) {
id = work->compound_fid;
pid = work->compound_pfid;
}
- if (!HAS_FILE_ID(id))
- return NULL;
-
fp = __ksmbd_lookup_fd(&work->sess->file_table, id);
if (!__sanity_check(work->tcon, fp)) {
ksmbd_fd_put(work, fp);
@@ -493,7 +493,7 @@ struct ksmbd_file *ksmbd_lookup_fd_inode(struct inode *inode)
#define OPEN_ID_TYPE_VOLATILE_ID (0)
#define OPEN_ID_TYPE_PERSISTENT_ID (1)
-static void __open_id_set(struct ksmbd_file *fp, unsigned int id, int type)
+static void __open_id_set(struct ksmbd_file *fp, u64 id, int type)
{
if (type == OPEN_ID_TYPE_VOLATILE_ID)
fp->volatile_id = id;
@@ -504,7 +504,7 @@ static void __open_id_set(struct ksmbd_file *fp, unsigned int id, int type)
static int __open_id(struct ksmbd_file_table *ft, struct ksmbd_file *fp,
int type)
{
- unsigned int id = 0;
+ u64 id = 0;
int ret;
if (type == OPEN_ID_TYPE_VOLATILE_ID && fd_limit_depleted()) {
@@ -514,7 +514,7 @@ static int __open_id(struct ksmbd_file_table *ft, struct ksmbd_file *fp,
idr_preload(GFP_KERNEL);
write_lock(&ft->lock);
- ret = idr_alloc_cyclic(ft->idr, fp, 0, INT_MAX, GFP_NOWAIT);
+ ret = idr_alloc_cyclic(ft->idr, fp, 0, INT_MAX - 1, GFP_NOWAIT);
if (ret >= 0) {
id = ret;
ret = 0;
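Review bot: idr_alloc_cyclic() treats its end argument as exclusive, so the old bound of INT_MAX already capped ids at INT_MAX - 1, which is below the new KSMBD_NO_FID (INT_MAX); with INT_MAX - 1 the highest id handed out becomes INT_MAX - 2. If the extra reserved value is intentional, say so in a comment next to the call. Otherwise pass KSMBD_NO_FID as the bound, so the allocator limit and has_file_id() cannot drift apart.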
diff --git a/fs/ksmbd/vfs_cache.h b/fs/ksmbd/vfs_cache.h
index 543494f664cb..70e987293564 100644
--- a/fs/ksmbd/vfs_cache.h
+++ b/fs/ksmbd/vfs_cache.h
@@ -22,7 +22,7 @@
#define FILE_GENERIC_EXECUTE 0X1200a0
#define KSMBD_START_FID 0
-#define KSMBD_NO_FID (UINT_MAX)
+#define KSMBD_NO_FID (INT_MAX)
#define SMB2_NO_FID (0xFFFFFFFFFFFFFFFFULL)
struct ksmbd_conn;
@@ -62,8 +62,8 @@ struct ksmbd_inode {
struct ksmbd_file {
struct file *filp;
char *filename;
- unsigned int persistent_id;
- unsigned int volatile_id;
+ u64 persistent_id;
+ u64 volatile_id;
spinlock_t f_lock;
@@ -122,10 +122,8 @@ struct ksmbd_file_table {
struct idr *idr;
};
-static inline bool HAS_FILE_ID(unsigned long long req)
+static inline bool has_file_id(u64 id)
{
- unsigned int id = (unsigned int)req;
-
return id < KSMBD_NO_FID;
}
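Review bot: has_file_id() needs a short comment explaining the bound, because the behaviour change here is the substance of the patch and the commit text visible on this page does not describe it. The removed `unsigned int id = (unsigned int)req;` truncated the 64-bit wire value before comparing, so a request id with non-zero upper bits and a valid low 32 bits was accepted and then looked up as the truncated id. The new form compares the full u64 against KSMBD_NO_FID (INT_MAX), which also still rejects SMB2_NO_FID. Please state in the comment that ids are idr-allocated ints and that anything at or above INT_MAX is treated as "no file id".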
@@ -136,11 +134,11 @@ static inline bool ksmbd_stream_fd(struct ksmbd_file *fp)
int ksmbd_init_file_table(struct ksmbd_file_table *ft);
void ksmbd_destroy_file_table(struct ksmbd_file_table *ft);
-int ksmbd_close_fd(struct ksmbd_work *work, unsigned int id);
-struct ksmbd_file *ksmbd_lookup_fd_fast(struct ksmbd_work *work, unsigned int id);
-struct ksmbd_file *ksmbd_lookup_foreign_fd(struct ksmbd_work *work, unsigned int id);
-struct ksmbd_file *ksmbd_lookup_fd_slow(struct ksmbd_work *work, unsigned int id,
- unsigned int pid);
+int ksmbd_close_fd(struct ksmbd_work *work, u64 id);
+struct ksmbd_file *ksmbd_lookup_fd_fast(struct ksmbd_work *work, u64 id);
+struct ksmbd_file *ksmbd_lookup_foreign_fd(struct ksmbd_work *work, u64 id);
+struct ksmbd_file *ksmbd_lookup_fd_slow(struct ksmbd_work *work, u64 id,
+ u64 pid);
void ksmbd_fd_put(struct ksmbd_work *work, struct ksmbd_file *fp);
struct ksmbd_file *ksmbd_lookup_durable_fd(unsigned long long id);
struct ksmbd_file *ksmbd_lookup_fd_cguid(char *cguid);
From patchwork Mon Nov 14 12:51:17 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Jason Yan <yanaijie(a)huawei.com>
X-Patchwork-Id: 183265
Return-Path: <yanaijie(a)huawei.com>
From: Jason Yan <yanaijie(a)huawei.com>
To: <yanaijie(a)huawei.com>, <zhengzengkai(a)huawei.com>, <xiexiuqi(a)huawei.com>,
<yi.zhang(a)huawei.com>, <patchwork(a)huawei.com>, <kernel.openeuler(a)huawei.com>,
<houtao1(a)huawei.com>
Subject: [PATCH OLK-5.10 v2 168/308] ksmbd: delete some stray tabs
Date: Mon, 14 Nov 2022 20:51:17 +0800
Message-ID: <20221114125337.1831594-169-yanaijie(a)huawei.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20221114125337.1831594-1-yanaijie(a)huawei.com>
References: <20221114125337.1831594-1-yanaijie(a)huawei.com>
Content-Type: text/plain
MIME-Version: 1.0
From: Dan Carpenter <dan.carpenter(a)oracle.com>
mainline inclusion
from mainline-5.15-rc1
commit 0f6619aee86f11cee0c5063777c4febdf18cb28b
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G
CVE: NA
Reference: https://git.kernel.org/torvalds/linux/c/0f6619aee86f
-------------------------------
These lines are indented one tab too far.
Signed-off-by: Dan Carpenter <dan.carpenter(a)oracle.com>
Signed-off-by: Namjae Jeon <namjae.jeon(a)samsung.com>
Signed-off-by: Steve French <stfrench(a)microsoft.com>
Signed-off-by: Jason Yan <yanaijie(a)huawei.com>
---
fs/ksmbd/smb2pdu.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/fs/ksmbd/smb2pdu.c b/fs/ksmbd/smb2pdu.c
index 56759c254962..a1c284c49e41 100644
--- a/fs/ksmbd/smb2pdu.c
+++ b/fs/ksmbd/smb2pdu.c
@@ -6656,7 +6656,7 @@ int smb2_lock(struct ksmbd_work *work)
cmp_lock->start < smb_lock->end) {
pr_err("previous lock conflict with zero byte lock range\n");
rsp->hdr.Status = STATUS_LOCK_NOT_GRANTED;
- goto out;
+ goto out;
}
if (smb_lock->zero_len && !cmp_lock->zero_len &&
@@ -6664,7 +6664,7 @@ int smb2_lock(struct ksmbd_work *work)
smb_lock->start < cmp_lock->end) {
pr_err("current lock conflict with zero byte lock range\n");
rsp->hdr.Status = STATUS_LOCK_NOT_GRANTED;
- goto out;
+ goto out;
}
if (((cmp_lock->start <= smb_lock->start &&
From patchwork Mon Nov 14 12:51:18 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Jason Yan <yanaijie(a)huawei.com>
X-Patchwork-Id: 183266
Return-Path: <yanaijie(a)huawei.com>
From: Jason Yan <yanaijie(a)huawei.com>
To: <yanaijie(a)huawei.com>, <zhengzengkai(a)huawei.com>, <xiexiuqi(a)huawei.com>,
<yi.zhang(a)huawei.com>, <patchwork(a)huawei.com>, <kernel.openeuler(a)huawei.com>,
<houtao1(a)huawei.com>
Subject: [PATCH OLK-5.10 v2 169/308] ksmbd: use kasprintf() in
ksmbd_vfs_xattr_stream_name()
Date: Mon, 14 Nov 2022 20:51:18 +0800
Message-ID: <20221114125337.1831594-170-yanaijie(a)huawei.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20221114125337.1831594-1-yanaijie(a)huawei.com>
References: <20221114125337.1831594-1-yanaijie(a)huawei.com>
Content-Type: text/plain
MIME-Version: 1.0
From: Dan Carpenter <dan.carpenter(a)oracle.com>
mainline inclusion
from mainline-5.15-rc1
commit 07781de9051859d2f38a9e199384c64bb1924c47
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G
CVE: NA
Reference: https://git.kernel.org/torvalds/linux/c/07781de90518
-------------------------------
Simplify the code by using kasprintf(). This also silences a Smatch
warning:
fs/ksmbd/vfs.c:1725 ksmbd_vfs_xattr_stream_name()
warn: inconsistent indenting
Signed-off-by: Dan Carpenter <dan.carpenter(a)oracle.com>
Signed-off-by: Namjae Jeon <namjae.jeon(a)samsung.com>
Signed-off-by: Steve French <stfrench(a)microsoft.com>
Signed-off-by: Jason Yan <yanaijie(a)huawei.com>
---
fs/ksmbd/vfs.c | 27 ++++++---------------------
1 file changed, 6 insertions(+), 21 deletions(-)
diff --git a/fs/ksmbd/vfs.c b/fs/ksmbd/vfs.c
index 63aea927d71e..f6eb746fbd03 100644
--- a/fs/ksmbd/vfs.c
+++ b/fs/ksmbd/vfs.c
@@ -1651,35 +1651,20 @@ ssize_t ksmbd_vfs_casexattr_len(struct dentry *dentry, char *attr_name,
int ksmbd_vfs_xattr_stream_name(char *stream_name, char **xattr_stream_name,
size_t *xattr_stream_name_size, int s_type)
{
- int stream_name_size;
- char *xattr_stream_name_buf;
- char *type;
- int type_len;
+ char *type, *buf;
if (s_type == DIR_STREAM)
type = ":$INDEX_ALLOCATION";
else
type = ":$DATA";
- type_len = strlen(type);
- stream_name_size = strlen(stream_name);
- *xattr_stream_name_size = stream_name_size + XATTR_NAME_STREAM_LEN + 1;
- xattr_stream_name_buf = kmalloc(*xattr_stream_name_size + type_len,
- GFP_KERNEL);
- if (!xattr_stream_name_buf)
+ buf = kasprintf(GFP_KERNEL, "%s%s%s",
+ XATTR_NAME_STREAM, stream_name, type);
+ if (!buf)
return -ENOMEM;
- memcpy(xattr_stream_name_buf, XATTR_NAME_STREAM, XATTR_NAME_STREAM_LEN);
-
- if (stream_name_size) {
- memcpy(&xattr_stream_name_buf[XATTR_NAME_STREAM_LEN],
- stream_name, stream_name_size);
- }
- memcpy(&xattr_stream_name_buf[*xattr_stream_name_size - 1], type, type_len);
- *xattr_stream_name_size += type_len;
-
- xattr_stream_name_buf[*xattr_stream_name_size - 1] = '\0';
- *xattr_stream_name = xattr_stream_name_buf;
+ *xattr_stream_name = buf;
+ *xattr_stream_name_size = strlen(buf) + 1;
return 0;
}
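Review bot: `*xattr_stream_name_size = strlen(buf) + 1;` keeps the old contract (prefix + stream name + type + terminating NUL), but nothing in ksmbd_vfs_xattr_stream_name() says that the size includes the NUL, and callers depend on it. Add a one-line comment or kernel-doc for the out-parameter. Also note one behavioural difference from the removed code: a NULL stream_name used to fault in strlen(), whereas kasprintf() with "%s" formats it as "(null)" and returns success, so if NULL can reach this function it should be rejected explicitly before the kasprintf() call.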
From patchwork Mon Nov 14 12:51:19 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Jason Yan <yanaijie(a)huawei.com>
X-Patchwork-Id: 183267
Return-Path: <yanaijie(a)huawei.com>
From: Jason Yan <yanaijie(a)huawei.com>
To: <yanaijie(a)huawei.com>, <zhengzengkai(a)huawei.com>, <xiexiuqi(a)huawei.com>,
<yi.zhang(a)huawei.com>, <patchwork(a)huawei.com>, <kernel.openeuler(a)huawei.com>,
<houtao1(a)huawei.com>
Subject: [PATCH OLK-5.10 v2 170/308] ksmbd: fix the running request count
decrement
Date: Mon, 14 Nov 2022 20:51:19 +0800
Message-ID: <20221114125337.1831594-171-yanaijie(a)huawei.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20221114125337.1831594-1-yanaijie(a)huawei.com>
References: <20221114125337.1831594-1-yanaijie(a)huawei.com>
Content-Type: text/plain
MIME-Version: 1.0
From: Hyunchul Lee <hyc.lee(a)gmail.com>
mainline inclusion
from mainline-5.15-rc1
commit 4b92841ef27b56883fa4491a3d51db3eef68c481
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G
CVE: NA
Reference: https://git.kernel.org/torvalds/linux/c/4b92841ef27b
-------------------------------
Decrement the count of running requests after
sending the last response for multi-response
requests.
Signed-off-by: Hyunchul Lee <hyc.lee(a)gmail.com>
Signed-off-by: Namjae Jeon <namjae.jeon(a)samsung.com>
Signed-off-by: Steve French <stfrench(a)microsoft.com>
Signed-off-by: Jason Yan <yanaijie(a)huawei.com>
---
fs/ksmbd/connection.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/fs/ksmbd/connection.c b/fs/ksmbd/connection.c
index 928e22e19def..6e51e08addee 100644
--- a/fs/ksmbd/connection.c
+++ b/fs/ksmbd/connection.c
@@ -120,7 +120,8 @@ int ksmbd_conn_try_dequeue_request(struct ksmbd_work *work)
list_empty(&work->async_request_entry))
return 0;
- atomic_dec(&conn->req_running);
+ if (!work->multiRsp)
+ atomic_dec(&conn->req_running);
spin_lock(&conn->request_lock);
if (!work->multiRsp) {
list_del_init(&work->request_entry);
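Review bot: in ksmbd_conn_try_dequeue_request() the new `if (!work->multiRsp)` in front of atomic_dec() repeats the test that follows immediately under conn->request_lock, and the first read happens outside that lock. Either move the atomic_dec() into the existing `if (!work->multiRsp) {` block or explain why the two reads cannot disagree. The hunk also only skips the decrement for multi-response work; the commit message says the count is dropped after the last response, so point to where that happens (or add it), otherwise req_running can stay elevated for such requests.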
From patchwork Mon Nov 14 12:51:20 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Jason Yan <yanaijie(a)huawei.com>
X-Patchwork-Id: 183268
Return-Path: <yanaijie(a)huawei.com>
From: Jason Yan <yanaijie(a)huawei.com>
To: <yanaijie(a)huawei.com>, <zhengzengkai(a)huawei.com>, <xiexiuqi(a)huawei.com>,
<yi.zhang(a)huawei.com>, <patchwork(a)huawei.com>, <kernel.openeuler(a)huawei.com>,
<houtao1(a)huawei.com>
Subject: [PATCH OLK-5.10 v2 171/308] ksmbd: free ksmbd_lock when file is
closed
Date: Mon, 14 Nov 2022 20:51:20 +0800
Message-ID: <20221114125337.1831594-172-yanaijie(a)huawei.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20221114125337.1831594-1-yanaijie(a)huawei.com>
References: <20221114125337.1831594-1-yanaijie(a)huawei.com>
Content-Type: text/plain
MIME-Version: 1.0
From: Hyunchul Lee <hyc.lee(a)gmail.com>
mainline inclusion
from mainline-5.15-rc1
commit d63528eb0d43c4796c42aad56889dec12cf4e122
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G
CVE: NA
Reference: https://git.kernel.org/torvalds/linux/c/d63528eb0d43
-------------------------------
Append ksmbd_lock into the connection's
lock list and the ksmbd_file's lock list.
And when a file is closed, detach ksmbd_lock
from these lists and free it.
Signed-off-by: Hyunchul Lee <hyc.lee(a)gmail.com>
Signed-off-by: Namjae Jeon <namjae.jeon(a)samsung.com>
Signed-off-by: Steve French <stfrench(a)microsoft.com>
Signed-off-by: Jason Yan <yanaijie(a)huawei.com>
---
fs/ksmbd/connection.c | 7 +-
fs/ksmbd/connection.h | 6 ++
fs/ksmbd/smb2pdu.c | 154 ++++++++++++++++++++++++++----------------
fs/ksmbd/smb_common.c | 2 -
fs/ksmbd/smb_common.h | 2 -
fs/ksmbd/vfs_cache.c | 16 +++++
fs/ksmbd/vfs_cache.h | 4 +-
7 files changed, 125 insertions(+), 66 deletions(-)
diff --git a/fs/ksmbd/connection.c b/fs/ksmbd/connection.c
index 6e51e08addee..8430848bea45 100644
--- a/fs/ksmbd/connection.c
+++ b/fs/ksmbd/connection.c
@@ -19,8 +19,8 @@ static DEFINE_MUTEX(init_lock);
static struct ksmbd_conn_ops default_conn_ops;
-static LIST_HEAD(conn_list);
-static DEFINE_RWLOCK(conn_list_lock);
+LIST_HEAD(conn_list);
+DEFINE_RWLOCK(conn_list_lock);
/**
* ksmbd_conn_free() - free resources of the connection instance
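Review bot: dropping `static` from conn_list and conn_list_lock puts two very generic symbol names into the kernel's global namespace, and it lets smb2pdu.c walk the connection list directly. Prefer a ksmbd_ prefix on both symbols, or keep them static and export a small iterator/helper from connection.c so the locking rules for the list stay in one file.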
@@ -70,6 +70,9 @@ struct ksmbd_conn *ksmbd_conn_alloc(void)
spin_lock_init(&conn->credits_lock);
ida_init(&conn->async_ida);
+ spin_lock_init(&conn->llist_lock);
+ INIT_LIST_HEAD(&conn->lock_list);
+
write_lock(&conn_list_lock);
list_add(&conn->conns_list, &conn_list);
write_unlock(&conn_list_lock);
diff --git a/fs/ksmbd/connection.h b/fs/ksmbd/connection.h
index 98108b41f739..487c2024b0d5 100644
--- a/fs/ksmbd/connection.h
+++ b/fs/ksmbd/connection.h
@@ -79,6 +79,9 @@ struct ksmbd_conn {
char *ntlmssp_cryptkey;
};
+ spinlock_t llist_lock;
+ struct list_head lock_list;
+
struct preauth_integrity_info *preauth_info;
bool need_neg;
@@ -138,6 +141,9 @@ struct ksmbd_transport {
#define KSMBD_TCP_SEND_TIMEOUT (5 * HZ)
#define KSMBD_TCP_PEER_SOCKADDR(c) ((struct sockaddr *)&((c)->peer_addr))
+extern struct list_head conn_list;
+extern rwlock_t conn_list_lock;
+
bool ksmbd_conn_alive(struct ksmbd_conn *conn);
void ksmbd_conn_wait_idle(struct ksmbd_conn *conn);
struct ksmbd_conn *ksmbd_conn_alloc(void);
diff --git a/fs/ksmbd/smb2pdu.c b/fs/ksmbd/smb2pdu.c
index a1c284c49e41..3cff00fed97e 100644
--- a/fs/ksmbd/smb2pdu.c
+++ b/fs/ksmbd/smb2pdu.c
@@ -6470,8 +6470,9 @@ static struct ksmbd_lock *smb2_lock_init(struct file_lock *flock,
lock->flags = flags;
if (lock->start == lock->end)
lock->zero_len = 1;
+ INIT_LIST_HEAD(&lock->clist);
+ INIT_LIST_HEAD(&lock->flist);
INIT_LIST_HEAD(&lock->llist);
- INIT_LIST_HEAD(&lock->glist);
list_add_tail(&lock->llist, lock_list);
return lock;
@@ -6510,7 +6511,8 @@ int smb2_lock(struct ksmbd_work *work)
int cmd = 0;
int err = 0, i;
u64 lock_start, lock_length;
- struct ksmbd_lock *smb_lock = NULL, *cmp_lock, *tmp;
+ struct ksmbd_lock *smb_lock = NULL, *cmp_lock, *tmp, *tmp2;
+ struct ksmbd_conn *conn;
int nolock = 0;
LIST_HEAD(lock_list);
LIST_HEAD(rollback_list);
@@ -6619,72 +6621,89 @@ int smb2_lock(struct ksmbd_work *work)
if (!(smb_lock->flags & SMB2_LOCKFLAG_UNLOCK) &&
!(smb_lock->flags & SMB2_LOCKFLAG_FAIL_IMMEDIATELY))
- goto no_check_gl;
+ goto no_check_cl;
nolock = 1;
- /* check locks in global list */
- list_for_each_entry(cmp_lock, &global_lock_list, glist) {
- if (file_inode(cmp_lock->fl->fl_file) !=
- file_inode(smb_lock->fl->fl_file))
- continue;
+ /* check locks in connection list */
+ read_lock(&conn_list_lock);
+ list_for_each_entry(conn, &conn_list, conns_list) {
+ spin_lock(&conn->llist_lock);
+ list_for_each_entry_safe(cmp_lock, tmp2, &conn->lock_list, clist) {
+ if (file_inode(cmp_lock->fl->fl_file) !=
+ file_inode(smb_lock->fl->fl_file))
+ continue;
- if (smb_lock->fl->fl_type == F_UNLCK) {
- if (cmp_lock->fl->fl_file == smb_lock->fl->fl_file &&
- cmp_lock->start == smb_lock->start &&
- cmp_lock->end == smb_lock->end &&
- !lock_defer_pending(cmp_lock->fl)) {
- nolock = 0;
- locks_free_lock(cmp_lock->fl);
- list_del(&cmp_lock->glist);
- kfree(cmp_lock);
- break;
+ if (smb_lock->fl->fl_type == F_UNLCK) {
+ if (cmp_lock->fl->fl_file == smb_lock->fl->fl_file &&
+ cmp_lock->start == smb_lock->start &&
+ cmp_lock->end == smb_lock->end &&
+ !lock_defer_pending(cmp_lock->fl)) {
+ nolock = 0;
+ list_del(&cmp_lock->flist);
+ list_del(&cmp_lock->clist);
+ spin_unlock(&conn->llist_lock);
+ read_unlock(&conn_list_lock);
+
+ locks_free_lock(cmp_lock->fl);
+ kfree(cmp_lock);
+ goto out_check_cl;
+ }
+ continue;
}
- continue;
- }
- if (cmp_lock->fl->fl_file == smb_lock->fl->fl_file) {
- if (smb_lock->flags & SMB2_LOCKFLAG_SHARED)
- continue;
- } else {
- if (cmp_lock->flags & SMB2_LOCKFLAG_SHARED)
- continue;
- }
+ if (cmp_lock->fl->fl_file == smb_lock->fl->fl_file) {
+ if (smb_lock->flags & SMB2_LOCKFLAG_SHARED)
+ continue;
+ } else {
+ if (cmp_lock->flags & SMB2_LOCKFLAG_SHARED)
+ continue;
+ }
- /* check zero byte lock range */
- if (cmp_lock->zero_len && !smb_lock->zero_len &&
- cmp_lock->start > smb_lock->start &&
- cmp_lock->start < smb_lock->end) {
- pr_err("previous lock conflict with zero byte lock range\n");
- rsp->hdr.Status = STATUS_LOCK_NOT_GRANTED;
- goto out;
- }
+ /* check zero byte lock range */
+ if (cmp_lock->zero_len && !smb_lock->zero_len &&
+ cmp_lock->start > smb_lock->start &&
+ cmp_lock->start < smb_lock->end) {
+ spin_unlock(&conn->llist_lock);
+ read_unlock(&conn_list_lock);
+ pr_err("previous lock conflict with zero byte lock range\n");
+ rsp->hdr.Status = STATUS_LOCK_NOT_GRANTED;
+ goto out;
+ }
- if (smb_lock->zero_len && !cmp_lock->zero_len &&
- smb_lock->start > cmp_lock->start &&
- smb_lock->start < cmp_lock->end) {
- pr_err("current lock conflict with zero byte lock range\n");
- rsp->hdr.Status = STATUS_LOCK_NOT_GRANTED;
- goto out;
- }
+ if (smb_lock->zero_len && !cmp_lock->zero_len &&
+ smb_lock->start > cmp_lock->start &&
+ smb_lock->start < cmp_lock->end) {
+ spin_unlock(&conn->llist_lock);
+ read_unlock(&conn_list_lock);
+ pr_err("current lock conflict with zero byte lock range\n");
+ rsp->hdr.Status = STATUS_LOCK_NOT_GRANTED;
+ goto out;
+ }
- if (((cmp_lock->start <= smb_lock->start &&
- cmp_lock->end > smb_lock->start) ||
- (cmp_lock->start < smb_lock->end && cmp_lock->end >= smb_lock->end)) &&
- !cmp_lock->zero_len && !smb_lock->zero_len) {
- pr_err("Not allow lock operation on exclusive lock range\n");
- rsp->hdr.Status =
- STATUS_LOCK_NOT_GRANTED;
- goto out;
+ if (((cmp_lock->start <= smb_lock->start &&
+ cmp_lock->end > smb_lock->start) ||
+ (cmp_lock->start < smb_lock->end &&
+ cmp_lock->end >= smb_lock->end)) &&
+ !cmp_lock->zero_len && !smb_lock->zero_len) {
+ spin_unlock(&conn->llist_lock);
+ read_unlock(&conn_list_lock);
+ pr_err("Not allow lock operation on exclusive lock range\n");
+ rsp->hdr.Status =
+ STATUS_LOCK_NOT_GRANTED;
+ goto out;
+ }
}
+ spin_unlock(&conn->llist_lock);
}
-
+ read_unlock(&conn_list_lock);
+out_check_cl:
if (smb_lock->fl->fl_type == F_UNLCK && nolock) {
pr_err("Try to unlock nolocked range\n");
rsp->hdr.Status = STATUS_RANGE_NOT_LOCKED;
goto out;
}
-no_check_gl:
+no_check_cl:
if (smb_lock->zero_len) {
err = 0;
goto skip;
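Review bot: the connection scan in smb2_lock() now has five early exits (the F_UNLCK match and four conflict paths), each repeating the pair `spin_unlock(&conn->llist_lock); read_unlock(&conn_list_lock);` by hand, so a future edit that adds a sixth exit can easily leave one of the locks held. Route the conflict exits through a single label that drops both locks before `goto out`, and add a comment stating the lock order (conn_list_lock for read, then the per-connection llist_lock). Also worth documenting next to the F_UNLCK branch: cmp_lock is unlinked from clist and flist while locked and only freed after both locks are released, which is the property that keeps concurrent scanners from seeing a freed entry.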
@@ -6710,8 +6729,10 @@ int smb2_lock(struct ksmbd_work *work)
ksmbd_debug(SMB,
"would have to wait for getting lock\n");
- list_add_tail(&smb_lock->glist,
- &global_lock_list);
+ spin_lock(&work->conn->llist_lock);
+ list_add_tail(&smb_lock->clist,
+ &work->conn->lock_list);
+ spin_unlock(&work->conn->llist_lock);
list_add(&smb_lock->llist, &rollback_list);
argv = kmalloc(sizeof(void *), GFP_KERNEL);
@@ -6739,7 +6760,9 @@ int smb2_lock(struct ksmbd_work *work)
if (work->state != KSMBD_WORK_ACTIVE) {
list_del(&smb_lock->llist);
- list_del(&smb_lock->glist);
+ spin_lock(&work->conn->llist_lock);
+ list_del(&smb_lock->clist);
+ spin_unlock(&work->conn->llist_lock);
locks_free_lock(flock);
if (work->state == KSMBD_WORK_CANCELLED) {
@@ -6763,14 +6786,21 @@ int smb2_lock(struct ksmbd_work *work)
}
list_del(&smb_lock->llist);
- list_del(&smb_lock->glist);
+ spin_lock(&work->conn->llist_lock);
+ list_del(&smb_lock->clist);
+ spin_unlock(&work->conn->llist_lock);
+
spin_lock(&fp->f_lock);
list_del(&work->fp_entry);
spin_unlock(&fp->f_lock);
goto retry;
} else if (!err) {
- list_add_tail(&smb_lock->glist,
- &global_lock_list);
+ spin_lock(&work->conn->llist_lock);
+ list_add_tail(&smb_lock->clist,
+ &work->conn->lock_list);
+ list_add_tail(&smb_lock->flist,
+ &fp->lock_list);
+ spin_unlock(&work->conn->llist_lock);
list_add(&smb_lock->llist, &rollback_list);
ksmbd_debug(SMB, "successful in taking lock\n");
} else {
@@ -6809,8 +6839,14 @@ int smb2_lock(struct ksmbd_work *work)
err = vfs_lock_file(filp, 0, rlock, NULL);
if (err)
pr_err("rollback unlock fail : %d\n", err);
+
list_del(&smb_lock->llist);
- list_del(&smb_lock->glist);
+ spin_lock(&work->conn->llist_lock);
+ if (!list_empty(&smb_lock->flist))
+ list_del(&smb_lock->flist);
+ list_del(&smb_lock->clist);
+ spin_unlock(&work->conn->llist_lock);
+
locks_free_lock(smb_lock->fl);
locks_free_lock(rlock);
kfree(smb_lock);
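Review bot: the rollback path guards `list_del(&smb_lock->flist)` with `!list_empty(&smb_lock->flist)`, while the F_UNLCK branch earlier in smb2_lock() calls `list_del(&cmp_lock->flist)` unconditionally, and entries queued through the "would have to wait" path are only ever added to clist. Pick one convention for both places (for example list_del_init() on flist everywhere) so that it is obvious an entry that never reached fp->lock_list is handled safely, and say in a comment that flist is protected by the owning connection's llist_lock.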
diff --git a/fs/ksmbd/smb_common.c b/fs/ksmbd/smb_common.c
index b573575a1de5..61686d739ffc 100644
--- a/fs/ksmbd/smb_common.c
+++ b/fs/ksmbd/smb_common.c
@@ -23,8 +23,6 @@ static const char basechars[43] = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ_-!@#$%";
#define mangle(V) ((char)(basechars[(V) % MANGLE_BASE]))
#define KSMBD_MIN_SUPPORTED_HEADER_SIZE (sizeof(struct smb2_hdr))
-LIST_HEAD(global_lock_list);
-
struct smb_protocol {
int index;
char *name;
diff --git a/fs/ksmbd/smb_common.h b/fs/ksmbd/smb_common.h
index 8489b92229fa..95f297177c1a 100644
--- a/fs/ksmbd/smb_common.h
+++ b/fs/ksmbd/smb_common.h
@@ -48,8 +48,6 @@
#define CIFS_DEFAULT_IOSIZE (64 * 1024)
#define MAX_CIFS_SMALL_BUFFER_SIZE 448 /* big enough for most */
-extern struct list_head global_lock_list;
-
/* RFC 1002 session packet types */
#define RFC1002_SESSION_MESSAGE 0x00
#define RFC1002_SESSION_REQUEST 0x81
diff --git a/fs/ksmbd/vfs_cache.c b/fs/ksmbd/vfs_cache.c
index f9012016bada..f5b3f94b7f9b 100644
--- a/fs/ksmbd/vfs_cache.c
+++ b/fs/ksmbd/vfs_cache.c
@@ -301,6 +301,7 @@ static void __ksmbd_remove_fd(struct ksmbd_file_table *ft, struct ksmbd_file *fp
static void __ksmbd_close_fd(struct ksmbd_file_table *ft, struct ksmbd_file *fp)
{
struct file *filp;
+ struct ksmbd_lock *smb_lock, *tmp_lock;
fd_limit_close();
__ksmbd_remove_durable_fd(fp);
@@ -312,6 +313,20 @@ static void __ksmbd_close_fd(struct ksmbd_file_table *ft, struct ksmbd_file *fp)
__ksmbd_inode_close(fp);
if (!IS_ERR_OR_NULL(filp))
fput(filp);
+
+ /* because the reference count of fp is 0, it is guaranteed that
+ * there are not accesses to fp->lock_list.
+ */
+ list_for_each_entry_safe(smb_lock, tmp_lock, &fp->lock_list, flist) {
+ spin_lock(&fp->conn->llist_lock);
+ list_del(&smb_lock->clist);
+ spin_unlock(&fp->conn->llist_lock);
+
+ list_del(&smb_lock->flist);
+ locks_free_lock(smb_lock->fl);
+ kfree(smb_lock);
+ }
+
kfree(fp->filename);
if (ksmbd_stream_fd(fp))
kfree(fp->stream.name);
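Review bot: in __ksmbd_close_fd() the new loop runs after `fput(filp)`, but until each smb_lock is removed from clist it is still reachable from conn->lock_list, where the scan in smb2_lock() dereferences `cmp_lock->fl->fl_file` under llist_lock. The comment only argues that nobody touches fp->lock_list once the refcount is 0; it does not cover that second path through the connection list. Please either detach and free the locks before the fput(), or extend the comment to explain why a scanner on another connection cannot observe an entry whose fl_file has already been released.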
@@ -548,6 +563,7 @@ struct ksmbd_file *ksmbd_open_fd(struct ksmbd_work *work, struct file *filp)
INIT_LIST_HEAD(&fp->blocked_works);
INIT_LIST_HEAD(&fp->node);
+ INIT_LIST_HEAD(&fp->lock_list);
spin_lock_init(&fp->f_lock);
atomic_set(&fp->refcount, 1);
diff --git a/fs/ksmbd/vfs_cache.h b/fs/ksmbd/vfs_cache.h
index 70e987293564..70dfe6a99f13 100644
--- a/fs/ksmbd/vfs_cache.h
+++ b/fs/ksmbd/vfs_cache.h
@@ -30,7 +30,8 @@ struct ksmbd_session;
struct ksmbd_lock {
struct file_lock *fl;
- struct list_head glist;
+ struct list_head clist;
+ struct list_head flist;
struct list_head llist;
unsigned int flags;
int cmd;
@@ -91,6 +92,7 @@ struct ksmbd_file {
struct stream stream;
struct list_head node;
struct list_head blocked_works;
+ struct list_head lock_list;
int durable_timeout;
From patchwork Mon Nov 14 12:51:21 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Jason Yan <yanaijie(a)huawei.com>
X-Patchwork-Id: 183269
From: Jason Yan <yanaijie(a)huawei.com>
To: <yanaijie(a)huawei.com>, <zhengzengkai(a)huawei.com>, <xiexiuqi(a)huawei.com>,
<yi.zhang(a)huawei.com>, <patchwork(a)huawei.com>, <kernel.openeuler(a)huawei.com>,
<houtao1(a)huawei.com>
Subject: [PATCH OLK-5.10 v2 172/308] ksmbd: uninterruptible wait for a file
being unlocked
Date: Mon, 14 Nov 2022 20:51:21 +0800
Message-ID: <20221114125337.1831594-173-yanaijie(a)huawei.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20221114125337.1831594-1-yanaijie(a)huawei.com>
References: <20221114125337.1831594-1-yanaijie(a)huawei.com>
From: Hyunchul Lee <hyc.lee(a)gmail.com>
mainline inclusion
from mainline-5.15-rc1
commit 45a64e8b08493b768fa029a5508cec8cf2b89f2d
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G
CVE: NA
Reference: https://git.kernel.org/torvalds/linux/c/45a64e8b0849
-------------------------------
the wait can be canceled by SMB2_CANCEL, SMB2_CLOSE,
SMB2_LOGOFF, disconnection or shutdown, we don't have
to use wait_event_interruptible.
And this removes the warning from Coverity:
CID 1502834 (#1 of 1): Unused value (UNUSED_VALUE)
returned_value: Assigning value from ksmbd_vfs_posix_lock_wait(flock)
to err here, but that stored value is overwritten before it can be used.
Signed-off-by: Hyunchul Lee <hyc.lee(a)gmail.com>
Signed-off-by: Namjae Jeon <namjae.jeon(a)samsung.com>
Signed-off-by: Steve French <stfrench(a)microsoft.com>
Signed-off-by: Jason Yan <yanaijie(a)huawei.com>
---
fs/ksmbd/smb2pdu.c | 2 +-
fs/ksmbd/vfs.c | 4 ++--
fs/ksmbd/vfs.h | 2 +-
3 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/fs/ksmbd/smb2pdu.c b/fs/ksmbd/smb2pdu.c
index 3cff00fed97e..91c199af51b7 100644
--- a/fs/ksmbd/smb2pdu.c
+++ b/fs/ksmbd/smb2pdu.c
@@ -6756,7 +6756,7 @@ int smb2_lock(struct ksmbd_work *work)
smb2_send_interim_resp(work, STATUS_PENDING);
- err = ksmbd_vfs_posix_lock_wait(flock);
+ ksmbd_vfs_posix_lock_wait(flock);
if (work->state != KSMBD_WORK_ACTIVE) {
list_del(&smb_lock->llist);
diff --git a/fs/ksmbd/vfs.c b/fs/ksmbd/vfs.c
index f6eb746fbd03..53fbcb95f3b3 100644
--- a/fs/ksmbd/vfs.c
+++ b/fs/ksmbd/vfs.c
@@ -1737,9 +1737,9 @@ int ksmbd_vfs_copy_file_ranges(struct ksmbd_work *work,
return 0;
}
-int ksmbd_vfs_posix_lock_wait(struct file_lock *flock)
+void ksmbd_vfs_posix_lock_wait(struct file_lock *flock)
{
- return wait_event_interruptible(flock->fl_wait, !flock->fl_blocker);
+ wait_event(flock->fl_wait, !flock->fl_blocker);
}
int ksmbd_vfs_posix_lock_wait_timeout(struct file_lock *flock, long timeout)
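Review bot: With wait_event() in ksmbd_vfs_posix_lock_wait(), the worker sleeps uninterruptibly until !flock->fl_blocker becomes true, so a signal can no longer get it out. The commit message lists SMB2_CANCEL, SMB2_CLOSE, SMB2_LOGOFF, disconnection and shutdown as the ways out; each of those paths has to both clear fl_blocker and wake fl_wait, otherwise the thread stays blocked in D state until the conflicting lock is released. Please name the function that performs the wake-up in the changelog or in a comment above this helper, and say why the _timeout variant declared below is not needed here.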
diff --git a/fs/ksmbd/vfs.h b/fs/ksmbd/vfs.h
index e30174a0e5a1..319316f49aee 100644
--- a/fs/ksmbd/vfs.h
+++ b/fs/ksmbd/vfs.h
@@ -159,7 +159,7 @@ int ksmbd_vfs_unlink(struct dentry *dir, struct dentry *dentry);
void *ksmbd_vfs_init_kstat(char **p, struct ksmbd_kstat *ksmbd_kstat);
int ksmbd_vfs_fill_dentry_attrs(struct ksmbd_work *work, struct dentry *dentry,
struct ksmbd_kstat *ksmbd_kstat);
-int ksmbd_vfs_posix_lock_wait(struct file_lock *flock);
+void ksmbd_vfs_posix_lock_wait(struct file_lock *flock);
int ksmbd_vfs_posix_lock_wait_timeout(struct file_lock *flock, long timeout);
void ksmbd_vfs_posix_lock_unblock(struct file_lock *flock);
int ksmbd_vfs_remove_acl_xattrs(struct dentry *dentry);
From patchwork Mon Nov 14 12:51:22 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Jason Yan <yanaijie(a)huawei.com>
X-Patchwork-Id: 183270
From: Jason Yan <yanaijie(a)huawei.com>
To: <yanaijie(a)huawei.com>, <zhengzengkai(a)huawei.com>, <xiexiuqi(a)huawei.com>,
<yi.zhang(a)huawei.com>, <patchwork(a)huawei.com>, <kernel.openeuler(a)huawei.com>,
<houtao1(a)huawei.com>
Subject: [PATCH OLK-5.10 v2 173/308] ksmbd: make smb2_find_context_vals return
NULL if not found
Date: Mon, 14 Nov 2022 20:51:22 +0800
Message-ID: <20221114125337.1831594-174-yanaijie(a)huawei.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20221114125337.1831594-1-yanaijie(a)huawei.com>
References: <20221114125337.1831594-1-yanaijie(a)huawei.com>
From: Hyunchul Lee <hyc.lee(a)gmail.com>
mainline inclusion
from mainline-5.15-rc1
commit ce154c32af3c60727171ff28ae97bcceda63b1c6
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G
CVE: NA
Reference: https://git.kernel.org/torvalds/linux/c/ce154c32af3c
-------------------------------
instead of -ENOENT, make smb2_find_context_vals
return NULL if the given context cannot be found.
Reported-by: Dan Carpenter <dan.carpenter(a)oracle.com>
Signed-off-by: Hyunchul Lee <hyc.lee(a)gmail.com>
Signed-off-by: Namjae Jeon <namjae.jeon(a)samsung.com>
Signed-off-by: Steve French <stfrench(a)microsoft.com>
Signed-off-by: Jason Yan <yanaijie(a)huawei.com>
---
fs/ksmbd/oplock.c | 2 +-
fs/ksmbd/smb2pdu.c | 14 +++++++-------
2 files changed, 8 insertions(+), 8 deletions(-)
diff --git a/fs/ksmbd/oplock.c b/fs/ksmbd/oplock.c
index a9f171ccf770..96e486ebf2e1 100644
--- a/fs/ksmbd/oplock.c
+++ b/fs/ksmbd/oplock.c
@@ -1472,7 +1472,7 @@ struct create_context *smb2_find_context_vals(void *open_req, const char *tag)
next = le32_to_cpu(cc->Next);
} while (next != 0);
- return ERR_PTR(-ENOENT);
+ return NULL;
}
/**
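Review bot: After "return NULL" for the not-found case, smb2_find_context_vals() has a three-way result: a valid pointer, NULL, or an error pointer, since the check_context_err() hunk in this same patch still handles -EINVAL. A caller that tests only IS_ERR() or only for NULL will mishandle one of the cases. The Return: line of the function's kernel-doc should spell out the error-pointer case, and every caller should be checked in this patch, not only the ones in smb2_open().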
diff --git a/fs/ksmbd/smb2pdu.c b/fs/ksmbd/smb2pdu.c
index 91c199af51b7..f158b7e104da 100644
--- a/fs/ksmbd/smb2pdu.c
+++ b/fs/ksmbd/smb2pdu.c
@@ -2127,7 +2127,7 @@ static inline int check_context_err(void *ctx, char *str)
int err;
err = PTR_ERR(ctx);
- ksmbd_debug(SMB, "find context %s err %d\n", str, err);
+ ksmbd_debug(SMB, "find context %s err %d\n", str, err ? err : -ENOENT);
if (err == -EINVAL) {
pr_err("bad name length\n");
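Review bot: check_context_err() still starts with err = PTR_ERR(ctx), but the callers in this patch now pass NULL for the not-found case, so the helper depends on PTR_ERR(NULL) evaluating to 0 and only patches the debug string with the ternary. Testing the pointer explicitly, for example "if (!ctx) return 0;" before the PTR_ERR() call, would make the NULL case explicit instead of implied.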
@@ -2514,7 +2514,7 @@ int smb2_open(struct ksmbd_work *work)
if (req->CreateContextsOffset) {
/* Parse non-durable handle create contexts */
context = smb2_find_context_vals(req, SMB2_CREATE_EA_BUFFER);
- if (IS_ERR(context)) {
+ if (IS_ERR_OR_NULL(context)) {
rc = check_context_err(context, SMB2_CREATE_EA_BUFFER);
if (rc < 0)
goto err_out1;
@@ -2529,7 +2529,7 @@ int smb2_open(struct ksmbd_work *work)
context = smb2_find_context_vals(req,
SMB2_CREATE_QUERY_MAXIMAL_ACCESS_REQUEST);
- if (IS_ERR(context)) {
+ if (IS_ERR_OR_NULL(context)) {
rc = check_context_err(context,
SMB2_CREATE_QUERY_MAXIMAL_ACCESS_REQUEST);
if (rc < 0)
@@ -2542,7 +2542,7 @@ int smb2_open(struct ksmbd_work *work)
context = smb2_find_context_vals(req,
SMB2_CREATE_TIMEWARP_REQUEST);
- if (IS_ERR(context)) {
+ if (IS_ERR_OR_NULL(context)) {
rc = check_context_err(context,
SMB2_CREATE_TIMEWARP_REQUEST);
if (rc < 0)
@@ -2556,7 +2556,7 @@ int smb2_open(struct ksmbd_work *work)
if (tcon->posix_extensions) {
context = smb2_find_context_vals(req,
SMB2_CREATE_TAG_POSIX);
- if (IS_ERR(context)) {
+ if (IS_ERR_OR_NULL(context)) {
rc = check_context_err(context,
SMB2_CREATE_TAG_POSIX);
if (rc < 0)
@@ -2949,7 +2949,7 @@ int smb2_open(struct ksmbd_work *work)
az_req = (struct create_alloc_size_req *)smb2_find_context_vals(req,
SMB2_CREATE_ALLOCATION_SIZE);
- if (IS_ERR(az_req)) {
+ if (IS_ERR_OR_NULL(az_req)) {
rc = check_context_err(az_req,
SMB2_CREATE_ALLOCATION_SIZE);
if (rc < 0)
@@ -2971,7 +2971,7 @@ int smb2_open(struct ksmbd_work *work)
}
context = smb2_find_context_vals(req, SMB2_CREATE_QUERY_ON_DISK_ID);
- if (IS_ERR(context)) {
+ if (IS_ERR_OR_NULL(context)) {
rc = check_context_err(context, SMB2_CREATE_QUERY_ON_DISK_ID);
if (rc < 0)
goto err_out;
From patchwork Mon Nov 14 12:51:23 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Jason Yan <yanaijie(a)huawei.com>
X-Patchwork-Id: 183271
From: Jason Yan <yanaijie(a)huawei.com>
To: <yanaijie(a)huawei.com>, <zhengzengkai(a)huawei.com>, <xiexiuqi(a)huawei.com>,
<yi.zhang(a)huawei.com>, <patchwork(a)huawei.com>, <kernel.openeuler(a)huawei.com>,
<houtao1(a)huawei.com>
Subject: [PATCH OLK-5.10 v2 174/308] ksmbd: handle error cases first in
smb2_create_sd_buffers
Date: Mon, 14 Nov 2022 20:51:23 +0800
Message-ID: <20221114125337.1831594-175-yanaijie(a)huawei.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20221114125337.1831594-1-yanaijie(a)huawei.com>
References: <20221114125337.1831594-1-yanaijie(a)huawei.com>
From: Hyunchul Lee <hyc.lee(a)gmail.com>
mainline inclusion
from mainline-5.15-rc1
commit 21dd1fd6d718ac59841c3ee3d0b1d82508ef24dc
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G
CVE: NA
Reference: https://git.kernel.org/torvalds/linux/c/21dd1fd6d718
-------------------------------
For code cleanup, handle error cases first in
smb2_create_sd_buffers().
Reported-by: Dan Carpenter <dan.carpenter(a)oracle.com>
Signed-off-by: Hyunchul Lee <hyc.lee(a)gmail.com>
Signed-off-by: Namjae Jeon <namjae.jeon(a)samsung.com>
Signed-off-by: Steve French <stfrench(a)microsoft.com>
Signed-off-by: Jason Yan <yanaijie(a)huawei.com>
---
fs/ksmbd/smb2pdu.c | 24 +++++++++++-------------
1 file changed, 11 insertions(+), 13 deletions(-)
diff --git a/fs/ksmbd/smb2pdu.c b/fs/ksmbd/smb2pdu.c
index f158b7e104da..b842768fc209 100644
--- a/fs/ksmbd/smb2pdu.c
+++ b/fs/ksmbd/smb2pdu.c
@@ -2309,25 +2309,23 @@ static int smb2_create_sd_buffer(struct ksmbd_work *work,
struct path *path)
{
struct create_context *context;
- int rc = -ENOENT;
+ struct create_sd_buf_req *sd_buf;
if (!req->CreateContextsOffset)
- return rc;
+ return -ENOENT;
/* Parse SD BUFFER create contexts */
context = smb2_find_context_vals(req, SMB2_CREATE_SD_BUFFER);
- if (context && !IS_ERR(context)) {
- struct create_sd_buf_req *sd_buf;
-
- ksmbd_debug(SMB,
- "Set ACLs using SMB2_CREATE_SD_BUFFER context\n");
- sd_buf = (struct create_sd_buf_req *)context;
- rc = set_info_sec(work->conn, work->tcon,
- path, &sd_buf->ntsd,
- le32_to_cpu(sd_buf->ccontext.DataLength), true);
- }
+ if (!context)
+ return -ENOENT;
+ else if (IS_ERR(context))
+ return PTR_ERR(context);
- return rc;
+ ksmbd_debug(SMB,
+ "Set ACLs using SMB2_CREATE_SD_BUFFER context\n");
+ sd_buf = (struct create_sd_buf_req *)context;
+ return set_info_sec(work->conn, work->tcon, path, &sd_buf->ntsd,
+ le32_to_cpu(sd_buf->ccontext.DataLength), true);
}
static void ksmbd_acls_fattr(struct smb_fattr *fattr, struct inode *inode)
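Review bot: In the rewritten smb2_create_sd_buffer(), "else if (IS_ERR(context))" follows a return, so the else is redundant; two plain if statements read better and avoid the checkpatch warning about else after return. Separately, sd_buf->ccontext.DataLength comes from the request and is passed to set_info_sec() as the length with no check in the visible lines; it is worth confirming that the value is bounded against the request buffer before the security descriptor is parsed.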
From patchwork Mon Nov 14 12:51:24 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Jason Yan <yanaijie(a)huawei.com>
X-Patchwork-Id: 183272
From: Jason Yan <yanaijie(a)huawei.com>
To: <yanaijie(a)huawei.com>, <zhengzengkai(a)huawei.com>, <xiexiuqi(a)huawei.com>,
<yi.zhang(a)huawei.com>, <patchwork(a)huawei.com>, <kernel.openeuler(a)huawei.com>,
<houtao1(a)huawei.com>
Subject: [PATCH OLK-5.10 v2 175/308] ksmbd: remove unneeded check_context_err
Date: Mon, 14 Nov 2022 20:51:24 +0800
Message-ID: <20221114125337.1831594-176-yanaijie(a)huawei.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20221114125337.1831594-1-yanaijie(a)huawei.com>
References: <20221114125337.1831594-1-yanaijie(a)huawei.com>
From: Namjae Jeon <namjae.jeon(a)samsung.com>
mainline inclusion
from mainline-5.15-rc1
commit f19b3967fb0967aa02b8bfe26ce186ca7525dff7
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G
CVE: NA
Reference: https://git.kernel.org/torvalds/linux/c/f19b3967fb09
-------------------------------
Coverity Scan seems to report a false alarm.
*** CID 1505930: (USE_AFTER_FREE)
/fs/ksmbd/smb2pdu.c: 2527 in smb2_open()
>>> CID 1505930: (USE_AFTER_FREE)
>>> Passing freed pointer "context" as an argument to
>>> "check_context_err".
This patch removes the unneeded check_context_err to make Coverity Scan
happy.
Reported-by: Coverity Scan <scan-admin(a)coverity.com>
Signed-off-by: Namjae Jeon <namjae.jeon(a)samsung.com>
Signed-off-by: Steve French <stfrench(a)microsoft.com>
Signed-off-by: Jason Yan <yanaijie(a)huawei.com>
---
fs/ksmbd/oplock.c | 3 +-
fs/ksmbd/smb2pdu.c | 73 +++++++++++++++-------------------------------
2 files changed, 26 insertions(+), 50 deletions(-)
diff --git a/fs/ksmbd/oplock.c b/fs/ksmbd/oplock.c
index 96e486ebf2e1..8bb62aae6e32 100644
--- a/fs/ksmbd/oplock.c
+++ b/fs/ksmbd/oplock.c
@@ -1446,7 +1446,8 @@ struct lease_ctx_info *parse_lease_state(void *open_req)
* @open_req: buffer containing smb2 file open(create) request
* @tag: context name to search for
*
- * Return: pointer to requested context, NULL if @str context not found
+ * Return: pointer to requested context, NULL if @str context not found
+ * or error pointer if name length is invalid.
*/
struct create_context *smb2_find_context_vals(void *open_req, const char *tag)
{
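Review bot: The updated Return: line still refers to @str, but the parameter documented two lines above is @tag. Please fix the name while touching this comment, and name the error value as well (the check_context_err() removed by this patch treated -EINVAL as "bad name length") so the kernel-doc matches what callers test for.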
diff --git a/fs/ksmbd/smb2pdu.c b/fs/ksmbd/smb2pdu.c
index b842768fc209..73958167c4f4 100644
--- a/fs/ksmbd/smb2pdu.c
+++ b/fs/ksmbd/smb2pdu.c
@@ -2122,21 +2122,6 @@ static int smb2_set_ea(struct smb2_ea_info *eabuf, struct path *path)
return rc;
}
-static inline int check_context_err(void *ctx, char *str)
-{
- int err;
-
- err = PTR_ERR(ctx);
- ksmbd_debug(SMB, "find context %s err %d\n", str, err ? err : -ENOENT);
-
- if (err == -EINVAL) {
- pr_err("bad name length\n");
- return err;
- }
-
- return 0;
-}
-
static noinline int smb2_set_stream_name_xattr(struct path *path,
struct ksmbd_file *fp,
char *stream_name, int s_type)
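Review bot: Removing check_context_err() also removes the only logging on this path: the ksmbd_debug() line naming the context that failed and the pr_err("bad name length"). After this patch the callers return PTR_ERR(context) silently, which makes a malformed create context in a request harder to spot in the logs. Consider keeping a ksmbd_debug() at the call sites, or inside smb2_find_context_vals() where the error pointer is produced.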
@@ -2512,11 +2497,10 @@ int smb2_open(struct ksmbd_work *work)
if (req->CreateContextsOffset) {
/* Parse non-durable handle create contexts */
context = smb2_find_context_vals(req, SMB2_CREATE_EA_BUFFER);
- if (IS_ERR_OR_NULL(context)) {
- rc = check_context_err(context, SMB2_CREATE_EA_BUFFER);
- if (rc < 0)
- goto err_out1;
- } else {
+ if (IS_ERR(context)) {
+ rc = PTR_ERR(context);
+ goto err_out1;
+ } else if (context) {
ea_buf = (struct create_ea_buf_req *)context;
if (req->CreateOptions & FILE_NO_EA_KNOWLEDGE_LE) {
rsp->hdr.Status = STATUS_ACCESS_DENIED;
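Review bot: The new "if (IS_ERR(context))" branch fails the open for any error pointer, whereas the removed helper aborted only on -EINVAL and returned 0 for everything else. That is a behaviour change unless smb2_find_context_vals() can only return ERR_PTR(-EINVAL); please state that in the changelog. Also, "else if (context)" after "goto err_out1" does not need the else, and the same applies to the five identical blocks below.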
@@ -2527,12 +2511,10 @@ int smb2_open(struct ksmbd_work *work)
context = smb2_find_context_vals(req,
SMB2_CREATE_QUERY_MAXIMAL_ACCESS_REQUEST);
- if (IS_ERR_OR_NULL(context)) {
- rc = check_context_err(context,
- SMB2_CREATE_QUERY_MAXIMAL_ACCESS_REQUEST);
- if (rc < 0)
- goto err_out1;
- } else {
+ if (IS_ERR(context)) {
+ rc = PTR_ERR(context);
+ goto err_out1;
+ } else if (context) {
ksmbd_debug(SMB,
"get query maximal access context\n");
maximal_access_ctxt = 1;
@@ -2540,12 +2522,10 @@ int smb2_open(struct ksmbd_work *work)
context = smb2_find_context_vals(req,
SMB2_CREATE_TIMEWARP_REQUEST);
- if (IS_ERR_OR_NULL(context)) {
- rc = check_context_err(context,
- SMB2_CREATE_TIMEWARP_REQUEST);
- if (rc < 0)
- goto err_out1;
- } else {
+ if (IS_ERR(context)) {
+ rc = PTR_ERR(context);
+ goto err_out1;
+ } else if (context) {
ksmbd_debug(SMB, "get timewarp context\n");
rc = -EBADF;
goto err_out1;
@@ -2554,12 +2534,10 @@ int smb2_open(struct ksmbd_work *work)
if (tcon->posix_extensions) {
context = smb2_find_context_vals(req,
SMB2_CREATE_TAG_POSIX);
- if (IS_ERR_OR_NULL(context)) {
- rc = check_context_err(context,
- SMB2_CREATE_TAG_POSIX);
- if (rc < 0)
- goto err_out1;
- } else {
+ if (IS_ERR(context)) {
+ rc = PTR_ERR(context);
+ goto err_out1;
+ } else if (context) {
struct create_posix *posix =
(struct create_posix *)context;
ksmbd_debug(SMB, "get posix context\n");
@@ -2947,12 +2925,10 @@ int smb2_open(struct ksmbd_work *work)
az_req = (struct create_alloc_size_req *)smb2_find_context_vals(req,
SMB2_CREATE_ALLOCATION_SIZE);
- if (IS_ERR_OR_NULL(az_req)) {
- rc = check_context_err(az_req,
- SMB2_CREATE_ALLOCATION_SIZE);
- if (rc < 0)
- goto err_out;
- } else {
+ if (IS_ERR(az_req)) {
+ rc = PTR_ERR(az_req);
+ goto err_out;
+ } else if (az_req) {
loff_t alloc_size = le64_to_cpu(az_req->AllocationSize);
int err;
@@ -2969,11 +2945,10 @@ int smb2_open(struct ksmbd_work *work)
}
context = smb2_find_context_vals(req, SMB2_CREATE_QUERY_ON_DISK_ID);
- if (IS_ERR_OR_NULL(context)) {
- rc = check_context_err(context, SMB2_CREATE_QUERY_ON_DISK_ID);
- if (rc < 0)
- goto err_out;
- } else {
+ if (IS_ERR(context)) {
+ rc = PTR_ERR(context);
+ goto err_out;
+ } else if (context) {
ksmbd_debug(SMB, "get query on disk id context\n");
query_disk_id = 1;
}
From patchwork Mon Nov 14 12:51:25 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Jason Yan <yanaijie(a)huawei.com>
X-Patchwork-Id: 183273
From: Jason Yan <yanaijie(a)huawei.com>
To: <yanaijie(a)huawei.com>, <zhengzengkai(a)huawei.com>, <xiexiuqi(a)huawei.com>,
<yi.zhang(a)huawei.com>, <patchwork(a)huawei.com>, <kernel.openeuler(a)huawei.com>,
<houtao1(a)huawei.com>
Subject: [PATCH OLK-5.10 v2 176/308] ksmbd: fix memory leak in
ksmbd_vfs_get_sd_xattr()
Date: Mon, 14 Nov 2022 20:51:25 +0800
Message-ID: <20221114125337.1831594-177-yanaijie(a)huawei.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20221114125337.1831594-1-yanaijie(a)huawei.com>
References: <20221114125337.1831594-1-yanaijie(a)huawei.com>
From: Namjae Jeon <namjae.jeon(a)samsung.com>
mainline inclusion
from mainline-5.15-rc1
commit 78ad2c277af4cf503f985fd506fbb1f8576460f2
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G
CVE: NA
Reference: https://git.kernel.org/torvalds/linux/c/78ad2c277af4
-------------------------------
Add free acl.sd_buf and n.data on error handling in
ksmbd_vfs_get_sd_xattr().
Reported-by: Coverity Scan <scan-admin(a)coverity.com>
Signed-off-by: Namjae Jeon <namjae.jeon(a)samsung.com>
Signed-off-by: Steve French <stfrench(a)microsoft.com>
Signed-off-by: Jason Yan <yanaijie(a)huawei.com>
---
fs/ksmbd/vfs.c | 99 ++++++++++++++++++++++++++------------------------
1 file changed, 52 insertions(+), 47 deletions(-)
diff --git a/fs/ksmbd/vfs.c b/fs/ksmbd/vfs.c
index 53fbcb95f3b3..f10dfdb596e4 100644
--- a/fs/ksmbd/vfs.c
+++ b/fs/ksmbd/vfs.c
@@ -1458,61 +1458,66 @@ int ksmbd_vfs_get_sd_xattr(struct ksmbd_conn *conn, struct dentry *dentry,
{
int rc;
struct ndr n;
+ struct inode *inode = d_inode(dentry);
+ struct ndr acl_ndr = {0};
+ struct xattr_ntacl acl;
+ struct xattr_smb_acl *smb_acl = NULL, *def_smb_acl = NULL;
+ __u8 cmp_hash[XATTR_SD_HASH_SIZE] = {0};
rc = ksmbd_vfs_getxattr(dentry, XATTR_NAME_SD, &n.data);
- if (rc > 0) {
- struct inode *inode = d_inode(dentry);
- struct ndr acl_ndr = {0};
- struct xattr_ntacl acl;
- struct xattr_smb_acl *smb_acl = NULL, *def_smb_acl = NULL;
- __u8 cmp_hash[XATTR_SD_HASH_SIZE] = {0};
-
- n.length = rc;
- rc = ndr_decode_v4_ntacl(&n, &acl);
- if (rc)
- return rc;
-
- smb_acl = ksmbd_vfs_make_xattr_posix_acl(inode,
- ACL_TYPE_ACCESS);
- if (S_ISDIR(inode->i_mode))
- def_smb_acl = ksmbd_vfs_make_xattr_posix_acl(inode,
- ACL_TYPE_DEFAULT);
-
- rc = ndr_encode_posix_acl(&acl_ndr, inode, smb_acl, def_smb_acl);
- if (rc) {
- pr_err("failed to encode ndr to posix acl\n");
- goto out;
- }
+ if (rc <= 0)
+ return rc;
- rc = ksmbd_gen_sd_hash(conn, acl_ndr.data, acl_ndr.offset,
- cmp_hash);
- if (rc) {
- pr_err("failed to generate hash for ndr acl\n");
- goto out;
- }
+ n.length = rc;
+ rc = ndr_decode_v4_ntacl(&n, &acl);
+ if (rc)
+ goto free_n_data;
- if (memcmp(cmp_hash, acl.posix_acl_hash, XATTR_SD_HASH_SIZE)) {
- pr_err("hash value diff\n");
- rc = -EINVAL;
- goto out;
- }
+ smb_acl = ksmbd_vfs_make_xattr_posix_acl(inode,
+ ACL_TYPE_ACCESS);
+ if (S_ISDIR(inode->i_mode))
+ def_smb_acl = ksmbd_vfs_make_xattr_posix_acl(inode,
+ ACL_TYPE_DEFAULT);
+
+ rc = ndr_encode_posix_acl(&acl_ndr, inode, smb_acl, def_smb_acl);
+ if (rc) {
+ pr_err("failed to encode ndr to posix acl\n");
+ goto out_free;
+ }
- *pntsd = acl.sd_buf;
- (*pntsd)->osidoffset =
- cpu_to_le32(le32_to_cpu((*pntsd)->osidoffset) - NDR_NTSD_OFFSETOF);
- (*pntsd)->gsidoffset =
- cpu_to_le32(le32_to_cpu((*pntsd)->gsidoffset) - NDR_NTSD_OFFSETOF);
- (*pntsd)->dacloffset =
- cpu_to_le32(le32_to_cpu((*pntsd)->dacloffset) - NDR_NTSD_OFFSETOF);
+ rc = ksmbd_gen_sd_hash(conn, acl_ndr.data, acl_ndr.offset,
+ cmp_hash);
+ if (rc) {
+ pr_err("failed to generate hash for ndr acl\n");
+ goto out_free;
+ }
- rc = acl.sd_size;
-out:
- kfree(n.data);
- kfree(acl_ndr.data);
- kfree(smb_acl);
- kfree(def_smb_acl);
+ if (memcmp(cmp_hash, acl.posix_acl_hash, XATTR_SD_HASH_SIZE)) {
+ pr_err("hash value diff\n");
+ rc = -EINVAL;
+ goto out_free;
}
+ *pntsd = acl.sd_buf;
+ (*pntsd)->osidoffset =
+ cpu_to_le32(le32_to_cpu((*pntsd)->osidoffset) - NDR_NTSD_OFFSETOF);
+ (*pntsd)->gsidoffset =
+ cpu_to_le32(le32_to_cpu((*pntsd)->gsidoffset) - NDR_NTSD_OFFSETOF);
+ (*pntsd)->dacloffset =
+ cpu_to_le32(le32_to_cpu((*pntsd)->dacloffset) - NDR_NTSD_OFFSETOF);
+
+ rc = acl.sd_size;
+out_free:
+ kfree(acl_ndr.data);
+ kfree(smb_acl);
+ kfree(def_smb_acl);
+ if (rc < 0) {
+ kfree(acl.sd_buf);
+ *pntsd = NULL;
+ }
+
+free_n_data:
+ kfree(n.data);
return rc;
}
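Review bot: The "goto free_n_data" taken when ndr_decode_v4_ntacl() fails skips kfree(acl.sd_buf), and "struct xattr_ntacl acl" is declared without an initializer. If the decoder can fail after it has allocated sd_buf, that buffer still leaks, which is the case the subject line says is fixed. Please confirm whether the decoder frees sd_buf itself on failure; if it does not, initializing with "struct xattr_ntacl acl = {0};" and sending the decode failure to out_free would cover it, since kfree(NULL) is a no-op. The changelog should also mention that *pntsd is now set to NULL on failure.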
From patchwork Mon Nov 14 12:51:26 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Jason Yan <yanaijie(a)huawei.com>
X-Patchwork-Id: 183274
From: Jason Yan <yanaijie(a)huawei.com>
To: <yanaijie(a)huawei.com>, <zhengzengkai(a)huawei.com>, <xiexiuqi(a)huawei.com>,
<yi.zhang(a)huawei.com>, <patchwork(a)huawei.com>, <kernel.openeuler(a)huawei.com>,
<houtao1(a)huawei.com>
Subject: [PATCH OLK-5.10 v2 177/308] ksmbd: fix unused err value in smb2_lock
Date: Mon, 14 Nov 2022 20:51:26 +0800
Message-ID: <20221114125337.1831594-178-yanaijie(a)huawei.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20221114125337.1831594-1-yanaijie(a)huawei.com>
References: <20221114125337.1831594-1-yanaijie(a)huawei.com>
From: Namjae Jeon <namjae.jeon(a)samsung.com>
mainline inclusion
from mainline-5.15-rc1
commit 96ad4ec51c06c6fafc10b4e3a20753e127ce27d4
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G
CVE: NA
Reference: https://git.kernel.org/torvalds/linux/c/96ad4ec51c06
-------------------------------
CID 1502845 (#1 of 1): Unused value (UNUSED_VALUE)
value_overwrite: Overwriting previous write to err with value from
vfs_lock_file(filp, 0U, rlock, NULL).
6880 err = vfs_lock_file(filp, 0, rlock, NULL);
6881 if (err)
6882 pr_err("rollback unlock fail : %d\n", err);
Reported-by: Coverity Scan <scan-admin(a)coverity.com>
Signed-off-by: Namjae Jeon <namjae.jeon(a)samsung.com>
Signed-off-by: Steve French <stfrench(a)microsoft.com>
Signed-off-by: Jason Yan <yanaijie(a)huawei.com>
---
fs/ksmbd/smb2pdu.c | 11 ++++++-----
1 file changed, 6 insertions(+), 5 deletions(-)
diff --git a/fs/ksmbd/smb2pdu.c b/fs/ksmbd/smb2pdu.c
index 73958167c4f4..e63079e3459d 100644
--- a/fs/ksmbd/smb2pdu.c
+++ b/fs/ksmbd/smb2pdu.c
@@ -6792,7 +6792,7 @@ int smb2_lock(struct ksmbd_work *work)
rsp->Reserved = 0;
inc_rfc1001_len(rsp, 4);
ksmbd_fd_put(work, fp);
- return err;
+ return 0;
out:
list_for_each_entry_safe(smb_lock, tmp, &lock_list, llist) {
@@ -6803,15 +6803,16 @@ int smb2_lock(struct ksmbd_work *work)
list_for_each_entry_safe(smb_lock, tmp, &rollback_list, llist) {
struct file_lock *rlock = NULL;
+ int rc;
rlock = smb_flock_init(filp);
rlock->fl_type = F_UNLCK;
rlock->fl_start = smb_lock->start;
rlock->fl_end = smb_lock->end;
- err = vfs_lock_file(filp, 0, rlock, NULL);
- if (err)
- pr_err("rollback unlock fail : %d\n", err);
+ rc = vfs_lock_file(filp, 0, rlock, NULL);
+ if (rc)
+ pr_err("rollback unlock fail : %d\n", rc);
list_del(&smb_lock->llist);
spin_lock(&work->conn->llist_lock);
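Review bot: In the rollback loop, the result of smb_flock_init(filp) is dereferenced on the next line (rlock->fl_type = F_UNLCK) without a NULL check. If smb_flock_init() can fail on allocation, this error path would dereference NULL; a check that skips only the vfs_lock_file() call and still unlinks the entry would be safer. The "= NULL" initializer on rlock is unnecessary because the variable is overwritten immediately.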
@@ -6828,7 +6829,7 @@ int smb2_lock(struct ksmbd_work *work)
ksmbd_debug(SMB, "failed in taking lock(flags : %x)\n", flags);
smb2_set_err_rsp(work);
ksmbd_fd_put(work, fp);
- return 0;
+ return err;
}
static int fsctl_copychunk(struct ksmbd_work *work, struct smb2_ioctl_req *req,
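Review bot: The changelog gives only the Coverity UNUSED_VALUE report, but the first and last hunks change what smb2_lock() returns: the success path now returns 0 and the failure path after smb2_set_err_rsp() returns err. Please say so in the commit message, and confirm that err is nonzero on every "goto out" and that the caller does not build a second error response when it sees a negative return.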
From patchwork Mon Nov 14 12:51:27 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Jason Yan <yanaijie(a)huawei.com>
X-Patchwork-Id: 183275
From: Jason Yan <yanaijie(a)huawei.com>
To: <yanaijie(a)huawei.com>, <zhengzengkai(a)huawei.com>, <xiexiuqi(a)huawei.com>,
<yi.zhang(a)huawei.com>, <patchwork(a)huawei.com>, <kernel.openeuler(a)huawei.com>,
<houtao1(a)huawei.com>
Subject: [PATCH OLK-5.10 v2 178/308] ksmbd: set RDMA capability for
FSCTL_QUERY_NETWORK_INTERFACE_INFO
Date: Mon, 14 Nov 2022 20:51:27 +0800
Message-ID: <20221114125337.1831594-179-yanaijie(a)huawei.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20221114125337.1831594-1-yanaijie(a)huawei.com>
References: <20221114125337.1831594-1-yanaijie(a)huawei.com>
From: Hyunchul Lee <hyc.lee(a)gmail.com>
mainline inclusion
from mainline-5.15-rc1
commit 03d8d4f1896eba2240aa946ce591e86e538504cd
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G
CVE: NA
Reference: https://git.kernel.org/torvalds/linux/c/03d8d4f1896e
-------------------------------
Set RDMA capability for FSCTL_QUERY_NETWORK_INTERFACE_INFO.
Signed-off-by: Hyunchul Lee <hyc.lee(a)gmail.com>
Signed-off-by: Namjae Jeon <namjae.jeon(a)samsung.com>
Signed-off-by: Steve French <stfrench(a)microsoft.com>
Signed-off-by: Jason Yan <yanaijie(a)huawei.com>
---
fs/ksmbd/smb2pdu.c | 9 +++++----
fs/ksmbd/transport_rdma.c | 14 ++++++++++++++
fs/ksmbd/transport_rdma.h | 2 ++
3 files changed, 21 insertions(+), 4 deletions(-)
diff --git a/fs/ksmbd/smb2pdu.c b/fs/ksmbd/smb2pdu.c
index e63079e3459d..681b78caa333 100644
--- a/fs/ksmbd/smb2pdu.c
+++ b/fs/ksmbd/smb2pdu.c
@@ -22,6 +22,7 @@
#include "asn1.h"
#include "connection.h"
#include "transport_ipc.h"
+#include "transport_rdma.h"
#include "vfs.h"
#include "vfs_cache.h"
#include "misc.h"
@@ -6985,11 +6986,11 @@ static int fsctl_query_iface_info_ioctl(struct ksmbd_conn *conn,
&rsp->Buffer[nbytes];
nii_rsp->IfIndex = cpu_to_le32(netdev->ifindex);
- /* TODO: specify the RDMA capabilities */
+ nii_rsp->Capability = 0;
if (netdev->num_tx_queues > 1)
- nii_rsp->Capability = cpu_to_le32(RSS_CAPABLE);
- else
- nii_rsp->Capability = 0;
+ nii_rsp->Capability |= cpu_to_le32(RSS_CAPABLE);
+ if (ksmbd_rdma_capable_netdev(netdev))
+ nii_rsp->Capability |= cpu_to_le32(RDMA_CAPABLE);
nii_rsp->Next = cpu_to_le32(152);
nii_rsp->Reserved = 0;
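Review bot: RDMA_CAPABLE is set purely from ksmbd_rdma_capable_netdev(netdev), which is a property of the interface; nothing in this hunk checks that the server's SMB Direct transport was actually brought up. If ksmbd_rdma_init() failed or SMB Direct is not listening, clients are still told the interface is RDMA capable and will attempt a channel the server cannot serve. Consider gating the flag on the transport state as well as on the device.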
diff --git a/fs/ksmbd/transport_rdma.c b/fs/ksmbd/transport_rdma.c
index d5728c84a15a..f818fe358f31 100644
--- a/fs/ksmbd/transport_rdma.c
+++ b/fs/ksmbd/transport_rdma.c
@@ -2033,6 +2033,20 @@ int ksmbd_rdma_destroy(void)
return 0;
}
+bool ksmbd_rdma_capable_netdev(struct net_device *netdev)
+{
+ struct ib_device *ibdev;
+ bool rdma_capable = false;
+
+ ibdev = ib_device_get_by_netdev(netdev, RDMA_DRIVER_UNKNOWN);
+ if (ibdev) {
+ if (rdma_frwr_is_supported(&ibdev->attrs))
+ rdma_capable = true;
+ ib_device_put(ibdev);
+ }
+ return rdma_capable;
+}
+
static struct ksmbd_transport_ops ksmbd_smb_direct_transport_ops = {
.prepare = smb_direct_prepare,
.disconnect = smb_direct_disconnect,
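Review bot: ksmbd_rdma_capable_netdev() is a new non-static function with no comment, and two choices in it need one: RDMA_DRIVER_UNKNOWN is passed to ib_device_get_by_netdev(), and rdma_frwr_is_supported() alone decides the answer. A short kernel-doc block stating that an RDMA device of any driver bound to the netdev qualifies, and why FRWR support is the requirement, would help the next reader. The reference handling is fine: ib_device_put() runs whenever the lookup succeeded.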
diff --git a/fs/ksmbd/transport_rdma.h b/fs/ksmbd/transport_rdma.h
index da60fcec3ede..72e2574079f3 100644
--- a/fs/ksmbd/transport_rdma.h
+++ b/fs/ksmbd/transport_rdma.h
@@ -53,9 +53,11 @@ struct smb_direct_data_transfer {
#ifdef CONFIG_SMB_SERVER_SMBDIRECT
int ksmbd_rdma_init(void);
int ksmbd_rdma_destroy(void);
+bool ksmbd_rdma_capable_netdev(struct net_device *netdev);
#else
static inline int ksmbd_rdma_init(void) { return 0; }
static inline int ksmbd_rdma_destroy(void) { return 0; }
+static inline bool ksmbd_rdma_capable_netdev(struct net_device *netdev) { return false; }
#endif
#endif /* __KSMBD_TRANSPORT_RDMA_H__ */
From patchwork Mon Nov 14 12:51:28 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Jason Yan <yanaijie(a)huawei.com>
X-Patchwork-Id: 183276
From: Jason Yan <yanaijie(a)huawei.com>
To: <yanaijie(a)huawei.com>, <zhengzengkai(a)huawei.com>, <xiexiuqi(a)huawei.com>,
<yi.zhang(a)huawei.com>, <patchwork(a)huawei.com>, <kernel.openeuler(a)huawei.com>,
<houtao1(a)huawei.com>
Subject: [PATCH OLK-5.10 v2 179/308] ksmbd: fix an error message in
ksmbd_conn_trasnport_init
Date: Mon, 14 Nov 2022 20:51:28 +0800
Message-ID: <20221114125337.1831594-180-yanaijie(a)huawei.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20221114125337.1831594-1-yanaijie(a)huawei.com>
References: <20221114125337.1831594-1-yanaijie(a)huawei.com>
From: Hyunchul Lee <hyc.lee(a)gmail.com>
mainline inclusion
from mainline-5.15-rc1
commit 0a427cc638ada13a703b044f38f4b01628c4e620
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G
CVE: NA
Reference: https://git.kernel.org/torvalds/linux/c/0a427cc638ad
-------------------------------
Fix an error message in ksmbd_conn_transport_init().
Signed-off-by: Hyunchul Lee <hyc.lee(a)gmail.com>
Signed-off-by: Namjae Jeon <namjae.jeon(a)samsung.com>
Signed-off-by: Steve French <stfrench(a)microsoft.com>
Signed-off-by: Jason Yan <yanaijie(a)huawei.com>
---
fs/ksmbd/connection.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/fs/ksmbd/connection.c b/fs/ksmbd/connection.c
index 8430848bea45..d7ee0bfb5838 100644
--- a/fs/ksmbd/connection.c
+++ b/fs/ksmbd/connection.c
@@ -372,7 +372,7 @@ int ksmbd_conn_transport_init(void)
ret = ksmbd_rdma_init();
if (ret) {
- pr_err("Failed to init KSMBD subsystem: %d\n", ret);
+ pr_err("Failed to init RDMA subsystem: %d\n", ret);
goto out;
}
out:
From patchwork Mon Nov 14 12:51:29 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Jason Yan <yanaijie(a)huawei.com>
X-Patchwork-Id: 183277
From: Jason Yan <yanaijie(a)huawei.com>
To: <yanaijie(a)huawei.com>, <zhengzengkai(a)huawei.com>, <xiexiuqi(a)huawei.com>,
<yi.zhang(a)huawei.com>, <patchwork(a)huawei.com>, <kernel.openeuler(a)huawei.com>,
<houtao1(a)huawei.com>
Subject: [PATCH OLK-5.10 v2 180/308] ksmbd: fix typo in comment
Date: Mon, 14 Nov 2022 20:51:29 +0800
Message-ID: <20221114125337.1831594-181-yanaijie(a)huawei.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20221114125337.1831594-1-yanaijie(a)huawei.com>
References: <20221114125337.1831594-1-yanaijie(a)huawei.com>
From: Namjae Jeon <namjae.jeon(a)samsung.com>
mainline inclusion
from mainline-5.15-rc1
commit a9c241d01d0a80209cb7dde76a89f450b0d5a78d
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G
CVE: NA
Reference: https://git.kernel.org/torvalds/linux/c/a9c241d01d0a
-------------------------------
Fix typo "openning" -> "opening".
Signed-off-by: Namjae Jeon <namjae.jeon(a)samsung.com>
Signed-off-by: Steve French <stfrench(a)microsoft.com>
Signed-off-by: Jason Yan <yanaijie(a)huawei.com>
---
fs/ksmbd/connection.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/fs/ksmbd/connection.c b/fs/ksmbd/connection.c
index d7ee0bfb5838..af086d35398a 100644
--- a/fs/ksmbd/connection.c
+++ b/fs/ksmbd/connection.c
@@ -247,7 +247,7 @@ bool ksmbd_conn_alive(struct ksmbd_conn *conn)
/*
* Stop current session if the time that get last request from client
- * is bigger than deadtime user configured and openning file count is
+ * is bigger than deadtime user configured and opening file count is
* zero.
*/
if (server_conf.deadtime > 0 &&
From patchwork Mon Nov 14 12:51:30 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Jason Yan <yanaijie(a)huawei.com>
X-Patchwork-Id: 183278
From: Jason Yan <yanaijie(a)huawei.com>
To: <yanaijie(a)huawei.com>, <zhengzengkai(a)huawei.com>, <xiexiuqi(a)huawei.com>,
<yi.zhang(a)huawei.com>, <patchwork(a)huawei.com>, <kernel.openeuler(a)huawei.com>,
<houtao1(a)huawei.com>
Subject: [PATCH OLK-5.10 v2 181/308] ksmbd: fix wrong compression context size
Date: Mon, 14 Nov 2022 20:51:30 +0800
Message-ID: <20221114125337.1831594-182-yanaijie(a)huawei.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20221114125337.1831594-1-yanaijie(a)huawei.com>
References: <20221114125337.1831594-1-yanaijie(a)huawei.com>
From: Namjae Jeon <namjae.jeon(a)samsung.com>
mainline inclusion
from mainline-5.15-rc1
commit e4b60e92d4f878b774eca22fa4c00fa04f6354b4
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G
CVE: NA
Reference: https://git.kernel.org/torvalds/linux/c/e4b60e92d4f8
-------------------------------
Use smb2_compression_ctx instead of smb2_encryption_neg_context.
Signed-off-by: Namjae Jeon <namjae.jeon(a)samsung.com>
Signed-off-by: Steve French <stfrench(a)microsoft.com>
Signed-off-by: Jason Yan <yanaijie(a)huawei.com>
---
fs/ksmbd/smb2pdu.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/fs/ksmbd/smb2pdu.c b/fs/ksmbd/smb2pdu.c
index 681b78caa333..685ef11cb8f7 100644
--- a/fs/ksmbd/smb2pdu.c
+++ b/fs/ksmbd/smb2pdu.c
@@ -924,7 +924,7 @@ static int decode_compress_ctxt(struct ksmbd_conn *conn,
* Return compression context size in request.
* So need to plus extra number of CompressionAlgorithms size.
*/
- return sizeof(struct smb2_encryption_neg_context) +
+ return sizeof(struct smb2_compression_ctx) +
((algo_cnt - 1) * 2);
}
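Review bot: The returned size is sizeof(struct smb2_compression_ctx) + ((algo_cnt - 1) * 2), and the visible lines show no lower bound on algo_cnt. Per the comment above it, this is the size of a context in the client's request, so if algo_cnt can be 0 here the result is two bytes smaller than the fixed structure. Please confirm algo_cnt is validated as at least 1, and bounded against the remaining buffer, before this return, or add the check in this function.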
From patchwork Mon Nov 14 12:51:31 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Jason Yan <yanaijie(a)huawei.com>
X-Patchwork-Id: 183279
From: Jason Yan <yanaijie(a)huawei.com>
To: <yanaijie(a)huawei.com>, <zhengzengkai(a)huawei.com>, <xiexiuqi(a)huawei.com>,
<yi.zhang(a)huawei.com>, <patchwork(a)huawei.com>, <kernel.openeuler(a)huawei.com>,
<houtao1(a)huawei.com>
Subject: [PATCH OLK-5.10 v2 182/308] ksmbd: fix wrong error status return on
session setup
Date: Mon, 14 Nov 2022 20:51:31 +0800
Message-ID: <20221114125337.1831594-183-yanaijie(a)huawei.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20221114125337.1831594-1-yanaijie(a)huawei.com>
References: <20221114125337.1831594-1-yanaijie(a)huawei.com>
From: Namjae Jeon <namjae.jeon(a)samsung.com>
mainline inclusion
from mainline-5.15-rc1
commit 58090b175271870842d823622013d4499f462a10
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G
CVE: NA
Reference: https://git.kernel.org/torvalds/linux/c/58090b175271
-------------------------------
When a user inserts a wrong password, ksmbd returns the STATUS_INVALID_PARAMETER
error status to the client. This leaves the user unsure whether it is a
password problem. This patch changes the error status to
STATUS_LOGON_FAILURE and returns STATUS_INSUFFICIENT_RESOURCES if memory
allocation fails on session setup.
Signed-off-by: Namjae Jeon <namjae.jeon(a)samsung.com>
Signed-off-by: Steve French <stfrench(a)microsoft.com>
Signed-off-by: Jason Yan <yanaijie(a)huawei.com>
---
fs/ksmbd/smb2pdu.c | 32 ++++++++++++--------------------
1 file changed, 12 insertions(+), 20 deletions(-)
diff --git a/fs/ksmbd/smb2pdu.c b/fs/ksmbd/smb2pdu.c
index 685ef11cb8f7..f65e518759a5 100644
--- a/fs/ksmbd/smb2pdu.c
+++ b/fs/ksmbd/smb2pdu.c
@@ -1338,8 +1338,7 @@ static int ntlm_authenticate(struct ksmbd_work *work)
user = session_user(conn, req);
if (!user) {
ksmbd_debug(SMB, "Unknown user name or an error\n");
- rsp->hdr.Status = STATUS_LOGON_FAILURE;
- return -EINVAL;
+ return -EPERM;
}
/* Check for previous session */
@@ -1363,8 +1362,7 @@ static int ntlm_authenticate(struct ksmbd_work *work)
if (user_guest(sess->user)) {
if (conn->sign) {
ksmbd_debug(SMB, "Guest login not allowed when signing enabled\n");
- rsp->hdr.Status = STATUS_LOGON_FAILURE;
- return -EACCES;
+ return -EPERM;
}
rsp->SessionFlags = SMB2_SESSION_FLAG_IS_GUEST_LE;
@@ -1377,8 +1375,7 @@ static int ntlm_authenticate(struct ksmbd_work *work)
if (rc) {
set_user_flag(sess->user, KSMBD_USER_FLAG_BAD_PASSWORD);
ksmbd_debug(SMB, "authentication failed\n");
- rsp->hdr.Status = STATUS_LOGON_FAILURE;
- return -EINVAL;
+ return -EPERM;
}
/*
@@ -1403,8 +1400,7 @@ static int ntlm_authenticate(struct ksmbd_work *work)
if (rc) {
ksmbd_debug(SMB,
"SMB3 encryption key generation failed\n");
- rsp->hdr.Status = STATUS_LOGON_FAILURE;
- return rc;
+ return -EINVAL;
}
sess->enc = true;
rsp->SessionFlags = SMB2_SESSION_FLAG_ENCRYPT_DATA_LE;
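Review bot: For the encryption key generation failure, return rc becomes return -EINVAL, which throws away the real error. The same patch adds an -ENOMEM branch in smb2_sess_setup() to report STATUS_INSUFFICIENT_RESOURCES, but an allocation failure inside key generation can no longer reach it from here. Either return rc unchanged or say in the commit message why every key generation failure should look the same to the client.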
@@ -1434,16 +1430,14 @@ static int ntlm_authenticate(struct ksmbd_work *work)
rc = conn->ops->generate_signingkey(sess, conn);
if (rc) {
ksmbd_debug(SMB, "SMB3 signing key generation failed\n");
- rsp->hdr.Status = STATUS_LOGON_FAILURE;
- return rc;
+ return -EINVAL;
}
}
if (conn->dialect > SMB20_PROT_ID) {
if (!ksmbd_conn_lookup_dialect(conn)) {
pr_err("fail to verify the dialect\n");
- rsp->hdr.Status = STATUS_USER_SESSION_DELETED;
- return -EPERM;
+ return -ENOENT;
}
}
return 0;
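Review bot: The dialect verification failure used to set STATUS_USER_SESSION_DELETED and now only returns -ENOENT, yet the smb2_sess_setup() hunk in this patch adds no -ENOENT case. Unless a branch outside the diff context already maps -ENOENT, this falls through to the final else if (rc) and the client sees STATUS_LOGON_FAILURE, a change the commit message does not mention. Please state which status is intended for this path.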
@@ -1483,8 +1477,7 @@ static int krb5_authenticate(struct ksmbd_work *work)
out_blob, &out_len);
if (retval) {
ksmbd_debug(SMB, "krb5 authentication failed\n");
- rsp->hdr.Status = STATUS_LOGON_FAILURE;
- return retval;
+ return -EINVAL;
}
rsp->SecurityBufferLength = cpu_to_le16(out_len);
inc_rfc1001_len(rsp, out_len - 1);
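Review bot: retval from the krb5 authentication call is now replaced by -EINVAL, and the ksmbd_debug() line does not print it, so the original failure reason is lost to anyone diagnosing logon failures from the log. Add retval to the debug message before it is discarded.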
@@ -1499,8 +1492,7 @@ static int krb5_authenticate(struct ksmbd_work *work)
if (retval) {
ksmbd_debug(SMB,
"SMB3 encryption key generation failed\n");
- rsp->hdr.Status = STATUS_LOGON_FAILURE;
- return retval;
+ return -EINVAL;
}
sess->enc = true;
rsp->SessionFlags = SMB2_SESSION_FLAG_ENCRYPT_DATA_LE;
@@ -1524,16 +1516,14 @@ static int krb5_authenticate(struct ksmbd_work *work)
retval = conn->ops->generate_signingkey(sess, conn);
if (retval) {
ksmbd_debug(SMB, "SMB3 signing key generation failed\n");
- rsp->hdr.Status = STATUS_LOGON_FAILURE;
- return retval;
+ return -EINVAL;
}
}
if (conn->dialect > SMB20_PROT_ID) {
if (!ksmbd_conn_lookup_dialect(conn)) {
pr_err("fail to verify the dialect\n");
- rsp->hdr.Status = STATUS_USER_SESSION_DELETED;
- return -EPERM;
+ return -ENOENT;
}
}
return 0;
@@ -1709,6 +1699,8 @@ int smb2_sess_setup(struct ksmbd_work *work)
rsp->hdr.Status = STATUS_REQUEST_NOT_ACCEPTED;
else if (rc == -EFAULT)
rsp->hdr.Status = STATUS_NETWORK_SESSION_EXPIRED;
+ else if (rc == -ENOMEM)
+ rsp->hdr.Status = STATUS_INSUFFICIENT_RESOURCES;
else if (rc)
rsp->hdr.Status = STATUS_LOGON_FAILURE;
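Review bot: With the rsp->hdr.Status assignments removed from ntlm_authenticate() and krb5_authenticate(), the errno they return is the only thing that selects the wire status, and the mapping lives in this if/else chain with no comment. A short errno-to-status table above the chain would let a reviewer verify that each value the helpers now return (-EPERM, -EINVAL, -ENOENT) reaches the status the commit message intends, and would keep a later helper from returning an errno that silently falls into the catch-all.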
From patchwork Mon Nov 14 12:51:32 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Jason Yan <yanaijie(a)huawei.com>
X-Patchwork-Id: 183280
From: Jason Yan <yanaijie(a)huawei.com>
To: <yanaijie(a)huawei.com>, <zhengzengkai(a)huawei.com>, <xiexiuqi(a)huawei.com>,
<yi.zhang(a)huawei.com>, <patchwork(a)huawei.com>, <kernel.openeuler(a)huawei.com>,
<houtao1(a)huawei.com>
Subject: [PATCH OLK-5.10 v2 183/308] ksmbd: set STATUS_INVALID_PARAMETER error
status if credit charge is invalid
Date: Mon, 14 Nov 2022 20:51:32 +0800
Message-ID: <20221114125337.1831594-184-yanaijie(a)huawei.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20221114125337.1831594-1-yanaijie(a)huawei.com>
References: <20221114125337.1831594-1-yanaijie(a)huawei.com>
From: Namjae Jeon <namjae.jeon(a)samsung.com>
mainline inclusion
from mainline-5.15-rc1
commit 67307023d02b1339e0b930b742fe5a9cd81284ca
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G
CVE: NA
Reference: https://git.kernel.org/torvalds/linux/c/67307023d02b
-------------------------------
The MS-SMB2 specification states:
If the calculated credit number is greater than the CreditCharge,
the server MUST fail the request with the error code
STATUS_INVALID_PARAMETER.
Signed-off-by: Namjae Jeon <namjae.jeon(a)samsung.com>
Signed-off-by: Steve French <stfrench(a)microsoft.com>
Signed-off-by: Jason Yan <yanaijie(a)huawei.com>
---
fs/ksmbd/server.c | 20 ++++++++++----------
fs/ksmbd/smb2misc.c | 9 +++++++--
2 files changed, 17 insertions(+), 12 deletions(-)
diff --git a/fs/ksmbd/server.c b/fs/ksmbd/server.c
index c9a3a459f3e6..8db739283d76 100644
--- a/fs/ksmbd/server.c
+++ b/fs/ksmbd/server.c
@@ -101,8 +101,8 @@ static inline int check_conn_state(struct ksmbd_work *work)
return 0;
}
-#define TCP_HANDLER_CONTINUE 0
-#define TCP_HANDLER_ABORT 1
+#define SERVER_HANDLER_CONTINUE 0
+#define SERVER_HANDLER_ABORT 1
static int __process_request(struct ksmbd_work *work, struct ksmbd_conn *conn,
u16 *cmd)
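Review bot: The TCP_HANDLER_* to SERVER_HANDLER_* rename here and in the following server.c hunks is unrelated to the credit charge status named in the subject, and it makes up most of the diff. Split it into its own patch so the behavioural change in smb2misc.c is easy to find when bisecting or backporting.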
@@ -112,10 +112,10 @@ static int __process_request(struct ksmbd_work *work, struct ksmbd_conn *conn,
int ret;
if (check_conn_state(work))
- return TCP_HANDLER_CONTINUE;
+ return SERVER_HANDLER_CONTINUE;
if (ksmbd_verify_smb_message(work))
- return TCP_HANDLER_ABORT;
+ return SERVER_HANDLER_ABORT;
command = conn->ops->get_cmd_val(work);
*cmd = command;
@@ -123,21 +123,21 @@ static int __process_request(struct ksmbd_work *work, struct ksmbd_conn *conn,
andx_again:
if (command >= conn->max_cmds) {
conn->ops->set_rsp_status(work, STATUS_INVALID_PARAMETER);
- return TCP_HANDLER_CONTINUE;
+ return SERVER_HANDLER_CONTINUE;
}
cmds = &conn->cmds[command];
if (!cmds->proc) {
ksmbd_debug(SMB, "*** not implemented yet cmd = %x\n", command);
conn->ops->set_rsp_status(work, STATUS_NOT_IMPLEMENTED);
- return TCP_HANDLER_CONTINUE;
+ return SERVER_HANDLER_CONTINUE;
}
if (work->sess && conn->ops->is_sign_req(work, command)) {
ret = conn->ops->check_sign_req(work);
if (!ret) {
conn->ops->set_rsp_status(work, STATUS_ACCESS_DENIED);
- return TCP_HANDLER_CONTINUE;
+ return SERVER_HANDLER_CONTINUE;
}
}
@@ -153,8 +153,8 @@ static int __process_request(struct ksmbd_work *work, struct ksmbd_conn *conn,
}
if (work->send_no_response)
- return TCP_HANDLER_ABORT;
- return TCP_HANDLER_CONTINUE;
+ return SERVER_HANDLER_ABORT;
+ return SERVER_HANDLER_CONTINUE;
}
static void __handle_ksmbd_work(struct ksmbd_work *work,
@@ -203,7 +203,7 @@ static void __handle_ksmbd_work(struct ksmbd_work *work,
do {
rc = __process_request(work, conn, &command);
- if (rc == TCP_HANDLER_ABORT)
+ if (rc == SERVER_HANDLER_ABORT)
break;
/*
diff --git a/fs/ksmbd/smb2misc.c b/fs/ksmbd/smb2misc.c
index 4508631c5706..e68aa7d718ed 100644
--- a/fs/ksmbd/smb2misc.c
+++ b/fs/ksmbd/smb2misc.c
@@ -423,8 +423,13 @@ int ksmbd_smb2_check_message(struct ksmbd_work *work)
return 1;
}
- return work->conn->vals->capabilities & SMB2_GLOBAL_CAP_LARGE_MTU ?
- smb2_validate_credit_charge(hdr) : 0;
+ if ((work->conn->vals->capabilities & SMB2_GLOBAL_CAP_LARGE_MTU) &&
+ smb2_validate_credit_charge(hdr)) {
+ work->conn->ops->set_rsp_status(work, STATUS_INVALID_PARAMETER);
+ return 1;
+ }
+
+ return 0;
}
int smb2_negotiate_request(struct ksmbd_work *work)
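Review bot: The credit charge check is still the last statement in ksmbd_smb2_check_message(), so any earlier successful return in the function leaves a client-supplied CreditCharge unvalidated and the new STATUS_INVALID_PARAMETER is never set. Patch 184/308 in this series moves the check ahead of the request size verification for that reason; the two should be applied together or folded into one.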
From patchwork Mon Nov 14 12:51:33 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Jason Yan <yanaijie(a)huawei.com>
X-Patchwork-Id: 183281
From: Jason Yan <yanaijie(a)huawei.com>
To: <yanaijie(a)huawei.com>, <zhengzengkai(a)huawei.com>, <xiexiuqi(a)huawei.com>,
<yi.zhang(a)huawei.com>, <patchwork(a)huawei.com>, <kernel.openeuler(a)huawei.com>,
<houtao1(a)huawei.com>
Subject: [PATCH OLK-5.10 v2 184/308] ksmbd: move credit charge verification
over smb2 request size verification
Date: Mon, 14 Nov 2022 20:51:33 +0800
Message-ID: <20221114125337.1831594-185-yanaijie(a)huawei.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20221114125337.1831594-1-yanaijie(a)huawei.com>
References: <20221114125337.1831594-1-yanaijie(a)huawei.com>
From: Namjae Jeon <namjae.jeon(a)samsung.com>
mainline inclusion
from mainline-5.15-rc1
commit d347d745f06c7e6503abc08f68dc3b71da71596d
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G
CVE: NA
Reference: https://git.kernel.org/torvalds/linux/c/d347d745f06c
-------------------------------
Move credit charge verification over smb2 request size verification
to avoid being skipped.
Signed-off-by: Namjae Jeon <namjae.jeon(a)samsung.com>
Signed-off-by: Steve French <stfrench(a)microsoft.com>
Signed-off-by: Jason Yan <yanaijie(a)huawei.com>
---
fs/ksmbd/smb2misc.c | 12 ++++++------
1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/fs/ksmbd/smb2misc.c b/fs/ksmbd/smb2misc.c
index e68aa7d718ed..9aa46bb3e10d 100644
--- a/fs/ksmbd/smb2misc.c
+++ b/fs/ksmbd/smb2misc.c
@@ -385,6 +385,12 @@ int ksmbd_smb2_check_message(struct ksmbd_work *work)
}
}
+ if ((work->conn->vals->capabilities & SMB2_GLOBAL_CAP_LARGE_MTU) &&
+ smb2_validate_credit_charge(hdr)) {
+ work->conn->ops->set_rsp_status(work, STATUS_INVALID_PARAMETER);
+ return 1;
+ }
+
clc_len = smb2_calc_size(hdr);
if (len != clc_len) {
/* server can return one byte more due to implied bcc[0] */
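Review bot: With the check moved here, smb2_validate_credit_charge(hdr) runs before smb2_calc_size(hdr) and the len != clc_len comparison, so it now operates on a request whose computed size has not yet been compared with the received length. Please confirm it reads only header fields that earlier checks in this function have already bounded, and add a comment that the ordering is deliberate so a later cleanup does not move it back below the size check.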
@@ -423,12 +429,6 @@ int ksmbd_smb2_check_message(struct ksmbd_work *work)
return 1;
}
- if ((work->conn->vals->capabilities & SMB2_GLOBAL_CAP_LARGE_MTU) &&
- smb2_validate_credit_charge(hdr)) {
- work->conn->ops->set_rsp_status(work, STATUS_INVALID_PARAMETER);
- return 1;
- }
-
return 0;
}
From patchwork Mon Nov 14 12:51:34 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Jason Yan <yanaijie(a)huawei.com>
X-Patchwork-Id: 183282
From: Jason Yan <yanaijie(a)huawei.com>
To: <yanaijie(a)huawei.com>, <zhengzengkai(a)huawei.com>, <xiexiuqi(a)huawei.com>,
<yi.zhang(a)huawei.com>, <patchwork(a)huawei.com>, <kernel.openeuler(a)huawei.com>,
<houtao1(a)huawei.com>
Subject: [PATCH OLK-5.10 v2 185/308] ksmbd: fix typo of MS-SMBD
Date: Mon, 14 Nov 2022 20:51:34 +0800
Message-ID: <20221114125337.1831594-186-yanaijie(a)huawei.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20221114125337.1831594-1-yanaijie(a)huawei.com>
References: <20221114125337.1831594-1-yanaijie(a)huawei.com>
From: Namjae Jeon <namjae.jeon(a)samsung.com>
mainline inclusion
from mainline-5.15-rc1
commit 9223958816f9df133ae936c9371378ba1203e0da
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G
CVE: NA
Reference: https://git.kernel.org/torvalds/linux/c/9223958816f9
-------------------------------
Fix typo : "MS-KSMBD" => "MS-SMBD".
Signed-off-by: Namjae Jeon <namjae.jeon(a)samsung.com>
Signed-off-by: Steve French <stfrench(a)microsoft.com>
Signed-off-by: Jason Yan <yanaijie(a)huawei.com>
---
fs/ksmbd/transport_rdma.c | 2 +-
fs/ksmbd/transport_rdma.h | 6 +++---
2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/fs/ksmbd/transport_rdma.c b/fs/ksmbd/transport_rdma.c
index f818fe358f31..f2ae6bae83f1 100644
--- a/fs/ksmbd/transport_rdma.c
+++ b/fs/ksmbd/transport_rdma.c
@@ -58,7 +58,7 @@
/*
* User configurable initial values per SMB_DIRECT transport connection
- * as defined in [MS-KSMBD] 3.1.1.1
+ * as defined in [MS-SMBD] 3.1.1.1
* Those may change after a SMB_DIRECT negotiation
*/
/* The local peer's maximum number of credits to grant to the peer */
diff --git a/fs/ksmbd/transport_rdma.h b/fs/ksmbd/transport_rdma.h
index 72e2574079f3..0fa8adc0776f 100644
--- a/fs/ksmbd/transport_rdma.h
+++ b/fs/ksmbd/transport_rdma.h
@@ -9,7 +9,7 @@
#define SMB_DIRECT_PORT 5445
-/* SMB DIRECT negotiation request packet [MS-KSMBD] 2.2.1 */
+/* SMB DIRECT negotiation request packet [MS-SMBD] 2.2.1 */
struct smb_direct_negotiate_req {
__le16 min_version;
__le16 max_version;
@@ -20,7 +20,7 @@ struct smb_direct_negotiate_req {
__le32 max_fragmented_size;
} __packed;
-/* SMB DIRECT negotiation response packet [MS-KSMBD] 2.2.2 */
+/* SMB DIRECT negotiation response packet [MS-SMBD] 2.2.2 */
struct smb_direct_negotiate_resp {
__le16 min_version;
__le16 max_version;
@@ -37,7 +37,7 @@ struct smb_direct_negotiate_resp {
#define SMB_DIRECT_RESPONSE_REQUESTED 0x0001
-/* SMB DIRECT data transfer packet with payload [MS-KSMBD] 2.2.3 */
+/* SMB DIRECT data transfer packet with payload [MS-SMBD] 2.2.3 */
struct smb_direct_data_transfer {
__le16 credits_requested;
__le16 credits_granted;
From patchwork Mon Nov 14 12:51:35 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Jason Yan <yanaijie(a)huawei.com>
X-Patchwork-Id: 183283
From: Jason Yan <yanaijie(a)huawei.com>
To: <yanaijie(a)huawei.com>, <zhengzengkai(a)huawei.com>, <xiexiuqi(a)huawei.com>,
<yi.zhang(a)huawei.com>, <patchwork(a)huawei.com>, <kernel.openeuler(a)huawei.com>,
<houtao1(a)huawei.com>
Subject: [PATCH OLK-5.10 v2 186/308] ksmbd: add negotiate context verification
Date: Mon, 14 Nov 2022 20:51:35 +0800
Message-ID: <20221114125337.1831594-187-yanaijie(a)huawei.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20221114125337.1831594-1-yanaijie(a)huawei.com>
References: <20221114125337.1831594-1-yanaijie(a)huawei.com>
Content-Type: text/plain
MIME-Version: 1.0
From: Namjae Jeon <namjae.jeon(a)samsung.com>
mainline inclusion
from mainline-5.15-rc1
commit af320a739029f6f8c5c05e769fadaf88e9b7d34f
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G
CVE: NA
Reference: https://git.kernel.org/torvalds/linux/c/af320a739029
-------------------------------
This patch adds negotiate context verification code to check bounds.
Signed-off-by: Namjae Jeon <namjae.jeon(a)samsung.com>
Signed-off-by: Steve French <stfrench(a)microsoft.com>
Signed-off-by: Jason Yan <yanaijie(a)huawei.com>
---
fs/ksmbd/smb2pdu.c | 118 ++++++++++++++++++++++++---------------------
fs/ksmbd/smb2pdu.h | 6 +--
2 files changed, 65 insertions(+), 59 deletions(-)
diff --git a/fs/ksmbd/smb2pdu.c b/fs/ksmbd/smb2pdu.c
index f65e518759a5..30bc210ce40b 100644
--- a/fs/ksmbd/smb2pdu.c
+++ b/fs/ksmbd/smb2pdu.c
@@ -835,10 +835,10 @@ static void assemble_neg_contexts(struct ksmbd_conn *conn,
build_encrypt_ctxt((struct smb2_encryption_neg_context *)pneg_ctxt,
conn->cipher_type);
rsp->NegotiateContextCount = cpu_to_le16(++neg_ctxt_cnt);
- ctxt_size += sizeof(struct smb2_encryption_neg_context);
+ ctxt_size += sizeof(struct smb2_encryption_neg_context) + 2;
/* Round to 8 byte boundary */
pneg_ctxt +=
- round_up(sizeof(struct smb2_encryption_neg_context),
+ round_up(sizeof(struct smb2_encryption_neg_context) + 2,
8);
}
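Review bot: The bare `+ 2` added to both `sizeof(struct smb2_encryption_neg_context)` uses in assemble_neg_contexts() is a magic number that only makes sense once you know `Ciphers[1]` becomes `Ciphers[]` in smb2pdu.h later in this patch. Spell it as `sizeof(__le16)` for the single cipher entry, or use `struct_size()` with the cipher count, so the response size stays correct if more than one cipher is ever returned. The compression hunk that follows has the same pattern.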
@@ -850,9 +850,10 @@ static void assemble_neg_contexts(struct ksmbd_conn *conn,
build_compression_ctxt((struct smb2_compression_ctx *)pneg_ctxt,
conn->compress_algorithm);
rsp->NegotiateContextCount = cpu_to_le16(++neg_ctxt_cnt);
- ctxt_size += sizeof(struct smb2_compression_ctx);
+ ctxt_size += sizeof(struct smb2_compression_ctx) + 2;
/* Round to 8 byte boundary */
- pneg_ctxt += round_up(sizeof(struct smb2_compression_ctx), 8);
+ pneg_ctxt += round_up(sizeof(struct smb2_compression_ctx) + 2,
+ 8);
}
if (conn->posix_ext_supported) {
@@ -881,16 +882,23 @@ static __le32 decode_preauth_ctxt(struct ksmbd_conn *conn,
return err;
}
-static int decode_encrypt_ctxt(struct ksmbd_conn *conn,
- struct smb2_encryption_neg_context *pneg_ctxt)
+static void decode_encrypt_ctxt(struct ksmbd_conn *conn,
+ struct smb2_encryption_neg_context *pneg_ctxt,
+ int len_of_ctxts)
{
- int i;
int cph_cnt = le16_to_cpu(pneg_ctxt->CipherCount);
+ int i, cphs_size = cph_cnt * sizeof(__le16);
conn->cipher_type = 0;
+ if (sizeof(struct smb2_encryption_neg_context) + cphs_size >
+ len_of_ctxts) {
+ pr_err("Invalid cipher count(%d)\n", cph_cnt);
+ return;
+ }
+
if (!(server_conf.flags & KSMBD_GLOBAL_FLAG_SMB2_ENCRYPTION))
- goto out;
+ return;
for (i = 0; i < cph_cnt; i++) {
if (pneg_ctxt->Ciphers[i] == SMB2_ENCRYPTION_AES128_GCM ||
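Review bot: The new cipher-count check in decode_encrypt_ctxt() detects a bad `CipherCount`, but the function now returns void, so deassemble_neg_contexts() cannot turn it into STATUS_INVALID_PARAMETER and negotiation continues with `cipher_type` left at 0. Consider returning an error and failing the negotiate. The bound is also taken against `len_of_ctxts` (all remaining context bytes) rather than this context's own `DataLength`, so a cipher list that runs past its context into the next one is accepted. Finally, `pr_err()` on a value supplied by a client before authentication lets a peer fill the kernel log; a rate-limited or debug-level message fits better.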
@@ -903,90 +911,88 @@ static int decode_encrypt_ctxt(struct ksmbd_conn *conn,
break;
}
}
-
-out:
- /*
- * Return encrypt context size in request.
- * So need to plus extra number of ciphers size.
- */
- return sizeof(struct smb2_encryption_neg_context) +
- ((cph_cnt - 1) * 2);
}
-static int decode_compress_ctxt(struct ksmbd_conn *conn,
- struct smb2_compression_ctx *pneg_ctxt)
+static void decode_compress_ctxt(struct ksmbd_conn *conn,
+ struct smb2_compression_ctx *pneg_ctxt)
{
- int algo_cnt = le16_to_cpu(pneg_ctxt->CompressionAlgorithmCount);
-
conn->compress_algorithm = SMB3_COMPRESS_NONE;
-
- /*
- * Return compression context size in request.
- * So need to plus extra number of CompressionAlgorithms size.
- */
- return sizeof(struct smb2_compression_ctx) +
- ((algo_cnt - 1) * 2);
}
static __le32 deassemble_neg_contexts(struct ksmbd_conn *conn,
struct smb2_negotiate_req *req)
{
- int i = 0;
- __le32 status = 0;
/* +4 is to account for the RFC1001 len field */
- char *pneg_ctxt = (char *)req +
- le32_to_cpu(req->NegotiateContextOffset) + 4;
- __le16 *ContextType = (__le16 *)pneg_ctxt;
+ struct smb2_neg_context *pctx = (struct smb2_neg_context *)((char *)req + 4);
+ int i = 0, len_of_ctxts;
+ int offset = le32_to_cpu(req->NegotiateContextOffset);
int neg_ctxt_cnt = le16_to_cpu(req->NegotiateContextCount);
- int ctxt_size;
+ int len_of_smb = be32_to_cpu(req->hdr.smb2_buf_length);
+ __le32 status = STATUS_INVALID_PARAMETER;
+
+ ksmbd_debug(SMB, "decoding %d negotiate contexts\n", neg_ctxt_cnt);
+ if (len_of_smb <= offset) {
+ ksmbd_debug(SMB, "Invalid response: negotiate context offset\n");
+ return status;
+ }
+
+ len_of_ctxts = len_of_smb - offset;
- ksmbd_debug(SMB, "negotiate context count = %d\n", neg_ctxt_cnt);
- status = STATUS_INVALID_PARAMETER;
while (i++ < neg_ctxt_cnt) {
- if (*ContextType == SMB2_PREAUTH_INTEGRITY_CAPABILITIES) {
+ int clen;
+
+ /* check that offset is not beyond end of SMB */
+ if (len_of_ctxts == 0)
+ break;
+
+ if (len_of_ctxts < sizeof(struct smb2_neg_context))
+ break;
+
+ pctx = (struct smb2_neg_context *)((char *)pctx + offset);
+ clen = le16_to_cpu(pctx->DataLength);
+ if (clen + sizeof(struct smb2_neg_context) > len_of_ctxts)
+ break;
+
+ if (pctx->ContextType == SMB2_PREAUTH_INTEGRITY_CAPABILITIES) {
ksmbd_debug(SMB,
"deassemble SMB2_PREAUTH_INTEGRITY_CAPABILITIES context\n");
if (conn->preauth_info->Preauth_HashId)
break;
status = decode_preauth_ctxt(conn,
- (struct smb2_preauth_neg_context *)pneg_ctxt);
- pneg_ctxt += DIV_ROUND_UP(sizeof(struct smb2_preauth_neg_context), 8) * 8;
- } else if (*ContextType == SMB2_ENCRYPTION_CAPABILITIES) {
+ (struct smb2_preauth_neg_context *)pctx);
+ if (status != STATUS_SUCCESS)
+ break;
+ } else if (pctx->ContextType == SMB2_ENCRYPTION_CAPABILITIES) {
ksmbd_debug(SMB,
"deassemble SMB2_ENCRYPTION_CAPABILITIES context\n");
if (conn->cipher_type)
break;
- ctxt_size = decode_encrypt_ctxt(conn,
- (struct smb2_encryption_neg_context *)pneg_ctxt);
- pneg_ctxt += DIV_ROUND_UP(ctxt_size, 8) * 8;
- } else if (*ContextType == SMB2_COMPRESSION_CAPABILITIES) {
+ decode_encrypt_ctxt(conn,
+ (struct smb2_encryption_neg_context *)pctx,
+ len_of_ctxts);
+ } else if (pctx->ContextType == SMB2_COMPRESSION_CAPABILITIES) {
ksmbd_debug(SMB,
"deassemble SMB2_COMPRESSION_CAPABILITIES context\n");
if (conn->compress_algorithm)
break;
- ctxt_size = decode_compress_ctxt(conn,
- (struct smb2_compression_ctx *)pneg_ctxt);
- pneg_ctxt += DIV_ROUND_UP(ctxt_size, 8) * 8;
- } else if (*ContextType == SMB2_NETNAME_NEGOTIATE_CONTEXT_ID) {
+ decode_compress_ctxt(conn,
+ (struct smb2_compression_ctx *)pctx);
+ } else if (pctx->ContextType == SMB2_NETNAME_NEGOTIATE_CONTEXT_ID) {
ksmbd_debug(SMB,
"deassemble SMB2_NETNAME_NEGOTIATE_CONTEXT_ID context\n");
- ctxt_size = sizeof(struct smb2_netname_neg_context);
- ctxt_size += DIV_ROUND_UP(le16_to_cpu(((struct smb2_netname_neg_context *)
- pneg_ctxt)->DataLength), 8) * 8;
- pneg_ctxt += ctxt_size;
- } else if (*ContextType == SMB2_POSIX_EXTENSIONS_AVAILABLE) {
+ } else if (pctx->ContextType == SMB2_POSIX_EXTENSIONS_AVAILABLE) {
ksmbd_debug(SMB,
"deassemble SMB2_POSIX_EXTENSIONS_AVAILABLE context\n");
conn->posix_ext_supported = true;
- pneg_ctxt += DIV_ROUND_UP(sizeof(struct smb2_posix_neg_context), 8) * 8;
}
- ContextType = (__le16 *)pneg_ctxt;
- if (status != STATUS_SUCCESS)
- break;
+ /* offsets must be 8 byte aligned */
+ clen = (clen + 7) & ~0x7;
+ offset = clen + sizeof(struct smb2_neg_context);
+ len_of_ctxts -= clen + sizeof(struct smb2_neg_context);
}
return status;
}
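Review bot: In the deassemble_neg_contexts() loop, the length check uses the unrounded `clen` (`clen + sizeof(struct smb2_neg_context) > len_of_ctxts`), but the bottom of the loop subtracts the 8-byte-rounded `clen` from `len_of_ctxts`. When the final context's data is not a multiple of 8 and the request carries no padding, `len_of_ctxts` goes negative. The next iteration's `len_of_ctxts < sizeof(struct smb2_neg_context)` compares an int with a size_t, so the negative value is treated as a large unsigned number and the loop reads a context header beyond the end of the request whenever `NegotiateContextCount` claims more contexts. Validate the rounded length before subtracting, or keep the remaining length unsigned and test it before the subtraction. Separately, the preauth branch casts `pctx` to `struct smb2_preauth_neg_context` without confirming that `clen` covers that structure.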
diff --git a/fs/ksmbd/smb2pdu.h b/fs/ksmbd/smb2pdu.h
index 0eac40e1ba65..21cb93e771f7 100644
--- a/fs/ksmbd/smb2pdu.h
+++ b/fs/ksmbd/smb2pdu.h
@@ -299,7 +299,7 @@ struct smb2_encryption_neg_context {
__le32 Reserved;
/* CipherCount usally 2, but can be 3 when AES256-GCM enabled */
__le16 CipherCount; /* AES-128-GCM and AES-128-CCM by default */
- __le16 Ciphers[1];
+ __le16 Ciphers[];
} __packed;
#define SMB3_COMPRESS_NONE cpu_to_le16(0x0000)
@@ -314,7 +314,7 @@ struct smb2_compression_ctx {
__le16 CompressionAlgorithmCount;
__u16 Padding;
__le32 Reserved1;
- __le16 CompressionAlgorithms[1];
+ __le16 CompressionAlgorithms[];
} __packed;
#define POSIX_CTXT_DATA_LEN 16
@@ -329,7 +329,7 @@ struct smb2_netname_neg_context {
__le16 ContextType; /* 0x100 */
__le16 DataLength;
__le32 Reserved;
- __le16 NetName[0]; /* hostname of target converted to UCS-2 */
+ __le16 NetName[]; /* hostname of target converted to UCS-2 */
} __packed;
struct smb2_negotiate_rsp {
From patchwork Mon Nov 14 12:51:36 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Jason Yan <yanaijie(a)huawei.com>
X-Patchwork-Id: 183284
From: Jason Yan <yanaijie(a)huawei.com>
To: <yanaijie(a)huawei.com>, <zhengzengkai(a)huawei.com>, <xiexiuqi(a)huawei.com>,
<yi.zhang(a)huawei.com>, <patchwork(a)huawei.com>, <kernel.openeuler(a)huawei.com>,
<houtao1(a)huawei.com>
Subject: [PATCH OLK-5.10 v2 187/308] ksmbd: add support for negotiating
signing algorithm
Date: Mon, 14 Nov 2022 20:51:36 +0800
Message-ID: <20221114125337.1831594-188-yanaijie(a)huawei.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20221114125337.1831594-1-yanaijie(a)huawei.com>
References: <20221114125337.1831594-1-yanaijie(a)huawei.com>
Content-Type: text/plain
MIME-Version: 1.0
From: Namjae Jeon <namjae.jeon(a)samsung.com>
mainline inclusion
from mainline-5.15-rc1
commit 378087cd17eea71c4e78e6053597e38429ccee0f
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G
CVE: NA
Reference: https://git.kernel.org/torvalds/linux/c/378087cd17ee
-------------------------------
Support for faster packet signing (using GMAC instead of CMAC) can
now be negotiated to some newer servers, including Windows.
See MS-SMB2 section 2.2.3.17.
This patch adds support for sending the new negotiate context with two
supported signing algorithms (AES-CMAC, HMAC-SHA256).
If the client adds support for AES_GMAC, server support will be added later
depending on it.
Signed-off-by: Namjae Jeon <namjae.jeon(a)samsung.com>
Signed-off-by: Steve French <stfrench(a)microsoft.com>
Signed-off-by: Jason Yan <yanaijie(a)huawei.com>
---
fs/ksmbd/connection.h | 2 ++
fs/ksmbd/smb2ops.c | 4 +++
fs/ksmbd/smb2pdu.c | 58 +++++++++++++++++++++++++++++++++++++++++++
fs/ksmbd/smb2pdu.h | 14 +++++++++++
4 files changed, 78 insertions(+)
diff --git a/fs/ksmbd/connection.h b/fs/ksmbd/connection.h
index 487c2024b0d5..e5403c587a58 100644
--- a/fs/ksmbd/connection.h
+++ b/fs/ksmbd/connection.h
@@ -109,6 +109,8 @@ struct ksmbd_conn {
__le16 cipher_type;
__le16 compress_algorithm;
bool posix_ext_supported;
+ bool signing_negotiated;
+ __le16 signing_algorithm;
bool binding;
};
diff --git a/fs/ksmbd/smb2ops.c b/fs/ksmbd/smb2ops.c
index 8262908e467c..197473871aa4 100644
--- a/fs/ksmbd/smb2ops.c
+++ b/fs/ksmbd/smb2ops.c
@@ -204,6 +204,7 @@ void init_smb2_1_server(struct ksmbd_conn *conn)
conn->cmds = smb2_0_server_cmds;
conn->max_cmds = ARRAY_SIZE(smb2_0_server_cmds);
conn->max_credits = SMB2_MAX_CREDITS;
+ conn->signing_algorithm = SIGNING_ALG_HMAC_SHA256;
if (server_conf.flags & KSMBD_GLOBAL_FLAG_SMB2_LEASES)
conn->vals->capabilities |= SMB2_GLOBAL_CAP_LEASING;
@@ -221,6 +222,7 @@ void init_smb3_0_server(struct ksmbd_conn *conn)
conn->cmds = smb2_0_server_cmds;
conn->max_cmds = ARRAY_SIZE(smb2_0_server_cmds);
conn->max_credits = SMB2_MAX_CREDITS;
+ conn->signing_algorithm = SIGNING_ALG_AES_CMAC;
if (server_conf.flags & KSMBD_GLOBAL_FLAG_SMB2_LEASES)
conn->vals->capabilities |= SMB2_GLOBAL_CAP_LEASING;
@@ -245,6 +247,7 @@ void init_smb3_02_server(struct ksmbd_conn *conn)
conn->cmds = smb2_0_server_cmds;
conn->max_cmds = ARRAY_SIZE(smb2_0_server_cmds);
conn->max_credits = SMB2_MAX_CREDITS;
+ conn->signing_algorithm = SIGNING_ALG_AES_CMAC;
if (server_conf.flags & KSMBD_GLOBAL_FLAG_SMB2_LEASES)
conn->vals->capabilities |= SMB2_GLOBAL_CAP_LEASING;
@@ -269,6 +272,7 @@ int init_smb3_11_server(struct ksmbd_conn *conn)
conn->cmds = smb2_0_server_cmds;
conn->max_cmds = ARRAY_SIZE(smb2_0_server_cmds);
conn->max_credits = SMB2_MAX_CREDITS;
+ conn->signing_algorithm = SIGNING_ALG_AES_CMAC;
if (server_conf.flags & KSMBD_GLOBAL_FLAG_SMB2_LEASES)
conn->vals->capabilities |= SMB2_GLOBAL_CAP_LEASING;
diff --git a/fs/ksmbd/smb2pdu.c b/fs/ksmbd/smb2pdu.c
index 30bc210ce40b..f6a09c1eb1d2 100644
--- a/fs/ksmbd/smb2pdu.c
+++ b/fs/ksmbd/smb2pdu.c
@@ -786,6 +786,18 @@ static void build_compression_ctxt(struct smb2_compression_ctx *pneg_ctxt,
pneg_ctxt->CompressionAlgorithms[0] = comp_algo;
}
+static void build_sign_cap_ctxt(struct smb2_signing_capabilities *pneg_ctxt,
+ __le16 sign_algo)
+{
+ pneg_ctxt->ContextType = SMB2_SIGNING_CAPABILITIES;
+ pneg_ctxt->DataLength =
+ cpu_to_le16((sizeof(struct smb2_signing_capabilities) + 2)
+ - sizeof(struct smb2_neg_context));
+ pneg_ctxt->Reserved = cpu_to_le32(0);
+ pneg_ctxt->SigningAlgorithmCount = cpu_to_le16(1);
+ pneg_ctxt->SigningAlgorithms[0] = sign_algo;
+}
+
static void build_posix_ctxt(struct smb2_posix_neg_context *pneg_ctxt)
{
pneg_ctxt->ContextType = SMB2_POSIX_EXTENSIONS_AVAILABLE;
@@ -863,6 +875,18 @@ static void assemble_neg_contexts(struct ksmbd_conn *conn,
build_posix_ctxt((struct smb2_posix_neg_context *)pneg_ctxt);
rsp->NegotiateContextCount = cpu_to_le16(++neg_ctxt_cnt);
ctxt_size += sizeof(struct smb2_posix_neg_context);
+ /* Round to 8 byte boundary */
+ pneg_ctxt += round_up(sizeof(struct smb2_posix_neg_context), 8);
+ }
+
+ if (conn->signing_negotiated) {
+ ctxt_size = round_up(ctxt_size, 8);
+ ksmbd_debug(SMB,
+ "assemble SMB2_SIGNING_CAPABILITIES context\n");
+ build_sign_cap_ctxt((struct smb2_signing_capabilities *)pneg_ctxt,
+ conn->signing_algorithm);
+ rsp->NegotiateContextCount = cpu_to_le16(++neg_ctxt_cnt);
+ ctxt_size += sizeof(struct smb2_signing_capabilities) + 2;
}
inc_rfc1001_len(rsp, ctxt_size);
@@ -919,6 +943,34 @@ static void decode_compress_ctxt(struct ksmbd_conn *conn,
conn->compress_algorithm = SMB3_COMPRESS_NONE;
}
+static void decode_sign_cap_ctxt(struct ksmbd_conn *conn,
+ struct smb2_signing_capabilities *pneg_ctxt,
+ int len_of_ctxts)
+{
+ int sign_algo_cnt = le16_to_cpu(pneg_ctxt->SigningAlgorithmCount);
+ int i, sign_alos_size = sign_algo_cnt * sizeof(__le16);
+
+ conn->signing_negotiated = false;
+
+ if (sizeof(struct smb2_signing_capabilities) + sign_alos_size >
+ len_of_ctxts) {
+ pr_err("Invalid signing algorithm count(%d)\n", sign_algo_cnt);
+ return;
+ }
+
+ for (i = 0; i < sign_algo_cnt; i++) {
+ if (pneg_ctxt->SigningAlgorithms[i] == SIGNING_ALG_HMAC_SHA256 ||
+ pneg_ctxt->SigningAlgorithms[i] == SIGNING_ALG_AES_CMAC) {
+ ksmbd_debug(SMB, "Signing Algorithm ID = 0x%x\n",
+ pneg_ctxt->SigningAlgorithms[i]);
+ conn->signing_negotiated = true;
+ conn->signing_algorithm =
+ pneg_ctxt->SigningAlgorithms[i];
+ break;
+ }
+ }
+}
+
static __le32 deassemble_neg_contexts(struct ksmbd_conn *conn,
struct smb2_negotiate_req *req)
{
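Review bot: decode_sign_cap_ctxt() stores the first acceptable entry from the client's list in `conn->signing_algorithm`, but the only reader of that field in this patch is build_sign_cap_ctxt(); the 58 lines added to smb2pdu.c are the build, assemble and decode code shown here. The algorithm echoed to the client is therefore not tied to the signing routine actually used. Either restrict the choice to what the dialect's signing code will use or wire the negotiated value into signing. Two smaller points: the debug line prints the `__le16` value without `le16_to_cpu()`, and the bound is checked against `len_of_ctxts` rather than the context's own `DataLength`.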
@@ -987,6 +1039,12 @@ static __le32 deassemble_neg_contexts(struct ksmbd_conn *conn,
ksmbd_debug(SMB,
"deassemble SMB2_POSIX_EXTENSIONS_AVAILABLE context\n");
conn->posix_ext_supported = true;
+ } else if (pctx->ContextType == SMB2_SIGNING_CAPABILITIES) {
+ ksmbd_debug(SMB,
+ "deassemble SMB2_SIGNING_CAPABILITIES context\n");
+ decode_sign_cap_ctxt(conn,
+ (struct smb2_signing_capabilities *)pctx,
+ len_of_ctxts);
}
/* offsets must be 8 byte aligned */
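Review bot: The new SMB2_SIGNING_CAPABILITIES branch has no duplicate guard, unlike the encryption and compression branches, which `break` when `conn->cipher_type` or `conn->compress_algorithm` is already set. A request carrying the context twice lets the second copy replace the first result, since decode_sign_cap_ctxt() resets `signing_negotiated` to false on entry. Add a matching `if (conn->signing_negotiated) break;` check for consistency.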
diff --git a/fs/ksmbd/smb2pdu.h b/fs/ksmbd/smb2pdu.h
index 21cb93e771f7..89019f67234c 100644
--- a/fs/ksmbd/smb2pdu.h
+++ b/fs/ksmbd/smb2pdu.h
@@ -268,6 +268,7 @@ struct preauth_integrity_info {
#define SMB2_ENCRYPTION_CAPABILITIES cpu_to_le16(2)
#define SMB2_COMPRESSION_CAPABILITIES cpu_to_le16(3)
#define SMB2_NETNAME_NEGOTIATE_CONTEXT_ID cpu_to_le16(5)
+#define SMB2_SIGNING_CAPABILITIES cpu_to_le16(8)
#define SMB2_POSIX_EXTENSIONS_AVAILABLE cpu_to_le16(0x100)
struct smb2_neg_context {
@@ -332,6 +333,19 @@ struct smb2_netname_neg_context {
__le16 NetName[]; /* hostname of target converted to UCS-2 */
} __packed;
+/* Signing algorithms */
+#define SIGNING_ALG_HMAC_SHA256 cpu_to_le16(0)
+#define SIGNING_ALG_AES_CMAC cpu_to_le16(1)
+#define SIGNING_ALG_AES_GMAC cpu_to_le16(2)
+
+struct smb2_signing_capabilities {
+ __le16 ContextType; /* 8 */
+ __le16 DataLength;
+ __le32 Reserved;
+ __le16 SigningAlgorithmCount;
+ __le16 SigningAlgorithms[];
+} __packed;
+
struct smb2_negotiate_rsp {
struct smb2_hdr hdr;
__le16 StructureSize; /* Must be 65 */
From patchwork Mon Nov 14 12:51:37 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Jason Yan <yanaijie(a)huawei.com>
X-Patchwork-Id: 183285
From: Jason Yan <yanaijie(a)huawei.com>
To: <yanaijie(a)huawei.com>, <zhengzengkai(a)huawei.com>, <xiexiuqi(a)huawei.com>,
<yi.zhang(a)huawei.com>, <patchwork(a)huawei.com>, <kernel.openeuler(a)huawei.com>,
<houtao1(a)huawei.com>
Subject: [PATCH OLK-5.10 v2 188/308] ksmbd: Fix potential memory leak in
tcp_destroy_socket()
Date: Mon, 14 Nov 2022 20:51:37 +0800
Message-ID: <20221114125337.1831594-189-yanaijie(a)huawei.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20221114125337.1831594-1-yanaijie(a)huawei.com>
References: <20221114125337.1831594-1-yanaijie(a)huawei.com>
Content-Type: text/plain
MIME-Version: 1.0
From: Marios Makassikis <mmakassikis(a)freebox.fr>
mainline inclusion
from mainline-5.15-rc1
commit 654c8876f93677915b1a009bc7f2421ab8750bf1
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G
CVE: NA
Reference: https://git.kernel.org/torvalds/linux/c/654c8876f936
-------------------------------
ksmbd_socket must be freed even if kernel_sock_shutdown() somehow fails.
Signed-off-by: Marios Makassikis <mmakassikis(a)freebox.fr>
Signed-off-by: Namjae Jeon <namjae.jeon(a)samsung.com>
Signed-off-by: Steve French <stfrench(a)microsoft.com>
Signed-off-by: Jason Yan <yanaijie(a)huawei.com>
---
fs/ksmbd/transport_tcp.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/fs/ksmbd/transport_tcp.c b/fs/ksmbd/transport_tcp.c
index 56ec11ff5a9f..dc15a5ecd2e0 100644
--- a/fs/ksmbd/transport_tcp.c
+++ b/fs/ksmbd/transport_tcp.c
@@ -381,8 +381,7 @@ static void tcp_destroy_socket(struct socket *ksmbd_socket)
ret = kernel_sock_shutdown(ksmbd_socket, SHUT_RDWR);
if (ret)
pr_err("Failed to shutdown socket: %d\n", ret);
- else
- sock_release(ksmbd_socket);
+ sock_release(ksmbd_socket);
}
/**
From patchwork Mon Nov 14 12:51:38 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Jason Yan <yanaijie(a)huawei.com>
X-Patchwork-Id: 183286
From: Jason Yan <yanaijie(a)huawei.com>
To: <yanaijie(a)huawei.com>, <zhengzengkai(a)huawei.com>, <xiexiuqi(a)huawei.com>,
<yi.zhang(a)huawei.com>, <patchwork(a)huawei.com>, <kernel.openeuler(a)huawei.com>,
<houtao1(a)huawei.com>
Subject: [PATCH OLK-5.10 v2 189/308] ksmbd: fix -Wstringop-truncation warnings
Date: Mon, 14 Nov 2022 20:51:38 +0800
Message-ID: <20221114125337.1831594-190-yanaijie(a)huawei.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20221114125337.1831594-1-yanaijie(a)huawei.com>
References: <20221114125337.1831594-1-yanaijie(a)huawei.com>
Content-Type: text/plain
MIME-Version: 1.0
From: Hyunchul Lee <hyc.lee(a)gmail.com>
mainline inclusion
from mainline-5.15-rc1
commit 1d904eaf3f99565bdeffbed359e44dd88efbef02
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G
CVE: NA
Reference: https://git.kernel.org/torvalds/linux/c/1d904eaf3f99
-------------------------------
Kernel test bot reports the following warnings:
In function 'ndr_write_string',
inlined from 'ndr_encode_dos_attr' at fs/ksmbd/ndr.c:136:3:
>> fs/ksmbd/ndr.c:70:2: warning: 'strncpy' destination unchanged after
copying no bytes [-Wstringop-truncation]
70 | strncpy(PAYLOAD_HEAD(n), value, sz);
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
In function 'ndr_write_string',
inlined from 'ndr_encode_dos_attr' at fs/ksmbd/ndr.c:134:3:
>> fs/ksmbd/ndr.c:70:2: warning: 'strncpy' output truncated before
terminating nul copying as many bytes from a string as its length
[-Wstringop-truncation]
70 | strncpy(PAYLOAD_HEAD(n), value, sz);
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
fs/ksmbd/ndr.c: In function 'ndr_encode_dos_attr':
fs/ksmbd/ndr.c:134:3: note: length computed here
134 | ndr_write_string(n, hex_attr, strlen(hex_attr));
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Reported-by: kernel test robot <lkp(a)intel.com>
Signed-off-by: Hyunchul Lee <hyc.lee(a)gmail.com>
Signed-off-by: Namjae Jeon <namjae.jeon(a)samsung.com>
Signed-off-by: Steve French <stfrench(a)microsoft.com>
Signed-off-by: Jason Yan <yanaijie(a)huawei.com>
---
fs/ksmbd/ndr.c | 12 +++++++-----
1 file changed, 7 insertions(+), 5 deletions(-)
diff --git a/fs/ksmbd/ndr.c b/fs/ksmbd/ndr.c
index bcf13a2aa9d4..50872377608d 100644
--- a/fs/ksmbd/ndr.c
+++ b/fs/ksmbd/ndr.c
@@ -65,13 +65,15 @@ static int ndr_write_bytes(struct ndr *n, void *value, size_t sz)
return 0;
}
-static int ndr_write_string(struct ndr *n, void *value, size_t sz)
+static int ndr_write_string(struct ndr *n, char *value)
{
+ size_t sz;
+
+ sz = strlen(value) + 1;
if (n->length <= n->offset + sz)
try_to_realloc_ndr_blob(n, sz);
- strncpy(ndr_get_field(n), value, sz);
- sz++;
+ memcpy(ndr_get_field(n), value, sz);
n->offset += sz;
n->offset = ALIGN(n->offset, 2);
return 0;
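Review bot: In ndr_write_string(), the result of try_to_realloc_ndr_blob() is still ignored before the new `memcpy()`; if that call can fail, `sz` bytes are copied past the end of the blob. Check the result and return an error, and have ndr_encode_dos_attr() propagate it instead of discarding the return value. Since callers now pass a string literal (`""`), the parameter should also be `const char *value`.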
@@ -134,9 +136,9 @@ int ndr_encode_dos_attr(struct ndr *n, struct xattr_dos_attrib *da)
if (da->version == 3) {
snprintf(hex_attr, 10, "0x%x", da->attr);
- ndr_write_string(n, hex_attr, strlen(hex_attr));
+ ndr_write_string(n, hex_attr);
} else {
- ndr_write_string(n, "", strlen(""));
+ ndr_write_string(n, "");
}
ndr_write_int16(n, da->version);
ndr_write_int32(n, da->version);
From patchwork Mon Nov 14 12:51:39 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Jason Yan <yanaijie(a)huawei.com>
X-Patchwork-Id: 183287
From: Jason Yan <yanaijie(a)huawei.com>
To: <yanaijie(a)huawei.com>, <zhengzengkai(a)huawei.com>, <xiexiuqi(a)huawei.com>,
<yi.zhang(a)huawei.com>, <patchwork(a)huawei.com>, <kernel.openeuler(a)huawei.com>,
<houtao1(a)huawei.com>
Subject: [PATCH OLK-5.10 v2 190/308] ksmbd: Return
STATUS_OBJECT_PATH_NOT_FOUND if smb2_creat() returns ENOENT
Date: Mon, 14 Nov 2022 20:51:39 +0800
Message-ID: <20221114125337.1831594-191-yanaijie(a)huawei.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20221114125337.1831594-1-yanaijie(a)huawei.com>
References: <20221114125337.1831594-1-yanaijie(a)huawei.com>
Content-Type: text/plain
MIME-Version: 1.0
From: Marios Makassikis <mmakassikis(a)freebox.fr>
mainline inclusion
from mainline-5.15-rc1
commit d337a44e429e6de23ed3d73fcb81ec44f7b05522
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G
CVE: NA
Reference: https://git.kernel.org/torvalds/linux/c/d337a44e429e
-------------------------------
Both Windows 10's SMB server and samba return STATUS_OBJECT_PATH_NOT_FOUND
when trying to access a nonexistent path.
This fixes Windows 10 File History tool. The latter relies on the server
returning STATUS_OBJECT_PATH_NOT_FOUND to figure out what part of the
target path needs to be created. Returning STATUS_OBJECT_NAME_INVALID
will make it stop and display an error to the user.
Signed-off-by: Marios Makassikis <mmakassikis(a)freebox.fr>
Signed-off-by: Namjae Jeon <namjae.jeon(a)samsung.com>
Signed-off-by: Steve French <stfrench(a)microsoft.com>
Signed-off-by: Jason Yan <yanaijie(a)huawei.com>
---
fs/ksmbd/smb2pdu.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/fs/ksmbd/smb2pdu.c b/fs/ksmbd/smb2pdu.c
index f6a09c1eb1d2..4c9f3e6abf0f 100644
--- a/fs/ksmbd/smb2pdu.c
+++ b/fs/ksmbd/smb2pdu.c
@@ -2755,8 +2755,13 @@ int smb2_open(struct ksmbd_work *work)
if (!file_present) {
rc = smb2_creat(work, &path, name, open_flags, posix_mode,
req->CreateOptions & FILE_DIRECTORY_FILE_LE);
- if (rc)
+ if (rc) {
+ if (rc == -ENOENT) {
+ rc = -EIO;
+ rsp->hdr.Status = STATUS_OBJECT_PATH_NOT_FOUND;
+ }
goto err_out;
+ }
created = true;
if (ea_buf) {
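Review bot: the new "rc = -EIO;" inside the "if (rc == -ENOENT)" branch needs a comment, because on its own it reads like an error being mislabelled. Going by the commit message, leaving rc at -ENOENT would let the shared err_out path answer with STATUS_OBJECT_NAME_INVALID, so the errno is swapped only to protect the status set on the next line. Say that in the code, or have err_out skip its errno mapping when rsp->hdr.Status is already set, so the real errno can be kept for the return value and for debugging.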
From patchwork Mon Nov 14 12:51:40 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Jason Yan <yanaijie(a)huawei.com>
X-Patchwork-Id: 183288
Return-Path: <yanaijie(a)huawei.com>
From: Jason Yan <yanaijie(a)huawei.com>
To: <yanaijie(a)huawei.com>, <zhengzengkai(a)huawei.com>, <xiexiuqi(a)huawei.com>,
<yi.zhang(a)huawei.com>, <patchwork(a)huawei.com>, <kernel.openeuler(a)huawei.com>,
<houtao1(a)huawei.com>
Subject: [PATCH OLK-5.10 v2 191/308] ksmbd: don't set RSS capable in
FSCTL_QUERY_NETWORK_INTERFACE_INFO
Date: Mon, 14 Nov 2022 20:51:40 +0800
Message-ID: <20221114125337.1831594-192-yanaijie(a)huawei.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20221114125337.1831594-1-yanaijie(a)huawei.com>
References: <20221114125337.1831594-1-yanaijie(a)huawei.com>
Content-Type: text/plain
MIME-Version: 1.0
From: Namjae Jeon <namjae.jeon(a)samsung.com>
mainline inclusion
from mainline-5.15-rc1
commit 9fb8fac08f6670c9bba70d6c616ad84dd7a45528
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G
CVE: NA
Reference: https://git.kernel.org/torvalds/linux/c/9fb8fac08f66
-------------------------------
ksmbd does not support RSS mode stably.
RSS mode enabling will be set later.
Signed-off-by: Namjae Jeon <namjae.jeon(a)samsung.com>
Signed-off-by: Steve French <stfrench(a)microsoft.com>
Signed-off-by: Jason Yan <yanaijie(a)huawei.com>
---
fs/ksmbd/smb2pdu.c | 2 --
1 file changed, 2 deletions(-)
diff --git a/fs/ksmbd/smb2pdu.c b/fs/ksmbd/smb2pdu.c
index 4c9f3e6abf0f..65367958f569 100644
--- a/fs/ksmbd/smb2pdu.c
+++ b/fs/ksmbd/smb2pdu.c
@@ -7048,8 +7048,6 @@ static int fsctl_query_iface_info_ioctl(struct ksmbd_conn *conn,
nii_rsp->IfIndex = cpu_to_le32(netdev->ifindex);
nii_rsp->Capability = 0;
- if (netdev->num_tx_queues > 1)
- nii_rsp->Capability |= cpu_to_le32(RSS_CAPABLE);
if (ksmbd_rdma_capable_netdev(netdev))
nii_rsp->Capability |= cpu_to_le32(RDMA_CAPABLE);
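Review bot: with the two RSS_CAPABLE lines removed, nothing in the code records that this is temporary, although the commit message says RSS will be enabled later. A one-line comment at "nii_rsp->Capability = 0;" stating that RSS is deliberately not advertised until ksmbd supports it would stop the num_tx_queues test from being re-added as an apparent omission. Advertising only what the server can honour is the right default for this response.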
From patchwork Mon Nov 14 12:51:41 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Jason Yan <yanaijie(a)huawei.com>
X-Patchwork-Id: 183289
Return-Path: <yanaijie(a)huawei.com>
From: Jason Yan <yanaijie(a)huawei.com>
To: <yanaijie(a)huawei.com>, <zhengzengkai(a)huawei.com>, <xiexiuqi(a)huawei.com>,
<yi.zhang(a)huawei.com>, <patchwork(a)huawei.com>, <kernel.openeuler(a)huawei.com>,
<houtao1(a)huawei.com>
Subject: [PATCH OLK-5.10 v2 192/308] ksmbd: use channel signingkey for binding
SMB2 session setup
Date: Mon, 14 Nov 2022 20:51:41 +0800
Message-ID: <20221114125337.1831594-193-yanaijie(a)huawei.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20221114125337.1831594-1-yanaijie(a)huawei.com>
References: <20221114125337.1831594-1-yanaijie(a)huawei.com>
Content-Type: text/plain
MIME-Version: 1.0
From: Namjae Jeon <namjae.jeon(a)samsung.com>
mainline inclusion
from mainline-5.15-rc1
commit 08bdbc6ef46ad522a24dc6b8e01c039cb0c7e761
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G
CVE: NA
Reference: https://git.kernel.org/torvalds/linux/c/08bdbc6ef46a
-------------------------------
Windows client disconnects the connection because of a wrongly signed SMB2
session setup response in SMB3 multichannel mode.
Signed-off-by: Namjae Jeon <namjae.jeon(a)samsung.com>
Signed-off-by: Steve French <stfrench(a)microsoft.com>
Signed-off-by: Jason Yan <yanaijie(a)huawei.com>
---
fs/ksmbd/smb2pdu.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/fs/ksmbd/smb2pdu.c b/fs/ksmbd/smb2pdu.c
index 65367958f569..4b3df48df7a4 100644
--- a/fs/ksmbd/smb2pdu.c
+++ b/fs/ksmbd/smb2pdu.c
@@ -8103,7 +8103,8 @@ void smb3_set_sign_rsp(struct ksmbd_work *work)
len = ALIGN(len, 8);
}
- if (le16_to_cpu(hdr->Command) == SMB2_SESSION_SETUP_HE) {
+ if (conn->binding == false &&
+ le16_to_cpu(hdr->Command) == SMB2_SESSION_SETUP_HE) {
signing_key = work->sess->smb3signingkey;
} else {
chann = lookup_chann_list(work->sess, work->conn);
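Review bot: "conn->binding == false" in the new condition should be written "!conn->binding", and the hunk does not show where conn is declared while the else branch two lines down spells it work->conn; use one spelling for both. Since a binding session setup now takes the else branch, the result of lookup_chann_list(work->sess, work->conn) is what decides the signing key for that response. The code after the lookup is outside the visible lines, so confirm that a NULL channel is handled there before its key is read.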
From patchwork Mon Nov 14 12:51:42 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Jason Yan <yanaijie(a)huawei.com>
X-Patchwork-Id: 183290
Return-Path: <yanaijie(a)huawei.com>
From: Jason Yan <yanaijie(a)huawei.com>
To: <yanaijie(a)huawei.com>, <zhengzengkai(a)huawei.com>, <xiexiuqi(a)huawei.com>,
<yi.zhang(a)huawei.com>, <patchwork(a)huawei.com>, <kernel.openeuler(a)huawei.com>,
<houtao1(a)huawei.com>
Subject: [PATCH OLK-5.10 v2 193/308] ksmbd: fix missing error code in
smb2_lock
Date: Mon, 14 Nov 2022 20:51:42 +0800
Message-ID: <20221114125337.1831594-194-yanaijie(a)huawei.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20221114125337.1831594-1-yanaijie(a)huawei.com>
References: <20221114125337.1831594-1-yanaijie(a)huawei.com>
Content-Type: text/plain
MIME-Version: 1.0
From: Namjae Jeon <namjae.jeon(a)samsung.com>
mainline inclusion
from mainline-5.15-rc1
commit 6c99dfc4c5f6fa1f5a90c068be6201d7a0cebff1
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G
CVE: NA
Reference: https://git.kernel.org/torvalds/linux/c/6c99dfc4c5f6
-------------------------------
Dan reported a warning from a static checker about a missing error code
in smb2_lock. This patch adds the error code to avoid the static checker
warning.
Reported-by: Dan Carpenter <dan.carpenter(a)oracle.com>
Signed-off-by: Namjae Jeon <namjae.jeon(a)samsung.com>
Signed-off-by: Steve French <stfrench(a)microsoft.com>
Signed-off-by: Jason Yan <yanaijie(a)huawei.com>
---
fs/ksmbd/smb2pdu.c | 66 ++++++++++++++++++++++++----------------------
1 file changed, 34 insertions(+), 32 deletions(-)
diff --git a/fs/ksmbd/smb2pdu.c b/fs/ksmbd/smb2pdu.c
index 4b3df48df7a4..32a66f37e008 100644
--- a/fs/ksmbd/smb2pdu.c
+++ b/fs/ksmbd/smb2pdu.c
@@ -6544,7 +6544,7 @@ int smb2_lock(struct ksmbd_work *work)
int lock_count;
int flags = 0;
int cmd = 0;
- int err = 0, i;
+ int err = -EIO, i, rc = 0;
u64 lock_start, lock_length;
struct ksmbd_lock *smb_lock = NULL, *cmp_lock, *tmp, *tmp2;
struct ksmbd_conn *conn;
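Review bot: initialising err to -EIO in this declaration makes every exit through "return err" a failure unless something resets it, and none of the visible hunks assigns 0 to err. Confirm that the success path returns 0 explicitly rather than err, and add a comment here that -EIO is the catch-all which out2 turns into STATUS_LOCK_NOT_GRANTED, since several later hunks depend on that default without saying so.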
@@ -6560,7 +6560,7 @@ int smb2_lock(struct ksmbd_work *work)
if (!fp) {
ksmbd_debug(SMB, "Invalid file id for lock : %llu\n",
le64_to_cpu(req->VolatileFileId));
- rsp->hdr.Status = STATUS_FILE_CLOSED;
+ err = -ENOENT;
goto out2;
}
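Review bot: the "!fp" path jumps to out2, and the last hunk of this patch shows out2 calling ksmbd_fd_put(work, fp) unconditionally, so on this path it is called with fp == NULL. Either confirm that ksmbd_fd_put() accepts NULL or give this path its own exit that skips the put. The change from setting STATUS_FILE_CLOSED directly to "err = -ENOENT" is fine as long as -ENOENT keeps that single meaning in this function.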
@@ -6570,7 +6570,7 @@ int smb2_lock(struct ksmbd_work *work)
ksmbd_debug(SMB, "lock count is %d\n", lock_count);
if (!lock_count) {
- rsp->hdr.Status = STATUS_INVALID_PARAMETER;
+ err = -EINVAL;
goto out2;
}
@@ -6578,10 +6578,8 @@ int smb2_lock(struct ksmbd_work *work)
flags = le32_to_cpu(lock_ele[i].Flags);
flock = smb_flock_init(filp);
- if (!flock) {
- rsp->hdr.Status = STATUS_LOCK_NOT_GRANTED;
+ if (!flock)
goto out;
- }
cmd = smb2_set_flock_flags(flock, flags);
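Review bot: "if (!flock) goto out;" now sets no error at all and depends on the -EIO default to come out as STATUS_LOCK_NOT_GRANTED. If smb_flock_init() fails only on allocation, "err = -ENOMEM" would be the accurate code, but that changes the status sent to the client, so decide it deliberately. Otherwise add a short comment that the default is intended, here and at the other bare "goto out" sites this patch creates.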
@@ -6619,8 +6617,7 @@ int smb2_lock(struct ksmbd_work *work)
if (cmp_lock->fl->fl_type != F_UNLCK &&
flock->fl_type != F_UNLCK) {
pr_err("conflict two locks in one request\n");
- rsp->hdr.Status =
- STATUS_INVALID_PARAMETER;
+ err = -EINVAL;
goto out;
}
}
@@ -6628,19 +6625,19 @@ int smb2_lock(struct ksmbd_work *work)
smb_lock = smb2_lock_init(flock, cmd, flags, &lock_list);
if (!smb_lock) {
- rsp->hdr.Status = STATUS_INVALID_PARAMETER;
+ err = -EINVAL;
goto out;
}
}
list_for_each_entry_safe(smb_lock, tmp, &lock_list, llist) {
if (smb_lock->cmd < 0) {
- rsp->hdr.Status = STATUS_INVALID_PARAMETER;
+ err = -EINVAL;
goto out;
}
if (!(smb_lock->flags & SMB2_LOCKFLAG_MASK)) {
- rsp->hdr.Status = STATUS_INVALID_PARAMETER;
+ err = -EINVAL;
goto out;
}
@@ -6648,7 +6645,7 @@ int smb2_lock(struct ksmbd_work *work)
smb_lock->flags & SMB2_LOCKFLAG_UNLOCK) ||
(prior_lock == SMB2_LOCKFLAG_UNLOCK &&
!(smb_lock->flags & SMB2_LOCKFLAG_UNLOCK))) {
- rsp->hdr.Status = STATUS_INVALID_PARAMETER;
+ err = -EINVAL;
goto out;
}
@@ -6701,8 +6698,7 @@ int smb2_lock(struct ksmbd_work *work)
spin_unlock(&conn->llist_lock);
read_unlock(&conn_list_lock);
pr_err("previous lock conflict with zero byte lock range\n");
- rsp->hdr.Status = STATUS_LOCK_NOT_GRANTED;
- goto out;
+ goto out;
}
if (smb_lock->zero_len && !cmp_lock->zero_len &&
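Review bot: the "goto out;" line in this hunk is removed and re-added with only its whitespace changed, and the next hunk does the same. An indentation fix folded into an error-code patch makes the backport harder to compare against mainline; mention it in the commit message or split it out. The STATUS_LOCK_NOT_GRANTED assignment dropped above it is again covered only by the -EIO default.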
@@ -6711,8 +6707,7 @@ int smb2_lock(struct ksmbd_work *work)
spin_unlock(&conn->llist_lock);
read_unlock(&conn_list_lock);
pr_err("current lock conflict with zero byte lock range\n");
- rsp->hdr.Status = STATUS_LOCK_NOT_GRANTED;
- goto out;
+ goto out;
}
if (((cmp_lock->start <= smb_lock->start &&
@@ -6723,8 +6718,6 @@ int smb2_lock(struct ksmbd_work *work)
spin_unlock(&conn->llist_lock);
read_unlock(&conn_list_lock);
pr_err("Not allow lock operation on exclusive lock range\n");
- rsp->hdr.Status =
- STATUS_LOCK_NOT_GRANTED;
goto out;
}
}
@@ -6747,19 +6740,19 @@ int smb2_lock(struct ksmbd_work *work)
flock = smb_lock->fl;
list_del(&smb_lock->llist);
retry:
- err = vfs_lock_file(filp, smb_lock->cmd, flock, NULL);
+ rc = vfs_lock_file(filp, smb_lock->cmd, flock, NULL);
skip:
if (flags & SMB2_LOCKFLAG_UNLOCK) {
- if (!err) {
+ if (!rc) {
ksmbd_debug(SMB, "File unlocked\n");
- } else if (err == -ENOENT) {
+ } else if (rc == -ENOENT) {
rsp->hdr.Status = STATUS_NOT_LOCKED;
goto out;
}
locks_free_lock(flock);
kfree(smb_lock);
} else {
- if (err == FILE_LOCK_DEFERRED) {
+ if (rc == FILE_LOCK_DEFERRED) {
void **argv;
ksmbd_debug(SMB,
@@ -6777,12 +6770,11 @@ int smb2_lock(struct ksmbd_work *work)
}
argv[0] = flock;
- err = setup_async_work(work,
- smb2_remove_blocked_lock,
- argv);
- if (err) {
- rsp->hdr.Status =
- STATUS_INSUFFICIENT_RESOURCES;
+ rc = setup_async_work(work,
+ smb2_remove_blocked_lock,
+ argv);
+ if (rc) {
+ err = -ENOMEM;
goto out;
}
spin_lock(&fp->f_lock);
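Review bot: "if (rc) { err = -ENOMEM;" discards whatever setup_async_work() returned and reports every failure as out of memory. That preserves the old STATUS_INSUFFICIENT_RESOURCES reply, but if the helper can fail for another reason the errno is misleading; propagate rc where it is meaningful. Also check that argv is released on this path: the hunk shows argv[0] being filled just before the call and no free before "goto out".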
@@ -6829,7 +6821,7 @@ int smb2_lock(struct ksmbd_work *work)
list_del(&work->fp_entry);
spin_unlock(&fp->f_lock);
goto retry;
- } else if (!err) {
+ } else if (!rc) {
spin_lock(&work->conn->llist_lock);
list_add_tail(&smb_lock->clist,
&work->conn->lock_list);
@@ -6839,7 +6831,6 @@ int smb2_lock(struct ksmbd_work *work)
list_add(&smb_lock->llist, &rollback_list);
ksmbd_debug(SMB, "successful in taking lock\n");
} else {
- rsp->hdr.Status = STATUS_LOCK_NOT_GRANTED;
goto out;
}
}
@@ -6865,7 +6856,6 @@ int smb2_lock(struct ksmbd_work *work)
list_for_each_entry_safe(smb_lock, tmp, &rollback_list, llist) {
struct file_lock *rlock = NULL;
- int rc;
rlock = smb_flock_init(filp);
rlock->fl_type = F_UNLCK;
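Review bot: "rlock = smb_flock_init(filp);" is followed directly by "rlock->fl_type = F_UNLCK;" with no NULL check, while the same function's result is tested with "if (!flock)" earlier in smb2_lock(). A failed allocation during rollback would be a NULL pointer dereference in the kernel on the error path; add a check and skip or abort the rollback entry. With the local "int rc;" removed, this loop now writes the function-level rc, which is harmless here because err carries the return value.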
@@ -6888,7 +6878,19 @@ int smb2_lock(struct ksmbd_work *work)
kfree(smb_lock);
}
out2:
- ksmbd_debug(SMB, "failed in taking lock(flags : %x)\n", flags);
+ ksmbd_debug(SMB, "failed in taking lock(flags : %x), err : %d\n", flags, err);
+
+ if (!rsp->hdr.Status) {
+ if (err == -EINVAL)
+ rsp->hdr.Status = STATUS_INVALID_PARAMETER;
+ else if (err == -ENOMEM)
+ rsp->hdr.Status = STATUS_INSUFFICIENT_RESOURCES;
+ else if (err == -ENOENT)
+ rsp->hdr.Status = STATUS_FILE_CLOSED;
+ else
+ rsp->hdr.Status = STATUS_LOCK_NOT_GRANTED;
+ }
+
smb2_set_err_rsp(work);
ksmbd_fd_put(work, fp);
return err;
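Review bot: the errno-to-status chain added at out2 would read better as a switch on err, and the "if (!rsp->hdr.Status)" guard needs a comment saying it exists to keep statuses set earlier, such as STATUS_NOT_LOCKED in the unlock branch. The guard also assumes the status field is zero when smb2_lock() is entered; if the response buffer is not zeroed by the caller, a stale value would suppress the mapping. The reworked ksmbd_debug() line is over 80 columns and should be wrapped.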
From patchwork Mon Nov 14 12:51:43 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Jason Yan <yanaijie(a)huawei.com>
X-Patchwork-Id: 183291
Return-Path: <yanaijie(a)huawei.com>
From: Jason Yan <yanaijie(a)huawei.com>
To: <yanaijie(a)huawei.com>, <zhengzengkai(a)huawei.com>, <xiexiuqi(a)huawei.com>,
<yi.zhang(a)huawei.com>, <patchwork(a)huawei.com>, <kernel.openeuler(a)huawei.com>,
<houtao1(a)huawei.com>
Subject: [PATCH OLK-5.10 v2 194/308] ksmbd: add ipv6_addr_v4mapped check to
know if connection from client is ipv4
Date: Mon, 14 Nov 2022 20:51:43 +0800
Message-ID: <20221114125337.1831594-195-yanaijie(a)huawei.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20221114125337.1831594-1-yanaijie(a)huawei.com>
References: <20221114125337.1831594-1-yanaijie(a)huawei.com>
Content-Type: text/plain
MIME-Version: 1.0
From: Namjae Jeon <namjae.jeon(a)samsung.com>
mainline inclusion
from mainline-5.15-rc1
commit f1abdb78a1080a49deac6e91e1675525d1d3dfbe
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G
CVE: NA
Reference: https://git.kernel.org/torvalds/linux/c/f1abdb78a108
-------------------------------
ksmbd creates a socket with IPv6 to listen for both IPv4 and IPv6
connections from clients. The server should send the IP addresses of NICs
through the network interface info response. If the client connection is
IPv4, the server should fill the IPv4 address in the response buffer. But
ss_family is always PF_INET6 on an IPv6 socket, so this patch adds an
ipv6_addr_v4mapped check to know whether the client connection is IPv4.
Signed-off-by: Namjae Jeon <namjae.jeon(a)samsung.com>
Signed-off-by: Steve French <stfrench(a)microsoft.com>
Signed-off-by: Jason Yan <yanaijie(a)huawei.com>
---
fs/ksmbd/smb2pdu.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/fs/ksmbd/smb2pdu.c b/fs/ksmbd/smb2pdu.c
index 32a66f37e008..d2fc945c38ec 100644
--- a/fs/ksmbd/smb2pdu.c
+++ b/fs/ksmbd/smb2pdu.c
@@ -7035,6 +7035,7 @@ static int fsctl_query_iface_info_ioctl(struct ksmbd_conn *conn,
struct sockaddr_storage_rsp *sockaddr_storage;
unsigned int flags;
unsigned long long speed;
+ struct sockaddr_in6 *csin6 = (struct sockaddr_in6 *)&conn->peer_addr;
rtnl_lock();
for_each_netdev(&init_net, netdev) {
@@ -7074,7 +7075,8 @@ static int fsctl_query_iface_info_ioctl(struct ksmbd_conn *conn,
nii_rsp->SockAddr_Storage;
memset(sockaddr_storage, 0, 128);
- if (conn->peer_addr.ss_family == PF_INET) {
+ if (conn->peer_addr.ss_family == PF_INET ||
+ ipv6_addr_v4mapped(&csin6->sin6_addr)) {
struct in_device *idev;
sockaddr_storage->Family = cpu_to_le16(INTERNETWORK);
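Review bot: ipv6_addr_v4mapped(&csin6->sin6_addr) is evaluated for any ss_family other than PF_INET, because csin6 is an unconditional cast of &conn->peer_addr made in the previous hunk. Test "conn->peer_addr.ss_family == PF_INET6" before reading sin6_addr, so the v4-mapped check never interprets a sockaddr of another family. The context line "memset(sockaddr_storage, 0, 128)" would also be clearer with a named size instead of the literal.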
From patchwork Mon Nov 14 12:51:44 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Jason Yan <yanaijie(a)huawei.com>
X-Patchwork-Id: 183292
Return-Path: <yanaijie(a)huawei.com>
From: Jason Yan <yanaijie(a)huawei.com>
To: <yanaijie(a)huawei.com>, <zhengzengkai(a)huawei.com>, <xiexiuqi(a)huawei.com>,
<yi.zhang(a)huawei.com>, <patchwork(a)huawei.com>, <kernel.openeuler(a)huawei.com>,
<houtao1(a)huawei.com>
Subject: [PATCH OLK-5.10 v2 195/308] ksmbd: fix an oops in error handling in
smb2_open()
Date: Mon, 14 Nov 2022 20:51:44 +0800
Message-ID: <20221114125337.1831594-196-yanaijie(a)huawei.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20221114125337.1831594-1-yanaijie(a)huawei.com>
References: <20221114125337.1831594-1-yanaijie(a)huawei.com>
Content-Type: text/plain
MIME-Version: 1.0
From: Dan Carpenter <dan.carpenter(a)oracle.com>
mainline inclusion
from mainline-5.15-rc1
commit 8b99f3504b688e3b55380521b6bf68c3d0c485d6
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G
CVE: NA
Reference: https://git.kernel.org/torvalds/linux/c/8b99f3504b68
-------------------------------
If smb2_get_name() then name is an error pointer. In the clean up
code, we try to kfree() it and that will lead to an Oops. Set it to
NULL instead.
Signed-off-by: Dan Carpenter <dan.carpenter(a)oracle.com>
Signed-off-by: Namjae Jeon <namjae.jeon(a)samsung.com>
Signed-off-by: Steve French <stfrench(a)microsoft.com>
Signed-off-by: Jason Yan <yanaijie(a)huawei.com>
---
fs/ksmbd/smb2pdu.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/fs/ksmbd/smb2pdu.c b/fs/ksmbd/smb2pdu.c
index d2fc945c38ec..8155a282c151 100644
--- a/fs/ksmbd/smb2pdu.c
+++ b/fs/ksmbd/smb2pdu.c
@@ -2451,6 +2451,7 @@ int smb2_open(struct ksmbd_work *work)
rc = PTR_ERR(name);
if (rc != -ENOMEM)
rc = -ENOENT;
+ name = NULL;
goto err_out1;
}
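Review bot: "name = NULL;" is correct only because the cleanup reached through err_out1 hands name to kfree(), which ignores NULL; put that in a comment on the new line, or store the smb2_get_name() result in a temporary and assign name only on success so an error pointer never reaches the shared label. The same pattern, an ERR_PTR left in a variable that a common exit label frees, is worth checking for in the other handlers of smb2pdu.c while this one is being fixed.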
From patchwork Mon Nov 14 12:51:45 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Jason Yan <yanaijie(a)huawei.com>
X-Patchwork-Id: 183293
Return-Path: <yanaijie(a)huawei.com>
From: Jason Yan <yanaijie(a)huawei.com>
To: <yanaijie(a)huawei.com>, <zhengzengkai(a)huawei.com>, <xiexiuqi(a)huawei.com>,
<yi.zhang(a)huawei.com>, <patchwork(a)huawei.com>, <kernel.openeuler(a)huawei.com>,
<houtao1(a)huawei.com>
Subject: [PATCH OLK-5.10 v2 196/308] ksmbd: Fix multi-protocol negotiation
Date: Mon, 14 Nov 2022 20:51:45 +0800
Message-ID: <20221114125337.1831594-197-yanaijie(a)huawei.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20221114125337.1831594-1-yanaijie(a)huawei.com>
References: <20221114125337.1831594-1-yanaijie(a)huawei.com>
Content-Type: text/plain
MIME-Version: 1.0
From: Marios Makassikis <mmakassikis(a)freebox.fr>
mainline inclusion
from mainline-5.15-rc1
commit eebff916f07775b2ecd9186439e69a70af24630b
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G
CVE: NA
Reference: https://git.kernel.org/torvalds/linux/c/eebff916f077
-------------------------------
To negotiate either the SMB2 protocol or SMB protocol, a client must
send a SMB_COM_NEGOTIATE message containing the list of dialects it
supports, to which the server will respond with either a
SMB_COM_NEGOTIATE or a SMB2_NEGOTIATE response.
The current implementation responds with the highest common dialect,
rather than looking explicitly for "SMB 2.???" and "SMB 2.002", as
indicated in [MS-SMB2]:
[MS-SMB2] 3.3.5.3.1:
If the server does not implement the SMB 2.1 or 3.x dialect family,
processing MUST continue as specified in 3.3.5.3.2.
Otherwise, the server MUST scan the dialects provided for the dialect
string "SMB 2.???". If the string is not present, continue to section
3.3.5.3.2. If the string is present, the server MUST respond with an
SMB2 NEGOTIATE Response as specified in 2.2.4.
[MS-SMB2] 3.3.5.3.2:
The server MUST scan the dialects provided for the dialect string "SMB
2.002". If the string is present, the client understands SMB2, and the
server MUST respond with an SMB2 NEGOTIATE Response.
This is an issue if a client attempts to negotiate SMB3.1.1 using
a SMB_COM_NEGOTIATE, as it will trigger the following NULL pointer
dereference:
8<--- cut here ---
Unable to handle kernel NULL pointer dereference at virtual address 00000000
pgd = 1917455e
[00000000] *pgd=00000000
Internal error: Oops: 17 [#1] ARM
CPU: 0 PID: 60 Comm: kworker/0:1 Not tainted 5.4.60-00027-g0518c02b5c5b #35
Hardware name: Marvell Kirkwood (Flattened Device Tree)
Workqueue: ksmbd-io handle_ksmbd_work
PC is at ksmbd_gen_preauth_integrity_hash+0x24/0x190
LR is at smb3_preauth_hash_rsp+0x50/0xa0
pc : [<802b7044>] lr : [<802d6ac0>] psr: 40000013
sp : bf199ed8 ip : 00000000 fp : 80d1edb0
r10: 80a3471b r9 : 8091af16 r8 : 80d70640
r7 : 00000072 r6 : be95e198 r5 : ca000000 r4 : b97fee00
r3 : 00000000 r2 : 00000002 r1 : b97fea00 r0 : b97fee00
Flags: nZcv IRQs on FIQs on Mode SVC_32 ISA ARM Segment user
Control: 0005317f Table: 3e7f4000 DAC: 00000055
Process kworker/0:1 (pid: 60, stack limit = 0x3dd1fdb4)
Stack: (0xbf199ed8 to 0xbf19a000)
9ec0: b97fee00 00000000
9ee0: be95e198 00000072 80d70640 802d6ac0 b3da2680 b97fea00 424d53ff be95e140
9f00: b97fee00 802bd7b0 bf10fa58 80128a78 00000000 000001c8 b6220000 bf0b7720
9f20: be95e198 80d0c410 bf7e2a00 00000000 00000000 be95e19c 80d0c370 80123b90
9f40: bf0b7720 be95e198 bf0b7720 bf0b7734 80d0c410 bf198000 80d0c424 80d116e0
9f60: bf10fa58 801240c0 00000000 bf10fa40 bf1463a0 bf198000 bf0b7720 80123ed0
9f80: bf077ee4 bf10fa58 00000000 80127f80 bf1463a0 80127e88 00000000 00000000
9fa0: 00000000 00000000 00000000 801010d0 00000000 00000000 00000000 00000000
9fc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
9fe0: 00000000 00000000 00000000 00000000 00000013 00000000 00000000 00000000
[<802b7044>] (ksmbd_gen_preauth_integrity_hash) from [<802d6ac0>] (smb3_preauth_hash_rsp+0x50/0xa0)
[<802d6ac0>] (smb3_preauth_hash_rsp) from [<802bd7b0>] (handle_ksmbd_work+0x348/0x3f8)
[<802bd7b0>] (handle_ksmbd_work) from [<80123b90>] (process_one_work+0x160/0x200)
[<80123b90>] (process_one_work) from [<801240c0>] (worker_thread+0x1f0/0x2e4)
[<801240c0>] (worker_thread) from [<80127f80>] (kthread+0xf8/0x10c)
[<80127f80>] (kthread) from [<801010d0>] (ret_from_fork+0x14/0x24)
Exception stack(0xbf199fb0 to 0xbf199ff8)
9fa0: 00000000 00000000 00000000 00000000
9fc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
9fe0: 00000000 00000000 00000000 00000000 00000013 00000000
Code: e1855803 e5d13003 e1855c03 e5903094 (e1d330b0)
---[ end trace 8d03be3ed09e5699 ]---
Kernel panic - not syncing: Fatal exception
smb3_preauth_hash_rsp() panics because conn->preauth_info is only allocated
when processing a SMB2 NEGOTIATE request.
Fix this by splitting the smb_protos array into two, each containing
only SMB1 and SMB2 dialects respectively.
While here, make ksmbd_negotiate_smb_dialect() static as it is not
called from anywhere else.
Signed-off-by: Marios Makassikis <mmakassikis(a)freebox.fr>
Signed-off-by: Namjae Jeon <namjae.jeon(a)samsung.com>
Signed-off-by: Steve French <stfrench(a)microsoft.com>
Signed-off-by: Jason Yan <yanaijie(a)huawei.com>
---
fs/ksmbd/smb_common.c | 53 +++++++++++++++++++++++++++++--------------
fs/ksmbd/smb_common.h | 1 -
2 files changed, 36 insertions(+), 18 deletions(-)
diff --git a/fs/ksmbd/smb_common.c b/fs/ksmbd/smb_common.c
index 61686d739ffc..b2370d0f08c6 100644
--- a/fs/ksmbd/smb_common.c
+++ b/fs/ksmbd/smb_common.c
@@ -30,7 +30,7 @@ struct smb_protocol {
__u16 prot_id;
};
-static struct smb_protocol smb_protos[] = {
+static struct smb_protocol smb1_protos[] = {
{
SMB21_PROT,
"\2SMB 2.1",
@@ -43,6 +43,15 @@ static struct smb_protocol smb_protos[] = {
"SMB2_22",
SMB2X_PROT_ID
},
+};
+
+static struct smb_protocol smb2_protos[] = {
+ {
+ SMB21_PROT,
+ "\2SMB 2.1",
+ "SMB2_10",
+ SMB21_PROT_ID
+ },
{
SMB30_PROT,
"\2SMB 3.0",
@@ -90,14 +99,24 @@ inline int ksmbd_max_protocol(void)
int ksmbd_lookup_protocol_idx(char *str)
{
- int offt = ARRAY_SIZE(smb_protos) - 1;
+ int offt = ARRAY_SIZE(smb1_protos) - 1;
int len = strlen(str);
while (offt >= 0) {
- if (!strncmp(str, smb_protos[offt].prot, len)) {
+ if (!strncmp(str, smb1_protos[offt].prot, len)) {
+ ksmbd_debug(SMB, "selected %s dialect idx = %d\n",
+ smb1_protos[offt].prot, offt);
+ return smb1_protos[offt].index;
+ }
+ offt--;
+ }
+
+ offt = ARRAY_SIZE(smb2_protos) - 1;
+ while (offt >= 0) {
+ if (!strncmp(str, smb2_protos[offt].prot, len)) {
ksmbd_debug(SMB, "selected %s dialect idx = %d\n",
- smb_protos[offt].prot, offt);
- return smb_protos[offt].index;
+ smb2_protos[offt].prot, offt);
+ return smb2_protos[offt].index;
}
offt--;
}
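Review bot: both loops in ksmbd_lookup_protocol_idx() compare with strncmp(str, ...prot, len) where len is strlen(str), which is a prefix match: an empty or truncated str matches the last entry of smb1_protos. Duplicating the loop doubles the places where that can happen. Fold the two loops into one helper that takes the table and its ARRAY_SIZE, and compare with strcmp() unless prefix matching is intended, in which case say so in a comment. The debug message also prints offt without saying which table it indexes.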
@@ -169,7 +188,7 @@ static int ksmbd_lookup_dialect_by_name(char *cli_dialects, __le16 byte_count)
int i, seq_num, bcount, next;
char *dialect;
- for (i = ARRAY_SIZE(smb_protos) - 1; i >= 0; i--) {
+ for (i = ARRAY_SIZE(smb1_protos) - 1; i >= 0; i--) {
seq_num = 0;
next = 0;
dialect = cli_dialects;
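Review bot: the name smb1_protos used in this loop is misleading, because the first hunk shows the table opening with the SMB21_PROT entry, so it holds SMB2 dialect strings that are acceptable inside an SMB_COM_NEGOTIATE rather than SMB1 dialects. Add a comment above the table stating that, and explain why it carries "SMB 2.1" when the [MS-SMB2] text quoted in the commit message names "SMB 2.???" and "SMB 2.002". The SMB21_PROT entry is now duplicated in smb2_protos with identical fields, so note that the two copies must stay in sync.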
@@ -178,14 +197,14 @@ static int ksmbd_lookup_dialect_by_name(char *cli_dialects, __le16 byte_count)
dialect = next_dialect(dialect, &next);
ksmbd_debug(SMB, "client requested dialect %s\n",
dialect);
- if (!strcmp(dialect, smb_protos[i].name)) {
- if (supported_protocol(smb_protos[i].index)) {
+ if (!strcmp(dialect, smb1_protos[i].name)) {
+ if (supported_protocol(smb1_protos[i].index)) {
ksmbd_debug(SMB,
"selected %s dialect\n",
- smb_protos[i].name);
- if (smb_protos[i].index == SMB1_PROT)
+ smb1_protos[i].name);
+ if (smb1_protos[i].index == SMB1_PROT)
return seq_num;
- return smb_protos[i].prot_id;
+ return smb1_protos[i].prot_id;
}
}
seq_num++;
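Review bot: the crash site named in the commit message, smb3_preauth_hash_rsp() using conn->preauth_info, gets no NULL check in this patch; the fix relies entirely on this loop no longer being able to return a 3.x prot_id from smb1_protos. A later edit to the table would bring the panic back for any client that sends the same negotiate request, so add the NULL check at the dereference as well. Separately, "if (smb1_protos[i].index == SMB1_PROT)" stays in the loop; if the table has no SMB1_PROT entry, which the visible entries suggest, that branch is dead and should be removed or commented.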
@@ -201,19 +220,19 @@ int ksmbd_lookup_dialect_by_id(__le16 *cli_dialects, __le16 dialects_count)
int i;
int count;
- for (i = ARRAY_SIZE(smb_protos) - 1; i >= 0; i--) {
+ for (i = ARRAY_SIZE(smb2_protos) - 1; i >= 0; i--) {
count = le16_to_cpu(dialects_count);
while (--count >= 0) {
ksmbd_debug(SMB, "client requested dialect 0x%x\n",
le16_to_cpu(cli_dialects[count]));
if (le16_to_cpu(cli_dialects[count]) !=
- smb_protos[i].prot_id)
+ smb2_protos[i].prot_id)
continue;
- if (supported_protocol(smb_protos[i].index)) {
+ if (supported_protocol(smb2_protos[i].index)) {
ksmbd_debug(SMB, "selected %s dialect\n",
- smb_protos[i].name);
- return smb_protos[i].prot_id;
+ smb2_protos[i].name);
+ return smb2_protos[i].prot_id;
}
}
}
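Review bot: in ksmbd_lookup_dialect_by_id(), count is taken straight from the client-supplied dialects_count and used to index cli_dialects[count], and nothing in the lines shown ties that count to the amount of request data actually received. If the caller does not already check that dialects_count entries fit inside the negotiate request, add that check before this loop (or pass the remaining buffer length in), so that a large dialect count cannot make the loop read past the request buffer.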
@@ -221,7 +240,7 @@ int ksmbd_lookup_dialect_by_id(__le16 *cli_dialects, __le16 dialects_count)
return BAD_PROT_ID;
}
-int ksmbd_negotiate_smb_dialect(void *buf)
+static int ksmbd_negotiate_smb_dialect(void *buf)
{
__le32 proto;
diff --git a/fs/ksmbd/smb_common.h b/fs/ksmbd/smb_common.h
index 95f297177c1a..a4a765440ea3 100644
--- a/fs/ksmbd/smb_common.h
+++ b/fs/ksmbd/smb_common.h
@@ -498,7 +498,6 @@ bool ksmbd_smb_request(struct ksmbd_conn *conn);
int ksmbd_lookup_dialect_by_id(__le16 *cli_dialects, __le16 dialects_count);
-int ksmbd_negotiate_smb_dialect(void *buf);
int ksmbd_init_smb_server(struct ksmbd_work *work);
bool ksmbd_pdu_size_has_room(unsigned int pdu);
From patchwork Mon Nov 14 12:51:46 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Jason Yan <yanaijie(a)huawei.com>
X-Patchwork-Id: 183294
From: Jason Yan <yanaijie(a)huawei.com>
To: <yanaijie(a)huawei.com>, <zhengzengkai(a)huawei.com>, <xiexiuqi(a)huawei.com>,
<yi.zhang(a)huawei.com>, <patchwork(a)huawei.com>, <kernel.openeuler(a)huawei.com>,
<houtao1(a)huawei.com>
Subject: [PATCH OLK-5.10 v2 197/308] ksmbd: change int data type to boolean
Date: Mon, 14 Nov 2022 20:51:46 +0800
Message-ID: <20221114125337.1831594-198-yanaijie(a)huawei.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20221114125337.1831594-1-yanaijie(a)huawei.com>
References: <20221114125337.1831594-1-yanaijie(a)huawei.com>
From: Namjae Jeon <namjae.jeon(a)samsung.com>
mainline inclusion
from mainline-5.15-rc1
commit f4228b678b410a401148f9ad9911d0013fa0f24e
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G
CVE: NA
Reference: https://git.kernel.org/torvalds/linux/c/f4228b678b41
-------------------------------
Change the data type of functions that return only 0 or 1 to boolean.
Signed-off-by: Namjae Jeon <namjae.jeon(a)samsung.com>
Signed-off-by: Steve French <stfrench(a)microsoft.com>
Signed-off-by: Jason Yan <yanaijie(a)huawei.com>
---
fs/ksmbd/smb2pdu.c | 32 ++++++++++++++++----------------
fs/ksmbd/smb2pdu.h | 6 +++---
fs/ksmbd/smb_common.h | 2 +-
3 files changed, 20 insertions(+), 20 deletions(-)
diff --git a/fs/ksmbd/smb2pdu.c b/fs/ksmbd/smb2pdu.c
index 8155a282c151..5684841450d6 100644
--- a/fs/ksmbd/smb2pdu.c
+++ b/fs/ksmbd/smb2pdu.c
@@ -58,18 +58,18 @@ static void __wbuf(struct ksmbd_work *work, void **req, void **rsp)
*
* Return: 1 if valid session id, otherwise 0
*/
-static inline int check_session_id(struct ksmbd_conn *conn, u64 id)
+static inline bool check_session_id(struct ksmbd_conn *conn, u64 id)
{
struct ksmbd_session *sess;
if (id == 0 || id == -1)
- return 0;
+ return false;
sess = ksmbd_session_lookup_all(conn, id);
if (sess)
- return 1;
+ return true;
pr_err("Invalid user session id: %llu\n", id);
- return 0;
+ return false;
}
struct channel *lookup_chann_list(struct ksmbd_session *sess, struct ksmbd_conn *conn)
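Review bot: the kernel-doc above check_session_id() still reads "Return: 1 if valid session id, otherwise 0" although the function now returns true/false; the comments for is_smb2_neg_cmd() and is_smb2_rsp() are updated later in this patch, so this one should be updated too. Separately, id == -1 compares a u64 against a signed literal; it works through integer conversion, but U64_MAX or (u64)-1 would state the intent.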
@@ -145,45 +145,45 @@ void smb2_set_err_rsp(struct ksmbd_work *work)
* is_smb2_neg_cmd() - is it smb2 negotiation command
* @work: smb work containing smb header
*
- * Return: 1 if smb2 negotiation command, otherwise 0
+ * Return: true if smb2 negotiation command, otherwise false
*/
-int is_smb2_neg_cmd(struct ksmbd_work *work)
+bool is_smb2_neg_cmd(struct ksmbd_work *work)
{
struct smb2_hdr *hdr = work->request_buf;
/* is it SMB2 header ? */
if (hdr->ProtocolId != SMB2_PROTO_NUMBER)
- return 0;
+ return false;
/* make sure it is request not response message */
if (hdr->Flags & SMB2_FLAGS_SERVER_TO_REDIR)
- return 0;
+ return false;
if (hdr->Command != SMB2_NEGOTIATE)
- return 0;
+ return false;
- return 1;
+ return true;
}
/**
* is_smb2_rsp() - is it smb2 response
* @work: smb work containing smb response buffer
*
- * Return: 1 if smb2 response, otherwise 0
+ * Return: true if smb2 response, otherwise false
*/
-int is_smb2_rsp(struct ksmbd_work *work)
+bool is_smb2_rsp(struct ksmbd_work *work)
{
struct smb2_hdr *hdr = work->response_buf;
/* is it SMB2 header ? */
if (hdr->ProtocolId != SMB2_PROTO_NUMBER)
- return 0;
+ return false;
/* make sure it is response not request message */
if (!(hdr->Flags & SMB2_FLAGS_SERVER_TO_REDIR))
- return 0;
+ return false;
- return 1;
+ return true;
}
/**
@@ -8244,7 +8244,7 @@ int smb3_encrypt_resp(struct ksmbd_work *work)
return rc;
}
-int smb3_is_transform_hdr(void *buf)
+bool smb3_is_transform_hdr(void *buf)
{
struct smb2_transform_hdr *trhdr = buf;
diff --git a/fs/ksmbd/smb2pdu.h b/fs/ksmbd/smb2pdu.h
index 89019f67234c..bcec845b03f3 100644
--- a/fs/ksmbd/smb2pdu.h
+++ b/fs/ksmbd/smb2pdu.h
@@ -1638,8 +1638,8 @@ void init_smb2_max_read_size(unsigned int sz);
void init_smb2_max_write_size(unsigned int sz);
void init_smb2_max_trans_size(unsigned int sz);
-int is_smb2_neg_cmd(struct ksmbd_work *work);
-int is_smb2_rsp(struct ksmbd_work *work);
+bool is_smb2_neg_cmd(struct ksmbd_work *work);
+bool is_smb2_rsp(struct ksmbd_work *work);
u16 get_smb2_cmd_val(struct ksmbd_work *work);
void set_smb2_rsp_status(struct ksmbd_work *work, __le32 err);
@@ -1664,7 +1664,7 @@ void smb2_send_interim_resp(struct ksmbd_work *work, __le32 status);
struct channel *lookup_chann_list(struct ksmbd_session *sess,
struct ksmbd_conn *conn);
void smb3_preauth_hash_rsp(struct ksmbd_work *work);
-int smb3_is_transform_hdr(void *buf);
+bool smb3_is_transform_hdr(void *buf);
int smb3_decrypt_req(struct ksmbd_work *work);
int smb3_encrypt_resp(struct ksmbd_work *work);
bool smb3_11_final_sess_setup_resp(struct ksmbd_work *work);
diff --git a/fs/ksmbd/smb_common.h b/fs/ksmbd/smb_common.h
index a4a765440ea3..57c667c1be06 100644
--- a/fs/ksmbd/smb_common.h
+++ b/fs/ksmbd/smb_common.h
@@ -473,7 +473,7 @@ struct smb_version_ops {
void (*set_sign_rsp)(struct ksmbd_work *work);
int (*generate_signingkey)(struct ksmbd_session *sess, struct ksmbd_conn *conn);
int (*generate_encryptionkey)(struct ksmbd_session *sess);
- int (*is_transform_hdr)(void *buf);
+ bool (*is_transform_hdr)(void *buf);
int (*decrypt_req)(struct ksmbd_work *work);
int (*encrypt_resp)(struct ksmbd_work *work);
};
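Review bot: is_transform_hdr becomes bool in smb_version_ops while its neighbours decrypt_req and encrypt_resp stay int, so a caller that stored the result in an int and tested it for a negative value would now never see one. No caller is touched by this patch; please confirm that every call site only tests the result for truth.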
From patchwork Mon Nov 14 12:51:47 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Jason Yan <yanaijie(a)huawei.com>
X-Patchwork-Id: 183295
From: Jason Yan <yanaijie(a)huawei.com>
To: <yanaijie(a)huawei.com>, <zhengzengkai(a)huawei.com>, <xiexiuqi(a)huawei.com>,
<yi.zhang(a)huawei.com>, <patchwork(a)huawei.com>, <kernel.openeuler(a)huawei.com>,
<houtao1(a)huawei.com>
Subject: [PATCH OLK-5.10 v2 198/308] ksmbd: update the comment for
smb2_get_ksmbd_tcon()
Date: Mon, 14 Nov 2022 20:51:47 +0800
Message-ID: <20221114125337.1831594-199-yanaijie(a)huawei.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20221114125337.1831594-1-yanaijie(a)huawei.com>
References: <20221114125337.1831594-1-yanaijie(a)huawei.com>
From: Namjae Jeon <namjae.jeon(a)samsung.com>
mainline inclusion
from mainline-5.15-rc1
commit 5ec3df8e98f51e21fe1f46633b6085897f9b040e
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G
CVE: NA
Reference: https://git.kernel.org/torvalds/linux/c/5ec3df8e98f5
-------------------------------
Update the comment for smb2_get_ksmbd_tcon().
Signed-off-by: Namjae Jeon <namjae.jeon(a)samsung.com>
Signed-off-by: Steve French <stfrench(a)microsoft.com>
Signed-off-by: Jason Yan <yanaijie(a)huawei.com>
---
fs/ksmbd/smb2pdu.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/fs/ksmbd/smb2pdu.c b/fs/ksmbd/smb2pdu.c
index 5684841450d6..711aac6f4e1b 100644
--- a/fs/ksmbd/smb2pdu.c
+++ b/fs/ksmbd/smb2pdu.c
@@ -85,10 +85,11 @@ struct channel *lookup_chann_list(struct ksmbd_session *sess, struct ksmbd_conn
}
/**
- * smb2_get_ksmbd_tcon() - get tree connection information for a tree id
+ * smb2_get_ksmbd_tcon() - get tree connection information using a tree id.
* @work: smb work
*
- * Return: matching tree connection on success, otherwise error
+ * Return: 0 if there is a tree connection matched or these are
+ * skipable commands, otherwise error
*/
int smb2_get_ksmbd_tcon(struct ksmbd_work *work)
{
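Review bot: the new Return: text says 0 when a tree connection is matched, but the function's success path, visible as context in the next patch of this series, ends in return 1. Either the comment should distinguish the two non-error values (which one means a match and which one means a skippable command) or the code should be made to agree with it. Also, "skipable" should be "skippable".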
From patchwork Mon Nov 14 12:51:48 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Jason Yan <yanaijie(a)huawei.com>
X-Patchwork-Id: 183296
From: Jason Yan <yanaijie(a)huawei.com>
To: <yanaijie(a)huawei.com>, <zhengzengkai(a)huawei.com>, <xiexiuqi(a)huawei.com>,
<yi.zhang(a)huawei.com>, <patchwork(a)huawei.com>, <kernel.openeuler(a)huawei.com>,
<houtao1(a)huawei.com>
Subject: [PATCH OLK-5.10 v2 199/308] ksmbd: use proper errno instead of -1 in
smb2_get_ksmbd_tcon()
Date: Mon, 14 Nov 2022 20:51:48 +0800
Message-ID: <20221114125337.1831594-200-yanaijie(a)huawei.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20221114125337.1831594-1-yanaijie(a)huawei.com>
References: <20221114125337.1831594-1-yanaijie(a)huawei.com>
From: Namjae Jeon <namjae.jeon(a)samsung.com>
mainline inclusion
from mainline-5.15-rc1
commit c6ce2b5716b04cc6ec36fa7e3c3b851368e6ee7c
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G
CVE: NA
Reference: https://git.kernel.org/torvalds/linux/c/c6ce2b5716b0
-------------------------------
Use proper errno instead of -1 in smb2_get_ksmbd_tcon().
Signed-off-by: Namjae Jeon <namjae.jeon(a)samsung.com>
Signed-off-by: Steve French <stfrench(a)microsoft.com>
Signed-off-by: Jason Yan <yanaijie(a)huawei.com>
---
fs/ksmbd/smb2pdu.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/fs/ksmbd/smb2pdu.c b/fs/ksmbd/smb2pdu.c
index 711aac6f4e1b..adab4a138648 100644
--- a/fs/ksmbd/smb2pdu.c
+++ b/fs/ksmbd/smb2pdu.c
@@ -106,14 +106,14 @@ int smb2_get_ksmbd_tcon(struct ksmbd_work *work)
if (xa_empty(&work->sess->tree_conns)) {
ksmbd_debug(SMB, "NO tree connected\n");
- return -1;
+ return -ENOENT;
}
tree_id = le32_to_cpu(req_hdr->Id.SyncId.TreeId);
work->tcon = ksmbd_tree_conn_lookup(work->sess, tree_id);
if (!work->tcon) {
pr_err("Invalid tid %d\n", tree_id);
- return -1;
+ return -EINVAL;
}
return 1;
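Review bot: with -ENOENT and -EINVAL replacing -1 while the success path still returns 1, callers have to test for a negative value rather than for -1 or for non-zero, and no caller is changed in this patch. Please confirm that the call sites use rc < 0. "NO tree connected" and "Invalid tid" also used to share one code, so whatever maps this return value to an SMB status now sees two distinct errnos and should be checked for both.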
From patchwork Mon Nov 14 12:51:49 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Jason Yan <yanaijie(a)huawei.com>
X-Patchwork-Id: 183297
From: Jason Yan <yanaijie(a)huawei.com>
To: <yanaijie(a)huawei.com>, <zhengzengkai(a)huawei.com>, <xiexiuqi(a)huawei.com>,
<yi.zhang(a)huawei.com>, <patchwork(a)huawei.com>, <kernel.openeuler(a)huawei.com>,
<houtao1(a)huawei.com>
Subject: [PATCH OLK-5.10 v2 200/308] ksmbd: smbd: fix kernel oops during
server shutdown
Date: Mon, 14 Nov 2022 20:51:49 +0800
Message-ID: <20221114125337.1831594-201-yanaijie(a)huawei.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20221114125337.1831594-1-yanaijie(a)huawei.com>
References: <20221114125337.1831594-1-yanaijie(a)huawei.com>
From: Hyunchul Lee <hyc.lee(a)gmail.com>
mainline inclusion
from mainline-5.15-rc1
commit 323b1ea10263e5f11c9fb12e25f6d8beb327228c
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G
CVE: NA
Reference: https://git.kernel.org/torvalds/linux/c/323b1ea10263
-------------------------------
If server shutdown happens in the situation that
there are connections, the workqueue could be destroyed
before queueing the disconnect work.
Signed-off-by: Hyunchul Lee <hyc.lee(a)gmail.com>
Signed-off-by: Namjae Jeon <namjae.jeon(a)samsung.com>
Signed-off-by: Steve French <stfrench(a)microsoft.com>
Signed-off-by: Jason Yan <yanaijie(a)huawei.com>
---
fs/ksmbd/transport_rdma.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/fs/ksmbd/transport_rdma.c b/fs/ksmbd/transport_rdma.c
index f2ae6bae83f1..58f530056ac0 100644
--- a/fs/ksmbd/transport_rdma.c
+++ b/fs/ksmbd/transport_rdma.c
@@ -329,7 +329,8 @@ static void smb_direct_disconnect_rdma_work(struct work_struct *work)
static void
smb_direct_disconnect_rdma_connection(struct smb_direct_transport *t)
{
- queue_work(smb_direct_wq, &t->disconnect_work);
+ if (t->status == SMB_DIRECT_CS_CONNECTED)
+ queue_work(smb_direct_wq, &t->disconnect_work);
}
static void smb_direct_send_immediate_work(struct work_struct *work)
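Review bot: the t->status test in smb_direct_disconnect_rdma_connection() is made without any lock or barrier visible here, so the status can change between the check and queue_work(); if smb_direct_wq can be destroyed while transports are still alive, this narrows the window but does not close it. A comment stating what serialises status against workqueue teardown would help, or the teardown path should flush or cancel t->disconnect_work before destroying the queue.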
@@ -1415,7 +1416,7 @@ static void smb_direct_disconnect(struct ksmbd_transport *t)
ksmbd_debug(RDMA, "Disconnecting cm_id=%p\n", st->cm_id);
- smb_direct_disconnect_rdma_connection(st);
+ smb_direct_disconnect_rdma_work(&st->disconnect_work);
wait_event_interruptible(st->wait_status,
st->status == SMB_DIRECT_CS_DISCONNECTED);
free_transport(st);
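Review bot: smb_direct_disconnect() now calls the work function directly on &st->disconnect_work while smb_direct_disconnect_rdma_connection() can still queue the same work item from another context, so the handler can run twice or concurrently unless it is idempotent. The return value of wait_event_interruptible() is also ignored: if the wait is interrupted by a signal, free_transport(st) runs before the status has reached SMB_DIRECT_CS_DISCONNECTED. Consider cancel_work_sync() on the work item and a non-interruptible wait before freeing.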
From patchwork Mon Nov 14 12:51:50 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Jason Yan <yanaijie(a)huawei.com>
X-Patchwork-Id: 183298
From: Jason Yan <yanaijie(a)huawei.com>
To: <yanaijie(a)huawei.com>, <zhengzengkai(a)huawei.com>, <xiexiuqi(a)huawei.com>,
<yi.zhang(a)huawei.com>, <patchwork(a)huawei.com>, <kernel.openeuler(a)huawei.com>,
<houtao1(a)huawei.com>
Subject: [PATCH OLK-5.10 v2 201/308] ksmbd: don't set FILE DELETE and
FILE_DELETE_CHILD in access mask by default
Date: Mon, 14 Nov 2022 20:51:50 +0800
Message-ID: <20221114125337.1831594-202-yanaijie(a)huawei.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20221114125337.1831594-1-yanaijie(a)huawei.com>
References: <20221114125337.1831594-1-yanaijie(a)huawei.com>
From: Namjae Jeon <namjae.jeon(a)samsung.com>
mainline inclusion
from mainline-5.15-rc1
commit a9a27d4ab3de2a6a81bad4b158c74a554d78e89b
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G
CVE: NA
Reference: https://git.kernel.org/torvalds/linux/c/a9a27d4ab3de
-------------------------------
When there is no dacl in the request, ksmbd sends a dacl that is converted by
using the file permission. This patch doesn't set FILE DELETE and
FILE_DELETE_CHILD in the access mask by default.
Signed-off-by: Namjae Jeon <namjae.jeon(a)samsung.com>
Signed-off-by: Steve French <stfrench(a)microsoft.com>
Signed-off-by: Jason Yan <yanaijie(a)huawei.com>
---
fs/ksmbd/smbacl.c | 2 --
1 file changed, 2 deletions(-)
diff --git a/fs/ksmbd/smbacl.c b/fs/ksmbd/smbacl.c
index f6019f0dc8fd..49411e791b08 100644
--- a/fs/ksmbd/smbacl.c
+++ b/fs/ksmbd/smbacl.c
@@ -716,7 +716,6 @@ static void set_mode_dacl(struct smb_acl *pndacl, struct smb_fattr *fattr)
ace_size = fill_ace_for_sid(pace, sid, ACCESS_ALLOWED, 0,
fattr->cf_mode, 0700);
pace->sid.sub_auth[pace->sid.num_subauth++] = cpu_to_le32(uid);
- pace->access_req |= FILE_DELETE_LE | FILE_DELETE_CHILD_LE;
pace->size = cpu_to_le16(ace_size + 4);
size += le16_to_cpu(pace->size);
pace = (struct smb_ace *)((char *)pndace + size);
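Review bot: the commit message says what is removed but not why. Both removals (the owner ACE here and the creator-owner ACE in the next hunk) leave access_req as whatever fill_ace_for_sid() derives from fattr->cf_mode and the 0700 mask, so the message or a code comment should state whether delete rights are now expected to come from that mapping or not to be advertised at all, since this changes the access mask clients see.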
@@ -737,7 +736,6 @@ static void set_mode_dacl(struct smb_acl *pndacl, struct smb_fattr *fattr)
/* creator owner */
size += fill_ace_for_sid(pace, &creator_owner, ACCESS_ALLOWED,
0x0b, fattr->cf_mode, 0700);
- pace->access_req |= FILE_DELETE_LE | FILE_DELETE_CHILD_LE;
pace = (struct smb_ace *)((char *)pndace + size);
/* creator group */
From patchwork Mon Nov 14 12:51:51 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Jason Yan <yanaijie(a)huawei.com>
X-Patchwork-Id: 183299
From: Jason Yan <yanaijie(a)huawei.com>
To: <yanaijie(a)huawei.com>, <zhengzengkai(a)huawei.com>, <xiexiuqi(a)huawei.com>,
<yi.zhang(a)huawei.com>, <patchwork(a)huawei.com>, <kernel.openeuler(a)huawei.com>,
<houtao1(a)huawei.com>
Subject: [PATCH OLK-5.10 v2 202/308] ksmbd: fix permission check issue on
chown and chmod
Date: Mon, 14 Nov 2022 20:51:51 +0800
Message-ID: <20221114125337.1831594-203-yanaijie(a)huawei.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20221114125337.1831594-1-yanaijie(a)huawei.com>
References: <20221114125337.1831594-1-yanaijie(a)huawei.com>
From: Namjae Jeon <namjae.jeon(a)samsung.com>
mainline inclusion
from mainline-5.15-rc1
commit e70e392fa768d46ca59f2f8c0e7374099c980622
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G
CVE: NA
Reference: https://git.kernel.org/torvalds/linux/c/e70e392fa768
-------------------------------
When commanding chmod and chown on cifs&ksmbd, ksmbd allows it without a file
permission check. There is code to check it in setattr_prepare.
Instead of setting the inode directly, update the mode and uid/gid
through notify_change.
Signed-off-by: Namjae Jeon <namjae.jeon(a)samsung.com>
Signed-off-by: Steve French <stfrench(a)microsoft.com>
Signed-off-by: Jason Yan <yanaijie(a)huawei.com>
---
fs/ksmbd/smb2pdu.c | 5 +++++
fs/ksmbd/smbacl.c | 24 ++++++++++++++++++------
2 files changed, 23 insertions(+), 6 deletions(-)
diff --git a/fs/ksmbd/smb2pdu.c b/fs/ksmbd/smb2pdu.c
index adab4a138648..ecfa8264e926 100644
--- a/fs/ksmbd/smb2pdu.c
+++ b/fs/ksmbd/smb2pdu.c
@@ -5815,10 +5815,15 @@ int smb2_set_info(struct ksmbd_work *work)
break;
case SMB2_O_INFO_SECURITY:
ksmbd_debug(SMB, "GOT SMB2_O_INFO_SECURITY\n");
+ if (ksmbd_override_fsids(work)) {
+ rc = -ENOMEM;
+ goto err_out;
+ }
rc = smb2_set_info_sec(fp,
le32_to_cpu(req->AdditionalInformation),
req->Buffer,
le32_to_cpu(req->BufferLength));
+ ksmbd_revert_fsids(work);
break;
default:
rc = -EOPNOTSUPP;
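Review bot: a failure of ksmbd_override_fsids() is reported as a fixed -ENOMEM rather than the value the helper returned, which hides any other failure reason; propagate its return code if it returns an errno. The override/revert pair is balanced around smb2_set_info_sec() here, but please check that the err_out label does not also call ksmbd_revert_fsids(), since the early goto is taken without the credentials having been overridden.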
diff --git a/fs/ksmbd/smbacl.c b/fs/ksmbd/smbacl.c
index 49411e791b08..321676a74b48 100644
--- a/fs/ksmbd/smbacl.c
+++ b/fs/ksmbd/smbacl.c
@@ -1271,6 +1271,7 @@ int set_info_sec(struct ksmbd_conn *conn, struct ksmbd_tree_connect *tcon,
int rc;
struct smb_fattr fattr = {{0}};
struct inode *inode = d_inode(path->dentry);
+ struct iattr newattrs;
fattr.cf_uid = INVALID_UID;
fattr.cf_gid = INVALID_GID;
@@ -1280,12 +1281,23 @@ int set_info_sec(struct ksmbd_conn *conn, struct ksmbd_tree_connect *tcon,
if (rc)
goto out;
- inode->i_mode = (inode->i_mode & ~0777) | (fattr.cf_mode & 0777);
- if (!uid_eq(fattr.cf_uid, INVALID_UID))
- inode->i_uid = fattr.cf_uid;
- if (!gid_eq(fattr.cf_gid, INVALID_GID))
- inode->i_gid = fattr.cf_gid;
- mark_inode_dirty(inode);
+ newattrs.ia_valid = ATTR_CTIME;
+ if (!uid_eq(fattr.cf_uid, INVALID_UID)) {
+ newattrs.ia_valid |= ATTR_UID;
+ newattrs.ia_uid = fattr.cf_uid;
+ }
+ if (!gid_eq(fattr.cf_gid, INVALID_GID)) {
+ newattrs.ia_valid |= ATTR_GID;
+ newattrs.ia_gid = fattr.cf_gid;
+ }
+ newattrs.ia_valid |= ATTR_MODE;
+ newattrs.ia_mode = (inode->i_mode & ~0777) | (fattr.cf_mode & 0777);
+
+ inode_lock(inode);
+ rc = notify_change(path->dentry, &newattrs, NULL);
+ inode_unlock(inode);
+ if (rc)
+ goto out;
ksmbd_vfs_remove_acl_xattrs(path->dentry);
/* Update posix acls */
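Review bot: ATTR_UID and ATTR_GID are only set when the parsed descriptor supplied a valid id, but ATTR_MODE is set unconditionally, and fattr is zero-initialised at the top of set_info_sec(). If the descriptor parsing above can return success without setting cf_mode, ia_mode becomes (inode->i_mode & ~0777) and the permission bits are cleared. The removed code behaved the same way, but now that the update goes through notify_change() this is a good point to set ATTR_MODE only when a mode was actually derived from the request.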
From patchwork Mon Nov 14 12:51:52 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Jason Yan <yanaijie(a)huawei.com>
X-Patchwork-Id: 183300
From: Jason Yan <yanaijie(a)huawei.com>
To: <yanaijie(a)huawei.com>, <zhengzengkai(a)huawei.com>, <xiexiuqi(a)huawei.com>,
<yi.zhang(a)huawei.com>, <patchwork(a)huawei.com>, <kernel.openeuler(a)huawei.com>,
<houtao1(a)huawei.com>
Subject: [PATCH OLK-5.10 v2 203/308] ksmbd: fix __write_overflow warning in
ndr_read_string
Date: Mon, 14 Nov 2022 20:51:52 +0800
Message-ID: <20221114125337.1831594-204-yanaijie(a)huawei.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20221114125337.1831594-1-yanaijie(a)huawei.com>
References: <20221114125337.1831594-1-yanaijie(a)huawei.com>
From: Namjae Jeon <namjae.jeon(a)samsung.com>
mainline inclusion
from mainline-5.15-rc1
commit 7d5d8d7156892f82cf40b63228ce788248cc57a3
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G
CVE: NA
Reference: https://git.kernel.org/torvalds/linux/c/7d5d8d715689
-------------------------------
Dan reported __write_overflow warning in ndr_read_string.
CC [M] fs/ksmbd/ndr.o
In file included from ./include/linux/string.h:253,
from ./include/linux/bitmap.h:11,
from ./include/linux/cpumask.h:12,
from ./arch/x86/include/asm/cpumask.h:5,
from ./arch/x86/include/asm/msr.h:11,
from ./arch/x86/include/asm/processor.h:22,
from ./arch/x86/include/asm/cpufeature.h:5,
from ./arch/x86/include/asm/thread_info.h:53,
from ./include/linux/thread_info.h:60,
from ./arch/x86/include/asm/preempt.h:7,
from ./include/linux/preempt.h:78,
from ./include/linux/spinlock.h:55,
from ./include/linux/wait.h:9,
from ./include/linux/wait_bit.h:8,
from ./include/linux/fs.h:6,
from fs/ksmbd/ndr.c:7:
In function memcpy,
inlined from ndr_read_string at fs/ksmbd/ndr.c:86:2,
inlined from ndr_decode_dos_attr at fs/ksmbd/ndr.c:167:2:
./include/linux/fortify-string.h:219:4: error: call to __write_overflow
declared with attribute error: detected write beyond size of object
__write_overflow();
^~~~~~~~~~~~~~~~~~
This seems to be a false alarm because hex_attr size is always smaller
than n->length. This patch fixes this warning by allocating hex_attr with
n->length.
Reported-by: Dan Carpenter <dan.carpenter(a)oracle.com>
Signed-off-by: Namjae Jeon <namjae.jeon(a)samsung.com>
Signed-off-by: Steve French <stfrench(a)microsoft.com>
Signed-off-by: Jason Yan <yanaijie(a)huawei.com>
---
fs/ksmbd/ndr.c | 9 +++++++--
1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/fs/ksmbd/ndr.c b/fs/ksmbd/ndr.c
index 50872377608d..039ed7884aeb 100644
--- a/fs/ksmbd/ndr.c
+++ b/fs/ksmbd/ndr.c
@@ -160,11 +160,16 @@ int ndr_encode_dos_attr(struct ndr *n, struct xattr_dos_attrib *da)
int ndr_decode_dos_attr(struct ndr *n, struct xattr_dos_attrib *da)
{
- char hex_attr[12] = {0};
+ char *hex_attr;
int version2;
+ hex_attr = kzalloc(n->length, GFP_KERNEL);
+ if (!hex_attr)
+ return -ENOMEM;
+
n->offset = 0;
- ndr_read_string(n, hex_attr, n->length - n->offset);
+ ndr_read_string(n, hex_attr, n->length);
+ kfree(hex_attr);
da->version = ndr_read_int16(n);
if (da->version != 3 && da->version != 4) {
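Review bot: the commit message calls the fortify error a false alarm, but the removed call passed n->length - n->offset (with n->offset just set to 0) as the size for a 12-byte hex_attr, so if ndr_read_string() copies up to that size, as the memcpy in the quoted build log suggests, the old code could write past the array whenever n->length exceeded 12; the message should say so. In the new code n->length is used as an allocation size with no bound visible in this hunk, and the buffer is freed right after the read without being inspected. Consider validating n->length before kzalloc() and checking the result of ndr_read_string() if it can fail.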
From patchwork Mon Nov 14 12:51:53 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Jason Yan <yanaijie(a)huawei.com>
X-Patchwork-Id: 183301
From: Jason Yan <yanaijie(a)huawei.com>
To: <yanaijie(a)huawei.com>, <zhengzengkai(a)huawei.com>, <xiexiuqi(a)huawei.com>,
<yi.zhang(a)huawei.com>, <patchwork(a)huawei.com>, <kernel.openeuler(a)huawei.com>,
<houtao1(a)huawei.com>
Subject: [PATCH OLK-5.10 v2 204/308] ksmbd: ensure error is surfaced in
set_file_basic_info()
Date: Mon, 14 Nov 2022 20:51:53 +0800
Message-ID: <20221114125337.1831594-205-yanaijie(a)huawei.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20221114125337.1831594-1-yanaijie(a)huawei.com>
References: <20221114125337.1831594-1-yanaijie(a)huawei.com>
From: Christian Brauner <christian.brauner(a)ubuntu.com>
mainline inclusion
from mainline-5.15-rc1
commit eb5784f0c6efbe0db720ad7e34e097cea51c1afc
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G
CVE: NA
Reference: https://git.kernel.org/torvalds/linux/c/eb5784f0c6ef
-------------------------------
It seems the error was accidentally ignored until now. Make sure it is
surfaced.
Cc: Steve French <stfrench(a)microsoft.com>
Cc: Christoph Hellwig <hch(a)infradead.org>
Cc: Namjae Jeon <namjae.jeon(a)samsung.com>
Cc: Hyunchul Lee <hyc.lee(a)gmail.com>
Cc: Sergey Senozhatsky <senozhatsky(a)chromium.org>
Cc: linux-cifs(a)vger.kernel.org
Signed-off-by: Christian Brauner <christian.brauner(a)ubuntu.com>
Signed-off-by: Namjae Jeon <linkinjeon(a)kernel.org>
Signed-off-by: Steve French <stfrench(a)microsoft.com>
Signed-off-by: Jason Yan <yanaijie(a)huawei.com>
---
fs/ksmbd/smb2pdu.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/fs/ksmbd/smb2pdu.c b/fs/ksmbd/smb2pdu.c
index ecfa8264e926..d51b436af523 100644
--- a/fs/ksmbd/smb2pdu.c
+++ b/fs/ksmbd/smb2pdu.c
@@ -5483,7 +5483,7 @@ static int set_file_basic_info(struct ksmbd_file *fp, char *buf,
rc = notify_change(dentry, &attrs, NULL);
inode_unlock(inode);
}
- return 0;
+ return rc;
}
static int set_file_allocation_info(struct ksmbd_work *work,
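Review bot: With `return rc;` at the end of set_file_basic_info(), every path that reaches this return must have assigned rc, but in the lines shown rc is set only inside the block that calls notify_change(). If that block can be skipped, the function returns an indeterminate value to the caller; initialise rc at its declaration (`int rc = 0;`) in the same change.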
From patchwork Mon Nov 14 12:51:54 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Jason Yan <yanaijie(a)huawei.com>
X-Patchwork-Id: 183302
From: Jason Yan <yanaijie(a)huawei.com>
To: <yanaijie(a)huawei.com>, <zhengzengkai(a)huawei.com>, <xiexiuqi(a)huawei.com>,
<yi.zhang(a)huawei.com>, <patchwork(a)huawei.com>, <kernel.openeuler(a)huawei.com>,
<houtao1(a)huawei.com>
Subject: [PATCH OLK-5.10 v2 205/308] ksmbd: remove setattr preparations in
set_file_basic_info()
Date: Mon, 14 Nov 2022 20:51:54 +0800
Message-ID: <20221114125337.1831594-206-yanaijie(a)huawei.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20221114125337.1831594-1-yanaijie(a)huawei.com>
References: <20221114125337.1831594-1-yanaijie(a)huawei.com>
From: Christian Brauner <christian.brauner(a)ubuntu.com>
mainline inclusion
from mainline-5.15-rc1
commit db7fb6fe3d7a8eb05f2b74c6252771c9362f3b74
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G
CVE: NA
Reference: https://git.kernel.org/torvalds/linux/c/db7fb6fe3d7a
-------------------------------
Permission checking and copying over ownership information is the task
of the underlying filesystem not ksmbd. The order is also wrong here.
This modifies the inode before notify_change(). If notify_change() fails
this will have changed ownership nonetheless. All of this is unnecessary
though since the underlying filesystem's ->setattr handler will do all
this (if required) by itself.
Cc: Steve French <stfrench(a)microsoft.com>
Cc: Christoph Hellwig <hch(a)infradead.org>
Cc: Namjae Jeon <namjae.jeon(a)samsung.com>
Cc: Hyunchul Lee <hyc.lee(a)gmail.com>
Cc: Sergey Senozhatsky <senozhatsky(a)chromium.org>
Cc: linux-cifs(a)vger.kernel.org
Signed-off-by: Christian Brauner <christian.brauner(a)ubuntu.com>
Signed-off-by: Namjae Jeon <linkinjeon(a)kernel.org>
Signed-off-by: Steve French <stfrench(a)microsoft.com>
Signed-off-by: Jason Yan <yanaijie(a)huawei.com>
---
fs/ksmbd/smb2pdu.c | 25 ++++++++-----------------
1 file changed, 8 insertions(+), 17 deletions(-)
diff --git a/fs/ksmbd/smb2pdu.c b/fs/ksmbd/smb2pdu.c
index d51b436af523..445fa0843232 100644
--- a/fs/ksmbd/smb2pdu.c
+++ b/fs/ksmbd/smb2pdu.c
@@ -5395,7 +5395,7 @@ static int set_file_basic_info(struct ksmbd_file *fp, char *buf,
{
struct smb2_file_all_info *file_info;
struct iattr attrs;
- struct iattr temp_attrs;
+ struct timespec64 ctime;
struct file *filp;
struct inode *inode;
int rc;
@@ -5417,11 +5417,11 @@ static int set_file_basic_info(struct ksmbd_file *fp, char *buf,
}
if (file_info->ChangeTime) {
- temp_attrs.ia_ctime = ksmbd_NTtimeToUnix(file_info->ChangeTime);
- attrs.ia_ctime = temp_attrs.ia_ctime;
+ attrs.ia_ctime = ksmbd_NTtimeToUnix(file_info->ChangeTime);
+ ctime = attrs.ia_ctime;
attrs.ia_valid |= ATTR_CTIME;
} else {
- temp_attrs.ia_ctime = inode->i_ctime;
+ ctime = inode->i_ctime;
}
if (file_info->LastWriteTime) {
@@ -5459,13 +5459,6 @@ static int set_file_basic_info(struct ksmbd_file *fp, char *buf,
rc = 0;
}
- /*
- * HACK : set ctime here to avoid ctime changed
- * when file_info->ChangeTime is zero.
- */
- attrs.ia_ctime = temp_attrs.ia_ctime;
- attrs.ia_valid |= ATTR_CTIME;
-
if (attrs.ia_valid) {
struct dentry *dentry = filp->f_path.dentry;
struct inode *inode = d_inode(dentry);
@@ -5473,14 +5466,12 @@ static int set_file_basic_info(struct ksmbd_file *fp, char *buf,
if (IS_IMMUTABLE(inode) || IS_APPEND(inode))
return -EACCES;
- rc = setattr_prepare(dentry, &attrs);
- if (rc)
- return -EINVAL;
-
inode_lock(inode);
- setattr_copy(inode, &attrs);
- attrs.ia_valid &= ~ATTR_CTIME;
rc = notify_change(dentry, &attrs, NULL);
+ if (!rc) {
+ inode->i_ctime = ctime;
+ mark_inode_dirty(inode);
+ }
inode_unlock(inode);
}
return rc;
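Review bot: The `inode->i_ctime = ctime;` store after notify_change() has no comment, and the HACK comment that explained why ctime is pinned is deleted earlier in this patch. When ChangeTime is zero, ctime is a copy of inode->i_ctime taken before inode_lock(), so a change made by a concurrent setattr between the copy and the lock is silently overwritten here. Suggest taking the copy under inode_lock() and adding a one-line comment saying that ctime is restored so it does not change when ChangeTime is zero.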
From patchwork Mon Nov 14 12:51:55 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Jason Yan <yanaijie(a)huawei.com>
X-Patchwork-Id: 183303
From: Jason Yan <yanaijie(a)huawei.com>
To: <yanaijie(a)huawei.com>, <zhengzengkai(a)huawei.com>, <xiexiuqi(a)huawei.com>,
<yi.zhang(a)huawei.com>, <patchwork(a)huawei.com>, <kernel.openeuler(a)huawei.com>,
<houtao1(a)huawei.com>
Subject: [PATCH OLK-5.10 v2 206/308] ksmbd: Reduce error log 'speed is
unknown' to debug
Date: Mon, 14 Nov 2022 20:51:55 +0800
Message-ID: <20221114125337.1831594-207-yanaijie(a)huawei.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20221114125337.1831594-1-yanaijie(a)huawei.com>
References: <20221114125337.1831594-1-yanaijie(a)huawei.com>
From: Per Forlin <perfn(a)axis.com>
mainline inclusion
from mainline-5.15-rc1
commit d475866eeed89cc44ed54e0cd296537a68667b1b
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G
CVE: NA
Reference: https://git.kernel.org/torvalds/linux/c/d475866eeed8
-------------------------------
This log happens on servers with a network bridge since
the bridge does not have a specified link speed.
This is not a real error so change the error log to debug instead.
Signed-off-by: Per Forlin <perfn(a)axis.com>
Signed-off-by: Namjae Jeon <linkinjeon(a)kernel.org>
Signed-off-by: Steve French <stfrench(a)microsoft.com>
Signed-off-by: Jason Yan <yanaijie(a)huawei.com>
---
fs/ksmbd/smb2pdu.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/fs/ksmbd/smb2pdu.c b/fs/ksmbd/smb2pdu.c
index 445fa0843232..33e77ef0dbb5 100644
--- a/fs/ksmbd/smb2pdu.c
+++ b/fs/ksmbd/smb2pdu.c
@@ -7061,8 +7061,8 @@ static int fsctl_query_iface_info_ioctl(struct ksmbd_conn *conn,
netdev->ethtool_ops->get_link_ksettings(netdev, &cmd);
speed = cmd.base.speed;
} else {
- pr_err("%s %s\n", netdev->name,
- "speed is unknown, defaulting to 1Gb/sec");
+ ksmbd_debug(SMB, "%s %s\n", netdev->name,
+ "speed is unknown, defaulting to 1Gb/sec");
speed = SPEED_1000;
}
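Review bot: On the changed lines the constant text is passed as a second %s argument; fold it into the format string, for example ksmbd_debug(SMB, "%s speed is unknown, defaulting to 1Gb/sec\n", netdev->name). In the context line above the change, the return value of get_link_ksettings() is discarded, so cmd.base.speed is used even when the driver reports failure; checking the result and falling back to the same SPEED_1000 default would be more robust.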
From patchwork Mon Nov 14 12:51:56 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Jason Yan <yanaijie(a)huawei.com>
X-Patchwork-Id: 183304
From: Jason Yan <yanaijie(a)huawei.com>
To: <yanaijie(a)huawei.com>, <zhengzengkai(a)huawei.com>, <xiexiuqi(a)huawei.com>,
<yi.zhang(a)huawei.com>, <patchwork(a)huawei.com>, <kernel.openeuler(a)huawei.com>,
<houtao1(a)huawei.com>
Subject: [PATCH OLK-5.10 v2 207/308] ksmbd: smbd: fix dma mapping error in
smb_direct_post_send_data
Date: Mon, 14 Nov 2022 20:51:56 +0800
Message-ID: <20221114125337.1831594-208-yanaijie(a)huawei.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20221114125337.1831594-1-yanaijie(a)huawei.com>
References: <20221114125337.1831594-1-yanaijie(a)huawei.com>
From: Hyunchul Lee <hyc.lee(a)gmail.com>
mainline inclusion
from mainline-5.15-rc1
commit 72d6cbb533d4309734606027fe083c4edb0aa7aa
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G
CVE: NA
Reference: https://git.kernel.org/torvalds/linux/c/72d6cbb533d4
-------------------------------
Because smb direct header is mapped and msg->num_sge
already is incremented, the decrement should be
removed from the condition.
Signed-off-by: Hyunchul Lee <hyc.lee(a)gmail.com>
Signed-off-by: Namjae Jeon <linkinjeon(a)kernel.org>
Signed-off-by: Steve French <stfrench(a)microsoft.com>
Signed-off-by: Jason Yan <yanaijie(a)huawei.com>
---
fs/ksmbd/transport_rdma.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/fs/ksmbd/transport_rdma.c b/fs/ksmbd/transport_rdma.c
index 58f530056ac0..52b2556e76b1 100644
--- a/fs/ksmbd/transport_rdma.c
+++ b/fs/ksmbd/transport_rdma.c
@@ -1168,7 +1168,7 @@ static int smb_direct_post_send_data(struct smb_direct_transport *t,
pr_err("failed to map buffer\n");
ret = -ENOMEM;
goto err;
- } else if (sg_cnt + msg->num_sge > SMB_DIRECT_MAX_SEND_SGES - 1) {
+ } else if (sg_cnt + msg->num_sge > SMB_DIRECT_MAX_SEND_SGES) {
pr_err("buffer not fitted into sges\n");
ret = -E2BIG;
ib_dma_unmap_sg(t->cm_id->device, sg, sg_cnt,
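Review bot: The new bound `sg_cnt + msg->num_sge > SMB_DIRECT_MAX_SEND_SGES` is only correct because msg->num_sge already counts the SMB Direct header entry, and that is stated only in the commit message. Add a short comment at the comparison saying so; without it the next reader is likely to reintroduce the `- 1`. Because the check runs after the buffer has been DMA-mapped, the E2BIG path depends on the ib_dma_unmap_sg() call shown here, so keep the two together if this block is refactored.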
From patchwork Mon Nov 14 12:51:57 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Jason Yan <yanaijie(a)huawei.com>
X-Patchwork-Id: 183305
From: Jason Yan <yanaijie(a)huawei.com>
To: <yanaijie(a)huawei.com>, <zhengzengkai(a)huawei.com>, <xiexiuqi(a)huawei.com>,
<yi.zhang(a)huawei.com>, <patchwork(a)huawei.com>, <kernel.openeuler(a)huawei.com>,
<houtao1(a)huawei.com>
Subject: [PATCH OLK-5.10 v2 208/308] ksmbd: remove unused
ksmbd_file_table_flush function
Date: Mon, 14 Nov 2022 20:51:57 +0800
Message-ID: <20221114125337.1831594-209-yanaijie(a)huawei.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20221114125337.1831594-1-yanaijie(a)huawei.com>
References: <20221114125337.1831594-1-yanaijie(a)huawei.com>
From: Namjae Jeon <linkinjeon(a)kernel.org>
mainline inclusion
from mainline-5.15-rc1
commit 687c59e702f48e0eca91455d3ef3197b7b8a8314
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G
CVE: NA
Reference: https://git.kernel.org/torvalds/linux/c/687c59e702f4
-------------------------------
ksmbd_file_table_flush is a leftover from SMB1. This function is no longer
needed as SMB1 has been removed from ksmbd.
Reported-by: Dan Carpenter <dan.carpenter(a)oracle.com>
Signed-off-by: Namjae Jeon <linkinjeon(a)kernel.org>
Signed-off-by: Steve French <stfrench(a)microsoft.com>
Signed-off-by: Jason Yan <yanaijie(a)huawei.com>
---
fs/ksmbd/vfs_cache.c | 16 ----------------
fs/ksmbd/vfs_cache.h | 1 -
2 files changed, 17 deletions(-)
diff --git a/fs/ksmbd/vfs_cache.c b/fs/ksmbd/vfs_cache.c
index f5b3f94b7f9b..cc9c8b46827d 100644
--- a/fs/ksmbd/vfs_cache.c
+++ b/fs/ksmbd/vfs_cache.c
@@ -665,22 +665,6 @@ void ksmbd_free_global_file_table(void)
ksmbd_destroy_file_table(&global_ft);
}
-int ksmbd_file_table_flush(struct ksmbd_work *work)
-{
- struct ksmbd_file *fp = NULL;
- unsigned int id;
- int ret;
-
- read_lock(&work->sess->file_table.lock);
- idr_for_each_entry(work->sess->file_table.idr, fp, id) {
- ret = ksmbd_vfs_fsync(work, fp->volatile_id, KSMBD_NO_FID);
- if (ret)
- break;
- }
- read_unlock(&work->sess->file_table.lock);
- return ret;
-}
-
int ksmbd_init_file_table(struct ksmbd_file_table *ft)
{
ft->idr = kzalloc(sizeof(struct idr), GFP_KERNEL);
diff --git a/fs/ksmbd/vfs_cache.h b/fs/ksmbd/vfs_cache.h
index 70dfe6a99f13..448576fbe4b7 100644
--- a/fs/ksmbd/vfs_cache.h
+++ b/fs/ksmbd/vfs_cache.h
@@ -152,7 +152,6 @@ void ksmbd_close_session_fds(struct ksmbd_work *work);
int ksmbd_close_inode_fds(struct ksmbd_work *work, struct inode *inode);
int ksmbd_init_global_file_table(void);
void ksmbd_free_global_file_table(void);
-int ksmbd_file_table_flush(struct ksmbd_work *work);
void ksmbd_set_fd_limit(unsigned long limit);
/*
From patchwork Mon Nov 14 12:51:58 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Jason Yan <yanaijie(a)huawei.com>
X-Patchwork-Id: 183306
From: Jason Yan <yanaijie(a)huawei.com>
To: <yanaijie(a)huawei.com>, <zhengzengkai(a)huawei.com>, <xiexiuqi(a)huawei.com>,
<yi.zhang(a)huawei.com>, <patchwork(a)huawei.com>, <kernel.openeuler(a)huawei.com>,
<houtao1(a)huawei.com>
Subject: [PATCH OLK-5.10 v2 209/308] ksmbd: fix read of uninitialized variable
ret in set_file_basic_info
Date: Mon, 14 Nov 2022 20:51:58 +0800
Message-ID: <20221114125337.1831594-210-yanaijie(a)huawei.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20221114125337.1831594-1-yanaijie(a)huawei.com>
References: <20221114125337.1831594-1-yanaijie(a)huawei.com>
From: Namjae Jeon <linkinjeon(a)kernel.org>
mainline inclusion
from mainline-5.15-rc1
commit 4ffd5264e8ecb20e1826b9474c19738fdecd67e6
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G
CVE: NA
Reference: https://git.kernel.org/torvalds/linux/c/4ffd5264e8ec
-------------------------------
Addresses-Coverity reported Uninitialized variables warning:
/fs/ksmbd/smb2pdu.c: 5525 in set_file_basic_info()
5519 if (!rc) {
5520 inode->i_ctime = ctime;
5521 mark_inode_dirty(inode);
5522 }
5523 inode_unlock(inode);
5524 }
>>> CID 1506805: Uninitialized variables (UNINIT)
>>> Using uninitialized value "rc".
5525 return rc;
5526 }
5527
5528 static int set_file_allocation_info(struct ksmbd_work *work,
5529 struct ksmbd_file *fp, char *buf)
5530 {
Addresses-Coverity: ("Uninitialized variable")
Signed-off-by: Namjae Jeon <linkinjeon(a)kernel.org>
Signed-off-by: Steve French <stfrench(a)microsoft.com>
Signed-off-by: Jason Yan <yanaijie(a)huawei.com>
---
fs/ksmbd/smb2pdu.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/fs/ksmbd/smb2pdu.c b/fs/ksmbd/smb2pdu.c
index 33e77ef0dbb5..2fa4584df93e 100644
--- a/fs/ksmbd/smb2pdu.c
+++ b/fs/ksmbd/smb2pdu.c
@@ -5398,7 +5398,7 @@ static int set_file_basic_info(struct ksmbd_file *fp, char *buf,
struct timespec64 ctime;
struct file *filp;
struct inode *inode;
- int rc;
+ int rc = 0;
if (!(fp->daccess & FILE_WRITE_ATTRIBUTES_LE))
return -EACCES;
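Review bot: `int rc = 0;` at the declaration fixes the read flagged at the final `return rc;`, but the commit message carries no Fixes: tag. The Coverity excerpt quotes the `if (!rc) { inode->i_ctime = ctime; ... }` block, so the tag should name the commit that introduced that block; that lets stable and distribution backports pick the two changes up together.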
From patchwork Mon Nov 14 12:51:59 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Jason Yan <yanaijie(a)huawei.com>
X-Patchwork-Id: 183307
From: Jason Yan <yanaijie(a)huawei.com>
To: <yanaijie(a)huawei.com>, <zhengzengkai(a)huawei.com>, <xiexiuqi(a)huawei.com>,
<yi.zhang(a)huawei.com>, <patchwork(a)huawei.com>, <kernel.openeuler(a)huawei.com>,
<houtao1(a)huawei.com>
Subject: [PATCH OLK-5.10 v2 210/308] ksmbd: transport_rdma: Don't include
rwlock.h directly
Date: Mon, 14 Nov 2022 20:51:59 +0800
Message-ID: <20221114125337.1831594-211-yanaijie(a)huawei.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20221114125337.1831594-1-yanaijie(a)huawei.com>
References: <20221114125337.1831594-1-yanaijie(a)huawei.com>
From: Mike Galbraith <efault(a)gmx.de>
mainline inclusion
from mainline-5.15-rc3
commit a9b3043de47b7f8cbe38c36aee572526665b6315
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G
CVE: NA
Reference: https://git.kernel.org/torvalds/linux/c/a9b3043de47b
-------------------------------
rwlock.h specifically asks to not be included directly.
In fact, the proper spinlock.h include isn't needed either,
it comes with the huge pile that kthread.h ends up pulling
in, so just drop it entirely.
Signed-off-by: Mike Galbraith <efault(a)gmx.de>
Signed-off-by: Namjae Jeon <linkinjeon(a)kernel.org>
Signed-off-by: Steve French <stfrench(a)microsoft.com>
Signed-off-by: Jason Yan <yanaijie(a)huawei.com>
---
fs/ksmbd/transport_rdma.c | 1 -
1 file changed, 1 deletion(-)
diff --git a/fs/ksmbd/transport_rdma.c b/fs/ksmbd/transport_rdma.c
index 52b2556e76b1..3a7fa23ba850 100644
--- a/fs/ksmbd/transport_rdma.c
+++ b/fs/ksmbd/transport_rdma.c
@@ -20,7 +20,6 @@
#define SUBMOD_NAME "smb_direct"
#include <linux/kthread.h>
-#include <linux/rwlock.h>
#include <linux/list.h>
#include <linux/mempool.h>
#include <linux/highmem.h>
From patchwork Mon Nov 14 12:52:00 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Jason Yan <yanaijie(a)huawei.com>
X-Patchwork-Id: 183308
From: Jason Yan <yanaijie(a)huawei.com>
To: <yanaijie(a)huawei.com>, <zhengzengkai(a)huawei.com>, <xiexiuqi(a)huawei.com>,
<yi.zhang(a)huawei.com>, <patchwork(a)huawei.com>, <kernel.openeuler(a)huawei.com>,
<houtao1(a)huawei.com>
Subject: [PATCH OLK-5.10 v2 211/308] ksmbd: prevent out of share access
Date: Mon, 14 Nov 2022 20:52:00 +0800
Message-ID: <20221114125337.1831594-212-yanaijie(a)huawei.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20221114125337.1831594-1-yanaijie(a)huawei.com>
References: <20221114125337.1831594-1-yanaijie(a)huawei.com>
From: Hyunchul Lee <hyc.lee(a)gmail.com>
mainline inclusion
from mainline-5.15-rc3
commit f58eae6c5fa882d6d0a6b7587a099602a59d57b5
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G
CVE: NA
Reference: https://git.kernel.org/torvalds/linux/c/f58eae6c5fa8
-------------------------------
Because of .., files outside the share directory
could be accessed. To prevent this, normalize
the given path and remove all . and ..
components.
In addition to the usual large set of regression tests (smbtorture
and xfstests), ran various tests on this to specifically check
path name validation including libsmb2 tests to verify path
normalization:
./examples/smb2-ls-async smb://172.30.1.15/homes2/../
./examples/smb2-ls-async smb://172.30.1.15/homes2/foo/../
./examples/smb2-ls-async smb://172.30.1.15/homes2/foo/../../
./examples/smb2-ls-async smb://172.30.1.15/homes2/foo/../
./examples/smb2-ls-async smb://172.30.1.15/homes2/foo/..bar/
./examples/smb2-ls-async smb://172.30.1.15/homes2/foo/bar../
./examples/smb2-ls-async smb://172.30.1.15/homes2/foo/bar..
./examples/smb2-ls-async smb://172.30.1.15/homes2/foo/bar../../../../
Signed-off-by: Hyunchul Lee <hyc.lee(a)gmail.com>
Signed-off-by: Namjae Jeon <linkinjeon(a)kernel.org>
Signed-off-by: Steve French <stfrench(a)microsoft.com>
Signed-off-by: Jason Yan <yanaijie(a)huawei.com>
---
fs/ksmbd/misc.c | 76 ++++++++++++++++++++++++++++++++++++++++------
fs/ksmbd/misc.h | 3 +-
fs/ksmbd/smb2pdu.c | 14 ++++++---
3 files changed, 77 insertions(+), 16 deletions(-)
diff --git a/fs/ksmbd/misc.c b/fs/ksmbd/misc.c
index 0b307ca28a19..3eac3c01749f 100644
--- a/fs/ksmbd/misc.c
+++ b/fs/ksmbd/misc.c
@@ -191,19 +191,77 @@ int get_nlink(struct kstat *st)
return nlink;
}
-void ksmbd_conv_path_to_unix(char *path)
+char *ksmbd_conv_path_to_unix(char *path)
{
+ size_t path_len, remain_path_len, out_path_len;
+ char *out_path, *out_next;
+ int i, pre_dotdot_cnt = 0, slash_cnt = 0;
+ bool is_last;
+
strreplace(path, '\\', '/');
-}
+ path_len = strlen(path);
+ remain_path_len = path_len;
+ if (path_len == 0)
+ return ERR_PTR(-EINVAL);
-void ksmbd_strip_last_slash(char *path)
-{
- int len = strlen(path);
+ out_path = kzalloc(path_len + 2, GFP_KERNEL);
+ if (!out_path)
+ return ERR_PTR(-ENOMEM);
+ out_path_len = 0;
+ out_next = out_path;
+
+ do {
+ char *name = path + path_len - remain_path_len;
+ char *next = strchrnul(name, '/');
+ size_t name_len = next - name;
+
+ is_last = !next[0];
+ if (name_len == 2 && name[0] == '.' && name[1] == '.') {
+ pre_dotdot_cnt++;
+ /* handle the case that path ends with "/.." */
+ if (is_last)
+ goto follow_dotdot;
+ } else {
+ if (pre_dotdot_cnt) {
+follow_dotdot:
+ slash_cnt = 0;
+ for (i = out_path_len - 1; i >= 0; i--) {
+ if (out_path[i] == '/' &&
+ ++slash_cnt == pre_dotdot_cnt + 1)
+ break;
+ }
+
+ if (i < 0 &&
+ slash_cnt != pre_dotdot_cnt) {
+ kfree(out_path);
+ return ERR_PTR(-EINVAL);
+ }
+
+ out_next = &out_path[i+1];
+ *out_next = '\0';
+ out_path_len = i + 1;
- while (len && path[len - 1] == '/') {
- path[len - 1] = '\0';
- len--;
- }
+ }
+
+ if (name_len != 0 &&
+ !(name_len == 1 && name[0] == '.') &&
+ !(name_len == 2 && name[0] == '.' && name[1] == '.')) {
+ next[0] = '\0';
+ sprintf(out_next, "%s/", name);
+ out_next += name_len + 1;
+ out_path_len += name_len + 1;
+ next[0] = '/';
+ }
+ pre_dotdot_cnt = 0;
+ }
+
+ remain_path_len -= name_len + 1;
+ } while (!is_last);
+
+ if (out_path_len > 0)
+ out_path[out_path_len-1] = '\0';
+ path[path_len] = '\0';
+ return out_path;
}
void ksmbd_conv_path_to_windows(char *path)
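Review bot: In the component-copy branch of ksmbd_conv_path_to_unix(), `next[0] = '\0'; sprintf(out_next, "%s/", name); ... next[0] = '/';` writes into the caller's buffer and, for the last component, replaces the string terminator with '/' until `path[path_len] = '\0'` restores it at the end. Copy with memcpy(out_next, name, name_len) followed by out_next[name_len] = '/' instead: that leaves the input untouched, makes the write length explicit against the path_len + 2 allocation, and removes the need for the final restore. Two smaller points: `remain_path_len -= name_len + 1` wraps the size_t on the last component (harmless only because the loop exits on is_last), and `i` is an int initialised from the size_t out_path_len. The normalisation is purely lexical, so it does not by itself stop a symlink inside the share from resolving outside it; that needs to be handled at lookup time.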
diff --git a/fs/ksmbd/misc.h b/fs/ksmbd/misc.h
index af8717d4d85b..b7b10139ada2 100644
--- a/fs/ksmbd/misc.h
+++ b/fs/ksmbd/misc.h
@@ -16,8 +16,7 @@ int ksmbd_validate_filename(char *filename);
int parse_stream_name(char *filename, char **stream_name, int *s_type);
char *convert_to_nt_pathname(char *filename, char *sharepath);
int get_nlink(struct kstat *st);
-void ksmbd_conv_path_to_unix(char *path);
-void ksmbd_strip_last_slash(char *path);
+char *ksmbd_conv_path_to_unix(char *path);
void ksmbd_conv_path_to_windows(char *path);
char *ksmbd_extract_sharename(char *treename);
char *convert_to_unix_name(struct ksmbd_share_config *share, char *name);
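Review bot: ksmbd_conv_path_to_unix() now returns a newly allocated string or an ERR_PTR() instead of converting in place, but the prototype carries no comment on ownership. Add a kernel-doc line stating that the caller must test the result with IS_ERR() and kfree() it, and consider renaming the function: the old name still suggests an in-place conversion, as ksmbd_conv_path_to_windows() on the next line remains.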
diff --git a/fs/ksmbd/smb2pdu.c b/fs/ksmbd/smb2pdu.c
index 2fa4584df93e..acb13fbc7713 100644
--- a/fs/ksmbd/smb2pdu.c
+++ b/fs/ksmbd/smb2pdu.c
@@ -634,7 +634,7 @@ static char *
smb2_get_name(struct ksmbd_share_config *share, const char *src,
const int maxlen, struct nls_table *local_nls)
{
- char *name, *unixname;
+ char *name, *norm_name, *unixname;
name = smb_strndup_from_utf16(src, maxlen, 1, local_nls);
if (IS_ERR(name)) {
@@ -643,11 +643,15 @@ smb2_get_name(struct ksmbd_share_config *share, const char *src,
}
/* change it to absolute unix name */
- ksmbd_conv_path_to_unix(name);
- ksmbd_strip_last_slash(name);
-
- unixname = convert_to_unix_name(share, name);
+ norm_name = ksmbd_conv_path_to_unix(name);
+ if (IS_ERR(norm_name)) {
+ kfree(name);
+ return norm_name;
+ }
kfree(name);
+
+ unixname = convert_to_unix_name(share, norm_name);
+ kfree(norm_name);
if (!unixname) {
pr_err("can not convert absolute name\n");
return ERR_PTR(-ENOMEM);
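Review bot: in this smb2_get_name hunk, kfree(name) appears twice, once inside the IS_ERR(norm_name) branch and once directly after it. norm_name is freed separately with kfree(norm_name), so name is no longer needed once ksmbd_conv_path_to_unix() has returned; freeing it once, before the IS_ERR() test, removes the duplicate and the risk that a later edit leaks name on one of the branches.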
From patchwork Mon Nov 14 12:52:01 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-Patchwork-Submitter: Jason Yan <yanaijie(a)huawei.com>
X-Patchwork-Id: 183309
From: Jason Yan <yanaijie(a)huawei.com>
To: <yanaijie(a)huawei.com>, <zhengzengkai(a)huawei.com>, <xiexiuqi(a)huawei.com>,
<yi.zhang(a)huawei.com>, <patchwork(a)huawei.com>, <kernel.openeuler(a)huawei.com>,
<houtao1(a)huawei.com>
Subject: [PATCH OLK-5.10 v2 212/308] ksmbd: add validation for
FILE_FULL_EA_INFORMATION of smb2_get_info
Date: Mon, 14 Nov 2022 20:52:01 +0800
Message-ID: <20221114125337.1831594-213-yanaijie(a)huawei.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20221114125337.1831594-1-yanaijie(a)huawei.com>
References: <20221114125337.1831594-1-yanaijie(a)huawei.com>
Content-Type: text/plain; charset="UTF-8"
MIME-Version: 1.0
From: Namjae Jeon <linkinjeon(a)kernel.org>
mainline inclusion
from mainline-5.15-rc3
commit 6d56262c3d224699b29b9bb6b4ace8bab7d692c2
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G
CVE: NA
Reference: https://git.kernel.org/torvalds/linux/c/6d56262c3d22
-------------------------------
Add validation to check whether req->InputBufferLength is smaller than
smb2_ea_info_req structure size.
Cc: Ronnie Sahlberg <ronniesahlberg(a)gmail.com>
Cc: Ralph Böhme <slow(a)samba.org>
Cc: Steve French <smfrench(a)gmail.com>
Signed-off-by: Namjae Jeon <linkinjeon(a)kernel.org>
Signed-off-by: Steve French <stfrench(a)microsoft.com>
Signed-off-by: Jason Yan <yanaijie(a)huawei.com>
---
fs/ksmbd/smb2pdu.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/fs/ksmbd/smb2pdu.c b/fs/ksmbd/smb2pdu.c
index acb13fbc7713..ddae30487a48 100644
--- a/fs/ksmbd/smb2pdu.c
+++ b/fs/ksmbd/smb2pdu.c
@@ -4012,6 +4012,10 @@ static int smb2_get_ea(struct ksmbd_work *work, struct ksmbd_file *fp,
path = &fp->filp->f_path;
/* single EA entry is requested with given user.* name */
if (req->InputBufferLength) {
+ if (le32_to_cpu(req->InputBufferLength) <
+ sizeof(struct smb2_ea_info_req))
+ return -EINVAL;
+
ea_req = (struct smb2_ea_info_req *)req->Buffer;
} else {
/* need to send all EAs, if no specific EA is requested*/
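Review bot: the added comparison in smb2_get_ea() tests req->InputBufferLength, a value supplied by the client, against sizeof(struct smb2_ea_info_req), but nothing in this hunk ties that length to the number of bytes actually received behind req->Buffer. A request that declares a large InputBufferLength in a short PDU would pass the check and ea_req would still point past the received data. Please also compare against the remaining length of the request buffer, and if the structure ends in a variable-length name, bound that name length against InputBufferLength before it is used.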
From patchwork Mon Nov 14 12:52:02 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Jason Yan <yanaijie(a)huawei.com>
X-Patchwork-Id: 183310
From: Jason Yan <yanaijie(a)huawei.com>
To: <yanaijie(a)huawei.com>, <zhengzengkai(a)huawei.com>, <xiexiuqi(a)huawei.com>,
<yi.zhang(a)huawei.com>, <patchwork(a)huawei.com>, <kernel.openeuler(a)huawei.com>,
<houtao1(a)huawei.com>
Subject: [PATCH OLK-5.10 v2 213/308] ksmbd: log that server is experimental at
module load
Date: Mon, 14 Nov 2022 20:52:02 +0800
Message-ID: <20221114125337.1831594-214-yanaijie(a)huawei.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20221114125337.1831594-1-yanaijie(a)huawei.com>
References: <20221114125337.1831594-1-yanaijie(a)huawei.com>
Content-Type: text/plain
MIME-Version: 1.0
From: Steve French <stfrench(a)microsoft.com>
mainline inclusion
from mainline-5.15-rc3
commit e44fd5081c50b0ffdb75ce6c83452e60173d791b
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G
CVE: NA
Reference: https://git.kernel.org/torvalds/linux/c/e44fd5081c50
-------------------------------
While we are working through detailed security reviews
of ksmbd server code we should remind users that it is an
experimental module by adding a warning when the module
loads. Currently the module shows as experimental
in Kconfig and is disabled by default, but we don't want
to confuse users.
Although ksmbd passes a wide variety of the
important functional tests (since initial focus had
been largely on functional testing such as smbtorture,
xfstests etc.), and ksmbd has added key security
features (e.g. GCM256 encryption, Kerberos support),
there are ongoing detailed reviews of the code base
for path processing and network buffer decoding, and
this patch reminds users that the module should be
considered "experimental."
Reviewed-by: Namjae Jeon <linkinjeon(a)kernel.org>
Reviewed-by: Paulo Alcantara (SUSE) <pc(a)cjr.nz>
Reviewed-by: Ronnie Sahlberg <lsahlber(a)redhat.com>
Signed-off-by: Steve French <stfrench(a)microsoft.com>
Signed-off-by: Jason Yan <yanaijie(a)huawei.com>
---
fs/ksmbd/server.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/fs/ksmbd/server.c b/fs/ksmbd/server.c
index 8db739283d76..9e635aa25c13 100644
--- a/fs/ksmbd/server.c
+++ b/fs/ksmbd/server.c
@@ -584,6 +584,9 @@ static int __init ksmbd_server_init(void)
ret = ksmbd_workqueue_init();
if (ret)
goto err_crypto_destroy;
+
+ pr_warn_once("The ksmbd server is experimental, use at your own risk.\n");
+
return 0;
err_crypto_destroy:
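Review bot: pr_warn_once() buys nothing over pr_warn() in ksmbd_server_init(), because an __init function runs once per module load and the once-guard never sees a second call to suppress. Plain pr_warn() states the intent more directly. The message is also emitted only on the success path after ksmbd_workqueue_init(); if the aim is to warn whenever the module is loaded, it could move to the top of the function.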
From patchwork Mon Nov 14 12:52:03 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Jason Yan <yanaijie(a)huawei.com>
X-Patchwork-Id: 183311
From: Jason Yan <yanaijie(a)huawei.com>
To: <yanaijie(a)huawei.com>, <zhengzengkai(a)huawei.com>, <xiexiuqi(a)huawei.com>,
<yi.zhang(a)huawei.com>, <patchwork(a)huawei.com>, <kernel.openeuler(a)huawei.com>,
<houtao1(a)huawei.com>
Subject: [PATCH OLK-5.10 v2 214/308] ksmbd: add default data stream name in
FILE_STREAM_INFORMATION
Date: Mon, 14 Nov 2022 20:52:03 +0800
Message-ID: <20221114125337.1831594-215-yanaijie(a)huawei.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20221114125337.1831594-1-yanaijie(a)huawei.com>
References: <20221114125337.1831594-1-yanaijie(a)huawei.com>
Content-Type: text/plain
MIME-Version: 1.0
From: Namjae Jeon <linkinjeon(a)kernel.org>
mainline inclusion
from mainline-5.15-rc3
commit 9f6323311c7064414bfd1edb28e0837baf6b3c7f
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G
CVE: NA
Reference: https://git.kernel.org/torvalds/linux/c/9f6323311c70
-------------------------------
Windows clients expect to get the default stream name (::DATA) in the
FILE_STREAM_INFORMATION response even if there is no stream data in the file.
This patch fixes an update failure when writing ppt or doc files.
Signed-off-by: Namjae Jeon <linkinjeon(a)kernel.org>
Reviewed-By: Tom Talpey <tom(a)talpey.com>
Signed-off-by: Steve French <stfrench(a)microsoft.com>
Signed-off-by: Jason Yan <yanaijie(a)huawei.com>
---
fs/ksmbd/smb2pdu.c | 8 +++-----
1 file changed, 3 insertions(+), 5 deletions(-)
diff --git a/fs/ksmbd/smb2pdu.c b/fs/ksmbd/smb2pdu.c
index ddae30487a48..0fe4d2c5bea1 100644
--- a/fs/ksmbd/smb2pdu.c
+++ b/fs/ksmbd/smb2pdu.c
@@ -4392,17 +4392,15 @@ static void get_file_stream_info(struct ksmbd_work *work,
file_info->NextEntryOffset = cpu_to_le32(next);
}
- if (nbytes) {
+ if (!S_ISDIR(stat.mode)) {
file_info = (struct smb2_file_stream_info *)
&rsp->Buffer[nbytes];
streamlen = smbConvertToUTF16((__le16 *)file_info->StreamName,
"::$DATA", 7, conn->local_nls, 0);
streamlen *= 2;
file_info->StreamNameLength = cpu_to_le32(streamlen);
- file_info->StreamSize = S_ISDIR(stat.mode) ? 0 :
- cpu_to_le64(stat.size);
- file_info->StreamAllocationSize = S_ISDIR(stat.mode) ? 0 :
- cpu_to_le64(stat.size);
+ file_info->StreamSize = 0;
+ file_info->StreamAllocationSize = 0;
nbytes += sizeof(struct smb2_file_stream_info) + streamlen;
}
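Review bot: with the condition changed from "if (nbytes)" to "if (!S_ISDIR(stat.mode))", the default-stream entry is now written at &rsp->Buffer[nbytes] for every regular file, and nothing in this hunk checks that sizeof(struct smb2_file_stream_info) plus the converted name still fits in the response buffer the client asked for. Please add that bound, or point to where it is enforced. Separately, StreamSize and StreamAllocationSize change from stat.size to a hard-coded 0 for regular files, which the commit message does not explain; if that is intended, a comment should say why a non-empty file reports a zero-length default stream.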
From patchwork Mon Nov 14 12:52:04 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-Patchwork-Submitter: Jason Yan <yanaijie(a)huawei.com>
X-Patchwork-Id: 183312
From: Jason Yan <yanaijie(a)huawei.com>
To: <yanaijie(a)huawei.com>, <zhengzengkai(a)huawei.com>, <xiexiuqi(a)huawei.com>,
<yi.zhang(a)huawei.com>, <patchwork(a)huawei.com>, <kernel.openeuler(a)huawei.com>,
<houtao1(a)huawei.com>
Subject: [PATCH OLK-5.10 v2 215/308] ksmbd: check protocol id in
ksmbd_verify_smb_message()
Date: Mon, 14 Nov 2022 20:52:04 +0800
Message-ID: <20221114125337.1831594-216-yanaijie(a)huawei.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20221114125337.1831594-1-yanaijie(a)huawei.com>
References: <20221114125337.1831594-1-yanaijie(a)huawei.com>
Content-Type: text/plain; charset="UTF-8"
MIME-Version: 1.0
From: Namjae Jeon <linkinjeon(a)kernel.org>
mainline inclusion
from mainline-5.15-rc3
commit 18a015bccf9e8927008d0a255c9f14b8ec15a648
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G
CVE: NA
Reference: https://git.kernel.org/torvalds/linux/c/18a015bccf9e
-------------------------------
When the second smb2 pdu has an invalid protocol id, ksmbd doesn't detect it
and allows the smb2 request to be processed. This patch adds the check in
ksmbd_verify_smb_message() and doesn't use the protocol id of the smb2 request
as the protocol id of the response.
Reviewed-by: Ronnie Sahlberg <ronniesahlberg(a)gmail.com>
Reviewed-by: Ralph Böhme <slow(a)samba.org>
Reported-by: Ronnie Sahlberg <lsahlber(a)redhat.com>
Signed-off-by: Namjae Jeon <linkinjeon(a)kernel.org>
Signed-off-by: Steve French <stfrench(a)microsoft.com>
Signed-off-by: Jason Yan <yanaijie(a)huawei.com>
---
fs/ksmbd/smb2pdu.c | 2 +-
fs/ksmbd/smb_common.c | 13 +++++++++----
fs/ksmbd/smb_common.h | 1 +
3 files changed, 11 insertions(+), 5 deletions(-)
diff --git a/fs/ksmbd/smb2pdu.c b/fs/ksmbd/smb2pdu.c
index 0fe4d2c5bea1..e816f9ce77a7 100644
--- a/fs/ksmbd/smb2pdu.c
+++ b/fs/ksmbd/smb2pdu.c
@@ -433,7 +433,7 @@ static void init_chained_smb2_rsp(struct ksmbd_work *work)
work->compound_pfid = KSMBD_NO_FID;
}
memset((char *)rsp_hdr + 4, 0, sizeof(struct smb2_hdr) + 2);
- rsp_hdr->ProtocolId = rcv_hdr->ProtocolId;
+ rsp_hdr->ProtocolId = SMB2_PROTO_NUMBER;
rsp_hdr->StructureSize = SMB2_HEADER_STRUCTURE_SIZE;
rsp_hdr->Command = rcv_hdr->Command;
diff --git a/fs/ksmbd/smb_common.c b/fs/ksmbd/smb_common.c
index b2370d0f08c6..7ea15d77d50e 100644
--- a/fs/ksmbd/smb_common.c
+++ b/fs/ksmbd/smb_common.c
@@ -129,16 +129,22 @@ int ksmbd_lookup_protocol_idx(char *str)
*
* check for valid smb signature and packet direction(request/response)
*
- * Return: 0 on success, otherwise 1
+ * Return: 0 on success, otherwise -EINVAL
*/
int ksmbd_verify_smb_message(struct ksmbd_work *work)
{
- struct smb2_hdr *smb2_hdr = work->request_buf;
+ struct smb2_hdr *smb2_hdr = work->request_buf + work->next_smb2_rcv_hdr_off;
+ struct smb_hdr *hdr;
if (smb2_hdr->ProtocolId == SMB2_PROTO_NUMBER)
return ksmbd_smb2_check_message(work);
- return 0;
+ hdr = work->request_buf;
+ if (*(__le32 *)hdr->Protocol == SMB1_PROTO_NUMBER &&
+ hdr->Command == SMB_COM_NEGOTIATE)
+ return 0;
+
+ return -EINVAL;
}
/**
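Review bot: smb2_hdr is now computed as work->request_buf + work->next_smb2_rcv_hdr_off and dereferenced for ProtocolId, but this hunk does not check that the offset plus sizeof(struct smb2_hdr) lies inside the received buffer. If the caller guarantees that, a comment should say so; otherwise the bound belongs here, before the first read. Two smaller points: the SMB1 fallback reads hdr = work->request_buf, i.e. the first PDU rather than the one at the offset, so it should be restricted to the case where next_smb2_rcv_hdr_off is 0; and the kernel-doc now promises -EINVAL while the SMB2 branch still returns whatever ksmbd_smb2_check_message() returns.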
@@ -265,7 +271,6 @@ static int ksmbd_negotiate_smb_dialect(void *buf)
return BAD_PROT_ID;
}
-#define SMB_COM_NEGOTIATE 0x72
int ksmbd_init_smb_server(struct ksmbd_work *work)
{
struct ksmbd_conn *conn = work->conn;
diff --git a/fs/ksmbd/smb_common.h b/fs/ksmbd/smb_common.h
index 57c667c1be06..0a6af447cc45 100644
--- a/fs/ksmbd/smb_common.h
+++ b/fs/ksmbd/smb_common.h
@@ -210,6 +210,7 @@
FILE_READ_ATTRIBUTES | FILE_WRITE_ATTRIBUTES)
#define SMB1_PROTO_NUMBER cpu_to_le32(0x424d53ff)
+#define SMB_COM_NEGOTIATE 0x72
#define SMB1_CLIENT_GUID_SIZE (16)
struct smb_hdr {
From patchwork Mon Nov 14 12:52:05 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-Patchwork-Submitter: Jason Yan <yanaijie(a)huawei.com>
X-Patchwork-Id: 183313
From: Jason Yan <yanaijie(a)huawei.com>
To: <yanaijie(a)huawei.com>, <zhengzengkai(a)huawei.com>, <xiexiuqi(a)huawei.com>,
<yi.zhang(a)huawei.com>, <patchwork(a)huawei.com>, <kernel.openeuler(a)huawei.com>,
<houtao1(a)huawei.com>
Subject: [PATCH OLK-5.10 v2 216/308] ksmbd: remove follow symlinks support
Date: Mon, 14 Nov 2022 20:52:05 +0800
Message-ID: <20221114125337.1831594-217-yanaijie(a)huawei.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20221114125337.1831594-1-yanaijie(a)huawei.com>
References: <20221114125337.1831594-1-yanaijie(a)huawei.com>
Content-Type: text/plain; charset="UTF-8"
MIME-Version: 1.0
From: Namjae Jeon <linkinjeon(a)kernel.org>
mainline inclusion
from mainline-5.15-rc3
commit 4ea477988c423a57241ea4840b12832de6fabdfd
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G
CVE: NA
Reference: https://git.kernel.org/torvalds/linux/c/4ea477988c42
-------------------------------
Use the LOOKUP_NO_SYMLINKS flag for default lookup to prohibit the middle of
symlink component lookup and remove follow symlinks parameter support.
We will re-implement it as a reparse point later.
Test result:
smbclient -Ulinkinjeon%1234 //172.30.1.42/share -c
"get hacked/passwd passwd"
NT_STATUS_OBJECT_NAME_NOT_FOUND opening remote file \hacked\passwd
Cc: Ralph Böhme <slow(a)samba.org>
Cc: Steve French <smfrench(a)gmail.com>
Acked-by: Ronnie Sahlberg <lsahlber(a)redhat.com>
Signed-off-by: Namjae Jeon <linkinjeon(a)kernel.org>
Signed-off-by: Steve French <stfrench(a)microsoft.com>
Signed-off-by: Jason Yan <yanaijie(a)huawei.com>
---
fs/ksmbd/smb2pdu.c | 43 ++++++++++---------------------------------
fs/ksmbd/vfs.c | 32 +++++++++-----------------------
2 files changed, 19 insertions(+), 56 deletions(-)
diff --git a/fs/ksmbd/smb2pdu.c b/fs/ksmbd/smb2pdu.c
index e816f9ce77a7..9a919b6590c7 100644
--- a/fs/ksmbd/smb2pdu.c
+++ b/fs/ksmbd/smb2pdu.c
@@ -2616,13 +2616,9 @@ int smb2_open(struct ksmbd_work *work)
goto err_out1;
}
- if (req->CreateOptions & FILE_DELETE_ON_CLOSE_LE) {
- /*
- * On delete request, instead of following up, need to
- * look the current entity
- */
- rc = ksmbd_vfs_kern_path(name, 0, &path, 1);
- if (!rc) {
+ rc = ksmbd_vfs_kern_path(name, LOOKUP_NO_SYMLINKS, &path, 1);
+ if (!rc) {
+ if (req->CreateOptions & FILE_DELETE_ON_CLOSE_LE) {
/*
* If file exists with under flags, return access
* denied error.
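Review bot: with LOOKUP_NO_SYMLINKS the lookup at the top of this block in smb2_open() can now fail because a symlink was refused, yet only the "!rc" case is handled here. Please confirm that the code following this block does not treat that failure as "file does not exist" and go on to create the name, and consider mapping it to a distinct status. The test result in the commit message shows the refusal surfacing as NT_STATUS_OBJECT_NAME_NOT_FOUND, which makes the two cases indistinguishable to the client and in the logs.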
@@ -2641,25 +2637,10 @@ int smb2_open(struct ksmbd_work *work)
path_put(&path);
goto err_out;
}
- }
- } else {
- if (test_share_config_flag(work->tcon->share_conf,
- KSMBD_SHARE_FLAG_FOLLOW_SYMLINKS)) {
- /*
- * Use LOOKUP_FOLLOW to follow the path of
- * symlink in path buildup
- */
- rc = ksmbd_vfs_kern_path(name, LOOKUP_FOLLOW, &path, 1);
- if (rc) { /* Case for broken link ?*/
- rc = ksmbd_vfs_kern_path(name, 0, &path, 1);
- }
- } else {
- rc = ksmbd_vfs_kern_path(name, 0, &path, 1);
- if (!rc && d_is_symlink(path.dentry)) {
- rc = -EACCES;
- path_put(&path);
- goto err_out;
- }
+ } else if (d_is_symlink(path.dentry)) {
+ rc = -EACCES;
+ path_put(&path);
+ goto err_out;
}
}
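Review bot: the KSMBD_SHARE_FLAG_FOLLOW_SYMLINKS test is removed from smb2_open() here, but nothing tells an administrator whose share still sets the option that it is now ignored. A one-time warning when a share is configured with the flag, or removal of the flag definition together with a documentation update, would avoid a silent behaviour change on upgrade.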
@@ -4713,12 +4694,8 @@ static int smb2_get_info_filesystem(struct ksmbd_work *work,
struct path path;
int rc = 0, len;
int fs_infoclass_size = 0;
- int lookup_flags = 0;
-
- if (test_share_config_flag(share, KSMBD_SHARE_FLAG_FOLLOW_SYMLINKS))
- lookup_flags = LOOKUP_FOLLOW;
- rc = ksmbd_vfs_kern_path(share->path, lookup_flags, &path, 0);
+ rc = ksmbd_vfs_kern_path(share->path, LOOKUP_NO_SYMLINKS, &path, 0);
if (rc) {
pr_err("cannot create vfs path\n");
return -EIO;
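Review bot: share->path in smb2_get_info_filesystem() is the administrator-configured share root, not client input, so applying LOOKUP_NO_SYMLINKS to it makes any share whose configured path contains a symlink component fail with -EIO and only the generic "cannot create vfs path" message. If that restriction is intended it should be documented and the log message should name the path and the error; otherwise the share root can be resolved without the flag and only the client-supplied remainder restricted.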
@@ -5288,7 +5265,7 @@ static int smb2_rename(struct ksmbd_work *work, struct ksmbd_file *fp,
}
ksmbd_debug(SMB, "new name %s\n", new_name);
- rc = ksmbd_vfs_kern_path(new_name, 0, &path, 1);
+ rc = ksmbd_vfs_kern_path(new_name, LOOKUP_NO_SYMLINKS, &path, 1);
if (rc)
file_present = false;
else
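Review bot: in smb2_rename() any nonzero rc from the lookup sets file_present = false, and with LOOKUP_NO_SYMLINKS that now includes the case where new_name exists but the lookup was refused because of a symlink. The rename would then proceed as if the target were absent. Please distinguish "not found" from other errors and fail the request on the latter; the same pattern appears in the smb2_create_link hunk that follows.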
@@ -5362,7 +5339,7 @@ static int smb2_create_link(struct ksmbd_work *work,
}
ksmbd_debug(SMB, "target name is %s\n", target_name);
- rc = ksmbd_vfs_kern_path(link_name, 0, &path, 0);
+ rc = ksmbd_vfs_kern_path(link_name, LOOKUP_NO_SYMLINKS, &path, 0);
if (rc)
file_present = false;
else
diff --git a/fs/ksmbd/vfs.c b/fs/ksmbd/vfs.c
index f10dfdb596e4..3b656274375f 100644
--- a/fs/ksmbd/vfs.c
+++ b/fs/ksmbd/vfs.c
@@ -163,7 +163,7 @@ int ksmbd_vfs_create(struct ksmbd_work *work, const char *name, umode_t mode)
struct dentry *dentry;
int err;
- dentry = kern_path_create(AT_FDCWD, name, &path, 0);
+ dentry = kern_path_create(AT_FDCWD, name, &path, LOOKUP_NO_SYMLINKS);
if (IS_ERR(dentry)) {
err = PTR_ERR(dentry);
if (err != -ENOENT)
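Review bot: passing LOOKUP_NO_SYMLINKS to kern_path_create() in ksmbd_vfs_create() is unlikely to have any effect. filename_create() in fs/namei.c carries a comment that only LOOKUP_REVAL and LOOKUP_DIRECTORY matter there and that other flags are ignored, and it masks lookup_flags accordingly before resolving the parent. Please confirm against the target tree; if the flag is dropped, the parent directory of a new file can still be reached through a symlink, and this applies equally to the kern_path_create() calls in the ksmbd_vfs_mkdir and ksmbd_vfs_link hunks.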
@@ -198,7 +198,8 @@ int ksmbd_vfs_mkdir(struct ksmbd_work *work, const char *name, umode_t mode)
struct dentry *dentry;
int err;
- dentry = kern_path_create(AT_FDCWD, name, &path, LOOKUP_DIRECTORY);
+ dentry = kern_path_create(AT_FDCWD, name, &path,
+ LOOKUP_NO_SYMLINKS | LOOKUP_DIRECTORY);
if (IS_ERR(dentry)) {
err = PTR_ERR(dentry);
if (err != -EEXIST)
@@ -575,16 +576,11 @@ int ksmbd_vfs_remove_file(struct ksmbd_work *work, char *name)
struct path path;
struct dentry *parent;
int err;
- int flags = 0;
if (ksmbd_override_fsids(work))
return -ENOMEM;
- if (test_share_config_flag(work->tcon->share_conf,
- KSMBD_SHARE_FLAG_FOLLOW_SYMLINKS))
- flags = LOOKUP_FOLLOW;
-
- err = kern_path(name, flags, &path);
+ err = kern_path(name, LOOKUP_NO_SYMLINKS, &path);
if (err) {
ksmbd_debug(VFS, "can't get %s, err %d\n", name, err);
ksmbd_revert_fsids(work);
@@ -639,16 +635,11 @@ int ksmbd_vfs_link(struct ksmbd_work *work, const char *oldname,
struct path oldpath, newpath;
struct dentry *dentry;
int err;
- int flags = 0;
if (ksmbd_override_fsids(work))
return -ENOMEM;
- if (test_share_config_flag(work->tcon->share_conf,
- KSMBD_SHARE_FLAG_FOLLOW_SYMLINKS))
- flags = LOOKUP_FOLLOW;
-
- err = kern_path(oldname, flags, &oldpath);
+ err = kern_path(oldname, LOOKUP_NO_SYMLINKS, &oldpath);
if (err) {
pr_err("cannot get linux path for %s, err = %d\n",
oldname, err);
@@ -656,7 +647,7 @@ int ksmbd_vfs_link(struct ksmbd_work *work, const char *oldname,
}
dentry = kern_path_create(AT_FDCWD, newname, &newpath,
- flags | LOOKUP_REVAL);
+ LOOKUP_NO_SYMLINKS | LOOKUP_REVAL);
if (IS_ERR(dentry)) {
err = PTR_ERR(dentry);
pr_err("path create err for %s, err %d\n", newname, err);
@@ -764,7 +755,6 @@ int ksmbd_vfs_fp_rename(struct ksmbd_work *work, struct ksmbd_file *fp,
struct dentry *src_dent, *trap_dent, *src_child;
char *dst_name;
int err;
- int flags;
dst_name = extract_last_component(newname);
if (!dst_name)
@@ -773,12 +763,8 @@ int ksmbd_vfs_fp_rename(struct ksmbd_work *work, struct ksmbd_file *fp,
src_dent_parent = dget_parent(fp->filp->f_path.dentry);
src_dent = fp->filp->f_path.dentry;
- flags = LOOKUP_DIRECTORY;
- if (test_share_config_flag(work->tcon->share_conf,
- KSMBD_SHARE_FLAG_FOLLOW_SYMLINKS))
- flags |= LOOKUP_FOLLOW;
-
- err = kern_path(newname, flags, &dst_path);
+ err = kern_path(newname, LOOKUP_NO_SYMLINKS | LOOKUP_DIRECTORY,
+ &dst_path);
if (err) {
ksmbd_debug(VFS, "Cannot get path for %s [%d]\n", newname, err);
goto out;
@@ -834,7 +820,7 @@ int ksmbd_vfs_truncate(struct ksmbd_work *work, const char *name,
int err = 0;
if (name) {
- err = kern_path(name, 0, &path);
+ err = kern_path(name, LOOKUP_NO_SYMLINKS, &path);
if (err) {
pr_err("cannot get linux path for %s, err %d\n",
name, err);
From patchwork Mon Nov 14 12:52:06 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Jason Yan <yanaijie(a)huawei.com>
X-Patchwork-Id: 183314
From: Jason Yan <yanaijie(a)huawei.com>
To: <yanaijie(a)huawei.com>, <zhengzengkai(a)huawei.com>, <xiexiuqi(a)huawei.com>,
<yi.zhang(a)huawei.com>, <patchwork(a)huawei.com>, <kernel.openeuler(a)huawei.com>,
<houtao1(a)huawei.com>
Subject: [PATCH OLK-5.10 v2 217/308] ksmbd: use LOOKUP_BENEATH to prevent the
out of share access
Date: Mon, 14 Nov 2022 20:52:06 +0800
Message-ID: <20221114125337.1831594-218-yanaijie(a)huawei.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20221114125337.1831594-1-yanaijie(a)huawei.com>
References: <20221114125337.1831594-1-yanaijie(a)huawei.com>
Content-Type: text/plain
MIME-Version: 1.0
From: Hyunchul Lee <hyc.lee(a)gmail.com>
mainline inclusion
from mainline-5.15-rc3
commit 265fd1991c1db85fbabaad4946ca0e63e2ae688d
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G
CVE: NA
Reference: https://git.kernel.org/torvalds/linux/c/265fd1991c1d
-------------------------------
Instead of removing '..' in a given path, call
kern_path with the LOOKUP_BENEATH flag to prevent
out-of-share access.
Ran various tests on this:
smb2-cat-async smb://127.0.0.1/homes/../out_of_share
smb2-cat-async smb://127.0.0.1/homes/foo/../../out_of_share
smbclient //127.0.0.1/homes -c "mkdir ../foo2"
smbclient //127.0.0.1/homes -c "rename bar ../bar"
Cc: Ronnie Sahlberg <ronniesahlberg(a)gmail.com>
Cc: Ralph Boehme <slow(a)samba.org>
Tested-by: Steve French <smfrench(a)gmail.com>
Tested-by: Namjae Jeon <linkinjeon(a)kernel.org>
Acked-by: Namjae Jeon <linkinjeon(a)kernel.org>
Signed-off-by: Hyunchul Lee <hyc.lee(a)gmail.com>
Signed-off-by: Steve French <stfrench(a)microsoft.com>
Signed-off-by: Jason Yan <yanaijie(a)huawei.com>
---
fs/ksmbd/misc.c | 100 ++++++-----------------------
fs/ksmbd/misc.h | 7 +-
fs/ksmbd/smb2pdu.c | 74 ++++++++-------------
fs/ksmbd/vfs.c | 156 ++++++++++++++++++++++++---------------------
fs/ksmbd/vfs.h | 9 ++-
5 files changed, 140 insertions(+), 206 deletions(-)
diff --git a/fs/ksmbd/misc.c b/fs/ksmbd/misc.c
index 3eac3c01749f..6a19f4bc692d 100644
--- a/fs/ksmbd/misc.c
+++ b/fs/ksmbd/misc.c
@@ -158,25 +158,21 @@ int parse_stream_name(char *filename, char **stream_name, int *s_type)
* Return : windows path string or error
*/
-char *convert_to_nt_pathname(char *filename, char *sharepath)
+char *convert_to_nt_pathname(char *filename)
{
char *ab_pathname;
- int len, name_len;
- name_len = strlen(filename);
- ab_pathname = kmalloc(name_len, GFP_KERNEL);
- if (!ab_pathname)
- return NULL;
-
- ab_pathname[0] = '\\';
- ab_pathname[1] = '\0';
+ if (strlen(filename) == 0) {
+ ab_pathname = kmalloc(2, GFP_KERNEL);
+ ab_pathname[0] = '\\';
+ ab_pathname[1] = '\0';
+ } else {
+ ab_pathname = kstrdup(filename, GFP_KERNEL);
+ if (!ab_pathname)
+ return NULL;
- len = strlen(sharepath);
- if (!strncmp(filename, sharepath, len) && name_len != len) {
- strscpy(ab_pathname, &filename[len], name_len);
ksmbd_conv_path_to_windows(ab_pathname);
}
-
return ab_pathname;
}
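Review bot: the new empty-filename branch of convert_to_nt_pathname() stores to ab_pathname[0] and ab_pathname[1] straight after kmalloc(2, GFP_KERNEL) without testing for NULL, while the kstrdup() branch below it does test. Please add the same "if (!ab_pathname) return NULL;" check, or hoist a single check after both allocations.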
@@ -191,77 +187,19 @@ int get_nlink(struct kstat *st)
return nlink;
}
-char *ksmbd_conv_path_to_unix(char *path)
+void ksmbd_conv_path_to_unix(char *path)
{
- size_t path_len, remain_path_len, out_path_len;
- char *out_path, *out_next;
- int i, pre_dotdot_cnt = 0, slash_cnt = 0;
- bool is_last;
-
strreplace(path, '\\', '/');
- path_len = strlen(path);
- remain_path_len = path_len;
- if (path_len == 0)
- return ERR_PTR(-EINVAL);
-
- out_path = kzalloc(path_len + 2, GFP_KERNEL);
- if (!out_path)
- return ERR_PTR(-ENOMEM);
- out_path_len = 0;
- out_next = out_path;
-
- do {
- char *name = path + path_len - remain_path_len;
- char *next = strchrnul(name, '/');
- size_t name_len = next - name;
-
- is_last = !next[0];
- if (name_len == 2 && name[0] == '.' && name[1] == '.') {
- pre_dotdot_cnt++;
- /* handle the case that path ends with "/.." */
- if (is_last)
- goto follow_dotdot;
- } else {
- if (pre_dotdot_cnt) {
-follow_dotdot:
- slash_cnt = 0;
- for (i = out_path_len - 1; i >= 0; i--) {
- if (out_path[i] == '/' &&
- ++slash_cnt == pre_dotdot_cnt + 1)
- break;
- }
-
- if (i < 0 &&
- slash_cnt != pre_dotdot_cnt) {
- kfree(out_path);
- return ERR_PTR(-EINVAL);
- }
-
- out_next = &out_path[i+1];
- *out_next = '\0';
- out_path_len = i + 1;
-
- }
-
- if (name_len != 0 &&
- !(name_len == 1 && name[0] == '.') &&
- !(name_len == 2 && name[0] == '.' && name[1] == '.')) {
- next[0] = '\0';
- sprintf(out_next, "%s/", name);
- out_next += name_len + 1;
- out_path_len += name_len + 1;
- next[0] = '/';
- }
- pre_dotdot_cnt = 0;
- }
+}
- remain_path_len -= name_len + 1;
- } while (!is_last);
+void ksmbd_strip_last_slash(char *path)
+{
+ int len = strlen(path);
- if (out_path_len > 0)
- out_path[out_path_len-1] = '\0';
- path[path_len] = '\0';
- return out_path;
+ while (len && path[len - 1] == '/') {
+ path[len - 1] = '\0';
+ len--;
+ }
}
void ksmbd_conv_path_to_windows(char *path)
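Review bot: after this hunk ksmbd_conv_path_to_unix() only replaces '\\' with '/', so ".." components now reach every consumer of the converted name unchanged and the out-of-share protection rests entirely on each lookup being done with LOOKUP_BENEATH relative to the share root. A comment on the function stating that its output is untrusted and share-relative, and must never be concatenated onto share->path and resolved as an absolute path, would make that dependency explicit. Minor: ksmbd_strip_last_slash() stores strlen(path) in an int; size_t would match the return type.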
@@ -298,7 +236,7 @@ char *ksmbd_extract_sharename(char *treename)
*
* Return: converted name on success, otherwise NULL
*/
-char *convert_to_unix_name(struct ksmbd_share_config *share, char *name)
+char *convert_to_unix_name(struct ksmbd_share_config *share, const char *name)
{
int no_slash = 0, name_len, path_len;
char *new_name;
diff --git a/fs/ksmbd/misc.h b/fs/ksmbd/misc.h
index b7b10139ada2..253366bd0951 100644
--- a/fs/ksmbd/misc.h
+++ b/fs/ksmbd/misc.h
@@ -14,12 +14,13 @@ struct ksmbd_file;
int match_pattern(const char *str, size_t len, const char *pattern);
int ksmbd_validate_filename(char *filename);
int parse_stream_name(char *filename, char **stream_name, int *s_type);
-char *convert_to_nt_pathname(char *filename, char *sharepath);
+char *convert_to_nt_pathname(char *filename);
int get_nlink(struct kstat *st);
-char *ksmbd_conv_path_to_unix(char *path);
+void ksmbd_conv_path_to_unix(char *path);
+void ksmbd_strip_last_slash(char *path);
void ksmbd_conv_path_to_windows(char *path);
char *ksmbd_extract_sharename(char *treename);
-char *convert_to_unix_name(struct ksmbd_share_config *share, char *name);
+char *convert_to_unix_name(struct ksmbd_share_config *share, const char *name);
#define KSMBD_DIR_INFO_ALIGNMENT 8
struct ksmbd_dir_info;
diff --git a/fs/ksmbd/smb2pdu.c b/fs/ksmbd/smb2pdu.c
index 9a919b6590c7..bb78a28af101 100644
--- a/fs/ksmbd/smb2pdu.c
+++ b/fs/ksmbd/smb2pdu.c
@@ -634,7 +634,7 @@ static char *
smb2_get_name(struct ksmbd_share_config *share, const char *src,
const int maxlen, struct nls_table *local_nls)
{
- char *name, *norm_name, *unixname;
+ char *name;
name = smb_strndup_from_utf16(src, maxlen, 1, local_nls);
if (IS_ERR(name)) {
@@ -642,23 +642,9 @@ smb2_get_name(struct ksmbd_share_config *share, const char *src,
return name;
}
- /* change it to absolute unix name */
- norm_name = ksmbd_conv_path_to_unix(name);
- if (IS_ERR(norm_name)) {
- kfree(name);
- return norm_name;
- }
- kfree(name);
-
- unixname = convert_to_unix_name(share, norm_name);
- kfree(norm_name);
- if (!unixname) {
- pr_err("can not convert absolute name\n");
- return ERR_PTR(-ENOMEM);
- }
-
- ksmbd_debug(SMB, "absolute name = %s\n", unixname);
- return unixname;
+ ksmbd_conv_path_to_unix(name);
+ ksmbd_strip_last_slash(name);
+ return name;
}
int setup_async_work(struct ksmbd_work *work, void (*fn)(void **), void **arg)
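Review bot: smb2_get_name() no longer uses its share argument in the lines shown here, since the removed convert_to_unix_name(share, norm_name) call was its only visible user; drop the parameter from the signature and the callers. The returned string is now share-relative rather than an absolute unix name, and the function comment should state that because ksmbd_vfs_kern_path() depends on it.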
@@ -2342,7 +2328,7 @@ static int smb2_creat(struct ksmbd_work *work, struct path *path, char *name,
return rc;
}
- rc = ksmbd_vfs_kern_path(name, 0, path, 0);
+ rc = ksmbd_vfs_kern_path(work, name, 0, path, 0);
if (rc) {
pr_err("cannot get linux path (%s), err = %d\n",
name, rc);
@@ -2411,7 +2397,7 @@ int smb2_open(struct ksmbd_work *work)
struct oplock_info *opinfo;
__le32 *next_ptr = NULL;
int req_op_level = 0, open_flags = 0, may_flags = 0, file_info = 0;
- int rc = 0, len = 0;
+ int rc = 0;
int contxt_cnt = 0, query_disk_id = 0;
int maximal_access_ctxt = 0, posix_ctxt = 0;
int s_type = 0;
@@ -2483,17 +2469,11 @@ int smb2_open(struct ksmbd_work *work)
goto err_out1;
}
} else {
- len = strlen(share->path);
- ksmbd_debug(SMB, "share path len %d\n", len);
- name = kmalloc(len + 1, GFP_KERNEL);
+ name = kstrdup("", GFP_KERNEL);
if (!name) {
- rsp->hdr.Status = STATUS_NO_MEMORY;
rc = -ENOMEM;
goto err_out1;
}
-
- memcpy(name, share->path, len);
- *(name + len) = '\0';
}
req_op_level = req->RequestedOplockLevel;
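Review bot: the kstrdup() failure path drops "rsp->hdr.Status = STATUS_NO_MEMORY;" and leaves the status to err_out1, but the part of the status mapping shown in the @@ -3133 hunk has no -ENOMEM case. Confirm the client still receives a sensible status for this failure, or keep the assignment.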
@@ -2616,7 +2596,7 @@ int smb2_open(struct ksmbd_work *work)
goto err_out1;
}
- rc = ksmbd_vfs_kern_path(name, LOOKUP_NO_SYMLINKS, &path, 1);
+ rc = ksmbd_vfs_kern_path(work, name, LOOKUP_NO_SYMLINKS, &path, 1);
if (!rc) {
if (req->CreateOptions & FILE_DELETE_ON_CLOSE_LE) {
/*
@@ -2645,11 +2625,8 @@ int smb2_open(struct ksmbd_work *work)
}
if (rc) {
- if (rc == -EACCES) {
- ksmbd_debug(SMB,
- "User does not have right permission\n");
+ if (rc != -ENOENT)
goto err_out;
- }
ksmbd_debug(SMB, "can not get linux path for %s, rc = %d\n",
name, rc);
rc = 0;
@@ -3133,7 +3110,7 @@ int smb2_open(struct ksmbd_work *work)
rsp->hdr.Status = STATUS_INVALID_PARAMETER;
else if (rc == -EOPNOTSUPP)
rsp->hdr.Status = STATUS_NOT_SUPPORTED;
- else if (rc == -EACCES || rc == -ESTALE)
+ else if (rc == -EACCES || rc == -ESTALE || rc == -EXDEV)
rsp->hdr.Status = STATUS_ACCESS_DENIED;
else if (rc == -ENOENT)
rsp->hdr.Status = STATUS_OBJECT_NAME_INVALID;
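Review bot: the new -EXDEV case needs a comment, because nothing at this mapping says the code comes from the LOOKUP_BENEATH lookup added to ksmbd_vfs_kern_path(); a later reader will not see why a cross-device error becomes STATUS_ACCESS_DENIED. The same applies to the err_out mapping changed in smb2_set_info().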
@@ -4242,8 +4219,7 @@ static int get_file_all_info(struct ksmbd_work *work,
return -EACCES;
}
- filename = convert_to_nt_pathname(fp->filename,
- work->tcon->share_conf->path);
+ filename = convert_to_nt_pathname(fp->filename);
if (!filename)
return -ENOMEM;
@@ -4695,7 +4671,7 @@ static int smb2_get_info_filesystem(struct ksmbd_work *work,
int rc = 0, len;
int fs_infoclass_size = 0;
- rc = ksmbd_vfs_kern_path(share->path, LOOKUP_NO_SYMLINKS, &path, 0);
+ rc = kern_path(share->path, LOOKUP_NO_SYMLINKS, &path);
if (rc) {
pr_err("cannot create vfs path\n");
return -EIO;
@@ -5238,7 +5214,7 @@ static int smb2_rename(struct ksmbd_work *work, struct ksmbd_file *fp,
goto out;
len = strlen(new_name);
- if (new_name[len - 1] != '/') {
+ if (len > 0 && new_name[len - 1] != '/') {
pr_err("not allow base filename in rename\n");
rc = -ESHARE;
goto out;
@@ -5265,11 +5241,14 @@ static int smb2_rename(struct ksmbd_work *work, struct ksmbd_file *fp,
}
ksmbd_debug(SMB, "new name %s\n", new_name);
- rc = ksmbd_vfs_kern_path(new_name, LOOKUP_NO_SYMLINKS, &path, 1);
- if (rc)
+ rc = ksmbd_vfs_kern_path(work, new_name, LOOKUP_NO_SYMLINKS, &path, 1);
+ if (rc) {
+ if (rc != -ENOENT)
+ goto out;
file_present = false;
- else
+ } else {
path_put(&path);
+ }
if (ksmbd_share_veto_filename(share, new_name)) {
rc = -ENOENT;
@@ -5339,11 +5318,14 @@ static int smb2_create_link(struct ksmbd_work *work,
}
ksmbd_debug(SMB, "target name is %s\n", target_name);
- rc = ksmbd_vfs_kern_path(link_name, LOOKUP_NO_SYMLINKS, &path, 0);
- if (rc)
+ rc = ksmbd_vfs_kern_path(work, link_name, LOOKUP_NO_SYMLINKS, &path, 0);
+ if (rc) {
+ if (rc != -ENOENT)
+ goto out;
file_present = false;
- else
+ } else {
path_put(&path);
+ }
if (file_info->ReplaceIfExists) {
if (file_present) {
@@ -5500,7 +5482,7 @@ static int set_file_allocation_info(struct ksmbd_work *work,
* inode size is retained by backup inode size.
*/
size = i_size_read(inode);
- rc = ksmbd_vfs_truncate(work, NULL, fp, alloc_blks * 512);
+ rc = ksmbd_vfs_truncate(work, fp, alloc_blks * 512);
if (rc) {
pr_err("truncate failed! filename : %s, err %d\n",
fp->filename, rc);
@@ -5537,7 +5519,7 @@ static int set_end_of_file_info(struct ksmbd_work *work, struct ksmbd_file *fp,
if (inode->i_sb->s_magic != MSDOS_SUPER_MAGIC) {
ksmbd_debug(SMB, "filename : %s truncated to newsize %lld\n",
fp->filename, newsize);
- rc = ksmbd_vfs_truncate(work, NULL, fp, newsize);
+ rc = ksmbd_vfs_truncate(work, fp, newsize);
if (rc) {
ksmbd_debug(SMB, "truncate failed! filename : %s err %d\n",
fp->filename, rc);
@@ -5812,7 +5794,7 @@ int smb2_set_info(struct ksmbd_work *work)
return 0;
err_out:
- if (rc == -EACCES || rc == -EPERM)
+ if (rc == -EACCES || rc == -EPERM || rc == -EXDEV)
rsp->hdr.Status = STATUS_ACCESS_DENIED;
else if (rc == -EINVAL)
rsp->hdr.Status = STATUS_INVALID_PARAMETER;
diff --git a/fs/ksmbd/vfs.c b/fs/ksmbd/vfs.c
index 3b656274375f..2887995b2c47 100644
--- a/fs/ksmbd/vfs.c
+++ b/fs/ksmbd/vfs.c
@@ -19,6 +19,8 @@
#include <linux/sched/xacct.h>
#include <linux/crc32c.h>
+#include "../internal.h" /* for vfs_path_lookup */
+
#include "glob.h"
#include "oplock.h"
#include "connection.h"
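Review bot: the added #include "../internal.h" makes ksmbd depend on a VFS-private header just to reach vfs_path_lookup(). If ksmbd is built as a module, that symbol also has to be exported, which this patch does not show; either include the export in the series or note in the commit message where it is done.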
@@ -44,7 +46,6 @@ static char *extract_last_component(char *path)
p++;
} else {
p = NULL;
- pr_err("Invalid path %s\n", path);
}
return p;
}
@@ -152,7 +153,7 @@ int ksmbd_vfs_query_maximal_access(struct dentry *dentry, __le32 *daccess)
/**
* ksmbd_vfs_create() - vfs helper for smb create file
* @work: work
- * @name: file name
+ * @name: file name that is relative to share
* @mode: file create mode
*
* Return: 0 on success, otherwise error
@@ -163,7 +164,8 @@ int ksmbd_vfs_create(struct ksmbd_work *work, const char *name, umode_t mode)
struct dentry *dentry;
int err;
- dentry = kern_path_create(AT_FDCWD, name, &path, LOOKUP_NO_SYMLINKS);
+ dentry = ksmbd_vfs_kern_path_create(work, name,
+ LOOKUP_NO_SYMLINKS, &path);
if (IS_ERR(dentry)) {
err = PTR_ERR(dentry);
if (err != -ENOENT)
@@ -187,7 +189,7 @@ int ksmbd_vfs_create(struct ksmbd_work *work, const char *name, umode_t mode)
/**
* ksmbd_vfs_mkdir() - vfs helper for smb create directory
* @work: work
- * @name: directory name
+ * @name: directory name that is relative to share
* @mode: directory create mode
*
* Return: 0 on success, otherwise error
@@ -198,8 +200,9 @@ int ksmbd_vfs_mkdir(struct ksmbd_work *work, const char *name, umode_t mode)
struct dentry *dentry;
int err;
- dentry = kern_path_create(AT_FDCWD, name, &path,
- LOOKUP_NO_SYMLINKS | LOOKUP_DIRECTORY);
+ dentry = ksmbd_vfs_kern_path_create(work, name,
+ LOOKUP_NO_SYMLINKS | LOOKUP_DIRECTORY,
+ &path);
if (IS_ERR(dentry)) {
err = PTR_ERR(dentry);
if (err != -EEXIST)
@@ -567,7 +570,7 @@ int ksmbd_vfs_fsync(struct ksmbd_work *work, u64 fid, u64 p_id)
/**
* ksmbd_vfs_remove_file() - vfs helper for smb rmdir or unlink
- * @name: absolute directory or file name
+ * @name: directory or file name that is relative to share
*
* Return: 0 on success, otherwise error
*/
@@ -580,7 +583,7 @@ int ksmbd_vfs_remove_file(struct ksmbd_work *work, char *name)
if (ksmbd_override_fsids(work))
return -ENOMEM;
- err = kern_path(name, LOOKUP_NO_SYMLINKS, &path);
+ err = ksmbd_vfs_kern_path(work, name, LOOKUP_NO_SYMLINKS, &path, false);
if (err) {
ksmbd_debug(VFS, "can't get %s, err %d\n", name, err);
ksmbd_revert_fsids(work);
@@ -625,7 +628,7 @@ int ksmbd_vfs_remove_file(struct ksmbd_work *work, char *name)
/**
* ksmbd_vfs_link() - vfs helper for creating smb hardlink
* @oldname: source file name
- * @newname: hardlink name
+ * @newname: hardlink name that is relative to share
*
* Return: 0 on success, otherwise error
*/
@@ -646,8 +649,9 @@ int ksmbd_vfs_link(struct ksmbd_work *work, const char *oldname,
goto out1;
}
- dentry = kern_path_create(AT_FDCWD, newname, &newpath,
- LOOKUP_NO_SYMLINKS | LOOKUP_REVAL);
+ dentry = ksmbd_vfs_kern_path_create(work, newname,
+ LOOKUP_NO_SYMLINKS | LOOKUP_REVAL,
+ &newpath);
if (IS_ERR(dentry)) {
err = PTR_ERR(dentry);
pr_err("path create err for %s, err %d\n", newname, err);
@@ -757,14 +761,17 @@ int ksmbd_vfs_fp_rename(struct ksmbd_work *work, struct ksmbd_file *fp,
int err;
dst_name = extract_last_component(newname);
- if (!dst_name)
- return -EINVAL;
+ if (!dst_name) {
+ dst_name = newname;
+ newname = "";
+ }
src_dent_parent = dget_parent(fp->filp->f_path.dentry);
src_dent = fp->filp->f_path.dentry;
- err = kern_path(newname, LOOKUP_NO_SYMLINKS | LOOKUP_DIRECTORY,
- &dst_path);
+ err = ksmbd_vfs_kern_path(work, newname,
+ LOOKUP_NO_SYMLINKS | LOOKUP_DIRECTORY,
+ &dst_path, false);
if (err) {
ksmbd_debug(VFS, "Cannot get path for %s [%d]\n", newname, err);
goto out;
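Review bot: in the new !dst_name branch, newname = ""; points a char * at a string literal and then passes it to ksmbd_vfs_kern_path(), whose name parameter is a non-const char *. Make that parameter const char *, as ksmbd_vfs_kern_path_create() already does, or use a local empty buffer, so that a later write through name cannot land in read-only data.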
@@ -807,61 +814,43 @@ int ksmbd_vfs_fp_rename(struct ksmbd_work *work, struct ksmbd_file *fp,
/**
* ksmbd_vfs_truncate() - vfs helper for smb file truncate
* @work: work
- * @name: old filename
* @fid: file id of old file
* @size: truncate to given size
*
* Return: 0 on success, otherwise error
*/
-int ksmbd_vfs_truncate(struct ksmbd_work *work, const char *name,
+int ksmbd_vfs_truncate(struct ksmbd_work *work,
struct ksmbd_file *fp, loff_t size)
{
- struct path path;
int err = 0;
+ struct file *filp;
- if (name) {
- err = kern_path(name, LOOKUP_NO_SYMLINKS, &path);
- if (err) {
- pr_err("cannot get linux path for %s, err %d\n",
- name, err);
- return err;
- }
- err = vfs_truncate(&path, size);
- if (err)
- pr_err("truncate failed for %s err %d\n",
- name, err);
- path_put(&path);
- } else {
- struct file *filp;
-
- filp = fp->filp;
-
- /* Do we need to break any of a levelII oplock? */
- smb_break_all_levII_oplock(work, fp, 1);
+ filp = fp->filp;
- if (!work->tcon->posix_extensions) {
- struct inode *inode = file_inode(filp);
+ /* Do we need to break any of a levelII oplock? */
+ smb_break_all_levII_oplock(work, fp, 1);
- if (size < inode->i_size) {
- err = check_lock_range(filp, size,
- inode->i_size - 1, WRITE);
- } else {
- err = check_lock_range(filp, inode->i_size,
- size - 1, WRITE);
- }
+ if (!work->tcon->posix_extensions) {
+ struct inode *inode = file_inode(filp);
- if (err) {
- pr_err("failed due to lock\n");
- return -EAGAIN;
- }
+ if (size < inode->i_size) {
+ err = check_lock_range(filp, size,
+ inode->i_size - 1, WRITE);
+ } else {
+ err = check_lock_range(filp, inode->i_size,
+ size - 1, WRITE);
}
- err = vfs_truncate(&filp->f_path, size);
- if (err)
- pr_err("truncate failed for filename : %s err %d\n",
- fp->filename, err);
+ if (err) {
+ pr_err("failed due to lock\n");
+ return -EAGAIN;
+ }
}
+ err = vfs_truncate(&filp->f_path, size);
+ if (err)
+ pr_err("truncate failed for filename : %s err %d\n",
+ fp->filename, err);
return err;
}
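Review bot: the kernel-doc still reads "@fid: file id of old file" although the parameter is named fp; rename the tag to @fp in the same edit that removes @name. Now that the name-based branch is gone, the comment could also say that the function only truncates an already opened file.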
@@ -1171,22 +1160,25 @@ static int ksmbd_vfs_lookup_in_dir(struct path *dir, char *name, size_t namelen)
/**
* ksmbd_vfs_kern_path() - lookup a file and get path info
- * @name: name of file for lookup
+ * @name: file path that is relative to share
* @flags: lookup flags
* @path: if lookup succeed, return path info
* @caseless: caseless filename lookup
*
* Return: 0 on success, otherwise error
*/
-int ksmbd_vfs_kern_path(char *name, unsigned int flags, struct path *path,
- bool caseless)
+int ksmbd_vfs_kern_path(struct ksmbd_work *work, char *name,
+ unsigned int flags, struct path *path, bool caseless)
{
+ struct ksmbd_share_config *share_conf = work->tcon->share_conf;
int err;
- if (name[0] != '/')
- return -EINVAL;
-
- err = kern_path(name, flags, path);
+ flags |= LOOKUP_BENEATH;
+ err = vfs_path_lookup(share_conf->vfs_path.dentry,
+ share_conf->vfs_path.mnt,
+ name,
+ flags,
+ path);
if (!err)
return 0;
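Review bot: the kernel-doc gets no @work line for the new first parameter. It should also state that LOOKUP_BENEATH is forced onto every lookup and that the walk starts at share_conf->vfs_path, since that is the containment guarantee callers now rely on after the "name[0] != '/'" check is removed.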
@@ -1200,11 +1192,10 @@ int ksmbd_vfs_kern_path(char *name, unsigned int flags, struct path *path,
return -ENOMEM;
path_len = strlen(filepath);
- remain_len = path_len - 1;
+ remain_len = path_len;
- err = kern_path("/", flags, &parent);
- if (err)
- goto out;
+ parent = share_conf->vfs_path;
+ path_get(&parent);
while (d_can_lookup(parent.dentry)) {
char *filename = filepath + path_len - remain_len;
@@ -1217,21 +1208,21 @@ int ksmbd_vfs_kern_path(char *name, unsigned int flags, struct path *path,
err = ksmbd_vfs_lookup_in_dir(&parent, filename,
filename_len);
- if (err) {
- path_put(&parent);
+ path_put(&parent);
+ if (err)
goto out;
- }
- path_put(&parent);
next[0] = '\0';
- err = kern_path(filepath, flags, &parent);
+ err = vfs_path_lookup(share_conf->vfs_path.dentry,
+ share_conf->vfs_path.mnt,
+ filepath,
+ flags,
+ &parent);
if (err)
goto out;
-
- if (is_last) {
- path->mnt = parent.mnt;
- path->dentry = parent.dentry;
+ else if (is_last) {
+ *path = parent;
goto out;
}
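Review bot: at the end of the loop body, "if (err) goto out; else if (is_last) {" puts an else after a goto and braces only one arm. A plain "if (is_last) {" following the error check is clearer and matches the style of the surrounding code.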
@@ -1247,6 +1238,23 @@ int ksmbd_vfs_kern_path(char *name, unsigned int flags, struct path *path,
return err;
}
+struct dentry *ksmbd_vfs_kern_path_create(struct ksmbd_work *work,
+ const char *name,
+ unsigned int flags,
+ struct path *path)
+{
+ char *abs_name;
+ struct dentry *dent;
+
+ abs_name = convert_to_unix_name(work->tcon->share_conf, name);
+ if (!abs_name)
+ return ERR_PTR(-ENOMEM);
+
+ dent = kern_path_create(AT_FDCWD, abs_name, path, flags);
+ kfree(abs_name);
+ return dent;
+}
+
int ksmbd_vfs_remove_acl_xattrs(struct dentry *dentry)
{
char *name, *xattr_list = NULL;
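Review bot: ksmbd_vfs_kern_path_create() does not get the containment that ksmbd_vfs_kern_path() gets: it rebuilds an absolute name with convert_to_unix_name() and resolves it from AT_FDCWD with the caller's flags, without LOOKUP_BENEATH and without rooting the walk at share_conf->vfs_path. Either anchor the create lookup at the share root as well, or document which earlier check keeps a name containing ".." inside the share on the create, mkdir and link paths that now call this helper. The helper also has no kernel-doc.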
diff --git a/fs/ksmbd/vfs.h b/fs/ksmbd/vfs.h
index 319316f49aee..ef4a89cf0221 100644
--- a/fs/ksmbd/vfs.h
+++ b/fs/ksmbd/vfs.h
@@ -124,7 +124,7 @@ int ksmbd_vfs_link(struct ksmbd_work *work,
int ksmbd_vfs_getattr(struct path *path, struct kstat *stat);
int ksmbd_vfs_fp_rename(struct ksmbd_work *work, struct ksmbd_file *fp,
char *newname);
-int ksmbd_vfs_truncate(struct ksmbd_work *work, const char *name,
+int ksmbd_vfs_truncate(struct ksmbd_work *work,
struct ksmbd_file *fp, loff_t size);
struct srv_copychunk;
int ksmbd_vfs_copy_file_ranges(struct ksmbd_work *work,
@@ -145,8 +145,13 @@ int ksmbd_vfs_setxattr(struct dentry *dentry, const char *attr_name,
int ksmbd_vfs_xattr_stream_name(char *stream_name, char **xattr_stream_name,
size_t *xattr_stream_name_size, int s_type);
int ksmbd_vfs_remove_xattr(struct dentry *dentry, char *attr_name);
-int ksmbd_vfs_kern_path(char *name, unsigned int flags, struct path *path,
+int ksmbd_vfs_kern_path(struct ksmbd_work *work,
+ char *name, unsigned int flags, struct path *path,
bool caseless);
+struct dentry *ksmbd_vfs_kern_path_create(struct ksmbd_work *work,
+ const char *name,
+ unsigned int flags,
+ struct path *path);
int ksmbd_vfs_empty_dir(struct ksmbd_file *fp);
void ksmbd_vfs_set_fadvise(struct file *filp, __le32 option);
int ksmbd_vfs_zero_data(struct ksmbd_work *work, struct ksmbd_file *fp,
From patchwork Mon Nov 14 12:52:07 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-Patchwork-Submitter: Jason Yan <yanaijie(a)huawei.com>
X-Patchwork-Id: 183315
Return-Path: <yanaijie(a)huawei.com>
From: Jason Yan <yanaijie(a)huawei.com>
To: <yanaijie(a)huawei.com>, <zhengzengkai(a)huawei.com>, <xiexiuqi(a)huawei.com>,
<yi.zhang(a)huawei.com>, <patchwork(a)huawei.com>, <kernel.openeuler(a)huawei.com>,
<houtao1(a)huawei.com>
Subject: [PATCH OLK-5.10 v2 218/308] ksmbd: remove RFC1002 check in smb2
request
Date: Mon, 14 Nov 2022 20:52:07 +0800
Message-ID: <20221114125337.1831594-219-yanaijie(a)huawei.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20221114125337.1831594-1-yanaijie(a)huawei.com>
References: <20221114125337.1831594-1-yanaijie(a)huawei.com>
Content-Type: text/plain; charset="UTF-8"
MIME-Version: 1.0
From: Ronnie Sahlberg <lsahlber(a)redhat.com>
mainline inclusion
from mainline-5.15-rc4
commit 18d46769d54aba03c2c3fa666fe810f264b5d7b8
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G
CVE: NA
Reference: https://git.kernel.org/torvalds/linux/c/18d46769d54a
-------------------------------
In smb_common.c you have this function: ksmbd_smb_request() which
is called from connection.c once you have read the initial 4 bytes for
the next length+smb2 blob.
It checks the first byte of this 4 byte preamble for valid values,
i.e. a NETBIOSoverTCP SESSION_MESSAGE or a SESSION_KEEP_ALIVE.
We don't need to check this for ksmbd since it only implements SMB2
over TCP port 445.
The netbios stuff was only used in very old servers when SMB ran over
TCP port 139.
Now that we run over TCP port 445, this is actually not a NB header anymore
and you can just treat it as a 4 byte length field that must be less
than 16Mbyte, and remove the references to the RFC1002 constants that no
longer apply.
Cc: Tom Talpey <tom(a)talpey.com>
Cc: Ronnie Sahlberg <ronniesahlberg(a)gmail.com>
Cc: Ralph Böhme <slow(a)samba.org>
Cc: Steve French <smfrench(a)gmail.com>
Cc: Sergey Senozhatsky <senozhatsky(a)chromium.org>
Acked-by: Hyunchul Lee <hyc.lee(a)gmail.com>
Signed-off-by: Ronnie Sahlberg <lsahlber(a)redhat.com>
Signed-off-by: Namjae Jeon <linkinjeon(a)kernel.org>
Signed-off-by: Steve French <stfrench(a)microsoft.com>
Signed-off-by: Jason Yan <yanaijie(a)huawei.com>
---
fs/ksmbd/smb_common.c | 15 +--------------
fs/ksmbd/smb_common.h | 8 --------
2 files changed, 1 insertion(+), 22 deletions(-)
diff --git a/fs/ksmbd/smb_common.c b/fs/ksmbd/smb_common.c
index 7ea15d77d50e..98c22a3abf92 100644
--- a/fs/ksmbd/smb_common.c
+++ b/fs/ksmbd/smb_common.c
@@ -155,20 +155,7 @@ int ksmbd_verify_smb_message(struct ksmbd_work *work)
*/
bool ksmbd_smb_request(struct ksmbd_conn *conn)
{
- int type = *(char *)conn->request_buf;
-
- switch (type) {
- case RFC1002_SESSION_MESSAGE:
- /* Regular SMB request */
- return true;
- case RFC1002_SESSION_KEEP_ALIVE:
- ksmbd_debug(SMB, "RFC 1002 session keep alive\n");
- break;
- default:
- ksmbd_debug(SMB, "RFC 1002 unknown request type 0x%x\n", type);
- }
-
- return false;
+ return conn->request_buf[0] == 0;
}
static bool supported_protocol(int idx)
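Review bot: "return conn->request_buf[0] == 0;" leaves a bare magic number where the commit message's reasoning lives. Add a one-line comment saying that a zero first byte is what keeps the 4-byte length under 16 Mbyte, and update the kernel-doc above the function if it still describes RFC 1002 message types. The keep-alive and unknown-type debug messages are removed as well, so a rejected preamble is now silent; a ksmbd_debug() on the false path would keep that diagnosable.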
diff --git a/fs/ksmbd/smb_common.h b/fs/ksmbd/smb_common.h
index 0a6af447cc45..994abede27e9 100644
--- a/fs/ksmbd/smb_common.h
+++ b/fs/ksmbd/smb_common.h
@@ -48,14 +48,6 @@
#define CIFS_DEFAULT_IOSIZE (64 * 1024)
#define MAX_CIFS_SMALL_BUFFER_SIZE 448 /* big enough for most */
-/* RFC 1002 session packet types */
-#define RFC1002_SESSION_MESSAGE 0x00
-#define RFC1002_SESSION_REQUEST 0x81
-#define RFC1002_POSITIVE_SESSION_RESPONSE 0x82
-#define RFC1002_NEGATIVE_SESSION_RESPONSE 0x83
-#define RFC1002_RETARGET_SESSION_RESPONSE 0x84
-#define RFC1002_SESSION_KEEP_ALIVE 0x85
-
/* Responses when opening a file. */
#define F_SUPERSEDED 0
#define F_OPENED 1
From patchwork Mon Nov 14 12:52:08 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-Patchwork-Submitter: Jason Yan <yanaijie(a)huawei.com>
X-Patchwork-Id: 183316
Return-Path: <yanaijie(a)huawei.com>
From: Jason Yan <yanaijie(a)huawei.com>
To: <yanaijie(a)huawei.com>, <zhengzengkai(a)huawei.com>, <xiexiuqi(a)huawei.com>,
<yi.zhang(a)huawei.com>, <patchwork(a)huawei.com>, <kernel.openeuler(a)huawei.com>,
<houtao1(a)huawei.com>
Subject: [PATCH OLK-5.10 v2 219/308] ksmbd: fix invalid request buffer access
in compound
Date: Mon, 14 Nov 2022 20:52:08 +0800
Message-ID: <20221114125337.1831594-220-yanaijie(a)huawei.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20221114125337.1831594-1-yanaijie(a)huawei.com>
References: <20221114125337.1831594-1-yanaijie(a)huawei.com>
Content-Type: text/plain; charset="UTF-8"
MIME-Version: 1.0
From: Namjae Jeon <linkinjeon(a)kernel.org>
mainline inclusion
from mainline-5.15-rc4
commit d72a9c158893d537d769a669a5837bc80b0f851c
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G
CVE: NA
Reference: https://git.kernel.org/torvalds/linux/c/d72a9c158893
-------------------------------
Ronnie reported an invalid request buffer access in a chained command when
inserting a garbage value into NextCommand of a compound request.
This patch adds a validation check to avoid this issue.
Cc: Tom Talpey <tom(a)talpey.com>
Cc: Ronnie Sahlberg <ronniesahlberg(a)gmail.com>
Cc: Ralph Böhme <slow(a)samba.org>
Tested-by: Steve French <smfrench(a)gmail.com>
Reviewed-by: Steve French <smfrench(a)gmail.com>
Acked-by: Hyunchul Lee <hyc.lee(a)gmail.com>
Signed-off-by: Namjae Jeon <linkinjeon(a)kernel.org>
Signed-off-by: Steve French <stfrench(a)microsoft.com>
Signed-off-by: Jason Yan <yanaijie(a)huawei.com>
---
fs/ksmbd/smb2pdu.c | 13 +++++++++++--
1 file changed, 11 insertions(+), 2 deletions(-)
diff --git a/fs/ksmbd/smb2pdu.c b/fs/ksmbd/smb2pdu.c
index bb78a28af101..f124482fcccd 100644
--- a/fs/ksmbd/smb2pdu.c
+++ b/fs/ksmbd/smb2pdu.c
@@ -459,13 +459,22 @@ static void init_chained_smb2_rsp(struct ksmbd_work *work)
bool is_chained_smb2_message(struct ksmbd_work *work)
{
struct smb2_hdr *hdr = work->request_buf;
- unsigned int len;
+ unsigned int len, next_cmd;
if (hdr->ProtocolId != SMB2_PROTO_NUMBER)
return false;
hdr = ksmbd_req_buf_next(work);
- if (le32_to_cpu(hdr->NextCommand) > 0) {
+ next_cmd = le32_to_cpu(hdr->NextCommand);
+ if (next_cmd > 0) {
+ if ((u64)work->next_smb2_rcv_hdr_off + next_cmd +
+ __SMB2_HEADER_STRUCTURE_SIZE >
+ get_rfc1002_len(work->request_buf)) {
+ pr_err("next command(%u) offset exceeds smb msg size\n",
+ next_cmd);
+ return false;
+ }
+
ksmbd_debug(SMB, "got SMB2 chained command\n");
init_chained_smb2_rsp(work);
return true;
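Review bot: the new pr_err() in the bounds check fires on NextCommand, a value the client controls, so a remote peer can fill the kernel log at will; use ksmbd_debug() or pr_err_ratelimited() instead. Returning false there also reports "not chained" rather than an error, so confirm the caller stops processing the request instead of treating the current command as the last one of a valid compound. The (u64) cast that keeps the sum from wrapping deserves a short comment.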
From patchwork Mon Nov 14 12:52:09 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Jason Yan <yanaijie(a)huawei.com>
X-Patchwork-Id: 183317
Return-Path: <yanaijie(a)huawei.com>
From: Jason Yan <yanaijie(a)huawei.com>
To: <yanaijie(a)huawei.com>, <zhengzengkai(a)huawei.com>, <xiexiuqi(a)huawei.com>,
<yi.zhang(a)huawei.com>, <patchwork(a)huawei.com>, <kernel.openeuler(a)huawei.com>,
<houtao1(a)huawei.com>
Subject: [PATCH OLK-5.10 v2 220/308] ksmbd: fix documentation for 2 functions
Date: Mon, 14 Nov 2022 20:52:09 +0800
Message-ID: <20221114125337.1831594-221-yanaijie(a)huawei.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20221114125337.1831594-1-yanaijie(a)huawei.com>
References: <20221114125337.1831594-1-yanaijie(a)huawei.com>
Content-Type: text/plain
MIME-Version: 1.0
From: Enzo Matsumiya <ematsumiya(a)suse.de>
mainline inclusion
from mainline-5.15-rc4
commit 1018bf24550fd0feec14648309a0aeb62401f4dc
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G
CVE: NA
Reference: https://git.kernel.org/torvalds/linux/c/1018bf24550f
-------------------------------
ksmbd_kthread_fn() and create_socket() return 0 or an error code, and not
task_struct/ERR_PTR.
Signed-off-by: Enzo Matsumiya <ematsumiya(a)suse.de>
Acked-by: Namjae Jeon <linkinjeon(a)kernel.org>
Signed-off-by: Steve French <stfrench(a)microsoft.com>
Signed-off-by: Jason Yan <yanaijie(a)huawei.com>
---
fs/ksmbd/transport_tcp.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/fs/ksmbd/transport_tcp.c b/fs/ksmbd/transport_tcp.c
index dc15a5ecd2e0..c14320e03b69 100644
--- a/fs/ksmbd/transport_tcp.c
+++ b/fs/ksmbd/transport_tcp.c
@@ -215,7 +215,7 @@ static int ksmbd_tcp_new_connection(struct socket *client_sk)
* ksmbd_kthread_fn() - listen to new SMB connections and callback server
* @p: arguments to forker thread
*
- * Return: Returns a task_struct or ERR_PTR
+ * Return: 0 on success, error number otherwise
*/
static int ksmbd_kthread_fn(void *p)
{
@@ -387,7 +387,7 @@ static void tcp_destroy_socket(struct socket *ksmbd_socket)
/**
* create_socket - create socket for ksmbd/0
*
- * Return: Returns a task_struct or ERR_PTR
+ * Return: 0 on success, error number otherwise
*/
static int create_socket(struct interface *iface)
{
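Review bot: the create_socket kernel-doc still has no @iface entry for its only parameter, and its name line lacks the "()" that the ksmbd_kthread_fn() comment above uses. Both are worth fixing in the same patch as the Return line.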
From patchwork Mon Nov 14 12:52:10 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-Patchwork-Submitter: Jason Yan <yanaijie(a)huawei.com>
X-Patchwork-Id: 183318
Return-Path: <yanaijie(a)huawei.com>
From: Jason Yan <yanaijie(a)huawei.com>
To: <yanaijie(a)huawei.com>, <zhengzengkai(a)huawei.com>, <xiexiuqi(a)huawei.com>,
<yi.zhang(a)huawei.com>, <patchwork(a)huawei.com>, <kernel.openeuler(a)huawei.com>,
<houtao1(a)huawei.com>
Subject: [PATCH OLK-5.10 v2 221/308] ksmbd: remove NTLMv1 authentication
Date: Mon, 14 Nov 2022 20:52:10 +0800
Message-ID: <20221114125337.1831594-222-yanaijie(a)huawei.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20221114125337.1831594-1-yanaijie(a)huawei.com>
References: <20221114125337.1831594-1-yanaijie(a)huawei.com>
Content-Type: text/plain; charset="UTF-8"
MIME-Version: 1.0
From: Namjae Jeon <linkinjeon(a)kernel.org>
mainline inclusion
from mainline-5.15-rc4
commit ce812992f239f45e13c820a52455fec6eacbce1e
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G
CVE: NA
Reference: https://git.kernel.org/torvalds/linux/c/ce812992f239
-------------------------------
Remove insecure NTLMv1 authentication.
Cc: Ronnie Sahlberg <ronniesahlberg(a)gmail.com>
Cc: Ralph Böhme <slow(a)samba.org>
Reviewed-by: Tom Talpey <tom(a)talpey.com>
Acked-by: Steve French <smfrench(a)gmail.com>
Signed-off-by: Namjae Jeon <linkinjeon(a)kernel.org>
Signed-off-by: Steve French <stfrench(a)microsoft.com>
Signed-off-by: Jason Yan <yanaijie(a)huawei.com>
---
fs/ksmbd/auth.c | 205 ------------------------------------------
fs/ksmbd/crypto_ctx.c | 16 ----
fs/ksmbd/crypto_ctx.h | 8 --
3 files changed, 229 deletions(-)
diff --git a/fs/ksmbd/auth.c b/fs/ksmbd/auth.c
index de36f12070bf..71c989f1568d 100644
--- a/fs/ksmbd/auth.c
+++ b/fs/ksmbd/auth.c
@@ -68,125 +68,6 @@ void ksmbd_copy_gss_neg_header(void *buf)
memcpy(buf, NEGOTIATE_GSS_HEADER, AUTH_GSS_LENGTH);
}
-static void
-str_to_key(unsigned char *str, unsigned char *key)
-{
- int i;
-
- key[0] = str[0] >> 1;
- key[1] = ((str[0] & 0x01) << 6) | (str[1] >> 2);
- key[2] = ((str[1] & 0x03) << 5) | (str[2] >> 3);
- key[3] = ((str[2] & 0x07) << 4) | (str[3] >> 4);
- key[4] = ((str[3] & 0x0F) << 3) | (str[4] >> 5);
- key[5] = ((str[4] & 0x1F) << 2) | (str[5] >> 6);
- key[6] = ((str[5] & 0x3F) << 1) | (str[6] >> 7);
- key[7] = str[6] & 0x7F;
- for (i = 0; i < 8; i++)
- key[i] = (key[i] << 1);
-}
-
-static int
-smbhash(unsigned char *out, const unsigned char *in, unsigned char *key)
-{
- unsigned char key2[8];
- struct des_ctx ctx;
-
- if (fips_enabled) {
- ksmbd_debug(AUTH, "FIPS compliance enabled: DES not permitted\n");
- return -ENOENT;
- }
-
- str_to_key(key, key2);
- des_expand_key(&ctx, key2, DES_KEY_SIZE);
- des_encrypt(&ctx, out, in);
- memzero_explicit(&ctx, sizeof(ctx));
- return 0;
-}
-
-static int ksmbd_enc_p24(unsigned char *p21, const unsigned char *c8, unsigned char *p24)
-{
- int rc;
-
- rc = smbhash(p24, c8, p21);
- if (rc)
- return rc;
- rc = smbhash(p24 + 8, c8, p21 + 7);
- if (rc)
- return rc;
- return smbhash(p24 + 16, c8, p21 + 14);
-}
-
-/* produce a md4 message digest from data of length n bytes */
-static int ksmbd_enc_md4(unsigned char *md4_hash, unsigned char *link_str,
- int link_len)
-{
- int rc;
- struct ksmbd_crypto_ctx *ctx;
-
- ctx = ksmbd_crypto_ctx_find_md4();
- if (!ctx) {
- ksmbd_debug(AUTH, "Crypto md4 allocation error\n");
- return -ENOMEM;
- }
-
- rc = crypto_shash_init(CRYPTO_MD4(ctx));
- if (rc) {
- ksmbd_debug(AUTH, "Could not init md4 shash\n");
- goto out;
- }
-
- rc = crypto_shash_update(CRYPTO_MD4(ctx), link_str, link_len);
- if (rc) {
- ksmbd_debug(AUTH, "Could not update with link_str\n");
- goto out;
- }
-
- rc = crypto_shash_final(CRYPTO_MD4(ctx), md4_hash);
- if (rc)
- ksmbd_debug(AUTH, "Could not generate md4 hash\n");
-out:
- ksmbd_release_crypto_ctx(ctx);
- return rc;
-}
-
-static int ksmbd_enc_update_sess_key(unsigned char *md5_hash, char *nonce,
- char *server_challenge, int len)
-{
- int rc;
- struct ksmbd_crypto_ctx *ctx;
-
- ctx = ksmbd_crypto_ctx_find_md5();
- if (!ctx) {
- ksmbd_debug(AUTH, "Crypto md5 allocation error\n");
- return -ENOMEM;
- }
-
- rc = crypto_shash_init(CRYPTO_MD5(ctx));
- if (rc) {
- ksmbd_debug(AUTH, "Could not init md5 shash\n");
- goto out;
- }
-
- rc = crypto_shash_update(CRYPTO_MD5(ctx), server_challenge, len);
- if (rc) {
- ksmbd_debug(AUTH, "Could not update with challenge\n");
- goto out;
- }
-
- rc = crypto_shash_update(CRYPTO_MD5(ctx), nonce, len);
- if (rc) {
- ksmbd_debug(AUTH, "Could not update with nonce\n");
- goto out;
- }
-
- rc = crypto_shash_final(CRYPTO_MD5(ctx), md5_hash);
- if (rc)
- ksmbd_debug(AUTH, "Could not generate md5 hash\n");
-out:
- ksmbd_release_crypto_ctx(ctx);
- return rc;
-}
-
/**
* ksmbd_gen_sess_key() - function to generate session key
* @sess: session of connection
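Review bot: smbhash() removed in this hunk is the only visible caller of des_expand_key() and des_encrypt(), and ksmbd_enc_md4() the only visible user of the md4 shash, yet the diffstat touches only auth.c, crypto_ctx.c and crypto_ctx.h. Please check whether the DES header include in auth.c and any Kconfig selects for DES and MD4 are now dead and can be dropped in the same patch, so the module no longer pulls in the algorithms this change retires.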
@@ -324,43 +205,6 @@ static int calc_ntlmv2_hash(struct ksmbd_session *sess, char *ntlmv2_hash,
return ret;
}
-/**
- * ksmbd_auth_ntlm() - NTLM authentication handler
- * @sess: session of connection
- * @pw_buf: NTLM challenge response
- * @passkey: user password
- *
- * Return: 0 on success, error number on error
- */
-int ksmbd_auth_ntlm(struct ksmbd_session *sess, char *pw_buf)
-{
- int rc;
- unsigned char p21[21];
- char key[CIFS_AUTH_RESP_SIZE];
-
- memset(p21, '\0', 21);
- memcpy(p21, user_passkey(sess->user), CIFS_NTHASH_SIZE);
- rc = ksmbd_enc_p24(p21, sess->ntlmssp.cryptkey, key);
- if (rc) {
- pr_err("password processing failed\n");
- return rc;
- }
-
- ksmbd_enc_md4(sess->sess_key, user_passkey(sess->user),
- CIFS_SMB1_SESSKEY_SIZE);
- memcpy(sess->sess_key + CIFS_SMB1_SESSKEY_SIZE, key,
- CIFS_AUTH_RESP_SIZE);
- sess->sequence_number = 1;
-
- if (strncmp(pw_buf, key, CIFS_AUTH_RESP_SIZE) != 0) {
- ksmbd_debug(AUTH, "ntlmv1 authentication failed\n");
- return -EINVAL;
- }
-
- ksmbd_debug(AUTH, "ntlmv1 authentication pass\n");
- return 0;
-}
-
/**
* ksmbd_auth_ntlmv2() - NTLMv2 authentication handler
* @sess: session of connection
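Review bot: ksmbd_auth_ntlm() is removed here as a non-static function, so it presumably has a prototype in a header, but the diffstat lists no header other than crypto_ctx.h. Please drop the declaration together with the definition so no stale reference to the NTLMv1 handler is left behind.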
@@ -441,44 +285,6 @@ int ksmbd_auth_ntlmv2(struct ksmbd_session *sess, struct ntlmv2_resp *ntlmv2,
return rc;
}
-/**
- * __ksmbd_auth_ntlmv2() - NTLM2(extended security) authentication handler
- * @sess: session of connection
- * @client_nonce: client nonce from LM response.
- * @ntlm_resp: ntlm response data from client.
- *
- * Return: 0 on success, error number on error
- */
-static int __ksmbd_auth_ntlmv2(struct ksmbd_session *sess, char *client_nonce,
- char *ntlm_resp)
-{
- char sess_key[CIFS_SMB1_SESSKEY_SIZE] = {0};
- int rc;
- unsigned char p21[21];
- char key[CIFS_AUTH_RESP_SIZE];
-
- rc = ksmbd_enc_update_sess_key(sess_key,
- client_nonce,
- (char *)sess->ntlmssp.cryptkey, 8);
- if (rc) {
- pr_err("password processing failed\n");
- goto out;
- }
-
- memset(p21, '\0', 21);
- memcpy(p21, user_passkey(sess->user), CIFS_NTHASH_SIZE);
- rc = ksmbd_enc_p24(p21, sess_key, key);
- if (rc) {
- pr_err("password processing failed\n");
- goto out;
- }
-
- if (memcmp(ntlm_resp, key, CIFS_AUTH_RESP_SIZE) != 0)
- rc = -EINVAL;
-out:
- return rc;
-}
-
/**
* ksmbd_decode_ntlmssp_auth_blob() - helper function to construct
* authenticate blob
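Review bot: the commit message says only "Remove insecure NTLMv1 authentication", but __ksmbd_auth_ntlmv2() removed in this hunk is documented as the NTLM2 (extended security) handler, which is a separate response type from plain NTLMv1. Please name it in the commit message so it is clear that the extended session security variant of the 24-byte response loses its dedicated path as well.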
@@ -512,17 +318,6 @@ int ksmbd_decode_ntlmssp_auth_blob(struct authenticate_message *authblob,
nt_off = le32_to_cpu(authblob->NtChallengeResponse.BufferOffset);
nt_len = le16_to_cpu(authblob->NtChallengeResponse.Length);
- /* process NTLM authentication */
- if (nt_len == CIFS_AUTH_RESP_SIZE) {
- if (le32_to_cpu(authblob->NegotiateFlags) &
- NTLMSSP_NEGOTIATE_EXTENDED_SEC)
- return __ksmbd_auth_ntlmv2(sess, (char *)authblob +
- lm_off, (char *)authblob + nt_off);
- else
- return ksmbd_auth_ntlm(sess, (char *)authblob +
- nt_off);
- }
-
/* TODO : use domain name that imported from configuration file */
domain_name = smb_strndup_from_utf16((const char *)authblob +
le32_to_cpu(authblob->DomainName.BufferOffset),
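Review bot: with the nt_len == CIFS_AUTH_RESP_SIZE branch gone, a response of any length, including one shorter than an NTLMv2 response, now falls through to the NTLMv2 path below, and the visible context takes nt_off and nt_len straight from the blob with no bounds check. Please confirm that nt_len has a lower bound and that nt_off + nt_len stays inside the blob before the NTLMv2 code uses them, and drop lm_off if the removed branch was its only user.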
diff --git a/fs/ksmbd/crypto_ctx.c b/fs/ksmbd/crypto_ctx.c
index 5f4b1008d17e..81488d04199d 100644
--- a/fs/ksmbd/crypto_ctx.c
+++ b/fs/ksmbd/crypto_ctx.c
@@ -81,12 +81,6 @@ static struct shash_desc *alloc_shash_desc(int id)
case CRYPTO_SHASH_SHA512:
tfm = crypto_alloc_shash("sha512", 0, 0);
break;
- case CRYPTO_SHASH_MD4:
- tfm = crypto_alloc_shash("md4", 0, 0);
- break;
- case CRYPTO_SHASH_MD5:
- tfm = crypto_alloc_shash("md5", 0, 0);
- break;
default:
return NULL;
}
@@ -214,16 +208,6 @@ struct ksmbd_crypto_ctx *ksmbd_crypto_ctx_find_sha512(void)
return ____crypto_shash_ctx_find(CRYPTO_SHASH_SHA512);
}
-struct ksmbd_crypto_ctx *ksmbd_crypto_ctx_find_md4(void)
-{
- return ____crypto_shash_ctx_find(CRYPTO_SHASH_MD4);
-}
-
-struct ksmbd_crypto_ctx *ksmbd_crypto_ctx_find_md5(void)
-{
- return ____crypto_shash_ctx_find(CRYPTO_SHASH_MD5);
-}
-
static struct ksmbd_crypto_ctx *____crypto_aead_ctx_find(int id)
{
struct ksmbd_crypto_ctx *ctx;
diff --git a/fs/ksmbd/crypto_ctx.h b/fs/ksmbd/crypto_ctx.h
index ef11154b43df..4a367c62f653 100644
--- a/fs/ksmbd/crypto_ctx.h
+++ b/fs/ksmbd/crypto_ctx.h
@@ -15,8 +15,6 @@ enum {
CRYPTO_SHASH_CMACAES,
CRYPTO_SHASH_SHA256,
CRYPTO_SHASH_SHA512,
- CRYPTO_SHASH_MD4,
- CRYPTO_SHASH_MD5,
CRYPTO_SHASH_MAX,
};
@@ -43,8 +41,6 @@ struct ksmbd_crypto_ctx {
#define CRYPTO_CMACAES(c) ((c)->desc[CRYPTO_SHASH_CMACAES])
#define CRYPTO_SHA256(c) ((c)->desc[CRYPTO_SHASH_SHA256])
#define CRYPTO_SHA512(c) ((c)->desc[CRYPTO_SHASH_SHA512])
-#define CRYPTO_MD4(c) ((c)->desc[CRYPTO_SHASH_MD4])
-#define CRYPTO_MD5(c) ((c)->desc[CRYPTO_SHASH_MD5])
#define CRYPTO_HMACMD5_TFM(c) ((c)->desc[CRYPTO_SHASH_HMACMD5]->tfm)
#define CRYPTO_HMACSHA256_TFM(c)\
@@ -52,8 +48,6 @@ struct ksmbd_crypto_ctx {
#define CRYPTO_CMACAES_TFM(c) ((c)->desc[CRYPTO_SHASH_CMACAES]->tfm)
#define CRYPTO_SHA256_TFM(c) ((c)->desc[CRYPTO_SHASH_SHA256]->tfm)
#define CRYPTO_SHA512_TFM(c) ((c)->desc[CRYPTO_SHASH_SHA512]->tfm)
-#define CRYPTO_MD4_TFM(c) ((c)->desc[CRYPTO_SHASH_MD4]->tfm)
-#define CRYPTO_MD5_TFM(c) ((c)->desc[CRYPTO_SHASH_MD5]->tfm)
#define CRYPTO_GCM(c) ((c)->ccmaes[CRYPTO_AEAD_AES_GCM])
#define CRYPTO_CCM(c) ((c)->ccmaes[CRYPTO_AEAD_AES_CCM])
@@ -64,8 +58,6 @@ struct ksmbd_crypto_ctx *ksmbd_crypto_ctx_find_hmacsha256(void);
struct ksmbd_crypto_ctx *ksmbd_crypto_ctx_find_cmacaes(void);
struct ksmbd_crypto_ctx *ksmbd_crypto_ctx_find_sha512(void);
struct ksmbd_crypto_ctx *ksmbd_crypto_ctx_find_sha256(void);
-struct ksmbd_crypto_ctx *ksmbd_crypto_ctx_find_md4(void);
-struct ksmbd_crypto_ctx *ksmbd_crypto_ctx_find_md5(void);
struct ksmbd_crypto_ctx *ksmbd_crypto_ctx_find_gcm(void);
struct ksmbd_crypto_ctx *ksmbd_crypto_ctx_find_ccm(void);
void ksmbd_crypto_destroy(void);
From patchwork Mon Nov 14 12:52:11 2022
X-Patchwork-Submitter: Jason Yan <yanaijie(a)huawei.com>
X-Patchwork-Id: 183319
From: Jason Yan <yanaijie(a)huawei.com>
To: <yanaijie(a)huawei.com>, <zhengzengkai(a)huawei.com>, <xiexiuqi(a)huawei.com>,
<yi.zhang(a)huawei.com>, <patchwork(a)huawei.com>, <kernel.openeuler(a)huawei.com>,
<houtao1(a)huawei.com>
Subject: [PATCH OLK-5.10 v2 222/308] ksmbd: use correct basic info level in
set_file_basic_info()
Date: Mon, 14 Nov 2022 20:52:11 +0800
Message-ID: <20221114125337.1831594-223-yanaijie(a)huawei.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20221114125337.1831594-1-yanaijie(a)huawei.com>
References: <20221114125337.1831594-1-yanaijie(a)huawei.com>
From: Namjae Jeon <linkinjeon(a)kernel.org>
mainline inclusion
from mainline-5.15-rc4
commit 88d300522cbb2827b679359e98cbadfb46e8226c
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G
CVE: NA
Reference: https://git.kernel.org/torvalds/linux/c/88d300522cbb
-------------------------------
Use correct basic info level in set/get_file_basic_info().
Reviewed-by: Ralph Boehme <slow(a)samba.org>
Signed-off-by: Namjae Jeon <linkinjeon(a)kernel.org>
Signed-off-by: Steve French <stfrench(a)microsoft.com>
Signed-off-by: Jason Yan <yanaijie(a)huawei.com>
---
fs/ksmbd/smb2pdu.c | 13 ++++++-------
fs/ksmbd/smb2pdu.h | 9 +++++++++
2 files changed, 15 insertions(+), 7 deletions(-)
diff --git a/fs/ksmbd/smb2pdu.c b/fs/ksmbd/smb2pdu.c
index f124482fcccd..f96aff7f54f4 100644
--- a/fs/ksmbd/smb2pdu.c
+++ b/fs/ksmbd/smb2pdu.c
@@ -4127,7 +4127,7 @@ static void get_file_access_info(struct smb2_query_info_rsp *rsp,
static int get_file_basic_info(struct smb2_query_info_rsp *rsp,
struct ksmbd_file *fp, void *rsp_org)
{
- struct smb2_file_all_info *basic_info;
+ struct smb2_file_basic_info *basic_info;
struct kstat stat;
u64 time;
@@ -4137,7 +4137,7 @@ static int get_file_basic_info(struct smb2_query_info_rsp *rsp,
return -EACCES;
}
- basic_info = (struct smb2_file_all_info *)rsp->Buffer;
+ basic_info = (struct smb2_file_basic_info *)rsp->Buffer;
generic_fillattr(file_inode(fp->filp), &stat);
basic_info->CreationTime = cpu_to_le64(fp->create_time);
time = ksmbd_UnixTimeToNT(stat.atime);
@@ -4149,9 +4149,8 @@ static int get_file_basic_info(struct smb2_query_info_rsp *rsp,
basic_info->Attributes = fp->f_ci->m_fattr;
basic_info->Pad1 = 0;
rsp->OutputBufferLength =
- cpu_to_le32(offsetof(struct smb2_file_all_info, AllocationSize));
- inc_rfc1001_len(rsp_org, offsetof(struct smb2_file_all_info,
- AllocationSize));
+ cpu_to_le32(sizeof(struct smb2_file_basic_info));
+ inc_rfc1001_len(rsp_org, sizeof(struct smb2_file_basic_info));
return 0;
}
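Review bot: the patch subject names only set_file_basic_info(), while this hunk changes the length that get_file_basic_info() reports in OutputBufferLength and inc_rfc1001_len(). The body does say "set/get", so please align the subject with it; it would also help to state in the message that sizeof(struct smb2_file_basic_info) equals the old offsetof(struct smb2_file_all_info, AllocationSize), so readers can see the wire length is unchanged.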
@@ -5367,7 +5366,7 @@ static int smb2_create_link(struct ksmbd_work *work,
static int set_file_basic_info(struct ksmbd_file *fp, char *buf,
struct ksmbd_share_config *share)
{
- struct smb2_file_all_info *file_info;
+ struct smb2_file_basic_info *file_info;
struct iattr attrs;
struct timespec64 ctime;
struct file *filp;
@@ -5377,7 +5376,7 @@ static int set_file_basic_info(struct ksmbd_file *fp, char *buf,
if (!(fp->daccess & FILE_WRITE_ATTRIBUTES_LE))
return -EACCES;
- file_info = (struct smb2_file_all_info *)buf;
+ file_info = (struct smb2_file_basic_info *)buf;
attrs.ia_valid = 0;
filp = fp->filp;
inode = file_inode(filp);
diff --git a/fs/ksmbd/smb2pdu.h b/fs/ksmbd/smb2pdu.h
index bcec845b03f3..261825d06391 100644
--- a/fs/ksmbd/smb2pdu.h
+++ b/fs/ksmbd/smb2pdu.h
@@ -1464,6 +1464,15 @@ struct smb2_file_all_info { /* data block encoding of response to level 18 */
char FileName[1];
} __packed; /* level 18 Query */
+struct smb2_file_basic_info { /* data block encoding of response to level 18 */
+ __le64 CreationTime; /* Beginning of FILE_BASIC_INFO equivalent */
+ __le64 LastAccessTime;
+ __le64 LastWriteTime;
+ __le64 ChangeTime;
+ __le32 Attributes;
+ __u32 Pad1; /* End of FILE_BASIC_INFO_INFO equivalent */
+} __packed;
+
struct smb2_file_alt_name_info {
__le32 FileNameLength;
char FileName[0];
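Review bot: the comment on the new struct smb2_file_basic_info, "data block encoding of response to level 18", is copied from smb2_file_all_info just above, which the context line marks as "level 18 Query". FileBasicInformation is information class 4, so the comment should say that, and "FILE_BASIC_INFO_INFO" on the Pad1 line should read FILE_BASIC_INFO.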
From patchwork Mon Nov 14 12:52:12 2022
X-Patchwork-Submitter: Jason Yan <yanaijie(a)huawei.com>
X-Patchwork-Id: 183320
From: Jason Yan <yanaijie(a)huawei.com>
To: <yanaijie(a)huawei.com>, <zhengzengkai(a)huawei.com>, <xiexiuqi(a)huawei.com>,
<yi.zhang(a)huawei.com>, <patchwork(a)huawei.com>, <kernel.openeuler(a)huawei.com>,
<houtao1(a)huawei.com>
Subject: [PATCH OLK-5.10 v2 223/308] ksmbd: add request buffer validation in
smb2_set_info
Date: Mon, 14 Nov 2022 20:52:12 +0800
Message-ID: <20221114125337.1831594-224-yanaijie(a)huawei.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20221114125337.1831594-1-yanaijie(a)huawei.com>
References: <20221114125337.1831594-1-yanaijie(a)huawei.com>
From: Namjae Jeon <linkinjeon(a)kernel.org>
mainline inclusion
from mainline-5.15-rc4
commit 9496e268e3af78a92778bf635488a8ec2dca8996
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G
CVE: NA
Reference: https://git.kernel.org/torvalds/linux/c/9496e268e3af
-------------------------------
Add buffer validation in smb2_set_info, and remove the unused variable
in set_file_basic_info. The smb2_set_info infolevel functions take a
structure pointer argument.
Cc: Tom Talpey <tom(a)talpey.com>
Cc: Ronnie Sahlberg <ronniesahlberg(a)gmail.com>
Cc: Ralph Böhme <slow(a)samba.org>
Cc: Sergey Senozhatsky <senozhatsky(a)chromium.org>
Acked-by: Hyunchul Lee <hyc.lee(a)gmail.com>
Reviewed-by: Ralph Boehme <slow(a)samba.org>
Signed-off-by: Namjae Jeon <linkinjeon(a)kernel.org>
Signed-off-by: Steve French <stfrench(a)microsoft.com>
Signed-off-by: Jason Yan <yanaijie(a)huawei.com>
---
fs/ksmbd/smb2pdu.c | 149 ++++++++++++++++++++++++++++++++-------------
1 file changed, 107 insertions(+), 42 deletions(-)
diff --git a/fs/ksmbd/smb2pdu.c b/fs/ksmbd/smb2pdu.c
index f96aff7f54f4..7ce7fa898a42 100644
--- a/fs/ksmbd/smb2pdu.c
+++ b/fs/ksmbd/smb2pdu.c
@@ -2102,15 +2102,21 @@ static noinline int create_smb2_pipe(struct ksmbd_work *work)
* smb2_set_ea() - handler for setting extended attributes using set
* info command
* @eabuf: set info command buffer
+ * @buf_len: set info command buffer length
* @path: dentry path for get ea
*
* Return: 0 on success, otherwise error
*/
-static int smb2_set_ea(struct smb2_ea_info *eabuf, struct path *path)
+static int smb2_set_ea(struct smb2_ea_info *eabuf, unsigned int buf_len,
+ struct path *path)
{
char *attr_name = NULL, *value;
int rc = 0;
- int next = 0;
+ unsigned int next = 0;
+
+ if (buf_len < sizeof(struct smb2_ea_info) + eabuf->EaNameLength +
+ le16_to_cpu(eabuf->EaValueLength))
+ return -EINVAL;
attr_name = kmalloc(XATTR_NAME_MAX + 1, GFP_KERNEL);
if (!attr_name)
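Review bot: the new length check at the top of smb2_set_ea() reads eabuf->EaNameLength and eabuf->EaValueLength before anything in this function has established that buf_len covers sizeof(struct smb2_ea_info). The callers changed later in this patch do that check first, but the precondition is not stated anywhere; either say so in the new @buf_len kernel-doc line or test buf_len < sizeof(struct smb2_ea_info) here before touching the fields.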
@@ -2172,7 +2178,13 @@ static int smb2_set_ea(struct smb2_ea_info *eabuf, struct path *path)
next:
next = le32_to_cpu(eabuf->NextEntryOffset);
+ if (next == 0 || buf_len < next)
+ break;
+ buf_len -= next;
eabuf = (struct smb2_ea_info *)((char *)eabuf + next);
+ if (next < (u32)eabuf->EaNameLength + le16_to_cpu(eabuf->EaValueLength))
+ break;
+
} while (next != 0);
kfree(attr_name);
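Review bot: the check added after advancing eabuf compares the new entry's EaNameLength + EaValueLength against next, the offset of the previous entry, instead of against the remaining buf_len, and it leaves out sizeof(struct smb2_ea_info). It also reads the new entry's fields before confirming that the remaining buf_len still covers a header: when next == buf_len the test buf_len < next passes, buf_len becomes 0, and eabuf->EaNameLength is read past the end. Suggest re-running the same test used at function entry on the reduced buf_len after the advance, and setting rc = -EINVAL before break so a truncated chain is not silently accepted.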
@@ -2738,7 +2750,15 @@ int smb2_open(struct ksmbd_work *work)
created = true;
if (ea_buf) {
- rc = smb2_set_ea(&ea_buf->ea, &path);
+ if (le32_to_cpu(ea_buf->ccontext.DataLength) <
+ sizeof(struct smb2_ea_info)) {
+ rc = -EINVAL;
+ goto err_out;
+ }
+
+ rc = smb2_set_ea(&ea_buf->ea,
+ le32_to_cpu(ea_buf->ccontext.DataLength),
+ &path);
if (rc == -EOPNOTSUPP)
rc = 0;
else if (rc)
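Review bot: the DataLength check in smb2_open() runs after created = true, so a request with a short EA create context is rejected only once the file already exists and then relies on err_out to clean up. Consider validating ea_buf->ccontext.DataLength at the point where the EA context is looked up, so a malformed request fails before anything is created.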
@@ -5296,7 +5316,7 @@ static int smb2_rename(struct ksmbd_work *work, struct ksmbd_file *fp,
static int smb2_create_link(struct ksmbd_work *work,
struct ksmbd_share_config *share,
struct smb2_file_link_info *file_info,
- struct file *filp,
+ unsigned int buf_len, struct file *filp,
struct nls_table *local_nls)
{
char *link_name = NULL, *target_name = NULL, *pathname = NULL;
@@ -5304,6 +5324,10 @@ static int smb2_create_link(struct ksmbd_work *work,
bool file_present = true;
int rc;
+ if (buf_len < (u64)sizeof(struct smb2_file_link_info) +
+ le32_to_cpu(file_info->FileNameLength))
+ return -EINVAL;
+
ksmbd_debug(SMB, "setting FILE_LINK_INFORMATION\n");
pathname = kmalloc(PATH_MAX, GFP_KERNEL);
if (!pathname)
@@ -5363,10 +5387,10 @@ static int smb2_create_link(struct ksmbd_work *work,
return rc;
}
-static int set_file_basic_info(struct ksmbd_file *fp, char *buf,
+static int set_file_basic_info(struct ksmbd_file *fp,
+ struct smb2_file_basic_info *file_info,
struct ksmbd_share_config *share)
{
- struct smb2_file_basic_info *file_info;
struct iattr attrs;
struct timespec64 ctime;
struct file *filp;
@@ -5376,7 +5400,6 @@ static int set_file_basic_info(struct ksmbd_file *fp, char *buf,
if (!(fp->daccess & FILE_WRITE_ATTRIBUTES_LE))
return -EACCES;
- file_info = (struct smb2_file_basic_info *)buf;
attrs.ia_valid = 0;
filp = fp->filp;
inode = file_inode(filp);
@@ -5451,7 +5474,8 @@ static int set_file_basic_info(struct ksmbd_file *fp, char *buf,
}
static int set_file_allocation_info(struct ksmbd_work *work,
- struct ksmbd_file *fp, char *buf)
+ struct ksmbd_file *fp,
+ struct smb2_file_alloc_info *file_alloc_info)
{
/*
* TODO : It's working fine only when store dos attributes
@@ -5459,7 +5483,6 @@ static int set_file_allocation_info(struct ksmbd_work *work,
* properly with any smb.conf option
*/
- struct smb2_file_alloc_info *file_alloc_info;
loff_t alloc_blks;
struct inode *inode;
int rc;
@@ -5467,7 +5490,6 @@ static int set_file_allocation_info(struct ksmbd_work *work,
if (!(fp->daccess & FILE_WRITE_DATA_LE))
return -EACCES;
- file_alloc_info = (struct smb2_file_alloc_info *)buf;
alloc_blks = (le64_to_cpu(file_alloc_info->AllocationSize) + 511) >> 9;
inode = file_inode(fp->filp);
@@ -5503,9 +5525,8 @@ static int set_file_allocation_info(struct ksmbd_work *work,
}
static int set_end_of_file_info(struct ksmbd_work *work, struct ksmbd_file *fp,
- char *buf)
+ struct smb2_file_eof_info *file_eof_info)
{
- struct smb2_file_eof_info *file_eof_info;
loff_t newsize;
struct inode *inode;
int rc;
@@ -5513,7 +5534,6 @@ static int set_end_of_file_info(struct ksmbd_work *work, struct ksmbd_file *fp,
if (!(fp->daccess & FILE_WRITE_DATA_LE))
return -EACCES;
- file_eof_info = (struct smb2_file_eof_info *)buf;
newsize = le64_to_cpu(file_eof_info->EndOfFile);
inode = file_inode(fp->filp);
@@ -5540,7 +5560,8 @@ static int set_end_of_file_info(struct ksmbd_work *work, struct ksmbd_file *fp,
}
static int set_rename_info(struct ksmbd_work *work, struct ksmbd_file *fp,
- char *buf)
+ struct smb2_file_rename_info *rename_info,
+ unsigned int buf_len)
{
struct ksmbd_file *parent_fp;
struct dentry *parent;
@@ -5552,6 +5573,10 @@ static int set_rename_info(struct ksmbd_work *work, struct ksmbd_file *fp,
return -EACCES;
}
+ if (buf_len < (u64)sizeof(struct smb2_file_rename_info) +
+ le32_to_cpu(rename_info->FileNameLength))
+ return -EINVAL;
+
if (ksmbd_stream_fd(fp))
goto next;
@@ -5573,14 +5598,13 @@ static int set_rename_info(struct ksmbd_work *work, struct ksmbd_file *fp,
}
}
next:
- return smb2_rename(work, fp,
- (struct smb2_file_rename_info *)buf,
+ return smb2_rename(work, fp, rename_info,
work->sess->conn->local_nls);
}
-static int set_file_disposition_info(struct ksmbd_file *fp, char *buf)
+static int set_file_disposition_info(struct ksmbd_file *fp,
+ struct smb2_file_disposition_info *file_info)
{
- struct smb2_file_disposition_info *file_info;
struct inode *inode;
if (!(fp->daccess & FILE_DELETE_LE)) {
@@ -5589,7 +5613,6 @@ static int set_file_disposition_info(struct ksmbd_file *fp, char *buf)
}
inode = file_inode(fp->filp);
- file_info = (struct smb2_file_disposition_info *)buf;
if (file_info->DeletePending) {
if (S_ISDIR(inode->i_mode) &&
ksmbd_vfs_empty_dir(fp) == -ENOTEMPTY)
@@ -5601,15 +5624,14 @@ static int set_file_disposition_info(struct ksmbd_file *fp, char *buf)
return 0;
}
-static int set_file_position_info(struct ksmbd_file *fp, char *buf)
+static int set_file_position_info(struct ksmbd_file *fp,
+ struct smb2_file_pos_info *file_info)
{
- struct smb2_file_pos_info *file_info;
loff_t current_byte_offset;
unsigned long sector_size;
struct inode *inode;
inode = file_inode(fp->filp);
- file_info = (struct smb2_file_pos_info *)buf;
current_byte_offset = le64_to_cpu(file_info->CurrentByteOffset);
sector_size = inode->i_sb->s_blocksize;
@@ -5625,12 +5647,11 @@ static int set_file_position_info(struct ksmbd_file *fp, char *buf)
return 0;
}
-static int set_file_mode_info(struct ksmbd_file *fp, char *buf)
+static int set_file_mode_info(struct ksmbd_file *fp,
+ struct smb2_file_mode_info *file_info)
{
- struct smb2_file_mode_info *file_info;
__le32 mode;
- file_info = (struct smb2_file_mode_info *)buf;
mode = file_info->Mode;
if ((mode & ~FILE_MODE_INFO_MASK) ||
@@ -5660,40 +5681,74 @@ static int set_file_mode_info(struct ksmbd_file *fp, char *buf)
* TODO: need to implement an error handling for STATUS_INFO_LENGTH_MISMATCH
*/
static int smb2_set_info_file(struct ksmbd_work *work, struct ksmbd_file *fp,
- int info_class, char *buf,
+ struct smb2_set_info_req *req,
struct ksmbd_share_config *share)
{
- switch (info_class) {
+ unsigned int buf_len = le32_to_cpu(req->BufferLength);
+
+ switch (req->FileInfoClass) {
case FILE_BASIC_INFORMATION:
- return set_file_basic_info(fp, buf, share);
+ {
+ if (buf_len < sizeof(struct smb2_file_basic_info))
+ return -EINVAL;
+ return set_file_basic_info(fp, (struct smb2_file_basic_info *)req->Buffer, share);
+ }
case FILE_ALLOCATION_INFORMATION:
- return set_file_allocation_info(work, fp, buf);
+ {
+ if (buf_len < sizeof(struct smb2_file_alloc_info))
+ return -EINVAL;
+ return set_file_allocation_info(work, fp,
+ (struct smb2_file_alloc_info *)req->Buffer);
+ }
case FILE_END_OF_FILE_INFORMATION:
- return set_end_of_file_info(work, fp, buf);
+ {
+ if (buf_len < sizeof(struct smb2_file_eof_info))
+ return -EINVAL;
+ return set_end_of_file_info(work, fp,
+ (struct smb2_file_eof_info *)req->Buffer);
+ }
case FILE_RENAME_INFORMATION:
+ {
if (!test_tree_conn_flag(work->tcon, KSMBD_TREE_CONN_FLAG_WRITABLE)) {
ksmbd_debug(SMB,
"User does not have write permission\n");
return -EACCES;
}
- return set_rename_info(work, fp, buf);
+ if (buf_len < sizeof(struct smb2_file_rename_info))
+ return -EINVAL;
+
+ return set_rename_info(work, fp,
+ (struct smb2_file_rename_info *)req->Buffer,
+ buf_len);
+ }
case FILE_LINK_INFORMATION:
+ {
+ if (buf_len < sizeof(struct smb2_file_link_info))
+ return -EINVAL;
+
return smb2_create_link(work, work->tcon->share_conf,
- (struct smb2_file_link_info *)buf, fp->filp,
+ (struct smb2_file_link_info *)req->Buffer,
+ buf_len, fp->filp,
work->sess->conn->local_nls);
-
+ }
case FILE_DISPOSITION_INFORMATION:
+ {
if (!test_tree_conn_flag(work->tcon, KSMBD_TREE_CONN_FLAG_WRITABLE)) {
ksmbd_debug(SMB,
"User does not have write permission\n");
return -EACCES;
}
- return set_file_disposition_info(fp, buf);
+ if (buf_len < sizeof(struct smb2_file_disposition_info))
+ return -EINVAL;
+
+ return set_file_disposition_info(fp,
+ (struct smb2_file_disposition_info *)req->Buffer);
+ }
case FILE_FULL_EA_INFORMATION:
{
if (!(fp->daccess & FILE_WRITE_EA_LE)) {
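Review bot: buf_len in smb2_set_info_file() is taken directly from req->BufferLength and compared only with the structure sizes, while every handler reads from req->Buffer. Nothing in this hunk ties BufferLength to the number of bytes actually received or checks that BufferOffset points at Buffer, so unless that is enforced before this function is reached the new checks can be satisfied by a client that simply claims a large BufferLength. The comment above the function still carries a TODO for STATUS_INFO_LENGTH_MISMATCH; since these checks are exactly that case, it would be worth mapping the new -EINVAL returns to that status, or updating the TODO. The braces added around case bodies that declare nothing can be dropped.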
@@ -5702,18 +5757,29 @@ static int smb2_set_info_file(struct ksmbd_work *work, struct ksmbd_file *fp,
return -EACCES;
}
- return smb2_set_ea((struct smb2_ea_info *)buf,
- &fp->filp->f_path);
- }
+ if (buf_len < sizeof(struct smb2_ea_info))
+ return -EINVAL;
+ return smb2_set_ea((struct smb2_ea_info *)req->Buffer,
+ buf_len, &fp->filp->f_path);
+ }
case FILE_POSITION_INFORMATION:
- return set_file_position_info(fp, buf);
+ {
+ if (buf_len < sizeof(struct smb2_file_pos_info))
+ return -EINVAL;
+ return set_file_position_info(fp, (struct smb2_file_pos_info *)req->Buffer);
+ }
case FILE_MODE_INFORMATION:
- return set_file_mode_info(fp, buf);
+ {
+ if (buf_len < sizeof(struct smb2_file_mode_info))
+ return -EINVAL;
+
+ return set_file_mode_info(fp, (struct smb2_file_mode_info *)req->Buffer);
+ }
}
- pr_err("Unimplemented Fileinfoclass :%d\n", info_class);
+ pr_err("Unimplemented Fileinfoclass :%d\n", req->FileInfoClass);
return -EOPNOTSUPP;
}
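Review bot: the pr_err("Unimplemented Fileinfoclass ...") at the end of this hunk prints a value chosen by the client and is reachable by any client that sends an information class the switch does not handle, so it can be used to flood the kernel log. Since the line is being touched anyway, consider ksmbd_debug() or pr_err_ratelimited() here.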
@@ -5774,8 +5840,7 @@ int smb2_set_info(struct ksmbd_work *work)
switch (req->InfoType) {
case SMB2_O_INFO_FILE:
ksmbd_debug(SMB, "GOT SMB2_O_INFO_FILE\n");
- rc = smb2_set_info_file(work, fp, req->FileInfoClass,
- req->Buffer, work->tcon->share_conf);
+ rc = smb2_set_info_file(work, fp, req, work->tcon->share_conf);
break;
case SMB2_O_INFO_SECURITY:
ksmbd_debug(SMB, "GOT SMB2_O_INFO_SECURITY\n");
From patchwork Mon Nov 14 12:52:13 2022
X-Patchwork-Submitter: Jason Yan <yanaijie(a)huawei.com>
X-Patchwork-Id: 183321
From: Jason Yan <yanaijie(a)huawei.com>
To: <yanaijie(a)huawei.com>, <zhengzengkai(a)huawei.com>, <xiexiuqi(a)huawei.com>,
<yi.zhang(a)huawei.com>, <patchwork(a)huawei.com>, <kernel.openeuler(a)huawei.com>,
<houtao1(a)huawei.com>
Subject: [PATCH OLK-5.10 v2 224/308] ksmbd: add validation in smb2 negotiate
Date: Mon, 14 Nov 2022 20:52:13 +0800
Message-ID: <20221114125337.1831594-225-yanaijie(a)huawei.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20221114125337.1831594-1-yanaijie(a)huawei.com>
References: <20221114125337.1831594-1-yanaijie(a)huawei.com>
From: Namjae Jeon <linkinjeon(a)kernel.org>
mainline inclusion
from mainline-5.15-rc4
commit 442ff9ebeb0129e90483356f3d79c732e632a7a6
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G
CVE: NA
Reference: https://git.kernel.org/torvalds/linux/c/442ff9ebeb01
-------------------------------
This patch adds validation to check the request buffer in smb2
negotiate and fixes a null pointer dereferencing oops in smb3_preauth_hash_rsp()
that was found in manual testing.
Cc: Tom Talpey <tom(a)talpey.com>
Cc: Ronnie Sahlberg <ronniesahlberg(a)gmail.com>
Cc: Ralph Böhme <slow(a)samba.org>
Cc: Hyunchul Lee <hyc.lee(a)gmail.com>
Cc: Sergey Senozhatsky <senozhatsky(a)chromium.org>
Reviewed-by: Ralph Boehme <slow(a)samba.org>
Signed-off-by: Namjae Jeon <linkinjeon(a)kernel.org>
Signed-off-by: Steve French <stfrench(a)microsoft.com>
Signed-off-by: Jason Yan <yanaijie(a)huawei.com>
---
fs/ksmbd/smb2pdu.c | 42 +++++++++++++++++++++++++++++++++++++++++-
fs/ksmbd/smb_common.c | 32 +++++++++++++++++++++++++++-----
2 files changed, 68 insertions(+), 6 deletions(-)
diff --git a/fs/ksmbd/smb2pdu.c b/fs/ksmbd/smb2pdu.c
index 7ce7fa898a42..00dcd10a9d69 100644
--- a/fs/ksmbd/smb2pdu.c
+++ b/fs/ksmbd/smb2pdu.c
@@ -1067,6 +1067,7 @@ int smb2_handle_negotiate(struct ksmbd_work *work)
struct smb2_negotiate_req *req = work->request_buf;
struct smb2_negotiate_rsp *rsp = work->response_buf;
int rc = 0;
+ unsigned int smb2_buf_len, smb2_neg_size;
__le32 status;
ksmbd_debug(SMB, "Received negotiate request\n");
@@ -1084,6 +1085,44 @@ int smb2_handle_negotiate(struct ksmbd_work *work)
goto err_out;
}
+ smb2_buf_len = get_rfc1002_len(work->request_buf);
+ smb2_neg_size = offsetof(struct smb2_negotiate_req, Dialects) - 4;
+ if (smb2_neg_size > smb2_buf_len) {
+ rsp->hdr.Status = STATUS_INVALID_PARAMETER;
+ rc = -EINVAL;
+ goto err_out;
+ }
+
+ if (conn->dialect == SMB311_PROT_ID) {
+ unsigned int nego_ctxt_off = le32_to_cpu(req->NegotiateContextOffset);
+
+ if (smb2_buf_len < nego_ctxt_off) {
+ rsp->hdr.Status = STATUS_INVALID_PARAMETER;
+ rc = -EINVAL;
+ goto err_out;
+ }
+
+ if (smb2_neg_size > nego_ctxt_off) {
+ rsp->hdr.Status = STATUS_INVALID_PARAMETER;
+ rc = -EINVAL;
+ goto err_out;
+ }
+
+ if (smb2_neg_size + le16_to_cpu(req->DialectCount) * sizeof(__le16) >
+ nego_ctxt_off) {
+ rsp->hdr.Status = STATUS_INVALID_PARAMETER;
+ rc = -EINVAL;
+ goto err_out;
+ }
+ } else {
+ if (smb2_neg_size + le16_to_cpu(req->DialectCount) * sizeof(__le16) >
+ smb2_buf_len) {
+ rsp->hdr.Status = STATUS_INVALID_PARAMETER;
+ rc = -EINVAL;
+ goto err_out;
+ }
+ }
+
conn->cli_cap = le32_to_cpu(req->Capabilities);
switch (conn->dialect) {
case SMB311_PROT_ID:
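Review bot: the middle SMB 3.1.1 check, `smb2_neg_size > nego_ctxt_off`, is redundant. The check right after it, `smb2_neg_size + le16_to_cpu(req->DialectCount) * sizeof(__le16) > nego_ctxt_off`, already rejects every offset the middle one rejects, so it can be dropped. The `- 4` in the `smb2_neg_size` computation is an unexplained constant; a short comment or a named constant should say which 4 bytes are subtracted so the value is comparable with `get_rfc1002_len()`. The same three-line error exit appears four times in this hunk and could be folded into one combined condition per branch.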
@@ -8190,7 +8229,8 @@ void smb3_preauth_hash_rsp(struct ksmbd_work *work)
WORK_BUFFERS(work, req, rsp);
- if (le16_to_cpu(req->Command) == SMB2_NEGOTIATE_HE)
+ if (le16_to_cpu(req->Command) == SMB2_NEGOTIATE_HE &&
+ conn->preauth_info)
ksmbd_gen_preauth_integrity_hash(conn, (char *)rsp,
conn->preauth_info->Preauth_HashValue);
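Review bot: the added `conn->preauth_info` test makes the negotiate branch skip the hash update silently, and nothing in the hunk says when the pointer can be NULL on a negotiate response. A one-line comment naming that case would keep a later cleanup from removing the guard as dead code, and a `ksmbd_debug()` on the skipped path would make the condition visible when it happens.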
diff --git a/fs/ksmbd/smb_common.c b/fs/ksmbd/smb_common.c
index 98c22a3abf92..02f17d5b8656 100644
--- a/fs/ksmbd/smb_common.c
+++ b/fs/ksmbd/smb_common.c
@@ -169,10 +169,12 @@ static bool supported_protocol(int idx)
idx <= server_conf.max_protocol);
}
-static char *next_dialect(char *dialect, int *next_off)
+static char *next_dialect(char *dialect, int *next_off, int bcount)
{
dialect = dialect + *next_off;
- *next_off = strlen(dialect);
+ *next_off = strnlen(dialect, bcount);
+ if (dialect[*next_off] != '\0')
+ return NULL;
return dialect;
}
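Review bot: in `next_dialect()`, when `strnlen(dialect, bcount)` finds no terminator it returns `bcount`, and the following `dialect[*next_off]` then reads the byte at index `bcount`, one past the range that was just bounded. Testing `*next_off == bcount` instead of dereferencing avoids that read. Also, `dialect` has already been advanced by the previous `*next_off` before `strnlen()` runs, so `bcount` is only a correct bound if the caller passes the bytes remaining from that position rather than the total ByteCount; the new parameter needs a comment saying which it is.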
@@ -187,7 +189,9 @@ static int ksmbd_lookup_dialect_by_name(char *cli_dialects, __le16 byte_count)
dialect = cli_dialects;
bcount = le16_to_cpu(byte_count);
do {
- dialect = next_dialect(dialect, &next);
+ dialect = next_dialect(dialect, &next, bcount);
+ if (!dialect)
+ break;
ksmbd_debug(SMB, "client requested dialect %s\n",
dialect);
if (!strcmp(dialect, smb1_protos[i].name)) {
@@ -235,13 +239,22 @@ int ksmbd_lookup_dialect_by_id(__le16 *cli_dialects, __le16 dialects_count)
static int ksmbd_negotiate_smb_dialect(void *buf)
{
- __le32 proto;
+ int smb_buf_length = get_rfc1002_len(buf);
+ __le32 proto = ((struct smb2_hdr *)buf)->ProtocolId;
- proto = ((struct smb2_hdr *)buf)->ProtocolId;
if (proto == SMB2_PROTO_NUMBER) {
struct smb2_negotiate_req *req;
+ int smb2_neg_size =
+ offsetof(struct smb2_negotiate_req, Dialects) - 4;
req = (struct smb2_negotiate_req *)buf;
+ if (smb2_neg_size > smb_buf_length)
+ goto err_out;
+
+ if (smb2_neg_size + le16_to_cpu(req->DialectCount) * sizeof(__le16) >
+ smb_buf_length)
+ goto err_out;
+
return ksmbd_lookup_dialect_by_id(req->Dialects,
req->DialectCount);
}
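Review bot: `smb_buf_length` and `smb2_neg_size` are declared `int` here while the same quantities in `smb2_handle_negotiate()` are `unsigned int`. The second comparison contains `sizeof(__le16)`, so it is carried out unsigned anyway; declaring both as `unsigned int` would match the other file and make that explicit. The first check, `smb2_neg_size > smb_buf_length`, is implied by the second and can be dropped. `ProtocolId` is also now read in the initializer before any length check, which is safe only if the caller guarantees a full header; that assumption is worth a comment.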
@@ -251,10 +264,19 @@ static int ksmbd_negotiate_smb_dialect(void *buf)
struct smb_negotiate_req *req;
req = (struct smb_negotiate_req *)buf;
+ if (le16_to_cpu(req->ByteCount) < 2)
+ goto err_out;
+
+ if (offsetof(struct smb_negotiate_req, DialectsArray) - 4 +
+ le16_to_cpu(req->ByteCount) > smb_buf_length) {
+ goto err_out;
+ }
+
return ksmbd_lookup_dialect_by_name(req->DialectsArray,
req->ByteCount);
}
+err_out:
return BAD_PROT_ID;
}
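Review bot: the `le16_to_cpu(req->ByteCount) < 2` test uses a bare constant with no explanation of why two bytes is the minimum dialect payload; please add a comment. The second check in this hunk wraps a single `goto err_out;` in braces while the SMB2 checks added just above do not, so the braces should go for consistency.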
From patchwork Mon Nov 14 12:52:14 2022
X-Patchwork-Submitter: Jason Yan <yanaijie(a)huawei.com>
X-Patchwork-Id: 183322
From: Jason Yan <yanaijie(a)huawei.com>
To: <yanaijie(a)huawei.com>, <zhengzengkai(a)huawei.com>, <xiexiuqi(a)huawei.com>,
<yi.zhang(a)huawei.com>, <patchwork(a)huawei.com>, <kernel.openeuler(a)huawei.com>,
<houtao1(a)huawei.com>
Subject: [PATCH OLK-5.10 v2 225/308] ksmbd: add buffer validation for
SMB2_CREATE_CONTEXT
Date: Mon, 14 Nov 2022 20:52:14 +0800
Message-ID: <20221114125337.1831594-226-yanaijie(a)huawei.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20221114125337.1831594-1-yanaijie(a)huawei.com>
References: <20221114125337.1831594-1-yanaijie(a)huawei.com>
From: Hyunchul Lee <hyc.lee(a)gmail.com>
mainline inclusion
from mainline-5.15-rc4
commit 8f77150c15f87796570125a43509f9a81a3d9e49
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G
CVE: NA
Reference: https://git.kernel.org/torvalds/linux/c/8f77150c15f8
-------------------------------
Add buffer validation for SMB2_CREATE_CONTEXT.
Cc: Ronnie Sahlberg <ronniesahlberg(a)gmail.com>
Reviewed-by: Ralph Boehme <slow(a)samba.org>
Signed-off-by: Hyunchul Lee <hyc.lee(a)gmail.com>
Signed-off-by: Namjae Jeon <linkinjeon(a)kernel.org>
Signed-off-by: Steve French <stfrench(a)microsoft.com>
Signed-off-by: Jason Yan <yanaijie(a)huawei.com>
---
fs/ksmbd/oplock.c | 41 +++++++++++++++++++++++++++++++----------
fs/ksmbd/smb2pdu.c | 25 ++++++++++++++++++++++++-
fs/ksmbd/smbacl.c | 21 +++++++++++++++++++--
3 files changed, 74 insertions(+), 13 deletions(-)
diff --git a/fs/ksmbd/oplock.c b/fs/ksmbd/oplock.c
index 8bb62aae6e32..95e8c53a5cf3 100644
--- a/fs/ksmbd/oplock.c
+++ b/fs/ksmbd/oplock.c
@@ -1451,26 +1451,47 @@ struct lease_ctx_info *parse_lease_state(void *open_req)
*/
struct create_context *smb2_find_context_vals(void *open_req, const char *tag)
{
- char *data_offset;
struct create_context *cc;
unsigned int next = 0;
char *name;
struct smb2_create_req *req = (struct smb2_create_req *)open_req;
+ unsigned int remain_len, name_off, name_len, value_off, value_len,
+ cc_len;
- data_offset = (char *)req + 4 + le32_to_cpu(req->CreateContextsOffset);
- cc = (struct create_context *)data_offset;
+ /*
+ * CreateContextsOffset and CreateContextsLength are guaranteed to
+ * be valid because of ksmbd_smb2_check_message().
+ */
+ cc = (struct create_context *)((char *)req + 4 +
+ le32_to_cpu(req->CreateContextsOffset));
+ remain_len = le32_to_cpu(req->CreateContextsLength);
do {
- int val;
-
cc = (struct create_context *)((char *)cc + next);
- name = le16_to_cpu(cc->NameOffset) + (char *)cc;
- val = le16_to_cpu(cc->NameLength);
- if (val < 4)
+ if (remain_len < offsetof(struct create_context, Buffer))
return ERR_PTR(-EINVAL);
- if (memcmp(name, tag, val) == 0)
- return cc;
next = le32_to_cpu(cc->Next);
+ name_off = le16_to_cpu(cc->NameOffset);
+ name_len = le16_to_cpu(cc->NameLength);
+ value_off = le16_to_cpu(cc->DataOffset);
+ value_len = le32_to_cpu(cc->DataLength);
+ cc_len = next ? next : remain_len;
+
+ if ((next & 0x7) != 0 ||
+ next > remain_len ||
+ name_off != offsetof(struct create_context, Buffer) ||
+ name_len < 4 ||
+ name_off + name_len > cc_len ||
+ (value_off & 0x7) != 0 ||
+ (value_off && (value_off < name_off + name_len)) ||
+ ((u64)value_off + value_len > cc_len))
+ return ERR_PTR(-EINVAL);
+
+ name = (char *)cc + name_off;
+ if (memcmp(name, tag, name_len) == 0)
+ return cc;
+
+ remain_len -= next;
} while (next != 0);
return NULL;
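Review bot: `memcmp(name, tag, name_len)` takes its length from the request, and `name_len` is bounded only from below (`name_len < 4`) and against `cc_len`, so a context carrying a longer name lets `memcmp()` read up to `name_len` bytes from `tag`, past the end of the caller's tag string. Passing the tag length in and requiring `name_len` to equal it before comparing closes that. The new comment also relies on `ksmbd_smb2_check_message()` having validated `CreateContextsOffset` and `CreateContextsLength`, which this patch does not show; since that guarantee is what makes the first `cc` dereference safe, the comment should point at where it is enforced.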
diff --git a/fs/ksmbd/smb2pdu.c b/fs/ksmbd/smb2pdu.c
index 00dcd10a9d69..67a14c2a1262 100644
--- a/fs/ksmbd/smb2pdu.c
+++ b/fs/ksmbd/smb2pdu.c
@@ -2417,6 +2417,10 @@ static int smb2_create_sd_buffer(struct ksmbd_work *work,
ksmbd_debug(SMB,
"Set ACLs using SMB2_CREATE_SD_BUFFER context\n");
sd_buf = (struct create_sd_buf_req *)context;
+ if (le16_to_cpu(context->DataOffset) +
+ le32_to_cpu(context->DataLength) <
+ sizeof(struct create_sd_buf_req))
+ return -EINVAL;
return set_info_sec(work->conn, work->tcon, path, &sd_buf->ntsd,
le32_to_cpu(sd_buf->ccontext.DataLength), true);
}
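Review bot: the new test bounds the sum `DataOffset + DataLength`, but the call below it uses the fixed struct layout: it passes `&sd_buf->ntsd` together with `le32_to_cpu(sd_buf->ccontext.DataLength)`. Those agree only when `DataOffset` equals the offset of `ntsd` inside `struct create_sd_buf_req`; a smaller `DataOffset` passes this test yet makes the length extend past the validated data area. Checking `DataOffset` against that offset would make the two consistent. The same lower-bound comparison is open-coded again in the three `smb2_open()` hunks that follow with only the struct name changing, so a small helper taking the context and the expected size would keep the four sites from drifting apart.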
@@ -2605,6 +2609,12 @@ int smb2_open(struct ksmbd_work *work)
goto err_out1;
} else if (context) {
ea_buf = (struct create_ea_buf_req *)context;
+ if (le16_to_cpu(context->DataOffset) +
+ le32_to_cpu(context->DataLength) <
+ sizeof(struct create_ea_buf_req)) {
+ rc = -EINVAL;
+ goto err_out1;
+ }
if (req->CreateOptions & FILE_NO_EA_KNOWLEDGE_LE) {
rsp->hdr.Status = STATUS_ACCESS_DENIED;
rc = -EACCES;
@@ -2643,6 +2653,12 @@ int smb2_open(struct ksmbd_work *work)
} else if (context) {
struct create_posix *posix =
(struct create_posix *)context;
+ if (le16_to_cpu(context->DataOffset) +
+ le32_to_cpu(context->DataLength) <
+ sizeof(struct create_posix)) {
+ rc = -EINVAL;
+ goto err_out1;
+ }
ksmbd_debug(SMB, "get posix context\n");
posix_mode = le32_to_cpu(posix->Mode);
@@ -3023,9 +3039,16 @@ int smb2_open(struct ksmbd_work *work)
rc = PTR_ERR(az_req);
goto err_out;
} else if (az_req) {
- loff_t alloc_size = le64_to_cpu(az_req->AllocationSize);
+ loff_t alloc_size;
int err;
+ if (le16_to_cpu(az_req->ccontext.DataOffset) +
+ le32_to_cpu(az_req->ccontext.DataLength) <
+ sizeof(struct create_alloc_size_req)) {
+ rc = -EINVAL;
+ goto err_out;
+ }
+ alloc_size = le64_to_cpu(az_req->AllocationSize);
ksmbd_debug(SMB,
"request smb2 create allocate size : %llu\n",
alloc_size);
diff --git a/fs/ksmbd/smbacl.c b/fs/ksmbd/smbacl.c
index 321676a74b48..40a1e7bc9f16 100644
--- a/fs/ksmbd/smbacl.c
+++ b/fs/ksmbd/smbacl.c
@@ -368,7 +368,7 @@ static void parse_dacl(struct smb_acl *pdacl, char *end_of_acl,
{
int i, ret;
int num_aces = 0;
- int acl_size;
+ unsigned int acl_size;
char *acl_base;
struct smb_ace **ppace;
struct posix_acl_entry *cf_pace, *cf_pdace;
@@ -380,7 +380,7 @@ static void parse_dacl(struct smb_acl *pdacl, char *end_of_acl,
return;
/* validate that we do not go past end of acl */
- if (end_of_acl <= (char *)pdacl ||
+ if (end_of_acl < (char *)pdacl + sizeof(struct smb_acl) ||
end_of_acl < (char *)pdacl + le16_to_cpu(pdacl->size)) {
pr_err("ACL too small to parse DACL\n");
return;
@@ -419,8 +419,22 @@ static void parse_dacl(struct smb_acl *pdacl, char *end_of_acl,
* user/group/other have no permissions
*/
for (i = 0; i < num_aces; ++i) {
+ if (end_of_acl - acl_base < acl_size)
+ break;
+
ppace[i] = (struct smb_ace *)(acl_base + acl_size);
acl_base = (char *)ppace[i];
+ acl_size = offsetof(struct smb_ace, sid) +
+ offsetof(struct smb_sid, sub_auth);
+
+ if (end_of_acl - acl_base < acl_size ||
+ ppace[i]->sid.num_subauth > SID_MAX_SUB_AUTHORITIES ||
+ (end_of_acl - acl_base <
+ acl_size + sizeof(__le32) * ppace[i]->sid.num_subauth) ||
+ (le16_to_cpu(ppace[i]->size) <
+ acl_size + sizeof(__le32) * ppace[i]->sid.num_subauth))
+ break;
+
acl_size = le16_to_cpu(ppace[i]->size);
ppace[i]->access_req =
smb_map_generic_desired_access(ppace[i]->access_req);
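Review bot: both new `break` paths in the ACE loop stop parsing without any message and leave the remaining `ppace[]` slots unassigned, unlike the `pr_err("ACL too small to parse DACL\n")` path earlier in this function. If anything after the loop still walks `ppace` up to `num_aces`, it needs the count of entries actually parsed; logging the truncation would also help when diagnosing a malformed descriptor. The first test, `end_of_acl - acl_base < acl_size`, compares a signed pointer difference with the now-unsigned `acl_size`, so a cast or comment stating the intended arithmetic would help the next reader.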
@@ -782,6 +796,9 @@ int parse_sec_desc(struct smb_ntsd *pntsd, int acl_len,
if (!pntsd)
return -EIO;
+ if (acl_len < sizeof(struct smb_ntsd))
+ return -EINVAL;
+
owner_sid_ptr = (struct smb_sid *)((char *)pntsd +
le32_to_cpu(pntsd->osidoffset));
group_sid_ptr = (struct smb_sid *)((char *)pntsd +
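Review bot: `acl_len` is an `int` and `sizeof(struct smb_ntsd)` is unsigned, so in `acl_len < sizeof(struct smb_ntsd)` a negative `acl_len` is converted to a large unsigned value and passes the check. Either make the parameter unsigned or test `acl_len < 0` as well. The lines shown after the check still add `osidoffset` to `pntsd` without comparing it with `acl_len`, so this test on its own covers only the fixed header.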
From patchwork Mon Nov 14 12:52:15 2022
X-Patchwork-Submitter: Jason Yan <yanaijie(a)huawei.com>
X-Patchwork-Id: 183323
From: Jason Yan <yanaijie(a)huawei.com>
To: <yanaijie(a)huawei.com>, <zhengzengkai(a)huawei.com>, <xiexiuqi(a)huawei.com>,
<yi.zhang(a)huawei.com>, <patchwork(a)huawei.com>, <kernel.openeuler(a)huawei.com>,
<houtao1(a)huawei.com>
Subject: [PATCH OLK-5.10 v2 226/308] ksmbd: fix transform header validation
Date: Mon, 14 Nov 2022 20:52:15 +0800
Message-ID: <20221114125337.1831594-227-yanaijie(a)huawei.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20221114125337.1831594-1-yanaijie(a)huawei.com>
References: <20221114125337.1831594-1-yanaijie(a)huawei.com>
From: Namjae Jeon <linkinjeon(a)kernel.org>
mainline inclusion
from mainline-5.15-rc4
commit 4227f811cdeb4d85db91ea6b9adf9ac049cec12e
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G
CVE: NA
Reference: https://git.kernel.org/torvalds/linux/c/4227f811cdeb
-------------------------------
Validate that the transform and smb request headers are present
before checking OriginalMessageSize and SessionId fields.
Cc: Ronnie Sahlberg <ronniesahlberg(a)gmail.com>
Cc: Ralph Böhme <slow(a)samba.org>
Cc: Sergey Senozhatsky <senozhatsky(a)chromium.org>
Reviewed-by: Tom Talpey <tom(a)talpey.com>
Acked-by: Hyunchul Lee <hyc.lee(a)gmail.com>
Signed-off-by: Namjae Jeon <linkinjeon(a)kernel.org>
Signed-off-by: Steve French <stfrench(a)microsoft.com>
Signed-off-by: Jason Yan <yanaijie(a)huawei.com>
---
fs/ksmbd/smb2pdu.c | 18 +++++++++---------
1 file changed, 9 insertions(+), 9 deletions(-)
diff --git a/fs/ksmbd/smb2pdu.c b/fs/ksmbd/smb2pdu.c
index 67a14c2a1262..525089577d3b 100644
--- a/fs/ksmbd/smb2pdu.c
+++ b/fs/ksmbd/smb2pdu.c
@@ -8360,16 +8360,8 @@ int smb3_decrypt_req(struct ksmbd_work *work)
unsigned int buf_data_size = pdu_length + 4 -
sizeof(struct smb2_transform_hdr);
struct smb2_transform_hdr *tr_hdr = (struct smb2_transform_hdr *)buf;
- unsigned int orig_len = le32_to_cpu(tr_hdr->OriginalMessageSize);
int rc = 0;
- sess = ksmbd_session_lookup_all(conn, le64_to_cpu(tr_hdr->SessionId));
- if (!sess) {
- pr_err("invalid session id(%llx) in transform header\n",
- le64_to_cpu(tr_hdr->SessionId));
- return -ECONNABORTED;
- }
-
if (pdu_length + 4 <
sizeof(struct smb2_transform_hdr) + sizeof(struct smb2_hdr)) {
pr_err("Transform message is too small (%u)\n",
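Review bot: with `orig_len` gone, `buf_data_size` is the remaining initializer that runs before the minimum-size test, and `pdu_length + 4 - sizeof(struct smb2_transform_hdr)` wraps to a large value for a short PDU. That is harmless only as long as nothing reads `buf_data_size` before the size check; moving the assignment below the check would remove the dependency on ordering.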
@@ -8377,11 +8369,19 @@ int smb3_decrypt_req(struct ksmbd_work *work)
return -ECONNABORTED;
}
- if (pdu_length + 4 < orig_len + sizeof(struct smb2_transform_hdr)) {
+ if (pdu_length + 4 <
+ le32_to_cpu(tr_hdr->OriginalMessageSize) + sizeof(struct smb2_transform_hdr)) {
pr_err("Transform message is broken\n");
return -ECONNABORTED;
}
+ sess = ksmbd_session_lookup_all(conn, le64_to_cpu(tr_hdr->SessionId));
+ if (!sess) {
+ pr_err("invalid session id(%llx) in transform header\n",
+ le64_to_cpu(tr_hdr->SessionId));
+ return -ECONNABORTED;
+ }
+
iov[0].iov_base = buf;
iov[0].iov_len = sizeof(struct smb2_transform_hdr);
iov[1].iov_base = buf + sizeof(struct smb2_transform_hdr);
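Review bot: `le32_to_cpu(tr_hdr->OriginalMessageSize) + sizeof(struct smb2_transform_hdr)` can wrap where `size_t` is 32 bits, letting a very large `OriginalMessageSize` pass the "Transform message is broken" test. Comparing `OriginalMessageSize` against `buf_data_size` instead (valid at this point, since the minimum-size check has already run) avoids the addition and also shortens the over-long condition line.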
From patchwork Mon Nov 14 12:52:16 2022
X-Patchwork-Submitter: Jason Yan <yanaijie(a)huawei.com>
X-Patchwork-Id: 183324
From: Jason Yan <yanaijie(a)huawei.com>
To: <yanaijie(a)huawei.com>, <zhengzengkai(a)huawei.com>, <xiexiuqi(a)huawei.com>,
<yi.zhang(a)huawei.com>, <patchwork(a)huawei.com>, <kernel.openeuler(a)huawei.com>,
<houtao1(a)huawei.com>
Subject: [PATCH OLK-5.10 v2 227/308] ksmbd: missing check for NULL in
convert_to_nt_pathname()
Date: Mon, 14 Nov 2022 20:52:16 +0800
Message-ID: <20221114125337.1831594-228-yanaijie(a)huawei.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20221114125337.1831594-1-yanaijie(a)huawei.com>
References: <20221114125337.1831594-1-yanaijie(a)huawei.com>
From: Dan Carpenter <dan.carpenter(a)oracle.com>
mainline inclusion
from mainline-5.15-rc4
commit 87ffb310d5e8a441721a9d04dfa7c90cd9da3916
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G
CVE: NA
Reference: https://git.kernel.org/torvalds/linux/c/87ffb310d5e8
-------------------------------
The kmalloc() does not have a NULL check. This code can be re-written
slightly cleaner to just use the kstrdup().
Fixes: 265fd1991c1d ("ksmbd: use LOOKUP_BENEATH to prevent the out of share access")
Signed-off-by: Dan Carpenter <dan.carpenter(a)oracle.com>
Acked-by: Namjae Jeon <linkinjeon(a)kernel.org>
Acked-by: Hyunchul Lee <hyc.lee(a)gmail.com>
Signed-off-by: Steve French <stfrench(a)microsoft.com>
Signed-off-by: Jason Yan <yanaijie(a)huawei.com>
---
fs/ksmbd/misc.c | 17 +++++++----------
1 file changed, 7 insertions(+), 10 deletions(-)
diff --git a/fs/ksmbd/misc.c b/fs/ksmbd/misc.c
index 6a19f4bc692d..60e7ac62c917 100644
--- a/fs/ksmbd/misc.c
+++ b/fs/ksmbd/misc.c
@@ -162,17 +162,14 @@ char *convert_to_nt_pathname(char *filename)
{
char *ab_pathname;
- if (strlen(filename) == 0) {
- ab_pathname = kmalloc(2, GFP_KERNEL);
- ab_pathname[0] = '\\';
- ab_pathname[1] = '\0';
- } else {
- ab_pathname = kstrdup(filename, GFP_KERNEL);
- if (!ab_pathname)
- return NULL;
+ if (strlen(filename) == 0)
+ filename = "\\";
- ksmbd_conv_path_to_windows(ab_pathname);
- }
+ ab_pathname = kstrdup(filename, GFP_KERNEL);
+ if (!ab_pathname)
+ return NULL;
+
+ ksmbd_conv_path_to_windows(ab_pathname);
return ab_pathname;
}
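Review bot: assigning the literal `"\\"` to the non-const `char *filename` parameter is correct only because the function never writes through `filename`; making the parameter `const char *` would let the compiler enforce that. The empty-name case now also passes through `ksmbd_conv_path_to_windows()`, which the old branch skipped; that looks harmless for a single backslash but is a behaviour change worth a line in the commit message. `strlen(filename) == 0` could be written as `!*filename`.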
From patchwork Mon Nov 14 12:52:17 2022
X-Patchwork-Submitter: Jason Yan <yanaijie(a)huawei.com>
X-Patchwork-Id: 183325
From: Jason Yan <yanaijie(a)huawei.com>
To: <yanaijie(a)huawei.com>, <zhengzengkai(a)huawei.com>, <xiexiuqi(a)huawei.com>,
<yi.zhang(a)huawei.com>, <patchwork(a)huawei.com>, <kernel.openeuler(a)huawei.com>,
<houtao1(a)huawei.com>
Subject: [PATCH OLK-5.10 v2 228/308] ksmbd: add the check to validate if
stream protocol length exceeds maximum value
Date: Mon, 14 Nov 2022 20:52:17 +0800
Message-ID: <20221114125337.1831594-229-yanaijie(a)huawei.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20221114125337.1831594-1-yanaijie(a)huawei.com>
References: <20221114125337.1831594-1-yanaijie(a)huawei.com>
From: Namjae Jeon <linkinjeon(a)kernel.org>
mainline inclusion
from mainline-5.15-rc5
commit 363999901116ffa9a5462215fef25ea9c7f2823c
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G
CVE: NA
Reference: https://git.kernel.org/torvalds/linux/c/363999901116
-------------------------------
This patch adds the MAX_STREAM_PROT_LEN macro and checks if the stream
protocol length exceeds the maximum value. Open-code the pdu size check in
ksmbd_pdu_size_has_room().
Cc: Tom Talpey <tom(a)talpey.com>
Cc: Ronnie Sahlberg <ronniesahlberg(a)gmail.com>
Cc: Ralph Böhme <slow(a)samba.org>
Acked-by: Hyunchul Lee <hyc.lee(a)gmail.com>
Signed-off-by: Namjae Jeon <linkinjeon(a)kernel.org>
Signed-off-by: Steve French <stfrench(a)microsoft.com>
Signed-off-by: Jason Yan <yanaijie(a)huawei.com>
---
fs/ksmbd/connection.c | 10 ++++++----
fs/ksmbd/smb_common.c | 6 ------
fs/ksmbd/smb_common.h | 4 ++--
3 files changed, 8 insertions(+), 12 deletions(-)
diff --git a/fs/ksmbd/connection.c b/fs/ksmbd/connection.c
index af086d35398a..48b18b4ec117 100644
--- a/fs/ksmbd/connection.c
+++ b/fs/ksmbd/connection.c
@@ -296,10 +296,12 @@ int ksmbd_conn_handler_loop(void *p)
pdu_size = get_rfc1002_len(hdr_buf);
ksmbd_debug(CONN, "RFC1002 header %u bytes\n", pdu_size);
- /* make sure we have enough to get to SMB header end */
- if (!ksmbd_pdu_size_has_room(pdu_size)) {
- ksmbd_debug(CONN, "SMB request too short (%u bytes)\n",
- pdu_size);
+ /*
+ * Check if pdu size is valid (min : smb header size,
+ * max : 0x00FFFFFF).
+ */
+ if (pdu_size < __SMB2_HEADER_STRUCTURE_SIZE ||
+ pdu_size > MAX_STREAM_PROT_LEN) {
continue;
}
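Review bot: the rewritten size check drops the `ksmbd_debug()` message, so an undersized or oversized length field is now ignored with no trace; please keep a debug line that prints `pdu_size`. On the oversize path, `continue` returns to the top of the loop without consuming or discarding the announced payload, so it is worth confirming that the next read cannot interpret payload bytes as a new RFC1002 header; closing the connection may be the safer reaction to a length above `MAX_STREAM_PROT_LEN`. The lower bound also changed from `KSMBD_MIN_SUPPORTED_HEADER_SIZE - 4` to `__SMB2_HEADER_STRUCTURE_SIZE`; if the two values differ, the commit message should say so.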
diff --git a/fs/ksmbd/smb_common.c b/fs/ksmbd/smb_common.c
index 02f17d5b8656..8658cb7c9b33 100644
--- a/fs/ksmbd/smb_common.c
+++ b/fs/ksmbd/smb_common.c
@@ -21,7 +21,6 @@ static const char basechars[43] = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ_-!@#$%";
#define MAGIC_CHAR '~'
#define PERIOD '.'
#define mangle(V) ((char)(basechars[(V) % MANGLE_BASE]))
-#define KSMBD_MIN_SUPPORTED_HEADER_SIZE (sizeof(struct smb2_hdr))
struct smb_protocol {
int index;
@@ -294,11 +293,6 @@ int ksmbd_init_smb_server(struct ksmbd_work *work)
return 0;
}
-bool ksmbd_pdu_size_has_room(unsigned int pdu)
-{
- return (pdu >= KSMBD_MIN_SUPPORTED_HEADER_SIZE - 4);
-}
-
int ksmbd_populate_dot_dotdot_entries(struct ksmbd_work *work, int info_level,
struct ksmbd_file *dir,
struct ksmbd_dir_info *d_info,
diff --git a/fs/ksmbd/smb_common.h b/fs/ksmbd/smb_common.h
index 994abede27e9..6e79e7577f6b 100644
--- a/fs/ksmbd/smb_common.h
+++ b/fs/ksmbd/smb_common.h
@@ -48,6 +48,8 @@
#define CIFS_DEFAULT_IOSIZE (64 * 1024)
#define MAX_CIFS_SMALL_BUFFER_SIZE 448 /* big enough for most */
+#define MAX_STREAM_PROT_LEN 0x00FFFFFF
+
/* Responses when opening a file. */
#define F_SUPERSEDED 0
#define F_OPENED 1
@@ -493,8 +495,6 @@ int ksmbd_lookup_dialect_by_id(__le16 *cli_dialects, __le16 dialects_count);
int ksmbd_init_smb_server(struct ksmbd_work *work);
-bool ksmbd_pdu_size_has_room(unsigned int pdu);
-
struct ksmbd_kstat;
int ksmbd_populate_dot_dotdot_entries(struct ksmbd_work *work,
int info_level,
From patchwork Mon Nov 14 12:52:18 2022
X-Patchwork-Submitter: Jason Yan <yanaijie(a)huawei.com>
X-Patchwork-Id: 183326
From: Jason Yan <yanaijie(a)huawei.com>
To: <yanaijie(a)huawei.com>, <zhengzengkai(a)huawei.com>, <xiexiuqi(a)huawei.com>,
<yi.zhang(a)huawei.com>, <patchwork(a)huawei.com>, <kernel.openeuler(a)huawei.com>,
<houtao1(a)huawei.com>
Subject: [PATCH OLK-5.10 v2 229/308] ksmbd: check strictly data area in
ksmbd_smb2_check_message()
Date: Mon, 14 Nov 2022 20:52:18 +0800
Message-ID: <20221114125337.1831594-230-yanaijie(a)huawei.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20221114125337.1831594-1-yanaijie(a)huawei.com>
References: <20221114125337.1831594-1-yanaijie(a)huawei.com>
From: Namjae Jeon <linkinjeon(a)kernel.org>
mainline inclusion
from mainline-5.15-rc5
commit c2e99d47973796c3fafd13079337dcadecd49d8a
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G
CVE: NA
Reference: https://git.kernel.org/torvalds/linux/c/c2e99d479737
-------------------------------
When a request has an invalid data offset and data length,
ksmbd_smb2_check_message() checks strictly and doesn't allow such
requests to be processed.
Cc: Tom Talpey <tom(a)talpey.com>
Cc: Ronnie Sahlberg <ronniesahlberg(a)gmail.com>
Cc: Ralph Böhme <slow(a)samba.org>
Acked-by: Hyunchul Lee <hyc.lee(a)gmail.com>
Reviewed-by: Ralph Boehme <slow(a)samba.org>
Signed-off-by: Namjae Jeon <linkinjeon(a)kernel.org>
Signed-off-by: Steve French <stfrench(a)microsoft.com>
Signed-off-by: Jason Yan <yanaijie(a)huawei.com>
---
fs/ksmbd/smb2misc.c | 98 ++++++++++++++++++++++-----------------------
1 file changed, 47 insertions(+), 51 deletions(-)
diff --git a/fs/ksmbd/smb2misc.c b/fs/ksmbd/smb2misc.c
index 9aa46bb3e10d..9edd9c161b27 100644
--- a/fs/ksmbd/smb2misc.c
+++ b/fs/ksmbd/smb2misc.c
@@ -80,18 +80,21 @@ static const bool has_smb2_data_area[NUMBER_OF_SMB2_COMMANDS] = {
};
/*
- * Returns the pointer to the beginning of the data area. Length of the data
- * area and the offset to it (from the beginning of the smb are also returned.
+ * Set length of the data area and the offset to arguments.
+ * if they are invalid, return error.
*/
-static char *smb2_get_data_area_len(int *off, int *len, struct smb2_hdr *hdr)
+static int smb2_get_data_area_len(unsigned int *off, unsigned int *len,
+ struct smb2_hdr *hdr)
{
+ int ret = 0;
+
*off = 0;
*len = 0;
/* error reqeusts do not have data area */
if (hdr->Status && hdr->Status != STATUS_MORE_PROCESSING_REQUIRED &&
(((struct smb2_err_rsp *)hdr)->StructureSize) == SMB2_ERROR_STRUCTURE_SIZE2_LE)
- return NULL;
+ return ret;
/*
* Following commands have data areas so we have to get the location
@@ -165,69 +168,60 @@ static char *smb2_get_data_area_len(int *off, int *len, struct smb2_hdr *hdr)
case SMB2_IOCTL:
*off = le32_to_cpu(((struct smb2_ioctl_req *)hdr)->InputOffset);
*len = le32_to_cpu(((struct smb2_ioctl_req *)hdr)->InputCount);
-
break;
default:
ksmbd_debug(SMB, "no length check for command\n");
break;
}
- /*
- * Invalid length or offset probably means data area is invalid, but
- * we have little choice but to ignore the data area in this case.
- */
if (*off > 4096) {
- ksmbd_debug(SMB, "offset %d too large, data area ignored\n",
- *off);
- *len = 0;
- *off = 0;
- } else if (*off < 0) {
- ksmbd_debug(SMB,
- "negative offset %d to data invalid ignore data area\n",
- *off);
- *off = 0;
- *len = 0;
- } else if (*len < 0) {
- ksmbd_debug(SMB,
- "negative data length %d invalid, data area ignored\n",
- *len);
- *len = 0;
- } else if (*len > 128 * 1024) {
- ksmbd_debug(SMB, "data area larger than 128K: %d\n", *len);
- *len = 0;
+ ksmbd_debug(SMB, "offset %d too large\n", *off);
+ ret = -EINVAL;
+ } else if ((u64)*off + *len > MAX_STREAM_PROT_LEN) {
+ ksmbd_debug(SMB, "Request is larger than maximum stream protocol length(%u): %llu\n",
+ MAX_STREAM_PROT_LEN, (u64)*off + *len);
+ ret = -EINVAL;
}
- /* return pointer to beginning of data area, ie offset from SMB start */
- if ((*off != 0) && (*len != 0))
- return (char *)hdr + *off;
- else
- return NULL;
+ return ret;
}
/*
* Calculate the size of the SMB message based on the fixed header
* portion, the number of word parameters and the data portion of the message.
*/
-static unsigned int smb2_calc_size(void *buf)
+static int smb2_calc_size(void *buf, unsigned int *len)
{
struct smb2_pdu *pdu = (struct smb2_pdu *)buf;
struct smb2_hdr *hdr = &pdu->hdr;
- int offset; /* the offset from the beginning of SMB to data area */
- int data_length; /* the length of the variable length data area */
+ unsigned int offset; /* the offset from the beginning of SMB to data area */
+ unsigned int data_length; /* the length of the variable length data area */
+ int ret;
+
/* Structure Size has already been checked to make sure it is 64 */
- int len = le16_to_cpu(hdr->StructureSize);
+ *len = le16_to_cpu(hdr->StructureSize);
/*
* StructureSize2, ie length of fixed parameter area has already
* been checked to make sure it is the correct length.
*/
- len += le16_to_cpu(pdu->StructureSize2);
+ *len += le16_to_cpu(pdu->StructureSize2);
+ /*
+ * StructureSize2 of smb2_lock pdu is set to 48, indicating
+ * the size of smb2 lock request with single smb2_lock_element
+ * regardless of number of locks. Subtract single
+ * smb2_lock_element for correct buffer size check.
+ */
+ if (hdr->Command == SMB2_LOCK)
+ *len -= sizeof(struct smb2_lock_element);
if (has_smb2_data_area[le16_to_cpu(hdr->Command)] == false)
goto calc_size_exit;
- smb2_get_data_area_len(&offset, &data_length, hdr);
- ksmbd_debug(SMB, "SMB2 data length %d offset %d\n", data_length,
+ ret = smb2_get_data_area_len(&offset, &data_length, hdr);
+ if (ret)
+ return ret;
+ ksmbd_debug(SMB, "SMB2 data length %u offset %u\n", data_length,
offset);
if (data_length > 0) {
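Review bot: The new SMB2_LOCK adjustment in smb2_calc_size() tests `hdr->Command == SMB2_LOCK` on the raw wire value, while the very next line indexes `has_smb2_data_area[]` with `le16_to_cpu(hdr->Command)`, and the special case removed at the end of this patch compared the host-order `command` against `SMB2_LOCK_HE`. Please confirm SMB2_LOCK is the little-endian constant, or convert the command once into a local and compare against SMB2_LOCK_HE so the two uses cannot diverge on big-endian hosts. In smb2_get_data_area_len(), the `*off > 4096` bound also stays a bare number next to the named MAX_STREAM_PROT_LEN; a named constant would document where that limit comes from.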
@@ -237,16 +231,19 @@ static unsigned int smb2_calc_size(void *buf)
* for some commands, typically those with odd StructureSize,
* so we must add one to the calculation.
*/
- if (offset + 1 < len)
+ if (offset + 1 < *len) {
ksmbd_debug(SMB,
- "data area offset %d overlaps SMB2 header %d\n",
- offset + 1, len);
- else
- len = offset + data_length;
+ "data area offset %d overlaps SMB2 header %u\n",
+ offset + 1, *len);
+ return -EINVAL;
+ }
+
+ *len = offset + data_length;
}
+
calc_size_exit:
- ksmbd_debug(SMB, "SMB2 len %d\n", len);
- return len;
+ ksmbd_debug(SMB, "SMB2 len %u\n", *len);
+ return 0;
}
static inline int smb2_query_info_req_len(struct smb2_query_info_req *h)
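Review bot: In the overlap check, `offset` is now `unsigned int`, but the rewritten debug string still prints `offset + 1` with `%d` ("data area offset %d overlaps SMB2 header %u"); both arguments should use `%u`. The unconditional `*len = offset + data_length` is a 32-bit addition that is only safe because smb2_get_data_area_len() already rejected `(u64)*off + *len > MAX_STREAM_PROT_LEN`; a one-line comment stating that dependency would keep a later refactor from separating the two.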
@@ -391,9 +388,11 @@ int ksmbd_smb2_check_message(struct ksmbd_work *work)
return 1;
}
- clc_len = smb2_calc_size(hdr);
+ if (smb2_calc_size(hdr, &clc_len))
+ return 1;
+
if (len != clc_len) {
- /* server can return one byte more due to implied bcc[0] */
+ /* client can return one byte more due to implied bcc[0] */
if (clc_len == len + 1)
return 0;
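Review bot: The new `if (smb2_calc_size(hdr, &clc_len)) return 1;` drops the request without a log line of its own and collapses the callee's error code to 1. The callee only logs through ksmbd_debug on some of its failure paths, so a ksmbd_debug here naming the command and message id, as the "cli req too short" message below does, would make rejected requests traceable.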
@@ -418,9 +417,6 @@ int ksmbd_smb2_check_message(struct ksmbd_work *work)
return 0;
}
- if (command == SMB2_LOCK_HE && len == 88)
- return 0;
-
ksmbd_debug(SMB,
"cli req too short, len %d not %d. cmd:%d mid:%llu\n",
len, clc_len, command,
From patchwork Mon Nov 14 12:52:19 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-Patchwork-Submitter: Jason Yan <yanaijie(a)huawei.com>
X-Patchwork-Id: 183327
Return-Path: <yanaijie(a)huawei.com>
From: Jason Yan <yanaijie(a)huawei.com>
To: <yanaijie(a)huawei.com>, <zhengzengkai(a)huawei.com>, <xiexiuqi(a)huawei.com>,
<yi.zhang(a)huawei.com>, <patchwork(a)huawei.com>, <kernel.openeuler(a)huawei.com>,
<houtao1(a)huawei.com>
Subject: [PATCH OLK-5.10 v2 230/308] ksmbd: remove the leftover of smb2.0
dialect support
Date: Mon, 14 Nov 2022 20:52:19 +0800
Message-ID: <20221114125337.1831594-231-yanaijie(a)huawei.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20221114125337.1831594-1-yanaijie(a)huawei.com>
References: <20221114125337.1831594-1-yanaijie(a)huawei.com>
From: Namjae Jeon <linkinjeon(a)kernel.org>
mainline inclusion
from mainline-5.15-rc5
commit 51a1387393d98c2ba52d53d089720fa9f1463178
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G
CVE: NA
Reference: https://git.kernel.org/torvalds/linux/c/51a1387393d9
-------------------------------
Although ksmbd doesn't send SMB2.0 support in the supported dialect list of the smb
negotiate response, there is a leftover of the smb2.0 dialect.
This patch removes it so that SMB2.0 is not supported in ksmbd.
Cc: Tom Talpey <tom(a)talpey.com>
Cc: Ronnie Sahlberg <ronniesahlberg(a)gmail.com>
Cc: Ralph Böhme <slow(a)samba.org>
Cc: Hyunchul Lee <hyc.lee(a)gmail.com>
Signed-off-by: Namjae Jeon <linkinjeon(a)kernel.org>
Signed-off-by: Steve French <stfrench(a)microsoft.com>
Signed-off-by: Jason Yan <yanaijie(a)huawei.com>
---
fs/ksmbd/smb2ops.c | 5 -----
fs/ksmbd/smb2pdu.c | 34 +++++++++-------------------------
fs/ksmbd/smb2pdu.h | 1 -
fs/ksmbd/smb_common.c | 6 +++---
4 files changed, 12 insertions(+), 34 deletions(-)
diff --git a/fs/ksmbd/smb2ops.c b/fs/ksmbd/smb2ops.c
index 197473871aa4..b06456eb587b 100644
--- a/fs/ksmbd/smb2ops.c
+++ b/fs/ksmbd/smb2ops.c
@@ -187,11 +187,6 @@ static struct smb_version_cmds smb2_0_server_cmds[NUMBER_OF_SMB2_COMMANDS] = {
[SMB2_CHANGE_NOTIFY_HE] = { .proc = smb2_notify},
};
-int init_smb2_0_server(struct ksmbd_conn *conn)
-{
- return -EOPNOTSUPP;
-}
-
/**
* init_smb2_1_server() - initialize a smb server connection with smb2.1
* command dispatcher
diff --git a/fs/ksmbd/smb2pdu.c b/fs/ksmbd/smb2pdu.c
index 525089577d3b..dae9366120ff 100644
--- a/fs/ksmbd/smb2pdu.c
+++ b/fs/ksmbd/smb2pdu.c
@@ -236,9 +236,6 @@ int init_smb2_neg_rsp(struct ksmbd_work *work)
if (conn->need_neg == false)
return -EINVAL;
- if (!(conn->dialect >= SMB20_PROT_ID &&
- conn->dialect <= SMB311_PROT_ID))
- return -EINVAL;
rsp_hdr = work->response_buf;
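Review bot: Dropping the dialect range check from init_smb2_neg_rsp() leaves the function with no validation of `conn->dialect` of its own; it now depends on the `__smb2_negotiate(conn)` test added in ksmbd_smb_negotiate_common() at the end of this patch. Any other caller would build a negotiate response for an unchecked dialect. Either state that precondition in the function's comment, or keep the check here with the lower bound raised to SMB21_PROT_ID.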
@@ -1166,13 +1163,6 @@ int smb2_handle_negotiate(struct ksmbd_work *work)
case SMB21_PROT_ID:
init_smb2_1_server(conn);
break;
- case SMB20_PROT_ID:
- rc = init_smb2_0_server(conn);
- if (rc) {
- rsp->hdr.Status = STATUS_NOT_SUPPORTED;
- goto err_out;
- }
- break;
case SMB2X_PROT_ID:
case BAD_PROT_ID:
default:
@@ -1191,11 +1181,9 @@ int smb2_handle_negotiate(struct ksmbd_work *work)
rsp->MaxReadSize = cpu_to_le32(conn->vals->max_read_size);
rsp->MaxWriteSize = cpu_to_le32(conn->vals->max_write_size);
- if (conn->dialect > SMB20_PROT_ID) {
- memcpy(conn->ClientGUID, req->ClientGUID,
- SMB2_CLIENT_GUID_SIZE);
- conn->cli_sec_mode = le16_to_cpu(req->SecurityMode);
- }
+ memcpy(conn->ClientGUID, req->ClientGUID,
+ SMB2_CLIENT_GUID_SIZE);
+ conn->cli_sec_mode = le16_to_cpu(req->SecurityMode);
rsp->StructureSize = cpu_to_le16(65);
rsp->DialectRevision = cpu_to_le16(conn->dialect);
@@ -1537,11 +1525,9 @@ static int ntlm_authenticate(struct ksmbd_work *work)
}
}
- if (conn->dialect > SMB20_PROT_ID) {
- if (!ksmbd_conn_lookup_dialect(conn)) {
- pr_err("fail to verify the dialect\n");
- return -ENOENT;
- }
+ if (!ksmbd_conn_lookup_dialect(conn)) {
+ pr_err("fail to verify the dialect\n");
+ return -ENOENT;
}
return 0;
}
@@ -1623,11 +1609,9 @@ static int krb5_authenticate(struct ksmbd_work *work)
}
}
- if (conn->dialect > SMB20_PROT_ID) {
- if (!ksmbd_conn_lookup_dialect(conn)) {
- pr_err("fail to verify the dialect\n");
- return -ENOENT;
- }
+ if (!ksmbd_conn_lookup_dialect(conn)) {
+ pr_err("fail to verify the dialect\n");
+ return -ENOENT;
}
return 0;
}
diff --git a/fs/ksmbd/smb2pdu.h b/fs/ksmbd/smb2pdu.h
index 261825d06391..a6dec5ec6a54 100644
--- a/fs/ksmbd/smb2pdu.h
+++ b/fs/ksmbd/smb2pdu.h
@@ -1637,7 +1637,6 @@ struct smb2_posix_info {
} __packed;
/* functions */
-int init_smb2_0_server(struct ksmbd_conn *conn);
void init_smb2_1_server(struct ksmbd_conn *conn);
void init_smb3_0_server(struct ksmbd_conn *conn);
void init_smb3_02_server(struct ksmbd_conn *conn);
diff --git a/fs/ksmbd/smb_common.c b/fs/ksmbd/smb_common.c
index 8658cb7c9b33..bd836a30ae89 100644
--- a/fs/ksmbd/smb_common.c
+++ b/fs/ksmbd/smb_common.c
@@ -88,7 +88,7 @@ unsigned int ksmbd_server_side_copy_max_total_size(void)
inline int ksmbd_min_protocol(void)
{
- return SMB2_PROT;
+ return SMB21_PROT;
}
inline int ksmbd_max_protocol(void)
@@ -425,7 +425,7 @@ int ksmbd_extract_shortname(struct ksmbd_conn *conn, const char *longname,
static int __smb2_negotiate(struct ksmbd_conn *conn)
{
- return (conn->dialect >= SMB20_PROT_ID &&
+ return (conn->dialect >= SMB21_PROT_ID &&
conn->dialect <= SMB311_PROT_ID);
}
@@ -455,7 +455,7 @@ int ksmbd_smb_negotiate_common(struct ksmbd_work *work, unsigned int command)
}
}
- if (command == SMB2_NEGOTIATE_HE) {
+ if (command == SMB2_NEGOTIATE_HE && __smb2_negotiate(conn)) {
ret = smb2_handle_negotiate(work);
init_smb2_neg_rsp(work);
return ret;
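Review bot: With `&& __smb2_negotiate(conn)` added to the condition, an SMB2 NEGOTIATE whose dialect lies outside SMB21_PROT_ID..SMB311_PROT_ID no longer enters this block and falls through to code this hunk does not show. Please confirm that path returns an error instead of treating the request as a non-SMB2 negotiate. The return value of `init_smb2_neg_rsp(work)` is also still discarded here, which matters more now that the function has lost its own dialect check.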
From patchwork Mon Nov 14 12:52:20 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-Patchwork-Submitter: Jason Yan <yanaijie(a)huawei.com>
X-Patchwork-Id: 183328
Return-Path: <yanaijie(a)huawei.com>
From: Jason Yan <yanaijie(a)huawei.com>
To: <yanaijie(a)huawei.com>, <zhengzengkai(a)huawei.com>, <xiexiuqi(a)huawei.com>,
<yi.zhang(a)huawei.com>, <patchwork(a)huawei.com>, <kernel.openeuler(a)huawei.com>,
<houtao1(a)huawei.com>
Subject: [PATCH OLK-5.10 v2 231/308] ksmbd: use buf_data_size instead of
recalculation in smb3_decrypt_req()
Date: Mon, 14 Nov 2022 20:52:20 +0800
Message-ID: <20221114125337.1831594-232-yanaijie(a)huawei.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20221114125337.1831594-1-yanaijie(a)huawei.com>
References: <20221114125337.1831594-1-yanaijie(a)huawei.com>
From: Namjae Jeon <linkinjeon(a)kernel.org>
mainline inclusion
from mainline-5.15-rc5
commit c7705eec78c999485609274c7ac5c27def8b84f1
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G
CVE: NA
Reference: https://git.kernel.org/torvalds/linux/c/c7705eec78c9
-------------------------------
Tom suggested to use buf_data_size that is already calculated, to verify
these offsets.
Cc: Tom Talpey <tom(a)talpey.com>
Cc: Ronnie Sahlberg <ronniesahlberg(a)gmail.com>
Cc: Ralph Böhme <slow(a)samba.org>
Suggested-by: Tom Talpey <tom(a)talpey.com>
Acked-by: Hyunchul Lee <hyc.lee(a)gmail.com>
Signed-off-by: Namjae Jeon <linkinjeon(a)kernel.org>
Signed-off-by: Steve French <stfrench(a)microsoft.com>
Signed-off-by: Jason Yan <yanaijie(a)huawei.com>
---
fs/ksmbd/smb2pdu.c | 8 +++-----
1 file changed, 3 insertions(+), 5 deletions(-)
diff --git a/fs/ksmbd/smb2pdu.c b/fs/ksmbd/smb2pdu.c
index dae9366120ff..55d39459437d 100644
--- a/fs/ksmbd/smb2pdu.c
+++ b/fs/ksmbd/smb2pdu.c
@@ -8341,20 +8341,18 @@ int smb3_decrypt_req(struct ksmbd_work *work)
struct smb2_hdr *hdr;
unsigned int pdu_length = get_rfc1002_len(buf);
struct kvec iov[2];
- unsigned int buf_data_size = pdu_length + 4 -
+ int buf_data_size = pdu_length + 4 -
sizeof(struct smb2_transform_hdr);
struct smb2_transform_hdr *tr_hdr = (struct smb2_transform_hdr *)buf;
int rc = 0;
- if (pdu_length + 4 <
- sizeof(struct smb2_transform_hdr) + sizeof(struct smb2_hdr)) {
+ if (buf_data_size < sizeof(struct smb2_hdr)) {
pr_err("Transform message is too small (%u)\n",
pdu_length);
return -ECONNABORTED;
}
- if (pdu_length + 4 <
- le32_to_cpu(tr_hdr->OriginalMessageSize) + sizeof(struct smb2_transform_hdr)) {
+ if (buf_data_size < le32_to_cpu(tr_hdr->OriginalMessageSize)) {
pr_err("Transform message is broken\n");
return -ECONNABORTED;
}
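Review bot: Changing `buf_data_size` to `int` does not make the rewritten checks catch a short PDU. In `buf_data_size < sizeof(struct smb2_hdr)` the right-hand side is `size_t`, so a negative `buf_data_size` is converted to a very large unsigned value and the test is false; the same conversion happens against the unsigned result of `le32_to_cpu(tr_hdr->OriginalMessageSize)`. The removed form, `pdu_length + 4 < sizeof(struct smb2_transform_hdr) + sizeof(struct smb2_hdr)`, involved no subtraction and did reject a `pdu_length` smaller than the transform header. Check `pdu_length + 4 < sizeof(struct smb2_transform_hdr)` before computing `buf_data_size`, or keep the sum-based comparisons.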
From patchwork Mon Nov 14 12:52:21 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-Patchwork-Submitter: Jason Yan <yanaijie(a)huawei.com>
X-Patchwork-Id: 183329
Return-Path: <yanaijie(a)huawei.com>
From: Jason Yan <yanaijie(a)huawei.com>
To: <yanaijie(a)huawei.com>, <zhengzengkai(a)huawei.com>, <xiexiuqi(a)huawei.com>,
<yi.zhang(a)huawei.com>, <patchwork(a)huawei.com>, <kernel.openeuler(a)huawei.com>,
<houtao1(a)huawei.com>
Subject: [PATCH OLK-5.10 v2 232/308] ksmbd: fix version mismatch with out of
tree
Date: Mon, 14 Nov 2022 20:52:21 +0800
Message-ID: <20221114125337.1831594-233-yanaijie(a)huawei.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20221114125337.1831594-1-yanaijie(a)huawei.com>
References: <20221114125337.1831594-1-yanaijie(a)huawei.com>
From: Namjae Jeon <linkinjeon(a)kernel.org>
mainline inclusion
from mainline-5.15-rc5
commit 2db72604f3eaebd6175548bf64372e163724ebe3
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G
CVE: NA
Reference: https://git.kernel.org/torvalds/linux/c/2db72604f3ea
-------------------------------
Fix version mismatch with out of tree. This updated version will be
matched with ksmbd-tools.
Cc: Tom Talpey <tom(a)talpey.com>
Cc: Ronnie Sahlberg <ronniesahlberg(a)gmail.com>
Cc: Ralph Böhme <slow(a)samba.org>
Cc: Steve French <smfrench(a)gmail.com>
Cc: Hyunchul Lee <hyc.lee(a)gmail.com>
Signed-off-by: Namjae Jeon <linkinjeon(a)kernel.org>
Signed-off-by: Steve French <stfrench(a)microsoft.com>
Signed-off-by: Jason Yan <yanaijie(a)huawei.com>
---
fs/ksmbd/glob.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/fs/ksmbd/glob.h b/fs/ksmbd/glob.h
index 49a5a3afa118..5b8f3e0ebdb3 100644
--- a/fs/ksmbd/glob.h
+++ b/fs/ksmbd/glob.h
@@ -12,7 +12,7 @@
#include "unicode.h"
#include "vfs_cache.h"
-#define KSMBD_VERSION "3.1.9"
+#define KSMBD_VERSION "3.4.2"
extern int ksmbd_debug_types;
From patchwork Mon Nov 14 12:52:22 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-Patchwork-Submitter: Jason Yan <yanaijie(a)huawei.com>
X-Patchwork-Id: 183330
Return-Path: <yanaijie(a)huawei.com>
From: Jason Yan <yanaijie(a)huawei.com>
To: <yanaijie(a)huawei.com>, <zhengzengkai(a)huawei.com>, <xiexiuqi(a)huawei.com>,
<yi.zhang(a)huawei.com>, <patchwork(a)huawei.com>, <kernel.openeuler(a)huawei.com>,
<houtao1(a)huawei.com>
Subject: [PATCH OLK-5.10 v2 233/308] ksmbd: fix oops from fuse driver
Date: Mon, 14 Nov 2022 20:52:22 +0800
Message-ID: <20221114125337.1831594-234-yanaijie(a)huawei.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20221114125337.1831594-1-yanaijie(a)huawei.com>
References: <20221114125337.1831594-1-yanaijie(a)huawei.com>
From: Namjae Jeon <linkinjeon(a)kernel.org>
mainline inclusion
from mainline-5.15-rc5
commit 64e7875560270b8f669fca9fcd6a689fea56fbeb
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G
CVE: NA
Reference: https://git.kernel.org/torvalds/linux/c/64e787556027
-------------------------------
Marios reported kernel oops from fuse driver when ksmbd calls
mark_inode_dirty(). This patch directly updates ->i_ctime after removing
mark_inode_dirty() and notify_change will put inode to dirty list.
Cc: Tom Talpey <tom(a)talpey.com>
Cc: Ronnie Sahlberg <ronniesahlberg(a)gmail.com>
Cc: Ralph Böhme <slow(a)samba.org>
Cc: Hyunchul Lee <hyc.lee(a)gmail.com>
Reported-by: Marios Makassikis <mmakassikis(a)freebox.fr>
Tested-by: Marios Makassikis <mmakassikis(a)freebox.fr>
Acked-by: Hyunchul Lee <hyc.lee(a)gmail.com>
Signed-off-by: Namjae Jeon <linkinjeon(a)kernel.org>
Signed-off-by: Steve French <stfrench(a)microsoft.com>
Signed-off-by: Jason Yan <yanaijie(a)huawei.com>
---
fs/ksmbd/smb2pdu.c | 17 ++++++-----------
1 file changed, 6 insertions(+), 11 deletions(-)
diff --git a/fs/ksmbd/smb2pdu.c b/fs/ksmbd/smb2pdu.c
index 55d39459437d..ec07cc459f4f 100644
--- a/fs/ksmbd/smb2pdu.c
+++ b/fs/ksmbd/smb2pdu.c
@@ -5438,7 +5438,6 @@ static int set_file_basic_info(struct ksmbd_file *fp,
struct ksmbd_share_config *share)
{
struct iattr attrs;
- struct timespec64 ctime;
struct file *filp;
struct inode *inode;
int rc = 0;
@@ -5458,13 +5457,11 @@ static int set_file_basic_info(struct ksmbd_file *fp,
attrs.ia_valid |= (ATTR_ATIME | ATTR_ATIME_SET);
}
- if (file_info->ChangeTime) {
+ attrs.ia_valid |= ATTR_CTIME;
+ if (file_info->ChangeTime)
attrs.ia_ctime = ksmbd_NTtimeToUnix(file_info->ChangeTime);
- ctime = attrs.ia_ctime;
- attrs.ia_valid |= ATTR_CTIME;
- } else {
- ctime = inode->i_ctime;
- }
+ else
+ attrs.ia_ctime = inode->i_ctime;
if (file_info->LastWriteTime) {
attrs.ia_mtime = ksmbd_NTtimeToUnix(file_info->LastWriteTime);
@@ -5509,11 +5506,9 @@ static int set_file_basic_info(struct ksmbd_file *fp,
return -EACCES;
inode_lock(inode);
+ inode->i_ctime = attrs.ia_ctime;
+ attrs.ia_valid &= ~ATTR_CTIME;
rc = notify_change(dentry, &attrs, NULL);
- if (!rc) {
- inode->i_ctime = ctime;
- mark_inode_dirty(inode);
- }
inode_unlock(inode);
}
return rc;
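Review bot: `inode->i_ctime = attrs.ia_ctime` is now written before `notify_change()` and is not undone when `notify_change()` returns an error, whereas the removed code only updated `i_ctime` under `if (!rc)`. If the change time is meant to stick even on failure, the commit message should say so; otherwise save the previous value and restore it when `rc` is non-zero. ATTR_CTIME is also set unconditionally in the previous hunk and cleared here right before the call, so in the lines shown the flag never reaches `notify_change()`; a comment explaining why it is set at all would help the next reader.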
From patchwork Mon Nov 14 12:52:23 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-Patchwork-Submitter: Jason Yan <yanaijie(a)huawei.com>
X-Patchwork-Id: 183331
Return-Path: <yanaijie(a)huawei.com>
From: Jason Yan <yanaijie(a)huawei.com>
To: <yanaijie(a)huawei.com>, <zhengzengkai(a)huawei.com>, <xiexiuqi(a)huawei.com>,
<yi.zhang(a)huawei.com>, <patchwork(a)huawei.com>, <kernel.openeuler(a)huawei.com>,
<houtao1(a)huawei.com>
Subject: [PATCH OLK-5.10 v2 234/308] ksmbd: add validation in smb2_ioctl
Date: Mon, 14 Nov 2022 20:52:23 +0800
Message-ID: <20221114125337.1831594-235-yanaijie(a)huawei.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20221114125337.1831594-1-yanaijie(a)huawei.com>
References: <20221114125337.1831594-1-yanaijie(a)huawei.com>
From: Namjae Jeon <linkinjeon(a)kernel.org>
mainline inclusion
from mainline-5.15-rc7
commit f7db8fd03a4bc5baf70ccf8978fe17cb54368b97
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G
CVE: NA
Reference: https://git.kernel.org/torvalds/linux/c/f7db8fd03a4b
-------------------------------
Add validation for request/response buffer size check in smb2_ioctl,
make fsctl_copychunk() take a copychunk_ioctl_req pointer and the other
arguments instead of the smb2_ioctl_req structure, and remove an unused
smb2_ioctl_req argument of fsctl_validate_negotiate_info.
Cc: Tom Talpey <tom(a)talpey.com>
Cc: Ronnie Sahlberg <ronniesahlberg(a)gmail.com>
Cc: Ralph Böhme <slow(a)samba.org>
Cc: Steve French <smfrench(a)gmail.com>
Cc: Sergey Senozhatsky <senozhatsky(a)chromium.org>
Acked-by: Hyunchul Lee <hyc.lee(a)gmail.com>
Signed-off-by: Colin Ian King <colin.king(a)canonical.com>
Signed-off-by: Namjae Jeon <linkinjeon(a)kernel.org>
Signed-off-by: Steve French <stfrench(a)microsoft.com>
Signed-off-by: Jason Yan <yanaijie(a)huawei.com>
---
fs/ksmbd/smb2pdu.c | 113 +++++++++++++++++++++++++++++++++------------
fs/ksmbd/vfs.c | 2 +-
fs/ksmbd/vfs.h | 2 +-
3 files changed, 86 insertions(+), 31 deletions(-)
diff --git a/fs/ksmbd/smb2pdu.c b/fs/ksmbd/smb2pdu.c
index ec07cc459f4f..2a4647273549 100644
--- a/fs/ksmbd/smb2pdu.c
+++ b/fs/ksmbd/smb2pdu.c
@@ -6973,24 +6973,26 @@ int smb2_lock(struct ksmbd_work *work)
return err;
}
-static int fsctl_copychunk(struct ksmbd_work *work, struct smb2_ioctl_req *req,
+static int fsctl_copychunk(struct ksmbd_work *work,
+ struct copychunk_ioctl_req *ci_req,
+ unsigned int cnt_code,
+ unsigned int input_count,
+ unsigned long long volatile_id,
+ unsigned long long persistent_id,
struct smb2_ioctl_rsp *rsp)
{
- struct copychunk_ioctl_req *ci_req;
struct copychunk_ioctl_rsp *ci_rsp;
struct ksmbd_file *src_fp = NULL, *dst_fp = NULL;
struct srv_copychunk *chunks;
unsigned int i, chunk_count, chunk_count_written = 0;
unsigned int chunk_size_written = 0;
loff_t total_size_written = 0;
- int ret, cnt_code;
+ int ret = 0;
- cnt_code = le32_to_cpu(req->CntCode);
- ci_req = (struct copychunk_ioctl_req *)&req->Buffer[0];
ci_rsp = (struct copychunk_ioctl_rsp *)&rsp->Buffer[0];
- rsp->VolatileFileId = req->VolatileFileId;
- rsp->PersistentFileId = req->PersistentFileId;
+ rsp->VolatileFileId = cpu_to_le64(volatile_id);
+ rsp->PersistentFileId = cpu_to_le64(persistent_id);
ci_rsp->ChunksWritten =
cpu_to_le32(ksmbd_server_side_copy_max_chunk_count());
ci_rsp->ChunkBytesWritten =
@@ -7000,12 +7002,13 @@ static int fsctl_copychunk(struct ksmbd_work *work, struct smb2_ioctl_req *req,
chunks = (struct srv_copychunk *)&ci_req->Chunks[0];
chunk_count = le32_to_cpu(ci_req->ChunkCount);
+ if (chunk_count == 0)
+ goto out;
total_size_written = 0;
/* verify the SRV_COPYCHUNK_COPY packet */
if (chunk_count > ksmbd_server_side_copy_max_chunk_count() ||
- le32_to_cpu(req->InputCount) <
- offsetof(struct copychunk_ioctl_req, Chunks) +
+ input_count < offsetof(struct copychunk_ioctl_req, Chunks) +
chunk_count * sizeof(struct srv_copychunk)) {
rsp->hdr.Status = STATUS_INVALID_PARAMETER;
return -EINVAL;
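Review bot: The new `if (chunk_count == 0) goto out;` leaves with `ret = 0` after `ci_rsp->ChunksWritten` and `ci_rsp->ChunkBytesWritten` were preloaded with the server limits a few lines earlier, so a zero-chunk request gets those limits back without `rsp->hdr.Status` being set. If that is the intended reply, a comment should say so; if not, set the status and an error the way the verification branch directly below does.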
@@ -7026,9 +7029,7 @@ static int fsctl_copychunk(struct ksmbd_work *work, struct smb2_ioctl_req *req,
src_fp = ksmbd_lookup_foreign_fd(work,
le64_to_cpu(ci_req->ResumeKey[0]));
- dst_fp = ksmbd_lookup_fd_slow(work,
- le64_to_cpu(req->VolatileFileId),
- le64_to_cpu(req->PersistentFileId));
+ dst_fp = ksmbd_lookup_fd_slow(work, volatile_id, persistent_id);
ret = -EINVAL;
if (!src_fp ||
src_fp->persistent_id != le64_to_cpu(ci_req->ResumeKey[1])) {
@@ -7103,8 +7104,8 @@ static __be32 idev_ipv4_address(struct in_device *idev)
}
static int fsctl_query_iface_info_ioctl(struct ksmbd_conn *conn,
- struct smb2_ioctl_req *req,
- struct smb2_ioctl_rsp *rsp)
+ struct smb2_ioctl_rsp *rsp,
+ unsigned int out_buf_len)
{
struct network_interface_info_ioctl_rsp *nii_rsp = NULL;
int nbytes = 0;
@@ -7116,6 +7117,12 @@ static int fsctl_query_iface_info_ioctl(struct ksmbd_conn *conn,
rtnl_lock();
for_each_netdev(&init_net, netdev) {
+ if (out_buf_len <
+ nbytes + sizeof(struct network_interface_info_ioctl_rsp)) {
+ rtnl_unlock();
+ return -ENOSPC;
+ }
+
if (netdev->type == ARPHRD_LOOPBACK)
continue;
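Review bot: The new `out_buf_len < nbytes + sizeof(struct network_interface_info_ioctl_rsp)` test runs before the `ARPHRD_LOOPBACK` skip, so once the buffer is exactly full a loopback device that would never have been written still makes the whole call fail with -ENOSPC. Move the size check below the `continue` so it only fires when an entry is about to be emitted. `nbytes` is still an `int` compared against the unsigned `out_buf_len`; making it `unsigned int` would match the rest of this patch.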
@@ -7195,11 +7202,6 @@ static int fsctl_query_iface_info_ioctl(struct ksmbd_conn *conn,
if (nii_rsp)
nii_rsp->Next = 0;
- if (!nbytes) {
- rsp->hdr.Status = STATUS_BUFFER_TOO_SMALL;
- return -EINVAL;
- }
-
rsp->PersistentFileId = cpu_to_le64(SMB2_NO_FID);
rsp->VolatileFileId = cpu_to_le64(SMB2_NO_FID);
return nbytes;
@@ -7207,11 +7209,16 @@ static int fsctl_query_iface_info_ioctl(struct ksmbd_conn *conn,
static int fsctl_validate_negotiate_info(struct ksmbd_conn *conn,
struct validate_negotiate_info_req *neg_req,
- struct validate_negotiate_info_rsp *neg_rsp)
+ struct validate_negotiate_info_rsp *neg_rsp,
+ unsigned int in_buf_len)
{
int ret = 0;
int dialect;
+ if (in_buf_len < sizeof(struct validate_negotiate_info_req) +
+ le16_to_cpu(neg_req->DialectCount) * sizeof(__le16))
+ return -EINVAL;
+
dialect = ksmbd_lookup_dialect_by_id(neg_req->Dialects,
neg_req->DialectCount);
if (dialect == BAD_PROT_ID || dialect != conn->dialect) {
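Review bot: The added length check converts the count with `le16_to_cpu(neg_req->DialectCount)`, but the context line right after it still passes `neg_req->DialectCount` unconverted to ksmbd_lookup_dialect_by_id(). On a big-endian host the lookup would then walk a different number of entries than the check validated. Convert once into a local and use it for both the bound and the lookup.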
@@ -7245,7 +7252,7 @@ static int fsctl_validate_negotiate_info(struct ksmbd_conn *conn,
static int fsctl_query_allocated_ranges(struct ksmbd_work *work, u64 id,
struct file_allocated_range_buffer *qar_req,
struct file_allocated_range_buffer *qar_rsp,
- int in_count, int *out_count)
+ unsigned int in_count, unsigned int *out_count)
{
struct ksmbd_file *fp;
loff_t start, length;
@@ -7272,7 +7279,8 @@ static int fsctl_query_allocated_ranges(struct ksmbd_work *work, u64 id,
}
static int fsctl_pipe_transceive(struct ksmbd_work *work, u64 id,
- int out_buf_len, struct smb2_ioctl_req *req,
+ unsigned int out_buf_len,
+ struct smb2_ioctl_req *req,
struct smb2_ioctl_rsp *rsp)
{
struct ksmbd_rpc_command *rpc_resp;
@@ -7382,8 +7390,7 @@ int smb2_ioctl(struct ksmbd_work *work)
{
struct smb2_ioctl_req *req;
struct smb2_ioctl_rsp *rsp, *rsp_org;
- int cnt_code, nbytes = 0;
- int out_buf_len;
+ unsigned int cnt_code, nbytes = 0, out_buf_len, in_buf_len;
u64 id = KSMBD_NO_FID;
struct ksmbd_conn *conn = work->conn;
int ret = 0;
@@ -7412,7 +7419,11 @@ int smb2_ioctl(struct ksmbd_work *work)
cnt_code = le32_to_cpu(req->CntCode);
out_buf_len = le32_to_cpu(req->MaxOutputResponse);
- out_buf_len = min(KSMBD_IPC_MAX_PAYLOAD, out_buf_len);
+ out_buf_len =
+ min_t(u32, work->response_sz - work->next_smb2_rsp_hdr_off -
+ (offsetof(struct smb2_ioctl_rsp, Buffer) - 4),
+ out_buf_len);
+ in_buf_len = le32_to_cpu(req->InputCount);
switch (cnt_code) {
case FSCTL_DFS_GET_REFERRALS:
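Review bot: The new clamp computes `work->response_sz - work->next_smb2_rsp_hdr_off - (offsetof(struct smb2_ioctl_rsp, Buffer) - 4)` and casts the result to u32 inside `min_t()`. If the remaining space were ever smaller than the fixed response header, the difference would become a very large u32 and `out_buf_len` would stay at whatever the client sent in MaxOutputResponse. Check that the remaining space is sufficient before the `min_t()` and fail the request otherwise, and give the `- 4` a named constant or a comment.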
@@ -7440,6 +7451,7 @@ int smb2_ioctl(struct ksmbd_work *work)
break;
}
case FSCTL_PIPE_TRANSCEIVE:
+ out_buf_len = min_t(u32, KSMBD_IPC_MAX_PAYLOAD, out_buf_len);
nbytes = fsctl_pipe_transceive(work, id, out_buf_len, req, rsp);
break;
case FSCTL_VALIDATE_NEGOTIATE_INFO:
@@ -7448,9 +7460,16 @@ int smb2_ioctl(struct ksmbd_work *work)
goto out;
}
+ if (in_buf_len < sizeof(struct validate_negotiate_info_req))
+ return -EINVAL;
+
+ if (out_buf_len < sizeof(struct validate_negotiate_info_rsp))
+ return -EINVAL;
+
ret = fsctl_validate_negotiate_info(conn,
(struct validate_negotiate_info_req *)&req->Buffer[0],
- (struct validate_negotiate_info_rsp *)&rsp->Buffer[0]);
+ (struct validate_negotiate_info_rsp *)&rsp->Buffer[0],
+ in_buf_len);
if (ret < 0)
goto out;
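Review bot: The two new size checks in the FSCTL_VALIDATE_NEGOTIATE_INFO case use a bare `return -EINVAL;`, while every other check added by this patch uses `ret = -EINVAL; goto out;`. Returning directly skips the `out` path, where `rsp->hdr.Status` is filled in and smb2_set_err_rsp() is called, so the client would get no proper error response for a short buffer. Use the `goto out` form here as well.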
@@ -7459,9 +7478,10 @@ int smb2_ioctl(struct ksmbd_work *work)
rsp->VolatileFileId = cpu_to_le64(SMB2_NO_FID);
break;
case FSCTL_QUERY_NETWORK_INTERFACE_INFO:
- nbytes = fsctl_query_iface_info_ioctl(conn, req, rsp);
- if (nbytes < 0)
+ ret = fsctl_query_iface_info_ioctl(conn, rsp, out_buf_len);
+ if (ret < 0)
goto out;
+ nbytes = ret;
break;
case FSCTL_REQUEST_RESUME_KEY:
if (out_buf_len < sizeof(struct resume_key_ioctl_rsp)) {
@@ -7486,15 +7506,33 @@ int smb2_ioctl(struct ksmbd_work *work)
goto out;
}
+ if (in_buf_len < sizeof(struct copychunk_ioctl_req)) {
+ ret = -EINVAL;
+ goto out;
+ }
+
if (out_buf_len < sizeof(struct copychunk_ioctl_rsp)) {
ret = -EINVAL;
goto out;
}
nbytes = sizeof(struct copychunk_ioctl_rsp);
- fsctl_copychunk(work, req, rsp);
+ rsp->VolatileFileId = req->VolatileFileId;
+ rsp->PersistentFileId = req->PersistentFileId;
+ fsctl_copychunk(work,
+ (struct copychunk_ioctl_req *)&req->Buffer[0],
+ le32_to_cpu(req->CntCode),
+ le32_to_cpu(req->InputCount),
+ le64_to_cpu(req->VolatileFileId),
+ le64_to_cpu(req->PersistentFileId),
+ rsp);
break;
case FSCTL_SET_SPARSE:
+ if (in_buf_len < sizeof(struct file_sparse)) {
+ ret = -EINVAL;
+ goto out;
+ }
+
ret = fsctl_set_sparse(work, id,
(struct file_sparse *)&req->Buffer[0]);
if (ret < 0)
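Review bot: In the copychunk case, `rsp->VolatileFileId` and `rsp->PersistentFileId` are assigned here and then assigned again inside fsctl_copychunk() from `volatile_id` and `persistent_id`; one of the two is redundant. The call also re-reads `le32_to_cpu(req->CntCode)` and `le32_to_cpu(req->InputCount)` although `cnt_code` and `in_buf_len` already hold those values, and the return value of fsctl_copychunk() is still ignored, so its -EINVAL never reaches the `out` handling. Pass the locals and assign the result to `ret`.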
@@ -7513,6 +7551,11 @@ int smb2_ioctl(struct ksmbd_work *work)
goto out;
}
+ if (in_buf_len < sizeof(struct file_zero_data_information)) {
+ ret = -EINVAL;
+ goto out;
+ }
+
zero_data =
(struct file_zero_data_information *)&req->Buffer[0];
@@ -7532,6 +7575,11 @@ int smb2_ioctl(struct ksmbd_work *work)
break;
}
case FSCTL_QUERY_ALLOCATED_RANGES:
+ if (in_buf_len < sizeof(struct file_allocated_range_buffer)) {
+ ret = -EINVAL;
+ goto out;
+ }
+
ret = fsctl_query_allocated_ranges(work, id,
(struct file_allocated_range_buffer *)&req->Buffer[0],
(struct file_allocated_range_buffer *)&rsp->Buffer[0],
@@ -7572,6 +7620,11 @@ int smb2_ioctl(struct ksmbd_work *work)
struct duplicate_extents_to_file *dup_ext;
loff_t src_off, dst_off, length, cloned;
+ if (in_buf_len < sizeof(struct duplicate_extents_to_file)) {
+ ret = -EINVAL;
+ goto out;
+ }
+
dup_ext = (struct duplicate_extents_to_file *)&req->Buffer[0];
fp_in = ksmbd_lookup_fd_slow(work, dup_ext->VolatileFileHandle,
@@ -7642,6 +7695,8 @@ int smb2_ioctl(struct ksmbd_work *work)
rsp->hdr.Status = STATUS_OBJECT_NAME_NOT_FOUND;
else if (ret == -EOPNOTSUPP)
rsp->hdr.Status = STATUS_NOT_SUPPORTED;
+ else if (ret == -ENOSPC)
+ rsp->hdr.Status = STATUS_BUFFER_TOO_SMALL;
else if (ret < 0 || rsp->hdr.Status == 0)
rsp->hdr.Status = STATUS_INVALID_PARAMETER;
smb2_set_err_rsp(work);
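Review bot: the new -ENOSPC to STATUS_BUFFER_TOO_SMALL mapping is reached only by handlers that return -ENOSPC, yet the out_buf_len checks visible earlier in this patch (for example `out_buf_len < sizeof(struct copychunk_ioctl_rsp)`) still return -EINVAL and therefore report STATUS_INVALID_PARAMETER. Decide which status an undersized output buffer should produce and use one errno for it consistently, or add a comment naming the handlers that are expected to return -ENOSPC.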
diff --git a/fs/ksmbd/vfs.c b/fs/ksmbd/vfs.c
index 2887995b2c47..7f6a53ddf8a1 100644
--- a/fs/ksmbd/vfs.c
+++ b/fs/ksmbd/vfs.c
@@ -990,7 +990,7 @@ int ksmbd_vfs_zero_data(struct ksmbd_work *work, struct ksmbd_file *fp,
int ksmbd_vfs_fqar_lseek(struct ksmbd_file *fp, loff_t start, loff_t length,
struct file_allocated_range_buffer *ranges,
- int in_count, int *out_count)
+ unsigned int in_count, unsigned int *out_count)
{
struct file *f = fp->filp;
struct inode *inode = file_inode(fp->filp);
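Review bot: in_count and out_count become unsigned in the ksmbd_vfs_fqar_lseek() signature, but the function body is outside this hunk. Any local index or comparison against in_count should be converted to unsigned int in the same patch, otherwise the signed/unsigned mix just moves inside the function.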
diff --git a/fs/ksmbd/vfs.h b/fs/ksmbd/vfs.h
index ef4a89cf0221..51ff1f63965c 100644
--- a/fs/ksmbd/vfs.h
+++ b/fs/ksmbd/vfs.h
@@ -159,7 +159,7 @@ int ksmbd_vfs_zero_data(struct ksmbd_work *work, struct ksmbd_file *fp,
struct file_allocated_range_buffer;
int ksmbd_vfs_fqar_lseek(struct ksmbd_file *fp, loff_t start, loff_t length,
struct file_allocated_range_buffer *ranges,
- int in_count, int *out_count);
+ unsigned int in_count, unsigned int *out_count);
int ksmbd_vfs_unlink(struct dentry *dir, struct dentry *dentry);
void *ksmbd_vfs_init_kstat(char **p, struct ksmbd_kstat *ksmbd_kstat);
int ksmbd_vfs_fill_dentry_attrs(struct ksmbd_work *work, struct dentry *dentry,
From patchwork Mon Nov 14 12:52:24 2022
X-Patchwork-Submitter: Jason Yan <yanaijie(a)huawei.com>
X-Patchwork-Id: 183332
From: Jason Yan <yanaijie(a)huawei.com>
To: <yanaijie(a)huawei.com>, <zhengzengkai(a)huawei.com>, <xiexiuqi(a)huawei.com>,
<yi.zhang(a)huawei.com>, <patchwork(a)huawei.com>, <kernel.openeuler(a)huawei.com>,
<houtao1(a)huawei.com>
Subject: [PATCH OLK-5.10 v2 235/308] ksmbd: improve credits management
Date: Mon, 14 Nov 2022 20:52:24 +0800
Message-ID: <20221114125337.1831594-236-yanaijie(a)huawei.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20221114125337.1831594-1-yanaijie(a)huawei.com>
References: <20221114125337.1831594-1-yanaijie(a)huawei.com>
From: Hyunchul Lee <hyc.lee(a)gmail.com>
mainline inclusion
from mainline-5.15-rc7
commit bf8acc9e10e21c28452dfa067a7d31e6067104b1
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G
CVE: NA
Reference: https://git.kernel.org/torvalds/linux/c/bf8acc9e10e2
-------------------------------
* Requests except READ, WRITE, IOCTL, INFO, QUERY
DIRECTORY, CANCEL must consume one credit.
* If client's granted credits are insufficient,
refuse to handle requests.
* Windows Server 2016 or later grants up to 8192
credits to clients at once.
Acked-by: Namjae Jeon <linkinjeon(a)kernel.org>
Signed-off-by: Hyunchul Lee <hyc.lee(a)gmail.com>
Signed-off-by: Steve French <stfrench(a)microsoft.com>
Signed-off-by: Jason Yan <yanaijie(a)huawei.com>
---
fs/ksmbd/connection.c | 2 ++
fs/ksmbd/smb2misc.c | 38 ++++++++++++++------
fs/ksmbd/smb2pdu.c | 81 ++++++++++++++++---------------------------
3 files changed, 59 insertions(+), 62 deletions(-)
diff --git a/fs/ksmbd/connection.c b/fs/ksmbd/connection.c
index 48b18b4ec117..b57a0d8a392f 100644
--- a/fs/ksmbd/connection.c
+++ b/fs/ksmbd/connection.c
@@ -61,6 +61,8 @@ struct ksmbd_conn *ksmbd_conn_alloc(void)
conn->local_nls = load_nls_default();
atomic_set(&conn->req_running, 0);
atomic_set(&conn->r_count, 0);
+ conn->total_credits = 1;
+
init_waitqueue_head(&conn->req_running_q);
INIT_LIST_HEAD(&conn->conns_list);
INIT_LIST_HEAD(&conn->sessions);
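Review bot: total_credits is initialised to 1 here, and the smb2misc.c part of this patch starts taking conn->credits_lock and comparing against conn->max_credits, neither of which is set up in the lines shown. Please confirm both are initialised before the first request can reach smb2_validate_credit_charge(), and add a short comment saying why the starting value is 1.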
diff --git a/fs/ksmbd/smb2misc.c b/fs/ksmbd/smb2misc.c
index 9edd9c161b27..e7e441c8f050 100644
--- a/fs/ksmbd/smb2misc.c
+++ b/fs/ksmbd/smb2misc.c
@@ -284,11 +284,13 @@ static inline int smb2_ioctl_resp_len(struct smb2_ioctl_req *h)
le32_to_cpu(h->MaxOutputResponse);
}
-static int smb2_validate_credit_charge(struct smb2_hdr *hdr)
+static int smb2_validate_credit_charge(struct ksmbd_conn *conn,
+ struct smb2_hdr *hdr)
{
- int req_len = 0, expect_resp_len = 0, calc_credit_num, max_len;
- int credit_charge = le16_to_cpu(hdr->CreditCharge);
+ unsigned int req_len = 0, expect_resp_len = 0, calc_credit_num, max_len;
+ unsigned short credit_charge = le16_to_cpu(hdr->CreditCharge);
void *__hdr = hdr;
+ int ret;
switch (hdr->Command) {
case SMB2_QUERY_INFO:
@@ -310,21 +312,37 @@ static int smb2_validate_credit_charge(struct smb2_hdr *hdr)
req_len = smb2_ioctl_req_len(__hdr);
expect_resp_len = smb2_ioctl_resp_len(__hdr);
break;
- default:
+ case SMB2_CANCEL:
return 0;
+ default:
+ req_len = 1;
+ break;
}
- credit_charge = max(1, credit_charge);
- max_len = max(req_len, expect_resp_len);
+ credit_charge = max_t(unsigned short, credit_charge, 1);
+ max_len = max_t(unsigned int, req_len, expect_resp_len);
calc_credit_num = DIV_ROUND_UP(max_len, SMB2_MAX_BUFFER_SIZE);
if (credit_charge < calc_credit_num) {
- pr_err("Insufficient credit charge, given: %d, needed: %d\n",
- credit_charge, calc_credit_num);
+ ksmbd_debug(SMB, "Insufficient credit charge, given: %d, needed: %d\n",
+ credit_charge, calc_credit_num);
+ return 1;
+ } else if (credit_charge > conn->max_credits) {
+ ksmbd_debug(SMB, "Too large credit charge: %d\n", credit_charge);
return 1;
}
- return 0;
+ spin_lock(&conn->credits_lock);
+ if (credit_charge <= conn->total_credits) {
+ conn->total_credits -= credit_charge;
+ ret = 0;
+ } else {
+ ksmbd_debug(SMB, "Insufficient credits granted, given: %u, granted: %u\n",
+ credit_charge, conn->total_credits);
+ ret = 1;
+ }
+ spin_unlock(&conn->credits_lock);
+ return ret;
}
int ksmbd_smb2_check_message(struct ksmbd_work *work)
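Review bot: conn->total_credits is now decremented under conn->credits_lock in smb2_validate_credit_charge(), but smb2_set_rsp_credits() in the smb2pdu.c part of this patch reads and updates the same field (`conn->total_credits += credits_granted;`) with no lock visible in that hunk. Take credits_lock on both sides or document why the response path cannot race with validation. Separately, credit_charge and calc_credit_num are now unsigned but the first two ksmbd_debug() calls still format them with %d; use %u as the third message does.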
@@ -383,7 +401,7 @@ int ksmbd_smb2_check_message(struct ksmbd_work *work)
}
if ((work->conn->vals->capabilities & SMB2_GLOBAL_CAP_LARGE_MTU) &&
- smb2_validate_credit_charge(hdr)) {
+ smb2_validate_credit_charge(work->conn, hdr)) {
work->conn->ops->set_rsp_status(work, STATUS_INVALID_PARAMETER);
return 1;
}
diff --git a/fs/ksmbd/smb2pdu.c b/fs/ksmbd/smb2pdu.c
index 2a4647273549..f081f1735c5a 100644
--- a/fs/ksmbd/smb2pdu.c
+++ b/fs/ksmbd/smb2pdu.c
@@ -292,22 +292,6 @@ int init_smb2_neg_rsp(struct ksmbd_work *work)
return 0;
}
-static int smb2_consume_credit_charge(struct ksmbd_work *work,
- unsigned short credit_charge)
-{
- struct ksmbd_conn *conn = work->conn;
- unsigned int rsp_credits = 1;
-
- if (!conn->total_credits)
- return 0;
-
- if (credit_charge > 0)
- rsp_credits = credit_charge;
-
- conn->total_credits -= rsp_credits;
- return rsp_credits;
-}
-
/**
* smb2_set_rsp_credits() - set number of credits in response buffer
* @work: smb work containing smb response buffer
@@ -317,49 +301,43 @@ int smb2_set_rsp_credits(struct ksmbd_work *work)
struct smb2_hdr *req_hdr = ksmbd_req_buf_next(work);
struct smb2_hdr *hdr = ksmbd_resp_buf_next(work);
struct ksmbd_conn *conn = work->conn;
- unsigned short credits_requested = le16_to_cpu(req_hdr->CreditRequest);
- unsigned short credit_charge = 1, credits_granted = 0;
- unsigned short aux_max, aux_credits, min_credits;
- int rsp_credit_charge;
+ unsigned short credits_requested;
+ unsigned short credit_charge, credits_granted = 0;
+ unsigned short aux_max, aux_credits;
- if (hdr->Command == SMB2_CANCEL)
- goto out;
+ if (work->send_no_response)
+ return 0;
- /* get default minimum credits by shifting maximum credits by 4 */
- min_credits = conn->max_credits >> 4;
+ hdr->CreditCharge = req_hdr->CreditCharge;
- if (conn->total_credits >= conn->max_credits) {
+ if (conn->total_credits > conn->max_credits) {
+ hdr->CreditRequest = 0;
pr_err("Total credits overflow: %d\n", conn->total_credits);
- conn->total_credits = min_credits;
- }
-
- rsp_credit_charge =
- smb2_consume_credit_charge(work, le16_to_cpu(req_hdr->CreditCharge));
- if (rsp_credit_charge < 0)
return -EINVAL;
+ }
- hdr->CreditCharge = cpu_to_le16(rsp_credit_charge);
+ credit_charge = max_t(unsigned short,
+ le16_to_cpu(req_hdr->CreditCharge), 1);
+ credits_requested = max_t(unsigned short,
+ le16_to_cpu(req_hdr->CreditRequest), 1);
- if (credits_requested > 0) {
- aux_credits = credits_requested - 1;
- aux_max = 32;
- if (hdr->Command == SMB2_NEGOTIATE)
- aux_max = 0;
- aux_credits = (aux_credits < aux_max) ? aux_credits : aux_max;
- credits_granted = aux_credits + credit_charge;
+ /* according to smb2.credits smbtorture, Windows server
+ * 2016 or later grant up to 8192 credits at once.
+ *
+ * TODO: Need to adjuct CreditRequest value according to
+ * current cpu load
+ */
+ aux_credits = credits_requested - 1;
+ if (hdr->Command == SMB2_NEGOTIATE)
+ aux_max = 0;
+ else
+ aux_max = conn->max_credits - credit_charge;
+ aux_credits = min_t(unsigned short, aux_credits, aux_max);
+ credits_granted = credit_charge + aux_credits;
- /* if credits granted per client is getting bigger than default
- * minimum credits then we should wrap it up within the limits.
- */
- if ((conn->total_credits + credits_granted) > min_credits)
- credits_granted = min_credits - conn->total_credits;
- /*
- * TODO: Need to adjuct CreditRequest value according to
- * current cpu load
- */
- } else if (conn->total_credits == 0) {
- credits_granted = 1;
- }
+ if (conn->max_credits - conn->total_credits < credits_granted)
+ credits_granted = conn->max_credits -
+ conn->total_credits;
conn->total_credits += credits_granted;
work->credits_granted += credits_granted;
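Review bot: `aux_max = conn->max_credits - credit_charge;` is stored in an unsigned short, and credit_charge comes straight from req_hdr->CreditCharge. The only bound on it is in smb2_validate_credit_charge(), which ksmbd_smb2_check_message() calls only when SMB2_GLOBAL_CAP_LARGE_MTU is set. For a connection without that capability a charge above max_credits makes the subtraction wrap, and the result is rescued only by the final clamp against `conn->max_credits - conn->total_credits`. Clamp credit_charge to conn->max_credits here, or add a comment stating which earlier check guarantees the bound.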
@@ -368,7 +346,6 @@ int smb2_set_rsp_credits(struct ksmbd_work *work)
/* Update CreditRequest in last request */
hdr->CreditRequest = cpu_to_le16(work->credits_granted);
}
-out:
ksmbd_debug(SMB,
"credits: requested[%d] granted[%d] total_granted[%d]\n",
credits_requested, credits_granted,
From patchwork Mon Nov 14 12:52:25 2022
X-Patchwork-Submitter: Jason Yan <yanaijie(a)huawei.com>
X-Patchwork-Id: 183333
From: Jason Yan <yanaijie(a)huawei.com>
To: <yanaijie(a)huawei.com>, <zhengzengkai(a)huawei.com>, <xiexiuqi(a)huawei.com>,
<yi.zhang(a)huawei.com>, <patchwork(a)huawei.com>, <kernel.openeuler(a)huawei.com>,
<houtao1(a)huawei.com>
Subject: [PATCH OLK-5.10 v2 236/308] ksmbd: fix potencial 32bit overflow from
data area check in smb2_write
Date: Mon, 14 Nov 2022 20:52:25 +0800
Message-ID: <20221114125337.1831594-237-yanaijie(a)huawei.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20221114125337.1831594-1-yanaijie(a)huawei.com>
References: <20221114125337.1831594-1-yanaijie(a)huawei.com>
From: Namjae Jeon <linkinjeon(a)kernel.org>
mainline inclusion
from mainline-5.15-rc7
commit 9a63b999ae5435d82a5c353c6b1467100f857742
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G
CVE: NA
Reference: https://git.kernel.org/torvalds/linux/c/9a63b999ae54
-------------------------------
DataOffset and Length validation can be potential 32bit overflow.
This patch fixes it.
Signed-off-by: Namjae Jeon <linkinjeon(a)kernel.org>
Signed-off-by: Steve French <stfrench(a)microsoft.com>
Signed-off-by: Jason Yan <yanaijie(a)huawei.com>
---
fs/ksmbd/smb2pdu.c | 6 ++----
1 file changed, 2 insertions(+), 4 deletions(-)
diff --git a/fs/ksmbd/smb2pdu.c b/fs/ksmbd/smb2pdu.c
index f081f1735c5a..32e7d107fa0c 100644
--- a/fs/ksmbd/smb2pdu.c
+++ b/fs/ksmbd/smb2pdu.c
@@ -6147,8 +6147,7 @@ static noinline int smb2_write_pipe(struct ksmbd_work *work)
(offsetof(struct smb2_write_req, Buffer) - 4)) {
data_buf = (char *)&req->Buffer[0];
} else {
- if ((le16_to_cpu(req->DataOffset) > get_rfc1002_len(req)) ||
- (le16_to_cpu(req->DataOffset) + length > get_rfc1002_len(req))) {
+ if ((u64)le16_to_cpu(req->DataOffset) + length > get_rfc1002_len(req)) {
pr_err("invalid write data offset %u, smb_len %u\n",
le16_to_cpu(req->DataOffset),
get_rfc1002_len(req));
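Review bot: the pr_err() under the new `(u64)le16_to_cpu(req->DataOffset) + length > get_rfc1002_len(req)` test still prints only DataOffset and smb_len, so a request rejected because of length gives no hint why. Add length to the message, and consider a rate-limited or debug-level print since all three values are client-controlled.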
@@ -6306,8 +6305,7 @@ int smb2_write(struct ksmbd_work *work)
(offsetof(struct smb2_write_req, Buffer) - 4)) {
data_buf = (char *)&req->Buffer[0];
} else {
- if ((le16_to_cpu(req->DataOffset) > get_rfc1002_len(req)) ||
- (le16_to_cpu(req->DataOffset) + length > get_rfc1002_len(req))) {
+ if ((u64)le16_to_cpu(req->DataOffset) + length > get_rfc1002_len(req)) {
pr_err("invalid write data offset %u, smb_len %u\n",
le16_to_cpu(req->DataOffset),
get_rfc1002_len(req));
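Review bot: this is the same bounds test as in smb2_write_pipe() above, duplicated verbatim including the message. A small helper taking req and length would keep the two write paths from drifting apart the next time the check changes.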
From patchwork Mon Nov 14 12:52:26 2022
X-Patchwork-Submitter: Jason Yan <yanaijie(a)huawei.com>
X-Patchwork-Id: 183334
From: Jason Yan <yanaijie(a)huawei.com>
To: <yanaijie(a)huawei.com>, <zhengzengkai(a)huawei.com>, <xiexiuqi(a)huawei.com>,
<yi.zhang(a)huawei.com>, <patchwork(a)huawei.com>, <kernel.openeuler(a)huawei.com>,
<houtao1(a)huawei.com>
Subject: [PATCH OLK-5.10 v2 237/308] ksmbd: validate compound response buffer
Date: Mon, 14 Nov 2022 20:52:26 +0800
Message-ID: <20221114125337.1831594-238-yanaijie(a)huawei.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20221114125337.1831594-1-yanaijie(a)huawei.com>
References: <20221114125337.1831594-1-yanaijie(a)huawei.com>
From: Namjae Jeon <linkinjeon(a)kernel.org>
mainline inclusion
from mainline-5.15-rc7
commit dbad63001eac3abeeb2b66ddf71504e8ab128c5c
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G
CVE: NA
Reference: https://git.kernel.org/torvalds/linux/c/dbad63001eac
-------------------------------
Add the check to validate compound response buffer.
Signed-off-by: Namjae Jeon <linkinjeon(a)kernel.org>
Signed-off-by: Steve French <stfrench(a)microsoft.com>
Signed-off-by: Jason Yan <yanaijie(a)huawei.com>
---
fs/ksmbd/smb2pdu.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/fs/ksmbd/smb2pdu.c b/fs/ksmbd/smb2pdu.c
index 32e7d107fa0c..7da58e4e4abf 100644
--- a/fs/ksmbd/smb2pdu.c
+++ b/fs/ksmbd/smb2pdu.c
@@ -449,6 +449,12 @@ bool is_chained_smb2_message(struct ksmbd_work *work)
return false;
}
+ if ((u64)get_rfc1002_len(work->response_buf) + MAX_CIFS_SMALL_BUFFER_SIZE >
+ work->response_sz) {
+ pr_err("next response offset exceeds response buffer size\n");
+ return false;
+ }
+
ksmbd_debug(SMB, "got SMB2 chained command\n");
init_chained_smb2_rsp(work);
return true;
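Review bot: when the new size check fails, is_chained_smb2_message() returns false, which the caller cannot distinguish from "no further chained command", so as far as this hunk shows the remaining requests of the compound are not answered with an error. Consider setting a status on the response before returning, and add a comment explaining why MAX_CIFS_SMALL_BUFFER_SIZE is the right headroom for the next response.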
From patchwork Mon Nov 14 12:52:27 2022
X-Patchwork-Submitter: Jason Yan <yanaijie(a)huawei.com>
X-Patchwork-Id: 183335
From: Jason Yan <yanaijie(a)huawei.com>
To: <yanaijie(a)huawei.com>, <zhengzengkai(a)huawei.com>, <xiexiuqi(a)huawei.com>,
<yi.zhang(a)huawei.com>, <patchwork(a)huawei.com>, <kernel.openeuler(a)huawei.com>,
<houtao1(a)huawei.com>
Subject: [PATCH OLK-5.10 v2 238/308] ksmbd: limit read/write/trans buffer size
not to exceed 8MB
Date: Mon, 14 Nov 2022 20:52:27 +0800
Message-ID: <20221114125337.1831594-239-yanaijie(a)huawei.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20221114125337.1831594-1-yanaijie(a)huawei.com>
References: <20221114125337.1831594-1-yanaijie(a)huawei.com>
From: Namjae Jeon <linkinjeon(a)kernel.org>
mainline inclusion
from mainline-5.15-rc7
commit 4bc59477c3298b191c72b5d99feb54a1dc8c254d
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G
CVE: NA
Reference: https://git.kernel.org/torvalds/linux/c/4bc59477c329
-------------------------------
ksmbd limits read/write/trans buffer size not to exceed maximum 8MB.
And set the minimum value of max response buffer size to 64KB.
Windows client doesn't send session setup request if ksmbd sets max
trans/read/write size lower than 64KB in smb2 negotiate.
It means Windows allows at least 64 KB or more for this value.
Signed-off-by: Namjae Jeon <linkinjeon(a)kernel.org>
Signed-off-by: Steve French <stfrench(a)microsoft.com>
Signed-off-by: Jason Yan <yanaijie(a)huawei.com>
---
fs/ksmbd/smb2ops.c | 3 +++
fs/ksmbd/smb2pdu.c | 2 +-
fs/ksmbd/smb2pdu.h | 2 ++
3 files changed, 6 insertions(+), 1 deletion(-)
diff --git a/fs/ksmbd/smb2ops.c b/fs/ksmbd/smb2ops.c
index b06456eb587b..fb6a65d23139 100644
--- a/fs/ksmbd/smb2ops.c
+++ b/fs/ksmbd/smb2ops.c
@@ -284,6 +284,7 @@ int init_smb3_11_server(struct ksmbd_conn *conn)
void init_smb2_max_read_size(unsigned int sz)
{
+ sz = clamp_val(sz, SMB3_MIN_IOSIZE, SMB3_MAX_IOSIZE);
smb21_server_values.max_read_size = sz;
smb30_server_values.max_read_size = sz;
smb302_server_values.max_read_size = sz;
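Review bot: clamp_val() silently replaces an out-of-range sz in init_smb2_max_read_size(), and the same line is repeated in the write and trans setters below. Log when the requested value is adjusted so that it is visible that the effective size differs from what the caller asked for, and consider one helper shared by the three setters.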
@@ -292,6 +293,7 @@ void init_smb2_max_read_size(unsigned int sz)
void init_smb2_max_write_size(unsigned int sz)
{
+ sz = clamp_val(sz, SMB3_MIN_IOSIZE, SMB3_MAX_IOSIZE);
smb21_server_values.max_write_size = sz;
smb30_server_values.max_write_size = sz;
smb302_server_values.max_write_size = sz;
@@ -300,6 +302,7 @@ void init_smb2_max_write_size(unsigned int sz)
void init_smb2_max_trans_size(unsigned int sz)
{
+ sz = clamp_val(sz, SMB3_MIN_IOSIZE, SMB3_MAX_IOSIZE);
smb21_server_values.max_trans_size = sz;
smb30_server_values.max_trans_size = sz;
smb302_server_values.max_trans_size = sz;
diff --git a/fs/ksmbd/smb2pdu.c b/fs/ksmbd/smb2pdu.c
index 7da58e4e4abf..2e4380cffac5 100644
--- a/fs/ksmbd/smb2pdu.c
+++ b/fs/ksmbd/smb2pdu.c
@@ -524,7 +524,7 @@ int smb2_allocate_rsp_buf(struct ksmbd_work *work)
{
struct smb2_hdr *hdr = work->request_buf;
size_t small_sz = MAX_CIFS_SMALL_BUFFER_SIZE;
- size_t large_sz = work->conn->vals->max_trans_size + MAX_SMB2_HDR_SIZE;
+ size_t large_sz = small_sz + work->conn->vals->max_trans_size;
size_t sz = small_sz;
int cmd = le16_to_cpu(hdr->Command);
diff --git a/fs/ksmbd/smb2pdu.h b/fs/ksmbd/smb2pdu.h
index a6dec5ec6a54..ff5a2f01d34a 100644
--- a/fs/ksmbd/smb2pdu.h
+++ b/fs/ksmbd/smb2pdu.h
@@ -113,6 +113,8 @@
#define SMB21_DEFAULT_IOSIZE (1024 * 1024)
#define SMB3_DEFAULT_IOSIZE (4 * 1024 * 1024)
#define SMB3_DEFAULT_TRANS_SIZE (1024 * 1024)
+#define SMB3_MIN_IOSIZE (64 * 1024)
+#define SMB3_MAX_IOSIZE (8 * 1024 * 1024)
/*
* SMB2 Header Definition
From patchwork Mon Nov 14 12:52:28 2022
X-Patchwork-Submitter: Jason Yan <yanaijie(a)huawei.com>
X-Patchwork-Id: 183336
From: Jason Yan <yanaijie(a)huawei.com>
To: <yanaijie(a)huawei.com>, <zhengzengkai(a)huawei.com>, <xiexiuqi(a)huawei.com>,
<yi.zhang(a)huawei.com>, <patchwork(a)huawei.com>, <kernel.openeuler(a)huawei.com>,
<houtao1(a)huawei.com>
Subject: [PATCH OLK-5.10 v2 239/308] ksmbd: add buffer validation for smb
direct
Date: Mon, 14 Nov 2022 20:52:28 +0800
Message-ID: <20221114125337.1831594-240-yanaijie(a)huawei.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20221114125337.1831594-1-yanaijie(a)huawei.com>
References: <20221114125337.1831594-1-yanaijie(a)huawei.com>
From: Hyunchul Lee <hyc.lee(a)gmail.com>
mainline inclusion
from mainline-5.15-rc7
commit 2ea086e35c3d726a3bacd0a971c1f02a50e98206
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G
CVE: NA
Reference: https://git.kernel.org/torvalds/linux/c/2ea086e35c3d
-------------------------------
Add buffer validation for smb direct.
Acked-by: Namjae Jeon <linkinjeon(a)kernel.org>
Signed-off-by: Hyunchul Lee <hyc.lee(a)gmail.com>
Signed-off-by: Steve French <stfrench(a)microsoft.com>
Signed-off-by: Jason Yan <yanaijie(a)huawei.com>
---
fs/ksmbd/transport_rdma.c | 21 +++++++++++++++++++--
1 file changed, 19 insertions(+), 2 deletions(-)
diff --git a/fs/ksmbd/transport_rdma.c b/fs/ksmbd/transport_rdma.c
index 3a7fa23ba850..a2fd5a4d4cd5 100644
--- a/fs/ksmbd/transport_rdma.c
+++ b/fs/ksmbd/transport_rdma.c
@@ -549,6 +549,10 @@ static void recv_done(struct ib_cq *cq, struct ib_wc *wc)
switch (recvmsg->type) {
case SMB_DIRECT_MSG_NEGOTIATE_REQ:
+ if (wc->byte_len < sizeof(struct smb_direct_negotiate_req)) {
+ put_empty_recvmsg(t, recvmsg);
+ return;
+ }
t->negotiation_requested = true;
t->full_packet_received = true;
wake_up_interruptible(&t->wait_status);
@@ -556,10 +560,23 @@ static void recv_done(struct ib_cq *cq, struct ib_wc *wc)
case SMB_DIRECT_MSG_DATA_TRANSFER: {
struct smb_direct_data_transfer *data_transfer =
(struct smb_direct_data_transfer *)recvmsg->packet;
- int data_length = le32_to_cpu(data_transfer->data_length);
+ unsigned int data_length;
int avail_recvmsg_count, receive_credits;
+ if (wc->byte_len <
+ offsetof(struct smb_direct_data_transfer, padding)) {
+ put_empty_recvmsg(t, recvmsg);
+ return;
+ }
+
+ data_length = le32_to_cpu(data_transfer->data_length);
if (data_length) {
+ if (wc->byte_len < sizeof(struct smb_direct_data_transfer) +
+ (u64)data_length) {
+ put_empty_recvmsg(t, recvmsg);
+ return;
+ }
+
if (t->full_packet_received)
recvmsg->first_segment = true;
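Review bot: both new length checks in the SMB_DIRECT_MSG_DATA_TRANSFER case drop the message through put_empty_recvmsg() with no debug output, which makes a malformed peer hard to diagnose; a ksmbd_debug() line carrying wc->byte_len and data_length would cover it. The header check also uses `offsetof(struct smb_direct_data_transfer, padding)` while the payload check uses `sizeof(struct smb_direct_data_transfer) + (u64)data_length`, so a one-line comment on why the two minimums differ would help the next reader.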
@@ -568,7 +585,7 @@ static void recv_done(struct ib_cq *cq, struct ib_wc *wc)
else
t->full_packet_received = true;
- enqueue_reassembly(t, recvmsg, data_length);
+ enqueue_reassembly(t, recvmsg, (int)data_length);
wake_up_interruptible(&t->wait_reassembly_queue);
spin_lock(&t->receive_credit_lock);
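Review bot: `enqueue_reassembly(t, recvmsg, (int)data_length);` casts the now-unsigned length back to int at the call site. If enqueue_reassembly() still takes an int, changing its parameter to unsigned int would remove the cast and keep the value unsigned through the reassembly accounting.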
From patchwork Mon Nov 14 12:52:29 2022
X-Patchwork-Submitter: Jason Yan <yanaijie(a)huawei.com>
X-Patchwork-Id: 183337
From: Jason Yan <yanaijie(a)huawei.com>
To: <yanaijie(a)huawei.com>, <zhengzengkai(a)huawei.com>, <xiexiuqi(a)huawei.com>,
<yi.zhang(a)huawei.com>, <patchwork(a)huawei.com>, <kernel.openeuler(a)huawei.com>,
<houtao1(a)huawei.com>
Subject: [PATCH OLK-5.10 v2 240/308] ksmbd: validate credit charge after
validating SMB2 PDU body size
Date: Mon, 14 Nov 2022 20:52:29 +0800
Message-ID: <20221114125337.1831594-241-yanaijie(a)huawei.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20221114125337.1831594-1-yanaijie(a)huawei.com>
References: <20221114125337.1831594-1-yanaijie(a)huawei.com>
From: Ralph Boehme <slow(a)samba.org>
mainline inclusion
from mainline-5.15-rc7
commit 7a33488705008b5bb5f8d95d05326dcc64fc55f4
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G
CVE: NA
Reference: https://git.kernel.org/torvalds/linux/c/7a3348870500
-------------------------------
smb2_validate_credit_charge() accesses fields in the SMB2 PDU body,
but until smb2_calc_size() is called the PDU has not yet been verified
to be large enough to access the PDU dynamic part length field.
Acked-by: Namjae Jeon <linkinjeon(a)kernel.org>
Signed-off-by: Ralph Boehme <slow(a)samba.org>
Signed-off-by: Steve French <stfrench(a)microsoft.com>
Signed-off-by: Jason Yan <yanaijie(a)huawei.com>
---
fs/ksmbd/smb2misc.c | 19 ++++++++++---------
1 file changed, 10 insertions(+), 9 deletions(-)
diff --git a/fs/ksmbd/smb2misc.c b/fs/ksmbd/smb2misc.c
index e7e441c8f050..030ca57c3784 100644
--- a/fs/ksmbd/smb2misc.c
+++ b/fs/ksmbd/smb2misc.c
@@ -400,26 +400,20 @@ int ksmbd_smb2_check_message(struct ksmbd_work *work)
}
}
- if ((work->conn->vals->capabilities & SMB2_GLOBAL_CAP_LARGE_MTU) &&
- smb2_validate_credit_charge(work->conn, hdr)) {
- work->conn->ops->set_rsp_status(work, STATUS_INVALID_PARAMETER);
- return 1;
- }
-
if (smb2_calc_size(hdr, &clc_len))
return 1;
if (len != clc_len) {
/* client can return one byte more due to implied bcc[0] */
if (clc_len == len + 1)
- return 0;
+ goto validate_credit;
/*
* Some windows servers (win2016) will pad also the final
* PDU in a compound to 8 bytes.
*/
if (ALIGN(clc_len, 8) == len)
- return 0;
+ goto validate_credit;
/*
* windows client also pad up to 8 bytes when compounding.
@@ -432,7 +426,7 @@ int ksmbd_smb2_check_message(struct ksmbd_work *work)
"cli req padded more than expected. Length %d not %d for cmd:%d mid:%llu\n",
len, clc_len, command,
le64_to_cpu(hdr->MessageId));
- return 0;
+ goto validate_credit;
}
ksmbd_debug(SMB,
@@ -443,6 +437,13 @@ int ksmbd_smb2_check_message(struct ksmbd_work *work)
return 1;
}
+validate_credit:
+ if ((work->conn->vals->capabilities & SMB2_GLOBAL_CAP_LARGE_MTU) &&
+ smb2_validate_credit_charge(work->conn, hdr)) {
+ work->conn->ops->set_rsp_status(work, STATUS_INVALID_PARAMETER);
+ return 1;
+ }
+
return 0;
}
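Review bot: the validate_credit label is now the single exit for the exact-length case and for the three tolerated mismatches (clc_len == len + 1, 8-byte padding, over-padded compound), but nothing at the label records why the check had to move. A one-line comment above validate_credit saying that smb2_validate_credit_charge() reads PDU body fields and must therefore run only after smb2_calc_size() has succeeded would keep a later cleanup from hoisting it back to the top.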
From patchwork Mon Nov 14 12:52:30 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Jason Yan <yanaijie(a)huawei.com>
X-Patchwork-Id: 183338
From: Jason Yan <yanaijie(a)huawei.com>
To: <yanaijie(a)huawei.com>, <zhengzengkai(a)huawei.com>, <xiexiuqi(a)huawei.com>,
<yi.zhang(a)huawei.com>, <patchwork(a)huawei.com>, <kernel.openeuler(a)huawei.com>,
<houtao1(a)huawei.com>
Subject: [PATCH OLK-5.10 v2 241/308] ksmbd: validate OutputBufferLength of
QUERY_DIR, QUERY_INFO, IOCTL requests
Date: Mon, 14 Nov 2022 20:52:30 +0800
Message-ID: <20221114125337.1831594-242-yanaijie(a)huawei.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20221114125337.1831594-1-yanaijie(a)huawei.com>
References: <20221114125337.1831594-1-yanaijie(a)huawei.com>
From: Hyunchul Lee <hyc.lee(a)gmail.com>
mainline inclusion
from mainline-5.15-rc7
commit 34061d6b76a41b1e43c19e1e50d98e5d77f77d4e
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G
CVE: NA
Reference: https://git.kernel.org/torvalds/linux/c/34061d6b76a4
-------------------------------
Validate OutputBufferLength of QUERY_DIR, QUERY_INFO, IOCTL requests and
check the free size of response buffer for these requests.
Acked-by: Namjae Jeon <linkinjeon(a)kernel.org>
Signed-off-by: Hyunchul Lee <hyc.lee(a)gmail.com>
Signed-off-by: Steve French <stfrench(a)microsoft.com>
Signed-off-by: Jason Yan <yanaijie(a)huawei.com>
---
fs/ksmbd/smb2pdu.c | 68 +++++++++++++++++++++++++++++++++++-----------
1 file changed, 52 insertions(+), 16 deletions(-)
diff --git a/fs/ksmbd/smb2pdu.c b/fs/ksmbd/smb2pdu.c
index 2e4380cffac5..71aade05a587 100644
--- a/fs/ksmbd/smb2pdu.c
+++ b/fs/ksmbd/smb2pdu.c
@@ -3731,6 +3731,24 @@ static int verify_info_level(int info_level)
return 0;
}
+static int smb2_calc_max_out_buf_len(struct ksmbd_work *work,
+ unsigned short hdr2_len,
+ unsigned int out_buf_len)
+{
+ int free_len;
+
+ if (out_buf_len > work->conn->vals->max_trans_size)
+ return -EINVAL;
+
+ free_len = (int)(work->response_sz -
+ (get_rfc1002_len(work->response_buf) + 4)) -
+ hdr2_len;
+ if (free_len < 0)
+ return -EINVAL;
+
+ return min_t(int, out_buf_len, free_len);
+}
+
int smb2_query_dir(struct ksmbd_work *work)
{
struct ksmbd_conn *conn = work->conn;
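Review bot: smb2_calc_max_out_buf_len() has no comment describing its contract: hdr2_len is not explained, and the return value doubles as a length and as -EINVAL. The final min_t(int, out_buf_len, free_len) is only safe because the max_trans_size check above keeps out_buf_len within int range, and free_len relies on the subtraction turning into a negative int when the response is already over-full. A short kernel-doc block stating both assumptions, or an explicit comparison before subtracting, would make the helper easier to audit.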
@@ -3806,9 +3824,13 @@ int smb2_query_dir(struct ksmbd_work *work)
memset(&d_info, 0, sizeof(struct ksmbd_dir_info));
d_info.wptr = (char *)rsp->Buffer;
d_info.rptr = (char *)rsp->Buffer;
- d_info.out_buf_len = (work->response_sz - (get_rfc1002_len(rsp_org) + 4));
- d_info.out_buf_len = min_t(int, d_info.out_buf_len, le32_to_cpu(req->OutputBufferLength)) -
- sizeof(struct smb2_query_directory_rsp);
+ d_info.out_buf_len =
+ smb2_calc_max_out_buf_len(work, 8,
+ le32_to_cpu(req->OutputBufferLength));
+ if (d_info.out_buf_len < 0) {
+ rc = -EINVAL;
+ goto err_out;
+ }
d_info.flags = srch_flag;
/*
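Review bot: the literal 8 passed as hdr2_len replaces the sizeof(struct smb2_query_directory_rsp) term that the removed lines subtracted, and the hunk gives no hint of what 8 stands for. Use a named constant or an offsetof() expression so the reserved size stays tied to the response structure. The d_info.out_buf_len < 0 test also depends on that field being a signed type, which is worth confirming in struct ksmbd_dir_info.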
@@ -4041,12 +4063,11 @@ static int smb2_get_ea(struct ksmbd_work *work, struct ksmbd_file *fp,
le32_to_cpu(req->Flags));
}
- buf_free_len = work->response_sz -
- (get_rfc1002_len(rsp_org) + 4) -
- sizeof(struct smb2_query_info_rsp);
-
- if (le32_to_cpu(req->OutputBufferLength) < buf_free_len)
- buf_free_len = le32_to_cpu(req->OutputBufferLength);
+ buf_free_len =
+ smb2_calc_max_out_buf_len(work, 8,
+ le32_to_cpu(req->OutputBufferLength));
+ if (buf_free_len < 0)
+ return -EINVAL;
rc = ksmbd_vfs_listxattr(path->dentry, &xattr_list);
if (rc < 0) {
@@ -4355,6 +4376,8 @@ static void get_file_stream_info(struct ksmbd_work *work,
struct path *path = &fp->filp->f_path;
ssize_t xattr_list_len;
int nbytes = 0, streamlen, stream_name_len, next, idx = 0;
+ int buf_free_len;
+ struct smb2_query_info_req *req = ksmbd_req_buf_next(work);
generic_fillattr(file_inode(fp->filp), &stat);
file_info = (struct smb2_file_stream_info *)rsp->Buffer;
@@ -4367,6 +4390,12 @@ static void get_file_stream_info(struct ksmbd_work *work,
goto out;
}
+ buf_free_len =
+ smb2_calc_max_out_buf_len(work, 8,
+ le32_to_cpu(req->OutputBufferLength));
+ if (buf_free_len < 0)
+ goto out;
+
while (idx < xattr_list_len) {
stream_name = xattr_list + idx;
streamlen = strlen(stream_name);
@@ -4391,6 +4420,10 @@ static void get_file_stream_info(struct ksmbd_work *work,
streamlen = snprintf(stream_buf, streamlen + 1,
":%s", &stream_name[XATTR_NAME_STREAM_LEN]);
+ next = sizeof(struct smb2_file_stream_info) + streamlen * 2;
+ if (next > buf_free_len)
+ break;
+
file_info = (struct smb2_file_stream_info *)&rsp->Buffer[nbytes];
streamlen = smbConvertToUTF16((__le16 *)file_info->StreamName,
stream_buf, streamlen,
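Review bot: the new break on next > buf_free_len leaves the loop right after stream_buf has been filled by snprintf(); if stream_buf is allocated per iteration earlier in the loop (the allocation is outside this hunk), it has to be released before the break. Note also that next is now the pre-conversion worst case (streamlen * 2), computed before smbConvertToUTF16() reassigns streamlen, so please confirm that using this estimate as the entry size is intended.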
@@ -4401,12 +4434,13 @@ static void get_file_stream_info(struct ksmbd_work *work,
file_info->StreamSize = cpu_to_le64(stream_name_len);
file_info->StreamAllocationSize = cpu_to_le64(stream_name_len);
- next = sizeof(struct smb2_file_stream_info) + streamlen;
nbytes += next;
+ buf_free_len -= next;
file_info->NextEntryOffset = cpu_to_le32(next);
}
- if (!S_ISDIR(stat.mode)) {
+ if (!S_ISDIR(stat.mode) &&
+ buf_free_len >= sizeof(struct smb2_file_stream_info) + 7 * 2) {
file_info = (struct smb2_file_stream_info *)
&rsp->Buffer[nbytes];
streamlen = smbConvertToUTF16((__le16 *)file_info->StreamName,
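Review bot: in the condition buf_free_len >= sizeof(struct smb2_file_stream_info) + 7 * 2, the int buf_free_len is compared against a size_t expression, so a negative value would be converted to a large unsigned number and pass. The earlier hunks appear to keep it non-negative on the paths that reach this test, but the comparison should not depend on that: cast the right-hand side to int or test buf_free_len > 0 first. The bare 7 * 2 also needs a named constant or a comment saying which stream name it sizes.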
@@ -7399,11 +7433,13 @@ int smb2_ioctl(struct ksmbd_work *work)
}
cnt_code = le32_to_cpu(req->CntCode);
- out_buf_len = le32_to_cpu(req->MaxOutputResponse);
- out_buf_len =
- min_t(u32, work->response_sz - work->next_smb2_rsp_hdr_off -
- (offsetof(struct smb2_ioctl_rsp, Buffer) - 4),
- out_buf_len);
+ ret = smb2_calc_max_out_buf_len(work, 48,
+ le32_to_cpu(req->MaxOutputResponse));
+ if (ret < 0) {
+ rsp->hdr.Status = STATUS_INVALID_PARAMETER;
+ goto out;
+ }
+ out_buf_len = (unsigned int)ret;
in_buf_len = le32_to_cpu(req->InputCount);
switch (cnt_code) {
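Review bot: the removed computation was based on work->next_smb2_rsp_hdr_off and offsetof(struct smb2_ioctl_rsp, Buffer) - 4, while the replacement passes the literal 48 and lets the helper derive the used size from get_rfc1002_len(work->response_buf). Please state in the commit message or a comment that the two are equivalent for compound responses, and keep an offsetof() expression instead of 48 so the value follows the structure definition.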
From patchwork Mon Nov 14 12:52:31 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Jason Yan <yanaijie(a)huawei.com>
X-Patchwork-Id: 183339
From: Jason Yan <yanaijie(a)huawei.com>
To: <yanaijie(a)huawei.com>, <zhengzengkai(a)huawei.com>, <xiexiuqi(a)huawei.com>,
<yi.zhang(a)huawei.com>, <patchwork(a)huawei.com>, <kernel.openeuler(a)huawei.com>,
<houtao1(a)huawei.com>
Subject: [PATCH OLK-5.10 v2 242/308] ksmbd: throttle session setup failures to
avoid dictionary attacks
Date: Mon, 14 Nov 2022 20:52:31 +0800
Message-ID: <20221114125337.1831594-243-yanaijie(a)huawei.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20221114125337.1831594-1-yanaijie(a)huawei.com>
References: <20221114125337.1831594-1-yanaijie(a)huawei.com>
From: Namjae Jeon <linkinjeon(a)kernel.org>
mainline inclusion
from mainline-5.15-rc7
commit 621be84a9d1fbf0097fd058e249ec5cc4f35f3c5
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G
CVE: NA
Reference: https://git.kernel.org/torvalds/linux/c/621be84a9d1f
-------------------------------
To avoid dictionary attacks (repeated session setups rapidly sent) to
connect to server, ksmbd makes a delay of 5 seconds on session setup
failure to make it harder to send enough random connection requests
to break into a server if a user inserts the wrong password 10 times
in a row.
Signed-off-by: Namjae Jeon <linkinjeon(a)kernel.org>
Signed-off-by: Steve French <stfrench(a)microsoft.com>
Signed-off-by: Jason Yan <yanaijie(a)huawei.com>
---
fs/ksmbd/ksmbd_netlink.h | 2 ++
fs/ksmbd/mgmt/user_config.c | 2 +-
fs/ksmbd/mgmt/user_config.h | 1 +
fs/ksmbd/smb2pdu.c | 27 ++++++++++++++++++++++++---
fs/ksmbd/transport_ipc.c | 3 ++-
fs/ksmbd/transport_ipc.h | 2 +-
6 files changed, 31 insertions(+), 6 deletions(-)
diff --git a/fs/ksmbd/ksmbd_netlink.h b/fs/ksmbd/ksmbd_netlink.h
index 2fbe2bc1e093..c6718a05d347 100644
--- a/fs/ksmbd/ksmbd_netlink.h
+++ b/fs/ksmbd/ksmbd_netlink.h
@@ -211,6 +211,7 @@ struct ksmbd_tree_disconnect_request {
*/
struct ksmbd_logout_request {
__s8 account[KSMBD_REQ_MAX_ACCOUNT_NAME_SZ]; /* user account name */
+ __u32 account_flags;
};
/*
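Review bot: adding account_flags to struct ksmbd_logout_request changes the size and layout of a message defined in ksmbd_netlink.h, and nothing in this hunk bumps a version or documents the new field. Add a trailing comment like the one on account, and say in the commit message how a peer built against the old layout is handled.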
@@ -317,6 +318,7 @@ enum KSMBD_TREE_CONN_STATUS {
#define KSMBD_USER_FLAG_BAD_UID BIT(2)
#define KSMBD_USER_FLAG_BAD_USER BIT(3)
#define KSMBD_USER_FLAG_GUEST_ACCOUNT BIT(4)
+#define KSMBD_USER_FLAG_DELAY_SESSION BIT(5)
/*
* Share config flags.
diff --git a/fs/ksmbd/mgmt/user_config.c b/fs/ksmbd/mgmt/user_config.c
index d21629ae5c89..1019d3677d55 100644
--- a/fs/ksmbd/mgmt/user_config.c
+++ b/fs/ksmbd/mgmt/user_config.c
@@ -55,7 +55,7 @@ struct ksmbd_user *ksmbd_alloc_user(struct ksmbd_login_response *resp)
void ksmbd_free_user(struct ksmbd_user *user)
{
- ksmbd_ipc_logout_request(user->name);
+ ksmbd_ipc_logout_request(user->name, user->flags);
kfree(user->name);
kfree(user->passkey);
kfree(user);
diff --git a/fs/ksmbd/mgmt/user_config.h b/fs/ksmbd/mgmt/user_config.h
index b2bb074a0150..aff80b029579 100644
--- a/fs/ksmbd/mgmt/user_config.h
+++ b/fs/ksmbd/mgmt/user_config.h
@@ -18,6 +18,7 @@ struct ksmbd_user {
size_t passkey_sz;
char *passkey;
+ unsigned int failed_login_count;
};
static inline bool user_guest(struct ksmbd_user *user)
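Review bot: failed_login_count is added to struct ksmbd_user here, but no hunk in this patch reads or writes it; the delay in smb2_sess_setup() is driven only by KSMBD_USER_FLAG_DELAY_SESSION. Either drop the field or add the code that maintains it, and note in the commit message where the 10 failures in a row are counted.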
diff --git a/fs/ksmbd/smb2pdu.c b/fs/ksmbd/smb2pdu.c
index 71aade05a587..82677e282af0 100644
--- a/fs/ksmbd/smb2pdu.c
+++ b/fs/ksmbd/smb2pdu.c
@@ -1779,9 +1779,30 @@ int smb2_sess_setup(struct ksmbd_work *work)
conn->mechToken = NULL;
}
- if (rc < 0 && sess) {
- ksmbd_session_destroy(sess);
- work->sess = NULL;
+ if (rc < 0) {
+ /*
+ * SecurityBufferOffset should be set to zero
+ * in session setup error response.
+ */
+ rsp->SecurityBufferOffset = 0;
+
+ if (sess) {
+ bool try_delay = false;
+
+ /*
+ * To avoid dictionary attacks (repeated session setups rapidly sent) to
+ * connect to server, ksmbd make a delay of a 5 seconds on session setup
+ * failure to make it harder to send enough random connection requests
+ * to break into a server.
+ */
+ if (sess->user && sess->user->flags & KSMBD_USER_FLAG_DELAY_SESSION)
+ try_delay = true;
+
+ ksmbd_session_destroy(sess);
+ work->sess = NULL;
+ if (try_delay)
+ ssleep(5);
+ }
}
return rc;
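Review bot: ssleep(5) runs inline in smb2_sess_setup(), so each failed setup for a flagged account holds the thread handling this work item for five seconds. Please consider whether many concurrent failures can tie up request processing, and whether the delay should be deferred instead of slept in place. The literal 5 is also duplicated from the comment, so a named constant would keep the two in sync.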
diff --git a/fs/ksmbd/transport_ipc.c b/fs/ksmbd/transport_ipc.c
index 44aea33a67fa..1acf1892a466 100644
--- a/fs/ksmbd/transport_ipc.c
+++ b/fs/ksmbd/transport_ipc.c
@@ -601,7 +601,7 @@ int ksmbd_ipc_tree_disconnect_request(unsigned long long session_id,
return ret;
}
-int ksmbd_ipc_logout_request(const char *account)
+int ksmbd_ipc_logout_request(const char *account, int flags)
{
struct ksmbd_ipc_msg *msg;
struct ksmbd_logout_request *req;
@@ -616,6 +616,7 @@ int ksmbd_ipc_logout_request(const char *account)
msg->type = KSMBD_EVENT_LOGOUT_REQUEST;
req = (struct ksmbd_logout_request *)msg->payload;
+ req->account_flags = flags;
strscpy(req->account, account, KSMBD_REQ_MAX_ACCOUNT_NAME_SZ);
ret = ipc_msg_send(msg);
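Review bot: req->account_flags is a __u32 (see the ksmbd_netlink.h hunk) but the new parameter is declared int flags, so the value passes through a signed type on its way into the message. Declare the parameter as unsigned int or u32 in both transport_ipc.c and transport_ipc.h.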
diff --git a/fs/ksmbd/transport_ipc.h b/fs/ksmbd/transport_ipc.h
index 9eacc895ffdb..5e5b90a0c187 100644
--- a/fs/ksmbd/transport_ipc.h
+++ b/fs/ksmbd/transport_ipc.h
@@ -25,7 +25,7 @@ ksmbd_ipc_tree_connect_request(struct ksmbd_session *sess,
struct sockaddr *peer_addr);
int ksmbd_ipc_tree_disconnect_request(unsigned long long session_id,
unsigned long long connect_id);
-int ksmbd_ipc_logout_request(const char *account);
+int ksmbd_ipc_logout_request(const char *account, int flags);
struct ksmbd_share_config_response *
ksmbd_ipc_share_config_request(const char *name);
struct ksmbd_spnego_authen_response *
From patchwork Mon Nov 14 12:52:32 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Jason Yan <yanaijie(a)huawei.com>
X-Patchwork-Id: 183340
From: Jason Yan <yanaijie(a)huawei.com>
To: <yanaijie(a)huawei.com>, <zhengzengkai(a)huawei.com>, <xiexiuqi(a)huawei.com>,
<yi.zhang(a)huawei.com>, <patchwork(a)huawei.com>, <kernel.openeuler(a)huawei.com>,
<houtao1(a)huawei.com>
Subject: [PATCH OLK-5.10 v2 243/308] ksmbd: add buffer validation in session
setup
Date: Mon, 14 Nov 2022 20:52:32 +0800
Message-ID: <20221114125337.1831594-244-yanaijie(a)huawei.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20221114125337.1831594-1-yanaijie(a)huawei.com>
References: <20221114125337.1831594-1-yanaijie(a)huawei.com>
From: Marios Makassikis <mmakassikis(a)freebox.fr>
mainline inclusion
from mainline-5.15-rc7
commit 0d994cd482ee4e8e851388a70869beee51be1c54
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G
CVE: NA
Reference: https://git.kernel.org/torvalds/linux/c/0d994cd482ee
-------------------------------
Make sure the security buffer's length/offset are valid with regard to
the packet length.
Acked-by: Namjae Jeon <linkinjeon(a)kernel.org>
Signed-off-by: Marios Makassikis <mmakassikis(a)freebox.fr>
Signed-off-by: Steve French <stfrench(a)microsoft.com>
Signed-off-by: Jason Yan <yanaijie(a)huawei.com>
---
fs/ksmbd/auth.c | 16 ++++++++-------
fs/ksmbd/smb2pdu.c | 51 ++++++++++++++++++++++++++++------------------
2 files changed, 40 insertions(+), 27 deletions(-)
diff --git a/fs/ksmbd/auth.c b/fs/ksmbd/auth.c
index 71c989f1568d..30a92ddc1817 100644
--- a/fs/ksmbd/auth.c
+++ b/fs/ksmbd/auth.c
@@ -298,8 +298,8 @@ int ksmbd_decode_ntlmssp_auth_blob(struct authenticate_message *authblob,
int blob_len, struct ksmbd_session *sess)
{
char *domain_name;
- unsigned int lm_off, nt_off;
- unsigned short nt_len;
+ unsigned int nt_off, dn_off;
+ unsigned short nt_len, dn_len;
int ret;
if (blob_len < sizeof(struct authenticate_message)) {
@@ -314,15 +314,17 @@ int ksmbd_decode_ntlmssp_auth_blob(struct authenticate_message *authblob,
return -EINVAL;
}
- lm_off = le32_to_cpu(authblob->LmChallengeResponse.BufferOffset);
nt_off = le32_to_cpu(authblob->NtChallengeResponse.BufferOffset);
nt_len = le16_to_cpu(authblob->NtChallengeResponse.Length);
+ dn_off = le32_to_cpu(authblob->DomainName.BufferOffset);
+ dn_len = le16_to_cpu(authblob->DomainName.Length);
+
+ if (blob_len < (u64)dn_off + dn_len || blob_len < (u64)nt_off + nt_len)
+ return -EINVAL;
/* TODO : use domain name that imported from configuration file */
- domain_name = smb_strndup_from_utf16((const char *)authblob +
- le32_to_cpu(authblob->DomainName.BufferOffset),
- le16_to_cpu(authblob->DomainName.Length), true,
- sess->conn->local_nls);
+ domain_name = smb_strndup_from_utf16((const char *)authblob + dn_off,
+ dn_len, true, sess->conn->local_nls);
if (IS_ERR(domain_name))
return PTR_ERR(domain_name);
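Review bot: the new bound in ksmbd_decode_ntlmssp_auth_blob() only checks the upper end of each field; dn_off and nt_off are not required to be at or past sizeof(struct authenticate_message), so a field may be declared to overlap the fixed header. Consider rejecting offsets below the header size as well. blob_len is also an int compared against a u64 expression, so the check depends on callers never passing a negative length.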
diff --git a/fs/ksmbd/smb2pdu.c b/fs/ksmbd/smb2pdu.c
index 82677e282af0..37da97576669 100644
--- a/fs/ksmbd/smb2pdu.c
+++ b/fs/ksmbd/smb2pdu.c
@@ -1257,19 +1257,13 @@ static int generate_preauth_hash(struct ksmbd_work *work)
return 0;
}
-static int decode_negotiation_token(struct ksmbd_work *work,
- struct negotiate_message *negblob)
+static int decode_negotiation_token(struct ksmbd_conn *conn,
+ struct negotiate_message *negblob,
+ size_t sz)
{
- struct ksmbd_conn *conn = work->conn;
- struct smb2_sess_setup_req *req;
- int sz;
-
if (!conn->use_spnego)
return -EINVAL;
- req = work->request_buf;
- sz = le16_to_cpu(req->SecurityBufferLength);
-
if (ksmbd_decode_negTokenInit((char *)negblob, sz, conn)) {
if (ksmbd_decode_negTokenTarg((char *)negblob, sz, conn)) {
conn->auth_mechs |= KSMBD_AUTH_NTLMSSP;
@@ -1281,9 +1275,9 @@ static int decode_negotiation_token(struct ksmbd_work *work,
}
static int ntlm_negotiate(struct ksmbd_work *work,
- struct negotiate_message *negblob)
+ struct negotiate_message *negblob,
+ size_t negblob_len)
{
- struct smb2_sess_setup_req *req = work->request_buf;
struct smb2_sess_setup_rsp *rsp = work->response_buf;
struct challenge_message *chgblob;
unsigned char *spnego_blob = NULL;
@@ -1292,8 +1286,7 @@ static int ntlm_negotiate(struct ksmbd_work *work,
int sz, rc;
ksmbd_debug(SMB, "negotiate phase\n");
- sz = le16_to_cpu(req->SecurityBufferLength);
- rc = ksmbd_decode_ntlmssp_neg_blob(negblob, sz, work->sess);
+ rc = ksmbd_decode_ntlmssp_neg_blob(negblob, negblob_len, work->sess);
if (rc)
return rc;
@@ -1361,12 +1354,23 @@ static struct ksmbd_user *session_user(struct ksmbd_conn *conn,
struct authenticate_message *authblob;
struct ksmbd_user *user;
char *name;
- int sz;
+ unsigned int auth_msg_len, name_off, name_len, secbuf_len;
+ secbuf_len = le16_to_cpu(req->SecurityBufferLength);
+ if (secbuf_len < sizeof(struct authenticate_message)) {
+ ksmbd_debug(SMB, "blob len %d too small\n", secbuf_len);
+ return NULL;
+ }
authblob = user_authblob(conn, req);
- sz = le32_to_cpu(authblob->UserName.BufferOffset);
- name = smb_strndup_from_utf16((const char *)authblob + sz,
- le16_to_cpu(authblob->UserName.Length),
+ name_off = le32_to_cpu(authblob->UserName.BufferOffset);
+ name_len = le16_to_cpu(authblob->UserName.Length);
+ auth_msg_len = le16_to_cpu(req->SecurityBufferOffset) + secbuf_len;
+
+ if (auth_msg_len < (u64)name_off + name_len)
+ return NULL;
+
+ name = smb_strndup_from_utf16((const char *)authblob + name_off,
+ name_len,
true,
conn->local_nls);
if (IS_ERR(name)) {
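Review bot: in session_user() the bound auth_msg_len is SecurityBufferOffset + secbuf_len, but name_off is applied relative to authblob in the smb_strndup_from_utf16() call, not relative to the start of the request. Assuming authblob points at the start of the security buffer, the check accepts a UserName field that ends up to SecurityBufferOffset bytes past the end of that buffer; comparing secbuf_len against (u64)name_off + name_len would match how the offset is used.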
@@ -1612,6 +1616,7 @@ int smb2_sess_setup(struct ksmbd_work *work)
struct smb2_sess_setup_rsp *rsp = work->response_buf;
struct ksmbd_session *sess;
struct negotiate_message *negblob;
+ unsigned int negblob_len, negblob_off;
int rc = 0;
ksmbd_debug(SMB, "Received request for session setup\n");
@@ -1692,10 +1697,16 @@ int smb2_sess_setup(struct ksmbd_work *work)
if (sess->state == SMB2_SESSION_EXPIRED)
sess->state = SMB2_SESSION_IN_PROGRESS;
+ negblob_off = le16_to_cpu(req->SecurityBufferOffset);
+ negblob_len = le16_to_cpu(req->SecurityBufferLength);
+ if (negblob_off < (offsetof(struct smb2_sess_setup_req, Buffer) - 4) ||
+ negblob_len < offsetof(struct negotiate_message, NegotiateFlags))
+ return -EINVAL;
+
negblob = (struct negotiate_message *)((char *)&req->hdr.ProtocolId +
- le16_to_cpu(req->SecurityBufferOffset));
+ negblob_off);
- if (decode_negotiation_token(work, negblob) == 0) {
+ if (decode_negotiation_token(conn, negblob, negblob_len) == 0) {
if (conn->mechToken)
negblob = (struct negotiate_message *)conn->mechToken;
}
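Review bot: the new return -EINVAL leaves smb2_sess_setup() directly, whereas the failure path visible in the last hunk of this file uses goto out_err, so whatever cleanup and response status handling lives there is skipped for a malformed security buffer. Set rc and jump to out_err instead. The test also enforces minimum values only; if the upper bound of negblob_off + negblob_len against the received length is checked elsewhere, say so in a comment.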
@@ -1719,7 +1730,7 @@ int smb2_sess_setup(struct ksmbd_work *work)
sess->Preauth_HashValue = NULL;
} else if (conn->preferred_auth_mech == KSMBD_AUTH_NTLMSSP) {
if (negblob->MessageType == NtLmNegotiate) {
- rc = ntlm_negotiate(work, negblob);
+ rc = ntlm_negotiate(work, negblob, negblob_len);
if (rc)
goto out_err;
rsp->hdr.Status =
From patchwork Mon Nov 14 12:52:33 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Jason Yan <yanaijie(a)huawei.com>
X-Patchwork-Id: 183341
From: Jason Yan <yanaijie(a)huawei.com>
To: <yanaijie(a)huawei.com>, <zhengzengkai(a)huawei.com>, <xiexiuqi(a)huawei.com>,
<yi.zhang(a)huawei.com>, <patchwork(a)huawei.com>, <kernel.openeuler(a)huawei.com>,
<houtao1(a)huawei.com>
Subject: [PATCH OLK-5.10 v2 244/308] ksmbd: use ksmbd_req_buf_next() in
ksmbd_verify_smb_message()
Date: Mon, 14 Nov 2022 20:52:33 +0800
Message-ID: <20221114125337.1831594-245-yanaijie(a)huawei.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20221114125337.1831594-1-yanaijie(a)huawei.com>
References: <20221114125337.1831594-1-yanaijie(a)huawei.com>
From: Ralph Boehme <slow(a)samba.org>
mainline inclusion
from mainline-5.16-rc1
commit a088ac859f8124d491f02a19d080fc5ee4dbd202
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G
CVE: NA
Reference: https://git.kernel.org/torvalds/linux/c/a088ac859f81
-------------------------------
Use ksmbd_req_buf_next() in ksmbd_verify_smb_message().
Acked-by: Namjae Jeon <linkinjeon(a)kernel.org>
Signed-off-by: Ralph Boehme <slow(a)samba.org>
Signed-off-by: Steve French <stfrench(a)microsoft.com>
Signed-off-by: Jason Yan <yanaijie(a)huawei.com>
---
fs/ksmbd/smb_common.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/fs/ksmbd/smb_common.c b/fs/ksmbd/smb_common.c
index bd836a30ae89..f3f1953b2bcf 100644
--- a/fs/ksmbd/smb_common.c
+++ b/fs/ksmbd/smb_common.c
@@ -132,7 +132,7 @@ int ksmbd_lookup_protocol_idx(char *str)
*/
int ksmbd_verify_smb_message(struct ksmbd_work *work)
{
- struct smb2_hdr *smb2_hdr = work->request_buf + work->next_smb2_rcv_hdr_off;
+ struct smb2_hdr *smb2_hdr = ksmbd_req_buf_next(work);
struct smb_hdr *hdr;
if (smb2_hdr->ProtocolId == SMB2_PROTO_NUMBER)
From patchwork Mon Nov 14 12:52:34 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Jason Yan <yanaijie(a)huawei.com>
X-Patchwork-Id: 183342
From: Jason Yan <yanaijie(a)huawei.com>
To: <yanaijie(a)huawei.com>, <zhengzengkai(a)huawei.com>, <xiexiuqi(a)huawei.com>,
<yi.zhang(a)huawei.com>, <patchwork(a)huawei.com>, <kernel.openeuler(a)huawei.com>,
<houtao1(a)huawei.com>
Subject: [PATCH OLK-5.10 v2 245/308] ksmbd: use ksmbd_req_buf_next() in
ksmbd_smb2_check_message()
Date: Mon, 14 Nov 2022 20:52:34 +0800
Message-ID: <20221114125337.1831594-246-yanaijie(a)huawei.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20221114125337.1831594-1-yanaijie(a)huawei.com>
References: <20221114125337.1831594-1-yanaijie(a)huawei.com>
From: Ralph Boehme <slow(a)samba.org>
mainline inclusion
from mainline-5.16-rc1
commit b83b27909e74d27796de19c802fbc3b65ab4ba9a
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G
CVE: NA
Reference: https://git.kernel.org/torvalds/linux/c/b83b27909e74
-------------------------------
Use ksmbd_req_buf_next() in ksmbd_smb2_check_message().
Cc: Tom Talpey <tom(a)talpey.com>
Cc: Ronnie Sahlberg <ronniesahlberg(a)gmail.com>
Cc: Steve French <smfrench(a)gmail.com>
Cc: Hyunchul Lee <hyc.lee(a)gmail.com>
Acked-by: Namjae Jeon <linkinjeon(a)kernel.org>
Signed-off-by: Ralph Boehme <slow(a)samba.org>
Signed-off-by: Steve French <stfrench(a)microsoft.com>
Signed-off-by: Jason Yan <yanaijie(a)huawei.com>
---
fs/ksmbd/smb2misc.c | 7 +------
1 file changed, 1 insertion(+), 6 deletions(-)
diff --git a/fs/ksmbd/smb2misc.c b/fs/ksmbd/smb2misc.c
index 030ca57c3784..2385622cc3c8 100644
--- a/fs/ksmbd/smb2misc.c
+++ b/fs/ksmbd/smb2misc.c
@@ -347,17 +347,12 @@ static int smb2_validate_credit_charge(struct ksmbd_conn *conn,
int ksmbd_smb2_check_message(struct ksmbd_work *work)
{
- struct smb2_pdu *pdu = work->request_buf;
+ struct smb2_pdu *pdu = ksmbd_req_buf_next(work);
struct smb2_hdr *hdr = &pdu->hdr;
int command;
__u32 clc_len; /* calculated length */
__u32 len = get_rfc1002_len(pdu);
- if (work->next_smb2_rcv_hdr_off) {
- pdu = ksmbd_req_buf_next(work);
- hdr = &pdu->hdr;
- }
-
if (le32_to_cpu(hdr->NextCommand) > 0) {
len = le32_to_cpu(hdr->NextCommand);
} else if (work->next_smb2_rcv_hdr_off) {
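Review bot: len is still initialised with get_rfc1002_len(pdu), and pdu now points at the current compound element instead of the start of work->request_buf, so when next_smb2_rcv_hdr_off is non-zero the RFC1002 length is read from a different location than before this change. If the transport length of the whole request is what is wanted, initialise len with get_rfc1002_len(work->request_buf); otherwise the commit message should explain why reading it at the element offset is correct.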
From patchwork Mon Nov 14 12:52:35 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Jason Yan <yanaijie(a)huawei.com>
X-Patchwork-Id: 183343
From: Jason Yan <yanaijie(a)huawei.com>
To: <yanaijie(a)huawei.com>, <zhengzengkai(a)huawei.com>, <xiexiuqi(a)huawei.com>,
<yi.zhang(a)huawei.com>, <patchwork(a)huawei.com>, <kernel.openeuler(a)huawei.com>,
<houtao1(a)huawei.com>
Subject: [PATCH OLK-5.10 v2 246/308] ksmdb: use cmd helper variable in
smb2_get_ksmbd_tcon()
Date: Mon, 14 Nov 2022 20:52:35 +0800
Message-ID: <20221114125337.1831594-247-yanaijie(a)huawei.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20221114125337.1831594-1-yanaijie(a)huawei.com>
References: <20221114125337.1831594-1-yanaijie(a)huawei.com>
From: Ralph Boehme <slow(a)samba.org>
mainline inclusion
from mainline-5.16-rc1
commit 341b16014bf871115f0883e831372c4b76389d03
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G
CVE: NA
Reference: https://git.kernel.org/torvalds/linux/c/341b16014bf8
-------------------------------
Use cmd helper variable in smb2_get_ksmbd_tcon().
Cc: Tom Talpey <tom(a)talpey.com>
Cc: Ronnie Sahlberg <ronniesahlberg(a)gmail.com>
Cc: Steve French <smfrench(a)gmail.com>
Cc: Hyunchul Lee <hyc.lee(a)gmail.com>
Acked-by: Namjae Jeon <linkinjeon(a)kernel.org>
Signed-off-by: Ralph Boehme <slow(a)samba.org>
Signed-off-by: Steve French <stfrench(a)microsoft.com>
Signed-off-by: Jason Yan <yanaijie(a)huawei.com>
---
fs/ksmbd/smb2pdu.c | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/fs/ksmbd/smb2pdu.c b/fs/ksmbd/smb2pdu.c
index 37da97576669..ed08697ec56c 100644
--- a/fs/ksmbd/smb2pdu.c
+++ b/fs/ksmbd/smb2pdu.c
@@ -94,12 +94,13 @@ struct channel *lookup_chann_list(struct ksmbd_session *sess, struct ksmbd_conn
int smb2_get_ksmbd_tcon(struct ksmbd_work *work)
{
struct smb2_hdr *req_hdr = work->request_buf;
+ unsigned int cmd = le16_to_cpu(req_hdr->Command);
int tree_id;
work->tcon = NULL;
- if (work->conn->ops->get_cmd_val(work) == SMB2_TREE_CONNECT_HE ||
- work->conn->ops->get_cmd_val(work) == SMB2_CANCEL_HE ||
- work->conn->ops->get_cmd_val(work) == SMB2_LOGOFF_HE) {
+ if (cmd == SMB2_TREE_CONNECT_HE ||
+ cmd == SMB2_CANCEL_HE ||
+ cmd == SMB2_LOGOFF_HE) {
ksmbd_debug(SMB, "skip to check tree connect request\n");
return 0;
}
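Review bot: `cmd` is now read from the header at the start of `work->request_buf`, whereas the three removed comparisons went through `work->conn->ops->get_cmd_val(work)`. If that op resolves the header at `work->next_smb2_rcv_hdr_off` for a chained request, as `get_smb2_cmd_val()` in this file does, the skip test for TREE_CONNECT, CANCEL and LOGOFF now sees the first command of a compound rather than the one being processed. The commit message describes a helper-variable cleanup only, so either initialise the variable from the op (`unsigned int cmd = work->conn->ops->get_cmd_val(work);`) or state in the message that the change for compound requests is intended.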
From patchwork Mon Nov 14 12:52:36 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Jason Yan <yanaijie(a)huawei.com>
X-Patchwork-Id: 183344
Return-Path: <yanaijie(a)huawei.com>
From: Jason Yan <yanaijie(a)huawei.com>
To: <yanaijie(a)huawei.com>, <zhengzengkai(a)huawei.com>, <xiexiuqi(a)huawei.com>,
<yi.zhang(a)huawei.com>, <patchwork(a)huawei.com>, <kernel.openeuler(a)huawei.com>,
<houtao1(a)huawei.com>
Subject: [PATCH OLK-5.10 v2 247/308] ksmbd: Remove redundant
'flush_workqueue()' calls
Date: Mon, 14 Nov 2022 20:52:36 +0800
Message-ID: <20221114125337.1831594-248-yanaijie(a)huawei.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20221114125337.1831594-1-yanaijie(a)huawei.com>
References: <20221114125337.1831594-1-yanaijie(a)huawei.com>
Content-Type: text/plain
From: Christophe JAILLET <christophe.jaillet(a)wanadoo.fr>
mainline inclusion
from mainline-5.16-rc1
commit e8d585b2f68c0b10c966ee55146de043429085a3
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G
CVE: NA
Reference: https://git.kernel.org/torvalds/linux/c/e8d585b2f68c
-------------------------------
'destroy_workqueue()' already drains the queue before destroying it, so
there is no need to flush it explicitly.
Remove the redundant 'flush_workqueue()' calls.
This was generated with coccinelle:
@@
expression E;
@@
- flush_workqueue(E);
destroy_workqueue(E);
Acked-by: Namjae Jeon <linkinjeon(a)kernel.org>
Signed-off-by: Christophe JAILLET <christophe.jaillet(a)wanadoo.fr>
Signed-off-by: Steve French <stfrench(a)microsoft.com>
Signed-off-by: Jason Yan <yanaijie(a)huawei.com>
---
fs/ksmbd/ksmbd_work.c | 1 -
fs/ksmbd/transport_rdma.c | 1 -
2 files changed, 2 deletions(-)
diff --git a/fs/ksmbd/ksmbd_work.c b/fs/ksmbd/ksmbd_work.c
index fd58eb4809f6..14b9caebf7a4 100644
--- a/fs/ksmbd/ksmbd_work.c
+++ b/fs/ksmbd/ksmbd_work.c
@@ -69,7 +69,6 @@ int ksmbd_workqueue_init(void)
void ksmbd_workqueue_destroy(void)
{
- flush_workqueue(ksmbd_wq);
destroy_workqueue(ksmbd_wq);
ksmbd_wq = NULL;
}
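Review bot: in `ksmbd_workqueue_destroy()` the remaining `destroy_workqueue(ksmbd_wq)` runs unconditionally, while the matching teardown in `ksmbd_rdma_destroy()` is guarded by `if (smb_direct_wq)`. Dropping the flush is fine on its own, but it is worth confirming that this function cannot be reached with `ksmbd_wq` still NULL (for example after a failed `ksmbd_workqueue_init()`), or adding the same guard here for symmetry.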
diff --git a/fs/ksmbd/transport_rdma.c b/fs/ksmbd/transport_rdma.c
index a2fd5a4d4cd5..6330dfc302ff 100644
--- a/fs/ksmbd/transport_rdma.c
+++ b/fs/ksmbd/transport_rdma.c
@@ -2043,7 +2043,6 @@ int ksmbd_rdma_destroy(void)
smb_direct_listener.cm_id = NULL;
if (smb_direct_wq) {
- flush_workqueue(smb_direct_wq);
destroy_workqueue(smb_direct_wq);
smb_direct_wq = NULL;
}
From patchwork Mon Nov 14 12:52:37 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Jason Yan <yanaijie(a)huawei.com>
X-Patchwork-Id: 183345
Return-Path: <yanaijie(a)huawei.com>
From: Jason Yan <yanaijie(a)huawei.com>
To: <yanaijie(a)huawei.com>, <zhengzengkai(a)huawei.com>, <xiexiuqi(a)huawei.com>,
<yi.zhang(a)huawei.com>, <patchwork(a)huawei.com>, <kernel.openeuler(a)huawei.com>,
<houtao1(a)huawei.com>
Subject: [PATCH OLK-5.10 v2 248/308] ksmbd: Fix buffer length check in
fsctl_validate_negotiate_info()
Date: Mon, 14 Nov 2022 20:52:37 +0800
Message-ID: <20221114125337.1831594-249-yanaijie(a)huawei.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20221114125337.1831594-1-yanaijie(a)huawei.com>
References: <20221114125337.1831594-1-yanaijie(a)huawei.com>
Content-Type: text/plain
From: Marios Makassikis <mmakassikis(a)freebox.fr>
mainline inclusion
from mainline-5.16-rc1
commit 78f1688a64cca77758ceb9b183088cf0054bfc82
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G
CVE: NA
Reference: https://git.kernel.org/torvalds/linux/c/78f1688a64cc
-------------------------------
The validate_negotiate_info_req struct definition includes an extra
field to access the data coming after the header. This causes the check
in fsctl_validate_negotiate_info() to count the first element of the
array twice. This in turn makes some valid requests fail, depending on
whether they include padding or not.
Fixes: f7db8fd03a4b ("ksmbd: add validation in smb2_ioctl")
Cc: stable(a)vger.kernel.org # v5.15
Acked-by: Namjae Jeon <linkinjeon(a)kernel.org>
Acked-by: Hyunchul Lee <hyc.lee(a)gmail.com>
Signed-off-by: Marios Makassikis <mmakassikis(a)freebox.fr>
Signed-off-by: Steve French <stfrench(a)microsoft.com>
Signed-off-by: Jason Yan <yanaijie(a)huawei.com>
---
fs/ksmbd/smb2pdu.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/fs/ksmbd/smb2pdu.c b/fs/ksmbd/smb2pdu.c
index ed08697ec56c..bec55e1f08dc 100644
--- a/fs/ksmbd/smb2pdu.c
+++ b/fs/ksmbd/smb2pdu.c
@@ -7263,7 +7263,7 @@ static int fsctl_validate_negotiate_info(struct ksmbd_conn *conn,
int ret = 0;
int dialect;
- if (in_buf_len < sizeof(struct validate_negotiate_info_req) +
+ if (in_buf_len < offsetof(struct validate_negotiate_info_req, Dialects) +
le16_to_cpu(neg_req->DialectCount) * sizeof(__le16))
return -EINVAL;
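Review bot: `neg_req->DialectCount` is read inside the length expression before anything in this hunk has established that `in_buf_len` covers the fixed part of the request. The switch to `offsetof(struct validate_negotiate_info_req, Dialects)` fixes the double count, but unless the caller already rejects `in_buf_len < offsetof(struct validate_negotiate_info_req, Dialects)`, a short request lets the check use a `DialectCount` taken from beyond the supplied input. A separate fixed-size check ahead of this one would make the function safe on its own.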
From patchwork Mon Nov 14 12:52:38 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Jason Yan <yanaijie(a)huawei.com>
X-Patchwork-Id: 183346
Return-Path: <yanaijie(a)huawei.com>
From: Jason Yan <yanaijie(a)huawei.com>
To: <yanaijie(a)huawei.com>, <zhengzengkai(a)huawei.com>, <xiexiuqi(a)huawei.com>,
<yi.zhang(a)huawei.com>, <patchwork(a)huawei.com>, <kernel.openeuler(a)huawei.com>,
<houtao1(a)huawei.com>
Subject: [PATCH OLK-5.10 v2 249/308] ksmbd: don't need 8byte alignment for
request length in ksmbd_check_message
Date: Mon, 14 Nov 2022 20:52:38 +0800
Message-ID: <20221114125337.1831594-250-yanaijie(a)huawei.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20221114125337.1831594-1-yanaijie(a)huawei.com>
References: <20221114125337.1831594-1-yanaijie(a)huawei.com>
Content-Type: text/plain
From: Namjae Jeon <linkinjeon(a)kernel.org>
mainline inclusion
from mainline-5.16-rc1
commit b53ad8107ee873795ecb5039d46b5d5502d404f2
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G
CVE: NA
Reference: https://git.kernel.org/torvalds/linux/c/b53ad8107ee8
-------------------------------
When validating request length in ksmbd_check_message, 8byte alignment
is not needed for compound request. It can cause wrong validation
of request length.
Fixes: e2f34481b24d ("cifsd: add server-side procedures for SMB3")
Cc: stable(a)vger.kernel.org # v5.15
Acked-by: Hyunchul Lee <hyc.lee(a)gmail.com>
Signed-off-by: Namjae Jeon <linkinjeon(a)kernel.org>
Signed-off-by: Steve French <stfrench(a)microsoft.com>
Signed-off-by: Jason Yan <yanaijie(a)huawei.com>
---
fs/ksmbd/smb2misc.c | 6 ++----
1 file changed, 2 insertions(+), 4 deletions(-)
diff --git a/fs/ksmbd/smb2misc.c b/fs/ksmbd/smb2misc.c
index 2385622cc3c8..0239fa96926c 100644
--- a/fs/ksmbd/smb2misc.c
+++ b/fs/ksmbd/smb2misc.c
@@ -353,12 +353,10 @@ int ksmbd_smb2_check_message(struct ksmbd_work *work)
__u32 clc_len; /* calculated length */
__u32 len = get_rfc1002_len(pdu);
- if (le32_to_cpu(hdr->NextCommand) > 0) {
+ if (le32_to_cpu(hdr->NextCommand) > 0)
len = le32_to_cpu(hdr->NextCommand);
- } else if (work->next_smb2_rcv_hdr_off) {
+ else if (work->next_smb2_rcv_hdr_off)
len -= work->next_smb2_rcv_hdr_off;
- len = round_up(len, 8);
- }
if (check_smb2_hdr(hdr))
return 1;
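Review bot: in the `else if` branch, `len -= work->next_smb2_rcv_hdr_off;` operates on a `__u32` with no visible check that the offset is at most the RFC1002 length, so a larger offset wraps `len` to a huge value instead of failing; likewise `NextCommand` is taken from the wire as `len` without being bounded here. With `round_up(len, 8)` gone the comparison is exact, so this is a good point to confirm both values are bounded before `ksmbd_smb2_check_message()` runs, or to reject them here. A one-line comment saying that the last element of a compound is compared unpadded would also help the next reader.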
From patchwork Mon Nov 14 12:52:39 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Jason Yan <yanaijie(a)huawei.com>
X-Patchwork-Id: 183347
Return-Path: <yanaijie(a)huawei.com>
From: Jason Yan <yanaijie(a)huawei.com>
To: <yanaijie(a)huawei.com>, <zhengzengkai(a)huawei.com>, <xiexiuqi(a)huawei.com>,
<yi.zhang(a)huawei.com>, <patchwork(a)huawei.com>, <kernel.openeuler(a)huawei.com>,
<houtao1(a)huawei.com>
Subject: [PATCH OLK-5.10 v2 250/308] ksmbd: remove smb2_buf_length in smb2_hdr
Date: Mon, 14 Nov 2022 20:52:39 +0800
Message-ID: <20221114125337.1831594-251-yanaijie(a)huawei.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20221114125337.1831594-1-yanaijie(a)huawei.com>
References: <20221114125337.1831594-1-yanaijie(a)huawei.com>
Content-Type: text/plain
From: Namjae Jeon <linkinjeon(a)kernel.org>
mainline inclusion
from mainline-5.16-rc1
commit cb4517201b8acdb5fd5314494aaf86c267f22345
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G
CVE: NA
Reference: https://git.kernel.org/torvalds/linux/c/cb4517201b8a
-------------------------------
To move smb2_hdr to smbfs_common, this patch removes the smb2_buf_length
variable in smb2_hdr. Also, declare the smb2_get_msg function to get the smb2
request/response from ->request/response_buf.
Cc: Ronnie Sahlberg <ronniesahlberg(a)gmail.com>
Signed-off-by: Namjae Jeon <linkinjeon(a)kernel.org>
Signed-off-by: Steve French <stfrench(a)microsoft.com>
Signed-off-by: Jason Yan <yanaijie(a)huawei.com>
---
fs/ksmbd/auth.c | 4 +-
fs/ksmbd/connection.c | 9 +-
fs/ksmbd/ksmbd_work.h | 4 +-
fs/ksmbd/oplock.c | 24 +--
fs/ksmbd/smb2misc.c | 2 +-
fs/ksmbd/smb2pdu.c | 440 +++++++++++++++++++-------------------
fs/ksmbd/smb2pdu.h | 20 +-
fs/ksmbd/smb_common.c | 11 +-
fs/ksmbd/smb_common.h | 6 -
fs/ksmbd/transport_rdma.c | 2 +-
10 files changed, 260 insertions(+), 262 deletions(-)
diff --git a/fs/ksmbd/auth.c b/fs/ksmbd/auth.c
index 30a92ddc1817..c69c5471db1c 100644
--- a/fs/ksmbd/auth.c
+++ b/fs/ksmbd/auth.c
@@ -873,9 +873,9 @@ int ksmbd_gen_preauth_integrity_hash(struct ksmbd_conn *conn, char *buf,
__u8 *pi_hash)
{
int rc;
- struct smb2_hdr *rcv_hdr = (struct smb2_hdr *)buf;
+ struct smb2_hdr *rcv_hdr = smb2_get_msg(buf);
char *all_bytes_msg = (char *)&rcv_hdr->ProtocolId;
- int msg_size = be32_to_cpu(rcv_hdr->smb2_buf_length);
+ int msg_size = get_rfc1002_len(buf);
struct ksmbd_crypto_ctx *ctx = NULL;
if (conn->preauth_info->Preauth_HashId !=
diff --git a/fs/ksmbd/connection.c b/fs/ksmbd/connection.c
index b57a0d8a392f..12f710ccbdff 100644
--- a/fs/ksmbd/connection.c
+++ b/fs/ksmbd/connection.c
@@ -158,14 +158,13 @@ void ksmbd_conn_wait_idle(struct ksmbd_conn *conn)
int ksmbd_conn_write(struct ksmbd_work *work)
{
struct ksmbd_conn *conn = work->conn;
- struct smb_hdr *rsp_hdr = work->response_buf;
size_t len = 0;
int sent;
struct kvec iov[3];
int iov_idx = 0;
ksmbd_conn_try_dequeue_request(work);
- if (!rsp_hdr) {
+ if (!work->response_buf) {
pr_err("NULL response header\n");
return -EINVAL;
}
@@ -177,7 +176,7 @@ int ksmbd_conn_write(struct ksmbd_work *work)
}
if (work->aux_payload_sz) {
- iov[iov_idx] = (struct kvec) { rsp_hdr, work->resp_hdr_sz };
+ iov[iov_idx] = (struct kvec) { work->response_buf, work->resp_hdr_sz };
len += iov[iov_idx++].iov_len;
iov[iov_idx] = (struct kvec) { work->aux_payload_buf, work->aux_payload_sz };
len += iov[iov_idx++].iov_len;
@@ -185,8 +184,8 @@ int ksmbd_conn_write(struct ksmbd_work *work)
if (work->tr_buf)
iov[iov_idx].iov_len = work->resp_hdr_sz;
else
- iov[iov_idx].iov_len = get_rfc1002_len(rsp_hdr) + 4;
- iov[iov_idx].iov_base = rsp_hdr;
+ iov[iov_idx].iov_len = get_rfc1002_len(work->response_buf) + 4;
+ iov[iov_idx].iov_base = work->response_buf;
len += iov[iov_idx++].iov_len;
}
diff --git a/fs/ksmbd/ksmbd_work.h b/fs/ksmbd/ksmbd_work.h
index f7156bc50049..5ece58e40c97 100644
--- a/fs/ksmbd/ksmbd_work.h
+++ b/fs/ksmbd/ksmbd_work.h
@@ -92,7 +92,7 @@ struct ksmbd_work {
*/
static inline void *ksmbd_resp_buf_next(struct ksmbd_work *work)
{
- return work->response_buf + work->next_smb2_rsp_hdr_off;
+ return work->response_buf + work->next_smb2_rsp_hdr_off + 4;
}
/**
@@ -101,7 +101,7 @@ static inline void *ksmbd_resp_buf_next(struct ksmbd_work *work)
*/
static inline void *ksmbd_req_buf_next(struct ksmbd_work *work)
{
- return work->request_buf + work->next_smb2_rcv_hdr_off;
+ return work->request_buf + work->next_smb2_rcv_hdr_off + 4;
}
struct ksmbd_work *ksmbd_alloc_work_struct(void);
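Review bot: `ksmbd_req_buf_next()` (and `ksmbd_resp_buf_next()` in the hunk above) now adds a bare `+ 4` to skip the RFC1002 length field, while the rest of the series uses `smb2_get_msg()` for the same purpose. Writing this as `smb2_get_msg(work->request_buf) + work->next_smb2_rcv_hdr_off`, or with a named constant, keeps the prefix size in one place. The kernel-doc above each helper should also say that the returned pointer is past the 4-byte length prefix.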
diff --git a/fs/ksmbd/oplock.c b/fs/ksmbd/oplock.c
index 95e8c53a5cf3..e529bc11b04b 100644
--- a/fs/ksmbd/oplock.c
+++ b/fs/ksmbd/oplock.c
@@ -629,10 +629,10 @@ static void __smb2_oplock_break_noti(struct work_struct *wk)
return;
}
- rsp_hdr = work->response_buf;
+ rsp_hdr = smb2_get_msg(work->response_buf);
memset(rsp_hdr, 0, sizeof(struct smb2_hdr) + 2);
- rsp_hdr->smb2_buf_length =
- cpu_to_be32(smb2_hdr_size_no_buflen(conn->vals));
+ *(__be32 *)work->response_buf =
+ cpu_to_be32(conn->vals->header_size);
rsp_hdr->ProtocolId = SMB2_PROTO_NUMBER;
rsp_hdr->StructureSize = SMB2_HEADER_STRUCTURE_SIZE;
rsp_hdr->CreditRequest = cpu_to_le16(0);
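Review bot: the length prefix is now stored with an open-coded `*(__be32 *)work->response_buf = cpu_to_be32(conn->vals->header_size);`, and the same statement is repeated in `__smb2_lease_break_noti()`, `init_smb2_neg_rsp()` and `init_smb2_rsp_hdr()`. A small setter next to `get_rfc1002_len()` and `inc_rfc1001_len()` would remove the cast from four call sites. The stored value also changes from `smb2_hdr_size_no_buflen(conn->vals)` to `conn->vals->header_size`, which is equivalent only if `header_size` shrinks by 4 together with `struct smb2_hdr`; the commit message should say so.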
@@ -645,7 +645,7 @@ static void __smb2_oplock_break_noti(struct work_struct *wk)
rsp_hdr->SessionId = 0;
memset(rsp_hdr->Signature, 0, 16);
- rsp = work->response_buf;
+ rsp = smb2_get_msg(work->response_buf);
rsp->StructureSize = cpu_to_le16(24);
if (!br_info->open_trunc &&
@@ -659,7 +659,7 @@ static void __smb2_oplock_break_noti(struct work_struct *wk)
rsp->PersistentFid = cpu_to_le64(fp->persistent_id);
rsp->VolatileFid = cpu_to_le64(fp->volatile_id);
- inc_rfc1001_len(rsp, 24);
+ inc_rfc1001_len(work->response_buf, 24);
ksmbd_debug(OPLOCK,
"sending oplock break v_id %llu p_id = %llu lock level = %d\n",
@@ -736,10 +736,10 @@ static void __smb2_lease_break_noti(struct work_struct *wk)
return;
}
- rsp_hdr = work->response_buf;
+ rsp_hdr = smb2_get_msg(work->response_buf);
memset(rsp_hdr, 0, sizeof(struct smb2_hdr) + 2);
- rsp_hdr->smb2_buf_length =
- cpu_to_be32(smb2_hdr_size_no_buflen(conn->vals));
+ *(__be32 *)work->response_buf =
+ cpu_to_be32(conn->vals->header_size);
rsp_hdr->ProtocolId = SMB2_PROTO_NUMBER;
rsp_hdr->StructureSize = SMB2_HEADER_STRUCTURE_SIZE;
rsp_hdr->CreditRequest = cpu_to_le16(0);
@@ -752,7 +752,7 @@ static void __smb2_lease_break_noti(struct work_struct *wk)
rsp_hdr->SessionId = 0;
memset(rsp_hdr->Signature, 0, 16);
- rsp = work->response_buf;
+ rsp = smb2_get_msg(work->response_buf);
rsp->StructureSize = cpu_to_le16(44);
rsp->Epoch = br_info->epoch;
rsp->Flags = 0;
@@ -768,7 +768,7 @@ static void __smb2_lease_break_noti(struct work_struct *wk)
rsp->AccessMaskHint = 0;
rsp->ShareMaskHint = 0;
- inc_rfc1001_len(rsp, 44);
+ inc_rfc1001_len(work->response_buf, 44);
ksmbd_conn_write(work);
ksmbd_free_work_struct(work);
@@ -1398,7 +1398,7 @@ struct lease_ctx_info *parse_lease_state(void *open_req)
if (!lreq)
return NULL;
- data_offset = (char *)req + 4 + le32_to_cpu(req->CreateContextsOffset);
+ data_offset = (char *)req + le32_to_cpu(req->CreateContextsOffset);
cc = (struct create_context *)data_offset;
do {
cc = (struct create_context *)((char *)cc + next);
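Review bot: dropping the `+ 4` in `data_offset = (char *)req + le32_to_cpu(req->CreateContextsOffset);` changes the contract of `parse_lease_state(void *open_req)`: the argument must now point at the SMB2 header, not at the start of the receive buffer. Because the parameter is `void *`, a caller that still passes `work->request_buf` compiles cleanly and walks the create contexts 4 bytes early. Please state the new expectation in the function comment and confirm every caller was converted; unlike `smb2_find_context_vals()` in the next hunk, nothing here records that `CreateContextsOffset` has already been validated.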
@@ -1462,7 +1462,7 @@ struct create_context *smb2_find_context_vals(void *open_req, const char *tag)
* CreateContextsOffset and CreateContextsLength are guaranteed to
* be valid because of ksmbd_smb2_check_message().
*/
- cc = (struct create_context *)((char *)req + 4 +
+ cc = (struct create_context *)((char *)req +
le32_to_cpu(req->CreateContextsOffset));
remain_len = le32_to_cpu(req->CreateContextsLength);
do {
diff --git a/fs/ksmbd/smb2misc.c b/fs/ksmbd/smb2misc.c
index 0239fa96926c..0aba1c91fd37 100644
--- a/fs/ksmbd/smb2misc.c
+++ b/fs/ksmbd/smb2misc.c
@@ -351,7 +351,7 @@ int ksmbd_smb2_check_message(struct ksmbd_work *work)
struct smb2_hdr *hdr = &pdu->hdr;
int command;
__u32 clc_len; /* calculated length */
- __u32 len = get_rfc1002_len(pdu);
+ __u32 len = get_rfc1002_len(work->request_buf);
if (le32_to_cpu(hdr->NextCommand) > 0)
len = le32_to_cpu(hdr->NextCommand);
diff --git a/fs/ksmbd/smb2pdu.c b/fs/ksmbd/smb2pdu.c
index bec55e1f08dc..ae906e78616e 100644
--- a/fs/ksmbd/smb2pdu.c
+++ b/fs/ksmbd/smb2pdu.c
@@ -44,8 +44,8 @@ static void __wbuf(struct ksmbd_work *work, void **req, void **rsp)
*req = ksmbd_req_buf_next(work);
*rsp = ksmbd_resp_buf_next(work);
} else {
- *req = work->request_buf;
- *rsp = work->response_buf;
+ *req = smb2_get_msg(work->request_buf);
+ *rsp = smb2_get_msg(work->response_buf);
}
}
@@ -93,7 +93,7 @@ struct channel *lookup_chann_list(struct ksmbd_session *sess, struct ksmbd_conn
*/
int smb2_get_ksmbd_tcon(struct ksmbd_work *work)
{
- struct smb2_hdr *req_hdr = work->request_buf;
+ struct smb2_hdr *req_hdr = smb2_get_msg(work->request_buf);
unsigned int cmd = le16_to_cpu(req_hdr->Command);
int tree_id;
@@ -131,7 +131,7 @@ void smb2_set_err_rsp(struct ksmbd_work *work)
if (work->next_smb2_rcv_hdr_off)
err_rsp = ksmbd_resp_buf_next(work);
else
- err_rsp = work->response_buf;
+ err_rsp = smb2_get_msg(work->response_buf);
if (err_rsp->hdr.Status != STATUS_STOPPED_ON_SYMLINK) {
err_rsp->StructureSize = SMB2_ERROR_STRUCTURE_SIZE2_LE;
@@ -151,7 +151,7 @@ void smb2_set_err_rsp(struct ksmbd_work *work)
*/
bool is_smb2_neg_cmd(struct ksmbd_work *work)
{
- struct smb2_hdr *hdr = work->request_buf;
+ struct smb2_hdr *hdr = smb2_get_msg(work->request_buf);
/* is it SMB2 header ? */
if (hdr->ProtocolId != SMB2_PROTO_NUMBER)
@@ -175,7 +175,7 @@ bool is_smb2_neg_cmd(struct ksmbd_work *work)
*/
bool is_smb2_rsp(struct ksmbd_work *work)
{
- struct smb2_hdr *hdr = work->response_buf;
+ struct smb2_hdr *hdr = smb2_get_msg(work->response_buf);
/* is it SMB2 header ? */
if (hdr->ProtocolId != SMB2_PROTO_NUMBER)
@@ -201,7 +201,7 @@ u16 get_smb2_cmd_val(struct ksmbd_work *work)
if (work->next_smb2_rcv_hdr_off)
rcv_hdr = ksmbd_req_buf_next(work);
else
- rcv_hdr = work->request_buf;
+ rcv_hdr = smb2_get_msg(work->request_buf);
return le16_to_cpu(rcv_hdr->Command);
}
@@ -217,7 +217,7 @@ void set_smb2_rsp_status(struct ksmbd_work *work, __le32 err)
if (work->next_smb2_rcv_hdr_off)
rsp_hdr = ksmbd_resp_buf_next(work);
else
- rsp_hdr = work->response_buf;
+ rsp_hdr = smb2_get_msg(work->response_buf);
rsp_hdr->Status = err;
smb2_set_err_rsp(work);
}
@@ -238,13 +238,11 @@ int init_smb2_neg_rsp(struct ksmbd_work *work)
if (conn->need_neg == false)
return -EINVAL;
- rsp_hdr = work->response_buf;
+ *(__be32 *)work->response_buf =
+ cpu_to_be32(conn->vals->header_size);
+ rsp_hdr = smb2_get_msg(work->response_buf);
memset(rsp_hdr, 0, sizeof(struct smb2_hdr) + 2);
-
- rsp_hdr->smb2_buf_length =
- cpu_to_be32(smb2_hdr_size_no_buflen(conn->vals));
-
rsp_hdr->ProtocolId = SMB2_PROTO_NUMBER;
rsp_hdr->StructureSize = SMB2_HEADER_STRUCTURE_SIZE;
rsp_hdr->CreditRequest = cpu_to_le16(2);
@@ -257,7 +255,7 @@ int init_smb2_neg_rsp(struct ksmbd_work *work)
rsp_hdr->SessionId = 0;
memset(rsp_hdr->Signature, 0, 16);
- rsp = work->response_buf;
+ rsp = smb2_get_msg(work->response_buf);
WARN_ON(ksmbd_conn_good(work));
@@ -278,12 +276,12 @@ int init_smb2_neg_rsp(struct ksmbd_work *work)
rsp->SecurityBufferOffset = cpu_to_le16(128);
rsp->SecurityBufferLength = cpu_to_le16(AUTH_GSS_LENGTH);
- ksmbd_copy_gss_neg_header(((char *)(&rsp->hdr) +
- sizeof(rsp->hdr.smb2_buf_length)) +
+ ksmbd_copy_gss_neg_header((char *)(&rsp->hdr) +
le16_to_cpu(rsp->SecurityBufferOffset));
- inc_rfc1001_len(rsp, sizeof(struct smb2_negotiate_rsp) -
- sizeof(struct smb2_hdr) - sizeof(rsp->Buffer) +
- AUTH_GSS_LENGTH);
+ inc_rfc1001_len(work->response_buf,
+ sizeof(struct smb2_negotiate_rsp) -
+ sizeof(struct smb2_hdr) - sizeof(rsp->Buffer) +
+ AUTH_GSS_LENGTH);
rsp->SecurityMode = SMB2_NEGOTIATE_SIGNING_ENABLED_LE;
if (server_conf.signing == KSMBD_CONFIG_OPT_MANDATORY)
rsp->SecurityMode |= SMB2_NEGOTIATE_SIGNING_REQUIRED_LE;
@@ -388,8 +386,8 @@ static void init_chained_smb2_rsp(struct ksmbd_work *work)
next_hdr_offset = le32_to_cpu(req->NextCommand);
new_len = ALIGN(len, 8);
- inc_rfc1001_len(work->response_buf, ((sizeof(struct smb2_hdr) - 4)
- + new_len - len));
+ inc_rfc1001_len(work->response_buf,
+ sizeof(struct smb2_hdr) + new_len - len);
rsp->NextCommand = cpu_to_le32(new_len);
work->next_smb2_rcv_hdr_off += next_hdr_offset;
@@ -407,7 +405,7 @@ static void init_chained_smb2_rsp(struct ksmbd_work *work)
work->compound_fid = KSMBD_NO_FID;
work->compound_pfid = KSMBD_NO_FID;
}
- memset((char *)rsp_hdr + 4, 0, sizeof(struct smb2_hdr) + 2);
+ memset((char *)rsp_hdr, 0, sizeof(struct smb2_hdr) + 2);
rsp_hdr->ProtocolId = SMB2_PROTO_NUMBER;
rsp_hdr->StructureSize = SMB2_HEADER_STRUCTURE_SIZE;
rsp_hdr->Command = rcv_hdr->Command;
@@ -433,7 +431,7 @@ static void init_chained_smb2_rsp(struct ksmbd_work *work)
*/
bool is_chained_smb2_message(struct ksmbd_work *work)
{
- struct smb2_hdr *hdr = work->request_buf;
+ struct smb2_hdr *hdr = smb2_get_msg(work->request_buf);
unsigned int len, next_cmd;
if (hdr->ProtocolId != SMB2_PROTO_NUMBER)
@@ -484,13 +482,13 @@ bool is_chained_smb2_message(struct ksmbd_work *work)
*/
int init_smb2_rsp_hdr(struct ksmbd_work *work)
{
- struct smb2_hdr *rsp_hdr = work->response_buf;
- struct smb2_hdr *rcv_hdr = work->request_buf;
+ struct smb2_hdr *rsp_hdr = smb2_get_msg(work->response_buf);
+ struct smb2_hdr *rcv_hdr = smb2_get_msg(work->request_buf);
struct ksmbd_conn *conn = work->conn;
memset(rsp_hdr, 0, sizeof(struct smb2_hdr) + 2);
- rsp_hdr->smb2_buf_length =
- cpu_to_be32(smb2_hdr_size_no_buflen(conn->vals));
+ *(__be32 *)work->response_buf =
+ cpu_to_be32(conn->vals->header_size);
rsp_hdr->ProtocolId = rcv_hdr->ProtocolId;
rsp_hdr->StructureSize = SMB2_HEADER_STRUCTURE_SIZE;
rsp_hdr->Command = rcv_hdr->Command;
@@ -523,7 +521,7 @@ int init_smb2_rsp_hdr(struct ksmbd_work *work)
*/
int smb2_allocate_rsp_buf(struct ksmbd_work *work)
{
- struct smb2_hdr *hdr = work->request_buf;
+ struct smb2_hdr *hdr = smb2_get_msg(work->request_buf);
size_t small_sz = MAX_CIFS_SMALL_BUFFER_SIZE;
size_t large_sz = small_sz + work->conn->vals->max_trans_size;
size_t sz = small_sz;
@@ -535,7 +533,7 @@ int smb2_allocate_rsp_buf(struct ksmbd_work *work)
if (cmd == SMB2_QUERY_INFO_HE) {
struct smb2_query_info_req *req;
- req = work->request_buf;
+ req = smb2_get_msg(work->request_buf);
if (req->InfoType == SMB2_O_INFO_FILE &&
(req->FileInfoClass == FILE_FULL_EA_INFORMATION ||
req->FileInfoClass == FILE_ALL_INFORMATION))
@@ -562,7 +560,7 @@ int smb2_allocate_rsp_buf(struct ksmbd_work *work)
*/
int smb2_check_user_session(struct ksmbd_work *work)
{
- struct smb2_hdr *req_hdr = work->request_buf;
+ struct smb2_hdr *req_hdr = smb2_get_msg(work->request_buf);
struct ksmbd_conn *conn = work->conn;
unsigned int cmd = conn->ops->get_cmd_val(work);
unsigned long long sess_id;
@@ -643,7 +641,7 @@ int setup_async_work(struct ksmbd_work *work, void (*fn)(void **), void **arg)
struct ksmbd_conn *conn = work->conn;
int id;
- rsp_hdr = work->response_buf;
+ rsp_hdr = smb2_get_msg(work->response_buf);
rsp_hdr->Flags |= SMB2_FLAGS_ASYNC_COMMAND;
id = ksmbd_acquire_async_msg_id(&conn->async_ida);
@@ -675,7 +673,7 @@ void smb2_send_interim_resp(struct ksmbd_work *work, __le32 status)
{
struct smb2_hdr *rsp_hdr;
- rsp_hdr = work->response_buf;
+ rsp_hdr = smb2_get_msg(work->response_buf);
smb2_set_err_rsp(work);
rsp_hdr->Status = status;
@@ -803,11 +801,11 @@ static void build_posix_ctxt(struct smb2_posix_neg_context *pneg_ctxt)
}
static void assemble_neg_contexts(struct ksmbd_conn *conn,
- struct smb2_negotiate_rsp *rsp)
+ struct smb2_negotiate_rsp *rsp,
+ void *smb2_buf_len)
{
- /* +4 is to account for the RFC1001 len field */
char *pneg_ctxt = (char *)rsp +
- le32_to_cpu(rsp->NegotiateContextOffset) + 4;
+ le32_to_cpu(rsp->NegotiateContextOffset);
int neg_ctxt_cnt = 1;
int ctxt_size;
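Review bot: the new parameter `void *smb2_buf_len` in `assemble_neg_contexts()` is named like a length but is the pointer to the start of the response buffer that `inc_rfc1001_len()` updates (the caller passes `work->response_buf`). A name such as `rsp_buf`, or passing `struct ksmbd_work *work`, would make the call sites self-explanatory and avoid an untyped pointer.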
@@ -816,7 +814,7 @@ static void assemble_neg_contexts(struct ksmbd_conn *conn,
build_preauth_ctxt((struct smb2_preauth_neg_context *)pneg_ctxt,
conn->preauth_info->Preauth_HashId);
rsp->NegotiateContextCount = cpu_to_le16(neg_ctxt_cnt);
- inc_rfc1001_len(rsp, AUTH_GSS_PADDING);
+ inc_rfc1001_len(smb2_buf_len, AUTH_GSS_PADDING);
ctxt_size = sizeof(struct smb2_preauth_neg_context);
/* Round to 8 byte boundary */
pneg_ctxt += round_up(sizeof(struct smb2_preauth_neg_context), 8);
@@ -870,7 +868,7 @@ static void assemble_neg_contexts(struct ksmbd_conn *conn,
ctxt_size += sizeof(struct smb2_signing_capabilities) + 2;
}
- inc_rfc1001_len(rsp, ctxt_size);
+ inc_rfc1001_len(smb2_buf_len, ctxt_size);
}
static __le32 decode_preauth_ctxt(struct ksmbd_conn *conn,
@@ -953,14 +951,14 @@ static void decode_sign_cap_ctxt(struct ksmbd_conn *conn,
}
static __le32 deassemble_neg_contexts(struct ksmbd_conn *conn,
- struct smb2_negotiate_req *req)
+ struct smb2_negotiate_req *req,
+ int len_of_smb)
{
/* +4 is to account for the RFC1001 len field */
- struct smb2_neg_context *pctx = (struct smb2_neg_context *)((char *)req + 4);
+ struct smb2_neg_context *pctx = (struct smb2_neg_context *)req;
int i = 0, len_of_ctxts;
int offset = le32_to_cpu(req->NegotiateContextOffset);
int neg_ctxt_cnt = le16_to_cpu(req->NegotiateContextCount);
- int len_of_smb = be32_to_cpu(req->hdr.smb2_buf_length);
__le32 status = STATUS_INVALID_PARAMETER;
ksmbd_debug(SMB, "decoding %d negotiate contexts\n", neg_ctxt_cnt);
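Review bot: the comment `/* +4 is to account for the RFC1001 len field */` is left in place although the `+ 4` it described is removed from the `pctx` initialiser, so it now documents an adjustment that no longer happens; delete it. `len_of_smb` also arrives as a signed `int` while the caller feeds it from `get_rfc1002_len()`; `unsigned int` would match the source.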
@@ -1045,8 +1043,8 @@ static __le32 deassemble_neg_contexts(struct ksmbd_conn *conn,
int smb2_handle_negotiate(struct ksmbd_work *work)
{
struct ksmbd_conn *conn = work->conn;
- struct smb2_negotiate_req *req = work->request_buf;
- struct smb2_negotiate_rsp *rsp = work->response_buf;
+ struct smb2_negotiate_req *req = smb2_get_msg(work->request_buf);
+ struct smb2_negotiate_rsp *rsp = smb2_get_msg(work->response_buf);
int rc = 0;
unsigned int smb2_buf_len, smb2_neg_size;
__le32 status;
@@ -1067,7 +1065,7 @@ int smb2_handle_negotiate(struct ksmbd_work *work)
}
smb2_buf_len = get_rfc1002_len(work->request_buf);
- smb2_neg_size = offsetof(struct smb2_negotiate_req, Dialects) - 4;
+ smb2_neg_size = offsetof(struct smb2_negotiate_req, Dialects);
if (smb2_neg_size > smb2_buf_len) {
rsp->hdr.Status = STATUS_INVALID_PARAMETER;
rc = -EINVAL;
@@ -1116,7 +1114,8 @@ int smb2_handle_negotiate(struct ksmbd_work *work)
goto err_out;
}
- status = deassemble_neg_contexts(conn, req);
+ status = deassemble_neg_contexts(conn, req,
+ get_rfc1002_len(work->request_buf));
if (status != STATUS_SUCCESS) {
pr_err("deassemble_neg_contexts error(0x%x)\n",
status);
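Review bot: `get_rfc1002_len(work->request_buf)` is evaluated again for the `deassemble_neg_contexts()` call even though `smb2_handle_negotiate()` already stores the same value in `smb2_buf_len` earlier in the function. Passing `smb2_buf_len` keeps the call on one line and guarantees that the size check and the context parser use one length.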
@@ -1136,7 +1135,7 @@ int smb2_handle_negotiate(struct ksmbd_work *work)
conn->preauth_info->Preauth_HashValue);
rsp->NegotiateContextOffset =
cpu_to_le32(OFFSET_OF_NEG_CONTEXT);
- assemble_neg_contexts(conn, rsp);
+ assemble_neg_contexts(conn, rsp, work->response_buf);
break;
case SMB302_PROT_ID:
init_smb3_02_server(conn);
@@ -1184,10 +1183,9 @@ int smb2_handle_negotiate(struct ksmbd_work *work)
rsp->SecurityBufferOffset = cpu_to_le16(128);
rsp->SecurityBufferLength = cpu_to_le16(AUTH_GSS_LENGTH);
- ksmbd_copy_gss_neg_header(((char *)(&rsp->hdr) +
- sizeof(rsp->hdr.smb2_buf_length)) +
- le16_to_cpu(rsp->SecurityBufferOffset));
- inc_rfc1001_len(rsp, sizeof(struct smb2_negotiate_rsp) -
+ ksmbd_copy_gss_neg_header((char *)(&rsp->hdr) +
+ le16_to_cpu(rsp->SecurityBufferOffset));
+ inc_rfc1001_len(work->response_buf, sizeof(struct smb2_negotiate_rsp) -
sizeof(struct smb2_hdr) - sizeof(rsp->Buffer) +
AUTH_GSS_LENGTH);
rsp->SecurityMode = SMB2_NEGOTIATE_SIGNING_ENABLED_LE;
@@ -1279,7 +1277,7 @@ static int ntlm_negotiate(struct ksmbd_work *work,
struct negotiate_message *negblob,
size_t negblob_len)
{
- struct smb2_sess_setup_rsp *rsp = work->response_buf;
+ struct smb2_sess_setup_rsp *rsp = smb2_get_msg(work->response_buf);
struct challenge_message *chgblob;
unsigned char *spnego_blob = NULL;
u16 spnego_blob_len;
@@ -1387,8 +1385,8 @@ static struct ksmbd_user *session_user(struct ksmbd_conn *conn,
static int ntlm_authenticate(struct ksmbd_work *work)
{
- struct smb2_sess_setup_req *req = work->request_buf;
- struct smb2_sess_setup_rsp *rsp = work->response_buf;
+ struct smb2_sess_setup_req *req = smb2_get_msg(work->request_buf);
+ struct smb2_sess_setup_rsp *rsp = smb2_get_msg(work->response_buf);
struct ksmbd_conn *conn = work->conn;
struct ksmbd_session *sess = work->sess;
struct channel *chann = NULL;
@@ -1411,7 +1409,7 @@ static int ntlm_authenticate(struct ksmbd_work *work)
memcpy((char *)&rsp->hdr.ProtocolId + sz, spnego_blob, spnego_blob_len);
rsp->SecurityBufferLength = cpu_to_le16(spnego_blob_len);
kfree(spnego_blob);
- inc_rfc1001_len(rsp, spnego_blob_len - 1);
+ inc_rfc1001_len(work->response_buf, spnego_blob_len - 1);
}
user = session_user(conn, req);
@@ -1523,8 +1521,8 @@ static int ntlm_authenticate(struct ksmbd_work *work)
#ifdef CONFIG_SMB_SERVER_KERBEROS5
static int krb5_authenticate(struct ksmbd_work *work)
{
- struct smb2_sess_setup_req *req = work->request_buf;
- struct smb2_sess_setup_rsp *rsp = work->response_buf;
+ struct smb2_sess_setup_req *req = smb2_get_msg(work->request_buf);
+ struct smb2_sess_setup_rsp *rsp = smb2_get_msg(work->response_buf);
struct ksmbd_conn *conn = work->conn;
struct ksmbd_session *sess = work->sess;
char *in_blob, *out_blob;
@@ -1539,8 +1537,7 @@ static int krb5_authenticate(struct ksmbd_work *work)
out_blob = (char *)&rsp->hdr.ProtocolId +
le16_to_cpu(rsp->SecurityBufferOffset);
out_len = work->response_sz -
- offsetof(struct smb2_hdr, smb2_buf_length) -
- le16_to_cpu(rsp->SecurityBufferOffset);
+ (le16_to_cpu(rsp->SecurityBufferOffset) + 4);
/* Check previous session */
prev_sess_id = le64_to_cpu(req->PreviousSessionId);
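Review bot: the out_len computation in krb5_authenticate() replaces offsetof(struct smb2_hdr, smb2_buf_length) with a bare literal 4 inside the parentheses. Please use a named constant or sizeof(__be32) for the RFC1002 length prefix, and say in the changelog whether the resulting out_len is meant to differ from the old value, since out_len is the space available at out_blob.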
@@ -1557,7 +1554,7 @@ static int krb5_authenticate(struct ksmbd_work *work)
return -EINVAL;
}
rsp->SecurityBufferLength = cpu_to_le16(out_len);
- inc_rfc1001_len(rsp, out_len - 1);
+ inc_rfc1001_len(work->response_buf, out_len - 1);
if ((conn->sign || server_conf.enforced_signing) ||
(req->SecurityMode & SMB2_NEGOTIATE_SIGNING_REQUIRED))
@@ -1613,8 +1610,8 @@ static int krb5_authenticate(struct ksmbd_work *work)
int smb2_sess_setup(struct ksmbd_work *work)
{
struct ksmbd_conn *conn = work->conn;
- struct smb2_sess_setup_req *req = work->request_buf;
- struct smb2_sess_setup_rsp *rsp = work->response_buf;
+ struct smb2_sess_setup_req *req = smb2_get_msg(work->request_buf);
+ struct smb2_sess_setup_rsp *rsp = smb2_get_msg(work->response_buf);
struct ksmbd_session *sess;
struct negotiate_message *negblob;
unsigned int negblob_len, negblob_off;
@@ -1626,7 +1623,7 @@ int smb2_sess_setup(struct ksmbd_work *work)
rsp->SessionFlags = 0;
rsp->SecurityBufferOffset = cpu_to_le16(72);
rsp->SecurityBufferLength = 0;
- inc_rfc1001_len(rsp, 9);
+ inc_rfc1001_len(work->response_buf, 9);
if (!req->hdr.SessionId) {
sess = ksmbd_smb2_session_create();
@@ -1700,7 +1697,7 @@ int smb2_sess_setup(struct ksmbd_work *work)
negblob_off = le16_to_cpu(req->SecurityBufferOffset);
negblob_len = le16_to_cpu(req->SecurityBufferLength);
- if (negblob_off < (offsetof(struct smb2_sess_setup_req, Buffer) - 4) ||
+ if (negblob_off < offsetof(struct smb2_sess_setup_req, Buffer) ||
negblob_len < offsetof(struct negotiate_message, NegotiateFlags))
return -EINVAL;
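Review bot: the negblob_off test in smb2_sess_setup() only enforces a lower bound (offsetof(struct smb2_sess_setup_req, Buffer)) and a minimum negblob_len; nothing in these lines checks negblob_off + negblob_len against get_rfc1002_len(work->request_buf). Since this patch changes the base the offset is measured from, please confirm the upper bound is enforced elsewhere, or add it here next to the lower bound.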
@@ -1740,7 +1737,8 @@ int smb2_sess_setup(struct ksmbd_work *work)
* Note: here total size -1 is done as an
* adjustment for 0 size blob
*/
- inc_rfc1001_len(rsp, le16_to_cpu(rsp->SecurityBufferLength) - 1);
+ inc_rfc1001_len(work->response_buf,
+ le16_to_cpu(rsp->SecurityBufferLength) - 1);
} else if (negblob->MessageType == NtLmAuthenticate) {
rc = ntlm_authenticate(work);
@@ -1829,8 +1827,8 @@ int smb2_sess_setup(struct ksmbd_work *work)
int smb2_tree_connect(struct ksmbd_work *work)
{
struct ksmbd_conn *conn = work->conn;
- struct smb2_tree_connect_req *req = work->request_buf;
- struct smb2_tree_connect_rsp *rsp = work->response_buf;
+ struct smb2_tree_connect_req *req = smb2_get_msg(work->request_buf);
+ struct smb2_tree_connect_rsp *rsp = smb2_get_msg(work->response_buf);
struct ksmbd_session *sess = work->sess;
char *treename = NULL, *name = NULL;
struct ksmbd_tree_conn_status status;
@@ -1895,7 +1893,7 @@ int smb2_tree_connect(struct ksmbd_work *work)
rsp->Reserved = 0;
/* default manual caching */
rsp->ShareFlags = SMB2_SHAREFLAG_MANUAL_CACHING;
- inc_rfc1001_len(rsp, 16);
+ inc_rfc1001_len(work->response_buf, 16);
if (!IS_ERR(treename))
kfree(treename);
@@ -2000,17 +1998,18 @@ static int smb2_create_open_flags(bool file_present, __le32 access,
*/
int smb2_tree_disconnect(struct ksmbd_work *work)
{
- struct smb2_tree_disconnect_rsp *rsp = work->response_buf;
+ struct smb2_tree_disconnect_rsp *rsp = smb2_get_msg(work->response_buf);
struct ksmbd_session *sess = work->sess;
struct ksmbd_tree_connect *tcon = work->tcon;
rsp->StructureSize = cpu_to_le16(4);
- inc_rfc1001_len(rsp, 4);
+ inc_rfc1001_len(work->response_buf, 4);
ksmbd_debug(SMB, "request\n");
if (!tcon) {
- struct smb2_tree_disconnect_req *req = work->request_buf;
+ struct smb2_tree_disconnect_req *req =
+ smb2_get_msg(work->request_buf);
ksmbd_debug(SMB, "Invalid tid %d\n", req->hdr.Id.SyncId.TreeId);
rsp->hdr.Status = STATUS_NETWORK_NAME_DELETED;
@@ -2032,11 +2031,11 @@ int smb2_tree_disconnect(struct ksmbd_work *work)
int smb2_session_logoff(struct ksmbd_work *work)
{
struct ksmbd_conn *conn = work->conn;
- struct smb2_logoff_rsp *rsp = work->response_buf;
+ struct smb2_logoff_rsp *rsp = smb2_get_msg(work->response_buf);
struct ksmbd_session *sess = work->sess;
rsp->StructureSize = cpu_to_le16(4);
- inc_rfc1001_len(rsp, 4);
+ inc_rfc1001_len(work->response_buf, 4);
ksmbd_debug(SMB, "request\n");
@@ -2049,7 +2048,7 @@ int smb2_session_logoff(struct ksmbd_work *work)
ksmbd_conn_wait_idle(conn);
if (ksmbd_tree_conn_session_logoff(sess)) {
- struct smb2_logoff_req *req = work->request_buf;
+ struct smb2_logoff_req *req = smb2_get_msg(work->request_buf);
ksmbd_debug(SMB, "Invalid tid %d\n", req->hdr.Id.SyncId.TreeId);
rsp->hdr.Status = STATUS_NETWORK_NAME_DELETED;
@@ -2076,8 +2075,8 @@ int smb2_session_logoff(struct ksmbd_work *work)
*/
static noinline int create_smb2_pipe(struct ksmbd_work *work)
{
- struct smb2_create_rsp *rsp = work->response_buf;
- struct smb2_create_req *req = work->request_buf;
+ struct smb2_create_rsp *rsp = smb2_get_msg(work->response_buf);
+ struct smb2_create_req *req = smb2_get_msg(work->request_buf);
int id;
int err;
char *name;
@@ -2115,7 +2114,7 @@ static noinline int create_smb2_pipe(struct ksmbd_work *work)
rsp->CreateContextsOffset = 0;
rsp->CreateContextsLength = 0;
- inc_rfc1001_len(rsp, 88); /* StructureSize - 1*/
+ inc_rfc1001_len(work->response_buf, 88); /* StructureSize - 1*/
kfree(name);
return 0;
@@ -2449,7 +2448,7 @@ int smb2_open(struct ksmbd_work *work)
struct ksmbd_session *sess = work->sess;
struct ksmbd_tree_connect *tcon = work->tcon;
struct smb2_create_req *req;
- struct smb2_create_rsp *rsp, *rsp_org;
+ struct smb2_create_rsp *rsp;
struct path path;
struct ksmbd_share_config *share = tcon->share_conf;
struct ksmbd_file *fp = NULL;
@@ -2474,7 +2473,6 @@ int smb2_open(struct ksmbd_work *work)
umode_t posix_mode = 0;
__le32 daccess, maximal_access = 0;
- rsp_org = work->response_buf;
WORK_BUFFERS(work, req, rsp);
if (req->hdr.NextCommand && !work->next_smb2_rcv_hdr_off &&
@@ -3114,7 +3112,7 @@ int smb2_open(struct ksmbd_work *work)
rsp->CreateContextsOffset = 0;
rsp->CreateContextsLength = 0;
- inc_rfc1001_len(rsp_org, 88); /* StructureSize - 1*/
+ inc_rfc1001_len(work->response_buf, 88); /* StructureSize - 1*/
/* If lease is request send lease context response */
if (opinfo && opinfo->is_lease) {
@@ -3129,7 +3127,8 @@ int smb2_open(struct ksmbd_work *work)
create_lease_buf(rsp->Buffer, opinfo->o_lease);
le32_add_cpu(&rsp->CreateContextsLength,
conn->vals->create_lease_size);
- inc_rfc1001_len(rsp_org, conn->vals->create_lease_size);
+ inc_rfc1001_len(work->response_buf,
+ conn->vals->create_lease_size);
next_ptr = &lease_ccontext->Next;
next_off = conn->vals->create_lease_size;
}
@@ -3148,7 +3147,8 @@ int smb2_open(struct ksmbd_work *work)
le32_to_cpu(maximal_access));
le32_add_cpu(&rsp->CreateContextsLength,
conn->vals->create_mxac_size);
- inc_rfc1001_len(rsp_org, conn->vals->create_mxac_size);
+ inc_rfc1001_len(work->response_buf,
+ conn->vals->create_mxac_size);
if (next_ptr)
*next_ptr = cpu_to_le32(next_off);
next_ptr = &mxac_ccontext->Next;
@@ -3166,7 +3166,8 @@ int smb2_open(struct ksmbd_work *work)
stat.ino, tcon->id);
le32_add_cpu(&rsp->CreateContextsLength,
conn->vals->create_disk_id_size);
- inc_rfc1001_len(rsp_org, conn->vals->create_disk_id_size);
+ inc_rfc1001_len(work->response_buf,
+ conn->vals->create_disk_id_size);
if (next_ptr)
*next_ptr = cpu_to_le32(next_off);
next_ptr = &disk_id_ccontext->Next;
@@ -3180,15 +3181,15 @@ int smb2_open(struct ksmbd_work *work)
fp);
le32_add_cpu(&rsp->CreateContextsLength,
conn->vals->create_posix_size);
- inc_rfc1001_len(rsp_org, conn->vals->create_posix_size);
+ inc_rfc1001_len(work->response_buf,
+ conn->vals->create_posix_size);
if (next_ptr)
*next_ptr = cpu_to_le32(next_off);
}
if (contxt_cnt > 0) {
rsp->CreateContextsOffset =
- cpu_to_le32(offsetof(struct smb2_create_rsp, Buffer)
- - 4);
+ cpu_to_le32(offsetof(struct smb2_create_rsp, Buffer));
}
err_out:
@@ -3786,7 +3787,7 @@ int smb2_query_dir(struct ksmbd_work *work)
{
struct ksmbd_conn *conn = work->conn;
struct smb2_query_directory_req *req;
- struct smb2_query_directory_rsp *rsp, *rsp_org;
+ struct smb2_query_directory_rsp *rsp;
struct ksmbd_share_config *share = work->tcon->share_conf;
struct ksmbd_file *dir_fp = NULL;
struct ksmbd_dir_info d_info;
@@ -3796,7 +3797,6 @@ int smb2_query_dir(struct ksmbd_work *work)
int buffer_sz;
struct smb2_query_dir_private query_dir_private = {NULL, };
- rsp_org = work->response_buf;
WORK_BUFFERS(work, req, rsp);
if (ksmbd_override_fsids(work)) {
@@ -3916,7 +3916,7 @@ int smb2_query_dir(struct ksmbd_work *work)
rsp->OutputBufferOffset = cpu_to_le16(0);
rsp->OutputBufferLength = cpu_to_le32(0);
rsp->Buffer[0] = 0;
- inc_rfc1001_len(rsp_org, 9);
+ inc_rfc1001_len(work->response_buf, 9);
} else {
((struct file_directory_info *)
((char *)rsp->Buffer + d_info.last_entry_offset))
@@ -3925,7 +3925,7 @@ int smb2_query_dir(struct ksmbd_work *work)
rsp->StructureSize = cpu_to_le16(9);
rsp->OutputBufferOffset = cpu_to_le16(72);
rsp->OutputBufferLength = cpu_to_le32(d_info.data_count);
- inc_rfc1001_len(rsp_org, 8 + d_info.data_count);
+ inc_rfc1001_len(work->response_buf, 8 + d_info.data_count);
}
kfree(srch_ptr);
@@ -3968,26 +3968,28 @@ int smb2_query_dir(struct ksmbd_work *work)
* Return: 0 on success, otherwise error
*/
static int buffer_check_err(int reqOutputBufferLength,
- struct smb2_query_info_rsp *rsp, int infoclass_size)
+ struct smb2_query_info_rsp *rsp,
+ void *rsp_org, int infoclass_size)
{
if (reqOutputBufferLength < le32_to_cpu(rsp->OutputBufferLength)) {
if (reqOutputBufferLength < infoclass_size) {
pr_err("Invalid Buffer Size Requested\n");
rsp->hdr.Status = STATUS_INFO_LENGTH_MISMATCH;
- rsp->hdr.smb2_buf_length = cpu_to_be32(sizeof(struct smb2_hdr) - 4);
+ *(__be32 *)rsp_org = cpu_to_be32(sizeof(struct smb2_hdr));
return -EINVAL;
}
ksmbd_debug(SMB, "Buffer Overflow\n");
rsp->hdr.Status = STATUS_BUFFER_OVERFLOW;
- rsp->hdr.smb2_buf_length = cpu_to_be32(sizeof(struct smb2_hdr) - 4 +
+ *(__be32 *)rsp_org = cpu_to_be32(sizeof(struct smb2_hdr) +
reqOutputBufferLength);
rsp->OutputBufferLength = cpu_to_le32(reqOutputBufferLength);
}
return 0;
}
-static void get_standard_info_pipe(struct smb2_query_info_rsp *rsp)
+static void get_standard_info_pipe(struct smb2_query_info_rsp *rsp,
+ void *rsp_org)
{
struct smb2_file_standard_info *sinfo;
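Review bot: buffer_check_err() now sets the length with an open-coded *(__be32 *)rsp_org = cpu_to_be32(...), twice. The rest of the patch reaches this field through get_rfc1002_len() and inc_rfc1001_len(), so a small setter next to those helpers would avoid the raw cast on a void pointer and keep the knowledge that the length prefix sits at offset 0 of the buffer in one place.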
@@ -4000,10 +4002,11 @@ static void get_standard_info_pipe(struct smb2_query_info_rsp *rsp)
sinfo->Directory = 0;
rsp->OutputBufferLength =
cpu_to_le32(sizeof(struct smb2_file_standard_info));
- inc_rfc1001_len(rsp, sizeof(struct smb2_file_standard_info));
+ inc_rfc1001_len(rsp_org, sizeof(struct smb2_file_standard_info));
}
-static void get_internal_info_pipe(struct smb2_query_info_rsp *rsp, u64 num)
+static void get_internal_info_pipe(struct smb2_query_info_rsp *rsp, u64 num,
+ void *rsp_org)
{
struct smb2_file_internal_info *file_info;
@@ -4013,12 +4016,13 @@ static void get_internal_info_pipe(struct smb2_query_info_rsp *rsp, u64 num)
file_info->IndexNumber = cpu_to_le64(num | (1ULL << 63));
rsp->OutputBufferLength =
cpu_to_le32(sizeof(struct smb2_file_internal_info));
- inc_rfc1001_len(rsp, sizeof(struct smb2_file_internal_info));
+ inc_rfc1001_len(rsp_org, sizeof(struct smb2_file_internal_info));
}
static int smb2_get_info_file_pipe(struct ksmbd_session *sess,
struct smb2_query_info_req *req,
- struct smb2_query_info_rsp *rsp)
+ struct smb2_query_info_rsp *rsp,
+ void *rsp_org)
{
u64 id;
int rc;
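Review bot: smb2_get_info_file_pipe() gains a void *rsp_org parameter here, while the same patch removes rsp_org from smb2_get_info_file(), smb2_get_info_filesystem() and smb2_get_info_sec() in favour of work->response_buf. An untyped void * next to a typed rsp is easy to swap at a call site; consider passing struct ksmbd_work *work to the pipe helpers as well, so there is a single way to reach the response buffer.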
@@ -4036,14 +4040,16 @@ static int smb2_get_info_file_pipe(struct ksmbd_session *sess,
switch (req->FileInfoClass) {
case FILE_STANDARD_INFORMATION:
- get_standard_info_pipe(rsp);
+ get_standard_info_pipe(rsp, rsp_org);
rc = buffer_check_err(le32_to_cpu(req->OutputBufferLength),
- rsp, FILE_STANDARD_INFORMATION_SIZE);
+ rsp, rsp_org,
+ FILE_STANDARD_INFORMATION_SIZE);
break;
case FILE_INTERNAL_INFORMATION:
- get_internal_info_pipe(rsp, id);
+ get_internal_info_pipe(rsp, id, rsp_org);
rc = buffer_check_err(le32_to_cpu(req->OutputBufferLength),
- rsp, FILE_INTERNAL_INFORMATION_SIZE);
+ rsp, rsp_org,
+ FILE_INTERNAL_INFORMATION_SIZE);
break;
default:
ksmbd_debug(SMB, "smb2_info_file_pipe for %u not supported\n",
@@ -4651,7 +4657,7 @@ static int find_file_posix_info(struct smb2_query_info_rsp *rsp,
static int smb2_get_info_file(struct ksmbd_work *work,
struct smb2_query_info_req *req,
- struct smb2_query_info_rsp *rsp, void *rsp_org)
+ struct smb2_query_info_rsp *rsp)
{
struct ksmbd_file *fp;
int fileinfoclass = 0;
@@ -4662,7 +4668,8 @@ static int smb2_get_info_file(struct ksmbd_work *work,
if (test_share_config_flag(work->tcon->share_conf,
KSMBD_SHARE_FLAG_PIPE)) {
/* smb2 info file called for pipe */
- return smb2_get_info_file_pipe(work->sess, req, rsp);
+ return smb2_get_info_file_pipe(work->sess, req, rsp,
+ work->response_buf);
}
if (work->next_smb2_rcv_hdr_off) {
@@ -4687,77 +4694,77 @@ static int smb2_get_info_file(struct ksmbd_work *work,
switch (fileinfoclass) {
case FILE_ACCESS_INFORMATION:
- get_file_access_info(rsp, fp, rsp_org);
+ get_file_access_info(rsp, fp, work->response_buf);
file_infoclass_size = FILE_ACCESS_INFORMATION_SIZE;
break;
case FILE_BASIC_INFORMATION:
- rc = get_file_basic_info(rsp, fp, rsp_org);
+ rc = get_file_basic_info(rsp, fp, work->response_buf);
file_infoclass_size = FILE_BASIC_INFORMATION_SIZE;
break;
case FILE_STANDARD_INFORMATION:
- get_file_standard_info(rsp, fp, rsp_org);
+ get_file_standard_info(rsp, fp, work->response_buf);
file_infoclass_size = FILE_STANDARD_INFORMATION_SIZE;
break;
case FILE_ALIGNMENT_INFORMATION:
- get_file_alignment_info(rsp, rsp_org);
+ get_file_alignment_info(rsp, work->response_buf);
file_infoclass_size = FILE_ALIGNMENT_INFORMATION_SIZE;
break;
case FILE_ALL_INFORMATION:
- rc = get_file_all_info(work, rsp, fp, rsp_org);
+ rc = get_file_all_info(work, rsp, fp, work->response_buf);
file_infoclass_size = FILE_ALL_INFORMATION_SIZE;
break;
case FILE_ALTERNATE_NAME_INFORMATION:
- get_file_alternate_info(work, rsp, fp, rsp_org);
+ get_file_alternate_info(work, rsp, fp, work->response_buf);
file_infoclass_size = FILE_ALTERNATE_NAME_INFORMATION_SIZE;
break;
case FILE_STREAM_INFORMATION:
- get_file_stream_info(work, rsp, fp, rsp_org);
+ get_file_stream_info(work, rsp, fp, work->response_buf);
file_infoclass_size = FILE_STREAM_INFORMATION_SIZE;
break;
case FILE_INTERNAL_INFORMATION:
- get_file_internal_info(rsp, fp, rsp_org);
+ get_file_internal_info(rsp, fp, work->response_buf);
file_infoclass_size = FILE_INTERNAL_INFORMATION_SIZE;
break;
case FILE_NETWORK_OPEN_INFORMATION:
- rc = get_file_network_open_info(rsp, fp, rsp_org);
+ rc = get_file_network_open_info(rsp, fp, work->response_buf);
file_infoclass_size = FILE_NETWORK_OPEN_INFORMATION_SIZE;
break;
case FILE_EA_INFORMATION:
- get_file_ea_info(rsp, rsp_org);
+ get_file_ea_info(rsp, work->response_buf);
file_infoclass_size = FILE_EA_INFORMATION_SIZE;
break;
case FILE_FULL_EA_INFORMATION:
- rc = smb2_get_ea(work, fp, req, rsp, rsp_org);
+ rc = smb2_get_ea(work, fp, req, rsp, work->response_buf);
file_infoclass_size = FILE_FULL_EA_INFORMATION_SIZE;
break;
case FILE_POSITION_INFORMATION:
- get_file_position_info(rsp, fp, rsp_org);
+ get_file_position_info(rsp, fp, work->response_buf);
file_infoclass_size = FILE_POSITION_INFORMATION_SIZE;
break;
case FILE_MODE_INFORMATION:
- get_file_mode_info(rsp, fp, rsp_org);
+ get_file_mode_info(rsp, fp, work->response_buf);
file_infoclass_size = FILE_MODE_INFORMATION_SIZE;
break;
case FILE_COMPRESSION_INFORMATION:
- get_file_compression_info(rsp, fp, rsp_org);
+ get_file_compression_info(rsp, fp, work->response_buf);
file_infoclass_size = FILE_COMPRESSION_INFORMATION_SIZE;
break;
case FILE_ATTRIBUTE_TAG_INFORMATION:
- rc = get_file_attribute_tag_info(rsp, fp, rsp_org);
+ rc = get_file_attribute_tag_info(rsp, fp, work->response_buf);
file_infoclass_size = FILE_ATTRIBUTE_TAG_INFORMATION_SIZE;
break;
case SMB_FIND_FILE_POSIX_INFO:
@@ -4765,7 +4772,7 @@ static int smb2_get_info_file(struct ksmbd_work *work,
pr_err("client doesn't negotiate with SMB3.1.1 POSIX Extensions\n");
rc = -EOPNOTSUPP;
} else {
- rc = find_file_posix_info(rsp, fp, rsp_org);
+ rc = find_file_posix_info(rsp, fp, work->response_buf);
file_infoclass_size = sizeof(struct smb311_posix_qinfo);
}
break;
@@ -4776,7 +4783,7 @@ static int smb2_get_info_file(struct ksmbd_work *work,
}
if (!rc)
rc = buffer_check_err(le32_to_cpu(req->OutputBufferLength),
- rsp,
+ rsp, work->response_buf,
file_infoclass_size);
ksmbd_fd_put(work, fp);
return rc;
@@ -4784,7 +4791,7 @@ static int smb2_get_info_file(struct ksmbd_work *work,
static int smb2_get_info_filesystem(struct ksmbd_work *work,
struct smb2_query_info_req *req,
- struct smb2_query_info_rsp *rsp, void *rsp_org)
+ struct smb2_query_info_rsp *rsp)
{
struct ksmbd_session *sess = work->sess;
struct ksmbd_conn *conn = sess->conn;
@@ -4820,7 +4827,7 @@ static int smb2_get_info_filesystem(struct ksmbd_work *work,
info->DeviceType = cpu_to_le32(stfs.f_type);
info->DeviceCharacteristics = cpu_to_le32(0x00000020);
rsp->OutputBufferLength = cpu_to_le32(8);
- inc_rfc1001_len(rsp_org, 8);
+ inc_rfc1001_len(work->response_buf, 8);
fs_infoclass_size = FS_DEVICE_INFORMATION_SIZE;
break;
}
@@ -4846,7 +4853,7 @@ static int smb2_get_info_filesystem(struct ksmbd_work *work,
info->FileSystemNameLen = cpu_to_le32(len);
sz = sizeof(struct filesystem_attribute_info) - 2 + len;
rsp->OutputBufferLength = cpu_to_le32(sz);
- inc_rfc1001_len(rsp_org, sz);
+ inc_rfc1001_len(work->response_buf, sz);
fs_infoclass_size = FS_ATTRIBUTE_INFORMATION_SIZE;
break;
}
@@ -4867,7 +4874,7 @@ static int smb2_get_info_filesystem(struct ksmbd_work *work,
info->Reserved = 0;
sz = sizeof(struct filesystem_vol_info) - 2 + len;
rsp->OutputBufferLength = cpu_to_le32(sz);
- inc_rfc1001_len(rsp_org, sz);
+ inc_rfc1001_len(work->response_buf, sz);
fs_infoclass_size = FS_VOLUME_INFORMATION_SIZE;
break;
}
@@ -4881,7 +4888,7 @@ static int smb2_get_info_filesystem(struct ksmbd_work *work,
info->SectorsPerAllocationUnit = cpu_to_le32(1);
info->BytesPerSector = cpu_to_le32(stfs.f_bsize);
rsp->OutputBufferLength = cpu_to_le32(24);
- inc_rfc1001_len(rsp_org, 24);
+ inc_rfc1001_len(work->response_buf, 24);
fs_infoclass_size = FS_SIZE_INFORMATION_SIZE;
break;
}
@@ -4898,7 +4905,7 @@ static int smb2_get_info_filesystem(struct ksmbd_work *work,
info->SectorsPerAllocationUnit = cpu_to_le32(1);
info->BytesPerSector = cpu_to_le32(stfs.f_bsize);
rsp->OutputBufferLength = cpu_to_le32(32);
- inc_rfc1001_len(rsp_org, 32);
+ inc_rfc1001_len(work->response_buf, 32);
fs_infoclass_size = FS_FULL_SIZE_INFORMATION_SIZE;
break;
}
@@ -4919,7 +4926,7 @@ static int smb2_get_info_filesystem(struct ksmbd_work *work,
info->extended_info.rel_date = 0;
memcpy(info->extended_info.version_string, "1.1.0", strlen("1.1.0"));
rsp->OutputBufferLength = cpu_to_le32(64);
- inc_rfc1001_len(rsp_org, 64);
+ inc_rfc1001_len(work->response_buf, 64);
fs_infoclass_size = FS_OBJECT_ID_INFORMATION_SIZE;
break;
}
@@ -4940,7 +4947,7 @@ static int smb2_get_info_filesystem(struct ksmbd_work *work,
info->ByteOffsetForSectorAlignment = 0;
info->ByteOffsetForPartitionAlignment = 0;
rsp->OutputBufferLength = cpu_to_le32(28);
- inc_rfc1001_len(rsp_org, 28);
+ inc_rfc1001_len(work->response_buf, 28);
fs_infoclass_size = FS_SECTOR_SIZE_INFORMATION_SIZE;
break;
}
@@ -4962,7 +4969,7 @@ static int smb2_get_info_filesystem(struct ksmbd_work *work,
info->DefaultQuotaLimit = cpu_to_le64(SMB2_NO_FID);
info->Padding = 0;
rsp->OutputBufferLength = cpu_to_le32(48);
- inc_rfc1001_len(rsp_org, 48);
+ inc_rfc1001_len(work->response_buf, 48);
fs_infoclass_size = FS_CONTROL_INFORMATION_SIZE;
break;
}
@@ -4983,7 +4990,7 @@ static int smb2_get_info_filesystem(struct ksmbd_work *work,
info->TotalFileNodes = cpu_to_le64(stfs.f_files);
info->FreeFileNodes = cpu_to_le64(stfs.f_ffree);
rsp->OutputBufferLength = cpu_to_le32(56);
- inc_rfc1001_len(rsp_org, 56);
+ inc_rfc1001_len(work->response_buf, 56);
fs_infoclass_size = FS_POSIX_INFORMATION_SIZE;
}
break;
@@ -4993,7 +5000,7 @@ static int smb2_get_info_filesystem(struct ksmbd_work *work,
return -EOPNOTSUPP;
}
rc = buffer_check_err(le32_to_cpu(req->OutputBufferLength),
- rsp,
+ rsp, work->response_buf,
fs_infoclass_size);
path_put(&path);
return rc;
@@ -5001,7 +5008,7 @@ static int smb2_get_info_filesystem(struct ksmbd_work *work,
static int smb2_get_info_sec(struct ksmbd_work *work,
struct smb2_query_info_req *req,
- struct smb2_query_info_rsp *rsp, void *rsp_org)
+ struct smb2_query_info_rsp *rsp)
{
struct ksmbd_file *fp;
struct smb_ntsd *pntsd = (struct smb_ntsd *)rsp->Buffer, *ppntsd = NULL;
@@ -5027,7 +5034,7 @@ static int smb2_get_info_sec(struct ksmbd_work *work,
secdesclen = sizeof(struct smb_ntsd);
rsp->OutputBufferLength = cpu_to_le32(secdesclen);
- inc_rfc1001_len(rsp_org, secdesclen);
+ inc_rfc1001_len(work->response_buf, secdesclen);
return 0;
}
@@ -5066,7 +5073,7 @@ static int smb2_get_info_sec(struct ksmbd_work *work,
return rc;
rsp->OutputBufferLength = cpu_to_le32(secdesclen);
- inc_rfc1001_len(rsp_org, secdesclen);
+ inc_rfc1001_len(work->response_buf, secdesclen);
return 0;
}
@@ -5079,10 +5086,9 @@ static int smb2_get_info_sec(struct ksmbd_work *work,
int smb2_query_info(struct ksmbd_work *work)
{
struct smb2_query_info_req *req;
- struct smb2_query_info_rsp *rsp, *rsp_org;
+ struct smb2_query_info_rsp *rsp;
int rc = 0;
- rsp_org = work->response_buf;
WORK_BUFFERS(work, req, rsp);
ksmbd_debug(SMB, "GOT query info request\n");
@@ -5090,15 +5096,15 @@ int smb2_query_info(struct ksmbd_work *work)
switch (req->InfoType) {
case SMB2_O_INFO_FILE:
ksmbd_debug(SMB, "GOT SMB2_O_INFO_FILE\n");
- rc = smb2_get_info_file(work, req, rsp, (void *)rsp_org);
+ rc = smb2_get_info_file(work, req, rsp);
break;
case SMB2_O_INFO_FILESYSTEM:
ksmbd_debug(SMB, "GOT SMB2_O_INFO_FILESYSTEM\n");
- rc = smb2_get_info_filesystem(work, req, rsp, (void *)rsp_org);
+ rc = smb2_get_info_filesystem(work, req, rsp);
break;
case SMB2_O_INFO_SECURITY:
ksmbd_debug(SMB, "GOT SMB2_O_INFO_SECURITY\n");
- rc = smb2_get_info_sec(work, req, rsp, (void *)rsp_org);
+ rc = smb2_get_info_sec(work, req, rsp);
break;
default:
ksmbd_debug(SMB, "InfoType %d not supported yet\n",
@@ -5123,7 +5129,7 @@ int smb2_query_info(struct ksmbd_work *work)
}
rsp->StructureSize = cpu_to_le16(9);
rsp->OutputBufferOffset = cpu_to_le16(72);
- inc_rfc1001_len(rsp_org, 8);
+ inc_rfc1001_len(work->response_buf, 8);
return 0;
}
@@ -5136,8 +5142,8 @@ int smb2_query_info(struct ksmbd_work *work)
static noinline int smb2_close_pipe(struct ksmbd_work *work)
{
u64 id;
- struct smb2_close_req *req = work->request_buf;
- struct smb2_close_rsp *rsp = work->response_buf;
+ struct smb2_close_req *req = smb2_get_msg(work->request_buf);
+ struct smb2_close_rsp *rsp = smb2_get_msg(work->response_buf);
id = le64_to_cpu(req->VolatileFileId);
ksmbd_session_rpc_close(work->sess, id);
@@ -5152,7 +5158,7 @@ static noinline int smb2_close_pipe(struct ksmbd_work *work)
rsp->AllocationSize = 0;
rsp->EndOfFile = 0;
rsp->Attributes = 0;
- inc_rfc1001_len(rsp, 60);
+ inc_rfc1001_len(work->response_buf, 60);
return 0;
}
@@ -5168,14 +5174,12 @@ int smb2_close(struct ksmbd_work *work)
u64 sess_id;
struct smb2_close_req *req;
struct smb2_close_rsp *rsp;
- struct smb2_close_rsp *rsp_org;
struct ksmbd_conn *conn = work->conn;
struct ksmbd_file *fp;
struct inode *inode;
u64 time;
int err = 0;
- rsp_org = work->response_buf;
WORK_BUFFERS(work, req, rsp);
if (test_share_config_flag(work->tcon->share_conf,
@@ -5265,7 +5269,7 @@ int smb2_close(struct ksmbd_work *work)
rsp->hdr.Status = STATUS_FILE_CLOSED;
smb2_set_err_rsp(work);
} else {
- inc_rfc1001_len(rsp_org, 60);
+ inc_rfc1001_len(work->response_buf, 60);
}
return 0;
@@ -5279,11 +5283,11 @@ int smb2_close(struct ksmbd_work *work)
*/
int smb2_echo(struct ksmbd_work *work)
{
- struct smb2_echo_rsp *rsp = work->response_buf;
+ struct smb2_echo_rsp *rsp = smb2_get_msg(work->response_buf);
rsp->StructureSize = cpu_to_le16(4);
rsp->Reserved = 0;
- inc_rfc1001_len(rsp, 4);
+ inc_rfc1001_len(work->response_buf, 4);
return 0;
}
@@ -5894,14 +5898,13 @@ static int smb2_set_info_sec(struct ksmbd_file *fp, int addition_info,
int smb2_set_info(struct ksmbd_work *work)
{
struct smb2_set_info_req *req;
- struct smb2_set_info_rsp *rsp, *rsp_org;
+ struct smb2_set_info_rsp *rsp;
struct ksmbd_file *fp;
int rc = 0;
unsigned int id = KSMBD_NO_FID, pid = KSMBD_NO_FID;
ksmbd_debug(SMB, "Received set info request\n");
- rsp_org = work->response_buf;
if (work->next_smb2_rcv_hdr_off) {
req = ksmbd_req_buf_next(work);
rsp = ksmbd_resp_buf_next(work);
@@ -5912,8 +5915,8 @@ int smb2_set_info(struct ksmbd_work *work)
pid = work->compound_pfid;
}
} else {
- req = work->request_buf;
- rsp = work->response_buf;
+ req = smb2_get_msg(work->request_buf);
+ rsp = smb2_get_msg(work->response_buf);
}
if (!has_file_id(id)) {
@@ -5953,7 +5956,7 @@ int smb2_set_info(struct ksmbd_work *work)
goto err_out;
rsp->StructureSize = cpu_to_le16(2);
- inc_rfc1001_len(rsp_org, 2);
+ inc_rfc1001_len(work->response_buf, 2);
ksmbd_fd_put(work, fp);
return 0;
@@ -5993,12 +5996,12 @@ static noinline int smb2_read_pipe(struct ksmbd_work *work)
int nbytes = 0, err;
u64 id;
struct ksmbd_rpc_command *rpc_resp;
- struct smb2_read_req *req = work->request_buf;
- struct smb2_read_rsp *rsp = work->response_buf;
+ struct smb2_read_req *req = smb2_get_msg(work->request_buf);
+ struct smb2_read_rsp *rsp = smb2_get_msg(work->response_buf);
id = le64_to_cpu(req->VolatileFileId);
- inc_rfc1001_len(rsp, 16);
+ inc_rfc1001_len(work->response_buf, 16);
rpc_resp = ksmbd_rpc_read(work->sess, id);
if (rpc_resp) {
if (rpc_resp->flags != KSMBD_RPC_OK) {
@@ -6017,7 +6020,7 @@ static noinline int smb2_read_pipe(struct ksmbd_work *work)
rpc_resp->payload_sz);
nbytes = rpc_resp->payload_sz;
- work->resp_hdr_sz = get_rfc1002_len(rsp) + 4;
+ work->resp_hdr_sz = get_rfc1002_len(work->response_buf) + 4;
work->aux_payload_sz = nbytes;
kvfree(rpc_resp);
}
@@ -6028,7 +6031,7 @@ static noinline int smb2_read_pipe(struct ksmbd_work *work)
rsp->DataLength = cpu_to_le32(nbytes);
rsp->DataRemaining = 0;
rsp->Reserved2 = 0;
- inc_rfc1001_len(rsp, nbytes);
+ inc_rfc1001_len(work->response_buf, nbytes);
return 0;
out:
@@ -6078,14 +6081,13 @@ int smb2_read(struct ksmbd_work *work)
{
struct ksmbd_conn *conn = work->conn;
struct smb2_read_req *req;
- struct smb2_read_rsp *rsp, *rsp_org;
+ struct smb2_read_rsp *rsp;
struct ksmbd_file *fp;
loff_t offset;
size_t length, mincount;
ssize_t nbytes = 0, remain_bytes = 0;
int err = 0;
- rsp_org = work->response_buf;
WORK_BUFFERS(work, req, rsp);
if (test_share_config_flag(work->tcon->share_conf,
@@ -6167,10 +6169,10 @@ int smb2_read(struct ksmbd_work *work)
rsp->DataLength = cpu_to_le32(nbytes);
rsp->DataRemaining = cpu_to_le32(remain_bytes);
rsp->Reserved2 = 0;
- inc_rfc1001_len(rsp_org, 16);
- work->resp_hdr_sz = get_rfc1002_len(rsp_org) + 4;
+ inc_rfc1001_len(work->response_buf, 16);
+ work->resp_hdr_sz = get_rfc1002_len(work->response_buf) + 4;
work->aux_payload_sz = nbytes;
- inc_rfc1001_len(rsp_org, nbytes);
+ inc_rfc1001_len(work->response_buf, nbytes);
ksmbd_fd_put(work, fp);
return 0;
@@ -6205,8 +6207,8 @@ int smb2_read(struct ksmbd_work *work)
*/
static noinline int smb2_write_pipe(struct ksmbd_work *work)
{
- struct smb2_write_req *req = work->request_buf;
- struct smb2_write_rsp *rsp = work->response_buf;
+ struct smb2_write_req *req = smb2_get_msg(work->request_buf);
+ struct smb2_write_rsp *rsp = smb2_get_msg(work->response_buf);
struct ksmbd_rpc_command *rpc_resp;
u64 id = 0;
int err = 0, ret = 0;
@@ -6217,13 +6219,14 @@ static noinline int smb2_write_pipe(struct ksmbd_work *work)
id = le64_to_cpu(req->VolatileFileId);
if (le16_to_cpu(req->DataOffset) ==
- (offsetof(struct smb2_write_req, Buffer) - 4)) {
+ offsetof(struct smb2_write_req, Buffer)) {
data_buf = (char *)&req->Buffer[0];
} else {
- if ((u64)le16_to_cpu(req->DataOffset) + length > get_rfc1002_len(req)) {
+ if ((u64)le16_to_cpu(req->DataOffset) + length >
+ get_rfc1002_len(work->request_buf)) {
pr_err("invalid write data offset %u, smb_len %u\n",
le16_to_cpu(req->DataOffset),
- get_rfc1002_len(req));
+ get_rfc1002_len(work->request_buf));
err = -EINVAL;
goto out;
}
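Review bot: in the else branch of the DataOffset test in smb2_write_pipe(), DataOffset + length is only bounded from above by get_rfc1002_len(work->request_buf); a DataOffset smaller than offsetof(struct smb2_write_req, Buffer) is not rejected in these lines. Now that offsets are taken relative to the SMB2 header, please add the lower bound, or confirm it is validated before this point.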
@@ -6255,7 +6258,7 @@ static noinline int smb2_write_pipe(struct ksmbd_work *work)
rsp->DataLength = cpu_to_le32(length);
rsp->DataRemaining = 0;
rsp->Reserved2 = 0;
- inc_rfc1001_len(rsp, 16);
+ inc_rfc1001_len(work->response_buf, 16);
return 0;
out:
if (err) {
@@ -6323,7 +6326,7 @@ static ssize_t smb2_write_rdma_channel(struct ksmbd_work *work,
int smb2_write(struct ksmbd_work *work)
{
struct smb2_write_req *req;
- struct smb2_write_rsp *rsp, *rsp_org;
+ struct smb2_write_rsp *rsp;
struct ksmbd_file *fp = NULL;
loff_t offset;
size_t length;
@@ -6332,7 +6335,6 @@ int smb2_write(struct ksmbd_work *work)
bool writethrough = false;
int err = 0;
- rsp_org = work->response_buf;
WORK_BUFFERS(work, req, rsp);
if (test_share_config_flag(work->tcon->share_conf, KSMBD_SHARE_FLAG_PIPE)) {
@@ -6375,13 +6377,14 @@ int smb2_write(struct ksmbd_work *work)
if (req->Channel != SMB2_CHANNEL_RDMA_V1 &&
req->Channel != SMB2_CHANNEL_RDMA_V1_INVALIDATE) {
if (le16_to_cpu(req->DataOffset) ==
- (offsetof(struct smb2_write_req, Buffer) - 4)) {
+ offsetof(struct smb2_write_req, Buffer)) {
data_buf = (char *)&req->Buffer[0];
} else {
- if ((u64)le16_to_cpu(req->DataOffset) + length > get_rfc1002_len(req)) {
+ if ((u64)le16_to_cpu(req->DataOffset) + length >
+ get_rfc1002_len(work->request_buf)) {
pr_err("invalid write data offset %u, smb_len %u\n",
le16_to_cpu(req->DataOffset),
- get_rfc1002_len(req));
+ get_rfc1002_len(work->request_buf));
err = -EINVAL;
goto out;
}
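Review bot: the else branch in smb2_write() only bounds DataOffset from above, so a DataOffset smaller than offsetof(struct smb2_write_req, Buffer) passes the check as long as DataOffset + length fits in the RFC1002 length. With this change both sides of the comparison are measured from the start of the SMB2 header, which makes the upper bound consistent, but a lower-bound test (reject DataOffset < offsetof(struct smb2_write_req, Buffer) with -EINVAL) would keep the data pointer from landing inside the fixed request header. The same pattern is in smb2_write_pipe().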
@@ -6419,7 +6422,7 @@ int smb2_write(struct ksmbd_work *work)
rsp->DataLength = cpu_to_le32(nbytes);
rsp->DataRemaining = 0;
rsp->Reserved2 = 0;
- inc_rfc1001_len(rsp_org, 16);
+ inc_rfc1001_len(work->response_buf, 16);
ksmbd_fd_put(work, fp);
return 0;
@@ -6453,10 +6456,9 @@ int smb2_write(struct ksmbd_work *work)
int smb2_flush(struct ksmbd_work *work)
{
struct smb2_flush_req *req;
- struct smb2_flush_rsp *rsp, *rsp_org;
+ struct smb2_flush_rsp *rsp;
int err;
- rsp_org = work->response_buf;
WORK_BUFFERS(work, req, rsp);
ksmbd_debug(SMB, "SMB2_FLUSH called for fid %llu\n",
@@ -6470,7 +6472,7 @@ int smb2_flush(struct ksmbd_work *work)
rsp->StructureSize = cpu_to_le16(4);
rsp->Reserved = 0;
- inc_rfc1001_len(rsp_org, 4);
+ inc_rfc1001_len(work->response_buf, 4);
return 0;
out:
@@ -6491,7 +6493,7 @@ int smb2_flush(struct ksmbd_work *work)
int smb2_cancel(struct ksmbd_work *work)
{
struct ksmbd_conn *conn = work->conn;
- struct smb2_hdr *hdr = work->request_buf;
+ struct smb2_hdr *hdr = smb2_get_msg(work->request_buf);
struct smb2_hdr *chdr;
struct ksmbd_work *cancel_work = NULL;
int canceled = 0;
@@ -6506,7 +6508,7 @@ int smb2_cancel(struct ksmbd_work *work)
spin_lock(&conn->request_lock);
list_for_each_entry(cancel_work, command_list,
async_request_entry) {
- chdr = cancel_work->request_buf;
+ chdr = smb2_get_msg(cancel_work->request_buf);
if (cancel_work->async_id !=
le64_to_cpu(hdr->Id.AsyncId))
@@ -6525,7 +6527,7 @@ int smb2_cancel(struct ksmbd_work *work)
spin_lock(&conn->request_lock);
list_for_each_entry(cancel_work, command_list, request_entry) {
- chdr = cancel_work->request_buf;
+ chdr = smb2_get_msg(cancel_work->request_buf);
if (chdr->MessageId != hdr->MessageId ||
cancel_work == work)
@@ -6660,8 +6662,8 @@ static inline bool lock_defer_pending(struct file_lock *fl)
*/
int smb2_lock(struct ksmbd_work *work)
{
- struct smb2_lock_req *req = work->request_buf;
- struct smb2_lock_rsp *rsp = work->response_buf;
+ struct smb2_lock_req *req = smb2_get_msg(work->request_buf);
+ struct smb2_lock_rsp *rsp = smb2_get_msg(work->response_buf);
struct smb2_lock_element *lock_ele;
struct ksmbd_file *fp = NULL;
struct file_lock *flock = NULL;
@@ -6968,7 +6970,7 @@ int smb2_lock(struct ksmbd_work *work)
ksmbd_debug(SMB, "successful in taking lock\n");
rsp->hdr.Status = STATUS_SUCCESS;
rsp->Reserved = 0;
- inc_rfc1001_len(rsp, 4);
+ inc_rfc1001_len(work->response_buf, 4);
ksmbd_fd_put(work, fp);
return 0;
@@ -7437,13 +7439,12 @@ static int fsctl_request_resume_key(struct ksmbd_work *work,
int smb2_ioctl(struct ksmbd_work *work)
{
struct smb2_ioctl_req *req;
- struct smb2_ioctl_rsp *rsp, *rsp_org;
+ struct smb2_ioctl_rsp *rsp;
unsigned int cnt_code, nbytes = 0, out_buf_len, in_buf_len;
u64 id = KSMBD_NO_FID;
struct ksmbd_conn *conn = work->conn;
int ret = 0;
- rsp_org = work->response_buf;
if (work->next_smb2_rcv_hdr_off) {
req = ksmbd_req_buf_next(work);
rsp = ksmbd_resp_buf_next(work);
@@ -7453,8 +7454,8 @@ int smb2_ioctl(struct ksmbd_work *work)
id = work->compound_fid;
}
} else {
- req = work->request_buf;
- rsp = work->response_buf;
+ req = smb2_get_msg(work->request_buf);
+ rsp = smb2_get_msg(work->response_buf);
}
if (!has_file_id(id))
@@ -7734,7 +7735,7 @@ int smb2_ioctl(struct ksmbd_work *work)
rsp->Reserved = cpu_to_le16(0);
rsp->Flags = cpu_to_le32(0);
rsp->Reserved2 = cpu_to_le32(0);
- inc_rfc1001_len(rsp_org, 48 + nbytes);
+ inc_rfc1001_len(work->response_buf, 48 + nbytes);
return 0;
@@ -7761,8 +7762,8 @@ int smb2_ioctl(struct ksmbd_work *work)
*/
static void smb20_oplock_break_ack(struct ksmbd_work *work)
{
- struct smb2_oplock_break *req = work->request_buf;
- struct smb2_oplock_break *rsp = work->response_buf;
+ struct smb2_oplock_break *req = smb2_get_msg(work->request_buf);
+ struct smb2_oplock_break *rsp = smb2_get_msg(work->response_buf);
struct ksmbd_file *fp;
struct oplock_info *opinfo = NULL;
__le32 err = 0;
@@ -7869,7 +7870,7 @@ static void smb20_oplock_break_ack(struct ksmbd_work *work)
rsp->Reserved2 = 0;
rsp->VolatileFid = cpu_to_le64(volatile_id);
rsp->PersistentFid = cpu_to_le64(persistent_id);
- inc_rfc1001_len(rsp, 24);
+ inc_rfc1001_len(work->response_buf, 24);
return;
err_out:
@@ -7905,8 +7906,8 @@ static int check_lease_state(struct lease *lease, __le32 req_state)
static void smb21_lease_break_ack(struct ksmbd_work *work)
{
struct ksmbd_conn *conn = work->conn;
- struct smb2_lease_ack *req = work->request_buf;
- struct smb2_lease_ack *rsp = work->response_buf;
+ struct smb2_lease_ack *req = smb2_get_msg(work->request_buf);
+ struct smb2_lease_ack *rsp = smb2_get_msg(work->response_buf);
struct oplock_info *opinfo;
__le32 err = 0;
int ret = 0;
@@ -8018,7 +8019,7 @@ static void smb21_lease_break_ack(struct ksmbd_work *work)
memcpy(rsp->LeaseKey, req->LeaseKey, 16);
rsp->LeaseState = lease_state;
rsp->LeaseDuration = 0;
- inc_rfc1001_len(rsp, 36);
+ inc_rfc1001_len(work->response_buf, 36);
return;
err_out:
@@ -8039,8 +8040,8 @@ static void smb21_lease_break_ack(struct ksmbd_work *work)
*/
int smb2_oplock_break(struct ksmbd_work *work)
{
- struct smb2_oplock_break *req = work->request_buf;
- struct smb2_oplock_break *rsp = work->response_buf;
+ struct smb2_oplock_break *req = smb2_get_msg(work->request_buf);
+ struct smb2_oplock_break *rsp = smb2_get_msg(work->response_buf);
switch (le16_to_cpu(req->StructureSize)) {
case OP_BREAK_STRUCT_SIZE_20:
@@ -8092,7 +8093,7 @@ int smb2_notify(struct ksmbd_work *work)
*/
bool smb2_is_sign_req(struct ksmbd_work *work, unsigned int command)
{
- struct smb2_hdr *rcv_hdr2 = work->request_buf;
+ struct smb2_hdr *rcv_hdr2 = smb2_get_msg(work->request_buf);
if ((rcv_hdr2->Flags & SMB2_FLAGS_SIGNED) &&
command != SMB2_NEGOTIATE_HE &&
@@ -8111,22 +8112,22 @@ bool smb2_is_sign_req(struct ksmbd_work *work, unsigned int command)
*/
int smb2_check_sign_req(struct ksmbd_work *work)
{
- struct smb2_hdr *hdr, *hdr_org;
+ struct smb2_hdr *hdr;
char signature_req[SMB2_SIGNATURE_SIZE];
char signature[SMB2_HMACSHA256_SIZE];
struct kvec iov[1];
size_t len;
- hdr_org = hdr = work->request_buf;
+ hdr = smb2_get_msg(work->request_buf);
if (work->next_smb2_rcv_hdr_off)
hdr = ksmbd_req_buf_next(work);
if (!hdr->NextCommand && !work->next_smb2_rcv_hdr_off)
- len = be32_to_cpu(hdr_org->smb2_buf_length);
+ len = get_rfc1002_len(work->request_buf);
else if (hdr->NextCommand)
len = le32_to_cpu(hdr->NextCommand);
else
- len = be32_to_cpu(hdr_org->smb2_buf_length) -
+ len = get_rfc1002_len(work->request_buf) -
work->next_smb2_rcv_hdr_off;
memcpy(signature_req, hdr->Signature, SMB2_SIGNATURE_SIZE);
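Review bot: len is a size_t, and in the final else branch it is computed as get_rfc1002_len(work->request_buf) - work->next_smb2_rcv_hdr_off, so if the compound offset ever exceeds the RFC1002 length the subtraction wraps to a very large value. The middle branch also takes len directly from hdr->NextCommand, a wire field. Nothing in this hunk compares either value against the received length before it is used for the signature check; either add that comparison here or add a comment naming the function that has already validated NextCommand and next_smb2_rcv_hdr_off.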
@@ -8154,25 +8155,26 @@ int smb2_check_sign_req(struct ksmbd_work *work)
*/
void smb2_set_sign_rsp(struct ksmbd_work *work)
{
- struct smb2_hdr *hdr, *hdr_org;
+ struct smb2_hdr *hdr;
struct smb2_hdr *req_hdr;
char signature[SMB2_HMACSHA256_SIZE];
struct kvec iov[2];
size_t len;
int n_vec = 1;
- hdr_org = hdr = work->response_buf;
+ hdr = smb2_get_msg(work->response_buf);
if (work->next_smb2_rsp_hdr_off)
hdr = ksmbd_resp_buf_next(work);
req_hdr = ksmbd_req_buf_next(work);
if (!work->next_smb2_rsp_hdr_off) {
- len = get_rfc1002_len(hdr_org);
+ len = get_rfc1002_len(work->response_buf);
if (req_hdr->NextCommand)
len = ALIGN(len, 8);
} else {
- len = get_rfc1002_len(hdr_org) - work->next_smb2_rsp_hdr_off;
+ len = get_rfc1002_len(work->response_buf) -
+ work->next_smb2_rsp_hdr_off;
len = ALIGN(len, 8);
}
@@ -8208,23 +8210,23 @@ int smb3_check_sign_req(struct ksmbd_work *work)
{
struct ksmbd_conn *conn = work->conn;
char *signing_key;
- struct smb2_hdr *hdr, *hdr_org;
+ struct smb2_hdr *hdr;
struct channel *chann;
char signature_req[SMB2_SIGNATURE_SIZE];
char signature[SMB2_CMACAES_SIZE];
struct kvec iov[1];
size_t len;
- hdr_org = hdr = work->request_buf;
+ hdr = smb2_get_msg(work->request_buf);
if (work->next_smb2_rcv_hdr_off)
hdr = ksmbd_req_buf_next(work);
if (!hdr->NextCommand && !work->next_smb2_rcv_hdr_off)
- len = be32_to_cpu(hdr_org->smb2_buf_length);
+ len = get_rfc1002_len(work->request_buf);
else if (hdr->NextCommand)
len = le32_to_cpu(hdr->NextCommand);
else
- len = be32_to_cpu(hdr_org->smb2_buf_length) -
+ len = get_rfc1002_len(work->request_buf) -
work->next_smb2_rcv_hdr_off;
if (le16_to_cpu(hdr->Command) == SMB2_SESSION_SETUP_HE) {
@@ -8265,8 +8267,7 @@ int smb3_check_sign_req(struct ksmbd_work *work)
void smb3_set_sign_rsp(struct ksmbd_work *work)
{
struct ksmbd_conn *conn = work->conn;
- struct smb2_hdr *req_hdr;
- struct smb2_hdr *hdr, *hdr_org;
+ struct smb2_hdr *req_hdr, *hdr;
struct channel *chann;
char signature[SMB2_CMACAES_SIZE];
struct kvec iov[2];
@@ -8274,18 +8275,19 @@ void smb3_set_sign_rsp(struct ksmbd_work *work)
size_t len;
char *signing_key;
- hdr_org = hdr = work->response_buf;
+ hdr = smb2_get_msg(work->response_buf);
if (work->next_smb2_rsp_hdr_off)
hdr = ksmbd_resp_buf_next(work);
req_hdr = ksmbd_req_buf_next(work);
if (!work->next_smb2_rsp_hdr_off) {
- len = get_rfc1002_len(hdr_org);
+ len = get_rfc1002_len(work->response_buf);
if (req_hdr->NextCommand)
len = ALIGN(len, 8);
} else {
- len = get_rfc1002_len(hdr_org) - work->next_smb2_rsp_hdr_off;
+ len = get_rfc1002_len(work->response_buf) -
+ work->next_smb2_rsp_hdr_off;
len = ALIGN(len, 8);
}
@@ -8338,7 +8340,7 @@ void smb3_preauth_hash_rsp(struct ksmbd_work *work)
if (le16_to_cpu(req->Command) == SMB2_NEGOTIATE_HE &&
conn->preauth_info)
- ksmbd_gen_preauth_integrity_hash(conn, (char *)rsp,
+ ksmbd_gen_preauth_integrity_hash(conn, work->response_buf,
conn->preauth_info->Preauth_HashValue);
if (le16_to_cpu(rsp->Command) == SMB2_SESSION_SETUP_HE && sess) {
@@ -8356,7 +8358,7 @@ void smb3_preauth_hash_rsp(struct ksmbd_work *work)
if (!hash_value)
return;
}
- ksmbd_gen_preauth_integrity_hash(conn, (char *)rsp,
+ ksmbd_gen_preauth_integrity_hash(conn, work->response_buf,
hash_value);
}
}
@@ -8438,7 +8440,6 @@ int smb3_decrypt_req(struct ksmbd_work *work)
struct ksmbd_conn *conn = work->conn;
struct ksmbd_session *sess;
char *buf = work->request_buf;
- struct smb2_hdr *hdr;
unsigned int pdu_length = get_rfc1002_len(buf);
struct kvec iov[2];
int buf_data_size = pdu_length + 4 -
@@ -8473,8 +8474,7 @@ int smb3_decrypt_req(struct ksmbd_work *work)
return rc;
memmove(buf + 4, iov[1].iov_base, buf_data_size);
- hdr = (struct smb2_hdr *)buf;
- hdr->smb2_buf_length = cpu_to_be32(buf_data_size);
+ *(__be32 *)buf = cpu_to_be32(buf_data_size);
return rc;
}
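Review bot: the replacement for hdr->smb2_buf_length is an open-coded store, *(__be32 *)buf = cpu_to_be32(buf_data_size), next to a memmove(buf + 4, ...) that hard-codes the same header size. Reads and increments of the length already go through get_rfc1002_len() and inc_rfc1001_len(); a matching setter helper would keep the cast and the byte order in one place and avoid repeating this line wherever the length has to be rewritten.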
@@ -8482,7 +8482,7 @@ int smb3_decrypt_req(struct ksmbd_work *work)
bool smb3_11_final_sess_setup_resp(struct ksmbd_work *work)
{
struct ksmbd_conn *conn = work->conn;
- struct smb2_hdr *rsp = work->response_buf;
+ struct smb2_hdr *rsp = smb2_get_msg(work->response_buf);
if (conn->dialect < SMB30_PROT_ID)
return false;
diff --git a/fs/ksmbd/smb2pdu.h b/fs/ksmbd/smb2pdu.h
index ff5a2f01d34a..a70f5461bffe 100644
--- a/fs/ksmbd/smb2pdu.h
+++ b/fs/ksmbd/smb2pdu.h
@@ -130,11 +130,6 @@
cpu_to_le16(__SMB2_HEADER_STRUCTURE_SIZE)
struct smb2_hdr {
- __be32 smb2_buf_length; /* big endian on wire */
- /*
- * length is only two or three bytes - with
- * one or two byte type preceding it that MBZ
- */
__le32 ProtocolId; /* 0xFE 'S' 'M' 'B' */
__le16 StructureSize; /* 64 */
__le16 CreditCharge; /* MBZ */
@@ -253,14 +248,14 @@ struct preauth_integrity_info {
__u8 Preauth_HashValue[PREAUTH_HASHVALUE_SIZE];
};
-/* offset is sizeof smb2_negotiate_rsp - 4 but rounded up to 8 bytes. */
+/* offset is sizeof smb2_negotiate_rsp but rounded up to 8 bytes. */
#ifdef CONFIG_SMB_SERVER_KERBEROS5
-/* sizeof(struct smb2_negotiate_rsp) - 4 =
+/* sizeof(struct smb2_negotiate_rsp) =
* header(64) + response(64) + GSS_LENGTH(96) + GSS_PADDING(0)
*/
#define OFFSET_OF_NEG_CONTEXT 0xe0
#else
-/* sizeof(struct smb2_negotiate_rsp) - 4 =
+/* sizeof(struct smb2_negotiate_rsp) =
* header(64) + response(64) + GSS_LENGTH(74) + GSS_PADDING(6)
*/
#define OFFSET_OF_NEG_CONTEXT 0xd0
@@ -1705,4 +1700,13 @@ int smb2_ioctl(struct ksmbd_work *work);
int smb2_oplock_break(struct ksmbd_work *work);
int smb2_notify(struct ksmbd_work *ksmbd_work);
+/*
+ * Get the body of the smb2 message excluding the 4 byte rfc1002 headers
+ * from request/response buffer.
+ */
+static inline void *smb2_get_msg(void *buf)
+{
+ return buf + 4;
+}
+
#endif /* _SMB2PDU_H */
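Review bot: smb2_get_msg() hard-codes the RFC1002 header size as a bare 4 ("return buf + 4;"), and the rest of the patch still open-codes the same number in places such as "memmove(buf + 4, ...)" in smb3_decrypt_req(). A named constant for the header length, used by the helper and by the remaining "+ 4" sites, would make the layout assumption searchable. The comment should also read "rfc1002 header" (singular), and it is worth stating there that the caller must already have verified that buf holds more than the 4 header bytes, since the helper itself cannot check.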
diff --git a/fs/ksmbd/smb_common.c b/fs/ksmbd/smb_common.c
index f3f1953b2bcf..be9701273c71 100644
--- a/fs/ksmbd/smb_common.c
+++ b/fs/ksmbd/smb_common.c
@@ -239,14 +239,14 @@ int ksmbd_lookup_dialect_by_id(__le16 *cli_dialects, __le16 dialects_count)
static int ksmbd_negotiate_smb_dialect(void *buf)
{
int smb_buf_length = get_rfc1002_len(buf);
- __le32 proto = ((struct smb2_hdr *)buf)->ProtocolId;
+ __le32 proto = ((struct smb2_hdr *)smb2_get_msg(buf))->ProtocolId;
if (proto == SMB2_PROTO_NUMBER) {
struct smb2_negotiate_req *req;
int smb2_neg_size =
- offsetof(struct smb2_negotiate_req, Dialects) - 4;
+ offsetof(struct smb2_negotiate_req, Dialects);
- req = (struct smb2_negotiate_req *)buf;
+ req = (struct smb2_negotiate_req *)smb2_get_msg(buf);
if (smb2_neg_size > smb_buf_length)
goto err_out;
@@ -443,11 +443,12 @@ int ksmbd_smb_negotiate_common(struct ksmbd_work *work, unsigned int command)
struct ksmbd_conn *conn = work->conn;
int ret;
- conn->dialect = ksmbd_negotiate_smb_dialect(work->request_buf);
+ conn->dialect =
+ ksmbd_negotiate_smb_dialect(work->request_buf);
ksmbd_debug(SMB, "conn->dialect 0x%x\n", conn->dialect);
if (command == SMB2_NEGOTIATE_HE) {
- struct smb2_hdr *smb2_hdr = work->request_buf;
+ struct smb2_hdr *smb2_hdr = smb2_get_msg(work->request_buf);
if (smb2_hdr->ProtocolId != SMB2_PROTO_NUMBER) {
ksmbd_debug(SMB, "Downgrade to SMB1 negotiation\n");
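Review bot: the first change in this hunk only re-wraps "conn->dialect = ksmbd_negotiate_smb_dialect(work->request_buf);" onto two lines with no functional difference. Please drop it so the hunk carries only the smb2_get_msg() conversion of smb2_hdr; unrelated whitespace churn makes a backport like this harder to compare against mainline.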
diff --git a/fs/ksmbd/smb_common.h b/fs/ksmbd/smb_common.h
index 6e79e7577f6b..35ca9b7d9979 100644
--- a/fs/ksmbd/smb_common.h
+++ b/fs/ksmbd/smb_common.h
@@ -477,12 +477,6 @@ struct smb_version_cmds {
int (*proc)(struct ksmbd_work *swork);
};
-static inline size_t
-smb2_hdr_size_no_buflen(struct smb_version_values *vals)
-{
- return vals->header_size - 4;
-}
-
int ksmbd_min_protocol(void);
int ksmbd_max_protocol(void);
diff --git a/fs/ksmbd/transport_rdma.c b/fs/ksmbd/transport_rdma.c
index 6330dfc302ff..7e57cbb0bb35 100644
--- a/fs/ksmbd/transport_rdma.c
+++ b/fs/ksmbd/transport_rdma.c
@@ -484,7 +484,7 @@ static int smb_direct_check_recvmsg(struct smb_direct_recvmsg *recvmsg)
struct smb_direct_data_transfer *req =
(struct smb_direct_data_transfer *)recvmsg->packet;
struct smb2_hdr *hdr = (struct smb2_hdr *)(recvmsg->packet
- + le32_to_cpu(req->data_offset) - 4);
+ + le32_to_cpu(req->data_offset));
ksmbd_debug(RDMA,
"CreditGranted: %u, CreditRequested: %u, DataLength: %u, RemainingDataLength: %u, SMB: %x, Command: %u\n",
le16_to_cpu(req->credits_granted),
From patchwork Mon Nov 14 12:52:40 2022
X-Patchwork-Submitter: Jason Yan <yanaijie(a)huawei.com>
X-Patchwork-Id: 183348
From: Jason Yan <yanaijie(a)huawei.com>
To: <yanaijie(a)huawei.com>, <zhengzengkai(a)huawei.com>, <xiexiuqi(a)huawei.com>,
<yi.zhang(a)huawei.com>, <patchwork(a)huawei.com>, <kernel.openeuler(a)huawei.com>,
<houtao1(a)huawei.com>
Subject: [PATCH OLK-5.10 v2 251/308] ksmbd: remove smb2_buf_length in
smb2_transform_hdr
Date: Mon, 14 Nov 2022 20:52:40 +0800
Message-ID: <20221114125337.1831594-252-yanaijie(a)huawei.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20221114125337.1831594-1-yanaijie(a)huawei.com>
References: <20221114125337.1831594-1-yanaijie(a)huawei.com>
From: Namjae Jeon <linkinjeon(a)kernel.org>
mainline inclusion
from mainline-5.16-rc1
commit 2dd9129f7dec1de369e4447a54ea2edf695f765b
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G
CVE: NA
Reference: https://git.kernel.org/torvalds/linux/c/2dd9129f7dec
-------------------------------
To move smb2_transform_hdr to smbfs_common, this patch removes the
smb2_buf_length variable in smb2_transform_hdr.
Cc: Ronnie Sahlberg <ronniesahlberg(a)gmail.com>
Signed-off-by: Namjae Jeon <linkinjeon(a)kernel.org>
Signed-off-by: Steve French <stfrench(a)microsoft.com>
Signed-off-by: Jason Yan <yanaijie(a)huawei.com>
---
fs/ksmbd/auth.c | 7 +++----
fs/ksmbd/connection.c | 2 +-
fs/ksmbd/smb2pdu.c | 37 +++++++++++++++++--------------------
fs/ksmbd/smb2pdu.h | 5 -----
4 files changed, 21 insertions(+), 30 deletions(-)
diff --git a/fs/ksmbd/auth.c b/fs/ksmbd/auth.c
index c69c5471db1c..3503b1c48cb4 100644
--- a/fs/ksmbd/auth.c
+++ b/fs/ksmbd/auth.c
@@ -983,7 +983,7 @@ static struct scatterlist *ksmbd_init_sg(struct kvec *iov, unsigned int nvec,
u8 *sign)
{
struct scatterlist *sg;
- unsigned int assoc_data_len = sizeof(struct smb2_transform_hdr) - 24;
+ unsigned int assoc_data_len = sizeof(struct smb2_transform_hdr) - 20;
int i, nr_entries[3] = {0}, total_entries = 0, sg_idx = 0;
if (!nvec)
@@ -1047,9 +1047,8 @@ static struct scatterlist *ksmbd_init_sg(struct kvec *iov, unsigned int nvec,
int ksmbd_crypt_message(struct ksmbd_conn *conn, struct kvec *iov,
unsigned int nvec, int enc)
{
- struct smb2_transform_hdr *tr_hdr =
- (struct smb2_transform_hdr *)iov[0].iov_base;
- unsigned int assoc_data_len = sizeof(struct smb2_transform_hdr) - 24;
+ struct smb2_transform_hdr *tr_hdr = smb2_get_msg(iov[0].iov_base);
+ unsigned int assoc_data_len = sizeof(struct smb2_transform_hdr) - 20;
int rc;
struct scatterlist *sg;
u8 sign[SMB2_SIGNATURE_SIZE] = {};
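Review bot: assoc_data_len is still derived from a magic number, now "sizeof(struct smb2_transform_hdr) - 20" in both ksmbd_init_sg() and ksmbd_crypt_message(). The 20 is ProtocolId (4 bytes) plus Signature (16 bytes), going by the struct layout in the smb2pdu.h hunk of this patch, so writing it as sizeof(struct smb2_transform_hdr) - offsetof(struct smb2_transform_hdr, Nonce) would state the intent and would have needed no edit when smb2_buf_length was removed.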
diff --git a/fs/ksmbd/connection.c b/fs/ksmbd/connection.c
index 12f710ccbdff..83a94d0bb480 100644
--- a/fs/ksmbd/connection.c
+++ b/fs/ksmbd/connection.c
@@ -171,7 +171,7 @@ int ksmbd_conn_write(struct ksmbd_work *work)
if (work->tr_buf) {
iov[iov_idx] = (struct kvec) { work->tr_buf,
- sizeof(struct smb2_transform_hdr) };
+ sizeof(struct smb2_transform_hdr) + 4 };
len += iov[iov_idx++].iov_len;
}
diff --git a/fs/ksmbd/smb2pdu.c b/fs/ksmbd/smb2pdu.c
index ae906e78616e..bbf9f04ee2fb 100644
--- a/fs/ksmbd/smb2pdu.c
+++ b/fs/ksmbd/smb2pdu.c
@@ -8363,13 +8363,13 @@ void smb3_preauth_hash_rsp(struct ksmbd_work *work)
}
}
-static void fill_transform_hdr(struct smb2_transform_hdr *tr_hdr, char *old_buf,
- __le16 cipher_type)
+static void fill_transform_hdr(void *tr_buf, char *old_buf, __le16 cipher_type)
{
- struct smb2_hdr *hdr = (struct smb2_hdr *)old_buf;
+ struct smb2_transform_hdr *tr_hdr = tr_buf + 4;
+ struct smb2_hdr *hdr = smb2_get_msg(old_buf);
unsigned int orig_len = get_rfc1002_len(old_buf);
- memset(tr_hdr, 0, sizeof(struct smb2_transform_hdr));
+ memset(tr_buf, 0, sizeof(struct smb2_transform_hdr) + 4);
tr_hdr->ProtocolId = SMB2_TRANSFORM_PROTO_NUM;
tr_hdr->OriginalMessageSize = cpu_to_le32(orig_len);
tr_hdr->Flags = cpu_to_le16(0x01);
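Review bot: fill_transform_hdr() open-codes the header skip as "tr_hdr = tr_buf + 4" one line above a call to smb2_get_msg(old_buf) that does the same thing. Use smb2_get_msg(tr_buf) for both so the 4-byte RFC1002 assumption lives in one helper. The expression sizeof(struct smb2_transform_hdr) + 4 is also repeated in the memset here, in the kzalloc and iov_len in smb3_encrypt_resp(), and in ksmbd_conn_write(); a single macro for the on-wire transform buffer size would keep those in step.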
@@ -8379,14 +8379,13 @@ static void fill_transform_hdr(struct smb2_transform_hdr *tr_hdr, char *old_buf,
else
get_random_bytes(&tr_hdr->Nonce, SMB3_AES_CCM_NONCE);
memcpy(&tr_hdr->SessionId, &hdr->SessionId, 8);
- inc_rfc1001_len(tr_hdr, sizeof(struct smb2_transform_hdr) - 4);
- inc_rfc1001_len(tr_hdr, orig_len);
+ inc_rfc1001_len(tr_buf, sizeof(struct smb2_transform_hdr));
+ inc_rfc1001_len(tr_buf, orig_len);
}
int smb3_encrypt_resp(struct ksmbd_work *work)
{
char *buf = work->response_buf;
- struct smb2_transform_hdr *tr_hdr;
struct kvec iov[3];
int rc = -ENOMEM;
int buf_size = 0, rq_nvec = 2 + (work->aux_payload_sz ? 1 : 0);
@@ -8394,15 +8393,15 @@ int smb3_encrypt_resp(struct ksmbd_work *work)
if (ARRAY_SIZE(iov) < rq_nvec)
return -ENOMEM;
- tr_hdr = kzalloc(sizeof(struct smb2_transform_hdr), GFP_KERNEL);
- if (!tr_hdr)
+ work->tr_buf = kzalloc(sizeof(struct smb2_transform_hdr) + 4, GFP_KERNEL);
+ if (!work->tr_buf)
return rc;
/* fill transform header */
- fill_transform_hdr(tr_hdr, buf, work->conn->cipher_type);
+ fill_transform_hdr(work->tr_buf, buf, work->conn->cipher_type);
- iov[0].iov_base = tr_hdr;
- iov[0].iov_len = sizeof(struct smb2_transform_hdr);
+ iov[0].iov_base = work->tr_buf;
+ iov[0].iov_len = sizeof(struct smb2_transform_hdr) + 4;
buf_size += iov[0].iov_len - 4;
iov[1].iov_base = buf + 4;
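Review bot: work->tr_buf is now assigned as soon as kzalloc() succeeds, whereas before it was set only on the success path at the end of smb3_encrypt_resp(). The function can still fail after this point (the "return rc" ahead of the memmove in the next hunk), and ksmbd_conn_write() in this same patch prepends the transform header whenever work->tr_buf is non-NULL. Please either free and clear work->tr_buf on the failure path, or document why a response with a filled-in transform header and an unencrypted body can never reach ksmbd_conn_write() after an encryption error.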
@@ -8422,15 +8421,14 @@ int smb3_encrypt_resp(struct ksmbd_work *work)
return rc;
memmove(buf, iov[1].iov_base, iov[1].iov_len);
- tr_hdr->smb2_buf_length = cpu_to_be32(buf_size);
- work->tr_buf = tr_hdr;
+ *(__be32 *)work->tr_buf = cpu_to_be32(buf_size);
return rc;
}
bool smb3_is_transform_hdr(void *buf)
{
- struct smb2_transform_hdr *trhdr = buf;
+ struct smb2_transform_hdr *trhdr = smb2_get_msg(buf);
return trhdr->ProtocolId == SMB2_TRANSFORM_PROTO_NUM;
}
@@ -8442,9 +8440,8 @@ int smb3_decrypt_req(struct ksmbd_work *work)
char *buf = work->request_buf;
unsigned int pdu_length = get_rfc1002_len(buf);
struct kvec iov[2];
- int buf_data_size = pdu_length + 4 -
- sizeof(struct smb2_transform_hdr);
- struct smb2_transform_hdr *tr_hdr = (struct smb2_transform_hdr *)buf;
+ int buf_data_size = pdu_length - sizeof(struct smb2_transform_hdr);
+ struct smb2_transform_hdr *tr_hdr = smb2_get_msg(buf);
int rc = 0;
if (buf_data_size < sizeof(struct smb2_hdr)) {
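Review bot: buf_data_size is an int, but "if (buf_data_size < sizeof(struct smb2_hdr))" compares it with a size_t, so when pdu_length is smaller than sizeof(struct smb2_transform_hdr) the negative result is converted to a very large unsigned value and the check passes. That value then becomes iov[1].iov_len in the next hunk. Validate the unsigned quantities before subtracting, for example reject the request when pdu_length < sizeof(struct smb2_transform_hdr) + sizeof(struct smb2_hdr), and only then compute buf_data_size.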
@@ -8466,8 +8463,8 @@ int smb3_decrypt_req(struct ksmbd_work *work)
}
iov[0].iov_base = buf;
- iov[0].iov_len = sizeof(struct smb2_transform_hdr);
- iov[1].iov_base = buf + sizeof(struct smb2_transform_hdr);
+ iov[0].iov_len = sizeof(struct smb2_transform_hdr) + 4;
+ iov[1].iov_base = buf + sizeof(struct smb2_transform_hdr) + 4;
iov[1].iov_len = buf_data_size;
rc = ksmbd_crypt_message(conn, iov, 2, 0);
if (rc)
diff --git a/fs/ksmbd/smb2pdu.h b/fs/ksmbd/smb2pdu.h
index a70f5461bffe..f418b001b999 100644
--- a/fs/ksmbd/smb2pdu.h
+++ b/fs/ksmbd/smb2pdu.h
@@ -159,11 +159,6 @@ struct smb2_pdu {
#define SMB3_AES_GCM_NONCE 12
struct smb2_transform_hdr {
- __be32 smb2_buf_length; /* big endian on wire */
- /*
- * length is only two or three bytes - with
- * one or two byte type preceding it that MBZ
- */
__le32 ProtocolId; /* 0xFD 'S' 'M' 'B' */
__u8 Signature[16];
__u8 Nonce[16];
From patchwork Mon Nov 14 12:52:41 2022
X-Patchwork-Submitter: Jason Yan <yanaijie(a)huawei.com>
X-Patchwork-Id: 183349
From: Jason Yan <yanaijie(a)huawei.com>
To: <yanaijie(a)huawei.com>, <zhengzengkai(a)huawei.com>, <xiexiuqi(a)huawei.com>,
<yi.zhang(a)huawei.com>, <patchwork(a)huawei.com>, <kernel.openeuler(a)huawei.com>,
<houtao1(a)huawei.com>
Subject: [PATCH OLK-5.10 v2 252/308] ksmbd: change LeaseKey data type to u8
array
Date: Mon, 14 Nov 2022 20:52:41 +0800
Message-ID: <20221114125337.1831594-253-yanaijie(a)huawei.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20221114125337.1831594-1-yanaijie(a)huawei.com>
References: <20221114125337.1831594-1-yanaijie(a)huawei.com>
From: Namjae Jeon <linkinjeon(a)kernel.org>
mainline inclusion
from mainline-5.16-rc1
commit 2734b692f7b8167b93498dcd698067623d4267ca
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G
CVE: NA
Reference: https://git.kernel.org/torvalds/linux/c/2734b692f7b8
-------------------------------
cifs defines LeaseKey as a u8 array in its structure. To move the lease
structure to smbfs_common, ksmbd changes the LeaseKey data type to a u8 array.
Signed-off-by: Namjae Jeon <linkinjeon(a)kernel.org>
Signed-off-by: Steve French <stfrench(a)microsoft.com>
Signed-off-by: Jason Yan <yanaijie(a)huawei.com>
---
fs/ksmbd/oplock.c | 24 +++++++++---------------
fs/ksmbd/oplock.h | 2 --
fs/ksmbd/smb2pdu.h | 11 +++++------
3 files changed, 14 insertions(+), 23 deletions(-)
diff --git a/fs/ksmbd/oplock.c b/fs/ksmbd/oplock.c
index e529bc11b04b..3162bdcdb255 100644
--- a/fs/ksmbd/oplock.c
+++ b/fs/ksmbd/oplock.c
@@ -1335,19 +1335,16 @@ __u8 smb2_map_lease_to_oplock(__le32 lease_state)
*/
void create_lease_buf(u8 *rbuf, struct lease *lease)
{
- char *LeaseKey = (char *)&lease->lease_key;
-
if (lease->version == 2) {
struct create_lease_v2 *buf = (struct create_lease_v2 *)rbuf;
- char *ParentLeaseKey = (char *)&lease->parent_lease_key;
memset(buf, 0, sizeof(struct create_lease_v2));
- buf->lcontext.LeaseKeyLow = *((__le64 *)LeaseKey);
- buf->lcontext.LeaseKeyHigh = *((__le64 *)(LeaseKey + 8));
+ memcpy(buf->lcontext.LeaseKey, lease->lease_key,
+ SMB2_LEASE_KEY_SIZE);
buf->lcontext.LeaseFlags = lease->flags;
buf->lcontext.LeaseState = lease->state;
- buf->lcontext.ParentLeaseKeyLow = *((__le64 *)ParentLeaseKey);
- buf->lcontext.ParentLeaseKeyHigh = *((__le64 *)(ParentLeaseKey + 8));
+ memcpy(buf->lcontext.ParentLeaseKey, lease->parent_lease_key,
+ SMB2_LEASE_KEY_SIZE);
buf->ccontext.DataOffset = cpu_to_le16(offsetof
(struct create_lease_v2, lcontext));
buf->ccontext.DataLength = cpu_to_le32(sizeof(struct lease_context_v2));
@@ -1362,8 +1359,7 @@ void create_lease_buf(u8 *rbuf, struct lease *lease)
struct create_lease *buf = (struct create_lease *)rbuf;
memset(buf, 0, sizeof(struct create_lease));
- buf->lcontext.LeaseKeyLow = *((__le64 *)LeaseKey);
- buf->lcontext.LeaseKeyHigh = *((__le64 *)(LeaseKey + 8));
+ memcpy(buf->lcontext.LeaseKey, lease->lease_key, SMB2_LEASE_KEY_SIZE);
buf->lcontext.LeaseFlags = lease->flags;
buf->lcontext.LeaseState = lease->state;
buf->ccontext.DataOffset = cpu_to_le16(offsetof
@@ -1416,19 +1412,17 @@ struct lease_ctx_info *parse_lease_state(void *open_req)
if (sizeof(struct lease_context_v2) == le32_to_cpu(cc->DataLength)) {
struct create_lease_v2 *lc = (struct create_lease_v2 *)cc;
- *((__le64 *)lreq->lease_key) = lc->lcontext.LeaseKeyLow;
- *((__le64 *)(lreq->lease_key + 8)) = lc->lcontext.LeaseKeyHigh;
+ memcpy(lreq->lease_key, lc->lcontext.LeaseKey, SMB2_LEASE_KEY_SIZE);
lreq->req_state = lc->lcontext.LeaseState;
lreq->flags = lc->lcontext.LeaseFlags;
lreq->duration = lc->lcontext.LeaseDuration;
- *((__le64 *)lreq->parent_lease_key) = lc->lcontext.ParentLeaseKeyLow;
- *((__le64 *)(lreq->parent_lease_key + 8)) = lc->lcontext.ParentLeaseKeyHigh;
+ memcpy(lreq->parent_lease_key, lc->lcontext.ParentLeaseKey,
+ SMB2_LEASE_KEY_SIZE);
lreq->version = 2;
} else {
struct create_lease *lc = (struct create_lease *)cc;
- *((__le64 *)lreq->lease_key) = lc->lcontext.LeaseKeyLow;
- *((__le64 *)(lreq->lease_key + 8)) = lc->lcontext.LeaseKeyHigh;
+ memcpy(lreq->lease_key, lc->lcontext.LeaseKey, SMB2_LEASE_KEY_SIZE);
lreq->req_state = lc->lcontext.LeaseState;
lreq->flags = lc->lcontext.LeaseFlags;
lreq->duration = lc->lcontext.LeaseDuration;
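Review bot: in parse_lease_state() the else branch treats every DataLength that is not exactly sizeof(struct lease_context_v2) as a v1 context and copies SMB2_LEASE_KEY_SIZE bytes from lc->lcontext.LeaseKey, without a visible check that DataLength is at least sizeof(struct lease_context). The memcpy() conversion itself is fine and removes the aliasing casts, but while touching these lines it would be worth making the second branch an explicit "else if (sizeof(struct lease_context) == le32_to_cpu(cc->DataLength))" and failing the parse otherwise, so a short create context cannot be read past its end.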
diff --git a/fs/ksmbd/oplock.h b/fs/ksmbd/oplock.h
index 119b8047cfbd..0cf7a2b5bbc0 100644
--- a/fs/ksmbd/oplock.h
+++ b/fs/ksmbd/oplock.h
@@ -28,8 +28,6 @@
#define OPLOCK_WRITE_TO_NONE 0x04
#define OPLOCK_READ_TO_NONE 0x08
-#define SMB2_LEASE_KEY_SIZE 16
-
struct lease_ctx_info {
__u8 lease_key[SMB2_LEASE_KEY_SIZE];
__le32 req_state;
diff --git a/fs/ksmbd/smb2pdu.h b/fs/ksmbd/smb2pdu.h
index f418b001b999..829f44569077 100644
--- a/fs/ksmbd/smb2pdu.h
+++ b/fs/ksmbd/smb2pdu.h
@@ -733,22 +733,21 @@ struct create_posix_rsp {
#define SMB2_LEASE_FLAG_BREAK_IN_PROGRESS_LE cpu_to_le32(0x02)
+#define SMB2_LEASE_KEY_SIZE 16
+
struct lease_context {
- __le64 LeaseKeyLow;
- __le64 LeaseKeyHigh;
+ __u8 LeaseKey[SMB2_LEASE_KEY_SIZE];
__le32 LeaseState;
__le32 LeaseFlags;
__le64 LeaseDuration;
} __packed;
struct lease_context_v2 {
- __le64 LeaseKeyLow;
- __le64 LeaseKeyHigh;
+ __u8 LeaseKey[SMB2_LEASE_KEY_SIZE];
__le32 LeaseState;
__le32 LeaseFlags;
__le64 LeaseDuration;
- __le64 ParentLeaseKeyLow;
- __le64 ParentLeaseKeyHigh;
+ __u8 ParentLeaseKey[SMB2_LEASE_KEY_SIZE];
__le16 Epoch;
__le16 Reserved;
} __packed;
From patchwork Mon Nov 14 12:52:42 2022
X-Patchwork-Submitter: Jason Yan <yanaijie(a)huawei.com>
X-Patchwork-Id: 183350
From: Jason Yan <yanaijie(a)huawei.com>
To: <yanaijie(a)huawei.com>, <zhengzengkai(a)huawei.com>, <xiexiuqi(a)huawei.com>,
<yi.zhang(a)huawei.com>, <patchwork(a)huawei.com>, <kernel.openeuler(a)huawei.com>,
<houtao1(a)huawei.com>
Subject: [PATCH OLK-5.10 v2 253/308] ksmbd: Fix an error handling path in
'smb2_sess_setup()'
Date: Mon, 14 Nov 2022 20:52:42 +0800
Message-ID: <20221114125337.1831594-254-yanaijie(a)huawei.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20221114125337.1831594-1-yanaijie(a)huawei.com>
References: <20221114125337.1831594-1-yanaijie(a)huawei.com>
From: Christophe JAILLET <christophe.jaillet(a)wanadoo.fr>
mainline inclusion
from mainline-5.16-rc3
commit f8fbfd85f5c95fff477a7c19f576725945891d0c
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G
CVE: NA
Reference: https://git.kernel.org/torvalds/linux/c/f8fbfd85f5c9
-------------------------------
All the error handling paths of 'smb2_sess_setup()' end at 'out_err',
all but the new error handling path added by the commit given in the Fixes
tag below.
Fix this error handling path and branch to 'out_err' as well.
Fixes: 0d994cd482ee ("ksmbd: add buffer validation in session setup")
Cc: stable(a)vger.kernel.org # v5.15
Acked-by: Namjae Jeon <linkinjeon(a)kernel.org>
Signed-off-by: Christophe JAILLET <christophe.jaillet(a)wanadoo.fr>
Signed-off-by: Steve French <stfrench(a)microsoft.com>
Signed-off-by: Jason Yan <yanaijie(a)huawei.com>
---
fs/ksmbd/smb2pdu.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/fs/ksmbd/smb2pdu.c b/fs/ksmbd/smb2pdu.c
index bbf9f04ee2fb..27307cc0722b 100644
--- a/fs/ksmbd/smb2pdu.c
+++ b/fs/ksmbd/smb2pdu.c
@@ -1698,8 +1698,10 @@ int smb2_sess_setup(struct ksmbd_work *work)
negblob_off = le16_to_cpu(req->SecurityBufferOffset);
negblob_len = le16_to_cpu(req->SecurityBufferLength);
if (negblob_off < offsetof(struct smb2_sess_setup_req, Buffer) ||
- negblob_len < offsetof(struct negotiate_message, NegotiateFlags))
- return -EINVAL;
+ negblob_len < offsetof(struct negotiate_message, NegotiateFlags)) {
+ rc = -EINVAL;
+ goto out_err;
+ }
negblob = (struct negotiate_message *)((char *)&req->hdr.ProtocolId +
negblob_off);
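Review bot: The changelog says the early `return -EINVAL` bypassed 'out_err' but not what 'out_err' does that the return missed, so a backporter cannot tell from this mail whether the old path leaked something or only skipped response setup; one sentence naming the skipped cleanup would settle it. Separately, the condition in this hunk bounds negblob_off and negblob_len only from below, and negblob is then formed from `&req->hdr.ProtocolId + negblob_off`; if the upper bound against the received request length is enforced elsewhere, a short comment pointing at that check would help readers of this function.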
From patchwork Mon Nov 14 12:52:43 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Jason Yan <yanaijie(a)huawei.com>
X-Patchwork-Id: 183351
Return-Path: <yanaijie(a)huawei.com>
From: Jason Yan <yanaijie(a)huawei.com>
To: <yanaijie(a)huawei.com>, <zhengzengkai(a)huawei.com>, <xiexiuqi(a)huawei.com>,
<yi.zhang(a)huawei.com>, <patchwork(a)huawei.com>, <kernel.openeuler(a)huawei.com>,
<houtao1(a)huawei.com>
Subject: [PATCH OLK-5.10 v2 254/308] ksmbd: downgrade addition info error msg
to debug in smb2_get_info_sec()
Date: Mon, 14 Nov 2022 20:52:43 +0800
Message-ID: <20221114125337.1831594-255-yanaijie(a)huawei.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20221114125337.1831594-1-yanaijie(a)huawei.com>
References: <20221114125337.1831594-1-yanaijie(a)huawei.com>
Content-Type: text/plain
MIME-Version: 1.0
From: Namjae Jeon <linkinjeon(a)kernel.org>
mainline inclusion
from mainline-5.16-rc3
commit 8e537d1465e7401f352a6e0a728a93f8cad5294a
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G
CVE: NA
Reference: https://git.kernel.org/torvalds/linux/c/8e537d1465e7
-------------------------------
During file transfers through a Windows client, a flood of this error
message happens. The flood causes performance degradation and the
misunderstanding that the server has a problem.
Fixes: e294f78d3478 ("ksmbd: allow PROTECTED_DACL_SECINFO and UNPROTECTED_DACL_SECINFO addition information in smb2 set info security")
Cc: stable(a)vger.kernel.org # v5.15
Acked-by: Hyunchul Lee <hyc.lee(a)gmail.com>
Signed-off-by: Namjae Jeon <linkinjeon(a)kernel.org>
Signed-off-by: Steve French <stfrench(a)microsoft.com>
Signed-off-by: Jason Yan <yanaijie(a)huawei.com>
---
fs/ksmbd/smb2pdu.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/fs/ksmbd/smb2pdu.c b/fs/ksmbd/smb2pdu.c
index 27307cc0722b..0b2d2904f7e7 100644
--- a/fs/ksmbd/smb2pdu.c
+++ b/fs/ksmbd/smb2pdu.c
@@ -5024,7 +5024,7 @@ static int smb2_get_info_sec(struct ksmbd_work *work,
if (addition_info & ~(OWNER_SECINFO | GROUP_SECINFO | DACL_SECINFO |
PROTECTED_DACL_SECINFO |
UNPROTECTED_DACL_SECINFO)) {
- pr_err("Unsupported addition info: 0x%x)\n",
+ ksmbd_debug(SMB, "Unsupported addition info: 0x%x)\n",
addition_info);
pntsd->revision = cpu_to_le16(1);
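Review bot: The format string on the changed line still ends in a stray `)` (`"Unsupported addition info: 0x%x)\n"`) with no opening parenthesis; since the line is being touched anyway, drop it. Moving from pr_err() to ksmbd_debug() is reasonable for a condition the changelog says a Windows client triggers during ordinary file transfer, because an unconditional pr_err() lets client traffic fill the kernel log; if the message should stay visible at default log levels, pr_err_ratelimited() would be the alternative.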
From patchwork Mon Nov 14 12:52:44 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Jason Yan <yanaijie(a)huawei.com>
X-Patchwork-Id: 183352
Return-Path: <yanaijie(a)huawei.com>
From: Jason Yan <yanaijie(a)huawei.com>
To: <yanaijie(a)huawei.com>, <zhengzengkai(a)huawei.com>, <xiexiuqi(a)huawei.com>,
<yi.zhang(a)huawei.com>, <patchwork(a)huawei.com>, <kernel.openeuler(a)huawei.com>,
<houtao1(a)huawei.com>
Subject: [PATCH OLK-5.10 v2 255/308] ksmbd: contain default data stream even
if xattr is empty
Date: Mon, 14 Nov 2022 20:52:44 +0800
Message-ID: <20221114125337.1831594-256-yanaijie(a)huawei.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20221114125337.1831594-1-yanaijie(a)huawei.com>
References: <20221114125337.1831594-1-yanaijie(a)huawei.com>
Content-Type: text/plain
MIME-Version: 1.0
From: Namjae Jeon <linkinjeon(a)kernel.org>
mainline inclusion
from mainline-5.16-rc3
commit 1ec72153ff434ce75bace3044dc89a23a05d7064
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G
CVE: NA
Reference: https://git.kernel.org/torvalds/linux/c/1ec72153ff43
-------------------------------
If xattr is not supported, as on exfat or fat, the ksmbd server doesn't
include the default data stream in the FILE_STREAM_INFORMATION response.
This causes ppt or doc file update issues if the local filesystem is one
of those. This patch moves the goto statement so that it is included.
Fixes: 9f6323311c70 ("ksmbd: add default data stream name in FILE_STREAM_INFORMATION")
Cc: stable(a)vger.kernel.org # v5.15
Acked-by: Hyunchul Lee <hyc.lee(a)gmail.com>
Signed-off-by: Namjae Jeon <linkinjeon(a)kernel.org>
Signed-off-by: Steve French <stfrench(a)microsoft.com>
Signed-off-by: Jason Yan <yanaijie(a)huawei.com>
---
fs/ksmbd/smb2pdu.c | 18 +++++++++---------
1 file changed, 9 insertions(+), 9 deletions(-)
diff --git a/fs/ksmbd/smb2pdu.c b/fs/ksmbd/smb2pdu.c
index 0b2d2904f7e7..96a7a2bcd878 100644
--- a/fs/ksmbd/smb2pdu.c
+++ b/fs/ksmbd/smb2pdu.c
@@ -4423,6 +4423,12 @@ static void get_file_stream_info(struct ksmbd_work *work,
generic_fillattr(file_inode(fp->filp), &stat);
file_info = (struct smb2_file_stream_info *)rsp->Buffer;
+ buf_free_len =
+ smb2_calc_max_out_buf_len(work, 8,
+ le32_to_cpu(req->OutputBufferLength));
+ if (buf_free_len < 0)
+ goto out;
+
xattr_list_len = ksmbd_vfs_listxattr(path->dentry, &xattr_list);
if (xattr_list_len < 0) {
goto out;
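Review bot: With `out:` moved above the default-stream block later in this patch, the new `if (buf_free_len < 0) goto out;` lands on the test `buf_free_len >= sizeof(struct smb2_file_stream_info) + 7 * 2`. sizeof yields a size_t, so if buf_free_len is declared as a signed int the negative value is converted to a large unsigned one and the test passes, which would write the "::$DATA" entry into a buffer that was just judged unusable. The declaration is not visible in this hunk; either confirm the type, or add an explicit `buf_free_len >= 0` term to that test so this failure path skips the default-stream block.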
@@ -4431,12 +4437,6 @@ static void get_file_stream_info(struct ksmbd_work *work,
goto out;
}
- buf_free_len =
- smb2_calc_max_out_buf_len(work, 8,
- le32_to_cpu(req->OutputBufferLength));
- if (buf_free_len < 0)
- goto out;
-
while (idx < xattr_list_len) {
stream_name = xattr_list + idx;
streamlen = strlen(stream_name);
@@ -4480,6 +4480,7 @@ static void get_file_stream_info(struct ksmbd_work *work,
file_info->NextEntryOffset = cpu_to_le32(next);
}
+out:
if (!S_ISDIR(stat.mode) &&
buf_free_len >= sizeof(struct smb2_file_stream_info) + 7 * 2) {
file_info = (struct smb2_file_stream_info *)
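Review bot: After this move `out:` is no longer a cleanup label: every `goto out`, including the `xattr_list_len < 0` error from ksmbd_vfs_listxattr(), now falls into the code that appends the default stream entry. That matches the changelog's intent, but the name now misleads; a one-line comment at the label, or a rename that says what it does, would keep a later change from adding a `goto out` that expects pure cleanup.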
@@ -4488,14 +4489,13 @@ static void get_file_stream_info(struct ksmbd_work *work,
"::$DATA", 7, conn->local_nls, 0);
streamlen *= 2;
file_info->StreamNameLength = cpu_to_le32(streamlen);
- file_info->StreamSize = 0;
- file_info->StreamAllocationSize = 0;
+ file_info->StreamSize = cpu_to_le64(stat.size);
+ file_info->StreamAllocationSize = cpu_to_le64(stat.blocks << 9);
nbytes += sizeof(struct smb2_file_stream_info) + streamlen;
}
/* last entry offset should be 0 */
file_info->NextEntryOffset = 0;
-out:
kvfree(xattr_list);
rsp->OutputBufferLength = cpu_to_le32(nbytes);
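Review bot: The switch of StreamSize and StreamAllocationSize from 0 to `cpu_to_le64(stat.size)` and `cpu_to_le64(stat.blocks << 9)` is a behaviour change that the changelog, which only talks about moving the goto, never mentions; please describe it there. Also, the first `goto out` in this function now runs before ksmbd_vfs_listxattr() is called, so the `kvfree(xattr_list)` kept below is only safe if xattr_list is initialised to NULL at its declaration, which is outside the lines shown.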
From patchwork Mon Nov 14 12:52:45 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Jason Yan <yanaijie(a)huawei.com>
X-Patchwork-Id: 183353
Return-Path: <yanaijie(a)huawei.com>
From: Jason Yan <yanaijie(a)huawei.com>
To: <yanaijie(a)huawei.com>, <zhengzengkai(a)huawei.com>, <xiexiuqi(a)huawei.com>,
<yi.zhang(a)huawei.com>, <patchwork(a)huawei.com>, <kernel.openeuler(a)huawei.com>,
<houtao1(a)huawei.com>
Subject: [PATCH OLK-5.10 v2 256/308] ksmbd: fix memleak in
get_file_stream_info()
Date: Mon, 14 Nov 2022 20:52:45 +0800
Message-ID: <20221114125337.1831594-257-yanaijie(a)huawei.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20221114125337.1831594-1-yanaijie(a)huawei.com>
References: <20221114125337.1831594-1-yanaijie(a)huawei.com>
Content-Type: text/plain
MIME-Version: 1.0
From: Namjae Jeon <linkinjeon(a)kernel.org>
mainline inclusion
from mainline-5.16-rc3
commit 178ca6f85aa3231094467691f5ea1ff2f398aa8d
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G
CVE: NA
Reference: https://git.kernel.org/torvalds/linux/c/178ca6f85aa3
-------------------------------
Fix memleak in get_file_stream_info()
Fixes: 34061d6b76a4 ("ksmbd: validate OutputBufferLength of QUERY_DIR, QUERY_INFO, IOCTL requests")
Cc: stable(a)vger.kernel.org # v5.15
Reported-by: Coverity Scan <scan-admin(a)coverity.com>
Acked-by: Hyunchul Lee <hyc.lee(a)gmail.com>
Signed-off-by: Namjae Jeon <linkinjeon(a)kernel.org>
Signed-off-by: Steve French <stfrench(a)microsoft.com>
Signed-off-by: Jason Yan <yanaijie(a)huawei.com>
---
fs/ksmbd/smb2pdu.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/fs/ksmbd/smb2pdu.c b/fs/ksmbd/smb2pdu.c
index 96a7a2bcd878..44f7a219c525 100644
--- a/fs/ksmbd/smb2pdu.c
+++ b/fs/ksmbd/smb2pdu.c
@@ -4462,8 +4462,10 @@ static void get_file_stream_info(struct ksmbd_work *work,
":%s", &stream_name[XATTR_NAME_STREAM_LEN]);
next = sizeof(struct smb2_file_stream_info) + streamlen * 2;
- if (next > buf_free_len)
+ if (next > buf_free_len) {
+ kfree(stream_buf);
break;
+ }
file_info = (struct smb2_file_stream_info *)&rsp->Buffer[nbytes];
streamlen = smbConvertToUTF16((__le16 *)file_info->StreamName,
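Review bot: The changelog repeats the subject and does not say what leaks or when; from the hunk it is stream_buf, on the `next > buf_free_len` break. Please state that in the message, and note that buf_free_len is derived from the request's OutputBufferLength via smb2_calc_max_out_buf_len() in this function, so the condition is under the client's control and the leak repeats per request, which matters for the stable backport's priority. A single exit path that frees stream_buf would also be less fragile than pairing each `break` with its own kfree().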
From patchwork Mon Nov 14 12:52:46 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Jason Yan <yanaijie(a)huawei.com>
X-Patchwork-Id: 183354
Return-Path: <yanaijie(a)huawei.com>
From: Jason Yan <yanaijie(a)huawei.com>
To: <yanaijie(a)huawei.com>, <zhengzengkai(a)huawei.com>, <xiexiuqi(a)huawei.com>,
<yi.zhang(a)huawei.com>, <patchwork(a)huawei.com>, <kernel.openeuler(a)huawei.com>,
<houtao1(a)huawei.com>
Subject: [PATCH OLK-5.10 v2 257/308] ksmbd: remove select FS_POSIX_ACL in
Kconfig
Date: Mon, 14 Nov 2022 20:52:46 +0800
Message-ID: <20221114125337.1831594-258-yanaijie(a)huawei.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20221114125337.1831594-1-yanaijie(a)huawei.com>
References: <20221114125337.1831594-1-yanaijie(a)huawei.com>
Content-Type: text/plain
MIME-Version: 1.0
From: Namjae Jeon <namjae.jeon(a)samsung.com>
mainline inclusion
from mainline-5.15-rc1
commit 777cad1604d68ed4379ec899d1f7d2f6a29f01f0
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G
CVE: NA
Reference: https://git.kernel.org/torvalds/linux/c/777cad1604d6
-------------------------------
ksmbd forces FS_POSIX_ACL to be turned on in Kconfig in order to use the
vfs acl functions (posix_acl_alloc, get_acl, set_posix_acl). OpenWRT and
other platforms don't use acl, and this config is disabled by default in
the kernel. This patch uses IS_ENABLED() to check whether the acl config is
enabled and uses the acl functions if it is.
Signed-off-by: Namjae Jeon <namjae.jeon(a)samsung.com>
Signed-off-by: Steve French <stfrench(a)microsoft.com>
Signed-off-by: Jason Yan <yanaijie(a)huawei.com>
---
fs/ksmbd/smb2pdu.c | 9 ++++--
fs/ksmbd/smbacl.c | 80 ++++++++++++++++++++++++++--------------------
fs/ksmbd/vfs.c | 9 ++++++
3 files changed, 61 insertions(+), 37 deletions(-)
diff --git a/fs/ksmbd/smb2pdu.c b/fs/ksmbd/smb2pdu.c
index 44f7a219c525..81a56d78fc2d 100644
--- a/fs/ksmbd/smb2pdu.c
+++ b/fs/ksmbd/smb2pdu.c
@@ -2431,11 +2431,14 @@ static void ksmbd_acls_fattr(struct smb_fattr *fattr, struct inode *inode)
fattr->cf_uid = inode->i_uid;
fattr->cf_gid = inode->i_gid;
fattr->cf_mode = inode->i_mode;
+ fattr->cf_acls = NULL;
fattr->cf_dacls = NULL;
- fattr->cf_acls = get_acl(inode, ACL_TYPE_ACCESS);
- if (S_ISDIR(inode->i_mode))
- fattr->cf_dacls = get_acl(inode, ACL_TYPE_DEFAULT);
+ if (IS_ENABLED(CONFIG_FS_POSIX_ACL)) {
+ fattr->cf_acls = get_acl(inode, ACL_TYPE_ACCESS);
+ if (S_ISDIR(inode->i_mode))
+ fattr->cf_dacls = get_acl(inode, ACL_TYPE_DEFAULT);
+ }
}
/**
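Review bot: The `IS_ENABLED(CONFIG_FS_POSIX_ACL)` guard added to ksmbd_acls_fattr() only has an effect if the option can be off while ksmbd is built, but the diffstat above lists smb2pdu.c, smbacl.c and vfs.c and no Kconfig file, so the `select FS_POSIX_ACL` removal named in the subject is not part of what is shown. If the Kconfig change was dropped in this backport, say so in the changelog; otherwise the guards never take the disabled branch on this tree. Initialising cf_acls to NULL up front is good, since callers such as the smb2_open() lines later in this series release both pointers unconditionally.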
diff --git a/fs/ksmbd/smbacl.c b/fs/ksmbd/smbacl.c
index 40a1e7bc9f16..7d8f9d03fb64 100644
--- a/fs/ksmbd/smbacl.c
+++ b/fs/ksmbd/smbacl.c
@@ -545,22 +545,29 @@ static void parse_dacl(struct smb_acl *pdacl, char *end_of_acl,
if (acl_state.users->n || acl_state.groups->n) {
acl_state.mask.allow = 0x07;
- fattr->cf_acls = posix_acl_alloc(acl_state.users->n +
- acl_state.groups->n + 4, GFP_KERNEL);
- if (fattr->cf_acls) {
- cf_pace = fattr->cf_acls->a_entries;
- posix_state_to_acl(&acl_state, cf_pace);
+
+ if (IS_ENABLED(CONFIG_FS_POSIX_ACL)) {
+ fattr->cf_acls =
+ posix_acl_alloc(acl_state.users->n +
+ acl_state.groups->n + 4, GFP_KERNEL);
+ if (fattr->cf_acls) {
+ cf_pace = fattr->cf_acls->a_entries;
+ posix_state_to_acl(&acl_state, cf_pace);
+ }
}
}
if (default_acl_state.users->n || default_acl_state.groups->n) {
default_acl_state.mask.allow = 0x07;
- fattr->cf_dacls =
- posix_acl_alloc(default_acl_state.users->n +
- default_acl_state.groups->n + 4, GFP_KERNEL);
- if (fattr->cf_dacls) {
- cf_pdace = fattr->cf_dacls->a_entries;
- posix_state_to_acl(&default_acl_state, cf_pdace);
+
+ if (IS_ENABLED(CONFIG_FS_POSIX_ACL)) {
+ fattr->cf_dacls =
+ posix_acl_alloc(default_acl_state.users->n +
+ default_acl_state.groups->n + 4, GFP_KERNEL);
+ if (fattr->cf_dacls) {
+ cf_pdace = fattr->cf_dacls->a_entries;
+ posix_state_to_acl(&default_acl_state, cf_pdace);
+ }
}
}
free_acl_state(&acl_state);
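Review bot: In both blocks the `mask.allow = 0x07` assignment stays outside the new `IS_ENABLED(CONFIG_FS_POSIX_ACL)` test, although in the lines shown nothing but free_acl_state() follows when the option is off, and the extra nesting level is the only reason the posix_acl_alloc() calls had to be re-wrapped. Folding the test into the outer condition, for example `if (IS_ENABLED(CONFIG_FS_POSIX_ACL) && (acl_state.users->n || acl_state.groups->n))`, would leave the bodies untouched and make the diff much smaller to review.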
@@ -1222,29 +1229,34 @@ int smb_check_perm_dacl(struct ksmbd_conn *conn, struct path *path,
granted = GENERIC_ALL_FLAGS;
}
- posix_acls = get_acl(d_inode(path->dentry), ACL_TYPE_ACCESS);
- if (posix_acls && !found) {
- unsigned int id = -1;
-
- pa_entry = posix_acls->a_entries;
- for (i = 0; i < posix_acls->a_count; i++, pa_entry++) {
- if (pa_entry->e_tag == ACL_USER)
- id = from_kuid(&init_user_ns, pa_entry->e_uid);
- else if (pa_entry->e_tag == ACL_GROUP)
- id = from_kgid(&init_user_ns, pa_entry->e_gid);
- else
- continue;
-
- if (id == uid) {
- mode_to_access_flags(pa_entry->e_perm, 0777, &access_bits);
- if (!access_bits)
- access_bits = SET_MINIMUM_RIGHTS;
- goto check_access_bits;
+ if (IS_ENABLED(CONFIG_FS_POSIX_ACL)) {
+ posix_acls = get_acl(d_inode(path->dentry), ACL_TYPE_ACCESS);
+ if (posix_acls && !found) {
+ unsigned int id = -1;
+
+ pa_entry = posix_acls->a_entries;
+ for (i = 0; i < posix_acls->a_count; i++, pa_entry++) {
+ if (pa_entry->e_tag == ACL_USER)
+ id = from_kuid(&init_user_ns, pa_entry->e_uid);
+ else if (pa_entry->e_tag == ACL_GROUP)
+ id = from_kgid(&init_user_ns, pa_entry->e_gid);
+ else
+ continue;
+
+ if (id == uid) {
+ mode_to_access_flags(pa_entry->e_perm,
+ 0777,
+ &access_bits);
+ if (!access_bits)
+ access_bits =
+ SET_MINIMUM_RIGHTS;
+ goto check_access_bits;
+ }
}
}
+ if (posix_acls)
+ posix_acl_release(posix_acls);
}
- if (posix_acls)
- posix_acl_release(posix_acls);
if (!found) {
if (others_ace) {
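Review bot: Inside the loop, the `id == uid` branch still leaves via `goto check_access_bits` while holding the reference taken by get_acl(), and the only posix_acl_release(posix_acls) in this hunk sits after the loop, so that exit skips it unless the code at check_access_bits (not shown) releases it. The patch re-indents these lines anyway, so add a posix_acl_release(posix_acls) before the goto or route that exit through a common release. Also, with the option off the whole POSIX ACL fallback is skipped and the access decision rests on the remaining paths alone; the changelog should state that this is intended.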
@@ -1318,9 +1330,9 @@ int set_info_sec(struct ksmbd_conn *conn, struct ksmbd_tree_connect *tcon,
ksmbd_vfs_remove_acl_xattrs(path->dentry);
/* Update posix acls */
- if (fattr.cf_dacls) {
- rc = set_posix_acl(inode, ACL_TYPE_ACCESS,
- fattr.cf_acls);
+ if (IS_ENABLED(CONFIG_FS_POSIX_ACL) && fattr.cf_dacls) {
+ rc = set_posix_acl(inode,
+ ACL_TYPE_ACCESS, fattr.cf_acls);
if (S_ISDIR(inode->i_mode) && fattr.cf_dacls)
rc = set_posix_acl(inode,
ACL_TYPE_DEFAULT, fattr.cf_dacls);
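Review bot: The guard tests `fattr.cf_dacls`, yet the first call installs `fattr.cf_acls` as ACL_TYPE_ACCESS; since the outer test already requires cf_dacls, the `&& fattr.cf_dacls` on the S_ISDIR() line is redundant, which suggests the outer test was meant to be `fattr.cf_acls`. As written, a descriptor that yields an access ACL but no default ACL never reaches set_posix_acl(). In addition, on directories the rc of the first set_posix_acl() is overwritten by the second call, so a failure to set the access ACL is lost.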
diff --git a/fs/ksmbd/vfs.c b/fs/ksmbd/vfs.c
index 7f6a53ddf8a1..fff5f8674ad0 100644
--- a/fs/ksmbd/vfs.c
+++ b/fs/ksmbd/vfs.c
@@ -1326,6 +1326,9 @@ static struct xattr_smb_acl *ksmbd_vfs_make_xattr_posix_acl(struct inode *inode,
struct xattr_acl_entry *xa_entry;
int i;
+ if (!IS_ENABLED(CONFIG_FS_POSIX_ACL))
+ return NULL;
+
posix_acls = get_acl(inode, acl_type);
if (!posix_acls)
return NULL;
@@ -1759,6 +1762,9 @@ int ksmbd_vfs_set_init_posix_acl(struct inode *inode)
struct posix_acl *acls;
int rc;
+ if (!IS_ENABLED(CONFIG_FS_POSIX_ACL))
+ return -EOPNOTSUPP;
+
ksmbd_debug(SMB, "Set posix acls\n");
rc = init_acl_state(&acl_state, 1);
if (rc)
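Review bot: Returning -EOPNOTSUPP here and in ksmbd_vfs_inherit_posix_acl() below introduces a new error value for callers that so far saw only the results of the ACL work itself (the inherit helper's visible failure is -ENOENT). Please check that each call site treats -EOPNOTSUPP as "ACLs unavailable, continue" rather than failing the operation, and document the return value in the function comments. ksmbd_vfs_make_xattr_posix_acl() in the hunk above returns NULL for the same condition, which callers cannot tell apart from an inode that simply has no ACL.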
@@ -1805,6 +1811,9 @@ int ksmbd_vfs_inherit_posix_acl(struct inode *inode, struct inode *parent_inode)
struct posix_acl_entry *pace;
int rc, i;
+ if (!IS_ENABLED(CONFIG_FS_POSIX_ACL))
+ return -EOPNOTSUPP;
+
acls = get_acl(parent_inode, ACL_TYPE_DEFAULT);
if (!acls)
return -ENOENT;
From patchwork Mon Nov 14 12:52:47 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Jason Yan <yanaijie(a)huawei.com>
X-Patchwork-Id: 183355
Return-Path: <yanaijie(a)huawei.com>
From: Jason Yan <yanaijie(a)huawei.com>
To: <yanaijie(a)huawei.com>, <zhengzengkai(a)huawei.com>, <xiexiuqi(a)huawei.com>,
<yi.zhang(a)huawei.com>, <patchwork(a)huawei.com>, <kernel.openeuler(a)huawei.com>,
<houtao1(a)huawei.com>
Subject: [PATCH OLK-5.10 v2 258/308] ksmbd: fix uninitialized symbol
'pntsd_size'
Date: Mon, 14 Nov 2022 20:52:47 +0800
Message-ID: <20221114125337.1831594-259-yanaijie(a)huawei.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20221114125337.1831594-1-yanaijie(a)huawei.com>
References: <20221114125337.1831594-1-yanaijie(a)huawei.com>
Content-Type: text/plain
MIME-Version: 1.0
From: Namjae Jeon <linkinjeon(a)kernel.org>
mainline inclusion
from mainline-5.16-rc7
commit f2e78affc48dee29b989c1d9b0d89b503dcd1204
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G
CVE: NA
Reference: https://git.kernel.org/torvalds/linux/c/f2e78affc48d
-------------------------------
There is no check of whether "rc" from build_sec_desc() is an error code.
This can cause problems with using an uninitialized pntsd_size.
Fixes: e2f34481b24d ("cifsd: add server-side procedures for SMB3")
Cc: stable(a)vger.kernel.org # v5.15
Reported-by: Dan Carpenter <dan.carpenter(a)oracle.com>
Signed-off-by: Namjae Jeon <linkinjeon(a)kernel.org>
Signed-off-by: Steve French <stfrench(a)microsoft.com>
Signed-off-by: Jason Yan <yanaijie(a)huawei.com>
---
fs/ksmbd/smb2pdu.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/fs/ksmbd/smb2pdu.c b/fs/ksmbd/smb2pdu.c
index 81a56d78fc2d..80142d420660 100644
--- a/fs/ksmbd/smb2pdu.c
+++ b/fs/ksmbd/smb2pdu.c
@@ -2941,6 +2941,10 @@ int smb2_open(struct ksmbd_work *work)
&pntsd_size, &fattr);
posix_acl_release(fattr.cf_acls);
posix_acl_release(fattr.cf_dacls);
+ if (rc) {
+ kfree(pntsd);
+ goto err_out;
+ }
rc = ksmbd_vfs_set_sd_xattr(conn,
path.dentry,
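Review bot: The new error path calls `kfree(pntsd)` after build_sec_desc() has failed, which is only correct if pntsd is NULL-initialised or still points at a live allocation at that point; neither the declaration nor the allocation is visible in this hunk. Please state in a comment or in the changelog who owns pntsd when build_sec_desc() fails. The changelog could also name the consumer of the uninitialised pntsd_size, which from the context lines is presumably the ksmbd_vfs_set_sd_xattr() call that follows.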
From patchwork Mon Nov 14 12:52:48 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Jason Yan <yanaijie(a)huawei.com>
X-Patchwork-Id: 183356
Return-Path: <yanaijie(a)huawei.com>
From: Jason Yan <yanaijie(a)huawei.com>
To: <yanaijie(a)huawei.com>, <zhengzengkai(a)huawei.com>, <xiexiuqi(a)huawei.com>,
<yi.zhang(a)huawei.com>, <patchwork(a)huawei.com>, <kernel.openeuler(a)huawei.com>,
<houtao1(a)huawei.com>
Subject: [PATCH OLK-5.10 v2 259/308] ksmbd: disable SMB2_GLOBAL_CAP_ENCRYPTION
for SMB 3.1.1
Date: Mon, 14 Nov 2022 20:52:48 +0800
Message-ID: <20221114125337.1831594-260-yanaijie(a)huawei.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20221114125337.1831594-1-yanaijie(a)huawei.com>
References: <20221114125337.1831594-1-yanaijie(a)huawei.com>
Content-Type: text/plain
MIME-Version: 1.0
From: Marcos Del Sol Vives <marcos(a)orca.pet>
mainline inclusion
from mainline-5.16-rc7
commit 83912d6d55be10d65b5268d1871168b9ebe1ec4b
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G
CVE: NA
Reference: https://git.kernel.org/torvalds/linux/c/83912d6d55be
-------------------------------
According to the official Microsoft MS-SMB2 document section 3.3.5.4, this
flag should be used only for 3.0 and 3.0.2 dialects. Setting it for 3.1.1
is a violation of the specification.
This causes my Windows 10 client to detect an anomaly in the negotiation,
and disable encryption entirely despite being explicitly enabled in ksmbd,
causing all data transfers to go in plain text.
Fixes: e2f34481b24d ("cifsd: add server-side procedures for SMB3")
Cc: stable(a)vger.kernel.org # v5.15
Acked-by: Namjae Jeon <linkinjeon(a)kernel.org>
Signed-off-by: Marcos Del Sol Vives <marcos(a)orca.pet>
Signed-off-by: Steve French <stfrench(a)microsoft.com>
Signed-off-by: Jason Yan <yanaijie(a)huawei.com>
---
fs/ksmbd/smb2ops.c | 3 ---
fs/ksmbd/smb2pdu.c | 25 +++++++++++++++++++++----
2 files changed, 21 insertions(+), 7 deletions(-)
diff --git a/fs/ksmbd/smb2ops.c b/fs/ksmbd/smb2ops.c
index fb6a65d23139..2a6205103df2 100644
--- a/fs/ksmbd/smb2ops.c
+++ b/fs/ksmbd/smb2ops.c
@@ -272,9 +272,6 @@ int init_smb3_11_server(struct ksmbd_conn *conn)
if (server_conf.flags & KSMBD_GLOBAL_FLAG_SMB2_LEASES)
conn->vals->capabilities |= SMB2_GLOBAL_CAP_LEASING;
- if (conn->cipher_type)
- conn->vals->capabilities |= SMB2_GLOBAL_CAP_ENCRYPTION;
-
if (server_conf.flags & KSMBD_GLOBAL_FLAG_SMB3_MULTICHANNEL)
conn->vals->capabilities |= SMB2_GLOBAL_CAP_MULTI_CHANNEL;
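Review bot: Dropping SMB2_GLOBAL_CAP_ENCRYPTION from init_smb3_11_server() changes the result of every remaining `conn->vals->capabilities & SMB2_GLOBAL_CAP_ENCRYPTION` test for 3.1.1 connections, and this patch converts only the two in ntlm_authenticate() and krb5_authenticate(). Please grep for other users of the flag, in particular code that decides whether a session or share must be encrypted, and either switch them to smb3_encryption_negotiated() or confirm they never run for 3.1.1. A missed site would quietly treat a 3.1.1 connection as not encrypted, which is the same failure the changelog describes.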
diff --git a/fs/ksmbd/smb2pdu.c b/fs/ksmbd/smb2pdu.c
index 80142d420660..c03b454d0200 100644
--- a/fs/ksmbd/smb2pdu.c
+++ b/fs/ksmbd/smb2pdu.c
@@ -916,6 +916,25 @@ static void decode_encrypt_ctxt(struct ksmbd_conn *conn,
}
}
+/**
+ * smb3_encryption_negotiated() - checks if server and client agreed on enabling encryption
+ * @conn: smb connection
+ *
+ * Return: true if connection should be encrypted, else false
+ */
+static bool smb3_encryption_negotiated(struct ksmbd_conn *conn)
+{
+ if (!conn->ops->generate_encryptionkey)
+ return false;
+
+ /*
+ * SMB 3.0 and 3.0.2 dialects use the SMB2_GLOBAL_CAP_ENCRYPTION flag.
+ * SMB 3.1.1 uses the cipher_type field.
+ */
+ return (conn->vals->capabilities & SMB2_GLOBAL_CAP_ENCRYPTION) ||
+ conn->cipher_type;
+}
+
static void decode_compress_ctxt(struct ksmbd_conn *conn,
struct smb2_compression_ctx *pneg_ctxt)
{
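Review bot: smb3_encryption_negotiated() does not look at the negotiated dialect, so it accepts either signal on any connection: a nonzero cipher_type counts on 3.0 and the capability bit counts on 3.1.1, while the comment describes a strict split between the two. If cipher_type can only be set while decoding a 3.1.1 negotiate context, say so in the comment; otherwise key each test on the dialect. Since the failure reported in the changelog was a silent fall back to plain text, a log message at session setup when encryption is configured but this helper returns false would also make a regression visible.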
@@ -1470,8 +1489,7 @@ static int ntlm_authenticate(struct ksmbd_work *work)
(req->SecurityMode & SMB2_NEGOTIATE_SIGNING_REQUIRED))
sess->sign = true;
- if (conn->vals->capabilities & SMB2_GLOBAL_CAP_ENCRYPTION &&
- conn->ops->generate_encryptionkey &&
+ if (smb3_encryption_negotiated(conn) &&
!(req->Flags & SMB2_SESSION_REQ_FLAG_BINDING)) {
rc = conn->ops->generate_encryptionkey(sess);
if (rc) {
@@ -1560,8 +1578,7 @@ static int krb5_authenticate(struct ksmbd_work *work)
(req->SecurityMode & SMB2_NEGOTIATE_SIGNING_REQUIRED))
sess->sign = true;
- if ((conn->vals->capabilities & SMB2_GLOBAL_CAP_ENCRYPTION) &&
- conn->ops->generate_encryptionkey) {
+ if (smb3_encryption_negotiated(conn)) {
retval = conn->ops->generate_encryptionkey(sess);
if (retval) {
ksmbd_debug(SMB,
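Review bot: After the conversion the two callers still differ: ntlm_authenticate() skips key generation when `req->Flags & SMB2_SESSION_REQ_FLAG_BINDING` is set, while krb5_authenticate() calls generate_encryptionkey() whenever smb3_encryption_negotiated() is true. If the binding exclusion is needed for one mechanism it is probably needed for both; either add it here or explain in a comment why session binding is handled differently for Kerberos.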
From patchwork Mon Nov 14 12:52:49 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Jason Yan <yanaijie(a)huawei.com>
X-Patchwork-Id: 183357
Return-Path: <yanaijie(a)huawei.com>
From: Jason Yan <yanaijie(a)huawei.com>
To: <yanaijie(a)huawei.com>, <zhengzengkai(a)huawei.com>, <xiexiuqi(a)huawei.com>,
<yi.zhang(a)huawei.com>, <patchwork(a)huawei.com>, <kernel.openeuler(a)huawei.com>,
<houtao1(a)huawei.com>
Subject: [PATCH OLK-5.10 v2 260/308] ksmbd: Remove unused parameter from
smb2_get_name()
Date: Mon, 14 Nov 2022 20:52:49 +0800
Message-ID: <20221114125337.1831594-261-yanaijie(a)huawei.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20221114125337.1831594-1-yanaijie(a)huawei.com>
References: <20221114125337.1831594-1-yanaijie(a)huawei.com>
Content-Type: text/plain
MIME-Version: 1.0
From: Marios Makassikis <mmakassikis(a)freebox.fr>
mainline inclusion
from mainline-5.17-rc1
commit 80917f17e3f99027661a45262c310139e53a9faa
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G
CVE: NA
Reference: https://git.kernel.org/torvalds/linux/c/80917f17e3f9
-------------------------------
The 'share' parameter is no longer used by smb2_get_name() since
commit 265fd1991c1d ("ksmbd: use LOOKUP_BENEATH to prevent the out of
share access").
Acked-by: Namjae Jeon <linkinjeon(a)kernel.org>
Signed-off-by: Marios Makassikis <mmakassikis(a)freebox.fr>
Signed-off-by: Steve French <stfrench(a)microsoft.com>
Signed-off-by: Jason Yan <yanaijie(a)huawei.com>
---
fs/ksmbd/smb2pdu.c | 13 ++++---------
1 file changed, 4 insertions(+), 9 deletions(-)
diff --git a/fs/ksmbd/smb2pdu.c b/fs/ksmbd/smb2pdu.c
index c03b454d0200..b8c931140b14 100644
--- a/fs/ksmbd/smb2pdu.c
+++ b/fs/ksmbd/smb2pdu.c
@@ -611,7 +611,6 @@ static void destroy_previous_session(struct ksmbd_user *user, u64 id)
/**
* smb2_get_name() - get filename string from on the wire smb format
- * @share: ksmbd_share_config pointer
* @src: source buffer
* @maxlen: maxlen of source string
* @nls_table: nls_table pointer
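Review bot: the kernel-doc left above smb2_get_name() still names the last parameter @nls_table, while the signature in the next hunk calls it local_nls. Since this patch already edits the comment, rename the tag to @local_nls so scripts/kernel-doc does not report an undescribed parameter.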
@@ -619,8 +618,7 @@ static void destroy_previous_session(struct ksmbd_user *user, u64 id)
* Return: matching converted filename on success, otherwise error ptr
*/
static char *
-smb2_get_name(struct ksmbd_share_config *share, const char *src,
- const int maxlen, struct nls_table *local_nls)
+smb2_get_name(const char *src, const int maxlen, struct nls_table *local_nls)
{
char *name;
@@ -2518,8 +2516,7 @@ int smb2_open(struct ksmbd_work *work)
goto err_out1;
}
- name = smb2_get_name(share,
- req->Buffer,
+ name = smb2_get_name(req->Buffer,
le16_to_cpu(req->NameLength),
work->conn->local_nls);
if (IS_ERR(name)) {
@@ -5350,8 +5347,7 @@ static int smb2_rename(struct ksmbd_work *work, struct ksmbd_file *fp,
goto out;
}
- new_name = smb2_get_name(share,
- file_info->FileName,
+ new_name = smb2_get_name(file_info->FileName,
le32_to_cpu(file_info->FileNameLength),
local_nls);
if (IS_ERR(new_name)) {
@@ -5461,8 +5457,7 @@ static int smb2_create_link(struct ksmbd_work *work,
if (!pathname)
return -ENOMEM;
- link_name = smb2_get_name(share,
- file_info->FileName,
+ link_name = smb2_get_name(file_info->FileName,
le32_to_cpu(file_info->FileNameLength),
local_nls);
if (IS_ERR(link_name) || S_ISDIR(file_inode(filp)->i_mode)) {
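Review bot: in smb2_create_link(), and likewise in the smb2_rename() hunk above, the share local loses a user once it is no longer passed to smb2_get_name(). Check that each function still uses it elsewhere; if not, drop the declaration in this patch so the build does not pick up an unused-variable warning.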
From patchwork Mon Nov 14 12:52:50 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Jason Yan <yanaijie(a)huawei.com>
X-Patchwork-Id: 183358
Return-Path: <yanaijie(a)huawei.com>
From: Jason Yan <yanaijie(a)huawei.com>
To: <yanaijie(a)huawei.com>, <zhengzengkai(a)huawei.com>, <xiexiuqi(a)huawei.com>,
<yi.zhang(a)huawei.com>, <patchwork(a)huawei.com>, <kernel.openeuler(a)huawei.com>,
<houtao1(a)huawei.com>
Subject: [PATCH OLK-5.10 v2 261/308] ksmbd: Remove unused fields from
ksmbd_file struct definition
Date: Mon, 14 Nov 2022 20:52:50 +0800
Message-ID: <20221114125337.1831594-262-yanaijie(a)huawei.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20221114125337.1831594-1-yanaijie(a)huawei.com>
References: <20221114125337.1831594-1-yanaijie(a)huawei.com>
Content-Type: text/plain
MIME-Version: 1.0
From: Marios Makassikis <mmakassikis(a)freebox.fr>
mainline inclusion
from mainline-5.17-rc1
commit 305f8bda15ebbe4004681286a5c67d0dc296c771
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G
CVE: NA
Reference: https://git.kernel.org/torvalds/linux/c/305f8bda15eb
-------------------------------
These fields are remnants of the not upstreamed SMB1 code.
Acked-by: Namjae Jeon <linkinjeon(a)kernel.org>
Signed-off-by: Marios Makassikis <mmakassikis(a)freebox.fr>
Signed-off-by: Steve French <stfrench(a)microsoft.com>
Signed-off-by: Jason Yan <yanaijie(a)huawei.com>
---
fs/ksmbd/vfs_cache.h | 10 ----------
1 file changed, 10 deletions(-)
diff --git a/fs/ksmbd/vfs_cache.h b/fs/ksmbd/vfs_cache.h
index 448576fbe4b7..36239ce31afd 100644
--- a/fs/ksmbd/vfs_cache.h
+++ b/fs/ksmbd/vfs_cache.h
@@ -96,16 +96,6 @@ struct ksmbd_file {
int durable_timeout;
- /* for SMB1 */
- int pid;
-
- /* conflict lock fail count for SMB1 */
- unsigned int cflock_cnt;
- /* last lock failure start offset for SMB1 */
- unsigned long long llock_fstart;
-
- int dirent_offset;
-
/* if ls is happening on directory, below is valid*/
struct ksmbd_readdir_data readdir_data;
int dot_dotdot[2];
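Review bot: dirent_offset is removed from struct ksmbd_file along with the fields commented as SMB1, but unlike pid, cflock_cnt and llock_fstart it carries no SMB1 comment. The changelog should state that it has no remaining readers in the directory-listing code that uses readdir_data, so the removal can be checked against more than the one-line description.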
From patchwork Mon Nov 14 12:52:51 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Jason Yan <yanaijie(a)huawei.com>
X-Patchwork-Id: 183359
Return-Path: <yanaijie(a)huawei.com>
From: Jason Yan <yanaijie(a)huawei.com>
To: <yanaijie(a)huawei.com>, <zhengzengkai(a)huawei.com>, <xiexiuqi(a)huawei.com>,
<yi.zhang(a)huawei.com>, <patchwork(a)huawei.com>, <kernel.openeuler(a)huawei.com>,
<houtao1(a)huawei.com>
Subject: [PATCH OLK-5.10 v2 262/308] ksmbd: set RSS capable in
FSCTL_QUERY_NETWORK_INTERFACE_INFO
Date: Mon, 14 Nov 2022 20:52:51 +0800
Message-ID: <20221114125337.1831594-263-yanaijie(a)huawei.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20221114125337.1831594-1-yanaijie(a)huawei.com>
References: <20221114125337.1831594-1-yanaijie(a)huawei.com>
Content-Type: text/plain
MIME-Version: 1.0
From: Namjae Jeon <linkinjeon(a)kernel.org>
mainline inclusion
from mainline-5.17-rc1
commit a58b45a4dbfd0bf2ebb157789da4d8e6368afb1b
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G
CVE: NA
Reference: https://git.kernel.org/torvalds/linux/c/a58b45a4dbfd
-------------------------------
Set RSS capable in FSCTL_QUERY_NETWORK_INTERFACE_INFO if netdev has
multi tx queues, and add ksmbd_compare_user() to avoid a racy condition
issue in ksmbd_free_user(), because the Windows client simultaneously
sends session setup requests for a multichannel connection.
Tested-by: Ziwei Xie <zw.xie(a)high-flyer.cn>
Signed-off-by: Namjae Jeon <linkinjeon(a)kernel.org>
Signed-off-by: Steve French <stfrench(a)microsoft.com>
Signed-off-by: Jason Yan <yanaijie(a)huawei.com>
---
fs/ksmbd/mgmt/user_config.c | 10 ++++++++++
fs/ksmbd/mgmt/user_config.h | 1 +
fs/ksmbd/smb2pdu.c | 15 ++++++++++-----
3 files changed, 21 insertions(+), 5 deletions(-)
diff --git a/fs/ksmbd/mgmt/user_config.c b/fs/ksmbd/mgmt/user_config.c
index 1019d3677d55..279d00feff21 100644
--- a/fs/ksmbd/mgmt/user_config.c
+++ b/fs/ksmbd/mgmt/user_config.c
@@ -67,3 +67,13 @@ int ksmbd_anonymous_user(struct ksmbd_user *user)
return 1;
return 0;
}
+
+bool ksmbd_compare_user(struct ksmbd_user *u1, struct ksmbd_user *u2)
+{
+ if (strcmp(u1->name, u2->name))
+ return false;
+ if (memcmp(u1->passkey, u2->passkey, u1->passkey_sz))
+ return false;
+
+ return true;
+}
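Review bot: ksmbd_compare_user() calls memcmp() over u1->passkey_sz bytes without first checking that u2->passkey_sz is the same, so a shorter u2->passkey is read past its end. Compare the two sizes first and return false on mismatch. Since passkey is secret material, crypto_memneq() would also avoid the data-dependent early exit of memcmp().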
diff --git a/fs/ksmbd/mgmt/user_config.h b/fs/ksmbd/mgmt/user_config.h
index aff80b029579..6a44109617f1 100644
--- a/fs/ksmbd/mgmt/user_config.h
+++ b/fs/ksmbd/mgmt/user_config.h
@@ -64,4 +64,5 @@ struct ksmbd_user *ksmbd_login_user(const char *account);
struct ksmbd_user *ksmbd_alloc_user(struct ksmbd_login_response *resp);
void ksmbd_free_user(struct ksmbd_user *user);
int ksmbd_anonymous_user(struct ksmbd_user *user);
+bool ksmbd_compare_user(struct ksmbd_user *u1, struct ksmbd_user *u2);
#endif /* __USER_CONFIG_MANAGEMENT_H__ */
diff --git a/fs/ksmbd/smb2pdu.c b/fs/ksmbd/smb2pdu.c
index b8c931140b14..c4df4edf879d 100644
--- a/fs/ksmbd/smb2pdu.c
+++ b/fs/ksmbd/smb2pdu.c
@@ -1449,10 +1449,16 @@ static int ntlm_authenticate(struct ksmbd_work *work)
ksmbd_free_user(user);
return 0;
}
- ksmbd_free_user(sess->user);
+
+ if (!ksmbd_compare_user(sess->user, user)) {
+ ksmbd_free_user(user);
+ return -EPERM;
+ }
+ ksmbd_free_user(user);
+ } else {
+ sess->user = user;
}
- sess->user = user;
if (user_guest(sess->user)) {
if (conn->sign) {
ksmbd_debug(SMB, "Guest login not allowed when signing enabled\n");
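Review bot: this ntlm_authenticate() hunk changes authentication behaviour (a session setup on a session that already has a user now fails with -EPERM when the users differ), yet the subject only mentions RSS in FSCTL_QUERY_NETWORK_INTERFACE_INFO. Split it into its own patch, or at least name the -EPERM path in the changelog. The hunk also shows no lock around the compare and the sess->user = user assignment, so the changelog should say what serialises concurrent session setups on the same session.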
@@ -2056,9 +2062,6 @@ int smb2_session_logoff(struct ksmbd_work *work)
ksmbd_debug(SMB, "request\n");
- /* Got a valid session, set connection state */
- WARN_ON(sess->conn != conn);
-
/* setting CifsExiting here may race with start_tcp_sess */
ksmbd_conn_set_need_reconnect(work);
ksmbd_close_session_fds(work);
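Review bot: the WARN_ON(sess->conn != conn) in smb2_session_logoff() is dropped without a word in the commit message. If it can now fire legitimately because a multichannel session is reached over a connection other than sess->conn, say so, and check that ksmbd_conn_set_need_reconnect(work) and ksmbd_close_session_fds(work) below act on the intended connection in that case.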
@@ -7208,6 +7211,8 @@ static int fsctl_query_iface_info_ioctl(struct ksmbd_conn *conn,
nii_rsp->IfIndex = cpu_to_le32(netdev->ifindex);
nii_rsp->Capability = 0;
+ if (netdev->real_num_tx_queues > 1)
+ nii_rsp->Capability |= cpu_to_le32(RSS_CAPABLE);
if (ksmbd_rdma_capable_netdev(netdev))
nii_rsp->Capability |= cpu_to_le32(RDMA_CAPABLE);
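Review bot: RSS_CAPABLE is derived from netdev->real_num_tx_queues, but receive-side scaling is a property of the receive path. Explain why the transmit queue count is the right signal, or test the receive queue count instead, so that a device with several tx queues and a single rx queue is not advertised to clients as RSS capable.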
From patchwork Mon Nov 14 12:52:52 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Jason Yan <yanaijie(a)huawei.com>
X-Patchwork-Id: 183360
Return-Path: <yanaijie(a)huawei.com>
From: Jason Yan <yanaijie(a)huawei.com>
To: <yanaijie(a)huawei.com>, <zhengzengkai(a)huawei.com>, <xiexiuqi(a)huawei.com>,
<yi.zhang(a)huawei.com>, <patchwork(a)huawei.com>, <kernel.openeuler(a)huawei.com>,
<houtao1(a)huawei.com>
Subject: [PATCH OLK-5.10 v2 263/308] ksmbd: set both ipv4 and ipv6 in
FSCTL_QUERY_NETWORK_INTERFACE_INFO
Date: Mon, 14 Nov 2022 20:52:52 +0800
Message-ID: <20221114125337.1831594-264-yanaijie(a)huawei.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20221114125337.1831594-1-yanaijie(a)huawei.com>
References: <20221114125337.1831594-1-yanaijie(a)huawei.com>
Content-Type: text/plain
MIME-Version: 1.0
From: Namjae Jeon <linkinjeon(a)kernel.org>
mainline inclusion
from mainline-5.17-rc1
commit 71cd9cb680cb5d536c0dcbddb1c1d0010d79b214
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G
CVE: NA
Reference: https://git.kernel.org/torvalds/linux/c/71cd9cb680cb
-------------------------------
Set ipv4 and ipv6 address in FSCTL_QUERY_NETWORK_INTERFACE_INFO.
Signed-off-by: Namjae Jeon <linkinjeon(a)kernel.org>
Signed-off-by: Steve French <stfrench(a)microsoft.com>
Signed-off-by: Jason Yan <yanaijie(a)huawei.com>
---
fs/ksmbd/smb2pdu.c | 22 ++++++++++++----------
1 file changed, 12 insertions(+), 10 deletions(-)
diff --git a/fs/ksmbd/smb2pdu.c b/fs/ksmbd/smb2pdu.c
index c4df4edf879d..c7b7d7f841e7 100644
--- a/fs/ksmbd/smb2pdu.c
+++ b/fs/ksmbd/smb2pdu.c
@@ -7189,15 +7189,10 @@ static int fsctl_query_iface_info_ioctl(struct ksmbd_conn *conn,
struct sockaddr_storage_rsp *sockaddr_storage;
unsigned int flags;
unsigned long long speed;
- struct sockaddr_in6 *csin6 = (struct sockaddr_in6 *)&conn->peer_addr;
rtnl_lock();
for_each_netdev(&init_net, netdev) {
- if (out_buf_len <
- nbytes + sizeof(struct network_interface_info_ioctl_rsp)) {
- rtnl_unlock();
- return -ENOSPC;
- }
+ bool ipv4_set = false;
if (netdev->type == ARPHRD_LOOPBACK)
continue;
@@ -7205,6 +7200,12 @@ static int fsctl_query_iface_info_ioctl(struct ksmbd_conn *conn,
flags = dev_get_flags(netdev);
if (!(flags & IFF_RUNNING))
continue;
+ipv6_retry:
+ if (out_buf_len <
+ nbytes + sizeof(struct network_interface_info_ioctl_rsp)) {
+ rtnl_unlock();
+ return -ENOSPC;
+ }
nii_rsp = (struct network_interface_info_ioctl_rsp *)
&rsp->Buffer[nbytes];
@@ -7237,8 +7238,7 @@ static int fsctl_query_iface_info_ioctl(struct ksmbd_conn *conn,
nii_rsp->SockAddr_Storage;
memset(sockaddr_storage, 0, 128);
- if (conn->peer_addr.ss_family == PF_INET ||
- ipv6_addr_v4mapped(&csin6->sin6_addr)) {
+ if (!ipv4_set) {
struct in_device *idev;
sockaddr_storage->Family = cpu_to_le16(INTERNETWORK);
@@ -7249,6 +7249,9 @@ static int fsctl_query_iface_info_ioctl(struct ksmbd_conn *conn,
continue;
sockaddr_storage->addr4.IPv4address =
idev_ipv4_address(idev);
+ nbytes += sizeof(struct network_interface_info_ioctl_rsp);
+ ipv4_set = true;
+ goto ipv6_retry;
} else {
struct inet6_dev *idev6;
struct inet6_ifaddr *ifa;
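Review bot: the continue kept as context just above the IPv4address assignment, presumably taken when the device has no IPv4 configuration, now skips the IPv6 entry too, because ipv4_set is only set after an IPv4 address has been written. An interface without IPv4 would then never be reported, which contradicts the subject. Set ipv4_set and jump to ipv6_retry on that path instead of continuing. The backward goto into the loop body is also hard to follow; a helper that fills one entry, called once per address family, would read better.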
@@ -7270,9 +7273,8 @@ static int fsctl_query_iface_info_ioctl(struct ksmbd_conn *conn,
break;
}
sockaddr_storage->addr6.ScopeId = 0;
+ nbytes += sizeof(struct network_interface_info_ioctl_rsp);
}
-
- nbytes += sizeof(struct network_interface_info_ioctl_rsp);
}
rtnl_unlock();
From patchwork Mon Nov 14 12:52:53 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Jason Yan <yanaijie(a)huawei.com>
X-Patchwork-Id: 183361
Return-Path: <yanaijie(a)huawei.com>
From: Jason Yan <yanaijie(a)huawei.com>
To: <yanaijie(a)huawei.com>, <zhengzengkai(a)huawei.com>, <xiexiuqi(a)huawei.com>,
<yi.zhang(a)huawei.com>, <patchwork(a)huawei.com>, <kernel.openeuler(a)huawei.com>,
<houtao1(a)huawei.com>
Subject: [PATCH OLK-5.10 v2 264/308] ksmbd: fix multi session connection
failure
Date: Mon, 14 Nov 2022 20:52:53 +0800
Message-ID: <20221114125337.1831594-265-yanaijie(a)huawei.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20221114125337.1831594-1-yanaijie(a)huawei.com>
References: <20221114125337.1831594-1-yanaijie(a)huawei.com>
Content-Type: text/plain
MIME-Version: 1.0
From: Namjae Jeon <linkinjeon(a)kernel.org>
mainline inclusion
from mainline-5.17-rc1
commit ce53d365378cde71bb6596d79c257e600d951d29
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G
CVE: NA
Reference: https://git.kernel.org/torvalds/linux/c/ce53d365378c
-------------------------------
When RSS mode is enabled, the Windows client simultaneously sends several
session requests to the server. There is a racy issue using
sess->ntlmssp.cryptkey on N connections : 1 session, so authentication
failed using the wrong cryptkey on some sessions. This patch moves cryptkey
to the ksmbd_conn structure to use each cryptkey on its connection.
Tested-by: Ziwei Xie <zw.xie(a)high-flyer.cn>
Signed-off-by: Namjae Jeon <linkinjeon(a)kernel.org>
Signed-off-by: Steve French <stfrench(a)microsoft.com>
Signed-off-by: Jason Yan <yanaijie(a)huawei.com>
---
fs/ksmbd/auth.c | 27 ++++++++++++++-------------
fs/ksmbd/auth.h | 10 +++++-----
fs/ksmbd/connection.h | 7 +------
fs/ksmbd/mgmt/user_session.h | 1 -
fs/ksmbd/smb2pdu.c | 8 ++++----
5 files changed, 24 insertions(+), 29 deletions(-)
diff --git a/fs/ksmbd/auth.c b/fs/ksmbd/auth.c
index 3503b1c48cb4..dc3d061edda9 100644
--- a/fs/ksmbd/auth.c
+++ b/fs/ksmbd/auth.c
@@ -215,7 +215,7 @@ static int calc_ntlmv2_hash(struct ksmbd_session *sess, char *ntlmv2_hash,
* Return: 0 on success, error number on error
*/
int ksmbd_auth_ntlmv2(struct ksmbd_session *sess, struct ntlmv2_resp *ntlmv2,
- int blen, char *domain_name)
+ int blen, char *domain_name, char *cryptkey)
{
char ntlmv2_hash[CIFS_ENCPWD_SIZE];
char ntlmv2_rsp[CIFS_HMAC_MD5_HASH_SIZE];
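Review bot: ksmbd_auth_ntlmv2() gains a cryptkey parameter, but no hunk in this patch touches the kernel-doc block above it, so @cryptkey stays undescribed. The same applies to the new conn argument of ksmbd_decode_ntlmssp_auth_blob() and to the sess to conn change in ksmbd_decode_ntlmssp_neg_blob() and ksmbd_build_ntlmssp_challenge_blob(). Update the comments in this patch. cryptkey could also be declared const char * since it is only read by memcpy().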
@@ -256,7 +256,7 @@ int ksmbd_auth_ntlmv2(struct ksmbd_session *sess, struct ntlmv2_resp *ntlmv2,
goto out;
}
- memcpy(construct, sess->ntlmssp.cryptkey, CIFS_CRYPTO_KEY_SIZE);
+ memcpy(construct, cryptkey, CIFS_CRYPTO_KEY_SIZE);
memcpy(construct + CIFS_CRYPTO_KEY_SIZE, &ntlmv2->blob_signature, blen);
rc = crypto_shash_update(CRYPTO_HMACMD5(ctx), construct, len);
@@ -295,7 +295,8 @@ int ksmbd_auth_ntlmv2(struct ksmbd_session *sess, struct ntlmv2_resp *ntlmv2,
* Return: 0 on success, error number on error
*/
int ksmbd_decode_ntlmssp_auth_blob(struct authenticate_message *authblob,
- int blob_len, struct ksmbd_session *sess)
+ int blob_len, struct ksmbd_conn *conn,
+ struct ksmbd_session *sess)
{
char *domain_name;
unsigned int nt_off, dn_off;
@@ -324,7 +325,7 @@ int ksmbd_decode_ntlmssp_auth_blob(struct authenticate_message *authblob,
/* TODO : use domain name that imported from configuration file */
domain_name = smb_strndup_from_utf16((const char *)authblob + dn_off,
- dn_len, true, sess->conn->local_nls);
+ dn_len, true, conn->local_nls);
if (IS_ERR(domain_name))
return PTR_ERR(domain_name);
@@ -333,7 +334,7 @@ int ksmbd_decode_ntlmssp_auth_blob(struct authenticate_message *authblob,
domain_name);
ret = ksmbd_auth_ntlmv2(sess, (struct ntlmv2_resp *)((char *)authblob + nt_off),
nt_len - CIFS_ENCPWD_SIZE,
- domain_name);
+ domain_name, conn->ntlmssp.cryptkey);
kfree(domain_name);
return ret;
}
@@ -347,7 +348,7 @@ int ksmbd_decode_ntlmssp_auth_blob(struct authenticate_message *authblob,
*
*/
int ksmbd_decode_ntlmssp_neg_blob(struct negotiate_message *negblob,
- int blob_len, struct ksmbd_session *sess)
+ int blob_len, struct ksmbd_conn *conn)
{
if (blob_len < sizeof(struct negotiate_message)) {
ksmbd_debug(AUTH, "negotiate blob len %d too small\n",
@@ -361,7 +362,7 @@ int ksmbd_decode_ntlmssp_neg_blob(struct negotiate_message *negblob,
return -EINVAL;
}
- sess->ntlmssp.client_flags = le32_to_cpu(negblob->NegotiateFlags);
+ conn->ntlmssp.client_flags = le32_to_cpu(negblob->NegotiateFlags);
return 0;
}
@@ -375,14 +376,14 @@ int ksmbd_decode_ntlmssp_neg_blob(struct negotiate_message *negblob,
*/
unsigned int
ksmbd_build_ntlmssp_challenge_blob(struct challenge_message *chgblob,
- struct ksmbd_session *sess)
+ struct ksmbd_conn *conn)
{
struct target_info *tinfo;
wchar_t *name;
__u8 *target_name;
unsigned int flags, blob_off, blob_len, type, target_info_len = 0;
int len, uni_len, conv_len;
- int cflags = sess->ntlmssp.client_flags;
+ int cflags = conn->ntlmssp.client_flags;
memcpy(chgblob->Signature, NTLMSSP_SIGNATURE, 8);
chgblob->MessageType = NtLmChallenge;
@@ -403,7 +404,7 @@ ksmbd_build_ntlmssp_challenge_blob(struct challenge_message *chgblob,
if (cflags & NTLMSSP_REQUEST_TARGET)
flags |= NTLMSSP_REQUEST_TARGET;
- if (sess->conn->use_spnego &&
+ if (conn->use_spnego &&
(cflags & NTLMSSP_NEGOTIATE_EXTENDED_SEC))
flags |= NTLMSSP_NEGOTIATE_EXTENDED_SEC;
@@ -414,7 +415,7 @@ ksmbd_build_ntlmssp_challenge_blob(struct challenge_message *chgblob,
return -ENOMEM;
conv_len = smb_strtoUTF16((__le16 *)name, ksmbd_netbios_name(), len,
- sess->conn->local_nls);
+ conn->local_nls);
if (conv_len < 0 || conv_len > len) {
kfree(name);
return -EINVAL;
@@ -430,8 +431,8 @@ ksmbd_build_ntlmssp_challenge_blob(struct challenge_message *chgblob,
chgblob->TargetName.BufferOffset = cpu_to_le32(blob_off);
/* Initialize random conn challenge */
- get_random_bytes(sess->ntlmssp.cryptkey, sizeof(__u64));
- memcpy(chgblob->Challenge, sess->ntlmssp.cryptkey,
+ get_random_bytes(conn->ntlmssp.cryptkey, sizeof(__u64));
+ memcpy(chgblob->Challenge, conn->ntlmssp.cryptkey,
CIFS_CRYPTO_KEY_SIZE);
/* Add Target Information to security buffer */
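Review bot: get_random_bytes() fills sizeof(__u64) bytes of conn->ntlmssp.cryptkey while the memcpy() on the next line copies CIFS_CRYPTO_KEY_SIZE bytes into the challenge. Use CIFS_CRYPTO_KEY_SIZE for both so the random fill and the copy cannot drift apart if the constant ever changes.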
diff --git a/fs/ksmbd/auth.h b/fs/ksmbd/auth.h
index 9c2d4badd05d..95629651cf26 100644
--- a/fs/ksmbd/auth.h
+++ b/fs/ksmbd/auth.h
@@ -38,16 +38,16 @@ struct kvec;
int ksmbd_crypt_message(struct ksmbd_conn *conn, struct kvec *iov,
unsigned int nvec, int enc);
void ksmbd_copy_gss_neg_header(void *buf);
-int ksmbd_auth_ntlm(struct ksmbd_session *sess, char *pw_buf);
int ksmbd_auth_ntlmv2(struct ksmbd_session *sess, struct ntlmv2_resp *ntlmv2,
- int blen, char *domain_name);
+ int blen, char *domain_name, char *cryptkey);
int ksmbd_decode_ntlmssp_auth_blob(struct authenticate_message *authblob,
- int blob_len, struct ksmbd_session *sess);
+ int blob_len, struct ksmbd_conn *conn,
+ struct ksmbd_session *sess);
int ksmbd_decode_ntlmssp_neg_blob(struct negotiate_message *negblob,
- int blob_len, struct ksmbd_session *sess);
+ int blob_len, struct ksmbd_conn *conn);
unsigned int
ksmbd_build_ntlmssp_challenge_blob(struct challenge_message *chgblob,
- struct ksmbd_session *sess);
+ struct ksmbd_conn *conn);
int ksmbd_krb5_authenticate(struct ksmbd_session *sess, char *in_blob,
int in_len, char *out_blob, int *out_len);
int ksmbd_sign_smb2_pdu(struct ksmbd_conn *conn, char *key, struct kvec *iov,
diff --git a/fs/ksmbd/connection.h b/fs/ksmbd/connection.h
index e5403c587a58..72dfd155b5bf 100644
--- a/fs/ksmbd/connection.h
+++ b/fs/ksmbd/connection.h
@@ -72,12 +72,7 @@ struct ksmbd_conn {
int connection_type;
struct ksmbd_stats stats;
char ClientGUID[SMB2_CLIENT_GUID_SIZE];
- union {
- /* pending trans request table */
- struct trans_state *recent_trans;
- /* Used by ntlmssp */
- char *ntlmssp_cryptkey;
- };
+ struct ntlmssp_auth ntlmssp;
spinlock_t llist_lock;
struct list_head lock_list;
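Review bot: the union holding recent_trans and ntlmssp_cryptkey is removed from struct ksmbd_conn and replaced by an embedded struct ntlmssp_auth, yet the only line added to connection.h is the member itself. Confirm that the struct definition is visible in this header without relying on include order, and that nothing still references conn->recent_trans or conn->ntlmssp_cryptkey.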
diff --git a/fs/ksmbd/mgmt/user_session.h b/fs/ksmbd/mgmt/user_session.h
index 82289c3cbd2b..e241f16a3851 100644
--- a/fs/ksmbd/mgmt/user_session.h
+++ b/fs/ksmbd/mgmt/user_session.h
@@ -45,7 +45,6 @@ struct ksmbd_session {
int state;
__u8 *Preauth_HashValue;
- struct ntlmssp_auth ntlmssp;
char sess_key[CIFS_KEY_SIZE];
struct hlist_node hlist;
diff --git a/fs/ksmbd/smb2pdu.c b/fs/ksmbd/smb2pdu.c
index c7b7d7f841e7..bf1b744acba4 100644
--- a/fs/ksmbd/smb2pdu.c
+++ b/fs/ksmbd/smb2pdu.c
@@ -1302,7 +1302,7 @@ static int ntlm_negotiate(struct ksmbd_work *work,
int sz, rc;
ksmbd_debug(SMB, "negotiate phase\n");
- rc = ksmbd_decode_ntlmssp_neg_blob(negblob, negblob_len, work->sess);
+ rc = ksmbd_decode_ntlmssp_neg_blob(negblob, negblob_len, work->conn);
if (rc)
return rc;
@@ -1312,7 +1312,7 @@ static int ntlm_negotiate(struct ksmbd_work *work,
memset(chgblob, 0, sizeof(struct challenge_message));
if (!work->conn->use_spnego) {
- sz = ksmbd_build_ntlmssp_challenge_blob(chgblob, work->sess);
+ sz = ksmbd_build_ntlmssp_challenge_blob(chgblob, work->conn);
if (sz < 0)
return -ENOMEM;
@@ -1328,7 +1328,7 @@ static int ntlm_negotiate(struct ksmbd_work *work,
return -ENOMEM;
chgblob = (struct challenge_message *)neg_blob;
- sz = ksmbd_build_ntlmssp_challenge_blob(chgblob, work->sess);
+ sz = ksmbd_build_ntlmssp_challenge_blob(chgblob, work->conn);
if (sz < 0) {
rc = -ENOMEM;
goto out;
@@ -1471,7 +1471,7 @@ static int ntlm_authenticate(struct ksmbd_work *work)
authblob = user_authblob(conn, req);
sz = le16_to_cpu(req->SecurityBufferLength);
- rc = ksmbd_decode_ntlmssp_auth_blob(authblob, sz, sess);
+ rc = ksmbd_decode_ntlmssp_auth_blob(authblob, sz, conn, sess);
if (rc) {
set_user_flag(sess->user, KSMBD_USER_FLAG_BAD_PASSWORD);
ksmbd_debug(SMB, "authentication failed\n");
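Review bot: with the challenge now read from conn->ntlmssp.cryptkey, two session setups in flight on the same connection share one cryptkey, so the N connections : 1 session race described in the changelog may reappear as 1 connection : N sessions. State what serialises the negotiate and authenticate steps per connection, or keep the challenge in state tied to the individual exchange.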
From patchwork Mon Nov 14 12:52:54 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Jason Yan <yanaijie(a)huawei.com>
X-Patchwork-Id: 183362
Return-Path: <yanaijie(a)huawei.com>
From: Jason Yan <yanaijie(a)huawei.com>
To: <yanaijie(a)huawei.com>, <zhengzengkai(a)huawei.com>, <xiexiuqi(a)huawei.com>,
<yi.zhang(a)huawei.com>, <patchwork(a)huawei.com>, <kernel.openeuler(a)huawei.com>,
<houtao1(a)huawei.com>
Subject: [PATCH OLK-5.10 v2 265/308] ksmbd: Fix buffer_check_err() kernel-doc
comment
Date: Mon, 14 Nov 2022 20:52:54 +0800
Message-ID: <20221114125337.1831594-266-yanaijie(a)huawei.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20221114125337.1831594-1-yanaijie(a)huawei.com>
References: <20221114125337.1831594-1-yanaijie(a)huawei.com>
Content-Type: text/plain
MIME-Version: 1.0
From: Yang Li <yang.lee(a)linux.alibaba.com>
mainline inclusion
from mainline-5.17-rc1
commit e230d013378489bcd4b5589ca1d2a5b91ff8d098
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G
CVE: NA
Reference: https://git.kernel.org/torvalds/linux/c/e230d0133784
-------------------------------
Add the description of @rsp_org in buffer_check_err() kernel-doc comment
to remove a warning found by running scripts/kernel-doc, which is caused
by using 'make W=1'.
fs/ksmbd/smb2pdu.c:4028: warning: Function parameter or member 'rsp_org'
not described in 'buffer_check_err'
Reported-by: Abaci Robot <abaci(a)linux.alibaba.com>
Fixes: cb4517201b8a ("ksmbd: remove smb2_buf_length in smb2_hdr")
Acked-by: Namjae Jeon <linkinjeon(a)kernel.org>
Signed-off-by: Yang Li <yang.lee(a)linux.alibaba.com>
Signed-off-by: Steve French <stfrench(a)microsoft.com>
Signed-off-by: Jason Yan <yanaijie(a)huawei.com>
---
fs/ksmbd/smb2pdu.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/fs/ksmbd/smb2pdu.c b/fs/ksmbd/smb2pdu.c
index bf1b744acba4..dad7e8edd09b 100644
--- a/fs/ksmbd/smb2pdu.c
+++ b/fs/ksmbd/smb2pdu.c
@@ -3989,6 +3989,7 @@ int smb2_query_dir(struct ksmbd_work *work)
* buffer_check_err() - helper function to check buffer errors
* @reqOutputBufferLength: max buffer length expected in command response
* @rsp: query info response buffer contains output buffer length
+ * @rsp_org: base response buffer pointer in case of chained response
* @infoclass_size: query info class response buffer size
*
* Return: 0 on success, otherwise error
From patchwork Mon Nov 14 12:52:55 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Jason Yan <yanaijie(a)huawei.com>
X-Patchwork-Id: 183363
Return-Path: <yanaijie(a)huawei.com>
From: Jason Yan <yanaijie(a)huawei.com>
To: <yanaijie(a)huawei.com>, <zhengzengkai(a)huawei.com>, <xiexiuqi(a)huawei.com>,
<yi.zhang(a)huawei.com>, <patchwork(a)huawei.com>, <kernel.openeuler(a)huawei.com>,
<houtao1(a)huawei.com>
Subject: [PATCH OLK-5.10 v2 266/308] ksmbd: Fix smb2_set_info_file()
kernel-doc comment
Date: Mon, 14 Nov 2022 20:52:55 +0800
Message-ID: <20221114125337.1831594-267-yanaijie(a)huawei.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20221114125337.1831594-1-yanaijie(a)huawei.com>
References: <20221114125337.1831594-1-yanaijie(a)huawei.com>
From: Yang Li <yang.lee(a)linux.alibaba.com>
mainline inclusion
from mainline-5.17-rc1
commit 4bfd9eed15e163969156e976c62db5ef423e5b0f
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G
CVE: NA
Reference: https://git.kernel.org/torvalds/linux/c/4bfd9eed15e1
-------------------------------
Fix argument list that the kdoc format and script verified in
smb2_set_info_file().
The warnings were found by running scripts/kernel-doc, which is
caused by using 'make W=1'.
fs/ksmbd/smb2pdu.c:5862: warning: Function parameter or member 'req' not
described in 'smb2_set_info_file'
fs/ksmbd/smb2pdu.c:5862: warning: Excess function parameter 'info_class'
description in 'smb2_set_info_file'
Reported-by: Abaci Robot <abaci(a)linux.alibaba.com>
Fixes: 9496e268e3af ("ksmbd: add request buffer validation in smb2_set_info")
Acked-by: Namjae Jeon <linkinjeon(a)kernel.org>
Signed-off-by: Yang Li <yang.lee(a)linux.alibaba.com>
Signed-off-by: Steve French <stfrench(a)microsoft.com>
Signed-off-by: Jason Yan <yanaijie(a)huawei.com>
---
fs/ksmbd/smb2pdu.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/fs/ksmbd/smb2pdu.c b/fs/ksmbd/smb2pdu.c
index dad7e8edd09b..af6465ab7388 100644
--- a/fs/ksmbd/smb2pdu.c
+++ b/fs/ksmbd/smb2pdu.c
@@ -5796,7 +5796,7 @@ static int set_file_mode_info(struct ksmbd_file *fp,
* smb2_set_info_file() - handler for smb2 set info command
* @work: smb work containing set info command buffer
* @fp: ksmbd_file pointer
- * @info_class: smb2 set info class
+ * @req: request buffer pointer
* @share: ksmbd_share_config pointer
*
* Return: 0 on success, otherwise error
From patchwork Mon Nov 14 12:52:56 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Jason Yan <yanaijie(a)huawei.com>
X-Patchwork-Id: 183364
From: Jason Yan <yanaijie(a)huawei.com>
To: <yanaijie(a)huawei.com>, <zhengzengkai(a)huawei.com>, <xiexiuqi(a)huawei.com>,
<yi.zhang(a)huawei.com>, <patchwork(a)huawei.com>, <kernel.openeuler(a)huawei.com>,
<houtao1(a)huawei.com>
Subject: [PATCH OLK-5.10 v2 267/308] ksmbd: Fix smb2_get_name() kernel-doc
comment
Date: Mon, 14 Nov 2022 20:52:56 +0800
Message-ID: <20221114125337.1831594-268-yanaijie(a)huawei.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20221114125337.1831594-1-yanaijie(a)huawei.com>
References: <20221114125337.1831594-1-yanaijie(a)huawei.com>
From: Yang Li <yang.lee(a)linux.alibaba.com>
mainline inclusion
from mainline-5.17-rc1
commit d4eeb82674acadf789277b577986e8e7d3faf695
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G
CVE: NA
Reference: https://git.kernel.org/torvalds/linux/c/d4eeb82674ac
-------------------------------
Remove some warnings found by running scripts/kernel-doc,
which is caused by using 'make W=1'.
fs/ksmbd/smb2pdu.c:623: warning: Function parameter or member
'local_nls' not described in 'smb2_get_name'
fs/ksmbd/smb2pdu.c:623: warning: Excess function parameter 'nls_table'
description in 'smb2_get_name'
Reported-by: Abaci Robot <abaci(a)linux.alibaba.com>
Acked-by: Namjae Jeon <linkinjeon(a)kernel.org>
Signed-off-by: Yang Li <yang.lee(a)linux.alibaba.com>
Signed-off-by: Steve French <stfrench(a)microsoft.com>
Signed-off-by: Jason Yan <yanaijie(a)huawei.com>
---
fs/ksmbd/smb2pdu.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/fs/ksmbd/smb2pdu.c b/fs/ksmbd/smb2pdu.c
index af6465ab7388..e0cd70b6829d 100644
--- a/fs/ksmbd/smb2pdu.c
+++ b/fs/ksmbd/smb2pdu.c
@@ -613,7 +613,7 @@ static void destroy_previous_session(struct ksmbd_user *user, u64 id)
* smb2_get_name() - get filename string from on the wire smb format
* @src: source buffer
* @maxlen: maxlen of source string
- * @nls_table: nls_table pointer
+ * @local_nls: nls_table pointer
*
* Return: matching converted filename on success, otherwise error ptr
*/
From patchwork Mon Nov 14 12:52:57 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Jason Yan <yanaijie(a)huawei.com>
X-Patchwork-Id: 183365
From: Jason Yan <yanaijie(a)huawei.com>
To: <yanaijie(a)huawei.com>, <zhengzengkai(a)huawei.com>, <xiexiuqi(a)huawei.com>,
<yi.zhang(a)huawei.com>, <patchwork(a)huawei.com>, <kernel.openeuler(a)huawei.com>,
<houtao1(a)huawei.com>
Subject: [PATCH OLK-5.10 v2 268/308] ksmbd: register ksmbd ib client with
ib_register_client()
Date: Mon, 14 Nov 2022 20:52:57 +0800
Message-ID: <20221114125337.1831594-269-yanaijie(a)huawei.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20221114125337.1831594-1-yanaijie(a)huawei.com>
References: <20221114125337.1831594-1-yanaijie(a)huawei.com>
From: Hyunchul Lee <hyc.lee(a)gmail.com>
mainline inclusion
from mainline-5.17-rc1
commit 31928a001bed0d9642711d2eba520fc46d41c376
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G
CVE: NA
Reference: https://git.kernel.org/torvalds/linux/c/31928a001bed
-------------------------------
Register ksmbd ib client with ib_register_client() to find the rdma capable
network adapter. If ops.get_netdev (Chelsio NICs) is NULL, ksmbd will find
it using ib_device_get_by_netdev in the old way.
Signed-off-by: Hyunchul Lee <hyc.lee(a)gmail.com>
Signed-off-by: Namjae Jeon <linkinjeon(a)kernel.org>
Signed-off-by: Steve French <stfrench(a)microsoft.com>
Signed-off-by: Jason Yan <yanaijie(a)huawei.com>
---
fs/ksmbd/transport_rdma.c | 107 ++++++++++++++++++++++++++++++++++----
fs/ksmbd/transport_rdma.h | 2 +-
2 files changed, 98 insertions(+), 11 deletions(-)
diff --git a/fs/ksmbd/transport_rdma.c b/fs/ksmbd/transport_rdma.c
index 7e57cbb0bb35..339fa4f025f7 100644
--- a/fs/ksmbd/transport_rdma.c
+++ b/fs/ksmbd/transport_rdma.c
@@ -79,6 +79,14 @@ static int smb_direct_max_read_write_size = 1024 * 1024;
static int smb_direct_max_outstanding_rw_ops = 8;
+static LIST_HEAD(smb_direct_device_list);
+static DEFINE_RWLOCK(smb_direct_device_lock);
+
+struct smb_direct_device {
+ struct ib_device *ib_dev;
+ struct list_head list;
+};
+
static struct smb_direct_listener {
struct rdma_cm_id *cm_id;
} smb_direct_listener;
@@ -2007,12 +2015,61 @@ static int smb_direct_listen(int port)
return ret;
}
+static int smb_direct_ib_client_add(struct ib_device *ib_dev)
+{
+ struct smb_direct_device *smb_dev;
+
+ if (!ib_dev->ops.get_netdev ||
+ !rdma_frwr_is_supported(&ib_dev->attrs))
+ return 0;
+
+ smb_dev = kzalloc(sizeof(*smb_dev), GFP_KERNEL);
+ if (!smb_dev)
+ return -ENOMEM;
+ smb_dev->ib_dev = ib_dev;
+
+ write_lock(&smb_direct_device_lock);
+ list_add(&smb_dev->list, &smb_direct_device_list);
+ write_unlock(&smb_direct_device_lock);
+
+ ksmbd_debug(RDMA, "ib device added: name %s\n", ib_dev->name);
+ return 0;
+}
+
+static void smb_direct_ib_client_remove(struct ib_device *ib_dev,
+ void *client_data)
+{
+ struct smb_direct_device *smb_dev, *tmp;
+
+ write_lock(&smb_direct_device_lock);
+ list_for_each_entry_safe(smb_dev, tmp, &smb_direct_device_list, list) {
+ if (smb_dev->ib_dev == ib_dev) {
+ list_del(&smb_dev->list);
+ kfree(smb_dev);
+ break;
+ }
+ }
+ write_unlock(&smb_direct_device_lock);
+}
+
+static struct ib_client smb_direct_ib_client = {
+ .name = "ksmbd_smb_direct_ib",
+ .add = smb_direct_ib_client_add,
+ .remove = smb_direct_ib_client_remove,
+};
+
int ksmbd_rdma_init(void)
{
int ret;
smb_direct_listener.cm_id = NULL;
+ ret = ib_register_client(&smb_direct_ib_client);
+ if (ret) {
+ pr_err("failed to ib_register_client\n");
+ return ret;
+ }
+
/* When a client is running out of send credits, the credits are
* granted by the server's sending a packet using this queue.
* This avoids the situation that a clients cannot send packets
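Review bot: ib_register_client() now runs first in ksmbd_rdma_init(), so every failure return that follows it in this function has to call ib_unregister_client(&smb_direct_ib_client), otherwise the client and its add/remove callbacks stay registered after a failed init. The rest of the function is outside this hunk, so please check the workqueue allocation and smb_direct_listen() error paths. Also, smb_direct_ib_client_add() skips a device without ops.get_netdev or without FRWR support with a silent return 0; a ksmbd_debug() line there would show why an adapter is not being tracked.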
@@ -2036,30 +2093,60 @@ int ksmbd_rdma_init(void)
return 0;
}
-int ksmbd_rdma_destroy(void)
+void ksmbd_rdma_destroy(void)
{
- if (smb_direct_listener.cm_id)
- rdma_destroy_id(smb_direct_listener.cm_id);
+ if (!smb_direct_listener.cm_id)
+ return;
+
+ ib_unregister_client(&smb_direct_ib_client);
+ rdma_destroy_id(smb_direct_listener.cm_id);
+
smb_direct_listener.cm_id = NULL;
if (smb_direct_wq) {
destroy_workqueue(smb_direct_wq);
smb_direct_wq = NULL;
}
- return 0;
}
bool ksmbd_rdma_capable_netdev(struct net_device *netdev)
{
- struct ib_device *ibdev;
+ struct smb_direct_device *smb_dev;
+ int i;
bool rdma_capable = false;
- ibdev = ib_device_get_by_netdev(netdev, RDMA_DRIVER_UNKNOWN);
- if (ibdev) {
- if (rdma_frwr_is_supported(&ibdev->attrs))
- rdma_capable = true;
- ib_device_put(ibdev);
+ read_lock(&smb_direct_device_lock);
+ list_for_each_entry(smb_dev, &smb_direct_device_list, list) {
+ for (i = 0; i < smb_dev->ib_dev->phys_port_cnt; i++) {
+ struct net_device *ndev;
+
+ ndev = smb_dev->ib_dev->ops.get_netdev(smb_dev->ib_dev,
+ i + 1);
+ if (!ndev)
+ continue;
+
+ if (ndev == netdev) {
+ dev_put(ndev);
+ rdma_capable = true;
+ goto out;
+ }
+ dev_put(ndev);
+ }
+ }
+out:
+ read_unlock(&smb_direct_device_lock);
+
+ if (rdma_capable == false) {
+ struct ib_device *ibdev;
+
+ ibdev = ib_device_get_by_netdev(netdev, RDMA_DRIVER_UNKNOWN);
+ if (ibdev) {
+ if (rdma_frwr_is_supported(&ibdev->attrs))
+ rdma_capable = true;
+ ib_device_put(ibdev);
+ }
}
+
return rdma_capable;
}
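Review bot: in ksmbd_rdma_destroy() the new early return on !smb_direct_listener.cm_id skips both ib_unregister_client() and the destroy_workqueue() block, so if the listener was never created the ib client remains registered and smb_direct_wq is not torn down. Suggest unregistering the client and destroying the workqueue unconditionally and guarding only rdma_destroy_id() with the cm_id check. In ksmbd_rdma_capable_netdev(), the lookup calls ops.get_netdev() while holding read_lock(&smb_direct_device_lock), which is a spinning lock, so it is worth confirming that every provider callback is safe in atomic context. The test "rdma_capable == false" reads better as "!rdma_capable".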
diff --git a/fs/ksmbd/transport_rdma.h b/fs/ksmbd/transport_rdma.h
index 0fa8adc0776f..ab9250a7cb86 100644
--- a/fs/ksmbd/transport_rdma.h
+++ b/fs/ksmbd/transport_rdma.h
@@ -52,7 +52,7 @@ struct smb_direct_data_transfer {
#ifdef CONFIG_SMB_SERVER_SMBDIRECT
int ksmbd_rdma_init(void);
-int ksmbd_rdma_destroy(void);
+void ksmbd_rdma_destroy(void);
bool ksmbd_rdma_capable_netdev(struct net_device *netdev);
#else
static inline int ksmbd_rdma_init(void) { return 0; }
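Review bot: only the CONFIG_SMB_SERVER_SMBDIRECT prototype of ksmbd_rdma_destroy() changes to void here, and the diffstat for this header is one insertion and one deletion, so the static inline stub in the #else branch is untouched. If that stub still returns int, the function has a different signature depending on the config option; please change the stub to void in the same patch.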
From patchwork Mon Nov 14 12:52:58 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Jason Yan <yanaijie(a)huawei.com>
X-Patchwork-Id: 183366
From: Jason Yan <yanaijie(a)huawei.com>
To: <yanaijie(a)huawei.com>, <zhengzengkai(a)huawei.com>, <xiexiuqi(a)huawei.com>,
<yi.zhang(a)huawei.com>, <patchwork(a)huawei.com>, <kernel.openeuler(a)huawei.com>,
<houtao1(a)huawei.com>
Subject: [PATCH OLK-5.10 v2 269/308] ksmbd: set 445 port to smbdirect port by
default
Date: Mon, 14 Nov 2022 20:52:58 +0800
Message-ID: <20221114125337.1831594-270-yanaijie(a)huawei.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20221114125337.1831594-1-yanaijie(a)huawei.com>
References: <20221114125337.1831594-1-yanaijie(a)huawei.com>
From: Namjae Jeon <linkinjeon(a)kernel.org>
mainline inclusion
from mainline-5.17-rc1
commit cb097b3dd5ece9596a0a0b7e33893c02a9bde8c6
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G
CVE: NA
Reference: https://git.kernel.org/torvalds/linux/c/cb097b3dd5ec
-------------------------------
When SMB Direct is used with iWARP, Windows uses port 5445 for SMB Direct
and port 445 for SMB. This patch checks ib_device using ib_client to
know whether the NIC type is iWARP or InfiniBand.
Signed-off-by: Namjae Jeon <linkinjeon(a)kernel.org>
Signed-off-by: Steve French <stfrench(a)microsoft.com>
Signed-off-by: Jason Yan <yanaijie(a)huawei.com>
---
fs/ksmbd/transport_rdma.c | 15 ++++++++++++---
fs/ksmbd/transport_rdma.h | 2 --
2 files changed, 12 insertions(+), 5 deletions(-)
diff --git a/fs/ksmbd/transport_rdma.c b/fs/ksmbd/transport_rdma.c
index 339fa4f025f7..f89b64e27836 100644
--- a/fs/ksmbd/transport_rdma.c
+++ b/fs/ksmbd/transport_rdma.c
@@ -34,7 +34,8 @@
#include "smbstatus.h"
#include "transport_rdma.h"
-#define SMB_DIRECT_PORT 5445
+#define SMB_DIRECT_PORT_IWARP 5445
+#define SMB_DIRECT_PORT_INFINIBAND 445
#define SMB_DIRECT_VERSION_LE cpu_to_le16(0x0100)
@@ -60,6 +61,10 @@
* as defined in [MS-SMBD] 3.1.1.1
* Those may change after a SMB_DIRECT negotiation
*/
+
+/* Set 445 port to SMB Direct port by default */
+static int smb_direct_port = SMB_DIRECT_PORT_INFINIBAND;
+
/* The local peer's maximum number of credits to grant to the peer */
static int smb_direct_receive_credit_max = 255;
@@ -1942,7 +1947,7 @@ static int smb_direct_handle_connect_request(struct rdma_cm_id *new_cm_id)
KSMBD_TRANS(t)->handler = kthread_run(ksmbd_conn_handler_loop,
KSMBD_TRANS(t)->conn, "ksmbd:r%u",
- SMB_DIRECT_PORT);
+ smb_direct_port);
if (IS_ERR(KSMBD_TRANS(t)->handler)) {
int ret = PTR_ERR(KSMBD_TRANS(t)->handler);
@@ -2019,6 +2024,10 @@ static int smb_direct_ib_client_add(struct ib_device *ib_dev)
{
struct smb_direct_device *smb_dev;
+ /* Set 5445 port if device type is iWARP(No IB) */
+ if (ib_dev->node_type != RDMA_NODE_IB_CA)
+ smb_direct_port = SMB_DIRECT_PORT_IWARP;
+
if (!ib_dev->ops.get_netdev ||
!rdma_frwr_is_supported(&ib_dev->attrs))
return 0;
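Review bot: the node_type test in smb_direct_ib_client_add() runs before the get_netdev/FRWR filter and writes the module-wide smb_direct_port, so any registered device whose node_type is not RDMA_NODE_IB_CA, including one this function then declines to track, switches the port to 5445 for every adapter. The comment says iWARP, but the condition matches every non-IB-CA node type; testing for RDMA_NODE_RNIC would match the stated intent. The value is also never reset to SMB_DIRECT_PORT_INFINIBAND when that device goes away, and a host with both InfiniBand and iWARP adapters ends up with a port that depends on which devices are present. Consider deciding the port after the capability check, or documenting the mixed-adapter behaviour.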
@@ -2080,7 +2089,7 @@ int ksmbd_rdma_init(void)
if (!smb_direct_wq)
return -ENOMEM;
- ret = smb_direct_listen(SMB_DIRECT_PORT);
+ ret = smb_direct_listen(smb_direct_port);
if (ret) {
destroy_workqueue(smb_direct_wq);
smb_direct_wq = NULL;
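Review bot: smb_direct_listen(smb_direct_port) reads the port once, so the choice between 445 and 5445 depends on the add callback having already run for every device during ib_register_client() earlier in ksmbd_rdma_init(). A device that registers after this call can still change smb_direct_port in smb_direct_ib_client_add(), but the listener stays bound to the old port and the "ksmbd:r%u" thread name will then report a port nobody is listening on. A comment stating this ordering dependency, or rebinding on device add, would make the behaviour explicit; the listening port is what firewall rules for SMB Direct are written against.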
diff --git a/fs/ksmbd/transport_rdma.h b/fs/ksmbd/transport_rdma.h
index ab9250a7cb86..5567d93a6f96 100644
--- a/fs/ksmbd/transport_rdma.h
+++ b/fs/ksmbd/transport_rdma.h
@@ -7,8 +7,6 @@
#ifndef __KSMBD_TRANSPORT_RDMA_H__
#define __KSMBD_TRANSPORT_RDMA_H__
-#define SMB_DIRECT_PORT 5445
-
/* SMB DIRECT negotiation request packet [MS-SMBD] 2.2.1 */
struct smb_direct_negotiate_req {
__le16 min_version;
From patchwork Mon Nov 14 12:52:59 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Jason Yan <yanaijie(a)huawei.com>
X-Patchwork-Id: 183367
From: Jason Yan <yanaijie(a)huawei.com>
To: <yanaijie(a)huawei.com>, <zhengzengkai(a)huawei.com>, <xiexiuqi(a)huawei.com>,
<yi.zhang(a)huawei.com>, <patchwork(a)huawei.com>, <kernel.openeuler(a)huawei.com>,
<houtao1(a)huawei.com>
Subject: [PATCH OLK-5.10 v2 270/308] ksmbd: smbd: call rdma_accept() under CM
handler
Date: Mon, 14 Nov 2022 20:52:59 +0800
Message-ID: <20221114125337.1831594-271-yanaijie(a)huawei.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20221114125337.1831594-1-yanaijie(a)huawei.com>
References: <20221114125337.1831594-1-yanaijie(a)huawei.com>
From: Hyunchul Lee <hyc.lee(a)gmail.com>
mainline inclusion
from mainline-5.17-rc1
commit 99b7650ac51847e81b4d5139824e321e6cb76130
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G
CVE: NA
Reference: https://git.kernel.org/torvalds/linux/c/99b7650ac518
-------------------------------
If CONFIG_LOCKDEP is enabled, the following
kernel warning message is generated because
rdma_accept() checks whether the handler_mutex
is held by lockdep_assert_held. CM (Connection
Manager) holds the mutex before the CM handler
callback is called.
[ 63.211405 ] WARNING: CPU: 1 PID: 345 at drivers/infiniband/core/cma.c:4405 rdma_accept+0x17a/0x350
[ 63.212080 ] RIP: 0010:rdma_accept+0x17a/0x350
...
[ 63.214036 ] Call Trace:
[ 63.214098 ] <TASK>
[ 63.214185 ] smb_direct_accept_client+0xb4/0x170 [ksmbd]
[ 63.214412 ] smb_direct_prepare+0x322/0x8c0 [ksmbd]
[ 63.214555 ] ? rcu_read_lock_sched_held+0x3a/0x70
[ 63.214700 ] ksmbd_conn_handler_loop+0x63/0x270 [ksmbd]
[ 63.214826 ] ? ksmbd_conn_alive+0x80/0x80 [ksmbd]
[ 63.214952 ] kthread+0x171/0x1a0
[ 63.215039 ] ? set_kthread_struct+0x40/0x40
[ 63.215128 ] ret_from_fork+0x22/0x30
To avoid this, move creating a queue pair and accepting
a client from transport_ops->prepare() to
smb_direct_handle_connect_request().
Acked-by: Namjae Jeon <linkinjeon(a)kernel.org>
Signed-off-by: Hyunchul Lee <hyc.lee(a)gmail.com>
Signed-off-by: Steve French <stfrench(a)microsoft.com>
Signed-off-by: Jason Yan <yanaijie(a)huawei.com>
---
fs/ksmbd/transport_rdma.c | 102 ++++++++++++++++++++++----------------
1 file changed, 59 insertions(+), 43 deletions(-)
diff --git a/fs/ksmbd/transport_rdma.c b/fs/ksmbd/transport_rdma.c
index f89b64e27836..0fd706d01790 100644
--- a/fs/ksmbd/transport_rdma.c
+++ b/fs/ksmbd/transport_rdma.c
@@ -568,6 +568,7 @@ static void recv_done(struct ib_cq *cq, struct ib_wc *wc)
}
t->negotiation_requested = true;
t->full_packet_received = true;
+ enqueue_reassembly(t, recvmsg, 0);
wake_up_interruptible(&t->wait_status);
break;
case SMB_DIRECT_MSG_DATA_TRANSFER: {
@@ -1594,19 +1595,13 @@ static int smb_direct_accept_client(struct smb_direct_transport *t)
pr_err("error at rdma_accept: %d\n", ret);
return ret;
}
-
- wait_event_interruptible(t->wait_status,
- t->status != SMB_DIRECT_CS_NEW);
- if (t->status != SMB_DIRECT_CS_CONNECTED)
- return -ENOTCONN;
return 0;
}
-static int smb_direct_negotiate(struct smb_direct_transport *t)
+static int smb_direct_prepare_negotiation(struct smb_direct_transport *t)
{
int ret;
struct smb_direct_recvmsg *recvmsg;
- struct smb_direct_negotiate_req *req;
recvmsg = get_free_recvmsg(t);
if (!recvmsg)
@@ -1616,44 +1611,20 @@ static int smb_direct_negotiate(struct smb_direct_transport *t)
ret = smb_direct_post_recv(t, recvmsg);
if (ret) {
pr_err("Can't post recv: %d\n", ret);
- goto out;
+ goto out_err;
}
t->negotiation_requested = false;
ret = smb_direct_accept_client(t);
if (ret) {
pr_err("Can't accept client\n");
- goto out;
+ goto out_err;
}
smb_direct_post_recv_credits(&t->post_recv_credits_work.work);
-
- ksmbd_debug(RDMA, "Waiting for SMB_DIRECT negotiate request\n");
- ret = wait_event_interruptible_timeout(t->wait_status,
- t->negotiation_requested ||
- t->status == SMB_DIRECT_CS_DISCONNECTED,
- SMB_DIRECT_NEGOTIATE_TIMEOUT * HZ);
- if (ret <= 0 || t->status == SMB_DIRECT_CS_DISCONNECTED) {
- ret = ret < 0 ? ret : -ETIMEDOUT;
- goto out;
- }
-
- ret = smb_direct_check_recvmsg(recvmsg);
- if (ret == -ECONNABORTED)
- goto out;
-
- req = (struct smb_direct_negotiate_req *)recvmsg->packet;
- t->max_recv_size = min_t(int, t->max_recv_size,
- le32_to_cpu(req->preferred_send_size));
- t->max_send_size = min_t(int, t->max_send_size,
- le32_to_cpu(req->max_receive_size));
- t->max_fragmented_send_size =
- le32_to_cpu(req->max_fragmented_size);
-
- ret = smb_direct_send_negotiate_response(t, ret);
-out:
- if (recvmsg)
- put_recvmsg(t, recvmsg);
+ return 0;
+out_err:
+ put_recvmsg(t, recvmsg);
return ret;
}
@@ -1890,6 +1861,47 @@ static int smb_direct_create_qpair(struct smb_direct_transport *t,
static int smb_direct_prepare(struct ksmbd_transport *t)
{
struct smb_direct_transport *st = smb_trans_direct_transfort(t);
+ struct smb_direct_recvmsg *recvmsg;
+ struct smb_direct_negotiate_req *req;
+ int ret;
+
+ ksmbd_debug(RDMA, "Waiting for SMB_DIRECT negotiate request\n");
+ ret = wait_event_interruptible_timeout(st->wait_status,
+ st->negotiation_requested ||
+ st->status == SMB_DIRECT_CS_DISCONNECTED,
+ SMB_DIRECT_NEGOTIATE_TIMEOUT * HZ);
+ if (ret <= 0 || st->status == SMB_DIRECT_CS_DISCONNECTED)
+ return ret < 0 ? ret : -ETIMEDOUT;
+
+ recvmsg = get_first_reassembly(st);
+ if (!recvmsg)
+ return -ECONNABORTED;
+
+ ret = smb_direct_check_recvmsg(recvmsg);
+ if (ret == -ECONNABORTED)
+ goto out;
+
+ req = (struct smb_direct_negotiate_req *)recvmsg->packet;
+ st->max_recv_size = min_t(int, st->max_recv_size,
+ le32_to_cpu(req->preferred_send_size));
+ st->max_send_size = min_t(int, st->max_send_size,
+ le32_to_cpu(req->max_receive_size));
+ st->max_fragmented_send_size =
+ le32_to_cpu(req->max_fragmented_size);
+
+ ret = smb_direct_send_negotiate_response(st, ret);
+out:
+ spin_lock_irq(&st->reassembly_queue_lock);
+ st->reassembly_queue_length--;
+ list_del(&recvmsg->list);
+ spin_unlock_irq(&st->reassembly_queue_lock);
+ put_recvmsg(st, recvmsg);
+
+ return ret;
+}
+
+static int smb_direct_connect(struct smb_direct_transport *st)
+{
int ret;
struct ib_qp_cap qp_cap;
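Review bot: in smb_direct_prepare() the peer-supplied preferred_send_size and max_receive_size go through min_t(int, ..., le32_to_cpu(...)), which casts an unsigned 32-bit wire value to int, so a value above INT_MAX becomes negative and wins the min, and max_fragmented_size is stored with no bound at all. Unless smb_direct_check_recvmsg(), whose body is not shown here, already range-checks these fields, use min_t(u32, ...) and reject zero or out-of-range values before sending the negotiate response. Only -ECONNABORTED from smb_direct_check_recvmsg() is treated as an error and any other return value is passed on to smb_direct_send_negotiate_response(), which deserves a comment. The open-coded dequeue under reassembly_queue_lock at the out label would be safer as a helper next to get_first_reassembly().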
@@ -1911,13 +1923,11 @@ static int smb_direct_prepare(struct ksmbd_transport *t)
return ret;
}
- ret = smb_direct_negotiate(st);
+ ret = smb_direct_prepare_negotiation(st);
if (ret) {
pr_err("Can't negotiate: %d\n", ret);
return ret;
}
-
- st->status = SMB_DIRECT_CS_CONNECTED;
return 0;
}
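Review bot: with "st->status = SMB_DIRECT_CS_CONNECTED" dropped here and the wait on t->status removed from smb_direct_accept_client(), nothing in the visible hunks sets the transport to SMB_DIRECT_CS_CONNECTED, and smb_direct_prepare() only waits for negotiation_requested or SMB_DIRECT_CS_DISCONNECTED. Please state in the commit message where the status transition now happens so the ordering against the first recv_done() is reviewable. The pr_err("Can't negotiate: %d\n") text is also stale now that the call only posts the receive and accepts the client.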
@@ -1933,6 +1943,7 @@ static bool rdma_frwr_is_supported(struct ib_device_attr *attrs)
static int smb_direct_handle_connect_request(struct rdma_cm_id *new_cm_id)
{
struct smb_direct_transport *t;
+ int ret;
if (!rdma_frwr_is_supported(&new_cm_id->device->attrs)) {
ksmbd_debug(RDMA,
@@ -1945,18 +1956,23 @@ static int smb_direct_handle_connect_request(struct rdma_cm_id *new_cm_id)
if (!t)
return -ENOMEM;
+ ret = smb_direct_connect(t);
+ if (ret)
+ goto out_err;
+
KSMBD_TRANS(t)->handler = kthread_run(ksmbd_conn_handler_loop,
KSMBD_TRANS(t)->conn, "ksmbd:r%u",
smb_direct_port);
if (IS_ERR(KSMBD_TRANS(t)->handler)) {
- int ret = PTR_ERR(KSMBD_TRANS(t)->handler);
-
+ ret = PTR_ERR(KSMBD_TRANS(t)->handler);
pr_err("Can't start thread\n");
- free_transport(t);
- return ret;
+ goto out_err;
}
return 0;
+out_err:
+ free_transport(t);
+ return ret;
}
static int smb_direct_listen_handler(struct rdma_cm_id *cm_id,
From patchwork Mon Nov 14 12:53:00 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Jason Yan <yanaijie(a)huawei.com>
X-Patchwork-Id: 183368
From: Jason Yan <yanaijie(a)huawei.com>
To: <yanaijie(a)huawei.com>, <zhengzengkai(a)huawei.com>, <xiexiuqi(a)huawei.com>,
<yi.zhang(a)huawei.com>, <patchwork(a)huawei.com>, <kernel.openeuler(a)huawei.com>,
<houtao1(a)huawei.com>
Subject: [PATCH OLK-5.10 v2 271/308] ksmbd: smbd: create MR pool
Date: Mon, 14 Nov 2022 20:53:00 +0800
Message-ID: <20221114125337.1831594-272-yanaijie(a)huawei.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20221114125337.1831594-1-yanaijie(a)huawei.com>
References: <20221114125337.1831594-1-yanaijie(a)huawei.com>
From: Hyunchul Lee <hyc.lee(a)gmail.com>
mainline inclusion
from mainline-5.17-rc1
commit c9f189271cff85d5d735e25dfa4bc95952ec12d8
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G
CVE: NA
Reference: https://git.kernel.org/torvalds/linux/c/c9f189271cff
-------------------------------
Create a memory region pool because rdma_rw_ctx_init()
uses memory registration if memory registration yields
better performance than using multiple SGE entries.
Acked-by: Namjae Jeon <linkinjeon(a)kernel.org>
Signed-off-by: Hyunchul Lee <hyc.lee(a)gmail.com>
Signed-off-by: Steve French <stfrench(a)microsoft.com>
Signed-off-by: Jason Yan <yanaijie(a)huawei.com>
---
fs/ksmbd/transport_rdma.c | 23 ++++++++++++++++++++++-
1 file changed, 22 insertions(+), 1 deletion(-)
diff --git a/fs/ksmbd/transport_rdma.c b/fs/ksmbd/transport_rdma.c
index 0fd706d01790..f0b17da1cac2 100644
--- a/fs/ksmbd/transport_rdma.c
+++ b/fs/ksmbd/transport_rdma.c
@@ -428,6 +428,7 @@ static void free_transport(struct smb_direct_transport *t)
if (t->qp) {
ib_drain_qp(t->qp);
+ ib_mr_pool_destroy(t->qp, &t->qp->rdma_mrs);
ib_destroy_qp(t->qp);
}
@@ -1708,7 +1709,9 @@ static int smb_direct_init_params(struct smb_direct_transport *t,
cap->max_send_sge = SMB_DIRECT_MAX_SEND_SGES;
cap->max_recv_sge = SMB_DIRECT_MAX_RECV_SGES;
cap->max_inline_data = 0;
- cap->max_rdma_ctxs = 0;
+ cap->max_rdma_ctxs =
+ rdma_rw_mr_factor(device, t->cm_id->port_num, max_pages) *
+ smb_direct_max_outstanding_rw_ops;
return 0;
}
@@ -1790,6 +1793,7 @@ static int smb_direct_create_qpair(struct smb_direct_transport *t,
{
int ret;
struct ib_qp_init_attr qp_attr;
+ int pages_per_rw;
t->pd = ib_alloc_pd(t->cm_id->device, 0);
if (IS_ERR(t->pd)) {
@@ -1837,6 +1841,23 @@ static int smb_direct_create_qpair(struct smb_direct_transport *t,
t->qp = t->cm_id->qp;
t->cm_id->event_handler = smb_direct_cm_handler;
+ pages_per_rw = DIV_ROUND_UP(t->max_rdma_rw_size, PAGE_SIZE) + 1;
+ if (pages_per_rw > t->cm_id->device->attrs.max_sgl_rd) {
+ int pages_per_mr, mr_count;
+
+ pages_per_mr = min_t(int, pages_per_rw,
+ t->cm_id->device->attrs.max_fast_reg_page_list_len);
+ mr_count = DIV_ROUND_UP(pages_per_rw, pages_per_mr) *
+ atomic_read(&t->rw_avail_ops);
+ ret = ib_mr_pool_init(t->qp, &t->qp->rdma_mrs, mr_count,
+ IB_MR_TYPE_MEM_REG, pages_per_mr, 0);
+ if (ret) {
+ pr_err("failed to init mr pool count %d pages %d\n",
+ mr_count, pages_per_mr);
+ goto err;
+ }
+ }
+
return 0;
err:
if (t->qp) {
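Review bot: pages_per_mr is min_t(int, pages_per_rw, max_fast_reg_page_list_len) and is then the divisor in DIV_ROUND_UP(pages_per_rw, pages_per_mr), so a device reporting a max_fast_reg_page_list_len of 0 would divide by zero unless rdma_frwr_is_supported(), not shown in this hunk, rules that out; an explicit check before the division would make this safe locally. The MR count computed here is also sized independently of the rdma_rw_mr_factor() product used for cap->max_rdma_ctxs in smb_direct_init_params(), so a short comment explaining how the two sizing formulas relate would help the next reader.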
From patchwork Mon Nov 14 12:53:01 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Jason Yan <yanaijie(a)huawei.com>
X-Patchwork-Id: 183369
From: Jason Yan <yanaijie(a)huawei.com>
To: <yanaijie(a)huawei.com>, <zhengzengkai(a)huawei.com>, <xiexiuqi(a)huawei.com>,
<yi.zhang(a)huawei.com>, <patchwork(a)huawei.com>, <kernel.openeuler(a)huawei.com>,
<houtao1(a)huawei.com>
Subject: [PATCH OLK-5.10 v2 272/308] ksmbd: smbd: change the default maximum
read/write, receive size
Date: Mon, 14 Nov 2022 20:53:01 +0800
Message-ID: <20221114125337.1831594-273-yanaijie(a)huawei.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20221114125337.1831594-1-yanaijie(a)huawei.com>
References: <20221114125337.1831594-1-yanaijie(a)huawei.com>
Content-Type: text/plain
From: Hyunchul Lee <hyc.lee(a)gmail.com>
mainline inclusion
from mainline-5.17-rc1
commit 4d02c4fdc0e256b493f9a3b604c7ff18f0019f17
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G
CVE: NA
Reference: https://git.kernel.org/torvalds/linux/c/4d02c4fdc0e2
-------------------------------
Due to the restriction that multiple buffer descriptor
structures cannot be handled, decrease the maximum
read/write size for Windows clients.
And set the maximum fragmented receive size
in consideration of the receive queue size.
Acked-by: Namjae Jeon <linkinjeon(a)kernel.org>
Signed-off-by: Hyunchul Lee <hyc.lee(a)gmail.com>
Signed-off-by: Steve French <stfrench(a)microsoft.com>
Signed-off-by: Jason Yan <yanaijie(a)huawei.com>
---
fs/ksmbd/transport_rdma.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/fs/ksmbd/transport_rdma.c b/fs/ksmbd/transport_rdma.c
index f0b17da1cac2..86fd64511512 100644
--- a/fs/ksmbd/transport_rdma.c
+++ b/fs/ksmbd/transport_rdma.c
@@ -80,7 +80,7 @@ static int smb_direct_max_fragmented_recv_size = 1024 * 1024;
/* The maximum single-message size which can be received */
static int smb_direct_max_receive_size = 8192;
-static int smb_direct_max_read_write_size = 1024 * 1024;
+static int smb_direct_max_read_write_size = 1048512;
static int smb_direct_max_outstanding_rw_ops = 8;
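Review bot: the new default 1048512 for smb_direct_max_read_write_size is a bare number, where the old value was the self-explanatory 1024 * 1024. It is 64 bytes below 1 MiB, but nothing in the hunk says why. A comment, or an expression showing how the value is derived, would let the next reader adjust it safely.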
@@ -1908,7 +1908,9 @@ static int smb_direct_prepare(struct ksmbd_transport *t)
st->max_send_size = min_t(int, st->max_send_size,
le32_to_cpu(req->max_receive_size));
st->max_fragmented_send_size =
- le32_to_cpu(req->max_fragmented_size);
+ le32_to_cpu(req->max_fragmented_size);
+ st->max_fragmented_recv_size =
+ (st->recv_credit_max * st->max_recv_size) / 2;
ret = smb_direct_send_negotiate_response(st, ret);
out:
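Review bot: st->max_fragmented_recv_size is computed as (st->recv_credit_max * st->max_recv_size) / 2 with no comment explaining the division by 2 and no bound on the product. A one-line comment tying this to the receive queue size mentioned in the commit message would help, and if either operand can be raised by configuration the multiplication should be checked for overflow. The first changed line in this hunk is a whitespace-only re-indent of le32_to_cpu(req->max_fragmented_size), which is better left out of a functional change.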
From patchwork Mon Nov 14 12:53:02 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Jason Yan <yanaijie(a)huawei.com>
X-Patchwork-Id: 183370
Return-Path: <yanaijie(a)huawei.com>
From: Jason Yan <yanaijie(a)huawei.com>
To: <yanaijie(a)huawei.com>, <zhengzengkai(a)huawei.com>, <xiexiuqi(a)huawei.com>,
<yi.zhang(a)huawei.com>, <patchwork(a)huawei.com>, <kernel.openeuler(a)huawei.com>,
<houtao1(a)huawei.com>
Subject: [PATCH OLK-5.10 v2 273/308] ksmbd: add smb-direct shutdown
Date: Mon, 14 Nov 2022 20:53:02 +0800
Message-ID: <20221114125337.1831594-274-yanaijie(a)huawei.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20221114125337.1831594-1-yanaijie(a)huawei.com>
References: <20221114125337.1831594-1-yanaijie(a)huawei.com>
Content-Type: text/plain
From: Yufan Chen <wiz.chen(a)gmail.com>
mainline inclusion
from mainline-5.17-rc1
commit 136dff3a6b71dc16c30b35cc390feb0bfc32ed50
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G
CVE: NA
Reference: https://git.kernel.org/torvalds/linux/c/136dff3a6b71
-------------------------------
When killing the ksmbd server after connecting rdma, ksmbd threads do not
terminate properly because the rdma connection is still alive.
This patch adds a shutdown operation to disconnect the rdma connection while
ksmbd threads terminate.
Signed-off-by: Yufan Chen <wiz.chen(a)gmail.com>
Signed-off-by: Namjae Jeon <linkinjeon(a)kernel.org>
Signed-off-by: Steve French <stfrench(a)microsoft.com>
Signed-off-by: Jason Yan <yanaijie(a)huawei.com>
---
fs/ksmbd/connection.c | 9 ++++++++-
fs/ksmbd/connection.h | 1 +
fs/ksmbd/transport_rdma.c | 10 ++++++++++
3 files changed, 19 insertions(+), 1 deletion(-)
diff --git a/fs/ksmbd/connection.c b/fs/ksmbd/connection.c
index 83a94d0bb480..6f4cee9beaa9 100644
--- a/fs/ksmbd/connection.c
+++ b/fs/ksmbd/connection.c
@@ -386,17 +386,24 @@ int ksmbd_conn_transport_init(void)
static void stop_sessions(void)
{
struct ksmbd_conn *conn;
+ struct ksmbd_transport *t;
again:
read_lock(&conn_list_lock);
list_for_each_entry(conn, &conn_list, conns_list) {
struct task_struct *task;
- task = conn->transport->handler;
+ t = conn->transport;
+ task = t->handler;
if (task)
ksmbd_debug(CONN, "Stop session handler %s/%d\n",
task->comm, task_pid_nr(task));
conn->status = KSMBD_SESS_EXITING;
+ if (t->ops->shutdown) {
+ read_unlock(&conn_list_lock);
+ t->ops->shutdown(t);
+ read_lock(&conn_list_lock);
+ }
}
read_unlock(&conn_list_lock);
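Review bot: inside list_for_each_entry(conn, &conn_list, conns_list) the new code drops conn_list_lock around t->ops->shutdown(t), then re-takes it and continues the walk from conn. Once the lock is released, nothing visible here keeps conn on the list or alive, so the iterator can step through a removed or freed entry when it advances. Suggest holding a reference on conn across the call, or restarting the walk after each shutdown (the function already has an again: label). t is also used only inside the loop and could be declared there, next to task.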
diff --git a/fs/ksmbd/connection.h b/fs/ksmbd/connection.h
index 72dfd155b5bf..d85f0122edc9 100644
--- a/fs/ksmbd/connection.h
+++ b/fs/ksmbd/connection.h
@@ -117,6 +117,7 @@ struct ksmbd_conn_ops {
struct ksmbd_transport_ops {
int (*prepare)(struct ksmbd_transport *t);
void (*disconnect)(struct ksmbd_transport *t);
+ void (*shutdown)(struct ksmbd_transport *t);
int (*read)(struct ksmbd_transport *t, char *buf, unsigned int size);
int (*writev)(struct ksmbd_transport *t, struct kvec *iovs, int niov,
int size, bool need_invalidate_rkey,
diff --git a/fs/ksmbd/transport_rdma.c b/fs/ksmbd/transport_rdma.c
index 86fd64511512..3c1ec1ac0b27 100644
--- a/fs/ksmbd/transport_rdma.c
+++ b/fs/ksmbd/transport_rdma.c
@@ -1453,6 +1453,15 @@ static void smb_direct_disconnect(struct ksmbd_transport *t)
free_transport(st);
}
+static void smb_direct_shutdown(struct ksmbd_transport *t)
+{
+ struct smb_direct_transport *st = smb_trans_direct_transfort(t);
+
+ ksmbd_debug(RDMA, "smb-direct shutdown cm_id=%p\n", st->cm_id);
+
+ smb_direct_disconnect_rdma_work(&st->disconnect_work);
+}
+
static int smb_direct_cm_handler(struct rdma_cm_id *cm_id,
struct rdma_cm_event *event)
{
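Review bot: smb_direct_shutdown() calls the work handler smb_direct_disconnect_rdma_work() directly on &st->disconnect_work instead of queueing that work item. If the same work can also be queued from elsewhere, the handler may run twice or concurrently for one transport. Suggest a comment stating why the direct call is safe, or queueing the work and waiting for it to finish.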
@@ -2201,6 +2210,7 @@ bool ksmbd_rdma_capable_netdev(struct net_device *netdev)
static struct ksmbd_transport_ops ksmbd_smb_direct_transport_ops = {
.prepare = smb_direct_prepare,
.disconnect = smb_direct_disconnect,
+ .shutdown = smb_direct_shutdown,
.writev = smb_direct_writev,
.read = smb_direct_read,
.rdma_read = smb_direct_rdma_read,
From patchwork Mon Nov 14 12:53:03 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Jason Yan <yanaijie(a)huawei.com>
X-Patchwork-Id: 183371
Return-Path: <yanaijie(a)huawei.com>
From: Jason Yan <yanaijie(a)huawei.com>
To: <yanaijie(a)huawei.com>, <zhengzengkai(a)huawei.com>, <xiexiuqi(a)huawei.com>,
<yi.zhang(a)huawei.com>, <patchwork(a)huawei.com>, <kernel.openeuler(a)huawei.com>,
<houtao1(a)huawei.com>
Subject: [PATCH OLK-5.10 v2 274/308] ksmbd: smbd: fix missing client's memory
region invalidation
Date: Mon, 14 Nov 2022 20:53:03 +0800
Message-ID: <20221114125337.1831594-275-yanaijie(a)huawei.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20221114125337.1831594-1-yanaijie(a)huawei.com>
References: <20221114125337.1831594-1-yanaijie(a)huawei.com>
Content-Type: text/plain
From: Hyunchul Lee <hyc.lee(a)gmail.com>
mainline inclusion
from mainline-5.17-rc1
commit 2fd5dcb1c8ef96c9f0fa8bda53ca480524b80ae7
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G
CVE: NA
Reference: https://git.kernel.org/torvalds/linux/c/2fd5dcb1c8ef
-------------------------------
If the Channel of an SMB2 WRITE request is
SMB2_CHANNEL_RDMA_V1_INVALIDATE, a client
does not invalidate its memory regions but
ksmbd must do it by sending an SMB2 WRITE response
with IB_WR_SEND_WITH_INV.
But if errors occur while processing an SMB2
READ/WRITE request, ksmbd sends a response
with IB_WR_SEND. So a client could use memory
regions already in use.
Acked-by: Namjae Jeon <linkinjeon(a)kernel.org>
Signed-off-by: Hyunchul Lee <hyc.lee(a)gmail.com>
Signed-off-by: Steve French <stfrench(a)microsoft.com>
Signed-off-by: Jason Yan <yanaijie(a)huawei.com>
---
fs/ksmbd/smb2pdu.c | 73 +++++++++++++++++++++++++++++-----------------
1 file changed, 46 insertions(+), 27 deletions(-)
diff --git a/fs/ksmbd/smb2pdu.c b/fs/ksmbd/smb2pdu.c
index e0cd70b6829d..2ec206d22946 100644
--- a/fs/ksmbd/smb2pdu.c
+++ b/fs/ksmbd/smb2pdu.c
@@ -6068,25 +6068,33 @@ static noinline int smb2_read_pipe(struct ksmbd_work *work)
return err;
}
-static ssize_t smb2_read_rdma_channel(struct ksmbd_work *work,
- struct smb2_read_req *req, void *data_buf,
- size_t length)
+static int smb2_set_remote_key_for_rdma(struct ksmbd_work *work,
+ struct smb2_buffer_desc_v1 *desc,
+ __le32 Channel,
+ __le16 ChannelInfoOffset,
+ __le16 ChannelInfoLength)
{
- struct smb2_buffer_desc_v1 *desc =
- (struct smb2_buffer_desc_v1 *)&req->Buffer[0];
- int err;
-
if (work->conn->dialect == SMB30_PROT_ID &&
- req->Channel != SMB2_CHANNEL_RDMA_V1)
+ Channel != SMB2_CHANNEL_RDMA_V1)
return -EINVAL;
- if (req->ReadChannelInfoOffset == 0 ||
- le16_to_cpu(req->ReadChannelInfoLength) < sizeof(*desc))
+ if (ChannelInfoOffset == 0 ||
+ le16_to_cpu(ChannelInfoLength) < sizeof(*desc))
return -EINVAL;
work->need_invalidate_rkey =
- (req->Channel == SMB2_CHANNEL_RDMA_V1_INVALIDATE);
+ (Channel == SMB2_CHANNEL_RDMA_V1_INVALIDATE);
work->remote_key = le32_to_cpu(desc->token);
+ return 0;
+}
+
+static ssize_t smb2_read_rdma_channel(struct ksmbd_work *work,
+ struct smb2_read_req *req, void *data_buf,
+ size_t length)
+{
+ struct smb2_buffer_desc_v1 *desc =
+ (struct smb2_buffer_desc_v1 *)&req->Buffer[0];
+ int err;
err = ksmbd_conn_rdma_write(work->conn, data_buf, length,
le32_to_cpu(desc->token),
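Review bot: smb2_set_remote_key_for_rdma() only checks that ChannelInfoOffset is non-zero, while the descriptor is still taken from &req->Buffer[0] by the callers, so the offset the client sent is never used to locate desc. ChannelInfoLength is likewise compared against sizeof(*desc) but not against the size of the received request. Suggest locating desc from the offset and checking offset plus length against the request buffer before desc->token is read. smb2_read_rdma_channel() now depends on its caller having run this helper first, which deserves a comment.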
@@ -6109,7 +6117,7 @@ int smb2_read(struct ksmbd_work *work)
struct ksmbd_conn *conn = work->conn;
struct smb2_read_req *req;
struct smb2_read_rsp *rsp;
- struct ksmbd_file *fp;
+ struct ksmbd_file *fp = NULL;
loff_t offset;
size_t length, mincount;
ssize_t nbytes = 0, remain_bytes = 0;
@@ -6123,6 +6131,18 @@ int smb2_read(struct ksmbd_work *work)
return smb2_read_pipe(work);
}
+ if (req->Channel == SMB2_CHANNEL_RDMA_V1_INVALIDATE ||
+ req->Channel == SMB2_CHANNEL_RDMA_V1) {
+ err = smb2_set_remote_key_for_rdma(work,
+ (struct smb2_buffer_desc_v1 *)
+ &req->Buffer[0],
+ req->Channel,
+ req->ReadChannelInfoOffset,
+ req->ReadChannelInfoLength);
+ if (err)
+ goto out;
+ }
+
fp = ksmbd_lookup_fd_slow(work, le64_to_cpu(req->VolatileFileId),
le64_to_cpu(req->PersistentFileId));
if (!fp) {
@@ -6308,21 +6328,6 @@ static ssize_t smb2_write_rdma_channel(struct ksmbd_work *work,
desc = (struct smb2_buffer_desc_v1 *)&req->Buffer[0];
- if (work->conn->dialect == SMB30_PROT_ID &&
- req->Channel != SMB2_CHANNEL_RDMA_V1)
- return -EINVAL;
-
- if (req->Length != 0 || req->DataOffset != 0)
- return -EINVAL;
-
- if (req->WriteChannelInfoOffset == 0 ||
- le16_to_cpu(req->WriteChannelInfoLength) < sizeof(*desc))
- return -EINVAL;
-
- work->need_invalidate_rkey =
- (req->Channel == SMB2_CHANNEL_RDMA_V1_INVALIDATE);
- work->remote_key = le32_to_cpu(desc->token);
-
data_buf = kvmalloc(length, GFP_KERNEL | __GFP_ZERO);
if (!data_buf)
return -ENOMEM;
@@ -6369,6 +6374,20 @@ int smb2_write(struct ksmbd_work *work)
return smb2_write_pipe(work);
}
+ if (req->Channel == SMB2_CHANNEL_RDMA_V1 ||
+ req->Channel == SMB2_CHANNEL_RDMA_V1_INVALIDATE) {
+ if (req->Length != 0 || req->DataOffset != 0)
+ return -EINVAL;
+ err = smb2_set_remote_key_for_rdma(work,
+ (struct smb2_buffer_desc_v1 *)
+ &req->Buffer[0],
+ req->Channel,
+ req->WriteChannelInfoOffset,
+ req->WriteChannelInfoLength);
+ if (err)
+ goto out;
+ }
+
if (!test_tree_conn_flag(work->tcon, KSMBD_TREE_CONN_FLAG_WRITABLE)) {
ksmbd_debug(SMB, "User does not have write permission\n");
err = -EACCES;
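Review bot: in smb2_write() the new req->Length != 0 || req->DataOffset != 0 check does return -EINVAL directly, while a failure of smb2_set_remote_key_for_rdma() a few lines later does goto out. The direct return bypasses the out: handling, and it happens before work->need_invalidate_rkey is set, so this error path cannot produce the invalidating response the commit message is about. Suggest setting err = -EINVAL and using goto out here as well.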
From patchwork Mon Nov 14 12:53:04 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Jason Yan <yanaijie(a)huawei.com>
X-Patchwork-Id: 183372
Return-Path: <yanaijie(a)huawei.com>
From: Jason Yan <yanaijie(a)huawei.com>
To: <yanaijie(a)huawei.com>, <zhengzengkai(a)huawei.com>, <xiexiuqi(a)huawei.com>,
<yi.zhang(a)huawei.com>, <patchwork(a)huawei.com>, <kernel.openeuler(a)huawei.com>,
<houtao1(a)huawei.com>
Subject: [PATCH OLK-5.10 v2 275/308] ksmbd: uninitialized variable in
create_socket()
Date: Mon, 14 Nov 2022 20:53:04 +0800
Message-ID: <20221114125337.1831594-276-yanaijie(a)huawei.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20221114125337.1831594-1-yanaijie(a)huawei.com>
References: <20221114125337.1831594-1-yanaijie(a)huawei.com>
Content-Type: text/plain
From: Dan Carpenter <dan.carpenter(a)oracle.com>
mainline inclusion
from mainline-5.17-rc1
commit b207602fb04537cb21ac38fabd7577eca2fa05ae
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G
CVE: NA
Reference: https://git.kernel.org/torvalds/linux/c/b207602fb045
-------------------------------
The "ksmbd_socket" variable is not initialized on this error path.
Cc: stable(a)vger.kernel.org
Fixes: 0626e6641f6b ("cifsd: add server handler for central processing and tranport layers")
Signed-off-by: Dan Carpenter <dan.carpenter(a)oracle.com>
Acked-by: Namjae Jeon <linkinjeon(a)kernel.org>
Signed-off-by: Steve French <stfrench(a)microsoft.com>
Signed-off-by: Jason Yan <yanaijie(a)huawei.com>
---
fs/ksmbd/transport_tcp.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/fs/ksmbd/transport_tcp.c b/fs/ksmbd/transport_tcp.c
index c14320e03b69..82a1429bbe12 100644
--- a/fs/ksmbd/transport_tcp.c
+++ b/fs/ksmbd/transport_tcp.c
@@ -404,7 +404,7 @@ static int create_socket(struct interface *iface)
&ksmbd_socket);
if (ret) {
pr_err("Can't create socket for ipv4: %d\n", ret);
- goto out_error;
+ goto out_clear;
}
sin.sin_family = PF_INET;
@@ -462,6 +462,7 @@ static int create_socket(struct interface *iface)
out_error:
tcp_destroy_socket(ksmbd_socket);
+out_clear:
iface->ksmbd_socket = NULL;
return ret;
}
From patchwork Mon Nov 14 12:53:05 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Jason Yan <yanaijie(a)huawei.com>
X-Patchwork-Id: 183373
Return-Path: <yanaijie(a)huawei.com>
From: Jason Yan <yanaijie(a)huawei.com>
To: <yanaijie(a)huawei.com>, <zhengzengkai(a)huawei.com>, <xiexiuqi(a)huawei.com>,
<yi.zhang(a)huawei.com>, <patchwork(a)huawei.com>, <kernel.openeuler(a)huawei.com>,
<houtao1(a)huawei.com>
Subject: [PATCH OLK-5.10 v2 276/308] ksmbd: fix guest connection failure with
nautilus
Date: Mon, 14 Nov 2022 20:53:05 +0800
Message-ID: <20221114125337.1831594-277-yanaijie(a)huawei.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20221114125337.1831594-1-yanaijie(a)huawei.com>
References: <20221114125337.1831594-1-yanaijie(a)huawei.com>
Content-Type: text/plain
From: Namjae Jeon <linkinjeon(a)kernel.org>
mainline inclusion
from mainline-5.17-rc1
commit ac090d9c90b087d6fb714e54b2a6dd1e6c373ed6
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G
CVE: NA
Reference: https://git.kernel.org/torvalds/linux/c/ac090d9c90b0
-------------------------------
MS-SMB2 describes session sign like the following.
Session.SigningRequired MUST be set to TRUE under the following conditions:
- If the SMB2_NEGOTIATE_SIGNING_REQUIRED bit is set in the SecurityMode
field of the client request.
- If the SMB2_SESSION_FLAG_IS_GUEST bit is not set in the SessionFlags
field and Session.IsAnonymous is FALSE and either Connection.ShouldSign
or global RequireMessageSigning is TRUE.
When trying a guest account connection using Nautilus, the login failure
happened on session setup. ksmbd does not allow this connection
when the user is a guest and the connection sign is set. Just do not set
session sign instead of error response as described in the specification.
And this change improves the guest connection in Nautilus.
Fixes: e2f34481b24d ("cifsd: add server-side procedures for SMB3")
Cc: stable(a)vger.kernel.org # v5.15+
Signed-off-by: Namjae Jeon <linkinjeon(a)kernel.org>
Signed-off-by: Steve French <stfrench(a)microsoft.com>
Signed-off-by: Jason Yan <yanaijie(a)huawei.com>
---
fs/ksmbd/smb2pdu.c | 62 ++++++++++++++++++++++------------------------
1 file changed, 29 insertions(+), 33 deletions(-)
diff --git a/fs/ksmbd/smb2pdu.c b/fs/ksmbd/smb2pdu.c
index 2ec206d22946..7bf9f85cd021 100644
--- a/fs/ksmbd/smb2pdu.c
+++ b/fs/ksmbd/smb2pdu.c
@@ -1460,11 +1460,6 @@ static int ntlm_authenticate(struct ksmbd_work *work)
}
if (user_guest(sess->user)) {
- if (conn->sign) {
- ksmbd_debug(SMB, "Guest login not allowed when signing enabled\n");
- return -EPERM;
- }
-
rsp->SessionFlags = SMB2_SESSION_FLAG_IS_GUEST_LE;
} else {
struct authenticate_message *authblob;
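Review bot: with the conn->sign check removed, a guest login on a connection that negotiated signing now succeeds without leaving any trace, since the ksmbd_debug() line was removed together with the check. Suggest keeping a debug message on this branch saying that the guest session is being set up unsigned, so the relaxed behaviour is visible when debugging.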
@@ -1477,38 +1472,39 @@ static int ntlm_authenticate(struct ksmbd_work *work)
ksmbd_debug(SMB, "authentication failed\n");
return -EPERM;
}
+ }
- /*
- * If session state is SMB2_SESSION_VALID, We can assume
- * that it is reauthentication. And the user/password
- * has been verified, so return it here.
- */
- if (sess->state == SMB2_SESSION_VALID) {
- if (conn->binding)
- goto binding_session;
- return 0;
- }
+ /*
+ * If session state is SMB2_SESSION_VALID, We can assume
+ * that it is reauthentication. And the user/password
+ * has been verified, so return it here.
+ */
+ if (sess->state == SMB2_SESSION_VALID) {
+ if (conn->binding)
+ goto binding_session;
+ return 0;
+ }
- if ((conn->sign || server_conf.enforced_signing) ||
- (req->SecurityMode & SMB2_NEGOTIATE_SIGNING_REQUIRED))
- sess->sign = true;
+ if ((rsp->SessionFlags != SMB2_SESSION_FLAG_IS_GUEST_LE &&
+ (conn->sign || server_conf.enforced_signing)) ||
+ (req->SecurityMode & SMB2_NEGOTIATE_SIGNING_REQUIRED))
+ sess->sign = true;
- if (smb3_encryption_negotiated(conn) &&
- !(req->Flags & SMB2_SESSION_REQ_FLAG_BINDING)) {
- rc = conn->ops->generate_encryptionkey(sess);
- if (rc) {
- ksmbd_debug(SMB,
- "SMB3 encryption key generation failed\n");
- return -EINVAL;
- }
- sess->enc = true;
- rsp->SessionFlags = SMB2_SESSION_FLAG_ENCRYPT_DATA_LE;
- /*
- * signing is disable if encryption is enable
- * on this session
- */
- sess->sign = false;
+ if (smb3_encryption_negotiated(conn) &&
+ !(req->Flags & SMB2_SESSION_REQ_FLAG_BINDING)) {
+ rc = conn->ops->generate_encryptionkey(sess);
+ if (rc) {
+ ksmbd_debug(SMB,
+ "SMB3 encryption key generation failed\n");
+ return -EINVAL;
}
+ sess->enc = true;
+ rsp->SessionFlags = SMB2_SESSION_FLAG_ENCRYPT_DATA_LE;
+ /*
+ * signing is disable if encryption is enable
+ * on this session
+ */
+ sess->sign = false;
}
binding_session:
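Review bot: the signing condition tests rsp->SessionFlags != SMB2_SESSION_FLAG_IS_GUEST_LE, an equality comparison on a flags field that only works because the guest branch above assigns exactly that value. A bit test, or reusing user_guest(sess->user), states the intent directly and survives another flag being set. Moving the block out of the else branch also means guest sessions now reach the encryption block, where rsp->SessionFlags = SMB2_SESSION_FLAG_ENCRYPT_DATA_LE overwrites the guest flag; using |= there would keep it. server_conf.enforced_signing no longer applies to guests after this change, which is worth a comment next to the condition.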
From patchwork Mon Nov 14 12:53:06 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Jason Yan <yanaijie(a)huawei.com>
X-Patchwork-Id: 183374
Return-Path: <yanaijie(a)huawei.com>
From: Jason Yan <yanaijie(a)huawei.com>
To: <yanaijie(a)huawei.com>, <zhengzengkai(a)huawei.com>, <xiexiuqi(a)huawei.com>,
<yi.zhang(a)huawei.com>, <patchwork(a)huawei.com>, <kernel.openeuler(a)huawei.com>,
<houtao1(a)huawei.com>
Subject: [PATCH OLK-5.10 v2 277/308] ksmbd: fix SMB 3.11 posix extension mount
failure
Date: Mon, 14 Nov 2022 20:53:06 +0800
Message-ID: <20221114125337.1831594-278-yanaijie(a)huawei.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20221114125337.1831594-1-yanaijie(a)huawei.com>
References: <20221114125337.1831594-1-yanaijie(a)huawei.com>
Content-Type: text/plain
From: Namjae Jeon <linkinjeon(a)kernel.org>
mainline inclusion
from mainline-5.17-rc4
commit 9ca8581e79e51c57e60b3b8e3b89d816448f49fe
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G
CVE: NA
Reference: https://git.kernel.org/torvalds/linux/c/9ca8581e79e5
-------------------------------
cifs client sets 4 to DataLength of create_posix context, which means
Mode variable of create_posix context is only available. So buffer
validation of ksmbd should check only the size of Mode except for
the size of Reserved variable.
Fixes: 8f77150c15f8 ("ksmbd: add buffer validation for SMB2_CREATE_CONTEXT")
Cc: stable(a)vger.kernel.org # v5.15+
Reported-by: Steve French <smfrench(a)gmail.com>
Tested-by: Steve French <stfrench(a)microsoft.com>
Signed-off-by: Namjae Jeon <linkinjeon(a)kernel.org>
Signed-off-by: Steve French <stfrench(a)microsoft.com>
Signed-off-by: Jason Yan <yanaijie(a)huawei.com>
---
fs/ksmbd/smb2pdu.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/fs/ksmbd/smb2pdu.c b/fs/ksmbd/smb2pdu.c
index 7bf9f85cd021..98f2805bf092 100644
--- a/fs/ksmbd/smb2pdu.c
+++ b/fs/ksmbd/smb2pdu.c
@@ -2671,7 +2671,7 @@ int smb2_open(struct ksmbd_work *work)
(struct create_posix *)context;
if (le16_to_cpu(context->DataOffset) +
le32_to_cpu(context->DataLength) <
- sizeof(struct create_posix)) {
+ sizeof(struct create_posix) - 4) {
rc = -EINVAL;
goto err_out1;
}
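Review bot: sizeof(struct create_posix) - 4 hard-codes the size of the Reserved member that the commit message refers to. Suggest expressing the subtraction with sizeof() on that member, or a named constant with a comment, so the check follows the structure if its layout changes. The left-hand side adds a 16-bit DataOffset to a 32-bit DataLength, so a very large DataLength can wrap the sum; that is worth checking here unless DataLength is already bounded earlier in smb2_open().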
From patchwork Mon Nov 14 12:53:07 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Jason Yan <yanaijie(a)huawei.com>
X-Patchwork-Id: 183375
Return-Path: <yanaijie(a)huawei.com>
From: Jason Yan <yanaijie(a)huawei.com>
To: <yanaijie(a)huawei.com>, <zhengzengkai(a)huawei.com>, <xiexiuqi(a)huawei.com>,
<yi.zhang(a)huawei.com>, <patchwork(a)huawei.com>, <kernel.openeuler(a)huawei.com>,
<houtao1(a)huawei.com>
Subject: [PATCH OLK-5.10 v2 278/308] ksmbd: smbd: validate buffer descriptor
structures
Date: Mon, 14 Nov 2022 20:53:07 +0800
Message-ID: <20221114125337.1831594-279-yanaijie(a)huawei.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20221114125337.1831594-1-yanaijie(a)huawei.com>
References: <20221114125337.1831594-1-yanaijie(a)huawei.com>
Content-Type: text/plain
From: Hyunchul Lee <hyc.lee(a)gmail.com>
mainline inclusion
from mainline-5.17-rc4
commit 6d896d3b44cf64ab9b2483697e222098e7b72f70
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G
CVE: NA
Reference: https://git.kernel.org/torvalds/linux/c/6d896d3b44cf
-------------------------------
Check ChannelInfoOffset and ChannelInfoLength
to validate buffer descriptor structures.
And add a debug log to print the structures'
content.
Acked-by: Namjae Jeon <linkinjeon(a)kernel.org>
Signed-off-by: Hyunchul Lee <hyc.lee(a)gmail.com>
Signed-off-by: Steve French <stfrench(a)microsoft.com>
Signed-off-by: Jason Yan <yanaijie(a)huawei.com>
---
fs/ksmbd/smb2pdu.c | 36 ++++++++++++++++++++++++++++++------
1 file changed, 30 insertions(+), 6 deletions(-)
diff --git a/fs/ksmbd/smb2pdu.c b/fs/ksmbd/smb2pdu.c
index 98f2805bf092..53f263742b0f 100644
--- a/fs/ksmbd/smb2pdu.c
+++ b/fs/ksmbd/smb2pdu.c
@@ -6070,13 +6070,26 @@ static int smb2_set_remote_key_for_rdma(struct ksmbd_work *work,
__le16 ChannelInfoOffset,
__le16 ChannelInfoLength)
{
+ unsigned int i, ch_count;
+
if (work->conn->dialect == SMB30_PROT_ID &&
Channel != SMB2_CHANNEL_RDMA_V1)
return -EINVAL;
- if (ChannelInfoOffset == 0 ||
- le16_to_cpu(ChannelInfoLength) < sizeof(*desc))
+ ch_count = le16_to_cpu(ChannelInfoLength) / sizeof(*desc);
+ if (ksmbd_debug_types & KSMBD_DEBUG_RDMA) {
+ for (i = 0; i < ch_count; i++) {
+ pr_info("RDMA r/w request %#x: token %#x, length %#x\n",
+ i,
+ le32_to_cpu(desc[i].token),
+ le32_to_cpu(desc[i].length));
+ }
+ }
+ if (ch_count != 1) {
+ ksmbd_debug(RDMA, "RDMA multiple buffer descriptors %d are not supported yet\n",
+ ch_count);
return -EINVAL;
+ }
work->need_invalidate_rkey =
(Channel == SMB2_CHANNEL_RDMA_V1_INVALIDATE);
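Review bot: ch_count is derived from the client-supplied ChannelInfoLength, and the debug loop reads desc[i].token and desc[i].length for every i below it before anything checks that those descriptors lie inside the received request. With KSMBD_DEBUG_RDMA enabled, a large ChannelInfoLength makes the loop read past the request buffer and print what it finds. Suggest validating the offset plus ChannelInfoLength against the request size first and running the loop only after that check. ch_count is unsigned int, so the ksmbd_debug() format should use %u rather than %d.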
@@ -6129,9 +6142,15 @@ int smb2_read(struct ksmbd_work *work)
if (req->Channel == SMB2_CHANNEL_RDMA_V1_INVALIDATE ||
req->Channel == SMB2_CHANNEL_RDMA_V1) {
+ unsigned int ch_offset = le16_to_cpu(req->ReadChannelInfoOffset);
+
+ if (ch_offset < offsetof(struct smb2_read_req, Buffer)) {
+ err = -EINVAL;
+ goto out;
+ }
err = smb2_set_remote_key_for_rdma(work,
(struct smb2_buffer_desc_v1 *)
- &req->Buffer[0],
+ ((char *)req + ch_offset),
req->Channel,
req->ReadChannelInfoOffset,
req->ReadChannelInfoLength);
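Review bot: ch_offset is only checked against the lower bound offsetof(struct smb2_read_req, Buffer); there is no visible check that ch_offset plus ReadChannelInfoLength ends inside the received request, so the descriptor pointer built from `(char *)req + ch_offset` can point beyond the message. Add the upper-bound check here, next to the lower-bound one, rather than relying on smb2_set_remote_key_for_rdma(), which is not given the request length. The smb2_write hunk has the same gap for WriteChannelInfoOffset.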
@@ -6372,11 +6391,16 @@ int smb2_write(struct ksmbd_work *work)
if (req->Channel == SMB2_CHANNEL_RDMA_V1 ||
req->Channel == SMB2_CHANNEL_RDMA_V1_INVALIDATE) {
- if (req->Length != 0 || req->DataOffset != 0)
- return -EINVAL;
+ unsigned int ch_offset = le16_to_cpu(req->WriteChannelInfoOffset);
+
+ if (req->Length != 0 || req->DataOffset != 0 ||
+ ch_offset < offsetof(struct smb2_write_req, Buffer)) {
+ err = -EINVAL;
+ goto out;
+ }
err = smb2_set_remote_key_for_rdma(work,
(struct smb2_buffer_desc_v1 *)
- &req->Buffer[0],
+ ((char *)req + ch_offset),
req->Channel,
req->WriteChannelInfoOffset,
req->WriteChannelInfoLength);
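The offset/length validation this patch is concerned with, extended with an upper bound and a whole-descriptor check, as an added user-space example (not ksmbd code). `parse_channel_info`, `check_sample`, `FIXED_LEN` (a stand-in for `offsetof(struct smb2_read_req, Buffer)`) and the sample bytes are assumptions constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DESC_V1_SIZE 16u   /* Offset(8) + Token(4) + Length(4), little endian */
#define FIXED_LEN    112u  /* constructed stand-in for offsetof(req, Buffer) */

struct desc_v1 {           /* host-order copy of one Buffer Descriptor V1 */
    uint64_t offset;
    uint32_t token;
    uint32_t length;
};

static uint32_t le32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

static uint64_t le64(const uint8_t *p)
{
    return (uint64_t)le32(p) | (uint64_t)le32(p + 4) << 32;
}

/*
 * Returns the number of descriptors decoded into out[], or -1 when the
 * client-supplied offset/length pair does not describe a whole number of
 * descriptors lying entirely inside the received request.
 */
int parse_channel_info(const uint8_t *req, size_t req_len,
                       uint16_t ch_offset, uint16_t ch_length,
                       struct desc_v1 *out, size_t max_out)
{
    size_t i, count;

    if (ch_offset < FIXED_LEN)            /* would alias the fixed header */
        return -1;
    if (ch_length == 0 || ch_length % DESC_V1_SIZE)
        return -1;                        /* empty or trailing partial entry */
    if (ch_offset > req_len || ch_length > req_len - ch_offset)
        return -1;                        /* runs past the received bytes */
    count = ch_length / DESC_V1_SIZE;
    if (count > max_out)
        return -1;                        /* more than the caller supports */
    for (i = 0; i < count; i++) {
        const uint8_t *p = req + ch_offset + i * DESC_V1_SIZE;

        out[i].offset = le64(p);
        out[i].token  = le32(p + 8);
        out[i].length = le32(p + 12);
    }
    return (int)count;
}

/* Constructed sample: FIXED_LEN zero bytes followed by one descriptor. */
static size_t build_sample(uint8_t *buf)
{
    static const uint8_t desc[DESC_V1_SIZE] = {
        0x00, 0x10, 0, 0, 0, 0, 0, 0,     /* offset 0x1000 */
        0x78, 0x56, 0x34, 0x12,           /* token  0x12345678 */
        0x00, 0x00, 0x01, 0x00            /* length 0x10000 */
    };

    memset(buf, 0, FIXED_LEN);
    memcpy(buf + FIXED_LEN, desc, sizeof(desc));
    return FIXED_LEN + sizeof(desc);
}

/* Runs the parser on the sample with the given offset/length claim. */
int check_sample(uint16_t ch_offset, uint16_t ch_length, struct desc_v1 *out)
{
    uint8_t buf[FIXED_LEN + DESC_V1_SIZE];
    size_t len = build_sample(buf);

    return parse_channel_info(buf, len, ch_offset, ch_length, out, 1);
}

int main(void)
{
    struct desc_v1 d;

    printf("valid:            %d\n", check_sample(FIXED_LEN, 16, &d));
    printf("offset in header: %d\n", check_sample(64, 16, &d));
    printf("length past end:  %d\n", check_sample(FIXED_LEN, 32, &d));
    printf("partial entry:    %d\n", check_sample(FIXED_LEN, 24, &d));
    return 0;
}
```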
From patchwork Mon Nov 14 12:53:08 2022
X-Patchwork-Submitter: Jason Yan <yanaijie(a)huawei.com>
X-Patchwork-Id: 183376
From: Jason Yan <yanaijie(a)huawei.com>
To: <yanaijie(a)huawei.com>, <zhengzengkai(a)huawei.com>, <xiexiuqi(a)huawei.com>,
<yi.zhang(a)huawei.com>, <patchwork(a)huawei.com>, <kernel.openeuler(a)huawei.com>,
<houtao1(a)huawei.com>
Subject: [PATCH OLK-5.10 v2 279/308] ksmbd: fix same UniqueId for dot and
dotdot entries
Date: Mon, 14 Nov 2022 20:53:08 +0800
Message-ID: <20221114125337.1831594-280-yanaijie(a)huawei.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20221114125337.1831594-1-yanaijie(a)huawei.com>
References: <20221114125337.1831594-1-yanaijie(a)huawei.com>
From: Namjae Jeon <linkinjeon(a)kernel.org>
mainline inclusion
from mainline-5.17-rc4
commit 97550c7478a2da93e348d8c3075d92cddd473a78
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G
CVE: NA
Reference: https://git.kernel.org/torvalds/linux/c/97550c7478a2
-------------------------------
ksmbd sets the inode number to UniqueId. However, the same UniqueId for
dot and dotdot entry is set to the inode number of the parent inode.
This patch sets them using the current inode and parent inode.
Signed-off-by: Namjae Jeon <linkinjeon(a)kernel.org>
Signed-off-by: Steve French <stfrench(a)microsoft.com>
Signed-off-by: Jason Yan <yanaijie(a)huawei.com>
---
fs/ksmbd/smb_common.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/fs/ksmbd/smb_common.c b/fs/ksmbd/smb_common.c
index be9701273c71..2476ba92b475 100644
--- a/fs/ksmbd/smb_common.c
+++ b/fs/ksmbd/smb_common.c
@@ -307,14 +307,17 @@ int ksmbd_populate_dot_dotdot_entries(struct ksmbd_work *work, int info_level,
for (i = 0; i < 2; i++) {
struct kstat kstat;
struct ksmbd_kstat ksmbd_kstat;
+ struct dentry *dentry;
if (!dir->dot_dotdot[i]) { /* fill dot entry info */
if (i == 0) {
d_info->name = ".";
d_info->name_len = 1;
+ dentry = dir->filp->f_path.dentry;
} else {
d_info->name = "..";
d_info->name_len = 2;
+ dentry = dir->filp->f_path.dentry->d_parent;
}
if (!match_pattern(d_info->name, d_info->name_len,
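Review bot: the `..` branch takes dir->filp->f_path.dentry->d_parent as a bare pointer with no reference held, so a concurrent rename can change d_parent while ksmbd_vfs_fill_dentry_attrs() is still using it. dget_parent() with a matching dput() after the fill would pin it. Also, `dentry` is declared without an initializer and is assigned only inside the `if (!dir->dot_dotdot[i])` branch; initialize it or move the declaration into that branch so a later use outside it cannot pick up garbage.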
@@ -325,7 +328,7 @@ int ksmbd_populate_dot_dotdot_entries(struct ksmbd_work *work, int info_level,
ksmbd_kstat.kstat = &kstat;
ksmbd_vfs_fill_dentry_attrs(work,
- dir->filp->f_path.dentry->d_parent,
+ dentry,
&ksmbd_kstat);
rc = fn(conn, info_level, d_info, &ksmbd_kstat);
if (rc)
From patchwork Mon Nov 14 12:53:09 2022
X-Patchwork-Submitter: Jason Yan <yanaijie(a)huawei.com>
X-Patchwork-Id: 183377
From: Jason Yan <yanaijie(a)huawei.com>
To: <yanaijie(a)huawei.com>, <zhengzengkai(a)huawei.com>, <xiexiuqi(a)huawei.com>,
<yi.zhang(a)huawei.com>, <patchwork(a)huawei.com>, <kernel.openeuler(a)huawei.com>,
<houtao1(a)huawei.com>
Subject: [PATCH OLK-5.10 v2 280/308] ksmbd: don't align last entry offset in
smb2 query directory
Date: Mon, 14 Nov 2022 20:53:09 +0800
Message-ID: <20221114125337.1831594-281-yanaijie(a)huawei.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20221114125337.1831594-1-yanaijie(a)huawei.com>
References: <20221114125337.1831594-1-yanaijie(a)huawei.com>
From: Namjae Jeon <linkinjeon(a)kernel.org>
mainline inclusion
from mainline-5.17-rc4
commit 04e260948a160d3b7d622bf4c8a96fa4577c09bd
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G
CVE: NA
Reference: https://git.kernel.org/torvalds/linux/c/04e260948a16
-------------------------------
When checking smb2 query directory packets from other servers,
OutputBufferLength is different from ksmbd's. Other servers add an unaligned
next offset to OutputBufferLength for the last entry.
Signed-off-by: Namjae Jeon <linkinjeon(a)kernel.org>
Signed-off-by: Steve French <stfrench(a)microsoft.com>
Signed-off-by: Jason Yan <yanaijie(a)huawei.com>
---
fs/ksmbd/smb2pdu.c | 7 ++++---
fs/ksmbd/vfs.h | 1 +
2 files changed, 5 insertions(+), 3 deletions(-)
diff --git a/fs/ksmbd/smb2pdu.c b/fs/ksmbd/smb2pdu.c
index 53f263742b0f..f118cbf00cac 100644
--- a/fs/ksmbd/smb2pdu.c
+++ b/fs/ksmbd/smb2pdu.c
@@ -3393,9 +3393,9 @@ static int smb2_populate_readdir_entry(struct ksmbd_conn *conn, int info_level,
goto free_conv_name;
}
- struct_sz = readdir_info_level_struct_sz(info_level);
- next_entry_offset = ALIGN(struct_sz - 1 + conv_len,
- KSMBD_DIR_INFO_ALIGNMENT);
+ struct_sz = readdir_info_level_struct_sz(info_level) - 1 + conv_len;
+ next_entry_offset = ALIGN(struct_sz, KSMBD_DIR_INFO_ALIGNMENT);
+ d_info->last_entry_off_align = next_entry_offset - struct_sz;
if (next_entry_offset > d_info->out_buf_len) {
d_info->out_buf_len = 0;
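Review bot: d_info->last_entry_off_align is stored before the `next_entry_offset > d_info->out_buf_len` check, so when that check rejects the entry the saved padding belongs to an entry that never reaches the buffer, and smb2_query_dir() later subtracts the wrong amount. Move the assignment below the size check. Reusing struct_sz for "structure size plus name length" also makes the variable name misleading; a separate local would read better.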
@@ -3943,6 +3943,7 @@ int smb2_query_dir(struct ksmbd_work *work)
((struct file_directory_info *)
((char *)rsp->Buffer + d_info.last_entry_offset))
->NextEntryOffset = 0;
+ d_info.data_count -= d_info.last_entry_off_align;
rsp->StructureSize = cpu_to_le16(9);
rsp->OutputBufferOffset = cpu_to_le16(72);
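Review bot: `d_info.data_count -= d_info.last_entry_off_align;` is unguarded; nothing here guarantees that data_count is at least last_entry_off_align, so the subtraction can go below zero when no entry was written. Patch 285/308 later in this series adds exactly that guard; folding it into this change would avoid an intermediate state that misreports the length.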
diff --git a/fs/ksmbd/vfs.h b/fs/ksmbd/vfs.h
index 51ff1f63965c..edaf12ced841 100644
--- a/fs/ksmbd/vfs.h
+++ b/fs/ksmbd/vfs.h
@@ -86,6 +86,7 @@ struct ksmbd_dir_info {
int last_entry_offset;
bool hide_dot_file;
int flags;
+ int last_entry_off_align;
};
struct ksmbd_readdir_data {
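How the reported length changes when the last entry's alignment padding is dropped, including the case where no entry fits, as an added user-space example (not ksmbd code). The 8-byte alignment, the 64-byte fixed entry size, the helper names (`add_entry`, `finish`, `count_entries`, `demo`) and the two sample name lengths are assumptions constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DIR_ALIGN   8u   /* assumed value of KSMBD_DIR_INFO_ALIGNMENT */
#define FIXED_SZ    64u  /* fixed part of a FileDirectoryInformation entry */
#define NAMELEN_OFF 60u  /* FileNameLength field inside that fixed part */
#define ALIGN_UP(x, a) (((x) + (a) - 1) & ~((size_t)(a) - 1))

struct dir_pack {
    uint8_t *buf;        /* response buffer */
    size_t room;         /* bytes still available */
    size_t data_count;   /* bytes used so far, padding included */
    size_t last_off;     /* offset of the last emitted entry */
    size_t last_pad;     /* alignment padding that follows it */
    unsigned num_entry;
};

static void put_le32(uint8_t *p, uint32_t v)
{
    for (int i = 0; i < 4; i++)
        p[i] = (uint8_t)(v >> (8 * i));
}
static uint32_t get_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Append one entry with a name of name_len bytes; -1 if it does not fit. */
int add_entry(struct dir_pack *p, size_t name_len)
{
    size_t used = FIXED_SZ + name_len;
    size_t next = ALIGN_UP(used, DIR_ALIGN);
    uint8_t *e;
    if (next > p->room)
        return -1;              /* rejected: bookkeeping stays untouched */
    e = p->buf + p->data_count;
    memset(e, 0, next);
    put_le32(e, (uint32_t)next);                    /* NextEntryOffset */
    put_le32(e + NAMELEN_OFF, (uint32_t)name_len);  /* FileNameLength */
    p->last_off = p->data_count;
    p->last_pad = next - used;
    p->data_count += next;
    p->room -= next;
    p->num_entry++;
    return 0;
}

/* Terminate the chain; returns the length to report to the client. */
size_t finish(struct dir_pack *p)
{
    if (p->num_entry == 0)
        return 0;                        /* no entry fitted, nothing to patch */
    put_le32(p->buf + p->last_off, 0);   /* last NextEntryOffset is 0 */
    return p->data_count - p->last_pad;  /* last entry carries no padding */
}

/* Client-side walk: number of entries, or -1 if the chain is inconsistent. */
int count_entries(const uint8_t *buf, size_t len)
{
    size_t off = 0;
    int n = 0;
    while (len - off >= FIXED_SZ) {
        uint32_t next = get_le32(buf + off);
        uint32_t nlen = get_le32(buf + off + NAMELEN_OFF);
        if (nlen > len - off - FIXED_SZ)
            return -1;                   /* name runs past the reported length */
        n++;
        if (next == 0)
            return n;
        if (next < FIXED_SZ + nlen || next > len - off)
            return -1;                   /* link overlaps or leaves the buffer */
        off += next;
    }
    return len == 0 ? 0 : -1;
}

/* Constructed input: two names of 10 and 4 bytes, buffer capped at limit. */
int demo(size_t limit, size_t *reported)
{
    static const size_t name_lens[] = { 10, 4 };
    uint8_t buf[256];
    struct dir_pack p = { buf, limit < sizeof(buf) ? limit : sizeof(buf), 0, 0, 0, 0 };
    for (size_t i = 0; i < 2 && add_entry(&p, name_lens[i]) == 0; i++)
        ;
    *reported = finish(&p);
    return count_entries(buf, *reported);
}

int main(void)
{
    size_t len;
    int n = demo(128, &len);
    printf("limit 128: %d entries, %zu bytes\n", n, len);
    return 0;
}
```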
From patchwork Mon Nov 14 12:53:10 2022
X-Patchwork-Submitter: Jason Yan <yanaijie(a)huawei.com>
X-Patchwork-Id: 183378
From: Jason Yan <yanaijie(a)huawei.com>
To: <yanaijie(a)huawei.com>, <zhengzengkai(a)huawei.com>, <xiexiuqi(a)huawei.com>,
<yi.zhang(a)huawei.com>, <patchwork(a)huawei.com>, <kernel.openeuler(a)huawei.com>,
<houtao1(a)huawei.com>
Subject: [PATCH OLK-5.10 v2 281/308] ksmbd: reduce smb direct max read/write
size
Date: Mon, 14 Nov 2022 20:53:10 +0800
Message-ID: <20221114125337.1831594-282-yanaijie(a)huawei.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20221114125337.1831594-1-yanaijie(a)huawei.com>
References: <20221114125337.1831594-1-yanaijie(a)huawei.com>
From: Namjae Jeon <linkinjeon(a)kernel.org>
mainline inclusion
from mainline-5.17-rc4
commit deae24b0b13ff5f46022124fbfc2c72fc534bc6a
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G
CVE: NA
Reference: https://git.kernel.org/torvalds/linux/c/deae24b0b13f
-------------------------------
ksmbd does not support more than one Buffer Descriptor V1 element in
an smbdirect protocol request. Reducing the maximum read/write size to
about 512KB allows interoperability with Windows over a wider variety
of RDMA NICs, as an interim workaround.
Reviewed-by: Tom Talpey <tom(a)talpey.com>
Signed-off-by: Namjae Jeon <linkinjeon(a)kernel.org>
Signed-off-by: Steve French <stfrench(a)microsoft.com>
Signed-off-by: Jason Yan <yanaijie(a)huawei.com>
---
fs/ksmbd/transport_rdma.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/fs/ksmbd/transport_rdma.c b/fs/ksmbd/transport_rdma.c
index 3c1ec1ac0b27..ba5a22bc2e6d 100644
--- a/fs/ksmbd/transport_rdma.c
+++ b/fs/ksmbd/transport_rdma.c
@@ -80,7 +80,7 @@ static int smb_direct_max_fragmented_recv_size = 1024 * 1024;
/* The maximum single-message size which can be received */
static int smb_direct_max_receive_size = 8192;
-static int smb_direct_max_read_write_size = 1048512;
+static int smb_direct_max_read_write_size = 524224;
static int smb_direct_max_outstanding_rw_ops = 8;
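Review bot: 524224 replaces 1048512 as a bare literal with no comment; the only explanation (single Buffer Descriptor V1 limitation, interim workaround) lives in the commit message. Add a comment above smb_direct_max_read_write_size saying why the value is about 512KB and that it can be raised once multiple descriptors are supported, or write it as an expression so the derivation is visible in the source.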
From patchwork Mon Nov 14 12:53:11 2022
X-Patchwork-Submitter: Jason Yan <yanaijie(a)huawei.com>
X-Patchwork-Id: 183379
From: Jason Yan <yanaijie(a)huawei.com>
To: <yanaijie(a)huawei.com>, <zhengzengkai(a)huawei.com>, <xiexiuqi(a)huawei.com>,
<yi.zhang(a)huawei.com>, <patchwork(a)huawei.com>, <kernel.openeuler(a)huawei.com>,
<houtao1(a)huawei.com>
Subject: [PATCH OLK-5.10 v2 282/308] ksmbd: fix reference count leak in
smb_check_perm_dacl()
Date: Mon, 14 Nov 2022 20:53:11 +0800
Message-ID: <20221114125337.1831594-283-yanaijie(a)huawei.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20221114125337.1831594-1-yanaijie(a)huawei.com>
References: <20221114125337.1831594-1-yanaijie(a)huawei.com>
From: Xin Xiong <xiongx18(a)fudan.edu.cn>
mainline inclusion
from mainline-5.19-rc1
commit d21a580dafc69aa04f46e6099616146a536b0724
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G
CVE: NA
Reference: https://git.kernel.org/torvalds/linux/c/d21a580dafc6
-------------------------------
The issue happens in a specific path in smb_check_perm_dacl(). When
"id" and "uid" have the same value, the function simply jumps out of
the loop without decrementing the reference count of the object
"posix_acls", which is increased by get_acl() earlier. This may
result in memory leaks.
Fix it by decreasing the reference count of "posix_acls" before
jumping to label "check_access_bits".
Fixes: 777cad1604d6 ("ksmbd: remove select FS_POSIX_ACL in Kconfig")
Signed-off-by: Xin Xiong <xiongx18(a)fudan.edu.cn>
Signed-off-by: Xin Tan <tanxin.ctf(a)gmail.com>
Acked-by: Namjae Jeon <linkinjeon(a)kernel.org>
Signed-off-by: Steve French <stfrench(a)microsoft.com>
Signed-off-by: Jason Yan <yanaijie(a)huawei.com>
---
fs/ksmbd/smbacl.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/fs/ksmbd/smbacl.c b/fs/ksmbd/smbacl.c
index 7d8f9d03fb64..aa2c76e1bcbe 100644
--- a/fs/ksmbd/smbacl.c
+++ b/fs/ksmbd/smbacl.c
@@ -1250,6 +1250,7 @@ int smb_check_perm_dacl(struct ksmbd_conn *conn, struct path *path,
if (!access_bits)
access_bits =
SET_MINIMUM_RIGHTS;
+ posix_acl_release(posix_acls);
goto check_access_bits;
}
}
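Review bot: posix_acl_release(posix_acls) is added by hand in front of this one `goto check_access_bits`, which is the same pattern that produced the leak; any further early exit added to the loop has to remember the call again. Consider releasing posix_acls at a single point after the loop so that every path drops the reference taken by get_acl().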
From patchwork Mon Nov 14 12:53:12 2022
X-Patchwork-Submitter: Jason Yan <yanaijie(a)huawei.com>
X-Patchwork-Id: 183380
From: Jason Yan <yanaijie(a)huawei.com>
To: <yanaijie(a)huawei.com>, <zhengzengkai(a)huawei.com>, <xiexiuqi(a)huawei.com>,
<yi.zhang(a)huawei.com>, <patchwork(a)huawei.com>, <kernel.openeuler(a)huawei.com>,
<houtao1(a)huawei.com>
Subject: [PATCH OLK-5.10 v2 283/308] ksmbd: smbd: fix connection dropped issue
Date: Mon, 14 Nov 2022 20:53:12 +0800
Message-ID: <20221114125337.1831594-284-yanaijie(a)huawei.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20221114125337.1831594-1-yanaijie(a)huawei.com>
References: <20221114125337.1831594-1-yanaijie(a)huawei.com>
From: Hyunchul Lee <hyc.lee(a)gmail.com>
mainline inclusion
from mainline-5.19-rc1
commit 5366afc4065075a4456941fbd51c33604d631ee5
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G
CVE: NA
Reference: https://git.kernel.org/torvalds/linux/c/5366afc40650
-------------------------------
When there are bursty connection requests,
the RDMA connection event handler is deferred and
Negotiation requests are received even if
the connection status is NEW.
To handle it, set the status to CONNECTED
if Negotiation requests are received.
Reported-by: Yufan Chen <wiz.chen(a)gmail.com>
Signed-off-by: Hyunchul Lee <hyc.lee(a)gmail.com>
Tested-by: Yufan Chen <wiz.chen(a)gmail.com>
Acked-by: Namjae Jeon <linkinjeon(a)kernel.org>
Signed-off-by: Steve French <stfrench(a)microsoft.com>
Signed-off-by: Jason Yan <yanaijie(a)huawei.com>
---
fs/ksmbd/transport_rdma.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/fs/ksmbd/transport_rdma.c b/fs/ksmbd/transport_rdma.c
index ba5a22bc2e6d..d3b60b833a81 100644
--- a/fs/ksmbd/transport_rdma.c
+++ b/fs/ksmbd/transport_rdma.c
@@ -569,6 +569,7 @@ static void recv_done(struct ib_cq *cq, struct ib_wc *wc)
}
t->negotiation_requested = true;
t->full_packet_received = true;
+ t->status = SMB_DIRECT_CS_CONNECTED;
enqueue_reassembly(t, recvmsg, 0);
wake_up_interruptible(&t->wait_status);
break;
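Review bot: t->status is set to SMB_DIRECT_CS_CONNECTED unconditionally from the receive completion handler, so a transport that has already left the NEW state for something other than CONNECTED would be flipped back to connected by a late negotiation message. Make the transition only when the current status is still NEW, and state what serializes this write against the deferred connection event handler named in the commit message.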
From patchwork Mon Nov 14 12:53:13 2022
X-Patchwork-Submitter: Jason Yan <yanaijie(a)huawei.com>
X-Patchwork-Id: 183381
From: Jason Yan <yanaijie(a)huawei.com>
To: <yanaijie(a)huawei.com>, <zhengzengkai(a)huawei.com>, <xiexiuqi(a)huawei.com>,
<yi.zhang(a)huawei.com>, <patchwork(a)huawei.com>, <kernel.openeuler(a)huawei.com>,
<houtao1(a)huawei.com>
Subject: [PATCH OLK-5.10 v2 284/308] ksmbd: add channel rwlock
Date: Mon, 14 Nov 2022 20:53:13 +0800
Message-ID: <20221114125337.1831594-285-yanaijie(a)huawei.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20221114125337.1831594-1-yanaijie(a)huawei.com>
References: <20221114125337.1831594-1-yanaijie(a)huawei.com>
From: Namjae Jeon <linkinjeon(a)kernel.org>
mainline inclusion
from mainline-6.0-rc1
commit 8e06b31e348107c5d78e2c90bb7e69388cb97fb6
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G
CVE: NA
Reference: https://git.kernel.org/torvalds/linux/c/8e06b31e3481
-------------------------------
Add missing rwlock for channel list in session.
Signed-off-by: Namjae Jeon <linkinjeon(a)kernel.org>
Reviewed-by: Hyunchul Lee <hyc.lee(a)gmail.com>
Signed-off-by: Steve French <stfrench(a)microsoft.com>
Signed-off-by: Jason Yan <yanaijie(a)huawei.com>
---
fs/ksmbd/mgmt/user_session.c | 3 +++
fs/ksmbd/mgmt/user_session.h | 1 +
fs/ksmbd/smb2pdu.c | 20 ++++++++++++++++++--
3 files changed, 22 insertions(+), 2 deletions(-)
diff --git a/fs/ksmbd/mgmt/user_session.c b/fs/ksmbd/mgmt/user_session.c
index 8d8ffd8c6f19..e963433a645c 100644
--- a/fs/ksmbd/mgmt/user_session.c
+++ b/fs/ksmbd/mgmt/user_session.c
@@ -32,11 +32,13 @@ static void free_channel_list(struct ksmbd_session *sess)
{
struct channel *chann, *tmp;
+ write_lock(&sess->chann_lock);
list_for_each_entry_safe(chann, tmp, &sess->ksmbd_chann_list,
chann_list) {
list_del(&chann->chann_list);
kfree(chann);
}
+ write_unlock(&sess->chann_lock);
}
static void __session_rpc_close(struct ksmbd_session *sess,
@@ -320,6 +322,7 @@ static struct ksmbd_session *__session_create(int protocol)
INIT_LIST_HEAD(&sess->rpc_handle_list);
sess->sequence_number = 1;
atomic_set(&sess->refcnt, 1);
+ rwlock_init(&sess->chann_lock);
switch (protocol) {
case CIFDS_SESSION_FLAG_SMB2:
diff --git a/fs/ksmbd/mgmt/user_session.h b/fs/ksmbd/mgmt/user_session.h
index e241f16a3851..67f5c4106528 100644
--- a/fs/ksmbd/mgmt/user_session.h
+++ b/fs/ksmbd/mgmt/user_session.h
@@ -48,6 +48,7 @@ struct ksmbd_session {
char sess_key[CIFS_KEY_SIZE];
struct hlist_node hlist;
+ rwlock_t chann_lock;
struct list_head ksmbd_chann_list;
struct xarray tree_conns;
struct ida tree_conn_ida;
diff --git a/fs/ksmbd/smb2pdu.c b/fs/ksmbd/smb2pdu.c
index f118cbf00cac..39a49010e3b9 100644
--- a/fs/ksmbd/smb2pdu.c
+++ b/fs/ksmbd/smb2pdu.c
@@ -1509,7 +1509,9 @@ static int ntlm_authenticate(struct ksmbd_work *work)
binding_session:
if (conn->dialect >= SMB30_PROT_ID) {
+ read_lock(&sess->chann_lock);
chann = lookup_chann_list(sess, conn);
+ read_unlock(&sess->chann_lock);
if (!chann) {
chann = kmalloc(sizeof(struct channel), GFP_KERNEL);
if (!chann)
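Review bot: lookup_chann_list() runs under read_lock, the lock is dropped, and the list_add() in the next hunk takes write_lock separately, so two session binds can both see NULL and both insert a channel for the same connection. Do the lookup and the insert under one write_lock, allocating before taking it since kmalloc(GFP_KERNEL) may sleep. The chann pointer is also used after read_unlock with nothing keeping the entry alive.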
@@ -1517,7 +1519,9 @@ static int ntlm_authenticate(struct ksmbd_work *work)
chann->conn = conn;
INIT_LIST_HEAD(&chann->chann_list);
+ write_lock(&sess->chann_lock);
list_add(&chann->chann_list, &sess->ksmbd_chann_list);
+ write_unlock(&sess->chann_lock);
}
}
@@ -1591,7 +1595,9 @@ static int krb5_authenticate(struct ksmbd_work *work)
}
if (conn->dialect >= SMB30_PROT_ID) {
+ read_lock(&sess->chann_lock);
chann = lookup_chann_list(sess, conn);
+ read_unlock(&sess->chann_lock);
if (!chann) {
chann = kmalloc(sizeof(struct channel), GFP_KERNEL);
if (!chann)
@@ -1599,7 +1605,9 @@ static int krb5_authenticate(struct ksmbd_work *work)
chann->conn = conn;
INIT_LIST_HEAD(&chann->chann_list);
+ write_lock(&sess->chann_lock);
list_add(&chann->chann_list, &sess->ksmbd_chann_list);
+ write_unlock(&sess->chann_lock);
}
}
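Review bot: this is a copy of the lookup/allocate/list_add sequence in ntlm_authenticate(), locking included; a small helper that adds a channel for (sess, conn) under sess->chann_lock would keep the two authentication paths from diverging when the locking is revised.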
@@ -8303,10 +8311,14 @@ int smb3_check_sign_req(struct ksmbd_work *work)
if (le16_to_cpu(hdr->Command) == SMB2_SESSION_SETUP_HE) {
signing_key = work->sess->smb3signingkey;
} else {
+ read_lock(&work->sess->chann_lock);
chann = lookup_chann_list(work->sess, conn);
- if (!chann)
+ if (!chann) {
+ read_unlock(&work->sess->chann_lock);
return 0;
+ }
signing_key = chann->smb3signingkey;
+ read_unlock(&work->sess->chann_lock);
}
if (!signing_key) {
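Review bot: signing_key is assigned from chann->smb3signingkey under the read lock, but the lock is released before signing_key is used, so if the key is stored inside struct channel the pointer can outlive the channel once free_channel_list() frees it. Copy the key while the lock is held, or keep the lock across the signature computation; the same applies to the smb3_set_sign_rsp() hunk that follows.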
@@ -8366,10 +8378,14 @@ void smb3_set_sign_rsp(struct ksmbd_work *work)
le16_to_cpu(hdr->Command) == SMB2_SESSION_SETUP_HE) {
signing_key = work->sess->smb3signingkey;
} else {
+ read_lock(&work->sess->chann_lock);
chann = lookup_chann_list(work->sess, work->conn);
- if (!chann)
+ if (!chann) {
+ read_unlock(&work->sess->chann_lock);
return;
+ }
signing_key = chann->smb3signingkey;
+ read_unlock(&work->sess->chann_lock);
}
if (!signing_key)
From patchwork Mon Nov 14 12:53:14 2022
X-Patchwork-Submitter: Jason Yan <yanaijie(a)huawei.com>
X-Patchwork-Id: 183382
From: Jason Yan <yanaijie(a)huawei.com>
To: <yanaijie(a)huawei.com>, <zhengzengkai(a)huawei.com>, <xiexiuqi(a)huawei.com>,
<yi.zhang(a)huawei.com>, <patchwork(a)huawei.com>, <kernel.openeuler(a)huawei.com>,
<houtao1(a)huawei.com>
Subject: [PATCH OLK-5.10 v2 285/308] ksmbd: handle smb2 query dir request for
OutputBufferLength that is too small
Date: Mon, 14 Nov 2022 20:53:14 +0800
Message-ID: <20221114125337.1831594-286-yanaijie(a)huawei.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20221114125337.1831594-1-yanaijie(a)huawei.com>
References: <20221114125337.1831594-1-yanaijie(a)huawei.com>
From: Namjae Jeon <linkinjeon(a)kernel.org>
mainline inclusion
from mainline-5.19-rc1
commit 65ca7a3ffff811d6c0d4342d467c381257d566d4
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G
CVE: NA
Reference: https://git.kernel.org/torvalds/linux/c/65ca7a3ffff8
-------------------------------
We found an issue where ksmbd returns a STATUS_NO_MORE_FILES response
even though there are still dentries that need to be read, during a
file read/write test using framtest utils.
The Windows client sends an smb2 query dir request with an
OutputBufferLength (128) that is too small to contain even one entry.
This patch makes ksmbd immediately return an OutputBufferLength of zero
in the response to the client.
Signed-off-by: Namjae Jeon <linkinjeon(a)kernel.org>
Reviewed-by: Hyunchul Lee <hyc.lee(a)gmail.com>
Signed-off-by: Steve French <stfrench(a)microsoft.com>
Signed-off-by: Jason Yan <yanaijie(a)huawei.com>
---
fs/ksmbd/smb2pdu.c | 10 +++++++++-
1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/fs/ksmbd/smb2pdu.c b/fs/ksmbd/smb2pdu.c
index 39a49010e3b9..8d51cfc3f04a 100644
--- a/fs/ksmbd/smb2pdu.c
+++ b/fs/ksmbd/smb2pdu.c
@@ -3922,6 +3922,12 @@ int smb2_query_dir(struct ksmbd_work *work)
set_ctx_actor(&dir_fp->readdir_data.ctx, __query_dir);
rc = iterate_dir(dir_fp->filp, &dir_fp->readdir_data.ctx);
+ /*
+ * req->OutputBufferLength is too small to contain even one entry.
+ * In this case, it immediately returns OutputBufferLength 0 to client.
+ */
+ if (!d_info.out_buf_len && !d_info.num_entry)
+ goto no_buf_len;
if (rc == 0)
restart_ctx(&dir_fp->readdir_data.ctx);
if (rc == -ENOSPC)
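Review bot: the new `goto no_buf_len` sits before the rc checks, so the value returned by iterate_dir() is never looked at on that path; if the call failed while out_buf_len is zero and num_entry is zero, the error is dropped and a success-shaped response is built. Test rc first, or require `rc >= 0` in the condition.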
@@ -3948,10 +3954,12 @@ int smb2_query_dir(struct ksmbd_work *work)
rsp->Buffer[0] = 0;
inc_rfc1001_len(work->response_buf, 9);
} else {
+no_buf_len:
((struct file_directory_info *)
((char *)rsp->Buffer + d_info.last_entry_offset))
->NextEntryOffset = 0;
- d_info.data_count -= d_info.last_entry_off_align;
+ if (d_info.data_count >= d_info.last_entry_off_align)
+ d_info.data_count -= d_info.last_entry_off_align;
rsp->StructureSize = cpu_to_le16(9);
rsp->OutputBufferOffset = cpu_to_le16(72);
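Review bot: the no_buf_len label is placed inside the else block, so the goto jumps into the middle of an if/else, and on that path the store of NextEntryOffset = 0 at rsp->Buffer + d_info.last_entry_offset treats the buffer as a file_directory_info although no entry was written. Build the empty response in its own branch instead. The new `data_count >= last_entry_off_align` guard also skips the subtraction silently; clearing last_entry_off_align when an entry is rejected would address the cause rather than the symptom.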
From patchwork Mon Nov 14 12:53:15 2022
X-Patchwork-Submitter: Jason Yan <yanaijie(a)huawei.com>
X-Patchwork-Id: 183383
From: Jason Yan <yanaijie(a)huawei.com>
To: <yanaijie(a)huawei.com>, <zhengzengkai(a)huawei.com>, <xiexiuqi(a)huawei.com>,
<yi.zhang(a)huawei.com>, <patchwork(a)huawei.com>, <kernel.openeuler(a)huawei.com>,
<houtao1(a)huawei.com>
Subject: [PATCH OLK-5.10 v2 286/308] ksmbd: fix incorrect handling of
iterate_dir
Date: Mon, 14 Nov 2022 20:53:15 +0800
Message-ID: <20221114125337.1831594-287-yanaijie(a)huawei.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20221114125337.1831594-1-yanaijie(a)huawei.com>
References: <20221114125337.1831594-1-yanaijie(a)huawei.com>
From: Namjae Jeon <linkinjeon(a)kernel.org>
mainline inclusion
from mainline-6.1-rc1
commit 88541cb414b7a2450c45fc9c131b37b5753b7679
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G
CVE: NA
Reference: https://git.kernel.org/torvalds/linux/c/88541cb414b7
-------------------------------
If iterate_dir() returns a non-negative value, the caller has to treat it
as normal and check whether there is any error while populating dentry
information. ksmbd doesn't have to do anything because ksmbd already
checks for an OutputBufferLength too small to store one file's information.
And because ctx->pos is set to file->f_pos when iterate_dir() is called,
remove restart_ctx(). And if iterate_dir() returns -EIO, which means the
directory entry is corrupted, return a STATUS_FILE_CORRUPT_ERROR error
response.
This patch fixes some failures of SMB2_QUERY_DIRECTORY, which happen when
ntfs3 is the local filesystem.
Fixes: e2f34481b24d ("cifsd: add server-side procedures for SMB3")
Cc: stable(a)vger.kernel.org
Signed-off-by: Hyunchul Lee <hyc.lee(a)gmail.com>
Signed-off-by: Namjae Jeon <linkinjeon(a)kernel.org>
Signed-off-by: Steve French <stfrench(a)microsoft.com>
Signed-off-by: Jason Yan <yanaijie(a)huawei.com>
---
fs/ksmbd/smb2pdu.c | 14 ++++----------
1 file changed, 4 insertions(+), 10 deletions(-)
diff --git a/fs/ksmbd/smb2pdu.c b/fs/ksmbd/smb2pdu.c
index 8d51cfc3f04a..9695661f4cc0 100644
--- a/fs/ksmbd/smb2pdu.c
+++ b/fs/ksmbd/smb2pdu.c
@@ -3772,11 +3772,6 @@ static int __query_dir(struct dir_context *ctx, const char *name, int namlen,
return 0;
}
-static void restart_ctx(struct dir_context *ctx)
-{
- ctx->pos = 0;
-}
-
static int verify_info_level(int info_level)
{
switch (info_level) {
@@ -3881,7 +3876,6 @@ int smb2_query_dir(struct ksmbd_work *work)
if (srch_flag & SMB2_REOPEN || srch_flag & SMB2_RESTART_SCANS) {
ksmbd_debug(SMB, "Restart directory scan\n");
generic_file_llseek(dir_fp->filp, 0, SEEK_SET);
- restart_ctx(&dir_fp->readdir_data.ctx);
}
memset(&d_info, 0, sizeof(struct ksmbd_dir_info));
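Review bot: the return value of generic_file_llseek() in the SMB2_REOPEN / SMB2_RESTART_SCANS branch is ignored, and with restart_ctx() gone the rewind now depends entirely on that call having reset f_pos. Either check the result and fail the request when the seek did not succeed, or add a comment stating why it cannot fail for a directory opened by ksmbd. Calling generic_file_llseek() directly also bypasses any llseek the underlying filesystem provides for directories; vfs_llseek() would go through it.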
@@ -3928,11 +3922,9 @@ int smb2_query_dir(struct ksmbd_work *work)
*/
if (!d_info.out_buf_len && !d_info.num_entry)
goto no_buf_len;
- if (rc == 0)
- restart_ctx(&dir_fp->readdir_data.ctx);
- if (rc == -ENOSPC)
+ if (rc > 0 || rc == -ENOSPC)
rc = 0;
- if (rc)
+ else if (rc)
goto err_out;
d_info.wptr = d_info.rptr;
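Review bot: the new `rc > 0` case in the check after the no_buf_len test has no comment, and the reason for it lives only in the commit message. A one-line comment saying that a positive return from iterate_dir() is not an error and is handled like -ENOSPC would keep a later cleanup from folding this back into a plain `if (rc)`.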
@@ -3989,6 +3981,8 @@ int smb2_query_dir(struct ksmbd_work *work)
rsp->hdr.Status = STATUS_NO_MEMORY;
else if (rc == -EFAULT)
rsp->hdr.Status = STATUS_INVALID_INFO_CLASS;
+ else if (rc == -EIO)
+ rsp->hdr.Status = STATUS_FILE_CORRUPT_ERROR;
if (!rsp->hdr.Status)
rsp->hdr.Status = STATUS_UNEXPECTED_IO_ERROR;
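Review bot: the -EIO mapping sits in the shared status chain, so it is keyed on the value of rc alone and not on iterate_dir() being the source. If any other step in smb2_query_dir() can also fail with -EIO, the client is told the directory is corrupt. If that is not intended, set the status at the point where iterate_dir() returns; otherwise add a comment that every -EIO reaching this chain is reported as STATUS_FILE_CORRUPT_ERROR.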
From patchwork Mon Nov 14 12:53:16 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Jason Yan <yanaijie(a)huawei.com>
X-Patchwork-Id: 183384
From: Jason Yan <yanaijie(a)huawei.com>
To: <yanaijie(a)huawei.com>, <zhengzengkai(a)huawei.com>, <xiexiuqi(a)huawei.com>,
<yi.zhang(a)huawei.com>, <patchwork(a)huawei.com>, <kernel.openeuler(a)huawei.com>,
<houtao1(a)huawei.com>
Subject: [PATCH OLK-5.10 v2 287/308] ksmbd: use wait_event instead of
schedule_timeout()
Date: Mon, 14 Nov 2022 20:53:16 +0800
Message-ID: <20221114125337.1831594-288-yanaijie(a)huawei.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20221114125337.1831594-1-yanaijie(a)huawei.com>
References: <20221114125337.1831594-1-yanaijie(a)huawei.com>
From: Namjae Jeon <linkinjeon(a)kernel.org>
mainline inclusion
from mainline-6.0-rc1
commit a14c573870a664386adc10526a6c2648ea56dae1
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G
CVE: NA
Reference: https://git.kernel.org/torvalds/linux/c/a14c573870a6
-------------------------------
ksmbd threads eat masses of CPU time when a connection is disconnected.
If a connection is disconnected, the ksmbd thread waits for pending requests
to be processed using schedule_timeout(). schedule_timeout() is used
incorrectly, and it is more efficient to use wait_event/wake_up than to check
r_count every time with a timeout.
Signed-off-by: Namjae Jeon <linkinjeon(a)kernel.org>
Reviewed-by: Hyunchul Lee <hyc.lee(a)gmail.com>
Signed-off-by: Steve French <stfrench(a)microsoft.com>
Signed-off-by: Jason Yan <yanaijie(a)huawei.com>
---
fs/ksmbd/connection.c | 6 +++---
fs/ksmbd/connection.h | 1 +
fs/ksmbd/oplock.c | 35 ++++++++++++++++++++++-------------
fs/ksmbd/server.c | 8 +++++++-
4 files changed, 33 insertions(+), 17 deletions(-)
diff --git a/fs/ksmbd/connection.c b/fs/ksmbd/connection.c
index 6f4cee9beaa9..41e9c2d6c3b1 100644
--- a/fs/ksmbd/connection.c
+++ b/fs/ksmbd/connection.c
@@ -64,6 +64,7 @@ struct ksmbd_conn *ksmbd_conn_alloc(void)
conn->total_credits = 1;
init_waitqueue_head(&conn->req_running_q);
+ init_waitqueue_head(&conn->r_count_q);
INIT_LIST_HEAD(&conn->conns_list);
INIT_LIST_HEAD(&conn->sessions);
INIT_LIST_HEAD(&conn->requests);
@@ -163,7 +164,6 @@ int ksmbd_conn_write(struct ksmbd_work *work)
struct kvec iov[3];
int iov_idx = 0;
- ksmbd_conn_try_dequeue_request(work);
if (!work->response_buf) {
pr_err("NULL response header\n");
return -EINVAL;
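Review bot: dropping ksmbd_conn_try_dequeue_request() from ksmbd_conn_write() is not mentioned in the commit message. handle_ksmbd_work() in server.c still dequeues before freeing the work, but the oplock and lease break paths in oplock.c call ksmbd_conn_write() and then ksmbd_free_work_struct() with no dequeue in the visible lines. Please state in the commit message why no dequeue is needed on those paths, or split this removal into its own patch.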
@@ -345,8 +345,8 @@ int ksmbd_conn_handler_loop(void *p)
out:
/* Wait till all reference dropped to the Server object*/
- while (atomic_read(&conn->r_count) > 0)
- schedule_timeout(HZ);
+ wait_event(conn->r_count_q, atomic_read(&conn->r_count) == 0);
+
unload_nls(conn->local_nls);
if (default_conn_ops.terminate_fn)
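Review bot: wait_event() at the out label of ksmbd_conn_handler_loop() sleeps uninterruptibly with no timeout, so the handler thread now depends on every r_count decrement issuing a wake_up on r_count_q. This patch converts three sites (two in oplock.c, one in server.c); please confirm that no other atomic_dec(&conn->r_count) remains, since one missed site leaves the thread blocked forever where the old loop would have re-read the counter on its next pass.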
diff --git a/fs/ksmbd/connection.h b/fs/ksmbd/connection.h
index d85f0122edc9..e330e1f87dbe 100644
--- a/fs/ksmbd/connection.h
+++ b/fs/ksmbd/connection.h
@@ -65,6 +65,7 @@ struct ksmbd_conn {
unsigned short max_credits;
spinlock_t credits_lock;
wait_queue_head_t req_running_q;
+ wait_queue_head_t r_count_q;
/* Lock to protect requests list*/
spinlock_t request_lock;
struct list_head requests;
diff --git a/fs/ksmbd/oplock.c b/fs/ksmbd/oplock.c
index 3162bdcdb255..f6f1adf94673 100644
--- a/fs/ksmbd/oplock.c
+++ b/fs/ksmbd/oplock.c
@@ -615,18 +615,13 @@ static void __smb2_oplock_break_noti(struct work_struct *wk)
struct ksmbd_file *fp;
fp = ksmbd_lookup_durable_fd(br_info->fid);
- if (!fp) {
- atomic_dec(&conn->r_count);
- ksmbd_free_work_struct(work);
- return;
- }
+ if (!fp)
+ goto out;
if (allocate_oplock_break_buf(work)) {
pr_err("smb2_allocate_rsp_buf failed! ");
- atomic_dec(&conn->r_count);
ksmbd_fd_put(work, fp);
- ksmbd_free_work_struct(work);
- return;
+ goto out;
}
rsp_hdr = smb2_get_msg(work->response_buf);
@@ -667,8 +662,16 @@ static void __smb2_oplock_break_noti(struct work_struct *wk)
ksmbd_fd_put(work, fp);
ksmbd_conn_write(work);
+
+out:
ksmbd_free_work_struct(work);
- atomic_dec(&conn->r_count);
+ /*
+ * Checking waitqueue to dropping pending requests on
+ * disconnection. waitqueue_active is safe because it
+ * uses atomic operation for condition.
+ */
+ if (!atomic_dec_return(&conn->r_count) && waitqueue_active(&conn->r_count_q))
+ wake_up(&conn->r_count_q);
}
/**
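Review bot: in the out path of __smb2_oplock_break_noti(), conn->r_count_q is read after atomic_dec_return() has already dropped r_count to zero. The waiter in ksmbd_conn_handler_loop() tests r_count == 0 before it sleeps, so it can observe zero and continue into teardown between the decrement and the waitqueue_active() call; if that teardown frees conn, this is a use-after-free. Consider holding an extra reference on conn across the wake-up, or another scheme in which the waiter cannot release conn until the waker has finished touching it.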
@@ -731,9 +734,7 @@ static void __smb2_lease_break_noti(struct work_struct *wk)
if (allocate_oplock_break_buf(work)) {
ksmbd_debug(OPLOCK, "smb2_allocate_rsp_buf failed! ");
- ksmbd_free_work_struct(work);
- atomic_dec(&conn->r_count);
- return;
+ goto out;
}
rsp_hdr = smb2_get_msg(work->response_buf);
@@ -771,8 +772,16 @@ static void __smb2_lease_break_noti(struct work_struct *wk)
inc_rfc1001_len(work->response_buf, 44);
ksmbd_conn_write(work);
+
+out:
ksmbd_free_work_struct(work);
- atomic_dec(&conn->r_count);
+ /*
+ * Checking waitqueue to dropping pending requests on
+ * disconnection. waitqueue_active is safe because it
+ * uses atomic operation for condition.
+ */
+ if (!atomic_dec_return(&conn->r_count) && waitqueue_active(&conn->r_count_q))
+ wake_up(&conn->r_count_q);
}
/**
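Review bot: the decrement-and-wake block at the end of __smb2_lease_break_noti() is the third verbatim copy in this patch (it also appears in __smb2_oplock_break_noti() and handle_ksmbd_work()). A small static inline helper in connection.h that takes the conn would keep the ordering requirement in one place and give any future r_count decrement site a single call to use.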
diff --git a/fs/ksmbd/server.c b/fs/ksmbd/server.c
index 9e635aa25c13..72d8fd1c4d43 100644
--- a/fs/ksmbd/server.c
+++ b/fs/ksmbd/server.c
@@ -261,7 +261,13 @@ static void handle_ksmbd_work(struct work_struct *wk)
ksmbd_conn_try_dequeue_request(work);
ksmbd_free_work_struct(work);
- atomic_dec(&conn->r_count);
+ /*
+ * Checking waitqueue to dropping pending requests on
+ * disconnection. waitqueue_active is safe because it
+ * uses atomic operation for condition.
+ */
+ if (!atomic_dec_return(&conn->r_count) && waitqueue_active(&conn->r_count_q))
+ wake_up(&conn->r_count_q);
}
/**
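Review bot: the comment added in handle_ksmbd_work() does not say what actually makes the lockless waitqueue_active() check valid. waitqueue_active() needs a full barrier between the condition update and the check; here that comes from atomic_dec_return() being a fully ordered atomic. Suggest rewording along these lines: wake the handler thread waiting in ksmbd_conn_handler_loop() once the last request reference is dropped; atomic_dec_return() orders the decrement before waitqueue_active().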
From patchwork Mon Nov 14 12:53:17 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Jason Yan <yanaijie(a)huawei.com>
X-Patchwork-Id: 183385
From: Jason Yan <yanaijie(a)huawei.com>
To: <yanaijie(a)huawei.com>, <zhengzengkai(a)huawei.com>, <xiexiuqi(a)huawei.com>,
<yi.zhang(a)huawei.com>, <patchwork(a)huawei.com>, <kernel.openeuler(a)huawei.com>,
<houtao1(a)huawei.com>
Subject: [PATCH OLK-5.10 v2 288/308] ksmbd: replace sessions list in
connection with xarray
Date: Mon, 14 Nov 2022 20:53:17 +0800
Message-ID: <20221114125337.1831594-289-yanaijie(a)huawei.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20221114125337.1831594-1-yanaijie(a)huawei.com>
References: <20221114125337.1831594-1-yanaijie(a)huawei.com>
From: Namjae Jeon <linkinjeon(a)kernel.org>
mainline inclusion
from mainline-6.0-rc1
commit e4d3e6b524c0c928f7fc9e03e047885c4951ae60
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G
CVE: NA
Reference: https://git.kernel.org/torvalds/linux/c/e4d3e6b524c0
-------------------------------
Replace sessions list in connection with xarray.
Signed-off-by: Namjae Jeon <linkinjeon(a)kernel.org>
Reviewed-by: Hyunchul Lee <hyc.lee(a)gmail.com>
Signed-off-by: Steve French <stfrench(a)microsoft.com>
Signed-off-by: Jason Yan <yanaijie(a)huawei.com>
---
fs/ksmbd/connection.c | 3 ++-
fs/ksmbd/connection.h | 2 +-
fs/ksmbd/mgmt/user_session.c | 31 +++++++------------------------
fs/ksmbd/mgmt/user_session.h | 5 ++---
fs/ksmbd/smb2pdu.c | 13 +++++++++----
5 files changed, 21 insertions(+), 33 deletions(-)
diff --git a/fs/ksmbd/connection.c b/fs/ksmbd/connection.c
index 41e9c2d6c3b1..cdb029e4fae5 100644
--- a/fs/ksmbd/connection.c
+++ b/fs/ksmbd/connection.c
@@ -36,6 +36,7 @@ void ksmbd_conn_free(struct ksmbd_conn *conn)
list_del(&conn->conns_list);
write_unlock(&conn_list_lock);
+ xa_destroy(&conn->sessions);
kvfree(conn->request_buf);
kfree(conn->preauth_info);
kfree(conn);
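Review bot: xa_destroy() in ksmbd_conn_free() releases only the xarray's own nodes, not the ksmbd_session objects stored in it. That is fine if ksmbd_sessions_deregister() has always emptied conn->sessions by this point; a WARN_ON(!xa_empty(&conn->sessions)) before the destroy, or a comment naming that precondition, would make a leaked session visible.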
@@ -66,12 +67,12 @@ struct ksmbd_conn *ksmbd_conn_alloc(void)
init_waitqueue_head(&conn->req_running_q);
init_waitqueue_head(&conn->r_count_q);
INIT_LIST_HEAD(&conn->conns_list);
- INIT_LIST_HEAD(&conn->sessions);
INIT_LIST_HEAD(&conn->requests);
INIT_LIST_HEAD(&conn->async_requests);
spin_lock_init(&conn->request_lock);
spin_lock_init(&conn->credits_lock);
ida_init(&conn->async_ida);
+ xa_init(&conn->sessions);
spin_lock_init(&conn->llist_lock);
INIT_LIST_HEAD(&conn->lock_list);
diff --git a/fs/ksmbd/connection.h b/fs/ksmbd/connection.h
index e330e1f87dbe..aeef0a74c1dd 100644
--- a/fs/ksmbd/connection.h
+++ b/fs/ksmbd/connection.h
@@ -55,7 +55,7 @@ struct ksmbd_conn {
struct nls_table *local_nls;
struct list_head conns_list;
/* smb session 1 per user */
- struct list_head sessions;
+ struct xarray sessions;
unsigned long last_active;
/* How many request are running currently */
atomic_t req_running;
diff --git a/fs/ksmbd/mgmt/user_session.c b/fs/ksmbd/mgmt/user_session.c
index e963433a645c..25e9ba3b7550 100644
--- a/fs/ksmbd/mgmt/user_session.c
+++ b/fs/ksmbd/mgmt/user_session.c
@@ -154,8 +154,6 @@ void ksmbd_session_destroy(struct ksmbd_session *sess)
if (!atomic_dec_and_test(&sess->refcnt))
return;
- list_del(&sess->sessions_entry);
-
down_write(&sessions_table_lock);
hash_del(&sess->hlist);
up_write(&sessions_table_lock);
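Review bot: with list_del() removed, ksmbd_session_destroy() no longer unlinks the session from its connection, so every caller has to remember an xa_erase() on the right conn->sessions first. A missed erase leaves a pointer to a destroyed session reachable through xa_load() in ksmbd_session_lookup(). Since ksmbd_session_register() records sess->conn, consider doing the erase inside ksmbd_session_destroy() once the refcount reaches zero, or document the requirement above the function.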
@@ -183,42 +181,28 @@ static struct ksmbd_session *__session_lookup(unsigned long long id)
return NULL;
}
-void ksmbd_session_register(struct ksmbd_conn *conn,
- struct ksmbd_session *sess)
+int ksmbd_session_register(struct ksmbd_conn *conn,
+ struct ksmbd_session *sess)
{
sess->conn = conn;
- list_add(&sess->sessions_entry, &conn->sessions);
+ return xa_err(xa_store(&conn->sessions, sess->id, sess, GFP_KERNEL));
}
void ksmbd_sessions_deregister(struct ksmbd_conn *conn)
{
struct ksmbd_session *sess;
+ unsigned long id;
- while (!list_empty(&conn->sessions)) {
- sess = list_entry(conn->sessions.next,
- struct ksmbd_session,
- sessions_entry);
-
+ xa_for_each(&conn->sessions, id, sess) {
+ xa_erase(&conn->sessions, sess->id);
ksmbd_session_destroy(sess);
}
}
-static bool ksmbd_session_id_match(struct ksmbd_session *sess,
- unsigned long long id)
-{
- return sess->id == id;
-}
-
struct ksmbd_session *ksmbd_session_lookup(struct ksmbd_conn *conn,
unsigned long long id)
{
- struct ksmbd_session *sess = NULL;
-
- list_for_each_entry(sess, &conn->sessions, sessions_entry) {
- if (ksmbd_session_id_match(sess, id))
- return sess;
- }
- return NULL;
+ return xa_load(&conn->sessions, id);
}
int get_session(struct ksmbd_session *sess)
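Review bot: ksmbd_session_register() uses xa_store(), which silently replaces whatever is already at index sess->id, so a duplicate id would drop the earlier session from the array without any error. xa_insert() returns -EBUSY in that case and fits the new int return type. Separately, the xarray index is an unsigned long while ksmbd_session_lookup() takes an unsigned long long id, so on 32-bit builds the id is truncated in xa_load(); that deserves a comment or an explicit range check. In ksmbd_sessions_deregister() the loop variable id can be passed to xa_erase() instead of re-reading sess->id.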
@@ -316,7 +300,6 @@ static struct ksmbd_session *__session_create(int protocol)
goto error;
set_session_flag(sess, protocol);
- INIT_LIST_HEAD(&sess->sessions_entry);
xa_init(&sess->tree_conns);
INIT_LIST_HEAD(&sess->ksmbd_chann_list);
INIT_LIST_HEAD(&sess->rpc_handle_list);
diff --git a/fs/ksmbd/mgmt/user_session.h b/fs/ksmbd/mgmt/user_session.h
index 67f5c4106528..1ec659f0151b 100644
--- a/fs/ksmbd/mgmt/user_session.h
+++ b/fs/ksmbd/mgmt/user_session.h
@@ -58,7 +58,6 @@ struct ksmbd_session {
__u8 smb3decryptionkey[SMB3_ENC_DEC_KEY_SIZE];
__u8 smb3signingkey[SMB3_SIGN_KEY_SIZE];
- struct list_head sessions_entry;
struct ksmbd_file_table file_table;
atomic_t refcnt;
};
@@ -85,8 +84,8 @@ void ksmbd_session_destroy(struct ksmbd_session *sess);
struct ksmbd_session *ksmbd_session_lookup_slowpath(unsigned long long id);
struct ksmbd_session *ksmbd_session_lookup(struct ksmbd_conn *conn,
unsigned long long id);
-void ksmbd_session_register(struct ksmbd_conn *conn,
- struct ksmbd_session *sess);
+int ksmbd_session_register(struct ksmbd_conn *conn,
+ struct ksmbd_session *sess);
void ksmbd_sessions_deregister(struct ksmbd_conn *conn);
struct ksmbd_session *ksmbd_session_lookup_all(struct ksmbd_conn *conn,
unsigned long long id);
diff --git a/fs/ksmbd/smb2pdu.c b/fs/ksmbd/smb2pdu.c
index 9695661f4cc0..7dba9a84cb5e 100644
--- a/fs/ksmbd/smb2pdu.c
+++ b/fs/ksmbd/smb2pdu.c
@@ -587,7 +587,8 @@ int smb2_check_user_session(struct ksmbd_work *work)
return -EINVAL;
}
-static void destroy_previous_session(struct ksmbd_user *user, u64 id)
+static void destroy_previous_session(struct ksmbd_conn *conn,
+ struct ksmbd_user *user, u64 id)
{
struct ksmbd_session *prev_sess = ksmbd_session_lookup_slowpath(id);
struct ksmbd_user *prev_user;
@@ -606,6 +607,7 @@ static void destroy_previous_session(struct ksmbd_user *user, u64 id)
}
put_session(prev_sess);
+ xa_erase(&conn->sessions, prev_sess->id);
ksmbd_session_destroy(prev_sess);
}
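Review bot: in destroy_previous_session(), the xa_erase() targets conn->sessions of the connection handling the new session setup, but prev_sess comes from ksmbd_session_lookup_slowpath(id), which is not tied to that connection. If the previous session was registered on a different connection, its entry stays in that connection's xarray after ksmbd_session_destroy(prev_sess). Erasing via prev_sess->conn would match where ksmbd_session_register() stored it. prev_sess->id is also read after put_session(prev_sess); reading it before the put avoids relying on another reference being held.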
@@ -1438,7 +1440,7 @@ static int ntlm_authenticate(struct ksmbd_work *work)
/* Check for previous session */
prev_id = le64_to_cpu(req->PreviousSessionId);
if (prev_id && prev_id != sess->id)
- destroy_previous_session(user, prev_id);
+ destroy_previous_session(conn, user, prev_id);
if (sess->state == SMB2_SESSION_VALID) {
/*
@@ -1564,7 +1566,7 @@ static int krb5_authenticate(struct ksmbd_work *work)
/* Check previous session */
prev_sess_id = le64_to_cpu(req->PreviousSessionId);
if (prev_sess_id && prev_sess_id != sess->id)
- destroy_previous_session(sess->user, prev_sess_id);
+ destroy_previous_session(conn, sess->user, prev_sess_id);
if (sess->state == SMB2_SESSION_VALID)
ksmbd_free_user(sess->user);
@@ -1657,7 +1659,9 @@ int smb2_sess_setup(struct ksmbd_work *work)
goto out_err;
}
rsp->hdr.SessionId = cpu_to_le64(sess->id);
- ksmbd_session_register(conn, sess);
+ rc = ksmbd_session_register(conn, sess);
+ if (rc)
+ goto out_err;
} else if (conn->dialect >= SMB30_PROT_ID &&
(server_conf.flags & KSMBD_GLOBAL_FLAG_SMB3_MULTICHANNEL) &&
req->Flags & SMB2_SESSION_REQ_FLAG_BINDING) {
@@ -1835,6 +1839,7 @@ int smb2_sess_setup(struct ksmbd_work *work)
if (sess->user && sess->user->flags & KSMBD_USER_FLAG_DELAY_SESSION)
try_delay = true;
+ xa_erase(&conn->sessions, sess->id);
ksmbd_session_destroy(sess);
work->sess = NULL;
if (try_delay)
From patchwork Mon Nov 14 12:53:18 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Jason Yan <yanaijie(a)huawei.com>
X-Patchwork-Id: 183386
From: Jason Yan <yanaijie(a)huawei.com>
To: <yanaijie(a)huawei.com>, <zhengzengkai(a)huawei.com>, <xiexiuqi(a)huawei.com>,
<yi.zhang(a)huawei.com>, <patchwork(a)huawei.com>, <kernel.openeuler(a)huawei.com>,
<houtao1(a)huawei.com>
Subject: [PATCH OLK-5.10 v2 289/308] ksmbd: fix kernel oops from idr_remove()
Date: Mon, 14 Nov 2022 20:53:18 +0800
Message-ID: <20221114125337.1831594-290-yanaijie(a)huawei.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20221114125337.1831594-1-yanaijie(a)huawei.com>
References: <20221114125337.1831594-1-yanaijie(a)huawei.com>
From: Namjae Jeon <linkinjeon(a)kernel.org>
mainline inclusion
from mainline-6.0-rc1
commit 17ea92a9f6d0b9a97aaec5ab748e4591d70a562c
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G
CVE: NA
Reference: https://git.kernel.org/torvalds/linux/c/17ea92a9f6d0
-------------------------------
There is a report that a kernel oops happens from idr_remove().
kernel: BUG: kernel NULL pointer dereference, address: 0000000000000010
kernel: RIP: 0010:idr_remove+0x1/0x20
kernel: __ksmbd_close_fd+0xb2/0x2d0 [ksmbd]
kernel: ksmbd_vfs_read+0x91/0x190 [ksmbd]
kernel: ksmbd_fd_put+0x29/0x40 [ksmbd]
kernel: smb2_read+0x210/0x390 [ksmbd]
kernel: __process_request+0xa4/0x180 [ksmbd]
kernel: __handle_ksmbd_work+0xf0/0x290 [ksmbd]
kernel: handle_ksmbd_work+0x2d/0x50 [ksmbd]
kernel: process_one_work+0x21d/0x3f0
kernel: worker_thread+0x50/0x3d0
kernel: rescuer_thread+0x390/0x390
kernel: kthread+0xee/0x120
kthread_complete_and_exit+0x20/0x20
kernel: ret_from_fork+0x22/0x30
While accessing files, if the connection is disconnected, Windows sends
a session setup request that includes a previous session destroy. But while
requests on the previous session are still being processed, this request
destroys the file table, which means the file table idr will be freed and
set to NULL. So a kernel oops happens from ft->idr in __ksmbd_close_fd().
This patch doesn't directly destroy the session in
destroy_previous_session(). It just sets it to KSMBD_SESS_EXITING so that
the connection will be terminated after finishing the rest of the requests.
Signed-off-by: Namjae Jeon <linkinjeon(a)kernel.org>
Reviewed-by: Hyunchul Lee <hyc.lee(a)gmail.com>
Signed-off-by: Steve French <stfrench(a)microsoft.com>
Signed-off-by: Jason Yan <yanaijie(a)huawei.com>
---
fs/ksmbd/mgmt/user_session.c | 2 ++
fs/ksmbd/smb2pdu.c | 8 ++++++--
2 files changed, 8 insertions(+), 2 deletions(-)
diff --git a/fs/ksmbd/mgmt/user_session.c b/fs/ksmbd/mgmt/user_session.c
index 25e9ba3b7550..b9acb6770b03 100644
--- a/fs/ksmbd/mgmt/user_session.c
+++ b/fs/ksmbd/mgmt/user_session.c
@@ -239,6 +239,8 @@ struct ksmbd_session *ksmbd_session_lookup_all(struct ksmbd_conn *conn,
sess = ksmbd_session_lookup(conn, id);
if (!sess && conn->binding)
sess = ksmbd_session_lookup_slowpath(id);
+ if (sess && sess->state != SMB2_SESSION_VALID)
+ sess = NULL;
return sess;
}
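Review bot: sess->state is read in ksmbd_session_lookup_all() with no lock, while destroy_previous_session() in this same patch writes prev_sess->state from a different request context. READ_ONCE()/WRITE_ONCE() or a lock around both sides would make the intent explicit. The check is also made only at lookup time, so a request that obtained the session just before it was marked expired still runs to completion; a comment saying this is intended (the connection is torn down after in-flight requests finish) would help.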
diff --git a/fs/ksmbd/smb2pdu.c b/fs/ksmbd/smb2pdu.c
index 7dba9a84cb5e..efdba70ad240 100644
--- a/fs/ksmbd/smb2pdu.c
+++ b/fs/ksmbd/smb2pdu.c
@@ -592,6 +592,7 @@ static void destroy_previous_session(struct ksmbd_conn *conn,
{
struct ksmbd_session *prev_sess = ksmbd_session_lookup_slowpath(id);
struct ksmbd_user *prev_user;
+ struct channel *chann;
if (!prev_sess)
return;
@@ -607,8 +608,11 @@ static void destroy_previous_session(struct ksmbd_conn *conn,
}
put_session(prev_sess);
- xa_erase(&conn->sessions, prev_sess->id);
- ksmbd_session_destroy(prev_sess);
+ prev_sess->state = SMB2_SESSION_EXPIRED;
+ write_lock(&prev_sess->chann_lock);
+ list_for_each_entry(chann, &prev_sess->ksmbd_chann_list, chann_list)
+ chann->conn->status = KSMBD_SESS_EXITING;
+ write_unlock(&prev_sess->chann_lock);
}
/**
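Review bot: in destroy_previous_session(), put_session(prev_sess) runs before the new lines that write prev_sess->state and walk prev_sess->ksmbd_chann_list, so the session is used after this function has dropped its reference. Moving put_session() below write_unlock() keeps the reference for the whole update. The loop only reads the channel list, so read_lock() would be enough unless chann_lock is also meant to serialise the chann->conn->status stores; if it is, say so in a comment.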
From patchwork Mon Nov 14 12:53:19 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Jason Yan <yanaijie(a)huawei.com>
X-Patchwork-Id: 183387
From: Jason Yan <yanaijie(a)huawei.com>
To: <yanaijie(a)huawei.com>, <zhengzengkai(a)huawei.com>, <xiexiuqi(a)huawei.com>,
<yi.zhang(a)huawei.com>, <patchwork(a)huawei.com>, <kernel.openeuler(a)huawei.com>,
<houtao1(a)huawei.com>
Subject: [PATCH OLK-5.10 v2 290/308] ksmbd: remove unused
ksmbd_share_configs_cleanup function
Date: Mon, 14 Nov 2022 20:53:19 +0800
Message-ID: <20221114125337.1831594-291-yanaijie(a)huawei.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20221114125337.1831594-1-yanaijie(a)huawei.com>
References: <20221114125337.1831594-1-yanaijie(a)huawei.com>
From: Namjae Jeon <linkinjeon(a)kernel.org>
mainline inclusion
from mainline-6.0-rc1
commit 1c90b54718fdea4f89e7e0c2415803f33f6d0b00
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G
CVE: NA
Reference: https://git.kernel.org/torvalds/linux/c/1c90b54718fd
-------------------------------
Remove unused ksmbd_share_configs_cleanup function.
Signed-off-by: Namjae Jeon <linkinjeon(a)kernel.org>
Signed-off-by: Steve French <stfrench(a)microsoft.com>
Signed-off-by: Jason Yan <yanaijie(a)huawei.com>
---
fs/ksmbd/mgmt/share_config.c | 14 --------------
fs/ksmbd/mgmt/share_config.h | 2 --
2 files changed, 16 deletions(-)
diff --git a/fs/ksmbd/mgmt/share_config.c b/fs/ksmbd/mgmt/share_config.c
index cb72d30f5b71..70655af93b44 100644
--- a/fs/ksmbd/mgmt/share_config.c
+++ b/fs/ksmbd/mgmt/share_config.c
@@ -222,17 +222,3 @@ bool ksmbd_share_veto_filename(struct ksmbd_share_config *share,
}
return false;
}
-
-void ksmbd_share_configs_cleanup(void)
-{
- struct ksmbd_share_config *share;
- struct hlist_node *tmp;
- int i;
-
- down_write(&shares_table_lock);
- hash_for_each_safe(shares_table, i, tmp, share, hlist) {
- hash_del(&share->hlist);
- kill_share(share);
- }
- up_write(&shares_table_lock);
-}
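Review bot: the commit message says only that ksmbd_share_configs_cleanup() is unused and does not say what releases entries left in shares_table at shutdown. The removed body was a full drain (hash_del() plus kill_share() on every entry under shares_table_lock), so please add a sentence naming the path that frees remaining share configs, to make clear that the absence of a caller is intended and not a missing call.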
diff --git a/fs/ksmbd/mgmt/share_config.h b/fs/ksmbd/mgmt/share_config.h
index 953befc94e84..28bf3511763f 100644
--- a/fs/ksmbd/mgmt/share_config.h
+++ b/fs/ksmbd/mgmt/share_config.h
@@ -76,6 +76,4 @@ static inline void ksmbd_share_config_put(struct ksmbd_share_config *share)
struct ksmbd_share_config *ksmbd_share_config_get(char *name);
bool ksmbd_share_veto_filename(struct ksmbd_share_config *share,
const char *filename);
-void ksmbd_share_configs_cleanup(void);
-
#endif /* __SHARE_CONFIG_MANAGEMENT_H__ */
From patchwork Mon Nov 14 12:53:20 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Jason Yan <yanaijie(a)huawei.com>
X-Patchwork-Id: 183388
From: Jason Yan <yanaijie(a)huawei.com>
To: <yanaijie(a)huawei.com>, <zhengzengkai(a)huawei.com>, <xiexiuqi(a)huawei.com>,
<yi.zhang(a)huawei.com>, <patchwork(a)huawei.com>, <kernel.openeuler(a)huawei.com>,
<houtao1(a)huawei.com>
Subject: [PATCH OLK-5.10 v2 291/308] ksmbd: use vfs_llseek instead of
dereferencing NULL
Date: Mon, 14 Nov 2022 20:53:20 +0800
Message-ID: <20221114125337.1831594-292-yanaijie(a)huawei.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20221114125337.1831594-1-yanaijie(a)huawei.com>
References: <20221114125337.1831594-1-yanaijie(a)huawei.com>
From: "Jason A. Donenfeld" <Jason(a)zx2c4.com>
mainline inclusion
from mainline-5.19-rc5
commit 067baa9a37b32b95fdeabccde4b0cb6a2cf95f96
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G
CVE: NA
Reference: https://git.kernel.org/torvalds/linux/c/067baa9a37b3
-------------------------------
By not checking whether llseek is NULL, this might jump to NULL. Also,
it doesn't check FMODE_LSEEK. Fix this by using vfs_llseek(), which
always does the right thing.
Fixes: f44158485826 ("cifsd: add file operations")
Cc: stable(a)vger.kernel.org
Cc: linux-cifs(a)vger.kernel.org
Cc: Ronnie Sahlberg <lsahlber(a)redhat.com>
Cc: Hyunchul Lee <hyc.lee(a)gmail.com>
Cc: Sergey Senozhatsky <sergey.senozhatsky(a)gmail.com>
Reviewed-by: Namjae Jeon <linkinjeon(a)kernel.org>
Acked-by: Al Viro <viro(a)zeniv.linux.org.uk>
Signed-off-by: Jason A. Donenfeld <Jason(a)zx2c4.com>
Signed-off-by: Steve French <stfrench(a)microsoft.com>
Signed-off-by: Jason Yan <yanaijie(a)huawei.com>
---
fs/ksmbd/vfs.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/fs/ksmbd/vfs.c b/fs/ksmbd/vfs.c
index fff5f8674ad0..d6665b03dc18 100644
--- a/fs/ksmbd/vfs.c
+++ b/fs/ksmbd/vfs.c
@@ -1016,7 +1016,7 @@ int ksmbd_vfs_fqar_lseek(struct ksmbd_file *fp, loff_t start, loff_t length,
*out_count = 0;
end = start + length;
while (start < end && *out_count < in_count) {
- extent_start = f->f_op->llseek(f, start, SEEK_DATA);
+ extent_start = vfs_llseek(f, start, SEEK_DATA);
if (extent_start < 0) {
if (extent_start != -ENXIO)
ret = (int)extent_start;
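Review bot: both error branches in ksmbd_vfs_fqar_lseek() pass through every negative result except -ENXIO, so with vfs_llseek() a file that lacks FMODE_LSEEK now makes the function return -ESPIPE to its caller. Please check that the caller turns that errno into a sensible SMB status and does not fall through to a generic failure. The same applies to the SEEK_HOLE call in the next hunk.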
@@ -1026,7 +1026,7 @@ int ksmbd_vfs_fqar_lseek(struct ksmbd_file *fp, loff_t start, loff_t length,
if (extent_start >= end)
break;
- extent_end = f->f_op->llseek(f, extent_start, SEEK_HOLE);
+ extent_end = vfs_llseek(f, extent_start, SEEK_HOLE);
if (extent_end < 0) {
if (extent_end != -ENXIO)
ret = (int)extent_end;
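Review bot: the error branch after the new vfs_llseek() call still treats only -ENXIO as end of data and passes every other negative value up as ret. With vfs_llseek(), a file opened without FMODE_LSEEK now yields -ESPIPE here instead of a call through f_op->llseek, so the commit message should say that this errno can reach the caller and confirm the caller maps it to a sensible SMB status.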
From patchwork Mon Nov 14 12:53:21 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Jason Yan <yanaijie(a)huawei.com>
X-Patchwork-Id: 183389
From: Jason Yan <yanaijie(a)huawei.com>
To: <yanaijie(a)huawei.com>, <zhengzengkai(a)huawei.com>, <xiexiuqi(a)huawei.com>,
<yi.zhang(a)huawei.com>, <patchwork(a)huawei.com>, <kernel.openeuler(a)huawei.com>,
<houtao1(a)huawei.com>
Subject: [PATCH OLK-5.10 v2 292/308] ksmbd: fix racy issue while destroying
session on multichannel
Date: Mon, 14 Nov 2022 20:53:21 +0800
Message-ID: <20221114125337.1831594-293-yanaijie(a)huawei.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20221114125337.1831594-1-yanaijie(a)huawei.com>
References: <20221114125337.1831594-1-yanaijie(a)huawei.com>
From: Namjae Jeon <linkinjeon(a)kernel.org>
mainline inclusion
from mainline-6.0-rc1
commit af7c39d971e43cd0af488729bca362427ad99488
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G
CVE: NA
Reference: https://git.kernel.org/torvalds/linux/c/af7c39d971e4
-------------------------------
After a multi-channel connection with Windows, several channels of the
session are connected. Among them, if there is a problem in one channel,
Windows connects again after disconnecting the channel. In this process,
the session is released and a kernel oops can occur while processing
requests to other channels. When the channel is disconnected, if other
channels still exist in the session after deleting the channel from
the channel list in the session, the session should not be released.
Finally, the session will be released after all channels are disconnected.
Signed-off-by: Namjae Jeon <linkinjeon(a)kernel.org>
Reviewed-by: Hyunchul Lee <hyc.lee(a)gmail.com>
Signed-off-by: Steve French <stfrench(a)microsoft.com>
Signed-off-by: Jason Yan <yanaijie(a)huawei.com>
---
fs/ksmbd/auth.c | 56 ++++++++++++++++--------------
fs/ksmbd/auth.h | 11 +++---
fs/ksmbd/connection.h | 7 ----
fs/ksmbd/mgmt/tree_connect.c | 5 +--
fs/ksmbd/mgmt/tree_connect.h | 4 ++-
fs/ksmbd/mgmt/user_session.c | 67 ++++++++++++++++++++++++------------
fs/ksmbd/mgmt/user_session.h | 7 ++--
fs/ksmbd/oplock.c | 11 +++---
fs/ksmbd/smb2pdu.c | 21 +++++------
fs/ksmbd/smb_common.h | 2 +-
fs/ksmbd/vfs.c | 3 +-
fs/ksmbd/vfs_cache.c | 2 +-
12 files changed, 110 insertions(+), 86 deletions(-)
diff --git a/fs/ksmbd/auth.c b/fs/ksmbd/auth.c
index dc3d061edda9..c85205b37c18 100644
--- a/fs/ksmbd/auth.c
+++ b/fs/ksmbd/auth.c
@@ -120,8 +120,8 @@ static int ksmbd_gen_sess_key(struct ksmbd_session *sess, char *hash,
return rc;
}
-static int calc_ntlmv2_hash(struct ksmbd_session *sess, char *ntlmv2_hash,
- char *dname)
+static int calc_ntlmv2_hash(struct ksmbd_conn *conn, struct ksmbd_session *sess,
+ char *ntlmv2_hash, char *dname)
{
int ret, len, conv_len;
wchar_t *domain = NULL;
@@ -157,7 +157,7 @@ static int calc_ntlmv2_hash(struct ksmbd_session *sess, char *ntlmv2_hash,
}
conv_len = smb_strtoUTF16(uniname, user_name(sess->user), len,
- sess->conn->local_nls);
+ conn->local_nls);
if (conv_len < 0 || conv_len > len) {
ret = -EINVAL;
goto out;
@@ -181,7 +181,7 @@ static int calc_ntlmv2_hash(struct ksmbd_session *sess, char *ntlmv2_hash,
}
conv_len = smb_strtoUTF16((__le16 *)domain, dname, len,
- sess->conn->local_nls);
+ conn->local_nls);
if (conv_len < 0 || conv_len > len) {
ret = -EINVAL;
goto out;
@@ -214,8 +214,9 @@ static int calc_ntlmv2_hash(struct ksmbd_session *sess, char *ntlmv2_hash,
*
* Return: 0 on success, error number on error
*/
-int ksmbd_auth_ntlmv2(struct ksmbd_session *sess, struct ntlmv2_resp *ntlmv2,
- int blen, char *domain_name, char *cryptkey)
+int ksmbd_auth_ntlmv2(struct ksmbd_conn *conn, struct ksmbd_session *sess,
+ struct ntlmv2_resp *ntlmv2, int blen, char *domain_name,
+ char *cryptkey)
{
char ntlmv2_hash[CIFS_ENCPWD_SIZE];
char ntlmv2_rsp[CIFS_HMAC_MD5_HASH_SIZE];
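Review bot: the kernel-doc block whose tail is visible above ksmbd_auth_ntlmv2() is not touched by this hunk or any other, so the new first parameter has no @conn entry. Add an "@conn:" line to the comment in the same patch so the documentation matches the new prototype.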
@@ -229,7 +230,7 @@ int ksmbd_auth_ntlmv2(struct ksmbd_session *sess, struct ntlmv2_resp *ntlmv2,
return -ENOMEM;
}
- rc = calc_ntlmv2_hash(sess, ntlmv2_hash, domain_name);
+ rc = calc_ntlmv2_hash(conn, sess, ntlmv2_hash, domain_name);
if (rc) {
ksmbd_debug(AUTH, "could not get v2 hash rc %d\n", rc);
goto out;
@@ -332,7 +333,8 @@ int ksmbd_decode_ntlmssp_auth_blob(struct authenticate_message *authblob,
/* process NTLMv2 authentication */
ksmbd_debug(AUTH, "decode_ntlmssp_authenticate_blob dname%s\n",
domain_name);
- ret = ksmbd_auth_ntlmv2(sess, (struct ntlmv2_resp *)((char *)authblob + nt_off),
+ ret = ksmbd_auth_ntlmv2(conn, sess,
+ (struct ntlmv2_resp *)((char *)authblob + nt_off),
nt_len - CIFS_ENCPWD_SIZE,
domain_name, conn->ntlmssp.cryptkey);
kfree(domain_name);
@@ -632,8 +634,9 @@ struct derivation {
bool binding;
};
-static int generate_key(struct ksmbd_session *sess, struct kvec label,
- struct kvec context, __u8 *key, unsigned int key_size)
+static int generate_key(struct ksmbd_conn *conn, struct ksmbd_session *sess,
+ struct kvec label, struct kvec context, __u8 *key,
+ unsigned int key_size)
{
unsigned char zero = 0x0;
__u8 i[4] = {0, 0, 0, 1};
@@ -693,8 +696,8 @@ static int generate_key(struct ksmbd_session *sess, struct kvec label,
goto smb3signkey_ret;
}
- if (sess->conn->cipher_type == SMB2_ENCRYPTION_AES256_CCM ||
- sess->conn->cipher_type == SMB2_ENCRYPTION_AES256_GCM)
+ if (conn->cipher_type == SMB2_ENCRYPTION_AES256_CCM ||
+ conn->cipher_type == SMB2_ENCRYPTION_AES256_GCM)
rc = crypto_shash_update(CRYPTO_HMACSHA256(ctx), L256, 4);
else
rc = crypto_shash_update(CRYPTO_HMACSHA256(ctx), L128, 4);
@@ -729,17 +732,17 @@ static int generate_smb3signingkey(struct ksmbd_session *sess,
if (!chann)
return 0;
- if (sess->conn->dialect >= SMB30_PROT_ID && signing->binding)
+ if (conn->dialect >= SMB30_PROT_ID && signing->binding)
key = chann->smb3signingkey;
else
key = sess->smb3signingkey;
- rc = generate_key(sess, signing->label, signing->context, key,
+ rc = generate_key(conn, sess, signing->label, signing->context, key,
SMB3_SIGN_KEY_SIZE);
if (rc)
return rc;
- if (!(sess->conn->dialect >= SMB30_PROT_ID && signing->binding))
+ if (!(conn->dialect >= SMB30_PROT_ID && signing->binding))
memcpy(chann->smb3signingkey, key, SMB3_SIGN_KEY_SIZE);
ksmbd_debug(AUTH, "dumping generated AES signing keys\n");
@@ -793,30 +796,31 @@ struct derivation_twin {
struct derivation decryption;
};
-static int generate_smb3encryptionkey(struct ksmbd_session *sess,
+static int generate_smb3encryptionkey(struct ksmbd_conn *conn,
+ struct ksmbd_session *sess,
const struct derivation_twin *ptwin)
{
int rc;
- rc = generate_key(sess, ptwin->encryption.label,
+ rc = generate_key(conn, sess, ptwin->encryption.label,
ptwin->encryption.context, sess->smb3encryptionkey,
SMB3_ENC_DEC_KEY_SIZE);
if (rc)
return rc;
- rc = generate_key(sess, ptwin->decryption.label,
+ rc = generate_key(conn, sess, ptwin->decryption.label,
ptwin->decryption.context,
sess->smb3decryptionkey, SMB3_ENC_DEC_KEY_SIZE);
if (rc)
return rc;
ksmbd_debug(AUTH, "dumping generated AES encryption keys\n");
- ksmbd_debug(AUTH, "Cipher type %d\n", sess->conn->cipher_type);
+ ksmbd_debug(AUTH, "Cipher type %d\n", conn->cipher_type);
ksmbd_debug(AUTH, "Session Id %llu\n", sess->id);
ksmbd_debug(AUTH, "Session Key %*ph\n",
SMB2_NTLMV2_SESSKEY_SIZE, sess->sess_key);
- if (sess->conn->cipher_type == SMB2_ENCRYPTION_AES256_CCM ||
- sess->conn->cipher_type == SMB2_ENCRYPTION_AES256_GCM) {
+ if (conn->cipher_type == SMB2_ENCRYPTION_AES256_CCM ||
+ conn->cipher_type == SMB2_ENCRYPTION_AES256_GCM) {
ksmbd_debug(AUTH, "ServerIn Key %*ph\n",
SMB3_GCM256_CRYPTKEY_SIZE, sess->smb3encryptionkey);
ksmbd_debug(AUTH, "ServerOut Key %*ph\n",
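Review bot: the ksmbd_debug() calls kept in this hunk print the session key and the derived ServerIn/ServerOut keys in full with %*ph. While these lines are being edited, consider dropping the key dumps or putting them behind a separate build-time option, since anyone who can read the kernel log with AUTH debugging enabled obtains the keys protecting the session's traffic.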
@@ -830,7 +834,8 @@ static int generate_smb3encryptionkey(struct ksmbd_session *sess,
return 0;
}
-int ksmbd_gen_smb30_encryptionkey(struct ksmbd_session *sess)
+int ksmbd_gen_smb30_encryptionkey(struct ksmbd_conn *conn,
+ struct ksmbd_session *sess)
{
struct derivation_twin twin;
struct derivation *d;
@@ -847,10 +852,11 @@ int ksmbd_gen_smb30_encryptionkey(struct ksmbd_session *sess)
d->context.iov_base = "ServerIn ";
d->context.iov_len = 10;
- return generate_smb3encryptionkey(sess, &twin);
+ return generate_smb3encryptionkey(conn, sess, &twin);
}
-int ksmbd_gen_smb311_encryptionkey(struct ksmbd_session *sess)
+int ksmbd_gen_smb311_encryptionkey(struct ksmbd_conn *conn,
+ struct ksmbd_session *sess)
{
struct derivation_twin twin;
struct derivation *d;
@@ -867,7 +873,7 @@ int ksmbd_gen_smb311_encryptionkey(struct ksmbd_session *sess)
d->context.iov_base = sess->Preauth_HashValue;
d->context.iov_len = 64;
- return generate_smb3encryptionkey(sess, &twin);
+ return generate_smb3encryptionkey(conn, sess, &twin);
}
int ksmbd_gen_preauth_integrity_hash(struct ksmbd_conn *conn, char *buf,
diff --git a/fs/ksmbd/auth.h b/fs/ksmbd/auth.h
index 95629651cf26..25b772653de0 100644
--- a/fs/ksmbd/auth.h
+++ b/fs/ksmbd/auth.h
@@ -38,8 +38,9 @@ struct kvec;
int ksmbd_crypt_message(struct ksmbd_conn *conn, struct kvec *iov,
unsigned int nvec, int enc);
void ksmbd_copy_gss_neg_header(void *buf);
-int ksmbd_auth_ntlmv2(struct ksmbd_session *sess, struct ntlmv2_resp *ntlmv2,
- int blen, char *domain_name, char *cryptkey);
+int ksmbd_auth_ntlmv2(struct ksmbd_conn *conn, struct ksmbd_session *sess,
+ struct ntlmv2_resp *ntlmv2, int blen, char *domain_name,
+ char *cryptkey);
int ksmbd_decode_ntlmssp_auth_blob(struct authenticate_message *authblob,
int blob_len, struct ksmbd_conn *conn,
struct ksmbd_session *sess);
@@ -58,8 +59,10 @@ int ksmbd_gen_smb30_signingkey(struct ksmbd_session *sess,
struct ksmbd_conn *conn);
int ksmbd_gen_smb311_signingkey(struct ksmbd_session *sess,
struct ksmbd_conn *conn);
-int ksmbd_gen_smb30_encryptionkey(struct ksmbd_session *sess);
-int ksmbd_gen_smb311_encryptionkey(struct ksmbd_session *sess);
+int ksmbd_gen_smb30_encryptionkey(struct ksmbd_conn *conn,
+ struct ksmbd_session *sess);
+int ksmbd_gen_smb311_encryptionkey(struct ksmbd_conn *conn,
+ struct ksmbd_session *sess);
int ksmbd_gen_preauth_integrity_hash(struct ksmbd_conn *conn, char *buf,
__u8 *pi_hash);
int ksmbd_gen_sd_hash(struct ksmbd_conn *conn, char *sd_buf, int len,
diff --git a/fs/ksmbd/connection.h b/fs/ksmbd/connection.h
index aeef0a74c1dd..6aa72b17c3eb 100644
--- a/fs/ksmbd/connection.h
+++ b/fs/ksmbd/connection.h
@@ -20,13 +20,6 @@
#define KSMBD_SOCKET_BACKLOG 16
-/*
- * WARNING
- *
- * This is nothing but a HACK. Session status should move to channel
- * or to session. As of now we have 1 tcp_conn : 1 ksmbd_session, but
- * we need to change it to 1 tcp_conn : N ksmbd_sessions.
- */
enum {
KSMBD_SESS_NEW = 0,
KSMBD_SESS_GOOD,
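Review bot: the WARNING comment is deleted, but the KSMBD_SESS_* status enum it described stays in connection.h, so from this hunk the status still looks per connection. Either keep a short comment saying where session status now lives or explain in the commit message why the hack described there no longer applies.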
diff --git a/fs/ksmbd/mgmt/tree_connect.c b/fs/ksmbd/mgmt/tree_connect.c
index 0d28e723a28c..b35ea6a6abc5 100644
--- a/fs/ksmbd/mgmt/tree_connect.c
+++ b/fs/ksmbd/mgmt/tree_connect.c
@@ -16,7 +16,8 @@
#include "user_session.h"
struct ksmbd_tree_conn_status
-ksmbd_tree_conn_connect(struct ksmbd_session *sess, char *share_name)
+ksmbd_tree_conn_connect(struct ksmbd_conn *conn, struct ksmbd_session *sess,
+ char *share_name)
{
struct ksmbd_tree_conn_status status = {-EINVAL, NULL};
struct ksmbd_tree_connect_response *resp = NULL;
@@ -41,7 +42,7 @@ ksmbd_tree_conn_connect(struct ksmbd_session *sess, char *share_name)
goto out_error;
}
- peer_addr = KSMBD_TCP_PEER_SOCKADDR(sess->conn);
+ peer_addr = KSMBD_TCP_PEER_SOCKADDR(conn);
resp = ksmbd_ipc_tree_connect_request(sess,
sc,
tree_conn,
diff --git a/fs/ksmbd/mgmt/tree_connect.h b/fs/ksmbd/mgmt/tree_connect.h
index 18e2a996e0aa..71e50271dccf 100644
--- a/fs/ksmbd/mgmt/tree_connect.h
+++ b/fs/ksmbd/mgmt/tree_connect.h
@@ -12,6 +12,7 @@
struct ksmbd_share_config;
struct ksmbd_user;
+struct ksmbd_conn;
struct ksmbd_tree_connect {
int id;
@@ -40,7 +41,8 @@ static inline int test_tree_conn_flag(struct ksmbd_tree_connect *tree_conn,
struct ksmbd_session;
struct ksmbd_tree_conn_status
-ksmbd_tree_conn_connect(struct ksmbd_session *sess, char *share_name);
+ksmbd_tree_conn_connect(struct ksmbd_conn *conn, struct ksmbd_session *sess,
+ char *share_name);
int ksmbd_tree_conn_disconnect(struct ksmbd_session *sess,
struct ksmbd_tree_connect *tree_conn);
diff --git a/fs/ksmbd/mgmt/user_session.c b/fs/ksmbd/mgmt/user_session.c
index b9acb6770b03..3fa2139a0b30 100644
--- a/fs/ksmbd/mgmt/user_session.c
+++ b/fs/ksmbd/mgmt/user_session.c
@@ -151,9 +151,6 @@ void ksmbd_session_destroy(struct ksmbd_session *sess)
if (!sess)
return;
- if (!atomic_dec_and_test(&sess->refcnt))
- return;
-
down_write(&sessions_table_lock);
hash_del(&sess->hlist);
up_write(&sessions_table_lock);
@@ -184,16 +181,58 @@ static struct ksmbd_session *__session_lookup(unsigned long long id)
int ksmbd_session_register(struct ksmbd_conn *conn,
struct ksmbd_session *sess)
{
- sess->conn = conn;
+ sess->dialect = conn->dialect;
+ memcpy(sess->ClientGUID, conn->ClientGUID, SMB2_CLIENT_GUID_SIZE);
return xa_err(xa_store(&conn->sessions, sess->id, sess, GFP_KERNEL));
}
+static int ksmbd_chann_del(struct ksmbd_conn *conn, struct ksmbd_session *sess)
+{
+ struct channel *chann, *tmp;
+
+ write_lock(&sess->chann_lock);
+ list_for_each_entry_safe(chann, tmp, &sess->ksmbd_chann_list,
+ chann_list) {
+ if (chann->conn == conn) {
+ list_del(&chann->chann_list);
+ kfree(chann);
+ write_unlock(&sess->chann_lock);
+ return 0;
+ }
+ }
+ write_unlock(&sess->chann_lock);
+
+ return -ENOENT;
+}
+
void ksmbd_sessions_deregister(struct ksmbd_conn *conn)
{
struct ksmbd_session *sess;
- unsigned long id;
- xa_for_each(&conn->sessions, id, sess) {
+ if (conn->binding) {
+ int bkt;
+
+ down_write(&sessions_table_lock);
+ hash_for_each(sessions_table, bkt, sess, hlist) {
+ if (!ksmbd_chann_del(conn, sess)) {
+ up_write(&sessions_table_lock);
+ goto sess_destroy;
+ }
+ }
+ up_write(&sessions_table_lock);
+ } else {
+ unsigned long id;
+
+ xa_for_each(&conn->sessions, id, sess) {
+ if (!ksmbd_chann_del(conn, sess))
+ goto sess_destroy;
+ }
+ }
+
+ return;
+
+sess_destroy:
+ if (list_empty(&sess->ksmbd_chann_list)) {
xa_erase(&conn->sessions, sess->id);
ksmbd_session_destroy(sess);
}
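Review bot: at the sess_destroy label, list_empty(&sess->ksmbd_chann_list) is read after ksmbd_chann_del() has dropped chann_lock (and, in the binding branch, after sessions_table_lock is released), so two connections of one session closing together can both observe an empty list and both call ksmbd_session_destroy(). Do the emptiness test under the same write lock that removes the channel and return the result from ksmbd_chann_del(). Also, both loops leave on the first session that matches, whereas the old xa_for_each() destroyed every session in conn->sessions; if a connection can hold more than one session, the rest are now left behind.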
@@ -205,27 +244,12 @@ struct ksmbd_session *ksmbd_session_lookup(struct ksmbd_conn *conn,
return xa_load(&conn->sessions, id);
}
-int get_session(struct ksmbd_session *sess)
-{
- return atomic_inc_not_zero(&sess->refcnt);
-}
-
-void put_session(struct ksmbd_session *sess)
-{
- if (atomic_dec_and_test(&sess->refcnt))
- pr_err("get/%s seems to be mismatched.", __func__);
-}
-
struct ksmbd_session *ksmbd_session_lookup_slowpath(unsigned long long id)
{
struct ksmbd_session *sess;
down_read(&sessions_table_lock);
sess = __session_lookup(id);
- if (sess) {
- if (!get_session(sess))
- sess = NULL;
- }
up_read(&sessions_table_lock);
return sess;
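Review bot: ksmbd_session_lookup_slowpath() now returns sess after up_read(&sessions_table_lock) without taking any reference, and get_session()/put_session() are deleted, so nothing prevents ksmbd_sessions_deregister() on another connection from freeing the session while the caller still uses the pointer. Keep a reference, or hold the lock across the use, for slowpath callers such as destroy_previous_session(), where this patch drops the put_session() calls.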
@@ -306,7 +330,6 @@ static struct ksmbd_session *__session_create(int protocol)
INIT_LIST_HEAD(&sess->ksmbd_chann_list);
INIT_LIST_HEAD(&sess->rpc_handle_list);
sess->sequence_number = 1;
- atomic_set(&sess->refcnt, 1);
rwlock_init(&sess->chann_lock);
switch (protocol) {
diff --git a/fs/ksmbd/mgmt/user_session.h b/fs/ksmbd/mgmt/user_session.h
index 1ec659f0151b..8934b8ee275b 100644
--- a/fs/ksmbd/mgmt/user_session.h
+++ b/fs/ksmbd/mgmt/user_session.h
@@ -33,8 +33,10 @@ struct preauth_session {
struct ksmbd_session {
u64 id;
+ __u16 dialect;
+ char ClientGUID[SMB2_CLIENT_GUID_SIZE];
+
struct ksmbd_user *user;
- struct ksmbd_conn *conn;
unsigned int sequence_number;
unsigned int flags;
@@ -59,7 +61,6 @@ struct ksmbd_session {
__u8 smb3signingkey[SMB3_SIGN_KEY_SIZE];
struct ksmbd_file_table file_table;
- atomic_t refcnt;
};
static inline int test_session_flag(struct ksmbd_session *sess, int bit)
@@ -100,6 +101,4 @@ void ksmbd_release_tree_conn_id(struct ksmbd_session *sess, int id);
int ksmbd_session_rpc_open(struct ksmbd_session *sess, char *rpc_name);
void ksmbd_session_rpc_close(struct ksmbd_session *sess, int id);
int ksmbd_session_rpc_method(struct ksmbd_session *sess, int id);
-int get_session(struct ksmbd_session *sess);
-void put_session(struct ksmbd_session *sess);
#endif /* __USER_SESSION_MANAGEMENT_H__ */
diff --git a/fs/ksmbd/oplock.c b/fs/ksmbd/oplock.c
index f6f1adf94673..3721fd44a43a 100644
--- a/fs/ksmbd/oplock.c
+++ b/fs/ksmbd/oplock.c
@@ -30,6 +30,7 @@ static DEFINE_RWLOCK(lease_list_lock);
static struct oplock_info *alloc_opinfo(struct ksmbd_work *work,
u64 id, __u16 Tid)
{
+ struct ksmbd_conn *conn = work->conn;
struct ksmbd_session *sess = work->sess;
struct oplock_info *opinfo;
@@ -38,7 +39,7 @@ static struct oplock_info *alloc_opinfo(struct ksmbd_work *work,
return NULL;
opinfo->sess = sess;
- opinfo->conn = sess->conn;
+ opinfo->conn = conn;
opinfo->level = SMB2_OPLOCK_LEVEL_NONE;
opinfo->op_state = OPLOCK_STATE_NONE;
opinfo->pending_break = 0;
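Review bot: opinfo->conn now records the connection the request arrived on, and the commit message says a session can outlive individual channels. State what keeps opinfo->conn valid once that channel's connection is torn down while the session and the oplock remain; the same question applies to "fp->conn = work->conn;" in the vfs_cache.c hunk of this patch.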
@@ -981,7 +982,7 @@ int find_same_lease_key(struct ksmbd_session *sess, struct ksmbd_inode *ci,
}
list_for_each_entry(lb, &lease_table_list, l_entry) {
- if (!memcmp(lb->client_guid, sess->conn->ClientGUID,
+ if (!memcmp(lb->client_guid, sess->ClientGUID,
SMB2_CLIENT_GUID_SIZE))
goto found;
}
@@ -997,7 +998,7 @@ int find_same_lease_key(struct ksmbd_session *sess, struct ksmbd_inode *ci,
rcu_read_unlock();
if (opinfo->o_fp->f_ci == ci)
goto op_next;
- err = compare_guid_key(opinfo, sess->conn->ClientGUID,
+ err = compare_guid_key(opinfo, sess->ClientGUID,
lctx->lease_key);
if (err) {
err = -EINVAL;
@@ -1131,7 +1132,7 @@ int smb_grant_oplock(struct ksmbd_work *work, int req_op_level, u64 pid,
struct oplock_info *m_opinfo;
/* is lease already granted ? */
- m_opinfo = same_client_has_lease(ci, sess->conn->ClientGUID,
+ m_opinfo = same_client_has_lease(ci, sess->ClientGUID,
lctx);
if (m_opinfo) {
copy_lease(m_opinfo, opinfo);
@@ -1249,7 +1250,7 @@ void smb_break_all_levII_oplock(struct ksmbd_work *work, struct ksmbd_file *fp,
{
struct oplock_info *op, *brk_op;
struct ksmbd_inode *ci;
- struct ksmbd_conn *conn = work->sess->conn;
+ struct ksmbd_conn *conn = work->conn;
if (!test_share_config_flag(work->tcon->share_conf,
KSMBD_SHARE_FLAG_OPLOCKS))
diff --git a/fs/ksmbd/smb2pdu.c b/fs/ksmbd/smb2pdu.c
index efdba70ad240..8a47738bedbb 100644
--- a/fs/ksmbd/smb2pdu.c
+++ b/fs/ksmbd/smb2pdu.c
@@ -602,12 +602,9 @@ static void destroy_previous_session(struct ksmbd_conn *conn,
if (!prev_user ||
strcmp(user->name, prev_user->name) ||
user->passkey_sz != prev_user->passkey_sz ||
- memcmp(user->passkey, prev_user->passkey, user->passkey_sz)) {
- put_session(prev_sess);
+ memcmp(user->passkey, prev_user->passkey, user->passkey_sz))
return;
- }
- put_session(prev_sess);
prev_sess->state = SMB2_SESSION_EXPIRED;
write_lock(&prev_sess->chann_lock);
list_for_each_entry(chann, &prev_sess->ksmbd_chann_list, chann_list)
@@ -1498,7 +1495,7 @@ static int ntlm_authenticate(struct ksmbd_work *work)
if (smb3_encryption_negotiated(conn) &&
!(req->Flags & SMB2_SESSION_REQ_FLAG_BINDING)) {
- rc = conn->ops->generate_encryptionkey(sess);
+ rc = conn->ops->generate_encryptionkey(conn, sess);
if (rc) {
ksmbd_debug(SMB,
"SMB3 encryption key generation failed\n");
@@ -1589,7 +1586,7 @@ static int krb5_authenticate(struct ksmbd_work *work)
sess->sign = true;
if (smb3_encryption_negotiated(conn)) {
- retval = conn->ops->generate_encryptionkey(sess);
+ retval = conn->ops->generate_encryptionkey(conn, sess);
if (retval) {
ksmbd_debug(SMB,
"SMB3 encryption key generation failed\n");
@@ -1677,7 +1674,7 @@ int smb2_sess_setup(struct ksmbd_work *work)
goto out_err;
}
- if (conn->dialect != sess->conn->dialect) {
+ if (conn->dialect != sess->dialect) {
rc = -EINVAL;
goto out_err;
}
@@ -1687,7 +1684,7 @@ int smb2_sess_setup(struct ksmbd_work *work)
goto out_err;
}
- if (strncmp(conn->ClientGUID, sess->conn->ClientGUID,
+ if (strncmp(conn->ClientGUID, sess->ClientGUID,
SMB2_CLIENT_GUID_SIZE)) {
rc = -ENOENT;
goto out_err;
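Review bot: the binding check compares ClientGUID with strncmp(), which stops at the first zero byte, so two different GUIDs that agree up to an embedded 0x00 compare as equal. The GUID is binary data; use memcmp() over SMB2_CLIENT_GUID_SIZE, as the oplock.c hunks in this patch already do for the same field.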
@@ -1889,7 +1886,7 @@ int smb2_tree_connect(struct ksmbd_work *work)
ksmbd_debug(SMB, "tree connect request for tree %s treename %s\n",
name, treename);
- status = ksmbd_tree_conn_connect(sess, name);
+ status = ksmbd_tree_conn_connect(conn, sess, name);
if (status.ret == KSMBD_TREE_CONN_STATUS_OK)
rsp->hdr.Id.SyncId.TreeId = cpu_to_le32(status.tree_conn->id);
else
@@ -4839,7 +4836,7 @@ static int smb2_get_info_filesystem(struct ksmbd_work *work,
struct smb2_query_info_rsp *rsp)
{
struct ksmbd_session *sess = work->sess;
- struct ksmbd_conn *conn = sess->conn;
+ struct ksmbd_conn *conn = work->conn;
struct ksmbd_share_config *share = work->tcon->share_conf;
int fsinfoclass = 0;
struct kstatfs stfs;
@@ -5737,7 +5734,7 @@ static int set_rename_info(struct ksmbd_work *work, struct ksmbd_file *fp,
}
next:
return smb2_rename(work, fp, rename_info,
- work->sess->conn->local_nls);
+ work->conn->local_nls);
}
static int set_file_disposition_info(struct ksmbd_file *fp,
@@ -5871,7 +5868,7 @@ static int smb2_set_info_file(struct ksmbd_work *work, struct ksmbd_file *fp,
return smb2_create_link(work, work->tcon->share_conf,
(struct smb2_file_link_info *)req->Buffer,
buf_len, fp->filp,
- work->sess->conn->local_nls);
+ work->conn->local_nls);
}
case FILE_DISPOSITION_INFORMATION:
{
diff --git a/fs/ksmbd/smb_common.h b/fs/ksmbd/smb_common.h
index 35ca9b7d9979..da3dd29079a2 100644
--- a/fs/ksmbd/smb_common.h
+++ b/fs/ksmbd/smb_common.h
@@ -467,7 +467,7 @@ struct smb_version_ops {
int (*check_sign_req)(struct ksmbd_work *work);
void (*set_sign_rsp)(struct ksmbd_work *work);
int (*generate_signingkey)(struct ksmbd_session *sess, struct ksmbd_conn *conn);
- int (*generate_encryptionkey)(struct ksmbd_session *sess);
+ int (*generate_encryptionkey)(struct ksmbd_conn *conn, struct ksmbd_session *sess);
bool (*is_transform_hdr)(void *buf);
int (*decrypt_req)(struct ksmbd_work *work);
int (*encrypt_resp)(struct ksmbd_work *work);
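Review bot: generate_encryptionkey now takes (conn, sess) while generate_signingkey on the line above takes (sess, conn). Both pointers are passed at every call site, so a swapped pair in a cast or wrapper is easy to miss in review; pick one order for both callbacks and their ksmbd_gen_* implementations.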
diff --git a/fs/ksmbd/vfs.c b/fs/ksmbd/vfs.c
index d6665b03dc18..bf0fdf90bbfa 100644
--- a/fs/ksmbd/vfs.c
+++ b/fs/ksmbd/vfs.c
@@ -471,12 +471,11 @@ int ksmbd_vfs_write(struct ksmbd_work *work, struct ksmbd_file *fp,
char *buf, size_t count, loff_t *pos, bool sync,
ssize_t *written)
{
- struct ksmbd_session *sess = work->sess;
struct file *filp;
loff_t offset = *pos;
int err = 0;
- if (sess->conn->connection_type) {
+ if (work->conn->connection_type) {
if (!(fp->daccess & FILE_WRITE_DATA_LE)) {
pr_err("no right to write(%pd)\n",
fp->filp->f_path.dentry);
diff --git a/fs/ksmbd/vfs_cache.c b/fs/ksmbd/vfs_cache.c
index cc9c8b46827d..26db346c5c4f 100644
--- a/fs/ksmbd/vfs_cache.c
+++ b/fs/ksmbd/vfs_cache.c
@@ -568,7 +568,7 @@ struct ksmbd_file *ksmbd_open_fd(struct ksmbd_work *work, struct file *filp)
atomic_set(&fp->refcount, 1);
fp->filp = filp;
- fp->conn = work->sess->conn;
+ fp->conn = work->conn;
fp->tcon = work->tcon;
fp->volatile_id = KSMBD_NO_FID;
fp->persistent_id = KSMBD_NO_FID;
From patchwork Mon Nov 14 12:53:22 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Jason Yan <yanaijie(a)huawei.com>
X-Patchwork-Id: 183390
From: Jason Yan <yanaijie(a)huawei.com>
To: <yanaijie(a)huawei.com>, <zhengzengkai(a)huawei.com>, <xiexiuqi(a)huawei.com>,
<yi.zhang(a)huawei.com>, <patchwork(a)huawei.com>, <kernel.openeuler(a)huawei.com>,
<houtao1(a)huawei.com>
Subject: [PATCH OLK-5.10 v2 293/308] ksmbd: fix memory leak in
smb2_handle_negotiate
Date: Mon, 14 Nov 2022 20:53:22 +0800
Message-ID: <20221114125337.1831594-294-yanaijie(a)huawei.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20221114125337.1831594-1-yanaijie(a)huawei.com>
References: <20221114125337.1831594-1-yanaijie(a)huawei.com>
From: Namjae Jeon <linkinjeon(a)kernel.org>
mainline inclusion
from mainline-6.0-rc1
commit aa7253c2393f6dcd6a1468b0792f6da76edad917
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G
CVE: NA
Reference: https://git.kernel.org/torvalds/linux/c/aa7253c2393f
-------------------------------
The allocated memory wasn't freed under an error
path in smb2_handle_negotiate().
Fixes: e2f34481b24d ("cifsd: add server-side procedures for SMB3")
Cc: stable(a)vger.kernel.org
Reported-by: zdi-disclosures(a)trendmicro.com # ZDI-CAN-17815
Signed-off-by: Namjae Jeon <linkinjeon(a)kernel.org>
Reviewed-by: Hyunchul Lee <hyc.lee(a)gmail.com>
Signed-off-by: Steve French <stfrench(a)microsoft.com>
Signed-off-by: Jason Yan <yanaijie(a)huawei.com>
---
fs/ksmbd/smb2pdu.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/fs/ksmbd/smb2pdu.c b/fs/ksmbd/smb2pdu.c
index 8a47738bedbb..de7deb3147a2 100644
--- a/fs/ksmbd/smb2pdu.c
+++ b/fs/ksmbd/smb2pdu.c
@@ -1141,12 +1141,16 @@ int smb2_handle_negotiate(struct ksmbd_work *work)
status);
rsp->hdr.Status = status;
rc = -EINVAL;
+ kfree(conn->preauth_info);
+ conn->preauth_info = NULL;
goto err_out;
}
rc = init_smb3_11_server(conn);
if (rc < 0) {
rsp->hdr.Status = STATUS_INVALID_PARAMETER;
+ kfree(conn->preauth_info);
+ conn->preauth_info = NULL;
goto err_out;
}
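Review bot: the "kfree(conn->preauth_info); conn->preauth_info = NULL;" pair is pasted into both failing branches ahead of "goto err_out;". Move the cleanup behind a dedicated label that falls through to err_out, so the next error path added after the allocation cannot miss it.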
From patchwork Mon Nov 14 12:53:23 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Jason Yan <yanaijie(a)huawei.com>
X-Patchwork-Id: 183391
From: Jason Yan <yanaijie(a)huawei.com>
To: <yanaijie(a)huawei.com>, <zhengzengkai(a)huawei.com>, <xiexiuqi(a)huawei.com>,
<yi.zhang(a)huawei.com>, <patchwork(a)huawei.com>, <kernel.openeuler(a)huawei.com>,
<houtao1(a)huawei.com>
Subject: [PATCH OLK-5.10 v2 294/308] ksmbd: fix use-after-free bug in
smb2_tree_disconect
Date: Mon, 14 Nov 2022 20:53:23 +0800
Message-ID: <20221114125337.1831594-295-yanaijie(a)huawei.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20221114125337.1831594-1-yanaijie(a)huawei.com>
References: <20221114125337.1831594-1-yanaijie(a)huawei.com>
From: Namjae Jeon <linkinjeon(a)kernel.org>
mainline inclusion
from mainline-6.0-rc1
commit cf6531d98190fa2cf92a6d8bbc8af0a4740a223c
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G
CVE: NA
Reference: https://git.kernel.org/torvalds/linux/c/cf6531d98190
-------------------------------
smb2_tree_disconnect() freed the struct ksmbd_tree_connect,
but it left the dangling pointer. It can be accessed
again under compound requests.
This bug can lead to an oops looking something like:
[ 1685.468014 ] BUG: KASAN: use-after-free in ksmbd_tree_conn_disconnect+0x131/0x160 [ksmbd]
[ 1685.468068 ] Read of size 4 at addr ffff888102172180 by task kworker/1:2/4807
...
[ 1685.468130 ] Call Trace:
[ 1685.468132 ] <TASK>
[ 1685.468135 ] dump_stack_lvl+0x49/0x5f
[ 1685.468141 ] print_report.cold+0x5e/0x5cf
[ 1685.468145 ] ? ksmbd_tree_conn_disconnect+0x131/0x160 [ksmbd]
[ 1685.468157 ] kasan_report+0xaa/0x120
[ 1685.468194 ] ? ksmbd_tree_conn_disconnect+0x131/0x160 [ksmbd]
[ 1685.468206 ] __asan_report_load4_noabort+0x14/0x20
[ 1685.468210 ] ksmbd_tree_conn_disconnect+0x131/0x160 [ksmbd]
[ 1685.468222 ] smb2_tree_disconnect+0x175/0x250 [ksmbd]
[ 1685.468235 ] handle_ksmbd_work+0x30e/0x1020 [ksmbd]
[ 1685.468247 ] process_one_work+0x778/0x11c0
[ 1685.468251 ] ? _raw_spin_lock_irq+0x8e/0xe0
[ 1685.468289 ] worker_thread+0x544/0x1180
[ 1685.468293 ] ? __cpuidle_text_end+0x4/0x4
[ 1685.468297 ] kthread+0x282/0x320
[ 1685.468301 ] ? process_one_work+0x11c0/0x11c0
[ 1685.468305 ] ? kthread_complete_and_exit+0x30/0x30
[ 1685.468309 ] ret_from_fork+0x1f/0x30
Fixes: e2f34481b24d ("cifsd: add server-side procedures for SMB3")
Cc: stable(a)vger.kernel.org
Reported-by: zdi-disclosures(a)trendmicro.com # ZDI-CAN-17816
Signed-off-by: Namjae Jeon <linkinjeon(a)kernel.org>
Reviewed-by: Hyunchul Lee <hyc.lee(a)gmail.com>
Signed-off-by: Steve French <stfrench(a)microsoft.com>
Signed-off-by: Jason Yan <yanaijie(a)huawei.com>
---
fs/ksmbd/smb2pdu.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/fs/ksmbd/smb2pdu.c b/fs/ksmbd/smb2pdu.c
index de7deb3147a2..e6a35294ba54 100644
--- a/fs/ksmbd/smb2pdu.c
+++ b/fs/ksmbd/smb2pdu.c
@@ -2056,6 +2056,7 @@ int smb2_tree_disconnect(struct ksmbd_work *work)
ksmbd_close_tree_conn_fds(work);
ksmbd_tree_conn_disconnect(sess, tcon);
+ work->tcon = NULL;
return 0;
}
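Review bot: clearing work->tcon after ksmbd_tree_conn_disconnect() removes the dangling pointer, but the commit message says later requests in the same compound can reach it, and they will now see NULL. Confirm that every compound-path user of work->tcon checks for NULL before dereferencing, otherwise the use-after-free turns into a NULL pointer dereference; a one-line comment above the assignment saying why it is needed would also help.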
From patchwork Mon Nov 14 12:53:24 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-Patchwork-Submitter: Jason Yan <yanaijie(a)huawei.com>
X-Patchwork-Id: 183392
From: Jason Yan <yanaijie(a)huawei.com>
To: <yanaijie(a)huawei.com>, <zhengzengkai(a)huawei.com>, <xiexiuqi(a)huawei.com>,
<yi.zhang(a)huawei.com>, <patchwork(a)huawei.com>, <kernel.openeuler(a)huawei.com>,
<houtao1(a)huawei.com>
Subject: [PATCH OLK-5.10 v2 295/308] ksmbd: Fix user namespace mapping
Date: Mon, 14 Nov 2022 20:53:24 +0800
Message-ID: <20221114125337.1831594-296-yanaijie(a)huawei.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20221114125337.1831594-1-yanaijie(a)huawei.com>
References: <20221114125337.1831594-1-yanaijie(a)huawei.com>
Content-Type: text/plain; charset="UTF-8"
From: Mickaël Salaün <mic(a)digikod.net>
mainline inclusion
from mainline-6.1-rc1
commit 7c88c1e0ab1704bacb751341ee6431c3be34b834
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G
CVE: NA
Reference: https://git.kernel.org/torvalds/linux/c/7c88c1e0ab17
-------------------------------
A kernel daemon should not rely on the current thread, which is unknown
and might be malicious. Before this security fix,
ksmbd_override_fsids() didn't correctly override FS UID/GID which means
that arbitrary user space threads could trick the kernel to impersonate
arbitrary users or groups for file system access checks, leading to
file system access bypass.
This was found while investigating truncate support for Landlock:
https://lore.kernel.org/r/CAKYAXd8fpMJ7guizOjHgxEyyjoUwPsx3jLOPZP=wPYcbhkVX…
Fixes: e2f34481b24d ("cifsd: add server-side procedures for SMB3")
Cc: Hyunchul Lee <hyc.lee(a)gmail.com>
Cc: Steve French <smfrench(a)gmail.com>
Cc: stable(a)vger.kernel.org
Signed-off-by: Mickaël Salaün <mic(a)digikod.net>
Link: https://lore.kernel.org/r/20220929100447.108468-1-mic@digikod.net
Acked-by: Christian Brauner (Microsoft) <brauner(a)kernel.org>
Acked-by: Namjae Jeon <linkinjeon(a)kernel.org>
Signed-off-by: Steve French <stfrench(a)microsoft.com>
Signed-off-by: Jason Yan <yanaijie(a)huawei.com>
---
fs/ksmbd/smb_common.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/fs/ksmbd/smb_common.c b/fs/ksmbd/smb_common.c
index 2476ba92b475..8ea2cdda0984 100644
--- a/fs/ksmbd/smb_common.c
+++ b/fs/ksmbd/smb_common.c
@@ -4,6 +4,8 @@
* Copyright (C) 2018 Namjae Jeon <linkinjeon(a)kernel.org>
*/
+#include <linux/user_namespace.h>
+
#include "smb_common.h"
#include "server.h"
#include "misc.h"
@@ -621,8 +623,8 @@ int ksmbd_override_fsids(struct ksmbd_work *work)
if (!cred)
return -ENOMEM;
- cred->fsuid = make_kuid(current_user_ns(), uid);
- cred->fsgid = make_kgid(current_user_ns(), gid);
+ cred->fsuid = make_kuid(&init_user_ns, uid);
+ cred->fsgid = make_kgid(&init_user_ns, gid);
gi = groups_alloc(0);
if (!gi) {
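Review bot: The two new assignments in ksmbd_override_fsids() deserve a comment explaining why &init_user_ns is used instead of current_user_ns(); the reasoning (the work runs in a thread whose namespace the server must not trust) lives only in the commit message, and the next reader of this function will not see it. The visible lines also store the make_kuid()/make_kgid() results without a uid_valid()/gid_valid() check; if uid and gid are already validated where they are obtained, say so in the comment, otherwise add the check before assigning to cred.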
From patchwork Mon Nov 14 12:53:25 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Jason Yan <yanaijie(a)huawei.com>
X-Patchwork-Id: 183393
From: Jason Yan <yanaijie(a)huawei.com>
To: <yanaijie(a)huawei.com>, <zhengzengkai(a)huawei.com>, <xiexiuqi(a)huawei.com>,
<yi.zhang(a)huawei.com>, <patchwork(a)huawei.com>, <kernel.openeuler(a)huawei.com>,
<houtao1(a)huawei.com>
Subject: [PATCH OLK-5.10 v2 296/308] ksmbd: prevent out of bound read for
SMB2_TREE_CONNNECT
Date: Mon, 14 Nov 2022 20:53:25 +0800
Message-ID: <20221114125337.1831594-297-yanaijie(a)huawei.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20221114125337.1831594-1-yanaijie(a)huawei.com>
References: <20221114125337.1831594-1-yanaijie(a)huawei.com>
Content-Type: text/plain
From: Hyunchul Lee <hyc.lee(a)gmail.com>
mainline inclusion
from mainline-6.0-rc1
commit 824d4f64c20093275f72fc8101394d75ff6a249e
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G
CVE: NA
Reference: https://git.kernel.org/torvalds/linux/c/824d4f64c200
-------------------------------
If Status is not 0 and PathLength is long,
smb_strndup_from_utf16 could make an out-of-bounds
read in smb2_tree_connect.
This bug can lead to an oops looking something like:
[ 1553.882047] BUG: KASAN: slab-out-of-bounds in smb_strndup_from_utf16+0x469/0x4c0 [ksmbd]
[ 1553.882064] Read of size 2 at addr ffff88802c4eda04 by task kworker/0:2/42805
...
[ 1553.882095] Call Trace:
[ 1553.882098] <TASK>
[ 1553.882101] dump_stack_lvl+0x49/0x5f
[ 1553.882107] print_report.cold+0x5e/0x5cf
[ 1553.882112] ? smb_strndup_from_utf16+0x469/0x4c0 [ksmbd]
[ 1553.882122] kasan_report+0xaa/0x120
[ 1553.882128] ? smb_strndup_from_utf16+0x469/0x4c0 [ksmbd]
[ 1553.882139] __asan_report_load_n_noabort+0xf/0x20
[ 1553.882143] smb_strndup_from_utf16+0x469/0x4c0 [ksmbd]
[ 1553.882155] ? smb_strtoUTF16+0x3b0/0x3b0 [ksmbd]
[ 1553.882166] ? __kmalloc_node+0x185/0x430
[ 1553.882171] smb2_tree_connect+0x140/0xab0 [ksmbd]
[ 1553.882185] handle_ksmbd_work+0x30e/0x1020 [ksmbd]
[ 1553.882197] process_one_work+0x778/0x11c0
[ 1553.882201] ? _raw_spin_lock_irq+0x8e/0xe0
[ 1553.882206] worker_thread+0x544/0x1180
[ 1553.882209] ? __cpuidle_text_end+0x4/0x4
[ 1553.882214] kthread+0x282/0x320
[ 1553.882218] ? process_one_work+0x11c0/0x11c0
[ 1553.882221] ? kthread_complete_and_exit+0x30/0x30
[ 1553.882225] ret_from_fork+0x1f/0x30
[ 1553.882231] </TASK>
There is no need to check error request validation in server.
This check allows invalid requests not to validate message.
Fixes: e2f34481b24d ("cifsd: add server-side procedures for SMB3")
Cc: stable(a)vger.kernel.org
Reported-by: zdi-disclosures(a)trendmicro.com # ZDI-CAN-17818
Signed-off-by: Hyunchul Lee <hyc.lee(a)gmail.com>
Acked-by: Namjae Jeon <linkinjeon(a)kernel.org>
Signed-off-by: Steve French <stfrench(a)microsoft.com>
Signed-off-by: Jason Yan <yanaijie(a)huawei.com>
---
fs/ksmbd/smb2misc.c | 5 -----
1 file changed, 5 deletions(-)
diff --git a/fs/ksmbd/smb2misc.c b/fs/ksmbd/smb2misc.c
index 0aba1c91fd37..faaeacd8ea55 100644
--- a/fs/ksmbd/smb2misc.c
+++ b/fs/ksmbd/smb2misc.c
@@ -91,11 +91,6 @@ static int smb2_get_data_area_len(unsigned int *off, unsigned int *len,
*off = 0;
*len = 0;
- /* error reqeusts do not have data area */
- if (hdr->Status && hdr->Status != STATUS_MORE_PROCESSING_REQUIRED &&
- (((struct smb2_err_rsp *)hdr)->StructureSize) == SMB2_ERROR_STRUCTURE_SIZE2_LE)
- return ret;
-
/*
* Following commands have data areas so we have to get the location
* of the data buffer offset and data buffer length for the particular
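Review bot: With the early return on hdr->Status removed, length validation for SMB2_TREE_CONNECT rests entirely on the per-command offset/length computation that follows in smb2_get_data_area_len(). The KASAN trace in the commit message shows the out-of-bounds read happening in smb_strndup_from_utf16() called from smb2_tree_connect(), so it would be worth bounding the path offset plus PathLength against the request length in that handler as well, rather than relying on a single validator upstream. The commit message could also state outright that Status in a request header is supplied by the client, which is why it must not gate validation.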
From patchwork Mon Nov 14 12:53:26 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Jason Yan <yanaijie(a)huawei.com>
X-Patchwork-Id: 183394
From: Jason Yan <yanaijie(a)huawei.com>
To: <yanaijie(a)huawei.com>, <zhengzengkai(a)huawei.com>, <xiexiuqi(a)huawei.com>,
<yi.zhang(a)huawei.com>, <patchwork(a)huawei.com>, <kernel.openeuler(a)huawei.com>,
<houtao1(a)huawei.com>
Subject: [PATCH OLK-5.10 v2 297/308] ksmbd: return STATUS_BAD_NETWORK_NAME
error status if share is not configured
Date: Mon, 14 Nov 2022 20:53:26 +0800
Message-ID: <20221114125337.1831594-298-yanaijie(a)huawei.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20221114125337.1831594-1-yanaijie(a)huawei.com>
References: <20221114125337.1831594-1-yanaijie(a)huawei.com>
Content-Type: text/plain
From: Namjae Jeon <linkinjeon(a)kernel.org>
mainline inclusion
from mainline-6.0-rc2
commit fe54833dc8d97ef387e86f7c80537d51c503ca75
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G
CVE: NA
Reference: https://git.kernel.org/torvalds/linux/c/fe54833dc8d9
-------------------------------
If share is not configured in smb.conf, smb2 tree connect should return
STATUS_BAD_NETWORK_NAME instead of STATUS_BAD_NETWORK_PATH.
Signed-off-by: Namjae Jeon <linkinjeon(a)kernel.org>
Reviewed-by: Hyunchul Lee <hyc.lee(a)gmail.com>
Signed-off-by: Steve French <stfrench(a)microsoft.com>
Signed-off-by: Jason Yan <yanaijie(a)huawei.com>
---
fs/ksmbd/mgmt/tree_connect.c | 2 +-
fs/ksmbd/smb2pdu.c | 3 ++-
2 files changed, 3 insertions(+), 2 deletions(-)
diff --git a/fs/ksmbd/mgmt/tree_connect.c b/fs/ksmbd/mgmt/tree_connect.c
index b35ea6a6abc5..dd262daa2c4a 100644
--- a/fs/ksmbd/mgmt/tree_connect.c
+++ b/fs/ksmbd/mgmt/tree_connect.c
@@ -19,7 +19,7 @@ struct ksmbd_tree_conn_status
ksmbd_tree_conn_connect(struct ksmbd_conn *conn, struct ksmbd_session *sess,
char *share_name)
{
- struct ksmbd_tree_conn_status status = {-EINVAL, NULL};
+ struct ksmbd_tree_conn_status status = {-ENOENT, NULL};
struct ksmbd_tree_connect_response *resp = NULL;
struct ksmbd_share_config *sc;
struct ksmbd_tree_connect *tree_conn = NULL;
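Review bot: Changing the initializer of status from -EINVAL to -ENOENT alters the result of every path in ksmbd_tree_conn_connect() that returns without overwriting the initial value, not only the share-not-configured case named in the commit message. Together with the new case -ENOENT in smb2_tree_connect(), any such path is now reported to the client as STATUS_BAD_NETWORK_NAME. Please check that no allocation or internal failure leaves the initializer in place, or set -ENOENT explicitly at the point where the share lookup fails and keep -EINVAL as the default.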
diff --git a/fs/ksmbd/smb2pdu.c b/fs/ksmbd/smb2pdu.c
index e6a35294ba54..5a41d5a00db4 100644
--- a/fs/ksmbd/smb2pdu.c
+++ b/fs/ksmbd/smb2pdu.c
@@ -1942,8 +1942,9 @@ int smb2_tree_connect(struct ksmbd_work *work)
rsp->hdr.Status = STATUS_SUCCESS;
rc = 0;
break;
+ case -ENOENT:
case KSMBD_TREE_CONN_STATUS_NO_SHARE:
- rsp->hdr.Status = STATUS_BAD_NETWORK_PATH;
+ rsp->hdr.Status = STATUS_BAD_NETWORK_NAME;
break;
case -ENOMEM:
case KSMBD_TREE_CONN_STATUS_NOMEM:
From patchwork Mon Nov 14 12:53:27 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Jason Yan <yanaijie(a)huawei.com>
X-Patchwork-Id: 183395
From: Jason Yan <yanaijie(a)huawei.com>
To: <yanaijie(a)huawei.com>, <zhengzengkai(a)huawei.com>, <xiexiuqi(a)huawei.com>,
<yi.zhang(a)huawei.com>, <patchwork(a)huawei.com>, <kernel.openeuler(a)huawei.com>,
<houtao1(a)huawei.com>
Subject: [PATCH OLK-5.10 v2 298/308] ksmbd: fix endless loop when encryption
for response fails
Date: Mon, 14 Nov 2022 20:53:27 +0800
Message-ID: <20221114125337.1831594-299-yanaijie(a)huawei.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20221114125337.1831594-1-yanaijie(a)huawei.com>
References: <20221114125337.1831594-1-yanaijie(a)huawei.com>
Content-Type: text/plain
From: Namjae Jeon <linkinjeon(a)kernel.org>
mainline inclusion
from mainline-6.1-rc1
commit 360c8ee6fefdb496fffd2c18bb9a96a376a1a804
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G
CVE: NA
Reference: https://git.kernel.org/torvalds/linux/c/360c8ee6fefd
-------------------------------
If ->encrypt_resp returns an error, the goto statement causes an endless loop.
It sends an error response immediately after removing it.
Fixes: 0626e6641f6b ("cifsd: add server handler for central processing and tranport layers")
Cc: stable(a)vger.kernel.org
Signed-off-by: Namjae Jeon <linkinjeon(a)kernel.org>
Signed-off-by: Steve French <stfrench(a)microsoft.com>
Signed-off-by: Jason Yan <yanaijie(a)huawei.com>
---
fs/ksmbd/server.c | 4 +---
1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/fs/ksmbd/server.c b/fs/ksmbd/server.c
index 72d8fd1c4d43..90aeb8a835f7 100644
--- a/fs/ksmbd/server.c
+++ b/fs/ksmbd/server.c
@@ -235,10 +235,8 @@ static void __handle_ksmbd_work(struct ksmbd_work *work,
if (work->sess && work->sess->enc && work->encrypted &&
conn->ops->encrypt_resp) {
rc = conn->ops->encrypt_resp(work);
- if (rc < 0) {
+ if (rc < 0)
conn->ops->set_rsp_status(work, STATUS_DATA_ERROR);
- goto send;
- }
}
ksmbd_conn_write(work);
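Review bot: After this change a failed ->encrypt_resp() only sets STATUS_DATA_ERROR and then falls through to ksmbd_conn_write(work), so whatever is in the response buffer at that point is sent on a session that negotiated encryption. Please confirm that set_rsp_status() leaves nothing of the original response body in the outgoing buffer and that encrypt_resp() cannot return with the buffer partly transformed; otherwise the error path should build a fresh error response, or drop the reply, before writing. A comment here noting why there is no retry would also keep the goto from being reintroduced.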
From patchwork Mon Nov 14 12:53:28 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Jason Yan <yanaijie(a)huawei.com>
X-Patchwork-Id: 183396
From: Jason Yan <yanaijie(a)huawei.com>
To: <yanaijie(a)huawei.com>, <zhengzengkai(a)huawei.com>, <xiexiuqi(a)huawei.com>,
<yi.zhang(a)huawei.com>, <patchwork(a)huawei.com>, <kernel.openeuler(a)huawei.com>,
<houtao1(a)huawei.com>
Subject: [PATCH OLK-5.10 v2 299/308] ksmbd: fix encryption failure issue for
session logoff response
Date: Mon, 14 Nov 2022 20:53:28 +0800
Message-ID: <20221114125337.1831594-300-yanaijie(a)huawei.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20221114125337.1831594-1-yanaijie(a)huawei.com>
References: <20221114125337.1831594-1-yanaijie(a)huawei.com>
Content-Type: text/plain
From: Namjae Jeon <linkinjeon(a)kernel.org>
mainline inclusion
from mainline-6.1-rc1
commit af705ef2b0ded0d8f54c238fdf3c17a1d47ad924
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G
CVE: NA
Reference: https://git.kernel.org/torvalds/linux/c/af705ef2b0de
-------------------------------
If the client sends an encrypted session logoff request on a seal mount,
encryption for that response fails.
ksmbd: Could not get encryption key
CIFS: VFS: cifs_put_smb_ses: Session Logoff failure rc=-512
Session lookup fails in ksmbd_get_encryption_key() because sess->state is
set to SMB2_SESSION_EXPIRED in session logoff. There is no need to do
session lookup again to encrypt the response. This patch changes to use
ksmbd_session in ksmbd_work.
Signed-off-by: Namjae Jeon <linkinjeon(a)kernel.org>
Signed-off-by: Steve French <stfrench(a)microsoft.com>
Signed-off-by: Jason Yan <yanaijie(a)huawei.com>
---
fs/ksmbd/auth.c | 12 ++++++++----
fs/ksmbd/auth.h | 3 ++-
fs/ksmbd/smb2pdu.c | 7 +++----
3 files changed, 13 insertions(+), 9 deletions(-)
diff --git a/fs/ksmbd/auth.c b/fs/ksmbd/auth.c
index c85205b37c18..dbd3038c61e0 100644
--- a/fs/ksmbd/auth.c
+++ b/fs/ksmbd/auth.c
@@ -957,13 +957,16 @@ int ksmbd_gen_sd_hash(struct ksmbd_conn *conn, char *sd_buf, int len,
return rc;
}
-static int ksmbd_get_encryption_key(struct ksmbd_conn *conn, __u64 ses_id,
+static int ksmbd_get_encryption_key(struct ksmbd_work *work, __u64 ses_id,
int enc, u8 *key)
{
struct ksmbd_session *sess;
u8 *ses_enc_key;
- sess = ksmbd_session_lookup_all(conn, ses_id);
+ if (enc)
+ sess = work->sess;
+ else
+ sess = ksmbd_session_lookup_all(work->conn, ses_id);
if (!sess)
return -EINVAL;
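Review bot: In the enc branch of ksmbd_get_encryption_key() the ses_id argument is now ignored and work->sess is used as is, with no check that it matches the SessionId from the transform header that ksmbd_crypt_message() passes in. That is reasonable for a response the server built itself, but it should be stated in a comment above the if (enc), and an explicit comparison of the session id (or a WARN_ON_ONCE on mismatch) would catch a caller that prepares the header for a different session. The existing if (!sess) check still covers a NULL work->sess and should stay.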
@@ -1051,9 +1054,10 @@ static struct scatterlist *ksmbd_init_sg(struct kvec *iov, unsigned int nvec,
return sg;
}
-int ksmbd_crypt_message(struct ksmbd_conn *conn, struct kvec *iov,
+int ksmbd_crypt_message(struct ksmbd_work *work, struct kvec *iov,
unsigned int nvec, int enc)
{
+ struct ksmbd_conn *conn = work->conn;
struct smb2_transform_hdr *tr_hdr = smb2_get_msg(iov[0].iov_base);
unsigned int assoc_data_len = sizeof(struct smb2_transform_hdr) - 20;
int rc;
@@ -1067,7 +1071,7 @@ int ksmbd_crypt_message(struct ksmbd_conn *conn, struct kvec *iov,
unsigned int crypt_len = le32_to_cpu(tr_hdr->OriginalMessageSize);
struct ksmbd_crypto_ctx *ctx;
- rc = ksmbd_get_encryption_key(conn,
+ rc = ksmbd_get_encryption_key(work,
le64_to_cpu(tr_hdr->SessionId),
enc,
key);
diff --git a/fs/ksmbd/auth.h b/fs/ksmbd/auth.h
index 25b772653de0..362b6159a6cf 100644
--- a/fs/ksmbd/auth.h
+++ b/fs/ksmbd/auth.h
@@ -33,9 +33,10 @@
struct ksmbd_session;
struct ksmbd_conn;
+struct ksmbd_work;
struct kvec;
-int ksmbd_crypt_message(struct ksmbd_conn *conn, struct kvec *iov,
+int ksmbd_crypt_message(struct ksmbd_work *work, struct kvec *iov,
unsigned int nvec, int enc);
void ksmbd_copy_gss_neg_header(void *buf);
int ksmbd_auth_ntlmv2(struct ksmbd_conn *conn, struct ksmbd_session *sess,
diff --git a/fs/ksmbd/smb2pdu.c b/fs/ksmbd/smb2pdu.c
index 5a41d5a00db4..27f3465e6f73 100644
--- a/fs/ksmbd/smb2pdu.c
+++ b/fs/ksmbd/smb2pdu.c
@@ -8517,7 +8517,7 @@ int smb3_encrypt_resp(struct ksmbd_work *work)
buf_size += iov[1].iov_len;
work->resp_hdr_sz = iov[1].iov_len;
- rc = ksmbd_crypt_message(work->conn, iov, rq_nvec, 1);
+ rc = ksmbd_crypt_message(work, iov, rq_nvec, 1);
if (rc)
return rc;
@@ -8536,7 +8536,6 @@ bool smb3_is_transform_hdr(void *buf)
int smb3_decrypt_req(struct ksmbd_work *work)
{
- struct ksmbd_conn *conn = work->conn;
struct ksmbd_session *sess;
char *buf = work->request_buf;
unsigned int pdu_length = get_rfc1002_len(buf);
@@ -8556,7 +8555,7 @@ int smb3_decrypt_req(struct ksmbd_work *work)
return -ECONNABORTED;
}
- sess = ksmbd_session_lookup_all(conn, le64_to_cpu(tr_hdr->SessionId));
+ sess = ksmbd_session_lookup_all(work->conn, le64_to_cpu(tr_hdr->SessionId));
if (!sess) {
pr_err("invalid session id(%llx) in transform header\n",
le64_to_cpu(tr_hdr->SessionId));
@@ -8567,7 +8566,7 @@ int smb3_decrypt_req(struct ksmbd_work *work)
iov[0].iov_len = sizeof(struct smb2_transform_hdr) + 4;
iov[1].iov_base = buf + sizeof(struct smb2_transform_hdr) + 4;
iov[1].iov_len = buf_data_size;
- rc = ksmbd_crypt_message(conn, iov, 2, 0);
+ rc = ksmbd_crypt_message(work, iov, 2, 0);
if (rc)
return rc;
From patchwork Mon Nov 14 12:53:29 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Jason Yan <yanaijie(a)huawei.com>
X-Patchwork-Id: 183397
From: Jason Yan <yanaijie(a)huawei.com>
To: <yanaijie(a)huawei.com>, <zhengzengkai(a)huawei.com>, <xiexiuqi(a)huawei.com>,
<yi.zhang(a)huawei.com>, <patchwork(a)huawei.com>, <kernel.openeuler(a)huawei.com>,
<houtao1(a)huawei.com>
Subject: [PATCH OLK-5.10 v2 300/308] ksmbd: set NTLMSSP_NEGOTIATE_SEAL flag to
challenge blob
Date: Mon, 14 Nov 2022 20:53:29 +0800
Message-ID: <20221114125337.1831594-301-yanaijie(a)huawei.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20221114125337.1831594-1-yanaijie(a)huawei.com>
References: <20221114125337.1831594-1-yanaijie(a)huawei.com>
Content-Type: text/plain
From: Namjae Jeon <linkinjeon(a)kernel.org>
mainline inclusion
from mainline-6.1-rc1
commit 5bedae90b369ca1a7660b9af39591ed19009b495
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G
CVE: NA
Reference: https://git.kernel.org/torvalds/linux/c/5bedae90b369
-------------------------------
If the NTLMSSP_NEGOTIATE_SEAL flag is set in the negotiate blob from the client,
set the NTLMSSP_NEGOTIATE_SEAL flag in the challenge blob.
Signed-off-by: Namjae Jeon <linkinjeon(a)kernel.org>
Signed-off-by: Steve French <stfrench(a)microsoft.com>
Signed-off-by: Jason Yan <yanaijie(a)huawei.com>
---
fs/ksmbd/auth.c | 3 +++
fs/ksmbd/smb2pdu.c | 2 +-
fs/ksmbd/smb2pdu.h | 1 +
3 files changed, 5 insertions(+), 1 deletion(-)
diff --git a/fs/ksmbd/auth.c b/fs/ksmbd/auth.c
index dbd3038c61e0..fc87c9913c8d 100644
--- a/fs/ksmbd/auth.c
+++ b/fs/ksmbd/auth.c
@@ -400,6 +400,9 @@ ksmbd_build_ntlmssp_challenge_blob(struct challenge_message *chgblob,
NTLMSSP_NEGOTIATE_56);
}
+ if (cflags & NTLMSSP_NEGOTIATE_SEAL && smb3_encryption_negotiated(conn))
+ flags |= NTLMSSP_NEGOTIATE_SEAL;
+
if (cflags & NTLMSSP_NEGOTIATE_ALWAYS_SIGN)
flags |= NTLMSSP_NEGOTIATE_ALWAYS_SIGN;
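Review bot: The new condition cflags & NTLMSSP_NEGOTIATE_SEAL && smb3_encryption_negotiated(conn) is correct only because & binds tighter than &&; write it as (cflags & NTLMSSP_NEGOTIATE_SEAL) && smb3_encryption_negotiated(conn) so the intent is explicit and compilers do not warn about the mix. The commit message says the flag is set when the client requests it, but the code additionally requires that SMB3 encryption was negotiated on the connection; the message should mention that second condition.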
diff --git a/fs/ksmbd/smb2pdu.c b/fs/ksmbd/smb2pdu.c
index 27f3465e6f73..8ac88c0eacce 100644
--- a/fs/ksmbd/smb2pdu.c
+++ b/fs/ksmbd/smb2pdu.c
@@ -923,7 +923,7 @@ static void decode_encrypt_ctxt(struct ksmbd_conn *conn,
*
* Return: true if connection should be encrypted, else false
*/
-static bool smb3_encryption_negotiated(struct ksmbd_conn *conn)
+bool smb3_encryption_negotiated(struct ksmbd_conn *conn)
{
if (!conn->ops->generate_encryptionkey)
return false;
diff --git a/fs/ksmbd/smb2pdu.h b/fs/ksmbd/smb2pdu.h
index 829f44569077..940ec510d3e2 100644
--- a/fs/ksmbd/smb2pdu.h
+++ b/fs/ksmbd/smb2pdu.h
@@ -1668,6 +1668,7 @@ int smb3_decrypt_req(struct ksmbd_work *work);
int smb3_encrypt_resp(struct ksmbd_work *work);
bool smb3_11_final_sess_setup_resp(struct ksmbd_work *work);
int smb2_set_rsp_credits(struct ksmbd_work *work);
+bool smb3_encryption_negotiated(struct ksmbd_conn *conn);
/* smb2 misc functions */
int ksmbd_smb2_check_message(struct ksmbd_work *work);
From patchwork Mon Nov 14 12:53:30 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Jason Yan <yanaijie(a)huawei.com>
X-Patchwork-Id: 183398
From: Jason Yan <yanaijie(a)huawei.com>
To: <yanaijie(a)huawei.com>, <zhengzengkai(a)huawei.com>, <xiexiuqi(a)huawei.com>,
<yi.zhang(a)huawei.com>, <patchwork(a)huawei.com>, <kernel.openeuler(a)huawei.com>,
<houtao1(a)huawei.com>
Subject: [PATCH OLK-5.10 v2 301/308] ksmbd: Fix wrong return value and message
length check in smb2_ioctl()
Date: Mon, 14 Nov 2022 20:53:30 +0800
Message-ID: <20221114125337.1831594-302-yanaijie(a)huawei.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20221114125337.1831594-1-yanaijie(a)huawei.com>
References: <20221114125337.1831594-1-yanaijie(a)huawei.com>
Content-Type: text/plain
From: Zhang Xiaoxu <zhangxiaoxu5(a)huawei.com>
mainline inclusion
from mainline-6.1-rc1
commit b1763d265af62800ec96eeb79803c4c537dcef3a
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G
CVE: NA
Reference: https://git.kernel.org/torvalds/linux/c/b1763d265af6
-------------------------------
Commit c7803b05f74b ("smb3: fix ksmbd bigendian bug in oplock
break, and move its struct to smbfs_common") uses the definition
of 'struct validate_negotiate_info_req' in smbfs_common, the
array length of 'Dialects' changed from 1 to 4, but the protocol
does not require the client to send all 4. This leads the request
which satisfies the protocol and server to fail.
So just ensure the request payload has the 'DialectCount' in
smb2_ioctl(), then fsctl_validate_negotiate_info() will use it
to validate the payload length and each dialect.
Also when the {in, out}_buf_len is less than the required, it should
goto out to initialize the status in the response header.
Fixes: f7db8fd03a4b ("ksmbd: add validation in smb2_ioctl")
Cc: stable(a)vger.kernel.org
Signed-off-by: Zhang Xiaoxu <zhangxiaoxu5(a)huawei.com>
Acked-by: Namjae Jeon <linkinjeon(a)kernel.org>
Signed-off-by: Steve French <stfrench(a)microsoft.com>
Signed-off-by: Jason Yan <yanaijie(a)huawei.com>
---
fs/ksmbd/smb2pdu.c | 13 +++++++++----
1 file changed, 9 insertions(+), 4 deletions(-)
diff --git a/fs/ksmbd/smb2pdu.c b/fs/ksmbd/smb2pdu.c
index 8ac88c0eacce..7a6a2942f72a 100644
--- a/fs/ksmbd/smb2pdu.c
+++ b/fs/ksmbd/smb2pdu.c
@@ -7604,11 +7604,16 @@ int smb2_ioctl(struct ksmbd_work *work)
goto out;
}
- if (in_buf_len < sizeof(struct validate_negotiate_info_req))
- return -EINVAL;
+ if (in_buf_len < offsetof(struct validate_negotiate_info_req,
+ Dialects)) {
+ ret = -EINVAL;
+ goto out;
+ }
- if (out_buf_len < sizeof(struct validate_negotiate_info_rsp))
- return -EINVAL;
+ if (out_buf_len < sizeof(struct validate_negotiate_info_rsp)) {
+ ret = -EINVAL;
+ goto out;
+ }
ret = fsctl_validate_negotiate_info(conn,
(struct validate_negotiate_info_req *)&req->Buffer[0],
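Review bot: The in_buf_len check now guarantees only the fixed part of struct validate_negotiate_info_req up to Dialects, so the bounds on the Dialects array depend entirely on fsctl_validate_negotiate_info() comparing DialectCount against the remaining input length before it reads any entry. The call is cut off in the visible context; please make sure in_buf_len is passed down and checked there. Turning the two return -EINVAL statements into ret = -EINVAL; goto out matches the commit message's point that the response header status must be initialized on these paths.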
From patchwork Mon Nov 14 12:53:31 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Jason Yan <yanaijie(a)huawei.com>
X-Patchwork-Id: 183399
From: Jason Yan <yanaijie(a)huawei.com>
To: <yanaijie(a)huawei.com>, <zhengzengkai(a)huawei.com>, <xiexiuqi(a)huawei.com>,
<yi.zhang(a)huawei.com>, <patchwork(a)huawei.com>, <kernel.openeuler(a)huawei.com>,
<houtao1(a)huawei.com>
Subject: [PATCH OLK-5.10 v2 302/308] cifsd: add Kconfig and Makefile
Date: Mon, 14 Nov 2022 20:53:31 +0800
Message-ID: <20221114125337.1831594-303-yanaijie(a)huawei.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20221114125337.1831594-1-yanaijie(a)huawei.com>
References: <20221114125337.1831594-1-yanaijie(a)huawei.com>
From: Namjae Jeon <namjae.jeon(a)samsung.com>
mainline inclusion
from mainline-5.15-rc1
commit a848c4f15ab6d5d405dbee7de5da71839b2bf35e
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G
CVE: NA
Reference: https://git.kernel.org/torvalds/linux/c/a848c4f15ab6
-------------------------------
This adds the Kconfig and Makefile for cifsd.
Signed-off-by: Namjae Jeon <namjae.jeon(a)samsung.com>
Signed-off-by: Sergey Senozhatsky <sergey.senozhatsky(a)gmail.com>
Signed-off-by: Hyunchul Lee <hyc.lee(a)gmail.com>
Acked-by: Ronnie Sahlberg <lsahlber(a)redhat.com>
Signed-off-by: Steve French <stfrench(a)microsoft.com>
Signed-off-by: Jason Yan <yanaijie(a)huawei.com>
---
fs/Kconfig | 1 +
fs/Makefile | 1 +
fs/ksmbd/Kconfig | 67 +++++++++++++++++++++++++++++++++++++++++++++++
fs/ksmbd/Makefile | 20 ++++++++++++++
fs/ksmbd/server.c | 2 --
5 files changed, 89 insertions(+), 2 deletions(-)
create mode 100644 fs/ksmbd/Kconfig
create mode 100644 fs/ksmbd/Makefile
diff --git a/fs/Kconfig b/fs/Kconfig
index aa097ca64ef6..a5ed26b093b7 100644
--- a/fs/Kconfig
+++ b/fs/Kconfig
@@ -370,6 +370,7 @@ config NFS_COMMON
source "net/sunrpc/Kconfig"
source "fs/ceph/Kconfig"
source "fs/cifs/Kconfig"
+source "fs/ksmbd/Kconfig"
source "fs/coda/Kconfig"
source "fs/afs/Kconfig"
source "fs/9p/Kconfig"
diff --git a/fs/Makefile b/fs/Makefile
index 73acb48ce6bc..d91d30ba8b4e 100644
--- a/fs/Makefile
+++ b/fs/Makefile
@@ -100,6 +100,7 @@ obj-$(CONFIG_NLS) += nls/
obj-$(CONFIG_UNICODE) += unicode/
obj-$(CONFIG_SYSV_FS) += sysv/
obj-$(CONFIG_CIFS) += cifs/
+obj-$(CONFIG_SMB_SERVER) += ksmbd/
obj-$(CONFIG_HPFS_FS) += hpfs/
obj-$(CONFIG_NTFS_FS) += ntfs/
obj-$(CONFIG_NTFS3_FS) += ntfs3/
diff --git a/fs/ksmbd/Kconfig b/fs/ksmbd/Kconfig
new file mode 100644
index 000000000000..c893ba4490e4
--- /dev/null
+++ b/fs/ksmbd/Kconfig
@@ -0,0 +1,67 @@
+config SMB_SERVER
+ tristate "SMB3 server support (EXPERIMENTAL)"
+ depends on INET
+ depends on MULTIUSER
+ depends on FILE_LOCKING
+ select NLS
+ select NLS_UTF8
+ select CRYPTO
+ select CRYPTO_MD5
+ select CRYPTO_HMAC
+ select CRYPTO_ECB
+ select CRYPTO_LIB_DES
+ select CRYPTO_SHA256
+ select CRYPTO_CMAC
+ select CRYPTO_SHA512
+ select CRYPTO_AEAD2
+ select CRYPTO_CCM
+ select CRYPTO_GCM
+ select ASN1
+ select OID_REGISTRY
+ default n
+ help
+ Choose Y here if you want to allow SMB3 compliant clients
+ to access files residing on this system using SMB3 protocol.
+ To compile the SMB3 server support as a module,
+ choose M here: the module will be called ksmbd.
+
+ You may choose to use a samba server instead, in which
+ case you can choose N here.
+
+ You also need to install user space programs which can be found
+ in ksmbd-tools, available from
+ https://github.com/cifsd-team/ksmbd-tools.
+ More detail about how to run the ksmbd kernel server is
+ available via README file
+ (https://github.com/cifsd-team/ksmbd-tools/blob/master/README)
+
+ ksmbd kernel server includes support for auto-negotiation,
+ Secure negotiate, Pre-authentication integrity, oplock/lease,
+ compound requests, multi-credit, packet signing, RDMA(smbdirect),
+ smb3 encryption, copy-offload, secure per-user session
+ establishment via NTLM or NTLMv2.
+
+config SMB_SERVER_SMBDIRECT
+ bool "Support for SMB Direct protocol"
+ depends on SMB_SERVER=m && INFINIBAND && INFINIBAND_ADDR_TRANS || SMB_SERVER=y && INFINIBAND=y && INFINIBAND_ADDR_TRANS=y
+ select SG_POOL
+ default n
+
+ help
+ Enables SMB Direct support for SMB 3.0, 3.02 and 3.1.1.
+
+ SMB Direct allows transferring SMB packets over RDMA. If unsure,
+ say N.
+
+config SMB_SERVER_CHECK_CAP_NET_ADMIN
+ bool "Enable check network administration capability"
+ depends on SMB_SERVER
+ default y
+
+ help
+ Prevent unprivileged processes to start the ksmbd kernel server.
+
+config SMB_SERVER_KERBEROS5
+ bool "Support for Kerberos 5"
+ depends on SMB_SERVER
+ default n
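Review bot: SMB_SERVER_KERBEROS5 at the end of the file has no help text, so nothing tells the person configuring the kernel what the option needs from user space or which authentication is left when it is off; please add one. In SMB_SERVER_SMBDIRECT the depends on line mixes && and || without parentheses, which is easy to misread. The default n lines are redundant because n is already the default, and the SMB_SERVER_CHECK_CAP_NET_ADMIN help should read "Prevent unprivileged processes from starting the ksmbd kernel server."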
diff --git a/fs/ksmbd/Makefile b/fs/ksmbd/Makefile
new file mode 100644
index 000000000000..7d6337a7dee4
--- /dev/null
+++ b/fs/ksmbd/Makefile
@@ -0,0 +1,20 @@
+# SPDX-License-Identifier: GPL-2.0-or-later
+#
+# Makefile for Linux SMB3 kernel server
+#
+obj-$(CONFIG_SMB_SERVER) += ksmbd.o
+
+ksmbd-y := unicode.o auth.o vfs.o vfs_cache.o server.o ndr.o \
+ misc.o oplock.o connection.o ksmbd_work.o crypto_ctx.o \
+ mgmt/ksmbd_ida.o mgmt/user_config.o mgmt/share_config.o \
+ mgmt/tree_connect.o mgmt/user_session.o smb_common.o \
+ transport_tcp.o transport_ipc.o smbacl.o smb2pdu.o \
+ smb2ops.o smb2misc.o ksmbd_spnego_negtokeninit.asn1.o \
+ ksmbd_spnego_negtokentarg.asn1.o asn1.o
+
+$(obj)/asn1.o: $(obj)/ksmbd_spnego_negtokeninit.asn1.h $(obj)/ksmbd_spnego_negtokentarg.asn1.h
+
+$(obj)/ksmbd_spnego_negtokeninit.asn1.o: $(obj)/ksmbd_spnego_negtokeninit.asn1.c $(obj)/ksmbd_spnego_negtokeninit.asn1.h
+$(obj)/ksmbd_spnego_negtokentarg.asn1.o: $(obj)/ksmbd_spnego_negtokentarg.asn1.c $(obj)/ksmbd_spnego_negtokentarg.asn1.h
+
+ksmbd-$(CONFIG_SMB_SERVER_SMBDIRECT) += transport_rdma.o
diff --git a/fs/ksmbd/server.c b/fs/ksmbd/server.c
index 90aeb8a835f7..ad742ac28f1d 100644
--- a/fs/ksmbd/server.c
+++ b/fs/ksmbd/server.c
@@ -624,10 +624,8 @@ MODULE_AUTHOR("Namjae Jeon <linkinjeon(a)kernel.org>");
MODULE_VERSION(KSMBD_VERSION);
MODULE_DESCRIPTION("Linux kernel CIFS/SMB SERVER");
MODULE_LICENSE("GPL");
-MODULE_SOFTDEP("pre: arc4");
MODULE_SOFTDEP("pre: ecb");
MODULE_SOFTDEP("pre: hmac");
-MODULE_SOFTDEP("pre: md4");
MODULE_SOFTDEP("pre: md5");
MODULE_SOFTDEP("pre: nls");
MODULE_SOFTDEP("pre: aes");
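Review bot: Dropping the arc4 and md4 soft dependencies is not mentioned in the commit message, which describes only the Kconfig and Makefile. Please say in the message why they go away (the new SMB_SERVER entry selects neither algorithm) and confirm that no remaining code path asks the crypto API for md4 or arc4 at run time, since the Kconfig help in the same patch still lists NTLM session establishment.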
From patchwork Mon Nov 14 12:53:32 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Jason Yan <yanaijie(a)huawei.com>
X-Patchwork-Id: 183400
From: Jason Yan <yanaijie(a)huawei.com>
To: <yanaijie(a)huawei.com>, <zhengzengkai(a)huawei.com>, <xiexiuqi(a)huawei.com>,
<yi.zhang(a)huawei.com>, <patchwork(a)huawei.com>, <kernel.openeuler(a)huawei.com>,
<houtao1(a)huawei.com>
Subject: [PATCH OLK-5.10 v2 303/308] ksmbd: set unique value to volume serial
field in FS_VOLUME_INFORMATION
Date: Mon, 14 Nov 2022 20:53:32 +0800
Message-ID: <20221114125337.1831594-304-yanaijie(a)huawei.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20221114125337.1831594-1-yanaijie(a)huawei.com>
References: <20221114125337.1831594-1-yanaijie(a)huawei.com>
From: Namjae Jeon <linkinjeon(a)kernel.org>
mainline inclusion
from mainline-5.16-rc1
commit 5d2f0b1083eb158bdff01dd557e2c25046c0a7d2
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G
CVE: NA
Reference: https://git.kernel.org/torvalds/linux/c/5d2f0b1083eb
-------------------------------
Steve French reported that ksmbd sets a fixed value in the volume serial field of
FS_VOLUME_INFORMATION. The volume serial value needs to be set to a unique
value for client fscache. This patch sets a crc value that is generated
from the share name, path name and netbios name as the volume serial.
Fixes: e2f34481b24d ("cifsd: add server-side procedures for SMB3")
Cc: stable(a)vger.kernel.org # v5.15
Reported-by: Steve French <smfrench(a)gmail.com>
Signed-off-by: Namjae Jeon <linkinjeon(a)kernel.org>
Signed-off-by: Steve French <stfrench(a)microsoft.com>
Signed-off-by: Jason Yan <yanaijie(a)huawei.com>
---
fs/ksmbd/Kconfig | 1 +
fs/ksmbd/server.c | 1 +
fs/ksmbd/smb2pdu.c | 9 ++++++++-
3 files changed, 10 insertions(+), 1 deletion(-)
diff --git a/fs/ksmbd/Kconfig b/fs/ksmbd/Kconfig
index c893ba4490e4..e1fe17747ed6 100644
--- a/fs/ksmbd/Kconfig
+++ b/fs/ksmbd/Kconfig
@@ -18,6 +18,7 @@ config SMB_SERVER
select CRYPTO_GCM
select ASN1
select OID_REGISTRY
+ select CRC32
default n
help
Choose Y here if you want to allow SMB3 compliant clients
diff --git a/fs/ksmbd/server.c b/fs/ksmbd/server.c
index ad742ac28f1d..8cd93052cfab 100644
--- a/fs/ksmbd/server.c
+++ b/fs/ksmbd/server.c
@@ -635,5 +635,6 @@ MODULE_SOFTDEP("pre: sha512");
MODULE_SOFTDEP("pre: aead2");
MODULE_SOFTDEP("pre: ccm");
MODULE_SOFTDEP("pre: gcm");
+MODULE_SOFTDEP("pre: crc32");
module_init(ksmbd_server_init)
module_exit(ksmbd_server_exit)
diff --git a/fs/ksmbd/smb2pdu.c b/fs/ksmbd/smb2pdu.c
index 7a6a2942f72a..31947a994a8d 100644
--- a/fs/ksmbd/smb2pdu.c
+++ b/fs/ksmbd/smb2pdu.c
@@ -4909,11 +4909,18 @@ static int smb2_get_info_filesystem(struct ksmbd_work *work,
{
struct filesystem_vol_info *info;
size_t sz;
+ unsigned int serial_crc = 0;
info = (struct filesystem_vol_info *)(rsp->Buffer);
info->VolumeCreationTime = 0;
+ serial_crc = crc32_le(serial_crc, share->name,
+ strlen(share->name));
+ serial_crc = crc32_le(serial_crc, share->path,
+ strlen(share->path));
+ serial_crc = crc32_le(serial_crc, ksmbd_netbios_name(),
+ strlen(ksmbd_netbios_name()));
/* Taking dummy value of serial number*/
- info->SerialNumber = cpu_to_le32(0xbc3ac512);
+ info->SerialNumber = cpu_to_le32(serial_crc);
len = smbConvertToUTF16((__le16 *)info->VolumeLabel,
share->name, PATH_MAX,
conn->local_nls, 0);
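Review bot: The context comment "Taking dummy value of serial number" directly above the new assignment is now stale, since SerialNumber is computed from the share name, share path and NetBIOS name; please update or drop it. ksmbd_netbios_name() is called twice for the same string, so keep the pointer in a local and take strlen() once. The commit message calls the result unique, but a CRC32 over three configuration strings can collide between shares, so it would help to say that the value is meant as a client cache key and not as an identity guarantee.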
From patchwork Mon Nov 14 12:53:33 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Jason Yan <yanaijie(a)huawei.com>
X-Patchwork-Id: 183401
From: Jason Yan <yanaijie(a)huawei.com>
To: <yanaijie(a)huawei.com>, <zhengzengkai(a)huawei.com>, <xiexiuqi(a)huawei.com>,
<yi.zhang(a)huawei.com>, <patchwork(a)huawei.com>, <kernel.openeuler(a)huawei.com>,
<houtao1(a)huawei.com>
Subject: [PATCH OLK-5.10 v2 304/308] ksmbd: add support for smb2 max credit
parameter
Date: Mon, 14 Nov 2022 20:53:33 +0800
Message-ID: <20221114125337.1831594-305-yanaijie(a)huawei.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20221114125337.1831594-1-yanaijie(a)huawei.com>
References: <20221114125337.1831594-1-yanaijie(a)huawei.com>
From: Namjae Jeon <linkinjeon(a)kernel.org>
mainline inclusion
from mainline-5.17-rc1
commit 004443b3f6d722b455cf963ed7c3edd7f4772405
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G
CVE: NA
Reference: https://git.kernel.org/torvalds/linux/c/004443b3f6d7
-------------------------------
Add smb2 max credits parameter to adjust maximum credits value to limit
number of outstanding requests.
Signed-off-by: Namjae Jeon <linkinjeon(a)kernel.org>
Signed-off-by: Steve French <stfrench(a)microsoft.com>
Signed-off-by: Jason Yan <yanaijie(a)huawei.com>
---
fs/ksmbd/connection.h | 1 -
fs/ksmbd/ksmbd_netlink.h | 1 +
fs/ksmbd/smb2misc.c | 2 +-
fs/ksmbd/smb2ops.c | 16 ++++++++++++----
fs/ksmbd/smb2pdu.c | 8 ++++----
fs/ksmbd/smb2pdu.h | 1 +
fs/ksmbd/smb_common.h | 1 +
fs/ksmbd/transport_ipc.c | 2 ++
8 files changed, 22 insertions(+), 10 deletions(-)
diff --git a/fs/ksmbd/connection.h b/fs/ksmbd/connection.h
index 6aa72b17c3eb..b50c33bd1315 100644
--- a/fs/ksmbd/connection.h
+++ b/fs/ksmbd/connection.h
@@ -55,7 +55,6 @@ struct ksmbd_conn {
/* References which are made for this Server object*/
atomic_t r_count;
unsigned short total_credits;
- unsigned short max_credits;
spinlock_t credits_lock;
wait_queue_head_t req_running_q;
wait_queue_head_t r_count_q;
diff --git a/fs/ksmbd/ksmbd_netlink.h b/fs/ksmbd/ksmbd_netlink.h
index c6718a05d347..a5c2861792ae 100644
--- a/fs/ksmbd/ksmbd_netlink.h
+++ b/fs/ksmbd/ksmbd_netlink.h
@@ -103,6 +103,7 @@ struct ksmbd_startup_request {
* we set the SPARSE_FILES bit (0x40).
*/
__u32 sub_auth[3]; /* Subauth value for Security ID */
+ __u32 smb2_max_credits; /* MAX credits */
__u32 ifc_list_sz; /* interfaces list size */
__s8 ____payload[];
};
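Review bot: smb2_max_credits is inserted in the middle of struct ksmbd_startup_request, ahead of ifc_list_sz and the flexible ____payload[] member, which shifts the offsets of both for any user-space sender built against the old layout. Since this structure crosses the kernel/user boundary, please state which ksmbd-tools version matches the new layout and whether a version check rejects an older daemon, so that an old sender's ifc_list_sz is not read as the credit limit.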
diff --git a/fs/ksmbd/smb2misc.c b/fs/ksmbd/smb2misc.c
index faaeacd8ea55..df09a1bd4981 100644
--- a/fs/ksmbd/smb2misc.c
+++ b/fs/ksmbd/smb2misc.c
@@ -322,7 +322,7 @@ static int smb2_validate_credit_charge(struct ksmbd_conn *conn,
ksmbd_debug(SMB, "Insufficient credit charge, given: %d, needed: %d\n",
credit_charge, calc_credit_num);
return 1;
- } else if (credit_charge > conn->max_credits) {
+ } else if (credit_charge > conn->vals->max_credits) {
ksmbd_debug(SMB, "Too large credit charge: %d\n", credit_charge);
return 1;
}
diff --git a/fs/ksmbd/smb2ops.c b/fs/ksmbd/smb2ops.c
index 2a6205103df2..f0a5b704f301 100644
--- a/fs/ksmbd/smb2ops.c
+++ b/fs/ksmbd/smb2ops.c
@@ -20,6 +20,7 @@ static struct smb_version_values smb21_server_values = {
.max_read_size = SMB21_DEFAULT_IOSIZE,
.max_write_size = SMB21_DEFAULT_IOSIZE,
.max_trans_size = SMB21_DEFAULT_IOSIZE,
+ .max_credits = SMB2_MAX_CREDITS,
.large_lock_type = 0,
.exclusive_lock_type = SMB2_LOCKFLAG_EXCLUSIVE,
.shared_lock_type = SMB2_LOCKFLAG_SHARED,
@@ -45,6 +46,7 @@ static struct smb_version_values smb30_server_values = {
.max_read_size = SMB3_DEFAULT_IOSIZE,
.max_write_size = SMB3_DEFAULT_IOSIZE,
.max_trans_size = SMB3_DEFAULT_TRANS_SIZE,
+ .max_credits = SMB2_MAX_CREDITS,
.large_lock_type = 0,
.exclusive_lock_type = SMB2_LOCKFLAG_EXCLUSIVE,
.shared_lock_type = SMB2_LOCKFLAG_SHARED,
@@ -71,6 +73,7 @@ static struct smb_version_values smb302_server_values = {
.max_read_size = SMB3_DEFAULT_IOSIZE,
.max_write_size = SMB3_DEFAULT_IOSIZE,
.max_trans_size = SMB3_DEFAULT_TRANS_SIZE,
+ .max_credits = SMB2_MAX_CREDITS,
.large_lock_type = 0,
.exclusive_lock_type = SMB2_LOCKFLAG_EXCLUSIVE,
.shared_lock_type = SMB2_LOCKFLAG_SHARED,
@@ -97,6 +100,7 @@ static struct smb_version_values smb311_server_values = {
.max_read_size = SMB3_DEFAULT_IOSIZE,
.max_write_size = SMB3_DEFAULT_IOSIZE,
.max_trans_size = SMB3_DEFAULT_TRANS_SIZE,
+ .max_credits = SMB2_MAX_CREDITS,
.large_lock_type = 0,
.exclusive_lock_type = SMB2_LOCKFLAG_EXCLUSIVE,
.shared_lock_type = SMB2_LOCKFLAG_SHARED,
@@ -198,7 +202,6 @@ void init_smb2_1_server(struct ksmbd_conn *conn)
conn->ops = &smb2_0_server_ops;
conn->cmds = smb2_0_server_cmds;
conn->max_cmds = ARRAY_SIZE(smb2_0_server_cmds);
- conn->max_credits = SMB2_MAX_CREDITS;
conn->signing_algorithm = SIGNING_ALG_HMAC_SHA256;
if (server_conf.flags & KSMBD_GLOBAL_FLAG_SMB2_LEASES)
@@ -216,7 +219,6 @@ void init_smb3_0_server(struct ksmbd_conn *conn)
conn->ops = &smb3_0_server_ops;
conn->cmds = smb2_0_server_cmds;
conn->max_cmds = ARRAY_SIZE(smb2_0_server_cmds);
- conn->max_credits = SMB2_MAX_CREDITS;
conn->signing_algorithm = SIGNING_ALG_AES_CMAC;
if (server_conf.flags & KSMBD_GLOBAL_FLAG_SMB2_LEASES)
@@ -241,7 +243,6 @@ void init_smb3_02_server(struct ksmbd_conn *conn)
conn->ops = &smb3_0_server_ops;
conn->cmds = smb2_0_server_cmds;
conn->max_cmds = ARRAY_SIZE(smb2_0_server_cmds);
- conn->max_credits = SMB2_MAX_CREDITS;
conn->signing_algorithm = SIGNING_ALG_AES_CMAC;
if (server_conf.flags & KSMBD_GLOBAL_FLAG_SMB2_LEASES)
@@ -266,7 +267,6 @@ int init_smb3_11_server(struct ksmbd_conn *conn)
conn->ops = &smb3_11_server_ops;
conn->cmds = smb2_0_server_cmds;
conn->max_cmds = ARRAY_SIZE(smb2_0_server_cmds);
- conn->max_credits = SMB2_MAX_CREDITS;
conn->signing_algorithm = SIGNING_ALG_AES_CMAC;
if (server_conf.flags & KSMBD_GLOBAL_FLAG_SMB2_LEASES)
@@ -305,3 +305,11 @@ void init_smb2_max_trans_size(unsigned int sz)
smb302_server_values.max_trans_size = sz;
smb311_server_values.max_trans_size = sz;
}
+
+void init_smb2_max_credits(unsigned int sz)
+{
+ smb21_server_values.max_credits = sz;
+ smb30_server_values.max_credits = sz;
+ smb302_server_values.max_credits = sz;
+ smb311_server_values.max_credits = sz;
+}
diff --git a/fs/ksmbd/smb2pdu.c b/fs/ksmbd/smb2pdu.c
index 31947a994a8d..e397476641ee 100644
--- a/fs/ksmbd/smb2pdu.c
+++ b/fs/ksmbd/smb2pdu.c
@@ -309,7 +309,7 @@ int smb2_set_rsp_credits(struct ksmbd_work *work)
hdr->CreditCharge = req_hdr->CreditCharge;
- if (conn->total_credits > conn->max_credits) {
+ if (conn->total_credits > conn->vals->max_credits) {
hdr->CreditRequest = 0;
pr_err("Total credits overflow: %d\n", conn->total_credits);
return -EINVAL;
@@ -330,12 +330,12 @@ int smb2_set_rsp_credits(struct ksmbd_work *work)
if (hdr->Command == SMB2_NEGOTIATE)
aux_max = 0;
else
- aux_max = conn->max_credits - credit_charge;
+ aux_max = conn->vals->max_credits - credit_charge;
aux_credits = min_t(unsigned short, aux_credits, aux_max);
credits_granted = credit_charge + aux_credits;
- if (conn->max_credits - conn->total_credits < credits_granted)
- credits_granted = conn->max_credits -
+ if (conn->vals->max_credits - conn->total_credits < credits_granted)
+ credits_granted = conn->vals->max_credits -
conn->total_credits;
conn->total_credits += credits_granted;
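Review bot: max_credits is now a __u32 in struct smb_version_values, but the arithmetic in this hunk still narrows to 16 bits: min_t(unsigned short, aux_credits, aux_max) casts both operands, so a configured limit above 65535 would be truncated before it is applied. Either keep the limit within the 16-bit range of the CreditCharge and CreditRequest header fields when it is set, or widen the locals. The unsigned subtraction conn->vals->max_credits - conn->total_credits relies on the earlier total_credits > max_credits check in this function to avoid wrapping; a short comment saying so would help.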
diff --git a/fs/ksmbd/smb2pdu.h b/fs/ksmbd/smb2pdu.h
index 940ec510d3e2..9018d919cdd8 100644
--- a/fs/ksmbd/smb2pdu.h
+++ b/fs/ksmbd/smb2pdu.h
@@ -1636,6 +1636,7 @@ int init_smb3_11_server(struct ksmbd_conn *conn);
void init_smb2_max_read_size(unsigned int sz);
void init_smb2_max_write_size(unsigned int sz);
void init_smb2_max_trans_size(unsigned int sz);
+void init_smb2_max_credits(unsigned int sz);
bool is_smb2_neg_cmd(struct ksmbd_work *work);
bool is_smb2_rsp(struct ksmbd_work *work);
diff --git a/fs/ksmbd/smb_common.h b/fs/ksmbd/smb_common.h
index da3dd29079a2..fe498fd6343c 100644
--- a/fs/ksmbd/smb_common.h
+++ b/fs/ksmbd/smb_common.h
@@ -412,6 +412,7 @@ struct smb_version_values {
__u32 max_read_size;
__u32 max_write_size;
__u32 max_trans_size;
+ __u32 max_credits;
__u32 large_lock_type;
__u32 exclusive_lock_type;
__u32 shared_lock_type;
diff --git a/fs/ksmbd/transport_ipc.c b/fs/ksmbd/transport_ipc.c
index 1acf1892a466..3ad6881e0f7e 100644
--- a/fs/ksmbd/transport_ipc.c
+++ b/fs/ksmbd/transport_ipc.c
@@ -301,6 +301,8 @@ static int ipc_server_config_on_startup(struct ksmbd_startup_request *req)
init_smb2_max_write_size(req->smb2_max_write);
if (req->smb2_max_trans)
init_smb2_max_trans_size(req->smb2_max_trans);
+ if (req->smb2_max_credits)
+ init_smb2_max_credits(req->smb2_max_credits);
ret = ksmbd_set_netbios_name(req->netbios_name);
ret |= ksmbd_set_server_string(req->server_string);
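Review bot: The only validation of req->smb2_max_credits is the non-zero test, so any other 32-bit value from the startup request is written straight into the four per-dialect tables. Please range-check it here against a documented upper bound before calling init_smb2_max_credits(), and log or reject out-of-range values so that a misconfigured daemon cannot silently lift the limit on outstanding requests.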
From patchwork Mon Nov 14 12:53:34 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Jason Yan <yanaijie(a)huawei.com>
X-Patchwork-Id: 183402
From: Jason Yan <yanaijie(a)huawei.com>
To: <yanaijie(a)huawei.com>, <zhengzengkai(a)huawei.com>, <xiexiuqi(a)huawei.com>,
<yi.zhang(a)huawei.com>, <patchwork(a)huawei.com>, <kernel.openeuler(a)huawei.com>,
<houtao1(a)huawei.com>
Subject: [PATCH OLK-5.10 v2 305/308] ksmbd: move credit charge deduction under
processing request
Date: Mon, 14 Nov 2022 20:53:34 +0800
Message-ID: <20221114125337.1831594-306-yanaijie(a)huawei.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20221114125337.1831594-1-yanaijie(a)huawei.com>
References: <20221114125337.1831594-1-yanaijie(a)huawei.com>
From: Namjae Jeon <linkinjeon(a)kernel.org>
mainline inclusion
from mainline-5.17-rc1
commit 914d7e5709ac59ded70bea7956d408fe2acd7c3c
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G
CVE: NA
Reference: https://git.kernel.org/torvalds/linux/c/914d7e5709ac
-------------------------------
Moves the credit charge deduction from total_credits under the processing
of a request. When repeating smb2 lock requests and other command requests,
there will be a problem that ->total_credits does not decrease.
Signed-off-by: Namjae Jeon <linkinjeon(a)kernel.org>
Signed-off-by: Steve French <stfrench(a)microsoft.com>
Signed-off-by: Jason Yan <yanaijie(a)huawei.com>
---
fs/ksmbd/smb2misc.c | 7 ++-----
fs/ksmbd/smb2pdu.c | 16 ++++++++++------
2 files changed, 12 insertions(+), 11 deletions(-)
diff --git a/fs/ksmbd/smb2misc.c b/fs/ksmbd/smb2misc.c
index df09a1bd4981..5dd91879e3d9 100644
--- a/fs/ksmbd/smb2misc.c
+++ b/fs/ksmbd/smb2misc.c
@@ -285,7 +285,7 @@ static int smb2_validate_credit_charge(struct ksmbd_conn *conn,
unsigned int req_len = 0, expect_resp_len = 0, calc_credit_num, max_len;
unsigned short credit_charge = le16_to_cpu(hdr->CreditCharge);
void *__hdr = hdr;
- int ret;
+ int ret = 0;
switch (hdr->Command) {
case SMB2_QUERY_INFO:
@@ -328,10 +328,7 @@ static int smb2_validate_credit_charge(struct ksmbd_conn *conn,
}
spin_lock(&conn->credits_lock);
- if (credit_charge <= conn->total_credits) {
- conn->total_credits -= credit_charge;
- ret = 0;
- } else {
+ if (credit_charge > conn->total_credits) {
ksmbd_debug(SMB, "Insufficient credits granted, given: %u, granted: %u\n",
credit_charge, conn->total_credits);
ret = 1;
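Review bot: With the deduction removed, this block only compares credit_charge with conn->total_credits under credits_lock and reserves nothing, so several requests validated back to back can each pass against the same balance before any of them is charged. Please explain in the commit message why that window is acceptable, or keep a reservation here and release it at response time.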
diff --git a/fs/ksmbd/smb2pdu.c b/fs/ksmbd/smb2pdu.c
index e397476641ee..1370fc6f1f0b 100644
--- a/fs/ksmbd/smb2pdu.c
+++ b/fs/ksmbd/smb2pdu.c
@@ -300,9 +300,8 @@ int smb2_set_rsp_credits(struct ksmbd_work *work)
struct smb2_hdr *req_hdr = ksmbd_req_buf_next(work);
struct smb2_hdr *hdr = ksmbd_resp_buf_next(work);
struct ksmbd_conn *conn = work->conn;
- unsigned short credits_requested;
+ unsigned short credits_requested, aux_max;
unsigned short credit_charge, credits_granted = 0;
- unsigned short aux_max, aux_credits;
if (work->send_no_response)
return 0;
@@ -317,6 +316,13 @@ int smb2_set_rsp_credits(struct ksmbd_work *work)
credit_charge = max_t(unsigned short,
le16_to_cpu(req_hdr->CreditCharge), 1);
+ if (credit_charge > conn->total_credits) {
+ ksmbd_debug(SMB, "Insufficient credits granted, given: %u, granted: %u\n",
+ credit_charge, conn->total_credits);
+ return -EINVAL;
+ }
+
+ conn->total_credits -= credit_charge;
credits_requested = max_t(unsigned short,
le16_to_cpu(req_hdr->CreditRequest), 1);
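Review bot: The new check and conn->total_credits -= credit_charge run without taking conn->credits_lock in the lines shown, while smb2_validate_credit_charge() reads the same field under that lock; unless the caller already holds it, the read-modify-write can race with validation of another request on the connection. The new error path also returns -EINVAL without setting hdr->CreditRequest = 0, unlike the "Total credits overflow" branch earlier in the function; please make the two consistent.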
@@ -326,13 +332,11 @@ int smb2_set_rsp_credits(struct ksmbd_work *work)
* TODO: Need to adjuct CreditRequest value according to
* current cpu load
*/
- aux_credits = credits_requested - 1;
if (hdr->Command == SMB2_NEGOTIATE)
- aux_max = 0;
+ aux_max = 1;
else
aux_max = conn->vals->max_credits - credit_charge;
- aux_credits = min_t(unsigned short, aux_credits, aux_max);
- credits_granted = credit_charge + aux_credits;
+ credits_granted = min_t(unsigned short, credits_requested, aux_max);
if (conn->vals->max_credits - conn->total_credits < credits_granted)
credits_granted = conn->vals->max_credits -
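Review bot: The grant formula changes in this hunk, which the commit message does not mention: the old code granted credit_charge + min(credits_requested - 1, aux_max), the new code grants min(credits_requested, aux_max), so the charge is no longer added on top of the request. For SMB2_NEGOTIATE aux_max goes from 0 to 1, which keeps the grant at one credit when the charge is one. Please describe the new formula in the message, and check that a request whose CreditRequest is below its CreditCharge still leaves the client enough credits to continue.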
From patchwork Mon Nov 14 12:53:35 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Jason Yan <yanaijie(a)huawei.com>
X-Patchwork-Id: 183403
From: Jason Yan <yanaijie(a)huawei.com>
To: <yanaijie(a)huawei.com>, <zhengzengkai(a)huawei.com>, <xiexiuqi(a)huawei.com>,
<yi.zhang(a)huawei.com>, <patchwork(a)huawei.com>, <kernel.openeuler(a)huawei.com>,
<houtao1(a)huawei.com>
Subject: [PATCH OLK-5.10 v2 306/308] ksmbd: limits exceeding the maximum
allowable outstanding requests
Date: Mon, 14 Nov 2022 20:53:35 +0800
Message-ID: <20221114125337.1831594-307-yanaijie(a)huawei.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20221114125337.1831594-1-yanaijie(a)huawei.com>
References: <20221114125337.1831594-1-yanaijie(a)huawei.com>
From: Namjae Jeon <linkinjeon(a)kernel.org>
mainline inclusion
from mainline-5.17-rc1
commit b589f5db6d4af8f14d70e31e1276b4c017668a26
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G
CVE: NA
Reference: https://git.kernel.org/torvalds/linux/c/b589f5db6d4a
-------------------------------
If the client ignores the CreditResponse received from the server and
continues to send the request, ksmbd limits the requests if it exceeds
smb2 max credits.
Signed-off-by: Namjae Jeon <linkinjeon(a)kernel.org>
Signed-off-by: Steve French <stfrench(a)microsoft.com>
Signed-off-by: Jason Yan <yanaijie(a)huawei.com>
---
fs/ksmbd/connection.c | 1 +
fs/ksmbd/connection.h | 3 ++-
fs/ksmbd/smb2misc.c | 9 +++++++++
fs/ksmbd/smb2pdu.c | 1 +
4 files changed, 13 insertions(+), 1 deletion(-)
diff --git a/fs/ksmbd/connection.c b/fs/ksmbd/connection.c
index cdb029e4fae5..8e15ec9e8f43 100644
--- a/fs/ksmbd/connection.c
+++ b/fs/ksmbd/connection.c
@@ -63,6 +63,7 @@ struct ksmbd_conn *ksmbd_conn_alloc(void)
atomic_set(&conn->req_running, 0);
atomic_set(&conn->r_count, 0);
conn->total_credits = 1;
+ conn->outstanding_credits = 1;
init_waitqueue_head(&conn->req_running_q);
init_waitqueue_head(&conn->r_count_q);
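Review bot: outstanding_credits starts at 1 although no request has been charged yet, so with the += in smb2_validate_credit_charge() and the -= in smb2_set_rsp_credits() the counter stays one above the real number of in-flight credits and the effective limit becomes max_credits - 1. Please initialise it to 0, or add a comment explaining what the initial credit accounts for.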
diff --git a/fs/ksmbd/connection.h b/fs/ksmbd/connection.h
index b50c33bd1315..f803e3e60d34 100644
--- a/fs/ksmbd/connection.h
+++ b/fs/ksmbd/connection.h
@@ -54,7 +54,8 @@ struct ksmbd_conn {
atomic_t req_running;
/* References which are made for this Server object*/
atomic_t r_count;
- unsigned short total_credits;
+ unsigned int total_credits;
+ unsigned int outstanding_credits;
spinlock_t credits_lock;
wait_queue_head_t req_running_q;
wait_queue_head_t r_count_q;
diff --git a/fs/ksmbd/smb2misc.c b/fs/ksmbd/smb2misc.c
index 5dd91879e3d9..81b227034865 100644
--- a/fs/ksmbd/smb2misc.c
+++ b/fs/ksmbd/smb2misc.c
@@ -333,7 +333,16 @@ static int smb2_validate_credit_charge(struct ksmbd_conn *conn,
credit_charge, conn->total_credits);
ret = 1;
}
+
+ if ((u64)conn->outstanding_credits + credit_charge > conn->vals->max_credits) {
+ ksmbd_debug(SMB, "Limits exceeding the maximum allowable outstanding requests, given : %u, pending : %u\n",
+ credit_charge, conn->outstanding_credits);
+ ret = 1;
+ } else
+ conn->outstanding_credits += credit_charge;
+
spin_unlock(&conn->credits_lock);
+
return ret;
}
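Review bot: The new outstanding_credits test runs even when the total_credits check just above has already set ret = 1, so a request that is about to be rejected still takes the else branch and adds its charge to the counter. Skip the increment when ret is non-zero; unless a rejected request still reaches the matching decrement in smb2_set_rsp_credits(), the counter only grows until valid requests are refused. Style: the else needs braces because the if branch has them.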
diff --git a/fs/ksmbd/smb2pdu.c b/fs/ksmbd/smb2pdu.c
index 1370fc6f1f0b..5a7eab3991db 100644
--- a/fs/ksmbd/smb2pdu.c
+++ b/fs/ksmbd/smb2pdu.c
@@ -323,6 +323,7 @@ int smb2_set_rsp_credits(struct ksmbd_work *work)
}
conn->total_credits -= credit_charge;
+ conn->outstanding_credits -= credit_charge;
credits_requested = max_t(unsigned short,
le16_to_cpu(req_hdr->CreditRequest), 1);
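Review bot: This is the only decrement of outstanding_credits, and it sits after the early return for work->send_no_response and after the two -EINVAL returns in this function, so a request that was counted at validation but leaves by one of those paths is never released. Please move the release to a point every validated request passes through, and take conn->credits_lock around it to match the increment.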
From patchwork Mon Nov 14 12:53:36 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Jason Yan <yanaijie(a)huawei.com>
X-Patchwork-Id: 183404
From: Jason Yan <yanaijie(a)huawei.com>
To: <yanaijie(a)huawei.com>, <zhengzengkai(a)huawei.com>, <xiexiuqi(a)huawei.com>,
<yi.zhang(a)huawei.com>, <patchwork(a)huawei.com>, <kernel.openeuler(a)huawei.com>,
<houtao1(a)huawei.com>
Subject: [PATCH OLK-5.10 v2 307/308] ksmbd: add reserved room in ipc
request/response
Date: Mon, 14 Nov 2022 20:53:36 +0800
Message-ID: <20221114125337.1831594-308-yanaijie(a)huawei.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20221114125337.1831594-1-yanaijie(a)huawei.com>
References: <20221114125337.1831594-1-yanaijie(a)huawei.com>
From: Namjae Jeon <linkinjeon(a)kernel.org>
mainline inclusion
from mainline-5.17-rc1
commit 41dbda16a0902798e732abc6599de256b9dc3b27
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G
CVE: NA
Reference: https://git.kernel.org/torvalds/linux/c/41dbda16a090
-------------------------------
Whenever a new parameter is added to the smb configuration, it is possible
to break the execution of the IPC daemon by a mismatched size of
request/response. This patch tries to reserve space in the ipc request/response
in advance to prevent that.
Signed-off-by: Namjae Jeon <linkinjeon(a)kernel.org>
Signed-off-by: Steve French <stfrench(a)microsoft.com>
Signed-off-by: Jason Yan <yanaijie(a)huawei.com>
---
fs/ksmbd/ksmbd_netlink.h | 11 ++++++++++-
1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/fs/ksmbd/ksmbd_netlink.h b/fs/ksmbd/ksmbd_netlink.h
index a5c2861792ae..71bfb7de4472 100644
--- a/fs/ksmbd/ksmbd_netlink.h
+++ b/fs/ksmbd/ksmbd_netlink.h
@@ -104,6 +104,7 @@ struct ksmbd_startup_request {
*/
__u32 sub_auth[3]; /* Subauth value for Security ID */
__u32 smb2_max_credits; /* MAX credits */
+ __u32 reserved[128]; /* Reserved room */
__u32 ifc_list_sz; /* interfaces list size */
__s8 ____payload[];
};
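Review bot: reserved[128] is inserted before ifc_list_sz rather than at the end of the fixed part of struct ksmbd_startup_request, so the offsets of ifc_list_sz and ____payload move by 512 bytes and an IPC daemon built against the old header will be misparsed. The patch touches only this header and changes no version constant, so neither side can detect the mismatch; bump the netlink interface version in the same change, and document that reserved must be zero so the space can actually be reused later.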
@@ -114,7 +115,7 @@ struct ksmbd_startup_request {
* IPC request to shutdown ksmbd server.
*/
struct ksmbd_shutdown_request {
- __s32 reserved;
+ __s32 reserved[16];
};
/*
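Review bot: in struct ksmbd_shutdown_request this is the only reserved array declared __s32 and the only one without a comment; every other array added by the patch is __u32 with /* Reserved room */. Use __u32 reserved[16]; with the same comment so the reserved fields are uniform across the header.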
@@ -123,6 +124,7 @@ struct ksmbd_shutdown_request {
struct ksmbd_login_request {
__u32 handle;
__s8 account[KSMBD_REQ_MAX_ACCOUNT_NAME_SZ]; /* user account name */
+ __u32 reserved[16]; /* Reserved room */
};
/*
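Review bot: struct ksmbd_login_request gains 64 reserved bytes after account[], but the patch adds no code that fills them. If this struct is built by the kernel and sent to the daemon, confirm that the message buffer is zero-initialised when it is allocated; otherwise the reserved area carries stale kernel memory to userspace. The same question applies to the other request structs that get a reserved tail.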
@@ -136,6 +138,7 @@ struct ksmbd_login_response {
__u16 status;
__u16 hash_sz; /* hash size */
__s8 hash[KSMBD_REQ_MAX_HASH_SZ]; /* password hash */
+ __u32 reserved[16]; /* Reserved room */
};
/*
@@ -144,6 +147,7 @@ struct ksmbd_login_response {
struct ksmbd_share_config_request {
__u32 handle;
__s8 share_name[KSMBD_REQ_MAX_SHARE_NAME]; /* share name */
+ __u32 reserved[16]; /* Reserved room */
};
/*
@@ -158,6 +162,7 @@ struct ksmbd_share_config_response {
__u16 force_directory_mode;
__u16 force_uid;
__u16 force_gid;
+ __u32 reserved[128]; /* Reserved room */
__u32 veto_list_sz;
__s8 ____payload[];
};
@@ -188,6 +193,7 @@ struct ksmbd_tree_connect_request {
__s8 account[KSMBD_REQ_MAX_ACCOUNT_NAME_SZ];
__s8 share[KSMBD_REQ_MAX_SHARE_NAME];
__s8 peer_addr[64];
+ __u32 reserved[16]; /* Reserved room */
};
/*
@@ -197,6 +203,7 @@ struct ksmbd_tree_connect_response {
__u32 handle;
__u16 status;
__u16 connection_flags;
+ __u32 reserved[16]; /* Reserved room */
};
/*
@@ -205,6 +212,7 @@ struct ksmbd_tree_connect_response {
struct ksmbd_tree_disconnect_request {
__u64 session_id; /* session id */
__u64 connect_id; /* tree connection id */
+ __u32 reserved[16]; /* Reserved room */
};
/*
@@ -213,6 +221,7 @@ struct ksmbd_tree_disconnect_request {
struct ksmbd_logout_request {
__s8 account[KSMBD_REQ_MAX_ACCOUNT_NAME_SZ]; /* user account name */
__u32 account_flags;
+ __u32 reserved[16]; /* Reserved room */
};
/*
From patchwork Mon Nov 14 12:53:37 2022
X-Patchwork-Submitter: Jason Yan <yanaijie(a)huawei.com>
X-Patchwork-Id: 183405
From: Jason Yan <yanaijie(a)huawei.com>
To: <yanaijie(a)huawei.com>, <zhengzengkai(a)huawei.com>, <xiexiuqi(a)huawei.com>,
<yi.zhang(a)huawei.com>, <patchwork(a)huawei.com>, <kernel.openeuler(a)huawei.com>,
<houtao1(a)huawei.com>
Subject: [PATCH OLK-5.10 v2 308/308] vfs: Check the truncate maximum size in
inode_newsize_ok()
Date: Mon, 14 Nov 2022 20:53:37 +0800
Message-ID: <20221114125337.1831594-309-yanaijie(a)huawei.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20221114125337.1831594-1-yanaijie(a)huawei.com>
References: <20221114125337.1831594-1-yanaijie(a)huawei.com>
From: David Howells <dhowells(a)redhat.com>
mainline inclusion
from mainline-6.0-rc1
commit e2ebff9c57fe4eb104ce4768f6ebcccf76bef849
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G
CVE: NA
Reference: https://git.kernel.org/torvalds/linux/c/e2ebff9c57fe
-------------------------------
If something manages to set the maximum file size to MAX_OFFSET+1, this
can cause the xfs and ext4 filesystems at least to become corrupt.
Ordinarily, the kernel protects against userspace trying this by
checking the value early in the truncate() and ftruncate() system calls
- but there are at least two places that this check is bypassed:
(1) Cachefiles will round up the EOF of the backing file to DIO block
size so as to allow DIO on the final block - but this might push
the offset negative. It then calls notify_change(), but this
inadvertently bypasses the checking. This can be triggered if
someone puts an 8EiB-1 file on a server for someone else to try and
access by, say, nfs.
(2) ksmbd doesn't check the value it is given in set_end_of_file_info()
and then calls vfs_truncate() directly - which also bypasses the
check.
In both cases, it is potentially possible for a network filesystem to
cause a disk filesystem to be corrupted: cachefiles in the client's
cache filesystem; ksmbd in the server's filesystem.
nfsd is okay as it checks the value, but we can then remove this check
too.
Fix this by adding a check to inode_newsize_ok(), as called from
setattr_prepare(), thereby catching the issue as filesystems set up to
perform the truncate with minimal opportunity for bypassing the new
check.
Fixes: 1f08c925e7a3 ("cachefiles: Implement backing file wrangling")
Fixes: f44158485826 ("cifsd: add file operations")
Signed-off-by: David Howells <dhowells(a)redhat.com>
Reported-by: Jeff Layton <jlayton(a)kernel.org>
Tested-by: Jeff Layton <jlayton(a)kernel.org>
Reviewed-by: Namjae Jeon <linkinjeon(a)kernel.org>
Cc: stable(a)kernel.org
Acked-by: Alexander Viro <viro(a)zeniv.linux.org.uk>
cc: Steve French <sfrench(a)samba.org>
cc: Hyunchul Lee <hyc.lee(a)gmail.com>
cc: Chuck Lever <chuck.lever(a)oracle.com>
cc: Dave Wysochanski <dwysocha(a)redhat.com>
Signed-off-by: Linus Torvalds <torvalds(a)linux-foundation.org>
Signed-off-by: Jason Yan <yanaijie(a)huawei.com>
---
fs/attr.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/fs/attr.c b/fs/attr.c
index b4bbdbd4c8ca..848ffe6e3c24 100644
--- a/fs/attr.c
+++ b/fs/attr.c
@@ -134,6 +134,8 @@ EXPORT_SYMBOL(setattr_prepare);
*/
int inode_newsize_ok(const struct inode *inode, loff_t offset)
{
+ if (offset < 0)
+ return -EINVAL;
if (inode->i_size < offset) {
unsigned long limit;
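Review bot: the new offset < 0 test at the top of inode_newsize_ok() has no comment, and a negative loff_t looks impossible to a reader who only knows the truncate()/ftruncate() entry points. Add a one-line comment naming the callers that bypass the syscall-level check (cachefiles rounding up EOF, ksmbd's set_end_of_file_info()), and mention the -EINVAL return in the function's comment block that ends just above.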

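The bypass described in the vfs commit message above, as an added userspace model (not kernel code and not part of the patch). The names `model_loff_t`, `round_up_eof`, `newsize_ok_before` and `newsize_ok_after` are hypothetical, a 4096-byte DIO block is assumed, and the rlimit and swapfile checks of the real function are left out.

```c
/* Added illustration: userspace model of the size check, not kernel code. */
#include <errno.h>
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>

/* Stand-in for loff_t: a signed 64-bit file offset (assumption of this model). */
typedef int64_t model_loff_t;

/*
 * Round eof up to a power-of-two block size, which is what the commit
 * message says cachefiles does before calling notify_change(). The
 * arithmetic is done in uint64_t so the wrap is well defined; converting
 * the result back to a signed type wraps on two's-complement compilers.
 */
model_loff_t round_up_eof(model_loff_t eof, uint64_t blksz)
{
    uint64_t rounded = ((uint64_t)eof + blksz - 1) & ~(blksz - 1);

    return (model_loff_t)rounded;
}

/*
 * Size check without the new test. Only a growing file is examined, so a
 * negative offset compares as "smaller than i_size", is treated like a
 * shrink, and is accepted.
 */
int newsize_ok_before(model_loff_t i_size, model_loff_t offset,
                      model_loff_t s_maxbytes)
{
    if (i_size < offset) {
        if (offset > s_maxbytes)
            return -EFBIG;
    }
    return 0;
}

/* Size check with the two added lines: negative offsets are refused first. */
int newsize_ok_after(model_loff_t i_size, model_loff_t offset,
                     model_loff_t s_maxbytes)
{
    if (offset < 0)
        return -EINVAL;
    return newsize_ok_before(i_size, offset, s_maxbytes);
}

int main(void)
{
    /* Constructed input: a file of 8EiB-1 bytes, the case named in the message. */
    model_loff_t i_size = INT64_MAX;
    model_loff_t rounded = round_up_eof(i_size, 4096);

    printf("rounded EOF      : %" PRId64 "\n", rounded);
    printf("check before fix : %d\n",
           newsize_ok_before(i_size, rounded, INT64_MAX));
    printf("check after fix  : %d\n",
           newsize_ok_after(i_size, rounded, INT64_MAX));
    return 0;
}
```
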
[PATCH openEuler-1.0-LTS] block: check flags of claimed slave bdev to fix uaf for bd_holder_dir
by Yongqiang Liu 15 Nov '22
From: Li Lingfeng <lilingfeng3(a)huawei.com>
hulk inclusion
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/I60QE9
CVE: NA
--------------------------------
As explained in 0eb440122f89 ("block: fix use after free for
bd_holder_dir"), we should make sure the "disk" is still live and
then grab a reference to 'bd_holder_dir'. However, the "disk"
should be "the claimed slave bdev" rather than "the holding disk".
Fixes: 0eb440122f89 ("block: fix use after free for bd_holder_dir")
Signed-off-by: Li Lingfeng <lilingfeng3(a)huawei.com>
Reviewed-by: Yu Kuai <yukuai3(a)huawei.com>
Reviewed-by: Jason Yan <yanaijie(a)huawei.com>
Signed-off-by: Yongqiang Liu <liuyongqiang13(a)huawei.com>
---
fs/block_dev.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/fs/block_dev.c b/fs/block_dev.c
index f2932e84055d..2680092c022d 100644
--- a/fs/block_dev.c
+++ b/fs/block_dev.c
@@ -1310,7 +1310,7 @@ int bd_link_disk_holder(struct block_device *bdev, struct gendisk *disk)
* the holder directory. Hold on to it.
*/
down_read(&bdev->bd_disk->lookup_sem);
- if (!(disk->flags & GENHD_FL_UP)) {
+ if (!(bdev->bd_disk->flags & GENHD_FL_UP)) {
up_read(&bdev->bd_disk->lookup_sem);
return -ENODEV;
}
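Review bot: with the test switched to bdev->bd_disk->flags, the disk argument is no longer checked for GENHD_FL_UP anywhere in this hunk, and the comment above still only says "the holder directory. Hold on to it." Extend that comment to state that the liveness check applies to the claimed slave bdev's disk, the same one whose lookup_sem is held, so that a later reader does not change it back to the holding disk.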
--
2.25.1
With the increase of memory capacity and density, the probability of
memory error increases. The increasing size and density of server RAM
in the data center and cloud have shown increased uncorrectable memory
errors.
Currently, the kernel has a mechanism to recover from hardware memory
errors. This patchset provides a new recovery mechanism.
For arm64, hardware memory errors are handled in do_sea(), which is divided
into two cases:
1. User state consumed the memory error: the solution is to kill the
user process and isolate the error page.
2. Kernel state consumed the memory error: the solution is to panic.
For case 2, an undifferentiated panic may not be the optimal choice; it can be
handled better. In some scenarios, such as uaccess, we can avoid the panic: if the
uaccess fails due to a memory error, only the user process is affected, so
killing the user process and isolating the user page with hardware memory errors
is a better choice.
Tong Tiangen (14):
Revert "arm64: ras: copy_from_user scenario support uce kernel
recovery"
Revert "arm64: config: enable CONFIG_ARM64_UCE_KERNEL_RECOVERY"
uaccess: add generic fallback version of copy_mc_to_user()
arm64: extable: add new extable type "__mc_ex_table"
arm64: add support for machine check error safe
arm64: copy_form/to_user support machine check safe
arm64: get/put_user support machine check safe
arm64: add cow to machine check safe
arm64: introduce copy_mc_to_kernel() implementation
arm64: add dump_user_range() to machine check safe
arm64: add machine check safe sysctl interface
arm64/__mc_ex_table: search_module_mc_extables should not use
num_exentries
arm64/__mc_ex_table: fix compile error when CONFIG_ARCH_HAS_COPY_MC=n
arm64/__mc_ex_table: fix __mc_ex_table do_sort() issue
Documentation/admin-guide/sysctl/kernel.rst | 38 ++--
arch/arm64/Kconfig | 14 +-
arch/arm64/configs/openeuler_defconfig | 1 -
arch/arm64/include/asm/asm-uaccess.h | 5 +
arch/arm64/include/asm/assembler.h | 26 ++-
arch/arm64/include/asm/exception.h | 13 --
arch/arm64/include/asm/extable.h | 1 +
arch/arm64/include/asm/mte.h | 4 +
arch/arm64/include/asm/page.h | 10 +
arch/arm64/include/asm/processor.h | 2 +
arch/arm64/include/asm/string.h | 5 +
arch/arm64/include/asm/uaccess.h | 70 +++++--
arch/arm64/lib/Makefile | 10 +-
arch/arm64/lib/copy_from_user.S | 19 +-
arch/arm64/lib/copy_page_mc.S | 80 ++++++++
arch/arm64/lib/copy_to_user.S | 10 +-
arch/arm64/lib/memcpy_mc.S | 73 ++++++++
arch/arm64/lib/mte.S | 19 ++
arch/arm64/mm/Makefile | 2 -
arch/arm64/mm/copypage.c | 37 +++-
arch/arm64/mm/extable.c | 12 ++
arch/arm64/mm/fault.c | 36 +++-
arch/arm64/mm/uce_kernel_recovery.c | 198 --------------------
arch/powerpc/include/asm/uaccess.h | 1 +
arch/x86/include/asm/uaccess.h | 1 +
fs/coredump.c | 2 +
include/asm-generic/vmlinux.lds.h | 19 +-
include/linux/extable.h | 23 +++
include/linux/highmem.h | 8 +
include/linux/module.h | 11 ++
include/linux/sched.h | 1 +
include/linux/uaccess.h | 9 +
kernel/extable.c | 29 +++
kernel/module.c | 38 ++++
kernel/sysctl.c | 11 ++
lib/iov_iter.c | 12 +-
mm/memory.c | 2 +-
scripts/sorttable.h | 27 +++
38 files changed, 583 insertions(+), 296 deletions(-)
create mode 100644 arch/arm64/lib/copy_page_mc.S
create mode 100644 arch/arm64/lib/memcpy_mc.S
delete mode 100644 arch/arm64/mm/uce_kernel_recovery.c
--
2.25.1
From: Zhang Jian <zhangjian210(a)huawei.com>
It includes these patches:
Six patches for sharepool bugfix and ascend feature
One patch for gic bugfix
One patch for adding ascend characteristic switch
One patch for export some interface for ascend
Guo Mengqi (1):
sharepool: fix sp_alloc_populate no fallocate bug
Wang Wensheng (1):
ascend/arm64: Add ascend_enable_all kernel parameter
Xu Qiang (2):
irq-gic-v3: Fix too large cpu_count
mm/sharepool: Fix add group failed with errno 28
Yuan Can (1):
ascend: export interfaces required by ascend drivers
Zhang Zekun (2):
mm/sharepool: Use "tgid" instead of "pid" to find a task
mm: sharepool: Fix static check warning
Zhou Guanghui (2):
mm: fix alloc CDM node memory for MPOL_BIND
mm: fix ignore cpuset enforcement
arch/arm64/kernel/cpufeature.c | 2 +-
arch/arm64/mm/init.c | 42 ++++++++++
drivers/irqchip/irq-gic-v3-its.c | 10 +++
include/linux/share_pool.h | 28 +++----
kernel/exit.c | 8 ++
kernel/fork.c | 4 -
kernel/power/autosleep.c | 1 +
kernel/workqueue.c | 3 +
mm/hugetlb.c | 2 +-
mm/memcontrol.c | 2 +-
mm/oom_kill.c | 1 +
mm/page_alloc.c | 6 +-
mm/share_pool.c | 136 ++++++++++++++-----------------
mm/vmalloc.c | 3 +
14 files changed, 152 insertions(+), 96 deletions(-)
--
2.17.1
Hello!
The openEuler Kernel SIG invites you to attend a Zoom meeting (automatically recorded) to be held at 2022-11-18 14:00.
Meeting subject: openEuler Kernel SIG biweekly meeting
Agenda:
1. Progress update
2. Call for topics
Everyone is welcome to propose topics (new topics can be submitted by replying to this email or by adding them to the meeting board).
Meeting link: https://us06web.zoom.us/j/87237435945?pwd=OGJBQS9OYnNuNEpHRmZLZ2ptcENZUT09
Meeting minutes and topics: https://etherpad.openeuler.org/p/Kernel-meetings
Note: You are advised to change your participant name after joining the meeting, or use your ID at gitee.com.
More information: https://openeuler.org/zh/ (Chinese), https://openeuler.org/en/ (English)

[PATCH openEuler-1.0-LTS 1/2] Revert "block: Fix UAF in bd_link_disk_holder()"
by Yongqiang Liu 14 Nov '22
From: Yu Kuai <yukuai3(a)huawei.com>
hulk inclusion
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/I60QE9
CVE: NA
--------------------------------
This reverts commit 01b1ec1d028fdd78d0c763578e4b804240283b24.
Official solution will be applied to mainline, and this solution can't
fix uaf for 'bd_holder_dir' thoroughly. Hence revert this temporary
solution. Official solution will be backported in the next patch.
Signed-off-by: Yu Kuai <yukuai3(a)huawei.com>
Reviewed-by: Jason Yan <yanaijie(a)huawei.com>
Signed-off-by: Yongqiang Liu <liuyongqiang13(a)huawei.com>
---
fs/block_dev.c | 2 --
1 file changed, 2 deletions(-)
diff --git a/fs/block_dev.c b/fs/block_dev.c
index 7e891e08d0ce..9868b21b8ef9 100644
--- a/fs/block_dev.c
+++ b/fs/block_dev.c
@@ -1650,7 +1650,6 @@ static int __blkdev_get(struct block_device *bdev, fmode_t mode, int for_part)
}
}
bdev->bd_openers++;
- kobject_get(bdev->bd_part->holder_dir);
if (for_part)
bdev->bd_part_count++;
if (mode & FMODE_WRITE)
@@ -1926,7 +1925,6 @@ static void __blkdev_put(struct block_device *bdev, fmode_t mode, int for_part)
if (for_part)
bdev->bd_part_count--;
- kobject_put(bdev->bd_part->holder_dir);
if (!--bdev->bd_openers) {
WARN_ON_ONCE(bdev->bd_holders);
sync_blockdev(bdev);
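Review bot: after this revert neither __blkdev_get() nor __blkdev_put() holds a reference on bdev->bd_part->holder_dir, and the commit message says the replacement fix only arrives in the next patch, so a tree checked out at this commit (for example during bisection) has no protection against the bd_holder_dir use-after-free. Consider squashing the revert into the replacement, or state the dependency on patch 2/2 explicitly in the commit message.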
--
2.25.1
Backport 5.10.136 LTS patches from upstream.
git cherry-pick v5.10.135..v5.10.136~1 -s
Already merged(-4):
a01a4e9f5dc9 tun: avoid double free in tun_free_netdev
3c77292d52b3 crypto: arm64/poly1305 - fix a read out-of-bound
509c2c9fe75e x86/speculation: Add RSB VM Exit protections
1bea03b44ea2 x86/speculation: Add LFENCE to RSB fill sequence
Total patches: 23 - 4 = 19
Aaron Ma (1):
Bluetooth: btusb: Add support of IMC Networks PID 0x3568
Ahmad Fatoum (1):
Bluetooth: hci_bcm: Add BCM4349B1 variant
Ben Hutchings (1):
x86/speculation: Make all RETbleed mitigations 64-bit only
Dmitry Klochkov (1):
tools/kvm_stat: fix display of error when multiple processes are found
Hakan Jansson (1):
Bluetooth: hci_bcm: Add DT compatible for CYW55572
Hilda Wu (5):
Bluetooth: btusb: Add Realtek RTL8852C support ID 0x04CA:0x4007
Bluetooth: btusb: Add Realtek RTL8852C support ID 0x04C5:0x1675
Bluetooth: btusb: Add Realtek RTL8852C support ID 0x0CB8:0xC558
Bluetooth: btusb: Add Realtek RTL8852C support ID 0x13D3:0x3587
Bluetooth: btusb: Add Realtek RTL8852C support ID 0x13D3:0x3586
Jakub Sitnicki (2):
selftests/bpf: Extend verifier and bpf_sock tests for dst_port loads
selftests/bpf: Check dst_port only on the client socket
Ning Qiang (1):
macintosh/adb: fix oob read in do_adb_query() function
Raghavendra Rao Ananta (1):
selftests: KVM: Handle compiler optimizations in ucall
Tetsuo Handa (2):
ath9k_htc: fix NULL pointer dereference at ath9k_htc_rxep()
ath9k_htc: fix NULL pointer dereference at ath9k_htc_tx_get_packet()
Tony Luck (1):
ACPI: APEI: Better fix to avoid spamming the console with old error
logs
Werner Sembach (2):
ACPI: video: Force backlight native for some TongFang devices
ACPI: video: Shortening quirk list by identifying Clevo by board_name
only
arch/x86/Kconfig | 8 +-
drivers/acpi/apei/bert.c | 31 +++++--
drivers/acpi/video_detect.c | 55 ++++++++-----
drivers/bluetooth/btbcm.c | 2 +
drivers/bluetooth/btusb.c | 15 ++++
drivers/bluetooth/hci_bcm.c | 2 +
drivers/macintosh/adb.c | 2 +-
drivers/net/wireless/ath/ath9k/htc.h | 2 +
drivers/net/wireless/ath/ath9k/htc_drv_txrx.c | 13 +++
drivers/net/wireless/ath/ath9k/wmi.c | 4 +
tools/include/uapi/linux/bpf.h | 3 +-
tools/kvm/kvm_stat/kvm_stat | 3 +-
.../selftests/bpf/prog_tests/sock_fields.c | 60 +++++++++-----
.../selftests/bpf/progs/test_sock_fields.c | 45 +++++++++++
tools/testing/selftests/bpf/verifier/sock.c | 81 ++++++++++++++++++-
.../testing/selftests/kvm/lib/aarch64/ucall.c | 9 +--
16 files changed, 273 insertions(+), 62 deletions(-)
--
2.20.1
Backport 5.10.135 LTS patches from upstream.
git cherry-pick v5.10.134..v5.10.135~1 -s
Already merged(-10):
8008e797ec6f ipv6/addrconf: fix a null-ptr-deref bug for ip6_ptr
440dccd80f62 netfilter: nf_queue: do not allow packet truncation below transport
header offset
41fbfdaba94a xfs: refactor xfs_file_fsync
6d3605f84edd xfs: xfs_log_force_lsn isn't passed a LSN
eccacbcbfd70 xfs: fix log intent recovery ENOSPC shutdowns when inactivating
inodes
d8f5bb0a09b7 xfs: force the log offline when log intent item recovery fails
c85cbb0b21a1 xfs: hold buffer across unpin and potential shutdown processing
c1268acaa0dd xfs: remove dead stale buf unpin handling code
e5f9d4e0f895 xfs: logging the on disk inode LSN can make it go backwards
14b494b7aaf2 xfs: Enforce attr3 buffer recovery order
Context Conflict and Deferred(-3):
6aad811b37ee bpf: Consolidate shared test timing code
6d3fad2b44eb bpf: Add PROG_TEST_RUN support for sk_lookup programs
4bfc9dc60873 selftests: bpf: Don't run sk_lookup in verifier tests
Total patches: 65 - 13 = 52
Alejandro Lucero (1):
sfc: disable softirqs for ptp TX
Alistair Popple (1):
nouveau/svm: Fix to migrate all requested pages
ChenXiaoSong (1):
ntfs: fix use-after-free in ntfs_ucsncmp()
Darrick J. Wong (1):
xfs: prevent UAF in xfs_log_item_in_current_chkpt
David Howells (1):
watch_queue: Fix missing rcu annotation
Duoming Zhou (1):
sctp: fix sleep in atomic context bug in timer handlers
Eiichi Tsukata (1):
docs/kernel-parameters: Update descriptions for "mitigations=" param
with retbleed
Florian Fainelli (1):
ARM: 9216/1: Fix MAX_DMA_ADDRESS overflow
Greg Kroah-Hartman (1):
ARM: crypto: comment out gcc warning that breaks clang builds
Harald Freudenberger (1):
s390/archrandom: prevent CPACF trng invocations in interrupt context
Jaewon Kim (1):
page_alloc: fix invalid watermark check on a negative value
Jason Wang (1):
virtio-net: fix the race between refill work and close
Jianglei Nie (1):
net: macsec: fix potential resource leak in macsec_add_rxsa() and
macsec_add_txsa()
Junxiao Bi (1):
Revert "ocfs2: mount shared volume without ha stack"
Kuniyuki Iwashima (19):
tcp: Fix data-races around sysctl_tcp_dsack.
tcp: Fix a data-race around sysctl_tcp_app_win.
tcp: Fix a data-race around sysctl_tcp_adv_win_scale.
tcp: Fix a data-race around sysctl_tcp_frto.
tcp: Fix a data-race around sysctl_tcp_nometrics_save.
tcp: Fix data-races around sysctl_tcp_no_ssthresh_metrics_save.
tcp: Fix data-races around sysctl_tcp_moderate_rcvbuf.
tcp: Fix a data-race around sysctl_tcp_limit_output_bytes.
tcp: Fix a data-race around sysctl_tcp_challenge_ack_limit.
net: ping6: Fix memleak in ipv6_renew_options().
igmp: Fix data-races around sysctl_igmp_qrv.
tcp: Fix a data-race around sysctl_tcp_min_tso_segs.
tcp: Fix a data-race around sysctl_tcp_min_rtt_wlen.
tcp: Fix a data-race around sysctl_tcp_autocorking.
tcp: Fix a data-race around sysctl_tcp_invalid_ratelimit.
tcp: Fix a data-race around sysctl_tcp_comp_sack_delay_ns.
tcp: Fix a data-race around sysctl_tcp_comp_sack_slack_ns.
tcp: Fix a data-race around sysctl_tcp_comp_sack_nr.
tcp: Fix data-races around sysctl_tcp_reflect_tos.
Leo Yan (1):
perf symbol: Correct address for bss symbols
Liang He (2):
scsi: ufs: host: Hold reference returned by of_parse_phandle()
net: sungem_phy: Add of_node_put() for reference returned by
of_get_parent()
Linus Torvalds (1):
watch_queue: Fix missing locking in add_watch_to_object()
Luiz Augusto von Dentz (1):
Bluetooth: L2CAP: Fix use-after-free caused by l2cap_chan_put
Maciej Fijalkowski (2):
ice: check (DD | EOF) bits on Rx descriptor rather than (EOP | RS)
ice: do not setup vlan for loopback VSI
Maxim Mikityanskiy (1):
net/tls: Remove the context from the list in tls_device_down
Michal Maloszewski (1):
i40e: Fix interface init with MSI interrupts (no MSI-X)
Sabrina Dubroca (4):
macsec: fix NULL deref in macsec_add_rxsa
macsec: fix error message in macsec_add_rxsa and _txsa
macsec: limit replay window size with XPN
macsec: always read MACSEC_SA_ATTR_PN as a u64
Thadeu Lima de Souza Cascardo (1):
x86/bugs: Do not enable IBPB at firmware entry when IBPB is not
available
Toshi Kani (1):
EDAC/ghes: Set the DIMM label unconditionally
Wei Mingzhi (1):
mt7601u: add USB device ID for some versions of XiaoDu WiFi Dongle.
Wei Wang (1):
Revert "tcp: change pingpong threshold to 3"
Xin Long (2):
Documentation: fix sctp_wmem in ip-sysctl.rst
sctp: leave the err path free in sctp_stream_init to sctp_stream_free
.../admin-guide/kernel-parameters.txt | 2 +
Documentation/networking/ip-sysctl.rst | 9 ++-
arch/arm/include/asm/dma.h | 2 +-
arch/arm/lib/xor-neon.c | 3 +-
arch/s390/include/asm/archrandom.h | 9 ++-
arch/x86/kernel/cpu/bugs.c | 1 +
drivers/edac/ghes_edac.c | 11 +++-
drivers/gpu/drm/nouveau/nouveau_dmem.c | 6 +-
drivers/net/ethernet/intel/i40e/i40e_main.c | 4 ++
drivers/net/ethernet/intel/ice/ice_ethtool.c | 3 +-
drivers/net/ethernet/intel/ice/ice_main.c | 8 ++-
drivers/net/ethernet/sfc/ptp.c | 22 +++++++
drivers/net/macsec.c | 33 ++++++----
drivers/net/sungem_phy.c | 1 +
drivers/net/virtio_net.c | 37 ++++++++++-
drivers/net/wireless/mediatek/mt7601u/usb.c | 1 +
drivers/scsi/ufs/ufshcd-pltfrm.c | 15 ++++-
fs/ntfs/attrib.c | 8 ++-
fs/ocfs2/ocfs2.h | 4 +-
fs/ocfs2/slot_map.c | 46 ++++++--------
fs/ocfs2/super.c | 21 -------
fs/xfs/xfs_log_cil.c | 6 +-
include/net/bluetooth/l2cap.h | 1 +
include/net/inet_connection_sock.h | 10 +--
include/net/tcp.h | 2 +-
kernel/watch_queue.c | 58 +++++++++++-------
mm/page_alloc.c | 12 ++--
net/bluetooth/l2cap_core.c | 61 +++++++++++++++----
net/ipv4/igmp.c | 24 ++++----
net/ipv4/tcp.c | 2 +-
net/ipv4/tcp_input.c | 24 ++++----
net/ipv4/tcp_ipv4.c | 4 +-
net/ipv4/tcp_metrics.c | 10 +--
net/ipv4/tcp_output.c | 19 +++---
net/ipv6/ping.c | 6 ++
net/ipv6/tcp_ipv6.c | 4 +-
net/mptcp/protocol.c | 2 +-
net/sctp/associola.c | 5 +-
net/sctp/stream.c | 19 +-----
net/sctp/stream_sched.c | 2 +-
net/tls/tls_device.c | 7 ++-
tools/perf/util/symbol-elf.c | 45 ++++++++++++--
42 files changed, 364 insertions(+), 205 deletions(-)
--
2.20.1
Backport 5.10.134 LTS patches from upstream.
git cherry-pick v5.10.133..v5.10.134~1 -s
Already merged(-12):
ab5050fd7430 lockdown: Fix kexec lockdown bypass with ima policy
2ee0cab11f66 io_uring: Use original task for req identity in io_identity_cow()
ed6964ff4714 net: make free_netdev() more lenient with unregistering devices
2e11856ec379 net: make sure devices go through netdev_wait_all_refs
47b696dd6544 xfrm: xfrm_policy: fix a possible double xfrm_pols_put() in
xfrm_bundle_lookup()
0adf21eec590 watchqueue: make sure to serialize 'wqueue->defunct' properly
6a8184825286 tty: drivers/tty/, stop using tty_schedule_flip()
4d374625cca2 tty: the rest, stop using tty_schedule_flip()
c84986d09745 tty: drop tty_schedule_flip()
a4bb7ef2d6f6 tty: extract tty_flip_buffer_commit() from tty_flip_buffer_push()
08afa87f58d8 tty: use new tty_insert_flip_string_and_push_buffer() in
pty_write()
bb1990a3005e watch-queue: remove spurious double semicolon
Context Conflict:
2686f62fa78c docs: net: explain struct net_device lifetime
bf2f3d1970c0 net: move rollback_registered_many()
b7b9e5cc8b24 x86/amd: Use IBPB for firmware calls
Total patches: 101 - 12 = 89
Alex Deucher (1):
drm/amdgpu/display: add quirk handling for stutter mode
Alexander Aring (1):
dlm: fix pending remove if msg allocation fails
Alexey Kardashevskiy (1):
KVM: Don't null dereference ops->destroy
Ben Dooks (1):
riscv: add as-options for modules with assembly compontents
Biao Huang (1):
net: stmmac: fix unbalanced ptp clock issue in suspend/resume flow
Dawid Lukwinski (1):
i40e: Fix erroneous adapter reinitialization during recovery process
Demi Marie Obenour (1):
xen/gntdev: Ignore failure to unmap INVALID_GRANT_HANDLE
Eric Dumazet (1):
bpf: Make sure mac_header was set before using it
Fabien Dessenne (1):
pinctrl: stm32: fix optional IRQ support to gpios
Greg Kroah-Hartman (1):
Revert "m68knommu: only set CONFIG_ISA_DMA_API for ColdFire sub-arch"
Haibo Chen (3):
gpio: pca953x: only use single read/write for No AI mode
gpio: pca953x: use the correct range when do regmap sync
gpio: pca953x: use the correct register address when regcache sync
during init
Hristo Venev (1):
be2net: Fix buffer overflow in be_get_module_eeprom
Ido Schimmel (1):
mlxsw: spectrum_router: Fix IPv4 nexthop gateway indication
Jakub Kicinski (5):
docs: net: explain struct net_device lifetime
net: move net_set_todo inside rollback_registered()
net: inline rollback_registered()
net: move rollback_registered_many()
net: inline rollback_registered_many()
Jeffrey Hugo (4):
PCI: hv: Fix multi-MSI to allow more than one MSI vector
PCI: hv: Fix hv_arch_irq_unmask() for multi-MSI
PCI: hv: Reuse existing IRTE allocation in compose_msi_msg()
PCI: hv: Fix interrupt mapping for multi-MSI
Jose Alonso (1):
net: usb: ax88179_178a needs FLAG_SEND_ZLP
Junxiao Chang (1):
net: stmmac: fix dma queue left shift overflow issue
Juri Lelli (1):
sched/deadline: Fix BUG_ON condition for deboosted tasks
Kees Cook (1):
x86/alternative: Report missing return thunk details
Kuniyuki Iwashima (37):
ip: Fix data-races around sysctl_ip_no_pmtu_disc.
ip: Fix data-races around sysctl_ip_fwd_use_pmtu.
ip: Fix data-races around sysctl_ip_fwd_update_priority.
ip: Fix data-races around sysctl_ip_nonlocal_bind.
ip: Fix a data-race around sysctl_ip_autobind_reuse.
ip: Fix a data-race around sysctl_fwmark_reflect.
tcp/dccp: Fix a data-race around sysctl_tcp_fwmark_accept.
tcp: Fix data-races around sysctl_tcp_mtu_probing.
tcp: Fix data-races around sysctl_tcp_base_mss.
tcp: Fix data-races around sysctl_tcp_min_snd_mss.
tcp: Fix a data-race around sysctl_tcp_mtu_probe_floor.
tcp: Fix a data-race around sysctl_tcp_probe_threshold.
tcp: Fix a data-race around sysctl_tcp_probe_interval.
igmp: Fix data-races around sysctl_igmp_llm_reports.
igmp: Fix a data-race around sysctl_igmp_max_memberships.
igmp: Fix data-races around sysctl_igmp_max_msf.
tcp: Fix data-races around keepalive sysctl knobs.
tcp: Fix data-races around sysctl_tcp_syncookies.
tcp: Fix data-races around sysctl_tcp_reordering.
tcp: Fix data-races around some timeout sysctl knobs.
tcp: Fix a data-race around sysctl_tcp_notsent_lowat.
tcp: Fix a data-race around sysctl_tcp_tw_reuse.
tcp: Fix data-races around sysctl_max_syn_backlog.
tcp: Fix data-races around sysctl_tcp_fastopen.
tcp: Fix data-races around sysctl_tcp_fastopen_blackhole_timeout.
ipv4: Fix a data-race around sysctl_fib_multipath_use_neigh.
ip: Fix data-races around sysctl_ip_prot_sock.
udp: Fix a data-race around sysctl_udp_l3mdev_accept.
tcp: Fix data-races around sysctl knobs related to SYN option.
tcp: Fix a data-race around sysctl_tcp_early_retrans.
tcp: Fix data-races around sysctl_tcp_recovery.
tcp: Fix a data-race around sysctl_tcp_thin_linear_timeouts.
tcp: Fix data-races around sysctl_tcp_slow_start_after_idle.
tcp: Fix a data-race around sysctl_tcp_retrans_collapse.
tcp: Fix a data-race around sysctl_tcp_stdurg.
tcp: Fix a data-race around sysctl_tcp_rfc1337.
tcp: Fix data-races around sysctl_tcp_max_reordering.
Lennert Buytenhek (1):
igc: Reinstate IGC_REMOVED logic and implement it properly
Liang He (1):
drm/imx/dcss: Add missing of_node_put() in fail path
Luiz Augusto von Dentz (7):
Bluetooth: Add bt_skb_sendmsg helper
Bluetooth: Add bt_skb_sendmmsg helper
Bluetooth: SCO: Replace use of memcpy_from_msg with bt_skb_sendmsg
Bluetooth: RFCOMM: Replace use of memcpy_from_msg with bt_skb_sendmmsg
Bluetooth: Fix passing NULL to PTR_ERR
Bluetooth: SCO: Fix sco_send_frame returning skb->len
Bluetooth: Fix bt_skb_sendmmsg not allocating partial chunks
Marc Kleine-Budde (1):
spi: bcm2835: bcm2835_spi_handle_err(): fix NULL pointer deref for non
DMA transfers
Miaoqian Lin (1):
power/reset: arm-versatile: Fix refcount leak in
versatile_reboot_probe
Pali Rohár (1):
serial: mvebu-uart: correctly report configured baudrate value
Pawan Gupta (1):
x86/bugs: Warn when "ibrs" mitigation is selected on Enhanced IBRS
parts
Peter Zijlstra (3):
perf/core: Fix data race between perf_event_set_output() and
perf_mmap_close()
bitfield.h: Fix "type of reg too small for mask" test
x86/amd: Use IBPB for firmware calls
Piotr Skajewski (1):
ixgbe: Add locking to prevent panic when setting sriov_numvfs to zero
Przemyslaw Patynowski (1):
iavf: Fix handling of dummy receive descriptors
Robert Hancock (1):
i2c: cadence: Change large transfer count reset logic to be
unconditional
Takashi Iwai (1):
ALSA: memalloc: Align buffer allocations in page size
Tariq Toukan (1):
net/tls: Fix race in TLS device down flow
Wang Cheng (1):
mm/mempolicy: fix uninit-value in mpol_rebind_policy()
Wang ShaoBo (1):
drm/imx/dcss: fix unused but set variable warnings
William Dean (1):
pinctrl: ralink: Check for null return of devm_kcalloc
Documentation/networking/netdevices.rst | 171 +++++++++++++-
arch/m68k/Kconfig.bus | 2 +-
arch/riscv/Makefile | 1 +
arch/x86/include/asm/cpufeatures.h | 1 +
arch/x86/include/asm/mshyperv.h | 7 -
arch/x86/include/asm/nospec-branch.h | 2 +
arch/x86/kernel/alternative.c | 4 +-
arch/x86/kernel/cpu/bugs.c | 14 +-
drivers/gpio/gpio-pca953x.c | 22 +-
.../gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 33 +++
drivers/gpu/drm/imx/dcss/dcss-dev.c | 3 +
drivers/gpu/drm/imx/dcss/dcss-plane.c | 2 -
drivers/i2c/busses/i2c-cadence.c | 30 +--
.../chelsio/inline_crypto/chtls/chtls_cm.c | 6 +-
drivers/net/ethernet/emulex/benet/be_cmds.c | 10 +-
drivers/net/ethernet/emulex/benet/be_cmds.h | 2 +-
.../net/ethernet/emulex/benet/be_ethtool.c | 31 ++-
drivers/net/ethernet/intel/i40e/i40e_main.c | 13 +-
drivers/net/ethernet/intel/iavf/iavf_txrx.c | 5 +-
drivers/net/ethernet/intel/igc/igc_main.c | 3 +
drivers/net/ethernet/intel/igc/igc_regs.h | 5 +-
drivers/net/ethernet/intel/ixgbe/ixgbe.h | 1 +
drivers/net/ethernet/intel/ixgbe/ixgbe_main.c | 3 +
.../net/ethernet/intel/ixgbe/ixgbe_sriov.c | 6 +
.../ethernet/mellanox/mlxsw/spectrum_router.c | 5 +-
.../net/ethernet/stmicro/stmmac/dwmac4_core.c | 3 +
.../net/ethernet/stmicro/stmmac/stmmac_main.c | 17 +-
.../ethernet/stmicro/stmmac/stmmac_platform.c | 8 +-
drivers/net/usb/ax88179_178a.c | 20 +-
drivers/pci/controller/pci-hyperv.c | 99 ++++++--
drivers/pinctrl/stm32/pinctrl-stm32.c | 18 +-
drivers/power/reset/arm-versatile-reboot.c | 1 +
drivers/spi/spi-bcm2835.c | 12 +-
.../staging/mt7621-pinctrl/pinctrl-rt2880.c | 2 +
drivers/tty/serial/mvebu-uart.c | 25 ++-
drivers/xen/gntdev.c | 3 +-
fs/dlm/lock.c | 3 +-
include/linux/bitfield.h | 19 +-
include/net/bluetooth/bluetooth.h | 65 ++++++
include/net/inet_sock.h | 5 +-
include/net/ip.h | 6 +-
include/net/tcp.h | 18 +-
include/net/udp.h | 2 +-
kernel/bpf/core.c | 8 +-
kernel/events/core.c | 45 ++--
kernel/sched/deadline.c | 5 +-
mm/mempolicy.c | 2 +-
net/bluetooth/rfcomm/core.c | 50 ++++-
net/bluetooth/rfcomm/sock.c | 46 +---
net/bluetooth/sco.c | 30 +--
net/core/dev.c | 212 ++++++++----------
net/core/filter.c | 4 +-
net/core/secure_seq.c | 4 +-
net/ipv4/af_inet.c | 4 +-
net/ipv4/fib_semantics.c | 2 +-
net/ipv4/icmp.c | 2 +-
net/ipv4/igmp.c | 25 ++-
net/ipv4/inet_connection_sock.c | 2 +-
net/ipv4/ip_forward.c | 2 +-
net/ipv4/ip_sockglue.c | 6 +-
net/ipv4/route.c | 2 +-
net/ipv4/syncookies.c | 9 +-
net/ipv4/sysctl_net_ipv4.c | 6 +-
net/ipv4/tcp.c | 10 +-
net/ipv4/tcp_fastopen.c | 9 +-
net/ipv4/tcp_input.c | 51 +++--
net/ipv4/tcp_ipv4.c | 2 +-
net/ipv4/tcp_metrics.c | 3 +-
net/ipv4/tcp_minisocks.c | 2 +-
net/ipv4/tcp_output.c | 29 +--
net/ipv4/tcp_recovery.c | 6 +-
net/ipv4/tcp_timer.c | 20 +-
net/ipv6/af_inet6.c | 2 +-
net/ipv6/syncookies.c | 3 +-
net/sctp/protocol.c | 2 +-
net/smc/smc_llc.c | 2 +-
net/tls/tls_device.c | 8 +-
net/xfrm/xfrm_state.c | 2 +-
sound/core/memalloc.c | 1 +
virt/kvm/kvm_main.c | 5 +-
80 files changed, 877 insertions(+), 454 deletions(-)
--
2.20.1

[PATCH openEuler-5.10-LTS 01/12] scsi: libsas: Resume SAS host for phy reset or enable via sysfs
by Zheng Zengkai 10 Nov '22
From: Xiang Chen <chenxiang66(a)hisilicon.com>
mainline inclusion
from mainline-v5.19-rc7
commit 1e82e4627a795
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/I5M9GC
CVE: NA
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?…
----------------------------------------------------------------------
Currently if a phy reset or enable phy is issued via sysfs when controller
is suspended, those operations will be ignored as SAS_HA_REGISTERED is
cleared. If RPM is enabled then we may aggressively suspend automatically.
In this case it may be difficult to enable or reset a phy via sysfs, so
resume the host in these scenarios.
Link: https://lore.kernel.org/r/1657823002-139010-6-git-send-email-john.garry@hua…
Signed-off-by: Xiang Chen <chenxiang66(a)hisilicon.com>
Signed-off-by: John Garry <john.garry(a)huawei.com>
Signed-off-by: Martin K. Petersen <martin.petersen(a)oracle.com>
Signed-off-by: xiabing <xiabing12(a)h-partners.com>
Reviewed-by: Jason Yan <yanaijie(a)huawei.com>
Signed-off-by: Zheng Zengkai <zhengzengkai(a)huawei.com>
---
drivers/scsi/libsas/sas_init.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/drivers/scsi/libsas/sas_init.c b/drivers/scsi/libsas/sas_init.c
index f1989a98f511..58ffcecf1a2f 100644
--- a/drivers/scsi/libsas/sas_init.c
+++ b/drivers/scsi/libsas/sas_init.c
@@ -528,6 +528,7 @@ static int queue_phy_reset(struct sas_phy *phy, int hard_reset)
if (!d)
return -ENOMEM;
+ pm_runtime_get_sync(ha->dev);
/* libsas workqueue coordinates ata-eh reset with discovery */
mutex_lock(&d->event_lock);
d->reset_result = 0;
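Review bot: the return value of pm_runtime_get_sync(ha->dev), added just before mutex_lock(&d->event_lock), is ignored, so a failed resume still queues the reset against a host that may be suspended, which is the case the commit message sets out to fix. Check for a negative return and bail out with that error (dropping the usage count again), or say in a comment why carrying on is safe. The same applies to the identical call added in queue_phy_enable().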
@@ -541,6 +542,7 @@ static int queue_phy_reset(struct sas_phy *phy, int hard_reset)
if (rc == 0)
rc = d->reset_result;
mutex_unlock(&d->event_lock);
+ pm_runtime_put_sync(ha->dev);
return rc;
}
@@ -555,6 +557,7 @@ static int queue_phy_enable(struct sas_phy *phy, int enable)
if (!d)
return -ENOMEM;
+ pm_runtime_get_sync(ha->dev);
/* libsas workqueue coordinates ata-eh reset with discovery */
mutex_lock(&d->event_lock);
d->enable_result = 0;
@@ -568,6 +571,7 @@ static int queue_phy_enable(struct sas_phy *phy, int enable)
if (rc == 0)
rc = d->enable_result;
mutex_unlock(&d->event_lock);
+ pm_runtime_put_sync(ha->dev);
return rc;
}
--
2.20.1

10 Nov '22
iptables version v1.8.7 does not support --destination-to and --port-to. How can I solve this problem?
wangpengyuan(a)bjca.org.cn

[PATCH OLK-5.10,v1,0/9] ROH: Support ROH basic functions and adapt ROH mode for RDMA/hns driver
by Ke Chen 09 Nov '22
[Description]
The ROH module driver consists of the ROH Core and ROH DRV
modules, which work with hardware to implement communication
between nodes through HCCS packets.
ROH Core is a protocol stack of the ROH architecture. It provides
related services for upper layers by invoking operation interfaces
provided by the ROH DRV.
The ROH DRV implements the lower layer functions of the ROH
featureand provides a series of interfaces for operating hardware
for the ROH Core.
This patch supports basic ROH functions, such as: sysfs file node
query, abnormal interrupt handling, reset capability and dfx
information query.
RDMA/hns supports ROH mode, mainly adapted to the device id of ROH,
and the different capabilities and features of RDMA/hns in ROH mode.
[Testing]
kernel options:
CONFIG_ROH=m
CONFIG_ROH_HNS=m
Test passed with below step:
1. Using a hardware environment that supports ROH, insmod net/hns,
RDMA/hns and ROH related drivers:
insmod hnae3.ko
insmod hclge.ko
insmod hns3.ko
insmod roh_core.ko
insmod hns-roh-v1.ko
insmod hns-roce-hw-v2.ko
2. Check whether ROH generates the corresponding sysfs node:
ls /sys/class/roh/hns3_0/
3. Check whether the abnormal interrupt information of roh is correct.
The down or up of the network device link corresponding to roh will
cause the roh abnormal interrupt count to increase.
cat /proc/interrupts | grep roh
4. Configure the network port ip and check whether the ip/mac has the
correct mapping relationship.
5. Query eid to check whether it complies with ip conversion rules:
cat /sys/class/roh/hns3_0/node_eid
6. Use ping to check Ethernet communication is normal.
7. Use perftest to check RDMA communication is normal.
8. Use the "ethtool --reset eth1 all" command to trigger a reset.
Ke Chen (9):
roh/core: Add roh device sysfs node
roh/hns3: Add support for roh abnormal interruption
roh/core: Add support for inetaddr notifier
roh/hns3: Add support for roh reset
roh/hns3: Add support for roh dfx(debugfs)
RDMA/hns: Add new device ID
RDMA/hns: Add ROH basic configuration and check
RDMA/hns: Support RDMA_CM in ROH mode
RDMA/hns: Pass mac type to user driver for ROH mode
drivers/infiniband/hw/hns/hns_roce_device.h | 1 +
drivers/infiniband/hw/hns/hns_roce_hw_v2.c | 35 ++
drivers/infiniband/hw/hns/hns_roce_hw_v2.h | 1 +
drivers/infiniband/hw/hns/hns_roce_main.c | 12 +-
drivers/roh/core/Makefile | 2 +-
drivers/roh/core/core.c | 205 ++++++++++
drivers/roh/core/core.h | 24 ++
drivers/roh/core/core_priv.h | 9 +
drivers/roh/core/sysfs.c | 270 +++++++++++++
drivers/roh/hw/hns3/Makefile | 2 +
drivers/roh/hw/hns3/hns3_cmdq.c | 135 +++++++
drivers/roh/hw/hns3/hns3_cmdq.h | 46 +++
drivers/roh/hw/hns3/hns3_common.h | 32 ++
drivers/roh/hw/hns3/hns3_device.h | 40 ++
drivers/roh/hw/hns3/hns3_intr.c | 136 +++++++
drivers/roh/hw/hns3/hns3_intr.h | 13 +
drivers/roh/hw/hns3/hns3_main.c | 406 +++++++++++++++++++-
drivers/roh/hw/hns3/hns3_verbs.c | 270 +++++++++++++
drivers/roh/hw/hns3/hns3_verbs.h | 16 +
include/uapi/rdma/hns-abi.h | 2 +
20 files changed, 1651 insertions(+), 6 deletions(-)
create mode 100644 drivers/roh/core/sysfs.c
create mode 100644 drivers/roh/hw/hns3/hns3_device.h
create mode 100644 drivers/roh/hw/hns3/hns3_intr.c
create mode 100644 drivers/roh/hw/hns3/hns3_intr.h
create mode 100644 drivers/roh/hw/hns3/hns3_verbs.c
create mode 100644 drivers/roh/hw/hns3/hns3_verbs.h
--
2.30.0

[PATCH openEuler-5.10 1/3] Fix the header file location error and adjust the function and structure version.
by Zheng Zengkai 08 Nov '22
From: Wangming Shao <shaowangming(a)h-partners.com>
driver inclusion
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/I5WGEF
-------------------------------------------------------------------
Fixed the header file location error.
Rectify the missing member and function name errors in the structure.
Signed-off-by: Wangming Shao <shaowangming(a)h-partners.com>
Reviewed-by: Yicong Yang <yangyicong(a)huawei.com>
Reviewed-by: Yang Jihong <yangjihong1(a)huawei.com>
Signed-off-by: Zheng Zengkai <zhengzengkai(a)huawei.com>
---
tools/perf/arch/arm/util/auxtrace.c | 6 +++---
tools/perf/arch/arm/util/pmu.c | 2 +-
tools/perf/arch/arm64/util/hisi-ptt.c | 7 +++----
3 files changed, 7 insertions(+), 8 deletions(-)
diff --git a/tools/perf/arch/arm/util/auxtrace.c b/tools/perf/arch/arm/util/auxtrace.c
index e282fcea5e05..a4e4bb1a5711 100644
--- a/tools/perf/arch/arm/util/auxtrace.c
+++ b/tools/perf/arch/arm/util/auxtrace.c
@@ -10,10 +10,10 @@
#include <linux/zalloc.h>
#include <api/fs/fs.h>
-#include "../../util/auxtrace.h"
-#include "../../util/debug.h"
+#include "../../../util/auxtrace.h"
+#include "../../../util/debug.h"
#include "../../util/evlist.h"
-#include "../../util/pmu.h"
+#include "../../../util/pmu.h"
#include "cs-etm.h"
#include "arm-spe.h"
#include "hisi-ptt.h"
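Review bot: in the include block, "../../util/evlist.h" keeps the two-level path while auxtrace.h, debug.h and pmu.h beside it move to "../../../util/". If the old path was wrong for those three it is presumably wrong for evlist.h as well, so either change it in this hunk or note in the commit message why it resolves differently.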
diff --git a/tools/perf/arch/arm/util/pmu.c b/tools/perf/arch/arm/util/pmu.c
index 2223083c6825..887c8addc491 100644
--- a/tools/perf/arch/arm/util/pmu.c
+++ b/tools/perf/arch/arm/util/pmu.c
@@ -11,7 +11,7 @@
#include "arm-spe.h"
#include "hisi-ptt.h"
-#include "../../util/pmu.h"
+#include "../../../util/pmu.h"
struct perf_event_attr
*perf_pmu__get_default_config(struct perf_pmu *pmu __maybe_unused)
diff --git a/tools/perf/arch/arm64/util/hisi-ptt.c b/tools/perf/arch/arm64/util/hisi-ptt.c
index ba97c8a562a0..110b2edf3e6b 100644
--- a/tools/perf/arch/arm64/util/hisi-ptt.c
+++ b/tools/perf/arch/arm64/util/hisi-ptt.c
@@ -113,7 +113,6 @@ static int hisi_ptt_recording_options(struct auxtrace_record *itr,
}
evsel->core.attr.freq = 0;
evsel->core.attr.sample_period = 1;
- evsel->needs_auxtrace_mmap = true;
hisi_ptt_evsel = evsel;
opts->full_auxtrace = true;
}
@@ -126,16 +125,16 @@ static int hisi_ptt_recording_options(struct auxtrace_record *itr,
* To obtain the auxtrace buffer file descriptor, the auxtrace event
* must come first.
*/
- evlist__to_front(evlist, hisi_ptt_evsel);
+ perf_evlist__to_front(evlist, hisi_ptt_evsel);
evsel__set_sample_bit(hisi_ptt_evsel, TIME);
/* Add dummy event to keep tracking */
- err = parse_event(evlist, "dummy:u");
+ err = parse_events(evlist, "dummy:u", NULL);
if (err)
return err;
tracking_evsel = evlist__last(evlist);
- evlist__set_tracking_event(evlist, tracking_evsel);
+ perf_evlist__set_tracking_event(evlist, tracking_evsel);
tracking_evsel->core.attr.freq = 0;
tracking_evsel->core.attr.sample_period = 1;
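Review bot: parse_events(evlist, "dummy:u", NULL) passes NULL for the error argument, so when parsing the dummy event fails the caller has only the return code and no message to report. Pass a parse_events_error and print it on failure, or add a comment that the fixed string cannot fail to parse. The commit message should also name the tree whose API the three renamed calls in this hunk are being matched against, so the backport can be checked.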
--
2.20.1

[PATCH openEuler-1.0-LTS 01/26] of: fdt: fix off-by-one error in unflatten_dt_nodes()
by Yongqiang Liu 08 Nov '22
From: Sergey Shtylyov <s.shtylyov(a)omp.ru>
stable inclusion
from stable-v4.19.260
commit 2566706ac6393386a4e7c4ce23fe17f4c98d9aa0
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/I5ZXGL
CVE: NA
--------------------------------
[ Upstream commit 2f945a792f67815abca26fa8a5e863ccf3fa1181 ]
Commit 78c44d910d3e ("drivers/of: Fix depth when unflattening devicetree")
forgot to fix up the depth check in the loop body in unflatten_dt_nodes()
which makes it possible to overflow the nps[] buffer...
Found by Linux Verification Center (linuxtesting.org) with the SVACE static
analysis tool.
Fixes: 78c44d910d3e ("drivers/of: Fix depth when unflattening devicetree")
Signed-off-by: Sergey Shtylyov <s.shtylyov(a)omp.ru>
Signed-off-by: Rob Herring <robh(a)kernel.org>
Link: https://lore.kernel.org/r/7c354554-006f-6b31-c195-cdfe4caee392@omp.ru
Signed-off-by: Sasha Levin <sashal(a)kernel.org>
Signed-off-by: Yongqiang Liu <liuyongqiang13(a)huawei.com>
---
drivers/of/fdt.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/of/fdt.c b/drivers/of/fdt.c
index 800ad252cf9c..50b67e65159b 100644
--- a/drivers/of/fdt.c
+++ b/drivers/of/fdt.c
@@ -391,7 +391,7 @@ static int unflatten_dt_nodes(const void *blob,
for (offset = 0;
offset >= 0 && depth >= initial_depth;
offset = fdt_next_node(blob, offset, &depth)) {
- if (WARN_ON_ONCE(depth >= FDT_MAX_DEPTH))
+ if (WARN_ON_ONCE(depth >= FDT_MAX_DEPTH - 1))
continue;
if (!IS_ENABLED(CONFIG_OF_KOBJ) &&
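Review bot: the new bound FDT_MAX_DEPTH - 1 in the WARN_ON_ONCE() test carries no comment, and nothing in the hunk shows which nps[] index the loop body writes, so the reason for the - 1 can only be recovered from the commit message. Add a one-line comment above the check tying the limit to the highest nps[] index the body uses, so that a later cleanup does not reintroduce the off-by-one.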
--
2.25.1

[PATCH openEuler-5.10-LTS] libbpf: Fix null-pointer dereference in find_prog_by_sec_insn()
by Zheng Zengkai 07 Nov '22
From: Shung-Hsi Yu <shung-hsi.yu(a)suse.com>
maillist inclusion
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/I5WLXN
CVE: CVE-2022-3606
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/commit/…
--------------------------------
When there are no program sections, obj->programs is left unallocated,
and find_prog_by_sec_insn()'s search lands on &obj->programs[0] == NULL,
and will cause null-pointer dereference in the following access to
prog->sec_idx.
Guard the search with obj->nr_programs similar to what's being done in
__bpf_program__iter() to prevent null-pointer access from happening.
Fixes: db2b8b06423c ("libbpf: Support CO-RE relocations for multi-prog sections")
Signed-off-by: Shung-Hsi Yu <shung-hsi.yu(a)suse.com>
Signed-off-by: Andrii Nakryiko <andrii(a)kernel.org>
Link: https://lore.kernel.org/bpf/20221012022353.7350-4-shung-hsi.yu@suse.com
Signed-off-by: Pu Lehui <pulehui(a)huawei.com>
Reviewed-by: Kuohai Xu <xukuohai(a)huawei.com>
Reviewed-by: Xiu Jianfeng <xiujianfeng(a)huawei.com>
Signed-off-by: Zheng Zengkai <zhengzengkai(a)huawei.com>
---
tools/lib/bpf/libbpf.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/tools/lib/bpf/libbpf.c b/tools/lib/bpf/libbpf.c
index 314fb1202d08..2b997a981052 100644
--- a/tools/lib/bpf/libbpf.c
+++ b/tools/lib/bpf/libbpf.c
@@ -3479,6 +3479,9 @@ static struct bpf_program *find_prog_by_sec_insn(const struct bpf_object *obj,
int l = 0, r = obj->nr_programs - 1, m;
struct bpf_program *prog;
+ if (!obj->nr_programs)
+ return NULL;
+
while (l < r) {
m = l + (r - l + 1) / 2;
prog = &obj->programs[m];
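Review bot: the guard sits below the initializer `r = obj->nr_programs - 1`, so for an empty object r is still computed as -1 before the early return. That is harmless because nothing reads r first, but assigning r after the check would make the intent plainer. A short comment on the new `if (!obj->nr_programs)` saying that obj->programs is unallocated in that case would also record why the check exists, which at present only the commit message explains.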
--
2.20.1
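The empty-object case the commit message describes, as an added user-space model (not libbpf code and not part of the patch). The `_model` structs, the sample table and the instruction-range test after the loop are assumptions; the search loop follows the lines visible in the hunk.

```c
#include <stddef.h>
#include <stdio.h>

/* Assumed, simplified stand-ins for the libbpf structures: only the fields
 * the search needs are modelled. */
struct prog_model {
	size_t sec_idx;      /* ELF section the program lives in */
	size_t sec_insn_off; /* first instruction, relative to the section */
	size_t sec_insn_cnt; /* number of instructions */
};

struct obj_model {
	struct prog_model *programs; /* sorted by (sec_idx, sec_insn_off) */
	size_t nr_programs;          /* 0 leaves programs == NULL */
};

/* Constructed sample data: three programs in two sections. */
static struct prog_model sample_progs[] = {
	{ 3, 0, 10 }, { 3, 10, 5 }, { 5, 0, 8 },
};
static const struct obj_model sample_obj = { sample_progs, 3 };
static const struct obj_model empty_obj = { NULL, 0 };

/* The binary search from the hunk. It only touches programs[] inside the
 * loop, and the loop needs l < r, i.e. at least two entries. With zero
 * entries r is -1, the loop is skipped and the candidate index stays 0. */
static int candidate_index(const struct obj_model *obj, size_t sec_idx,
			   size_t insn_idx)
{
	int l = 0, r = (int)obj->nr_programs - 1, m;
	const struct prog_model *prog;

	while (l < r) {
		m = l + (r - l + 1) / 2;
		prog = &obj->programs[m];
		if (prog->sec_idx < sec_idx ||
		    (prog->sec_idx == sec_idx && prog->sec_insn_off <= insn_idx))
			l = m;
		else
			r = m - 1;
	}
	return l;
}

/* Pre-fix condition, reported rather than executed: the code after the
 * loop reads programs[l].sec_idx, which is a NULL access when the table
 * was never allocated. */
static int unguarded_would_deref_null(const struct obj_model *obj)
{
	return candidate_index(obj, 0, 0) == 0 && obj->programs == NULL;
}

/* Post-fix lookup: the nr_programs guard from the patch runs before any
 * access to programs[]. */
static const struct prog_model *find_prog_guarded(const struct obj_model *obj,
						  size_t sec_idx,
						  size_t insn_idx)
{
	const struct prog_model *prog;

	if (!obj->nr_programs)
		return NULL;

	prog = &obj->programs[candidate_index(obj, sec_idx, insn_idx)];
	/* Assumed final check: same section and instruction inside the range. */
	if (prog->sec_idx == sec_idx &&
	    insn_idx >= prog->sec_insn_off &&
	    insn_idx < prog->sec_insn_off + prog->sec_insn_cnt)
		return prog;
	return NULL;
}

int main(void)
{
	const struct prog_model *p = find_prog_guarded(&sample_obj, 3, 12);

	printf("empty object, unguarded NULL read: %d\n",
	       unguarded_would_deref_null(&empty_obj));
	printf("empty object, guarded result is NULL: %d\n",
	       find_prog_guarded(&empty_obj, 3, 0) == NULL);
	printf("sec 3 insn 12 -> program at offset %zu\n",
	       p ? p->sec_insn_off : (size_t)0);
	return 0;
}
```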

[PATCH openEuler-1.0-LTS 1/3] tcp: prohibit TCP_REPAIR_OPTIONS if data was already sent
by Yongqiang Liu 07 Nov '22
From: Lu Wei <luwei32(a)huawei.com>
maillist inclusion
category: bugfix
bugzilla: 187792, https://gitee.com/openeuler/kernel/issues/I5ZG7O
Reference: https://www.spinics.net/lists/netdev/msg856902.html
--------------------------------
If setsockopt with option name of TCP_REPAIR_OPTIONS and opt_code
of TCPOPT_SACK_PERM is called to enable sack after data is sent
and dupacks are received, it will trigger a warning in function
tcp_verify_left_out() as follows:
============================================
WARNING: CPU: 8 PID: 0 at net/ipv4/tcp_input.c:2132
tcp_timeout_mark_lost+0x154/0x160
tcp_enter_loss+0x2b/0x290
tcp_retransmit_timer+0x50b/0x640
tcp_write_timer_handler+0x1c8/0x340
tcp_write_timer+0xe5/0x140
call_timer_fn+0x3a/0x1b0
__run_timers.part.0+0x1bf/0x2d0
run_timer_softirq+0x43/0xb0
__do_softirq+0xfd/0x373
__irq_exit_rcu+0xf6/0x140
The warning is caused in the following steps:
1. a socket named socketA is created
2. socketA enters repair mode without building a connection
3. socketA calls connect() and its state is changed to TCP_ESTABLISHED
directly
4. socketA leaves repair mode
5. socketA calls sendmsg() to send data, packets_out and sack_outs(dup
ack receives) increase
6. socketA enters repair mode again
7. socketA calls setsockopt with TCPOPT_SACK_PERM to enable sack
8. retransmit timer expires, it calls tcp_timeout_mark_lost(), lost_out
increases
9. sack_outs + lost_out > packets_out triggers since lost_out and
sack_outs increase repeatedly
In function tcp_timeout_mark_lost(), tp->sacked_out will be cleared if
Step 7 does not happen and the warning will not be triggered. As suggested by
Denis and Eric, TCP_REPAIR_OPTIONS should be prohibited if data was
already sent.
socket-tcp tests in CRIU have been tested as follows:
$ sudo ./test/zdtm.py run -t zdtm/static/socket-tcp* --keep-going \
--ignore-taint
socket-tcp* represent all socket-tcp tests in test/zdtm/static/.
Fixes: b139ba4e90dc ("tcp: Repair connection-time negotiated parameters")
Signed-off-by: Lu Wei <luwei32(a)huawei.com>
Reviewed-by: Eric Dumazet <edumazet(a)google.com>
Reviewed-by: Yue Haibing <yuehaibing(a)huawei.com>
Signed-off-by: Yongqiang Liu <liuyongqiang13(a)huawei.com>
---
net/ipv4/tcp.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c
index 094cd93e50c2..6f71b6cfc1b2 100644
--- a/net/ipv4/tcp.c
+++ b/net/ipv4/tcp.c
@@ -2916,7 +2916,7 @@ static int do_tcp_setsockopt(struct sock *sk, int level,
case TCP_REPAIR_OPTIONS:
if (!tp->repair)
err = -EINVAL;
- else if (sk->sk_state == TCP_ESTABLISHED)
+ else if (sk->sk_state == TCP_ESTABLISHED && !tp->bytes_sent)
err = tcp_repair_options_est(sk,
(struct tcp_repair_opt __user *)optval,
optlen);
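Review bot: with `&& !tp->bytes_sent` added to the TCP_ESTABLISHED test, a socket that has already sent data now falls through to whichever branch follows the tcp_repair_options_est() call, and the hunk does not show that branch. State in the commit message which errno userspace receives in that case, since checkpoint/restore tools issuing TCP_REPAIR_OPTIONS will be the ones to see it.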
--
2.25.1

07 Nov '22
From: Baokun Li <libaokun1(a)huawei.com>
hulk inclusion
category: bugfix
bugzilla: 187935,https://gitee.com/src-openeuler/kernel/issues/I5ZR8Z
CVE: NA
--------------------------------
When online resizing is performed twice consecutively, the error message
"Superblock checksum does not match superblock" is displayed for the
second time. Here's the reproducer:
mkfs.ext4 -F /dev/sdb 100M
mount /dev/sdb /tmp/test
resize2fs /dev/sdb 5G
resize2fs /dev/sdb 6G
To solve this issue, we moved the update of the checksum after the
es->s_overhead_clusters is updated.
Fixes: 026d0d27c488 ("ext4: reduce computation of overhead during resize")
Fixes: de394a86658f ("ext4: update s_overhead_clusters in the superblock during an on-line resize")
Signed-off-by: Baokun Li <libaokun1(a)huawei.com>
Reviewed-by: Zhang Yi <yi.zhang(a)huawei.com>
Signed-off-by: Yongqiang Liu <liuyongqiang13(a)huawei.com>
---
fs/ext4/resize.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/fs/ext4/resize.c b/fs/ext4/resize.c
index bc870561e394..f2b881aaf0b1 100644
--- a/fs/ext4/resize.c
+++ b/fs/ext4/resize.c
@@ -1442,8 +1442,6 @@ static void ext4_update_super(struct super_block *sb,
* active. */
ext4_r_blocks_count_set(es, ext4_r_blocks_count(es) +
reserved_blocks);
- ext4_superblock_csum_set(sb);
- unlock_buffer(sbi->s_sbh);
/* Update the free space counts */
percpu_counter_add(&sbi->s_freeclusters_counter,
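Review bot: removing unlock_buffer(sbi->s_sbh) at this point keeps the superblock buffer locked across the percpu_counter_add() updates that follow and on to the place where the next hunk re-adds it, after ext4_calculate_overhead(). Confirm that nothing on that path needs the same buffer lock, and put a comment at the new ext4_superblock_csum_set() call saying it must stay after the last write to es, so the checksum always covers s_overhead_clusters.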
@@ -1471,6 +1469,8 @@ static void ext4_update_super(struct super_block *sb,
ext4_calculate_overhead(sb);
es->s_overhead_clusters = cpu_to_le32(sbi->s_overhead);
+ ext4_superblock_csum_set(sb);
+ unlock_buffer(sbi->s_sbh);
if (test_opt(sb, DEBUG))
printk(KERN_DEBUG "EXT4-fs: added group %u:"
"%llu blocks(%llu free %llu reserved)\n", flex_gd->count,
--
2.25.1

[PATCH openEuler-1.0-LTS 1/3] blktrace: introduce 'blk_trace_{start,stop}' helper
by Yongqiang Liu 07 Nov '22
From: Ye Bin <yebin10(a)huawei.com>
mainline inclusion
from mainline-v6.1-rc2
commit 60a9bb9048f9e95029df10a9bc346f6b066c593c
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/I5Z7DK
CVE: NA
--------------------------------
Introduce 'blk_trace_{start,stop}' helper. No functional change.
Signed-off-by: Ye Bin <yebin10(a)huawei.com>
Reviewed-by: Christoph Hellwig <hch(a)lst.de>
Link: https://lore.kernel.org/r/20221019033602.752383-2-yebin@huaweicloud.com
Signed-off-by: Jens Axboe <axboe(a)kernel.dk>
conflicts:
kernel/trace/blktrace.c
Signed-off-by: Ye Bin <yebin(a)huaweicloud.com>
Reviewed-by: Jason Yan <yanaijie(a)huawei.com>
Signed-off-by: Yongqiang Liu <liuyongqiang13(a)huawei.com>
---
kernel/trace/blktrace.c | 74 ++++++++++++++++++++---------------------
1 file changed, 36 insertions(+), 38 deletions(-)
diff --git a/kernel/trace/blktrace.c b/kernel/trace/blktrace.c
index b1aa8c74442c..9cc04b09c42f 100644
--- a/kernel/trace/blktrace.c
+++ b/kernel/trace/blktrace.c
@@ -334,6 +334,37 @@ static void put_probe_ref(void)
mutex_unlock(&blk_probe_mutex);
}
+static int blk_trace_start(struct blk_trace *bt)
+{
+ if (bt->trace_state != Blktrace_setup &&
+ bt->trace_state != Blktrace_stopped)
+ return -EINVAL;
+
+ blktrace_seq++;
+ smp_mb();
+ bt->trace_state = Blktrace_running;
+ spin_lock_irq(&running_trace_lock);
+ list_add(&bt->running_list, &running_trace_list);
+ spin_unlock_irq(&running_trace_lock);
+ trace_note_time(bt);
+
+ return 0;
+}
+
+static int blk_trace_stop(struct blk_trace *bt)
+{
+ if (bt->trace_state != Blktrace_running)
+ return -EINVAL;
+
+ bt->trace_state = Blktrace_stopped;
+ spin_lock_irq(&running_trace_lock);
+ list_del_init(&bt->running_list);
+ spin_unlock_irq(&running_trace_lock);
+ relay_flush(bt->rchan);
+
+ return 0;
+}
+
static void blk_trace_cleanup(struct blk_trace *bt)
{
synchronize_rcu();
@@ -652,7 +683,6 @@ static int compat_blk_trace_setup(struct request_queue *q, char *name,
static int __blk_trace_startstop(struct request_queue *q, int start)
{
- int ret;
struct blk_trace *bt;
bt = rcu_dereference_protected(q->blk_trace,
@@ -660,36 +690,10 @@ static int __blk_trace_startstop(struct request_queue *q, int start)
if (bt == NULL)
return -EINVAL;
- /*
- * For starting a trace, we can transition from a setup or stopped
- * trace. For stopping a trace, the state must be running
- */
- ret = -EINVAL;
- if (start) {
- if (bt->trace_state == Blktrace_setup ||
- bt->trace_state == Blktrace_stopped) {
- blktrace_seq++;
- smp_mb();
- bt->trace_state = Blktrace_running;
- spin_lock_irq(&running_trace_lock);
- list_add(&bt->running_list, &running_trace_list);
- spin_unlock_irq(&running_trace_lock);
-
- trace_note_time(bt);
- ret = 0;
- }
- } else {
- if (bt->trace_state == Blktrace_running) {
- bt->trace_state = Blktrace_stopped;
- spin_lock_irq(&running_trace_lock);
- list_del_init(&bt->running_list);
- spin_unlock_irq(&running_trace_lock);
- relay_flush(bt->rchan);
- ret = 0;
- }
- }
-
- return ret;
+ if (start)
+ return blk_trace_start(bt);
+ else
+ return blk_trace_stop(bt);
}
int blk_trace_startstop(struct request_queue *q, int start)
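Review bot: the removed comment describing the allowed transitions (start from a setup or stopped trace, stop only from a running one) is not carried over to blk_trace_start() and blk_trace_stop(); move it onto the helpers so the state rules stay documented. In the new tail of __blk_trace_startstop(), the `else` after `return blk_trace_start(bt);` is redundant.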
@@ -1657,13 +1661,7 @@ static int blk_trace_remove_queue(struct request_queue *q)
if (bt == NULL)
return -EINVAL;
- if (bt->trace_state == Blktrace_running) {
- bt->trace_state = Blktrace_stopped;
- spin_lock_irq(&running_trace_lock);
- list_del_init(&bt->running_list);
- spin_unlock_irq(&running_trace_lock);
- relay_flush(bt->rchan);
- }
+ blk_trace_stop(bt);
put_probe_ref();
synchronize_rcu();
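Review bot: blk_trace_remove_queue() now calls blk_trace_stop(bt) and discards the result, so the -EINVAL returned for a trace that is not running is silently dropped. That matches the old open-coded `if (bt->trace_state == Blktrace_running)` block, but a short comment that the error is expected here would keep someone from adding error handling later and changing behaviour.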
--
2.25.1

[PATCH openEuler-1.0-LTS 1/2] io_uring/af_unix: defer registered files gc to io_uring release
by Yongqiang Liu 07 Nov '22
From: Pavel Begunkov <asml.silence(a)gmail.com>
mainline inclusion
from mainline-v6.1-rc1
commit 0091bfc81741b8d3aeb3b7ab8636f911b2de6e80
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/I5WFKI
CVE: CVE-2022-2602
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit?h…
--------------------------------
Instead of putting io_uring's registered files in unix_gc() we want it
to be done by io_uring itself. The trick here is to consider io_uring
registered files for cycle detection but not actually putting them down.
Because io_uring can't register other ring instances, this will remove
all refs to the ring file triggering the ->release path and clean up
with io_ring_ctx_free().
Cc: stable(a)vger.kernel.org
Fixes: 6b06314c47e1 ("io_uring: add file set registration")
Reported-and-tested-by: David Bouman <dbouman03(a)gmail.com>
Signed-off-by: Pavel Begunkov <asml.silence(a)gmail.com>
Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo(a)canonical.com>
[axboe: add kerneldoc comment to skb, fold in skb leak fix]
Signed-off-by: Jens Axboe <axboe(a)kernel.dk>
Conflicts:
fs/io_uring.c
include/linux/skbuff.h
Signed-off-by: Zhihao Cheng <chengzhihao1(a)huawei.com>
Reviewed-by: Yue Haibing <yuehaibing(a)huawei.com>
Reviewed-by: Xiu Jianfeng <xiujianfeng(a)huawei.com>
Signed-off-by: Yongqiang Liu <liuyongqiang13(a)huawei.com>
---
fs/io_uring.c | 1 +
include/linux/skbuff.h | 3 +++
net/unix/garbage.c | 20 ++++++++++++++++++++
3 files changed, 24 insertions(+)
diff --git a/fs/io_uring.c b/fs/io_uring.c
index d4e430b51098..7d7af6a0ef96 100644
--- a/fs/io_uring.c
+++ b/fs/io_uring.c
@@ -6835,6 +6835,7 @@ static int __io_sqe_files_scm(struct io_ring_ctx *ctx, int nr, int offset)
}
skb->sk = sk;
+ skb->scm_io_uring = 1;
nr_files = 0;
fpl->user = get_uid(ctx->user);
diff --git a/include/linux/skbuff.h b/include/linux/skbuff.h
index dbdb03ac557f..4524bef053b8 100644
--- a/include/linux/skbuff.h
+++ b/include/linux/skbuff.h
@@ -654,6 +654,7 @@ typedef unsigned char *sk_buff_data_t;
* @transport_header: Transport layer header
* @network_header: Network layer header
* @mac_header: Link layer header
+ * @scm_io_uring: SKB holds io_uring registered files
* @tail: Tail pointer
* @end: End pointer
* @head: Head of buffer
@@ -800,6 +801,8 @@ struct sk_buff {
__u8 decrypted:1;
#endif
+ __u8 scm_io_uring:1;
+
#ifdef CONFIG_NET_SCHED
__u16 tc_index; /* traffic control index */
#endif
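Review bot: `__u8 scm_io_uring:1;` is added after the `#endif` that closes the decrypted bit and is itself unconditional, so every sk_buff carries it. Check with pahole on this branch's configuration that the bit lands in existing padding rather than growing struct sk_buff, and record the result in the commit message, since this is a backport with conflicts in skbuff.h.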
diff --git a/net/unix/garbage.c b/net/unix/garbage.c
index 4d283e26d816..5c9ff8df9136 100644
--- a/net/unix/garbage.c
+++ b/net/unix/garbage.c
@@ -209,6 +209,7 @@ void wait_for_unix_gc(void)
/* The external entry point: unix_gc() */
void unix_gc(void)
{
+ struct sk_buff *next_skb, *skb;
struct unix_sock *u;
struct unix_sock *next;
struct sk_buff_head hitlist;
@@ -302,11 +303,30 @@ void unix_gc(void)
spin_unlock(&unix_gc_lock);
+ /* We need io_uring to clean its registered files, ignore all io_uring
+ * originated skbs. It's fine as io_uring doesn't keep references to
+ * other io_uring instances and so killing all other files in the cycle
+ * will put all io_uring references forcing it to go through normal
+ * release.path eventually putting registered files.
+ */
+ skb_queue_walk_safe(&hitlist, skb, next_skb) {
+ if (skb->scm_io_uring) {
+ __skb_unlink(skb, &hitlist);
+ skb_queue_tail(&skb->sk->sk_receive_queue, skb);
+ }
+ }
+
/* Here we are. Hitlist is filled. Die. */
__skb_queue_purge(&hitlist);
spin_lock(&unix_gc_lock);
+ /* There could be io_uring registered files, just push them back to
+ * the inflight list
+ */
+ list_for_each_entry_safe(u, next, &gc_candidates, link)
+ list_move_tail(&u->link, &gc_inflight_list);
+
/* All candidates should have been detached by now. */
BUG_ON(!list_empty(&gc_candidates));
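Review bot: the list_for_each_entry_safe() loop added directly above `BUG_ON(!list_empty(&gc_candidates))` moves every remaining candidate to gc_inflight_list, so the BUG_ON can no longer fire and the comment "All candidates should have been detached by now" no longer describes a real check. Drop the assertion or reword the comment to say the list is emptied by the loop. In the first added comment, "release.path" should read "->release path", as the commit message has it.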
--
2.25.1

07 Nov '22
From: Christoph Hellwig <hch(a)lst.de>
mainline inclusion
from mainline-v5.11-rc1
commit ee4bf648635055d2b76afadaf34236c8b2d852a7
category: bugfix
bugzilla: 187706,https://gitee.com/openeuler/kernel/issues/I5XEBX
CVE: NA
----------------------------------------
Block drivers have no business setting the file system concept of a
block size.
Signed-off-by: Christoph Hellwig <hch(a)lst.de>
Reviewed-by: Josef Bacik <josef(a)toxicpanda.com>
Signed-off-by: Jens Axboe <axboe(a)kernel.dk>
conflicts:
drivers/block/nbd.c
Signed-off-by: Zhong Jinghua <zhongjinghua(a)huawei.com>
Reviewed-by: Jason Yan <yanaijie(a)huawei.com>
Reviewed-by: Yu Kuai <yukuai3(a)huawei.com>
Signed-off-by: Yongqiang Liu <liuyongqiang13(a)huawei.com>
---
drivers/block/nbd.c | 12 +++++-------
1 file changed, 5 insertions(+), 7 deletions(-)
diff --git a/drivers/block/nbd.c b/drivers/block/nbd.c
index 6834ba0e7e2c..4d162a92dffc 100644
--- a/drivers/block/nbd.c
+++ b/drivers/block/nbd.c
@@ -298,7 +298,7 @@ static void nbd_size_clear(struct nbd_device *nbd)
}
}
-static void nbd_size_update(struct nbd_device *nbd, bool start)
+static void nbd_size_update(struct nbd_device *nbd)
{
struct nbd_config *config = nbd->config;
struct block_device *bdev = bdget_disk(nbd->disk, 0);
@@ -312,11 +312,9 @@ static void nbd_size_update(struct nbd_device *nbd, bool start)
blk_queue_physical_block_size(nbd->disk->queue, config->blksize);
set_capacity(nbd->disk, config->bytesize >> 9);
if (bdev) {
- if (bdev->bd_disk) {
+ if (bdev->bd_disk)
bd_set_size(bdev, config->bytesize);
- if (start)
- set_blocksize(bdev, config->blksize);
- } else
+ else
bdev->bd_invalidated = 1;
bdput(bdev);
}
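Review bot: with `if (start) set_blocksize(bdev, config->blksize);` removed, the visible part of nbd_size_update() no longer applies config->blksize to the block device itself, only to the queue via blk_queue_physical_block_size(). The commit message gives the rationale but not the effect: say what block size a freshly started nbd device reports after this change and whether any in-tree user depended on the old value, since this is a backport.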
@@ -330,7 +328,7 @@ static void nbd_size_set(struct nbd_device *nbd, loff_t blocksize,
config->blksize = blocksize;
config->bytesize = blocksize * nr_blocks;
if (nbd->pid)
- nbd_size_update(nbd, false);
+ nbd_size_update(nbd);
}
static void nbd_complete_rq(struct request *req)
@@ -1333,7 +1331,7 @@ static int nbd_start_device(struct nbd_device *nbd)
args->index = i;
queue_work(nbd->recv_workq, &args->work);
}
- nbd_size_update(nbd, true);
+ nbd_size_update(nbd);
return error;
}
--
2.25.1

04 Nov '22
From: Dongliang Mu <mudongliangabcd(a)gmail.com>
mainline inclusion
from mainline-v6.1-rc1
commit 2e488f13755ffbb60f307e991b27024716a33b29
category: bugfix
bugzilla: 187543, https://gitee.com/src-openeuler/kernel/issues/I5NZ98
CVE: CVE-2022-2978
-------------------------------
In alloc_inode, inode_init_always() could return -ENOMEM if
security_inode_alloc() fails, which causes inode->i_private
uninitialized. Then nilfs_is_metadata_file_inode() returns
true and nilfs_free_inode() wrongly calls nilfs_mdt_destroy(),
which frees the uninitialized inode->i_private
and leads to crashes (e.g., UAF/GPF).
Fix this by moving security_inode_alloc just prior to
this_cpu_inc(nr_inodes)
Link: https://lkml.kernel.org/r/CAFcO6XOcf1Jj2SeGt=jJV59wmhESeSKpfR0omdFRq+J9nD1v…
Reported-by: butt3rflyh4ck <butterflyhuangxx(a)gmail.com>
Reported-by: Hao Sun <sunhao.th(a)gmail.com>
Reported-by: Jiacheng Xu <stitch(a)zju.edu.cn>
Reviewed-by: Christian Brauner (Microsoft) <brauner(a)kernel.org>
Signed-off-by: Dongliang Mu <mudongliangabcd(a)gmail.com>
Cc: Al Viro <viro(a)zeniv.linux.org.uk>
Cc: stable(a)vger.kernel.org
Signed-off-by: Al Viro <viro(a)zeniv.linux.org.uk>
Signed-off-by: Li Lingfeng <lilingfeng3(a)huawei.com>
Reviewed-by: Zhang Yi <yi.zhang(a)huawei.com>
Reviewed-by: Xiu Jianfeng <xiujianfeng(a)huawei.com>
Signed-off-by: Yongqiang Liu <liuyongqiang13(a)huawei.com>
---
fs/inode.c | 7 +++----
1 file changed, 3 insertions(+), 4 deletions(-)
diff --git a/fs/inode.c b/fs/inode.c
index c9eb5041ffae..5df2e8ee23ed 100644
--- a/fs/inode.c
+++ b/fs/inode.c
@@ -166,8 +166,6 @@ int inode_init_always(struct super_block *sb, struct inode *inode)
inode->i_wb_frn_history = 0;
#endif
- if (security_inode_alloc(inode))
- goto out;
spin_lock_init(&inode->i_lock);
lockdep_set_class(&inode->i_lock, &sb->s_type->i_lock_key);
@@ -195,11 +193,12 @@ int inode_init_always(struct super_block *sb, struct inode *inode)
inode->i_fsnotify_mask = 0;
#endif
inode->i_flctx = NULL;
+
+ if (unlikely(security_inode_alloc(inode)))
+ return -ENOMEM;
this_cpu_inc(nr_inodes);
return 0;
-out:
- return -ENOMEM;
}
EXPORT_SYMBOL(inode_init_always);
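Review bot: The fix depends on `security_inode_alloc()` staying the last fallible step before `this_cpu_inc(nr_inodes)`, but nothing at the new call site says so. A short comment above `if (unlikely(security_inode_alloc(inode)))` stating that every field must be initialised before this point, because the failure path hands the inode to the filesystem's free callback, would keep later additions after `inode->i_flctx = NULL;` from reintroducing the bug. The LSM return value is also still collapsed into `-ENOMEM`; if that is intentional, the comment can say so too.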
--
2.25.1
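A user-space model of the ordering bug this commit message describes, added here as an illustration and not kernel or project code. The `model_*` names, the `STALE` marker and the `lsm_alloc_fails` switch are assumptions of the example.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed marker standing in for whatever a recycled slab object holds. */
#define STALE ((void *)(uintptr_t)0xdeadbeef)

/* Hypothetical, reduced stand-in for struct inode. */
struct model_inode {
	unsigned long i_ino;
	void *i_private;
	void *i_security;
};

/* Hypothetical switch: forces the LSM allocation to fail. */
static bool lsm_alloc_fails;

/* Stand-in for security_inode_alloc(): the only fallible step. */
static int model_security_inode_alloc(struct model_inode *inode)
{
	if (lsm_alloc_fails)
		return -ENOMEM;
	inode->i_security = inode;	/* any non-NULL token */
	return 0;
}

/* Ordering before the patch: the fallible call runs before i_private is set. */
static int init_always_before(struct model_inode *inode)
{
	inode->i_ino = 0;
	if (model_security_inode_alloc(inode))
		return -ENOMEM;		/* i_private still holds stale data */
	inode->i_private = NULL;
	return 0;
}

/* Ordering after the patch: every field first, the fallible call last. */
static int init_always_after(struct model_inode *inode)
{
	inode->i_ino = 0;
	inode->i_private = NULL;
	if (model_security_inode_alloc(inode))
		return -ENOMEM;
	return 0;
}

/*
 * Stand-in for a filesystem free callback that trusts i_private.
 * Returns true when it would pass a never-initialised pointer to the
 * routine that frees it (the crash path in the commit message).
 */
static bool free_inode_touches_stale(const struct model_inode *inode)
{
	return inode->i_private == STALE;
}

/* Drives the allocation failure path with the given init ordering. */
static bool failure_path_frees_garbage(int (*init)(struct model_inode *))
{
	/* The object comes from a cache and is not zeroed. */
	struct model_inode inode = {
		.i_ino = 0, .i_private = STALE, .i_security = STALE,
	};
	bool hit = false;

	lsm_alloc_fails = true;
	if (init(&inode) != 0)
		hit = free_inode_touches_stale(&inode);	/* cleanup runs */
	lsm_alloc_fails = false;
	return hit;
}

int main(void)
{
	printf("before patch, cleanup sees stale i_private: %d\n",
	       failure_path_frees_garbage(init_always_before));
	printf("after patch, cleanup sees stale i_private: %d\n",
	       failure_path_frees_garbage(init_always_after));
	return 0;
}
```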
From: Junxian Huang <huangjunxian6(a)hisilicon.com>
driver inclusion
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I5Z6L8
----------------------------------------------------------
Support hns roce bonding
Signed-off-by: Junxian Huang <huangjunxian6(a)hisilicon.com>
Signed-off-by: ChunZhi Hu <huchunzhi(a)huawei.com>
Reviewed-by: Yangyang Li <liyangyang20(a)huawei.com>
---
drivers/infiniband/hw/hns/Makefile | 3 +-
drivers/infiniband/hw/hns/hns_roce_bond.c | 670 ++++++++++++++++++++
drivers/infiniband/hw/hns/hns_roce_bond.h | 64 ++
drivers/infiniband/hw/hns/hns_roce_device.h | 10 +
drivers/infiniband/hw/hns/hns_roce_hw_v2.c | 63 +-
drivers/infiniband/hw/hns/hns_roce_hw_v2.h | 17 +
drivers/infiniband/hw/hns/hns_roce_main.c | 26 +-
7 files changed, 846 insertions(+), 7 deletions(-)
create mode 100644 drivers/infiniband/hw/hns/hns_roce_bond.c
create mode 100644 drivers/infiniband/hw/hns/hns_roce_bond.h
diff --git a/drivers/infiniband/hw/hns/Makefile b/drivers/infiniband/hw/hns/Makefile
index a7d259238305..8ffbf009b948 100644
--- a/drivers/infiniband/hw/hns/Makefile
+++ b/drivers/infiniband/hw/hns/Makefile
@@ -7,7 +7,8 @@ ccflags-y := -I $(srctree)/drivers/net/ethernet/hisilicon/hns3
hns-roce-objs := hns_roce_main.o hns_roce_cmd.o hns_roce_pd.o \
hns_roce_ah.o hns_roce_hem.o hns_roce_mr.o hns_roce_qp.o \
- hns_roce_cq.o hns_roce_alloc.o hns_roce_db.o hns_roce_srq.o hns_roce_restrack.o
+ hns_roce_cq.o hns_roce_alloc.o hns_roce_db.o hns_roce_srq.o hns_roce_restrack.o \
+ hns_roce_bond.o
ifdef CONFIG_INFINIBAND_HNS_HIP08
hns-roce-hw-v2-objs := hns_roce_hw_v2.o $(hns-roce-objs)
diff --git a/drivers/infiniband/hw/hns/hns_roce_bond.c b/drivers/infiniband/hw/hns/hns_roce_bond.c
new file mode 100644
index 000000000000..14255685a59f
--- /dev/null
+++ b/drivers/infiniband/hw/hns/hns_roce_bond.c
@@ -0,0 +1,670 @@
+// SPDX-License-Identifier: GPL-2.0
+/*
+ * Copyright (c) 2016-2022 Hisilicon Limited.
+ *
+ * This software is available to you under a choice of one of two
+ * licenses. You may choose to be licensed under the terms of the GNU
+ * General Public License (GPL) Version 2, available from the file
+ * COPYING in the main directory of this source tree, or the
+ * OpenIB.org BSD license below:
+ *
+ * Redistribution and use in source and binary forms, with or
+ * without modification, are permitted provided that the following
+ * conditions are met:
+ *
+ * - Redistributions of source code must retain the above
+ * copyright notice, this list of conditions and the following
+ * disclaimer.
+ *
+ * - Redistributions in binary form must reproduce the above
+ * copyright notice, this list of conditions and the following
+ * disclaimer in the documentation and/or other materials
+ * provided with the distribution.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+ * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+ * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+ * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
+ * BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
+ * ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
+ * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+
+#include <linux/pci.h>
+#include "hnae3.h"
+#include "hns_roce_device.h"
+#include "hns_roce_hw_v2.h"
+#include "hns_roce_bond.h"
+
+static DEFINE_MUTEX(roce_bond_mutex);
+
+static struct hns_roce_dev *hns_roce_get_hrdev_by_netdev(struct net_device *net_dev)
+{
+ struct hns_roce_dev *hr_dev;
+ struct ib_device *ibdev;
+
+ ibdev = ib_device_get_by_netdev(net_dev, RDMA_DRIVER_HNS);
+ if (!ibdev)
+ return NULL;
+
+ hr_dev = container_of(ibdev, struct hns_roce_dev, ib_dev);
+ ib_device_put(ibdev);
+
+ return hr_dev;
+}
+
+bool hns_roce_bond_is_active(struct hns_roce_dev *hr_dev)
+{
+ struct net_device *upper_dev;
+ struct net_device *net_dev;
+
+ if (!netif_is_lag_port(hr_dev->iboe.netdevs[0]))
+ return false;
+
+ rcu_read_lock();
+ upper_dev = netdev_master_upper_dev_get_rcu(hr_dev->iboe.netdevs[0]);
+ for_each_netdev_in_bond_rcu(upper_dev, net_dev) {
+ hr_dev = hns_roce_get_hrdev_by_netdev(net_dev);
+ if (hr_dev && hr_dev->bond_grp &&
+ hr_dev->bond_grp->bond_state == HNS_ROCE_BOND_IS_BONDED) {
+ rcu_read_unlock();
+ return true;
+ }
+ }
+ rcu_read_unlock();
+
+ return false;
+}
+
+struct net_device *hns_roce_get_bond_netdev(struct hns_roce_dev *hr_dev)
+{
+ struct hns_roce_bond_group *bond_grp = hr_dev->bond_grp;
+ struct net_device *net_dev = NULL;
+ int i;
+
+ if (!(hr_dev->caps.flags & HNS_ROCE_CAP_FLAG_BOND))
+ return NULL;
+
+ if (!netif_is_lag_port(hr_dev->iboe.netdevs[0]))
+ return NULL;
+
+ if (!bond_grp)
+ return NULL;
+
+ mutex_lock(&bond_grp->bond_mutex);
+
+ if (bond_grp->bond_state != HNS_ROCE_BOND_IS_BONDED)
+ goto out;
+
+ if (bond_grp->tx_type == NETDEV_LAG_TX_TYPE_ACTIVEBACKUP) {
+ for (i = 0; i < ROCE_BOND_FUNC_MAX; i++) {
+ net_dev = bond_grp->bond_func_info[i].net_dev;
+ if (net_dev &&
+ bond_grp->bond_func_info[i].state.tx_enabled)
+ break;
+ }
+ } else {
+ for (i = 0; i < ROCE_BOND_FUNC_MAX; i++) {
+ net_dev = bond_grp->bond_func_info[i].net_dev;
+ if (net_dev && get_port_state(net_dev) == IB_PORT_ACTIVE)
+ break;
+ }
+ }
+
+out:
+ mutex_unlock(&bond_grp->bond_mutex);
+
+ return net_dev;
+}
+
+static void hns_roce_queue_bond_work(struct hns_roce_dev *hr_dev,
+ unsigned long delay)
+{
+ schedule_delayed_work(&hr_dev->bond_work, delay);
+}
+
+static void hns_roce_bond_get_active_slave(struct hns_roce_bond_group *bond_grp)
+{
+ struct net_device *net_dev;
+ u32 active_slave_map = 0;
+ u8 active_slave_num = 0;
+ bool active;
+ u8 i;
+
+ for (i = 0; i < ROCE_BOND_FUNC_MAX; i++) {
+ net_dev = bond_grp->bond_func_info[i].net_dev;
+ if (net_dev) {
+ active = (bond_grp->tx_type == NETDEV_LAG_TX_TYPE_ACTIVEBACKUP) ?
+ bond_grp->bond_func_info[i].state.tx_enabled :
+ bond_grp->bond_func_info[i].state.link_up;
+ if (active) {
+ active_slave_num++;
+ active_slave_map |= (1 << i);
+ }
+ }
+ }
+
+ bond_grp->active_slave_num = active_slave_num;
+ bond_grp->active_slave_map = active_slave_map;
+}
+
+static struct hns_roce_dev
+ *hns_roce_bond_init_client(struct hns_roce_bond_group *bond_grp,
+ int func_idx)
+{
+ struct hnae3_handle *handle;
+ int ret;
+
+ handle = bond_grp->bond_func_info[func_idx].handle;
+ ret = hns_roce_hw_v2_init_instance(handle);
+ if (ret)
+ return NULL;
+
+ return handle->priv;
+}
+
+static void hns_roce_bond_uninit_client(struct hns_roce_bond_group *bond_grp,
+ int func_idx)
+{
+ struct hnae3_handle *handle;
+
+ handle = bond_grp->bond_func_info[func_idx].handle;
+ hns_roce_hw_v2_uninit_instance(handle, 0);
+}
+
+static void hns_roce_set_bond(struct hns_roce_bond_group *bond_grp)
+{
+ u8 main_func_idx = PCI_FUNC(bond_grp->main_hr_dev->pci_dev->devfn);
+ struct net_device *main_net_dev = bond_grp->main_net_dev;
+ struct hns_roce_dev *hr_dev;
+ struct net_device *net_dev;
+ int ret;
+ int i;
+
+ hns_roce_bond_get_active_slave(bond_grp);
+ /* bond_grp will be kfree during uninit_instance of main_hr_dev.
+ * Thus the main_hr_dev is switched before the uninit_instance
+ * of the previous main_hr_dev.
+ */
+ for (i = 0; i < ROCE_BOND_FUNC_MAX; i++) {
+ net_dev = bond_grp->bond_func_info[i].net_dev;
+ if (net_dev && net_dev != main_net_dev)
+ hns_roce_bond_uninit_client(bond_grp, i);
+ }
+
+ bond_grp->bond_state = HNS_ROCE_BOND_IS_BONDED;
+
+ for (i = 0; i < ROCE_BOND_FUNC_MAX; i++) {
+ net_dev = bond_grp->bond_func_info[i].net_dev;
+ if (net_dev && net_dev != main_net_dev) {
+ hr_dev = hns_roce_bond_init_client(bond_grp, i);
+ if (hr_dev) {
+ bond_grp->bond_id =
+ hr_dev->ib_dev.name[ROCE_BOND_NAME_ID_IDX]
+ - '0';
+ bond_grp->main_hr_dev->bond_grp = NULL;
+ bond_grp->main_hr_dev = hr_dev;
+ bond_grp->main_net_dev = net_dev;
+ hr_dev->bond_grp = bond_grp;
+ break;
+ }
+ }
+ }
+
+ if (!hr_dev)
+ return;
+
+ hns_roce_bond_uninit_client(bond_grp, main_func_idx);
+ ret = hns_roce_cmd_bond(hr_dev, HNS_ROCE_SET_BOND);
+ if (ret) {
+ ibdev_err(&hr_dev->ib_dev, "failed to set RoCE bond!\n");
+ return;
+ }
+
+ ibdev_info(&hr_dev->ib_dev, "RoCE set bond finished!\n");
+}
+
+static void hns_roce_clear_bond(struct hns_roce_bond_group *bond_grp)
+{
+ u8 main_func_idx = PCI_FUNC(bond_grp->main_hr_dev->pci_dev->devfn);
+ struct net_device *main_net_dev = bond_grp->main_net_dev;
+ struct hnae3_handle *handle;
+ struct hns_roce_dev *hr_dev;
+ struct net_device *net_dev;
+ int ret;
+ int i;
+
+ bond_grp->bond_state = HNS_ROCE_BOND_NOT_BONDED;
+
+ for (i = 0; i < ROCE_BOND_FUNC_MAX; i++) {
+ net_dev = bond_grp->bond_func_info[i].net_dev;
+ if (net_dev && net_dev != main_net_dev)
+ hns_roce_bond_init_client(bond_grp, i);
+ }
+
+ ret = hns_roce_cmd_bond(bond_grp->main_hr_dev, HNS_ROCE_CLEAR_BOND);
+ if (ret)
+ return;
+ handle = bond_grp->bond_func_info[main_func_idx].handle;
+
+ /* bond_grp will be freed in uninit_instance(main_net_dev) */
+ hns_roce_bond_uninit_client(bond_grp, main_func_idx);
+
+ ret = hns_roce_hw_v2_init_instance(handle);
+ if (ret) {
+ ibdev_err(&hr_dev->ib_dev, "failed to clear RoCE bond!\n");
+ return;
+ }
+
+ hr_dev = handle->priv;
+
+ ibdev_info(&hr_dev->ib_dev, "RoCE clear bond finished!\n");
+}
+
+static void hns_roce_slave_changestate(struct hns_roce_bond_group *bond_grp)
+{
+ int ret;
+
+ hns_roce_bond_get_active_slave(bond_grp);
+ bond_grp->bond_state = HNS_ROCE_BOND_IS_BONDED;
+
+ ret = hns_roce_cmd_bond(bond_grp->main_hr_dev, HNS_ROCE_CHANGE_BOND);
+ if (ret) {
+ ibdev_err(&bond_grp->main_hr_dev->ib_dev,
+ "failed to change RoCE bond slave state!\n");
+ return;
+ }
+
+ ibdev_info(&bond_grp->main_hr_dev->ib_dev,
+ "RoCE slave changestate finished!\n");
+}
+
+static void hns_roce_slave_inc(struct hns_roce_bond_group *bond_grp)
+{
+ u32 inc_slave_map = bond_grp->slave_map_diff;
+ u8 inc_func_idx = 0;
+ int ret;
+
+ hns_roce_bond_get_active_slave(bond_grp);
+
+ while (inc_slave_map > 0) {
+ if (inc_slave_map & 1)
+ hns_roce_bond_uninit_client(bond_grp, inc_func_idx);
+ inc_slave_map >>= 1;
+ inc_func_idx++;
+ }
+
+ bond_grp->bond_state = HNS_ROCE_BOND_IS_BONDED;
+
+ ret = hns_roce_cmd_bond(bond_grp->main_hr_dev, HNS_ROCE_CHANGE_BOND);
+ if (ret) {
+ ibdev_err(&bond_grp->main_hr_dev->ib_dev,
+ "failed to increase RoCE bond slave!\n");
+ return;
+ }
+
+ ibdev_info(&bond_grp->main_hr_dev->ib_dev,
+ "RoCE slave increase finished!\n");
+}
+
+static void hns_roce_slave_dec(struct hns_roce_bond_group *bond_grp)
+{
+ u32 dec_slave_map = bond_grp->slave_map_diff;
+ struct hns_roce_dev *hr_dev;
+ struct net_device *net_dev;
+ u8 main_func_idx = 0;
+ u8 dec_func_idx = 0;
+ int ret;
+ int i;
+
+ hns_roce_bond_get_active_slave(bond_grp);
+
+ bond_grp->bond_state = HNS_ROCE_BOND_IS_BONDED;
+
+ main_func_idx = PCI_FUNC(bond_grp->main_hr_dev->pci_dev->devfn);
+ if (dec_slave_map & (1 << main_func_idx)) {
+ hns_roce_cmd_bond(hr_dev, HNS_ROCE_CLEAR_BOND);
+ for (i = 0; i < ROCE_BOND_FUNC_MAX; i++) {
+ net_dev = bond_grp->bond_func_info[i].net_dev;
+ if (!(dec_slave_map & (1 << i)) && net_dev) {
+ hr_dev = hns_roce_bond_init_client(bond_grp, i);
+ if (hr_dev) {
+ bond_grp->main_hr_dev = hr_dev;
+ bond_grp->main_net_dev = net_dev;
+ hr_dev->bond_grp = bond_grp;
+ break;
+ }
+ }
+ }
+ hns_roce_bond_uninit_client(bond_grp, main_func_idx);
+ }
+
+ while (dec_slave_map > 0) {
+ if (dec_slave_map & 1) {
+ hns_roce_bond_init_client(bond_grp, dec_func_idx);
+ bond_grp->bond_func_info[dec_func_idx].net_dev = NULL;
+ }
+ dec_slave_map >>= 1;
+ dec_func_idx++;
+ }
+
+ if (bond_grp->slave_map_diff & (1 << main_func_idx))
+ ret = hns_roce_cmd_bond(hr_dev, HNS_ROCE_SET_BOND);
+ else
+ ret = hns_roce_cmd_bond(bond_grp->main_hr_dev,
+ HNS_ROCE_CHANGE_BOND);
+ if (ret) {
+ ibdev_err(&bond_grp->main_hr_dev->ib_dev,
+ "failed to decrease RoCE bond slave!\n");
+ return;
+ }
+
+ ibdev_info(&bond_grp->main_hr_dev->ib_dev,
+ "RoCE slave decrease finished!\n");
+}
+
+static void hns_roce_do_bond(struct hns_roce_bond_group *bond_grp)
+{
+ enum hns_roce_bond_state bond_state;
+ bool bond_ready;
+
+ bond_ready = bond_grp->bond_ready;
+ bond_state = bond_grp->bond_state;
+ ibdev_info(&bond_grp->main_hr_dev->ib_dev,
+ "do_bond: bond_ready - %d, bond_state - %d.\n",
+ bond_ready, bond_grp->bond_state);
+
+ if (bond_ready && bond_state == HNS_ROCE_BOND_NOT_BONDED)
+ hns_roce_set_bond(bond_grp);
+ else if (bond_ready && bond_state == HNS_ROCE_BOND_SLAVE_CHANGESTATE)
+ hns_roce_slave_changestate(bond_grp);
+ else if (bond_ready && bond_state == HNS_ROCE_BOND_SLAVE_INC)
+ hns_roce_slave_inc(bond_grp);
+ else if (bond_ready && bond_state == HNS_ROCE_BOND_SLAVE_DEC)
+ hns_roce_slave_dec(bond_grp);
+ else if (!bond_ready && bond_state != HNS_ROCE_BOND_NOT_BONDED)
+ hns_roce_clear_bond(bond_grp);
+}
+
+void hns_roce_do_bond_work(struct work_struct *work)
+{
+ struct delayed_work *delayed_work;
+ struct hns_roce_dev *hr_dev;
+ int status;
+
+ delayed_work = to_delayed_work(work);
+ hr_dev = container_of(delayed_work, struct hns_roce_dev, bond_work);
+ status = mutex_trylock(&roce_bond_mutex);
+ if (!status) {
+ /* delay 1 sec */
+ hns_roce_queue_bond_work(hr_dev, HZ);
+ return;
+ }
+
+ hns_roce_do_bond(hr_dev->bond_grp);
+ mutex_unlock(&roce_bond_mutex);
+}
+
+int hns_roce_bond_init(struct hns_roce_dev *hr_dev)
+{
+ int ret;
+
+ INIT_DELAYED_WORK(&hr_dev->bond_work, hns_roce_do_bond_work);
+
+ hr_dev->bond_nb.notifier_call = hns_roce_bond_event;
+ ret = register_netdevice_notifier(&hr_dev->bond_nb);
+ if (ret) {
+ ibdev_err(&hr_dev->ib_dev,
+ "failed to register notifier for RoCE bond!\n");
+ hr_dev->bond_nb.notifier_call = NULL;
+ }
+
+ return ret;
+}
+
+void hns_roce_cleanup_bond(struct hns_roce_dev *hr_dev)
+{
+ unregister_netdevice_notifier(&hr_dev->bond_nb);
+ cancel_delayed_work(&hr_dev->bond_work);
+
+ if (hr_dev->bond_grp && hr_dev == hr_dev->bond_grp->main_hr_dev)
+ kfree(hr_dev->bond_grp);
+
+ hr_dev->bond_grp = NULL;
+}
+
+static bool hns_roce_bond_lowerstate_event(struct hns_roce_dev *hr_dev,
+ struct netdev_notifier_changelowerstate_info *info)
+{
+ struct hns_roce_bond_group *bond_grp = hr_dev->bond_grp;
+ struct netdev_lag_lower_state_info *bond_lower_info;
+ struct net_device *net_dev;
+ int i;
+
+ net_dev = netdev_notifier_info_to_dev((struct netdev_notifier_info *)info);
+ if (!netif_is_lag_port(net_dev))
+ return false;
+
+ bond_lower_info = info->lower_state_info;
+ if (!bond_lower_info)
+ return false;
+
+ if (!bond_grp) {
+ hr_dev->slave_state = *bond_lower_info;
+ return false;
+ }
+
+ mutex_lock(&bond_grp->bond_mutex);
+
+ for (i = 0; i < ROCE_BOND_FUNC_MAX; i++) {
+ if (net_dev == bond_grp->bond_func_info[i].net_dev) {
+ bond_grp->bond_func_info[i].state = *bond_lower_info;
+ break;
+ }
+ }
+
+ if (bond_grp->bond_ready &&
+ bond_grp->bond_state == HNS_ROCE_BOND_IS_BONDED)
+ bond_grp->bond_state = HNS_ROCE_BOND_SLAVE_CHANGESTATE;
+
+ mutex_unlock(&bond_grp->bond_mutex);
+
+ return true;
+}
+
+static inline bool hns_roce_bond_mode_is_supported(enum netdev_lag_tx_type tx_type)
+{
+ if (tx_type != NETDEV_LAG_TX_TYPE_ACTIVEBACKUP &&
+ tx_type != NETDEV_LAG_TX_TYPE_HASH)
+ return false;
+
+ return true;
+}
+
+static void hns_roce_bond_info_record(struct hns_roce_bond_group *bond_grp,
+ struct net_device *upper_dev)
+{
+ struct hns_roce_v2_priv *priv;
+ struct hns_roce_dev *hr_dev;
+ struct net_device *net_dev;
+ u8 func_idx;
+
+ bond_grp->slave_num = 0;
+ bond_grp->slave_map = 0;
+
+ rcu_read_lock();
+ for_each_netdev_in_bond_rcu(upper_dev, net_dev) {
+ hr_dev = hns_roce_get_hrdev_by_netdev(net_dev);
+ if (hr_dev) {
+ func_idx = PCI_FUNC(hr_dev->pci_dev->devfn);
+ bond_grp->slave_map |= (1 << func_idx);
+ bond_grp->slave_num++;
+ if (!bond_grp->bond_func_info[func_idx].net_dev) {
+ priv = hr_dev->priv;
+
+ bond_grp->bond_func_info[func_idx].net_dev =
+ net_dev;
+
+ bond_grp->bond_func_info[func_idx].handle =
+ priv->handle;
+
+ bond_grp->bond_func_info[func_idx].state =
+ hr_dev->slave_state;
+ }
+ }
+ }
+ rcu_read_unlock();
+}
+
+static bool hns_roce_bond_upper_event(struct hns_roce_dev *hr_dev,
+ struct netdev_notifier_changeupper_info *info)
+{
+ struct hns_roce_bond_group *bond_grp = hr_dev->bond_grp;
+ struct net_device *upper_dev = info->upper_dev;
+ struct netdev_lag_upper_info *bond_upper_info;
+ u32 pre_slave_map = bond_grp->slave_map;
+ u8 pre_slave_num = bond_grp->slave_num;
+ bool changed = false;
+
+ if (!upper_dev || !netif_is_lag_master(upper_dev))
+ return false;
+
+ if (info->linking)
+ bond_upper_info = info->upper_info;
+
+ mutex_lock(&bond_grp->bond_mutex);
+
+ if (bond_upper_info)
+ bond_grp->tx_type = bond_upper_info->tx_type;
+
+ hns_roce_bond_info_record(bond_grp, upper_dev);
+
+ bond_grp->bond = netdev_priv(upper_dev);
+ if (!hns_roce_bond_mode_is_supported(bond_grp->tx_type) ||
+ bond_grp->slave_num <= 1) {
+ changed = bond_grp->bond_ready;
+ bond_grp->bond_ready = false;
+ goto out;
+ }
+
+ if (bond_grp->bond_state == HNS_ROCE_BOND_NOT_BONDED) {
+ bond_grp->bond_ready = true;
+ changed = true;
+ } else if (bond_grp->bond_state == HNS_ROCE_BOND_IS_BONDED &&
+ bond_grp->slave_num != pre_slave_num) {
+ bond_grp->bond_state = bond_grp->slave_num > pre_slave_num ?
+ HNS_ROCE_BOND_SLAVE_INC :
+ HNS_ROCE_BOND_SLAVE_DEC;
+ bond_grp->slave_map_diff = pre_slave_map ^ bond_grp->slave_map;
+ bond_grp->bond_ready = true;
+ changed = true;
+ }
+
+out:
+ mutex_unlock(&bond_grp->bond_mutex);
+
+ return changed;
+}
+
+static struct hns_roce_bond_group *hns_roce_alloc_bond_grp(struct hns_roce_dev *main_hr_dev,
+ struct net_device *upper_dev)
+{
+ struct hns_roce_bond_group *bond_grp;
+
+ bond_grp = kzalloc(sizeof(*bond_grp), GFP_KERNEL);
+ if (!bond_grp)
+ return NULL;
+
+ mutex_init(&bond_grp->bond_mutex);
+ bond_grp->upper_dev = upper_dev;
+ bond_grp->main_hr_dev = main_hr_dev;
+ bond_grp->main_net_dev = main_hr_dev->iboe.netdevs[0];
+ bond_grp->bond_ready = false;
+ bond_grp->bond_state = HNS_ROCE_BOND_NOT_BONDED;
+
+ hns_roce_bond_info_record(bond_grp, upper_dev);
+
+ return bond_grp;
+}
+
+static bool hns_roce_is_slave(struct net_device *bond,
+ struct net_device *net_dev)
+{
+ struct net_device *upper_dev;
+
+ rcu_read_lock();
+ upper_dev = netdev_master_upper_dev_get_rcu(net_dev);
+ rcu_read_unlock();
+
+ return bond == upper_dev;
+}
+
+static bool hns_roce_is_bond_grp_exist(struct net_device *upper_dev)
+{
+ struct hns_roce_dev *hr_dev;
+ struct net_device *net_dev;
+
+ rcu_read_lock();
+ for_each_netdev_in_bond_rcu(upper_dev, net_dev) {
+ hr_dev = hns_roce_get_hrdev_by_netdev(net_dev);
+ if (hr_dev && hr_dev->bond_grp) {
+ rcu_read_unlock();
+ return true;
+ }
+ }
+ rcu_read_unlock();
+
+ return false;
+}
+
+int hns_roce_bond_event(struct notifier_block *self,
+ unsigned long event, void *ptr)
+{
+ struct net_device *net_dev = netdev_notifier_info_to_dev(ptr);
+ struct hns_roce_dev *hr_dev =
+ container_of(self, struct hns_roce_dev, bond_nb);
+ struct net_device *upper_dev;
+ bool changed;
+
+ if (event != NETDEV_CHANGEUPPER && event != NETDEV_CHANGELOWERSTATE)
+ return NOTIFY_DONE;
+
+ rcu_read_lock();
+ upper_dev = netdev_master_upper_dev_get_rcu(net_dev);
+ rcu_read_unlock();
+ if (event == NETDEV_CHANGELOWERSTATE && !upper_dev &&
+ hr_dev != hns_roce_get_hrdev_by_netdev(net_dev))
+ return NOTIFY_DONE;
+
+ if (upper_dev) {
+ if (!hns_roce_is_slave(upper_dev, hr_dev->iboe.netdevs[0]))
+ return NOTIFY_DONE;
+
+ mutex_lock(&roce_bond_mutex);
+ if (!hr_dev->bond_grp) {
+ if (hns_roce_is_bond_grp_exist(upper_dev)) {
+ mutex_unlock(&roce_bond_mutex);
+ return NOTIFY_DONE;
+ }
+ hr_dev->bond_grp = hns_roce_alloc_bond_grp(hr_dev,
+ upper_dev);
+ if (!hr_dev->bond_grp) {
+ ibdev_err(&hr_dev->ib_dev,
+ "failed to alloc RoCE bond_grp!\n");
+ mutex_unlock(&roce_bond_mutex);
+ return NOTIFY_DONE;
+ }
+ }
+ mutex_unlock(&roce_bond_mutex);
+ }
+
+ changed = (event == NETDEV_CHANGEUPPER) ?
+ hns_roce_bond_upper_event(hr_dev, ptr) :
+ hns_roce_bond_lowerstate_event(hr_dev, ptr);
+
+ if (changed)
+ hns_roce_queue_bond_work(hr_dev, HZ);
+
+ return NOTIFY_DONE;
+}
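Review bot: `hr_dev` is read before it is assigned in three functions of this new file. `hns_roce_clear_bond()` passes `&hr_dev->ib_dev` to `ibdev_err()` on the `hns_roce_hw_v2_init_instance()` failure path, before `hr_dev = handle->priv`. `hns_roce_slave_dec()` calls `hns_roce_cmd_bond(hr_dev, HNS_ROCE_CLEAR_BOND)` with no prior assignment. `hns_roce_set_bond()` tests `if (!hr_dev)` after a loop that may never assign it. Initialise the variable to NULL and use `bond_grp->main_hr_dev` where the old main device is meant. Further lifetime problems are visible: `hns_roce_get_hrdev_by_netdev()` calls `ib_device_put()` before returning the pointer, so callers hold no reference to what they dereference. `hns_roce_bond_upper_event()` reads `bond_grp->slave_map` in its initialisers although `hns_roce_bond_event()` only allocates `bond_grp` when `upper_dev` is non-NULL, and it leaves `bond_upper_info` unset when `info->linking` is false. `hns_roce_cleanup_bond()` uses `cancel_delayed_work()` before `kfree(hr_dev->bond_grp)`, so a work item that is already running can still touch the freed group; `cancel_delayed_work_sync()` is needed there. `hns_roce_get_bond_netdev()` also returns the last slot's `net_dev` when neither loop hits its `break`, rather than NULL.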
diff --git a/drivers/infiniband/hw/hns/hns_roce_bond.h b/drivers/infiniband/hw/hns/hns_roce_bond.h
new file mode 100644
index 000000000000..3b00f6061a9d
--- /dev/null
+++ b/drivers/infiniband/hw/hns/hns_roce_bond.h
@@ -0,0 +1,64 @@
+/* SPDX-License-Identifier: GPL-2.0+ */
+#ifndef _HNS_ROCE_BOND_H
+#define _HNS_ROCE_BOND_H
+
+#include <linux/netdevice.h>
+#include <net/bonding.h>
+
+#define ROCE_BOND_FUNC_MAX 4
+#define ROCE_BOND_NAME_ID_IDX 9
+
+enum {
+ BOND_MODE_1,
+ BOND_MODE_2_4,
+};
+
+enum hns_roce_bond_state {
+ HNS_ROCE_BOND_NOT_BONDED,
+ HNS_ROCE_BOND_IS_BONDED,
+ HNS_ROCE_BOND_SLAVE_INC,
+ HNS_ROCE_BOND_SLAVE_DEC,
+ HNS_ROCE_BOND_SLAVE_CHANGESTATE,
+};
+
+enum hns_roce_bond_cmd_type {
+ HNS_ROCE_SET_BOND,
+ HNS_ROCE_CHANGE_BOND,
+ HNS_ROCE_CLEAR_BOND,
+};
+
+struct hns_roce_func_info {
+ struct net_device *net_dev;
+ struct hnae3_handle *handle;
+ struct netdev_lag_lower_state_info state;
+};
+
+struct hns_roce_bond_group {
+ struct net_device *upper_dev;
+ struct net_device *main_net_dev;
+ struct hns_roce_dev *main_hr_dev;
+ u8 slave_num;
+ u8 active_slave_num;
+ u32 slave_map;
+ u32 active_slave_map;
+ u32 slave_map_diff;
+ u8 bond_id;
+ struct bonding *bond;
+ bool bond_ready;
+ enum hns_roce_bond_state bond_state;
+ enum netdev_lag_tx_type tx_type;
+ /*
+ * A mutex which protect bond_grp info
+ */
+ struct mutex bond_mutex;
+ struct hns_roce_func_info bond_func_info[ROCE_BOND_FUNC_MAX];
+};
+
+int hns_roce_bond_init(struct hns_roce_dev *hr_dev);
+int hns_roce_bond_event(struct notifier_block *self,
+ unsigned long event, void *ptr);
+void hns_roce_cleanup_bond(struct hns_roce_dev *hr_dev);
+bool hns_roce_bond_is_active(struct hns_roce_dev *hr_dev);
+struct net_device *hns_roce_get_bond_netdev(struct hns_roce_dev *hr_dev);
+
+#endif
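Review bot: The SPDX tag here is `GPL-2.0+`, while hns_roce_bond.c in the same patch carries `GPL-2.0` plus the dual GPL/OpenIB BSD text; pick one licence statement for both files. The header also uses `struct hnae3_handle` and `struct hns_roce_dev` without a forward declaration or include, and it does not declare `hns_roce_do_bond_work()`, which the .c file defines without `static`. Make that function static or declare it here.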
diff --git a/drivers/infiniband/hw/hns/hns_roce_device.h b/drivers/infiniband/hw/hns/hns_roce_device.h
index 51e59084f875..eb4582ce9c5c 100644
--- a/drivers/infiniband/hw/hns/hns_roce_device.h
+++ b/drivers/infiniband/hw/hns/hns_roce_device.h
@@ -35,6 +35,7 @@
#include <rdma/ib_verbs.h>
#include <rdma/hns-abi.h>
+#include "hns_roce_bond.h"
#define PCI_REVISION_ID_HIP08 0x21
#define PCI_REVISION_ID_HIP09 0x30
@@ -147,6 +148,7 @@ enum {
HNS_ROCE_CAP_FLAG_STASH = BIT(17),
HNS_ROCE_CAP_FLAG_CQE_INLINE = BIT(19),
HNS_ROCE_CAP_FLAG_RQ_INLINE = BIT(20),
+ HNS_ROCE_CAP_FLAG_BOND = BIT(21),
};
#define HNS_ROCE_DB_TYPE_COUNT 2
@@ -898,6 +900,9 @@ struct hns_roce_hw {
u8 *tc_mode, u8 *priority);
const struct ib_device_ops *hns_roce_dev_ops;
const struct ib_device_ops *hns_roce_dev_srq_ops;
+ int (*bond_init)(struct hns_roce_dev *hr_dev);
+ bool (*bond_is_active)(struct hns_roce_dev *hr_dev);
+ struct net_device *(*get_bond_netdev)(struct hns_roce_dev *hr_dev);
};
struct hns_roce_dev {
@@ -961,6 +966,11 @@ struct hns_roce_dev {
u32 is_vf;
u32 cong_algo_tmpl_id;
u64 dwqe_page;
+
+ struct notifier_block bond_nb;
+ struct delayed_work bond_work;
+ struct hns_roce_bond_group *bond_grp;
+ struct netdev_lag_lower_state_info slave_state;
};
static inline struct hns_roce_dev *to_hr_dev(struct ib_device *ib_dev)
diff --git a/drivers/infiniband/hw/hns/hns_roce_hw_v2.c b/drivers/infiniband/hw/hns/hns_roce_hw_v2.c
index bd45d07619e9..25800d5965bb 100644
--- a/drivers/infiniband/hw/hns/hns_roce_hw_v2.c
+++ b/drivers/infiniband/hw/hns/hns_roce_hw_v2.c
@@ -1350,6 +1350,61 @@ static int hns_roce_cmq_send(struct hns_roce_dev *hr_dev,
return ret;
}
+static inline enum hns_roce_opcode_type
+ get_bond_opcode(enum hns_roce_bond_cmd_type bond_type)
+{
+ if (bond_type == HNS_ROCE_SET_BOND)
+ return HNS_ROCE_OPC_SET_BOND_INFO;
+ else if (bond_type == HNS_ROCE_CHANGE_BOND)
+ return HNS_ROCE_OPC_CHANGE_ACTIVE_PORT;
+ else
+ return HNS_ROCE_OPC_CLEAR_BOND_INFO;
+}
+
+int hns_roce_cmd_bond(struct hns_roce_dev *hr_dev,
+ enum hns_roce_bond_cmd_type bond_type)
+{
+ enum hns_roce_opcode_type opcode = get_bond_opcode(bond_type);
+ struct hns_roce_bond_info *slave_info;
+ struct hns_roce_cmq_desc desc = { 0 };
+ int ret;
+
+ slave_info = (struct hns_roce_bond_info *)desc.data;
+ hns_roce_cmq_setup_basic_desc(&desc, opcode, false);
+
+ slave_info->bond_id = cpu_to_le32(hr_dev->bond_grp->bond_id);
+ if (bond_type == HNS_ROCE_CLEAR_BOND)
+ goto out;
+
+ if (hr_dev->bond_grp->tx_type == NETDEV_LAG_TX_TYPE_ACTIVEBACKUP) {
+ slave_info->bond_mode = cpu_to_le32(BOND_MODE_1);
+ if (hr_dev->bond_grp->active_slave_num != 1)
+ ibdev_err(&hr_dev->ib_dev,
+ "active slave cnt(%d) in Mode 1 is invalid.\n",
+ hr_dev->bond_grp->active_slave_num);
+ } else {
+ slave_info->bond_mode = cpu_to_le32(BOND_MODE_2_4);
+ slave_info->hash_policy =
+ cpu_to_le32(hr_dev->bond_grp->bond->params.xmit_policy);
+ }
+
+ slave_info->active_slave_cnt =
+ cpu_to_le32(hr_dev->bond_grp->active_slave_num);
+ slave_info->active_slave_mask =
+ cpu_to_le32(hr_dev->bond_grp->active_slave_map);
+ slave_info->slave_mask =
+ cpu_to_le32(hr_dev->bond_grp->slave_map);
+
+out:
+ ret = hns_roce_cmq_send(hr_dev, &desc, 1);
+ if (ret)
+ ibdev_err(&hr_dev->ib_dev,
+ "cmq bond type(%d) failed, ret = %d.\n",
+ bond_type, ret);
+
+ return ret;
+}
+
static int config_hem_ba_to_hw(struct hns_roce_dev *hr_dev,
dma_addr_t base_addr, u8 cmd, unsigned long tag)
{
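Review bot: In `hns_roce_cmd_bond()` the Mode 1 branch logs "active slave cnt(%d) in Mode 1 is invalid" but then falls through, fills the descriptor and sends it to the hardware anyway. Return `-EINVAL` there, or document why an invalid count may still be programmed. The function also dereferences `hr_dev->bond_grp` (and `bond_grp->bond` in the hash branch) without a NULL check, although other code in this patch sets `bond_grp` to NULL on devices that remain registered; a guard at the top of the function would make that safe.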
@@ -6781,6 +6836,9 @@ static const struct hns_roce_hw hns_roce_hw_v2 = {
.get_dscp = hns_roce_hw_v2_get_dscp,
.hns_roce_dev_ops = &hns_roce_v2_dev_ops,
.hns_roce_dev_srq_ops = &hns_roce_v2_dev_srq_ops,
+ .bond_init = hns_roce_bond_init,
+ .bond_is_active = hns_roce_bond_is_active,
+ .get_bond_netdev = hns_roce_get_bond_netdev,
};
static const struct pci_device_id hns_roce_hw_v2_pci_tbl[] = {
@@ -6903,7 +6961,7 @@ static void __hns_roce_hw_v2_uninit_instance(struct hnae3_handle *handle,
ib_dealloc_device(&hr_dev->ib_dev);
}
-static int hns_roce_hw_v2_init_instance(struct hnae3_handle *handle)
+int hns_roce_hw_v2_init_instance(struct hnae3_handle *handle)
{
const struct hnae3_ae_ops *ops = handle->ae_algo->ops;
const struct pci_device_id *id;
@@ -6946,8 +7004,7 @@ static int hns_roce_hw_v2_init_instance(struct hnae3_handle *handle)
return -EBUSY;
}
-static void hns_roce_hw_v2_uninit_instance(struct hnae3_handle *handle,
- bool reset)
+void hns_roce_hw_v2_uninit_instance(struct hnae3_handle *handle, bool reset)
{
if (handle->rinfo.instance_state != HNS_ROCE_STATE_INITED)
return;
diff --git a/drivers/infiniband/hw/hns/hns_roce_hw_v2.h b/drivers/infiniband/hw/hns/hns_roce_hw_v2.h
index 39641b449a42..7da410ecb966 100644
--- a/drivers/infiniband/hw/hns/hns_roce_hw_v2.h
+++ b/drivers/infiniband/hw/hns/hns_roce_hw_v2.h
@@ -252,6 +252,9 @@ enum hns_roce_opcode_type {
HNS_ROCE_OPC_EXT_CFG = 0x8512,
HNS_ROCE_QUERY_RAM_ECC = 0x8513,
HNS_SWITCH_PARAMETER_CFG = 0x1033,
+ HNS_ROCE_OPC_SET_BOND_INFO = 0x8601,
+ HNS_ROCE_OPC_CLEAR_BOND_INFO = 0x8602,
+ HNS_ROCE_OPC_CHANGE_ACTIVE_PORT = 0x8603,
};
enum {
@@ -1464,11 +1467,25 @@ struct hns_roce_sccc_clr_done {
__le32 rsv[5];
};
+struct hns_roce_bond_info {
+ __le32 bond_id;
+ __le32 bond_mode;
+ __le32 active_slave_cnt;
+ __le32 active_slave_mask;
+ __le32 slave_mask;
+ __le32 hash_policy;
+};
+
+int hns_roce_hw_v2_init_instance(struct hnae3_handle *handle);
+void hns_roce_hw_v2_uninit_instance(struct hnae3_handle *handle, bool reset);
+
int hns_roce_v2_destroy_qp(struct ib_qp *ibqp, struct ib_udata *udata);
int hns_roce_v2_destroy_qp_common(struct hns_roce_dev *hr_dev,
struct hns_roce_qp *hr_qp,
struct ib_udata *udata);
+int hns_roce_cmd_bond(struct hns_roce_dev *hr_dev,
+ enum hns_roce_bond_cmd_type bond_type);
static inline void hns_roce_write64(struct hns_roce_dev *hr_dev, __le32 val[2],
void __iomem *dest)
diff --git a/drivers/infiniband/hw/hns/hns_roce_main.c b/drivers/infiniband/hw/hns/hns_roce_main.c
index cdb6def7923e..00138fa10f0b 100644
--- a/drivers/infiniband/hw/hns/hns_roce_main.c
+++ b/drivers/infiniband/hw/hns/hns_roce_main.c
@@ -37,9 +37,12 @@
#include <rdma/ib_smi.h>
#include <rdma/ib_user_verbs.h>
#include <rdma/ib_cache.h>
+
+#include "hnae3.h"
#include "hns_roce_common.h"
#include "hns_roce_device.h"
#include "hns_roce_hem.h"
+#include "hns_roce_hw_v2.h"
static int hns_roce_set_mac(struct hns_roce_dev *hr_dev, u32 port,
const u8 *addr)
@@ -259,7 +262,9 @@ static int hns_roce_query_port(struct ib_device *ib_dev, u8 port_num,
spin_lock_irqsave(&hr_dev->iboe.lock, flags);
- net_dev = hr_dev->iboe.netdevs[port];
+ net_dev = hr_dev->hw->get_bond_netdev(hr_dev);
+ if (!net_dev)
+ net_dev = hr_dev->iboe.netdevs[port];
if (!net_dev) {
spin_unlock_irqrestore(&hr_dev->iboe.lock, flags);
dev_err(dev, "Find netdev %u failed!\n", port);
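Review bot: `hr_dev->hw->get_bond_netdev(hr_dev)` is called while `hr_dev->iboe.lock` is held with `spin_lock_irqsave()`, and the implementation wired in by this patch, `hns_roce_get_bond_netdev()`, takes `mutex_lock(&bond_grp->bond_mutex)`. That is a sleeping lock in atomic context. Resolve the bond netdev before taking the spinlock, or protect the bond group state with a lock that may be taken here. The callback is also invoked without checking that the hw ops table provides it.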
@@ -534,6 +539,9 @@ static void hns_roce_unregister_device(struct hns_roce_dev *hr_dev)
{
struct hns_roce_ib_iboe *iboe = &hr_dev->iboe;
+ if (hr_dev->caps.flags & HNS_ROCE_CAP_FLAG_BOND)
+ hns_roce_cleanup_bond(hr_dev);
+
hr_dev->active = false;
unregister_netdevice_notifier(&iboe->nb);
ib_unregister_device(&hr_dev->ib_dev);
@@ -706,7 +714,12 @@ static int hns_roce_register_device(struct hns_roce_dev *hr_dev)
return ret;
}
dma_set_max_seg_size(dev, UINT_MAX);
- ret = ib_register_device(ib_dev, "hns_%d", dev);
+
+ if ((hr_dev->caps.flags & HNS_ROCE_CAP_FLAG_BOND) &&
+ (hr_dev->hw->bond_is_active(hr_dev)))
+ ret = ib_register_device(ib_dev, "hns_bond_%d", dev);
+ else
+ ret = ib_register_device(ib_dev, "hns_%d", dev);
if (ret) {
dev_err(dev, "ib_register_device failed!\n");
return ret;
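Review bot: The "hns_bond_%d" name is later parsed in `hns_roce_set_bond()` as `hr_dev->ib_dev.name[ROCE_BOND_NAME_ID_IDX] - '0'` with the index fixed at 9, which only yields the right `bond_id` while the allocated number is a single digit. Keep the id in the device or group structure when it is assigned instead of recovering it from one character of the name, or parse the full number.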
@@ -725,8 +738,15 @@ static int hns_roce_register_device(struct hns_roce_dev *hr_dev)
goto error_failed_setup_mtu_mac;
}
+ if (hr_dev->caps.flags & HNS_ROCE_CAP_FLAG_BOND) {
+ ret = hr_dev->hw->bond_init(hr_dev);
+ if (ret)
+ dev_err(dev, "roce bond init failed, ret = %d\n", ret);
+ }
+
hr_dev->active = true;
- return 0;
+
+ return ret;
error_failed_setup_mtu_mac:
ib_unregister_device(ib_dev);
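Review bot: When `bond_init()` fails, the new code logs the error, still sets `hr_dev->active = true`, and then returns the non-zero `ret` without unwinding, so the caller sees a failed registration while the IB device and the netdev notifier stay registered. Either treat bond setup as optional and keep `return 0`, or jump to an error label that undoes the earlier steps before returning.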
--
2.30.0
From: Luo Meng <luomeng12(a)huawei.com>
hulk inclusion
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/I5WBID
CVE: NA
--------------------------------
When dm_resume() and dm_destroy() are concurrent, it will
lead to UAF.
One of the concurrency UAF can be shown as below:
use                        free
do_resume                  |
__find_device_hash_cell    |
dm_get                     |
atomic_inc(&md->holders)   |
                           | dm_destroy
                           | __dm_destroy
                           | if (!dm_suspended_md(md))
                           | atomic_read(&md->holders)
                           | msleep(1)
dm_resume                  |
__dm_resume                |
dm_table_resume_targets    |
pool_resume                |
do_waker #add delay work   |
                           | dm_table_destroy
                           | pool_dtr
                           | __pool_dec
                           | __pool_destroy
                           | destroy_workqueue
                           | kfree(pool) # free pool
time out
__do_softirq
run_timer_softirq # pool has already been freed
This can be easily reproduced using:
1. create thin-pool
2. dmsetup suspend pool
3. dmsetup resume pool
4. dmsetup remove_all # Concurrent with 3
The root cause of UAF bugs is that dm_resume() adds timer after
dm_destroy() skips cancel timer because of suspend status. After
timeout, it will call run_timer_softirq(), however pool has already
been freed. The concurrency UAF bug will happen.
Therefore, canceling timer is moved after md->holders is zero.
Signed-off-by: Luo Meng <luomeng12(a)huawei.com>
Reviewed-by: Zhang Xiaoxu <zhangxiaoxu5(a)huawei.com>
Reviewed-by: Zhang Yi <yi.zhang(a)huawei.com>
Signed-off-by: Yongqiang Liu <liuyongqiang13(a)huawei.com>
---
drivers/md/dm.c | 26 +++++++++++++-------------
1 file changed, 13 insertions(+), 13 deletions(-)
diff --git a/drivers/md/dm.c b/drivers/md/dm.c
index 4c46f030eed2..288dab0ab226 100644
--- a/drivers/md/dm.c
+++ b/drivers/md/dm.c
@@ -2411,6 +2411,19 @@ static void __dm_destroy(struct mapped_device *md, bool wait)
if (dm_request_based(md) && md->kworker_task)
kthread_flush_worker(&md->kworker);
+ /*
+ * Rare, but there may be I/O requests still going to complete,
+ * for example. Wait for all references to disappear.
+ * No one should increment the reference count of the mapped_device,
+ * after the mapped_device state becomes DMF_FREEING.
+ */
+ if (wait)
+ while (atomic_read(&md->holders))
+ msleep(1);
+ else if (atomic_read(&md->holders))
+ DMWARN("%s: Forcibly removing mapped_device still in use! (%d users)",
+ dm_device_name(md), atomic_read(&md->holders));
+
/*
* Take suspend_lock so that presuspend and postsuspend methods
* do not race with internal suspend.
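Review bot: the holders wait now sits ahead of the suspend_lock section, but only the wait == true branch actually blocks. With wait == false the code still just prints the DMWARN and continues to the suspend step and dm_table_destroy() with holders possibly non-zero, so the resume/destroy ordering described in the commit message is not closed for that path. Please state in the comment or commit message whether the non-waiting path is expected to stay exposed. The moved comment also still mentions only outstanding I/O; it should say that the wait has to finish before the suspend step.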
@@ -2427,19 +2440,6 @@ static void __dm_destroy(struct mapped_device *md, bool wait)
dm_put_live_table(md, srcu_idx);
mutex_unlock(&md->suspend_lock);
- /*
- * Rare, but there may be I/O requests still going to complete,
- * for example. Wait for all references to disappear.
- * No one should increment the reference count of the mapped_device,
- * after the mapped_device state becomes DMF_FREEING.
- */
- if (wait)
- while (atomic_read(&md->holders))
- msleep(1);
- else if (atomic_read(&md->holders))
- DMWARN("%s: Forcibly removing mapped_device still in use! (%d users)",
- dm_device_name(md), atomic_read(&md->holders));
-
dm_sysfs_exit(md);
dm_table_destroy(__unbind(md));
free_dev(md);
--
2.25.1

03 Nov '22
From: Zhang Wensheng <zhangwensheng5(a)huawei.com>
hulk inclusion
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/I5N162
CVE: NA
--------------------------------
In the use of q_usage_counter of request_queue, blk_cleanup_queue uses
"wait_event(q->mq_freeze_wq, percpu_ref_is_zero(&q->q_usage_counter))"
to wait for q_usage_counter to become zero. However, if q_usage_counter
becomes zero quickly, percpu_ref_exit will execute and ref->data
will be freed, and another process may then cause a null-deref problem
like below:
CPU0                                CPU1
blk_cleanup_queue
blk_freeze_queue
blk_mq_freeze_queue_wait
                                    scsi_end_request
                                    percpu_ref_get
                                    ...
                                    percpu_ref_put
                                    atomic_long_sub_and_test
percpu_ref_exit
ref->data -> NULL
                                    ref->data->release(ref) -> null-deref
Fix it by setting a flag (QUEUE_FLAG_USAGE_COUNT_SYNC) to add a synchronization
mechanism: when ref->data->release is called, the flag will be set,
and the "wait_event" in blk_mq_freeze_queue_wait must wait for the flag to become
true as well, which will keep percpu_ref_exit from executing ahead of time.
Signed-off-by: Zhang Wensheng <zhangwensheng5(a)huawei.com>
Reviewed-by: Yu Kuai <yukuai3(a)huawei.com>
Signed-off-by: Zheng Zengkai <zhengzengkai(a)huawei.com>
---
block/blk-core.c | 4 +++-
block/blk-mq.c | 7 +++++++
include/linux/blk-mq.h | 1 +
include/linux/blkdev.h | 2 ++
4 files changed, 13 insertions(+), 1 deletion(-)
diff --git a/block/blk-core.c b/block/blk-core.c
index 0b496dabc5ac..448e4d70af7f 100644
--- a/block/blk-core.c
+++ b/block/blk-core.c
@@ -385,7 +385,8 @@ void blk_cleanup_queue(struct request_queue *q)
* prevent that blk_mq_run_hw_queues() accesses the hardware queues
* after draining finished.
*/
- blk_freeze_queue(q);
+ blk_freeze_queue_start(q);
+ blk_mq_freeze_queue_wait_sync(q);
rq_qos_exit(q);
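Review bot: blk_cleanup_queue() now open-codes blk_freeze_queue_start() plus the new wait in place of blk_freeze_queue(), so this call site will silently diverge if blk_freeze_queue() ever does more than those two steps. A short comment here saying why the _sync variant is required before teardown would make the intent clear to the next reader.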
@@ -502,6 +503,7 @@ static void blk_queue_usage_counter_release(struct percpu_ref *ref)
struct request_queue *q =
container_of(ref, struct request_queue, q_usage_counter);
+ blk_queue_flag_set(QUEUE_FLAG_USAGE_COUNT_SYNC, q);
wake_up_all(&q->mq_freeze_wq);
}
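Review bot: in blk_queue_usage_counter_release(), the flag is set before wake_up_all(&q->mq_freeze_wq), so a waiter that re-evaluates its condition between those two lines can proceed with teardown while this function is still about to touch q->mq_freeze_wq. Please confirm that q itself cannot be freed in that window, or explain in a comment why setting the flag first is safe.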
diff --git a/block/blk-mq.c b/block/blk-mq.c
index e1fcdbefcac0..ab1b0bfc64f9 100644
--- a/block/blk-mq.c
+++ b/block/blk-mq.c
@@ -193,6 +193,7 @@ void blk_freeze_queue_start(struct request_queue *q)
{
mutex_lock(&q->mq_freeze_lock);
if (++q->mq_freeze_depth == 1) {
+ blk_queue_flag_clear(QUEUE_FLAG_USAGE_COUNT_SYNC, q);
percpu_ref_kill(&q->q_usage_counter);
mutex_unlock(&q->mq_freeze_lock);
if (queue_is_mq(q))
@@ -203,6 +204,12 @@ void blk_freeze_queue_start(struct request_queue *q)
}
EXPORT_SYMBOL_GPL(blk_freeze_queue_start);
+void blk_mq_freeze_queue_wait_sync(struct request_queue *q)
+{
+ wait_event(q->mq_freeze_wq, percpu_ref_is_zero(&q->q_usage_counter) &&
+ test_bit(QUEUE_FLAG_USAGE_COUNT_SYNC, &q->queue_flags));
+}
+
void blk_mq_freeze_queue_wait(struct request_queue *q)
{
wait_event(q->mq_freeze_wq, percpu_ref_is_zero(&q->q_usage_counter));
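Review bot: the commit message says the wait_event in blk_mq_freeze_queue_wait must also wait for the flag, but blk_mq_freeze_queue_wait() is left unchanged here and a separate blk_mq_freeze_queue_wait_sync() is added, so only callers switched to the new function get the synchronization. Either update the commit message or explain why the other waiters do not need it. The new function also has no comment saying when it must be used in place of the plain wait.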
diff --git a/include/linux/blk-mq.h b/include/linux/blk-mq.h
index ac83257972a0..e4e46229d0eb 100644
--- a/include/linux/blk-mq.h
+++ b/include/linux/blk-mq.h
@@ -574,6 +574,7 @@ void blk_mq_freeze_queue(struct request_queue *q);
void blk_mq_unfreeze_queue(struct request_queue *q);
void blk_freeze_queue_start(struct request_queue *q);
void blk_mq_freeze_queue_wait(struct request_queue *q);
+void blk_mq_freeze_queue_wait_sync(struct request_queue *q);
int blk_mq_freeze_queue_wait_timeout(struct request_queue *q,
unsigned long timeout);
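Review bot: blk_mq_freeze_queue_wait_sync() is declared in the public include/linux/blk-mq.h, but the only caller in this patch is block/blk-core.c and the function is not exported. Declaring it in a block-internal header would avoid widening the driver-facing API.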
diff --git a/include/linux/blkdev.h b/include/linux/blkdev.h
index 49540ce9e325..4c046530edb9 100644
--- a/include/linux/blkdev.h
+++ b/include/linux/blkdev.h
@@ -643,6 +643,8 @@ struct request_queue {
#define QUEUE_FLAG_NOWAIT 29 /* device supports NOWAIT */
/*at least one blk-mq hctx can't get driver tag */
#define QUEUE_FLAG_HCTX_WAIT 30
+/* sync for q_usage_counter */
+#define QUEUE_FLAG_USAGE_COUNT_SYNC 31
#define QUEUE_FLAG_MQ_DEFAULT ((1 << QUEUE_FLAG_IO_STAT) | \
(1 << QUEUE_FLAG_SAME_COMP) | \
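Review bot: QUEUE_FLAG_USAGE_COUNT_SYNC takes bit 31, while the masks just below are built with (1 << QUEUE_FLAG_...) on a plain int; using the new flag in that style would shift into the sign bit. It is not part of QUEUE_FLAG_MQ_DEFAULT today, but a note that the flag must only be used through the bit helpers would be welcome. The comment "sync for q_usage_counter" should also say who sets and who clears it.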
--
2.20.1

[PATCH openEuler-1.0-LTS] Bluetooth: sco: Fix lock_sock() blockage by memcpy_from_msg()
by Yongqiang Liu 03 Nov '22
From: Takashi Iwai <tiwai(a)suse.de>
stable inclusion
from stable-v4.19.218
commit c1c913f797f3d2441310182ad75b7bd855a327ff
category: bugfix
bugzilla: 187908, https://gitee.com/src-openeuler/kernel/issues/I44HKK
CVE: CVE-2021-3640
--------------------------------
The sco_send_frame() also takes lock_sock() during memcpy_from_msg()
call that may be endlessly blocked by a task with userfaultfd
technique, and this will result in a hung task watchdog trigger.
Just like the similar fix for hci_sock_sendmsg() in commit
92c685dc5de0 ("Bluetooth: reorganize functions..."), this patch moves
the memcpy_from_msg() out of lock_sock() for addressing the hang.
This should be the last piece for fixing CVE-2021-3640 after a few
already queued fixes.
Signed-off-by: Takashi Iwai <tiwai(a)suse.de>
Signed-off-by: Marcel Holtmann <marcel(a)holtmann.org>
Signed-off-by: Baisong Zhong <zhongbaisong(a)huawei.com>
Reviewed-by: Yue Haibing <yuehaibing(a)huawei.com>
Reviewed-by: Xiu Jianfeng <xiujianfeng(a)huawei.com>
Signed-off-by: Yongqiang Liu <liuyongqiang13(a)huawei.com>
---
net/bluetooth/sco.c | 24 ++++++++++++++++--------
1 file changed, 16 insertions(+), 8 deletions(-)
diff --git a/net/bluetooth/sco.c b/net/bluetooth/sco.c
index 1d740bbcdb01..608de7e66132 100644
--- a/net/bluetooth/sco.c
+++ b/net/bluetooth/sco.c
@@ -282,7 +282,8 @@ static int sco_connect(struct hci_dev *hdev, struct sock *sk)
return err;
}
-static int sco_send_frame(struct sock *sk, struct msghdr *msg, int len)
+static int sco_send_frame(struct sock *sk, void *buf, int len,
+ unsigned int msg_flags)
{
struct sco_conn *conn = sco_pi(sk)->conn;
struct sk_buff *skb;
@@ -294,15 +295,11 @@ static int sco_send_frame(struct sock *sk, struct msghdr *msg, int len)
BT_DBG("sk %p len %d", sk, len);
- skb = bt_skb_send_alloc(sk, len, msg->msg_flags & MSG_DONTWAIT, &err);
+ skb = bt_skb_send_alloc(sk, len, msg_flags & MSG_DONTWAIT, &err);
if (!skb)
return err;
- if (memcpy_from_msg(skb_put(skb, len), msg, len)) {
- kfree_skb(skb);
- return -EFAULT;
- }
-
+ memcpy(skb_put(skb, len), buf, len);
hci_send_sco(conn->hcon, skb);
return len;
@@ -718,6 +715,7 @@ static int sco_sock_sendmsg(struct socket *sock, struct msghdr *msg,
size_t len)
{
struct sock *sk = sock->sk;
+ void *buf;
int err;
BT_DBG("sock %p, sk %p", sock, sk);
@@ -729,14 +727,24 @@ static int sco_sock_sendmsg(struct socket *sock, struct msghdr *msg,
if (msg->msg_flags & MSG_OOB)
return -EOPNOTSUPP;
+ buf = kmalloc(len, GFP_KERNEL);
+ if (!buf)
+ return -ENOMEM;
+
+ if (memcpy_from_msg(buf, msg, len)) {
+ kfree(buf);
+ return -EFAULT;
+ }
+
lock_sock(sk);
if (sk->sk_state == BT_CONNECTED)
- err = sco_send_frame(sk, msg, len);
+ err = sco_send_frame(sk, buf, len, msg->msg_flags);
else
err = -ENOTCONN;
release_sock(sk);
+ kfree(buf);
return err;
}
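Review bot: in sco_sock_sendmsg(), len is a caller-supplied size_t and goes straight into kmalloc(len, GFP_KERNEL) and memcpy_from_msg() before any bound is applied in the visible code, so a large sendmsg length becomes a large kernel allocation and copy even when the socket is not BT_CONNECTED. Validate len against the maximum frame size the socket accepts before allocating. Note also that sco_send_frame() takes int len, so the size_t is narrowed at the call.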
--
2.25.1

[PATCH openEuler-1.0-LTS 1/2] livepatch/core: Fix livepatch/state leak on error path
by Yongqiang Liu 03 Nov '22
From: Zheng Yejian <zhengyejian1(a)huawei.com>
hulk inclusion
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/I5WF0G
CVE: NA
--------------------------------
File '/proc/livepatch/state' should be removed before removing
'/proc/livepatch', otherwise following log will appear:
remove_proc_entry: removing non-empty directory '/proc/livepatch',
leaking at least 'state'
Fixes: 19190325e604 ("livepatch/core: Allow implementation without ftrace")
Signed-off-by: Zheng Yejian <zhengyejian1(a)huawei.com>
Reviewed-by: Kuohai Xu <xukuohai(a)huawei.com>
Signed-off-by: Yongqiang Liu <liuyongqiang13(a)huawei.com>
---
kernel/livepatch/core.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/kernel/livepatch/core.c b/kernel/livepatch/core.c
index 89b31e827425..af077abe099b 100644
--- a/kernel/livepatch/core.c
+++ b/kernel/livepatch/core.c
@@ -1489,10 +1489,12 @@ static int __init klp_init(void)
klp_root_kobj = kobject_create_and_add("livepatch", kernel_kobj);
if (!klp_root_kobj)
- goto error_remove;
+ goto error_remove_state;
return 0;
+error_remove_state:
+ remove_proc_entry("livepatch/state", NULL);
error_remove:
remove_proc_entry("livepatch", NULL);
error_out:
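Review bot: on the kobject_create_and_add() failure, the goto to error_remove_state does not assign ret in the visible lines, so please make sure ret holds an error code (for example -ENOMEM) on this path and not a stale 0 from the preceding successful call. The new label falling through into error_remove gives the right teardown order, with the state file removed before the directory.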
--
2.25.1
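In mainline, the cgroup writeback feature is enabled only in cgroup v2; it cannot
be enabled in cgroup v1 because of cgroup v1's multiple hierarchies. As a result,
neither timely writeback of dirty data in a memcg nor rate limiting of buffer I/O
is possible there.
The cgroup v1 writeback feature enables cgroup writeback in cgroup v1, which solves
the v1 problems of timely writeback of dirty data in a memcg and rate limiting of buffer I/O.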
Offering: HULK
hulk inclusion
category: feature
bugzilla: 187731
---------------------------
Since iocost can only be used in cgroup v2, add it to v1 now.
Signed-off-by: Li Nan <linan122(a)huawei.com>
---
block/blk-iocost.c | 23 +++++++++++++++++++++++
1 file changed, 23 insertions(+)
diff --git a/block/blk-iocost.c b/block/blk-iocost.c
index 08e4ba856e3b..64119eaf29da 100644
--- a/block/blk-iocost.c
+++ b/block/blk-iocost.c
@@ -3396,6 +3396,28 @@ static ssize_t ioc_cost_model_write(struct kernfs_open_file *of, char *input,
return ret;
}
+static struct cftype ioc_legacy_files[] = {
+ {
+ .name = "cost.weight",
+ .flags = CFTYPE_NOT_ON_ROOT,
+ .seq_show = ioc_weight_show,
+ .write = ioc_weight_write,
+ },
+ {
+ .name = "cost.qos",
+ .flags = CFTYPE_ONLY_ON_ROOT,
+ .seq_show = ioc_qos_show,
+ .write = ioc_qos_write,
+ },
+ {
+ .name = "cost.model",
+ .flags = CFTYPE_ONLY_ON_ROOT,
+ .seq_show = ioc_cost_model_show,
+ .write = ioc_cost_model_write,
+ },
+ {}
+};
+
static struct cftype ioc_files[] = {
{
.name = "weight",
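Review bot: the three new v1 files (cost.weight, cost.qos, cost.model) in ioc_legacy_files reuse the v2 show/write handlers unchanged, and the patch neither documents the new interface names nor says whether those handlers were checked for assumptions that only hold on the default hierarchy. Please add documentation for the v1 files and expand the one-line commit message to cover how the v1 behaviour was validated.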
@@ -3420,6 +3442,7 @@ static struct cftype ioc_files[] = {
static struct blkcg_policy blkcg_policy_iocost = {
.dfl_cftypes = ioc_files,
+ .legacy_cftypes = ioc_legacy_files,
.cpd_alloc_fn = ioc_cpd_alloc,
.cpd_free_fn = ioc_cpd_free,
.pd_alloc_fn = ioc_pd_alloc,
--
2.31.1

03 Nov '22
This patch set contains code optimizations and bugfixes for the sharepool.
v1->v2:
1. Reorganize commit messages.
2. Drop a fix patch and merge it into the original one.
Chen Jun (5):
mm/sharepool: Make the definitions of
MMAP_SHARE_POOL_{START|16G_START} more readable
mm/sharepool: Rename sp_mapping.flag to sp_mapping.type
mm/sharepool: replace spg->{dvpp|normal} with
spg->mapping[SP_MAPPING_{DVPP|NORMAL}]
mm/sharepool: Extract sp_mapping_find
mm/sharepool: Support alloc ro mapping
Guo Mengqi (14):
mm/sharepool: remove deprecated interfaces
mm/sharepool: proc_sp_group_state bugfix
mm/sharepool: fix dvpp spm redundant print error
mm/sharepool: fix statistics error
mm/sharepool: fix static code-check errors
mm/sharepool: delete redundant codes
mm/sharepool: fix softlockup in high pressure use case.
mm/sharepool: fix deadlock in spa_stat_of_mapping_show
mm/sharepool: fix deadlock in sp_check_mmap_addr
mm/sharepool: delete unused codes
mm/sharepool: fix potential AA deadlock
mm/sharepool: check size=0 in mg_sp_make_share_k2u()
mm/sharepool: fix hugepage_rsvd count increase error
mm/sharepool: Fix sharepool hugepage cgroup uncount error.
Wang Wensheng (3):
mm/sharepool: Delete unused sysctl interface
mm/sharepool: Fix UAF reported by KASAN
mm/sharepool: Rebind the numa node when fallback to normal pages
Zhang Zekun (7):
mm/sharepool: Remove unused sp_dev_va_start and sp_dev_va_size
mm/sharepool: Remove sp_device_number_detect function
mm/sharepool: Remove enable_mdc_default_group and change the
definition of is_process_in_group()
mm/sharepool: Remove the comment and fix a bug in
mg_sp_group_id_by_pid()
mm/sharepool: Add a read lock in proc_usage_show()
mm/sharepool: Fix code-style warnings
mm/sharepool: Remove the leading double underlines for function name
Zhou Guanghui (6):
mm/sharepool: delete unnecessary judgment
mm/sharepool: Avoid UAF on spa
mm/sharepool: Check the maximum value of spg_id
mm/sharepool: Avoid UAF on mm
mm/sharepool: bugfix for 2M U2K
mm/sharepool: fix the incorrect judgement of the addr range
fs/hugetlbfs/inode.c | 19 +-
include/linux/hugetlb.h | 6 +-
include/linux/share_pool.h | 164 ++-----
kernel/sysctl.c | 67 ---
mm/hugetlb.c | 3 +
mm/share_pool.c | 882 +++++++++++++------------------------
6 files changed, 361 insertions(+), 780 deletions(-)
--
2.17.1
Signed-off-by: Zheng Zengkai <zhengzengkai(a)huawei.com>
---
...\344\275\234\347\256\200\344\273\213.pptx" | Bin 0 -> 2725673 bytes
1 file changed, 0 insertions(+), 0 deletions(-)
create mode 100644 "openEuler kernel\344\273\223PR\346\223\215\344\275\234\347\256\200\344\273\213.pptx"
diff --git "a/openEuler kernel\344\273\223PR\346\223\215\344\275\234\347\256\200\344\273\213.pptx" "b/openEuler kernel\344\273\223PR\346\223\215\344\275\234\347\256\200\344\273\213.pptx"
new file mode 100644
index 0000000000000000000000000000000000000000..b6b601ba7e7117be479bc767c080648aadb21a6e
GIT binary patch
literal 2725673
zi}=<06o0|GAMAEc$e3bE3{yohPKr%sAR2Azd_LuC=9SmY16UQc*-c@aQMW;q8VcR0
zRod~RpTV?_8^C1W02DIt0F}E1V~^d)<0=|2zT8m0c(N5hw)V&OXV7V5{3MQGcC8Xo
zDj7;^31=n<17a+Eh?6{pSFcMi94r~gA}&a&z2>HH9&Dm&#*1z)<X8MX#-x@3OifzG
zYEG|2k%-ig=RGa8dtpd^s~@-=DLw^qQ#^=;VqusURiGhtP(FGzLsB<-bU`v(0>}rQ
zBdnC@fY#q@jWo65GPULP+31(aQZr;k(&Ty*#(*9Y3k6mNp&3SbrjJY{C<}@{r(`l<
znL^GoL)g`p@h#G8X~-x+CbZUwc20k-3P*pqYUiFi)=4!$h1oyr&W(e*;Zd(*8eJ<m
zN^l}XNmb*vQtDWndqOOXEL^pf%CC@$=ElEfa#wpUl(AFUn-{|g430oH%eQ>lpGd59
zexCxJaw#Bkpn{vSv#V3F=NM5*N58XaQKNdM%GAr*ljC*wv3@sx1#N3mM(6$gaID+g
zlhNaSzrEU<!{>Hog*ChX!fBf|w)_2tfQZB6`r++vX{A1U3-0C<b{}xBD>y`q>9?Cq
zBk63cq15OMICo{dYJL3fN<E$mAB1GH0mkK9vmpO|qwsA+Oj-pRQ>kJCDOz2(_{Yle
z+AZ1?O!LIM1{=+M`Waqi4_sX?i1?iXhAA~|Quo)5;(YyhWA)TXI#$Evy;qRm`|tCW
zrt%tynUUeg@Io#Cxlm;rd=bGPjsC7(IH1a)Ve38puC4x0dPgEvnkev7E?VDvBvC+i
z5+$~XxLCs>TOhJh2Hm+f6&huuMg)5Ksi!XU*EDmnw%9hF+>c>>ZKmML!mZeIQG&+;
z4X|6A(3Aqf{dS)oU~bN<ug*8vwl<k>qlkv#I$q!~+`1ZP*?+XmqefG9Z9A{!o@;&I
zHmwx~QkpI`8Okl-zBTK{d!EEUb9rIeJp0WlKfSVi*Ev~qsLyp2f(86|Q7k-Wv};W$
zz7n-z(<Y(TF+IA^^i%6PS4YxSr#VpUiii-j*htk>)5(H8nlY3koC|Gs{rVIMWGk)q
z4t1ivlQ<qu|Jqc`9_GgtIC_F4(CXsL+aaNxmKiM8e&oW>h?X`-j|wxmIYCov3dzw}
zhO#ioPh`_#659!gh7DUXH;IQb7K*KHttIcIBsmMriEX(Rx9ZP-Y0U3Q&m0n8a|K0{
zziG^WUXu7X2|3qZvtARy?79H*0{4G}q6kM8&XrhFIm7pDhS@>(;4TtDMaXhyvp+)y
z%>b~1O>e|R7DF>b#WKOM45!Wjl1^WI;6U?=Urg95?+`F?ogS?t)Rb@$j7Ach&tUr;
z{$wi7zU=HaPhE!+%GzEg;qegJV>dmO8LUZ`d=pJRWCYE+rK|bg<7lb2vy?O3?enm~
z+i{4>UElX}wMi9(q${{q6B$IdnjhNL1RHIYxcUSi`o|3tH8cuHRh$a7VyqB7ty)jb
za|sV-ahGBxCI{EykrVVPn<WT8(vMk(YU382^)yZy3mSi1Gt!ccrNa6^2CtclX`89e
zNc;lThhJ`cG;L_|vG2XVga<HC{L!XXdI)Q-1QHNXkoqKggXrYE*t<Xm7bxqFSaYK^
zsjoram|rNSnOefxxuxdYOWn`=35@Pn*JEb|Jb`l$ixSFe97IRu_3br2-&Q{_4P-82
znG=ev0|ZNd8ma#}46vqb^^~Ewn@dD#q@u_T#!=bJAf|ZkvJS|L;PS-fKozBx;PU4<
zFyl~Dzp_<hqCvbHjc^ZCHOc&iN!=>c1?i-UfN#0|UI+{SP2*}kmBaZUswA-neS(g=
zBXmg${cZt<N6ZU4CkT-i1zDK@0?Rq*N+xVd2$G-MV`ia0={|zvK*d+wR7vOt4Pk+z
zRw>)Xa(tT^O~p^<_Xp!oXiB@lAnhNVxZ;QbY41M7OFiyZxN5=T`0)_-%)VTq$Bpn!
zTBH>G_F<oHv~6~Gu6=L<k&q>}f}FQAgj0Y>v>@Hp3k>^kp*6Zh8<TVC)Sz$L^zg9g
z;Q<gc3BGECtj=(NA6qPGk2X!tyqxQuOM(H!#=^4+<nfnBTM(EG>J)^){;Ug4@c4X}
zep3pSbgHZbd8KUQ=|D1Jy&>&DKVhV;+pY#I2i#C;(&3lG`Ycy^;AJpsgn;fbtHSw?
zeUbf=7-C_ayRTfj(D|TN6C(ipBqMXliM5#o6qhU-Wet;J8sqcT<cqFIGa%DBv+>S8
z%I}X}T-Vunv?A|yhTZdtIbkXuVR44tidl<CcbZ|T3=KJ{r4Y}8GG}lkb9i_Pc)H*@
z>b+W|i5vLCQYoXy^l2%-J4p<IrkJr$HhA8)yxZ^IW&IG?U)y?V?tTyGzW04QOnJcK
zGeH0zP%{QdQ1x&T^uESoh4o%HwK{)wae3=>>b9$nU-0f)X=~ru^t8X)y*C3)k?OoV
zeTh<pZJT8s*%?P+#CNq-NGRuE$)Zn&1d{9tcpI%erK*5UI;XGPSjYX&RiKsd>MYwv
zsyIpYBc*72`*;$RL<}ZVPPW*Aa^|Xo!*DK4@pth&EhKeqWAt@z8LckS30BSVu{d|}
zCz+@jlmp5rMhI&b&KVE8md~`e+wIlRL+=ILM<wlAx-8jjKIEXe08xgVQqc&-XnkY<
zIXDtYbl41n@OtLFxec$C&85_iV}S`uoEy5$AduLlr_ab{h^{pr&j)8_tJS)Nl_%B*
zaqGm;p(Vd>EAIIH6Sr23e7(h}A!csGph8<OJO@MpBA8r7YOq(KCFTnXEXwf;fMc$`
zP_+L!yD&eScXtpxxk*f`g+Z%@O;CE$(1dXRJ^`x|Zi){J&kswowd2}|%oIkPOi8#V
zY1z3V6WkA<TxZ#O?N~@bs&6+rbb*^gcw4dLHSe63pOa!);tOq;hKHncc5T!g9IdX~
zZ^y>Bihgn3-CkGr^=>Ae&sQr<auSoR-I<jKk4qT4*dekOJ`os?d*kE<w$5GeXTrA+
zK50?GTTfMPpTz;0?Ufscm7<oqA4mIjXzd@FqL!s5)6w2*KRg)`b2xQbZ9bVDSyQ&f
zZYTW$PX;v~*G{vWy4*L{T@g>j@(|rqKNdEri<o1gc~Ta!*`eH8k6Cp(Rz2v>y+B4Y
zQT^hB;w6Apje@ZUO!8dz*e<P_BH11`6B7LBFE$hA-JUgB)3>;dR$Y)qx+{1M(;n{?
zt1I6tbr(PR*UkM^*?4h^;)R-eCc)w%v#H$nd|m<#(nGeimX`}~wbC3H7-vMe-Nzv`
zyD`n!1FZpU2w+t&Fx`>8*QdezlgjOu?LW)k7thnRx{#W<D8HHBgNk<V*fl9uA@FTS
z9tz+n4kC*%UZP&a*lmhyF~GQN(oOsT5U65T3S30|_DDqGiM-<3+iw?n%fTS=Hmsm0
zg3N5jqNp-pFM_(zIvz<{j-i~PXe3W#IJR;_*5Ir{v&b#R0Xgnag#f-d^-I)$MKd@W
zd#ZHDw%-XJg%`GpcDfioXz{Y%y+H8VWm=ekn2;_Go&P4`$S85zC9DTg{TG|yQQ^n3
z?PVG97&|l8fX9@0I5FA{FyIz+nt&<nZl_6O2eIUh(oQEd&I21ygBQU8LSOqt$QBbT
z@9uop(F3+o>q01j4Dz9lvO}K0aw;N?Ss5YPymudT9=TCtthM-rMH&m_N{%V#ojk;@
zP)9Qk)(v)_@d~|xk)8kaBbnTq0_MSrhvO5moh?aG&ugF}rrht9Ep0#1GINbKy6gpF
z@i9<Jer0BLEZ1Vus+@z{GQ`do0VEXRj51PW_bqM2Q_tpMs)<R&cTJjcW8?Z8PZ6Ht
z($v)Fj<{4+`#P;G>hS~zhk2^j0jgsNuxjyE`0k5AoF&TEN##(jVF;b2S(_Alb!t(F
zsnMXL=OEOwFYEM*iMk==19TDc9dLHf7(LHEc26N54fPzApu<Fsn5d<W=$AHp-MSH{
zw~b_>OfZS#l*K{~j8r1=9UUKt1y&WG5Zi2N&zO*@1XmLcJ8bj|Mgy^98fsfJlE3Os
z#yiYk=LGa0r^r)Zm)^R*Zf{cm&pCmVo|}!6<6r(Y$3Ol=|6lHGSH^PxANIZ~st#<+
z76~rFg1ZHW5Zv9}-3jjQ!6mr6OK`W~?(XivA-KakN!67~r>pCZ_ufa}?mswVBp-{j
z=AL`5x#kvs1;|Tq>v%!PXRfaI57M~CL@cX_x`2Qk0OTdy;Uo7v+z6RlZa~8f-MOv?
zF5tCp7I8I-^$)a5z0PD=IO018UzHkjdYzdoYg_ZR8+???I?>YVy1ZHLP`JvEut+`{
zT}6#DB1jJ{oR|$w%7cCvv+%0QmC9gk;C*<Pb;MOP@Kiuy_$UwO7sTm(ja%9yj<Jq&
z`8vEP`6eW9g6kvr+=E7paZI8np0+31gl*t*v!iEu{@L|g|6H4uevM0J@thMx?hg%j
z_m@AF%4_>W$q1lSZGciy{9Y<cD|<sb`F{>E`Nt=Jwka4{X$txdHsFSDt;4w7BY~iX
zq?L*!l0Y1wD9?XkpJHE75i?ok3aE?pg~eezNVweRPdT3BD3qqcMpiX;0EHeXKrpHJ
z=DEnp>8odhvK$LZtr4la#K~nI&ca$K&e1zuBo{;-N_aPeeoZtQ?l34)J5@l>UTBCR
z;rQGIXRIVy&9oB_yy8=M-NCmI_~!Ez$(Htf;b~4^{r1@V=w()2=MZ4Z@i^cfpV_qm
z=`BHJ{KN;`V=q@3q-|gQj;e~r0W|*O@+8&fmZqQLBY4_EnKuE;ZCT*|SY7`|P3&m@
z@$-LT7*v$BnxgyR6ee7I&n!8cKe1RSs_e&5XR_k?QFNJ<urln};dmTAsH<CdF$@L`
z9@2(qvmKa#%M&io3$#ykvC_djP}6j`cJ0O^eOEHW++3<^8eN|TNo=uQtr!?ICQ=9r
zqqbv%cg@}#fJumA<Q*1tJs{?exLor(xLHVm*#`1P7E@530j?ims7*jOreWgeYJwe%
z=!2*To$iUsqLjP}tzt%<03?t>ch3ZOHf&OYlZkI+T>_|rEK*Sl^Ma{#vWogng}p4O
zMWLh55OTscFc2oO<vuvpp%*w9+?(d@*9}~&7^gNw!LfSn_+;{(Kq|Pgb2?GE%-_WB
zKQ9tm(Qm7^Qdsup!o@yLJ)(Vm#}Or@@~X>_A=F8E8E&ieO}*|6kd|q3HATB-fqePi
zaH~f~+argU2b0@_+4X^*<MYYQ*u`DJ>wsE(HCY7nlz=fm-p|=8WPCS;R8G91{g6&z
zU0LvNY^f$;!p`G*0#fN`)N&`b%wJKgoXb07l<LHN28&2pn1^9H9eZ}aYao_wOY1&n
z$(S^TR>&AQzaKG9di%Cjtlw=Xm@TMTq2D_-Uxk~F(;n%VApH7`Kgy05pTuw%Fr5rV
z{ndr2IXHWJ5E9K*B3#q}eoqjU(I`Ve(FTs6Ek#yH(wJ9slBT=npy67ehG_}AaFUPP
zB=}eaLPDbQ!OV$tt1hOA5G|(WkmU@{n)#*sn!QiDg<}f!oc%o<b47C9&a7I2jyH8M
zo$TH@k~@J1`4!*2EsF9h;q)U0yM;VduSE8~5Y{r9>kRLXq3fJx9rb=&BkVH)*~=%T
z9NdQ1eRZidd)LzZg=6N~k>@YREZ(P%pl*i@_3wwy_`++aIKwF-YEsQ;l1K;&eBgJ~
zM5-q(33B=p-zOXQ)tcs6M93B`ciOJxZ%rRMvhw(ssxhiH*iX{!NFyxa9L@<d%5S~4
z4=R-AySt_;Z$H17yo32804sH4=Ki&Q`L(mY^rwD_ul+^8IR2OYqW5t1aK<r~(!8*o
zY*6^FSA#gV=3}iAC^#uW7!tj?cTQLO0#HC?kN{cUtNL~nn2H(CTb&peKQSuUH`0EA
zYWVTdE(jrXy%<PlvAWqO;IT#`MMQX=K{@(y%;LH&N_M*6+r`;4!I=%6nBZj6I#!qP
z6ESvy2*nYhRO08V$|eJSY?wG9;TO=t(gy!0hC$^Hc-G##@K8LPS)&IH?bGm^#wY=?
zcRC2M<hnpqv|`LEulC`Zk+@3g`cq(?<I6)*-kAWCyfAomE(g4wgoM#=s0lb*g<hju
z)!Kk72Kgp8k*WxM!j|SLXmox2@VEn5OQ~L1(ymrUtG;k*^GXNIYw1eBCPI94*cseO
zVfo(l@FBYL7&gM_2?R6{p~Ke}M(QJK8ON4WF>S{dP7;RU8u82Q$FFq`8G{uIP&+RV
z_i9zRcwO%f^^pYM9}`>l-Ng#YXC6qzpD^bbrl;Og;Frfim=c}K5j@x?>v`yW*(Y8U
z#>OFoCLiPmbW08wpj(_S?}(XvHFX4_626QC^czI#3B+?6Ve%_}gXd$7lMx)-<z5}8
zX{FhzI_0OCnO%|1Ur(=Tzd+nXx)5twd>UXDAsX59U#dL%uyQ6@fB2A(Y;RFrJz<_G
zHD>W@Ho$_>bVR<QJzgM@%-#jMHL^9<mB3>mgwlsdx^6|ov9JekJ4Rm+Px<YGbl3XM
zS<Z)!@W`D}^dH@lul^eId$)|)e;I+Rp0b-8S^eHEYkRM*uT8i{srq18XJbxm6h=gb
z8ktC{iMJKTy)|G=l)}~f_uhRCC3W3YtF<);v`cHb>qr^<$(I!}tj`sS#X>L%F$@xS
z$lcey_gAt#3J;(bdIt$It(@X$D$iPrUOy?Y_|SFvbAVG=5OBu)MZ)rD2|ZE2uk7=^
z@F%*(9ET8oU)jH0&zr`hBd%Up|LQA&@^FfEHtA1@+r8z^c?w#+;t`<gE~A@~9T0ZJ
zBf~IozsJywn=$tqzd^5tr9cEzs=ES9iFpZhL}dw4nycD4wjVQJ?IK6coD{mB-Y~?1
zJ|C%~u8JjYqB)Cb#%ZO6A^{d1Rid&Ub8vOlhb5i<DIl$P0?SqGE2m6}GGXj%>L%by
zmLkkt1@Dr+Q%_nu`^+-4%a?qco0#6Ow2aQz@mi6TasI=CUX{~BsAq=xsAG7ee}tHf
z?eb554Pt)n{{4RhG5>TVTT1?ZB&+@7NUm$2&>b@e;ujGhjFt0I*9ifeH|2J(7~tR|
zK@Avu+sRLjAU?nWDTuxW8_YOJCu;;c_?~#?H;hsICye=VB>w|r2>*^TMU_no0E|%-
zGWt(22Ja_~c|B-WAu@^OOyZ$p5yg!0jY|6sv;HKA*fU^z{Q^B*gow&#gC4Wjjq)Vm
z>^fwr!W4*>aYXgadf8N=vi*m()-i3*^fs=PmM2Cxhj;8=HxIjak5dp`Y6zudkahfB
zMxFQyvQ#Kp5DM{4_(BFj>^>VZfzYg|`~E_AgL?c@Nv713dp1n3;w<mTn?sc<#HM}v
zM$C`EQf`dATHQ6GKd(t`I;KjSFn|?}8Mr)ss2Pqy)+X6*ITyeY(4sKVmXa^QOT=Xh
zzD5*=2;mDk=O!TiDvO6s7RP@7caU)%{vBlA13+fxH<0NW{%4S3{J#SksNX?`^*4~g
zYCMwr#ND5!--E4;_Au7IZulUpRY7FX_+E%Z7R94&f7Um^>OOwzeVV0R*U{y&Lv_6+
zyVN=}n|F&x@>0@{GeO_tKCW<_u-YhN!f<q?JTHVTb*`#OedL7xFotB!mRjv(T_2gE
zW#z`AL%pTC)K5n;)~}A_=bw&bmaUNKbpXT+|8<D@)6~K-K(q=%;3*(l<*Q}Y3M!&W
z9U7wRH^M9600Th6#UlZ7PiqS>;uo17-^;{-;hP8a4^0n{)y@T-T!L_v3*MQ=(N_~D
z&a51(%iilD6Pu}oCM-x@mJO|oTvMU7aA(`^KM4hw=oT@qQTBYu{zxUCKkwPA05W?`
zC1uD^z9({}=~O&O4jKR^e^eS!Rd0q6sGr|fF~#D_|9YSqEaXbU?>x(p86Q<x(KnVN
z^6FMmdk7on^9ANp55xT$gVIZ3M|J(BpGF~-fz-jLe66~mjA14;_3^K6yrwq3T|Wha
zm{VUb|BJQzlXQ@l=s(m>GcSZ;=@TTUbJRT$KOj-X@;NeCZ*BD>q~_;MUe{rRuMZxu
z)eD|}s?GA>@j34A_<V#{e!^qjV{9W8#ef~8%dVkio^H~+7~p)KB$y*GOE;5z8mISO
zmM5NE-ke*X0@%zAwSYcZ**^EaOug84_@izI3VU(Z(Gg?N6Ty`Bya{$oR-nNuNRKNa
z-`#i>7Q&~TB3`jK{jQHiYlDE=O<_JQFwC}@lswD(8d>c_HOi^>W6z*TwwNPwC#|Gf
z@IKx6OmBh*O8*h3ckW6B{~AvJIuGF|oVHl})z#@=qk{Rt?>aQPV{5!?Wr4v-f#LM&
zO?`8^TKB)hG+(TY&yr36*!%$p0H!s*!*s~oPC*L<(E$xeL4*yIU^oCwJMj<76VCu{
zPW=;=gDIpHYK06sA$lMoKd2yfFYw8PPO2W^1u^#9?^G}(iLCmcsbEe6m@o0L(swGj
z5H5jh!=&?_3QAo!A_o4Tf)oHMNCVBB2=RjoQq=dS!Mh}v0;r$`D9H<zTjy{<!6c-u
zenl1d#46?*{-V|v+|YL_7^(;lpn|5NM$g9&n>)Kbht+pW+84@b7eA;VEf;_al1xN@
zr-IHusG!DoDp+|zBp}p4i4I>wo}iDBZWdcgMZX;ipn_0%1w=9j@hjh{Af@1l%kpr3
zox#QP(O5zRCDP22=yLc4Ih+yCOj6mhmC%p|>y-kJ5+%&E&^9R_{5Dm`eY^dXXhQ@G
zn+yt4tcPD>qA;jVrohSGg{Z-OQ#+(SjYA4tlo)qMP>Czx;#9Sc<5wk~b)HV^*_@>9
zt~sFC^tw?&-Knqe$Hl2HNPJlQisI(&8XXj44q8~5qM4$_nE55gSk05x$PtrzxXBGx
zxD}&Wyu3-84@n(Mw?NjA+_$_-|7r34Pf8ky*o{?Fg9Zs|kGf2(vzIm=RWA&%TDaV%
zs7H{hN1^W`-UyDFF&4FMC8ZnQNH)!xCa-wrSY978E?sjL9M08ASKEA8uxzhPw~y$u
z6;ivdB~R)F{(f^30>mjS^9e<~Gh&!Uo-0Dpck@BI@?cDMD9~~^xXSj1R&O+|v1SzY
z_2cF>x60PWQ<SJ(n<LHlgz8zUw)O5g&AUMRW4}B(hZfcWaGLqAYgc~~fdz=Igzo$v
zTdDaCr}LO}hF2ij5wW8~@DezDdl7tzcsqM<DP_XPcgy4HS!1O&UzUTs5=N`*_sq&u
z#^tiU8Tju(Y<++rwiNWm4~?H`8T4p`IU4%2$<i5NS^HY#%)yf*4TH9aa$!t5H3p}P
zgT97y7D_5wDBd$=CM9heFy_W+`Zlx@J?RIQ*#*FNaFCwg3HxnMsIn0miTU?T%g^HP
zIC<68M3I0f$QLg(jr^3u_ODlj{!h|R{~an)HcnKq0XWAq|4TXQ*DD}DVX9<&-7l`!
z|8L|dbCBP;@6vbfdjtU0j=ytXi=VhJ|8Ly418~3o58U^E<*5Jfa@2B}Vf{h4)fdh+
z=Cn+slog?36E=@}3>CN~)BjwKV)?;+hkxR})Bx@q?wn0_?>SToA-Q%*U0}u5qSSSC
zz2Z>a_JjL2dAB(Hn)?R+iu+oCI<*)wA6VvKw)rTPVp3^fnk1gT4LT0LTFP-P+=pQ6
zo<_@ZcZpZlxpUZm1pB{*RQf-UxBQ<7secl4`R@R!Bekone~qU8Iy0zLvB`3Y4rK-A
z67SUsG>N*SIf0|jfDIzPqz}s-kWw~v7Scd;jsDwy8GA^!R|{Y4_hnFUpzZf$P(0iv
zHD83t#j2*dP3R2}2ZkP4b~W}*_3ffbd(rI><tIU|lfhsmKrnj^=0Su5IjezT2@s)V
z`JgPl$x(HxpKd3>?V#dR&?(X((Q0{!N$dzvc>UywX93dv3LKeql!7pqAAxWmg;jEU
zh~bRxZ!|RnpjdVTpG@k+{zOwB{#mgEd-^*~4b8CryJGnZnu^Lr1)!<0&Od1C55@93
zO$8{H0Ge6@psCORnyR+(ou-QYpsA#3VxoUnEH8d2mI>9L0E(s7FhH?90{fk&(tKAe
z|4vhXD3;%8D&p@n^}AvTRX;^Q<}hTrp;+S+m;IH)(nwwtpjbZtP%H;mh);U&LIZwN
zEbDU&%Tk>w@QdTXOo?ofzblqHKNQR5ABrW^AlL7TCE<6)lKx3k$M4;D#Zn|ML+3Ze
zQuP}yA8VeB%WsNh8_iA;m!C#aX;Y3u2d9ZQ8c{dN*F4wRE`VamH?mi=T3I|2vXyjI
zwwn~bR+^l4^`Xn&^(w%sT=_U)h65DF+$JcPFClLoW*?>yZ4#}tft1D8uql3kruNp?
z+_q$I>%ic}1ihKfbDC-%v1%TJ2$wP>eXd0LF~G>R?uVMNa&&pXSgl;l7Jkae=IL-q
zg=JK?1&)0vT8|U|e$vrWVt@gj<&8c597r<i7An1KC~Hn-dPALJ=<z$T=^H~vGpQU)
z){(!_RMzh_RnXk3<c~Df{yR;5`iZ6zl&;JCi;Cr+j1F7=rda+KN#6uU{wu{Y%z2-W
zoHM8oFk^)Ps0q;3x4C~*6WCih%>Q;HP7Ts!US6|!&7f}~%yBoIElX&YXgVSdhz%yg
zABrWf8%PvuUmV<25V{BtS6Fk1C`x^=qe9oSYD(tT1a8A&_{IN+Vkz~NNTvksC&hB@
zhhj<dU9qfe%&)u`hf8nCQ{EOcB(R&+rn;&Ud`v9txd^oS<1sWd5q<VIW>58(rqX{>
zv7a!v)HjI1;Xftz)n1Z0e+Z-hjo739gV<jm+X51ny8#Ky);|)K(QU)o^X6e02!;>_
z5=7A^{TgEnl@Uj9+~f|67C&EF@UXw{888)jtNs^=y}}R@aFNCI(aQBtuEBpU$X`^w
zfAHB~Kcw;RP?4*OP9QYE#qR~+rToKJL{itz-q7|B#)aQL`V*qkGdlu!vH%w1+k?(2
zz@eR*Yq1#4))LCATQI@-F*xpZ{CtOF-}&`>tWfZfdEHF$b}6c-+o3@0@QkfU_sokH
zMx=8F-&c|r4pwSVR=c}_IK*6JIWszNVu=%7m0#M}n>RE0IJTQS&qYi0n*C_}_GKZp
zomeO`7NI2Fr&O4W5E9DX#1yS5e#-8zl504`l%X~yeM{YuW`E?B{`OJaVu`^cOuDW$
z)VMPYwexjLFB;>Lc#vV7**g)Dsl%rp;U<PUARG1gau$=jkgCc_k%f5qI+9)0iqYy!
z^AZNR`04<m0Wm36(GR^?m`RHPF?9s;Ln`t^WJ}30b@>KvQVZ#+yKMoeo2nX_txf>Z
znpum=Q@x1xk4@=B_+IZVpyJDb9s0jk@jtm+_QVf;e<VWi#{b!OqBTB`SW1r2NFLg|
zOza-G6O;QhHHIkp)tYjRj2<LEn*Rdi<rh1a>PYy$F`Is__P|xu9s#WiSo32EEA^h$
z(XrR;@&2DnCw!|j=V85ZiXWP~C}G+1#j_3zBJ)tNP!9D{aamtGK;*zTrnKj$_1?+$
zF<en+*guu2uUC<Yos_><sqG(@5_;!FU-;~jzD~PPW^#|2uHk{v(ThdmjP43b>*|=0
zs8?%6KoP$?cle24Zo3eCtA3(8B(}7BUS#4`NF7P7QYKDZt~plhv35(3JsPUQ8YOp5
zH;c#{C=FTB#a7Nip(2a0tSB|)21Ypxq?tN`nL7U3s4CIaQhY;oU30U^c*}P+oP~^+
zf(W^b+vQBHw=qiEfBXv&8cL#i0dm*y#D0od|J!%|M_B4_zx;Yf`B+2UYPt7~C++wP
zPenvea_R;wtxukg(~cw@S-1{4_eVmb+LA{8_|!NOG++(<V6#ji%uLBoi##}87TQOc
zWHPx9G~B&G#E07UADmaN%9N^VYInXFvT|_PeH~_9OJ%i-qG_vVhmFID&gB(IP_!0R
ze#6(&|9bDb>VD!wxnZ%`pvFOyuE0Rm7h$=pmbi@PZQJJ9fM*EHL6K~03<gcxgc)G{
zv*`T1)sL_%mvSh`gKbwi27C0+$>wIBo2%PZfmz@VE7Jj%JTuLnw$b;pZFtTGjORl9
ze5$0x1X)83&-?g6Q+#UfNG3LXax_A-xbi0cH)BhX9%svoqn_n4tw^^`%VJ;PSpu7g
zNn$J$$=EF$N-Qlv71bL{c7|O<6{NOC{19Zb*-zh|2{otpqm~_)ywxB@E2Nmlv3-CB
zKIb3JH;gmjP5IoaiL#Qn;z^GpZHen|*5A_b){~K!s7d0CK3iF~r6W+@xuqkHd|7Sc
zqmr4zC58OS%t?DTJH+c#Y|i_O=axWjcc;^D18Z+&uFJ<c!sY;xqebIEHxlTChsFa@
zS6Uof-ksNaG_hb*#HP9kXR^h`QBw867W2z(Rn-B(z};K3z--|2(-)SYpnB$*`e{xH
zo5Y5vF~*;RI;)ZqB1Ewp*v-g?RA5jG<&(|29oeJW-m=u+#w-QBX3_FOAgNa%X%?F@
zoB@VBt4ng{o%eYpDfC*veCX`7L=k)2IK5>XuNXlhhc>vef?N3+ZyVE4GDKQ;kZE2^
z#Gp<8jA#H#nasY&xsB1-q1+~lKt1Nvua0X`<_)(<qMuJRyecy>4fR>4()H<+&C4h=
zgf!kM_w)9*C0cFIm!6Jlw?HSa6qo1qjk$+4Pnu~RIgADTtmiK&4Rg}VmX>NJQ=Rc@
z-fatH3}PsrF1za;G0^_sIAq9<ioODGQ0cs4>i&9WEC3E3pxgFj%)tnx@9mvd(LFT)
z<bsJVHYe?!rDRN(56+T<87Q6p`0ddtaO}m#r*56K<|?D<t=SNZoBG4eX+{aPJucH@
zmx20Qc&u^^Dj5u_=gWFu2(MBfe;eG6PNU}H`dfUvE>B#Bbyc4LlWz-9(h}ds`M|04
zgc$oYGod7kg`reep}c|Ou`KO^{Nz+KF2TV4SiSek>_t()J!v7k$W1VoMyeQ5W#VP2
zN)CHU<mip8;;>7NMN#bpt868Cp`JYV#9^N>b@+wDS1fAZflwRhE}LSF8+TByD28Ig
z@XNobP}6PDclr?QgDvIwxw8yvoUsvsA0U{<gX=Qt-4i-#UM6<*B(mNgtkH7ci8Fo}
zcL`16g7CXMFBh`xOu)Encqhea8EHBH)dmy-_~Vh2%R0)y#uBqVDvV4u(B6hsI?ifK
z7qaiuSX-G+$QWq8JBGUjLu!D6{XL`=$jYN^;BEbz0>hxw8g_KHev>OD?^V8H&iN{w
zrm3nW9Atg0Et;x9gpBii$elgsmHy|=YcH?s&FhO7JB|85jlHv}Cx{I4uk$SA^~ABV
zV$n0*Eux3wnXCxALACa8`&gzc^+8y|ZKkYY{pf>sck~IQI_ZMs>9KZV=0)r3#kN0E
z;<N%$ev~tUF{w*NJY6v2EeuPn5ul^44_F8ILFX<Y4e#P7+OI@~P$ARcWyxi-!|OFI
z*m2&nBgb5bn_WM+?<K@t-Ng-IR_z2S#RURuPfH>rC{Y_dCVA6$Nd%L>4TjqK)MffS
zi5lVN268idx4Bx0*p76A&I^lu0k?^($$MP4vfkRk+1K*k+s#e(Y_;NJFwP~ZO+=}d
zvX%APx>o9!J>+&L)HmM{g;eU#uwHqpTWwvNf<A)Zg52tW-12CnoJ;ce1z5HWpsX>Z
zh0ox(@wW1Cr3!GV%x})tS!7~aA>D=RstNf%g5QDMA@^-SXxn^?$nc}&)38bR$k)|D
zC#{olYz=b&3Jul;`e@1O4xD<b&lUhYRu!Qdc>Yd3nHiZ`OUXoFU^~kJ^ApkGYWAsw
zNH7h|=ViR3Cfu9e=bIPzyOrvkhYVbg3;&{SnlL%3nXJ``O3QC=r)95)+Q5ggE|+x?
zpaD5r^wu%4)(<s6RCN=}{!nuUebs3LIl`~CR-fiNP67Yk^|a)Mou*Z_h-M5oRqY8E
z9S;(_&qWl2#Cu-tgoX5IF--{~Qwye)O{sY0y-ji89mB-&{BfDhj=l{eTqX%E!TIc>
zVq3#0_&6o=YJhiwfXTE`LbGwAcG}eD9;xUiS!Dh0$8_zEA)h)E)p7f(FmlNvC62r*
zH3#xhn3&hgDhrF?s+rqaz6p<5%{8@fU~tfwC=6PIzBX^-?4YU0NFroqLVbLop()53
zGS_|dP*HH@z;$`7tkr`8i!O7%p<!f^8Fo;^Juy1bVpbM=o&;f%G<AbV`kS-*QVc|A
z5-WRr6FauiD(;2Z{kF)cr4LVAa+b~7{2>etZ|qYlX1NOo?W|ezEVh=+R_*S$*@v&g
z8#ovKT!9!fNxRPQTWlBDa~ofRJFwR_*ht&4cQ@F`+ObbJzTEJ<Gu0Mkf^m)}qRpmH
zj?rTlf6ZiK^D>Qh=0}prwGY9dqZdF-Zr6i>Pr|+_5hKL4FifKZUoMO|loAtN1IU%1
zT`o)In38}(jZQ*iM_E0|Z>qJS<dztQN7#8Kw#>LFYAHgpLlxC_E)B|+_AP%_cv@c&
z9%C|We(0;c)yhx=Xqp<En$eyClx|w>u-Z_$dX5=~;W#Ng>3b5ZNWb*WNLw`uu6Jio
z?zclq{rM7Vo1iuqZeRAhA!tVor8&p3>piJ1Qj|5`*~c)3Qzx#(A&6w^MN>jrMHHwc
z(^{E|hbC9Ma;TT97NothWO+A`a(4;8D}8<^do=rbh&;Nvq_yEmB+U=B1`P~?4F=vG
z6?^Z@I#N)jak-|_gI6PbjWi+$X5B``W%)A)JP`e5?@obJqbIP2r2>sGV}jjHC*T7|
z)&@u$97USG+Cq&!R8x&-%P-i<G|Xl+eL$MAm!&p$<eHXBH1(!5PE_N$R;QnbN(Xlw
zcWgm<3q;peWfPX-hSHLUESAhC>z$@|q$<VbmlA>#2$}Fj8^ycKN{rh3-ITf2$o<O_
z<_j(Msa_GIjr2~{b8W9tFkB}!%F3W;RgQ%!);3Hmq8ndhqRfxiVS(aQ>%~kt>t`+;
zrff>DVggJ*aMlhf_#PT3=6c0YlUqq2I2)%AAZpc)@z_frU;mNL4Z>qA{mpy*2SWXy
zdawV)X7H2s+U;MlUVny=Ni}yQZ~?U{*lmK4nIvOXv(p1LLS>PtXMRxDD!d|6<pZoC
ziNaEq#t92l!U!X!!4z;M*@aEJs&b-Moo-_|{n2_27=br_)1G%p_uVNl=O!$0Bmv<+
zTEG#Rv3sA%DCFqv`H(|10ID^I{_@wX*Z+E@{^YXvzm>B4?cL4azGi=NN&C01)IUoq
zf35re#7Fq=ps4)o1^E-_&i~AU{K;y}zgt26q6+yZ=<+|bB7br+{SU3kU!Rx$x7Y6f
z+ClTzT}uBg3-ZN%_u{V&kbf;={_M$_&HIHX=fCzj{uMv^-&e$_zpseZ;&IIz{C!0X
z^`{jv;2$euuXTU5BKE(2^#9*}bio|`g^@2?DPd)&DN^ILBcno7jA>e3a3yd{wr2lW
zdilwZe*D|g%V?!uc=4wvBb{$mPh_-!3Gy-qQ94;j>zesA=p3`h(0-CseWR|UYuN98
z^rp1-Rj!faVcX_N{bT!xoIxV$-DL3(qWy)LppB@LB{jeAye!(3s+lb5#};+W90wfE
zkK}8@%jgy>g`v`<{bS{2Wcn5qNADm8u<|lQS@GCh^YYV5Wx(q>_)>uEpDFQQ%l<!3
zm;aa^qH$;mko}*vGf#OcxIZznc426}8tOP1OhJ#t`JQn2L-r>YA03ST1Vj@#%_u_z
zH=ZwOfgiq6N2W8!<4stKysH~3Qni|Gw_%}7c{~_RHMEnlV-0w*De11&?kk1nqmCUq
z1s3s$4~v>Y2biX!$aaq>LMd%g#`0dRx#GZQtUF6|VFTF}!le6-Jb>)4R~701tjL^0
zte6;1rf!Wk1DrSDlW+K4_CMlFjSTWQ?AssDJ7UzFdz=Q$Q(p7K9egQ-TfvvRIN#^k
z+4AK6)-QJy7C@XWCo0C5P<3zQi$4HuF~G4H9cv&FM#iZ{az?VELk)gFGOJ?6czI`M
zq4})!)`R35^MaA)F4Bn)9sd{IBJ+lg>@Rij3dfUz)M%sf&DQbDB2XKJ##>zss**}_
zx*LnVVuSX!pTxG|lT6BZ-1~bNR7Hquf;SHZCpG7f3izK5Jn||q=|$>q%X=^SNfkMg
z_7xjf*SE;4R@cu_OiJl8XF|`F1_qC<!sQu^ZVtW7+uTd$4Xb+>b3;`EY2Ue8;}!|R
zP+ncs!||-skzI(TFxB0Ow;Y`CMSlQ1-SqlRx{8AQrmS~%Q)Q|wxmpmU^%mVXH(qop
z-egNL5Wk#_nfU}4rcucd^VLQ|to0(&Jk&cSjPa1!s<$i9!7@m3e!f%lUtMvxY^1uq
z50R5bMkMRsqS)?pRjWqb(XGfy($L;Ftr@K-q0Sni(TGD1*(kih1qZ}`$|ESn=QSVU
zFT5K7Svl%{My0LqO%D|$hikGSOWY7z#s47NlVbueD5UJddlnspr_>2Imy?VT{P>31
zp}d+lYba;^n77z1%mik?%K5GAVT_^!Dkby_USM6BR<r~|fw8~R?L^1wD;TRq7kj7E
zvyA#v?)$Tyr<DRP`SwKhU`&#sN~ibo*@->DgN0&H`%aHZuqa>R=<*mc3CPo=r)}VA
zYv8aBCf~pzg9g2Ql<fmb@#hBlJ__kO>q`zi>dFW+EaB*Ssw?tS&JOLt`-o62*#pyw
zYCvo9G_*LMu>ZJ$iq0Q+j2QO7t3_mD%T_Jm$mS~$f|slCijD+p(o$skbLfZ5$?GR>
z%e5!V-G!Lrw;9KtFEfXDt;;T+UN@^&B<JiAtt-#ZFj{aF6fwBo&2gH?BPzzRRF4NI
zqg@4WU^YZ6B5#V-1akEw5$6$70;>@*(9r{)PO8uPUu|bmFGGrRjR^PWjLYzF`v<7W
z`c|5L)K}8K*`LDGezd&lS=+4ulWw2&IvFt<VreZshIsw8+FvUB^$VSe*-6D&KnF-%
z$ELK`ip#CT8>-M4NK`IE$(E7SVYmm=cY<s}<8*LLY#YJkBsG!1pAu!mY<7)-uu_16
zFNGkB_NB=v4r91>flj5`Qy%hTunUEy81gWZ%97B!PXb$Y`pbcs?6>Dvl(2}#`A~aH
z>wv>ho0l~^`zz@fuB2x`Y!Z+#VMS?G@bb2|qK@`*9(*-Ctc5?a`6cJ^s@w@?l;21#
zy|>=La9ewPxH9r8<N!_cGrGh$0vXZ{Uyd!EvOA><Kf)1VHou^|;Q_*b@NkUKgTAf9
z*|y&|il@BL=3Z-YN`O0A(soymLdbXpRXyIugekQ}z~&mu<Zbz^9k_pK-eq5~(lO2}
zRb2n-5>@S>BmQ_kEq>)B5q$~WDM~S5KQxIDvFo{E;%+AG<@snP4b6&`X=$fqXQ28x
zuuZlEdAUxnxyJsj5&e%L#HhjdA;dWjRT5WhKQXK?G10}TZr-6833vMrygJ2k0puEK
z^dbCn*$$TQ2>i_5e3mQ!DyWCg?dSl~8enALbNgdt02>@ZljFE#8MKCwfs7}CfVWrh
z<{S<tah}&`z}@`ni)+_oz+LK{b@bhOjUHDg<RKFm|JV8}CQDkzVXMTkBr6GeymZuy
z9}|PL9flth1G+X{E+ejFgH{_;7>%VmZ_8AY3!JW+(11I*3)YLX+l{MH=FrD2tP^Nu
z<y0=bAvoBsZq(?42^EO;L~BqW`ypMkb@#r>cd*XQDPnKpUN1B^$9);d#_T~%;?NsK
z@@!vbKgNRR%Mte#IeK%g8Ie`_)Wxmc=H7a<e$jH;su0&5wi&u}AalB>!aR?BAo5&Q
z4txd9>4fgryyT3I(O@E^^74ITFu5!*UltrNv@+1r_gZ`HVQ%y^<JiOVrJ?@as8{{4
zU5jY(nzuoCyK`zmtSsg?i?8AOon<Q~4nPOB<I(!Hi=4>yu8DBSE8#0Am<ilFbM(M!
z-{c6(thCNPeaZkjZn|fMZDttV<Z4;(>3W1OjPI@&N$&P;5Q4sZ+$?}ytn)RWeO?|@
z9SJG;T&%PLan*TQltN~9$kQu|%BnKhHXvtq7`e-v4&j0;zEjx%J?H{YWh;h})Bi36
zTVXqs5CV<0q5s_{Y*blrU4#__%?`Yx$%w891EHwsN@|!VLnlhy2};j!ern-W7SMja
zI^E<F%YBeB(ehgz?frMExPUx)=Y|p})2d$BmIl&KANCkctDFPOTUx)uF1X^9U{rmO
zoJ}V%n=weksB*-C@d&7pM@#ol)j~@LPE!noM}Zi6AQuE>YD7rLFo`uHDZ`Gp66i@Y
z^6Dmq=G~6*L;#D8kRZ;X;Wqr#56;aPs+X}GIfoKBx0U$ys~>5pLTOmi5{j=9DJ3tz
z?fMmj|3b?~S?TI%#Njq#8hS%e6Sl)-N_I3M+iv;M)JK1t52l7FE;Wfw{u8E~1C`V2
zXP-mKq%1I1(DwR+RWxf-spGZhgy!aDN+q$M2E<m0P3%+k+n+#3#{%1o{p|;JI=B&-
z+py9l-M>|7+)VTLoUKZCH|yb{@H1<ESoS$D12*F8hDadXTHy`(a95ShR9o&nqhGzP
zc3Lyl4)+#Z`8}S}#!&|&H@qg6gKBucmV)+*ONrDZ@M3{r;2u7k0K^0VTPi#u6lMR;
zn<qP9R?h?k;awmb6#`3zAkdGnE#8lNk%zlLwmCl7Gx$c|I>FD0_~A$SHH6=6H!#H>
z&hx=-pT6C0@L4Y54F_hUovOEkV|^*^s)uV-<+Yr_2aE_L)>h^FOQCI>e3p5}P4cZy
z$+sQB8s&YL>qb7@U#Ih(pfoYmdL$VT<by`XH!+lShY$;`ez}hlDzwkrma-7vRS>aV
zy?4H!4ZJn`nC}I@Oh(3*wVwg1H1kMdGQ|r~&g%_l(X^k*uVk)=ZpF5@ekFM(Y$yqV
zQ-P^7W8rhDYiES4E*XiNVKVzRLG3A1srbpLQv5&U#r?}mF7$uh`Sss&$)$;iOoj%K
z!TAmlZHxDd9F~71jQpAmmny!CSYkq1h1uqYTy}`1S}?*o1B<7j0nwldY<iW15mM(T
zLM%QR?jabE%|A}iKrJ2*D;Pz<69CH_StI@;w(@}GkxTp#E$+%J;48v;&e?kUfSX~t
zs-~1zuOo)$6Cu-pj2~e`QROoxwAb+zye6E^<Y$zNk{UK1Vq$N0+WVS$ClaQs2I5)c
z^#J5fZ$CkA^4AhVS7DJ}T?+~YL0I=9j8PO95SwBoC!fqfN;&K4+v3C9Py02Q=Gx;f
zJq?AvWJ*Y&jfc&VU&2VsktHee2|_QPsq#46g`@|E!_`)mLl-c#A3tvgbI4iVS=;0`
z6N2_e_KAXZ<1bS&ELk6KlitGIsIrrE?I<WZzA|66_51i7=b>+=FTORgC{nMKy!J4t
zmAv*mXt|90krvxjc4j~`V9I2pgxj6tW#{<LYHXJFMeW74&hz;ogF7Rm?XC-knMWN`
z4HxoW#Z3dKI~mc2O5(k^U8j+G2}#bV!c?VAIcrtUFlTkNbq!55`wVPt^Ma!LJ9TPx
zIWz1vA!Lj3$LFIpr}BDyHf7%iwlQHsbpjTn#+Bz|^PO=jWa|neRbeCIF1ZxsYKkPl
zV;o?O$^tk%<12J0KFMHXnNq_2R<JbP?t~3C!4gpZ2DqI)RSBpkABi=L>A+UjCqaw-
zv+n#91RHH_r&7sALesX`=*jX^UHqOsXB1?+khT^OWw+67se+FY3K}zT2_s^^wtKuk
z;b!60QX;d<0?*sZC0WPp>?yT&fJ^sst>kiRi=(~AJ?Blr8KvB_EFiiB{I^{S#UH*s
zZKuX3@n70mVGH?6rQWtY5ua_@bD#G$`L^OoyFM{2hjn_=IfpPczR6@YFyjAQJU<&J
zDlT-JkCE6Cp0~nsUQidKss7~!5mwtga6ARR#^l4Q#v7n_qTnr3i_(w8p>I8#x#zF?
zVzlNm>~mP8VxC#TEV*ls8AAgV-p#q38d!|MZ;5L*QG5oxs4)WnMse!75=A;OI@{Xo
zBb~7)5sX}?$0@9jC5li>10sU0nQ#L2s-vS?QIo)`dc(PQ7tix_67h0&zH6Pj^+nUt
z!%rhiQZYFLbwKY?16-E`zcS|jaG?D*So(DqZmpv9rzIhjHne-3?#mJ!(RlNrZY=ZT
zFDP|Q;*J-<q?5+fgd-A0z2RvU75;qt1edeXGRC&X1PJ})u>mIus>uycs2=a5k1VS5
zvW~P$CZ<xDPjC7zELXG?^4=H7y-9_OYTF?Qtco=PW5>vD>O-!Nz|Mmj5*fh2$tF?U
zyT0zjTR{R<{NQFVV6^CsDFN4yAX$qF8mh>a_eNG-Lk4`!mWDEWLot0_A{s)biNa>x
zMN=cnC+kDoW8@RZ*r(W&Z}v*E`G<tj@dErWrfQHgO2~L}k|IT!p({@}@t1Nyi*6*k
zH&Oai+t?sni{RV)vPrC=3J5AK&eg8AmN{bB;$kBqBiwPDBG_Un&D`9vQc-|g8L3~&
zYe~#9<^{0lzUvrAQSeV1N?)O{Sw0bf6vlr=OF`E(ep~9hPns<Cx~yNaph?+a>l(;?
zU&gn{^2CFM7iM?mhP&lqqpv<9<H_^c`Rd%LPkYOZU0E-p;3lq%1^>OkG|wCcqw59A
zRKUH2?-{O7Q0_2dD#Xe?t|=7#z^$!%QJySqFNb<E|7ph*_&}z@y$G$iskYzU0531-
zW)z-7Gu_GC6EbKI<|Dx<_JdbA%=40t*>op@ymRapPmzd{4zd%XHuN!<I{8tBB;E*g
z(2u&fQY!{{thv)}*J<=OCy48x?d9Y;XQB6w+hIVKyLfe+=i)t#2Pg)r_z4HnUdYra
zNvYtdKP(Skon||zO#t2$zK<wRw-kUW<FC;eQmdu?AYe+NzVUd7d;)lXQQcKZyH(BO
z;_9IObk*}=C?I##A@bGD*XNQi(FN<^uw1xdIr#AUPE}iOmJRQrmOYp8nw};aumqpT
z#5z|O*Ndp=2Q!;q4i7(7YjZcUxY>c0^(I)UG@M+=S}Ki7pn~tQoPa~&V?AuV`q<0q
z#IP@PLVVz-OMem(J$h2uSomZeDP~IhG*;!Pal7FLnnNKs@Mi2vX|VXixlRY347syz
zV8kiomY$TD{sn#rdnMWxCPr5MwMkRY)m{ZE#m=q(_Hb$NIvpLa9zRIF{#KSGbfm1p
zw~jIuUyaDc=Dw0Nng!So#vSy@XeHw)taSAZ=;lG_X;=yG(kJvOYsyZn%Tl;3NSbNF
znEN)w^*tYcvg^)5=x!YWp27%61_C1dFIx58uR~`?R4lBP1hBm#x}7S9&Bm_pMqke?
zl8a*bDJ+^EbA2?^#`Mi#(XKL>$|ZmkBN_C21zIVJ!muu>TRvV#e@iDnWxnQfu@FAR
zV8NFx)*L*xyY_P9)%>D)avvtO4r3vKL<@~3c$G{D&0<eD2jhg=qpt2Sfa34Bm}T}L
z8-&(FBh`&1e%flssU_m>G;<<EO+gn<r&@v5Lz;KyL-ke)8N$()I>e^Gm5~r>KDH$q
zXMyC}q8I0uUIs-I-kcW2&V@eAecIR=UMoCR=_7w~6vEL`>_P@Z3k&)DrpdgX53*2K
zo^*;p)4L0%#b@JUB4})(MRUG435mO-`KQoXI2FOGyBSx{&MuFe#WB7s_1s=#+;7iN
zJ6Lf1k8ebqF{}`1YG+sReRlJy8f(aQ@oW=Qq0YQH2wUZ0kNu^5U+u?$@$XTEP#LXU
zDogEJ2SQ6R?Z;M2*?GXunv{j|4*7$)h?pEGepps@;@OZw1?9zQP()AdE{?jeA@oDE
zBfH|hu=?1aDwSdL{x#>-=ZGFc_<dm)6*qb=l>84E`2!w){W^CXI4C2NK;xmqs*1|7
z*zb;Pqs=nYOt&57_bsjs$`-SxLRF$HjZ!`Nm`&#T+?TIsmhsV;E$OXo15GFwAb{>_
zbW)$KSv&pQ*)<)UlI1KUQOq;S&YiHu>X{Y*F_I&Fjx7DSng_>TOG{6O+cyO*1+VYR
zaa-<o4`YlTo?2+DI8w1WPFq|PO>;G9m3{f0x=61_pcd(i^>HH!5o~2aca?oe)74O0
zo_x33ZXN>Lpx13lHX75A=sg(mXQro{v8kp$0;SPFXfpC76KTPZGca)SOUT0~d<N!v
zWmMUY-Rpx?9M;jPTcV`5fnGu%>Q90y*_n-0EZqqZ_Y(aW#Y$MA%;HtdkY?GO!g@?P
z>Yq9`lU|bDYTVAZt%s9iU|^(@va}{cpEownCK8@<*7C=}zGfcwtlEF689F@R^yEmR
zVTnNZd|z}}<VK8r6yK~jh+8<Kza)_o)2}Qvb&aJr%i3XhEt`oCs?`u>nqNd1&}y)Y
z0+Ld4o)d)j<wzkOzEQy}42N?k%0J^|b(d*2m4X{Yq7Q=BxRo^{kB@~BuOX9n*S+Y2
zHFG{u^XE@!ex!6G3y{KU9#W7W3n{A+!;c`qvVa-sur~Vhqmc8>t(iKb((>@9qu%Mu
zJ-025d6~%?k7u_&>}(H27=H4(FqWm^oXS+#*@P#NJ|a5DpN6|$qjK0R3t<3L`yg3_
z|5<FDN2JJ@C#GG@0)uymhe!G3&C8`mirxWO!^v?Cq?VPe%`7Z17|=o_FxgbQ#Fu*y
zLE7l+>jLgIj@v8=%w*w7%vb}}hg?JC5YZ?W2hZT9#c$|>&i5Hyho{F?wNq}l&9Kp2
z5%?snO|#Iwy-*sw-pZ7Uuc(YguM8EV)@^Y_@(q<ps^w-7=@E-~^<~zBPb(dJOHyjf
zwAZ}uRu3P9m1Snmzr{hZ>z0r*;6YJu=7lR!<4h+SDZZIa%84gXJYb7H5b>>0Vx(lW
z*wJ#m%I*XU)bUKa@K)D&RrqaKQD&W$SS%a7<*NX%X902FgoVUr|JIyXQMC4}+T+XI
zLc&Z_R34>tp%3b3+p~iUc?h%w8Sch?hZb4_5*U;|m>D50)^E$RkO*I|<WN8T6amw%
zWq5TA08h%l0-nFVX0)gb0TR1WR?zmi5ss2^N38>16WQVqD9N_h!Y$na1z@WR+#Oiw
zijafk@&GZzFz;oXOn`q@&(+N9FA~8s;UWz>+NNd0j?UIt0z6B+5|p#ivdgs_**sSk
zkt2g48xJPBEVmI-1~8`~aR<FtI|zG9|4=N}yE5<8MVwFV!1w;@e(~W{Q(U=ve9ivt
zKqMsy(Wuf&Jli^lCK&z&ID>6<9C2PHz;LayZF`o01C-HN|H=^sB=?XsXc=Eg+@mhY
zbMh1dS5vxKS3qCuBOT@!joS=3ABN)bNx^YBq4&T<wPRnp-xdZj!8Jcs7KyxLLc)^K
zM2>QE%PQ}-BxcHAYh!8gx;?m|l@5Qs_IO#^oR;?xI_dr<g3DlE>q}Se?5uGhxpziR
z>>>r3Rjgj7Of<|l+ACkv{j%@}s=;zXjKPMykYveo?a0%KcgoFrQ^ig#9oJx0t2$dC
zCNda6c0w1Qp?60EeT%F^u*s}Zm3FM-ElF43CLz5g%;b0`Y)ukCwD**RFg$Q+=Py!n
z>9_K6Ib7%|tbpsQvcMoBjsLv6kc%Gf9jW`K0}wkc9()&BJqd#6gya=%wuYjNScK)~
zE5NWn0`h+N7B|CBp-h;73g_I!OBvFr-oF;pgA{0#BL6O8TAz>H{zBf#Ez_Z1p$G0R
z|4~~1xHp}}AMrF`I?QNh%WNvAydcmk?Gd0A+^+6l1eR;NJDgwcT|T1;;z)&ONM>;N
zQ`?#-Cudc*ZP7d3;LJjo%O^!rAZ8wT53zU1jA4J;pExUSi;&8A%+4fL<4YA%OvIR*
z{KO3IT?afgYHbcfWLx)M!Z@p0qw0Ny1;z)0N)aQCS$MJSDoK|*pLsNf7}~s9YjJCG
zl}z<*q!}4QX<EO)BNq;ZEeytV(05wsug3sC;g+3c>h2Vn^744#BFud>fFBpCYr)1Z
z1RlXeAXu7C0A(=aF@qoP1XqI}F9JTsq!aEM0$yayd=FuaWHyk^l3+VKa}Jr#DT|An
z&fzL|5j62CV!J>oZUTO}LR${{o^}i~7a6AQN>_g#0g2$LO)iAv6Pz4$_lO*{0GvFu
zd9s|&R4hnJKFT~pUVA<{7>x)yYcoP(%NoOr8u7rk&s?@4S;#QiK}v=+?vso>iltAs
zyJvW2=Cfk}$mupBow$Rxd)qdzJ9u!Ge&30yg-=!hHD67gH!Pfm{T!4dm5;=e)D`1)
zQ|dW>cFVd>|K4?E@sJYaJ|r*<zCr?TgZ<Umn`(;16g)3CkJF|v#<{`SSFDsp*Zbp!
zsZ~YR6^)&m7Oo`}oCO)&Z^}<Mk0kIoien6zqH?J&>jNhIUHFv8*V7yW@gdmNtZ)u6
zwN42}9FM|3)U%TkFcD~)k6?1Zfbtr3HW@zL@2qfhIlJ79QSO=2aVsHMp{HQbDi212
zxn$z>31}j!LTsi(PFL1AjuERxprbpnJ2sh_FAww~Bb2*_4o39}dooga-!3;0LvzF%
zh-Q>Kiz<w2@+2>3Q%Qobx_Y~^Qeiau)WUUO#p^G!kq?o%7ne<{%fLz*!1y2OGq2zd
zkRtU8AlvUKVRl0pzMdf@#NZ{i>{rwfO8+8wand&<(t{Tgaq;Lq{d)7GyrM3{R(6M)
zsf4ggLQk;t&8H2%niS&ZOL;<X42I7m-i-uvi`;)SwkofkLYD&2GY9D}P|sh__>Wc8
ztpFm8Ctk%1zVR5egQR(mlrH-j9lp2^@e2Ffi8{LANwURSc9gx3@Twm_2!5i*i3b@9
zuyj-T!U4B3ITS%|%6^B&o=ePb`JT$`xV|}Pn!tr-jg|QISX}W6oeY~FiKoC&(Yu0T
z=q$_ayBbxca*LT-pCV#x`PUGLB!;!ZNLL4&0Q?LV7hNx1*P8wc{Vh`zDq#k7*9I!9
z+ae0#t(~j{StuhRsvdk>Niau1Ip`@JPkz~04#I=N$ZYkek_b$=H4^ctC3vVEa%3Tp
zVcwVAoj%b~>Q>15#Hd&E{WCEXXIikcAaw4<#T2%<hd@0tXdU)W@4umh@Z-b6*GYRl
zw|c#de!FSuV7`HHTYBnyy`4+Es^=Gkd+gr7IpUl)P+Oelkbj%L9(N`q%M>ZezfZWp
zTTX5DRa4`DNrg<UU0^?6(OOg5Jt{MbMtM1QFTBvw>^Qa2((EpEfeh{ADC8TZyulWe
z@Ion`Y;>Y(TmKkm5?gL@6ijd4&gbdYiO^}|iQdv-(B)lVSv%}*d^SqXfr-r()9ow2
zNa?IN0S#!R)&V!*DDKKz5k_<}Y#qdPW;HbnMMdj&<!$b)#ac<o+sHW(pM6Mz*7>!k
zvbHDtZ@0296UQ6XEiq^};KEH^Y31_j5D?P$V<*u44X>m^2&UEhV67elYfuhUFyqy|
zZBt)xEGUH^%$Kj6UTbl#;ov?OB~Afp^Au7bUg$>TrtpF-tekDWY$4hV0-^bEBf675
z5<R4~_cL6H=o3w`Lc5orKzKhQJ|s?qtown=l$jXJOAaFm1IOJnSHLh`YCqbXKknJT
z6i*f0=n&~+lJLw(wiK~{0V^$B+D8-eIH@~exdfemg^I9@`T+{Kl(CDUI?Ugw7duQ+
z82Ka5TyysaBrLnoFo)m~Vy0PitOukNQS+mBOrs=BG4r_}GY5QCS5qn*y4gDR_)?!a
zztnR&J3EhZhS<W9PSdT*hHY$Y6mPM2ZLQJZ52gB)v^mm{4!Jt1K0Q5s8mKDp-l#7h
zN_JS)kEj}kXoJOlW*K!ZF)`r4HDDQlb7ou5jM`<pznmNc=fLtq)J6}_Tk7GHEM}?8
zT7U`9QKXuh9Nt-s)<;9bw$o}$YUAS=hPvUGyGgMSnqAcJP*3QX(8&ffNY+pA7OQqj
zj$uE(EZ~;5e4%qp=7cL?WD#$<cENftrE<ce?;4&$&2f>V@jR5XG0K$s>8VM&7oT+s
z2uka)`1qSf>M+JD=UO?3;cU(61Mz^e1#t&?N)#ByQklY0cBu{<)9X&McH{<WD6r#I
zrZVl-`v>2I`fwwJnY|-+T-+H-s4-Wul)KJxQ=8QiZ$rhdGT*Eouu{1Ur<yPN3y!5~
zpQlT9QnGP%=1CF|RZVaEhd!YMJP9QcUTUI}$oh^o$|laR%V2B1r3!afJ*T@Y5h1uh
zQl~|s5}w1Mv?JP!ua{GgouxE@1Uu5lE_X0M@TP<GNha>$viR_hAss~LmH@UNcZ4d!
z2D4e6p<LJ5LP^O3y3kMBLrTFv%1{4nHYb-TJ5&gFK}`E%LkQ(eLV5ryOeLq1#Xi5G
z=JqFz%-N?imk5A<u5f<={eGP~RI7XnxOk&Khj+i|xFD@9SC6%J!;2RXTaf0Kl^XZm
zbhR>|KKI;3lkmqdF_0GvFnebT+WYu`yJt?deq<V4k4Q>3c%W^#h{zqOLaf{VG{)6-
z(>nIRaeBzE-8_8;$ec1h3gA_pjaN`5^u}SctdNf{x14(;AFmex3gM>9GiaO8eV(`D
zwAP3or#GhBwNlYTd_oi?-ay5S@ktD*+cD;rMGKk;>6=qn<bC3q@E1_*kaC-~R*1|Z
z)Q=G>JfpKys<VM%0cJ6A<Cb^CI)%t$9K$Tn4f{eiC)CM3>H?y}E5yZP{CX=vMnl26
zOEecEB-VB8Rk8C^OkOzyL#ZHcLw3195ANA7PrF@RYY<Lt2Wzb8*jHMQm&f}tO{bcB
z3afZWH{drB$PX-w`F=r7nI1_(>Jy}r%O&;9h1+bM7GI^n7d{Qc=6;ICqN{X&+t!mO
z<$JHU%^;dqH9T_^LWy9P+eOTtR?}DQXr~`ix}uS$2X_v%E+G@82z|0+uaiFdt=>aQ
za`01bSoDx?--Md67m_${{}d8cu4*{d<a7@@<9n0DNWpl%16yGEyzNvhUFcE5kb)_F
z)GXaXlTBA(6NEG)Xw=N4W;9rQ`6-E&)NO)Mz6vQu`!9M|eeT<LFam~2>k;$@4ck5D
zpBy-&IRrMNKV~n_cV(}YF~==_q0)^gB^e`@DYHC#zEB+@VnHwLihpohyL9t{!{yrJ
zZs2tP^75EL3lVW0(Bvc+03jUlAbkpzNClkYN8nu@O#b|hJ3DV*P}I^z3V-f)M(hw-
z?EjGWPEmq($+l=#rEOH&wr$(CZQIUDXQgf1wkvJhHgEpjqt8D5-`<V$aL2f3KYibG
zj1_A|#GEnb<>L!1?2Cs;k<TS`v`_37Cn0LTH0h*)%V5N3$W1G_4uNM)F~$piP;?-K
zl}-N98zkQIkt7*V3;`>sfQJNH-|p^gJWVi3*CZU|B;G>&`m+A94NjSlE2{>j0XC*L
z*AI*7D2u%)4%R0(+s_cYv6EX<wU8!L&kUP^C5yd@(#}qep87&}Aq=Lc2a32SNr6^#
zRb#0VTmgkhe137Ekk;=i78JwP;b16p7|)d#y28n)@vUvMxrTWIdn}1irEvcEzP6M<
zLh4<oWvN#pa6VnVU)yR-2RQ{TXj4lc%petnO{vqFdA3m`Wc2EPth+O=onK$-e{Ss3
ziJ4*(Ue8{-k7bP_YV!W2U#04kKcPr1MWb*kPEJx&8W(TyjR}*TApHr!`JfpBgt?x!
za9@|^qwVT^YxqqGdJ^0J*|`m+?o8TTPK8jt0it@4q0C%3gTx#;QM|)9fqe!#?~jJn
z>pqxO(n5HokdUp_XKOFSd&2d2>9UO(dbheK>1^uv2M#ZiHUT5V`W`C3LY;sQM#OnZ
zwnkDgqoEPKz2$RqHt=x^4;fyxcF(jh2N^zgBq|?OO866xw6cH!qU}MJ+4G+^!>_^w
zGyfBBf`7V5)bocHLhxlkN5Hg~v-}ZSo-|F~lmJbE2Y>-Zm>NEY1lH;5Vl_1SkzNSa
zy~N91&cuU7<{Syi&oIjR)^9<33Zaaut~}?N+PpQa5Z2;>DAdE%=h!&RBI)UKMA!z#
zN@V>g!m)4WP_OVNL+nQRE5`~c8FRHz#2la7AdF>&ZvTllfk6cY+_+ct0}mG|_)SlZ
zuG-StUPR8r;yC5ThSs07qoud4P({Dc3*|2bgMT>^{m0@(=gJd5SN~$=#{t%AAtqk$
z9q9_V+6MF8G7Wb*6EZk=QIIGu+tdV=@Aq-0yUhk}$Oa^kTPk(j&~Rwn+oDiSNN&rX
ze)Mq4Hp`}G?!ol#X)6SCFSC4^n5eWZ8rXmn+59}=+p#_TzTOmTp}4Xc5%G4EY41?c
zrqAPWWLjyvE{ps5_u-sWy0k!w!*R5n;3~n1R79&l|Bix2CWkB2Dp|8-i(xGl(m_@s
zrg-wR-E)DRdwa4L)>%(2$o*DAWySGtAI3yd42BG_BgW;XxKYvEfqO1zAmqe))gZS}
zzD-a;MY8NZYKeaOPHpeEhfSB4A8)&tUDiD7AI^{4E|*iu5)^_KB@>7i+Np;NL+{OQ
z)_`g+<yxMhFHsxNPJA1@BHJnfBZG?)8cm<wBDP%MIaVy^H0F!_4Un!)!!Bi>_h;BT
zo$Osh7|@{E9Rd?eq8oYfZ_U}Rq(>L)Lo!V^fVEWRF2+_*K?hxoelxeo3M%?5XgyjI
z!YXHzEqPlpPku2KV`bv0LFJ{)E*7B9lqV|RyO)ZLFdq~(8Le@Rto8{#5f2q2BV17?
zL|n1u(lbP6{f*^<e=~%eNgo(~SYSvUp#cCGDrfv)D^8#CAuUT<I}xT?2VZoendUpj
zCHMD`vr=s!Km&mO#Ku1fH?3iwgcwq(XbF7L1`yL4cLqFH*&IFBRzh;iECjxPm$s7x
z8-YbeFi72DJY~-^zDmHX$8k5tcoaNhH-*MU$#&IW2H|z742Te!$K%tecuO;!AsC75
zQ=t{}=J9C9u(C?~rH$@=GS@@P^K*&&#M}LX2Uzy7*oK;YvqtE-HJCOeK*_zhC>Gw>
zN^c?koch!`V$?P%%(nVyoFxQSReS}x`u>TI@-sX1m>zl~FCmN!XYGf(QIR^mx&=)N
zyT|J|sf<R{QNrx<C4>Z<C14cEl;?j&wN>g+(>aA_p>kYQ_eGzXSXDfpQ-QONEBTqm
z!i2Z7X>&K{akWD5ndJn3(u*7?CJMg&VU0a4Oy_fPs_O0%B;D+4<&@Onufr+cT!Q-Z
zAXF1y^9Lm*ojv8B0^DCWBg0%dMa`$#cA65FjI_dXHav82o`F_XkAbF)>(1l}VCIN8
zsEObo3ctKtCIUbtL~62lrDkV%Fl7X#I8)Xaa>%mVVa<zzqZZ4h$X&3-Br;$n3<~tW
z?_(Ar1^6()q)Bcy$q^`btfv<Vtrc^Wy*FRy-aFql#!VGlnsXR&Ql>LJr_*+N6-B^l
zM>TV!ZeXRy6LC=;Ldp5*d+t6T+1uYQE4@0}K%p_mBVATa(m(ILDY&91k5XhC?k(%9
zr&PsTf7(9Z5ngj>ws;hb8vSwN?3A+h^n7D%ah~`*zrAg42M@J7Is;@Zp~OrNTbqzg
zyCPoPIZ?H1L-tZT*Pn%s?sQF}`{TCn&Qsh%^VUf(m6$lSZ5~ju7t&SlhseO3xjTyY
zkEF@Kn249|_9wvAh|*U-U)AUg@VOGUMQOCGa&G?+@RfF|dqYd0xdNJ8W2xz-q{(Sg
z<{vRCLBB=JP&KuV#nGi#rz#W;dX9SJG>>97Blu#x=L*>?wM99MSA$N+UpTTxHR*>8
zk)JM2fU=84mLWS!`RaCA+Cb{<8l;ZUpeTJ1r~12y*<;+~CT@?WcD9J;kKNA%LPtZ5
zx%T%S-RU}OtEBRm&cz#K$!Li_16x}qLPAG`P(=LQQ#Kp-O{e>C8#|>>V@$}w4w=+L
zr}WnXOYUg4&{s~a35<U?XmMv@B*Aqt7BQGxL_mN*rIUr^5X#lEP|y|RjM<d5?B<kI
z&Z8RzOwNAzhD6fxJQaKYkKGx#;bD5;Jt*udPorQOW!mA@-2I7?2W#zN^+OlHQe-jO
zq0*^h{-ex_K4F$%-pclmy1dh+DCFYZAY<dehQGFRUgN{zkO?_v7tA_LIvGOBGv?=l
zTBuaT<m1seY>R(r1x@zYm}FxZ#l@2~#`${z4t6A=Z9gb#Jxn=rh=icb9>4Utvx)>L
zB_;fH6a*_&&bX6S6mdBns3P?vr1}!4lPy4!1bwPD9*uk^8JM(I>YW6SL-}&y%yRxn
zY1&_!2U>g7Dd6*XJo$dwG`b~J*2I%2df=)3_zs+30l{m();9S_=CQghih`sh>K3#&
zPLRA}g_XYIfK&&J28|VhV59a9g)C6I*4*#2X{bPY_De#xTA#df<Mgm<Skr@5p<pl$
z7RO)adRXR%6K2@Yn(l@#az76!h`-O9k2HDkMaTsv{KR)p1%X#ve^?3<V^R4@F7}Ra
z<uP++S6~Q#hHIHS=AX%rpoib3s9!&riH42#nHssUYf>23oqBNI%N=>Pra@{~7Teq6
zF}bs_M(EsPo;Q_cEqS+|#!}KRUw$L{=klp-w%A&A;bHgQP7~J3iuy(acvMbKQ_EvI
zS4&xMRhw5IPx^2mm!<+4gP4pW&f)W^4%^2gmctd@LO$`JNxbXIl`_QVjyh1J6)*2L
z7(8BhY<~2-GK3XsP2PY>d7z_(-tzTg0Xms(L0j?^F8uG(Id=a;9sk8i9aTLYgKPxn
z<U_VrevI8Qc|2VC#yGdJ;`f)DFRctQ{m>tHzG=R@M}%Rh@K3T}16BNw@;Ep=OJSwQ
z>#$ytKFb#hDBPlA1$n2g=pQYz^JsN<qpz<%?JlOA*SN9I_}pgs=9?jwVue5RSC;}H
z1qb2HH<h~~tU9Dg=9_sS1ta0d&)Za<ENz<7&yV*56u3j!?Nf!jY}-PKN;qsa7#kuv
z3S-Kdo{tM_%6GVz4$9#gsIl@>bwJy)!-L)9Iteu7)aG*R*0Z#Rb+Ixqf*vHr*ywU_
zmQpHQv-O_kj><WBB<4bI)g{VwsE(T<-J@Hm43|YL7YDZbn6ck=<iW^=qoxX!ry!Pw
z>eP&4{yqyxCu}1gfkdu|OrU1bfx>JVpRD=FC3`Yu&luclI2Jqyh8b`5;vA_7-;E&`
zus83xr8G~>fRJ=n_xDQ8(uAOHI0X(Zmx>L@Fmn=*DSpWXRX=0vZKha6`JcRjGpoW+
zLgyU2kbVp)!L~ui+-Fr+cNLY*1V5*xMw;xaO+1x3Yv}rLun^+>G3>s=c<Jz_4QCTZ
zXou}W<I5NmQr-t^LN>d8jS{g#C^v$T#WQ&LwY60Okwj-Sts&jgjJKOmT7+dxh4*0*
zLK$XaDC2KYTWnh8*FBnT@=AR+-l?aQ2rV8<Ks|sBrt=mr>`;{Z>C)cMxc;kxELt*L
z7VcY1SY`mPk0D;gWe@jAb$dQ9TA=Zk|I75Pp&LKLv4QkJiuL}rP|qs!jYlDvuaWdw
zI&@{LRzT3GZw~3G_2&A<x2ncWm%nERuhFE-^`U}c)O_nG0S1!On)ia8p+s6;z)u_<
zTVN<(biFA0k}3@L5c28xz}^j&a>cX-ncMF2B!NI+3%v!FP9f}UBPAp9VacwUI>^To
z)<$45R4)y6y2ZMUrEd%il&@3>a>q1V%9qPap2d~ATIzoOZq~qH3}?8AIj@8A?uRU`
zSRO<9SyiB2Zcq&;JMW|#(txqSXP(RqV#aTJ0ovM~^qya2wPKEUB7=!QH|o%3XeZ1e
ztEh)@JqwtyeD~m)ys!s)^F`qvJDwxwOUDY-4%(W_ptTZHu`48g3J)d=H4Ce0i_|gq
z8Qh(ZGUzYPZ17E^vj!WSV_3H89Z^0!ciaWvqsWf&0$(@!RQ;o!ar<RsRp*OIkgL#!
z$g+5WyB?j?e~jt+Ql5jXF<)w_b{~SW5CWmCeI=Cl4HPLi+xZvOW{NPZZ^^N0>n6T2
zZ&1MAczOV?ICKewb5Z(X(^E?xaL}`=Jz2~waTl-lQp_w92-}?(reirvj1wEdO;#sf
zg{dH4I4np#ARRcLU(4?b%r`T`v*_5k_2cCOCcL-^mSrT-$3`c0*+q(&^S&Sm+a$Wc
z{C^UBQPzAvtRTV@k^k2AIURiJy0y{+k$hsVY-??2h|8_8JzAqiGric3aX}*g5CB{e
zDP3RibLQrSN)<8|YOpZ15E$)*e7BrVd`3KH<MUo&mC!$IxE}Yawz{rj0r@q^L7w5`
zWJM^6L^A|gOH5O&_t9`6@AKeXN;&*Tz8WAnK=OW2C`tifzUP7}r*E&2Hz&wWUn(y^
zkLWd}_LH8aUv@8q@A~o;M-=YoTbOcGKWU7zFmyZu-ztV|U3`q9Qk1SQe+3m8F7#~q
zw{X9{^m~qd=*+X~ubZV1dpfZ{_K_I4#hO2xnl(QaIQH$`RQ*U0TiN=mn%a5r3?@&G
zp6`@>I|KJXQwHJg3Je!nJDIhneuUY4titkqJNxsg2+tKhUNw;@kp;nezO-6h!q#!h
zE5>ZLD~k@q!b(48^GOZ)h8EA3DM$CIB;B#e@JZ!4@bswoRx+wWg3>ajls<Z?Nu~~a
zLg_hh<J_PjG9H#9d;g0aO-%TE_O?WFsi7T}dKs<5aUdG_g&Dr9P(oY7bm&Q-pbA<S
z^P=?uY^Zl}Ht4?ZZdVaH8Y|&+eqC%R_q709Y^3;`DOC3T32(d|RpZlX1r**Ji{HpQ
zM;cO28^QMRL2vmIu7W7JOuH@RereE<&v(MDn{0|6&CQY;<-<@Ep-JWmq*zJrD&ZM^
z%R@e+17;~qB#<0|9<$BpJm-u`5n|fbp=Xrw(W2VR)yl@k>vGbMyBWB0+0`6?Bz{jq
zPex)KUNAb01T{{0nsonL4gQYSp@p|EaC%sA97}&EJ=q_K#lOH(DY3emQE#K9I!-(9
z{)Xm_x8UGBcvg`B1A6<V@KW1ZqeJgCEZ2Hwvzf4u*W&rd{?p57@kNho1vjzBgi(JI
zui9#rOy-hBbz(JR|1xJv+IiyHP7(dH9H0-NPoUEJ<;|k$Iqe>XhC5#@ZoH4x9}3?J
z`<F^O)BS~d&ZLmihn+d8p|(zK4e_rYcTdt!J-)aa1x#0}nVXK}=bS|{yQN<-kcK<$
ztaKAVL<U!j3$w3iwKA7HoU`21!qWIGRGAfG#O{x&3v6x*5Q^Hf#;HrxHwMM~p}(8t
zh9XnzVy|7_z;>R=CxeoHXN}}>=o^&gXK@?i&;3$s31LChVdaxqiSeZiNLCt2RiD#_
zf#o}xpYTw8SlMvU=eOLwFRsC3FRBk*=RPDc+sme?<D@^z%IZlga}6{pUT(MFr+s*b
zgo%V6=j~b%IXpg|oe-348c?|@mv3%&n4vtF6*~WWbULlsmv-a4*{EY;6_QwnFm)OX
z(OPJcU@Vut*{*zJBT`yh3_3OVGIK)Hx$7P>CLF-lpHMvdZB!93hkO^E{G*!*<kx_T
z+Tn=ow$qncT~4&7z!r|<eDhRx^TqRSspz4<O0<x5s(;R9)~4aKk$HgkU*mmY8PNHB
zLd$J<o8dM@)AA%?%Q?i6m5XCtmP*ZxPgZw>K`fLa+PwRPAiDZ_a)9Ku3{u5-GkPp!
zSanGZCS<2p%92VPedSau%i`_F+{@o(<ArZGGmX{u>x*fMj^6?%L%UG9gO33_EJnfg
z!j-QCg4+okrmL~GKM=)*FQt_a`&_EE`ZDmtvO*=E`V2b-sOclT&~icH<{hE%^cM#*
zJFIBxy}qaBiAH95%&9;+sU|D1KzSGX&8Wjnk%2E3(eeJ^C2<iq_QIQ2j(YC}I$CXC
zwE<6U)_V+Vc0(_?#_wiX){&8yp{)uMnl^zQYIov%C1G0W^kd(^FHJQoqMh(iwtzk|
zZ!gAFd`;T8xi$>y!qj-M7Gu11gjTw56>rH(ce_~kzxU1}!PYQOtoY*IpP5RXRf8eQ
zN5`GyI_z-8eNMJphh26(`-Ej-(rzlRk1pwayOD6Dp6Z!|#EskWnl)U>3wH|zjdL}n
zsq__x&vzkr$@ud8rNObxwrlXt5eBX1LLK}{utknT&V=FoTAA1B&?zwM%l?)pqgamx
zyTQQt718Fb$2j?;!|Fz28%q2k>OlrJ=IL>KXyg3j0_R4{nXCKFxu9{hjOG=^w+=>8
zUB<Q4UF2!Uz{670ciIi-lgGmy74uyI`I<_pliP=+>#*{rkc7z=T5D`lP%_u_XbJYf
zllYfM)iy{gs#9L9&bL-}{G#dXV;4B+-}}O}akm5}X&@*o5JSn44x(oiq0!o&ZFs4|
z0JNc0pE7!VPp?lE%avaZyr0Mg(%(ILYE~Z5)7m8%cvKyzneAU8fNLQfh#u7nJqUL8
zXAoY<MS%0znBH3nw0JERM7sV(53hj{-SuMb`HGDt3E|)jF2wygG}F%x4HBi{;wVgT
zG>rQ5*{@YZ2UHYBQ0JQ6Aa})1-utv1iXSe{RoqR(VLU@UJ~q-gKh$7?`7+is(_O4I
zI^$HeX=R{@9G44pL~K<^M1`XFOs#+*szMtpN<`^Kp!p!0NU>mX2ucaPNC-O%7;LoW
z=pz#6bLJjo0*EjmPGN6%PO=3${lU^({>Yf)SpBMh4B60A@X1DFZpG++@qBa<Tnfhq
z>fvNew!ADYws9;XTCExg>G8;<L`5eE*N^NtJ^lPFRDybN75A+<V{=#A6S0{dcw^hZ
zV0u=w)f*@p)6X=U(vFMPqa=)w@@7=jX79L>hxOlZB>>Y$Y_tBlvkBdTEZ74F`;Eou
zT>U77lt#YdJNLJA<$_?|mYuiR8$l%=DvseabV)4iZ!nC_V6BGX$O#&DGki0+p;c}%
zo7bviSxbR*KS8pUS%7Yu@h;@f$>51jOu8u$G6<ydr`xEO!T$qGK(xQ+`fZuE2^j28
zY2<~xlS>ju+<tF(W7G?=4fHusPzv79K6TC}@O&%RD|UXYjn^UA<2z>}gk+{5#x1p{
zNB2%Y7R(B0QVtC=Gfw|9<O>T-i7%Xw+BSLRpbr6_+h2tOQ!V8j**s}Y6&|>YkhvGS
z-M8wua^R<eLZ%Nuh)r&Q0EV48LxG`Ij}B*fanfKAJ8r~>J;wwZ4vre!bJC(?lDcR<
zOn~V%f4uX-lYy#UyG-bMx3?CAB$VLG6K_Brh9;2Cj*HpvI~<`RaOt{`6<~fxzX_gV
zQVnhox$h;0a3WYF(hG`Cv(>%Rt)jJdkqFR^y3-fbBObB>sM-)4)d_IpwwjKtrNgQ<
zM4P@H?4ZW=zHu=L_9f^N$nLMy2Z1tbHIqfgG~u`_)lj@`>B7&k%3u`qlk5TUNun<}
zg7GFkDC%~0X~z#bwA7M7C~T(R3_Oxe4|<_+GMs9ev_mbZ6#z0fhAVI|_~=gEcGup!
zefyw65Ot4nXz|dbn?7t<XP~B*FI~4E?3IjsEo)RsUkkQKMe7#@kP8vlKsazXnipbc
z?<jNVYV`T!q3E+H+fWO>^pGR#8|xL>iJP?}M<|gaXh*wk`U^9@$7}#Pg%nSo&PBYR
zqro!A6?lsrAe45$iO?+B1BDU@XilDWN4UR2?W)zqP(YWj0M7!Y2ka0nIvMZkIHQ~~
zc@K_OLhM2duwY%<jHxY^Nqv}Fx<EpX%_}t=SD9Zq)Mmn_k6sO`J$f_m31>a1HUb@j
zr#1Wm!p*H~Bfw(JGiwFzDmDRG?aE`IhCm~G&!~ZOu4Fx%+{GaBl@KqS4dG26$aN|K
z=6uHzUPo<D(5`WH>k1b}7kCWZ#?RYeNE;1L*Tue^079LXoI2NJzc>2ZXt+@&+IT>C
zW=aZ%t&2$j5JpAW64V*SpCenXwE&8)z`c01n|K>CtLZ;zCwl{NbZ{8mhPTdg40qS=
zcM{PRo#`Q5e$rtN>~R_*!F(Gp)3?ER^zR;8sU#q?fjr=UL<|G8Q9ZQpc=VK0MylBb
z^s`tBwiBasi`)P~7`b(9^)Nv->v2EY8s}8+01jLo)}Su4MdlUL^8`il1=*#JZ|cTN
z^;yYQIUIP?hzpE1B3qNitHpE8Z&*7^CU?bqo4T+>wZmlZ=u}Yk2&<+ziaGCL3d`#M
zlV(>IR$9PpelV;_1lZSda9i@j76zI!>de>G!hz*rP-@Oux(-k4{C0Ok=f=3`;qqX0
z*1P7NySX^zwr+{x#vtEuGmu~^)IWiD^6iZu-q;_kK_W)b#quzYOg_QT+y`X{X2Sq;
zOMQnH@@TQA57vjL;>NojLXBpN!M+~4WgetQ7P9SdeBOf#KyrI3n-9Oc;UADxf4WPE
z+S6whM#DC)>qR*pz!<x})vMSsv9VdT(2E316=Yyo1ZBg;i%07yGunrODY}K)jt=4c
zz{7Cg#ij5NGt7w)<?~Q8G&1kcfy`Gy-a<3nG47v9P>%!z^%#c-M|6nN-|*c?O@_%g
z<I3>Cpe4>7H5?4Zoni)y>@*pKNSz#Hy~l$=TETXLQDZ0=ez%wkK%bgeB#tc7tKJ5B
zsDbueiB0SLG&bFXjNYYjAj_@g#;6zYTv-hz28I(MyQe>6<p62y@r=CiDql<rRtYlg
z2?E4L7IFQKPTo_Al%6%YNv@U07kQuH@biO3P#5L{ri__IdIKJMo$;F(40<y_8N`Xi
zu*i{t>);J}2BS=Y#4;fbrnMeHHnTNzd+Ni2$A~ol+|-FdMMC1A0kPdzv!usUNuww7
z&$W(p=v@ejVGth583(a58YTgcEST*nX#zL!Z*2p?3?3TxP2ixpvCnif+({0Uw*~FJ
z9d3Z~Y(wag({iPn9Qrn+Oo8`_faSroiXlt@E$}?T^I-#XJ#itcAC5-f$N=5fi#(fk
zVsGCZ8o<WpG{k_tgg!3hfDO_^fKvRtNbBKpVnuuERX6WD!T1TUzoo^@?s3~Q^k7+&
z5!?*v3pJjDH4{3a46wx8ycoR|vP<JJ9=#N#0s#I1{8WaU3^df!BB-X@OMrj5XKD?q
z1fdFaKq@g{77gh^q7SUAW#CFt$A*BQY&%Im|6xtO5!G@xqw@>lUdpbPOwZ7y1GHy^
z2{swzew8s3;(X?l9>W9(!iH#vUk_N8o$W@~(N2FR<}7Vj!4GmmU{Z$#Vv5oPlu>A_
zPc54Ru~KTeF9PBjQ}G~U`8=>EsIQ?=fUux;nJ%_gC3|=fY}C00qJvh;_hN2f641Cu
z{jjlx0AzN8K5-LbN7rb}{Af*&*7WG!BpKLYPQb3Nnc92AqC-i~+F)1EL|b*nR*rr`
zdva(2gDqc7>i{o%+IkoQpNhcNIG-(mCgD=5)G#*6JBX0^t$Eq9*+GWfp&E#hmX6K?
z5xB2qN{(Z<2p}0pk<a!-FLt^k{DjLkxS;kN`r38J$&eC^5_}oPq0Eoc<Hte0APIeK
zz{5-Ut0?z{7gS`U=3HgRys=5Nva_f#yipqVtAM%#0dQ%E<iwQ|*Q}&%aUW=y1%Jy}
zET$U6X{fVIfa4GefUiAM48}(EOH${hzn(rX4_QYi8971zQ>?p5HZ~g?*^wQt=G;wL
zU?-bCdK{$JNWg+r90NHq*1FY`-WZ4?BRjMgP7|=-YQ)$*!fy(t6Md-zfASbGKXlGb
zBjYJjyGF<Y^edVY7*67LomDBI4a7}rbPRfMESxid$t|Ydh|}7A8E6Yzae?@HFoQ9U
zNl@eAE%F?BwaeMpKo)ALTVm4=dw#SQoljab-Xqo?SX39j4eJV>T~K&DA=jYZj<1V0
zW1DYV@zmWM^sTDeQ7}t$06db4Grt8X^VEyelk$n<%-~^+t@WB_n%LTl(*7ge94dxp
zwgrr|AdY^i2^QEz@qcpU@C^!Fy(_-9`c;#G5NWUI<kd}I?wyu^nRpg+2Gtn_j%8n<
zt(Xk!Y;$mN&B<&$i8_JMM$#jk{7%^E;dkBh*#k;Z@lB2oRQeK2<#Q{yYxUV6f-h|D
zYP-yn^GtLxm`4-SF!WZ~y(M=K7{`Sl*~EsgLr+LAiK8F(HSemVz|pThIUu^aRdh@4
zD3>S<lVbfLgsgh+4&?@W+M@lNkKqq4R-s{F>A|D-9?2mR3^41LNVn*fbI+Ig4%*$|
zz9O;O2@d?Clbl8RE8l+De&i1JCqcvA+DLHRdZcR`hP{K`X~QpE)?YzU0IQEvLzxrW
zzJT;nzQR4wQoB(<uoVQ183BWqpD*MgvJpgxN~p+U^$G$^>(Sx0xU|qLk5G#~YScwi
zU`!gr=v){y>h&-J*m`(7B8NvpMq%}z@WAeEU+JgOECU%#xVu-+J-~Hf4EZPY*#laY
ze_=q?H&>;Y1ul2Fvc7x5@ui~%h;pU(L5TNt$eW?D4v(Am4agL!q&fr%^!7wZ%P<zN
z-r{;(S_!1ry%QGDrl$uq-}JF(!^&gAkU<m3uXJ#AgbG?f<4Hvttf&RTmalS?NA?m_
z<^owxSi|t&^0`LI+4YY1w}G06xlCbf7-}60<L*-OAJ^v0ZcI1<-JQ^-aEx%GX+c>2
z4i+fd31Ti5knFAZO}gbb>Tx(cNX;=xXj&<WfmK*3;8%ii3iR%)2kfpt<(oJKb}3pu
zHL^+VJkdmB#(gV}fHlaCsK5}e`;j<;mzF(>*Fi}y1f)rA+qE*|LO7J_Exc|>0=`Ya
z4Er1CEg`W}&J+lO_~+4(A9xJx#cb(J<?WMfio5Y6=O3(N&7p6PL}}8j$4IcnTjM4x
z1zekIaABZlvj=(|NN+a__Y*32WFZ7z(T&F&Jw0UXh^aOXFL-ET83rBL2#rj1w~+@V
z6?&h!D4bABxL6Ns-tbon;5b*xb~K<-mFQCy0B6Lp_QY*}J*3f%ww`DBsIyQAX9{Eg
zp-FukH!T^wEmFGS_yVj4nPE<NIciGEh!C=xJ2$T@{>oslCc~3RZ>*qHP`w|CL+HMQ
zQ74GEom7a>d%X*&l+vFVUIy%-+^g@Bh+gX9kk!?4)FA}Sbk+>OEF;eI+5XJo-#|?X
zK)a@%Q6!ur6q{i#VM3mhx_#YLVTPgfwSdx_-*GV(f_AiZ<Z%`?NbFC?A{cb_cVXx~
zXiA-@!O&TmSErnaG|WVv3oGUK^q0up&h76n4o8QPJDb=ax)QTQBBO<KbfnVBu8D(i
zC%yNlAI44tV7cL%<=YAB>jZelbhTX(!(xMX{??mMAQVnX)2}bFn`A(5&3pw9dL6;I
z%_pxf4Qs*fE2WySGTO2P@HH~>{*6cRlbJWYZMX`c$ccdqc^Tu%uO(g`(d0qo=?Su#
zi<LCpiIR+1fH2DKc$P|yNf0<q+f2RX*KBtn?U{oR4`VS#8-QmNHC2)6EKtiaM7_hR
zG};^7#_9y97JBRtOJ|@e!Y4+^jFkoe=Lp04=$!;Z#sz5amK%9sN3)6R{?6b{o7oN>
zav|tpS$IxXm>!2<alVXT%US)6ymh>zy7V79jr61Y0qcwKLE+RX9fK9n6EY_EOnM>o
zsaP>EB1qRuEA4=0_9??#tuO8=$^cQXA(nN;=r%yJeYQXHF*jeJ<yIXPp861Nl;kjU
zPzqlO#kErsd$|Ks=E7WJYa$)?3Lz6>DoEui{-D~az>d`rOCV~TD%ZGyg+_WS^hCk@
zol6{@k(%gH=B^$f8<8CA+caod@CL#+#4O_%ST^Pf(%?NqX_0>tEVd6+{Z)lasN&Z_
zG##tE!8zyyYC5h>{6i6zgd(_dP^d)@2@B~c2fj$4dkAG`!A9Wf;(z5-y+1iMiB7l5
z<8UVAf9y?<{`BpfU*HhlCE*jE?BCL-@{-F7jW13fXYIgIC};0YAcLZ;1dpsFndKUg
zI_RqAr{rZGWN7V)XA#c9hfKMP{!r#a6a9(!pF7$E;sA;PD`U3$S+Q5$H?!f{^=?8b
z!Gy>r_OB%H@r1fcWT3~f7s%6d?nA<1r0y#XNi~J={z36Pd)Fyh_@<Mm%tWz*AY#6S
za)t`Z|Gk6$o6PsMo0^qElg0dEd#8-%*IZ7hC~C0IM{Mi3|19)v@rDm+CN0O(K}zFO
zjrs+Go&kwsYNH^%4rgeO9yvddWz91{8Q*_zuggK`9oiZx9tujTjg-`HCzDhu#c>?;
zNyQuO(XEXJQvNKilen@<Fdamzo)-WC;{im{3+RGI0QkS2>iHt*A-_MsWxfOo*4Z+O
zqnN~3#LFbh3M`B<Roc%((X{F%P$$+QvBnn$K)^Tyk@SFhz~{XEceNZi#J3Avinc+?
zqSFWw0(eiF4I+djLn)2&4y(p?qYqLL4Kxmpi2ejJ76AJ}+ZO=APe5dczxm#!eVxqU
zx$2A4S%X?O2BUs97<TOR|E+X{1FX~0B?VmO%qD}cSJEXBYb^|@-Q_e0>-8Y#6vhH~
zL6-j45DDjGFQQvwAKq&(bWxEJ|6us9=ft=HXTz9nzYCj4fdVoCAZvQJfJ?rF^=c4L
zWVe$CoU2hdS2U8&BtgKy0lRDHK6*Y~Y#Wdk;~|7e_!SXa5qar~NG{KBBcIwtU%iMs
zx0tuO=M6TE8?P8On^!IQR&ghpT|#L|h+-*0vewo*RLky$y~wT;?MvnUL_{GBz$V%X
zR#{h80AxMIgfPtvzeedSS}EBT5=IA*b#<RJw|pO<*&%WoJ27kC=xa2qiJNDC{9&Rb
z><8dKGg*ot5}@5^&82y5i%;(mHvV!=*0Eff!AnTzxS-Ez_Dl+h8jJAlpL#hlh=Jz9
zVlh*u!MwlU*kFs<1O$?V5C|BSUoS<Eh+C(rO9SrKJSMHPd7#LKL1QPYrIDe=+m_Wy
zt`HNn47<q(@2X}~(}LICPf^k1t;P@uav<PPUlm{D?lx{y4GVa-q5F}E#p!X-6<zj0
z@(Ze@mlOTC^K)(I>E-(GN(mt#O8_S%#zY7b20#c52z&@Cq3<*|%ixRSw+r2FeMx`T
z1OUmssh>rU=zhJVJ;5)Z#V$>mD~rDl4Ltk`%%fSHMJHzvu`fKxi!dFRnPhnaeSVhb
z^oG+>lEN<OCc`8$?LeMD)!3!u-G6WrG#7b3%%_x|nLl-qIYjelrGNV<_W8*b{3ay=
zWZh|pQ}%@*0R;@qWh3bn?(GLrqdtw2<YFk?MzQ$n#PTKm2_1{*k=S#ys}7Er!eu`&
z!eBUjsVwBK{6c`F2iN^Q)^s_)F{J|towZ@z#LZ%V5!_kJdQr9h{j|RQp`jC@T87U1
zGLisUif$|jqLB3`N<UDR*VxWvX^{!^pz@-@BfaizFA<T^K)ke2=eyHuF457OAdU&j
zCs6O)A_+4{dK9`W<Uzyu`4DzEn&4B!Vf;okSG&oY;(?%RU8kt4UXZ$3BDTT&NuLsb
z=|2TU%VktoOXYfk0|J&*=SOoEm7X3yo-ey`XZdOF_Y(C4zjrKOtu@84#YrC?N!{0r
zuoaj-INbBSFZ46PXVcO-zOqqOzZjYwO7N`<4I=va{p2U^5e9wi6_dBNqr;W={>^SF
zk4w0W=GFtIl913SOb`U&I?0+I)SUX6+0GThE@B8{E_wgPUcDX}7K~QEZNB?SmN2}>
zrtX<iZ1|MQ^L4QHp2Ds7V*&TQld}86`0Hx(lJ9F}<(ibdrH5BLBUMjxf66+3Sh>m2
z!e9|Svew}Pe@#>NVhy=j|2DJ5_?&eyOxLGgA$?I<RqMlgQj)4m>n;ZTY9OulWh}2g
zlz$9)#QSmKVM#jgI~;df_vNtw_^dGdj_%ePa}GLtWY57??GRP!US#@;F5UlBbGe9{
zzKr0{0`f@o9bK4RT->+kWDJJE<z${T8D{3MUWUy^&ye4X*?HXCg*^{J2=zz=Mddw#
zh{Rw(>Z(R5aXy2l$G+|^@e)nymety78PBXQw)zH<wqRb#re8;(rTf9)?bGU>d$z$e
zoucf1IJn1In;^se<iF<tV<I#9CpQz%FnXBSP7$&lv}ND%mB}HvdMB7ZC$BTZnVioy
zAKAQ!zi_a5y~uO;Z9AdGz_Mm3>Hf(VZ@+yvO&r*RQzn|KuCkVJY4BW3(-I}?Qzkn`
z2a-G(UP(`AyQe4K4I<UIi<1<Ogma!jhN5xVa!m0gKomTo^1_a*Ep0M)FRr{2L`QP_
zEwi}XJ=1@>EGg(FdJagjLL=6)dB4aXO9L#RbL%Or%JRJn9x~BAB>wnKhln8u^3XR^
zA9~*(%p|)!h7Hthan@ie+sZAH_t0qxyJAd-YlqwXqXkbY5x5c%TW&Kjk`zc>qQ|E0
z)+Axl`k2RhYSEDCmKA&Z(%$W&--|2)Q*yvHJJCfT<hDaPG`4p@jZrzch=5Gd0)|<W
zw&P|lStpHeredj<Z4h*2RvQ=ndKEJ_GgyktRqZPdbH1ohdSltu;mX}deB43#?xFl5
znp_054+(3!_*$WCDJ%})oNM9ty)SVNnx3V=athC3jNS5S@P^#L3cqoFNG^QPty~S^
zpM1~;g((FRAM3knaP92D)4{?s8Gp2H6|%I4XvEu@j=jgSiWmzFL_K-!e`23b(-9VQ
zC{`C1O41WwqX~<VAm$6}TO@J+er>(UyionU2R=u29IY9Qn~AS0eMVl|uf)e|aA7_i
z`(n>^((@xVHB}Uc7nk9%c0iK1pS}yGT-OuJP2v~}CLy%YfXNicdB)GLO#fG^ounL&
zU;xadQN*NN#NoDQgwH-x))WztmjuCw$b<kOTC7oCw<Jvu0+8Js%+ykw9`bWC<c6Ux
z9q(i4T|hhO@rp6(d^K0HqU8xr2`pp{ua(MJ1_TTe5N)!H+7d<aFNovoS}r!O3G3>F
z=9LhaJ4^(<j!}z4o;&~tjY-~w(KGl!5h*O*KW-NN0Lvl#b0g=^N4;ESp^^%ODXA9H
z@mgi%9<we(q%1|%)2wW27mXRlvD`N!aGlEbf<rU=2^(Mgus>b>y^d=zB^KF&C1<gh
z9V@O1CPZK`yPVm)P2p8&F^cQL_p<GRR^BC;<&$|YT7jeJ75yVxO%DuQBT#~ntgB&5
zDhq~{?_ordq(AZ*Tw;|EBoCT?rI#6FnX}Y3Q^j{T0k+tE%=9X)F$0pmY1e)S8G@BC
z?~`*^_)!3;!e=d6LL3$-m2A9%aQ_ZRU9l2#waKwo!D17ahIiR?lZ(&g>g3?v=$Fgg
zykR<}W{BnX{`3TMjJO3$JD2nIT_jGz{BE6qul{UukOP+|?bgA0oda*eYV`Mef_X0=
zWX-{~@u-FV7(`7$8yWKI7P046LVrnh1LXUYg4ZclI7I~cAQB>CTJhVUgjjOP8T24w
zESUFzeQxyuQpD$v3h;iv4We?o0>2rBRruq@cAKsOWnD3__1NRg=FJj|0t(Pty3_`$
z25wV~NT@MfyD-ZglBx5ucAM5Rwxdk<OQva_r)%<R<+9y~<1^0^)kxR3&0JJpL8AWR
z=b<~b=|wgc4O-QWyX#{-kE0@>q^kuWxiqJ;oAxWa!9g=<LV?~2MdBi*Om89mPKrF*
zbUj5+&`KxT=QMK$wbe243*?e&#LDM|?xCpF8qYQ3S<1ZUPh}Urr|aX$XZ&1sWh<JS
zRF9v5bI?_7dHliAapJ2&Tbc@a@%7g3>{9P&AD`m4UA^9rS_FvY)JBgt+X;1#beOEa
z1fJr2@E9Ij9%kd;1g(nJLiQ5s<iUBEo^JMW^1(b4ww}0&Q0Y2o%z38VOh)5Tb$NY?
zW9c_dF0al~n19V_yKFY@B%;%`opd}*L{3?g=S}Yq<E#KmP0UY|s{*{0uoQy)0dNRn
z>VUx~H)HyWB|ja;Y%Zg&p)ngfzx}MiIZ%Nj*&fWn=MGcJ@s}29cH6Q@{D{QTZr_Es
zQM5=4W3i8@M9}=Gi}I)oLW~F(l1ZSQCeg}&3F{ZlfV$XCz1R&0qWBYp5Pg?`%_J~g
zRykE`eU|h|yPbv3W*mpGCE}k&@5rX~$#h3?&{VgbYM8+bj98u6+G%!$dAs|t4k*(n
zu0I9onMV#cRbN*l%cOp_ALCJ_P=8gqFvqYHrRW{4#(ZAgtc>~Pj16b$-4Q(EG^h~Z
zd5ssTs8b80A=*u((6RLr4h^JRw?v;5@_mkSva!*U$9u+`5;0rUBkj~b>nL<uKg=RB
ztKqV}X82@JZmm&gd0up9bFqqkdk=*feyV}!KR^wo2+F1O#Yo9RNDzmQ!2EVtJh0nH
zs;-84NWy@Y9Xp6{x!Th@Kg(KVlW7?`zw&Uvb=k4Wrz{_Q-o6=&*$^---+H__H1EHC
zoLIpm?YC#7+0ELW5G<){7sZb^#qUa<j4FS*&#q9vHJ)Uu=eQbfg0t>-abfa$98Ey<
zN0r57`F*bT70nJiWVuK0c;AvajFXzoOHz3?FFVJ`xJo<W4S#%&$vEH_#*VwGty8^h
z-njP0#;vBseL_MsLk=><{<$zt%W>^n`abG_&&T`Tckdlijif;GfuF4P;-QQP<{-05
zfa7Ah{rl3;qrV)krQ5{ww)R6PaDL@&!*jW45-jeg%u`Rv#iO(6LWPn%R2*J;C4DM_
zMak4MH0Jld?0L;1BN+%$;nN0Hb=U6sAvOIc=-~0!BWGiPr18Z1b(hb(Hhd_)AXe{l
zA*xtrrgm!T8EjDmU7G}+oxBAY<HlN@Rkmd##P4K`M5#IwUxy-$yPlES%ZTx7FO5Vw
zZd}0==_{APgeBE&TV3182!YF2aC^QHUdRlrCSgLKjuE~N#mX_qihkcm2<uf{Ym<GZ
zNX2Omv*YDt`k;Pq{I{qVH+!6t+1U;B@fJgvMM;x-*SwJo0mU8VW$7e<slp5s5rPSn
z0p8)fG=B(>XiR*~+$(%^%0}TAlSIWil)mtzz-T~TQ-^A3bKR5FGQ#SWW<-U@pyKz^
z;~F^X{5%&s2A3<u{pL_y%|(X1Za;;LJnwlzEyk5L*1cL%Td%<-XGlrh4pdvt%R<Fa
zBdf^I$$W<x2{l|IV~|Hswq)+X<4vw5_x2m{qESvNL#-kX6k814%{B|C?v=%KL2Ip-
zL+U|{*!`vM`vVsom*JRUZ~M>CLQ!pJ@Zq^gov#B()pE8(eb8xd_LRs^<Hv^^l@P0!
zK$or8=O!mzUH8$T_IBL<kSJUe+4HNj)ze!JoM^`>i~7`cHy6<u2embXH2;<Kr+kNm
zaNpY>p>pa%bMxQ#Lq3O3LcW=vdv@4tR$njk#%1mTqPRYmU6W{}1+PamG}j&I?pAJl
zx1z^*%&7R@^EbHmQzH-)$xDKYnJH;NmKnp^U4{|XF{51_B!BMrh1EG-X;&TOeqQIB
z6T8<ixQHx5mT}ZBJ_23>x?!fJ!YEyRL%MN^F(f^<oZK2Cfai4wtf6Oc*#!91lkr`1
z;S@h~h?G{NmbGc7MXU1lxQo!o60u44oY=Mqt6uyyVWt>LQBH=oGrV$3@W2mpF~{q2
z&kkT`4-ib87io@^pa6+Gw(V_#A5y?Vz5VF}$R7#9Fq2vt+35$_o!mwFPf1e&48=sl
ziMjPRx+O&ig3qZKAn94v;Q3=gR(RIeMPA=Lz8|Dj);kRi7Bpw8(cJ1qkl`5zk<Q2|
z0nyI5XUDJZQKYy{y(_<+iSy3jG|=W!y{s+x&=8)qrG8szxjDpkXU<~aM|*BB*BPxG
zNCrzMjh#Mt*sRx<^>%8$ft>edjb{B|J1CIOe(2Qhq}lygw?4S?zCn!+xIQ0}&z?^C
z)FTiLszY+rnBSXeR;W!Wbv?m4y=S&b<}p06@o~9b^y#Q^|Jwg{zfw>3!nr;Sd1w%F
zw>rIx#%hmg&fh#dyVV=6nSkk@my}2FSPyjco<pFg?IDO7iozv^tl7@?I0{AV*KBI+
zTb!L;<uG}mhzODfw*1hqREZ3uWfV6ntyAdrE#bOt$xmmqT=VH3jc*8WxbXe)?(?x)
zN2B>bJXd&xGSG2@?V}#@1IXq=1IOe}x<lJ4t$ui<v}`m)lJ859^St|-vM3AJwFhN0
zv#T%Bf1nH}7U>N7-FH{Cs_UjzqL|PmxIr7^0Vxn)OJ6~N37${t?Q??3n?_aF)>D9A
z;+9noYL8YTEY4o98pPtt5&M^tQyS+|E3er)p(kF(WYF_@Q$V<J0+RAQyliF{ezQJ@
zQM$ntY7vW|#phxCxDa3U$H{I}#cv!7K|*x&5grUxDV%9><J#x9{TMi1Yi`uYXPly(
zAuDw>x!e?RC&&*yMAP4sZF>ezo*0{barc`kPMCu==yl<q??GU0w<^TJ_s$yBbVfnC
z)kIZ6(9iiguoN$!Kw(0YZxhlRUaC~?p&iXN+xw|!m_oSkbU%(x?Ax71IvujzFA-bJ
zdBY6-Exwftn@NATM;~D=KjD;iP(|}lNc%k56rd({vapT4rg*wq2k(&%eztqZmeXax
ztFEwCGuewU%>{38n@`-oM}Ap;%V%F_-wrBSEDB#|%vO0-c+i*)Q~AGzJ9E2E@u7XY
z=*y);mR@_JN_Hnzup1&JGevy%d7FQ!x&L%AT|e#SU0R=ac*U3C(|wv8&hGlYt%FbU
z`h2xw`!+TUHdI}Q!=E;V!Ob#pc+n0{`YBu=)kO{joZ`!VX}kWkRGjT~>oblmm+<to
zIX&fr>C@C0v~@k8EhJU}`t4T#t6zixJhZvIss%z|Fa&n|qw<E!yCDHjQPKDESO7pp
zXgKSQ4z`df!z_N;inR$wDyxuNDQ8S^!3Da6Ae@<#{s1Syt&euvf|Tnp3|a<47zDBV
zr`pfN)x3Ub&b(kS1{n5HWF2l*+)pCCnil(g)Kvezl$QvajCO~B4vBiW>;aZ)tqG%a
z(@!=hziNU)E$k#Jkqjw|QnYU^r)JM9w2(!*lv*^LAi590h@hlVuoI78>{I?y^pAxZ
zFqm3R1&};M0PK%z+qhoBetyRCmc7$26Sh=oBvX8A<SrlgyHV(}Lm53^udPlOfl*B(
zOzZT^GNQZ;sg*put`B4Ud)2!q=;_L7X(JHeT!aaq`kY4bx?+eE$VpCCO0sXt*>X3}
z^~EcTHWXmih5BxKhuF0Ev{qxUQht0NE>BnjXB=Y|o~x|NRt}7XuZ8H-Kgn=3%gPcz
zd!6EmMSpt4#o49}7skX_ziS*{eN2?rM;%vksc1KQ6+RHN0V7#&r2ropA7><SJoq*+
zM~lNFPv5(KGJ6CbPkyeOnmUneT<93Tm`A(>)7o~t?ci2Z-o5Lal7nZj$QOh7pj8h)
zd#jqX9mWQbHCeCQE==S{b6%;=$8fzLap50P%RnzjNvF=w&2yv=o;tg=b)pUA9xFN&
zEK}V%+MgjI9HKG9n}GEl2I+cpFjdo)Mff|a`sj1RXoEYEf9l=kF8MBWP=~zkdCsy>
zf0sZyRE50-1R3qF&H1~Xfk`BLB*i8YmFd$L=<7P7yJgLJ>&}IwU|@O<lXd;l^snqZ
zC>GmAQ^u?OGq=>7@;spobX7^h?z#;IPUJ<+fFf3dv7DMwCNd_19944+EE`CMrV%#G
z1Vg!xHrJL&bdwwgX@(=8Emx6ns-dgDS=29;l?1ul42SA(4Qzj;u@|B2)j;O$MP&Ak
zC_Em01&Hc?&oX`8l;i^KkOyMTRt!V80oLwF+yI8_Z~yil=@DZVC+-WfVns{)=?1aM
zZ~so+<#U*HD|%u<?-{LOSeVD2hVGR1l6zLnN18Ds4#a1PSfoV~TB%5H{+sM76l|s<
z-FrOA{!~SDqMMH@F=f1pc4s%R4yt3Ub+^mJh=x$Xy(eWr0Y`S5%w1p=s%<t`l_~zh
z^o^!wBvv~Tu}GY}h<8n^XbnZO8%yiWrf3%=KvU{1?#}N`BbLWO<W25`HlYO{<{e$L
zzvk72>?3C18e`dREA*+W%-6ar#R%g@t5)<Ziiyd%i`vt_Q9ohoHz`7PLEJu(yVsS+
zRa+DjhfVt_C-&Aw3J!02|Kx4g6>jBvdRzPR1ADtC1Vk{v16lc|5nBR$g>HHV)cQEc
zPK^7n-g5-L6io^!!r60B9xw*y8v*d0=LbjdJ%=4xiiVcSpBwGSF??VK@DeboIa<wJ
z!LJHGD0@C`A?PjPSTFhLWLv)0O87!(+_?k;VA<r_oGEiktO7q<s*+4~p2f|a4K_N3
zpM{ADk&%`2R4zy<kH1Djf=Dkc85QR0V|2oP>5V(<$LGpmob-5{&j6^R2KYr`F?`Fh
zG(%-&(=b+&cD;v;i#4$ZL)Pc-Uc0x`)=bfs>U@uHZ5U$48;Hwp%5>}`wf<PasCCcO
z1R#Ykm<kkL`%NK3Ur7PWoI2J@5>3reh<ru7Iw14g!pI;!&Kf}$%gZH@j53(Wf-sVV
z&AYDQ&^Ko>z=12MfNsO{wGaPBfj^(kXiHung4SKQ*^@@f>L(NE(4hvo6?Y<&H{AJ(
zUmoancE@F4a6ir_^I<u-)sgB3k?p(-Wq6k9BcdBx$<@V-QJk#^kDg#6@U3LkM%YR6
zog{S)iRE>0M25Mdu($awX4*6z%OSBL9JYC59VCUERv$OYuI|Uw0y<qw|IIaO{(5kl
z6Obe3bwO>R=VLIk;8(dKo>tYPnUnV?{Ae%g%V9=4F>1Wa3SBhU>%h?AxbyYe)%}ah
z<yDg@%(ZPR4JK=MvxQnwzh$j08WUW^DBLr;TaSSSqeNyNNX{_9(9*{Z^4aqIzUS9A
zv^xhV;_NkjOs&`R)x7Da#GP#Djqr5(Lw$A5jFPB1*siOkMZI*(x_J!b@+T<Y-0|J#
z@7*td0H&4O25bgNa^C-UhiK%L->g&hzK(S+=ZV_Q7xs1?LLOld<OCezi*{N9s*><q
zjxACjq<*)NtMdfNu8dG;788V&tpBVoxqLhH^mk{n8fwU73Sn7_CB)YkAd&43L@?=r
zV;_b=(+Xmyf>t~IA*CVtN3@5gOKf21z4SBR7*PJ{u>8un0DBD^mP`6hIutbkG<$Dk
zh&V*y0(@UDWs7b-rC830k3j-wtPla?@DwtT9iqArW)#z}3cd$XN|lINS_;^h%yoi+
z^^CsKev)wKl72A3S_>`(0<nH_;)0e?4;ELG8+$n&^;|I|)s4G}l4++Z(At2{7V8H;
zcR+3s91)Mr(&Z^0&%?=4v_73Jd17!2<v~}J5qc-w6mMz~D?jh`6yleGr>Zx>_6cmS
z6-Ut|$5Xxd+y(&4(?H}tZH4a54-RLeFYTijK4a-a_UhG(w01-7gl25{RR-0VPkQi_
z?`lJ>5SUZeR4uZE`zspatu1686%}2rfinUe9H1Fpp0j;L;laVK%+~X6Y6^p$nF7(A
zXv1#rqaPDg7mls8tq-!<-d~?A%^USh4hJ^gP6G~XnfHB$@O;l#WtHt-n9iZ{OvfSw
z?(OL=ZwVG`^!B5VKaa7f-G;CNfhD`^>Vk=HL|R?~4G`ceX6F*c+thgQu8XsmzZ;S!
zA(HSz@BQ{}!nj|+zm$R=5M;%r;ZsyoylR@G#XOQhto$Qe_hOdI$%xEhgRK$w$DgPD
z#DYVUOWuJ+H=KOhd9+A`Kz1Qqh<HOju-VU`3wD|1s)isZU*kH{RcTHXXiA|<s#Dga
zb*d&fh{rL@*)I}`&x7+_-@Xpk_9d0?i+?_%vgf(cKh)I1)(y$Rw>QS^U_e^KnV@(m
z7Mnhl05LpP$P;g>d6_;e3=}{In}jtfX1Ehm_wJ+@#cbCBHh<%8Z}b#dXH9x(ciuQ%
zHHSlH_*sRr)zDhmF5)lY7a1RcoU#2fQ*u!>5G!#IxD>HjJvwT#+C8}9nwW*9_7e73
zh38gj+;45^LzwDJ?-mGtlliHSS3#J+tB2#W!y)3#%=%kfmz41W5V<oV*V>mOD#aN>
z!t(MYI@8I^IA_=M@J!Mh=?G0^1o#YkJ1f0+2~=;4utSH>BQwhS8LQbeYQ1@Avf9qh
zLhDGzjDZz84)(MD(p{1Yc0DyVkh*OsK4khB%^H%%f$O*cm}$8iSwVLfijj+L+UKaY
zSjY8z{b(};-)Z9@LwxH>`<FNRuqI7Wu64|+0p8w?=7e?i_TD9f6M5>J1O(q$AOr>x
zfGkSGjHb<UcmmSx{gVg2qtj#P7X7U#j9;j4$eprgN;`!t@uUgLe2+(wvTiU;JgI~<
zVADFzsW)zPoW*>R+U;r4wsDK2U0UE3APva2YMx`nRrGWjJ0|`9;aL!bNy)pzW>oWd
zApuJAhGhjE%%8zeCZZw(vH3Rj&&6x5r)kRN*pdn{p>X3&TYceeanxY|oz3DHwT)Ui
zL#MTxn>dNs7g}EiQ(Z74D!4p^bv8~^p<aOOhB^;OJlAgegrl1o460>(-aqE_!(5^K
zvC6O2+GcsnhTW2r6V$TFWhf_YhUWAj_{8Z8x-N$UA?3e$zzf-tsjtXZ?fvj;#QRWd
z(smtziS*C#&6!iZTFQ3#nyn#iKw>?>$aJx6gu#*;HLgECl25E|Ij%3O4WY>igl-Ol
zJ`w16ey=0I*Ws40N~uy%1(HCz+Z&|%m#|2}<f-9?TN{krb!LjW=k~xrLjG!0mnyB}
z0$9h6ePq)=zT)>0ODavwIQU94ABP!Mjtqqe3ie99g-*AksQQ}2*~6k22moCQxNK}f
z+QZBmrOC1zgN29+rN@59bth&zYGR7sQR%A6^u!4Fp{T;#$6@UrU)_I5$@aN@e9+%W
zRMp|-p4{sx84ei@hO3TXdY8g6Djl8H{K#01;Ym9s015~PAoJI@I|WsH0L2ZWe^5|^
zn}8Hn6Kv@lc+`8Dy;^{g6SHZ?UWZWWff`2lE~uv;o*Y3LSU}Ok4JM845H+AXLLJU%
zd3#1T^YL!ki|OJK$tTB*^D)DlK>AIDvt{=jVC&qg7>NH7O%r3P>#7XorQ0^%+3=dp
z_l^^gTymxbf{3}|cSNk5-sz}1NEs;s*$Z>IPhPit-%Afkz0yWzuidb-lNXJYXI)c~
zl3+TXR6`_ek~kC=62xCd5jufk)e&C8avlIuhbo#ZtnoID7J14A055tF260ur!><(%
zJ&g4;)NrbUCoktGK#c2$J!C(kHEg^T!`Op<Ad5HMMu(*)y<S+2hd>JZMK6n9g<&YT
zQtHa|E(XeSBB+5qSw%b;lR@J;B2-bIISG3^)R*@QdunpsRhLac8j<PIv|Aykyk?Xx
zck<-1r)JZnQ17-){L&g`h1fQ^;Vff8dCJdIghBHA3IiX9RZu)7Ex<&li4uO{C4Tk{
zIW1}ZK|R~abcNJsFQ>lW0Hnc_T?5%ZO(8({L~aoTJtRRxdscyNl|QNgk)wOuYrLys
zFyyj8cM<Zjz?y+PjL&JUm7ZQ#LSG}r&-qN^rM%4Y2%4_1FnG)-5Ioj~C6m3M_m@8Q
zqtockE9$M_i<ndAEHjo(_j5a4n_i&f*aM;dd13+{P?(JSV&)fL<tL^!Rqc|28e9w1
zO}@QD<$J66`S=({pU%n1eu8LD$R5Jn{&A5>Mo`pXTU$G+DOPwwAK}=uHJXFuKgj^e
z82{XsBDWVIMdy9~=?h%DTowDY%k_LA?6G<_n#qSr5>FRTe`EIosrjt$n!)O$kVc}s
z0%1a~kzbA*+JkCbHY8N=K`^l$2H#w0*P<CKAWP|zGT2i=Fi{^(rD7KZbdrqI$jAdt
zANRMx5Xw^6FDyECa@Yiagd$lO6*LSz2Ki>={mJZ#eP*WWygxkSRp;UUq=l$kK9EFy
zS>?Q6KZ*#CZsBtT*RgM~&#|i{Zt@)|zvk9=O2wwlxK28w@7nh9qSI1jZxg-V3bJol
zf4Suy<h#rkq86E99a$6C%+UUc6ol}){EAo9-T@Q}S!l}4G?lmAE~1Z+`l2H_REYn%
z(Lfp{1s}t4fHW_3>o|8#>24*F8cdx2Am)VIh{-hoH}WUjEC>ix>safIHD<3_VJ91F
z7EaA^-BW{9y+O23glz3$qyW5H#QKP!pR45(2RR1l?SwoPKDPu!UoPjBPQCZZ19lKi
z3i0q(?34ox=GN@u<=Itj8qGA{H}}?prqoew{;;hHmnoy6k|~4!X*$AJ-0>%Gye_1<
z#F&XMf^SYAiooU8SS<gIg?NB|#rWCP=`5KL4I&%dEexy-<A54EArJix9&g4aQ-{Yh
z-t0G-)klzSfmoP*VCjz@R&`__kI59)NwMv9y~g)`DZkikUdNKXS^HxvHna>|7^C=)
zVzx6-CJf~zK?3FO7v_gVZq3Vso&*_gwBD1ryVPR5p=okS^PBf}o36m=L(IH#eY@m3
zkyMw>FSZP-tWeznPdOIijd)gA?6mUdop6(in$gl0ys$}b6i|TlS>`K@RH6Mc<S7o_
zJ8MYDns!<d8Gj3+8ZaqV5E$!^$KHHh8%!6eIVt4uAp;v9{5cImNws{C!z7H7PfylN
zo1Kf5aS-tWid|Xg`KN>1lf+4cIgPsMLpm%FZ4Dgp?nmkN@Og-4uUz8#pT*e{B!*1|
zux}iZ40ct3{gMbr1PU~%$W3MYa35AH%AsCDB!X2JULf~|bRWCJatji(lT#!rw&oT)
zczNN})wWzz%`Vr^;bNd=&T6z1Ghx_CR(2z>mbX9Hj7=<h9;gs*d?9t|u4m(%y_Bz2
zZPebPckYnLaL#byyWo_UYVUe;WU0$Y$)={>Y5GNsI5IbNy`KhWyQx=d>z$6LSf^~R
z%&(u)Iq<dgQ=&%GCz;>rDWxUoQy><68o8f)fMvM9%r;9fh#*}XhN3ZPhUP-u_11O=
zAm78o>W8C(kj~Gp1Q2h!#cAn2{KdkCalHyCoBt$t*jaxB5#urm`n~01jo_drim)25
z`>~dA-up=P7;e|)dRZRoZ$J0mNKi2{?PKKw%8zH<APY$;m{U+(((PPmIF$+41(TrP
zDaxVvv(G_3we!i8tAB8xP$Loy<P8}=x4eCRu6d_?d~K7G|9pKT1*;uAZGQ;8JY@}D
zSSgwQ911oskznSAU%>4=daOb`3G@`uT*S{{zaJi?bX~D%A<N?U*gf<$T~Z~@-m<3f
z=UvRbYFm~n1@0DgBMc|R2jg2<HP!uL$VH7cwDR5q_j$c)lLq3XGQ<m0k*NERrx)jg
zeZN8-yquz2mV9dwo;KiZ&b03=`8ZD$3h}v;&K|`zdRdCQ1KhHIFNdTqIa4K}Wpg=h
zJ20W#D%@T47q72!nVg<H)Z1baVxl?0ri?z^W<Ah^Vz0%7TnVXA>V|rzjKXGqwXa96
z8P%J#Y<OzE<Bd>FuuRl&-8Av?7(yH$HCvkB-gcmW_rnP5_hS3cVoxT|A^Iti`?iK+
zvsn!R)z|{U=XOQ&vEn1%Ir124aDz+rmPuU|JDoGgg#fJ2&&s==iMQY>7yHcL;AYsU
zk&{gmvQ$r4v3f+*s)w#PaM=6wAL)rX%+$+{CbY6z!?`S-F|#@_p8@)zuz=*HK$0M5
zsM_<*B~^wO|F%|7nJIDd5BrfS5`Xy^i5U}z55K3LnRyn5OdV@@3cD*2CZR__qIb@J
zA+Tz=pr`Mi(gIvZ54ZL7$Tpwt7Cl+!u8lnXcDj!C)g#TJ+jw2mR-o5#GDGENrz~|h
zY|1oNF+F!$u|1B6MOqWWa?i<V{0@b!M&*om&Xmw+grgCdAK6pNb;uZRXSqp`fUxLq
zBW$W^Ylm*552<w$yM<B{L*Fbt;&=MtjlX&>LtLS`g#)8m9IXzdTg#0iYO_|kQ`Wxf
z?Y<{s-UdhsDxP8VWlGqTTNCigzb>LRuTt$|sd22rZT7`&KnXNMhw&`=5s@uAB!eDc
zB_<k>V6_w(7D|<Qxfg<f_Z*e=G4>)3{WPgVuRl<Z%&3!T_Bl=RO*f~m1m*cDW?@@p
zWy2|HF!dAWjg$?q1x^v!w4+|Xn`z)Pc{L=P`-f&sC1l_1>fsa)D<cmRaJ|)B1#9+r
zRPAO8gCRno;rY>}NqNxm2N@FxM&I>)0{}IH)z4NKexSKKOlru0IwTjJ;C?7Sgxds`
z46DVUR)2#Jm<9Om3@uw6u;bA6+_EZXQaB_%YOkJ!&)rSIjG&HwxXt?F{HM>tl+Vz4
z`8;lLJH#}~^@R;^m_^#PdJC0hJgX4-OJFqJ7{T9g+T<90Hov1Xdjxl}*muzVW5)UW
z_>q1I(LV&J>bkpUU)b%T$MT0Vm%t*#7{zegk{>abh4XK7eyN(4@&+=n>9{nq)~3KP
zoZx>9C$ya-%8!8#9&5>YR$XP8)WFu`D7VXCSKn<({kTfaUlSuYLs*YAy9-uzB$wD#
z{*-B&hm$0pAUDFJvD2*SInwLR>;-XANg=M0U%cyAC+kb9!)o@;3fg63XH+oTzJ+tA
zH=rO?I~?J{JvF7^bD4WP+p*+{!+>i-odcUKMKU8GwDvo(6U6BB)_g<iA_k>$9voC9
zWQ_sP4~f>VyWAv^TZ^g>bQkXwTNN)T>V;~+zDlPiiht9zWvZe_7lgUQ6jgW)w%L`<
zb~5kXgFjo?X2M$Y>Vc|i^Y?gLZKF>Pv!+|rau=kFZ<EGZJiGkyrUqq_86E`=ybfOn
zWq@Xk@ks0B<R$qep$RT6z}@d=SR`8;0_#Ds8u=QI+U^bUQ=-9yKg&3+76huiFN3Up
zJkUp4X6k@BU2CrUxnX5{bw1`EKHvy!Lu)S^qO6wwJ>k5#UYzBHhy7kI2~3j-UHg?%
zGGYdoTF1c5nP?rnV)xW%^Erlmo(!j>ef|9OY-|E&?((_w<AaHbEb0gEdj>2|5nQng
z#J$fgZ8p3+OdNv8`Z<y(FO8%m{ft0jW}H_KK_Nm2g4%(HXIOW+S{Rp0Shi5`p;X$-
z&(H4$ZU$pS|I7RszJTBHKG51B93d|V$3zez4VEzVIJ>6zuOG16-uSe6I%7~Z@;cMn
zmFbNxnOo5GAP4+%!kbq*38{^)W=U~Wfd0o*>tAT|8{DrZW3fDQt#JXQ;q!32kN*52
z=P*Q2Q_Z%y+QP>e3I>2gD7f*vC?mzT>ptQvK|BTo!Uw+FJ}+@Uv%=(J5rsWiqUf(+
z_z)nux*#tZBXhS3<P$`xyQNu^e-w}g_F4z}0{$WNE&X*@IAWJGOmzT~!JR7a_3Ddv
zWDNn8><dc`KuA(sW{%wz!V4sK{OS|}YgwAIf#A)r)@jriR;W$GW6irN;&!X5XHo8h
zSVX-xt!%{3%fdM`qx~rW^K{%3tpb;bmq3wf#K4tHqQYuTf~d}?9dYsxNi*r7l|OPP
zD_FLF`Vh~Aus|DYGg{j3#@g*ygdgh6E!#RTIyWyk+o-Pk=itUfeh$h-ptniB#5t<M
zdv71vZ8j`E<#SB|Xm?hz1tJrTg#1Q5Sh{XP`}K$G809DPx%DkV4<bE+tW?0VRByRI
ze`apXOvoF4tG`Z{zQ;7)<EZp&d+%OrYHGSTzqyt78yt4(&?WixavVLmegx}4Ker``
zFcAQn{6;C9N1`X{0Rw6NjjEU9qw^k(?7o0}?Ea&tO|@G6@%`ROXzsc}ZG8A5!oz1F
zI7C=L4SF>9hpNh6tDFEhF8yQm@(&}tb*R^&^?VZ<$p3mKIu0_jp2MZ#aukQ@muc~Q
z#xJ(}3>VX5xsb&;>ofZ&*G`rC&D~~uj2?BKj79TDdv4gB62(U*K!`H#VcQ=U`Vq~=
zgXi&DI&DKee$E<4CHr$B6Bq`_+<H}LHZB46ra|-f)}nQ8etW~>%QhbuClh|M1jZn0
zXB+VinP-`~#5a3X@|m!C7W2e0UYalKw%Goi=?oj8Z~i=G7!PZ(ak~qBM6`+9;*M0a
z0{=Y4eM0J|-QIpF6zs&AX_Ed+R+Gy>O>@42ETYj6zKAhZij|7ave1uy2`vKj`=O4V
zGZSJ!K(Dg-{Bep#*&}TbzomnyoDOAn^j+tC#ryK92szE0v+LKs-Ffr3wc#;OWtWnI
zZV8!ox1A$7XAlGlwx80Iuiqmku2uJ`QG{b5a4*br>&Kj0dT-;e`Km#D;gtxth(+h=
zliL-SezB=SRUK-0$`WiaV8~dhENo}ftHUon5zBn$|I&2zi&Jq(9-a@1-EeO2&pL8y
zujGw(X{YBIw`^>)A{&sqf8PbJ7YyH}$qadp2d6&t09CflLC86G$!S1YT}1~`7y?e(
z1DY6mKfc&#>K3h4HSFU8A>-txH_xtQ&5yG}Ox14WLd($R`)H8Snk1dzQ@Zww#7(g2
zKKBdMl)*#-B%+6aRBO|gNyr`-+oxH|br!W4kKXNPMC7EIga#dQS$o0jUOqauBugK(
zd8&2#AVbm%sL7T~Oh^FG?jBvGHB$aY5W@sC8QpUE{t{?XmFUeHSxKRqUd`-%e;)w|
zZ2CMNv72=MJnU-=BC7kjTP=%~h6(lXJIMqcSPz1MzV5d8L%8Cr?fJ`XMJ*?$jDPhX
zn@S*z*n>6ZFE(|Or?2l@I!~QL77bY4ykgaP6IKoH2>lxu4I1_C2yLE(eATH@Cf(&8
z5y~tXk#o-3QZ+*?&n<vLa9Q`)ZLr_ketVDb4T54oxJw-=|2k#L*o2#CJ`LF4R?qKt
z8bDh@Q!qar*8Q+QdXUc-5ov<p!u{v*zL?K@bp>6o8OPtGh!_PRoSg18J>w?L1U<na
z`<2e^gQra|uHB1AL8cQE>k}s3ptT%QDtsNfWEam8K$fvjsAbM~h<|K(T??c>;{#e<
z-Dk5j>mzynqN=lzknjQov)(ir|DIziYSAYCxKSm&IAKox=CHS{IFqFA%CEnF47%1!
zr*2*k2r{%M4fbm5diR#z9M%9;K&ro;@X3AK3U_O`qSA*I!9)ZkB0w0yU~Cw^6!wHI
zUN@F>u=UQK3|I|S*)qAe_l|zHBilL-IUl!qG{jAroc74=J^AMi15AjS$8?xVe%1>b
zAY##I30eF)hvVo@WB$A`>01^(dnvRmKAYz$Ll(c&eW6u@T3%j8k7OqsD@vs7MMt!M
zUQz%6L0F0H<VDfal+(m{G7swO`w+Ty_!zI>URAXXBwYofH(_riLc|yVIeEh!h~hgb
z=k;`5k{89DUwF8GdpzgHo9;Pe2n9)55u4ZIIlfqJtY-US6*7A#O;yJ?f-$V3;{1PK
z&WP#Z?{<j;z;^YDrk240Z1YAQj<?711<C1!<ED2R2#qrwj>h&q0++&b1cG^Fb@23-
zUAB2{Fdk$lM!ZMo!;gQRnu)_bQrhCP+Icdm%YZ-tGz2jNFpWemBmx>0^R3!8vP7*5
zgBTFjqlcnLjEy?>S)C692<x_e6#m)NYa+@#_|3tnQQ7o=UT_d5XoZ{splw|bsUQZ5
z`x8gW&j1J*SD*k@UvcT<n|FBUN2!~ZkUQQF-hpZ22m6@S4J*d|ZEZBF0`xE38)<3O
z|9V9P1Y!mtx(x^sqvf9fwOENJA^YtZvR{wrBEtM1xnrq6X0oMdq@Sgk|M`w|BU<4b
zj37`$(k}#7PUX~pD_eC6`GTx$?aCA){Y%#B&*Fv&k4gd8Z&yeR`<ITEm>|#rpk$v2
zVZy%^w#1}?NO~0NwM$k0Euuw22#BO7zCvMy^l#m*QgL4pHS;E_#qfU{M?#{v=f(>;
zNtE!nl2@syFSlOla*-18zlE~ne*-|)kXT_bM*RE#EfDhqQ9rKzHW&W4w01la0bo)A
ztdI%fztz3m|9O{5CtV@xFIN@*xEkM}KSKR)0~BKZ7_eZWScdp-qs1luxEjw2llt@D
z2Am=OF~HqQf`#Z`qGSZ(kg))gbHRl5e;L5@Ppqq@OGW;Q^^bpIy+&_@_P<2!&+W4D
zSBF{DJ;N0k$nuS0`tF$T*otpOuxE%6qGLKz(ib<lMONa|&c!^eFo*$YpQ$b^3rilq
z{XIa6^<hh~c(^~AGGk!wGCX(%0t&&drx0UQ6HXJCN=&wzW(ed5uJGrk!~Xi<P`-L5
zid|V^ywv@p(UZ}SYWfXKcAxgH_xlZKigIfTg?topT~-F%n>h_><AJaO3^^4-7FBp%
zALf;Pk^`At3(1iCCDwpI_SiMs-@V=Lfk}nj55Ft1YJvh_m@!?*g^`6+)t9D7M-1j9
zkq<E&r67#mBz#Hi)HRa2ZXtG_dX7R(IF$Z$bQ-CWb6_<}rQRhPfQhkYL`MC@=o{*1
zluq9#=4c<3{gdYm1b(Qxy1J_=%(~1zwz~5JuJ~Q)cbzYm-f~X46iN;cti7xlZvql7
zt7Rt0whb$!VSl<3T$KL$k+ZbQW^%SZceo0MT&S^iB)-hsEU90E(D?G?M_;~&Biai$
ziXpl2bJ)hOLLVOWDTNlxoEeXK)8|r#x%u>o8E~4W*qvjl9LrmMTr@ZLkZ)cN(Ur@*
zNV>FW%(k#doxn+QTg7+NTdlmA*Zb)Tz``f~{R}Ce`<%9(SHu0-<ychWkCXdSqS+&z
zeyg%zI6c^_IXg}DgeJ@Uy|@QYrsq)(FHvYOEn_6IY?(XE`(91seCK=VJqwMc28q-B
zjLfXgNrrwonwx>wjyc+|8g{;8azp8d>$X47-cT`u&)3(HX*3Xb(QDP`X;@ezaq)NE
z6oiK#!c#S}tP>yV-)D=4{xCNQhZmgk8T<}hfd!?#U?F`J{F&((S$qr8Yp0{t<iJ9g
z@NVoK-9l2Xd4~k0zBa5et7A1Zode5ObFKsmvdPrJ`{1kYSsC#4e6*C-dzxQVxGFVX
z9DqSzrpES`6}3f-47%{5bv@Ks{e4$8)y9$(By~|<7I7IL3wpkjVH<7R8$naH0p3=a
zE;8hj!!DQ8P={VFc6dqc?X<#o|00W}SB)YKCT)yud%tWen0+bb$A_}DedHD>D+=gD
zbK)t~Vg4CZ#Oc~=comuZu4Yz5Mh$O>yI0S+Mm5>UA$(<Z<q4*|#X;)I+SMDme(2kS
zQcVgCb!N;j%#Q1#Y5RNq7CWb9xiIYtx4sr~IeP_hZ6(ALsr8$*4&eUffu-u}q;N^{
z273$>5c{HVM`o$pQ~-2pS7n&IZ^>9?#`P%~!S5D+2{dJi&##1BQo6bu96K2mHc*dz
zuG_ONjYh_iOk6NJ#AFFRj(v;=#<!H!lU#a7$<U&=EA3=*4qYHJuFI*25b4kHw65`F
zcl{xFbT;m#7%GvXbzp}~cX}~lvhdQJa6o7QD!*JkblopD3NkRlZy->D-#`%qzJU?W
z9fEaG^hE@%9pZ_C{MVNMx6=j`icuW&-wyv4s7D;|?UHN`_4~hU{QD=!2<E?^O*kh5
zhG@_YmTB~Fe*gkS*oXQ3AC|l#zkybz397*TyD<<jOyhsG@z+m51|-3NCuEDLz<)Ou
z@XZ)b@ZXO;BLju1(*u=b`iC(@12H}b?$lkh&d=wg-C(-k7d6#!o;_C<ZO6}RbaCz`
zmZ|coZHmn8pEY6CBWxABoB}{tjGAjH3!p{O`1&SsiY36~?K+MAwyuTWucDUd+#0yP
z!V&(h#HmF9Xh)S+<@>n+*$6tT69ep>x3bqKWtd)QpGLs;-AK|+PU~unyY50=gv}^d
zS{>vNlcv$}IuDa(VC6AE@|wdQ<oUXqU&v0^T$m9E44t@6@*=79p3qQ#aJu!SF7YVE
zXeSlmWr@4q`*5+Am?*BEBcsTR@9NB&x?%_hVjls_CvQ@1XOBiK&O?z=P`ty!<zEB$
z`6Fp*wjRiYXx|KCJq+omyd7@feMC=`N8wgYa+SNRvqahFOOs8`LEJ0#3Xg2jj`BjC
z0#a~Yxpb-+pao<;WFpvgimK+EY-RE~=x0V{@}IVU;wEUS>-@fdTEEwvzS^|PwR$;f
zHLGX)XaTpLy4^_I^2vJYqnXi2+&dY4WUHl3_st@e|4p`VRxF3$@i0H!&Q-~)B2(XM
z>9sdQrk#ze`s9+bkb;a9R@2y;dnfqgx6iR~nL3dFM<8uztAJ}+Z&d&dSZG$`Cw0aL
zu#C$aAZFd<62j)~m~=|KU1q6Ouu%4AoW+2ZTj3V$ciB9#ZpKlboyLS<BG^7u890)g
zjRXmxZs{HU*DjDx8^^fs#YSj*LU-FJ5@&Im%A)UbcWRt&Q}+s|+-mN^aI1%m$*`2T
zL88I2_RZd0YOfQeh(lm%?T1xP)0jYrs`|(gN;f^1PC;J>N>JF9x}aL=rbC0q7)uVs
z&%7&7Q5mF@0+e^R#xfoFIS~f$l*HMs2n@5?jU?i!*T*g3c`l))xY@*-e79QXLmM1h
zi3d81o3SdxDZ5yfdq}2X&`DE-@19()ZOvqEJJUr2g}f9JdWHY7vH6j%zZVNf$4(A+
zF)(sC*!=vAT+)x~`;?|PZ{1pN{xWRJO-u={Cb-T*x2gYcFcCj3l~<i8;ed=mR`5uD
z9x@6H6}t53NL8T};=UN=qcGVFASvYO4<_(*?5`1G^6X-%)!__vfn4f0QhkWn{S4-y
zkdQwcOX1S!An0{AQOqGK9Sd!o*O(UetDtM2YnL<mKV?c2^^+Ra+yGe?9@4!gxY_I4
z1hzKjv$d!yj|*09+7>K7N0zd-c_c!0lRfMeX3Kx*vGP>LvgLL|XWVp64(XUGjMd}i
zS3O=GZLUJW7HDrDb+18Ar(1bhj=eoME|rhjZsY!t9t)SZ070)=%2x%MJ=<cDaW@^i
zJJ-wojV_NsY8tnYCDodV<tIJg>gm)g_+?&`6;}FfviBW%3A}BZuQKTICGGU)7qk)u
z?DqC~D$~tNEp6LdJ^3<8X?m~oxJu-;O%b7a#0E;|gRf%m%K#nL&F{<HZ-e0VP}eDV
z@Gmx5-lN0E%52x$CY>g<Iy7cR$B9a=uCdDo?+db7-Y?l7^pv-nJ97?tw%2RP=(fHU
z{h4|kWNjsW_92t@1b^mgM#9nCL&XnOR0^ze2Fu?1Q&QYl)hcL`^e7Mf7C-ZyV5ocZ
zTilkJM|B;fbwBsHWXJ(*8q<*iK9#>K0S2*JPOV?J+MBi5&3oiux0PjBY#HpUQrWU*
z(^Zbn>5Db=y-ZTGM7<Vnmo@7gTYl%kPe78BRsan)8rG(_v#qb|rVCM?i1+m*hWb=S
z<%ifC*BTxjzmoN3%I^GH^es<qvmTErnZKGPdTcMzK3&n?SnZQ`<7&ZY5RN&k)Nl8S
zur1^5mtWN~&NZGt;a6&Y%#XN*B=V8~+~eaN`Py_42oA&U-)}a+J$ad$lB7ItNs54G
zRQ$E<t0|LJw(%U%=g}o!2Mr$qo?ES-JMKSVNaO;X?Q=63NdKBaZ8zb(1F-0-?Nimu
zYckkh$gK?r8a1|IC(T;59!@&HYuh!gEFTti5XW_UoDVu%Y0ypVwNSVRc1)K^PG}#x
zE7Z=j1S~aPSb1YtSSUA!Fd>Ly1sIM#uQggxTw8f8J8<c2GAqDX+3H%p26AvT1JF>q
zINU~*_TQPY7RBNvO3n|fM*}YMiwQnz;K#X>)5>_|8e%qSGcLWS9xD-!4R0=kWe<6U
z-7DUR9z`gWd(M%=0}eZva{8HfTZm{@gPrXS;4=xPDj_YCsY*VBuwbj$&BGF42{xMZ
z)fvh=?h<-1|ID40W|KqCqVPTuM%Jjk*llKGqk~sW#mlJ|xm(!+IQ>r(WlAg1&Od2q
zHdCw)mQ`+w&##|xy@l7f?JXLuX3xxSL+L8h7K!@2usk9TR_Luc?Nbwp8#LPuT~n&b
z@N-qx>nvK>N|j9+t8cn&-<7UsCOK#mhogwHc{xNLiYlugW~4d%CKWJkr>h*mV!XXs
zr<<yz&|t}9fwKGoo4_Zpa<5Qi(su%)4P@r=l~D{WmZsMPbT;<R2`jtJ!V9z_SG);p
z>*|#8M)Tul_bsoyWy0lOGf-CGTs^iUaFt}`M*+q}@(s<CqRSpDRaQ)8bqpEB#oG&&
zmrMRTs{0l#m1PyCLq3(`E931x+}PMv?OvhOEVWQvd^FqGwcG4|e%i~>7v7#xnsPuQ
zFW0j-l!OZFMAMQpl~v%RmOGpD&yx%GYwR&{27<Cnyhx8hs}vEtJO^X%^M$2D&zYNG
zrK<DG+7I7l((r<aUr{N<rW~)->#78uhFO(^r?i&Vk5-IW_|aw>q->t1!H%UfE2<-n
zDgq4GIMXx>CK)MRw#Nx96+&QLRP40YCA^cHW}LoWFOMg0JN0D~(mUXH;pR5+xcJ*A
zKh;wFix#PFkR__Gr({ezB)JgRTCNr*O^46nic6!G55Fk#7dQlr+&Kg`w7kbz+a<;G
z^_tIwZ}A&{g)OIcOR$)#+iuGI1WS0H2;Qnrm!{&#e8_eS_g%x0GYiWEhNFX9Y*f=t
zpD<}u46fMzPT(ESHE@0p!P)fMq0e*NDIaMG`Ic0XFV~WkX_g7BGChW|7HT$1zj~R(
zp*wXX)Lbgpd<E75H!qH3>_R(PTo=#QIXrT~y;hhNCvBYHbf0V^WlN{iD@+_Z9_TVg
zt2;<cq-Cd6sUO}`c3?UxHQh0;y3{KIPG9ROd`H97Cv)L);{L3}r|8!}>XQh#sG@Zl
zEmtHv%8qf8T=Q+BK*%=~P2;dk+TwUsiDTx;=i+Q6YS-rmucvVUzd&b4b)!h1DNRG?
zR$@D;N&xevsLjJF^RJ2`gX#%6l{n@rYdAUYC{1Ol*EWe>;<fSHSl)4*Z{zIvOYsTj
zD)(={>k^r$D8?JNTGk;Heo{P;5U03CZ0tBuKvJoel6Zp?vw!oPGF>uw{;ry<^SnV4
z3j>cmjfb<bq&$RJ?uqtXV4t5W8S(8B8n`{tXq-gyBF2e@67FSIW)neP&D}uEK`VUH
zp@V;f_AI=c<BR)N{E~HRwU*rGzhy|LKtBK7eF`YsA_9${2NC~=mAu)G4WKTp=2bCY
z?{nNGC6%SD)?78XAb;S+vYBdl&s%3&V6k+5t)WnvS?DD521WnWClAm&i_Pu~&LkNb
zTsZ=k8!yUJ%r-xH0V>K4aTQ+NY|7KkCa*$i#Od01(416CBQe=s?6vBMVq-_j75OL^
zHkc5&tq;!G%%I2lw3xou1xQCU2lySVd9SS2^xxu*y&p%d(`2n!9$RdQ9Nk&3b<|c>
zSuIJ-AA&n}W3?*kl{#%(+~W*(U;udJx%tP<s|vM%`2%r7r8tz5&m?sfwv(*CCaj7A
zFwf~Av>Wt%Oo8PGPO)z^bo1mPNv&Zz9xpDFB+#U@nI=L;7hP6Mywy!lWn!vPHl3Ky
zQs+Tj&9=5bwGd(JY?3)!uvaa3^{e+{Ws2{m4Kqc$9fxN&I+M^+Z70E{l4M#=BszO}
z*fo>P&c2ep*1dbiO>1ZccAlCh)T`sGDuZNSEMes^!EnDf8*{rIXqF>oakH@rY-nCn
z?k5i)&^^Jb6~~WwM#e^-rDnt%Z`vhoJWI#$053q$zp*7sjHB1ey2m24yZx@l$*PXR
zic~YcXjA4m$(~T#*^XanIeCaNWGtB>xyS}gVm4XP%30~v(+Fv;XddX~<HLi{6w4l}
zs~7%815WtJ4vLIVsVt89Zuq6JeT4O)rLd6m$(SSk%5|(MeLT{|vP?dCoQqTyCU(T+
zJa?M$*c309FTS%p&FZ)_uLAK=$@@r`yix*kQOD&;szlLiApBnE7(?CXC3mWwjv5hs
zLL(nsGEZVAo3^QBH&2ggwRMM37{L~op#Io%UsI{v%8JIGLHUE{uA<F%0@{MjhbDPd
zF-}-7&?2A|kjqh%bgopJOig1mOAZKs%tHXJI(v5#*_79%nE%?rQ=F8pYCkSxw00RU
zdFvnXWO)+aed9za=|psg?{9$VvWzKlkI<O7aTP{b(|99B;jR&Si^MF=ynw-3cdER@
zy40b-_4Heldj`1HG+Xh}N33eEa^q(O^3iCsEoLP}>!yhF6oO?Xa_iaJHi-j%s;G=k
zsCAl5D6YUALu6=vM0rHtG!~<4zLRYJO1fIMIylVCZLxEi0tY6N+g3<v7WoWhE$s}T
zl4vf>Pwph#J4$z$0wJ(B<qMtQRWw8Js!Tu%Mq4)Q(#>Djqj=P(i<M$4b+RH=Wo;GK
zzH4v7DD%mdP9>HUzg4tL<D{bG)uRBba()h`AbXtfhbEO@AUk92-vFhzWJ(%7I}5BF
zCIarRS}uG(k*$;4Y}3({ChuBeTZD#of+Za>(P8U8=A`jfCj#l3?=O&(3fLCenJM^>
zQ<8N28x^M&=s34ItZtME@}d;=$=ETD?(9ESE5f}*?KPcM`kwfD4iDhtqDTZcq@=3J
zn~{55Jlk!-)!h8Nn|75rG}zN08~WDkB6@}qy=<(Rt@4J~jpmHS-D7WMjBlk%pxLND
z2L;vXYAU8%8a?en_&85tAdOYaeIeh(SH%6$G7YzY?M&Jy)N&WPBsa%B+vx5=%HDz-
z5&P=$BklEkr+$^U(#B>`T(Ts5F2W}n<bc0?QD)3xQ@ldG>5hsEQsA*s^b!qN!4o{f
zLRnvnQF1|TTTC@Pu5-;)!NYAjB|)dN;Ek@dUz=v0RNr}_ce?$VXwS0ULUdF0>xoI_
zBuKSpRR*-A=dsw<-s%#dajO*d5-3pYRyZ~EoSH6m9oM)vR$kF!CsP&VWNpr*ANq}^
zW2d4D6Hk)@iQ*?q*nN(ojKX658gE+(-UIta##(NtAzaU~3VqGOWh0hG*%)*QhYvbq
zyE!tw)wXFldcF{WF}r<*KHG>o)j|4d^5dYAOzTNA-FPM5YQMHQYlaNdV7MM>_>Mc0
z(KCeXK!vglYTk^}W^426WYfZ2ojN<vbRykOb3diW_GgRd?TTvk?_mB0Ggl0~10u!q
z4t@<?qs-S~77E%=3-r2t>~?gPLD1B-{;0Kw{m~Yu1BEs7ri8j@uQ#)1UrPCCdUr0&
zx{21sWDPI2=+U(CiuNMGB`exrNSBx7-Wskwvt?vLLbXjnKZP=pCt<oAwOVcG*1@iX
z*4E?jlI$b^c<A@-ksI2i7o;gk)h39V^(S)DFQK-6Yd6nH?zJ*MwdXTZnY}&+33zhl
zE6n?{<p|;`L?hKq-`#EiboER0HXBg$UQP}}x!9^`GEJ4h)Sf~G6AH3Pqz1Te197%F
zkxtKxznT-~9NDtfPuGN>1ese32YyBg`h!Sp!upt+%h(1*u<oWs6>l9j7~Eeqf=zSH
ze1lDBXMY60#sSV7#ff|vr=Jburd{pki#Xm?8^%1u2eU4SP?+ReCWZzi^#s7R+7@ex
z;pR;Q9eJKnDBO~&gBrHt#hS-A)Sf&-3zU#HYIM$~T6nAivsL;ph`EZ0WI}PDahF##
z_mVc&J`+D5TsFmR^nXY$yL2~b;ibQDT0~Sn6wy65mA<qrz{RM-YNlf=WT>P0dXveH
z497!&sKa&dRfxPnr}F1j$9{Xr0S{*vxhzY2EtCWUzos<xfGYQ#cA?Yu>JJeuov0kT
zj4??qThaSTwDxOmxgVeOcZee)4_dM@AJjQ)8ua5DQ;V83&wiVB?u6mUN;YwxmKo_w
z@$leWQU+zll4Z>V35hQfXL71$;ZG&G);JGvZ}kX3zA*CI;zVqUTxF%%M3i4pTg`g2
zn%};<+|cxg==3DbX49W68}HVdo)s>V;;mWi=6MBXeSod3iPd$vf^P(9f+gQ$m<}my
zx;f*~d5)x+Mkv9iSLg+&e+PNc(7h_kuPk`)bMY39N>9v(w`%(ZyYo#-XvW3k)}#Eb
z2^u;)1>rZ`7BwDNjAJEs1qL<~c9g+pH&dxQ+m=<&cepj=yv{1GrmShCbE8OIm+|cz
zU!u2hTc@Pe8;mWj&Dq8pb)CH#>+WZCE@w*bjsu8uTq4-JFhTzwrID5n_4QH{!-DEG
zXpO;p7V_mPO)5x@g~*cJTb|YsD%XqrbC@^`>)Vu@<l+wFz+-sL#9C=l@3W)IrJ!RJ
zSDzF0`6G5myVbI8>d)i@vx2T6Q>XY6B_o)LcKM%W*7Vr4r_A1;1Gw=MQIa{O+MaQz
z%Rk5WOfnGMOSJk1+6aO1kn*ez_!0}3;Dmi%c%Cbu#~vL&UnzdyO=xJ^f9Y+qcZ~3#
zkY3RA@rmQ9=cchE%0;mxDnWjbs&({+{ORUE)L*dW@T8@-?qnuK<iM0k#j{$KBY>W3
zbx$Ju{e1(k#8lj9|2UGtd`K3y=^I!t-8?_97Kg~P#8R?NMj2P&++0ikJ8jv@yN-@-
z^KXVb%A{Clrkr*PPZPA1tzP&^p-{AW!^~ujVh{22?my_0Zok`gmNYK7&`;sAxW#Xu
z3?~)M{(7)Xm|i1`+!Jf)F9I^QdO+8fZ9P-;#Yq*%Qt5YGYLb+fzVzTh*LtXV5<S=y
zN1*|grQh=4OAV=8q-ZR>MTz6fxrInNL~p?za-T@oL6xSjF`g*J;xP{X8kuuX25|E$
z0i=dm1l;bXb!y&)ULe=Jra0`9d`~QzOB$KBu&(%36Hnwhj*%f0QkTk<C$%S)W=lY7
z%ie>KLEzPvxdWjKIil;%Z0?rH)ULa)?Z<Xxk;(<VHOxK3^ujx(v33fLR%P?kMi_hC
z`SOo=k2uX|UYygPS~Ar_?@9@YE1l<dpR~~@eWmA$PWYRuUZB*@3OW)Tmdwtsc@Q^e
z6(6i)+_vTgvZ2p>DQ?*`3^!+Y_yYniF=l1mD$MXd5gmkg0qqnqocv$l&_`D+=}gCA
z(gX!;NM)#-`|9=;<&8Zj{K6YJM8>vDq$F>z15~D12otvbPfjmKHEx;%ImGAv{U~@9
z-M^rILghbOo7_&Jcx_lTUS}rP6>W_F<wh4MjU!m+P{yUNNyL3ob#W#Wn2o=jcn-Qq
zVzViIF4_h{-c@xAWQo}}zR0J&#K?ml<*_Rg&TJ(JcXbY-clNL|ADR!<T$^o-H<3<t
zg*;qyaO&(<!nC(0+VI07BOaW9qFHs>4xw&Cl6We5UnSYY3b^>LAG)>~+RIcc_>t!f
zj(A%|oL0SCF{D(d=$Up--`U3sef)}6H7K_7GnFX}@vkEuxDN_9_VO;DJ+@0bm1hjf
zk0Us#0R5Ng0m9ufG<Y=Q@IHC6Ic^4=GJ-FXVU7^A`-6Bj1t*~718XbKNht`KBlNcD
z-Yyv-yOJXmbF#eQIal{CCJ%K4T#RO9SMlS~OHz$T{_Xq3rIKqgdt)FMQ|XBjJw|dI
zjkIhF#4O8K`70>rHA^>{(5F+P)XUpgpbg$mu*;uyv})YmNdrGQZ)2`;PW7(0He?hu
z(JhRWAy=M$R6Zz~pDu`6C`x;{Ft@~S32C`tsQ`!><NTU~vr2p=XW@4aul8cnC>uC9
z8FuF6$NX@-+fpU6Tboy`Y@YC{7C?}--QRGH7Tp~GawTQ+Zurv<RZ@Son)GLXaD?>7
zg)v$oQ~bTllqnr#^EQR)&2<gO=F(R987#tAg&*OUb#(}MEUf_)mJMN+QSjd>bYeSG
zs2^WtTPHJqB};wyLCvFq=w`&R82pt#KE29kpD&l;#zKbd9;*qd;b5(Iy>B~6=Ss0X
zcqoe9I&DA1Kt^((UGlu<xVa%Xnjdr15>GEo5RJJ<tx>N2_=WOyW>XIAym|4WO2iIi
zQN<t5fC5pE_gimwvRmFt;aN<rwsV~~`2Ccmrx(FBRz}k#Bq)zWNtb}^?op}bUG8df
zfxl0VhPlMgu-}-pX1_QQQ|j4HYkjni;zTk!v0?@&r_vzqP0_~#x2vmpAy{nH&|0lY
zltcAajxUQY5-`Q$;GZim$)$-LED}F-p=9LZHbSREuH?gt9P(Vubd>X4M*Uz7?WW`?
zI>oBksj3A6{aN@Vkk$(OmC=hXhB9I36S;HN7qdAW+9yc&$n2?6pxgJoU*C9<T@iow
z(RG-VsLTYIJ|E7m%p#4n=rPwY#^^SX5t-Ga*`~heG;@#Idj<h3_vabKeb$8im&7Z6
z&c!#GUaWqPk<RXFU~B){;NWozxYRL6J+Oc{#7xBD<Z&5OL{sg<fzi3fo@z;Cld@Fp
zkQwMLruTkOfthA*Qw!iRrF^!9J{QrKTkM(%p|(FYh1-Ew#UryfpZFcIgLoGMavERu
zW8C=G6!R8Bc1I$NO|9FH<ZdD`1Xj>&&>nxZ1zYqY#%O|js)ffBbdH9%Lbqxsvu?kO
zvi@WVTHLXM5$^Z99K{N$H?Y+;h+@h`kvE;SRn_X`!WVASD)uzOIS(7nVep{LHMu!>
zto>HYg%FdY;^88q$!`w;Vc8V^)2jVi&05k+Z7~0p4_}sOFC@2unRIIL_3_4uyVhRW
zP~(dN&*dA=p&0E1%a(nV>L^B%{ngax)!1UPQSa*{qtRtP#`qVT??S(aO6U(JY-;uJ
zXNOelBofBWzueCIaGlfM2&z`CgU#bUWQm{n@~+boklqH1D#$Y6;1oeln$*=VY<o#D
zFvoM(8Vu2RpC}1ttrU&2&enM75E31feoa3%nv+_~Yjodo>T|p-a1ZEpd>Dd0bh4D8
zEv<nWR1qJmf_I&EEi<7J?-d*Ug^++I5*512ADR5Br*Cxbj5Og~yD%;^CHgLyz>A7<
z0$Y#KxjB-nyrq>9SpAeh+CAs)tk^pt?>3k&`fC4SA(3frc*dT^mYms^;zDhjN-tyh
zrU00NMu`;UYw6nZjZJU;frqC(Yz^36F!ON$m);ppKB`D-H)6R<rqqx6be=ULi*iPS
zMz5zT@&24V($H_W*^ilDe+P7bO?fm%Z322GRX4XIqOFdXti;jMny}tF%OJlVdieFz
z?!8dHesFu5rk;+;5u3tr7ZnzKa80eb{ruwz+`mRDGGP(%J~O+?$(MH=4fri*zF^p@
zwJYJI?Ww<f4K|$0x+9qBrF)q<v+!t^%CwJ#Y_;`sIa~nc*8Jt=r^#vi5KapJ<~J8V
zh0V`^0477oRtkj=B5aGa=PpUXunu=4C6r{IkBXnE?mbkfmXN`v3CP<^Q!5;^q|ha|
zwY+h*Y-xHOmg*N*L_`W4I>;XJ+gC<k>V*LxtlIkC*fq=v^*PzC(*-z>ZR3fZ8SOp1
zt~I~5UVF~BdBW5HAg+?_Y@jW9*;ZkA#Tf+LRK`-hXw*UjK77g8*Em+&kR?oEY8SE&
z%zEk7GC8{s{QTEGe6!fTJd=~i!MxMF54IDH%<B;@!R$8nrn$-sOLIP6+_BPL946^>
zzL%9I0@x%hUmgzF*HZC=wrGC8Uc;pA2~$c+y#x&VvIMfliX@w3T_Y*dK2TXwX-0^L
zG74w4Dpqt8A12I>$@A@)XzIb#Y~eC@u3N%;V1;+o0Ewac&yZ%MpfPb$|HbSDM!YJ&
z(_EU5vh2Q{x#zAYu<53Q$suf+P3vtP$!+wM@ZtNL3QfFlt9>Lw;wR-zD}1Q9ukap!
z(BFJD_>NC2$N%=;LwnJBIu2qR&ptway38CF$39*4X<4u8pqEME;Q^q02u!0>NpnCp
zaX07Q(Z$g*X%#zc`<y1y*(KzbT9Qj)Q*Aff-AM>^c<83<!6k@uOq56J5U1R^)w8lR
z6XbNY@~R(pZv7VOQ6Ne>@y1fR!BqV7OT9GwgA1(ShD>Tyf)MilT+cG2M*du#r{3B5
zNwGa4E3dZy`Umx{Z*r9GGNbE~r@aCK?)W-~s2X7WjoKn}VbN@_FSW|s>c?dPz1+0A
zTrkK(ia+*k^ZTQR&>MC!61A3KIv*qdbr$`v`3gJn+W`?W_8z4N&0p2YX1M72t;8-i
zd9s-j#kH)SD`L>NR?2d%7x6#YSHpW;L+>i<HC@g8yp0rEBT}*#<d*mxFidXV>n4Bi
z>C^?hnOfRw_T7_oH!uE-dPuUXWgTlkQf=Br-!GN2gDu(6zKUI7J*mi-yWwqKPl|0s
zL2vUd!8z`s;nJ<-L$B+@#>Po{rcbu9((_*l)4%}|DCeTJhY7}r4({Ad8%WOMNIE4>
zf4~?-&giqb6&Xj}JtlXOnDP*Uw+z@>UbozhI5ISLhoKQGYe#X^TXVDDknfgS+Ar(w
zuAa1XG}xNqPi@y~?Pu;Tbg>^#rL2Oc_P8R^8u$UZH2XRf+WWZ9GKLyK^2YO(_9mXk
z54vZg`Pad`bqzJPSzzC^4#^i0$Z7VJ676&oxHfyntCFp+vnvsr(Hnw2qS<8SdZBBF
zS?xI8Uaj-I<rhTrEFGTp{9R^2!@gY(g3=xm%5ao^r-yl5nmCv(U6Pb(>?$mH5%&_5
z!kZ-6b?6^%UnWW-&~2b>HjzqS#akx2_4?uPjfNEJL+Nz2+ba@_GAu`;X!p<PGyD8c
ztO|j*O^Tm6$H%!CALxmKeiP4aKf(gz^NhYb-Hiutb*UGw)L3K^Xzi5g-$J~dW%4d;
z{XXZ@E*zj;dDL^S5R98Ms`jd1rMZ*`)N|x(KhXp|3ASF$4!5H~b>GG#8aSP4ut${1
zI+qspLF)X%wabfe`#F20ckH7Z`E3$IiYJfX1Z2{Fa2)>MqzYs5`QD&0lo9LDNudAG
zJLo|X_T2|1$o@k_VL}n`ZE_|8^&i@Xd*N>&sTeUPp#QGUAmjl7({vLr{)a*%9s?Ar
zuFHTF<=>?opzF|teGM$c;Qx?*bRh}`9D|c&{6l9kCjXbs93-lLT;WmZH&9vz%yF=P
z+>qN}Hm_nNLH==t3}A=`p8ab%vfS8q?R;*Y_xAf6vhA+4wf1Y7nS!Q?Z^9p$Cy@4W
z+xH$4?iX23wxjo*Mro@Yr);xl8DfK&e1AZ7>!0pqItSHt@vRJs?e!*wjU7hlduc3Q
zOS-jUIb7TSP`~|NIL<X(+fJy^rZ#<Rn6BP@jAy@@fYf%Hq&TDIQ%riv=d*k8{s`&C
z7;wGWcn6CO&~p~d(5<32D816$Omv(%KZ8nNBqrvduCT)KOI^e;%j6BVCk~|_G*CI@
za#)kJ^Td(g?_hu%vzuW_Rl`*XoRXW4k@1UVZx7wSD3vm^lXWr7+fahJXl^2+z}j^=
zt<~$ZEetaflqd&DZN-rQCLHfb`3fKB*tipTde$n|nqs=vsGmQ4M8N3@d*=c?@$D`5
zM&3N2n|d}ANRTI^CiRp5o_@6&Z*>}mo#ht4w*ne5IKWRAdyY;vt048H-jsZM4dhlD
zo{lY9X5HRWN3E2tXjac)KC~0)YJGm=;~DeI+^%<_KDY!EiH=*NYd6|gdII@G7XnCy
zM3fK;vIrhd%VA+&oky&^7qNHIdJ0}Ag6gK57-YYkDVu9O$wpT;zM=j?HR^E9{h-nH
z?nZ-cBkRVa7FoT<BSQ4BmbmQr^%8WWV_)R5`ITe6^W+BV{#(hkokS=tYfSDbf$QRE
z6|Pa`L|>#y04k@KpnGrxvu}Xt0lrXBEYInf+CE8*?1^JP+^e)yqK!iYacQsz=Rp>U
z7o5438I1lsE!R7WjG5!KJ6_?M@oTlxazKIEtr_)mNh0h+Wn$ZWi*TflwN(1gBXaW{
z5kxT1d1iLn;pu$Gh*k${IE{KrCr9g2k<U(GzTtPtxjNN=^9Rl$9m(+7q#sMCMNq+O
z2g@I}3pS9{`rt+0;v7@`i=+mP(tB1=+CRRCWTQHa;^V!2mYv;<6YamLXe3D}DpGC(
zsYzI-N!V4umps&i*Y$cJf0xLn@o_DwY??0Zd?zjG214hWdO7e-?`LwmbiOSi_%oQS
z9p6=_eqL`Z++1k;f8T5+O|JdpnPCWC3NGco!kzIL<34}FtIu{cn!F|Va*8#6em~3n
z<EvG{$>P}Xn?xtape#semifR^O_t@r{skV089NyQNkNv0QycFmsj<n<&ds)IYTng3
zF(pUsH<lKUEpwsPwon|nZo)n%gWXjIXf6#%HkJd>L5kJj);|N+h1_wGE|Xa|(2P2W
z-qTkXbQYI~t1Z)-UPA3Y)~`Iv96Ud$7f*If=pNrKqz1ym*saZmK`ZHw%W$>!-v!!w
zv?uJ#Hp%@~9qiX$zWW67?!a!mQE0rx=`f!3Q4f;gD?sFtsBmJRd~@g^T>jJV5(Rr`
zy|FD`Q?0MbWPXF15_>6LzTL61Lc{X)-vR~xqFS4B7}<(w0UZspoY%Rt(s27&$glMm
z$yy(7?3;D=m!HvUo+EPg4%KiP$A1+6mS@b#y=<qxhgWT|Ok97C3N%&T6^NDA8b86v
z^o-a05AMQRUsh_wXgRs-sv)ibD^F?b)%C6A`E7BMeuNlLPXD&pN&YPHvFXUYSer8g
zR9Ak7lpVcKd7!PVr;}(sJAu?t=Z2TsiDVYdB2d+nJ;qpCsnI%l`e_GfFEqLV$Czz~
z+>}FGDL%jM2{exb`AWC|a9AoXn6_@2cD7&iiZyCidp^JmsPWB{-Kd;Pzi6;|aO>GN
z&+y2YYx5s=DLrIrIT0-IdD@%hn)BAQV`cLuwJOYVJ%ygE;^|luaPZc!$UPNUqa-s<
zl5mQ&6A>JMd+d?tVZWPU`HLLLD~SmERqtk68tv9S-<{lal9dho<i+f$PjuY&diZrU
z!$va;U#a1qpi48|zs^UnJ?Gp!%cB~X{bqX)hIPvYU(kziYn985xpYrbf05p3lE{ma
z6dnIuDZZ@3Mv>9yLFsa7_M*GB%I3OrxyyrIR|=VZt=au@tJTD7$8s%$|BKtJ-B0nH
z5}beR+qXtrDN!L+xHGL|$PKF`@2L^LmK|}gJ|-cHnDb8@-H~%zgOQVv4P8Hj`tyqP
zhPUfRq0LbGndvVQT5<T5Uf9G}W(#Msb3M~eUC%$+)ttS-c?1Sf*e&197m6+8!oi{c
zKz6gx{mE#m@z_9a!$@~<OZ+)$tF6)C3OqXJkE7V3ft3wbD24|XqYdNLb3khKf${})
zG=F8R<DR-$!x#?E+tnX3W+#D9IjqRFccQROF3;dT>(%iEf%;s)vDcU?`=XttS<GT=
z*kK*b?`MTB5$gOBT+pAV9RH$n_FZtzTAFU3GZuf?Qn5zwL@C0TUtle&I&y0>m&Inu
z?YzrijuUGLc>C1uI1I(S-_gO^tI8cRl|T0~nqr<Ue-vU#aSSKFg)*LT>}3`2q37P8
zyl}O0l~GzR?IztI5g@J6_*5zB=E=pR_KRByDASyv_x{C;dyRx!x<!j{C(P>*{65xH
zLUF@W3qI8&x3pb9<VFeQ^|~>8fCx#iOoQadXaTEvk|G<Q)W}}l$syL_J@F0sG5z_&
z&s-A%Y!?}jiXLeFeRpy6)ce-nDOsCoK<9d#y^1EkmA-)1V8=<e)pPlSgF+tC#D*Nb
z&gWuYZ=%vTn9XuTlS<ZY$epgvUGtdbxoSg7eHpr+M`T*gwgI5cF%0Z5@rqq;VP5;K
zsOSCVa!GVsdb^S8nN+%q@mI9gI$(v260&IJYC9d3Y8SR>p;O=Ze1l`HcDW>R1p%w2
zt-;+1Xh2(Cqy2!<P;iz?TitQAPFg1K+?y9DV2T<(q5f0TcqPR#Q&k_!o563)pl4+h
z&oSLpjKMmU8v3wl5;w#+FR6V(YiZ3&hlyob{&j!Bz8;{kK|I0G#^jeo_GRP)CNGz$
zsi@u1OmuOJheKVu-uWALSk<Z98Zn*OHjoXta1HP;4a89$r>i_7+W4t~v!tHd?cVIR
zeifBj(p<#XDF@>*9rW1ztckDeHtf_$=xVdjLbXof<I>E;nA|-8Opk|T$zIFZphlN%
z&{os)ZdPQIFTZpiZ*g@z9~|GLaG4G5!JuUV0l)%LI1Ch_jYpR>c{tWys+J_CM1js<
zD{xqqPCS$(dMCDHf3w^3EH%0Hgu_s!Q~E6CQ`Pvk8R9K-wk<7ol?(7nZ<s1NYRzlS
zBdQR`B#q_sZl>^AL@WV)y{9F~M@C4x+h;#7F3`~Akl2OLj*2s6Alg~>H$!DBJFU!J
zf8Ib4-A*f2B(-C&(Wqw%xpX-jlzNI!s|xq=s5I-FPWKQUJ9ORHnWx6{nZZ|ITxiD*
z!Bm+FfG=6p0_qCqxqjE!G%817|FL9%7T{H#h;QS~pziGd%(3Fx@|16;?GjR3OTQ?a
zW~;=jmd;(mBIqxem`)c7#BZ|<SW-2~k;q9<@$8QQXI7`19b9!u82i2Vqg<q^KmKk#
zXM@d(jHT7K*_|wD)ZD$PYJiT8`G-!u@3g(P!(z46l2hvr-Q;Ap4{PD<veGTE$uTY_
zrpb_fj#gg}kl-Saz}B+N?PWLXy}K8L*_`%}sP}O+Cc#(v2t)WLMeATHW=i|9q`ao3
zSeZ6p%#h2on3*<%BVEC{D51nfzrwl0@Oxrahi&pOjMYt8&1gTxS;TxsvYa7D!t=OT
zcg9E_ow)ko&tYC@bMe$Z3W)I=R+1HOGy<J33xkM?waJIwdXT6|b;?HS{l*52!m3HW
z;iP@1!t`u1KqlL?<LkPdEKQchpFx0V72H~K#7cAH&{_MC)VqxE&M{40n?tLo%o0em
zy1i(fsP83qGT7RZw+dW&G`=)RS**7#qZfotM1)oGr1tni<NN)ci!ZAh-c}y(Xy*|=
zW~f8RPr6cor7?x9hj+@#T#Y<Q${2$!o1?74=*h#f!6`glrIR`<T}oRz#GB}YQt=_c
zdsf=2BFm+u+4>p&w?&{=3a|8J<D(LAi4vKM6lk36zT$K%H1A!#$!=1cDiF$JQ+(_8
zR>rBp5?#aIA$wjpBw?cMYy=87w`L_)5}px5FJqsSQKRFBA*%Ac>6gN0OVeDV$Wqrc
z&6Byxott`W<$DhNDG86@Z~smJw(zXPmgL6PmHF%WaXJv|B;#jFWlXGa>%hT&yNU9I
zdOkL<ZN>e9Jnb%rK$}I2sU1{Qudmpl2t2&?HFzGEQgJ6KYs0U$En3q^c0Er~oGikA
zp7f55O1+7B_Z2$&MG{V(b}VPgweK1m=A9s&1X#i|KQ!KFF4yKVUmZ7MD#@qUGGlr#
zpk=bOWxL9Qi58{Ff1TUg|IEtc<^L;TMsu=EIOm7iDVTBn!||?z_m1z50_^s?g;0@3
zxB8)Dln%KCHgT>rqcdi6ON+0{;;w$mK2@lS3xXc1zOz8xjQ5xTJqFkVHbRE+DrTjH
zsj6sqS<a}IPd{lL_SZd?gb_{~r{SB}vY_j6HFG$mP4d$e+6`oEG#z}Do4ftUqr^<H
z+GhKhNAJY+p46F&RN`+LuUtt@n;@jRj8QE!Ij+jqku%FjBJI7tc-=U*!f&kMqSG8?
zXV-Nf`#!}+%PO#;RdFrG<)2(Vt9g7@V38$)0=t+WcB-S-0!u?94oRLc-0hq-Mjl}r
zqgOku@WTZ_gB`0Dq?J!0pmMQs>o&7g(O>kupZu=nHNb2N>dL;M_JF60{q`x6>`jCN
z!^hlRDsNh$$ZfLo`Hd$%)!cU3^2*?%X7ygY;)n5y^iFX5%}04oM1EZI*^WEiQ{@OI
z57dN%A(vb{n{*qWylwF^!bu1zEN897m|x06P=>l%b+%v<i=VXpSw*Sw@u%3$?}4Uv
zD~5KW1sOb5ZIZ35T*$yuzH@$0R?<(B$M>D|?~Ai67evSw@9IS}ypZMIB5c*-+ps+a
zM&6pN<S%u|z8obrQsk#^rN`?T(2IJBu5g>s#CwTLR?+>ZiTO9`85iGe_uB1n(_LqO
zLHz*Oh2g@y^`$HilO<u>NyY>oZIIipR)A!%>S*XXIJTcA%O8|Z9^ocf>WJdNsq?Ed
zd-}LZj8hw!@3t2#RPn0RSMa3?g0^4(5znhkQoGMdcEfJ~iNjexY(%#13Lvk*<1qh9
zeN`h!vd*~sRo%0A(!!9awHLaE^n(khgj^)xIHraNBUM9dgGRw#xg#rdLc1?Fz(iKZ
zdO1_UrQ6Y(_Qf>C9*ds7ry~M-*y(3iv{R#xS&bsvOK$MhjMS*&@Np_7ws<qoF{kDQ
z{I=?%%7_-L0A=^#(@{161(QP<Jaw#EXxK^3(=_W@6fJLXMU)rf*k!&PgSe1DUHua8
zU<i7<kEJ1T=QJ&yJI!*HM~MNtR+tA-?CO5Rb0*-n#QF1>LUV&N-<WjD{fcYjL7IWD
zq~t~Og-q8xg#w7xC4?2kdnh!H_Fz0x9xsS-?LHZ^OO&|d-s0i238#`4hL5y=8*0fi
z<d@3@6|z=^tY<Qg9q}1oGF!9$QY=dBxQ)tJzyk`j!|tEr(;Ae-@93xAUt^l?AZj2g
zk)>?0($!`dl&Y0BMYhh^f5AZ=9JcV3tlZ>cDw1ZvJXpURpx&fcPg=iSw<`alE}K>y
zPX=qCU3FK2#n-U0-ks6$krUa?n)$Ns^zUTJZK&a4rvdDiJ;aQy4B7Nrx7wCe*!}9E
zo(6zG(vto4en^#q!1g?*nN)^+d86vQ2jv<e*K`c$P=AsZZ5D*}$H2F&>p=ML?NqKC
ztQt0t5{lx(@u?^Im|b~Wo7&;OzEvq2=(SHRQ<EHT8$b-soeC{2vRf#KdZT-ERmFC^
zx^LOo9d3%tXm$qVxbWPMPMtfIi^}xidm>?hR*gdH8Gu+hO9G4^Ge<n1Ic(y?<MryI
z-kFcvy49`_mP_2Q7U9{tBTxy%e8Wch*OBi?w1-FN?L!6;GA5)t-4lPoM`%t;V%oM>
zf=XH`j1`}nr^m`JzA0)bS7SQyv?W>?Z^Zhq=FsxQ_TimfrJ2eQ!AkHzm31rFOI%pj
zAAM%wSJG4_rFuOC=wNeM!I9nytA}g}%ZL#t7Ku{ng*L3DEfP9aU&AJ^AxTE^pN15x
zRCc@E!p^MdeSIVY+=h64o5nK|YHe|BJ9mafeUH!S=R#A`;!@DrwD9$%uO-i2IpEct
zb0|N%^RG@bbl92}oqpBCDl3)-asc?QIdCwi6#0a7?UzH4XqUlqj3lAwU6`!3y?&s6
zFXE0Xh7?R9D}!v#P4k`3uSRU&-DFqSvxSr4Ix>qeUkp`q(OQsGvO0={M(5m7&7U-(
z*l^@`Rav@gjL6~_f)d`%x-fE=(ZmyOjMc4)Yw}_R^9Y6%d1)^uN2$o5-Yzh8R7fFA
zk_yh+XtT`bXcXVp>50WegIv~fQVEb^ye1<O5BDt!&6!X&a#R3TB%aS`cQ>hYA8J=h
zLpOkhRU37<5KT-giv|+3d4XAFHCCCrpRhK*>AzH&d#rPhU!zzunotV|!t>JQ9ZHk0
z;!%1>(C8-~*_4*nD#}Dpg<h~I3H4i|;KR?q6SlT<`(jznpp>!%Rg_hmlPfrMcFX`S
zz2s#%nQKcAXs;vaaZ33bDt~^9W{<j0)$)<0QNM`fCvvsR_HK42i8M|mYFk!!>}$zR
zM3Ktl)*pTpE^Gd+6v?vBlaSJiew3KNK3!s$WDPl)&5y*$9gP4$q)o2YclO0%)gA}V
zuNmEO5^SJ7y{WV}YaqZq_+DUXmrz8jdIv3p8(NNuYzWAdzQ=`5Pf2o=*x79obC8Gd
zwXaUQu2#8b-Av%R6HPg4qU{&a?Sq)|aGG*{KiNi-L}}!|!=0e==x&pY1(b7iENv)Z
z)IVNuOBn7j73ggZbrN{$v#faA7xp0EI6SApH_~)Cwubd$*u>Q?{eteW%O&BS;Lm7y
zD64)9)Wv;Ne5{_gC0Wy5^^zAT^<6W^Ygf~lMDN6N+|dms#V<#g-H1OndyL^&rqWaC
zZSmiD)+}j$ye6Dkc<u?HFsOI@h#rBu5H)V{o*gl<HIfdZd@1Gs*eEpX8e%dqU1=eJ
z7uwnDUzXzQEn9qZYf!FLo7dTj!!tO%uzW8M^ZY&ib6iQAM{GvdqsXhcn-r#rvhDFu
z6I_{DLU^NMhf`-8<-sA{sWE`^*Z0+$oSkN-*<|r^zUn9yK0jw&cnKW1a~dGsc!mA<
z30E={(!JnqMBxV5#-=gl@@Gux?St9#UtKk>^3JZm(BrgnOWw*Mg#reHv;<55XiyHd
zYSWZr?6M+>aj9@1=&>63DwBei81N_V$*a~urIwMtD!#cq4wcFut;O(K<u`qvG=-xX
zW5%%G8ybRHFH*Wc5>j+rH~-2<Isb=swrv(Ra;aH;IN|M8Q_ODQy;Rz~qpdf_*z+mR
zqj7@LX5WYvYlo@a<I~R#E#*$PtH!sd|4?lT%VE>IZH8+<15a(woc|eQsOpYhBOMX}
zAp`KIkxACHxZX3Hk;nk&{TbANdsj8Af;<*_Uj=l61BH&xbB3U;oRI>2$y5(`Kwar@
zwOZXw<XCzFDHRI)Kasij$^Sp?y=7RHUDq}$h$1Q=Al)rp(xuYf-QCTiVSy+mA>A$A
z-67rGwWPaY0Sgvu<8$B7``-Be+267EvEw@)|G5~~yyi9Lm}8DSXPTB<#MGK~4YO+q
z4$iU>`hbJ2GlyDT^YW{ShT7Osf6ZjqDcl6%?Y&z{_j)PMt9erbsGBSbALZib(WHTS
z)X`JYmg1%99ezIx&x~h2m6wTp8nMaIASFGC-sk%s$3nBUdJ@9CC8E`9GCkNTadNyQ
zA-AVC41w~OtkiO-3%hD~orH&L%-lSw5P;;!dP~7b>p-ZPz{dkIe}mjtEZe*f?tFYh
zCcIKy$ETIlG3O5oT3ZGD^qlPh_yD1%&_Z2%BS#8&zz$wcOP3yqZ%t8SU%xiZVm@&%
ztT#@Y>znemDrbiB(YZa<_59%Q4B)HJFG=V@;^EQma8H#YzjhX3`^d~#*Rea%>)ipF
zXGNfXRTh4sla<#tW3p4C&L0W=n8WZty?bjAho$jS#qV8=*2gp4%q=<0ZXO-brc-IH
zR-(^0>eN;Kx2YMz1C)yxYV^_Wg4>E-*gX_o-mPbQ#5cvDdiS+24h_|mSW0RlTLo%|
z0o|P#S4!@>1!(D8^JQf!RzZ$8y#boXKTOj#Pa!h>N=k&R!Hz#jgFmsxbhjXep-9uq
zEd{Xji)gvHq*3jQ9}(_Vi)OTaAIiIo9mE>JNu^vI!imPFYcUfAxB?Z7DZ)RWO9Tv@
z`W)X`3#Y3Q#+(G5h~|u<bjYsKeDabxu6Oh2F~+<{+br;R%#{R}-BH*TBEPUAiYp@W
z3m6n@B>9wfRE5fd=dYUH!*Z(@mSf|TYIo<o4YzF(4iTYq5u)H?t3hEi?-`QmW*QCD
zz~4*Sm+hZnyO)(K@PDa&M0if)8fO^;i&Lf&P<Xa-WN%9+7kd2bWx!!o`PFBagQ0~6
zym}12vDw?6O^>C<q$Q-2{O7)T*{P;TMGy?z3%>5j5z@?C>E1+X$MY$%Wn-T++Ll{%
zl$*K(_kt!W`&OBg7=ff(R+C&w+{2M~GAkW4B~qNP<}XnfM^_u=!c_7AjA<ESLbaY`
zZn=_29XK}9C^&i87hI<+!aOqF>uQJ1>M5whNRl9w85OodqNr@=EoIY)PTxfex%xY$
zoaL8BlBY}bAC+YC-MJv-TviPlO{Mmz+AZlj7iD|%s^^&O;HpvAUme_yiC*u2NGEtu
zJeU5#?{IAV(du)}c270x(p1VF`Ol`-0UL%@I?CG#GONrq1V1^LaN<o;5e6>aD4JX+
ze0s^s+kS^w{))y4FM|4r0%xNkCB^VTA8J&D1X$}104@#yJ`h9toU3nkfhfi0UOS_4
zNg6j~Kq`_z+-aKV+30*OHLAussttwECO?sywSQ_d*0GHCy1=oofl)uzY$Kltb<p(d
z*qH&(RNa!Clf(e+aGR|?(f7R{$CmS7`>)4_ozlNrnEagFC>xbN1BcA04<w^^CuF04
zB3q{A`$=81?wo;F6Np~#pUos)l|<9+bJX+UsoHb5XWqZ|B9B#OX$G|cuj@PN+N=d+
zCW_OZ#tkNYO2>OWp5u1C_~VJxx4YqK7dAp*Rz@n+_gPehR6=T$U1M$DPD~(RpwvOX
z=SBHJbM}u9z9N~J+%`!P^UD<9QuL}{Deo3hiLlIw3<^40nl;UO!JE{&i!x?%GQMCA
z%f(98KHg&?v0Fd_uOF-5UkAKmEWNml(GteOkGH`%(Gv9V{peC;_iN&#Ah&JO6bV}0
zp=1tDxV4d+Zmpna#=JMD)G?c<jnw(uZI$&kDtWC6k6HuF<GBTcfZ~g4?y!$cCfIt3
zRw=QY3lJ&JVM&0&yT*q6V=x1|oLt5SRBg`)a{r&gWww+<u7!)Audt-*%16K?J5P<W
zsGlXEU~d3D-O@EQxsp{|x9b~r6J0PkG~1e*jCww>OCnvq74;PnN@HM$r^nB<g&k>?
zU3EClmsT>?(N@K4*5PCGKTYpcH>Cq!9DG{~u}_weRZ)8V7IGV2b5^@%!HsZ1|ME$H
zE=|N3ZrMy3U-rmt>zQGpsbH~`W|5<*-3P&7{Z4DzvNs$nJ}(lfFe&{$@!PX?h#R?-
z6Hofcb!T-glt|8Zuuh>1UO7TeCdeik)sH^Fmmb)Dd{N%)68QDWAd{S<|36cVZDeEo
zaH4O!eAsc!AGegt4<WqK?_T1adYpgVQG56qTF7hhzZbRYzjCCYv^&poN*w@{hN-Q{
zpeV66do^wmyHsXz?%(-TaU3n;whKq<I&<uRAwkW`xUW=Xz)p4{y-8;%lMYdBL)<1-
zWE!xV_DXxN<}wWqqgAd-MFO=PvK3>z+d3MjcXGUn*xcx2<9+fS>&1;#y^;dIsdTME
zkDM*@C*4^0JF|w<$(YDy+BPVDr38N*JtrQ&Dq*Zc+^!V$$&zcMnAfD|2juA?0y2&E
zSg`!@&j#7c&+c^3K;4CS_of_zILyxyW#mg_OB#|et1w<I4{J0H_0hnbB4db_;+mHV
z-TNun`pu)8qt!T%wWm$Mq06t3U-N%gM8~6}gC@J@{Rs71*GNBOmefr!n8waY)97uE
z*&&Q;^q7~r;^dahfuGn5xcap;J-nBrO|-pEIR>#63m2!SV+7tntlf)E!8Yu2HJ)c$
zRdY$+i=Ww7Se+%Uz-v_JR;d%$zYAVyu&E}C^q}0v=0PLcvkYrrZ$7VYO<sJktO3N@
z`q0CbLJN3@VWEhuL+UKColna)nvUE@k7J)rthahR4<nl<VCP`H$9)12p>#Ta!q(U>
zNaAFraSdk&Zf#40aPF?PA3GH#u=RP@MdYS>1a7GdhsS@#fhF4AId4*xO^7Tt7)yn-
z(^n2UW{)d{y%_f{H23bLIugKjlXcx09Bzx@RR$@64{^O_sq<c$@fE#3^fZ(5Y&thS
zm3zC~00OYzb<za+EB~s%yJD18_W7Bl7RNVj`<@SA{M@-h`v@4dwU9&FM4#xLwoT?q
zi_%J*y<Ax6^z<w^PC_|!oZ7wa%h7TJSbQeC#S9+@Gl<FC(Im%Kqb5pXDRYlHyNwUF
zE0Z{+v^=%kpmmti5q=Xxo0I77mCe{tEuJ_Qnn?YVl$%CE01Q!rau2_!3bS<)nHy}X
zI~YyZf1w33lv8^PPruF_WsuZd0B`m_u)<x-#qOSVK=$1JWP0rCM3%lcyNJmXeqi>z
zsrN%JrZ{+k&IoE^ZLDE%t7^xNN<Wh%_=`zQeihN{a|Rn4;xu3SH=?$*tBZ`|%sHbL
z`~-*k)AYr#^hK4H#d~c@x-6Hk`vQ59mKIsmEa$o$PJN9MF-asR=*QY<%tgk9F11Ac
zTxdBlCL>6W*|=I#wuD2$gKxfXHUG$vsQfjYZGCwOBPtk7`F75YJ+G0AsXv|+{h&Sv
zDHQhzsBVn!MVz-qEuBY#q4>REq7WzSAGAg73XzC#SQbOnbs?enGfuOJODIHeaXO4V
z*?p~7sajfUtTa6-u@cADNv?9ftDh6>q78}8_RZ_f7MFM#8RLsz_vU@I>TWC?8dFi5
zRY$IE%J`wZ%vEK&`;69RAg>u5uC=ZvckX59p=k1c%Hs~fS@QH~CvGv8R&yFO#NG6j
zhfvNz@Ik;_Lm(Qwi#vi2d|Fy%wA|pe+Yzght48fY$L(Wn$Ey;sibcg2C)LvvBzuR~
zlZunYWy4pDS^56?|L$iWjB<Y&xP_=v`&TN|)Dx9TgOYF$YuI*~{q}i;()X=h2%ok0
z-9jM!Di(0=M#}@RtauCJR8eQMLI({BPQ30OLVhXuEBfZWU}K|$V)ti>CR4$}=Vo#6
z(rPR3R)Pr!@lCZR7Y~zJF4=Mz?@z*NjH)p0?v7SLgmS?<>w+5JN+LLaT#1g1;kZ6$
z?y)gVICA6AJVc@G1XAgvGxJ*j(Dq#RQA%Hzyp-s?q-0x|KrX8dT2=#GrhxaE7~^>z
zrhnYRo8E@U78O&*OIK+nI!3r=r=bP7)c#Pssl^4~=}V_w4zr3YkIE){M%T#m26JDw
z832s-_fEHjV|H=h+Z=V)aST^uEo}@b9IAy?Qtk4(9#+nm*i0{95r@y2>^gi&2DglC
zXrwh;5nrWo*}ojU_&zYBb92uhFCmbDl8McXwwLZu8_c(B!Z5c!oOZMl!|S0o>~5Ag
zn)+AcMgfn9%^+WqVSpJfn@!J<d_+fa%{fI7*Op1nc<Br&!>esAnbz1mes=a6hI{~V
zE(*BEJ+77ioVg`Jli4YziX<{tLhqWSJ)|uDuQqZ`>A^6M&OO@gVAi}!gK=vs>72sj
z>c;ch66LE*K21@|w5EBjiGOuc^W|TJxQ|5D_H<=jmD<G+A6~0OFDyTE_3V}$=fID8
zMzK5=_R8ODQt9qmO~CE;x)ygN3i{x+oC~=jA-*rp&it8Fl)lL-s9GoETBzA%b9Yx;
zh%t4wi9J-Fw9#<n#X;X@)vSmHH)t~bg~E)K&8QO@sh~h!xvU(ISd${D%loCJ0BV@6
z<4sr2(%bpCoSYD8qjMD}?aQoJ-p*QJS!tPy%hRtjuNj{HcopS7Vxy(pV(6R$X>G2Z
z(cCR<z_5B-x5F((6~=lQd*5p6r}LfY%Zy5mK;kOj!uD^x1dLv8$EocHRgrZ#v4N>N
z>|V7uf^RZE`lC8MG&R<7soT>rH|IW6ryo%?w-t#mD??Q?pmEHIhDFt+#T==T-b`~M
z2G{+L_h#;}r8g?j_1EsOFOzqm`a+zJM?=21S>mE{g@+f`$0n!D6oC@^9`{=n-Xf+l
zyYIZE2BA))xzg~3C}(%zCGAT(oi~1BT<Chw_o{z6eFV?BSnPOGo3L!8x7JSM+XRE&
zdw`J}ERtU=Zx<GbtebqJD3ECOG&mzEry92BgfA?WJ&FyYDv)S!cS<yF^p-i#E~(KZ
zlO(339&PHSkJ-)nRK}J!RA}QV@isvTsPQTIvtnoail(Cg_=4!Vpi!9U9T=I?^=OBx
z#*Qq1v6(Gx$Qlz|MLt0NDc)p2m4OGJL5*@@H0f&@r0fI)k2+eQLy4M^@zb=-Fqta<
zX5OhNz(f3*GJB##0yo3^j_=WT$@kf{Jw~&Y6HNNeHm;T?1Tc<;wbU`zQ4U#A3+k4Q
z@k)vpp0DQaaKzrQF>*}R1I#kRkxQ~IM^C~hD$J&37itWOrYkJ+*qxHxmHJ{;rZH6)
zdrr0&gf6tdupCQz^ULTQS<<E#E6UjjaTXp*dFCi&ntH00=X_xc${40)Du^|)Ia-8}
zW^8aG!PB?#oqyNrr5bEKog#t_;mv9*2?)(3VPXvNDlP{`M~yBQn~Z9a4kmSV7B_<-
zyX<tDik-CY1>Z@IR_*Kg{0z%tF)i!U{4|4Lb6%YELqYaHSuHHdtnWwhY!ea>hw=`R
z`0_+{T;EDLv@^!yRk4Dmqnlt!QPE^RQ~#=_hB3%EsoR*XCU-CMc}uaHs&Gq?0-d<)
zZLNVzku+{k<%e8!jj&}SQI`It2`mklplXf-5yhR9h1%Mlu@_NDb+$!?X;iTJe|4Zw
zV&HFBil!OUxqy247Lwia^SF<B!D~4q>w*SkPVD}(;GEhNC&(A#li&khT^pOJqIZ$=
zuZne$%W}Ps-eIT)j3|~A{Z8My8<&=p>5}sA7haU$CqE5Tk{y<ADKXBRe_vI?6C%Rc
zdupdgwg1F3`y>8E*Z0<p8kNI!3PA?C;U=2=#4tLS8N4Q(kBQfeizca@)GQ+aV9jvc
zaOxKYhl6e>GtFR$4{5E9ubMe$myPg<7EHG3l8dFNYA9VWE?h0^+<wZWnRtL1&nEiP
zbQP;>+3{^Ea;Mmbhu(uHws8$0l7$6Ld9z%fg?H&Drw-=TIHY2CD;T&*6Fey^O9_w3
zRMhI5&dzdL=419}J~WEDTH8}(txSnK$7w2Q`Xx!?ncVc6)#@su#-t8}*4F0S(AET7
zfSdtJ#o;v!gj&4SG=LnaQkUEpMyceg4{2pn8LOW&bD;w&MZ*?)%kY-TJp`i=7U$@e
z!MHmLFP=Le#==AcB1JS@XL9#BiF>ZZ@BE91WE~iC)!$zwoJ<e#EY4}<q+fJdYmL`S
z9^%y#Q(of}JKo70Fqu&BCX;Aj;b+pWG}E;7SuWR-Die`nh~S)C2Jbkh(B&V%-XG|n
zP1Sx{@(@)$5<kJ6j4{w&ayd|ax1VSo*+e{VRa#-=&knAYbpXE67nv2rUvSyu0a%+?
zVeNbctVQD}o+<eb_07cKfp&;_GY1xE@M%{f=sSvibzn4Aanb{-AHX0exbX}_bi2|f
zTeSyL1<=aY`@FzGd}EPaRbiPYovl2r=o97f$y0E0ue5UFy4C{ZJLN8XtzLwj*DK9X
z6RRkh$?Cdc$f?Go4dkf4NyS1B(MbdL_>Q+0j5sGUBPHoUW-1|h8<0`xbh-D<tkb;M
zCsvUQxUw00TWoQ;urvOX(2h>$IG>=96<sT)h|t=>oyw)vw>csoE&OX_Uch0*Xk45U
zZvgkNG{-wx7XwD5LA2$~igp9JuxqdbWlI7he<^z`Cem(NZd<julb|J?W!k!bNt;sm
z6M?`K`j*&!eD28{pTXd%<_ZQ#uG7WQpfXL1)vrsj%II&CYF0LePLi#C<wjX9WK${M
z=d2Z7s8!_J&eJMpf}N%EdlMn~eBL!O)``L5QU}b1z28j^&yFl}7+6*TyD$1~DqpCw
zR`OJ2mRoFId+JU^|EOxiEdVzzxIl#j9TZ=RpBJCX+<I`5uI8E;E3%s;CFZ=>z(;?o
zlhHZkIsU|%4R9f$YlB1CB!^9G``}9D8kpjzY6VEhfxWcCw(n=+@ifJz6L^I^BIZ^U
zBg*H*LpkNF2Iwx~KN4NQg%R-PQh7~w{ut^_kc-PkWxclXFer>n5<L_OUJQr&SEltB
z$KFXRXq}UJuq6yQ(bZCye)7FUn6};2&|u*?@o3mjA<fYqxqH6DEb=_8FQ!|m{prNW
zV#7`6+ZX|vF-ML-8+=Mae*s1J*)4J+rdXs`tpr$=05?F$zwq8UQ*W)gsgd~tGp4}y
z86WkA%frR8sDCxBM6tN!vDUo*Kr>&`Z-Jsh#<4@*F{E<vJGVPWBw3j$;3|ppD#3c#
zl#OPiA07+PPM4}r8GkvzwqjW&7jZ2}$}5%3YC6h^JQ92)zMMIhOEDT5^~UzgfR&*9
zpa~}PM;&~JyU}FgW>t)MhHZI2T8fx9lV7!lxia$^s)*9UBQ01PZrN}+WHRp9_}_?X
zHVMi}qkK>##mH}mu*~H~ejZYLT_utap9ofuHrbY26%QT9ak+SS<8Bbujk*Njr1Zzp
z%||bd*sCPE_bJ^I+6Qp(HaSP2?mBF@e!pFiwB`yyvNHXueix@)+&bfAg~-iC(Ts(>
zE-~;tn*6q?G~C5}(n8~!Q7VFLsk+S8&$_8-ug^9lcIX|~Mss}2>{%Sy9z|Ko=~hz!
zc^y_J7BgBQfn{yv9jmN|B_gvy`>d`M+Yy^fP|S|wg;q?r=!u(?3(HVH^SpMAPQt9*
zHOn#gwCOdmr4U52Ns%>iiNAm}Y_v9Iww(HXVoJ;COcyW!0Iuc7nLLo#jFl5$74qHm
zH`G0UC-`%MQN<&B_S9U>=e!dC$Ce51{+0TbMRKvGyBJ`i&r0Q0yoS3;vP;_3t=tiY
z=FKI$C6mlNp|*yNfO+rKGK(0!vfs9f^;L&&n{y_1@f3!Vt#e49*sC)?`-242!yX!e
zz=0^EWb&DrZvj(s^bT}(iK`ahM&YSoG{vmy?GwtZa#-ajPjzR71bd9F_|Vved32hE
z`Fu!BzX}23pyKC(=F=GO`g(^Pbk$PRs@6@ecm(#Y<7JjI81PLr9P!_wv$WIVXC|%8
zp&F#eqrDWTV#ngQEWw3}%aMeo6h=*oWHya*P7E<b@G_Q4$MEOK5|&D(7^>}Oid50%
z7FDHkhDls4<WD8hT{TN&TbgQulY2kIgXi`$33%$7CnoMo2e!+HOA7P5dfYW<2A&>i
z7R|)ER9>%WXz`0$a;-=0#?5BZ@!NxnLb96YSv{Eojw%l{Or+7QAusB?%tU1+&@5N>
zO-(xWh#aEgE2y7#o}?k`DVF6;Rj?dn6D$m`Mp<|S_JNOPz|x%&G!Vm1P?~f=>MsmL
zZVV*;t>M(9jd2-I1!Ychg;t95^r`ZvA=T`Iqz3$%1?x$rWns8Vy%-0yC9kqHG3(Q&
z2b|N_GcQv7MB3iKVWn!w>5-a60)}`_zp97{U+CV}*koHBh~(v$bs1_lJlo>E2-9?i
zgsaaXyLgLFa0uqL+z}WQ=A$p{u-F_epM9xCWvEs+44x^}Hv#N%l)QM&eNpMrOg$IA
z5FfTB`~!Ov*SoZmlcr=_(KcDVGPKs2<Yf&?6@kfwvBX>Cmh>ssPP;)#jRH5JFE?1~
zBbn+(Pgl4%lBi!L@OTkBw!hLmw2KQJ`+ma93H=bo=2JgX*~zy;@w7j-Oco^(il4e&
zzy)e4FvN$D5}mG{h%IbB#zwY)Idt?Fj*Nv(K||;$D$cv!g}6~8oMC-9o$KOxk}`2|
zqZoQx06+?tv{Cg}Hs*hAzuu578m;dMRPn+_K?}-@L{%eeC|x5m@3aUFj73Zr40Yru
zWedW8g|tV=4jy}vqbjbrLEM4RkYY3H^yz!T0`<TnE+vx5EBH*D{)oM#6BTg3S>H5N
zd4d@cHX4g4Wu~F<;K2uGS|11)R-b7&!m2?@PQ9HBP%^~>kPQ<M&#<!@kYD8v0oiaw
zL-%;LQ2&HN!H?rWkF`&$CF1|P<M~?%AxA5LpkNTRG8XiB{kB>vUXi-*dGu4<_0WI(
z2?+9k4-n;g=|f32NDw1)ND%b@H9&05Of8KVEp3hdnsG8X*!}%~W`^z;q^jx;kOK)h
zKfr|(fnE=8QOZ5o#ofJZ5nox_-QB%yac75m2IcOdZS~3DzR!B*7nFmG|7;52npjp?
z9uGSZ1QY^{SVlU6Dp06CPnalO$U}3V7P)bbn+SzkN?A;Cg#V`4*Jazh&oj+e0dV_1
zJ2qwA!NU*coafX8Lwt|Oe1aQ8)%j~d#5t<h=Rh@vs({`}E;7CWE~<`*=9UP8t)LAH
z4Iz*`*>ig+aaY&q#;q;3RfDk;!&d(H%?0HR_DaG9yzWuT`j8vsfAraA#)rABL;?c1
zM;Z*{gr9=CLVH~g*bdlRc^$-G1FIFRj@nfNFGw%Q+wXU1{W@F&-55;3(_Py4tO2xD
zY#|TvS>5wQ`}~_7qe-2?9AtAFq`tC&_ov?YaBiV~-WL=PVS3(!zCEwKHEFfPSu2eJ
zyaBbo-CCXl<Cy`$tZOrIQLux8b{%KkLY?;&O3T#4S@g`$=UVhM<@(xzYs5SMv8z)L
zEoTei`{Csk;vw3-<Y_9Q=@%sT;~dpN&F)l_LGj+p&-=)ywP#r!IP*E|tUa)0j?1X)
zY2n7zy_Y1$l{WwWJ5GXWeQf$_(HUtL@WbP<#`D<S(^*t;5HtQZNowPXIc1lU&=I5%
z$`za*;BI-X3>5vlWLu*YFnet7717K->k^V8<Xr*=J?rW1+s3XVvt(Pl;qAH|opz$o
zeic-3Zs^DGsMOlJwzc=I4$+R8)Pl~nr^T!P_S%{%eR=0z%Ontc=&tLlU;dQ@>@Mz7
z??5IFNPd3IpQUH&9?N<AK0<~1(sZXes2jB1H+XdWauavjy*NHupk9WiB;;3(cG>;o
znCRnd@3)umX2X5brLDB@x9!{9(yYC0&mo0klGS`N)mA;3A=G`UvUYQ^zi{Eb^6Hra
zxHwF1$UnO+_0BrPtpr?Et|HyuSV&RP2<8dgjgyCpmrX05#2#>R*3ZHd%KN^(wxioG
z#otUU?K~Z&WyI3v1xO^a09H@SM$?S)h)zc27<scU*?KTl{0t;fS@rj>SS2oR%05ko
z#sRT+==rf{Pwb1U@Jye~jKC$=^Frr+z5ULG%Fm^u(Y0k<I$p89S)B!#Cf?VU(&d}-
zWu@`hmdu2_lM^ilUdfB{J@>t{r2f=PfL!h<x|Vq#@&Pv+aL+`{cDqvX;${2x^{1LM
zVU)A(=hpAjhu#Jr>A9I*_Rt;t&#garrSYa>Qd(cxosRa~>I}EheUILWBNsmAK3HIY
zLJOWetFP5CtL$yKPSSymSDLnca|1+as-X|zoEs$2BYU$0td5)S2V?oeMb3+YtHLw>
zRB>x`3*xBG1{};1J6D}>hP2;>HO)u^MR`4qIQoPHU+{W0et<mr&D+`Jc?`kf5MSeJ
z^0|Y0dLS{fCf^l`s?Un^l^#2PGfcp_3Z)6r6BXy>x5m*8hx3os@m!<nHh@6#2*AwW
zAA0PeVOGKt4xUTrm;HTgowe)NlTxz-eMEuS6NkbE*YRoR9`<Ak{VVOLvKeb(N>`_l
zZ8#K8W!p~`rHrP*hzOCfyy^(X^v+D-NfTJ5wBvaW_h%}<2{9#%VShfI1<$5Q@Z;#S
zjUy}o=voE75q1%-j$`nTOqp!lO@KQBwfUb-V5Tx*B55X@4LROqh8W*J8PgWeTwS?C
zW7Qmzy2s)G^2&E00WwpX%n&Qs+$eL7|K>sKE?nsDoBdF?1<Y?pFmxVbpF(mKPabVC
z!eDRZgJFr%?hvpZGQ;|=%Bl2-p@3Wr_?}!23L{iRfhQ|UlckSdgd`Zn9XI~>tA_`B
z^jGc&*y(u-$N*G$XX9VuNerQ4tkW3#-iZCj2hN|{WJdZ;nas|)W`Okn!V?`jDAaKU
zu+)>0%4oEU<MzBN6-1E0tFomwixCsPLp3HwHzs#)p@~H@iU*M-zseVJ$7@4zd=;T3
z^n8U&8GTs{ATcX`KrIpT*g>;q6-(dLm`P=kya`K9h4TFW(=}&Bm?W!LcStinH0KFL
z{9=4}7;W1PN)RCrY?puvm#0c*MNLmeh*QgWucQEHC^g2e`Awog<sILyg6&S2D{4;#
zuq(u*dd{*k)nJDw=rl@(PmV;Cv2yvXy*G!E2A;v7;$|aQH2BNN!=>$n@GT^SM4WG@
z3z7{8+SjI#b+p(lA&VgR9jd*)mNp=(`}8>A_<k&4p7`ee{dga>1;`MiBPGlo)TG!y
z{LOIY=TG|2+cWbNJRoP*lf+j;tz2#dZs+1AhcnFxo5-KxySb={*}0E7Mu76i#r|pj
z@XffPnQp(qpLK3F*>&_E+jkt#nf_jX*;LB!@7iLi)ULjwP|lMYJ2Y~+SI#pB#V$5a
zkX?71f?ng*WGUvCz3D4AbDzvHHEJi{Ny<uzhc`89Qk0bu9)3%`(9&%k+S#cFiaHNh
zxCMYW+einQY!!<UZ6WtCwA92LenLqU{>j=v0^iA6i1rdBmI^Pu3F2iG)hc}`Ve;4g
z6*q%oWfh-e;A9=c*yk$rH^fkLn8h($TGp%5rMwbc)T}5wi>CVSFDJ*L>|kXJ_3f>s
zSy`j&ts)e)-}qzqjqWRuEG7`fyYTH8<$pb_63;Xp?Rn;(xx~3YS2KXXboJp){#{vB
z0@QnF^gv0>du38f?-h`xU0G77Z9V#lA_gYKy}W_vciqmh?V7gyaIDuye(^%150%u0
z@sU_hF9Y4^Y&XnSV=?Yyp?u-q>ihL8Q+wkX3r7R!o9Ed$p&zd=-Oug!teSSqn9%KU
z<JbhaDD8ZPV`R^i#)DHV=K&8SvvF{Og{FjpQ%N!Jr4<j1N``Pv6cyoOkE%PTmGnI?
z60&pGDFhnrIlw_!FcYFU#e?baeV<Pii!_?S2@NZI=U4IcEP5$<jnZg|)dH-nROcVK
zIxmHSQN`A(bb4|xrh?Y}<Tv<3<Mc@c`L^~JZMmCVFqTf6Vi9+UO0Cv^CLRXm36L`I
zo^g<ZMj-{)B#C&RLzEg&5qkBa?Ht&G_o_wGlPI3JQ-OIhE{uxY$bzxDo#E<{+V`6;
zqDDyAul}PMir9q|XZzkANB-m7SZEd&Qk&D;pbN+}e<w(Cy}7wp8p(P%rpRbI%b=40
zySm}#txL$A*>U?Zl1+dgVd1;n*!SzVvOwXJi#hU&$$5N;`(?rI9(}hVZgAqq$6Gl;
zbnmVgAASIl8;94FZbLj_%}^xMqGBj3boGW;^8*PtR3kMJ;SlsVAWTfKaxn2yaVESF
zDNYxYA%wjI`ClAw3gia8;CtF~={Pc06jhy51sVr`8WUWC7b;|xhH;a$Djk4@AkFsm
zTlFXBhw4tW-_ZmVd0K2ouOfyP7K0y2@;6yqfI>)(a%rm+hdjot093fz-W?t?!t4aQ
z&-lH20|K)sDX~V}NDsBXQywVJj$)6*V(Gf?Rqg%6)*=_*;0IwcCeli0y-BFkxpT9K
z(KYCO;f%7Nd-^!7G*AP?Z+8;j!IqDc!$yr*1_rb^9{f*ssA=KE2%>|)OIDBX0Cc`5
zUtD>w0z4<nt?L>x?DP)K9GQqHW9{8@Eq3$qoxWR<J69-fTG!pI86C>x5QwK>imR~O
zst=>v*Il{-1SUK8fEtezujs~(YEWdx9ent@I5HYK`du!ym#&Y9rLv&(dE@Wi<hL-w
zAo_nH`)c~(i9^%QgS?U-wxaVjbfHPCNkyNC7bNRuNs_Gs--HOh1nsR4=Ru+sbLJ3I
zcOk-wW<!op&&GsLUBtKD+~|UR5fM~q&7fCp?fYjVBX+K--v_NQH58A`G;GOUS!s4r
z>VN*?Uj36?epSg=`-AH#-2RmPMpjcK`N4cR+Uvwxe&kSso%~>^@tjwW@^f~ojD|$;
zw4qrBZ^w5^kQcMJwX&!`rzUQeij5$_I_-^q@0)L9uJ0Xdt_Yfr3r97!<7LA`su}P>
z(vxC!n}zXl$=wO^GWGOV5;GN#TCR@HmWGJe>(Vx=&YO>s`ia~lW)P2hOBNG=UC)<z
zHh;K_=nVEVXJ}shek{xp9>&lG3}QI;HC)amQQEAsqJqyYmSu%_`yT$A?X6-?^R$oJ
zo4xbar0!Y9CIZd#BY^SxHCJ}$3&Gu|y))?FQ&lRVe{|HoD|OcKpfVGphu$9{6a0jQ
z0;B@uMo;0Z<#=L}Q-=q9{S7xi_$PsSffw1WU_|v_m|A%wB>aP491FSI+79QnT=iv>
za@##x2W2AgFj6AE;|ctCkNWVZ^drB(=}!w3dcSamVi3qUr;FQO8bEP(0p7^zl9c`9
zoFaA)v%v#T;LS|0{EGH~NxIlb^(@_I7^5tl`wi2^5Hz=Dpnp+UW)y+xK!s`(bMLHm
zj>Nb8YL`=H<541L4TJRp6p2jxm^+*%#NO&S_Ijx2uP;mpVSD+hc?5K83pT_tA~1;J
zsljRbSeaLaZn@pbv`~?0MlWBDX1;%kd3%@X5>EQL>p;xFVnBwF?A@UgW<oLOLa)Wg
zPGvw0SJnnk1uF`=#Q-8hN*flg^k_sIU!|{%q?7KGvZ_aQ!o|tjalODx3Q@LvKE?Z=
z6QR58pJ1N;tklb)Cxg_3s9xj>U7F$f=w|ksV{&!q{dN~8mk1{-9MAZ=QOdJ>sRcXg
z5ukbASorgSrMbd`-^Y9!6~BN0(H6vEPq%<iS$~GP9x3befj>7a-`N_6p~ztRDQPE@
z@?)={M})H~sB2_AX|l)v08K!$zqkFJmE}>3JSzLq*mj6W<H+DR0;mgBm%`HfQa9##
zNlnkqUb1RZ8PqohM;b<ePby}D9B`+YVZirZuB{R0YFNVi)n(p|0&RC+H2qQBwh|qj
zB6P)uyq2$g0;;Oi-1*Vg$bUWd(;+&MMa0HN&sXl&qH64?Fqd;x)fNoCg=kXXV23hg
zf7ZKd-LYItnR6`kjvpK@Ro0>1km{p&ebF1?i>=;8)gE{r(Q_;VZc(~1+9_8Oo&73Z
z85Z;v^}>-Zi2pJ>nR>b?k8V-cn^NTvBFD1i&K}^W+LU)xZobW$-Y!MwU$rOMfRFRf
zQ2*-+cF>*l{=EG931;r+alCo2v)?J!R+y^LbF4udy=L#94$6^L{a?DLF^Oq!_T}a7
zSvRrXk!>;a)6-P%D7XOea?MX#7lJ$fUEz|1OvU?t2cFc?>aF6o3BT_beOBV_-^;u7
zuMgF1#VH!@@)j2va?i{`L)l}Vb#n%?*A`giUr{B!vqr|DR?yQ?do>HL9~o3wOx9%Q
z?<^$VufZHeV_KEW^|VNYu`{QU_mLz3p0N|=b}bi|M$|SBJ3WlO3LjC->t1Pdgr)Jj
z4;ZQiTHIzddiDrC?74{}?yA&Tj_(COzL~QK<~~++Re-X{lW7I>)gHoco)+aDg=;zV
z%~Vznmv9DCqhDryB%Cp)p45n6Or&{4Z$)81?p0KGpg(IUUMwWLDrQmtO4=0<W<F|0
z`bEGe4i%4M=1dYAzyd0w@4~tTVsq+Kj!8;T21|M&fkl_Y6@e~aH37$j#`nJ?8NP#D
zYJkWB!^aUK#ktmeNn7;+Iqd8Gopwa}aB=u<-OK1%%7IMuqv#3)wd2?`_U^u#i*drr
zQfS8z_o&Dv@SPu6laz@bgmBvu)uwoDn1-^BKrzWh_+3eVHI~936|0T$U6Co-<4!Ja
zS0-ApRM#~;)Q6x=**NsbFc4vm3f(BYm_S)BZX($uhNdvI8Y*=ci()fX@|$X&DE0<D
z(-mwLbG(*VcpX6+d2JZc<cu>)xkH-1DnX!AA-o!Byou7aU4bl&ofR6Q{J88uaZ-K-
zRY>=I8teN>_ISb-B{iQY#Ep*U4cNZ*M}$|_f2Hop_ddONE@T|>DFurih#4Y@F<Rh@
z;pm7kPuC(vw`fedj7&7BrvpX}@B5;dgvT{PE5IY=QHN@f*1aeZvB7)-2DK?lFdH!$
zB$v;?<l%<JfriPy*#qS-&(D0hX0^76nEef3A@$>DW4Sie05`#`!!mIjqAwq~YzwWC
zv?ZV;8Rix`p3=~;r1+sv7*r$-e>eXk{Ik)1uKz>cQL(I86LDMUXc|qftq>*Y+BTp0
z=w~<ND^VMa<jj!cqQ<tc#5&R@)?uW$8PS)%jrJl&?a+maux`jky#5NC8Ui*xx($v{
zU-ie7NVYP{!q8?Qj^T6S(iBS2T}3x7qE!_07aT#IVh#7%Q3r+^oyW&=i$+Se(?v9|
z(8hbJLfg)LxI90uK8ZJPY|l|PZbh3vgYfB-Ph<U;wCkvPDNMm=m&cHA;hCPU)(S4s
zN3Zwy9$(SOeMLl6eP(#*d__3vU<+X>u)Ob|LU*krKiTaF&WVpBdhgqkW!%5@kIBru
zAR+4lNwPe?P-yr=`Rn<8QJ}g2T?|)rx#>Bq;_mKKJk0ndOND)k2qS8oPR>-`>ecX%
zOJ@kNN+YLI^F0%G440v%P%N{E6y68MYkP4vE{AS<AQO&?y`F1dB;y#)QmtFxonjx3
zx33r{7gtklU%~8;8!`rH649iHsHV#hsotl7P~}B~k0Vvs9iqq3BS6U`4nvo9x$2=M
zZ;ps&PV|ueHp`w)UZ+f1K<1ONZ<v?pLc3(mL2N_@|HZ{<a&aeK|8B#Uf~TxQCi@|s
zlpiT*FH*~t=3}O;$z+8sL!`q(SwRZgndCpc;;t8$nmy)@y$mrScWZlG4n(eYuo^+|
zYY8<o9dPUWF{?)g-MvqDZ`ay1LJN<k`4aA52-6fUFRw7E=0L?Tfi9Ln^4Q|rY5^jM
ztL5dHum;1!(?ZsVmqe==pUsch%BmXv+O3sHH4K>jA<1y(N)OEr!?ZPN@d0jN``QHQ
zuxTezx`HEh-AP&{mm##UZXVCVP@>5l@6WTEzY1%V^A3r)Q{T{A9C$~Y8>W%>y9Dil
z=6M{79;Yuwpq`55-d-5~XuLF+rK?FAZL^`P(UlJiE#Tl1g}*d#!?EH_77@F)xJR=u
z<CaNbvjgfENomjt7MH3H-N*G`A|bQcZjut;pf3zjNvwg=S}dGoGDDJ9a!m|WwmLZP
z?B+tm-ywYZIW6vuk^e{@WE)Yr7d0~z1QN(=VV2tQh(7111pJlWzBbK}{+b(9{C?XD
zb$-hp0mSeAW#Vr!h*5dq1bJW7b=`#?bAvCg6_lUBgG*VK#A{Ty$BP|ek?7|bI%J&>
zZErwrPIsc+G{|d=Vj9#*nOa~4j^bZh1a0%_(sJlI^4lj^29F<M@8DE@`LBi1P!d{l
z`w0GT2ZA>#oxI!uXyEZtH-Bj7BIvHDDSqDelCV5eBnpb*bb;Zz!|ARX)PKFNQ{D+a
zz~WNz;YHu}rg6U{>sK+^S_@7wEExz??rX~arR5r);1bTUT#>?dP7lbby(G~HS%K6G
zO0bX<?cAvP-=y-3+B^F}>P(d@sW|3<em$ULCY}DH-FG92g-Qd|z1nwsA2cG>{>xTh
zzo#USl0G}(_T(25N}ubeK)16bm6gGeaXI&xNZ-c`kFVfZtJkes=<{~kN@TLFPj^%u
z^4ER|<)VvtmZ#G`QE23A&EMzwJ1S#MvgUj}*CPl5VRoi<G$E_&E$dq=g=EQ@nREf6
zLoUWDZPHr`1je!3m16;SyuHEp;VR|5-)OIF8Pl#7m<kM;yNab?)Ji7W)?v7FXt%e*
zDja|nGpoOYncu;3P{+I!F)JL3k2KGrD1YR9Pn!X6@i`q+4t-x)WZIcw5R*M!*o=2B
zLAkFhBvh+FIj`xjmT8%108>N>+MA{yX`3dIFj><pm`J-{jTI85`)KD?2(M_a>pFi5
z1$;<=?G`VY;Prt+cM~ZL{TExih|^s$0`wQpA!)f=^LJEhMyt5vF$u~P1C(V?8_0{r
zif$;aIsJE`5FcO54evaJ3Gg``sEY@6r@r%S6*sbU`?5nM5_rCAUMU~qMOpzF-ly7|
zo;(++BsvoGj)gl9@x5Sbrc9Gxh5s-`JH-|ATj)%T<|vu`CuO0;x|hSChzoMBhFDS4
z0PPf>j5xk3XdN$R*IR~DG+3Rv8T6u1VE*B#8K_Q5MMJS+OlcE?DnKbJ81wwtt}McE
zRiVr~nM89%a_b*vzJ!|w`aaj7BBBhBJ~*P!Hd0Nkjj=D}RQ#)zV5DtW$f-(bWnRTx
z_fOECs#SHGe8;1ZlQyohi@1o(sT|`j)+O1NdIMgJ_yU6}=%1`xaLI$NUIqa~OR8j|
zwU$I46?u)qlZ~IAz<EyjETWsLTSS#_Z5HJ3_D*s8vO?(11rvn|k{mL5$<Z_fVcH>B
zT<f7l-W8j~7B>YEX1lIopcS>F39fg;hn>)fF43cLPc$=FWl!hFNB2T*(Iz3MtaB`~
zx!{!Gv0UC>%~0jqzq?U;B85X6Sc|c8aa{u{$N_GqHUe2mu;;8|L_jb#)cHKg`K!<f
zP_}xeeoRHtIapT8#>fR)N2V*&bn-a+(Y$U5%{b5<RLpHzQ%7unv=Afw-sJ<5q)=$n
zs!TuMg3r4`_*%H)3GHZesi3{X#tT)PpP9ku`aH>qzejQK-MhmzQW1VP^RbNOmLTud
zRv+NeSs@znHI)8%(xRDmyYOFt`B(18JzBQCyX?-SpZw9VTumZs>SvY)AqcF{>l7<U
z@}B!J)AWCa7mLXd5n|k^{3XhLYARXAKD4<|R6g%?^qpD;Q^i4E+|@SI;jAnrZV!Ee
z+|GCW1VFqzD(=U(5$}J7I9gUb@p94S)z5Q_hOg0*pUN63{kZ$-7``xr_?b%-_VR0t
zc@7b_Y6S0hxO0GEoP$!~=4?#wz94E;anIuLi;U2+!6T@Y&9i$cG!##y(bb%>knF1?
zUW$}onum~E(dHC4(5~6YCU~eZl9TUxFX&8CIh+`k<b_g$$>r2=e||Sv^HIT7GY6W*
z^*WTYd4@KINOe0Z&B#n;Z4!`mLkeou8N>K!kiFrXmVW`$&ez4Bd;1228b~ul*;UsL
z%Ke{KK)!EryzPSw)X)o9#WtUDL~ME3ySKAuiWD&CMMGCecB?}HEx-(y`;n~3YRsEL
z&Q}<VF>c?thKF}T$0P3AY&B0UVZ_*SLG2u752P}e1G+Y|fc0Bg<l}65uOkOK-1#oM
zT-;KDISHU6%mQZGR1h|7JSUSi;y;Q^KqR^{D-7Lfq9sH;rr?MO15`Uf$1!|j3~mEz
z6ZrhlnOAwsy99ZF3tfJPcVsS)4=v}nF4ITcyDX{vv$U&Cgk+Jpl{ZS_1I-g@_M>>I
z<Uet0S@#S@z6Uvwq$ak(>6HKyWjfYLm^1OD4$#oVrby^2hr@oXFokZIaT@oh^fzeG
zN@hi9F+m3mT>;%Y2g1!%AoQ)Om*F_7%onpAHdg(JSpWKuhJ|cWLFGZmDzYld-wNkp
zk*S<m8RK7YY?`|}7FGR}wWmO`hT8b96L!ABAUY3<?F(^xcPFl?r8NE)^q0sT6rxd(
zKW=FRm7O67>tt`x_F>NC8P~iITMA7>&ExwsoU$K)GLWF0CnGvHwefs{g+B_^W+#?0
zBR;bn4+elgS|f6CJ^~U+BgIhq;sad$DQWB;8DZ;=N2=AsjKT>XjdMorY5GEam=9?7
z!c8V)al&fw*i#c+1055*W{AIeWQO<-th+q9b`gIUv)RE^p?r19gjF_Q(@{0&HyUk|
z4KL0?`0e8;DdA=Rf)dJh{v5{8aIS-akFMq#UHtP8t7<B}VM$6+1w<JJ)I`zuQ)On%
z=imEA;Navpu^;a}LeS{=7gdYhQ}GA{*3{hVbV6a40XbUEQ@A|Djt-Z1qgo>)qUm+%
z6b>gCM`d3l4+=Lcgtfz{)*NgRUghE??~5OgVKjWR=6UFQXR=;MhV|#MW5|;Y2m?0f
zSQ_YZaXGB^WE-ZU2_ARp<ZeB*uB6Co-&6e~ibqn+GteALl*6v1?8BYsa@kQze*oD#
zjoc@@`2g!s2SY_={w8QIM>y*hWgz$XuQ;(>@awmd-)0@f-`fXi1#4>670&>03=G}o
zDmV%kaxy>-KN9_Mr>1elFXE!es_IkRdQA)jFuK-`Us}<{mOK%&hEn}1K|q#R2zV}D
zhY|D6GAgl;E{-Q(E<>cD4>(l8$vzs$`Oty8wNpX;k9wi@;u4YCS(|R@V@j;zT8sC8
z_i+h=<h1noIQ(|88c{?S>Z|n;4I?nIQf$DnTN~<a8J9;k4Arx@Y>W1ZBYJ0tF{wKq
zJsfsrD)6QZ=r%A7(p))*DsJ$sy12^y@YsNP5lj`bokt&GRWoHBG3-sF;|Pf;&uXgg
zSN|AICodeiPA7M&9(pVhx}r-*O1?eb<y(M{PFLAGogzUC+S~gnbd{~PyCt>3f|Oo~
zMhEaH`&TOM$4W-i>9myq%C3u`y+0&vXyALY=T))jVs0$$;?`;slWB1mR#w$HqtQMU
zY(4UVaCM#&Tufyby6<?j?^x0$$!9Fb`czzeWM*Zet?A>lWN!MeQSeMV|LH*jM0#kS
z*E)9lLgZbamgMi)*9?quTvwLRDEN6Cqr+RAIA?<~=rX{{s3R1nr(|5FYYQWH7ajr(
zUUiA0QTy#hm!U1Tbnd=0=e;jP7X3|>N?}(?4&fhRr!OU(!#`4sUX{^at<?U%vjF>;
zTp2}Y+hIu}ypzfH@GOSEvyWm;xOTB<H6w;O2Q3A0evS{S{Afgta~wT^3jwK`ueniF
zK}4~CiW6ByT&nXE``KhSqi!Jl4ynK*FR>E8wGe3|nxz_4Nv{Ym{<DCF^3`auJH%Z_
z278v)QB+2Cl6=(3I%xejnld|uQAyd&LfLRi$xy$_sT{Ju#DI#+FcgK$UZ8Fufyo~d
zyqFSJ^<RT2h(c-qiqbA`qNn4A7h47~;ZpIXyPC40q!pj5i8L3OU!eYiY)e*1!F}m2
zk(YeS5H=fl=I!ozu!<|Aq8itSAy&1h#^|#O$q@`jLT#-5m~ujtB=W;;Qe7RlDnGo8
zrw^|<r34qKeHXr>VNN!&F>KaFLQWwM&O!+ugzD$jREWRfk^}o#^32l6CH>>>j<wDC
z<GoasvYY$82Tr~QU6Fi3JmdKsX?#5cbetjMY;q*gxjqtrm9~sYfU~2~(7_xlsUh4E
z+XwB<bBS_~u<rPD6(5bZ{YWX9GptXuXI16ja1{<!$SZ<w!&0U?5sd8GoFN}~q$?;X
zVkiiNS4}r6F(zZW2?V(<2hj+v;xhWntb+e5N$b$Mj{f#%5p$ktmcpV^KDu=*W7~{E
zGwyArAb$+@3^1Iape|%F3>U0hW>TRwZ3U+WO_h{3Wgo?L=;vq2N*q&_CaVkBclHBI
z7B#|e2%8;k!4a@fd;?LepKfDDwfcr7Ks{}4gKM1v4TXkMQ$hhXMAA!NxtK@U+?IC^
zv0=j7epFlgv4`yQZ6HVu=O?0<6_BHxQ{;B}iZtPjU^t}N3QBOnDSRN#%S{DfM%ps7
z?vy;i6;Z`COn@{QmOOT(9B(zIWW?^o$BF>H9W8nku?WAeX2$z-&VVaZ380$ziZwi0
zg*m$5SvMeC04G;49qGN{#^A8>yPe7J`v2LI_H%b6MaCuErpewq%ogj5SPPTpT~r+c
zF)1A_@PJd!BG!DmwePNc(T2*1S8(mnh59QbdO(<iR}aPA-fS4@_=hcwXQ5jMS4%h7
zM9S>=yXw-HBEs1Z+Wgo$AB+1QTqV<xzzDzJL7D0mV4kZycmNWPyyg>1Q^D|2FFt5*
z?0sV-(d5U37C+>my&V$D!XbFV?1?s36j`(CpYr{DoU=eq3NJ3vBz0s}^{P=eM$@lB
z@|M9ypH*$7t*~wfX6}h@Ng>`)J*nKggwzGYRzNo%7D~OZSjDOu6;zL6l|#SF$(dc0
zQj+~Xa3KH__ZWK&S|+&s;&)yOUBqr0T6PJ_oT&A@a^#;;uPWwvM2Y`_4T>Xavj9kL
z1`k+1ixq?nZ`y~oi5V|@%VNFr5(kr3wIL<a(UKIhSezfc^*KD#P;LkHuImZ%bq5sZ
z$)&3c(XZ{QmMh#o|AN^()IuaR@*w0itm<f!?XgIm{6@{3BwkqrPbP!zI}x<VkGl=;
ztibT_llV~dkd|J~@ha@T5G>{0s+3_MyBHa0cOh>kaUt;`^f{$>!q838^{a#_>HsZ*
zpk!!iLB+T|1(Q{^{_7R`Co8rBgv*goYQxU(XjiCox`1JK$}_>~W?UUw85z~kG<enP
zbS`6YSbIQznC|+4Sp*y=L>AYOq|OE&OObgA1?Swt_4&!Wwm02=MzazM<;-Z&^;f(L
z`LD@0ekB5BoG3qGQK<0pM4*a@i~5bEYqVBQ9X`XUxCur4HWYh@orz7{KrdIckVuSO
z4xI<JOx%21Yb1^Q^Q*JtPxNH}I<rruv?z(98JmFd%&MuI>wbJbyvJ5H_wC<EKfwwE
z-MWPE!VoL76Yu{axn@-@4QhiMw50jCPXx{C$VcWaquQ6<MqW^I#*#XO@)ej>wa!>y
zQH5}#Css;I$ts$%3*h935nKtd+q{FfB`GDNUJ5g?10L42$$^5AaTuz)eJXLno<mIU
z1f28Hpk=H8A{jPs7?z~PG%cc$&v1Q<bn*kK^{JS&fj*?}rGcg$pnn<Al&+7M-29Vx
zJ_Qhg_?fvu_*B3!IPhW|E!|t`d8~09`%q#Hb4aXrzPEqIU{A>iaYkiaBZYMU+51`A
z3%4+zjYbo!q1@R^bALV?O`=<d^*5T`G-VCCfzqlOdR!865(8!ji*H;gLHAK!C|SjP
zO(UkIRvj(>%*1FzyUSG)$&7yb9P0A<R)-c9SaOLliU(?NN(tapKSPU4S}BEwSygfP
zs~k+yO5eI$NXQSU>{`pH+OYf>f;swo6oNFOOm->Y_qA16ar|6CN=bBdF`d=upbA$E
zGNCdy+Xz)PSQ{f!Iq$$<=IqyH_PG?knTou`s%9AuX3P7Xq=R>hxHcGgVf#zzcb_rz
z$!`bOpoCxUME)tXz29LhCR%ldgujp?AAr%{w?S=mm=`N|9g-lio5KcYAnDHNzXjq>
zZh!o0akgQeKP3yFaivz>R;<H@y4$|;sC70Mw(>4a_?#gJz5#7obR~B(xpgS{v60@M
zk2t3z>^{uZGm<SdYYwd#(YT_Hqm1gT`maK38SF+l+5$Qkzaa;c=Z$nnNlJ8O$MAdp
z0!tAfb#NdT;W~MI=Ic|*Cwa^DmoODrLRFsV%KbNiGJpl|0dVnO{+$+441FBG5g3j~
zfl`R#0nkN#UvUQKLrz(THA5u6HiowR(5kE8bs*&@G76znIU5X(w~fCPX83>XEFi24
zE_=*G^;(h*R;7>d2S=gl{}XNOP}*Vg`U#EGruW~jn^l);@*1}?hg$`PCq<VmB@%-L
zT!QZHiz3}E-Szbvn$Tg(KNCzOm-l|*#7517YOjXc9)>SnROco3J3{<zhZoX?wk?dh
zw##-Nx)YDLs~saWNtqmorL1}f{mYZTTLo_{qav~xdLgBRUK^vAgaweuerIyjB4wGx
zUQ;e~qmt;^hzvBvz@u~nH6OS@co!OEv1TGQ(=zc{&R=E}40+_oOI_|91tseNR#GGQ
zp9B}lM%h?PMnhs-lm@uwdPwTh#iu<q{T=wR>!mv{bta*FGK2dz;@u_SSs;M^x;Kg@
zzQG%QtHJ?0@YZ@xS<#;hi+PQau`AXq)<j$T$3KbYHyPLGicqH|wWp<VIpWj!1)c2<
z8XoSFqbtn!3xToWZ9l#?x<I90Eg-PU0aFP<>;Jy@neG|ZpWR_qIeo6e)M$yU3(2fk
zVNZ5IMYX)&kz+vH5&jw)33t{6tvme@oQ7(h?U7`nEu(70iXX?SI$*>H2K4ip_Rp>g
zk;1uGavwV}ek7=t*&|uRK~*Mk&~q3|1BlSAQ7gIju28J&g5Av~hLH<*D0q^AQmm@5
zSBvVdP_sC5j?lld@jQk0auCh&rapW-uaFS-oP4_jBPWWX&(UL-eMq#F<kodB=nv>D
z&E;l_FCuCXA3W=py(KFFIv*LwyU5xf3|(0DU#p=~6B)YxG3<2)$E@>ofGjz==>(9H
z?c5TC3P{hRe+_$r`c%peN-XT!XGe)Zynb^^5GO}5*hrX@eJp1n4gE8bKMewESA=bF
z>h2qQpzG?_>Jvdf`~M6tZUNfy&y<oDH%R~y>AlwRz!YHT^7#OBH9V1CWv=jEgz61r
zpYi9uR@BLrVX7f9EHTCWRp|Jm@eXPkdoov{Ajeh8n{zM`omJI@U`l$cHzI{jDDa4g
zV7p3Jrl0J&TE;7u2)c(PEjR;B&RfE2_uNabPFp_ohK4ZNaN!NEf+D^;VYS96^skQB
z4zM*oRB+Tf^qG8n7tP7nE2u#_uC^k0w!g2%Vgmf1`hIKT=(`qjgwcJ91WiNZU&I~^
zDgBpL9U5uGq*I5QSpo)HE=^P`NESo0iZC-Zvcw3H>W(GIpyokn2?qgC6}n-9Kd#VQ
z3QH^(f~U$K^}p>`M`3;$*aSyvLJm8iL2WLr81prkBIwLKZ$hD5zI$TL$;c#Lss9cI
z#uZbni2-voMVb5t)1>cAFp^V+`V<OXS(O9F35apE8Ccoz_g$e1A-)%5h}b_4%HFYV
zsk`C<*;(xyyos{f$TtV5SzydiH#BA<G#y~**taR6lzqE_n3ibz)ZfuLzJZh*QEc{=
z6nSPb<3+H!fM}@NV2mn9{fZ+L$%!MWZS*FkqyZ=g?^x=;Ized(0c;{R3{_EtoGo-}
z2^NL2y5#Tlk=(y@%6<^?FXoAu%k#}V6#1Wg!{K-gEf>{KOh!XgvJ<cWDCDXd0<W-&
z+sfY)g8n6ZfE0!%S!B`EU-uYfFBfIR?9b98<q-svXU#}n&CwSMd2xOu>=`}*oL5OE
zktL0h0OlCRHpy5<HPW3FN%1Q^;_uOpla#RH5@hOanMfq7NMR%1Bo&#&AXKPN^h^bG
zqAoh<%2ddQkdzXJ5WMa0A~X?)#*vAnKWEE@&4@Xqxd!&t2?F6)(3rwjvCm!Y8N>L<
zvd`b)n=D}HVC<sxQr`rsz|MKd`O|tP_hFCU=sPWvp|Ltkimcd%lB7*3F@*sp#~pKH
z_=`(lC@*};tx#8`xjCmuC%hN|J*1}BoIyO+rNFOInflwWuKU=va?-97IUC1Mt0U3T
zt7Jawk;?yC*<Rc^-I*~j;OQWRXTlIVlRqDzCBl8<;TF3h&Jg9i57G(L;IV(X$Opg#
zhSeW2_(wV>%`omWaD9O-m;Lrz2@mP4l&l~eoo-5#y1<g=Dk->@wqV4NgT#PL<YS_b
z{E(?&8u>Xfw2F+XgJ|-bMcOUlzG{vXG#y$SW})&uOpU-2<(Qt|j?{xH*xvFI82GzF
zSCn0O->;P@({G?eO<1VBgfuag6kAn{bzFSpLm9eOz6ZEvoxdAqQ}n(dGt_g%i*i)-
zKm4`f|3d*f@(LZm%_6R(cCJXTlT0FM7ZOvL_8JU;377K=jE?h?`r*~OpN8a3l+jeL
zw&OV?<xjTfF_N5#9WX%q*hTAfc}P8#IpWm({XXU0*}r=lsgf@b_H?NS!$5Y{GEC9q
zu=qTV^iqiqj;=q{!FY1{QS%2EUA?RbiY}O5=TrP$>a8`uN4o-AoJiCdwc99_V)uhV
z=nrL9)pCagh5`{8Rljg=b_#6_NtMkNuy&!uNyO3>k)cYm3zW$*OKPM@b&(};<dus2
zP_>(|4z6<li6FNNv#0<vAK7-?3EDxV_-f0JKN%41z=kDna3{D5!toSv0i?=MZEC<)
z7p=DV=QO0q4&;E8*>Tbx)EVEWNQs^%N}|g~!kD@<Q5PIB%%Pn(98e6wC-+_0QbFyh
zxY#ponD)c7Frrc5cDkIr70Y>Vtmh0=;1$_+(1*;(DvTFb)pF5&UfVApB1PSl;lPhC
zn1`#kms+Urpv3;cm1#U~d#Nx18&p@ZgQT~<NR(};?-tyv%w2yq33*jTXeN0D&r0RY
zE(jDQxz!sv6bR0c<-S1yiTZUWzX{E8lk5xiJv|P|2pPFXm-UuOoQYy7`&|<mQEZ7c
zkPB2O%ko}Jj!nZ7Ui((#Hz_Ee^H#vZSg9Yg04*0YmLDpvPLU7Gh#lxwk71m|bS&Zy
zOj+SJjOk(bnn1k<G|E2Smv>B*tm*@a>~R(8n-t~Q?gxJWI+EzdaS^1)nbJqx;jD&!
zmT|j3@B~fM#WftDWfs-(2&*(?S>oQLu(dDqm`eCrLQ?2@pq!3kcYn~#-A^PZ#5h_9
z@tO0){N1=VPVOsa+jkpHND#Llckw$|1%Cr!KDv#<OV3e5nX-Q0Zu~boF?q0uqDDe;
zVnz)`qOM%tWpACtldj;(f}i_BS#Ge&Wo9)=M~mvC@V5%x(StR#*m3ZgB3J@)4beX1
zRC3)AKeC-GGT{yoCfD5JPO~Nn$*4}M<0X3v?WB}+yf<b~HYyp4|5Mi>nlx<qo2$Sw
z&4{sY_2U5G-d|MYL%$+IHHyd&RhR=S()Ew?5_%*F(q_8i7|Sg}HvL{r)0Obty2@1O
zsOSYYac<2BhyKM!%MW7S8Zm~V-cWZ<i4-%GQC+4=e#4V@$G>6QD;g_me-=YFc9?w-
zFCqLm8Hza{K48cn*I!@Lz%sUN%8t#$h9c_N#oMG2+PO^ppbe_x;TWosasBi_*=0|)
z+wNpD+-H~X-rQQg;^$cT?>@f(!k?N}A&|xWpYyGsFHs%uw|}aavQzP2$0_wFytZ+O
zvA(>M5dH)*%!C1{JZDG>yO4^05f%BRi}_X64JG|Xef)iBJM^CxGoD%4ju>-8qY}<b
z12j4&RBEHhg?Sqc{V&Pui4IUEsh&c4DJ3<mEKG*dK&TEa;4e7Z8c7acqRl41S!Q7h
zQ?_9>eUoB~rf&@Qt6C~x<rFY-lzFTP+%gzy7vmid>f1oPeZ@JPS_?UpLzo8o<|4i@
zt3zE;I3)be#JSru>ciDXf8}+mYMeJI*S5{^f0QjYgdZFF)=$xjMVlz&l_`6PH{&@I
zXf<V@R+s#1B$>jRFIpKb|9a9~4XBnLfb|=^FhGC9*N-6blxFh4M;3~$|3MbVgX$`-
zT9asSePofM+wemdJc95O7ACDrbS4I@?dR|$XeM!~^z&@DB$m60TOH!aDkWDG{F?a+
zpXP}tZ`4YU1|N%97(<yv#7k{ghGrMb?TIump+GVpoA1K@VZ}%C&jNX#LQT<;xF~qd
zLra`7H8I8UTek5q14h!E`nNz#Bq^&z(+}m7KsWA6C*|jSB_A<oOv|(5j+t{W+rxB_
z5P)ZKOD)DTac0U|N9(m#@_)yg(Mkz~{b~|bqpB3yDzrB#IUH3S`mNM!HWp}xj((x%
zw;!F2;i+~dykgC|7!Tu9qMas@KQ&P{AZn;fF@^bS6};{sK<&MBg(>ih5QU>)<}6cl
zc{KquHrdejWEx(q<)NBSY7zJ+Xg%+kn6cvT&-iz+qKqD@6L~^^HesOh1$~~(J0J_*
zOyCusy}VOsd|Ik;xz_Z@{0ggkXFcGd;v+L_$Sw9p7eXQz_4Sghe-%x1j!cYKzeNCH
z>iH|yeqUOi8~?_Pa|#9@nMEvN)z27FKyC5exeLPG{7yzY?EEqGr($)n^iN2;hJ0W|
zZ43Y!I!NdtQ|<nV^&NCICiQ_kT-DV*_WpYUTTW~N9wnv4#XM@zlNOPsaEdfA6pk>5
zVjBp(<nN@XV)^?*jV9eBB~VgcR@ta_O>Fdi`j9{5oo61CZNG3j3iYFPChj-WbgARo
zmvH|osF5abZU6?;OG;q7UsJn31Jci+KNS>%FI+1$uct-t%>U;Y@zwC?oMJQzh^EC^
zDkIyHakmW=uh0$8^4XEB$|~wAAr}TDv_nJ;bFx%&bIsl!Q~7Mx`X>kiBOx?#{K$Q4
zLKmJ)1l=3!%S#?!b{dfp8-zytWv=+--V}HZSakfep#xfwJ839gwcaQq3(oh;P;SX}
zJRtCp^XNa4JrkpwIOFKkz{z0f;{l{QVIeVTA_IbBy-&jA?mitr4QSi>v?dOC77S-e
zt|?#EGt^_4@DT;7T~(t=R}w-t-%&UP;YWy-HpX+T?juU@%lAVX%yd4R{rINV6hk^^
z<1{+N`Mb=jOD&))380|h3928hf^!v_k`fB<8Kn~wlB2%5@V}E*dYYs4sYSIl8I1q8
z=e_R~^EQvleH&EcqH->(X?1waLF|XBIx3KQ1NGsS1nJc}H13EL%71P_En~)w|C&|x
zVNrIgx3oXLq}IHA(3C%J+m;Rn{1}Z?{hl&C+RU)zY*@$%Opf9bqKIPsHsrIJa@>s}
z2gci!963O8lt`w|M^O%pN+^TL+OM@)sqaLSMxi5bpbDv*DMg?PTn-`un25&`kDz3q
z$Lnijfac?>nIEA&9VEaGG{^%+LfRilRF`olJ}8RuZ@4nHQlf~4gi5pud=5or6(f3#
zceIeO)A_8Z^~+4AQT9lnS;LWPmkioXt02!C4Gcedk;2Vp`zbkd6yh(OXm}+u|HVq#
znnYD;ts73xf03B$4i0pJV)JU7e_tN^C_m7Ap#E>SA>L6ntHua+f{D7kUaG0zny~9?
z`aCFtzuy@zQM_JI+os&BV{iGyfsU3NuDhpN@k1>!K?|(=@VbustmzP&s*T~n#PcSY
z?Ae%da8;%JbRB*2lfq5F3O26En<`dS<XDqF$;TPY9!`DDZABN9(jO=Ov_}Br(DYGE
z;6&D*p@zs+A`e?Um~iWtb+uFF#SD>jX1SdUm}zl44vl8>0cdF}`RZL)8-5c8N%#<G
zz^)){^|JiRh!i(WP@LwPDepBEyv|I39TT^e@XLq5Y-nRZa(YujzZ^%3FXA!mV>ait
zu~qT+t3>@7J->aKfo4@YLw#&E<mK_|vztR%KS=>Z`vm(^%OG?;-iYL%cR$$ido2Em
zQ~Hg4smw33q-c;{xLp&8h!(@w>5Mx6t2%|;os^4BeWb%Uqr1uf&@SB{tc|hF+k2Z2
z`7rky-8G>ZGs0O`U{tNpVgC62TKa+Vxg&-xM|z|?Ee{SwmChUIEgr5y9Zs#}81kWw
z1PY#ogdRa3C#OCWQ-8;fR2o!A(Q3&59rp{qPM1VUVQ0+~n6;4bYt5K`dmVXi?`K)G
zFQtP)EJjh2*VZt+NO7BattfVkulU(cDFOZJcSaMLPo$6J15IxfR{7pktS<+C*f*P5
zP3O5nU0haQdY9W3MPmFmfM*3moWr#7+-&i9BYk$r>9X;)g+-5lZf;~wQn-1lZA0C>
z4$}GZs`@y+{<St#4;vy=qp@N|!kEQCtz+RVqa5<jZV`ca{hKeJS1&7~t%yj=eSBUA
zUctI9sDs%<kJ#@I_d9QxV3YgO(F|Zfcl+d4hm<~j#T+S-PKu<KK%XN@nhv{<maG4Y
znDrJ<WbC<`2NAn3w&RFp#K}YAoHx89FD-)YPZOEc2<oiDX8~OHcE~qOeI;=*jHJ9G
zrhS-bRd6|VpB;O;G%>!&tK`v;1k<~@MW@C@9^7Eg_tcuF>es6rLa1_Pyd?t$^|9NH
z;k8wiJYKG%>r{e$cBezpk$8}3q=MJJw^&i#-|kH#2C|%(ngv7*ikWFU$sXmSfkAVL
z8WKIqvngsj?Z-PVE-KgKFyeQ*(D1y;45X6$sPYfP_;x@CMRXwbcT~dw$?BAI*-5O6
zRAw)Ck3a_<Xxr{;a3D{KJ>mN)LrH=u!kxuZqY`a*hw*{83FWeiVzr~aCpq9LyJW|N
z$!s<YiOzVq46mu@xVeJOqJ>Xr<k9ur#%W>APf-r$Eh<1gwHqAi3GrW^O>mP$<0A`z
z*^@(~1NwbJ@x_Cw%R_VI&3=!WBn^WVA|TW$(UCP^Q_Kn+P5&^9&Of}p<)r-T$x<VQ
z%H+PK)htQ$v;s-6{9?QdLt`1W(%&3z(=>N9s1aHCH&pOt#A|8`597^K()j*3HKTo(
z7CIR+{|djtdKM!LXN-SFc_%KhZjF%?I7YIq*obqrs2;suqIcv1q<7_zQ2G{uu70~y
zc^@LuOG35(8JEj`_t85Ot2nc^`zjpROPDdZFZ595C8RfmRnYMMrCT)%{j&Rg63O!p
zWg+o@)KCvo$I@T#I!@pMWPZ5mnKP9mvl{Bv4>=i1oO?5Ou`s=Z**0>Ng!h3Fe!`i5
z?tX`j?jz|zeTU2mwlA{@XCs#y(b}%kk?SvN61LdzIZ5YBlinhuRWT+-Jdh3;rWq6q
zCAEqYU*#;r0j@#u(S~=|Ul){pcx?Wqg*Gn~xq!>K8}F{6t_cq<qezH{TcsmQlPnS%
zhXHmq78i@OxX;9Vd(FJnII#68b*qu60Z~j{iWonkwh%WdB_men91Hy|9@w5iEApK|
zG09eAsNJo4!F_paIRgRRKYJ@of6yKPMzKW4BtVn4;K2TjKA$-#`;L24H!yhzB9*0-
z)WxA=`c8KIHX~HUHv=J4j}MP%u7Iq)+d9pN0{IYvxu4q1n<t=3jjd6cLgquKXXYt%
z7Quwf8)o22M?2mZ|7XlIA*$DszbB1`wsCCRl?s)2I+j2FQY#OHNpWiu&K6HT6nRBs
z8Svm7n9q{O?3LW-O66vp)=J6oK~ZT1Tlj$+v(qHLijvbS4V6=snEHF%$;n|*{!RRW
z06wrX@?)JzYKN%9_=C}Ts_KD|>)&#YTdC|Ms{2)xX?&tK`Y`(^9_Y&beRd82cBRQj
zohGRatUqfI{wgqH2zvQW$>3pKtecENMy)6sxz7C&1k|6t(ADbvk@<gh8_WfAxcE4s
zDW9CBhe@mIau#mrq%U|Iq#b~Y&UBG8pgP|n#DGsj07IXUFv!n&qJY2jd`X@o$wa%Z
zDx45E@o57lyrI{cw<ny|+Z8G`2(TcU@1U!am+$L)C)A`t;S8hp;@6pZ_vPqwB2Qmd
zHOlt?#J;F6s@%85<wl|e)P^`nBJECmyN})aKE*%q|IPw5A`N&j;Y<)71Epm20ndr-
zrJ@Ka?aD_y_~b+|p;LIH<-S~J((wA{P*bu4Q&th9sq#ZAV<jUks<z|<pN102WGf}x
zBGk6t(NL_^$njYADbbe*TI^12p{`Xi*V`5F_xmn*mb;Lh7qlQMusx}l&eB-6h4MoS
zR;LS)q8bUge5L={Cb*4DW;`#t;Gcko2XQ~r>e8Y~^v*I%Te%O0I=6W1Gh&5wM*I9A
z!mcEol7CNOJcJgExt}W&8Dvo|J_`U#MM?Lg57Vm>i8~6bY9wS^^aNc?i3zn9pk@EZ
z!Edy*jU>x|XU8wuX{wE(ou({8XKBXGHb%AU{FF3k%0(qL(mLZ;^CNuy@|m4gRTK^l
zU6%h15kkNu4XzG`&HiK^%4oB;QpQ#zxh+Rz?LNZYpaWV`sBUsco;Uq~T@Y3$JMnOw
zL;crFs87-!5}iEx>sza?Oun@N(%)$H)-yGYJ*Ydhc$x&LjV|rhH~N;!ObsO;(C7z}
zDq*^MwH}&X3$L||13CZMXIdVdcipM4&tQ7(m;+xrKHO1NNIHRIDn@-@x!cGi4&hCV
z#@>(FB~^l_<R8iIvX2lmD+#8)v#QE$I-LVONNlUC_Kb+&7?4D~srShuKv@bJ-{05N
z)`mlZc}7A_>Dez4aFFY>`@g#g09@!`_MvURD07XN9|$z}P?3cx0KpF-APsoN;XA4s
zb80EY<<*sxfNLxcJLMK@R*8!YrzF|j@0?~N>|I-axq!wLCOkQ4hd!2JATfRum^Z}v
zkc!NSvR+0?fN~bI>rKw>g~AN<xx2v)%Vw&U&}g5=s0&-4gCMG{W&j|TjQcMKei276
z|GYbVn+lcHkbg5U+{!*9rmJND6i=4O<~OU|2#4R399kcbCz9eMGn)_PA~VU`TGGoo
zZVyOIy7(digP9RSUUcL@*CS<@ccSp4lQ=ATXX41b$z8||l&BGF>W=z5;l~!2gR<PM
z#^^*zVtlneJ4KWfN4zP_9;HPCwj{*N<+0pDqB%rr-_foh|JL6sL{sO8Fd_|k-u99#
zRJ+7~(AAW5fp*r%vfSc-`qN$#$rjq+0;Nq`X$)Rk_@QMbPVpn`)iAtO1BDSg=62(4
zAquO%qa@Nem5XuP$xCd9h80YBN$v{R#AwPc&fbqG{Pw9sg!LN0*R$fkJKBCHfFD)3
z3RHbG&cphV@OI<aL08*vHS{r@&2|5wv=t3d)$b7wM!lf*Odhr!1J_7xdHCZO_;zVS
zwvoQ?*X1`wAw6crLoFOt{98%r`r*3%WGw<`5&VBb!q(|{B2%J~_7yo`uZnr|n2)ma
zw4>L#6BvbLgu;L}E-F6Iao~A3xLZF5mlk}_nEje(NzA>iEZMwsLW^t|>RuHmJ#sFu
zeU0V+G0%)hntwyxG0s7DU%{<dS}1&-I|-IaWCeq2m!}4(e`l!vPJTpEW6yEiY}V&5
zv4Qy=mBHvq75087C~Xj<bvHkWZyIL2Bi&)5yvhIe@|XJu&G!N?R&>~Az2(%~=uh)#
z$?TZHZOpYlqb3P-8Sp(ND6<VYWGlzi#S;@UAIbQXm2A@nO_{{;PwBr0U(;{(c?b~s
zNMP3&8t!Oi|5|>SNKV*akf7R47dGOZi+E@H4dhfLb2Oxm&J?ChM_ZUl4|DeBvO5Hz
zIVF!i_xG(voZ4!lPE|s6uzhV(P=4=(Ur&>!oOZH^`><?RQssC7MHx<f)r^~Q8FdOg
zQ&=rz+q4@9K*ad1%119~JZ#!s#b>Kvp-Sn+y!9<tF6_)>g1bS!(-#S=THfAt(k@P*
ziZfCNLUJvY`oO0z@Ws<2(b!fXV|UUPfeAOio&Vtm#d|m<k|(t&tkXXxaVs#)ABbZP
z46hV3CLysEqy6@~8nDNlWahjhab&&T+!!I(b5sUqACg0^_d}_tfX2fVhDL#+3Vx_<
zd8**qS9C?W8kTUC{D?C*IO9j2unLx1n{|v{$Cw*PF>Ghcp)f*AD)^56rH94KUeY?$
z;I{f`L%8oR>eE^UfCz_!Z=4)>1r<_)oAf3-=a6VA8Z#++7YM)B$#2k=UHndB$uNmo
ziYX|X1ycUpbU%~17z5#KV+A}&dFF72I!4O|Z(2;T{l{&=73Bt-7=I1&(!BG>rH>|@
zZofV@C?8Ep?{`Y5^xrzg$*^x!t<q71Ty`4t*~Ral_h>18j}hnEn#W=2uTG0HVA!9*
zi@B=I_cLN8?A3Evwc?hG-0q9-W~E3R6bE@^z~J{8v=9bgZ)@{9=(?elyDa=F#NBT6
zpP|}>v2TpuZiI!}LoSfck$^EgG;Tosdw#{8AvvLOFW=DEz)rsY>lIWZy+=wr^U~UL
zcb^^AT?l0t5;1-*?;zu3oFYdw9W65*%=XlTTKM`B?rKE*p9p%7Y;u%UFqdM-TB|@o
zpmdHoQsiBehTKkcWDn_^sb>enRq(J+oY{{9b%GV}hpFdDjj?A38ty(chej&ji1vHZ
zFgo=4W`XF$Zeuo#bafZ2NmrEPT@hEm1WEXv6>ysR$0p4`GSS$||FfkPK~IFOw=8Rn
zU$!6dyOjR%(@2tAV--s5FijybY41f%ZSs8Q)3|s~Rb>(KfJZRWVZt@lZN4D9_Z=K*
z1S+f8NhwM$k>gX6G}Z2vBooTv=s>p9S2|jO1fB2!4cXm$#<}OoN?9EY$EUgCnv_V#
zYKmN2;-xiNQh<sf9U_ts7ab(FxVZCBk~2f3xcm?_ha%Wd-MjU&`xA92rTr;KLl+(A
z+OgUgy-x2G#XcVm4aIKCoy1EJ<9|mdOL2J#(x+|`kW2iE4AppCd=S5Ix7E9<cJi`-
z3-nG6mg8Rvbj+;+;UjGaFZT$m;5(nf;oj8Ib!&L^5M}XZfk@;c0<Uz4aO=N{qGW&b
zrs&K)JBK12^>a9;VM>(v)`XuvTgw<D#&G@BA$;@+4nC~ofR1h_eQPaGHg;dU&SH8{
zqO{?}Mtl}RW|XiI!<X83ib}Sd-hIE7qS-vj_|Zh?W)=2+_u2j6_myVSV<wDvtE{Ap
z&$(Z%12|-j@aMm8mt>+fYoWaDztFCc&MEp{RTsYkuK#;SWlp40`uxSc>BnR{6Dmh?
z$RaR!iMtRNsQ!%?G{fr=YQA|_S~owUk+tV)DsHyFvMI;-C-P*dh+Afm!n&`ijvla+
zBTIu7uvv28Ox)KxxJXDZ#D6;3-cRQ3-C*^}MsU-|!)6p@@|oxCf0)Ch_Kvi6I1~qK
zuJ&CT%e5c=oFXf6%tWkQ6cDpZc2|JRfk)Ns%9Tkf92|UrtMO|};bMv}b&ZO(Z!4kP
z<8&#fo`oqbqOKGXC0W=)Nd%KMZ#@nGGgVx0s8Vv^4eg(h@O4W_{GSIr<!s{@7H7$_
z-OYoHlOd2lq()eT8bv%El`{!;TagJ-I$e00tHS#^KN@L{s@vHZSmXH%4bRB)r0d^b
zTB99lk}Pum(qzER27CF{-fsmw?Ih{75yBM4i^;<ltmHBB%-WZaeioxMc_ZwZQyJ{+
z7l`LTx;-^^hB`o{h|fuAUrU~GobV>4a_PBRzy)s~-!`z5HT{z2e`eAa?44ldEHh)A
zkV`GyA2%!){I%a1>3BHjf~YDFV#qsk;QHN!S;f6ahwT{dIufn+P<~$zL+!R*dTY`Z
zja|3%cBQa79cD<EJ}D5bx{@cd21#qv*wu=!WXzB?U7yU^7_0tJdgMoRr0>C~vvEQ|
z>SvP2v(X*u*cEWPZ13cQGlQG)49;9W)4NHk$yNc9GLui;`*o?Le7L(W_RK3_LvgY5
zmxYSZeY!^jj?I@QW&%)`@Z@t`U_Q_c-a8xrH540+Ux3hBO*VgS5#YW@yVwY(NfdDV
zIV804vLG<eeugT@QmPp-=U#@ZeJ2jzH1;g${1;R;GC0sa%x`>c&SJ_>SOBd$SMb*R
z9|Mw>WJ(lz<%s;u(lwwNCH`X}j+G@ddNR&7ZrAx+xN`&pWO^;q$e82r%__K|<D8N*
zR89`q>B|FN8Q=8M+#{urW2UU#u3UnV=r>kpcMAA{DcTs;k`FMOSRNur=|gOx@5ca8
zaNvA*0N|0z)GYAjsv57;#Z|JbKt+<PE3xuDRIn2!QR&W0?3<K=EAvO-0zYqhAHC?W
zfYH++6sJ(<FL<?QF#rNoh}#HT1Spe5m~j+|@&Eq%Bs2gH4?Zr`{rQY$+S)&FGTi(`
z01<;4>f^&(0dFhbCbkNcAvbBrizfFyv%WKp%(731<of9W{%lQzQ;VMTO~2sZTT-2A
zJ0OKvl-P&Bn9QHDVk#n7AcjIC^%`blF7WhN{H%2(lD5So3!bq^)TT2x<`0*SGpk#7
zJ=f1~NURH(%YANK&gGd$+CD|Rt2voHXX*>pS#@KQ5Z2pQYyfg39=&Pk0Zap8v$Wy7
z8z!%|-eepZJoewWE>%ePaK<PDnb!Uc)rimbU2<Q=2^#tS%fjR;7`UK{4rehn)#f&i
zek|37mkcR7+K*e!cz5F6tpd^Y{ehv<rJBhZ5e|MTu>7#RO=Q{_@8$f%4&J6z_CLpM
zO;INIWgl$7*w<#f2(Ey~-V)IV468?fZC!gtw{J`zc@`SP!4JKgZ53eqA1ltMkj)*^
zjTufk2WiL++8dY68gd8<w{Y)mqict<1nSpl%AmzPQc)(=&KwJJefFG}k$p$sUb};B
z1zhu)XEX=aenWoW)1?yW-V>K|>IH_WiE2yVPteB-H$mgl%@juS5p<|;LqM_Q@ij7M
z?;JY7rZF{FJ{{2oPDPM2)X8VX8>V+7&)ov^K8w&A!90Tgf8U$tnu2x~bGyqFcDTFG
zeLL>bnt?WMVtzL`@l4jv3?{!7jZn<k4tB;=IEz`*-h7b|+7Rxca#%<05WN#WX{D^G
z9DH`TQf(EG158+q%bvb%xpMTmn#bjHq)*vGf4<or-1gkV>w;G;b#oMhmKzj2=^pF%
ztD<-*C5scIeeKrQ*XGk}(nJ-dL~3A6@%WeppbdYBkG;4t^$&b6@p^OD^19AJwsUh%
z3MEvp&E;cGh;a5`oq*+D`x`;D|L+m#$M~ekEHa{tIcu<p1)4Z_jaC<!?XD=v=6WWy
zl^8o@#OH(wbaI_RG|*T7GPuy5?OWvk^n`!1So%e^e0l`MM_k7p6s!n$;ctAmw_kxl
z=v>!(!lAxkoD73zgY@Oc>5Kj%m}>fEL6zpmt+*AYJ;OWOyO8FIXTfE#>+_dSCshn#
zQtT<WKUTp5`eV(wt&rY|;y-+-A9CpP858#xz#59nE*9bo;0RVT9ZiT2`YoI_Xd9vp
z+2)1k6|wS*gw#D(%Z=oopeD)sJ3#`Fpsk`fOVw{f>M4Kbp2RGspm5&Z!WB;M*erpc
z(R9e+>+ZIe!JzRMbsNO4?V#Xqr11aWqo)(+Me(>W2W5E%&y|NE6`IrcIRTE;ERC4R
zz!J%e*vg+}Ozv^8yz9?~L8>0V*YJzIaNq5^!FTNBu|1P09aW<l#Ji+GWCLF7t5E<{
zK&!u~Ar9q<C4G)O#6Y!bAD(n0$uf+!iN?u+HTnw{vf$j-5;0v4JXZ^dkypaABB<h5
zs^O0Xrgw7Uu=6i8F?9keMl6I*C#Vn~#R3FS*%t8y&PmM2Mh?NuDuMVFU%lzcb1T2H
zlw0v>S3j2180*3bfw`9~hOk@6ma}mkH4f{9U0uCqbhUuzDvFJyF?LC#g`fRd;)4Ix
zU4uZvR7zCK0ovCe|5^OEi^>pz16OqeXpl1x|EMQu%!`dPTZ~Y}9{RiBd`10M8gYvO
z_4}fO5Mn&Mxo0sx9)(p?yNXQDbO(WNUj@?=lV9%Yy^cHT1wacga90Jh)z;D@%t*XG
z>%Cda-M2ma1V&Y3WwI>qgF95q<B||oQ3hWWXsn`!(Uaa(Qf&YB(g|YiqWgR0xR+jv
zSn);bsNxpAe&Z42pWcZsfkAV{kPf`tL5|W1WS<%petJu++2vXR&M%`QE=+BVkbpYM
zDU2oaU(|MmkN_*cKw_}bmffW~M3|6p!Qm8@PW|yU;JI2>s<pwc2i_K#FK<laHyO15
zaN&Nw7c2s$w5M6BJM-1@qe}U3ZSUEQ4~|{hX}#cEV*W^oO*NNK1Nbs?b7f{DhycV4
z`hiU0eo-YgKHiWd^1g}pI%);Y-HB{wXp|tR#oDj#m-wpB*Crp5AWgzwT({ze(j)Tt
zc7>JG-)5gD%>!fy8U<=<2C9}9{p9D-_py&OjX1JSQLQj9PGVFod2l&zLr%3X4(km|
z1V`!ww(7o>#MBBDsT%m}@V#Z}tn?ds$?9aD#ghqXi;grpLG`!uyU&Qhubs{ttP<Gr
z>v>U^8G{)+HV4-3&G||UJ-t5p5<1;z<(Kx${Z`yw<W9VEuu1L9lH7L(wHAT@YQjs_
zeSj^T=xo)<?-1Kl<o7I#m6?VWVbJb^qE>o+t?``ikaS)LsQ0fu7sho8-#SbMvw+a{
zuRl2Vf>tL6Z+jM9G`S%Zo<^aZgrW<&@X~-*ge=w?;8wS$vci^@eeS9gh|e)x1Z!j~
z&_p@JGzf42^gd3o^JAFC=#Z~0R*Dj918^X&J3~`S@Exi*-u`wl%|LR&puxcTC#ba1
z)NcmQp)9GcW_|wL#;>of>%?XmeD$t3KJ*7M{uuSedi*o%iHm#Eo9P#I;L<y_J);MC
zLyUOg(G`zR)1JEzU({_^?)qy4q}=&^nE$izH=BC6uinpCgB_tO8Us?r?LLBT!ARsh
zGf{4JimZnrECX$m#SYk~XRpW<Gbu5er2#-m?FccEf+Gdlb040UM~e}beX#PAfwe=~
z+sj?!Cu%a6)SiuV;65};UG%3MD}U}jdXadz9bEKH@p0cMiaB_pQ3<HyoO?N#x)t~K
zQNQLklZ3MJv$y_cbP_Y-BFWMs5M3o;pZ6??&tf<IQlte5Fp%t;*o3)AI*kcMf!;0?
zS~Zthi+^_D=Fz6JV+;$o@w;FQLnz?~Uh+HC{vv<T#!9IO+Wk&@c#YVXCNK2PUK`D&
zSKH8Mvj0*)WMKWym`L&EHv)T0Ih9}t!KudWBkj0RWhS&gdu=HN(v$RYA&Q@C@=cq6
zJ@=AsjPNa-KHPjcqhZ8gCHP=m44uHHN=k}BIpaB-Aj){KUcfS;zFvSl=d*iyl6hUX
z_t4?XM!7k6qrd^XYB_K{I_N_?Gn@;V7Qi9r^?XY&AUXV7@zyVqR(>K#5Q^1eK*`<z
zY6<6^CKc6&huz={Jns~>1mew?Q&dY)Wv@y=+hZF9YKS`_y-Q%&E6EreKYNBS7ws-H
zbqq^8zc+P3b;>lQu-gVAYgWXKe;uIj*$4e@YT)D)wIo37U*Zpdo7fc(qpN*O2)kjJ
zZ4l54c!J-VDaO4WCxX%&+nWbfMbIC<{b1u3o#GnuI#B`HysLZ;k|ruFdDsT)m6@ZP
zRbJ$Zc7ESEL&pN3eR7zkWab+h#4`#gK-3nX)e6G}%_5Lo;D<QeisXLXtmoUTnAgUS
zPdhM*BAA#gXiU@WbR2vv4q+t^>q)7_*cp|L#WI`PBh6m~>+l-9{WD-Ls)gSEzxWF>
z^9{6^U97LAfs;27OL_A!r<_tyd>9OT)vVBGX^AOR>a2ErY0Tm&OG!E*Ii$r0XJz?p
zlSB`Asc67U{ijgCzZ0fcL|XCSIDkWKhTx!x3um>7IhT_#QOx<Vh>&-t*LnX?9B4p}
z4-y}WJw*)Iy-Ojf76BuXr8<vM{XP8NscMftim*t6xg7T>wnU{jl%#=JA7Y}T^g?a_
zUH&`^Vo8Mi{89naM^LqRxAz5pT2Y7>w95QFDPm<BSy^W^y<2*Kio{~xeAmPuz<^P`
zITjLVE1$7;r*(B=H)H@G<vyhylc{SI8#X@BcJVF@0S<$4Bvl{iKAF~b+BC_T%YeO5
zuV9R$3~b>})erU0SuIbkHz5|@K)ybNZL`4Hct4tLryApWd`p%oFRGk@Vbdh(IdF;!
z2bh)>D#2axLNOZc)kuW?Bxb=#XJP(L<h&=FZG{~iAFinsQe`*>5Y(YZu0ZLHKFsZ_
z$_5a9yyz5Y2SwM*Y!G5Lb?hw>wg!O##3rm%Me(xJm|W1KA7Pb#2=P%uxl^hD6jSVB
zL^`9erosrgvR5vHfsCsa5&7rIc(IP)|ICsvEDvR>T>Q2{f)Ar$Q%~~ef;h%Yy@mN>
z-lyM(vhOr}?(cToY>ps(|Ht(&ydG&hzQ^`CFQ>|i3o$DIjq>25@0F{5X=J}V93K-C
zhgp_FIN0#ez5n*(M7;iBq~18NlZlJ>ff8<?Q)hL2XVE$Hqvhe$K6t-V+PM2zUfb$8
zw4j;xY)mLa&})9O0XV|TPn@?WE^V!jV^D?@#{iGGtDYUfYJt8BFEc5WA18S&tkKZ%
zQTGvvDzP#42A~twIF|CoK2zcy5d#amZO7rdQ-c9i$B<+(A(nc4I#i>g2po%Ir?#sT
zNqo$r7C^bwWO@dEGZ!Q-3`feJVZ)Il08$P<k_-IbPJkwG1}U(32Ls+q0=L&*-*o2a
z&N?uN+^%xe6iKmZWR(~<DI>Apj>%}Hz=p-ZDYX?}W~hBmsO)@{<b0LM7_89-1wtBi
zl^A75G>bv)!6Cc}t%JSJY0Nsph7E68SUM}TO2MgYoU@F4BSdPD<S_?z?0+v4XVXLi
zMDE@^JpfGJVP~+$<*3tGzn^?6(p{*hk0R@Y{@S9ZB&}w~JB9G1ZnfP__i;-JPqo-&
zP@P_1NTD#$yj#ZPd-)PH)4F+81-xd^16<tjU-!G5O*KM6!;a8hFxDn5Ycyf(bt&yw
zN@q5ZcNO(}?7L$_y5>f0snkaI&Peaqb-Ms8y{MFc&zgi6_w(SnJNjXz(`Ok=!(IKo
zwjL3~d$M_wX>iY|(C?t*!_;56tHk?+tO07%oedGO+V=gefpy@EZMNziQNakFVkwWT
z^eKdY2lqUR=u}axCk;JP%w&k;*B)~~Uh<eL@aN3Bq_AQeI6eo^3nJ>wLO}-n)G5ks
ztS8c6`DWM~g~97&V~l!t;hn{)+DX_n23rMyy8r;|+L;wX{Mxis$8{Dx;GO(g@^4AA
z7LHM&2-HxU?Lv^$x8!~nb2o#6^=?);8&Ibf_jt+JnQ?u8sA!fX|BqiIem~<b1~$%_
zb+=$)Yq-vrDGFz~`}a)n(?#z2@X?Rxjb5+Dy53AAopAg94I{PR;}BdCdA|8u*jCTb
zhQ`2Yqd4+Y8fdBa#5L{NCQZfeVRC;YvmUP^<o4EONxpV-Bw6Mt1^Ai|zHZG75z33Z
z$H6tWIe*8Kz|D=}Rqso^GhFfdFdD(^4W1CrC84gBz5|H}z@PaXXht~Ldn#?@Pv3Nh
zch5IvS@D>ZeWhy+%w!hqY`-V{wBmVfMLx7*XVIe5^Ah;y_oSP%T6Gf{5g~+XRe47P
zmz($GO5=w%QylGy3~#=J*M(yvM*<|^tkFe=qMe)eIIS&TW@=Sf%8T<r(v*s&9iw1g
zE>W;f1C1dUJ>IFiDA?+iiZ0G9e}ZOCIxLF+%2{WIH99v{Pu(8m5_1|^mZ$jK1qXS#
z;iyVEB&4#wNWL56H8ueh<pwfjsHovhnU`aZf!M$+9_k@Of=r?H$IMhpU=Jm!m?2p%
zIy3)@z9*r<Z_wo5YbLpd)J&K!MVu^W$m}%EnATMP^Z9pCU5vQQvGiGqxF6mfI&cUk
zaP{%v`&X==Z_g+TUCBMwqd$8hqvCU)|IyLBv>SR+2o1vx;WV40^Dv{@rcjFy`t1yT
zSY~}ucfS487XT<RlVEQjr96X$PcW8O<Xm(ny?qo`w+n>To6JN~IeOd^U&OArRXR(W
zk#AFrt$*Kb+IBUc<MllYX))jS^==4x33s?WpHq%Qi--}C09#N(A`a#8UeXgzR&vvA
zk8Q?;WFI-@%}**Qk}8tXBAc_j8&w6^W3lQ3lNptO)P@78&Adiqm|_^NoL9cd%4$p;
zd&F)*a}O|89kGxIQYs?MRiK<Y3zm1Tpe$PXse7IB$}MO0d&x{jKPwv`c3~5Vt_h6^
z-anPiCDkWQIM}pLE(A!9-LMiywTRVzNp_h6eftudkE^^2II@l9@2WwRqc@hUk@QMP
zZ&l6GO)R`PYypQx;SheMXU&Nhg$iqUawlEiXa{QlvlmsykqI~XssF(${Zgq9{d<X!
zkXLo=Cv{B9M>Qw6^31xx(H$L@4(u%Ty0w&0V&bI}ZEIf;bWYH1=V-bj&zuaFbqcWI
zws=6B?ccN-yUeHGSbtAw6o`S2>H8i|NdMU|92Gs=%r6EBN>WaF1t3zU-kZB@vus9-
zmSSr)CCi|unD_^OazXqNB&)|j_xJLvc)wzdQP;&*kwnqFzb{#ENH+c3Jbu7EF&7iK
zYr1mY`UW`y=SGg;K~;WbSmmwsW@;5^jib4-Hd7n2vT#>}QX8sKr3xN3piH%u5(XtD
zlF$R<7xPPR0W9S`KBb`o9N2TbN;x$7n4wsV1k*F^;#{VN`S;e=#^%4kwZ2NOW}1gE
zmX@NE<&%@$(l_5iDk!%J2a%piQqrQ%+eIMJD`!?MVpqU}PWm*N>WNm?X^$M0S2T0O
zUE=_2mv2h`D164$%0T8{V$va3Yh<f@7{mSadoeh6tNcgS-`$c-it_Th(zg_O4_Lf}
zBgcFr?)AMT?rsRz0Ag@IIn18=a;=}uG~s#kbu;vtqNeK?pk=D79igM#26c(P9(}Yp
zd*!wbRXYf^K>6EzPD<paAn`74!4dAdD~a`z?&3+mih<whdZ}Om)lkI{dVN_eR{9Z*
z37YxZVqa%%#_#wPYHAy-u9a2oB5b*j7`Ah5-mhYg*LM6<V^5PofXEw)iW3wnOL5Yv
zTcgP{gKNgXxvBU1-+_?aVZiO#HYYy{jTN3dsE-I$i8;*AX2Ciswk`_E-7h=_5L83M
zw$&6I`#2w1==~iP4u%3hs65^=)5JTCL|~xp-fUdeKE|BX)pi(34ohAv??(WZ*n-9*
z-pjF>J*4iq<V)5EVQ^2&muE)Fhip+K2|S}3b0ss>TLhVJ`a&vvF_|zW=O*p-92!Rc
zBk%#5fr~di$e$lw<vU8eB_zu0W`5{9nOB(fG<lgae!J|gi(r_hK=1(nX%>uI!vjW+
z*tZy8nRVTxn!9GKEhE@nRM5><eJg3UUzQWB2+s^GOGHNL$Fy1s`Rx247NTgr*wRmj
z3B7MdM`^w{GJEBI(7<LlZ({6IjXl2gbaz@sm|~oE$6}4S`RvC0aDiu>XpnV9tN~4O
zEqgv|T#UWTdR|5G7tH-kQo>6SW!t_0B*zfCM`_0bm%Y~(J#=V(7;;J<u<k%@3>9|%
ztf8Ts&1ICr*<4{ggj&fa0O$ZNOvgjXa+l8D4(~J;P;3ahS=q2nk}#NoR%kc5|A*}w
zjom!0e$hs!oLlMl>5`dUC`nrDhAY6bLW)nA(~G=CS1Pl<f0_ASit}{yV%E9jjy;g8
zK~Klw(Q6!C4o0%S%m3bzckzwx%ta3UDTs(zLVPpD$4cG3T)$WD=g`XfdpSe>A#Ht>
zz~U;e4&@m7RDC_|cW-h(0H1&ecedRSH^AaYKX5NN+B~%-^g?cjM+%UPhTOND(P0F)
zsguX9w-5>W<lv%QzVb@_3Ro}qT`)%z+vQHrbC~<RlpPHpz>IA}dTZf$dK9;wp~j;3
zI}3u8DEB^h3qR`y@;16A4k8_mE>9Ns>!>IwSwz8)G+_);)=GIr3W{-3m~ia+2WM=`
z@o1UaZM))OH3!b-X3$^YZCs;`olp7%VaOVtG?8fIR+<N<!<wAdCs$O*p49!BO5?v5
zJM=L*-&9l20pBgRHKEwLRa=we;Q^1YN6H->8;==VIKGoW-wO!#BSMqhZ``SOlVxhE
zr^%sv+77a;d1;Q(L-M8{R3ytG4^N`qs5v4fx{j;TB67dX{3pJ`qmLdo+O2LfnonGC
zJ0q%Z5nAO@FgyuSebG~_V0E>s*N<6o^js}EB9%r4Q?Nd5vvyi@zan1|{?Yg6brg#t
z#eD}Wg^*tfE+uB=edA>Yvun&WmN1X`ngCWnslUj8lpQ5#TTof38Zt!aWyYxVn>!3g
zeI&AYo=9%zXLvMGH=NrMdcSuoPKnalE-vEqv4AF@C)_dp@^W8XTZy2vS@_25oEc9O
zmaFM8S=Q3*??%-H*t(0<`>Z;23Dhk#vG8IHloz<!k!9ymV~b4F!L<<fH=^o_X(g$%
z8%Tk_Fq3rH@vpVE@=e%q;XE~fZi(IBkCSCwBY2cFIhUxpuy=+h4ao7^DP<3)7-N#d
zR2qO{V2z}B?!tkKpQ6mD^n{saHl`wZ5qe@+r`x9^!iR%wmQ%9a2J@(%)kYQ4^ne2J
zkwWqvMF85T7y_Vj-%JGM?$jL*S6QPxxiFMT9`;ghg0PPXQG3X@{1-!nf3v70M~aKL
z;J{ruEv}fE=TRsxHwJHU3P13_^PH?~x!gT}@50+PijC5YGETb-K$!Q7Ob*dKRpQL0
z?Ov4Q3aK^mW6MmVqh21oO~yCV&`JAb7xy4siRB>dAU?kqNCAjry1TgeBE*Jfbpn}3
z`f%5Y01_7q#h<r0(1CP#w^aArfQWpmW|h$8#`Sc1m&q!3Kf<QDF&corHG7HvWeHDa
zJ&a#yg8;zqx#j%bX}LqeyG6_|&-VZZA#pfa#tAto7^NknSe62#!~__@G1Ywl0l>&r
z03aS;D7Tj!)T1RVqO=l<-Y7}AB<ZQ|L=WkRL!H#4TOsA%O-c!Bh2+wse;zicV3Lo~
zKf~*Iz^KC+WqE;)PYecmaVR;I>mckS><t3MLaY?m%4E5$bQi>w)U4QWS8s73>6x+R
zP0As$A-Fk(JFHWRWsezBH6rX;Qf2>L9ro&;DQ&#IEclXry-_4w>gpea%U;3P+4;wK
z=lp+rdiv6<P?tX={t}O#MV@ZW`=JDLQy538D1wB7nz5z@j-iiYDS>|b9B<i|%9ha6
z1%X774my__hC*bp<@4Vn>i8YkXfEF*>{+i3tr_QNv9EuuJ88PvI$M~pNiUXwQ-d>w
zf5=s7_NKnfI=DJ$CZfauRAJ^<-Wr16aog{S^KIizQ>+1I5G-#$twitF+D+H^0oJo~
z4#B|?QfN~d!B0^za%DuPxv^zy|KS1F6~_V)`ITPqK}e^QR5~oJ6*T&%@cdE!t@632
zD!?xp+5oow64WV^k<9=&0VAQ}JQ+hXhGpb`&z8w#b=yCzM7fg)NewSDQ35E}E7Xo1
zx|dc`4wv;oE7q)8FM-QiVLsle)zEVov7MYHf<i@GI2_o?JzaaBsGasBOt~7~&7Jil
z&?ZTsTNkssGuk%B<}^G%icAZ2X>9on3X;0l(}&p`$mziUrv9U%afnqwVaQ8g9e=;0
zM?cVjpoeeLXX%H(R7CC}I!})7f4Q%prv=eI8Cx5|OHJVFsp0gm>9*m;A*qhD0=lZm
zQ|0DALyx(CgX9|9DbdiB&-lb&bwsE<_V;i+TIJLt*1QM%QPF2FV3~V*=w&FrZgNVu
zo2Q{!UhTbCBQsm}PxwW~t&~;_idiqPr+m<yOOgoosu^?qI}9ocx14N36A2$jiD$tR
zRfne9!#8NYB5WBeuNvbV7J4K+Gs&dP*M|Il9i_m+z0@n#rug3(hNcuywLc3fPl6r0
zA-(G!wur4<7^VS6Zl-ws`15Y5l&G^q^iU{Esx&)WLqSk@zRomoJ`M7p-xxR=SW`;s
zxmG|#EA>is3P5aNkHWbhw!;|m%F?3Z$HbIUCLeX0K{@NJ7U{-iKN?HF%-}G)8E8M;
zP2N%(tpCx#JH@JEprcpQA_jzxCw$MaL`R?>p^{@zH=AOZ4=}r85YJ=u(E=sSQX9kF
zAlrXu|3@FL5Phj>ETU8>$0H*FElbiSp=b7;Gy2IhEX~y`(iOkf#y-_elXiOo2wfaA
zCZCGjE{t4#87j7Q>7GOAzE@Z(beGK!r{*17lf?rY6@kQGaek(*BW5z?igeaB1_T9N
z*@MQ^X{~LE`~23^D2o(&v0J#4x}Tl34CPTo9(-QzS{As|T&3F%I-d*lp%w9`rK0!_
zM#gyG_9oFekYSmbE>-r#!0=vY=I$P<DgIBQDmLsTx<9vLI+7|Nz1t2CA3m5I{sqAX
zc^1GO66|}$Lk2~kR;uuM*u}SX;gIH}gKDW*CK$>hl+T}`ZqXdHCU_fjgBb=8zA1*X
zN_oH1>{u{YO@|YC5+Za9b;U0M_S@}JD}<+Z^UZ`Fv5Y?qT#QL{@Ka?nusQ#Z@~8(r
zTr~t70pz(`I0{lK9$~aG`IP<aQxOP=K1yqhwrULrpUPR@2OAm$Pq@{ml37ya6du`L
zKF-oR7mmF}Yc$(+&3~^Nm&|LE5leo;g8Jov1ikxarcIhD@<X<K7dV2691Xwj8dYQQ
z#<=28BEl@_#qHnMnU=7ElGYb&m13%K{;#YwdGUw~q;j-U$TYJvSFomej<4dbODpWp
zlE2s)+UvROetS{*b2W^@d2Gd|P#2?*XL5=6*?m>hIRHWa?;UTNlpzVO{Q$_cik;r>
zSNONMolWfg{jL7X1wzo-6j^CY;4$e0M^4ZR>hpmaCVgZ@osFK0ziJ~iG8L`pSv)OZ
z%71C4iCkzAZ8<47PCI>{Dq|}rHtEN#XTA7)ce))Co4arLa4Oywi~|TkJ!w&{j}L>D
z3QfGe%m6cy5$_~eB6g;%$_AcAW}acKrY4|L=#8JdHT`o}FD%owHMw+7WWsYbOH<t9
z`WV5vl`}C05r(q)kTK<M2KI(z^nfbL?Q-@8IiLlxHRzA7N2<gOksZP5i_GKla~bHe
zpSuWPUf=Pe<K^UknIWe1!z*g=d-4jGm2N_VE8TDdnT#vo=zzR*NmKs*DfW&X4bsUa
z29C{soq_EgvhrU`tCogxJn-REwx{&vqP|0NVRa_=iUX-LRF!+MLV~;v)58k)|Ly{a
zp{z}7Iig_P+eX~_IYu&}qlgRDpp6L}U$NsRmU{pEL8sQZ$2DGc;c}oE#5RE$tO#RN
zI0tG;tc{+Eq7CCPp9lCI>dV`-h_g4bqbIzK->=46JbqQM`YKcOTn_g}Sm$9)g&6)?
z5@*(8UsW+JB1C=sOHVea*)0grHrNJoE-tx0DBBM`xLcx9T$ZRX4McPHD&X%Cjgef%
z{@R~%^*>6S32IK~Yi*EPm#bfVfquW&7n!c`bi@f+>D0}sBWlN^3s02KVNPZ24bSm-
zKXPGzPR5`>`z)s@Et-WpE6COm5r{S|ko@5g_=6gfS+TiQPLwJ-uru{`{1mfbEUW{F
z+VPP|3h1Zj88HGqpmCyshi7Z6AhEa=N)>@gFb!}lfMTfiWMhnQ*UJzU#qH=JK`mms
zkIvZ<S>7}neo6p@*_V~~5)ZyF?HH^bR_}o%`08|UP$v{F6<27M{^v@W`D?&u>dt9*
zKYw>OG6c_*o1cI3y!zb)&DDk4!<y!NBM^RPLJ7;LX}tK_P)HWcPTSb{hkoy}g#2Y4
zz1jqU|EtTxP8jTR|Eu`pnkC-a&8;)Zvt{(V3Ad&piIY7R2yszM)A@Ec1b@$QNl;%?
zvvgCxWP;K^$k$WiImdvPm#JmuSgw%{#W)cBV%fWy+2ZXRpNt%F5wL4ueyr!W0gCx7
zOGla>l*v#03LZ`*N7;r0(}7WDbj~A%qaS1kY`1=S-2R!j^-+>adj6Q|;VyWd2)Y$p
zk?`>02MHD#y9_=VPQ{>%m_nsQKP3m70Hn8kKBQbhkz*%nNDOnDryg@PaCl947bAh5
z50w68CgaTcpi>tUHKbCla89AfLpUSFun4uD)D{uO6bDH*!A&{YuwC1HcvhK{jy{g~
z@na`svzn5nVX4hifbBHDYH}K}w8Uoj3@azP=9uWk4#gHK$-7o)sYee6j9{qY3^i)#
zarFGB$wXWsM+7lkBiOr~*a(9%xCPz&cT!)#HP{y}Z?Cm%@O1|okoPrYx1F1ap7(^3
z40Nen(JSn%(SNrpUZT7$=KdaMB^14`KbV!=&s==bBY^K8XfmfBUZbKoqeRYDh1VHN
z{U!UbD~y5<?-nCHku};N^k`yyl=@51ig!Y1w%J~0a@dz1zGDf!zsa`o3$t3mUwU>o
z1@+Ohdumh#%ImPwi|hdyyP3SOG!7C?PBA>cwK%ceDzN$$X~aEM(S|#KIQne(dZgy~
z?to%+mvy|5sgDo8o{UV@wRc_p*P7p4tsOH$5e@#E3p+kJ4DickN)@hX-2gt>(DViO
z%n?B&UD?<hMtwJsJGBZe+R=d3b~H%t4h~6>J4>eE6N0}{`rtal-l$s$C*mv2O<q(7
z8p{p!?-9n&Hkv|;>$?RYG`OC_PVCSU^$zr2e@@$D$#=tbNnmp3xJqS1g)5fS!wF$&
zpgmtQLk$il8ZE^6cT7RcD>0TzoxQ5TEjUiUo2$dVPX97nwQ%W=%UcrqEaQP#%>tcJ
zodWLrtqfyrZ;KD0j~ht6F6#%kO*7WN_43z3CwJt>Wka6{ms%4q<hd{5JRM=RV1o4-
z>F+jB3=nGLpcsp^ZoY3V=yy{3_gz6gAD$^`vM!X2Q~AG}Hy0ZMy}@;asz`GQ-eUJv
ztYVGsmO}sZ4-+<JvpYh^-<@i3id?QAD$kIyM#tf{H>~uHX@<#j--g>pzGkGQI)k}w
z8x}}tk6|%jU?MQ!HY^{pus@;)%)dyv*i@y|&j7sQS_xZ&zX9P)DbNCn67aq$agOm#
z&XvxLrpoHbDoM41PLjhMa*lu>Fpy%1=2nV^uRc-_dARgCu98t?pwlY=`CmEPM-L6P
z=*hh=wWI`408UZlLL=S5fujY&mhW(2ClQi{zJ8ojxXwxy7kfIi;Ydb9>4O(x&qgAI
zjd=W=RjD$*%<{kEIQg$y@9Jy5vms)amcAdfM5>}^XBx|{#=5HJWA1g0??+lZJkS+n
z*@mh7YgQ|Q*DuYOeW}^ooyzMk&H6>E_~1v3N~c3&=+Up~=^GT(+pezrkTh(8(HBbZ
zA;bfWzk~i>M}C<p`}P-h2WU~`JoV+yJ$atcGUCsV_q4Y2MEnU)p^@8c5aR62l-Sbj
z!%poY(45|$ovw*-OH<*gbR1Je6ZDkl6iEJhZ{CJY*=B!Bs_wrND}Hy1t_6Fo?^;hP
z@$26uh7qmwJ!ZhIWwL+sO?+$hr|la7rmCcu!N<?y@Or(hTHn6WDU21ONHUmRwqf-B
zThA?boi*0*!IVm;&;uE8)y{pq(9(uJ5gwQ85Ss;SAcGRpZx0P1@@NcAMF~)>a6*sV
z1TNv6u^)nS$vqT@Euop7!HpC+%2IRSC-|rGZYLW^H?dj?YfJ)YUUAMFMFB%`Sdn3Y
zE)k2I!)!n>)9!F0Hyer%hT&U9%GMVGmH6A_&|;E^)23M$e+*Q4hIga*nHl=pC9)1z
zlkO}O(5Dfikn#nBHDA2+0;vM{K}a}FVLK~yrmT$fKPxg_WG2(W6pd;<&X0urtQ4;a
zO@E3%3Pwm!94SszieWm^9&#)+yOg74^Ct6+g!ugB26`4I{!w-tI)OPyDz#9izw;8Q
zyJ{Z=1w~$3S&#JmS)oAVSGdd08>%e&b51(5aekxcPa<gM59fRt8+7abj+~(czn`a9
z#9Fl)5EzVQ&AhR}&Y~v}9eO3-uw(J}w};E3`1q};(CAlODS-^}tc4fYl22P_>;wY5
z#rtwA_L3&_FHdfJCHIPHE~;4YIz`SSt&eH>5|pG*tA-gHHUQQstYT?6irhBCPGM>w
z^0LMgV<jh}Cf$c7<~sXT<C#ps%!fg<j15wi<fS@?KQJ6H2?TNqh)ZXQ@7URr3@e8c
zb=c@Gx~cSHvUWYK6%Gd`@0=9j@T`e70dx=v@Cwx1M22k5sF^ZcN7X`&4r*D4c;K9<
zfS8Y+Q5rf2Yk!wvV_iu8&k`@IFiLwhXG}JPM{tAkOI76xmemR6mp=6hG0Z&)ibE;-
z?@6dA6K@R&`zDdgv$6%4q|l*cH|)2cxYvursXrttMt;P4Q6W7XJl4eaef`(?&>)J7
z|6fFC?pD}HV)v;Xrfpy#Mlmg(=#ras{ZAD2cj=O2_%64*Yh5PqMKSQa?V(XU*ZV)$
z24*1A{jX?O8tL-GL7lCWtJmu^Ng??b?P<M#L}Z7C!}mJo)QR|JXrG9ss1wq+E;`nL
zGKGAVEOO{Mb>wjS@_Q+_O8W2EVY0IGFpa1ghwEds=Zp;n0|+|(nIr}i@&R}lU=R;_
zCf!N@z!W%N%1oanso^C!#+Hhp_9n8+I_OZ-b%$sUY`99A{svC26(Rld7p5BfwG%5D
zRHO!61K)5}Jk>5P#!yN!%=0!*C5MWrPIbXl$Cw%%@aZ#AAEhX84*31M<`Tp&jMC4m
zZ)Vn3MH8y?UNp0-)G{urr`-V$ZsQ<y_D4F-I?_wgT8rFs9J+QcZCk>C8ufC)OX3A4
z!P;$A-`Gk=u*H@YViLuloz?GMy?=5owkWSj|J9yy$>K_Poz2ptEgJ6qj0k!j{{Wxk
zttS`B?VUjclfe_?7iJDT&+~fm@P#ga39BT$IbPnpap_o@=sT1C!AZXp7Gk{EtK3#>
z(d3_bU32lru3q%=b(GZH2b*ng*I~E9pDy_?7d8hFuKP(!NN=$iEC?&zyA}pMMW205
zPPRzXX^1Q@L^-m(xSx=6S5?zNf~Ask(B2Dcm2ChKhpQ~5E6U}o^lO4z-oc)_0LWen
zIe1v^8$}GftL-MiQ-eLaZowyFg&LxjukQnR2Q?i_42VA~R1{Q_mXdMD{u)5^ZYLTD
z(&RB?B+5I4$K^ZU@aSCYEix=RN2x3(bH)BgEvRTwfaH}MGn2-HFG3LAB)h!&*wft!
zSG+%~8Z~N+q$e8NQT(zfv9N}`<_`(QjGV52TwDrMQXgN1uTPn5M#Ngq^`7JBH@nw;
zz-qXk=t1R>ebH01%>Q}gH1Lu^x?`tDz@ugc1$g<r?PpJvdE6vbgCC+s{Z=H8GTX0n
zs(2wDqG2?jxuWy^il$Da{Jjb<{^&b2Yu=_-gG?7`xdn9x&0WW9W{z_l4U4C(Zw8;l
zQA}T6e`mbSX?ynPLy7m#?@4+rbYAEYA7a2$(K9d#XzHHBd1N)nn6fn?PpUw-j`o=i
z6;6^N-3JZ4QymWM@es}M4WzdLXpc2Ic1YDk{<S5Ez%mghw|2}-nV>(<pe970TqlpA
z;|u8XdnA<|PWW!%u(^o1in25pQw_)vRa8PoH@CQ8@wkUFnX#d)q2$)Y0{eN)5QCu0
ztt2UwnZu_5PQo3_cVeU2Ku1wlF7Gg+LiVqLepk$|W8{aYi)Ln`8QbIQxd)<~Gciu;
zH&1aQ#CjS1{Xm_YASeO6G>|nkm?WU;&)1!ZlJ|pYNS4cKeeL5Oa$1Vki*6xcqVbLh
ze_no+?|65G%7wuHg}J6CbTk*23Rm81LULZfUwG{mTVpk7&`nVV`li~ZGK^nBLTc92
z?}*IHS|;=ei1|8yL={(se?qXUHVt7>f|~r`lo&sXH<b6go3zjYQMz`M_wC36W6`{g
z>&YmfLzTRc2C*;(Bi_q7L45AR^bgZGE+<Ma6UvR>#om)CW@Bw>%11n>-^NM;TTo|w
z0I&DOb7DWlJBOQ_j^g=5$(Ni@@3pBrqa3wZ=$eegVb~^s3&Rz{p#tioa6L3s9v=4P
z>(ZmVy1vI$^54j5sUC$ZROpIGD)n^R%V4U#wkd^NJo&^{d!M4T9Eqtq0<-%eu0nG1
zpi9a%-tEpez}t8o6@!dEZ@8x4J&|>=M~Q*ey&kp@5$Dj7=3+MZ&>&S~{*Chc{r~?=
zP-CsCJKJkdIRAG3RhU1%ol~5lQ6Hi7u`jO1zvu7oJeH0y92@9l9!yd-ygdEh5i%Hs
zxVH0QkbAF4v%nW3qWmJzu;fC_s75Rdk8<R>>)TZC1a&M?c^W@~Eai<BC#`Bc+H8|;
zPMobw+#6{MF|gGY$WuZ*VytP@Tf@XY&ii$g@55e;FuWfqp|woJA06c^xv@x!uwh#c
zkP5F#pzDP|x1Uuto2NC&uU2^f&sLfjsuZr*L-Hje%R-ff5m7USv|=9a7XpTX!BzR2
zI94<|L!p&>Vgrbw^O((1X4`?Sbzg>k&tUCd8QmV(u{7^9I5~95*|wDNsXzCuiKJHS
zOxY_s6=}WLnG>{vk3~QaJb%JhWUZL|)OjX}_ow!{zkz%NP*(XneSGe}Kx2$;WZn2u
zzrMrW4YVD-*Se`08-9&3j)#;T$PXagl=Bww%ndSTV0HrNfJ_?e7JC1rxMNp>hZ)La
zT1CNSB{g+L5BY)m8wpD|O&n*GlnH;t0R76SSfIO%zLl|^LgmYM?PO2AK>tsBp#L!5
zuK|EglWLzUdgiT-w>l<DI}JAp7XdUGEf^gN%}-NY`$JETNzJrrmm{I6vfkoE;;rGd
z{{7&7a2PVvz?-GMR=E92yzNI@36L=jR7S+)1VD=&<-6vRG&DsS!cA19RA5&9#ZOKk
z+Cm_~J>z<lRJZYV7TF^e0eL<}wLO#sDgS#85xArq^T6uo-p~9{Y0nO)&Qq4cJC#rU
z{F$Y&CZLaH+{|qE2ScF1WD_2K_}9_bzo*2eA4^4W=WWJJ6HK1yYm0We<@`Olr$T<U
z9e5AaAOnK(+l3+VQ|3S3maV}@RiZK-JDmJF+8o%L1Y$5PRysl%q_+}X=_VG<qwpV0
z$fXTU^=NBNO_F!ZW0==9V2f?)7+6T)67JMnY-K4^(L<)Fw`kHYCZXhHOgLkVypyS)
z*jx+XxsKlzD&S8&6j?~2^8j=Ggt5$T6vhCUId>d($G{&el@NjGs}=ZVtz4}e+&Gk|
znhsIUbM`amh{=LICYv3;PvoQ*K979fByk(u;~ZgW0E)$N#5@j&Fdj_2e<}SBEOlY&
zs`MlrM8UCBeN(Z^7sN%_;*!R2l?I2EMT#^$j580lqz)h9#ls`Ra`O|_*0#r~>?V)x
z>2LC;aMrFFa9AxAX@1rdv=oF-aIK&l6~-kyQN*F=F94t_Eo`xIJcs?$z|G~r*=b<m
zP_pYL;(p4m<z%Eq<nv!DD;k?($Dn@Et^k~(T*UOBWn0fXA~g|7J`2XS{rICKV`9IT
z@rcn1wnI)q)P8uFe%Y76k9V6L{N|a6={m1GKUwq*@d1SVMU+tG-^`Y$%jNhcdvXq(
zwr-$M+NW|Zhu2I$s{}Obn3OGpRgX_P4KU&mh@+#toyxcwY8g)I?Q(r$q*sn5Niu>9
zTSvK90B9NQ&tzT{l9!UXB|LegoHwnNSItqj=rDj_hsy$eDsVU%F6){NbTDgP9oNi{
zU%ZX+PVr4Xo>zH`OP5#JDGCH!qDnK^vKbOjbwp&5iZM_JKT#|ox1tdgF(qe}3HM=u
zVEbt6FF#2#R0`kq7`P{knvk3p*nx!qGZqZw{*o3U{z|9&)|-6QxD5)QH)`#mQAJNU
z%#1)p2;EPI=GvmVl5f*XG|Ujy$RnnLy^pM{ST>0-H%`z#RJR$gql|h!rLG_6S>W>!
zZ3-YJ+;cK+T@aMJP0XD;Wm3))ITmTv(kIO3^dl&y&Do3`2CEjp4TvL~)Si9jK`sn9
zhxiR3yQzlkUbJkep1&RK&(1Q8e0uTp5*&l@C6#wLqw?=+*ApEYvONlRO>h&vJhW15
zuXe<NS0WH~Uh9t-s8#6|>w=J%3gXcL>IsP51GdWL${zg77=?<gtsfG&F8D{En`r^_
zM(5vEZ%Z9f>0wz7=Z?L80=SF5@LY7TqNoN?C+_naqI5hB3KbF65^`jit7Xgd7Q-4|
z{%H}N8%?v&A25YtfU8_n!wiw$?fx39bWr6g8xvwn18eHmdZzpZ0-019Lua5>Om#uN
zGUq7wqfcq&1#+uSYiR3#SWwjz<>J(Shv^a!kty|8sUg=?)HIrc45m<_mfPCfA)4J|
zAFiM;%(t`N#i>~`o}?Fr^Y10>Dz4ba>U@zmYme|&jXSvShUA&7eoZR_Uc;%5DUIXJ
z@wZvo=D;TRwu8uO6MEKZ$rmwV-#zdFV@FKO)a5B6x2sBTI;`<kpFP4`{>D8nIlpjJ
z-?<R%dOYI#YZ}|%bKRLa!EwYB)lSS+jdiR$$?2oMzQe}o0nP^&i1JJK<ZHYrvlV_U
zNlGT5$ByAADrP7!`$m40Z&YLaEO0!s&{iT$CpE|eQ|;a7zZ@^*q*-|p^6A1U^GepA
zuJ7#!tDAne%}}kTflvF=aKed$%nvrZmm3>W){1!IMx)^Bn`qvj`fqclPG@3<TJ%R1
zIHLy_Ij~KRx;PBgioJgdB<|I57$!u`SPt9%g3HXF_XrIss5vVplU2YIU8j<AN1V{+
zW4|(vNy=F&0tWL#Vs1_~$L^`=FHW#BT86)752bv?dLNH_3wS-;t_82O0I)RCQXUDG
zYTsaM#<|`!NQf+*7#Uwe1WC7mz%Lt3i>X=#zy{7mrOFn$8_ZmFYU9j~-2XdL4?d0i
zk>CWi%qDFW%Sz)g?`x&$Y&$1PV1FrRy7=nR5Wb6LI`8-BEJML(;*H99NQr1Tb>{oz
z1J6~i=w)cUg+OXAMXC%<Dn*!GJvvCWVhF~APs@FnCbi({`um!gnv>p{C@+!k#*nz`
z@W}*nYC)vr2bU0na_pSmpWfGj7H0=TT&yV=3q5AY3WAM3;gsEfr-WM^=noprjqFG7
zpy3o0mk1&(4eMltI10))sy_Q%@3OHQnq@QPP|Hg4pm~8U;Y#_OwEpzo4zwt1U!i?|
zmaPMb#cqX)G+k1{WHrD7htm{(u|x_5PvwCixHXy#N5hYW@7P-f{x^$gWvB%#%M_%r
zfM*gKpTJuR?vYK!$k7&Ev3msQj+!#w>3cxVbe7Qb{1iE(7Y)CV6Gl7-AP_DStSu!k
zM@;sd13SWBu291yO_nWux8_b0!m91{p+rv(QgX;Eu!L6{mf-Gi8N~0J>&xJ%6lC=8
zZMk2b?dVH>c#jspY-Y>-W5J=6`;b&GwLV-a|Mwo6zKzodPsrR~cA%(oOFp+?{HXsb
z^QW*;?^ioO?4Gz9&o(PFPCF`YXGElWsrNbG2q6*Z9I~5}RxS5WRI3g@qvoswB2#VM
z#{Mwn*ox+jqkvuBZlI0gQxuh609IZ<B7wq7HGiX7=w_Pf*LPiY<fWVG!b@C0K+Rg9
zNjgb}<*$x^3IEa}S2OX8+8|O!C#o?A;+|{l<?5vqa^uh*Y_a;=6{WjL0<S3$IPj$x
z3C}+AAg@~d&~Xn?pO6g-MaVe}Bx7;(=#o%C_gW)96e#ze8O*~HWgG;7JeT|iD{+q*
z+6+B%>mvc6+1uYIHSCMVa(rGdF~D7i7|UGP;eMz%PgJK2R6qW|W^hu~r$BcMf87_)
zK1J%R#JfGQ=~t4W2chx00irObazuIbPD94QpeW%>|Gix!8qjfG<P(w29e1Z27U<63
zYp}=6d(=w&qfZia0nBdlP3lb6G-k$0+=8Zyy!fi<_xa{=qT)$I2$DxMf03xvobL>f
z-hX>8#@cKr&(Q$S{UoIb*GlIhXwfS1gySnA2bc;*p`6hb@0rr5#@0Tu$5tENYbZ<2
z3(zcyp%>Gx{X8qodJy)gRx!0(Z~A;#R8hrKCCU-7>veJD@M-jjVFJC&evkt#5KBF0
zortUoVLAe5148`npmBn~roh1&{Z?jqLvp$Cb4|*RfOoP<g?8d7y%(}Pke+>Q^z8Mp
zMqPk@QG~zmWpLvTrrixgt)dUodl{K5!Z&(0+^ty+V#BA%D6)_lfZ1Iu;BA{3BrM~s
zUG>5e@jJ`$328P=PfDtri)AcH`p+XV2e`0nIH=!{qXsYIt=-_giZ;M-j~$Xv=D=<U
z5x44vPkFT50mq>FQf3rJQT8$u#bWru$X3ZF8G^%0suS*#^x|f|GsMq0wBd24GJKp#
zQW=HIGO}@G^G9;&|MT(m8y5<zI}6H70}#YV@$k*^bh>ZmOZ$(<jm>sB1R{_pmG&46
zeOR_fIR`)wt{@vgjQN0LdVDXw(uT!Zf%t#Gyx#_(s;iK@oD5+BLGLb9+Ir<V(S0VJ
z+13d%(QdDI#6dZ}gAx{m9_`d{JXf|iZZ@TBR*5PV5hoC9pmUPwM>_V!{z|2Gy0ss}
zKv_fZdtqf+#pQ2Y0#3j8I!U0jvpyL9^jvIDj+SbnAUySAB4_2)<<{-*mYsmuWfB-U
z$S~z`GIep6&D02z`_q>yi=t6k?hzCgmrpJ4!0N6juq*^o)-B<}><@n{H3C~pyzp^n
zY9QT*HfxxqdIi=0By!@Gd2Yi9Hb|SzSE$I7($>HI!uKcSy^J!MYHP`3DK4B@Rp2n|
zXuJQU8RoVgFj#BEWf^_~=kA=yhSNvcX!d?j(qYlQK#wriH7zkMzcDvPnrdq6YkG1&
z55&rlDj@&&l7enWB<1NCbIlRb_12~BL)&K2DYU)Sk2>zXznjIex%lr*6aLSeF-7=|
z5-8>l0-;WSm@e1fP{qSno4oyBaUW))A-cn#Dl0HY5Hb@2F$|743i4&4C9<8y{#rG$
z{=EXnA>rjQO(cu9M7<4~Y4`DFVR(q`-2+*<Sl@t9*7B!AB}4$MI^ci%ncJdIhHllQ
z6Y5*{_q{f)W}aw9-SO_dL4602nd$ytn$418Yk};3N36WU!BUZqi;Z>?KY<KY^FME&
zJbiv56u9|%;yr+rs#7qRMe(1(45^T6P~MOHycn>iUK5b?W~WsO`%nN^V1S*!kR~O?
znVlysCF6{>E{XwSmgD$;9ml>*xMC|vSkvN!D_Ut8y*Xk^N@^LV5jVq!Ka4w@Z<-zl
z(N0^9#`$PKJZm_APl*}HVm2>OGea4nPyUDpUxBH?@PMdtB2hC62QUfx!<yRvKNw;{
zAF`~HJ0BRrQI1b-RPX!l;qPu5=n4FJhw)aIHZ=row9go*i0BviPzlz0<7?}cE$6MQ
zCI#2R`ismn`vmacW^p~R4V|_T`h;)b<F-x2a3eO)AaaL@y@(F~fpqXq(8YzP+kpHA
zS}s=OcuKWR<HO*jKi~K77R!>Wwmw?bQMNRZo4;r0#VbqY-bq2yI_&n^Aaa!BshyQA
zJ3od@&tUiOGSBVJolVG>UL?B!3gxZuc=2<LFn_yr80LM@jrSpOeVU&=J6}tb%TI*1
z8`55)Q4MlPz?z;Zykk~<DLIClsLG~KoIp631_Nt00_xm<zvlWdTk*%ji+_VMHVHuK
z0SXW;<xdJqhdOn#r`o*SX5>0#Obz`Vc{WM?bJ3jGW8V`~$e>Ld3Y>t`c*0E|*tX$1
z-oL67J#(^QN);~Uv4p)ANz)SdXgV<fYxkneyA*5q|Ly|J1=yj;#q<Sna~P6SMYQWh
z{A(Yo@G^zO+iZwS!$P3kKOfQm^uR|MF60!woALeW{iAy#_AJ--RdDF1IaCz2zqc;i
z1`^gkUPz#gO(JKBKA{nX9);PPZw>O^dRIjl5gvrtvNvwSyzMUpgs|?XZPSVVuo#NB
z*8~x?7Om&k-KA1z#>$2l+5ZsG>0V(TMD~5dIXq=$xIl~WotEzvNSx3IVoF1~6_8)C
z52y6snkFYM3bFDlvY@0EzXVRH%oXXai`O}y3i)wieM(a<4h_6xucAo<auk|s@GS1V
z_FKXTf@Jtv70t2){`90?=9zzl9J}P`_ax;JVLty$2CX_!UdX+I+5jxd3QEe@@RqQ(
zGM|N=?m|kyNF0LQ0-mzFek|1>b>=p7uK*kzod61WBvIU21+UWsU)DZVCJO$P@w0Y4
zNGd`~t-_nen8BA#yc}>IVKn$dk)_of4h^zZD$nf|{A?VOcy+#le_fQ7%7@RA#%|mt
z_IRS{7d>x~$Sk`2`^aF{<_Us@h2uXrKNq9jtcGkBYgYijf2nub@ie%OG+m}$z$C^k
zm^!Vt>SKXmlVqE=zjSYb)QA;upkrmz41JS-5!kNx)Z24}e6DxzrvJUaf92ozfbK4m
z!u$7b-XzuI`Fo$Mt!~-*Fl1C#gNo$%gxYPy0u4$KTjCR%j=qnjBOotOrzerV)@J@c
zhB`}RlvAcMDgC>e-{UAwcgq+1rK)ajn=(zUwWTSq?QrfP_bkyRmJh@uS?DNeslshy
zW9Ee?rtU;DoPhv6Yb#UU2sint@Ep(IzxBpvhKBz2u;y2=o<4E73R=)&<H@U0e7$~a
zR(;~l2=*20RJ_wr4USk9EqT*fn8FC|tRqk_LQ1cc9Tc@KZ=@~7-Sc||>}4RvqFFp1
zzpP)pW)G%#d?RgIau~|gh;6NDp;-Xmzp?CPn_{Z7qs*F^d>gI+a<>NlAp!bqZP-?&
z6s+keqZ<qKlfpx3EFQKRi7@b!?#WGf*j~+eEeog7hgaesh?F!f8hlYCD*)5*I0u!5
zJR+!)0b%z86;C>qyo}_Z!PQZE?zDEz%$m}aZsd#jhhfKb>;+Nny%GL+2zW_)^gHsl
zQSoP0qs#i6znd}iJTpdg#6<}bN7+~?{_c%`-~Tv3amr@O=0o<LEB=CziwpZ<eVKT#
z4fyJo<nXN~^^HSVsPfBH-*L~p;yl>t{CRX%9HFkP5%0LBYk#m%BPeU(MYOSS2y|k_
z0O{lXI!f+;1IN%KmC^q9BE>FMKl=x4vgJE=`W|Moj<VW69I<>;*~x~`(RpAdubu_^
zE@7P5<7Q_bipw(>v1J>&LfyXu?__rE`q>+9HfA1|@6eWXHzo2c@SvMR!0vMUrp={;
zDB<Zd8>(T2n4zbfHQJhupysH*kQz`9DicoluHaIr^Y)39$4eRZ7@Utr#Hdn(8ea{0
zK*FyF4n2eL03;9qx<@F`fBX$*++<T_bS(_DJ!CZfd8^D7zvOziFGdOTfgYOUIz}~z
zPj2fp&Kf3Odh!RbMJ!mK_Z_Q@dg&7VSp=a;XnoKCA?5y?-~uUt0XW#TQ*U2tmEWvo
z#unoIcfgpI`>}rcsa#EG;vj_tM>p<|NeOFe;e>+>xdB(?9rs;+g@Y;~sufGoM{g%}
z0a1y035dgpXAf%JCPb*&o>uNXtH0Yi*RA+OjdfG*YYw&tJ!&hev2GK(njYPHOex*K
z$`NfT@GL<!{z8va&=5#}if46Sls6`Sdr*D@BX_Rajz3iURk6^OB=2}Cf>daSJk@i5
zx*+eM%Uk*}!W0{YN^#x<354p)m_#02KkhiA(bX&a^ckWj#-q26^Lv^aM(?At5!+ez
z+D?S4W_~C`_yBnWPGz;{q8uy#FjdP-!$UMog@g3kfcPehrca+2c<V}EhZ1gPxdBjL
zxF*vD=aKY0H5_~%zd+%;p30<U6r>!{N`2^CH2JR{DKi?9kH85T*}jHX?tJIMepxF4
zgIDU7(DD7^Cs!Gf>{=x1pkR7*wPxf2m~f3IF-n{<#(68d2I&GAfD%t4Xs$8~%@t(=
z=y2dNg0&J#u!K0CS_u_tX;Zf<T~e|lh^T2(00y3>c3MA2*;UdM1GjdSU|t=pP>IOx
zhZ@TCOwzZc|2*STLnZueS`eT6C_`=<7x``W=DP$rMRCxNVrFT5;^m%;O8opZnkQo^
zMNhv7?LESaZ-ge>JWD0!<*V9Hk61oOeoGl3vwg~Gq4;ZhnJaoekMav(O-x-Ii5D>P
z7p!fMJKpzE77f*2?tUNLifWS>Oyy*AH|b-)c{A|dm^>THYQuDp?}q7lLiY9A3@1wP
zUL-(NFzkHbjaCS|Q<_-2M)a9abhnB5X{x8~NLq==X#(W8!W$O(7d>{JL8<+FSd8yC
zf6*rIX{yWy%MK*O=ck!v_vvj>xLhRFSsK(+o6H|C_Pnb9iLz>J3;>1_)@nl$G|`om
zAFzBsiA;#UD^zTMDH>sF=uOO>I+Ybo`~aRhm$Lp2uh%g7fg!1Bkz;m1I>1g^HdHu|
z^Wt^>PM?6gHTc4z5v@5e>aF2Q7o?#>O*_rMl<`mp(yTX|uurIXs{K|G#9?AuvVyl3
z$;hTM3u9p;hoZaPNOQ#cQwkR(8D??AWk<piR2(kfjk%&>FvxSULvhOG!*^xFZJzvl
zLMuraizrq5S&z25BhgjjHy?NmdFJDPg8(A467$#O8}bQH0z_AzI0Li2(Uu%=7Zl|<
z<Me{9v{bzB`jz8tCZ<^Fuy|VE9(VY(Mh!6o0DFMykl;-qVO`ST57_eFTGW~%)T)Ee
zA$$D(fr`nwv0Tw8Ey>Yg4Q@hLzBHj^>D03&GA+rf=k3T2`_?E`tw)*7=R{;n2c%Hw
zmad%ozy$L8-T;Wl#Q16~&g_l6I%;=$67R|3MU(l<0FVm)6)L>nO3UYM7W>AphDe~>
zCaN>*$~aW~K9hcbEFE#gCD9#KpuEu_T{kI+ziO=CUjmTx>v;jNa<B8vE?lM_<Ksht
zQTjvK@H$g>kw+T3qT`x%0aHo28YPGI(ghC&e&zHDk7kLp0_OFs-28T;T)4-0nLe>N
zo|axMXpu`=xReQ82cn_pAf3`;gJY16_P+{NdaGDMTJ{oMzbGNIfGK~L05F*8^$dcs
zyN%F9)JNe`XWpfZ{K7&Mwt}k8F@Q@|$`$_ibe<$~N&X(H`@#G2!*rK;Z>XWsHI~_`
zNaQnXc3){qM2Ub2Wky8O*V+$<9hTnrD|}k{2aztu54Ym`wOr8)H8h@Ip=)2cp~pFk
zXecvA;_VtgFv?di1Finj^d_z&{#aT-ocoguJJ2`uF1|_4w<^bj+q_Uo`1#>I3HbR!
z7kk8qDW6INWJM=)WCt8?wutx=2-Q{(Ny`YS{kv-4kw;Xnn=!v*wB9ByyRh=*2o+P0
zLqt9$<Ipvv9J}Dsf&bZ({<D^exZJ$?9&#TG@E?_M=gqqKN$I*RzaohU-P4`}EP_K(
z_lT?mawu~FT&8fnY=OSrF(?j*EvIHlmKI=W7?q_AMV<Z3Gc7==i4<jC*LuHz1|Pw^
zkqL?gPuN!L;Ld)^(-2$T>PnxTp{DD8CHLS&nXC$gZcXD*&mx#Puv4Tw^kl*TAVJ4q
zkmhn^B`uRbmsewel#{SOZ<3%^dmDror0bP_m!w-QAvKsZ1~fRUn|#UhfBx4uuTfA=
zji3>P6{u@x9sEg;+>CtBQ%r!k_ta8;ahR4K7LwC7Al}1arSZ0;(R-)ox|f8HLaS`)
zAs^vQV3F_deweTgSh`6;^MZ*5tF|}hRKnt-@3Bm~HQvRdx=JWpie~qQFwY})KT}u!
ztn9^=`UPO~o4@P79B+Pizd9a|e!3PXKY+NCPmuRgXR_G!{yTGEhsy6QDVm|aF{!oZ
zYE=^=LU@p+P%+!ys_suWRP{5}@S&B+^I5Dt96{4zN20~VM})VA{d(lnJLO#~_%0p6
zQ6>h~&<!)@Uva5H%?2^b*5}-GP@LImY#=|2ShTsz42d%d<8X}BUNuU9#v*yFOGHpr
zOypmm%mpmrPq|U?DM}lbnAYW&@D$o4`M&m=J<oalF$<qkei_?5P1p_R;qw329s5~{
zUQv#A37uC^33-_#OR2lH%z5Njm|bIkM=g~!HCf}&`$W!IhXz4^Gkn3DK0*WQpy3Mg
zfA56zbAocJXS^+zNFmth^jTfF<B{2%*2LbwOR*n3PJ^EyfXW*(1Bd|3QrChRKU?Sg
z%|~{=sNb<kc4Ur-j>2iR6qr@~U35v^u^2SIg3QmUh$#5TvlfIyo)W(Gr%%Zx1Zt#F
z{WP`x{mF9yJIWCP@tcit)?bk4;$lrGs?!=@@#w67^OGmM{ojDMiT=lTuIMc<71T+W
zlSTBMHNQW`Pg?53Nm7ppIZL;UDe)s4zmOE}&tIp`pi2^YD7IJoQKKC9jP!I74w0D<
zM`jsDo)rpoigpFhm5HaOWgLXKS_G9C5;Nhz!&vCBl!(g*{^Uz}j3pWp$Lpd<n6vxZ
zU}`pmt7^bx!cmtuv%Y9_kdzkM1KoZecj|3bu7;TTu<f_bzu!2D4JpR*Af`ZySCW@D
z<S|L>mK^c}eTr4tS@Fj=6b3667JcHHyIk#(m2G$xVZLLKo!d>Hm0b(oNI`<O+vPh)
z)pL0<qGkF=hJpWF9?HbsPldNVUO29hdv3omP@$z?BH()X8+HoqtkFC5Xb(Dn!8Wz#
z2l}`#aw*>KBZfl-&}mz2qz6TCL=9@_k$Z1H?h=5fi@i<rbdPVWqQJ=OP9GE+`mDCt
zf<mU3){_3-V;D*c7@ciy^rd0E^-N6mRNilvKxGNBW)yqhUv?6{OGiQRzw6tWd>`lf
zHtnmGKz6@Z>QVk?1o}i{2T|q3@qWU?ieG1kKyyLo$_Y^zO%;6_7D~H>b*W~ftmbV`
z1>&KN&!>|6T^kGAI$B=w=qhY9gw_GBs#B<G@;w(Gm4hmMQ6(XVHq^d_A%jl(`9mkT
zd@NNW>#*Q3hBXCd2#l=#k^juP<dryw^hfftm-$@LZ%1VywHS^<;=L?+iiRc5Lr+x8
z1`ruDC6CjpK`P4f5Bn;MsG?AYPcHz+f(Vg4j}(A7;=^S)Yb9`MAJ->(91t#a7&3^O
zeY-DN=yhP-+ysQq&Y-}#fn||C=HlN+F(rt72RvOjwtD0wzXH}U$6o)5lVH@HdYqLB
zL%2HkN?)JcQ+Op|J%~eVsK$i9M3_$P_L68JETmr0Tk`fg&?3(Nst--BwhwFdCX2GK
z)snh6$TuoZ(4WU{TbSV8Cz)ydf*SR}VVCXFGnC*7uAfhR=j^f4Oi~B-y~&v?#U%x)
z`!Di0qBb9RYw|?u*46+z>M%OBdbKzG6b0odAgKK4)%Ytme8N_O{Xk37Pg^lU9tTh8
z&UfA;8E=^EcZQ2O+5=t4Uk@WkN>@Y{Iq99d6Jt4|^$5m$CxgA97hHO5YV{ae)u2&)
z3Y1jOplTL~vR*xQrf#rx??XWpL7$nkyr~GeW9R+6;Tj$iShy|~+InZf@`L_h_+9~w
zw^KXpeEk?O_`1#{?r{W<Zt|@ZOBU%Pp8xF>jcBA`v>D0o-GB2eW<zHm>N{Bj0Lv0R
z4ZcWlspI$U(uN=Op4LIX$U3Wh#ZZR-y>E)5bC*n`=JWg-Z|NxzTUE)?Yk$-Cx1?x&
zcDc^36;<u-_HjPU`1WO9;owU>3d}`%UL#wjG`epaw^eQ=17}nO@6v-Q!Y<EuU2Xub
zaJei!vmAN<<`P!?whefd`Pf@*;3$5u+8hnR4$!ENfA{!c#3Aze?^3Bz5hcQTG}l#;
zFMB5i+k<NVLV&cld)Q|~hpKMYcufm&-5U-bV0lg~7|tYVjy|{8rd|;hfF|<$Uj`g`
z(NPQxjYa0)*d|uv-QM(bR@*Gt(&Tv?&o`*a4+37L52#G5slm;sDTf_W5x&!r_NPZ?
z25QrQRgt#-_#6h~iq2pXrjXOdoy~=aa>1!HigG~);uxsX9jv}KwSar9<mSLOkeBO2
z_AuT^latM{ZtK=yGv4I0MC1IC#w@1l77(-sYg#zgNH{cBOT;*`Xs2@Oz=O<WAKmoX
zKdM%dUbr8&B|Drw?h(?^u9gs%MULv?CLh`W6h;28C&Z|sz8fh;Q@cIQA$cMY_wsza
z2Up4;R6~cdHY>(IiQ*q%gL=h4ONCMmct*s>N4G9@AIhdBoLP%DyuCe_KvIK9WJ^y3
z#xqMO&;YQd=Z{xP@5eAuG;>=cJqiWR#l;hpUye0jReJ$)V@l-N3R)4aM~y>2%HHjg
z{D0W`>$s@8_x%G!Q4uNW21)7e8YQK>yBnmN0qHL3l9cZ5PU-IM?id)(_W8bk=XIXv
zbN&LivnTew?(2GAYpp$4)OfnKQ7M6))(B$laNRR|DlIVh*;6D904>@mJ+kx4^0lll
z<~L2W(zoq_eFhPy_`O3qE7M3~8kG+T?U$U;ykk605fn)8@c3*)_P)85q-;#D-d{R8
zBDDX?9D(s9xy#QU{dYP4;cD?gCkpNdbB6$mi`fnC@86#wOQ#M>n;z6ag4(>;2n+qb
zQ1#6Oy(dAKhdOH70{AHkL<4FffJ^zzqVIk>9;0Xr$#+7{8aE-antwI_V_{x{(m~pc
z(lH9r0x{2J=&hIn@c&%dRBh4hS(42l1Bg%?dBHTl8J=8pnsIo}M!^EHbz;^DOKu!b
zEId0TC%Sg~t|)AjQ2pgUcMG6SytKF=lWe)Zr132t*78>~ArYRX6SYVMGb6z+?TUW)
zs`SOb!xtK3SYXIl6M#ovUm*eW8WGIo2a#z~M%N&=xE#)QDBLDscU%Zc#ZPjz7{8vw
z#&2-0|62v+ez5@@iR3q{d{pi%??fcxtx?vq<(>o5;|B8RJY64UWTQR=F^RBA)3Mu|
zqmP{>^$0eGILxUo(s~cbS%zlc3)av*UXff7yzo?Ba;KcYl=Vl8Cw~)_*AJ?f)}zbp
z`D}Wcb>ie9R5an!@Ke(9UE!d=uj=jCFAI-*6Ls5fZazQ_0C6+Bzq7j_NDIpg%s0nT
zXCGg?xTo5k+dE%DL6I|WNEdXH?1X+_^bMYtP*;%5KE2nILOjR=68rURtI@+JI{3eQ
z(^EyIe>f?41L%yMyeISLs1KT9&+;K3W{eS%fMYU}^TgZ~kZ$a^E8L1im{^)<A~&Zf
z3sqEYs$H>5#4@Zt#KD_(l2vbxmL+?k!B{4}>`o~F#Des`r;wn*6CPZj|2OKPPDGug
zeH~)CI9*txHHdr!)ZzS(BKrM}J}hXt5Rq^1ZvYQUbe2LO(;HCewt4&A?<1p4rl^4R
z#xtvnN)r4q^%4UPoJn7mt6e|asd5Sz<S3`jG;wqCNDIwYbZ715w0c@E4FE9MXRFsi
z^(Fn^I6|VvRs*n0=tx|iKROQsAR5YIIovVqkzYCe-R|ko4@mdY#NHip1LQn@)Ai7r
zR|Flr{kA1sn(8Lt9>3{Uz|Gw0!WbFpN~lPp&e-d$lC1afbU<uDCcGWLO#{-qal}S$
z^$zhui&vY#N9TNwgz0&rO9&gn3Bo2bns-sMdzDT?@TT6L{sDPdc=V`+>;ti`kaNBt
z(OZ7#F2Y$nKJtU(*!z7-gIJiA&-!>@zM}EZ+zQrYdkk9raGwI~$bTAIz|qrcBr^NO
z2>nYbB*zAh$&v7Fq4X!x@kwzJNm8Q$Q~Lex@)`A_@S<hfDv;6J6+qn<ZQjoz#7N*M
zND5-~3JpRFW_z;*Yav3t(Dyl~DBW_^AT1F{4(bvy_uFC$;H3Y4eQZv)X&j}_B6C2m
z1iC4PJNxP?V*>nH2GKIULY+ur&jg_&&hYQ^OoY4f+wKepf{xg!!2DO}c^Eni{9&Od
zo6VLe?xXKWgi3e1S=cZpu~vDg+=U+L*;8zM68fVh@xFaVJO&#ODCVepI@`UH;Z?J%
zGx#TA(bB<BjbAK6)#t5=Gj+Ap?3}5q;QQ>gB{xfj@PEC!pSwt1@wk|Wew2()qIaOM
zN}*ZrsSQd;vuFHBhzqYM=DqMmcgm+eGb0F_$<tM0o?C|3XRZ=n1-WgFiwzDCSsSBp
zB|>77J)FTC4K&3Z++z=Wf<#-D@6S3yYV<IoaCF40e0(UQzITypg1ydJS#!`}H@h>o
zNpW=Iv<APFtxgulZ3T;4F#-Dee=I}-K;@?APF_OX_Pl5P`q!=#tx7yBT&~kGBu8u)
zFyF(!g>G_Vx5H9E$b#wN331;-$j-@tI>h?mOb+w1c*5XG&?NYu2+e(}2fYq7p$$J}
z_f)T;1ZqRCtaOS=pYZbp(9f?MIx@7vq*?!&;Q9zV{%XC{%VC_&x}XrX+H?yiUyS8`
z^HOk)#c>X0;=5O_6l{Rh08c=$ziZoL^kIKS?|pg_TQ)D(S3)EdbRnE5e_rns`zh-f
zi(4gAZ(I!WwY9ppqpxA0Yog^$WD8FD0FUUr67p;)Ip>d@W?>`DGY$)_M;;NHV{389
zZl3<AjV7Q_Oc(NS!+q>-g<)C_>MAYZ%q4PSz+er*1bpv&t{cAt=j_@^DeW}c`-b3V
zr<L`a`ny$r>f<!~J)Ks+=?PCXF=wgux!!jST8ue|4NOkfzbGztr|^NeIc94s!ON1d
z!tATS;fo@>CQ?n9orJ$k5hH`gRR{jC6Bvfj{xcp3+JDFNN5Ii5KngT}v)%{wc)^<i
zs9b~U@-qo-l}_>V-x)8A(9Jmmuu?WjYbZsQ#owjm)AtY|8*%^d&mRl@mtzZf1q9zw
zNM<hvV=)0wrPRi_gnBEcG6;PiBSWo5Ux(7i6{@cI==I+M*gJmGpp?QmUtxE{ZOVUT
zdzu<_6m);@X^Z=4A-NgR3Y6yhI`BL4PeSab*^~773Wlh3e9`Z_k7!s!Bctjdy@Gl#
zaw%(|r8MDsSOB40$qSr99>2xC9JCR82h&pLf|XFXwYKIWIY1i;x7r`8rYp5|@OyTv
zzu8HvmCRjeNQQua1~U7syO|LlSKq-c)@uiGHiGF0<NX~isqXp$Su$%P!K-|p_)SKZ
zSa&{|VNREjdVjb{%9lx!SQ*U(LAhRY*O=!9zwExliAtb>)sY3=PjgX<vEE;Hz1Fbt
zsU)cs%g@@H@nbcs^Gtibm<TnN2kC&wkJHM>7$r_nnoqhB8nY=j{E8QeBi2@-=h@l!
zK#)p&L^_EI1p32G86q?iTd*kLs67HTs{^pizC7|d%R;;Yu$jwV1uOA=z~-Njd2fTL
z>p@nZzkK|@%}OZ+1je>^5VAwI7|dRTVhW#p%K_Ra<aCu_awqV=Z@rP@LH|>KJ3_i`
zNh_pF=r?mK#FY_MV@w){;Wr(kfCtA}+P$-+tktf2mR4Htc~2t5obKOvOn+LB{GN3~
z_jeOQT-C`B2R*t}4Sn&J7Res^R*ysH-~KJf4ddfWhH`%>&$}Ycm)*>^jv1qPIDE5?
zsBSCap_jjrV0^&o4Y&)$F%&WTgj__cJiZqOXvCR~evn#@AJJKC9hBeH-svoX!ZfD3
z#Y}rl`K`Xa+)m;DGRK2r-Z+IL;y#|vbA?94xurGTew0}vw)ngMNEPKz7Xr@c)Ajp8
zfjf;+hvs|$p@D=>RZFfwjlRT@aDKJI<K3o7>|Up(s;T7I#^_KngGR=~^3R2xhf)>I
z6HnO7=0O0GeUEDqiK3{B>pL4&hn;=GY!n+f4gHwlU!mbm3-JRo_W%|q$(9+L7tY@q
zLf00|1>%F;e|iBY>Le;ltob&`>cPkC;n%BxwQ;CftxyAyM6JK&tl-Jlq^3Nhf_1xJ
z&i=iiMVvlbK+hlqJ`2~teXQ1`JU{B@VOTy+$YNx7M`(Jr&Is4bvXM@88{!aIH5CYq
zXIF0sc_@HXAP4+1;w}^%yb~CB#iIkQZ=a=Gnmpb`9a?+3+z1@27=d&Dv?cWDB9DlT
z*;QMDjUY>JJTh_mmtC<kbu~Ihf+F^Ho_VnmwYxJ>{s5ume*KzIA01I$spaOHj}7Vm
zd^+9tR_xD~q8lH(X3tJ4CRf>h22S7K{nxntcdA6+tbaVG_Qx<ed3v7`;ov`|JB()G
zcAQFYHCzpJK4cEVj=8_`Te-A5?m&cD*VSDkaGkXYqfjHUmY@$QI`OUCP>~F`xP#jw
zm<g;PH_}GiEcMU_8|B>w1v?L$Zr_T{L_U&S+Nb_PV+>Q`WpP9j5x;P?0+VANqcl?=
zM|t*XRMs5#FVex^oJKWeKTlMW(-9{B%!PEre|*zr5wl1<43ODf5qs0x2@{SGhVMHH
zNX~-EH%iA`^8e;?p7aAN4)e|VQEIwb4X%ePvIEf5urJd1uZ{GxUZ3WZAhX9;lL;Y?
z20Nc_#^a8d)Frm!5L`BDV5k3Xm&{2z@H$#$acpS>%lwSi)!4@<irP`|%G?@WKWzJd
zdjU>B)^A{*u6m^DdT;xEM0yhz&^X4h0H6|DZdk)H1H+IW9+e7Rox?`Hq-lPkG)Ah0
zU*%!~?DwKKAmDEqroX*w=7`*w>*YBdJs)6(arNFK=Yng~Q66ebiMBg-^~6a286Z2h
z;zwNJYpQAUUV7^M&n-M(NuAx3gzbf=R4MK!MDA4qJ`|s=blZ1~?3??ArggG<-d@PM
z@JX29RjuTbxn)S@^HwzhJ{|a0SmAESWnI@Sg8|@74Yd4|U%SunBUeqdY*C^>K?n$R
z1+NtD*DWWD<}of%Eef!{q1l0CP)A6AeG}$e_0>5q67FJoMJ$avY^q2eSNoj+d=h2V
z=cViYzpE8z$hcY|w~Q)du<MDMw}#l^6Q@$~(tH?Haa@e4obdtLBcATtuQLhS-ZvPS
zE!h=By^HBv;TWpw0hc5PZFRh~IKlMWtq_Z3J?t#o_p+58TN#aIA$U4(8<<ZPWesgd
zlS)2$o)8eMC)Xo0#X1<T)(X$oYjLOlozK*JaT5S}hD2}5I4P6;8hElg(IQyd*dY`P
z34(n?`B8n%*$KbZTKq4<OeNYIpZ!{_CT_^X@AsW^o^dY6P@kU@7L!biLeW}Z+9E^G
z7}>EtZEZv!w!fbV^kW}WuM-kwRd-gVtu~qdyMV+_NZ__&Jv>eEgU@Tu%4%tY)0Uu!
z25Za$E8(OLY}4$FS8YnUa5W;*#-s3XEbm0;36Qhw@=VxPhl4Fasq3v7NdeWU5`A-i
zyqoro=i>>50EkJ+o5M5#egso}GsMFkCS>nL;P#j~xgK!0R@eGqf7lE`2W5wVT{~iy
zvvAq7x8d+3M^7~pO6bvizcZKfgF{H&5Jr%ODHHG3Fe;@|8)SdK7w8U>%6i_I@$nsG
z7pW==po5r&&LcOrNK;X{y;J$0>CompM?V*UVQ6<{x7H6ZG~4OkH-)jB(X2(jJft)Z
zRP`{{6LeHqiQ4m^&FrO>9a?Sg(&pQ(D}`F?W}2|=jiOUn)R22uIx|#}U;NpH&2@M;
zA?G7k@z}e~&OfruRv+*6Ip|@3{cY@o+=y+zB-&GdliRlrAjVrlAtGfbmb-_il#yxT
z)njC?(c}%bZk#aSMK_G4vRGt{3c{e%I`S(X{Cg9<q!q~M9G_(p2Y2`1*iI^rHr8VI
zvAD0g+6}$CPMy#8!`z6uiSEn$=C&e+7a8ol(~ys#R!ff9H)CyXIK`oAEf|8mKj_j{
zdNye_=E0sn?`~Bd`4!af&VDfveTiK^Xf`DqK3~QcWBOBRx)dp-Q7dO8;b4sLh}US>
ziGiF+V7zB)2&&g#+-3{==2}8QB7T0q(n?j;bH;I<n2|n3CpA?T?KXB)W;!@SkBDfp
z0Ih^Ln0`3>H7Z1jyhX7i@FP^5O@t*N|J(AGX@ymgmW{o1jGEHL0*0^f#vMCqvJ{D2
zlD{JPMh<nXGJW*9CtTgh&?0Q8a8GyfCXa{}DM_X@>JkajjW^r^@I-I^XWdtFLHbb9
z<qrvgoU1p4L{!<&YL%2AIwX*Wk+N9>ZMm_)uQQ9T+>`0cYK^$mc&w|%j+Nl6<h?o~
z(nQX`dlM2PRutn(w5LZ4C27u1cr_i|iw33uBK>I$g>Kl960J#{B_|jSJ{6|n4qZU&
zYyIG0hN~Kn@?`+9%mXYBKYrs&jMi#)DfLh+?QfRv9Nqb{76?sK-01zj{VI2;N&pKx
z;?V1AL$xt#b*JVA2<PhTHa!y}h%<`3ITYX1Y?5TOIdFUx*{!!F{5p~d;qQ}NL7#wW
zJrP$~8y_vaqA5RP0M{8Wl>OnQN@PeU)?AY0DmV|Se;i&W(O4z5<?11oI5_*|;GQ-U
zw#3Ez)36(2I5vufCzL3;LaaU~L|$^<PycLWf4WCq2V$_jb(D&zbT;S34rGJ2O?f$2
zD#w<fE%Mj2g_)^s#MjF*r7#0H?BBnZXx+?^=7W;eXw!r)JrTXxOdWeZgJEa9+LlIo
zNd81t)Xx36-wteAwOLM`y<;s%k{sRtLR{MtV9rfW8fO-IpK?g!$pBK+R_FA&;5p*5
zfyoA<$p2=Ij4Imxgr@f>3`hFHGY=<`-9AEI@c`~cl_ZI1)Ai^&-?0`QPWM`7T9-!I
zzf3ZSR`F=I;iSnuA)SxYd-Zg^T7A4G7mZixa!uJJv1x9Kh$$IeyOrXjj-NoBr9b_I
zr{Zb{K~+$1-Ca-`&CL_|^LS+XT_Aoh{*J~AJ+C_8*Jg;a7hput^HEe$3qIcXnHch<
z8J+&SL>GH=rLCRxXUsjV!sZZC$)4`N(=U=Nc-uRK{Wy5^iQuC^>CuW{OrzD(2>CX!
z<mYbObdW7A*qOuDKplB-KWX||jMk$-_RYgl<ST~AxP+)(sd@_L)4Q2ToDDcy6PE15
zr-SrL(?rTr2FQv)Lse>^aB%wx-{6D(2*0M4xR!JBiW2s2P`y*EytK|LpU(-Gkv*0K
zW+i`zSH07?8n!{VhhJLTuLR1JBJGyB&p)2@cBHCOdWqNYI<EOA*nsq2E?zvj5c1N#
z&Le_YPrYgPV7q{9F-ppnod2!IRI#T|RZY>+=-v(PKu`|#Zfli_Lxj(ywJ(LVsyzRj
zPJPIudFVF16u$11$^Q!I@6Et#I8NsY4PxUf?B5McMKR&iZE4cNuza49j43vi8*y>M
zmVcBm)m@&Y@V4}wy}be*3YU98$=ed64o$shb;QZ%`@u!k_WHadAxvP19sr}Yndu5h
zu`!=eRu&~ySl#rGHvW==KAYvQ0Tz_CSxHN;r1lem(ZaBJ1G}lJ!CmRDuK}}xRG`LI
z6n5Lor`;jbVz=t^2p3hOXTQ{DGwa~<UAWI&Zf#n0I#!|6*gx``)S`n_?_!5FTPhl#
z(lKC@E?CYy632|(6@MZTBe8sU2BKyPdvvaSqA)4i`UZRJe&7fK{z~Rj*7pk?v(WIp
zGGkV=Of<uzep4=I9z}~#f4}%E;fac_ZcC4G>992$zR-mF@i6Q&WeqgTgc@c;i|~`o
zjGfdRviUk878S1yDquWrj}jqH?LN#!#jh&TtE_URj~3dku6e|un@-0n8j*@Rh-5Xo
zD3Yf-d`{s@C(Y-bz(AtSz&^9k&!(2&A`I`h7T}7r484b^u@6Y_&r~l@+bO0t(1={Z
zfS2(90i=jw`y~+_Uu6~gKT2+IDAqZ6U^cz;n?7_#s=|={cQFadUeF+c_|}N1H4kOj
zckUL^Ri}X=V@1NlAshuIZEs!AqN_T^#{MiKJt<+NoO2G#k+;G6$IjL7$(a<rVeH>r
z--{lr>6b`KlYt)cu5)GxG`|{-fU|glluh$v$v1dhNHzVYoPX>!M@}ob_Ap{YAFeD6
zdm9o6%hzgxoWFA}6>l0<@Q%x-8%A&B=H$9|rgCeT)ss~YaI<&~G@Am{4?|DKW!!3Y
z-K@4mbaCJ)tQ68gyNzzbIT_Q@a2{tbugLPqrm;E%!K+_d3{EKTj53-WI3khSy{F<6
zjshd{HHEt+0tVcB*{70tt23h7S_f9Ug$h#eXUTJX6%=#7eTi{9JXN2M?6%bb2^X!$
z7GMg{wHC$GHsRf0cThNk9bQp#6%U}vF0UXUKj|BSkVpOhKWx1PP?TZ!2daXEl#<ed
z3nD4qAOh0O(%oH4r?h~yEZx#2-QBfFcP-sZFMZeV-v7*<&u@ld;N{(6d7g8Aan5;O
zpeMcRTp&|@q*V%;%BMNBO7tb>DomW!<zVEN#&f{)=xtGE{TL647j3jDHvL6O`^9~K
zJzdx8j~!V8yFx0~u>9{h$!>b}tS+gA75U$TH@s%7aZlbI*cX?;*(E;<aGmZr*$i0K
zk!pBwh|5ljOp;Smg?;`!CHzkZ0=0PMHN>vM+|El-9~<+0d>w=H$#~ImU{j7lX9lU`
z$wuhgkt&h%L4I&by#`xF!prnXZ)f-mO7h~z!%{ON4KA#(*X<hoIQ{-l^EK`J)e=DR
ze*Y$mm@ReLt&|KiAwj2DoGbNP!LQ+LCjoR1?Z+vo9Zw!0zhDh-fb}!n%V5}g{!JNU
z%JfKLe~9~2DyvBS2G1`bl6b6C&~k*mW*j`4f2V=^n!EqkR=#Qcu(nu$^gQ=UMXF#h
z>9+iO>PC0Vbppe#+Bt2$;0*ppY8hPNW-sh;!07=NDl1c}Go;707^8^@Vg>DE$ah$S
zqw%-#sJt@RFP2Ru$lHp;9JAx;$?F<XE6XwxQ9zO*s&O#+G|HcuCX(^lgh>k4v+P5M
zdw-d}A^B-tV7#T=6Rfj5gdkOYvbW_6_{3vKC4A^~xTLOFIeXJS^x|5n?-^58d*)?G
z>|6ajyQ*{J8-6L2ps=kRM^@#3@9%9kT(D@8;~;~%hHo<3EM9S|0MYQ{e9c<JGhS1c
z#o2VCZxnpYDJBdLLV#=4a=zpzIxjBqv!+PHM#IR%H#2|34sPlE^9uo$FwuW!qHSS=
z+{hknljZq9xSok7R9zd}C~2CUEH~J`g=IgzYZS31YX;#=UM0ir{oIs~05d?$zt+p%
z_?pl}d-BiR^eiPZ=DAda&YVt*KwB~)!6EHTFh&#ky9CfOTCdElerc+VVk~@mJJ6J9
zJ^v_XS~kGHQf8--9II4k?(0({CaEy5CSS?l0>+zmo1DF!gYDO7lJ{okB2F(YJ-)Ip
zhvi!|j(A=D@Kn>Eg@j>f>OH~4=68w-RRvmC2>!JH-uh&<Vp8)-L6xa+H#x&(`tk@<
zPu1fgFy2lDS@LTMDuF_2x;W1-*d3EZ<ENZAXp%ivIxTMU5!H`<#A&U+Dm})syiSGu
z2X4n*e8fawrMhN*i7Q0lt@&5$AN=L^#&l)X)+aqLJilEIFN6i*bF~T&NH*1#yj=QN
zno1;x2{Q-(-z<PBz!tV&hsQa_8?`v4(OeqYr15>WE)xosY}?oTJFq18CGn-&^uQJq
z<}gB6&f+_g^@Ef#5S-_`oyHd2o-EcSkxOmf<ew1zn>LYM=|9yPN?C3j=Ve+bLZuFC
zYhd?yzgp|u;ZKrP0a#N>tz?I6G(7*#=oQNO4@>HYhLeu2mwHM0iA%h{))9{HG)!ps
z*7&%KBDv*k0@ybe@ojQqM(_v5B6gz5oVZPYf(I&ovOAz-1k7{2GB<ehvoCX%l8(P5
zm5_HCK#2WQY(}9hO-_JpGuU>^=+wqC$5M7%&{#U{4(#kmm3Ml^W9iYfJJ7%ga5tJ}
zj2nN=V#nX5*eA%I!jRU==$$l!zY#jzL@d4I;ZbmR_|xhe@+FWtj<PK`(S)NT)0J$)
zNcw#`dyMJ#PzIJZZBpuc7?}Ah8y}0EV90+u8eN>sE0lWEqCV6;4E(pei4&4~Gl)F;
zdHd;lbwQ5L`uAS9O2&&@RJ)UWDhi|i9rJO)1^mdt*VcAc5~Ha$-cM6O=Hv#wE|UmZ
zG=JauE|7>Gk#~%XU%@mpOrXq%(8%d0l;>w5k#>Bg+6#R(+i0o6Jl!38veVV`X`~vp
zT;lN4Ci%0F(UX<J$HN+{hR(Q(FxtuMdFS$`XOB)~{SO{URk9-+(B<DYXHDXOU+!Gu
zPALdc+CwdrMqP}K4aj};AsLi<Ng$*}Q%tJr-ioy7I$%jC(yRTff|Sdnn-&+`+D$Ur
zMR*4K@6B9|s?z?_U8Up_FR4h2tLhF1>yd0w>G`&2f)c}e|4!-7=Y{2ebTOo8%ZpZ;
zUb{I89fCv^qttCE5@9K~2z&2t>*WKw@3#VdQ9}EeyZRR>jT0{-!(K-(%^ZaH)>9M<
zc+HES1#-JhYEiD&;zWb?jb?1a3(MhmPQs!HF`Vmmk+V-YX79LD%*GpU@R^FFxW(aN
z{fs%E^Q*^0_XZh-Z2T+}bp4q>eIjJgBBoz`?8_vRZ|&*3x}!(0T4tpaO}_ZL?YF7I
zyuEu7^KmM_NGct^^{X{boN=!Ri|DpgePqjMP8`Xq{Wz3i4*~f~rowD^0HB>JY}v`}
zy!vQ4cQtMsyM~<Lx{s``zK&53{nlOvs-p>E!VOgzldkSpClZB~Nne}ZRq55b^ZAfV
z3Ekhm(5E0N_jIj!y}&sg>VEGfxYhyk6An?yYuF3{;SRcg%frx4TGbv~3GDVh8_lZ%
z_2z$PY|dU5OR5V@sYm-eKf|%y#bK*27hAe7pL&y=L67oEFB1FPkNtL<*pCBatr-Wm
z9E|wlv`|ssjK3ASd6j3G!`gFo48n;5tBH|;V`D&XeW6t9cbhx^?H}7oP1VD5^I%k%
z4T*=s+PtXUH8&?rcf*g}s^xEme&|m4orEO6w7fA$el3^)>JB|Me@_)$pgz|5+a_av
zQ>b|kADuoS5#pw|Dl#^OeB$kq;`1RyMlRNZ?lYaDFDo%N{k`|H4&(54JNMy-l4K1o
zQ@PmFQoSk2VVx&J5rYL$$2QhfZJoa{5I*fSHO_I}TWvfBz?)s+4tHH#+arZL8%RXF
z?rcD(@G0-B+j)dc(O)HhN0`!3RO#HQ>bVf-4YEnHzby$x5_g_lU)f@J{I+Vt6J$Fp
zN#U>)TfT2?qNk3ePuA2Ex;k~$@eAk{a2UpKj<E5m?Ua2rRtovg8Jn9D4t6-J{oeIL
z5G$1i3Li_LiK~33;8%g833gu}&E5TaQ*FB_GR+w9JWNt@eP{&*tT*}P$snZuI_;w$
zDk4|s5GGX0_YuA<h)j^YYEMQtn&Q96T=n#v?ZkPeU7_1HT=MZl3g9IFyCwhT86j1s
z5Z3VTup4x1Co?JEWARg;oAja=ej?)eYkS{4YJg;<Q&IzC=S`v-17k1$Tk-I3=4dQA
zzRTMiU<338<J2=JL8f)(5Tb_K>(zu4B0bM(W4|rpf6N)ceH!Ca*Lr-iy`M?{HK_eI
zUzh3}MMKDse)fvve12S}rTvL)FF@s2dHC=bFwLX&gEwH!kL%c+PKCJR$4(zFlMc7_
zD}5}?bI8hMaP>4xx~UXYcxFr-ycS%Kv%ypAL-K5PETc>AT#Luq>L*K-PU+s{Gxf)Z
zsfBq--20=4=d=Ul&vtDqHuhJ{qB4i89wNeCF7Ksv`f$5Z591<~i>zJ+g}^sbyUWo+
z<D2P89=@dQvgnd#t#ET1Dd^7i2rYh$hv7zSl|$Bmh5=1wR)v4UY(1;H$kr&mibj)V
z?tjklD1P2P<@X8;B6w_Q%)Bs-xBTl9C|ty6*bDkK>wl%6i;`3v323@<m8Be?STCJi
zW!LKV<UW7Ag`kIgy>v8R_A|eqw^X5CYBfSBQVMKu5!}Z9s5{}sN%=}R5Fo|*5{7_h
z5rkrR?uRGWv_8~=l)+|?w^->T$6@*bucPpBnRGtwWz{CJ)z85(!LHE3ficeIz8aex
zrC#<@CD6;8#>{8=Fl;FL_~Sq3V>yP~=U7jzna#d1LRFsQVQ0Yu5kTg3hZ5|JUx7%W
z(h?{g1ni`Z55-(j8FJO9)$zZ=g(593!96T9jbo3O+kt76qf}BqgSHdd>vJ=vG0gw?
z33Z1=E4)_xg}xK!+h#|R{jDo=l|Lj%WgJ0MrB{4*?fL1TZW2mwFT1~k1rPNXuQ3N&
z9y_I~JV0I5kuHW{UEYNAZp50EGwq^qdpDTx{T<&}ZS@IKohkH$I4*^J_L50!w%cD@
za)?rQ#a0!x*5a~Sp(ayy_ts?zvxrHo$9DJ#{P;9;M%ZMC7fn|q7v{Lil#W^8^4L)8
z^orrHuZv@KTR7}5X)aO-ad+uQhhQZr<m*xhac~EDtVPLB6c0w&V@>h!U%9~^7WtDV
zUYq@O`h3D%$zVvbBrc%urJ76FJDl=8Kw>?-JLGZVZfKkFMYxXRY1<=sPc{?RbTI>T
zkvU|PgkUsk+*fdzWrJL-`;>%=7!x1ceGrb_UH9yLg4Oetb)<%NcFlkW2^pi7`z3vi
zjn`O>{?lTcHGV(t1^9`TnyecA6Z+?ks=vk}Xz`zRMnz~`rpwM#^HmD*4=cX>qffO$
z%Hvao(ZK_Igp`zR-!?ifw%_97svNwR1lqAy>{=L{6BW!Y`h|(Nsz~;I;rP%E^!wIi
z@w&U}X7|ra%*pj8%~8BMmTlLm>YHj2Y^;2Z#^34rVwXDsi_n2>%&RLLs$tyOu@tuT
z;Us0E^#`9F_*D;Dy)JvYd&AWh=qpGxy5cT$aEqxtRrg^YeB|KBf!K6UAwhTlR*6uJ
zHUq8cu_SJr5OzMf!B3+uhC&N|v9UiOk>}d<5HrreA7;vw7*0o}A6u@cdH>eWd(X8k
zB!7m=6_tv}*IP=56h^$1>I*o$xq7h^dd{f(N6XcfE;l!oOJ%<s89#ZR{Qz#UDt<*l
zVYHrRma^Zsa^0&+u^2KF^16!g4dwvHZ0OC}0S0EqnB#d@(KDW??%<zM04doboJ8g}
zuf_QPObB3Ov9~v8fcwz$O+l8bAIN@M%0~G_eWRY_qUpQyVsU`}7-EXZ&mkt<E0q!`
zj%g_M8Rr!2tnXL$cHt3s^9m3X_+FemMH3*#3~HvU66>#d+bq=l`N;rmz0GBq#Dz7O
zWqxkpKGjh}mO}a^gY8J>y$2a;K1a}pmU}m{29BIuI$XI+ys<1|@aRCH2%uDvC=*^<
ztZAYe;m)|mn~(rW**xdE4EtvOEKWN0ZN8|n&$rJV8$NlmjEmWgteeDO%*Y>&y0o79
zbw{7l*wE<Nuw3v^zc#IZN~!z)wWT{R%`AJ{2G=oIvL{!K`X5BtieXRbtf-^-%x+_Z
z=e_Zey(L&PCGPGr_RKs)Roy~wL#>L60y?g3p1n_4am1@f%Tdu6INW4e6!H7vV3Gz$
zifP}N>R5Lo%uM6nL;Wep+_vBFCcv_WOU(UXQsp9Zc<OI8Jq~kKe@1HM_swX2Am^Cb
z-@X}WR*rqoBJ6yo-~+D!kJjHaUTZv`YFWEf4z{yWxyD*Nvi9edrfr9(dIL)J1p+hn
zq+E{$hiCigA1K5#zv^;G@&L{!o6U?DVI!oWzx$JW$qhKn-wnTJ(eYeuv*0^7n>jyy
z#PIf9GukUP<u~D+#ZkgUe-S=1xtbce(NUqt9|W9(4IL07AhsyM(T`n*u*ShfA5Wj0
z-0WKY*hEVWBtA1}k#$I|4W`LxGbgNKJpEg@mrZqE2LY|6bOZ}xdofaYosE8yXJ(MQ
z)t#Nl#I1#Sc`BN~ms1~fr1!q5R{OBlH%D#F*8L5l8A0<{)8r(a8;`+)b;r}pVIuR^
z`=PP)K?I6#*DvkJ=g_dC-!v9$(uIrlL@RW|?Y4I2rO?)Z)9F9){)afmYi#Bm<k!#4
ze$q(^A(>QJlOFbK^JLE7f(;!%rW{97AC#wy^#9~Rz(U9Ad2Jx7154M5_C&BPzd-%v
zYY1}2k2E{Shf+e%e46>%6GpGQP^%2N9a((M?eRtP^*QXPRzp8co=+J$Q$C}Y<T~^7
z9iewDuyOzWvlAo9$uzX{h~^#W9L!H|RsR(#voM2H%nxJ@S5t-vGw$l^xz{JYE_H`#
zM?5AR@!uHVU^J_IX@{?n0i+NHnxf}Z|2;*BWiBz{c#QIG-$Ty)C}U$)g6Icjn>!oX
z$8?0}1M|NDrd`GX;PZmjO8Cj<+!P{{%QEY-ke(u_LGmha?C&8R2j<~E92AVq5?45E
z^ZFL;CBAR{DP3|JuVLZ%VuryqbT6%~@buQJV4#rp3|S~LboTl+7AkxajHmN<0_`P$
znv>+!5fkgN&I%+iRv^_a)3rMVT?-YbJY9+r*I+Sp=M&~)`~8xFV(j_J%D`s$x%yMY
z8E6>Gy35y_#DjGB;-l~^BN-|#MZDHCVi&fv^Dpo<_9=(09lWRCQAmwx;-5o)C;Ig`
zJ-ny-U-gIBC(x+Cv&WXZx9e*?i2)Iw1)uD{3ZkN@9P+yRc2yVKIX+EL0M^=9iz%@2
ziGf&uo0dwe_-%)jMmw|Sh}|N15v*UD9!foUKNj+^YnGR_=u^H}sKM2qkf$zd`ZV~a
z&Rgx{lPlRkAxb!7JQ^yzSNB{IKg^tqf-x9Ld?etR5ScRCOVjdQ8<VXZE)<BV`$o4@
zyTqyXQ<!8H$MyL+|ITY{I)VC|Pnx!+N6-+Q7&30-sYSK^TT*j}?VO>K6LJ<WeZ@U#
z52t0uoY-f6b51{0zp{9tx+K1Q^>==xx->B2JxPTPC7ocs8XPu|LJ>Fq4Ds#S{qL`8
z?C5mLz~}c<eQ3fBW$~&rYk8v&7EKJoI5QSfOYK$h`6e;5ZW++SnC+o4>t8qsQ+r*J
z5|+X~*I@nI>KS{6mtCp|NHhtjy<q^xL*>aCclz$YJ|oI-p{1@&c~dAuYIqFvxV7Wa
zO|}1K=G$V6Ln^h<=1wrIvt<1FMmLG@dSJU^_w%W=BN<=2MQp7V>en!A>;Ke_s@(M-
z-;f$PzO0aZukDWdKThb}QIA<ffhN-k<@J<3&a30`DCCP!a2O99^R~2c;)d06D4r?v
zrkBqkGgMgaz=JXURzWTMyr^%dG4VB_!n0%V$yDLfi>QN}^u5qyv3L=>ckF&<NN&r2
zI@e-`^j9bgc~ZF<ohPX%&|fQ>_|}<WpE`V7wG$k1XwrF1A0*X?64e#i7ObX$Tqn9X
zI;w8u9Z3vBqPArn=&U;g>Z}M|D&P4n`ToFoztB+KD^<dpC~htK6V>j>jKdn%%p}nV
zAry@qW}fu(_QH{KG1T)p;Rz%H{+$u{JGOPmCLv|a_IJuTW?ELy{Q&K6A#qXc%QQ=z
z-|w9GA~_{4Z=Qipyxh0>ass%8o~Ie#UwSy(vUn_SbK8^kxh_4G5xOzk8gC;Mm9X$|
zSoJ)*HtzWEu3Wb(qXn*tcCRW~3%$sMh=NHWCP-rFR~{}N$7Z^$fu+_Qa?;R5F6_0r
z+A)&+(S+)Qz0~B*64CeG7t?tu=1)pzpn95h`^RE@D|lR{c6?kWs&^1)$llP{d&3i$
z2m&_hM5p@ih6wWu?vXzgYhlv2kdx0(=p?nHgag*+OW*u+vZHArmp9$ZZWr(d8+Jz?
zN(@nb0=L-mo1D>3k{U0y*Q8?PdOX68V~fpQCY?T{biMjp4Dw;@i8!Iy@}^gJRGXHS
z9i}42Vr!)u60N_88`>ARhGd6V=N9`T(G(1H*I%*bF?S(0)BvVjcW7gk_8uwgBk}e)
z|LuSk?U)^}>Z#84;auK%Ah#QP*~dOo%Jj|MJr2eDnRb6hnV$X|s<`oY(G?k6w}M<v
zzBt3Ke<wn}$-=8(>lvwhyEc*4Th)_?!m-p9i@W)9jAWl1Z9soJ9-a?2vcucS+)D-n
zmzKySdVq?y?8vq&<mNWMu?!y~$3h{Mmk1ete^IVES2t?EB7hmizE1NnIxA}`qJX4N
zL1DH!Zn#g|AgP9*TyT8c>j=<W^a%JJ`hH`fF>>UnbZ55+lhP05*j1fk=y(#2Z6Xd0
z=8noHtyPJXh5R!A8bDfZVP^1YcpJy6K4PMnU+{8ZIX&nF8;c!}-Ya7I3~fwK=;IeG
zVta+qjn7=>crm6q>tU;jmb?~C2a|<cM}Iq<h;=1IcMrj_qH@0=z?G%<hMi2(-Adfc
zY89o3f4*9$tR&-DraCm9ke;+<MBICM75(pl0bP@Br=*qF8>fqAvC~YxH?A%sZdwd*
zDryl5jRkRSl^?UhLY=YI31=rc3b{fg)Wle4lhdF-m=RCID_*{X9+~DTv!wL>5Z>(Z
zXC(gLf4ut`fIjjIpj~IG`CePCig64wpI*(M8q$1+^MgsIibk`_WSB(T-w2-_J?@?4
zi`}m_K~WaJAPF0(SKZpvyT`@*^cn1wvgxarZ+1i~Z;xIG3%ChhU#2HY>o@agW6}$O
zyl{L*ef21sx(1w`r)>m`XY~nKkOi27D}-B!M?c*x?u;=ti^@(?Cr?Y$r%<fS4sJtU
zhsuwA;;{2;)}NHC@<6JXY{UNuRWxn8ffLG3LYrCA`fC^`c*&PPp_jre@p*q&N2cEH
z^SC<3;(Xnf#HTNtnNjs8$M)U`V;YF-xy}$&0GR6k`kDH&!PXj&+ujm-sQPpEm2b2`
zaMl+vpzU;%&_okjP!VNJLi^~_*4qX$7IZtd*q)G$!x>{@9v&N}l7jVy-YF3z@2oa|
z(bJchdEv})*WjX!#2%rk$D^YqSQjUzwKM3&=g5!$cvG*^6SvS*T^30}(bO6lED6?c
z;nMZs%JT=D_I|j9c>#TIZcVq}H^%Yud;f_w4Leq&%xr6q7n9!DX=n1W&7~7oFF_!^
z2j23h)2X#dNpqVU4>?Ytc(NPQaime9l1v^ja$4c)oGoT+fxe9GCV;UmM4CaA`*g|y
z7&l0gMCfkqj>63>Zk5Co#JNHeK>m;EIw2xH?7e&M#Wz3k2Kr|Jv%gQK#Lp;M;N2S-
zpF{DhRZkO!e9KdAmMDXAm{$_GmXVT0Pl{}Ar4Q2PDMXUK(+a8{MkGqy;9f)e{u#Aq
zEY0J7r7dEu>-7af?dFCDoFSjtWnb9!7l-FB)^mUsw`t||!(n}c*3STJDda+>MapqB
zVeQ^V3<wR{N(70Y9oc$jmgki_P>yxER9&4Ap>EuAF`ht>NS#+5hrH_Uje!l^zH4tC
z&|y?TvmRopu6GW0cd+N5JpZW2<CKR8^#OGX(vB@f_$7bhCpl}NMm2baOBiQ)0;0^=
zpN&^732eK1O7`+}Y*y9te0n7V6d)Fg9uoA@{!YXBxHUcKVvc8-9(ru?;m{3sP|wU>
zt?2n2`N~v|txSc;;j|I8Ny?1F_ZBKPuQ^#mv?>pTf^eKCC)U=tuFaDeRe}>{BN91Z
zQMCuM2+Ty}C*N<_ORu^$DOv(AECp)X6INV>Pq3IAToFX(s=2KT$^#zdIEQJKWZFD^
zuO9-2=~|k4|Bz<Dt1oHt1EjKll7lr`mp-euYNo&85$Scx1Ipz%<7t*tfHi{05{spQ
znTh|Lm%ffXR5lgB*5-Q<7Hq;22g4UvqhcoQ;DT%(fh~4Ww~vLvy}QS4p4f*L8_;PU
z7P97bY$>xN`%2X1{VEHMxHau)o8Igp@00o+DWWB+FwO)u@jApJTPUC=ZpYp4e?P+3
zyt4d>PTBSdBV57`rfhSH)u6Z64_9ovEvo1pQ>njp5R6;jIgw=?9`h+bi`WzvZa{CB
z*vedaYfc+i*`4xg)yUo+b~fMasTscGehf3!_HBc>!Xt3(0GlA#er3t#S%MG!GdU`5
zh2s<I^huBPhs&4C&#qUO<ayRMYjbClGGxm58Khuy<m4tGlqXo1MKAAUm87`~MMGnH
z6fH}Ik8^s&WFFCHgHW9L77^W!-b}%j==@agCvM|mbv}l{P0Wh`g^jf%TbsjIu+BYk
zd7bY+M`$tD!K)>I(dAxM7;JjlZBF}Xmcx)K6el=lEh;^7spjLzUM1ZL7E7szE>a8_
zi9r(#pD_1~1;7XG^VOzpXfS}930-B>;Fm?E{>4+Th2GLOwuCLx<kC-fp;p6MHur@h
ze?*DfCQ|o)&IUiD)r2|2tqPyXm|`v#C^31{scH>Y1vP_TeH!gLDqQ#2I(qd<0n1R1
z&)Puqi!bwk>on$fsDj+c%Lqsn0$Jm*k7Ek^UH5UrHj>X0arAv0*q=uS`gvRb=nc?l
zc`H;}2HLlPorT`rX-IFw2UBxPHg|m8_HZx9j#tIfR|m&%<Qz;{<>(7Gl((t~<Pb~m
z=WQ<>_M`7wzwxtPy$`BYuzjW9V+IyS@Y4M)jHaA9KXGek3+*P&d(Z#*1aF{zD?hN(
zvv}ZSbzT&d9(oNKVWVU!)6xnXD?8h3_8d5%eLC~Ji3p_zn>wD)(DIS^w1BKa*yG2;
ztD6jsQeddpSB6Q1e%GlHNn3HKhxTXIO@sb|wwPDJynIyyq3^fI$%=kNS<Y8oR`_{7
z`_}HaO`W2*zoy|q<2YRR^$KeSWJeFt?l&JAAuM+ga5cD?R<IWXuS<+Y#_Qr?(oEhK
zlhl-v26$W9vnQ4pxSuYQa%zK3LrKD^H}sUAUlk}^t-I3Q-{;A=3KC|e63(YZO;T-W
zC|OP~Zf|7sYbWauou+ah%`!7jTAzykVso|CVe<c?bbnML(&UpnQCtV>%qYvAptq(T
zb^>OGSZbM^qsWH_<%TP~PvjnVDN(enee@c|?+%TAGc)D<5PSQ!Jg&wkSY^2Mf8;Nj
z#yQg!%hIv}XrQ~DJQ+ISZKdgZtZ33=T@L6H`k>$Dhqspoxz-c%6ZJh-9STqO^Yf!z
zj`Y>zaZOf<ml-}gcUm2~Y6P~qI<TkMouv~&2<Xew@&aFGG~}f|*1faOOfkLCYB|i4
zd{eKo&O%Z9K=E`7LH1{RJ|ayqH!0$mnyG^K1|p}9P4Nt%3B5kv@2y%xWzp^V#Nfr|
z<Po3BHC0{vVI=Gn?IbOwj3;$yPqHIZXsP`W`y-LSvpPTI23u`BHye8>G=Yc3&%Lbc
z5bOE<Y$jPpw)B1XdG4>Oyt5Ore0Qbn-$ncbf%P?xrc|TVCpvnZ=9>6ce|~KZrwIGB
zP)5san^(x<$}JVnv&qIg*S(8i3DQm<)ysgZ63L8{JzeeRZOyls#j#Y&KHYZ<2B(xU
zj4+!$m)vodo$T3BQVZ6`G9+rhHXs_TfsE<Z==0ag=S>%!9Q-O;867?ub=dQ?;+-oR
zEjVQj2#;2>On|)QQ6*L<$o#5T%}^$Ayq}<!T&m=*H(enOW+=0QH%|0^Uf)0_;2g<k
zr>#QHp!bi}O*VrTW=}}ZGM#x~B+8WUQ~s;MA7f|LI2y@c`Q7|^hhWlKmNc5SFTQ$F
zfz5n#Gr<1!a}XJyH4BX4B>{rhSSZPRs@9rWGW$8oTmr+J>+7q`jgdYSfZtN+o7iep
z<08;}J6Agf5T@V4AC@c41c6{(9xf@4ZOX>g%j@d9amCNxJT%`SjBvZ(p3xw%OB$Cr
zJ(67HcwxM&=Ms60vQfvePUGORwx4^$dEma=ULp}GEN)hAe)xji$3?(Z`@?Kv)%`Vh
z0eu^)W>p1x+x_m>dx``<58HrX3)ks1OU++ZS8U5i$`<w)XY*d3-)T90uZH#`@a5_m
zQUvT?=DoIi7!UNBLe&)j?XszFPcUR8`dez1+`qmQA<7h<li{;I+aT&oG><1nicps5
zQ@M8jv#`59jZ@C<%3FC4QZk#_QM!R{`0S<(M*Fhc>HC##thle$sc|{q!q=v#3nYvI
zY<zKm#8xpUK9jZ!RU8diuD)E{$Sz%YkU6=gz+8gbd<)ZgxpP>}eTx(A*T@95y)O2`
zqKSRu?-SOo_?j6B9ojVB8s#<0fF%SfcT*Q6H&~U`ural8s%n{5UF{rfpsfY}zlS|P
zPML`Q-z>oYKSP(Z4)agI{$G#DYz#N0Yu2t~hHg1Jt|acKjkT3b;HRm%Z$oMsg<1Ne
zGWd?0iz0{5KVoNQYJ)S?p$NDQQc1YEyi+kLc4yN%5Ll`$3r>~{(Wl7Ja^uPvhmWKS
zx~I_#d%FCPtg5=_kDak7JBMu^Essc4-=C*$96+RTy|-fJg1oUGw?@&;s1d1T1kW14
z6&w{3@;gC+evG7is+;P}CZ#1F?Ko0&C}i_<enLs<w#)GGODRg8K0A?xd}g`FHj$#<
z1)Wi1U&W7--Wx=&zE7_7VPXi(`*5=VtGRdhK%#=3%|-N)Tz_No8LR>S@&5F=^Ca|c
zEQ)#7hUQg*+9PLX@|~TXG05#(^j9zsSCvJ3XpPT2R2$EZ7eBee+w8pttlPYA94lV+
ztAx_w)3KJ_{7T1hr{`B%C>bA@46VAmo+)!IfVk~G84IBoqcf7<rH>z(dIm>BXC7bQ
zxp6yr(00eJ2QLI|_sYc56OqGCnZ@IVWo{R`P{qN;YFfnk;#}rGRlg<VYFKW$JmHkr
z&?7{yR=My*Eh<5;G($zftqq?o^&ldF|C#mu5E!oAX-~EkFk5tXfRq184zz4vdChU-
ze!p!8#^u!$bo`H!JUKe)-BI&+?6%zA$XoA_7GO>Y^x_LE;Pk!sG!^0gOkHw5$CN&W
zns$HCtfHey$MRJ7@S5+^ms`KZ?|o4z1V^t;(RJpNoH8#`f#`ZPj!jl;XEz3=j@gA(
z(LH}E_a98WOc@%4=Glq1K?I`r_53-_*@>zWp*|WqMSE-f<JB|!%%t_rxrzNu>(Q;i
zVXE`U58TEngsV4^K2jj#s}RJS6l~U>uguQK#*iTs60E=98T_H!T;rssWYYGyH#$(&
zv-)I)FUO7Hi$<=Q{|m+T1ng<IIx`Tw$5TPx8fBPdQiZ}SVJRLD=v2>K_)af#55IBD
z2@~*G?m18!R^zZeMt3@4D$_}pJ3rvAFi7EEqTGT{;Q6>Oy%P4j!5yq=v&;H358WDX
zUepNR@i-4`th!WZxakgUhI!(z+&V-#n?1aPbh&!c#i?FOL%-%FsJ2c>*E5v0a3Z$Q
ztP`j#_froI-wK^Re7(EBv9QpTE1mVIB#z!NlKgP)Nw`?e()2B%$7t79jAF4)!sZ!m
zh|(f3>>t)NQFIKPd+l&K&+jR<<Lv8UQoN5L*iaJRmzA0rTF%CssN**C1v*)O88?mD
zcBg!^_WaO3zrcwE=jbS_d2no4RGo*P{3CzrET&V6l+T}DeF3)b2*G%F6C1bo{9VE<
zt1JdW!p5fZ&rJ|Rm)WbmoekSexMIgUtI#}vWW^)(8E<=fpo{Iqou5WHt9xOcdK0Uy
zxxuZeBs{#0J=!1ChuiV2nduSsGF8D=1WeO*xAf8}rO`?a{0o@K$$xjyU~Z0qHyhXD
zzWK^vxJX44seryLu2%-v`>05chm1|w)A5IxmgxWMf)Bpt0b?V{pHnoI1s+6L`d(gf
zB)9k*&W)8UIl*P3uQos>_xA}O%SX(AKl2M74!xpf$!sf#ko>ZNVASVZ%cSCuyV-jC
z0rGm@*YxMHhfQBjZ?odZ1m{HgtYH&gv-EAD)X{#$fqgL%IPy#mwswdu-23SPFXwXZ
zhGu5At6qVCfK*OaS-i~pTeb(pyJ5<RSqKbQtyA;^s=y7NO+UPMeXZ6&UxX`^lrPR~
z{+A|)uqh9lep?ycK!H+nMC6=$!{2-!p0B;RRR8bnJi#QW_sKVPJjkc@OnuP;as{ss
z_J*?{cnWiPGXj;%NDGGGQQdM;Eg3%ZEK=I*6T6N46;Giio-wbTq2cy;Vyxi+zRdV1
zI9%=bntg__y4oW-i)3@49cn!em*brQo;i!Shv}~LpiO1Y$6d#FGPtXrPOl57&s&Mc
z;vsw1W=9O@ex3eRW%W_0*Uk=>%)RU<3KgDugQZdQG9~mWZKrTE0qg|IRsm^7(^;Fn
zrbfmHb@d<|pEBQ!rPWbyj_$G5q=wTL#QJC(mQ`%Y;NZN572n^FqHj|Z$7yQ&>Om4F
zw05>}urF{GEblM2!nUMKq=^Xp-1S)^sffnf_(y|fTnW^&x@-`JCj!U*T`D(x&;G-(
znpWB7U^D-&&6yLtM<CIB^1%0Cbwe56mFts~-wO&Y&r;jdU1%?f&ETReVEIbirYOY7
z5H~58!Sl!e<^67Qm`m{G;19@^|LaAr5FT!do!0f>q3Zdk(*!jGmJ8D&&%6YLbgixh
zYHe}i$#I`HY!xF2Rp)43^z=42|C!lM@h@;nakQg<9M{op35hOE_?Kw|iGL1^Iu$k?
z$(Y%4ch6!kxJa)0?ve49d0#5DINUhg<(pyK*l%@B^NjhZ>OJb>`-LuHw_VP?L&%>K
zJw65cl0=A^3t&)h!hY}7>D=hDj;7>k#ff}*N;Tu%?U&e2?S?pbghbsMh#x*)V$4Y6
zG+Z5G7zddrkQ0BBbc>H3TbUj<66hChb?iQg9VOkw>b|lpEhM|02t=B?(Y?PvLN8}p
zK!B`Te-)i$9>UIeuRme|*hz#L;expHLjlLa4F%CNC@d`A4#}t1=yBHN(rUODeDJgP
zNSkK}gK{sfy)Cz89ngQ}HnF(9bF@w@|AQ%ezzLD^N6PRaJftMr`@;k&vf?06dU(FV
zk)5Hn{r76TH_SRw724y!=-Bk#YjDurw?{2GaykBJ4Q{Wz3ncB5)s;Kl9zQeGj8*-*
zGl-PVqney4#4Sau-dIkbFtc|AJ1uIJ(@7qMP4Le$KnS}-Sp?@J7K>mJt9rB<j1MCz
zv?gqP*ue7r`f<$WiJ_z7?1|!c(iKG$#TtUZz~LNs8l_2~RNteZhjq~qy{Z=Q+){(k
zq>8qRalM#kZg4R{t+?q?bYO?cxx1@1YB5ie*4!Yu_J2H~G(PYw^YQ%Y@nWdy7xj4<
zS(9aD5tAgdJ#2jUMZRT~muPn}FGf<tPRuuOOa%F|OADKKWcJ`ogbc#UJm`b2d}7+(
z&`iS)Mrki`@TUT8c9B)q^x3ASg3UoGoyu&{V`aGXj8FA0v!^pf)?}3WMo$LpRGE0c
zyF*RXK5V)$^3x+o_?yHQY=9AAdEM;oU%ms64{T!XBgyMTkqTcMn1Aoy*?vo+ZQ|yK
z6iLM$Ym$*>H}Te?;+D2mCBd=?bPn0m%r}c)YA#9d6{A@GZGqjW7EJSuls^D7nu%4Q
zuIID)Yw_4vKv;ejhUF-iwi2Kz)u+Y9C}h0E(bdkTBX0<yZcY9C1(|%A^};|-9A5@b
zOpGP6a(?T90bH)g?#31&gC*$4tFv|Gf11lWyDx0Q&s7`|V2k4Qg}|H!J>_7z#m_UN
zat|5xs<xaoN#nCXo}(fC^SGWmtOR{8DsVyl^6)9>4J4{}uD!Xa6m7Z6fEE1Vt;5<i
z509geG_Cz_kV=Dz8arbSI##`k;mHi&3aQrGh((&V>r|qulc^I*Sb)kes>7bGpTs0#
zRrq6-_FfOg^QvDzq_d;lkO9dF!hVV{+vC3CnekD3R{1L=UwbN;49Jj|<A~K=Q&<54
z>tL0cvRZ}yaG~01>I}E+Qr78Sk3oA$@1^mKW0^YR&uPQY;zW}977;$<wev#vr32wW
zlOaGNH#!`cHl1NR@vcHMC_s9eA<2E|^DNVTcT}8T^S_Z4asM#O0=_rY;~um`(F+X_
zjlGHYy0t6=otNM+vkJv)aHc|t-{wno<WfuFQf0<hP%Mct+n*f~jg_Uy;nSA|Fz66w
zw&sRnF+JBKZyPEqB0W1vNKg|OU=D6~cYeM6>E>YPE7-aYcV79FyQ5Pu-R7ihW8lVP
zMc90}{YaVt)~r5O{IVUjqdt?Isv;Rs&4(?{+-%eCW6fS~XZN=>oEWV~lgjN-QB<Sl
zi_oatnPg(IG;P;Q9uvGs?b=M}!r_N=iv6w4+Q}(WXIHSxaR0Bd6~dM1^`hH1-HDYN
z67tV&EN~o7GSmn+c=c{z`%Tr)qL=5x`paO4*$g8RAc7sn;jRN$SO?Qlj|z#fmq!(}
z)Go=y2_<@US=?t}5ERM`GG*3v<x1rqcZt~c#PM_f9V!c1D;P`kJ91X*uQ|Le>ld2-
z>Qx=eEu3cR%%{ZHe7K?rYXUxQp6WR-Z}yMLf?pjZRsasiMtth)|IBV}>=vOFFpJHO
zEU5F;N_8E1)@sqGun{8xi<qUKc+_d;)50uMIK$c}HIYj9U6dWVfzYy|iJ?-TIt?PV
zynx}VLrw7jr}blL*-7eDcE>3P;6IZWLYj0Fbp;s|hiKz^C%TW_lJp8{>=tMZj>T-n
z)RT+&YnSn}4eo-FPF?chRYra3?EzBS(dXA^XMUnG->MUHG36M?$JcV}=W#l8s6#C^
zYk~xZ{q(^Alm*ciKJSF;L}P)P0wm42<OowGM4rZ^CRh(fp-`$5Dq}{nAh3GR9_#n(
zu?^ROsT*~DDM?&R*I<t=H~~afyunL?VJ}UjBbS+9P;CO=2~TE=m#ZnrQp=h14(%q*
zot{yt{wm1BWtYBymU^kBF}BXrzIP$__gI*r7FlzHm^^!fwbyXd>gMVU>GoyzL0V>%
zqk$V~r^}bu6*4sG+&uhmXkup?Y^_y#HM?uj?sU`0w4oPbKU-4|iZFh*GY?wQ?v;ud
z4~+f^rYUDKX|Og2&Cjbs-X)CBuMioTu=Nc_C?Q~iW42kwY{N3$W+jVtGpByEe?1;U
zR#(PxYy})A?#);fJ1e^%D9`2kl82jk=R)IWxf&(8Tn4Z@HYmhSgCiuJ2R}K3i{%7+
z6yd4|3$8fJULg}2doar6upWMi%W9qP-b&^$|7si*DDTPd-4R)W3ydwqSs;>#Lw?Zp
z#U|HXgPO!OUvp*`<2D(-3A1+B8EQ)8G>B-&`$(QCQKa=T0kZoGL@VNVSrTU={Q;5p
zGY&vpx&7THDISf7VgT;sCq@fQetHx)ad3|7JI!IB6reo2m@T{Gc1&iH2`YtDFH^j)
zR#_o!gYHvX5~sR=5R>RA#rg^Vbh#7=hw|^*;TL;*bT}u+V!%ycg4(Fa_1TN+T1dAn
zWA|z0OK&^W!1Q%e1cT{X*2dW`8~XBlC*a}92sD%+eUoI1UM<7b*{DW@pQNcvR1~v;
z)~7#&fY@m?kM!XLHHP^W-G1v2<?I5L18x4a04eH2H>m4R=D4G^&(Pcm3^81iz-2>{
zKxQ&iX3h?5&J{k^?!iGCS33&>(UNu}rl?s{)Q^;Dsm32;cRE|i5175VU4nR=JwwhX
zS?%VRBt?U@7)a5@!91*l>t{OQUaqxj-bb=4@5r24U1>UtD$!D#0&2M2haj}<e43*M
zS?mL`ljpKJGEN5e*7L=`G^F1bBp>eLusbph4pySsM(Q<bd(%|Mic!ebTfAz1yZh?w
z>Qs|iCmgieruLI__%c|7Vz>tJ6HDte2V0@;qH((C71Dm{1|E<q11hj6IGf4@l>lk^
z`HB!%|A1JU*A*wrEGcn*uMuPPFcsd}VrE51OoZ6N+Ga3aIAe7l3))<#yg<>$d11*C
zQK}~r!nuzPxTo=7b3k1`{;K9f1arrZ1`Q?7EqM}cngAtD0rBA+K6UKO-}7{j`|F|t
zh*)LZ4}cUWqK<$0twQOlR%W3UzV}UB)cpb0S#_u=3N-ENykz;|+)WMs<H&D%-)6NQ
zC`E6(c24JBjKYsHUmCVrpoZi6DnYF?ORIK*KK9eNbA-cy(%HPW42PXT3gPAY5RvA;
z>=JgS{}}yruovC8jmWyYTT+BAgc3()&4$^_!GE`wM9s?UZouKx*EaUO98~Gth39-S
z#b)<*sPf|51Hm5DgJjxG-J3PanO|dV5i-WdHDtpW!{!Kk!?B1Xbjj4(dr3a{_w1n8
zdytN<Y_(ffEckab^abcQd(Yj@HV<cQ54ikODqjEr<#*8pOKdOqoeM^G8B2<V*~(+1
zn%43DKXcSX%>DC!whO8&ImqbZAO}G{%u#w8n_US!ILEdn4S%BY&VrDbw{tb+qa`db
zo9F%z((#i@ZH{9`v?95*@CtM{$~Yb`PKIc0^Ro1vzooS~!m4~b%ql?AxuHD2)Owq&
zF}EHF5HbGKYoHJ_8$Ie^CNR|MrR`9TmZ}zlv;Hl<DJxzUVgNTn?hYV-;3gyUSO$P6
zPMfApXZsB7W9p;F9L)s!9(Co0sqbXvKO|RnhZ<pNb{ssDg7!3`4c0)8nOwg4+{Ang
z!eL0<OZ9xw;%DSPnagUoqNad|iZ=Qp3_dj<LP6%2nf;xAB!hw_qYw&(B@_qC(0tIm
zvc13ml>Lpo{*P)O<JWlTj23h{394OHhYaYN;6j`-N};#;;(+{hry=B$Ae_b)DYm?g
zvc2M-ck!GsFW^$SmM#r_lvStv7kzBXV%>xuqoyPJqR!SgVGGknE>se>ol(?pUX?$!
zV0Kdz&N}j%-V0HE{_i;@-&sZ9Q=F%xJ<<2<2(7uf9qH;4XO_hAQinzeBT+P)b$9#E
zJaPVxip`022b;ROR+)*4#P{6XbHvTRs>c;%=0sJ3OHhHadv+J6eS-(GBec8@Dh!v8
zLqxbfWzXdmm>jp2e;%7rYV*;{)R=1Kw2lui7ML}1#II%hq#xYA@uomksg{Ds^`qUT
zVV2@0i79*Vk+hKUa*rh!(cv80R=}|?d)+g>jXekV{+Yu?q-0sW>L096l*334{WG+B
zlueMLQ#4f9dN8tFz9lQ=*oG>Nr}o2cQ}3T%8mFega{uW7J2`Gm={cjDZ?l~S3g7GH
zN1U7(yB<?hPAeP=@q1UFM~BarLC*_$fWgK);O_uVyZMFR0;#e@J*&R`XLpNBc$*I@
z=V@e-Rc<nZ>)&)K31loyFmP|7ASYge0AEzfbWI~O)?spf(j)WK-@U7m+0*OYpWVJ~
zyniDf^>u!M=vO7A*GRVe_aVm51WNHx`pJp4?SVmYW?co)&M_?*>H*Nqq1t5hIBq=>
zf<%7cVJFPZosXFOxS`_+tilxs?^<0tA@bCC@}nIIW};5Q&-dw^lIB?VLbav(W;BC8
zMY!y7&q}5%q;dH?mP_}F0fZHQIjDYF@RCz6VIW*gH=zV~vgUiAOB#0aH@}B0>dbn{
zd@KQqyyB<#@$3U8vfe^@R=?wik~W=aJHIJk&j0g-4h4##r|YLjVTEhXJCDmvPKbVF
zWkLI!`rMj{VoCez%!pYirW~{K4ydY8P*vFyD28wXF329HyCk`@8v-o_@t=b=ztwrN
zByOvuWrQmt?#nGGhn50FtXmUB&C5aS(mzn$+}7w-{DD1H0H|dodt#1()KX3Mne|wI
z)kXbFIP6~F11*^6cXgQ!L87JRNIxjZTmFmQ2MHF&n4$f{#VHN85>ncTFae5!uChS6
z79S%po^ixdTWwgD{Ux<fJo|TZj(ZAJIYVx}#G%j~LXGcR4aSRB?Gn`1F%aS)A6NMA
zybnF=lc2P>5x>2%GHwa{Ra#yPO}$Lx0TLI8W>al$Kd_(cB+G!VA*9&Y{NBHpNqgVf
z7@L1vkNCUKb4%n|c`N1fTCx^NA>t~#eQdfw6TZ~e7B8cy!IHs%RZ$}<utZ!oRRdq)
zuH~hpBVXrUC7rDt1z$=FBYr@-k-IWt(Qf&?TR`3!<1$iLCw730nbW3(t&+He8cxp!
zuEg~V3(RQkY}UiB6DCR_NnD%5E70zoz|IG}!(}ZAp8?IvoFb}20C)-!K@wnqt1bFQ
zA)ye!#d#SKUWN4Z`r(!uU~%KZTZ9^UWG$D5lE{b3{?>wLB?ID6^xP0yhV(dcU!A6?
zMvBWE7pCrJ4^ZyCWyrI705aMkXz=d~8S{;`6p8enipBn^d9cMkx7#n;Su2;P-HB`Q
z-QRDbdf8D=LEe)`e}DTRqXB$GdMFd2SXzcCQ}=@?<<xyd6_#g2JC4?fPUKigN7d4*
z85cWGcSm)5lu3j=U234EhDj!8D4FxCqACNUEI0~ImRy>DoxmT=_!)!~aCP`5yRvqo
z-=gTsl|ET1i{?(|eN}Gfnex!$bV0I{Z%k7i_5=HKM+wxW$oq2qIma^8YfQIC>-=^6
ze3#8S^~M_0k<I?A)5m1qC|wO5&eS0b$#3n7q+5!nZKqSTjKk2AjMndlN!%-<Y7((D
z-VB6KcWxY&=2;n&cyF+=#$LGoj)&~=s9H|<hB3-`Uk*M8ptn68zHMyr&rjVvL$Rw5
zsM<EN=<oaFc4TD+)rw1u*7*?6{s#*$Q=3VXM+VpXW)O=980P2c7(Opa$f%~9S85_!
zkcnz<Z)nEaU9r;e>YHEs%Lhu~nZVhyvk_AD?*%ngB2uw+wA|6FlL%RIzJFH@Wa0BY
zF(7)LIpoz(_`UD^0Fpv$QiUQPs_K$lu}7O?2X*`?3B<;C;$1XdcTul!8ZyC*`ITZe
zNsN@WzxDDnpY4oLD(kbN{CU|vF)&@DuU3TV7iRMudgW=1x68i=tO=P5elSM;b6R>;
z3asv@-|B}aQW2OKQXVr<+TLS}+2nD*Z8zbOp4q}%cU)?yCGfjBemg65CtA<!(6a?<
zBhT)@XY#mqjJ4?;Xy5Ko4z-~#FxG_ilnEk|-2I`4Q(m4qAzcptMQ~qMguPJR%kH3d
zk7KfYO_EjoZq)Y0&WGm3`El)j2_ixs0XB6uQiWACdR6glQUx27K`8%NhQ#D35V7qc
z0IA_bKs`2><DvoH4zsw&(Om7;-w_Ej7qY6B7FYsJn7vRVaVYiq!;Zw@=3!n9!gZd}
z+U@Ma46W^x?yl=t1yiB(-RjTy=f*FM;J-b2?{}i@dp1<z1&JTN=W$GEA`QRrOMX{c
zzudp!=E_DndTMVk8$W`dsebc$9Ruh3Z^^9pU{ZE0KNe7AR5-44vR!@c5-(|azgUv^
z`Nb-qNU!<HNj}vkbQH%tS$hcj5tOF_*mQ%T;<&^Pr?$B7l0fL!y94jEE$kdvow>T^
zoUN8Mr2-^`rb8^dgdcB}rLt<{oY&8{%3v*Oqh^O=F$E!6)Co)|1e`%6nn;Wonf2iL
zFL1@Y;^C@ysqBiXjaKPD4K+47@e);vJ@aBmQ{UzX_m`=*P7G{fGIs2g(WrhDs30+W
z`A@G1Z)>k0)0d>9tE-5Pj8uPf!aMHH-m0R(LDt-bBtV{7CxTs|u?HOW`si|{s`|9%
zt33PM(i`Y<HM>p&;m+D|R23w~LhF4A@!@`nxi{?~tcTjxh2mCAdTTWzj4Z`)9M`on
z?|l!#g*ckg4|TSt)0}NJx?>}BJa*%r#f6g#)hG;(>l;0^4Iw>#JzRBAfv=fgq{z!L
zN3fl+q0TEvyw%xyG#mly{-i0p?Z}V+CHPfIUreglSL0nMZX7cI?O{rp&B{CQ49rXQ
z{+Kkot8V4BJ*MtXk64hGTP@VF=$8{h$;<!Q>8OU1o`_^3O;+)E8v4tw7>wnkAlOKD
z<rn0nr`BvwV2%{}2Zs5fpL(gXmAJcRz>*g0xq2Ac@`0KoKTwE7(}WdloW=hgVM2j0
zQJZ7zv(CMj2zJ;#!F+weYl+D}JOtIn4o2us90;S6Eme108P*i4^fIY9mn+I!KFaka
zlQjSGXRSvGd1uAc<ElH*fufgYL{(%Bji$>q9-;%i!9_d>A+V4t;9TQQk1$OrmsB4<
zKziS%$~#@R^@Y0tD}R0MsECu?`|;xg8XS1bH{5<=@ui+2Wk1dI39HoPV@5yQQA$~{
z@}&lacx*`%xAP=5$*cn}!9AzcbY#k}eevs%Rqa5p_qK7v+Q`<h6a+W?{f9tB(|P;B
zw<S#^`xQB?{GZDzsDb}2CXq9Bz(_F`((e!5*eJ)GjGV&yvQi^$x3*SgKJt4vxESMA
zWVG}R%DkbNpVXw5LrqfH{KOP-wCpm{Urk1--E*WkH`A*1X!{&g$yfy#$9JkOYmQP6
zDR;7R3cGWwttf71m5m5?$1V`fUpdJUTB9x@CL`DF_$23Q-$1nsv8IhxrD)gIEx%eA
zC*7W2KS+D45ABdE8(!^G*m1!nj{G)T>0R^&#-~V-jKjkCT4t-!CE{r9ySXzPZ=gd*
z<B(ugE&oWi3Oi;b(_hq}%8a-8>prJYbxN$F1(*ri`#VwJV~jAHHi9JBWljYUfs5~)
zz_`Ti@{*UWsv~Ti#`S8}Sn4XUx;tgMS{|5R1nFK^IoC;%tF#p*52qei6#25cy1p}&
zbaZWD3;Q#V2nE-f96H=|CcPEn40BJeUO_MInKHQpyGzG)<+O7Z#|2VBn?pvdns7;6
z4(<jXC#TpV>yO8+jW12pd+Ueu9DIbjdu61&?GhrFAH%B=Tdy6TnhkmbiR^FmvRCPS
zd9N(neFDm&!!2OxW0jj*(7!z~G=)2yU-7L7)^#+VBG(@kvotP!l8um*?cV!|u7*x|
zmLi4lyO(r8hK4HMK<7TXAe@7-{0Z8hnR6TeHw!S|qG=4zil1fd5|NmeE^_bsJbMJo
zPMHM|&a%oDRzO#NGk*WdX@b6A>@FvZm*d!6$Mja?X@0*+T)=Sca=_iXA>f}ukxW@I
zch+EO6r<GrbguSk1HLc(R-Afpf}U}*2BCIU#m%w=2X>Bkjj1xWC|Bvrx`qyDc}F`A
zl$A`vg#8TgTzo$~ok5Uisgr@#$!Y$ET5v&ZKo-s6wgUDA-mt~}TJ5xNw8_{07Xb`b
zK|)VOST!Mn0_Tq$8?$)BeiUO?9af2Ae-1VoP*DfAu^z8(&WHUn2Ii_ouJ=t3RNR~=
z7oi)Mh?vUwfxi+M0`Rw&JBsVigH88yWs|xRfDN^Ny*kFSPu{vf@>-mq!Gm_6W3>3W
zX2`B|Y|*iJxfZhdoo<>jGPd0vzI5V6s*ovimvUH~`D#aDV_-txhibmfFr(_PTYXvk
z0AWC$zX4UzB+MK~E>|^H-e&dn_RLYFj{X2_C2Yd;cdhqT8#6-0>$mdCQRkKMFTQrJ
z^i#*f7$<A@&aL9^tFlS#*~r{~x2tlqb&!}Gy*UI)$rq<JpIF#kpS*T`t+020ojBa?
z>Kp8}!H!d-Lg@rMYi8GJ%wSF)-NwWm?mAFHy9EkeJD?_~b&h2;>#%8;>YhzQSLjr=
zZmf&ihrEB>mi)j52lwlW%BjwX#TL?iV=+p;YS#xQl)PGVSuSsP;?FBSj?`J{`Q4$?
zJ(e)IaH(F4Od?(p)*NE~?w>ko<G{1zmMFUv<RyB!=R|(4C(nvXA#VCY`e#IOn&cP}
zpQ!-w?q<(D8`$a6xFxfWF4L1d;fr9XO~=NXH7a-fB<AB)a4fJq$Vl;xM&&O*D3}>#
zA+W_~pRd2)ZlE1cQ~Ul%+tFpsiSB-DBQPnyw?31!lMXHzm;9H~Z~P3*N%^^_*g5J3
z_zTQGz3Plo0ZO+KR}B1ZhcZ+FPSbZ-Vuq|XF)+@YR$bdYRNlMU+HZFy@Qk(kA<!Qj
zylou|fZyV2JJ8_@dprJ=m9OBz_?^c;(3#5Lz?Zo_nw?zSb;}~m_ieEVHW53#Yuy5{
z-m^M&Ty5jZk%}aGbsTf)zI)~RLJxJU4U~}FJJjXbUE{zHq-e`cckWyJz#^}fHtihW
zVtBf%dsM^K;IRe6j8`A#=c)4G=ddmYo!&@z4p`GZ!EJ74>yTbzWNL4%J#u+2w6<{9
zbPTu`#pl1JgA2T}E9mlbFGiiLf{(MSXjoGivNiKf&9xWAc49r3*ZqDzzBetO61}x2
zNh%o^RDyE-HUH~%h@Hl!3x-?p*pakQxffDNT_!_3>+_<%temyaMN%Dl?sW*6vG*ek
zFuSexZ!+tc{60uq3mLeL6->7|dUd+es2Qb`q<=|-+nbg1`<GksE5FNKHAalb#q*s%
zSfJiga-q_exCSq6hI%_I=%z`~to*{6{oj#R&a~nmUgGIL8D;MK`|GKPaaTRo$>v*>
z8t5y#QC&uH-DX2Pj~AyQaM?I>;Urq!2Kv)R;Lwr7(^(i(1KBHKcaI;*7Bkqc^g%eJ
zi%0^#+C=O!mcCcp$j>@mx<Xlm**+s;Nq;qiI&PrC$*(jocf9*#by9{gVW;=K`YG^@
ziQl?ER?xlt3Rx56OQ{p=*=uYb_lqm+D&F|a7J<s+()`q=)`H}1PwomI=g9Hlu<*a|
zGfZ{fc<1%UIi6C0Urp&To!OiJsdI4wp#vN?FJ5%-yf-zE@c+WIwx*DI*k8r?xX!(i
zWLlM)qqwxA)M#w}o*(5)8gazw3hc|?0kcd6feG>B#iY+b)rf*GyOf^x19a~Pxsdy-
z_3kVG*Yzh>2De%vvr!|=W155})mK}htllvIczl7UA`pIqktmgSbX}NA_@7Z+bu3D!
zlrTFjxD`5Ol`DL$#PU?%>skCq<X0KdZ&cl_(dd;mkpSRKTbl4Owb;C3BD#Fb*jdIj
zY|G^)j^8Yb&dXgJ#g8`sibT?_r^kw?%RPi}1IAjuYIq(42<wD=V!_ehy12l_IXdpi
z9<m4-G-3-~EP8#l0u!wXS{76Bh>B#&8hFL;xj(Rpm9r-x5}j+3-QLPSQqrx?%iGxF
z!@oF=6=4E-cj!`%>xVRTlfKCjpPP$;_#A2byedU1eHBRkh%&c=w_Uq#jTy~S+1$SJ
z*cfnJ^}@7$(O)Iu26itHaZ0v`$g7|wf|o;q%T(Cu85<X3LFA<S^M6PR8^m1r2?F#`
zCBANJN^iOw*xxm^f5)<Yz9P&%b~DWCdNDgr=Bl2?DT|S)V(9K1Hh3U~eQ3$V@D9~$
zoeaC7fg>Jz;U2WYMM*BV6?_?1Bd^C!e2C=)pAsNq>F51jUwhak1g@ztsJjgQ3kg#i
zKbyYAW0B`!M@dpg|7}+2*c_w7W==IB3cb9)EAo0stKU{z&yt8TryS@qemzekiG(Ve
za$T=DIA{<u_Hf{fYk`aHk1?Efcgf!4IUX-8x3utZBM4j|dbo(OnY-&bs>kT&X7Ae+
zyGkEpwBOyK?$X^mO6rZ=T$jl1Ztk(M<8SK^OZ#_}q|C9DHPaEQNc#ThoQ?;W9RHrx
zNGg3<yZe`N$k7U{h^K_{VngcgS~0@weae)ztGyVMBp>}Un_k)F9d0$lsg>j3E7+m3
zfAkT8v1r5fBfJ=yp|M4Z-WXaUQk(%vGI65yZP(&tl*+?$;*I$Hxl?J&=-<a{S1COv
zK3zU}^CeHBd61P@<$Tfm0DeiSllCEDvcWVfOyjS2nDWpq=~;cY*tGBdFy#_LOVns>
z%@AT5J1I+oWJhKVUeZep?=L!gyz$uH(5!O~9mk5_j%hx`b+dN+ehq;*dV9x4l8bZ+
znQNYM&jB^$M7U2f(znjM!xvGsEiiv3dLUssBlCJX`cKBc;c^M44_|$*DxQzf56kS;
zI_V0I4*C+kYtOSj9&V4A1Yt}%@{#yB*TWGKyqYi4kef1Hf33^;2kKRwx{gJE90^r>
zygU6^Q5YJ+9s5JhPWa<Sa`y=9F}coW{$QHZ8ZR~16POeC4;TrAT6S)izYF`>2kS)(
zXRNMesj-4o8L(zZ#M&0!f-~OPlV@&?xc_W+<F3GUB+c(t*6H4gLBAnG_QA%)3mFqf
z`%O*u#y`7aX4^Q4ryAS+esu1Nt|%(2Es|MiW+{jV3xlclPDcH8q*|`GRX2g|<OUmW
zp~<<23)U$0hc*Shn9;@kcN6%?4A*lgCOO8^+i9X;Lw{H++>+{?<&UTZ1018be_snt
zoJ{nTW~~SB`#TvWo8%y*1#?T8{N4HZn-HDPn}Q%m6@;4w-*mt<z_p_IkFkAfBGEQ-
z+@C<H%NM=yXtK~K?aUv&*c35!GSaMLm95-K5i;SARZi*Q0^%FpC_j}6&bb0_H!ie3
zFH%QeZgQkNRT@ft8?kb1ythyGA^@}HXuKd8AoJ?!#s?<t)zJN;69H1tS&8&tx}ojS
zGM~%`g~HQz`xcY+4W&S{WYGF^`VYx8z*wcZH&;*-FjDW>)PmO!K)zt+siwc8JydH@
zxMxLFOf!&>Ke1OAZ8+_ik1|smtvuR_c*A?Ts@Q!g>X(Mnzpp2EyB{fSf+Md-*eTm~
z7rN|7G=jN5$;UWS_Ni!rUyI^&RTXK}&MKJ#P&|}ZFgj57g2sE1Ay>>MizpS4fh?9>
z&=)fUEmhZSSb=4&nWi9Ap2m_Cl9D_dYwdrE6vVd@mYm6C!FOSk{BuUIzDVi!0J+oc
ztm5v4!*X<0Q8B7m5RkoeDBqWH@J=U`k2J<<hMJ9InuErtSzTJ;1#J}d|3azvyt0hY
zl*cU__d`OToetK85j;F=?99)OmsX%BH$fC~L8IWpjwSu574n;;8HMjdpDSM=j3!|J
z(qC73xp3);%+#)ieJKs}G*X7%bZf!<4i0X77;LiN`-kz*5Y?JkTNS(C#vSO_8j#Vv
z?&4~se&A7DPF+!ICfb$`#{N8xR@7|Bi{5kbSaoOZZi{pX2oBAWj0_F{NP+PqD1gn%
z^b9UY`CE)mEt54euSTwlX>NZX0?GZ!%)V(iFE{}FZ^=8cr5ZZiI$pHuVZLxA#U<_K
zoXr#a3m(&l+hh&D|G$HMx{o9tVI-seWqXZkDf8CQ-$bZzU_F5IfDv<dfaJ>9EN#AX
zPo9S{Q!I=@!)?KNHKQzzOdFtVVq541{b7YN&RS&R>0Eq;@u|K};EC;L@VT}6uCn^>
z-Y|->lnSw7*#KRQo7cByphM1B6QU>z9tM3%fgG&Kv#K^jB=d>FEATctd(&~q#FWNn
zC4Hi|cKnGpv>^H$Jq^km{R10T&Y=CNtPuiPY`bLPhX`UC%8j(IQIW?je_n}PVWr-G
zYzQc(@C`Rh&mHqYf+w3;Oql@U!nTNf;b1=;abgE4uJUO!YzouF%iUT9*;qxWy&auR
z_BA#1J0&hc2T<QnBH>BLn&(|H)K!p03CxXQVIr>u)kzlSkt;mc5K%=A2kPqF?8`L0
zJ8(oc(8)ByrV#4sEgR&FFu~H;uQb(Sit?gpdfXuv>XB`_KWb>fg1B6WJ3DN4%63m?
z3rEycj~lrQ$>lxEkoG7CNVRt4VvYnDYj`SWB39bE!0!d=mw#|}_nI8jBR0tF&y^*>
zxWuU}#G$<Qfaw%AQD}eP4-v;w)B*roVC0gp<n(z?2kN_}X5e&dIgDBir*i?;n(Vn1
z_*FT)C?^`bGklCab3D0Hb*|ik+X)1F5Fi(34+JtBzt%?1G_ksr)n);CuY=ke_H<@t
zQ~edSFw1U^!gK*+GNo*3)>1lRfd#RZIYaRQG!^14C%xjIU@*OONPIfFj>1Frhz)Oq
z;BgRm@DLqZOyuj3Df0xo4}#?)UU{+7=J%LcORwHC+*PQIO7je<Ude1n&C@jSJZtff
zt?|pd-Z==+#Q!hg$vClag37|*s}7&D{+Mm5@2GqNs|8B^920?-*vhZ}GYc^J<h8;A
z0XW^Nm5^gaUkCmrA2`?^2`7*pg<+yYTw^2%dHUzH-{!BOGk0f~Oa?gj05##)@C?^C
z^g|Z%ua}n0WuMt(X`7xDl@5(JxK|jtTzlkE@}#9+t<3qV0arss=E-K)kw|`G2}?HG
z>b<$;@aL|-$E;Of9W@9rF(nutM$={&D@&tc_q4$3BY*MZdQSF-TXO4^YLKNC$jjlK
zK75P;Qz?39{}n|9DKh`OI@&a}fQ=j`5ObscE^qd@xi3*I$i!VWQvWbKSxercSqy9$
z>g)P`|Ng|~#^=#Z#)~gdS%)r___Qy3jV|eartBRQH8<jDd6Bw*PI_>CaTrFCvf!2o
zc_|k=r(Q*yug)-$-#j`}x3Y8lg<`#9aW}A7vbDMfMy`R=m4fLAbv{@w;4BSsXjqlg
z+kuP(7PWoden6%`A=}c4e@BHItD>)>-jSKc)rMLycJncvKKhqd?D#YF7!>tb?Jq;?
z1n1gkg_+^%Hyeb1&vpti?{2U&h;qojAKa>R65dj<px;-N<pCH1FM!TdJlx?0c&;BI
zJ=QDyQQe<bj+2qGL5}x0slcGoPX`*U8}Q_^?X8dL*$x7Nx=`eauK<n;4%L4KmnOwp
zdV1rw=dRou=3=+h9|xAcu=2SS=e9BiW>^m&;$&_;_hfs>MWDFOW=k>;l;4iN6ucm^
zag}N(D|lUyJ!DZDjG^z3QMA0ioYePbCN{O!5@&@O5iMMx+>|bG^?mKH2DsW%^)Sk|
zb7wr;j8!f+=0v~ZV^Nmhvas*1nnK=(u|(-?2^!<5uy9LEP%8NUL_=h-qwU#I<^(kl
zRE>OB*U?YyN>qcr{qo%8Ov^+9$y5@r8mf^t5<?y;Qsx~QEVT%-r)8EouGUme>T8pT
zt92VEn`;*C-yGqQ?gG1YG=W^RWRkc}A6NGB;oQc~vA(oics=4R{_xAqjeP0TRpr4_
z5d_f%I<maRu8;A4VP0U0%0bB4^i{Hxsg!u62Phn2t<)exWa9@TJ#5YiW-(xFWd(Jf
z=E#Z-ja+JZ_()d+cmLDkN!v7&^nYh^@tQouaKeYHxttoJ2HN6c&fzM0z<+n}6*v$O
zZFv3D&kT!`^8Z7VS0K=s!}Ab39csHp*yySmW8JQ}hlus@74#{ZyXZ<?1bGREzP)9-
zuXaPyQgzq7$-~r`d}l^z`5bA~+N!mq4Ks<x>D6<iHE_Myh$t-)Yg&MLWR57qi_plU
zE*ljmlwpEbVaXIyQ6sZ&yV%AD#NO3*-+O(m>D*&7(a$WnJ;HL6hD(dJr=*lFw1OgX
z8}%4x?b5QcJ7<e=*xc7(I|L5dKoV##_N16S6)uOOD4dR)Wq@2mv|oTOM+-X!3xB@T
zbFmZFFW_PuT`}P5InohbZ2R&^f8g4ghu}wrd<pf$kF_w~OqU7!lXjJ-hM;1}7{`Z(
z`*=vq4bD{DM7~iJJ``Gm!R+GEkvpDH>aTJQ$jO!JiRAY-wEe88ErP5)(v0Kvwltkd
z*^{0QFush>By4N4l9ndV=(zI-Ozh=OPr+-jMp~}V-Fubat?X1tVoe;jProK&Os8T>
zwf1uY5M^hiY2OUBerR**_vp&b%+p$0$<emu{r3jF9;7m;uQTIfnw?qld<b{GWC~U`
zdg{a5*Z9ll$d{FF-SmPAMpS>pM(sp`hXj^wRC;pBvTDzDbcD3@;piHku`>|19jJ&<
zc3fy%8_FV6{&W>xc#&HB$6l!$BZEt>3Wpcz$?sUD=(B7OHJqI|A^ElR4oc&VU<7or
z{cxuV(){@$s-cM=bK4;9=fXyJ4wt6}v*gnaT}VxkXEkY^dV{8RT+j5f4RDoc%RwXT
z`eHKe>EirvKQmpsjT|u9qIs>a+FK7Ewh5?Rfy~IfwaStc6t>C2%lv{jl5&NI-;tb0
z*;6@@;P)0`+Nj68QFq5vAjrz6y{{L2Vs?@$94sEF`%1!3Vi<HTQYv+6<%AOpvypio
zzM!4GD>7Q6V~{Zv`)rS3!Yyx&ZKf+M6uY^Xk^e&qUjXloP;Q1DUe^FMK+3-<b1kCe
zMp%!SGzJ}<Of}VC+5Ge}+r6wwAUmX1Oj|B`8RH%-PptsGd$F88^YZ@51+bijWMN>w
z>7|I+`9||R6bfrAP9NSf{=U^P4XShE0V!L}FtUALhz>R+{m)R!`XEHfF`{NiWwg#j
zf8*6GAq}OBlq4#s(diq6ufPh>T7`@aHz}$54<L;eCHRmaQ%Wndl!m!uRX@a18^2{e
zgAqG(#NP!2Of4>7H@~W*-I5dt5Mjca^+*abZcLq4k%hiq@B-<L+R9D59wvkqKbDR@
zz|4MB;e<Chv>@$tL)9NJ0&-|ZV-Z6VodH;lFl#l``bn(Ct$L>Cysj`h6fs|%{e|2N
zCo3uIwtH<+3q>A5D54wL-OeEK#P<~MmV#1?Q8W#8b5+f@qzD-&bM@CO;7kAF+u_BL
z6rFaqy%^+EupeKzLLuawoVBO2w4yoO8!vv6;I1OcQ3fNjwO7ClX57k*w*&Rpwa;Z*
z;W(2?SYBEU-=hxNYF53`Ywm{_A!!YhKct<Euq16hBmlHY`-)2YTgzuma1u~g%UsZ&
zYB7r|s=v!6z=q^bL%!#=EDhn((^Pvo7#?P95P_aDj+j!%RE7%H@oru;??Xh+i1>V6
z{TEqRXid))VZ3uQ$9FR+?l&T{XYCtGY+{l!0P24R6n+qXN1NVYV-Sr6v^UOz*Nl2&
zRbMM<;<y>)bBcRld67pzDiuK1b>T`6vAJ@hcT*m3<yjP84Mns-h&;oV+&m(zW_n*y
zA;=-i&+`Jf>k{m#Ms@V2Z*Q9IJB)V<gZzb_f1$6^wfj4Bnh|VQdMXz?vY{$;_HLXq
zV%UtFm}C)qYN;3o|5%#B>xr<Wcbw_I+y0z}1gh<??c)k=htJC&&?ENr)^?Uj0!l`<
zf|~Jx0)$So{)fS#reZCCb*u93>P?wXJ!HJSU(yV9)G?KmH@8;DNP-7;7WiS2(ZVf`
z>SYo<nyS(TCwC8n9&g1M<FD=eu+3j^r7u0vBh#Z4{732FKk>j$Hx~GHO+h3XDHF$B
zUvUL~K(9#0ka4c!>TO`K6Yby21Bxb09P}t22<5I@2iSvtlW9u@ysb!A%5r*oGRmKr
z@UxbVQ3`16b>Ar!nExJR+>knP8DZr>XXGn!Iv+l4Jqjm?fTdzi=jOp@lZh>jr=fMI
zan!=pTk|30uYZwOhN=1fQ$Q!|hx+ftEFU1QHs6rje+HysoI-yyV<no_*lJN{1kSAb
z?CUZTj9j<^M4`UuxeyKyRC@|RB97EFE-;NpWq{2y08wAxAk<RpwXTjYf1Xixo}MPB
zlsHhO;rWn2N|x#86f&Axf`^L=hS1vX$xVh-oi-IgrMVv05`TgngA2=<o4o(ePe-s^
zg!i^o=FZ<cL-EG>aJIVI!E0L41g94B^m=<UNX(m3U(OphMvLGv%QtlQDRe`QOzJB$
z(fWpIq2RmEwMPKE#m`TJ^{!{rpkrF*CP%yEgSV@_jc>W%^Ab$m+lo-v7`Z^~?<~O;
z9PCn+#v)8yOEiV$NWCuphcQmM+F2T=2f;=Zg{<Sc5vjtdnEV_*$At3!__ileyuQKb
z>9c=nMt;mq>;5BW4^uzOB1-k7)Au{3brCw<ve6}rZ~K<9oT%yU?e{{Mg2e--Zi51q
zvZ+v8aKqu@<g~|8#E{d-3dEg6APE~rQxJP#pv<PNAqGbrstn}_p-F{+YiY7Yu!~J)
z5PmFJ;s<lVQ!1-9Ft&@UF}~eaWvt_G)F;*d^&4r8p*x>+PX2L68axCc*HyEa=GE2w
zS>|slx;~r=NkPD?;b1EWe(pOH!m^>TWnN6RUHhjl;;800H!T<!M6F;BykaJ~@Qy5x
zL}6=`=roN4<@lYw#XCZA3h2n?OWa&=usuOm8-;OhZ#zwgg16Qy9<|mfzHG+$l5ycE
z3&w2_s8&F=&=bi<ej7FJcpl;pQ^sx{{SI_OjwQS5I}+`YN{joeshcq-6Mo(JVG~P~
zCD&^Zh}o|HqAL~P=B6G98#3WK!NuW>%p?`juO=3c>CWlq1U6r&?>1Gm<K5I>eLHu1
z`wq>2BMlssa;_|BhOLxc>ggElvWV4PL0^E)NSem}4A17lvR=!pj!c#GQ38Rh&}$6K
zKbNO)=aD7S59YKF51^n>9G+&#H9bqkZg$=q0np?#iNaoivH3Xlr4y7qGTCRxR5La8
zMFkX6I;QRz^+3Q6(D3Fm%KbyKmD=2S8LT8~dW%IGZjmx7TLKP1KU&Ib0LlBUi`9$o
z)HmaN>4VnxurOA>LgG=^(C<GD>!)97f>>r=7Vg=<+NZR%fn0^y-7v`ENedbzQkMc{
z3M#HzFvx+;(*Q7cHV4KXfV?>J#mIOF7j`AEn|9`z1)K}>KrMY?JuOW0i`$tL6I*r8
zr|2!E$3IP&avV<sOT9l~M8{CoVz?@+Vp{<mA@t5HOmT}WsD!gE7@_!C;Tr53%<MS3
zhY7uzzc<t4d(&2m9jFluGLK}b6i_IMx{tz#w~=tw(Wj;aGNPeEv5A=iZ{1Q$ARf1!
zLDOPRj6~}6!@1?W;k0fN+s%UA3+OzONv7`JUgXV&S8Gr0*kwVYIZ9Kt<;j4o;ZT{k
z7<5TzHMLguk-}<gV<t2e?gP6o65}q@0U1y+rlCEBULs<9LkpyH@#dA+LHLAj@;8@D
zs?Kk!u|K;@c+SuVuj;!jgh@hO&%&F~_gb26->7nTv=2Qq>gd&SnzDasb#(3F)jPyl
zC3oazL#QQi`r4w8NbAw)s~(!oUE6qmg5vc$m&h#i1G&XzKs9+91Inr$^*Ds2D;9MZ
z=%SM!aEWW7X!Xi0Nu=(bsQyy`i+<seS_Kcivn4dDrYMZpq0Po7`C2ziS?a^d(MliT
zrf#jS?e1-Ck#)VS978<r%6d)LY57OHs(C}wTHQ20nfwe{LyKJg`$T*rq(YDgo0V}U
zS>!^^EJrItO*{B!&x}E2=N-n@T`W!~0ZgU!Mdb*C87@#Zj}Tr<F~a6tFbzmQp<=>~
zJibt(oFk8J_^#5+n;P2KXM8<OVag&#RLq&`_5R+9Ec7S3<l^kFIr`$^{d}>ef3Bn2
zDKAQ%FhhwxDEP9zs2^(DrD2|v#bjeOO5kp%r6uanp2Wfdhm$s)a}euZzCc&gQS}?A
z<C~N}84uPE1rh3EneCQ(ALp5FM%g?vk%w3)6y%cYBfLwen*pYmRrJ7HXdM{{PERuk
zy@qI0>LX(BryQGN={DUCp7Bn}uUgXO38tZII*3zj;o%(OF{ad}3uE=jPws69NgYHz
z)sjVHL+VSl+(}bR5g`f%2WOK@YpTD<q;#9O_$yqmpomQK2?^^aCIymP(I|f#7MT0^
z*^1}a&>)_gQ)ZyLR*uCwht2)_ngM@epfC<Az!5~RuV*l}De9NYfu@3_RK_>@ad!_(
z71ldoz8qIRhJf;prLjBN*!nYsFHYCzQ1`v;q~3B<ncSz%7?SuZN&Ns_GA~y+VX-pr
zR}jWhdIv{m&3iBUuY$Dfp8<N8@8|QlNHg0vPG9(Nnu7pRF%6Fo<+PLnBV#coeDKs?
z$10<D4}WmZlw4jHNEev7MCyksOdXoJ9}*I5wy$dj>BMl&&SSWJIQP`nF{zw_*~ZSm
zkdw>651WIBS&THD9{PYMmjD66iGyMiJ{Tv6tk6qUkn^C>I7gb{Va4OpP(rP%Myg;<
z%s#;coA;mmX`$&RzuKIP;kEb^5^13y11Xv<$>sQVO^R467>rB+gMDc|hvNU7xx8fu
z+~giSp9y(}CCJ>(r2xuCwg(F1obR6w2%0Z!Y2Ze-U+cC!H0W)$;}l#IhwD~$u)my4
z7!6(0*sMfP+}3ujeHzke4O*Jh`~~PrNZYx&KT}QcDk>S@^jH88=ne5Wbld30A!4TU
z3#2NWYyBvATu-kpXI0nM!c128JgES5vd+-{w?`K62=fd0o#aYigigPqTY%n~OwQk;
z`OVD7!w1ewJ!y)Ed*o=vJ97CCFlP`o3~)7Kdnbwd`c~?MK=xPXZ`f~u6rf_<bgUZ$
zY>09!By|uh!J#MykV@T0zb}m4X<~woCt-7rD2l&-BisNQs7bpxP|$5WOmP(QuCb%%
zH1wavdel^<`k9gCfurW{(jtVL>wRfvK7<g4UN`?k@$IzprzK#jdeXGOap74=7iZZF
z-t89p;8uNdp7>$rn5m`Q7lv8Wo1UF3Nd!?2x`A<csep!5+O7b*@jD~K3Owoi{*QW>
zKJ?v2%Qp7G$M|4NP51|r-(b>JWXBh2Wz5q;V}E%dNqmcN?Rtu-=SS+1Euy2nt~T=^
zoM<+8pXTDTJN~i3&I9YX)qmLvH`t8ffxhR}c((&nQ&S{|oJ3P&>_n1k=J0mzE=?ym
zL*Z37*LRYed~<t-zT2YN${5$)1@S<{Q{j$ioQ#P#ze_BIT4oD=;Y_V&ZKs4!X4**u
zMRK})<|8v5V(BaanS-{Z)vrFIpju_zAyiuDtZA(T^8eJvEBLQ#o%zGNkGiex*<n>j
z#2fkwx-TZya;w>fH(n8Ujp!)~6E33Myxp2VWdkO4Ug!Gw>**QxEI-gS_VWY*r@JCH
zAw3KY3((2|MTT1Ul^pdWMq@cpiK_edd+%S*yj8BW!y6&n08$@GZ4V$IsX~o&mO=Md
z7{kw=q#DfehkVq-Nk`0Ud~?RGt`F-S_HM@JW?s!DB_$(LYRq|(O1J3Lc2Z&Mcn~QM
zBHb~AqQYn`4g#kyqRx!H{L*jCkh38Vo2?-q&UY}uUwm7W=s6dV0~=%boIm6w*!mz*
zd<mor1)Y03Cu<h?F`jf^?~UlvT9|y?f20aG1OKcfqxkyXVFQ!;JKl^ECk9-gdn)JW
z6S1bfv*Ri48nC^q#dQ~$DjBBV2k-`jx;oZCa=hin*!Q7fkvHG0h7p@s>IYY+f%0WK
zDzE2O7*omPZV&roEW5|mht!3WC);)pn7@vi<RZ5Jgvi*E1IkZX-kfLd*JD90bEhYb
zJgujHZ8`CF-Camn6gafj2G5;`M5!Ndm2sLO-%vChtsv=LMX4^WR`K-Z%DiiGD<{Qf
zo`|jSm<Z+f<^4r>;P}q^AYPpZ+66wz?ws~k2^Z6}{Z_E6ZZ-0as^a|fr-D|N*UY|f
zW1UedG0K`qQ8iORL85r})wf3dD~!<p??J*Q{rd#2*)Xpe@LqI5CI$<9KUhoB(!(5b
zJk5JjB&6AF$fyI9o?Y(@Zq+FaWqTDoU4G~b1Qn!|lrfLY>^L|jXBCx|AWylJ#}6f)
zgeViM!>&Pm+&xnxZFZPD`{#{&iFy@Pr5{fV`{1T1xcKKGR7A;YsZd7;a&FwF6(}~3
z@_2oJ5mR6bBE<4-H7*cTHeElrvDIqyJF&$8l%6v&HpNeS+Kh&DbeLhLf1Hdh6bZFt
zC@J~U^ajNViD#8wovziNd351Fer$=;H3KitGMdu0{jAUSe!dd=5NexT5H}QUJv22<
z>5V_T#!ns9r7yrf9!q0THNM#oG0izt_fI@U1+==i^t3!IWzb7J<yGKA_b~)EjlnRg
z5JPsP`B$;Ix}Kq-{%F@HkRx$*b$KS@E@Wt4?xxx_|D+<afLuJ>md?Lre!uj^?%=_;
z&P=*{Q`!w?%}?jybRtGJ)44YI@`ddjsT?g_8;_$I=o5S`WpGFoJuCT~|CA@@3|#}@
zn`r+k^gqD7Ur?}V$*01st0o1dRd_{KRpISTh}eC3%hz0Gj0pP;c_46?(YZ7KNaTi6
zC}@NkEG!qA1(uywt>yi7XKq;32pyE0kDIwTh}Q<4lmhYV=8!rw1hT=m6moqAAW{2y
zj8Jm{`iJ`-%vEDo$GT6(q&6OHw5-4T6Y!8=#mm8{`3?s{*ayYnR<)+yr4t2ZUq!p*
z1nTuI!Pp{o+rZZ&jyo_T+rGH@*Z9r1%=R^-<0o->y3PfSQTk}R^HgtwCS_DU<b2fx
zOh-3RXjz7)eAz(Rm6!pB*Na0ig$Di$3I9b&@0s!{fu1Yiu$+qe&l!jbQRao$yDmWo
z2?VM_f(}f3*x<3kn}DH4_HyTJ>Q5CxfcaBcmTWP*d9QemE~y(5xz7lcyP9d+OZO)5
z#Q$!Hg6txs-?p-Mbd&MV7QiB<ax4@ajsKZbMlH#?yZ?UKT;>pWntt_!p5z&}v=qt0
zXw%kC`xG-yTNKj>^jSt>RNvmmrB9kkllWhj_#;7+S)!Wwth}S}QGR~pebxCW5uuK@
zSY<@)W2ue#0cqeeTUpya5tVy{E;(y<`H@wTDQp?`;qhQ<rHDUM_UXf=j$~OriSfxX
zA~eZ5q*gt+Tfl$^w(~<0J^f%>-@5!yb+4>Hzz+Yb%$iR9{K?d#tsOFt7t{On2Rkji
zQ~ZWOao>T%)q$6t%EScylcKtA=Uk%WI^Egj=9KjRyY5kj5WZ4*N{;zt+T)l`)y2QI
zBuW4k7YD2|tjO)Hs&c$=5B-Ubn9<OnRlUdx!CYSu4yl_Q+?HQRW&x@?N6v2n*Ylyr
z#zK6*i<b<!h?xQCS#@;gEBCmk{8j3&1U0q1<#?~F9mzV@*tK&ZRF_mfgp!3$fVyU(
z&WnOvuF>slNHi{l@i>aEyYO!iK7*!KWSQ1)O%Mrt`r`c@S~?Bvz}q~fE%nvI@Jgb&
zCYHuTl@iM^+P1#N)i8tS1waJen@B7!by*E`?Cdh==a+9Y$cmf8#>h#;p9B7X4`FpE
zGN(7yn29lgTS9Xu4p%Bz)P_l@*O~k{Glbpoky$?uQ&fCvn7@(ej!o?W2RAyaS$eV-
z$TD=DA5J^y5Fd^!vi_n@7CaM)_QlMdYeleNIuy=pHvwwt$4;R_`&{0gFI;HWjLi8#
zOL`)elRX^Jc1z3Q<l{g1(7!zKf#%i5uKW2L1~v|6p+Mey*wS4F&l`|5h4(hLe!(gv
z1qL?E4UIdC-dA^X+Ri<j_k%gPMGkdszkkG}bq!(Ud}`7|?wF7>aKh2yVS=Mb_hK%0
zP0U3H`MQyq3qy?t+{_GwyI(toW7+*vaSEWHm!%nz9=Cu%6;eVD3vR6Mn!Ec8pJ-1H
z8V592|8$l(6xIA38{-t&nKu)@Zie7^mR9O~Xh_1ZGndD7IBv`;8b|{G2o^2IZklw%
zq8O6CE+G5hRO;I%_*Br+yJGCzSgjrz$h`5#?H1EC6nutTb*}rVsm=YvioL~xuV{?Y
zJDYMMT0)W3V+|xd>9Qv4x0{RcKhzMCq!hH7#_BlX4({k2>$vNX&&SSTFUk52X-5O=
z=mhGTT`nz#dSuX$&yMf%ec6Kzjya#Ll(w3k3$}Qp>OQPdGur?z-h28jnO+%GWc4y`
z`mXyVRLu`RljvI06!Pxw*rDueF7Z~%`9VCk()+kwVS{<$<HKp^6-?G~QPOp$3=-fp
zPYgSloR7zxcFB%kKwRPVs5!Dw1$p<KLN#$+uPd$0C`x-Q4qT4Xr14axYe&iKNb7KY
zQp(Wj0atmy5nIzny|9bt1C@=#hFr44>@DYC3y3YUd@F-R5qOge>Ij`~ZkYJBa0d#X
zs3Y8ui1bXYSKbL-dOG)%buXw*-4qVSp}lq}mXw@wE0FRx2U=w6`{lNcyQ-v#kPiZQ
zee1?#@OCJQTr4k#_LLbn4_fA_qh)P1tdj*}!o5UJ68q&=B`dP7F)VaX5o)S14z}Fy
zajP`((T}RHX}$aYY|8uA55>_CPZYxNd8~tKhkB(6we=)Wi39$J8@mzpRmSDhRVTAl
z*G*3%6HM%`D3AMHX+P)JL60xtl=dyG?*kbJy)LA8XD%h8eOHbGNq96K{2fD=Gp0Gs
zk=;HSGrrB9sL+pg4f=WNYD<<aC&Q0_nL9Iv9!ASf_h*}RaeW&d(=B8VLPDIV(97{R
zm_Kq_f}tw<CwdTjkx2{LQEwgF>SFuqyeSMyxm*ceNer!4akT`U9_zhtQWytlUuF69
z%ni97mMQZ$wasC{YTe*<!&L{-HkOa>&h|dvA;`KP4Mpud<I3MXeaw$i0OkjMT@vJ_
z2Biuq(0*U@+d#=Hl0rpItyxAi1dGcb>OQ+?nqU3S!1alYc13B2wicu)i7S;4Wtz|*
zE_!~|Mkrv(-p9Q6xE*bdBU>|v%+jTSL>E}C_aVIMebJafFS{#nVBxGDzjt*tkhn%l
zEwFDv*YNy)dftbFKcr7;W?}(Zek-ns;6pITAL5Ybn_E!qH&ggJ%DZM}cy(DLpDDB#
z1HtqTtzG!wxsP)_h48<aSbQ-5D31^8L)J|-<I;U?KH&6+Lh;3S9}{AgXD!dQoDUqV
zR)ox|Q)B9=9vHiV&2hL{xp!q5`EcAL`}26w(MpWT0><sMKTVD@+>%#obZ`bkzjdQO
zf5|!_z_$?u)#G;&a)7TP>OHM3#<{sS?gQId^M7Umdc6kxePbs2lGfO4PDMR9Pg?J(
zEv;7Z$N4Tlaq6LMo>mbnYyhusGrU7YW3A6HAV5wB8M*as^um7!d!j@TPfz#c{lUx#
zA2YQ%7j0s(+E9Sp-~6x&Nr`^E&kQWe#>1}w?7kKe&nR$sv{a_4lr*7d85DO;y7;u3
zZ@{81AhRNa(Nk1C+~41fJv+hX7)2NQGdPxCkE%Y8;?8NCA<k4+;Bar5wIp@jQ!!tJ
ztw(7ZoFPE)r(k&C@D{GbddZuhIfk7uKEN7F28{AKZ>6LGc8E+jgPVkX6RS_%;mI!|
zYIueScZ*Wm?Yk9k{dTU`(jCux^T*>pBM2Z0KEK2&W0oENx`^y2xxK<U7nP)>d5G)T
zf1|X4)MjW*Da~50Q=SRM0()(0j%>a1>Gf`l$H;-S<byQMw;hC#By+{!X7Dwl&$a^5
zzP0sN=8frS``YGInv3q2KFAN}BN&Jc0r#XDGW<Uk?dipmB!Mh4HblFGk6wJZ9VbPm
z7sTUj)GxP!u^alOeP`2;Pg|hki{8lLUr~uH-`45R7_WPqTS($g&Jz5#H+;QM{+0>g
z<N%aA&#K7PIsQ?DFOe0s301y-Zf*is`?ehj=<5=<9jV_v?fA_NLdr$NdL>?-J~ONX
zZywdoukGYiKn_KyjF0E#ZH74m$WCV}PCvJ!lU7g?mzGB4CH<Omz{Lp6x^kC<>L!9*
z-`;1f6DCqqD$uHVfs#+7vAGpCSz8ENT~IooTJLC$?LOuM-T9a<U&8KAcs_P>S4H3w
zMT&>r(Zh4!xDiMntKp);Bwy*a(P0n*9!}Sp6;?}=`^Wy#R(qs7el00&PWgR`*h$Aa
zkB!yg)$MZ$*%%g-Xg6UnA&}5>zB$wPAvhb)!`g-PLo~$D<n$Ene?`V#aE0gB&4ow>
z6H<?>7<#9`ZRVfOlWl|Z_U{EJTy=ZdQ2fC1?XzL}+zAb*RC0(9&=VPi!0*-(%S4D;
zN`&!&%(BYn6uzJ1z4_EWzE{{)ja>}6<455NJSCSNx~upZ2gIp7u&CEwhr9;e*U$XW
zGfl{GjX?X{GAQ)dm$lUbaa|5h6|_zF{H#wbw4(=_wipY@ieXVaG+@Wj-eK3VEWI!W
zdA*l--D_3iVZ`1aksWA=Eh?=4oGO!Iux#o)-~775IQr4V`nau34hQGkX8Tqer`=Fs
zQG}?Xwr~6clu$Qz`cqW7#1a>5X^;94zT|LsAejlA)Uq2|-6rn1TE5!5F^x1b{TBTs
zDXgQVEqL=p%&>8G`FbZ`ug>u$#gT(PHG{0-If<@LyWgv=rthDWS?hWDW`aE=D)!vW
zUm>pGl^hX)ovRXpOt!{YjVinF{N1ms%!^i{mRq7Nq=x9JsPvMVyJ@Ijefcvh5-F`*
zHf!Umjx1|2%Oi0{7!&hvV#?nrOfpC}8?PJQdjFeOVCZ%qt_xo(mZFZ`9g(m^z{#O*
zp}M(k;%zA(?8SXgdHkV#a5MhFBORO;-K&$AIPhAvYUv}!cTupSj3G8qcq+V`=T+tZ
zPWFHcq3gX<p&*D5%Nu!rxiIZZu#_%G<GOOFa+tunPn=503EZ5i4}JP)mOG;e^NUg*
zvRG}!*Mbs+H9x!ar43_d>d6&N>B)=zfiBqlds|f0U@kut^ya21rLN<BNa&sUk}@Os
zG8q++M-i@{ovo*c(GVegQqH+(^h_P3IAKLqWxVYwSsZhDFHQaggBoho$t!1cM!Td{
zT;NAZMm{>a#Vg2{y2OI7jO_#eOY;$s-ptS=tB5jW?5DGo`}5n2R7KPBaiM?DzH~JN
zA4~S6C%>pvRme-O_33GUO>N41#z0x)s#^CwFg<(9*&rmQ^*ko3Z*CnGX*21)wkW1`
zAy>Tb3YVxb66^YK=!?wAr_d9qzkoPF>c(XqS=|sG=p&~?Omm3CGo-C6i&a8R1suuX
z7=ywPk2MrV8Pt-x>$%})+W$r9TI@w+!lC|QXEjs5^Nca{^<{mhk*!a`_$Cs1d|6q5
z?_k)yt+pq3VgATpw*8#%OJ{?~xOG<ZM3OS*wS(KSH=%VFYk9qDweQ!1m6xUpf^a-t
z%c9<$>BpTmj{3gEALZmU$XJs~8r|VRbp2Ui6nK@^U%|ot&*Kf>i&JtBC@``abvPXH
z(R7zDjb{lyv=$RwHad=q%*+MGD{|*c(oywp_n(Wx)htr`8y@ycFX%+PN^_zMSPab!
zY_4C|>dV+IslbpSh=g?9nO7`IXKKha!g!aF!-Vs`GS?<2G)h^bE!@56-qs~n*E@7x
z-lj&dzrD+);f7>MR7>*AKydkT3(5sWg`l03+U8}s6d1;dTH4nY{<N6=^I_=Or~aHm
z(0)L>_DwgnzYIx*)RG4O4M{E0qewubw??C-HH8J4EYKvIQ%koaS<{xSGPSY1t-gg$
zHd`V0qYJkgm`qz%$<Fo~M8BL0Ra!2V;$5A=ZKt2VzrVs^r$Xux*;*_45%Rxz<|+5B
z{RTToAB%$$6Tbx@9RRCqTWVry9Q8>dW2D1(!8p<P!-LUH80ycKNwTr27!sfU{+i=C
z`Y#|hXjNNGHbmgQ!*%w4E=lFk<z{TNB^~ylIU5b&>{L`0@KEA~#9Phq5lLRqZE!#T
z1N*Yj$4iB@$d*@aG}KW5dS(Prrd4sl9DxutQ1*CigglizjuJR;89xg7X1<mHR(`vS
zF&$hEPu`4UDq8wKE$u%SZg^yQN9aEyDQkyr`!te@As$cGPSJl^p66*uyUa^~pSC%E
zh`Q1eg2plAL@v|J2aGt;Gd(@+J0jw#9;P-e&GUV*G~l9oyjstxV>jmX$tj2iN1kNQ
z>Y<l}+Zy&bq@}=Hyf)KAxL59YLsb)Op%mR?s;;wO9cWr=xn&S%Dcu(j3u`2B$eK81
znGp;tM1rkuoYx710<P)sIonB0Kuj)UlcC##O<mW!zx=i70ssITB{8*zY34*bzBsEs
ztXb7e-<hAu2=M^NVS`4i4vN-_m2KGlh9!kVYvlJo=mbPlYJ;O@A>AC<Ks~uEH&O1C
zjBBG`UOYJAp+HcMgmW6;89mQ&*VvtfS9Rg<`!1_TK)#-|tu90!O{!@~JH&)s5RLEY
z+G5NgBec@<+g2DE^9+|&;peZw-)uFsu~EVLjvHE$g*=&C2h3)DW_dPA(732ULru|c
zkhyx1sXJ`$YIrEq&^anfP{!q0rn!941#xhiTdtZ=5DAMBme(iNG}aGH=Gr*X`1C4D
zrr=^yN9Qj0vlvFIVKQ^p#U?a{QmVU>*QJ^jFytr&8iYiZ#!uILI$CHMnM8kG^qrj@
zB%IWUN1t?N@2y$TX-$<$Ga0&5k!T^~Z_*4i?3}>yCU96|d=ZXBn)cETyLw^uA<!jB
zb%!W2e2+O$*>#&*!8A0b8(tjkH!KU1vTtjEL3%Xp1nD7#d&wyKmj9|oWgv~i16Mt?
zhXTMDs+@}M>F1i33Kr%n%NP7u-DCJ%#Z>}bg)|=a;O;AJqB=Hy3iEm`t?<2Bvsl`o
z*!(`hE6DyZ5`uqcohZ0VEo(MlQh!#kK2L$*urR;20L@n43te#5G9_6jexC2NnX4oi
zilnAG2Mc~RS(n~{vMLYthBNSDI@BaTkCbb>J{W@pY}$sYi(ns%OW?r%uJD~ht8Y=t
z2;SB<B`ebDo7sj9;|(_tNlcLob>D_wF)Y$M^AB6AUR1SjsR1%_rlJA*KAx4GkzxiC
zyrg5BwDwn88W?FSOu#79iu!3ZUp`Z-TQzXHU$Kjsl`LRD-3H6cu{;cpZ}s@<ba_6z
zQ~s<uU&0~xE3f+_zWPu|$(gA;AFjZffh_VeNzKIfvIv+qXLeEdhQ^UxbIZ6<VD!6#
zW1X6Ba8r&>Ap<w=cTr)&^9VpqgKzIFr=wnl#Ezpmybcdj@W28}R+rJC51&%-`^Z~D
zZ=2~u5ZTk=&#Yx!q8%2UQaf=bI^>i1pUU<{BLI?)55}b~Lrs0GO(SzAghp>)ww~F_
zdG&Y?uA7)B$_Y13O>W86w0v|wnKeVCp3V2m;9U05HBSaw=fK$-`}T53Y1IGX^A&Jw
zUse7)sE+TPxB5I<5*!EktxJTmA2~wqR2=jUbX|VUs0qQDVW#M;jTNa$UxD>VbO+9N
zXlfw_u>PJ?)30mm@?mRb8#m_yIot!Q3#2+Yo2KtkD2+%n`3RN?taurfj}=&}(cehW
zKG+Qai;I=?>nrztW?h-h4n@i_ILU$c2iDr$so2gdtBI*<o`#zL65jSS`o{f)DGrAO
zVq3`wf+d&AXxu_tYcfx|_!J%7Ovh0f6p{}%@9IL#t2uL>H(fsZ)7mP&r!Q4REUvrx
zuW*Dlu)I{Z`gHcBfR!7V4f|MH0i_r+Jn52V=(Dr*HNli0j#7PTHH@ICp+{RT(3;Qm
z^a5{{K)!%MHm-}t+o7xwU5*-<FB@@s5S`cD>Q_VgHp;(Z=J3>conq=(M;l;>y(;Hy
zPc~sLW+%Z!*wDX5Vs4waD7W(jVYh$p@#e}<h`Fik#su*eSTGc4t)}MX^wq#WylV^D
zd2P_TOl^2~cmVM9)i$!u@P9%1tZwn+%ew%uTv+6);;ktTtXTG?vkD_cpN%IpJh;Io
zmL`Sl@ueLN8}8Ms!y8Ld`31}|l8%rLe)oZOAy?t<*;E0rvm<Iyudc0{$gnKDwu=zZ
z9k#W~Ti~)}O-FJnpy+%{G2N&8o#y-zEUXd+PCDd-9FM?BtNht5=T37yHFS5@cD&K^
z6V7FxZ}1*Rwp4p-+w>|E3sDv|DyUfx>e-4Q4*NyjDrpwyxumb~nD$;KF>AkBrH`9&
z0xiM&TihHcjmP16V1~B7^f!jzgeNV;qXV&Rd0sPFq=f<z?Y3$}*3^;<=7KCV^^<Dk
zmw|+UD6ipP1IRu&`urfcaG~e9NK{?=z6y~MZ1Mf((o-o<%c`V;X0Vq&zxD)j)cFk4
zD>>x1!1%3*&_)J+j3+X-Lq&LrSQm*#uQ7HEUgXp<4Zh@iXYy`z0b$i+NBH1XjNSPT
za3HjCp<tltg9kXcejRb4Vdz)nl<*DitN$)!xWCr%Pk2mmGvxLt9~mZ){a3ab{BG)}
ziitJtmYrUBllHq!v+fO%X-$y&F+@~&+xM<xxX8saY~*e)J_z*6%093UoK?nKkYma2
zEV)wCKwj};@~J;Mk@UgSqke1&A8?>HwJz^<fu>XP^sdhNl{nKU+p2kRw3;~PG6TKT
z(c+HO(+MsiIrL;~hi&WHLVqTEqEPm0p1EVKePRp5!D=^`h>$q{fSt;v{BCPV1)8#U
z%>}vnj*F*Za%52#6pu=L^fKe=9GPcGqnZHlr&%9sTLRvoGge5C5|o4Ga<=2jrQ-vL
zm}Qam8radTh7pSd2zIB!<<<eG6y??%N>@^LT)~hWXw+ZV`T>xQv-;Bh8Z2_id~f)r
z<#<$%GfUWJK9*Sn3=J%Bw@cc7C3@t3T?`Kzj`yArwQN5>KkD70RG>y2hn{E~G<KFu
zt!a-go5ddu=wL5a6hk$xqCuj+p=8KK+?a<^MYv;UEgSh7OjuG`q~<iRjIR5nFBS4c
z?)UVKGa@7>uMdy>mBf)9pGKK}8~FGaSw0$KnFV!Iw~0Izl1s|qPBnD;TnHKprrwpP
zDTm)yGqu4kZA08T6_;M_%8hSeF{=ORB-%wm{2B?O<BUIerR;I1^JG?#O(re5Umf%1
zu#92n=@oNlVxhXW8Mrx&o%&8<xcX{JyuvsY(F51j7tAaTRue)k&iH6aeGVtii#rR@
zw9-(&d^``Dgco!5ryYZP^<2eQm(9OLF>B@y_nLk)Y>>g`8d|z?0@fL)%(nTPH<>is
z4uM2OdB|ifb}Ji)fB)$a`TQWsmr6mAC>YB(WFWu_^I+>3J1rUei77+ZS;%LGuzT<l
z9#V%HcUxXy6d(pXkEBP7IH~VPNH!C;lleIpL1kQX64|$+(IUen7m@$F{EM}1PZM!|
zpFZ5c0$N3rp*4S_Zdm*HXC5zZ<C!$B2?+aq9;nXFOYI!!Uj3J;D`Bf*1b5b!zI#`I
zd5$o(Q=J;C86(??jq0rnW?;b35uJoccJcH`6)q8j!9`8gw-LH`l*{a{FIxWO|9kY`
zPKNZAAgKWCxweIEe`OcSwCXR{zan~e&nhCk+h4&n11}4Otb0TkB4+L1Z|-r!K!oi$
zo-%;MwFN`$qnv}vjh=`CX-svuCV{wre$}6y{jtzC0P(oro>1h_*z#x3`R6jTKm#R~
zmVk0C5PzzfwNHbO?UbnZ$zk_Wn)+=J2ZH~iSbPTEcTC#K1ZB#4<drppdVgvJS%2Kl
z+@h@G?8Czj1N*X}>y`_NPtPxNC}G|a0a5pr^)^$}XtM$jU%G(|9<!-wQFr)dj!)c7
z4w`y_yKv)H9qLl0dv?&2zjh8o1^1qrvAz4;XSIF-x^ri`aaDhKUOxR3nl)DhhM%>b
z8P0QA*WT<feT!({5}Meo>NB=SZCAf5z`<@_JAYGJ1Agl7c;FRs`n-bP5seUaU+19q
zI17ZT2D<(8&n)wbdM&-ErA(5cy>cUG0t&Nw{6LhoGQ)W0<mCGIRWnp-S10h(8k}BA
zOEoF0nJw**jj*{%cb1BZJ_vR_&7@3V6aSYdL}7`?g_20dA6MJ(5bsH12)h=(-QaZ&
zgNA*zb&t#-g@^BvOvT;LLPXRBt?Q31-$Qaxq9g$WQ;rAm8-2Z}WUXG8`ez5z2^I(t
z9m*+sCwDORH6FfX1@>4X<ZqT_;)1ty2j3t&P2{~KXjv&@;B33)#VKT(O1&tu+8$ER
zCBHR!V|%Iuti}#xbg{ePnO2*ZR<wLQpNI1*s^aZCN6NMyPRTRtfY^zF4p|yI+Fo2I
zI!bVbu|ezi<ntXz;BB2Ia)Gu`M<kskfRR^F8vSXe#KuNKC4XDpF~6&BoY@s+`!=e~
zBu@vxFjiO293P+~A`|)cb)XoO&VO!xd;~Xgvj0_Jf%r|^oZ54BvrDu4@1P;|ZJmUD
z6MCTWJ`HDrh>r4U_Peehhf_<d!MfY&P~$W~7bE)4%>5dd6t|9uJ8xLk5#2zZDC6dK
z_tJOFB$VVd0eeLe3G1(ZUEdCzSUF%W8`;3>a>M?e-$d_U7<7NY*XD{%@VS`IiodR=
zYyPl3xg=(LDtq0Prf!hganob7xfpmf?Db4gF_Yc~SF1_ZgoIhi2fn<zf#KKM40^-k
zIc|pa!VV80_76>Tm5=g5%pO0xPa9?#PZr8M;xgp#P#nH^sg#%sg-S@IUTn&hlVb@5
zj+p8X?vL(lBG$I5AeSj!+dJEStCGebEvQMK^5n2zQ9L^`HfQ~g`U_{%kF_<i8E>3!
z14+scX69C)`3y-bBsvq_1?AyT8i7LVaBQ#Y{_AI-?}o-@u#b%`0q(1t_dR=}-TnGr
zb-74M1&v&d$&Bi!b$fmKxD!9!pFPu_9=z)NrDMVQ5<7VNJ=yYlcly3QVe`%cDYAm=
z%T*vGhb^)YcqQFg8csMzJEkq~U4F}PrNNgWlYn4x(OA-oTy$L@5p-EIQL5X&?LCF-
z4Ollc{Dj2DU9z8LPp9qH*feq;eZmJz`FUwp-5ixd<^jLN@zQWH&A*!UzTzwz*!dwl
zsmh==@AN>;^bRB<CbZZ#BpkG@3U2GGX1!OB!?Bp3qV@FvO~H*IW_^GS(-jT42rb?+
zzt)#v`q`ZqdWoDW!+77BqJQFjeYE#)3w$Iwn>u;^|6-%<iyu#%Oz4e~j_jM79Wum*
zS*Az>;r>F_XQ$%gUoTPWn%Wx*eBrqiNTI$b;h8i!Oc`k?Sknu2Oho+WrGhh?A)*Z-
z**XSTf2w;WW{wzH7&tsy8pDBC_{>jvC8#}qSs|EcL$Ua<Yqt6BZMYmn01D~-v$`$6
zkjUrHb{iL0*K3h)kf^#B^w8)Jl<JQ6`Vh|S!SIiINDAd>Zmejmp4wqr8^5nl>ztk*
z_99Us#0xnb`4Rp4n<2!+=nDw#zD4ZuhYXZil%rI)p&d-29k{3wjFCXVNh}b=+uxgz
zKz4-3gv#Yitsa0mb9WH7xEjjDwe#A{s!s*=;|J9P*YBU%sSHHNahz?G|LdQ=##-#J
zKHBGO&m_`7@uT<>_(<F;3V-LB`vy)RZAAg#1VYHGCH1yme);USHoyp8>yEK`!jwt3
zOxkSb?VY4hSa#PO9P>fK*A_io1LxUFudh4%n#;tD6Vcu~26wZ6&|leNu&Zc@6da4I
ze+9>p^k<e`xmr?!3rstGCpchW2X`s-Antoah%SY}E`U?IC#w&(wjjsvUMo6lTe8Fa
z8xVZOft&lQC(A)Gjh{jbtx{){$VJVwT;%kMuCP*enn5sDXy0wRnUtY__<8|qqWXi!
z>vR*=wzvikL?9Y%eXv~Yyp!Q~5)M)pJbclb79-}XMz-f=>BXf8mY41){3IS3Cdp*n
zFHX13QBb1Y`evE7h3b(@*_L7V!Czlqj+k$Co!NsR17Aq3BbU+Y_`e&X>_pWst~v2b
z>;yr0y>REojZfqjb+NLY3)r)3Sd}1B(cLg})s3zDoG<M4l#Ja-oTB{uJW&QqrO;Pv
z)8#5ny{2O4UbVS`)Yb~WeQ?7ijeIx7^iX{P)`F98KereHx<&?IdrHuJJ_XrUfZlOZ
zPL4bC<l|1i(>&}b_~D^}3=V1ra2tl$_Y_EiVpUP)PWikZ4SjJ9X-B<bV}9==ge<Vv
zZ-Gy>-%MD<F05$=3^w-%J|Px~`ei&R?mEpZX!dU(^Y18RyioI>6!${-$d=YC5Bn^x
z>SK|h-a2|Yhqih16+&)1Sn68RnLF|H&pI7oNE5kfK-l{__EkM>zZMaznetO)*;LkG
zjTEWj>K;+;YzmrRhu(0N=f&cVi@e6w1*s-tTt4=(r|En-P@J5{W*(WO%&1sfw<yoT
z9qgI?TYjsorQex5uwrAg$Ib?kdIBwK42RN>KZ*e>cL%SslYPTAEYmit{*vrdJ+@!}
z#`U|`yeXGU5&&dmJ~z4EwNt@AJFF6U7XIJu{iw)VqNWD%PlH|ga!j$gqGud}OAY7G
zkqJ}o#DaTWW85Ug%=e{_!wnaro=N0(0#7$hYo^a{d36X`3w;eD7r#!#<!v2eLPn5H
zTlJO=U!PKKtI3A2)<RLQv$=G7D5Tu<;K_v;8pJnh@WyQYzzMCqLA|odsdMtTlR%&O
znwnqAto<}Q2)&@Vcc62Yx#guQy~kKC@PuIR^lSjf>y-EFM_vm)bYNGgn#5U=l>pHk
zCew>!T*R4$e3`O+S#G@M>JOX#C0VeO34jtW$e7SoJKqtNBbhL;tEt}CeP3Hr{SCxk
zC30$a^%D6Uzr9{rQxDkQ(yWW3WN_8g9(&_OB1ol&2|anr7sQ?TG|7q$UhdB!yddZ5
zXvzsUEv*^>iD~&m3wWbLI24JDv4X?`2<fiNUn<SLgDX%<A@arw*ERdKk+T09eG4^9
ziv0_?pYpE%z2ufQ+R7G^tKPRS<&!1p4`MMX5OhA33n+=e_!-^``mm3D`<tmb0h210
z+6CTxJBiZj><>8Udh&&0r?I$eY*d>qpDw01a2uH5wfVyoaj19KXHj)RO#(6?w;e4(
ztLj7JKEJ)<!ojh{nj~ZPajUDfjjAgp6{4^>9NVY0`*~hS9$J+8v9=^u6Q6LjlzTkV
z&RIRjl99D7R_C*7;<Lpo)o8fe3V`xi#?hgy1|J%Gyyx$sHC<mmHQ{bH9lRHpQ}r*7
zo0d_AbFSkRyf7xe7Si#DMP;n+GU{_A9%~UHl)|VNk2}|-h6^VF6le>}&)In5`r=|c
zO%Q}h+wUUgB7X-j3eIb@I4<tBG@aQ!nzaKVcn1xw$OLf9B7|7wm{_-4n`!Y~9iCOe
z(4ALTC(;V#@>{^qhy3K(4xV|Y`&UN@ZLFLMfAb{Mm}*lY&<vrs7=};kqDh&io8N~}
z=ZBYonN~n%FF2pbd9kInD4ol8Py&-h6kGE8lQQ<7i!OrKW6~d2JYZbvNaWQqnK)ZU
zm*@S@+EUB|CwNLYfAu}NfV%d>Ecs7Lg|i=-P*ig3M-_U87-tw3v~)KnmgXSgdwPiz
zu!s8Q>K#|<vD39(SJ~0wJuNE285<f$RvyMp7c_WAAhCzR%V-<6>0*r}SHb<IDo_ka
zpN>%7SUnNWJ3PsA5)S!zw^f~6e`WKvLSyIrGHi$IHHiM0pT@}066~fkCZ?8uBu1kk
z9mw|`!p&yft0?|)@a=u_Ku5P=)&E>wSvyhE&=PrY2xQZ+L5}3aqma83;yqt25Wi;G
zda%~z)aY$_^4`ZP9ZR^?(U@8SrqYU_WT25g5r>!ks}2YRC9<-Wj)o+ve3Os=)X4I-
z&WaXm`7OMtrGUEq^zRmN!OhKL>yC8M#7c>h^wrtqlkbYw|Ct5Q=^RY)<kZ&}?Fls!
z&#I`dw4#7=9DD0HEf!ip_QB0?n_agk`v(mN_jLzs9bB3}x%B@ua@Og&Q6_w6)L^OL
zD3b889&XtZlnz~(I5Xs%7QazB&!`v-5BEb(taB&n8CWZ%;*OV;ai5T)KkFhXlznyM
z{55fsb0zz$E`lm5lZWy%H!f;H|7C1${kdv%w=mWlDQz$Q_|}~TYdU;&HKFNq$_>{t
zt}M$|rU*hWBhq-rEgF?06J!1UBQGy70<2^ucn*Xei>|y9ZZgxe_UvfKCt*~VR!9-R
z#WdQ`4KKd1{bz{qkx#9lxD{O{q(dv2WL($KZwa%wwXASgp6DnN9CQ<g?`~uQI;2_W
zQMLDjhX1k>_>yeSixC*UD@r1|9FIUUQg1`j_tG+ihJwcvdu?k8k41@vCDhFJmF>QO
zo39_?^kCr&`BsCZr{x?@*0ikZKXI}>e+bnK+~t)Tyx21G#<?l+;`KV<<^5=_!G%7|
z(sl%VoVP0q{~a9bSyIb!FlX6PmcdEmQ7X{q^d0#SZ_yH77uZUVw&22}*mPrgwMei4
zJRp!n$xJ!YkM7I=p3*u%mz3~^fd=o&oZS1-P>5{55dSN+``o69Ek~h~AVwV?hkn96
zCE@k2;*f4Pnzk;-nj|rmAzMQ(0|(ixVj50NJUk8snTs6?aap19MNG$_{bm-Q07wp$
zeh%d$8lF{PMC3m4Ng5NOKm*eT^LkW<ElIp`q!coAU_T<{%q{L3*+MXNj~`S;P8CV#
zv}1fy#o2sZQToCVZ~1l)!Z<Reo8rF;t<bP|CEosqMS0HT$#zSKQ!l<*lwn6wJK|oe
z*7DYr^#SDN0l~gi36aG97=|WS`?qzs?BA6eBNb?fz1vNNCHxiPcytM+HiV3CG*M2@
zsbJb$?YgpQkE5#)(*L+UqVf6!{`9Vvy0+Bj2gLn{Xa~1_ck>A7VJ~qWWMuNeRLCAU
z;B;~B!&|5>GUbr{vn>$&fieR*AQJH#gpc<jC=zYXhbFA;pUI-Ov=Xdt{67r_RAwK7
z2VHqLHx?BPa6OynA_puB>X^z}>Yaz9a9&<bS)ZspwZESd9R8MH!Gjt4DXc(KWN7!9
zTtL!X0plCI7k0|>ZfF0l)cryutC+b{az+Mc9LxN^^!`CLZ55pLV88AV=tQ4WMU)Dh
zG91GjgPszLTw2iS<RIDEjYs)M*fk=3zH{q9Q{`h5jIbl!(6N0e#s(jR+y?z`i|W#s
zW4S#rMNxBe+fxN&1n=cHzZ0RT@0=Q9XVlI(9}a=J3>Cxult5dr4{N4VQ^ZRCm8BQP
zN{fSd7MR*91^u;7%v-NlU%^38wp~*uA$uj8y00z~0h}N{v5X&uThk>#tY+Br4-C-=
zsO1OA@~-@_rA<|_#^%nzlK$0)d>+Yzhe2>a`lFM9bo}5i;Lf46I=X7$q|}x>T_j|@
z|MOI%{D<cGLx?gQ!CjwUR|c<aL|818{M=)TXY<g$`uPIvpN6uZnxj7~m>Z5vvEkav
z_PNXbl@8)Zs;p*oak7?77P`P}4$PcqeEGz^Gt-17<^bKiG8!2ply;{gh1Nfb%+IYP
zX;~FgHAHt$H`=g!Fwn`0w45elb8#p;W>&GITvVsNKQXR;gKvzsBrZE$DOJEdo^iFq
zFpZtEIxOv(43{%ZI~T((l4<!Zdi-CL*w+$xpi?k^nPX-jxxg~B<(|B==MzlCP*aCB
zmhyKpe*5O$>Wh&>uvx~~&kbkQT=Z41+jS+coSa`yY$Rp|c9qShdgtjw;0?Lm+|?#!
z9=Itj154F+=3s8C78<3Z1_^#nbz}3z--~9&0I&}tbZV5yw-7K0P`0;TeDVOh`Eh(i
z<{P89AdHqdF$%cJHN}8zyj7gBw`Qs_+20lj=aJkv#9@+)B5Om$H5K)m`Zd0Kv4J1q
zw&aJ+U2j+T1sdCQ^DC%A)Y#ZA?1MBT2%K6vgSnJCHoL~<wU}t(ct{G|4=!X2Kah8o
zG<`~kC0xWHRcdrjIg@Fng*2>xz5N~U&DAXkwnVFKfD!8Y6;#yq4SF{hjX$ghC{Ee%
zi$LmkUU}MMO+g9)>B@>jChtbw{Qj1z1yS^|B#zMbe_E=`6FW|kIWq~6<3xx|??wrG
zW8MR}+ZEhap+}PfJ2vH@dHo<6l~u3Z(lW3+v#(B0LR=Z8JD_)iYn)exqyj2%;=y<$
z?=|Y-Hrz;B#ly7fa$@fGy<%2u@FZos8Bp~>03!jrvq#*u8MOUn)IdIGey7Qcf_K$l
zSWY~x+V=bscE<1!4HD^DE+bDyU}b6Xuz2Igk~8mVO<pkrGBq^ioJ=lgL&0&OkxHj5
zpBH>iEjT2q;b3FUXGEfc_u_P`{zX|)uT{;Y!Q5i(sY7~*jTEU>C^)Sgcs|cag^gXs
zFJUEyrl_>PH(MoamStOG81rYU*0~t^PYazaz>JaGvP${*SJBjz5d|Azq&Xgw1RBPG
zH3AjG6(d_sMglfhu^NJQS^(Hxr+9-N+v24SOd3%L=!68Bn0+2ckD+sLB_a}9YyU4R
zyVE4MubvTdU{JS^ytly;9?6Hpky--Iqi|-4_#tWFqFc{G4k$gpb{=m+dJ{LwpJmt?
zhZ9<OLTx3CSlPKC(71*{;A721x&eBGEOCr)T!S}dnDEt2&uRgj;7tl6e^j_mZaCLO
zw&mtcvt=3BOSKM+(!MxZgjU`56);2i45<lcx;Ldx1W{i$H}ce{-=y6lP~A3L@EDA)
zUK37im=z*NPA@1Ubha@akSS=0z(naxT|{F;enxMy<i*>*Tcy8PUrD1KdTClTOXYna
z06##$zfjjX;&x^acAz%xfTO)yb%qWTAso-5*?v0FOH`+u4=}aplJ&=iLpoq)L-hsP
zA>{alpkZpCRo3T>%Gf4ErBL#mo)XIc*34&EP7T1vKa?fX3QTxKGH*v-P78!UB09RC
z1WaQU%0GXGU6YlyC6fLPl7u2lIi9@H@=vgkosgjY-$jP_LyhiMh^6B7e%83EC=@d>
z);Wsm!1v%hW3ZX?qKiYD_9ENnc&^zvuNvy#RR$LL>@!*TcPNeq$_=!MT%@)==b!lz
z-W2+rS-CuhR<E3=pvdPqL#QC24}q5gAn^sCFiCtN=rb+2kn_3l5A?y!%s#rzuFp!g
zYu`}@!n^{XDNhZOb`_V;rVoL?DqGtpMn~}XrMKJci^g~d*6<6&9XZ#1NMsHD!@Z1Y
z>w7MCbw)M*O!;Id2km)hcGR(NsD7V=w6B^2m|iq!*(Nke7q#*K9w@`EWYVZrm1_|C
zGblIn^z{Ps-u;2!i!a61Bza>FRUR8-siaJqLTH=K!Wt<%UQRi1*G0}YZ?UH+E{NBo
zzUNtdR6Feo)7tI}>WoW&Aqrlw`o4%nNfX>j*I`Va_%)Zwuc$e6MfGD-E7y>~KqM8?
zClJf{AM{!_tg4nmmKPI_od<Xo(g~PfLeD8&+0_3z{eQPG><H<i9Kq*Ax@rSPgddD7
zu0~vMY7y>jL|{Oy;*XG$I20$_$0T{pgr7<{W%ZmXJ7>_ET66SI?ySN?A&XtWI{o_C
zsdVxkT3RM1Ct-LfNL=I@TpRdf8MfZfe1l&zE*0D^s=Twnbbz5_9tBGU|NpS{mSIt~
z-~0E_h;%cgG=lWdB^?6N-90o&Nh;Fa4bmXp-7qL!64D?c-5t-q|Hturq2K2n;{nKC
z*IMWKIj?=~83HGNXb?ikf7oQCMnbyC0n7Q#qlJ!8S)absd^mBKyN^6-)%)ea;Yhjs
zH+RPe1R;lMeVygdv)vZA+a}dNuRa=;rOh<+nm!(=!>Zf1#6!h%BJRz~_)*q^<Jh(K
zBD}g>y3gkbw}({J@|nKC38jAbbN{mv_N8<ZyLU?!J<5WVYEL$gTKjk2(FYv1m4jLz
zS`O2nzLP8Xz3k}HG5E#IFYRU2u!Dx=q1u<`>WN;Zr6-){AMW3O@;*ZcMCDKsE)PXO
zjq6Xp>=dfNosykB8VH$Y(}srL&Cx3z%=+fO)t#}B7LNMwQm<I2>@&~D!2aYoQ;Znd
zm&32^Z~%Q=$s;K>KiEA&t>@jMP?V&4F_To|jlFa9;pnHP{M+kWPIPoX;vc@4g=>-)
zIFLd=WUJ(br3P(-L@~8(epcS(IuGp4l|<ibsk6nWlrwfneBY*865Kb1mn0wSd&fE(
zTH?u!nUS<~hvpYz&W&M3_tZ4it}PAdNJ~HBX4u*6ou14?r<~v<)XF67-&OtQJ%?a?
z%urZZ3gft%Z=De2;`>ngrUrQ!ra#G@#EAzU|ALCVw3MUWz^%nOjSftemRaiMC?gkJ
z?OXw!5tgut=m!W<egKM^rgYFPS4(*Lt#~MW3@p&u+kWc(2|=?pAF1)tBgJ{dJ<qR;
zj(T3YI|2IW0x_0&@L|-e#3Et}!SV)OJOZXGr@Yz0=^a5khvHQQ);DRLd=Em4dgA??
z>>^1fQ0)Q%kS?BWHH?0GT!&n)iI(4QL`JTEI6tk=wwn9RvxbJenvPYq#B}Yk;@{ZZ
zgLw$`4YHw+6iCUXWMkg&^up;=*3w?CWlb9^xb`8LZ0=#h8)J$+5&-(TPh!VaJqh2X
z==JyS2?WW!wOT~vTToYi6ldY8&#tbIi5n>#JJE4NvagE2Aw-JkSePvW07~3!Wc!8z
zJl!H{VUJDQfoKrI{AP=Bt#K4wK0{>`G7XVZPq`<~*0Goaikc`shmrVM;Z5NIc|UP_
zBh!U+A@XR-;>g@U=OT?gG*g)3Yx(?e;2#L7t5hK_u6$s25vpLDGd-mhgLFL7?;l<s
zR%(a{#M$-oP}+u~=5;%ee{Mu>*a6U+w6aeto3qxP*rqm@0V$5|ST+@!@@_mKaKs{}
zsoErH_84#VS(7X(X|*CP(h++CBDg3C&dx4b%WVH#tG@Pi?)TZX!^lOTA?bKEME`Sg
z);t}YPgn$-eB+`)VEFoV`@3<6;#uRZy;bXP*L6)*T=%qDjVkh64e&2<i=>4_Yl=V;
zv&Jv}Hd9Jni-K6!pReeRs<@h3Gt>^I)=UjZkWV(X9rDGQc7^o971SQsH_G2&c-iog
zSl(SCA15D<#~rXX&+31ITN=tof84lr(NEvdq}Xqkmq6mqMCZ74$tr}{y3*AlJn1SR
zIWMn`eQ`6Dv<PM6P0Gh_+?KBm82~|t(D)71`seE)vrXlr1YD(Y?5}l)!UoXq80<#~
zl8!8zr*tvrJ-p4`-(;4&E@*9!olJ96aHTt6e3F0b==uU+WEw91DWVs?9tkbTw$`r~
zL*;Dnu05XA1Dq!M0)I4=_sa_88b2)*GX2``v$KPFo}D?}Hfa<~Yt^OA5N8YdY!~Rn
z-yTD<u{JKD=nJXfv|#bv@qwT^sdl}2D-$MrVhUeOIf0D6ug0E2_E7CKI#9(W9DWE!
zta;ZDmAV4jjcw0{m_g;~fj^pINwjY+rTR@_xf>rwEg#ht)Ib4Yf9huoeLbsWM2dp9
zYn7V+_E#$HTsZx5E|iVi0x^NH<PA5Q2R_aeSL@OM<J^!dE;^x%)s2OAH#WqAkQ%Lw
z*Ko~gW&@gMq^AaM7M@GsuHTGG%9yY~DGFU>8P79^geC<ba((On6#&E-<L)Xv9%(5T
z&vH_Ihu3|DOnwbq5L{6=@}cmTC89VRlfxJau3OgpS6j(06YCC`u5|q0yOwm30l@xc
zEqAS^o=oV}%G3RO8e{l(xcpJK{KTB9Jd49gH#J8dT|_zFT{eAPwa<6z(zw?I%K8r%
z9HJIDY*@u}b+|P0f<hx&XaeBgg9Dh?#l;D@TwR`ebHqS#Ai#82wrOy3A6}m?K{hh7
zit?kfRp*!-nh-e3?QODVUVHYUf-RnC3>eMejiu@Dx6+QXP>r8BGP#8!0YyyGMN_ub
zcG=g&0QX+vlaLJ1Z|}pvjh<~4_jy&UmbwEWop_MUvi#epk*ThJXqLo~`*jdAl@Y6J
zKZnf9)c>mxfp&$9WI6()-tqVcD84KJhHdstEXVS8jr@t#ajI`j#fxp9{>&esx%$6Z
zrm%rp@gi-^fAA&)=T(eZCCs-f2>CL1>om!TVaeh<v%_RTum0ZO<I{o<Wxl|~hDdV|
z*KMt4OI-&NKvw2t4uqD8V5NY~P{!?8*qUpysf6MWE^@vrNsXdze}Gdl^I)uA-s#!e
z9&W&i{-s&1CfK%+eiWg39puJYKFf2oJ8|GrDnC$BGD&|Dd5;#!)xNkhOaIHsLGp9c
zEsi)SBf#bS+5(x5KiVs-Tq+TKndD4IhNfqF=pon4``}xLUM^sJU#?SIHA}*`Q?X1W
z!3+h!#}x3e^kt&HPDC^Ga|_F*7uL~;37=m@0|}c<&qF*zff_K+QMb`YNKT8R!ayM+
zqE$s*mU=)>|0k(ggLqya(KhnU;DvHm*X`O{{^Bt9y2U))*Xc*&%L!?2<GqxDg#>|X
zuq-^>Kmr+b9Zl+CM&!Rg5#i~ZJ}T8UjT-(_qrgoTxR2Q41q&}Ql2@s(h(sH-Dc>g_
za!5R?znX=2EE5JjpPl;=Z!Uy`NtKPdm#JXxj%cmE0QQ+6B2PC|3)ZjZxI)Vt`Q?>)
z`$v+)*?24O^KM6^wV61KZeMmVNMMW+uMna*&8}oo@%1$qpFFq+%(h=1`gVu%I1ba8
zj;i1v9!02(hk|vsJ=E3nf?c8YKC@$`H49rSo)x)n5iAwh)9(J2{+qsOuVzO=9Wbuv
z>Qs~>+zj9BW#}WSaxxB7uVh}E*N1uue;VMFDVN%JgZsKjpk1Y?)1pb%mh6zM1g&gZ
z!4IXeq+SL~W*ep;7{f|c1|)xu({muaH?0$PP2mm$hovn$yxi0^86BrqR8}Gw8|4xr
z8`8X1yL6?F?!`NI6Yy^~`|?i&VMu}hKJmeAgjWXNVsfuD6{Di8k9CLl&CwUXZ`d}5
zEo?j@#W1SgX&)>?PQmb+1ybIiabJ!)4wVdpU>4p-?5MgvRJwpmRsdtJl$JEMRvX9j
zEaLomoeXG?S{nEu<t3-Je5p-~dX`95#8-5N+cE&DtvMS-hJeot)7}i%{&Z&FW5$;X
z%lFmmw4V(FD+SmHo>y0O6Zb*Y0$l51?)-4(oqW_&?U1t({Gb%+nNY8?-PuFkPsT|!
za{2}8k8Wn8uV~wxjOt$yJpL!`Z<&$DboO2M3*a*pO_pE4>u6Hhx)^;x8k&-HCXtbH
zWedl{=gEMV+xQZGXB9^aPX~;!=9<YUyun^&!<(=8f!OHx1|1XlIl|1Y{$yT;$DN^g
z%<txR_Drikw+hFr`G;Z=1^%R$$N2}@w^czT#3<kIhuGB71?m0v+(@=(QZdYg*sj(h
zkwz;$_`|1~5p<V{D(_9LT7|FPSXC|&=@Bt)xf+2YhI}VkPL?nfiGD0@7`Gv%R|%5X
zII*|4ALGcafM3w__kArpJ@XSIyIm&Q?1TZFs@)Rg>TTj>n3#k*GkeHUKNd2|Q+E_`
zwGZFzllIoDl?{dvRm*bP$VW9<bf5R<DcBbYd9zbicte60vSZ-LN!vK#y;zN}YzD_f
zvb~R9Luee?v|?1{demt=PoCbU(^}dMwXaN?KZ+<KF89--8h>f$am#d9`hyO~wcA~r
zHoNyM;e7(>t6)eQ#YSr2CzCejsC)5RSZdWb*S>6y=yZkI@c~>=@p!>DnQn&nsvgb|
zzX}hWc+l+jlQ?x9AByRyT`_vgKL-M;z6XIg_n?eFPHUGCj8|k!?@b~HZz<AU?XH0V
zYkT|UClA7A_vB`$)8}5xlw8TS`(A?FDxO)D$+M#7wj-ZEmW%zkG{_ySSlFMv$f$6-
z1B!1cYPR{drSk84L&0clFKM8}9&+ABgZF0vGk9Ex0Oe;R=r~yZ8WTEV2BDX^A-~ez
zuOq%}z=08xY<zEKOJ91C|H%!?5+h4v(k8rDwS1gD7Pj?T2Aq){T2$y?MWX_*U0Ghz
z^9vChZj2<kj7--V)#OV!EdEH+xMS>_L#WxTk3Z0srdyI2r1n35v;L7aZ^02(qFcVS
zs_YN3*O8KkgoDFC@|!dNaYyuW<I_`QS&&H^<S2r1`#WhX+tMRnE_HO!;Z;eRqLKl5
z%Jbo2ozqxk$0J4m&m9lJeMC}*FLFPW==LcvzVx8#dVK=cAi{OvYJr>2@1Kb6+E?}5
z9R`lWpSPm89$<&Lcq5vLMPF?kqL8LF)Gia*AH{nE;by5-w$$=^zz$nyE}UORPo)_!
zZkDUi#6Q7|;KmIPgiUi#pT$>Eh-dBm(sF3QZ)Miq{P-?k)wi%Aqp_U_8r(H?)rcI~
zswHP9Z9ln>Uh_5{MGOc8Cc}PA)N}JJ6Va_C%h1MIyQMTMMcuxZ$Xi^d6W;ICwo~Fz
zQFJ`M7T9i$ND6D%cyko*K;2DTy+V8~RY2@M=zcvgl|0B0=VrvcwEC5~=2vDWc>5{+
zWd|2CD9ducOTxybRkNVkSrnpwE#w#OD#je$ms{dylu1T4ONYai$XHXQb62cUu4O13
zfqUu8FV_ol$9)|?6sAf8o%a^~W%aEg?DiX;LL%p!^AR@eldS7GS=AR}`(=fNg^mIa
z$2U5FM^7Eyv~;4thQ5Ah`3InVme8mIi6cgFdY=?C1lRqDfuXQSIRhM%RTb*Wy-bn4
zfZM&l0b=spC($qeS?6kGZm|{6oYr9FnRy&%J-Npk7oWe%p%evZ!A40cI=A7t<>Ha!
zR7C7Tt$mO1QN$<aKRmwVgYEq_KYUG)Vw(nj_)gMtV|W+&o3#jJk1f%vf2b&_5ulEu
zBTmm^^c8H=-Fgo&&*UL$07p4b(Y(+U*&tcN5fv;dzqiF>LpC63G*7RJrbgdL0P+h+
zqGNpMN_4*!g-ME$+VIOE+ssNzm8h_hUg2>CGF#KU%AgdUSM+jG2>mT@UNgvNy~i<F
z@g{R-F8GN`5O2UIQov64`#v4lg(<4Unbor&un41+In8)DV?M(OFvwkN$I0|Zi#CDx
zmwH#~Q7Z5f-CQa$OY~z+i(}9~mc+&j|9!bzTK<p|M8{(f1gl6~y6t@gzF$PQ*F1iE
z7M(H${8xkRSBLH%2FPotz9H%vvKd8E*E8AIHk~pIwFU$jJMZK3Q(m_l@IiFR2!x~N
z25@S&jh8m}c5M#o;O`|cD-hiW+b6TwYlBuCBWR}Pfk8*>9u%g5rV^I}efHJXn^QB*
zfSq?R6{8K!!bYDwZhNhL!DjkcTcxiRkJ^5j3nFt=1p854eH6is%Q$p*^s<LU;6+s?
zxcJ^Sv{4>W)BR5lZ0yH-(M37Q%gm9-Q)!g9U{{)<!!sz8AK$Epk$NS$_aWalBUpa6
ztTO(!>d=+W06jp$zl@LQ^vzkFVmu*Se;CSD8gzh)Z?K3SnK?Z2#)-W_q!{-sotTB8
zfDBV>Ln7*)x-sWxVTlT5Ai>;4Vl#31{&Dd>h@VLMNftf1Ev8+vf@T{`B<%jCANwDp
z+L?vp42MfBy6<)O=3XZwP(Jo9NZ)+V?cqIw4106NxB6-l*W!g8DRr2B&F%TpaY-n?
z46mlAL8fFB&nwHNX-@+RY$kvV(lvAPJA0o}0RoMc?ER3!-K-$ZL%-+dCCPx>xR`JF
zo>=2lZF|H%nwUW(wd9-oC#wmFFv<BPj=T#aTpf3%t5E^GSXkj<r!2Qj^3OK5C6et%
z>?i#E58nRrE(N;kDpr*zt$#+c)U(5T59_S&#tKVIlJ`~FcL}eh;!zW~m{gf3(Y*|3
zV8(P|&Uu++1fv^)dS`6|zL$?nJZ%C?<xDzO4X5u^=tNTYQOCX-ywh_&EMdpd9<1}0
z!zBuI^RnM5X-<vWH>*x`SJ5b5P>Y<~vMY$}cIU%W`9@s6yk&*EFkgSZSYleecPC5i
zAd7bzVpc7lSFtgF756`P@wQ41L2!}xd3Z1It=)}A%I`PseY84+SMXc7$y4)AUaI8x
z_~O`pqD}VHIl{4p8w+SCW_)mS4p=L9Vc>R4iS!09`bIB{$S@Ex4sEZz*y;4tA&V^e
zba#ZvJ8YcyZK+P1x0Q_>6b$4gZ4wW;X}9}E2D64Ak%DiX$)Yc>=M)u%G`32r9ed|m
z6p#%_KW%*pZ{|l<V8*OaR*Ir^-de>tir`Y|Yi84qxEEJ<)^%X=`~F^!+Obtz>E#{Y
zwzO>7?Za!1k)#jBqa50E*M={MAVDifE6b})15{ES*k+kn<u26fM-l17<+3fEQ39vy
zXCuFMRfsBs3UVb4nY6_G{&bc^^r-U8?k)X%b>oFT`)9nx3!SJJ&DgAZNNp9xSVZe<
z|IwaZ6o>YiCS2(f7o7M2WlWDL-^@kazb(2g4dTdy{V0V4?IV9O{w10eUi^z?H6!^+
zjuzWCdhREMt_$Oj8j;@(j>j3cw(V~)VOiKO%yq&f0^7`&Vyb_UJM$50TuUWH7%$Bg
z8JYj_NZ|u0Qh@sBl;jmRKcuxX-~pA6IB_j%nW%`dz2C)biKvv2G5qeHRQ-`OMO<px
zWsV<`Y`Zh#M7Q50u2#TbV6368ftwb8TC_78X3?OZlKGZ7_^?wXz9b>^<y(eHGB02d
zljz|?%v4@bB$=73;o&6_&kYrY_dp3D0)GncssB5w$)UQ(0t<JwY<o3Cn#(jbrs90H
z%0OnJh@RXy7SflbhS2;-@#niFhk+m@V6m{vl`m69!)Ac0#W^L@e@8!Y_O?#+n1<iz
zuC3(T!`|dzjT?8?3xdqKdF~0aK#dSrBmL)$9;B|@%FH|2^oZl}QqyX9GMXQhj7kju
z<nz8L5ND0T^Uf`W9BnsTIce)Fff`9#B*SEwFAno3-(;ZG=pRw5UaCpQLO<1(94mnW
z<am2cz56+s$6AH=#yOnDM>xAnC!3U_8kh)(%3Ip{Ti6IQXoyiv>A=fGfze-F-9VOb
zdOV3Auv+&l2}_6|A4~cB9)6XoxNa*^_we<(xa!_1tmtd6$eGj8^Lg~HYtO=b3SSJ~
z*_CEVZ$Isg#r4B4KFTf0Cv4xBZ4~h^sN|QLcYIX3I!-i?o$9AHc&Vu5<1~gxQ}A=p
znE!gf&;O{T#3-EEi&;cH=v<3Kd(7AQ=!!kMXpy+QB>Y<|K1sdXLuMOWeaF$|HM<hA
z{8vru*Oe6S!6ersqsK4WJ~)EJ()m1wY-Ziu^fyhb8{78Bf4e`m$NZkcQJY1xEv~(G
zQpsmcKS<|mB<F*x`)3o@s~Jb^W7y|-^r|uh;sDzC?Ze05&S)Fa-hERn&~CGoQ{a1!
zL#foNnD4cDE=Jrf3NT-q{&rTZ|Br3I0E+s3-}uobrKH=H2I-Jmy1TnuLb|(~r4a$?
z5Lk(&yBj5?k?!tJ&wkF#|D5yncV?Jj*im%vxUSdryq}e||1?ozmMn6d0V*AML}37>
zep(>A$||mE>%#5cteBu;`?Z?^;VhtXz|m>_!Gy+pw;GdmR%LBXq&zb@81UP3rJ)15
zjUi9!CAX4w{&|!Q`ehJa&zM~2YyT!yBy$HizO~triY=RF*5IlkVl|yZttP&w?CF_b
zCx;aJ=_Tpw@a0m9<KV)8!OIVVOz1?i4bh7`oh^uR_wd#I6Tj$qMA*?QW|UiSwu~=>
zr9vwVh$;d3?HNK|CfVq3)&F27mao;d5;IehsIE%$6mxS}scVWnTnbZR8smj|2>5_|
zT3I65?EHA*sCU()V+vcD^3uDWq~3n$uRvI))z7l2b)$r$e&`2Y)gGEs{xhW$@c?*$
z*9-B4^31urpW-9w*%5W^v*L`+!A}6fYW9;jyFDqm_i65-T9>?sM4}LMI|Q#6FVMrs
zy{a>4G!<k2(>DwPmw(tPYeCIE!*cng?VqtE`-6)RCP5|hMg46#vndkJGpwdLkeZr8
zWQ#!(=h2ZYT-U)-k`-p>N5#X!$|+fG^B4h6iGVfv4>&~1vGugbOz}#8BMoesdfr)7
zr!4gI<+Pb(hL=FVG5kW`>v74U;b;S@X*#E|--VG!B;}3LT4BSeBd%!Zh79wZW^fOf
zYVWZ5v<{mdYF=%~HpE?;ax=0ws&C~a$uQ{L{wQli{_~U>SwVkDK9Dv|Q(Vzg|FJGo
zmuX#7yt5M|qk%DZ@{MF`Vg9)do6p6~;KLuoUcNBTJh@XMMs=qCaFBFdv%31f<`e-T
z5Tz4}e|U^;r;ita>uxQmUcULn%tP{hJsNT7RClJ8En9U1F(M&t`0A0kqTpo4yQ=>U
zQJB^TP5RWGZ$*W!AD44|OefA8dCcVs$Fj~nI82no^%jrN#<Ar>Ryev`Ox&TrYT&jq
z>21wB4Gk9t?8COYpI0nPBMly_j#}ApT_}N)U<njzI>R8E9NF~@g0HgO-fkG$IZwq5
zFqcZW{PmDDcymfp8K>%UdMHcvF3f|w+)#7&!e4JZ|2u=82$8v=;*8JVK`D&6Z_(;s
zgG^#nJUDc-7Z;!Z1pEfJxU-B)W`=Qk)?6oQo>Ud$m{Yy$@VwzX+K!^xAbJmS+||`M
zKk1awQUQB3ZF6_E#he_W;NWFbTQzmLGkkr^p(|(4?`){ou09B-DYFxe8eMJ+<|wBI
zgJ`T9x<34~?R-C0S}_GkrS!~eI8M>Glx<v1hzmByTG-5EaA_MoR)`LMXdsB%q55=L
zY?h8&lN?ePN3MJ^K&)ON3bk+>Rx@_s^!veLSJlc!jLVX=({v$`(?6(^!?G#Ri2bOK
zJvH?_dL_aeKvQu$`k9#(nk8M!fn4rJ8!S7XPdjw#%+&w=!a+rj6dixSfmiaFp8#q|
zA*yuI7@+ajP!&SBuXAT@_~F=mZoqV<nT@KhTEr{zoRe}_5Sgh_&8+REQq>G7V*Q=~
z3}@O@_tQZ!wH7m}kj`~PFm~Fb#p8ov)n#$L_~_{^XV0v74hOX+zI6gI>nH(MgPP^8
z@$$C@TQ}Qqbj0M7qlJ@SvBiH2=*mW=zPwK?-DlCsG!DYN@^fX#sE;K*6&P|p(sgMD
zwI>lXGmud2Y;MB0iXL05-;w-l_hIv>1VvDI1oo!QuvkO=S?0?(+BCY3Y*O*9NITtN
zTGlegIrz|dbi^>tOem%wvKe)ZXOsbDNfz;isSg33R$BM2?YG4kBb}j(YwKGw=s;Az
zw0KS|DJyb0>ux#TNbI64_mHU(I>lg)D$J%0$F%pl9qP3z#`5xF-_P2|!;Cl1O@8Z<
zn0c=gbS9e=D#kP&;L>?5(!%B#+Z0<)Trtca2R&<HMIISYSrHuhZd?!dD=WvZg0FeK
ziFRej;V;6T)kfg3vO>_x`V2^9Xs3?Ju98%%;BNNYRc1%08&@T-Hgk=d*8F>h?gLJa
z(^%X%ZX~T1x9Zs9prr~t#&L`4+qWHp()D~V$|UJZelCxW)`2R&^sAynT&@IbpIbp4
zxipOl8Q4Rz=7mc<?`r?KEo%a2yw^$m9Y!u?Ie42qbibsuIx3Y{h`{ge20SpdyI_2y
zJYzZvBCl<4K8V~ekq*~0iYC3`(ESQgGuRLC*=?mSk&GQAu25!XJzW|wJ*j){wS-$x
zzhK%J>Nnkhq05)yti6MAPZm#*nuQLmI4fT^Btx%gpBa#ux)={S2}t6wEi9_XB~dGv
zNuZ|_1Z#OYdTsERM~nP25wm!hI;UA>#IMI!TP06VB|#Es8dCwUC0$21kUkWSf#R*G
z*{bC)q+alVV_U+*dF9Aq{@_C>@Us=aGdxu~G4I}RRobf(e7BEN^po&%v-<L}R(2+z
z!b_bqYrdO~%=BUefjQ=z>4IL+<Te0q{E`0_iCA|h`bS>F=C8rC8Cl$`XQzQ0gL?C%
z#`%&1pMOv8LaJ;f<5#sbzpm5K9VV@`vOQ`u>p3bXfF0Gz!)6um<qf6eTbh=t`lIO7
z!Zx%iAmBeu>8I$lP8QW53)w=2iyjn?-O5Wl%0c|3`RDe_IgY8Afq2nL2WJz>%pzv_
zPu5hwJ|6_J1ZU*NUD@O^A|GXJJyUa-%js!Mu{gn6lLT6BW^)vfHg_PLnddP3?CTe#
z6hN4~i``3Dy0ipMf3uwR3LH9a9HK6dkvXI}<*X5pAmD;ZF|LpPtmd%Z9n(imk<IAD
ze9~(x|H?h$-$PPw1p+D}k~E#hN~cTqs-@93J^>30?%Vj?6l6xnDq?$F3#CU$>dmoJ
z%&a3aAhdI3jLH)#j^B7rN?iNxomRM&tXJ*P?C+%PM$;4G>JIfM%lq6Rx?*hI94T}_
z`aa)(KRJFDNo46ltqFQF?C(axfV4bl>R}fSR+hj>!{Z(whyuC7Ob|ZWgRlZtxmew-
zlp8lnX|x2{O9L|+TW}99Z|t_l&quBAnlz5NDjFDRwE+lw8IIVIV_F#6G!BY08-D^Q
zlL&Sq=+&g;jZg`4V7OUZuIIT0+1G>yU+EDQyYF;HBZ9gJ%!&JyaGJI;l6M!#!SbUn
zc=Ipsc7gCxsK>{5!z~1d``?=!bLg@~RRi{pU)!M*VoaC}e4c*O0UL-}g;qIdKn^|Q
zRd>it?iOQ0xnu_lLUv%O=Ta@0*zT|sL{OTp_1O<^Pa%lt%Pgq_!IiwAEhBlA)tBkB
zMiq9Kfdge5To&;!se=P`BKY(pw@((;9XysVUdOwm2XclN<8;yuXfAR8sNdS#H;yYr
zD~yDD+lMybo<mK?km)?8p9TF67}~r%IJ$f0s9`ZZzpgHOg>dX#G#DKNjbR0{jZ1Bf
z=>hkT1(^((&Rz!_#*&6|_W$ZPT>*hqw^FKUxA$r^>FB^K?hcw0SBn15@WUs^mIVT)
zt%Srd1EI%cU|S&)XJ=<O^jgXjFkhZB(N?%4m5GRbw`7=Gb$aqF4`~LUmiY;+c|brq
zGT*Zta2*eV+8LFdsN$t|I-QTb-X^OvRGFu4680d2ZahF2(K#<`c8V_iL!Nnk0r5~j
z4PXgq<=O-I;yW2J5&?(JQYe>6T3}xH6HZ01Irj9=2^tU+$valNrx`~q&f<Hp?ZY$R
zXcI2U8mZoqNbEHlg7bN4058udl<xnz3xLgQ)hUB9Bs%oZE%Cn{&f|yKcunRoI@0EC
z@dyS;AJdQEX4Uc5e~|^m88!2dPPoBB?F%k&=}5LrHW)$ID2H$AneJ9@1jbV>*m$1<
zHCj*7UVU6>`{^~7bBtIbHHg9*I`AEW4d#2~RQcI7cqdN&XkpuJb%OpXE~~$gj>qrU
zPM`rNV7g?tq|B_Ax)WbiI8Lk9ao}X#;2!&TX~2Dmuv9?phXVtYCMvC(cBNFL%d-IB
zc|h)l--6@5?2&aHe}#$Zw%SM*Gt!yBWBzWXVTowAuY<4!n2q4V3^i~4)5ZoceOEo~
z1>du@<Y2!t_Kg~IJmf)8CPpJB;C(2kB-kv7y~j9N#$OiKY~<I{R$uV+9fbam5q<Yh
zjucBvt?SkBR1AHRJ+%!S2V%|%J~sIG)IsZQ|69HOAhu;mTqD@R;!VT3vcxqvm+weL
zMOEZfO2*siM0R?ZXu@{4E*W>hxJAPdV{Sv&@T>c~f~`ztdzj#_5UJ0wR=3sE$3Bl7
z8Q;ND6mN=YoDqtM{Kx60BqJ#cR7{rm3^yaF|NF%L47a#!eoe(3q_zVhxaHb3Epf$9
zPvVE{=<c4BT(cf}0ILHwq`uoi>ku=OD{a9otJjQgo7c^>gs9c0=;60|3yYjyayh05
z#0AlMM2S@z5@>bTYbUYjE)_8}yTh@#Q61k{^b=O)*aW0A(dI%%WEr}f1v6E_Vseo$
zJ+1uu;NBc>{LM%>#q^O4)lfL&i-IrgKsV0vcl~@a-}PoAHr+gkhobkw1VmsW=~Yyc
z^h&x#%n%k{GVB>=-xT<N=kDB*2F?(SWkj@9*A<^&u2Z+{DQd{J_jNlOf9N*Ji1}el
zcG+EzotTog3mhYF;WKRs2go4}p^N`iDY`B{tg~bwGvM)E6Nrj3SiMSCK44vOn1{5r
z%kpI5iEFMu@P?_s*?N91N_D{B$ivw%_Cs)s)A+AnTGYpvkAF7c7mB-f7tWOAnzq|(
z!h!4~`|Ztf(~P#+q<hxJc^%wAFMK-I%E~Kb$&N${R0EX7IK_f&k2(SGVRp~_s|=<6
z7T9R<9R(ZJkUR#j_zz;5tef+=GQ8{vVUF8XfMCm8!QU#VGHE1>WtH^HqokDa8~8<Y
zlE4f3(u;j^>`*cNi-EmPfZ}u71J|>xBieEC^~7MzLx6$Pvv_9e>DrIlnlA%pn}Z-Q
z{6d3&(Ess^p+BrIUV06sU#FOztF}sEPRc#R!NwXMBOC2oK$T{75Jbl%nPOq0VQxye
zzY|d;u3&rwl0B)tHH?nImrz@kW{~T_VWOVgzCBz1*zEZBj~oqJzP4h^t|s8@k&GCi
zZStCv5s1C#8;$R@>>&e|xLn%2<~MYCtYNQFbbMY=wOWa3ap|{rTatk1sw@$J%9v;Q
zUBxPH<F+~f`SjMBot12h&gC?=eN4@)OU7z$OSxKHYIu`B9+B80gAIXjA4Z9hUyT~=
zW-Ef(7lvv5oE)S!07)gKez;^elu97ize8pd!@=DU#zDYm^%V-iUNqD265JEk)WcDi
z=1I-3J$s@D4=8-RE{1x>o6acCAvCvb<m!>HZ}_GEEmk-}$xsoXS|}SaLUJVb?+Juo
zWE_Z-Ovo#B80?b5ZkYB%M&7XBfzN!5l6J@{=<rB2#muX{gVh@2GmZ18!g0kpRdak<
znO>{c@wXi8>D?3vkXqobM8wJ8P3Sj#TpquYVYcQ9`fe}3<?Ybs%m?+=R@Lzd`@*)`
zy4QGLejUp*hw}BALI0dKYo50qDEh88mf$~2Xv1*x1?K2g2)~Mq@*;3zb&CuT*^|}d
zB5rskGbLmljhHI5{7r$fRN8#-%^w1Od_miu#qD|_6NrJNT?(sFPn8}$nis}x{Q@y+
zMk`PWdpO@aPcS-RLs>b-Qwq-o1YD2AlT*0C<_XMie$|F2Rm^s5K_puN1ypj1Z1T|%
zGaz*d5iOT=-2Xm6_{$mxz-@6%bc2(e;pfI>>FFsOhwr`)m|>}oSdVV#K6PePR;lmq
z>@oTsj|jf3Pf~FZ)H$&yXmRIvo6h{$AU^8h^62rI-?XqTb$vnqE<zgvqrx*}G^52!
zBip!sP!8@xfq6%bwUyPPf!}VOBMO63kk}X5BuV%bgd-!kpDPT96XsOuAk3kUHos2_
z+YHa7mp(4UkWwCP(%`Ni<5$hn;esw~+E_xNt1(EJZ-OWVOeNnor6vk;sIkIhnog4G
zM5SV=N8WRd-VO7Si>IB$ku<4EkS-$ilE(XEVgs})2rOQ0m<BUmXylKDdNr-OnzA{o
z?yEg88OGRN<3EerSp}MSg;?%464631R$4^ow&DNxwuuP!UlBj+)@@J<&1Vm<WdMnc
zw4~K1tDDZh77jXOE?0CePp|A=*fcJ)isTJcw=r>w3JtuyD4{of_+^Z6;P6_7prg)n
zqs4;~>`=l{%W{wr!*6E3iJH^c#{0>pW+5=C)KT7{a;fw>lPv0SEiS1{auGV%P@QPt
zAfP`4;q3}|VX7lpcW6R~3aAGj8VvY-os4m8XGFW+vi%8S=gNtJO6UTaT+NwBsCr)d
zHjNolepCSqKh><ihc{brq14qYUyE>*JV_jiS_k<VkF#DapqRlxYEL3o=@p{wa~$Gy
z?ePAK8N{zc96^2+n#<#6ufO*7<_RVzA&f#lz8i!Ex><|^aW4Qr`sLCUi1ehb15^?`
zoxd;sUa1wq7-}v4{1ydV&WILo4$h)anVbwNzzE1hr$HI!=(XI(=wtu?eqH_jFh<9R
z`ral#rq=cSBKd^-TmTNnHD!NiVR07@UZi<s=H_*wqj?M>A~>OG6G@i+hmuPxi}NWS
zC}numACk$t@+8|kvUx2GuhXm6>+Uz{aYbeplJ>ey?2=<~;7-oTIb;%(`YTQ}dFKUv
zwL4uEycs)a$TY`co`Y(}o{dNFrtCNJ;3MUxsuJ#ZfNR{gC6cJc=xF};V0HJPmE?Q&
zeA-Y&cKdtbfY%!O4*;d)yCj=WH8{HZN7|#>ydF}?>QJV4L;aH;NW&{N<T#A-c#Au&
zg<8K>l`_@W4Tw=bEuN1yCR(N?_1Qu4XoYN0P)1V@#HEPkQKIE6_n}PdZMdJcRTw1_
z#bdxDlO&O5#Q&eK-M<P6@X;ax2jsqJ2}ui0;ORRdb5s~C(*GjWQ=<kRq{!O4`0}q>
z<9PL(-mqj*tB9e6IOzBChAPco={Kc>7PiV?H9iho3Bu}I8J{IaE+C9-)mVJ7*zLM}
z>v2tx+2rz7avi*TJUOg6rL-2qV}vQuU%*KZ$sPqV&JeH+4N(;f>hy9fDz3_2G-3zu
z(F5Q$7)ibZq`Z`{$@33#731^ZxhP6+YysO4S((#3o7XPl_`q5y3gut~+ENit_{<Lu
zP3Ay$D&rK@4{|)J%z?5$;ZjDAovQ!#Mj;4c)%8nv-vo7X6<dFl1A<58%VR9}U42P>
zX$o$<fkXhwi|YiO|KEy4n!Orxy|a~(LxhU!YtomKo+748BCY5J297g>1|{_#38!5|
z6Oxtmd);={T~~RN6`t%t+HXM8URpOC>UK6ioVJ=%@rzt!T=oIt6l{<;pKNx!zo@En
zU6{{yL$kmG1ixByx0Rz2W~13cM3$3s!ev~{nFATm6C4R--sWkk1I%0VO`Yaa>!1R=
zI(+5>M3o$m_6v!U6N9pHUUDv<CW$>vJ}uTD2G}n;=1GZQFPubCr%%Cr2b7{YCB*Kw
z)fp|PyNorOT}-n+W=?I3fktq>HfDY8w{mv0ninJVP6{{oLlV&oCpo5eb+RlKYUPC!
zgM>~>tI%NXTNzZuPSISI*e!G7{~43BzMnix(jpF1Xu0LcyhGX)3uJ>xNs~IN;AJ9D
zg+F^Ks_GP%_?O}m-zuL}HOEFJy_9fJaHj**6m1eQ1CS^Y2@=t-2SeayZm^qc=ha;K
zhH9$%-^JL}2E6}6sD+X97O1I_StFK^TsTt{`d0LA?pALGPq^r$F2j}APy;_#Ntbmg
z<*0q8C}Mt2j~X!(nkigCLFjGECH*tde;#KcA-mzXL&yhb+47!mSl=SC;p=1zpf~vz
zG~B1L<t;9n7$9l;#XEm#>nI?#wvDVg>JW}>-K)9F(h&|KycxaP{EOwj=PJ8qH1!eu
zfq((`d_%zdEY#oHxgXZ~V9FwtO8-IHK#yn`e+cFOS6cemgUFQ|&uY#@0Sjbkz6SoL
zF30@1Aw|ygWxsWqx^F%9SK+U})WxfcIklD|Y)SwpM?LrWXvFWK;d`>0v)*?R*h3&F
z15H7uKTiU%E}uwAMUp(^!;f-_$sn?9y##bd2gs8+b=G7bCE`jAOdPtUB~Vj$?%&=1
z@pqAr`N?4bB_$&NbD{aPa_*tv#y}}YL7chBkH0Bfz<gsWGE(3o7dIqX9EGNDXE=6n
zJX!ma^t<j$e}YT;b$Y>cs0jrcZD=rf;K{tOVweaqrC;^!u`hU_(i!^!Ee40XvF-GX
zMyZlXF2meKBXacuC$SeT2OS}zESu25a%8f!S+p?2P)TE4-5PTsUMXJ4;(uqRYvO04
zAzBE?S#^%ox0h!v%{{$D!fcq<%%U2|eF{PeK$3yC)Jn|Nf{l(Ab#NTZ{ufm-l}oye
z3^uooNpeCTs=P;ju0iTzAOi($enHmG6ZX`CK}j^$pJ*%%L)O6=jz2X3RmD`Ex;Ue@
z7vxvnJfwlhZ*|m#(wRDw03gz_^y)Gj6Zoxyc?4G#GIe8x!X~4Os+|zAgVd&k0fZQw
z`f)yo58J%?`%}^!wm3xsfncJ1>ywo-mL@VeGOikps$G1*#0!N^lr;7*%mC-FEF!?{
zNhk<R*qS+Aghw;y60Wh{WCM~OQU+>OZwB;H0dn7ciz+Lsaqq9+fs48b9cUxE9c}Bs
z@(TT7Oi%*O%kH85J3XvCH#~oAX{3;YJxrqMJU{OTZNdhql=O`(U$rC=U~@8uUIS=R
z7<{qmAaI2*D8n=IT=PVUsH&w&FFf<p^cxi-w_8T&IfLc?3<ETIXUnO438kW}G4>^J
zDmxsFawz@xZLSZLlt9!Ts<V!IT(|M<XNv^VsTLm)&x1WE{gJtUeYAdtu(|VNjiba0
zk)D*ARt>2K60jm4TVAq2QtM{IUMizIy|Osy4(M(K&IMD0HIDGirx0SW%pmK2p@o&c
z=7pIg;;3fefuk~kKZld99sm%S>HXb9k~TJl&KrOv&ewi-DTCrShrdzB^d?3H2`P~?
za`Tc3_otHgNGOP+2kULh>9bFX&Hj;`o(O$xUo<Gbv$Xsq+!pc0LFEI3IZ_OhyQlp(
z5%fWe2IhjQOtLq8>d58_t#IAnu!(juBai*X6;rLp6FigwL(wGx+6kSNtITc#_dv}u
z)^$JJHq;kpz&eOn$iNO4CesVWeZ^OLj!4)s?K5GV2J@4GbUk*w+nwxxSH}F?zb~Qj
z^SZrJM?1!R;Vk9jW874wJg2=Z6!~-LT+NCK4xE}?xZ`8Yl>MQ7H{dz^!)%$TGc<KS
zzLEd-lPtYljk=FY{j4yx*oGuza>d0^39iM(1VhT;{hrnsvpO1(zp&E&Ox7M~p^k>w
zDXDe1t5;(`x+b5p<-|#H@b)v_!1l+*`2JkDYrd73-`Z0s;+BhR9=-oFKcj20%19KL
zE4w0RZ_FzJ2HC=6BiL{71E|@_7<Tw;8N_s`&EtY`c-WQvt8K^dL%LfHN>C^oI;v0E
zd_-i>LIQYrhA#A%Ud|Uwp5JL&iG&kqi>quT&4qF5(DI2w@zUj6-{i(Fk2<??i$T~q
zjZIqWo5}9|J;g*6fX&cu%JQt}+Sm!JR<>SI%8#@w0XPoZsuc5LxLKBdDtQq(ycjfv
zs$$Wv!nguX#3;=P!F#_}K~TEKpOPvA$y~p+-*1M!tY&6FUTw-PDhP6Flp|j{JF!`o
zs4#+iY|8sWjzMCgU2O$6<tL4fP|E{6?zt>97fEw4ZT)HNO7%JNf(=tlMFyb*!8e<7
z23G8&(Z$<n-Tz^~zUPj8d{L_qTbj2{lKv<{NDTCW(uvG3#n_P1@;QkB%CxC$rPzx)
zZ2$?x*Cwa<Z(ch0VRC%gi&J?m*~vORxb=7FU^to|%f#2Bh}DP()#TD@g`uan05B4h
zf{-q=;{bx|M+|g=MvGoglj|E<fHVzu_swWT(SFbpZ=F%vhY(4iEWTFIyj&*vK$M=M
za-_pV*6WGotNnMF>e$*$f5Gvd`RuYEvsK%hNG>ZI1AE`n5O$bT+{qZ^#A0bv?CXy<
z4d4RKh2Z81WU<nJYe&_G;<w_Ehf|0Zl(FStL<Jzt7f(2SHl(oTbebdB9OlDed@QVl
zRjRJV?Q%j;z)iov_Qj@YiPXiPF(HLQQb@$8gL1Dw20q^}FaAp%-Kkv@IgyT`PWK&R
zZ7vk=Ulwvlqew^@n+hmQh70aSJVVOv!e+31PtjK27TpqWbiF6F(r<R-!fySZRz`r)
zUMuE|!5(v9e{?eVNX{Osk8`>((-2NijrXn%{fW*G$Y4|XCWnb<{J_^L0vu8|Xyoj7
zA||gG9RqKb9M=6s_UiS?f7n*kF1%9`IJw!{HPPG87lEcWQTyV3OHaR$0qF!mCG^GY
z7}0d(>kBJe5hKuoZ4Bk)Y|h-Gim0Zs;ZfQ-@1%xmg_P_-hxGK5qoK=0kCzokU}@E)
z6d;2Utb7%Y;kXJw^}GR}`dLREYB^=3h)$dGo7P_cK;Jnmn(w%v>;XxKMuOeCX_Dj7
zz2Dkx4iS2;4^^3NM6!Ce-#-U%AWSk!<Wbn(=LR3i0)1PR|Dd2shDhqYk0_=zzv3&2
zX8LCYy$)D<s<lY7+{G0&--;f|!G{=ST3gP(Gx=1LtO!jhQZt+@FTk%RiD{gwJh@s}
zWG?-?>SkHR)a^R_^MM`9NRygF?Y3@hToBNgklfC-Lc~cFOzdv5F#Nr|KVlE%c=|Pi
z-cO}SG}+?&VPec5-eh&$y6FC|P+YriNqJN=-;Y3)Yjlp!(%)=CK5Vq%=29o!N*cVM
zLQ_}EPQ})YG`<^!)x7zXL;goh<00e0IP9I-<odjGm_3*QX)4Je2h;sw9APc0#QcmT
z0^+AhP>vk2DVNaaRmM@6!gG*1jh(JjlU1%*`PN*!nkt*3aTl?b^o7!CK=QK^(ypAl
zZ{vFh%QnFZRh$XsiQLil;xoUlay2c|tHol7nV&?(lX+WZK|$78S-kqSAc1AT?{`yD
zxN`eHSYde`4}BbA4HVA5%=7PB6WhaK8AhBG5XZ;hPO8dN<zeGl5-sUtwc!D>+bc!>
z1ek???bZrYMg}NtkB^N?sm&@mN%Pis=MJ&f&xM7`86iw|f7Jt3MLjZqbhS04#iy=+
zpRqWoGDbzDCOWVgz*+kFEhS>1Xz~}hz63M|B!8V-)}=&iCU0o|ltZ2&K~yfR2HHJ$
zkS4KA-s7jj%G=KokcRubfxdwyGX?()sru$qp?72xe{9MFd>PE&PaR77S4Yfi6(=HH
zSNeo;78J7mu?>Q-g@b7hJ+Uk1b|PfgeQ0j$(@*~N2abIi$$-!oeyh|dq3616cRW2f
z01i@qvRXZ5n(>H#c)m12RkJ~Ycjb0y+|Kys)yxlDU$;aKHKiXuLm1-q{a*v(Zz2QP
z>M&~%ZQ4W!JFLv;f0&f^Ik+VhA&Td<Dz}2S+jb{?Gfn@olb}RnIGQmg6u22;HgT0J
z(%hH_61O-_QWSV32E;kMWm+iph97QJySUyB8}MZ5u5MDSnA;O!zHzfhkV`qTAOlhu
z3ON6~D<&H<*15LhD$9hzkQ9yyuR}FrhcCo=HjS2$dTtn_w~rzH-vH)H<lxC|b?ytd
zP5iRp^V}Cj!_90>>vp*4(Sk2vOSW41t-Tj2j+^wQV45~L2aVuDv|cN74&`~P*N^@W
z<JciyjpVm)ZH1Ln6^>Muncs>|ZJ1n5vS0BZeI-1f%5XUTa56Cr2bc{)?BY+L{m-KT
zl(aD#mLoq+2STqPjO+AJT}rdIDpk7`23#O@@jf#uTH$oS##13q&7r<UQ-k<GarxHw
zBbv&1Kq1Fb29f9$Ut=5E(OaV?ra3gwZKVAj0gnM=kqUn}LHBLsB<CM3nzcc~pE{4a
z(jt;u*qQ6ZF;tH%r=HV~-v5I(kq>8+<RM6K^Vc32d?bMUDN^yt2P1t<X@g=PB-9X4
ze#&XV$7>1gJ`Y(6z$0}!0Nj8k=qiMQ5lbrdW1|H(q-tG0CP4p2+Tdgwt)O(@;ig+m
z>u#cbgt6c1Kv=-9?{%}Tq5n-=^Xhdo8*D5WvfnBy&J=w3bC@(2FCm74D^^x!&@W&2
zNHfkr65YtZO-nVw$Hx@D-#!u5_oE2Lbo)=t6AG<$Xli!Il=La(P#2dxtb>Dg(YCOy
z<p4FK+fT$B4oi&fP`mh-f==CM4MqGI-NtkNF}qY+b^$!@aKPrhreRHuveEdPr-{Z7
z;!;gllxX;=*b8UeEtqllleD%lZs!`uatKGGICasiM<1_L<;e2*%S0KYxz+f2_XJ0@
zLc%6*PPgiyg1~h=S)BqCzf9huhQ6SH<1Bj4b~l=q3(<3lp)m6MeFJJ?<Q}SbZoaj9
zXfv)<O0Jq`$Ul&j2KPo5bxk8$FruP@f24>-s~E=@oQ*;3X#&{hsV*G!&FB3-N2-p}
z--*BwqNJaF?N!hBX*<O^RdS!{lT;9Jo|Q=@94#J(DFNEt%J4^M`*`7)dNGs!tOnj4
zN`A{kdJ*jTb-$Y7!L`zVV5QPS>Y}BmG3zSYOwx*OpVNc=1#F$$#m~>0`wAd=(;x`x
z2MM>8z8?zW@)Vb}zj8Am3U?7W;hygc2V0(cQ4l>tu#!}htq2OwuUmQkfFJe#h(`=Q
zE6!lEd<Y}ZIbPe3i>Y<fE$C&wn%F7@P+$@uN?zqu@N8S{>+fnPrb=e2I}Oi`V;kiX
zz(<?Qbx=kXsk*El{T^M$<>q;}^k#ai6NUCW;MQ*?Tga<Iw}L_wpS1jIPQg>_7?AW{
zH^YzTjEK7ebor_#E_w}S2i!!0)J=H{)(z!D=u_$A+$`fjX~Bc;E>g}U{Qs-UIR`6T
ze^xe`-QfV`a57Tbs_BxrAZ%=1tQIyjSC4zB<htC|pofa0rZyGYZ~zCE(G0f~wMVWJ
zQ@=2ao<sd?ql}@P!KMT*tUfBRRiBL>y)mTS@I(7-T(Ix0@SHRk{ao~9PRO|5+II9Q
zFPEP@AqV4q0=V85ik?(1aV`1ZLWn8QIDZwzHk3B_{Pz1nu>ut;!C_rsT3Jc-kJuDP
zCTy5G7FMWfiF(s%N`{1{fDWt|O9|@dhz6GA)$6s?Y(Gi&>pNB6JGaQ@4a`v2a5!xl
z6cmmWBxQTVRm5d&lu1BP{848Q*Q@_#v6e=rR$?Yp@PkQ(#-p0KqdYXP2P7N(B=&`)
zm2r@(In>}k>sxR;lLLIE`;z(za2XM;gf29?FIGFcrk!?dMQ5U^a8W7%Q}ah~NzJ(T
zwK&>P=wlU=sUd~F%HjGw6KfJhHT=4}OR>ENl>L7XHSY>d06%`t;(W`1zyP_nY=Z%n
zmf=qs<nT2EQg5I3P&XNYTzwi7^QTk`ukBM&<zxR>&pfGhrsjlx)=GZs)rS5kx<B$>
zG6oHMNEOXg`~slc#UH9-9BSzUo2_)eAuRNW(C{NwppM@ztX#7;RMp3$F0veIPiYjX
zJ2P_FIW26N&@X9Ez0&3puLre!F%aHQ7HCx=7E!%EN|h)~H)Ev5Mw0@RecODD>N
zP4Ee1fmqE#T`?60zZFQJChGX^oj}9tO)P0bOw2EI#+0VeX`hO(mUGvU_42KFO;`3?
zoeOg;YDG`>#Ip3XDkEJ2rwGoi_9o0vXWs_EOlQ*mvdC1$$7|2JX#lPiIJG|B&0n?>
zYaS*#Z%hS1np?~*B-q@5N5LZxRLbC^^4AIE3`|VQ>YT|Qu}!qEwTT4T=t=03N1u%-
z=2|`uaQth9WQ#-&4HNPpFnDY)839AmKrMCZ#}mx8!IJR&cu(7C3owe(dxP>H9kH=m
z6xJi(`uO1PaiJ4%v9^i+O3B7P83;0|*V3NMS})~L8~o`^=pZE?F6^S2^rc7ApkcH5
zRu2`9>u&U8lMzKF-|c6lw*fc|+_5>a6V_7kZg4c`w1zUou=MmTz8^dhj>aHoSirj!
ze_zc8KpEW{v3!N`tE~Y%Jkf>5Z3Xtww{$z#_l91~`vE$=9*H>^S;-j?kowGCvUYs+
z$D@ppT~I5V_PgmHzu)0m!t7B?A^br22n65hBb{z{Shw#MjFMC*Awh0Yh-`=(uUbRw
zWs=lPrH`2uSP&||NXvt;CY42_ty{G(&`CzXO{0B;o6CkB`N9d<He9r4q^UVP*{WFx
zO>i~J{D1BOT<IUly$8xw#G!xhk{F)C&p!JAW(pBCj*I=5kN1+xF$=`))|2LyzH0)L
zjta`33M*{4cQ_t@deOq`Y$WLr{nqvo8##t(O$nhJX>t=pH`R<hH(nLQH1fxm^KZ{I
zO%kG}O!AY+*Xw+_J*yvhqw{<8vy1yjpf#uiid`RGHBnfJNy3s;#3>U&0RQI>>SE$u
zs<1)tod3Q1mYGgo)UaQLkB;saKM8>G71{as7dYJyeH`X?c80ie3zVAu_yUc5Ob4gn
zyxI}Z!%qO7HhB0I<+ltW3+ePshX?t3TvqRU(M;1`Gp&pq4g~UUnD?#eTt80}GWr_6
z@3fBHZipGd?MMKZgcZ#V(z+Zte*Ur`94ocB1ZN&YjjKbb4Iu{ESrqaNeoMMWVG4Hn
zC|P@ePJ*kjua8!)gf#y(y3nkE3T3}lPSJc0TOG}Qj(gY5x<0I^f~&EO^r|IuyE7jX
zGvovjuAea5`kN!#$y2_#A0uc@1z!iim2CY_xdW15G3Y67)i}|BcEx2qzk;o((&k&$
z#4-`jpE5xK1@yB<S@t>@dRc4eQ#4KF!e%uBjasr^>Ma9e%A}aq(U;XE3F=^2N+Pii
ziC2LS4s&VG7GSh0K&Kp+if_GY%{>q($e?%F<+g^6EjY$ib)Hn<>RZJyu2(c^e6zV#
zBUO*q(549H582h*$O<0!+miC{26C{-mo`5f+uHK#VWOzHFA8I}POb#7;~SL8!?%mt
zm9O!RVw4#8skjTJL$DlJ_uqlYj~ZPPGfT*K0W|>EYC6q=`+y~P9-BG<k+9t5PHH`Q
z$w~<O%(7<lmt%hP%coskvkrz0P+?5VA$0;i&k~xP_-}U!5M~S8E+^mNr^$vvPaSjN
z^rH8`r+|3DDvrD#U+x=N)1(bsTV1Oa%3;&&B8s%9!4Ja4bKovUr%9j*rx_Z~K<~do
z^jD!6;{t~oQT(q+dx_fumg;QEjXYcKn@(fhhK5<G3#c4pu<#vdYm^jbD&KC7gBbr5
zMi$Xfy>s|#;;CtPttZLzcyMX&PpO%48k=U(?`f5t_cj1YM!wEpNXYNBGe3hq%DixN
zZS_6<93v)c`W8>)PicciAO01hWCWPGebxJJGQnzu+sU-i0{>aNsKSFf*qx6&Jl{@-
zAOJd+`$+g`QJ6ibR`X}l`snDVY}^;KEbX!Ofblo;$tZ#`GyRfk7oK-|W>BN~?x!h`
zsPC?noiM+^aVH7_l1z+rI0@rH8jQy*w=zix7;*LQ6=+$h23f5V@U^pWUB0h_`ots7
zQ0?akpu6~LJmGVsSspQZn_Qs=<Wcp~X*wBW*(Gkpi92QCP^4YA(gVW-3$xC;taon)
zWEE$ILM7*)1csUe=}-t_7(jWGJvfNC2@LgB(x*8uo#lrML7b8wEr|a22>$tfGJLnK
zNp`>FN!_9N%()TjnwIPpn$)7J$#>1P_dYP~b=&H+Aqpl}XTr^nCEX_0^XQk%5n#mC
z@a_;!RdR|ZupjsPXedK<iC<gjXkKWa`13(8vo9pl5fNO3;s)b@yqm}huZRQxeQ=Dr
zs=BEcz1qA?>7Y^+q=06HoC(TRC_S+mL`W)Tqhr>=S)&k;teza-$XKKM1#i2|0(pJ^
z6KGp&i||0ePGPYeO}FB*$0wvH*i<UM6T%n_o-Y30i4DiGKjW;VIO7>wBpwVTXbV6p
zZq1AO!e<_F(kP9uzCDj^mS4S?+MKDfUl-hMrDMUP0s7Pzb!BLgH<v*>Zj(3QYE&?{
zt-aWYcG9NHEF0b0;wh{6E;>e^b@;;L?k7on%;SAN3Hj-MOU(*%4yXTQmmArs(R7bm
z{AydtWarGV^yzz1BYJ%mJjIl7s@an48zH!fV%dh8XqJCYgxqA`;WbSB8Ca60Iaf{}
z(}5Wqqh>~Q3FlrPvpYpNh(TiQ=Bv9OZU~dhFk`B;Az!Piauri}_wt}5Nz`D$0r~+p
zV`c_@W}mczM=RUt=sP^T2Hok8T?!EAuaf(6-}yZ9D?IBZJLOp?&|v;-2hOieRu2##
zXm^RzR7zD(M?j<qk(GNiEPvY}wdSS$Z6UvXQr8g;w+y-ejlfk~Okn2QW)iCs-fatq
zqOwSfLcw=<wC>h5EmE>zw51a!Mv}Wo0mc+vvo<zJyFbk%111BVZCdjev??6~SIuo|
zH5n;rjmS*K2W1VOwIN%LLMRt10W~JPL0X`Y&I0*iPX=Tl)Q~+-m=D4zw9sP~J9`Gp
zE)-DzjHAHLJJKlCwGM*}-SQ{DbbgTQir?8E$7CAM{D$tp{&;vG`YNx6Aw@xWQU87i
zf+C+ky<BwmCOn6mB97ue32}m=N?hL;s=q?iCOrc(@|NkGmNZyg#RkVr5fw(Jz{{=Y
z(;p4W)tu2&G>uYcS~wtr`!;G3S6o-$)qdO@tdN*N5k#6uUfARQRW|6VBPzPyssO=u
zkC(SQuB~keta_qqM7Ll(AOwLW(>VoL?gpxhLd^?@9V{kp2_n$NLggw$?ktrtli<X9
z_%&D4`S?VU5tD}9ohx`~zjIv}3ehuQKj7o-wBY6nFl&y+JyFHr_n)hcT11>cxjNqW
zA(DM{pV+*}fRs%woG^{z&EgN=)vTt$Lbva!DJPvKbD|NYg%B<}wXJ_EotY&&-7mwt
zja<Ymu>x~Fc=&r)r~dkyI)Lz6n{#S6<w;_UugR2$@Ctu4RYdD45lV%rn_Fe3cdc;p
zo`u-o=iNaupqy;M2M=dZg6KZ_C+a&)c4*!<n|p{Z(QtU(Npxk+Uc&zjamHVaDGwTP
z6-uUZZN=1+pUsBe)1fB3JIg$*<pwj(0F(;*@Baa$;io0br(Mww%GjJ3b#QxZoxEIs
zh`6yjLz{=Ddkb4|8v3^Adje8l3OcZr@tHic;<ZM)u6UkAuNzIH-fZ?se9T99aV<N4
z`xEPTM2y05=*3mRK#Dyuez&>C<QhqIp6mM<_N0Yl1;ozqqw8`k8WaZmJIiU*kNu-)
z1k@cw!7zSLkEXWfI+P7tX0IE5A0PAQgbAOPk8v;@d^ey5S%~YGOqR`eaoeF9E9-$2
zCDO*&V|lUieMQd3ARjbx3sRYQz%SU`SS@nB4}eW0VJz-scj-GUG0~m#&l4SWRHG;H
z)A&PoD{aLcSiG!OHHa1HpUzuZ{Z+af0=VDboxXI0@1c$2y5bJhh*u8S{N{IN&di(Y
z!HG-(YCO3RMHeB4iWbsGzUNBQqbh(qUO@U^j1EGl0T}At4dkYs@TfB$V{@m_{Q<)y
zwqI+?WzNlBQ8S_)Qo|KM*i@&WCK2o_QIE_MRm*_Ub?9c2@lEFmcchX4m9+{zDX9o?
zK!t^8*M0~Cur3<{Ql&3z<@1}RP6KQ!V^=m;_$2DWC#_Q=R_hWtrvjO;F@<nHq%GkV
zR7Jwj1$vD6^&!wV5uPI1x~<CBh}I!xxW`k4cE!SJi;1B|L{pZk6leMo1Z3Q985Ary
z!m80t3!ZDvEvLh+z&a%O-JILDP}-;9$RxbH;ti3Hm*6LRxpw9igRsZ`oxmcKDtike
zSv^@4APQkiw(@XNOpPyVZF5PM#BGqSYOd8yLfF2Y>k-rrJ|*Iog-kZLcw!^YxJ-GS
zt%{(@(z55N_3Pq8R--HD@8GXm5ax^DOo5s963{9`nwsGAP7@{^fefNH_Fg;tZhJoP
zAxzH0N3go*r}!Enw4shCbm7(zL~g?`s?h6O|L+5|wM4|><PF9c2koM=L+P0eFG+bh
zvESNSMi%K>O3#{kvd*(81W2d^g<Vg*gOZhZw8A`ng^_1u7KIf>g%fb%9BTOQ>KE`!
z=-W;Ft2wmEkAMld(E_Jow3qK?8P01Muw^i_Lsn72F&`7aA$Iz^HDNCWz_{GnQL2a=
zs3>ki8=GKMIG8@E$VKS0b^*ORbv4FC4XbL{qevtoJixmy2g{9Usn2=l_ftye+R{5L
zse<I4ml2!86zqG~Gch|MP?SfopfD^lc8i(5r!XNitlNhArZ3O^xHuS;0?N%aoW?KI
z3XyC>s^NQ*p5Xths|=caibUbjY5=o>?4;KQXz-`1=a6Iv+y3HBz~@I>SQL?<@D5;c
z3EJZkA7G{=8h$)pC5RYwRoi?$y+20ov_Ca^YB69{Nc}pv_q64dLp48R^SjlOM+4AL
zLnMpeU_{Yp{a%Iw<8LAQC-dL`d-%cr*O=4*j*o>)I|{darTS_^H!`<rnMjC3tuu6w
z@%SUPrp<bZ%uJHHDPb#wF@AtQ3coLa(4nB$V_OPKE{mqnCg;v0axq$UgCDn`yn6L(
zeDHMC$@&6$Ni1pBOMM2UTVvrpqhtuF(F|dPw4SYGGHHB_KGY3BsuQ!+A9ZulI9eb^
zdz=-(hl?jQ(F<Ghs0wMd1R^I9|4Y^RZckCenq>7vJoCcUQID?WCslb2)|Se9XRjkl
z41!<kyr-p|K2FeO3q{Qd;H~hov4AEf7A{`v>B^G~93>KT4=wk@ddp1DZvwoV8hUIb
zG%*S##Z<{zyqcR^<MrLa&yQO6iZd-?C1qTzM3x%Cm`Pv6&=@J5*4l0w#nWa#SbxPu
zL9hgJ4fRzyxpxVRWWUZO;us9oO|T6vx_UhtD43(7gq%PPwm-YMhbZpD<A`QYI@!|a
z9)qs_R@mhH3)XAJIHI^~5x6sNFB~_sAH&gP<oY|q+AA(<#wo+Q1&@i)pj4$UCil6a
zBC1J3yy64q2Bw6`ZH0-GrJ+|h&|?DAOe{u3tAel<$pUl2wgp9Zlkkv!;mV}&Ee<uy
zVl_=}ag%u1Qp7cLaTfl>c2anE!p&;iPMY37wmfjE${lfQ)XoN3etDgf&^su}?!2mS
z@$hfCf-`J|SDx6#hWBp2qeMb3N;vi)KW(R@D?3|VEIe0{_J?=`y@~2LErmf(L?F@d
zP+2fOeA7Ip__R*ll1>hX8u<urCmVJI9UY@Or0h|WqMBKo7P?#JGhQiLEsUpAkGv`@
z@82qfX6*vmU(IO|y?r8WlZcN>E9!Ma@>em&uj~p)o#a-Qd`k(L*lD+UIf>XDAR7-y
zJA(f#pko{dxi~nzzQaSt{e=UnH>6;z+I<QD2{9Fm;wBGI>(mE+9E$5NVPH)Hr6i@8
zSHFVMY2M)wsetDe|B>~-TBNk%D6Szhle+fkh}7Z{9@75DuA|gms*vb_H}a^=jSmo2
zu}yHVugSHvWy80jZN=y?7a6JTWC5yNY`kJS-!K6Td~h;v3$L^@3PLGE)Y+DW165y1
zGaI4yjB_;~h8JZ!n;QzsvdPmhnDjtYapnmOq)5Db9Y|?=Vm?1{1HfU7KRfOQv|p|B
zbqkmKo#haapE?=!7l>;iJmq3y`rV%Xc?W}DT|#V_GL#(2GeFkcndofQy4`3uWxr+6
zOR34g>}{*a-j@xLeINcoH?_HgkM+u0Xj4ATu7a2LROEf$Rd@O}JYROJC}BCS)Q=12
zAVDTt>;YU455`NuF8p9&0&eGzR~G{Q0mWw(0Y<^*h2I4|LfYGtojrp*=hWZ}SkQUl
zdyWj?P}Z;dcAUH&+eG6;&utNtu6*E*;3@A0@QI?&(7v}w|DG-~uQ8(di%BF)T!S9|
zzr2l^O%JT=4hily&$?+9Va~NPFKiqzl>-1#K(4=;_J57;57Cp+d*m})rx;_B#2bev
zwbY`<To(I)063n)B_(xPzm|TlmuBE9JlgAWH_*l~-6>~i@7c$p<}`u<aQ52SO4160
z{lLUTk2uMVyytDOGdX$xXu3><AdZB}1fO^Z2c)eQO6_p!S;~!zGQdj437g7oTK`cl
zv3~o<4sEqb$W6Cq`wI@Ytl<y-vz4L3;3E{8n$WYKu#w-7j`20XZ<Ysw<deQoszdDJ
z9fnf;Y8aLOn?^n_Y|XEOt{R)uV;6jhFy`>mC+sv#A9jm>QW;uHREKwgsHSn>o@CHd
z3)i=?0rW=^N;iKgP;1_Qu(rmz*{wICs3M<faAURAC6Y}$DzSNaXjq#4y#rsvnT<}-
zT|9jCEKfE1;1N=U-hT^eZzo8CZ+@Ej%}0ZjqFPvX^ph1kenXgO<ZnMx%HEa{#WDQ<
z;$hdD5AY~3oLnd-u!1Qjl?f%&k=!YIWk~B>H2fRiZLQNBz3ZV6aeiF9hSjgw;uM&J
z5oiV#xssS^7N_XcF!}UZAp0fevNIb^n&*U&+At{m9-BN)W9ujY0MLEQ$C$>480_Q)
z7fu29U4#z2`{MdeRZ(-59M2LdtIZC}O@piBq{V9v?(*PqA>cRf6-+0}5qD$4=vAHZ
zs|99YLUA?%UzdT_T8tkp9#b|2a&HzD)<$wP*zEI{p4i>3m=L!!ZD4ir3lMxKv;Ak`
zRN084Eg(Wdf9rIYUbq<=e5UZpC%yuv<&VaqcI&UF-i<gY`8A(on3V1YeDb7R58!=#
zI753E7blxVZ=+gcVtoC0Sz}a6t=kMK8a1~3k@HzJQ>|8Uji8w8Q%IMW`tagg8`C?B
zB{nO~qN}TD_XYOCcYF>+!$)>8ODZoeUUK3_6dFbp|KUrCN60hm*QiNGoV5i6sNawO
zbMTrF8^;8fKee4gY~f^x|K9;sWO`_p5R2v3WKZLV!{J&UYwLp88z`~hQ_U}c&0*(4
zI^+${cPA!l&1J;l5z?rT42aH_>b)n?q<O$_fLVW(2pPO6hL?%1+0Ky>V7}lqsWXG#
z@Ah?0#ylKsq|!fUP#(OT)_2z;x=O_N9k)5RC7Sw;JlNP}CqU0M4dnbDRYxwoQ`~qa
zhc&6mG9-(MsQ0*LuLfa-BWiBD(?)=CHwFRDv_Z%t1Xk1)Xz$65nm>vl>O28{&8%yP
zKQlTECss<QGa!23A<XTwCYR51C!HA|v<*L_5=i^sKObD%<2M>n?6%JRaPjh;J8%vW
z?D8-n0;Q!b@#R)Pe(!XG+(OzrN$#YE^bG19jVRdI_zZP69}h3@Ry{-P?+8|n51u@h
z9SeHFq~%%>O-;3K+Ohu$5rJk!;My5Tz$N6kv_&-dz=%Q~e#xjwb-rW;X=--Ql_LsA
z@n2&9`<@js>81yTAS5h+=QyQ$QxXUYQ$`M^Dy9hb**0%rf<@|zBhyo}Jgwn3h7?tH
zxZItAXsUKX`|v(`pRlp-w<ra_bzQX%&R(3ben)~ycPfE4nIi%$H>u5b;23B_n%g`R
z2bP4~+F3rLFgOd`Wzyc+uD!3h=^Vy+Kr3L|@VgFzk;^I$?3Gbx-a87!OjwK*K8Xa#
zLcC3Oo7)`G2^zmYUE3SaEFAyBlZo&MvB%ouP(v!qG^8b*-GcXdVGr&7c4V3h3MTx(
zip?bKFN{YHlbC7O5U$f$&Wj#9Lkg`e_|H(kAQHT<{b;Q>%X&52h5)z(R_wNnCQf%$
z0yByYe*7CPZPKbUBp`z_RU30W`uDj7a>n*f!i))8|E{*aA+X?)Qp|iJu2){RbUpu2
ztEey`?c5UD-TNFe!lk0iTjN5ghjr=D0T3+~tJNv*EDA~I2wv|jvduZT2%ToEv`y4q
ziE5a*?i&s7oRv6{tSoEN%WM5a#J@q6=-t%pcq<!_d2pGCPW{kx*X#=+1lf>6o95p2
zT|R`%6M;jGZ3G{_TZD`%^Ro!6=CcdA7+T0p=W+akFXwNS#60-$TuFV+4h}WX)u(sl
zIyLA<<T(sP*6AeQ@$b3r*m+lo${q4Fs3q1F`U}E9`B1Qfe!;Q#)3bx#y49(;JTA(n
zY5_F(WkcQ2$7JWjX5ZIu76CjmYO}g$Wq226gnX)K3qWOy!nq|}%O4j%b~?|2t|6bK
z;wyIYeGJsaJPnv}dYeVBf0$lgI!eVW+(mT%2;03=XoBE8;zH4nIbn*CE7DrUM4J?j
zrsd%tqM8@c>>Rwn7i^(8b7g=WqELe<s`200PgL=RH^-I1C$J_J&VW8~=bE60he!gw
zh9t*ur+aED&!1Darj3FWXP689?rNB8bklQ!*34l}afVb@IJg%Tcn6ymf3Du~Xb8s_
z@4xJhU*T#HDUwSMGDw_*0fR`max>hhXck;X6j?4X+Lxn8I=;m-qyQUISpN9nkuqvM
zZBh5nG0nUyWpKNb&7z;zP7(bP-ELXzyayWKK9EQpK^L=yEsX&X60{t({fXGsq~aq0
ze(g;Bo^?R-tB~bJ)u7tN!`u+FtLkhkulbROPcZiNqP>gX8qjG3*jdUR3#2KCiQ!M3
zd~eat;<h|0``_^xK0RKI2j9@r$Dx(kZ>j}sMif%THGk5Y?P9PRb^SfG>pNGz4x<OS
z@|@GGv{gv|#w|JSZDFxRkqgx^I>Ljg@g_Zd!+|SIU)1myTVyA9;C*~K%@<Y<Jig*b
z!^hN4jk(Q7(^^}9#&kQYP`$8)t%wg#3_&=kRWx@^>A@>XRg@Jwg1IVrPjl+z?SLe$
z4AJn2K|+?@A<sc?t7zH?8u^H;sy_+>_|Z3r%~|$nT#rS4it6u62O<}86}oETFLN;$
z3yVT&d^vySgC}od7h90LX#+DHoIh#Cd@cKY&RE+Dqr<+y_cK2jd|o5gnrEVavNEL5
z2nXxAx`)I)@WWrdC&T3azenwP+vZ0$Iaq)9gpt`dJK5E=*3PIv>gHLu=@DHS&;+(7
z%9L&~W7}ij{;%n@IUQMk8AGS}&6ln68+>S2!vo8Mk|*GCq=Tc{Zja4gHTX^@oMyDB
zcJbeo&~|98v??}yh79K6<7FVs%Uw0rUmu&@yAEAo;!9iGK4^4gkDr46$qk}>x-!K0
zCSL`5B>Njg@`p7kJ%WW%#K_mAp)i4Y;!Jv`Sx87AcGzgrGeoywQ*iuetLT&=FDv%p
z47Rr*9(k)F#RP1d>#VFa_E(}w)2)|SlWM782@%n;ik0Y09bV4eJw&i$w>h`%yaVQ8
z)7CW%7mvp7Y2gN&s$y~>cZs-dMk{>f5r!1FRcCzel|%0dVtR+br%M?M=7a+Gy6Q8_
zE7AAsE$}0>F`{{nQBrRygNt2MjK+qf;+v3S*j<=qkV4bbfl!GW3kwc4*gwdu_L-50
zyw5YF;zP4&uc|nMYq}<N@s7Njp@H6KAYH%J*q&9w%{}m+XG}-U3$Ma#4yDr3-5SGS
zw9hJf_amV|io7ZWLn&6<$|s9LZ4yD5O@2=o0=^_-XOjx`<xzi7g5>f4`}s7BK<wOF
zp593E%zS%d3?M5~zj(~yDtrVPJU)};164ie)%<27ZRHu&lw*VTLqlB%qvINqdoUE_
zrf>^VeKh>2VPoe)-a2=kRP~9Hyty0UkE%UoOQ~h$>8l6BA~RR{oEFAVrjnt&pX<w$
zsFHCw2?OzY_6~64hfoxXu;Pbs3QCv6u0QlBGPiyYXOiH_JBEkA{nPdr03IKn=l=on
zx`x0^7^Z)_prD$DHadK6_NdO`VYlsu2Q;LL>5Y79_VRHM%}~swVhY#2<9pEA8MBIR
zNGDEVYkuY_GU}~G6uURnEe-0fXA_mw4SPM)#{~#}ysAi4b+#c%u2JY&Ja#CBFKaqd
zOWEF*PtNS3YDpkvx`w~k{-$dEIKJY-Tv4*%wTFep?lx57*^}V9^%)NC>Mje~Pn^XV
zk?4t8X>|Rxl5-#;RAf^cUq2QC;`nMq`mheCPLE9W;HpY+3jU=7Tc5-n6)FK8lwW-z
zOxln<ffIomQzV1$-eu|8f-OFsvF!-CmF)4)qJ@Cbmb`-1^97MAr!7E&br%%|42=^_
zkb|q8mCtomh%TgpJ7G*!YgV1qJG^wRTllmUcylqVpb(F#x=1jw9HZE&za+0uIo)ah
zKvqx}N_-RyATzVBmgBZ|cvEUpMON;Kh9K#7SiP(MqQO!^=V0@04V_L4rqMO&ZF?i`
z2qjDyedex?M0Pe*AMkk|v@z#1*94?WEU113+Q-O*88CW!KhA8w#zB@0|BZs9<hEn*
zejS4Z%g{Ms`_dNkVZga)S}x3>Iurt{4V45-$|fw&6tOA&62Eg11^Htf@MjMn1-WOQ
z+0ozFp4#xAIm^5x3<PXyV>!*U=+19Y4o4(yq@&}j<E)q?<6g3930byNm+yQ<7?o|^
z1xfMM%`}uRz$a=@IkC+%P&>0Vs69u+Zx`Q<ufbf!SOsUDZjP!nSJPWZxdCL`Puhv;
zy4*<4&o=`jsq~$stZtvCF$-c%wv;{i@lMSi`;Ys+u0isda(>7XVM~#%2eiNt^Lz=`
za%)D>9IBKj7bJSCFnU!mnWYb>0c3SagoiRGZzNN~v%<+|F1`OO-Bi1cejc7qW;`fr
z{a(%!FuC(3lQoD(fciMeY~x3C5-VoMj-PNdAA@K6Tg74ZaS|{zBMjg#x3^lQb)y9x
z>lF~8E(X*ovhZ^#JglCC!;J@1p!Nw@4?f038h2l|97Q&UExWvXChM<+2sW02;;o?}
z6_%XDDu6Dwf5R~wFmVRzI?OgLkd|02?;><6ht{tS(Y^S(7Ij#v84~)p5ENq8bO^M+
z9zGMVbvDxC3Z>u=3K+4+^lZc@%vMJ?zkd6xB|4iA`12A!kP+7t#IAKvt3$|#c~#+L
zQXxGHQ6UQ=<Q4QMf^ThN*Q$Eto~p{A0m!m5!cvXE{I4&E53`iIbY^k8yNmc4-~7%j
zgc0rjqfB|0_CfXX$rl<!Ff*6<q2dydW|ND<R<wR`yr0Ve^~v1fxuv&ZglhhiG)jl4
zzM(pR<ZAl;DqOXWJxMAi%<ieh<6&6H6eLczpE>B*MeG0WTxE!_qpDYVQJ*FfmZnPp
zf)$qZG8HzTHir3J*EGL*lE>mZDVQn3I%pD-q_r<-Xi>-F*O}P_22q#I1m^clWM;Fg
zB9btfvlWqTm30?w-y+a3v6wy8^fr`J@l*rPj3}%rVBZ-;Ll}-TDr_A|V79GMs|F7-
zNb4Y<9>t~U3-@v&b=qpFYuAn?B7nr@Me%E1Uj5IQ)vB{OLs^Tn8v&!=vf@ZnN5TzK
z-J~KKFSFiXUNqd^Q;@eJD{#9p1oiCaQRHffN-o^YY9IxKg8Dj`M}o+b)rBK(Dv?X*
z5Du#s5%Yar2hiN#YJ0ND|A|jDXRBP_xWzS7heG|sgVs-UaRH2z=#Ng5U`L0q;)DT9
z(_7VfpTmcXgH)+QwED1kA$2K7i?S0#C^1~(FL&8G2!F9ibg?!&qAFZriCxpOhC3f5
zfF&Ve>jOTIPFU5yVss>>A#vGJq#?c(0<NtAF^<23O&NKx5xaHmQ)f^%=hrk6h<aj(
zogc&!-c<=uVQ;-l3q;3#CNsOROL000$lLs^AHldf=EUDiIkh|Ci%D+uV349ZOLQ=M
z{v21i#jbUU$I<i=k_0XhFK$Dtxs=A3<}94`vX$jG>oK`hj-JdB;UGwE6Jt+fB+-*p
zlKW^>yUuEiOz$wJl=mMSK<$wK7y+$dl^6AFM(Oyv1w^R&IjDUXiV@LFZ_A{y21(k@
z#iR^0_*;PM-1mMJPa(T6JF6HI21MCP^(eZ@K3NP=qxN+wziZV(?-09Qh3FjdQg>aR
zj)p<B>&xs-*()&Bl}Qx?PDc6+2z&*!K%xha^ePlNZHo7*O$%_**8Kj=x*EgB2XsVA
z5Rw$2AjNdS<F<68Rrs#Wdu}~eL?;VZ5N}WQ9R$B3wS>ew7Z|BFo>u4X3)y%62<RbN
zIt@tg{s@)D%gOt;0Ag+c-Y;|8L+G&xcL_2`4T}Q?(cV=|tDX0YWKV0f65t(5a!=H1
zDP~AcHudC!q#eNcIy|Ho74mJu^T>sf^y3#`pI!ZDJ8?R$i!_TIQ!w)*sXwPK^wB3c
zJEh_lJ}%$%#}~_Nr-p&e?<tRPTq^eOXN!j~I~Yq(@AEcie>f#Gu8paF*ELQ3S$&H_
z#WZsG!Wgaj**pkbpm)LhsBXTS(sw<JLr!i<36uEZ#(X2yz4ai79aDUmPQR+08{CTX
z;}eQ@!au`L?sv<J>%=T~>R+$S=t>X6>VO8v-iqpD=nK5GS7Q<Z0z5Oij}KAhDL*y3
zSehTs8z#YGiJ{H}6=jpO|Fe}i)kJ(UW60#j@GHoFBqpp~AQaezC8&SkR{Xu45Yh|v
z{dS7b@JOy%4lB#>%9$h}8hg_T0hGpRYEQ)mt+MNo+7#4uv;yb`oeWRcay~CKf_v}Y
z8Q5!t%o*N*ja923+I<Z7c5k*nL(DS9_WVXSP)f+i+_>fyh~I~i)vh&<098P$zklVt
zC64C*(nko>?EH!Emg!B3a{at)Fqwg7p`wUwm+7r<i*Pmqd|7~I^4!pq>9RxW@z}32
z51)FW&AEv(wFOV}0CCj_N{KI0V%HWQ7@8l}Fbi_4ZHPjU?UFEr3>>iaTl<mh>fnE4
zq$1j(>M$`$%>Q37pKszq4fP=YHC!ak;tbumn*5FPUCvMoPPkZfv6nW4KmlyJi>U~3
zVqzo{yXA8)@xmw~h#t=BX7rg5^5KaD)ngh&fAO1n(EL{SNH)|^Zl(_AY^MRdl!cK7
z32F};m!hhs6wO^Dc;i8Jo#7$<D2?PR3i2MLKwY;9)7lzP!W@gMm;fo0=W<~t{8%5X
zbSG{HIlO6Rlz*GbRg(KH8|Yat(!AgUf=Mfte-Ry!7^E`#sto-l<*9@DAqv?pLZiCA
z$frY1^YX0tRhcq9?vJc&J+5;3gV2puxYCQp8F69@<QiT64=7U53E<4^Mn5xm<@m6}
zFddTiWmRxaHN^HPb2*Uu;wo2=2`nK1rB;|KGd?|E)Q=no_CP>qR6F00#}@ml)0{_x
z%qyswKR7Nqk56uMHd})Q&tp&XE!t!3ZO<z5i(!Ufb1GFjPSQ~OPFIWmz}3b`#$$yi
zi{0dvr+6@7m+)AbXG!Z9XBi>2551Wa$eLm`jW&tS3ISxDTH+I!U&8FP13X_$s->hQ
ze6|0MB6cArswWjbYzoIC<gACY3}L-G1+pD8MnPl@hENoK+PDAgC$dDKir>2^6l-MS
zBUmD?KP(S`JC{ZJ*r~v~H0RGoMc{(D^MwcH-JWPv4jvm=hy}jak2&>mDChDf0q>10
z(jcjA&b8+oL~A`As%{^6lc*s(H3pN0;Do@^be#boL8bBjKJ1p{7+KjU3eRNQH@@-S
zgJ#UYo6#aPEF{@Vl3)8scEWEedrR7Z4GT6yAQKtURn1wk;2inXc`x%`j2z}0l=V+e
z7Tfjv%$0^G-yt>N0G<c>=9?_&u-dHj6&Rf)A#Y91$I?n-51uv5&J{=2NNjLn{R$~+
z^yIRisBbK~BNe%h%9O=rG+uB*&YkL`*oq*ic@O3t!2O+7yre=<yK?q^n<~<|($1(4
zoilXV#c;UngztWSxyXm_Uj2cLe7Yu!*70n$<v}ihpg}`}>YH9yrY_A=u+|AuV}7b&
zEY{%FAk;s*wWt?E6!c2!iGyj{+=_M|dz-NMUVibXM~O&ILU?<z+dA0hOmpN*+HzZ>
z8O2g1tpK>~?(bMKnVM)Ci#Mj9mCA0St0rfJGdXPeDp}^0V)2J;{`Xp_Wk;$K4<vF=
zsm-VUzZ*|^6jfT3m}>v*A!@{Ae(jm)HxJ%V@DzF-Q2Y>78$cBOFQ7%>=z^MAXAlG8
zQbXY`(_uMyhQ^Y*a^@bqb@ny_iMzJ3(?W{A+D;K-saKGuB6_=X=V}R~EEVmb-vORG
zz2LjAf{|cZac3pauDqVTn*6EZz7!}^T4sJ#Rju;$afalkwom4#249@H5`emYCrs|5
zU18p5{lz-y?u}_@AdZaj46^l^6L=aH*9b&daOz_<3wunsxg0%Lu7x_<ty483OioVQ
z45T-d_b*lP{DeRho~09$ldS7~ue$Z~*XD+IBcwC(gxbc{P$jn_(~GTNv}i9u8kL68
z<x>e(cP@mQnUs%$b8h;->G+f(^)efx{ocZU*6hwaLXhWki(y&Ifb|{jT^<k}m<mVc
zB3V{6ymx)swZolGSWZ_`C8}p+#t~8yo@?RA?hj{{ma1*gDqcW!zhossnhK1!pYK`)
zVqjf9$NvrUKugaKl>v4*YlcQ(xQV+^;?W~<SEaL?j)uz)JG?65=&6zU(xgGO1?Boh
zMj(a?lj^9laHR8(k;f3MUm_kwom%8GXC#nRq&*ZCkZEM*Fg;iY>#DQq)fbp)01Jru
zBli81)3Q3tEg;Qedp3+<d3&)(ku3ycCFLXeV@+gcCm-bYcz4lOb2w%iWaZRRas5}Z
zgX7$)7xgA$@i^Zd`?)$=Lpb|ss1+5;S43HKp#DL&2t&b~sTV^jbVlOEiv^hrPXmg>
zSXTx*7yz=DC4xUUss2o3TlZa>X)PJto3{byBX(UaLgf9ZV)-DN@?DjQVm5&rS;2GH
z-AB0}ef`1Y?M8ByjV)*&yWp);7gj7MyKP1$EkR+i-#WNi#o-Fj6lN6$5n7@jz;IP(
z_mxLbCgjVYE~Y$XfGf5#@ba(yrI3&OkqdjRp1>j}{~{$Q&l!qw2$XnV4l&V0P5W-r
zEcF&{bF>-5o4@-_Q-yjL+F6c&75nlw5SiZMw3J2fx7}IW=izaEuj9HuSIORjsa!2C
zLTu_7YrB1={32kTit%DdzuQc+4xHD;McjBOL>&nVWA>BMH*AKiOcFjbjs!A9Iy7w^
zFW=!g&19QFvs>Q`ZyYn+l^)L$h-^RKFPK>M(4;5DYl;8fZ+Sj=eZmdEAQ4d)4Yrx5
zVEcg4zFOgrk!>mZz_^GnbFxl@D8}6c`V(X3TB3WDtbqKRE^shyy(Ib)K#S=?7Xu||
zO%{y&of&8;r>7d0(-nl#!9?K(30X;Dg6+RRQ;^a-kVcuv#)_)$kF&Q)lR-H*peXF?
z@UOx1)bl4YzwF%R^Ze8&6=lq=1;4W_W0|S)q`E}-gCNn$1GR$-0H+T0ku<fPp`zne
zgieXv$ggg*J8^9|)<|q07b&%LSXIP`s(FY%txXjVucbUz>-<LAnN=41-hg30ZzyDV
z_;#i$i~^#RfZS3vW85u4U@^Lk3FplFdU1c=FgQQ`3V{={E<w2G)f2tH9zmUa1@ftD
z+>wazN7a*HW0^mH7!u_O|3*?O1yPJ3?`PG$*X#2~&?;Z2xBV|0xN(sWe$cQrcbfW0
z<I9TEtw!4Iom&*t<E!$q`oCLoa|4^WO6*J0hSPB(R)?uiR#lR9R`y18;HQ(ClZ}eB
zwr(uo$YH;bnva;FdW#fsn#9cOGK(RSRPh1}P<I6QNYm7<p}j&~>{b;VZX$wBiN2-)
zE&1PEUwVwAAx|`w5f}%gXG&y4gmHP89?RT++`ItX3G91vJqBj-WNM&7$9m>8Ok<5j
zNo-FMH|TUj9(FX(Xs35J7eSXB?9`exdKi1OUZ&JQc<wMjg4pP!?LkNGNl#wJ)B9t6
zS5Os*LDe3Fq3_yGh#xkbn4o^>Cmu%fiFJffrkuWU6KRSCbNOf2RoY|F>i7RW3*h`A
zq?>67r$7MSfFTbUy#MbFW~j@D=b1kUy%@erB7L&y70U!2-U#=;bL-n)$;n=P?B!MJ
zKJ?b)us#OS^U{)nBJ1{%FQUPT?6NuufI<cdQe1#cIqbUc2PaJ{m~*evSHStBaUDl!
zDABCp$^nFQ14@KNjJV6~e6%W+2!cXde<ipuAk)uI!gwl7`5hVQ#D$ZVJ|GLCzSPM{
zX(eWFMZIRLggSn+Qix^hLdZLKS9izx5Wus%%P^7CI;;(wi}cr=p?j8BIFlFm2dqDI
zgKY6X**e^50xH0pPq8$)om|@K&NYef#StP-ke<}0@F7G{cVfMWnu&$@VAj231LpiY
zSK(ngA|J#1Nlf^2izVu0EXIiv4WUGGhrb-P_xpK&TRGBeLnvT-Jx`IHX=++3hS5FU
znMZL6NO}s)oX=D#p3%8`q%bA=u;+~@Cv2c$kQ#h?6KsXZ9`l3rdthd6DU+}-fL$Q7
z*YQ!jIlMii@Z++Ljn+j+&DmpN^ofjuylQ2+PSL!5lG^sgRu9HFYZ8<oqL|!2yT|!3
ziSo!(()!Ck5AX|ykQ68&G|#~h@(5p-^5EJ;o-((AEDCB_Y8Im9pju#$llFg=+a>O<
zD%zD3irBB*K?iW@Z4A@*!88#b0<t8Op9sGC*AgmwU3cGKnDK66(F3Ay!^su1m<0&X
z?aM3)in`f<Rn;o7sGMs2taJAMx^PhL3q)FN$vrW8-<Em%(AVb&rv8~zE@}QShJXX9
z>pojGQRZ@UyV9YOA?lGwcZPuF7GrcsciDN0g^$+k?tK{#9^1^OY*5Z^+tX_<@~PDq
zlk0ib&+JXhD_BMSBUAwq_yB7yES!}o`NhCQdb`=Z5ji{o>T(`&VDv`hd}^jSR8EzJ
zz>PvMrd?p_)Xl(F17k}R-{r}pCx_8f-e`j%)^cY&6(pBixi~rtH}iRG^;N<P>P(Uq
zhXH>p7&&M!BWaMhroOefN@`Q@gKX5asL#JuKG{%QYG1?iL|Y6``bIOT;Y~NSl4oIj
zm)H)jdo)<hnW1YT0gZ9*witm<X3Nx*!k#CjaG?bah;V-CmXIZCrZOi3x{q#<5#661
z&b6TxBy!?Ke1HB~sAT6dcXIP|hs*f8iOgpw1;Nv5p5wvygS>?B;cxQ~jfKqmA^OW%
zL;E*?{`4(&vG2MGGS56nQ&;gALW6tpO44H2I_*%9LdY_J829g^AtD@G*l6ob9l21?
zrjF0Wh_nyQNdcDPz&fXxa4Q+PSv<Q5)0eV85W>k<W4sLb{%~q2-rk}tv7MKA0Y|Gr
z`RWrgxqugFQpnvKMA~10_V2}+D(_ZXwzD=MfX*C}h(s#xp8la4zaTy7d7>w;ahNZe
zBJBF+-J%9-bdkgH&-vTl$Vx2N-$uKxt$$BZh#)hq`c&1ruNhNVs@TGEW>EGo3789t
zY(MD4=nWF<fM<3G8j-njsx8un>A}M_#V#Lu$12%Jg3Qc&dXxwt8Ru8av(?pA#X#s6
zm)%nkL-g&^jcB)jn74J4*cgg?>!SYtUcDTY@9W9qd?vH;hs&RzXl1D3%9Dy#5zFQR
zCoAk5^%&*r+JC)##87=X&f7bA6dT!Ed4j(?qY=;|wRO_Qrke?t#R!6==!<s$A#?=4
z>I5V%X%MbzB^<pvbPlRVV-sGv@}>LD;J{B<&{$t}a9upc%T_A<*(#5_150txg18J7
ztm~qYS5wGdu%Hk7qkZ01eRGl)C06_!DPF-ICHW)k*{BD5%oJw)5N^SfuMBkzMu)Vz
z9|5^110;SqGD9?)#m?kjh(A>X_pO)jzqpz<T^l35EeiC>W>zeBG`}9MG$Dib4y*a!
zlw&boa+gYfhCt#A`@z=_1q^Z`h7f>%Cz$<)Cz6&_po6rJ228PzXur#r-bzDNaY)~J
zxa?4>#H?{(`Tu9gOmFz7=KNyUD(!#hpla^P`m{Z+>!U5Y2Yu5)iAZ*aUpD8wbym;e
z&Zk1@gPkHjjqzP-W3w0)K|Rm9BKcc_7OKDng8TJQ?hP6+VmZu~$^RTtef{h(eJRF$
zr&r>H=Vo8ZhAKM8cK!|?5WnhI<*ak={&U+X{jk88LSPwm;n}8dHT&}M`)~bfsWaV^
z>PB^q`RRt!`nn;IN<;t=7-eC(k~O}**{@V2Xv`8V2qS5XzS-lgd{TSL(wt4P_pqx|
znZikw=@MXLqk-7BAsU<{aic&!PzMH~aUE?nY~%-IyqiQOAzH$9(oRf&3j9G{2K;Fz
z=5*QF1Lnw`-Qf)HKS%!Q>QLWS3VRJEK{xQbP8gHBeGfcTHS4diO@f3~0_iYj&!BzB
z4nm3?Ey{R|qUqENfSy5^K@6Ql(+TZx1f>MH{4JHZw2D4c!&#jkA8f1*Go<Moi!yNh
zJ$T<y82#TB3OxD;sz}X`i?sR`c@P2D^>?=tK|8<t*qbAC7)BiU>v227R?);?tD8B3
zUPD2%uv?<4oD#G5UrA*5g^IjmR|jkbMx=TH9=g2OHY%jYg`@oJacdMtdOH{gBIdOs
zXU4Q!1|XnuOmp*8Q&}|x#Qzu>6iqL|zx3uBGE-01_<)(#{zo-`@M<=zwK-lH_$V&9
z-DRHwd5XedMkKZG?S!W-8D%C5Tj%=GPt)9L*qZ8*I1h}IOjb?kdWRGKrPk>&4Aj;{
zf8Q(d(jas42>K+HA7X_}Jk))6a0O^zWHkMd&`|u^+BlMh1cOZNa-dpuPfR@D>@3hT
zW9EmLT8pNjrdkecT6BB=_ayHZ&1~rENP<}k4_}$`O&6h$puWI>)%D#SDY!mFZCyeV
z9NtEt<>QugWM7ku-I|=!&FDEYr#Nz5%*d-swiM;|0i{=2V2PrzWsM&O%ZyAhl@|h+
z0`~51NGQE6GF)!8q3&{PyoAAeGBhp#<AD)kokSCF@Z_GF9$cdkryVhi)hZ-03^Rye
z3%vyN;}l3cb8g)W^_veIV_AjmUxkrde38$X@Lz<3PWab3jVnuY8{kw`*P~a(Bd9+9
zuLa5m2F5bae^OgcBkXd2x$lr_*sXQvk@xAJ70=W{pjX#!$=w>ajq$m?)7S88cqAK2
zKZ@3i@$?-Ay-++v4Lq-)M(5}hUA4dH?MUa36h08o)65jh8%r2nnzYFvKKr-?gjWP7
z1(=xMC*0mKY53h7$>pevCCJGTRyuTBZorXOyU8h-DOjA9Nj^vnMzj;Y{1_><N9%m~
zR>OT3r%-12L+_uT_DmdQvl}CVy_o6$4mcAyJAA7L$12NS0hL}qrf&ehFbhI|v>pyy
zpyHk0g%a|WzPNV8?uB~4F0Mn;6~h&Gxw8TOjb>Z_Ri5gN_F4>mr6xjO-6|ild90T1
z;ldCE#E6PYK>VnAE{`s*jcy&QK)WhXKl1v<E3tY_hmnc*&%u<R&O_G7s>;XSI7{)M
z%?{p1v$xM9L!<@{KB9;S(k|>V+lMS$9qebT^K{AH79>SwT!T-H2A!JFzeeR+DJ4il
z$&)dJ?1a>+^tEu+!g6Y08$1=Nr3SmvSvF=dE_P)~DZ7Tu`;SEx*q+Q^NRUK3NPai7
zepYqvzwz33I>e$^iYxwi{UIP|DL$DoELPAooiWVz2E|l#9hzSiMV<8>zUWDZ2}d;2
z`keTt)H^vJv!CCsz?39aOl+6UARMJHCNYo**pCS|TRERe>C9qAr<q=rDO8?bH6<g_
z)TaO`okGDEXSTTN&puqSiQF<YRI`tHV3_s06ByO*>0)A4u~n5D1-K@^_f3cOS93d)
z(Kz$fWx%R%z3tgDcOUtYl|tkOsqXq&?>)KC9s1SYcpdf)U14I$mJIskZApg-<cJ5@
z1zpSZl+=RShi@N;rG+CKF*@eX7x;h<M>+vVT~v=biqupGMR}{p<#Rr_N<ej>aBM33
zJA>3o-ILGx+tSIJh1D!hN>mcn_wCEHl)>v4VU~&U-~zqd1%WchEkJ-SPl#4tIX^{W
z6Di>gKsZ(_nbrq~Z^+EvP~TASBPQ^t?AL&oK>FWt<3b-uVN&#S(MgH)x&SV~Ua8s+
zP?b&!o-I9>Uxn7zED<hH&?D&paViuu<lM6`z+BeX2Piy$wVG^9OWxXDIdBE|8N84G
zAe6TT!gPxPWbrK;po#QHZ`|#NEttA<5r67j>tltTguwf;OF9aw{N%1|5V3AC;6AOu
z^FN|HIQ&<18_xYoUV(}NGw!^Jg?d*Za~#n3qQhe^6xvHBw%lLF(CIWn5pYT0$}SG1
zvqS6o>|P4+7E6ogeid(@wFU1#nj}=1nh+#hB32LDFIoDppD|#64I#76gzZEo^+bBN
zb6ulG!@xmLn>G&gEV-h%{5$1%o-;D1iA>Z)nTfJB(RS*F_+GWdhwf_7N?vbLK*dL-
zZm->YADJ>}R!k2n<f=<R5PADD^HvdBiscjjjq50xu`D1y>^XLthO~3$YnG$K@#_%^
z9o)k(=<nX{ndbRB_eTEZuHWzN<jlLA>3$y_>}OJ1#VH^jqUA!evZ`$0&cjB&nC?F(
zsW+Sx9|)-BNF{}>9US!ft^$Q09#~b8dR~ojG2Y$i?ja#9h*ZVPp;YM;`T1NN$R|Py
zjKwL<h4<hbX2)t7M$oy#Z2nGkwWQ~bls@43CH=8N3Jx|0zphiCJd^9It}JD6-m$0n
zp8HdkQvP~vT@p=Ve9<&~r6$H0D1J;9ahAGI(u_mu`;YC|iWuv{{$pU>$y@UpW$R}r
z(|e&-d>OW9l52M^6JL^$pa`Nb7;8C{F=W0JShGV92J8gy`Y@W4Bi~W|KhQPXQoYd<
zu>8PwSPekS<&lQ7GgPc~|0MpQ*UH0PfA&^3-Klb*S{_@$oDmgi0LY^*@mhVtLAFiG
zkVvHvp2%(W(APouw#YAz+yl86q7l0_G`WcU3wVxDm?+fTPEXe1E(9n%%10A|WY-|l
zyx_67sp*}=vcp!u06msu_M0XLU-dM-(1-4_$ys#3Y<rfM!7F=x_pTBK(cSlSp~BXL
zaDC1@!{8TYv0+=n`eaKa{8*fsZQ)iu@1t_DGT`DHT_|7w-mmxc$keg;y5^tHy(P+w
zn}YXm{MUGr{I*9f&y{=P0<uh%?cr@sHJjP39Pj4#k3z$<Mnb`8qg6v&JLA8!mw2rL
zR|@GdV%lH7Q5GBB)kNR~w4`q&YueIl<ZdPMt0mIJm`3@u`M#A&6>rwF+fQHi);7qn
ztV*cf4H5LR7IE$tZ0-=@_u)LBc;G?ftZcYQR2?}xs9Qd21{^HOCZyy|p@z&+*q+RM
z<A%u*a^-i?AV;l~^n5A#JFqSgOK#LE<TQyfP?g=eD;qlZ3L8G_p>8K+N1icx5K?^;
z@{P68bPdSlHHcO}Oz=f#CJ*BY+qsjuz85lq)Ao4R%R2X;lT*3j`Oq>LA<x!41~0So
z_55d@TG}0cjxV#3FEE|xZw-Qy{Kj!gz+m?V;pVSThD(RQ?Jms{3>X>?q+X24NjMtg
zGG;DSq`)C(fQrb$R~d3zbsZo3#5a|14$m#4n;ocp(i0hSGRH-t(^pSH`_*^yKimDg
zs=rt3Jnroq6h3>keU|y-Ru0X&ktXv_4i|ShC?A;%E5*pR^UYaN2kVpVx(9SJ5NuUD
za4|&a?Dp|8{S~Z%m^LgWcAYTv*crJON*NfDWokkg;555;H=&9HM13<@68jED_o&tG
zuY(0qR<Xd+m(gnJw7)2u-YR8`JVS7evOT{QkJe;ZKLA)%{959KMHm8>SXpfZ97STd
zq64Y06LjYjO^?Dl-@aY!cqMvG%Le6r8TZYBSZx5=_DDuyKn2@hV4D$P-`uN&=S>!f
z2-EI;hcgxNm$==30!-5b077|uMR*6(sWfYE-)cE?X^v#r2@?N~EYr7UJ%ge6mEygJ
z+}QWy-CIrrFa)D>8YtPk8deP>X8^%AcJsqKs1^l4=AC%uzix^#4KgmJPN6Ovy7n?-
zhZoiBl0N;idAC3Ah}0!b8MF2d*9?yBUD5EFN(>$F3ynsy!Ak&??7t7aa<FkiExheJ
z>DXO14UC{1Rlm0Q$RR$*CP%VJF6Ix46j+v0R1Y5TRZC5yxVtECr+OzW=mKPqivI5S
zEh3iPxO2T1(cop`@!%KvVGh(T4hoMdm)I6Eh+b<%L4<z$deEhwJ}&h`7E+*^PGHFH
zmjG||2SrrLNt}ex$)2CbP`<9QuqDg0@~n{JAQFTRi_<3Qv_BO{9H8$xQ&skWT_{Y+
zi}Jo+@TXGji6?WH2T^6makj^;&7mN|f~5sPFxYBLYi?uP9C-C^(xJ#6Lz_#nG=FEs
zla~Ai*Tz&#BU7@`7+-aX&pI(+T+u;6-ODc*`BH@hHEw#;x%Fwo+7L|Ne*xgg3y)pB
zH%6R2Ov^LThghp$L2rSH)wx{R)p1B9MnIRym`MhVo5V+zN|G8c<*h}H$hK+O<DdQ3
z!RjI7wQkCVIw<a!%KC=e^)CVU1_qL;6kw8aP)ZaNq>&Z#@83Z%HTiH(i&e}}9m2Lg
zOPlNyQy?D?(rPu<u#CxJHMVY(t0y?WuARo$<ZJBbq_&%gJ-Iu7jvIyJQo(?u(OW%p
zjMpjzpJC2}L<PG-ePp|&2g9F9*a9+7i5*`^4zD1z9v=LAP_u0l_CE*Za)a|TPu^Mz
z10vpPopyRj&$}AG$bL;Ib>2Fvj!4E6I2#*ZalNN5rCKP#*|tRy$@}upX~)8ytJs~9
z&VeKKNimEEp#tjVu12NV%sYmc*La0RDq}f%mt4>7*?Ze3)af`u?R|7)RJ!2>8eb|2
zmR6FsPt53c#V!0(EZ6Xm+8eNB@=~Kvxp8&m<hw5!n5ZgttwXt<tD<~ym;AR$#x*JS
zvTm;t!J*Q*xAH#1SW;N3g1m@*%bfNsA`EGy3=NAC6Yg@4W)2|<s?M~UB`D~n3HNgi
zJCE=T)SqQHHng4&-Gf>eiGhTni%>#0yAqjVRABT}<or!Ga;0YXRRd$t*1!@Acaqw6
zR}MqDw-p4;551rX_K~3V1E4s+?XPbk>Y?qkuP?E9xgtDinX-xC3^NXR^1dVBT$7$R
zdX6+cZc9{nQh*cnhct2hi0|Uj5@K<3lERUY{y>K4(V^1Qh=#W}dlQT?YFr>Zc1oPv
z#r<%*V(LL2oqhT$Yx&W%`|RSfLH<K;{m_esad;4<iT-T2WBPqo4S7)yiLaKk#Hr_A
zyzn77Ner*S2GK#qhv_CBTtPbHq5XGJAK;sl-~3)k(i_(bJs~Vt5PdFwCW*Q9`lkhF
zzzngOcu4(ctby_lI&2T&xzTOZjHaje+C8^-i3PVad)9+rK$M<MM-c6N>6E}2@eSM}
zAD?AwLI6?C!X41SqDa#h@}M_<d;o23a5z3JPN63V{|S!WDlyqBP_#!~2@b}x81JlW
z_WrWIXKR7@V0*nnpS*Rbs}YRY7uQvZitaKVgCVq?dt`|S+ZE%EXT)xa6?6`$4oc+y
znnCc=Vqp_FZ4!A_s+eNIUZhqiq9u+Tv!;a<5EqKF1sa8NjnTtk^;;u(!fV<KwK;7w
z`xpp`)89CySp?U7fLBA>kvrN%eK<HPQ~0=$E{!ODKV-U7Pm5M=37CG*^?J)GO+j8h
zo1FF{7;Q1Us}#(jhKGJyG%RUy`#Y{_5q)(I!ax!xOIAf{M|?5V?5%;;$GcpS2ta}A
z;brOEhYCs0S_4r;2&IJ>igg-8Mg5FaE8&kn&NjPpjZ_k?7}-)-lVSK6L}z#07KcSA
zt^A}<PNKrD1D{<yjnS&};RC{CFi2s7>sra&A6f&fWJyGb+q*~1iysa2az%U_c|ElD
zUORBKO5i~!2~*VS9UhKM2^o~g3MMlWJD!4+_>V$Z0qUy1z70S;eg6v4G-8<L;7+D=
zd*_*CgZi1|lHC_ww4OlEB*y)(#Zwf8afSY;DjShOY5VCG=-k~`@6c^Gb3m`>3Y<KG
zAlm-g;1iK_eq`cTMh>fBfgMyf79+P}dez*2J<HkTOOT}gh4=3}$^axpL)6O|;I))b
z7~*!?Sn*-)JE6~AM{<Y0oxgz`2&@EfG+nlMaboA*R^Q9wos+)#oaqN2smYd9$KrYF
zhHM{!`QJ#r&Tdw@T^sDzyxvtn$&R=PHV&=Sc{<)DZ9l%A-zl<loF3Lu-Lc!5>IPH&
zL0WgK5sknhO5)iO_;Y8>Jg5UbLR=Ag)Dmf)8ZKX6Lfe54UM(|Rjm;tT_Njdy?_q`A
z`$And>%}6NT`)F157#MzXUY4Ke65rQaFQ-we$2*`BZb&w7n$ZGg7)xmvOrD|&0j#$
zAaezJkEzDW5l>-GFr(i(S({yXb*P_yB|^n3XvU7?PF2@3$*0Lf4CKlMVUN-k^dBdP
zO`Vic>gYM1`{aT|m5n|GBvk_Zbvg(;5h6iw1u7%%@|9XN=479RV%KwDTQ#;`p6Kye
z`ehrMbt;N3wSPVe;ms2Z&hH(5_qzXet^M;}Xjcmvk-wUS(Aode3)1bzKya#bBf|re
zXY%a%&m=o_2}SlN%~7#5VM794tcqQsXU=b($o^FmH?OGlU7=)4pN0W(h|eU&alWxh
zl`sLne9_<U-qEH$MIP$zAs#_i%Z|w2-3ML-CNO3D8s#-Hn=D_&8C7vW2dndc&SBc}
zH|E`Ot1Gk8&YTP8hGs5(bxa&_eyK+9Jl1r-DIdO1=PWnds~*Ar5!SAEb#LoJ1is45
ziF-kW4n0P^KVPcLaCs}1VGvINf^^(7s4+Rx+JEWeyvK-@kuy)dGaS`>CSM>YT@x8P
zLYLH=H{IM^KZ=~S^f))(j#{CySc~23>6MC+SY96whgHhW+w4naC+$ii5VFLMBs#tY
zg?lCpT&>T2rzwL5-enbH0+usIjHsjXa>}pPs@jAjk385LM|SFE*{!g1PlY4hNXNVv
zfb480n6YxIDL<_Ix4zF&FjeeA=eE$@7)XvweZ>4|5FIjYYA4r$5FiBY&fUc$U3^&o
z__KRs1JP3HBv`}scQ+@jl04e4NFM4-rR;Jx7dpsK?f~(GXJgN*TdGC6%2TIzX@=k9
zR9UBY8Y+EbPgeNBIk<d|6r<r=*|;`<_d9=oO{?L(TXIrGPR0b@>e(WjNjv!n_$nKY
z6EJ&|fb1{j)uy8${vf1>pCue{-@&J@96u3!4xpkADTitJkrN-X)_2thChwh<;Cd!8
z-et{j4)P*FTa(@AL){@j5(*_c_2Aq?bc8E-W(g28u6dLEcfhlsZe(ZD(#JD6cG^_V
z;uw082lBiP*B{L^dzjbIzPw`Z;Iwe9>L#t80|dXW!B2_I$PCW1Wbv%>6OTync@^A=
zY02F;>XK`faX1P`TU~c`x<5+IB1PxOqdnhT_gdinSRdufR4u+^DTp+WZAkTqA&zj`
zl!;pLKFcV(nfJ&t$p#f#DX1kd%z4d03F&C~z0F-?gqIcRU3vb!JwcAv%%4MJ3X-c@
zVHTC_T(7$Tb{}A~#gK+4AbI00FuO<`fl-p^Nu06if>8U9*+g4*-R^}*s<$z_Z^&l8
z&0&h_I&3}BL$N9LT<@<wWi*b*@E2s;WNV#8WQkz!{rY9_wfHa$m0ly(MEhllf$05B
zD|p$g?X5`VUC<ei5M^x2rT;g6Astz5nh;c&XL+z)p#R@dUICoD8TJisLvzk1C3
zRdr{y7?uuHKUXn(=J=*UvKD$&-vRplJLN}GKyb2&1KsZ@0gPzGBAj-2Z439|_2u-{
zc{#D}`D(5R$yA0^Yzc~&E*39e^lJMWgi*_Qg|a;r!u5EJ0(}YLF!l9W2eHX`85saq
z*MYzRA3~h0yhbLj#e0UdzJu$o<4=q3B*uHgWpBA?8d~N=GU7owl<}Npv+X_3VR$M&
zVgK36c%!i$8F;?>2ylrNC=6t%Jgr2?mkOI-UHe00BDc$YQ<cPC+<oW0>ci}G8Z?mq
zeUD{L*W;;0rs0&$x9Uz(I&f!C8>%X+p?t=Z<=&f=L~wzeFj?=l#}2#xY;Q~{d7d;v
zkKZ)DPQf)>2i$FDObN<4+Gd>!EBfl{HF@FSg72THCSH_ClY_7zW~sd4alSA6o`H^_
z?OVKTIxwevj5xPb)BVjdz4nS*vzLs3CrpY^IP#Wnci!oqL@!glz?F{NwA{1g#Wz-(
z;ZSw^aeLK^HHjNDpi!r&^{D=5{HJX8=I<6Pv@(OJCYYivb$fU2Px<3b*@TIdc(wbh
zLuzs`T?mR@L%jf!HGIA7Lx}Nm0{kyYI!htVkMpQnN0!qY&ph_TCi|vTGKM(D;r6?w
z@~<+=OYhu)Ss1t>Q`g^z1Qq70fS6E}o?@9)IS~9s8WmoAg)p5-M#4e(YJN!E`kc?I
zUxmY=SyEppg^(f2`L0W_=gQt_aeudwy?F!TRsh<M|2+%PJ-h?EBiv(P8Z!g^Oj4dC
zfvjP>6MF8|ZxR5QAQcQ%u0mbY()b!EQ%WTkl0`|AY*|ET^1g*fntPmB)K+t!uK*It
z>>mvuC*tkgzln{<%gP5~<nM+JQP-vwsb0WO=Kp)9%43D{`P8mVdF$3+xzOOw{n;i|
z{D3x9>E=$o{XuX0$~8D$p1>sjHI>4e#rYm)aI&Pl<)!H-dLWd=rgwyQ?VY4#@ow!o
z=h%iq5^1M=UE<kCfZ$u7v4EDPE0s8f#X8PP3B*wEv;r-;xT3N-%jbPA^#hRo5v&Dd
z$eV@Zjd{x?7Z04^RO#C)gvXqp9ilisVTlT1<H*^Cu9<EnW9vnju@;e;Agam+wn`5X
zAF9IIDVS%xX;YT{IlFUj&*)=?b>8yI54Z#%B2%XVl)bia^tcUid0+Iiwxn-+>BWJ3
zdRqF4P&R@L%Jgtb@jj$K@~;gPlg|3KcJfNf<;!Y$LXj0nnD)XYVG|3pb44l7d77(+
zGVjb+y=k2{^a3^%?sV!0Zw3M%1glWypI~t{#jv>GBCUbGM~@0;$eeV^MNbEjSSjXC
zJ0@>q!0c@P7QJi~{LOw72$6}1sG+L#<WR2xjEn+^(3F(noeeTETbI`!;if|r#6lJc
zXdAOKG*nYzdFse}cQv-}=GUIQuPL(uGZG(-V(`x7y7(ZzbW{#1_~FcHT`x9{d2iS&
z9Gk?{2adPWGYm@WOOT*QFd0F+5j^e=#kPo<JIWIMuW2)75Y6e;4kkA7F?-uP+wjia
zb^W|&moGnbIvU;hQE<IB-*|q}GTnDDHM(;1Q9+#DmwQ5~bMeY$>47lQ{v+f;j#Su`
zy2mH=U%fMm^=_Jl91#VW%jbNMi%&%dI%YpYohrO%vynbOAW^>;7StQViu^FHr^I2F
zE+Zay#2(s;L+AJqHQ+!m#z~Q^Rk*uxjADn!?bJ-Nj9SGK<e#7PX#VEgHPpwY;pgH5
zI0MqyrhiZkA0TqRClT~a_>|82p{*GoM?z7Qz08sx);BiRPxJo1xOYF8O4FpeL>5Z?
z$r}&li<A4SL9qq{T9<TZ-ZKfhmU@|EhkV)8HK4gB8&v;u1ELKr?u{I@-yVg$-RrcC
zyqYGrn-v8Yg=lLM;X~*=er65by>$NFFtd@bYt;UXn0B&x@NIw<)_zTs*Ojr?O<(Y1
zWxI!3zUED{6W<R3Bi;69pja|PDi+S;4CVugpn+?cG~6Cb|C0Bor-y6HWOP!HUgw8T
z*_u5D9n#&+HG17w-c=I|e~@s=ZZZo+Im!^pnVJ$tEjMsFa-2C?A%9*u-W5UyWsp{1
z9pP$noHJF@o4K+g&M_Qpeom;l(TAWMaUVl5;n=ABDrYf4^d;_@D_ZxD201Z&6fk4#
zVj}<9)9ey;cJ}sD8yT`UBp_CQex<@F{&MYCdGxRh(RfqIG{Mw^r$wz?WbZ|KHfI%m
z*(4xIG2pIv<>k}TeRp=aafl7}+TDUntD)<%{*n}8vk+T<+(%L5KQ4zKxmc1jhBoVo
zL)kHzvm0gmslv<DNy2@&Sir9ie<n53+Y)H-RB*Y)Q^L=tH}2eP8c|^EluqGr2?PRg
z0&HqmKo>@~TKW-DXC2%m$^C^1aubC(_l%Gb*kI|=DS)+eebG@PhxnmRQSkPegsA!>
zBwV%Ba)#KTgV<eR>B#qJ!NY~0eSHh%%P=G5u-LeyYmYCD_(I9yI83ueMf)r_-uZb~
zogZubAXOUVb1m{x{&nufSg~8KDOB~P^dK2DPyoQ}_*oSYK;-jx4XUfwU9`(k*s%)#
ze$%1LtgP?Q-&;=S)hu|s894NW2Hz2MWEK7CYx})Em5||b?No3k)~<K^RhNZb(8lRe
zJ<7Z1<iOtjwoXF$j9n<5$~<!vq;e=c^ehJLZ(U!$TP)w?NdpmY;}G(+^q&x-)4_U_
z3jd+RyjKD?tU7ZlyJ$cZJj}Bssj`ZNxb*Jo-f~X{!8eu_T9n@Wr~9|ZE^b2H{;dE2
z*Y;nj7oPe1Zy2A6il`uSxn_GDxUc)}B@Qf3QACysaf*LeytTZRotKjlo+6xOk`q$E
zb_AEEfjOU-;7B<{lB)H6(+B8gTlhQ?7yNR^S2S?dpE*6!Hq>#TkGI>rxK1lij0gjc
z3j6*bC6>|AeZK(M?12P*_8c~f2Bz{qgy29dyb8T-;I`ZBLOVrnc5C;Kvh#y*QUt6)
zG+>GN?%kK6%5ou<wq({YsihZ^PW0G0*YNa&gE5G1lPC8t-aVJBZ5=hX;<S9%d=S(j
zkSlKmew3b-V6xdR_i`{T;82$vMBBs^tpx%KNUF?4f6g0nDI1{e5G;($y0@qFHKGnO
zyLS01H)scxR!4ZhYMMLs+qL0XLCOV$k0{n2dZc!f*RBnm&m`8F@54@Sv??VOdd7In
z-=k$_@h#}?qn+=@vJWJT4G&PA`e&a$%R!$L5Xo{2QLdc(xVLX(u)(FWP$lu?4;lDc
zw+&{xQBS_ct^bKf+=-AbmS*~Wsq;f;W$!RbaqvCfl+bRPq0{*fYiBz4#z!af>`A`E
zD)4Ur^b&hBJJu(XL<!0Sx!IGnt(zrwU0s(!=|rl;x`)nt;cfAIq2F{!VlAKHXDO&R
z>kj-5ZUhNA+Zhnj#W8$izNsrSKan2-VcsH3vp&At`!-{7^We?7CsW2Jm%ocK%7Nt?
zqp;pL5}Yj_Qhg>@{zi(z@t;+YD+S|yuemv~M=`y}QIzmvK6*Fbbm5&#IuwigJai_!
zAVqd><>ar{f8$ZpqR3BR{A`mEMqZOh!!>_)?$!RPz79TN=fF=ceP_g57QT4)m(_u1
zeJ9}^c@)W<;WDDWxoca#%6=}^PApJ>@r}8=c0!0qsIKF*G=u$qAKsn+!1u%XGdY)r
z#4M>(n@CeaPM35zb4YSG?~2(y!3>dJ#AAsXccvMSnz~2~hsrT)Xm(MDs|VfSPb|n;
zyjWY;ZYzN>4EgPZW0~)R3&tA4IaOUny1v~DX>tc1MKY&SR2JDL-t55@l$Zg2`W36^
zuU{U>CzE!@n(D5IC&P~&y{|gr@LixVJnnM$`I#k6_JK&&^<GJ*eAYW<j##y^XW$Cx
z3)DP&J>>B#%QJGC**rJKp1*>mRre8S*!evhjWswkuknj-Q=-V!a$l&ZOXz4*1P`Bf
zX>kO(xyQWS#<#b_X+!e8@pAUIa2DSMG&EopCk!3`ob@)$)FOMTN+tm#q*7?z3C|<R
zo1`U(wK&JTd<f}QlG6j1DkEa57op**2Q_oc=wKBNUF~y+nwRrEJ}42I{f0*z4oNQr
zKh=>=L$sm_B)k?V!&B|tJ0FG{LB3ZLKv>J_T!hXo{fCh4Kkp5QhP}TT;eql+#soay
znxTjz+eN>>^T}2N)?YiNP7h&a2`|2>njJ`{m@Mqf{aGy@uEFiWfN1pG?rd{Y$zipx
zP5D}cB$eiJp3a?v&NIo~oNHJ{g0<EyeKEwmzhk7qa;XSB5Q0~6dHvW&YBz2(N}|ju
z(1vl3W`uGFO8MxyVu`TDKXNImID^krXy@)A=pR-u?#iV58!>3@Z2(ff&KLoTo^Heo
zX%1(Hu<S*W3A&6D8{1Gi3QM{p<TbfJLP&IyzItPd)-|-qfeTp9IyKb5i$;b-JsEBI
zJ@B=k;hHaP;>2u=w=ml;x^uF)+*rd#cxD6A>TR|nqvyKdt!AMY7QWKSX?$v>oG_<d
zvnbDr!atN{Uso8FD?RnH<+yx4bsPdon1GfpE`v15oUBE8>+T<&-E+XtPCvdXusc%A
z77b9UEbb}ZL##bE7pT{oM3t@D^VuTTt+?koA#m?WFL&vw;?Liz=bgVIe&s-pF6Pid
zJrgDYtJ%J?rp)LmxIpW4?-1l{dE3hljarO`s2gckzBg6f337>%kf{#wBsqK|76X%a
z)4AvGLULh)P8c7o*?ZMYbE46)Ez}%JLJctGG4a7QbWW%(8Jc4aA8^CE{`^JxM*lx=
zdB-~N5O$kys@bBc-+N-|db`)zTuG%++k-cZ5d5>;bG1Gc{yI;Z$1HiiF_dx?Spx1Y
zJ-91t6GrE$gXp>G-eNU+$T1?txtBXh`=k2*Q~|G43N$R0ojcljy$IZ<qhgsSVoYz+
zx(A&r)oqK^dG5WqbMvOrUW=GMaTVsA)6*OXGjlrVYBH-GZ5b73j#qK#+(|&0^t8<j
z#lL~cQ6G(O(gVqjEq=ZgOO+pA-in7~51C9D=HHpPOy}!d5p>xko>8vCyZ<c6qQFkI
zb@K6s%h{`MPWhA`7iFkKzb0G!#D3GahfFG>MbMG7-DY~|bAYQp&LVIxtd}dB*oamX
zw@qAqMEtkBuP;`tT+^rnNp^f*Q{`qYZ3~C<#o_lR``_gT|A<{<8``bM@+h4gFOsAx
z_+9t&;|wP5V(w6(2LkkR+R9T!e?h=k1=aG02|h^Co!kpg3s@-cm`8>tXmec1H+b5y
zj&3@m*W)GHI?um7vj(bQ?=;_&Ff!sg=;snSyGqyKM<Q>s$+jH23C6x4mcQEGbOu#V
zj3PK+Q{pA||Ltw1Sb+CipPdoQ>5F^EF=LTNll}UL54z7V3%D6p%g%tPRTEgzglu4R
z4ayWbA_xD)3Yp<W#{Y0VT+b`hbiUm2YLtAOWb6*U3nDl9V$lsuMM1jnvM3%*vKvyh
zl}P2C0Bglz*{tE|Sf9=Tj9tU3wDT=o+{+s{Y(->=QR@$JOf$`0i*dPki1ezMumLOH
zihPm^J+o7j@@P;Db{LUz!oHQ~$NE1aODkgJ<Kb1sXsqg9e?vfP=34Ne`z;(ga#>Fd
z)66ydat7(`)JH5ID}uH+(MLL~eISkAzD<KUrxyNo^JzowJ!x9INxgv4#iNn-1iwH^
z!Pg6cb_O&#+|*gL(8AC{y_U58oBc8l>zdbsFg1ttY#GOIGP7>x5E-Uz#%bZsrXb)6
zlTiPt(lGaGvZhtdrPy=b4D_qB4c~j1;ID_*UE(t6VsJiHi0bR3r~Ni3adHJ<tlBM~
zhh*`hj5BL?W(b(7Ej}^Qk)ma6O<Hf%I|lk1!ex{|&E!(bZ0;7P@)w^K5J=Uz-CN(n
zYu+3{AuG80N-aY*L%dTb->`f2O}LD{ZBAQ+rkKn;)4lV{s-wrxxFJ^9dXAO8*6;LX
z;mH5f@<`6)@AwFB?8rL^X~Uno`4W1bR4>bd)A|~V9<xZwXaEjrzbZITRJ6>8rF`bQ
zI=LCrQ33s8Ga4teZVx!{dWD~rDW%R>RsS=*BlFWmIjp96oHz8y0e9TkRy2={`^(42
z>Y5w)Fta*xD=r=yOwX*pKEBV{b1n`2w5_bH)$kD(7pmz~TPS^bk!(N4F~18*h2_Xs
z%)v?5>ZFJd0qVcECrYsl8$sg+lW}1;@BKqmX&AuHh_G%YPoey-svVlhJvSGxV4&WG
z`%Pp2)W(Ot^j9q|Yw#rw1BofV+Pf8e^prY8BTp*H{Owyk_eWvDuM=32GP_dK%~i3}
zTWhb4`a3sISgDg#d_ENL*9Ps(6?`*#xtSbR6+u6&%J>WHoCWn%^9Q33zDHL3$M7Ax
z<PLOCJMIJ^BZt6L51w{rl+B-w+MLWlmJipOmVlK}22AOG)5L|5iicPg_}E7?17+Rw
z>B_x%ovaAh1t`|m!qpo%wm1^>(%#;_V^bowM<2UwM>_P;HegV$a@Wgjz<d%8C?T)G
z0$}Px#5xNMQr-c$mCBjMoMiJyGDtFx8GSGE(nwEE`k;D#EZO$lPE<lLj#*HJ{B6!X
zxZDzOBZCT*;~?TPu^Z<54evY5XCptWfh#s+kzPWUj%v8(lGjQ<_L-!Jn}NAp<Hf;6
zgYKP(nZ5=+HKywNb;~Lso023|oq=TMa{cZ<6WT9idxpnOn+{nhpIYB8+j<r=i5JBF
z$j39mQkcEW;)P5t(P42>yDl4jGBm$2k0Fiu#Lp}V36O+D_LoT@=B7^}0(hg9W{inD
zdxwu3bM9|Pkzq*{9i!OMGE$S*_?~``n!A0e$a_k+UB98+n^OjEd`hI%%cjOGp&jhC
zg9&+P*k=xfgH`XSEgE(?y5db~ZP_^hTTeAhg;j?SnG^zTE*68T#2;g5V<l>zdap#4
ztz4XG#2G1M2jOO0ztk@C4fPchhhXSsE2m<4L5n_FJI9Por@|>^hdFPiAtS5G?g%*E
zdQfR{BPWfK%$KT7+;J@)+J8&m>M>!pj{H<u3pKa~0s-5EQO4ef2bnqjd=ZGNQz*ij
z2)-vJrT2cUAN?bfFe9wuWeTkadPo{2iN(`+(L7qS&+J=$8hGw|5L891nsj}8Ut)tz
z2kYlsS=Xt(+qQ+NlpW>bW6Mb&HiXK}9SM2d{4OJE;S-YTmPds!9n4P;u~x7#8Jy42
z_~LGuJh10#KNKUbjyk9!T&|c()gQZrn}HtEGm=>wv^R6hCXjWtaF-yjGpG`DiKMMn
zyo(6=0UG2#RnAm7M_arb)h4~;{~5%6ifd>c`eM4Vy$2<NhREgpC43Z{ZRB|1HNSUB
zB=Y&fGCce$y)%_U+%+f}pHJ|a`@w?;OC@kN74YCwDP61)=rm!zrI=$Z(0kFhf<KCu
z(>|H#au}7<M5p=4a(`NROyLhQC6L37b!xc7x_TXrNf`ZtMh6a?7ApG#X;F_Q-7Seo
z%vnlgux2PXRnCm|yJhM^b_#TFvW)a}cWGNaa(MnkYF0t&BuL;Zf!%XKjpXDgB88|j
zNe>!xAm8n*gwMU+##S!wATxDsU>@1jInQzC)`qGQ930a;zADha`)a1HgYQW7J^A|M
z_qJ)OZ1x!#-mek@aH$Ow6hko*d|v#kw~G=ASh2El<}BwPIJ8N6RZ0tK7GBC^#gAN_
zdr#ZMsi7!`s@s~?M<`3m4FJAWY5DiHX+1OUcgp0LT3jk;uVv>KYRO}%*b~+%FPyvX
zbt=f)doS;r7340>I>Ng50I_l)_#Bk#wIl*UcD@Inw=;hm?QsF}!*taNe<KHd4GQvb
z3D_N{Kdtod=0!f+rXb=2r~+Gos$s449=}?FWMqiWKJf~23W2{|G)9VAGmzD^l7&C(
zCz}%-@|R*<@(;0>&HKoa|MyeZS7gZ7hb~_8rSgy2-@H??LpQTX9q8&VX~vZD2eWJY
z(u90HR@a+mZ86TT)Ze;Tf{k{}->b=0Wu35Gzqab`?1aLIc&B!AQoU%pUJ+>nxN;Zb
zIfEml8&<un+}vEG^&1r4Z?p(6h~4ECoIVKZEe*(}Eq?&}E6?Mv?7F|?_wU(jlt`-*
z3*b<jAV=(+IzzNL0G+2agtdq)84)Ic*?HM;gaURsOZ`SyJUY*0jd-ALY>^|>G_){F
zptuT<fD{-;2SEhDgtC5v|6Zxb+>QcLY0&6oKA~x7X?#Pchq9Y&ocH6Z`s~EV6?z7O
zqQXlak7{DMNkoGDp0-@_I(H4&?xD52*#a9HvJ?m-j%>5^ZO($JV!OPJq{*UfK9{Q<
zsl{6;F1Ih5q}rCT-_7-iQH0K6KW^lqeuX72DzEcs0E88@#m-@c8GZZu-b|I|OHK+@
zv+$D0j0_d^7w$+%sh|1!cD6oWNtoL?!{@>-#W-gO5b4@p_YmGH9Emx~vMU?#9&V)<
z*WYU<KLV<jcc27_eoX<M(c|>ZYETnui9w1R`*&N-`YL(}TTRY_-LkpfS&ia=$EtG|
zjpwl=;BA%3^E<tPFlAM*e<!cCXyPaGiF|dpe78WaBi-gIFiT<}i=?kUr0c>55pvCM
zy*_dum<5$XE5+lVp?EJ<vbxR<-UuH0;6=M>HDQW5SbL{s9Bo}=*uQ&jY!AdZPu1o+
zvWq=JDOI+-k<7uCE{MwhV*CN7^y?Y_&|&>wgeH)7aB8vP8(O9F$B6Gz+@QPYL`dtF
zgs{-O4fO&21qlmm4P{@nX+qRd-sTo7sv$|JgTe72YW91Cgn}qLvjCuecm5J0>pZ2m
zIbC_v5UCeI<g%Oi*`?KJZuB7zWw&fb5O3}h)tn+K%f1>a5|$)917#p#Y+6gw)tQ;Y
zl)LtumsUC%2E$WLrgMu3>GMm=DfCzRa^LbCXT4LF-S7ZUK(N2GgoX0ce6fCY-&mG4
zK)a{z?s7V;G`ibeHD}JyG`=~&C6}n))v(-Wl>O@xB7HHu9>85#&`+hmQE~FR>?h#-
z**sitb?0|5?+(f41AOcr%KDQ+6!kFvp%DINCwlDOM^tfEq2waXyT3pc0mGfdf(RR1
zVH}Y+4uK|Yq78U;Rih~g)gUMMd5(dMc{zkK(52WM<gQMIL1hyFJ*4E(SLj0^qM;Tw
zY)jTW4^;@+b%czZB+raXj5+8R!+3JszsD$N60hcm``!32rZ+^Yh^MH{I3xH+j2+86
z<F&AsF*kRH<031?>aHyuY*EM6I2#aFd#~>u^!)%A%-y(jmNIi~Vg?E%hN_<^#=@Ns
z*_*HW(zAO`?%r>F2rnyAy`gp0ZWsQ#HsIo8_XV9HH`o@~3S>5j_F`y*TF%i_N{lLQ
zCu|XWVyS1~iXE6>>^nfDw47ymG*yumq%WWGmSb`j^wKpF&^5K-lw>R*Nx>L3-mGOQ
z`??AZ-Bfy~Z}<nZNIh9KTJpN1SRYl~!3QX$9wtp4o>ruHL#rX^TE~^sN$+rLmW3_7
z)W?1!sLrIyy;pbLpRan;%$Imbh*P91h;@hW<PV-8$(ItO4<DckE*R?tiu0SZyOuxQ
z1YT;(yxxDc8U-g_tj?obEv=7C!$8ejJ|f`OmKnX22jT>TPrc6L3oP)TiD=%Reho4!
zcth~=nEhM$NEPE)ZVkgkGTflj((CB7JfDalS~rjk(`d`eWqeZ!^1J|!-zsH~gi{U0
z0HJ8{DagJt@5)2S9Kc`CigM9$l=W^#Bl*3u)=mfrB=@noN=}(E7z6@LUf7p|D8B0_
zCnwDukrazHgFf(fYebPdh{-Jf>$80`{61akAbuHYW1+TSHXHuB;zzx<e)nm~o#a^%
zcUP6Ftc%b=LlxL6=-b*ir4V%xDc7lA(X8J3jO=^jl9TP7Ok^rfRggeF)_+5;dyJ~!
zYq$!%K18>JLm(%K(Oso>@)c@Lf3=4dmS<?DzHSqKs;ua%U9PEsmg!b>U-}t#7H@&?
z6bm(wX7p<55QxW<RJyght*omYCz~#6t69l6v_idu(;_tcYCw$*&!(na=B^GPsoJ}8
z;EK%VOe3~3JY<LsDt{&k=C6LGy?n4v9vS0yt>d5_{yAf@f-d;+sahn%xgV_nQ?z!|
z(M>oK$H5f%WKHxMV$(S}I7YGNhrc!B)=^Cw@*5t!hC`<%Sf#k+(^qG<Z1iFU{bPOc
z``up`Mb89B_M6uAVb|q0osD@fIkh-23p><4yHEAp!6j~`=!D&AkBg+a#i=^jP7dBY
z=b&8Zt(sqXgeQI~(CaL-IKk_LW~|0druChpF(>M2NLX??MTk`|bGmA+#JfVG{H{N1
zpp0q4mYXC)=KvurHFkoh5F{%f8o6kM!0xT7LIRb_WlImo(k=86&?EpbEAm-i!#%w{
zj^bHE0n*gn1FM~3LSxUK@~ce#z47gb|C{saP449kv<4+MXXw+%3fm<86gk>u!64|9
zy0<BtxfS}T^(MIZ=Wn6qD6e7(QKJu9IB<fyd>X|QL-fti^jlL(lPDrH{9fL`=zo+0
z4*VqWM>ers{_v5^1o61rGTyoz<atv&Tv~}djX(WoMCeYUunO3~ee`<BeD7chXtre*
zurkRA@Gf7?+Pb55DR;CsEW>1jb?xoG>86|0c$upg{1h|5>s2=`RI8=6Q+GMjL+8Gn
zHf}ULd4(ciOzS5;vU6GhOnP)|^is~p+oXX6$iN-O@aCTDZ)fu13Zv^|n#r+-^ic+N
z87P-_e`EurEhW9dd%FsLrIA*MbGha6(IMU)_)0xHJDKdEp^70PttbOT6;=4O$wGtD
zjB@5(XJXGAkhTShVGxTLAVF~iUwO1|V?-iVDT1_}g$~1B@0B;Eb2X%x2Odtp;n2Y<
z<v)o%PXz?-^+bcXr^3icc*<s9s$4YgNO$6~sth$W^sRI|&=-7MG}^RNOTqHqcltro
zqA!}G+!(aA_mFbbkd~?r+&BWB_svU?lbxZaln$9Be3ekHg0LB&R~VFDsFInCLg^SQ
zU!WpdzWl^r`U40;t}^MJ)98VyIBc<Mb1VH4@*(g&?+_VQkBd_N{`>aH|9ncn{<WeA
zz-8y)Lmj0;_E}e%?`zM-v}^iNYUraTI`ng69a=ZbJ3;d3c{y?j`UXT?)c?#rX_M}H
zL%nM!N5=#|#SZdaWg{a8DZ@B?tDeyD%_&rNYT*+OTEN07Yo))jZ|R9SgTPAXWZ5b-
z6DAqJ2P6qj(D?viJ~?5$-bY(>+#r8)UHvq(D;HsJx~p5Y@Y<`$r;5G*Jqtkh-kiT0
zz%Hu>DUkZ7l@=F*_l_k`#Y&76wI&I2D_f+o$<y1KvGd6JFo~)Q<{lj2DRGs_w_j~Q
zMq7e*U&CIyX1#0~%;@Xa=6;HVn>~8kG@>&<pC9O7a`+@D60St9yE^Zmi$_DhXiUCh
zND~&EQ9N!WB;<aHT}m3WTMNGLlcW~ua$zcl1q<PI4<rnYddByKDh^5~%AM=&zeYYZ
zL>FKUe9<kkN&F^pT><hu|04?3R8<mqMEnkXH*yBDycEopzVg6w9Jvlc*7)tJEdBE=
z_32Dl{r<XTG<gh(o#5u9LO(U8nksXfx-Q-(I_chpPwo=WUFW>2*eLgfH)-jIk}5ek
zT!eBE;dk7^U5r1n;d>7_Vly0EcvlZKSZ*A8`pL#+8MN~!KH1aUL(tVGsIt82-i1}8
zH+}OO4;zPVHUecJWJg@=a89#JgJw`#lGFXRc=Lbd0Kw;7ob(qrT1`D)Vv(q0CzW5L
z_8{H+?l12StG&^E4VNhJ67`4<47+Y#t<&doBcie!_>vY;kVB3U#k%b}SM{LQ{OSUa
z9ws2l7@j67NI|C|B&X33_T-}t$0~A)!j+^&S>TNq%)bL1dLCpBoyL>`yBdgaS{ER@
zXd3P=Ow2cPryO8-g7~Ov%Zl_|9-h3FyJi{6;^LGtAhy$4Bj1msM|8#%0WMN-b+c}N
zP~O}`myLOUS4A)1PxZwR-%&r8NbR6g%%0B5lbuHD(Tkm4BQ|<Z@;6<gsdS-_UwP+6
zoy?>oL0eMMsaU0<qB@4UUarzcOWav)+MSPkd(rk@Q*|-4XqB|$OlmdP>a)s5?*i<n
zFa2Q>o-Dignje>2!4oY>tr19gn@Xv{_krEhjz>Ub|KIv%mrw%*Lx+hlp&^udg4Hm2
zW~wG14)L!lQ7#&yu{?%MT?Z)$HSALsnz0tOv|Qed&+qJiA}FV;dwo`R^C4lu3mc+V
z+d6?x(;1h)gwrUWL!ZX^>R4W7A_fO5>VQo_R>QOtp`yh`j(2qdvG(Hks#@k`=&D+{
z=!RO!?+<}uW7Ftlj<JJghFS_o#ErJ=UcyQr%6+ctaW;{u$irbTzx%)y{Ci&ZiwEk#
z#TMm*o}WgQr{JIE4H=rz{e#!8S3{rd{~4Y-tVP23uW8P#y?M00sP@MNe5VLFVi;*T
z>$4xzO$%9{bGIyGU55C9OVj8eQD|f-lM?Z1yKoH_Jf@m5?QBb1op{6P)z)}^mFN$0
zxbmX#qsM1cV-)CT-s!ei2GdMA)sA>`T3q8zu`^3^YP3~9=GsIM8%G8W$<a#%D%~G<
zjn7cdrY|fmP@1{?A41kQ7hVe<D_001mhO1i#v9%|<wo9lPxYmEmyIW<;8d)3#%tuo
zNOsnKrKLnH+a@;H{qK+_;gdPh|HsxlKvx=VL4!#;wr$(CZQJSCcE{@2wmY_yj&0i=
z+nU>N=AT)w->j9ao169J26d`-)js=tnUG(>6gNTI<Ql$PCTn)HmW|aaqWwlwj=neO
zbll@>FBC$}aXbh4Xf^O?5b(^u;h)vd2<EIp4OE{9t_%(Rc3ScIuDw6m0ew6@z~!Y0
zyNU(BHX@q*;81$>#rwX!d@1rV&H{rPiT;JXvcal+avTBX)BYdD+}})PjrEstFw}tY
z&OpsDNY^Sd)bin&32|uaHtS0sC41-Z3;Elu$&9ts?^1B|P=Hx)Y3)!b!56Qi&D`C;
zklSQvxe~vAV~x46cZ^>2e4rofP{4veho7B2B1yFFe11KEZU#FB=Rp)K=tHbiY;0pf
z`<q61cFvn-1s_&3Q3;M4aCtC~Dkp(`+UJE7?WdP1h*x@F;vc1bl=3Z>&$&`tu(D%}
zumkf^V#-jgX3TF6%rY3FxV+%Q{@Az&*VifuIGqgPmA>u2ORBv?gM+ps%wcuZo0lr`
z%8x8y@hW|ku)$5_<!P1;Veoln7&{gVUfnR_*;<FRSG4Z^>T>K*weYJ@FRR!vsE{PL
zX5vcBYZ{cWSFkP8WK^UR>G|TE9Fq<}8Sej^1#2uSa~f=X;!(ivk5lp?zIqwk6>F`t
zxLluhi+eXk9NYJuguJHveh{W6y8g77>!M8N8%K>w1%PxlpyAeLO4gw(jNMG8L5mMP
z4x=wV$V5CFbqj$<;_o&b{{I7_0Ez+7vw(<>E{3@i`tl{+9P+K>Ynpe_!sfA3w`hG9
z@0^sk49e5+GYH7D2FjBZwTYv(TY7VC?Cw4w5T=(Zp__Py#=0$_X4D)nM=0mF%M_sr
z604cM3new93%t39jACFTtX}d*B1IfyajwN6El9PuGSJ7?04)kXm{xqQX%>tu1aac<
zyu;$UdQmH<8*lbq-hXgLn8wGWTm*}7i}wN?-!j&@K8`!|A_FYXG%N00osDGGx-+S|
z;iFN)B+du!<`wKiB}m_zITITWNjkMteM`1rFIG{;VOrV3n$i6O&(y;-oJNO&%VtFL
z*!RkQK&1+JQ&6_iQlr!-H?=6{q&Fu(VPTrXikcUxN*2BuTT>R0;fkrmwRAl)tt#6U
zrROsH6E*IM&nMGxQ3>?+xBzYDRSwJdcin_1j%#IM+w_$#YmEIai3ypE)=>&3=TwnU
zEk9p1scR)~b92RNmpxFXJOC8MBo}Wa4Ox|LlYy%mZf8@Ob~8K@{m2%PlDJFEa!&Dj
zr<izwdUFOQC1wyw#+^kbVoFqAm!E`G9-ilzNZRG&#V1z(v`M$|Z21$+Ud58|GG${f
z-C_;e`CBBpt#9<MN=icZzOvIKAWJC*qNioFF1x~Ot*ygFIyN^cIKHQjpwo7rUHx9p
zQ^du68f8F<vH<CJk7xvW_9Ytc*MNHT!`sUw5831Ro-&GIGxg+NU>QvkVS`islcCT$
z@G6vB58y|7OaVC~!Iwv_d)0F9&eGKB0iuJWlmr!;9V0aBEDScgKrH(0cm2+gDQGS|
z=jIhB+3&N^PqQt*iQ8Ab4Ev|hmFB?{ekd$2%W3Q7t&B+JMw=-FchwCBzn<P6`tCA|
z)s2iuWLS%zu&N~4S$)-c7HW7T_FLbduc?N2KZu%bwAX!=(KW`ryV=kO>uIN|s8MUG
z>4q`Ts8DS#We1r8wTrz?*#d5J8rY}xzdr*+wJ=QB#kTB1zkCQ|RksK28_ra8D-7C8
z;N*%bNdFAhc}<s}Yt_z$Jr_DU3@(rH+^W*qXW99xj8qGt!hN16*v<E^84BhlKhd%X
zB3Pl4k)#Tj>^r?QK>Rs0cC;LpRFr%w2<E+aO~c1!nwl|?x0rJkA}oua)N;ZjDcQ%o
zA@vv)FCu!9UlK2BtEmc?0L#n@_V{P!@!7lZgO^WXw*Gl~X9)meYAFUI2sQ>lJq5f_
zjz5Gmy1(JsSSeEKAElOq)r!qu#@cM{txX^k^$(xm1C%sK!;zoP>_lK;D%9=iOk<Pa
z@+oOjYa>IC$mTSQYc`--h*@Xb*YQg%kb#ElHMV(n^>P^2;vfor^>4@Y_L&)^ubAjK
zN1J+Z-FmsCL2T$!%mVHV7S~>{!L3V?>4~*ZnRL4MMqRsqN|6t9=KACp)d_g3x>K&M
z?qN42Lg5|QND6qzs7ri=w<EW<Zx&}g`y7=n!2Q7pH^e50?xTNf(xD+0)-NppD`Djs
z;6xdkIA5CD=E^WqUMCk+8ApJyJSEzk-#ech+7_vrVe0)DT?M@njnCgw{|UayK%@e(
zexyyMT$x@LFRQuXpH)yPb9~)5B%F@4;BiYU$8Ey2v90Xbvmi1L+VF&8(OaGv9g?v4
zRvS-q@<^<T85$}`&pckrL$=wLWqOeC0)b0X@BR60aPKx=W@`h(iAnP|UfHa#QVCUW
zG6(J@CSI{TPaj}ZN#=_1NPeGSj_S<qA&o@R{EwH}&D->Aoj8gi{D9!r#fah8Cd#08
zsP2GaS$QtvPJ&s?l+dmkaF*qdsC6}o%kc&1C(o0H<ag*Sfx3Ll{AY&!D8qgPk;{1X
zsCe9lX=9(R(VgqRcwTrTF>6J^d}KfSVjGDJH*2bt=pEfYBV#*Qjv%RxT}C~SZQcRY
ziC3Z4H>xjyPyR`YvWz6S%+YEiJtBT`Eeq#dkfF`Mr@i+YhWX``ajh9oNyNgzuNE7H
zoKlQlOLc5UfZ@R7oq6=KM(*)klV^be2IFLo|5A2%<k)r!zG)fND-3p%N`wK905d?$
zzu*3+*et90h1Xa%So*KYj#w@I&QU<V=$ldt*{giA!JcA#UDEt%+;?>EpwoYu{+}jk
z3x)BsuW|I7DPKwcjT!&+TddaO6&uZEs@Jn`V4H*#EzA_`V!ML6i5C0QCB@B4Ud!-D
zrq>O1|1pE7+Xb@)RNI$a9|1w0OtK3Ow%B;4$$-jJ$OMqD8bjnS6VY~zV%+#6K%E1m
z$7DPbxh3u{%0ONHW|IM=SW{321xJ&^G)l`GNg6TtQ9kqW`q6i>Sv_X!O0Wkvl^e-_
z{~3Td4JzH|V$WdH%trlAX}RZn`_Pl`Wx?+=1uA_XNhebU8Xooz3F!~+F3~#3Z3H_j
zZAw2^uZTQ_W8E4+h#!0-?eUd%_A#K*;aGxS)NnR)!Wsvp2ln<3gGh9al2j%T?ozJ`
zJ}gMdUntZ$T~fC<GNG42wl=3O#L0nva6Q%W+NoduuEtpFp)wR2P-wrYPMXyRMGs-v
z0lJzNIy9QoR3Kd3kjMJV_mz9}I0TmuLg&x9=DII3^`L0-ek=7R0fqHo%}&KgvFwzw
z3%U5p0_JHs8d?R#jO}*<3Qf&1$2|+0i>ikXjWLlM>%!T&2WtR1tQ*>hRi2Q8bzEO#
zIMC4of%_`AnMIAk<Z<ouo8<F7u;hYPA)tWd;o3VGkfov^V&@x!*&coOKjo%300BZ9
zmk%?PoaDyoX=KJQE$N`#lcg-4X5q?7OF^tG&he+mg%+ZdaiG52&x1o;k`k(&8i${%
z#B&FspME{_0wjl+Oj+IV=_6zem!J&vIf8<DXOe@_P?MfvU<i&TbKZ}qnDOUl4g)07
zK3fUMu@g?K9Ru$FisoBEQ;1KNm9ho@1MP2R*5Q-F?8XplZ)Ekm?Hf;^Prie#k9b)O
z%r4oyT&n+f7C_cKGdG|gz{GM1B=tQ{dAzHlK^F$rFEe8#(L3Qg&4S*6en>q$V6Sdh
z_gq>2pGY$3T#NGomYm=C^-wVVO0S4oDqufu2bfn>iL1tfMGh0}Bp9_K4%^-+rvTXk
zU|F?VmfD7$8W*2GD9dHz=Y20gzgZ_!v+T4ojG6t>7{XQB-y2;^@BqA8vC;jza!gw(
zRI@F#lY@QPrEi!l+<2%?q7pM!6w5bTwvfHWrkE86XWmFehwhlS!usPpaaQ%6lW|l7
zd$@Xg1rw#dQkWcGnfU4TtW#@SO-lHfH?voL5V_tRDEFtqD+8y_SGw`$Nnm!@Hh+~u
z6vs%h%uf_LHeZ@bfYrwNn<V-K?N=Ta-ZNXUwz?<lzi<+>4It`lGJlQRr&4tYnu1Rx
zH!**6>1hGf!I@fKx1S!73<>9$vuthoJ?i+c<BzUsQ`?oYw3=$Xw=>H`j{aVwbYyrO
z=ySDnZ81m;+o2@*P~~rTZ(x2s;^OMO%-L6x(!95XbLsd4O#k{Cj0=NrIvMDZU+%Xs
z!r>($M+6wmydHSw+s%w`-PISCnv;tiGNyOz+cKybU))XMfA5#x8ijq;W9o5BKKhAg
z^yqWwr~I`x!3>B@?m;-2?FQBI^!xK*$FEC~&~)Fq*2b{vyFU0PE8VHOH&MR7r8Hfl
zP^?v)F0?Y?<r`}0;$Hr8%mwuU=}{m_Y#2qiv6B^rd<H9hvkD<5Doe^2@J>9~9EJ^h
z3R#^~6PPQfRn^6dHmssyHBeYtsI|$wNyqH_Vc1$zr-*tD!|ykB<4H6;8)VeZ&W=77
z{9`qY>?uS>7EO@eoaK&Cim}Y`zV?md;lML;@Q@ecF$5A+SD)J9qj|p@^W568zzKW8
zN`)$_?u3)hC_2Z)XgT518$nsL5DZ*CcvZFiOPoFe$9-?5H>9DeQhtSlfDs}PyPaIJ
z<GfAwaKT52-l?4Sa<r8}7NH>2$b#^INBrH-{EtCWxGu8{aklC~LfD?|JSre2*6b;j
z9ROSkz9;7ExVZaCdz=e?fDt4#SX(zdOHqJrVmwkTug_b|ous6%b2os8rY`>z4I|vT
z*Y#9AuDOS<qOiab+-mD4yA<DhQ0`V%{!eR^y+bsr-1*g`O2vrnNq^wEKFj3V0U{fY
zIC<=yxf=+?57UW(Rl%IjZn}B~{gKJzSDgy*&gDF&Ogyg0@S3HymbWiSSrwJYm#Yuf
zkE>8?Jhlw+Vpu-paTb1z;)Y3utKC-+!B$qxtWE+lWEw`7&Z-hcpO3Z5eX}PC6NzY~
znGw^d2|k6|y8h{#py+Jm404Z8YB6R#)7sK1%ct>)4@_amP_GR<ws_5e;b|2ci>Es4
zu-$gITm3ATcFCvs+B3xM=G`&dVPEErWnp@AHeNP?p0wke22`GIXoqV-$Z<Q|WEOTj
z_jU#GH4AGk8jq@;&uAVdR^ZaGwX7U4&{1wYrYnK(o)6spTbtlK-SFJ;GW^l9)hq7{
zyoT6;1w|$U_cJ(qO(vpG$$L>nGVNVr^rMjE`k;Y=Cs%4yOvI4jV4f%4@c-$YT_Xpn
z#at#3ypAV#r9K(yG^?(5VDydOxvSE9+oNxi;Sz~I@-WkwT}cD|cNg@zw1ABU^(!}m
zVWqbRqNTN3C;TAI6Uodwb##{Rvh>w{f<Ar<wQXTJWc%3fBbNdl@wc6}1%FS%{#Fzx
zPfHr^+6BJ9%iSgOYUg0cC!E|SMJh!KQpV1l;YV7n6V~hc_B^j&y5Z9@`S!U5DpfJb
zkF$9sC$OlyZ`sMhcMqJ#L6cSGknQlt;Mg!?ez}HZ8OJS8SdW*CD{WPEWrUy`{uxD@
zwOA*%y8pM78G&q;&dv|`-mHhg+6#PNZKD(P&g@Wh@}-S5TZMgWjvrltQ<%hnX6K+V
z#tfah7Ni+8-dDMsHYk3%CmXI4A#$^E-r$G^uU)<zs10Z!v0XH>#RDcyY{Ja`iNeeV
z?yW=Jzvj~Hrula57<rfs^1(;f*m4G0#d^=Ma<G)0(c{Pi-y6cR*pui$_A2$c(D_pk
z5!S-ux8qM%k@>8VVjm%9r*c+9d6_l_-T}j8KqdzXn5KYyJ`DW~OfVS`w)%5b{6=gF
z4f@bi`0$IqEEVU~8Z}ZfwQC&yqbnS{&#;_R&$x;N-}1l-U95Zy18%+f>wXJk9u>g1
zy^nu)l5$!r5T>^&JRYdTrnlUhUE44sznJ-A%~s#7N4jQs4H{dS8-kG*xZHntc^}+l
zf?jnOaXIE?Pi6zkodG#Uo$a&H%;rZtjizp{))1^!7XR)gzvnx5-|--<FU0!FjK07e
z6{=I{M=AyG({M5OWh}FJZ$x)`D*>6!Gv=k;IsYuH#}n1KQ={N?zB>2X#wG&`LU#V^
zD9U9_ifYNoL_a5y%JDk*CV|;^f<Y~<QRjO>NI8t^{<TW?Ea5vAk&A=dXqoo?QDPNm
zM|QVoE=Ss*a7AaWq(CJ{d!&0{p<X&Cw446Sdj1!S>&3zkDtMTcW68@6e>W5MNeyh_
z9sUSH>Y;#sdkAYvWPz&J%AD`7O1?~tE9dE7Q~Tz!9%|iU3<)Qn{VUS`0eqszfAr>D
zEF+sI@O)JbtpZl0yLRIW1(a8m9xJrB{@|6n)5Rf8+_Lw4x2VTO%6%rtWMHQD#X9se
z!_+`Ri#Oroj8X3RN(umBd5y?t_VWiwu7Wf1j;Sth$(?+skA!jz5<-DEq2lYhyf>x%
z^e9^CzcVm?t<Z#DELzm81a7g7k>s~O`G3}ylSpm@KMCL6gdy$y-PYw`k5+y4bOHu`
z=WHBx-IS)CzTc<R;Q&A3-@)%;<;EaNr+2D$|2Db7&=W%kTu?IO!^STcH;V3gOFg<&
zO&Ipn-l2fsBO5oqo^@_Hyq%}mIq}>Dxx%<|;iqsH#f9G^S>Hy}yCiohJe!@4+15Fz
zsDKkf3?R)qyDmX&!AT&?w+l^lK#m^_d+IUw{3IXT$|iqv<JqJs2QL_kuA@u=JC<0p
zWNHd6J&H=1oV>vV?io7iYgV2HF>PpyiBGkk>-^#y-~9&2=C?c|UwLIbzq<S=B5nIu
z<Ch{8HMmZC#>nEwS2yruO|S!ZKPy!FS*`YcbGjuPYST*JB-5g^)$%8(PV{;1dpyUH
zDyDMv-{jfgWJM?p;%H9TWkmcLeDRnILXljyB7Sy=F5^9k(VNTU+&?h_-cUIvZgUR*
zdP>5?WZYNpKWB{6)2lMDDHKHHBs}*Rb0S}gl7=0ky&toDnV~3~Wb+rhcgd0SEKY$r
z`+M=U@=vw@4xw$whC=stys*alMcrLIqCff_UZS=-xkm{1?S*~H$&n=cWor){&$rH;
zT`oLds6=91CE~8l|9+gj<U`UZO{GM)rH8X~am_`g&9qh-2mQb{_uky3sM#t7T%1Aj
z_S<K1;Dh;tGSqB6i+i?J5tq=Q7OR6`@CpT&XNNwC*EjL+AOyryC}U82$D6S+m<{LV
zw)~b8xB6-PsMg=!2(zoWe529&qVnSdKrKy;s3f*;)SK<xM3coS&TEp}CAxVwg=Vg@
zX5@>lW!e+ViBX>R8e2}YIMLlgn?eawOTTM+Klue}HjeB>p#Ls5YPIC#gE=Eft=@Ko
zo@B_WZZ{B44t%XZM2SF8^G-9K7Z(_YS0m~AnWs|Ssoj{~o=KS8%*iz)O{nNw&fkUG
zc928^SV~=3U~p48714eyGGe#sztm3tFS7muD(a{U+lL3FyBkJ8x+J7w5F{j|OS+`H
zbLbQXlu)`$x;vyn8l)Qpq(eZ48NT6pzxTf$pLZ>m3tXd%*=O&2U-vot{D$tYpFtvQ
zV=ibm?^6qd&_`}WJ4^LQV@NAR`w{tTiI;)#ix1U3I!bz^mU43O*0twwYG+2#*+Dhc
z{aA7*l!ktg@Ol@8XYBjzl*#D8&PCRN-$)?+);1>EtH0aVpT-6>qhkBr1wU$dq{a6B
zd#B<~enze8F6V*=@KA!Fk1Q@X*gBD;8HjOcm9gkUwyb`%rHF4~)(zRMLP-uY86idx
zjYoG7gOTa+>+lI3(6gwuot$FekY2*Rh;K(&YGONdH!X$<(B-UAN~c890u`2%&&XL@
zQCVpGjBnom8TCG)ArI5Az>OPH1#odHtrxhiJ}cET9N~uw_x@Bt^1~C!S1jn=UtFX3
z>X76fM%xe(Xk%U}r8d~K^?MOZIt=kwcOLuUUV`@XIQHPj%)N^%60vT)I`5JYf_Ih(
zdAD3Z*l?9WRuYE^h=*32>JN=;O}F`%%XOQBJ~(UW*6(ySY!^M+=yl{jz-}bRj=U)m
zZhNVz@plmBUDl^l<tFxiLtwmm1LB`IR1%i6CnSXuw`#E_ud*QZ4y#p`s*~zE7<Wya
z|5eH^h>~_#)}#JR##es&iMrW*Q84oxW3rUU`j9W!jcJWa1YZVx{)-|Bv2;p-v_#!U
z0rGT;ZMX>6l8IoDp#$!YH{J*(Oe<)|s^g}s-`&1=PUlN`KNgMI#*Kj@;7dQK<l2_j
zm7w<btY5~pt&qTiLi#@Ie?L0Lc#c%6tHQDs$~RiY#T@0`N}g_#WyFxda~TNMot3`G
zVcDM+=)Da)P14Cp<y!?)T1*OlhT&ojjIFk`OEa77nm-N}FLd*@MynDVQn+}7JD{0c
zhZ!%RUXhEP<3@8WqOHnLGa+xHh|gwC^$Z#us@`!DpW7Nzc!cN6^>yi<%|6^ryXG9P
zoeHB;k@=~<so`o7UX3A~I=7wUI-K~$>7*?8GE|hY^JJcQS=J6M3}V9kmoI0(KS`%e
zls1pu0jtE?Y%RN5Rd|g$?Va{Ob)x!Fmx2}Np!Ie`xaU1YdyPj<N`~BCHE6>>+0?2?
z!Ni-Ra;scT`$WGqR(?Tojd3HZinLogQs?j}nkDwfx@uis-_QkPW5nrJU1<^<pG3y<
zuMHHZ_5&C{;W1x&-8^)YzBOka<%ns6iht}A-vv@(V~fy<zpeNDmJ^2l8>}fU?C%u`
z=R<zIgM6FbSlrS6LM`_66Z;|et*1})DYD2=^p@2D&|{UHGN#Vk`haJ6Z!dzvpiX%0
zdTK%a^d^z#U7CBpR_rXc8!dZ6i}~XrEqi3twug~>_!mRkq{eAU2ZMLfW!Fcg6rBG~
zo`GpRQ4@2R_Yw4QyGgbH&P3oxmVQ6ZLFSRGx1x9e?f#B*B;0xB(9Zj;?9Mkpz5G9h
zA;|kH+3b))v;XbzaXqU^syhyiZApD&P@eBslflfRNBhDtPa_6x%j2Nr1VIp^#KfN?
z5q3Z^-Jo8~KIN&CwM9FS{!O3snaL^Vv(Pg+(X3BS-On?c*{Y~<s`{~hh<~gt8&mZj
zfe{LNa8l14-HS5sn-|W=PT({U<0NBuj+Im`RCS6{y~fD6lF?T0#ra+2lk=P4V$3`n
zUG=lW2G#CL=X_pQH_2JOsGF?=yPTl2dr(WK1}k2XStT3m^1I1U$38@}l&%-?uG7&f
z6=mm?e8}DzI1=#praE3Urq(2TzlYWGimX7bK}2XqN2s_mpj`ZGUCS#vmQC_Zx+)$x
zCT?itg!5Tlz}=UfO{CA28Ps4+dQFRaC!&=)k@kteIy(91HARuza%wWf(oP4}Dfgnk
z1LQryE3AJ!eJJlAm!v;-d(3nv<Ths`(&KfLa3@LFp5wtrzzLA+UD}}<ucAM^K5jP4
zn_-{AHFh@3`JGO55?B50WhO3<^hbK0{{OcsKZd65_zvd0S!|<MI19Q}C|kKrds~QY
zc)YUMpoS1zU#W8o;@ctV7em*GHS?sTSvxwFZ1wg2s@ybO1dm4vh_7~DIX~JZN)HA`
zu0^D8kk^X`d^O$IMT4fds8*?ReV#<P@YP_-x$~n?kBM?N-6qZ!(b|tD3oXKnhdB0O
zMPEui6Ox*{t$qG*kM~L-@ZNJ3n1^;Dxxk`R!`bpu?}V<595tC|(J&_(0qU8j)v;Jl
z(`vN5dE!3;5O6c3s-HmXVCJr?T{@%40@J<aL{O0Fipz!8vs=`69=go-?$)ADTWAMW
z#B5dvMP?pJP*u$zJiiVleoD(5I4Y;tmJ{6Hm+o}6_!M{D71@WHN-<J#@bPBkcFqsQ
zSTrJ_xj66YPCwnILg6tcRgutJ;(PJnkF^&7@`;wTIcs-89%HM6<7?OJM5xf-Ew+cz
zXV4*#WCp=Gr*Udbd`jjAz^SS5)w9$n_}`8bDkR-O0aOKqTX<tYS=5E6D)Z=YvT@_r
zL001Ls+GJElNl#3!||s}pf5&~c-Jizoqq7<`rU4ug!r4!DFeK=^u<)J|MPUJyL~nO
zEtu7Z>`<$V>X302>;Z6=@pFQy7N75HY!};spBB1HgyAZPu8xr1r+pU3r3ZhX&qsgU
zQR6sfmA<^rnw3BZFTTmZU*VjhTQxBw+9!W8lz9qy%yc8So1u&ob60<F5P(DLjRKhE
z#JyZ-<vEp%sihd<cWFpz(ztzVqrE$07t~shvS>(EwyrrJsBT29MDn!*XkifrS!bL_
z>QLnok<<CZsk{LpRwYCD!9JX-6G_akqN&>Pr)>c%Yy#ac4LR78(Q8IN4$LTqv<|)P
zS|-_?dK#B^wG*~FAg<?~(U0SoakNJ?1(XNmZu}YjjEn;H68~Mxz>7-p>&Hu`$sO{d
z(<GyKrQa$t7B^<0(!H+W1HT=}C<eyqnri-0Xuanu%eTJ|OhacmZpVvshO-hHkQHxp
zz0~oT9W%CD*_KsY`lSW>MC#bIf?&&_1%&QCOiY;+3$NWh8#vThBd6Pr3+>g&Om}eg
zV?$FamMJ=>Nb;LVfqv$Br>caZBALV3Z^_@3OmG#oN=^jD@C{&*Cf1l#nMDc7mE+#$
zLK{=6j{ouge+f0}6|w?@(dN%EE5Qad3ejU@8_5fwh!me}{vp9B^ESkyZKw~yE~?GE
z)y<evEgrV8GK5eLVL#Ub-K@E#`HXf0a(230cJ?o1!-Ik8B<W!NQMWVSkJUodG^?|V
zYycOF4-v}6!x6o>cS=d`xa2CK-<!5Z@37jKTLcVAUxfzY8W9)jrg(rKKJ6`KkZc@d
z)b1aZtGz(^f)pRR*B^wm`o%C$FWfyW>s8V_t6N!i3j}&psZ<c0+h@{NFxsJf^ACb?
z_q9Xx@y_rs=2MsRf~KnTQt~aUAo4Yw8Q6@po)PRS#1xUwzp}g7GelC(QJgw*vVVyj
zJZiR;9N#|>q4{88z2iJ8;PK&<1<;~b0=2*u6!%GHaIm}fZ10|xSJixDA&W=*(r^t3
zSa2Q!9Gp42(%!Qm+A1xrDD;+6BLS<AAeigbM?5r?bY^d&uI#uW+}WvJ#EM12Bh$7$
za+<e2`leX@INznUf(mxuCF)b-V0fs!<0NFFAB<xhl;cbPQNV~sPfonYA!1&qFG4?f
z{k&g`;Z%bzT;Qwsb{^#a`Osmr@#NdILsU24IN-ftD_N`o*@HlBaFy+Y@Furi$KT}b
zzfcr;ujZP4j@!E&lm9pg1ebb)cjL&?SjaK%Url5oKt|m6^XA$<0{Y%Bwbj;Y0yZ!E
z`I>M+2`$)6OC1B_?Hu7MS)bPs1*8*eIQpw{^ric$Z6?o{{ykpv^ioq33xnnF#U>Te
zBVn=8HQ+{0d1uM|w9be}(nTx9iKFPVp`$m7sGcQ-Vn&v~%t949hE2T<iVpl=%_G$h
zR5$AaT7)%B9^4e$P^W#e+wqAV)+sg@U#BUQ<qj6?+kUc*(}X#uoF@5&<HUdUPbhVD
z>NlE;9>nel`24{=EeGbmru2Kr+I$x~0s0+xB{HLcR{+<q-M|q22QX;z^3pTXNG!}@
z?bw~Re4Qr#GtY7+t*!jRizs;8^Uc}e;p}iBlvFMuQ^8Rg*QG8zdXvnm!-=<Go`FL?
zY32FW%Y9MGQC>YhiRY4mjRdnEz9WQJ`$ML_p8dl^rXqNy0TZ7{%oR`LK&=$(aZ|gU
zkT(OS|8B56%$8z2KXgc<zD={i{wwUiYNYkWukE|Ez}Rpt-m<|e_Q2y=mM<X4VH+OJ
zjJ4X@{eAET5EiwDJ<dWW7sHI5DKf3^UD}<VGf0MXXEr5KY|s12;+O5mN~6~aC+=r-
zt%2SV9?P!aiZe+}-PnPw*XJoCq~XD5?|w?o&f9~ye)(MUjZ`_JLA`$B{fQ6$mB~K&
ze)UUq;^ayu&_i)%fl<IZP!NA%Q0M$G->FdhYhvDoE&Wi2w=LfBt0j1fL1FU5H4J4S
zf4p_eOE+({1p5Q<1;!l;3p&E~7<Z1JTk%eIb)p$@pW+8+6rDogr#fzb2m5|FO#GVA
z3Qa6?y)%t298-Jf{rm!33Dqwl!p3&mFd~-Pd)u_H$o-^>X{{`IU~UbC)={)`jUGp)
zM6G7H{kZkxVP06Do;J>ghhq)NS0>);g;yaP`~7c5uy~s)p!qNQE6y5S4LCUZ57N)4
z^77RaJ^OuF>2H5W6Mmv)C+*ev9*CrU8}X4~hplZa%!U|4_!N6d@{=1*sunON&%EY;
zo&yzMrhLXT$(cAx_P5KK7|tBA4N{pXunz^}JG#OyZm(?V9?AB563A|xy+I*hU%#Y)
z-fd_|Rk}jSJi?LZ43VEh1-SpTi@nM`O%fQoZLSN9LlEYCnHA^Quc*9uL?a6w_;X0A
zEMr~RuA}wxSy5Mla#9ozaX{vz%eE=C5pAP%QWYk0P&^`P3u0q{0C2hM^%vU%%Q{)P
zvjH2-BOE$sPWEtVs>zK)y#%rY(6XX^ORX9Sp8)fREQJzm#?x(0LF<b<tJnlVAWK3^
z_bj4}Ud)mW;YXaedpH9O+jpX=0*4HYRL{iL7}*59Q5W0C^k(DgvM&yWzkVDz%o7Yn
zidQa%zaN4T%3}z7kLqWP>3c#&B?Ct;uJzMTR-PR%k-o6B(Q7g~RMQ_naUBYD`&EeO
zT!-(@)#$hw36in%>g!~{G6gnERom)c6A$}MM{xEzPEo!dRB7O(e(WhoTO}76q2L@M
zWMt{5pfk^Bk653P#+ga@Vk$L^%^MkjlS;1M=h}~9OFy{30H2}Y{CcMFzqQ1=I@J^7
z(I(pb=G)<pG^AbA{FiUI>X<$no>xs?V+_<{&J`?h1Xn1ITg^5wllhkOd1$R&z8EMU
z(~q4gx&BsZc#Z9R_J9HT&S}bsRX=9$s}F&dyLB)z`dSuNfxG&rG6rj?D95vnc?_hy
zV7WXScV7oeqyW(BqB=33fKI+Iow(BZpVVOc+h|*xACm79$MrLT$E6;SImUz8FI_-+
z8<&g1_R<Sq`pFdtWfz=%c*60N*Gy=zfCO8RC7~g4M2PMM8CM2%0pUYi?!F#&nS({%
z_V^0UndGi;$A;ys99V_-!Okf`KI=3|^W-idapWhYdt}eSNwxnaZv0jk*~eTP;o!ha
z@$vn?;%oBK4#(Hkv6SUT{_b;xvE12gq#HsMKR?uw?aX4nH}JTBCwwMAKwu-C_=)1!
zF1-iCW*4hT3*nUWTGC#3nIRPHuafjf@>|(jn=uh{@qSZnTHa5*dg-e*MhmDR!OfCH
zW0ybWw~H(#vOXO#vdMpbB{Tb+f@Jp!@uJ9cnlL7&ejhyp*sqQO(~$u8|GgRyvjON@
zlRts{@00QvkN5G8eX7J)7)XzlUf$q<_oHr)+8-rMB7_^h4S1gHmC4rqWgv&Pr+Y&_
za^)U{o~6He54&L-zq)0^JH@Mqa@=M|+s}@XaAlmOw}7xx$LB|^9+2YsJL6?hXXpN&
z$VA?n@X>&#MpLVnpC+$zCw9Xq1kYh_z4Hc}9DdQUybPlXTRW8=@7u>rE%3z)Bpwu4
zwfN4x;o1g5YhN*>MMw0jk=CbiSUey`lB)<?(CzD)LpqUZ>ESt}1>;uYfx%y^3Q?LE
zM!BZ|K_U*9+t;6}aDx(PvCOE76!Jx%Egt$~YS_jlg^-25uDrzgJ@CeeN7gP&VozL?
zg;_Dtn57>9{JwWD#&r#z9X}4blKc(WqYK?m|9oCR?CK^m1l!`k)Rq?RWKFg5{e9%(
z?`742ff5o-9L7|yGmC=M{hWubpQ4DOq9V-+V@Z<8k})llg40(1V-y8v!Nd4S$7j%#
zJi}fWtB5(@r@$A*d1fPnrj&H%H8{SvvLa|o2p>IYI)bIr<ftSXq=l3EKeuEtxlC$W
z#OtM4OWkV`g>>qfj2}mNkLOX-T5zET+<c55e}<4lXD_3)iTA7N2E`J``^wGjP>Wys
z$pbbCTLrWY%`NR9_<q7H>|!SoDltHWDz~5SU~@YQUhE9;zkHpnmp}Y98*kw>$yCbX
zGK632abf_5lmOiw`SyZZ>>;3iq4PzMhoGXU^|W{4yyr`s6&FYG(5c)<ANwN9PP!a&
zH}Rk(%b}*{Voj(<=*i8@1-ou!`)Dg!3T2tv-T-@j7Yoi%RpLysr370HEL^O-jldrl
z_l}V;e_SsI?3TedYcvouQpbt-23>Q{T%9>q5(lS*A&k3kYm9rJ&yNN^kyrCQz}Y5i
z`<OG@Y2-EcUIg?SGxi&{YsX@Wwd(|6rSzw`;pi~iyIS+T7B1vnZ2mc|8S~;(3=h_5
zc93u8|D6SBM-GtOT9&U%SA3CViIZykAj_+VWPQNH(SHY9zgOT~iE*%xywJT#I`DDn
z_lfI87Rej2$03te=p@crAiDg7tuz>@PHNtfJgoHKROBp+`9GKL9#I+)C=p$BWq7a@
zP3fS)Dp?EYd9>Yze=!+xyY&q}$-qfC_2ePx7OhthHQ1Hj7%X061VOm+ZS%`YFSe8-
zS-P1PyCwRC#8zb^jt~_UOO}QvBzQvCD&F*QgGG4b3;~WoIoo{!k%5TdG6_|wRGF^4
zoLiGyw)*n*>6%@vIhsHMElxX`F(~Nk_U&JqwT-5l+O_><85b)7<R1JIG2YO0{_AS~
zU={1QkK=>3j?<LKwoF>=;Z-bEKP2AOkg!cHtV!GJRb!wW(UJmmoy1N*W0%lelxfU#
zp2D|B7-rouMa3SjliTDoKc6Qv#FX1x|N7KVEE@?mSm;j{IgM*%*{WWR1te%%yh8jB
zN*um)5-PQx^*LeC1<_b`38JFLr<&5w(3H`>mH%ogm1|qatEXjNv&#@89?e15M*PHd
z_OPIkQ({Y|2#SJL+%0-ECB^8A?Jf*aUcI`&7a>xukitW^kEU#BV`Eb$zq6k3BCQ{^
zL{SlZe%y7=(C>3-kVKxYIBl=;6KnhsnQeCuUi?2?@z_2cl%39Uu<*BPp|fOX+SzqI
zKykXgJF8l-?e@)sw>i>E<YVUQE)`qKxWQ^mv-0A#>uGp<=}V~i;Qk(GSk%g)gF88C
z5S783=XYC$?P{MCNLwYy^XgyqO!0c(4y_Hj>TILF^J<>m)?mduKl-9+Bk9u7c{<ho
zL$RV~E=)K>6c*6Va=aYKD@o3n#P0SXH|uB3WMkCk{TD`dL(!!W+uwSrR}~BOHM<^=
zfJUZa_*!0hLH@+cs|l@-4nMcArNkt2^j<lbw4<*?9u@F<;7;UtWZU-eoF6s@(&lvS
z`do<iWoMzaH;W}{NDH6FNhiIM{xQyrFvLGxR;cnuF@D#uqkXekTBV31I>(;CsU&{I
zo`AJ4((RM7)pzELM~hMGIQCxtGoc=Jm?zAOW+gJtdd0rWHi!Ehit^PV$z$2vgD=Du
zD-!*;e0NF&g(_m*BBtnmqCFt1@VUL6MS0!*Jm(f6e3W6@@qh2#8S5W{LMD}XI~FK7
zcf+w}<DmHr@VBXn&`e1po<I(_jZAd;2=pPyPFEtadFHl%yhBshSjD<z;bXCQ2l4-S
z;zy?jg}R=IQ||Z5w+dyC?}Q_MJ<_>B8s5k5eeoeOI~sg00YwxMb^X|jSy}FDC!1x7
z%dvjsbb^P)LN(ZxMrv!Cs~6bH#YJ~V+BKM(e{A=XY#%C??ge?^YYMOGD|+pn_v@qt
zhi6@MjZv%#?X3{&AzF(_r*y52`-LS-UanlN-eaN9bX}`plXMRc#i3*M;G22MmmvSo
z+iNA9L-^rKtEA6&i3&Ud#X}wYyh}v0=xwDqa0eEu#(y~so(^JWi1xA2sJ~u7>6JPO
zzU-ZSaWy95hu1tctph8@LBQH;uX&hJ*ItWimssbGm_AQ`|7Tg|55x`4e-F-#q3>k&
z@_cMhei(kTsTfu>!Oojnb}o0*=(v7YwZSI)KCA3RlP!m2lHB1J`PB~z<+`$OKVj-?
z^^CD=bdb;E%b9deOa!HmDwN#3Ca>(n_PX#|DL8YgNy6qWeSKM-mewN&!TLBlI`5({
z(!wd&yrrjNdO!V+#2Ag^h>RloD}|_9H+$KUz@*6)5~fwmy)II=AxM;jF4kCQ8_$dI
zFS%)7c<`a;429aXDx*mMe$LN@xBL|XBK+2}h$c5!d@txnE;=2L7mtlu;a9uJO?&;8
zt*xL-)VOc_N?%^bU#V0*ZhB_oU+KT2v9Zwne43OqsJI4HSp|Nr7&uwNa5MuluEk@I
zBb`b>YDq@;Ju0%AnAaG)KXN05D)mugP>MD=>bBAA5G#>Twv$`PWI($598*4T|5+v1
zyxr;7lzo?F!{YEerL@kkZ~2==LaEDE;cUtFZOR(CJ$mw360$dtWpRdd^IVdJxx$U8
z%jUDmt6Z9PYQ_|9x3=#1&GNi1N|Hq_iy8;&s@0fW%oZ2F6Mmz!uDffdq0i*Di2hb*
zomTt7Q9qguU-C?Okc}+!6hAOat;l|!q9UO8*L@aiP|oI@DeRL^!ETq&1$*BLzCIrC
zrTr=}MItS-e8EY!maE03ymCv(k>Z{8@b20tXhFB@wLy&liFcehM?p&Xmu@~ZC7tM`
z_}<IE2;M_gLKNZ}!H0psEhY`cu5iP0Xug(o_V|)YMDe9FIadd!ibewPFBBUsi^vVJ
z?5}efoD@aPIa`U`5Z2n5p?8$&Xy$f5&(i3BAKF5GVt6Zu@WqTp@RD8lo$6=ltCTm{
zV)##&k`E*{PvI@Enx)0HHw`BTM_oDyyAyaAg29lMI4bNU8t<He#jcUf^X&Tz87rqB
zoS!F1MHZU#Y;T8o3dU@x0)%!?;dg<OW3vlyyOzu@$MNdjOv*eQ8|Ev&Vnl?FM{MCv
zB(9uY6I4Kc)Ny8TSa95V^e!REYq9QMTQ6jVgJF{6&Oknz<!-^5GMcc)_tCAqguQhR
z-0>b&l)rV`h!vk*BOKgMOA^LX-qmKW(r!t#qmeO^D<xmQgoc`0i%K=Em|k{LW)rqn
z5O-D?>|MCaX|-CgO-E0^azz!ipbnye^Rr($6j5%QF=X!zeh($5+y+$c!i7zSVCsVy
zcKzFAknF;xxxM{^t-(M(Nu%?-x9J{(A1rHXp#^RG%aWf4?e_{QN8h1Q$|InUgJZAD
z<>x;3<tetoOrUyeH)v^u00YBA|5kP+D>3aj@}<PnFqi+08#w3@$f=)p$jG}lKswv^
zp6B9y$`>ATa-*;Fye2bDM@@z!ZT~Z%1?E|P8fhKOP-V;Rh<CTt<?!!vLvV+9W3<)M
zgSCz3mGniKEW*^r1yUP<uP&T1*8|@DXQVa51M(o=6z$m8E!Tz+!_^LIdWSpV!0&6Y
zi%r>39wm``{N`6DbgrvFm$Dbh2<t9iswdH-R2=tlLhiuk53kQEA!#^(KX?Ax^M`mW
zaSXZe(ri<)e<4Fv1ywR!gPo*Xc(wI|$*(qw3WYL%OC{al9rT4*tk>PYT8I_Z`K)e-
z%HTJ#SA`#oF+T>&G25$iE*rLzz6Ox1E`W;>;JkDWzr}$lokE`ZQ_Cuf_;-nrv7~vo
zfqu4w*zHw999LGeT~>kC?*z#<kb`<lczoBvKj7e-iL1^Sd;gV5I+Y|&T{{J7A|ec0
zhgB6!CfIG)<B7l9%t4E{%X1H+_b;97bg0KWfHxms7|hr>n%t1y86Clgmk84-T_r1C
z-Ck|>kZ+~mpg+$UIW{D!!p@{Fbp!)0PvD13B%GR?yS1AKjWd6y*Y$K0da+`#c1oz+
z4yyAuS(6iqqXya62vV)n)FvXOk&CTO)Rcy?xu?5o=FtBZc9G7SIBA?<cUxxJ^s8BP
zY2_~@TXflU@0m9k24O4yY_^&1e~Hug|9y3I+pMIAM%_PB`aT2Pb-lZl=d{`xJpM%U
z8;EJl{&7`b4)OE18^JeE_qc~F3+M4+y=y?FTJgcN!Sh}(Y?hma1R!#7hUS=pl|$x{
z!?z6yzB&vQz{WK?kKH=wuFJkUQBD9wZ*O3cta^W3uj0PqhoSKiQp+puuHUvs{BtH7
zS)0N=ds|letn2MTWwnB6M@w-6+3>91G$_N}ZeL>@0|<>H<Fm}gw>}OREbfWhMjf0#
z5sBEu?VAiK+?zjJ8bI&7b-PPugbBWMrhWg`EJ6b!sjLBwR;yxc{;p}@DPICgrk2rX
zxWDAhkg_O9IQ`rhpPk5jeqf6hQy5m2ASdt&jars?mJQIew7$9VmQ$x^&EK}6>G00n
z<owdnk|9KSa3H3jS4ld@TnMGND{+m04=qkZ`V`-rO~%4X?DbTByRwXwCMP`)Yii=>
z$nAksqUBI2*8TuesLrq#@-VMS@N$042lT&8yA5A>)}|D0P}O32HQDqxVvh>4Qx@do
zY%M4v&HlfybrWQkfyw>Zma7*bJhy_|W1YRujV52;2OA~c$X5#eK@ypJ^z}gUQ|OBj
zT?69hl$@WRY16DNL_@rzo=w69n=pn@gAVYUK$lHnN1w-{zt9JGmRH`q26*SZxVTgy
zW5E|Rm$#>dTKEvUggD>-9JD0G9_vJM5Ir(=VUH}f!3bno;0DC<>KT^|&aDZP={j6z
z+Q_-@_(73ta6&4CNV<<b!2#}Ve#*LG<Y9k4&_`W}y>+nXpAKrd*XRX`CMYu{zOQrw
z-`({sANBEK0Mgzq7za_dNpXJIffoqe1ljy-00Be<y4;0OSG-({OEBB$9x|wM-Z2zn
zd*omxNc!K1$L;gfFG6c099Kf2hE=!&TP;%F{sJ$5v!=Q83V#Z=!u0TZlQco5ATuBB
zY?644(!Kjt662kwd5!WUcV24Z5pt{eeAl_+Fk8|atZAd7?{0oS$WQKfeai#4(h{xT
z-VC4}qm1Uit+iYeK)v*hYEq~VuM4bQDvoqcQ<H37<<3hPR`QR$T>7t4dHDnSb`yCQ
z#8?O2fo7XR8B&^D9sLN$)oEcvVg7uBr<JB6NkdDY9c{`qS>a;`$j^VT0LL(?8QnP+
zm(25FW6N21fS1DUp?Br+^|X!yuU)x<X!XMhdc2?gIe~nIVg@vDeC*4qHX=EsM>1MK
z_{wLinR;@fN1Nu()E_-%V3!mX$`fqMK=S)?9y_Xz<`p13WiX7zHsG&s5o~K`$kd2B
zrk72)MPN#UzxW5AfN)jZ)`+ljeG?36IPWfQf$|5>p6jtGNxK&cPb{-FF(7zWqL-HU
z@MBn+*xNUZR0(ugP3#|jY3Lc(y4rwI{8(H3ca}|Qg5$a-Y&O-z$v8~ym}8m*Y31==
zJqM~uOY(kxBYKkGT|!tnekr7KR6hl1**(R6{b0C+`?{Iuq4~D#26cFi9G(I1|KwS^
zMBX(`5>8-@=^H|JRb<Ih`sRavwvn`6f4H>Ubn^K0F}81D|Cj3cMe^jLWVRC`yN_R;
zY<7=U5{>Fcct8BlI*jA?91U=Opc|-hR(+NbL`FmEVdY2I+7agL?<I|212QDPI~z6#
zmqt!&3ngcoG%mT=uP4C^q#CgHx642VxOkcqq7DssKNCZ4m%l_sPm@nGrKFnhL|XxZ
zB~`Z0boDdE7sJ;)+vJ0QM#zSnD<O{BC!eF4+>g_UeOEILU&|EEz*)2ZM7n8$U&P+X
z8@T_GRbRw;4QLU4aRP~hHJ)IDO#}8r8bG26b3w(@fLmZCL*sj?vytNTo2bb<4<h6q
zDc$ok%OHA4J7jjT)@W!Q-`?99&~yF<`EN&D0<j7!3eGQDd9w5<X=GTI%JAN9ei_xI
z$%l)Bw`fohWOKIDOc?1V!Wo<iTGKETu=<9h=(sX4o`<5WWSZOjwl&-kBi_N}OQf?2
z!N&R!*&_Ks^DUcKjNOkkPWqCLPT+;&&$ojiMW!Zi=8oeM(JafDj<6Q2BZOQ6*^ANU
zyD->1{J$Uz&UdNRC^eP8G2XlXZ-M%9`#Jq6^zmay$PqGV?hvkEjol*J7(IygZ2uh!
z4=FRSzozDs%;U69!z)z$9x$CRHpXWA`sSAkpP9kRC98&4ln0_T4&aaD193O<7Bc5*
zkKHnL{<}x(o3i8I73pTdiqM?{`0op)Ae^7^Bcz4(coW`@I*UNbOBK7#!8^rVL_!Z|
z7wyqxcMh9wtiQYor0HNyhcm{6o@_hly1TsXJTdoRMp`2f_GIuWbA5bE#j{^8T*DJu
zEGjpd(o3<43@b^0wgI28q{T@Xnx??bJF+D4rG9l1_qCNIHT6o^lP@+)45y{4!Mfb_
zZ}Bl*t4mYsT(gE1fLb;A7;<Bgw4DL}wj@2UR9p7q6B~MGRy>9Qm50&uLi=5(=x8QW
zazhQFH;bRv$Q1)Iux?O`XxbOE65Z{%(|>}!rt)pa^&^BXxlqM=FOTCm2fC(EaAc;t
zT$*w%jkYSlfywoGiNSfMCgFWlnc$@^wNA+;Bk6}gc0=HQ)d0>FT-_5#vinotZWzVQ
z>Br6f{a&RAdwwMaYubRdR@z89Lss}ko-YROT``MK*@d}eSnCib&EiV%v;SnZNw|^A
zh057Y&ne-G>jiX}fl~(2O>SZuKzzbYpje34d@U%Fd`pzOtIP}xaI-lU?zzhnreY9%
z=Z!W5lJHL&)c7%2R-p3g1V3ksl9J7{Nvy?3GKt;v9`Yic$`c_;E`@W84#*>xNGuQm
z24OX<mH?$?mQLF7;ScuSGMrV5U!eRE_}&@90ndpRae0NarI?SlJ-msj3WApW_w*M~
zoj&#xU}0tgZMeH&Mvi4$D?q5^tBXVV)Z@shH}lQEoN-w;g=gSX0=B$*#gPx9(C^J4
z9L-G+{XD;Z|Mo0F0i7BihS1f8EpL{@V{H2B$tGJb=|v)h!zqHAfA)W&Ec3iDhO3t6
z!3lrVyGg5xC;tOWxWMv07Ls0SaHU6J|3PE?BLCb`!7|gp2210L#j|eJCaM1}1Guh+
zr^UtW0kv>K9Pr)?l`Pi!3XfZr`#BZnR)D;V>L6li;QFI^`z{<_4Ja!>5N;<b;6bkh
z%9!22d$0ry910@`6nLBKDgJUT?(BkH91Sx7Le5kX<V2=(`K2YJ=aiN#VZH_w@QaQ)
zX<S5jZ5?L}!<Yp3-N18{sX%d`zt@*4c#ucModSI2<8{IS)#`+b=gwjWl1t%+T}@eP
zE{3ZV@x21CuDu2N@D3td9$&=oSJw-><s#(-SSpI;4NhJBuB4zLZ}BKb#Wiy-Qy(Zj
zKY>I>M|Mqo&?`p6c&@p3oaO(`r`>dCZiMxHhG(_2Y}a8o{5}A>v#tMEj1U<kBR`*-
z;j70>!K^ncg0|qhH{~5kXDh(KEOh~a<m@uVoCvFXW*JyL{rFkr^R6`~Ea5p>W!EW{
zW@1*k2>pN{L}%FOdY)QAZa8onr_v=kR=9!*|Fd`5e}p|InXA&Qlzf7{%%EbNLq;Lf
z{Hwmtzyh5#2e^0NvB9#Z&;Q?D;S5On`EEcDui#dv#@e5v1P>(xYoVAtNpYoRs;lx;
z?Qvlm6;Ta&JpZQ}Rv<)o4yu9Bo#kty%WN3ooW%ADP)?!mF9N9`+11;J*sq{FEAV9m
zp_9wX)bqaK#AU%pl~-JY^T+%x62}A6apA4m!(lQ?fMEW$%Hh4N^cz_Q?Vd$tno1SX
zHi%HK>#leCVE@Srb4==ISt>U6SLCFx7>dN9J2O)Dwy)Lpj<;juzk)t3){ph)!Egth
zqU~gc@-9&7^vSLL(_{B{SD<bpJ3DQB8cH_ECV$e%WVc)tys(qG%#Axod~c#60&|kH
zZC?;wcDWzAJL3$f*BE6UI)>`pWW0AyBf;WElP7wq62c#7Pp)08D{Xw#mBMII)6nzj
zk6Ub*>FCM{;k}#eK-Wv0r7Wpt9s!clg?%3LrXKF3I4tv+4mq)-6{e=|f7DNiNX6)B
z2;HXNbao{^mpJ-lB;CwoxKJbkiZ~^*f40U{cr*)`ok^S&D|Dj$uiBva1<N=84!`O*
zKorL#{UWeimGilIgi9^|VsZ;iI3dlM|3G9lHmmXtbjRa7|HaoPSNB*aFel5Ea9|zj
zxTha`5aoN6;I^Bgd}pvjv&*IFxrT)cU*x<8lF?AcR!ga^NelNm^qfxsDf7fO<OJ}S
z>Ska}NMtpzC3aG>>3q+cumv#Fs;Gnva8l_vUE$`wZf02C#D{T2g&{isd>-imeMm?Z
z*_$5(;ic=i7kAal)9}0VXT%8YwH>zlet&dz0;#??i0v+`VYBp>{u-Dx)=H7BOoGrm
zyPJpx(B*;f&)_Dq&f|*aQda1MuJhlUq2-8dPI_|L_Wov2x`BsBwqbh!#}cO7w1CKG
zY4NRG?=09BvEZw^Kr?-~i|!U@qa`iYO$2vh(K2RgBJT$*FU*tsgEhKe?dB%ohl8*6
z^4bf10{i!^sX`r0SUvq&Z;}Al)?6qj4y-S7kFK4_#y%+ty>Ct+|0;V&_b(p}q>r3v
zFhF`+nU0s}<Q952i@yK)D*IwqkUM)hBwAZcW7IR`5ob*L>g;F{$g}am1*%R1y?NuZ
zTfeDL#zCw!yo|^F2ccLA&kX4d!s%vQ%EVfrJJVO%;(lGRGEfB9>JFtA!3d`ijaYWN
zF~&+jkN!HxCgkX66A#?y%Xd(mNT%p=IKKC2clXbg=`NUSZFi;Cfss{knj-m2@f0bg
z&j=f)lAWanb7yg4A&gr&IJA+|6xbbj^H$6Zwz82HrFavix;V4hCe?O);=BQ0Y+UQP
zkSRJ%QfQgsru_QR;?)Vs31nv9&$-#(+K9a6_Y!blwc5yzqV3kpe<A|g7QEV?Q&j^3
zJf3(}-raOLg9Bbog{zfb=G}K+%{PQm%eWqhvL8dXz415}$+4WjQ@1SyCZ#Nphl2wn
zzLPC7u`iUE+EEw_#l;$#YgSJ}1D)Ce^IU#5D-GX7AguQ>_E@tL#^j_QIik0uiEBZn
zB|+pOsAAEV5{lTIr%3-*36Xy{2Gdc8RST|INemyRI{95nbDC)%B-u_NN?8aq-3%PM
zaFYzvM9--GmVjsi2gran*fi1nG?-Jk*#5y7CyrMZYVq7hy^dzm!h^fm5}bMB@Y=o}
zDYs3X{sh8ggM8Okjcayxa%N|Z(6i4HWO%3ctX?v^<sLGtG;xd>-Y$9Fje11DCIJ#G
zsixzTgM65ojqrwUTgiOvKn}ub&vx?*KOk~CfI(;P`Nd#O1Bg4@*61pO4;M)#87;Xr
zGcLmdGn^}AeWFnb^{-d^Ls!DH2iI;(u!HlrfMPQxFYI0SDr<0yu&#wV;RPAj7>6M9
zhw>F*(PWA>%ZE?V1GFCA0y>SLha+O?=PEvZU3WJ@U0yK(BB@O65|<ecCdp*HZ`$9~
zt}vz*807$oi?kT3O(zpiuvL1yUXq@~aUI;$XtgPIIN>8|$HwkPHsphe9(&*m!U6x+
z4Pj5*6<2;k^$#5dX=bi-GhI^LTVRSAaCrc+PDfgJ+r#_I<CRL978*f8m&cID!xhrI
zuaBG`czr>Uf&Nr3UmU>4!Fda(BQ7+X3tO@jeu!{hJSBbhU|yhlz`fav^W(i~D`8Y}
zlUvjkpzq2+d<-d~F<7@R?@pO~j_kjGy#mD7^byICf#%6MIP>qWY(z!|q%^NoCn!R<
zkNAuBNooZs!%}z#Op9hvaa0DTND%DlW2;Ww#BNdZ;k1}QY4O0;Sz5E<TDk872C`I>
zgC2Ax_W?S2TWutH*cMF3K44ne@2I?1*6@_t&PeTmMbu^+aOSB~q?OLP)))>_mEjjd
zV5}0<BKQ7s3`q6(hat}YR`=pUo(wO5u*&ZzkP1J6DQR+{39%f{f~PNDc+d(9srmn9
z3U9WlqixFqR2*`b`Rep`srk;D+@5?=-aB)bKxmqm*+R7Kx0|fD&b#F3YXbgq!8bQu
zZnqJ!fo52jS1XBuuZ1}fy}I-K5jK5-jWB?ms8H!G2j02_m%w!9G`&{C6Q{yg8;ljb
zo;FI<|F(*}7KuAs4?3^j0Z3<iE~<y~z9V|~$L<JQ8_#youk07+0g~|(VO)2n{s^iB
zM{OW;pF5hITNl^kIlbd55GmiejxmK=Y#ZZXbBJ8iI9Az%A0(L>i@MJ61>XliEetYZ
zZbTz~G4k`im_^Mz;Y<mauOKi)A5IxC{d*Hd&{Nb^S0tBmkoz}+=5$qc`!jx@a7(qg
zM)~E*L579v?j`rcZ4+74Ex^<_jsl!`AlyS*4J}xO19qQJzZ9^ncS}520h*k~ZGMKZ
z=hzA#d&=w@8B!+{Y-%k72kO@)Vpy<Sc**1!i6{=Lf>dEn5HZAh+^gW7$bVY_23x1u
zAU6*Z0Z^Vci^Zk|a@7DI&I+d%Ny-s8CGMB`ns09tL0?qV_B@Y(C3obhb!pvZo^Xw3
z^m%Sf1GmJS0xy=}n=B#AG=dY#A}4$$hxov}sT1|%uIHI+YPYgT8O|o9nc4@g)1AYj
zv4LCUb>vtLMHzdZ{!`{P2mkA=!_WY=mUMmIX*J*G-)wA|LU(>S+JZBk@tZ(^&HY+m
z4El46tWyY>jQ>j;uy3fnPx!|7Tw`l_m!YmHtQzxXh^H@ZN(Oo38ja^wcIW8kWC<J1
z@`6+o0A)a$zo_eEMaNowcY9QC1b)tz>XC+vj;OBPUb*9C_1I*rjFjR*=RS^L?0`T&
zNBKB9qN!JZ(b|rX4;_$XG+hN`We)63{1LIk?-nz=cOp_6^YzHmvj>xOyX)Z%@Qakp
z!Cc$?<dyrO6IXE}$`i~rohsEeAjJh1=gm81qC;)+lJ<-^nf*V*U#LuNIFT?m9l(DS
zI3DjcMv$|`-|p<-$3GeK<5hNt6<HHq3l-=y02V5F!RNQ((%hnAq2x?bzAp&JyQXA}
zn}?Y3Ez-4-|L-h7sP-|o(q08QKZ20d6rPt%;i}izuF<6;yfy1}l3uKrw1Q?04^BwH
zx^@lE`PmA2dVXNiS^zZv+F<?RyDtIb+P~Hs9TyOk?SsAIbzyOKir}9~iy8P`6UX9Q
z3sfMcq<U7^v*xQQn6t+-1PJv;l~XLL$E$kBUC^4>1>^PQNr=$H>l}JN^~=+FZhPNs
zN#YVwDETk4*-bsT6C5j<MIm!^J<n#~3WW~W&CLj!0ldUr;!2!I%`dM?;F2Nk5rWyL
zsireK;&wyLgXp7Hz|6JQX|03sbId3i7sI6#USUFc?z7Ero;Oht5XQSAT0_eBA;tE0
z<vhX~zelcc=pMCK;D8Pyd!$vWl$)W5kks@^t=Zs2H02*J2=EZ96JXr&!_15q!idhe
z*eG%LHQ^o87Ba;FCj7^|Ho9j0+c#7KG$Iro59ygI^w};h$1Vac>f4MtIgt+8!WcJg
z5=}q4p6lTk(=!&?cwxqRVGeZFC{N-oU!M}8LceR(^Zdt4+uX?dAk=94IXFI0eZK;T
zS!`)ydUX<4BTe6KHZ1M+duF^&V6k7}<-a;46~}aiXcN)2Tz^g=d98c-Fv55gc}1A@
zE-ng6*AZS5XuWFpWgsX4;uYok5O;qg&#c??S91mV1b+cFh}tB)YQ7l+_e<%8m3&+5
zZbpJiV$lVgP#S%@kp~UH^&)LC0_Hn^CKDiIP}iY|IJdVv3Pe0Pvf2qmP2hREN94mU
z#t(l_jtH@vUx+)YXf=akt>X#80mb`;u<5`G!piaaoU+q_^Hr+2XQhtdyM?qd((@sh
zwuAlrbdW&H<lbqRc15v~N3+m8qCxysjv68Y1a~ED?#(`!)7{clnBQ`{tGxAp<rL4H
zIN5$6x)d#q^a_0~VaMF%MMxsv^&bItoKVtutl#>Y<J_3G$Rgj>Iu=jVb3IMMxl{&m
z*cQnJhzG=!?hN|~FbGvhz=^7jJe;4MOp+tv8ST%{8GBi+ivsi1gb`_8_}$kN8tV2_
zpi|n*yfEYai!aY_=SUdqG2)p2C+JY$ZLUjH@(oXPZ}4J*!7)5{5jbgV?Xn%m9MHib
z9CWasgxXSta1qPEX%`G@Ra73k;<KTP5A<>C7L}eSkVn6pq5tfmZY@zXHBudj(})KH
z+i7LQt#&-*Ir5W670O)naVD$7#$42G!6cJ@G8buAOwgU-r!A&pwv)K6uflx#=+^D;
z%a?({k2hVB(_e)JjJ~l7m`u*p#djN9o-Yk;J?X;_;5QdT)7)=tcS2U}6knC47D9-l
zz71LaefaA_`q(kP)w6H*CIeZLq-Q>Zw}t!V)EdcRU~SuPQxEYF8!Z`Yd4Z{}FIh?!
zwnf3&H-qN47;9YwmQZO%Z-3Th@-8FkJGvlD2`d5zwlA!y<owA@0a1y+bH$Vqy)?oJ
zpGmWCM%+J=%9pv4CN_|;3FR1BA<5KC2~gGUd4sy;9taI>OXefNTH;dr9C6G(nZ7uV
zJf+O`Kf!Ky^(S0OSHYqAW&vK+AJkw_Z2+x*kBEB`lWhO?PknctqyY`z5Xc^AhxyeI
zDXp!kk1tduBuAbs&lcI_)&cwB2l<u$DmeW+yp!;FgIYYeo39O}eREsd+h9|zd$XlQ
zv<rD`%B8DBPBoG~jlmmOa(;V+lW+<_5Fo(Tgo57Gh40rAaK(;0_5qZgt&~q+k=LBS
zc5&@X#lcHW8&&YMr<6BB0Wi(wzY}57KviCUm*2=1&U1rG{mNn%^MxkfGDI#f;?4N$
z<|AZXrvW6S%u`#rUb%6hwte!eFYRfAL%^@X4JL3{BWI{V0p_j)`Tl*z^xX5Dw~Zl{
zJ1s4O6fz3v6Sx8hw8ZJfI=6^qb#8`wg{n02JTxC)VR?lrs-l?@IQT?d?H*|!be(Su
zZ-_!eT>^`Pi>D{-(uIaumdR6#dOfA;cw)U0r7=aUrnMS)q9d-_s*?Qd0FA>HHQ)Kw
zV|p(qe+i24#r?Mz@C8j>HpKz`y<RWa9g#QfZ12}Lzm%rp_CmO=r<0uPKkV-UrayL~
zK>J*So&CJfmVrwhVMm%u9#9M3sH(p4#h*kD;0MtLj9@2lgW%zTgz*r(g?LC&++-FG
z0OXBqZEjlP1osF%>y1mF{}=`WR&Ix7F((}38_)e%Rbj|*pI(_Z4EWqlRfWAu1(BIW
zX?usl^9ml6GO%M!8SoII?XJG#Zt()GeKWuL8)XEt9bTy8%D|r_VPzT9+;)90nK_>V
z=w#G49~g7gPE^624dekj`wFdS2JYf|sBCY#)#wZs5VSiGnLqGMi!N7+|Jo{$itvil
zixi*2oMdFU_Y;rfYS=bg@W#7pEYZ<z6RXYbzFaHhe+t}6w1}iJk7@iAn74d_gi!PD
zE>Y`<+a<3Mong8lbgZSg8`Q?cHIm`|(wm6jqjCxRWer7MzBnJ9SriW$O~?<1|Jfov
zEpW8wQ@9y&V}Q7`H02fXE|T1V`>p`NPg3IFWFYMM(x=SD!jH1-V<?P1`0PF`?P;gD
z<%%@~=1={58MrW*W=3vk_<JQ%ttY<}k=o*QI5O1;-R(%9+{%fd!8@_<k#7%6!|I!L
zZQ-8Um^Nf#t_Ys~it;@*(!xXsGIH4pv&M2JcNg}n$y;<+i{l9600i?(jPpg73{tPf
zXdxBwzjbh)opx1zO4gX#LzGW%(F3zoY_5(!D_5zxR;|KYT#8#M3be+t5^sjsC08A{
zd&tcW=tB~XVJA2Fu;~RHqcmFV;-cQBg=O-Do$Y&59D1Y8RViEbUGf#pV{DP(l1{5?
z4X4u;auQ9MWhSai!A>YLl2X|#>o_mWqN$9apD$5cYYe%I0@@2tUG<0GHSrw8G0#Gc
z)b4d2ig5QFSPLmIoASQ9wFTBPMeL<ZTc#GVz4?IIk`PBTlAO=;FTQvKPlndlLT;jV
zdg?(aU6q<P@N-`*e3Odp#jaum%{V{NOjkETUVP07&G^IlX%TtaI)vGwKb(K$!td39
z#zPu(aST!NG_TXJ^@J8wceWP8w)ll9!?0WDFwD(FAWNXnHum!uOGCZ49xl>e;Ok6>
zP=dx2>;+VAd@dPm%*-RFke#1&yN@vTICRyS#oM<O=p72*JmTs1{v=U2tPDhikO`0|
zC2~xXo#1P3Dm&L(n`i-hBm*+Jmx1j~)OEZ1=ylp?Ycp^HVQ|x&wfR>n8f(Yff#2m}
z)0nnkj~w=thN$t;*9e>JaNQt}NNjefVMJcbp#g0&k-aPeLTY%F@7;=QOb8+u;2N=R
zI{1H+Oy5Aib6D!u@+c(fvqv0bU6>&Vrk+(NY9o+vPP6`(zfasKc&$q<_J;;1=f=!1
zXGA?s*uZ}$b2oD3qs_U7+3qP{Dv?Mg{UY!Y5hoxt)S@nx*!Sal{8rcr*}Fjf4Y-~P
zxl3L>t{ML#{O&9f(N33vIj1q3Q(dN-+rRJl+<fIn;4Ny_WtVrpRI0|swU3`M-e<)3
zY;Epsk+$HuG<`!wEoll&8gFfRMJO-xM#e;*-%v}49bgOo!LvK<+CV7QoH6j&^?T!N
z322hzB)bT<=o|$ICb66Ts0S@W1V>*tGn11Zu{DG82`ef3EXdWS16{3N>NJ1?IF+uB
z!)Fp_nn5=Krkm#>8n+4~bF6`<mD4D7e?P&tcJQ@l*K^zFV0l}sJ<A(qkAr^id%K3!
zPq4v>-P$*(wNUAit|`<@!P>+%;4TMA-9E`N_RQ2qVz-zEy?<+<`fWqN&j^5Kd1lRb
zH>QsHr(o~x4p&riahC8nYBAJX;$v9Z_Wd&fv0@{~`V^@HgD>>B8-&LY^hsUU-C4PS
zCKd$JrcI-gU~vZ_VyJ_$FNP2ZcL*`U;J@CdFNe{e2O_+XR$FlIA;o*@`D4g0n;O`~
z$|ezDQ`(t&6#zAN6@eVKV;-+M<?lobklM*A;;IfMj))2`%!YoL)G8HRMIbVkfXb${
ziTz>xA9m-nr=*R_hSi>Zu4&*=*7xZQnlfqt-5bO*U6?5i;-uh%p450+7-tfGevxLd
z*Efj{nf19Sw?uFa8G2C>kL#b}kC^Q)#a83aqXH=51jClQe8XpOo7gHu_Z4{%@CeDg
z|5KB|3++dXoahj)SLiu>w4d!JL|s{HczJ;Fm_L8ALF&eG6mfv<#zqPia}3UX`Ffex
z&)JSYq+8cc$aOV%gbNR&M?w)TxqZIW_hIJm1Z&#aH54wxEbGr*tA#h;ym4^*N<&^R
ztBOPh06Fr?F>J{~Vo)!B-8`%9ODfjC&SKmkIomyc)sleqyQeJ@y~n35_Wx_GppW?j
zzZ#?$NDJ3``NNd*s!Cd_t*BAHG|KX}U*>8c9Qs=RQ6(cqAOTHdYUJtc{rZ@Hvw~Po
zggOIl0+-p}&G03o=505Km_R{vo(T5GaiT!zdeHcKCSiuz?#P}I(QN~oN0EqQsH`-l
z?aJNVtN?J=6tVE<I&XE*VP6m7F8rIzaEi<M%M<u`j<Zd<CikcI%FWvey$-7njuG?i
z8bjh(KR2-!h>@t=3Vo!Ej!8fEy6C@G>wHl*xiRL&Y4keRRby~8zMH&~l$J+a!**_W
z_#Ops)wRIV-OnPt|CIgDiU~hjoP+1kOSCDYVIH5I&fiy3{$B<K%|p~>i9kv8yNYDM
zB~`aw;LMo6iDyTN_egTJFT5*R7;xBP8~1ZKR4dn|8>?)$xZ^3C9*H&lACXysq)dQN
z$>-e*LX??Hpi~N6cq~VoFx;;9{`XE@Is0)&zZKtIZb`=mdL*RN+<6ymv?YxXSng3y
zs<SZ;1b$Ac12@%%YaIwt$A;8F3^?#GYF*d}n?@M*29~OgL*N==s_<=jAc}h>{_yXN
zQ^YSL-SvB!lwd5CPmQdzZV<M#-D{Jh+edc7(A8qC;6tx-!phh%&suMjTTQ+M{rlN}
z)TwW+>DV&ZSC3dcJ~`iPS6i+y{$By?Ze{egs5P;=SF=l#tedAO(&0>J-jo&#?u3Q^
zk5VkVdi`Cs+=>LycS#5>Ae?v!adDDDRZlUSw=F{7lw<QQ#2oSD!*j`rvK3;(rU^1H
zqz^M8@aXO=6x@y3{yOV`G3z=-e^lAI<>#H{XRz;d>$$=pv?l||0e8b;L{O;W*TW?O
z_DCbBgCz40@D6;}h~&J)*;RV-P(iS>{N(XkKhM2F-hP*Rx*g(#n`y1-HCpJ=C7)>=
zq&6Ixq}O2(330)2{}DUDHA{(wMo#dCz|%Wv6!+iHs9|d4c6WMBFv{;OFzi%4nAJ8`
zVt2lF$ohXZFg4#X|9E0t?HPQjCltZlEfA)}>ZIeA2TL6Rld;43+Zwo!VpWW;J@XV^
zN`qE4=;L|888%YR1qo2cK_5$LP-G@7N^<W~H!~y)S@eHQFup}0!z3jQd@B_oMskF3
z<wSu&cJ|B!3^OJ?k9lKxZ~t;>QD`mU*cU(uU$Ak{*!denYzjoFRXRSDIsbQbesam}
zjlUbq`#K(Jzcs>zbRf$BRW>ixut1pB!bXE#&OKSI9?^z#7MWq1Ls{=}L-%n*h?^Lm
zv$x^<v>y{vV_E;M|JVtt;)Kbt(iUm-Y$=RCl0L?r#Gk#9)`1rt&g%cjVNI48v{chu
za$@?RH8m_W@JFiu_pL=m200cT#Q8iXXEuVmYASZ-si}ZqA=K)T&7iP&(cE~VB^k3N
zxgul7H@W2>tgk-wPr#}Zb5DNXN3B>AHv2$<0k^425pi!%*hb9P<0VZjI1njsPm#Rh
zva&21Vi84&(eDAlzB{QkY75eX_NGRs>@HZ!GyG*rNKV!wZKx-)*u9|X<BH{cm-myz
z6r-ykrD=tG>zU`Bq~XX^Q0H!4b<--hu9nDW=4dz(wpwz6fPdM$4Kd2?Zfp*{AzF$A
z<?(O}W&(HDer<VoD)4_#E}I7V4Na^DWwywO6ze0Y_a8X#;3Q{cY?hNr8_Hwzkegz|
z`P1ce7yL4`XshkF_e=*9v4&YB;uZPUm%-g&4}0Q>8m+wH;M;S3=>x>JPuTF5WyB#d
z;#c$TpE(BZH=4<FG3Sac)?MdMjo#dAKhAn@5n*SX!o@R);h;$60E>%giqVG#P$9bZ
zS<Nvc4}yXTNS-((*KdJR@5_fU+;-t7#W+};P2P+AV9vM0hcx%MXQvCAE{LoFL*Lm1
zRURUw>%%}r()5K{-u#Z?`d8|y<BUO&%;7p@nj(F7?EJj#S)_^ZLUxiUb9WrniTQs8
zFIS4@FifyCfJsH&?PT1i`~JM!Jiw)^A-<_xpl-4<Fh(-wlIkn>?;-s#H|pv|P*Vg<
zfHZ+wmUQAx_y9{lw7-#tJJBn0F%UvnrTb0f>$5{V7<`Q9iDu7oFnY^5tuA@+a1z6?
zE|&{sO-K>lX6s)Ua~lEs{oWy^x={K}5#s5ebppu6=L4jbcYOF}b8HaZ!-G$Z-UN97
z4_iG8u*^EcrV&b4uRn|^a|<(@<5_cm_0V)jnM)_oDuudpz8RK|+!UkCPbShiB+@#B
zPmw0r=%o_ePvib~3O++Jo3WL|gokHl@f%xu&)Yu#$2X&Iy@kfW|9`kdnpWTXu#|hC
zLrWjf^@nA^J5b2ef^^m`Y{_|!T%Cq;^ny@N$Y|u3WFw*lTCK?Fhas@%U0To{ClDg@
zX+JvTo^)d$gp(SIe#oq(s$iZ=_>)r=s`=C4$mKy<yMDu#@2k_@^-cwGTU5R)>~I5l
zaQ2~^S(7LpeDPou5g9!-3Gx8@ckn^ZP|*0(AjSM@^6?%DGHi?`nT1|oqOb!q59H<>
ze$`3H%`h33+ty9`bFO=*tUITWX$evNW6PvNx9HMVlqk-}OXpBeGEvX$CHo-JPYV9f
zFHLD?dNjAs8UIy%xJg=#7NqLAC%d2rsRBS${J<Fav);R<lHM<sqVMDTf$W<<4GI5F
z&5$5bcF4a|3t>sdT;o(g7y$yMm&&no62zbq_OuE?;Yf~N7lk}12%>-_XeO30>msJQ
z_&o~4k3c66C#g>wlA~$vi0G+z_VBe8Yo`s-5~Xbv-B9nV-9t$<(DswMjmVKdK2+p-
z5^R*o(H%0`{OG<e=%5ca97zm%_iN5Atg;kgNEa?+!#UnukA@yU=-;!cS$VHtMdSQ5
zX|5O~C+vo214o@P?k+!rmh3@dju3Bu{)kERzcTNnNSE1cSdKvOgjgHzFOJH1qDITG
znrlvdN-JP`l_=a9RiBZG@gtD~rX|a4JwP}#c`t)=WU`8#%P-S|`OuKu`iE*g(TZ_f
z{5qN*BoIlycRJIsd?7wG%?xtE7!Uw9w*J!hYxUW#`@qn!8pav*#2m%R@!LcY0b!I7
zXoc0bb|d<N0z`DRnM0ovA^Q4zg;I|_ye;{i)EkgJYqd2Ek*5jTS1arf)~<Nf12+y0
zt?j3y+$fGB?>L4FBESbp-Pa%Hb~r<*`}o7s?Lp~Eu!sJ@E9w2P7R7(%TOh^+>38Bf
zg}l91!7PE4x3im<GYDFxaWc@pFHLt2+w}i;7D#{Plhr`(IP-NNEFDiF;;4H9m85h^
zw~rVk522{OG$l>mlMH}^wiX|TaF|1^G=Y+S7RH^~Zo#?aEG10XwGkY|`kl7Te+Ov4
z(JYskVLY97YBdh##)tz$UjT*fguU(Ss#OPibP=B%ZCUG_IA(pB&D(AkP+?(4DS)yR
zq2--qNHMC8a8LGy<9VF4vjW`er)-%W^xVj!@%_eVKR3^mq#92nC_Qn^<NMQ;=Gp61
zW*C?44cM;)DDX(EY6*vhzDjv}G6cVO^2Y>SO=v}rNfU!0T6kCz6ckJK*fg@b;*R+D
z2NuPYTnnqmNClyhk6zFNk|7ubIU03hmJ7m{ri^IR46>mAwM90`F2`p_w0NaUmLABt
z2viZy@rP+a2;g(vz<sv`352KUT+A6Ps!IeQhGEY_2zxQ_9<GQzQy=T%Th&})DLQ`@
zHl#;l8ZVtjJ262DJ$oGaeONm-<iH=0TmzJf50;}oXM!1dr#2vA&F%~d1$E8tOB(c)
z54pYTBTbF%?!;X;%E>@j-y#`cRFL<Spd3kC`g_L|!b88=27q~#*R)zq?0OkMwv7V^
z;Yk~Ee%H6krD)$)L#78Gs%<mgZnwiSdcmqWU`axxOZ!-`zD-Wx`WAlu-PGw2Mrlb<
zJx0b`mKvnp+V?nNBfT+kEEs1_UrD!T50ko6wW3S3OrcVwqlP^Nn!^?UB|>WB$=m8;
z!N=XhS8Ng*c4~%T)BpL0C?h1#GC}ezaYzuv{#?Q^%%k0!N(Gj+NTb}=&vJ)6u~i5_
z8g3}1C6Ws^z+DO;m<p1kROTqT#^s`wAeBGO07N@U@FXDhab&G0m5y!E$OB?I#t0#|
z4^tznRMagCAQrRcbHy!wpCV8vmb2_&c8uEWqCi8!=zbGynwPja?K|e<%D(q;>wDSC
z!@?SGldce^G5o;E)9Ncjzk)RUX1?F)X-?F2wcV4I&dOoVIYzt?ay<P;DT-Jo*Zh_F
z;8_ODXuAbVEIq)g%nbq@5KB}r@Q1GD{>H6;_GRU}T{{-nJ4tU{lHaQg#37|_A<BA=
z1CIPEkp5KG*QNc-5l?TgeC!S}Hr_snK&{(oZ5)<_nxefta)4PLoOHgyp6xWy{5J*I
zwCZg!&R}Q<b`w?|4TCX_HcF%Vk5v(lpt=cDn%QA7=m=N!cdIIBPD&h($RXZo<r(#-
zPmOm#pzHy9KW>*Df?l91xxBp8(7DVLBeDbIISCvTyolI&1v(~O5xm_;g<I`6u20f8
zF)?9|16Z$*h-6LVk7J!Zb~F6$W5*ZK!~?o7xg!29p{n7Zg5w$1Pd~VIOwPJbU$Mpe
zgvk*i;mPkAQOTe676md|3q-rEm`%wMZkgP2qf`xAjMQ2`NRas3vpUt<k1KSVSULHF
z^dhN*mjfnUUwzoEup0`}TdAO{{>=o~DkcMOBR-B<N)(_7>svg;luF#cr6UwNjgZ}G
zH-7Cy{^Bk3+Ms@hpQ_4fH^tU(RY3HB0ElUWXAmrz<^K!gcY0NrMsM1IPR1lz@@q^%
zOEvus`=DR&y?R-uUu6@~IFlP7%u;4cPTfn`D->Ndk|(dNf(eAu@)F&&*}EpBa*p9i
zAl<Bo7|_Dd1Z~&rNS^_R-2Qqt$ia4n!L?2yHW1vK7^->{dg;Wly7K+G{EZZL@vo-j
zMTs}C4|3B4yN}(rtXN^j4E&Z#@-{&wGeuv*!uM4~-w;mfUS&V*X>HbIzz)scB5C=!
zBOYcF4O2@UXl3>sLt-^pr#}ZmY~4b!n7(5WD6v`ju7MB*y(=9E^1R<X{bE51arcvk
z<9W;r>#vl#zW?-y&b;$<%RGK#>XlsbdGBshc?2x8jN(=yY-cjNSJ%xF{l8I#$Eoh2
z<C36A*<}w{4|@ypbxul)1frK}q-Rq7!O&pocnAn4q8S~w`>pX)V4+$49mTaU8Q4s<
z3U4=231h&gEL<^n-Byo!rpj(*l1ZLQQQR?jY@Z({6^n+th?R2dTMy(OhE-sU5<*xW
z13uvyCuDO*`}8G}@K8qleK;Pm@AJ)-{q1v9su+b()!Hs0&;wC&h7n>9%-0NMA-y8;
zGL<zdA1$8TCF))LL!iMmFVA1q2O-MyYZmZLaF=}7JjML0EaFSnVM*_t8>}S@oE0$p
z4`FHQNjBz#_~-{@k&&r9cXI5%y5w@1&=Fe_fA{DHI|a!1^Oh06r>H@@{o|UF_}@JD
z-1v<b@XLmzBfEFT&Utt5zWt#N8{d;D2MERxZ>lV=Vbo0HA+1#TkC_({at1!<2YGHi
zsRTESrGeXU?nzW&pqJH8s@QlEYs=bd<Ewez8o=krjn53g57xnYM9K#?f0!BUCm7gW
z>n4|p#bBSW<$Ivy>u`k%4qPb<%uMk1L(94Hns}?&4f~(Gz6EdQ-$Nv^cmcukf4cxa
zx6$tJqbnFV-pl(_oj(j$8%h67JG}Krq#swIt66aHa9bpjs+$%d$;OEN&N<_C93SRm
zCAjOT^SNpDj<8gW!#mAN7mwZjn;mgPsTO*1`O7WAo0Ks^&3|$3sCMlZ8y=?9?;ABn
zwg{kQfxDwKi1T&M)&Dj|(t!{CxsA1Ze68^8_J5lVo0(>1z4i;6738@}wBA5OJE90k
z4HdEyK4P8a%F*rjjt^{B98{HT&nrO`5pu5ifntSd+V$igFk%y>DG5A-^|<U~2mSv(
zi%-d!n6HwXfdjf&u1gnVX`3Fywcl`O%CP#72Q7fK&7n3K#E6jd)%>~9lqY$_gfK0S
z2z7Xk>;4qj(x8L@nk52gE|xU(R!+T~+6cLtxCp&5$0^9jG~$T+7ivf!1Z8yOu&LLl
zj>ub1)mxZ-wzJpK0JU(#uv;kQZcPikO)Cvm7~wE6v7n=$f#ate8IW+?e_asZW?b~_
zn$r2z|J~mR^pLB8kX<<&2Z>7kce^`BKev>3NuIql%(WVj;K8Ta1S(`+K*Yz>&!E=7
zXbDM?)@`l-XMv}|;NaNH%`-BLT@vkjfJl;)Db#Q4;7h$Ik3chv*Eu{vdWR^@I@&PH
z09P!X!NOD85;Ybi#rJT5V!7tYH_ID*+GZSeGlMs^LhEBE6oT}brZe3=k5I{S*5#;8
z%Ccm9k$fdSKy4x|Ggqb(*{>a5R9VoV^)Uo{s%;;O5)bJnMfWwFuTb{By~)j8>r9}=
z*fc11y6wW}8l%d<|M?!qzZ%2c5(37kQ>c`y*v@HKxzUhw=q@>0Uw=0*%32HPG+xy8
z)|;81#(}CDr1CcWFn#-XINImFph^1d(jMZ1L7vLbmb#F5tF{OMOQPs$NDS`uNfY&K
zGmGlqtt5tYIT8Hb(-h1`&_mUWyGAo+Eg@raI`+Sp3Yu7CazOi;Q+WD@nY92c#6&Ux
z=X{9K>^XM$4#ODr%hzEU_{aqNu53}VD`ZaLmIQfnJwL;mI;0lB2FLDSqyoBxKpcLS
z6M0$)ZiT9DL`sFH{S+b4vScBHn^2Gxb&-W5il}}|dpn6r72U=j$-&X*6(~p4Zjbk^
z+5u0pM7#UOS&jzyK`+?zbDNx?E$M81ED?zzqdd){yWVGyFvRu#X~^xSM}%M%qgQD2
zH25GtP=U_OzP8`Be&6SQHq`p~1HlR{6@<4degE71&A$b_{?sKLzI24Zw~v>-B+~bF
z#PtsNB7Q4k#Gp&P$j(fF3Yo?K8#aYoIO3kN*@+RMJn`0R!m$&N|6AgqshZvRjno6C
zC@N#(Pbpx(MA}8fSb{pG)0@L-)Iu!w>69fy1dbK%W1h!C+ZjZ(UR*DexfNDd&^DBl
zAoi=R3kpMO?k<@C*V;nuI9cvgP$*Z70tD+95twb`*5HCM`^TpT__{-I$o_Qw;71;t
z6mm*fcALS;G0^n}*6R85C?TBH*0l+IaXZDN9DBIyWY;lIAJV8Sr#+U;>gG)K=xwOo
z!2{LyIwYomm&i+%HyoC7?0mj9L%gK<^eoNX?;#7zS+1BLYC5wAf|A-q90-OZIEEur
zfS2^rn%<d~&}srFhBNE0DmPEc{~8ZM?4lhGs*Nb}c<Z;ZF2Q5EQZB9bXS+(s9P6jM
zZ!>-+(4W?p`z$mclhTp<u5*}0PoK0LsWNYEVI*Jya0jse8(R6H+mbqvC#9=UdfzSo
z!6^N*c!FiBGuTlg@Uaz;r`4B;PMus0QP$b|VBVWOhgfA|JDUh4)|@DSODNUlpZG0z
zgff>R!RVH$BK;jf(k~Jlh?B3g``)1b(m9zosP-&TZfg$ZA)HS);)b}!oL#A$o!LmE
z*x_b}m571VcqHO}OJfDeKtxFVI);yLnHqocg@TIWTqB)Ab+9IBYcbuvCu{-t#Yvx{
z@rP2BMD>>d3ZobPE-KKhp~fOpLS)Md5ry(_2o<o{6a@Me?RM8v;iS_5<?l(bh1+kA
z{dY;~-4vsD#|1`=W&HXnpg(c9VwC@}^7H`-4tz?!E4Nh$(DF8#Y0}qPkJ@O&d^=J@
zPCgbzN}*NgWaPG22ai}aLY1+D-8c4`M&;kjN3IZ^cLo4?6a!BLVlyiZy4Qb>1J;4;
z<}CE#pW+u&|2Wtnql#TQB-DC;!=LaMRW{OEnXjevIK3IPkix~}tFNBt_Wi!dbjr4o
zVU{AL`yRXI?k+d%ROGCks(v~zG2rcQ_}JHJc;Zzp3F_{nZE+}w*K4l*>^v!k69v=D
z0d2OG8*XWZw+Z<97WS+wz3c0o5`so}P*DBzH}`n7M*g&C^A*Px5a${aXROegI0<qH
zK)Oc^k^s%tLlSO%ZGJ>aPoX+TFXJb}3X1o&#!2MIr?DKI@c(bg#cuoV&rmKDNN9j1
znht<03tnm<H36|;yasD8ndx4Q`Ho=kJtSnf-hP&TJ?zfAdeY}#=^gXSg1{PpAW*;f
zeAg)CLwNtULSVKU%iq1VM+Ha>ee`UFhk88zih*H&-w~@!9WD9ze7@g-c}Vhn=>}3-
zp+tduzIKYai|D5xX!-PRoUgn`X+c~Mv72!85^0z_7nbl};G{OobXQqUA+_sVbVsoY
zohIOG2SR&*yZ*3rn+IC7%GfNYv@<|w_xox0>Anxcufe=q_K9dM2|6;ulqWRRyBjQK
z)PbN=l|BA!z0`^g5XdnAN#MWrATDfV_45`|(=}RaO+pE(Q5dn@Umna4!Uzv3>dyg|
z6W4Re&mCQyK>E;O3X-EwA?u%TDzB(BV56=#qfb_tf<XNypD|L}y^f8nj7gAz5|sC>
zvUo^R(0-}RyX9`LQ!d8oax!Vj^$v;z`i=Mf8)H7k=>x5ep)hU;-{q)SE|8?Tp8nX+
zFfBV6B$b~og-gVM^aSKp231phYwb<TU)Wx%<f=V#ykO5H!yvi6v;-Ck&pKRX_^98A
zy|kovW(aI99niHl%0Te<{lfRN@xeOby+~9w(Cfom*d)SB$Kv;7B59nB#@I`GK%?u>
z`kKk?8VbepPuNnK&4vVyQOa#JfM=Aa0wTvhnb6=wB6qjs8^}<k^oD$TfgN~riDA8o
z0cWIUZ$0Ot*Zh(O?|Ch24_G~g;QoW1r*RY&`;xnlE0&)8d&4B4=o2wNMtLGf7Zr$O
zm<modDv4|MmN2PYV&=F-$b-FYTRxl$S>*$RL+0g=g`rfdcb4PUmqpAHj=UJxi1E~f
zq0gdbn$waQlBb_J#}`*!I?w`tT0GH2c{<S?7*Y4y5{7K9;LXPd%DptNx`#WC#({GH
zR|#h`zV!Aiv-N!iC*w@8KnS{DLO3FuE%y^7K{PHA9E#X*KqR<-BjmUL%PNEwn^+B+
zR@={=;zdezue>1sGh8CGV$A_%RSQS{dw)LhQYSk*w*LSMI5I^@K4xs(@=uKSsgk=P
zKJKbctwR0ynLo&5;N_3x8sg!DNXnQaNVB|$T!;9htrMrp`F@+nMO%X%&2!UYSCcFW
z#e?pyqk(+cy<Cv4qagw3g-+G;zlir()+7uLtH#K9o3X<=3hE7x)qb;lR4x`nk3*jU
z%NyNizmR(f`UL`ZdB!UeAZs<CxLbymOhJ)IbXSi&`8yBI6HN)en|0&EunL2@_9P(X
z(N-V^)o9K0+88Ed+|4XYvwOUEIxDFbU-QZe8sBLA!cw<Jk4NG(kGT&Uz<?Dld4AF&
zw;I?j%++L>ziPyHvo!aObGEbN*5r_3{nNAOAM61E2x{?al?N_@L_n~dC_Z{ZK4D`P
zu0y6;Zu8Tmb^Fp|a;9IwX;xFdb9bXZ2ue4+vN%~lgn-&@Q!|Y>phLH}kt}*7>%CNh
zdk-E<auA48T_jt^+_b2+;a2~jVg%bAVn8mnM?Va67>zvTPvWg-vBCD|sr9iXoG8x6
zr`)a@4}FeiJ-$2V-P6n1;WxUabzTQjDh6TcHN6F~Ksm{PVJaDcbDKB+jj7(eq9zH*
zUUq{z)}(In^Lox%d@u~eMEV2Hsb^m&GOaZsM4(@i84!ahEhu-<)sY-YCcppS<X<b4
zHKN9)dV{Sa8H;3rCXHhrFFlxe_R;CxkS-)d*yoK88VRWq!RPI9UZY%f23C)z8ZrmT
z-1odjzwS4X=!Xoy$svYw4=sfLHa3XVygw>La{xp=Bnw)QovjFIC*(4Q31GmZ2T&qF
zsizyGO%$~lSvR|jguHI)i0~sOmG^x)BDfIdtc4J8w(>mumqL>T2uw)4K^^e7B-`>%
zX#+agK#JRB?t1Sg{RgE8OAWxU5V-4DJBOJd1Cu>^0cbs)^<haV&}I2M7+`e7Xlf~S
ztSzPlf<;9~vUa4j7B^!nJ5H%Vl8-l09hkfRFDrHsH$}>3OoNd8?FZ0|M>hN<5bEKj
z!){p!*-5QWW%2PxLsNx7Ql_XU^CncPEJHTUzp=yDd1P|ZsB74&ODcZdyT8xm$40ou
zcTE}egW1&yzhwzq0l#)gfUqfgQMFWAG(%F>przM^VpG;GLJk#bNU}^o?uYups_ho$
z#+nli(A`uujsH`TV8M?sU|(gAHzadENP71iz>UH2j%sAGF`~iw40cKzQa^d|AC7e1
zAi=L8lg5)5X?XwI=V+2aFv};-9USqQ8yw}Nk~wFJ2uyU|1tM~*=h%7UE%%<J=dS4_
zP`ihHw5Wb_AA0}9gVE0Xo-+sb7r&{IJ47Gi7GFd;-ccKlP6bJi%h(uRb87noblCv=
zpj#t*mX5N6YEheb*}JAe<E!>-B^GUht*Hyk7lQxRy?6=yyjQ+E;7<a(K9Lh3W#=HH
zoofx~XN+lh3wX7h_5$)hsk);qyhWY7Jx!E>e!jNmTn&3#OP_RG41BvT1ae9dHbR<X
z2s*5h%!@KXzEgw_`A5Jy=7b(bu|0^rdSn}qT`YHDJ+egbO=+}<;H3M(6pYfAAUEHg
z7rhff`2s?i*~|g^{p{PcXi=w;WRr#RsuDr+w=*wfwcI^apcw5wmiq1jwRv9Ws9B=O
zX)Eh+D*mkX3*j=Ck3Y`gXVmkOZ%N@YIBDX=h~T$&k`T80E;&E%eVj1H+h@m|ih=Ep
zm+EE+r^x|+6|b8lSklh*rlE33kztrTGj+OUJWw{%`aI8#GkP3RTl;?UG)C#)Ane76
z^PQyO=v$fzGYPo`Cc|<Y*CBt-^)fj}eif586TZxW>{66+?sYUoX}v$XWhl|p>m#yu
znZFVeU77yIB&X~Wt-CySR?+NhQj)PdmB$Z8Tf;^?GHR?@*p&;eM39WCI$*9xa|f0_
zf4^<Z%=7G1A38|@VH;6)tJ{;_3>SwLhGk9Cy6ceLROzUNw`Ikag-#lu_oDux-|mF?
z!pwh}l@w8Qy=Apw{DZ(oUJ6koW^nBA!iE#8`a{{h8|wyCaNvfJN>$o=(<py7tDnK=
zj}Q2()(no?eQC5R>}{TGvCYDh3|%#`Qvw6$#RobupKdeBeClRd(AD}j#4)lvBi%5R
z3Vo2>cDKrIz-vzH{W0QK9>aUAn{KL$xmrZ!Tpxd&x=dg$Q{}opp;65<0;M7ReczE$
z6VK5eM@>lFA4i28JL_j&*4uJ$(kzi62RTNLu>!$0R^pIDrMClHO0>acr5GlB=t&J&
z%kGYllnd(oq+<yI38F;-DQIw^<;~{iwbsIhjZv>I2#9vpSnEAG$ocQ7Wao>~)&YAY
z;jF;p?Uz?rL;DA7Z$R?emY|oFB*)Q>DbE0q=l!-1uUpuQ_eu|cSgaL48(@LY&x%Ey
z9A)hE9(Ro!>yE?A7_Ga*pNg>8lg#X^vb)5)|0YlK+{SmRi>TzoEIs{4j$rV01L>Ah
z4X~>p4t~3wtBG}qQ&a>E$QB8Ai5#;P<)(WLE46YPh9@6>NtI<sdwsi1cKL5Uus-*?
zHfcx1kHPA$9J}|?eAoiGtNJdwWX8e|+_4T(eZ3>l%+D2Zw2u~GhPnp#=psbgTeWpk
zDq}qC@Vxb3+6RJ&)6VpvMaEqlQD(1O+SRA${FAt40wJyTVKvEH?ju~W)hr1=bH5L3
zZ+!7FL26DbMD)=SKwM6K-6T<DH}p3Akk+o+#4)?^Woq4Fsi!+fj>=nL*m&9kazQgC
z10^=lP#~58*~tFahsf~69^J4P!%wQSIFPuv1n#dLt<2}TyPY9Ye}iWo?B|;%>Pfaq
za<)^^_p3m>i{JMF=%@W@eoia8R11ET(D#9(m&MC4;|+Wqv?WW$Fvij|oEHINlef%j
ztxH!)d{a41lp7L!uQaxWGOg7=&VWfO@40TcK9?O4v|x|i{vI&eTU07^qoxyvf`s|9
z0>o=#NRW>N`*eo6C(d{1dJH{dbzwT{Xobx%Hw%}!%{Sm2>c>#w!N&Dd{$4m7FsL7r
z)z>PQVQt@gE0j%x^15p`|H)*^=Yojv^}&y{VYFL+8FcOZbc|U&yW%Abv@o@s=W>K3
z=`McQU9`Y+6C2LdYJzC)ytr98bX)gIYKsvN<&zb&Pw$uxHBUoyUqedV(=$7vq|<v&
zsW%|41v9Ps@qvJ9<LOM=LAuD_CHkjGZ#t~nsA+_Y5H0uCb(2X++Weobzqa449VK<A
zwxVbib`id2mK`C_c;do%BEMDbkIA9yB;*9E#ec`2eM^(BL=deOvksCb+d2i*T9H23
zd+~+3VUVZri?DRMSqSwJg2sFr<#6C%*TFV$QCZ3^F%sQoAlb$D1^BX2{fiG~P%ICv
z!@)-r8rJb<#DjT@<b)|g%Wskxkt9{x+mVjvztu8zH=;Q&y%R{yTE+{NVx4%^4XuBf
zT8?e`Mn4D%mnEa9<h@K5Yos_T38iat(MvUw3-?FQac?2sn6h9deflt+Ibbv+8hQzP
zEKOwgRps=?akTPrbsA^s`5a1ADB}nA@BPDYvPE6ZOqm%F*}#eR0XRpDENsw1G|g9q
zvkv3g{q2B+!EU7iq6KT+f_;5`)#%3Ro8dew_Nm@9lVkGN*CM!GBsf_LLYPr(6bwqB
zM0X59|5b{deH+81HMe^73NNe^Vbn=33&!gEYhPxb*X7t%en~isG|P@lD<(7ZY|hzF
zr>)!(aHAl&OO`At?_$A_%0nMYnx3$JGs}H-VhH;&c!Ad_`+xh#dba6nsSZ$~!HJNr
zvo$jt7?#`W9>!f&>oWer{A+hg5GTHK)(H&Q__PZ@`eDo<!_iG=<BL&{OX!-&NH%`z
z!cfPlqyftXoL?tPmQdmUbL{4qCMo13bZG?r-gJq{FqJgP4GGvQO=gi5s-pkBzPhQH
zhBsOid6X((c+)dp|G!@rRi@_Ya9Dg;IIi86cA|iVh|od<gMsMxZzWrKcK8kr$MYJT
z$%$}h;7CZQ_!XB(j*_7=e`=Q5+mfQIwF2~4k_fOQQ~A~}I<64pCaOx>7Yf8nE5!b-
z$Nd$wBMV^_JN%)W=W%{45>FC}L+MzJ7?9IwWtz@_m^G>;OI`Jr+x7RbO-_Uf@w3&;
z?l!?7%oy~JC74zFU_>j%3^P1>k~WL?T>_}P94!hNm!Re{xAvvJ9zsO>6=A-<+pI%|
z7$o+X;6Q35NEF42ygg;8p3T{Ru>7`4TjR&{<~q=D)=$Pn(78OGXi49^7LbVl`g=8I
zPWf_e1yepz-($fjaJ_o*>qlK3g#lp`x|buUlwpse8rRbM<rn?G0kwF$m)p{7KV~7;
zykw8MOL9Tevt~>P`Vrj^QMi^9D5znfZm^}ygwJ1rS4it<v@mcFmk3xB6{>86c#LR8
zLy>+&le?qPuCA$3!`-RL(L<3z$e0P=xX+u1wJf!Pj&j=hnFcq23Q#Zu_QWP)spS$v
z)aPadqPF<C(<17nB-)iU&}@-}6Uf<B{|2Ytv0*1sLgzhTN{~<oz6czf)qZymxIwLn
zamgv%n1+%K!@I&?l-H0Cr_mC1!5tCL$^R1hi#&pWWmSnl88Nagsc!bI-{0p}j-;=Z
zw#W;Bdc?rkTyQnuO!rXL%?3|cQPj>ViV_5~E$=Ucp;A+4NQ_#{n$Npe7ohok9}5>F
zPJ#q`Vub&|hPvTL5ZI}=+Xpcql@o-<p=ar@EB3#MbKc+90_1?X{?u47YU?IJa^XQF
z7N0^~#7f&J)ZJ0s+)c0|9x%QMVZ_r`9;%iIhPWMD)P%xZ)8Og8HwI?v3uz8)IxLxM
zxpB+}yfuvn1G9f5UIiyb_svDS6LBH1ToR^UUVUG)(7NvbJ@C5I2Uw_8P$HLP3KG@9
zFVPMNc-?a}&+6C{t`v+GJ!Nvm14;kgfggBBUHSO*1yMGBogC1gIJ%c}y7hTV>@lPx
zw$&bD^LEfsew}GgFGrbr?n^SQWvG`UUlVWz*Ir)Ud6{Im%mM_f``)<Z6}n77$^C?-
zOsLt(&#rGOLW2{JgbAo<EJ5JcxQDrY@s#^vPo#^scW5eMo`{=oUnjo3s5`LwJ+URy
zx$JFVWJzL!)4C~vXVtY-m`vWpNA7PX{-I7~lZ7WyJ9`2E>0aRMLUr)6J1Yy$ONks4
zGS5y8KQ_I?hBEZD#M6mh^&bXTPLQyNjzjCxZCma<KDfsn%*7cY6!pn_mEnh!wgyQg
z0=(L3rx~G~H)7tnmM{#TR|C5>;VFD<B+2lw{jk)LV7L#D{EN1Ec~e{wBW#Z0N}8DD
zADsu@7HMBv*P{L><+G}_v??dtd@1J0x<+j@0k=-?8UIg&j*GXy>Sw%uFJ{V_KjEBy
z4UXj86R^n=kV1pYik`2<{xhnTNx;5HkGyT~r((<#r%IMH=*|%#)W_#s;)cXn&5qQd
zhdu;{CfTp^3-^VtlE0Klh)jW7vy0nbZ_^?L4$w*yoHU=$!>b3+n0)6e8qM}>tWm8?
z%dqQM#!JBL?a7i7tiP>Gs({3}(Q3~!i+R8Nk((%5=JJz-v@t%1KS0{pz7_>@i3IA*
zfmboEDgRVbVf~U9%v)+|K=<54oEgoZtiD<47UQGFOn*a1?`(jD1QlRm_SNHTOo-DA
zrnF2(UQ2Wk=*SV<CQfh6Z>GBohps_yKQ-R(D%KeO_qK?BjeR$RNiUPp=YdL+t8Saj
zJlF4$)#sgm?<VRaY6F_D%oHmyG)=`lGT^IPP^K88I;BgTHk2b#2sBa_Ylfr1{xWoo
zjTvt21G!ls9-Q^e)zp2Cl?6$Ma=`uN?q~^up0rmXGSpp6xm0YIC$3X9Ixa<0jzfRU
zw~G$Dj$Wu~nD!~wX@fI6+zN~R%lo%iFvx-}mP7@83A?AYJ$q|br`y7}c85xUm3PJF
z#hQNT(klZ%`J%z9K@AC$Z9!3*(P-3&IvOCJ5;>!#9>PG5`z2Y9ak$8SSfn@cB@H3>
zhKIva818MTB~e-|%!v8vCL7TJJlPHHq`J?T(G+H`R5D6>U1+e>wx9=JG+Ru+`oj;4
z>ep+?YvxInF-B%QcQ+6_L1Ume^;o?<f7om@2zCmHEya^o!fxV)+(NdS@>{mEU5m&B
z)!?ik(G!^xSjZ=6DaT<K(EWiy1VIPNh!bk_i}%7S_I3$5b0UwbOvpi5OII@vp69bV
zbCR9uM*nLZa_B9X^tOQxRaA+rJgLaL$o|q$<g(flfQUo25@Ud*eAO>`c5g)qKy6=V
zOJyKOjD0~L400DQ`iO(BoiZVqjb3iJ0H7_C1KN)!p(VB1sO`?7@xhF=|4P`n0@WB^
z^oPK*H%<p{L7qLpj4)iN)&0xk2pi@Q{6T1O&7lmxP*$q|$#C$l?ind+mPM~inU2rc
z^DiXE*d8QYChaKXYcFh*Nb1iIt><>{Rs?6$@pGEu7?z3}a|^(oh)^9~k6w4!Cvj}%
z?5yd=t|*4YiFY?E64FcEni)-qyVNh6J!cq<v<;roO8P;l$Y8E&Lc}yfLJRn!yW%jT
ziQ6ES0q74-juSjzdVwOR3V3cVLAorFW34r@{Vl{{X?>}k%74%4`B*5r?c#h%h|JYT
zmH`X~!y@g3!vaoI^TdOYAKC`i*dfkD9Qtw-7!kGx__=Ty-ePul+6$e8s;DfLLQlJA
z*;_qigT-e02I038vx2u(FHTpET@|BdM~THZ-99p$m&b_GB%Ia+a~&K<Xkf~O$W2Qz
z;eS{3ZUdr%GxMqF`ALrUxR-t4y~zHOP)5!l=@soi&Z>VR6Y8ijCyw{BbgU+;@t`eb
zP}l;FgqHfaZ$9ysCCuTq27WJEN@Iq6K;68LmEH?gqMDs(n<pfxM3&};G)nTe<o4N1
z4mk;3T3c-!AKn&F{_CbWQB0}rB?{h#lJ-D*Z%+#I#!hXemeu1#?dXj3or*yxc2gWh
zQl8m?OiM>HE?<0)zeRSWHi7qChdx$25Bk<1Gi`WMFqy@=BCgZ=Rp8){icrccY(04E
zSX_T=B8Bkiw)99&x87tZ-wR<574ImjQ>Ij6z>rh*FI&0dhE@_p9b}e=jP-NXK-6ne
z4~UA1eE6Uh6lMfH6cXA0EfjFPbg5hRJ-Yv1&B^AqZ6+Qynz%2R@P0@!{%;q66-lK0
ztsJ8hUvw2=m=*a{zs_+DN{Z!X><-d~ze}W~_}Lt4_Mz9qtrQe=2Oc-%z>JQl9Xmxs
z==1vuJ}&mdB$Ky9wTtumve7h12l>p@(c9CdoL42d{dX+}6v2HBs>&#gw06UNROg&1
zouX(L!da-~74~NQE!uZ+2ZqP^!Lfm=c3goq(P7Ao@GS=6@VP6eMu%jfa1vuZ+!vpS
zT>6{3HuQ3u=TgXHC2wa4E>U~pQqV8%3Ck_NBABmf<%aD(Iu^R{Iho*u*0{N6m>bZ+
z=tPhN*!H@w6}X69`UEF|9a0jB{pcLN79g)xueTC-%RY5f9>cfbOUU5`Hw4PT&OW1m
z<-meh07gB{Jv_iC5g({x9ihT3-q8Q42(dm|o5q)5(5a534M<X@dSK`RUR4OlaIjSg
zXaeh&&<%;*6VEoAWY}nCtwW5oC1JvS5O1f>a>t_La1JFy><i4R&DZ){tzCJ0Hf@Ds
z`@ao{q*#!Ge*BerejwnkZZu8@T?jl7X352HaUgHqY`NL%tZVHFkk-PE{2rZ4<lKH=
z#atzlRHX<@o<iLRi$Jga02BLwlVZ01<a{NKxB!5WLj>R)CiYzRX@u<Veoks|()Sdc
z;JdJAK`@TfV5?$8s!_lf53LC47sHnRYcSEjaq^Sq@zEQaBeAPlc0RO!;4Fz9V<Hw~
z+OWv-&}o)~{4JnlIRn*GV}rVsf!A{dEGeB8?RjJ}<1*RZ)Kx(--`LB;<e=4WxN<>q
z+Pu`uJ&kuu<7#3r(PT$hQzNcF;ak1Xphy!C)aU-`;<+7e0DdTxu{)@WUYI)6>`Fp*
zz2qVLP5Tc|A3_~$eYak%!gsyd-gHnqiWiGxL8tRbZH*gv#mc!`a;;+s{^J_vayU(u
z_kVsdNBXGUR$vWtLo8p>VZ3-+yt#|6yox=^bVFAG>8sQnGG(xH8HOc!eHt9w3H^q&
zxnyH|m`_0N2M#n-f(PBGK#(~W^3GiwvnmcsFGm$2d>Z|;G+TCVfyX>PMO3M7nY@SA
zW9r`uet94HZF7nVehX%brmIztd+#BYYo=QbJ96Cp%#2^LkHI!lREN>y#ru5Wl9-J~
zq+I>I7VKE{S#~Su^4mF(go3xerQAE1xrVds2W+9;VOtJKB+Aa)K-;0}A!Mc@Gnh1K
zvVx62cR`UQ!18Y$ZATd#0dB^56bJA5tfiA09l0w0T~)UD>6c$N9BiiF5PnyOS-X11
zA6?$DfE|oz_y|M_;=}ZgOnA<jXyddM?yMKBcjw(XR36ijaCvs-f0yjFA7Xx$I(TZI
z$!7!LJOm0kdELc?$h$s}yu_544KhX634BJ>EeN1-<V5i;+v^S%(`yWrm3&yE{!Y*U
zJ14VOoPIjrVyiOMDt#c6ygX;(grHa8i~yhI90^zPq%k~8JP==RE~jJcAjVH3lk-qw
zj<f~Snqg`(ZE8sBN4?g~-4Xq^!Yf8e+hR^ecSQlI7^%0nLu!U31oVfY>FzFF3mszn
z47gRSu<nUiTW4I|l&r);N2nZZ>x;Af*aqq_OKm;(s{6Vue^sR;FlmUiS|o`>3AdBo
zJPN_rZ&xcwr4-E&X+#$Kq+nMX?R)h6;%^Q#*v?-Tikp|%2Eopce;lFANb<&eAEcdc
z9uv6&M9DFWh(ZT-FmQ(-@A-4i{j|Tfz4Ml`Vw;`(W}b=5LAjBJkP;E=(FJe(0%S95
zL`B^)o&Tw{;8^BDn@fnmfk86z$z!7I-{q{y>+|SZ@i5>*zUI_muTV$Zya7^#l5!QZ
z10eglJ|=bvi5%ylrn_N<?K{bv%f4255@llzyGx6x*=o`4&w9_aW{^(H+m>w-CK_;J
zAbzhk1wt#ZrZ~^kzPjT)*H%|ZLYGu~ix(`S*TjpS2N2ZENcO4Kt!@mA!%=72cqfNE
zvFh&oS!<OoTUe(36I9mY3SlTTECS1vzgdxA0~&0B_2Xd$Pm2TL3~HXkN_9@J3kzIU
z(D+j`8}<NvO^LWRsh6a0Fd@|s94H6|L>5`3+oq?{iVVcN<5pkWN(`FgnUa{yVJD=Z
zlVK_}K}2ZS$zT4+q)v%3d9YJHc^&Hu#!2CXbZ#>iPN`<UIkY;zR>6dHHY<eZKEqEc
z^eZV_kh^c46{5KR^C3Hit-Ge7d!!P~;R#dOJsT6#dUmsK2)-sXK~lJsw9ooha;Pxi
zhBNTW$MJeSZ5&7wVX2$*M^t5GoIWrh_h-irO>n*QZcC?KYbSgAd`p>(BX+dVB#4_s
zk$-S7pNvl9KUiNyVhWq0Zf?K}(YRnuK+o`d53sEETf0ai^u!@0oaVHSNzLqkHs#0W
zsZ>2`gEchcC|wjB`wlPy$p`iAloE2f1reT`X3o;yv$n|Oxo!z|+0q}CKCRarf01v1
z--izztmTB*w356#Db+*Z73xcth1tD=111~Iq=H+-ba~no{?}NE+c38;SVL-9k-6H!
zWGm(!W>7hY6c_fvS(n4o15A{X{!Y+rG-+6-h9%j}sxL|m@p-sHF_^wjPj8iWf~yqs
zIvZJWKfAB3k_>yyB%EYJ#K^7JOFUoT&k;1!fl`D$hQwItEv|@PCSgL#(3{B!%A8%(
z<w(lPYA9ok7^9^PO6AS!f@(jfk!i-U5Ue?Ei9sIAeRT!9TB5_U(7niC^w^sLK@np)
zitA=36s1H^2p_7$c0vLrR|d?rf_v;Nsz1m(PMp^lF^Zg`a7XnzSX2)P5WM><j}nuC
z>y=6flr#j1Sni1*$F~R}Zl<6%jn`qj)eE`3I73PPXKzJu21$}8k4_Twmd`%RZYOxK
zrvQ`B?%vTp##@koEw{cRG{Ay9Dl$NkG#pl@jje;g5i6uPs>sZ1Xqr63K!gF?MdQjz
zj`gX3aeuHbS|VJS7}OUexSneO1Jr~V7*l_(5^U{!Kd{NWM*UxU>I^C|)BWK_p3Q|~
z1WCA?AuprS)jt<kv8K9MZaAZtK>$hG>HL$H=<NfzNKfY<XOu~DwajwN-h^o~Co_R4
z-=zZSmqMKrA;IJWYHqO8kxQWDj9A@6HXH^-Zr2AKFd1oUzEQCf<4LjJ5piJM^9}@n
zfR4sKP_l9nxgQ1(5j=lo;putBgbdnBW6t?bp`NNMsIrNDRlOba^*!OZBTDgfwM;9#
z4TYYPdO1ZSq(`k>p=v*$S<^bjiHG{MLaoje|DzRf+}?s5{<hWT8v-N&*uSCgk@KpZ
zc`|r5LKj!~UVw(LCSfR@<;%;eflL*@OL28fZd~EZ6zY2N78hYt3^}FRPo(G14@b)C
z;bhf`ehb<Ffd&M=0~P&3o|_OH2_bNwIi5MUsoDC&Qd!kl1kuMU`(>3}Q0$!NQtt!@
z#uAqkUx%S1BtBw3;20L^mbp)TRP8=+$%kvu3vny?7soD7CFLT<(n%iLLRSb<!eBd9
zK;JgE5?5o)gemnF)~5t~;^!x?eYUk=-A&hIbp|@*ndb{4Fx_{D=YJ$Y&?km=&swQ^
z2&pLvk~ME(FS1d4&eCvI*-X<B2;##g{26h2fZA`w7tR2(2FQ%nf=-D|4FR6pl+6>a
zIsdgU2G0&ee<Ssiy9YXg`Uk_@H#V1D+(WI2$_2MBkdl<|=C_S#=In=lHOI~W=DCrE
zrQC5c$s5k=5MTg6K7jE<fV>tBHgT|@yQL$JRP|KeSnUWUFrjEI)8cDM@E!i9>boAz
zKCN;o0x`FUC<!-*hegW`bX*3T$hHC%L$U_z8;sb&Ml(O^sT(VaW-&>Aq5_o0*6am7
zO<33=;q^s27L5q_!V{FzR=!_+Q+m#>rLM}!ThY!7FC+bPWsLTZvw+-ic(C?qkcHl-
z-}N2Ap-wZRl7tEp+2Q&r)>IeCf;1PI<V0Vkzjo!&$PHTrw9E`_N1I3k;U^PJ)8~qa
zue~ABKI<;La?kI;!#L%nl^|v7jLDrehXewNo)0U)2q6}5w=}qA)o2nKBP$Os3{?uB
zjYc~Rr!@mAjxdDm6_XyMo4dB;S!QW2ocNGm+_3+O^`Bc+J~VP2MxvqkV6s<%?z|<t
zg`a&$y$v?pT;IDFAu70Wky}Fq!1#%fWiq}r6L<5wD2+9B`H^eN%CY+wMa!2#TE~lu
z`-YTd^VH<M0`k$~AS`rOBkMBl>UZ3%4307v{AAOwC8j<&Xz8Pn9H)Ur!c?LRM~Vyb
z@F+|9pF*SK>RP!Gk3qv_MO$u~)StO|P^lZ9=6bMh1UUuRD_614n18h-N^96TnQH-L
z0n!Ci0<5<!xVn&qf=AVA*khh(;&)AP)_mtfoC73_=>}S1+?KdFQ4As3PK(-yMpN8r
zHIi)Q5>~+@!Us@&+U35cT!wE?9gnp0F|7rgE~}5q4LIv$*6AYVdRxg#_oSGw*?$#<
z%$+ILbBBvKGPla!wYNq-$Gb64V7L^#wEDty5}!wrOSPm-N>yP`d6BtFd6AbJbr^c>
zx0}hZyFf4yALiuo&=HrQYF9(#`J<vx7_2T#snbXGnLElNQyYkP;Kh1nx2)7t+A#-#
zP&1Q2)r!r+0g(^qmggEts6r?2@@b*Jcetl)4a0@Cm@yHQnjQPXL-O{QXn3TZDl}M-
zQ@FLW9%AI*6a18HufJiY0|j+rHSt}SLCi?d*YF2}Ey|k98JLTonZ-5sp>9ZZ`WGm-
zhHd{fr;CznK)w$WMzh`J=J(Qs&)!1*&N(e(+d88?%tPmCGZczNiNVnQJBo5;wM2|&
z{%|q@K|62G;Zy-A4+_W(h77V`Dl+XVj5=ISesO)~QkQK#-M-cS#LT}4@X^<Z5MYy*
zN8_&vQW;kB--`q$lojX}*6Zh=m={;zF+!-pibt_-Nz;6YM`N-MUj(E4%*>#Gh^?6_
zr8JKMZK+L0Jf{Em<-9DHqvH+<1ax=ctY_+S(K%3r6{&9v)CAOF^vb^o3+Tix$k;?n
zoR*CJ{Ii?FfF!BSGibZm3g2>ZG4GD`P<hJB-<dsBuEZd#^tI*F-4q5!(bH#p+zN~C
zdRC98z^BUn4|i&glwNB2W(pMhC;NQn-2&o$wdGq6#|((S3<}Ihq*rd{u)bWp;re1F
zxBb%e{4KX&9suY0Bf~ZnTB;*RetSiT3ZxpNw1hiJ9&3R))z_*2NSU;Cu6jfD4yUOp
z9S%UwOsko4bD$dF{zNggXCC&`8Z&I>#!-<is(%px7i-UwVr9_O$xVRT#a3D^kc6e)
z<D%K8y|<5t{1>MdIoQsuGjocFJSw6whvBl`9(|*$B=Xj`S~oQ1MR633M$E)a4&Jmd
z5EF^;dE|{nH2P$`Ng!{~Eu|3AY8~8v*JkR>fb^_i3SL&R7y)<B!DD?F#%3b6L(w`R
z01}+wkgt9<Z!{LlfhpiG(}4SEL4*?MbGV0Oh&t?%mI&uTPzq0RZa?x#^`Q745FbzV
z3m-=!s4Fxzg!B(~4)LgBMQZ8ahAeH3_diCiVy)wc#Fh<oXlisTw~l{4?yH82(?W0H
z7hmZ>%qbnMWYhD%U%b&8(TYweI&N)PyfsMuHkZ^G53I{pz%(S@8uv+txyGQRz4%5|
z$`E<q1Z8JHm+<+V@50w16)~q|uf+k#G&HXIEDdh5HTXL->vo@kX%hi=2&=;+F^lJ$
zkt9W|I$hR};!SaHEYJzbCdauqHWHpw|2QybvWW~-owm2;{~n{K0OjfzE*Oj&QD^7K
zAh(8UsfR$96DEJOqUmaReD0}(72d#ZL-delv~UbpwATTajELmGXC^f!vw$brDs1tM
zn|F5<MQ8sa+OfCMB+sIa4yDs?&iOhvm<NFESCk}tgr;6$g<W1B>#_Z3cSx5v$)*Di
zMn?rO5}R(7-JAxNx{}vAB+MS8m*Z?nXn^KsOyqY$2c}rRbNLM|OK;c14oCO4la8sI
zYV03JzJo2f=s=D)zF_0A;6A3(c<cg{F<8Lm-DAjRPOk25el}I}yU>0O9z)Yi?Cs-A
z+JI>3qh2zPKwVxY?a~7KB&l`N8x*~X|2kAeLgC0cHy0QZZ2wi4MnncSl)XcGful?X
zWh$|&n+kb7>kZ5wGCk?)(F2i#y+xeQ>xVty$Duh45-;V3*SRWMQAm~N(Hc!c1Zsq&
zd=)d1Y5{?p#o7ROOLWyFWpH1PjUxlmwB{3={gkFKR3)KPe~6SZpTZRdSOjy9H~y|f
z?rD}3j(wrA#H@V1TUFTQb6V&Gd+x)i+SQ#FRoe4UB*qC<e8JhOL<TM<f2)LK`>*tY
z;pl5>qw$Sb2HO%1?R;Y-Y7jOnr)F|A@iF_R8Y7uQ1<SAVfc1s9fX}rF8r*YbuN{Pn
zJjKBgAv}WnVl$_s&7(`ogjI6SV-*qWiDT&f^o{}C+aadLY-agycF>Zii76XVr(UgF
z+Xueru@{c**EhztbZcS#Z<f#@GHd<X1*u|45uJ_v7@p`$yyw179cXP^lY`8ZG|!9g
zA@OFe;cUYJ&aaC{31A}q23&MZ%kNG`5zNG<@(yMU5`CWTj_T9naI&=zI4kToM90W1
z9>*k^z#T!-o89-L0N(`;p$`WV^StORi0?T?Pxm2AJp4Y5InNHL?RiMU>2JMlejkY3
zUZxF$wu4iEJR$)|)X6xT`uC8r6^Aq5Xt|w%3W@!mn-<O?hdBi#rF9Yu148|;U%{ka
zHET}cZqJY=Z@gdVrV>Ykh_33VZ9X4?2qYN+6z)tVdi<T+M=F-rFnVG*btGU4prc>`
zQ^YEUI_SL}ALF!29#=Tfq_U!&wkdBibRw({q+;vx8IX@t^Mt_?o2_y%yIO+M9sSnw
zZZlQvR4GDB66=d+Ms6=}Z`52!)pG$-%Ab-h>0h!ZA`Lnq?R%`fT(hQVxKNE-xKC;Y
zg$3kI5R0I!TpXrOj;msqBad}=4O#w8h*Sq&$S_Tx`QAo44-y)Y?bb4n4UY8EC1)Bx
z5p=>cCGY~UA6RJxh4~;4!PyOWtpNM(dKgNlbXg#%D~gPmS}J0djVna9sLKK#Xtnlm
zN}9=uo;R21s%BYMl88c3OttxYezlMgTBub37c$uU>2gDQH&w<sK6GO&(fOM4$4=KJ
zLkZF)^tl%L*4-tgw9=c+uKuu{y`#gtsIAUe#)DAG8zb+ghYQYum!<85D&^_3_`5aj
zPY|f4?QZx;0UcZs@&G*r3Pvug(eKxIqY#yb!7{AK9O)+B)dYzEx>95^R`+tsx3{W1
z^LXe@s<GLPv3}IM_y5|~SnhQg0p_~UD~s%9Cw2Zv_z87tCRb-~L6@#u%OPy{T(6SS
zyQu+3Bw<}(LsE$j_Xq`sjdtX-xC4RFoXeydR;ZCN^`{V8Fc+siwL1G(m}jEQB@2_d
zXJL1H)UDa$bE0-435ECg(%L)>;Y2sknswSof^smoA3z0?ly&$*M4^#Y9anFlSf<3*
z7ggXeg$b|5q>&cfn>Eo7L*jS$!C6xgrZ?%>-3)-irOt8<@rim?nt=PIFG>KdUf>OU
zcTPLPaf`%jU}Yb05hz@tD<7{SMxj(UPcJ=orremPI~ho2KX}Jj{nN${f(hoWyeEaJ
z_?7NU`i1!UNk~h&W$#2>4CRDQhUwL`QwPkEDXW#4Az>HCrW1m>-vCuWs=tf1|H&Jk
zI!x(Pwd7W#Czl6@xI#pjQGmUEca37335^f;H2;lfbSED_&7w&3#2;rj#(*%RimWm2
z^9_eINm_`x8va<9Fz3W@;)@<N-c1SK9BYVup91H>_s~*gfyB5|q4{SNM(k*@iP%Tf
zInp@*9QFO9rs52XD<^1F#W1Udi{xE$Ddx}L1nTBGyz}@r=Ho7kEEeQzpp*N}bLk+X
zVzSdkI)ZAxrjJJdy$0@1E13}@(Am?2e{hl~p+cB3tOS~79YXr@{%4VwK?xjXwUE1g
z*1`z;giM|nKwrKV=p0~Fk!zxP-V`9eZT2N-Pn9uQwSE}cX7)Nvmr46~D5s8FZ<W{Y
zn{Xe*#6jsRl%0l}<10C4NUC`<ui4clglCfpK;1=*Bx_$6XBY~-=9KV{6h{#z&atJw
zI!bS`<L;!(G|0!5Itb12rHdpCJ(r?EHGI&5>&szq*J9?*y4nM#M5wJ(A)Bb6?Hf|I
zww+`KRM?vnJrJ%jnCnUGxL2wK$2skpiL{(}1))YL>6@j`*?0cl>46_NemNa}_WFp^
ztQ*6QOTvJA*Tx>FgC508V9SZYhV#CZcc`R8oJG4ANOntGQ{ol9+Fz;m@5y0OH752D
zkH-wj2k{ipYhHQ}u1FH3LNSEgYf#5he$rjruj*l&`IHFEVeB60Ij1O8Z*N64oXD=)
zb2EN2SD!kOB#&kM*YP2HXoTQH+knX-8q}-#a{p-nPNja=U^|POWnc`mh62rlx1*-0
z=+R2c5b$wgEH~M1url?y<J8R!xaU*Q^ECmz!_Yei{s+{0yF4`t$-n!vq9N){>Y?7V
zn0w8ZF#IVbX&u3H_P@prD>2i}baggd%I*&NCUH#gY_!zl?7H&)(~4tR&C-BXd&=1a
zM}WQY*0{r51KJ1``BuQm@@aQS<isLAn6RA2kpuJu8v4{38duWgVL~#zK)TdNb7lPN
zSZx|FtVG<H6krPZ9~oRZQ8LKs*f=OvXVKu*o~R1@=auO_JTN5Yo^vEdVuMkUDQTs=
z*lF({3J2+*==}AU`4)euO~IiNawx$T<UFTa67spwJ}J1e#a9rAju)QmWu_4{VMv_r
zHcRDewo_U^G!Clt$EhO6Rr1uEXv9F&gmsX!hy8*hx>9h|T@Ffb!8DVsRmfojDMxYr
z+!2pWCI{5&<Z*tULxYCd3d3VrrHDK1<iGEKF;y9_gD!HapgOvtOLsy)@!ff<vU=FI
z41=~Q&Ynfv^_)XeO+)DD9af1{a`Oq|-$qe+pE?7%VoGR;V6!0f$+?lN5VL#P^#Vm2
z;??6%*PooZ_lQbq@W>7L2Dr~5e|+u0WIUhKcLM<%LPQZ<L2^)-OC;%aftEyfTMpi{
zW|OECq&}X_Nk}C4PS?T@9UtMNjTWwQ`;5FrxB{F5v~)f@Ky7t(d#}?dDe-Ibi_gf|
zwAbxrI0v{X$IaNpQ(f4xn16~x`tQvJELId*Ftj9eGw)tS_~(qx(2l^KdytntP96P|
zYsh}%B6z&ETJEuwE+IQLeNFk!gXnr^p6++`;z|9XKoYVYDs71?C@68fmz!+%i8naZ
z=?En^OERNLSmL%|XP=a3M{XFwdge+Z$TnS0zYrX&3zwpvYeyKVeFZd1YfyrXKV|6d
ztu<+9xu2CocBJeIhTA>Ja)S1C9t#1YkQGva0p?(IPR%!MmY?}>8)jD15$uNTJ|U0{
zKgzO2qA;rQ$*Sd3p*_+l|Kdi2D{o~uBY~^9?p;G<oQR~{jv(CBr<2JEbK35R<oFrV
zmqRiCn<*4qbxo<ZuXDkP;VBZUh7evSqLtRnV;S&teaUiOEyu=8ovI4rEUgR1!s)Qs
zT48Ac64+*H&*wAwGF=$8rH2BZPBdAx1AN4x80dekgjDN_(U)khOB9)n$>%?a|MlZu
zQ^WNs0ZBEUGZNy{)Sv6(u~R+H;D$3ZehCgo4hmKz2y<acnDZl7XGjH+H7YTCum10W
z00B+T)rUNo$$coU1CxzLq(XgL3wEvg9Q?F*<OyrJ`3@RRRXIXSo0__px`K%AEN-TV
zAq?4+tkiC|R?o<&SwO?m9yH(Yu@3L6OgQTq9V)L&#{m*jG<L*>6u+CYCLi)*TI8M^
z9U{-)K1U0JRE9RSeO@ul*uVvfns|d++EN<=04K$=VV5x#P{5~HXC8>d2&02cKG$cZ
zR*~`MVY8t}R*9dNo+^4*H?4nlW(ht?&?+4lA2B4+H<q|b9;$vkMd$Smo5tqFez-6H
z7_0f3pLi!1AS_Vb&7~9tgP5liwdmP_=_wtL8<|igk~PSI7F-cM*of^ZTB!L%i^M4Y
z6>0}23iNC>1kbQ#y4e;vfs9??<Z46WC$cK~Qsi^IcKtvLg^XM`icLAgDIr(fM?l$a
z5QYqZk?{5rd~*3J!yf9o89udYHymt{{t{l19O|S=|HOqZ80lnWr@bqNvP^F9I+}b>
z&sN@5o&0t?Im1kE#x$LDt9rUxt9jpn5{WcR+Cs^K{4ySMsqL|zL?Lj-82`soK|nvS
zi>8BxE7EC)jlV9imnU8gLRM|eYST;vwjvjt<VJ)bX$Y}>@nM<0^o{FsJ98-cuP$1S
zTz2lU>;VJLI2a<0MM(YN#DuH0-CmSot!=FUqk=CIA}qL4&wmc3DQTaLcY%03Bujl^
zJ05Yb6H6pYPV%s(>@0vj($4Fm0{RvqI*UamQm-F5rU^hy0Hx<_UdFIFCE{V*+fY+q
zql_!}sIVcTH9mHI1pXUb6+0wA!%%91!A8!{PW}QLD>~>6@X!E%i#NJ-&!Br@l%A?l
zWH}u%KvSCZiITI?fAz6Ns5B#{fIOx)p_%%bUk)m)rkk#`yUE|Wr02@o)zj?D8u4Vy
z+lm!gF;*)3i`jF^<ZzBpnT&H85t`_|bfs!_AeRmcv#jNUKE6suNDf;dX%q&vm!d8R
z>JtBOV?g?N*nuQWJT)kJWO8b0!;bR5T>xGFAIxt>la$zNTu&05idv+My*PE6g%~a(
z12b4yUI*DOSbuC5pUa!kX`qIHM08>dvQy8?9MAc&+jy`;KHIt<4l6j!+(sj3-OL(a
zj#=9b7f`5=`hMg()BxPmu+|?9QZ;c>tZyotaitB1)o*Vq_o+4{N>08u1pS`Qd`}3e
zAgQb;NdPD$X^=TmQeL&Lrwp3niX@5}An!=*bd%I#Hs9bBqF$ogZGB`xWU{I@Lpgy$
ziAbxThQRR-W<>V6zjDj7x_MW(DLokA#|Jr%U3+F=8bV6mFnm~<&Dl8ET(2oRRE`br
z(A_h7rUUNN7(K*Q`q@Z_fMm+|;sZHhJ2a0w8Gi?#o=Y5TXSZ~++Bi)yA-5p7Zq$mm
zb745K4>$-M^C8eev2D)hzWinM`DTz7DWFi=U6(UOC!7WzKX`P?aS)B)#wVkTl&d>3
zI`O@}Tg6@qY{U7Lzm=0C#I&XboHqhsAW3Q){U$lGiRb}?;QV&0peb%14=zkS(=`SL
zarkZQK3U@^@}z<=+xbl2?k&oK3VACl(v5wm?7F`0z$)mXVCtLsR7#xz9S6FwV(*gi
zd)vR;QJxCqN?KTQ5Ky+~p25cmDa+NhOs;7qLMVs_E#QOHqEPKz0*&PT8~EOHwp5I_
zE`6Ajo|IKLV)PbbH^($2zU*sl!E0mYUHi==2YA|CNb8^DH&HGo3N^|pX!?-^fq<>9
zewqu16AuRD-W(x<BG`j=qA;8ID;`9%rZ|RhCUth3MG*XlR!5Qt4D&V5w-xV^wZ6+S
zAetFIjU***{i%6TTd%s8etGV|hkA~XD;Ci2aBW567!_~!zYAq}Z$M|*iYvteOu>;c
zT)MXukXMF}4^-ubBztS3^0-0=QJaZ0)QCFGYR{GPac;CINU$9zCV}U~8-V}p8EsS%
z3avEN1-#&heJU07%!j*?j&{=za4Jr~9e^%~_dBm=+JY&S43QMqOmbUa_jT5L#5?2W
zI`~G0K}kCsmUl>XW3+6757II>nTGPGadZ-msMr(BxogvSq6jrJC15U$B+Hn71&#WA
z`0llI5<{dB8R(OOiFGr?0eF#eE<88bwR#9i1`3`n?ptrqaF{_u)g-J>-CL^ZrC#|!
zb=jDh*XsoS46_WR5n@jhIzlPKq-B}v3fn;%coE8<<V0VNg$Z7Ba-UAxqSOGiHCUUz
z@v>sSw|yPD7Fh#6?U;EN=sx|~Qk0Z7K*y(2Zk2{I-Cj!Tr0~1nW3cWDfkebKSu&Xb
zm&6E}e``1>i~&CKRX<}UG(q#dcaa}U0y)a=k6dB5#{0d+_!b%=NhW=69)Bo#G6HXl
z*|{qlmHb8?@RMhk2tG%*(9HymY(*{uOWoXrdwypK-wq0r3qG9NOCd8ZF?<dD?l9fq
z6%*M^6xNtI`@wKsl^2+#M82^#PcV=ZY3lQ9({TX4W_CvnXAu=K#*)egK6dco4;v;W
zEz(XABce6XW=Jfp%Vny`lE~4%)THQ^<hs_v;6CFIu_NUJQk62vzTw*>RPP@@+X1qM
z;6N*KKi|W|-Aszf2ydfUjPG#U%4mPovj2oSkwhYdC0wnLR#;qvzZ#&pNGKd#TBwAZ
z6@}dXVepu6Ty1P<|78P-O}V6mx-qa(h%9j4s1p1lrzlDGe7h_+)r2MlqCcdPFX)6x
z(03qlLv<Pta^YEUx=|29sU(J!1kcfdJ@ioWr3XWIn(8hawH87pBK@msU#bHEcV6kY
zhFegy(f0VweBh(nFtsLrImBCkV?RGvPr2)V+%LFQM41jq!~FHp2Yy*+tiTwU#+8HA
zGs6b4(B)U)<M$)?2JOruV}mCnf>vMgZcNh8+G$$0L;hH~o0AOi6fZ$_lWR14J`nv{
zHr!rew(lR~ht&LsMhxt_%9~I_EklXhWtiMd{j+01_nEZSKK*wV`ugY+;PkG%VpNH(
z^k1t@W4^pEnh>h7qGRXg2pP?{K9fngSEjr%sY%*^w2LQt|6@ENi$I;*vW~qQMslz(
zFWZfe?s1mg)pYyFypsl;Qg??@5vKUK@FKp|M5Lwy7WKoFhG6<7aq!nZ{*cx@!xdy`
zWR|XL$Ps5oLH>{)Q1v1MMP-R;K7s8uRv1)7`Ldc9VlG13a*++p2X5@1R8embl;?y>
z5SMsTNAd?+VghVK=W2B%MlFKnd{%_y;uM#zPyHM@2&JK8x6>nEKtrg~UFM^pS<zRR
z+YzBOkpZ+P9Y|WXs_?hfUaMc@agEWoonjK3qfQndl1ieS8akFb-F>e;k27YtPAv=z
ziXAEoh)GQ#tOWZ<0f%pho{NSD6`Qq#2d4Ene%2yYW(<bEeE!(APc?}Un!>ET4f%4H
zx~W#SZXlz_(8(a}yz#z-Y0k8$e<;3&7Ea~I*LiTAwc0hkM@-Z<pQw{(AM{#qN)>?(
z3OI@m2Dw22J91dg;kye)q0LI)T*7Z_t_OBVYT-`%o`9%wP=*_aQxnE<$whIH<e(Uw
zc~X78rN_KyhPPAqwQc?MYKM7%k2C*>*hYZX%L4BVgSCEjSC0vmyY?00Cx)}C#|p~0
zp09+&a9Rf~!36gc-842$l=H4!LX*1_bv2OivWSn`0`re<{Rlt;CV6>yXN4q6?)s<?
zQhmF(qR;Krey}eyPdyQO>#?i4hS;jC7i<{bry%DK{?nP5zH91?X%@g+UjMhl;&PF&
zHYq62!Tk!C+osPX?EMThB3_(8+x4ryv6(xPNE~(~tVl|u;qg($mXQ~_sV-e$nJEKK
zC!%7BxDksP0zMF1xlI;CU`J}}n56SJ^=kSixa?FhYBkFADJvU7w7m`V*=0_X+^vP2
zImQ|GKPDdh4`*cH;V-m?O`ET%t}7`81u?Zya3>pl{tFevdr(mkGjndb2q94ZeNzn;
z<Q)w!FO!K<J=noQ(Tb7Ppx40#OmWwf<HMMW28GsK<bDd&Tp&>X;pTdKiIE{1itKbi
zk2tc%bw=^#hYq{1tu{lUUym%ZA%(_ldq7TFSw<jQR8mGnI${=f>X#lXvl>R}6y<@d
zwOWVN6hiqK<E*6-668HuDX6^sw!Vg1m$vYl!@(|ZqzGk@*%NPs)Pw*QlV?)_%!Hz&
z1bFyqNw1Z2=O^R6JX0uR3l>osWsU!S8D-RGVGhX+Z2AbX9)nfA1;>xtAx)MEx;Pqd
z@icWW92Cg^9pF3{d|EaiB-oU2uNO@26&Ij$ziewuSpLMMBab;53FF129)FEcItjO|
zPO9Rl`pj^!y^Q_YC-(sqnielIT0ub0`t;e3URC|J<Db}}`<CyC<$6_jWdTs#HAi1f
zV;4X#?`0kNwS_|pWMF_#)`)NS0EdcW_%YYw{RSqeBOD&yq=1NGWb_MO>ytm~+4zBz
zL-mBzEBR!~(jQ|NJWdLuu_K$x7F6fjDcszQa8r=~08`<~DMv>`gK>tLGm#Vp67Nfy
zJpFCi!$83}J=OE)uQE#9B|fJ&e^oP|0;)q(^iHruh6Ia>T=oj~y;#4q`x;sp$1q${
zuTBj#MzH8O1;GH3WYLiTLqNR0@psE&UMEgCLeD2J9Fy;`t3817WH6kgclBWEI=d-N
z`GF~P(06yo{;$99%YXT<=3AmB4;`%C{Js?p;E;LU@TuwfAwv$#RMH(QeS3+{R!!bL
zgc_=a8-HL9dI@tl*79<>0&WUhsWEa~q>#*}`suwpe|%-l6Cxt)R>qCJ5w-MEzOiZx
zHT&I0o3n@ZLsl~}dY5Y2tKxL5Ezlf4emDEzRa6r_dU*a(+i#G_ywY^2-GmUg`8u*c
zThSnMW&L+6i67jUDeL?)#bttNR*@QpuBswY5=Sd)or^CV6JJ(E50e#sr0HO`m++V#
zf=kc)p&aY5c>PUd9=Z~_3bQ{#)xAv8tS$Yr8{JFXTz*ATf$K9`5*k#xD!2d`kR0YV
z2;z37zOu}4DX|qubDB}c3a<&vB3i<(T>!11v?ZMPp)CH!?uQ|uVb_r{FS1tqG}#Bd
zCVD^PI0Hw`_KhcwHja!oQ>xCY5}5jS$eCWoEuX~HeZnV4cJIN_-!m$mEh6zFjaw^w
zcosq!tnvqCdat~xhV_1DqAl@l>N7)ELTx@6Qa`68<ym#?lr`*)d_%UZ<D{-J?{CKO
z{>r(Nj);QIDom<k@bUz?6|CABJWC}k)<hQdmRJmHGavA8EGsWO8xo(Y@=tdnm)^qs
zKclXIV}>e|e$*MVG@p>6$ofAvO|lBD1#ohfDf|knu!go+v^f?}24TFeJ||>DZswM^
z=PZ>{K@*h2tij&fW;}WIX{5wVIuNQ%m47YyYA*SKdzD3W7fOAzubDzIW}GFWa6g`Q
zl732Dd2sWqG;qA<s}ur9npl$G;STqihjXm6vqs{ju!tA=ts@MTgwu%6PsP@@FE&4s
zRagtOSVbBtJnF6Ra>YVpLQH0QBc%672`deQ!Y}$9UEVSMDq^DHrywW8cuVQgShsX7
zJ0Q?q^QK5}NMH>f;_>Nj0~hA0bgx-?j;<)SQ4tuuVqaIHWMhxZ3<3q+>a3GfZd*jf
zF4@?v|6RM@W^BnXLEutc993}dYwD|Q#CPjL5#ki2zq{rC_sNVzJLFk(80+bDdyd2V
zTGU{o?Vr#4ygj5KyG{S&KF_UMy!`!K^Ub+spJuCX>?~kOIcK%;4P!sv>}&>e2IDLt
z(Qib$Lt%rG8uZ$yi7N+gHwy3l*627jKc;IE9Z<=JClIp#GDuAL48@Lq!)(Dy8qFNa
zN;=j{FBEVnP??g^kE%>j=^5#guB<eDWtD%{ZD&f5LpJB8XZ8I&W!C?9W+q4XJDt1#
zkR4FoWLu|DsZs<m6gtHt5-l_7(TVHeGjMb-892MPGYbFigrkI)V?zJ#NI~C%q$mOI
zeEf+KGYBl7#z0nWd7s{G8VhZ@RZ+lrz=;+6R07QQXh?JMJB{Ei`tmQmY@7t_TZO+I
zaY#i&kMn+?5dRr0UHU^9+XH9!QWA~SZw`mV`Fy{*6D|x+)@Za}8N;i2q=VV9a7b44
zYf)y)AR02jY!dSbB1!Gm&(B@7M8941B;<BSe<bQwxo|g|XQ7F#1ilQrTxEtmz2*Qh
z2}<KiB{rDkuq>sS1AWA${Fwd2u04J@IUk-<RUw|+Hbz%dI8*u6R)m{nX)jY#;Ylv_
z^L9}QyyQh)y&+U<8Hte*563rjXbo$peC!v*WX8~b-p_qAt>v%9e{7B!B7!X)x9qoX
z{HgiYT2P>4gO9ui3m-`}wyj#@8?X#1J>Htt7Zq*AXhYwPY>D7mH)!jfI&*=I$%RPG
z@REC}83VCd>*aH?L30UEu5_VzX6aZrjih8$wj>@`?z=!wj?Lbn;%=K0vpD3a^J8SX
zQ%$#l&WzClYdWTH@!>VB+`F)gDEOWGP~V3Cxe>V1q~-fc$U<3y><KkzCFhD0+}j>_
z_EQf>V81DqWvi<KGsB-B+s95*!I)%U&)!82;VLm=Xi&`Ngi*XIzSz_+`{*8D0*<sp
ze5@uwA^%Q6PJb*l&*+8Ro(p(NzZ7gE;&ugm-7k$KmyrASNX+ovW;rcL%pUg2(8D%~
z@PjTU!seVvKd*Oyv1zF%qlUujl*IUYB;s6AiiTXILnoot#QLru2I~cWx*Qvt=F+*<
z@wdaMGA%}(34^{}x60a-UN#1_;c^09ryrZ#tRNKSz4e@ga_<8)Cr;{{!licR2yK>W
zuL%?m$$=9J+t?^4kzroxDx07Bfo=%KP}47`lp1D3dV&^x3`}*}PC6353OD|uB<aS`
zEAhCQyw#ZK6U7ek8`n_=bh!iXC5#tdb~BfRiWvioEbBCm82~6`Ie6JB>4eK95FIPb
zVJ25V$Q=ds87ot|32c{~4v7kR?k!2qa%&KKF(aZF>-XQz_{s}6)9X%hKwRZHF3b_-
znVapN=pBvVV4Ex%C~DLH%>w9U|6UZS=`!_Hz};!&VDkO*jPs4rw+W6>QBE_Mv>Hj2
z#xGl)?=lh)W()d+)`ZKTW4#=%`0eS!J+z%~c>x$ymB^F<gFN)L<l6-@8pk`;93ebI
zvfYo8cb}jmD#s(0XxamvYK(wCU;a|xUvONdf4T2jjIRyHOaVyhC(~*0QT_Y;+Vs5w
zRijcHF6KwEE223^af&DD*aFivi<NqunE9KN!o1NOc1BM1vRg$M50`pOjiO)rcGs{b
zG{I(5LSp1iUdy2IRxoztFEEU+nofMbxl?{xQSTFU(<vQJ{0M>ao7?W&H$wX&(G9bo
zQ=Q&8`v3yDz~^lf^<!2&GP$uUxl;scXF;YF7$B1`XryKi_*Jd&g~fCcQw~Z<V|OV>
z^ILF)2a+%(@P|LR6nQZePItQkKYx)B{vt#>_y@VPiwPcU@LFdB6-DhAmR0R-lK(b9
zLt3JDA5o2|?}8($lss!9DWHXITfvl;fCBZgmj6RVICj+zQdUu3ca3aZyrw6ygSHXG
zbM+(j=0A7fA5k<5^ANblYENu-l8R1D?YJWFZeILiRnNP;YE{?52@o49ql{DEga@{W
ze)eP~8oV;|#+Xrc-11_p8o(Su7dJeorY%o;F)D<mm6=;pF!JUo^oJ8>@0*Jvl<t~j
zmDRf)ch^~qO_Ss;tMq|s$iI5>Z|oTItnvs}&nBrldaUcP#}Ua}h2((bB~Jyb#Pc-0
z8BAs-VOB!+T8i$Wc@``x<eM`kJ~+vPN^IRVmmF^<|E~C1n|1I4GSIC}|4#VKWHn5F
zj-Y44Z)dijLilkKg{I0134w>u$rt;$E@n&HA<z9?0a-c31Id3WI)=&Yj!GQf!%n-9
z0iJR-ZfhB3bOC`l(0NJz4znYgGUkV)7vA?-z#=|M*&H!ER^_s__U$nwTy-OH<EC7O
zuCso2r~Jx&Eq{B^IbmkpQMkF)7x){tm_K8bJtgUpz+S9Il~nL4P(~6#(s&m-<Yeb!
z{ZE)wd^;lWTXbe<yv2q7OkG=(S<s$FKa87qZ5lEz;h~1}{=J04G4V>tqi9%7*pIMV
z5Q1N8Qo+;Y3HM(+CDAf<jYXW!;F8(*fsIxNpGB}4&UQTMVN6UZn=^Ek<fGmj#EZO{
zNjG*x-DZ8w0dM~f$dZUT^CNhYUN7i8cw6>r;~+u&qBErkI{au7OUgg<ZnSI)?gH;E
z9WQK#!j9=}4EQPD;a?{@Fx<bhkW+tSn}Wf~<mWyd72(E;xW^ERKa83tye)#@%0Ywl
z8%!A&p&Z^-fVp`$G9YsJN??~{$W$8;0>@11hm0=5fk&euuh<B?64O$^s_KJmF)<wH
znI-eL3oR0(vk-mZF9ru`Wdm^q%oQF-;lBic%@o83fo2_y{Cs@$t3>Q0iLc-JXl#<x
z456tuM71`qTWFRy8A*E7omCPBylXu^agm8<#=9$G^O5QhDl2sccFJAtkiS}m$mh^X
zmxyd4Lzils$I;YOfV+OARDHc|a_F<urqQah;UZ3D+q<es^_|{6-{ZdeaKEn=;X6*r
zpzrL!Udo3IX`|Y$%J3Pl*OP1+;c+Wgf#1In#AzsSv<l{KQ)QNH*#nJ9b4Z1yZ_sny
zeb9#=IYew|bKM1L_+2+t8}WCD&fdcp4d>1`OCCH`p;MTCSWhbDjyrJk({Yav?Jz3b
z0ve^C+WfxWfI<g9jFHQ$57guQ+jsw0BQPgA`34cibMhgh^51@Xg{46EDHa!qK#=)V
zrq&{sM#fYb*_o^B@1+yyf)kvetuRmCiLowN-xM4plE{R_k}D@+IwokJkclZWh>DdO
z-5~%9K00sboFl9kDp&P=;27}|zI!Ojrizo77;Q)Rp>QF7nJJFUr32^@CF66N*({GW
zrogX9WjT7UWAdK2NlmLOaVfOzzZ!9<>9a0QDK8D{`_YRtXSNlx9U3l3g5X>#Lfxi0
z+#Tz++j~r*c>b1atyg&$$GYZKl*fz^Z%I&y*K&YHi?!Szhx{-3vfN32loEzi>DE$e
zR7+gq`5ILze4=BzY96hx=Bd??!U&54$1rIjJ9@?1ugdh$q)TGa9W`-pyppxy%6Vhi
zqdI4-cf53AX8XqUGZzyA;mUycfdQFEEFToV4N@!Y>4&XOTaGzRs}9*2Q3$W1H+Egg
zTjT}g+R-_3+{R%p-Cx8cDw2>9LNU0&eW3_sgfZ9{AW#vCZtI_o<>#m1b0-xm;J3K&
z8u2*<$+^6vmzjnd8!k6Mc+CLUfydmm$>DvEfk-(pPGhKy1R}d260h!(qB!WmvVFp^
z{cD{a#F*3|lhnfz9wSyJKN{K#F24FySWt<y)PEd&p$C(|fHZ#-@3$|{6xWwt@=ZoG
zb_v|>q-hl-Pp?y^_DDuBi4THcMs>g;DayNrm9$dz&0Vox)q_<4x@=Xh*+67v3pw31
zf_0urdNMgv>W=F+9<U36SQpFyDl$Pj7;GHtA8%~v6JkwFgG@&T4vyTF?TL}O;>KNd
zME^pP!=XUOr9Xp3fix6$Nu>Xn8%ohq`{5YMZYGd#cP>JVE)AZ`M#s>cy5s$uaHtCd
z+eBzD9#x`&aB--zH6{m^MA`8Ed4Rr&`^5(Xv*+6YKQZ84sf$JAYwf3$QcG)3$k33Q
zJs)3xfGa?Qf*L>7|C+!@U0M*T54kTpL;u_JzZ1%ELP~4RPTWv+bwEI|2w46&jqoxY
zVOmy%Lc_<p=!7V_bn&p=<XKZ-eO_wnp|oz|(WLz*PK?$RUd<1F-1=RJ4t}emczUQS
zMEquk7|O?XZocF!uH*~s;jrfdUAW1b2AUn*@?IGCTyDLM8|<L%dE4j3Vy%>_cD@*`
z{wAo_DX1bpqvC;oyZz_k5gKCPNf184GPAuZLPM+eJQbdNWCv=kG;YBgQgNSG=nx(m
z>z{w137!?(Le^koOW-HA+@sZj!TOK^9j8}*Vc76wroZ-9OjY?H7c0N#KW|P~z=--}
z?S;-6ZDx5q6&;7S(Z}256HOc#Y+1@w5neJ0%Y}?Qp0jcJz2nuc5zsWBKp1k#yor%U
z!Og})HMGPdA^AIXM;B*fywmduNmV{b3h>6WB{FM-dY<?!G(J1`rZ_adVoR^sytVek
zoxy=zc-M1<cIalL0&NAJA$jCjO%8>IgJQp<*S!r*_#6#%QujC|RG!0cCza`r?QQRx
zzFZTPlMj~tL06e8>nOl1?buYW^NbRKzJmmSbAH~ZKRyGYgd%ds0@}mV5JF~G<;R+*
zhg*krZ~ahj5mu(6P;XyC&9=M%p8&BDMAut03LuVTM6v%9r`Lsq0`Y=N&G?piq4~ji
z&fhmykB;I+kCV*S3h#rdM7t$7ek59afYv3wBa2_4c||qWTlF^GXw&B|3E%k*aFI@d
z<WJ`(Yh$}z6H=jXe|0e;&7sC~Sh%^d4~X@8cq>%(QC~A(MjiZ>D=W5cTfQgg5=Xlc
zd1c(h40Z6*qAc?tbX>>Um~j6^vm>$;OD6IAr1kOr!H<mi)xH%`j$u?jt4KQoH+#7$
zZf<pvhIpY@+~9;=h`U!<!O!T1ZZpuOomBVZfN2Bn4J*8=n1?jkPCKqYifJwpuz1LA
z{uGmD>0WGJuc)$3*ySZ2B7Wt$n|$CTUnBcczf)|g?FDSddVP0IX0NDR^<uE$m7~Q9
z6Cp#I#-906`bnVjyzcunm&$&Nz9(O@97ZI(jw(x-_O2cK?vJp+Y4JM(LaRmZC?cwS
zfI@FrukZ1WJ7Ko#V}ICSdMS#$5kadNcd$z^hC4^gKPO?)-)&0~H;E*WC+P5|#P+A%
z9e2_$pSM283NtNUoUqqQ_KvI<cDi(xcUe$;%uUwvI@b00NkWZnZZJVQPB`xBw~JPU
zU%~-vGxL=;zuRbgz;y^dX(KYq0xGGETi^KqEd!kSFE_K#OCV6Vk|b*5bd;F*BX#aN
ze!!DP{t(IH@V4h=mH}2IRenp~7)bM+y(2e<o*%x<bpa>k)XeFWcMgs|?;%8<3hYG-
zh}nFus@@L&bqgvvOWsYb@O`SanaAxkekd!eREnJAMB#JhT$NIBxRHbb<Q2HYR};QO
zl^j0&8w=lI1t)3)l&L$2l@~m=zm{88<ctQob09}2dhj?LwdKCu2ggNcUWMqhTE~h%
zEQ|5r<Vo)cRo8vD;+f}h8<(^$0+dVMdUn=I7Iyy}Weayxu%Sh8G@yG3yET+ZkhDqG
z&Uxr>R8~UTH;tc3OJQs{{%PgBuzF36ZT8i8kCu~{7fQ!j7MVoLn_*QkU&I_`_SB$!
z9gdCU@J59meJ5x7A~V<cV7H6QjXFHv0~dQ|b8*^@P}ub(BJ!<<pwev+Q5d^Z5sC9(
zvD!+eOhWmW2YR1|5!|l@S{;g|*3PstvaAT!Qba{bC8mWT<3qoZNc#V=NW(5?9%kQ-
z8Yl_@_AzY8c#1!%y_cS-Q&C`K)0pP{{GE&X;2uS*=%bAC32B-rB}R8zlJTx8chCf9
z@^-1r+bRAHOk8Bs`i6$S0cK70DIxn;kBFyEMmr|SL6}iP9a(?kbA<NNq~LZUFLvPl
z-h85Nl|*hK@581(oaD&9w5VVcP8sC)HY<<I(i9+ufM08CBw%EeZ($ii)Jka&un-R(
zEqnGOOg~#><&a;h+vc@am>}uvdkkP78+-Qg%sb6AZwl*1j5PcE!rg>zrZBdZ2arS0
z=(leQ9^R>-fC+)?l@&2STb(){B0z&|Yz_}WK1@v7<mn;P?HeNxEy%!<TX<I$+?Y-+
zOllvMqJbZDS%ETDaS!^Qi=qoLP+G4ay>3eX+}{Y@Wq_D4U%#{&=zf>VNQg#vVQK9y
zVA{l5;Np^`Uatf5UZ0tfka_BrPV)l3Ius;lfa6zi#_Vt<=gwD5rS|)uukgpp9n3DG
zny*-yPKSK9Wi<Fa)wp%v{95*`-j+ZdXX3i%Tn#;~jMe}#rC~a;y8_x`S3Q2<OAo+T
zS>6_5T=C8v=7kQ-K0*JT6H6%vsVS<3-5pIS7E7-Sf%F{jxE9Wspbac1Dt}v|m(SID
zB)k1qfb_L5YTpS1-#m1a^#?XtB2w{9&Lj(EoVkIU@sC6s6H#NI|Ay-LD?YJh%0gao
zNWwTAx&Bs*6TPBk^4)dAp3x!lts(S7hjI)_$CegJ3<&b##Fx<DAVYi+q7d|PHVs{8
zwDeKSfjrS8lDvV4BxHcxB#EIEoPfy~?5bHT;UPf1GBQ8I4afeT;tI4>8%A#x7C+O=
zEbY&z(#D5LD=7thr<_q?5~-7cO-0l=P0@AIQW0*JJR_Bvz-vY8#Rt&>uX2?E;|#me
z%aEtGMrprw9~AJ8qLHkq#&xtrPS@jmFXEwA^yq3xU{XONse}D3kY1C2H#r1y%n4Zk
zJ9BvEMEJ3|)!#0~fTDNgtd2C@jp_aeX!Y_D40eZg%E)Qu1AOz<cT?Ve72zJx%r5I(
z>Es_JGrx9y#HO3)xx^D`yw?1Blos-GP$q{c6RO<Ki$@JBh>}f6ai^5i5!_iZK>&v}
zO7JHWv3x`|d88NlkYFqQwN?~>{6rBkpcO2McT<qkE5v!;#15v3CJ`V#EfEhuQ<yln
zOD-&<w46qhjYOPx^j`gCIH<Y1q8IbvVi4E*O#zG1?zp(zjC5x3S{iX!$vEq+N0>lb
zko<wEuQ>mK;!xW=4PV;iUwUYfpxno~TPp2=#7Y-mBZx7&M148?ezvo#5e5Cy{by5n
zc3}bYuv;10Q3%m*439jMm&(4kQrEOKQkR?ytUoj6y98hA?@Mf2mFE3Us_7wnOZ~a&
zZR9V$0U_3WL_H<naoP1B`?|xZ-PM}gVHs$m6G&1|Ui42w`3J15K`W8*cOzo$ub>dB
z08TS4h~(yv+Y@FXeb3)SUZ@C1ZN2<Va=w{ghnas5JS1prkFgE$ahgyFJ+)B}2nRhp
z-tdTL>%wotb33KSzRt<>+v0{jq<p*Wr_{2_BHMHPbbN$8#CA5L3b0T#=50%m>dsQB
zmNiMFHme7$^kRjgRQ~&U2Jz-LFT!2EV}X^!z)w8(N^%+^Yiq%m<}~(xs5}ywF-<<Q
z&DI-}qTCxA-1fVTvi*EYK<*edCj58=w_a`X+vnOZy_b1jJb&fJ4;uqnwZeUVIF9CM
z*UE1Usp)Ww6k~Py2c5k5%Dsoq567xGEcy2M$1h>l-oCx=#VN})^^#zaFEON^@n`u$
zZ@yeH2r#Y1EqLHr4%iFl0@W$7MOg-iT71!qSzSjsAS*0K8+J0+4l##TEaP8iqYpYc
zf$CKhZ5ujv!g1Uzs3ez_ue&0!X!RG2Q;*S6eOCs3jXB89v(x8-Cm7<L&t5O&sg9y$
zx#B@um8p|^hnIVf@4m&3{n&#@w*(nI>-@Qu>kBG5BcDymX69^rzr>3Y7dhRCFR=J}
z>vB_q5WB$SFik4n?2F_Q?{XTVEabv&F3>D-V2gIX=XpBG`E^nPOM?e&K1M8yP?TeC
zdf~__LC$pM=s}hIAM1PZB1U^<_5^~~;o|}m|CC-`J}S65XU}<2B0$IJWPcRLb8DDp
z>F`qJLn#w2%tSBI#5PEM*E;x>BnM27&3w1())nE%4YOO9W>i7vz5cN6xT^dh$dn5+
zwX*KHA2MBdnL8rtLF(mjt|!m=`fFV$dkHQs^D(nz;k}zHqoZhJhAMGr0CF!rdoW|D
zE73B=#T1U=0HZ56HGb*6L9uj*T?yJp#*V3Hfv%W`Kh@j82!~Ea>QuQxCSStiMi?wU
zKO>uRe1Ib!3vOI=M52Cp$$;ieTJDwE(6-HEXGIzL?8~$7)~??j#bJr*;qO9?lXaF$
z=CNCpk>^H+c9G)bHuY{3$nS9NOZ)O%L+v!Sow9;lf}A$D?MeR_MAYse!IQrPLStg|
zioD~ZV2KG5+)_T817Lg?E6T2mKFumvB30VZMc!UtR|6<18DW6fklYn8&V2i3<$w|6
z8$RI&9n9^jU~}N@%MRDm-z`5b@c9OeIx4D9Or6V$e66&K0xA8}rLAVB4gaz-s>2zF
z`s=IL*aRd*w+$0B7?IQ5PS03>pmLE8PLWL?xd4E#u-e!6xQ1k<Ql{MCb4bZ=y|HOW
zvCDPTKns$A|2vl8fmFGpCn5*~G?1yG^lcT~++3VH=~{(V6LQl-^nGww3Qc!eSPvy-
zzu$dn(w{g_Nm!odH>#{IVvJB2VD&bqVOf-$GBbhl=~3G{9Ik{EK>wRp5@xF<*ZI+%
zcxZt3Y0E37IQ`JavLjsI81ECcYo0@MPj}Rv@OAcu#xKZ#CbU59{AZ#p{@?ByEs1F_
zt7Pqj1jlg`bp=AUjeq*QBtuTuc67v$0Uq!TSbSr6A~4zq#5AN~P7>M>IVEYKR`^>_
z>354DzC^AzAb0!n3%eQ3HCYMnjYqP!j}dO5ld%~o&R0wO){S8(Bqp;r$i@^XK<1G0
zkz@c|`&pZwiI+(zMhqiwowP5L_2(g%(HM_wXib>fkjcOCVr()(=?S$(9P<Hn$Uh1X
z6uSI@dYm?$m4wogf3<Xr|K=1G%1sAQtS5y{ied?c!G?1O*Scq6g;Gf$AZA7id1aJE
zQ8q3Z+Wdgg?+(=TwBN$h3FXFsomCneFuxFYLMR`SlmZ=?tqL!0BHv<*`EotSz_+$7
zLGKkKF9zl^>5$&F6SOHc6+qJ>SP?!j%{pogZ2vatkskNb?pCYRtLlsl(AXVPY_`b5
ziC^}nVJdm|8@XjkM`PaeCrMPf%-4ymXk}$Z+oYs$l{TajAKXvKX!=G096@#lCRy5L
z3;P>fu1dsucZCdjp^V&&tiU4awf0$8Wywwb&mz`n&*O-r;h4K5+)|f^?L=D0IWB%o
z;s0>DXPciW794}B$`VNd4GpKaX+ahsSNYqAgJuIGzU3k&cqF4xw|-(cGu_vM3+;u=
zmKpc&vpwYbJL8;uYjP;8|B>ThNRiDtytb0qe4*Ek!#6j=g0`05Dl)<i3lwQpFOax|
zIBj$Fi&fkp`*k+4c8FLyCixC|<w1q!qKWpv%ORbPt<S#bFXR<h?B_`<y|CG%!1W~@
zEIP44rgVv%Xin<Y_BCu{tu!Q0jG3uL8W|2|UY9)Yve^&3*73=9TXhEsjq$kA1H*!C
zdUPTZ^@uk5w`1iv5cDiabbcW2Gx&D0_Js{fN)*J@RFYQ{b*FeKZ_6K{wNvKsT`Xf!
zWOX6ZO}VRU#q4l{)md6#6T-C{im54pH2LC7RW}ZA$G40ud*;O)YiYr-zgEmNjWXf3
zm22xYW%U{p6q2t@%zd|f&;OeN_h&M{;>d)xu2|-7&7G}O4c{YVifT^(0U0l3CY~pz
zoiufe&)p+~C4`w}m6Nmc38#Hjhgl+q**HNz&Hlb)@zBs{?EdtRenu-NQ0w&T)x-hs
z(w^dV4!iUcS3Hzy`6eECN6;^OV32|53P9wH$=U7>Wz-qqb>#Y%u+s2}Dl5hGcW6<}
zQ@tv;Zu<C%eVZDAu20YqA3zBSi6LMf6+}iTug;*Z9P5s?P>&-8h8X$lJhi5{ZfVR@
z!IuYbm5<#|9>6yuA?R43&6lO&G1Uqks&cJky$O_xaMO`EGnfIt%EP)~8YYa#Uoe7~
zjPMH~N~1F^c40{1G$W3`2yfdj4BJMmRH5*nB{il#$LlKJ)7dyFtF{X$$Iq!vd2mR)
zDabsdupvM2JX?ZR<OAedQ6MY^5s_x<DcT#%i%uMikGu!h*~LY_7hj<=+)zcE)_YUQ
z7N_V{?k~&Ot|^DCBL(6URu=WLfg=q+QNnHHl|@aDj@6INa<|aHf_gAhs2pqkm~~Zh
z!NajnT%`Uk{pACmSC<alj%=2QtC7d}xN)gskbTrbm&;Sr0XgZ>_df)uJd{EeaPEFU
zalt5;73S;^78^7t$83H8b+>Xb++iGR!HLh`x1n^JDg{-xLP0al%0T9G|CqT*ryxTe
zljLbgj@3a%IGCBtH4UO<OhU9H8B9oKKm7FL-Q@tAO*q`<tIA9=(ctj-THO#M5@r|f
z29;QXtg85p7tDcv^}1a2x8VG1A<uCGD_mlI&|wuI%ZL?ORSrq6)z<Aq!h0XpB?Rff
zLU7j)dyU2H&kx|DeK=c}Rfw!*>prAfhw*V<n5QBnnYMp=)n<^pW<k?^pX-W*@s1->
z7B#6o7TSd(iyl}UoJ*M*{%~>B71_m1icUnBXtRAvvV`I2&j<%2U+wI8%_kbV{a!N-
z2@E<{%YgMx0na@&L@s~|a%JnoExsm7WciVv)IQ{2<Vn3n^lI*pReTN8oP}kUvML8n
z*X8!)ULT85$2LJ-ue0j0p=KNoG$j%2g}R@+Zc9a35tH&rOD~&X0rr@z1p9!+ioWuo
z%-%-qbEHr;bzL$tQDQMk$g!at2Q{Il)|)5WtROQ$)YRdiIjR!BTNGXvj^*+`Nuhug
zWI^CB^(xNik_w8x5wjuC1r<^Bo7FTJ6I0y;JK;kryE&=GT+bQmCm5gn$}%SPmF4mg
z29;Enq26s71&od9DICR^0{DsT^oWq`hyD-a9PONy?>w$b$mnLz&YBq-ZzuUG6Id_A
zmmo1Blx7><w<$L7l`t4lA$n0!ZtChac5E{P_pE9<!>E|lkVqQy0mo&2e%C0*OIxBE
zWm8z~B3IAi*n%UWWbPvuE)^z2N&Z0dgvz+H-A=mmDKSLSfLCs;gUAJuiQJnH&iLoP
z{|Zc(-H$<cCN&9Nrg}rDvw#0NP_|Kcg=A9(0?U?3K9d}QTsb+I{m)#G$dJYigOocW
z{5O>U85N`?5Gs;Hqslc``|F<o$UIkfKVwG?WtQtziP|*m6TI&gaC8(t#hWt68t$B6
zdzX~KA6h=USdUN0COe`=rv6_4hpXTt0`=>X#Ax~H0KdNma2Y2C2-eN-ApXf7MvTN4
zE6D!<fwoH?THw3QO%r&NzI-x|UdZBoIty!1g9%H83?{?GdJZeA#&iqLtpd)4Em54E
z5wy2saf);JeJQ@A&f?n74IVd?nl)*Kr_Wa%D1xtA(5Xg78o4nIL&>P#)lk5!b&a!5
zxAypV{P*)($l-s)r{xl+;+Yt~)jylQ2=B7BZ(CIQ+73_!(aY4I?Q$eABJY-ACxc>M
zA3_suTh_6$de)>cRG_ks;PV?cLE%dUg-C}ZoUH$zhwjHM6bYK+3KG*MPCYZY^}F!*
zB|-3gUy9<q<o0s9$b*v^QN*4{<iwf0BV5cL=CHp11p!Ho^e){H5zMq6TnIA{fn^Z4
zdu<w%cKz#r^9#sojk_{`;q^}_0jl6!a2$o!fx9YALw|G4|BFlFNb8;V04mKkq1Oal
zVozmG<u&`gCNA*FEIP#*-w_q-qk@=_V1tIcx&NdEKSm=wW>8JNJDTRYz@+y-l_=ao
z8bfZo8!47q5hO5-Sn(DbIlzMlHzGHuk4ac2f1K6k9um>!e^ZCmrV^%=-A7P4RNcai
z{(Q|>56iUHq0@glW6Q;$w|b?n_Q-O#bX?c?TRV<fgS%~l$<%Jph+bDiN-$Ci0Cs77
z3Atp+tT=P>$76V<zVUMQZar^_d(uY4&Fkb(wgqx%&CYGrxAU0|X(Zp*zEZixMq?(i
z*9}{GOy)}|3`UcV%$Rx1%Bcx@mF0>XeB9sOajcm@tO@P1mZ&xRUN+3o6K}X@gmUHz
z)l~2hfO0X>P|AFZM@J)MLzXwY5J@BM`AD~(jsKekn4*Uu!1%U)pheQ?TEKd07~chY
zGlgp@{1MuVA@5knG^)85`G-}2u@k(#9R<|?PFEKn6D@)S#4`te(}v0odW9)>c!c4P
ze+fNOgh-8Lnx!72Mk`{1%$47rC<!XUg5H*ue^|u9TcPqA%CqVfx#S8kOSq^OiW!>K
z=2+yo^oES%n$;_jm@n{?ve#My+iaJmJ!!Nhl~P;!#Bk+`D7>pCM$uHAW`eqrr}|BI
zKPX|8Q^15+>ot!^m62t-Lw=)f^M0sU3~C-zNP+k*@hT6Dv~p|o@5Ec~x`0?k<)}Rj
z_{b1$<D_lDXJ&WC`@}m)(#7Gx3N+~nAzi>bWLkUv`FCPsD?gm8uPUrP$)eMAmG|`;
zaHzWpg?(>exC<$e0dQsA7#kOO-fL#)wqL?Z{|!8D2fYA>$R+s^cgvK2$f0so?t(f_
zh?vH}4n3v&95S2X3%68yc5A(oAl0jL+tv>Q0^MbH0xgkKR|i!)p6ZZWn=g4LRE52L
zrFT{rng}_vPev62<s&agkzjHI0#DFkmdY!sn5wFaB{L+jLB!~dx)y9GtoK7acSFO=
z;|r%wFcyWsx`7y<42I>RfN|1wS2x|X8<=zmhD!cFNXy#Z8E4)8!J_*1k?KP$DiA~<
zSSu{T7+9K;snCJ88oSE>+W)=NuX(vDDM4Ws)FR}E&tTS|dfDFd8&Wq31rb&mSi60~
zxAT7QAp;T!tPtrZup>_Tpo{%4)e`7y(HURdO|iM-pRE{#3h^{8L!-xK&FP=HWI!cM
z_G)9^!D{E13G}7%C@0$npp&{}g=KD}!w1I92+ZJUd+p=+a?=22<R20MB0Xvh+PLDK
zPjom9u`JdmyK&~m1OOt$xS-#2y~DN$O>x;^X>=U`RaD8L57p@^u|6s*hD`To5vjM6
zAMA?FL(DY_>;-rM8MnB5ud1kxD&s#-S>IeSgvP@&dhxF}Mw7k>E5GW55_uRt#i4CC
zjDs^CACp!FrptqPF2tD4y3D-?r5`!gM?I9JXryf(<<O<)uxKg>G-#!Knoe<hV#n&n
zZA1>9EuBEZ!-_sW<7C``Z#J3Dad}@UYUvrJ&6(I%vMXO_mD^BH3mi~fyDE^73^22Q
zCn(MSNW8FbbiAwqp;EnY0ez(LBF~}l@`dXE*mO!StP*quWB~BN2tY#5)jdlAX|@fO
zf9nrz|2t739=Q5oH9cm|P&}w0tuN2I1=p1Bvk7L-`c;CdkX$pa1HX|`wD=XO;%z4t
z33UEKlUR|!hKck}WYA!<<D0+Uuw3eNwf$3N1JUTkFVfa5+sJX4ZUgmW<?TQDd;o?6
zEO}+qijg9vTI$?IOw=x;-e-Hf0KgVrZi`s6L7Pw{J&yL32)+6egvmYYJiC(Rl3jb?
zHYjf>cPO_RhkT=XQ+Tgac~eoB(y3W_EDiv{qEhM~i!S)$++i*)iTf`x`fh}hIDTn}
z`qbGGjDLp<=dapZ4pydIchp>WK?GybzjfqaPnRuiir@X#K#H!9&#Di&?0_n4TBVz{
zPvji|Pc2GeI`Wttt-Ep4Zq#2LBx3%}g`>?D41XAFbE$aYv(uZVv5U6vc~(IG&PXmH
z6S@4VNY2?PVYtqCEOA11ZqEjAwFd~i`263;tbfC0XG1#yfp<@^@d-gp-KPp4AwJ1B
zP9vyJDFZvr<*iMox1?nF+kPg6pO8N6AZasf>Nz-&<ze?ZSRl>fnYF5X!*e`915MvO
z9=J_EI1N?&o*gz=%SqG)Big>%Ho}l6>S<*lo1{o)(m=}U>NijpxQSe}w$a6p>57$a
z|IJ#4@aKo8g2Fr*QkJgLChOWjm?SFMsj!#t%QD&5GOD+j5p0p45iG=3a`)&$W~$Ib
z8+sf2)@C})h~0M(RXKcx`QlBu(ziGHq48DS%X}`Vc&{nZ0)Zlu1?2{a-sze+p*C51
zIF7}>uh>{{zk3D>2j#kmYer-euAzTiRKPsG#8Q<<1%rvcqQa{RoUg7d1zs`01tICJ
z@Sum%_<#wwt(`XKhNK`jJUr$-xG-O*mp>P-(P$(cBoa@F@8#OjUsmD$ilj=%hr5SJ
zL&crS`MF(i@%`kpeTbx-S2of@YK@gHfm|wn(zdoWp>))}Pw8hf*46~GzSe+TGdTt8
ze=Tv9X_S`?gZN;^7OTh!ahF90FHB@=N;~b*FtUB#lzlxk(w(ii1Uns*_OZUUP%BHl
zm<P#@uoO6(!GnSIdvm~&rX#+@wo`iLXHKM_>(|*Mb{V|`e40)iz)y+MLnBAO76~M_
zSxef$n3z*7j$+iLX3b;l9Ps=%^fpV{&dgysh^2OfAgLTgr0Qf2zW#zz#@a6Uxr5sk
zuruAqOC=h3VL<Y-t$|;8s~<S{BhkU^PskAdury3xZfx(z#Y{5}3V6uetA{*VQXx{K
z{aIlF8X!;X#3308V)PVV!WhS^OzT<1rPG2uuKN!I3`6#h@4&fck1037*pX6^iTd&b
z>p?aqgdLy39Dxd$@bak*&8s5k(1h9UngBaO*3wp*2A#7CO{ltUw%mW>IpR)>idMbh
zjbZp>yE@U|IOPL3_g}2i`R{)BtcAWBQfb!arwR~bVyQsOHQTz8c5R?r<cjM_i@2fA
z=}NO<D0Vd*aNuW<dWD0E0lK)+3}&n~&O&=?qwW*jqPoxKBs3NE|9X>{3V8Be4Z@Dh
zN{m?1zqNPB^P@U>78$(cOowS2nB)+h?aVEQJO{s{L*&4tJFI=AcH9K3SH({`=w%h5
zq*+DUt!M92Ax@$fDPmS>?P4M*X(1ncJG)&6NJQ6I8Sm^#@sF5PX$#x=R3xLQ=@-g}
z6<KQ)rN(-B=IZs%i#8ExF~p;kyWq9KvJ?5{){hG7kUmGFRW_jrqh#S(x|0BY?T{G~
zeea(@|CnX;G7bin$7E!Z-q%uI+2!TJ&W=_pTZ%Eu(V0St(mycX1w=nuX-R30sn;nx
z`{FpU;Y)S)%Rpo~Lg-V&kB_*y-a1D}YhsFLmnqA1VZYBozwg#1WXoh@?ITV$qv^=_
z>k35LfH{TLgbi6DFg{t*zD9IIw-j&vH+ga4?Rrp7LIznxp8=<vMj-5h*NT{Cb&9kk
zwhtu!CH&=X(O-zfr#<;Q!X9pD#K3w4Htny+iAkB;k>w3xvZQBYr)W65ld8zK$ywfd
z9(X0xp0Ftq=!D6P($+x&x4&|Gt8aJzHjK!G*EwPb@eK=?Net)U=@2K!pMU-=Jbz#s
zlF@-Xm$&jY2m3j(*<$!uI&q*x|A-Kzn~2)_%Eij^7l~xHE}RFd?2_2HKT-+M4&Td1
z0kcwok_hH?Qxe-u&}|p>H$tylB}SME>gC#4>Q%5X<YQMltpe1%Cj@Bt1T_|@vZTTG
z!$!3`zWQ%`S3a_6@${P>n*rOuEkeqphOB?;Rh7qIL=x4&7P#Uf?A9Squ<nqRTqM9d
z*oC2iDFvCa5<s2>^zq=XzKlF~yC8binFIMMF+$x@FvDvA<)z=R6YO%|eOD7^B}cz0
zd;K)mAfCj|r~2@g-z~<^;Jq&|<w2W)yIje3q-8oIuca%E&ME%XlPAJ;J5%whFv14{
zX#}AXLDK41RAYhF_5mnmPaA60(=*cQe1C+N00AxT!Z9o^)K{fk+dm1}Cf(AtN3c5F
z0Z?p)>$h*ftFLz?Op~VtBf0Cz99}z)M_pl!DaTcqINB1mCT|v%JSu8Ka5i)(8j`ka
zPA#^6tXLaTR=e!F1C9NWMjq-G<%1&J&@eaMC2A5i*(ce2^_k!q>C^U(yK|;bh*MBc
z8uw)qN|u-kF|;ClX9`Ar7|w8M_tFowvinn~QXhp)-cjO7d)6~~)YjYThGp5i@8z0A
zx#yH@Qce!~`5{Z`6C}ds@K)sFLkvyS7#iNigX15`&-cm)#`mM>(h8C2L#JG>fUm<2
zs-Kw;FT$cKJ7U-41`m<tUQ@<7I7MbQ*Tl^Mk);PN>e$t897A>?1CmhpmhH|rugn`W
zx762q@IF%CicVV72xa`yo8|)7i5PoJ)r4i$ePHfMAk6AIb-uMLjE()>v;3VcytGNG
z*!VjU3Ct<Sy$!BEIonvG-4pCwDl>wK7A8O(^eklS*~?9VUj}HO$TkUFRg$o=Xzh;Y
zm{(xV6AWZKh-BFth;t_<Gg=y$n@3Hd_=I~wl7$XT<{_nRQq|1N5m8t$Cup~ssnf96
zeKEbxXf7qs#fkWZK0<=_?ycoj-D?83g(%*mrsGwlbmt^Fc|c#PP%YBnO-5Kc0W0D?
z?(rostLo5`w8qZ#Ufe!D(+U0sCnJwK^|5*3&-d|da(1{SDvj2(5qUw-SKT%sEpF21
zP*Z5$781b6Ur{0gfsC-!njC29+)TpZs(b{_fG~aP`g0S}eySlT^%U@Ty{pxZ{pYq}
zHhN;Fxv;!X&$F&~FEWke3UiBjZ1(pzU1EPh((LXWiLOb1y^+Ir7E7e$MHp{>9<@px
zJwQyON)j>bL?332f!<de0q%dtd~`TNi-vB%1cq~)g3K}spC3rRelIG+hqEg8AfIcD
zAA0i4168B+P<^zvQE<PRvMlaiknm?NZyM{<AIxb)wM!kNZM{37Ay9dU4d<%T<7BOB
zc50h0QA<hwP76AZH7%K^NYSRm%Oe}yh%Ji<eR2y->h!GCw@lJ=FU5%!s*do(Q$h{=
zgi1D{{ah?AA8A}SJ{iK_Pw-Rh!y>O6hXmdnuGiOEu>iVJ7KTz8M~d*c-y?mz2LZ|#
z_d5zq;nPk=(V#SWm{%E;T&%GuMGm`Ua)IeGsZccecjjVVv>g83+o=V&Pg*sD`1g~*
z()XP>h7o2IbsW?!CcQj><r3U6-lr+^NGFgwcU%-^O3a+D^u|hUPRZ7nj9r$l-7~Jh
z_rh-rnxwLc5dSB%X3u`%p<_{Il<IZu2`QNE<QN-d7NJ(-(NSpUC54miYH<C!!E8~-
z1@u}Un$3VX-m;T-+tU*>g`EAo?ZT-sU|?rHcO!!6gFd8f4K3+OD6BfDfPSZ=r6K<@
zc)B7Ex*Bs4Mj-s!UBiIETAvwLm)XrZ@A~~Af$+8^vQG2iuNc3Xr-N^}weBc4=Vk`l
zQ&)}}+DHf%O)GpImaa$3l_*7GDak3l#jeyX;k}HKn5Rf5?<BQ{O;*xo%5Ww2iqMe_
z+Gslk)uM+D^2pEM&PaVs4|HW^TC9$V_j;#%*}CpgzDn2m6R`b$RQmGoD;b5z(jqNA
zBClp5Nd@O`wyDTwABjkhep1#+%6wsg$}N|~X&;!*Zx!X}GM4RXM>A~@m=7&zT^K31
z{BcU3chg#~QNXvh5pCe6c2u}76g@1gsV&%EE-v-OGhE`j#t7jb4AV2<vE3n(8EXZM
zhxmhbdxbG+0e{OagO~RiO4A?mw~?|Ah%-(Nm~~7%juTNF<;w0Rv`UCk{XU$26sc`8
z)|2JrO+EY5@09bmT}uEws_;9++dI5?Hg7fEzIN)M6N46OtT{HiBvI^wb*Z>ESxPR_
zPs5aKzid#xC>wpi+>V3<23Al0s-YoJVPPiJfbPJ|1tKVB!qt!LD!T4do7*+pIE``W
zENMsr=@iJuG9x3b@NzjTVSW2I!A0pNkC~EPSfw%%XmDT*?P9Yh&qN!THa=hkk_$y*
zlo&m??n^|}*n}wa_H@4{gtjZTB^bXvb$ny0J9My8xKt`h2A})-|0C)x!`kS+uwT5m
z1c%^Kyg+exr??i^;sp2NPH-viULd$T1SwWrid%7a=;8Ul=RM~m!(5ZeWUqby?pbT^
zwQv2@a=EIEY^;xuE2jnHq+chKfpFOQr!@(9TxNYv=Ph0Hv)VpXa*7jQ#M(>KFa)Z8
zTwPjG`sEOl8Y#y*^Z^`|CEv4oY~8mHV^t7iDN8$>zz=*Mj982w92jbMLuP-@0fYQq
zj@P|IF58~us!Jac7noWGIo+yD|NNl~r2Z(y&jUT-;^VwzCwuj3y-upk=%pX4i;o#*
z<VQ33)gQ3Pc%a3E<6J8-3+oc5Bs<w*83yx_V>cr$a&{KvNFpGyA#=E#!)f_Mu*Jw+
zJmH<q{cma-*-6uy{{@Vh=z&6|R$dx#YR2$GOzU$0)-k=*rmO(w`jIlw=EzM%2RydX
zR-Cdc;qQ@4XfknugaSOM4YE0`V})<7F!;PbDts-7zXPYHznzg3$S4jkjl0q3wcDAM
zfNxFLtQO8!#o)w2dB2JsY?Gv;dyZS|jX2ANe7!UyjSSPl0NoLRJ%CG2j9Gm=JaX5N
zi@F6%EV`4m<{)NtVRK&=tw8zDS~&Q5=|!|>$FF6slD5uo)!Nt@WOshMZlHLV?2L1Y
zd2M;0nWmc*sp@^N9wtN_@Em<MG1#ny()=zAKFD~;%Nor(R~h1ayT6R=v_Li>{l2Cu
zBZnJo6cKDka$)o0l5a~R!4A8@d0}&PC5?*<*tjFEkM8-gG2>wu3xxL+ZN(OpHTxN`
zDN|9UDE7p-69T05+!?>Xom!&|2d|=imWDC276r=ly~}OY^w2|eveytId3?%pp$*CY
z*p~Bzd>UGmvWxA09MGq$U8zCZJIr0`kuto-l(_TNs7srU&?_4C-MeMqOk5`bmY9La
z>3~vO_B(M0|2bLzxm)}_{5$!mMxi}lCI1h&-!uN6@zvJF#UKUox+t*(zeUDIqu3|m
z9*uFhv-qG=D6fZ^Q7popRzndeZ~?1)P6!^WClRG^febWK8bf>qK$$PK2VUS()UE(N
zHnwuc1|3P*W*ZakvzDo;L1NYX`@*t}gvzz5Y9Xq&C+dn~z{h4(8oh{)DS>v5)uGVd
zFP78Jj0IS&4nAk0U8^50ul4GbFf=y$+)P?ZQyO`I>Hz5yfSwFED$0q*c?0VhHXAN?
zr&A*PvvaDAs%V6mGWhMwm*7&ye!l3mCADsLR@8i(K;3^Fu=$2%GEq`=hZ{{78Wpw4
zaxUQ{95>b)ji={5Mbo$X9BkhJ`Y6<=&hC<n94@0&SD!;d!crnXyZcqis0?sY@P|-r
z#F5sxgD>zG%#nEwj9i4sW`~D}d<e90dkF8?)Nvc=ihLXA2M4$g7x>--=v73Gs5F2d
z_@m!!58f0)?t!8(Y<ei*I49!4SRmni?1#O`3Hp5PYdPgC-o_-jm*1o`7VuY~&9D2^
zA;p}~dNaEQk)Gzm^)xA7Iz!1I2P-5Vt@w!CaFJU{#%(=7MMsx4d{E)W{(zBdS<JCV
zsHbMAO-!Ag);o%;R<$wAOxbQNyL-(4p{4pUHfH#*>i1eAr%C@$D72@X`jVI!9`#|l
z)e&ScTuVQ%w<6LPQuRaOznp!EB4E>iQ*ZnLL<oKQ!F;lBH`V3gqhE^omEVYE;9J03
z4kW{SbYw3vbwmNs<-cePj=x9MCbZ=<A+==qL1|zicYKb$cr_J@B?&d#HYfM+{9WQ5
z_UsVbY2oaE>v_Ft29@gAt{!Yrj*U)yxUj)7aQ`#V+PheW4ASmzM)%VL*OGWGk$)CC
z0l@U0`h|LX5j$2fUmY!PEYrVr_V&SIXCCJ<UyIZSZ`DHKnb_Dd4E&4`oVqt`jNT8>
zWMF4Rke?Bh#U{wWz-r1pQiUMYp#qhR>l#oQLEmW?8XOW@FV%7LS+zUE+O~t6f8e2~
zi4#+c+QJPY4h(SENyV*Rjz7}5yQ9bvs+*DF^Dzuv$;#DUzXsTHN?Rl|y8In=NKacT
zAKhSc1T)mufzjB*=G#$f^IX_6dIiQ3nK&%>JzYWBA8G_kgR~Caa?6FLt~0z+F0TO1
zr%9C`e|p+R4{|b$bbZ1+_)iXvKC#ha5_1b2|Gi0+)XnM!ql+O{S<=$ZO|(rn)geDw
zBW6crbr7IX_-6vu;e5G&P9booS-%eoa)Zl*2No2Kk6iPu5hGc6c;rUxF89i^v~X@+
z8Du2NbhMTw_Vc?mmL)d>AWOP|_j{Y)j#V6~6G>J)r}CR_i=D<ZK%r>BL4@2p2&5^Q
zkRD8!gjV3D*)ymGqeXQ+RdWszQnWRaqlf*jtSbK!StTI1+%O;7YTd&ONCpKl)M8uX
z|JH5}wmC#Lh>^mAzR*o%URSnK(#nu6=v`X<bWAU>b5@d67FGY;%Yl&*{+5T$7hWFS
zLN7OuXQNlto6)Pt1CU(ITD-Y=BI)|`RkSF>_N4?-S)wIT4{XV07Wpq(<k&zCI13k1
zETx?TG<u)(EhrnUI+8m3dB$*<r4r1Ebwk;Ph1U|@EfEKHwszMuVu385#DsdZ)!{la
zfbaUpmlm{IvEdyoGRd@do{SXZK0Ck&iE*vQ(nE{kKH6PRNg_H@fuc(!IfHmf-92VB
zV^z(djW93>HE~%sq8!nn8DuJTxHKD+iqM2^S!4`pyd@d_F@b;M4IEg1`f>ntJ4;Z!
zd;^O6cj)IVG(YW1oRvpQ))MV5o$<x{-)eMAJ%T36qzZRP`IiwE43ag0uk!qd0Uwmq
z(<^h5PiyHnVipVG`I+rN+txa)?TtB%?)&K#Ez@cAuP;vRX*d!Xixy=&VvAe|xna|u
z*qztzjz*mJMZk#Ah5G3R4zxcpK-hFmZB4JW61gitc!Bw{#zT1kIY7q0M(+SyAIGRE
zk$_`qQPm%kz@yJjW>PjY{GWCc@LD$pHziCsE<vtg$3?8!e9cj!X<O2LJ7S)@TA4Zz
zzWxY1a1GM~fBf8Lu7CcaUflH;LX*q;K)6?aQV87O!GYPFrG7c{_ookp5u4=eK2s^L
z%F+=*K6Sq77(H$+_Fx+^+cgpK@t19pk5ZN(#IHqRcjsWc_(^BmNtZc&SBob1LC)S=
z=r>o1HEC;yYQhM!iyIy{g}WcWdgbZ<Hy8ezZw4rgkSN8>z%Z#z-By%Zr%);Hu#c9f
zXPF#u(|A|Owj^+KCkA0`C*Y3{y4(p0O?6X#5_@hr`Fx(;H~6;iK_znZ%tQngVFdkR
zLYBvjfQ;P}6+&oe_af%vG%-><*|DCSdMua(E#$V~d#QeMsM{7Ap->opQY9sn&t~={
z4O6=p*RZ66YNRlxgTtd_F`jFb35OALH6?SVHHAS2r~U-*kGjg$>fV1cb;&5=4>&tO
zk1-IS0sgpUzMG+Y_lugJP{d7nfQ53a=v?_rX&nfXnO_q!@ezKDH9Fe-YezY4{_(dp
za!DSaumnCUI!v48&bw03*sa&p#YHrVly?+ERVEba@Uw9YxhN^Fn-Sg4h$2AH1%GLI
z@)rz@#%0f6MV$$+9U94>*77Kt*#=zrRXu1D(HueN67pOaU_hpQ%wQ==(`83DuJll1
zd8x5}cBrUw(dK4v6ONZC^i)$5=-af<PDR4C?ItDhn2_B0Zo8uDt^6C50J~*H;};{M
zm3+*XUL&fSz)YFQGHKaZ{CrLz7V+KDo8XQ8+LzZaaw!E6-S}s`=TIMH|NaqTLa(*5
zl*Ad=uVSQhGK<Kwi6QgF&v!8G_umC9l&_uTs1Q`yO3W9~-T407=-Bi(eC?CE{Is<j
z1)(xuM`_{(r}u{s3yP`u=!v#)>8#bo2N}r1q(S%H2X8G3$WfYY`@gemuvTnzn{5&l
zrQQuO>ks3_w3I1B5(x#lTUY<5DzbVQ|K{TM??RuHX+EHE^@Cxpf4p<{zos$8a6V=n
zYyA4)nnhMgox;4h85L(Piqw(J^y;ub*GL1lblzcQuksJNvBJNgMhEvA$WdkRrj@i}
zHA8<7k6g<U+SnGJ5hUPZAQAI(JxAUkwhOJOkIj~w*VLV3{(ut1ZjnT13AkZP3501f
z?<W3YuO+(w3dz&Aq-&(v5Z;XPIF;E(pJ4(c9D>VeQ0TuKQD(?xOUx@9>QIm0*Ot+T
zrX1Ab?!f(Hn42HrxwN^eA1K89nEn8fER1XO8HXgMp>JT$jSzM026~-((giA4uMrTo
zbG0KByHZ^e?M1qHaQL99CVw1*rP{lFBo94j`UW@5<?L$-Uur^IY~dcbI@0In_6Om@
zdpOdXxE1Bk7eY+wp-UpdIE-2q>^1~tZ>PDr#)8?m+df?_0~1_AzRJ@7HkU^lP>Fm8
z#8=}A67B{Sl?>+bX%4dG40Nuj{xDm(GCXj(-Fq;R-pXF5#O}zWQ1r6*e-Qhjm~}Xa
zQQJV<jz)3I<I0}u)QD`L<cmB&x1-xauLqxA-_zbs(b^9>oqL>aMrV<1Y1pa3d<ckU
zh>%+3{-t%@GbJJ_?R_2Kt5AI&qBO1$uAIXA_?ZSeSa`rg8ll4cvDCxw#$lUII!sxU
z3tDBZX7q)k^J_<8XCd}HiLdox2BWFvNY-ql316|>$pSw$O+=|0{J|^Hn)DFP9)4kU
zaWxTk0MwHulst;O$F@BgtwQ1_|GT%VUGg-Oov8JgPd6w2w_-E*-BljD<AK<*dYd65
z5Zl@jsBAZwaJP6KstSK7l$w@`iW!jWxucI1MOAZq7BuW;sJ@+$4QJwRxQC7rIAX6e
z6efYArm@P!^$VV`q4%^)n<5GBSTZ~sci5J^JtIPtp8BQy-E0KpQ8N>9VJIJZrk`pl
zZJOp$jwyUYjcLkuv(tT-?N=U~{t>5A5i2q^ZM_2QueM*uAran(?jjTkM5%=g{9MWd
zW+!Gi9s}R!Z@aK1FnXvsC1AMMoPU9SF|hw(*Bq#~&Rtd<YVD<Bb&ibL_xpB8GAs(4
zsHHRN6#`p%nF-TXQ($eryWF$p&sZX*&1o?voQ_`&s(?ey+EdMMKX?%_U7@(Wt}1UG
z%VbR4)%yIx<-!^(ghq3J5b3MeR~PRJ#Ix!3RQe_1gxz9p2+}t5mrG=vo9`^Upn^U5
z%1=>nzUjepl(LwFkN&P6S4n-YEPnb3I<?l&#@-fX^cn-amg||JXZlb}SNZ>MUx2~a
zJ3O~H%UhSCe<erJos|QFc98w4EDqrDslVfazmg25h+)EgU)Z4NF->80sNIi;YmXPJ
ze?e$bJ&Uq~gfDS-i)@K`#;puE>f5V92FT!wo$*0m5X3=ZDr|6&4mzUvJQz0EA{pMe
zi)SWsYvc~Ye%qn<+TnzdTlW6UgA7RC$J?I=Xk0NH?BCvNp~OV<O^*}9P-CWdZRL<O
z0%f#=vmh~>{b+t{3?{GnOO+b<bpaE7-+v*;421<ckhEg_iD{5Os?@}kEiN^rCokw~
z=Q`OAuA{~$WKS6=sd5H^A@%sfl`0|iCO{RnpkkR6zMIT{q!;iMw`x6-S_Yd5zvs9$
z#7Dc$&5l+>OdS;H>lD8^q$EuX&EmA}J)ts7OZUtEc`2iJ{!XisqU9Csnxd3|EJPg<
zy*!Zi{g;A}G$PaFDC{(Do;!KQ+3M?zW|L$Q%F9XAPV^P33KU3JR61b4YqEanhcI{0
z(utBqM$P_e@NhwfJARKX;u9_6E^V71IE|jt#EsQ1=(;i#HYncKFbVOLG^;rTF_aZ!
zTK`v1jYCzlUS*n~^TOpYmV4kGO8(Qkr=L|#lh(~b;pW>1ZTOV7-4%MF@lZRB*_R$Z
zsz+mHHiT$}d{uDH(=qU4;jsXUUNfvt7gQ1<9#aedzjlfsBkBoa1by`HExAVi8^g3a
z@BG)>9rnwOMKY@X6>+bfAuGDSqK#xFGh)u|tbs@Fo#<ka%q>Ysw9P4!(U3pX&U3I{
z)~WRJ70|v1&M=u;k^@Ux2{w&k%lxp}t+d|h4lv&KYqQON<I<hYHu!g2py{D*T$hn)
zrx<CRw64nR90aI}T+!OgHU`l-(^D?Gc+}hMjzRvBj{bftRII)DXTKrnv9fN}T{_6F
z9jyr%<P2&9I57O0GBshnMd)>Tmj>&V>N!1j;>G1l4RVZ%ZBn-4gRg{^QGRoK^T_1V
zVU1y_Hz^@5yLuPE<FZz<HtZ!R;vEPqVM(9@@4{mgZO~p^m=YS_S#I**h7j@f`96N#
zJJo{&Y~lqjB8~^*AJHiZ0r4FO9SlYG70b6vER%@c4(7mQxKf+Van8=8HVf&no<%iW
z$~PO3_q4ap?!0HgUd%<|agl%a&MJL)3c&Lk<{Irn>s<#H2VhIa)F12po*`q=JKrg=
z7?{A*4VO^cmw}#{x4eiVHzhLT(zlq27bpW%r0TzZXFb6`%p|stMWiPY{%h5v(?3HO
zSjGTl`)P96`-j=|_@JlCuJ`l-np~JdlSIYHrzAO0hUOx&5-hWs+1f=(nS&A)VIE#g
znYB0(hFcBj{X*4UoPwOH>-P5p4>LbGwe5oeb0N&pwjf)bj>jCt&Xl-a=fJx7-Ni7e
zvac(4Ql1HSkvBO*juLd#7a!leZQGZQ!&tU-q28ZMcrIC3f{%?G;-AX@F{k38KQ~IL
zYbK~G`*`z|b_-_&W~8F87K>%)1<$_QDBRlbOQzbOZBN3ozxUGd?iDqBAGeCi<sLE~
zX#H+}OvkyR(tP?bw#$d5<jHEg<oU-FB~#Tu8tq~s^r-rS1fv!|t@jXYT!MT|zV9TW
zMoo{TzL-KgvGE;xlql5No2LuxABw<MKB{Hij!x${=gptRr{j%)SJ#2u-X=6vWd^qz
z>TE3m*Dj;muD97sT!)iIfc{)8mZF0}ZhC^dZ98If=8+n^lL7c$OF-aeD4Cy4PP6#*
zcOtTIJ9LhL!MgbLtUN@=@GG~n{WZMlEk#u{3f>8A<Sw0t^6Tt@*en-abjHNJaa3@H
zqFfZ0btFD#O>V#fcbqdwR9sH!3biA&PPmELVtX|Mqmdkr>6&2@5_N^!%<fi)+(A<f
z1Ay}4gt?)~FG{y)^nCU;ltVpSm)ezhpCwuv)XKz>8R>Gt{5&|O5E(X8NP8qG^jLw^
zK!@T6j}UMy8EvQ(`7`mq<T1t~VmYv$0lJ?dj_lI5uJlr+cX4o=gk6s;{44m4uj$GA
zT^l<XoD4|beN-vuTsQ%x3TE{z1W8rWlhcL$?ldoHo{EkeV4nIzwGn93Y{_*zIW@-Y
zQx%#}7KD`g@%N<eZ?3qttfQB+%Inwji#5@sdVo50ZSB^auYobN4K<3#h4n!cR4$`n
zn@N!bOe6uI36ahQ)(eL}dC8*ylYlA_=$1pKUsEnQ{xUvTAr8C;T4p-CGCZ#a#Vi=J
zUs8QDKoK1G-$pJx?N4j2k*;e_xXx7U8Y7j8=lI14xtJ&m&v@-MTaM%gouAYdgiZkV
z@x<to&~!_$%Uf|8GqG()j~|g#bk03-bul9aS5R9&oE2sT#g_&V3Aw2GIjF6G&$Uxh
z^`P-FO>2Vg7r(X1^*7Sft&CBB?Y`gKem|Z*@l@Q|M7bM?!8`L_8rgR$;)BWY(bH<S
zuID1I6$YwgtWi){;7DUA>IRNXJg9;yRFEqu{J*U5Q(w=-w_r?%4ZU*6>L)q7@CFE1
zcNs=h4+<1o4RV{wj3SWZr5%yLB0i8;%+syX)bf$j*dBR~62h*WJi!?#EYXMk^c?-=
zb>>WUGRJhX4rEN#pws@6+RFh!Uo)Cm^w^h+JJUD#+y7V||5Qt$6Z`7#lNsQ_3a^1L
zz&8kzP})LWE&hfeuhYiaPMxxnns!2b2W>%l{#<+ko9`Kbl;1y6RK0A~MedFdI|)DQ
zFwlDy7ZlPGZNNCEx#))Bx;K3oyI;<?0IlvL49$(RT=F-py>CNN;!R~PkyYLBe5eiz
z#p(~okIQd;2Th;+iNN+PHM3PzW;(T+jkfxl>lf^C%Jj)W3O3|hx|Rq#;*3h9G2iSw
zW_sse3c#-uN$ui-cMh@ZI6vKu0AgyK#dJlad!PFTINcsF5v$sp`O7zN)c)lH)R{O!
z%}sa^XR4}rFY4+YuqUCX(6v@7rSfG33`>!bh#PJY3CgDV;0>R!V3G5dv2-?_u)h@A
zX!Nq+-9jYC<Wg(juamI-NqN?qx+Z^;Dljr02Ln@Op1xU(3XmxLb*C#1?QaV!yPZ9O
zxjbY%9*#7f_;R(7Op4VV!-Uv+W6ocup!TcRlH~|Nlpm>2dzJ^XE!C9-V^PdX{Pfwj
zUTxCZ)+xo1*}UOKk^7gXsN&wv9xDrF<>t~tcQ0I@_PmH6VWvd_l;Z-(`}kR&e1+H=
zTp*`E)&40(4<_b;YAPt=kXM!H_~l@;?6F{iACA)Lbs!+Ucep?eDG{;wMQlkB<5tN>
zmr_w(Nx&9M+79M~A`%DIHUfNx0Bx`w^~s$_!0TrxU4m`jJtgB%R2T0sF|by`n*7E%
zi1h7<eNuhHOzc(|b*%z0I8o3lSe+e~V8`I+Ci)nj=(TLAcUtM>&vy&tL7R$*X|sbW
z<3^Q!ZK+pB%KlCh_9R@d<#Ml8ODLoCyu#Ug|9Cv5t?laf|3|_uem5E!(ba=Mo8#M<
z+R7>^sxcS({^{<98<AW7eulA}pF;1{wa{OEdl9$cW|I<Btxy;r`CA^9#Mp;>yX$yg
z)}`3WQtzDyy!-#}42qH;$mj78_VfAmiq%%uK>#;CUk8_%it1-`Rxou{2R-M*&UG*c
z161CM*%Rd5)X0M3e+#|e0?5D3OShXeD8o~gfA~0m1wx2Zq-{h=G&al7g}(idy-}#b
zbq*>WhmwF;5ubv|JQv3%QTy?sKTEw#fM~Sn3c~x(QVSm(Iw3M~5HGBcy+6*qMeh7$
zDP;=We)Ns7L_pf5M{f(SWvHgV!41@FWGl6?!!MQusF@o{{=$Fds87;;vQ*spP5ksO
z_fZ$!yD7O)hS{k@WH}_#AuGy|EZD`Td!CV>ox}|B_dH2OkGUzX8sWjTQYt|C^XcUy
z^@1f~=MMprlQFw^cgc9%Alk0Iq>oVz$?53OQmM=4rDKS=&00uj8FS1!4o_g+Ej<cw
zq+x_`GpEK#N5hC_k0K~dk<D0DO9$2M&%#%Bf#TY;ay?@6HSvw~%&Nk?#<|mi=6*aB
z=%T9vXAG(D5X<46-utonaO(vTPJjHZDraXriA|(|pP+7<Ql%$^{oYRO63IP#o+ZM3
z1=N2|5yPnZW#+L!7nGBFCWu1czNBn^=gG^)GMvQPPglRx&&wumCb#jM-lLt+Z{Nv$
zS2QD4d}6dra~=-Se4-#B9A|}lQ`qCG<FW3h&TQ0{BXNf>xmalFy?#V+(sG7$&sFu4
zF3mxAn?lSm;?Xiln75EsnujDE^iYZzBQwQ^L;!6-lE2;m2+S#|WiG$4JvN^y(a+aK
zzdJ(rhO(YMGh7p{05O|QUF~`DPYcYylFb_Hd{=c1=GwnhfD{zeb&N>JPomgoIh}bh
zxS*={4$DS=+cd98P0IhOG2tj*&6S2>;i3qe8=s9rO;XXogyM{@hPGwzF8bQ1j%Bz}
z+floma;i~TiH>xY*uYOv+fbg~yDZ@EUapk7e!NR*$JxMdy@j`Xcy#e7;-O!AaAo|a
zB3_Z;-2#v9QVB(x4~p(GgYD?vkxTbH{pG+iibb<ehRZ1x2Q&Q&;J@S~yZJKirl6n{
zzsq5_u@__0Tgi$V;`qs4zJWNB@^nwV;z~vTO;*aIh2#br#&S^RGO<L|kKF*PykM;*
zXlRCp*hI+OFx?Wmm+29EKH$mAuTIG6<xa!LD+0EX?Quc%kBcN1+Ax9vJ)+=5jjhwa
z-4LPn3BNG#_3jF>H+UyQIeuRnn??a))Gj{BZhM>e{xD`CqT&+-BS~W`$Hn|UK6<KY
zR+C&w-cMMH4K`}?Jad{C;);oH<iIgPTU>ryU)|w^$`-IGKLZXQ!rGl|P`+Z@L=bS(
zjumkk$!+R41u-XUADhW{AT$5~wOX3CTf*&vct7h{Ylta5@TJ~{+aYV<MmkB2e{%+W
zZjVD|1S|#&^$P8ok&gA1=|<|?3aGs4MO!vLyo5QmfoWLB%g<SKC)FK&9Q8OvE!p_1
zs&@%mwZD8jVP2e=I7+k28D>f<A7H13T9v};;-*`$+v}<9=Igr6mI(NgyOA`DBh9mj
zkue!x&RcCMW?F5O4SuIf;NZdUoiWP9X&dl|6rAa`lX_bfJQ;VNl|q?jot$y~9bj-N
z0|;AQ+_9(L>zYCcs}n8sDa+D{Xq1c7e@C!A|NdOa(YA%vA}u{pa-dOpH8#{32k?1<
zMtyp^CJD~(&U>Qk*)INVf-LwD`V$1U5s3|h9Dd2&Ps3cE^bJHN;*+)M6z3Lg^*qYD
z9zrRFwg&a&Xu4CCUZ?(C0i;B+OBAZFnpYu5hq<qdpiJl^^2YQRh)T<COm+_UPFAp}
ztlMb#l$V0L20791F~3O#8zj7(BEJX&074ly#)|ryrTRJju+#L7XUR41)dog<t#1{W
zlhR{JQ@$Z3pu#7e@shmMGf(aklq^w#k-5=@Jg1OddSR~xPrfJ9G7#w6LLu#xIZXZ_
z3L8MspoB~I$a~Xf6CLS*G;DLylM_Mg>85-7{oNfI+)ts_aIC9JP3f}KK9<po=7}eW
zSum+k!V0>fn%mx=TB<4Yj5M#Mol26(DzVU-_>cq+8U}ua=v_xFMJf#x*nqt-0e-N#
za>?d)Bh2okk|KCa9bW(KhOpi3=UPP#4SGe5xlb|{9q}?aX~9pH-NhLoV6f!36Q9E1
ztCAZdj76J_kw9~|g+N~g7@2LP;sf~~@xJll)2^g5+utIzOH-rf3&oQcdHe8vGUK`>
zz#2ugxw?N1iM)pH5003ATQE>AFh?`zhhkkFupQh26__vDCmL4wV1jb=qrmjt)^TYX
zTfme}n+hYU8GT0-Xi@up9+v<9uFib(Z4m6}%LGD?*hwM*AKX;`e$IvdQ+yq*?1aGE
zSV@s|exPH1Lb2`Qvyg)x(`#o|F8HhWQmNPK*9Il{*HtBB5sos1o)6|Bg?2=diI=5`
z)M+Tm^W;f(o3p(4HtLlfeTx`C#{8I{a6wNL%16TK!GU`f?5!Fyx(p1VRyp?~zH7@l
z+C#LPTNWFFGKLnF#9T~bDuEcJD{|VSO#-wq4U;S)47)P139Xr?pBcrJCKFtiD<OCq
zX2-Kn0jJT8U*Vt(R%YS@p*l<p%><O*fo~2_6h3JG)6!929n+RheByYD*Fz<0Q6qw*
z!<vnMujb;UW*8T*-*Nie-hr_=hBQ%p!=U|?q{h_{s<hB#)!~n^rAa#RyYK}Tx|Wun
znHkEYM-fmd0M`PO08a-riJH;tg@;v{`}pFs|K|&UL&Ue$Ez6ET4ZBi$kTJ^YED9r(
z-zF$AK~fQuHQmA$V}0ozMW-ZZ^KJG!&K>R4uvsDMrJl_E;n|p;pjZU9n2thlwqhm*
z+Q<?41cL-^Q2acPcGyODWTp$c5|$C!;`TVPI`WiyhlUPn^rHuBcJ)zXBL0q7t*r`P
zI;ddg2Ci@qP8ArOhl>xlI6N_Q=FY~KWI86ugGml$P@f`L7#oysr)FCYe~=?ThhcFr
ziP@Jdv_xd^{6+R!bpMHUkt%G5dmH)v2->K0Fz_1|q*vK4IWdi`T)MR`bh^52C#AA;
zcrgv7op{3+1H|-46SdunYXA868T(;rbr<g&gi1QSE<AnU_}ZjvbIT@|GGu^{s&#cN
zI#h#CAeFlaWyEFiN$`z?!@)7YgT7O2eV__oU1F)VnXo@(z;DO=SIYKcosrI_O`E5q
zk|b6P@Dn6Yt1)rhs4n|)C-q=i99IJ>&CJvA6Iog>2Sxr~lZU5zt!l6lQgdM%u1*xI
zz>#mmL1DJ58$sMJZN+BE<_j2+uVq02HYgXyv&pd@XNgBUKefSZh0&3brrhegSV8ZX
zkg~S$#NQ(jGZDkd0Cld~6u6aU`z>I_JG0|2FxR4OVf1pt{On}q7%*W_by|6g=H$jv
zoh7cJg`p?`Sa!-m%JW>~HaJ+Vw%t9|DwbDo422b$<xPE36@)b+%eQ;|gWO$WD>eu!
zVzS#Iu<P+vKF&I$zFu3CQIfO>&fC&Ls*8iZI{hV*KSwNDt=89KY+Ut?4Ik3m_>!Ng
zcAOvV1m27y=YGp1?+`%IaxT^!zx}>}*vQWzgMhDx-CT?B4+H|fFTVLO$pS6u4WeNk
zzBYeQe|Vo6DO9cJxqs8(ivIu@ih?70HB6WSJpiuWeW9G+R)$-hl=~n?Nrd}_(sPI&
zX#elX@p8+Tt#oJ+LflmwX7~C2?$0&Y)h!3dOx}H%EvxUp)xlGhAua_}zx6$NmWb)b
zbDP^Ho=~*t4>{--?D(bstlCgu*k*CZOG7M3@BhWzS4Xz@G1i!VzCO#(k#!g%Vl>9*
zzg5A&Tx9fms4wSPd0lHn_Y;BlShMs)09^o8c-+b|3FEw6%2Cu@gQ-5d94?hdca2&A
zHS7o`B$EvI9p8UwQjMp2HAWSfOTFUk#ZJcjM;_xoJ3|A+7G{Xnb>X=cf}A<iG-}O|
z;<`z=&1yDRX7*`nP&4Cy>1zYd^3d*T%^OlPlW4Rk{Cc7r><gfsYs79}SZ`;8(xlYb
z60L_7aP&WiS<Xt}#?oK^f1+mvgrdpCvSp;f>0@0~HA*LoUOEc;<~j3`nv21qHU}Oa
z8018F_!Nz!)s~X}xb2y8&s0(XIL-QGTmmA_hJ@$CD+&<?zn`h+Ggh<h+Sn)AnqkA;
z`~H;hv!Y#AyaZaBa)P{UZ(dgw?uFZTTS23yYUGRV31|U~2<gD+Z)3GL<hTV-Fte&)
zs~g}X47>VY`TK)Gx0$;xz-|4PLGOK2PjwYtyb^bM4dXZwX?P3&*Rc~Wv?tW`DQz%<
zhoGS7b!w&Qu}s2D-)iX>?Fj@f{JAib&*#o;DS8@ziyuC;Z9C<$(0rwf+Tr7yu)V#a
zMh4eRUtA041Q2Y;5o>6n<2t>M_{zW+woUlOp42-Nt6g=y>d=>>pAXe&RjEsA0+s-+
zd%V#RmB^p^55ac(`qzo;Gr!|)OI$Yt9sog1S{k2{R2RL<9jbA4bLEA3Ua^_mA79}k
z$`p+S^1B@TDwj}PJNkoE46I7KVM1hZBm3$koYKH47e^3CQxPBn79_^Q7&Pa)_yAJ#
zKJ2ioY!v&5kgrU;!7A}n^+J*<dkiccJiZP<pXn|xtxVi=rwfDQ)#KEt4L|sJ+5Pg#
z_qFAZz<0OJV!XAPac%dT$Mx5=TN2;(T8{V8l$7$W9JF|0da2TIiGV*f=I9tzbL_Zo
zBho)JuY|QVC?`*3yrX{j(SnGPL>Rn$Z8--#j|1`X|IwwVifgw;;LK&L4gOC5UE5Kl
zItc1D7jLN~zGe2uwBs<zK`N(%%f|YF#bg(MBL?ATrY<t0sgT%rulDbPUbTYGz;`8(
zz;XMqR_ykEw&OVTvM1=2I1J6h65AIG-NuJ1zz4<dZ$j~A^Q;$IxgKls%om!^-@d)v
zlFK2A7mv1Cpwl4KS<z?bYK|L4L@K`<<UHT?@msjk)<O>yJyz!d6LwJcF00mL^#xLS
z&`;iDzPJkew@?+IRhW^_jtHYr_mR+|1U>o3`}c3G5cd2GaF^yy(kBSy8n7)`Y)?QV
z_R1PBDycMndPVUHz~=AyX-r75Y?#=k5Y+g38R?joJPV8D%u_B<`W93Y=^yN`KFE!+
z8V4V1+<_HDn*GUhr}V<!=VkJbz0<FEiVTHH@I)Vp#3vJEVihy#JL72%+fv45;Gk;8
zCS2J-5-!Tn%*U-`!$k5|sS_7ERp}mF0x-JN9y}ELqY37AO550#ZM!)7dS-UtX{Ikx
zgSK8k194Yu62a5q3g%M_yI1@}0-;Q1NZf)_;nxr|`b?NlaD&+qu=O|H_whF?q)NEr
z#@s^|ais!7xq1=7Bd(mcCm(a9>!7T>reXX@YPiSFl(3T+D|69^J6;)(ve0?KiN-8c
zaTeBT3AF!Jje}PXE2D7(JSIn@iYR)Jcs4`W>K@kE{YF|CRb11!*m3BJuH?y%3;QUo
z36}AXx>2)F5mU*K%)@i%30cM8uMdUH4*{92%1gG8pHSYF2@TV1H^~>O#bOEOo&(8?
zELg353PyO1l+>gwQ>uvB6XiP&4htW5#SDln`c^tc+Y^`e32ybnyMIj(!zWpp<0dzq
zh%U%LE7zlRmu4AvIs_SYwdk(r0_3DF3E<@D4~HSbHIzr8p(%aDJvp-u2n_4-8d$Z>
z2>5{>8o;j%k7Ny4;6>MCe4gaS&?~R%A#3;+cuR=_(~gb7TCO%*S<FzERSwLQ)jnNV
zpUE{fq@H9wUM^5fBreW@enAZ5_@Av)QcY~9I4>#KhF?sm_XXa|$*W@!#c6YexIt_?
z14ujCPhg)_E=liJv@Ckb=mp&D56*t!Vy&Pnp|rCQ){GC;r}ha=Hm=s_u@L}&xl^cI
zzPnpNC)f@>mmnt6J9V|6UmJ8~UsZa7bjqXJ&%)LCOVn||XChG6l@E48mC-<F3sI92
z{A^OBH?Ih<k?sV-Es4xmf_Vva5=8ol*pSU!y?y-ckf2#au9)Uoib9%!5l<BH6G18!
z`9xf%qe1UH(lb>VoFHi@_K5a)#Hq%O<%LLJk-*4m1FlqyBdh1smGs~3?EbsIp7SIP
z^si*ED~ZecW2LrCZrn|Cq1~);c^}H5%TZmvD~GJXIf4Z!+ekcYBtn-`U=~vxC&i0$
zgO5bPMn=l;hN^=xQ^E?yn@=pTnsLulF*7oS*WI-j4hnTiz=O?%nyc5ITEQN%Q*|Bm
zl0Goi;&#)Tl?EJE4t|ZlN74pu*if5AtX>D#i|fZ=&tZdRRYgC|<M<VCH^M1;R@;AN
z)Tc4PAk~;f3PzyL){(iAf^HMaV$*pQ4BRyMQWt#n-^|CzbN4zCR8xwK4;5T}(Wg8?
zVO<wwPlXXT;QF_;hv4E}v|0B+f!lY(11UY?Vs2CzHM;aBrS_v4E15v_W*0-727aE~
zD7eSJyIw{%D@b9YPGtfL2l(?aln$92zTLV)hyOU$x2vi>I)b6WjS1lfe)N726sY4j
z5p{D|H6pf=QF9UU5LZ5l=P1ysYwz3cfxdLM5GZQ!m&G;@FI6cH``n4L)YjT{$2~wX
z!a}347SX}dA35g0Aq?9{5|wtS5u3^OMG?Ng@h!sUpXf@6d5$xitF!a%=hRf*8za}?
z?5Z=vLXFp#7Jak6Mx`4)1@z0@yM*sT9C=9;MCdm9p>4rM%ZHmi7znC>lUwT6NCZA<
z#^BK3ed*`TUzbW5H27fo>6Z-Uqrc(m@Wq&y7vDbmITqlF5tf|NA{J6FKl;I#kP7@T
z*_ncy^_A9aF)u(LRNGRzBQ67}^J*I=!eIOGJNiVuQ>AQ*-zJ?I?m03qH~*PauCcM)
zPI)&T9VomRy1?vTTj#K4yJNnZLIKB=#4XrP%eQX6cICfb*Ij%ik-M0fEZ#616gJ&Y
zB8w~k&bF?6mj*!lYeM_gKby=OoLGI;o$rNQX+u?Y*q5~LhvG3P$WZpr;(6CF1Qm8z
z;n>8G{D`=o@CW{IN?>oZtbC!(-?p5m{Zv!6*@4!%H3+v!j^&l`<By935dJq}aLq1*
zluqOO8GWRY=W4|EKHtDK<q5>C*a-S%vk@j|E)1jCf2Z9&`v3qg%K~s_wc^Y`FV;_K
zz%l6u#2uZl;_&4P7a_mqZKG;bZH~MgmTefeZnE7&R9gd3y9HMxYV`3g8Z0!Vng&D9
zSQOc%|1r3H4-SfgKx0^Hu_a}Q9vf=NPmVieG5G=}uAuD4gf8^1*!JRJt8L4mOd?d<
zW41d%0H5^7cjSi3A^k&wL6gWUr9=GeeeQGL&P>EKl5(A{FY58_><ZG@ku4R`FV?3>
zifbwbe|1Y5%#Dl@DjDSwp#qfcZshQ%T9|%0PG%6iA~s`UV-2@Nla&Q7tiNV}lMFDF
zbYe?1W|A$GUmZ30gJhL14RBJZ`uVgL$e(JZbJJ~&I5{zm7<{_H%gl|6inVDYPOOvD
ze#f33zYpKcu@$)@ki-Y%u<q74*nzz&efVt8v$UOhxto$3`$Aw9AdlFWxDRI5e6`r%
zfwyy7exbND0d3M`Oqe#PYL5~SKRc>V@ZGWS$7w666@2ko;**@nIJ(f^kK{kwCig%V
zPdI_FAi?<ckea`sJC+zhQU6K#-7M$%{sgf(U%RP&6Mzy8i;w8uPKtKK-HjCHg*anr
zhro~_B-hr*dJUo&A6vY4-!su4=BFOUMDiTSmywBt>G=MoiRfb42o9!gJA(v!2(jqC
zcA5bKR>a^M9<@ncM6YxBL0W{U#`6kEmyT96q)-@juD>*-TO9s#-ECcs<dUz^J<8?=
z<hh*e5jU6IGA*EE9>s9E0UfwigR-{+z7%SKE+_6S<ey#BDj7e2GdcRWeTp7W^FSRm
zR<3Hz(lWYz=1r5DieFV+Au87sCv)w=xwu_Tj7n2xFg=QMVK>;vY5h+7BLZ8BG|mdQ
z3CW&m@h?s!Bc+aP1cyK?$q-lAx^nrd4%$GV3witxcDKa#?PW&8ai2x>y9^L&aP!;*
zC(<9<@5*>|Q^R^(qHBMhS!Ep){EhjrZ~9s|F;*oi>cUf(toZnU(+ItHbNDI8Aq#KV
z2P_hwV!@o^#`sAmRB-dVuOPPbo#;<F$9g2^YO&X4k59LG#@G(b!A3e}WkH8-VrN9k
z+H>RyPq}6VT5P}Fv4FC!Nv+j_8(oBs!xC2N!IZAy78*fV_z-t;#a%%{N5+79ulMD&
zRjn+^W9o1+U)sIZU26?a@uwQ0{C@LtCQUci@pDXSdi2A{pc{1$avm0o{Vc#AiCzRU
zz(#s1ww$J28=Q6IKIzJ)Bt?|c=YJKWO;eW5#voT<+=Pxz%zsHPEoLMTm{@k0QQcvS
zG>4p2VmUM-)Z#g9L2Mm{Fix-Dudx;4VVPO(V$ZY~;bC{p{@W!f>Na0;x+nM+|F0E?
zT8-#14-y^>FU249C_T%oCi7Wr@R_CEHS@4c%Ey8#1v4WgbcC^JX^x~j_oz8TUS*9R
zjs~4Yc%7mAA?~{jgPjBk7M~F+^6%XI{t8)!{iLN@ObO_YbTHUb51w#{S;c6IPg3W@
zYhN#qa%a=Q>MyD!4sg`iVeyCRUlXpsg!;*qtDf0k%k^sO5|YrOcR2<Pt|UZ|Jt@GH
zMivtn?c>-r{?Z4+?RgO>KIm!(0GI6ANiE6Xv*q?|giN=v#R3*~ILBl-{S^XSZztT8
z**XB9gQtFYHA94SPyC>(??=rK?99R4w4U-hb0eP@Z6mLWuZj?Hj3fc6^P2l1D)Isz
zu`odvS<ds1mY*4qZ<i}xo|CA~s(wkOC^1M(Zy<d_cjkm0en{~TQi-x2!i+Sdqu4hG
zF1mHki`9&LbAs9K8>Dwhi+bQc9d$P}!PBJTadu#1?5Bo@H$-7;6I|fx;I%ZT`Y1{s
zF9SX|Pow@|=M^8P8gp>mUg>f23-{Ba!r<Tb966$IG0?v|kd$bx#(m;233sNsFzVvu
z2rGr?M>~y&(bkvKIPUMu7@y4Iu4nAjwrfv<T;s1a)*@5;rrbkXKv$1b6Fb_OKN7F~
zjx}}x9sZAg#IL<iKmPGP5Cj;xf(EO<U`wPcM7!(sa}^+GA5}7Md4-*;bSFAQK<J&F
z?_w20P@~UQ&}E)G^^z9JKczNsqfxBJ77!_grQTPOv+g^K(Fa)=nxtsI9lgEJ@BQ*3
z3zuL!Hp>}HMDYQV@DNZy$Nn2!cnNJkRmBR1P;tX^&v0TZXYddo-lgDtdE;A0&y=p{
zsw|19(96pW0H}pU<GR5u4xHS7H@8_|Nc6-0gJQ(63;QU1$q|nwTvuA#s8YQb!r@kh
zIu{=OtF1k;GE*EJ9X`V=*e+t1{Yz~&s~l7?J(x4)5bxF;9_FY4GrbP`FWDEURc>3p
zR9-}iZArJ_Hzym0!0uPI)q?-chJ31(^U^-nZ(li_lZO6Q=36<-;fup;AH6ddYF_^m
zB~0GcN1JdXV+re?$TKs-j!==|2+wI-H8v#c;vRx+I!!jz=k5eQvPIDkOm~7@g3aP9
zL<28FMX(gGOV7j!B~^x9f#kYZnc8BvW^-p;cF+dFW0(_`Ahw#=hAY-AP(-2CW4>Aa
zep_1CaE|w(cA=z?LER#11?k{Ni*_#i#1qK_=3dg`xRGl$N};i7MuzfmheK9o<>5t}
zC8d@UwR#e%zW&D={ge-<f>GTGY2)l=%kY(%BLF_R>J*i++n}&{T)1Z6)Uf#8&#nmK
zJcj-4UYFW6>+`wWSsiG^NF5F2d~Tb1I#*5*{!dy>J1w{xv>!&RQVGyy{@_ZZgMNbi
zkm=UFbtB~UU5~Z=;^W6%+3++84lf8}e<&N8<otSB=Zzk1IN-uAR1C>R8y7Vq%ZUgE
zFP$B)!5p}MK0&KBcX7VQ+|BkBg|s3fuW$o}PbN2)s`c17m|h<0T-gXOCbIR|ps*q$
zIekG|U&{<&Q-8|W-?_1EhHYL9T(Xc)6L!VNekyZ%5f$HBWtk*P0yiof#=$H3mQv<c
zSMOo)8ln9OwlXJtaKhyLU>7gIN<ent{0*Ol>nm>0^Z7uP?PQFt|9hf+%}5kfTKt?F
zoO&5m?QaW@q1zI?TO+Qa5is8nTW$KjV}@c1nf>A|z~noiL57*QGHXTnwx7>Rvn!FP
zCWWzlQT4hqOA{&elaXj^v~cihFn<9LId=Bt1(uwm0#Ln~El{6Wc{9z85u2)apRVqr
zuW$b2L&FpRW~kKweFv~DY0@#?sBX8!cInI$Bh*#=W^G@-G>oV;J2b&IWQJ?lO;tkz
zNze|Vuip?Nd?O78y`}UO1KS*-rZ5G2B~7aso!^Ux7cJ0-1<L8D3W!RYCi^v@d<x;{
z*&;USeV|qL{negGkGwwDzdOk_<n0|Lg&5LcyX{YHv$|iLh7n(Ud!_1#X)0FPhF_ns
z6=@h$qN$bS{r-HdZ11BLIhoXBJq>dZ``~Q<{apg^%})WsCNLVlA-VOGF244mQK~fc
zzVW@+wOwsOc1l-?h!p2cf<;<t(1i<qMqR1NeHFj{&UY`-wd#|<#7~%~ldC^ZU3@UZ
zQ#0=;^)EgLJ*rj3I`;J${)petziUtQ(jv!z-*M54<%q$q>gWr#{mI(~WZZb}Sb=34
z`&+$T?r1GGg69zp;_5g>0XpgGaMjLM2Os|e=Y}4V?NWR(&;ZP_3>S}{reB^nC2o9U
zR{Zf}dLa52Kg@w18cWG8`3xD|xR($?^+)Aa(9ZYyy}xI_bWJ5&3tMZWTe-zKP;4W9
zIP`QObYR|khnG?}G?-$~nvk|f`B_a5E9r1Sm4B8>oA#gyA?8&8hh2P2`~<9W<p)_x
zMp1`H4Z!iGkMky7JySW8CSFUDToS-vy0Em6cn}06=JauuA|}GO%hZOcEc$OL1Ybo~
z^Cos103sc4SHo)>iq*f4+TM~h%fnwPoi|y<=AhS62>#ZoyrR+eTl0Pdz@9(j%jE1}
z823CW?rU^%*KIj14N{-KY57zK)t)MfrHB+=Z;L6EmNN|)=*$dT-NXDfiMnq2JQ(nA
zZj)}v@GYNo^}&fdJJ;57%J-Og`*Qs&pp^{#?J-0H*PA@i&4dGPjL_T^mJh3Tf|Ozd
zYdf9<M3<w@2Pr5G`=qk$x-2sBxS<o;vn^CV!V*VVB5J9Pm2*B=Wm&>w#IJFkiD=H`
zJ=NMucd9joB6*~sDzKHh7lS=rWR2ehapImR+Z|%2t(lQ($eKMU(kQ|RpnR!tu;t<5
z6LoR3U7}aJD;9Y?x+ySZM)0@26Jo~2;oLis&A7^Y>BFV=D}<QICjrQJ3*<XR3SCS~
z<D>Kx>|jPWA#WeTB{T8=Mhvl4g$tiM-Nyk>qIb1wEIcy`Hb|lm_VE_W=e0STwA7f9
zH@X0AgM`FYw$#OEPozW&jH=&!HlZB=#!F>faR2v@%ul^FZa;TFNWmUs1FOIhireqk
zzmx7)StN^>1UiC03$;G9=>@uTaU|{#Y{k+phmo?8vC1yk;a&LyP(U5aLxP~}*_LO4
zKEEJSm<_%A#LO@;$9>cNsaUOll@JFc8U#x^Dk#C<TKo(!X_-22pMb&suwzMTyi>_+
z7vYq^1p?7rQ}}gI7Ep9CFr2q5Hm+)<&h6J+{FXxD+rB^Ik_DRX5NyK*imGYpY|O0Z
z(TTfn`jdx_PvIzCCU4e9QrL2EQa#-J@riZla)YwR>vPckr4#c&x!=*@zwE*O!~0-p
zICtMs5!*U7yRid)(DaCk{$yEE(h?Nfw8Nl|ScrHK@P(RV<j;i#VUGaf+@7Bj{JyrO
z+yr7zjTh@WP10@)mhd+2r(3~GP=Di3U5fXeEGm8p#f&|W3WcBzr5-tB;OZG_-Rbgm
zTZX;bZ1QHnm!QML+|ga-&eE@5YHgbajE?UE-tWs8aEnxqT8{HN^IUQr3h?>;M9#Xw
z)`ofPuEhlfgqAA&KDyZDynl08Vq|Tc!czX5bOzPhd4E`67oO5B>%J18QZj5$=qzz5
zhvmn~`~SFcvxj2Q73mY<+*FIQ5<HX!leo>k*SZ3xXe*l!d9wYa12vIt6<HDt3JIP|
zL78(}2>l&1hVqy9*%aKd=jzp0@nUOgjr5bE1qIa+qebPwCs|EV9N5BD7g4hUdZuh!
z0!=yy?-K-QK``hNX#Ju(5RmYIN*_QC+|yICF$@uP*s#$zC&-vEPY}Tsdj#PXN5_@i
zb;E8MvdgYf6CFqbj=4z*D>K!)iChHYkteA*SmM8B<Im6fzj;LTV2B%Kq>AgzN2ML~
z&+&FzdLJC#uloayxZ;bq*!x4Dxe;x$@Gmy1hP!J>uc+KFFG`4rzGqd=Uzqw7>-4HF
zTaXS*e09N3P=0<YAtZvc=_jqw{Cs^uZmSgUXT?c#Q}*jA!N`C=o^_Vm>WJ+UDVpjR
z0|OL^YEy}^rp59y(M6}m$9^|}Y@GWVl~<KQCgah93`6g7l)$R6x+yTa=Do8%hOWVp
zvd#yPw;9jQtcc9s#I17;3x>gGMj7=s$C^klw<uh^2BoGpV#G?=c%ua<T5LK?q7bn}
zFwz7>nkF_h6F-Hb!SfL<G3!Km=nA!h8e+RYTIq6eVAmiy>ny1D%?dHHUPpB79cX9(
zb^uJ1fZH${I5qlGLMh3q;MYlD$eFqWSE(oyDmgC0bwjB=!zUD)Ig_2){lUIj-e@Vm
zy{fYvmWK*-YkB6RG;{@Hno+F9#bB$NyQlN+?rj#92xTS7nnc{9eG{%*F3PAFa7UlZ
zI-%Ie#mqhstRMcQ98$eUzw|*i?-o{H{cRmnpC_y*W=gjtCc&;lIO=`Ixe$!YroRy-
zLabs~N?nq!jr!)1Ir=0bVG4}r)gtT;Oz?aL(WO`?3ZpQ=C_~xMAG7PND;s%ci&3W2
zzYI7#D~wX3h<mVLg=d#SnYbr^*g>dfKX!8!ts(AVJ$U$Y|4@D-1*K5)_3sEB79f9i
zEQW_z*c$;XnT+S&E(Sp}+OEM=UF0(C@=;kxAB-yjsH+gcTW<_#C4EGl%>K6s`3loc
znio&<wA*u@de#^vVwiVWo~Xg{5hZwQuPF2gjo(ocz_yM18BySDs}EblY@QsxzsG4f
zV}I{2Q%#yJ%Nq};1hT2#Q-geeRUE!~$x5m)Y+&2WE{05LE6s4!WLGJzaC2dhE5Yrr
zmk%Mc&@jAX_tL73=7HA|tF>e9AN1B-`oS@bxK%tXR*$9syF3^u9$#GaK9QBNL7O~@
zabdVbFGnoy#e+d6PTOVV1=A2MX5@%sf-d#EQ2}%MT1FZpMJ#6@lyqJ+g;u1<CF3vs
z6Izj^o5+sx5Nj3%jB|HMG6TqWXVF`q4l3xYXn?s$BZ42I7QWTZrpQb*t`f;>uid<@
zUmm_>S{!k?(wOSgPyY0=-&)tW*E_|^%}hGmsIIU>QJXQeiFPoM93fm1xkR#=TQua|
zaN|(W%R)d<p}JfhL_}rlA{3Z!Rf6j3S?7CVaw81@J))FG;-E4bYPyZtu`n@mD&k8Q
zDXF2_6+=BS2t-%E^x=ZWiG%)sX92Y19R@t@?^&jnJzpp>!vX=Q6ny2h!vL@jP5a;3
z#W7BFuhvP5Pk#PGi#7i<k{zi>e1b{B969p&W4SG3!}tNYt}E^r(YJGPQ{3CnD+#R3
zyeSgjZYa4(9#56q6X&o2@8k*0-FeV_|D1BLUliU`$2)A*Azur#+y0wt)GLo(@s6@t
z;v!@%f-(#>jwg}hW2Pngx4G?hY-b0w0wGy@SO}+A_V=Ewh#%f$5XljFLCFa0!_w5H
za)t%q3@0z#)bPAOJIb`LV;N#}JQU?8ji4n|P5#@7;({qmx|l9VYmTEZ0voOZ$24&N
zK_i6L^m{VRhr?C9t3mf-RQMh{y7TMB-o^XZqcmM~8)G_FmQn`0I(FHfQ28?cZow`U
zc>}q$t5sg~pR$yD=2ZDSv6W-(eJ&ZMctnZR$m=(}#|(b>1cOisTU)tVnF&^igoWck
zI9+6JRe&Am27XN72uX!+e*f4LOGX6FIO1AGqs&3dQ-o=2I%fmI98h{AChA=^D41p=
zy|j}S+^hm=&TqIF*COADaQ&57kYmW`AR`#cs@?b2i8a0{)kjks3Q7PtI5j7uwn2&!
z1zqGwL7y!9N6S^zUHw)x5aw>slwaKqOtZSla}X1oHlH})iM()%F=2ob7n-<lE6*<>
z8{);XGf|`k6|e)k*&a{1nIw_`P_~e{8AH85z_BYQ2X-gFSRSg-2iy1pVHY>A)^OF?
zt1M#wKh!6^o@{t+6kGhD>}`qu0Oio2ohHm2&S6B#ZQMrNFlBgL_fEr+#7Yg*Z>jc+
zf2qvV7XKxlI89#|#dShvL^@7DrWuR!W1XXUx8!K%>%&X0o+a0745iZQSHrtS@0;Ac
zTV*(~78!#cgs=PCJ5iR1_%1;dt5TGxmNR5ZQVfVP6V{%gP(F#oVF|x`2~enwboYU&
zNbp0Bfej;|VQ6Lk!|#MjbwxShQ#diD76gC{Oe~%85%^$h9`MtFcMg`7(%(_`07lBJ
za)!z?BmPuej;1ARsx(Oy-q)z#MfhBau;7SY+posL-&1_?WDfooGITYZwq;7_?g`7!
zfy+RxUmjh<_07pYd%X(uKx%Mbnb{{K2(yMtdS*&^>pOKc28d8L&={gLX!J~46f8dO
zc=}z=uvHw9iW^~?sK`w&Hl~`9*g2~4F$o?<Mmru3*?gTM*VIMja2Q|=+~Jd`NieT9
zT#?)`p!aH@6L}SO5q#0Db|hx&4xUTDsUL{4$v&q*3pi?dmUqM{`aaqsEZro8t`_Qs
zuNMFM`RvQ=_hEi!vcwJ>V&X_lOZ8s&hxW^4(~hYe_hnCZL)DN;xX`+{Eha23og%Ak
z4?+)*c@*Zx)m=SSQ-({2RrlOx(RlDXZ8n{Zl`Y9F(;U;BUk%&5*Ul?kghv8qcI55t
zIpJ2S6E8l#a0y-HpTS&cB4lk%r%D7yHtOabQ)JU#_yX-&=<te*ZM~qY2#KvF#yvW!
zrufCl4{6xAPu&9?%w*zSro_ZG!C_2ZIV}(E+zb&z-t+C6K~h=^Bc90aq3-O%h};Aj
zP$~@qNwu0a+0W8*4Y|+VC4kYM+9JM53P#|9WAXlW^3H|A_pi7fxmn1>IY`=L(b!C6
zCBTC&D6G%)c;a_CAUb&^R&-RlvxSS4<(5MaOJ#^kQa~{wA&QUxttWCISejFLUd@2_
zf6j|R1{o1yRt>3*VRoV(T0u!)=fQ<nAfVp~wl_F@s0|{T+#Ry7cYo#Kv*4=&(VdSq
zCxy~kQJ))9DJJnw%c_6tC)e7h@+i^u<Dy%!@n@f`$f>rssDogvK-4Sf48Fz)3W^a_
z!nh=2s;a^?EF9+!DMfqq_^Yw1F@$k72z?b+j*9DRo`~vHPyAxa`GMvcvD;7lauW=U
zJ#k$M=Vq=}8M<CkisEpK=2%y{+1CVgr}AI{ID+V#WwKZ_&>>)qG~H%vc23T1n9M*v
z8j>mA8-a^sEG%ZE`iEN0KJn@g^>^5mjKspK?G;Rwcn4X@j6~cXhs{>0W<v4PVo1Aq
zl}WHJ&Tf>aAcLmPQ~x1urKLrItY-C=4NDr9h;9<C6fb#cYLsGxzws=7`=hjPd~_0A
zbwH}$MWBXu?Dt<){nE~QBBP!y(B2`rD7(?~#Z{qFVW&L{yJ-Dw>wLrHA5uzsZC0mP
zpB%GOPI+xa`^W#>GL?OtQ<dPhP;c`75=xrQcAgZ4C1giS(NoIbx1Ww$S(7e!$I)bx
z_tp1Zhl9%hKIS_ZGBcFe+pTNYrJj-}r@=)^ss6Z)C71yk@=+mWa+D4U2@Y9dF!(h;
zFv5Imf%b)j?|XU-h-QBf)Vp(gFbN77G#JB$KK!z4jS`9Vz4TfJ-_RQv@Y!QbHKO>4
zVCx>VH_y^d)<CgGUX8fs>d4nBUJ(_aPdV9=prrOf$9$E0p1#VC&YA7L?l~bk`2I^h
z2sM?@mlmWY=ZiDQnaX4~=*ouh_erj@cn^PbMm)624^logOZL$#6MLzQpcUjUedl1x
zf5~;yh(xKY?pk{*c>6bd+*Kas@Q9SjE*>gDrSl+=;FuNty9jl#z-gPCFH%qz==)!n
zp31DgDF+aJeblSKE$|tA{i<aQTB}^*Y&z<$t4<nUE&K)Q6g>0gz$mG8{oC8q;1k|%
z>*6~tQPZ%Xu*9QalK~i+%GzzX&tOz8^z7#Rgop$PTq?X`hmxI#bCD|TvS)V&jQTve
zf;!D)^h8kxV4N45*=mHz*#v{La;c3;A!y;+(7#^LN#!h}D1t-;gnw;BwkB-s^zwNy
z&2soF;CT8;V6gDW6Iav_;f#1&w%|A1N~u<z82oHf!o$d!e}J8?Iv4bcJ#0|n`}~f#
zZE<fw6Wfwz9peo;p=U9Ts&@Lw7u~fa0ktEdTOIsjU*b5#url}t+blvPJH%evDZezg
zMK`@$*Tw(DM}>Uf95va~x?08%P-})l1LTQu<`GtP8&!;`PXG)NLksk#GYS@FrL-?W
z8;+Slj9peQ7w1HKp8VB+si;~|HaO;!6JvedC{)6pJyXg|a9$ey^A`4Yuh-B*fBms8
zN+2GzD1%MI(BtTWA8Wp~a__b!u{*X)Q|3p=xHe?V6|7*g?dWF^HNp~c)<v$d1xETr
zg!{=u@H?n?49iq<D-y1*01v1=N51YUNSs0ZbX&9GLc>65aGIoAFYS1^Y)L>lPd_Sh
z?JO#W#h;&!{^<^}U5z7o^dYgS$1yP(Rpj`vqZu83(W-Adp$5YMImkv_B|pZzvG9GS
zqVw)X`{9hey;<!X{gX7T$&*s~$rb5%Da>|qc^n;9(=>^a=)NQ^vmHGmpJcxMv54((
zWWMOZ&dIAJP~sHxIc@P6by^vsj!<`V8iHJy?ZQx^@D*cOGtP{n_mU7VO&{Da?nb9(
zWha~|!_ggFt^(!A3JM2l$=t?PMWDUI2Qf>K=k(A^Cej|xHy$YzDqlqNJ94~5x?Wu+
znF+)Ng=mMG;9vXykeaiP-erm<h_DIe`no4c(K%)RO<JEyqfI6Lp-yyA=dk%W)U%Te
z0Ffqq6R6YQ*{X)@ltgsa<C#S!g%(q-NK@_OZPFbOIh4PdiL$@M?(6BrKFZ`CZiSff
zFaJwyJTnoa7N8I~xh=e!Y`7~?1Y{F07DtNRb+yVAUka;i&Rj6%Yw6eMvA#&3Pb;5_
zf0Lmag*|ur;g8B3eW-!6SXS9Clt3O$d%Eer)phISiJ=)07*|RiRU>A=&Y`kKY@JKU
zm!~^tJjjhPk4+g7h@jTw*HOW2z#NGu`8|140{or?iIYlQv-hYo9iQ*?BQs06UW}%h
zkz41t?qO)LX5;i;dJwt?be}M>g1~=I+n1~eC|j9rRpJ+OY@&XnG2_;28*{HZ@$4{2
zOjxnBmYwahu#VysQ;-#%ZCDEBVh@B5aj-YUV;#r$H8GEWB4!+aeZ%yOv?bOyK5>;)
zn*&qaAEI62y4&*Otn}W`VS_szgtB6S@_|-<yFf0E5fZiUvg9_d>F9%M#VC1;{ux7O
zfig)6nsJJ4IIVvz>z%TOgAq&g^v@pF@FdL&(w0~j(_wMlE9j_7f(8AvK+lSoq~)kT
zA+U9f^;q$}S{fJMc{luUz1#C-@({?NKj=0R9bdr5&aCkE><A*%GmT{ItM+kI;=Yq(
z?uE!i+`A+E9DzuOto!YdB^Da`fI2+;6u4H0&8Z`<0iOB-_n(9?eg@K+312>0G6xqN
z5$CiAK_7hO;j$n^U`5cweupiYKS4hVA`KKh?hosmr|*M`*S|-<_CUlnrKu1uEt!c6
zZB$|-nZ#tE-ygNP`3as$R1W%{GnX9#xgGs`bJE;@i5am71j7uLn>PEX;;R3olu{bw
zEjAML@9o*No?cs&;S0V*{f4Vlztu!#`!6Rk=xGeut%A0Z1BVwdd||E_GSs2wzEKr3
z#EZUaG)*sbf^@+lwAq?RUSzlJvDN$dk6hOnxC)ue{H_GQSTYXA-_S*t+gVP<TE7U(
z*2Q0xQI=FoX@GpqOx2Ka(0<pf=zWzE{H;$C{yQL|+3(#)cZVjMIb<r{kB^=N!3tnl
zbYD0X+s~Ff3S^bXCwFTG@0gR)5lEE{@OtauUX=f}nZ`If*i2PhcCNUx{e&Y*aTaKB
zHs-3G{k~}-kRI*5V@7&gFjgxV&9V|pO3`Xzg5&+e>2nNzS8WJ_|70EHne<kPX_JoP
zl)nkI39Ju3q-QdU>yo?TQkl`}>PDjP(5QR==QpE)mL7u)JY6s4)7O?$x0v2xpfWs>
zu4vGqvY(D&2pVY0AXdZ$!(V)pPP?0&VuGlh|1A)O{MsW)UV+O%60RI1oO4G`Y`y5}
zn4o`PdMWFe(EN4DD*Ldgur57X;lS)4(rRf&b)~?s@3IC9BQ+H>ay?QPpkT%GxxhaZ
zuM0p0g+(HnvTRENyGgE2wsCt@tL9JtjFfxdle~QM5?tiw!u<1*K#G`%euvSb=`IGU
z1Cl&Fwl`aRSZTf%XnQSLRHiutMKL%NIwd;G5Ec~TcjJrm{4<tFjHE4@8PcENYBGJ$
zl2jY@j22pG%p2pqDSM>U&HNX@Z~k2qYV+)S`cvhU;>G>jVs>GP;y{bX;i?waQC9op
zVj%wS^yuFsgKU@U=w|u&e782y0yWuF9s7EjVU&zXPjzqszg<dqE&hnND{o`Z5Ivj;
zpF68)^XdB44-y4(mqyCsUyyeJ;a_}DUT>ii=r=kYdCxVWN-syzKJ|6p`sG@(2JL9{
z3f_J*BjW!|V7nlDN}V*}))>Wie{EpLi-}HnXzwzqx64U9SLcbJ_H_Puh9rPI!UybC
z=@)<qT%X(E7?EdWX7KfVKux7Y<bY~SBR4Yd(Q}6mIqg}le?UH=m3|Gaoi*#1+qbDq
z*3zK_?GPi4zD8!tqul)lOSmsoo+FA8)2`?HC*C-p6IRd@R`APBH^wK3w|O#6bK0TE
ziVkz{$2a_s#AxF_fO78npEpnN#p~+X?w{zYXIJUOvlVjv39egt1i>{E?c7!RSVcn_
zgr8y@%nUte)}&l&lX03K)K<8-FYW#E#i(3cR7Md^i17z+euW+L*Pjz-z?|29E)&#&
z8E@}nq$|6eC26=yM*Ro<VlxGVacd|XEJ%?YzrYMrEppUfR0`0WuY1pb`&HMi<A}|;
zVZeCG*e{dy7>gz{w3EqcvSBN&xlF`d2GeR2p0?$TfC)Bp&tm+L)n{%<T|=zjAuPVK
zB6Avtt27-B)}F&ktqVTyL_JzY7(JO?@~Z+2C#9oj!4<at_|jTNi%X7{ue|<xsEp6<
zrj=V*QZ}|EhBUZb{u{=WjPuyZ$1z{PuXz@J4xjjeC15v>Ulod|+7sdvxFk=QmYdFM
zuBe^F25o(NJ=tnhw165*I93cx1W_lS#~-Q%`=#exmt3dR8-Hn|Jfh=l69oumSd@JY
zk2QF;gKIT_B%&o%@e=F#p!>gn-E0i~fUv`0YDds}py70g<n#lVqFRbgRXi~2o^3<7
z{XuO&E_YFn0a=3K(%$eUR%td(8$D;I?~XbtdFy>7zT`*f4>ypiO-|qS`1`x3ZrkjF
zR>Cy+edW_Dt$9Oi0RxNRBg+WbKG%`aDw%}dCj<6Ugl$|y6lWTmu&~6ximz<vJD!lh
zz-IeT%(J{EK?`hyoF-L)IpwgkoF-X}N+|(OSxEM?VHPB>_tE+w-OV`aWZmP@hDg|5
z+zb0K7S|Wg?!{8G6Kk&THp$C`{v3mCHu3<4iDP9A-lIsn9KBe7CEs^{I#p0<KF$Ux
zJ5+5E>-v&Px)CgO*LV%K_YI!*k!8tHI!?Byi)s^W-*=2A65_|W^IZV>4vAy5tMzKL
z`?)8KInoBrO9NnJqQieItUDM$8K*iA<}5EK)r|Sc6Nzm*_d`F1A0H}b$GOi_Sv4_4
z7Hoca<$y1cnea~nF~dWF8E2os!zR4BGTXKDESZ=ab6pob$tQ~Qy_~@eZmh$s_)b@p
zA6e2_PnN)31<SBHQ)EB0Izr)(xJ8hh8wFba)!n-0zxZU_N?X}nj@?c++lcC$9$=dA
zqVAX8lucTOL_z|n4A5iBc;>z2jO&)5tAhbAX_>iBAc$m4ex8ko^Y6OVkB0nbv|~i}
z@v8F5ySkF;l;wk+3ke6UG|^gmA}&@A{*gcQqRwr&I#E(NB&IJQ4zk2i;DcJm-a3A(
zo#bA2yNG%$uCZ)W{LXuqXP;7had?j}RCgPOCS0h_AE|ykX1}Aka3Fchj%f{lUHvh6
znh5h|-}gk`s(_iY7(o!0dfyY<sCXFga^?s()oA)JFro3QWN{1%ZQ0OAhLBi8vVw|U
z5Opk?pSE9o#wyvJZ#Jd7176^yDnu7mflJp$VMhB)K8_*`wYs<m>c$>HpNBE<-_ov$
zq*?V6<A)#4jb<q*%s>L~_u+Zl+W||OL$eG?dM8gEVU6mp!3DygvhM_%JF5zY%)u5K
z*Dj&-h=Wo})J9XS&WpiEK=h9Vci10r!RwXUQr~Kt5T*;SlUK>$hwNcl*2T&q#(hy}
zg1&!YG4V9!!RJHXhLF+0*EtNdusu5FII~|l@o>>H_!9;^XcR-ZMCO8EA^e-an`!<r
zNn&q@Y<=S$F??QYVviLW8>M7%{5$7=c1hYrC@|fmtTd0Xr#6K_gxl3Uz%R-vJ=_!O
zy@UD7nawUf&9)fsZwS|=4=R4&)c~Y2GN&fkx<-#<h1Z$ymg|J(S1w%ndhGM0G93-G
zkbT}XxUs~L+21U6t9#g7iENujIvkX=<m&a4zwSe<mq=YiT5)`%lOJJWSVB9s)w>8B
zG5Shi8wji8cDt{CzVgW~z;C5OdJH)2PhDsv2{?8Q!B0_)F5lUkS!ov~CPLQzj3;Hn
z-za<r%e@${%<f~IfhInnv4b~tbhdMjEh(n&N%B58G<spma0BsV3rwp%c)#meZX;g(
z<P<LhF!Yg&kiejQ<lfL@w4eRA>q*5xY7u2-$g6*qWt-hH-onn%qt5oz_YAoJPs)#v
zOAO=BN5OK93tV291#XO=Z-F-)10ED;G(C#BHDd88?-L!TNxg&<gzAI!N1b~W)aSZA
z*>rMs+t=0prJC!v=S1d_>73}XeS!AryhnBxP$MY_i<Y558I299sNPo`K)Ilq-;48>
zt2RsBPnE_Q`<0=2fj)cc9{R$Ctyp5gj<+n*uVO-<9G|wH2<Rh@n-XXuVB8#)2oi<Z
z-3-$~XW!WjO6C{keyG%C?}=z~MWYiu-S{khSMq8llx7oXMSV*O?|sd__e@6sBC~*(
ze|^gM+r=@<nY~}f?)A^n<OiYXR_%aT$-N+iJ9-e$+iCbkA0o)lCHN>899m=ZDI>3r
zzJhqL_^UGo*~cdA*~-tcG}~}cAcaz58y3As`u6*5#!=RPdJL5$f*;=Wt`Jo!AEa%U
zQf3tU5wquQt0In*<J_MFuVJ<2Vt;}--*wGy*;yE7b%NGVc`D}6;KXIs370q`_){Ik
zO7s=do$%pfJsP{A{J)z9DT6s^vv~Cs_P+71%If=qCA>o*wIh5#by5oCAz|3QtbbdW
z5-Y$KjKG#4_3~jy5fKx8jxb=H(`#ji51brG!OO<&8+^fbz1hurRi)~(^z5eZftee5
zY#djg8>`|%GtRx_$m+Xuh{#5h9)rDFj#*^DjTwrC^H%0>oFZ!HUa*PQ){u}iMi+d$
zn=HCY?LdSkej0Oxne)BYtbLt`rDVQO8FE0xZdf~4`rYYsd)EDj;rt(3hHCbi0e(<&
zZFziSE4}#cy6c0jxCZ54S{E)70oRKTGefW#mxMa%dug1FX?*87aIZyngED-pOiD^Q
zFte1r^ZNRI2CgA_Pv-OlzHQ~4<UekP>T%xYX;Z%9_?mzhChfVM1%<H+O}QQiK9z(v
zk+ss=#&IS`nQHl*q%#vjOgj04Uw#SxDskwuFpNbpG6xvk>S?;<N6pq|&2W$bvt!da
z9^nUeaw=r?;2~{AIhLCs>qSEo0-_0T7UxG<P1vs5A%IM%9$|D#6XnKn^H;CceI{+g
zA+6{?Mjxo{2p}y}tXmtEC_{A#Bm$r^?&h3^b#R~oH=8>>(ZQ8F&mprP(|vnH7yPw%
zC#k#V!vU^_Sw_;ix+|;{#g&<Oj~tlE$1+2EBV;3iu3(kYKLTAPEfE)}5;v!XVF3L#
zB&ildMgo1OzfK^^5EJr!Pv%ob`7h0sc1mJrg(`h>h8I57_dC1WoKjG)$v7uEubJeE
zyD777goo8Z!M8onUJzvlJ`t`4K>nsl4ca)<;AI5WGZQy*dw4jE-7^K!Q6c<?U5~$Y
zJ_XKME(w;=bnBxHtayxe#)r#C)10wSLLrj~%8J8F3tN_8WagFT5{IWT-ZLV!Dn!Sb
zJ&+)EAl3~J29>Z5U$hJN{eoW{p5Q&0XJfGoaXT^%62rtq1r<O)Gi=ELPc}aTw-_+=
z1LzoUj7O7~kM$$+ymG9IF-Mjw&|?$7lHi`p{dk)EyOPX}LSW}t{T6uuTR^10uA*Lg
z^pQf)LpXdyMYSbdjUK9z?U?}8Qz#m~47foVaQr=#^(%gRW?XmwZ<rHY77x#YboqH-
z;zEgX;DH%#4;4?Tk;Oz3GZ#HO7FQMwMrC-<>=5a*W6v)|1_n}zu%3|?HJ%GaS~&3|
zif9@}^6?M{ss+K%-~0pR?n+bXNqGX62Iq3~ksq@V5<K+FVW(*BlvX6JlE@{5)@%zX
z%=VfOpxUKhPZE+wz^4O@7pO6T$z(xZ#V(j{uDobhP9oqVU!mPB*?!Q6TRL_XVX_>t
z-`Vz{H1a#$k=!!A;%CDvsFTgi#o3>$o97rD<cEh@o%~=PUg{n0G){ahDeohEIo8Vl
zZ{IR@Bla!~8+Too>(&Mp(t7@8!s}Z|Uw?jc!M!H;Hh*QB00Jt}fv$W`$Wt=-UY;6s
zry>)kVlGnn#u7Eg7W?+=W2pNQjN(hpP$<y8SoVGw3Bv_kf@)A|W~Z-|Ws|hhZ8pY_
zA8aPv0Y6d45neJQrug@>67S20GDb>Js`vAGnWIY@KM=pAP#uoX7DHRp>b|@p5`_B#
z!sgWiy9R9;l=Xx>LE#`g;r-AT>5&F@zs|lmt}rtCdcjlAA>Kx1yf(bo`K1O;$PD2J
z$;Dv@$PytVJs;#91*}xcv=Ln#3qezw4tioA{Q(xBzN628FT4!l&EDOOi^6&9WffPW
zdJn0C(KcWSh5WOPYMRZ#eYDiJWUs%9KjumfI}JU;fh+S@-|Va1Cq8W+nHb*XmSQqI
zDxi-HN^~==j-mlKXG;>l3ALNTbyRm-cxrmAdBGyf<1VMRAV&0i?yqz-?92<Yp_vrp
zLu{m{qWS6QHKpRl6lQ^hboIJ;<X&W(CBfFL#HBXGdeR(wqUHCQ*m@8aW2~=sJ%>2T
zh}L&f(b=x<vBvf0ez?jO=y;G85E=pV(x-Sdfvt$3p|GQTyk7m$hS-=0FxMr8ZT?L=
zQ=*1h%@8VuDG!<v8&amqUPxF+TtFaPW(3C`d=yJ(a&h^UMA3UC1(Y0_K`v=GoW;;p
z6Q3WbhGd%H8?U1qntDAtpJo#D9;y8YB%g<JIiNm}M!h8rlY&H_C%}b|KaNhKaGttR
z$wlSgA5wZllsVhJt#cVnqVikWDGVcGq`50+=h?pn6yrV_uo*NpYQAZ;ek`l7bE))g
zzn(%uJEkuL8MxgY`HD!JXE<w1JQNff$&Pk5)?)m~Vt~_j6EoTi^kGBU7H`ARNI#_0
zn=6666KV_O<*<gzaE5UO2`K?p@rcN{+MTGF+7lP9IkfDy(7sj!3_4P1+qQ+6Wkm!-
zD;#|9*1OsAs~D_tAt3@8IBE7xB^LL6)>bM`z{YKL*s{bm^V#EjRs@IJGk&uP>g(fm
z0rFuY#WmqT`zbEHzVHwm^gFxc^bI}8^*EgJ&P^gNRuzqRNamq;7VZjsBt!+%M}3uf
z{tDCA(o8LBa+Dx6=WNJFRB5+X`^tMR{^^R2-?B?-Fv#MtABk_rB<q_g(xVa2fyv+e
zpc!c$W0wi$-J-xkbDlCk(u&b=gne8|45eR-rtD5=dYvdtsz)t^e%UuGT*y}D=-RPp
z^n!w-8oQ}(H&*o5YsWmar9&Ldjqx^>6Rk==<;3>3O^23hYcCpTHV0eTSCyo2%eyc)
z2>1f(qGoWsFvZwAxul|ql7oP_YNv!HF?9^p+1o4Jvc?N2BFKSIDnSS;MWAeD*6Bho
zhuuW`f3pBKTjMteZ1G6bqL<aRf-k=?<I!FmJI2o&I%4k{rvQGw^v(|xYy%T)em72}
zA7fJAHba1t^4z7%9qCFN^~y-h3}UK*7M~4SLjG|*X<JjTA<O86pB}y<!`!kwj`oeC
zC$v{yxT<0|YeGsD<)aIP%{1Fvqdzod^ly<d)Da^&3tw<~Tkv!N6v5<N&Ynp1C3f^W
z>Y7@*{xsA^fM_{zHmCSR3m7ryTaP0)vqGPK#at|zFYlpG)qxu8u)M){B-wy@E;2D)
z{d>fcs_mK)a5n_sRfkJtxGdXDXQE={XkN**`l5N<4uuaxSV!~z4E2kDU8yvlMgNed
zoNUu?Yb$TX8#x%`Un=PE6TY+7s)3}|4(SJ;I^*8O74okf69^Mu70@EO#iT#$mj@@w
zg~;vvc3NhlEfkEVT(&XGN^Sgv@kgShWd!iWJS9z;O?6{AQ|^@74-2$c)u;kOniRWK
zNIZUeBVjDe@~H^mAfp>XF_hvTDgaK2(+uyq54VRle(74P*u6v_>Dlc>PSH|h2ZMsW
zcg$w!Zlk5QyMygz1EvHxZZa2bAAwN<b=}2F(i9Jz(rojeQK%#V_OtJfO0CK9nx+Sf
zBSU3%ClD5Ff{hF$U>eZjT^W2ZXmGLTx(689bG&}^wQy2-6Jv=e8@L7=>6m6voQ}7A
zvjqHO|Klb(#>gLP@)xvgN*pCZMz`L7054;yHTJA9t&)vm@tzbuJsZwl`)jG=dEgvP
z=w0RZ$Ora#YtNsq7$xtwqRjhSm_x4Ul#|4CaZiS+H2pdTeMQ_(7zy`&lsDTkHcVNo
z6=~sh#aoz>`egRNY6-I2)@~JNsoasH>6%leP%h$kf<T+586Vq3-}bgc*X%(MiVHys
zF!CYkr!-ykPm2I&PK;G0$)AuvjKDkn@F$0N{LXCYcAwjG<nqFqhY=|~Nm>ENsG`W8
zO$`~u;P4^a`qd8_1C8v4s_;t48(#9vjmnC(cQSZo0`CkBmH+iu{20$RPr+ZRfkh44
zIBrTxP!J$TJJv#F&S7+Vi=|`7E9vVOaK?F<bc$i}b1`N+dVf^upiyg47-n`BiXob-
zsX>VZv;2jRF1X0@AL?w46Up#wzXHwI{d*<Rs2R#Jfq(X5z?OeT)s>l#Y+4iUvK!09
zksQNCz8?4*8P&G&?z!d_lkjhIUl&}MkM+SY%2%HpdFZ`mPCIO(WaKU=srN6Z+(81Y
zrk@!d_h)2cF^!<j&^(WNg0($9d`fpaCX#*OiTn<<2;@Nniu(WPU+;OXA19X4uW7Fx
z{rxmtm!#X(Jaor^iraQ|P`iCH@C1Xo;WEy7zH1qBfhK?^UMB6J!RATAHrp5I$T)TR
znG_bmi^au_KqBDObqF!^Oz++`0Dxfg`f18l<QHfYl1@zN`5_A1d*Z@BCm3zRM_PG*
z|L@x-CaYd~@F&aum<u_5@VR+LD4L7dYU~%Cs$a>Q6>yWv@ORqrDCfMmc13!$_5P_V
zTcc$`*R`}Xq0F$mvpas+$IKr`%9P?ksH<nu%4VcUjzVz$D@s@^yg=bwAt(Dg?>M=6
z5f?VRMbY16PsPJ5<x$wPS}CidwDv(#l#h(U&cuF@0eWXn)ZE@b^cG!A>7QS|Q4Mzd
z7r^|LMI{7vMw;KNwG08vinH+Em4Sh;#q)t?YmAd=*nzZ@*n3d6ch1lxM`vj_QZFa^
z%#09&Zs*WCKW;0Mc)A<D-m|2{4DKlXd{da-?>g(;UVNQJa*)^B=X-)lHQ8oOSf+Zb
zg7cl&j8+_q8W#*wIRN3nN1{)Qciyqkx_Vf!WO6-SC{Wc`WUqKnua#6kNj0Hk>WQ~r
z{(c(!4~-tZ5Qjrb>O`s47gNC7k#I^#;dbHhrkV8bM=6QGk1S#u^4Y)gnc5(U13mGO
z-(>{f0WuF+NW;OxUa9LqphRwnKz(8><Br3)Jwn0(Ma8yiTIzQkf$O{Pd%e6Y<cJFH
zWOr~fqW|ha<o*D81$6G=oHGJp6h_FYPPUjR3Y{`z*E7(Fj+8vNTH&B|d{l=mCka=2
z&3rvW7hM?9dmit1k)3(@)~5&&q=~Q7BA?`7XZO`#GfSXUwP9RM%XWn2@+}?198pcm
ztYfNC<(<63X<C>5oPOzJ_#l@So6g48EZbjtBo~^C_VES<YqjsHLxj`uxFts$3J04W
zq`7%h0o8B&)Gqe3#okj;0`L<F1|D8KS6dJ4&GU1!i=Pla+V$iY%$0*nR24Tme9AQV
z8iQP~;`9^q-*Q+#V&1|<fBa5j<VmNzr4M#0bsfdBIt$85%;Is+eJx}X^!H?qJ(J87
zAIj+7=M<EMX-Uei^h;bNUlQ>vK(V_N&ARIK*-idZKvwg0<@?Xxyd^j2+mXK_RRDTT
z<wQu>)w=NZmIcu<U|TUP0E25w^LOlbOvNY}_udr}f7^vNdgxnbW1M>b(5+)A53MF>
zNy0Q_BD7~k5MfaOT2$CQ@paurF@U1ae9s4E)g&Ea+~DSW7ub6ELZ-2TBZNMSfoN=&
zOBVKxCBm2PtlV9nB;59Odc8AOsE+yMWQ?2$PyY)l=-+3IW_2gDnruNIc81<BjS^j-
z;5+1vIMsL_*fvY_CrT9oTRfUP2OYOBLqF=glH@KM1rFwu=Um~PHu*voa&^&uzQfiy
z&-7LC-hC^B`lh9l{y{~x8Qgj+iESPAUdn!jYV!e1H(M>tT>Dcw%xRHgd`yOMGrU~b
zpex%yV1(4R4So7I+D7A77z+4bXN>!>^UL;_gPhJ3-kEayG1xK_7n(8#g6Yv+m>9K2
zDqL2Q0EGDPF0?RWBMm^UMmA*{4DGy<t8ngdc&Z+Q5J!Xn>_^dTV-2{^h|#-}1Fh(W
zaUx1cFhk`GgB<mVsrVgbJijV}XNA}H*GXG56GzgPlC+OUEf=|!;g&mhF1-@s9MxUN
zW+t#SNAk^0s~O8Whx<fz-|SCx@RMLeyr*cfnu4i^4dv~5a9dg$xG_flEPUjzFe4w|
zfl;Oc+*6B%nlTY0r%NyHOSNW^OZIVB>WiKo#KMncHLnuMk4Y(Q+}vNfHgo*X;sc1&
zEiV9Q7#D<3gj{(r0%7~R_OqH8mFn>ZQ-tiJd9QAYNIkJKVp~{3O@145*bt*I3RStO
z$r>JEJu5rOg2IfSv44)2pj7b0Z1Hd>g|F2w@Gmy<VfD97U_O!0%8AoWTo|IU>&_-Y
z%=vP;i*XxpmANhj*&ll8DhzeO2p|BEoMr6E(dh*Pd#YcTWTEHr!Ba~3RTls#+@qH~
ztZdYfN%%+l&4PC_XE5WrNWij_m<WJwDjy@I(gO=0Y-Nt0NPW4G#5q^^4GM){8KS$&
z%~U32pQTT?t2_FHI2x3r(@Z`i%;w8HBmVW**;F^;$wq1*){NC&oU#E6oPHca=7RZ2
zaNRWyq!ebbOp095pF3<F%ii8+WFYPUeg8|kc(c=LV#1|vaushUp`($ir_SX9zV(`P
zn>RH1G1aK9qO-y%JEA5jufttyPEf_j{M}aUl8dU3-N%p*Z>b#7gWa>@8}0XUcyz`*
zP5sdkiez2YjXAeTn#G6DFa;l~K)@Xq0OyCB>{Sq6vqM<V9~8P?*Vl8W=NDWJ%1j=a
zKSNXA@iJ$Jef}9sqkxW{R@?iZo@_rMu;rq(NeML*_fSyR)pQ~B_~CD+yX&=TxnXGX
zc9<=fHz{NDHd`&L?J6Do-)yy$6&}%jhXOT&GY`YX)@tN%d*7XQEPc&}5Q5OBJ3}2E
z^gz*5^?3yA*KHrag-&gr;Q9pNop(Q9_9u2~-Ra)kj*N$&Dv2Rq?&ve2&-rNzTZv`(
z@j|TR@)su=?h34Mr4u298vl*1u0a{)vxRiSfH|dA%I@9=3A>ROp?}Lu6j$jO@Lw(n
z-z(e++C)jH4b;&*R?OJVXxMU<t$@E6R`tL=nXi$Id~P-*5#p`fFs8K98s>DgU%WIB
zp%UNejse@7F|?cb$MIm1$@!fMI8_xEouA#?Bsa;<ccA`Wi7nYg<tHFhAwvc5d6N#m
z{`<aI#)$@NGCeXq>`4MRv!-l9Nzg}M=ef*pnpM@piXsvWr8^wy?gXVRL)2LH!h<eu
z%2lHpcOMM7q`SXU(U8#uALn1$|NVNT+L{LQ^&>|^B#_N`C5IQdGtwb3Ihfshqa|yl
z*mZV(Jggmu*Za~k3B8Xa&M&Am3IFvwMH~F7oEAB(kjYP83P9r&#lXF()Slc&S!GyV
z`NIZJ+HWu;{kKWDoB$;eOCEO=C|rCi_fya(4V?p9=<p%X*^MM{v7Rhh^Ie4q)iwMM
zB(h=*SE4kCMO`2tk(m@EVVFg_`n^zUR^Xtg$1tR-ju$rj+Ow==GU`%DO4#V2iiAx6
zqf6}0Cd;<?u78<vHKVy@+I}|B9Tq`qS*oNgVEcxMiL{m^cpZ{9)53*LF7x`Utd<^W
zuxm=#7jwPe{s80ybCi-Q0a!Ae!l*#@C-4s0q`RQ;WlDd)p7l(0^x5+#)rHu7<A&5@
zZy^W~mP+X+W`d34rA`Wvd7fgPt7A=oV-t&rY^2oKwbC3VVhG$q6Nb}q>k34R&5A_D
z@g-rfrr{}B7CmU%jK*dDCYuFzL7{Hgg_&sXm(xFBm%b7$n&%-ZEg4PMj=0}nVK_vI
z^chF}%{Q*r_rv`o{~t2jtiMy8BhLrC(q%FUwrU&kS~YT)q>rc{wCCkyT^8aBD&<?(
z(T>wC9JA@;OS9>R<9Dvqtkauo@oyJTU$VQ6w-Q#Cbf~}%xT?a=W-qkH0d1qAKRon!
zj3fs=?L)<oJqzsu^k5Y#p05P}Wk8z0s+n0Z>1yMA|Lq$-4z=etvRO4<-8J@(FC|hR
z5Tt%bo?#1C1F!h7m>>;m-hGJS5&ONpkPBE4{R^*^`@v{P^biWLnm<AsDe6fj-ogMn
zF%yo0<EXBQ$E51pr?6UFUf5D6SfR0~pgCuk474a5*o8rte?7a3&1^G4r~CFI%0OtX
zT7RAQ@;h7MPLBd)W9U=dGjB^MUOH)(F?KYf#{J3Zr^Y3P^f!lbsFr9?k6~Ep51QJ6
zlxXXC))^9wa4g3<0EFcCf}4XUrL=&K4E1e22+T8i5`tbPS*v(f&|Gu&t(1nr{opgd
z|Med<{>=|q4%-s)_Ab=agG)){+CrhP_x}22vqGjo_mdU8s5613^7U%yg`U|Wd4oBt
zp_a4|+duyKnjCcRv1kD(FoUUe0Etmx@GZBDv53^TYM~b&1g%zNe3D*fVFtHN^|trA
z9qj+Mcl+bhFpb)t6IY+vy;*RfW3ce>m>38ST3s2r6%l$c2n7dGVj?#dg<q^a_+RnK
zOY3frR;%dj9wlMKi*;cJ_Wn%Z3YzFKQQg7|D}j3#1A3+OWD|pw8S{j)-8xXvcqzs9
zJNgW-0_*tH*IBy}(c^!G{MMi@P?!Qlnu2DrwR>;C`n_f}qkaHT8m`;(6RJH14!_HS
zGKfOxgAmtU(2+^`hiZQ#&#~2G8#2ANP&y=U9WDqT^oGg$j3V*|1N>f5kVDqP-`JGH
z_9Oo$=EOy`c#FM>pn{uPFB}0lZ}C5{b(@?xI8D7nLl2h<EVWQain6wskI)S!Pug7Z
z>nc&nV7;=Sn9++gOcOpbPen$8Pof!O<yIVY6!R!2MF=I~c$nGTgn-s0iNAY32kV&;
zl(-{TI=n2yQYOz$Q*fm-Q)ssr-D3nD&DL{{nG1LoTgs~}orY@pD{qNt7t!F)N|(oS
z{|2{@()O7jtX}+9G6Pa^Fq?D&bgb8lVqbnm$?~(GyHgJ*Ihj-Bg<nt$&5Fd%hyLYp
z1A7Fo<QMIFo%T+;A514s)97}^xXZ;^taH~#`YIz{;*zK;$Lk??b${f{LNW9bz=cCD
zb+ve7m`<^-ni=w55N|ajC6+rf*=_;P&eK=0GLwi{>qL84{lOb|ACiq5k&zY3Rd_H3
zHrJw^70mUI%-jr%t!y-)<;1=JI>hxZ|4FF2VQTScv0xgXmrZSbu!6Xpsb{KvWS%hO
zLIg-<;E2mB-)w41f{?rKhm$Ejk;;S%qdnOcua19H-xEvPtNL-fW%8TwAKZ3k@uCu$
z6ECwG-1f?Dt8Xcv6Er|13+lfF0PYx1;*w-ZIOEjUT3B4oF=MV`cw|2y1(NYKa<el&
z4qp*uePh+s)am}u3lQEZeqU`XK#>B|Kw|35hI_*WmI{xqj78n>>|GAB+IJyAv%Nml
z4q4Z(t@R7MQ4DNq*#1=W+eHA4C<N5-4xyG`3o90Hcj<cdr}b*yC45s6!&e(3NM?9u
z!i({;=aVniNUO6TIv4SbTS_v60p%X(#8)&43ub0#n439L97f1-YPhf9=oz>eYo4O5
z=SgIqXKqIDn3*>^^k44;0(4{=+bVJ>wuxQ=XKZ*5nzxst5)(g1sBxuyLehhue6^TR
zWD_*YIXJRnxLPlX$vEplP*dxJVRt>u%Y&|5^L5&u5_3H0M4ZN=5lW-EB`7a1pQMSO
zEUNs29GDA-X?DxVH`GBR;uaq?mtqI|y5tIhZ$Wmf;7h+u?~dp!vo!nVD)0_S?Cwh^
z_Z{n)-A3KVRNj!I6-Z_nBACIr>is|8WERyZDzqERd|z6uskpNHTI7iL;WIWl{#T~Z
z!AX`OA!f7xY$gdl)5%@K?~*?U_w$Rbn9y;~GXJ%b(vC+Oh?uZ`;evb*@N3{{X6L%5
zX1AU1)m6|t<<kJ9*Tj?Sx=M0q?O}TH&!Sy5IkXJSLwi}7&#~SEAF3xGmE!7-F0dc&
z(t(0z<w;_*9AC#9eS{9$qQ@+8nM^!Y_UK8(*W;s4B$Cw36-lkb&XeySd-GuAD9UQG
zMN*6ej!O||q~_PT{!RC|SU(rzE{_`b-D8vT-Rz`KC%zN#?KxeO*wCq$sY{%(19~)2
zyr@p*(PfRP#ryPB&;HuVJC@QIgv;Duzk<smR%X(TA$mwEk`bwH%6_(l5#y)rC#XA6
zgFS8rY+1V<gY&jcvMNmUI`JGZsX(zwTc-_+@88TBpmK14903H5YB5~K6!il>p!Egn
z3}e=!GJt4Y@_JhxsBpldT6A)q2<5vD2#%N+PCuK$0no4$%l0h5S$#yKx@P+ObLOVE
zP@9*mI;Y68qy+t($Bh&7dy2BuuV0>%m|St}7p4jWBvk%$<{hlQY{Rc9?iZPJ1sB>n
zto&hnuV`5KJSic2P2uvI(B#;GDGJION-v}*76VsU8KbGJ7S=rYLt)lOv7twLA^OZV
zigoR_UaV7W2+?@L{fG;G7^X>3EN{Z^?Aq2pLUSGEz<UW|uO>>*HQ#DdVbl6C#5^@5
zJ6S(hpgGg-Uj@2Q6(m;F+(lo~Uo=KDC<{`Qm`c76{pu=OS;g@4HtR@_frj2IbZbOq
zv`33~9fjQDThWKREP^sK^%`kbH@!<T7x!oBzcBel3Rt_}igg0EFU!&Rpz3Q>Markl
z-wp&%0j~Dr2&)v*gF0l{3Kl;DWHc*nD<nI|PVOLgya%^~=Z)d0HOV;DHMZXVO``*Q
za4Kh6;0*^9Ize<knV^uEUpLFs5lceV&OK9os=bI~;|OghXxblh1{!o4^ngfStzp&O
z4SG~b|6D4lg2&xZX%zKi>kn%0*^!qNon&ivZ@f4dCf@*Qj5XW>NTmVG75{CheI9z=
zy%e6S^ADFT(SgL*?iAQ+Lm`Y0%q(=W=u<67sIk6#_;Nu{h7o8=?06Y&>qb`WDZML&
zR<xI7a2FyEcS)t@RqK7DxfefG+32YZucYdtggS6$ibfrY5!U=t%}!-4S*)UFUpyHb
zpFA&m!U+gjq_kaaQZ+@d$z=*-u7oLXgm7F+5!TpJK(&V&&W(ObIVt<aHN?P?{zo1W
zfwf=lwnQUmEYdmJ^=!BqP1uJ{1t@u}!|;w7#6#Np4F8tD;lI|{U+z;wo0H8aC7j5*
zU3!}+M6JgMf@7WM;<}<?2u(0!yKFOix9?FT&V~Qg`9QMck*8x6hLo9s<(RANqrpbY
zf8X-Lk^fm*@_Jr`haG^U6I0MsC4<}5Wc0Y1UVOFpH6kZn!@1F&f6XbxY)m(X;hfza
za05heH5Y^D(RZF|dXO4_u!xlKlEr}9^6Z%0$SIPdi+#>t5~0q8rk{965D4iq@pz@*
zv<pEniLbXIy6@GSNCg|4NnhLSSN-<wFZ|Us&%7W5ZD*yql&vT2vxV)6CFN(48@J
zP(<^f67<y+4W^a+!2&lmn2=C`btxNt&N-+PBBO(w=v&BOl3+BKHwf~^m>PKri|Mk2
zsIh3Ft6)w`V_MB#R<0HmGV4r!3e3vPMc|OzI*R%6VDh2%rpYe6>rhzTaDoS`!!Tn+
z9!dW_CYVX+Ean|KV0C{U|1HO#X9~CFKOApS`61<!o&$2-b`C1Fb!?u$pe1a=<>7nB
z9<EiXc{Lhe1@tn8zO<~Raqp#@ml@@F_p*-z>^TXd$_UDvpYaEz0R{E~D(+P)<*&0^
z2THSqyM<Q!AeS8LEp~P)_B5z-CWYt3W#!sbm{K7fMwCpk(C_uMWr1GAG1e=79{Uwc
z9FtnlmAehBV9Aj(|L(%--a|%b^JBdZ?TC^6Rfa=a%oN<Ch$G$shT=>#>M?zs4vaEd
zq3Q3-vQ7i=bIA;V7~7NM8}b+ifVeZtYdc7)pvHT`g~{$UH0h@vgKwI}S!b&G%j|6S
zTTH1Si~E4auhFFN;zO7x0)qk0wOH_U!&=X>6<PS~&Q6VOVp`2dY~}MrCMwAT(cYh%
zMF=)=?qz!tP?=D}g)yrYJ<`|hwzLupT3t3!AK}X>PG!CkpYscH<M#=Yw?i^Rzh|pR
zDQt|u>mc{p{M(_Zzj7jSOBS*J*B-71Q7fZbuO=;i2t^b)`Bzq7qx(y|w%qd0e(%tt
z{lb%IHSxRhbuw!G=XW8%*mFQ)Zdk*WI!sC!k~mkm7yPh~a}s-}TxMoUl2m=WkS{t6
z9~Hmq@xe@=9B~PejtCFm&b+aM#(rllQpzAE0Fl4MP<ueb`Uu!U8e!9G{iqc59^I#&
z;_|PC`8}bjOf2CwHSa~g{aCWLn#nne_#V2pywUO<g!x!p-j&i1HM}>Ziicg*g|wp;
z0p0k7ZqGXSQwwEgIjfWc{t%n5co4&%SW<iTd;2bYLQ3lA(S+$1dnYvg0wO>WW|nYD
zOz_0kgAYZY5NAAu)Z4v+2s*L%WnT=M5GKYZa$@zkpvRqZOFmim0h})}I$+)ox)mOY
zWSb}n{BM<e!xh7s`f8a)eiDAFzZ|S4+?Dt^A2(K~5>)c}k_<=k?t`-$V{jsFZ!4N_
zz9_yqR953d1IK$AF8qX%kih|IX&QV#lPzlT)&3%-;8d{^K4tmir<kn$avWZapkjXD
z&T`p`i)0zK{mE@{9CDP&35=|CgP}=zgv#<#EJZblEKem#FM`h|I%}^v6YKj5#glzv
zwGGt$sEXsgn8^CzPrBp9iW;I3BVduWK$H+I{qH{_`@^y!i0;@W*}2kt4sOWI4a_8i
zvT;>~s7muZSl)cYK8<cG($9vXN(xa$hYlr+ui<>o?4h>fM+;nNAGBAU=`2D@tY?^F
zI?TUj!eKB3eQ|*}4h-?x$^|96*GyvZskT*xo3DPQ@?@JtCE8M$WDOtr)7&4S1@=f_
z?ki@8pUp#$#KDOkYfxrIVm8fYAc!8Dy(eFRFC)!Fn4&5V4)3VDQIgfvhY;OQ7pI@u
zmAQVm_$olT^8CRzJfg&&dL>D%CY72n`+~ujsSQ<P<arf26q9)jzFjK^HxQy{wf}mW
z>Ijx>Kd7!*6Qul6Y*tfqL}8Vpt7qlT$|KyWsFL9s3#s~QolEf-gh!S10gzJOBP}sg
z6JB)4l(tj&*4-hp4xmB&Cf{xTUHI)_Td1}~hB3gXIdCoOiu?|t-aYoA7T)AVMGaX}
zOg4>I+JJANOXErlCsl>w5o0*$3xI2{eNRf|o8@>~IT2}7lIPq?Uiw&pms&WqvNUE)
z&<UzUO0j1)nZ>v88XC$Y+_xQuQGadpkuxEA9X?K|A0uKM43c#>lKcdyRGue8Jg4p^
z7L(3R<LV1|7Vcu`&IGqHLq$*H8Vl%X1HDo~lTUo8sPIZ3Qj6XBuEAiLoIkGgB`{ed
z7Nl|RO4OgTr%fEqtzikR%-`rjFrKuRYVf81eC{bH*Q33VCL>1QcTi5>I)dgAk%D34
zjSskA8wuOMmWj?fLu0beP}o^LbJ(7K>bad}I;;4xh$X4Pdsa^wMb1&w>-~}77*F=Z
zGRobcsD?S%U+9{X^6Ania$`CzwU>eQs(ws^AEw(b=@J|&aJk`En;e`I2sGuscIKtL
z^_d>e+FdqRN_1Tw&KP>I4)itVd$`Ihun`!h#Wb0w(UZ?XyjT`IU;a0;{dRS?z?GTa
zU$jiG{HI2e?o-0!nXhl6-auIIwx=Sg$?eF`g91ObC%y0>C&HAF2afv_GSA<h-6mZx
z&n0k<>B#Ad$op@b!vL5E?#(z!TS#yI1Q}526qPOzhbbDN_IBYHHN931p7f61gIGYv
ztim_~KUh)iFR`=F6OmISRd&&^gEE)qhs}i4-a3ec0rvw2GQkH2CO5P+GpKFLx)Gf-
z8Q^4|T(G+xV*L5q!*w)PaemWbuwGeI-Tcm^7a8&nHMLdvy9)9}(0iLR-(;j;f`8c>
z%FMcrNKG8Pi<~$--iG&Br3yFO@jWmT6LQSbRfu}}e6p8`K(}_g%9HG@5sZv1|Nf+h
zVHA;TTyPdcJ9>szgpZwE6trV$bu?eH@IhZw*(tmi?BARk=KNc$zDmr_&^gSW3W=Z*
zU8e0|LkM6-Uh5%=S;&JHaV6I3thEsq$?P6D0vG*>V=UqBs(e7?-1ak&NB^O@4i{Tf
z)%VCNGE^&C%>7<swg(IR0dqj>{I4XnD|hLv-i~(VXEgXSiuMptNeSGNU^``|KwQjc
z%1nyK!5_cZOR%G(ngR3SwGO+!d*&NAIpt;tm}9NX&hIh~6DzSQe4qLk%)CPmrgJIO
zLTbka5+&XhZ_Vm$&ZT6*rWsgkEv^}GLRR1{I1ox=q&?6ucg_Y?X8SrRzojU<+y%nx
zEDSsh|8MGRcsVZczIqo1tcrn4{>g?24nX;YQPeAlO!k^Nml7oOt}|BR!M)t*wpkE9
z-xh|K&JPbq>2NblVxJ~#ZM;y$mn?`71Z9BqF713GPp&c<Tt74C?8!Dyn^a&mB(BJ5
zr@fbtvUJgxY!-)INf3~iZbs#ui~N%FEd5SpSXE&Nk5WwQY1#hw30t|BCuk_si^5NQ
zT~TA-QRUt$8-W8sM&H6BBwIT?3%pVmHQ^m;GcC6y^v$_#br@unALrw$zSq@%CWN>T
z6E6!kk|wcVzmF}FnjVHGKxE+T(gG;e%%LQZ%Z&otBUPzM6x2O@GjR8W2;R%>D)I`i
z8ig8+jsCk%7QVcm@#NI@4Nh>b2UD;AdTg%n)Wa^6xAVk<<Oh#YOQJ6q(MB$OIr3a?
zHQ*Z5wR`G0`77QA!J-RH8;obxl4-FaLQ3m2|I>F~+Fa3~%1Y-AkK7@a^Gjg^m)uTD
zsU`&{fh%YpHi3vz`te_rVaK#WM**1WKJ96DX{4x5_jjo8=RtPy=M%(m;Rqc(vpx9>
z5sTpz1vz{p9!YqDlU<~`B=hYgqV#ppUqlPoW~?BI?)vK?CZ^!F3*2#n*S!al29P1?
zeqagjxzNVbKG;8@@ww5%milL1p{v_jBY1^mb$e3~0QQcggH_7>k6f+~twK;ip`Yoa
z^yC11*GFZ6QRTq+#@&Z6Y5RgfaO$cF(S2?CD0oj(F@AYS&Rs~?$<Br5Wy<shT??Z#
zSHL_MhpvMv1*LFOi?j~^V(<Alh|h^tSSn;yy=kmP#Wy$1Nr<8Ym>6?q7Msuvf@tU*
zNSinRx!4?r^Lc;GI7TAm^W9b{Xs3r4=>%9pdQJ{5$x)Y6_HTA$!uL5i)VW-Yfbmbf
zTcKK}u8Y0MMx+_AG#Umw4bdm>kwv&~hV}D>#Ww3st@<00)D<OO6JE#N7~|`kZZv9C
z<L<W|4ZhAR>TokE=LO3@A@G=iSuTpJR2;23wzvp#-EmPDU7u)!P@_~N9WmLPAL7GS
zM~4n%_<+pJSypM<>?M8&s{*9C2swGF=;=0#eB89#ecn811k0+6<@6+~%E|36DYxJ2
z?adBskcSnO1!FcO>rebleU33=%H}ZQMw&yha9T@?DiL^2QX2cDYs?M?sr6-EwnxH|
zMM~&F^h|K?gj}-P0_#3v6Pl2PEaH)OR2hmnIWa4E8xH+rp}{+PSV?F0NbyD*7z3(R
zg;zz)^Zeo!AEvJWHn^BoF#G$w7W9b(1ysBLO^iEO!OaVRXVnt7!40*Drg4&F9$@P@
z*yG-T185b=0Gw$nByMh2dz~4F#iwkO*U`{NVJk|8kP1<5Yk42S@%oE9j>fafoWc9z
zLkkF+6*Ds1iVWsf3^_xvXz1&wc+?I1ThV~31I1aao%hRO{wc0EK4QOH<dhV1Y9k<2
z#>GcF@5i@3Z4G*E-$dyMJ}E>+s03L6q=NT4YJIxpOeaXaR}xMC8QW8!ZeVFkO}b3j
zL+Rj&ihbX_56rlT4|#qO^u>G{WYL*lNZCw!<B)<P!~v_;VzGBy8;{ay!KzTYU1=?#
z*))(c!nt|LLi6T`$IMH0%AnB4rt;e5ia_PA8?FCFqB%f#-aJnaII*$GaMb6*a}Oy3
zt&a-KOZ;a7Ej;Rd+tEs>b&UZ-FSq_{d|Wh-RNn!?(i^5vXZh=dCm@g?9<piey}IL(
zR#-s-i4U82tY{l0x59T!Cnh?|j1>Xq%gXm4+DI0-l)(j^G|g%prMesJEt{ht?|?`s
z@Q_RG((oYqmQaD!kGuUU8oUoDVhH9iO`{_jurjf^M=bR3f;WVs&QajCBc=^za_C_4
zgn1bLwQIAWf>^FQM4W@cDOyN-;OgiMp=B@nJ=}5O{Qg^nT44Z-c4&6$4_&%SgL>~p
zF9iifT|OHeWS&Qp4dNCum5(-Ex!?Vn{8xIjampS=G~rgFsq%0P^1iq>XM%`&+jIl>
z@0p>kP0S;pHdk11D2&au4tT%IODV9?V8-zC<*x~XvJkqJVPm&eyztRS>Ud>URD2P2
zoqCspj7Fj^)SDNn=T~A;HwNjiv-(<<eZNvrFb{<ePKJZD*yei|lhh43=+1G1n@Bn9
z)m6I9RbO#>S*kBHb-sDc5+-j2Pc9x>|J#jGKgQ2Oz`$XBE%3)a2Q!B!pmsc*R-034
zQvd;Ko!bM5{DwlK7K6MfqmG-dJ&->bA&?%{Te^}cVF3<sYx#O(F)u{O1d>ysdAj(B
zuC;J*H^WAvsbVxOb^m#Uix7{r<y__{78dbl_HsIUFx^xA<LuTw%{2mVa2~Fho2$2i
zt6MSETHF*arC0t_uiJKmvlxbt+K;xqSQqPe-1yjHeD^(Z)69kGzSn!9N3m`n!XrH3
z$_7;SjrCDYf|(w%%2o6Af+eR+P>hPh5d#_`Q^GP9=7p3^%Trh~M*7au{N!d|Z;`u^
z4u|@6e<Ij6Lg&m$>dlzFbe@jzbp&2zANt@F)sGYxKle(bC?b{4>oZD$0k1Es7g69v
z;`&Fe`GPmqpjX3=61s9{{g0`Wcdd5Vjmoa9nU!_ht30f>OT$YGwig!ty$Z6P-Bu|)
ztfVz_(R$Rsfr6UoyPC*R7u2Ch%vVH&Udl=e^g!Tb|CTE9F#P$FcPGK5obg3uc{uV$
z&Bqd1bXd5*V)@;9ftP@@5s;Dczuk;=2xbFt=S%v+aNNkEz;0}-7lYaDKoTD*g_YJQ
zRC+mdK?6@24*Jj^auidlSmk9gU`cSA4RYBsc)L&kfL2J-?Z$PHb2gf~<Iye)VK^uT
zeB3Q8^4;)B!iIwm&lb1a&a9-UvES39l-!VazbZ;KSV6yu+$zQ_QBy`(rkV3vUnci0
zEIAp0soLlMq9ns~x<RX%IEtdDG`~PR#wMzfnt%QCff<4K_vOS4%9wpFj(R1VZzK^M
zQ;fT_V8E01B3j!CnvL;1)E3*IFWDcVdmZ$VN%QEMn%xzGZnmOga^@V=4QurdhuxE;
z`@XQ=>4;Pyc6^xAQA)@*EypN%VZi;<(E2%&(FCM-k|hLsXJW5DlbxB~F`Zc_Dte_O
zhs<rGL^iJH!W@YjEQSsir2PIUEGt{@It>2~6d(S5i#jN&xZ3AH$iN}|2+D+_f`(g(
zYyLaETAOYD&wes))pzu5v`=6dg=dSM1F6cGD=6v>uS)e^jZ3HXRx5DUJrZfIQ5MQK
z7yg6lN?mGoKR3E>_IHt6gO5R!CuHaunGsXfr}1agD9SL1y8FwrDC{c=kFC8h*2D7g
zMbtVY%eoS09VI3A4#h>^Y8jzv-s&;?iV-GZ5Tk@P4UPsau>qhxVTi~aPL2+mCm6Ym
zeR_VM^wU$~A8O?UWtGPzU@te`w0SR&<B-64O4Ynb6WG7#A?XDKq^kB7=33h%`&#C~
zp_fW|rkDSoWhi8KG=h|l?5fw<D^kY!CNb<&;S#oQDc+fyomsx~v*9eQn*+U1*EHR=
zt0U$#9~Zija_~Gaj2%P$IP0J{dSThDWl+rHD7lDtBR-RYGACN}xNuCDB$v@se}oxR
zp&OI{859owP`PZ@*XZfrq;*Z0%AViMX0^^-l}8KBs>=Q*M%JZE1Kc<9Muef=&qlzx
zFqy`DWC@J%(=?Fw=#J!aTrpdQdZjjOgI0^ZQ<?bKqX&xpKoW*>JSl!9q!*;Nh}1@R
zpU?Pqf~bX7)x#$vQ4|&fNvvLO#!mS$X7=8IprhyIL48F<LSLyl-Y_he`_`Kmj2Eew
zXIBd-hvE$$bfVu&JPR2%y@0n?W!Q8Z|Ej~KFWSO>RV3W9FFax~S=_3uRWBIn=n`>A
z<bul`hG`!^7X=PqP>1sXO>=ehtPVOBG=E#o{wnx2jZ95AZ|ZEn=O+&#Ld4*(GP`(U
zW5FRC4_|tSQJgV!R)|61KS4v^XYscU9fOWSm|kRI2lp^D5ll3IMJaDzI}iS?E5$dO
zMPqWa4J*NV>Q+WWyT2!|fvr023<4>N{baE^gebn4sBKifw^Q@LEWkvGOzoXOt3_*V
z;=K#54tjazO_wb^(L4{Q2DbhMc|@Cug$it_jp8Z1->Q8TWMUgz-p%?fk_O%H?Vw|c
zn;Az#o|eUOAz;9G&r|1L&mWqGmYKpK(ZG$3Zp(JBDJOD1(;S%uJ=ssB1-y<z*I2oM
zmF*_pi>AbckvCc4k2I84DP||+1)!W|K|bPAWOfE>0#SI6_foP<d_@ff{2|5WQ(wfV
zAC_%_G6jFQ52bsvFY(JpWB*86O6B#RM{KsQj`0KOvma#$*u@F>p(w=PlQH}^(rk$t
zOu)92x)xgD#m>{vL4p6|0K>>8ONbek;b#|#1n(5>hewI}o9ZT{7+5lfI#E^DK&ajX
z_n;a}q}=i(ZQ-4prdic44Z<ujbTZ%>GW^+_6--lNQCePCJ#G}0_vEFkQ5VsAi=Rle
zJvZ9U37gDAuz4sriqa0pdAK|7M0bM_sPL>sBfGQqAmm4Gtiwkpp4POVSW(4MJpedQ
zk_M%M@YU!`{*7G(7x1=O3pnz@lc*-%e2`a$S_JOM1#LLY58f__vs_nB5I`&R>ixmu
z#7Ud1{Ys&mvY!{h!5ri+$!Ts&g+uvSVadz*qX^wPQeHzH<LveYsLAqQgZqk#P(RNQ
z2jWY6)LMtuwpxc*T7Eg80uOM85VxXTViL}Fih9t0elXCS*sx(g1xZSFV7<m(6x~Jw
zZ0t*#bnkz~sy|deW><pJZAs)7J0*2rqPgrnSwH@}wbECqzCCe4W^n^;9?G&X!ux<6
zf40r!12Uzw3`zm)tPWw2wAq27sZj2lgR2*hwhq_E2z*s|QKe;J%n&v>>Ph=!P(+Eu
z9C#Q#YJV;^#*u7UUE%rF6%9ywB)W`abfCP7LRpSwecbLM!k{g@x+Z6xYnrSX!;&2=
zqcp+ENuH#6qoo3v#G<DD^Rh|NE;LPVu~~~6^yx|`rS}m_k98kLe<+c8ws^h%l01fc
z+z&@YjD_X^Z)oA~1mvA9|IhmAHqj0jAUWvO<ny}r$s!BEem>BGxLyUfb@7FJr{dx*
z>Zx!!8nto|D@}MCdlSkwGihQ}@_4<6p6`U7>oX1{GxWSOFlTI6$LwqBH+5_X!J#>2
zO2M|oqJODu$deZ;Z+<An6r$>V2FhHnZVjx`1?Kz~3dRA+_utF{3d~nn8D7dv1a=3)
zki0mIaf0m+@9+JR;1cl=NF^<#_~OwgMH^yxWEu>r;jnsXrw@!K-o*R!OgB_zq#V+>
zdN+7kafy{tp(P}VC!nVsoT6%{i#{U6?n!l6+}kH|%|-D*Vq9GWTF9I{;oJM=8BHyv
zbU-hylPp|v%G2x)Od^mGgB3q$pF@9C8lwHp@ZvAXhyJ&n51A&<ystq;VCl$I-Y<Ml
zs=yJ>R_?-V(*@F6ivc^hxaz*O((^sP7b20o9C?GHzp8E<dSNPb&55xc^ad-WE9!`X
z$D(~`e`+pv-b3&Uq;zUhN~e>f0+XW_vUOgj4cK$c4RQ_oH9E4mdVJjS9;iL($a7uc
zCwdPZM3iWxhzg+){Zc(v#-Zh#D~*$(O`(ASp$Hq2hYkT{Ehy`r|F$n{EG#b%JrtNz
zYl2XZV60N!6T|W3jf}1}*dFz*J*W4}eupXy#L&WP<)B^}HUOy1>9g;b1lTKw=@Cwk
zdIPHDBMAw^Ahip+q$->K7KUV<qTsiIqf}OVo0Oj$j&RJR_UbIc<rLVY2xF}8<DA~a
zGXzMnOMH5kyyH4UWfJ|8WC@4l7we*_WGAo8Q>4e2+sW3rV7gY04qX1v3&4^7j$)cu
z$}r3QZMsm002qF7Pzl}CNE<&}i*gi$#Q?Sd9`4;zl%%VC3EUJdp%o(80Wa=Di=Y_J
zyM$WL1XZ#P^e!Gi^r|fw<828b0+f{e)H%y&@7EcQ3Q3Qurlo1`sN3cGRzIhykr(ow
z)~lh%!v>{0;A;~^vJ3iPv*>JwE;G|BNY+ke#lRS<<Z-t^o9?jJDk3Lhn$1S#jt5U6
z6{vNdwe^IYJUl=ZLo}Q&I(``m%iq>r&=HKkp&aXPNGrTrz?&kU7hsMnUk80I+2N+%
zaCZM??;F&b*1xS-U5-Os%Y0nI4eQcMR2+6SjUBm($UxK^Y}q3;KfLJKB8YTt;O@-~
zIoVTj;YI=@fmmZSO<D)&_z~)ShJ(|nms>eUmg2DZbyn+}w6u|%8VunP>>%+leD0?k
zC0-;pU~I@%N)7-fyQ^Q?Ajox3!p78RdwHV~u&}l(e2_zolixzA_;ZDUVAgq9e$|<6
zz7gLBxZV#sMJLdLiZ0bJ!=Gym3MF6`{h>N|pNOL{PEy@0RY(#SFLaSZQ)Sn~A~(4J
zam{nJ$JI=eeZ{^?l(iafUe{`1$EBU_8*S1?cx2SeG-g^N=3LpjzI$5!gA9w;^Vv}D
ziyaXH+d!Zh2`BpBx3Zw6hS?Xg?C`74lYHo~jVCxsRAAZhB_o=&?9h|-J3H1nXX>jg
z26GbYFl<|_$`9+I4*JeD0j=33sJoMk4!Wtdl7rM5gHK+PCAI>5Rf<*OJ*_q%oVlIB
zFUpoj_ygR`>t1Xl++4b=$K?;P46<=gaTII?E0s4vT@fV};LfR8CXT&FC_eaonEPy)
zli1AE`J|W$8}YtEOR~0VG8;h=f@<{!Jqvz<>La_2I2=vi#8qo`kx!EX6nwIs)5s#E
z8L)d}9ck(46#TNJ^F&^JQ^S3xZHjFrBs2!)787Un>?sha;(OOHD7tX_Ym~7(qQ<zf
zzXFz#9K-PKA7c>o7f+FpTNR(NCY>H?f{`TRMjNRk`dg!>`vd|S?}!mh4SBGBRrHOX
z{k7_A{h{_<O|VSQld|}ZSD9XB!QRsgARpU~ait?N5_~l0^Ps=<7LH8k9VW0{79Z=2
zm@+ePKz_Fb6(v($GRRW6m3yJ5r!1}9zbg$3OswzH$~k;o8S$QWN20PCe+T|X%S$8D
zWvf|@qOjWcbmNgGrC`d1>@0|yAjEHB5t5IIOft+x{s=K9n?j)`l-rP+>oJMlC4(>;
z4#PX@4kEXU#c&4D|Ee%d$R=wW*T1^;^~Lh6!Mq4Tje2MQck#5{a5b`cF!{o;4<|fb
zjZk>BlQ3~)#60W=7_TLo#pj-qr<juKM6L9Qf{PEk_`;Eth5Fp`qc6;tZ>e$@Cg7V3
zCx?ms#)ps5YAz12+ea_5iH*At4O7%~&VqMb=y~D=H(C2fS%b;dQ3+$H;%)eRnZXr3
z-CT<~m=ipg?gZUy%^5h5IMhK4*b(k4cY-eBN3D0hz;|Q6CIhN%x1M^?HvCH+tVPrQ
z4k#`F>-xV#*iv#s?~FmuV&V77E$Z0eY0{e+Mpr=Isb5Pp;?OlI0F;4CyKohIKk@@o
zJB<nnkdGolD<J)n`YOGMMX|^IOH+uV>d<GF@LS4WOIe^<qB^M35?)qC9WCtDkhtn=
zgULeX%8M~SD@2AgKr%(4F2T>>P^SWXM}pUC;m@RgnrOTB%Osk4-hp<Vhx3|DrfTfc
z_+0`^7$hAhRoesJne&cZ8TMW_50DQ6Vr|nhn)O3n;U3an&?O8&dbz6`##oUQFLr@`
zQxRPOPuK=oBV3g2A)yJt20FKS-H~1Nc4rz#h045gE~0+pkMU2cr<w=o`$nhon(cR&
z0=1BetHe}mEx9{=o>SfnS7~52gjyOxV7OcCNZYPT?Tg1dV6KE~1U0mrLpiqXQ#sez
z$IYHpy+7~C_MV@H`|6Kss&`?sYlemD40inv*1uu-jMG5b#i?kt&1in&)nq6X9-VYm
zKxR%#L$lGRJ&9ZoH>3J<s`KZ;UImv~@=MUvf_Z6o0JHx%AG$zmi;?HqSwSd)h}f5b
z68D<p4?meUADyPrVvgtHu}8|74VKp&C|>5PEXmqI6F;YsXo@{>)?Q~~AG<zs)#l3N
zIhY9*Rjg_DETd~Ch3Ugn)5*HWi{zjaAsp-EX!4{JNKMgD#z3E=GY451>~S$5M%ZOT
zvckUSA{q9Xd9mpL79d7Htpy^?^&wdi-#6hm_1KmfyuO&|st>@O^9k<d4CW~wqsKE=
zlf*x%#LF0s#QP!=HeJ%y4i|yEB2i1$Zfy(?e8{mB{{pqqM_8C`0=|*-6<(Ou-ost2
z+)h@@snj_QVUerwYy3#u#%5gL463nB%s_8!+)~u8SE0vy;)DJsZuWV}ADLN$zj=zk
z>X!+B7e2i4Z|KbM!X@t}cXb0LqFI=zb5y-D#qDbAaZhjZ+y`ZjKlLFlIjtO8vmF}5
zggei_X2NZ7fW~z{*NBUU3a0f+_pD33<D`aqBf3Mt3b0}qEpJSA;T8bXlv#I8Jjg#t
zf_!YbY*0c$LjFO6NjR_J1f32JG8{Ut*P`1moP2Y9|2K6baNeuEo({f(l$7qOg#Yq~
z89re>8?Fh#tj5fpK;7jHbr=@R(L5Gm)2t+o=Jsgy%l6a$o&zG{Ov1eeFIm8*qq>dr
z<Ky~N>OW_SM@Ts84>_^!ydE@X{?`k>blop7l9O<+z@J!vy$NG;DW#~MW%%er@5A@<
z_57V?ch~2)d86mfa;!{Zh78V*0QNyker0Cw_U{Ickp;Lfcj$Hk{xvbW`SY*)YXn!)
z#&$46(YY{8;Gc0RP~RQL8#;vws0YIaKfsfFvg4XqQg^|sA~d)pA~ADe8s$(5u+O_E
zz0<=9Z73S^ukVJH=oa}3)s4H5DAWbzUOwijssw?0jn!MAl2>ckL{va?wT!L-AH*rU
z2!Vi>z6wom@g~dctM+L1rs9gt&hy<d{4ji$YHC<s`T=>6)b^c9%gTp&9#i)+36+5r
z)wrrrl<$3wZ_t8UfT~~H(bV6FY`b%*uI*8iY{PQ_US74)S+pET*0t>CL3U;&9Yjy%
zqDxBncE!8D(rrvhIx@q~6|)d{_w_7!_dvqA-UQy67_l#_2^~WC8(kHGlFiz*9tW!e
zl$iUBB`oK4mShM_S-<T!rhg&06>P}DO3=7D<RpY_jg)GEft%J<g<zn==ar~E2qaOj
zj9zC|r-X>)(@<DR1*?00s|8E^LcL7|P!RD}OLqq_ZyqTO??qux;eDrgb8!=Gmc}fv
zc<;+8^!<s3U2#K280vPkX}xUhOD!Qfu0yC<#?M01;r(83UGUS2Z6+0?we;g|OP24(
zhXKyD%pV@T1>`&rBJ&9sMgR{WC$PY*3t#cipJNZog<LXTk1`u0!=d=+kin!ZFla$b
z4IX=%`W|qAyKze!kH{R<T!LU@uz)2&dc{TR&G=S>O5HGC<uRVNR}Ewv9tb>yB4^I7
z=?{sfYE_1fX-H^l*zO$r5$58|B=7&OF5UxwuRQQbfb0c`{_TW@gPNM_+6XxP1pWj`
zglwy`p+LpL66*eIB=*~pOh4GISJ-E~`TN`3hqLqbKW=Sg>>}f5(gYHTE_Be9y!Wbk
z#l?I$$U<7ww6xu0k1CB_boCs(*fyDmpyxj`KWE$Y!5ei=mZm{ey^<d$uarKH^Z7sq
zxzUv)#L8fMmT#i9P#QeK7M?KQGk&~?GR?&#>5J?TGscH%62x#btbB8#4kEZ0pl*&P
zKH+GyLJk31jk})}F+xL{ufaX+@~gb80n3cfh#^Ll&kOE1NoZ<{3*tQ1VqPX2GBjlv
zHDS>c=&_F9eG1Hr#cy9;{p}E|JQ|z#IkH73^Aq~S%2ELes7sL)$_klfK|yM&m1dV7
zdj$X<z2@ksZR@WHSEAwmA7Ey?FAF&_{D67wVhbakD~FI}X33_)gb78r>yw(){uiME
zDPfIBLY%zjkx`UzlNcg=T%vG_?jMNt@gh#-!xnzu$;jDxa!I|lb;!ie+a|9lXceH2
zuEh3g`lp}RO8^k-pb3*I2ZOzG%TS;SEiiU~FktJUr_B%^$^=t@NM9BM1?qus)04CL
zE9LwS7g^U!r<&}iG~mt%OGs+(ZDf{KM2o^Fw&V=>cypOVr9>pD+LV#_^t<U7;9{?<
zi-3r(yH<ux7n)&Re#|y0j@e<-Jrl`keRA@?r8MOq{R2^Ad=I^r^#i?KI4Z9F<!}gF
zxeSOI3e_(F0V&a68BW*8p*GUa@PS9@+pluGAzOCMwZQ~mpSN6}>msJ=j&{%2vxSl7
zrTJZ{COM99<MJrWKrzPZX4|acaOhZ=tnq*ZubSFYg9h9`o;>JOl~C}q+1Y;y|HwtY
zTJy{jzM*S3>CRn4*`fxo$x-m4Zu!hlg%0vrtsDv$v^!|T-w8N>aS+2%Pcln8138GS
z57J$8{#N`k!TMgzsF;sweza7!Z@5btF^9RoEAP3_J|_M0W1}ibzhmTZ@Sjydx;ic!
zBk(B0&_ucI)L+oQBr5m{qD*-dF+*j?l9BkyYFglrytEc5`WJs8%Ser0!bj&g3n6u3
zD*MCin`o!d6Cpx+LopbYmD{L<!g)4DVpH!;SqoQ+*D5%`!mM#z7UpE=CWiEc4`k(N
z7*n!0m@n!!Hz&I#{dupIrcA{_l-#uz(|S#g3Y!lSe=Ghr>Y4$$C^FDg2Y2^RHm
zTPZ_cUgbR&T@O9c3#e)TqsGQzOUNFjc&o*}e~q0(u%eRV<Fn?*$m3^kR=LpC*lhX*
zEop66<|_9*TkddS5%RsUQBW;;^taiDYgY|`C#-!&N<?B0hKsl(Hzf_AM^8`D{AHk(
zY0rkt+p6vpJuYMs-3u0v+U5N&*d~&@2*?#ioO~1{!zYC3TPV1*E&0k!Ww<Vd1tV|N
z0zT89_!>gByPWe86P5o7jM11;jD;DUb#9x=(yNq|kW$EieCvQv=`6EwjM_NN*nK>~
z&NS8?f?raMayQ_MbDD19jIxIO{06_7j7)x|c?MnXx7<%vaCnjLX3R<5LM8Q1!zOSu
zxA_;z1L8AD!Ebob&!qq;nU7@5_vAz_CKUzZ)s`33rE9Kc3m4nvVx7XfGBJ$SoyrD^
zcnmL_w(Xj)c)neAEMFy(bro(<Y!pwvnSZ783Z>}hxBRJ<vtfD?I>mMN@Lfzsl$xHv
zFuEfdU`FHv$&$;hm2I_&TGvJyhL_szJ6hdgy6-om_YT{Rfr~{&lOoKw3P~BHD7D@M
z+H>obMXBBNX<!4~f6|XkN91B%{RBBTpWJPXR=Wds?rDO8`)~gUK(%Y3h+nAf`#~WF
zkNv!4lK=4{G_)xcVnOuaBiMhLMx;;*WuBt_n}NfW7@>Q*Uo^e1)fBS&`z<^C%VYz?
zl#;F4?#`5LcQ`bTE(WQHL;2{@)x64+c~NaVwq$1FL;IBa)zKquuh^w8nTTb<sc3ib
zew)s#@m?&H16USxEc_vO0h(R4M$t67dE&4o&d^ZcYxn}1&lw(FTE7v{G`lH<wxKb4
z-%>O1Q&exmmACJ6Xp|NTCOFF77`uz<nv*oAweUmx;2DE_AN;#u_<8yG(3nwWiWj4O
zecqra#Xrlm7s}xBL0Hv&xvg`I)t<X`#DWNsBRpsx`S984y9yU|l1&3`^`LR_Knwf0
zr{@WBL7ON+CEi}JS@y4CIO~0ZOY&Hlw)@Byp+nmg-5sf4%*v$mGbawgB8&4E-mF<x
zV#gHO^GKBFJe$3AF2bmkokW!e4+S<a91X$|%JJm<2fkhpN-<CXW&wiSo^Y!i-IHk7
z@F#(CYnJ%}SHB4Bs$gUhd(;x48=oEA>B<Rn<C77#lHgL=Xhp=NJ@torWt_oI6iORK
z#|)BTQg6OP=^ocmgbbW_87cIwaKD%C4=4E_SiU1EkkJUR1$1E<;$L_OU>+14C`)s<
z|H>d&7y^E1RsL4A7l|4!VD&9(fv@eCpXu*u?IHMUC8|1sKJ~9FcHBfWGpghl>PPx-
zxMh@YWAr63c0Xe>?C+08&_0H653if71>MXlv4jEDB+BX6?UXxO!z3j@3OlP#6p9Ai
zK`K>4>fbR@frhAcFPyQzl~BTm_?)K13$6BxB9O4C@!t`(H2%%mA=u3`NTcnMs->P=
zun>8^Rum(`X2%6Dk36Pjl4awYCMUJ<2*{xcrR@X{s30J8cmNa&2ORiNb18+)wGb_q
z&IRw9Wz){bCo(xZ3!;3%mMQ_P(9x$W235uD+>!qXe+l_vvs2kG#GHhuZSF-1$03;>
z(sty|NuBf=f3HhQr*YWN%8(&EC`M9(%P(Ngo!adHY|MQ?zr6gp)AhTZK9WfE4-^s7
zyr;XP(SVbE!euD~0B4E!A_PO4TvX5tu~3bfYHI8@lR&wt%2zqU-|2o59+}d8VUfuV
zEclDT_kez2l3Ui88xkLOViUTH%%yo|-l@;9QbupT-hZ_Et8Jd(142;D2f~4rTJ-Z}
z;`3!@<@w(7Rj8CcFwAg!lCBc-v+;Qj!*;ElyrAgxuAf5b<q7pLpQtfsWq?&my0Zi7
zTRTPH7uf^CENl={>4G!>^i|uL9d{cuG+fpIl%(UV47-ildr%tRl&rKnkBhCgo&$$B
z&vWVbSAgR;Z#j~44pO7?ClTwmQP&wT2lAycI7;z&=Qr`<Cj}fy6b7!#iiWoh(AST9
z5s?OPK4!FZCH-|O@m+hD<ftZ$AJ(nIv>>ZkPD3s1zF*<$f?HXsufC{YYX_O{-_QwE
z32wy?W`%NaB*YHl0CpV>sW=oR+J(4AzOxs-qqy4syz5V0{je~{m9W~llUZ-gUOPWw
zsb8@h7#bgx6*fjJQogFijrnIO>JK$c*$z<#N=_~W9hpA#1y#OH4u#4XBjbpS8+8jy
zq(l_vT}N%)f4$U*CMg3;a^CuMFt|Cy!bBVYS~p5b`?IAyu2ZA31H!pAm)Av!<V`7v
zKa3I~Z3<cz?CHt#Hz`{{;zx&V8XanuZlWkq`1%BqsF{ZEmM)Saq^>x?%a;X3OC2PA
zIom)l5`rpQxAeT1HgMVC7d*ss;-SpR7c~S&MF==SZNI<ZE^Z{Bs*G;Ujjc^PY;3QD
zg~UI0dL-4j@pV~bWn!Kv4Bl)@+l*ZntZE15ahyx)Sp_$q@*C8*DNBb;K0(tS;tv6b
z1cT<;*%?%e{FnMWP`)!b-k<=~P{ZFT^?8e9kA+omuShES0s&WfK;mHj(S1iS;Pbe;
zf-KZYG;JLm%5Zk1bYLiP54#71uM6{><H3Y&m|kfTXhYS4h@}&_<!b!YvQT#>AFZ=1
zCEsV`?96_indQodHcEV(o=*r*HA%e0d{twOHQ38k;@&-dsA0UQjPU)uli*Oax3WFa
zYXv8=i=y#2%z}=R88$AZ%<uKiJUJ`W`7=GX?S?BG9|{Q|i)_JqCa3|SJLcr0xmpRp
zYvoYycjUJj*UQQQx`sr&!bWAJ)N?_;T1GRgBvw}9bN(l((IKW|_;id!frf>+Pk{o|
zO@(S-^76zzrEu2mQqs|#ChP_4|6+L>vofcN9VJo$^4}j=mbT1!qBuL%JB@tfU{>W6
zhxqfL!*-j~ULH>@C!PhI^mK-%4zADDj{8LRx{j{mJ>r$#Q7{u*3^gbz*#lhu`Hz0}
zj(py^_c%8Nf*L04=T-v22fH8_{{{R_20`dH8{`RYupkB(dACU5E0DcS@O+6`aw-Cv
zgK<|e;d}fKpA}2axcNcU!0=4}tr7I&=aZk8$47@7qpZV<gG?;(qn?+y*EX3CW<&a6
z`IuSv;LpB`yMBJ1B;SAAngRDlHWAuib1&qdRbPNwz(gn*s2)DS<Yd}~$;Ug=14~0w
zL(T_-Q0su5Yo#40c95?h4Tf!+HY5QV;WdBN99-lP4b_`*HP1yl5=AwL-oWlsE#e-;
zUedpPf<~W0^vEX`m*0BHBny%?K!J-7tD8R}C&Fj+M8?J0@AaGIEy8mqJz6>BJ$-h!
z9Pv}$K%3yaw85bgl0xs?1Pn~_Aq)5`)Amf>3((`Bt{|2q_#)~SF9)5T?SD`BWZz8s
zS?rQibarbpZ17urn&3TO;7Eg>G<l4B?Ep<(XnYxU=B_{igDK@CJ@u_tKwnmrDUP)L
zWTMxTK<V2eK&j9a2Y!F_tAs`rY~O&)jscPpX^>qmdW_g3M4kVqwNi<rPkU>W#tsNi
z;Cl~ai3j7iCZm${3%yL47qCo;mfjJ*j!^tK=W&xDsaI~kAv3-X@uo*zf5f4cz5C7b
zvgvOQ$L#1&Y&ab%rbnD7+_F7mkz=!*u|jg1_-Vc0r-B`dDiQn{)i*;N=cJ*#?L2W3
z@pwM-arDZH_x@?a5lap>!@mFEn+h}~&RALMUC7Fq4{<jNVu;aIjLJC!U6hHc8GgzY
z?oypNd<5I4kg$n@!}6-S_6AkP^>M#hd__PI;|0@RynOuLo)~wTm(~R?Sopa{0JAK$
zv!)XAyx%<h_DwSeSrMf0|EjvGsJ7ZD8{C7tYjG=39E!VJaVf4rN^y60YjG{^DNqOw
z#ifLz!6{C0ANtRlhsk4B@^EkN*^;x*`5xjhj-;VW#i&BQ{?L1zlwu{8(j`i~JrO%@
zA=yz<Ud*)xp26?|rm{t<A@926KafL?J_MTKP0PHw?|PaS2bS|Ds8wLd6VtFBLMzI@
z)1^Lt(k{S=S@v33SrhaGdD*1@+qRR3d6@n=DQ%?x7b)o>Ks9BpMqA9;$y^-MjYpWv
z_uD3Xdv*K@8lW73I%^BIzn|Q1c@J{A+=>_V#p*z}|Dc$d+(LDIMroY*fG?%Q#8;V3
z@vW7c=a^gOV(H0w7B8>GX+dRJfM?cn#AsztJ0pVu!gLp?lX+;cJ&U>WE(uGx?Nwe=
zYVjT~5%_W9F7s`48WPMX!VfngJl7_Dcs0i4<qK+O4IIs&&oZa`3`ANMd6@=p2-+Qg
z#TUE}a={Ls#Ex6=@#MV(@t}*KrAaA?)_Aa69dJxV!f~3C3J2BwP2IYolhXtt=7&vP
z^o}M;aFGUz;~dhX8~f*AtNZ$Q-m<{lDK_2z@-7#f#HmIudm$rK$eN}^<GypdvMSsG
zxV0;tH;kI+B6pj1QOP3VVC)R95=kkI%fZ!Egy~Q9`;4AJSBZ=j#v{eWCnD>g)xOx{
zbZUWfWkld)ST=nLj4h8&hb35$9*u2BvL&~dZiRmn11%|gK9WG%6>s<9e-Lp~95%)w
z7FMn0Im019vJi+yH=Mf|Lgy{Vl<A^hmA5`3h<g8XRYg8uS@5!RqI2)YZ>DZFsl|o4
zDb6hPo&{2Lro`A9hyF<k3Htk%>cGJCzUt)b4!sW%QQ2zD#PZLHT98+joTmTgTn4a&
z`MkExoE=;O_opIwaM=ZCz0FMwm<Zp|&c-=1N>>_cn+F#6kOG^-dv~16U}^e3Pp*;-
zBK6a;XoAq@0OcuB_VZ?MqcLK@g+tyV9xKggEo8n#@O#H4na@UXXz=|Db1g_|b_l93
z=`c-wJ<x!VwDE}y_Ann0<_O^>(F_+7zJcvLYK@ggB$<Hk&%Ng|ODW5;61LJ}#Y)9}
zOERx1LLz>M&hWEAd5HaD(pjU*ezxK*HvmgOw7(Da?bqV(2g}BXyE4?4KWVuGgwME7
z&lcG@-Fi64phnx?9%U3m3g4H6=5~DIG2FFuj1lJOi7$HZAf9C{XPU#dIhUf7boI?=
z=hHvas2zav&?%59h&}D=+nLtUKXVyb2raj?_KFMs$s&%zXTs9Imw$o9nuP1(2BH+V
zuYD!_ZblK|^o=GA$N0GCanm<M-sc~F+akP3rLSJ3DqZ2jbchuc>D@BZ-wz66k==uZ
zq7e|n9gR8cJ=VkxaQm7e)*+oD9APLk;W%oh2<kCJ-qzJhSUok30@+v$@RzkkHke*-
zEy~7o1FPCh!gBl<@_Z``@xMIiQ?@<;Pw}qhj|v!M&t&pcoWs4pA4<Bm!5=D^S>fh_
zZA`wr<H^gS=+S3U8nVb?;v9x6f1}dX<|y&=XJ3VVcyG?k7sXz;P9@Dhi(6x$=szh{
zDC)Ysh_94|Muf}_6f=$wo7BGd83pxBT!$x%Z_Xd!Y2m(MV1Znb;oY}DNj%+Nx^)zL
z8&s7Ce4mh`iFtuy@xGrTyLD6)7=*sRYYycfp8XUh(|zHxIqq1NE~SaK{fkqe+VUX`
zsOI7F=1t*?nmxkH!XHNK<9myQhYBJTv0<tGlur7yHRy2(fzY6UeTacsKM)=zZDhD%
zxEByS>583)2{P3*b0RSp7Y;fu-g@J`*3T4`j#n}={OkMV`>NN=X^i#AE{{31_iXt*
zy%MPfHYzi4@p$#KhaWss52Y1i%&-;ljjpaNJzM+|F=7g^d1kvp_m*xy2?^i(x8d`s
z_;*rRy2%(9C!+_gyZ(8mAYZSSb4vpE><A1`@P=5B+=@y}5;m)$KN=1M(`nj%LQL9b
zsZ*d22F#DVG^+HL_Q|$jV`eFB4D(8}FfjFQp;me6ZE(_7^l7Ulb%G(nR#WICpkB9T
z76q9caU#v&EtzCh(~VC?eF9kiU&W6bG?X^>gyr?n!s{aH(_p``uLF$DGk64vR@Xdu
zbhKC=*R~auf$E)hrtZL_Y|7ynG9>)l*3sUGfe~-FCv<s48kD|MRUjv0WPaG;IcPE-
zYz|&cEwQ2igUP7cg`5y(;miZ+mZe!^=a-1cjNiGbe{xSQ`M9^49X{YMB=5AijfqWm
zwr#*vC(K9bh;v5AK^q=wO`0ulT9KVo5&LgLe}CJbb*wO^l|Em*%k`1CH`TL^_>B0>
zV98P7`!ZzzVFu+UWlj8`zSteU(ErN<*r(}JDE2mT7;K3*UNQU~@%EiqsIQ(}G~3hN
z5_WgOPlF5!9$~W^bB9<P(#@QpE%S0?*%x<LuV!MzSS#x^dd>OHf`p$mZrz;miTmg1
z;HW99=lkS4Iw$JrB+0W~B;~cS#1<*bX^5}x^jHw<62@lk>Im=%S=rOzweSQVEfu&Y
zJj}kT41)+&G{U41=B8Hd-kpB{q0zF4JC>V7nXE~xqfwh=b9$9A_S3EP1_wmlzBTa?
z3MOJn!#k{*r(+cBnG0Drn)}Pr9_46666Lw(6BqZ`!P4o>Blc>-G(6JQJhal4V_I@B
zw-Znijy4GqrsVdYeZcoUSB>8`w>4JL=>55*s$-<*v<G^rKLOv;;zAQfQ~9l!LaeL^
zI!L;UI^)o)EGA{Q_!2y&!S&@HgGia685x7`ZLe$!)bI#iNbK~AOhwCPlJy)Hk?epf
z#ynv0h@0f)O6=7TqeEC<A+M<N2vTNH<G~b7J!px<DXv=FEc5LiOw~qUalE8wTdwrY
zEUcLB=8)m9NQ|b}jx}Y490GTUt(7>sul45vVXErH^(GE{ZOWu8qQhz}bdae<nx0=*
zGNhTGYx{WP&#~30l3J)jFPX*rkd;Qh0QD~s9;;HWno{2~rNg^Pviu~r7H#NXAq;E1
z@#XV2^u-XZO5*_frv7@cx`PYfu9yDuStZ`b)V*d7-so#MY>9{o!QJojNl4`{I=1k^
zR1@ZSB%BR>&z!AtNbcs%A?BB~vCaE&FXa0+7k!rSWD<GtI@_7iDQWU_@mNv+Tr9PY
z1cv%okBdx<H)j$2TH=>i)~RWJ($PzrxRkBLFsaSc2acxD-Ww<X9tuh%?;wIkFCPCZ
zgAA?PR)q$|XpX;64v*i!B@Ott>~oNtYFxS({zaiibpd;{VczqCL(oMxH`S)pgpr2Z
zrmx22?<@pP6k@!fU$6^=5X5PCS-oB!RsRApB0!+4`v6kZsc7OX{HM(bd+}oiI8$P+
zrFN?v<Zdyx(CKpq#vuOPZ;8+*6@*tO+==eezFp|X?w-&!kI4KTGQ}T5_HRIT-`bAi
zmAav%?s7c3W{Hc&pb5NDRv?u3{4RQt!+d>aV~MFd-Yk&)_-77ef(ZqG;QCe+sOAt^
z$~b)7mPgJ|kLc1a#7b+Cho~q~LHZ$VLf`jZ*wfh<Ys&Qm#}3@b%0|oRtg*{ab5djE
z-<_^C!k0zIako}lX)#^;zVM>>MTh=H{Z#;FBr|{b+N`>c-COc1EZR9fC&oz1D?P@L
zpp}jMNg=>g9EEt{_s`-_ORxW-v@zB1MHKiD;oO@W|1{#kjrM?4`39+<mxH|F`(Ado
ztSOh!bNp#|(tV$ez!^8NWA&PTL;BrOXK?@MljKa4(oCZ%rdYhN@!4($M7j&1JjtK<
z0=UOROGu>nelxyUWibw@>V;&Umic*F1^CLd<o8QHP-zNchxZ#Tt@~#r4~bLoRQ(eV
zc;Y~$jOk_`YR|2ydEHki(c<&R?z9a=m82VB<uGzeYWMPUqx~ZajUC~>3P_adn7R?X
zn(LTIA$r7>T;f#?r#df{qO`qQ*HD^SQ(#46!R}_u4cA8ZJ8TxceJJ6z3qVxp;x&ix
z{o&`wLMXR~@LqZMKNgU_3hKpk3s0+ZlQ!AYMu-=VZ_tStQ|atvGP?Z?p0qJ}3G8?P
zr!3f6ZL-_Ap3-ag4*X_MV6G7Q6~}VJeT9Rp+67+B$;0ivv{6<XVC$`UeQ+Y;+D8LM
zMglvN4smU_MOmjAH;O^^uf&R4ydinIu{EUzHE}a{mg-L=S!g?x-aBD{7J2ac$4b5z
zC*gmZSGYbdV)y5Ou-b(4=6u)MqzNOw0V9%t@FYGm_dEhtKumBHV`-lNTchfjO+9il
zxivw@DQhG^#8mU!l*m;p(f3()neOU0m&e$+EQ_3+rQ#KF<r|YgIv$R>;Ju{*z?>iI
z)E$&%snvnlW>oN}!#g*PIIVe)#yksz_2w7m>gq~C0hWN1?BoUx{F3QG!M}dCm&|1i
zYRc>aLaa<MVWQm<K-&9v?V<puIXv$}Ov0@*6LS5zedggl?TjqUo-CHw)Lw7r*AmCc
z|Gb8;wfQN>vX=azU@t69@{eB~?$|)q-B~3Gi)6)ZjW)XgDf`?&R@_$5J2sN%?sb9C
zv5McIVnzI^GJ-l=gz+RdtNEkE;!V^5l=VdOIE7>Gm<#lLs|^YLEqzKRV}(aA<@n@j
zdO3xM!1x!BPTd0R;>6k1EhtkI9Bi3Ae7yt56@wwF2gS}*VG<^UsN>3oqXgF@Kswv>
z$uvBP=;R;42Y%?Pluh0XCkTeDwet+B1o**2)+kPGh&`^p6wa=!Wm2%3<(q$PsZIp{
zgMgupI80z&(IF%LtCKZj;u^MXwfgq&BIrq}v6pfz91QMg8=k*E_$r{+@Wu{wP~4MH
z|6X(y;lb>Ol;t;xw*gmann%P&Rkf&Jc*}-s0Wx(7)o*G45N3hnFg_A~n0P~W;CF%?
zO%^>Mt{EGi92Ww$w|vZg7{82gofK4Rli;w-MHXESw>5et)Vk*j2`{UGGWab#m1+G!
zM%MS1!&^f!fk$30ZA4<v+sOI{HAki9uezfs>9;@vvM=@L>pX*BWjc$yn0Z}G)<;H6
zswOwtQyhe=Q>+~1A)J4m#_8&_<eUeQh(>_}M@s~XzjWRFm2R``Q#MzYSFIH7ynp)d
zd*j(FQT|9t7tZ}g&uzjQkzuM_s^hsvcK>xC$9eJ$XV2WYkDJB4A+GX_IdROxjpu-f
zwsk`B*4+3SuK=m*>sjLj8~bJxi1Ts~2-l*JLoo7<a@|Ux5ZaTZU8W^zoV-lWh6M0U
zQsrANIh9j5c38F{)OsSVipaEp;bh-YE(C|7ePpDskRS9;w(Fk`ML}D6;p+`MY|X+z
zqa_4uz*3DfjG0kcXu};A+R_fk&HTQp%mq7>HmKmY*+bgK7qZ}nc`fpGso|D;ta0a5
zjwHJXqi~X}eo2W{k%3RC^K|2Amur?hBEwHyEFU?pt0EGyYD%hKiRL5BVqxy%Q4!9j
z5JR|U&PkTm2JM1c401Zv*B=F}Bq1N0Q~UXXeNcL7*+^Y7S(G@<bC~LwXqjew;3rJk
zGi$9HC%Xb!b0Dj}!zh0a)+$kiPu`IVLOEw%f1id<94&{saV9o6q{X(FyX4%MA3SZP
zeN1ePO6chv?eAiOUANHT?0ziT5VrkR^G6(s(G`KLEk|hX_crs{j<7{8N!kWeu%(>R
z{Jm^lM8TH<NTSAcZKgXE_UNmK#>%&FbUb@eV$`WZd+VHg8z->uz|T4$T1}8Ikga>m
zt(AThvwyL%ov&hten6FouwqJI35t?wZ(h2!w<ZPKma-%zHW(BN*NGNIX-+&eGEw|D
z3|d?%C^|ee$S`m_-WrY(v#cAdss(9MF;;!m%<u~F-#;+Hq%3*QKw{)yJiA?+r6P->
zrY^Qj=n3&}9|HYSD>a}`!u?Oe5%y%aqSRDZqO3?O?D#d7cn;lWiHUe|O`#jZPnjz$
z{Qzh))Q9@@TZb-Tsc4u8#AaOb_2TtDqvu;L2<2vRTo=RfI9o4kE*T-ijoMzN8O~(4
zQ=Zh3nYt7bP{gb|0jwL|b;4jX$JkI`rR`U#e(IIjMTb0`HEPwmPf~ctL#NPB#FOux
z-r_pes_O3-a+Ts>-U)y9hfrKDU|n$2_EmWNC}PT}_Mxxm{{zkShSvyR;MtVYa$j+A
zM=j$<Gd89ob<RkqXg3lL!Q!XhwPVve^rnXnT?q=Jv95gz`}aq<)yu~rDMp5qHj(p9
zV+CQ!q&;yay9R3#Fv%>z-S@$W0lM0T8EvsdXG@~*Bv;&5&xVR+8oY{@sBao<yv&P`
z0CT0g-VfFGIN9^upQj>BSY;;&s(LWc>d0A*6}X>V)m5X&BH`NC_CJ&p`PRIf$QCaH
z>nJEkmeLf~4kZ5JIdjGnTccU~R%dK`^ajcKa`f23ilT$$QqXH6e88~hG~!c6JUnsp
z$T8zZi#db;ysF!JBRBQuuU0|%@f~EI9{$N}H3PiA&lPMC>eC)V&|;#%c9PJLIsROw
zVR1%+hmUzoy9n4@z`3ZZ#B$cFQieg$-J4qMV+X3{Plrf#32`Yen+<)AzdmV_Aop7A
zQRbNuNN2w58-~2uC{gz4{8Yhyxr8{qXD@y!9F(7~wfK=RQ!z%VMds)GcR<xnusC&1
zvpccG*6(bYRf*=PGReHNgv6yPa=0S-w4IVdzxg#sMz15eFK<hCfR(`M@89gdJ%-p^
zundN;V3E4bV3KpI6%Q-lhr>BAFK42S@p+$M&ISK+x6h7*>*v1a{G9I_aPXqP#IKc=
z{_XBv)&7)JYQKzKMND$jZ)Mb~vs5Z8vPFD(<GgN>OtfKv4TG1*&og9wdG?y6n-3FT
z4bw5ia_s`9qQ=T(zTis!Ad<!eAW#kpeGdEaw!Y-q@Z6w3c%fQ6xPdV1^Wtv8^kyd!
zr~Jn6FBrk)?56@E4R_3*AbxRb&Q3+;6=z<z86F~KxG|Z%7Vm_?RP-AoJikJ##=19q
z*4+pMR$iTSAwzta#_<T_$b0fJEJ!t}@NpcBVg}_Qcg&C)Y0(cR37<35HTZ{J_N|sY
zoK#IgHJg+@<$<T_Ytw}A(+}QxxLgeN*I#M-A%pt~n_OnBRRn)i={ZPdLyIauBfNQ2
zzjt2aOh~zW?Z0i&u7>_SjHIiiD#%v*QPCoTYvh5M8*!)=k6=;PQPUwQ{gb#Kb)`O1
zI>krchye^u;@p@%$}enOX8$l2p7=TK*Q$}gBYRF~fVOe<*N7+;Dx`77uhv7mpH)bx
z>{)m8k6I$s2;7vZLtMKldFC>`P5#InD!JBEP&6hsR~5m>q4Fm!D;bFX^?61+QE(8w
z1c%juVL_*hGjc#0(63QeD$odH924+((2VNr8nBG3!UXsB338c~^1m(y9iD$@xj}V>
z`@B4dPiKEtak_2Uc-t2e8VLq5BV()KEn~1h*@qq#Js+yIl{baZ$74(2z|%MRG)Eu?
zKZC^*ogs*dhE1n&Gh3;WH-L5|$Rpj5I7^_IiAaz5D}h*R!5b|>bdQi;==^GAY#bU8
z+5b6xGb^yZz9yZTpRxaOagk^bml@a)$HkoxK${D(fV=fN*nGa}YQtGrz~&kXFN}&g
zhPcCQf0`>li3#SSIPj=N0nJBPk~=n2Q9nAm8vF(ad+~WN^M%qXlK9;0*1AZ=-h@dC
zaOfJkQeYW*b&9}jd<WnsVQwDWyyhxhR^ZX5jR$D>%Ql$!vumcN5<#n^?q=54Pap+_
z>oK5M=m2V96N|+Qn)@X9J1_-IlF+^=2Gx%f&zyH{<#yBB=~a~BIb1DmKe*5UN<g*0
z7#h(`I+a;6=yyIu6`p<X3!pJJ!4NEx(caOo>z&febC+j&6oKe4aESd}>C_)tC&5QM
z{&(J3W-D!bRHscjCW)%~DrG=KW%=akrlFC;1;$Ykj6#hIk(s0XTZonOd_6+jR$F>z
zk!Jf4DHo9kHKD}dOCqCMlS1>LxCN7O^j0j_v_cxl0y~DRZDqOR*NYr#rbrR)gL03C
zHEBTUz7=~iizQjhTVYKRrlmy?Mcud|sQ#OV^)Wr>dPY%kr_ha8r3;5EE$Kbn;#IB7
zbqZl0b#N=IgB8k8(DscG*2NLvl6=0?KLVy&^`oyKJW{99sZg#Nos>h~2X$i**$#@y
z&Pbl(p=bxc5(#|MVZG%(Z*P+gtXcYkpl`5R-78M9WP@%RMoq$gtT~EqISlAIPKSJ*
zx4IoA;nhV9P%lgq67E0%kl>*YOJiqcCW8xv&AXY@q>%4fE2}IZ=TMVT#9I+0%pumQ
zNGn<zdO3Nmu0o=RXLD)U_tlBi&ml`WPG8&-;O7(M>I{$!U#~X!jD+?&Ejk6z-$1iM
zXH4R5c|mWHwx~hELQs=k$W7D8tkA_M0BVO`m6C7Mu#$^nUsn~Bwhj^#N4SUpWfQD8
zF)@o;*o0!M!YPY9hKBF<pJeMUauS!?<#(XpzMwQcTaN5z(_1n&#*+sR2Mk7P6UVMC
zHMOh>_uumln)WW~d_OKngI0naf!W<QN&|)VjqnQ=^neoKe#~R+Biz#O+_PD)nHDxb
zc|^PZ6x^nsYH+Spu*%n)$M!(!@9-P!U3otiJXCAmqOI<<Q(IIZePhPIZuEZo@IWm>
z{+5P?(pR^XNRoH$Kg*iqzl6`M*5Z6@GfxAGEiW26vogawh*|2}ciTPf%yl70>F*t3
zTTT4^ZeX>!Tlj9|Rt`+kzV%`&fVI99QK_^mmw$?^2whNHSfi)G*YAw5iBzqZheRE!
zZiz}SIR@fSh-Va1Yb3DA65?qcx=VFK83OF?@9UD1&NZvQG%Et`>S9hLsYXj))YT^4
z^y?-fGOTQBvqi!p^iqp<HSSRbj#?VRf_oD_I6fqhCEE=A^TAPFui&HjTBl2iZssd}
zypDa3>muU2b?8KC*bA<=2(%2H3p#U=ji4sC$yhLA5sTm{I4BHmdyk!7RWH-y&u$tx
zTZjkh7(SfirK<Sw89tfQZA5?B*s-v^hpq&@ED}iePmp?#3$Sh?03ML=PjDN&Owj>p
zq9-O|5Ti(#oVajSj9^_+bfwEe6Ah@RMVso&iYKjmReFdAA;2vy^Cuxd%la5_S2uH^
z$W&I2&iaxP^>8U{MAbI4eX?zxDUx9`E@EeuCsohSmfnKC@o3aH>NiCXP1DUj1nDMC
zCq}xOUh{u~x3JcbqVmFb3lx$D-T8mj73>d<js1#{VbFI5HEM0UrPtS6IY+ybs_gzA
zuD#8YW|<4vB+z#YM`dAR^tq{)f$de^e((>pyX;iK_j^G~#*pE8K$CeJ;{0#%{p}F0
zZl$a39OFxmgaFqvRNpOuyAXPpQc1;7=ZB^>+&+f`3z}Kl8*_LeNze}r-rnq&qE^4B
zEiQW@*Zvix=Oi)W8;DSg$5SK7!(Ae?E{)P(?5ftX4lK;rOj%MNoa@5TtrdJoS3Br8
zwdWp=HQn)wiD20`3S~#}_1LcBp#~p*g`^Mhzdz|0(#@BAf~HuHV6Km3Wi8#3&{*Et
z$rnpg&4_6#^NP?iB5Qo$HS7GnGCE+pkEOl%H|CG0l54~gXz&wSbkJtEVO?`ALq+cz
ziCIJ_dnkvZ7zpsd%GxiAYuhi5?`J%s$S#h?75o1c)qM;M3O7y4rnRv;OAyn<h7J_W
zt1CN`8`&E~a`)~YGoB%k=%RBSVg3G@z9w)-4ud`PlqyTsvuj+m5=VHUYc{aN|C>h#
zt3*GO=B{EH&o92G$Jqw_XDqF~faYdrYgvc;bP>?qQwgYms%t2|32z5$!{^PK5vFoS
zH{^So!^(e4SLj9rhk%KakS?jL$cvrT328Zg2Z1nnNv(KGZyT!%&#um5a_9Y(+ky8W
z+UjFPfhAl+AAbnV1H}El+ysoW9E3w1v*M0n#!0#wp>`s-CzMJ#mH`~x+@Ptbf~J4*
zkSjaT_rgs-h9ZIp2Wf)(-%^#Tf$QvrNnoVy^t0A<IHtT`Lw_(&QgJBQfB3Q;WX725
z)dEHRP>S?p-t#K$&dbW0$2=2Z%5WKXs6AbYGxTr`ytmD!MjbT#&pe6F@E=^_?u)iH
zbj-jzD)R7Hku1#UVOBOSCmBX#3zjz=SQu^0^yD;z11F9mi1PoLXL?cqY#K2u0%qOA
zgxMzOZXqGAp`oeaA!uR}I|~j><sIzK^X&itU;+db;qMQMh3uUAmvp-_bRf%~Rjt3J
zFV_QSVxB&)TG#IWHP7QS`cJ>TS$<!@|1C#E;h!9l)1Eqwzh!`5gUb${xCo5F#{DI!
zg@=e2r632EvR&w}jr#5;N#Q=UOV<kg{i|Yq^+soD-u0SSi2jz=;^!^mi$nBjExL;L
zw>}sDlf*OcXVm<+oSAKe-0<1!;6!Zvztt=5OD@cVt?C@{x6~KxKLh>$Z}k6LjY3OA
zd#}p04_W`$e0#tKOybD#A$G|q>}05F|EOK9eX8X7I(;8cc<he<-BB2WcEIUkm&}YA
zZKHvYE9v&u8j-;4eOoYnRw-s&xKY<S@KAY4LGaGQlYtRsVBc?!7NNhGW0kPHf{b}P
zlAtmj?EuZ=a!Cb7pS%%Ec1(^P0ax_9>9QGQFPBm-j)~xfvvHMAy-=j&(+Gl;GI!x|
z?>>((QO%E$NSv?v<K^j`2&)wBGv0!%?j{aN$?9Wx*(k!gn|nPI2m<zCqbv6!0{2py
z$)Ld^k&5nq*<PrKe*xQ$@uy{YB1aIYi;#A(<ymgRtXz@>!}f)+j==hyt6SIMw0InI
zO6Y6kJ{y?j(4g4ZIg+I`uuXJ(8RdFdag`vO8rHP-yqh7{xF*r{@1E?}F-B@wYRV<l
zTn>r?$pmGN^2JI;AV*I*dEyL#vNi|Ipl)KV-yQ&hm>0v+#Q^LoaPuW;U=ki}Vcmmf
z7VH37k6ODs9a&rqB^5!yqPjhZx#4uWA=%g@{|fgO>~UYW(h5DJcD%&2QiD)c-fwfc
z;YrS>hX7l;u&>)YT>`1RdTS~d%EE`q)$F7`!B<wsW`;tHXvmw)*Wx^<q?OFYuMv-1
zAdhk4GNzhSFKA?EU^(zIuLtQerea~^_+}^{`i*QtT;1G(Hjc-UCOje*|NF?88us%|
zyG`K)N(qx^a=evKF3vtgeF26F>%2@-O?})`n^cyhVTu&<&YW&Mej|Tb6$ML#B&_s0
zNqH8mo}!pnl*b;g4jnH-C)b=mFFvGA)U0%-e81{6NCBn4b<BWme1p(t{l_GF8knec
zlELcuW_c2Wkc?KcF?ri>{gD(9vBH+p-%4CkvV{y~7EL8TQiYQ5`}9bxikj8w94ofU
zrnwhO(r5z8#<LFPbF1}LkMd66cKUuzr0Y4PIpKjN{3}%w?9VE4{Sl@1Khi#>dhh{Q
zeQvH!YKxy{z2<Q0Tm4%2hVSM+Je91Qh-xn#JhGU&JC@eC)r{VDS5O6ZYDTE1r~nU8
zgyx(cX-ZUPf3C{NP<xBB<)esD4*jwxdW#VoY<n;>!$ehl7TaE5$rx!pP>P*m7px+6
zjxs|af(D*A*Fd6UG;3vae!H?dQc}2DJ02(IVkW+Rbt!xg%nLs?vSGms7F&eY$UuNP
zqd%|LLEaxp98&B$a5OVypf+a`+^GvCI9gQCoUCETRyb}#FJjh^RAHQ#Y<!wmp-Y4)
zl``u+^AFd{w%3aCNH&{VA?I*Du67#>!-=Bu5O&duQcJYswYojPcXP5TV$hOb71SN8
z6l+tbJCGwzGAO5Dq2VU(6{5S3JK&jA7Gei!&DA$uKwTuHvy&eGn*J!A(<`4`jy$gm
z@m9{b-}o(GKN|10c7V0i+-hsOpSx)C7&)$ZBuZW>Uao&~R=kAdru;-8)XI8p<WM&K
zTO_-KR3tpAi9siyDmVivZuAc*?hx}O4`wl|qx>(e0|$|6Gh-FCNEP860!5o~Tyn(W
zR5=~m#+UqHo&(Mm0S87es6rlWrWSFS!+;{t30$XT9BQ)T9PwJETz{6-q{LmrUdD<9
zE(tYKJ2$Q@gXLfr>u0GL`EzdkX<R)bs!beEzP|zKx1t0Yo5T@7`E3wkH5Jnk{gGe&
zeEfw;s)WU9N8xvg`j1;70+rJ!v*noEN(*l&R8D_X{ne~F3t6|D>Lt|v!NjUE^sC5r
z<=442{U82nX>;m?tCfnEpV`P^leON4*z_ryD1nSiUML0UcF4g%=Jk|bC<0M~L+}EN
ziV0#tQAGaiDP{XfN=))w7U78o=ZCu|Z)VIlwUD7jey;T9t$WwTUFwjNQ(K`E_Dy3Z
zX@>hMhdrnQU1#Pn6q)Nqt2&)rA56N;|I*X(KMFjY!$SWDEr5G?PX%;)32F&Oe$S;u
zcD=_pt5CDrY<)E|QMMfvG<+;*91S4^h575wbkW}HH&slAWC4`D&%?`m^M`>++FfO9
z_&DxpEYuJpIGNR!{XukmF(cS_ZT-+%^hBoGl-gnCtb<{!Jyf#jqY;X&MCq6dlJgP_
zL$LSL<2`1%<(<`5k$EdVuP%cAJVDF0P7ZcTqTVHPrg%|IZH#EV8`sVUtI*Jk;S+Sl
zu2BcEIGDJx=pen=>*t^!9sS3*CfY7PZNylef2iR&&{lfg+s`rFvg`%RkFOyA#6fpH
zc}Zu~B6p?zyN@ApEpH}FI4T5!=+s~20*E9L!ft)392C=?#U`Ui<ac}-VJ7LButoV+
zyH&-GW}qz$SJWsc()cVR>&O}H#~@@Lenj5kO~RDLhxKCASSBY;(_KT6^f4q|brW=p
z;2P<E)!dWwR^4tR7u7gtc99uvuF9WJ{Y@sZZLFEuKTFw)THQYsxG0k5xTY<Lpq;$)
zu2cD?a|zDL3-*h+pE5nys3)0-5@bln7wSBRJnOMobmA`9Rl7g5R2wDd+KtCZD8*@Y
zo+(YrN%^k)3pu1gwS-ADZzlHf=hUl*_86Nr(<ae?U5pXt|CRN7{EzOMie?l0A1Uj+
zF4z=ek2IVHB%~wba#=edg_zwveLvu0ZEDv#O?HBDwqWkaPjERBtYcN6j^1r3x##s0
zD7}0w^|TdJqYcyKoj;qj5J`wcSoQoLf%dqkY9#DFd>=-f5MGUnoD_u><LkJawemAi
z?dvRh;!~)250r3~DOC}?Z0fy-1r#mz7ongzX_#Cf;U!_hvOXD{SRV0paA+&>bg1Ld
zl4GF_*?w5G#urO+;=Zp6&3H+U3t4Pg6(*Vg6opyZ@KCF+EhDk@t5s`EN6Z6G;A{69
zP?igBJuHe&eSb_1XvyMVrzb;*7O($_!l371GC7v=x-(A1Kx{$|%cRW(qBw3}X}C0L
z=Te@wWUM+g$hckMpM`m_h$2wl_j4JAz14Oca)Ys8;?{JKoo6q|CCJ*8d5&)KejJx<
zt%zZm(kX))+#+UQCIKTq>BF|}__yV|WlSdTu~MU5q0xZDGIt}}Au30q{rVB&%gD)K
zKy0;^gu^Vs`@A?RhN3qkaS*~XV_qYlSrD2Mn!U!rUe4wh`b1F$By1vIC(ep_K}+4I
ziT!Pi<$;Pr)ko3~5U~<^wn_D9qlF(>CY_JwmJBSCXn{cdiM#&-Wu7vBkad^I1jc_Y
z;5I_tV=9}`JURsx6vKTC-KP(h*4*Q>3pV`Y`Y=pLhQPr>oroJ4eUTp$wjArU2~&WO
zC#td;n&dS%OPe75$PM;gqx(IGQTz|XmegI;PhAHBYnKoeOJDev3>luYAPFq(=D4VA
zDW+vhzciatc{8EP<=O_l1kUC3y(25aBm7J;!g0gP#K`YosyM|f;+P(W*W5k;&jo$U
zNAf=W->i&j;7si34xTI~*xT+9>)3U`i%BYx5+c0u$?vpYvQ^oSChe}PL`J>jwO21n
zi%h<nW+}7?ZB7#^Ng|lkL)^+rrc6D2evbF34XMam;RN12a>gIb<Eg<)mc#b@HS}Gd
zCaaN25EAWGgCIQZ&0fgqLo9?};eJ0v%)P3RR4Y8)(V`jIxEUgO4m%IyW?1BDrD`PA
zXKbcbp`ig)%CnWK2@j9r5TSNcQRtnsVcLzy=w%XR=&!!5p0<yyx?{GUQ7jzF03iJf
z6HxrI1$QBditzr0d0AtC+nNShzsQ{5617B8r?cI;a3+jZC$f!V5cQIB4U(cv;-i}w
z6rYv1NwK>?tqH=isGc@yy8~Z+3-#=31tQ8|6UEg-qQljVfYd`!)Fp2vBJkr82_s~p
zH0ug)!vXv|se)S-=kLwk`W1u3%*;M#2zT%Fyk#vdBJh0l=v!*iAt;lmnK|@F4D_^N
zS9#u?(=rzi2joywn?(~8@a8%9c5ds447TL;B=p^9E)QBehZ01W0s=jvS0GmIN;dRU
zb8nHzggb!1_7B~~6%sl*ugKrChV^#!PZMqDZC8w;I)1MmI>%gT5!+z5o%{wb1((Ac
z7`L3kYnNvAP)b6DxJK0T2^=-P>x_Rb*=W}t)TL5W(nR!Ru@2ELb%sfB;rGK9jBZ<6
z$s9$HP%i82pV-FHNok+lJ56>9P|r%FQqE;NYuYv(HLCR+W6naZ!xMWVSWffYKvp12
zY79CBPJBd&fB=2@g#*)OS%;56Gx#icNa%l$-GowI>NRE<gR;6e;rTe<uG(u34XR*Y
zc-J-FhXF;WJh^3<Y!Uj}vZAB5uV-Qrq1Ot2lIGgt*~NhOk8RTO$Ib~Z|D78BU(^xH
zz)hD^3WKS#=I89xpi9tA9$2b@a1~Y)2>5Ml1$<*1HEPK}+Fr>i7SZ`yw6%}?M+a$;
z(>AY@EUVCW$9u_k_GQzWH?hnB&nYB$0l?vz&ml2MU?r&T_$r2L;^_<q+RjbV<l`C)
zjkKqxZQ+-$>xlKEBk(jDQ&mih7Sole=}cnAGqVBi?cLHsQ1-o)@4*x<>nLO|F%ahX
zAHBT|vZJ^<I-btQ-hoiR<|5CBM?OWfy&mVyS}m|v8^+^A5@`X_SM?c$$z||cW7J_J
z!V>kge8%3ui&pO`&I|oR2Z>pT5|oKtQ0;^j6UH7B<C}*!iwKq;D^<IkiAIG?bUe2Y
z)_~4p391rQ<|n6G3UgPAGOMOzR9#t2h553LA>@i)D9KGoi@(s85V0JY-6hYU8({S8
z7pm*B#%n)sJQrank8CE3z}V?aq>v$$)an{VFDzI6sP^A70X58~9g9*giYun{?@I9~
zy$qMBI-v?0Z9`$7sCpYulCj>CGaPm`TyN4AATKxyj_XKZ)ytZmYwDx^5nBtqW6?RC
z3FN=P%Rl52Rp7TC|7ES>5af3EovxwwSNTz|>W6CT1L#7og@oU%C@hC<G65&4-nS&n
zlPGPaZ<faVUah(%cj*HCM$QsSWaq(A9>-&|fJL)OFfi|F^PYYhMN<P5G}P`cc@j~c
zcGJ>;e$91532aOjwS*i9{R3{d(xW_nk0#re{X{T2FGF1sgLbX5sI{ZzTJ=`jDpvNc
zvD8{lGfy$l6Q-(x7{aR-l7f*Pd{@-}$x0mViZ2uKBd{nXE46UU%pHeX1;D_ga|C=%
z{NM-V9mbrql9@r1ZW;p!8*xI;uy-)X?(exIqU6E?UMikW7p}tApV~Mst7m-mNu^Rg
zw<p@2FPs&DbBQTSeXx5XIZ3JfoT>M%d|O3D6Xysk{7TUjCQ$y$lx}K9F~9D3$r9|X
zpy4x<jj%;Tf=TK=`xc3l_#We>*c?0ivG5m@atsAPA5l4FgWyYt-IdD({8FXi6L<+U
z+`!9W&<X*ZKA>LJ6XOej<xx~XUzL9Gf8h6o5SdnyIae1nH<~NWpejH-HKA8U63_oj
zL8^eu4&Fctqw@b3O9%>J8wZG^RfL{OGshq6!{|~$sOY$jC)v;dVEq%e;aqiC_@yp-
z2NYBf6)#dyGJ}4L&FKloVBC;s@S%_YEo~!@XGu%2v<!h59q}RhO#`*pfXL=_j5O&r
zfY3<iqrq{ccME&%Nc{;it`byMed!_shm5`9VV*`ifw&aaRSpV%v;XOpmh`j4vBIpB
zvOT8+$YI22Y?roHm3~!uBpBz3kB)OaM`&49fXYM7$~JKDiwaykUzFKBz^Eyc=hvvm
z#tO})qRbtYOmU@^ugN@=8N<aR;Icw?wOunF-OwI@-m+Jrg&IrCpYgYi{7P7T6?avi
zFEwG%k}9n~GLaa=AzDTIK5lbA-{L(ABjM20&43%s91cr?his@lqLt!Nv%cw-SYa)J
zOh)^z%Lx^??r*L`0B$;BdK8+FY|k<(k3ZV}$~h2Vwo^h0A+ApgwgTHRGLWO#0XNv}
z8W`dbi*~l0qimyhoa>tn1ZWx%WllLVB|yRbWgPdf!)&q0t5LQ8aUci<uG&9K7I#q5
z``u=$Bm7i7Z~qNV0RH(Bjo-{hsyn6Ua3H~!Yur@AkNH~xwk8Ay@IWbKKi26<4$rAA
zciGlqLD<Pra`hPN9P1uYj?fn%=%U)Xd(IZV)XsbH{#+lo9Zv!HSEdy#sp%=kSYmfl
zayq{~aaulRcwrWZ|D0kP&mNlkvSO>nBp=-%m>^J6K|(qu<-opC>;B-p6o8ZzA53NK
z4=a7FG8JcX+A~)FqNf%fOsgS&p0;Ant3rcG3bCw}kYw@7S=7cj*~-bfh!Imrs-KUd
za@2&-N+^vHmm$^TiASHT9UNEc&4BBq8Rk3D9#&F?>^hpiu65_ppG8(bv6zdKnA#uv
z@Q*T#lAV?Oj5Znv&p<XAbM)U7gdoVsmrEdy&E^=5mPr~zLSMrJ9W*oD?GcG4$|jxW
zJVDj?`}GaX+*Hi&|KJB8C6wr8v2Uxjg0t!n5=)ieuU!9ZE{=bURN<7+)c?Ut^bBmN
z0_b&pv|>z`i#xad46g<R;h5k%N-XLVf-P6)9usf9G<fkpd3Epr%FuEA4VeFWs)|G0
z)ABFhQrzDdgIq=bY-%ApsZoEWA_{?!9X!$7sfhktX^#M)A{{62u;pJ*d$}b4bO;W}
z#Obf4IEcC7yLha|1b=1c)caGhJ34FmUrTRde<(r2_0nPfm3IjaDK~t!zef%GZ>7E=
z|Cl)7(W`$YL2^(1vr*uHPM!Uo-inYHrC-2yLin%5sr~<)p3>SXi~Ozh|DAkzQ3^u*
z>e>HF^#u1v0ypqj^?w!K11&&5MF#iDF8Sa4`$xRIJvX~sg*b)=sDG{gpRs-*J^lZS
z`2UART=svrdjCtj#zxGDH#mOJD%daj{dC8NT3jXvmnnx8>sc{|_atys<kg@18JHAh
zm`)C#PhYJD!9?UbY~q>lNKfCJ92``1kb_+xr_v%YGl@rh-ATsf_e~9r-^cZvP(?5b
zER9vQhdMbIE$4T)rb(jEtVs0=3udr6<lmp==UFTUg6<pD*IhMDc}9oH9UL^%eEJKG
zX4__)n*NnwpMWbaU0dJtn8iZDAnOc@H{tP%S^{WKN69TprSzd^OMtNA%44;~$9%=9
zLI2LB{Ad2mT7($;GDAnq@rA{~lL>y;E@{>8FT_-3U}2%>Rs?>3JQab=hnN%(lbxG*
zu>C<GA1}eB`H~g(+aLDZohnj2Wg1cF6gTyUPHhq99tgbwwRT#A@LFAWeHAfFScqr7
z381DgCsn&~pPEugZIRIw;b941ZHpXH;d#cU+vtUjC4Jgma%WD2W?HOzq3*<{h6qF)
zZO%7>X~cyZS^E0_CTDGlKMSH7I~`!HhFS^Q=#t&$ZsywgxZilUP{t*jv_kP-o)O9e
zVIU5|_gWG9SQ$sWKBzSWe^^iim;wVPbwDV{yOj<tm?S-^gMu8i44w#!rXnyL017;6
zHKLP!XYW8^97Z=<6T<^FiYl1CCE8MqkqSY6q2l&5T9P?Y&H+#@4Vv0H{ND)(-5LJO
zp-wkPQ2q7Ha`ZEj?>z=Z=-cW&pS&jb8P1R9=VIC9797{ahQ_ALb!X3sgI&E{JT2Iy
zh$eLL06f)_Posf59IzmdQ2n$$%|Y3W64IPJ{gO&8Upa-Mlkx1z;kghZBEn(z>vVU)
z%wj<Woex8>50_t7-~!OUm(kZqiNHVg4Tb&Je)AKUudKVDxSu$(F-rdX`U?5S^C%F&
z^ecU>kP7s`muX!lJQR+<+jbBY=;A^PeZk4iIAV5Xro-vduO#)R6fMe*n^Rg5k>~_8
z`Or35EIJ~UOK&7+dy5oMql8QR0wsjnif&-+I}fwi2sRo8ShHc!SGeBm6VK87ZKKwY
z&oA1&xCA|@uu;4O_Cd5%=mDQ}2DcHHqQo~mPD7OpOXh;gNRTR;k_k)A89e3Z33g5u
z7d|k?$j@tUFWp&?wD2aTU(z_v|0iiF=#PKgwz{z%UT9ijN@VPKs2}`xsT^$me~beJ
z6n+SXSuYfUhO!&Q(>yJ=pK1ZZGO?FXjyhE<`ng<ERF@;L7Eq~Lf4*MOQKt5y`?AjN
z`?*&+3MtCE5FfG#9^<Op_ztWb780c&MFUz+SIBHJd$P3_A}-nxBQO5fp;CQ)Kmbtg
zFYt~MkZ*o=zq*>2{EIA+Y45fpTXp#bDyU&=E>}>I+^LnAb}wWlq1D-eR(NByz7}DK
z_p<1*-L^Q<Y95{y-hWe26o2}Z3DX(jOB`QVF#KrRKr7i|d?ot+PcjDdZxu^AtWxyN
zjRM2t=a6#pGvdjyrN_RLIaHwWJ136&`jCO@^`vXT!I_KmJc#>U!w}d(PQA}7K$m@e
ztW}q?otM>G1^W3AqVnR1&<MN=s?2r$iY+_yzEDF)DJ$GvLtD9sHd};nrF!hJR3NHK
z?EZOuE$D{X_9J!;fqzrN+<!jwiopOj2cag$LbrQHX)YJ#jHvS}Ue!ebx_Vt7yc@B>
z<Y<sBTHmlmKO#?*;fXvLaZ|ydGS@C}R*6m!BbBFw#l+4|M1EIgPIY@vG;5a0ZDvz(
zaBI9jE_~LAQxSl#6DDe=G7%7E8L|3;X21S*%KzWUAvgXg`+h6Ki5(6=>8B&bJvH+2
zqr>fE$Z2rBm>=IDt{R4g!!TlDLx?Jj@@|4YqmdIsN6aq@zez+s&l9lmF-)Ji#M>5V
z7NX&%TFJI>@t2CKM8Zzw%#;G^kSd8ILlb;cMkx5rnwp$=r&_$fNL$i$b5iP$&#E&x
z#=5Mu&d~595DgZ&*~8?EPSUHw^8)AK!<?RxW<#;VBSB#C`NQkXs`S(Hd-vLZj>n7r
z`~K*w1GhYUCfWl50FEROUyvnYSW#-jhf$j?6Ad$*j*18h4I@~KCM~*czXP4T<jV7r
zQe7iD<nRuc(~8jM`v*)u;ZX3Af)Sn^sp@9==)T|H&WmVvxTX^zL5I@BY;a=3z+bCm
zYkn+US2cb|5=1j2HQEqDQw;FI_jsI@@JX`+P6BT8w*wTuoX9qS;gRPa2?mXGW3b{N
z{lvczWTdg|rZ*hOm8i;?J!B>t37yOS8Xe5nY1U+?cCg(Dyg=sLa$Bx>4hIA#LvaGN
zpHTSLj@T;I0I>qJ@k8cEK`f9TfbrTbxO63eGQ<c~JEJ7!d&#@`w{V6To_|yk?*7WL
z2LK%)l-vcQUH@P~mWwcOaUi;1Cnr3o{k<Q9Y74o{er=J^LC|GL1YXd`eTs^%9_0mn
z%|p;5fb*LmiYoK>Z84NCM{e8?_`TgF5}sNgi+oYi$^I#9hNI(_x)Bl7ibA<NplQl!
z4h16dm4@n@+wXT!FsGDNexn|4$`>@i5PdEDwwQoeoS7^zo7A!gtrW~YrJa|szOu=8
zC<Hi^H7O^pdU=el^dtuKI&i`tQqF<*3xd5T_VIaQCsQMMw+103+6*Ry>5xQyU4|-S
z0HjXULa2BTxsZ9*;CYbHbagd!etr;!7*5NvpidZD%EQ3_&bA-=gG>BvM)z^O2ol%N
zjvzi!<W^k8$px{~t#@Uk&w(vXOcb<tFI<gaz!@c+r_ba(MjAJvY{fD32P7@KtOxEd
z8psfM-%g&mx%w>Sb}Yoff&uSm7$;mk27HX_EeWN-<^@H7eUOTkyiF`lxuVr3AhJs?
z@jx3PNmp=ndNafDIs<V2wDA1gYts(Jwu?m3Tt^sK0{Hku>KzIqj3D<A1gzx??=nm@
zfmLP{7zOYWE-Aq@7Aka)6T>w3Y9uB-ry3cO1FZ|PgnvU&4><oo&}r2gqQAn|De#$s
z!25u|nngD7f1nA=P*~+(`B`(rd)avZ3L#nknOFalW%WNE*})yGzhiXFf1qcSoj%21
zd1y=Y|DUnJ2E#p56M_5{lDa@_(BHbd)IZ!kNVs<j@@hnCa|f+({`Fl3fHi$v^1nfG
z65v28;p=7{+d><!LYjs_TO-D_;J-5Me*A&-c3;E3RDbQiZO|WcK!ubJ=5K(%=aqyP
zW&a}vK;y4tz5@v${OlNnIR9_|&rvG3sjVx&p{Tx~{`|M(ECKMx$0uTZL4iL0g~h&Z
zD-&R}Xn1I<kLDdePwJD*))(p9-Nd_(ON1l~5=UBow0KeYtkltj^uO`?65HOX%9#uE
zi;B{Qv69&C+3tqYopSM(wzd|w<m$hSFuu3FJ?pw<)eyw<54u{MgMI3*l|Pf-vh#}6
zZ;m1thR*_}fGh8^`7H(4HNANnn6$To7X;)V?1SE7bMGav<(;+MRThFfxU&`O@QPZx
z>zc+N!x%~b_u(1_cDFp7Uk1w~;bSW+Ct07l-#?7lI!#_xaVBvx0-uTq_X}?2P>qb(
z9W$kmnucglL<<%c6eJ=n-HwA0i-Q;~a}hTL+!{qFaxwI@4}8r+M2KmAVIbm^_7)kr
z=0m7;Ee>^YwG_8CRkV=mn&#+-{7;E`3iy%-+qBdvvOu6mUHbL%fd*J=<E=}Nd?$R@
zt;nUqMN~V@jfhc&DCJOz9WL#h`{w>qJTRVrGrU_`YJ&Uz9Gs8&0J`od068v)D^YI%
zh~i6_QekjBza$EEM?qr#KWC9U&p-IqClXW`%IG_mw|j@r8}Dvi$Gi9?XwRXp^!sJ)
zfJ6VSdog0bl*_uobLcy1TAbSgA=*>P9m&|}mWJ@h;pbw!Q)g+Ky@q-Dnf6Ejy6J8T
zZpG<^Ay)MkGq)w&|GBJK{#jP*p-+on=!D(5z!LjGAi<WJdKZ=mIg`7zfmFdS5-Xai
z7c7$B%deJGCXG9^KkaW0xd7cnWK@!sz<_}xGtw`QhtI>FN9qXwZL)I#YC73!KfnSq
z6C>`yt(Neg!IKA9QUzOD>CunTu4<)npZG8z*Q?s5#y>@WwJn7s7=(PCwSwii@0#p+
z4N~1}jV}w7Vqm5}S+WO?fx^lBOq@zB<qFJN{BIU?48l$M%8^b-*>IVG&_7G0482NL
zA7dM7hAxg)Gz&Xk4p_k!9jzZrxWBOl{U{W(>w5A>>8_*p?P?#rqw~c=T<?agm2V__
z`~PIO-XxgW+LE&`qI~WdWgwYmhsyxLT~EpOF3zixD}~=`GzVLs%fDm!eyU~n(~w&4
z@~-Y|rxq6|Jf^5fWw%D-be`oe6fuu6D0DjunEv#s{t>DH+$L#hT7FNXy65s{ARw@8
zx3my-D#l~FPzbtcRLl!evCz9ekW29+33&5b=ylbhn)@AK>%}*C*YB*WGUWT|pqzqR
zb$*T#XUSZrMDbGY>P=CQ#+Kcc7Hngzqz55tAv5ocEf)vb<46lO;U4&l<?A5X8nyR=
zaK;Oeib+V1E<NNG)WF0-L&0fvcd-ymC2M?B(aBuI!Aeb5QGYl2S^bP0ACW<*GYX{`
zs=4zR7fV~k^W-ACP>G~jF>7s3)|->jI@E`^WR6)caCS=*4Y{<QiKU8+$YiYh)v-VP
zdAUlX%Wa>9BN}%CE(SVEA{s%P^hNIVB?%>`yV1OVc|Cq^5AK@l>osG$;_Kp_D+BHo
z?1iY9i1Z7&lBzPJYqRyEbCJ~QK3yw_BqBk6pCG?aNWxZ6{qD{l84(LrQ%U=A)I!JS
ze)P@i{0V<~N0035>q}HYNzTD`n9eg)BK#*8nFN-icFRo1Qwp4lSBLlT^E-nG90Jik
z{q2wgZr;jU+fapFKRY{n%mtgAns!vReNjxfL})MAL+y#;=-u<OXQSbzi;neb_h)GB
zd}wmSo!zY4t<RP)#9*-mlDs~TyV2m<VMfy3Wk^eBr&oXYB?{5;%!r%H1T^g8DysH8
z0*_C()b@qv`!}}`)i7+PAV+|Jf98%n11=-s=|Jy?%lE6Am6Mn7ldch^{2Y=UX2Zi{
zl0GFM;Ag@-(kG>!UKVmyM9Dit8qxpU4StZws%c}UpjScxbdR5RuZ3e08WbbrpeU!R
zL}pZl$CowekpcJtJgNBy1lYr6kD<pAUpd=CHSCsKF(ow`5F3GjfbEHz*$Ju14YrsO
zFtJGFlWt)DF^hqpF{6clm*oDg?NUqlK_rvGz_-Ei`cMdEzB~lPv2?9)Hp!tG%ghN9
z)$6qe_N`uoH5`@CTD4)ZTmH24<i9TjiRHA94HKTwi@5qZ?R~D&)H|~k2o^H*LMH9&
z`;?c}`pjdu{xMj8q)7*)YZtMyv2ynnk+V-N-HP-CGPfUc*N@LXA6#S#*?gVV60y}{
z4yKA%YoD;Ov=&@Cx3t9V{Z^72n_Hby(ch8I$uYbItDdsb;zPq{7V?n1SYoj<@{rgY
zMiP^aLuYKNATa-iqJg%_Nb~)YHgXcW0-VJFvdPzP?Qw&lJFxy(8mf)8<;7`nA?spR
z&QSKAzpj?)=)sJwC>!t*m}W5W8frAvoMSE9HHMYo$7eUtG2Uy>tz;Up8=(+p)F#t2
zgeuU~(G%ZZ-`He&Od@qGO=76S>No`_Ppr9%i;f77jDyHk(%RNi&?q<1XUgg_M)Ql5
z(V2Duv^#fZfsCb4svQM~*eFEB*|~{4k8Yxu?qN?qw@Pap*LA-d7kkx9b0j|tJ8KYx
z2>0`N{P4P}2~9jt$5OSnvZ@G&?3M;N$Z5PebR}8Up!>b=_$928TZO_~`sV(A=pGlB
z$5kB2==^L`r=z`SjF2%GlJeTca^;$vRmCBcyX*5=Mh2UUih9Fzw>ihF`(ZLE9hRA;
zvEswk%g#IOK0l8%XN*cPJ#IflWJtJWE_&}{j;h>+z=&72r;ueLEIiB>8%+_87nMq-
zduD-YoLOynF98P9d>P86@K*AF*{d_yfG=7@SxWNieV^TJDAN+Z^aO{6Ha|~b1n3pE
zeeBX)<tyDlK*53oLD4cv5r-uxgFzn~VfIF9y+}f0a1fCRt8?FmDOg!w{79^kss>br
zBDnWjr=qV7&GzRok9SzV22HSfZztq_;@?hxKYzU(tPBMkgGjshIWqn{lX*$<BKgU2
zLpf2cU#_!gT?%9$`~_v6=uSyIfwgHd3_`uGdssr?(Tv4zM~Vw^q)k`Q4ow7c$eY~9
zVN~<c!A#0Z%1LiIX@W_&dz<%um{W~7pg8c}TYQCx?bkRM*GY1-+mxeC(3Q^Zl0V0J
zJi&DWVnxU4J4Crfl4}q#yJ~ke@K)pyWTsFJCxZq0iBHOj^MvN@4Ipe_;&oa(liKU2
zH;avJ^+%C{1PzM7Oqo@XnwImRCD1XE;v+~|QgR@~amv#T+v-R7Eiy@x)bIxryWhuD
zYkD3NB~YVlXv>4RwO?2oY3fq~D?S!@XvSQ*KfDRCOb6fr;UMtdl~7jyq$38>KRBCa
z(MPemxo<ycTW$V0Fb8k5Z7(S=3xQ^{@3R%`4eW4#YPbkO_=yzFPu*!peSwfmxdUE?
z&PIo1hOCA?ge=RV+xlyZ-x1B+PC>vySN7K!nmGjyF)wv*2%kW_lNFsf<an2>$d$p}
z&Va|)`B2cZ4l)L+=h@2722WXGdw%;&c{3{|t}Rk=tuEt{yfDjeYa8#Yw3*PEpyes&
z-!ElWbo3%7p7*EEC??YotOX=dzC@u8nzE(H5%KYT_IXHo0WVRC(E^*@$Hy#F?e@kB
z0udKm`iyU2FDA#(0u#u~P%4S8*VC5CqW@#&0Y&;=-D_~tzdD~jGoVQhefIoO--BG!
zi4jBlcF(<8t@AY5iOF#dZ}(CH^<eu&qEb+(sNj7;hqbgRJ!|w#1V7JtH=x2yI#jWw
zJ54#S1dt0954|B`f>^3H{4%HyL)V6ol8aaOL;7LSh=E#IkeuuAc6&*c38A9E5m4c`
zJ?jAAyl=2XYh6*O6ftY@dwaE7%`>7u41%`3yCC3(l3cF*I89l05tf3=sYy2+$eWe+
ziV$4LZpCWXmo9rdw;x`SX315vaaJ>yXSd=QoPN84Myn_ZJyuD9_4f%BO=jg{DeATv
zMIhLotoj<zyr6kP3qT84B#{ox%wDLp^?pCdfA>v)kh@?ane6Q5x!06UEoO4sV<@7u
zqf`FbEwA>+=E^oP;UITtC*eT{`(9KChgL?F88qOk-yDG|eBrLys=knt5yC;LYFJT|
z$O)qDZzd3@hcs&k;e(lJqv4<Do|@3b0uZ}2YEf7wmbX0A?9)4PXF4_-2hkJb0@;#T
zNxg>#k!~MQn$~}+nW3v~@Dv+`R-!l3Xw4%IqGF!FUQVH)vglXozj=MEsT9i~!(cKU
ztaNeeMc^G3t8$dwhl@p%FBS*%PWxJc2@U;o$a&eB8h%z}uoHbb8SubtuqF6tCo-W0
zP(Ch#^_wafiS?rl3}Pis)X|xdCGk**&;(Ryz+z9o=c1417cen8?SQZ4?2;l<T&5AN
zDsjD4B(#wNqJt?6mqw()`@MR)Arf?^t3dsn9Iv9~LF6lvT_K&bGtR1q=6(a4$85tu
zqATI})K6~rJ#a(IG8=L>1-}Sz>g^W>ua{g1w8-1%`v{51-a~W|@rWrUm64^NV-|No
z`?BD3k?0u!1>#u4L`4NK=FKwNs!tKzQ(cxA>Ot<e4Ddg(qhXJ*$5cePgsP8qxX#16
zxgK<6zG?N~cg{O<$FbIZ5OsRsftHO_)H{6MXBCDG*Q0LdMf@2~T7#e(KVC*TvORYZ
zNPnH38EbMvtRVrTjo_QMa-zaa+O{~A+p4ThGyZQ^6%uRPwc%Op!NY{&hva^+$yw&D
zs<U)97p%)KrepKlRQEj)gXpUS+yirMTM{ygDqhr$NR-2r9T`qk|0+MjzLOv4)SioL
z8^nP5`v|qP^1d`bxc8HR!1QW-2_$sBG2r+I6!vD3>IH?`S#Ws$SpC69wyQVva20;c
ziOGuoLhKO)j7b-Y1<bSV`2ZL`rs>jMcky7Fl*Ueu&qUQxP@>pU#m|3-C(r~7C7)sD
zq~=f2OTgEJn@SqP4zYv0;!MgHL=RH=dH{&l{0<P>^y%A<Ya2n|8IbI$W;o?H@LhsM
zgWIzE{<zquA)AHI1^hVp-lTJV`IX!LNTSlu2(-kw_mg`@j}E%oVm2Z{1j_IBmWTUS
zAkg9T$^g320&Q0h=}Q6RhJ6G=4zmp)r<x|%Ip^WgB1bQ3)IjE~cv{OoOayo@VRdy}
zF$J-w9iN(nfrMyD6zD+*^@PufsRDI83Bw<3eq23vcQ8>}AM-KYN!(}LOey>JQEB6g
z-3jl8auK^oJIYinAfa&HT4#>-PC<<Kks+uFO@~h^OX)vHFAq-!H0*^?D7496hE5%g
zmhhVDySapyWi@FPwa6ED*H}@R_jb^h5>x%L9=7;xNlF6_4gnV?9;_f{;$a~$NXD~b
zHt>7&Jt;Ir&c8}drGbYOzn6zqel>BRV=_!jDE59_f?Q~6A#Z5~3qei~PtU#rOw({(
zT`*Se6$Jw)UH28iKRf)fo;5lInkmW2sfYr3VW#`*&dAQ%=F1r^x(BMNYYQU-QY6<s
zJW_8ruO@lnuza;(VE??dEheYyDamvtqT2_P2ebsu%38tAoY%j15P=v^b{Nn3gn42U
zMj0Un$l6a<Qg;Xtj7P3Qqa{{?R0Ps?mUdu`)*uobVV_9b8l`Go1m}O9Io+W8?acgg
zP3(b2lF4FU<KW;p7-r7OYVis{D8x;6hG~pyi|eb69<)MK?zZh4jNxF62pyr#v(Tl>
zNlf<@;z%BL6(#sUt2qj>sd$@`a^#~-CDEo;{wRIn;5~wWRyplgxV6NRd1ulZnoJ!D
z0%6Y93M0bm;IyqLd;rAiHl1aZqGkjQCRru!2iWM;6>v`#ZRsN6Qa;6p9BO>l48N1Z
zctHDrI0bIDeNl1ItoaCjue|pyt%5G0bM|~M`KAXQJRy97GMjFzCb$&ew9m!jQ|mEb
znuSCy0kO&*AHks1-2<sH?*}`Sfo2zWxHz!<4FC*|+Sd)Lv{R36hfJzz)AkL>J4=|j
z?G-8RakGHLz98Y_3P#8M{km;~cOpC$Dd$>r^1D|*H)$m;^*gpUaTV%U5B|p7t-Nd~
zj|3z|?B`TSHHxT^wxo@p*Tey3CaZZ3E9`dK3!%xS-JIeGk@=;~tH(BEuy5-_R1%KJ
z)}=jTslH=aD1>{UuazdW+rA>}{_ATq(?~I&uB+nP#QL5{I!<4PBvoGm{d&5&hQ)X~
z1(ZO(0-yka6dgSw@HlJdY2!SmPVclq-$@W?w=ea+{>YhdF~@tg`jbTM@m!d{q&8gV
z<)JdJ-t*yy3aa~LUY7lh+%k)5RCGjSR7wtBk6$5ax8jW*6dF!Ii_l_a-zIrl*#9~g
z+#vcfygu|soO-)&ChLBbn}loStJNP4x73%52zP_f(|&WXDu)!jjuw$bj;N~z?8Rq_
z8eRnu0i7xrN;x(KPAlfy8sf$F4}$=aJkV0JE9?Pbjem(20zL5*#(rBM-V<prIr3q@
zE}xq}hy+-za){H=9tU-Aw`#h+RV2X-?2RYR9RM(zYV@y)fc64|92|aOk);@-Zum(R
z?9&Ji1yoit+|FRR9|LHcC>8EtsH*9XtJ2Wy%yqBp-yTYor+F8?o&s7(OE>WKZ4+14
zfU-eiup>bGXVc7W8Jlu%sV$_DvoT-W*x=?FOx7m>-K|L4RO!Qiw%GI%r1Vvay}=a<
zYf|6@Tz0@ZiZb}Se2$tp1ZcWO+r3{j;_&ywn`lM(v=9giu;xLCt)N0-$^Fp4w4FZ-
z2dk14={B%gi=JTsFn{tr+3-3B?1Z`ow)xTmoC30gNKzlP83hUW-v;IQ@LsO=SHdXm
zh7s5bHVx9I7kC&?yo$YnJc9-gjRvD9H=ll+PeV9}*fuKd0i|S@%C@QKtb-qOeT3ym
zK7wMgs@&4@5%#-x)k!X??Tr7B09X-*+>XT~nDf3(!Hr<hbn~zj+l90{=8tTPVcBpA
zD$?s4nod#|#0bn`b&!w#JbeQ#N0{BcN1Yawl_}xe_I~qHtHtUaFK+QvZ#l2{-`6Pq
z0M^}iTa9v<%B0l3UoEmz5YcvgWejXjZ?wGwfg;A+dfloFLEDTJ)q5){jU~Ua^!#oj
z;ID^o1NC?4#TTG7!qe-C5PU%!885cIT*EZ0VH^ZpiGW){;Q&OY=G45<F+Iy1H<4_m
z9d@FCMo>re4?<*=BU3Ixxxx0WXRsFW!d_aK0aY=zQgkZa^n|<cR4)Eaq>s#KCme(Z
z1P!)OE0L8FaEr~sq!C%+x?hFj0baIz!>@R^q!x@JbfXwbS!H9lW^`%mto?ncJh1P(
zKQ!Cvrd6~|Sd-I9YdyDU=ZlSxc0rIhL{NQGF29v3I#SN8)+c&u?lZLx5kaC_5s@H4
zhi2bwfm2)@zDvh${6G${Zi_M$?XIdh0GlzlB(Kx)9#J&LU`uXR%5>>#wf4eDN=eR2
zUfA>!3NXuIFfZwmG$OR~4Ui`X&}+NMkW^BaVT*`nurPq2s!PD;4Y+F$QCe`OdHGDy
zY%mJr1_*$*qm_3>l`pTPvgGXOe6?xcvJ+^T3%)#j(0dEs$VIC4B-VQ$n1%Ti(aCdj
z-J3OBQ(4;V%EuxkL<+;BdxI&+01u2TN0ONmlf%Bj`wQkt#&0u442oVkQMpR3skWBS
zg7fq@sbx)@$3EUi#AZFc$mmcMb=M9g$KV4rz<XH5yFEkA3v!AKluPaS|GvC67v5LY
zZV?+QBvRDtIwyz9#|6eZ8UE?Lv76Gb;Ku1$y9m~!)GwHb4ppM%ST5NrmcjlxCy|Ov
z%J}t+WYK;CoJ#{*E>yp`#^xL$1_h>8w|~i|PhER8J@4J15*V!qQJs@*7*mf%woc#D
zKjcgw3})8^&tHFsDmsD{W78%~lV2fh!Azb`cg+&w;B?t>Np2Ujdo`~Gt|tPZAUEtQ
zTBurI0FMJ0n`hpLgRTpFHMf=;fj&9Z+aGa<A~4!TE%6)z84V?s%5@eG5W(t@xo1Pu
z)AqP9t@8&UrT*P|xBMK^j&wfw&k?8v3?Wc~0090(**LG|p@5nU+ghQq#DFMhX)Z}2
zMZb<z*HrI5G-2kjGMhP8$X3;^h|v=L7Vz*<Pf6bWIlV-h^gO%MfMU%MI1^{;$?vbp
zws->sG5nR{4@jAbfuLW6<V3#+=PV=ey5OCE;^PD#elNwicM-hsY1vK&!Bf`sc<;By
zWV;;%`FvhUq1Wt=Jh&kVOOGr#c0EYG@_fHf@^HV&2(Aau0e~1@p)mCK88uJ1sZ0i1
z5yE;mdyeZ!=F#0;AKO&+DXjzfn*-4fGQl?L!oebp+D{&1&O!^eupaN=`O2T(%-UjL
zh49qYB2`hI5Nv&Wzin;+73*#ty+N(sM~}#P{`zcb=`AD0lEI@^rDY@1>YBjjv4vb8
z0|f<fMN4Tz)5e8bMxZ15U)~yO0EC~PUpkx4!~M&ej;jqBK8{3`ur+j<t}}ZlMEV-|
zra^U<Nae(qjlUwrYO{ygr6`YXS;cDyWupxsz*LYg&LB^FGb?fjs00+H)^!zQYGC{3
z0rE&0Gw5A8-^Ti_j){6Azq@oc&2a~jEJTSg{D-Y%=`qs7b9Eetq^vT&s+-cP9ih9#
zooUTV8ChwEeI@Gl-uwzFO$&nX;eoC=cZmb+kaGZFZi!J8Oi82$(W$x&^61UQDaBNg
zLPhgg{Y8Ing-7Hy2u35tVMP$Jubrac0l^6(bTw2~TD_Fu84!<h0JS{MO=zbQYkl{R
zXG!X|B=nSm!LrI?#iG&a;F*V}(eNjmLJEpXPw(lM6yuW*KJ*hJYxU>qrf!@SX@tSx
zUTK{vgAx-1=)jk7)l+c`Xd8^vm?lyY*F(J;(TX9ub3}}|2li5mv%XuBjV2b=K1mMb
zsy%7>KKOwrYAj#$a%0dU`O^B4vZ7IDLeJAA+=gJeqbb|+p9dALh6#YYw%$c!+T!#o
zL6CII6aS8-DtEzMbAq<^U<H>mIC#-xK$G@U!1@|k6np{5hp&yO1IMOpkhB{dwy6X^
z{q05uq3cs?GT$pz?wn7Jj;%Y5e8GeN@jO5zu&K`a0%3ysfN<A4q{JaHm8j>U`hYM+
z&u}c$_f!SmT&fs;9#=p?Ag<bOiR2z4y?Hz01QFf5hDy~;!|>cQT3B5jNCsx!efmXF
zyP1xp+15D|88pYC8Mpm;d_3c|c=?=b>v6%!|G(UB?0!fgP$H3HE?izbqG9bE7y0B@
z=bAo`grp))Y-RyEhtdYNnRFW%6~OIP80HQfNbq9~Hk{zkAbOkhHfgS0LtbLts><c>
zdr-d7((o?l`Qf{7g~4QAqPb1B8kXkaI<f#mK)k<zXD1h?^i9ec%A2mGk5B>nx_CYY
zbWO4Is#KJ@?xdHBxGW@QWn|%^i*j^r7a0X8PANa%6#!eXyWXd#$;Zn`rZAu?2b@Tz
zzkvO`@cx&tk-ukiQB)^{%(?NQ2RxsI&n;K~;n9xo-HR`kJUE6pxIJKzC6E!fSHHG1
z^v3|CfriQW>eNxayhbBgb`aT0P-|H73u@7~27xB2*@PY4pXIEWqZJu38^QW;Rn*en
zYkqwNqw(Kj2(#g3^A&ppw;3S%6V%f}fJJ-w|G8C^|N571eL`rcNgi-BFO=1urfR3C
z;w??$K{EPJ>w&=&Z16W;ik;T*mm!&t%e*`_pmF&IxJZ}`(f@VCr~tfEUVia%^MZ>j
z>)d!z`lbd40qqE=NC)}`eM0m(tV{szO0cd5E&-_*p||Qb(6$^}GYCI~ew1jhFF}22
zQco2;=wDD!34`(&PhJ1>KYgoL{{(pc7gg}i$wSdvTY4S+e0xJvM@19X_nwx#incn*
zw}sdKudY73`Q{=QkS&w*Ll?14wvOqg2$#Y;>fYnz;Pl*)JnqvUP(=S31j+><{QSUW
zu=Ibn3KY;YY9Lhl69Nyf7pR~;`+08DHW+7lVPivHQ<l!tFx?B{)1#(CdIdqOwt84Y
zgXaWn{;T6cZqG2BJ^e|Mj<f3*Ey2Gzs$u-r&fdc3FfLA|sXGIGbGmi-?Hv^*1HC+0
zRjs4q2;%h*zlVuv9s<n14=!W!X{I~AU7AN68EO;A#8C<|EYq_7;?=eUFS$f}V^8mz
zLmL`AIcJEvB>78dsNWxH5ApsqdrJ5lc>?=C*Rq}yj65a$hvPdF7qAbifTuJ0LThcj
zUEm)NJ+CFsUqfQkepu15qWoW7{JQr4fzX2gyNhPa(7g;YSH%AsOHhWM3G~+ry#jtH
zMRw6iTN3>>&RGe1>aRED`gQU7k_&I6lQhNu_0r-$3+>1MgX?>FQ34!%{~tt#(0aDG
zkdghXfonqD#7HTa$sy?iuX||k;F%lv0K=0kDwFbmccuU7K`>28-GsMLkI%Bafuy;~
z(S-M6dDl$Z9K#_6w<=}^IyTNv<L#~BwxP1SbPAhxRySMy>kBCl4G#$kimyx4Yuoam
zFMuxqKY-p|zL(|7$WJmm3kwYo4Gmk<&~98SP_Cb<@2A6VhY%u1w*UYm^H!CYe0+Y~
zq!~i)(z#VdT@5Fip7N5C{E2sgxs{ETCAp03%<^6{_w1?vnzbE*e?BpVw=VTdJhzcf
zcTk7jc*9Z>dsC-<h2uSFz0`(#)%Lcr-eA7~tFfl7&iS%#GDVYzgPuLV`7uAQtG2MT
zFryL@76vwEM$WcP&GLF$+rH=`L8bfZ;zIIgrtRcr3I=rWwaO(rv;D|T+-Ya`ZD(H4
zRPpwYOcm*hwuOBmsOs#r&O)KX43+D)yCx81dUsIQl*S$4)%L?1ze^DXP?Btla&atV
zp6@d?*;q`>bZ(#XjL;HVPG)pE=aU7teY5WsB1z(ZVr_o@6BQK9U~$R-{PE;t#p+S9
zU-ykj#hkfy-ff{a{DAq{+_7!<YA|%;D#8Wv^6@;>(u?ijZCXOsd;IjuL%*Q(a{XTR
z8N7`daLClOowxW^uG3%~BNoS_l2QV7k?Dvce!@`WxjN&u9^Js$ESbY0R|+f>2<Q*U
z*etugd<_E&kxg6RVkQ}@JELB`0|5<r5rh$?(suMaRw<_fmmc5h;AQuZ*pW~$8$ITG
zgV#W9MJ1y`Op{XgZWte&`ria!t0cSqn5%8M)Y>f#L{&rS{j;#MoS0G-cfG%q4RVf#
zjv}hlHrK02y!4k^7ezf#fZ`wGxJZg7v*6)(u78snYQ7DPo%_^~vQ7R0^EtlZ@nsa&
zY1LCf0k@;IX$ABPV70K{FN-KC+nh3^=gJxHE_-WbZB9DYtrx+qczV6qSy>b*72|2#
z=Ay>xTeJRqA9WF^QWn<MuTS&WXqp@plpB;4>u~tcC&^u3OuYYsV&@7vRB9~teYTT7
z$O3PvxG4<6d64Aw8H9hE1$X(xgtm7&+(Pr$>ZeL$jSU~qgwAN-w3zR+a17*(K^0GL
z#%$%L_UdEol*Ye>woe+k!vJVTZ+#8Vja#>vzLY@UzG{jUPQw2l*!-+Nzod$z^UUdb
zdW?KUik)RsibF&aXvUJ-!ajfA8)00ea>+rb|HkyOm&h?C#S{bN;_b1m>hXCW&Z@tT
z>&q8%`r=3tCtJ-TFxjW*54#*fxS^PZ82A-|Ewbz~(XIm-MvG3^ZLp1LFwZ_r{V=|M
z)ctK?@DwD^8%t;AdOV>KSxNxYScvVyxlMQ2HWj9_7kbCsz>K~h@=Fcwq2XD@j=dVZ
zyTA^D?(!1b+uNHYChO~H{<?k`cAiyjX9?1xsUeS8Y~%rvr+IZh<o%ta9rFnrfD_cl
z%Is13Rn@`?BMRs;%t-CFwH~ApL2eh!87qU?2GB5Ko+KP?lM@Z7)1luF!GPfc46S*A
z=KJ=uah%!e#T|1CZ@2eMO^*jl^;p*^gUK4*`q!4v?LD7BylfWxPwT9djt<Slrv3NN
zw1N;*L|2Q@PL1e@d7Iox3Qd{Z2rZ}gK0Advk_jw^(>}X>ljtGF_Saz*siEW30z2Ec
z4>3PJfSYf5V_0fpiLXx2iQg5uy7kvU#)G#4uc^%X3$*9lZkH4vtuE(z*DBV-M#ZhQ
zgWl|Ts~q2|?1T)BGLm@L(xRJlwsR=ioEcdLo#M;9gDW0@gjqVxaMx@&$XJZ0{<Y$@
zbhmPtU2CW*$N{)ek9-xbOkjDGxc}wHj`sh|O+-~uR9T2lj}5E-fCjDbJhQ;G!(Uit
zL_R_>ipEyg*_5^YkbG*<0{}4Q5lJ06#3o~H*;kd+T%eft4z;*0vT;^UR@sk&o2t%a
z4f`co5+Z4aD4p!30VmKWE6q*_8v%};mJr4O-amFP`kcw`RAD=wu4PbcxDRaS4e8?O
z$WPaCanzck>4IPngUfW_s7?3P@pLu*kHg;vTvF-STv!SVPg+<Ll;>rcUXXOX&A1s|
z`B2NV?SXU4;;|=b%tcApJtmD&|1_g~FCpJfXpGDDE*V!R%8VvhcT9*4WH{pHmq;c^
zEc(DDBzMFvCMPA)lH*|gMh{`XuK1=pme0LS4q-8oVbti$+x}yT1Y4dXM-UWQd>&o?
zO4nU}_^gU>_~io^0BelreauuG+RqRvl%${O<{z-0^K842WRyd!roX>?Z3?Gg4dOo-
zs@*^;-ec&TknhG?+0{RzD;SClN9zVlTH)!TlY)jK#qgmj7=DMgOilc>ADj1(E3g}Y
zHpL1~cJJOCXAhA{$ghO5-+pd=UXoRm^~X#ZDY>cU*7SH2l)Lg%P}%JI@wC-K?bB(9
z?JX#Ch`N^yg$U}cxp=-<7M{NMF*ln~_fIIBE^yRi)RSsN#95OSH8d=2XgKUpb1_tz
z%QYo;oJUnr85=j<#`d<Xyk@h5$L+1b@r{ygjgMhsresG=MPGu$BhvmBho!dp&x-Uv
zR*_G){cuOQG3+D`Cn=ZN9*DtC5)9Y*L}|TR*<g%3o_Br3oy67qVI@>`RuqSC60VmC
zBSseZ&s5#0$H^8d+lHpzN``FVt*0HPmO^mwhmh-dcc$~gXlE_x<jIyi$Ep$1!V~H4
zx%f9OjtGYsMdYkfDRBrmXvT66AaiZK7CwmOaGI@G=j)~Z!Q$~?XqiC_OH=2!e*zI+
z*R^KG_4n{Iq_lM*tp<ulxm+RP{07_59H60$E1Hwid>eKCD`e$%!F^*PuI1=Nn#3@N
z*#r=6`mA25K%cY?6x#5~k{ehFfu#NDfj9k;qG_ttlYMEr`tz_~3AcI}4nSEMUAdxg
zaO`a6N;47`M_0eH9cgbLy?jp$rGNCWD8HiY!?F;6I_w^VgkMk+c%aM3#>>HRJFHb@
zDpDd+39>gI+_g4WTw12%ZYjbpE6_PIuk|}@{fH);2-Tn-ReCn-siketEyg~7m;4xQ
zheR;SYWuSDCZ4R4%8DOXkgDZJ6LWJfh}okFCf$<A)6pY}RO|V9dy0I|yZ!pwW}(Rx
z-|vX<xF{bZ3t6D6RLAVLFrymI7P;M-$G~tu9uzr<6edn)cow<X_uC&3a&k8$-r9pT
zds)n!ASBogF#`vzG*0?GC;_cpR#UDepy(A^m~hsbty*y*wrc%UxD|jw53-hjezXC%
zQi2{gvPxASWOZxUN#gOc-Q-G<&S8<`9*@kr?z&ms*)`r3@Kxq1rqdBU&$!_zQ7+|g
zcgJwt8jd6%a>E5=&TWRj+5W&;ipZ+Jiv5^ydG#)S{yCL(h1D&}y@zWmiGJ4o2*k!4
zJSZ=~sO6gF7@cjxTmTO4Z@=qe-~Ro!{Mk(97Z8?5sM1tFk{UQonrASl#9!8v<1G{t
zIm4Z+g!Uchin|NpA)AEPblmMu_p*|u%lwo%KqY^#=S+cs+1wr$(CjaPN{edp|b
z&UgR5*53R#TaKA?WJZjL=ovlxP<MDhBRX!x6&jR~hz>Z26c>Q5%8J@Hp*i|JF@?yV
zk8B$4rwzsup;KhQ!pgcnd^b=%Rojm`Ie8f-xvRifR-OTmPlL@x!)9qDBq-=4?EoIV
zywFexABM-slvh<%^kC)nOG-q*_l#^y4@2Pyqs6TcjKvi%bbAM2exKkYIl%XmSnIJ3
zg00q&d|y(TV9OOoGu1`4m9jZ!ys88v)o+gvJBD(hd^MYgdB8yeT?OX-RL!mGbmptB
zS2*8+thf*+90n4yhpB(<3y`^bpv-FG;G#C6Ue6hj8i3yixM6lSK|FE-6HYVomRXD#
zt!K55iKKpxO=1{6yKl3Q<A-Y*$F&_GpWZFml8NT>g(P+|5Tvl+SWz9dX~<_-1x|0j
zkGL2ngKKXaOfW`q`!}QkCFnl-V;$!3pcg-wS;L`zof%Td(CExg%7d19QfIiIF@rKs
zs@g=0>)s4aMvaI%C@2{Cga(Ung?H@+uiHVx4Qa0#o!9=kKJomZ`c64}_Pd02mi?0>
zCfb}3tO(~z7(O#2H5J?30TC8ReFUto?KB?y$2k0wKzW~JN{)vZBbr@dWDC>nn`L_2
z*_&|tulZmya1hWvOaTv%_qyh;!N6f)fOonG<C|dAI-r%MCBS=@JcEYD21pMv(QIGT
zp}$-)KIi#~*MwYBua~=DC*nfF1Gyguqui&Nhe?=0aldRLcH6=ge=6VJeRrv8s(kk#
zH}8IFu)qgIh;!Gx`_`0W81F0@bR2TRb`9PWHZq24l>bQM^eFnRLmx;Lyc}28!zbCJ
zkbdrRvpyw_pDe>jGca!Zj$}Awq^^?s4Hv`O(2Vt~o4qf-Pftg`FPKPg@mtaf^~V~9
zy3tFumj(s;4*@;y4Y8vwavZTh+Tib}m|Rsyxpu(1Ag!;ofZ((GtbMvT{$p#_g{1!B
zLixRW!GfT0zjfkN@n{Tg7#Fs-Bn~yk#0>IVUpRJ|bYd0M#W7%f`}(5P%UwPhw~gN|
z<SXbU<|<0U37=gxrcjm^Wf{8|NI3{#s0DXghN5nULo+KYEeJGB>+9U$MPg#2pdrCv
zLan~7)2$9s=H`lH%npj85+#dV{ooxQ+Hr0EK@n77T)?8jsXt4GQEc+@yX%Nph(PYg
zXi<ebzYv2wzm}*r5|@`*sh&T_HhkkQZ-svc79<p`%?fQ0biMG~T5hN$4ii%tt&}*r
z((iAfJV*2uiGD)-Ts9u^emlhDM#n<qaJM2VR#k}YjtXRqJxVfd!cdq;*hJ7rAD}S&
zQDj20A0GJX+dF8rQR}_E5HV!fTftG+t0Hc%i69)A#Ae0i*qQ9Usj;jCTi4vtvw*sU
z2_c)$IFAtJU(lPp*sgCM6~VUjb2I?C=HzF+)x6U)9TY4ypaq4LL24p1G<n?K1pyx0
z-jVn7P{3Hf7)(@^lCZq~iRdH84@ME>OI!gvOe=GX&xgk9fglN5eF9!@3;Q(fX3q#a
zb^)M4IlMQ~sRqTGWPZ0o0Dg;_8Z&d7&i&nU1LS-~vWk2=IelL}@DOseaMhp$o1u=d
z&QLXa%dxbN__Z_lm-hpF>WMK-FyPv#?F%bQn?G}#d8FvYD1w&{5+V_k%0z!rOHJKn
zM(QEE-T$uWaRX_OT*q%4Y7GIZYiJw=<lysgC>nw{K5ye?s6}BT2EGp}{hIYrrSb4U
zb^iAIjy_cDw~+VCNi}?zr@|vuU}US>AY|y%E-&l&$(SBnRI&tDawACSM}bTyRHM57
z`c?->MO71ubdj5grN4*`eT3LRqOvpc4^mW`;>`7!|1aQ)hO9vk$ccrM&24C~v7+FC
zMJ)pL&f}$}022CO=@vF#1tp~#2s`eJCCKMt8C@DaOb3=4rPo#G&5<LCjCJWB6sCQW
z^lB_b6%Xk|Y%K}PVEjKgagFFNS!7T{KjUYZz+fKiJ0%kl#RA($p1htf62{zbQDIc~
zCk$-NcfS>KQ2YgdtSa2%HoO2=K&Zdsjbu_eu2t+f%eEHO|2=D&Tv;SNda;a5G`2ES
zh}@AwTZeoZ4H7>{;!o9X;wKi~`m3yXQb-F*D3XBGGUXDotkrt-QS`C^f=d!({Sw+u
z1~v-!%=r5%s)0{ndz?64p;BErzj}3;cH&>UjL&-ir$TH%1?mu&)JzM5vk8fK%+G-H
zdR<DNqmz49w0`5Wy4{Zucd5^(vS!WK5tj*c!U^ms2x;05X>D#`4n1uXRbIKy{^4!j
zC>~ZyT-aGIQ@AO=&?zco%`zO42rmSrvREWs8c41JK$~SAZ@3mTU@?r0G7F(u*FDuC
zA1;}@&nrbkT*o99=VE@k15XJ5KToa9p8w{l)ho^$fV3WK*}wkv_|S;I|4J|Qo+gb4
z`R`Vs0)+QEp5V5pvmV|Rm7hGFtBeT9!(XxIcpl(fH*sQpwEXJQpNcovN9;_Otr87n
z(d2evA*s3L-+q9C{tG_OJui4ks-$m3q}84N)lhU5a%DF9B__$7Ymfeao(}kWfYhXW
zy{x`Q^Wt7fc7!dF2BmDh_glR1*$9ETSi1pPpAnkB?l#7X{P7M13AFzI`{?2C7uQq(
z(?nMch6tA^-;n%wEv2c-{}{&w^7pz5BjXkKk(a&<fjNdqL=@K`jNJx?#4leAZ09z^
z0+7MO2NEpRsw%xq4Q*8U*5p&uv|`mrn4}OoyNxg9w8YUrsDB{k9_ILHgi!N&Z^iKX
zbkltXI?85e)gA6HjH8bqvb8++V(07-y-odO0kwS(qR^!MB^EG}D9Ef&TY;1Y+P9G1
z8St;Rs^@6re>dI=TIl$7==S{4va*D#W#nhrSj5=vG*K8P6reFr4>wt<dEeuX(fpg_
z5<7J<^ub_+pF>OR#wccGb?qboVxu#-e(lVBwMY~9#k|m%k`t1X?ynQKP)K0$f#s*=
z>RV>ROeVb|h0k!<xIQEmms^t;6y5`mXI`$X5Pk{o3vL+zMMbH3c~(T&Zy7|W^ZrLq
z#DjPz?>ZATrR+!d#_{Fx=L0po?3e!7YX`I&IW!n-M4S8J&!H+qJBl4HZ;|>x=yzWn
zzRms<EV+VF_?^GQ6L2l(gRYt2H--I%0>6*$FCw1%GveoojFr}VT;0k|Ol1CCTV-1s
z%H3@Br}ANwkCUsK(Aa-<#a3RYrVN55(BJwp1gyJWj+^od4D4~ouQlLhbZ!PJ3fn`j
zUw-N4jMR7ozr)}mD*f6;f{~U856CY7mlq^}S^rdd3#vy4hm8nk<kWaow+eZNMqQFi
zjdL`UPp-~!QIPPpI`gspcpli*Vmw$Yd&}u)F#1=2jKB$W`H*~6R14#-O(i3x>tQD|
zq&RMCs7)+4cd;ecW&iCl_9h#%JsQfUFSYXAd3XpOz{s(?U>^4moVBiAnHLh9`k39^
z3GQ8UX8G8RP4k_5dThUx#m57F0foAwL&*G7{oY#1r1G`3<tO7I$<TQsw}`^4JmYzP
z^=?idqptITokS?kFe9T}#Dpc_!{{FuMWFI|>quv}!m}{Y{{hC}GVWGZ$I{+ge-Ps5
z*}k&C(&Rqv$F?7{lntS$>g4}^dDer#*JbDL<C{2=P1cUWl1M2z*LUasm^Q@Z6ctuh
zwn1{({PTq4NN6}E_NM+f9BKQG*xzfIuF~?m7#woAqte+dIK6N$IGi=`I(NdMax{*c
z-HuIW$Sd>scp#ZCzI0}hnveziQ-><tC!@lc?3~!9bov@sJ?*^=0(E?Y~zbR)1oE
z-Rnh8DMuESb%?>Zt#yQ%Nk-Y@Mmb?=_kz;8Oyh|+#ZmP5QB-``8!rTc#B&mn;(d>8
z7#S)g#J7pV!2Et{qkd}0C5<Gp3C49IwitTwt8|sq1N&h5HHqSM6+U)j6`N03V8Gz@
zgcmS2zL?6*($8>-ssku#5Ck?OietA^Tbo6%fyiY*WHsyoU0s8|kJe|p_<w>pJCOGm
zpU##JoLJBzAC}|!lFBj|w4y8f2rMDKdRsrbFH3@2N|)dLA0$aM*=w&aSE0Nc;~P6p
ziaMexh<*l5Xz)s<97}p|CjbP!)TTZVp8`^gp`e_q*0C4Vod9CgSOOQZ23C=In?|=s
zN5pYfhMmrs65L`o!rSj3D4++3L(mt>z~WXJ9T7aF00uJgzO0!OM=t6z=!do`U?sX5
zy|8&2;6hMg3y~VY07l*MlVtUYu=W|FXFW(ATc-Eg=Zme7GZhHLC3Lt)kQv16WQX1G
zC+}KNCkEc&c;ElV<R|JNHL1hy>%FOi{u>QCl{RK2%#F4c-9#J64Hlx<za(?H`m49!
zgE&gF{X2ypf`|bCaes-gpMgF6!pn~MxVVQv=sCl3r$<Y6e|6nW#_EmxFEmRRsP`MS
z`--oV*!}ZjQG9SP<?BP{-Z`9gKvX!mUkFc6KmndZi-Abn6P#|187v?u2m?1>A&^*D
z%g@f^r&aG-_*|nOrkz|Xs~1HQ(1jgu4@}mx)N?F{H_Q!#o<d3T-EBMeB`1^Fx>`DY
zqPYFdjbo#q?fGk4WB1&}U`ykN2KWC?6V1GU1KbM5z{z9l{M!Kou<Nl<j1nUFJ(~7B
z`z+d{D_$t5_&0#sU@+kV_ToQng$a_r2mB7{polo4yM1Ls^Pm0z*c*Bzq8*LgHppni
zemDDDPYowgSbuswF|(X(idev+lOSr@C^gAkjs={k61&I+HqC*gR!30u2A_7ysHFoD
zRIEI7Vxfben&bA*;n|)g49C^RSAaBeMqCKS8EwLv;GYMIE8%_G9H0uI!owg_5Y5Fg
zIASM4C5ON(yU3E8sbc8zCPxNOu=v0T1X8Y53a>!;44XtBfo<c8<cY8cuIW4165CFR
z+3XPf_9G7!ZA`6|Gr`Xk=Aa`LeVl;sixJLMsha=c?v5CLpN3Lin*t^qpu?}#2wU+H
zHGSk>N)KeC-+S}i&tw}e$ZSanHH(L>d;n2dHRs1Z3kw3fIUrOB@q6AQUtsv3-))gL
z)PibIOPS0CW6cDK(pYo*;~QJv66Xt1Ac<H-5sF>vjqFi6Afm60w};GJQIUu=iO)2#
z4mk(Fum4%oBMGE2i9JLYdl5c1SsV_L)-PcSyL%6Lyf~N*rLdTWEpbtosx*6yzReMA
z)rd;MSEzmwHlrCCxet&))(qEhN77qXMY@izvMSo^s|5$&!0H6^?<N5XCIEjvlA>}V
zRYH3H{~u6G0|XQR0ssgAY+&|OXJ<v>ED8YtA{zk!6#x+caBy@lZDnL>VJ~TIVP|DA
zFfMRzXH`@U00#<^+F}Zl+F}Zl+G6beWpF0Dwk-;pnYqkRWoEm~%*@Qp%*@Qp>@qVm
zGcz+YGry{R&fRCPweI`T(H+s<H(taSw&P2uq?D$lF*V1S87d<s3=4$`1poj5D=H!&
z2LJ$41^@uK1_AW@n{cqGmfybs?d62|04gW3PXGYEMnwg96<oB=Ga)?`7G6HD47Nmp
zR7D^l13)0&I*B02t(tS2X&THL%+xI{zbYCk8a^77EGpD1lm=jx5l{hnc^*Bt2zVeM
zRq@|CC%#&q#@Acyji<84879F=oF_TQo-*8zIG#MG++l?BWp~3tM121G>4t`QcHzZZ
z5kSHR{M#oL02O}-5HbefFCQ0ZKz>u#z^3}di|>EG<BFIEE64eXTU{FHJI{Z7wk1I{
z$an@rZwhC+8{__3o`W@z6e@mR04B^v+lK|tKdOTVEP{$TopJ{QQWyJMsh}VluD))7
zKuocJf2{TZ0Mwjh2gY>Kzuv+Fv<@Gm@AHp;58|n_^g&PJ;;`%AdUB?d3Eq60sM=yT
z=$ZvR(|VrpYXH?O7i?T`ToiII@wQwuV}P2fHDhhzzxsG(j%pR2)U2GcmbeOpYppqG
z(1H6)mD8S(jOu`D1TEF~v54^Aj=6RE<SI??Hscwr{A})=?5$qGO68>EDGUsa`DeKl
zU(@baqRt;5*52`3&W6}tU(6`JndQMMIRDYlzLU~9D^S%-j#XD1PiH%sU4coMXxN*I
z7z{=t#>h-K;Won?-d}6+i+WenlYMf7DU(I<vI}h!4VZRM8{cMkH0yz#&X09Z{<EE$
zQ9il#?Y*uAPhXz<nt0@*g&c368K}+`DR&=d_U@wBK$#tSlc!5n@z*=4l7}3ZF4Dt%
z7ph`zb7M2M4REw1ldm5}2UF~uTVE6ebU(ohM!bb`3Ats1pAO5L)fKj*;2*gXuNV4~
zx$-l(Usirrr6Q4+Krd3e*e<1zc(D?pO$J=yEH<(kO(IKACM<T~dvhP1hhK%$FkHT_
zahAgQ`RAQf$En1|+HuWlN<V7W=m_S%JCA3OWM||;Nr;ot*<a$;oposHUt8vG<Q>@W
zpN3k<REwT=W6jwnLM>9!CQ=x#dnVs+zRhlU$D_s-Cl2$@_sk=RBQr|I!>36xBF<pj
zrX+5xh9MuMVJpcPV9WVvyFLmcTQ+DywFh?900<UA<h+iWxR1QnHCjc<-(daC_^ANV
znRo=Nc|$KYf}i?^F6m7fEa7VDuHU$&gSg&tO$}a1Xb=P7Vx(8Po<0(cjZ%}K+1RW`
zBxT(`BnB?JcJJj@YET@fu|2A`u8g_MvC*q0y1t_Cja%^Ncly|cqnhuR`|{S=nYi!V
zEA&fuS6vG77=zX;T#!bu+UN~-oRU`{l$v)3H1!j!43OvE3V)hTtA)`ceg@M~Xw8=^
z@)Pc)J@;p%^rBu>FjNpJ{8A1&NnkbJVlZVF7UYK;(GxA1MYf09^6trq{?1xH>xVj<
zL6ShuIpf?SDxnH%rSQh-(!oXGaGo33HfW+jic{f2snXUPRaDMJ5!}EDlS`4Tr_@{g
zF-b?<B?<8J#d7ovW-IxU-VxBp?R<)i{oYB8|A#frU*|>%B#W}oo3aN)U)l%)3GCOx
zn{)F_%EuK)-AUBb1YBO<mABJvFvUR#T~w5M?fTc_6|;I+e2_Lc@@8O_*3u#`=I1=P
zv&H8JdlCYp^Sc1XtDEK%^1Rh;_7$>G-;VMofhAi~nUR-CGR}Yv#34DxF{Kkb#*jo*
z5dYzLXe<=80k5+OYkmGp^LKAsm!eaz;w)VDy-}Ew>+<SdvZ#b4d4puZ4RLjc9yV3S
z)G|bNdnuuv%04p@Om{_c7LZ^i#pc1uW~{^pG61yRh&BcIDS{^z4bmYMvr=|(mr)}X
z_fcFo>GZ_8)m6&6@#ZlDVN@Py)SOxjX1wGe4al6V7kgYa2z%4<3<~z_qEf6S@c6&1
ze>~twHl+YhRRPaw`Ko8hv?jG<ty(OeYH?ic=Fh{3yHsxmSzMmHb`Bau01pEr+6TC6
z7MkE>y4wan_;1oUNO{!@ygn3y<;&7m)z^ZC2@$lMP4BZ&=9Yv+ML`2)97EXkqWH+(
z%%FY{b?NDyms2S0AF4!h%^aC))|X>JD^t=6w<K&xPRJpFE|<k=6%7okEVbDTKwsfC
z-s%Y|8jhu#1agMw&SJ8Q|FEpJ(^^w8$96K;&H+%&cN^_2N6V=MOTng5SiDdRR#!f{
zcK_Ry;muiz)yV)t!Ocx-a^=j*-?QAn>a{Smq-U#_Swt-TD!L;d?o2Qml6~<v-B4pV
zv#c^Hk7Zyj4D(a)*JK#$HdPAx2|=<lHNX32Mx#Bj$|_6|Dp_*R)QYx*##6CcrpkTt
zt0#=T@_f0}EtM%7ZtAZ)mi6~-1wb|Rwd!u`IVi;Zft51lF0a`_)O3r+ARCAExa3Zj
z1FSXwTE*$uk}0nNlx$J+B_Z`M>0rya3v;z931xum4vQBg++VvtlzBe-8ckSRguP<K
z5+&e@#5!wdWZ%M4@5IZ+IV@DAi&cJTT3+kuw<grpkBsiEp85_9y1^(g%CY1(%6PTS
zcuMg7Wt-Ya@{tE!HowgvOL8Iqy)o&BzL-J_XgV;zcN+gR)+N~LBSebG-xHzr*uN8*
zHNWhG*s?p}mN0*(_IThR>^z1Od&};+<9DpdcHhuzYn+JsDvB@P4>Sv;*krawi_XcM
zbfQXT2%Eql%GQNClB>S-w8zI#9b9hC602c2#J?POH>(WZoD=Y?QLiD;|LJR%z+o9T
zF!_9-`3<69Z)Eh`luTU4y=7ICyo7OxoMOtnj7CBWsW>zZcr1%ORwv=KqzruH%&m~{
zuMnY{aC;pZ#g<E%n}U-;Ty=)|>{xm~C7X<_k>VnOlyY>HTlIXW{ONMpfX%%Bs(?E^
zua||*s$}|Fn<%Kr6?W&U0FR7Ls~irlOZ`=+%9R=7>2=n~+kOR7KD4HU`obOsV@`qR
zJc8sZX&}KAG4ofDi>-?9a;h{JoiIJsg}RN?WPFGpVHJjh!hMW8N_?iN>3Ss{b%zAv
z<o#tt-&LriC&epQXi8zD_+`*~q@C=Qc9*ls@J1~*ia4xuR4h@>skWViWI7AA8KI<7
zNWrP8<%41Bj{*}KzY;a44V%rPv<3gsmdanv?nD74f5lnm5Y3zLGT}g24DDPZ8&Or}
zJaJE%eS^T4W)Y31C``dBo64JE)t0rwG0C9QsY$SNoHRm{yel=;6{W|ni7sG&1x7sP
z$Tn8M{cv8<#qL+Sb)9Wo0ouhMI_VXfHA<t>QGoh5Np*?zPFb)Vf>cg|HK|!%;ekmD
zz;Uy?tYm1zk)|V?5Oy#rN|kzJn8S6Ve?>#9K0e}D+n-0lTOYY4Iu@|jn^@JbrLz;Y
z36{}^2TseFov3>5YQTQO2~PzwS|L#-mv2iGw6&~%Ls}Ig-334v1GOorkj;WT6jqWX
zJbR6q@D=KbdW3&5ieosCVt_V&np)VumGFHV4zTD9Ao6m*oAK|Lej^tD-&4dS<~xz1
z&eE~SV%*<Bod%K(F0?`%jEt{GEWqDkr2{xnC5n!-3DMd=%KeUyOp9@HG!pxdE1SGN
zOgvY|#*P1|>w73vO#VM%W#DfV+H}vj_74;qgiOL9>ibVHjs=173X8V`dtrbj`j6s{
zK}YHS*(N?8sA+Y#w10wea-OKae}#072BZOgOvO3j^c#gc@Bsmvn-ME1fPKSK@38s_
zwpF2<JLKo5#%XLM^6xFW0CE~^xu7jNk>vMCt%9tId;&r#{Gh*Dbx`^Da_-B7&x56d
z#q;n=*@uZ0e|oxmcIM8+6u`s;h7rjlXM9ce^w4p9<i5$hZNZ}x8QpWniU<HH0*{JT
zPZr3mr?<xFZ6x*Y8V?|T*LcucF0b5dt+|mA7snn(EmcJ-T~%?iGL2xss28(?V_*?x
zT8yV4&rsKXo)sQgH!4Pe$nL1G!ir?#4Rn_!@$ouBD&F$+OXZ`aZ2G{n(~GI{gJJ~f
z-<{e@54Z}@W_RUS*vfw%Syg<ju6-n1AO!+u1r1wv|L|~JZuGtLGOKKG0>dBKxqPj`
zVW(+g*taN#M;&2$6<`mobKm>eVw<t#cojHTdkY)MNK<EErq`V2UWNT<w<>38sn*9z
z%M=xv39v=DmVVa%^rj4;)5+x-Wg?!OCTBxlyK6%U1IA*oumKnt)0KnsWSZAP!r5hq
zm}JZShV_zn+ejvIY7oe3nvW1*Z%$Dum*Q{_*mBwZD(FCxn@RL`LdnAtSA3NR*2Ati
z=dG91p=%krJYb_EJiYh7rWOy7X&>0oW9ZY}(^)rL^>L+$4^%b9quNpFUBGBqtfC@S
z`CQU;^#=g~)p-BR$<mhnLwy-Z*_PMSN?KyJ=a!HmojTHW$nV<8XRUHkJmD>TO84uE
z0C3U)&yu)#K#vi<iHZMMK&3dq?bOiH(fkhbgJYJfj^hS#-C>2G&l!Mv_^;%{Ir3Zh
zb7Dm$81tG4hk0-k`0PcmMEk?`$En;s`YiXOCupvZG2|(3Ol-{a0-O;eXBOWgxdK?D
zo!|u@^DT+wEqUNxuz?h=uGHHEIq_!yNssO3_s{auU5}EJJK#WfwO9PYzHin4Z9|vH
zJ`d5iQ=S?UB|mtu@Q3*CAnW^I=B!G#1n*fkm@aenj3Nfvx=%+>an79Z)@@bPUx~au
z@P85sV!K{MTN|p44IIwxq<-H91N5YnG3j!5V-(}WL^Dge<9x6%dmkJp>6E{1BMD^U
zVeY1f{MUNo4wO9JaUNWy<oIS(>ubsTyPK(s-2}5BKIp5Ohpps2`T2ps?jgUiPX7oQ
z3@g1wRmY@|Yz!y&pE91A`N?%*mKO9NT|t7HGe)iNxA;S+0D$1ji)~oBm#}-oi@O2&
zW?*n+t`=_kl8{Fs@pq>-b){hat72Rr1)t0!npO?T-;1b5vSSjIwyK;S^R4ledu3z>
z^BVK`hM?z4mrJhO6<vd(u%F*jaB$n!@O*@qES>BOovdKs0PPkkx*4C5%8_3JOAf=$
z&U%sdM?u>4m~+yBQ6>#JWlcJ~hd^)yPDE`C*OA0!36Zgmf`i;bK*A>fkWmN-xHIl#
z!y}htSER&BB%}&Tj>SiO*u0~UG-o>3_q%6K=z~Ue3!h0CACX~4pADDdYSTZXltaV=
zI!rKQ@w@pGLPrZEj}>Jdwe|C8yuJ3^u<7)(M2u{pA@<zSVV%cEY^4kJ6eQZVW98e^
z_`(A{Yj>I69wFAb>t0WzG=ih2qiJ0nuRsY{a9lU<(t#Ouo+rD3gf+F<{U(-T1`S>-
zhgV!p$O>R)cZ=DZzs9h4@5Y>yWx?GTIa)pS+_iEJMQBSQ>TiJ(W4m|Jsi?-r)6HZ<
zp~zghL#x)@m_uUkK3Q0qjPJ~?FE1WD`oR7iVDK0d^MEd=x);SSO)!&Fcg8EnE}R8`
z5GO0&o0!cjN;G~>bo9@yCRMDj$2iM6FRCh+0a|<R7pgLA?BZ=pkPZ?L;-8b)NlA&P
zdAzvDf=IEpKDpTHjueyiIfhB8gMR^dmt&v^<A33P_I>yZ6`qlYmV?2Zpd%r9IBY>)
zC=Wk&YHyfgDS-Le%<u2GGvO7Nl-?xB8H;jXHEOTNsdZhZC{p4iC-$j2!$WI(UMH{~
zq=0*QoUMN!dKqs&vR00aSg(<8)3HBwjOL(clZy`>(^Dt#)i^FMA?j_kV%;NTE<4Tr
zteZ1)!s9acj7t;px3y3#P|S-MnIS4T6;$6Rs5QM9pm`eEl1lxC<J9P4NX*6e_Csq%
zfvNypoFpvU^-S+ovV{2sJy<*Y^=u^fY3uZ@B=Md9RWmm?%FJseK3c<hBZRB*p*};W
zis)B+Uk8{3PFf!KjMiCsc#uQ;O&IGQaZ6v_N+t<><4L?xG}cCy*U%+LY~=dvh!p#b
zQ3zApI};}&Y%0V2EVaC9;pkiB=U(KVo2vHD#fI3bwp30H_(LXhev$Rz>&|3>0<AeB
zQzwJ$Z@HYpAi+f<U|p|fHMycBt{d0$Ma~;8cjXjTxVSGXiv(ZqW0uHgi|@3DCDPWo
zN)28`3lmzc2ie{)Ga0yB6&$4{tsbulDL>Pl9O4eEF*j0qM!V<B^-rbCItylMWcvo;
zODaoyfXzLEMP)tYH2AhQYar<Yk7yi>sV&m6KumxgfRW-=kRi-1+Ve%KR;nLq4)(s}
zGr1|4E-IFri#CN;S8C^5eZs8IzW1@y(Mc8e^*#>cd6yHDcFM>p$i$@};i2dm!Uu34
z`Du6f8MNN()!=C`W_x_f3KyKKG#%|NNxYd637P1LS(7}>RN~Gj8oHx}3B5|u7t-cp
zpGMRdq&1}0P8g5R$Ic)V!$*>FJ*Nu_!oRz?mDWv+ggbRM%J7EB&5qU+6OsDX%$_!J
zZ5;yu8`bOoK=D1eNU4*OrquWvDrm!}t%PLF#kQzIzn|JZPHSDw@e#9E$40YM<jhD>
zdx?|;USKrYo+fXRy|Z#Zen>9AMd{2r+`!Ly(i0kiTOfXtdQhJW;~gsz19BDS?SfUp
z;!9Zs92F#K?Km>hY%IB@2ON=FyGRARXt+ezudp~TB%pKLPl<GQZZM)5eGo-b_Lhu-
zStPe_LCqZnaFQu>SCVv9S#|zaZD3w>zi3f3QSi&4vPCNfpJ2>kV}(rR8(16zN`<Pr
zrPinJjV!<Q19S)@<2P8Lk?HR{+9RYd+x+ng%Bjwu{k?^Qa2||I4<uI_sYYIEab1_r
zQ(Z=-T#TF7aR<^@3Dlyv?9M_G54i`@U!ooMyyvh~>d!}ClymhDvDq{j%8v`4)?d>~
zl&Lh3DiAD9fP8>(7_(pdx$=X=d)u<WSeRHeSzQ<?nEOXZSQtqAXJ_i#>dx;vg;mkg
zgUh_UypvvpX%T}ALz79U$p!GzW9;e9uPRD|DZHF{?#mYur(vZX>TuQBY^;Ff-BO#p
znKf?T78d3#9=+ky+30tsxKS4Z-^V;(7m^e_U89HV0O1xuDJ}SiV9{Rq4?7-*zIw{!
zi;i<@?dop(**M#v5Qb{t`|rz&ihX%(L3-gS0B-6nhTz)<T4;}ZHj5iUg$5qBtb*p-
zcMny6Z=6U&4R$xqRiAQ>p8^}z)d+F$sLwO<&ZR((J@Qo!Y}zvHucI^P+DZ=m1w?0K
zaz(-hpY}a!$k-E%^AX~*GK+gWN^t}J7Zbk}7jhLNZs$4fbLjIetwD<wI<G_4d0I?!
zjb!(AG?>)^JD;>iPRwSLG=zU+)4&e5MttxwjF^IE{vH}`L={72K&ad`KTH>=Qu2z1
zq7l?^vTCG#%z@)pfU#kR%*IIh6jYsri$p`sTJ<TDdHMdk%*HZznW~;x|H`|Y*rViW
z_rcfIpfHa2ZwS~`r9E-$jsvclyo|i_k%<<lIWnHgU&k%(NK<5S@S`?-d8iDzSeDV^
ztnAtE196RgV;LQ(KIu>hApt0q<fORtLRnlmtBwK-!7QX0tGM6TJyDDVM9TT3Bt(6l
z<a=JAd3$^hexME`Yd=UziXEeOd7tH$LRpE;8x9ho>Lj0(PRh@SkBQBhnL9rCLYqvv
zABFk1ba^-E>4zU8yYuli1_!a4)h?12ZESvwcypx1SkNz;Dkc$uhP)H(Q+K_{HQ=wQ
z<g9iOI;f9)9c*kt%Lc#g%{_g5!*d|NKY7cN=N~XhG%#L|+e8K>wHb-)&I9-<C%I(#
zD%yhcmNGCMY~OI_NRm|6__NVuKiedV6VXK8azVg!L5Lv5@Q0~15vNjT(`jF%mr#ea
z<5-pRaM!<lg>slZslbfykOStYpcNC-u&DE@s5y$vD?O*Pe9O0$CJopcs{jo@OtC8O
z-3zMA&a@uyEE>rBh8S3^cBf#xczchPy^J(pRvZc6wu^affe-nScNbLTJszjK)T@?_
zj(#coB){)GC5xK>bmEquBwouI!6i*cAaZ)Yd@0A{WR_MdpaU57lgR_JaB{vDKnKYn
z<yk%^bbo|^fh(`5>_|~YiC-=&sVRZeqWbCh>|;ntutTsc`FUNLk4wg*K-w;>A|FrZ
z=~7w>03IziG@87Dm1qd<;fVMfm1zFTXOsU~0}0aTH@zTI24Lym=A!n&0O(8MzWhYZ
zqZFl(y7+n6&mjMnC=Ob@K><Voykk|`Xt+KuTiS9pqV5&Ex4Mpy?l82<X|{X3EaJG5
zyJ&Pwmf9$Gl>}6e#AF0Yy7E)FSP66|DJk8;4y55&D12gibh((NFzr5QVZDCC!Y8aQ
z8>cLUP`F})_vcS%1K|0r1xUuY2CF7aNvF<Q(^@5wV;ng4YDcFJ2FWQ14Hp;kJ;@r~
z#)X0fu@|+5n&)jP(_;Q)h4e#~M{P^<vuqAkiB!ZSdj7&`gYpiS_Ty<ns@Q#7Z`zkY
z%mR7$EXA(dr|8oado>f0+Aizwzx4SvZ4DKbbZ>%Qg~o826NkxHx*hF<+~ID->{8w)
zf01qGDnZ$}uCNG#r*VqJ#z9s8YzuW=K`=4K!cV}3c@cgbzF9+*0ED8&Ck5!t;q3v8
zjFfzEyd96B&e1f?kOOo|%sLf#Xn*3<%|VQ|uh5D@$+<huS%$w}r_n0rOsyD$t>HmL
zoR>|v_B6;k^@YrR*p;v9oiAj#H@&c)Xar=_rYNq+l1W?*V?C)J?=#kV+e^<Z7M4YI
zM!`?A9)QoXQWC}lEmprPOtnw1OOy}?-048erZ8Ij-T74{C=?$O;5GANvOaMQcUtbG
zJUfl0nLKA2x`9tQKYVfCvev86N-XqA<}nwsC-)Y9Bvf#TtTzCL`ALrUSOCmp@m1^`
z!#3hfv$e4II-UXGl#eK^9{B}*Z_pHGtTLvW5~!D2TAgZ44psd;S)H|-Z8{o$10sx{
z(Sm5n^Ut2wsBeyE^+Q1XN#FUTq4-T~RE-x{j#;z?y_3AsM4sJ$6O1&xubxt!S&E&h
zn;{jE4AC&o;jq)&)66Q}vG&lBeTon;7-UrykT5{vH3Sg#2P(J|_BSp9U?^G+dWi;*
zyd=nx8_!n~EA2I}&M$223F2;*oZncxgCwe|Ji$AnLVNj3a|1{VYqRd@3eSOWl%%`M
z;{xvYIszNFqZ87H18P5+fyZrMpWTHGff5ByR0M;?#0C7w+<=d<@@TbL^$97S$#hO4
z;Ti%;-Wh1@af;xY&2uyB707K{XOBdquvS?B-DO#9-Cf#yoFbA;M07W8dakfTui8d@
z%x<F5>K&{2Yr>1jcu1rrZQ9THZW52Hxq(=By}y1xZQ}=Bemrn^lU1zHWK^^?Uhr}F
zp|c!3cS#KkRxHMl1|3xc-CG}(u^dVCnQAzZ`csLZ0ZclIrlZ3~jb@v(^-oarOxLLm
z(FOKs1rmWJye&@_uX}~B^CoUq{au}+pb9Y&IKvfgeEYkxsj5W~r8(YV_I9hG#bMp0
z4NlJ-q|$qZT^~_XTRQ~_QD_8XGD#M8yV3Q8oD6^M(3}K2WX$N#!%TSPt7Y;o_^dbr
z6hm}jkb~Uyszm<>&q88Q6qfMg<v62ka7+1<Jh(;cvzVe}O;%1O1@h7Ha7@<X65VN7
z2E8$-&Ki?Iwa-+~vOb|r%c#}Wn~HSSi`JCwpj%4I@>SP(>PYI1C#~Lt#u>w-4W~1i
z<~07T&YQ=zM#f$+wZSgduoA-<bMW@hIt(n!8+vVFS0o`RK85mPX+B!3fWoO0L@zl>
zU$?~6{vCF_#qScSx>06j0pgJl6RKbJeL4~qDlfylOJyyI*mQwQc5&V;``Wz?&!Mp$
zLN|QN7zcH`0%kC<64VtO>joBWDRllt>lyf&GXl5R%r{{Q*{cQawfn2xYj;^Suyz8|
z1olP)3mF=B{t(Y=&gT!Nz9eYxFDDgVL^SD+R{-{Inzc&%qvawz#M>Nbq{JdBtIG14
zSQr=>IOq!u)UDEAT)Lcm{Jnn2a!7h^PxsK*{4z2DY<ToWGGDx89r3%>)=D1PDjsOo
z`v_>?R=suTxrTlW;;wn;mFBV4Do2mjlJCO=%asR)hJ{L;C#NK=f?G>8!Nl#XmtZ?d
zACd52=^S0<ODXq(Lqq@G-ifeuUe(YCsoSXY4Y@kQ-Ppo)cKX?h27_dKey)KPuhD#N
zM-e#@HS7GSUpCP?0}Z3Xt5(mkJTmPYcd%J%MP8eh6Z{aPWw!8%`@xr=7Tr2K?qrC=
zxExTsgw|a#Z;C&`RA|&;F|NykZBI20Hbpd&CR1S4Cg1J|@vZGKHCGYbUN5LrX}XcY
zv2|nPFeGz{6A1EGKW`v1jou*I1qWf|f<vUJ=Kha&y4{=&or+PUX(uzBSN=JkHJ19<
z1)sv5<Zo_~Tq?0n9;~&1<b(Vpf;Kr!7{ysD0G5MstdCV#Wo+tIw;jgsvIby~$#4Ge
zE6lW|#;cCC^~i|4KUmpF&)p%wPxr7A=&x<HvvW>w%WLC0Zs8+q-4L#DbH5?>0LRqk
zJO{tmK2#|4YD(3@(n@g#;Zv98XSI>&eNoY#k=^hW^jc<royiZy>e!SH-pO+nOntL_
zmN7j|j7NywYW#FvdBIAyHm!4_+q)F)4uwUa0Fa-3)2j_|^f8t;%4ScbKq!vYu?THO
zh7{s7-#xcQpVa;ZTYUycN#0$#=8U6s=T40R)^Y)g`F8y71L)b{_y7wFhaK|^x26mL
z`r{pq{Sj!O<-gCY_JAAxLQYZ1?EIY%dM<*OyxT;B2Sb4bSf<~+9D~y~nUEqdFF{Q;
zD!0=A`-pAgq9wc2XE+aMQ5qNZJPN%yF8B1w<a1jOC#N{jvL2G|TSF7f$oFh9lIG=-
zyhx6F4h5gX4{{}OWXg0!lQew2?vUg~X}NMaWL-PPBR18dBU$fNQ4124GD~uC0laww
zKLwT4wBij|zO`sH_~prIHqjDSS6c^{g;#%qImsIJpKnpeL@=S%oKhYFnIT_r(75^)
z063PCx!T|+EBAum9A^$Wbyjr|b$ATKredGM0B2>gl$+1EpAj%(kr?)I@dO{pYIq`L
z+#C~MScSKaXUzE|uEug<$|xqY#?*>&ay<8}py9;?UrSHR<pZyp?(L>CX~1730;v?+
z>)Uum;+AiBbox2<_sAI*EOF0;{SYYt64yufr*oW8bR@2{@{6J%qM??Qa@(7+Wf_|V
z)hV3I&<&0R0HZn#>Z79pYqX-SxKH->*0_m4*SG;fmqk>|S15+b5T>dIpt&;0{Nti8
zSt|#FYLKDpwfRI;hC_i#hNiIN?O#1K<R~e_B4NdNNJRNUAsFfmADn1(whq#d=ML1n
z!Rpz4?GA`{56iX_r6)h$@m8G|fv1u@YF1xPP`M_<eDaWQ;j5amzW`)a`mw^#EDo~o
z{N`0M30IoG={uajTQrrc_3ZMK3Xy!nt$w@+Xsq8r-;}h<{JAoWyCY|rD!NFHw@Cdy
zVg8k{B^;LEC_j3%WZ^#sUMTfBu!Z|Fuw~UIVYN0665u{U2`3@3h|JvNu>d5mMA+x;
z6)#UwHC=~|k`CM0N8v_UYU#SgFjYFPDGX)q&v#C#7THA&Yq@Te<Xsq_Kzv^BMO{r-
zmP1U=JLzQ5)$fx>xj|O3DFA^{hDKKLcGF(6>SqKeS;28byvV59p=3E0D+fNt$<h$t
zV70mZo$M%Qx0uAU)5Nndfl;@R@h7ViIR_P!bvyxhKOAm}ht{haG+&p-<9Daf@fD*@
zE<m}LSnvdkwKu~~?EM{sPfBg#QE0!d^)ZM6gVvCQg~rpw21!hFsr<7KCezTG9)+Lh
zZ_3I^it<T{+L=YoF635Ok+)4fx@0y4ec6xZIy`a*Z%W=&?r)}ZSHn{26DP?TBamYL
z@BW<A6Plk%9UZ4Kk{YY9d1;1$O6=KuhrH*!w<VD|@8%Dm20{4McflJrGJd#yN6@b5
zQ5T%L*Rj+YUDaMI#O-wqQ!g)Xi;MH-s-VFjdo2=@iCoKVOp?*ZA=B5}A;%E@(bD|<
zeV4HAx@}yIS1j~XY*`Ja2TG$|mGtk$0BvH@j(KiqFQf1=YPV*T&Nceuf`*aV`RHg@
zCEAf~1}Gr8ua640x>G!sWYaD&mdR7;1&4LFbyp3L*Hn*rJV5O=6d(3i?^<m#2x#2P
zkPG+A!k^An??`Kqgmj;R#c~-yQ?p4q=4JMK{6OZV_&XXMd3^q-P*LZK-!l|cBj86h
z?nY7%k#!yErilOi;0<h%P7NB>)k$D=*g0X2HV_X*W;1#`FU?K6QdFfVoN+ri5s}*G
zHDcL(&>HcUP$*W=Y7}2}XDgz1JGZ>U#Yk81`sJBW;h1mmVD*rONnnUugN$pxH;Wu7
z%b%U$x)RXe-79f4HoRKn$Z+)yOVMGv_GY`1dCTv_aeNztjARTuR_E#n{DR9CLZo$2
z34SjG_-fj<X{5$X*_?@$vNA!Aq^S&o@uf`&7Ii5Z8)g3e1v3CMj(dxU3aQW0lQ<}8
z1B{E%`Wm9jf;BbV_q1nWm!(AZ@i0OAA<-2yc$13d-Ab^BD?XmY$=@X5N&DdjQV!{a
zC^FSP@Gi8baPzcqgWS<R4${d#=IO)#VXD3ePr}dJ^%N0(;PbkOn|%dXh5|@DeAKCO
zi~mep{fX#~hKigsI}yBSx)V6A8k5%1MoiZ0rbYg!-oWiXqFdkg$o(}i08BYS5iGo-
zy439TUK)c03k&s3PpA9)JJYZ4F;2<&JfO=zT1)H|Z`-^2I#xGIimgpV`my6dr(|F6
zye7kV-lZP|K(u|!<+i3e?ie4feMJ1f{Mi$GCg956>dABu+IEw~6_;c}S_`hc$|M0a
zgF#&Qo%AN^ow{7UtGC*GLnACbi3LDH485UI64^ts?8kIATc$P@n#96XG*6{qr?xi}
zC{|DnBU!x-ZWVJS4jOST9-Iwybuyg&8I~)ZBt*Q|*TW~CRh^o0G(Gx@!?AX<bdg%}
zGK9~<z{x?thqn0A&ED8aQUS@yLS9p7t=Vs}v|H%HLZfxM2W_Ve4Vx_N8|72ZWc!M5
zMV|>}z2YQoac@M+6432kdtOd|?jo_q52T2O237sJ#uE@hv&;Hf@is2)`_;)uoWX30
zQ@BH}crS(pJUwZ@?4k>Ms51j%_Z&jFHJ1d@$b|wkMBi946~JPunIUeGny-<e)6#&-
zc=!<S^9~&lMujERddCLIm%h}yxvp^>!c3KB25v@2KN(MDVL_2<?N-%5jCInB&HxAw
zcMdG#gzy(D4iEb}9%3TEArL9N2|h~ydfgIWVVL15viZxqsQB5S!k{Mz?rcka&?N(i
zx$LSgJU?%}0Ub|GPkv2cz3v3mWaghE>Z^-Oi-{VfQkXFqn3p>1b<S+afaKki^H`d{
zsEvU&NqJbwBleuPn!K*?w!|&XHy}Th5Ej6)*8#jqX!k=XF%u2bkq9puvp0X4F>n;l
z7S4RU9JGxgGzca`+Q~$B*WK?eb=oN4X-eXgX}|4#WhhKpQKm*+ywK5df}*NVB;qJQ
z2%+kdCrI+p?pg*6SlgH!N>QlCocp6gF~oLo#NZ}@OG3c1)>!15C?ku3?{reKiq$-)
zYKIXO=*a})INHR$3n(&GHAr7L1W7hk@aXlyv;!G1i%*mhsRtXwHjb(anKeeFTFlr@
z<i~H2P-fW{(-d4d{VKd>AE32@*A|oXtZg(LSZls&oVvDcN*G+-ZAFS#^LwFo8-C9@
z=AHI+0T+gaiNYqWB3&vcw=Skp;_Dm!dVURhG2Il49ULr7+a2}1MB5s7sO|2f?*e`L
zo~0i00P6iYRr_PAiXtNY<}F);N^}IVCy`Y+X+#wqz6A*$JMk&e)XBI#`uh-TQaFO|
z+R{bdySWj~4I@0{eb^PN#d}P@7v!|5%MkH>Z?>(c#F`Eqb}X1VZXtDu$o}`e>kwLw
z?2?MgKCL?!u1#+nF@Dbv(VDnv(w{#?hu|~(DEp0Wa2KOS*nI$qdK>`mtz`BM3kp8Y
z$~guaYIruR@zFr^a&xFZI=5pgbVFt@&q2GyFcvk?eqBO^U{LW7jfp>>2Zi|>6HD0l
z4Z;g)=>PJ?51{OyL|A=~J&Y?OE`qyAj-d?a|HWEjaSFg%sxCn~={Ey^*bm768p>g-
zKf&SR_6Fa^o(eQ?ZBt}gn<;`($b(|HE^cV;aMGy#{V0_v)5PD*gwTeRH4Ir=K%#M_
zQu0OZ#*9JO$rd3a|H988ZSCC7nFTcpn~&cY;n)r$4Vl!J5j;JwR0VuQfzUqW7)PqL
z?;;NShXWd<Py)rILo-euwM+D~{G2(?Dx0h`qN=d!g%S5<0j}SKPF>`p{-J4T(QY}#
zs*}CzT8P-`0TH<&*7`sl4!%0as0G6{e7G<zhQD@9ZKglO2jLYQjj$ix*NTd|-RH9V
z^5X_KKDptxej#nHWG!66UZB|{@c86ceYx6ZWb1<V^<xIRKnob-j#jxCop5*w*Y}}E
z2MowTH+$FE<^}UH7*QSs8ze}h;pHCNP&(S_%n6R*4_t)&f_*;I%awLN>=hCcCOR-W
zQ=+`ynilPz7ib$9HgBe@eclNz5wXu!5!#bJ@PG#h|Hrd$OZHQRAD-a%WHe+~nb>%k
zXnwFYa93Pl@NyDKK>k2?wQCFN>3g}~K#Bp<0V9h<ARiu<l2ioiOoD*=g|3ghKKb+u
zyd<~tj<XD<{3p7bNtCt-5RUVdDQ|eHxe&N6`G;VY+=rPON!X?Nc~YN}&HWVBW@;3D
z3VC9|^SwAY3FnY@XMd^VhdZX*A~yzg&!;|(M@@a?x5LOGlFP-SsI|BiF{*EY;xx?p
zbZpW`1B!gq$UgE3L!GE3dlE7*mLS(l<pbcra2aFuH@UQ{5tcNvlqrpMi#n_@!El&s
zdaAq=f@|YV6REB&P8E~#%%OP?zOLT3QyIRjA>ayS7_7p}KnRBG1-w)dU+p^oux!Ke
zDAP3-`aaDCl5qvG#pS3&rkMbMs)K&f998vLUONlefX1LRFIlILn|bBcp!3o8Jh{|(
zJ5>NE(}uhqWSHKiQQW+jqTT8VR06PZg;@B9+2Pwr1fZ|O6Ya&->8qE_{jM%=SJ?O-
zVHw(!J0d%S%<muX=>e1rd}elARywIcxgxtYEy%QF${sSF3Q`U!1866}nEtyBbu+GS
zp*xY0cVS^b<GgDKTR-q8YR9te*;L+)%RX$xLaVNfWjWI`z}^<EE`v7~&^umV2%eY7
zXokDat~xLw`?ISNxSoc&+dHzCz5dPqxcoyZV1G1YZwQ5|&g5|((*v8IpCoSza5Hzs
z>WYdOeQ-tt7DCD0DA<tARVjKp#oIbH2)|U53Ss>pPL7X+4^+%v&I$+ybp6V)OP&Kg
zsf~JZcnsC0z8V(pPSiVp&@$*IlUq?^&Ul|O>DM~RRKkC-mjQOGp26!){41%K43wH1
zAfAN=2AY(##)qIG_g~(aF<?AT)my7j_P1{E<th1+F~Xt6A1&DM!+HD(zB3L_wR>^|
zY~}uT8!0ur&hrzOs|F3ZB>t0Zl)xinW8<JvRhu_kDC8>4)hW{L33LzSn2jpW_I<jm
z(MiqKH3qR}jl)a#VhgOP!W;K!68V4FJ2~k{B3Mi;jneI}r0waAaT8{qKngw;Q}gWh
zFji)m+NyNLLR}55_Lw2>Eu4(wuE*$C`y)#6f1!M-Bjli)sLMPIa_m5-p<;wE1Gx(Q
zWMt9SQPaO>#l~(Y<{)Gs9X@8fEn?0yNdF6eC}-jir^d*ngGJw@^;hfa^Xu#JYfyDz
zAwWJNt(hkbDpx1^$NS{l+mX#qEjm0rQ|5o(4E%?*g71MQ`FHZsg_utpZ#{(-n$X{`
z;QTQO;GH^?zcY|blz%_>MOb>^-#J-4;7B<@=RD7pX@BQEttS4q+_qgK-M<sHrhP$R
ztgY1MeFy$o55BJxk<Rn}G4q8I1~lP6h)~BozX$K)|JB-x0oW0^!ioP;(~sXsw6a+h
z;~y+D{NLCGE?_F}?_{nV&EH+x`2Wq0`~SN~@!5&b->NtFrHuHmYRiyGS6_CuqpTU4
z^m<{Hx#)h5HcFCoJ|Ca4ylIQd9qy9U1yMCKN_t~PS-%NzVSKIoiR&|aJ#5E8iN}rH
z+%X@KZK-v|&3(N+FXOThE0>?E#a2AlIo`^ZS@hw)ZLF8fM78Zdr@es3akr2ua#46g
zaFL2uoLR&6^J?YckA-gE-5Y_ME}-S!Gk?#a^`A`&p9<ECJp%nTBF~WaHGRP>#v(_s
z`Xf0`|B#4;eDnG00My>9i*CaK3<(><>8;$a3U@tIr`JTD%v`Uq>cB5Sq8`?k5u>~|
z0V@!yjgW?43G?`uGvkX|By;-a(hQTb7Ou51@sN1>UBAoVjV^fk>wxGemb<DZM8(Qg
zT6;NoRwKfLo-K!4;@PlWVvG2uXwb!7;w%lE6=f1;4l4y=0&f}K!m64XAX_I{iT?zF
zVw*lz>X&qy(Gyq*+wx;(Ce(6^J86f}Ddooj@h4hxg&iQ9dE01@E9Y8~ysB6c;cwF@
zY4uMe_!r-cr<>leMq>9O3}kIE#aPzphraXUUCezwVJl_P*ofVbdcTjR<+d4L`6&6m
zc@?D7Oc?`H*+_;e+NtymG(3Ae1E>OqkxQHsf%;)>5+&6SwJ-+Tz7}a~roN>Kf8nBR
zRlS)bGbiHP$6v82Vyhw=1Oq=r$0ibRRvUO*<xT2#Bef0S+C&w%hvdgcW#EVC^A!z4
z$BzyuE&0YmY6+`65p<-i7F*FC&W?9wSG5cf$1ybfY6C2i7-9o6-nRi1P*E^VF9-`-
zx|J@RH7PR4d5)k~JQ7_+Hd}#Ox#%5ZG$@9mVK_R%S=}-7Cd8RhHspM6EqP}-DyBJ-
zYM(d+?;?cMYgKu5QBtd*gCpxPH&=_OqOv_qtGFbqQmy>c)-qp|bhH7}hH~w^ZSs+c
zrK?*fT5ZAN9k6~I|3)Fj3c|mp0u7MS%l`WI-mz`lrU6RZkij8RJeI_S<kZ8#VG6SP
zTKM_#57(?#&-%gr<7F^X+SDIq_TmW~Sm7PHyM`4&qEg;g4wrMMh#l38SOf=r=iFK7
z_OD03EK?#jX)LR2?MIDA7)03ZSz2<6uM#1PX(dwYefeM%U)3<_y`GrnBJQ5k(4mDm
zV`E=-!Dl~uc}m+YE*$gH85gP>71LzVRV?6!2V)_XN3`wOD(X+sE8<X^$9rcP=OP<V
zm5Mx1*TIVCS1jlkU>PRbS2}?dz<+TSd@I9(nr7VBcyLdnH!4@GnQ*kkw96CZhx*i0
zj@Lo?fj6zTy79e=O0s44M<f*-|K;0qODUi#jzUz$2kvG9N=<26@{bqk_@8T1LRO?a
znQ{v-NP+fxuinN{iE!#3u*B;zS+&0`mi=U3h~-;Mmtoi~wib`38w<S~4W~+Y^}&{o
zJvxBu-_A$u2&ARFDUVnx-Bu#H1l-P@=Ym9KIW5Ky>jB+Z5Zb)$$h$AMhAasFEI#%0
zfOGqUt3BhCF4$696<J&9Myzh!(w2e~Ck<W^kCc&c-!mvci$#DWGBe3|F79XC!iX(s
znD~Yhk)}&g!tZNYlG%`zNB7-B?t=#07Zb3)*CzsH;CJX!K#qGEVmej?ni3uUoRfJ;
zm<LA7&;C9&<|w2lKeTdevle@l1UI7bezmKLP{~$eT_vrV9!=>s5&>EWf0MH#b>b~E
z{H$yZ?7&da1~nb;wZ#2%dJO=u=hx{&l1;j5XGK-*t4nXqW1~Z=`eop54c{1Q&Y2eq
z7)1rUk0)sHfSw`1yn-U#fvReEy|F2#mVySk;iq(B&tg_;)MXiQU+uw8_$*>q__NxB
zEb|7{z#W|W5$N3lxwc_kB27IoR*uKg0@i)To51pBhx&`M--@FhPz1=_2z$r^(ZAGa
zVmfxU6XaY9sD7u9(rC-=cwtRz5xDY4<e?<v!8_2V)w9xZIYRsX(b0h$rl0X)?DC5@
z;MwmcpIy#q#an4%&9^lMtojmov9qUCRSM(oYR=bN?BY}pA~;MdtZU;}7p!<<Lv>uS
z<WSVziS^GB!I|++a{&oI#<bT}EF3ovEz{D<c43iO%FuLMW+G2!YDSWTdJr8vf-a!O
z=dl2fa$UadUCom4d=0yxih<t}i?q;-zI-hB!hHMmwuZ3RztNKARZ_`Vsg_Zbq2vAF
zpNpG~#L}7!>ss8*lNsnNN+>%?MrTG_IZ$rBnI_2_ssWSJ?{=WyNdk{3skvQtx2m-u
zPJ~y3<uJ5i!w6eUZOfjmK-?DXYD>%|3FW}IPQ19`q!B-<8$T0#_`w%8tQ?=gS~+bg
zo}@33`iiWbI+RivJh9NNtZlGb(N!{LafQ3;6@lx1u^)C3Tv3H@>D0^-j~qm%|Im;A
zSf2mlt~Ec#eeuGFMInAZ9n&DlnK#5$!_#Sjj;9<qf}Y@NlFF^$o*JEgDZ&I>{`?B8
zA}_qsW;}{cX-5E8K&ZdF@ieYnHq2|~*TO2rrYS_Sekl1tIIDI!xJ%Exl`6>$A}xeC
z=fwPHg{lx<!Tr|?g$LyH)91Tl`#U-o9kKMm1?A%C)-x)xBCW=F({t$$eR_~+0avh>
ztIQha5eBNcbx`D|{$dsTHT)L|WcmY<w7A)aH8rXJ!9Z5sz!r490Euc*+g+dgWmsKf
zs03CMJAv|2%kqOrddQ@W7cSR67=bK0{l?&xeK3j(|KO*jQF9Vw7b$Bq6ns+D(6ra)
z#?;5WU)VB-Th{v{@pi*hs$#mh8Bg`SccDW?ybKibmSZhzx8e0jYS4@GZmMT$2_)-E
z6-MucC8xq+$Z3`ic(K7HhhqE^7jC`05$HD>JhHY?c6Fzy$hz|SlG3me;9JA#v}}rw
zewGX3{6wbr(O7EBSGbCEa<KMYq<a&$)qTLXtA4q6wgWAEB*s=sG@~K(1Jp>EWakI)
z{S4^wwkqF_l(~}XCMGc$k}K8`7BjlD!{X+-se1;vD81I=IPHMgt9BzP#yPz_Cg#%j
zj@CF1RvKC1y(%6TyGEWW2Zm+{*T%%qOfk2V4^Ch%O?O#Av*dd2RtECJs?G7bJ|I)h
zs7}$P70(;GUt5qaExvFv-*Oi6Ddtp-l>kuo9b`4~e&E?x0sda~#x|DCEJ&FHfcd6x
z4=O;8K~F0<r=0$H6+Cs2%jIzNN5AZ;=1_DFCXLljeo?ltT9Gssd1NU@d`s!7oY1CD
zDhnNUKjeW}BoNJ@%BkIZ_|?qISHB#|R06`1TH*qkro0vUn4;0XD71m+EP@9%y_-ui
z%XXJv2eLD-jwz`4Af-`T0C)CE8D(IUEZ%`$JmQh73LdiHUwTzsD2AE*8`I<@B?dgc
zt-iQXjq&)nALTNrqOM6~rA{sajy^1<B5S%ns$mlc=GSiCEK6=l!MdV<<{bt#7<Dzx
zL*ILm)#;q73@jSpob*fH9x|!AXR9fZqy>c?hBZFe{&dc0@%|whqqT266|T~Wy}OSu
zv}zbELgA5kBpvl7AeYadib!x+L5)_-S`44&y&GP2YdjgLUN$(+XlQ7D)2L=)fup)~
ziff9DB)XSlWnZwS4j!Uriaj>bvG*OVcx7poZ`p1lXu=yp3a}R1r@^}2v&qREUf21<
zJ^cf@2brB4a20^v8?PqlUzj@(qPY<;>lvsGao8$*NeaiE2nJ}xNcqPKw1P_Cxr^M6
zYIA<fnHt+8&d4_2F<ozQ31Mf!$&YcR!!SYNf_)Uc;pBU%6!g(~NqTHF6Q}I4Dai1P
zAE_TY2N@HI%COpvOg!?HVVMG(^Sp*}+1jy46zhzVU{K~*Iq!jb$8{-1XyVCf86*dt
zw30t8C8@3A>zYH^*g%aGO&x$Ne4<%t%~PbuH7G4o!h8opJ4B8?D2C<{sT=f~km^DQ
zEfD5joDTIoll?#KxC`VClrEhkH=adRlqMpPDih((EP~M09~&Y^hAnTCD$fwHh!1p7
zGh9+(LTlUd>y&N1qOKuOovdM)2DH@<^KD0h9>(M9h}%@2)i<MzIn|u4Sa(U!t^4W=
zgkZ679!H=mgqu#*kj<m58QhDCHhy{55~+*bv=3T+puz*yU2tl)kQx9Rz3MZQdYzPp
zYUv-yQ}d{*r%8Hm`#&_9)arGh&@5;x>@A0$;V^Z4nSOK|(#WsO^*B7$IoJ6$0l_@j
z<=$@6_Cf>PxJck`AG(K}G%o`S9iduV0yA!boTs8~bZ(|rn<M{rMpi$DR{u3&gb|k;
z+2!jBr78l?9DP!(Rfmum!-dA7B`J0_2KW-_;VqI5<e{}eU(zPPIL9a)7mwGI?Ip${
z=jAtSGvd+rdT44$?b}QZaSjU)K@||JmF(#$hQ#g3Zh6NI>7W^P`!gPH6v%{M4FnIX
zhinmW&1<t5D}WO!N(xsh=;s<lB<D_MO7`M+kcg#Y>DD^8^ql0yk~f^kI?=_S8L!Zp
zjnrPMNA8T2anr9y<B8W(2%3njPS=l+qP?$%;U%?9OQ^$VBhkvdW?jBUE$7d?9Sw5~
zFR9JNVd~J86+~2Zm&hvz!X}fk!W|RScn`e9N*dlaN(s;`@e4mIagFaqy6!(`48iNg
zDK|)}3evMUxG9#%@s^fEP&kkrJMiJ_v=B$#6e5A^<g-P^;ovaWh=_E7PJ;}4R+W1u
zt7-&CB_^op3#}!IY1pG<%9SQeZ{sQwWaSNu?)I^Q4OO|(WGhhytgLOXlW1Udb(1zK
zE;cZzQu(V_7D1l!UivJ|t=OQqde5|E-9oO+rY5wo8PP4zP^~-Qrah2t^kXZ|xQxRp
zMSnY-=8stB|2n9^k?Q_DpKgGiF5I<R0T@u#yZr^?!o%ybZsj}^<!%y2tL;Ejkg1Tm
zbtUCOIpgM~QGe%sP1e8wxR3=;6pGzhaBp+T<O)l`vHNI&$2rlCPyH~+Y6!2U1hvut
zI0`PwATlm5sQ1GJoGAd|D9LJ_D3U37QxuLuMV(_zD61z+r?G+zEs=S@gVDf0$WW?0
zfqF<XG{vytSte_U0(H7SNOsAJl{oAne#-RGrQQ`GhgH6&Z&<LKcXCsV)|24YkIwbe
zl9Q;3J~?$rVv%-W{=I)MMIw4sJJvYM33|SEVfZ7V(5&9BYiyBe!wFjHB5*{6-IlvN
zNHf+jw7QG4`Mb30tP$H3@U7C1g3XXXk2H_<7PV@Tt9WKcCt6#$EP9cl3K(svyW0DF
zBL5-_=JYaB#tCsIg4Ks(r;zzdhh$ijRhcH4d6iU)7V-vhyhLaL#HLzDSrzDw1jW?{
zuiFk%uM|uN;q`C(%1IF5fuNCx0ODd9B*NC>GiidQVsO7#BxkpH(^fh_@@}j377NUO
z;cPO%HpCZ=H2}-g{ZLq$SP<zW(nk;rY-?m?nJPeR_Q?^<abS*KY?6q0vF&H}A*l{X
z^_o<YHUt9i9;0I?lAJWXfD>syrScSRaIM1BaAg6LajUoluM_)O0&qI|hlQU*`w10_
z!&H{1^+R@WRG&at$&s@XQA9?%Kl2+jffA|-atRp>l4UP~0_?Kvj!`5SQPZ<5bm}!h
zmfKm1ogxEPg~8C)s;+C(qXkn+*Bh2piLIM}<FLgSoz%)}@KY-Yli0ekUJm*p8`Z`>
z66_+`^0q2O3{pDKEYqr(s4j@%ht&<EHor7qzx_;zwL4LTRsP|)I_@AE37Y10;%!}A
z-M{@4mSaT}X@^mfp%!^c%fQ4?P$4Lra$$A*hlP1sgyGKjHzzY(#clPK=b#JzgvO9q
z)4Df7+w<|YFD&O_a<J&r01IbiSC_%GMBEHzDqX$`j<ADam9R~FL!G6*nZOA8p*i}4
zLsA`6EPSJ+%)~!Im&GjIj(;7T%pp|=P|M`QsQ?K!7dzU$Rv|}!;S4gr)$sJM6apYE
z2dai38wQ)m25{ws8$sI*?Z8?Pg)E!;b%do8dYBNE44Yddc=jdU69U3G-@an6siyfC
z<1&P6YhXR}OO_C-3@FH7L)y>96unbD0><|>6{{1Q;TJ0=z7Q=28gh{{`2{~nG!eC9
zy7Sj%rXd0JAu;!o;|5Jc&E|<%jzf+$Zs5WyFh2q(ylHL_%}8ay*t;eTV@EY{)rD^6
z1`vdH6R*a27lwA`129m_r|oJrT6LXi0zSL}s+q8FT}%F&)1a}6aYo2k$cM8s(kmMq
zjSD^)BpggXvjiS!N!t*hQZ8%OsW=Zyi(I{cNB#L8kx@o{AHMvifUY*^Al&=2at&Ul
zlUrqjL{d41H3EUDE7rM_ZsYQNV9eH<nXl~CWOZ#Ex-s=*WR8vfPh@hFzZ~yh2V`tO
zi*?17%r(_%BCKnOopZ6qfg;^vfVg1|cq2;RYc~<Ij{l|c{BzE&@B6>eiY@`ViA&dI
z{zK^sI{g0u*{6cf=IopW$={FlWB~18{`OUjPZL58(0x*t5&J(hs8IjA<SGBRDpv&`
zY~X)LdZ|E)0XhnbR;2#k$Q+=3jDO^yu_oXF{a<?3zqS(<e+b}zlbeQ|$NI#yG5+t3
zECyf&`-j?A9Rg!>y?$7Ib@U&_`#2-hdbB&&I3w$viT?AxY3TX?r}O{c?R=U4)9gJc
z`iYtt^dF%HB#==ta_aqLrk_lXp{q{4Vsd~^y;8b~e`LszzJrB@&_^^$Xo=yE0Rdn`
zk0+=I+gp-pLq`AWOk5a&#gUSPpha0mMn@QBGjWu|mBpP$D9$pn1fWfh#;LJ&abY2w
zBSlj~;ZXnjWR9j$`isTiU|MOG^xIVCD7SNK&d4$fDh{2F3DQw#W(Bfpb|aC^<@}3a
zl{YHF@fI@`0VCzF#==VrBkFmbY_FT-$;^yp8ZGCJdQHg`hW~Z`PXZJbAn9zTUsfLo
zRjo)%j|>es-1V_0rI4VQ3il1hQ%=t@`Wx-}WF}cmgitIoC85D{0Am;r91#rx0I&|f
zrf1Fr@@QJ=DyKS}rB;La=z;#=1jfl(-@vjKJ@&H1e}x~Eh<;lfv6yg<$I*vDXSyow
zH%Jr6eIwMvBMlgs+bN6{Zc>(<`sUi!T4FXPAT;>c^1OEPyJ6P+nPujmTm-Cz?Z0YU
zOX0R2L!j<L47{Xvu)dyV(hAbyF1WJj$R#JX@+DeT^@gveHZ>j(dK1r*t;Nsr@HQxB
z=fL<fEHr99`jopkYL5i$+_Gb;b)@a53$OM)?=MKqxn1|ntD&G^B_u+vMa4PUmWFh$
z@9yR@caN@;=ewS!=}yv>F386_Qs_w`M>s~4LjT*8y2l_<P?H3Q?yv12E*ZBFNx8h7
zf^p}T31rmeqw{xUb2;}2-Jc?F;IGXsEK18PW#V@kqI5df*vW{gbB#q@Xd`?Z794-A
ze1n)*Sj1j+#1=1xwxh{nb6Ye_G&48jc5%J2kN&{=+N~SA*JK2IPm;!Ae|u5i`rK2t
z&Z+Tszikk#q6zGDtYd|Rjl6y@C#`Zw<su}1PXezZ>r`oV-vdNBrRPNc&%_dlIY1Uv
zaazgJIyOEAv<Ya68585|o|HwMl|55a=z~0{AY6M8QO21Z*`DN8<;_SZ2X)V<ARvDH
z{y|YV`+H}|>C<&zIi1wz4qR>9>m?lDvFM$0CM#wRS~N*}E@8pB+z!U_-=v@t*JPGr
zTv^UC(Ye`euj}uWy2;-T+$plZ4$iJV@9H?y;o9c*bGExzmLxYiZgehFJ)CD5VE<>{
z)<gZ?ewBKTBUAf-2n7d%FD)@;u(?&@H$gz?A?NY)`75A3M-V+T(7XYy^I~CP#^M^g
z5|vLb8R6k&o7xY4JZeXCJ%3#uqaNkSV`5@DS#tz<=j#*6Z^VRWR<&F%LQK|h?&V#2
zya#<f&E|J$U0?rDmPTQ-SzG0tq{^=LooaC%tY_WZi`TQ8%&4-Rk_f96lKkdp=qo81
zVSHhQNB8esW<1b;LSzUzPgzku)DUO06x2u%I$~lt2_{&UOh5DCqxRH)ouJ~e+Uc?N
zbvq0o%Da5(9mZ15du(5S?%-1IovU3$MuoQS&0xvR#v$YkXyfkq6S|L%!9d-GRX@bU
zH{zF)B(-O8B}L+A=OX4VBwn(O0-Xf5=f#B^YC@x!i~slfl$i>!Xt<wA!Q!=zqGa4H
zJtV4#NC{y5lh@F7;cTiS+f^a!F=Xix@6im|W!`Kb><EAD;5&<-+`6{Wu59k*_d_d$
zOBp@PV30{;blkP<1H5Byx7(a;1opOC1?7dyO^^D{Mz8H_14@YcbVTYp!7A#84{{dD
z=SktJp&NLum)h1mOt5%!>+BB43tWvUmXx?GhXX2xJU7)vz~p2l3)POd=}P^?gN17a
zY?i#Q`!ZqyAz^&FO1hu%XP2EGYiXQAa2aM6Ca0Mw?k|yZulH9}Vnbo&`fv1I+N~|k
z)%`Tx*2Bm5)7Lrymi@~4MR09qpAtukk>U}&aI8glUe8YIk0lz*QH1V75$Rld_w%_i
z$io7hp4~ACCCSn1PZx`IB=#0-yS13j$y8qMFC+ZMHkX#%9n_98cA~N?!89~voib+E
zH!bglrus$jRpeEhbuZJgoFp`8X!*n@!!dNgMH+NyYe?IaYuMNibmacD8~|7t*e*x<
zOHWc^b&@3m?oU%zP_Xc<?MMA_&dQkSX}#_N6JH}gZ#?y4r$T{?m@C&q+3EB8@|bl4
zuo>-qAc8{ODU|wm`VN>S;lm*`KTlfw6PmHS9S%-^U=7@iS*773VK#fcz&XIOIiKI_
z%2#2K6o*CGQ{1`E4QbQQew?-BmEU$GcaoBm_SAN;<Fyg65zmgayc|I(d$!yZ;%R=v
z)~g9<qlD&`72kS;lVh+H;Z6=s{r7$c0Fu!UR8dy3)@(Oa^HBr_Cw;NOjMg<t0-t@7
zo)*GNu&BK}+qZ5p)asdH2SE{-QW~n7EfPT{R`pCOd<TBC#Rus1xJW;)Oec6A6IBNd
zm6pWR4R-=ZLyi)J=*SEqogP`7JB@UzDi~OB_2GUq(?NpR1#%@XT-)jLranF+2ow_I
zjONkkxuG@8{SKMk@v#;~>2YI!3~Sj^FmSM(2g@siAC@C+S9ja_YNM!H)2_>G7r6Pn
zdx1KQ@r(@lXvs;rpFNgbOrF+i-UnzBG$%Z@>yQDuHd*=u3$3e-?}#5F@p<M<d<uI^
zX|2{`=7~^}q10ENiE<0<C3p@z8k^Sa79r&q0-NIov$~JqJctUwQT&&Oydv41?U$mK
zyc4nMI4&0PQgl~RS@jbNLOIgq(Ktjf6o|09*XI?<^={FC6lcNx^7!a0=fdl@I7315
z6b=!(4iOE`;dN!@sE+%Mr^1=5LvR1$AK5Ur7r58u6!Ho7_;{O)=9+IPKp?<gdB`Hr
zUYS~j$LI8r+^Ws#J4}9nojFt4&{fgZBxvKl)gD+ecJ}on(LiZzaxCf$g(9-1)~+uX
z-lagbg>HSqYe;0Bm7AXZW+K8G{Ca0bKS6?uweB#yLl}0KrymID!~4@aNGRwg%aC7G
z(pJ^iTo`;A&^6-foHu#Hx9a3F+3f4#*Dl%CN*EjOjvV#{FO9L(e-=py^-~@jWcgys
z7EAd@<mOmZBFdTwtnE?5KvFn0X89gvJtJ`(GE1v8&oJZ#&WzHU7Fq@lU1KhLcS>pX
zy2hcw=ip5^G5z<*b0b9`o8<v`cONif$a9QHp?seGf^jKIeP*PPBjZDXpa@_Fh;DuF
zAbjh`w}nL(d^zM8KLu3togX^~$H;=c5qo)323g3tBeHlN*54A3RL76?ne8?MTHOk|
zX}eO>U7yRjy>H98-FLU=dZ{SM1L)x3Z58DJ-S+g((uoB3dC$C>iQV7I77iXhN{PY$
zn(Cn1LIBP@19kG>lZAq}Hw0*keJQYuS`@vB4_vz>IB3t)*s~DwA2a<mH9<_S9Eqp@
zVH%+9*n?6Dk^RF2q*qeK3IZZ2JDq5Qcl{V7x%u#2hd#V~NWf3<NM|AyFIC7;AgG)X
zMJzNHqwO<{XN|K}l1C)p{%#?%1AJ&uO;tPAPl3?6JU-lgXiy9c7!-TetKat2JT@hN
zbHWB|ixTGcPTKeNIn4LHR?P2xuCVv>xv-Vnx!MmO7yEZT|DOc#@JAuXq+KZ52^!Wk
z&3cNO((*wWx3|lVvxbR{kmz>!(L%)WKSwWHN%X7t4#ZwqOE|J&W(-#w`Rmufal?|i
z7i91sZjwlXU#3SDY27>qpq!5tE#}2ao@;80{qYCtG)Q}8vg69C9M6h~&S8AQM$bQQ
z0?|%pVQxNx^QYS^5SZf)CbWgV85+b+$mFERT7K&_heDA@1_A|B?RV1AQufGGYEymw
z_+S(*zTR@*sf1G{E+&Pf6MG>v%-;GFum-)RQ-W?K>MK%9I@Pg@f=2dt6i%u5v>II|
zuY6A>`T-GH5MuKxpvYtSBX*|+h~_b|Fy(MY`&+Bei6fw`tStGw52HduMQ1sYD>wro
z(d6Ax3^UDlD_7ZQEY{aHZ|mehU(UPu6&5qjG#7o4HC9b+*X<9yt^JNFNchUinBa0T
zI9=r{+uB>|GCRgjxt6cx#A6fjPSdU-Zh%5OOMxyZc~&CMPRoIUKi2Jc3b<g{wd7?G
zPGHGP{)%G(Q_}cu`xQ85L2n)}!nNMpB{F0_E@rzsS0BHN+{Y2=jC~s@n%#`eKxfWe
z=BfC(K-lH|NfXR?e;G?K*S;x{g&e8hI&wZrIVhf!^ViS8S$*8#aw?7SnxnH1{Qzk@
zr?MC~Yw))&W18?9b~gL~@IcU?<*=A9P(==qM^gs|Km4&sCXByzI`9^k#SL8{P3;mi
zgBd?7M~yb<H4_d<B63*W3=2O&z!erZ?f(%ZfEWcw5cBclBkq!GwbV~=Y1BzQ9K1cm
zSP)Q9@~;byxg9|(QR~HPo0kA1x57+?ekhP{2?D>pzh`rMci34HT6@|9g21Q%_6vrq
zn5hq@#beh}_C1cb`aUhGg}LH{xCg~66*qrQRAa@u_^TVZFMen=*5uO44^Xdmz*s+8
zH8+~PEWTIvXm$AxL|$U4S<6XBL`6nS@K90l4+C9V^DKg#?JH2rzqs~~&KIg~`dZAr
z1dx^jog+!L@_qM0E%Q1gQ@o^n9G;5M`QrI~$C*9Zs}Bx!+kIZ0-1Kg6_LP!9OliIZ
zT}3B6e;m*G;;J+mA*Eitjp)f)C-(b3iC<UOX6L@FTa}2k_=U*&+%D{@bBUnYxx1MB
zI&9raI&w{xo<uku@GUvAaMA9#1eD1kTblA>^6Pg|`>>3p0L7f*?m5^muHOsS4ohuV
zfF$>j^jCG=yl0wU9FQbU(UisfeueqOQC*WTNpg~ZvujP8mX-B7FEwKJ0a9H@OYez(
zuWW%;J+!E--t}j8Maci!7EwnbCSz)ywLNzRYi_!1(hgJjNgaMr+Y-BQ$M)<M&B$JD
zkYfFIGy;O5>Yj}HxcpQek<Y^`*(~#ee_d3;tWuQYS0!mpQ#8YCTKDW+0aV4oj@tXQ
zvL+ymEFP~E6Jf)0&9)jYm(3Oa2pgS_U)E*=IoU^~givy)(P<40R_yY4uHfbv@KE+S
zm(S0x_>o35;1vOjl_CVxYiRJgLc>V~@wqmRpo^NGpY!4vsj@N)D4`p!#;WCDg`#?_
zltVv-zgoD5j;b2=sakX{cmx)H31CiRE`}&(+W6S60Ekp>Y=ZSSA#}m}8vX!3N2lNO
z|1hDt05xDkJ=xGpN4-An5g84?e;vw&QL;@`6djEbyqF>JW7)XTN|caa_Ujm|Ug)&!
zl3}?bVGN}rf_4aZUtOx_UlcWm3QRhirvr=xr@9*K5N_t(yZ^EY^LmbnIo+&mHVmj(
zglFJ0o63%K1i={02ZThpR2r8AR>Gk#!qZl1uIE?a30Gn9tY}GXN<YWsbvMQ|3TUwx
zUS3=p&(ATQmTSb2cX&DC>_ZJaJf#Jv-cC5CC^XI5s|wE{^83J}dJP-=wDsDH`~LO*
zRrw~h??=k(M)4X3aUOQJ@Opn-o1VgWr1ru#r!<jG&eQa(t5<NafMe{vwHpc+W&ClV
zNml{9WPds?b?d`@>!(sm1zDJcRC3-XtS&tCk<%r9pnm3a$%C3g*$1wlmaRiXVVAZt
zDB|A!_EAZ<$<$?a!m;1S0vndFt2}jsGAr5xzi`i|VIHE%VU=S%q)f9z_-_+7!SD(g
z<)P}QogevhpO5=~){6d}!|p@Vj;+&Pmeu{-mTNc`svmL}J`@IB5>I4dGAoWN3*KO>
zxO!d%-$iXAU@SNlMOpFM?aF$&dobG;!5uE4Z@%9Aocew^k?b%UDqE})Ym~!jM~B``
zZNxU&_>LzVr^_3rzIq5))FMSzc;Lu5JXg2X3QB@UTQDO*V&t!J;B+f>PgRX)C^(<K
zvu{3=6trg3dn%g0LKX4*VpWM_I&T}K?7FPw)t_QxIB<U^6s<sKd7Z`}y#=##pj6l`
zW(@6hUuq{SXSd6IP%M}3)V)@!SY;>x##wE=%GtLW%ZYQ1FR$4EB%5+L1ERzXzpn8d
za=}5A_1Jxb<dZLh^A;peUFlyfW1g8jmwXzoVhJYWn*;Llca%xp<r!>DSFcj+K8IhD
z44&4dmB04ww3s}?Ry8Bt$vp?21^HY&D3rSWkUIl5Xz`i{bP$y>agmX!exX*CveoP4
zs!)T|dZ&+-&R{v(i6sgz-!EeBOy{y}BWpI*<N-V+Y;na@`zioBP`3~Qq6Z*ciYf)!
zK^6^h0I6=nr=o6|{PDBBLZs5$&+sxXHS|k`%8+PegBa^p)+c|>TN>oC7lLq7Qtcs!
zo#MMyQ|81sS++_AICB`6{IPd*%(8THT*O3@)y7kzf$>d5w*9F3yeM^v@~))LTFdd;
zAmIplet1Rgf@G+)sLh~am)UWG`F53n@LB7e-DGWI+RuvSAnOp5<+8N(%SEwAB3~r7
zUG|guS?zGzG=rv0BOht@1I{g(ed2N<fW~3KR=nj(Ug^xnOHLyj+=gOkGsT*W&fLg{
zuVm8M)SH&0S>=q!%GB<78dfu?iX`sB2Sm|R@+YYhHbjKoSH|&0qsgx$=tR*$&|?%1
z=O+ITEe&k9p_?Rmxpm-IH+4*()jah|r19~}Krb@zPCda~^YQ}i^dPEQrp_hmEfWY`
z0zAdwETjZgPv<C!BaO<=n8Q;i<Al>U8za+)rtEB{?gqQu58I(L4LKm2ro47yj&zkd
zSqubH@{M@*m6ti2;a)u>?|s05U=LC&gK>9(?mqvg+S2d${#re+%hlEqJw`}Se(ON6
zb<EfupC@D33r!lT!N*l~8}MT}1wzG2S0)4}5{4n<iUn4p;NW)klb4e74&zGXnRI(m
zl*N~iOB1HroGMDWVC!E6yf)03m+AhY;Kj|0s*vzNDpmkZneBz4Ug{2{%Lp^>@MUZ$
zKZt(WXSvJveY*Hlxg8#(W#VFbD98TNM`yvGJ4#y1lJTklm6e<)&;1#sB^wrlyGbV=
z*m{f<R#<aN#tkI3<onTDjldN8>(|*uE1!lgw}p8@_VJ`D##rgcXQ#`y^{-A!m862K
z%(c3YXFMMgyjoe-<67^>Ubw>`4FX3Xsae}5<fnpSIbYwKc@;1|9$l~37hvwm0pX`9
zHP>-5Rh$V(iL5!b)i+Sr(zqzmrE6btZxsZ`@g4HjyoZSZ6vfRJn7xM#6FHj>c3K_{
z4^s2dQbOZ{*<?GkQH@{XcQXoy+UKbyGyMsvk4hiL2BB-t48<Swy|v$^+8B>*B~uwe
zVyY;iviIw+6JurvgJzzY6$(zSVx}f%GteYrUd8HX4&I+Fkqk=5kx!O-WKX<K47<lp
z#_SntNqR$9*Okb;B4)gk(B3;&fce+fd_N5-&-Z47Mg+mgAF9su$MTOpj$oRD4pLC<
zUflJ*$La8@Z(&@Q9B3((8u!nMTG~NGlFVo*!v!3AL^QUu;OL(d1_A>u?^JQ<=vzf(
zj^Gg#$>EPEg?^XBJoPktNy^*L-};mmN<&vynt>U~_4fPORv_-Tm|d?;+L`3X^klMr
zvT*LJ6(%v1*yB2VzvOeZ_^H@oPOz+w^j1XILkr@=Nc+0m`$>gSf{gQ|aXRX51q5Zh
z`SV{CmDi^q2^61-bsl6pn~c_McJ7N!NX9kTHgwPKS@XN!>CDb%zkAPr`+1oG;SISQ
zzy1_xh3Di)WD^(7Vk~WsF!DCD$F?TJ6?bL49lV{mB2FLd%#r(<y?SwA<h8FshD4Sg
zojsU735Wr=gPzEK8vr*!L$8i4s1D?yfq23%E-nsq`Hk~<rsCq_=2E$Mw!eH8uDZz8
zTPs<v_Z{bUY&^c6NbPPWMw_+f_SSzRF)upWT*=e+D96GQc5VfmdyT;s5FPp<vQ^~u
zjGGtqXy!SmnAtgRSEN)LcXdUr&aRR&itT%Na2hp0CZi7*ruv$Zs57+SepEIGSuwZi
z+*MyHo^<;%hQkyzw5G$W<3{1r1v!A_(0w^LoAQ7m4V=U0UDRkVnvRh_;!D$RLHeC+
zslzNPm(Jc{uWUE4yB3wsXkA-+JMo&sjeF|W{5s&&y^prt)nq*e{ffIdZ_n#;R?&HM
z2ShCJjLoI$Hs{Iq5Sy;PQs=jR^`yWSd*%Rz`M}=FPL0YAJ3}z{aeVtgQ6{ghsnm*o
zmqG{+CJyLj$;5y5^8xF#!m*WoN-<#fl!9&3;MH64)g#yb>bWlnU?}r0P}EXJ1U}C_
z%9)4|Tpl|g&M=6JG4NDEhFq3zPr$!GjHfdi9CjfwZ^o<}0LJK7WF}!6i3l*@TxNy}
z*WK*HDN~Fv4gqQLJlQFTxpHK3Z}F{-wzPb1o87oFRUlIIf(g?2rS^5_)FxjD5&7!p
zD^3m&mOeF|=AYz#0tDk)ftU9<^W1d9TJ+h+@HWlwBTB>1$8NRJk4w(4R)@qbSpmfd
z<KpwzbI<4U(mGidowa4EC1%MtjuY7D+cpog>opbFy0O&p_f6z&o-+o|%Qq|dH{?%0
zESOVX&$!#MmPP_+s>0IX((Obi4H;Czp$q*vwEBlbJ{v__>qjzO))c4h-{nzmmnI|k
zzb~C;HBoyWkFhRUsg|aGG0dIYxpt!@9<g$F-%MYfFHl?H@VQUA2g4lI)XFl_SlhVB
zI9=}<nS!y9b;sgyYv>V(PJKXx_~kv`ZAX#MueooL(>O{h4HuQqqi5zGGu;&wWbu@E
zLGx+6^$`tW`JP>{tpo;}3d69X^Hm=nrebDK>?Wo}b7}Fu>;tee@TS_yRujpootk0*
zCuA9YM$qxfs!Xs&!7l2qX`B~0&W+OHS}m-WfgZ4Nx;glCZg@*(06zD=HW*+4nAq%+
zb_^_{H67XSudPn#tMhiQSlkkQ&v8Yub(uC;u75LXKy4aH3TcUTY*oNwN}0|+rsy%S
zjVuGQte7B8dEounIo0v%B(1Fr`%d^+w*s%7T8v_p>sFh@=~bsU*l)`WX0!0{QmPBq
zY`JsFB5>b@-YT9t0I58}THLT#;}aY{y8WfP%!VR8*AHT{*>&1D-k@1oNu!kiuxs3t
z{ZJ78ODAmY6PniQgVF>v>-5fyP|!&-$F!)8NyZy?nO+9>E{@?GD1#d+G(C`?7~DKI
z?~b<AZwCYuqRD&!E<h?fK%2j{d;29Bulu`jJKNm+^lS0_@xfz&^|Ti^uK=TkEbzJK
z>s5<T#P6V>+3DWh$b(G=PjA^!6eap|P%mPi2yK&VnSFjv6fe%Ft<`yvF+JY&prBWC
zXwJyPo58Q8JT7fiYAjXB8lETFwaQ1hohW6?HTTJybCh}lxA_NO$-V0pb5Kml*4u$1
zN68(F-&NwypenoF>qK+snapj<{o-__=t@u<f#80T87Y@|+*AfA5rJi__n9_g*b{se
zK)3tBVLp0hIjv+hC01I--gVzxly$YDKu85K540RIf!TQJcNQ2JD0GL>T~1Tetqf+I
z*tIH8nVh#$9-Jf>mY^Z-^n5|!p%rR!kGJ8#Tsmz{wFeZgLQS1#W=B~jr-jX@n92p=
zyzZI+BpUNorWMIGgo*W3!^KtNRhviSFm+3fhw9AvBH|i=Y_3h62tba<`9ks?24QBD
z=c#VC=<30!=sCvPb7gUU{d@)2?$W3L^-^=GEQScwBp(10s{1qpQhyRTto`~b;%*kl
zdfD2O7{%oj9<Nc749@w|TsTMKeQg#;m2nOato=n~I!3b!ODq(Bi__r+D+-J|Gh>1-
z!30Ze)LOr<cQ<=>3cnJ1hYb~ap@Y9e7dtv9xNx$66cdLVLl{u>8Dm~!8mYZ?W)rP1
zRk%!Tb^d6Yd_3Bc@kW(|ESIRRLd$|qz6-)no?u9;xGriLl2+AMzj|*hZBn1xLs-7z
zG>XwL$h9cF^F%&y85x`?AM4P=){gazstw#JfZmS+2^<;I92A1-tTl;DiMn4aT1qGy
z+Ip__uKDuz_=lPGtL{1q4Yze!RNMkm;h-HeH5dwOwIoa345&+Kl_FuY4=@HZ_dd6D
zXl<98Ud=eK=5e#Xm1(`^o0kcGkXAE3@PvmK6xsj6wrzIuc_p|mWyZjTF+nyNR$NB|
z`>IW`PaETGrkNxGp#+LYbXWY6Bbl3UU8mJy?Xcus>DblzDj_cDPPI7H>g;S_>H>i(
ziT%w++w6it)WB_q3S*~u%v;4WJe_hhgy2Luj5UeZTo2AK3CFa)3_#9>!Di<xkgAu?
zX1i6<f3%sAFoTI{?SD0H>{sLzapDBGIS-YAVVDIJXBN8K4cR-7zKzb?HIClQkKYa+
zzOKGCVcm$v>O<al&;ee+y`HdIUNI8=VDNnyE75;^f0Zc}3I~O(U85E~mnQMmt%%>n
z-}@O1mYG8j8mWeKDSGgDSVFRqW4MWp&-0L9j`^j2{VkI1$frn!WSSRTV3-P`@M89S
z_+qitI<nK<#sPSDq$4Br_26H}@@d+;?VT`%5OxCm8`Nn}#w=8VM0P{Vh|}zp7;j(2
zLIhr`2EEe6>M`o~0LX4Rc&pU*k;^%3O3FMV3)nS($LUzKV^tTur`0m<y}c@_`D#I(
zl-;(&!e$4#R7g{-b+`5M2T>1f*{@?HMF_?#6xpPy%L8(cBkkJR)g~SC?(WNv`<ek7
z4<a%2kf^4Oe5=<Mm{*MS?9CKE<8c%xw2%#iRc*pZG$s_&SZaFFBNNQjTKnf&^4>M8
zip~)_hiz0rSd+VjTMf00^G|oLBN@H3o=RYAe*)TKrx7=~#my@34N>?+3Vm)Fh!B1N
zU~J$OH2#(YMS1@=QP70G;91qD<g3c%;7YRY@3z|fYt1}lGf$D)eJW~nD{OApXf!+C
zwp%`+a=dL;mqy)nu*Cor95<xR7NrLh?Sedk+MpswZK;n1X;;0*pup@Gr7D!s;d$A&
z`ZC~)a0w_X&q&<!a}x*C9;Xgu#nJ#JmNT7GR>G&3n(W3ZHbT4-9dY-Q5N|P<NaOhp
zy7ebJLvL{o`HQUfe4z86Hsxw=+m6e^86M-QN?d&M>$f0Uh^jfPtl)@grJ4wgN39t&
z<E-eb8K4@&u8}b4vR%b$RcnX1Z{i%jFM~r-4k=5rz2Si}a|0eN)4+!}Nxr=TRCS+}
zRWx{ksAwQ<nOAU0r)doiOY8e@cao{>pJC;gI@8MIY+W-;m30hjOS7U{RNe)?K{*L3
zThY9*Wu`DL%j&Ig_o%R=a%tN9=`K^=tF7VcN#iYdTH{a8ne+^;9@he9ywibI)MLdK
zp+bt>2C3HMc2Crm++4I1(Iy}v*)qu$AHE3E=&Q?Zdj(WxaN{`mw0ISqQltKNj^o$5
zx;bcVM3hcp8_F}dVCZ#!d<ZqC?jS9hkF+lbmY1f|Tp&T1w<?FoYcrn(9w6Wbq7IvW
z4UOk6HWUatm)sJRgx;%x4URN7w7-J=7D+Fg>VEKJqwSJl*&n%AXsXj?wZM%Pl5Qpj
zMnqum%{)$Eaapg|a^w7$srlnX3o||+|E|L8Bx%Y;@HO^KdDb5EJMO9gM<vjq)zzM5
zB-b)dPSGBKj#i#*E_Nje0tB+lFq6~ov<@5@BNr_FDYd9Gnd_MgG9Oo^n;EEeeg4cZ
zJ3Q}(Zoxr`h8W1<ixObUl1}`D*=N7j>8L}T`j9>lz!5gq8Hl=Wu*XS)i^ta*2yU6E
zJDr6PY`e+4?mKBcjg+4w);7*Hy0h1BM~7HPA-6mGZ>Hy82q4|;58MorSC(L_w3ol0
z5}SYy25Uks^?v1bXM&Kc+E>4(@4b0T7k)^=C%=g-cDS4whM78@CfJg{bM~a1n@$^-
zj1M_UU2=v9m(>2KIMx865m)WJ@RmDe8$YU{zUCzE=HK4z5D9OMkXn|VV(b>0mR;Bb
zXub=J9<8)PF%{K%6}k-CL*R5B!kLF@$Jy>#i$3*r4Tc*Wp7-_t!pc)-HgLvtu1Bo*
z|Ay!N0xzTJ1layf2uqJZ2Qxtt0j_Mz_pn*}P1XH9z3i*~dPTr;pES9sl?eW$1QP;i
zax(S)zUzwSvDeQh>FK#pI}gs+y8rwg>lvr?0~GWSNQb?8r*-|zYRZ*ec6Rjxq5S*Y
ziHV3|&b*m`TO2Pn!nk13YQ|T6PGL>gJO0iO_>%V)DqiHIbmG$a*2nF2xi}&YkO>%2
z#2?X1b)351xChD-J?W9WGkVR9*Y6AGo-}H|32U(2dI@|zJsxWWs${!YpL*R${s>_a
zl5CBT{U;lH!L9ZlKuA`jw5#;|sVm>n0>vJ{q+EZ;$oL9$@E-WLT+XQTx}P>eDbDL&
zi0|0;egvED66Ag~dVrem{ctv%ceL$uPfpL75Z+dkdFaa%7$m)6cw%XOJTm^}Wsh&>
z_GF|^ezg{hK|;HoFt@x3mr$19No|k&Iew`=ctS|~K(Jq-YB&t3jKk4ZyFe~Y@%%%l
zlJ|@9@79?f9k7rx5Xd3uUb0%2LS~2B0Sx(e;f!&A{yfJlMD%!|g%F%~>gN1TpaVv^
z6@cQW#9;vfpjAJ4e+N$#gB5&!;0m}!*>qL`V;9C=DZ}k=e!#su@N|B0$au}|hpp91
zm0zq4jAHc-1vddG1Q*rtcPB(j0p&g2rb_!pqF)Y+rGXETxyriX3F$1FfPnA-fbij<
z0W-*X@E(c-w`SZXYxgStRrGR@1Y=G*<S2RNKq3g_edblnZvX)Tr1;kUil4VynIm9A
zfUu0u!PdOWASXJ&!x0}+zg32c{si$q%`k)?85uv-s|PY32lab4s6aj<z{bBm5PJX5
z%j}76GVwlZp430hdYaZuA&S<q9Q@n#1xesTfr@B<<2)?-z#t=?tl<oOZ8|wgXmj|5
zM#3Bl{HtUBKBNEu$Qd&~v-ydUMNFU8=^-qy(K7ydsD+CaOa8;R1#ABlAZ8)Jn5ryj
zxgb%3KVfKvXl8TKsd#@Z6t7p>4~_R-k1shpljKt%AHc}2-q1&Qmx7;xYAzs5t~s~e
z{!o!DF|g?x&*p<aoiG2>&}Wf>_b(9v1eha)cL5!Y$$|?_S}3DM5I#mJ`kQ*|^C9au
zsp5S4_u<3igOGFcJ=@iCYWN%}`FW^mYEp6mfv|%&A$5%gkoN(L1)T-}fcyVxef|)^
zc>s?%@795`BCimuW@`R~6Vnr)hLS>3fDL;`t5yE({9xQ_%m6_6^x?oAonFC8eIfUg
zerqpNpK#lWOoUjF_V5v8_Ve=o5M6C)n1A;gkA!XwLO$@32N336%;3*XP-p77ap75j
z<WufxCFW&DiSY@&-}h9(Y5QZN#YD_Nf!8%SE>Q|@0Qg^K@UK=2+=R1jqw;~X+!}t2
z@`3um36%5$5FXtTX#0J5y61gG?$57x35V~#e0p1?^>LAkC(#xgjBbWNFXIIZz}o+|
z)fAoKU*qBbfWNW+anRXCRc?9@BtyU^+YXjD38nnzcE>|ReJpP^?%p1dw+7wsk7oX%
z&5nMmj{wig&sYwl3YK822BYo~5D83=Hl@ei^*vZ2M;in~KlghU_g`KAs|kk!P&5Z%
z?jQL2C1Ak)Wy|44Kq5wB)g5jaG60bDv1$lHVE>(&A8?=rUuMezsQ^zsbXy<*I593@
zivctT06!q<)|{az{vTogt4YZ4ySsyWoC4YBg%0cc>~jB^3N?a1P;~KPpZebx{#V1F
z0~VZdv(9yISL;GU!8lDQ;Q3=F;7B`cj7*>Dt*lmf>H37y92gme()8Wk%RdcD(un>U
zd9J_dFQc^>#E!Dm&9;%}$9dViJOKyc1q0n|Pf2tK=@-vCN5WI+X)+?<TyA{HncXA^
zBr%a(08ik6G(!00bp4YOSpz@eHu$7(0l?vfM-;Lk0uXg|c0yUuD1*Si1;n3)04@Ny
z<`{4$sNj7BIdhUK=Vv-BCk4269}u~bC;0<1CM_Wy6+q9<PR~rt?Rl|>T_}1t&>sw_
zynJ8~sWu9z%CqqMQV(5?*2CO%Cek=Y`t=1ZI&$5ItIjdN^|7u|`ZfLgZn_Q-cCCWg
zc0k@gqO&Cp<8M=(K?)}VSy@_3;JgUkwHOG^!4w4mN+6wCTT)T{d0YYT?)S2q1lDU4
zosN0RD`at9i1dlon|*h<9h?t<0EP}}o&@qA%>}TN<+1)~nkEW17f?y4@{9L#@a52d
zF+jjS-<}!c!(@TMmnJfXMAlcYjFtS47XRJg!+`Su_U&isjsIf^|8C$>0Dm4?k%s{O
zk4_OY`PpsrBV>RZe*~}-@3;~P0S@m98vg$Ob&3i|-d9(bkN96>{JRaZ2K3}?#qhlk
z)Ud&Fzr)de9LxFn6&Icl9k&Vs4nGwbIR8&CDnQ;?Z)H#6Q~db5;8~u%-(tB;vfX&b
zhRPSOV$f^LyKHft$hPlg-)MTQYrK$|Q_16MgO}b{#sk|Q1IK)yzjKRAis$}B=emRf
z!v7hEKi8j8^gOp-+p*((4Oo>KuhTa9*4^VjR#M`wYN6-@DEnSxb)J}&;fS<z%LI__
zty?@mh*|Erh*|2G9jx;v7gdVuDZNQoN>?6rCy2vv1-o|8J@-Ba&aN(f<9*M3Z!TV4
zqkSh}Ues=y9mFu)Nnyu4&#wykLFS9`iDXW(MKM9Csuq>Ns1@e{fK8#&{I7`INp{>_
z$r$*>x>TR^t~N#+If%rd+3=hsh@D+r4^fU@D-+l_{bnzvPRUU6`jhQ0FRv~zU+4+f
zfgp0?&Zf~)q9d&vZ|5{ms~SA0(8^ef4fL$r>@U|?G*4Etfkt~_wwW_zOEx|alX|z$
zy!~8)6qrM@-zNAlHdABfRfb1@eDbMVW${oR?mgo|+j2Z`zoPQ#+4BQ>iiQXNuaX%g
z{0FtB7jx<pM=EBUnVXT3QA~}^h7a7kVJr6M4h;rEV<<5$n*|F}t!&%aP3P2gkcQWy
z-&;Q#6|_YeYro_8oa?_5R;)NFM!dbre8gYRKs~Yc%}Tf*a7fX5duG$P=@b(wcl7LE
zdK6jJ>|&Jh%*iCcnc4JcsUL0@$D5_hVA-_vN{WwVvUKAUh@<Ic{;}Isem}onjpVQc
z3kHuh3fJMhpJ!DS!Zjv$OrME!b`MGjuKp-TDl1}tytCh{(D9DXLp*Ejw=@)eTxe*^
z2e(^<$Z%x^PndWROU`TAu_fJT8U~c<&tEarzSSi<1<s-t`|ZP1PqJr%$R}54q={;?
zZF`9$XD9luwyr~a9D5FWD#&1Qc-*33W;7M>14L>PbD(ExXP@SWyAeuc5J-60pLJ)!
z=JaH2VNHa|#Ix@1c8f8MrHZ9{)ZKSt$MX~n?hNz}!dWC*hp$S<CqkN@XEIX9oChQr
zh;f&ElBkrF^saa84SJ`S<Uj@4HL|FABILqK$8y<dG*OX}?RBwp2#d{_$4%`_+7L>B
z%eUv*oScd=^Twyjrmm>@O2EQ#Y^u^U>Fl9-K6U5#G-X?Xy(y0d(rpfVA@?%EnX1A`
zYFXtJnln9Hx{D2(Zkp^JxC<=&-FRH~&ch$+!duM<9m?Lz;>>~{>ssp;s0%oslBojw
ztHXWg>x))NNe2q)Ec0sf)2Ym}!gH|;8JeWWV78#r>Ah=dPHK5d#y>8u^mX%;edpa2
zQ)*S#;=1^iN@&<fHy6I=5-F^DM#tK^KVXDl+KS6*XowyU^?G{rMTU}2kxu0V?CiF$
zzdq##aNpKle8u9B@OMP>Dl5sTsCdXTW8K)kTN<7{&9v@8o@}}6?$y^WG>mA_4)SR7
z{&6j0Ho#J#rum&cI`Jt~FHJNZnX}waCEOfN>OMqgXJ<3hx<SOA+VkZawrneFyLREb
z66d9uhy3>2y%PqJBEmP%_s~*UJ@@khgx7ZC>Gq8!S;5;96Q`5<o_$5J{d7=F%<OD+
z-tyx5bY~n0LC^5sg^iXSBR07lh7d&!V`Gy!hqENvSvf__W-(rBOueeC9~#Tmmq=rz
zTl5#86<!@j$Q(#>^o)&+a?1;)W+h4@n4<ITq-UNBE3@sd?aIDacOFKi(MTO8#sXW|
zZ!UN2icl036bp<JQBpLH&}yBYWl*!7?g<~29LhXCThVvz^HIYn3BM=CrV3o==H>^r
z%~xE+_^7FIS-5GEgYic5Z%vR)x41hm4Yf9B*AP6~7j!g5*Tf!=g)uA>f#rNA%N>-4
zk<vd3fGmTz49gZ~VFp6m5lQcA_LsSeW2csKFc=(z;}tD+m7hOGotV@584ArUgyRgm
zCCySGUfJrs8DTPy#Er(sMhj52wQzGXDnbQfvMRae7iU>KFU%Ek9&~@52>v?$BSVXH
zT2^grjWjaNuakxLg$HIs+2tP^0#PHW@_;~&Z-b{_=gSr`CyiD_HCDv56%a~fiu(mJ
zZz@%Ezqr-hQc{Lpe8iAZ4-V+}hobSSOLG@H%-8C9O+x%&7MG2%eG@_MF4eESuUCa{
z11Q*NS??m#8&5iWjX_TI-$C|&Yc<?N=scLnNGebyGgP#ePN-WLzc6&aV1#1YkHN5M
z_xgUm<ag8~Mcs?V6!C#QSUvvIbPphX{%(Xmy6~#SQc~S)@vQdtJL}y{ZoeIZ!P?q5
z^S-XRjrnC;?)_H(_-u6@!xF@?L|~CQ=`jA3LU4+e{ZAIc3?8ouAIkWXVfn3Q*2!;1
zcl1kWiAEvXQh_=beEPh5ji@3HlPN=*$5=qIghNkFVpA=iHx5&YI8*?%Y!70p3M-aC
z!HQXVS6&h)0lolL9QCKP;#Zh+3UdxFo47*wLKHoRqTasbNR;cC=_dIanVhU5i_N6X
zo?1go0(uD?^1hfU|16FO&Ci<io;jK^`Q3>N>DdzZS$bL3<pgKtBQd@HnteBC$)M5S
zQ~3L(M!L+z2B6AxiY+uUlZL3wxEX==62*Y=?xbp3el+I;d5jB!mK~SlKn;68Ka`@x
zb)fJU99?Z=#SP1Q&C3=@br9bKx)T7bgwc|(B&2$OCL{vlW#?+eOZl`fxj^Fw>oJKI
zdGCfHUziym7jwTUZJYC(Vj-Id=jC02NcQ^fhKX7ZZXBJg2ZQy#L{Q9=h2JXircHZW
zupsM$S4I^4AdF{lcy!}!JlaBO<=QftyzcTFtv>u&nxoOG(bcP>`@He?&L)B{?ai+Q
zuANTNVKee0#lp)jiX|#AB#!TXG#Mm_osb#kU#na^H83;UjBtjdsOoUt?gY5Rntze(
z;rhGlr$d<Clk6OUCoDPw61ijFOd=1{NX+lM*brv~3;MJ3?(JSFJ4g6p)EZZpMBw7-
zJ^bv;E8`*I#+q(<E@pSekO)R%Qi+=v$js;oXhw?)!#8#b4^GFv_#J}%WO>Oi-9Iii
zZ*hhqp`0jP%+S^%O3cUY9jMI~vQzXc(d^=C*$oo>poP*~WAl8i^qO1<mAjy#s7GJi
zf=^_8OisO4<Sx#4(W#FeGrt{Jy|53>-%96tIa+E|$ghB%KLz%oUCg@>&?HCB@#|wK
zbyb50X~IoSj2Oy%=hq+DYVM%G!3<P>iowxi2dC#qU*F`uIYm^L76OW0{148A1N0Kl
zS0OKP1tN|Rc@u_?HJ*;-dq*FF{MlGc3nWn-pHPwa`%N<0@J!t5RKT<23KCyaSd2LA
zH;4Tw&UhKuEh*fbbIrUdU4=YY>Q=Y5#<BJyPV>Ii(?gAjk5l?jE~;`;gD%J$M;t%@
z1&ZZb9imxsOk_n>7TKO=;}fO%KVk@xN63R43q0n;HEAhsY)V>4pcK8F!Aw9ai!bTF
zPm!)Fa0tUuTyQ+_EGCK-6&C^fBZwL8^U%+cpn{jQ4=ldKRR9rRv|HbYQs==mM!h&V
zV-JC3n0PZtn9l7!lt-;U7&0Eea5Wr>yi$Fs{=Cc?-DH?~UhLuYnVC*;(kBV8cC*Y&
zbIH2%dv%PJwQ1>cx@KEl$gI7VqLH?Ns7q#(NeQQkI=(;F%{$RqF}Yi5TyEil6|;vx
ziwT<35RX8`<E0qZ=opuCDqGXW$SD^A@5X^;6}>f3)O&Ik|L^E<hk#FoWb%Pl;m?gL
z!aM!8UmAQyREhs8F$X3IP4txH)F#R44I=RxKYOt!Cev?}h-qPG0SBF2C7m>R_z>aQ
zjovIYV!;h-lz|C~aZcVL4gK@2;DnJ<j+Gx#p#W#jF8dM((6!V)dMsf)NwdU!m||Wk
zsN|P3PH!&-RH{^@3-UeT9pN`jH+jhv0lUQwGf12lcVzlcOtk6*-_9jB9X!x-F%lpb
zCF0paUF;uElaG{;CowNtM0C$H{AZkNW?HW<Ee+7QxjvkSQGEF^fa%HCaNl#^-C*y2
zpL~kE&(qd;;reu{!)#H~b(&k#LV%uTAwPwr^V-<W+=!gm$m$<%q&Q0APWI+fb(0kW
ziNAB$dmps=-JEad^!IhXwS7S7+GEQbE{BiRhe}giyuWF7Z6)un7j^EhcdIw=o1MI>
z)CaS@Dk$CQ;!-YrEw~z`Q)&s-7D+&#wSD}HZ#Z>Lej_w6UMISpG=VL3*O88>x1>?>
zs@q~^ZDS~uzh$JxB=@7Zj>_6V|1u4`{|B060+S!b;NFg|%9%q%UJzauZE#VDR-RfD
zWs}$mDS{I+kRICRcV+i~{w&yem|+jAEUK-=Z{{Zyb9ea}jKwl+V#i|{Pk2=ZO~Hxy
zBgy8caN&)(@_v!4IrkXYTzx4=I(g{?wMvljSFXhXMFdF%`7HP;+xA2L7pnM)y2%Q%
zVH%@-<kRWolf*NU@~Pd&*BfF@nxQVR(#p2D{anEbZ!R&o1Z~Q6y6>HNHhNH{Sk0LT
za*3$0!CY}HJ3l2w$5yKioCdhWS=6dR14bmPb99Px&p=HjWSOY>M8Gon%_V(&hvzu)
zmO6g!?@hsXp73tGiY<E2&UB>{E52K{=&!<SdbgP=RY^d~@g|l!&7hlpTlgRVmf6gQ
zHZ0-umPanhrRp3E=#g1AzqPuX1QjBi!?YBu-s^Og`KCf?QkJQ;4}L(1#^FvH1QT33
zBBJ&2p=a(M!8m<VuJwdHyYyXGW5su)D=0mUw2{SZ%V0|10d?vmtj5g<##n}#+X@L~
zQJ0ahlIDF@Q{7?Apzaz@TP*1JMk+H+Q<zY;1J+;q?hd$r6A@eB!HrnKJg_t4w(!=a
z;O$btV8-iE{TsxF0G$HCVw(w{eC9+CGjaiz2U+Fbyb@`%rl4=3kg=kHsNicB$dJKf
z1d2k6TWJA8Fasx3ZpB?}jP8Yy+@VV?HTJGS^lrgsF>>kGO)n8I{GPKtH&(exg0pUH
z;cU5Vl&x*8c`%$Ow(y%eJkGgL-*T^X?_?mX{MV^?lCTT`!^5#8LkEZ3bLzQDRX%>H
zYDq>}RyItUnNt|WB3D>?ptzhGXddHF%R{cGixgQLxmG*f?!FpdWnSu#yZm&1Om`b-
zkpE;7iiq}Yl5h7Y%GTl<f1)5RGkWGqsO7fPolo%&&vi`&?kNNosfGp)7rAHERp$Ak
z(NI1`3EAs|%S)D1YBYqhs~{$c%In4ao9GQitB(Zg{SG7MFmpb@fPW~ZkU(DX-C;J#
zGsC;Cz->{iXbVLA6J~0z*#TM%(^-bMTMD>aQ=wz3G^L-wAyF~hg!{=Q$z{MC9?MEj
z=9lR~HC+<Wzu5|768;w6%?&Z2poSK9W6*Nm!)XcJXhWknbTH9f8-&*W*G$HCH%i`v
z_p?nE7J4C`)>8Wum@HOOeyb+kCNupRfZynP^J$p4$okSWV4(Y90Mm_%Z)Nt7leKBN
zjb9wi*Mfhd0p^klJ=l~5im5U#m1<|UNua^r*aY5yWT<~zo^`pxeOHd@u$M^#p6poi
z`ry(6SR>$DcEU5P0^&bZhd;n5?oay!pCvR2;UO)#opgXULPn6EGm+B;>#3n;CHFWG
zG=wz8mK@fvXbBtz2w;GNfO|i|)BQ)-`>w`lrftokd-6@(^hVdhmT9G1V}e#^$eT-E
z3AM5|zlN1ce{(CG<1Qjr#;Y=$<Z#=vsN5|S4zq3S0hBi%$0RfQ&qSgaGdk`YrNEV%
z&)8w($IZVF%LW~K?*5A0M$;HfNv>L7H5euw1NBg9K^J+(SOpDY?~AWhQT~^V-HGET
z9Q<$FbkUs(5W$&X=_A?uV}Aq#Mek9PNUGtY=od(%-Ty-$l_B~AMN`^3g97=26W0L+
zqmkEm{=a09I4Y35|7gQp8rlEwiz)n`Z#O+TRtYvp)dBq2@V_xFyqyihM<jma8322K
z-ur!zo@Z{Uh)}lr-7GBoejIFng6rl9b-CWI@O1I-J1o+h{yhSB0(ddqyzXwFY@E$a
zwfDUcnqdf_Er_BLSSo5`tj^l>o($g}<?h7_tw+)C^<MfK?Yk|_11Z!0Fm76^Kd#yq
zUhisk_39c7$C@C(TGSR*a$gtpwvtm)AVJVy55-?l^8t{2BNzn!ekTDjJPwF?Q4x9p
zS$$?#I}!Ky<az9kkT`@+5dQ*r8+l*ZBaW(=WnUA~M|s9P8EkIH<CaP9`=J$-nrf14
zZaB{FKw#wm&}r~Wz>0>J%;?a6JW(1RpKb;%cYAGXZPuf`vifx{>iY?@i{Hr5V9x=*
z4sdwC!eHX>=WYe@v9a=+)<-EE=X2PT1Y3B1hHaEB(_Q#}6n;Qs>33<PpdZ5{hFf9f
z36Sy)oLruIJr1>|)?}zL+ag>03%S$eTm8SvLU#r#w-^|aq4Yg|_7aCwH2V$0c``T)
z`2VtT!s!4W0lc3py*b>zp>H~McO@GiS>Nx^(*$VdNooWF9YJX3fz-q$fPYUg5qJj#
zGjTjnfP^jp_y*`ON=$d>A?OnfOaD%HGL7T^_Rimc;149-f->SQ0PtS|@lX4i3V^JC
zSHoip`(G}J7r5#p&;Q4tgc|_Z*jB&&kt`G5HCWEyB<2a39G0Gmif666fbSnuL<BlA
zg{3wQ<EgTkZ;`D>LT30)<h3HT4k+k@O6CsrpmYgJ&=Q!+)jwWMXwB7MIZ6B$(-oLS
zoF8iu=+6gqiwjov6?ucs|AdE(U-J|XfsZ8p`?oyczsJXognlMXp8-?1{rk7{J-0nF
zaKIpOygMYkZeD~(v7zdJHBOHYRC2!Jk11gC$DHy>c3g=DK-rtD5L3GcK+#jjLj{8V
z<~$(+)awE7z{FMn_75t4(Ss%U|FMA0^WwAWKZ}C(%EbNr2U@4V;HIEq-~UUb(!&GQ
z0m26B{#*)yp_f3zod^AULkcqBR|{ap0zEeYv>f7q@7VO`hnov`9ZX$!GY_Ts48*@U
z&W(=^0P~L(fCMPyRHYN(JOClHP|SaKypzn2O~GHQB*^jC*ztGd011&M<f}m6{=3x?
zK#nAjC3f=pCh<(TANmkOUcjyC4EASC_CSt87{}SrAnf){=79f4xqsST&>#JJS0RZ)
z{C6I^2sb^|LXqybGzU5|p}Q~u&42zF8VS&w@V-iWvv+hvN8XpO3Ht!`-$#N3`H}3t
z7IS@vJ4LaRZVMFtPoVnG-)0H&daj@6vvr=*OL|YDVY>ea92x}B6q?uxA9+W<Pb~L;
zJTwa+qA4Kbc%nNm$SoA{ubm7*07!ZXR8R5}kIT7qAs3c2oy|EO<U;;`o{G-{?ne#d
zMR}ACFlf!lOJbmb7l#L0tA+td!?(f=nm<|jdf&F;({NJmiTm=Mr%F~cvd=>QhxR6h
z0c7(i9px+QEow)kpEV}Vv%UG(Mlk}w5jOx3u3NC(W{a=bXvZScWKM^i-RBcm>TxvA
z?geM(#}&!p>r)|3vK-&6?>19qiA7kPo#waWEl*snyogpS-}~9~xk&_x6&ZX45&!@e
zsD!Y9@(YD(y=iL&OZi7gE%gKvSSrod2Y))}{L@xS7?xSO*h7h9&r`Kr4K@8nX2BcF
z`juaeK#P%`6M(z|%D=To3}_?f?kWs-?386lTOirHx~S#Hr^4+1n&dm4oaASm&O1c$
zM&W0|Q=iyS^%C}#nvf70^4HFi642%*&mLXy+HT?qAf~*(Lr0zv#|1qKK1}<wWos?U
z%?VcTnfmSTii8#l5EXyz1q{K*dbRT>nPwC?@cQGVSn2W4w=M-cYLvOyUS<&W&f9vP
z;lguV>SHoZ%2qw?wx7J6EJKz!=;O*HbY36bV|yrf_wuw5Z-0A)I6e>oIX}VCVAOXd
zaX!W6267%b?LvMT*&01cp1B0}^zUFG={zeaB?(5LKVB#K!9YR&i02w4-f*rTUYePa
zld%6j1@5EVjFnqP;p3cb3OAuAaYx55^vEH#jK2NtVv=c>p0dPQSS0wH&lAP|_4s&k
zWu@NOH~q{U^FZ$;D(v5$#UKZ;mB-L4jE)Z;EZXO)L<CFE>`sn@1Z;V>EJxY9*(>XW
zV>}y~tjA=T<5#=r(SqN*U|v>n%iOrPm$eCIsbgGJx<(HCZ=3x=2yYz(cJzAs)&Ofo
z0@O5&IK2KL2gYoz{Ab$eh(H&tN6!s~ZsdIg8nDis_&_!?IKyop+`Tr;-uv~B&-c&s
ztlg=-cTR`HQtPd)?3O7!FV%M)$7LTa`%|phGKbYK2TJ>vxUMbSd8c`d|5+CN@vw5a
ztto}nfeO2*Phf#Tg8(`cnrppQYUTZd05NS~X#)O5sHFF@uqp5s1%~Jm>dmxTX75v}
zzpy9!E$GiVB>FBDms`Nek3UoM+?;*J+1w%|3UN6+{2le<y@3UPT4)-aN6bJ28OKFj
z2+YP|FucwTuSM7Db?Uk`xqh#|pOE>)Ht!m6GsyaHuYX)!g#kt1Huv9bfFGb7q91Fn
z_Xj4n8ZLEYd$D%BdH(@*7SDgs-bISgvhAIkZwRu{)N}3)3sxu#wemlyXE^)}h=IIA
z8Co8hQ2D2_;7m9)c#Lo~z~Ou)hx5lDxcqjSqBUJySmG4({k56P_btbF`&`nfEV{t$
zQFYbFmAuE~lc%@6@zBAESZ|S+Uxq~A$a9O8Gu~$a_j%b-2KNJJm@S~DCa0?EA<yZA
zSHp$0w7}cBE)Y!?_XNFDKavMedifP+y;io@YK*+v^}fDhpF=5CZh{%I7S5}_=Kjbc
zk<ka!t<ro27Ih-aao3O6t-)Dz`f92m%rv82z(gvY$V=|4%>kI}YAtDt0A|10iK1oz
zoYf)=>_7X{KpKZHY;RvNu2U5yKGPq|B1C89BB%E^y8~UZNQa>5{CakJpSMarJl*9M
z<%y*-`MCmI6H}AvorYh5TDGWmo=<pO9vf%V+oiEHt4$A0+uxSsT(w;?B}4a*$Irb=
z9yM3iqOPX0wo@N*G#_PO+}%!4qPB0XXl~stK~s@#lfU+hna0Zw0^F!he~b=&e~j7<
zmA6FMI1`_&$m2r-zrEFHbPA+J@R#ek2Z#dlc7(GBG^~%N-$y)VP{g?g*^l3!t~tF{
zl%}wFe;31gG!#1)qR_5ry5t#2)C-|%R%34$VSJJk#3U#kv|10E#en`pN>KrR_hcQ_
zAec&36>Wbo+<-qqa{G=Kmz4V4L0R=Y#Q8amlwNDPk54`X_|o9&&8-b0l1=oQ5Og;>
zH7@%;Iyp;rjhk+^9ZZ=x%jdG-Ae)`yQ-?7)^1K}RBm5Zf^=D|{zh#Dwdk1t?v-NNl
zGP0cM#_f2QT;lC=&EG6LSy|c4bMI0KH4=08N_R07;%kkZ*LHm}@&c$yeQ&>?K7#z6
zeR!(YS`ul&$4`RuTK2$mzHfoTp!&CQs*~(&JY`35Sna#@DCGXMv)<-)m>S7JTT1bF
z#Nuza>YB}s#o0AF;ygXO@H89O(!o(<bZW4DJ*ZA!?WvI$7^V!ypy2GrPQTXup5_Co
zk=U~zi&j(!9ZPJ!X#u;M;p@bW#&8_vim$X5bEp0BdX@Vj2k~9s?rC+W_-kT-a7O_!
zbdi-Z;Gg^r$)1wGJ*sigkT27af*%jzL<F#5L}0dH0*t6Ni7ie5aCmUheJ?0uz>D_=
zXY68#O{SY7c(Yy{a0&ObuC_F;${Q9+_j(aG@{Pzrow-I`oT~wlvxyMr+WOktY2K=p
z$G)_zCK&Gziqj_N4T^`H83U2jLuUX1r<+;Pri+IBZ%UyJz9RH~aG#|+rT2w4lHxCY
zMxmyV44Z^!P_93bs~)6|FVETN+`kYJn=pgGiF<Yf83{QWaL@LACpBkXKpW8k!}sz?
z*YkcqkC*ecInAatg)Rv<zq&Q+kv=pYPpwRHy1ZF?U8T-Al8^hy5dX7k%?I4UKfh*t
zC%JWV>H-UI35D?&H118X&8iV;T5vWW=|35W0!f~BtG1U*=vli6fTeGd_G?6F+nSOW
zKnJs|uF*g|1ZjoU<<=?;+lD-M&x_=7@>7ab0q|(A2h|ZA7B6?vtb%OnMAbw(l$lH}
zTVfH82_Q+iXuAH%aq@V!oA&@`K$ySV)D_icuBSW9VMIPM<0H%CDaNU?$<>|59wR=5
zd&|>AU>uFIn#lUl(h^j)ayGAWPj}p0ANI!W*MkRBSyVh|Xn&CKjwjwa%b+yiz$X7I
z?CqcU4a}X883H7IusF2w?{cJAesjnfn(C+$#Ozc4$yH5}iO<4Ugg+@+H+GFqr)%>$
zr3qlS>m}!_*&Hc6F_6U9WJh~o?2LowHhna50a+{WPbcPVhQyJdXO-%XNEDn6KaS(3
z_`2SMh~8o6J0At1B-qDpM(4ejmT+I~Pj$wf?!^>o7_TnZTaJ&`QKR&Rq}2Qu7D~U5
z2o&QMzGei4t|R-Jd(N$~_)(;&ZT%1f!hZ~^AX5GT*rAfp|0#9i0!(G+AGaOJa0mse
zAf|T(lQ-Df5AdC<pT`Wccr%hY&G%;{j3<fRX^wt~-qC_}&&8AsmCSqVn>Bimi_~oT
z9LPGnpJSZ!>ZrwCyY;n`t7Ydk`ZaNSZ{}&S%7PSKA%2y2aKO=H-GBQWx7m0#y|wuU
zd&(~fAk=&p1*vQ)-%Yg4&QC`qkbVN+wzg??^-yjSBq4yU?|f5;_Fph|Bg*e>hG&k(
zZ+B^4{B|j^t5X109Lb!E`ltgabOnO~8U`T2dt~wYr2AHWpjXsENF(+u!1#fPPwuB*
zZOyljrYEJyLqc*~mWWr)lXu;_{2|x-!qgoyr+6fTVs~M-0Fi#N2cp-nMzl{re;E6j
za5C$GIzZBkIYYz0ZM0svuj!Gao8Koo_$V*P2ArS@fRTaQP6YE^m^;rSLkl|HyeOCW
zharT-T#QI7;8`MB+)V#Z!3Hp2brmLuv!Z|%0Eyo=uR~HI`%$SI_0iV;P_`N`!^6wG
zuGb^wP;<V1FON%s1weDbO*Z;-vvJ=L&)Otd_?-!dIq=LxzL`RR!{2M7KA`gc3SzOa
ze{1h&g1;IFxto3b_En=_(gKqRF3z4@0O5G)!$(r)7X<}*Q$7Vq$hkRY7k}8poRytT
zE!W*{bC1=Rs6aqQaii_T<TTElLBTyb$;|v_<z3%zEv=%U02q2vHR{kX5D@f%sG$76
z0~s-Fz;AN?;h=KP1mrDmjb4p>|EYU<{|F}<1JY56z7hZ#-~*U53I};d!hx#)LREZF
zaQ1AjpfK<Z7ULtnr#K>H`J<GCPN0kkgDUO<)2|owG~Up^Fa<5(NQ`yKM+gu!8u?kk
zf8lQuIC;d;QtmpezbA)|z!({Sr*KjK8fyTfI=v*55Zhm|13z!`?g0Uk9`g4r$bXSD
zG$~*%Hhqf@pw5(~guzQ&k&Xf|U<TuCj({`$NL<UGA%X?~^o9(z(5t%BZ(jUyXaFpk
z!2iD37~-XZefeo|`0D9Sd&k0KS478_+Ze-euq5C~2W&{A>o1I!>F-K39{2hA8yIQZ
zij%moRGL0r<5Xylh4bHKMFGTw`uCsC)~Cnv!IorT^?F_HmuSl#+{;m?>*d#PeGj=!
zaOPSARxa=FPGY8H2=>w_z=%=&*D7NmW7p>O5Wy=qNRagPsvMGy0<<&a0itYw8{?=<
zU(a<e(|6Q<6-xK9iyD8)_exNH3qu|W+@z@Dd??v7q5cy-{0Ok8*W1B~jGufB;4TQ}
zh*e~M(0|K!B={lt4!g>|92#oBO+@8Q2$k1`)LDYt`wWDEjsB{KBEkQnF4O0qCqj1k
z14MGrS^py)M+9(mh!fYjoSXULU~t%^S$}OpNUuCc3=v{|M;*g7n|=g(pN`eZ$({`Z
zf!^OB8TRAR5dTptF)84C>{XAGv&@De+m8y#uL=JLXL8FM_x!<waE*XJz2kq&F(Jxt
zY(Ma=03@Dc_F4bOr1nAp=8e9P96{I6w#bOewySq9P5C8;ccC!py69#92ptS?JcsU^
z99$28oL`&bzpynP9yst4JwF7JQI39{C?A80*ew)(jY&NSLI5TaAYhOr@A&)RD|fFZ
z3`lx|WMtyM)ml;hPEg>PA@ZURqZsc8K?#wvNUjYmlhEcIz7_s`gFxY{{``sv^1FV9
zOLw4Rv@=B=;Pe{*f&cEL@F@~g3KGR(yK+G#2lGn(H!yo1V=wNeA@zThVZUg$HO2T-
z{Q!7NyBo!wAD<X#1&*Frn;iNd>_PxPR^z`W3cFC;!w39L?UrUH=Rbink)joPi8<{U
z5b4<k&Na7T?|>g9rt>dCPF|f+^6*<3l>Y*pFPI8(MCVWFxZN{2`8QK0+Sh*1wY{q0
z_qvIxixyxCLIAYb14j(hY|qy&&?N*csbPMJTD!Jap$IPHw9bGTjh^>2Rkbf4IcIHU
zfYEYz9mue27s=e_^7r&KL~qY`1{&7-S!{NCtF@@*nteC2O@7byCQ;&;<gg6IQk>rD
z#n$)MEQXU*qa!2i6(_ITX;ak&w2J@KoIr(&nv?CX$aLpONV8*O*<3CWZ*(5gTFdJ&
zlqlOGN-(!Y>0G8&%k7-H)T_xxmzc#c*-0H%8)b)_6TwX-ZfP}K#St4n1Zt<AuIZsC
zxRj6m?HhbpdwN>RrvG705(suCz%i9sPC>K_0d1B9E>GnzuxyT^j<J3?R^~kr-ZRiU
z=8q^%-h(MCWPXnv;&IuM7PRIVi3r@L(0#`5I~l_lpupQB=0!a?t|zzZuD-98WWQy`
zI%}UfCtaPNa<x@*QgLMyV{{svG_YMWayDOASA;U5MU5aE8yC+yc(Spz=-OUlvxuIt
zb-+PN-H9ET>6y0)<JoF8rfIHxZz0T%w|5L@*W#U>w~H?O>RmVE*kKoV?LV<ZY3S`8
zAs%_&FCntUc|_v4slQj_=uB*WW8cMbh5!xH0RDHHw}O2^UrsUGP8X!)z!|RxW$C9M
zk^GgR?paBE#SVhY0Vy|$iZh;?&02KDw$3R2*5*A<FnK5rlnfAQdbGm6t`tOf4Qf7)
zx7l#C^V`nEX2vaD{gbkAm(}@HzEgXrOKNCG<y*RnHp|1(=qjvUK<`&UQUgjX$6^O2
zF_cqgmoskU6ZE#yw0K^(g()?$l@A`?7Na){3r8ia6^h)x&Sy7Rw9UFD4b5V*XsAcB
zX^MszbCaFIKGTNtzLuqY4pNY6womCkZu^#>NFezD`-gPC*s=F(#Y|ymmJ6L7#ayst
z0R;aJU;I@F@w?tfb=rz8ZRvo?Z$BXuc&Ho9MDI0}Cg*g38_v9=z~^)F6cR!q%O8rm
z`<az~V`hxXNeE|>%*bkJ@_wcP6VZV&j}v3cfdV<V>)4)ew3tj=VY!{zaS~el0|7y_
zwCb&j_0skl$y%<_`=XR;Uw6vd<`w|_0j`T|gwA};+HDJ4t|oU)4kh*PpblZN6L=0n
zXE3FF+;lY$w@Q&`u~`K3dYWr>8y^U0e3o2Z4dsRVV-FrmgFL2Nq+P7vj6<e&%e^NF
zhp(-i1x(*}aoI(Rf7THzza=9-ZrptUt}Wf~sDU9R$iv{bspZG5JG5NgG~9QjLGXXa
zLi{E0;1sw}9(u=T`ddbjd?|5UIf#KMbHIRx8aYGsCv{6)Wt)g$8<|R5laYr5ODsOT
zG><`^!?FQW46E^gTj4N%DJwGp-qznDZ$o<kaXIO&-lV6T-IrTAR$klH8Op4tA4!Ik
z_g^*pOh?is)1K*LmtvV%YYPbyY_SFnlk{aD^*>yoRHw$qBzor@T&A_~9-N=I=)G6E
zOy)(Qyzu>0Z21I9Cf^m+F9vB0To?)I%w}mCg`*4JmWEu#qB^xcl(BxLwU$Ob%3<CX
z&yyqT7txgwn@<-4S^vZ5$q;Uqw)(zjk2?*=+7ph^_IgRQyXZj&>z_ZF>DhF7Z3Z3w
zumE=XM<S>Y=7f@-!KZ}}qhLmU1rN7n&Icfe#W*2t6^W|?GD`U=)JZB1C;YRe-jpcS
z5*QVjXh)Fm=93=ku7bsIpESX$%2a#4%&2HcMt8z_#m$BK_Kd&W&$g=L{rE2Uao1Rd
zy0ruh;?>Nk7s;+9Ne~uEY?pn{S`tb5=UePJz1FXwEwOd;4D<lX&<O*gBPx6E(^;Nt
z+BR=#t$dF^r3hL=_WoIoCV&Gqf4?Xh<&i1Aic>JPgwGI+58|&hh$%8LMAsoX^2s~-
zF&HS*%c=X?r{pko3$@plM}jKTTCq+`sVq7AHad=$6)~#1Vr=EzXHP5xAK~Hv)u82c
zbOq^je?&fdU7n35w!v&u+H584^&q#F(2qL#{N`&+eeI5F8+Ye;_o1=XAn!ZTra1{g
z5|^3&ee0vu?i}!+BIQ0Jz_6bC2+*e7WgCDaGco==!~jhVCE&Y)JqJZz`?~{FN|~~S
zfU{d=Z+N<L<mM#Y418s|3CYR&E{wa|C7FX)KL9s{;6JNay#T-NVoHURclobtB&)KI
zmKo^4kD7UJUYWu?+($Ay7KizWBbHY(Td{ks9A9$&I6qSb>M`KoxlW&-aS_ig`vvzI
zHqU%o?LJ6cZ3&Kyvz5hn78<6X^ViK8LRFjOaJH*kh=&G+T>tFaPy@Nfpe;a`K?5JT
zTmO{CO`0-c6cyJ5vboBfLs(cN5#%+8)XHn`&a1hTPA9MSl^rkehJVc5pS_IOTm}s%
z!iRqc_O@Q|JuLg_wx$P1u;(3|+wfjrz`Y-3`o?sKcYm6)#OJVmuQw4#aRY=?)jMbI
zrVp%XiFLf)_?qsLncIGBm58aUdREg@QXdF=C(ifNPcBRE{|mqbKl}PE_Uq<n7B4kB
zT>o5s1v|3tsbwAC|8-^Czy^ZaAOHd&00JNovjl>h0d-4)J`GJj`m+RD-edAPl#4*q
z80gS}QeBF@r_FTr@+p*x>JPHwSJxL+mLk;QOb26NvJ%iQp4hPFg<@*9U&idq6#u^2
z>ZZ_c7AE3MZ%<wLag)0r?WatC4!gZ6|M(X-@B)q5Kk7+7u!4mTuE^&M@+;=&>~1t|
zd6UX-H?zDPf2+n=vvOsDAXT<fmN(Wtx@sCfH0{>%CH3u%Nlp^e2LTWO0T4)70!+pQ
zjP>I(O)5N2!Rg;A(YRUyrN*=935%bv4wO%#!X&7qpxipbRD(_%hwsz8{;Z#{ONNOh
zF#-L15ZCM9yhr6pYu6O*n-^2~al4=RzC=_r-9D}COq$!aX8jXpdw78+@r4-MQ$NnV
zJ?Z`MOC4?_ZEZSdlokn<h!+Te00@8p2qXmopI|?yNx`LnLna0kfm&i1x%rsQBUBgz
zojQ=W$juuvPmJ&mRe25hv#A+CXjurY=i$JHk@&OxB&)p+E9FYS^)Hh$?x~AK={;!(
zm#UA|7JJH@FD3h=SEob!Ijr<DTa)?S4Zjbm2ozva{2xZ#O_Jo_%f-SAblnSUa@@wB
zUo_6BYf`a)aW_Q_7z9871V8`;!Xe;{2J~seMFcv0K|P2-k(-_?JMMADd$FtyJ~~kN
zs`*MmnK)G021N-ofJ;cfK;c{vQy>uU1pKE5HNBoKW1o2saVJmhD-{{(C%<g5GBU|@
zFT(C;*M92eWtn)zJ!Z;3It2w7&L3aY8Ds*weXq6ZfU6DAm{w7;`=#w>u9w>FRwkH1
z9vzwo0T2KI5CDM~BH*&Mo=aZP5Jez=q!c1h8Uuw6w46C*a3DX-pH-#1skRZlihEM#
z3z0rXL@~){To;nTGV1%6jN*|RZx9$f0s+6V2zcrG#J|eBN!<&qw)Ij`v6?ItU$SU{
zw(2Vt^WHSStP%H_H2n#)y{IZ%+g!ahhW?0QDDgnR<Bss%m0O<O(3l!@uZQlwlC=-7
zU6^j0I;H)5u7MxPS+~qsZ_L{KKpD#g`p4WCzOpb+6}5^{_#dT*vF`}aQpL32_lyh+
zj0dzBBM5*12!H?xcp~7t|GOUU#}$@%6x3hbIa4zL+JXqB%}<tB`^B@vT4a$PdSvUs
zYT4|-WdNoRDepudNZ>iUZy)c86AHyQf##Nu!U9)cusE2Pn@hI)u+^<(n%;fyU3I(g
zvhoWWSxlT$+Rv=aOn>a4UHgf9F9ixP4z8dW8=^-A7-OTxa6kYAKmY_lAaMu;Re<cl
zFCrpPXf>q>+4H1)Ue%vFEwa8+kPjsgdZtWmex{DX-nC-lEHGxm3B<Jm^ncNF|7wR>
z-gm`qU+TCBKXGd+?I)C-bwF$1))N1&2VS7K!$1H8KmY_l00clF&ItHK1A6fV<<E-#
z-9a6BMU`Kt84qZ43Z-XF)3Z!-4doBEy0562HpVC4h1I%nBbC2<Po)uO3x?q)9|8ZF
zakz`7Zuqk~Hme&*OQ$4mGE>PZXKZl~D&JG(_Q|d7jJSTE$ra$o|39zc_mU~fC;k8c
z002ovPDHLkV1iIf0|XQR0ssgAY+&|OD3ztgl^_KGC0PXk6aWzbaBy@lZDnL>VJ~TI
zVP|DFE^uyVRa6ZC2MUtfVhWPlVhWPlVr0DqRMb%$?L8pf-H4RZq0$1<F?5II(2aB>
z-7!)U(%s#i(v5UUcO&`zdDpu4dwuU(t|blw4$pa>y?^_hGa9NOCxMPaf&v18(4{0r
zl|Ueb&mhpN03-z9k-xH!Ss>6Gkd&y9ifig&>#t~L&DpKml18tc5swK8an9J)L``%*
z7?~tI;Sih<?5v&;7)jM4A5c72R={U8qS+jQP<B7$kjZ!PaI_P{pl>M1aX;{hbxc}Z
z)9$TH>K%qhdC;QfoqVv5U2Hwve`3cr`gBL65zLL&9#9?`Tb6e4?AReb-=;ske(rrf
zl|M^-USI9`Yxs3;Ah!MXU3-_{U3*)P;FHHQg5TO7x~I+O>*t>EoF1Pmm#4lxA<*-a
z;Dg@jL^kcyQ~L$$&(!MCb-m}YC!FWw_6LUt#OHlh`O$4Bf1e}4M~T~ep98(F)dxav
z$FJAl^AR6Bp4ZaXSf57Q{d}I@Mazvo$v=;soTWc-J@Y-C3*ObAx_;o}xz~HPZST~3
zh<>JcntOg&703H2Q1N`;{@i}%<9SZ@yu5nPB|i$&vHBSN{6SnX#OJjBxv%xZD39me
zCm|xZ+j+i}?{k(By{2Qh!|&L=FU_33)~PUi`=qT~33T%9Tzsz%7GD3G*|T|tmRP*^
zYd%pbR44EBX$!V^{`Sw|ck8GYi_`D*b4d|d->cKxCC6(BDB3-o&-p4w*QfFk0}Onl
z8Vs6>)p`50UBp4ILc<4KGxI)aSiTRNh<ArIt6f&(efjDEBnD7w>93B-9F8O$8U&};
zt;lV9w@7*@9GpT~!TmQ0J=!ks=!*B_?Tn9)MDV*8U1SR?mmW>~o<J<NMlHp%abs<(
z>HJI3H4U75=Fm;d!eZ;L*D9;?6cLeV_ype!qzW=`#h3eHet$X5#*^yvxYfO@tU^Y(
z%(!cF4`VMlKBx#OLK#A75DIhdHqgY8QY)wkA$uJStWFF@c*AwSjl%LeTJ+BTdh@Re
znmX*S+uijfugmQ?vs{c-3Jha0@7xp(kNOMdtlDTN^18EfF;wF;MXileE84TV0l<85
z6BjlkjA+az*~z5jW<WnloCbVQov#t`3F7eyY><N43t0YX&N=%%{4&LAd!JdzkvqsD
zU@2Vbi<#vbk?rzqCIX~<b7YaB;CAN&Z-J|_&+=F_S|F+T@>?4;zBwC<mSJs|KG&wD
zuIMW8^WV`YZdWp|`%xm*K=6#3v8F+z?DT*3x>hGuzXWFnRnlmoBewb@Zn#h+DL|f`
zmOC_XBEbng%jOiVYL7~0kQe17_<L%NFjKg0&r$HYSep6elz^Cbgro`JwhY0u<=lE8
zGsCIWOu+0OVGdEfBC4iUbl6=#dozkfLwv{V4hD*ICzKAzCMreI;BN}Y3L~aa0QP;0
zrcqRL2^g8qFB9PUq52p_iK>BtmIyQE)dQ%wHTyNR>oyR4f~({lS_6jKQSR=|VWF!m
zrpikIhp>}=NSDfeUy0ZJ>j|JZIY>3IS}_ruU{A=2s$k$NKEVtT<!?@D?6<`3M+m&Y
zEL;lzF%I3UK$kfD_x9(z^TDCXlzNHZeZ(wZ0H%J-BjMUfB6(YIi%31qhJf^Lnwz4I
zeUIa8UipqG10eGQkWCWQbOh^e2QjnH2ArkZZUl_A?fKxmYD~uTb^rRi?8uq3zuzBk
zT2Lu;?|S}@C`wod?J8s!spQ5RugCAx4=H{7<wE%SK~mMI5eUFT(1B?nAAfs$_PJ%D
zZ~yxte-Lda*=trtReob_g1<4zM(|5)V&M>}0AO&Z&9j6walA{IkmYg{R_HSiF@ZJd
zw%_#-Gsh5|G{82O+6_K=O-{hPB&mthjq!NeimJa`VYby@Ftdxr6!Ia!{^iPvx`o>y
zGzm>Bhn9U6uArluW}8<9=x|#Aw91si4Wv>(ernrRw_skvs)HXEe~@M_VzAmQmM&E+
z4@AKB8(IFWZsD}2L%e-0@t-tkQ5Q+Cc=WHl_PcHcP9%{$8wQZr?ov9+<;Ed@7HBr1
zdx#Ng{<gTu0;uf$F&rx=B_|AjKpU!h88KzM=PcYCM4>>6SF^<lJ<T_9g=dWz3~{uv
z9hIf(LH)K-yhJW3w<<4NW@cPvbu=rDT%F$oqpvtS-%7?1()KME*VC-{xFUdVZx;ir
z1V3X&7kh}g=LbNfXbSi^#d}07lKvp!;uFLIK~AWQu~rh?wK-2=p`deAuAl}^Nc03#
zNxP^TI0A)*?xt7Jb`rhTyTi6ZEm^mBF_j|23~zZO1SKSLBG$&Sal|5c{N%siToIy(
zPeA*Y$<Rv53S#8;&AwgicyO4DvIs~=1r@u7xLvT17fJ?-j>)tWMN<g@h0`RCfCR%R
zOstFKx=5?2{ywWVSJU4tt}wfFP`6NRk!JpvHv5WU2AJEt3}F4nh)g|7d5`6qZu^ya
znP61(-``L%)nA$n@GVT=#$hLY!M7MURV`TWCx(`EWLy=|+H+a~G3RJMUrpQCN9JB#
z8|Q>SX?>odqbuCGna*_X)1=R-WFU#pvvbsznl{edC+@aqeV}@~2dJ)!VQR~i!Tqgl
zVo-b{=a+5MrQ}GopR_RJ__D#6tKS76uBk6HD$4KqA*g@mrs%}!GN<e(>=;1Zp$jic
z4AcbB%)oi5zM6%7Q2$jom!<2c5XJI|gaC>>ch?pn0nZfa(!C5>TPdp=*$$*|0vou+
zyc7KVMwD<8j`wg5SEsiz5UE`SF;xq85w<}n9k{mLQ2X-K6>30w9@MYy9r1~kjkxAl
zh1tyqBB$slZ3Wei)W%0ZD)u=@amDQz|DS$5h)farozPpw8<d7%6UkRn?Mou8XS2E7
zean8Ghd{2<;w7Of{df^DzFlO0k@(|U8yNjF7k&nt!{`HqCZ9+BAi@-^v02Jlp{zQZ
zviY~J&zbMVpB`r5yJ#eCLTJw{TVI_Av+8BgF-Bk_%;;^mA}aq*2#jt^&hEO(3<G4p
z72wy1TgN6675RAD&VuQ%NwSwbz46U8S0w(RD@&vyb8rQ^h92!<;P<v0YFA6kemJR(
zgUSkYP<kEBwLhSVl?#DlsnVr*N8*o@Wy7jT(xvwGQUacg_pi83(W3PlDD@|9-Y3B2
zGgy(DA~|Y^YT_`mDrw_Hte-WKGE|2E(V7`qJa^WeG+WVujp}#{h?U&{7&zt<xVWYw
zsRF1~H-Zx0;!8+iUB^Dz($TPL5+DXMSVSd)|4(PGoeqZU7q729mGm#{gQjn9cqLE$
zDv1sEYq@9CY)S9^a4nWp^=`hO>?uH|tv9Y4hEP6(@GY1giS!;C6w_}7s%U{&{(Ln?
zp{R;)A`#RdS$NjZst4+rI9*@9SN>fW*zVP=fVnDR<!4hI70iWjJ6Fx2<wUx?eTHbr
zB{RMGha+AqnCX+M$4Al{fZjXN7yxP>snjb(@%X{^3#*T(sg#6wI^&LW9Wy#54QFGb
zzUca8x4NpO=dI*;!8{Spb#URdQUYALk|nPhI}>s>Ef5PoRmXM~Pg`)3xx0Rny!J62
zU=9tjmKt{1hRIeM3Sa-t`4$b_g{kbA>;w?fQUAc#t7g@A5rvOqzUqbWpq<Uln?Xkn
zl^r#UUSjvOx4b>=@L(=s#ocxLA|-Gz0~dF^Rtlh=*anJu*Xqd;|1<4tc3X^dfEn3!
z<BeTX&#|uvP)>7OBP}P9T+Wd@B{y&#txvsURKa&6118xJm&Uc~H`H{ME3=P~a1hFU
zo@6Z?2^8&fs|iId@=6<@&`2d<L>zZVcZ%Sw<%0FINXj<1V}o&<n1mkEdI`xY*p#C)
z*|?&jic`q%I;YYZL&<Yk-2#SMgg>XQMgOswa>m*_=BC%Xa6mkgu(KkCY*4DITI8B>
zSOAiMTthnnv66B{#JrP`-<M_%CnP9+AmZ4$L;2|cLgCgkzk*NVDX3XxHF{jf%XiZ|
z+myluEQ9(FI7qWuI6nQPl15d_o$W$ZRG~F_C9X>J!IQ2S#UWa+u(y`x3q<OY=$<i8
z$+D+lS_{z^e(6nj77mzIbfj`mx|F+{Q+mRjV|+`+0-rX|pOd&kcURGaLFFGPg=0}~
zlO$H&bP%tdS#<Z=q!@F(QcmbCPT#NHceR`C&zD!DBQEUoxXC}w!do5jIxj)y5SW-z
z>%YD7a=NCFS0{2Jm7q9VY5E|(TzOV*N~-GN_~(H00OR#f%+sU5V1xVHO*36JS4W8N
zM^=^GaqKRdet%Mn)F)IbGc91Qz`*FrV-{5h_5Vl^&14E~f<PoOqD@1l{LsQdSG!sX
z_+wAwnJAXvu5hPZ0&IdKhT7dCHZIBOGMRiSj3QRYg7=$f(arDBq7RsnEgUGNRWzn;
zX3fBcq|{?h8lnOE!B=_`^)wkG_@_V;^^R!TtY8X#Gdga`Wd`n=`p>2b*>8$|g@gc%
z@RyTB3yy=!r!c^RoVCrA3?{^n%7=r<-|KTMzTCk}z$ZvifG_D8W0Z4f5XwR$>te$B
zpJF1ush4Bpu!+{!ey7x%_J8gI5C|9qkSv>^M~@-iUhbh7O9hjhtfo^*zW4MH3MOf9
zD|h}Z;MRr7A@CF>a9_Mg{m}xW&9kjD&eg6&VZHM&XmyPLW2l54tMu7IDdl-qkNQ|>
zMpyJ%pEdr+$H(U0iE0Pdg|x@pl)tq*gH>G?#RuO)!t%J80cPxmBH<c|g(^l@(yqT4
zJ^QEQLT2Oy+R8|PKRw_>t7v#fc#D;a>A*5C*Lb|tcX~>utESUC*{4rkyQ*j&B+;X9
z79%ZPjM2cY%3Z`NT$w0W8RcDBF*=1?@IW|6>6FQxE$A<tMp0D59}SAAFw6F?-<2)}
zB-O9Gk_HDNHQv2xsrN(dyFfQo<3!?UPnucxYPw9Rcw1j4Kpz1ARr4&_hcr!h%CM>)
ztKXD9^}1{>(*Klo9k0yO+GBGTE6RHPBtkaQIXh_17UT3UCMjNo!e*-nZjbplR=tKx
zO>zs*VRnw!ry`NS=O=8Yoj14pPqWaXM-g4$uTqVKXPXjwM{wChD#YOn@Zli+SU;Pq
zHFsc|9tguZc+<J)GLzoB+TQx)vC>DJRnl?56-;!Ke0w`Er(*-bGY*t0m$H#M<b1Eu
zy}1B=(?wPLa^b<H8_!(L@V7aj7n9M7dx&07r?+Pw#Ne*Fr0&hi|7@S(7Q7sPS8^k%
z7TBAq?ucSKo^(;AtU!@A&<s*D7q?X{@Wldu`DzxzFT5O|GldctD=`XH_f^mcTT8J8
z_lGM50*D8gwoSzDi$wu4vH(5pf;$qAT+*Ajg5+p^vrpG9R4oJ)+$Ef^Ko^fTLDx|!
zSFL>cb0U%k{Qs6R&1#1HVSg6u`N7`5gzgvX`El#ZJ>z!ooJee36}t#*h=pC>2t^v^
zxb>`NW{|b^%Ql=|yB#*oeC-avnrrGV;y~6kb5c*m2SWVG(p2V1?3+GxTqC#8)plo*
zG=3ZlrUxR>>FhGQi9hGl_0g4DzjsD+;0?vk^?ua~Qffh(xlHMiO7^!*p=`f^q|_t>
zrec-8&fxtV%+M^&jGBa<F2~iqd6n#sty!4M6#5!yoxL<Dy(zd$#ezMkU%qhqYq!eG
zYv9B0Egc2mU@?>FpVm^o7z`MUwRyup?0MPwT$FsYvA<U5q-0RxCUuem3kNa)Y*0L1
zG*5J62Br%6aLI?h00q>=G~Y-NDhF8LKE0eq%}Spcr-hNmpZyn@7kjc9S;jKftaO&v
zWka0#x0WhpUQ(VXD{z{+8|e`wB{wG*B9S+apHFX2cB?T>ywDcVbqfqMT~D6iR&{Sr
zv*SKJA0R5L;Gh1AJ%QlU&=ujddwJ%y?@$W`<^wi=F`|8UICC9H@>*VBlfc`_GK4gH
zv^Gz?D7c@LgS1=j6~(7igJbdAvoL#iR+-p8v<OEC$sC9jpOjWF^xB$Sw+>(KUI9_`
zQOcQIWf-BKLgFS~tA-XkpXY&Fr1&^vH7}@N_2p#89NZ<iG{EhyvicH5AyRflU4Gnr
zNa0bdmZklf@4Nt0L#6-_+y-uFgWuD(4w>Y|&{Z{hh+pfun}D-qlf~{M(H5W@4a4ha
zhvU#U!&%l5G>mM=98zFIz?mv&l5Q9Valm?-IJhRcYW1q`m_q@N8$y)<0_p*%fZ^Oj
z)gZQTn%A3iNLJ&Ieh*T37fp8sn3UV^pM7`+iC0*@<`zT;-wZ64Qm)zdInP}B)Pjv+
zPF6@ae|-&?jTv7J#xUfb(Ydcy_n{EeqzA_COwZO#c{4eKN+zCm!hF`wbfNc1>Sm$B
zh&+dG5C_6v@buJ8tmYk&AAZDWy2Go&-c0y*`u1Qhkr_+5&=@9Z?{r;+eBt3LmmCYQ
z->l=`MA)32oTFH|Ja<RDtuOrpK)XlFK0SbmuiG^LbDRT!i?vj$QeiLgYp$CtzpyM7
zRf8yzRYqxtTgAQ_8bc$o&MF!Ln;fQ4N(i`1m6VtaZ1|Elts+7dj7f_h<8@Q&Xw-gI
z(M-!B_djKH2k!^$)8i8quAgC7D_KrMA{Lq%n0NuBD|fpNMhO=Nl(=9T1?N8(s@gx0
z`sfvkMK2&0DOoPjc4rYDe2!ee75wM_8xp#u|8ftlrNGzwuJ>oQ!QZ^R7X=K$FMDXf
zsGPo%>vw(bL<6x-v!zgyLH@Mf<7&)anI>uj+_=ZVzE^AKGu!`el~qx#{5bW{4@Kwi
z#gjiVr_lMJtB0nVh7ABlfl?=~3fQLbb@o9f%R+iS8~63)I$pErxH*9L<X3v6dLA4D
zdWBBWYUIn*(vA4I=_Af}?_cnKFdXOLh(2D6r)h+wDUP;MHii(tkH1MNyjeMmq1Mn^
zYCK-+ptNinpl}KLtdIQ}BNa5BIv&$I+BnlcB{Yv*qzf`#RSV-YR82K-Ok7)renahK
za|v`jKCYf3%wTqBAsbMNNnr>|PgqYT^tcyas{<`~AsbR;7{KuRBrX*_I(_8o)HPc?
zn4u3!<Vci#Z4;1H04O}+@XHFoS6I8Nza2rbdLSwlkL0jO&*2e&B;c`N{U<mH23qPp
zjUrm7VlI@xeEkfMLTD2Z&dB*r*My=hRpCc38i&;oua>IuZat~19j8KOA9(Yq4_Ywq
z0p9Qr{&1@pWUK3%IBK&gV=Yy)Z^kuEz2cPF#~`VYfd6)R``G@RYhnL(m$rDb2=Q^w
zHVR-y))}or=~5z2yI*hZtWev%xx43Bzqn==!GQrd?Wv_vqIsu*W9+1rOMtJE6nxTM
zvC9k8j&pF_hI_Y?p%z88uop#@Ar*Z=f*JX<y8O2~Ef(9CN*iQ(*B3m-zwjt{TMn7k
zQz2f<o!Y<QKUY)PNt}W`Z?7G5XDa||YnCpB>4yG3MQD=EO@L_s`RtOqZRZbnWD;3J
za~-c`{UWS`#HOxGOX13eTVe$>yNdVS>t`6*N{nM*8ANjKp4A_O!?Bk|N-z<|n*VdD
zpq)rUuX?3fu+t)CP2$n~2=d@gsFJEAD3<QEb4*lcT{-HU;`FJBy~9*~j&4w0HZt+=
zNH%d7jgN7Q*Is{tg2Alq(d&0U7m`2dC|dDe%&6jeMtT3RI8(d~afW=c>GJgPwh!yk
zc~c2U;XFV#ZB`VySzBMMWA;3?3p&{rnAKKAuEW6jvo({@V@r{qUF6%oS8o0CzP8HC
zT3VshkuV(6R%KyTi@y^9uvgKjx#t_r3g#+>*U=Do_cW<P@d1OD&7+O|10SU0{&JE|
z=fX$ZlHphM69}p~&e9t3TJ*et?Txwd(GET-Q1AUYZ77_k^40|!;{#)@A5C}0at<@H
zJbIA>6EdV|X-&<7eK_l*a`z?~xC<2rARfi&I-2bium6Nn6oxP*^rB*EX7}k8Ok77T
zr>3%z=-+&_|LEzdGSA()k#MBEMkd1QzU#p?5=XzuJS{Mm?M*yArt<0oVbD*{>)pga
zuj~kp&*-$f75pbHtzJuBz}m!RDmt+6d!|(TJev5-hR4yeo9WfjyiUDhKjvT!Bw=i&
zJp=Np<{*(<(~@B(#raO#3bbLP^Q^mn2jm;w)&}&F_y5P%Uw}oueqsM8DAGBUgyam;
zAl+TV&>`I^(x9XuT>>(|(A_27DXp}WbculEh;(?q?Dv1pdHtPpZTH4&%giwAS?gY(
zdp*xHJ{qdy?%WKzeC(8eyS<Oo{|XhTOy`+NMw%``i(o!3K;n0SH$6);b`9iN@T<Vg
zmu1QHA3QuMfa1-_WmZ;E$JTw?w`Gc!@uD<)8zS&P;hP&qx(+OlOXMkq2I2O+>{!`%
z0E?1kubOS>IJj|OnUwJ#xix_s9;Q_}E|2tUo?2)|C6`1DvA`I<tml|Rty_6qhd11Q
zPUHsHNwO>G7lscp^8LbB=<mGcmQS*N`qs$PB!eoSSyx|fuJHw1<5#W2B-eAje;KvA
zZz`qD>o^t_g_c()R?sC@qk4f|yTHKfq{2w{_H+T=?d8XvwLorJM9Sp>3qY!_@}+Li
z27d|R@{<MNKE2smKgfDTP%rIA?r;!3#IX;*tNpuZ=iP;c^nd06V`zQr?QfUjFFv1a
z_{6tL#4uKmwkyy>qq=dCiMbp*G2ry;&=)hw)cl{{fnIh>EWqP=mNf8`W&)?>VK0&+
zidz>U7tsU;VBK+&LGnw$#_!;0ZH_3Xr2Li2X$wt4MmFUSH<?+W)7%Nb07xyO0b+V2
zR0tsgkTU>)RsAafW&tKx&VrZoP*F4l6@(A@SR{}$MW!Yj;^-Y#m;Pe;c_Ktg1|YC=
z5rUj)m+uwKa%)KGObu87(%mfh7CL?|TO&J;oz-HG!8MTsKL)WS26Lnqnp<>0Nt8hC
zVZF%bo_}{t{^Bc|&8~Lv%hVs$$i(`N4K6hgUGBtF$-Pp`{yWx30a&3OzyZiUBlI7|
z<d^7Rm}!Zl>ce-A6S=IoZ*zOu6VKc5t8wMza%Alk@JpVpVN^xKzd?QDKvhQ+qwi-3
zlLdSz?=4cUf|=<VJp&TEi%Lhb-S*@v%a53EAOHUM8FdAn!dMe`>(8JTO^=hKI~EDQ
zwqAz}z(vjqNSh|5{xK|FNV>D=(i;crH(TUhsrp<G#OEN;2iLHe0^DV#zit`-Gw!#_
zo~7<;p#)#yk;y@_VuTeB<Eiiv3FOHkIu=|7$S2munG+$Wb>o(f+<fNQT#+GoB#4yk
zjS)bz`Td?!dJbv7SibIRAmmDMslUP}Z`fk5vHG@Fn4F;AzBAbt(1VJS(wa!KvSjNg
z0@A@R>%&ozUbgkI35CLg;=VHhU09mQ$=JG)YgOd!Ss-8qyz{PC81DbQAsPCYQ_+n6
z*-~%2*U;s4ScFq%g4sbxgm#k6K>6oIUF8=tu>>@wV;{S@Wny1-hlwU~-k-04YzCH4
z7tpY}GHw>{QN};{{JA^a8p#W{F-kSnp8B&PeV0UDWKUfSei#z8Yxd=Ibx5UGVBGD~
zJl~It^*UBZ4%FiX3(e<!J*!Tn6%&y)czOAIAsv_X!OBvx!GcS(MH;o(fc&KB+rr_J
zc>*|jaX^C?(0nv48)J2gUZ&K5K{n7o563lE%Qui%C0hHr<9km5Co$Lw1hrmke`W(&
z-s?DAI%A1nUa{e31Jw`+ssn53mdS_7FFk!_YQAiz<KQHdq&v_6meD7BSKXn}xAkyv
zgwPJt(q`Qg6V`i>q!QsIBuD5|i~l}a*r6NCV!=~aKfNLguF$CvE^qpgPR$+HkAn{Y
zvKZCUUyI>?N<05KW_asGKW`U!Y93uze&VH8nimos-&NEszS=DrW`lh6QL{M;!|t8`
z?>lUW)$(nhqTNXW31Ay4>rqbrzC%(=!}F#~O<qI&a}VK?{>Vr2nwH->yUusdGGslC
z-rQbQ;N-SR=%DIM{@KUi_4nGKSE^%UYvg=KOJG-8j=k39`X%Dn>rdQ>-h|*EM8AN7
z=C3T!PX+WLxV|rtVJf-~jlXbV3@Qn>MNQzizm!~ecbB5A5I1F@lnVxFXePW7a=A@l
zH42*NvZSTCy}@Dis8-(oR0XCU+zh?>PMP!{9_&=p!z0M<as$&L8|YYuv6Sd~Gn3CY
z(Xlr9^!m1vg0{+QB6-D}1$cxC&T#}~Vl~T1Ar3QLe!VA`4eG~9qx19{x-HV_tT)OW
zzjl(h+dftOHzoMDjd@6+(;e??Y*mkH^fj^j-#&ZSwDxJMkxJJ8w{=)BslzBCn4-)3
z2yQo4JZOfmFkIc|7=DW!!9f|?&!ovAm~s(3K{n%@LC+aCLI87nd`}|D{@B_FY6x;!
zqbhiG;(3&a=r72SMPZ%Em5_b+`dgTj!6gQfdD;fD&B|(7{Qe^)lW;Itw)%lNv6kTL
zafQchjZ)$AfMkBAriq`X4#9VVR^DQUt+M2?HL9GEJZF#gewZ*V;yr8(F2e13!iTPs
z4NqfvT*tpCS80XGk3Q@LdYVuHF>ThCS)xsDl8m!p$6B(~aoBz`x1>ZNlmsCv1}c}8
z-LU1WPFk$}gVU17jnAkVZu&nP)5~-U?FNcDm@xuN57&Xex#X$6ba?X1j{6ASZS?;q
zf-4z4wLW<YB?f&|&Ec0n_OJ~!;X9Jv-13>EmqP>}+)hmh`<@C)T43INHlQtVCeD#G
z$y+O@Z3MI9JPZW5JhO;wpdD_oC#33#p@$La$+~gY-R98PRQ)T{^`nOPHmk%8X4BN(
zI;RdFyASF)>_klSF7@oqK$uhm;8~)jpTdW%&T`dXI&7a<*{o|I`k9oH{u`I3#^MgH
zz6W~o?@GW8Pr5pOgKIP@3SU24J@Gaz%>t<vk)dS914J2C3kE>yMfw?KI1nF)hvQ!%
zFT}bCbOUH^3Ygj0J23f|iaD^v#m4Kv_^gekYgIsPMhvwph74o>Lase>3M^gY00jEz
zS$E0;%U&~;J@Jyn!!$Z66^{ZPpI4`>TzO@rj+;>?8O&C*@ZV&BkmX<aC$~oVRxav&
zdXAYRxkNXP{TnCX#5|gPCpIHPW6R}(>$YH9c{H)Za+>E0s)iH2aMVXA-EHE%T9Oj9
zz>g@_@d5?K|8x_uPsPGCYt*PH67)yS_*!CO#|1#cnVKh8oEYzXdX^sRb)=50rk$I2
zuGb-bm`0=A?~i3Lk6;J3|D2G;i!ZUC`LxFJ!f^{%Gu>+P)g&SmOZVX-DW}ecJ}3Zf
zsYxkA3NOB5k+BIfRlpGyMxGbC_+lM5-iS<+y<Av;DO8n^Nw_J2$5jbt3D_j2cMm&R
z3J+&q=lZ-5K)*uog9DPJ30Q>7zO4@rq#&8kfmN?9Be}cd8X`vl5Iuz#72_A3(q2lM
zhcRJ$<Hi%xuRWT5TRQqAgK3nFE`q~!?r&<eWy0l0bAtXA$IS1VzMZ7zmt!F;4_zHs
z+se+&e*%mD51|NSX$$bSewK!G^Mp^1UDTdfiJ3UZXP@SibhlLnM|TH$-M;2(ezDqG
zA;5qC2l7k@a0XI9TIY26yB)UHRn{yI+Rr`nKd}$z%66*3hqFx#8U#6I=B<=&NUpU6
z0dl-k{po(uIhBq>`Gc?O?a;m;3QFMZ=2fyC`RZqd!6~D%+}=9&Od?X%h-5>?P2x3a
zIK7g4K+(&*x5_}YnzehWXqumjLV(29_2LH8baetnMD~=2wUNv;w2n^{BB@@4SY(M>
z|1MA*vUL$XO>LT#KV4ZcUyPgiG>w9$1eaP+he}9x^+d=u7_u>mkOSHds8L(S0Mw3g
zCmmq{-K~kVf*!n8j@&@1;Kh3=9L}migNUqV0zO3yO(>ZB_8R#=r^_0(H@^$m_J2}I
z`f<{SmSvlT8}l!v?)2NnW=Q^+SAXYf_5_XgMR4@1>ag}iPKo<~sJeVFDG6_(J|>lu
zl}sAJzf}SX005nBC_gdZc<yZ!K{+%|3EOPUc>HGx@AhhV!720bSCE9if4B>m82jDj
z*ZK-N>9UBSzgu{uI{trVXE(lf`8ouiPw1h&u+g>H7;<IDnKs4g_VEu_7#qy#^5$oU
z0(LdY0k(PB*GyHcRQISrEu;aAxVI>pn<}{3aBG5CSg7bY$iMm|@nyB#Ow_?eALGUE
zU_mhnFGd{{VJ1`5gP@~I=GxUk`x!^vD8I5r#%xIKZ$=WEs09GMxDN?zpv;dW%4gcd
z!~$+N{D{Fy^^dI1Pg<~*g%F`n7R8vqYUw%vxi6<r!nEM*o!J2P7k7{}*9Wy<b1~?A
z27V4?y@9FaA=_g+xlq4=R0d@pTwtAHf;!zs1^5O}ylY?5^O2JMdzfz`cC0MN_jnZz
z@#Hqy?d^=y=I6?I^=x)cp24xeQ+ssDuP3t}@nSdaL%ub)>F?LSEzIkn{4QZk)^bi|
zV8ib43k(KWK$7;V?O}kn6M`?{?-@>uFzT2jKycNcSV<9h{yjnpqpWl3`5$&v)+{pp
z_c0bfj}CO#6jOg-60k=BP&HL4sz*uZ;N8(%I3H?dWIsdQabX@FXsVg^#y*g`4>x{^
z9VUYpFZj9vvZ2VbS=sYZv#jw?GUUa!*e<VZGEg;tEQJJ2#7XT~*?;jl6hbzfi3<Ur
z#0-;hvgYQ%64WAClPk?<k9zuMh`x`(3cxR1SZ{nI<nwp9`H@fRhTF&^3bLZBRe0_w
z1DDF56Ym%SSL3sGeyVSMTgEp9>=(&~I%hhSUdoHAZCbAZqj0K4Av9CkNkb#a_*NOk
zq|C;^8YPh&f-ns=9HW1|8_X<EXt&!)wM+Ov*EepLzX#rA3rL|Kq66LiWG|5vTcH%W
zQNR)m9_o&ic3JP4F`qF%><wi+58Jq}jIWob3cUaIt6sOr@zGKp_kQEa&HOmB7q7Z<
zRQW%fYv48MGLNLKt~lN*r)1~iLC6uurpK=B*9W%bqmP8L)(7Aqo^-r(33jdsu+dGf
zm9)M7TzmB0`|k#>*?r4r-}dTJR+Umqz#Io$w3Uxuk4T$?idwJ1e)Vyj$dgX28AN}}
zJXrEe*GU6JTFh4O+LR3NTkXnK>DV!GwXwW%zSQXr;HDSRbw6|+4$DhQG48NEj?n-*
zn{)uU-}xiZ#!M5Nz#RY;WNx^nNQ!mwA<&Q~&mdoW_PE)j&gPy9H9%ghg_b^Dd;Ns8
zN55t`XFd<|f=Py(S4?7;?@L?LfOARcr<p}vb<Oi3=^`>+QiL^tVSry;bF>1#`h-iZ
zQ1nt)SBUn__hiHWna%tq{+=UYLO%xky^cXp99jP;=fztoi5XG4Knoq)ccorZLV1H#
zZg$O&d+kSiU1)PG8e@UT8e*{guIn$XV2@gp=<4EmeKgb)1VJv%s}On!qrB+bLfBZ8
z_eBUg$4|Nln!b?w@6hz5Pz{)Rsn>-jYoon2u#9IU{^9Jj^i3TEnd7o7r)zRA@p9>@
zd=YCSzT}ttobEO(l*=t?yt!rVzqJ3IhjP>{d-Flg2z01`C%(C1gcpCx9@SdHfd%+e
zn->B+Usq0qY@ne~KwZX5XAGT)ZJ;$W$(?s@AMVt!o{<dY9<66)`3rY(+~&TQ1K
z`=iF~Iw~cIRB~a*%5Z`L=-@CDP#-&6Dn0~vl}*wu!lka$g2gX-yj4yGEVZ2@%(8Wf
zB~S5?YYtVz?XB{MAlV33+mb>}FYW`H?i6zHFRvKQGRVK9FSNIal*>OXPC>Urum2Q>
zZ+MBQTu$?!576&~2po<1UXBRjytJ7+HWeKLbb8xkk@Lmc&`7d@gSS|a)iG^XtjX_^
zl<|iKmy|bMdB`3$wA07NRxe-?%+B@V=!gSrsqSQBix=piUO5dII%g!T=I7s5dyYL@
ze%m>H(9y^NV|<dlA%8cg55n8gh4t##rak*eH%@rO9<@cVR^e1v4=(Nc3j|2FtVo6w
zs2@i3+3EjoGV!ouaj7I&3oB#+q%et&Z{>X({3`H(11qKp+z>SV>YK%sZ$&fMcR35L
z>|{+XtS7w!GXMeRBYms^?9MNy<^;W5gbU?q?V}r%z2O!cUu4-Z0397k=V+G|$&!Xc
z+-iS@$pdWxM|*RJ6p}_s<1#zN*qh%-OFx41Qw@ruLpnaRQedH}o2JaMuJS*J*a9)B
zP$V`#WJm%$>iu%4WvRd56!rf6E?771tX<I#6aE4Cjh~eRx58XtU~E|}HYiCq>{WH^
z4fy7cS3B*^)dA4V{;t~_u=;y<E$G=M>xLEOl&aTtTN9@qZxM+2b0g#`Hgf-d>$^BM
z)7$zPIFlDnUi=ll+vNZSv?AKMBJS^*x^7zIiB(e1C$0UDZB|=e)oVQ|lFl_J45Q*U
z<(Whw6Y>TYHtblNK|(6-0LZN{S$P{9fow~DJoONK#Hv<m$&PisAvyx9eC!0^vRom1
zlypfDnN>+)X^SYN;}^?WJ1MdWT=%eT$d1+cFhTz%r_bl5dq^|_cV#>~Q4N<bS~RoJ
z2jw+^+p0ufL8*_DCX)?O%cHxsEsZ>j5DP4?W~e_z)(qolcWTQRfnpwOhh48M>N;qO
zLYUa=oJJ%49zIz>Y0_bio6ccZU`aoIvH1&~)<08(02arkrjwHDJ#LFh=k@=`m+^58
zpLW0Flg%W%JYXr{fgQiUO|wWzt?&3+$@ws^+0Er)<APNNqrDmO9e{hc@~|nnhn7*$
zbl*lc*K>KA*9joxj)8m(rDQTr+xM-gXB&Nx3+`RMlOZnC19q&D-sHZmIH!$^>Xn|v
zu=wXO9LwDD6>mEs77jJ{$LiS(<1--=XF{!itQsLxE(tl-YYVj2XGx1@ZVz`$rl|vx
z^2Tbw0zm?<K!^9>(rUEr6A;E1_hLlxEQOOp<^qBN^QSWN_=#IM_xO~{JQOA)zN?q&
z%GxM!n*|RWst13o)F?Q|6Jd7`LBp!og3Si*<)9jr4Xm*k(0r47{r^4-;7vrmG?>I4
zlP{<1P|F^r4Lm*%TX(P_h<6RmVJ2I<Y+DhKh5tSzVvyoGi)m3cUuz^*g9KtL8y@8G
zRqYFtxvs;%#K9GHH+M)RabpoHR3IC>CMh8cC%sG}a!9>qQ7c9InN*)WA6z)Kpt>j)
zzun#!uIAZC3JXXFbLF(7yf4bhE&tR6Rw=bOhzYBv>8h>+pWAT(W(w>|O|^AYK~NU&
zg8O2x@g#!Flur5KmZCxXH+T&P&R^s;-fav1$(O|BCa__t$*IsQnb^PkThB{R98~A%
z{}xT$cjx>qttg3;{ATxL4gP)bVXmC3Y6O};Ofnt_!`B^;(iqSOH8~{^tVID&K@DR7
z$Tvk;EH1iH+kGQk1(x6YEyf_(&;o8jRk90MX1%4S2AY=NO4u4Xmo<Rimj%+J5USij
zR+Z1>vtvm<d?18u{36$XAKD;bpZLb<APer$t<A$2K(NIZK?UgbSGa3)EoI|z^Y9u6
zae1k7Re_?ehD905&!=B|ux8b;h=Rl1!kv=xmmG3ow^;_y4w5wf*E_>3120{}JD8DQ
zh<!1BGy@FBsBkwEL10(IzFy$6t6^2hRxfey{H0>l_b}5e?d-Y>oox)(2+^#6(XvT2
zp`&}ZH-dASKuJT}w67<jCLy%HHCP%V8F2Lo$1GNM!gq{K@{6-UPvG4zbTZQhUcI<k
z;k4Y%zgGtsHc)CT+WUCH*#${|Bz0D}#|+&2ZVods04MO~ZGcVD+z5Mzl8beNKESrV
zxl0F0HSAGx1|V?+B!L;0KSV`?VXs|OULK-cwYBy-{WUC@h|I?#T8Kj*(cc@B6x0W}
zHVYyy9XCfRVg`1=qy(hqul&G^xAO^dtNubs6Y(h<@O~feJ~xA@&riI&SEM3pz@s7e
zA9%&OmRJCjNzca4)3-GyVp3N0RvEif+x_-<)StLKu=(M5tb;};Gu!A2W|NbZ@-pmS
zy?Ax7wx_Wbk9)IuccXp#_n>npg=)UFv$f(Q@1)dofyC5Ar6@Ra!q+D2n^jTXz+aX8
zuLA^!r4h+C33W=*n&5$D>&Nz?UwtGpS^3(idi<_Gtu;a>Zv2x7Ug-#4ZXYb(Xp%lj
z0n5Z%^X&h^XR2qPA9{mD?+5B1Zh#HS?>-wN<A`EODHw?by%ij3@%F-dEsKMl6g91l
zwS&)<?;_OV-yNf3nB{|fcT|JP%DHMFTl6t)0j~7uW5q>#Y6f>1|9JMxCshup^R#d5
z0$xgWd<k%OA%5H^ZPsj;{YH$QX2MR3xG&!gy%=YRK!a`jBZRX{^h@E(H-3-p*be(4
z(xI%<Pc2N;4MFvN7$awSOPtZIxXS$lUK6eYltNmYZc!RfHh-IG?$(<U4sv3VzF}Yo
zabOY5K01W!&&$E`4T}007WT@xLDSm#kQX<Vgz=)aGuf`tr})O|-pa#>{^0~^bqDcd
zicK#mHHWZWT#i;mXkr7Hhndt~J&HWk{wtrWf+{JiPSo>8lIx4@D|+AbSQU{l1)p<|
zSH(CZP^QL6^zk0Kr{Sq7sWX;O!!7<lzf%9cnwj>?P%6=3A@UW@`COYU@=1Jk!+MU<
zmuJ7RrOXZaY1De|5s8f~t3=F|11cB0j@#ZUrEhqMjO|<4=JJO8Zc~Jjx?gEZ9j_5+
z2Op<-h=8EoQtS2Lj?%cP-^>bFCr7U0Wsg=t<bHfxDTutRcx!8>i_CMRui(20Pi*$l
z`j1tn_pxc!uRKBOSPO7MjwkY#S|ew&xSLRpUz<jeLyvWE4C)|Lu~b51(I32xKiv@x
za$xCx)8=U~W<h$Jd97d5Q*Mi`^ib$qeyUPXcYtKWuS8aQpoQliav5~5ph-4{pjvPL
zPYfGyC7I-OM_6$7n)@BfJ8|drkDG4K5sM>{LtAh4R5#maVZ97(kOUP6O#rh<v*9uV
zv0q7=)n(M1H+(G)Sn`+}apg2a!xUa&BpTM|j1b6pLi!l~uV6k6zw*od$;(1*R<`wX
zT0&*$`QM&#ruw&Zf@_ilx|%0W?AST-ok@LpMIv2+lL-zfnW7DtOL(q33-2>|d^xf|
zUvF5Dt8Ox!6_FcipcwmohZuntRIuAKY?l2y)J%om@?$)|7>s?oxwA}TDAcGPN@=#{
zD{yA~4KCy%CAKEm{IVpw(U>-UJ3kec$Pv}Gftex~MHcTB?gq;jF%qLeMgAdKxj%tJ
zs~V!)K9uwmkzdagzSL`$hskWpNT$u?i$SLJVfj#h0{O>7(h?amvF<<)Qct8@B*_u|
ztdJK*w#aGAt2h`a747cSQPZ|TD1~eomiPCl@~{_r_A(*~ExJq@x{Y3c`7`r(91*(R
z>nWxaZO{gJ(LflgDOPsYZRgASfx+{dNrzMmFSE;nF-0}e!|B~hT(^;rp~ISB*vx;A
z$L-_(|Nc6?kb3f7&oou>slw$w>dGUEoTPlA8yOrH-Opx_@t4>X)Ml^NBNX>*j71`a
zz3fr5X*X|fOnx8i-7(NzB3}{6Z*JbKyFZK0U;nv9<0HI>PIS(p<973kVElu^2Ycvu
zp~mVbLpZK)6qW{YWd5jPa1BZBxHzj5@bis?Y(Me7+Xa!>oG-jtQ6N+hYSHh@+ZO3+
zXUk+xv>)1ZWA(=@z<f5QpqwR6ijLAmZf@TSWZL;aGhuv0ueOY;1Kt)QG}K${6_ovB
zqTv=t)B<^b@s_lgSkh_Qvj*^QC1TE~b2@}6kb#Nl_(VEjjwnZwFiNCxuQtOxd>4NU
zA(#9XsuVNShnXb}B7;T_sbYjVQtIYIrskbmOy4UQ$cWLXJ8&pP4lRijWAC0v(1z;A
z8-Zp#Ab8X)W$zAH(kjUIpjFxQw`_8y3`~vi8vFBwer<U2NfP(}9p%wA98wh1*epu&
z<0;hPv`$s)Z{<2DTEoR|4inVQVn@==;=gZSN06;!(03(%tbCrR6$mNLL^1cO4^Apy
zr<^Lr?89s#U!T;%YtH^-D`4p;_}<w^=(M*3)6&*k^Sam`+TkYW|I@`*#p_MD03oUi
ztyxex>*aou2IHg2sZj6R9vM7Ey`QezB?69KeuP^tuYd=5QpAz3-}o&BMuZ=J_Vm{Q
z8-n)JL+Eg!>R2^I<r*6y!0Ks`is-n#+hF-(qg6^ozV>)JZ0o8txo#M~=_ZQkp5}~-
zg>qmaTWn(xXl~N%ltMJot$#*a1*96lq28I<GoWlZ=4s=?CbD0fVfy}L6I!KWC?Dd@
zx#Dgi(q+G{!GWdP0Jf$SqRIxfLOC{A((Ztzv1CliGXg#C3pxZ|Y7Zf2_k$(De!c%N
zULFhSZAV8b#Id=Svh6*of-&G9p848np4~g(eXBzdF2npaI-$IN>2#vu|D?FgllO^!
zKR-?s7p7CTs$kol3m~`ZQLn>gvjYz&AN4ZB(?5%l`$<{L#PZ&x4;O1+o{t|)R4&ml
zpeTCryWYG4YF<rziJv-DGjtxGivg3-I30Ov{~AdB72<Xj6f<=!)?OuJ|BCWpFSR2D
zrXn>b2O&2YLkiTQOtZhNQ`Pw0_plfAVwCC5%kW`_#FuXO-+4Od`Ugap{yNjsU>K54
z!CPF7{eN;fi>=%n%WmA~7WWGDZ?RHZ!+ObG>UMaTLF8-VD?zm3_DMj#o%cM-f99)P
z3gwW*iqZP<P!BhyWOckn=RJdA0To(weffBb=o~c1_#A~g*R75dLzA8#Q|zI*o*18K
zb2amgKv_Yl;tsRBi2g+>wNjeU4STKEahEjdO&BY0HNV>JAwroX%Npkd3FUiaLY&t>
zFg1e3AmU>R0$DOym>1#2j9o?pm7yj5AH*T@zuOxNpjAP}`qu3d;R?4a4EJOIll#P^
zC_F5rT*t3B0*t7>RNEmJKR=Npa@Ay*@xJ?LFFwqtpmvxhOP|3ci-!UP-}_Y{vE--o
zsSKk2hOM1eS5GVp64m6&o4l4wwF=hNxW~b-q(5w2ZmOR9qgT@yN^$avNAB(62Xprt
zvqWfd#*$w&yPkd#LH~J9$8=Q*XeE^*f+&1SV8M?>U7ZD6!72E32!V=Xwz7P1?s~`V
z3@t4{^usWIYK|5mw-G4T_N~BETjC3EZnjq}00LB{oSi97sp{~h1q}2|<;koDFgEBx
z{v#1`EQ-zGaI*JG<Jvrgc+|gIZ|U5ilNOradRWMLtYMZW^&1fhN!}eR>SB<Yuz=9>
z$)t>#-;e&_DUQ-W8^F|pQdLO>CZO8ecczwF`##iU9Pm8lZ}8lb68518TWoc#S@`ZA
z&|ToqjX;2AJ)-;F4q0#@((=PeYls$R(3#>OFFwpO9!>CYS_ulH!<?!lO<?%BXr00O
zKLudxS^tI;5f~^6p?mtAC~O3cbm;A@=D6L-Sp1&_PvwCHayi08<MfGJYG@13wg+xy
z3q*5t^L7e?@|}zc?8%Qo)E{=g_fD0>W3S9^Nft*#4#tq7wy{nA)6K3iejG7D9ZEEZ
zhf!9G=)Wp}MdlxN;g67VVA0c%ldqA-#b{W))-JGXISC<*eSy5(d&i-JZQ$=_<$>~z
zhAHI>RZ3S{QZ!Il8~2NZ75kgNd5}qwi2j2Z9WKl%Udt3T`rSDv0t6dVV=1D)&6zQh
zfsf7SS|(628w68vAhLVL)dS@Bh*AR>7bA}LKuQe%3zVbvJc2NONvVY7_vVr(0D-BA
zu2AqM(mmT5imS2#r|XSirp%dvlg3vR!en?&^glg6WWnmyP!^N;okVy@Fa@tE1Vrcy
zqF<_c1Dp-oTpKl%d^<1$0T3{%h8c5;BK=!7XeF9TNKU{1pL`E=Q4q|mW^zBpGL5XF
zHZ9M4IjS56DKB47ethb^$a}&UpzTezgAZ{gxc2z42q8|V)C`S9$U!2k+9^v(>WF3W
z<_V?*S1x5FV*u@+4Z-oAoU3Wu=6#L87{bxuuvX-V65Mp%t}x1wjs4`zh|9<~(mIuK
zKpq#Zu{Dxm6cXKXr@7GLD%SQ*svxsZuUTL`9Qh}y-1#lEv^;n|o^xZbEe_+gEQ*ZS
zrv)19g_$NqzdibXF{a+NEsvjEGa%f?q4MsVZsysTx}hcD>=_2mNW7ttS2xVtfb_f>
zQy`2P`l4a;5fE-M2$|00wDu=1Lr^QOcp0RB3)P{B{Sf}tFh5B9p=)mK!0n-)#DB48
z;jZ$q{Ez=(lXKsx>;_AoA;=AdkBhf#RxnSBzAs-+EE`%fT*FKhpMnD*4N=Tc#_XdN
z`0mJ9AS4?kPn0*vZp<ZR)|`+?7*BwU(X?Oi@++fasQh726!VA4a+uN~ur&WSdO!V1
z`+0ZnC@c)yFj=gtb4h_@>|QpS!H^DcF9af#SAp;r@xnz2BLU{K_teJad7580GO$pU
z);!lS66~R+tU9`%TV-(`R;;G;iZ^DV8uQdDrC?_(*HUaIl5UwcIzN|x;~>RKI*dGY
zmkQvLN{E|%YuuF~s@a;M{L{a=i3mC29BGMmH)Itn_BgGHf}i=uxC1RpjdLWl>L(iV
zGR!KYFWG=2YHEQ>T~G`H+H@Nt-bDH{$v1;l^cuj?fXF12fYrOctkURf1s?%ip|$5j
zH*!{F1QIt<I;0{MR)>=KDO>k%MKcuV*lrA1Bz#;X=D>nAfPWO8|K^Bl`VkiJRNj8*
zp7hrRusH4(nv$>9lRT_p`Qo7XX}rt?M%iybV}^5Q6+#lE(@5f%PJ#(lq3ThWl}WeH
z>@V<`qh%yg$o-Ug_DCqV7bc3*@Y#oCi&7bP7XLTW#Z*o6_~Qk3LM=D`Qum*&(P2!b
zfB|$VR#A?v59|sKb3k2NHKBTfHmyOje#RKHi|e%P(}YaxW0ukL0<`73yaP|j+3fe*
zq^&2Dj^tOPwkdM%=OeW!*5+*w+<-*%cU@t>9ZNnrjGrJ1-Q@M+r<&T82|V4A2=t^7
z@B3W!TpY#fFdmB|>eMPPoHiU8))lPq>PG(8l~wy@y?U7UGE(zv(eoxSf)YZlU%s(K
zn`2ew5^Ec8T~bo|v(FZJc>wdBCwRe4Z9QF{<h}g%@hhbFQw4k7SL$CDOMRqN9KtNM
z*ov6#UxI&37RSiEEQW0KYx%Vz<ak~)&G+OzS?PsXFme!)K{%qc=w+M0aCEi$bfD=D
zhY>(wGRdhk|Cu6uT|n6;RSZFY3SZh01~xl@@G`TFHR#14GGeRX>=DYp&P3AI>douE
zsFcZKJaU9AOpOfee9Aw(_I<d{t6gtG{_#U;b;2mZbivpZtyizVSR>>rtn>;(w-ty|
zjv9%=<vP)N_9Mur1gVz;7N1XKOELsUR}aa=p2>-sjypL32<UyIGpi)lwf)Vj%(Opf
z0PyZU_!9&~0~}cLSqH`~uAUTahZ|o*@Qo#VdfXF63N^A^k)2ar`U8{h8`r1~0|)(x
zek#S3TvqI^j#gGN2(K|{OqoVekMeS9g<tIG*Ji6N8Yy|)VesMg<*&Kv7RU=xe?q{T
z53mDpLIE^3KyO53aWroYiu$*(pY=o{LPJ!douRu;7$Znc1fU&njQCv3J@p$9qk*$P
zfrEP)hH$v~jLQ)HJ+ABC62Cy3NNX)vF{E~mT!KJYJt{0oIYPd8OSU=mafAc(kEf{f
z`fvkSMJ|%tj4NTSs<G>1xAwGlHdil0*?$JgA23jL5Fq?ShO-QJEAY&0>;lZJE($+o
zTgjBItEamHzZdvcdZwIOvg6xAOG5we=v&-tI=+67(j(}#_i{+4>iyj*sd3wU_)f%+
zD;z~c?h;LacY|8?vqr9_$lm8}N0SUX@}B`W*bc^I{DX_J2c)VkB%ZPT*X0p_<y`Og
zuDPiRiVmz(fRG~0{ZPBQ*Jz@Kc9ew+pBt;iiO~t_$rms>2ddnRvgn3V%8134O=~w=
z;y*th-}tTWRC$hTt;OoVyL#E>>Q8Pg+3$5R2XqVDCNPL#*vo5vvT_nonnJQ!cqD@-
zF;ZxXsiqS}7WQDqqk<9|!0yBU$xR{CG(2*NR<4w16>d-H^r$b&2y}(34C26&JWrZT
zG-P6!+z26zAHt*Fyhv^U*S$(ZgyJln0n3+_N6`$9Ui!J%^bL{ef!&9B7=)=?N~pr;
zN=;JNFk@=G3pl!b0AWC$zX(005E0ogP&Vkxx#A`ZQKBI{8{QE*6YztD<(q}(@@}q7
zGIR7`FN1U7KV4PQOkgFFUs;&i;M2wphRJtRsr!w20<OsS>(Y9gm4t{uju#<ki=TZ8
zXJR$1$QmulhP(t_x1}+{w*b=+T1I|N9>)pv9pkokf%NS3^SO85W-d1eS=*3*W|or#
z3(UkDB2^3r$OZNCmT0hf4M9cz=yvDLu7^`1zTqJv^fcYBj^qGgHe#5J>YehgS*tVE
zbFRHEkneaC=wL>C<w&`<_F6r2hElOvJT>klX_7Ol1ycJMDMVThm`(!=&ES0;btq?|
zOcg*WD&%qGxi0~{Fd0LT#W&x$%bd}Xj4@2XbHyQxr4VT!Wk>IzmdTRB^TQyBA*eAw
zsYGtDd-KV|*vT^;KjserXPm(E@Uc0sPiDjMkV5bB)@T~R0He3X8oz7`Vibc|Kel^_
zC>}KsX2S4YT=qh+I3#^9mwAr`d57XL`$%|x@SgzxRccx>&64cEoFG81sQ+o0y|UK&
zrPx-6{2Ju*;8sgDzuLI^nh^`qTyS%nTzgO($Pg-AUY~pX!6RRw0GK2$lJ4j9zPg2<
z1nbovXB6*^5wrF5<?T<_UhdvyG^DqTL}Ks4W1N;7$M;<uDt~+&uc;MNh~yb&>_O!H
z)z3gVSHJHB7U16n&E#2fK5yqN0{m>=Ce+y-W+(obV6oojJc~l+%q`S=8A!=`uE?+w
zIpf_#4lJM(ZX1Hg2;~b^{1Zz;+a@mt3ST}L6>m;@nhQ-1+b;+?_q?@ovf+oX>ONe(
z)>^MIIHLT+0TO&W3Eu^0!_(zpGFqia7*XE-zj0TD!VjgJO_F{;jK!YuyZ-3kA_D$>
z4Yc?!ftyOIn4$VTl3)EEc&g9uoxk`h%aozV0ctKJQO1AMKJaf)?VDE4J85u6y6+RR
zKa12?NBJ{_Rl7{vou-kPuCDbS&Pueksb)(CdIKJ3quOh?=ZB1#<k^?T=aF=jkETD}
zm@Y2?5D_K6`*kLb6=k?kr^DACHNG84N}$7-Mh%=aXa5;SJXlPWp2i51->T=W4ycV<
z_&_#Jkn|~PhQ3)DgmH})@HV)LA}ZAx0N+m*p`T;o$8&Zt>2BfIt1SZ%A1t4Ro<^Oi
zkqj)8TnKpqP!&+8KPGix`7Ym2Zr?kuJNnPr1GHWKFub$T^3>;ZSSMkcXpEhHwusqF
zIEK9fS9%!4B7>gDGw8T=qP&xh9NLF-M5Py&$PKT>G<b{Q>ykz7VE1CK1hLG*Yp7|{
z_wrLmKK|F~t}N$1BrRTS8Ptoc^em*7F^EBsg)f=182T7i+$|PqSO=(C8jtZ+(cDU9
zpobLyg2z}BRi$?Oj+_+T3*BUBh4*%k7>y@i<sf-ny*Fd_=W7K9V`w@hPiz99v!yBS
zEuPh}{tEJM1_zqUS%v(}X%2&)tegW8jB(QdoQ%5KH1&cm28wa#TAB|hCZkS_a6|bM
z<Bl8Z&$ur-wy(LL5meKFEHC#7N<?*h!*RGioQ#)|qV(9!mqbt==EX8cpKOfW<g$L9
zL6K_!J5Iqr62${(n3<aWjhz6oU!XPo(WS2XwLtGPbqB!z@rjbfPuDBTPD`s5Lo9?`
z{oV4^+rXPRcZg8$4!~xD`?vPf!y3xr<ZH#m&0u#BXH+3XvzSWg^<&~lsjvNECE&D~
z{Qj+cNCLE?l$bu%wynlky&OW%`A7b7MD~obAqccq6$AkyZbJLGPg){FAsIWylj;-K
z9?Kq8WIpEUS(b{!6kg`Il(+KF$UxqIU89Hjl4>y!CNEdi3UOirQIRY1O!Z|Nko3S6
zW4_bLK$Y(AgS;ZjpA}F1@3v0UsxVMANS~Bk@J~%Y!&P<pxxoA=?lAi?%CfJR(eTkV
zJ^rx+3JNEYrT5tHN#>ne9=*YV_Sdd<ksHJ*{b5!klN<yocB8QXJ`s!`prZJTKuR$a
z5uy3(A=7>dYGv9Ji>BNT(8|$dSKmOKlt2e7bD^d2bJd55hUr%z*J1_#0E`PyGz=iL
zG-*yyW3h(yMj8P^j&Oulz7`197gIC!CxD+wk89`4(C3VtJ;vQcpl!pSrvC;4pwR+0
z<X_b0NuPngg5rjGXF5V#@*$eTMSuV|*+Y|nFHr5U)R}0yY*>&?xV(%Qrwl33`z-vJ
z$?Jg52_O}n5vcCejB3;E`eNH##vx~<@Jo%oxeyTgMt7Q4T>di1kK-yJ#s5Kw)SSn}
zE<3A2nWN@Yd4r{8^loomDn0-NM}FL7*F+;A5n(UB?7NubGw%K_Gg3D8_-G8D^}0Aj
z+b=@{#ox{2E#dT(<EXB?P>oI>5Y8Ioz|B@nDI;ReC@-~7J??j9K~aD`$pA7WlrqO8
zPy|`&>{qjlvh9!V@@y^4QG~y7w)T@KW<KVaGJdipnH>S=`e4CXLc3L_CXAtLG~nh3
zb}w@;xu8H`95*O0x}3RCV+Gk?_);P<-w0I9CX;N5cnh@$BBTRENLDzn?Ih{D60{NQ
z|FkJ0AF$meqJX7{RaX0|%|J~7JZ>4TQD_JPI$4N{NSJSwJ+wa?u1pUbZ+sK+_ZhMU
z(2L&gO>ZiT1Ql2>^4-jcuys^TX(utV<%h=;i%92XINiWj6UK_WCg9vL0O7cGKEtDn
zR?1N%i8_zSXa3>g6F~QK@f!=@*X4Wj|2xnD6e{>qmU~SfFsxfm`@3E~0T6j(%w8O9
zEL4ZKa_)L&ks?9WF5cB5Y*e>8=a{)TA6m|O=|8x@9X&bwYz8Jwy~Z0cav?f-_$8KT
z2`6`f^LHBGs$}aUpkIz9eY68?$}J(l9mm<rPt31xb-X<Da)uT{aF~C7yY&3JaIVp!
z^|Qj~2M<f8XkBFc1iHS7pg`7X2;qKsY(sf2kr`q48yWw&iRMr?1$G*)Z9!v@OU{Sq
z^-X*VzHPke;tVAvn<qi(iIh=8kny&F$gT~#49&d<gnj#%o+bsE6bf*ZGy_eEY;v3}
zJz!Hn772v$G3fZS@LehaV@bJ!qyi(5EV1S$OCF^VP$f|%;H>;UhQ4$2MbiTodZxy3
zx5p(9ex;vS6`l>!)f}!FK70J<fxoSdKoBUh#rpBi)o!aT2C4MZJYH@<V7xg;kT3X*
zN!%%PBI&fel^^l3`dCNOxmUTw$&hmX%WvHzOsit!$sR&=#(irvo&ernrF6Jiqc)MR
z-(b|QkfXRtIDhbWd;Ru@)ydia`z$~yD#{K%2VJ5Ta$)QX9+s5xu95Tm0Yg-~^G4T0
zP4YV|Z8fQ7I40w0vWNH1B`2CiXmzoFTpU>hL9*DYSQoCjyEbFA2`IWe*Wk<6pDwa;
zz_8Rud5dMJ<rxwtYPnFG3~t56-MsEowFAt$QzZm>9`(gJ{*yD~hxacblD>&|D~au>
zC^;^|qOW{^g$+=iH?Us*`pMcM6{=6gf%U{Ad0``D`+CxeV8D^mrW|6?&w+)NB4=lh
zmC}#jzonH8T9IZ-mI<+k?$(wRvQNSF=MP#S^t@%skwbQYbFm1tVS&#IFb36d`KXdY
zQ=p<O=h#82qzh1vZ`z>ziZ7}TX>k}UzcogSiVQ)fbew;n>d-YglBkm)An#QHcdn-H
z6A<}kOy*@iBrlDVeMqq=RX!+b@p(3U6JHEcFPjWx?_P$6t_Zuk813T~1qoPS^S{=8
zr+>z%_cVfh<BFbhCF7_>$$P&P6SJ#De!{%d-JIr11=~y+jV{cQvYIAyD8Ayc7_DQD
z`y;uV$Al?=k2CcZNKkXsQ=5MGVTwOk1%r;{P)flj4ANpYL(o8_J(SukO|~9Bl+ygN
z`ATUHPp{*P=~wzHRt?=J0FYZbnQxpU_C6sM6nl+^ng#jumC(4OAMp*XwgrkhzxmKE
zE+#3r=9-}D<P2q>NOpBC3$Jz&4<U}wPv8Fh_MHySk`YiP#z7W-El-<`+mK-a6*Apl
zy69<2xc;=Kd&_o18?YQ7hJy(c#l!zO#;d%R$>)ZkFJWDT@e^Xv=iFVBDQ8KgtUn_K
zfM@B2Bmf0qFK|oOn>l(gCG}~l_C;AyE@TS6yC?9V@_BpF#|TFl!-vW8DbA?aJ(f)w
zNfHZ9WzDJb@c_=Hvlo2S8!YsOpm$Cf01VOFj{T|^hxB+?*qnP{sY4lPQZAhh@`GfR
z4;8cF3|cz+Gckb}a;3fhIvv5{RsYV~kmA9;P7mfCUgD65D(h)LHX7dFIN_-`sR*lX
zj)9HSPP_;>2p){YFkOn;#+VhfwD#`6cNuQ~vj1S}a}g!tm%RU*{RIKqFLSvvn(qbU
zISNWdTkh>;Gil<Q!GpaK;L@iqL4Z5yMIic(p1+mWO;WYHDNfBUPjS!a->Pyz9l99Z
zX!kpu^3*e`CmhImv!Asu`rNDU?6Low*SZ~FBuKL1P>!ezQ<B&O^-mJPw4u8cz1mvO
zS1;$B2#WU$GAD+c9}uQ4PnmBOPA5Y;1$P}dNC++IM?RW~7B&>4fgKi!LEsalp+s~1
z$d&x;5qE!kM2sb8h<niQr0)gj_>e{yf=zU_D(0yks2D`<@esk(v{T_UE2Ug%z7f!#
zIRS6aj%E>Q>-0Pu)CQTNiA02cC@HKK9ft9_Ubo>5;b?H}d^tv(BuRbM{@w9>{+=+=
zkW343pCicJH2i4bH~;Q0x4t+-|MTMrowA6!tL2WGXoF3?L?=_SBXYJY%Fn1clL`5f
zT4xxI2?#bn3PmHh#tqq7VlcS+^2yq&!O{;#<fAG0aN&$9`5Mq(0kU+xx*zmR0a~s&
zZSw6;M87Ds^u^rMy<hl%DKZu&cysXWES3?bR5GKQr|?ZDZS6OiS5@jj%uPm%dv{3J
zh9f9m@VPNzw}<7E0K(0Yj0)Edl=N--oU~=Ql1!|mnNNefSl8Wrz|SxrzOTZ!+rO+D
z0AvDqp4UR_HONwHMA}eyig}`oP5?+aK4l%4jMq9w!puQJ>fdN?bw0Fw%-s(FBLX_5
zAW)RACZ@+gQ%zQH4PzjRZ!Qm0U8{mtLYpK7qK2Z@QcjYDhV7;SBj3E?i~0)!M4Mu8
zTALqWpiJ*&0-&`U$~d_6ZzA34Va?#TbTn(J*>I=zNo@-N(5e@Pi*;wBb|};F9fuSf
z<pP^U9ur$UjYh{uuE6nh|3{IAXN<&kHC^wA8QRigGajOzfH`6Z9VQ;9H3-f}$$_HL
z#WX&`=a_Xxno=S5<L_^JJU5=u|0+5t7F<}9=)xU26IAtj!$(DAsW|w3?e48u$eGXb
z)2NSVq}YZ=oYZEb4Uvu_VH4Fc^-vf?mev%rQx_fQHt&NU5TvOF%#yhf4WOm3lwq4d
z10Yf$l4!s8Of0efmT_?WJa2GTk)gEbTm!Q4{YaR7F6Q#!TD$UWENxo5Jb!&fyM1cb
z(YT|YX%-+$PDgcb<y}PRM_E|ZkQZUO=N1BuU)-iu!V?xbRECgS0|3>CQYdj3R~0Gx
z(E+Nj#Svw##g+&(=9P1Ek!%2A$vC3Q<zNiXfy2>5Hof_Ukc5%KA7T*G_lD5?AYPKS
zs;g(J4w~6;z*$8lu};HJ^3tG>6&1v2@-<l|wQjmDouNL;zD&6X=2~q3$5MsObfrT6
zcY?b!JWAElys5D@vINQ-+>kFVXW&oc*BjrsRDP^S<Ef~vR{zjqy#pe<R}CH$wu3#5
zMroW{FIRt^134)>BFkBj-?qJZv;FuKAfAHyKGjX+m}I&!Q<z5tx!c7Rih7%fNE@Re
z$Z8Ymwki$@-Ojl^v9{8B{WZ+W{d_`?*2=`|qgHYm`5Feo;k&5WXL7-pQ-a1M_0vY6
z=tmuX4uX6m1G5+=d|zABT<W?5eF;$3HxG4r{0Z?g_Yw`ayrm<%j_49!YI12kY&%tx
z@chU)*iVmj9ZEFh;fQJpVx*^`O$V5bWCb3{^(U+(G+n%oP(D%|((iG$y+|v~jJC1|
z{2Acz!VmM4Qe2@Ag@KpZQYQ1IKM{c@^|uS?Me6klswEoFWw_~SE;Km4Wy3WemoQEB
zP+W<DyNn)B_2kLa$T{Rp6l)aq=GQ_wlpWTNGGrXgN}e~)`MUrAXbsQl;P1weQ^3`i
zy;Lmv_&Kdp)!45iu507t&YDEi2f7a@XYma}cVkv=?O<nzKe*%pPc1$*bVA&GU5IC8
z$a2<<pN(0g_W0Y}gjq2aZ305#y*%r7u|StSqcxchlIZZ$8a2P$`(=fzg0b-DPt5U!
zTC~O%K??0><Rcv%Ah7KjHq?fnwyK+RKD*x~lvq<9XD#9_ogw@B#%IolE)7sxJa-oQ
zp;d0C%YyMT0<kc!Y?t3jD)}xVuJ0BQa?3hp!;wQk@EDOTa{rInB6}Deh(YLof@P8$
zrEkL}SZLNxk~Az5_A#EO=0l{f^c3(ipEZCDbqyVI8o;Hw4490b5s3fJ0_Zh>v0M27
zufH!KW_FAJ(6Qx0ncrHEibXeerSd1H%^1=e4l9MqGnT!hkI8TF?s%W195uAv8^H|9
z3(ueIu68RECndvERWx*%__wF(*{=4I*1hTgh(=O^DiTT^+#Jur82z5hc_ftbH_b<@
zc1rt~zb`lEc)bIJ>LGdM*sEeq9~y(gMhHYEpV1CDVi&QHuR%4CQx^mq5t}lBi+~hl
z>IaoGUta!Vq<dsY+`okdw9Mxh0&ZsyQ^!1cG}7Zt;~?_Tmh)WMCh+((qM*rbKPN4*
zF1x&7W%?K(mWeL@7pfR`_@i4sYyI)Owi5zA51To499Yv);t)?j#T(>d`68`BylS9w
zcBPmh8$%F~O<$)tqOy-ZaQ*@C-#&2i_r;48v<*IFFroOEG*gyLr(6TrQXN|KG5O<S
z3?g*25aFl|`M}T+vDs?P)QBF=0ihwsqo!@tigSc|q8DSvyq$sP_T{TllR;G-3^=1(
z`Gm_FKN$eF&13cvN8@pZ6bbMLRcE*_$_9=I{t*rG(E}=86c-u;G?cPe6*!6m25A~w
z>z1UjGls6VJL&+!aj^>K-uWp(YJZ=bG*@VnhxVFvAeXa)zvmS_N-lriU4rZVE{KPP
zG-t&dTUV1?us~IV&DPB}5T`l&kGYQoYyZFnl_D8YD3P=HUP4M@iJ3hr3g_P$rZsDq
z*=YMDkIVCM-p~zC*-qNfr>UH#!VT}=j13YHh-yzz)_UJo2@zhOCP!#boO@yf5L$j>
ze<4m9L7;O=A6-&H@*Xz^utjU0AID063|vgQ4`dt+Jj`6gAO%rOB078aZZONi3qqy-
ztzK=JCNQpFK@j5-{Nu;P5jFKIX#lzr=??>zqK7%6y+AM>{5A9gHN~I8mzzBaMDZ7%
zisb;3*Up#%_0YeSkm=pQ^_+%0(Qvc1v}XA2J0dchX{|)VPvp6poFApZ|M%Rb?=~~<
z@yG9v8K!@IpJul*s|fC1H3`{z^5e=&{UF%cFC%oje*95SPPMo+6aNwfdA%VI*h>F*
zA*N@PW_{W5OE>%Y^GbO%^j{;6W-u__Q>UN$RB)-Uuy|L0@jh806n}-%5EY8gP~PCA
zy~GDrvZLent0{X@;$i*7RMFR_+v2YzaJBl91@iC%m7C?%^1DXGUpLg3kU<J)GT~e>
z>DGTN`_#EjFo3?h*xO*CCEs>c=V6{hC({sKK5sf5DMj?4Q$jy&j=}lgS%8e)AW=Sr
zp#<=%(&`}*)s@7J)4J4ZN@(1`A`)X#ax@v(8P;o`mD0_?$;@)XUQXH-IZ(1zkpNV^
z@Az@x^bXFi91L|ss>6_=X35*4eBovn?;1b<S+t0f?HYw{aw=-iM3N3$%0Si8Tnwq(
zU`WE2$fA>frltG5gk}#dMq5~IWI`IZys0ELv%+KU4qKSw7~JqAHLse#5)Nr0Mdslp
zCTm{(IAA@iSy7a1JAsIxS;mqwtiO#0*5(3n^-BmPUr9h{naGH+9+$gZNbwk$=a`@X
z<J22Ll(P)34<^1G8*h&|bBeY$SWd>_TRkF+DS`}V>HP3&ZA$mnYXAA|5qlnjFW0r?
zFQj7dzZ)5N9JN1#6hgmLz&?2H9q)=M8w@QAdQhRxCn(I8s8-6ulO=NT|EABG#2ERr
zUgB`(navl(S;1U>l7xBzw2<|7i}ZV?95EBd%t`=tgHS98{I&#b7eL;b0nv&swauW#
z4HP7f!4`Vj$=zW=_b@Zo5-;(JK8sD|#0QR++@P^2Z6TVp->$ak98^nPc%?6(i2jmT
zt+iw)x^w#n=!Mqdy&CN~$~klqkinHp6uHmO(#<+2|5}<97*7<;lvEfTq}pJxwEh6*
z3gfshq*OP;idB}Suo_Qt%(5S~MhR12Ye+3A|M@I+xA>GQ3po|=5!7e6gW;y`u-!BU
z6oIZC4s!a_>(Ila6^oS<Lne9%Rvd>L-juMg?C}iGJtYc1ZMwk4$6O89hTNgFRhn<X
zZ3u#s%^h7zlOc@AtU;l1%b9Z02(ODQD(yLU?KyDmJ8<2}#T)v@L%v<T>ZJ6U&w}&?
z?J%WUfVH_+AAUd@WK4uHfiW^0#biC=>0A6%SpD`pBIKmhp!n;=4a~Gd>0$lIX%<8R
z2Igf0V%~Vd!3d+$=gi{Wn7;(H<oTtdO6bj-j33zce7$S_ev#EVI+O9kSbi`q`MR+(
z!b|!c>k(yh4I*wl;EtUzu)vaB3BCVAaE<fWm+W?|VGeP64Q^)iK<m{6G^xlJS<o_<
zG9bJ5HC5)!$IaTZ?SHl4A#~IB68Tdx>H+Kdt947==<mB|H#px!wwG8*lAD;mG^nUZ
zFQ~|x48yxPnoHR4r)YXAaFkZmL5Y;ROG~~NSx%gavCQ-{_Dw_?^-7D<>tCI5o>Z^G
z8i#^1Y2iQLyL(C}o{uRJaLA1+Be}(eyc?!wV0*2P--SBJF<kX~vMxCoDlSQU=D5%3
zItvW!+;&nRoeT<Bh=RO#cc@r18XvVU^Tq61`}1saLL#htj{`o?a46F@BASX<+MkzL
zj^Z}<PJHT*(Qeu<N`8p5P@(RR=pV(6Rg#;!d=UVkm|0tvzk2LT5`=~yY-SZHIhFMN
ziOU`x?{G|MUv?^S28M*2Br`rP;RST+$_iC{6(<iZrq)~*RXl@hp4jjTJ?V>r`{Lf#
z<wze^5jnJ-9j7rTb0iTFVfIpR&1OtoGZCb7va_*r+JpV@geS1n)&kDGjv&A3><<7{
z5ZN5lW(YyRk1ru4fIt@^$IW#HVdQXxX@3*>b5lQ4Q%ixCCH%}YW5>R^yr`zF--KPZ
z;SXyN>MtkiHl!p<L|B9D<P_<Dr6%7oyclpZpWy35aoXI=L4gF<s)~3m?&Yk>yxKhH
zLf;0449Zp|{Nn#T8zj%H#V4qmkce@=CL3J}Z>X_quN_WSTf1wxq4$Sf37ww<pEoRT
zjS~y(LN%c1gB0j<y}MmS#ZZeu%ChG@daQ2b-W0`TGL)9#6@Hlb0h{2wb4Q9w*7qas
z0uUT>uCT{9H&C}Xyi|bq{p4u0ov@-Z85Fc`8fnScmqVBB*Ok9qRPpYbft7X1BAX#*
zn-~&g7R3TrA=9Stzi$=@t(X1i>x<5{_)M+_g!UmkOmx~6ltK!m9#1evdRdlO!oCX`
zmwe@4_QWvZ=U5{zk5-i?iUBtuVm}dpl$n<*CVM8tw$0OsOD@$v%~cXTkj83?@!#AX
zfYFLG{(Tf8&qhFB0*OEwGcZ^M#Z!YpOinF<M+G-d?xPr7Zcz&BjzE}NSL>zBWOiC4
zpk62L-`|_RmRh9UL{1e~qFy)LRixcaPSxyH%J@Q=9g`fa(Y@!&Wi2s=^cJy+)SU80
zM*nqzO)K%L>Q!Q_U1^Kc3gi*{Hc${aagzsSeJ}T4j<J&NO70kkB9P1Xfp>cQM>V&T
zHWqh!VV|=x*jHg29H&oK4j0x?n<lNa7%IYUnt`jMq`!}Ke)BU|qk&zBrEc+3QA<bx
zd&XD=chZiaPx14Ur_$%zqJ+eYcBd`}+v2ZvI-i$f{*?WZf1P`H<w63uD+2@8>%&7V
z;_aQ6(r21(z6f<mL#hZ8OqsZi3B}LVzAL?0xrAo3$pg#8m@NQY-{y9N`jk}VlgO_n
zfP={~;G%%tk1yq<N_nzC*PYHl-xLib)+6Wk>(qbxO!JBVxvixH8calVQ09lQ0^!Y8
zKS0C_u_hnoq%K-=T3$juMLv>jY$|G76Gb4*fb+JMF2t7*1%Ii4Hk;(8v=SFfeH##y
zEa0K)-D{wvl9ResL|0%TM{AG;8UJaf-N5ca#>D58QfM!)g`Bvfr;>}1PoC4oP68mU
zCL@t?p2(GKPlwNflQS#PvCwy1Q870)+LDduHOaaAxcP(^@}Fe&YIfm&G!nn<!nMtj
zdJ{wgq0a03MOH7$$jHkMKKMHsYx08*uJ{KqUQ2v7-4%PzYqNx+fjJ^@xhak*v!6@)
zec|QV7!pO(;1t)8w*Yo>e{{aq-lisHfxfzIF0rS|6w;30cDVG2Mf6`_=VL4ZU#EgQ
zw>dJ7Ma-)(Pf5st@Nk+p7^#aK`&M$;H!mHK-HJ6lRhUMHeIAEL6(8q{FWw4J&1xyQ
z`6tbYppxp{pDAaF^?^k@vA9OxAl+ZaZxicli-K`u8gUdc2h0HW9hpZ!i(uL8?Z4Kr
zSv)>Q#>!#)h#5zVA7<YZ)XdR9nwxsHFa6LKbii0%jCi;CGn{6Y?Df{gSLahwGR;K_
zCvC<}Q3h$@+D^^Sr}{rl^F&~@qNi=K8;^8=o#!?{#f=-B3V`k&<!IAx;Di+k8@2_Q
zHq&H4T*JN0FTG@Y1qwe*$*Imu-bCi*(XKRnn-U0Fz>Ri&On8aE&l8z8X7&%6jUzJ_
z{D4IK*M+~6`{!=YvESQSL+=49dS#4%7={Jf@sQUkpfqy|9~YU>1Ul76j@JA`kK$(w
zkf5X@>ILUE-G$7%GUOvDe94Tx@^9BqQE-L-9TO84eW&8h<S{+L1nhYCx8p*I2+7$@
zYJa-6^Gv2sOI~x!YrcegSa1Ph`|N$aPWP*^yIf_dLO)eMF#a$=mDP?kcuIKwRcl=U
zLc5!?00Zl2c>FrLQWfkEDzuv6t%T1)&K5ohG4JKlfgyndr-zBlqsssjUAP!(>x22I
zu`rXAxaGiYzbO+_N_Dquw;H!yzRf;DVd1Vb=54DC#dkmYj72ubys<Kqz=0<f$tCre
zM~f5oZ8~OYk?^ZzvXdz(dmM^?>rAt(ACMokq&z`_ipgjf>I_HiGN9HUkkLnpHEFM4
zmGe+suOGFj;LvpOUXyZ@p+-$53z~h$fd<mcMNRdueYIvAK!=dJRVUL|EQn72vU;1B
z4&ga&$(EIe{m=E^MCm9p2SD5T^GwN^skw<QJQ@8+JSLI}zgur|FtAg7=Fvo$$4~mG
zBAVJP8)7Pl7W>nfuWk&(;B$8`4!u($Jj|RZpN2dl$oH?PNSPQ<`hWSDC7_!GOVT>}
z*iycuE0sd;{_VBB7CyCY7CSs)8f4x%H?+d6<do-{?AkIjl$s%xckPoiu+A;vJf_hf
zrXAc(bi8Cw)!BiM<sboV%8opg`%$g7{@Sru1F$fR6@#M{laF9vZ;h6Ey(_s5$siDI
zCM(3>AetJ>B~W%-b{->>RXMe=t}CMkH+W*@&H~%RaC-FHfV%vqpAu>LxcB}1K52$1
zM^Ea_Y%o~vE;FXgo*)XL=1lZiQF!yx9icQC3lKh*6O*M(CHwjk&}3@JeN09|i`H&}
zm*bOJ#6ue?$w;Z(u5JNT3XGrbdK=JvNqy+D#wXgb@UQ1rHs^LS=5)7uiy*6zDAJHg
z*_;9&s(LFDKm1Wf&6Pp-?OYsU$gt@StY3>z|6k_dyA}0aK)O!pbH;bOgcV?uFOsGq
zii=&6@Ba@M+3_HEufpZE-;=oc9-~I%<McI=ro~H0k#~d69WPp*LTBSukn~QtbeyMt
z52X@+xo*FFs8S-=!D_1#o^_$kU`3w|4o7Li#C9H!3~l+mEnbhe<;s2WC+#$Tp${f0
z_%q<#tVllw5=TiLo)r=CZu4k3@uZl`yhUfS9Dqo-4+g(3RcEp>|LKFl++o17!*BH4
zyf#())ZO&A-~&$HMq^%Q0{6?P7cQsrVp3BIuV|==IjTa&x?;q<Gv0vuB~Rx14CA<^
z6ws}^HZt&X2q@4fSNeYdeOd~{%h-&oV#5FIu$wRaht#l*>`_6<gstL;8|XLWjb91G
zpQJqVRyArg>F_A1mQLu7K0-+O1y_>qxuRgUF<EW;k@VU0`z4~Az!m_7(NrX4d8Wi9
z#)C<3c}a$n@>3@wV$S;!)J*wJ4s_uGP?U&j7WTz2?w&({oc`34|1(KE1#}adAx!Hh
znCQ8}8(STi1a}M);C{7(|GjG`S3t5we}rdVQ6Y9cBiWF5+Lr?H7sMs-Wq3RGsPNkn
zH~-_l@u-H%Jd=wwl4YN7<%$=Un&F@x4_(=eGlAO_PE2y?Rwv!y-sZXmZh853mj)87
zr_TMZnmDT5IJ6ll2yG@{HfYTL0IAS{Jhg9lGy4mt75pKMFd?s}6GApJp`W@JSb3_~
z!px1XxR^&zOsz0=js7#^`#VXEz2>S<EFd8sxoE||z#GjqOOt^D>$va$+B?^Dvj_#i
z0nsy=-OvITV>Wgo-mqJiC9h32SING67MSVn43m%f7M@d9*iOc4>_&*8D6reRr^EJV
zn)ux6<-w5hv*N1fcbu04bh`<u7#&UfU|Mq}WVbS&2ysG+$;8Xa$;0R*tTN&u4q()x
zX$k(dZvM4tuQROc_Qv+N$c%xA-AHdBUUETIm3}|NT`<V?D>LZ2KiRZvL?`u)dHzRJ
zWcrmTjIPi(wZX6|jamLj!{9^3GurbmB0CnO;6^XjaR2U@Zf@s%;~WeyUS>C1fMQeH
zWr?k8(<_OTLqRSJoF3m{!luO~rz9goF_pw1z&19#i+)>c$Io&Xd@8i+TmI=lD9$hx
zIVF}v;v_L)6I@{FZsOBr*GHD9FZD<?SuQTK9M^3t5PLkd!;iO~zQ>6yTmf-E+Ckx5
zLiYUK{~M1Ni0G>Ia^%?*K<kdiOH>h!$qbnYc&#}voeNF^98JuDA4=le&wrs*Pq|ZA
zR&$cSS#pm-c1k^#V8y`z$@wx0lB-ce2ad@OB;aezW^0Wb36Ph;aXvz4y~8fpycyTi
z+7&xk&vo7@bPrZ*Z4oTx^udGNej~E@_yx7~njco!l&eYV4ZquK;zqBNyQ>GDvdnN)
z#clrkx#FMZZ0OV*w~5N(nLntnO{ZUwb56&K$SP~HUICiLH+xUihoFcH&L8A^Ai>bj
zWk7CM_<<$!i3*M<(J^Z{Y(wMtCQL(VuOY`jA;W*ei1?daBw!JH;MIS@DK@eaYYLi+
z$AlDZC$3&VJuUc)n8tw`f~E&xq&RRmd3)fY{~VG(M|q9%G23oJ#ZiOeO`lhflA6U}
zcT2`{9#&*N%VvVd_gCY<r&pgeMh8Wj<7mf@7Q*P?jan@$eaoa`$wKV~cehkP02F2&
zHTy1v?npy)(MCz!@OKY$<%%1YS@rO>si>%^P%;2_3TJm)CD)mssi-%8xpUgF138OE
zlY-m<po3CaPaq`bcr<Fv76Hm5n40(n#ohib`vZ{MIyMjV4GHz@_KxEitPL79j(@Sh
zeAF?Uj@n&5Fkl8`Y`o;>_RkdC%Ewp&X;1P!Z{4~Bz>azxdVm!do_7J(^V`J1)DxdM
z9v^CbR+#>DM8&f2JxPISio#4%bI}3k)&UI#xIWCsirxOe2+|qWO8Dd3>>>Joa3yQO
zQ|AkJ&j*n&<)Laz_&{vdkQ{>ss3(5=u7y?!eVytl@yZ-v<w#!w{hbLv!*ejw-d)Gf
z>IJ&UU(d~soB4YN&?i=u(CYmBYxhPNsee$@X;Wnm;WN^%8y6N++mPu4nx~8jxE;PK
zo64oL*iTzgv9Cl;N`gb^jIOb+|GcB|_PYSkHSdI5$FY=#%5dfPwmr9d$HPKG0X+i2
zN!E!lO`!S=H^wl%n~~CRNML>Bn8>0nWt<sS3?zU~RrZRcRMe=(n8eix^>|iHz40Y(
z+2eBWQm?%33<5sqEGLk7)s_y3q)8&Q-$s8Z9WxeDhs$;GMU2lXztS#wm0q;wxV!6q
zR4fQ==J-n}%^LHa3?G?ryE3>3l7pS(#BDc6CJaqZ3Jj=&j}rO<U>xSIkX5cF%()5H
zAdgM*myc0e+km}|{R)c5z(gZ`ndO)T2P^y#Qfoc-1-~1kKXbjL{!cSJgIS&iI~xA*
z?;|uLK^+BSK|T*@BvW>zAvbXbqo?gCYmi=%X3VaC-sTW8g<Z9sct&+Yk@sa0_fM3v
zo?BsTd%D!R)MUyN0wVtnQst1rN~&*eR~<hfr4{2d-UfES=8f?6$AT7N(j^3roAr%S
z3H0Y)ID2Z6MP|ex#FCYRt?~5>;J`DB3z>h{=lMVI^ATqz_&Y3vdcH^$k>B&t-_zkU
zW<W{LSb6vp|I4F7P~5fM-HsKC$iHv-f2oj&fDcvu;4u7?TRXD2#&S9%u%6EXu5L&X
z{T-qKwei_CFxT`&Buh;GcKp?(CuoQmGksn;D%J_j`n)4sz>5ATX1D(%2L~jW?kn@1
ze!=lqR^q?|fB3=z3)y-7Xaen6B)}t<zi<4aeJ9>jr)Nqa2JRwc0?{MwG-CxIh-8)E
zj#jD1c3Yev!9Cw+n_)O@c3#q1vL^~3lb)pdB9sShcXwYF^uTOTx`-t05mD}DaQt*k
zGdsQzFP#b2W5}N|%dwXhH&?!@0mb{RW1~aa2z#!U0>Y3ITZ@qK-resDPqRtrPGoyN
zWklMsS`<s$haq2@T($N8YLTbjOn-t&60qa9*7(5=P(4K~VR$UdlEcpedZZbLH{RRU
z?o@I)hTzKgBUyKCStweOML5AwvWhR)UXq0RU=-h$q~9VIz=up9`?DK&N95TEYJ>G*
z4{Zqbc>(*Xv!p$uLt#966O&01mF$z~vCsaCCdqDD&P$(#X<Qc=ziD&~R%p3zruB%c
zeclA%`lDOrf7PtpZr>cRkB;ubnr}RYKY3I>@VeW(@^#q4Y&@5<Oq+n${GmktD%um1
zp8`&6g%>ctw4+}CrahHiel(G=eTb>?W^I7LiR|v-BQ9&Bs`-Ad1I0Tvk?5<q4kle)
z-CG6l@{_ThjjEewpdmMNv?%>BxEzCRNEIZ*k5fL&n!?CjkY74&CMUj;Wxsmo9ipuE
z(Nw1BMkTPg5u&?*X6nAw@sUy;Ab~ve&bkZ`fqLBQuQF+elf{sCLIyyv@e}9ap-kHW
z1>641z~cz?(B(Wd9e^<IR>Cmofr(|C)C1ol!Ok+){l{l97SDO2sH5y&-cC|40S)o4
zX{_Ix&YVo|#Y|sk#xSe8)t7pDNUXO2_4;tI1?+Nmv{>rp-tc9eB?kjs!&K<Nc$?D^
zDf2Y_esT--wVCSr%uFUFh$h#c$p8iiPPe)L5iH4cn5_Z|QNM`H`Q{kRD8*a99;gwJ
znqW)%eIbVINWqiJKG!?>AA#`T(tUp_uW<Ji^}gR@>Z*-O_AEQ~ELVIc{a2yFy3a#r
zfh>7H9{W)O)^Y0X3)QEcK*YEtx}ypq-8D8FjJ6#J{#SannH*H(aLF^0yM$IFpb?7K
zepQ-}T_8cNWr*6Y_b{)maU%}XyBHZQ?sUYzKN6<73<2iua4LA%rqG?jNPycKHG1@y
zEuGgA%oV>gy0fH8aF*4%WCgtV96jlvWg}=bGe|-Tel9W4e@R8&wZnK0Ho6?n=<gW|
zr+aY}7jqri-pV^p*Txe_>uOFaB7ToWxtp@=@n<IDU-QMUEmE(U8!MVP9}2q81X60v
zP-x|AZ)?njSN6U0fkUb0wj@hZ{AQ4-4XJ%6WeiF;zp5j9CWgawcC9@RfxE*3Kdfk?
zC>YNdL_E~Ky0Sw19Yw@EU#E`4%8bPO1D+E91Fq-Sc|Lh~<=Qea=#2SZY?+?)B64U8
z1^UMo)A=0qe9Ow>a%G6nmr60ozStsOTQ^YN-UzHFk$yVmfJQ^$!~kzkFyKy}R^@;c
zK5oNB+@!<c9A}oR3k8q&l3F_iqZ<Q0DAW@QSxlKiXZiMu&X{p0di1Y(!mysFHCbNP
zc0xG8p?06t)mdZPzW^3;wu1}W`P!(eC4$E4t>OS0U*r0Lj9mz-WaTAYNxbTkdZff+
z?LFGMym}M{`u!c9zg)BuT-<3GvLl!EJUa+G+<Rl_5w!WcYlaqC!al9pUp+*vnb}%E
zgLSm*e<P-Xp@s}mLa+a1HLJ=2rbpBjY$L8tuC{q2z7Ot*pQ|wkFSB$x*5+!D1sCu=
zDI?vdKftMFF-fd6c;wfv<JLCxBw$Z8Zn-td3k*4mVUgcp^iH@_9&WvulnK<Cd|1&f
zaP7P`mOBm6L9i{Sp-k_wZYb^4W6tfP6G-6mNq^h{+qS0Lr*oSz>@i6HqS9~#<_>z8
zT&>v;d8-j=s;9z|69Vb!5Rc5=c!gHu4tFOXvO5=pP@Z7-z?+JeCNs+u&&&PTR1#Xi
z{AoObA)=j?6a&XcNsV{GlF%`sPVw~<(J@raU~p)}#dwjvp65{xOo3C-*CYq0P>LA%
z62*;+K@63q(IB{Q)!o0C!r>_W)OEy2$n^zEIyZ4{L~hBE8$h7YPF4|KLVnLHD<uc}
zukW2f<ON$}YD7*EM0veE9hF{BDzH419j7HvXdFO%&~CBY$9czX54@)#-?8{)7{00w
z@)tSVPYBhk0nO}0f|`oyMI927hUO}$G{w;a4^>e7>n`PLGdjjA_dg4;E_lNPDy@e9
zw)7w~iXvl93ezw(o522>7OUCr@z@1Z@@9INKzC*I@VegS1r*Pe14#@(>l1zl%rugS
z#7z>n3w*-tRVbMy1p137=FWVqAex|M`z?G~?K67rlAzI@^Na;Bkiz8-_8=c_WO+Uh
zxxvHF+0q}dTMSw}4orz(IJ2118QJ#0d23rRfz3%{g^ZQWCa`+t4--dgEod?l)x6|p
zJO{QSvLp6GeI)7+GZA4|D|AAOe{<a$4TX*a_?9OMrW}2SzyDH5n%em^P&XsN9Ms<H
zMG`BJLV|?UMcWVTpO+0#AO$pJjOx$h9o4~LNbD$#`-vO-`GLFeQK$8QQlim^L7J#i
z!GQ$FTp`59ekyB_>yuov&P*o<n?U2%@e*TAe`Vq$o&x0Yp^}fdHrU)<$U6L&4PolP
zjw!acz*AY>e;3!Hl407}96^DJD4~OOZe4DRb3}`o%mfM8@Pw)>p8O5Q;N(|^;&s<o
z<s*SZJGbMBHCKd~cKE_@b$Tzp&-Q+W784^rlY+YCdL?S*9jXHTeuX`yE2sYw-~_k{
zxs|tXlR3V7Y`<PJk#NSeietnIcL)6ZA1nJ4L&O~H0?`BMvkVm!Fn71>1pF|N9;=S{
z?hJf1fnoqbPFgMHxWOE@f-3O{yl>k#+|1(LyS#H6Zag`ucon4al7)O<doI;;{t(gw
zgtxWXB3PXz1*NlomT`)&s%#w>53hms3GQ~#E9>>27%RDhyKQ(P>z6#?ryTL6Kme4z
zpLGC=Ea08+^y>tSbYD51kF^^YvX8%`{Rp)RN64dxvkF8VsH<iwsDpO1Gb{SzP&U%t
z$mX1>n8yNt$@)9lBPA7#<WdUwK0q5nUlq`>PdtQ{!Nr7^&ue*m(y1a|$@Q%XsjVf(
z8nfZ+=BB?UtL($o5?jXM<)V7AsX#a%rlx3qb(Kkp!H}2xm0GH^!0JpX(vpoFOq&b-
zul~Z%u=x`?O3GBk?4Qy;y|wli%8&{Uxl2tkH)i^Dpr4~IXw(WX?lTqDMY|UO(;oV+
ze0{!d`}*j&?UD3M6@j|X=KDAz=n#u%JZh{j23O0^6fHT(-dCp}DZ#soKd83Wgwat6
zWUe?1s)O>%NN!U&kh!}TzaC=~1J8;|zuD^Jnnn`@-`49aD+|36NJ-AH63A^b6M|i|
zPv2tkrKekDXHg>d|9t#(!s!Ud6NmNMN(!ecsET>Bokl|;xD>GYV=aken0iDyp%E`?
zRjj~5oxE%94~4AH|IPxqeK<91b2JrwpF!BZtAUCJP^MLjQfR^X+1KQZX^6Kc`Ds04
z`t}y@kAm9Ap%Nast%2|Arhv^MCAgfEtQ@=UWSH2*8)Gu~c5z%E3?gIRP22PV2=m(U
z088&ot}gVM7>6oiuA4>Ln64JOQB=sEKpz9D)3$}qs$7J0{dXg8kH`*$6lhsvZupd3
z)H#RXtNYX=7%3jJUEH{Zhd(HjP37exc)6_X&!6E-;-u7CB_&|rZ+S?mMUquWz}{Mx
z?@+No|8C?L8eBmu9~(l8{AY9~ik+aC2J*e7;71IVeyL*=!E;io^YKV3Ql=IXpsI4a
zo^kS5^4m^4m-DSLKoH>H^l2*sXyYu4>w{o5Ld9J+RYoz`yM%;%3?)v*xEyV!l$siX
zhHIY2L5dp>SXy-Z%_;o|B=6E6H%6mHXq--Tv2w0hel|)!U*)7IdjN;j(>s|?=*l|e
z)_Qfq53~5orv8&1Uwlfu*7Q81LqpVr5Sj)2dR%K2$iwISt1v&Ng+ZS%jfwLR=qcmM
z0K!>d#c7w*9$bt?;Hs}Rwu8nUcG%+FQfroh0DC?tX@yDB1@}3h^LP#3PM7BZ%R<TR
z-$+tp@!P<h&U3lI_w`*RGtbQB8cJtV3BhL^FNqU+*@CZpJR{?t7H5V7&!g-PoB#~9
z6*CE7*xWZ~lpU&lI5-$ydkp&?<Bu}Hwou7Yo?@xlg=319$Ha=dla@(Ak_(?fk&}qa
zNUTv&T8M*^_OmQUr-e4ID5fUwvpI$xv@93mZ#I!paSI&%Llda0#irsKvY%n5-=BgG
zh$Xvk_rJw)WCdf|iZC$r7h@A)Yp|2fXaSoF*p}mkyYYs4X=ZFnyR23*1C|_4Xn8y~
z-YSD}>fT^H8^JhboQS02#jTpS<ojV%stjR7&1Q^S*B=p91@#%E8fX`fo}ec)jxA5^
z9xp9;9!^#naW~1pq=U-|x*zXJ*~JGYu^^j+W`tU?0HS+1f+?u4#c9YKfcDGn+g*=(
zhX4<ZJ~7Fi4D#J=*Q@*fKai*<Y<FgpKO<|&Enl`AX|oi=cGC>+pWBsuHq>4(w-1_S
zp{AYgUk;v_k5Z(CzR8Iyt(FF)uW}<k$?5cmzL<dnl!i-~Mp_+sqSjm=G-@ZX0jYED
z(i7}`#+&drJC!*77bEN{iq1fDP8zCIq_nY)zTl)2zOT!$@geucs+_CYhFa~PG9ba_
zd$?mRo^r+5aWmjff4jL9oOcmPB9VfHl4RI$;v>ewlqsehaFxM)>Nr_cUbzm&DR8aG
zq}CCqCGHu$D=Z$fsxOwDl_$JeE-wq**t`jg5f<e|ni^s`l#@}>G_FeiHf<xUYWD^!
z`VUzgK#`g%P6cxPgoQuyR?@kw#^SwndBxDhpU+JMt--tGQ0rho#&sBOPyj@Yp;|!M
zS#~KvU2&lAvR__ndwA0|cOXQfZmY7=5=fKDFud;8f-H&!flKTdzNbZBgq2y7AGGgB
z*J?}QJuXY=a$0o1&Jf6etU*K<->82N_FsQOlZtfrQhH??sw`uULy22o3;ebevb01r
zhUR=QRTpAqBMNpmW!tl-4u5V2H=7|YXh;}RX*Vq3Gwu!m|Fgklue7IVvI?0fG`O5C
zw1$ohPO}_Q42zoA#U-+9^wH=~<voT{zb<c*Y-GY|zb2Hra$-diawc05Hmt^&o_r@A
z_4Whj#r%Q`l7}>)35UVEUyS93J}S~ev-()mnX;kux`{LFRzM!8Lky|4<c9D1`?Xq8
zgKfn$!k~>@1!ENQPzla2CvH#^&)n71ajkA<QUmU!F^eh(APImFmBo^R8Jjj5N|;hO
z;$L{!R6-|K7r}>$f3EZPEW3PP<`*)tEU%1{N2@O`pNOs8=$h%MphQBh*(3T_XbvN{
zlj1b|iklg#tbbm1ysRTM^TU$ca}NG2O9O?V=i2I5)D(POWOC8g{vt6BPYeF>ZC-x@
ziQ#2#1C;2z0>RZzhUokF=Bt&>_EIcax>N!4RxiQ4n1Q<sYM!?nyjj)YwQ2i=iE9re
zfXtNGO<&_xI-X6$r?Nf#N3j|=1=_(O`}sTG{xWID-om$;s0eGvZ#i%=!=(dFDvrfU
znwxr|xtLE$^@$K#?=0}K<T?xOw*B&Us6YHuS)92fEA<F37s4NK10r8<CDN+9qRWka
z(xIn6Dam(xqk}(yDCTamE=UH=RgwF}&vn@!^(<E<4nYSF$jTpUlhfV&NB8qm<$yG_
z8!~-Il8KrDSu7!>e=;LUo5Ku0OfObz@U|iiQH;~wVuS9U+fT$nAe1o}*kN<?b;2A!
zy6}K>+3Q(yRO53+!RU_5WF~b<zo|@0(dWb3s<J<_5%S8nE1HYS<WPs6ese_Z$c$hB
z7P@D#sqlf|Y}EuT%b#7X%Hd1=AJLg&sa0GPNgSToR21rqspTJCR?sAam)23#Bzuz5
zg8%uz>dv{`R4P63NW2PW+!`wuK1@eV6X`UE0lE}u=G*&Rk2DbrYP+m%e{5k0_RK!V
zd#dJjlcMq8fk~23gc=6N1n1a~!;4HcNLgNU0Ec;mZCe2s3j`wJZzILOW_A`K#YgVG
ze|xjvF9uVU-_Jk-Js*B2;HW5ts<g`;6sawPhmLkkLN^ZY^~^_U5mQm?YA!wfN(dgY
z^nS$0ILlFq>rDaoZh7IHawB)l72I5jpAH$ujuBRjzx>q}8%-G;QF)y<C6KWcJQk0A
zZo?l)Q%kmEflEjk_Z2+C2>|!J2`e#H;++MTQ&br_i3FfEyUg(eb+L7|mSWu{$9Q^-
zSz4&WpKL!xjn9%Tp75Kry8F340F=i2+Sd4yKZ;av{Tt)H98PSM4qWA`OZo50qS6*S
z+mG7FgbY4iFhX$EQoMA6s>;a^>#1;n^o)?{cTHzfr}~3aS1O`sQdJySFDipBytF;4
zlDh_!XrTwRslIP&up00}@|@Eoz1C2=G+!es%ZSrb)%fjVP5ZYh8bft%+R3O405Ib9
z!BjJJ?q6T#<Oj*6wIz|L!Y+f$1{O7h(qB8iuHOFUy`eYej=_m+(2X!nPY46xo!;>;
zmM*xDpxJm-V|N|o`*qod1r;M#Bf8t1uGng1orw$?SY|R&;fy%CQZD39n4|?5r{Kfd
zWLO!qFm$I752I^+>B@?sCek#=Ihuq@AT7sS<L7E|6Sg7qz6}OsYal<s1q|BsGr3AY
zFP`y5^&gPZ62}{|srYmgoC9|1I_mzVJQTZ&GkzD2sv)}*FgwHw<n2Pc*xi{{`qJ`P
z`yQQ|z=?B*owC6n5>oKFdX0JH`jXyBZ^KS_Oh9ag(Q_-Hq5oDlz_HN}jzXxziX71p
zoU)l+Q%ULRE{G7w&!Kw8i(D4hU&KJ%jW=Er1C)9zCuWdl2JC(8?~Kdneco*B&r3K(
zB#%)692(^KOUvDmn0CbXi=nn4QL|H3&Du=rYgiKnrSEl_)N!Yo)cq-j9{y<g7DM1e
zI}k?AzEP9EDjMdT31(Yh!-B+@#bi`E@~V=V@v4&36a33ySGa^$s{b&fFsg<{N~@>|
z<OWRd22bzcqW-gHcf|Dp(o)n=8iGB$fvcmtWzaJAJRTi&+w!^J+9~OT=Uq}0w>YD#
zsQTxcwmDtcVyEx2M>Aq5VlvAsfA`l%4F?=>bu?5#MwXkru3`A88IuzY#g+CwI|$D>
z&<7&HtT2f!0gjB0&l_f+=UI@)K!D;;z{aY>VObsxDV;a?J33S_T~#m0E>5SHL!6-=
zGP=BA;$Tc`>Iy&2<8-t7SDd=!pC4t^7y8)IM4=A-6*Wg&9@YYinltZL9=0n`=9#hB
zUCYy^QncD?(s&^XYzE$~=d|>q=%QBTV5zzujtVr!qW$8laec@1FQ@k=N`K@DZVlFR
z=UZk{^vF|V3jVZsxkAnr1Y+}VYB{o_W7{9!%;Kn@4FgKp_i#L@$CHUFzwfkL_WdK8
zoRs_JwGZ^cPie`(;rV9S0sk7JbL+z%Xi}G?n9o!aQOpp!$C>514GE|<3QCwU2r~-W
zKXYR|N=xhBnZ3v9Yb&sBXUVY5^RhB2fel5Uf7dH0rC{V+exeQ}l){$Z_gN_|`;*gH
zTE=Ypq_nW-z>V7A`5{nYVXwZb?D1ULMd9(E^Lel5#P#5;aVYycKKjdHMC**7mOP<4
zx?e>084mTuW4fpSM`C>+&~J<hV+piXnV-!`1sD$2#D~WhFfcdiAN{RWQ2Y<ED)`^Y
zRh2MrIJb}LvwciwIXMY<0m(zwn4QT<&A04?Nw<D?(941C!w#JO%uX|w%}0iPZ+F`x
zcYA!E^mP6h!}=s~l!23C%@aNsBs}D77Lmme>?(YiXYU6nu%6>%o-Ic%_(kQ6HC9{L
zp}5NT*$jtAOSe(GVIFtnxV1Gzou$jPA31<n9T~wG4D>KtTXg#el~ku?#~?5hwv@p|
z7H=;Rozrud;8A@Gu_0wFZo<#=@q!4Oa>dL}!E_C#zHYy)SfvzJWqaP=)qyr+q59m7
zC(u@gR`?<0^76Luke6sQD~4QDRSx5(=iGHC%}qL#tm57#U@6vEo9Z_0#?`XC0E8x+
z+pGc<%lMveP=|`*G8syvR!fQeS9MwBYPI>;$RE1gwA5Y6THg;;f}xv3Xw<oh03GxR
z;)$0AgAufy-a#+Rjoag!<)ku|w`C(AZ~l9V%=ZGUqD(T9xr3h4TLUft=79AZ?^dsu
z9?>{HdOD?uaK`pJV;O*byBdGP$wWGu|Kfm=z8DmdJzgDlh(YnncGMohq6cQ9`D3Fy
zqf{Yo<>D4PP-XV%x#4plGk(#OySXXA0wVUafeugAFf^wJGO^zFZhyL<0c{p9I%T!9
z(P>xxMY|M(S)LX*IPdVboL21TLzk3i*XQ7bh4cmWC;;Wnn>l&GdV-wrz`@RKxwU_G
zLe!A{Oz*`sXG5mYYdly=&iIlUo7)gQj1>zB_B>449@XWlX$Tka@G;cL^5wI&fH&GI
zvK}qxYEI%eU~dQMJ|F8S<sbKS``r-0cRKIiqh1**tV&3K(g~_Y&K-`0sLs)lhv~Gx
zz<*s@pZ|8;^Y(DDn!RMorUK#Kb$7RwI$FqR@bjznn%jp>g3jcO6cr>ss)w+$vN;!J
zsHk?utBthDND7|%wkfQ0<c+q12o;xFzg<-}6_8+PQ7P<-<M*0!dH^C_kDDD$>5j*w
z^SR>e6M|FVK4#*n=m4pV-G?c2C{|vz8|I%^na?j<;Ks2iDL!+E;Bg=0CJCY%injjB
zh{yA39hP49RC+3hblhLx?za5O5u*hH-xxeT(HJBluk)_@`#p^XzM!<61hFr7H5w3Q
z?QFRNC4`KlMoBgitEujGyH<?se^ACS+-B2jDw$mU?85@k+`D1deG0r3mGndK`&@>0
zY_TLEA=o}@i_<<1r#rG;<@rbj`nZ^~GGaOGR<VPy!-*jxjax1)cb3FBkTu>XE@7s(
z1=P+$ip-(SCX)xEhcsz(S>M~lV8Jb9aA&39*00rw8DPC?femPlNxxIzJ;4R|!z2y=
z+}e*IwZFJ=soY3;a>}a0P)nuR(>u?6AKD@!Ivp$f`jHHpDq^7~L%j6J$coABnel|j
z0n_U4=5-AK_UW>+9nP)Ivy2b1kgqTOb}am#_EBd~zYCz>T9!{}@L<Z67Z*~J*O4WQ
ziY9pk!#`-J0-#7$c89BOy;10}i|ZW+gTtQHl!BoUQxrZv#G>zF0uP~!y{777LIt${
zisuJubK7%V=fA?{gh#b$ssBR#bA)Pu?4fY!VdC@y>_n^6nbAqhgYK=Taq+uQgFaW_
z%1P*T*uvy$&p;`tvIyM>v8hnpZ7_afGZ1*aorKelLJ+Me0sH*hX*<C~Mk10~)z^)A
z_@iQYm@R%3a~_`F2|tnyO>QyRGLtE2RRXB5_w!^#Vm*~YZ=^-x)*a{NP^j=B2qbFO
zu7v&}`N4kpX0`=GW~Z|{79%I-({Pwsnymly?f}su{#Ra|`^HJ~mwPlw`}4{V+J}-`
za?rY2<WK|AG<(?1O@LzW0Ju&}HNsWDvKf2VnuDXG729scwzbyC`MP${_)$#g^J>af
z6lT(vE7!%-^eqYbZI`R8WZ!*#C^2S>lPaIA-q8?@7Ek?#+BrBymS2|>^_nb<@7?H`
zbf+d6Jp}$$>QqdBx&83O2mEfF{xB_`j1g|CK7+zyNkwHcXk7kgz^NJr66Jk?|DXoX
z%zdlJB2nr#xmNFANoUIgulPg#axV5htqsS&d-o0FvO#0P<Q(_V^9`L*H5b*NfSS{u
zJ!HSKd|c6-zCvOdBQs0!&b|jSOjI%WpT|?(49`u4YLSb|;1e8|Cp%d0hQ8DYIU*Nn
zT;E{BDYles(BFH_xs>wNBO;^%;PH<LnV%~@@jvd1%w|$2?Inrpf6YL_L&+UpICCD=
zkXdqAy-`3l#;msEReryXsx`iX1-jJTPKuIVG)eS*M9PGpgD`g~IyX63E!s@+!X+ko
zK&iQ*fcbE6H4AxHk~W2-<UJyyYs(S>ZFn&fh$WIlqWi-9);OOCA*hOWQ%CyqW0aNx
z+RfJFUxJp!q$lY%C3FlKaSwlj{13q|_eX)IBIp1MTsz%yGkf}><hGgc_JO15>Mg}q
zxwrLLpEI{NG5hDyoA>_BW!2>Xn17{yj|+LvCl+OzHY=RD8;_xSBThowzn~5>dN@N*
ziLHn_JPeC<*OE4bV~IdSQdwOlWl5!`_)o^34XnG4yTyWTb~~0CrVKmKX{5>PyTY4h
z@~}EEhH$eNgUPxbX1M_|<yFb0U*nabd~B^Unu%E%nn|x?SJOOJa~68hzu*t&^Xd!#
z$;H@i`ip1`TW5HVOD0|RboY$td9vh*_Ah7*@pIWFwimT5mo{Zb6w=aRyUp#2HA-uj
z@@2_B;N)fRhU4}}>E<$6$rJd|^??*7xMugz1iuxPjtdXlc#Wr?u)KITWC2EMN(`N3
zzX@@0B)~-dVVw%U9fO9m<cQml3eGnU;jO`#mrQi<T#euhXI2iX`_|A0#A<-jb13b1
z9Nl{JQplmSzg)Lop3GgMnqW>>|H|XQV>8(p3VeR$GGc0=4)3<*2~|?_yxPE?@hW}4
zVm3X3Dk6tw@a|%8TeSafOw>%6xfJ|s3~XcbR|JdNiWPQw8H7Ku_;L(6{>fj=bhVOI
ziU!tzO%{gTpf4{9=J(4P=b&mBO%9Lb*q=wvm;l-RqW=5G1c~wYyUtrg`DJiOusB-F
z!5&9}jdgq2uxX|h&st&8_qa!w6AtXRG}TiUtn=@2DAL9@V;xc@WRiSAUFo2NlkzG<
z#{7r7V>p9q8h=Q&o0ZJp@RK&YkgGyYXp!alYsEA8H4liMj|yt0sxCfpLQV>%Z+t-I
zQzMA~#TTy^B~?QX7tU!Wey>6G$Gzb0eyf*>fwo}p;dXIbh10zWVU?Q!J7?bIb84df
z=E(=J9y_&DhA*=pChUgC(^oiQKZ>au9dAe7-!7*F0`eA6YX0R8V5_~4-;TI_uUEPP
ztJiZ9)kTvwV+KEp>#to<TU!dmty5O*Pnr@D0RgmIlL;-ecy}r9jE>*Rd)H^>H+KVK
z#X#EAwBh-vmB#e9=HjtRN=F`#XGc*yR+(Wt{`Dll)9H34NBM=;xot2$g{kWQJ)7q=
zA6d*8(G<>LP}@0i<-VA1mI*Ady#Gtt?vy9UxS8TO9L-cpq#dBLnIkg1QZ?~J-5`C}
zf`30435r)i>V7a+OJyj&n0q)|L3-CuIamDtjgM+hxq^D$wv@gOPsS3Fk!q^vVN0i9
zsIFgUWnysnYY_F$xMHf#8X8Bq0jE-)iJe&0eS~DREN|HfBS_NC=c=Hg38}P{C?emV
zs3m4?X1HcQ9_zBpZ+&S%{J840sOVN-H)%r0D);<V=z7CUKL_LAE`@Ub+vC|`wYC7=
z#-ALDT3C1DlU9_HnpchIW@|xxU?mATmHT~h?Uo1fbTyZ{d;wBTa&UoVx~>4KlUC@r
z7i*~F+dMi>JQ>hTuOj+ehc|?KY`<UCuRJszvyY?bjdFNOL3mj(Mw>^+>VAxG2eA~Q
z_WE$(fF+xV;&CG1PmcL;RZm)$8@FV4Rwd&NEgGr<!8^MnG6u#g<j?{X@);N1tS~d|
z{lv}&9c&Az;;1{wbB@{R`%MDpv;|=xu8~#k_2FK$HJ|41`yMC!*S*_OF#orEV-8lG
zbDs~;Sm#b!VFmyPzTe4cq3C>N9W~zAhS+pJ@IZd^Jis{QzVLg!C1{&RUy~IV)I$WL
zwZ;no8Clje?n1b_>W(S9V7^b;FSQp7Ed{*G-Ljgdai_Z?fu@+U(bDWVrv}-q(GC#*
zoE>PKb%w|FF!+5<KFYv0C6eIgw+4yN6x7k>&|Np7X1ZkwU4I*{E1>#>z1$6*Rp7du
z6SJD+!IIx<EM=bS@qwQQXs_}yWX4p*yWj`J$~cr+UwrBbGkM!R6{hcJ$b^DXL74w~
z^Z@7nyG_5tcb*s&$&v2%d34|%6kg+PJ8)fGJtC8de&4Em`0;kxUtvG|lRLXTw@1$n
z!}ru&(Rec!#r<N9?uR`O!F_e(Dei1zgoe`IZ?5ErwbE+3;m9%<P9M5hl&9yl!~zm3
z>i0Q<)|I}$2U3(hd%rLH{y?G{v$0q$Du>jIEXD{^+aD)$XSdA7$hqcDObjI&3aX7U
z*x3Zl_wL?R+zPVlu6ln+@iEm3RWn%moxtfz6)M+lQf)&)4d1Hh+gN~voZD{)Fyd#L
zLs<}j-9j7BD{wB5H7zz!$azs)Np`ZIfw$03aDk=4{Z`FG5p=-y{J6U=5hXdrawxTW
z7|`Oe1M8f9+P4^VAUXC2d<&pN2!ImLLXoAa$A1EuenUN~5WC?1_V9aRJ-0J&%QtBJ
z;q8zVuSmj0uv@Pg#v*i<tgx-EBP;cX$=ZT?+>B<Od@g;B?@%?u(E1Ei=xm83s`Z^h
z*E<%tA3;pU8@9)h6sil~fBAlBt6JsdU%s;tv4P)m(GjOLC^C_}4+l%dsHI_*gJ&*!
zEiz#xz$89yK>V-D4e!T_dh`S}H{%bw7=dTRR6*7jLB;Me78fI;Oj>*;Bi=c!=Ds$?
zd_Sbk82Pn3uzQ{L9{wjM#hIgglai^fZy6I@Y(j`orYw5?w)i)*A9T68Nd}r0kxej!
z3bfYX3RWXj+i@myae{qir2-%MtBY8Mxb?b%1O$X3o~$_I$xKkf8u_33C@r*$mWwc#
zQvet%GbzbyEpz#$4h$9q*96+Z(+a6No)*w{ae;p<-?QMI8#mv%k#HbI9Uj;nziB$`
z3Akzy1v2OTqY}tA)cwL2K0-&1clh~Q;Q@rJtLXzqr9h?02mL;?=<q*;sXuu(pNc6X
z(A|h+TLS5~G6$Dde>2uxMG^h*F>F_nEJ7{{zgt?dAP{Dst^d?<%PsFrjD!w5=Tue_
zhyNR5v+Vy|4@`x|7S!*buU4O>L*%VSZ2Hx~00_TTsq?_~)GV+5X9HVwVP;+~-=lUj
z$U1#SyP2Fd?soX&T%K@<f|5y2>a4ovkP0u8F^R<cSkkv?6Drno5J;Z+jjtvRqYU;J
z$ZuILQe@Y{9-lUe<X>TIckBI}m#Z7i0@N#YjIxI`0F4`2Onl-LbilbL;Dl&7{&K&S
z^$}pjkqkDga_VSO!Hnq`N;_LIN#%>Vw%fIpO2Euv?5w}aEQj4S6ZD5jFkc_kCJ&^>
zXbgurcEiZ6tpx^u-c4axA<14)2HA79bc7ts9k3U)O@s;9az#eXl8I=DYAT}IA1r-T
zf#P$2-ZveXM}MuUB5)84v?LRSSGne``-ZDR%&@WU4JFRt0?8doANKyPf#0ny3Qt>V
z!khkf-@Htu$BB$7$ne_n{bOyByyFq?=aYW9gXV8MR6F%Kl(aONgt{})@zXJKZn<AP
z@fqRnwOd>szYHXj=xQiwekGELZ1I{>4~8V{Xu1Wf8d3zX77l#DgrB$L+xzqffEhI0
zcrta#0}Qr#(PQ!0)jzoWr8K%JDS!kv9PbfVPB)w+Mfo`s_2Rjt{n|8RMmzKk20c@Y
zK*j%+OSAxPHdTo%38R*ZRql2d_e*3bbN64C@E49;!I1S#YV{I(&m@wL)1vSt8wRSr
zY!brp|58a#cQAE+3#d<){p#&+_}o+CP9F-W(7@6(=Df6#dE4FbF;x1`yAE}Nt=guj
zGdYn>G@|ZSi=zk91q~`U+_1tJYL-$}kU)Y!=XWBgRgVX}AKF)1-oIeOfPul)s_m~g
zXC6!)70Pqe0P#1cZvaq0ufH~mNqB!UmefbBp1=9yG@V6AQK`G{LIAC}*!JKdAIq@*
zfIlk#!!6lu-WdcZ#t+{suWWbIQTK4#%?Hl^odu|iOj{x}Uf?B<MY)^CjmlRMtlaSV
zwB$L*C3M{d)k)9WRRdj6xl^r2R9{J{$=!$y*~eeG;sbA1b(5T(qC#*tVe9{y>VAF9
zJHd;6HaL7wN!&<61@+wSXdr?F8CmHM;cffnS|ods2z2+WyV~}f-*>e?ugg2C(Kza%
zC{3;f*WP4y?8GDS#z@3@czfU|z8+5);dPOIZx^c_D`))7=S0(1V(Z@+`G2`$0D*pQ
z!W19ZHDterlvTWXX3g@l%2EOry~8$aZ-<Y(Zm@m5C|oDsgVvzh6aLVweBh#79d1&l
zTCz#61jkg7Y^(mZyrwAJRDi1Bj)Bgo<U`EAzLy@Kw}<Rkx90n_MP3EUSC;5mfDXP?
zz<Oreo6u<=u%it9ZUevHU&cJ)^n?aOl^d6LA=vYEo2p9y+`@6i{r##|1x7tbS<x7j
z01-8tr4?qlGh%7Y_dcniBREmnKz%{y3NyW}Hct6<DPYsPi)c0(Hdk0zCS|nmvVWGl
z06vR{UjJa0#-0Zs)*YTfI|pFPHWv~A8IO;7m{oKJ)wwOmK7}a*uNmib<5O_l{^JN>
zfgl2_&ahV&GIkD229qo5AIrYwIS243Ssfa#EDTIu)^1!Nf4n`FUc7&M%Q&qiUO?)$
zihBJ4YZs3z;NPvzRj{5Hc5ZSZ#Ygv>elJbm)Okr=?!4?*Z<x#pG-8mRrVP!@x;9BO
zPjouk@p)fQ&n#w~3ErN9ay+UDPMu2Cxm_?QV#<2=ArERAU%c~{Fr9+;Wntpp4!Uq>
zT(;g`u45<8IkY;Y?70Y1EpP=N-@jw%qU8_I%aha8P5B0`TdP(botrdbx?vAa7NO8G
zYoax}A{=U>%<DA&n>9QLwyd4lBuNKd)0}<C**@Cgywgo1kxuH9#iPY^6bnn{tnz7!
zHp2AZr;eMy3zrje!@ifDes?|<7K68<Sm$W<GaVC3Ek6lD_Y=RcmD6z1DDW0rep4!P
z&-c(?fE5kfN>y+f;~nG?^$h#Wk2pxj;#?9Q+&$t!l_~2-7CLV`m~-%k9PsrsDl8Pl
z|NqOy>*vN<J6w&?g~=Fv^W(jg95er-CsH?&d9~Dr&*SI<ekLf9#q%FyNfX*9+FhL4
z)Yv)d&ZRl3&$wki7w9)i++VHTcG(>{8-sRc)7)mU73^1kcwkr6XIZvdk1@LD{V`k*
zxXqSLAWMYO(_4&$diFTYFMwXZru@m$UX~hU!*{|xt75O3xOGNDK??5Y?!?fRD@-8q
z4e!IpPc-TL#i0bl3>S-MEFNaN<zk#wmn&9U@nr7ztv}2?a&u^1x(hrw(_{&UnhJ9|
zns$|^R*cKMzE6*G*yaS0^~U9`24)tj^B$#^-EeC#df-GA$LJqiB2;d8@_MloD<^wR
zRwdePFrjFq-fy#HMN~jS-|X-Bd|M{e-zfS}WkE2Qo1{~@?9RH2D5QXy)*r~Sjgv^`
zei-YaZX7|x*B;_t;LnevApi4(`Fv&fxYc(`9XY#e<oXyHvRH~lt=5M=l!9MGDza?M
zJ`y9MOpz_;)gIq0*EYjhx+FZZI+*#qNNL~%gNieA-}}pUN9b0fM6Q}fz|<!k`^e=V
z%o`+zF;u^(+_P`zvPm*!TbDGnYyNNye%gNhM+t#nHr|Y_#k*_Vsb#Z5HalALzH-Vk
zmhaSPI*PHz{P^p1oz0Zpit~H=I2Kij&0AJ$BjmVqiQTAK^Zst>7CpAiR9YohXSd~%
zIdvL$@~G;w-6@w+4JqW-xKy!0{Rr>N2Aa00ZLysBmxIXt?FJphtJ~aqXfqX=gIE-q
z9?OJ>Q#`K-YR!!mdubDq#x&7+G5ZF-9w)r(G`}nboez3#2HfmX6Vs|^WavsxQxxrr
z`?94*D{B<7E>P}|>;0`}L7@D;UdZN&KHJ8NddyWgQI@E|B>L>%J3d$8lD0aGxgT?U
zp1FRI@q2uDK_f5x`O=kTy4|4l@DNFWyH32Fo*8K_*=9n)s%rlfMqyuEktfj2x8-^y
zl`Z)2P4Vu@HX~-$U=N$7c|HwwOL3?F8}vg<s3U)yIlPU|%k%bMzKCl{c*YfkKku&`
zw%AnzUb#*r!zC&iX&y<IO)^N5nYhjzyCa+M8mv^59A3Pk-^a#ARw7~1CreeUi<?7I
z)mINH2_H8Yw4k9~gi?}46CagLApTpP{K<kmWe0<4@Dt0g%KH`ge^w1D@J)yLXQXC#
zl%FPNK(2iBW|s>X;}-_y8J|7lu{GD%t1~o+ZTH@moJU6vHwJt;H^!lI8%if`(Ye-x
zF)DX_RaI;LfW-ckc-fStQI{Wuhj2sgSDmELW>19<wp~SV&HZEN8_VK$Li!`3cAT<0
ztx;P09J8}{`*L;%aTSvAn0lJbNO|K!ejRO;d!Zw2G$2M35pp6e){N@_#%?K$){?>_
z)9T0tl3k}?EpDT%V{6F1PmhH3P$anZOroUtYL}dq%RjI}RXiUCRFqnliT0YSO;S_u
z#3%92P0j+si>DbfWJ8vEiF7xm%rq@L>^O7x63t6*E{+B#onZ=}hyMi3U2WhG-h%11
z7<^Fi#rAXeL9xLO+Q%isIuF{+_{Gfe=KbOfk&n}@UhDHsYlvho+Wc|i?|dnh)3u)6
z$*zdFT_2U<V1_Vk#Z~)#U(Ao2klp8-2f8oip_@9q1s3MA33E@ZZBp56&=p_mXtx<i
zK2YS4AZuNQ7bhzf{gg#pm*Db(XZo3oij!GSk=Bwj<*ziLn5aaCuXK^Rg>e)&An6(j
z`(IV_scXt5(qN1Q%2Lskx8tpc(arJ(F?&$wFkJu=*`a2z=GOh`<1pV*tL%}}(RGY?
zY9V!-En$D%LDA=sGVB-*d2|zOxW;J3y1-BA=W)kqvz`x8@9<2|lh@@*-CNpMt+$fo
zG$kRzs$rZlO_wX_)0)*?$v04j@S;&4S^P0N!(;;qlaSxd1|h$+k3scxEE7o-Gr2+W
zE>4dtBNQG*uG1_0W02%H<aUe4E?=!X!yRYKU8qH{5w(C9ReeJTW!U{iElmky!LMPZ
zV`Qh_YhPP^?1cP5*hIj4(9>O%WaXFFv?Vh&(dZM9sChgr7>zFfd%fl*>I7vyBm9
z#wnWUp3UCX=1svQx=T52$CN`-9=epW%5;-JLoxqTekuwtw&qB_z198hw{C}5Hv3t(
z4YGsE?vtFIWVYZd^aDYfjG>Sbc?Ad2!Ntni9M-w8LuByoGOgpKESe}Oy3%Ev^>Ss%
zV3>1>1Sp3DhrC_j+f6!k(T<Sl9F-xw>R=8@uS6eJV!uhM>>SmOTiQMb2&)I1l)MM=
z`*TO|0sQ|_GxloNiir|z8KHTkTn)d5Lz{CcN;Y5##(zPco(QZe*|Vc7wHozuD$5*T
zSGXPIuwb7%R9V{^Tj%7ZHRTv@W}Ic$XWGtSt6a2Nd%GMtW2hV?r0_URiS1A;i1r^h
zI1UFoL{~5vEi@&a@cA%VH8B)?!{y$y<*^Nmsiw~fC^&jH9*nJA$(2Wp4#3IJI^bZk
zaEGq878tzU&G^2@7co*=B)?sw;l8z>Vcymom%Ev%@S1}`J@-VMI!PdPJwm;)?7^*~
zSw%^jN$V&klC)0k^fp;P;}R5>$C5{&#M)PDETXhu{T8}nlmQs0n`@pyf3Fi1DIiUJ
zR+qMbk~=?TD_eNv8+!R4o5mO{ws0?=@r_&Y$Wlywz9U&7k>Yh8)~;WBefV*R;i{)S
z&mGzN5pUVGD9A>f8$Q)T%Qyn&JRPBjNN+V}Qt=)dMQl<wL1>*Bl<4zGShEAgqDi6z
z7Oq4B&M@W(BZ3^N!cZ11MO~X_lxhw;vha8x7vrhB&@H@^T0XO)hy#ZWVJm9T^XNl>
zJYrU3FogSH^xrE^o8>6jPKbX|%GQhEl+Aw85PUIWwf<8C{UXuX$Wwot!3>eg{j$kN
zaChgww$7w(f^O0au!G9<dCbv^ObZ=ur9pSdd%muW3i~?SE*F2lvoIpM|NfrCmA8%;
zYk*_=@Tfx9pTSa<iWJ79USCaT)kK+$N`&4#((Q094Myl|;H6sIa#R|xsGy_9%HcRV
z;Ms(KI`M^$LlI4exhq&pER~F~!=hM&Huu(Abbit{Sn&JVJBsvC^)LHA3zawUVz5l>
zU+n0ll65&8TLXY3K5ZvDdm~aJaaQ*zMZspj*MN4y?GT`%6<d-`(z-K72G`}Vif^m|
zywGObo5YkR@1D`jn=eXBy!QM?G*{0LLu1S}(wO(@wiN)7Vbyb?z(A7?maIQ5u8TOa
z&3ARS(<=p0cMSAagMcenbKIfEQbC)AE#0>mK1#^uobOKCoicE0mEXr_r;PeE9g*db
zxK?O4D3Ot?b4eXyfKoluPB3uG!IU1YYtyOw8AITuklkkWF=Qxl6zqS|iRO@OmkQBh
z+NhE((qu>feSGp^_-~#hwi3pPtr$>=k<;UX1HfvK#!KPn8UcPlO`t8#1fJTs%47`C
zZvEw_C5}_K6a!(7aXC+EQ$4`$YqP|z#UI@1v=9<KPPeSeVM+|L>Fj8E5E;r2SWzIB
zQXC_{{EKInKDfhhPJvGJ1xw8(NME_vHbp7wZa+bVHis><kN`Y))t!|MFT%=HBxydg
z*1g+LgND6gqOighT{b!OP87p={o91ebju~bi!mn0q}7hQnLp(wU-G>!=#toL`{{3%
z=}wKt{X;ncRH39~<!GaH-m-cxU0U?+&k+9CtL7k6k&p8GQ=RVJb`R3ot~A}+jX}3(
zs7(-2cbENRtxnq_Q?Ae+rtA3yCL4F_)~Trit)>ErBE5r8%a6>q8jJx50gM&R_|rUT
zzt3n&c3hY5uUDU1ma(Zgj~#xsI=phWL7@58b2mf6ekhoHJt{9#cF*B$@}xXn@6E1{
zw1iic^#bfmUYWQm1#6adrsVR@$<KHqbtm!5ELFkLhnH<m*DPqcT8R4=N!F?zmz7#f
zw8}?P2Ug%yAJgW8bva)ed@+=<^Rvhy2{o9(i%ub1{4a;QL($M01MutD2(@h<M{4~#
z@oQp<dItwSOQGqSYnQVQf^AsJW=Cz_SCW0I2wR*R(PU+j`9n=2B3;JV+YQFJYQAhH
zJf->Zj>)*Y@5h=KoYv3#e|@N6Ak$^hR9G(Bt;+_VN<R^~(Pe)%vr8A~Vv*M*gw5jE
zfJv*~^zuRAPs<qwm_dzXx0@py$Q`v~<HPiMB5HcUo87H;`l@4emfqWKSO6pWz76qD
z-G$1OgwuY{COKkNcEA6vqI7r`cSTfv!j65;E;Yq$=g&Z!Ar`VUO0=;&-kK}l8(!Sz
z$dRY9CN0M}G=EM=t-1fQa$Kx%<Z?AvY$P%-Qlzc?q_gI*LKdhHLb)-jhmKOL@3Q;s
zp!}H4`_degeTeuwN5zF8N_3}CO_mr#<$lyj>+0PH05b$?%2+ovon(b<e<AH!iThQL
zGq&m&vHJG%uhs!-OvUroQ4E)vm(UyJWq$ICJfa5m83q%=meDdTxd?07r|on_<(fc|
zJTak4sz2|ZmPW=;M*8Em>tF#dnp|XRr&iZzn-jSL(+$p0rbwi=m;qmWe)8(t&@kp-
zo%q@PExz_ai8V*wTL1F3Of;$VhWq}!G0ft8l$H)<P<baacG{w!MC#{#&RV@WdVqcQ
z8;-K3tr#nAa_cGCQdpiQYXpF%0^MHeEZ8u%TYy9XeffQ<*Q`3jFg3Nijnd0C{{A8Y
z_={=Wu79_YX1C4c{lQ3p`D>9baJ+TB#Qrh1?Ah@z{q>NSNUv?<)|A8X+in!atoqS*
znM)X#eQ}t%cK>nBo_4|GI<Tkuok<*0h&s*14EAWQKinVgCE;l7?mi%ibNS>~Z#ga>
zH(aKCX9=hJ<fq~E?U3Z5YMgRbeQ)nnr-aLm$q&TqKW?yBC7Pt5oTK++?2H#gS!_<5
z$)2dt=&Sq7JDOm4`XC2MOd9-f<NJ><nNxRpzeI8eSUrVJ!Ji2bDCc<FGMAe3j9*?)
z)LC%UJC;(~ANF&uXI+B)yc{9ha$hc#8#0!96I*2_GM0PVy{4~B3)09U5@@eeO`b)^
zIxqo=RIy))<Pq&-3TY`w`HjK!#2Se}&S?MPdn=hFHnnHaY$E)Y%lbD4{C>-X%T$s@
z5zMvk1D@ob=FfyYj&M_-AcNrbF3%U%_1Y?m++eHF{|{v~vdVL|O{TQf^ukx|a<*Y{
zP&t?t{Jz&&#(W-Na&UT`g`;(Bws5P28*<pW-Ga-OM8V&30=&`(A+q@Tuw3VBlM-2u
z)<KMkw=ix+bDrT+Syi&qfKBrbPJ@WcFIw-HA>7i;sW>%jjvSJ<fXx)0eWV)iGaL$(
z>fe8JN;JH_AwiOkQzZ`AHrj92WgNEk%Bfnj=#WFF_Dh+?<$D-oo}bwnogYPc<XQ1+
z?Z0N37T|sG^RyDs72g)UT3``ls;vzKP-4Zkp?=F+df{O?MTya$h_9QxgfpHDHI~KB
z5RzqRvF^2pYhx{gXAw~%910y}gBu$ZcrMThCpu1$k?MS|E#QTy))1}#R4c1$%bm$)
zMwUx6j=o0-v)Ofx4tQtSwDp){k$Ib}A6e`=#jfjeI!A2)xzkYH8(^WjUW`Vrp9?I$
z);uoer0F+ny5Co4!HUAP2`kQ;5_*A5Ha=j`t%tJa7houmVz3oXMyBN9nPxPL(gR&O
zn8{g%ZrJ%@Aae)$!Y6`1Cb6I-RNj{#<FfZeKjF(YMy^aGTfwvTzxwe0jl;1{eU0%O
z2fBDFxwpkmKihmLi<30lF^XFqy@F=0W28C@fOK^OkQ}nZj9cO~Zr_eSY^O_V6WB)<
zIhi<-It?$>9Z680pI8+#%u*#vk;R)tz@#>kfG$SHa<osTH%q{4>>VKyC>HBa@1b=!
zT+6pAX+gX-YqWH43xC#e#NO);z^?tnPqEvaBh&e9S6=9`4sy6IS0kD_vdaTDm@nUW
zz!)vuF`b5%oEkdQRJ0K8jG_9N_<a|Yfj1VHw<*S&yIzu5#DQTnHbPyM!<7kX*5<L_
z*$-_-4%%5I$_-nmz8*nXWgZA1^DF?{Fiptdsm;~GmfjLE^B>-vqQ{CW1J-fX0A3Yk
zgB=D)rqgQHaxR5raAFwOi`}aoe+9Z~1KY7>@=p!pH@llCjo6PcK-d^(?Iy^+%{hL0
zjX_fz_P?x~?itG$r}>s-3u#cd(`cHICMdipBVjSAYKy;ud!w@vFLGLAX+v+|N<^}0
zhN>r_)XNDo9MVh9Jqg%HCiBu@Vh2p{Bh^25kku9sTwTB0sO3HH;9%yP0*n+~C-r}$
zXGjM#G4hSLQ<?|lnp;0>C00gW^@fb{?1yX;E~pTT!txf|N7z_rD0hSL2q0AQ>IvS>
z9WB!`3;20(5CkwP#-^8(O_I{IIxMD(SUfOQVo}*;aP;_aG#NH)-p}(qB{0?j#wAUt
z+ly2`WM9QIz~eQAbt?95V>MbPx!PXo`p6ESbIO^q)ntfzThCDaURQeq>pQn`-1L~>
z($>cq^fodyg;0hVrAvlNH3f)Ttw|2rf}USvI=Re}&}3xWQ=V)yBQ{MA1XR!Wz3n)y
z*zsAOSiR}-3N2r}|72pdJ(4^>?wuH3b{RKh3<p4YUk<63KhyiZ{UV%l{cGl1EpJ*a
zsS^@5y~!B#^~+EpgY`I97Cry-bs}K5p7-Y*caD{v97c=YW*<yxd}O;E=dJ5`ey>b^
zv}!7A0}OpkYQkF;>VJaBf`U2yOXu|#(?k2NtHGs2+}h4*7dT43PS?)m!@K3jcf;Fh
zrtR!y(Kh=`%S+(N?VTU2aeAzN0!0e^kAJ2=c}G!ig%)P*Al+Hc@bE1OsUHZkul_s_
zuIZ1-z#nK9g*W-s@aNC$R33N!W^HUm_S1CX$e-C%({x^-ah^)^sV(_7#mdLyB>={R
z*$Oy$5ZGsShn1j9PQSiYZs*QPis2pdX>W*`N7?FI?}7%G#_@ogN(nQwk2C2pQVc|;
z5_<zw!tl8T($5jcoqpwNF4DMjx7YBr#IG=Pps7t=8$2$OO^{5&jwxh)1<_>-!n2%J
zxpboRQFqZNSW$^m#SiwKDs>p|b^{u+cK9B5bK2ULKBSbxE(ikGv*_El<Y^3@kKbOT
zH4bm}z@Hz{6N1Hib}9p@m>H^jAF;O4uMNl!J}Yr93L!A&PEo`WY<iBCvNVg%knseJ
zlswzogaKB~A!;#_LHZ6p;BAF*wj_2dC`Z5@-ZYKyJFN){U*R|dW0*@}-Ys~9>q8QS
zmZGv#3>^IIi@q$vh-&Mpzu*f;7h(QJZ=ULb4cOP9Ufrs3+Wkr=6%y~ODE{}+vu_Qr
z@Aif7Z~Jo+{{RIb9)W;zfS=rp&!3XVmS<nxJ<W1mq9C=XPZW4fgcjq>o0xZ{JFc4;
zxf+sf4YS3Cq`SNSHrO;T2oAi5yu7C!lrfjQSBunZ9Li<oW%WiC5Q+zKw+(HU$D=J4
zVH!aRWrSZ>$XPi(t#PscVQRLBX3$jgJ@2o~8GB~1T2A)+Sb0gNNyobMzF3Kr_AGGC
zLYTosqsiV|Yba+;!y2Ku=p@acLgX(lk7gy#^bb2o*l6-5V-GIB^{mb2;wIj`TqPp0
ze+C>sd{{o~z!=3_QO`t7oy{aD_u{W>_(s5(@dtKVbZH0;RMuj8nVpz_WwfmU?}8Am
zIDcw!?c=f$73a}?<e<#@XdU`RhAlb&^iZQf4u5Zj<>KB+G`_{|zEd<M4gKJ1je~-U
z%f;)<C8ZzJ<gjDf+DrU&(yX1tEP@bSyB#B-Tu}1whcgdm57@YR<x=vH%LRri&H2>d
zav%~`xIF$Q7x=cJto;*+fjw1fZvG`76+aw{w1^nqqQ+J*8)Qs_Ha=>2eJZ_xXAzV>
zr*>VKqM%+qRSV*0?~}GkOkHx*0BT82a9*FBP+ZjLdTfQFvdb1<O$o~2h)g8kuW_l!
zg0_X8gByCDJ#};SaD1NYU&{duvhQr_ZgO_{X6JPS_RfAaEiVU5Ink$+UR0i&n!n-~
zRDM0TGqH(WI!)O5XWR99+x=EbF*GW9`Jc_4kEbzM#OfJ3nvn(*Ae)7v!kwu1m&;s`
zb)%v^ht|(M)7v44EXxOvb4zC1&Cr$lj8D5{B-;b~;!WX18U0x`W40L5=t*lAMLv(^
zPCzufPa9#Yg%$5#+$6K`rSkW0Id9vt6GiF%C_lf7p-T2^ad=V9a7>m-)?ZMVKTlfW
z-$%~wyZB{GbwkOcDv<diJ>u6+GwV^E4&$FvwvHwTa;~sZpf14BbM5^LQz8c{Fdev;
z-7AQb`ydMv6Mud~gAFo~r*3f2GK&MLZ1fu)$N{6eQo$#exG;O$G*Ix<%InW1zdeW#
zLymsK*ah#<uI%uBaZ~Nr1O*>4*zHg(4V}nO+vWR=z2adT0{QEy9A_0zS9K)$GQm4D
zm=g@_>5r5%_~C*%K`nOA_2{NKXK~N<GLJy6wue3TYGMgywc~mUKbI7RU~G*agi=id
zAp&x_S7PGukPyT(l=31M*8lQZwji~kLm*P%)5+Qn6_%82IIPF+-1P!va-p*E8hWsO
zTz#?|%R2J+d4{g4xU+x2xO)a_=~ZatYz3io%yTd9_eb}C`H)_od477YmW}16r}G_G
z3cvH$Gsh(n?LHikeVS6cL5&OIU$S@qj&If7ZO7wn2c9XFl1Ed737!sqMn-3&k(JUT
zf;41MniY9MQP0j|r`JD;-nLXdd8AB`xaF6KwtoO*ZDPEAV$;afosIu*xw1=pAQcu$
zwmZ7+p<`?^ad7s|o?W9t>ym^gSmL|F?3z~rQLvi1#1M=6zVHYT7!1igY{r^p)_h}n
z_LzHI5}TA$`xmEUMIR}pjYT?)oiej0=l7{-p%Tii5hwl(Pv7e5-(^VQVB6bwX)ws@
z*`(lICZ#EKUsd6BpEl^Lur^xyAV?a>6qOkljd>LslUzFI7kOV$QDZ1#;31W`Alabt
zL6EiF!%VY!3aGn#r7f7-=&YfA{9Zn7KuTZM8k^$UV5FI>6n#8EcMS%zq#6S2k;%nc
zx9#OGwdHpYnPFmPA33$$pWS&Ub3MqwManmx5v!4`mmHP7BasCvW+%UX>(BsMudUhK
z7PohArllVg8<46`LLlqMGp%0x<q7D8jGGbDPKc9fUQz+Ux~)1;R{`qCZR!~dKWY7;
z5cOpkneFK|<iUyt782KQBzmQocx`bp*Y|Dty<(uG%qSvW(xdo-l<^UWQ0KF~h-Hy8
zOVB+XgtF$c7pJ`8!tt^<Myal0ac50skl3^!c%UF!5IAfC6Sq)@jJ>u&lMhD<zb;L2
zfArZmenI=%mS3*vi?zLlLuK!07rdgWLWn0GKm7Oh$Gbb}%3ura4?ya4*z-#VkKpaD
zd|>B|ypH$esA~dQ3=|de$<I1ntCFU&CiL<U`7P^8$|eq|mRR!XcMKQqnLfR~rNHd~
zcI#H%Jujh2iJUUp-0?KarQ*3-nDI)PCtrbh++w>fZC4M<yPd#zscJ7lo}AG#Z}JMb
z#|%-UGm~^=++_p~9fXGhx5~luojN<;TtAsB6APybXV^z&3YQikO*P+GJqL5Nd^aKp
z@oB92HuXU|WjP}<n){DR8hVD7s+DW7513}1@TS1M-9v+w!bSPYN0Fiq&;BBVURqfU
zLsld$!eEL2IRFu4nZ(=E+NMLUfxiN#Lh%z5q0KKXc%AEcvw=DeK!m}P@H+q^#uYDM
z7qq<#WlFIavJPZDjjgC$qyhsIE@M0-Glef5TE@C75*0<JT$gW7K)=r<qs=_9+3de7
z>4I;Zb>zyHtbuHw28^n~3|Yvwz|OcH&UH9JLjUXlbJe4&id>oE#8p?TGlx9f&##es
zYfeyK*h4-1r>!Y&Dn_P>qVJiis%6K>r$+zr>-T(uy86N=z#o6@67hbnuSMCre59HF
zJ@y2Zce>LYt>E}8@I8|`{yo|JSDSyk0vcWtd{W|stlJ9km~o`rlU3LkhutuP?&ym1
zPnWF3H*$MVqn0Al4lU4MIo+zd>RDK(#Ac4svxoN0lCe)Wdm%omleV}pcmh|x`4Y82
zZpOCB$2Z_H7sNl#z%a0@;puc9^TsYy+7MNoEJM9_dl6fmjAx(<+_(NYhx`M}o*Q4O
zKu0ceNAd9jGkP#u$=GPHcR_f*DTpuCnyLEH)u5_TiJU~pu^vFOt#%~K6zHRtXQhXr
zW|Ri2Ozv%-%0V&@1SzLxPRS#Xq%P6BV%9#UN15=Mde~?OQ|9;bp2vrcXQ9~$GuB#i
z{M6<e;j0(xANCv?`}=$FyioeaqRm297&5<8cKP{KlRZ8|Sn^0fv#=gwLFd%BI2<Zr
z)hHc;^mYh<h#;>HZHuX(xZc}BZLT~jp~1?2YahK8`?*L>rPqtZ)ucLiZK8f!SLsEZ
zC~2wUZ8`4&@`f%}&WX~ue|nm8jWY=8eZ01G7<IE{s>m#6<sB^^E!Y}$n>iH55-l-|
zr+Qd9R1i;~e1PQ$Ug4b9=;;f)?{)^RcR63LhSq7)6bFr0pj)TM%~oU=Zv`ITJ9(q2
zIDgq~7Kqt0axK&J`{z!cH_^|%UIcaDH$-H!a0i}q;uY-xgNT#@_yzO~1J!TY)_3l1
z5j&}SSwY?FNY`<jc{Ozx$lju(-`;11Ag8Kr1yaQWA?jDohY9fV%I_o%UO@4x|M>nT
zT(It0fgB!R$9x5~7|{S0YK5Uh0<tPBER4-ndT>mqX~t{IIir`?lf-3D6AWE66#dCh
z`DbUXG7uxpOnTkmfV)}r;j~8d3Y+sOuZF~%M$3plFZJOHt$4rA%+5O7J$pkgedZSI
z<CIiS%A7*#yQ<4e7uMHx5Uq#y4O{N4>j>qN(Bjc)+Nc%GnXjajkU2CtWWqD`8>+#H
z_nO$W!|_qfRz2CzmY>z|P+SZA(WL~r(WfTN?Uu;I`Z<`zL4d1d6d12F_b*~5mgeL&
z#mGE<Z2=e!$pvBlXCQ3SOoPZJ^R>%Nk{@36k;e?-BpJ~AsR8E$ZGJLaPVTpLoi%SQ
z8cw<cVx9glwAMOz?9741QSg=2Lr>X2h7zps3b&&NjhLZ4!;TTd*N+FwD|4&OBB=YT
zlVkyc4b(CYa-}Ya3wAF8WV`-ZczC=X{Kd^97YZDH9hnm8!DdY9?xREXB_WPGy~@Cr
zGraKwaoex%o0PB^?M&l1Da4>hW`-iM1S)-97wih*R!sn6Dzzzzzn$}9Nm{U1kVnO8
z%wI9&YU<9SVf7o;d`Fuy(A16?BR`#-&uM$9t~PaiQ}^c7$OrsdmO5g6?_5D>(T(s~
zMRvC3)>cnNg6cbqnxm8E9M@)_Z*|(uMfH}Jgc$OS8_u%ahqi*Ot8cHHsMIKX=Rm$a
ztmU=tFDHWA5O{|KoZ*^)9R}@|G=Jr~arEjF#G&k4xL(-O=F@9Wnr|(oZ0B|%e!}9a
z0;kRoC*!zk(Qhqa01h8r#U;(JB}+3TvjxpCVH`S?L=_=`R-skE|G3)iht*1GCBN>c
z%fl{62de7i;@Z|2nq-c(n*0D<<9cn$?1{5Xe9^f17xT4y8UZsQy>{%mS?k*DY2q7E
zGy_xl^<unx>Ra_W_YBEqkhE13ePtx$2PmM6Vi}s6Lt_fu6&1Y1Mf(;srJ8)-YIAuW
zs>?sF?>+M8tar@*-j+2$-CFEQW$8LoEhWGCV(0f#<)5bpc<;!6)ifmto)#IZ<VcVw
z9s=yN&?3ph>-PLzkPjWYP3HB{Vz=}9zPkQ>HCHLW7}CK(gN~QSWz>-T+8TeqV_jKr
zLqq1?^o6_E*)9Rd+{jbRL#lF$A}iBf%$z)G31=I9&K7kp$IbNFoh_KaDg^zZJ})D`
zKBK*1K)$xgN&zg;5O+b!Tw%*IlbRG_t}4LVP};!1F<KXyG#{SJlaZz&k+?9PnrfY+
zFB&}nPk^Man{IMP=-TXt@H#307+QcbymNeY4KG*82N3Db(VmuI=-5`kHPWU`khQJ|
z37s@a{rf_}Q9)fy$$*HGYJ|5vk+^$tEJl6$>fL!{p|*qJ<|M{e+}g>_bq^k5j&%f%
z&Czx#W{^4MNmsoWR6k5N`L%D)9pH_G4V2}h2F7JG$$n(-vtxr<8p46$zcblIf^sF7
znxGJD6#zr(J|_kU9dr32**T&AN{@-l2;hU($#izDTIXjJiFmjT#i;m6?$+C-8{3eX
zeVaQnFVrz{8X(V*&iqg(e^+Xo?!8RHXhyfM5bo~e5JfwC(YH|c5;yM_2d%@}HSoV_
z_~QB3z2g$g6jCl%Kj#acNi34q8W^^Q$m=!x%ut0!E`F*EvT?fno=sRhvyHcK)P?#D
zjC~*`c73A<kjoAu*Wk0O(Xrs#SBQ#;&7%6+Hmyr!Bfqa6!i`VZFt1IcCP*-M?L2b$
zb6->#Y+l+}lgo_Vo(|TM12kN-waOcr?jQllU9Qu<cLD^`MG-+r9CjWtAkQx-q6L=x
z0Jz=i^KB|7E|2~_rymVEp6*Ump~c5t7g#SZco^F4usyY;_jte|Ft|hi?-xD}TRhlm
zFptdS)R&(Z^#iryDe&V{hi_h56!Cgf6wd(lLWfbnP0`S7et6pgF*DWskOg^Sc3)U_
zjNr5;V8ua3gqWEj(=@K^(ZyiYB^{k;B%d&Fn+QE^^Vg0IYpr^Y?S0o!VM@QBPb>Fd
z&R3bKW-2HE0<Vt*z<K`s`mI><J&#~d9i;>8h@6st+5(<kvJv_&z%6?~lS?Tadwx6a
z$glx!X+`ELp~^<d7xw!3NC7n`5xWL;`Z#J5{PZTy%$Cqwnjvc#cPKR>Qq>q_r2OI~
zyNcNU`kxN>{ZHubUf=VXpC*sk{RDu^cDZ{aGvZx$|2iE*j=;_}n7B!5%oDiq12(0N
ze=~posL{DHbMP39Sr$TrEe?K$uZJMSMZ9qh=FlD3L_v*_A4LSTaCW2^;N=yt(|7wQ
z;rwfsj$t4J-LgXj3sM|488yvLKU9k+fQ+m-o6#NY%PF8A2RO*K)FXd-sp4|NQ;OOw
zmkThxE^5N)e|__)|1Ig7aRvuCBrbCB=aw$}!pp$ziK81eFiQ#c*GEmyXN(fp4GRS<
zRV=~MflYh7bG`K@iP_eA-_FfDnjOfWbwoJ1A2lWGXm#%QiOzWxhg7`qrJJZla&mvz
z>>2_pn{R&JCR4?WZ_d{Qu+t=UzO<KUvwwW9T8q??wFWLKFyvXG4<P2^{PU@sszJ7k
zPQLmbvz}yDp{SQ=@;;v1x>tgybp0+^EMx%M7?5#6ANGYW&%ucjUUbzyJ~vka`3dM2
zD<LJe!q%lRDynFim{v3Z-BggJyy$cgUJffq93IFiwck}d{9E7U?tuD>XsYD=dx4s<
zeh*`L2jN~*Lv^|AKSh&2I){pGE1ax9cS38=rnPJ4Qx!<j@rNzSthQ;00dtWUWYxpQ
z`ly7EDRX7}jD?jf9~aJ+V@e~*Tw8fCh_Lug0i$F{XQ!I-I5ls2u)6nf_V=&-V_0|<
zrp5ZU?N%H{!Gklsj!i|cE;Yi@NS+#iEtei?;mNJf3JK%;N{@S<W_b0^<yq^VDUOjv
z0mBJs*AHmyLpUj9__vd&m8~^Atj)sMdPyj7z&zftZm_lX#&Hw?wZLp6tI-mspKCHi
z^c}n;Dk$G3ox?^CJ9x0`R(dwoqQ8a&@-id~qy*91`P|5hs+KWG_s%iid0pG}&t;PJ
z+Bw%R>~gEqYMB8RP>anIwV<N*cnBJ6#HYu7AiB+0Zy@YQ<X)nrP3l!2WB%nuNnH5&
z(<j}%-&v&0U&Ch$yy_-GxBcqwxB%u627@av!QMW|#pRM`DsfvD)s`ptgiH-5eFs6E
zD|xR%x8?cFNgKyN?ZQh@1{21F{%R)9jo#~0k(oB;_Ydq1s+h~Lroi&I<7EZR_Cvq%
zbB$gG>^?eP3Yn1qvmNOTs%ex#M03=mMi^bCj@d)y8V`v*nUHuN!6e|6hmHX8V`~;&
zzHR>SYv-Ns`<t-9&E7eN)(bO6JyI%iTFj@pWYSh&jzk^rKaLySUwfu3UbInW`nV8I
z=MD<S#mo&cr0_tt(7A0eGQt1~*eiGHohxgtDa(LHL$TP|RMJLEhT&c<VIB?XKZ@ME
zaY$42zXJ}l4sF2l@K|EHxfQvG4f6_`ZenG<zn0E85!SaPgb>Dnk^PSQ|MdbK-%b8q
zu0F4~2bf#PL~VL74ZGb%gLQV^3uNP>_g!JiEgar2#a^nZE3Vv{K08a2SI6I4yC}t8
z*w%(eQ4ImPsw2%V=-r)<z>KsrG3O9!jHNlHkKOfkbg<Na92`p$B0tRtJuI@7Hvl{|
z61|}ur)Ei?pdO3w03Y9t{PnJJ<$xxr`v^cH{+hV_8T;kO;`&Q40bD`|KF*N(skLXA
zz65;&c09nrDS<A%nMD9=1m(m=)z1be5pIoNyIigW^_Z_=&|gl?o9SMz%K7WCaQgU$
zBtNgyhY=9TT{jLC7}gBGOo?c=w<O^j`D(LV8(sePzoqm28}eN*(`!()(GHT&Bebg4
z-P_ZohP5-w%=*q%0m%vpUFeTn%8b3@=$Sa+$b}n6w$ZPB4wIkDM+{g*QE+y3%?H4@
z2|Gc9GLi6a3j;v%okpc^6@CA5kjfT{T@Zlb!R1)T=ziVMW53o;o3rD34f2H@Cuuh*
zu08Ne#3tKfXB$K)GnBt%%9L>rjio*yRZLtMupx>}whq`5O&c4A0h+Jibn;N|#nj*`
zX^ErOgD1tFOHB~Ctp^y_vWk#jUN7}nx(?TlTLxm&|85*E{B8QZIDL4i9HA!j+|J9G
zSaC_^GjL3Ln{Jeev6*~9@FmE33iHa)Mi5UF%C#FItr!Zk2rJ$`zVhVEwH4I17{P!i
z!~lo7FFV&oTg39f&LL-Hjm%^y{5iD=8~^5w+4`DYbZr2IP73&D8FSRc;@V%md((?F
zi##4rA233h9_g~KLBPl^#_r?xxFViL%%1B}|2zdpojZl>>W`Ba;*^-d9G8*CiG%eV
zJGXDWqn%r#ELNOft{X`;XL0cQ_E5#AIqpLF3bS1^v$L)Fj#(ebFexn^(T4vV({77>
zbo$rP6A@&0SfL-KTbT@wNSW@hq3BxgL>9@1*Bqa<vbBQaqujaI!<8{fH`a<w@KX{x
z>znC;PlOi9JN^NgdVK&Sb3D}=uu10e7#5aZFG|qUa@MT9RnwIw-XCx4^<81dC(eka
zy!@;xKTuG}kj|0vv?NpYh)T`WkYXKB5;utjyXwo9@d+J1)F9)U_7X)649>@4rK1j<
zz8(K!F-fwHzGKUZJW+B)OUMic(}*nak7A%sk|k-2t^HC}-{%+I4@^j!2erh*6BIff
zlz-SK6l#Jc-vx?JX|^58Y0fn-^cDiL?fI}Aa-|lLC?t&Ugmy0<aa(}H>Lo>2a*?*B
zx(b$*Wd}-yK#l7Qp^jlP4U)h7+%i`8qU`;w<owBgU|)#KET7k{@aQBek`q^kKHKvK
zjWtCB;_l6JlLj$Gb^*SE@DDp7K9zNmD6{<GC&x6AA~OB~nM~!`3;VDDMz>ymTh@^Q
zGJ`Ll%|m0E-8s+7OF{zybG{S6LFUsRT5<K6Qhf0~BlWWtV$-Dcui3Y{@ti+8<p1>w
z(YqD3;;vrbjcW$)jMqRMdhkPjMH3=Jx3RlW0p#FZ$D>iS$nU7#W0ixLE6Msl%6D5E
zw`i)GJ8<MJCX<LmgY&9#9_YM@$|a}0a7@15ZY;6^$M7gYmlRxpaW9i*>cmKH4l=l>
zHx6?bjNS?^3L&^kg*TjxeEM*6*v@0CtxamJ3i$7??-O%-r5(cuSQ-?yS>k87TI+$g
zAMq{xz%=W&4ct6wT<tYY@f1lcAA^^u%TL^va86xbYKJi#@7_{p?S7j)iLM!g5W3Jw
zI_ktI{b*<3*lYjhlBu3R1#a`fe8voR2V|)w+m(G3UH5XfE^*GIy6BRyv>H3c95}J@
z74CO>!FU>^pQznajJkT2;&4o>ua7*@x%CHNDj^M8a^5C@xWNz7f8_7n9ZcO{$=?Wz
z0225iuxC=Ur6OiZW5F1Gn}iFcqtO8qEDpP`utp@l6L!^LrKpab^STn4)ixpWR|t+E
zV=nD1C~R#R5@5t0F2l!Riaq51+r&EaRlF@oXXg<=u4<j^tm&V977GD)YX=gljP8mO
z=Yw*^lIG6MMd{2@`k_VVbaX4}`rj#~@4!n+cdUFo0z&bSwVg#)uEb{9GTYK7e6?Nl
zID6qX!&W8yw))o{#^8GXqt~|^-NfcmWD5Iv>N6xl4#jAkWcr%gW@&BncY9y<dne{b
ziw1KZl<95I#oU7%Z*X`X*}iN%tQS*UVRMGg;NNLP4V&w$2?0r0?e(bTVkecdHhU@G
zNiN%Z)t6N%;+m+~MK0YNm`gw>Y0l~=^3Ca@y}jBkQKQQ|h61(RV2S^oRszUs`ompu
zQ2B17FP+oJEz#*hTXT)@pBLToT%>#!aZ&Vi$L?WPDQnl>)a24f>u|*5D^+Z@Fl!n)
zTGHX)lSahWt<c0^XqMFk;xgn_N9#C?3HWjc?5Y>W`?I6O=T&T|^PGxbU<y08F|O4}
zb#Db}Qh0ffcWNXSUXQ@5M(=JZ85A~N$KsIKk0BXf7^+8O!-^+d(>qGTGQ^PCYS=RU
z7gg(tg~qFDxQ(qH^1dv(pahBh`i&1r+Css5X;jd7xXb-uz#fj1H;ygt$k(=i??%56
z=#y6$>~|nYq_S~QB*5l|>RuA4!96`mVzL<tFg7`RjCb)#6R0K?D2o!)uY<1@$H^4a
z#=7Z=q9g_R3mFMAp!czoPEC2K81BiJ-rvhzZajb5-cLsi>^Muh2Y<Jg+{`^%B?;`G
zGst9{mVx}{@ASRMkXhfCu=0EqarLOg=ZiMSPfzU@RS9dHoFBVgP?WITS0^Z0<nHt}
zSE5n~j@OtyPcPfyv(FUK?J(Ys;iVNIrV)D_K!@3iPaV;w?93Nf;HqI-G@RVrm^8M6
zTfsPL?A%BaTltPF`+>UF2kWtVXdmv$wt~8AWQ(hG81Jmk-_3jZBP?yrueZA5Dw2*R
z=erBdnJpe#`f?a15dxX5Sb|PuE{$r}S7^H>k3Up2QnpvxCb#%(_m94&5P>uV^jI?g
z{FcL>i2wV7Y|w;bQ@r4LqKP#X61epz=2s1M@sD0NDnfLrCrWd~0@J-0ITL7~Sx|e)
zMu{+<EC3Pv=go_on7l3mWC={_NmO>h*#g6kJpFgO@4dy1{W?D1g$89?k>CG!!Ql;g
zv`U)$^0HItmV%;c%t%3W4EDffKHlUEY_kmf^3KuD@m>|F2nl_84h$h8IVgn7V1^IM
zZ3MH2S?wO5Y-yb5132+H;XTxRErd5Omx>4Ea4TJ&nznzSmq!^3xbxte{)uJSX2h7A
z5uZssB(!IqyYv1y4U-MB4)R_=Dz9tus?)Yi`M}aSCKCcb=FM|$^l5!JDZ8%0Ii)6}
zILb&xK^y5&pRual;^bbLn$^L@&YLj+kDFLKIWb?|Gvp4K3(X$@pdn#<HJ$Oi*3~on
z!U}(Of8(}B#&ZAS=t9Ho!*0-MFicqQivqxt+#LeY^G-L(DfBU^4So+Cmz<tHM4eqg
ze$^R@yLT#2F1ECF^{MieVlvZ513YkD%F2Qx5Xbuj@K)!{umIogQ%iAkN|@`YN$667
z(l|dkHt#zj-|~JXRV7qB!P9Qc$Op`s?=I%f=8+J!dKRy)eh4^}-3!_~OK@O}*o`Zh
zOx&yZa-!V@x`7QAk8Z#Qv~=~qw2-Uw9Y5&&_$}M|8zr<;yTU+x>P$yF{(NN_XZ;l8
zM)zOiEdqAF;8_$3)G)>lBiah+&6x^)T2L&wg*snISg4kbk;i7Nt`;@rf$r#-9e7By
z*k3mWJv~MPLy?h^nIb0sc6<_4Mj>ZYs?4_hCXr=$MuP$0A+7DfGHIs3lIA|BI!cb-
zSj-$V^N^qD39O5@zo%j#p%c;L#=*`@?u_hK2+98sTW<jrXVyjS5(to>3Bff4cXvx5
zKyY^p+R(VW2MF$N!QI`ZaVNODyF1*Mx&L2vXTDoS)l5$@A$|7QYdve9^EN7fUb0^P
zT&<b-p&L+K+%2=Pve(=!!~C8k@0wHnxNGi2X0=ptj|s$tuG5h3{7>7gSV>KtF2eWG
z*r1L6yRCY6gt8KWc@+Z!L&nG5A?wX-?z`Tw=#)0yOR4X8oUel@y=AAyMgHYwO}q<D
zFQO$a5f^#<mqq8GS_>ITa}gU}fksze0zPeJcUzbCs~-YtvfuQYQyH#V$Bx3Zo>P<K
z+SjS{jZdymZ|Jsr)ISiY^1IUlw!|?#^_|p35KzC%Y$wbWe*Yr6rAK!OEk$$2z>C{Q
zoApEG=gV$lm(1)Gx1gZHJ#=Il&|PY`X7hNz=z>fFn9l>2@06F{@x^?$1oQcJ&bu7L
z_?yqD)S{>3O%Gl1)O{QE*EZNH14aVU{~wKP&gV{#(ls$FXz9$bjm+5+|2+J`vJTg8
z{3a&Lgu6`#Pfh(;Nl{VjgkWq%Ay&pjn|oou)N0qvHes3odljyRJ$T4An0kyg^+jFb
zlSA#G!KpwSbNcxsQtgzsuBX1v%Qqb=+w^Ip$h)m5aez*`r$k*w!`Kf~bz)_lJ;)ah
zN&(6V^_u2&*R264sKWYM!W0S81>j86pGL2!W;^y7&CS`nWG46#;73&j)5x)<3KaAI
z<>(7z#@1$cW_=xqUAL?4)7O6frurgEiIVJ>&QREyXZ&bBVVz}3+_Rqt4>0H#n#9n6
z5uk@Cj8=RmboIM4sR1CCY30YLEgcLw8KNYo>F)RU-KlqDakz67ObOkZ=vlv}Zf5@~
z<1aI=%IeIzCuZIJphP#L?wSd1@rWhOOBFSW8yg1{1sjCdgTu>S7gF8D`CNO3O_#b&
zMIrO2+QZ2RO&~=@`t_)vJt;meAnC0PL*iFpQ*cZZW(;<Poc&5bg)m1uIT^i|Dp_)?
zru(~l_d@4xO(P<F!iJPd`=op??uLMd7WU@v*Z-|u0IdW-PYPkA9TErO!o`d4OREu*
zP@{onZgG0YhNV91#@qaX&ls%>-v1czXmw3*T7XoJ#>=aQr|G4rhIB>xWy7?L-_v~O
zn7{?8;DE{s_V^ZtXy4SEOQNt0`dc3gBI*z{p)1gcoeq-4_VB4G_~zm);r#&YCMHw!
zn3AwFgN0*O&Ji|T2ieZ=JKzy%8uGC15=G&w=LM>Imvlpvcq6}<<_`I-W8L%0^s5Hs
z9xx5m*6$3bcDb9cl;}{BVX6G@tQ?j2H!fJ_Tnhtjr3mEge`52E(iR9#*z?aCrHQ{Y
zw6N!g1#*U#Yhoi}#b6uTYGhMS1{l}#c3oDo1TgX<=Jbzq{cdN&Cek`4!G%}1==ki2
zGPL>aJ1TejAyvMR#{du}3olJzxMRxZqy2>|nj0ZY^v2y>6j)PRpsbi#fM>G$zGG>l
zU)uishOS1_GMH6gu!ibAN}8&wSl-}ZGTxWrgy(I@ryIqn&FYKodlI|GW~Q17>^=j;
z?hO`hYkc2Hb%XcG_N&?-!*x2qkrjQuWA}=O%FbV-{}=loBHjcA<W?F8zS&7``hqaN
z^!(#uE%9yxu<z!|im<eHD-1y-zX*=HU|?sP{r$0V$OjUvrbdetnge0QZIr7yT@7xu
zh#}O;2uJ-^4QDm_fiP%+*WaD2RlEq&tn1Cwdw=P93F`K-0kBzx1Hbn`<?L4J5c2|h
zrvmb~9whh%RBB(o-`-GeuVuvBl#d30{CQ*6rPCu*6YanSOQHss&%H#+A*Y9PJAJSY
zeThgM>2vGRTL%fVqb?>cNgAAif<bct0100=MwKfyl#{E(k{9gKR8|#^PDFnsuqTu}
z$#SO;RPL6G<)O464}Tu|SfqDut`o<E59vLeN#GmTV=9<NlBKE1hvptU&J4gX)j$PP
zguh;_WI#>b*qy^;s_8#-NNcl1E6hFn3xd}NZyYHfC#!eu5*HLNPyE=J`oYpeu-g#m
zsA@e+%iCfAt=%?IRD>!z1($vi0E&wM)K+w1-voTb-h$fEd2NvAOM$68zIA>UU$f>P
z_&OF*)ys7dtU=MZ+~NIQ>N``mTCRcJ=Q74h(3XijKq;q)tTY8rTLPa2r8QOaE%ARp
zVR}LI<ojj++{O><dFP!2g=)JijLarCYMVAzNCYcIxHLm{%>raa@Gq1_de9W<@M$y`
zSvKcUbIlPc-BQn72S?pQGHOGCG+|5C?`aE$lVeW5+ykd4YU|q8^E27B1O;)ul+ZTw
zg1nlAV411RQg>V+u#-##)i1BDw;WN(vC(b+xhinp2&~g^)>ojTFB90tyS!5qqixei
zQc-W5Q?!k|ebY#*Ok4c=xO@Mxe*zV<7n6{@8e@hR4c(F%p951a=IU9~AdtaMED9ib
zUG%&3ePX)ce#Q~jnkt8vxdioanXM)ki4dRTQB+a7T@-Ne#ot7=wBCw~VKZ(w{zCQy
z{QE8UPm!dzWuqv6Ot!<stga?f|Cu|7yw05+4x<XD34Ty^EzmvM+>t_Q2kG@VxgprJ
z%O<EX`Rp@sxw${01xQJf*3IlTRHz#O(vav%k-5js;7OPWZT*0LNZd2GzR)YnNgK-M
zDl=h~Q=<aHMxeHKFg>w7E>}~nF#Dq2h8xE?&PtGu#&zpyp!{Bl8STzkgFr<iL`g5G
zFazl{1^$c%H>nhL76QGh6oTR4JMQw>q1fL(v-;jH0g2t4S@nN^XYcj+fg)+|g0qdo
zd-}3Yn&c39kkZ5%P2t|^dD8>}4p4|Z*HN1@BaY|xKU1{B5$Kj1fpcU4L0FoV0__(1
z%`~QC%P|ilG8%1E)cf3$AQKmXN}4Bpls;o&V<+_IH%D}sx2q417|{SL`lcdR+q-5Z
zkwM{zSwH^V=A3tJE}r*vXwU8m--(Grw**~1S2;b2OPX60Mn6~(Nomx@kKVBMOhUh&
zw5}g1FE2Rw&^uoGSa<>cv#o?>RWjTy;E)33(_3@^cfJFWrsyDS{al0r)A0fQocUA3
z$u*Ov+3{w26RsZEP;9;7ADnD%zArcV=6DJu^Y3aN<Ul*-o`HFau9H?i)yZ^Qu!L0Y
zoFxCEm1utKCZ6>07aNm(SNf(1KX$lyz%4A*)aYOwQCA&UCMs}3$JL^{zwY@%EPN+Y
zG`~=WjO)%VFFE>lWz{trywG17eqn$q%WZ)lJ?Bc1ad6rj@hfnKh!wpvy~33|JlEKX
z`{0_*X1`K5;WFv%Q#Fv=(iu{J>x?^*{p`6kfwxpdA}?6Gf(;G&mVn#Zq2tS83|@??
z_=5C5lg$res*3t@SMPdIqzo_42Jzb_=XrS9Scndl5oJbcgs1GZmz{X`W!d|p0%1c2
z#EhOI5hu05$SHU&e;)E2<JVMJwGk7TD&R_PWC(?|MZTD#YOji$$_#nuPv~y-Hw^-<
zVTlWWDEvA-Q=>XFD{S~7kw=lsPPIHDG=Tu@V4yb4K%1qBk%&oIosN&dmDV)r0iuLB
zm>ZHiv9&QQRl`(6m_E?rh#vJ%Zm`!4OnU}GIak4ZUhbk_)AXp8mZdCHdyPzzj)2hB
zl>1~m@mN~$N{fbb2o~*eFMC<Dvyw!fEGi9MIbeCN;Hr(4<l}nOjLJH>$YEGJ(3F)4
z%r}9lf6owEPy%FZyF%cnSwG$nYJv=7hwFTsfeZ(vGnDjvk$5ywa&jRvR`x?#8bn}D
zR8ac5<d^Jbzv<T3@Xx3j9w~bC9w~Ztb!A+Jr^Jl2E|j42xN-21$GK*uVQn;vR*cv4
z#T+p9%f08*12$&|EJ?!Q*=D5a6U*#18`H83#)PQT<?q5s3XJkR?-VvLLl8#kw94+D
zF#hKRb{FK;7u8jDF$m@446$B>Nx)?h_m@|S=uh)MaGUs9j1Xi5Ry7C&VTOp#tX&Pm
zB;z{9@4P<Hutbr}X<x%<R0sh_s#W~Kmzue=0ztfB7P~(o_Kk|KCr3-AG+;J8E&!6)
zSN%m%YUhd}ymt~>l7V1k?DFk2KBuU@!UGgIP}C@-J1@Vv^4M50mQWR@*5KUOKbPXP
z-+}~3-@kD0Rxvc>JG?+52VuO*+SJuH=mEXN5qVahr8hEmeUpes+NLIlNATdPXxDpE
zTHME%VmmZ%@MuFS+7)d+^35rv!7!Vg)5%eS&wOdkNV2RSbIgdm_o79OtlF;e?jg<!
z(q*cL#@kTt<J1(}RxB{Tfb*#knILQjL}B}KS@DYg0}+?vEAu(0JKKqdQ>t{#3}xKE
zbjG1~l2D%|01xM|CcVP4s61Ppdo9I?=SN1#XKdB}Dc2VAc_7wXYn;hmPwK3#7UU-Q
zda6a;-nD!hx4)g(fw!c3v)&SWrQm^)-GPS@Wsu<H%cT-`-zcS*ZW@z=n!E7*e}U$A
z0)AY0-%sT|MrlnG&_%`I*F%oZbS+LoF`v5H)UPv_36}aYxT(XF>zdM<78`vHM)*wr
zDFBkz=iz&yI<kFEMvo0(c3=D;e(|@UWwvv90w%_j<Scbh|BaLL(s%;wQemzFA9wP)
zu8EtLXRI%1NTT}9V<BAQNceWlt6h{71QsIWB3w|5%JTAt4zpnuw2bK$BBNA9Z<zBo
z)gvfP+(Gt9a_40)bmwB2LPn%?kG!i=8qw6oj^2;=%#}R4$&v93Z`gl=kk(sJ8Y}WL
zw)}p*QP|kzJ;(v{iKV~>E%8Xtr;9;r=cnd|vxL1B%=-{`PY0_16ADU*_b|c(3nC-&
zNA+#RP4>=DpX27=nZJN;C=jWwxRD^)y&I^D@U}w43^a*b6TLPK4Z*QZ(tf5=a4$4*
z((T|#XY<fV#yu@6Lp}bOkayVRSfRfFO8K0qX&C`JNqyH&#Lwf^YZ;Rx`cNW8lrCzo
zORq!J^h0XHp0+Y%n7ba@E}5({o+638dVv&|+q=>ZfYC}jt==6DorW1ArHRnZvCkm{
z{~O)A?5OW27ts!t6Fm>PLrXu|epXLN?#$eGqp!Oxf0(R!1D`1~%7V}+@SIz5Q*v({
zLXb27us=PkW5wE!!*k2@%=5m>*H5370V0T<;IH+wq7Z_#9^hMmWT87~eSvoLM;SUT
zMa7@AgJ_0OICwqbZNP>?aDdgrtR@Qk@=wr{l7cy-)`s1zlZO}^RGW@_*JOxwfF0!!
zzCg<U_&?d<DX&b}SZD$XQ*9kfqA0ZW{U=Cvn;4^~;G1s9#GKPDF9m%~&*VHUvkXJw
zcR4m~Ei8-61bhBPj+%((AyQ=z+oWLPz1U?8DPo9Q9%SIPj1TC~l^LTUdlEXoQ2U5d
zwZui_@lV{9L?!Z?PBg`W7>WKyufHDL%{THj-zb@%G>pr`3#h4jPv|0&N<KP0Qe&!h
z8bxtqrzLhhP4w6lGz5=2aI9Vx%odL$`(a2>d>%wA^RWI+SmwhwrlKdJ_6@VD@SMw|
zG;ygW9$u1*4{w*z*>a-dTgh((Tm&N{DbL3s|J*%a_1LY8B9XfO&yu07=tFdNe!u_c
zqhr2)fK`Ao_)!=Q4>(9k?_j)WRx-@DRsnrlYj(u+V?K#G3YS3kugdbgRlTS?A_2+a
z@RTnO4@!j1?ymz-0n5VR-Cyq}?iKw(q?LbM-eM&+sW#k5Dw>}TKjv-6zCHukxaKtJ
zbG+(V#VZi)HwBww0R|0w+sc*JS$=&9?vCxN>>`?(#_o@Jo*Cn5uaRY9j^@H}p42ka
zRT%aIHocPgC|v>bPy(Cim!X7b(@b)#EoMVAdU$Ca{n7qhkDG7E5@<irc&qBsyy8`e
z!Z=lY7^8n$81j=j<CyW=c;5%p>8h(mb;`f~hSi{MCCb7c8q@m`6kLR-8SEv2n%^JQ
z`imEr+WqiSThx=4!hXPT5h#1O$dCaM1JC<1Xr^qvT%GaaQ!7VPOvt9wb8AjmoV1Lk
zS|g50pfxXdUQDe8>WQaPfR3DgE|BnKrJErGcn9F!vwMB;MP*cjBlzP^nPYj&cBhwr
z=V-jt_c${CMRkEc1#(>E0VamdDb2H;XI0}065sA!xZ$dD!Ka3MEvbaQRBUZI(3c(Y
z<^TPJRv$|WxtsMx#|29H6o*z$t28|Cy8Wz=mUWfJdT&xKh%C*+wVsczi)a%$qtNqG
z9UW6LYj`TZ^Zf2Ddu4*P0)1mZP?p0KUhgLi(GxR`^yt*3{FyjnY4iUosB0k2{CX)*
zy(t)w(gd(jG^)%n4au^_)@X9rO{ok5S+!&4XP(5Zy70BX!xqXOpG+?QxjlYW`o`5o
z7gjlV=m0NF7@NF9``6F?pNHkF+bURA_h248RGr^r>V{Ob_NPN%AdGht^MEZKs8pzR
z&R|PX4;b#(XW*MPkCfii=&A?MEy_la-ge8Aw44Wc>1M(sj19wGR#A({#-;biWdV9@
z^@*+rmn4|BLQf1MDfePOiG;GyzfeSmfVL?s0;s6lvlI-dtR`!3e5Rs%LFf~?hzpr=
z)M^D+&g-o{PYJqIdL7BEFD%{tjv!nDa=hzw9ILM{6T(Wf=9tPJ?q~{i<iF&E<N@PD
zk5A^Av!-?Ug0LEZI1uUO$W9pCu#GGz&*Lkuv*>dTa7TK7P*uKq_qUU6+W&hOU<@Uf
z=6|h?Cr}&d^B!$FF9INR_uKdR%#8AAj`64<p#NeYMy&g@|0&a|ovO3jG^eJvUz;1o
zlbPcmthEXp{eJPV9f(#aYfVFDifJ}Zr9$fKgK>?E{Li>sW@UftdUoNfg2W{3PM5Ev
z7Z1<BgP*{b41z{Byx~hqk^to2IDW_FBW%N+4nDobhlDtrN)Tur12rfz<`hIj6Pozs
z^b<@hWzOeT`Cxal(^$H}!i4U@?aAv<G?dPPe?$OxbM@tyDPllwrB&w-X&rOW(>Icq
zbrl%cU2@1aMldpDGq#3Jguypcgbls$b!udX9e`I>RdtM@-KM*okZOue{s{oEskMAQ
zf^SAjn+i!lEt3%O`DT#56NPCQ1m?j!QI?e<CgF|;Y}`oG>8ZX>Xf0Na0(iE^miEfe
zx_l5^cs-O)xcGjauRS=1Qvg`JZz;W@G88TRtx`S(DE;p^X%4&_Q5ibeyW<q**N>b{
z2FumV(ro&J$XIghIP=P?D~Czd(1T`(8iHsG*-tsT_fOy3(Bz7Y(c(y|xiChuCfLIM
z&p~)}J{(XM<{HlU3L%9#w?k(8coK<fp&Aq*NsKZG$+10GSFq<!8%3(In~-MNM5(#n
z^5!LTOV((&`7cqwe(urSBePr3fT<2)_}Ct{kXpc$&s*9ycUEVdz~V(m|KKNt#!&Cp
zX&z1~tJ&NBMfpX3KMsxnow~w3$|Ov719t<LkBR+fj~fSYNj&#aOdeCa!tbVX0p>F^
zVj`d?I<XWOe`t_lLKu5Mwe-aPQP$j&6IS}wrMoBr4?*ZJ8c^AfGxJ)HwljO}PeJ@<
z9$;NqK)h!-@F52(`ruw9F~jlf@e~s<Xvw>ZSj6vc^=0P`WOJ%U)av0;ZWK2EmA0b(
zIi)-P+DV!ObkdHuM~pxj9%lhlUZGb7;G62U-iR|i`s8e8%87Z$Ox%+EbIvyHR|=?$
zTye$d6v-&5IaL%c;P;<_s=+v7Zk*rW&2~{9jJ8Y!TXCB;H|=rKTOMNAP`yXlmd5Un
zP1bU&o#3rO2P8s`Uq5A>rE>r0<Z;p;<<4gK9D&xaE+&lK``W_7ab&dT?ds{7dKEu>
zsdaDel!`IAz@VW2X7CRQ(q#5aj6~~Z%4u4%aP34K_#9eUS$o|4Q;hG8VvuqQKSwX+
zm0GV#8k~4#?ok#p-PZM?jnZOUqT7`T;AUJEsjKd<9-s39OgU%s$lNP*PyRXEm@E5_
zYq!r?&wY02n!lK(AhE$%lhgW-^QtIS*InKn823;9?0-prSE=3hYeGWqB!26zhejDW
zIjMgH;@#^LCU^vZFsYvtcbn`4R7t$vWO0>npEP}Up2d|z+P&cXKm%b6G*sNo=61dv
zsaQ02JUbgvfXQV@)07Qc0<VQ4_wG9Mva^Y7<=Tv9%dxW8Tx_jf^fWMq1m$5VeGxm|
z?$O`vk_Jlx0((A7jBn8_{nVYzv~r7zOWue=<ms;0z8rWLEfSd?-8r%mUynvo^R}lj
zC*T-20Eowqw%PAz(w#qvMkQhQ_AVTloP<eYUI{#;QDyDzo}G`^&YIAq>logpc5|9x
zJ~w8-wW0CBu3r?PZ|0U84`Ab#Rafk-&h4rTcU$1iW<zC`avp@2>L+P4&+Ok~n9CNR
zmDH7MWefZ_u6?sJsPeJU&xsnZljZ;7t7ZtvZ(Hoy-iY+ueS&`(rN<8^?HI%h%Q6`U
zy5`$K_V}D6LGoavEytXR{21~Y>=F%T2>fqWwwNE$t0PevF*~4B`zNKav^Jc7hJ@O(
zgt`geS>9txQT|kvMmRu8+Zn1snK(dRFIT(WYd*V0kL74BMs7kif?0&m#f*yH-vqWs
z!}M{GiQ?<c^YIk<*JGPGd7{^2o407>Cl)1nY~{x^N$eC;{V=a1wPU@h)}H*C51ajW
zA_4sm8Zv(hE8yq!19Di(8ogMgj_^6{?b|0ig1#bbZV*sZphS??XBl9VkuVo<+4^pH
z*Qkw0kOjhnLWJP8_f+mJJg%)?Z##D%PiTUV@xRhp1EH<H1;NtYnYK`T2D$2F*+gF~
zr0&8Z#si0ONTjVWGWyuy^-Ra~Xf1eYn<`@YGHR;x(~TnWAev<{mtGRI92<es1bpoC
zDGhF8E-F|mR!8m|(W5vG)Wc_lF?aGd-T%4MwHw}S^V0Aem9GUxM1S@XfPA3OXE<iA
zP^f+1s<6VsFZ(r6Eh@y0&f%pNm%V2I9}|oPAgOz@mm#UeIUNnED@uir`IECzpR?3g
z8Bq4pSC_Yxmi<}SK-CtywQ}qBv4PT_n~m4rV|m|MGtrBjlleJXi=tHC_Sk6El7*;x
zpt5Te$mbLG+6z{+k1kUFm53DRjNBZ4_5mZ~vy+5VwC_Ex4cZx<F9tW<eb*=<ds~j!
z{{6i?c=glMzO>$a1K`YTC!Q5lQc2}w{?Mr}`ZeD<&^;LQVt#Srr5~Doonqa@E(-L|
zrYLs<#B#y)w(<J>tNSvLnqMc{qh&IF?k7eegAzNn6+*_%^F1h^KGCB~O*k8iFhP}-
zhMI%(lccA1&3aH|Ko1qcDb16(N=5m&QEyk0wfqZBnoXkA5!O{gF8}`J3F-h$K(oJ-
zl33k1qNtzKUDnbs7V@p`;`Cr`O9>-nI1v>~xE1se5YSfr25@Bh4F2)a$*w0o_BQ1A
zp+VfDT;E)-!}O7P$k?*@OK(X`_=>#BkJA?t-ya!^;wr!Yck=k9t!e|EfL>=dK-;sv
zfQfXf-&a9oVsURR-4zm?#7FMm`KhXR4cPdDareufDBJ#m-;~jA6nAVh8iMTu7`i3}
z({;~xq}=_*sy89GA8{6yxI^ZHftTg9OJ-gVL!Agv+S-n+<#3Y1aUqqL&ysi?F@<t!
zhx~J0kyXP^7+KNn#cf~XNR?@ezs{_UzEOY}#kvmueW>~=_=dzbO3icjM*^o=T)w{#
z#Aq$BDKu7-=!lnX^}|CXPj6HtdT*mI$l8?zekUWFobz@hL=WgZc0z6<1;o?YLo|FK
zp&apt_F_F8E>^!iF2w$(V2WBK<$s=Wiypc)5gch4I5RWVby#^yMePUqo1mI7m@zTK
zH8zH>gy&{Kn5<vy>`F4mf_9|oHK%kJG9+cV^vois@VNuT(V@F_28#iJt!1*^%&)YA
zay2KXZBBVK{6}{Ho1Q$P{ikoW=FKsIT<2_H^#1kn6TQDIf7{$1^MZ>i)D4zZ@e-lW
zU_DNJnb|BdCKnwMMTEzG;V43Pb^Z9C0hP~l-x8s~$rX(PJ6yf|tk>E2o?kZSkz4tJ
zU4pKja#~6vdN0H=BqL`KBHHxezd+a)Bpk+yo|d2`m@?d%tTVNNf;7VCfl(wzeExfg
zG)@}7zdL!UnEUjl;%0e8ZgH>iB(KodM&$h#e*f>3X!G{DRaU})_pT?lGc7Med^agg
zAfwR`+b(u&v-ZstTTFy^AAWpBmpv{md=Rp)Q(w}W8ct!kDYn0UP&19|E$-FvY*IW&
zJ((DNsD?d0sAWWdK57ubFYNSOvBxRPm7$hE&1t2KRtojgY`Xd7u5!$@J!L+_|CG)T
z*=&2Z=|5yBAEz%I1{tZb2b9^{Y<QF%H56u^T8<{uG_>-$(Cn8x3n_4Q&r#twyM-^m
zd1wvfjQ71!;b7bzzg=^xD#2X6>YmCbZJcviXLpwyXp3IgY-X%WS?-W)<+htp<~g2n
zGM8hs$nzCAX_U-XGV|zZ#)Sn!UZPs((TKJOGV?%Z%{G_k>66*BW%87=$Azx7(3>h6
zTP~{th>f}OAD*7A&9-JvL@kb6OM%onzL_JN(}7IzIZO22@hLLlHHt8&;}^L|?45Pr
zom>`9=8+xOvR@{>LVv%WlqHJ@rbM?LHDkv?zn4PU0+C+~M1i>*;X50@77vL$jAFXV
zldxAARPKRYOI6T5`+R=)|M~hZIxHh&Fj&A&cqv`Hi*u3SFIb))fq$~@yTyhS=5qV+
z&9>hBCrZjj3OFI-^f(Hfu4@zAno;r9^IP^Ckg_<hC0%JIXpB{oRY$EcR_t`VkQ;4L
z`nmB07lvfRxKWpjlP)c)v*===VS%L&HE*5~>B0N3jh|y!GU2e%CwCzk_ewai*qC+|
zEQ-3L-js!6`4VhNHp3yBnT$J#hgd)}v?*ze<=A-mKn_$J-V}EX*>{vA`;DL)N71j8
z%kLgs3(`BE9?mTT3Qzw&B8c=fyEWewmN+aHRkap`WIJJ{A2;=!s&3LFDilSg;rB`)
zQt$2)=p9%ep#S#dd|p#$dAit1#iCRA{QSmU=nP$1l3`u^K|f5Z$+F0vhv0FcM-A$+
z4U;P3=h41e&Lp}~<$)wk3F`fqMMuE{o5IJ1;4173<43a2`QpGSneB(ukwQ3T`E`=q
zuY#dLmz%d=5ex>``u!EM(?V`$q&QZNBIqMP5@6#$U5(QNk{S(q%xum4=63pqi=gcJ
z63b6-zkT@se969)7owEqUgWvYys3&%<M@JyP{ta|#6}WGBwc6y(jPIW<Mq)xAsu~Z
zGYg{zDct$);2AH()n4Obt;KN4fVBH;ZcW4PD$yupDuRuMEUhkH@yx&~gdseE3a;sU
z_XCX-WYhAYjOloa;wtEuJS$lu)=r%D&6z@&_DKl$?o+(|ge->NN!U`)Q8hzrf*iNs
z-IViU^U7d%ZEvkQqr~8w=hhQ-#iPf4H*wnuPNywGj+2{tusvk;N?6H>EmhzIK?e6N
z%kh*N%LJ=rE5BQCFAPcCJX4v7UP|zd^3;R?YY(W^kveml!|uh(oaDU)h3B#}Rk4oI
zI?8r>{8rw@dNaa2;q}Gf-sv&!J9Z+)=XwwFAm|tOUf3^pWE};*4NA^K1p^ziH4h&Z
zK7S(jHbHtG>`}vpd)(Wxf*1_(I1kVJ-(jE|=9ORFmXy;+SckKloD%KWoGvHz{HBVq
zUJ<Wd?PwE#JwLNx@k6io6@_F-YxgUsL=W`9##Zz1CdWYITo~8mPt(i^o~+vBQ&xcK
z{wilUHM>aC)IZMuFx~ri#Xk7R%}CQ^a|?v(Fsy7CfplaO9dEtHw`A|)*{*;U@mz7G
zGp3W>?ARKVGDJ5bueg%rDOrMv+kqynPj#!WjEl5pNWYz?n9Ctu)&i4Dw(@u+cgTg8
zIEah$CSxi6<>Blp!{W)rq<is@;<LybK&8;gigS+N%B{3fC%$oo<8mUi`TIG+F>dM)
zl;@Hy+qx`&LQ<z>Zmi^*rUVDb(s2RIm(+tNQ3!QAcx;^O-_tn{luqI9&J53yNT6o&
zzDbH-bE3UoWn-gd+Gwa=Md;14wuOV5oAoKTjA&;Qtz=0U^rjK%*>)u^OSjc!oZmDE
zjq|lEaMA$-=^hQ(6};|?rg1eq1k^QtiN&c(15-TVuQGRDbvL;5QWn1h6{+y~P05L$
zDpSkrU(F%i98tnM#MRFB^u*N>zi=R6bhv$E3exy>=*m2LWvNbi8ou$XzX)G+4e^PE
ziw$oXL&?@!G_eQozJw8uYN^4)hQFFoP!9+J$N%oQOOGGh-&-YkIDZToMvB9#H)40p
z4n~VZPu$bE(c1`{DM$R@1-l&$Eu=j4EH;N)ZF_QI8_W1<NLdV~{Nn)TekfhsNn$Yh
z85?EArTDzdBFTSNGF&O4*nB9FaLDNxkd~KKJO8#W8dZ6kiFMnsckVjhcY1}kh?r}+
zJB-ELyGBUaAdmdC^H4sGm%#8L(LsZ*9WR*Lnp^R?_N37~9=3gQ$N+PCd*bm=I3E@y
z;JhQmm2Fv59l8DGldk(;(h|{EzhW7z;sP2=<ye(MvWJ&jI>6WS>MG>X1hna6aiM8@
z`f~0ge$E^<Yg3$f+`87MUKTc35QToS*`joX6y|ih{&f?*uio(s!Rhio+^aOV?tr_1
z|Du9g3>p~xvAzWxyXg8DLy$+|sD|BY>kEJBsVM*>>@D!Ze0O&z<@59C^4u(`5Tfw8
z(ejk&ksmJa>vQ9U{OTy%QhQNAnTzZA&0{N%8%YH88DKgVze>`?Lu}8U8%>bHLN2b}
zOjw;8x4u>SwGxP$o-Ca**rDUm;MH5SF=dAYh*>vRL2<guw~Hr=!?v+76_#{I+HGF}
z-E&EGQM;_pjjI)62Xoq<pno~myO##JH`_6wsz226Rp#MbdlI;+iKu`k)Q+%9^7F6C
zfK^dRRM;@(W7B&g4^ZoGoW`yfHs}KePE=+x_TU84z@gm6?&jKDKpZ}7v5Q~+_TY28
z>4e3=7R$uDy%h|JjE3tlOV9u$Dmwf|2Nk_aBNE7>NjSp1y9DbL!BdhRJuSG&@rqf6
z2%dLWg@*C43ArLylSpwK=vFyd0UI2Is;2HM>o4&;!)cKMYQ?q8ZD(blcI4IAS`zks
zkQ`Di^Gb>YBo9u^t$CCH`+2nM;ZyJW6<8`G4d2|-99KN~mVd#Kub5YB0$Im0`0heV
zCTL?x>FN?G<n$=AUkj5kUF^dnzsKbwYYIwi+hH>+73_Loxlsu(LuyTxc!Tv#e>VLG
z+Y;sayVKq)7Vmzl4{f@bg<3$n75X4~a7_#>iNbu_@kia&l8#+zVf1AR?^$usL0RO8
z!dxB3xFV&fzjL}V^zY@Z-G;<ee_vKr?uAeYnF)-C^jd;d6Hwb+J2a86chVW&@@q(n
z_-(gAsuFOS63Cuy^;J!`X2f3t{#~%~cak4p>I+eXy+^~@v;6Jge=+CLCO2%&X&&!p
zG*qqB@_dzB)tO=c3AK_Q)G7~N3i*Oi6~*OpL434yy|qH0H&ApjcxKG)S+kdXT2)!`
zJ0zR4m1}-zBQGnC`{lz^POi;;K=0jSM2+sc419A%{s67fitBLYV5h(>13(}5b2-(H
zsO1N4o9MrD@pk>a7jn)Y>_ed*oo`})n^p}iV@^~jDMUgJgYcyn-99kEu8*@KLE4Wr
z#xDcxCm4~wIC$R%90Sbuw8)H*M_P4cfQafEKyK3OBi`BJ=5bPH@zY>&FprpkT>qnZ
zoo7{LSQjT&`Y+zLAO3<?2%9^9(EFVF2p-*lf_<Kx{B5Q<RFbv}-LO2q;ffMj69nDn
z>hbzpzd$;Ipw9f?V;NQXNzEaotpYaDtsUckIy`@&q&i`>sV#k78N=2gswZS4JM$hz
zzdslW_TB**@+(S8fv$?>OKSzz>qpUp=%&^<l%K^+B0*z4^H^X0Rf$edZRk(E`;V;3
zZ0J@y;|e39l-?*?I@1ZTODk!{f%Aq;Wy}Fd1$&yto<li2e6{KjubFL?pV)9O&qeNc
zbt)5Ts;M%%%FGL+HMV7-G5Le>p({yC`cl2gth2d}<hXh3VM+LA?zWWb?;JV=4c!wT
zWeiFzKPN}Wy$YW*FJmX*SG3iid@luxO<5I?n##T(R=#6L2O}`6vScOD5b)tQx{O|H
zdc9P7z(Kv(i{8!`S46xyKkpIT4`QCPJwq8zZ6TiT_xBM}x?O5C0SvY6*@bQ0_8t3s
zZ5>TvWia##VJlYwB59OdWYntB#b2<CVB^<E;jKtX<UFCRlQ!-5*~Y~oLHj<E|1arn
zd`0LQal6erxqG7On*1HZt;&-ZQ`v0ikOE#?&dU2n75I*T8)%c#)SkYCc$sU>_q^~$
z9WPBqcw&Ie&85)*(B*y;T0AT!v)=8eWM_w3exun0<b^D(q3l6Wn|5uB5aR~>wlt-~
zD2L<&YH@qeR_nhJ{Bg(VFZ!9UAzOY>XB~z57nChus!=gRX<_y{qHEh(BeqWoz7rgn
zicqI3LU224>Y-|e3i)(>t7BKvrAr4j<4JxqC-fyEGsw@CGu*K2FUpUIRT4nn-wcQ@
z;l%~~80$0J_;Ax87#siUv_|S1M*_^fWBgRas>Au7H(s0;riZz<%NGXrSnD!SgpM1`
zL7)1CD6sQGx92mL*0%QEM7PK1Cuno~!Lr>MIlD+W{&uJo`$KtZ$uQK;xN7N2jwc<d
zETES2^-ChI5khv_8WV#KVg1Kj+ZQX|$^3W6&}S<X1G0UCKlFfzWsdrAceR)*HvdD!
z&$DJq$AjsC`%oVK0(_pRoHXn$L9kf=(B*IyT}b(8-I54>cRMpEH^bG^TJ1j+<J8LK
z<m<5lW~}pLCmSE$-m2jx#9rHpuA@6S*vZ<-%c4B(*1m8Yq9+?yO&We|gdSlN*t~vP
z2C=ZEk<pzCxWZ1eBryK(;&(Ceu%#K=-`QQGTvT;~$pto&Mu5a3hvDbBVmsVA*jXeO
z8Q<ems7b%HxAxsOK6D!2%A>jx(@Wr_M%w#!0*M9)Dg!d0n{JeO+G(TE2mj(gYw73m
z+BEAjqXu>wr-U{WIkMO3tH-XgYP|5N`;v6*Wj5!sy1LZpgd8AcX11kwvjVDG;R}1K
z0v;{6%4z(%iV42Um5YkgLzLUfAWKyQQY(uwsJrmdyJ@4NBuy*+Qa=i603H-H68h5+
z9gST%#{n0xvH%1p`p*uC4d2sH7sEu%8UQz!&#=sL5qxUNY3RMlgWz2pY~5rAVSNt#
z7vm*XMWr>FHci$CaWif<a4@qPf6H&glBE<A4{ZD0=Q6z4fY8LCwmdUB&y|BNEvCB=
zxL|iDNnF(7379$12H5yGparH20_*vNw<jegU0aHG*JH?bkaD*7LAHNYd747vMzrZ`
z?L?3IZ=Vp2{u&-cCNm|W;!;*P+Ea>~X%P^fuo$x;E6JIuT)zKzZNC0~!(6)8%v*<E
zr?6!SZ=vp>=EZe8I{L%lsv3Hph|h3z>vT%8L){Bic@pZB=%G}jboe|O*Ota6L5bZj
zdRR-d<)Ld`^TNX#XyB4U2xB=D8#&y|=qPo@XPU$#(EQ#$UhQ}x0N%}Y%>Z~?cF{+S
zZ9;e?On-zqo&mj~yS2ALoQmtb7ueib?lVFm^yrrBUdb*fzJ6m$lK1tC37!PG{O5RI
zKw%);W5m}d)9guFpTEKG5K4&>yD_$SSl}pBMctisnG-(9vl5mSAoFoBjr6+~?c?B|
zy_Ns0yaV0bR7qF|P?2YgkLbji6WidLlbnP2XV}UYJ<*@L$Fd}-e+AS*4&IOUJBGZi
zml0E+-R0chu=yoEx|F7diNe$hIR+G-KhKNw@Zky&w)hDtnYmiCGZc|fEq70E4Db3|
z6s1PR^$i9WI-eRuOmJ|^Wyb8fZL+Y{60~5{Sb{vX-o(NtrnJt99r*IQGPSbVFvW$t
zHoFW_A&0BD!j;e;l>M8Re+Tx%{Z^r%8y_~k7}z7k)-~;u^{AZ2e|+&!N}V&TIPu?_
zr+ry%Yh{d93We2dnlS}BpuTr4+!Pn;phm4jr2B7U!6c?Z`OP_B649mT7<k)j*#xuM
zv%Yfru=4lMgb>%^jB3x>hy6#JO8ND><J+ThAgUwBPjKMNh*_OYM}c3>etY+*KV6EY
z20Zrpsg4E=kQD!%r~BWF3#Y5{Z;eU_U0HjaN@Ql7&*SPBcd%F~u51JWh5pFB@f?`)
zS`i&U$JB2~j5{@Rqlnf|XHYk{6{cB-_w=^fOK3~gJ;J?g=dfjyb)Q|WB?AIK{Ge{k
zqOk7lZjGVUB6P?(hqh}`u`aX%E^j+(MYHGRFQHA&-RG5F+}+%6p^$r^;&&UN{r&RX
zH=HkY6OWnXPQfEnw|=%;t8QDPMBwh5h2Ls7ql|d^JZ}PMez>Tm@X<m6O<HG2kmjq4
z+i29aU^_WmWB9*GKWsHCVnMn9;Rnm<V*3|_cF-~*!ARA~)V{6u%Ee<M6aG*9>_qwi
z>vt2U`0>QybS~0p5dHTGDdmu)-o~Ncu>g+VOm`n-(YnkZa%29mQc^4=w_5f9?Bt&2
zZ7WSBbfXvprZ(z$+mdijtc(PA%?Tj)pbLKk;B1=xC-!OlJJYI1i1iEYi{Bhs%yxF=
zlbMrqV=s@h6CMz#7chWa7ukyOvK<AE+R$?Iu(HAWL3$K3`IdbM`2@Ox`TZkRM7Zya
zj57&pGAPcFrRfX6%0#biu(Ga#e(P(w`f|gk!UR=j!Pn(s@(s3OFVKu@T5_~K-;$G1
zEg5@fa|y%#5;gSfXf3%`-Rnjr8TJeiXxOrD(1k)$a!(-+ndZUnnxLtpqQVA@4uZi!
zg@#<fu_-9Is02l`d2m8Eykz>w=5%DhMWm<Ykb41K1nXpKNI;+GOBA*&IB|p=U7*%K
zR7UgX=o?XQsTxH|`{P|}eLjL$+etMCTXT}M!ja;6Rn(kEb0T4|G(O`BY{=}ij<dUn
zHm!)?%4L=Kk>uZd9&LlC*njgc(+52-<N6e8lRyjhVTPUlRqT~?aPTc^nCsP7jxNji
zsa2Z<(<;FxTBIQispl)n94@M2Fm3kTH(+(WxnhuyQ*NIMxuKp(vR4-$MH-n*B3l1&
z$NOhWqG%m#DuY%G%=_wwl!TX3$n5{`U4XSLCHvjRj-3DsN#rHQu@I|^wOHphst>@w
zleoF^k#%%yNDQO*p;8RdBWi^g!&V`7?aAIPq?sBw-i10rGEXvSIbtzF{WSM>*KR}M
zo$Lu<4mvK0(pcc1Un(9Dw52#kYZ!^**f3?|k_SdX3-uFxUb?D|YW4WkM8zgQ7qiap
zyiIEzp=PVAle#!5(gA9<kCk^&hsN89wY?cvkY0BCz*kT)a>z61(9E^(<)OQz2)GZI
z{l*(DccEH!CAr(-eK=Mv(8AfNbiAy#wxY0JN^nVUaj1|$L7+8ly0)as$%m%V+ShT$
zhy=gF#)j6oRA^7788ssFtYd4cYk1mxS`j6JC2f)ZV$s=FYo8d+OT&lcg0pawtYq9#
z3bN)CUuzjr;C}~Jn0Z0))@AP2ko(ud7q$M9GJ%nukOz+c?28(mO$Ruw7>Hl}pDLsr
zd}|@Bkm{*0ah~cFAm^TDr2K{pr0zP-miNyCSMO~0K}PbG$zO!PM)Gp8k6||4L);7r
zQjr=rsxMfExBFgxK`hHJqo6F~##R|W^Y>bEOLYl5QTaqZcgF%Le+J4-dJA*{{5yMI
zF^rL{Z*-B<9cN|cH4udqUm+Qy$RM4L7o1BZzCC-r$B|0@Q8&JvhWwJ=;Dn%9D26cT
zW78rlyW@$O-*9KgiZ<MjmX)20m<To?ckW`2Bxl|e{h`o+U27C})}%qi=N?~sIK5>m
zkEOWS!U)y~m4pb8n+<taK_mSW+A=?%wFV|QeLHBYHAZEYd!Z2Y??o}lC^CX6QGWb*
zw6wIO8#3#NNV>st*nLVj^xJX@x|#hR>Ii3mro)u2(e@Jy^kB`>@J=xz3aE$EP$Bx)
z{v9J;DK_p_niHuhLS&#AaVqucxD46?X8V=(-@6AdHq;Ac)Y&7VUd3y)wrYdDm3QZ_
zYdPd5JmC^|rW$7_QS&O1ND<A<v$T4eMP(ET3e@FnBO&!MWR?z!p><7u5t_Xd%dNSX
zEM+EFff4GI9N)M}gSibiX9<(jygo%~$rVboLm;8Y4`%F+LQG8^<%og#EVRlnouUIQ
zsG^3PT&zx!Ae)#ApliI_!=(f5pg^-os!u8hnEzey+V}{P*F?s}_T*`8Vf>j53Ovyu
zeQ`gWZcI`$dRWH)*k))^q!Cb%04L2PDp9;6r&A@0Gl^VK=ngB^VO-^~-_kiF*~;vj
z%EjE^&FXLYY!<?^J+JbOLFVqoHnN;#13>uNhpk4j1ppc@c7r@c)f3>jXtWiCRG=_M
z&cUoPU5J|G4uvLBm+wR*D!n28(9j89ssZN%#@<bGirSZo@|Z>~z_sk%`H>&OQb;q5
zf|qJEjBFSxYJEIEBBwcf$Cn4b{`}2=WyjrOC?+qu?~djCdLEacrW_G?24u22r#Ez1
zW)V@<VK$Za)Gh8|p5pl^1C}q}#4-L~`;09#Z$O{fh=#^Zp1-yoC#fawEQWj1L%sX}
z`}s;fwyTZRQ$w%}kflit^++5xVS(>0Ped)>vC0z04kXGDKr2@kcM`Cr{zSf4ADPHl
zWLuV*fV5(Tu17#yc}zjqdDNBrO~DOhTDI{Q{S$jE{?+UETQT|N%i*4ypo03N>a@pO
z7l!^Hi{eARiw~CL*DO1`nF*kTj4NyO%p?=1@j|4Ci2_(xF+PFIi)tA6T2cb$*7^<M
zFY7%j63q=&0m*`luJlhgkCj*Io4Vj9g9OmIR}6!~D>cqk#$E3!fK2RuQkjgIccwD3
zW{!c49VUKfOo$Ty5qp-3X{uKLANmmcf&R(=*Ys0th;NHs^(c8VGykcAW^V-xX#y^e
zxe?Jj@Y~VC>sl`6X)OWCaNR-<dL?giOvt$m>>l<+U|~ip{`Z^iN&8Yf(<HQZKPk<m
zO+{x)3c2(uQ`BIOSSbZyGDI__mboY%8iNzbS88!}3vMPtUxj|1m^^pkOnaQGv}+!2
zonWG6%`~ND&Nk7wT-87ZjFw*m{+7$h&ZW^iglCh9m|JJtgf5&rm*|#&fhulUNaA5i
z=;D?hEIl(UwNeV{NjE6(Kb`&CH>2bi`Cy`60ApHwhJ`ZLmJwNS?z|<dP7IT7)Fizi
zWYWIvZC(sRx<;A*NN-RTh|G#tTTuRM$nOuh=2S!lA6GGY3<?NwO#S_++htFr7qu)S
zs*ltdkLJ8NGF;^yI~&Ut{wyE9Co`oLAKK*~lz*=I)`c$OIGBLlE@J+5V>-!7Utt)F
zBIv!wSxzastSueGii;ZA866SJaQgZ*HFqL2$2Z*H@hUu9&IdTYuu@fwdYFWJO)-pz
zIHcUEj1&Lej#Uiuxt6MOjWs%{nN=CqmVisx!7Sylu0?7w|4{4+Mm}7X2%aTM_6i2$
zvG5IeRS$e{w<!f^d4D3gh2_`jFqi2e1sff;{&xeOV50Y5OB9#A-w5!p>KkfQzb+gt
z*t}%lyXzzxuapSqG_d`ziw&*<S;wN_o!O8k$=P^nBHKsOr1Ig^ww@Xlj*(7US2HBa
z$LOeS#SYw+t=^%M(xiYQH9QkgQMkprS(IOuQjDF`{EmB-?sD(}1d1Puo>OVf>n|WT
zq<mEmsIxp$zSB!3H_)4+wcs`@<d?fETn`9}Vj)h+g8lG|ru(0*3{g5Zz6yBWlJ6LS
z3<nMRd0~UDG5Cr6l(>1hD6Fqnu)jzO6$s?MuD8CJLmsAX#!7P81-*LWjG0%2g+rxQ
zL}{{PHS^>ol{octQjPG;99qt!e)h7d5B>oTd$n2$;DJF=niw)?Mxqq`8qHk@F7q!M
zVr<lTcim|ji$=`_rpi&e|L|##Rv_ul+S|$#3X^w}f(W3TUFl{e)51?(xW?PpaOob>
zB!$3`XGRPai0L{%@L!U}<i^loD=YJ`?PoJ9+r*%cZ$O9|26pcF1<b7E!(teM2ii-S
ze|^p`#!rgQ5*XV>vgDH*{bo%Jj1j3ml+HE5;M^L0QS7Y^T$&9qd>abfHN~VWBy|dZ
z9eKvcp1MFVjGK2b81V7uZzUGDF*=duu>f)YrtnHGxo>`$wMa<PH`9he7zh*Sg;|Yi
z<*i!FWX^AGMg`J7RiKBLI~lxE+yKhJdT0|<I25vey|@R#J+qF`PT4x{u$sdq8f(<l
zSrO_v399FPcv|qOVQfus)t#sR9HddiXnsAq*kr%t^>i)JG^b=c_)?cWBSml1Kne*z
z1C0h2cO2~y7oh!m<tY%MxAjJJ<$+O@hAV?H1Xlu;_W%9y$5NFg5Y+R;Cq2`>U`X>c
z@xqYsr1tC6nl=h+?zdjU>35O_)aEzW!%P)Py~(aByNZAQ3{p*8zQYrr?Wn~PX^qVL
z!hV4q7+~-l_h$N==u8x1hv@Nod%Q|IS5|>f%)M!y!Ip4VDa74aV1U`r#RLg4T6M#x
zMZ|^{+wV{F?8as<0ixqX+s*lw+17(REv}XJuxaB^Jav|ItiajX@6pQ-0ukhK)o}us
zXLk+HRM5k9sq;@aR=jZ5{5-7)SE4Q)SI92(C4F@WZ*UQ_#y^E!Gljk>rSGz<4}{t@
zAb_5l(21y~xqAj77;8%w&$grld(wvSa>HiAj>;FV^%|`4l}24$SS4_DLX`ivD8P?}
zVlB|ExTEWz<lxft?rQI|B3FE{kbL0$Fvp*>gR=9q$H1t(yWbtr3#Ose;`1J_K#N!F
z`|z{Eo`4Mh;I(7R$KM^{lh@f6Gn2zhGuT~EHy@7aRbetDBeUdBkCW^+q(LZ71mM-Y
z_9$|E5)`t{$!4+Up0u-~f%bZA|E>eGIi~=L(xS_ydTgzuWlozAqbYimqu&wFx^+H3
zjkIN71J%G<OTs?a6GK!XN_{$t_o<w_TC?1MxBS!<mXuf%Fo?lb4*;%leXZBdRjEvP
z497*hS)J}D2&YQ?Iy?(q0^%@ih(8Ub<v9Lapf;NP<*N~CxTjmWMOH|9&oxa^kE_G!
z6|U-pJ)dz9c>f=m!TtOebZeZ3f+`aE)Wp7vu=BywZ@Mo&?_P^Za^J@@U~bU2b?7=T
zQyPnirHDR~eKU#>@yV?S84)Fa^T8Sgy1((%I6#N+2LBd#ZLdn+eY%dn2^BKcBXp|Y
zJ7>!{^>xLxs|Unv3tnq{{gXx#|MrG@gv?ik?kt6Vw>itQ<le_;ZqPeNf2(n`hmEet
zZc~!tX0X0CiabBOqJU3g&1HY>Y(qZMW3T*mp}Z@bFnBkb$lu{c%uglqt+ZuC|Gf)`
zMEo=Anh9@Qn68p)J=Nyq@D60DcQ!vH%7a97SzN_w4cAdSg51&_LO(rmd{vfF^|UKe
z25aGrPa)V5MkyKdZT&K|n6UtM9^FTz{YPzp(tMM^aa3Nsx!qkj`EbVAHPwCjbW-pR
z{^@2fG^><01m6_oqd^4f5I&-b^(`6yBmh@@T0#h$k>0Y~R`m6m8WftSvcz_?76Kg!
zelOa5y6dO1bz6LwFo^JIe_Pa@jF`Z5KIVnfy&`5NQoo$XNo&040F&AHP%DUyNPYS)
zIY|=)IoE@%FN7BKgfnU4L{z<IxDZ99MTcw+$6sBS&=n2oelPgnvj8F;f-Y{xo`chC
z-U0dX+DwLWv}cYZ4}<yP%xBBl<cyFlDEFXYfPr|0A*CawR4ljZ#Mot^?{&Vv7CI!G
zBvAAf+a+{S5ih*UZ7w-$DMSz?2kY@l{RdbsuGHBArMki$$Kh&!gcW@gPUZjf50D5B
zyno;#5Z~dx-))H1q7WDxTKsl4yn_31-T~#CR!$Z{d0g5pMHTTaAh~T?XyLWh-wy8@
zfHJ)mMmw(&KQ>j}_VM(X>pk^&7GnpCjm!J)q9ZK1*|T){K_~5(*lLa~Q?O*o(4a{e
z!{xbns<cO;FvV)l63`jO5(+`h05Z12!|q=vs5vUHjN9eD0Qp+RCSRN%Hej)Yi2Aes
zh#(i&S#_he0UC`rbK`f}TR3X7bZoH;QdbBQW3`IVoG!v~gWy~}_S&F4zcl`>7Lx-0
zEw04+!w!P~pPNZiaB9cr<qlj$3&J=5U=>;{#E4{=lTAwm&eMI$Atp3()Z1-Yf(b1L
zR-TMIGnj`%FA`@lr#t_ZeWn|shgEE#EBxA<#lc1NCKn&vW*rfrAA<5mm{nQ$#)-c{
z2(qb)M&xy}+4VyJY{#PmwLWkpdV`1q(8=^y4}5|UVzB??@-mqzUD0ZeTb<tCO>aKx
zN(3M0NumTzZRFeh_@gcCLRSK?#9IHA{8D~EzW}&xKi;Cni(+<MCI}@+tx%)CQIrMO
z^Tl<jBIaBQr$lqBV&demJeM>+@^4*w8v}~<lK8Re>_Ux@E}iQ0k&-))9H|rRPt0fQ
zXm1hzNg0ShV;~s4v@xJ8+%L{o|Dyq5-DS1+T|mrzn6vpCj*M=%n9(T2okP%jB5Jy|
z{&w|Ye>@ha>32?(QD<D?mL^D{@j!8wvYCVSewH$?<sDN%Tkybk3A)hrEr274QEnVZ
z$RyT+lkra{d~Rl^|BgBvm~O|JvW<04FPFoYHc~<H6<fq2vJm<+Mxz|p>;Zg`r_bu(
z`&Yvy;U>p+q@@z4+Dz^q-y8~)qi^2B%I&VxLa3CzSrw{S=FmZ#U&8}gy`K)Yl9Ec#
zPhjCY-|1}j7i@n$l0QD)<^pp`1m0xs@ojZI#QY~A_^$Ax)9kGvg;#z3hJb&oP}=fB
z>AWc4fQ&mq&EX{RYnrEr%`(Xt#=&HoXFzf45Z`<-ZjU_Ekcse6_miFb3y=bXrw>dj
ziz$mhx?Kpg9za2S5?XrxQ4N|^iia$w+|Hs0eII+QHYJC6I?;Z!0t_71vYOrM5!L}E
zHsw=}r6z9^0=Wgu%fM@86uizv8EyWY?a^O^t$0En{T6$jUJVc5djln5_>)+A?$>|K
z^7-WSuVP3jZEv}4=+(6=#<jD25pZ>KL&62E8dI#NsXPpo))g{KoSHNmZIy(1;3I!W
zxcE+Mq^J<YedYxHfe8BZr|i~{DItExW`(&Yc_KSll;)pchz8-Ku=*dG2=tePQ6avG
zCikAQCjbLnE)^Rfd>Ng7v}l2_-jW17bOu8%1W$6Afc9#A(YMPPsfZX~wQL|QNEX!7
zbb0LrkDHR0s7PN|L@-A0=-%Im7xtO*p}6t%Dc@}Da)G90FXmuc{EjUUrbYKPplV$A
znf71l31(t6$`gtp4?=mfKBkLOaDYhtBAYyy5Y-o_M!8XSgGMY}j%CRX|IX9T^z@Ls
zUN#4*iorD#Iq*77^pE!p1vpiT3IzO5l8P&GasEF!=zdo*WA!&v(~bDyRO8sMK~{u{
zqZzUNMF(vb#7;-QJ>@?T{{s@+N5v2jM0#TpVxm8OPqms=)FNH_Nn)K^XzoxL<$4ez
zJS5LlhmI782VV3f9d|lfm-4DeYv+Uw4Mkoc1`U59#PP!kKPFva{}M&cs;01ctcwz`
zjK!1AJ8V11$P^WQzuD+dyta_~7!*FgYbZRRVo1@1dxO8GpSDRQ!g6+37)vcKX0q}b
zXb2RRp!pKY7)!-JUgD)WL=rUEq9qrOE^+hTzfnf`(?b052Cs4?AvY!f?_yOUs;IF_
zJk3t$;fL$33u;2l-o>G-C?MsAE7FVUtjbf|3W%#JW064mMa(Kn@ox7&;I&neinpTE
zaIs1_694%p5gLofBFgP6`kD!W*<oS0J>nBSxV0EGAg52#0>>|Jn$645?F{ha3&<So
zlnJ{VE<JF;Mz3tM$(zPM^`r?{4J+r+zEnFrKEM!?92Kq;0{`jrGl@=)dRD`0%SLkz
zg{IS9iXOSemYyFL#^#A#y^zLI4|zN+4F2XDiQ{nvd;T7M<XvI%gKmd=OrC;70R5T3
zD3uk$5lYrGhQ$c-0AH`629tbhWU4|{<yg1et-Ua1EEc5Ap8lOWd{%>j@Dcjqn=+>v
zE>og6bksS#68zC;Nx?6kt6pE<r->1d+<8_AIFo>VRnSD(C7AvJeSix<XA{3TLvWR0
zGW;0OImHzru<uUde*E6e4Yy5pEFzBM)x}~FQ@<ws$KhdZ1OQ6`yFme);kl#K3Ft50
zp)Fv<KP8mp;Z{0PS+6@-H#6Al^W*D-;qveZ*FW$p`4{4T-Zt#neA4?hal+~2X*XL<
zx^TI^iwq8o>*@O1VHNu}IfL(GK2@ZhS|2?6)9EhjIUig691J>8azjqba$|turcL-A
zHO8uLY{FZ(VPQL`hpD9-G^q`VxSb>dV52;@^9_edW*e#eL(En&2eZ!cbH!j>GldPN
zU*=};4BA*<_IcaU7Y48YG4M|{)D@s<c}asywLkY;Np82Kw)v*qhU>x6r6!vtm2tsp
zdm-k0m?9m*(CFhtiS^Q=twtjn8v&27>^83Dv3e({1}Rgp-`ub+mo%a0+)de}c6W9_
zk#wwPFyN_(wd3^DIkaw$e=qp&s`EqWvHd!Dr1v?o(_qZYkL*I$A;DTdRhLgB|28~H
zz$zBG;)ZA$Qf|c--v!0ZZM~td6A?JkY9{HtzQ3Ihd0SktMMzIRBG~;Wp)E3Kp2^;~
zg_2hWirmGT)y*muduK@tkmRP^3ZO#P6f_f4`<W~jfTbc|d-1P6m*tbjN05PAmF0$p
zU0C(FhIP=W9S%g0kJSe;oj)!gw;}eJ2+t`KqCn_1Bu4w4qJ$MK<tV&8%?41S@9EGK
z5)_+^w^68!C|^Jdy!g;XvfT-oApPun#(53rBYXY@r3j_>K7P|ffZaYdwu6P8Qe+f;
z?>5XKFWTE(KeRfM?s^AD^}|s^?+`n-f)w~Ca3bM`QdP$#mzucPFl-d7_m}<AUo%#(
zOv&ivl)}2VV?%>ZMpa>d61b$Haq^q4i~7ro&v3Md7aL85W#t=ye}Ei3Qdl4WC60{+
z^^vmwf21z)n3NE(yp&D;#fj<92z~(}@|TG6FM?ozaULrxgd{2G>Z8VSWlM&#lK66E
zUN2u}2}?Ga!YUKgy6ROS#ESk62K>MfsXoX_tg%+g(ME|y8$0CI8O#o2BG?E9_$?0s
zxv+-6NxG}si@51)(IguMinu_FkWxw5h?~BA1U(9*|C+&9W%EiNh59s{^j%ik7T^sO
zu0Q<QT!(W{^hx`+xM#;oQrE=I);r<7`6BS9hDd*f?q%vvfFs0Dfw-cM9^ke-2Qe7i
zlPma)3-)(QcOwCRl)(IQl}f4|uGlO~=y?|M0Z-^3ll-(HXIq$jy5R>2afna8)A9)W
zVOj-R2j;qkIR9uIS0B$C-`msAZUE(edd-awTj5+ib;oU8KAW;o8TS0M0nOh)={(aM
zMPBC~!>(=n#|COM@b;VE1}?Y>YSVJ*XjM0|36DTzw4w08|MMQNy%0CzuS^Nw{1E`?
zUw(h%@M{G5Zx4Hg8AGYq*reWFZ`7zGJ?Y}FvZ+V{c1&7-iy~pXdDjvfe?0~ZYyI8m
zZqtHFH29!97@kPFjk{!iC++X*bbqPG10dd*<5V&wOL0%9g5iQkzq<CzA49r-nwie8
zPtb_uyWf=<2h29E(c_<Fug5=qL(HS%fXV3k)~3j!h#4Ij-#uAn#QNem#(+$9$$iw;
zFK8smZ?)>Aau$XG1Ll8w5#uFE%UgT!Tc^t9&(C!@^Y`wmbM>MhoZ+6u^Cb@0X+3FH
zOnAy|X#NeO=%pThz}$}|Rg~tN!R(Y{t+u+HGDQK}j`|~^Q)kFOhd5y(+$4s<BDEoP
z>nUFAuE!wsl68V|nWV^*BdaA*#+>IXr;UMd6ghOiAk7-mf8n8`up`wf;;?be<@aOr
z21vs;Il?Jfj^1xbgQfpJJbw*fotB30Gazu{sQW&Zoif;TOy$t#aVW<MXh<&x8kR;#
zQqLEQEYgXEbS+=X=@73-fJnm0zA)EDp=G^pK0i8sy*siiT^ZGTSSn!^T?zpTKVaKR
zobTAGMPd4_%{nB>A&Qzq5&E89!}lPbCw-KoKI^6|FDILvE5q#+&a5!Vv8K8%@A^fK
zBy_1en)eb~mO~EMfLZ8pnQ`Gycx@ybtN-`pV&N98hEkI(tiP^cKpu_@Sk>Xd1VDk;
zH%ns&onuuz#waDZ4t~p-U6236g-Lv!kNg7=UZR?;!n<8XUthZuOvt&Cjn_kGKiA&7
zKX9B>UBFcdyAXgu>xbNuY}nbGB^o$#7~N}F$2^jEqepIWd5%BN)oTnCXB1&!jjso^
zA71pCXrTr<6iZ?0|0MW4kaDy|>~K%O50Q*k>(<L1OuboOhdagQMFl4U*ckUw`#c{7
zh0AB>hT>_9iDOgdkUJC|SU2DW0~77s{dIyE!ip{0A#^M>=B>6~m;_4+xf!DyM>u>O
z$61kz<-LGfOU3#`m*&@C^mxa`R`he)Fy!O>J9>P2dcW;j*O!Nb4I6?y@1YVWLf(;M
zQACQvz1cP3urs79;`AX~l(*`1fbMSbi7m%-H%5}{t$%X?SlN|JLc7jT5A)0DUG6~E
z3?Crd%E`g(15o}tbef(a2=v~L1Ux;-HK?+%LLyUID`+rnwY6RsiIaayH1XqQDk=g+
zQ*7zRrXFOoza%{0O)&S+Azq|;E$?6rv@8|NCJLC9ctG-9QR2tSXhVAB=K*n8s}piL
zLxj-x>_9Q1cgXXqU^0Qf=sh4?({=9+i8?WCL&!hp0+BO)TwAA#qY3=a8P$$N3Z&*3
zneIuFjvr7-)tw<j1c?hokXx=G<uD9fR|6%$2w278sry5>)}nYJGOU7~LmOJUvEJor
z1}kT;2c$w=z37ZnV(=~TMnjfPC<@@tW$l-7im{ckPR(IqE@d~sI9KwRkXJLMyZRp}
zfrff10?O)&Q^BFP6;W%w@AD2Q^2f8q^Zr(5(q4Tk57=^{F~lA~w}Ff{rsj#mjBxaa
zyZ@9wP8rJ*Qm_rbF%57S+SpWca6qCWVNxJR(W#u9yAgbyML+!GE%(2&lpiy~fC<|D
z#4jq){WLXb+#9XU+R7~&l=ZbT9(%-ghAi=!7K9${fi7yqeHRE+9zg0tMey~hmcmN2
zoEnp0v}yT6XB>@#)6bGSd~&YN_m-9;nmm=!h0s&_DeRaGgZAukIf5J;QH5;?$^^{>
z!-gzLAoT3f<i9<uM(EWa?c=T5-CbdFv}Z<7lyx}>AY~u2F9JQM%7`kTg}??<u>z{+
z>J?xy@gKrqK3G`ruWzU#d>bmL9a9s1gOL}H7ofnE4Mb2zWUn(W_{$H`SJD4kDWOGJ
z_dzKE?7s}Zn}<z@n8Vhu8B+R@3n4T<&X0MO(i=t_QgxAhx$efG-_l|rAVG%`_Q_)&
z7AnARW_L(#gY>q=yHw$|7$Qc1K@<xIsxNvZU`PV$>Qo&$GNw%Z^#anrF@K+cPw0?4
zG)G!c1yE!u#M$_VRBTU@XTcyR$#8G8x1b~2)APWYGy$+H<i^oB7eJte5LnB0S!eUG
zNf=C#ZP@mD;H3?yNBEbafJk(JLD}B#Bt~pZP@E7N@bGVk;=TbG>HdibB-aO0Ymv6V
z`v*w7#J1lO>zY*s0`9y>ym#`8YRogond|jQvWrClFolq0OzHWS<$XrC=xIwdxqQTo
z(IIgwp?8ar-3C;kKAL>z1S8xM>Q&mNWw-Z<@j5iA6uKH3Xh;JxVzptu9wd>4Y;8`C
zHL7ubY93QyL5K89H{9+{3xJn5OQr>CQ#+mkZUPGLI|UqgV01rmDmF~Uz}uneK1pKz
z_*PL0i(t?^@8S0$ZeZtoN@if@Ewcv|8gBn^_nEdjWMe(U>0-*Jppjs{9<{6cfb-8x
z^Az+|dzi!5s|onjrFZ-w9~`-L`HtBU+ceV30D~5fFj7dr`GKQUY#yb5LXA``=EFIK
zN<oJC+;9qKXmhI;qKX6H=J#+xT|7Jr*p`pG9ViGsPtQS@Ur>ivki>;iWs8~rD6UPF
zZIBKU-BB6k9roFdxDX(EdhAlwm}mc$hTFHr0EOldq=j?%wg9y%BW6vl06S1+Nyql2
zh4v5bP{_b<7B&pK=asS276J?aIEeYc<(+;gpM{%cFWs78@W;DD`jha1RJiRGC+<KQ
zQY?2J$o^B5Mt7SY<zH)^+v2#^Qdmsap$Ffb4lrA}|0cfz6qZm;B~YL{{$@j(02-3~
z{?;LPe|>N%9*X})SM8OXr`kFYPMdC6-n4Ro)|t|zAEhT&$`V2aPF^ZkhcjG4y?*pP
zyx-Kw^amUb$NZ{4@o$&(T+Folr2&<Nyz|>2XPcHm6_)G4@b(~0c!VU8W~0ucG!~0A
z-rg=g!IiRjH1$)1c(fy@tI80D6c&m0FhoC^9D9NTUBrN*`E21W99LpJ1rJP7{h$ya
zDK0E!Q6!C-s)!?p3L;g>>h}7VJcj@IJ!%NQ`7JTl7D0YG(e_DAASIyLlzMN4u-l(Z
z$1-Vhc=j#E1VMW#-rX0csvqODNN02G7nH<JYneNZBXmy^DaB9w>rOn%SlU5*ccroS
zy>M0=siJBkeUC_7*ghr{s?jk}c8=5e)gv;wO<?qs41#~VTjZviGT_!E0R_LqPm6<v
zfzIv*s-ltpE=vBfHr@{Sg;+8qZp;E8TSw4t7;t%jsurJ#Mvj>Amplg<<S|3~i)#9T
zR|`duJ5DtG`nI7<C`v=n4oZ{~6QSjCP5<W(kgws_fb8~Rl}>R@SlEbj7r^LSbDTB<
zLE+KCg#8DI*ZtO8m0ZY1c~$^*P@In9&lSDc9E~97tTUuU9cHd}Am3=A6iz9AaXlCu
zT)N?dKR@gsy$?DY7l2TloUUZF+wSB6NkbkkmjH~;LuY(AD1M}XSZp=E5*EgU%o(qj
z&ZT{0cK`>ewrKhPxxt6@_m)A;b3-4<p3;cH26VO9Ur<qwf3VOgpa+d?@i|Zprwa~9
zkpZJ$=b0FjZt(JPP?(`KZNKEdZ11lJ@=iWij#(AJ%D%0AzSaT6|4N}Kw~v2!k^XGb
zXf(vCZ@F9L#3Ig?ZP3{Ol)gJ~N&92ML@Jh=BDHpHzo<L9^n79@Et0%s1*uyQU8E*%
z$&-AHyY>&hAv)yp!;j69z`q$;$}3>kDDx3`r2tq@t^h=R@^gajQk2m~<VOy<1PGu6
z_Ea|Cj^=1`M<CG>B42POs7YJ5`Tg#8{gbSC>miH={SkNGyYT`sSrvNEJM^KeVZ2Mo
znhhxT<7#%>b#zC&Qvfm0sgGElb8EZ9?X+{)p*vLq1FRD~84G#RsaC_NKL1>0zKxe?
zGNrZzK)SX7^nFr`&?t8%$Ju*4Fo+Nqriht(Kytgvs8+rYcRE_b?c<25zy(tf-v%*3
z{os8wR$+T}oyP02K<PuGJeVl=7OpK%3>k*XHl~xH{-3kSsZWmALZQY0$b{mwhwa%@
zZGD|?c1N988D+jnDLmYK6KiLA=W(-I4X?C)du<{-6fWG}^9-ni{j%7?$S%S<kVP5`
zN==ZENrHw6E87QbJ7?z~`rnpz%q7_7orceORyh#U#y(pX!KQ2%O)lke-T%#OLH2KJ
zPN;?+bX0)3b&G%9zpIP|@~n^srfneH@zVKGI2`B^TObe--;#*R(Pq=t3Ry?YIDEvp
z{vBFHSU%7uo|!KW=<j9y%_>l0z{iYm?M<xE7d@7x{Q^kTS|yS^Ku83G7O6T;@8*(w
zz{cEo8>m0y_`w)P8*NvsXQaBMI7ay1?^xpCM<*xaLI@!KCt*63KSjy@4)bbQs~HE>
zA$0IQXHWSgn*Z)}W`YZs)!)MjmabEQ(>$RywW}BH!jB_aaSxl10{Ws$BsM!Fs$z?;
zOC&C*P4tUEU|?1S{iSF~Q24nkHi}=|KW#z^P0(Lc*~JYTQnWB!CXs<Vu}G-UQv)y!
z5D)+(1<nuKUk<y7=qbzujn&_bn+O^w2MDu2bPH-v^zA%8Ld(+Tu}5yV+&{9TpPl!f
z6oWoX#SY``Vu#MxC?}VmR|Nm+CHxA^3t35+B1t6F=FcHrC8<Z>N>AHY6$$F_W28K)
zuyi3Q1w+barzer2p59|KfNEt!@q!J6B#rXgqRHp)gdc${*2YzR`7^B~K~r_V(Ud_C
z?&MsR-2nZy&v$=U8U4*JXd?c%qpm^_kTo+n>YQUo_4d*QS``1aPKbgJ>H-6(<qt73
zYH#6sg#Pt%o>c;8PIHRq!z&={Z*M(;eE9xL&+)GTA$`ESG0s^eoH_@{tV0htZnebu
z(=JZ?wJN2td~W$c22|!ZmjZns9JsvvtE6L%DUd=X;7)k$qaNoUjZ)VratCdX1#UdW
z2c|c><miE+lIBr|kqWy?8c;SjsP{|5t;`z7S3*c1mi^uES!3?|I2R2L`tB#<>1}bo
zy3yMF*lNUHLQ9++CXvnmo4L7E%$T%?udGqF4iJs0jwv~{g<c)?ANQ2iibOx#{>tMn
z;4<~>Kg%d)pLzh19yB?4dTcmmw+ZPQ@ZuVzzLqR8w(b^mFyl5{-}SP~149h3IX`+7
zGi^P6DLwDf*<P~5`GTrTu|Bi)qwOn7vN~WLQ47la5}tM&3V_%+C3mMQ5MlT-YJ}1G
zo5<E0kdJFFr=Mo}ac87|!So}^(Zs}KvfF5@<Ca>ERk;7|b_40W#KV64Cw`4N@om5=
zR%L=N@OHb<kh&ei7j*;DrGWB8G?s1<in~n@#oCg5vqmZSM&U6*U~A$v_3VQCi;M*k
zY;5bRe5utSEl8mAh#i|I#0kIs-}B3gc+`RnFtR`Y7mMxtTzs(Da{C~2r=Yc&fZ@8!
znlxOs+v#cQEu5LIh++Umz4inM3I;d<%S(!tKDr@51pLL@#Cd_ReyAErF3ALu6a@PR
z^kxJ=_szW=P1`9fVs$P`g6}tHBky5L0$_uJ1fZ!~d~yX+bh?Ec%o>e^2g5t3M{d^)
z+qg#Qo}eFMN85zd*6I|MlA&(PVzE38qf{RFQbBv$hpO{h%2@pTN-uy>suYxozETvA
z)(^kdb`2B3u96s?t;_5@YHw9c{2I>1_#C@l4fO*w@WA(g;SK&jr}t6rO(c053fZGC
zsp%npf$MUgRZ~wakYPzWI9G5_Ct^xXJkmONMr=`ndRnB#mT~GD{+M>ANq>cb_*EPd
z)aGS5eElg*wrfB5-y=e{#=c>o*F;lAT5hLGcSTy>T?!10(k*tdN^>rpaK$20G?+GK
zdq8a{tV_cBe_lafjLec#Q{*lwE|a9mlzLL=N`D+lEHxouHNqEnTYiW4JeOFJBDyax
z`RfNa<Lm~W>`~wWU}ebAl!SWpwL3H|o7w^tc)u4p>j#}yL;yW(5EdNt-Elm7!-iI8
zP?h6tpeOWvWROSVpMrExKNip;_8m|m=u9&ZY-TW4^C&h0m3XHeu@iJ_t`cwKeSB~t
z@W5hXG2Hc+$fS@h#kJ%4GX*%Qa3uNZcpDH2l|z62ZHtXoGRW3-d(aih5dcO2<7Ojt
zp89Yrqwx|*pb_zg;@UfSi<r$uleoKcive|WtwGiK`S?i#4`(EhP%GY8E|WAr)HS|<
z>1<ygOGq!2nfMS7=Md(fmg<3?0vq{@Pjm=Ep-i!IR5Xwb#NrXsat7OAq#$r`FHm
z+Y3L`6~Qc?Td02qz8A?f;WGyNkL<Ro^pjmsC{K(7rf5p5iorGaUnguHSdeh(ZCa88
zvecj?kgXIWxqudGU7t5V%sGI@e1myK8pY)~6M=z5rW_aSVM%ET=|@HH_VscnwtwuP
z)>$E`Q5n5h<QzzU%{&~mQZ_Y0xBQz)`GHOwAk>Ub5gU^_y{%pA4@CA+>C7mQa&{Y?
zv`6oR(~D{hNdH@q;IRd&Z)E%538M{Z`<=#gHKxBp0w{#+Yo$HKNG(T=|2+#(p=z?s
z*c?w^apP2$H`w1pMQxEy{xF4EumFQ33kj>%_kUYH>=Kxn_aj$E;El#XIVR0N-7xY1
zVNv+JK?+IwD_B6I{N(&+X8+U4g7k?_?a<%KaNGDO^s+=2nCQr!yUP#p5Y}jN&XZ_B
zt(Gr`N!tX#%1h~7^Ec}>i|P0G4-W5RN4?b#yJ}mxfJ!ZFJdTnXAmy@SPrjpP3IeH0
z4B7{LJomNsFs5j%)v1Pxr|bAA^R1BlzHeurSX?GytQ(jugRbT2C=RN$mEnW$2u9N?
zWUfPTdv;7PjHxtL;-Yb9sK>bVD=T3`=JM-x=tPT<bAfEV8rzVlUeCA#(*;sA3yVBi
z^=+@!n{0qZ1XLaBUP87?llCnurLZc@wz>OPW=L~g3BZMfa`bDhO9d$*IyG6R@&D9n
zx7x^_X~nS#75D2wTY`dZT$B$|fGQAFy!l*R1&AiX_E;T2d15Wmd;vmI0ACJmk(!M>
zWYF2CSwhR`{T=d{<`#fK%S$c`jw1H#K*E+Dk?MCAPr3x`Ou7s<tOXj|2)>VaY3EC{
zDzb}`E#|CmA5Ko(JnBaCVZq?mT%o7(%UCaUs^(*_nL>L8^PO!#PKRBd6v`>3CN9Q=
z5;2|2%c$tVbt`@*7Ag01j;_Xp)!4^fR``VDSM5F&=?izSsomhOyG~VTLJZ*o2j(pS
zxiqd$#uV=OBA73~ZmuJ*P|-T~++`ztt}?5&vwZm<=zsbGyblG%2fQy|hxba*WVmp_
z2HE6}ar%F!`qC<Xw2kj1ahT`j6Uhq6OSSLP5v|jTy8v3RS{su<$5N5xNw?GF{Vram
zn<ZLD0Q_1+>`a<;HoQcd^ICtFI_0?Gd0zhP47M_}pnk4ydp&6FQST(X`m;+FCKHw=
zOK$^saGYQk;*mzTIVlBEtYRSDwr~}@DDC|P!$FrP)mYUE$!^;VNP+)ci%@P%>6Ft-
zfij|s!m_x^y8Ht3bF}=BsQX?dc|xEOhjWmwCkPldw!OCaJ>c?9U7=|a<Us9s5~UDC
zSa{M$E9?K6HoEykL8el%S&swX{Qi3Dv`3_^h3`Q10qe2!_~Wqahm`ojMBT9zG&<S&
zAiG5baCGpuaMY=&XUjOruX}cZ(T<)KiNDQ#W~QHiZ4y>S47O8FwukidwYQ2_yisK>
zZgMj=NRf)26>{`-x9lX$C2TpWAT26(kz;Z4|Fp4dZI`3DXSMa{^>K&Q0~ZX>xZffh
zn%R}B#o%y{wZvebKa!cM!hJJjGquXBajEntIoDpG9uG|QTpcwZDOD)09W6w4GrQ_u
z0zD|$J*NGUlmq2@P@aEqW#-2>2y`-zCyQ%C5#h6LslZ_&NcGPGCrpOaGs2g;;9!}R
z6&;~r1{7VC)&9@D|BGws)Td}XaPdgWtY5xVEYV50y6uNl7K!eIB}4oyU7tV6P~&AW
z74A%Z;uUYG?~}-&XO|tJy%5mDC%H^I)$?<G7bE>zb=l2PY~f_ZzZjn<wSr%kM~oiE
z^E6!Q0@AVJWy8VF53tl2w{bPOkHL3kEdA?2U9K5em^bmeYo?;8yt_a9<l;rk+=9!}
zu~V)=8AbPfs6<-}h=Q5zv@xm>z(q<(2MEkqmUVa6KWn_~rdC>)4}t`zJ5A5jPY|s5
zLActy)HXk-0GSx*#1jTj&s^9JvrUX8Mo8CP_oreiT$kM`SBK-@0#?JIWYXlp?}pQt
zkC?~2140uyu&PD*!beOLXz0J{Vy+1C0zhKd+PCFo5g+OOHfFlfXuLf+>qW`XO1-Gj
z(S_45+nWW`73M|P8C>h_E&un+B)@F~c%pq#AZD+OO$7{f%(|+hs6MfT#VN-QPhlqA
zemQ>x5KaBA?t9h>NvQgkZY!5vf}&c~rY<kXgD8uW`=^axTc{GK?W)l9jT0|SWAqry
zv6E;Q4lyMQ#Y!!&g8NMkuI1so2}ixCEZr?$E1_Ry#H@GyWJsC9U}c{y$C=$OW~tam
zq$-9USg#+D{yViQ>55GG^EaUaZc&j!KN&o!CU9@5kU|=lDOBk`wsyB&&)c#<wye3O
zg|X@kW<Baj5w@*ME$l7%2<x#252_df31PTj{^b#w^bx<xz-viTv!*Yzx<p?d>T&H+
zhrL$X9ZS$n^ZxdSJKLo7`wRMdZ|e|-OXzi_5O(F1N;sK=>vm#e!6r?=XVZXHTLU_g
zOoSJOGEXMQ<aSOgJCPAr>XF5@G>iXtcMF%5`=AHi?5k-Y?ROI9QOll*9uQ`@E#=W*
zi;Sj@t&muvkX;xIQtrGda2bri2`!ys&>)4FZJxkADU>$;(gfg2MrKH@3EwZ`dRdI0
z?O2Dn<G;_DUo+nK`ML?h3H~NiYK0GO0DZ}@cQSTW7r`z@eTHWIeP}_FL+ny^CiWh-
zdoKb<{JQo2qkH)>qnm^h|4en<d52RPJf|SZVVR8c+EPw}I%v;?J42uTHU#%;BB*{4
z-6gs``oAb@71B^#YVU=gcyr^47nFft9Z7K2P=~8m{_21j9GL6DNl86EK2Y!v(sg_N
z2FhdA*7KpMcAWfezPK9f-ONJ<bM>QV+*R8`4gj!tX<oGl*iwu1N#60q<|a)rAtJvD
zz1&pC<+W&Jy+agWss{4o&pQ_U{x036J(5~)o0+$E&lp9y<(gHSO_2|xY{ApXAO*B9
zzh8ccvBXWie_daEZz@vZ!9<$BxoaIVI_(FoOnU@!LqihiO{Xdz^565ATTV8Hch7pD
z{C{<x9b2PWHt8OgwGI^k1Z^Nce98{8G-gUc6dz2cCm%8EZOEoW3>$LNYZK2><*7#}
z%29f_-<!g$5(vbF&CO1IgS*|+y9LPan~50e(BFb)hYL<7sDd@K*WMcZ%dLnm;Quvd
z0+}X_M*MADQOdDFk12lr)8{nNxZzY?BJFKlYQFyD73s795jwT?n6?gCHQBivr<)#r
zLyS%t^UEhWNfLa2pv+ybf(?^_)K(+s7T*gC%h87R?3M8Ns_=>NuO$f_yu7*myo^@A
z)7E+~A?s_NP}4@6xlGbYc;sgEM{iXc&g}pqDH+;wDsJPVsJ2}usrTw^A8@tt^&&4w
z**}TSw54u}O){||0)G*BL+UB49BXks=oj#j;c~<0OI>ZpeAF3lHbC0!b0;C0-2p(3
zJ#woyg<U?(itZWN(lh@sg^hNf#wY6_La4>fL!$PkD4_fFXN+Os6AXI3%i-6kw37;m
zfMfdZkTd3Hsc&f$^<qi1Tk(Sy8(Jf7|GxrjmsS(<r`4DK=vIGCiF5=aPV?U#CAjA_
z;{<knaOB<WBYd-qJ3%-20P|>hvx_;K{3Jmw9y>v8=Zo{K-_$x>V3Y<a`JV2Ke1#;4
z3A!wQb^r|-?e&AsDW;U--GSI8r1=NGYr^--E&o)K{NP0VS_L)cb(Ks<yvQ2H(}M<@
z_dk%;ZTr_kjo}=FIIepGTTW5#%j`C;)3`xg&})%}76Nu2NPKXju!+{GvVhf~=j57-
zFj}qNPUFenP1qfq*j}wmb;H8s_IsG2v&{!!I=Cn{OW+U4q!T15JjUiI5pCVLM{ZXS
z$C2b%mdf;3T}pTz8Gi1#tkVL4OpLiqzjaku^Q~W1#NX2W%lraxid*E7Ft#a?`9(*q
zy4hb+!Xu$#Y6mqopeXdr9i>I$Zgw>`*dM%cg5B{NER#GW=oRw`lEtW=bJu!Err(rh
zb-5e!8fxcV7Z9`VV*O8r;L1)j)b!EMXdJtMM*Fw~$a3dbM{g!e(MBo$aRidT<Xi9V
zlb#y`IL!|U@e8J!?Yw;T%_?RMTW>skG>n%3D+I)tqHd_ovTZ&h%>VaiB1wgy@Lr@k
zcVo<w=tYMJqvEK(P<P|ew5yZoE#)X-j=M$zw*a>(L%{X_+Ckr1=<^QPUAt~9rCpy(
z0$NsLZRRBU;RU;etjlp1YF(*|aUs!3bjO`A>#!bC{hgA}b@9`R+~2a(N;Q^FP1VcD
zp*?d{|KbqYiw_ctWYzVE?sX>7{wMDTh;N^Ww}^Z_JFt#nIO8__(I)!pa@a+Vw)RUa
z7q(J(u-->LX>qcWp`>W_t@rAW9MZqsV)eIwB{>@_?N;b{NYL7dFnjdbbXIqE_oNBf
z47Yeq!=C@#?B5&yQVJ3GSsiJ3-!Q#G@(!@gy|2?*J-*rLw)2WjRmXAZ8R%BcH?FWV
zt-QMq6?8GoPJ$YXV6I5Vw(p^RVFnZm;FJ+M)O^#SWZ}21mO$%XPYn6tnRXhPiPU%)
z+hvmje&4lgz_-;qNZl-s7k&NP^K0pEj2rU*?_$@=3JI9U!n|4T_K|fEMN~MGJfE&K
zXUx=%awaWNCMfE*yro-8IB|51ng#ibz<^zsu>{r8g0(#1&qCUZ<tofhiZSzo92r~*
zLOSe!9XWzYfaK2$(`o~Y?j<nLi{*Z3O=E#n3Is#kw1%0lm{3Iywn4X-0uto6>HMz7
z=?n4k^bK^>Ui}ZqT>~a;LwiiKNeDkyNcaJ$&^6z%%mlr6G0y&-Ea$YOP4_m*XJ|mm
z@4#`H#O>oJJn%^#le7}NR;yGMHq?32g^N{ht}RRGiAugqg3^|^2`!Bps~70;ZLD@>
z0_^By6tn{4RKE_&q`}pOv-Euy;fHjrGP$V$1o?MpkNQ#9k4vSHuJEtgCn2oY((T*a
zxQJGa2*e|YiB~I+QN`({Lf6u>cDAx-R*bB>72nHD22kiFLc3U<sWp>7$p$rpZO7~M
zs;()-ciWPtn}3u+V+N+0bYK?E(%CP+2n2E!&Dh}u7a?=}Ylmkr7vwy(ga@Vogswm1
z?y4*J9+0FMflF>(csqeReNko`S4`~%06;DH&r(!BoKAK%h%)v`^o+wtE<d7sh7T@4
z<lrB4t?T>HB}H);dxAs{khIzf#%zx2jNjBs#9O}MuTVS!FbBs)Rwxi82(1a<C_s)5
z1=xka4Z^gSJY}uj&mJ)T+y_NQs-1+C%h9bR?OWhcjoNK+ma$xp(}@s?;*VX=kHAdP
za%IE{lN(PGoe2|}kf)h@Tu*kpfEvw#8MiImxfhASxfN2ehT5{hr6v}!lb=Gw5GVS7
zc{VW(q@Vf<sbl!FAn8Hf&{_r8J`DQ>p<hcMv;Pi7-y&u)F5rAV;u@Gd^351O7`fE4
z+29m|M-z_5^RF-?evcSIOnBlt<&t#YCjb@`E#Ex8Enm&4<*-5e>hfNL%_hB+)#qB8
z!gHS?-&sx|f}Dwx(PkhB#n{F}V#SWX_e0l!RTF!g=%GK0|1^ZIH?7NEWBY1zs*IT0
zp_#6z+%mr5eshl2|FE<^GA{}dC!dKYQ?s4RTd&lUR5?YMR_!k`1|i=N5KD^!;tqFw
zNj(8;r6S3J+Y&)uq`Sje79aTvJ93hXV~}ly1n<JvrOKV+eQS9f51WS#s9Y8ieBIp6
zeaZlkX!}XD4#qp8`rRe)M~QX$!i4y9SL2Ate!ny+VK9%*>`8Q4Z~^SFEvM3(Z%RVi
zt0|(Fe4@Ea(8X~lKx^PV$8WRR@_ma0AIv!n3i_B{x_`EyxeBOtdb58Rg@~ZhVgEN^
zk4x~r=y0eUr9SR0>N?NleJ0``mSW70*P>V-`GsV?FNq%XHn@F20PM^1DWrU<V9syq
z9d{-NcP_`&T=yzKCsrjg0j6$DgvzmBR3Tf+0*7{OT+@@`c1~%e*Mmv!#)bLu2LN3_
zqQAbHfaiF4aV?!E9q1N|>$1#K9XDpTlCd=@OL6BTO6F$C8BK1z-Jb;GdsUGX7D_Kc
zemw|llj=$e(W&IaQ>$W_q>~N3H<eAda@P1s?Abi?{;1n=!hvfZxPs1ruYG_E$Ai+?
zFB0H2;?LP;r&M-+xlPxqSw*pJme|l2HIzb#We!bi`5>BE^~kwW_!*>?W5Va6R{@mm
z*Hg-pm2<aq{7glv*G=?tKgK(J3_<(Cs6;QHS14F54i3D3x2MQN8}=_JYoY?;kr)K@
z@)d!s`c@aWav0YGnqI=)mH&zz`R!La>gEXosjl$JG}7_ZloO;kkvPo{ktbniDZ=^V
zKn2f4GR&HE^3B`0Y(mjpEPT*ztz|`{+b!J!aIfl%nYN$;lKYAP;Y``-E?}9M!l-2H
z`~2z*s(9R7jo~?7^r_7Gu!F~G<~REz671hh8wqP%(p+b1bp}v!r6@}8E20<<3u*6)
z%sqs)5~MUG)R{DkHf7F!5IXV?N_F;><v$q`BY#rk69OyUHZw6!%ehJZMCXw%g!}%g
zj=49z7JQL5&~y(Idd?PmZMg(K!KZ(o9Ewg53{D>fa7MoyW07SmM?0z9*GbCm;@G~a
zCmb8-dry(eq&iqkKRD=@Z(4gNT;IiX-9<DjyQ%p*K_id8&$+YOjUa_b`kZqU{hzXM
z+Mf$jBL+`@b^Q6;iV0z}r$22^ehQ1n5bj}|ZB_F8bL!)fTO2gDeY+uP-CAVWw^d?k
z`WQL~K1n<;o?M~}T*k4Klcdfq<)Y<MXp?=tqip45OwputJt*V*_19sd8@&ywtaMVT
z$@tkiF3YUEq^BBTz5IT^qf?se^t-}jLPXu|3ON{hepynOKE|0AKHbEx?=B59R&1Hy
z2mK(NPsB~S52vsmNz&5m<`=={NXYdd5(&Q=O&*;{cZ%e+lhBqg^kV53r&SWCfKsw-
zmher~6IFOL_^cGtm4D~w(WyTsW#9VrgM_u*tQPbWO*5ykt;XznHPEIc?BMVR05H+`
zy_8L3GJpc*BW_I__ZV~qFKc+u@gW5{VV~4gLH{flo0$sepqN&|c=NXxI>Ob+t&j&|
zZDbx|pw>2!3C4w3sAONWr`p<LY6<$YM*E>c)}A?k2#MOj3}V8&#V@%1^5q4rB&{^`
z2KQd4dOm&hXoW=jQa$+Qy%0E8MmRw&1vXS%@hp&4mjvc~ur>m(yiM_4mzN3(Kd;oY
zvSHdVTDWx9<QUKxL+o+UEYu*kZzUFz{-E`@J4L>_Vrpr2%$?A!vJJjJ{{0QG8cUm!
znwVO)CF*AP6Xov4$u;@|?~jGRF{Ijezcwdj_kDbLbf7KNnv5a%9lIm;v@g+PP}Moa
zlJi{FD~?WnH@d!4(l~gO5N%gvL!$}(ky+J0@IKZuT6C)D`@z&0UFG~z9O)M4Le^{m
zwc$8WG5ScjFqzVB%9FTi@z011URSDr9`AWH`iVvp=&Z3UVhia<B?3qH);oL*-@uHX
zUDWfmkLo)OQ{PcOJ6vHz3H{6+PPpg?nZc@C^2=W)DK)suDlIRWYAS$D`z2_$aM_sF
z#w~rDv!n1li*|@OUN{-&I*h$HHG)V~XJc%nnth&`?443>${~-HkZz+7Oed`boC7}V
zaGbw!{^{({`$ms8uF)s|R-@BSf*HR$A{I@T-9w2}8xMIr@x~vV2dQc&V-`f`>Mx($
zwh;ttf-y=xzPt#YRi@LJl5Z;L$mEVof3ym4Z?1>onkpy;&{wj%4>07XJw{JYuerKu
zOpR$^&N&!p66Hj7Vbe+#y)H^AHNA00^IF$_TuXEw7(f`RXCwwgJ=-mf_FC0RzRDP6
z=vkuu)8XQ<^2e6skjD3uX&rSqF~J4FaTsq+s@rINakg&DFSO@T7)zeNZ{sRgoQpoe
z2p5ZXE|KwS`VM^$D?fSu;ySeQpo@DCY#Mng&kz)U?z`q!r(cM*kAIOPvA-#l-`$vQ
z?;O*R^nN5#^?$xcD`Q2j^gA?N8Q&q2Q*Cbey{71l`#a23Jk~Jb`ojQ6u7m36-dAx^
z&KjEgJ`spJUCbCf7EOPmADuC^ZpmNH*=YNgNA)I3L?X3Ml&EiXaciJ)<`M#cz8_rc
zu{aRV;JTKIVHGMfx;y=o(f$z&<T^TS98E5>Tz1#KBv1baG(jXW$_d@C@OYKs_#j$#
z7>y_KIVnu1dTx;aQ%G;Blcoi|2JkV<+RX}6Le4}ZA3cqh6s7*TljH+o38ZK;t^7ry
zQlPuhmCj|n-u1?9TP;TwLS#R?lwm(y{K3zdh8b3_a1z~<L^?+7BZ{=!W^v0N@`e~$
zM`OTOvlU}e{xf>MN7}Eu3Ex$y#^>G9V}|9ZOq)T3kka^MRt%itkPg=86*(aQ6${fZ
z%13B^>oobwnoXXQ2_S5*-@?75Q2*)I1-=gen&U3!ys;!iU5fWYYjM4=&ehwMKf1#x
z#CP@#BDjU?H7y+u;h-kz*tUyP<}=*ed&K}y&v*clgrQHX9?8V&FSzkwIco8{hLpRm
zqXB%-zQx@m1=2??ik`IM8na&$6@R~&WHm@z{L7q{u<^3K5|$)=nDgi9=aCM3`CzUx
zz63fygdS6bAwPb~RlKd@WVB+Iya1gi`Cn2hsg?36OF1@NqEr=Q{<|1PXSN^t>8Ms4
zSJPl3FI@3F>WJ#3g-hw%-G?r&0S!0mh9uCDFK{)(I?&pH)G_-5{cKV#lTF0o{n9a9
z^(6X`w9*~lZcKr8GAj5xX{DWIlP`7q(=z)olfHy>BQC*_XQ6Iup>SE;|3TBbEv-e{
z54}6>vCP*s?i4)Mc$$sk7<SzyLg5mc@*ch8cEl)WB9U(gxgI=n<Nze;+oe9b?W_gr
zZSR#5*ZsD5mwz3n3SoTJl!OawxV$c`%)#<&yre!X>Mm7jMEsn)VsqSdS%c47K7jwe
zd#OJ{Ni%)(vUea~z_5Jta>2P<pz~x@(7B|A$0a~TGBuyzAH@OFR4kMDtdKxJpJhq`
z+`#R&eNaWq+Gu|-ljyNeVQA38YbHr59`G;9oj(vfG~8D_mYaLE1J0$~xDS;Qkf`?m
zVURC6C&JGY-`6;P=6ntqtj6)km4MZ#7)4Xv%&M+#hD8rC_~3i8e3(K+28WiuL=2u{
z*v!N0Q_hF6FFrMs?XZyLnNEWCk)KWO10rb@NH6_unqI%SquQM8w`%IKsalnvqtS51
z@4T!z$Xm#)!qawFoFA)v!=lDoCN4>Si|V^W>a2U$>}H^QD>#b=%Hc)4oL+0;{cXTv
z!RNw7>zLIQH!WNi)rgoZkSZfKG=ofB;bzv2TFau$zXmbHL9K;CTTzKtcs~aA%uKEx
zCxnQ>CWk+NAC&xO_bt%^0mHOc$Jw|rAzW7)?Y4KE{WC^Bn`v!~dchw{2UFPZ&}Z+B
z;i@aR?htxxk&s7!%v5-S_Kqzt8c%s($L7SyH6_t8!$5UG@qWUOjCT^$M{ZqLBKiq6
zfT5O-z36L?=*{G+W9P6P+YI1aJFWj=c;^T!celLG>x3HrY-2zVdOv)tCJhW&q%4%w
z%>rTu;qJc7<C^n{e)N(ik>SVE<jr77oyWK~AEfi)SNm?OGu}*ajJO!-{N2N)>hr2R
z{%!iG2DA;&&OMYyk_qc-Iv}X0!uZB9Z-G+-;D5heXskN@)ZoE0!)%9D7ox1qOSfZD
z`<&Ko(z5$sSmqEj?hLSy%om1`Q?$$B*A<@IUiei~DGTiaGTyo&A`>}uP5)ZMu-~@n
zT-9H6Y!mwFN35wF4WwAjCkb**fP4)LB6=6`Ok+rEnPLXqcyx#o)W8x-<hMS`L2aa!
za@Wquk<V~~98GH#cpyP|V7|@Z$&=_6u|(4*SV7@9K=pKnJ6#cOx7RS(nZZf2>kD^7
zuAq{DgPOEQ^YYZyoWGk57~u*PCL2cV50rF8G3oVexJs<VS9L~rI7}Fozd9ls%UPc|
zQy+x~53Ve=cyx9wwHf=;b>FlajQV7qc9=;Lhqnp%g{gKo3;C+h%?uv2n;$n?j;EM?
z&|Y86;y}wia$DVZJ}ATs`5^%Q^E{zsdESJLmgH`fje}}o|6pH~X;_Z<Eh_);KTEP*
z6N^-yjd^eS#t>6$)^1->6Sb2dxbdKhxs~g4>iURgSEDcZf$V;T<cde<YW&kN&_=<c
z9twEDnvlm%Hr(4>De`jC$_oJAT<&RKk98iVyD9in_ixHp<jNHCVJ2EXM`eVBtgat7
zC)E|74q%>4FD<M*-g1S!5neUA<Cn(Q%pog{GdzT&5@~jiPr%-AJ<QrA3BTod@B`-D
z_|9V**DKf2&$uAd{0?aBFs=SR>PbIJC$@t)M4}aNHfQbh>4)a0L7EVuVdoTWq4(|!
zv5_|30V{JBO`Ox;KMf)v8oQOoSVs5lsD&mY=J58Jw)S~8F=s0^xv;0Q6=I!|Ge?uV
z=fjA?&qT{8>Bs6HF(~Q(m9;silknR`Y1~et*)OhvP*oiVB-30+u7~=}h!P<WdA5sd
z;#=UeT~8=VP}ft=OKw+?R&LnUF%AsmH#b`m|CJXbM+}}`e+{C~gW10KMnEoWSB`y<
zW0@JN71n2e7^w%3y#J;AGCE~OZ5b$J-c#Y~HOa~Uo(1SzsC{8?Zor%}Kg+mc(NuOy
zi!K5f)G1}Cw`P7b?i*pOI=vmzcO=|thSe3Pjp_odyRmyKIgJT}<%RcNuTY!`Y&AP6
zu9f6HVn5YII~#*0us=rPfyGvFs_Khtwtj7)zHtGJlKcmVDyrSP2Nuxe*ro)twX<8P
zuA4<xE#iI`cD~f-Vx3oS{A7oCz8onmN~5~P&DtDmsIHAPwEXAD)ZACCpJx2eE2^9O
zP>Ck6q1tY+Fuewcr+T{QwtM7&_Z2U?lk-*bNPR3vYBx>D3;F7CC$!m96LVLF?*gPT
z6?numRNAJ^4B&Tuf7T0t6q<gxNdM$~3{@RD(kv4&jJPYhuU1XqWv^)mGahMvm>LRF
zf1Lf}AdCL_UPxi^;GHto8)^Mx84vIn;!<1!YwvT_iFc^rrEO18vf?-PNp0{)1+tlW
zp6Ruza+3pxkSN)`uZ-&uVX{n$m(YEB^bUzqD}3q@-2LK&q!-UsPcXJTYl%{?zo5SM
zTPZ%pQr%3zdu>;*hTd>>ueDlh0Z<J^Ym%x71-&21upEq%Uef13Jr@0w*VQw|osz5$
zr;Z?)vFHtjx6en3{R*SFm7)Oh+rbMs&HH7NrNM(Lfgc1^frp$4?2GZ`YW4T9cjY<c
z?VAeZw`V)Qr`HI*Plr_GSw0Pl?Rp>JeCF9K!8N_i$nxLlicDS<GX~-b8#c}0(6{&1
z`m>C9`$bQlO#{x2VO&|#h??2Cj-n-P#!DXfhMtD_tnR{!-{-;gO{E14mzvwtAF#6`
z-w-pdRBX1B@d}8<2%EHi;cAU7<w;+pFN!f6V9foNgjgjYWqf@MPw7jWFj=)XT<FNp
zk`8T2(i;d@#wUhq@m))=D~8-X8fH`O>bA<E<(D80b6Y*~A$(4f{`B`dwuGK?bkzL^
zuxWdZVyBqOd1Y+ce=YzT6J&&V9~iSzWBa19AP)&|1{1P6TXz}QOaGDT(r*3f!1Ols
zzR!gi4Euc7R`nx%IdWP-qUKdO>lp*Sp|V5j^-Jv1!{L=2h91_5>wyH;@^Q?c7_z%<
zHd+tu4R6`yC8&d#c+$t&qFYDg470_I?PWb?A1>BhjYU+x=U~nT$dvr-s{KRLO>`>j
z!C_<C>Z?+|Uww;j+xfXB3z?4x;x?si9-~^vrlXk;Ye#apCpfYLoVjGTlN+zJLRsQT
zt$^c9yOt$(^wUp$pd{p`2e=;3OHY~S5ktpjX+z$8rew@#6vO<1YSd-vVdJX4(`Ds6
zMmp+Z$Ud(H9ZW(zW*@L??Q7XQUFJloBK67@MpH-O+9&<jmKZo85TA8USn-MXlBXIM
zAxiqOfnDszr%o#{F0!xb4KB)koz@{a6{7J~LV8ia{>b;z@~Wb4VmXmxi_$|Q?r2~7
zfpkWf6uDX;S`og6M`=v-IZ(^buFhREsC8a)Me}N!MheR2R(!c;KC_tsCBv#H{Hq*N
zA0N(N@|7O0AShI-B`9K41iwLbJKnJ|WN|vq(ZwL5U%{(?@uEre1tOx4Ay~68A-?B2
zYA=(~<hU~VJI@z`1IMplMo-NX8XZktc1t4;zX;lY5g0JtA!ga}!MCoI`p9he$O-yf
z)vjz{+NI>0p>L;EU1RIvPD;y+`Mcf2ohQJZ)Kh=Wic+T3(-oIhNEb;3o$0UB{s0Y}
za^0Yym-(kLvZX~})Br8P!VVUGFh(QF)ve4=m1nH5KkyG8?4~_wx|%W$q)U5Ln2;@d
z^#V;*a_tckRc>xa=!pvWSmQlGQw}kW2l7s4W#cMa#X5V->LXI-b}pq5)s+i@=w~;2
z5oqj1aHF!Cf^TjnfC2B&+2tZn?KSMQ^N19(89o$#WvY`jNw|M%wNEMwf7dV3QBO)e
zIl>pZ!^s1Y&^NKGFaAjxI4ep&@N)b+D($=UQdSb4p$NZR=@5kEkwJqscY9qaw;fWw
zHiKQg<%>d5V!O}M@x18SAyK^OxVK`t!!8wH=|kV}N7w2IrRKkYn!h3Wm(7u7sMWoT
z2QpX7OaF46yR@hoKjS%0r6nRt3Qa@eH`0a4t94ori0#bEd7PglrMYKKqGl`s+u`P#
zh%0!(kx)|po{|}jD9LM!45U8I(d7N=5Y;bIKx4{K#@CvdTB7oz1D86J_(!o$NBQd_
z8?A_U#tMctD4)@{3VK}hNHJ(9<@-0io5Z4XiM2sL6zA$ooi=_DKbh0^Yk5|g7CM*c
zf<j5nkKoLC^d8Jl%7CM)W?UJ$YSZ%MO&*!OPc?;Z)k5)DV}1bYeOIt+3Z=*Xt;bXR
zOA|7>I`CFMEnhf!{MrcD{(siC4qxjJ|0~AxL>)UZp~0t(x%ed4D%`+7qsZkYE#E99
zyB;xGsgne;C{s_Q>C?%lSkYc)Xdh7&93V=-ClIrW0s=&u+ZfvJ9t}dG8ki4OBN*#5
z1(-CaDc{%Wk#sjX_OU<Y&=p-iWH5Tnd;u;uj|MRZs8PUk5i3D$mqI42?n?4<dQ#A+
zGzUpqDYbzx6eX9P;(vPn4P?N9jRxgA55%2ztivqr+S0V;LZn&9<+~vtA4+ltmfr*`
z?&u{yL8urN2Vw+E+UW<puq5fNjIo~(re2#I{@jHY-?(-(P_tEq1F>Wu$094XAJGDT
zhH!E|#-$$XZ@YEeVd;N00fZUh*mJE6B3m9k6JE4=*+zxNg7iOM#29j|`$8;{1=v^9
z^R|VR*Ykr?jjpcqzdjfda?GQF$_s^iKGZd&etPD8khho4;hOJ}bT5&&kX<idsv3v)
zewPM6q$`}^ENaj<Nsi{T|BAzr8S{9yOo|`3rt38BNQ$=wpSCQ;9cqJQL74`H>d3wh
zhCQeG{>!^>yWSwx5AF-Zn?1X&=q#0piC)OLOt$StzaRN=J;}jb7qM&-3PDWKswM+r
zTKJn@BDU<rYp6s##3Pzp8L<^xEm??ffSS0eczZX!jo^{!hwz7<%8SJBK3$JYF7aF}
zk0CoxYQ-g>{5w@P7vR1@RG~xTXI#l2WSo*mth|UdD@3cmJWZ2|ZQJpY<$AbJYHj=@
zj4dMd*o3Pd&U%1dYp@r3^x0a_VSE|>u1>I?^}rpEaQdt4`Zv0}ZxP6va<r3ik|l#8
zpF`4Nwu8h3DGu2beCNHFU7*@FOJA1g!S0#X7pCLxJZr&<<Oz7j7Zh`j{Zbkn+O|i+
zyiZ~iE+YB{2*oex&kAQDJae7=y7=qg@LN9&3>mQvc{bUJxGeb9jsF@lg}SUJ#o@7L
zN@2O>BpH>5q;FLI?o3}WVv`|9A)O#@wB*~fFQLWOOSl?+t{!$mr;+~Za<~_MXAjJg
z7QU&7p}-*YUn_z_cJ}qcMOGEuXXN#F*LOnXU+Jj3N}^{tx|^;G->{)`>sM}MeAx>#
z4y^df=(Et6fxNsKt=Cq##BP)2k45c?Z@n)pNbr3R^q$D;dws1GuUlem9aEvwwomB(
zdmmQ`W|L=uN%Swlo5B5pO5gqr(7ybhY%oF0W-H%}*IWpCKC|lxmr5;yym!+`zmNBw
zV6{m<WsiP_$@FXJ^$XcS6X9Ox6cRs*lzKe|f#bj5<b?|y6@53HUhm>|Na$Do$b80~
z&TcbdH@>7S>H3<8KvO%+C>JatZP<{4m$E3YbLl1`;QGA~5-4!SL&`61`35bzQ|l)M
z;GbzYp$7jl_SpJ}a>81SD>Cp>w#Vlh#<KV~q!Vd#I&5z^_Oy>WAfwC{v8wqb8A)L-
z05c-?C~y^PW6^~`V_F0VlFb-g^=_WMd_H1Ln8V9Xe3|dacJMp8v}p7qyNK{bT1dZc
zjH2o0x&e>j=DW3!-fWL19o@XV3@l&WCBb^deIKoSSO-$Gn=xsAUlQWOROR_-u$ug}
zU7d|99@fi6#;JFo_N>^6`J-=Mr=>Idt!ybHt`Y3V@BW?eV+$U=Hrb++)1=mFJk|@5
z(-sRX5RWuTJR9RuTBm(KXwn?)6NBei<)iZXc*fH&QTln)mGAUSG8J&hv;>vKZdw=S
zc@b84$J+1YIc9r>h#=28kuE0dy-q~U&HDxy&Vyr)=gEAF6tT=~Z<`DBtDB?8t7zY*
zu$qkr{y(QnpFq7+6big=LTJYx*cPU5f3LzTO@Y0Gm)38N-)?q$)}h8*j8bwqG*Og9
zt+jA+kxbSJ)5uB?O&(l^gRl61t0SQN=E<#L>T@Y(LU*i<x-%1qvxoKyv?%1`0@f}#
zG;?Ya^Zi&=8qW)n5AFD!$B)y=+RqIWJU?i;+9=yZ0${&QZSMhV`Y6@%mpaZJ<@EYB
zz`<0`M!>ix%KoKx54`-%kf2^YQ`^&E0xIsGrJUVq>+;(mwgx}&AjV4<C<bTcRX2*a
z+gi)RM?~h`vYpQmKVF=WiVR;1=*cR`MB+XOz8{Jif32T~V<yJmZGr^C>w#BWKO4SA
zI!|Tt_pKA`wA_{09;IBV;ZD&iqFE*!8ayfreaNE&?<qLGuGD%#1jD2AHsR;)px1%>
zWraHV`ZXd`IqHIhB1tKV{J(ovc}ex4f!{N&Yyx#o9|oGhAUF%(dw5zsT1--3kyrFa
zHgQqkbLRaM#IYLywvUF=AEeZIDF#O?<N+~IPQ0vDxI2hPc=$vH4X{dY7C{&rg7JN4
zq=tNs_o%0i?Rvv>Z#ApQw)Jt;p3$iVkW{Fv2Y|8;Stn)Br>d{5eF-ti9C<f?<Y{7O
z{r8~{UOVD+;LwFn=ef=w@ylO0SN2=~Hs}-|*}OJIlvMr_HqQ8ecLAhCB)VzH(lg7d
zr|6%jbcF#>*?euoIH$ZYg8&N$>s#}nACuHKKJ$8v*E(qyiKrD^%CTKLr_FwNILyX6
zKG^sg8BAV=QHjw+!#5HsNVkM|$`M*y4cfzf7HCFQ*bYW@m|q~E1@pQm!<F30^n^E2
zD4LFx&$n%Wrh(FQg`jKV<7&w8y5ZA`-aDd$ZpR*A#~9%ziI|mXYen%^H1BYy8AQ&?
z>|#&|&)8yCF6j9aTs#{xgP~g<`t`wCb4%&ZA+8a7msWDn=J3sZ(OA_xQ%NKdXrXG(
zWaUQ6<jHknUSB0QZX=W){IXBEKzOBc12d6Hvw5MI()9Whx6DATc9wW`)Ql4dEwNDY
zZKN2a1mhpLI=6yo`s4iqM~XzWL?C^8)5TrhMzA@93xf?*_-EpaF(B|XLyzO4N3EnY
zLys}=1D6db*Cfbt%<el8mGN<Bi=(V4o(GdiUl~!={(yj!Q2-kK@moi02cb-xg2)TQ
zzuj+}IlFb03+7yEtq$^5=&YWc6ZDfy$CRNhivep2Atr%&Ck8<bj%B>A-!5T7m{S8|
zE4=C^M69E<g<@m|5ZCH{#dLDP?;2-=R}28C^MD7A$kK%jPc44_Cc7O%=ab4r)S(rN
znS8sr)_fF)?wqzKulzY{4N@~hUKs@s^AQZmBGDsBM6}<R5-*EZ1!K=xmKw!O|LXAU
z$m^>PV-Ai#g@e{dq7agX2gNqo)w$_Pl+PYGL<`cnX=48RiVW~=ZCcr1y>#}dKo+SK
z#A#is=}d3&vfIa#+Y)3eB!OnFt%Zp9j%<g*2ok=;YzWyq6`u88;g#jI#QJ~vLF-!J
zTXQ@LIU#dJH{SpUxT@iBqA?!%P|ePTw$M-QTDn3&=X5r8udS_IU`v4TX}i|mhM15p
z=dF*!$p?N$ALjtvUgL}{WEs;R2k5C^+t4%XL?I5#GwXp67SDK@?q#r*qGOR@*#3KX
zf^afKru08LyR=f5@I;0GrfsuUWLnI?R->WjCN-F6^gaD%N}Z1mGHBTaFiLtf%4?3X
zbs=Jmq|s#iDc*V?HCdkG!q)}YXdsSgEc5Tm%Z8{0+H=Fee0Huv`?-`v+K3}o-D<5G
z>O-Pw=62x-2y6<El;e6<b0UoYupQ|Z*EhaNPej62sbK_yo@+aDG=~fC6~`*guA_}u
zY(5L!Crz8L1{L0SOF$+DZLfVjogr;2ZaS>(?v|N|76G_K^7MM>FLjX>94#5Wi+&op
zG~BOKy>!6Ach_wPuB`?CQkN+3GvZ4U%~39q&_n4>z4(qm<*IfjH=U8Cm9J2j&$ReI
z&Cq{+J5UL8zIQHT8B-W}DUB~rr3M&Kx*L$-_8Q9RE<-2~+7t<(V#$r--ujPAeah|A
zy_|=oXRP!9W4GsGeZnV98vaxho)DoU(w-E!Ht2vbZ-_;7it{XdinocFZ-UX&K|>0v
zsb}^H*$<nuw-@9&TjM8;gbHU>Jq@okGUvs{x31L*vASN*RBjL!YL%i+3Z+TX7x&%j
z(|OlVuKk7emqwmd(v!dT<kL<=WE%P*<?3ch*Up52S_Y0Z%v6hf2hYF){`WLK8z?9U
z<}+U~bY*UQ9>Im#%&B-b3Qwq(;n@siSHO7z*-lLpQ@iePQIl<&>FXLq&Gg1eE%8vE
zetSrNb4a1^_J>%Xm5BlF(>H#ciH$c-q8%xK#owM-qWjB8yge=4q!;H`A_zDFG?GPI
z0T~a6r8sxg;u&(bY>8BAUeY?+u6b<k&UkjEOSV{DLQrG?1InRRe33rLc_)d~_QR4C
z8O<kN-DSH<^VJS2iz(cf&Ka@InSBQ%L6$Lq-BcOHVv=`eJ_1tyW@K|W6;&$!7z2n=
zh)ke5A2o2nBKhKDUDVwuWtcUF_gwFVa)aN7`v+pdP(O8}ACECj<*<jv+a2)`6S_O-
zVX3hW^4cmHj>M4=Vy<+_a<4<)L_H~v@vDu;4hicd^CQF0jyhFa9UWRCEu5gu8_$-!
zaFa{|*028=JSYg%t>dyrSdZt0O>_O)m=xKgWO~TW2YL0lBnkCXqKtnb)bzA7(zPId
zSRlEqMVO$A94eOE%Ns;<!dW=?+8~FcsJMUNwX;wNuIP43ezeH<*XWaGlBuYZF^%Kg
zjkpFcq%N)B%h^@n<}?LoErjluj~K^)3Ei)V^iDyaeD#k5zs!Y`f4*O4D8*7-Xp;e`
zE2kpRaCUUDx*Z`yp(l4O5&ya8IcHi-{7FiAdQ8;$_x;wf5Eo`*wf8-n|62XT>X!%>
z=dz~uG9Mt`E{{tP3qIeAnC8?ojDzJDmV3Z91QYbMq)^M~H{mLoDt?h?neBCks&~b4
zYK`hW`9I$YuQ9~(soZ8gWP82}NT}5_JeDI_ou=HM`9ffG#<O0znKO5l)Ry|z98T;D
z&AD|3)53v#s0P~`j!T_z$^J}8O%#iU-h3DH#^}}d{Iv{ySz^m#wb1H`Re^_(bQV2-
zCPQy+<i`Vp&lJMB4v7_PEsC$wOcK8ZQ#7baO2yHfw4)H!KW`!^i`;v{=h1IYy4@Tw
zYHs4GGH!pzdUpSfCPaAZB@#>sEt&fBfqvu4U;@WEY*J`dZ%wCGbx@Yr%U9&b^R+vr
znkZA!_2Uyp^CUSI9<TdC4F|Ie=7=l|JXas4OSC3=2lpwUs<+oCMEhyDD;Rpck3HSm
za9p^J9l3r1n4sI9?oL_$0BiPd!tZ^F;Umfz!BD_`TM*Y9Q72!(Ateh|;^s(Sx`gd#
zs70Qn7etyPd`es2Z4BGTv_${k-7bt=xRGlavg&s@IBE3H*8vY#9R#21RXCh`bd>P}
zq`&U`p7Csxn|O2t@(8qWd0MpNFko#wQTXc&1AS(wJrrEP{}|qAl6h+;9^xs{HxrtN
zh)BCcQsiRJs!VCg;_1td9b|_0i$Pvw@8HJMC6RH7<ijnkBU_;uT30SN@$%&ZP5c=h
znFeSm6XGOvcaOa=?HEo@ry0ry`0-T%==b0?BRCf#Er&(sU>7IYMb6$8ffJ!qH4%Y#
zjrB$~S&|6z^_lgNA)#7TQ$(}4?epEyZ8f{(mcxL<nD4_-;gBq)wjiS_<v52fUt&pm
zF!VFUt=ASNfXaI56)b_bY`kB7z<e(#wF<@bmD@26qqL;^6iT9Fq^Q<bb5R6L?&<L~
z&iutOrg#kwYqNnCJB$zl^^#O>L3_~vk#fvHLRjCG^4!#caKSA1@L~Dr%0w?`>5q**
zJLcAIj9R1T<Z{<H9RIm{1q2HtYBqd2@6r47zdavRVLd(CaL|Sk&CJ{xrzfDe;c$=F
zAIT*1Lel`$n&LYf8-8C*FSe{3OHVc#NcKQopKoeMJI(~g`D6aA!+_8dw-5^8w@&DO
zeIR_&6DFOvM9}Inoxod1f~LRJVT-nXaqQqc{AD0nX{*Y#ybas`XSk!|tU#s?M!o^8
zNVyhjWi6tdaz;7@LmmPts4Vo0E7aeq4IXQ+c@kx?Z%AIqBUZKiHE8C%w8uG(ch*)8
z!&R37`{H}XOZE*`)&tVsR<Kn`v90W_u#WqD5Q#9D)H|@+efvvz41`@P>$0g6IE{z)
zw^gesz}*cu5O`COJ2!P96jKaVMgCqResGET@StCe_{-as>_-M^uv=Y9dMH*7mJL2Q
zSEgJtILiY?XWszAH;wB_thUx$2|Ik*@%UZTSAGHh%$WcxFj_L?L0urLokEL2`5lW2
zIt$HL4BopAJDw@yck5h%u0PJqCzknsHkTiq(1B|ziKi*~!^Vq7lQ42~_BOq42n||4
zFF1h!I$=|OejY)<=M#WHZ5aWZOd4McwzedR1&Ha5N!@KPhDSRdFo8tBwqgK89JD25
z@qlm5oYb5l7J;_q8#*zUjes8jr43?=0S39u^Dl?ky(6Z=HtZ^g6;P#&lKW=Kw$-7-
zoVUwe<Z^6fK!5c$VDfN?#jJ_vJReNmywrkA1dY~4e{AlU>LSMsG52(*^QJEjw$d>l
zi;J3|0jXNR(dETjcEoIkDwFh{TZ7r??v&`AiQwhni$C>^C*u00tq+|ujMG~tAQ7R$
zqa`lB=l|c?M<9StWGjE)PAvC>6XIHK1z&~XH|AGQdWDx47NPax{ijVXy}^`JLC^Rw
z7Q8$pm=C7WuWr#FKxf_+gd0G&0mE&3L#=VyMc!mmJ2Ym1e<Uct2e_#O-sFL6L?=0?
z2hV`thT|(P%<}x;D1YV8tH&G1z&h?qMc!@~EZFABbj!jQ=U}L(Ud>qJ{}@RQW?SsT
zf?3a>!)o=Vu)^trqR`X{t`1+~YqTQKnq#BE1K?qE)56&eLq%r@l9qn~-TJdDwA)Yq
zLH%Tj1cb)&eAU!N)7Q^NU*m*fGo{`sJHjO6cJYPAvzz9<LkDqf)4(<##1^_+#b|PG
z-MdUOJeypiv?U}5IE(lS8jczC`kYFFIX}EN4tyMnqv)~E?&DJad)%kq6F*W({QJv`
zX<!(3+T+8A^&X#^q~h|Z+31K>fAT5Kc{2g?e*{6>q$3g_DU=V><T6flf>~339h>iA
z-soszW#F1-U@i<)bXl&1<$1_)VK&lO|L1lgW8e5lbD#JcB|PZy@z(muYBW(6zUh~1
zp3FL++6O-jvGl;XuVzZ4NA9IAuWh9+&A}l;fR7(yOukw9-KVVjf<oXu0s*jGqp^Kh
z|I(E>)m+xWhti0Imq=A5!KfAV@X;Whbu}B0p-%FSPYr&s9X@Bt@p{a1D;{NYxz%sY
z0y5pMwx|OSJlf%s?gN!34*7!8SUqeKDUs0rKkg5w9oGwzWqtL}&mM#;u(W|#s}_`B
zY^FHb6~B8$P3tmm7^mM9*5yi;ptXs6yD<#zB!?$I=3p7eUZvjt`I}t2@tTGULQ72x
zr(UvrG-u@ZTdkDvnRfw5Z8<EpXEK0R;3ovq=P&%;=%KJu1yd)~v^f}YVTOPuWV*g?
zJ(ytMq!kggaBlh|p`=@AWVKh8LZax;=SAo!h*a!bp~4vm^T0gXbAp+2kpkyBis5bP
zs7aUpI;lIjojuZq%&_7y)1T@>%`YCgViddLPOGbv$IwzGfe`gv07tZ7M$4NDnFi^&
z9x;8X`IpkC<hh1%dE(hp_=3KEKDns9CP+*#_A0QbYCV3nHWJE+6w_~NjqIvaixMyY
zt#^r1EP8$=G9(f7ikvn}yy!~FUQ&idYPXdV&HnMv?#CnBc~0qOUt)Jhvka!kt6f|;
z&HndttxRWZo03RfxkB$nQ;r*3*(T`0=>>}LEO9zr<m52xA3SpN0*#R(`G9{^mqQ7c
z86eHLe%`7{-v*9!(&Mt!?)sD~Lw<#>!Trykcc2aE{F*D`9kh4KCZy#gMUo6;_J<AG
z%IG8>g$QukA1S)UC0h-x0oQlyE=ch*11}5S(1V}+1eBLa#wH6Eko^;gm8QTQ(iIIg
zFGC_@TRDT%w2BrF@+VJBISpj%XNR;Zqw0?_axL!rlxr59M}}88F9{^+>7gGopEpi?
zkMXP#2{&iTnuI+qM|*l;^V4-9Sv4l>e@Zb1LeT9eeC`?W;gA-b5lY+0yY-c&w!2z5
z|3(MqT;O|$N0kbc+_GsS>y<vo&R4=PHc+QH?Z#|e+u6XFDTEhhdI+!96AT7lR9V4~
zAl;sLp{Y2O^t!P9BH*YFSP^-?M>`cF^ZaB{({C@GzcEDCf3N!R;aR*oR>vw~jc(Tw
z_Zafw-yVm?=hw!#U>C#h!3gLlY_fPb+F~(^Hb?AF7rt0aR!F{HHrUC%l6YRBylB<$
z9IA4E_t3oi`5N=@@dgi&+`sml$Bz}xT@N}xSxpAQ2W<@nX9aW$Ap#NM_lEkDRYNb`
zW=cfpzFk+0(X2{+Hs<D{{>Odj+c3UBIzudi-r*3oh8<*o?^eWksz++szv$pGEACHQ
z$aNK4f5Bj}6s;G}&lko>*;Pb}m?8;$)y0Ur-tGmj>kLS-;1#Mkme2o?@ndLxHEoG$
z@2Np9Y&||21X!AUsJL9@2?At-c=_LZC{HO)UF-oC3gbP_q2%~by5i{lOH4wFkg?6R
z<LY=D2$4(_2oPgFwGxG9;X;2h)~Mc}3z5f-WrrU<e3)mJ=DXOoHk@65_|cuS^@~N_
zvRT`8z9FyqPX6`uri}N#@SIb$nb4NbyL@t}_Cwi5^9-C|a8_=RRn{J^7j{Ce*BmdS
zG<s$ZhZyCK<Dnv{TF;Ref3bq#=m#~MgWS{){364qdsV2$&6#CaFB<%uT)0K9lCNjp
zk;6kx8HvDt{T5CDK#v<D1AcN=Y5KIb95=ot65T}H-SY+~4UT6A8Iv<_P&ldL$<+a_
zVxVaCz|))0-|(g6pwS6CEwu)dH(#!wNXUrG?ZLIa(T`kqfnkmqieqfUWBtutDa6r4
z<UA?<fP-VF+M%Tf%<otH&&S)CW;65)S4uC^_ny3M>@-B$7oWZuKtESwq6l0s^oWv&
zl4r8f=0|^wM-+JS_CZu8KHI788^VTJ0|aevkZU!D<tsR{4uryjr0>n1s#K_x9mu&3
z*#*@e&)JnQ3Q@o=2Y9KcpZuet$`BN=Ly-OtW-y5-@t^Omcx`Owk+;?BLtjfAKDR|u
zX~a4#$Kqe<(VrjK_9^q`C&y)d;Wx0QYxmI1R3506AQt+3aQr1W%TraR){6GEw4?OD
zha@V4d?2s3ys+LzPp<RbfFGPXhH?Duq7eMlJ*O8$;E%=c6!3(`Dkr7O3sR0_ynV_Z
zzYkqoXMlKihz*Y|OfpwDq^Ie?0VbM?qE~{f7!0kzkK@0}kg9HIf`-trV3Nt?ztS!t
zl5gy`U41ht^gWJ0zERWHNfcXQT?DEq5&>~V5`_#9BxJI@T>4PvWW~(`lsHb4q*<6I
z*HcGizB`ed2Ie*U8cw2Qx_810PsO2_7DkEJ=!1C<jD1dSP>+~)D1#%jz~V=5ed4E1
zlL+#d$Uj6j7sH}le+JR{{99WB&E=6u8~nJvb!;<xIS;KOZ!MmWP>K~2WzO9n_AQ*+
zwTG{D;Ebx63L-^3<7L?L^Q}nDf<}Q)-FL<M>l#r1)TkkkfPwt`m!spwsmBM^jrp=V
zKjIlnt9|yTfbKW&5C9mnx}p7C_Y_RtEfINhDvpf1!{bTqb-=eC!^QIg_}MEPB2y4f
zbIKW~+5CqHPwdMr8;~HM{CzN|LT$=`_=j&o5AI=`MJWh3s~k{Rvr@BP&vU@0MWgKQ
z>Dc$4#kSY=_OKRBVF#mF5)|SDXCVtufw%D!5@nY;!_eN5^rG9-i)Gwm;t4@@=+AY6
zDF)H)OB~wgr7p*O?YtccRO!(FD*gY2gVcIZv8s(3r$Ha&>%Mjl{#c?n(-dz~dGpyu
zE2wJ;qBXZ7fP)VQNV%pSf=a}&j`HS4Iuh?ChyOxDGpBw(zE6B;9_nPkA6K*>E0|~h
z_4D%%ORvuWq^EF^9H=@b6wpYLYo7-<E%d!l5MK*7Aw4qq3<t7_nX)Mqqud37T8R7i
zm42T;+1<m73~%nHMp}sy7~2^gSvmS~gw`3!E}9*}fy8nMRm+;r9u|or0VW1y+c!nS
z?V*l8A@O;8PW7zy+aplz?vB?98uCc%h6G3;ApQf8+1;KhHSkh;dxWwmebBo!f<%v`
zRg6T6rAo5l;ES+<Ss4o!Xg0xlL`&~>;{;y2aw+yl-+IF|DZ2gRga7*PI<$KW{N?G0
zkgR~NH^^L+*8h3_LF2OpRr)M2-k36*u<=MvMl$u$<{+Zw&xdxM3kq8sO$_ue^d#t%
zg8`Yoa!2X0%Pv?r**r}cf}rF!c9N$-3r~ML3SnsTsij3Ok3VfNlqvev4)v^2(@|?U
zt-bix7?PEugcOl(;p^c67d_CCi^P_PWP>7*5`gkI8a0nTaov&_uWe_hHCrZ<`h$X|
zu2;L3bP5t8FWR`fN1+}v?URF|3~vTgd4Hy`oIDb=ek9Eb%^oq-mq#~eRjF@We;Or&
z>3=q6AHT&S(YimRYN_I>Mrsw!9<2ZQoF8mP2KM9e4j1B^21Q0@n~-+SKWDu<VUkOc
zL#@crzk*tWMLVS1XiFrNW9x!?GA&l?lQX~h)Uwj<H?O74ts@>;D?ixSaR*yZbz~0l
z2JPi>;Ht`0F~Aep6gKQIxlg=(-XPH2POAL&^D1L&=N-BCTyKKS#fQLY=>-U2&wyLE
zx+6t_yvEj8x#|V@{5v}WwI$$&8-SYC^o?^;?4erYpRf<-M~VcqEc|^Hudlnus_ZK~
zz6HBN)KCCH5(7b`BuPE<?GhbRkc1oJJMkDK^Ru)_eGfn|4n@&e9`AZL8gacs{qQd*
zfC-0sTrc#c!6VR;H6X2<$J;}D8xu<9!}ylT7DA)%h$2N`I^W)i9%U0bWmaz9cVL*M
z+9d<l-V&Upi1Fm_fe9p%7P+^MFNi+$f#gXjZugc(3&N?EKOeCF-5RGu%pJtJS!v-!
z%(ZRTpb$3n6&^kwWZo?jn`<=3#>$I#DdSzd{XMBJuI>C{I|b&R{?|Vs0QvxJ*$^V;
zmUDcKg})3+|JrT^2)t@az5;xOGS$p0L#%j<q;H+%zjZpv-5uXoK}nY*%UUdP?B$Jl
z{Nl~$D-^RNBgIhdh0W~A{wEyvYJ<+5*H)*`uvwC4kp~?*$kbDtj=COje}O^0!zu7J
zFA)e<NZ^MH^&N^d9JVHBZU^3Kf#y4C`P5oS=yR`>_)oDF>RfE-VuwB}X6)&i1BEyB
zv|Z{|0M@&*3$um^J`zRKoJCosc4$^7$<}B&H-ZHXh=M?<-pi{xj(KwtiDXV%5>+K<
zd=7*&Uk|I*a~;sa_f{x8Z2>a0{`SBU-(Mz>2?Ky>GhmA6dQX?qwH1)LN$7~=qVnM(
zyu-m+$Bp!W;dl4EUVFMxM67<h=uBWRYyk@p%kAe?cu0+7!Z>4v&-C_SZvAtE(ohZ)
zkSpus!Az!W__MXl^=Gbw0APIwxn|CzbtbJ(g;TFpYg%C5d-yjsL%28<(pH*LauTUO
zPh8cinqb!V_)R5Z-(HzQxXdA;kt2tIE{^H=U<X+x)$+q|eD3?7A(5Jn2Cwny{ur;{
zpDdxK<BbhzV$2_<`uMI3`tEK&q)fI}08Yw`h9Vv?+eHz?#T@fyWC6aY>;G9Qu=flu
zT6!eLq{ss4h3^AMUI1}h<Dy2f5zjMT<MWl0`Ab`Yg<^U!05Nm>D)G)oRT-WS;@xms
zVzCxl>t(j5_A+7;<Fdv!WBcNig0ntJxdI)6nxvc#q=882Vr#*_C+pwy5(+>AyiwC4
zWznrk=$;P(iHO+YCY#K9gCSq{2aYk2dq3p@wbRQqB)EcQ$hV)eg-+(GqnXWFuNcJ_
zs^<L-zqqJ=drO2j_g>QcyD}8}0ieL+3w-L@0X$XkXL4cP=e?wx*B?E+Zy$lY6?w8V
zbNj5>J)#1*jp<o6>EEtPhHgA|@n#u-S}4Bv=wf@cxS)j790=JVMT}>3GvY9elWGc6
zDMb?LmTl$)(UNKOabfc8Y^?7ltng-fldRQZ!H4CuNa1;DWZnI=sHf8SJ6K;1kg6%1
z1zT%9RJer`gr5OeVy;O)0QGy2SEg`C9_eP%Ru9pr%DZX~ZfbT1f=cO585~<3Z!XNR
zi92#fd84$RpA5LfbouyxK!K+?u*sMBDFfg7V?$sdePMwIETBgSak$}j((FDMQGi9)
z8>h!Eck9lVG{)(4t=3a@aMcU%t2c%CsuALtH%d^&z!n4!jis9!El}2k6#4XeWaw8{
z>gbhy37UwJco03Bwo-UFzrAc5^K_km#vtTSVFW%QIAZFnI7*-f`0%M^DpD6t-2^!=
zjKMJy*?hl?+WECNUnFi9zi2C(w$!CA#`ra6pR%fCi<Pgeqjc`@w{@nY^nyr+)=xk1
zmqU5!!FhCC|6W;se9281c%+|}RNH(uZtZ+<J$NmH26DVt^t2`#JM`P^*4B&6-&O;N
z+4mlwa?IF{E?8;s&GgR>(az;D<5#=G`r0zxv)7l_NBW-=t9fC^<4=%PA9n?(n%|io
zw~?1(m4PhZ*OlSI(h<+)7n?hvIu|5XvsGV&R(#%~;-YSJ)w1L}?kJ}zoW6ds3!z9N
z`$CpPc6rbke=T-;m2`D7D-HLs(YDoAD~7m&|DA7Uw$kZ_5ASP0d#O>6>tvm^k6%I0
z%2Gm|TySsw{Eu|@^uZQGjvx!t?8Oxng>~FZ`LbCJ+g;tgvS|$w&yHw26C7lELy$z?
zT3M7emi;P6X`(!dqqj$ZnF6)zSfVF!xv!0*i<vcECUW+|ntpPONKBoaY}31gFPO3U
zn-|T(McsjhP;+$q8nL{H-uhef)7i8Z$rePN^+XO0RpvQWW-ZwI75Wl;Ow0e>1#ox3
zC{Rh)qd=vMsY{=xueOTzy!OW$)kiam#p*q%E!ddRRwl{<m`5^fjZrGeb32+y-+x(j
zdR?1XEf2#@8B(jVx9$=p*gkc42T%JLKCXo3K%64jUWsEU^Ud#26RZSv$XBo2n)1`L
zTT2om?fl7Ee^ev>L&UQS5xF<FPkt^SCRLZp!-%7hb6e7AB+fP6yM%-WUwh%l*3mr3
zGwt`mOzY*kC}=&Q)ID%ZyXtF<D3t(*Lf{&EfqwZ-m6a(evY(^@=)^dR2G&9ANI5$-
zSks4Ptnqb}S?e%9ILp6_|3}o?i_I6BpD4bpO1T2de*UVMrTVRCu4JCraKqHP>~_)*
zA|J#5rBJ1Bh_o%G3JFgy4br-iJ=PLAM~9mu>SoP?ynMWo#AF60*!`=l-ZpEpl}jOU
zk|dKZQOg1$Q?-W9Y-`5zuRqm}HC5ixi4E%HaWFbW^L+F~4BVy6-7(W}yUU7i?b}eA
zFiro8UNJS(!qMe$hG)4Uu>Kg23$r{bc#v|`m+U=87AZwEZ`w9qEoQvgo8YX{Qv&8R
zy;@H5q>wenLiNfQpU{<Rl-WQavDfU=Wa0YmA3s({wO<E!J`}P~qxvucq0qcL*0~y6
zbIQ@r6izZBw0>ju5CeaCq-^?Nek8U2TM{JeE5o~^lZY`XUn&8#Ne5;20$nZG*YQ;F
z$P0p6+3wh}yQ{F3ui+yusE4NaV=9(_IZaS6TmB&i-ND;yShJjT>-Jx_;z0ba?Z4#9
z^-IymjN9Vn9W5cpAAgLp0g|raM6%=Qe2v(W2eQgqO2F&;h@xiAPslAVNoZq4+-<Sw
z=5|=0nl#{`tJS7!s)UB=^D~uBR?c{BrbKHrG;m{FKm*!7u^W2JOT~%jETXm0(;8LL
zn-Lfqdf!sBLDrWiO$Op(C|=T^2gXdl7Q#*PA%ruO0oUsvk}req29<vzVP(FkmE~Qx
zj~<~y78q0<*KxeSOXpA%$1AM0LKh98*f9&qN<{e?Nc2BP$bTKcW9~N-S(<g2Ap{10
zX+Wygm7ZtzSRr^g$Pj9CMNL9m7L(PQ;v{(zCu=K8Zce<yB_yVs60Lk|a<PS(hzyk*
z9rNlga*vX%baF$Pz_;5;oO5h|3K(&w9L5;<t!pEz)naN&4~Ho<y{qAD4i_bzuH`Hg
z`!Y@6<i%%+PsaB0La_cdcJ2#t*#x%U7Z~1-Q~Jbf{!N(52x1FUuCIXim7y{#vptTq
z+oWJ1w(72icl8SRsuU&byNd(xp7C~QZ$T?o1*ps)4&`^om_OUJ3UmeM=mqcNG#MIk
zVM@ajC_}6(B1hY>s;r`K|Mmv%5GB&luZ^TR?zC<EuET!bHSc9C(68Lu+#-9Zb}KXS
z<O4ZtZl;CR6iCgpzR;>#zxvCBoiMcSq0sEW7zFvDhz_)U>9uQZ6nr4s3W<v&gSB3&
zrQ<2lpNqvF(O*ru<sY=1E(YNX{Yj8bA8U;MsEpT`nTW<r-8W0&3sx~5`w^$pKqaOE
zPZJU(h`ow2ES3UdNUl`3?zdhHR2JyYz5Yaw#wQXTId$K{58kdU_Z{vT+!?1d>{MC5
z&GirUMgMD$7CrDnugn$89;6N>yy(amCM+C|6QcCw^W{LZ*8$gPNH!18d{Ij+sUZJA
z6*aPgRV#bCE*m<>Sg2ZYjcu=u>_<ZfPC#0T58LO^30!;eo=*6mbQ-`)4kzEP+Ba>A
zkAfn7#&S(>0rC{<2r~T|KGm@qc~7Vw^ZAwThx+9&Oh#RKi$rn~H#)@_M1<@tCicn#
zoP3D!G9xdFKFqPnY_}Lz_cFq;;Cz-<c0ZCNm0}Pn{jf7#lR)(+Y3n}g05ii!*p~ll
zVDsm1jF)N)hbl=TLGf$DE3CC&3nAI>=f*=9i4VAYq&msJsGDJLsc&68R2PJ+;B6#(
zZok#sR@D4R?r7%>%)~%a(#J8qMy(e~uS^*=dn*SS;^T+b>v4?);ER>eT8!8W0HMan
zVvVwNd_Tz8#dP43)l%jEyYLe^hxivH$hSN3#i#>^(=NlI**cUr&4{*Z?F`geU+_Pq
zcx5lI-~=`HbOXV#mW00mPOzcqX7HEUgXyOyRl*tF8w*%mlvkuk#KY1HgY-dgMR&9)
zf(fD@`iFKl*lCxpREg@)oLsZ?wvO$tVsn#xkH{SebbB%%>F;EAn#L^^=a7IcP%-!+
z`A__M3GgOctQzNuuT0mjQSp*42COEjmr1X*j3~)NM_jfyhf4D;fk-fIl=FuF*KJdG
zB8Bm~Jed0Odm=dgmhJlr0znWU7MT@v8v~Vit|37j^d1aglEhbn1ck%!?YJwFj#DI;
zfhMF@eQ_LMC=s9;lJsB?{EUo{toFr+HPF9X6;KH?i0{of3on-7asFe4T540wEgL)s
zUTS-E@gT{BM~T+R)!>96Daa`g6D0qQU0qWX(j`#2kI~9S`675fQ7^dcp6$oj=0X!&
zTCx`<O&nj^Ha$>bSpyrG^|DWqQR<O>7ZWYLv+RvdqEQF;3}I^4Cp7y@3)t1D3?Kk1
zH_hFQVi;&{E0t<BvrZn~NFi#R;ifs8hpk3*W1Fsc?=L8{-;%%<R@vh!lhcIs>CJ<r
zo3#gbO55-InS9rUh}CL?+e<b!Qx<9*;MBDSc`$2K*d*}0vgc<U?q^FQ%Vso{#vM$b
zj1lP)Z12;|$k=ME)Y#@6mnD^_W5^6_#VMPrt$12RWokIF;|6RGzktp?4(|p;`o)ln
z9v*8X2Y)D%(|q_P*yMqspB#9lG<kh^SE*uEU`;+jMHLJ<nRfX?yM@0OFG3(9k{=vN
zx$RpW&guZKOSt6T4Il&*iXn*%8;ia_Lbab&M-uUCi4K8qUq*-krDiYEKd!QBf87@8
zTOaKrr=Z%$Wlo3f>dhB>S9uzr!0%uEik`F3^seROw2|LyvE^Gno%JluPuMkBcUV2c
zmR62a?_RVzv4OQztLLb^`0k|bhovs_wSw5r<%RGI8zT>-E<?xj+Q_6MyBoe7k}V^O
zf+KTB-(c8d(zT~V^Zd)KG&w_Q5Aly-osA%KqUia~?nqCIGq$OX#u4I5Pwti|zop=~
zLkyYi4UZ^h%|rR!tha|G7g@kR-VS_Yup*^Bc^?VwclC1`J99m<H~2+>CloTSPe$aY
z<7<G!H*sXwHT@A;;7Zof#m*X!TBp}@=?V$q1s9#<pm%d<R2vp0c|7g<NtGdbo5kh~
z^JgbBYqTBfuB|(W#I{iAGQPDN5lL>M>edCdBogRvMa=gO10zHce8jZDhu@l)NCxvw
zd>`*WtZM_R!DhG1-TeYPsimhI6!<$#`D11{<VAh%+eMT+qMv;m%;%zMgL7B9we=g!
zv+ZovE`#XQopkC~Wk!<p26YeZj~iJ;#m*MK-29*xHhQB9TC1(JKQgrk!UAHUWqJC`
zRf~vBLrV_B5qK9VpjSyJm)6q<EdGANF_CLwkRopNm}1nCbZe@<IJJPQh5v`GzmAKl
z|K7OKp*y9!L}Ey3=|;M{O95e!?uMa3q)S3#5D<`V=@6trx=Ui{)U&z2=l442x$oyM
z0bj(-TGv|dYkk(<I|QML3E>OCwZs{K%6Aj^d!h`wP!fQYcY|1)#AK|t*dmCN!VQZr
zetvELGaT&Af8om<;Nv`PPCa#4J=%+%FW2((d_z9jn?bf(grG15>lx0NLm@*T3ZjDS
zRw@m{dj=r>RkJngT@`Siz{Ibdva1heYw~?9Van-$zM@$`S9{9wmzDlIq%P_~+`_tT
zb$JH8C64QVRZTPscHZIXOzweCyxF`9wI!2n$JBXa@Y09>xZN}Y_Eu>5YP<8PyYffu
zHJVWt$R8S~_x7-3vFIHr9*%5Ka;0~3=cZHiR!AYHg#YP#$lWJ)!f2`K0od$v2q5mm
z1;P>%ftoC~wG^?(v^i3Fh&CX2_&%7gvTky?3qM%~DbPngG-mvI5slcA3#cBx&B)2S
z5QoOc&*5MQzy(~pf;E1Q_!A9%ZX;BnG{HKSj}>IJ9t``;bEMWinv1^7K#{B18hrER
zQ2!6CWc^pH50D|A&Nx>5x?fEvtC-Hc`8%VZwcf9LDFZwaADiu2)ovhJS+!9i69&B@
zYG?c5`}T1pg&fq?xGCcs+-t#a`V|o9g*PhV_{Mn+0`d}}O|n9R!G4+j>)ny2YX@>a
zv>u?Af2ckTz$}+@FgBvR)L*3{cktHTK<KHMpm?h6t2FOWi38J-8-cF=r2$!R=Z+mI
z!B!+R`|6JUW&d^}!P2)m^GrA!13(4-<uNJ+PKH6YKRKFezT+1*q6z9Ht;x$4Xvwh6
ziE&$!_f!;EE)-<s?ize4^+f}$gk%?EkxsegIb--9J1%01Vi!t?bxpD-*^+lOegNYX
z@I9Z<n6v8EBL8(I$E`vn%HXA3mCoZH@Mnmd%I0zCQ<~qd`l_x3{%ZKSYk*2%3eEe;
z^{PspLx#YIit=4MAf^m;Q~+s5(!S<#toJRU;$nvroVlBsd)pv5N25=;v>8bknDi_J
z%x)Y;LaB_-@2v7Y$`J4gghzOBG@DI9h#=?aDB~UY+7X*H4f#EqOoNMIq||4lfem?F
zYZ(F-2A6vhkl7EH!YT(LKB{-kO*I<{fgEn$Ob&*cc00dfQ6S*39>$3(e$BquI9{dt
z+>^Tl4baBzjgs6ULk3+5KMTt5z8sS!KPK;L&1Nny3%Vommz@*r%4(?T@tT_!MpIvf
zQtHl}9!?1(i}5BLF{Qqvua0x5Tv<=cG*sF=(jqLqc8*Y>CsmFY{!rQdW2UsOtb(nB
zn%3dL=qJ0(M)df1swKX|>MW^<t~y^xQA3mM=%v2hhLoV|Q884%$S{alE@*J-tU)tY
zht4eiDZruw3>$M1d*z|FkGh9coXhr_U7yi%fo}phk5dL}_WQVwyN!aDQP!TEF8QFX
z>FvPbWLUNpN~W|6fzQ&Z1Ct*b^43OVca{u&%Q!%IRrI-sJZL?1D^2dMyit@?3W!WE
zy5m=YB&f2g8~FU6E$~EaEKs9F;h%$@Lt^f@%f$?JXXs!BKXGHJ{!dbfrG3!uWdu;+
zi7LF?KYm~GC3)f1|Efa-ZSXzc?^F$aeiMHYG~FpD8Jth7vYihm>4{z#{QfcMa$Byu
zm%PY%efykqq*Nna9A_C>tGybdQGv?^76WJUG`CvBQ3{1(6>n)eo(G`<9}fPSeo1aJ
zhm=wDYJ-}S_+=KVNwz`w_;agOi;NqvQ(B*6CIj=X0K{E^3LZ?^_qx*6b!sd(UAau>
z@aDY}h^G@PtHg4q1h#vo4VX_i?^g`s5hj0Zl+(I@Z~?xq2D?Lq4+Qikw`dmq1H}f8
zSfHvOcbI%n_ydaE2-J!tq9YYN3K{AVWLMmIeRFV1XOL!MF6+OwVfWHl`tvNd3J^%t
z+CfGOf~AbZYHTumcmt{hztYZ|>Q3HgSHt)|Bub{x6|*4QespIx{*AO6SSRlkQ6Xto
zI)i|V49&*O{AfA^E@l6iO3omgUelJ`6N@){sn6jSe&JhEj6~m}5cyjNIz}$-PPlYY
z$hGB+EZEMrs0d*c!gVf05IlhG3|0`}`F4pA7q+_7w*<OQ;i%y`^AQ_(;4k6Ri^R&-
zUibayoGB3#3nXaH0gxvZ<$hZScM7ZCsk<HZeM2Pvm1j)#^E{cK02b@J9?kH+|I9Xa
zT%Z1yQmRj`h#5Ar_=!`tv)r7|9ZM3R`JWsc6ZgpeG4qhrc};y?u+tXAf)3koFED^d
zxHH<wv~PW#1yii$!KIDqPcl3?<DFPacYQPpz;EygGQ!NlqYn)xm7B+hw%GFRWJg$Z
z#xMq#I&fg~*J#<6;JW)p`kfb-DvknDebsmQ-TG0e_~-1t99k1+hrTjhe~yxmPT3Hb
zYJ-95=d@UBFg2(fHU4~~w@Mt4d&Vk??%|hcBc&Z4p4Nn?+U=G+l4lSMv|-zrvWg$i
zkLpRW%4UtLxt3}{)eN5uoN=6=LJ97nqxl&|Id!&V5@gGKpxspi7T}fBIb;*4d%hG<
zKV8<zyZPZJ5??Hn-FViVoco;_&Zbtc$y;0IjTh1v@lFJ!H14zJne^gV<jq<r`uRq4
z=KQ;K2;GYjs$ZBZ537xKPFb5?%6*q>J;XzL8p{kmO~Y(_u_o@NY1w6WlSePF9G;f(
z)albDaN8&XBA?j&+1YTC+=?NjCnYvJ3nl_XJp^h)MfPo8w`v!oOtO#78Sxgi`BIsp
z#(z9pK9Q%hSk%HLm0Das9oChyI;iPodrS+=1Bd@R4Tk8*hM=i<pl5Y}20a$l11ACA
zN>!+JCT@8%Icl+;<NLs8i{ELm!^Ik05G;fZB}+8A3kuL-4%b{cCkMKwfIb^8RZ!<B
z=16(Il*F2*f16__0UQ{BWDKd*pKPYKI}4O&1|k{eX)X)&^xw5pT$ku;z-HlnA@AZr
zZ~1k<wQ=8GHq$szEk%Ahu2UpsOEZffQMd2r#qOY@4DPBy_p_bWB|glYT`K|dq<@Q{
zVZeWWf)*s{{{kC{X%Z;4y}w2Dv{3-&`gsbwG2Pl=HvYn3?!Xxve^=px>*Df2@jutd
zk<J;fv8i~@A$b5Dr0T7hcv55q6r%KF&CagA?$2=7?-|8n%$v(0Y#m)k3|$~hhxLm4
zh@AUsc&*Afi8M<@!$48HS*ZnB3t7<F$?moH)k@2sVU_8V?^A*mEFWQFVVLPmYaKN6
zx#X0;@6s&Emhv*t#%qMQC+{7=2VNnY24C!{&?n?*5by{JUF>|JgOt+lI3u_bdko{2
zjM@kLP4s3sD5(zAlwv!epEqt0!lm#4PAFp3Qx#x=px=AYKe1Wh<A$Bj%hmG(@H~U;
z3C({8c+jtcaj`L+1(DsC>03vcVpmVSa{9&QP!vDVZ=-xo%t2jIGuWOk7}5l-Xx!uW
z0zmj!vwchYzxaY)ioXtxsd9Od-o@PopAZswZ);pFUth8@c1R4cvQU#)=<9mt!x``P
zjNTYd-PMwj#3P5oDpfFH`CUjQx*rodRfQkFNcuPZ3ysZe8Kk7}oxXToh}-r86`<1;
z->*d1>^SfSAHkM1){TWxiiBe*{T6+?7=0pk@@~>_x^ZZ>v34wrp2N)!#7&9w417D>
z$<f3Ea1Ku!g&loMGw_E0WRxNlE<R^!;yI|6zXVz(qCy)5U;{06gJyUYexh(=>uHyK
z`p!Jf9ln=og+fYmQ20Juqx;lB$HBwI$I29tH4Vht?s>%Lcq;MwCq27Gdq3EbXQBEB
z^!n-njCHz3eCq{qN({iqz}Fv+Cv`h*VZy$=ZT00ZAr*jI3P%*R-UFRuQf!GAJo1Ta
z&%vbS0)VdS(%6LXy}<NvtIxl*p<`rbII3<t05nKnxYu|=7~wedzO@7Oq&<8{&j2e9
zH76~!k4Xs4PSThEY~;oyyIP1gG(xEZRr?ok?S{4gaUcixtWB9-9b*Oi-v*s5vo$ER
zk;S=pb{H6p)2DK6{=8Bg&njE2*8hY+MjOpw>2_&h5l%56Z*4H1*24L=TAf1*aJEYX
zGBsKX{rwfmqp5IzPb4%n#`%feDAXSU+&&lLA^yz(L%)-oW*77)(Nq4l$~^dako3Os
z`*Zl|)4aCD7GfPvVIGeYY)RJp&|CgB%OST&OWQTzJ%Mo#&F=;I;sb(w?3M2oa0kn0
zv6R9&%bmmw>Q!7s$x*A%3v?<OZO<GY?ws<#)2aoL>oY%t)3R9H9#b>F>d%HzZp=J2
z%qf~BgBc*!v4in<?5&@^qdR}N<>lNf=x-E|3K?`m_p^C&Oo2DuwSQo?37;qz{K*qn
ztE|Q)f%cjCNumGZJM;TK%nnh$dCeeO`87jPADOBo@#W4RSGnCsLqKMPg%!c8E>)VX
zP`pY=xbe^FH}s7-oqsjItPi$n2<O6cK_e@vfId7dH-dsY18cG3{>%dG_8e=F*w2q&
zC{0dO5;mFR!@ty9u`Ua(+LOM}A|^-c{xN_)u_^WbHboJr-A#ZmONUxD&%SKB9mkk3
z1iHT%w<c2o!P5UrZN~9*;EAp|vb-_1nv23)tuD|h-;7I9CU}I|_%nsdmQ2^T{%J95
zJs&z2s_kRLv_0%9*3)-Ayu`E$L>Z7T>b19gmeFSZ!y=F|D&^JYJjqqC<zQ;q3>DDa
z3Ci#OZ~*<$gdq_KY))V84ItRRXI%n7bA)P++pG&To%z!+jIY03)+M|g+N!uxsnBQ4
zWM7B3B46P}QpN@*s<cr=yv8A)s=Zmc;63}y)*-;LZwS1YkhHa(vzMD%#r0!@r-ol_
zv(4wS0nbU+ty%;44fBRCoxI~xZ4^vR0PGy(gmwEiKx11p+8(ufB?)|PmKla;M8*z}
zV_gyqI&I04wwqzUfR2fAZ}X+(EW=QBb1RR78US6Jke=RA5kA!(d$d+GV(ehQyVWCW
zQ`j;{a)$5W$_Y1y$zsl8zJUz~v_nX)GWNyV-=50ZaIcKzrQ0nW8^%u@B-)GwB5+xJ
z)D{gop$4t3j{S~gf&fE6yuT=JE2rtc%|gxTye5h1-CQi{0UX@)0j$!vUqyR#WwC<b
z6u(-&L_?}T8G^LO@V*nvLs#y5h<*{54Kj1P+*Y6<hI7u-rCM^}wa5bv=nAO==7b-L
zpm;iR;_<Kj=d$)sWt|-t)@}7)Ex(AE;amHicRWWcS@-9_DgCaZf3f`Oi2^VE?xOib
z?AyPNq{6%(EUEn(P;0!DlWxGgv*NKYULFpn!i4I)utJ?NK6KHWe!X&dDDe{+J6@Fb
zC!rzd*X?PMvv|Lag2CT0-$)!xZ)cx0NMxM$t-d8@m6?<PK1@c*z`Gx;91cDkBw^?1
z{?VGsXE#@S<E}12l&m=86OhmXv;6VxTgROh0j#7xoFZPB%;Lw^%$rDxN|%5b^z=bS
zeFs#*BY=;nl-Y(AA==-77+a%H%<;-CW&8#{-b_ZRE#}a7{Zl}rGapU?9-%va5i%4J
zMGHQx{<X`Z>*#%B*9Y{@IAap-x(~qH+i!p0XgF)mzhglr>eGq|5}IHv0|jS4JGTH)
z(HzxPzD64Co4zD<+r#qVCOc<b*k=Db;G&nLNPN1zE_DiC^ziv}9zdw`uzjJX75kCH
zQ13HB*SK#Pe0S;<!G$8r+(DZ8Z8|%@iH~U5pCmK|&x-=C`3u8u=UYE8^#t5*eErEj
z3^M*sp+BV(aBFX;0N&LtZH-Eg7TYg-a}}Fut;m9?^!bQNbmCY5)_u(%U1w_A$4kcd
zu&wigJi8dycp8PRF|SFR&g7s7t|vY#Oj#>gdfButOj1LKfs>0Y`0q=nB{0E1m-i9y
zCAxmhu>)N5dzk{D1jU&;p=QR&KcM}p)zNg#n!TT$0G$EgywLubgp3>52z{+uf8k&<
z!~R)(wGjn7xG52QSa|@eYBK=vNT>*FUd9=NVSpjC`WyJ|%Lq)G4pocmG*H8V=?#PW
zK_<+D_~}q&y%o9ksV+8EejZ~v)(4gFH#L9JHwqA&^?i<ip@{Dz)>NJ(9Cueyy_oiw
zqg%Da#_*|2(n(*)wm{R*DWBv>As#D@LQ4B1>8?U%_Gu9WdZP$APg(Ey+T1}Wfk)bv
zWW-S|2iTZ=W!Vmcz6&ct1+NPr!sHNe?0$qQP`K5Oj*ja<!Dv%=#FGi$<JE`NqL~pa
z5FsHdxrUKiZ`+rNr6>BX7D6#e>dxh;j=KkS!bBtd5AdxrPFb$P5+gL`-IJ8Bdt9Yn
zT@_H4kB$vy@#oj8QiMYOFU7+%TwPOs=U9uGc0KAVlTk)n8c!?BZh>PjRcaWUn(v%&
zBi<8B<WQmXB#qE^Dl>@3HmvPDh-n2~4rspu0fIOGiSuSQMCp}gKBC#R;XH~UYAvU1
zwN7Oi<xA|~KXm2M@3&@73Fz<aW-TF`&(%m@bgSkMolGc0Y0lV^0OK{&7f+tNiw|$r
zsH`w>W01x314VWZ+f~^E?9P@XN3(B&f%4yzwv?{pz4IdTYO~tS+Xv>!2+XnH`wFC~
z2%xnrvwJts6B4cQt(1bdlHaXdy*+C8hd{wlg=>ecVGdm|47T1l^c;DKus^B@q{#6>
zod7!ieQPGebY$bv0riDv|9Wz?N|xo%3x|xICV_fr3v9ijL8R!bKH@kbK{McL4yrrE
z=P7gs5u<{Y9S92l{?ZGw?FvRF27Ud&Y4B8#_oXjvI^wdmW1qs$1b9N3HVO&x9E6`h
za+GkbA@+bs^9=wr!)USP#)bs>l80%!C;$l%VqcR7wqVrm-4`<k<UcCvmk$EPo&0_Z
z{vns5fxEkc`JAomXT5=Hb>JOiov-JZ_joJDQx_R=2^N>&2FVe9&0?DmH2r(tbN!QV
zjjPnN>$CZvc_043K*=huKkn~|G&`j^gS2wpo{%n(FAS>Q9ldOfkJr-0E6K3DKa-JV
zIxza0!hQgCT~qePgaKerlk!P|B@^#c8d%9XUi}+>mjBxYc%h{6w3E`J&p2_F8pJsL
za}`mQpn1Vwv!bHu;#4fujJ)(BmKAi$g4o7M5b=H{8DEUX{jfX!8GTE(&Szo#!d43D
zi?Ov5>PX9<*96iRK(ekXl2Uu~dn1eS0-a9451AQz3R^{w3OdLbh=O>c0_DUI{ceVm
z3aeWyS!I$vA^tDJqkmO9sCFj1)W?0G)qj!JRf8=)_4ma0X<VkzVInj84a}+M@Z{r?
zoA4GrGWiBRbji*bwNoTYe0jpb*hgcdgE%X3t#KQYLdsM<^Tr4Y=jbSf9S?fn&xgi6
z6_)4|#)sA4sXKR}`lzLI1np)jp3~-;uF<{!oTmJlh_ii64KaiU{+YlI9=of!6828(
z1`KoBKYdxIy=wjPJ9B>|Bk=hT;b1Ri){hk)3jCU0=E?ZKPv2l~(~N99otnFW6OQAo
z867)CS4YzzCo{ZPIFST+%{3pu^PF#8R5=)ozpO=VGA7B=44Ev<R>13yiEcNCG{f6u
zp&ica?({CJA=ZZee(q!eQi5b4_Ht<jF>Mj^{>mY_-!$l!O<cjB6e7Xz6}LyI6S5am
zVh4$aZ;o%!4bnooYFhMVWC|<u_S?*YE~B0m#hV{uwR8d2AO-M@w|*yGwb&i6#FuXB
zgN;KO&IU6=v)w!5jGvv)*YHDgOGX%aDhgmfgq_tn=~CI(TQ`f==4UO~X&@=WR2UPN
zYb6FpzOG2$PzBW@_HsDwsuxX`$h?UN%t#3eUtu`kxzpd(%2cB^Ke)2V{)MiUXlm}z
zHDM&J*@<myK#x;3tEQ9O@iYD%^iHpNvrGLfRFhnzP<;aKs#dPw21}!xm+vtL<O@$T
zZ6<m0kL$QGCS2OhqyX*cqct=<tO8_Clq}OQO;q?7HfLVn$?s1h3socW{Bc(?wwlhP
zz@RM+(>Q)IIjJa3vKw_xf8Gy0!80xwhI8PwW8p7ApRyj+{kEI1V&$^+WE8+}qPgfz
z(7HcOH@;$r>2!q4wgg+h+IR|mUXVc;s)aw_ikp((WwUDlfdXu#)<Bov#FsZV*!cUO
zqvR@nO<KJv@AjtX@vC<c>I5~(9EA>=si>fI8lZGXSu>(HDF)j#f;&!wAIKjdP6nM{
zCcawLi0bR&q|^N9+9ibVcT_@eY_t~a)@QsMbG~QyF^MlU5(h3zJ-hg4f#Xeu{oOVk
z+rfi4NXQwN4LWYcpX!3)9H+4v^^7sz9Lt9oiWsX?wRCD&mKB+Q(ix>dV2u2mVVwSV
zs%E8N=UKjTF^_Ovq_$rp!<Md*-62+{+*TJ?qBy?hT{-oe7kjDn(V~;hyfNDpfo)Sp
z|JVrG2h0PHdd8-jLasejGTx|X`4NTs4GX4AWPI%uY=pQDg?FLHk<d1K$Y$EbTFLoF
z33Y-kK2~5He(q>8giiLlMb?{$aLFdeWGP&9YqD>>4`-y7N%BAU(;1c!`aLG@m&pfG
z;b4B+uJCjT8W$-te^D8RnQTwsaPGh-9sgMAf<Sky4HO+;(;gS?N+2wVoCLK16_#yW
zYQc&C#<Czx{(JFe_MbSLLId}Qr~nPKzYGLEKHshdlue#z+vSFBHs)eAH~R_rJab`&
zFD8{D;VACfgk;rc!QFhz7aYqao{2ERE7Zc65FVl2N2d?ln4M;jzkisgIk)7{{$@J4
zl5f^+*AVWuDRbHi9cQqv1OG9^W9yI*h|5?-!RdniID6QQI(gcip{ACe25@BdWp2IV
ztrqbd^9~Quwe`3p8K+Y4`13-Yat~y|>(X=}TQ-(%xV;lldbpuzOLQSh_m?QmM7LqA
zWzajKQ*iSGj~~zkPHC`_{DazV^$2``{`Wf74wAy9>w0ucg=!^EMdt8l*^cZJm!v-l
z`yJum^+Ve)rC2w1{^$(j^`j(LtoTB>*_niFPZs3N&Fyn)2>29zzx#(>1C;ip4WS1l
zk+bJN@`-$@&0KB$AcY*e-(QH2;=~&ZWLf<*qZm!qfL)y$qEi7Cygn=Dk~8QU`&U@D
zGjcnojVaU&?3FL`Gh(m4<t4rEDqsu6c!~CdKH!VVawh3fBP#|rBFm8^{Ya-qQLG8(
zl=b39`}b(puf(q~q@=Wmt!&S`V$R%9*ETbNWMBI8Q(T!K=z!&P<Vt_)s=fYO?AQ4;
z<A{4-zBy#}a7b+#noI?mFR#RiVpS`5g*9S?i_QYcarPNAEyah5CP9)!<f$14cA~0I
zLEQOfwFCWcSurdUPJY)_+9M98cJ&R^ow70XM=}_wlD<p-hD9l?GU~jxRVChw#Ay?g
zn&8VE#;(2#@XgKoJVXZCVW*w!wq8TyKt(OR1O%6`+-l&1-c&GFqIlPH3?V-YN`FoQ
z&S-@yog;K-lG(b948sAqX#n81&OF-9LturBO}Cc|R6ryGg=W75#@w1(kTWm{q6v~-
z+*Q!3NJS_Rtfiq44eQ#tH^!A9kkWKSF`V7_f7#cyG(?5Vi#;>Ut7ba)e(*%ue07IE
z*Av!Hg`gihzA;x?$D)78Q4oVrE=Q;dPFdS|QS|3v>&<|1nk9e;pQL);^CkkZjsTzC
zI4l|I(O$N8)q$Dq=HNF!FcXds21sJrStLmd{g@u^+)=k3sDp0Z)3;xJ+Mj{2$tK=J
z;|IJvRDsd})kx<Rm$S$Y2m_rD#I6)2?H<x&Hyf=VhCWeIFCqYV#P}9i@k{!aGOP(@
z-0(fi{7{Ew!{BM!v!qx`G^?vm>LE;LiozNHzB~V|*c3l#f^Th3Nh`?1{YFARXyyhl
zGklLU{|8W$GkN?;^qCb^bs8IE2D?uPA-k8D-r0BTNRbFcAwAO%%#oYoBY@ax^(F_?
zD}+QSWGYtzJiM)Anz#~<p@QLio+g2>zh^ybz5DvhHpGx+4ifO5V3C35_b)<8Uh@Xi
zN%4TrNTA|Z<KfWl{BJmN5&m%9NlPm&x`v2^TCuN|j{-9B7exXIdD);#C1L{}Dfa50
z`Ru{Dj}wLu1j2$DVoz{2TvncI79YLf0e0Rxohd+2L~MQoy*J&exY8+j-qc)nuihas
zdr+4ohnp$w2yt7tv@ZjI;k!7Bhi+fipSmiY!=^KL68I;|C<SYdI&$$?*(`7VydXu3
zw~SF-xHz8Prg3Y`#;~WlRLJ?d5%cNZ?bFpk+xeUs2h}1nI9>S3NU?{84`+KwRtTgC
zi$Vr%G3brp4frDQXtnL><qf`x)-ExTWN5ZQSA^sE;A%)`pcSnHh)J>q?w?>%KR@cQ
zmKKfQZcuf3<-n~9_`NQsU+77`e*7jMK%Mv2Z4~`fV-b6YZ|{c%kmNQ9P6xNnUMxB$
z?DWMKft0TOoNRpW#T0{!Kbe$YlGGKk+L?RO{pZ;!fz|Ffl7H9_sz<$T5NI+7e&`pM
zlrQRHjBum-Js0(FM9pU~0)o!^(ZOJTaJ|c7P)po-r+ZO%S{G+P-dd5g#p~8QKq}CD
zz^mWsFcX_oEHi=$0z`elx51{hShX0-`^*w2Dw2^b;TEt5c831e4g{Yas8^{M61;;=
zTINxhNiVT7PWq$puZHmrP$?G(*+`Us0TPzn683k6P})3hM2=3h6q_oO!cUJd`y-3y
z3+Ik|AB$@p`Da81;)hVSly&{R+|eW1o_{g_<Fxadqx;9WuLk^a!tQBn?jHkc3m?Z@
zl>vUBN10CmLa<I0PuJ_1X@++;u}??gXps!_ByZcnm_9ZDeCXu)&jbd9j@~^^tm9V4
z4%RW#`_|CE7K~!6bmKdO2DV+}B93olGs>j7gwbHc46gUQM!h!UwEU}qEaQ4eA;KW*
zwLUh@aQ2z)kGn(Z=dcnUg(Se!obFD&dbf%IG@JGQb74iqsHyv->QA7jT+(-=oPR}z
zFz#x)iYP0q7QTnuM$v*VW`0LTFOq{Xfz(@3lg4&&;owb_qF*%dSKY#pa7l=`E`=_(
z+lcK%WwZ*qg}C1-BpHKZx+X;8$Qotk*%)rs9OIq{ivG8>+b8*FZmMDb;FxIsa#zDw
zG^FI?IZ~JOsX-EUGTP|E`J$|yUqqRgy$M2uVjYl<vrv=NoTZtldZ!^zVWZ0OCXt$8
z!0sfkvtVvh)XE*=K1Mg=fSq?-?N&*!BbR^j{qRgsR^R>fw(D9U691gN*WU8w01D%@
zP%X8yQm_Jv#+PZ4&};|OzHNIqpr=xiM}LT=q^#}-{5q}POQ32yZoUrIQLZr<|8@rs
z^bx^QMG6!WnZDsq@9jAu)Pyzo@^kK`Q%F!bc04!3VdSQFD}zNUC)yL74GS%JPT<3b
zaH{1$muvw3K>SOw>rR(|_b<*^o8=14a@f-eY9G^Umw{6UP;Z50IK}E>I0Zp9cF6A6
zG|si}J$UHeHaRPfk0)K|&MV;Oa66vpIyAI3FXc2B1Va3!tehy=+Z*M?PYhehu5O{|
zdz}EmUsjg9ZF*S`P15gH4El7qIN*|2lQp{8yHW|fp{DH=L7k7Npwk~U1jXmuD`q%j
z_=S!MZ4~ml^A5F*`aSrCrC7v7!$8CXNgZG@{4b<0l4zEMGI~zZJ}HXwqS%|o_iw9D
zu2Vsnq1Ua?--qaw(apV-WXL1X)ur~4r;tiRk`nz-3-1*G-By3;<aPV|4soU>X0wQA
z(U%!X=3}6h0(P`Y&Ebcu;aC)Os#xvTyChb<ckL8ICggZ4OkacO!rP6*$|~4q-@)EG
zx0}gV>GU<rAgSidl}y<qfJi;m2d)(wdUgp5prW;XY-fN{WB+%CEzSo5h!Z}nF*DZ1
z1Q@{ML)+gA6ulawXdvh<F*o+tG}Z?2^OH6s`38gTX82J&J3=)>7YBSW-6$*@%lGrl
z^`=a`xuZ8fUu9o~>-t2TxMPJn!-4+b+$A6dz@-7?=jn`LRb1_Hdz_5oZHo}`8Yfd4
z#mk)QX=J>VT!34RHNp)=0Wh~%@dgB1%|y&d6Lx<w=-U9zKNghR*K1;;5l;`lbVm?m
zCgJ`?+jaboexy+za=!Hrao?X@f{OOo7lrtewW%D<F-T~oo%uC^&yqI}UY@n<`|-3Y
zm$@kvQNQ%Ay)-(TiI&OXwSy@`qSw0qf!?n^G{4uc?q5Ag(%4Ka_2diR(|bd4dfn<m
z7c2Tl?mFm;P?ImZpDnuo?sg(^Zv}mkkz@Nq&8D?Op|lyw2Tr>ael)nlVA<?}f!Esg
z-kf7$jyJ!wILe1lSQ~!c{LqYLInE@in1u=aI<Fwgi-SPCsL&gzcoZQ2|A^bNb>gwQ
zs?(uuMkZdn75btFmWKfXj7p~}2mM+a#6h2yjh{H%=Wu(kb%t-H+79CDMH^{deD{Xm
z^qa|Rvp}_uHVH3pe5pia05sWj!0AQl7aE(bJz>QpLyQG_`ZdY#aGZ5?djRPIpr&?o
zfCTD&#O&I0%RtRkvf*z3_`Q7j@w8RZfXH1r33;QA8%<C@Z@j3=;bx4fjznl<rmTWu
zR%OJhX9{j=e5qxErxLd&Kf`C@&x@7Mu;IRVw!Dh&%r=<rm|;A!w*7#rc6_YxbINz(
z=_y#^a@U4LuG{1UpMzYUiT5J<27lz-*i~p@dCa(!3sWapPkXvbA}8pE#@Vnd6KR%T
zwYQ?c!c{D4Xu%`rS1XETwbd;N9m3>tx^mf!?n6P;_;*IECjRnQZ*YyV`fzkqdya-s
zyiFP88<AT(a<fba{29WEUfpX{m7D%k^+{kQ>#f#|TW6)p9FwaT%JF{#?F9Mw`hFjM
ztav(@rKt&~T&1C&<qC>Pa}&)m>!0)`S&hS^-_T!kQ)bb1P`pIvB5%*bz&(T&29gRT
z+=#)%4l;?NP5yj@d7uU2?eS}7F?K5SmiqBi-H2iH_%$0TOeSY6qpRd#Y@h@rBog#4
zq8RQ7-^tLJ>YS|YuItmCQax=3_#*%3E}17di#D4<@{hWJevkHv<9Y*xM2R9x5Gn-B
zjU>DqBXv6Bs&Sp<Mqh;Ok~wV+r;SX+sw>I;1f-sXf*Y6)eXshi+}@!h7ion1#?FZn
zZg@ikqR{)*M$xQAENISY?Kd5}Y&<0WYAc!U)JXy2_V<YGLo;s&Ipv#hxes0Rdml93
zVL5Y>oxvF^u`ZiB_piCnKEx*4cX4+$H#E{WVkg@t52tIwW;Fr&duK(kXf6JGVYbDe
z)CZS7ar&m^&;C6>lNO4<2Q*ydsQ2=d6~FEqJtOLRTsA}+K;BrkIdklvJ6@WmW)KLG
z5LCzcH^)?r?|kLh=nFZzN|%ENW2Lwq8mN=HIs>N5<s=Wi>G{$u`_Hk3hie?~gucol
zId1H*6u*|g%WB)Ny@lFC-)V9o(lk3#PaKuYF}XeW7Z-q9)z8+G?7MiaAcFq*`=aUS
zIzksJS35$w>TX=@J;Q9F68*4*H)5t;x#e=dX=66JAVkhel2taQvF_V&@Kg6c8&X53
zT5Nl$DT}_lKY9!5GI!VXHMusN|6v&kUC6x^gJ$I3fC+KiDX4nr)_<O?dyoev(wN03
zUigt&UDfL#c%Yf#RL9<kQDJQ$d=WYGYwC85W9*C?*}7H~#_t`FaqhAVmi_l~WZqY7
zNg$W2pN$<<?+Cv4ZqNA+pD-A|t8mm-E}PZKp`;8}0R9FaeonEeYJg&c|5=wbOlUx1
z&O&`S^QYmA9<cXQ1U<VPULykpn_1iwn=Py|=CU!LKqgH?4l0*B8wPs%m4ivPiR@>+
z0k5d+jdy^tIcNR(RJ$!rVsc(hvh62$+d`<q;=vfsd^k-PHn=f^o1-1Ghgfn<X7TUq
z6Mzg%wV@feo8=LwkeQwXB+e~4x_aU8AW#$hx-#Kppt71M%R}~`NdI1;kiG!Ec#bC_
zNhp+4-`rs#DZ53vz>wFbY~jy0TlS(BXvpxbWww}9qga+@%;a6j$u=Qq-Ykf$EGv@o
z8I}eUO)J`WK*s<Pz<n*BMadUh7=D`GuDHU&llY{k5AT5!yuVGUF(>)^$ce%KC-J2p
z6kkmD>la4Ytj@#38Z{yf`6@MK2pFQcJ(8CCPP^{VyEEteLfF&tWq1IlgU65By#0aJ
z++=(IAL6B=C>Ct})Y}bGRiWUbb;(5qr^vjPCxb1AhRUPq$KR^*n!h|}V*$8N603aP
zKL;6n8X}nVt(GrfTMd`!9FKopJDw{P8uRy6^w$;7*(maznX00)-}ZA9VfN}G??sPQ
z2M=kS1q6DVv*yd&jx8-G0%sigv?L{7#P&BKMw;+;btN5ZZm&%Po}MWP*K!(4%Q$E;
z#&!_sSXU>^AwIdNV-qyaXD;+0&6ub>{u?L$BS>J)a=@J`{QI(%L4q)xmB^9lkL7!e
zz#NAe1e`AsVU7pP3P3CeWqkP}dFT-dNvh1OKoAn?F6f^{Vp#gyXvULlKb@9$!eBuT
z6;)(Sr-NC6wMUu1otPj*<!IwKeMR1*)FqNyQLEkxJ4uDSa0%D@5l0c18kM#H1MSw&
z|I_XU!oe-sC3%Gag?QJLj9w@4e0*+NUy3m?2`ZvtkA|LpIQaT0=Ys6EvQ*kdz<B#F
zJ&MK6gQt^1z8z~|>CI}g+Hv=AxJ5y2C*W{ID1#mK300xI;o5!WhJV2&Zk)|!k(0*2
zBfe_fixY)A$>|!|#-id{{?5@xy9dh3M{)QJko+f-dvlo`vb*o!qOZyChFU}~pQ&?#
zCy2kxIr&47Iy^heMbxEEzv$OXH+=!jwxV-iaKawsrIuud=II22$#5M0Pi$T=rBmK#
z_^}pCG`?mTyv$$_LvbkGZ$irOW4Y3E@?Fc5l1%8c=HJ8BGK|XDT6^}k!*9;FDtva0
zz7F_ZaCNUUswGdc>Vg)men=p@%*^Bb0$*rv>0v#jDyHIe$R|*Z2z68anQ|-6Yjrd@
z1Ms~j>nEpzW@(YA?WCh@Dw@~JHNyomuva=}h47rMG+4&>Tu_~h!5@MSEiyz)5k5CW
z1cfIG?yD?~M#aOq|0Jc&4qZcKNQX7Hs7G?1j)9t=45Oqp@%8G|S-~!pn_^gy5OrtT
zDChNR=RBv&=x0x}A+m@2@#h?erGP8%;mwncFY~znI$+bsiY4}2u{#<(>IS(oq(*@k
zdgRR>XaUxBg?Ad`uGrn^rfCo_?ENE`^6$YBF{^WozS9`p=<qwqMbvR88$Fa4(a5e^
z`-}X&NO4t_K-;L145f&JDo7x2ypG!ZY9*kmDm&Q5szCY9TVAb@7l8p29I7%XE|J<q
zsIjW?6Nf+Ot0V<W=-Rxf{Hz#T<#`%GQiV-~6bV6}a_=u}Y2S&-x+K7S<BtT;q{w)k
z1ram@Il+Sry(H)6XM}?fgOv*Wz29AC2QJJo{6m&0Hi5tw37NalSq-BafB7Jo1mC$r
zx}HF~jA@+lAr#AL+XS<~>tvy$uWj;act$qzW9~wA9a@gLHdV#djfkRohnGuG@fRkH
z$gRO;`s7U)eV-F+rR=Sh@2=NT5EoOy5AO=ite~eybQ&Yj*{ZIEg*zw=*~6S(ZuKR0
zIhfCCH+wQ)4BsSkdwLte8S$~&?SvPt$y!rd*;Jw(*)`?opC@Xg9B*0NgAFG8uQKFW
zCanP3Be|1QO!f&ck_&H1csfA-#K(KMPFko#h(?n6^vU6~{Gjj-X+=}r8XnAExC+W<
zl?0R`m)Z}t?q&iTk!^5?H^Ow<Sob(dZG(TQbwOM;n}ACiT?yi@y<TLH;k`~o-IBHu
z0jje|MBSsk33a+^#KCd#d&MV3ulR!ian2%i{?$coG(X*3P|JbqImL(9<s~JxA%*&0
zGo@8RZZe8+xrCrWRG9I#Dbn&`im^kJ&A*}^aEMw@Q!6~-_z`<pErg0XME+2+tA9w!
z+11QO!M^wlQE&{uAg8xXK`fH!>m^>gm5TT&VO-QWLB%XTR(BL&?XX0S>`DBIMc*TI
zHIG$gE7-XLA`uY3gf=|zMjcf%8cDyl?PK)?#0ie3?XYC<IpsnF%W1Wg7Ae$N&$EQa
z{@RhxJ+s%VbXW!-0^e@X9w>F<PdOnO3F6=ni$*!)f7nP+q&6b(VF7*vN(ksL#2}bn
zdo2<q11)tiM=19p&h_?mJi?zuGy@kG2hA*z-Q&d;Q9xJlma65C{`?@az{gVpI?Uyj
zixc5~rlKFjdKW7ssvSW&BEmm%3!a1y=xrzkg(Ql>d^%inAA0n*{C-WG36G3#SXu|&
z%JvT>*<kIh@HIV@u$`m#T@>(3RJDO3nDIAphn+V?ds)hg{hf2?t?;>KLE``8yh<r#
ze$H_B4vqPQQc_N0nlJX9_|?KFpXSs8CZ^ke<%((I|0XU0_{*Wa<I`+yn|fmY(^oUa
zJeBCoI8=^QFi=QA6C;^|pHc%6iX0J^j6Nq)_XA~yX5Q@IOcWH<e4ytfu4e)DjhR<A
zM)Um80vi~LGk7CjN+$@Ek6FP^toQ!F7Pr8|dZGEx!b_JGvw|D$(<Bc{-<ryf25dVR
ziRJTc6+Y;Ehu!HeNMys|z=Cqc75c1_jwPdgejx&oTXy<%o5NR-pB=;e2heRr1rr*S
zGvFCOX?jeOs%$Q_;T~#R;ceRwMXk=L*0dCY7lULYLkvSrG_c<H&{W6;gXX`&R7Oc2
z8ikR`>iR&2%mz%bs}w#;MFxg@MYX%nas}d#3^Nt}7D<O|a{%HMre0nq;*VsiLKQ*I
z#4l9kdHk`;_Rp763&zNwrqj8DDn^rwDCzAk+I&E17-J$2(r0-Zez_=6KxX#4pq{c7
zh2s5GDI^-ePC*ls<5C&VsV43l_Hdk+T$H{AgG?A_nYjfc@>j9s`*%g{3(nA^ke2Ts
ze19~Ngk5iivmiQ<$C%Srj)?M~@fvo6$71C;I5`CU(^tEbhsky}-cJ{)LgbO<XzowH
z@f_ELBB~~fY4UmT1rB5?SZgrB)_U*8ssgMWlvBc4*S+$R4G8Z#Nv!JAoNDqo`(5;w
z!xKnVMOJKQR9c~sik{-Im8U$E5*=@abG@oi*v&ukqY<aVJVfT6J(1LNqAtd(DUn}V
zrDs)99#VuPOl@ZEq)GoQrVi8~%DuOd%ABB`pR@n_As8npq!umw2++x<<%N*u8Eth<
z+qL-1qZe18FWOq$tQF~!k@c){22NFWus&-rAVvl`oGN@8Hf^ddv7{IXs4ko05LmbA
zS7!?UkXFJpW+X(H87N@wjr&$~`%KDXsjyFxl^qLfOor6Wc&EwS`a9@EN{V7@2+lC)
z)u$3(Xxrd;Ss5sEoT_3LHtNlo2tXB-GJiI>5Flk~<A(nx7gg({y|dCNI3=~@{NzMB
zLq)ppWHg`_-fh{IigFQy#9z@kf$vZ4uyeMT2?lz7e2tUXo7N$n;>?K822d*JAePF0
z5rlx1qdqDZ9+q>s@uPk%{jIDi$Ibp-d1tz_fxi-0{ME9TrLX9VgHpsypFv-W4{(wf
z2?el;Y^*u1bW-<BTY~HW=0xc%`v1%_c*LQ65zkYh4EJ%hF3YsI<!J)wSm-}=3=?Ag
z?ddHK!y=({k{3;8qc8-Y%2}h@=mKv>1H}Tp?`cGG!zKCdXWj~7T4WH+qM$a>t2mt5
zSzV7sy}ljB-G@)Vx-9x5#=q9xMwvv_O;g*eJDd(#715mcV_YRum5Ou$7D)`SMbnb@
zACFg0r1JJ$bzLs}H9S80!o$>GMKre+B}`FaifHJA6>MKnAdfW_!ejMWt)!KG_K-5`
z;Prb0G>S5n{N!0<*(eVG-h3pBgNe4T6v>Y76UL^GL|5srroBOeBnWBv^Ml+i(ZtJW
zp6QhB*6`*zMO|JIs!=9}azwi$vt`atoj0t~^-sVaCw(Rz3x%YLL|#JI)xF`9@PlXU
zw_g5})%u(0t$_#zy7J^`a`YJ`0Xh2RnHIfqZ9Ae^&1Ea%b5ze<85D!0e&xG}67V<P
zH$2{n%~CfEnMYjC=#_!_{)C1#1#RECFcARI9lz~%&i?%Jh1e2cAmPllp^XL!<3(B0
z3M@{w8ijk`&@h}rI?lV7Zpgg{PV9Zy@!B`76v?l;@7lXHp<`}`4B1qtUWKGWmz<%g
zJ+#Nydi<G8p-Y`9AkXmCgXLcZKFDLQ5#ZhbLYKX9Ri6Ol2WQz;Td)ZS&L6qYZEj?N
zEo$w`v8n<B$6u&YyUeU;9Yr-W+9ZS%w0HJ^Wx&Ae^*xRRb56|!(*;IHb;WYO-<&C2
zu0~k%z}*^UobMC@gtw%g;DP`OnBqLtz5VsuruXoHMcRy!-{-r5FT^s&*iiEyz5?{r
zGaVBGYV^>)i{1<j>8ph*mnpn^(u*=?1+~o1uM_eh!iwUq6%x#_j-hGN>{fwjYdt?f
zvs)7{;9I$Iq$zCF7*3Qpy5pgQg-JSn-q-e>3K|C!0Cf6G_HseOA1$OXa^%!4(TCl*
z+vf~aL6Phc7!^p-=@rZ=ca*{-oQ>*{d!};AASj5Hy#D90M~1rFXv6v8&!f^#G+Z_q
z;+pTfPWz`Z#ezWusOWMu=OLk1fA4pa?3c)nIgq+wX8IDAZ&u9@aRw?9c9M1e4kwe3
zxROvjA3Zw(>v{ez(RdWhc+obA9tww3t)RytPg+YsCGt7Mi|q1j;|EecJ*S(71Q)N0
zFLao84yIb4M3x)7Go?`abhF|QvAP5~T9d*Q@(fxM@J&ubv<zBE23$0e?tR~-=B=OI
zSHjvu6q$$O7+|t#f%dG?_6UvGznX27_4|mTqyMGYzds^M3u|&2BYP#`y2<VH9$*P8
zonf)hqvb9nt-gRjg=ckN6jbo?!s=R9!6nen4{)6Bgp?4&>NIt@@X<A3+Fd%@XTpUQ
zySt;Vq($&G(CjxQC?PU?2e~rW=LCWa@jn!$?ua;K&p6+{t2lX_yRQhf==a?VR-i@w
z_PCBURQ#vp-&=Igk8obkHQUt|Om!m5-(1jNV5H~%X_+2M1eLR{8E2+F&z&<(-|_m8
z)*kP?zX9jIPBu9Ei>b8oggsJHR{PgkYr;9@u|ORRgLqa-A;Zhdn?WA>^AMwZZzndg
z2oV435K?*@)2k*bTgM9jl#-(UhOs*jPEXJvK2_F1cfk^L;g3OvuSgUTw1CEUn-hh<
zq?J;JX=22Nj1;(a{&2f<p_#U<DPnd&K=1XZ`ZyqX4}@dMg4Svujor=!@IrLFP^X<e
zo-wRjF?;(X@C6g8fwCD>iGJZ1A%IV>7>pEzHn`mJK0k^H-S5c4zQ5DR<MzH88WXBL
z-k^^N!<uHU4Q8CpVJ9X$Y>Ug%q2DCwl8SS_<(s)-_w_y7@HqOG@vq1*$4MTwO9%gZ
z?K$O7VhqPMkg6Ji0%#(<2Cp7hc+@6x6zGwVR}Ra6Pqi<&%8{sYNB_OGjZXk#=p>6(
zC9I$d;uFi8EnY4M`F+P7T_x-`2k+$dj3P-w=fN0b&nWkr1waSMm66eZFmDp~H@-za
zYBc%zYKE%&G0JTj6@Wss3lSCBpt;d3=*)>t{$kRJ_12OVRtlO#@vZAI(<W<-V_n@~
zdpa-aKQFtD=7-q*(fv;He9Kbla2gn)l!rLkC0(&LY<Uyl1IR*Qc>(b*QB@Ko{5opT
zjUC=>O^dH}J|IS2M1zqYE~=E>fZtB%OXPj1FwaV!kkNWRkRl2WWHLpQNhb$;;xsg}
z+BSaH$W^{Gfl32=KZa`fkYwnW^*RXpW*WX(mt{l^Z-oikrIGbeM8qeaP*!wEidg1b
zY2pob?-7l-w$pB>Nih<Kfg{+A9ZOJ)^IVP0e{Wj<6H?DsE6>tMWHe`#M0DOaWPd#^
z1-QoR^(l#vLR2U%O3xI;tH&u99Z5{@a&6KCW>cB@33mU>fNoiNN)TiLA2a*2Yb7M`
zvk9DOTGJeI)lYcwitibpn~x_5<b400h60-iUy1=MN?WlHxu?|6y3I1v$_Qj%M{aCk
zFa|HvY#(-*l@_Hi{-tn9?dlOt0R^&B_YzW=JPxu%Gisi(y$m_(Rw1`#dEt}`0PiB!
zY<m9{j6ta&$3s_IAWxWa!SuI=d~cdsh)C7YrDN9k0}dqDCn}P1#T-$DLh(0sEX=IV
zuMf@~bJ)&=c~?id^H_+3RdzPyWf<Mgw|TeE08V!ihM7c#;arNHFK^FNQ9Bwu<#7Ei
za7s)rS|?~90Fc|~h=#fJhcFHNr$|h<!OD2?QpUzP^AXqW<f18nZ`Q5E9Q;2lV@?E-
z!PslkLk+SR<uLFb^mVCYWtEi%j))59gBQZ7sIc@U<f`d`b&)CLeu-$16sQ%z>y2^K
zWL`BItYE$KpDF1V4x&svNy>7~G2`?@oL7}Sv_N)8AZYy=9tIu>gga^nawLD?O^diP
zRL;v)gI&ejPQx3V`hA4m`IH&%EE|KLtZ0>BSDZte1k>Ss1@7=b=SglXtAu`Q-Nd9w
zVVldiQNSC|H<ymrX9bhc?{K`P*!BlQj&`$u$FEZF01mOk{_y%@k#uq8Vi-ooz<21k
zOl-7w`FTdekFG*xk_%fA989F|hps!H?PT-k1m$iI!IVGEaZzoCIq8li8@!n8Dc)=T
z_HfmBvcX~F=;Q(pL0hXH8LH=PyA4CxP(v7(XFO;!e^254Rn05?Dkk|66?$zNcQH+N
ze<0^OFQYZt$b&^r{;X-W7Cz7CWck-F7Z~U{eqPA@5WjaW)etQWNI_i(JmvDUD?z&w
zBK-%;<yD#x-Zd>N&bR$(2E1o@J;8@5R2hkjK1>G>jaomHmGPE12~F9^-)9A)Ox1-6
zo}AL_tIg05HJ_?W9Jy70%6$OAnQ3@tHjCJ<6E0~7f%Az{V2w2`R+I?;0VpcVE*-Iz
z6&aPy<zea86|ND-v%0Pgs@@4!JTg)!IHw4EYj{zM9<T(?wq_h~Io&V*ssa3LONaZj
zY8xI1A?$L_a)8cg7#D=m+I@U(y3K)wm4c}*Gt{(Hb^9!A81}Qt@m7_kry2smraYKa
z<PXW#aG=vp+Q^M&o@zl6GjWCRxoKC7l$>6!sV&%?DyG>ecR7YQ2EleV)_Z<Ni`qV)
z!x1+uC`wrCzKFS+=yK>%<H0l?JwR(Ia|e=Og4y4PBaG2u?jt8nhl2~NKoTH4>%tBR
zE7wYrd~06@N9f9~6LcYM`S{XwRq`pHg;!nPa4p_xSMx(aET?N_v9O<E^KrEl(!&s7
z-ildn>C;0S!@Wa49G55ig*Ai;jJl7R?YRR~%?YK*Skfg$_xYGv1x3E{Gb^aVmc<dE
zCiD*d3Zn(2!vV&DoG?2elvY^!SM+DtncKbvR<~JSfbJZIfyyHV0{#{vBS@9nDxUc-
ze+PkH|I#Z`y?R6oUR~J3b@G3U0&=e_9cxTo%X1B`-Jsw?Z5yjw-mHw{(@R7Y5X{~u
z3D%Cj_$v)OeO!e-(DqvVe!58nm;j)rwGM3+&_F0ov;?GGJV4c*&*T9on%w?YmbMK6
z+e_`|*FPC>(2)M;e}gW{2XvjUpQ^1ipu_7-HUj0DJq|pyX<6TB=nIC9h-8B|>ynGY
z#Oa|4^P35+<Dgo}h>&FRxH(VRZnB%r(0GzYMI5??vpEXGXo1z5JSXA!tob4A&u4qR
zya?Khya3dB9D^kK1v7d6N**=Q?+Pnchav#wH!xCv4f8Kzo9d436JYG{D*^XqN2Y;E
z&x75(Pf)8GA-T01r$dv=DnG*$>`gPU*3%51K3McJOjm{d*19hG`ij4pg$N4I*;@I|
z{u=|#OErxrpMVwkN?s79B@vr7Lj|?#+TI8%D)0Me1wpqLfdRQmx?L0z_wK#kLd-Ta
zcw&+*@i01+LSJbpXzt>cw<j^?{om^xN7ZFfON2K@@PXq2&sSdhrx6JSO;Y?<v`bnO
z#!0Eg;&iy{7rMNkI$fM5cA;WN@X&v!a0RzJ&YR0Xg9-^hmUo^Zh$|VOrqUNh-u@4@
zKaUmg)1`0sZpDqBes})XwC*oX7xv+ZhQ;<xZl`Yy!(RJTyfibGsABf+muDg-?exkg
z(f6U@Zgae+`HAl$tiG=f^wWp-2nstV>QI;fPxZrb%vr{2@)yFPr?dlHu<r+Gso4<?
zu~p-n4+8dv-zIfqPK-s)Kx{c`glFL_c*O7cWU3%K$dG5`=huBU$%5vpYS$j0FNQhB
zWO1ll!<~e#`am=;1iqA~rgN;BFsfR#t_=v}ZL!gDZi$cA+YJ@`LE+iC622BDeWBXj
zcA$)Ytod>~0|V}%_uhJ&mlJT*HEqrA2LXmQh#y*iun<Kq&Yn(^b@uzlO%`F>`COqJ
zbzO|eDEbEo|92Jusk<XerC6Mi6fo%Z(?&2qgF7+q-dCs!{*yk|7<}42vlhAOhZ|km
z;DKIuGZAb<E{v%+UOAF_{#9ie!yL5jhp8_RKqeP;$VNS@tYA9Umf(A{h5aZhw9wi7
zk$h&Q_-e0b?`OAvZfgAqNf`$6t9_)WgAK-qB-!^yj;>R54Ns;DQ4wUq5hKgwp^$X@
z{Fk(1GNEP!m05vnl^uM=byX)pOZ&oNYuH>jK>k!CNhg>JMtMp#XSX42;2^ggq)+yR
z7^)fgC+*uXk_T-B;(v`PeOH@Z5ftGq-dJw60TwvFc8ZSzJSb-Q)6@b>I6bVXfotkh
zS7<zk)~}MTY&<~`&%C+9kE@6W?~)%eP7I{@u+Q<!Zy@_eQ&=>S{>?GqdC|v=3Bpv)
z7=9PeQ$+=`;_D6SnIwt_XE}zjp+sO^+6nwBsr#R~7`7|3UycQ4(^oKfn$pTd1$>>@
zKyNZOD4U^aKH;IB!iuOk99w=6_8;sXQ%Qz7*w|pk2+z*;!g9m$ss<Rx5+0^Kh;?t6
zL+ub*ip;@S3*LQ=Qz^3VV=<@a4m$8Q15}0Xy&vzs`#zqQ%<%zMs`jpLfebl`z>Nf;
z%#FlU<-8<h8b9B4tDvr{h1P+U;y=?Y0U={PMJZZ-Deos5@oIX+z)O2wu9yhMPmSeO
zHjW|~iC}nd?JAh*>+BA&yQ7kH)cNf`&M_uKia?6ix^!w6i?L?*Wv%J_bcDf%Mh7fV
z4>MC}!^8VwT#)nRnpq*ItM}vwk`!67VJ*xwx0>TuZ7}ButB_fMB+%N4+tzU7-r;O|
zeJ>qJ&CwuUc;V_4UZFUr+?!$5=PM%={F4*r5bD?80s4U?OE7=03St_j*I7jDLWK%W
zxrq^oAI(d_lYsxN;m@Atf8QiJ3ue4stakB#IJvu;Xko$&-O5cc32uCw;rbRYY>Cev
zDj{jci`QEjqiYmA7@ZNZmprcPxfaxzOMI-8!lQWPp0WGNgak7UExLWbsf!Dw^tL37
z;(iA_Z&zpumz?k0hY_|Y#q~L8{Cj`JbHNAyn$xyVK9}002);`ing|olAmH2Q+{VWm
z8i~wlC~8|0+TM>J-{+m$bI@ksVA^k-ia@Up{%GO8CP)_f+fJIuGGy;D{(Y2FGfhVs
zz&`gi=Frn@(3+k?@Bu~88u-NKO0O%Z%U@>qOaM)01NawC8x(eW*0<*)UFXd)KSEqf
zv#-B5`5*U!FhPD3>?&3fR@?sx`zb9S-#>R%-DIIT$LXaXx9%=#vt4DUC{;!{-#Qv*
z_2pt-Ct}7h=W|k5wmDv5MMuCO@pe4CN<q-P8UT;wZfLFZ%D<YrB+}tzX_3{;G3Gs-
z?VC<MAHZi*w_&(9**x?M$2!S})BZw*N@w4K!9rBH4nD`@MVQ7#`Lz!}w1=mgl)#Bi
zWvUc_BvPl+LiBfnbSZrI>X!Sa0u|;f)r2{1)-F;`c*8L1@aR!ZKE%HpxEJnq^3eku
z&~0UOPLEPZ-iggG(V0Kyzkge?JnYSBhU6lx@93P57Uu;NomSfJ?L*g4+8CK4ZHQ8y
z7iXx|&1zA~N$)UTtfs(<l^F0yUT+erq%}&s@X6T48L#<u=Y?U~;f2xpC}^<4a-Ak)
zA|}@Kb*nK;_r`uF?{F$kms8Qmu9^n}`o5R8TS!u0kmF{*AFC<`M^f(0>k6Ig4^`2=
zFSsL($o|Ke@j6kMzzxR}8EWuiG5C05{-F_r`esVg=}u-{9BE$H*+4cH_G<5MsB){!
z>+5RiFmf2BH0J!<v~ZNrGRBW@-|0qf8%e*Wdo4r{8#1nGsD32!is_4KOk>7~+`6J?
zOFpRoKmn_w^XGn~HKIP5%D+!oMnn4!{?o<NcUNUJuWFAeZ4}g<AF<*k*isv3wyf_X
zMVlw}RTi<P9dxG=oo}ybc%PonPV<YiVyRdF+8@(#w;`4d)+dwIa4%o2n#kn{6eXI3
z%%1uZ*a3tnYAEb1As&`;CrD?(pyf=lx`eJ?lceI@au{v)qF+bc5?rEGfiPQ0C`_W*
zHao7rLw9g(L}qZ~LW;5@)LAPEyhZ5#S<eAq#^*J>pshR2r>V8G!RVk`=3b*?{z<Ov
zRsr_i=s(<Eh42U(eS@XLGG>JJ@V~On(6p?~_M-o^Ou?x@BG`S#ltht$EVN_qr3hOv
z+xRBlFHDZUVtGs&s|jRLOZk0xX(;r!mP;6bQcBBbe-}_c;C)6zzrV%sc>RW27%78t
z(c+5-uhY9wrH?UeW*l?9#fgxV=_;t8;@#lzZEo)and0$Y>-+VF25e{FysP(+%@b19
z=E$w>T6(bcxS(=*=i5*WgB;)QqNw0-JWLCa(5FV_`2Q5I(B{Q`iQg{@*38JG-x;)s
zIX_tOhqSop-f~Z{2_FT}Y;~&CY6w{xnvUjclsJ*DO&i$XC<~&7IRy;<S#`JD5>^82
z4CzrGwca3c->|8zM?K6e(pcqlpi7m`*7xcxgKkl40j{cK<PDL*aG;X;<5*yrV@R#m
z)gDa1Ye(4CK%QSjbz5M1LvGJo+$A^Loqg9gc^5o6x?~*N1Wx5CL?OAT5~-BFxHnq(
zGlPF=m?o^sidmsKxBN$VLk?|Rp<AST`lax^MD(I^oyt$az5ohCYUcp?;S`}om!7M(
z>{1IF&pH*(b@Nhh2x5%y{r?nTCjUms-NrYioPm!{cZ1?g;ZAa`Oe1?;i9iGHWp;GS
z69vTl=agP<=U#?>+A_Ym=rd0ER#FIl@@Dl;<e!%FWBA9xo_l>2>=g}?`fG&fT+O`M
ztOga_aWG>C{Mnq60<U9tGYeM*i488^Bdo3;0s(ibf1|G-Z@|KSK5~XU8S<j_K8RH+
z?AI6;Q=l1d_iWF<Z)HW3lW%x100CpXlOa~{s#nYEhca4ZNR(YzOo-wArYmfL*U7y+
z&yjuNX~b0w_xqU6AP{DqQ`6}DKPdDDl@M6mB)MUHZGfuM5(&%+izKi5pZJ`7T5oiB
z7#@~PCDOl-cGrJ~xHQRu*GGA@*ISDI`-o&t`L2I`obLnZdBRIdQ6MceEOkE&8(#Q)
zHHu>NnyZSkyl{Zz(teR_8WojXY9s5c?w2oX;QL`$W+mVb*(Im}lk4AnVf1UBgeVCW
zdQIZ>k$=NKX;*;!_cj}(LU*ujL?|mJTN%^YVd+S+^y*YTr__son@*{}lO|QZ*CwL~
zH=WCrn-8OaQV`Q>z6=d>oX+Axw?U8I;bl4Cj*ZRZb<)+LOjQ>rwOlaXYP$+?%u4wu
zLtU&#SY!)Itz!|?!RvcyAeWeVjEOqj+TsGi9>Jz)6u;P|77}o&uJ<XBc3-?koTsX$
zJfsMz8cfR%U2bkmNMV!??n((B*$psw?Q>9>dvK)X&SbH4O@#HgMg|gKi9az?_&X~)
zaHrf+vdY+Et`$`_23yNFxDZ+s(=dnKu4A@kjTm<)E)86>XPlv*PsU6Gji9~TYzgAR
zQ(YX&OS<OO4!f`LI+j#FsHiZ<i4>Xp@&x1Ftg35k29DL&N_2irB)@CqNJEMye;@og
zUo!cfqu(U2qC!$~&Kp9?V+p*O7XcbtWJq1R@g^$!)C3bF5yKz|gIaZiH9CyjqaJKi
z9bC+nPFf_@1OKxIc;Smr3C#1$iWBg5fzDQ{8z(ExpDCv>@0;3Dm^$jJTzog)U)&&n
z=TTCKk9!|G@)=%`z1CPULwvgwp!GQr$myqgxq4;^1&<MEZ{^(P^Tbmu;rJ`^1UhXy
z>`qP9P}k1HKA;HeLr2Q7hy3C6`_GgrV6_rR5D2;5D^sc%u^}@Q#D<DwS+f38sDYPA
zYUYV26}&m+!e23~FGCv?4<NF=Jr%TFp)vdmQL3-aOQ}ri5++POC?_Z)<(y$TEV5Bz
zh~Om=o!c*)9Li#65fBfw{QEddg9-hM?20Ai51wfn6uGTduM_)avg5JpKb@<8LT+Cj
zj<tC|&D5fK9^rL<T_M!7Wsj)~ABg94YK3G-3ye`s+VTFjyzJ0cYs_%)jcKz{tP%`F
zSn=6SPk3A6*}D@Tp%l`pBtj<F;FSF?yWS2C7Za^ea=g~z+VVr#^^zjIipX5tsX1?$
z5(my^jRa?27<aEm;)+|E=hO;IxLZ<!{wv+Ou=LOF>=<1SNEOJAC51FiaItMv+2HHF
zthPB&;cS49W?s^Sgyf=FLHf3<5MrvA==o`l;wXbNI0y!BAZMVH;Xf%@29*ZLxMZ<|
z?o`2ff_(}0bpG3Fdfi4z)ppx~MIt$)#(k)$6@H}?+*4~D!K<a>+3wt^f{<KS>-DEG
zZ!%84`#&<V^vSTkGNB9(l~!&zX<i%*NGpsnL{v!%BXQsT!q0fwzBhm2mFBpAy})z$
zOcqD;+NqcIW3Myo;B|6nSDTq+2j*8;L!7X>39>&FP^#W=<2Z&Tnyh51N+CB$c~Pw)
z3<z@|=J@K@p-&k6G*q3=DHn|8G(;mwREr49;i`T0Dc}nEW}15Tk*ikN$24n1)MqyU
zSP;Aj*x-W(eT3uK!~_3^WwKJxv;f9HKISSFy`$mF^QhpN^EaPs9HVS3ejTM~?O08*
zqf`(`Z+HIy3kz|3WrpK@Pg5z%BX5ook%tK*e6!XCy-H#icwJ?zcqyq?jhN=aMCbi6
zyeT@TJj<XN4(iRwch~pfo7NgQj7*lOjR#R$*0&kg>6ag4KFpj119mao@}I|o?vj#z
zklRl-oj=ZhI>CY#uJ-NqcE|sG92ct3>R;52a(^^ZS+_SIM_wf~m)I3Q!OMg(&`DUA
zYn+O!RWHu0muT`dai__Q7rN0^aHyP@GANr4m)pHhrq;F2h@`MNaYiToGD>nu%`EN)
z`99#Y{KEco;#&VGZitT@2%CRL*VoB{c0(FwjfG1N%;wgw1jYqE4TAZu)<Y>ttg0f4
zzGDL>fy*yTSul2n(MV+}%)n@!3Na$Q-q;M-T8!Z%v)4CY(x6>mHYAnli50$mvDFA!
zI=ZxA7uXuiB_5l+bI<e|-X$B3Q*P#*E(=Ji47dkjEv_;Q@tj{GT05a(l4so6VGYAV
zMdv%ns0ns;D*P{W4{fc`u?&r0zKqkw-ATKc(xQZst)?iQrR2cz#VlUmrC*Kmeu|k1
zcUS!Cw>A3jyO#VlFhqrCbtJLM_U_wl=|M}Bw)J07Ao0}APJb4i;dIZ;3#oJXe%u|q
zP9D!}nGFzD?8Z#nO%t^wM@Of$WsTpf<Zvtb;|9O&@brF);s4OTJ0akaiyf91Fu^hY
zDJ0C~Ng2q*7e`S)gu%ob=0Mu6cm1Um2E67T5kU4el(0b702eb9$D;F>`}00?X%9qL
zVgHap27qXglBc_~-*2be_>o<57BvgN6wtlQWchYBBU+W3=2)^*U*B@qk?c~N@qfEP
z2bfRKM(>B`8#_G(4N_R4HkgD+|9sM6z2HUapEFc75VG3!+K)n;5AG{VG4Qaa*`Bi9
zd3!SGG#wq+D8Nhg)---zJa`?WxMxBMR_6uSG0X!1$=PHARzRW!v0#FN>QdT)%gFt)
z+T~(JB513a#p+B*LFM`6&P*N+{ViVAoF6@FCS08)EMDz!vrdAus(!#7iHzdV!%IN(
zT~xvyM>7)JCv{OEpIsY+n(Wqw&@4Ys5YMbvO&Bf8=9G)0;mOn`(8ie4>d`FG5UPP>
z=ELSDP)2=r0crLgPfs!mEXWdx*v82XMM8xnVBk6U2`y$ZQ8pc>?g53)&<gi;qyCg2
zm1X2FpHfB&zaU)}%fEKHUZ0rIzJSMaesiDn7feDwqtCEnjoY&HLG%=R-^L_U!OMgP
z;+_b?ofr|yAmZJ!!hW6M-Q{u67RY|bgu_!bV4=N@tp0xD@%hO46w#M6`s}PBXVRp<
zqdvhHI-Q*2a5#d&8S&FacgbhzyM>Kum?@!;uqwbuCQzW=<DvXA4X5=N$6H?~o>;G~
z(N3FP!R#KA>ZYAo+Zg*r=%t!am{=iO3K`dB#EX~q7v_FXMA7_pFQdLV3!3-SJepb;
zpuM$?smx<Wy=!doBJ?kKE&7hH4xc=OKis?9m{>MfY|on2i|h(8#0g%#G4FTS|0Y`+
zCX6<)=Z!qGYt#>(@Lw%u5n<DfXpkgB^Y*QUwi63jXe@?Vqs!`KsCa(CbI5v*347`}
z`oWA7y4Cn(lgu&}<fiu1B%^+W#J2NzK%D4(#;Dt5MAv-63GZ8n49O~j?FgFX^Z_oy
z#!{{9D1+k;T^*%aK}<tUfiT^YIW4w?$Pi9vVl-n`a*?ut)TzcINf$-@w?s~nx`cTP
z5k-Zft)@$!+Jw*`wAvbxKp6~VsF^miuA@JFJ-m3NtPDsoGceJ6Mcm3|aZqX2Q{&Re
z#JhEZ3TTmgQ`ADF%I+C|`DTRO@;fFrlZ&Nd{tabe*`Ujp7X)EL3Ga>y5*4b9C?l7#
zjiwboV!MwYnqEsjvDNyhYs6~or;j7vEg^?f*xUEEtxR;TK}CPJ$mRmIVZ&@3j@T+s
zTpHf+UgcjR-f6zS$b80IoCL8_Cm_y*>tSs6<E6KZvII1Ql5K+<Jf!`O2WE-cQ<Z20
zn$t4*G&)kG>>>R7#AmlS-X{(<A(WwY#xP#Inow~%u40bASxHCTP5_qidlUnLjM`3&
z|FYe5`3!F<1yk+$Ix11CBoZ~_67@cf<hUFVd3RPLf#flb8>g)NybVqb7)5kYa=6IG
zCSZ2DZ3KN$NvrCb%=ja;QR|%(20<_zgqXTS7;;;HypL*9ow@v$S3wtJoPQr(uFsvb
zM<8NWsC*i{DB7V{RT=BcsW}e1&FR|i$#vcOw$uP>lgRc_R5+h0e?Pxzolo_B%WAmY
z_ILs%s>+JR4z_vi>h1j}d<_*?-WP_di~hy6NznZDiJCNtvjxR5WL9viNzmEsmXoXx
zRq~rzfqmqCy6W_VAnu^a5UJoO@!ne|bs&u0a7w&aVqa!#5qrs<brNze14f}+h5J>q
zOpN7-M)0^(9vok+FjdTFXPoZ9f0tM!xCKd$iqokP{eMESwC}^$BM^?4SarE8#x5GC
zw3*zBb#Te<>1!w@dV0$&cq`pjJljq|?VZ-s`wnM$eJyk2qy@LvmgxJee9i323$h#y
zr$?@a*Ee!d`FZL#)93zTht3^(oEEVvpDDc2sZ6_gVIb1_n|mv&bxm2p%PX_(yn^ah
zd|CtZa(W1f-%j3<%q1#M-dkrUZ|^{`zlcJ4#dcrB=nl%2AtRz$q(Y*WpcNuBE&1iq
zk&hZ}J%t)gonDY;$&weVcc?}5eM3qo>p{Z-Z^PvWOP247e?x~tTW1YkzXrdr5A<{6
zRo}}+=b34Y^Cc&lu#v?3;5~mKdKMP1o>&8v`_f#@X*cM$tb&OSO)dkwtI|yq43uRz
zM4$wTbT?vmx3uB%J9w4wAl+*+dTkTbz(@}{;lLyX{<wT52L=Kho&-%s8l`&re<GMD
z5W&u;9v_7JhI7wTO|ehr9yJEQr``tFJY2;b@=qR54-XG3qQSvPNTG?5z@<MEIkJy)
z!DB^IX1IKt@-VYT&2VC;*uzVx4J0G;4^-Tfci}%SQI%TNX}3z;`~Jc|FIH)DbGngI
zpILbN^tp}Y*OLZWAc=#pd*HlnL-JO$Q|1s)t%*VM(Ktg$pg!w>huM{(gRMlP{uE7L
z<b-4nx~;}jy2oMDiYNa3nHK7f%OWupcvhDVE2YrH48K`sUueosxLoPQw#GCv#8;&M
z@6TJSxR&3uW8;UI7v#348YJ70v2(rGeelxjq541W$1xj8Jow4XQ$b@pi$UX{^O2LM
z{kxEh>3ET5Jpm01lk``tbFuT8F<0rVjh;l20ihE;+xlEzvdAR0i6Al4N=6tAcVpa~
z3y1(}{9Dib*~~GckV8~$S5=$*e8$IMq5A_-TGQRuYMZu6o|F!KGvBtU@Yh%--C`<<
zQe{Uj>#BTZEqrdB51@rK;un2%y7OU_9B4>-KB4;^Q`~TvwuR)Kmm@ZXES;i3d7=Q0
zxugQ<ewRyaS9K5`zXogsq`RAz=cCY|1tv2S%0T}i!%yjn-lZCBjR_bG*l`sXBCN2@
zS(mFCn0}Xz_7x~tKTO9aJx#A*`|1MJ{+Ua8UcS|r*x^DmOXTo@i>)Qaz?_S+9xD|{
z1iaEfBK0aSEv_v|R|z+xdC<6u>qc0!Qk4Pn(`zlfRZM1)AX#EpM`5CVoLVrsNtj6>
zU6{Q%iKt+8dYo+pLmPXO6OG4dwTh`|l_hOQZ4Frug9bB7q~j{rgozkQwjr6Zse(aH
zbcE4YqUD>3l(TXEqz@N?hNt7a2e2n}6FGtn%lb*ekr27f`B$l3eB;y^9JNJEwdcSy
z8;$LY#X^>*aDoaT`v3lfzVStB_)*cIrbeiO*(r~X-JXE}fe5y5e;`i8lo3p!_%l9$
zsg{ZyMR|V9ZIs=dQ*wVVNGe?F$1#tCSfADsVqbnhoQN(n(BmL@a^dY-9NYdHJYAL`
z`FKRgr}k-zX5+*`DuZ`#A+=~}e6VS5A%ap0W?FZhc6lLwU9*0cat{|Niq_riDxmJp
zt`^3g%Nj~-8%lVK)3X30&b)sa_cNsmMbojo%7&y5qAi<%aDRYBa@Nk(d=jnL_#fi;
z-+Xe^Q<l{^*qunPr)v#7PIuCgqYq^iCFO2dQHUR_Y&YT1_K=ncTNhzOR4yJLA2a}D
zk?MT5&xfwj>DwhAI87R<N1U8w^J9ZG>!M%&{HWoKKu{T20&Zu+AjHb<8kX?>+m!|j
ztu|aF-IY*N&9wN_OOL<Id<Wxgufc*fm0{(5%1(T}U#_6sNVF;Ipu&=AbppU1SRS!^
zt{VwAS1DN{iOEXAVgx6SAo*qtipQRay<(3Ty03p|k|O!d^p)Mm_|0BZsR*!JQgG-R
zl>){r`{jv7UCb(#-qIgVM<Gt14`4HEZ42{;CO!JMP<pB%dho(xc{$><oqWa#UUy)m
zcA>DYugIO$hl5yBwx{B`(p7ATu(|)Mp&^(PnPGoix$y1p-)$F@voH^B{|0KkA?F*I
z<KXR+paR1eFJ%5Ly8`#_N%Z^=YAw?uEp8@XS)qVqlK^-uR!7TpBySS_L?sm~uUAVA
zD!$J*-db-2iYPB1jhY_fYRgh}!S3uCx|eD<DbM^k^8BR|FDAcA1`dNbwSih%7Bx>9
z`|6!u#CffY4F?co8I3H=*x<H{WR<#Ku9+nm=m~xr(=`n}Oc=a#)nf1`FJ-1~Y`fy9
zA($=u?bd}j)<hYdB+O{-#YqAMs7uN!vh%HD6DfMtTIg#gYD9SCDx-k5jp&;=mRu!W
zfJhaQC6OWjIWB5yXRQk{8l=X~6yFE1XUAN05hb66e4p1v3<y0v^DaOe8rhSw^#kH(
z4~@A>)im21t)NT6YnG8h`=(D<F3ceYZ5wi&2ZYP!rwKh6yhIB}_spy|5k;!ao^p&I
zO#;HMgXYOCRK7Hati+iIv5aJ}#I`y4iA|R?syVLr?it^R@baS!nFcAvXYaMtLZ+&x
zH#!dWk(kywQr~IlY@8zYJC00($#C1L29L*g=u>0r0!!ehROWKDu%LeytxO)H+I<^U
z8v|xx@5fg2ey9-4Afo?j-~096WXRuxn2U<rCwK=Dr`<%dDsI{C;h3dTFmMy!+}hz^
z?cplRsmC=eoc~&XKn>qhFLAzoawsW5C7<zDSK^*MKUPyqeg92I>|*)T#4_d`Zce6h
z!kO_ZS}Lo)k+riK>YP?2nWLAlH;_Grm^klxmlSnX3$v=@iYu(pwTFpA1eM5~`Qt(z
z687UW@{0AhP!XrgYSux;&AyDM&;b<pd_&#w>yh~+90PQ^h32-&bGtcL-hrE70=iTd
z=$Xsa;17c_6Msk&<<FOb9{>P*r9)?f7U|DMo&900dc4>}(_TYQNV80^X{y9XGhAS_
z(*{m)Fz$GJ9%k8x3Uhm+4$(-_Hco~S(~pkFrva~llJdOLBRqN$2<~fsoMFd${j25%
znO%Sxw|_=GKk?NkhA^D)u^c5l$MCI!eCS$AH#oIOoX$T+R=IblYI95`SJ10)^`loJ
zPmEY4V>mgAcCUG@p@Y4u7S~CtIxp6cPBWSMhKoe#pbWw!*J=8m;RokTVd)x2>fc(;
z#=6`BzpMXZ`}lerI!w{%|IXq`F+x{2BtwZJ?Te)tzTyO_^#3TfEM1X;kC{OzC9?NW
z5H3x`3LAJ(WFYv2=65vy-zMDmh7gDP(0cMxbc)xtG+j)Ue$4#ncD|TTK@}dpio1)g
zigO_76k^;@TN)1kwp*SkR&?qec>`OJZ5}><emsbYlTAf)Ydfk_eEpCQi0Faf#f7%T
z{#T<rq6YfR1hmwcL0T4%Ys$T&?2@hydK2sku(G9LQ}pwh8&!7`>b)ZlXSiRb>oN2Z
zrUr))M%mAIYAKUX`LhENCHiF1XKIyf#Q!@BP{G=J^s~yeo3&RnL+Os&{%s1Xfu9*y
zwmgm&_miCR2hgoGwNcNJ{w~;+I8`{~I0w->?e@(LT`|iK6D*%&Q(6Mv+wGuPCuXl2
z%pCo0eWKKhaY6#4gP6`!?a>lHJodm`=)i$hk4eIAjwBp;rtToKOykZ@Ud(uBprCKg
z?btwrx7Bp8a!ty#Fb=?1AmX)t0=b_RlMngs#*(}4ZJ7Hgtji;<>)G~|4G|nmOAv;s
zg4v#oKkhxh?1)~&hnx=-e0EPaT4nUmJi*RV_qJ9^LnhD&P+?MNCX<44LdZ>l!^hf^
zjNFF}SaF+!JpJy^<jA*|^)uT^m0_n@W0-vT%;Q+&RU~LWFfT1%+Zrm+DD;BNX~mVQ
zBpf+<VsSL5XU~y|F+8j<G;3rB{C>ri42_>rGBXT@nU7iUv-5wMGL#@?Gl;81Me{_%
zj#rrwM)cwZAgPO?g^mSvs&B`(p9l~_&H>gskHS5S-aBvp2<lpkT3kg1O$wk4$Z;$)
z8RfugIYEv2w#*I$Zdrvp!OS9B2wu6do5<;@(|uvB*f3oEFq-+dJ2+@S@D8>faRU&5
z(P6>gil*63<CsYcd!4jmGHPm_gp_A4`r~Mfl4i2Pqxu{7v-zU;z07TG1rVxVyX>i+
zW)6YcvSdHFCU#)`{wx4rK%l>G<I5STba!gBS>|o6^I57iY}os@*69XHWP71DAI>%e
zzNYUmVqjfEW$_3$0P?9Jsg}4{x0&^Hd~EeQr`l{7WjKXVb7F@?0Z_n60dAe|Kwq{m
z4-;D+;ASb6f=hCh7SSNQszL*uB`2Am+-nLLt&Nxf!>qG`$$>JRti-xH9rcZfX58lQ
zAxq(H=;PIDEL8*RM@lxISa~!&URCJUvG7%Fnlbeq6urkD15{!u%^j3Mrqor9?$B;K
zA<E^wbZDL6aiEbKFGeO)^0aoOBhOo9FINywd5)+tDKI87MlV{9L;KN{!jLnKqp_=-
zv=a4a`nR}HN$J4)PaH3*hQBZXHQtF8YY;-C!}^?pwW;C$53=_C1_3fZ#UI!i(51`d
zLzXh#!+nL#(y<j}&FngLX{Jqx&a~4Pyl@#vP`yF?=ulpaITAsc>z!CV`5Ye+6-thF
zye1FRy>WvY9v(B!_64Qf-KqTINUh;+TlR>wj5;HH`oJUD%(r7PI521HfieOv=(IX8
zfRT}{+qTxw=s_B2P^~dU1)omBQmMimqKPoSuOefyEH3hB=w9sfOl5ar1E}}+*7({8
zxUP1ZT_0OD#&s)>M1AIgER^wm`T&(Etjv*mCIc~}%)bQu?360xmqbhM1qAqZa9*}K
zURHYf_jzi7p6Om<ZT!Afl%N8|U8v82nxU+@mdTvStX?|ovQq*1-DPT~KbtXpLXAND
zBzA@eHF&<*%zdxz+E!!x2i535NN-5(#_!RJe}Witv2xgKagcW5_Ij>H|59xQJrG}}
zeJQ5?xMPh^;bGF2ym^=8xu;jr_^Z?of>C+2mn@6rq)er%Yx^famw<$`qp8V|i%P37
zIFN~!f#Zsb86FI!AG_^JHyan@js%J|6y|A1PK2u_VnK`Cf86)5)tMe+%-FloaA!?|
zl}m^x)7*4iK>B;0Lv~hX@2SB1+zDSP<rZo0t{_b*iWf?2ick6zocO=Vx(@Pp?3Lyt
zNr*fzR@nBDRrznH#fz0ou3)nXWq~hZorDu~X&FjI-|p#9Q}-l&BLfZZcP(Kr`4D*1
zNU0sRbUzWmL7cCI3;x}6_u+dnP_}@qBECoD&}1GWH4>5V-~4gCaN>H6@bO|aT(AkB
z9S$4r3?b7H=<-IK*8fDP3(xlmb#Xi_$W8_?%7WnP+cx)~5T(O|h`Qq1bZj_BnTwcd
zoS^#DP(454Bw<~}b2|RcN!|b_LGoMAO$)Si`8;QIHvb9C{sLiVos3wRk+0WQ1Fza0
zklnSw<68thw!X@r`mHJqT-$Xy*}xf)j6vIa0F5BZv^d#c;>*IO|4!+pSDFc4l*7)f
zFnVm0t$zAeYJ8BC5y4Clql7E^iNqXGjd-^ud3GK`bQ6~8@g-p}*;e>&b3DR~5>Y0U
zUY=#luP7|7W|!L1(=V?RZp2U+ZBNRNM=_Z@ZhG$ZJXd6FiYEKbWUF1~GH5Y*%hEE+
zpP73c%tFWn6U)w>Bw7~t@b-Q>r=di&9<L-wIZp4yX-)GTIzBMEE7YyOA`NOJ2?bEW
zVC`zUTS&EF6&m%8_KZjy3YUuGZWW1>{&!7ZpP@2hK5(jBft+C5)B#?89lKF|SHx;l
zTiNXUO{W_GXIHrrX-;B9?HdYUVNIpGO5&)4%{tqrBjs768|TMHXwW{X=TC3e-XKB1
z-deMMd)dt-)-F35h~tW{s<V&VT$E#Ef4_iQ4xc|N^uq+I4A8u+itpy=Rd!M-><eSw
z4INe>HC)ds!&5Z6EFNqCnqTedw)OAgui!%mP#0=Fz=TUdSxSQ15||N`Xy{@Se*^)M
z(9)tI&q^iS<0!H|>Mh?5DN<*GzcP~s{b;6u0r7Jyg}4iLui3!HA7F-%^%&Il5aP5u
z(PeMs&anL;N4CpX4%eW=aL+*TO63{lk4cMaFS0!AE$C-qc3WDw9=pHp-$YfBrs{A~
zNPQxoASeH{AFB>dm{H+BV$h3=J3~8WED^X$VMvD88+6F<$MxFisYY;gXd@FjE<p<B
z_2mlx{o)SXLChZ>F+*r??~;!Mg@N<%G_yctU$Nc)sx^V+%BK;D9bePxmhOriM`bLt
z8`)VqU!1SaNs}ZhVAdf5$&=<~f8x5Z0OG^iDbc?CjgnIhaR<`bX$x6QrP84r-xhI5
zJJ0#sj4!Wpp3f*v2gNH39nh78RUM|viO&u}qR<hPG;*P*<$jSl`^I5Pmh9z`r<T{h
z1p|&ZLi*q4yfqPZ9!A0HYbIm?)Z8p7ZL=oA-9#mJldyeyAz~nt*qS~oECn?xXiaQ_
z<BN)ads^fS;kz>GSq6wDo?luTWj_YB*w$Sm812PrBqs_{RTK)`+K%%VeFXGuL`vpe
zC_F`=fsDN=zuSG9Qo>LtfYZ%FyQ{whLAipUikeUiW6t{0Jx%$@<Y~Ur<v@nkua<-p
zd*-n5pwcqQ<Mg=IxB9eye7F6e(m!+^F=Ft2j7Hylh3U~R@pU0<E3*m)!yS)Z*bo|`
zo(J(G$^EV*D$HfNyQlUe#e_*ns^gxXZC#EVQ)m*6WZW6$4c(L1@o~tYM*i$8{=vbg
zM(gk9Ce%q{LSMao>#<oVJ*tc}43;!XyZW|(qU-5de|fWqs<cZ+j7eYQi{Fa_koT!`
z4HDGW$nvDvyH}Iz%Nc0Ip{2k%8$vHtTbRXL6FB3x#EciYRXzs0S!d=p5vmFXaGD=v
z*BX9AO(t%8Eq*u*zeHn%9$jXt<4{l@{A4q25^K`P?=#*ncibtML3?GZra@(4{mnE<
ztc>AVgAs;?3I?Y8jLRb8Iq1FJp<zLoSw>_NCm`jHAhpXE2Zoq3RX%1z?>S5K4TmLU
z=2~8GroP%dmJ1$|f3*7wl)!pN3^uCHLY&b4%SZ+S@9lp!xwwM1JoD!=;RjBm*0PDd
zwa$n23=vq<rJ1_lKH=J60l?<jzmhKKu$C|S4pFo`3ZG{~>aU{o-b!i5&O?mcy?m&T
z*=fCH!{A+6;3N<;DuVjKk5|hW+3H04n~3e7a*@+3j=wC9hN-J?qk~GrYSgD^$n|us
z1({F=Pi0`^4lpI^dZ@#ogttR2<(x`suAHF)Aib1m+Uc;+BaYl`PYL=S4jJgE(*sSM
z1`F)sBCu?#o(`J119KhPYF!KzsVd?%oAUr=$tW@vbSR&uMQ<$%>nCMaZn)W$T>Vg%
ztmfB`J<Wkp#TuSd)rlQNem>rCS$2w@ML{g!Sc4Nc7T#$s>-#drvpjXJk94O=U}&=l
zN5^D8!D+4f?AeZf5g6dJjEUW%w*?I;pkr{FBz+pA%%JL)({aVD`cqa)GB4`<AVCVR
z*VV_5A7$&OGmpkjTuL8QR^@kJta2}f-~jJ9+Zb!J2$9Ub&=G`$nfX}lK6|+3)f(Mq
zv>}aVW7X-5J=1#IUS3#6)Cic$83b4}L*eN}F<uuV&{GF$ctGsr*-_R-Gg~J@$Z~J-
zd=#WpVg5fhz63Y~0exe%l7b7`1@fjCCT@y+n_<N!VcDU3B#+IDI!h%ee<m_$D@)s2
zP#ZIK4=LQ&GaI>vY^xrx(zkR6xrB$nNNAB2&7_D`a%cbHBaq43(=f3L^l~mB_}eEz
zNvpwXb5($`O8P-!VR6W}FHL@btN^pt`V3o3!JOTwG|U^x@7;n?0&~2~-BN@E=&K2?
z6NY*3{(BsqnC&H%a?j5(9z8l3LFYrauWo>q0Z6LZ8KEFbYW+Ta8f&7bJDv^X_p&@Q
z^J)Aqh%fjHXYj-XN7r7>_Krhk<@zG&GLjV4{f#N^5+TBN3T1@+k0gd`Q#aG^6Nu5w
zcY|IZ4?bm$MC+3U+cC0{0C_BkZL!n0u{Zb#esv!kYU2TjV?#+k#ro)U_nVTWApN_B
z;|LVcJ|V(pV_Ny|yWt|NJp$~B#w46c4!oY|odIfU(ET|UYDs6c30Py^GW{}AGzHS`
zPv_E-;Up|(=Ez&i1S#GKtTd{sK5??~1gr}S2F#8=C|?&f#py8zv(~X;vej%Xl=QGz
z_kc=A>So@plCUj30<QWUWVzL3qN*S@*2FJNJ@Ht~wM83lkxfdFH(cYXIs^~Si#&sN
zS^wA>xgwEvUcMNuSqu)5RdvbsA__H28XFLHL&$#Mk}1j*GUrE&+zP?9N#2UD-VW0U
zHj7zpj#<k_(pA?8<t<!2w^l65Bz>9U_@6*Ux*k;?5f!o|ux2gvCXQ8EmI50yI?b4)
z;<r3blcX3j6(VaUoAtMu?8L&Bo$Le~ZfjoagerZjzd(d#AOm0P`_0L$DI6rJyU|Nq
zp1k(p_78oT*lfbdM4U5Iti$E9RCQh)v7=t%XV*gftAafP9gW@Vn290deZq|5ejqTf
zrePSnbnd(HJJ+N__bbuV4{XQUyw^z3g>u+*$7n3z_<&Rb&3^aPXZPEpa-s?q0@K|v
zP#Ge1I(L`$i?hm#ZRU!3H>20lFsf9`wxXwfWq4qn>T0T`?rKSpXH(sutCItgq^lz!
zP&xt$vSoGNHWfmgOPJ`J-U25>V>=LG?)d{+rS1lYoo7n*P*~`R7_8lJSwh|`*Zv%f
z#k`F*WwjdoLBUpn!)+%n6KfOe*ORpPZ$647F$UC;Twa@ffw+DS*4=T2_lUgX*WYu;
z<0wvo7xz1{9WdBRATmt|5BHCf1pljyZS4(Yh4Rn8A3g#S=c{3-eK51a6B%*Cr~a9T
zP;PXHgZJrSha%7j`k6drQd>a<k8d3`MYB<kSE=`=kEDj{Ro&+P83S7x2dv8s69+kh
zb|DvftTt9&+1t5+AkJLI%O^`oPOoZHXZGdWils*=TfS1fpaXtoSw3T3En!xv7;pAQ
z20iTbG$TS98?_K(KMJR30RkWcV>btaZV`~F>e~JJEuY@8YTy!^D)VsU{+ss__(9hN
z4xk7=S|haudfus3&k?Zj_DeSIe7#3UzvDueo?grWk)ES8HEQ_!C|ad{epQcA1bXe+
z)P2~rWLZJLZJ?hxT?6^mzHg>%GR-ljLN9i;gMkR2ho><sZPdF;9BbevKfM@udlq0k
z=weS)W`>ya`s*hS=Vw*0=RQ>vR+ce}Oeqs8vpr4f`M&t_H?sD_cQaon<>z4r@i3!o
zdt0tqgurwZ?vBy1@d8dX$%Ri^qa)0OCls0MIJD<Tlud)h9NV$+knZDY*!Sl$RB8I;
zPw=ZLAhK@kv7rVvZl#I5TiOKu_laWsjUVK>e8ng*(BHyJfu1it{il(pLot@qvGUp%
zXMZY3d_O6KlO9pD$a4~w@@=b~a#wiYSKLX!xKBsX{eAIhW<{{^EsL-<aa`2@Yd$gv
zZ*G;4EAa5u9!^ikLbPMh-^{7)HOvct-xIIPi5B*~T#dc#qQT$xSy5BZq#W$_)gfVl
zM+hu%&rjd)Pc2#A@y1ePH@l-l`{C6R7Wl934lWL<^4gSgJYM_Cx7T8a886vbvMV-&
zquv}1jANOv$mQS_bFM~ANZljo<QhR++ydHGA3<#`3{N=_AkUBBoK9!_rhi+j^W4KX
z7b_Xr^*OP+m1rZ7*|4@sY0fM4PJ0Z&))tyT+2XDeZc=wdva2?OIXw~!b;cNIDl!yK
z16K!&+<`d`$Lq~l@ji<|^Wi01FM6k6>tGfdeJ+YH$$Qt^=O2-htXirpUs>s>Q+vo(
z<9<^fe01VGrw|<_qw%Il#HrB<G_I`~CP$64tr*UKBV+Dq=QWH*CXnDL#ofMf;Z*O5
z*c+#y$>(LD@Y;*@mC8Y{`F`e>w=SfBcJDEb`Idhs+^{Taa@JhZN@tDS+s4@JE9RMj
zGm!!P538gUWXNvPwYVAoxSj1fzYUUAb<57{iU{{mf}i;2Qx60XIJ*k^A<g2S-Y>Q9
z8Hf)TV4ZL4P_k-n2Hla+>U@=5=f{{ysX+4a+`bMg0S}Rz|B6KCPC23|l9a8s?i+c<
zhFIk;%b$oYH}04S|51QjEykYCe>H8_%*Usa4ov>y;K38%!d4CwImrbZRcC?QZP^i0
zAOJx|?B>DtyU<~5{9SeJ+k(;6%i?*te5p5G5C)SgryBJ{0NFP3_O;K6sVlN#D>>2)
z^YiKk1?Frexa30x)~Ydx7((OmYrr?sZH~#nBFPnL&=xVwIcEc;;z~y=-SL)9r}E|O
z%@Yyu>Gft~=c+UV1!k1+tz0Fx^X6lBn_h3u6U`k(Dn4e%XH#5m0{HFx`YR@v9N2)a
zHmWIg@N5UUvCg+E9Z;7*rcUa!8GjN4+X&x)ktr6CR`k&!Dhe+|XiK$WM8@v9mEo@P
z7+0R%Zn;mY)bC58M;T(g8F)~jJF+{m{aYD|_B50^>$5u*F2zIOUrs^?&?~ZiGe^Me
z5ng0oqK#Eo`>$RX&cp?&P=q3{+yJ~Qyd!@?apWC+0>t)T4QZV9`k`rcF63|=tSn0a
zT||jD*mr+BB1#?&{mhzfj2i9jSP>P-T9p+H?9XX{j4A+Xsx@q;-#~#jF%atnFF(6-
z@Lr+`2KJs4Ec8^fZ9^T7RIiY#tFXmn_U?p>$jm>S-V|PsLW3rl$ZE>Z_U-8Wg@H+`
zX1+e9`d@Ee2KNu|jP|A%|I=G~c0fRAnd9_f0dm0LQ91Bvi+*ptPCo32(h^)hRhtZ1
zhpKj;7e65SmV$$h7Zro;>00wz?KlI^Dp(D6$q+MjRN&Bmr*_=mI+8wy2)Wz%P#0JU
z-dW2A`@Zxf!uT%NLl7(u1lMDayYk|6+chpR`R)o^>wd;%F9j8@7QkB#B20F2s(tdM
z3J1uQ9Mk2oYK{;GUlizN0fAM2BK0apk^M}IF75fL7^eh$byY>bg#4MfH(svmJ*;DH
zYgNv=a8`c3kU)1qKx6m+rbt9`o`Ci;GF+VilBKf{@+Hs<`9Px_FXWq<N~NVZodN6P
zVJvz(&U4LCTXfz+cEU6C@`@J+)hc5gft9%)8?pYh#ZrAP*}}(pdh95U1PLbe4Rz~U
ze1(Zm^uLbvzCL>}Yx@DF2L*Dc6no6^C5z0mbJHIX#%%aG!NmJ?^*<-`!zG4I_yd{2
zy?d<L9?|)tXZlEkrz?Z$Ky0DmAUO1OD~A;7rdm_i3eY~lY@Z$$FS4zLIS<KgQeTeR
z0w<iqhH3}f5R}0Th{e*?jRzWRY==S}#G7TL@Mno9&}lY<D)q2;#bQA4Om1SH6fbIf
zCmcn1TXL>&7hR=4JAM|a9Q?J$!rx#=QN@dpVV<w+G7h|KI{0xB1O1bn^7}Ea?;we^
zy_MXU87Hn36{m9!4q&kv<vTyfk>h0i1it4zS^994EIn3v4AK3R&gu%T|BU<iX@HOI
z?X}V^n~G*_wVA59=&IQ{X=I-d_?8G+MZxpbn`1xE^z_{G8KA~jT4Uxizw)+PGMLH`
zxMY!$uTpm)@V#6#7G_~NF_!B4Yb7Fuk>B&eYPKWF)%1>nR!OhCFsw<m2q1e8Mslt1
z<k7~nI~OTmy505^B-|pM_8A?XxZ9TYMpeF>eD*OwUw9f}yKaQB-Y1N<_taa_3=cVS
z>+3ASlDYW%+UglTNEqozcg^b1(nBrFQGNc;cJwyZ@ndyH+_an#qN7a@yi7r@!T$jA
zc5TL<;zUi|D^Y&D7bGQ{3g@7SoWY#Mk8x<NM=ae#|HV2e|MtEsOo?{9sGdrJCP$tq
ze?Ige3J}Kpd?MEC*fM>LyhkS?E{3d_!&ldA4$!k_DL&vdv*9Sc*HUDOU5#pKn^hXs
z9v9NRogU2{xbTP{-;Z(Jjfa3{6DqXKF6q+3-6c(xpQcH2e%{35=h7Oa$(S4eUQ(h#
zn<Tr^9Mcfe>u#&UELl)HA+WsofwBY)^tMtD!O#k?+WpydzmjDGal2G1it4x1=AueJ
z66Eb4Z_Y$<+__i#dhGW1Lz@a#jjX>;HQ8_On>SCX^3P|jqDe5h-zTPO`C>lY?|9ON
z7d%!Oc^F(~c^S)0XI#E^aIgElZ%Eo{K$(Th>!6g|OOga2t2XDAbiF;h<6^*`uPI4Q
z^W#=Z2@1Yzbxyt)66IN)fx@P78Liygt4k8B9DL$Dz_J~A!E|9&5vq}a?jJ`n+-1aD
z-cUIp++31o0}OzE)n_L6x@(b!d&$@>X>B53Wv9i93;jYB9@x{!D@k>D#(&LmmC@w9
zr$Cgdl+FN!(PYBY$+>D`X2F!nlO~?zp6;6Xaa+9)=^y+5{51?;+=F)CX-3aVq+{9N
zEXnNsqC;^BgEJq(Mv6)8OyJfwm$RyruQjWzFWg7c`%O_?81K)SpOHL2bXD`*P4S@h
z!OCHnpodfH>7kaKv55PEzO0L54ce~1pPXZ0n!4G6x)3=uFWku@b!cIT)#*ZUc-h{%
z9U7DuYCZhfuP1mTPxo=VD;t;OKhq=fBz?~IYyf*q!o=M~9IP^P!lv*tVJ{oAS5@)<
zFjz_ig>k&vg5;`zI~Qye8iPAG=f*#<IE+BYkRFIm4tWf1Ly7wsBd3SQrxRgL=YQu)
zC)pzBjUD{@{~zP7>SjLg@fWI|#eZ(<Sbav~0Q^LO9p9w(D*jD7QFx&)yR(D$abtn6
z4;5z3%km;wBt_pKL8{sv{OifkgAirOhT}q&msN|rF5w&kWNuSgvzTiImEfkb-lK+(
zA3@~Cy1=@B3ApcSLI)LCohM=GZJuv*cBeV|Mw|_l*i4dG%A^l|0ZkGo2E^Lm%TS~J
ztVf=$SZAx6J3r_}o_UgiKE>XH$<kJmbRpk(Y64KNhBlkg#3iL6uk7y8hD6SSFs*Sb
zygyPU=V~{jEXTHw0}pEmj9EsiN|(6b8P5ghLnrD#_XtG>AjQQx3C%1C^<S@f%Tjsz
z&k?;n>LIhu@$AYo(v+ya{nh4!=nh!LjZC5`M+|YuuE5=?r7+Zpy-?hYkQz&!Z2NP5
z1BmC8lQh+<YxI2O30_x1FaaH7W~2zU(2X=6pVB+<&(lc$Dxm?_NQbNr4CpPidT(Yi
z)Ks&0v31LDp~JWQ)^u6^`6ALqnKs1^_s;aC&PxqQ3?a!sonr`rrR4y83@i}&Ip&gT
z49a_h&3S#8+#5<h$gF;M_Y^@kl`%ZU%u*WOKjL(bqqls`jQjSRRi6Ms^x~n}^RJf)
zZ`KyS0}q)xeIm2m_M2laWQGr^yMqigg~!fc0nBo6ZCB)Magqa#$r-}8y_D(%#UY+j
zI-e;Hw4S?EFXQ>)Ysu=ipEzZ94D7#rIRiP^8T`Z&r^h`_paX7SU)SXt!9YMsUmv^7
z+vTplf5mHE41WNg(G{xG=S-6kQlI^a*be(tb>(DrOU{#HH&&FtUekI>?N<md{>N)c
zk#6h?tNrnZRbk-i2wI=}<6*PnRootG>4*o@Ut&<0o0Sj&ekOy#f)>5+Kd6RC;>@6@
z)|p197V%TzB8?6(6ion3-Mm!IIpYaf<4L1a1Zyd(&42OgMKAFPZ*a$n<Hc358OFu|
za`WuzWkkoj5gxY%0gk7uyq<)KZ;2y(;!&`q=KI%a51J)c48Al?ME}!NGkJP4i+a1|
zn2?BgSg>I>f_}4X=Cp&h)wPuZCHs0BsV!z9`r>o()AH+D$Xuue)U|Ksb`bBHT;FK(
z$CCtU8!`Ac@cWx3u!F;QG*Fw@`ca#l-|0Y}1@tqOehh!3%8;1>aS7tW5VgYX#o0>a
zL2-C`z(9Znlo_+izP<@6{XVC}x^hy?w|cb^LOMx~+GU4Nxu#h1F=(n5qOZsMeNe<K
zO*ghJtnBzHTzYa5+`N=IZa9h5<}<<GB{t0(N~7#Ptj8osqa*afy94p>Dbe8WT+rr+
zQX*`b!aWq|aMJoj@)PF2$SSqt*$m$`Mx6Y77y6cGJ<LJ;b#PBY&=k7uOF6-yosQU!
z$2scgk!bI%O6%z#?XcY2{rdtM@<-^;09l+xBg$w7{p*H&{F$11ZT7wk=c;fCY!a5V
z+2OS<ZPWQ`8Za(p21=vIRB?CaMWm<Iud6A^cnj!$dL)@vVgm&CCxY`Rb~$vfJnQ%B
z(B)C=wT*?OCb4#?B|hogiy0l;6{ns?2&hrA*ruIwIulX73tN6^HEVdkr>1_GbaOV5
zybdUiRl%Y`i`#&;lmFJejEC#=>m^PS5xZH++tb&aqHWnX=~X>G1e3^H13@?gcr+W2
zzikZv_pn!58~W&|_x|3lkAarrk4JO-5;++)WNCEHYz5O4ONuOSj0-fffarB3+in17
z5Zs;0FCn>~+^5I_eJNKQ-6XkRS4PqdVApK?@KOL9%H=T5r74fJ;ylkkW)3?5HIB>A
zR?6E$aRlkvER*elIJH~wxbRpJ`=wQbIR8CzFg0uV-@Nz7ny`!#jSA;C!n-s8RPsNd
zhs<?!9zLf=XOy14JdPbC4ZimSO6vCHH97xtQr(C5m^8y)%aE}ZV4{<dEd#V0<Pmv9
zAghMY{lJy9I6Yi=0viuk&>wa*XRo04X_PhY6_TkA&^EP~v&^>1ng88f%j~YJmacZ)
zT?o{5xP4afr#FKMkb$4HDm_@C2#q;+Ak^Da{3M5`r+?sxNw@b5G=T7Dz)7icyxZ4@
zp>OPpS+a^vE#n8Q?X;m!X)z2hFdCs;gbY0{^Hwrn@|TzFn|gh-t0({BO|4d0pb=R~
zvLza5R`cW4B)=O$urlpu3gIs$>|!>u&M#l^*B$IRx=^6X%xhTkK)ro2rI=Fn2){S6
zN95q3=lt(`-B$h*)A$35*~dAXAjsqeaxNA&7^+7P-%cXg4Eo~p-@W7DIpm%KFK7MW
zd0!6;`8!gKa$k!<3{b&wZ1VSv1@|NB!f1-XU%b7w@}ltVW;0DjbXo98MMy=7r<<l{
zb_;;~Sw3vLO4OV8D?Guz@$1jV8X*_xvdKB!6QkJYM}Y9%?)UaygBmr2SwPD&=Vy@k
z^<uoz58JEM@}^K?dzPqOGwKI!S^Phj4$u4B=Mw=%uGade=)X}716Gmo>{N|@y`Q;)
za1hQ1S(rk#WW+stn}kEeZreAtAM3Cuz7mF(C%QbwL;}X)FL)UnyLk8)1j>g+Rbe5Y
zH;vQipJq7Y=z;^MN_5z?Wcc>X<_xbr@LR4n!YvK1hIJ|YpIvpdIplYWop$O3d#sJV
zQoO+Y*E}ZY0!fOC1%#kq9YG@1zaNEg8tfxzGMNsaTKanw`|iIv=>0ux0?rlLinz1*
z%^9AXYbg1IKtt6eijkFa){-zm<fkW-d&1tIubHQIvE0YX4wNL1y+1R?uMw!KeX>{<
zg^V55be)V{Z$9z6?7c?*_~_?u?mmt;pXP#V>`DT*&vk>ET1+^*Lca}hNIo;%7@8X+
zc!O{ZJc+&4ra7%>^niZ6`%YW0A`-F!&T8YSgByD`%DY&A{W|o5($rrBuYiMUrO5^*
zZw61IDHwutyFEEBS4=v;W<ed7hfWgC`c0bPCYN90xy^!n@x*;}R71sM@!&2z(iXu)
zN8bCFw~k{22m&Pg2-T8f-VT9Q0h5v2r>oQ&H4Kvcg8QjGbNQE)5q00lJ|{;0kp0Lu
z5~s~m<bv`ewYb{X{*wZ^OC|}2ln0h;`QwyJ6AtlUKL`4dwR~ny-ic@)Hl1oO`pNNA
zyskqAIVU6P;7B#sa#iD5*TZJD37l8Q3n>3gUSrLIL4+qrPY*lm{7#}R=N}BS;)gx3
zf??B}L4q)al598wi#S?k1->J+Z+ZnR->}rmMXB3zzT7U%o=TzO4)v+?QnQSwi10Vs
z*zczwstIoIJBdxYB&z1&a2kSQwP)CJJXP6C>e{~CmQdb(nlnW6B6*=1GUgI=t}DL6
z?E85-RLfTX%jb~VqR*)`N7(0^3#TD3u{XA9-sEA*a<@drtf72s{}_0S!FjYsj6j;W
zJ`sEa&g*E#s;p3s-ba$RK}gp1xzIs>*XQ-ag)Jtg$xht$*m{3xvb~F}(oTA=T|u(6
zyv5yunYI3mbMMK>@)I~as8pLrS&!{0X^wiUR-zM&6gWEk#f5KN)KtVIhi8M%GZmL|
z^3VVjlt#Rg6j>^8P7mXmZ|ai^J~h;r{R|gn6+PhW2+Mz@<E6!afvo!Qn=15RHqHzK
zy>V&<%r*AL(G}|B)J{m71%?Z91s2MbGh;METs6Bp1(#YO_L_V^ic!?QSe`&z1*12x
zzi5T5L9GIg(}3Li&bCYUif+PPU>|wwnF>cGZ!xt$IqGc`WR2&0Me0zN0WqE{V2vy1
z*#+Bc<`jGfJ5(CrbH8A3<K2Nyq=oEe9epIdrd(|al;;p@a_qz{d40Z6!}sZR`-k^V
zoAwzxgjop@+V8K{6W?f_t@2+A^0%q_3gKnBZ~6UHXIILwKSY9hOzgtjpVYi1d^1){
za`#2&{kQ_lh_ikk7I)s^EIzXoQ?r(7ac%|4sSt6F%{GJe;|%P?RAz$4Sj+sx<$~@*
ztT=`O2@-xeI*stZ0<UvJ3nd;Y#J`JVmsB^MZbvCpHA0HGW%9#iU+(^J_<zC~-h=N7
z?Q7<jzZv{lGg$079Y8a>`^?MwO7J=W2##OaNi0ksucKWvI{%jZNSA-|Ax@q)O00!K
zKwY;`yJiWsLMB!#r4_fH+v+9Tiomb0BUNwEe<GZOr1CX{`mf8IbYSE<E<{z<KyaUW
zqplp{HA8Ui#v@sYoB2uFQN_Paumx1GE|7I2xP`uFS2a+CxN)ehf;Vf|*UMx8*hrvx
zL$}N<8)~%C2(fwDU2b&q0)BdLzG%YN;JW?G%!S+HPG)&AAzAgxJy<+`bExLAlIDJH
zXhqi{*%1f%_E6c`JI~+j^-uNaNpr$lv>wYu-yhRob!UFA*3-vo)_VTkCWJjVO?E$j
z&m6<#Ik!UJF%coFrIY=vj@XsAOJ-6afqAeuYMDN%@zvM3Z~<jpvVXR7{_vW*(7Hm8
z^aa;{Ae=-iHHHxJX`)XKrxR=~CiOYwvj)R_7qNy<VtsK}89cscZR(HnmMN*ww?blU
z$LsWd-+1}lURXD?5SN2RZU!;f3T-@Z<b^o(WIuR7I@;Aj4$iqfO~w^&<nbFTo^@8C
zC>^(Z?iD;q6=3=FR!4OfMDGC&p82ueU7ssAmL^WHthIop30W<Z^2kDWC{wC+gOZ~;
z{+1#zeeF!lUz+9m>|Rog$6Td*s~MxAR&u4~5!7EhxB`P+Lb`&QK+VKfk0w`kKd6GF
zr!3sY>|5kiNHBv^h>Ym`XE{PgxHguDHSzndY|<fgS)9OI{NEkqA9AF2T4yvUYPwF9
zp1&Ir!z55rD8~03crNLr%|-OjD|IL7^Lc_>A?}s6Tvxa)5a$~6gjKNeD)_ja*2krm
z62r;9t>eoHQXzG}Ap-}%yrZgFG8d>uZr*&57!~hJZn-F73-ZEZ`qy24R5wpRiTn*Y
z*~J78spYphR_wx^9%yi17BaXuxW*A>7ecQTe?EF_y<ZxLihGjsB~&YMuF=>`mp*x{
zHkJi0+W8ozx9cPt%Pu4rr4npFoJc=cu$h#^(qOSmHkVgcO+r;`ZZaa%XqP_=^@C%9
zs<@a&KYjm7doKN90xO*I(Yfx4YR=69Sx&24zYkR=dB0f~xeHmhW#p7B>7PUkYFBtT
z`^xa7lKK$mqj(#441|E}Cmv#nTsH&en#Y=&3VZ4EIb96IEM`-RGqT^9rKFy$mTY3S
z*eV#uEu!|}{<F*seUWqg2hZcT)Jd#RBjVk?r#{PbjF^+ykwRRfo58iC&r^?B2_<jB
zN{1E>@k@wLklH*JrN>8Ue|a81LW7wvb6vwl#eK9?BZV46@dV5lGIdl}!b_QG78-0h
z-w`q`PGnB7p%|VbL1Q7mL*Q<ygnI)bhexYSfAA>J%JT4*Qzq-(pr9@twiicYVcwsn
z=YqfvnhaJWkIS?T?=$>d${&^MAv|65C|#ARqZ5VCz3HA~+zt^&=C-TpEzbsE-B?#Y
zH=`6V9S6>JkmIbdL0hd!GgvuN?n`jw)T)&1{x+k=(=jyfH&5SOspb>cOX#Zy(--&z
zfc~QF?Flp;k!t5g5r;&DOD67_Uz@6S;OTtH{(hB--B{SQjS~mA#Wr4Sdm~dvfDiuo
z$jPupq9|q&RR(VN$iLz{`@fSr>39^E91oc86Jx#7I5<OpPSK{T-z$(|r}SG*`BeCJ
zIoWZm{KPsmyf8-mNH;0aDq&y%@nd!^%HU+q*j<X+U06og_g<b~_><VJp-D?Q92FF!
z&m8z1MV?x`v#^9H1z90KP&V9ff(N=ih_%Ls@MxBRK%`d>y8xaDPj9{Sa#iA&*xx2N
zLh0Xlu5PA@7uyVs*9>ZlLxp!=J>}2R;|!SucV!-hfIb(;zte|;ia1H=<_bb&k}R?M
z4;f=swdX${v%QPs_Ace8@~Zx{B}IpgD)e{cU3IQwbjJ{$tRe<`%pl`CMWQIb+{x(>
z%y=Em_?&QJb(`cU|CelA^o|%!Zw5HzUT-wxv^;$(M)C4A_GDId^ZLh~?c1C{t@IPZ
z{SHTrzal@MeB+hm4nJ~KGre$eIk;Lce8amv!F>MdUjmUu^9P^I=GJ?I96D1K-J#S=
zHAAqCB@4YF4r__KF;Cl%rk%4zEs(z`s735IgD7EA*F9kzP46$Uzt0fTtb&=!3y?V}
zWYY1+3>gzUDRgr0&pV`5`lD-@n4z;Vb^sUg59@0PxmQ08Me%7{T|@l%x!3*vJ=;sK
zK&-DROM|X@ZTI*%9IHcKMw~DDTWlHpVvzQvk*AAoPf-}|9@RD1;;nzIl(?u9I{KLO
z=-FKlV(@E{<-t)e{40;tNrGjq{3OKxIm!cx&)vLqR@1pJ!|GhC80gt48Pew&{Me(&
z_dbk}U5YIH_B@i9UAl}{X2_S$k&{33^&`7@aAYE(Gr{d^&POTcr0U*J9zP+-3A|_}
zCuZIE#Y?ooKPAh7n50NpwY<rmlzUr@zt2IC`txUYv7}3r<s)3Ol)^56yMq;1@9gfF
zamfym%$+9xatl44Cql@j{*k?2cNo{AJnNHH@CVXKKvGjrvhlCaLcO?c2@9rHPy0O@
zt?|L%x5s}10G8Q#j~`twwouRd<aL6HokgrZ4?_X&D^~|TkL&Gu5x3_zgLqJlJV45v
zmK*pF6Mbx`y>C`E^+RgGPohJ2Pk_Q$j&zM20K)w6tt<F1>E67XZEQge4ag(I%wgpb
zAJaEoPEea$2n8~-iid;X`!peni~(BKFk8Uj;b8pxWaGd$wdV4iZ`zTdn0x(ja=reJ
zZ(}dXx`$j&HTX6we-|yZx#I3lh70D!KWEuG8jcEi`WTyfspIh%Q(1<HD^g3$zq5g6
z0gNrH2psw1R9#0W>f>e{`7dKn8Wh%pCdr<)Jl&sXCw%jQ5W+~W(ZokWSl!$GIq}_4
zZfLV(QIsT#b^a`KZkDAU+g2`GIiDUKWP8IQ;T<hrs#M6lO4RXmIWAdc7jNN5`KfxT
zKPUf8B=@4IU7>BQ=Hgo>Zp)i0SYry`eR1Qp=xzo-d)hiXLVdj23B^$LeVVvwxaYp`
z5&}Gu7U;}ev$Kz6wzuprk9<+4kP(w~S+qQnIn2e2)n7}t)B<Tkg2dUF<v&+!F@(YI
z^Kvm{@jk?5@KagwZUHA`z$yhO9TS@paP%4qxTEP^%&j)rTD9>=?km&_TE6Ut5~5c9
zxBcG^oaStIeyu<!ARy4+ESfiVSnbQ+XlLWsn9r4B`fa|e+od3Z^p#Wh=2}~giviAd
zclpeDN9y$6f+QVUW1_P^DfL6aNMxMJPVDxN7Rft{J`<Z%)n9WYj~~_j+Rn~1woMt!
z)1g+^dmPD*A+PwuT=wH*`Wq%%B3T!=@F>Z|Mb*xy*Ue8dBxTf4pXt}esnV$;Ii4p^
zRle6W9jcMhzdKBq%5>AA;UvD%1a!bYJpn<QXyOn*O7;I<?h5tl7}B^IEFURiwzusq
zl;w@*p7ASz?kYaP?ma>}>i&kh<zb#z3$MBC(+>Mig#&o9Q0-HZ2j8Ck#RKXZ#65|E
zWuo|ae5ZVUUhTR1kgO`ux$Kg>lpUl{Jk=3x_5I(6Cp@;N*=6b%X@PWfXaxWk=V-Nt
z`RY$RX?7^ew<hh!I>}Y1zxo@bWUmu&cgO?`y?(ov>Bc=yG4Cj$IauNK>VNQ%o^V2d
zv2|kp3ba8CH~K>8_tOL0Uj^NqPLp^dr1c&{=S6!nMqZQ|h+;+c7>}%^8_Ow%aInT^
zK|xs%f7In<Y?cx-7lZItqT(nYjJjf0-pHsmF2dK?k>YPohw%xBWsDPLCP)rupOUB(
zjTVkiyBbH-7k2I8b*bP7xoWPcN$Px#9r;Q3tW32+GM<q+@@<T>vlZ*GlF<Y!P&8kn
z6v*)T(M}y~Ln1eBj_BN*Ku4f|TA@tzjqZ3G<4G)lVjxN`-k3%Fm|6<Dgw8XV-O1Pv
zr<;ku$IGo<Z@kYP&~L(wQpIR$*f+C#_fjC%@{;Ea>|awh_K`x~1=N7KLf6-StQ4O&
z@dp)6y!|7Zo@SLrp6|`z>hGea_XzAoo!V+g7%?Emn;9SKc`ezBjTi?&un(${uYuEC
zkF#$z<z%*&@G_y&*Gmd~HS;3fp?5Ss&pL1w99Di3->p!Rv*&*8b+&FpqL4}+q-V1m
zhFmFNIYSSXQ$)Zla46GT&j!-#0E6+ei5$;>5INc0i2?$jY76gNhGLP7XZQlN%Q}`$
z88)x~4Pxug7lUd{hO#JY7%7=pAY>?xRmmmcOz;>kYw6H56V*7#7CBnLqQ!+p_l{Nj
zEeAf!uXDAi63yF^f`ifxgwat5CIOSQ<0};c@K`1`!Oat2twtFf0<!pUa+!1ze6UO~
zrqTvn)f6L=y%zPK%ZuRfvhO_NOMs?odcXX+=T6I3Td4O3;@nEId2y!7>_?p7b=b__
z`R1h!Nw|xRr^WH#Vi%BO!4*O2SK(@xKOdhn^#Q7Eq%oNC!GL9={JoJQ`LbnFJ(}aa
zv(hdsYJb?hY_rE;l)H?)yi`QNUjan)?SVTEpyrGYv0Q8|I@@(38ctArs<=_BIo;0e
zZl7W`s;5NKz3xI*!98p+MSDk}HtE8S=as_jikXquM%-qcN)(&)x1ycIVhH`CQ616z
ze7{>`QA2Vex00uk?3+`tGP-&Gk3P($HUrUL<hARcVT|rE;il2}oeX1zoB^k7*sMaI
z`9?d}M#~oO)rms(-{k_9-5%dDh5{LCl1F=(;fyVX5??I$6u&%H%7HW*@_kVVLp{dv
zQ=g(1ln?P2G4gNvmhwD3LGsHOJnzPoIiH#7nf6;1;+TQgbreaebZ1|)$40(9){IwJ
zM}J0o{?EHsMIk%Ta%HEFzrmxtvLT2?iUt=Y8egHClmq0DjxqS)3UN&7diANw+gG<(
zRfI4Ug?f~udIbzyrQ%l+iGRP~U-nA9nv-GJ9d>w_1eAT1$E6hDiO*LE0R!QSdy?>=
zS~QW54|&XmS|AgoiQRj68-^3cA99AaFSlLoF^pYFyajN?p^fH1`L{l`PZXEi>?Pe{
z{~9%$FPSq^pc}Pa^<?#6g%Ge~ea_He^DquO@4NPgc%Kt}^tAB()VG+8?{cnBW1TL1
z_WQTSSSpXv{!vxqQS674grHt=FnLRy{qgTX!TFK+mn>-ax{!Cp>ZUGguXT97&X-{}
zJ!R+KhgLJ0sLqmqcpp|cw3CV5#i~RWo<*Nhh}Gf@D!s)&@+M!F^*f_bC*AJ0cuUF}
z{Ef2v!eONB5jmQg&&zuQW_k@(`dX>n&~R1BX0-m#S$Q8TpQoL>%r0;e?0qgAIfGku
zdi^U<=uTG+f#_y;klfgOt#+5BulZ86G?Ceme1|SzvA}ta-sb1yS5N3<j{_ERja@0T
zl<MEc-7y_^2P8~m@*Uv*RuTF>Zta8^M5~^?-H3R2HcB+ds^?|D##<Ns$QXV0M<8k^
zM<|~MY_s*Nrh;;KFPl-wTKw%FcO2c8yK`iy>)X#1pIM^ngv38}6Ox3k-aD#2^sPGA
zN+hkPpPS+lm4;@)uj`!wfU9QmrZd*F-qFcgRC79#qI+)j@*NxX>hEFlvp;HcQ<0;1
zzvKA@QMfp0DH2}1A#~Lo@Sl&JyolU9zjJb2{!%QJv?wdVrsQrDc^xXU%1B4A5q>T9
zwCQOv4Q|a_GJcIuRxK5*JJYUud0bV1K^|$&3s)mNh<`Rn6aD^A<D#sTTQ4X#1~b6o
z?cGV>`sG6A_tNBIN!Q+D%vGGch`+l}=sR3d0>b_wO1~lHlh_2Uo59VL<5fHkJ;d#=
zHR-WTVU!Ok&zC2VXBHf~E%0h@U&^hOAFE)07Hb7UN9MsC@B9L)=8$OZZ=(GG?EI|9
ze0Y38@69-cqRq$HsDqp&(we46tG1`&EYR7|uVyM$#z<H848d`CSZyGWr;ndco!5_W
zg(62lw<v#P4Xt3ked)cwhv%WOQt~Mhy?%V5%5(1N&G1<WyyQ*4`OOfFks-MBjJyDl
zFB3aSsZu`+<8Qzx^g~=_@;|rTZ4JcnT!@&WQ<DsvpSJl?HwLHoR<hG@lleh2+EH((
zowM4m-?`@4H+7kW#i>hYQ%OBPQFwn4|E}h_r22lrL5r%@-B1&6tB(Kv7u6unh-wnn
zk2wVpGdd3Gz~@s5bO{sul|lMQnvc0~)W?J2{;CATs39_i-0s%lGMXikwsJmd-zf22
z41$eknQKcw`=ijQ1zog0701fTdh)N;Cj3#G1tR9J+tm7{K8i2`AGq#XKWXa#;o9r(
zH_hJv)qS$kvbB%A&8xwX#VKECc}`J6ko<e|TieG-i7rR>*Qb}aXFsnM`v!mC&ZlcE
zFShl_&59rQO^~>7n>d#pAN|1U2l-3Cg8c{UJ|4B0GcWo#aKa|<uO}(_>TkA=-K<iD
z-xgDL4Bb!uK?nIW^tK3wPKsL{c5^}Jp1q>OT~3L0&0_90w$1{tuN6zkPlDEHcEu_D
z8UW?3c6f<rPj!HNx-~~U3pwm5==>cg;KC!o6}{%WHBI~tUOVuaWptQ&Q#`^ITIZQ@
z?qpy&_u(+nChoaQfRcxG>Zn&FZ&$&{OT(@=+I^T0W-=%U7k`O;b@-Wcdv_Cqb6Ak&
zidxsRei|H@^5^m>iTwNzMB#~qUIT^2lCigh&IZMpZQ|*1MJ1TnAiuz3g2-b+PkUlD
z6ID<SV(nj<9aIi--c<z5_xcNXYFPsi4QMNAZIN;pZkW_5;I}ue<iTqn4v&yeNz+e9
z8$1jE*6VME<He^7VSJ^RVGX&wzE*s|bPE$<<E#BQKyfMmN|H!^PVLI9QTb^)AaG00
zbX=(`-PQYM*y4}b1FAb*(hr`*&v-Gal2CwU@!h1Ne6qmMd4X;FpXz0bZ~DGGJxNf_
zPn?V;B8wVJttn4a3t>$u&2C+f;%#Phw8DgSQ0vV)Sz#hey+Wr$wM@BQ%Y`c4L;%%s
zu2rxoR%60q`)(Q^F!-J7K^XQpr}B<j*kbdnZ7-Uij_E|^N!60J<zG0Y-pC)*|0r+D
z^Osm504f#`%2_mrj4h<jXsRKYIugbB1pIOY9(;2lYf@7E%)unaeJSiSS=Hf=`QN+4
zx%PCF5{&$R&t_xU2j!ymn@N-L^99%#{%>?M!D@nMzhXrINr91E^tShc7_LynRq;MO
zUYTmfZWWC5519G$%RGNZ&Rgx5{W$N+cdLN`K!%I+uDQcz0w4NDxWCwI^h&?3GW@4d
zxTJF2g`V_BKe+O51;a6`3{1{S4}LziszRKrqeDO7R-4A5{7r2J;@F<!VRmu%dp7)p
z=yl-F1cENL@2Y=?*nX^%aVmA!#)$v*X+;B^>G@sMrJY43u|RggcRYtmmBAg1iv8Ns
zK(K?>BM|Ol69hDaaBgoRs4bLp&kDXg1Q`6rtIEbsSL5dOEkCG^v4wuL2TMP`iJ^tp
zkS}*&0j3k)ulwUaD?%?u5eQg4G5~wi?8)yQeE?$YNF5>cF&J}*g}|WZv26TnvtPSz
zQ`=pEzt;JR1}yu~BZ*{XinAw6ALWLYPMt>o3&S!b63S$$C$Z8Wj@CO)_pdiP8%yKK
z!9nv{WAzzg_wU8hg+HCoMX`j()*D!7)wIat3IT>2DCj+rLilq4kaysa(jRNQ{vLA#
zD@<Mm00?|IUIp_jWi(xRh>?zc`>YgYu{`1D^wagfX-}~Y!-KOd@?wlL!+_hZFmWnL
zYO15#CyNbyX~xiQf7Sw*d2jZuRUI{UGPeB#>2iw-u}+UlV`(-k4{UE?9jar(rbwk*
zP0vB_h9<bC5>s&#kK7Zgj%FH`T34H*bTe#Ya}+|~_3^9}bG!s4oWoNu{j<L$5x<PE
z^v6d(R5(%4!^2g%Z|8)aA~<J+`2#IxQuZ-@#Fq&58n<E;=mYA>i`bDN-*_K5?vFTg
zZOwD7fr=8$*H1Agre$$ZBqbGQ@$uh0&Mghxi>WUr_>7t-{{J*L@SU*q;bmBV7-Qqo
zM4x<rN0YoH2n7DzWbzFbHA9B7K4(bj&~0N7Jg>Ner15*Ev70V^&F)(u+}`!n;!qHr
z2DAS`U+AialIyws{rmNoit5T#<k6Up!W(DDteupemv3*vGT`}>+r4D(M+o-j&L)Jt
zZ(gqjp*=uy1KF<eMBV;Lf?+-}h&pBpK`;T(ebf!u_~J3yn!9r+keJQ2c$H<TVF%~1
zRVIszw>P73s^gH-<O%V=SMvOXF9r-v3fon$d!rTWTwzAbk;KcXHIA+}-EUa$wMfVZ
z76xfTay=CgR99v<mZT@M7Y>@q!{_Q!{j->2TW@yKWphL2e*MOetf&0I6!bg|A!0fh
zPr@P#FrISs)K-?p3g^~ud@_FKz@FPk$~v2;6aSCP$dZ-m-;(j8z(y5ndesZ#@&G*C
z`iGyXqTL~lT15*JyQBiS)%EDDS`*S+`Q*!sdCiO<{~$ojCRh0Vb!;Vlea^jbup$2E
z+Meb?OYKILG{h@|9FKCFXFYx+Ep3mxo4wsqc{y-Dq%3-5`M8xo0>s+UT3k#7_m5R3
zz(cobV84EZ>rhX|Puu9ett?A4ZQf@R6a?QH{GdsGc6UB^_k>Pf^7*6CfZ9LiH^X0T
zjzhlGgbJ*%`+mOCQICtKZil0SCU#SLwy(F#uMes|5ZnRAa-1WyaLChPMyjSb=R2k$
zet(#ntM$~{Mp5fi8T!u}vI1Ch7<*_b`>txz`RdZ4>kiK(9DBo`lH3*dp~rK6sXkWz
zq2a=<45aev%PYnf>!fO|2uk`GOghPcGZ9k!H&S~s3B{6r13;Y@4xJI)bNsWdKN&{w
zNI}{L&pC=RUYvpUaK>T*`K!`iBL^S>F|LAFoIh27#AJUHa}sqic-*A<Bly8O@VK=c
zA6dK~**yPqzF8R3a6(iG@mEiVn^sEa&#nHp@I0$}0(ggKGu^(<yUr|+P*BkgCW38E
z?jOSR>!)+yKCAeGB^T=|JM{B~yxl_LE2@&$34o95&_Y4&YNg__U1e%V758yze^kv$
zBJ#d)Av5hh8>L<;!;{5@lyD2k%7m0i5U915Y$=)B1F+E7Nj%TrMs`p9WYHpU-YGvm
z^|1LdwGtvY&ml3rqy1(!JJB^th*fS|=)o>1{AqliHfmCxi5+m^VB9x<n*@z|O0uo)
zN%Q$7q0VP@S)3n?!kV+>(Rotre%7D!N*{lt>{+LA67Zxk&PCIU%S~?M{WpmBc=kI!
z-RBs`w;<rxYguKP3Ms?D{~u6G0|XQR0ssgAY+&|OL+};zE^Pn+kaqw86aWzbaBy@l
zZDnL>VJ~TIVP|DEE^uyVRa6ZC2MUtfVhWPlVhWPlVnw|PJe1x0KYnJ6UG_>fvL%f?
zmJ&un*|LX(3KON2eXlH|%^DRVL|MzeMfNFMQ6$OEAWL@17V$r4`h0)?=hgGVea^Yg
zwY;zGKKINWa>hVw2g_a-0Kg9I)9S_mFsK4RcaMnyURl@wn*x9!&{jWr)+cdhpyw&R
zE9T%N|9%mMCr^wmOb4oq2Dgp=?3~Il;bs;DIN|qN``U<p!+<`74@<rsSJ|_g`%Reh
z$NAo8+HncV+cVXMTSMDRSvUY9M?N-KY__SKc-YbN@k=_uCt4?2Hm?74m^=aiAG7mQ
zIOWy#jkRUFJ)V6WmMoNa7N(ZGX1@XG=E5)miimD`eORC8C;3^lI6B(hq1Wl(QZ%aS
zw9B;WnRCk9Iktt$te>fdH)&%SG)8`Ex?9Sri+uwq7iB$sj|J2wW+*blcMpQUUs-6g
z6(>13c+zA=4+p40XoOw0Rn%%Q&$h<?fh0Xu@NBM;IRKk{h!&>Y;@hH~)%}lBly5P{
zHl`PX*#TvhhYSEd?n-B4OP^_)1Oq1H^C1ZU{O<us5p+6+4h`m}{QL^}X1m_;8+!?W
znlLn^x=d&a>x<!%rlcWSZ`5KjfWpO%h!q$MTMapnc$p$ikQ7r309a$kassl5OWF02
zKmI)Fd~|er9T`7G_T8rk6nRdxD8zH10jlUX0WC^BoL>L+G?b<$5bYH#JK#mU<w#VN
zK53bpvbaeHsDU^^0JIK{aZ5Ry6?*aPjeB7_pdrT&H({iaduc43H!ts6>x8sm1Uc+5
zN78m76-9JcUg38hH+{>xLr;5PrM)Kz2PkGtXr#aB`e^4s?`b}g@j27o`)>o_8v;2X
z;j%I!ch8?|ujJaHr`}A=`i^v@YzVMGn%gmXw9GsET7|3!0Ys);-#Bftj|qU}g8&2g
z9!Kj|y|uL9WYarE5IyH9@39B+b_f~cLp1l|loNkg7JmgVxqA9f+R_d{HbnXh|JHYN
zXIb_w2!a(SQ}4%)>WqLogxJ%Zaq6s3SU-qo#oC_Jk@>>`$SO$M@cyEykv~rS4YSus
z^;4yhl4CDh0HBi5nuDZ{--{z&`~=pM<i+zelWQT}@w9sotorj(yw&#dy;dH3bsm|i
z8||-mx@%%>c0jyWc?UFwl|#I8k&`?Cr;xBjLafiC6aSkFUnxvbsRMk_fMlegCvJqr
zUrzi9noQVm!;bXHTccY5WEh||M(OHR6&IR{t_MldlP1o2?ru0B0m#}2cY6H^H+L@S
zABAc;9^)2K(J{sVq_04zfDt>RrrE6h6>Q|^MV$PA)QfmlSFaz)3Q5p7hUVJ}DFR9f
zvgg`>Z$~3kOMfgw<NH${fcz7Qu^<IqCx8CFAjJonURocK-6C0fyZV(yjMQ`TVOZNS
zAVV9nND*_4SGF2(yeCLGgv6cL11M=od22aYv!i1Jy)T7ae(Mkl?L7h^&j=7?sjNO;
zDQ8H0F}qLs&t=5RS=x%M44yk+v>>nYr7kqVV|2~u5r@#}=2M(hA5Vf-M>@?mT(p4#
zN2Vg~J3z~Ez~kl19e}inr1Xs{ZCgCWgvA#o>N?QO(unj(k)MYAJ<jgq?K#Q@NZ)8v
zWAoY;`zlTUd5t{unyhwusB$|bYt4mZHwZpx_tbA*1jRNfKyIfgMh()DxzJSsIcU^D
zlsTqNB4WL79EUSIGVz|V4<zXT`2<2%0ne^fx~A(L9!5$P5Pw=|cB_Y9L@bo%!;gy)
z?MNC@6JloOY~O^BXIaFI;xQNXtkOt{Dtf@T6Ji}4?}AtxWI0J5HPQ+3q!}&_$=}T?
z#N^@-FR79I>&q3mnFwNgCF7?t#ETXe)QinPHxg$T?Ru7zNmWH36J+wsG68`T2L0oL
z(91~ka5uBn1kOOvM6#U5LcgO!+d^mj<MSU56QSBnoHE!AovsjpZsFQ@&)v=w36S%(
zEYE@aAN>Gm(npe|o<C>VFOh`?QjB%}h0Z2D+DL+P?_0}G7~~c-O#8H2dr`26K|na!
zpBw+yS{{v9q(^s8!rc|lBYqi{oGhBM=AbUA#n30ySYaSLgy72eZF)mL2SNvPK|aX{
z?r<9IK(%U<H`;fU4*#lDw>@161qxpgB*opsq9dIH2mg7an4?D)2H^S80HaVWjDB5C
z7IciSb%_;&OU!^uQ>y|W!C8%yH7HQ+G7{RA3kvOW=1(+?Y>GNitwHIA#Q4@%%7APu
z1l32S%36kYEs3iOQeIlfTYk8T0TFkRXm?BUDt+8*_dq8Mc<dgMF&%_(L5r_01<;S@
zpDshQZHDRhA)PB=k<{$He=9=PGx*_}p|Oi8-=X<j77#k{RS6n9rz`fM0mr?T@JbL3
z)kZ!ihSX_J5gZ(hlr9NlxEczc)I-tSu70&4%408eF>o+zR^$d9+{Ya46QK#gU2);K
z3y%E`T2V(^@v6ixV!Bd4Se2}Hri|dWqK*X$>a^(wohyr8RuD6)(Z)8Z$QFXg7798o
zSr02cQ2=W9Kn}tF7)hS$S(#&N=?#slmq??2fJVJK$vI{2E0mch6H!>8Df@c5`o*DK
zl(db>%pFKxADX<?(YhChoKtwq@&kuysE|O6XugE#PBKH3<7kwH5rAdC|DQH_&XxHc
zK-ytEiL~>oKR>~|bAUGR6A@ve5t;bx%R_V1xI;8e(&kRWjPl2S6mau}Bg(@xtfecD
zL7!yjVv@dBF)PA)2?H2J(T*kYk_~<9c9TcQA-#w@zGx)3(S>uCpX5KI?Y?<vBk+)s
zEa8KnQ{*BAd_2;5(ROqwibykettL#Gzz9vUL1B@N78?%yxJXOz3c<Mjku)xlj^e^I
zbQishp!TI@^kaottubK#bF`m!Auqp=Lpty6VCXM2S9WvS<@t?WBv9*Y88XNI1lqKU
znj!U~I6j{P>CvzHWRY(~(e(DjSQ3iNBg{!HJnJYBj}}Ct1s}6|m7QW~`h*cD<ETFe
zpcc|NDcSJkNoWi_u%IAEqyLaL{WioPEe7#Cf;cZj#+9K>uS(Rt*vE)fdZN<>b3!VD
zzN$KO7g`RY;L;LPe<I;$5Sw7|f<y2BjCJM>qP~Kn3J|z?bV$7qQkgMJcJoL&2Ec7(
z0&*k`-Vw$QILyio1W8gpQucy#g>q9uxt}1#-_tKt8Cku1H}ZGi_gQl`MySvVPef+e
z5J6Ph-ddb(U$KXV<hoJ8OWaq^2nsk5NY=t>W!MZIW~CWf;xA&JvKx9xS=g=rO}F^M
z0t(z|vqND8NQ+i{uZ?xS<+{SsrxN)TnbGHXeu^$ENy(3)R%Ma2Pm#3y1!Ic_7>{@e
zQ4Ylzr~LFp15aoJuYMZ$=c0X6uS=*gf^Jb7_jfBzc}%Atad%foyL(g{A^OOMWar;@
zRvL0S0^N5Xl6L~qRhkYS!f5rmYA*!Wy$WTGX6!jYwp7?x0jNvHAs<AA$GFQKV)M6_
zuJ+YF?cS1T4jOXaF8{UFC9pNvq@(Wp>+94<G2`~A;Et$SsjFgKVq#)4x3{M`0_G1G
z*m!ZfD)wz{{yt#i^=tU5SnW0&XuNFcU6|9m_VZ%{taC+7-uNliDhgDv!9XAe0=1s%
zsweAu+}!8z`{q7l-!;$VvcSg7J7Lv_xdP%8HiMG=vR*Or{!zvePlPBWJg@I@*cagt
zQ2Tdz-C<+Z?mah%sQ;W2ksVg7pwel+W5%E(-RG9;uA@?o0H~+~?D3~=>an^dKh<6o
z{`FhkT8)~u3lNw}3%+KuKEa`KX+@crsB$7?Y4y^_pdsr|2JiRqfFR*mZs+lYwc71p
zN_Z1&rLj&(h3?|-uV!9=EHLcIQlr+)r7u2z_hImgAEiB=nGt_HT30<m87CUBsWLfp
zU}W=ma^Qz``}*~n1CoaKMSxOGg}!U;^^vwVDOjZOJ%&{eY<Ln+n_)l=gm%q~wm!8r
zxtMFlA##p)BR7MHMoJkMh2xb|es1$U`eeryn<?h%`e!)5Z#$7$6LhEcnerP-wv9|}
zdcdIg_)xlfhgjQA$eSPt?B4&f?6rDF?5mCylI0iIM7M}nZXsD=YYO;h&($v`J+B|@
z(Z2ZHDZtP5md!<GaD2(GCS?0h<b>-;g<OG%XCEu{D}OS$_mNPzLt$!Fs7Y=n_>iXA
z!}F3{re-NqTkG4CQBlDytCv2E{nWl#&2buk0kd!dx)iMW1OBd~?oFgU6K|P3dhz&C
zK=I}xOW*Q~c=ZSGDPXkRM^WoOSugiHYa{qis?m9|`QsW%iO=ghE$X9+pDkJdrEXYh
z7H2Q{xD6lM*Zr_!dUSKf1~qFDPn_+-n}g;e^sQ6obk6#PTn^tk^ddUAqHk-XIA+vi
zSD)&S%>zkO+!*TN!B5$1`L)WC&y36|>@b#GjTN;!+Qth#K@<$Xis>F4%&*{1a60~7
ze0q-5WE^4sM)ch5igjL(c711$w$cfe5V48Ac8i(_?83=pw|<GKHGx`KhtFtsE-%jf
z@};p80q&)mtcrdYpx@tUvDobv(p|OfEp2mLZdy(7*NmSamQwOxwp^0+^QI2n{60z~
ztSSwqTGeb}kSkk!7=E`a<JZQerHqc@cf$mM|I7n+_pv|DoPf?UG4f5`luWpFbf|uN
zt1UVFJ=WixAR4dS(7FB-sutj3!N)jJH~Ysk*0v*N^6QtK@5(-oS!>xnf3B%?TqWe{
zM6u5;f9^(kIz6>!QP}uyMp`GaTe3)FO*@cjYaWApcfX7UdnVX+I_-|#ccUThH^C-J
z=hHN=m{{NasWvHtk)8&L)~jk}j1=YnvL%zOmo+b8R3ygmmd&pIQ}o<``qG!jR@&6s
zX5gv$8{&D({d(%_J^>#Tn;Puvm%=QRDiuP+yn;aZ*FKG%+sj=OXnBs)hC+aw49YB8
zYT$ipuZQT<`Qs;y_gC!Yvq}(l%Ep(O*8h|kS#QwZ^pFV?n-Ck0V<X{Vlo}|C*xsbU
zN-J;H{l`Tcy9{waxyz*5oz30%#kTW@x#ua4wI|Uc<I7%WzdP(&-1Ob|K&hJZ0l-%_
zWIUWOn^^quep-IvuMWY;`=j{@7;t}muW$8ZI`Q;#X@^MP1ZGHLB3Q%3radk0`DXD^
zbv~?16@t)EfZu*G#QTf6nVneRbI4hLMz1s0T&|DHOz{NC+im?SpPORX+E1HZDwe%_
zur3bD;qU)sL(p-2C|B>xe5-IAww|!c69dCRviAFKN%Z2YHO33P30nPK#JTC<;*Q|t
zp&+5y%=esRTj>B5mg(k05>&>sxu_)<@?9E9NarqeaQl>i*H`g4CT;mwi}jn7frx*3
zd_&vrVuj~BEcXEGU%hAzOk~lziRT}%g9QyN=YEHQr*UP(?~Wlh`Hc8zIgKjIiMKsJ
ze7sz_YcGBp>A5de4}xA95}nNSH=7J$tpr;k7?IXH*HM>%m&Gtyf6Msgzp5HBXvLx6
zldhf<&z*g+p+{n5qQzp<_a^sl&C3{kG|cpEd99;U{Y?9)8#F(gc=?PCrVyOq=E;y?
z(}d9)Nh8nmC#dGj>&YTTNr}nz$$19Q#1g(*3<_-WVd7iK+dgyUY`(F^I<kJ;X;|PJ
z2<{De5^b!Uy>A~F*e@+^TDC*h@G8;2Jh4H_tXQG!FphLaKh~zkX~eKi5{6O*V|`l0
zs!;`}a(cO!>?-@{_{x6YHv6z)DHL1m<7CD}Avu|O!h921Z1P%mVYVVV)v)I%)bLT9
zAWw{Lebq-->j~&boj}dJO!T{BC^U<T_2-e;7K=}pg+OFhbZ{BuG+#w!Uj;Aqbf;zL
z1iIB?$W7MMi`DHn?MolGsAJ^h@(cB;Y+ZDU8bvz#+5FXm+*D%!$Gpo@sS>6-UMiCX
zvd&HHqmXV7(Ya~-VcR@%+XvB+npRh9E#xz3)1T$eUqR&XY)YtD>{S`}JIuZ!EnhI`
zM#vGj7O&&ewLgRMa0&+n8f`6;9Gh(adJtK)+`vYZTS(vki@sW~O4;}UH3}yva#q;J
zYT|A25Z&5IeF4|%W>=H3wU$l^|57m=3FbFB|66WcvFtK|&fhK|=ClVRG!MiE_lY-c
zdv`S@yjh^@ey*%hWihcfzo9&6N_=8}3*3fv=6x-Rg%j7UVR5mg%J_llH*qAdRVM#G
zImVU4W5M1DcyH4P>pZ)~iEN9+kgpgo*l&L7(%<~qGlsZpJmLY!D%@mzp|Vzg4To|l
zmCi@KT)p2Ex&*%VV(W;MAx;QXx>aUDK$aWHQRE5f>V0CizX4Dd2E<c-gAo<+@^?5$
z=IQGFU40Xe1#u*KoshQ{-xq7QexrOSV&aV~6v?a_5lp31ID3baJaE3t(ji_s$?BFR
z<Nmy9leCK?9(L@zfa*QbNiCtVVEKgEU&FUY^T>27LQLyO+8p;ZB@YeIG;L=uq_{9U
zl_yYvI<{e*9!$%XzC~B(a-z#+Wt>ph!KUQAQhp&xVXSXLUYl#J(@5K{6uKd59h4K`
z1Q}mP2X7o~avWQcb?Nu#a7(}kK>tn7w{sO{!uS*bQ$Vc0RGRXuSOl~C-c2lP`6AUi
z1B=lG{V8&Ea9phb|I+tKK9agy#M^bB=%Fw47<>o^YdfY!V;~*f`%qv~RAsNPIK1ff
zJY_kFCEPq&WH6^J_3zf7-?B;8*BCKt@ty-3ur2%XKKuBBv}LkLEcemeGC-;S3HF$G
z#IAWh9%(qWhSAeX5Vn#u*{nF-{`=2KP&00K2}<me9(@f}-b|_wzD@*Bn}*i5nVfx|
zUrdoTwG4s3U(7fD-MEGEJ=Zs3?hp^V%ZOkYwkS+FTB{qUsES%oZ=<_ODTG3YjkTpt
ziLGCkcOC863%00UJ@rf3VG7HSaQj~v5@CR!`Btq3NEKDgCsM8?j5;qVI~^Woq|_ds
zryHsLykTD2dlGC}N{Tv}LA7#R-J=MkJ+Y6pzGTcMMVhtXt5*%lQd1`N*;gX0cN2OK
z{Kv4?ZPT&$2Az_5NBSYFOh9JlA<q~|ayiQrx9r*&De~DB+yM!hKE>aUF)kE(>sks@
z>Y|NPbWfQ;CT2iS)Xk_-yC{)oBUqR+>iwSE_KdGhcUWw?5y}`}^(w<g5(YgKd9a?b
zBO@~&s2pGzK49OZ9A0^=n%f`D=rnWXoAni%KP)r{uEjZZ9h^SFd2NqBzr%uqI-p1d
z;+D^wzQD}XY-E0kS3bcZ>6o;=U$YGDCI>#ySf|8`5d(NcK~JE**$7fdHa>3zGh-3*
zHrH*_aj;2~%BI&nkQH)Sn|lGgfohLCg!#a6nmBSRW~5AmWj+c-X6tg*{%2fuK7H~b
z9(V9iEO*&q*7m^sX_H-XSP*pptQ$b!1`MqhUaL~avf1}Uul4x}glV#1_1bJYG!N4=
z?0?~Ug9F3~Vm`=Exz~qX37s}&-+c|Rt4VToW#eoA^SBE-U{B=}TrnLa348Z;X4RT^
zRUa42Hk7~T{-C3BI#xK!f2ewT2XqwXRld5wm_UggyO^Ro_!yAwxyVYYv1RV#*3*B0
zf={`6m6dblNyVYXK<LI(SWHbTp9COX#|c`)(7d+cCy-$93*(}v>~Xh$ngMh0#ZTj$
zDJR%3(RFzcLi0-j<sOr&a%#ZP@}gbtG#%AEhI`S@QJzV9$NW=IA4mF{v}kV2uk=`;
z7X*IrJavqyZS(X4;SE7fkFFf1$24Xe5_ct_PMz*5+b$q2ihUIMgWI)QXYu;8Iwu9P
z>qpU%&Ld6PreAv)!@ond+tln>pm$7ui0r8behp?EUM#yQ5Z0I=NQwI|!BIX~QiT+5
zED1wFkR+V~2|Chk*iKSp^^^gD%eDBXiooD;LCOK&?xo*eQJ-5FH7EQB)W1$K_?{eX
zkpj|OQS7P}_{Hg}$iC*P!(>85w%exSe5(5yrts5}qH|qdfgrhSnOH<L2Nay19Iz-Q
zZut*s4RBa812tG!*A8Wx%f5FZDUI)g*q(4~BHdiYfJSFG%!j71RzESE;7Hw7wTK(6
zUjrW>5*-;R+F!v&B_De(1L>{liv#;V+}j0{cygP$tmu~VeCkg>1JLAb@upo=zADgg
z`VVi<XAVI6agc{B5s%+CPrGL6hM}@n@GeGbgqA-xr!e&+6TWx@lMr8dJENdzsYrgF
z8F9vkjw+-R;^TN=mozrJ!kxnG`xI^2{ZJ9uM?E$JzO@>~fARKFZCq5J9(t^=L2MBk
zfAtWG_(pU~#<2ajni-ZNbHk)wWt{Ld7jEU+E9>_yH`a#QvDeZDP=X&G0XHi@F1pz}
zFoVj+x+o}=CE%6MlWjdJuRoB)D4b~|VSue%7C0~#JhY22Ctl`(>8`F6Zwk{0{b9?X
zaKtp56}MJ0i11gh$wQWXU9Yms&p}bj3Cy%XJFjX8=+7@PC`eYQlG|h$SOH(Q5l*m0
zt|@<sSJ4~e!{!&d*7V+rllpcNi&1VuWO5>uK{+hG-h5i|0}HR3H>w5Y_X#n%C^>aO
zA}U8{L{fLCx`p@@>bc$+Vgz&*(9KIv-|?XyI{Q$PliCpuk=8hQi0+Z3)~4-XQ-x<Q
zj<O(U84~bmWAgGZ3fC8?Eu9+(yQj2vlfV64dGvbOiGhN#?~qH(m(XHlPlQxV6m1It
znM*MXT!s<N^RaOGB~}VXhX^A^sK)4B76k{$j-fq5wdVLW>?4kr)-YBA?XW4&>}e`p
zQ110VuO3!nw)98K0SN!}4q8^&Dp%q-BlT_nIigjr@rT(!HP6Z{7!DMqEt?+?DB^(T
zj~8^0E|#XMKYh4c8bq`e5f=M|@4NO=guWu4`zn2zKzP$T20=gnTD?;D>p03{Rt5KV
z-0H9dMnT;haui^T<T}W>hb(J<+x*+Dc`OOnTe4$0;lMXW_LhvF{9f4Y6hkj(EEsil
z!F+%=npP?&uu@*Zs-){?=)+b`Dy2U+0VYiL(*)68D`^%GUU!mSFift=S-1ErhA;D?
zu>XY&b6I15s!PtaWW|qi+-4MvseEB~nN?v)($#_&+61IeI`zxqO@6ZlTnc#a!_cu*
z-c%!aD&W<@ue|0(yIDad@=u@Q*2TPEJ&gDVS2{JnKG;!ZrV}EG?l46RQ86F-^dr3Y
zF{%Q+w#tXBfHM5H41(?S4H+>YjlIht*p<!e?Np1EzO?EYF>QJT!_C+4+o3ME#NgAm
zpA(SS7?@Rc)T=H+UTa7gN(y1|Isu1yV5(E^JHT$q;3DWI*)F<!7lu5#GKo1Y$tAUm
za4y$&KUgDmKJ_U)eF>)`owlA4k^+Nv{!xfJ1-Hn(<R9FNHqUH2){W`Gwo^xpPa*Fe
zP^Vp9Uxe;dDR3fpX_{-tKB6h<)ja{QU;)#XybzPLV9S?4jz7^Nw+T?X?o^y$x%y`5
zWa=(|Kr!pI3>n&0&57ev@0u{5#$pE1ZCiYCHKX8b_05XO)VbBaLpU&MwA$BZSg92#
z)b9*SjSCM?z$nSpcLO~6Rl1bQ1qsRDxF<+aos!e&C|}-DC2-fYBpnNy?42>E#bJ88
z54jQPJpgqe(?yR}S0{)nqB#4wR~P)cG!e8w2mCK4l*Y2m;4u3;il&5bEf@(>Kb
zzkbdr_?`oFS7&g9wFhctvf_f7L>2)#^-TwW1@O?*kMG?<_uYyi|5lch<fbD-B}SjN
zf<7KjM|W}~zP2KLSV@?CdoFbv6i9iRjojzN`5Yj|ntw+(CmAWwTvWc<12Eh#x;;yQ
zH34N1R!y-jypmVwB8UAQ*>-WZFVl285k&WhW4K9k4Fe+Wp#IBshC6n5m*uq;7E(D5
z=IauR`gTK+)`!85TQN2Rx0tcyrcx)}i~0SHxD{t~vl8IR-(j4ge%L$%e%Zltg-HdF
z4z*;|C%ma+BGrEPyoxzOf<ENpQF9yxqPO{ekjTq{E~1m1a#Y~o_&$1URM$!m`w>8W
z<!c7qtS8>);!6PKC9F33%j3XId&>3C+d(0R)76u!odIYXO`v;ZtM}*S|2+$!5%sVa
zkm-JVJ-2ON3ujnKjSfz?6qLUCoMzAU3~;$4<}Jd-y9%p`ZV#txbQ>~5Osb@*^S4z2
zS>zWLq-l%73iRI5oj~ED=*ZX+jVNCdT_sF%S)~FMY$R2`=Eh+R&>B67Ih`zGC1HGd
zUIDl)xb^ruC7i*`)ScSRq?d%8v2g7=c%obH95yJ#0`QNOomFZrt$>%KsrO^0i=?j=
zKgh6bX18Wj)p2OLR-);PrL^03tho2fh!)&nZTWKP>kJ0kw_!KkqiNHk(>o!qGY-2}
zyPd|&z*HseNQ|9CcVV@t#h4E;XA~ib7G97Ob&_KzkOzL6MCjY@QPg{eIFVVq42rI~
zRk@$Rf>hTFW9G8TeSrhdoa132V)%BR7qS<qf)n(#9$D@UV*}xzmld@Jrsr^8wjIA=
z#Jaak&{{kXk@_}(85ILI&#LMHg)e4y!Z*S93ti<UxQ`iO1&R|izltEcJ50H%7EpZB
z@epysEvjUGbBEpqg}|TJP4=S3Me5H9aPy5$`z>z_x&20m91gQ)M2I!-LU^V7iNt2_
zmk=JYi?SW4sH6ubg+Fzw1{6wwe<Bpz(y#gP=PwL^z1yK@9D;)kDBobe_B7WUP@B#^
zeOZ^bzQh6WMLo;SEi6E<b6H%gqq3ZNGw#Y2wq1IrC^NZG>?%w#qzYI76zUBBI=CPb
z{_f7tB1RlgxLlmSEdnTU%Y>26W@8WP#xkKP<0mYg_*9#TZeGRQKtT`oa}+of^b-pu
zdh-Me7}2?^`n~i?N~A@X<$*HFr6&@n7y&yvGF%&&HjR)YQgAhGS+Et(cs2X*D-N)u
zpuT1a<6<n~;s`@c(^o!;xU|GD1k#h}z-2o{pDVx1$qhS{_tUtf+DJiKgQj3~dbs(n
zh~R2{`~#?YF3A~p5aCu09a$;=oIR-3vF|FzH{nX>12IOuNJLHukxM?SQ=c8<CrByN
zE?4jT4NH5aBme)pY<(_ta!~Uas#l-3jV9d2w;eW2*YMW>N10Q_p$2`IxV^L`=pdqI
z>a(KO)g1Z-)pYfL<*$|<2NQ6)hJ!nrjd8<jRYHzozXJgTek??Km4!;9o}5x1v9m3q
zUywHK&~oEsiR##Mmmc6bF-%~A1p9RT2~{4SI8#T6Cv;MyZ~!ezfX&_8Z#$Igi(qw<
z(J1TzsE?Q+AI`87?7E?A5SV|X;)k4qo?f!skC6-<aN$Ed$U{$fnyaQyojzBgN^(QZ
zV-R|#!8aB*4Ao0JsE21Tfj`^V;r1+OdrP;TIXcYRlhU^Km86~0qSgDj0VNO}q6|60
zfRWGd2CVHMU%JV<=5#Q9V9_EqCpn_x9;OBQ?DGI?VyqLQe47Zs12L!|f0*;~AHK)d
zyg;X~?%0fa#5gBnT)>WZ*TON#)p;67&@(UHAqo2I#|;D9xX6?e4=WZJz|i@amvC(G
zjno2in>3U>J(`=)caI&g=|VAPK4ly(yw<;lQ`U#!h6bB2NNj^@i+%U$ed7TxqXDJq
zYfyuvOjylT%8WCtiP#p9&U-+a)X>TJ@iGUUoa64bfhy<aAvfZGqEmhNVf%<6u`=>m
zk@y>IkzjVv3zdXKP9sWEu&~Z^o5XBpm$t27DffQ&Bzpsr0vd95n#SvYWx#G8hM`Ll
zmjoz}5JOwh&`68|lv-rGIwpz#5z3#+tFLlh!)%&#q@T9%=F>abDq5s64=Ac=(cplC
zo5BWAwu74oA=%E*uBKP*I0=-^<*}S`EC`7&kv6qlhs=Z7H%&T!8--rQ>Ybcl5&(Rt
z`}e_%jy$|SNzwYQuj0W>5h-ATEkGz5kTo^4=~2XCO63|!?+!#83tKQS05(;qR;8@6
z8?ZCY_3Q|0!sy*aTXUkVQ(@QXIL3(!{!p&ovG*>$3Cdy8ID~=8xhZ_LJEtIo(`%Y&
z0D-nWhTFAR8+Fj&wkm1wttBZ88H3n8DG|@@IWLXN$eS&0SCGc+dPxV=5X|o0taP1Z
z=7Y2^aVdg@ZnP~aE3ZDwb02R8Y(e7~2CM+Z78&ktMNb-MAf?3Aah?cxNdIs8i(X!t
zeEwicbPTr<bga~?|8Il}oA!ohOnT=#SyV|g2zIoiR=$hLB6A*rl(Zf?YzGPY??N1!
zeG=x{x4bMJohv<`UE;{ftdQ>}<n`>QB>OmVags2f`ulNvU_m502F8b1Dr!m51%B)`
zzsH_>6}RhuWZoTusQM~#DrgZVYq>dg;6wB07ySrrS;mt8&M{9E&ocrabXra=n8XHZ
z!(y<p4fzT>!6n~43X7?zH?X<UL}lmyF4{uOn+>d7QeY3iki1EN(gdM!aT?N%*Xem6
z2s2M&>IVc4<VEaHV3d@EX4piTWj}h@LBSkN73UX}zD2kJFRq|xyYM;2!gJS|ne_BK
zM1xYL-H>S_(OEmb<mU6bJ<KSaN;{o0_;*@NzWdZOkaD2Y5@s|~Byy^MbE`HKgThjz
z|63tb-o_XU?-rN?6n|zkKeok7NKu+!KNcVH{sRhpv~y$y7H?1XrUTOddBV&TZh<<m
z?xPS`F1&wu3%^0(ZQ$h#`E<DdU6z$l3$lk{;_Xl5rs&8S|1cvG7BXS)&&pbc+Hf$1
zKV^q796}~ADo5%w_J+)uLuOb{0`duz4z#XxKD`!I#~sH4BSJqq$L&T>pSXC;-3Stu
z-szc5hijC$^87jUUnFX3@in)%(kvZky#3Zj*+;KHq!bulRoe|V<BUtoGK^c>Gx5aO
z59#X7^8wFw)1IV8ula>slN7btP%+X8iHeF+2nkjQiF=-?uI>=v#qE0QNLbIz0lVTT
zh3B7byo&xV_xzM-HMr`k7?p~Rl!`^SD6R99?viG7Lay~H=Sli{2Fe`4LdA#;2~$u1
zCTR6#PX6Kb(`jGsquB2LZ!|r6_H#4$<87CwU(>c?%J+n>W@fs2DTaj=cPOazZS5sl
z&)vW<>1lL|Vwl3CxnM=4yuJ&=m=PUZI-fdgQewG%d(wz~&E{-!=_S4TT1mq5=ZW>}
zJwN3*i9=h<BQp|%^3TBLBW1_kDJr!KX95dvC_*^pD0>vN`Dz2O0z(H~3yciQMrD4o
zmI97L0v_Fq|GD*S&42gsQ-AZf=c9IgLyyJ9q~wOqhL!x{XHv&0tIy<#N!E$5S1P#b
z*%$Cv02^_xS=27Gh6jL3F%XFP<|yFVr_t%rzS2?AZmzSrKU6}lFWEBjd1F+|(%T9J
z`9bX3!Rb=<Sdmu!_jinR%hi*M7UQLj39$;^$r#X0C-!iG$+*?%SRW<TX=9e#&A)4f
z(5u|wYuPmO<3OHd>&VBkn@Z(MWtaKavTi;f%{M%8m^3pb+29V9^wo<a7za^t0>d<;
z-At78+&x_}5J4U}=|(8DujrPwR98pR6laI|+!AHOC_4`RSc}XomR6u^%yruE@%L2r
z*hAT$Hgks$6bN8ByM<mh&H3@gdRFp20Lf3?>a#vCcHE!9hFcshEPN>~N<a?smy=B4
z5Er%SC@IYAebwtU>83e5D*fYQ!%d~zZd`^^QX}<moa3rCD(Ve)tC?YDVCp!;RZ&g4
z7tX{0Rx|*1=(Qp7X~MyCo;(&UE2-JNl3Ar;Jq|o=d6FX&nP$6E-`|6Mk6g@K1y5NP
zThnGaTzL^;k7i~xH!(Kuvu^|)s1yZ(&S&3PN__YHmdj-pBsjs{qR#{WneD#1xYUvD
z<7Tg{px0hSSWGtLPo%^hvy=jXk9APg=fDXr09Xr6%k4@~R9wpBI5)6jRF<u9{CPv0
zVgAT^RG5N{0P8{9_8)86S0<&ednSy;W+Exnnu)DyTJoUa0+w^_PNJ?vwxjpS=9`ml
zJ};EV-dZ}1_*>E_WQxT)MZLqN;R~H~m1-9z_#3n4E~*C>PCeYoKto{iBlnPojEIJe
z5F4SP_U7{XzgeN{6%onFR*i5yPDt7<>|oOp>!>R!2R6!M+?mR4mpo7^Sb=d%;Nz7_
zLz}|9YI5Xhg6R0PBGjY5zt>Kc6V>6*+RdePvh&oNxiSx4qg*>?8JZbe(@5z~`?0Yb
z6x^;Msyc9dh)p;+o}gIteY(B*N*`BI_cx@kwe_Fr{6f-lqBia0YfCXW9OU^HMAw;S
zqE5)dEp{;T#F<@hu)=B7$)aabMo2)@_CI<3&Gk&N#hEFa$tPs~_%19bUvcApPQKiW
zI*B?ECH&lEX$$?Xrh%eR^oZL1z_i3syPB;NOyx?er|-#JGf|JyxtOG=8Ysg}rubYr
z?hlu^_cr~2)BH^vvaZ7=bnPB~7l$NAd!oYDmX^d^72VzO5d*NMUjK$+2{&qP5cc4E
z9qpbN<n0Pb-c=UT1PB2sr(N$kl<h6wERNW5wdf!9AW%5Ymo)Bu9|zk2SDglBO+YHc
z3F@8d%6wa6**NRQ)1Z6I`ixFU-`K%C=h*gTb~CE^G9hK^#QdckoS?J;VPl2?c<F-o
zuVT1mth*L}4ZP3esL}3NhQA5VnVEk0L{<22Ux3f0oa^(R(mEEX>Wc&S+OJnATMamI
z6b#>Xq$?>0J0iXmeIDkcZ+t!bu>7vfR}7pM5AGSo=id+s?|ud`RAV{C5GWGmR-dsP
zw5#!zVb4iI_!)v|(QYR|3c?A7>m(QDaje+Y<c<Du;_`Ew=8d=y5o(niCMm7+ULTNR
z;haWjqp?bjlBYIBT8^<J@YkGauSsJvqj^~ap9CKv?8~J@lwG~F!Ta{Zq9X$~Jn~DP
zyt7}G?ilOzf9hIvDwN}9Wxt5(2R;FqcMUX27*Kft48QW@yZI&ycA}T=oHM;~U>80x
z26iDjyI$5Q><Oet4;kG{H9clob*rpkGV$aa%TTkjuvdNlaPKyAROEc~_?Ya-Cj_%s
zfi9La;wubq2^%ph*Vs?Bidqf*XIqmOBuT$^@1k&4>jZuH<1lGyWiOZkX<J8gyB@V}
z`kS@4f_LrihUv2Z?$2Lhz_yb;Ou0`W7s`_5|Cqey`}Rt0Uf)aIz_#;Uj#V`mG@IEk
zQy=BP;>M_miN7&3S{Mg~*97m4)(U2-e$H4>7mis9bd~Aa5~<`gywNhd3CY2OOi`fa
z{ZMf4ZkLB&RfVN`vhTYwpWlS0<yqrvjEt9aS#g?8SLpb}_+j?WV^USPX4=s(U75a5
z6`y{w)V41xV_yZYpzt}E&?ig$*quY9m20*!=-H}al4HE&V1K?u^f(06;<*16?;Uuu
zoQ4PcS&|2=@z#DT=VQqHTx6F=-#zy^&!dMDkGn(hi>^PAq&wIKttbGKnr}D-3%oSI
z`*#-S^r7L<Ebq$hdN&bVpinNvt>SZl)6ASi-HAGQf6~HX>aC>%q_8sXRSx6N{tC9Z
zoGhtfJ^HPHl{p9Ph*9%>xmrKYy2~Hr<|RD;yCt>a>=+^}^Sj^FQ!@U=X->7&2d&K?
z-h3iSkKX6qTXf_|jmv6L|FuB+28(P|yunRA`gnWt)K*na-QMHk0e>1ZV^8!riAc`l
zvsAS|fxusUch~_QDmBW*)i3+kU8D83$`+r1E7FR;her%5@rORn{ym6~Id$_MYKNIr
zCkMusbDs%>e{FM?8W}mygf*N!MbE_Bgy%dIDQEs~N@wS1%T3+2cfo%*K5JYY=wGg8
z<BQqwte@?D$rAnJ+&+mzt>;kfMF#f<`}+r)Y6q+4Z}0h18Bl#wK;C=RPl`^n0n!U&
zfi!phk7mQ)TRhvV(;F_Y8TUUpvOSbPzr*#u*Z~k&)Sp|e_EPpdbcrBAF#OR`u5WEZ
zYQBFmP{qeba`3h!HRR%;;|~1?clxtH;7IpwI@&yKzqddAYgZn#2wZShKC8Ljeb=_n
zK_qYf#Emnd$8YN%ia_NhY*GxTCdzi(@l$pqMxo3bRt({H<jl`Re74)SZ#UD6L%%p+
zYl;(8dM3ZS%hlDdZ}kZEhvmhg#)PoxnpjK&4_Vcs<lUVjrehc~>{S*H<T=fabgh~}
zAsI&DPghU(uGJ$iu63=BlU21#%<mUDl=VG=9rp$|*~MdZT7MJjaHxg+ZhbX@HHhe<
ze!*S!#i6oQNF3nf#9{WdhMs%9^5I%n{=DPGON<G#-_Lj`9C0jof%iU7I_c`Gg{9Ft
zyM5DpSZ@E!@SH!tO6^fz{)jOhfNgj?#H9K{c3;#N4EY4JszQ9&bRV?-BynbXWJ*pl
z?}V-kn;GOx<}6wD=GjwpG*Y~Xt<CSbo(j>)Lss#OSgnEq&Hgw#tcJOBDZB1V=^Jgb
zpg;`6q_sFNzgt;#m|WWDxH<iKW5N90@H0B>*jslC5Nb2e3T9vke^*`pHX@;N18J+g
zGioeEKE9xM){Nt1PSz_9+^4X|ViS?1(`${;98!rrZ!ocn7eW!CYfV>xOl@LjJ*a}@
zxN<JO=KXzr|FN}w-{IZ!-m|oZYzJuz2>|fbC?7fTZoGovn9fAgrOU3o6S^>f6MPhR
ztJpv?#=tV%K9I*I)^rJ3*Wsm}U^%sidtd<oVEU8N7lMQK9F&TT5>@+U)D%0*`daZ=
z;#Bgi{~lmu=oCgJ_xgK1D6mT-K@KQr#gqY&P%ON9dB<oof+J!Cmsf_cuFuW8sXINY
zJ>KC>I~qGHZ%&4cX69^q@%sW|4z$&*I3b4vl4(ew(rWbQ{On#(E~DqqJo#s_0|_=c
zF%oMLcrxZhVi$GS*FhP&wbn(q-i-`9tWUIGYdcFi6s661np5pgATM2rSqkMC68UX|
z`O|guAXrP-fL|e~tuEN!pwNPl3A`H6+^NY*Th-OW?Z6(n!HBO2A!vupjZoDq&w0H^
zk52)1WS8N%G(BmV2rTl!$JW_6`^RV7Ns`9zw^h=1n6Hf|Py{!BcH$Wlu2KvVur1au
zF5o<cdtz-uv_}WA)!ydJa9#hFiJ=mZP?ShrViP<|_LUF#`j|27UZL0(O9wFKti8Ld
zB6H_0m+O!aq|nWM6@$x0S8<qdl;-1wK92t4T0NWsAO-sov}J`bhc|4tM8B0mM==j-
zK6{vJkpIy)t@&2@p1rhu6m>TaIA)vxQrlboz>->-oIvI${jLG(M7k8Dj~_aKvrn2l
z>a!F$iZY8JVObBz@?O#HW>Ecc?|f^xqt%2vW9^)EwM0FN=6{lGR#9r}T){l=*3GdX
zE>Xaon}>>vhy&R3Q7hr$yXu8UOUncmL+)h{!kHE}rbGO}W|EU%5bE;2u58#yXl^}y
zD*7kvb-ag{G(1Jh9Ka-^BCBK?g{|5tYs%I5=vC=3`Cbl20D@I)YFv%SrF2a<ow>!i
z_R<z&_n6q$xHS35{)lRkm=&on@stT4=KS}?E}mf(&YSeJO>&uP=hog*q!@gxe<)L$
zJ14ezUj3V#sxqPf>tk)Z5$QFTICNbVN?8hf33<76w4q8!@Y*=``ZA%e*l3;UslM`2
zJ2eKm5wij{@b$4v3xBvyCoJnrX^*{6Q!q&Z{2w=af$VRXKeaZP0!ot;E{4cfTMVv8
zdkcL-6j8&4e);fkI|rU`ZADd%ycm&6J@8IpAj$~=Ii6qgrC*#)K79``hkK9LGUxYm
zjRWMe@4pedoMrr`%>!wYE&`;o0;`Vt`)>^xWgit`Tik_F)Lcc<S7sK#+|x2+yi_)0
zKs^biE^;b_V%BJnXq?Gm&YQd@;S!(c;WXKjYA-l?+!FdSxCOY5X{RjYRJbd$1>vyD
zat?cKZ3+Le#m-O%k|To65l|`gfAcFT8l3P_zfg_w4G}*T@e)lenz-OCEPZznCLa}-
z3j9d~>+<bpYBGD!wrzjh7HSG=lF;`gC@8Cior`M)&Cia<=uXE+x6ppiCoNC7ZK5eM
zZUHW+#f~t+cQB3U%B?xW%ykr)hpX=Qjv3|xbcV!tKA^Y~x7bJ<^bwBlg3W~KBogp~
zVm~=xC2!LPs1irv6ps*EYcQ`Df$jlKn!$1kwD60<*&Ro=oVj5AOIlW4yKW3JMNgOh
zSWJc`s$rZAx3zLr;a`)W2&>FG%lH-(n%;-&6q}V^7W79pWR{K2(kI%6BauVt@{|ZS
z?RON^w1<npjVlfsBoKD8D{YKA4N09QITv?y2r11qjkG7R(9%_eCx7NigsOpQlx~?x
zKf$~iu4m}i5+UPr{5>m?d~z+v?bvIRcTT&jaO$j1WAJ`Qn+5$i@;R)IMP8pB62xuG
zp30Mt!`0O(&V7Gnbr!%|>NVh08MQnP?QL{)<V<kne`IHuF`&*#eNHqRm<f(+@NxLs
zEghI?LuJ%!Q{~fGe<q;~T{v~6Djvbb-p%IY&UwjE|DxFgYc&2~9;u*d?&KQ%X<wj7
zINaE9W>A_}fL1qYV2jX^E>_(sTxw!^%5(aKHU9zDlCqpM39o#f$v+=uKS%60#MaI#
z0)G3PO!UX+!%-)^mE_P@sl4vr;As8&7o$+H#YW{Ke;?7rVFmO=xNC86<!U|-IucwT
z(LyIm)T6vwg`si30D{USlIJe~U9X^%lDfx?IDX{gF7@EEm-%pEPk{(b!2|^T=GQ@0
zN`8Fr(e^36R%j?N3#TN(dh;um1XtYR2KXDoFhOP`y(2C|d8r<f7I4PPx8I;@dU9&p
z@Ynxw2+lzZ?0tX%04e{QOELZbaH-9(A1>8J|9}U+$@P|eLAs?o?lgC0g<O}Opc!>o
z%d#3fWHQulE|5c#94KI_Zl^%ec`9s*BbF0bBwKGPktU#>OFYU;?7kt54FMbp*K{=D
zJmq0OHNioA`Vkl(;6t3iC^cVXoW;!IGZzDIgU#A_4$-Nu1rpKk0DzMItC0SyNNeTm
z#{b?Xe3*it@1)oQhOIH>em1G9UM_@?OH`Bs%~LRqG$z~_{nQ^8AEq5@mbU-q0d!9h
zgi<PCmAao09?9kH+<Lm(J;!po!a4LsoMRk}aP+BPUrepA2OfU%BU)OOkI4p9Tmc0H
z?&KDTa~JzpjP2~~Ld0JF>H6_wEAp<n18JxBZR(jc8hEgBZnE%aYu<iK)N<N-v&4IO
zOV##c+t!9QkdGdPv00Vwrc?f=ZLunpqBfO<^GB4W@=ctlJJ`0}y)~FM{mm3~*D?$`
zPXgazVfjs{HJA+8HQmh?^cK51-f;B}jGUB>TZ<o?<}|!<eWqYgf~I^QPSyN<C8dY&
zT;Zb9S+U2ay5tUR+9PNVB;CPpFb^gHK}={(0Myk#%!@q=bQo(;g|Qz6w}>pg@a>Ot
zRFy!{9dy4qCraqmFp6Uk)s$T%Ycm3v@-$G_*Ms3?S$yB0$lCJsaC=UkcYl_-{;H7c
z0G$_8_PG7T@b<o^d^w+OroZwo9Ad`$9+u7i^Z6;s8Z+MWPlxy8{<i-g0+07szb9Bn
zVs95LZx59I4ihK%vI)^q5hmcVetG_P2w@Vdy6J!}v^^eJ+xR~8+Z`x!Nl)Y7MSpgt
zSW3m7@O=%mzIR);BUPY{(0FK@X!*IKR67~2*Z<Hc(*k^MobeWOMEuer_@w{PsDZd)
zs(AhgDwb+wBs<JpRNI*6S-}8QGj_(R7e|C(EF*`JUTN4hL~1QNpLfkl2PkqPI+T(q
z=RtONcD{7v#8-IEGNQpMA0Z>;*f1RWKE~kCI7X?Eh>bvQ<=BmEL%qS>h;T8{5V;w=
zUqgzVDs|$4S5YGjXEoQc;_|}AxCCV}?J@FLtGU7au<@~R%rXX8??_yzlBj;=3Dn{<
zXYixzMDPq+I9E8Bx6AA6%ffa_^f4X(GD@33^A<mU6AFgRnG%*1Jb)JeJ9;jhxayj|
zIGflStFbeuJ-&BrIi$g#vGCdcB-!%af1pBsKk|h4&hGz?=J43`+VVKkCNbCIX~Hm$
zYy9^@NM@KV3%O<_oc2%O%|8nfJyO8bYn&l$@X(<Jnr=+j7LI9*x0ib>dRGkA0G(LK
z!i-a2S16SNbxnO;I2ViD-9b)5+TJOd3iX%Hh;VM|sIb~z;le#evw{7+Ftt7tP&32Z
z8A(BJ8HoiL)V3EZa#1ZMIviMd+p9H=10|LIH&6=iu1#iKtg3ZP4nKaeyf^x0q^Mga
zbNPG|>b&`HoN$N0fQF4Sk^&>lejs&p>)%U}L7WRoaX~uXIJHYE_8{Wrv^F$P8JEz^
zgt)AYxxb0R#tlg>YPqcikPD@04-`bdlP8$QFt7R0lWX$IGravc#sIycs^@l?Vr@Id
z>Rq>2apsuUS;r5Dzw&nx13i8!X;D23k&Lc!{O-Z=VCLR$cQ7ADf474N=4)<G;Qj82
znC|50No{Ds(AJbtnXgoJb!%G5i;2+xT}ffbM87-um=VPi?RR=t;gAUP{?{5s>Di*N
zu%NZb=f%8!Wu5vCnOb9VOzEgi<THZm_6UqWPgzBwesN)GF$xYJvS63{Jp#M-)U2k%
z%<)uH?LRbX=8LxWj%%-llPn`K8dzrFj{w7eXq2A-=QtfXZUpnjf)$R{I1~+g36^8C
zhP}mb$>L^`mU(NHrIXhDNkb)9A0@YpR5NZn`PIJ>!#C`rnCgx&apU0&dqQak^$h<<
zfmRnZ1NAZ$MhMq#@S2+m%jq-L3z7A5)(hq8BZsv|b>f?~#wd)JOl@+T^T;hcI9xQ{
zVk3yC<;rDlW=ONBe+Liek!jbe%Hy{hk5%(+%#V#JuNU4&TYk$=y#LLigkp_HBB23*
zke~P;9E$0Gawwn>Xy?aJIT=wnXzZW&0C3`BLh?Uj?N4w*{;)B?w|2|c&j4j3re+TS
zz##u8faW&6J^%n{PH`cAMVE|AEgg&XA*^nA_vSY@J|r+qHdOZ*^?^$tz4{Ga(;C;>
zj^JGCBy}&fAaLJ9C)H+}AW{~S;GDoh&{c*CbHn2Gupgx^vcb3p`vW-D?-sEF^wk*)
zKEr~Y^9ynfB3E{gyWu?t($ah>HGO;Do*MqU5#rbO>#pl(Ptol`4svYlzeC9n>+>O;
zETODK2-5nIBZBd&#CJ0!OCj9<@1y;3e+Q7!e){5;NrQ}f%zqtI7RsHqFAHw~2WbPJ
z*=NJyu6!8AA(yCintl$PJvQ<T<~}U)31gg$+llU<to9Pg+>L<FX6Wvzy|{o_CL)tG
zB$gcqXw%`_3~MB0?)H_?lz#^i@-vTZ+XUvg=iQnET9fzTJN+QXvF(&9G!5IoiYct>
ziqA(?PZjrSM#PhHE=F$8sxd4{hF^J;O`9Q3&VIkdp$sY>(|ep&hMJqX-Zh4qn|iRO
zz22TGp7O7MJxn6=GTc+OAVWoOvI;;VGRi=%qU<!pzi^=lV6YPTb-fI1yBx{#?SwVB
z`XVy%L$<!>ZxhIPc|4Jq;)Kfrg+3FNDj_{{UHPW+lDIn=V0-pfwW4f)9A+DAfD<GY
zwoZ~`)#It;3}H@da>bXrHFiFS&NB|Je4}nay<~nrT&_<0^@0>9%`X`f8(6UpSBk`^
zq)P*LS5_VcwJy?Vz}4SmcXMC5T1NJYPK$qBwz4x#7^_XW<{duQ{bXN%-EJYs$~wW0
zbUnG$_F$!7@$Kzhjt|${c(~cJ8naKtwYIWaS+a$+HcD&z4zx^?D9>lKIqt5;9htMt
zGCLDJZlsUKejuy1)bn&*he7)SWp}W_9c1{i%~i1qh{Yn>Wee(pe*CFg*{px&b`ogE
zLK2n*ZV%4t#uUtMj`u)^vD->N{@0^kraqw<WAA@U7GTm$<ad%tN=Jc+8MET-Kv-_0
z$qq?Xe_Ej{G)o;isX`dT;QbwoT##ArC&Nv2IzXLr5rYQDdoY7t4qFtso*ZpXjr%vi
zDwM!$m-dEM6qpUCkBu1LQg3~+`b$?^?VFaD1GYda&*2y>=8DWp%SHKo3`wNqY=D@Y
zez3(-g)h`(ylJ&!h=ablg4W<%u5>6R^C&{r>fe3>vl9;c^fc&QK3>E@vb=IW7CU?T
zxpIE1l_l#rL8qN+acMUIGIHQurz1`;0<Faop_e1pM>3=KV*4JY$`C7y2cqqE@t5iG
z&w{Vo>a}A<$Q>?GypNZuD-Xa7Iud(q#1UjGCnDdepvngY6Fo&S%y^J9B1k_)AV3o2
zZF-r4^gxw<@~XPX-q+6G5%%j-P>#@6BPzxSWfFQy!pPP+PvyHn5~dP=)oCz;YUhbc
zT`+28Wf4OLAaq>W{YS%PC_sN(!n3OLq5&b}p8m|j!7+{3r^g;IYLx+YA4Vy^QflvZ
z?!64Oik1LJfegp+;)+*3j5t-;$N&uHNb>t@fA-hh8XiJF!&ONOf9SyJ;9?7rZ+l-O
zbE@Mdm5Bq4k|eI-n>hEw$Kb?WZLJvUf}DiGZ#b?-6x~niAiV{xD3o*RvK<w9iTxG)
zr{qJYIgY&(&cOitghGRkD&nX5Fi%{QXNfM1eue~N#o9~>93^B3Pt|`4)19e@5y^ka
zqim<*<<T@!nYGnv@z2)7a}v;PJhRukNF%y3zj_5bsc@P2DWxTWuDA<P7m^ah7(6JA
zn)yQH+kA()umoQ@^D%3T4qJTXISCQ`a&i)y#P$lAb{cbe^MS-wWBk1(C{fJ|1Kk~)
z{9`jf*hA!@pE>9+u1>H^jW616#ZfQ~CkX$F6cC(Hh*@Zn(mO$WxK@FR@PTQ9>4e}&
z;6qCbSOj-d^Tcu^)?e6XGVusD_cRMp;tia&L;tir(wOlPc=n}Mc3h#2a?{hqU@Eny
zAcv02!uR`U^wx<&u)=mJYmN~s#X^=C1^|1gGL<H2$}f0*;s~r-_a1(s_(ki)kPM)C
z@Vi>b${9S@l?V#7=gkbQvdh(io(<b{yUOw7K12VDPz-ht?Bz7V1fTFRQW~$WkfAZc
zr+GoL`VLpwTj5w72=sU8+3)vx*<-f}GylUt;vy`zCAEi2o<C`cSfmAk<)9*D-bp64
zt{b})SZY7eUpDsXkG0cQ^KCz<oFL!LV$n5>tg$3H1i}uy*<f2UM91Sf%Mj61t7xKR
zq2krn{WUTwsdg$1j~hd=x3Iys*J~#yF&<YQYZnSLwkPRhpTm0ryZ1-l2fT!66>sEN
zs&#<{qu@(vHu`CP@t)`1jZ7skJ?11vtun9tsA;N>`kQA#e!|(yDd+A6#v07BX`M8t
zj`ygDY~-tM9mLrmhf+AgS=BNRn?Uii&d5{B__x1PN52Ik75J`(MHRw_Mt$}0r3kYX
zYh}wK!+w*gvKjsNZ&+#~lyOVM(}|s_nw%P7a+du?802cO7iFQ_{`q*z0gs1+!iGhb
zdb%XztMlL~3svcI!*u1V?rPq7+F2@jGqzKv$VUmrQ;JaWD-p%NDsW?ceDq1=rJP61
zKVPmT(7dn0_{>uzydA34ePX9U_nESK+~~CveySLr4&<A^ez!T@QV{|FMHT<At19?`
z8S#&19S`<nBCt?E@pl)(k@rH8L&WD3K_YyjEm2$2k(>!ep}@_yonKXYLf5Z`Toa{(
zUJX0K?(#XH<$(e5?j4m#^adSPMRh-#zw1bDb#e}`E2>RQ?hIrnxvr>H*Iv&D`=`&^
zZ+hv0eS3L1MxMk!dvV@65<LpkMmQ%KUzKERcQSl>;6DFoPQp^54;;7+)M9wv0(_mD
zqlE^4>ZKd+gPqX1)`&k0cw@N4Jx5CmZxqmtq*;K(O%}Klwf(-4@M^(2M#`B86L5Ee
zJSQm{D_kpV0VToa+@*^j=$8~P8!U17k`}j9wB$w&dBsI~yu=f~ve+kQ>9ebpV#4g8
z-AL*)#kGSzOv)ft6p<ft&b`HXiMfj0bQDx0aV}Ep_4gHk`an^cBp90HxJ0zc7R;Z4
z_gmX3Ipac0z6!1fbU0y}{V>VKTh;vQ0M&avdWCnQL^>z@Fai2^XnD&HStA^SLoK?^
zdxnYDZL75I2V<n|6nB>Up9^c5=TFJopS^5}ldHY<Q=Afqhjx*r`8&u`+Wg&men3`6
zZGeqdzn`%vvD@?2g#ux~6-rylgbu4!`3R=+xJ~CVZMbo-9jmvzC-tkpD$4)g^0+%5
zXr>D}0!@S6^e>WxHLxYFTXm4;xi*!;%uf6YPiOL*cSLjO;4vSBtP|2_Y><2U9=|qF
z)=p%h{$9Qq7s`8GC=eVpK8Dyf$J=90){0qyZ4fRb2pQVqi%R1mv$S|RUoAME5YPRM
z*e)7(=r%(UgJ%Xg5+???J%I_c6mj2yMf2{|xg?c-G!SupxX52K-|K4sC-(X;IF<(|
zF!Bw=f*A%ove4B311$mK!ZJct0=j<xjb}?ysv~oWU;sUwF#ikBGXGCJtNCf9s43l0
z<;!-3{cENL%=za+m_syy1a*d^i`4LIZ<mY#M1ngvgE~WkLN(V<uRePnFCh&1@G~!|
zvz}*8bD38WsVis!!Qh3!0{}G%s78%I07G#AfDjf9>nWbsj6M(mK;sivmRRO`e^`$@
zPP>z@A02}Hb@*eaF?hamjUs}kBz(6#g9czthth}E+62}CWtxZXQY6|NA#naf7o2tz
z@r@_B3p0_6yWhj8za+93J~vymOuK(sJohzMKoRhw67Q)Puw9Ii*LI_AF0`uobzLb6
z-K?VRo_XSSCdLu_*}cYerCrsL)|{74f2%|sDr+J;f#27q;@k5@ve3eHo|*foG+*AT
zMF9b?XC`<Av|OZql?1%7vTZV3rHUVN_lt9}+3w!(UqJ1Zi6~Z#C0CuZP4<F-VOIca
zk!)npO@}b?eDZQQnErVwP?3a!;6<BPw=PK8W&XXGr|=+oi&8uS1<F_0Hff0F7u;5w
z|5cUa82t){IhgqdqUsZ6M-2!MaQ=N=NDcs`wFaedn*O;87T)5x(&E%~&XdqwB0JKH
zw;j)%Aw9skln_-{3kE*xR$@22n=X4gk<68u2y1;uBo1q2(AW3iD&ZOJv<JnYoK;vq
z!ZTTyA=bz)MQ7`U|BS|N+`~16o0ebIw2va=5>lF*-Yt$>(@ya^w-|v#5KLKBFOvte
zQ9lUF;Qh=OUBQMumJPcLQx=GT16l*Im5Vi^om(m`GDlvgC>#cd@Nd=xWH*CE(aNB^
z?P<=iZQ`@jVl61VkJ!-f@U;PIS})oYf<f#HvGtya0ZjnJ%-KFJM6I^_^t(sMelRS2
z!`Njej$BTIccFpe_0kNP*0-VjBycc)Ank$T(8H9qf^b4E;68((98LbBglscYDUa_}
zeSU7rS7<g2P33Nn{LWwD!VM2ej`@2AXz4%@!USERpC^^ZiSfRDkNA^=H@#Ld#wYBd
zt!%1m`{*}`G>R*CkROP{Nb=tx(Sv<nn72$Vxb`|XQK7FShUq3-<kW(Y3H=Udi4fmH
zh-kP`gV)oO7+0<p6ygjq4m(nN0&P$s-q#^`oQ23}oFS*PR)yb)YbrMA`;<rurXz?s
zhaojOp~G(gC-1Lq+u};NO*m}PWU{}~Lxl~bub-ALh5fa;*ni#bs3_3q4|h50B0RSC
zd{y?f!OM5%`u(kV;-_r9CBXA!?><Jw!dRXHz{{LSIlW)F#4$JmpWR7bZWTLXPjVZT
z%h5K48Mm!qmaQUJw>@(4Yf@);z*-#A>zVpuCbwF1SKW|7A1oW-M@JsFeBw>StAu{t
zBV;CmO$s_MReSq-v#&qYP_395gsguw{bRY7d;|6XCEbOu#>dh1#!(ahi^4s-KkrJ`
z8*KzDgX_1xkOJc=oP>MQoa=l=dZ5`Lk!=1g5M0Kel%{^K6(p_z)@L$1Wx>jL?zw9d
zEx9)XDAKTqEewqL5}BZBb*nxJ1P8Z#z(OMhGH=mw3*M0-3hV_{T+s*RvCtPgs5j=%
z`zwuZyI>-qOd&9u90gK=rkW@d<d8C{sh>G}bDOsk3cIlEmuEiDZ|h5;?+3}~;O`*(
zS^SWNc0ZythHh+fg)7Knl7Z~5SU!YqjG0$zp%=J4uwW>)coU9Q6Fpx-uctR6(UIPA
zPso80ThqFm3#NHJCXV2%ldVYpsWFVJpB2b$9D>=r|Gr2R%Fmz2qQ?ba8e4T8p)wUu
z=Ix5#-Hb*Z0k71JS)Jrt8cQB*B;~yvCtMH4IN4sU2g+i5&*#7MoeIo5zG5b0i?zP2
zh7aPEwDMEU=>?PhQASwpz|UC|cs7HKH3*pst!1Ko<3Obxn&WO%ZFXw7@tYUw)=IMr
z@Qsb&?0}&HpDp4)w6^rTam`z+=wcBz%fu@WIpY3q7=%Pg<7YOl(JkgXdOYBx%oRGS
zGVxurh{+i3(f{@dg-%ut99}a6vNREWv3K;zxdz(;HmR0U8qgbv3NAMlr>yCUIhxY5
zSH8V}#sR=urv{4A6_GJ*mzP=LHa@v#OqKC>I%InBi_-#~qwa&ij<viFjSKsu&{zB>
zcVRKp8*0(5RwiYwvtN15<$;to?6s|Ft=AHLj9MRDQES$c)myX;9NohqZ2tCS=J0E5
z1)q)B;H_bOGA3Q&yG$L4W!NoQeFK>0RGf|!Yq7Q8v-C4ags5H772R&5K&ILR;3Soj
z5FqR~(aQg?YA(+fbz@i0>wvjW4^?0w1k<h|UFCVRrlE6!!^syNTsc&QV4W>>R%njl
zku~#s5k=bUJ5RBXM4OjU6E&rz#B<Hd;I1MU-IfN=6$HL8p+Jy^$FPRI(APwBy$>=I
zX#qj5lV2;&zSF4zMC(VrHZU1c8*74)tv0M$*{3YnP}zxgxvTm4?WV*gw3o1G5!T8<
zLg^M6Ww}eR+z2yMyd+KdDUI6?;-_NTr7Bye9z)|zTcV%U7d?ftRIwWE>;)iGvM9?}
zWKM-66vP_j5(TlVq*Yzkr3^0`!J1;mRgZe@AIrs_U(@w4q4cUyrw~JUMM)*VP5lH3
z6}ru&Vm3}2gFv-e2yEx!$W<x~3GW^1K%s>Lr#2q$AHKiWahytGdd+$1iiXKJGzdDc
zQgrNg2uY+l?^*0`f<8TgE4C-*^nLAOowlz_xi{e?QKlh^E$!-O;VW+H-cb7dn+9rE
zE_C!9w;h8&at5@J{PY6KmtUots0mtgTgUj2<-x2#xYd(-vjwT%`ABG4NOgKz@L%k)
zZd-$$J%T9d4EYWEuJg|FOG<R27+#+(?InpykdH<kFJ9DRqC<PAyS+_3<B_@0GilsF
z%ON!dN*@WlN)88gCdY7(g#?j$TGAIN0#*;#gXFko*gr~E8wwiIs#Ar06zj4{G~qGo
zc%JGeZ0MZ+)uwt4X_m=cNb&d{;7T-Lggy&>yp2R-pjc&=-?NPZJohNAVq*)wz8q12
z?XwniKNYhs2JQ9+MEwbM<e|+u6$gH7)Ys#;e(<G!-U*yN2T!ntNy7T->1tb-D@G6>
z5>Pt~;If|1528#eMdz*2Outb3Y#`)R%>g88m20aLX=h{`>8_jnE8!j6F9y5-$<Y1E
zCHdr(&xiqQVx?lxnratA7Iva8FL70n2r)7%IXH_<?~Pq2uLi?JLI7p~;s&?7j=F@N
zVAcYng<R|;%Z-`=IP|v28irso_Y~2un)g>PCynXf@`w-$RKws)thbx-2wgoEExHJ7
z$=af2`oHA}=r3<-X58g1<^S>vB9<?3(=3`BW%GWI0->`k5YY<sX~Hv5WRSN6o_7&$
zuO(*0uNRqm3G$6?--1kOF%A)_n*Ujdb&z22QBB7w%DtqDUXz>Xj<IyDPW*a-CDM@k
z4X*ED$TXhwmwO-}XWMe~IU|0T?Bj)vW?|&w+#x06<Tx%Y*yiuIj#xQo+EbN$O2jbE
z&Dtn9l^FjG32FNpHAdktY_C_jwfEcD(HEFt1IoDgdBIVv{#_d{BKyw~c-DR7`i|Qt
zjEB>#<f${PX*ZlmWB)p7%9l$ZZ|}dIXsTWsdn8m;a+K$4I6fF+t|Qw5*rqnuwBqF`
zVz*xfZEm^iVRVE(N*ih7?A`}`W_rm>I>(r6s($K;g$Hi5p;-iW<bpanlB%0=YEqx$
zqNo&N+N&ka6XDhhMryR8M^b<&U=aJ|PR-Rw2D!z!2sRt{$CyUaFS>XxQ3iFP-u`*j
zr(JF9jmI?#yHmkPtVQs!sm4?!39k;U)Y4ryj4cFtxfKlb)e9P6#vyK*Vq=>dd}dAC
zUc4VG17s2BW(>PwjUw`B=#sWKHU5ZE07nj%Z#5x}@Y?Mw{e<1upmQHo7RzvMw*lh-
z<apCU8qYYo_7-F>P?Cso|J+|X<0`&!T|C&26;Py*gO7M4!wbQC88a|&Qx<524?~Is
zK_WcHsi|x48~98jE8-oV9-^SKgH5}ujqsNnae5xkDeS+ap`6$P9hz~%zY;#f+oWFQ
zAy7Iv|H-}0tmoSjJQ4t|U7Iqrkw{vi2sSA6<GC7nXd=Vsp0a-w<05i^wOd~7FQ;yU
z^3J74&`N0^?o90*L@FX*>fAh5&wO@D7SRVGZOB4Rod~g<Nr1<+)={}hfeFbLsCvK}
z4Vyqos?{?LpU-Q#DWgE`UBTvDB3l+yKUHEMh;qq1*4+0Kkv@cg8v>DTbNP7oku$`8
z(M~p-6=bc&&sf}TF%o4Uk6w!UZsY52&OB3U+k>*}zdDUKjOrP>-uYFP!XdP;D~#`9
zB?)v1#RS-GyTV@fI>jZzoF#p+{R!!)Eql5psvWW0J9|<nM#VXDJlX<egfr%J!;$&Y
zb`UH3wmHVqdIC|mgN>rU20ANQS0&>?Yp&rIqY0iqt=pf<UD;(ND#Ph1Ru3m_(?E2b
z<-SK|tH=w=TF^*osuDM6OVb8_<JZ%t5BW;VAmZ+4d?+!gVz@fBS{QV4a0HUm;J9|T
zGLrfMT>%nbkYt2=)<wl9F02~qY6C}B%*72kgn)J%eNvo2r%ClWLHooOizJ-z%p6;=
z;@1#!@WmtnAM;oAP8~37U@zP{<fq32jR`oxT*{_RdDRk*;5r8g$rnqI_on_23_P5_
zIP`&uglhFhDmk6iGH=$>j8ovV(YY{)QRssq#u5!y(m=KP0%IH7<1~`~WV4<%R!^=c
z_7L{))Kqb*2u*D?hK2_rNvOPhE?v^~VXZ0(t|!!3><d`Z|Mtb0NqF@g5A`j*iBu$$
z_XLag+=q&qqnl{=;1Mvdxsu)`vU6##r@#ya%M$=XLTfNjlhvLnl%S<3UJ~0TbPMiH
z3{{|KY*pdKYgk!m*<IZ>EX@EFef#)gxs2yOzd*&?Sm<_`#W|P}J5Zd7_6##kWiT(Q
zbzx*pJ5YX=F{g}-f&S6&?f)31C4K@)?f9TCq^Rjo@Lo-r^fnlaSm;sA@K(U8X9ypm
zm@>Zt7-5i!yCLqki0P92MLxVO)%(Z2MzUYj`5JcFd*KjZ_ibbLaPC%~i~lhtwkw@_
zu$9q00Ge?;EoinLd=xw2A{Z?(uMNhwWqxjfSMaf`BV&#(B2{OTOjp-2p7zXEE4!AN
zZLL$}m4J2L|J>yD44G(&QB;~3NUJQba?Ibd%dAY9eC_#Up6KgA$CvE5cz|jcj;qWS
z-ee~94$QrrvH-6Z87t`pkwRJ<UKU2}YcDUXiUH@LzKY<o<oa29?KW}6IU}CJ`zQe~
zJFl5K1}|g4`8(6LTr1xrGA~E-+MrtFJ5{31CFUvYi9Z2xVT1C@Lrr4rDpu^AQxJUt
zby;79NLbQDGq=#rKr{ltOb5+}NB1vJEJ!a2Hw_sQ7_2MHe^3Nvkw;CUb{k=SDO!Z2
z*39CuQQK}f$y0NG4n-Q_ec?GxZr?1)1m{h3f#q+5n+WxyVb;@SORjb8Q}MY2c)YXr
ziO=25H4YNsFAQBY*5>YYq;a-fpaZo3vloID*-`-V!VDxE<KB0>x58F3ZQV`)4Za$4
zictwJC545^7;YYQYwKAKEzW%Ng1H{aCswzBVSsfaPr|Dn85>t_E8#DYuJ2*+<ymsW
zA3vg>$$mh>K0rw@%iozQcI&xS`_E;NUj;Y!;kr_OR6^;<gSgF4Uq?Ii?a~RL-fDrD
z+8?oX&j*|nC<y5~jj|X!U3C(l@}YrfYJG3-z84{@!CvcoT0G>eJa8nwh{?x{Y-vS&
zIfl1%0BO=E5Ik~IV!+<se3&4Al|n=Iv~>-yQSW-MXdMGWLyCzhq>^?A<JCGE3H^RC
z0SeA^&wwGJj-e-UzeEC4pUtPCh<SJL8~8;|X8Q6%?s_T4%&l_d2=)CXOb@6SGKnH9
zhmj^;s)XsFX4lW#4Ku!+jWG97o1-p(k`A!9l?5NlT;}KBBrt$35};tvjx#ZbRMB*&
zA_!Z|IajF<0T2FaQ*z%@q0*%$PS~k*f>JXPKfTL}#sA{uo$2l}`h~zoZ^-P<Gg}Z5
zXeBP3W}o$CF$%6D0Na1uTpGjYd|11Rk4yZZh3FhEXk16?94qsEVtHXynbhQOyZDwp
zZ4!{X)NVt;^7~C7VM|hBXz-F#3WEC`hj8u^E(I-9&ZuMe3Yx^U9>6X0Llu-+{qqnh
z8s9Wu0=j&u=6tkQvLNsAs=UTJ0+6;#kciJQXF|pTW<jmChhN4#WN#Cp=+@y2OYC5V
zD0}@5Svv!-2fVsN%@;txA5T1idc^8lFE-e5ZAf~cX}vyJKLz@#wA#eu%=uUCnd)Wr
z_tFY5!6s`%J6d$i86{}E#U8>PbKW#lL_!~I!LqxW+9nfL4E@!);RB%It5ZX0fkq?Z
zdTeSvBl~P$)&ZAFFnEd4PlSoN3#XO#kS)01&I?eev~Di=WR^SRAvfah)>pYONpIb-
z$xkXpqN9?6hEG(ru{96{)k{5$f~{LhMh6M55TfY;Wae*NvWZAy$w>~Y!CHNHSx`Q5
z?Nk9WYCV{9=TX%QN2twb8RGz1C}mkVgEmj5yk<~JqXy|mIX}@7btG*PG9wR$+tAyp
z`88*K7}`}QG7AY);zV!^+&6e5qU;(J>|4=*?(71QlK`>t`%X2%2Z=kzL!M6?gQs_=
za>_}}vdUJ3c`D_0<Zcq@IRDHFOayBh#^T3u1M}Ytfru7BikF}u`uMN*7Qb|jM*~tk
zpI-Fuiczy*a;oWVTexx;+1F~xKHUGEzLPxB*oMeS4=9hx@0?<#ON1EAzKKU2x~uhn
z{v{?yd!Hd6Rz={5TL*C&TjkoqhS<52t=c8H>a=GUh$^T;bV&cA7YqzL8~!n-Uxz5X
zqn`f|G7)SNg!PGI<nZpA_Uw0fFxp33&vEBx5rp7A#zaE#10jG0JTVe{xfE^;RlLY#
z7}eqKp#+~o6kpiRVAs=u-in$o$LXQMB`LG(YAJe0V4`trowDTdboh0i6zY0#gRdMW
za2Lv_u=gW<WW5|TMIcEh`B1=EFz_F;G^WIgkC6ahP`ggsT_XD+yeuCdi#vb!*Q(V&
zO8-(Ko-Twg#pwH^*Y$$9^C|1JbK6E{Lhqv6dLxiM@GWLXHkLl<TUm@=^8Wff0koyy
zdXlarI3FNr&=Q-Qo+gK{t}wf^qO77Bd{6@+bG0b(C&zW@D`nS<xno$U0Bne#9i{VO
z-6T5p?N|Q*-=9?{+bK1pxD`6qm4p4f3t|{gOv+F$!B;-dnJ*)Tdzt~eGGN~}6%O#k
zP*^3C)4JbID=tu5MP=EBJ{aNVAD<B7i0Q-HWe&b5^VYxl?DmLlk1P1ApDgM9`(vH+
z(}x=d3tDRXh4eA8T5x>xWMsdq>0%GE3OMF-TiT((kW+ELD#HQ8i}ea??ShrzwXanr
zRK(NLrp>xx+N`M<&?BM2M6@#+23A$FNx8tx43Uup>jX)2=q|a%{^=!bDZWuzaSw?4
z#dCj%HvSa`bQb9ngk>V=ls*Mdcc5Pp%K^m+iPP{Z?E2A}^l&g`)Y1`|ouQVVkgC9&
zD|1qL4%IF6!#L<uDeNDAq`U=u24s6O_8OwM9__V{JxSL_)5)$(Z4abe=|d)TG%~7i
zqStt(;2OT?!ob*r#mB12q`Rk?f}fVqftgzREN!sEHjqZB*=7=xtptcF*hH(Y8SP_J
z_;q@IUB8eW{l%fP?)F~XLUD}^^bkm=-xj@lMmh4}nB(9LBUy?Ac_zYF!GxwT&afL9
z0B1aUo~;2h0tgEVFn)tf<P8Ly0$rtjOrqPW(Aph#fbA&3wd>o4-FSCb5Xx>}@H&oF
zn@n@ln7f0DYFehw(z@-C_Jkkx033(K0Rl8UvzXYYFbcu`Q#Mye+~gT8f%~sdv5E$|
zj9WLWUAkWvCAEX#XKq1NT2~C3mJ=Y<9F8(n-MheE%Aj_&bCAm}dKRo_<`Rs&2Jo_s
zf0MTy?SBln4mNX%^<u2y-Jz0dHI+JW!^Ey~2r(8M{+djZvDZb-1<@;^aL^_YSz?{T
z6>1`UP8>~|L1-=8%>@^ta34dG8pX}?>X?{wElWM_$|iVclh5l)zdH4Qoba6^HuwV{
zZF$Dic8xIxka1_$O4jT47p0XZ@ZYhBk|mg>!Atfl1+M@ZOW~+egPw4A|1IvgO>~VY
zOHYuDGWiy`MVJ2B^{zYMV2&2mY|+@BHtZ`m7~s8_!y0l&9+V2ekC-|FPrNT!aIc(u
za<CaGhQeF_m}5vEVu*7KZ~Z0v6RAS}({j_5bau=xxuSlg&V9><Y*;{8^E?J7VENA@
z#mM{dwb<FfcpC(K`1|_zUmWJBO0HL7BQDM2&dvK+ki_Vm;wfL0Ro?rFah}Ke8Zk$4
zs|yJ$Z|~ljX(ef)ekz5kU`=RXzW2fFf~rz-TYmXqYJ~heLqh_!f915OeasKGNns>`
zUw5>>hZgfmKXvh!5#AdpyeAqw-b4yqytdup@rcJgyXy|B@jlp|tJ#(`=~pa$QV4dI
z!L4jQhaCTMuE~1G^&?<yh;`!|%Y~_P0mtLU<i9b@Vcb)r10@B0vHXcbo-=85!YcAT
zEQg)c3N=nOqQH<mINc;=A%q-q*03`aOj>vU@ZP-^^BSB{44$RYVSPSqX?1H0UQTn&
zNO>77WUYxVMO(Q?tJW>Npi1E5fUnR^wT!$awkd)M$K1`7Pe6_}s=LrY=DPg5MX2yw
zXdi(`&kohqB3$Vy0M(!pqdlzQR*6NxBn{wPYy}^0X7pPQGGEyJiVK{uP_fF1-N~aT
zMCoH~7LBdo0*6&9+iu$kAJ&`7Zisn1J4gPZEJC=z49DB_56oZiwp6o{;JYzJIhH98
zaL{IO&@uN(&53-01(S30lkoP5oZw2>9R|{!W*KzTIaOC<?Ng#@AacfD{C(44vgX^=
z^1zvw<uOGs#)&XoymLEc3tG-Ib52ttdy2>J{FQL9_*+u)z;#<LcCpvH2hcyL0G^z<
zBOg7BB>DX0yq5N3A>y;a&KxmK3k{<d79RZlGC)rO%vT%XsNvriZ6vZ*0)@|tYvG$}
z)Zkf??5pJ{dYo!!x)EoDb0A;5utmjJ2+yG2n|XI<ATzoK5fqiAtSwER2T)&`p%VO_
ztGB^TeBgeW&Rm??-u4rE2qEK5+d8F=(F{*FdB{{N-#r*PYUV^Uhz4L9nl6qFRFHkR
zBXr6)M+euNeE|zx6~;$ljKa<7u>cTjHe@*&3#4&Of~&JjAEvLFj|L_ReYFYG1Qu;?
zaP<>)BlkFbl#N5t9xQ(UBr#b$;uGF`MFI(51P-;|0#<4Jmn=dHnt9e$g)j!Tixj{E
zbCB6`Kix@TUJr9jPrch$ii*z_<RZSYXN54?ac_)G)2A$n%PUybh%dPqQW&a&VP`9%
zOgX{L&bUpfB|iVU#87BY3U;u_l)>#oH9mk++D`Q@TL+sUn`x(f%qrgor>&4ggnm`_
zHj{H7ifx-|Xvm;U?8hnccmy&{8Dq|Nhhgg7ki{3qY~x2+hPhB8LPRgd6HuXBe&;ZJ
zKW*WfaqHM;pd9PzhIn#wh0zT0z8RtPKJx}%>)<<4^cSilR5pGNfb@&>ojiSscz6;c
zpfQ0VO>rC;1XbLX0#Ql}&ncz+<mmhL<8LqKp3KAi7y2Pwc&FP%R+|3!<`gia9=ykO
zaavM^cY$=+cU%ThrF1e^mZXWYvF|X0+m{mdIQaHM6)JE;brxcg60h$tOAFSM&rK)z
z%G6F3|Lt+xaLbB78fpW=31q^)Yog~FG2$IMzy#Zn;}?^XT;$H<56%ASb|+j9dS@1q
zh9SZiPf)v)Ct<wqRz*qZIL%CiUA{h>5T;H2n^AsGgO$rQEy7|h(u$B%E1fC2L}sd;
z*l~^%^M#B$eg7wgD3_bx`xxc@c|YtZ$aq({l+Ck3%Tyl=8g=lG53X7jF=KTX6XitU
zZ*<e9$jg~VAf2vhmlM2?CgKXZQ=Oy1owT*~R(Au#+~D3aCgvD$@GE?SIBJ1N;U8N}
zE~W9vm<1=ltT+}_JOK-IClI9(s2}0$yf0t=nB}gX*2$k=E7UCp%(I)FE;<mfex~k!
zsQ;W3+U9)jXo%BozBfW1a!?*yZXaAAA3u7#(^c&M(4|DvJx>b0(|+qfJFtf9Q}38<
zD+8vu(z?29j4Gy;fk6@UXZC#_v)Mg&>7iwO=;1NBE;I?DxH&-WP$MFXPjm-u*&%4(
zx_~ST`qf(IAp)QqIF|$xB85=Po0qgz>e&mo*B~>yV8}TthY}J4Q-JH&XY}!R_|y?1
zt(}d;2N}OIp5F(K98Ww_iLbQ;)Xw`M%JE?`0&QBvw@M{^1K!k(|HwMpK9aE}_hNe^
z2b-e%(Yj^irWNP`#uUUxKb}(=7J*#Fjv>Hjm7fgwQD_U;ta~sN0F*KPN9Iv?>!2i)
z<NIQUfB({d=}Y30;^mS9Tb}vTY=qatxuQ%J<S_1@vm0+cs24!1A$7C`Qx40xYE8-7
zKGT76&|oTj>QY^_{&BEvWX{e2s%`-9kE3kQxO7L$-1HBRTz$THbEqS9z0v3xSTVqp
zURuX0(^)dY=UjH9neoI`31Q_zm9@VpF+sT+4sD|<Q#N1NTebG?^ZYkVBF|K4qTW!M
zF5Lb#>G1PN@gGs=^_KHSLmKobsX1DN=iNVz4VbHw-7U&A6Jjf}+Knj+Qh^oFp+I3;
zc|CmP2hYdO&qS8cFC(b}>s^i6mi!f`0ffKVDh414BKpdltQY_CS)7u3GD(E8Os%^Q
zha}qo=G<+C-6KYKs0yda+YvgYN<VQ5kKO$XcS<VqGjVHg>9M}oVREt+Huok&9JY=^
z_N(!yKwi*aXMnRr2KTtpPevxUNP@G!aP{l;3zs<~VJY+jlqp;3vQ+*r09`<$zo|=;
zR6B$?vYEc(Vs$W(NF|5{`W#ZXxCBU}LrxqH-`@Zd1xJ#G5XJto9B?|aHglcN{{8(#
z;o3fa{*<B38AcOFjVbs!n0kNT8S~Fx-V2*{ZCQ=|k!Ue;LxK-kp|h5ABrEFWf6$?B
zrnN*J(lDczkT0Kf3X#KK-5wwCE-#21dZnnG(cGJ!#C8bzbON-gk{1zyx$%v~yRUK1
zri=&tcrm7LDCKXX=C$`u8Y5c!&PFnsKeO=_HyBz|Z$cOyQF4EOE-pgB&ywFA?nIKD
z{+ZYxv~&gsXrm2LW5773gRy`hf)hjJhG&@vtxFr;bS>S>2Uq`8JvP2TN8|Zqnrf$a
z2S?YqW7`GpNd0j%RYX4iNs5fHr=vnYuBU>q!i!$cLl+=|K;r1R@kX2E?UeOnGK@o&
z5v7R>`>>cImR?I(z-bMdtEcQOE|b{sl)YST!90TPQZm`tu7hwAT{nlx_G$98BT~9p
zyC8t^M%EA+SeBdu?EdBXhHI_ekw6OPE!@IAHr<R|0gB|o{f{?oFbCH*Onk6ysN{I5
zi4MzhAXY(8=37K@^?);v?V?cTY%bRu!ZIP$G5sAUnOa3;i}$kaU*fz3#r58*wN%mp
zVp)Z2QU>4+4d8oCKPmQ=uURKCFo<QmqKVV2tEV&#YPM+a^?YooVfq!L{Ns%&;nhms
z0l}4`8BI=CaYEbJZtUI9XC-N|a}Y5_0{mp6;Bt~s<nR_CZCLsKfEuBOEp;U)rSqbt
zb^14#x2;9}!^^{S1xryVp3E?^?X5tru*hFJ2ge|FUg-DF+cD=<<CmS`p<KUkOqMrL
zsN6BQ3xkQUWnbVS+iG3j|EKaGFCH@<1HU<tNQ0KQQT88e@uF9WB!vZHb1GvZ@{1T(
zkb>ACRbaluwimrmk|cGtZ`P(wkn#U2LAk{1?rBYn@jb}NxY|A>(apbS^+I{M6@AM9
zixm}kiXaE=oOQKKlqbvk^)%imq7XYx)WkaYbaeBCMx0)xQ}8$}7hy4oasu*`3gdog
zt(;+Ag?i0h8U2zb@i!5$D-jY@$H=$bz1IuXHzGhAeggYmY7QC3G#cxnXI~Un$1k+%
zJ+u(w#^m}5r0lbX%9UX0w+vRMPeW-E5LmBo-j;gJLJL0<j_DT?L^S>!0HpBdcOMEY
zj}}1a8Fy*2i(Ai68XOSw`wh4C9V5t41r@d<SOz#I-wPmv+K=z9&{sB?jcgA86#U35
z5{I88!<EJf*-fNH5ADTACUG#+|BLO5X@H25O&cpX>m+x_;=T^xZLUR<GfAuYtlO2F
zMMK>#*kRF4C^@{M##RrM1(aw78xdK0%D16N-g_8n`*b1+MG^fua)y5>+Y5c<L9NVo
zrTmw+z>mp)jEHtW_<B#xJBxUIqb718&R!>NbhPUa)&yeiyLX6R1xmnEQfXc~rRO5~
ze<Y2zSt)cyx_23AV4S3Mvtip<>?8_M5&`Ukqm1Mc)-r@WSwLX=02MCJTjQc7lRlDJ
zLD}4}5p!y*i|k|5Fmlr^v(>+kb8lv*kKh4Pk_T(f&YM3qddl+7dV*Ar;ijA$q)_~j
zpMH9kfhLLj6Z<@}J7yo-^iAs^XO@a9BY`1k2vW0PqPdfkQPAFhpw_%>QBDAsc=ZO`
znXtovbGIu3H!|f(L)794!9X*-Kbh^7pltGgof|7O+xw@>0=y@tKxhZ=Z>&kSV9FEZ
zEO~06k^5g%yFo<t-vRk;fIuf;wLP=$D=+2SwyWm1`!B5Ie4?C-y9cF1o%)K>F&d;N
zn)T_AwiL?IoE8t9BCPnJLu5-TZ#T?7yEN$3-DLk&pr<ka3(VSZAf@t;fZ(YQh`$@F
zOs46{g&(=}aZPPd-AL!<Le4Crq>ro`3xn?w)>*O5Ma2&_NgSxt++^CRk@^u%*s+k0
zaC-H6XXk5}OH_<)9^JRRWI_}|DKj)SgB+w-)Y;6+RNh`$g5{2hXSSm{LhxmXahH#z
z6#D)$GYntI=5PXQrptfs39<x}v4RJapm2?h-BB|3)f2cBt(}x)9z)0BCUSnG{nZUb
zS;kg6I{Vm?GRsEtRXbB?Vb$~k+l}jlSvo$xabVxaN<R=Q#hBUfa7Uj43ru1e<M9CR
zl!CLszPHYgE}x==RCpKWHWQ81&*OBgJej4oi=4c+_dfXg&g(5*Tx}Bp0J_dWd`g;h
zWy8|g3#bsi4J)1TzwJ4)WKE(_)-F}ueH{;^xe}^vsoE6s%Mr5Ek(5iTlJkt|J-3n-
zGp|?-&jY2C$xqF7Bt?p2eK~%grFeDkZ_ckT#7QA3Ewu(JDLQ)P!%KPc-dutV9|$zJ
zj0k9=AF_PTb=f>3KYle!c!QA0K)@p4Q77_W5K@LIajy-QhvM@*oaTUWEC;qdomTK`
z7hwLO0bE~8|2=r`RUQ!O!FC0j``jT|ZZ*aEcRCk882R^oiELlRp}%=hM9X;~FCs5A
z_)T!cr9{^gw~9gsQgzEi54gU9FFA2%Ze$JKZtF#qdoc!m*2K=yMNhV!9Xs|8mYO0-
z32gBCvp^B~RmQs+q!vHcEe@9nuNUFRjV+9n89|&%(xw`_GXYFbx)=}}dd*h!i6PLB
z>xaT~OoyWeW*E^{J*F*poM<!dZZG)B#HY0&%BD6<JK5M8l&;#ur@RTZkjs$U3|JPZ
z4ZFi_kdjqE(H0*0E`&To@$tZTr#q4y?%<RC!l4jd*XG-b8O2U<vI<W5pM5z4w2=1_
z`o(&yHWfM*E^RGZeOyY?@ZqCBr7TyNKia!m5U*jCd&1)6kLgV97Dx|`(Q#vJ8#k6l
zT*b20a~pKjr_e`I8#A{-r%n32%4@iU7}1zX1}yt{1C<k2c7)|F)!<(vXCKp`bubF_
z%iYA?cHQ37nu_JOh_g%%Z)Z<#5+?7As?wvUG9A<-=2UGO$+>5jU?dvDUH(XC-yp)S
zHTXVQG&+%Cr%GrN8WVBzwKJap&ZYp>)t$YeY&ZL^L7m(*A-B)7?n=8hwki!+Q+Q+c
zG&qVn?H4>h#P69=hxPy`$q4aaYpC&>CIzrXT>S@YKBe&!y}IQ9<?wgsPM<aRo=W>$
zlTaifL?^~n=nss<&gD&^=tB;M82*_hndi~9f~9+)vqv6cR`JOuEoZCcg)49pg!z1P
z=nFZKBVTt74y~kSnL?5wIM|EUjIM9)vwJ+w&29eYTc@szHh7}G7882^L)5YM<dw)6
zQ+fkAgKEERO4m+a)TC7lvkq@o6{DLQQQxGA8~M)ux>#y>#`9ulNjkrh+VCa)gY$<R
zV$f?eVLgbh<p@PW*ZosIrIAZ{m>7hSoemQEmc;!$rGY4I{GNjp3+%~aH5Zlpl)~$u
z<mi|NEloGXp{d<X1pPwKo7&izV}_KR+}Ecg7saxE?~a;sH4(X_wqUJcHqVChX9PK4
z2n(@}a5;;Rw{dQ3R2s)j*%u3Ge2U_4cZ=l*eCE0M@U+z=S|)G5UUMQIe{8xfLmKmF
ztoPaXy`Ye8ZR~#az-42ap&o&Y4V%=S63{B0;caa2scfIQ)f%HNB#f*tgl-q{B?Z-p
ztXnA~r=gXy5kqd+kjcZmPh58^i_r6hF!VeoIFFBc>SRiLRTQ2ELM6$qiz3I3BG>rP
zxS=(rWFKSr|6imwud#fdFUg12hwi=B{+5B5m-K~(0`uPf+0?t(kFe__9w@_;+Zyn$
z;@a*rjIA37w(yS7h*x?Q;{&(!_h_2|OJa>q7HpS+=@$Gn2L8m3d@3^Cd190rixuh3
z0mcXhDR!SQjTszJ@Jy)(hJAdeshkZH167OD=J$~+2Ei`++NA4_#xVEExShHe_`UDv
zEY+ZKtXdIFT<j~DuHRvCjkD`~{j0l*8S!0OhI9=ltVvMvT>qrEUnpq_qnxF-tUvyb
z!Y33-gmwzgcGSc+ZR~Ys$XJIcbAeyqf}F`uG&z%RVWi;^>M&L=@Yv?s#+-|Lf01Dr
z(&M;J<vV@CIYm1$HGh&HHzXsV3De{;@>dNKb_bA)d8?sNK0XSWz#QTn0$Gg4f-<B_
zZSEo#=6^jsr9VX#uvgkJSx5z_v^C8Y7KP0|bT~aa#nE87h$(5D7bmZ_4=ZUm`1Fl_
zNg1{!O=bbrS0XN!6sx0kn-0R(kI7PiW=myV({>!S%I6-`#~LAu2$`D$Nre%TLQct3
z<&LA|;9*jsd0(-l2BMnzc|UprAWCyY3_QH6k*d?ck|AS$^MBXmMMg_sn_B2KarsU*
z@JauM@_62G5#K8dIeX@H>%KpCyWiV(n0*sH^I&Gvo5dmI;sgjYhuACS0rMLXynQsW
zmrk9O+|6U#RZlrpqTkP=mf1jTJ$0VvF&eQSb(>STiMGsq{F0piRX09eG`q0B#rU6k
z2n2;ho7CT&uiWf@^oce?<-a>k@ubCi(mPJH)69_dp_1(DompeoN>&!;n;bgo+L#+`
zws3C4CHRvFt4eMIUr{BFH8D=zw-~w@kK3Dfmewv&yt@HHcP1pxemM%f)zr&URS8Fr
za}A0F$ci!%f`tcC_&tHC3!1w2s*-j1K>KY~rGflNiZblfVP(=-HQEhj6JQ`0vT8DJ
z$|-j|ha;<gT3_WVR^bg@A5DS=^BsjUV<^lb{v@OSx33t@HC33>H#~Qqn8;(Q@n%Bf
zaNir4mo^ONWINo&^thP_32sHEK4{OO&m?!QeZJvW?n{o{|IivVGc1l~<J{|5UqM*i
zf{GA-qNMtCqpHzesb{Fi#t(sK?f6-06eX8S^=<n^)jrfwZMw+M5l)hT8%2~R=H3S(
zvdoFNCl+l!QF{*@t~c`KB!&1^IV{A>^;yNbT8@^{wc%+tbhAE~=QDL}<huZBfm#%*
z_y0RyfiLbXya}Iyv6x4>{VoUd+i_#fH)52&0yW?7^{|k)2SnGpq+h3ZU2Rx<M0Igj
zt&$`B#y8-$oz|?3l)}g!x<~G7dzPTP<Bjq~nD1PIac*83w8j$minWka==z4mW~_4p
z9V>$9Fgek=;dC7?9aKV#8L1S8mqVr+hK_SO8QCKS{Nw<u8eXK#xd{mIUMT6+UX1|#
z7H6b3q8rxlcXUFXl!*B__2bIFsfwe}!m{1+?b+%bnJCKef!SQDvw%6?&8Jo2vT7ut
zT-93#OHCa8*D}js)^q(A6x)Q;tIjx9K!xyh0r?@P=Hn4#e24ZDz-2HgqCd;k)17-!
z*sx5qH36g`J*h=Uz;~_9p5T<#`lEJYz4LtnD;k%YjB3*%%~L}<uqqjOW>H(>2P<vc
zaEC8Bu;QxTW56k~$XaVK({^|m3;w*_c($PvfwD|k$v0A--hwSLjI52;ujOyC2is-U
z1(s!dE?v7Y{wzZC<743Vgkm8;U~b=96Q&AJj<ISolJwXJrfRz>V;hm&P%Ay1$S7Tr
zwqen-wf1=zX-0?|Z9`273nxQ~OE65?ljZB)OFGub?NKSv@&YTU7C233J|iFst{b4F
zh#fv$C<$g*on^PXI<x<Zqt^H?-g=h(A}aIWj_|tK0(HpnmCjQE6lTC$E8zf?3X%|I
zMt?KD`o-N1-VG7D3o?Q+L)L5Wx=?A-*t#kpgm+}u;!}r+q?Upg>G3o%g6lsDbE*gP
z&B7=Q^?rn_7eSC=qA~>O@*Ggk8Mh@oIAh7?+~!zcJ>L&N%1<lXT1sttPe*oPySL7w
z(e`ps8a}J*6euFbUiNLOtd4+~)^_wRn#H1qzP-`Cs=A4>PY*9oY|GR>6owJCgsEIn
z@bO?}q|rJ!@~`Z(QuqWjo^P2_<)tXYQ)T;=@<&g2#gNI(EZJ?wCH|TtqT97_ofwc0
zTVB2s(THHN>%z`*avqpT1M1`rt3ac1Z#9?s@qbc%W`Mw}HsQ|kb}Bx{H>Ahor1{Su
zxJ_oV1PixPw6Za`&5A?p@_VL|Iy4rIMRnnEu(k7wcyrc$_oq1*Y0!zCO3Q?JJ-<-{
zF;Dk56Ki8ZM(BnPc;WlnqV&5M`G4yp9Ybpnbd?CUeO({7&ScHF*%k?fl!*~au^V%=
z6?-rE+xXyy*rlVms1ioy^onPyavj17y}!wqi!<X&2AQH0Ckh@|dpY@64I9)gWy~U{
zX_lLWH|ix=HNj76(&51+-TGg^{iki@ap~w<v*=`)7=;h0WV5wuX!;hdHdbsB`+q>Z
zg00ky1IqKdWgPp-VeDDmw0of^WC)ix?(C#}t<}4njt1KwIO7N}XrMrk=Nh3A>s~jG
zOjUmAp(n!_>qD`-VQtD0HIHnbfn{ui%`UXniY~E;6^B$C>wN*@O+|9PFlEf<>CU1M
z=j2($ieW~Y49ObZiBDFS)+snI)k77M3z=v<ES3sG`gtmmieFRsH(3tP(l^8|OPTQ_
zFx;`oqPk?K(&X;Z7=fzd2i4+0zE)|18oHniJ~qk;+-`7hv|@5lY+M8Gsw5*q#Vew)
zVm8kpT-h)!o$atmY`rh@p1zJ((#Ie9!w7&`Mp+6sYo(~u@LlPMwciYfTrTPfDpF(e
z_SGyQ9%{qz$jo1I-(HP2D9Je5M@MSkI+r-l1pSH5Z;MUxUH;dM{crPO$38h5(Q&b*
zZvz&rL~x+?uh90fl%l-1U7NV@=uNEOf82&`;-1j-_?BUKWMv;ul!twPDLqn|YZ4s1
z;}x$+DAw_cH%W7Ry)Oy|z1K`#q>rbZ9g_Ns;7fPg`IT;_s+~Spo|sP>lxTqn9YIU!
zEIi>wH!p@Uatc2Y)R<UC!ELYS!n%4W@7?vr4TLK=B!ugc#1?bi>~B_av(yT+ZjJ1U
zVtM}?c67m^ZyoVjptpD4|6S+v|CYBCz<~pv&$#5uMu@^5)$#IYNH+P6=;qoAm%Hb_
zORxrQHo1i9UoQeq|M#aH4xdc-)5R?gHJmGuK*V~>*qU3=dk+lc?HAD@_d(53!`M$O
zpM{Mku3W??jVx<Co}_5egv8lrziHX!MC8!;Ok7!}Q#60=NCIvxv4wGGmcnh4@9e{z
zdxA%-yuGznuvgQbh!{*j$7?>s4*&#G9*PTZ)orRSHI?S2sWAm>uTh&Y1~=UCjCj5I
z>g$_<{8(H*{pEQQN{lh%_}DSc$`Z^T5Cm~XmkqO?-=4jCMk@JAb_f-i#k06ysfIZv
zy5Ag3bO<izbKYM#@4F}ILp007q-Yn4f;6OEy*1Sz$Gv7w$I`v7^Z_-^dByv;?el$e
zhOugF4ZwD>!eCIkLZ<D3Tc)8yLnVE>30#31jzR6a(a{`*9Jh1JHR=DUFVjHvlCpWH
z*-gT`_@n}%!EzLPA6%cebXT`)Pxb*FSn9`EaP`bc=WT4MT&Tpucel5V55{)StMg)+
zBPoETxw$SG08p8OB}9*j!fTYEOu_v{T{)|Vqm1PCCxMx{y6>06_Jd-`Sy8lo0mYCL
z+`K??=VZi0hsa-y#{7UHNC+2^@|?#bNq-#mK4<93D%{!@*81!1O~7$3;kT0y09kl1
z5@a&!15|`g3e3RY0$eHj+Sd9j%DOej{dnK>3n`+=;KBcoYE%;KcXKZ8dVaNX0nE2E
z<FB8>!NbhuMZvpru0pzJ${cc7keC}_G4G7^A3Uk_Fu|)*ZSVQ=7XRxwd&hIYzfxva
zz4VaD?Ap((3El0Ca@INJP(X?J*KCFzRdy_e75vYW^#`@#2o*hfMP&^bw~Km42gB5Y
zUO_6d<m7DwQRV?PR!98vt#K=QZ>w%<ZpZ1}DJDXkyuD~D{+j-0o(LZztK8wYMp(6w
zq1LqJd0>mKMZTq35^^TpOjZcGw$4)6sd8&txHr5!JQNp+Osfw!d>xD7(AM(u!enJ-
z)L0UDyra1)4R&=?bfn&x3M^yXk3x_KFzsWresfe9)?resuXe#s&?nhW8laUV>ZP~@
zn69`MY4W4D_@CY~vSW$?@`=zL-onjyh{dGFGabaO&q1w>S`5>g$1=Gra^+wTPL^S_
zcPk_z97Y17=4b%k0Ny203>O|T%xRp3`-oI{A|j>#DFpu8;xs{33s8@xf!;-{XBgY9
ze<Dp~Kdw}iG1ZuDa@SIFysUR@s4b7m<%%$(*r|+~+N_(A`liO_8-)On!?#FI0^QQ*
zP>dPQ*BsMEMW_oy5Bc(b4;L+&e{@zi!e9jDw}f!JQ_P+>K5b@VyWjTyWPk0Z6ht7l
z?G4AzP6`c$2}$tZC)-v6=tfT~Q9Yub@bs*Cn@HJc&s89b%x*9(dgxz&U^tl;Znu%7
z72JG{8#Vv67K%PT^1s*9jG6^<C;!u(7Sv*Fb7^Blj?9<NcgJPTwV4nC97mTnQcVU>
zepqRuq`~&^Gz3U2>ZXz-VZOGF{Kghrgbd;wv_G^fYMuVkymZeJk7pDvt4#*Z8k+u`
z*{sFi&ii>tDKD=}zJ@WY2>DcntZl-2joU_B)ZDpswoZ1#I(T+lFQv}L+fzr1lK#2K
zSFE|AeJ#0)VVkUN&RbV^C9m0u?!2vetVL0JU3ItV76sMjpNqo!S)!4QdP5_OVf`m3
zm4CSveJ#QQb=yJ__E5v#9#IME1^B1<3f~I6M)hrHQ}2c@WMu~uU7kN}X#Q+L(b+&>
z-pO!bu}+hcFidu`yAk0+MhQYiAA*xPv>Gf-eDxr?CTjL=A#opJ<RRnKPEe&lVHf}9
z5sV@^+|fvXIMcyK9L$T&r39{bAH}Aysg7+=e!=C(7P@20o;iba|Ay^uvN-EtpQK<&
zFgjXWFsXLE9bdOUnO|O&NEt*4Q*np6-)3)Nc>RM_?6H00E<*I9@ge(H`*e#y*H4PE
z^32CrqqL?Pb1A=%bS{$^5dA0N#O<ZTI5xzw5Dc7yLNcow^_F$vNxhs9gITdTM`<P+
z#|Q0S)S<?@HLm85T3hg-!ySj*Fhz4gtBdSLA~8dQh{?7wvy1$vJV`$WsN{j6*Iz8M
z5!8q+oXO!&JEH5O%M6kVCSF@!&Sg*cTTJMka>yYpb!87DZNGDs|9O`4?aH(SGOiTf
z@4Q8Z-DOjt{}u`FgemNaRg;}L=3xRfehnyh32WM$>_C^s_J6<cXRw<ty|Xs!;jj8;
z;<qHi|2R*RC0g#%=ImhkaA<#CLemSE*&@6IKi?vjoNmC^gmIFx_lcz__!p&n77_eJ
zFhXf%J3C3B{e+W0eCIT0rN=TzJrIddBn9KwmJ;|YP?r=SKOHEs<an{|Euf-sSN9y4
z6>P(Hsi{qJ!3%LV8?-fA*&rnJ3O@o9z!rIC>A?lsk?bUHcw<s|*pUH`hN;wTg%&>t
zwUD#)X#`O-d>V~F?(0ZTC^fICEx-&#?!9w_0)|1ylY|V317(M9bxVEvUBjCV{?lFY
zOUCi%1lNIL?Dg9jGInfM*Yk{CqnxhL{79*y+oH5~xPuWZ^%*Xhnf3pc*1DJ+TKBO6
zREEHViRshr=4<Mjza+QjXdffcke*wV!aK++@u>|(vaN-cNgj!+uW<x4aXnWQQC;#-
zY&ML-DS_~ixVoJY+l*)@86cvj&b<A83BH$~t(bp1ZpSxyyHZg6>oNG#2ye+|qRu2e
zgsw~lMZA%2@CUEZxSQ3S=DHEv;iodK;2}CFFJ$V`mp~b$r&Sl}O7yur)c38c;$L;M
zV!|O~F=PrKGAcFceb`lFzcP=k=W#5YYkOq;%ELexcA3OQLgene(VWgnK;G&l%yd!m
z$T7~*(G%~$7L7mJjk_EAt<=ua5rpwn8S1wtZ)FnOBNE25C?eBoDD>a3c>|P&(4bvi
zNtQQE5xOwW*AxA#2|E((2JhS~1a4n$TO|o1h_f|*V>zYt@|SI=z!SN1TeJG9JTAe}
z_-z2wfej`bAB`cr`wz{;OA9XMXzQPl1dCj6xt!qsl`c>}SmO;3C$%AI7SC_!2Xk!?
zoYpH=>!8oV`H}?+25Zs5ZBpWyS;1B34qBPz;Z|8y4>b~am)ik^e!!c)9bJjwS<|=F
zUm^m8n9-P}u<|Rf?+K8U{wCH`ig#|_R_`20UFHoY(U~E!0@Dkyf!V6OlGqqXtkXjn
z_FfG?`5o$NFmYATvdde;7z(&q;wHzGigRTE;)drtzW%luPNicpZH-`2dP23EC1=ur
zD2XTW>=QnLWnqBB$DDFGIfxZ5U^)`KlvqS2+5a={dWhm=tcpX~tW~W~>`DLX<E7(*
z_gt6gnyuStzj<V<TrHFJyQem8asB9(6*sgr8*;X>*Oivb%d0Ggk?3|IBL72=S4W>L
z$Y3RQCz?zD+&eEI%?tifn~d}mNfj=GjM{?Pe!Ez^G0r;p7-mf(JkU8{7YD#xhk%il
zaCQ)na*)sATNfI@`^$z+j;Y76*>&-vmsQym89?WtN>}r+0u5`}yRmDynfqX_TOr%k
zC38IZ0N1>VD$)4$KVu*q+?*G<$~PW^M?v^I2BA!f#Lxd^6V6X>F9SkEH`mqIf{FT?
zBK_4KbttMmdAGo?gke*5mlXgBmH+aM%CM<!;XT{c-zD4z#(gW1ai!4ed5a=sok!zy
zFLd|bC^1OU(rNbQ0!v4G&e~=4DSwdwhRYKPxh{f}bePkDC1NsZC<YqDdqdt@Y6yM!
zRG9Cxr3x^3wlgf?$2dNBo<dE?FcbMLrmWG))4tPZ<tZ>s90<DcNGM5v?wZPL3~3}7
z79tN}8&05&%_2vQBKM|RH)QOX6YWe!s%q{a;=~H)C>qIRQdWvr<Rf6pYg%$ctID@x
zL&_aNOp|=Du{f&YGR0AhXYDI{W3E|b`TA|<`bIYxO3|zGk%mJVUnnQNn2-@V-<jd|
zcd-iBTgxya>2l<{nFTehy1+3A_wIM@%4m-3h<q#C4~1pvCLX~p+uTHw7X4RcAtI@?
ztp;R-&cA!uL_hf2;a8HbN}_7vw|zE}$C+QqJ3}H&UH&704}Tq;PZPr(SsNqqOpp)w
z?-nNNDFW90KO;b0%?zAOhym8~8`XZR-Ui<pinnMz7B4~C)cl-T^p;XAn9-r?y1ygg
z;;%u*+(5<F^^*CqM8k-c-|n;G`VjZeTQ)*QBA0;FvG-_MoPHVm1%o-_vDf$AiB@>-
zd43set!2I;nNt0spAss(J;FDW`uq!~NFy}ZU^j+9(r2Nswhk*3C%u5hVjjCXLET5K
z*g?LAJc?@gB!-Jv8oX4!4^}Ra-|5P$T8Sbb<zaZ_)JDcnu@s|}msuJO9^1~gCI`rL
z9tIB-s1v*wAV4CKODDE?B0T)PhTmg`BiKwXX^$z$DLKmiR*gCO`pyTi!?x@JgGsar
zmiEbcVu&m(dB<<Pig?V}g(qzAt1pnyk9hndw=5`d1p|KS#lF0{(|0n3VCl^=htRLL
z;RbJAm`BqmfA@&l#H>_dWHW2X_zALaq32TlTKTfd3Sb*kHyAJJQ9{V(@Up_=brWb~
zA*ea|m0JpmYxn)JuUd#oAQ`Ru`#r7)%)e#+;jkB?b%dW{#?oK@`h?$fS8mn7i|;{R
z_5c;d{uC@k{Dgu=`IxT|DF}y3!SgCwtV9DP7VJK`&IbqgZi6<O#{%8<ckrW7P3O6d
zuEqC*@jT<#h!jc;VfICRcPfbdlj;U<uacuvx{%NG!y>f$d`)zVTeB>ZwM{)ow_s@5
zB-tON`Pp1ETiB&Q9Vv4?H<3$+1sE@>bNaw9XHa#W@FRZ_OHJQxxX&9oaJ2V2be2*O
zcVy;{U*<*sA{U(Z9&7Yj;b2MlF&0j@KM~c(|LWqQbDzV+o}7;u5&P8R%>*3KVU$ZW
zmA3S%#h+~5mun{f?Dnh+72w^^_I8B)mtJ+U60txtNfXx&o9P^Fefh*9?N%q0?uLo@
zxDUV_jX`*gw>%h6xJ`D}9C9K0>O#8#{u<ReY{7eV9tdGs`<UYbYd;2h9<JtWELarF
zf=h3J|0{2!JgfG!&1wki1>?!zaE(E|&GW4_v?)#e^xt*`_+uD01*7cl;(nmM(WR=*
z33GsGs}MK2FL{uxD4n0Z&OK=LPBb$bhQF5CA(QxLjR|qlpUo8@)};|@l@1491T4Jm
zkj}che_)ulI$F86)Qo*#`^gkiLyEdDSZ&FxMeQq!B|q_2{M&Dx_t|}liqnQr4_`0k
z$$j$@N}hp;p;oaw@vOU6TLzmD_Kl-R=%2q2he*N{EqjS-tJNwi4iU(#nL#8ZQXIpz
z%)rWuo0B))UG#UdYqnf@%DHk82auLSu6z7Z9+}fAQuHF0!doZgH`ft)k4~TIZr;Y%
z4x491yeIhK#n3@0(D=vM&zZq3fe1h6TG*thk&B?q<sf9k6zdiCgi0~I#lfZ5F?73A
zdN%pM`QT;*NWwQcwlj~mf!qQuR!{iI@cE-oDp#b?qR0{-BqBV1WdSZrHDzJQ?t%R~
z59CpAtFB-oT!GDC!j*Y+mY=cn&dZAHjD(N7IM{$D2GvZC{;+e=)-z{4f%0C!V~*4%
z{=QQ5zSY*pYP*-H4e{;XEOjHm<ynv{?F*+#PKnO<`UXjB!8YN2RZo&k2MWg_B9-DD
zzbt&!n@EWX#eXM=EmLXxQ7hOrTzM>gJG~RR+mZHtmsFb56DNnmQL|R-Ii8x3k{w*m
zU2v>t0@42EZDQybCj5IYH8(hb1$noiS__m}{=(UNm9lh};HOyOLcYwUX(G8`W%_@f
zb#W3%QaSmX$?}OzZW>nArXr!1pj23-DuIS=k1wWd?0gWsAl^A9g7U@|ls4JY)R@iL
zqJ*RV6|sW}y3f8t32^qZc!|TJr0BoxbS6cH=E^o?Bygk<#i^`RUa&y@nOmab(yw#q
z?GJ2s$r>*^Odr9)oF9V0ie8bmW&yENa8u@KKk~KHs1_R6P%QzJJkqHyc*Lk6$N6pN
zNOzDT1BYYN%20#_D$FX3G;aV_L@!H%?!M!$NBTUL+zIco?(Cf`ypC{mwP|>i$p!TH
zoqsY2G^0%*lu>dIne{t+;s6|Mqx12yHeJ$SGO$4UicCU1Z015TQRx`-5_FfxJ?KsO
znoK*!ncSpj%d#I@KkmdnIdRo}-ZUf*D+k&IMlfe3Q*;|&OX>NO(G5}b54a;{-89BM
zNi>ioL}q6`@}I3DMM)}>@q59}l9{Wa$e<zr0_PPunyk(1dZKr^KYt<pY!)Q?yNM{;
zp7a$R{^jch@NDY$uSh_Po*{Wd1w+txJMp-|o3mT3OIZ7Y4$WwpM%4Iom@cD7i?C3z
za#M??Loj#feB`7=!X)R|B*{cn{SkVX`h;;TfIs+)WWigbthZba;?WZ;sUOkaVpS;R
z$V^03u3<tjm~hu<v*1hd!0?L|>69!5(^(Pu>tL9P46k@UG2*^VunrYZFE6%mfH34V
zz%(2Cg{-n*aa`wNod<hcpz`*9nKGDNkMS#NJPmH2=s*JPlOc*B)FfM)0uf@Qe-kd(
zkF3_GS_p4J_bFz;T!c76OYOv<<ZeZ$kgP$#f8OhjNhE+{$&KVk62jiQRS;mvdW{<`
zuCO!@=9uFy%wr#1J~ugou=`#e2qYkGn(HbZ)58pQr9FZJ6bna)f9sUZ#~kp3RLtyZ
z-t6i3C9m)?W?L3va@a3>ODF9+mEj=Fi7ZZ33U@~*WBHpt|3q4t>tV!PxrrWXbIq8{
z+Hk3zBMu4R>!cCySp<i^5W_prT$TJ2>S)A@b~8Z>s%~=``Pc2-_aumMkTLjcT=DbG
zPYSJH$8hfu$bR`IY;ZIa7N$1FO{f>nJw(csDG~dvsnI>Pk2<~Mci@>}3~|(#bx2To
z@;PCf<b$ky8N}-&uKq}z_L@qA&%#Mxz05nu$zY<sArgOm_W5FpaYQAfn~9To?D{Sg
zgXp+4of5+VE>{8ZqjzvQj-yfTCk+1mklRgL7ZD8jz8aw-^a)BHN+JYHjI4-&SUy=I
z1h3Y@8o0pC-?66`?|5U+NzN8tp@(1J{P0ok+3$>SjWC`qy7k@M4(KCt*DZ_{MZA+|
z;z<gXfCx+O{3h<;d7~H%WgDj_x(Wp=zba=IO^izB`!pe0!c1a4#e`sO#s3*OTEQfT
zJ_El-zga+H)m|^`y~L{XFxy)zSXPg&jClO<iv+tWc<x4LEY{p`FC+Ea2kzDD(h3bS
zo>MxqM?GsNb@>q-#U^HT1J?Rv<h{pr9LX-QWn{6>I;ji$SX~bJxsRVuCX%NjcG2V;
zzx$9JLUObDa)G`f=FA(iCyX-tNT=Bj&{qv7<}r*Ira$Hewy=C5@sB#91o}_6p-S#k
zr2UQ=$P*XcE+2Jf_x0v+%z~!FVqjB-1*#CswJJigQlk2<4*P&kL=6O(U02Exq&#++
zsI!oWP^60F-G6DVOV&j4!xzW~;zQ^Y6dG5KK|E|4`mUAFjV0MnKV$|+qqW+kaid2A
zuYG-Dhs&8=zvT9qlOXx`Y+Zrbq*9n!{Rr_46EZeLf$i`5hgIdnEONFZY8wri9galo
zZLO$N?WgnV+Ox9c5BDxOoLG`^oBNXi=h};ZjLFu8ND)6fG4f!GDLOScxwO(eO%m{6
z5mQb2*fTDSo^0m>NcPgpL~_tlh^2F$*Gu2;3+l<{OBakQm2SnFrlDy_{{6j_5682N
zBp8b>J(w25b<D6k#QU{i{|^YGw^F7y$AV!}C8Mfpz#pf?vmeU*_2m8_Wyo-?K$DBd
z7!Q?|-p%l7iL_tLapX|U=MAPqGoG?{{5sA?*#(?bHFOL$(Ey?2Pi|@>1zT2=@Q2>8
z^)FB@(Qppe30T?<m;9XduAc=MMW+1EjTyl@7I^kQ0b}B42N-o3xOE>N)zW178SK2p
z3WRx>y{}!7C@YT;B)0jXj*y0;Y4jHx@C|CB4iuxW7_Sh4#>DTZ+}~pkh(gR)$sEJn
z*?or8retk$)dar_Q+HN!9F+B=YuYm`EcN~ED+kOYo9osK6n<Um)bOGUk^O4^(a(oH
zK~$bnFb>rCeI7&VgV|X!fw9l17ehwUIC-8;hR3`6r)G^75bXNlWh>Is0XV$WxBK<=
z*t=KT0x8W0O|V@4E4MN$=yY^3Mj=-wKsf;FT3BaQB*`zKANG|#%RCKr9GzseyP1_!
z!oc1a6MvO1YC{LH1={xYO&JS_<VZ086Lz@8XEXm|qloN_X=^W)4=Y0g(EJQKKNW?%
z)gjmK96=S5@qWQN4c6}*GC{*?li%jnae!OCZqd!oHjXF&F7TE-(x$m;VKU;^pg+fj
z9)fQxqRE){1ss~9sj81CL*aIq^IX>&{i%RaS&)CuizL!}Vf(Gzl%|T(l^#45^(Dd}
z2Slr9uR;U=63YzgapXGtfn(o9LNCX2e(6swD<C@@Ll3}w)9qkId$Lqo6XY-2PLFHu
zoprw<==76mwS@!&#@Yi%p_;7|zN_3M*yL*ylBuSK*+N#AfTM|xYJYNYD3uk)dvZxf
z+ALGmLY=f4(gse-CdrC^N}fs`rB~vg={lanUivA8uQ-12F~Gu{bbf@h(}bWilqR@9
zhW9Fz4CMVF^dOsccYw61tb0H?!>008I<=_Oh5Z}vdxB$uqdWycj4@vGjQwD$YNI^r
z(nCy;SRsMP(CKls*3Ylox6{L$)oDw=!b2gU5$loGhJ=qwSVsj6obeUEox9X0m-)F$
zxj&F^(UshUuiDYr$aaAnm_IX5xPiASw0~9hM{p3pytui<>{^4Z(vmk#)2I2a%pI@f
zc4^db&hU%M;C#J6K#&g&@UzmtU9OyWK=-PT_*oZ!Bso2ToEruqM&MnHm&#GqfmkgP
zzhyPl#|Y|Gd`R}NB1<39g*AJ%26-<2+E0*g<Bxo~S3=d%(_+ILG~QP4c#wt0A#Y#9
zQrTm%v?JMQN@$Au1Cy0gvC5kem`zT)jML#|z8Ij$PLizU#SWQU)}CT!l{~^~eU3&<
zv<j}u2iKuuMG0&&h=bh|r9^iep$JpMVm8>;%qghsT9bSVp&JZ{(rIWw!S&_tY1@vK
zua8q9+oBWMx^ybLG(Md}@3GIT>`SH?nA9x+qY5UfYM&q4!t&QBA96+f(@-lXmyT;)
zQ%*v$!z*-yekZc_?hAM(;W0|8D=wcI>90E6UFwcewIV8$jlfb^OCaMH!~dQI!2CmZ
z!Jrm&JjCVvk?;~fi}jkSZ+@%Q>f6_8+n7ha{4}Hsku(>B372ttG>wSH(T%!ktHR*B
zo%l>bMy+}8$>c<tou_{=CF&{3-toeI1qKz@BmHxVmKR-TeMAHM7V$QNCb0DJHWM_;
zQ#p#a7?b`e4IuIHTf3PeXf0JUm}r<DhzA4ZonT>lJDjhp`Mx<-W!OA1CK+vlLNBf(
z9L@S|1;+8Rb;uVb;?+3~AtO3??HIcmrt^I<8QjsCNnO0-F6lLWJD)Hm{>VH)n+#nQ
zlMsOgnUBRZag5Tk;agEAp3&F>8Q>0az+%`@;!B)6NR6MtJWtFMS(06lJPczZo*9<`
z7{u%!kWKr8&kej#K2NalxW--}GsL=eN=8m-evzB{G<R&e+3!^*!@DOLEt%LkYIAR-
zFYum3U$#zMfCojZ!7W8aI2`sZF4F7)ZZcRuLebYJ+2cbYP!Ebc_jh0EN*Tmilk}2e
zKBS=<uv{m9ML!ojBMp0$3R}lvQuuncR8-fxCc`!Geh;So9=dQhd~5S)_N{AF+pSsn
z$pi>wX4vh5;V3Q4n>w01zj)>~Uq?x-r~NB2FR~?e3>0^*Ir{}>nK=fQY3A?pYghm0
z`3jZga7iM&-eiquY(W7!%w<nsrPRUF?Ls4;7D_ne`pGI$L_gx3G)hZ<2NfEDijb#R
z;=IDJlt=L)N0CGbOKiknI^?UsW@~BvH-z4OhV9xzuI8CuUI^Ew&JH7i1xMM>9lS>O
zgH-VnOukc-{&JUzCDvc1D0R~3_B_wVP(Ed<h)b1)({2xBe{uj|`0tOM9!*3I64)GB
zmyMlwjdefhe_mojw_mFc6vCg|Rkgs|{iPMMlzlKw%7tvPr`yjy`I^}%ZxMkqLUxT<
zzyqyIh)5#+P<K1-%Tx^4s&uL<&4vaXj1wO>%5Oj;h|nQFz0fpwP>a6z2GwRVIZ3A0
zcJrBOR>X##i{psUmOMfZnW*;b7F^2x14HWRSM;)<(G4czg^^#-U|zAZF?Bf?!ZoH|
zIe8KtD?#Nb{;$HsFl=9(n<JkJEJ%hQ4~>Zhp@r>^@>ND(R>!YwjLV4Y{?-vS*+1Z^
z-|?e}+EpngqezFQwtI|jt)v++j8XO7Qt|r`wVX0yukk@F61QwV>8Vy+gJ4=`K9X#l
z&dB<4HX<aB%gd^CfEqux{+2%NSqSQ@5*k03hq6>KiU{jJUDi)yfj@L2jQDSUh>^ss
zdtoTHpi+b%;KilTp42dD2h<Sl=V7+-<e-rY$G->mC6=5-O<m>~Qy&ZPSxlF8ZNRCd
z;F&YG@{jCZE<g&BkuoWLc=kQ1#s!qw-X?1w6C~2L3X0i*5ZaIz=6|<KbRsur5C7?7
zdV!@Y!LNJ82!Q>+O9QA@pZ5_(J4!ZQ31~X&&TEO6OGcqhPr<e1WOO7B0byW>d0^=2
z-gP<98Ow9UAJsbt*8b%pqVSp!p+P@Q@8B_S4+7PG^Mj;i^fzTDI+`~=lGFUa->y;r
z2XH{*u)l92+#FO5F)Lnpr-pQ~k=0FXADcrK68N{T%Zc8pl!@OE0Q_|DbYjU)8fP|+
z)8r;<KJqS5XVD{Iv+y$T@OQ5a{Lh&#ZkbmX&Z=aFR1Vot`>NX0cRZGV$A#j~wb8xR
z(aIOmvbD6-$-g{&>P^g}QeGkf3^d2^#;%@1z=Txw&1w-z2I1axY}naIJ+5`#90dLc
z@d-b~K8GaP!8#g4mns1@o_SN|_4A%mnlSmfAbt`lwgp+NYXS_$BfcuK!EOXCv%o&Q
zcYgw1kEby4z{bTvoM;Ji<8p^4kvRirbVE5u&<SS2W+0^uQ%w6J|1<(1G`F=~GAEzs
ziin%Q=Y`acFN_tV{dHd*Q*uL^0{{8tl8pct+HhiPJ%hTzc>On4g8g8bX&avNL?<AA
zaVw+1NS?Fy*v1r~`s1rK`eAzbh%PVzAaj*;D+^mt7Y&p%_&EyKxHm|ofV?-*J7>d8
zNKg!Y$@7~)BXD@;lhGbL;e4Y}6^x@lMgDtF;_m(~X`4705TX0-zqgzgeK&kr>JHy=
z^j&&u#vW-T3~wG6hj8?kD@gInG`inEEERBrt_?P}IVifKHA!M>GN(>eY3`j0GYe8-
z49=yXpN=Pfn<R6SrKG=VM_cF&!+~S(PgiV8#1Sh}`Kbg^Carwp;eVVuuvzdCIHklJ
zG*i1r%iYY$o4X`g-laI3#G2+L6RCad2^cvQjG~&kH=GRRa3I7)R0-80A){iXClq5M
zN_wf~G0Tpq!}^i5Bx=mhaBO<2JdB4Sx?v)Nh^i0}J;k1j(H7-nKh1=0i@nuGB>vgu
z=yGH*(_<3@Lvk;!Pzn1bJRezP;NG5a6|~u1p<wcEjE&zMInfyeiR%|H*~~(=>@6<@
z6_;&AUxOf+ZL%k<QcMFd{ud%7Q@cZIX$s}Q%7Qz#`64b(9MMrVsAU7_6_9u0E#pS)
zOQkXm*>HXLwl-tK4ek@35Wy=+&5xD`KB~i;dCMIdJmxwnc&_g8D-a2)^N4?Szo4xO
z|BOE@h4ZO_NgDHj;_p%Y;0Tu+_C)*zZ&>KGN)b=Jn(m@pNBG$S%v`6G4^$ol{+7Yr
zY|GrvAgVUabZiFdTPM<DP!Rl{E*b>&Zi~u3lq)#%f=A1>3Ap1z=dg79o!^bA?#?0$
z{NNL4<f^?{H%~*a96Om0FC1+(ybElm2_JU}@=nVi|EUcLx!y5Sp=%`!F6hI`#@kHh
zF>h=a#Krh~oQ8TABWeSO3}@5w{2=d-awl>nHQWdvur~IZjnzQU2P;S06$7O&0TuY(
zgO#Mus7T@Qo%6c5bp$I4sLMn7L563aK^-(Y7693Ro4PDdyveaC8e*f8dmXQvW1>n^
z({8W9VPAWQuW_)36Kt+aqm!enQFP@NR>c)qa<@=ET3cP5uFJoFImIN<=tJ*kph2wl
zni@r4wjVkrTh9a|;;ZB^^<#mv<~hUNP1Qm(A4i!I=Z>OvoC#P^70jf&hpEd)--CM@
z=O!M=#k6e5qtq$dazsYOJn^p(*o+AMt6RKL{|!OH)UV<OTyD&%%1a3)C|Ld;*gw}t
z1;CU?2ZTE?EfeCXkGd}|`e5fL`r!2ET%SqD7>RqNE`;s1oI}eDB`(I|YjU!<#?~s@
zMt24^px6Xhi$_^}9I7O)57b?t#V_tz*f1iF;KOi0wv_qoJkAmQ&8KDp?HuluEEc>U
zf&~xPM)_&o0uGSH=`<mOW4h@(Oi5(ug2gs<u40KuNdyR|KuU~dcamD!`osaeSdVxq
z_<5Q8({&<3zPIoE)5q+H+rTDaNU6^=kB0-16l;bXJ>U<o*d$Ce6GSf(e#~qTJknF+
z(s*D5Lv8WGAd<up#oSgYL33%%GYGm&!3SU?|5tu*Sl)Mu&657G6sw%BAD^I_0L|PW
z-Bqm)SzDk&+ed4elV!zyHlU?%`pT%S1y%n`!;eZyV?&1yy(L{>@E04^tS0Uch8C?^
zmdO&K*&78Xx?$MZxo2Ew17d(cwB<$4=(Y!OZ2m-<4>bRrQ=y`tWej;s3Pi2mpX0m)
z@}(5WAJ>h)_S4xZ2+xV*x^F++?7MKzF=tmBSNSVk5nP}cgN*^)L>*<cnb+}<ifyzR
z>@}LG+*2Wo)<wpc^QO@ESi6Hd%-AL?#H&qc3p1yN-|HKyt{jSn#7m|a(I<%0B%>`p
zciLDtG-D}7o)K%w?K4WJ(q`<}2#*WWPdsMhm?1g$dFv>{f4ks3zm%`rsoEslh$VXy
zMI=Fj)fZAh`*fmAz=KscA#M}hkhCZ5iQJojeHO1lIr*uEa$m5m*G4ipkC#FFEk}@U
znu%8DnJ->$X{#cPK)$m+zmb2HCK){Rxg#`-!iW6k>{6?(w;dLZzQg{gIGhQh`tCdV
z$(TF0q?U@K-Z8&!)!U(``1<u%I1kDMW0GxJw!qE#-$M=s{OXP<7Yg?Pwzm`1ei)B^
z{;wYdgG*hU!-F4T?Y@um&$^BS)q<?s&WGW+mPrj(*tbSdZ-^rV*woDMI=Y#Jld|yf
zC^r@glNCV<`W#sDoC8A0CC&T|$OvuU;T3WMC<vh)Y<w1%_HRrp2LwullFcLhJ9H|w
z`jEB1?K1OwTOA129=<yx#XKha2n!CJAHTlYzF4xJ>k2}@)EV1)s_6J?o+bUp+TFK=
ztn+Ro%QOvDLpPY?wdGs;m+X^l;-wDGr{~9kpDU!mkviu{9xv)T%W7O)GU^>ZRIH?n
zTi<AMU(9fZ3L}0Q^C{aF(o$@czP~>rib~}J{BQmP+UbS7RD!Df;9FDU4e<MFG^Mh|
zPj4}BwO5S9ZAcu@m9nYEI0St=35Kp1?ewB|%`tS+V4!qk<{B9P78|)gVktFKImT}$
zjgR-e;1EYDF?8Nfk89o*hQ1EIb6`Fj8%Gq87zT%C-%WFZELQa)RG1FghC!A3c$Ez`
zX;CR^SZ*Y#67Qt{4Wb_^um3vhI|5Cn3z+Sa)T^XNN{t3hR+!CE4)H-?abEA$<p)6}
z0XQqlo2s-6P%D;rMIFYgL%x&>iftM=s{|kIHv%3=SqKz+B}2Np`_79DcKxRY6T`fY
zpTh3uCdHO-_X)+a{+^`F#DS!u#9JhqsnXSSGp+lM{&6f4tzbz(Jxd5Ri!4{jmHE9x
zlr{1*=z8Y_mWfCr)_I7oxkjU1!v*kZJPP5xM}LOpzCSsR<FZN(<M6l(D8tFv#dFmB
zur<H^sq@aNaHx6FidNEqT?#8!QZ#ID|I?WJ=vH2;)dOWcO1S%HQ{8N+u2~k;pSsTa
zT^6!hUtRUgxBduc&|QZT7Ns&zH6d>~YSDQ%)uwsm)0ZElW?2JkTAOvV0D;jI14i}1
z&wqKC_J^p#x7P+)qWAwfEoFa;ocN&vHRctpmS6v$RhjM*K14o5femJ<QdNzWzDGX*
z@vhpd+&keL7zOh4a3l$S{wLF<5O45>snB}dW*1aZaVrD|<0}F0C^bJ<Asu%l2bQMN
zU4Wb$>>u1s5+%&_q1!&6o|?(7IKeyleCKGVM!I%BaqTStfpUSqdKu$2d=8UJ@ru=C
z%}WdsP=53%L*$bsTV9G0NpxM3u(OBLa6%C*IeMBwef0#ZG1>(9{*3R!g>%qD)l*}*
zmp@|XCKId}<(=JG9C<U<dWA*4*{JokGS1B@fj?#%=oC<{32DZ{j_WU;y~t@dVEss(
zX2B;r$QwK5@)wtOai`;jVWDKD9UHoM4eQE9G;I3=Oj(9c&hPWMC5VASM;mTsE<qL4
z<e!Cm3?m-(%vO@G>2WoNyR#TnV4c|$@^2<-;24y2ma2|-88j(a)QERr#*a7t4#khB
z@JKMwB4+)#orNP#vrt^%@b?u9t(-IJswdf3`|AjIe`6FJK%4qe{gV_mi-S${Vma)K
zE*~P)n66-jB{02)5okk75%%8~;gK@eMTpV+cwt)S{h89Y0ImT!w^6c!*@xVRESNH>
z2;QP!^#f|OXMMl03(179)iz~Z2nlP`(DjvPA8&n10S=irQ$iPK9YXG%VhO`Sc`CtP
zt|tw8b+K-ww{OK~#~S8lwSqGYyMsd6*YVy;`B2-GF7?j!*^CO^L=(fDbDpBcA;XF(
zHzd%`eQSn=jsl+0ucAX5Kbovf7ZB1d{d#d7mS<eQx%~d?=t(9ef<eJR#R8`l2A%x`
zr|4}xg{5J7T;uhE5yWcxb{T-4ij(%6IW>fwb!5T@yP0MwSWW+*6=H*U*e(#XbEFfi
z!)}uWU5o%_J7-wJQ)q8f6=T(Kk0A=NLizbftS{|hxU*rCX6i3NlZNh)a2iF0CKA%=
zxB^n+$76&>NIK8-PWb|JKw_+a%*=#GoH8?&w!3F*)0)rC(hB$raNwr^wzHXr+A_FW
zv6C@7-ydmHnys3|Ys!Q_5GB#)ZG)91T4Pxg@51i_-xJJuwPRpmo1ZrP{2=o>Ucht&
zcyv4hd|%f4yUA(2K-h_y(cIJ2Aed9*v&d)KQjW{wmA6ep?>jA#7h^Xtu9L_N_s?zt
zRt!IHc77e~2<_Qu7VBs&FK^xOSv&ufYupsNN<rLMmXMCR7QMInHLalDA&wL=>|X&;
z?w{3&kXj>!4RuP>Mr^aQAb%J4AWy{OsZbJ=@~dh(2WpWRoHN@fIti=Yvff>0s9$gh
z9Wd&t>))+aC)$jTpZ7@~xsz(VtNV#rqfZF4>3t^|J<8wZ2oO74lqoPkYv=$A-JZPL
z-sk2=!6>f~Yji<qh?Jh+PdOdwp%d-vlLP#INZ-3{I2bFYH_V2ci3^W3bDChZmWIQv
zOmjC4goK;jRRzC~*ILqI{5a%I^${uSuGBY1&&F*uIIMn8GN=16`j>c$^Fc~j;||XB
z-eL6PADnDz<=@7}D9<3L^#P*0*LeefE;_O}cTlC%61-CBF%J0|7+&y0Hm2VkRT9e$
zzy${7jr>}BR|DpFdi#miXFMA5`svo}q|tq;kt9>;oQ%$buC~0s0TgnyzR|7PvEMn4
zh}!*{A|1vladgm#>y50<{LxyWOCoH<bfXHVMOc?6I=x@cn`Q(G`Pjp$nBLEuJ(&gX
zw>q)<U_kg45v%uhazBfeV4NLwiD-U=PrtU#W=tG;u{>93nH{MwCbt}o5)C;$>VC<5
zY%jON6j8E#`gD>UsB!k`6-~X}xg`rh2qH~FVVXx)q{%0L9e^oO_<uh3Z0<8IzLtQ*
zWpoJ8Ui8u(NgnKcAU&Sch=BoBZ<yD4Lccsn082mk{TZImMa@lZ><R(G2UIG%@`Ywx
zxO1CvBN8dDQI=pa_$%Bu7udN~(R4FUQgrJoCo-HK<fROj6t^<yf66CC0P)B4y|SWp
z)>r@hdo?70;<ZN?)T1zxnGrE9b+~?x@HWdpP62g6mG{?yEFLeY)0R<{C`e89TrBUK
zeQ*EBVJpt2Uoa;7ox8*m4sO4&G?7{~v&+a+_v~STbo!sSeFy+1@kf65+0Gs(P8}xA
zpWQ&gVvg(fPNlquonK2g9>ND{Y9^YbtK&o!sleLPHKWy6ffhy1Eexy#8ESG~XJnuT
z8SpO$G}q}%lNI&8Hf-mY3{S#H#sz7=6$~pDNq<$x5pN}lK%+bL<BO^INJde4Z|6Zm
zCykSwyNF_%&FvW!mT=Qg*#DHayfEcr@#EkEQc4@y9~NhpIdm~W(!036Kcv2*m5}?%
zkAb(S+)cy#7QgrUHaFm($0xnjZT<K*y8)<d0q0VMD68+0Jjb?n@{}#Vscs?QCkE&d
zSbE}Oux_lxBgTlm@zcX=sGI|lp@P?lD2sX(Eu3b@ja@LN_S;AWJPIPvQ>1$s@Y9NN
zn$mX+#1tYNqHs(E-Id5Z6|5Ld8%6RybTgZ#1Zr)y;7hB)8^m4+^;skiNCE{7BJbA=
z#TbEnXp&;mWrtl)2V&4r2&(v5)@Q1!c*Zy}bC`NFuN(7ZMvt#dn{p$CYUe}iIjqq9
z-+_l8BJE#hPF3;IxZQ&+-u=8D&TyGblth_(Y_P#_$lNk>wur{^TS|PRg0|88ja`lK
zq-5>j(q0-1AI_wUt<^Z|eCmRI%ha;&kPHYs65G74=X=cf0<hzk-cpEF5!-T*txHND
zeAP`LlvXsnR{w+p{RAsI=%1n+dfAbK_|R#~-fpw(9thDrwGmJ0AKl$A!isJtcke47
zAKR~zvY;;+N_aO9|Kekgv3U9ZrHgzjj{RqkpDWqoptEc{Ad0c&`{A_S>r<kOswO8P
zl@BBNJZ&{QzB&|_bGj!;qo&4MBrS2gzi+!!!O#o0f(S@TK@Y>N5yo#B^NX$!Fgmq)
zy!8)s>fZ{CaMZLZz$uQeDWPfbYR_3zvI?l+nQzE^VMLqep)n#TxX=7bSbzk0Hubj=
zSrS-q1wsyP^8o`7f$JYz5-^>l9l&5jCh>{*b`@b}F_z*`2bvOTZcy}iD$U}2K9{zu
zkHVy~12$y+;g4&LO~~yy?UB0oL$hlnYJ!-_8qq2%>p9LczfgTC)vH<uv{l2UA+9A6
z_&{1X6HVLIw_^>Gmu1|c5BUsVj%L;qJTC6rNlpC&dw1m86fV43{Fvq99_J4Q^)Uw6
z0O*vkzyI^mNe!#ZzK4ihFU8oEVjb)njXkN~cSZ2#5hCU~#MM-V;o(I!!Q83g)VefT
z<kcZJJznAY`OhTMonm&_O=dM|#kqX9pG``8>FutI`n$M<6`O+UOA;B_H4-0OQ@Z{O
zONdS*tl!?SlehhZ42f_G3uF&sej{2jmnl}jI3IzJDT5d31m>sM+6l~E>A9n5$Kk@$
zQWKMnMo<e5O+2)8(-lDj;)eEq+P%H;h01^v)cTK0<fFn18_7}G6<ekgxCbSKA*i?_
zJV1Ukp%-IyBru?WrV;3t^NPY{@JYZSesM5^tu?YQ?9ZXsD%Gy&g%w)Z7P3d;J<jyU
z>4FwGR8*NjEf<P+o~QV~3ecBsuvYr0rCdzsXj4nyesuE%?AUl8vHW13v!QjKRmobQ
z75543ev?^HTG1AYeJp!#6(PPeyKfP-r2x0l%1twjLc4p?1+Mt9F<Ty(wjZNaGxnWu
z`SOyw0Gl}c_it0U(Esi449}s5$d@~TUTA3M=*IPt{j}EpuV5WzRlN!NO6Ax=7x32P
z_rS~XU^j}_-44=?)b1fq&U<JJ9vJuSne+rPNTyg2!PHsSH*p=r`NqZ2^*GRE*T8{H
zqpl{>v7WJet-XJ*1B#VvWdcBQpShmM<;?e%`XbSXRct(+o?bE*1^4Y>I3)B7*&8*H
zUDwZ&r0tl(O})+va*dOU!O#Qh)e4?B1^719svoD#mFNd}V_8omA(vMA@>R7A?+A8p
zW9AJbmu^9seW(1~jY&G%Bo)Ks4}#ebf;m3u#|LfYVw)btS2ty=Pi2|f_fFs~Q*N`B
z$3O1_y4kL*(}(;h`c(;KottIs{CitYMGJMbNbbh2eZ>I;LPX(htjvLI|J$M0XQ7Ng
zMkVLM27A^Sm}6NtUhJhp6P#9v{Cv#cj?mU=q4o|;Y_+-KB%w_xpH5pzAKjv`Zxt5{
zC96j$GtvrpU`=L=!#n9`#-O>I!^}Y-$2W#3$fC+=G3#w*=SMd<<*u=c>Q`y0{fhS0
zLLZvI`Q-3?$Je7Da#eutqGt*134|6i0W`&>Who<NxYTO|cZ=9BXFVRigW3gw+ka%>
zd9+Y1JTe&A4Tt;esRFtqtJUj10r_NZa)TZcJH#WqrbOwz>l!xH#1sx#{IQEicmOy!
zr7<A~muW)9@=MYNn4kd}$rUv~jGVdV_gPstg-F!Nsv*}iTwJs0y^hW$vfT4I_5F)Z
zLLo#+JR_ptJLdi7{ARN=mt9jkQ>`>#$|w7O8+3tLB?Qi-?0k>|2S2~9ILg0scY?$2
zz+Dr0lrm)U+j4OYH~kp?3Mc%3o9`0}YVYD{<o6BJxs`&dUt3Xe^c@`U1$UzndiOP>
z=1~WV`jDR5ih|u-lJMv;XT%lm7iLC{ifEp7a##xic*fUNMeCSVG(s%V$@yJIuV=ZY
zTxG03fd{3dBbTv2LQ;5o)6wU8#{N#A*-M-ZJ_b5Zne2kdYL*c;VQkbucesLr^|U@(
zofnQ#Ig}u=<PlYyqqF<zvv^egHUYcdgD0c>X|--!fmMy-ZgS=y;FF=|_9-1rlCd{_
zcU9<KN6gJ3(sDa8dW%Thai1l3qS!afn!Jw4%<`Y}GFQL5MP1;+ie!7asyj#~{_8OA
zGT{aDxL=45HzSXmhEAZ7I!B*L;ca6+&+t{S{mqWsvZ9%s$NTz=KDP09CjU2}6r(~v
z<WQa-<IbYLrC!eQTG3vdyZ_!3ZN6ofHj}KhC28+;Cn9_;sb?PnC@9@{nuGIkM0oz8
zmNj3WFH`NRwS&dFaXew>2A8UO-`Qyw=Bj|ITs7btfFtIR2|uJDCIdee2bb9gOH_q8
zIw@$!KRWg6s%~)&2_%q6uWa0c$`eZCq|`?$@LM@4Vlsf0F+~2WP+i@ZnPo7g3K5gp
zR|!bJK@HB6hM&TL^pCH;z9&}zxq@jtv@x~pHBx7$5cDNXtd8eemasG(Eu;#)NsweZ
z5Z_7omOz{pm0NGCnepRmoj*Gayg(t?H^fcYdL9@cWyQ$o)WclYotwPv?x$s#pyGV?
zGb|;rWMa#jo2t-_W+H1L;?{?h!nK4@O-y&{XYWI_zbb4{|C!hUVrEJGp_B`2)s0_q
zVcRf+(Pq^YE-Do$4z20HU3tEdsT{bDmr2ZTJyT-lfiP}5TVBrbGca0}x)sNmulNcy
z5(r6EGQ~YgI!{OMn}cbJ%cuv(nK15g>WBqALL$&{VHcE&G^Qusqwc06huT$SRj~dl
z_Dlxn+Zv{OJm-TZRl_IkO2}_KHXj%FdmQ7ZiMob@DPU?E8->gX;GlzdDRTY6|L6C?
zy0HS*xeoU#9g5mx!R7+t8y^{%G}M(>zxLi2A1roVx^Z~h$VEG3@EyNw*KbhWvhLfD
z_nxW$Jqr+An>3eQ=fL_}NKJ08Zw?d+St;&4?a%VhLX~DsN|AAU=qzXTdE4AI(6Y);
z8`is)KX@7yupjS@dzlK1&2vbWr|O0^+B(|*`LQ1gEVE5s1CC#7H4Ue8ODS}<8cV)0
z`pK93W6wngaNo#WCj|DOkvPJ)h6aksKiL{)F#}<$I9U~T4W}rJkmsr;tDHZi9{;+n
zk>bNkhW7}OS$}?^Rb?CUmo7}0x!Io~!~9RvqL$%yd7#-<hSAgsw<~+J3L94}Rcjg5
zi70`S0-KP^fPlv?viA8at`=Yj179ys1wKr5dGqp8Xg1}5Xj&I|IMO6hBPo{4gilg1
zmGWTN^7A2bZKICVz~j3L;ds7=_Tg>D0W`2={p^t{1y5%liMuK2^WiOob%R|R13pj{
z*b)N|b19n8VnhK?kGFm&9pV!QA$$UK<aZSMux4)r67q9Buy3570*(<72Zy@A>Vu2w
zmWgJ;3us@{h9p-;*f3m~{%JZ>FI6pvQo<dUU|5#<$@>s87<u&_LG+mVc{R3HD2F*0
z(Cd+Fl$hb<6w>*7Jt89!8b27*k@Y5ELSZ~CGNOz^LT;6X0c{UR4lW8+JilD!Z^cn1
zL~FTqAC2*BV_x=&9?{bxsZc9mS{DXckO<wy8z2;*U$A5QhAnj<qE)Goz!l7OpuO+m
zd>a<u=;_&+<A5Ssu_=3!@Yo%H=OUdoa3FS8<;~~?5XmcRDQ0}fblv^9LgUj|06iG-
zrh3KuHZ8ReRySw4u#DP6^5#FHc8qZ_Px^QYJcI^9C-O=EJoBEho@m1#@YElYgY=Ie
zN$|^;&bpo>bo^XmGAd#l9=ch7JP~-#F!L6B%D+o?fs=Wzr;^mw7^5B~<L@6@jfG*t
zuli5G9)O9OKx3MZ=mPB#H&!qA@-!IWr>m)><=9~?*W0odxxX&H?*LKvVf0hD_vOrO
zz%5F=H^23O``8~AS+jzhjmf6B39)egwGrS3_fs!s9f^qL(puHbInN{!aDoIWndo~6
z6ng_>pRps3pk3b+?F<NBVo}jxy@rm~LquBIV}>uaLGQ+)K%qE{4)HNpQv;{bq+*u&
zG(K^QDO@ZMZTbbqp-xD*;=Ewzg{(h{#VqsF?|lR=ho4*#t>v+i0Tc)XYzkC*#Jzvp
zR$?z<!gWj!e4G|XF-eq!*b<cAnfJOnej`q+C6rkF-kB}h(YIaK<f~f3`tB@qYfC8_
zF*?y_N%tNH93KjiM{IR~MJsZXKb!35tT^geU0|Bt#jx&5Zp2<XbPBK(gDBRQ{~1`;
zu>W&XA(}2s82?Ggq2AHo1jojo?Thy-R$W?ac6*EbjDrhsIOKJ-4e8jmc8K2>xRC3W
zUGW=txVUc~%LX+Km!NM+w<m_;9G5ZtnXS*T@LJlPp9w*qlG`eNuQS<7@<_y_MaNDv
z7%KKnAW)Mczjie&a$1syf*pykMfwkrCRT>1$OHy{K&hxdyFWk6?l^&CNZBnsr6nR?
z$TVeSgOhlHpFbhxnNt;qPD|ZP6nNrpzln%Y1-hSIcuj&J=EG0^w$eSG29e(mRY{o3
zkE1|Bbawm^r>c!wdH4&nmlnl$=I1uYC(qt6v|lsJiR`gIzicHnZMblrg#ihgmG|=}
zzV^Tx{h0M6adX4}U<d@v{y!cY5gIC15#uZF5dv*FMIjvN^K{MQfz2u>;lFe14BisX
z#9dGom`~UIU94FMrh96FAsntI__D_RcF*OM@a_OjK(fCbFrZR71`hU_HK&n%Gp;Xn
ze1cLm#i0?|L&bME!GkF+1f2m8d!yYGvBCVp{2N|A1SG<XIn{s&Jow{Iu}2bwLqt9N
zZgRo)Y3gFc0vZ@_=4%Mg5np{t0T7Cv<wmwaf>+TajPv{IRe^G{R*WWvfokx2a#pmt
zh4)j=iZ3xZ>I6JMzgQG-Ux}Zf#68X>c^m?K-~v!ekt$*}1|+=V%N}Je?%^HF3h&z|
zp34PH1xHBVh9E)^O^6Wmj;F9pdmwV)DGju-t9B&_VlJt``;Zk+-;*^^)8}{34ou1c
z6J1hbfa5Pz$Zt<^K9f->vqUk$_wq?o8Bw|EQC!$tPVXrt70=yw@^v}d^kk!Y*|30C
zaM@`Y7-8IH>KKU$>s)p|<t}hs-&(!j^-lv>ez6^ZNBLh{VWaqx;w##WkQ(>$xOW=d
zZ!W(^qK5KR$2y(Grr>)<*4;z^p9?n~rF)@Fo;phh@KlTk@E+n?-QV7&Wf2r<-PiL4
zgt^G=sCXZhhI;BI;&4RhY+ji-b0)CWF}!oI1Q~&nftYK0@^9wF6{gh8RGFARi3s=W
z%Zh-WlV^h_=m`h!46$(nfi$63wBVw^@fO)2zdw{IQ&2`qM9icxO4ZG(OHS0AZ272A
zo-af+gD8W3`jM!Nw1XKqaG@xnM0fd6Ph%*qUR2kGdEt`r;xhg<oN)U~a!TMda_sxu
zJKPXVl*<uR8brA&71F5ksZzAxXNg*`!E|oa{s9lu>aqIyYL}8Q*L(M6tNkbVn7Uc8
zP0%m*PZ0-N#SatB@B6<1BZ8N6s@!U$HP^7=dm9}Sal=TCO0h}lw`$~N=MLU-<~Ey6
zzEH(S`<lKh37xY)zi^kI)=)!PWszHD-8;tA)tV#ah-jUFH8}l04X*BV@Cxp^t9pGE
zouf5S*p+6%&{eN;-dXg4gI`67Sg#%D^3Fq|=NyUGardnG?tVcplq|-*hbO?@etfra
zvP)d9w|t@1cAVK+ft}XQSMR&MzeE}SLep@4yOO|ygd@U_=>qbyQUkQ0;;A;a2WVxb
za6|?<&=(ArxX;*lExB-y^OJ_HQwktcQ;p78>bT|pRZ2+MTZIz9LcfUC_O20-lH^Mt
zlSJd@C*gdgQAzI!Jt*rice|9#N=*Y=<f+((mFIp+qWIlz7<qsM$;KqA{OMTsEzu<g
z=7n>bLnSz`VFT{rM8xdwz`$5r{_T|AvvAEJH={yGSi6jNK{3d^>g`!U#_0F2^$iZ^
zbZsj47wntX6pE6U-e1#b2?$f_D15}>5fL2-kvwCr25!P(bu%C(5cyx13jb|=z!F7#
zIcSuySf}-(*CWXPr<HPz!6hl{M?u}8V0RO>8lr<M^Jv+13(o5ty_o$zaX_mhS|zFL
zFO_$Lq5EXW$$(W25^m1Q$eaU~A#?Y%tvaoFuAR=aqmAiTjpnSWzu@3Stno<1yU-S0
ziaNR9W)mTMO2t~AuSOoSCDB_##~vwMnN`To;i+B}<lw+qXRpE6r_!t`#`s?gDy0b7
ze4-ok?;u9kjS$5|t)fKX&h!s1vhHbA+r>sCa6zLo%xH1NGukggO1Ro9eFfyQZur6B
zd&gf^>0HnF*lDBNj#h;xDj456WNzhuiit`A=I{fxR%7BJV^m+wgt~>@3D^_a++m@-
ze3DS8dy&+oML;mgnQAZ;`q@|fZ+=Ahr&wi9K?cMH{A;P~Z8C*`?n)+RC8AX~^Il_^
zTF?R6m6&Dj*f)<oB=~*s^tQ&1+`zALQ}<!s%_=-mBI!L1umOtYT-mI*g(WOr>bU3C
zRo|S1OrCGL&MBY6!{oCF5sY{wR=^I_%;TvJ^X{8lF*WSXc&i+r`At^cN;Wtmtu$7`
zwE8&9>kX@fo9@%GG$dp9EhFL=GTSDG+YX+5B*I!!vgWRzJpo0kH)}QDPyXP*(AAS5
zGd`YE4N&o8qxf^ld1NTIi{HHrBw!Ygkm8NH$ByE3s2<uXi+ttr^^iRwRkywL$;V?%
zSuZ=59KDWnBP!>;r*)VmXWWJU!?=8E@ZEcUZUwZ@U7vi<?lY+C3}jlX-kqiIW+E$s
z)hJ~7ky5^(%_x&sHzDj6KN2~sldisvY0#SVH1BOm+iLqFwmo}QFZvaNI=O5LKmInf
zFr}6h{(Z>62E63Y6p{*0r!WN!)?8ti2moH6I^i6t8lmu~U7>3s8o&f{ENh>Si$^T$
zNz5{R-2g*SKZ8c{f$1j$PpGY#T%#~QP{5Ao-e0cD1#$JZpo*>%vUH2JGCkn!Vr)fQ
zTVA?Y&?+XO#*HL!7m?&th3Ie$UokvRbu%avpHy;Ibm82=!0PkFD0b}3y$8i_)!(Tu
z<-Ds&$HD|=3Dt~pLnS{!6!$L@UW^zSom&{3X0v{h_QSM@`X9Rens&Nz>CO+&Q&svD
zmXJtYr$p@M=nJXoa5i@O)WTy=YZr+M>kIqy+|<GJU2oQSL=qLjX1vV$>UU?XWaC{p
zVlL7n_U0e)k$$}zY3uELk2W@HqFd%k${LX|wIY%qiT)T=l?0zU4Qq&O?K@6kZZKUe
zYtjZTuoAsi=z04twzxW8F8SaxaWFn=I;?BV+zG@e|Bi`2^Jvxg+DI%19rqLl6aq+u
z02CQiX1O>`i)tVQ&#b?><i7jRSD*0jURtus64&<^v~R*fI;z)DeCUu6l>*S5Jzy?R
z^+Z#;$`akc&s%I%QsS`+we;6Z)iIhPoxuYA^w{p^-f@88sX|>2EC);fW0b=07Nnmn
zIeUMHX6kLvqQ=MXPi*S5YQ1a^$}m$<!RWrv!Gfl{QXY>Ui`<v=;?5%!9d~SWWA;h_
z`l{-wY3T+eX0VP8Plgnj*+)%l^4BU$^r>lc$;&8mTR=GQF-cVQth!BpSYSE~R<l}A
zS4{0Pm?|{a2$|*Z!wz%U<@nQJhKYZndZd$(*$wWcyLBf3=4nJxV$+s-2M~G>K;Z3i
zQ_9`<1T4v0&9f$Jw6Lpe0}z1x@kgIIx6jRcco`gcD>)Y*W;u7~Z})dZhP|%mb*C(9
z`PE-63^$4w8t|R;DPY0hjz0!bL_V>gdVJ^+TI}idLwCvFQ^q;bL@<gGds#BSuyrX<
zv<qy0hKZ|VnNCA-4HK8o|Ew>+=41e$e~^)pzX;{+Jn;Z+4Q>652<S1-b6jgs0IP4&
zRy*r5{DZIN$#eLmw}yxz?56&ME!mQmg1e0{ch!PJh?rkc?h=ngjhWe~{_MEHvne)M
zeYX@35>i<mEuYcp7FWH#i)1vd)$kI;H&%WTl4n#Q36o0{FPsW4Xjo6gdA<53Z{Pvt
zsPhx=))a4lxdx339z|~MQ-G<zgyXkVE*%Jt>_sF1jaDU{Bu=$-?9NplF8KhrmQ)al
zG=c5*kbzk~PSQQwAu$8k+y!m+^o@|sd*xsgVj-wJjxQ2`4APHS6ETztOKY``j%nwi
z^XP(#$G^b?EVPNsja}ajgosm%p=~s`jpsQZ{ADf%Od-Rm|IAt9KXYarF8-~pw`aj|
zQV7DhdAwl8uTpp4vrvNh2}b(1oMukA?s*p$nppxLnuNB_VfprzMmT7DbyM9Dq5G6s
zN*Utb!@%mHq44>3vMU4~w@J0tKDt6;HI~&RQ#%8iVbVCrgsmH}bMfP&bYBK_iWQ|i
z3RvYx;Da^?l<}J<W7ac%UVJ<XAutQO7TkyI^D=8IjVyD(rk6LqA4b4NF*olVdkg1J
z@WY4Hs8us%v`(w->t2`kW(UqRCa8n`!!!a;@K!MaZB+8&j~;2l+Hd{R3aIe#ibc-q
zlcW{%ad42T@A1ek^Q#k-WC%2B0w+?jzMCO@Lae;unC~}M93&hMmt1G@TJ^s)45i?_
z26<BF@Wa4h#>!7OwRC+s2nyqP#ebMI-K=)!0EK<i!PKdRVcqZN+Q#LbgM?gf31=3O
za@ByiB@9vZ(sUL}u&3X9H#x<QTvG4X9Iau3u&ct*)m7Wuyd)jrF@NRoAs-{ernQ!#
zS279uvOB;}LEu)V3rGdk<QNo<oQ=vUKw}*E*4Srkg%p3rz|DB@VRWK{3~(&8Xe_z&
zP>KoT%oMAUGx5=V-1i9`0}+el<a6$#=LHg%$*AOj)3*zW8Elez<jNlkX{05y$w9(m
zCk>x~f&x;6vNr$~MJ0&dSNz#Kg6{oaY;q=sq?I;;D|do$R=zMMK9d|To@=#5o8ydp
zvnJCI-H^H0nZNNIG1&OfkRx$gcH*z9y1LzV#&d*O2aEY;a%^&jtN&>$)qlp%7>nZd
z^J*-Sort>JQ(gIbr`mE@WRGi$v>^j5)+>|T>nb}WOiObW^{3BU-ys{N6~1A-wASrx
z+xYV?*>$_lH8QbX>WtMOOkg?=4wf<<1q<<7%P<zc`_*wl2UDiv@%m;Va3W%P)(k5e
zM?24{wj7dNam#%sg1k~&mpwnDM)TwHQ~&6}Fo}W1gvKykZGx4lix5==16K%MND3A`
z#l=uig=QXsVtfy$2plmIbRE`>NeoSaYFBGMta~O*#uSy%18N^aqfU(~#B#9$4xsy`
zIU;u8D#7W-bbN%%{kOwugXKfG1atdY{>BjLadP@aC*Q%0k)ege7)5~2&h{o*;wPAi
zErBFbE$p3OV-kJg3d`x1b%%^!%31M*SSCHK3<|hmHQOurN8)>EP<yv0w(4A`qN(c2
zUxyn&Sk|=Bg5FkK6$alRZZQ6Q0dkLQz;`<^j+V2Qe%(pJ@0nzA_bx=Nw2A8&@-8~A
zsS`?njSZ4Pg$aN2wDuST!k9;j;9)M}_>EZ2iYde>#pc(iq_#-LzDGAF!4Kfx2oypy
zP&^ETa1xS2fwZq0@e<U;q7WGoQ}A$p8=%2~ONsP$#>65UUWKFthKAz3rYfzVqYEN>
zZPqPV7)k_$w`x5x7aO6EF8g9MHs%UOY@{NLRRv1TxEIhg5(tN7Zu=_KSrrtx?i;u3
z#M0#zaG+`CRqqwv_sB5jwcwr}Ovi)3bd+Gi&$i6<19C>rkA9Imzlg{xOa63C!5@#B
zENAHcBt53i@r|(G$8q(3C}(fA-@^^|41vxHheF0yJ-~DV%><JysdedkTc32zoP)&8
z&;FCRzP|b=d=?$r^%`fwuyl1F<5vp@Py4w>!t>#v>Ga$&`<_F>q@`O34Ip#XJ_+cg
zZo6v8)_9eeul&9X8PQ4IdX+U=SIbK|>~OM6IubW^T8En?#_ZXvGAiYO)4^3iOQEs6
zjq%X?SS&}w=7ky++;0ILL>C25@ft!z_%3fzqPOI9b#N(zc6?_8Q)WCJ17>GYj;eSf
z-?>%qxMhY;2)`_&vYR^1A#;A5-d@_IM*JlvU4~!21s!(#oiP=+b9Dg8Z%IM?GGn4@
z(4!+*EFpOmA}$Q#lT1tPYhP%%Q@SzlRkxgur%@oHb($rr{K%v%oRUe8Lc?t9l59Zb
zH<)tK*x+@<Y(^Ea^rybJT!<z9GGnm|d_27I+z<5lTPoClO10}v9947yE%&<yoXiBf
z0lab$F#vapL78E^-WJbzF-^zhg(<DZc$RH)bbgUuC$P*MfzzvK@5HI@H$V5f{*WAr
zFps9Tdhh$?i{m8!2lm1yurxF6T$q$P6PJ`>%D{^%3cH0g5)Sog0dCYP@$Bj0SF_>E
zo|nzi5{W<qy2oQ_ai_$g*Sy*C4{f1K#_7QiZ$8bZ?y#$-%pV{`f!-(KxQ8wzA!3W~
zrw@X@4{gBGe*r1NFg3Sao`r|}_qTk0kaZ+GWXRe^!qrEOu)%T;odutTKXkMSC@Z?L
z%ercWKyJk#$)dOMD)Io2t^sq~h6`t>Swj~)S;oz_0w^ZCsC-a|WR$!41OcQ9a^Fm9
zd5rnDGP?h$+|O`Epgd!cuomsn>+pb%zU}kVRzh|q=OjSN?z6k?v@T?n!B01vwGfc9
z_+r1$#sd*cuGmSjs#zpM2dkk}+6rdkzylT}1#YoUaT0K*Q%H_&*6m(i!mn|&(GR4U
za+E|oB1-+2Z)!HAO!lY;5s#^cMXKYc|1=~R%0`XKq=dm(Tke`&Zb`h*s&zt5SxE*N
zs%)5WFs<=m*e>-ysl9JtznZWLQ7d)0{(S@XroX~cBLPfNV`)}dnBrDG=6r%60=05H
z2;L`L)a95pvf>I|)F+EauYRjzBW!)50(sKF!=>N-#onirT0sB*s?@lnq$9%fc%qJH
zT;E#0*R?-36%u}705A27&8)AVt#l#E>fXMv<wO&yKz9=XSb~{pG^^)B?O{DmeMc}g
zV(#XNLv9YvF?9+}orR%wsVC8hQWrApqNTCZBkHBl=cM)>kiG?vI7*=47AO<>2fE{i
zKu~H1u^7t&ySQlFH1xX1o*xL*sM4i{eca-W2Dmn+d667|kL%*OmtZq)uM;H5^e%_H
zEUtEi+*cZ&p42`hfqnSf6aZt8yO78C&G+(*rnBnMh{=8^Oij8jywG=0s@70QsS0zw
zsyif|J?=)qLNV=1Xe<|p{r`~?W4M3j<Me`k^Za`&A;+^$I(_PykSEqpJ#@H@PpTWm
zyx%dmsE2Ia3qq!W##$x#jmm|H0`6QFasUTgl5s<hlN<2XrVNU%HWGJ?w|o>Vv=9sY
z08<u+wyWqYl6=SS5Hs2qmpF&_A)Q{Sg@kg*<uY+GQLB=A&yTR~`NLHEHzFy#RJuvS
z2Ci|OcuERGoP=q8gLn+~-EV#hm|J#TADnK!LqX99D=cjh>(L)q9a*DVSwA<_5(BuG
z)s>ej_@80H(y@o2<cXqK%rrb~4(1gS_1M*D=3Ol}sfRih<00~QQEMXo5o5T9FoAHe
zo;cf)L0xhqz^;;v3{30&Q$JYFD`=Alb1v<Fkyan1A3c~PwqblcOI24KeBCF>wT$U<
zWMaqd<+q|6N>o>lc{a&ReFxsmYg)pb!@jcCHF4i8H;x{@TH39@(JXRa96w%&WXvNU
z_>{mH)?1(7XKlUid7%)D5(N%He_R65zG5m+A-T-kiq8m00(eodhokIMSH64-#iulB
z6e*KEVZigRrkMWY$~@<8?lmo_W+nUQ{m^4trTS-HUO^wy1Ry0qBdkAvMn~&`>AdI`
zH*?*Tf5-sNiYfXebIfo{e7rxRV3BsD%+qzR?staAg_oUlY<w2YnBKO7cYDl51}yN|
z^Y@1#GCDc?5x~Zv2Ic>rjy)}4yx*8Sjl=;;s<Fgy*L+a~<mkslOo*aw%;pas4Vqoy
z$aXIMN{=B7LBDTqATkum!#^V&8Zsn>`PXiILduMgcEB0_-h#B<mCCze!~#UErs4Wd
z2j_<X>d?q_>6`cc?SNzKOED>Oszfwe)dL8xz>B7A6xE6yWuiHdzZm}(D#NH^180sW
z$D+!FTCm%}8>d7&7&@V5spvRh)VX}Oh==B0Hbrz>t!j|0vy6qcCX<g0NRc{|9J94k
zmJ{LkvEz$aM*;+@1)EhL{mz+vh%A{fO<!}9ga7+PY|n)qmLxzP+v`>JmG92pGAo|j
z_qH(iq64_mqbIkvabN`z{#PG!a9%&J>$w$3TmKJ~Vk}f*-`kp-3a0u67~#`POJTBZ
z953`g1h(fwc|0wgGLaovRXXSX<hL%V;;Q$<xbH|N*GevIrCmgGT=?e1uGit>Kq`8K
zDQ?`EZ&6qGnLsTce0YF>M9AJ=dyWfd#bZbU6h~9+k5r}boO<TOF$=!k*{B7dhG9{3
zzjedY>m}=Y5e{L)7n9iE5=O)ZB#7lQ;eAod<2YI~tNOJ<@S5*<dhdM8cG_ImP&w;H
zXseBW(>=PRLO#shyq4kCZd$1T-OH{_95I)nszWl!!h-er?AQAZa10)5@`b6&!L_9I
zF+#UJi$4gEmO5O5{;c)4FR=bkH!+gE&&WX@1b_=`T{HjSOlsQbIiDl4LcIG<=DJEH
zQa4&a=EP>5d!$Tj1*XF!v#c_}BV=G;0z4RMAvw?@kDSH`x6-#+=6Vq{7_}mhl9ibP
z{J|W4<GrCxh&C2&7VzoDiN6@}xKzS-TnUkICdL7^z>2{!MI!H2V+xy`2;;ZkPr2ZZ
zYgE>xsZDryH?OZaJ)Bi4Nm~`4-shS3|BmdVaG&&(z9>bH8tn|gAQK55zsV*&5xrrE
z&jKw11%Ej}*7GPDR>YHD+ZkrYkiD)s91bj5I5VUzN^I4~YrqS~PD4CcpRrugK>JGY
zDw@+Lht43<YgO0I7ie=NwmDla;@xM?0V@jYKSgm3y~Pc%m(roAE9DY;s~m$*Y%usU
z6OJ|E;No!b5g|n!=AKjWSbDO5;VO&R0$;t~_55Ph2Nrrs;yQ*61lW{vO?TCgP5eW(
z;JM@a%D<F^-oFFWHBw7{z~q$+AH-quf0jXTqM(xcx*-;LYfUlh_B7c7ko-+Vo0l4x
z2Cs+8z>Z3@RWf-AVFZUFQXJw@p^|}VT1AxN&lPDxDK|@}@U)9GJ?0L+9t+B%5*ZF2
zz%ZS?^*(<<{I3&h2&-HGWKyiFr1=qJ+eXL$<zi|j&{XpSDZ)B(G7qQ&M9g%ah*@4R
zGlr=s)c*W(b($R=z`IN^#7s`rh3U0QE|FTS(Q0f&rxu!Vv7~3G7lD#H2me)TerP)U
zFBH7~zn%R+Cl&2RUX#}uSqkvp++9!9M-CO6KSq&)lIFr&)5JSmJf9Sy`%G#qJJj~S
zX94a-64k$^mk?GdD;R<@C&W=q)~r_N($T>HHl65-Ln&-9Vp`L%y?<BUA>Q`}($Y6z
zxYF3c{5dPRThnb5x`+@6GF)#M%K7Z43*T6rM)*&Bhs@D3s0?7r!a&473TO}hV8qZ~
zJF&i<k5P$((Fq4G5@OM)VA@cbmN36)-HUtUS){6i+mlz6w0T8=-_ir5#1sw;do!r3
zDr01%>(jM>sd@cZKT37UF-tgffP(FP1K}t;{paN>I%y;^SMB7~$+>NZtKFpHj6s_A
zwbeJ3=ZYw}lY)ZUk*H!SZgckPxf!BvN6<j%uc8a*7G@Pg%Kt=OYH3rs8~-+A0-gE2
zty2q_bFcm1@`GrvXKE#|r<vLe-~el**W0C1gqL?7p|_}tjF%R=Vr8>Pvy5=cT|?^f
z)ATKvm}e8&j*mE(Q+y{#*o=q{1T>-J>}+>I(c>kn&&3)#+I!^{sp1L;1|r;EZttmR
znN%F*;w1BGW>j4;&EzhEl)#dq85;=o890!^uomGxBOJKwWXFh!FcAWV;>ka3B#}`P
zovy{N<dQ@RiUN~>a;OZl4iT~&Dp&jGQhE2B(G4W9w%dw%#uCZpf-lPRuU)t@lppJ9
z>FUC?l76TTecF^09Xk5X&r=4JnOno0YfG#@sAqVW)+EJg-hwOw{kcD3mi|><Zljp-
z;~VAk;XvqGt7qYNuwP-y#VRk1pxD)jAJ_5++uJ&m|5B;vKM#^KUi$JV1z}$|pmHpk
z3<*}2>>>4iFkrO?V`2WV!V9}j=Ti^KJ(>2m&}&?XA%R$7uf2I~^?p>19HS|>kANp=
zL7IrRwi+{S-W|D;YbVZ1`UnG+@f5ie=0_P6{GmA^DfKu>fkdw38Xo3@Zms@6HacW6
zIj?C&7dsws(2moedrshQWHq$X6XwJuhjbp7LK!&5p|{JnNdO(fvg0914A$P?q2|+8
z(G5)KQF7{8^AL~@KSkM~p8!u0Ktw(Yc8gL--1DltvlkNC+DXa8SZm)l4wg^rXkNEY
z#V^N!CaZ=L_<7J+oI7&2AsL%P%>~fyiL>lCiba>!rmRQzGJip#Wi1lt;L)pv!Koob
zI_o2>qq0r^=_pJ)q=<+rak2it2i2l1+7^;YKe*v){%41VKR>q;=*W+LeCRCn79Edp
za0rG0a%vE$f!Ii6SLS*iIRYXgL27^d`_lEia}zf%z?t0=_8W8-RYElPc&e>UDpv(L
z)CKjrKRXvrtX+}yK(SmdJWEZIs3YVKemXk1+6Edx`-u#0?w{_m5&T<_AvIXSPTD18
znQ==_O<=v8qrp*J0d-}4v+UNFUP+y4_5G`(&tz6LVGxTdXKwM>1&152C7o6rFrrff
zgVQ3>2=<)qARERt=RfO-aZ+cYzYn^ncV#Lxy|0dT_t!U__Y(lCEEo<Xt_$VAPd6@L
zlulh+{qBq)y{fRg83!mf`0-}x7Q{+Jlx+y!eZ<R9{)4ebG__KDzM2a>Vvfu>t_imk
z!oo98WeaEa;9;tOzNssi0v07Q#EGTGEDNJ8NV>%%Le@ci(kVDQK1?+f_U~}b#L^`p
z-<(~(N4^ORg?$&Mi@bw~GH}ecAuGe<SG=?U7>_Z=OaM?R?qasKps;q2AdlLD?}f#E
zy+bUg^zRxu8k^RzF0Y!^)<?y}5HRLlMc!cPq3cltKBL?Tg2KxBZs}f?R80><kkQbR
z?(^BDes|B)*83WFZ%->vbrycK3eevB$A{2*@;z391v(m)AlQ3&By=DM1U5}OcL$P7
zni2ZgC;GGqh=`^1$Z=jw6r;PX39|Ct&b<HLur|fe>iA2n4i)_G`HUtub>0~<YZpq%
zFK0SjR)z~4EEpF#YL|VdG;@wR$D5T}t7w@9z|=LbDXW|+^!sMXhfu|mC=EURoTNdR
z<S)Zhb4_0>fRrmevjUGRD4z$4NlxkbtY8H;0^9z)uv8*g)~qV?v8PzqvynS1t8<VZ
zPE=Xl<Vj#m)9NALni!wkr{DER>=SFQYXcA><!M{a#`|jS%yOz&+^)MHy(l5yRN#e)
z>)>O|BB99Z=$E(dlGc4(()Kz;TQ{1Ps$KjEQJIWNdySp;S;I4PRR@3KxBzdo?;oQz
zW-{*d*&}X?%KFdfSg2XIdDAMz^JP9qNhHyPSl+NWIsUg6U@ot8m^h`PV8FX_N^Y`0
z%D_xNg>J-<BUK}8H_INRDqc`5l=3>napMl3){{CO-Rs$tAopiCFFoDi{bon<14Iq|
zI{HBf@fT$36?8%(X)+8pi&{18S~}enX}YN#u1e$YY!0YThYv|aNH=XbS2T(>($;UQ
zSb+p@CrnfG2Rp4)H#eTn`}pK~-|9~xZ?&NZ-7^PqUroHZhb_uB)yH-#R}P(%wN^(g
zbUpZc#^oZ{8ZlkwNBeOsR%u0%@Tn@iwqE^PuQ>|>1pWrz3&;s18KKw1F3I(~{gLnD
zEpZGyNtVaTIFGY&_4_6qd*e&|5D{;*9rbmF`eWYzwuG?%^f<y&Z>8(%cG9VcBY|UV
z;p<}^K>|z8TGkh(uotoR%&Y!;yksEsBe5TTUFw~t1%6K+^`2sab45f4O@?9=ZL+H7
z<SZe=NS?p}gL#cupBnlAaX?I=a#G??^0aaZN}aJjFz-NzwrJU4iRMBkruEt!#s0B&
zsK3QZ1IMA*pufCim4}|M&#g)F6%x99V%O!_NUwcg!$q-fvhKtc57X+|;UbC0CDsnn
zrAgc3*tY$q8TGJkoc_j`(Z26#9}4x*wrg*vQRlUCXQy)S#|>}uxxp;%#>~Vd5rqtP
z2a???q}gH-ku(I17=%!xF%p#|EU;wqmc&Rmk1S4xUV(fsmh>wnDk>#?)Z||q`k+>E
z6q?(ZJoTxnI5d#Y;!ZpBFuwM5R_pL{iVKYt%c;zY#k|bL%vS5e``+)FJghnDX5awo
zLz1L&<09pVt1TwQWCH~-BaL$IPpYKqUgP~_t2eP<Go!zBcmY82LOQ=e4>hlq%qbmy
zPC^?`VQS-GNARYk2Em%u_<>H9w{o;1s_rV*)k4lU7~!m&1t;ZfSk_^M+pLiXld~87
z&rgP$J#6HH#WJwTLzZv$QY=(K&wV#n#Khbl?nnj_$Td7nwDxW7z6iFl4cYkcN>Erh
zTrF79?MZZ7x0%RAixJ`xD;|SW;wMt6D~~<|6Yz>154;m>%nOiW47Vwo6kM)y8+Z@(
z>{L->_bD!4_Z{+k{K=EM*|TXK2(AZT#(<dR0`t#bBILt-q#ZXk4jlu6AydaiTVmJa
zdK9LXjtwqe$O}6E=f16{rT6#5L3s3j<Lxh7JZ#1~m1bA<)ouvFU5>=5Z&m3ANK)*7
zjMS6OcWJQG-Gm5Jv#AZJ2_yG#sI}$CFi;<@2M`M7oOq$R#y%6proU~qO8HH)qDh9j
z**Z13Xb67t;OddAwv?_<VRQd0J%TJj_xI0$(3w?9i){kBv&+S&N1pPZJu6uzW&<(!
zsfT&!hX6}jJz0;t`%yuXmFFD`ko)*>nb<H{STI=xFfz9;P^*|ME-y3^@?HjQehSKa
znG$at8OW1zQ*5D0OfFaQ9)6H6y3)qln`t`!^-qWQ(dFV4R`~G!xsvY{liZ>ilSAT#
ze<?St(_%0{n+p<o;-$MeV7bGY1)261Y;}R|cqKBE0eXF%mXN_i@%;Un7^s|x1yvkI
zKo)}U2cXYq&wI*de&c@X7Dl?fiTjWvEg)F;EIEZA5Us~3>g<|>%CQqx@LFTAKkWY3
zmxq0Z)5|8&*P>_cnp!#xJe(bFCi$j6V3xI!f1E0p#{K;WPP&J6$jA282#BUe3y=3G
ze}>xr47;$6O;XkHuq{L`enNZ3=RN@8{$?5{Ia!;d*e1V*{eFJ?g43Q4I)PnkVFv_J
zc3RQJ1)b&5o=?Hmn^P%}`sG_gH5s^lh@Js#SpU|(Gt#HpU#g9eDE|B+!OeCLE}(gJ
zw<x(`w?BK!Zjh51=kdpXfnrZvJ?#kU<|ha}!th0t#nQ1?FE~xMO|PzZx^vk$yN<E}
zTl05G$44swIlV8?2aHDnkw~sYs4RGZk!U*ofI14~;3vLto38jF=P{AHAljhWh);DI
zcd2Tw`*>e5N|q;7U~4s7dCNKWPLj7so?bnwmQLvf*p?o(G(4f)R&evFIl9?>6=#p&
zV)}}o$P2hJgcQa!osnrq)9+36_se(VW3MkS;#^H^(p?0pSneLGt`?8%bOPosTlUUz
zE_N3^40z){d=asE^3>lkKh>etX9w1bh1wGgj`~ep4MyQ2la2H^iYG6U8h6pzyVDOR
zo5q2}y#Lu+CY6q3Hn*tMeCa-Q#z%f}GZ#Oc46>Ul5wA2iTg|(yi+!K_QM`smPZC9O
zYItA{6jj5;<aCz=2`$jeYNQVAdHU(ovp`DEZpx>p&?xy{Gcj;%jO+aOlCJOBvsn#&
z$_8S?-*fvqYn5|m1jmTkv~H8}j3iN#=JascnR7Ok%_b&S>c1LD$WsN5=LZywXMLA{
zZSl1uuG0`#hTBhj>V2A`f>u&Bsu&B72m<)*H`XewpLng_ey$=~oNBr|{L?~s#EVp(
zExVgy`){sFY4o_&b(-gwKklQt-q4Nh;I%#A3BBqIRwDF3R^f6UBS$1pemRiPIor(q
zs}Q3??qjUp$G@*mN(}0i$OqOwEgOtJW0_k1sZS=)Ob)JHe_j%hhJ{1ty*-j)t+R?(
z^&E)gW%rJ$cd!9RXAQm+SNK^=zgIunFs?g@D8(t92z`qEMBnTYjeA`y1nb?}BX;=r
z5bl_&|MXt|9FX9{@--?3p2*Z>y!&Q2224o+sBXKHNbA{w^I>DQH{$g2_nydfg7<o_
zpz|il*EiFedxTOd1ivn~;JNH7`(wK7(if*hSTuZyysDdiN(r{0AiRI~_ch&(9DB^X
zab0fZw;3x+!r`$Z@=BrtSHAH1II|jpRs;X$>OEr*a_qK3X<$O97WvxCf_kCB8(0XT
zA`Nl(+4Bg-<7WyfwyN0zB0-6{{gZ~ZA(f2^6sH15`y*$Iz9btVs6_D$-yF6A@l#ZD
zD~6y{Y4NFiTjfXUNq&?x$~wM*pZM}BtleVX(t?ZCQ|pbMdT2JkB949UkLnX!Pi*oW
zDYO4)K7+;F;LgP=d`tyGMs&rOQG|`dUM!2L<hdU+wd~0$bei@r={3Nc#^laqtKoXj
zbd-*0mDF?y8lN=g>0{R{;T6(ufdw|`a#3Gs>#a6E6-<Ptn90-1sVxw3lHRzc8&#sP
zBq1kJ`LCZ5qd}uQh0<>B<0`b`bEAj0jjALa&289s4p_`AnD<Kan%?<GDHlp2Dy;ta
z#8;|K%(?dAop1xQY?>3d*Hre=S5ErI?zNY1n&{&hgDad>Ql;I!+x!Y6mVYY*Ex^;B
zBmX!(Hxf1(ZzR*=AUCzSGpa8m`S%i__Rn0;7sNAp@O_<@h6y3Gu%VJhJon(MGmKRv
zUk=qXT|LVvI!d<H`4!3-Znyd|j$CS$@6r_Sgr|o<vHi%K^B3d@y>A0C-8~C@d3m!|
z-*#)0E_iPiqbz9xF(jbVme-?md+;M^yPd?2&pnyRPAgU?Ec3W~2H(Gb+xH3%Stm%{
z{>CxR#2Imw=c|oZRrtufQkxjL-mB};%O@{iYI9hNpY<X);YK{@`8cFb-*XA`m5MzT
z|JMs~(g;K#&JQVuD~5$!Ey{0|=iBn4Wq+(XT12Qh1qmyb2F9kL2>!spvWN=9Awzp<
zH*nolGLwPIms%iBYqJRzmyp^1oi7@ha^RAH8j)Ube3>qRlu__LcWx0fZBp-G7(cA)
zfmCO{$vlEszt63>x_t6_qYxFnQo@g&Hl|oB{(GI$+se2v#0VXsFT&kB6fT~cC5MQx
zIFgf@CZpo9=^!8`=PgRzh$c7@P@F#T!r~i#>w13S5hi={Ud6ZOW6U=^M;Fa=#~Hfq
z>Yc+%)BeHck^EHB@lw>x&9#8~?NiZ1@cUF$hjmdW93>$Qb1lbMCIehaY-Y!|<Ig+f
z8DgNj-xA*ni{saABAvvZy_~T443S(8nRS@9Q7Cv#K_Su&Y?M#CDV}yy3U^bQul9m6
zAllvEvlnt&x^hY;zqd?gm2}mc>3@{8#m6|<fHya!m*N&)wY$rEK{o<U71*-BjqN!Z
zXXuJijAwhx0|6pOScNetHR7cmd=<!uZh6fM<5CAbdJ<w~2cf5)DvKCN`i}mu(N9Js
zb4g~PV^k(1jX>GAGU2s?yLOSCBMDqwcR-WxP7h$ovyHi}DDn(%(jm;kK5YXxP7;K!
z-!ZC&N!T~gaSWI4U#AgZ%31HdPieYjZVZ{k-8#?_t>pI0&)CmtDQWfC7;0OGu02Rc
zN$&79lz?Bn<q==>Y3pV5W)A^b@ZF13(&F++^*3Liq6kY8UVFo9S(hB4;}Bj#A2JS1
z3|N*Ad8_7q^u!hnk%*T~+Heh~J=~I$5$`i7vA$yv=;axXnrD3b`;rPkHV2;$nWe1b
zzalDSq?!mB7m~R&j-i<KXU|7#RTS=eOQrTALQQM7jM_zlMn9_j!8<Dm>y@^ed<i!{
zgRZlI7LT1)Fu@5oRTG1n$fBV7=jn95wHGyw9{MI>atm{vo0B-jZnhrhZyWcywT&Mt
zSOO%!y(C-XDT*i4sNj+{De@W$UZwUGZXjhNx5S>S_G|y0KRo?Bd~Zfj_-DYo42Ne7
zCNQ1h3y)ay;e-P0{6*Q6bflC;hR{RVl=%7EaKHR{TC7k3{U5S^a~nna6P@qIC(6y+
zzk$5%S8H;VEA&fgZJVX)NR2Hztu~Sq%OXMzB$!xsS=j)Whsq>?!@`UsU!qHqWA;0h
zb$gd-XJ4KlAE-{!%Pw%jnp+{$f?cfqXKdDh%_=XMz)w#jQf;~H`ZwC6BBKgl2_&#;
zG?5JNVlZP~%vIfc*JEZz;q$JXp4`9Amu-6W-rB-)E^572D<+zj>@PK~F2$Twd?8>A
zW8%TIg;-G^!i*g{Dh|Ym5}=c1luU@O+rKzeONx(@v5AmpTD|-$>@pxnrug6u_ZTca
z{FP3GAkk0*OONK3Ql*ct`bNB&yAKyYa}fG;@2sj!_0zedZZ{7#Uv2QOaXDvpbg9Mb
zv*$kUUSE~_mv<-|x2@jCH(z=CW<1zGA0L~&G^H$3ojQ8Y?J%{{!~61w@^d|y;v2o&
z$oR(TE55$Vv}gDNnt63Sn{Dap9~dmM2nc9;Yn8*|C+5puhW&-l_0~^h<p#IDB#)Ks
z)j;%q0okDwlqzLrM;hbd9sg3SSCW%o?AcQ>aV?c7<Cw&|w(_Oc?S+Z$w8@*f7IO&*
zRfkrhe>CuInnOl(Y+Wrz$UGu25QJ59z4mtLuI7^s71Zv8t}aks2NQ|6%cDMLVmq`u
z{un@-U$h=7@cmsCTRfw5xxL-j0G*2Dq9=|z8R>)5PV9Dk1aH~l!E1^i9?E<A9FX#1
z+BYw~JbldbEsPX-LOm=ouevqnEyicfhaewMhX7h^(|@J^9>IUEN66L5u9N8}i^@X)
zsNk#{zbVf;@O>=Tu(V4rdTp+|$Yyrcnt`^QVnJa<^hsY-Utg4g22&C;HsM>_RH=aI
zkHXnS9a&WiIZYi|`H-xJ;a|(>LO-%93MWH7gdNBF8s2$OoDz#gaHsO@*_AG(MLdxr
zLsVr5udsGX1xf9@K@y<Cy*;qP{YAYzby|D92@3~U3H4NQ$k3hz_J8yvv9hm`kj5CU
zP~h)*AtmE^!+JsR8qTIwV>z7jEJyJrgwQHGzwVw77Vt)3#F{8i8wnc8xPINfwI}u=
zZs6;|$XiyX<pSXg_+6|*SnGOjf*6;5b^q5F9CCb95|zUw-<e`>_qPo97nQQA#y1PB
z!n<OYS~<EQO|RM5llbl&u?|Y6DdWk&JaU4gLtkGqYX>1ExZURpeU(4`c}FncTH_t7
zUV(n>lYX$}**37NB2mjf$GX5?kcLAm!HHsIK%p~x?Ko=qPwUzQgx)76!mo%(Qt>{4
z+A|UG$9=<DkD)l>-oHW-=9ewNU7aNC`OQ9tuyI*#%^|k?($-68Qe{+?6?|k~DQGPh
zOxT_Jnkh4CpI3FgjA)D7CG+(Mi{VYBy3KkAk@)qu@#AlvcvHO+2`2h+C5j^XRsIDh
zw{GtVs|r#^Aro8SJb8RUg}uVp3tGiu&D5U})YE|ldKp@4#yDxOxa?FB2q|Is+AhZS
zP1%!15;kF?{LGkFb8MgoH?=aUf*Z-N9}1^eaofL@7EQOaSY(NpgxwJZphzOxnS*x6
z?+7S5w+epVuJ)8FlVgaXykw2UlkD9R0aDLPF;9R@05D*IV&6rYojYndx~QK!1N&s7
zF|`MLgiMmgJP%>Ea3k#o;ayQoZN>=NUaaR^H~hor4XM0GN(@C<i?!^kbfFdADqrIU
z3>;2f6G)%q^RFDQEWXYkX%v4S$28+E6;o12)@!`knoa%B8?AzWw%%cQ-=EpB5w!aF
z(C$r7M>?PipAP8B9G@JrSd{>F$tJs@;hwp-0L;MH%oVZ~;JMd|dDzUab9IBZ_GHA8
z$k>x_xwgct_3q$C_Fa!cg{H{}cd>T#@~GGxUI;nxnZXJ}6-@e&lg_m?GSrK%7&UL6
z{>2vdiuGVwdnfG+#r85iJkWIMQyH0;4;PNeR&P6Ft_10hcSnMlWx}l@9jlC;yz+au
ze~di9qy^X32wmpm*L-2T3>x2a5Qx`5|H|Bc*(sBjuKo1vh)DzGUtdI$BEA4`d@-05
zliZLsO+s4{!ARK}c%n}=$|m0Rwo>Aa2a;4bft-Btjj|52&eybZr!fhzKYtt8LHNVu
zn}Wvv4PuMrpgdozJu><<_4&jz0W^7LwWIx%^%8!!(_A<iznV}bPh%<8q69L$MoE8p
zYa+qe=e{(xNWzmHb}vwek-72t6jml0Ui-=`DAQt6&NOli&0+MlN!fW;;M<?3b`&@;
zP!98;4-hM*;SR}A3}AHw3OGC#z#KEJpm;wLfr9e9KW+`S%T^yqWuUd&)7Y1F+TdCm
zL2Ii$iATbSCW0CaMYG7$CXOijh^-U!QJXYLo+MyPBJh*v%a>j+1D^tW3W^RKnU9hz
zW_|(um~Y(aF&!ZQrV{YQB?>~iq%efk_Yi`+04hqMm2R8kK$j{!Gje5HzWvhE$I1YP
zCSx0z(dpqDb|gd50E;CeFsEgFbx)%r_T8c!@JGBH`RdI~k|_Vo!}at^nGgM`ppA5l
zB<`bseuFtdv{#@0$SL`x1%zJp;YOABC%yO2Fm&CV@CjU(eKDuX$^<KX^naVcF7+jI
zqegrLda&+E)m*gosQfK`tP_6`N6O$S-7dpQoCww?3qQjmh=(s4iZzp#M}v5AL&!&t
z@Hb~FUWa0KyPgJ@1{(Cq=@RH4wW8{zamew{ikAK&shM8F-$M4mRjbg1G-_0rdl&v{
z5C|f&I?7i@g7#x+J^oi#KkSHbqdp5NUf18n<(ENNRjsb1{M#UU;qv0ApbTMA1fslx
z(bS0OR-vAs8?UITRiD0&OFqsNp|FmTO2T%iE*E}9r4nb#%D!TO!?WWr#KYY7PR%z;
zIW4L%pNBv1_gnF~mnVrr^XX0MMFTk4PEg39gaDuV`&Z=5Qd^f78ixyGA3e_Eo;mbQ
zkTv`)l8J}+try<@Egyk1Fu^24FyOypm*FKQwJ)HU&cJ$PUNc)M&@sinV^JECL7U_6
zOB@O4AU>~Bu1~L6(U2r1+DiaX>aASer=ll5nn69Weve_kYgPEJ{xoZ#UudOK*eTGz
z|1C)_&rCAveV*|?IgRrm6PuA$`x489QJb~6LG33JYpQqeOTpjvIt^&DXfVfvA-K-c
zr0=G;av49pCfDYvu}XCgR4?Q-Zsifl(;-%2K1dIq#SPAJ?lPIOd-2Tg309!j4deAW
zvTLllf;?)lnfbZ%EZug6`ix;!`80_F+5*0sJVWTtE2e=l@qEP93T{;4kQGN9kBT4j
z#A0$hVd1nzp;i{fy6=Ew_go5V)}fWrOV57!TL+9t4IBRiZrhTz!NDRq++yvFr1js;
zgO9iTuSELFyi2t453DdF1*c}Z6sQ9CUA<#}2}NG)fp3>R=->8;*t99FU$teB8SnAk
zo8pBgOhkU+@tWI!VtqR1`^DKdI;i6^8M%r}^yd1cs-uwZwv=t@_LG!X1sT!lpo0kF
zTMx@t@}aB4GRAminy)4<h+{6ppo`sgr(kkkUF_AF69AN5t~bGlFVo2TsZXa$C6ZI5
z?_mYHbC5k=Q6wVzv-vkz$ItqZTOq%6T(tQmEj8huP&GX9gVLaG4|euZ><a!D00rTN
zC0~OwJiEkRu}jRw*7lJNTEr{sA!o|Bi?yzj1|&NUQP8tUI1H;gH?@9OfBS>$*LjW&
zi*<}d;@R$p<7Yx$@043mMiQil*o$IJ{EW0SroYisuPpDN`rMg*UE898t2VL%;Mb{x
zXWwafbAHkMVPYQcDWm+z-Rjh{w9o*gjaTJ}1mp6<UqaAMM>9!?@Tr)&3Mn|1?EJK*
zb7mSD2ELX;b#@M1zk*E&B2o+O_rpXQNTS3MMGPh6!X^h$>9kPtixzG=(S7yaOoPMZ
zUP@yMzwU}s)R3nOiXHfBAgTkT1vWM^?ddH!5d@6nmwCAkeUQV-MH}M82m=Q`x05vO
ziyJi$x^ejyf<Av)ngX=Qg0qu)S(Z{ctS=^GJO%!;t1kzBGCBuJ_ZXSgjHpVJ5{_?a
z|Bn5#_nJn9n;^v)J4$++3~d@y?-Ux<`bNO(j&KX!^QD+qVrf#eWA!YZhH1r*Y2%Zp
zc;jPK2`^-2sMuw~9VHK%W?P*I)Z}S`&4|eer|s~6tr#M~B9;55Q;GZhhv!rfI7&mS
z%6rn!Mg|+aBd-J*9Ig}nqG$;BYPG=g-WD+vZ!rhO{=+3H@Odf5NQYD9xQzi+zVpvg
z3li>MR`fHroWo)mpU*qU1(ta?6dbxrNnYO(QO;gCM_UfB2lqgBwtp~|<8!I6P?m)~
zIsS>PIa{CEs+8mN(-7v+0ZbsHH*t>-+cr850f1IkKj}@8!v@|C&elbBI_PMXA0o1c
z<!tIEY{{aiX*o|3ldo#+sh3w_<XVLo&t3?*K9$=ErN}-+FRy4|Q!r!SdK=yCq2s9_
zbQUGP;AEylr&!P9fT}|3ISL#n3Zk^?iHMNHSROrE%Ef2?e>Q^1FBVWz=~%CiRLqXy
zdDXf8ks5;`0h#ah5U5oB%vMMf6t8$GH>OY}Wj|D~j1wE+;3nm;mj!I<zW>2R9A_^6
zegZ{ed_wZ%<KX*u<6A9yzmT6F5z!qdAot)TDSP1!c%XSYTfD)G&qwgr1RcUy4<iP;
zkcu`p%js&8mpIB&zsIA>rj?y8wmyZ)#UeZnHZv{ONM5hKz?q_x8s4jw#e9mC`onhJ
zD6R@i`=gbUH;-AlxkM`aKuobZJ|zddg0O>3D>e%U4q)Gtdf}y|1EtX?pdq9Tc)TOp
zAw7;P5`NN}q)AM@#)vU?Z<{vT6YUMj_6yE%nLV5hzM!Cvz>g>?$ZUjsSA3^j_;gxr
zRJm1e4;Nwm{D>w3^$osB_md~z`)Ku$WrCE2Dbo~J#VM=+Jg&36ObV0bu!@q|Qwx8d
zxQkf8^>nFhA>(C5^0onFE|n<sd1emqjRe6cU-Ec9C`u4C4g2DJ*^;<{k9%)_*gVqk
zB;kD`^m%Qa27q4xhIuVrAHBk<m>JWW?JBm-wPjxQkvY8-dxnHxYJY4RXFt>sGk`PS
zDA3nkgP@tbHPxa*73f)>KPcv*!WW;}5m<w8*h(*B0u#*VrTs6V1_k#;5%7M(#<`gF
zv<Nx!Y-%Wd_H_CGVd@*BBip)YyVFTJwr$(CZKGq`wr$&1$7aR0ZQK3Q_ulWlw?~co
zQ6o7?)!1`QtaWzXqo<%cNAJ4D+jw_|ab8t!ZNUe}=X_dbe*C0xbk?x+_}yvU%GT3<
zh5T}1Lt1NvJlN=H_NC&==3r<$=)%vyFWaMK;y%4ozAC3;8j584sg94~z>(+_RQyzk
z=W909*0a0C#*HNp?sb6)C_2u~ay{_`?4?Z&r|34D|B(*b{=f)@WXh1+>CKnw^yTfO
zpTyP0RSY^^b62k~^_E&h1_CQx$P5UgFk&S#!*o1C_%qEg_@7e26wKevCy~I>BTM3o
z`#oGtb+10&1@g67VaSw!6egkt%g`82YRIK^`QVc)nLp7InZ`z<8^)vDxY>KScIBQ2
zE72lyBhY6Ver;C9Pnzlg1>$`h50bx*wMfF(?ATH#Yv(db`Zu#?OIP}JhwFZ^nG_^e
z`5C{>GPeR*h^K39&)Zu><N|Q=qj3Z$t5K_!cCeEDCqZ>Ez!N6B)b`8N`r+HWa?j1_
z)fubDFG%j)I}h>D)5Hk;lT~nCGIC+iaqTd2plrLTu98V97O-2)CNi3ipfj<i8P0*G
z{pKerOOQCZQ~C62c<!?Q<=XYy`rK)xIqIaZj-f|Z#t~mmSh_gcJ*LbIu3HW^dJwB1
zEJqPhahX95^`jnL5S#!#%W^T7-D3Lds-qZ%@f_79IHaXXsb|5bm#HzP)nza-62cEV
zz615Y)6WiG1H<LSzIa{&>g0*dWwZZ@7$L0K%+V>8>bU8|viaDQwNA=vm7h@)|H&So
z2z^Ps$O%e%Pbvq{C8!L8TOk9mr#`N0aq^0Hve=!2sc-GMBYuNXaeFFYFhD#F(rg+&
z%;ub>vVgmQ`=9HL$-U|TL~sJgl7DpF2a)i+t-RhSeDioxeqNaZ&_g}<K542qH+l27
z?Lp`)vyY}R(nuzkM#qXEzSVTc9Zh^W<2g`St{Hw8)epzw0Opd={ntzaQdth&xfI6#
z%>r~>@6u(HzD#;mt#9&Cop4^&f3)I{8uhAn&yFAQXl|)9aP8g|n9#&d{q#J{))K5M
zRD*b)X+UkE+phEW3J>v7+af0bet%c(@3`~!OC|~U<8990pIYhQHMsy1OD-Zwvu6Z5
zHhnxP-1%SE;15*dMr>Gq2yS`O@k*gEjnRZTeE=>P$rz6jsjr5M7>!XvbcO?iy7mL`
zV7TmpGRrsZrD39R_Ndu5G+rgj?XiVl8u!x{`Jx2Yv9*7A@_+VR2Lg0?FpfTcfV}g;
z#h_biXBgd`LWPY<oKPzg8dK!;H!0Zw9=N2*cZN?OuCU2$pOw<&#Ha)f=E|8|tjFtr
zv(nqFt?};LT??iCAf<?mE*p{G@I8P;v{XwooTvv*o1ciHF9Ief7AWt%o<EQ)RV0_E
zyr$*xnXxK?%QJK&Ff?2@ah*4@WH7WO=(#hNP-K!8WM$H@2fe65sbUW}%oJBl;I~*L
zN}xY%3^DGCt0xJ4E_WG#HU2ENC^sO`IfE)|_NN3p_)Vuk7KkK)AC#Y~#z~Eoq-Nhp
z2qzt4sR2&V8fhO{h%hQ2KX!V0mo_avE~p!NBtH5jMqTNls!(E_3<QGU=;)3ePAkVw
zcw)M~!@^52F+m}=ty#H$Iijc4duR2+cn88jB+2|kp&2m}CI&NX?WJqak+?mWHyCAh
zuSMk#y5OPoB>E<6sXD`%bzwtsa8jA}jyt`uxg&FK{0owtHtvaF<}jbrDbfEW88B~;
zs?US8L;L|(Ud>6+n5U5F-+Vr{2>#r?5{+o^zxIKGoCFCBJ50sUG3__l3C3Uf)D%^>
z3xPc^)Bs+t`w^<BQDk{$WE>;|z)E2y-d~sYmYat9VVfKD-Mml-zFd^|?J3zeSnlb?
zTHlZ7Fp4Q&UMV=SuD1;p>+Y&9v3ZxxgOwxDvP2Nw4|B+z_U0}%2A0D+pX|<_=hUez
z7sHp!=C!kER4?7zzOeu-Hl^a`wZH6-pHbEw1A{|Tw>Jp+00QTmzsIO#o39i5Z|Rg}
zQ>Hb{-`{zacork2N;gp#zzOspvF9s04N!`cXiW^yOTWlWOO$g~vU^n;PqIQcOaL8O
zUI(K@MFbOX#Za*8I{{?ayBF?)-gFlnf442~9>u(hvAb3R4-1D|t7qviMn<=kln$3+
z=hScVUO=l5Nu<EPx|(XR@bMcF@C9zuw7Tpf1|&D0Py#2n@<|+HI<ELs_VpSVkx1}Y
zsRF4`OV{fO$1{&14p@DJuLTJRBLo2j!hz)pL6RE_!N|8q!!@3UVy=@aNRW{H5E=Rr
z4ETEX{4%$JspN-?PElHuh3o}$>xMJ&jHYG`BgXe_GNjUq%?nP@imEfV!PRAof`Uut
zC4Ybsdj(39KC($|x!ASwV1A`hOj?ZM+cQ3CQ-pk}Tar8f5l=bJ8gEr9ZIameNm50Q
z*2wThb2F9`OU9FvCezW$4HH%<;)4@cs)Jpzfh3DP<M1wS-7i)Llr`X#Ou0iXa5#UP
zH47Mov{a!At1}jkT&B`SR~D6{g6!ktzA_Yeh>;2t9#k0a5`^)9Q9`RqDq%H(w%$nH
zUVIR@Uuk{gX`$P{d;CcZgR9Jq-x}Ggt*L0ak~r`QJhUqOpCCOWBz`}j1^Ik8_H)!Y
ziW6N`o7U7Fjs^1mSOe#It`)MV7-<5mnwjBALBamyYBmV;#NSrT8NF_-nZE+N@fxA5
ziMBhI3)<X7Tf?!jS*~~-%5eL97s*x{-43(5xWAv@ihklDyE)U1(Oct);a;7rFM1e^
z_j;pz-(P@t-0sC~VnvaRR$aO2gX710*>qWJsq#~s<=wvBGoh8E2=cs%p!R%$oN%hq
ztq$b6TL+oUbWm#~7}<+)j5FOXc6-Yb_x?Q7gHp7h^7TChX^pMf28k~&6!sv&dGP=D
zEqV%Ed-l4H6r6(iiclEOW;WH1uYlve*jMcdN?1zPu=5!6^0O#s>Qn*;3Y35Pri!x|
z=}+yl>qe2s6=^}+eUQ%toFLr2z-gTBy!vwk!rveEz+XcuzB&FLXfd#gexRHku*ym;
zGFXc$s64eZ?%BEMOgQJ%Ab>+yn{Rb;N^iFrsVlAc{Pkpvj`gtYP&m+4fJ_2mZqICe
zR;itC_;3sSWz%PVqr(#-!38V&2X_o)(f2DobgZIE{Q4%SDiBai?&4p(goUATp`;p(
zBOOqVXzx9}w+_;X;bS_`UD(je<jAom?apE8&OznguI$pUbQdVJm`Ti-9|3neI>x+1
z(xLA`<Bh%0bj*>;EI&Y($j0Qv(Wsrn<j<EB(w=P}CZ%_*HLJ>iI>n6?@5xV>rYe(p
z1MbAZ0{>NUC9qnL?Vx_Frb~0IO0BL*t!m7lSO&tA=V>4(mP^Qe3tgcYwPfjJDyrY!
zM^8a4(U!@4wC#k0hTaGS(MGXQB~fc&5Mgmhs3tR?YNrD0Plt=27uP*xV&A&Dnen3t
ziBYoi3InCmL@+ojCaO>!IFc&N7!T=qlTX`tqjc>eN}FzVkPPQ+B06FU{!ft-<l}tp
zl^0r)<>qcF7u85nTr=XO+=%`MB3?JQNCVPxDjlSwxDX9-7C4g0Y&*BlL3u3I>xUYa
zyR!B(Q7QK5?JtYZ?y+bz7|sUEJ+I<YNe=ve*u2;A$2%+;C4scrX?j*eH}>T&!%fG>
zAl^{oXv7Np{&7BrY~w-3Z|l<<Yi-f(y$&Xsy3FUj#Y8tuRR>#mX*=)dntC^l^3y9o
zR>{@-2(Fs)<<YCk^R)U^Chlg$7ngf(>N<4lP?M4C`6If`8iRbN*$3@lqB}Z40`vU|
zvD4IuHCDX+<{RfJNZ7w|njw6ke^|Wi%*~8%i_vs^7<`7X>d--7h><x{k%0q&=d&N4
z?jt$pjw6&LiC%nGNNPnnszP<J(uS=&vD^5pIH~z%eD_?3CY%HoYvC@qGcNh{<)`=%
zM7fKBuuZ(|*6R2vG5PM}`PhQCZta^`T=SC@16{sKS~KgKr@3M@CyQ~7t=2e50U}R(
zOyY`1;lQz>Z}4ffS}R%aC^5J@$9Y>8qhd6;;1XS=BsOAtwVqTMIx09u6j}xp8|${6
zb<e@MTgpt>FAb3|OBk&Zkxdh^`L|V<G0EaExtF+YFB%~f3<q{VC&#O$d_VJTPLAGz
zkyirmr7*H1iBo914FOPr99EF+K~<bzzuUw^o6{gCHbg4$cgE%G0RSQ)N%Yv)*Msa~
z%Ilmctk}qJ*r@zaV?F1y<rZ(HvbBgaRpiFGc|Hfm#m}wT+Pel%Nie}0GOvara%^0y
z)G=x>cJrT%#-v5cL9h)s@`FRro)cS;IHmQT%qC@bo!5K%WbpcN+D@J@+v;QxUzKq<
ziLBrReC4He_z^RvR1u$AW%qW7<YFbwthMvMehfXP1aa>qs_0+2=qw$N>)Bnj<4TtU
z>*jq#77&1w!BW`r=kqYwdOP4}MaQe+0^la#iaC0bVxKmAWObR1gc2-KaeuoPVq*hE
z*76K5tLsrsTEg|B5!|^`v#@n!|AZ7Xg1DxeegxA-CSD?q>%s6RxAsF8al13}^Mu9T
zGJO;&&Y7Xv50jBiFJc{cBQ)tb*JnQ%7VApdWGE=tchk3TLHa!=ymRBM-74LRL{P-E
zT@1sQox-bYR-bQSIvSePzYPRIR<grp5=*=J6@~t<HdPbAPosK6qToRYvqJlAXc^xS
z$_Qa0ubKjeOP-;m|0u5-jT%q;bM6DDxGYXGy%6EB5@LlG083m{ZtoE&P-V&j73H{&
zm&8Q>2L_V0FtD7`wgYYnQK>Wb10d;XYZ@;=EHt;BoP^$GZ^GG$?Vt$5#dUe}xGB!V
zCO7Z^(gu2#T+(`!j75n`Y|=@f3$~EPz--2=4#no$F`lQW91KXD)=%e%@X)W+i2o%n
zi#0ZHJOCxw&%|`FO4l>(2=xO>IwJx6b|%a>!30|-$Az79TfTbSka;C}DE|^I!ov#X
zVL)x#YRWC{(GrfCp9n6V?w336TW?Y{8Z>jB4Tc0#9hH?k@1KGj&jT1cEq=MR4-Cdm
z{F~)-51Q(r#PS~nTJkf-h(Z6f0m%*Z84L}nT8O$Jq0<{cv#?3Du~9a%NH(%iMuhfA
zkAF&lm9>o`I5u$OFRez$&G-reuw-%`j&T(>@V~WI_MRf!EmlQ0)E*6Sa25(BEvlLe
zgjVa<#fMQ2X2jL`!ak`iyX5-si97xptVh$d5wEjXx0G4u{<15!vOz99RPq#%Qi=v=
z)Z$-$p1A~G>%ZLz|4mSkXR4cS)R1SJF=z7jfc6jrCqS!Z`|cf*5Gfo#r=1mm+7)ZX
z2IGE|h0y)hPeiY|_g5CQ6@J!j9-H<wtc8pm30`(_PAqjVYCX|oiC*_X7G(15)q1-5
zhv1r5X_n#y$E*5q40U}Vw{aw?#aA&drrRfXym`khrZ*HeHhM!3o!Lm;zG5O8&XUM-
zFNnMRsN1j7cJsblMXO64Y7%W%>#FSHbKDh5y5OYUZu7VCD#-G<D!W1|<G|<jz62_f
zQB`Xr>Q#(+ij^q0T9k=NE<}Z}2akw$d~XA7B4+(Xrz;GEoyOK$iu!MtU4Ii^A-?8$
ze~d>!f=auD-5@S{>-|r^9$9MTpu9Lay>!$eI|9$BwOHP{Y)yLf8plc^GiBbPJxz3r
zy*a#U8%$Y?IED52D6~W8vtN%Lh_a1wP|Mj@JsrE7*#R<Q9bj<0+?*cpS>F_}xO_#)
znirH{vo9Y1<IU9@$B4{?m%!BemW<_MH9nizTK5!~I9i1e7>`%_0Tzb4hy|6mz28a^
zBCC9Y>BvWMqi<)E2|bojsh<8tee}@8)><{1d&XqRf-+eS>~51g`|KeCX2qpk2`U2P
z@ta?}*1)kz!-utbN{cXX05;W)TfphlUhj+K346=K2%6Yg`(`H)fDuYaf}g+7fg3j!
z4aB~X(dBrb%PEvWlrNyGh8qbiBuVWH2LIE6q=9;4TS&tuk7GKLYHOGJD=FHj+c>K)
zkidnjNDDdU5aXrDRK+@#J(dE1Gs}Mw;Mx~YeHnR4T_0af#8^e~EM`i?N=;;w5rMZh
z-7|9hLM4>pbk_v&GKH718?OV1mtV4Je*6azW}_JEUF?I0QDMPuV@rZ?Vvks*w~Ot>
zw}WtkA<}0Fp0CwR)Y5Tq2>(@8k7yhx*MkN6zHgUrDu|j*i!PW_8;7Jd(eR-0Hd{;M
z$<z-vUt0DPHsRd8M2x0{Lx2OL#pUglD|?Gwq6q72qaU?AF|M>N(IN?CuhI8y=K_YJ
z#J#US7TXMDwo*E39Rl}Au~4Y%-F9!HgZ2Lk+xjcMplX_klAPnpGb(r>?}rTeO^+He
zi-<u*S!Wg`$<O;&V4HV0f5+8*-kei&vgGp(-QB?)sPFM1KFfpDm}jD42Y289Y%zX7
z!L(Yg#_r7gY^Sk1H_d~)71+!>2O**g$Uci~x&`Xx>k3B&TY$9B+7<uLJVxRBDJ+=e
zAH$1<<()8<P&0s^75}+HMr{`>v^QcZvYc%|;vtf&2HmIp?kycFHUw2qp787>WUWK1
zgGZ+FgF=Rldj`FkHoPSrKp&R4?do5Ssqi2$AY3uVt$RHa$909BIdDfDmfFkR%yjcY
zU1d1OieuowUQPSF{mZZ0i>voKFg;akF=Kl!BV)ORVPpD$f!OgmujgrDpbfW_Cz^6L
zl?W=z4U0$p@OXtHoAg_hu(qA`TC8#ZC{fwKyR4FX_WryZv2*6B0~!W&@m9e|U~fGL
zeKKuygQa|A^7{GH4QZB~m_Hx(^0VK-)54hxy|FY>9X0gW;-_A93SDIwe)It3KC!+S
z0gumQ?8%g=GP@!lc)>`a3_~8lQn*p?bgk^4+^Hb`96$UV31Jx@7$%}BY7)q=D(<XF
zbzEm^)^*=53_+#}l2mRl<|o2cjfLV+H&qdhK*gnNuQy#{({r?s9wJfnxRE}u-pDl>
zykM716Rw?t#-Pks)1(}>nfBXzf+xB+&lmPlY1ya6AD7H!JGjyAay_%F%(S|KJLe;$
z{QaU6!C>!u8>ofqVC&N*6!yiR*PNsOLdF-prD_D9cY|zKt-an54NMM(Z(sXoz@j^2
zpotmByEMvZ>~xC+jOg$9YCs5uqs!XgK2#bgw>2P|v*Ui2Ob=}9LxwSfbqQ5X1OU{;
z%h@+jIJMzo@;tP3#wko;)ax(>>+snDI9;&Aaj(T5YkP#&k_{s!l~GY|BbwZcX<|i^
z)bTb7{CHD_TAGt})=p8oz4QRl(4@-tE{|ADe$^jYYrlQJZ7vuvz*xh%Fdn@9(yEXF
zIDd{-yl-E8J$N?;ytYic^>L+Ba$^#;NX%zcxTVGQm*fQ~3Jq(w<?MlWlVx0J{EXfc
zXc{8^6|KMuc0Y!~alFZ<nWMC32~z5<IXEQ5#PbkhX+6O52=dcsS<;@*g?^Cd?E~+R
zmH*P1!$W2rE;3df@_sQ$%<>f=?x`{Qz~m@IBsp=5Zb1Mlw-y^zo>5WkBuIx5U&}oW
z>S#3acY%>Y2=up{-M`b+e7UcpCOXVLcHz3ZTf7wC<c=-b4Nh&FJY+_{+?XBjo2-Bx
z50Xom%%;8Zl1Jp&M-~Xlvrtp4lPDJHLaM(qP2&~~k6aoZ&uAdgTr^&8qmkCUd*}24
zko<_wuD0J-3S#`&{5@=#R$ItAc{>1OK%Bp5mrNTux8Qw8u+59X8;d0AUrwo1*HVEc
zG$*`=nguIB>?nmi?2+A32&^UZryvj(e?IV!Qb=f?AeSCoOxctXLp5TIMdPh~mg@zR
zu?6dTj9n*KUSMpwrpM>EbP74yfukBmA~52l@Z8h!7J*$mWNjz6Uc)Z9S>9ttHY7T_
z;~C!LJvRxmZ^SLs$4zR>77e+8{N}Yjrr&93)%B^L*5QLnH_uw<Q{?zWVDpUVIbiH-
zNA~xHl4VSLQ0mPjy+h34?(LX9Gy?eK$RNliix&E3hI2#AIW`OM=PSAg0o+C;x2N=|
z53B2q%*>=kCklN#1u#AyHN)Grubb+f1Vcx>Sw)Np0{@w@YD9dZzvutpdaC7DP3+c*
zu9{j+d*BDz+jZPohiN7B{>=|;=sru8fH`%s_RiTuk|+_lo_|?v+}iub@Y39k=}P}X
zyPg)bs?<>Lrrq=G1~_mA{|&8P6%cdYEPs@U@$9Ev^h3owTdrj8eqJ@rJL#m1`Co7b
zpIo`9x3i1{!2Vu9mDK9J;}m7H%O9;bvcvKDUDvSxRf-+9`O+?}GfHyK2^3A_a}%!t
zO8}Eh0$FEfDob9cw$T_DsBI;Xtyg!<oc89I@}&$EzHboGQ*yohKicfUXY0-|EoGFr
zL?mh2img-X3;50dt<ILVT)nO%gExYFgc)>ZGMZ?t>|;d4NEJK@MmcneXl)`iMsd>V
zrVXk5C<+RdWPlK`r0Y1D)O`h#LoDj>>mU4e7z*}4hSYyZ;TeaCq!ApBDOxl6#3&Zz
zq~(@$LdtN0g~o~C=g1R(==}MW=<+0s046Ruv^(a~WVaMt%nt7@^QioC2H3-5Qx^~u
zBbB~fnIGV8-lwrklw#-TAXnwX12Z{H{mzVUjn0u=#=%J?*w3&4;Yk~N&Z)8c@c|+O
z%VugiKou25sc5O5qxa%J&;bFR7n{j*^>@4Pm1Jq;wUyIcUDm2MGEIgH+o3oCjIrsN
zw!pr>=no6=<f@@0O5|}+ha`^rD+tR`1wA*8oMUcatSQkO%xM*yf|qfy)9md2Y?Ziq
z9YjkP;mS)W4<jlo)IpSTL}1>*OH#r{I7yVDDAG;wc-I%eFH^CgSNFakH!tVohF=O@
zX`n>y#!x61f0uANq=!aS0M8P7Kb1iu|K-Y*d*v^x+im|#>hR;FJEK^{CS@XDCxaL=
ziHv|~v~gzw3^FZ|pNfT5K&*}m?8n2T_y9A>Eq+Ke2NsV`mUHlaJt*c9iCQ<wj2ssj
zka!)Ht+{~M_~J<6g9XmJ1UNvpwWGUze1wrEcen0xJzoE=*s%Y{9}zKdQrY%*Bh|Q1
zNS<`iGgac2r);JRXcF50F!0$~rUXpe$u*S5NJE(naNG7vt{C#tiM*23@p8)S7cIYk
zT;+Nd!#r{PSd)?h{yTR*L!YzORNQ){DGg1iv*p>)gXuGwAc1b_Q5luJ`3f%wh~eyb
zo+abQdzp0kJ3j0UJpZM>V{)+bV_{p5vY~X}%)P#lfqT1W@)I2!dbyr`;$zFIsy(+z
z3x(@#9qwqVy;3)4zxO8w+ZQyVk3!h&%17&qz?--i)m8thnb!z-p66OVi;6)X?uCtM
z@_HAau&f#=zeKL*51FR*^wvWsT6n&1SiFXKy2N0_Rc0BB^AE_5Dj%_sFBE!YX03i}
z|AmO-+dutp;zd`KDSst2iCYYHos2jl=OELm-+~E*RSP;N(;&!ET0kWE3Ji*Z9Rv=O
zP}P&)1(OQayml1XYavnaOMA-61UdE*C1hp*S}^#@$T{(mNe5t!?Spok_}3T32cW40
z4P5*7V6R~AKJ&N~Bvu{hyWCwko2$kqR>KH@&v`VqX>p~eS@*w9ui@-%QcqZFXMjL^
z%1X6!cJOJ<Lgsxhu5QDVk_1#g2xwW!ZStPqZhiu_!=~7B`4#tuZvtzw8ZOr|FxOyH
zAd~K2k5GupD6`uwre*(brjA06*sat_{`D{moHkEd1KVRqy!YZe;@LA$h`>2?cgm!j
zX%8kng2|XCkxn8`3dLX+pfro8dG;%G(0Cn<UNVbB|J5<9C2uQ}vHyWcZ-RT*-M$T~
zT?<*Mf<j~DE{Tv3DsgV$A&E`i2}DM@vzZ71S~^R@>h%^$f{cE+Fp(`@g2Ij{gMQf9
zvED2|>hM%R9BwfaKN?R?*W;L@oR%nWv)du+h*C9lPohw1S2CaEF%>$$V$_I#%NOwS
zJ%`Z?2Q~QPBt?z!7yn<dM1XL!P)iT}CLCZ=W>Vp*p5ic`E`tb9LdPdclY1+#*)sT(
zM<FW9F*l=|b%D}cDO;;&<?nd9nqxARk|@E*EfUru!%=0h2#*CA`my;@+P5i)?5T^;
zz+}CVxIIa2mhRB-XFZ$k;x?t(Brw*gV%PIATZ$;~zX=Gf-s#w>$t(jYDbRH<)$|&#
z#<INj7Bwh0y(6?AKXA^Lh@Ur~G)`qs1MH2s{=AbNNDQNPPY)dNcwC6P$N`+YKPT95
zy_JfK2LDb)n3<LFCa*M<^iBD&M_2a>@>&`^q@THjd%jRgdp7Zx3}4qyF|LJ>BPr3p
zt9C2sQl({PB1n2RSx?yhalwcnp0dO(?A|ikcqM}UQ(JI}w)RBKsf)9_oyXAGN&k5_
zVm%8T{ryjqMZE5Uem#yyOU43af>Vu8&^I9S!M&gn3T0j*Y{rw(!5WKrBDnZo&!lkF
z_;7Sbqna97qW_xbUm}-80%y?NR|tU>T7%)S(w%YCdRS<r|4T_blbFpU)*C<gIFJzq
z+4JR{5(Wt^G1rS95T!-v@5%9%?J8D+1}a*^YPNFk(i<!eo~!o5Ce0P>>QJ~7St27R
zhNjK^=zuhU>E2@Q1Bl*<<yH_6sa{$hH8n~%MElx#^>V(Eyo`w=N+JDVf@YzTb(kt9
zabGi#xCR?=jGRJB{+?W9kl|hh-2Qp$20%RLQP}V71bGeN{`R%gI9Uu^4FrP^*WZP;
zkVo-<#wfEn=J%c4!3g*ln=u_hEmBF=x|_utLGrNEz%C_3M!rQxf_^<i#ehUcf*?uk
zATKTWI*t~STTIUyPA4k!o+R>f6eY-D6vjJTS+=Mb8m=<$yWb)#g;x7nRlvZLD{Cz!
zdgN;;@A8)skSPm{8X-?9RhM?_x*5_7Qj`hBNokO(B8sNlgG#d}6jvhPmPZfR0qa?z
zVv>A$jHSbOFMMF7atcrisBc7dsR*{!OC#Iv@eN1ZlTRL*CwIrVxBPS)H8X2gb+v27
z1snNAD?Ln1v*N^_6BN#|l0mU$1domqU-fBr*`>7aW-i<Q=%m(DJW_L!_)GIRPXx#<
zB_KuUNw>_15i`${7hFDRF2H-XG>?b0QzA(KL8~=TOqN`U&CM~tT_x<1YJa|~`1S7m
z(g1r|=SE*8!2fUFABfGfaCFL>gC9=pvc0BE&yJm}*AQ@5fCPb`(?!~!(w%9+#=_}7
zuydfQ>;w4NGTT|yJd<sE>)Jn19b$9;J?gKM0l={$RW{*==viwIfB$?+7(nER;awfd
z7k+>S1<10Ud)fu|q<B8HQ$uGF9KC9Nxm~G7ikH`=^yho-hr#$>{FsZsA<hq;w-qei
z7kjTdLr;cn056WA<@iz48pHaZtftq!;qvVjY*aRfA-%zHqBWeea!!~O1f92jG@H*W
z;FaIKK0GVZHnLuRrnbYKZQmH2Li&Y6JQn~gPVV;L=VxkO6n=H_W3E-Qg`6pP)?T+N
zm;aK5Cj#96AH@(`B(zPUjaKZm;O`m1Hme9^%c%V>l!{arQV7cXRgWN74lG7K1HB*`
zFP`3DA1}27;xE9SyBqxVqGOb!Rx5X<TPhT6P@xtyx$ge`G}FPo*boge_qW$zES)vx
zfzJeCqS{>U$uCTpjGYesI1oXS`0lg8J-Oy_tF!?(H^0(B(QkEDUzm{61q+3Jp1!QN
z7Bv_h!S2wz)7j}3Ut0(Ezgd7s9LhZqfh1^JX}hB#DvOlj!y=#WN;!buJtLUx(rK68
zjL#2$>kMeh_)6{U{LWsAQg<<M1&Kf<#8t(V{)ox3vNLVNB>0plU&x}^9r&EQI^Vhx
z-?|&$UFE=N%b~)m!Q85md~%c7ct%re22(2r%(kCABVu{^(^{(AZU}$!rCA+~u_&6H
zC!W@o$X#0r$dUyiK=|{J6v)8C2UpF=Gf%#?My6K9jiED{BpC<|T9Nk>WzAa9P$_5g
zEM2JrkP|8GIod|)m}kQ<Q7O1&XIZ!HUMm434K#v;jB)BWE&Mhm6iT|kdx|?3G8@TQ
zr~?y~;oFPNh!V<ugqD(e9IiwAze+tQP3e(7fQhA2yxz!QHyucL0Uk+`@hPpk)#H>~
z6`v?1y6taQ+z<ajEyCUEvXyXR)TmDVNeY|u<T|BUSv0h|cgP9+@<S;&x%gO(@xLkw
zPrl>xr+N6yW?#Gn3dg-PNjTzERPs9(=i&7z<sPu#e#VyNZqphDB*|5$?rw8Ung6|L
zbpc+d7D`90Lt@t*4W;Uk+jH;h2Zll)?kC&GnholRF?9CwqKv3$09dJ)k@stZ9hCN-
z-%ky-=B6$@hkMtg6dkNVSfZ`=?jY)nvj}37sa8uLYcv4(%g~Z$wIr3>;|l(5knfZi
z4M4SPeikp7avLxO!@zWIH&)EV`_AvN0V1nM=5}Dx@A<o3%p>DVMr}w+Dt_z@?~zh+
zy}kD|g2bMXDn6joY`W5ljX<MODa9eIGSa6bL~Z&0m#EW}no{K4<cpFK2N#bHH;A7V
zYr|C2qS3lHZo-KTD%lKMwvqiCx>J4^W7kg4&Nec8MKWS7RLc%)t%u5znkC9g&3NlZ
z!_VCXPRz2^zyewzjgLGdvbqZwU+BuCsJXx}z6t}vz<}gH^xV62W~myUe0_nAY<qtR
zpy%OHAVP{aT;E<)MrWy+jE%%JO%JcGr~cc`)KtA9FAX^Z=i$-%JMIn&;9|-pwy*;P
zL%CQE>&y}|q<oe7b8d~po-hc(0*U)CvrpVf&r&H?=dB!nu53A>NW7Kz4PW?zf!R)Q
z5LsH=<kThw*0AQti9AX0;1KNzJqrvC8`8D|PI_{kEs4q0oWXQNCJc*Yg8fH@3{`4%
z1q^h*+~8hYb>3Mn=IK*gUj8}{IZdoPn7l)<>nT&EmmyOkrw}-S#zttN#g2QtCp}RP
zY#LRd)S(~=4Tnz<AHf38crmoSdVrQnN!4KCKR4kJq-An455N*7)#si{5I>%-I&v*e
zu*p#%_m(-}luWv1@|?+$g`OxpBpXNk?YdLP)ai$DQ-(w&nuBQ9QNao1TVRwWBE%JU
zv5EkGJmOT=Ud0OLm3BFBu1T@jNY$HZ?}kU7Q(h`A4Hr5hj11B1luWswzt#?f&6SgW
zL404axn$)x4-X~kZew8VlsAQ-!~c}g``Y$fyzaZb|Hm8Uz2h3!yDeqwS?IRsQ5J&F
zvtYKG)?VIEP4%|lU9tGY?<YRD?-x}-E0uqn^T+3vv{GNL!g7ngZ&|G;nVP)IL058P
zuZ1r0eOGnwd__C2b7ObJ>cSAya%}Ai>1D$LabWK+WlZi8KQtRmZ8Gq_y|4wtz<$<7
zF<T&f37mViBvf4td@$mzH)~8ymL=4%$!sUrCX!^&JIpHR!T7KGh0E>W=gG63?NRS}
zc4p-i6Q`wmy*|kwja^e~DxX<`dquK<M{-ucEv)1H0Aw2lRyo#Mh)QHMm)_Oo4a<uJ
zC8c8bgP+BEHm<Xatm@yq%*Tkrx<_s2PyN%TjlELH;-%(-^2UPOZKMc%A|sw3pD#UH
zZHyh;GTM)Lv7=1h)6J<6tQhDaa4b4>abE%f@W6T!S=poNmZuLrmlz<0CsUEO?W_4W
zt~*D`xw7&K59f=<B@LQvxZ`wth4I3Kepp~c;u!l*RwA6J>9}x&EPfwBJfa}?dF0(u
z2;8XMdxZr+4XYDrCD=)zIG4LoiW6&_5QQ_}1bcfSxA7@a6&Uzf%ki)K@zRMLo-dfi
z5qw*EByG7$)=|+~^GuSW?BKJ%R!e(wK4i0R3kUsOBE48MT<<QQUWnYwkksDa0p$V+
zf{JRj+{iEi_#s4-(mSfPk_}E&Fj8fwv``>kBZA~~hKzZ7w~YSMzNd3kW1^kB4FXT5
z3Pp@E8~z3aP7wPHB$OK+7Thy~1+A?p5TJvK#w0DwV%8QuH{1AHR4s%`8w&-~nu%l2
z&U{SAwkuzil|#5VW6V$iDC`CpI_oBO(Il95{?=F&P97?PLs)?`!njOu5K7ObnbvZL
z<cl#)b&4ZGm<dHIZze{VF~%x#ZZy3QU5@U#oBHgAmp?dAQ36Dos}dDg8$;fL5C=yd
zc-p`CYSH}Sx-wY1#hkdgNfmKP$@AuzH<B%xslTsB7Z59F7B3=!d$=MWQ=kb=yN{1N
z@{GoEVY44Ucs489-1}aq7WmQttwI&n;Hnqtnh-y1ELNt4d*C1xAwny;=RgbM>D8yV
z)J36-V+R&Uly5<$iDj^nP6T-<JoOeG3pC2iUqleAfI!d0K#onh_{tm|`C|F;dmJ^y
z92ltHEGz0valMv>o)D0jXnRbV;lfMBn0z<mH1c2(zg|bb@cWGD-?gusBY?kMlmb9U
zb5w6+=%u~1v02%`58R*fnY=rRX4uG*XR*4pL@zmci(k^o*^Zzszkd*3sc%h?Dt;+^
z>+v0Hn2M1v173GBNp8QiqycvQdm9Yk`IIuF)uDi^t*HG3O$D66jpw~qhy;754$!6v
z!Jyfk^n9mFQmfAqV|}9E>wg$0-|npH`VnPEz`^w{$2ykGf+`7vU41hvN%;Kt9xcZ@
zYlzACk{rxJ73BBh5bSj~QO&uvlu@2;H}_b^A2gK7q|3Lqx?@jo7cQi(cQyuU$wLV-
zj|B@_x-!K1qp0z{0#WIhv61NG>H4&xiSaw}f^|4W%#@g<ECETS`2Vaw<;&K&SQuUD
zp;H6WtBNFXW|OX<0`asS5`}yS%mj|b`D%41HU8YH&#?mfTKqeNV8B7{k;$c~uqB8j
zC$5GfG)WOVuKwZJa&=yYUe#+%iN|q~qBN~QZnoox6IO)hY)apLS<7bTY%PwB22G4z
z&;-HBIsCv9t-U%!SbID`M^mKCKe|_2Z!6AXj!;lbj%E)CWstktIMPj8X)4JbK$a%V
zU}`b4N`|gzKy}g@PgEfOb+yCb0i(>ueGX*a_prKxB3T{A=#v~|W-1*N6)Z=8k{+5#
zX>U5pE|1E^RMqH_uYj1zwP&l}bFlB*-&4!El9B)YLOnpeQ~uRM>eVBEJPkR^eyd+8
zP9cngKezg)AA-0)A2^XtuJ@AbqKGyJ89jiGDH1F-xVRcqD=s>VG6)U<5V!0UA|`k>
z!>p`htu8^-f+3(;MS_+ChK7EJj;@$Rg&5?kK>j>rmn?O9??_%EX45Qg6T`3iHYhwL
ziEl)RBe}icp^#r}uPP<{%{2H(JUYvk-L`P34)M}(KfTy&Jj1HqGH!5I7{zLi3@HUc
z*;N-lv@L;H*(EUZtxKuGzw^!F{4;;_xJ99fV-4C`En&M&*$&|-(-#t-JZZ4d*EAg?
zO)2mgiHCPkp{EHO+1W>@-wtF%C@^D*wB_b?Ka$5sq0g_M<;qiyC<T@dYS~sWT$7ck
zgqk2I@So-B!tOMB@U^SSRe`*1Rg*cpQmokzD;I!ky3+T~3RsqO3~r_cv8ho<l_>pD
zb#adN#Y2cCsk}danT*j-#Sya5cE<PL0sr}Ia9*skxJ)lq0{+{YKAEGDOwr)FKRcvX
z7ZB6&Ap~4%Be%6nWxM8=6rCMh_@KBxZ2+A(29n}jnUN=ZzT1WIb|(>9pKv{z!ro~*
z#-6WhA3iJrW}KEg%0h}H(<6v~!YaGn9Kd_(UiZ+psdrbuxIG@X0RFs8d~5BP3dWp!
zzuodkk3I<UUHYW!Ym$Zd-HiFZwD)oUFf`qTMKih?DLiDZEk{ZmnQV2d98;P%lOruv
zh6<c(>Jf=#^{s6VW#xH+av2Kz?|PxxdGWug7i_%b6B~fyP@FN7eT5_^SK+!{5U~*p
zjQ%Y?o9>+%2N&<TP@wh@2MrLNCBkMk;R-u(_tzgRI0wdC2!C?y!^37ZMhddW_lr%m
z;5pFn#T9Fu)mai7BqXXjBpBOHozQKHs=c$tDIChgiO8`$?>sN1Bu{!)Z~%#>w8iS}
z-6Q6C$?s8{5f(I9c_(_ZJT|;pUsP{U#MixD>8j~@oPtE6<T1sFI3j7eXrrP;EjB(U
zi&ePL<c$UH`tnn3w!cSvYbr7^>|+(e5F0$GP-tt_n3f1oqNKvn;zFb0<@-eXZ*qZQ
zi9N^fpDC1qqO%>@oL3JAe8-*xV=5sn(?J`)aFc;;^jV2^cQi1WG5x_}cD{rs*B7eW
z4dv<dAuu7fBwr1`S4pRjvE`kaoLEZWB>Jn}zP>|iDK&DWUSGB5T^p>{3VDu+<1&F3
z7%BYw*FJp?3}4`IF%cn{-Y}Y0MHPDWkalk`S=`!fi?>(ys@8ku#zz&DU}N64zm^O!
zAk`KDtc&xPl&l$^<fBn051d?dbzHg492=Rnuo66=RYZ8g$mH0q)HRQO_Op2B0$(Fb
zQZH6X)7d<(uo>{m34~fzeEd@9I7#FwV*70_eLWHlk#kx7ixYve*lrG5oTXB7^0<K<
z`1~b*=%;1`l7zpSl)+vUxwTG8W;`Dv!awVF!{jL&!sp!pM|;V2+s`?<In)ja4fn}y
zXV7kFh-<M%_I57kccYdX6U*V<`klc(372&j`9zG*`r>V-`O+nX&AXnz7%<MK6RKn~
zlZ*QP-S;Uj&M&RUO>%ZLVNlN{dwWZ1;Q3NCk;yKPv#~CnA9kh;_PmGd;Mr6lB^uJ3
z5c4#>S?D4!@w~=M^1L0O-x*LC(zSW$go5j(v`=euSWA@!z`e4fPClo&X<rfz6LMtX
zUhls(n&6a_$*y-hUEv=^?(KAGcDRD&NZ;JNBbw@B8}<`KHhvO)nF5$3Oq5zJMn@+X
zk`iHuk!dSNHl<tBhMqx!LQ)`5TA|+u$Ep3xB&djB{MG03<z)<NV@fkhDvs`yH${Q^
z6NI{tV1+%?j;jhJCtp7fmM5_sp^R&neXW-}ac%Sa0(idyr)f@&x-vl;ji^S>2W(!|
zr2TtQy6l89x^OyZm|CFWx+!`YGu!2LN>%?kSEi^$>KdkMAE2)c61OXM*_n>qU93!>
z?+Kgy=ERR+Fg&EXx6MfXvb8KiU0V^;rg8U~FACQAVC79293KyUPQ9C<zsh3m<fP?2
zh{P|}wTlRhD7yxWGkYu4(I4>#%g-1UcIP&hm7g<P*hVjXz?3K?W>Z3^G%ybijro~c
zs`lr<C*l%VL}gbZBeSAdB1D)Er^3m53wTE})#=B5di8IEEe0To{A%3E-`nWyX)u1x
zgTT+tlLW=tIJi~~z#%6c{FL%0NrKCVkI?Z>nK<BbsUj&|G1;4U#HL8{)#CZ(I&We+
zZ(ul|gJeD*MdYPT;?+sg@Fr#akbdu|y-L3O7BA6w!)0PnJbAH}N)xpi6=#=YK&mB^
z>CDEsFD+u!*etBp$~1XPjMAV{xy^}+uk<9{ND(InB}nKMhE|bYrG?M=sDz#)R~@@)
z9e`OQS!W!?+{!THL_BCucM>U1;;1k(ocQQ>0p@&JR`<}ru#k>tZvLgLMygneO_1~s
z-r})6$~|j4g{nxzi5$C{@dw+^5a&)S!2ew@kMIJwOWnxJO`TF6?Y+ezoSGcy-=eWy
zTn`THEH!WYagA46>YOrfZuVekJGr6_B)#tosG8SjUwN*&H1~6^P{fF#zxKNLpYy}M
z-s@Tb<5ZLa1*qqh2l{0z=bGcYP8CJTaG7E?g_2K8t0K|gF8dVQ+mq_a8Kc{6m`*(P
zK>SuW{p6&!5eEnK=U!M>@rJoV-_|Ejug4YYurVRmjjN4h-F^TpWXFpN3}yA*K!MkI
z&enV8^YjkIR3}^Dl_buyFe_`74GytNHSqi4$#<EoCiOO=UW1IcDF<{5Z@hiJJdp`V
zF_97+D<hBZ0YMl#cqd{q+FWr6A`&b?>GpA@VwJVEH2<j0KRAI(gF8Xx8od@GjvRCH
z2#Q*Cw)7OyvX_~gu}y*E#-N?}3KHSUIiA9UKeWYn3QmEMC~%@Rb+NJLMu?;k7()-+
z;ArKnV<aYWG9zQqF-BVQcH1<@bD|ElKkJ=RFMi(P5jnW;y&D?9TA;Gvda~GZ@lSx4
zvIA}Lws&yB`FH9jEw|Ci79Aoo6RdYojKNx;7c#DS%CRAP;;(qL47|19W@0EzuBvO(
zTX%OwVJ4S^N#{Kk;XAr^4Lku`=MKOi8#sOr9o^!D#3-}d{+4JgHjZpxlU}S6t1~uB
zpKPj7%=e}d5R-vn^YohCIa6dQ3Dzp@J_^pG_i>I4x}&bnvYOd4X!5-JlN6^=)%D~R
zc0`^xdN*|?lZGTL6=nKiLUORm*!x7>L|Avx(20K(j;}g~PEeFSP_qb}J)0AT7F&A?
zFZV?dQ`4nWJ+XkV$8~AQ*@$>UDEiFt8GRb(n&Bi>0{h2|jnp_Kewh;SLi*|2^lx`P
zcYAZ|&@xNGR)SjW-n8#Ah$dLkIkt9Z{(>wPwVri@<whtUUW$l<K=|Y-z{>4Tkx7ZR
zx4*|sJSec<XGO$9H90I)hgwg9i7p<7LDt}rB>nN&G`qa5kHi=;{0ASgjUb5mg+k62
zAT*iS`QDk0;sjCA3i6Bb{s21zRr`NN>LV2P5s!vBHaSPIj4bLPLhxH<5TbS7{=gN*
zB22=nWFk0Q7pcg;<z{#2=v~wn_9)kiPiuZv@1~Nd7sp@KVW;3fAzq-@syf3Yq)rJ^
zXQvlZH1Hb1>brjSkc{j6DbYd)V6$9z70q-nsO;*93-SX|&KBjpLVzh>Z>1YNMcuJ)
z&~tE4na~VB=d;>&$4lS>S#Q>VACLP#2UC7BEFT!dX2LK*b^Jd0%6|j`Qh!_CzGN_x
z&k)0{rK_EcaQ%@Ctm~abjuPJyGxPi{EkN+SX;yF(RzJ9(wC+kzp#1QCC~j9wIo^GO
zOR^;xEf<e-ZZg==m+zIM#f0`=jxt(}Z-;YQg9FAaYv5<+4D0mxf0N_MMm@LEgT7xx
z&}cTJi;)06uNAPX3L?RtF6eJ|L@@!V*&g-5?sp=*(f=CEFD87^#BTR9DAcN2TQrCQ
zSjc=?faPa#thxIZOThroEAhx-l#`2w=e-;c%6;wRn%{PBZEg$C)75Xh!v{E@XR;gj
z4{J0U2s_p7>2k`g?BsY$HH;BBs@IF{ojB}jufFG<PoCNfdDU-|^&X1NBu^op&5W#i
z;gpb&q`w5nN!~KwM6*0yk;MG1AV7hG<Y2(DpEjZC9OQL7$2kXI^l3)w>xxK6){RVS
zuH4^S%&S;307E!i&s`~t$v<RyHU(%*5FkoHUnY3>j&F#3pB3S&=~ujbiPO)Z)g^@&
zgjxx*>5nJXm9%o)hK(ecwC*J2WyL(oS+r(y`8}B;IikaUETP};(^5stlH|(%J|iS8
z9HW{5o<^xsvHXbO&0SPh)pq`<C^vF98iPX>9Y6*tmNER3KAO5erDPj)Ls*oqWEBY}
zF4End@2s_E<yi;~7hRG{GNR@;C{Ci}ML2?jdz(bX)~^H^HR2%11cojP1tVR;h?jcL
zNUOoS5-+G*+)MuE!QsOD6KlP(Hu&f&N5-<eiScjLswY`rPIrfp?jV^N)_Ox_+E0}~
zv+D>%oYCnOgb#(Zn;&f%-X+X_gS%;v*{wAR>KF3LI|lBFH27=E307?(1|C7MM9u7n
zsB1?N-XLCGra#7R!h)so)Y&-p`W}>zPLhDWeR3g(NA+)2ZLK;J`|zkSY%?iPh@X~w
zaFNBE{28|JN6X%Tm;(qH+~f&KyQfi<yW%B0?HXl;@}QBP1k&hiI%Rie3+1O>4*A2$
z-wZ{Rc3B*D6+H9K#=ysIA&f*kd6v1bq?F~9P~I>N1X*`2ZVSa{^%KF=tRUvD&tCxP
zf+EIWrkZ|}j|6kYL1wnlQZ2WKB9QVdPC-nrA!=A%a_0nFrtIEM1(BzJ`SjrYrxvch
zBu3(PoPN{R;)Gr4zIE&UN+aB<eGIgNx)sim8Z6<vnBm%HjC~w7;)W_Z1;W+OBsJiq
zr6seb1zKGL{?kn5XvCdxo;#^umcM-?AO?^InlNPamfAiri${8W<&p7H-5KY|$kwTO
z{fw2upvlBH+38?lE(Rxe`s9&Sp!il%iziWe;guhuqd0ulJ1ylQ_B-zkmMTJNjv(wC
z_9VgieB&HpB8i9!V~jk$Glv=4!jsxgzj`Chfmkb}=4P#S-A`Kvhkn#-NhSYFd=6iF
z8{??POJG#0BN~tNGK>^5<~b&gym&n-M<bV5$1-?Z_=)0+F*Z6HL_l%N)|+<kx~nA<
zqygNoH%AuKU|~G|<;)CAsD6xR;2wT@?n+hI7g=jNFZ{c1VMppg@x3$m{_Y@6M3GH#
zZzwSz<7`joF<pJp1|r1gytl+TpAA;$0ykc7Z#*$&avL*xYs4P;&Ir|mBNM0Gz073<
zYF)UfwULa@@nN@9NkTmzU#YuXP|ePp-QJGT8m7Z^(Yt?r(ENl;HZzC3KCPfNEY=4H
z=l(BwmLz;zfX@=i8GYvsrqAcpBBZJ5x1?i@dxv55)%17kE1MK&(fuI_&14+oW95B1
z4(X~RL1byW^(bAv<M?eVNTK|7&S2)~og<?Ai?{%TM3%L|<>GiG-VvQ<^Vu8UMcD3X
zL;SLX`KI%JP>iynFjQ;PaG{+2$wsOSYN^FtQ6|$E(&tVD{%A@ym6di_7T=N(jZusQ
z)?g+Bzk*hi+3S7eM{(ZGv#f?%Ba{E5wlBX+F%ipxlyo9Ak-vYwbn!j{gA%EV5l*AZ
zNqnE4IYg|EC$O<tYq+2<e-VGW0e^b_9vg#}?zC<#<!U)v1ubH>(w67HQ@`{D3Q0MV
zqFryCl>Os(2n<$!p7;V2?8pOHYrSB#hBGRI6P7`bI63b(b=vd{mB}ZO5fh5t?6k<<
z#b6x;%fY38EtyNmL}M$|^Dw#p6kW%&fzV>+4L6Rd5`BGsT>g<wpSFg1bTHA-VrXIg
zQN?!JULpMX?2f+WoHFekwQz_1a`Fntso9InggPsn0^ij-+Eid(7(0F$d2{ZaMUxqq
zYw(6bg_lemq6oT^E5mJo0Grm_L1(2}YrOU2Yk4Ea_^rPeJf_kzBlczoI?Nc_N>t9?
z%LCln1#iOP)&P={R62~{smgpe`yeVPAR%W34LCZJw)R6Wc`jwt>=%_yy}mmLc5;!}
zpzV~KF~si+Xz?ZG2*a%;4wojWx_pzr1%!cICc$ZZ%o3t!js7hh`QW3|sDc7Z%CBS7
z^WB!K{d4dN0#~_XFOq2JHOpEZ7K#*<b4ZkspiU-E;AtEz<Ktzc*Qqpq9`*48n9W@^
zFrZT@Ze1GefLS?=_-g7ocD+&y;yER<k?!6AoT-%MCW+sXpngB4l29N*8^tlf3`guq
zUjlMVrbx4#NA^Kq0%SSQ61x4j3^1lwt(b~vhZ9v2qFI%Tl*b+jNE4~c@y2Q#czX3&
z^nJO;8w|wl&i@RgIijV|bFpU&K^ZfRXCWK(tTWu1#(b?h^C(9dNBxi`GuS#RU5?%#
zzF~TUQ$D_QoB<?3sdsV@mKVkCgagSH3+7Rf8EI*Coz`2M`X`uL17KIzq%O6POA2Un
zG056Pi1K1GiWF(e!b`n>N<IT)VZ&T%p&H)wGK7^fUK$ZnWDoH*?H{+D2Y^E#g}Uwg
zqeQVtO|E}q<@s<8sr?cChG!(Pi2!~hMQ<}RjFt*xb&ysUo!xU2Sa0VY;%Ni7#1Q7M
z#s87Qzg*tq=>z5^U`qRJm-|(${Ln&TD9-ENKH2-H#2?n5ZkMfOtCk&KPOj}84@dm7
zm^rX#hTN~m$B==9+HL#SC2T(_lfCe~2u41hNQZEImz%byd}SODD+emm2zA`L(#)*x
z{r!z0H@&DQS{>0G4};uyUdVb4Bc<Ega6X?)_(zR%MDfM#r+C8TyEpAgY`Zvy(;84s
z#vyJ_sc8#*LK3e>`0A~;biT>wc9Bx`r!mT>!}Xlz`diWn@Mo#&m>WM<o(<tB{3<(F
zq=E7xWOrOWyrXYW1{bG>Mqh6`9lIk5g->z6@>cG9xbBOxQp>?`#;0>xd4F`}QA=i$
zT&xt2{e89sG$u-wa`(*F-72A*GuGjb=<{xdT$U)#<a1Z!iZi0icW%0Li4#}aBRM6j
zzw@3dp_OwoAqn|sNzIzn-#<Xu1XwFJ{$eH}M~!sR2<YTnd(f&STE)bgGZ<%D#l^ib
z)T33f;Nh_u7FM^NmY;2DSJMwC<K7y>Q`Y!TD9-%gzk9^M|5gQE=R~dEgQ0s+;1R3`
zguhkPF!7PAi-B(s&RPkh!ba-EXokqO?P@#L`e1=5R(R9$120~2xHAqKK6v)W=q5%G
z=(!mZV4*X}owR<|v)cMNr*)Rhi9te_kh{HRmyKs&WyGc_)p_%-&-5L=z1s1Jn>wbJ
zusPRT$%Mxr$XB{8B>Iz>Ve}K7E}2EJSgBqgd;;-q%*lRFnup(1(7#(<w8zA6svyIl
zj*ijH0=+z~sy$N+xvEy0_KQwth^e;Ke+ZbjR-e(Oc{}HhKgbAFcMw)KbR4>;z*c3g
z_0lmA$RP}R{k-)KJEQCql%AAy5ROqiqRwPjCDWA4L5DIM&p|bw$)va|4q*i03=v;g
zp7yELD6#6<Yp08F)MhnpqmeMiuX@!^`h7Bf4#VhZ@jER`pHpK<x8iXsv2rn>HJeFz
z-W|b>xAZ*{=aWaz3>0LcUu-+aHXI_4%$-(K*;su3Fuj-wx|jc=31mE!q^LZVO10lk
zIXO07K|GfF`Tn8({@(K*zHO=e&kul^xq`{?pJ;*$#cvIf)(o&FA!a9BxO&jr#v(VW
zzx5XHqWB(JySv6<3iK$|3+fXY*akPah?l9%yv+UfNr(oj?MZz*7Eue*k9QU^W0xSL
z(K&zYxSg*w>M6$Ck{FAX6%mk><K!qP?K-Nd55-6numcO4xArn{!J@Mike_I!$^K~!
zMxNg)8%st8R-407qX%AH>pI)lH&6-!nh_(~mU}d*=;;jfhx6(YQ_W}?828i8Y7I<-
zAW!{6*0V6ShMPwf)?jdWw1GkD%!1rrzVVZfVHs%XZ8%Lf)OMfoQ6UmH+-|x7i-)fP
zo!=K{MRi*j{ZQQd#~h94W3m`2Y_?B%SnD3c{@bh8=ew@?w^~x6iMj6Ii(=Voc*3W+
z*$Gt#Nbi-EV5v7bIb{!CpFO5LuZ5~RY45F=VyXWzJ6|$p!t4I(Bl!5Bt56wqyB!H(
zj7pXo+<WTAFZBIu{7{Y|%gy*`8I50a{m5k=<Y$_ViH)U81-beB@k6zGnMMQU0G-bk
z%Q^D=E&gd!*75pR+T!AmnvZ(t@zEOkrv2r5Qc-T3>s3o@r$`J_h`hn!0mQu)Wb#q3
zPvK-av7?lle{0SrEE~Oal?yJnboV3Z8;<|dXIty9+|DHMg~lX4*EGM~6dB!tz*cHz
z5FoPIzKnY`4(;&yu1WJ=)j0@f;`7W32?n~)nR*hEq(u(3<KH{pI)xn;|M+@qEc?@>
zvt~Nsz~j!M*@GHiY<97r;yzYHUjtrgJ;E@8rHHA+BCLRE8V+jnqfj-0WRHarDp^vu
zM}aypA1Hlqk6GatkDl=;+)2Dd5<rOTk@r6|f7z6?<E_MVjW;pCM1_dO8UgGyPvx{^
zV=1{%$_GWKr^#X2e%ghk;v}zLicRNoAf}_7<*_GDw@9xe3?YBp5o1wnLmB{wBY0w7
zEFC9%b#6uX_|}ut+=40*2E+5WPQcUUa~2rNHG1i2zJSt%d)#y9#hpOR-T*|g++h!D
z^MP0hd`5VGyjzR18IP4vBJP)Ya;kIC3$HxZl{Z?nRU<-Y^b-%JMj&g+);{Q^$GF_f
z)hFKET(7FI)|i)tSrY|GKq*`47D@Lvnx91Q7&qZh&Ms&IkvMW1a<_E_lR6?b8#}z7
z`b{joF`e_o4c(FM_)TU>Caibn`%_LdM(ug!ku8UkEosZrq9NYC);RKvxN4(D=TJMg
ziblOj37UR$f*QSFotsT#&Z26h-0CH>+sLtLZ1-F^!s!w#i3^cAm5X?M9aG;#8g?e}
z^(pf@p*|hurjS!NTS5yatAWsx#H@T|@7J$1Vq{}jDGyIDwP+?mD@{1^dKkr?17bcs
zrv5vUgYaB~k)5_WJ2hgg8OU_3K=qhS-k43Fm@yu>jZV7g0#-S(BouQ?*0fbbJrC1Z
z^DO>!8wK}m_ILwz<@GY}x!<DYWPeFqC(z>!#O12Rz-RHaQ>-RkIbc-MaEr?rT~%U*
zp^0cR(W}$k^||5&dhkO!VpI%`R{{b>$If}wFinD`tl?{Ilp~8GdQ(F}5~;l9sh|rJ
zQ<eAf7caz3y}MS_x36cQy8J>Cdrl7!5658)F$%C*3d($^4ab_e$z|6p+POfiw2)0V
z*`o>wA%Q&MlUJG=e&ta>1OqPB@sFw->mYq&9v<DjZk)53x5{#=B+-T4?G*D(md_{d
zH^4IJyD1$G!a>rFMtUipwhGDz|D(idIrR3faE9w=I$6SvdMDAKES}^-{~5;YrZ*|?
zrzf0W4sWu-!|5tj4Y%xVGkn82pImX{!2ZiohIxg*=iwVvb(g1XTryb#x{g)Zi8DI=
zYR8L7y2HRxUZ{dqo9n$0IECCZ{#Pjy8N9WO{g$_3_u(3@Fz*YAC`IATY{bNPI?L;w
z8rj}WJKHNJ&b3-Q*(9<oAiB+N!kN_9!_kk~l%`k~{&sY%YKhd*HWA^UX886n)9Z!f
z@x`a?zaSb3iq#aRg|(M{4>`M>Q`{ab(u4)|)aYb5%#p-g!FMk1ZTBFpH61_(JL|j|
zuhC8*$w6k?x}rXxHvrm-Z{`&zDs?cs4?6r1;*rV6Iv!m3k`EeAvcY}shbLf(ls69M
zwyv%}MM1RMtQZ|VQokNF$Y-!m>j0ER_rd$8wUqj^aZpPDenZcIOD)Wy1b`68pTRyB
z*hf+ZwW@w5n5bx@{bcQRwglipO^7@<66u@i7P2lc!V_vW6dGky7E(+yES#_0Y2<kS
zeBrKLgJVwG8-y}39viKHrHiTf#Q1=NIBG7n>hdf|ux~HIzl-RoFxVf9BO6P*f<mR^
z93Wf5h?ai;*4{;+=s>9gn<V$Egaa=fVck;<b;z_fcNPUJHWJ({QZ@j4m)fyd@5PS<
zC$)pakb^fZKF}EY);MJf{=WW63fwO$BE$XW6B9r_q&uSD%Bu-?f44Jf6ONi9#QrzI
z)wSN;c`fKsS8OEO(0udbl`1Vjki_VA`IWL#bNTlHq>=L>8xCNwvIQ%ioMa8Y<Yny<
z@0K*hZg_jgxr+NwvGe%dC8T)Ku3{5d6W6?AAysBCP?n-LY1cZ}a1uW>tQr&7WWm{5
zDwp-`IV|PQaVwGT)tKF@0;b<$$d3#amU<ua(`020h0-g0V;3dgr-P?RINX732H2$a
zmUT<VXQjA;t)vju)~RePlZRbUYV<+Kt&r2|84^;bCyq>Z-JSUtrW8*UwqJ9A0RAYB
zIf2ppR6Ko&v48z2`f?V9XamdT=)X;*E=i4qUZu;xv2NKRN4i}8P?ObUufcLjhUwr6
za}Zz)513FELVZx%xDi<4bBME$!AchUp~;DQTu>A?TuV}6zgRGlAT9ZR$B`McR522v
z8l)mXQzsZ4>nloNjJr8Kxoe%cw5*=Z&YkVLFGV{7%HcBz=eR(entq0mAMnU3P(hC-
z<M^az(lB_7`8@DDA9p%}^(5J3FdtcYym9|Bz~a0+3{h)i=nZJiODEg6t*i?d0qipF
z6|YejNno6F%I)7{VgvOTa8@LXsx>o-FzFKnX~3#gD^)ZFjJA}r+$4;>d9{}efA*nr
z%OXXbRBE8<_hkO&G?o8IUSmsd^VH_uN>@Ec)LXnKc-llYJ&X+7NWm4Yw^ohYc#~Xi
zB0*$Z?l5=Yj=4j}<^7@>TEIi!nEw8u!Q!YJd2+VF*%e3D99!DyxwG6ePU_^KR#(G-
z;=z#;yR-jr^Lj-&mEcuJI@M$g-EY7t%ey(8AKX|(|6|m+=cn(O!?|1V<KvHRw<dF`
z=)qVf%ow&UiMfrvdMELq93Ev&gF>}?_p>Q;Iu{O_7UJ=SDL}NkFqqx3URrlo4*%TF
z(G=@KA{vKFWv}k0G%*<WhZFKxa?~dl;dX*-{rR$bVP4Pvg6iO5_&+c7DZ*EjzwQ4s
zp8NXmF{(~c{PvUY@zJeuDAy&#UGE*OA(`-|k7+Ei=%|!A{Po$=>hGZ_{kwcE?OFp2
zthyF{K>p3=Pt3=2+Ua?eZ9W~#g1VDeZv+7a3W#rcOG(oHgtpSz{)@=``=iCvya$ID
zGSS2%sN60WqpA}~QMz60lbIZBY?AZ&STTK}l3w@XSX=1aFK*D-R}vfdXV#+e6D>xL
zc)lOCIbA*}#*zjd_gZhxLt+r(bXU|MM#q7#P{|Uisho<~M4%R>B?t<$2@MphcsqVF
zrc?@!Rl+Mb$CG6emBnhYhiVrIwAr!u2Mb3bQdy7l&p=0{YX!}EJ1+r7LYVBxm=K!P
zvbsIJ4&DOA{FX!jLcyZ{98PzFmToL{>prdWRUyz#thk`nuG|&2al1u+mzuN*sB~6w
z`3)ncyFe^uTc3EmU)c-}JR-F0yEm>ZgIbICgSvo(18IuYh%gZ(7N>L=!Hl?_AdYGp
zCF<JH11Ohl(TYPY`WotZI?_R7s7Zs~>vDybP2vT_W6s3&<|DOJ39XdiQQU&{`+0U5
zau*t0*2K-^Qc5eg9HAb@dUJkolw<~GoAg<m2)9A}@AbBFlfocB+@U$I+Rjj?NkWWi
zcROe3nDrGAgT%8DdoW{7xjL_P!f-YOm}4P9@Sfbsyg7H?jRo1K+})%qo!H&Dhbk${
z_6Lbn4P%agEKx_VPWlNwnThSm9K?gqMroQf+-{q{=a6AX5;&^cO0e)(;LA<mpdo~7
z77k2uEIhO7DI219=X^Q@id8KZ65wj>>^<qEkm=YyY6U$mB&O|DncS*}_wEq_;@<S;
zod0}}tw@kNbFY*o{D&lek1gp`%6<fIQGL1@U9xvLY0kIKpiutmBq>$P9~EnRaOOTm
z<?S7xosM0gnYB|-cDWb>%%}S9znx$O31H>rGKml&8jA@Ld$5${AxE7G^(}qkMVzwK
zTz_pIj#{#)6DJV*{}Ad6$7G5tTvl_?5-&=Jic`Q%$@}P72`ogIUb~ugUO2c_&KOhG
zc6hP$L)(~6UB%No{6o-C5}LY-_!p3;rjo;~M2--4++UEeRe~Lb&^K>~Gtvr;HYBUr
zXClUsTX!7|F@`3b%FN7udL)73_eV{k(Y39(yhCKq-N=#G6E2C}u2f(}0dnYD1+6!d
z$(VZnm{LU55iCm;QzK6+g-wJz<@X)xBJzAps?!$dE^crzPYk~61r5LoOXVdr+}<S(
zooYI4byyId)9>j($Y3Qgv&~R*Hle$^TWAK0#;MqTn_e}zJq8g!oXp0U5|m)KAKksH
za%WPH(UUv6Y~TI<QC5AExWw`<%dsWl*H>JCw&BDr#gk2Bg2ZA}?0?SbOT5ivVduhi
z?jGKaMjdBoBnJ>Z(t}avcx3f?TWt`$-oQ9{7#hz~!YrHp=XuQYUl^r8RKaRl4qNs1
zn;zf9`nNNhuWrE4AqMDQ8*jXC+(T?zC}O12I$m{QlaqBf&}&Vo&qE~~`SOA2x@HE4
z<1<%B)zt1s^yc6GX?h0nn^EauL!#Zy**umvhnj)x(fcDq*y>#1G`txPFB@mxFfeYF
z8mN1wvMf=rFh*SQd>`h14W`uN>8OWEDVhw@Q3~R6<-DqxAtFRJ2w|rXgx}Bv!Qs*=
zF5nri@ns2K{%yI-xhE*$B)FGR<qn5KMb)ssq-bXG{^|JVNZi34zJh4EuHo;dHy9FR
z!q@Xd)kM66dMvdY4u{I_9X%69@gOz5l>SWb6+Owlw>ayOd>O<nX37&E4nfA<atrUs
zRJK|BB}S42Z)-;=!fiSblb7EZ+=no>_S~`9LU!bEA}%=DHRr!(j^2aWbS@8S56%#X
zKvzCh6-i_UH88PdBaW1I2@4_?n~}GhCQXWeew6A_;QT*JHAuCB*BUQarom-&j8!J)
zX9SQ-u-AzgZDQi3nnW=Dn@fq7naB@h0Zhr<4;N=a)KaIB$FlQONd~x0T2ss+Eoy5v
zj)3b*#7GxWG;mlu_87g!EPv*7=9mg?Z^NWnCMf{Q?)C+LqP4_z<w-es&g|6K545du
zcvrxawy4yd?~i~V&!yz(db^38)TX`B)zv<nFCt2ZvqT5fo2x^Im2y7q<nj|4AVFd_
z7RivF^Q0YgT5sH&TEPhJeJ0VqyLn@mJx|1xT|kXC$+qt9sTLrm7xQvq%|eDsk;HEd
z)qB-9#Q0aHt7&w%_~Tof6;$aPyzwfWbd0IK&7O0|4>*tjDH?9<qGYJB&8{FRpsFZ0
z^i`8_y<?BV391(B=R%FcfdZuVUVVJFQgApFjgI2DP1{f^NHC_=?L{LSCF94_SZ|ak
z8qFBa>~FQwkdLUeS`;wB{UCg0Apd_BV2B7D`cO!XovXJa4UwqXzv^1BR1M9@0WYmm
zl=G;9?}(d;BS&CHbaU4^y|@K2ELEH)9}xyCC=hEWR)nE+JXlVQk-1mj84gwu(|7Bq
zjqev|Yc)nS#~n`+UY)i03X&34d^o8cZW4pN)<8W*S9YdlalbT+lCiS4U%05V0i!oY
z5N=F5Nx82q+5Fd5cn?wVD(jfaNGxFr8Or?cAZ3XI7hPY0Qt_{N((4Lo3x7WejK~M~
z;P~9L`o063&}!;$TZcDXo|kVaWzCkx!ZSQ>PMD4@tt?Nb)Jue<a@cER*&PxU8xE>;
zpu}CQNC6d{N#S^2C`@(+gf&w-IV-HMLK7W5ni8u}bxM;gdd+RX8FyUej+af&;g#Q8
z?M?a$&RrOUsR**($U2$tu8(u2v5*|X>J>Hb!8?Z9)9e|3zM?zmLNd}aIckh}nTk$`
zlZk;3x;?L+G1WE7n0mtqqt?aV>y3?M_-M8zr66FNGnTRjo%uPb!X0zMkLS+7p%2kY
zPx1zrxbkWp=dePK#<u*2a56n<29jL7D9DhUwrf>KPw(#l13-l~#^EZY4N>9SGAuk?
z(Gim9TGL)HEV%~|W)0z6>J8kk&Yg78zq~^yVTBDjWxuE+-yJSA4NF2j8%SnXeUpg{
zCfl<*40F!XQ)acjxnC6Dlo2M%G`l+LNq;S%d27V(R4MpmF0kXdceywSAs(Jji6$}m
z@JCI@I=2?OGj)<=0AB~ka1mX`%Uv(`m)BjYVLZssv5u!DKnUE_M}BZHv?yOlXD3~^
zXF-m@=Fz6KIG#HNi;2Si!`74ILH$Jjfc(FsN-kQ3{-s<pxHo7gU11FQc|GJanbn-e
z!_`ks-v~!;S-oKN(q|rL*1v7*E9rRe7B(48(EX|W=4=9~#Nh&#<FFzsw%o=tG*dvD
zo&oYc<ojoC{`zCjf-7EYvd<ap?Gb(X(K=g9>1e6Og~4$U_OA<MaK32XHZkcvJZHz-
z=Z}N>sTh2l-MpU}A>E74q-m9*d(UR+B24C9TR(s(xOg{Op#&r}b_uZx8nttiPS4&U
zNjSkJSx@4bZ9u@3Or2#n^Ut4!fT>`aHpN@Q_vSQf?YNae7Ly@l&4^@g_~*OCAj{1B
z4%LpEoVJ$!Yfd-pLyC8u$Jem8ESx5Z$&sT%BErXLb16lT$W^)-jl#(^>QG=YnMZ;R
zDJQrwzX-(Ba_o=N2?+f48&vx(<g|N^KuD4nFIipbv-wjx>rk8wAdx(z*E5K0L25&V
zmP?5BD`Okz(aYEig%+L!2E~eZ-91=QH5{XD(D01Y-D7XwUe!n0DyJe4?Q3~yqB_Cc
zOP9&lA~S_;%D~3d8n>3MoX_&^agq9*qpZ9IZBpX;Z@5Y^AVeukisb?kV`zWJpP6Ix
z?T||KCykT#(WbHVyHQ_aMmlp7HHA8_@t7z~8eW?SpcEMvJ1B6}?#64RS#<W@(3I~a
zAj16EN^SLTpKH^s2X<skHC_bm8#sp@Q_UcveS)Vdpx#9sYHr$2D{L?9l+~gS`MkI~
zG9tGO5#ktBDr+W$u``gB3;t-uwd2=_!j`RLv4~nX_dxwiow#ykR8cliXo2Y{4u^KW
z>oo2s-nkicy_ri8m}9<_E&PX~{w6UgX`v&YHwfK_IoQl4_C3aUOCL^f+z7PxoEWJS
z7Pb@?5_nxHKa&kY1eG8G+Jg9Cq%T&6p;=DiPM+RD6SeKLZ`gIkf>w1oOS#f~p=VJ(
zRgr`-f0<I1{Oy9#I}7t6R;l(J3ld|X(ZAc6iuZ?pTFu5XnMq*@Ra8vVNGg;8&jUH(
zCP_e^A?twgrCW(A&{2bcqr4Gg&4h_qNLqc*__NBP&?#1QS`IC<d$6i^m?49ICV$Lv
zg8XR&H8%%*!^=%7=l-QT4Ke=rSx^9{s)tr|HjU$XkZ|2T2v!v>*%-R$H(~^s?C)}3
z6n@p^PgYbGOU2*J>|84JzC^HcJ*BWaPKro~3(gw#wNX?g4~FDj67!$z`Nzco1aMU2
zf1gyUeS5=>->*91XM5GM3BYi8w08$hz`^kZDD!IVRHHnugO=qBE%E|lliE(tCZciG
zV{lkl5$M6o9hBmGppmF@ON-GPq)k_J+ime7;0bS6*;)(9iFVIw!8J|jBPQGc?Ro?8
zKRQv$|B=hKd`uN*^UX4S(<dg_Rmg3(1eRn--wPhbqvOLRoq7Wf8ePckb!1hM_$6R!
z&9<b~Zbtty6M@gS>BJNHkS*a#lJ}irY}5OI>Z*WMMvU{~W{3}VcB$m=K@8sv!(l%1
z8ru8Il=)<4V=4!8za%{?GNxf<yo_hZ%^MK-PoBl<sGDb5(IeL%ULVr_vV3Dm5$PTG
z3U{ew(*w|~w(t5s*3h^g)j+V>A~&aF$6nqao4<9KN2M0(f&ZIApSTutE|s|GrD_?;
z^S46NYCWwrk`Fq{w(S7`g5;76iKAkS)`jMFo_x>u-rX}e90fXV71o^hNC`;>0wmhU
zEXH5&rkFC>)lE+45xRXY-b_a9B>EKyCTv{~l@&;gue*I0dJ>z?V&sd6h7WkSWeu>f
zRNJgK-D~i-(BI!rSQo3rfh{6asNGN^76!@?149xu5}g!5K$RNBU8@5Qppf(vC`VRX
z2on4=Q*d*#y}+hY03slN=7&)*6`IlofXu=|%}QrlFlS@k8PybU>n7?5qGrN){N4nZ
z<o=APY5`!=$!>K1SJ$RVvX0SODcUbx$Z9K&gUBe%2NLjKyQ`%sBGJ7WPQ>BXWfa;)
zOc*qa-6r7^gb=UZk1fN(H(7WV6CqP^&uc<=Kn=B$SN2U4Vaa3cxhJ4N=GC^V?WAHO
zLCV!<T1OxpNe-dvB55LizO}>O!nqI?8##5C?r3vIyNKGWFr!-I4Rp`27XA6WtB0R_
zF_#H(yL*_n-kNJJF!aaF-Rs(#P51mt@R^~JrMJ&=Ep-Kr6k}RkMA~2vup;Av>gH<6
zcGM<mhGnHT+b_%ZXKvB$qZeikHIX)F*17nnkYETC5Ac!#SvC3dt6aLQ>q7!{E2wl}
zdkV|#a272<hT(#VgmUNkg-G)e&Y?~6hKDm<&`N7&7?(N!nb-|JT}2uwb@Utp+&RF+
zIumFO6^B##TZQ4ESF6mIpV#)Rl8P_VOEML?--1t8JzgoqOw=`yMrYC`RI9kBg$%x@
zA)-x$)!W%58lAg*NR`QKkDca#{YLz%?h=VEjc#+XN2TWN{P;#!O3xorU6CTLd8$WC
zC~%f^Y+wLuDu5I=9ZTvT!V<vCf?l@r^DPStl~CoIi0yE|)bZo1%RXR30RlZ4x|Y$z
zl!;10KF?42xpMa-=%6q8vUFFf$h=FDNYaWqxC|^<*f3ZM;IQJxu|j>Ed9iupz=Ci5
zJ15ySkqBVY_;Jg>qo+#kv_}pq=#J=DGSBKyE^k77n}P&5vlM}y{$z|F!_2H2AjO=p
ziQh-cE=3|d<YF_hASpw%B0z<EAFHJ)n$mK^1EiTeO@5<F8q#zTJIxuo6HgH%Op6T;
z$!L9#u79_L*`8s_hL4LKTuqX{)WQ|*t*v8nz_wIwC0g#P7`_BC=Dtctthe(CGSa%?
zAM}L3<sOOd6mGhr(&vg-Q!?GlvcJ?o&XO}u+mn#VtY2=b82+0ZTHTjbVX)q=zsnut
zpng3OP2>rec<n82DH%JFu}hQ6cM~p5xcy8SQMCqr4__)#n<SaP?yZWOtn)vOMX;n?
z7KO_NEkw*2!?XDJ)_Bhl>2gDJcTd(qjPm)WAgWRmz2b$}^RaS(%XdVs4B}sRy;wRd
zT}PARx#LA8T`~n1jZUs3Mq~T@XmaIWTi#0Y_PBtO)dr{CfI8vfWe*?x_`*@Wm1$H_
zmNmLHcX!q}l<!?X)<K<r;c5-g#z+Y2_5MV|<%()%0rOvYXVWw$r}SF)i{*Fh^_^*k
zdXv-rzNBr<*jdd}!kFjx0Ub>?+D{W;%!ds<T+yBn8+rTOt?A4L;#n^CyPb}h{8AQ1
zl?cDl$Kbp<-L3jQD>>a4MeS?)C%Y6=d|OOjnT3A4&NYft#kOC@es@PShm){(r(@Pj
zS%QR05=N!*V*mi}7g66%0qN>$z<Z5uV}gV>mq<4C$Ucu%1*dEx1G`UtfBV&wVLDc~
zS6N^%^n9as_4B?1URTXyUfm1{&g{qm&*#>bc55RL@Pe8xKYy2Cv5aYy7DAYYaXKXz
zC`?qeQjlF#g4)uLgYb))xbVmdk<lBl&Q>T?)l!KnqZSjgkytI=>6B&)4m|!jJqaT2
zorR$$atsQML@RhjRl5x%qh0Fg{|b>lX6^zC6z%&Wg*?4LSw<vcL<Z6AWG5=O!6d3G
zkWji}fGW-#d}x_A3CSB~941n9Lek>u84T$7Ordn(T)oypXgHll>P|*H0+z5RrS(`#
zW!<`1aYrKd%eTeYph~>CQ=c=lbH0q7z717MO*}<SqK?;TE0u8@jHS0^>l~?>o#7W8
z{Hqfah9d-6Ebdl&Dn1P^Fh^kLm~ZHK`Qqbytx2yunoEGLbhJekHN^M#f`^rI*!T<w
zZ!%rkbdJ_RyZ<tL=m7U=D$ANowgeGfLQkaPEsA?k;rxDUT&y^|owx8<)SxK491HJa
zb6mJ=vM}+ABh659XW)IIviIouB*ht8N$NsgllmM1!ZhShCt#o~xnJ1LjEl^A4IgsR
zokMra(ZA;OHt#90Q`l;qbk0NlWuc!hC4vo2C2+Vj$yDzbx>7lzO@-As`9^y=W;FZO
zLZx7Ux|9NqAE1q`AdKx`{JU!~@tVtRUq5*@nx=lO7T8V~(O1pl9@O)VhyFlCx0M1j
zlfVM7rUOc(uoTH|%GC=jPhV%`1{13*G=3Q#Plbe3ml^pNTYgy&`U)^ug)CR&RFi=y
zZxm6r4Z_ROr+~fW6R3WpONrc;^(bK^!Xo9WakMq>j)1h!S)(jShRS$4k?F(=etJ;>
z8>Cc4T;13}3Dk#W0~zX6s9?2}^0#K00W_TpM`pX3<7K`e=NYVSPFZ2keHoC+6il6+
zjGMw=OF1%`y3$mpYwx*U7ZOof6?U)6-hnZT9yRvD1~2;{<*|IWDyv&B;~=$#CzxQR
zT>~1$QZ2-DUO9s)f2N}PzW}{~c!;y5en{{?JJv9vPDo)l3jwH-0oLtM=Ui$%4<sW&
zlcxvrXp=Fq632$s>m6w{n%4(SL~n3O*WP9p3@u-mpkruDa3Q#53gULhYQb4=;V4i6
zdUAW&5B98;5z_2031e?o8!G$TbxaCk#m*sa$6cVzrc&!IDhq0;T`x^Sw%vinJ@LVa
zm+j>ImKzXd|5f5`|5da$-w32x&l<ecgL2-@yej{}@bf2TbXMgwBkAx|j&(VuKafSo
z=L<Sm*NO^3-1N&pgY<a1vL^F%k>r0Xukt9|u0KJaw)j}DK=hWXiSWO8L>Y2#)*Txc
z9G#sx-cMu$6GwUB`7#aWIt`f_WHU?u<paF%vwhm^$Fb@NMTYD4j5)akJ6;{2Z=R2j
z^shFNu6$$3Fy`HMUXmG~4t9l;Q0l07UAMCI4#F{dVkNxR$JtLWod1=<_HTKgY$a}|
z1z{5<EpFlwfVG#zmF7;<!PEW>`F>WX^zg@UEe*Qgj+i)oXgFJR9TUD=^s?y(#J(S$
zbvo%bs<#0Kp{E*km?e!CXeg-~`T;Bg`dQr_%zsZBjQ{1A&U9U1V)lakym|_hs!*bX
zoE5|q{-qCJg+tt=j`(!W^j`lkWYdqB@X$!ol0}hACuz;(whtYCy<bALR<gALF%?>B
zA(+Vu|6Wj&RsO@{;ebjqoeU8dKF|AWOj+v{8tn&d7y|5`8||;QeFnAq8NWrL)Opah
zIp}0b-=vc`n4f0iK|=%Nm}TL6%yNH9TX^~Ba!K)sc*D{Y|0`CmQ9>rt#%K-XSyg02
zR`YXLl093p)LF)zLDr*&3a}(G_9KW7kY&4J#K*>ajgTs`D8pzMFk+FQW@O&T*YnJR
z{Tx!HhF7Q~fUW!6kBp^kBbGP15Al<11QrO&IK^saAOTo#u9aKv@WQt3SVps-2%N9m
z6g;NV27iea9ur^N+n9HAZlbk97$CjZgKGWmH3vYNx!KYz3d$P#>F#-E3=T~f7du&e
zP-UgIE@jC5i^xDPa_+~exMs(jGuxYt@>zokncHJm+4!X#h@!5Tv4<M3OcGSJC2>4n
z&s7Z$9ux0pT}96Kp&MbXcejOwURjayLIFC_P$lp*;R|0L?Lq`rMA-mnlaX~k;vg5&
zge*Nc)1h;?$kO?Eyo!2nJv3X|Dtl#0<NK3E;+I<K`3FCLq*oM%4)`Mre`_vziVF2R
zv1PrPOp39~-;Aaj7}`rAu&`UITg_dv4_8Z(Q5r>Ox#pv0)6Uk*iE`c4bNpf>3%n^6
zJgghubQ>RZF9EwGFqCl&sjFCpowUC!75x?ue~h%Wu@=f*F<RBb6iJAr(vSYe^wxwG
z{1|73Wq|!y-IDe}xPH2bKcduY^%m4l&SM^@h6HOAC(ruV^m$QM6iOoo!HjVlB+q%O
z(MDgGnqd(ug3-v3UR{$~O$YhIngL+LO5n|IBBo3NZ7SfMXJ9cvRNey2e2gD>cYUMm
zuw&u{8txH6a%?_z6VvGP96=IIh-|?4nmcI_la;od`iCf)^sIUgh^Pb(w?>|tw6T*E
zWW7aN`Ec9JxxJQg5c?!ctvgX(j62^A_lSRivCBDS+@wc2mIZ$*tfhev5vR<9M!2wY
zfFbut86mOJRS#2F4NMUWwGt6Y5`ZkRa^%39cPss9nG%{Z*HFSw6i<xF5|}Iy;q>DX
zm!{!L4sr~se-9jfGeK{l{y0d{03;Ak*DLF2-y9k?ilaf$s*9dc{}4heu*kQuN=&wf
zNdS!=!f`5Oq|^3)na8iMG6h7h+ZdcT_~d`pE4Pj~FxN<W+UE_9jP8yMGTr;uw`x#$
zJ}s_e?vy+Cw=4j9JI>)0^v(I4Gz&I;yKBnx^OZU<P?Tx54OT)7P&w6EK}`MmO35-V
zedn^2<k<3*Stwk}%b6!805{vaIBbB0#$~xxF^wiKcMzH$z-&5sTr5*W^xTL4^W?NX
zjg5XBnuS52>z!!|UDKi80KD6)(OAmvZKu!p^VSB7kTe5ds?N$hv7f^0PlPtBZO2TE
zF(lrbJqWc*KZO#t1gthO-cp!wl)jCwY)zl7?~-WV_T67^N<5zyeYY(K_oVviKUDAx
zCb5%k?}yE!H0s^FlL;}+Ffq;{KaPABXvE2+NUk%soE;CsC-Q^kbv*Q;{Qb&Z=~Cte
zD0ip}3iEnM5T@PVHh3S;si)VCZol5!5{irc3<CCfND$yK0f5xL2<geps_S+>tvmy9
zJfB*`iM!xRV<sb#Eko{F`yq5EQ|jex0!&u(iaH6)<3^qZtZFy01-mHI-N8rDPWOjb
zwdq`14xj4K*!Z4&>88r^%Jhl_4P@^^s#QD?VeFwh$e)RbOn95(|7EN%689i)jZ*>+
z<g(B|`DgKRFNs&`dB(9BV2ou*3jD==Cm)nmPsujF#S7WpW_kMPpu<9sxR6x(Zi1MZ
zQY+yAbwG;0OMM_{K#0toQ7d7SDB0C61itoMtyPX|cjtJXqdEW=Ph(}$F{3yJI$x*G
zn~5}~r(>ez&12b@6$D9T+<JT9rwK!qu@~YgVb<~JT?sv%eO*nYxml&|{J3DnYU(To
zmg@xSueR;mo+g_v4o(OGrV8Rg<|pTRHxq#>sX87B)Eo)tS(!PMb~3as7NLy?P)+#a
z7bjQz)_hTR2KT)_bfht~dsFQud_1GA5$<Se2rwrVTCqBNcVcT;AOS+}*^?5h9>bv>
z8ZNk_;S?T#-se4qYmJrBO2;$2!h}=f*3R?@@K4#~VU&<rDNg7^kyb;I#4>AslI^X2
z0t|O3rOqX}cmoRQyz(a}@8NklE9B1CtL8S7?*pr@fYVmBqSI<@nLQ(Vw`5VND;@ds
z_(O3`P$~;4w}4h`msQD5ylk@hx(ENz%nt!rw=}dd12;79gUu<46Ed}pNnA?#>AprO
zk1D8K(a|dGU|3&K07M{frlOvVcq+xHo;MIPr{|C4mEVxwB5~GZk~m?_f`vI2fF=D8
z3-+JJbSZP#*-Z<XVYO>+@iL7V(jpJL2oWcPnN@be=6Hm7NmVTwA5;5pMs4Rpmky65
zHW5G{g{m>INqMgIQ(<eXViF4CPUoG5|BWldCEPxD&-f6P$mF#oE`LyxL>E?TW_skY
zYrBX9%@70>BgaHrYl%UUPbz(z!Tuz?f#Fm(@_ubg1Crek4}!({z9%=>VgvE(hi0%x
zTq<G`09#t6Hm31T2g67ZZ=U1)+R@F4D#xU@T;uTFA*lPk|9sGCo|Y<8?BjAn_juf1
zc~?czz<%CaJWVMgktehEh5br><KGqN(QTc2g5HlO8M;<N(#+4v-3;3Zt*-J%?-^Xg
z%MFB*h60<Q`Ts3HI(@!@@_nNatRrc0w9XX8lUY>4Wg%Hgdf#in;c`V6AN&{2tTUPB
z_*<rk=Ic%$X#B$chhw1gX<o(sfIS}mGkIrv2TE~O>R%N55bM(LAbxwI8N5|4IQDDz
zNZOF8qcDh8^VX}8MV3ha`c`tnFdatW?-t)ky`gDb2zY|3u6dqwBtVMw?CupC<Q|^A
zQUmkIRF)-@6AclV_no5eazhv^L(1pD;;a<mF`RU{uHbKq?%@n<R7tj((MbGpDfrlk
zBI>4x<qzGzvUrwyi{lKR5Ugurdm!7rU=d5cTQSDac)pckQP{}KO#~TFH|2LkH>u+J
zoRg=Q_RkZx9+W8FtbEIV``{@Xj7YY%<^TqaSwib18O|?XK68C~tHu|rpi|rn;nnc8
zLATfCx;bLU{f1=O<nDVhJel0eCaZr4zHT(gffR`oZmzxj^-F`?01nof-B-W-n>SB@
zw#j4uFxcvVUTFF9%UJ(jRAN4O38+Bc4iJO%28+-dAT=wOsEk!#1NjXK9>JOxADCw;
zB_0wMWtcApoQ7x~duab_Lv-{J^!v@>dx%W1t7P&Kr2YZ}#<_*Fq%*nVlH5+3s%rn$
z>o+92Vo_*gzPV+Og0nD9hzJ)Sna=X%RV}Pg4$y8o-&V3s-pS<`1eB6>kiUHTEIbcK
zGw@;+@W&?rcyUx2)c#PejaG&Q!=~>M0wb4t06XK{qK1wmunE;T2$IFh;3y0{ilc|N
z5Mlud9z_K5c-7Zn6Y7mrqSRPtPeeAYPJ|Qg6=>ZoyBPRYg}&Bm_xxFepyy#oKy@5c
z&0;CM<d5L<@`)oxzx_dzleJso>dfFM;k5q4#ZO>hZx5HpieozFOq?^lkK5apyyD92
z?+xfcc!}O2(k~<^jBnpqcU`ptlTH6}`j;T*@{(B70Wt&psmA6o4iW=jA>aUlW@yO4
z>y-(vJ?4nxRU2<Bg(M&RsoKJ1E?i`HW`sT<7D>i6Y1xHgtnMltqAYTpE2X%_Q#hP*
zqEUEi=p6^hhNWnR>)3AJDXhR$(&*M=mla_;m5X*fK%LRVDJVoyHNBYNA|#J2Qd$rb
zt1V9oW^Ot}Iy#I>_5S%Xz6vI0j1>e^HIA%MXvvv#4P^Wrg1LdY|4%f*$TOeo_yKg-
zRoRv{zL)GSblA~YMzL-pW<FVsG%|3=qik?#Ork-kn3d$VN<}@O+Fr0XZ{*)f5*Ly{
z^O#GY6sJYvjE50a(38keW9=(|a4(jkhIH{CFf&`&ZzuFiQqg)GjZmpkv5ban0J1d+
zd=_s=MwQ)lb4Ma3LRUK}Rw|Vy72TkxgQ39`bjX_qS5?^%mQ=l0-#BQ!CBH!p35Qd~
z<SLITt&%ei*BWTCI<nqMe!uPKnS`($Mc7V~*Nxi6;K0fq>zWH{>$EWlR)YzsdNY%V
zWJ1~H9*f_SZL!p(>DeQ2XpAZX@M=kFr7o`NXXdnBQlFdiWx#}~=H2~0Rrb&=DI%+_
z1QNbz(r_$Qa&F0z;nOEk$>gdSVH%_Mf|_&==M7fH9Xf8;vc|SUb5wCp{Q%-+Hy4L_
z>C1{EtFARQ3^t*oNyxW$!f-U*%6=37pV~@LtvkN!5mlGTEd3`Q8pyHI)C~{jW9hUV
z+>SN?ftWE#V+HT`bs>xsL4+?|`*TybR$KA}NdUJ`^a&|^kZYbofBu-}O{~J^DZ_(s
z3R&*WU%4UoCbBhS_+RW|tVi}wgP<|InQb<=pC%64Bkfnl>>hulOhsc;bZp4dFg|!s
z*yEeG#2s&qg3T2JJKi0}QW2gm@lv+FeEbA@j=H49S#9w;2gmM6ZM(A$m+P1=F8Foc
zjG=EbxC_J}lSwI1K)GDdmK#dMNXqYSBWTAnIbL5jeQWzYuZm`zpKoHYQh9j*+%6Ft
zB;KCiKf?C49z(x<GzDld(@*s38LFO)5Go-1o-wqnoj(Hx&TQ}X*8*}r3&Yyk$ZCFO
zg2eqUuVI2QPJTbK^`JoE!Sl+E6UDPoicr79OQQ0mLsFLdrM*Ov?Dcu~U_+-{uWl!r
zn3A0%FmOw$ngPCRpP<y+af$V8C7CYEi%WvD==M%tC3Oaa7?WXE;(4bqm&=1$Ru*rb
zuZ19&px5bcDUhU=09MG=mCIHG6KVIWXJx1l4YL*g0}NXh0%_+*)y;H}DzGFZ#~7iu
z({&I5nu5siMW$EfKi3~%F_3f-SJRSc<=UdjgTx>%9M~_gr|Zp^juNy+sA|6;goqH4
z3P@Rw7X1HN0HMI<fpc7+ulj=R!#0sqRuWzuS!Knf@&%>1?fvqyUmI*pU;~OX&SsHd
z<U_Fb3#`c%>#=6j`^N(~w$`0uUFWll2!|;drgfLmhv{36!_T$2IfmNqyepnbJspBf
z2DcH?%q_mcYeA=74x}l~-Cg5N#2^rm4aGw4uh}xm;}X)tQVu*le2@1xH`RDFYbBJJ
z`y=gKt(M}*sADB+_MxpT#np&Wsr|%c{_^>2*|Ao9nTJ<gp5o|Qz{Qgv73nWGuTA!t
z_|-LSPf0g<<+HC$tX$D1?Cy0ziPP~gx7V*Gml})gI}#Id_1Zm`h8$g+IeGMZxj<R8
z`j_e}f71s>Ahnwn%6nRlB(-FB-+-r7zf`C^Guz~L`d^qjLEy~F2hCkfQ-$yHX;Kjh
zQJ5H_5KTgPISlty%9nYM+N~ya>e)SK3>ZA4R&k*$#*bkb8;JWW%Lt2|g9azcpG_rx
zpK@H!(>K4Get{bbEhSPS0Z^|95n4X%u5U)~NRx|T5KV=YRi@`5LQ&cFLsvxz=Sdt}
ziLT320{0+pNtMeM*tTcat{77vLy_49%L<|&fBdVzH~l=xG?-m?JM+v>Jav>X_Gjyd
zggoibe{IR#Y>q!GD;!I^`?rFGPTRST7Dy}~F%axdkfw{cw-U3*9#?WL4ket|=AlD~
zcod>_MlKF%Qv1(}r=0&B>FIlw8rIIFa@`I}P@)_av;=8hB(z`^QRF<k`K<H6&Y5jQ
zCQl6#jN)2gr8;U+fix`)1eo%~qFcA?TPRijB!!@!hN)ls;$RvVH9KK+M55iXS#V9$
z(Z~Uqzu%y?Wx=|ms=+#orh-7;v18Gi@lzKQdfR*#eFyQl;1j92O?oOJua<ser-pu!
zWu+R<p}%K*p+W+-V^+6WgSBbg)g-lz)LSCK(>ki*O~5exZ9`}Ef3=c2QquD^)!l?C
z2lnXg%P4VHzF3T<0GO#1tCe`uwMXE%-;)WlfO<Fii}MPp!K0}!mf?en|C)}6rco@8
zEz!6Y@4AnhZ<68EJ&PZ`h0VtPz1WafQ9t}U*oK?5D%wkqs-Hef*`6jZ%+nT=VxMRu
zPzBU>5b;Lkl~0)ahTQow$MgLHMk@o-vb!3WW~o5a<Pqb@WHP-UKcBA)XsVCy_V<u#
zb*}C<zZe3q_2-JolIgMC^K|QuZywh`v`+u1Gw}6B(6h#v{XvPqv+d&erP@5v3x=rU
zroVrb$!UB$$%SbpT6=N=s8HE>PnDWGnrMFIaGf+*tVF2kT=mGhAqlFCp-MJ-b$N>>
z3WZk|D{=aKKWajpW8!i_dD$JK$%`FLkS#t*MTu8dWh=$qXzuQR!-vT|gR1FR9}RjW
z2yri(Wlx))4$TZL7^3R9lUbm7(WaI}6RrWy{24g=TuPhI;kmd^Z+ow&!JCn7W&F`b
z5*#ntN^+)F<LyOubZh&yDeRlmH=1OR=UW);ARf&nNSNd#(S7QC<Ndt7H}-z-m@TAm
z)LOEZI*nJ@O8JYSG*`(=)#(V9ySvV!qN0UhL~NrBrX-!H4ofQT?=sNI501X#ZZkr^
zL$%mLv(g=LK3xbV;|wcd8CF1)0~ZS<;S;rD)3p~rH%cxk9uAwpAWOA<lzQ==JU~k#
z8PpXd$SFyPM2x61X7z7p9L*51Y7?af(tUYZIB13_Nb|mHYZrlP6NS<XVOx1DUP0au
zrkzw;E);5q1viS^StR%<sw_Fhfm;j;jllI-Bbr}x80_RWN!SYIY0N-TRwFwT_>&Ih
z6=GsbZZ01vtQ#z?HjX`ic<PO@=Wb6%(!E+sGPXD)%*uNUsL5}8L&}6i?ct<`_U^QK
zyc$ce$8ODKz};>3P*`cqY*Md)ZeP3irhnjDT@mRz{0?@`*5QkLfKF$`(IrbOFV+E&
zNXJ~mZm+Vu@SbzW@66%y7(v6eRoh+7s^C>1+t4ZEG404Reo)D2cQx^Vkn!P;+TR*L
z`cYmW;;GM#hI5JP<SE54xrfreHN1OK$PV02vjiWwlC^r8r>iTTw%a2LVEJT|lb6>>
z)k9a~gmFI|aY{#LmDyD*(h1Ed1*<C(SEizy?%>wRcZy;qok31IYh-rm*_{T6tJd(e
zq~zuHj+YT0N<}dkI{Xf+>d|z_{+ii;tB)=-ky(lMng}t$Q4$U~1OW>6qf^8%G^UPH
z$)>NB@;6s*C0xLT1tk$ALhAA!L0Ch>2#L`TqYm*EBUAv3dV+1a*K#>-J)d6Ko1Qx&
z@M@(8e#t&f&1H61@cTB9#Zpi((3H(I{AIiPYq#6LZIMr*eW$6&(JaZK`mat;oc|Ua
zJ!T4*c_?B+m5pa1oAj(hG?>oYhNLFT){#tL3(Nl&Ny1)KLzU!xgG*X@s^IS;sNrcS
z303PPnp|JG-5h!%ov+uz#OvaX_wc}Nx}>r{FAPJNUaV|zP!BR!+<z=k-V`giN~*RA
zwQWNE7L6hhJ(ZY*i#5^Ah8A{8VYo}k=j+-gOW8;vgug|UFV|xA4&n#h@v5mQP`v51
z>Q@>|gszN#3M;F%l8km@BNa%b{%W*1FC2MVgT8-iJx(93C#~<bpwYtgyVME2Xb;D!
zx|L7Qa9XShYp}B4$0v(o{l4TawZ7O&o0oPHrs}m?%>JDmQ&tw{vYzzbOPkOMe3<FA
zqk27?AX7FLa0x!I{_TPo=5I{Sh|X4OV%J#m&Od?a`fBSPRU@4w4pP&zF}Fse6khMN
zUqM@~s1PL0yFVnoW-o2f&Jn!?jPYP2bKlEZ^naXRIJ@n^zGT8;BXQqe4^OQ$caIO@
zA58<?UJjBGSEvW_hjc$zMQvmHc7^42yz1N;<bhNP_KM=!hDF~$-?+(T)1^`|wsk+3
zMRv&`(RTXKb&XeA8^pMaZ|3KurE<t7Vz8r1nyx6W2U66D5R;B_ED5uc*Wg2x6d*s^
z>^HJ`NO_-Y@wHXmJ|0{+$-pS*e;lO?Fcs-GQXCG?F!_3xz{^7Dd}?DmUj2rv7XnBV
zCQbhwI{C4|!}|4jwSf{r_hcnjXW|SsbR(}EtfWBfBJEta2eJ9A$tD_|WNrz4yFO>_
zBn5>Oqpdz)2tgQh_TmJ`NJ>W5=PXTv8NDCSlATM6R!FL&J1+roOr5q*1qURpV!%>Q
z)B-Ms{_Bi_s!D6Bq}fcN$tY_f$jD8JIv#hbq}xayfD4>1VaY8-#Qn;NtPAlkE@8Y5
zfw|N&$l}3~EjwdJiN)&TJW^XsK|%zC6sHLd2&Mk<pfyme0M-WXoaA)BXfLESMXp*m
zqH5$pnp;+A$RCgBEj2ilL?Z6o-X`G4EyT_JszEe%gGr&W;89oSC}{DfR@wpq$}cUv
zq{O@I9!DGMfe5@fWxEFtKb}jfzUADKOvFeN6Mk^JSL1!oz8G^2CTUvqGAGEKHoxx1
z)_V40#RK?D&c%gEu^JSJC0m^~jO;3nrF@E{w`Hr&YI~CJ`S;h7GM@Uv<lsP6OLl2G
zoI@`g;!IfR10s1>u;0JvYe#2BS7uao#d^CE8Lz@khHjrXKFnB=!H7r2DwTt>JVdC{
z<P*kwt*IZgwy_+_p;Ywk@u~~jc<EKK9!XZ4+ToD5I$TaXi|S43<Y1BcrA|7TJII^}
z8K;-I157dGJOAO7+(~(*GL+dg*S6hpVo+L2lm)Jg<?keD<jT|>0(WRPOk#6_D~DaD
z;5}2=Ngbw}@&}1>@Hwu+9Y#-&R7zxlFBIxHZ(TBS7)iY~-r@s8We)7#6cONI3F7Y6
z1kxW{33BdJDG%!5z1z}C47o@Uzt{_r!b<yzpz3~$d_RPu{4yWG*h)dZGC?iWaa;)i
zQYS`*+wd?EyLi&cfPw@ydL=~aQi$012-xIJsm4?1TUgm+V%S#V+jB70Om{AJ0ZpAn
zG_nwlZAzwQQ)(jSAZ#q{E~e}+xXp}tXy8M!p!1VjJP;_E2-}i^5{4I+hX6-C+`=^3
z>40b`2^RUp10By}QCZMA#8wu5;l<%IuJzOnc0@Nu%B3V#$EHpe3JX%!k`0)(JlYmf
z)?`!I@*9iJk$m?k44_9zpTinU5lZDD_9`mZM^RQeqFeTADEg%uv(GV^hPs>G2+2tX
zF7l9Fq2%SWEWiJk5M&7zz-G?vpc~)n3h<c#(B=rt9Nnu&Y<NoU-{SfE^|me8Uv^RJ
zG>17=1^E#VNq22&5F|LyI0q|_8Ca=dljGs9{iMyfTYhm2`v@hOB0*DBZ>O3(MV*l+
zwfb)+x72zVu?OAyQqwz{B>MisKKLTFhPFCSm@Rax6^-3cTK53{U~>E#dSUqlYv`_L
zrlD+aV~q@F9gn)SXiiHUXyF*wtxjO^uZ@TaXHpTEzN5|wOdl>|MnjL-6kVG#%e=pJ
zd*B&trZ-wW4O6UjmC<{ZMeI1L*YgP{hzXPef8qJio_9ilZ(0WNb@0=uXSc3yQ@)Og
zQykTs=_dDLSYV??gWwOsMO!&}6;Z&X6`%L#V2&o$$5Rn^AGUOJP%zv04(g|d@J-o0
zDg~&jZceGKr7j`Xr=JmkyWXkB9&v9mvVGdp4#{A7a^qzz`s$6EtS0UjRMqqCqf~V)
zNaLoffip#GFl#PW6!$;M)o)j+Fa9)v)m~6*#TxCN?mwI~fPdYHz=!PIT?b0jWa10{
zs7n<o*N9?KItU-?{_sRc=aMd#g}r-cwwB67XtVJTArf*nqX*>yORI+Xsl+)u({_r<
ztvj8?R=SKglRH?bRCt+WLONDdqBpGZ8$1f8M8jOUj)#apDy-l~Cc2b)p&RdlM%8pF
z*(}W3p2JMP!+&>*>tA-mV<9F{ZB>X`K*BZ+inP?)Ypdhdl>^{}7YC}->Z_vu4gn_V
z<D9Y68?TVBNjiguLJjS(C)GxRwkR|-4D^6cy71T^g%cJeW3I-)F9_^i+*g$j)>?R;
zW-$v76%!Ki&9;Dy%9pPyh7z|CvrBwX7l61$P0?BzM32Xgj|5+F*=NdV*8N+{Q`|WC
zyd-K;r>9X~ZOvIN+q5s&q{WT@_?f(O_10FFiiey*^nQ|uNt3a`e$;304VOcG-Sa4!
zc|lu14TYWZ=Vq2iQ9Lr<{${NR>FU!hOfid8Nm>8m-Q-etQ-mOQ^iOCx0{mG&v4-|x
zID*}_QZ{^(%M6cRei;>Z3gE7P6%s&h%l&D`?XT~FksNxUWe*FSE<jR=2xpPmBDZ^{
z?VWj1{iD`RC17Z=k-5UqsrEVV+W~Lxf%&W_>?q`f1@!JeB0N=_nJm2TD<?$srj)@A
zA>Nv@P}<SjYN}RnLrN23#DbjVRx4Dxo%3kuO~n!MfUpw$7Ijjg5v%p!4~TwTTl=_#
zFP4Up$t;^rNy;Gw3l6geI+TiFFx5y+Q|$Y)rmBLOD^Yr+Nc0*-jS(0ruo|ZD9J!|a
z_WkC`e9t@@Z#EUA=+&Qh3`4Zl@75QMU8nL(yuw;9Ka~-K1hC>_1t=(X4&r`$*-9q-
z0`4Y8OfpkT2cNlKCVR9r`K_;FSzm4<Mxn+c7;tJWey!G&YaoUUPFPVxq#tbN^epbN
zhUWChu617DvV1VTasadV<Hz^6&Xs_s@{$fmmJyOQ{k#s&)#}1Z#fy;O9aMwO&J%&~
ztENtr;4PWTz~MDfLB_guLz{$daMKB*#O=xGk`WNA7B8b|B`YtF{k`%2(7Aq9@9CQs
zC`!d1O@JV$*2FNnn#8D)?tE^spi%`)i=`~So@=4cesGJo=9;qXTN`;q4Jcwsrj526
z8fR$RRGV0o%VIaay+|hdz(ki04!$E=Z=jQLygPO?`T(Khv!ZvnFN6dpa|Lxf|0Gew
z+IOEX?}rkOLGDgF=a9=&xcM!@a@ol>Ichv3U((`*@55tIYit^4wE&^sz%&`sZqP@T
zjwN4q-ry;lw(&NWS}e<uTk9Yk>0Dtz{8%3IJ$kT~TCnDB_Q-O)(@1lk)LIC76Jkni
z(|=&dcze@bc{6;w!@f*)!femt*1Yt7$t>1yiXBh2{M(x+Y-r9I`@wWdqvK5{#9?6X
z(=%b+b!%b;gXQ6ov*V)~h)F%B(RIM>y-rCxY}$G)-0RKSUrgv=K{Z2k-{{Bttz_C1
z?-U{oMaR3t-ERc9DP*sA@#v4Yu|G}V&wKcq<`P@)UOFv$cZZrEN>q3;Jn1HVA)o{`
zO9%A;UN7BTrJ<M~zTO2f*?6H~(8L}0?aBH>m5t?<TAK%B^p2Sv)CokspD8X#Y&&?b
zyd7UVKi-~F#7msBSLTH{ixQ+P`qC8z{-Wy|Eq4|CVk)~^ccdjjq6*JPh%xWqTZ(!5
zN5}(J%zVaw+mVxI#XExR)Jjkl>AG@<!lk&seQAk6<cQ*%?@X>B-up=?zP_SB{nE|p
z`+DkbA2zZ+oQk@cg}xv`UYg=dq~1gYDJ=G{ANVyQqKe8n`#{e8Dv6d>A5~511c*Jh
z<IcIHQscpkPg0A5xvfXd_>2e5Y#tOW#Fh%wDqD!BjD{RxnAtuiv%C!v^d0HF^N!ay
zFO4j^EmDa}qLm~j!J0RZ1{3Y{{r7Kvw(h?K)St)!v|)xi!_VR(kNbNK_w?7rLN4Mf
zhQ*x-_fMaMgvfDW5jup!SmqvwRcJ;RMvDEaXHlS|M{<8~^rX|T8C491su(+v6tLxx
zw54(D#?r2#j5fZ~L?ye~Nj<2O>js?Lqn%Qxxv;Pd+9;k9}VhI1Jxt(Ai+m3Qd-+
zv_v>|=S{1Z9I^ZLcV&|)=W|_Lc8~;X*6s7MjJwG}pzlE`dC#${rniKPYsHuI=ihit
zN*!M}aNGj1*dI=?sU1&yq;Q#|Ahl*D0Y6p#%w@(dJ^59~|5lm9bM7(;okDZ-wM0kv
zgjEtY-smOE)?)L2EZ+Iq7k#G4=uK4|$_(0p0QGMNkGR^9YAT#(+9`BC?Za7PWH2=s
z)9|6CCPrt0kB?S1g|glHi(koAZw-ks@XG!J4an=w^<f-}hJmOmO|%nmYpuKsc~rBd
zkf-4QZs6Ht43EtqzdcjxcQ1B&pwlj?0Gd=>!-ZawJ5v!`>c4GTH|#!(+skQCC6m~x
zO-A5gz)+6G!D)QdqwDH3Uy1!AX8UacR-2>=Pvv~t4(>5hlcbt<_T`Zf#;LY+U}-|X
zg_Q*elk9#Gq9{OuDfbeZiv(Hl1=iC^%wa6PLxL^v53~3kjU)wRlPmIt$V;bS+<IH9
zT9#RfVwog^L|+(k@Cs-(XoOcpC9O7+scbyCNfDzZB&^?*YDgoQkr+~q^iNd8dg<z=
z0{7k9XP#ck5un5mN;2fGEAXNYUs?4bB*Nl%pPB{<jQ)m!C)6X@bI2PzG)S2kkO}pV
zWPZNt@f-b9#$PN8$z<&it0d6(r$4t2;ais$7}k8WEkZyZLwzfl1E0{oA(-e)h6+8g
zZ?|JS(n~RhCSqpOcJt9^=7v{%(C{S}ob#kIjLw4)z-1Du-pn*OenOaLL-FEPEtT4D
zc<M|IY+LNrW4Ja&`iNh-{Sr`|I2m3fZ!!gg2t`4Htf5^yZy9s9Q~<tZo4_3-C#U}s
zPw`Y46*G!}AW$#mv#zth4h9LG!$scT_rx-Jcg?LHp-kiX-wp_|{(H}bbDU3GS$a3U
z!>NOmZ@w(cZ4F|1+lVk?#6}<Kb=ZW-w9B5ky|Uej6lgpEW&N3V2+O7ZRDk~d1jN4q
zHpoIZY^25e#WXasC6%7;l<h+_feT9p7Yxtkn)H0wj#FNKecTsC`mNa3n$TY!L%H)}
zM;m0>>g@DClG^`0b=eNQQ#*R4V}&)NR(f)+9|+GoO5`QacGc$$hVPwtuw8>nCIfN3
zdL_zA8syjQn_&9(NK{rhiT^p>8-!S`n|yFL$%QGC#hS*;(|@IFiOD$OaGu)Jp7HaV
z+wJDXB$*~`_bos{+~GjTxdS7nLZ|?%wQ}t1(-MCrax9(2KHH=Igwv59A}y8@jfW~^
zU0av(c`|q}8pvoc#ntgK4zgg?>wjax{sR~>dVmxz8BgW$`TQ%0A_)Y~voc_)$@KE|
z@}tPUK2dc%i9_`*J`RG}(CFLky_G5g6etNGNLV%Rjx;&Iz_?RrBk%k18>KOJf4u15
z561C2LuCz3X`c@PE*_qE$mzEA7IZgPPk$k;<8)JvlapF8QrJ04L#dKU^4ye_r(>Gg
zuqkHQmbpdanDf0~>~5tK*FJxvs{31V&5W-$C;<7h8wSztm!2O&$=_ewK)|~7#*)y_
zl@haaRx$3<d+iCxCFLKtvVlosK$+K;du^ti)omuoz(3)#95?S2tE{NE!WQOsaF?lz
z2l4AM*CZ|sJIZLWsowasu}MSX7m)M*f^Kcyrk~M5Q3)kmnHl*X1g)uc_HF{?mJ<n4
za$NhQiguV(TqoFerd!H74hx-s$pr=uMh0ZKrz=SrdPpP6I3iTl83paZYE>SnR<XPF
zf&?JxX~LdV9-6Q{=fQD+R$)sbCR*tM4`uD#fGU6we?o)?3n>j!d<{8~fSC9qEDCh*
zBX+cn<g&7rJOrS7AK`VFh8`h5Q!pI28eI$Buz06geq0V-F&uZhXgV-S&vR^3$r;$<
zYjG&6tYW1_Xn_EewFhl0EJ@CpJAyU0e4iC7lX3j#0mKFYx+h5r!k4I4=v<xhF=?EW
z;Si@U51rS1Vo-%Rr0sy<m{@ZJUaMHI!Cq*-<vddT*`#(X%QX6qkL8&8&hJ6gUwG=P
zll1u7e2xwmj==~CUMDi~3RRIyPC-Ts2Lr`O-(OSWGTL;=u^1nA_f|P=u0ztX=gAq<
zVxzq^J<mo#h2Ee(U7s}l!C17T5Pv<L@Zf2#vy_NMt7Pe;UJ|lemG&k#KVgn==O81|
z@zMqhpPi)LH^BrPd}_xk@O2M%PH~W;lN~eN%*Sy|8fEdidD}zo;Cx?BkUF|?fFQ?@
zS#J;CY%&x~49|EFnZ*XB_u@xc>!)Cq+#maWVzMZKYYlutj`2^7ZJuA$+o;yYO3omx
z{_us=RGr3!VGI;-_H)F#y1>_c3*kXNG!D8s2!fwqTcoFi%!GGCU0;vi4VED(2sn-%
ze0gfLeqW&}gj-Ip`%u`t<ov6G##?R!VM$W_$Kpf;0Qjw=5wQMTvEeupcz8+`QJ{`I
zWm2-<M>xdzK5-t;*x5V!fagE-UqnrwM!FEcQKmDfF;EZfaoD3xM9i;!JR_Qe?!1=!
zYga==80ShT%awy9{k&|W!!AM)D5>l*W-M{T)X`vg0^Z4m-=<lAF|-xx)QIGx)s)E5
zlx?ESgjoL>%18fK==tZr4ec07F-Z2oZd+Z}8D+ca>u|-JToy44&c`?qV$WKV%XoAa
zwFxDP<i1VP%iFMHH%D&bkVG7Ky+7&D-+Ab?95ANdVEwuP{HB?M7wU*dQ&B8_>p$@z
z^q<os7L^4RS_cQkhsj}Uf&$0CdlIB@^Ai{tcN{L|{g+cLABye=7hyGf)u=<sy+6?k
z2>LLB#Z>VSG>UD1hBBLLL}|U7YsS(YsWR9T=T>Xk7Q=??EeX9o$>cTnmA6S#;dv?T
z&nhFxGgd9@Oq3IH=%B|JMv9^-eMNu?S3UFkz;lzz)&kUo3_mkSo~tCKDP78S6sQRG
z-bID!w4C?@e<Bn2lU&FV<qbDM6cRP$-JoA!C~EEcGe|ZrnkJrw!D!!T<YW##C0eo?
zAb&$Iw7YS&sYGBBu}A^z*;cB~M|ux%{F*^bk&>iWZ7Jc0)m04!=IwGtWq%?G>S8;F
zVYL=#G+BO-^h&$0Tuj9NA{^WWUU6`DW;C;?U+3Z+pgi7#r3%4Ehi><xmP{YJBw(80
zfHR$mY`i+hE{Q%YR`O*p^vva4^7XCNl%Y4>4VCMo08oPbUuqcMNUiha3By~VFP`4|
z>&?bLzH+(`R6fV8Gd(9q6C0w#YjyvzN}cY}b0PzEceO<GB%|O)ry4@Xmw5aqMzwQF
z`P_W6d9;&%<FsW>Uw@|^3gnLWy~=k#cP)un9Zp)<jT|4UhG1gdsdsSxmq?Yhz$j6J
zd6~2oZFL(pew}0Ae)l<-4wb|at+mxncKyl#hyCy3td@y?K0A=fEjsTy5WRHU*j1_}
zw5Yv=oaWLi`a+Xx_dki&T~Wk}VSK(CTs%B$E|C{30u1DL-l4#**aQA{XOO1euhudS
zDsJO_>&!lr5)<>*bmbiOfrf5vQS`jHbCp3({Z;70UU#@yQ!b)3yqjRAeQ**UVZq$z
zblUQ!pZ4T}B1s&RUf8lpkjN;SH-xXd_$V4#vL+TP;FR?(NycO*{u#e?#w?s)@9;^l
zpA~{9SYGd=Dpxwm3jZD%Q@Z3HINa;UEN$WT7eHjaJEBGLI$hKj>`7M<obaMC2KG36
z-g14WvMTD#__K7o7X%Ub2(JnKmBxxF3sb5H{T6iXYLyE0JcXpPF((rpO|;;tuCoue
z{gIgHLgUpYAtPfJ4&Yf7`s~_7y3h16u(VIh?1lNHh2T&uS8`-0m`=u|VC!}02}y~K
zQ#-2wDK@F_z{`+?^DvS%sstp1wf?7Xz>3SG1IjEi2bNit&%s4!Z!6Uqc{PFgu+q@^
zi{-tjtdBjEoo_PIRY7sE@q%rfAUXJ2zbU{`4N)1L4GKYGZ4*}H>4%|fwR0m19lnGy
zQuFiU!!Ss?MN+|o<^y8_cv3BO47)T$vd{H>NZ~N)5m3tUgx9TER21a{0YX6oEI<og
ze5EJd<w%Y&JSe<K@#_}<Bv3L*R9$X?odwsuvh()91FSvi@9u_=OF4j`J?1{v_aoIf
z9j!!zkQB8Xj7jIx+C?li?3JOEQ*~|sj(dhCh28B$(D{6gc&*JLLtiyx$I-U2e<|CD
zjXu3Dc9_2GdEw2^xO;rUboZDq6|LY9MZr-kaR<dkp=f_~mgLgYqs%%-lP|m62fmvo
zX6>PPBS3^i(Ai#{9ryS5zxeB!Xa=O>W%ft3DZ0k}N-D>z@peeZ1qX)&9=(`im#sWE
zF$qPYg!w&ZAE~sF_MrE#m@rfI@7eKA8L*fd6W8SZ^K-4)(n<^_A;h4x|2|kWpro1_
zU5MKPp~-1VyX@}CG!Tbdoo}AS#AV3MMDb4r+7@^0lgT0UXbwGeXOC-8q#!E`%aPNt
zyPGw2MQV8(wXT?!YB)|c`3?7~9*n=m99H`h0tXQw#N0gXt!Z+Eni#GF4t4e3I6k6^
z538Zwpi*~h;H=nOA-v`)jVwq>D}G)%CcBC$sSC<1Z5H*g`V}%|N|vF)(!)TdJHmlS
zym}`Q7QZb^w)rHHngXK*TLg{OqA>tSh?X@PEs}yz;Ff6tR)xD9v5v)H*9Whz(b7i5
zN!v1uUi-V88RVZmN@)LM($0<t@H*P=Gtx9N`_*ENbIVSXvhGTSF&5`&E1n24rcpvU
zqXsxdNg`Ny5Wk{C&*@~<dGJJBhFO?)Nd7>a(8ZCjFZH2&K6MdUoPyvyNjO8hMZt0d
zZttK^YPTdF`nxurj*H-MsK(#RsuUza6Vde9VzT>-3?wuuMRL@3JDX=mEp&mi8r)b+
zA=>D9bR0NebH_U?SVEK=ucs&oS9;l6FLSRx>~B7?v0}Syggb5pWN6q`t$)>@#&BNp
zgO4OB#rD(nAlS>K=GKhL3o6103%F$F-V%s@s$kq(pQR&Zaq|p@NeD=>r$%#cNrN8C
z$zJU(6I0s8TCxc;ryDK2gKwTTRp#_T2RHVa@GdGCn71>|gZFMH-498dz||!KkzR~?
z+r3c3GD~p+Or9o5wD87&f&N-ciB1FoAjv|+XdZB?i#5fed%{FUH$BCSMe03dpCjyl
z@AVN5xRQQUD8MdPbPeD4R5|40Bu+~;GIrM)C}j%|T7eRf$5UJvJZifq;aL26c}?S~
z18NOay&D|5o3HtFAvj#}`+KDD(u$rRm6&MbDFdyR;sGf~Tm~cA?TWs($>XnH?G+PW
zzm<RZ?4_P1jXgh+<NZ$8&~S|NbtjV}`H9EFgC@(nwGjrMVX@l0vv~>Xa$SuOd(Qo(
zhJ3yxla1-{5;nPH&0(ck>+YCA8*2h!nYnvCR^D1kA%-A{wKX@H2aGldbhBICmn_#q
z5WZe9(^jf`8*(qGIe&GIkJrE`mO(Xh&kYE|1IWE5HQcV&U+u%a!N-c`!T!F=V>cXc
zcx_&<DIZP#Jq{OQ@p&j@TU(#7432$hnu;fg>wFT4`3+9h*rNHdcZ|E71&yPsKn2$7
z{KvSDAouz8Ck&OU0OR>~hKJ%!M77a8_J-{u=2orO!@zpb=pgM6;=4+@Rqeeer0QZG
zoy<~MTcb_?-5#6RI%!>Y5cs!bt<Jk%_3vhyds9L*l+|QIx$7r}<~%nai<3Ebzi+a6
zcoH|VL|-2KTKV$H>FG=)MOu9Ma>T7v%fVTGj34*RVmH4(ZV`njIuPAH*W1jfI2V)n
z-?HJ(HET(XkRTsD-|q4L{IQ-Y#V@1q9h7L^7aD%mmW_>R1EP<AsuB6ll55&wl1t#I
zr`PEONx`K9uPE6$MMMn-X|i)Dg$#g{1pl?6i)HMg;hvr(WgfiFL=%xVlGti@-T?R7
zt(xEPuPMxmiv~uk7Ge?#NX#)tE*TlEWmYz$%atw>Tahr1=TX|kNBHm{suxn1LKEd!
zuy7Ru&XckEY=sDfC$Ja$xgH-?v`_3l^KO-;ahKugA8X3xk?UX#05Stg0mDv%ozkvt
z-Ez5t!zE{6%PeSx0Dh+O4T<nDM)Tu!C#A(l%5{l{Qu;*1h}6?Gai@$nyvK5O-rxwy
z!79-eelom#N`2|fnY}llwg}19r}$D4O~*c>#9AB851Mt})%w77KY*y2j7C~vdpP*?
z(aUpBPM&S61eyNroFKH@N6wYKZimwSXo}VcU!ElvE#)Bq8EI>6dD@njJ@OK4;#BI+
zR+h$KwK7~7Xc;{!3FpENm%NayF02>dRcGh&^AiHd60PxWI(D+8<MC)JqT*H^&mUod
zyEilx%>Da@K;d8c>*R;QIJb$+Y_Ys)sF#ylSkDD+o{{H|;nH!lV}sw?^pRX2djzq)
z?&{0T)y_WxYcww4Zf;KOFfqp3@N?>edTtrzIp&+%mBoK-I97wB)aSQNIL13Me%*M0
z?O8|QvEc8YEdoj@OAI?BF%TghI&<<3w&nt7cW4d*o4A&~djQa-OlH3Hc`+Gt1;E3b
zyy|U31V_YHn{PC*_xD?BrqAN_-wFxdAQ(K%vVs_7IukS_r3`0MIe7Q>8j|vIY3)o1
zWBV!f8GUMFvQ<vZY<?{YYq@tHyrfg<W>w!DmPueV6<~cv9+S0N`ec#bCm1DcX8{tD
z<S1UX@a{0i+F@c|jP7}f-E%D-&sZh2(ZIzy&F7NX#7JT0#7Pm16v)bgkRTN(vz7YN
z(CnU+#_vgUsLR}`n#CbVVHW<XMlb?*lh;`Sxk$^^q28>)4F(#hvk;{XRk%qJCo+u|
zIc3a^d2A=i>oS`sBU%Oj5vZoF!v$rmf#ygl3#Nm$UfUEE2!e^tAh-b{sS86AD45Oc
zNkOnP|9AKSntG3}P501|e=kVuX&E{Au`2J;LA$20_|775OM$se4*H%|TJ0PZbP-(?
zb1d1-Ex&&=OLhFd&=qKIL8FeapOXxUHW4n(Zmm`hVUhpC_Ym$_$c%#+>eXlW;LUgH
zg9wR6U6#LNfJe%siKq~`#EL!%GHWSutCRC*x9@$Tl4(jpqopVa%WIjLO+>=v3{HHI
zJPYWp@795>K-8e1X0*uAYuP#j@sE_|$a9G&oXT2D-CzSo0<6VWU&Dy^CF$s6dEI6O
zafXEZRmZ%()f;bmEri25aAqf2hdosZ3T0p_RA=5uk%hM1hAv~5>k1Z-y!Sr<wHA+y
z5TPz12-})KIYUDTxyACG25;l1iwc9~1=iUJW5%nFKdgstwc+Ioh!=mAc6air`qiB;
ztj*cfx~O{3l*7ekiMJ(CC4od^*Z&I<7w)MZ*u@p|KVAky5^XST_WhBe?rPyDMzpAy
zPIGwOsi*G`ThmAyPM(ouUP;PE#<|}XjO(_bvpWvu7Y`bZr@&OCklUQ55s>1rtL<jH
zLMd7IX0SqbKdRj)X-6J9{A>Pu%<)ky?O8GUoMUVJgaYC`jM&-DI-E~$#knT!^AOl9
z-l6uvcek|e?s8c@vu1FUh`vVt+0x;v>ULj+lTz%4k8CesrO6?CY4NY)8jZuVduSpZ
z(dTJzzy?xI=DX!vLGQRk0>tfVHD!nsPx9s0Vcf^1tth*5`%o5#yw8(?r{PJjv$B@T
zCL~U5MQf#E369R|Cj<Yl>A%ZkXP!1v_;Cu>H4f@=^e<NHDa5(Y>K$Z*j?+ytX;gVx
zOoCdiJ9G2MyQY85ON;~3nh4@Po?7~Gcr}W<CJ)+7*H2C(Sop4&QxR^?azj=-YJ?OM
zNAIVbnLS;cHl_^`#G1Rx+;GB+dZ%?R40=1UTk@0SXkL?ke*YL1H`fk>&X13hO&V<n
zXWZ9rBa-udcOXFi{F()0mh)@u_gRVDjr+})N%v=!i^$njTq(b0h5Mv)#PxU`D1zMN
z&A59epV*oLqDEq32O{3(iJ7#BStjs7Ct+S*8j&JUBs3)^6$gqH{P@ht*nqec;@u_m
zsGNB3B&}e{JsJ+_W4Sw!U@=xRIszjsr^2kJPqhamCFKg$?``w|qk$q)%=D)fDne3Y
zQ6PKj>evtwCX2WjO2z|Qd-;+V1mJb(Qg<L$S^h=-CQKrLLny_wpUlFCiC^va>=-<V
z4FcQt5DI5?in&?zWkC?!CpNuGTQ`KZ7_YJ_LR7(cMu-eiL6+EP>1&g3_YfKnOOx)9
z)Sj-qS2jLGM6+n`)6MV4_S>*M@M42`SMJg_pw$RLR*(=;sq7S^Af=7=%W0`LG${OT
zh)ooU7Yy1p7&MEI;|}uIhZlzS>f6i3u8)V_*P=bc8r5}33_7k>otG@}$dno3yTMoP
z|E8MWLdr=B$^Lq~;mKBBrPsQng9KQu7Ms17ui9cZ77=-U91_s`+T{o=7MGAt{r%hR
z#|o`s`<6p0*UVE-Ita_(cWipsS$B?<oFQv#nU&f+VR+dW{z|-@dJKJs8cRQg_Hv)&
z^CoIV)4x;Z>G^Wy-8BGk+X8j=`hK}#@cp<!YD*Ahvbnk0#I4k<Y{e`~6X(>I3D1wG
z_U!z!|BLU<7=V(Xt__*f(G$7|omunBLzz^oS_ZnXQSt6MpfrCxn&vL;`1TUar0EK0
zS5O1;Z%^I4+fkQ%d<a1apg{~8`}`bzbDNJ7gN_i3vC+|)?wR@rIraqBMxaYd5E2Yg
zksL|hVA$wsSTYbU7iX;Dd0b#bZdQ$nd~_&Tx>7CaZ4BfzgZkx8DVSbHncby1peDrC
z%(A}Kl0U#0I$<K0qltZfGzkX$0kr;>$4-!D<%BB9E2IH0P(3!ka(X9h*lw!-UgSGI
zMBl8@L`p+bN`r}vb`tQ`wpvs?nuUh&w5*&{<98@S5yn!GBUhbhCKL|5<SebQoLD}J
zB@>?7?^a_WELRB;QS4{1I$Rx{5>lN4MuH4gy^_FaX2WD=&V)@AWNdC`2J14c3M%WW
zC0<PRV<q$S)3C}~IpL(53F$z!@EkZ?dk?j8``aSvY(}hSSx!zHPp%X`;;v*8ofNvJ
z*P}-r`!cOj$t&WcPDunI-0M*6PQoUSMayA~7iChV&MLJs^d`$eviFV5I`Uih+yvUR
z_9Y<FPq@iIaCpq`SGSnFKgUKF*Ny95w@@O{21=Ex1LlzRe|u9EEDid^;u=B_c5TK(
zzLFv<cO%?ffeXXoD-zvA<v?iSO)&UQRZ0I!9SfL#N?G-+4cHfBq6`eh7i;hkHjwBW
zTQp<p{TDaA^@&RNRFUM5I=;vK#uu`bGMa5$W9mVY$Qc5-9nE3#d{Va466dUP+<qfD
zSCxg4tm#ndoLNkf!2AOt*G<pi);ebDNd*I2F};zsig=}&YH(VxVh!zEc-|+R`kAZB
z{$X5ICk1^Z+Gc7T(1AAGt*|8DM8)o+5KdS!#R-z{&X~NQ-pM{TCv1;45$SW;S<K~J
za<veB=$Swtv*J}>F_27+Cv6@Gi>+9xo0x^b&9jPyapUGH>R%{oS(LyD|2N6xvwfi`
ze`k65a2(IJGkt$gI5o#6(lp0He+fkh8Ui$Fn!5AT#Xp01rIT_pMU+XAlT5pH=dR;#
zOx!ehrEcm0mn@sCho8RDz;W_+?2PZK;cGqnwr91m!avvT)XqBA;jchtPEIMGw?vn<
zb(>C=ct2bn&$n*Q>8{UIoPJ_nOBM3hD_2b$PQ8Qngzay_@mWJ<503)wS2yI_Ahzlo
zAUPV452~Q@8m;sl@NLUMhDJNg>LFv{LeBIkte2IplD;3CL!-DqnA=!qw~G-K7ZFeh
z?oX2WxY|xD+J<v8LM(0N-e|sYuCtu1g?Z!l*n|iM&W%PBb~`7_MaG@F-n`TEZ5rly
zZ29n{_HhG#>EseMjdJTfTJ!B1w?ACr<fPVlQwZnbIV5{Xk^Ec7(>twSl#1n#=7;Y0
zhP3E=beH#Z;*S#Rre5i&8JLoVCQ0D@ez?awn&@ti8B6vP;D<dWPb8bfOk_T``kJnJ
zue0uLkZo!(an2Cn*LE~wB0Ft#mxeFXf_!-#|J;Wr$OG~J>Xe>@7890kCm#ic3_6gQ
z1?+*45P@w<-->U`b#(7I@G}a}F(yt?*7H!sO!L)+(38+Y4(_L&8MzETV$v+#0P|B>
z%%*oc14PRJF9bRSVWLt$F=QRMSg<r<k=p^4brh!oMgvKo`K~$Vb*Nm_DA@v!m7Z^z
zML|B%i3WsH_WoSD*o&~toqr@j?#9Yjsef&T6}8x?bV!cGYQR@<6Kp#PNnx<etuQ!-
zZ&OXzw{fOb{-m_#yeG7jX&Ab+T|%y5)6#zkQ2m27k^%{>mv;Sgg>pmr!*(}n!FjP@
znb;bM2fvw1dFL`tpah0*4!{QN{3%1(f|rAGs>X?1m@te+qC8S!m~+O0qbiO?zF2&W
z<`4Rptt6MBU-qkczivi3v~+6?RG7b?kt5UBZ)5%}{Qp`24i}b$b5NL6?F+e5@nLBV
z#fVuJEvJ{7XPJik6M_t|*zL`6$=C^E9{)7@A`)GBKSxL*K^w7cyX5beamp!}q;Pex
zzn#8pvNb&%%pggT`b7tOpyl??<^xBI+1^?>)kv{eUcUEM-3`^A630#LH}*bxeVU&1
zjt`v%W>z}0Q?d9Nf|^H58N#|*v^VRx-Vd-UjM9P9<Lj-y#@MH6!esh!SwxZmqxX;3
z2I|fhUx;b+hsGhdD}S9OdUJCvc8M~ON{7jkBQUYDFJcRGk^-{um+0g0ee|);x_c<{
zcdB1Bxv58^(b+VZ<N}sd&btwl9iAbpz6D_@2~K?mpY>!av=a!CrPf8}7EqKHR5JZS
zQ!#a8w;=D`H1+p#F_FK^-B*%WR$J@SJyls|x46CM+X^eRVA;Le`_Re9v)c6b!3m0s
zI(YiVg2h$nWaii1@26uBEOa4*EGD4yaiA6aO24H(O~X;3Zs_`lg_O&{V2-#$L<M>c
z2MRShRB-F0qK_JdEhEJ>8^kReggqO?$*MwVS){FrwN;n#+TlX-3oWUp#Fx9V{ynQI
zE0kv<4JR&S{hIE1^9=#23o{Us0@b>DPw*1|PmW0d1t;v~A4CGZ3h-6$=<b`9rvd~W
zPtZn-U^3>wXlco^FUhp6mm2Q{ymTQ67c+z;{HxDN46wq3c#TV95N2FgcP~IwnU8Va
z=sE}m#d<MJokY{PsQdOn<=eR`*Iil{a9Dv(7lY$kWvHB;CBElSQv*Y-;qV)<YcJAy
z&@5HR)a+FaCc<cj<5BvK0;<hPkg&=ICVP*(Kk;%eDD5AD_JSH&Fs(Fl4OaKqn=&8_
zcUcs~QH$A<KMQNN_q*UDvpRMN<QbltT*=cGvD522igZ-LyuR*y{2Pu1TLwEZV*h64
zR~Vixs|)<ITRNWaGKRygMtZ@*y#$Np;bzSNFP%0dH1g2uyr{qCOQ!x!mr>ntbj1#D
zEg`#hyThI!0HL?&94#dwD)HiUt-LHkRNY`Mm;h@@j`p82|96I{nf?&HfkC-D!4WF^
zoW$YY9s)3D`GdL9!8W?)X_GU^o9v)9x?8CHgkQ<_>nI+gQY~fY$Ap<oe^_W^{=_L~
zz|gHCt4x+1g{nYFV_BV^PLeQm0gVnuE))Kd%w`#vvuE<;+r^sZ(LW&PsLVfq#)e?c
zuQa%M3@&!!reoltaCof}!_KX?vJCdSPBpvP%2YsnH+A&3yP@jRrV3+CR%+>34~-`e
zf&WWzlrh6~@t{rrUFRfy3PVW1#YcJF2}G)Eow}cv!E=J6x;txHZUFH=D6?&;_4zy?
zs(}I>d~aR2uD3Fey7uk43~>xjl6WbN1kC_2vg|cjTc&78-yI-R<ybP+Jf44J?v42k
z_XRWJc^8SpdPWg@`60FYJf0Iq4EllNiQQKXXF&F~QgJy2#vTQUL9TDp*BXk(D~;`-
z(>rg};^K(PQD_+l89Czlei))HqjEngK|fpLc#g<Gi04yaVA!p;vx?GPH@xM5Y=7&#
zw=SD0^zGD++v?z%*v%OBeqhjd&oEY>|6a%&`R?Wx+Xf9yZz$+|Fd&!S&l*3QNLX%x
zb9{@Ec6AN%{Y=GESmt;u4pLYxQBq=@=lV-sZ>t**FiG@%Ki1*otQ_*3I8@3?MjKKm
zH2}-?l|S;;Z39-g+sAid_B4sgK-R;+vaX89e(ItA4cFuI%Jiw46%HCVB!M*udTJdb
zn*qzHU_X+g4WnIH!Xe|8Al<;ZPOPeI6LTe%^@0MB_)UmOvq-V%MFfy>C1W$5<(Fvs
zXe$pWY9T`<`AoU6<jX%xfX&7(D;4(S<fM&?uHR3rVqfU|H7<9v3wXH{9gI@8A)r{r
z8_WnrhX7@(j3kV&^Z%pk3MvrN8D4P(GK{{=K%QhMG|Xh<l@{{kI{W{4I>#W(xvpVP
z&vZ}Qwr$(CZQHhOyL(!vZQHhO+t%0jTlIWZr}8Vclar*@wXW>7c3Qf#6BPD95Om4n
z`yqoO`oOwz$0zeFgI;e7fQbc%-#Fnp_&TpMNNczk9~w3-)rkOkh|Nw0@QFeLADMJw
zK}owzZL)*6nCpE^NiT6x>GM}F7}`128~>dFZj5L-SqE6Dc|b<s8Va!{IBuEzpV2ga
zNdgZ^n1J(gh5JzzEiBt4vG}O19lV!|0l4qmWko0?D~>sOpH^dhSekRJdv<MIru^1l
z2=akVN=acw`|km~muLI1oYVU+0mPl?UytF!R2S&m$TK@3Nl698Q_#16Mt!f@`a?rO
zf!yreQE9n3VwV;sGY1;uFct0>f$R7GcHFKKKV^>v{Ee+T+Z%?R%wuPNh1_Yop-*yM
z`Fj18i;ataLo8_mcwJ3trMl>32HNS<OWwBX?umC4W`e#_Uztc*)P86f7$KVYd#zWe
z?D%JEm2qU<^KVVI-;z_%wawM8f3hm=Z);V#T5saB=)FUteF-ykNi1HUya7y3P_|js
zzk075P}5u6gB@F=+9R>53O&7wAY1F4ed&_Qzc@4rtkkypv>g-kR`MJ^m90iAv16;E
z*e*V}hOhdCtyJ|+?3O!_GOuh*RyP(JeyvqkTTt)Zlrp@>rm)YOD)JUhT*cHG=tm$&
zDmXQ$iILw1%B_GU{euS!2Qv~}04ua0*^(OYE1&u;2s;QSeM`?I-3saijioxnd%!?<
zV(&h3cvmA?grIfLMJ<i8iH)LN3BRTx&7ncHsF$QgShg^j)&}NS&*1bpBMq$x+CM`F
zjXf{7?VBiDBtQl~X-~wgDs05>#*I81F3OZIf0;sxjo<L83bNWEnpe_w6d9nkWlD6c
zSQS<-$hylKQq?n#ZN1BK&SY-eXlBV``(95S6hTn75`f2rJ5*q?_Nju2Sw+dder$Kt
z(I3tT)7l}6{da!Npia*w$T)IuA{)K4awtk$@hY<i)ht7Xp(-e(t%o4!VC5786h@id
zxhW(LBL!p}bx_?=Hej`L`3{LlUrCJ^IP)B%G-$7D<H9j>62z;mc;bst*-JMr4AV+0
z(`c~{xT;)e(u0wQUf5))l_wM%H<fL<_-gTJDx${6IU&6>KC?}EsC@nyYim_UPj5tY
zS^w~kEtY#l=nX{;C5N`vYj8ht(>Nwqfh(51zQF5zm&D{jM%t;#k^*HMmgx8$>j|qQ
zZt@KcFci{Aj<b@Mf#hgJ1rSvn!h=hgeoA_^npVa)>Td(aTrM60i7x*e;!x`65W#F5
zMPD2lD(c0vsd#ixYsICD(8#2+U76$C_KHrZp8F@X42#1`k?gNuVe9BYj<WrgdVHaA
z!c@8@HTkYW_jqmM4^t}W>C}!j%o`d{e|Ta#+J{zeDr|F}=KkX`*%<AGe*2`B|AA$p
z6eFd`{<#eJ*;;Jg9Wwt(?T0v4zTG3op=Cmb9M85gwdVbmkhlV3JnPyf!!ZcVqITDB
zM6uj!OvWimNH?cd2-jVzLSX-Wj|A3AM)uSzZT$7)YLUv@n+Eb&8rtc~Gr`*S@F$0t
z&@3N~)lK6v`n+HdRrO&NU_S8Xa>KqZ@cAl>Lf}CF&!&xC>v(j@2`jqYM;&re)zUql
z=KMH1gr`{a^IR@!z3xIvpZKq?>QoV?+uay#IhpIziSc}yggiNj15|=}B|+vKS~MOm
zVOeLo*48&Y<_WC(Ww0>{j@C(Osh|!4Jg_Sgru+L74B=%Kc3rL2;3BO;g7}{r0#vM9
zM=P~xDb~$QAbQuM+kKEsd>2nBZx@F^*G|2KasuwBo>wgq7*T3<%f}TgArwp-l{(U~
zDeong<A~7j<T^dG731~XdaVvM!><muZnx6&zoE(3l6CC3v`$4`?S#Yegvf2}gdgLy
zo@N#b?<M<Sb?Ui%U<UeG$yJtKEsWEc>mgx7PC6g*tkjbv0%SNkl9BF{rrKa^-c4h+
zKEA<TTZWHiOc`;HtHa^tII=~S5!dvqY{e1hjz#}${MHlXH4+nZ5h`1F{sd$ACp8cO
zP>Mmuyy?{(-~{Hf!e(+Jq*kH#-U50RqRYw$lBS$4QZVBLC{jeL_6UfL_E4-xN2uE+
zMN%*S9+c4-4+}0cW$Zzqd?-s-E_e9V6_Ctt(!KMbGmDE-BgpS#E+ah$TY(X5m7tOG
zw#+X6JI4T2F$2R3s?IwCs)BVFr?(5kWx_3nN<z)Nu0yxq{Snx_?3q>H-{zPw1mv{w
z${?}lZ_z*7#$gAPL!yeY1PV+gsps+FA#iTPZW}qdL}*P1Z~KQAhpYw`#Di~Dn$IyZ
zOM;S=EPz1P2VImMw`Z6Y=pz9y4{h8Za5*|Pop3V{r)lDj3<5?NX(G#zxTP)P=V;U3
z_Jw2J-;coW(?+#U*~hF?N1~ZWaM*%gx4{P5NabgLSuDt#6tTIwo)^Hrzoy8m4y-c}
z;s2X#$I)Ko-mT43x*rLKf!3ZklM()L#-_{8fooo#*nRLL*P@qHQj|KUp%uG^*~7O0
ztI;BjZJ&%G&`?l!%V}dT{1!_U#BMJyocneXT9pNK+~A1es(nH$UN*kP+f%cMyS;wL
z)tZLOlo;RDgz;;h6T{<p__&&Xtb@(hmnQPI5mJ2vSq25$u)x>2SVz&aG>R1-g?l8j
zwio*288B3e!;rwnoc|1B5s;jtg*J$gaecd0`-YKYbjb?LG5%ZB|LN;$9f3zn*B<c+
zXZ(J)7yhqfnK^4UX)hp|dV`r(nkt_p#D?^*1lY@-Q#kCiDf_IduwX0qmF8mKQG2Gj
zgmib<nOi_XG35oP#@<0Ig-(m_^l6Oa@&|C_5s}znv?XwCxWv2ws<7aIobLG*#3R@@
z_s3@K)M#t|^s6NEl(rMwvaX@tfH0=>;`*EwLxCbtxv7(I`m8nc(`Bj3W)VS9+ff`p
z*-q3O#qXQ*y<X>W4cFMTziEIFa|^YQr)VTmE!n*m);2+@KYR3nD`@iS&7T=nMr_CN
zlORy0+#&Tmg6g?m_&v8u579{yn6uDkwzVf_jApjXr&m!k^ZL=8wJh@DN%i>(@*CKG
zVMQ&7wP`+@GAC9%I|Hj2!!m0RkL|$v6WUA`HAX&3?I^=)bfhkl(8%BmR{Z2h)J)I`
z;DHOy@tT7UJ;%CAtG+D~EY&O~qUD2ao(LPAT=voxN(JsZ@`1vDJZTP(G7V&}rtZG0
zKgJgs7Jk*;q@!hr;c{w8LQ>IAYiV_iJ6gHpPq30&EeC#oBaa5vnmKx-u12VD`3r*t
zMa!(dTZHo9^fE9omx$d@x->0qR+)QSc~Z4K$Fj~H`TOdM=y5#B1TDu8VuuyVz(O5_
z@j$Y8bPb=sC<YDqr~tL6I)hm06ATde<Viw=WrXmG(U{YT7hAf!iJSiw?Q#L??Y#q_
zEr(InKKP`&m$EE#Eh|DYts$RqDr!u1lLf>Fsc6-)4ENU#8UiQIcOC*m%dyxk_T4SM
zGuR3H#*FP%s3hYu^v;~y%H+V<>;Xfi^UN~Y_BZ{9VIodPlaXYhBOfoSG!q-8oR6_O
ztzJD}e~h0l%N5Fiom@03bTjoHH%G;VX{7-_LGPKD%3<f8Vm53F@Sb3`mey5?R;gHw
zz2(6<-1G0hQmw9gBgpJ*#cmZ`tcRERb9NdXhjd2DKF8^%IUbpbLp5UJi*?=I%I14u
zfxDFy5|(XN_om&On(6UsC`P&y$LBJ(ZEt|H!m%T{{_zyTb%!P%%KYmrtVT6FeUP7p
za`w9r-mFulJ@nJkI{VW_`OKEdZ9VF`?VFFcZk?@daP!t^V9+qGrOD;mfOPZrmp8J`
zc1AxPv(5`YCU+-Fas*#URHM^c%MsRTTSBTY=ftQYv&m%4-CX1)w2BDakiwcvnh(5)
z@g=96$@vmieAtw%@7h$rD=P$h6EzvipAS9<<DSDwYj=y7ozr5C6{l@rnRtPoK}j0T
zW)pJd-#9B-yX&$|QSH{0$i0J-Fuoq%X<j^fml;UgzCKp91F(h_5y5`TO)!j12XzMS
z3ArCF_kWL_N)dvpU=MM;z0c{2W!ERNF%NTnXC<isS*5}GvaJ<=(K0fq=fwYz>#u7H
zc6`g{NUa@^@?Ka}%)ebn(JUu>-5Q6h>f#n!fLgh?Bp2tL@STsV7|AMnDX^|P(}dwV
z@UM}Kg53V;Jv4w`hZYloZevXJ<ZfY+Iam30%0Kc*w)CNC66j~42Az!k!50^!?o?>Q
zjY0{RU^R$u>xq}gu0NX)B_qj{hzfS6oSI(=h)|SIJQ{d#6c9<>ha8I$Z9Uq5@gIYL
zVFxcQd5yNokz6>Qha6Cj$Afbd*xMGO`?c6p5{chdrEjK+$v}ZXh$PXsjZNKSUb2m-
zum$(}k3^bSA*2?EA?h<umDKRu9#3FQTzdGdEu?6fR7TKW6n2vq@a2jPO;S{N1ZiR8
zxBt3w)o5>qfgvwRib5Zz38D4XY&5{8!#8+K&dI}kefD6#!1NRJ73>pFn81D`CSU$d
zvWl(SXU6Ei4MVTv1}x7i-~Wa{PEFV+ELt<o*rSlK<cNVaUMJObwznnlT9N6ob<H_^
z-1L6&KiCq!{5ao_JTY&D|Ahl4-nFMt;vrTFAktKnSD<&M>db0<jqT1cx;~|9tGb<d
zL+`Nr-T)8%V@0Z0c(LPl#-@H8;^o6K?ECe|lv)qb@iiZMRBQbE#={U@(B@|x8n}Ew
z?<^#U&-<)9gmG+>R8p>O`mnd;Iw`IqBG?^rZr!DQMfFJ2=4TWV_8xrTG3)ffx}_(8
zO5xW+mftc@>%h7v=*=H~SIeyHjrIOD;mN}Nqa;%2;3O{xw;*2cjcKu7Vhnn>yDgd=
zwQb=EhLQy@iKcBkH1jqQ3X>ll6so*U{Z=FM$~vJ83_84L;Bt-Z3#BEBDeyZxwCL$g
z6n4QLji>cI;i%A<8Ay4&oVXU3ibO1sdwM;Pi^&eXLmDfKZ#6Rs099$Ovyit~i*Z*7
z5d?|ZIcbFml~H2z(UErj<J2gk#z5P<w+cQtYWW=Mk+@CAL~MiB<{%tIFMqb(sHuUg
z5b_Z$$xQ5_<v^wq5aLZ_a5|9=Z+I0&R^OKY;36tE)cqBrxXFzGd?qr18i425llrpX
zqJ5ShhRicz8%IYFREWYMi1mE-7^Y8VB1+|O9uq#=$paPR_5fRgR&T|FrwcW5_-8|2
z3m1GKA43}(g&RAfcXrWyc9rM#9B5hbR;{UkB}u=8twiYKDV^xYW_$ocw}~vKZ(3!_
z$)F|~bhb@<;8f~xnGXFbV>cnK`Fjyg&<dlNt<VY-qJv+8$T3*e@L)AkYF$LVZJtUU
zN}Xq35e~|&(8UB=EmcO-$H+XZ+5j!^8mVmNa)gQ&$}KyXfr2uBp2d;cL{p27XZ?7}
zK%NX3Nz}oW8WLgIVrKG^&qrclue#!iDQ#ja%>=O%t_JeKw?#$Q>BUWi;wkovHANG>
z8NqqyrAnEb8NfqQlO-G(p8F&`u>ZjVdg%01@*+bByh>tlb$eCB;GLk42#0Z;*qK|E
z(Q+3<?q!u+6-0i@P{tzom1b@}IpdT4yuEP&eE~fSZlR7qPrP9Sq67WGpi@J7g=V7O
zW7%o+@bAWJ9Bv!Old#ECMrPs^iyA$hsO0hejYcA#%W8I&SN{Wn-0|@LUW%2`GdL*o
z+t{$Ev+<4vxXT|+N5-6Yv?{uu$!J&N#bI&k7*2OV6i+YEQAa0_?^S4KW+0rrn=rE-
z-1mlpz+g8OOTVDuJh`7|a}CEXo7pnD-)T-#WeZFwb$;;O?S=~Te3S&4TW~$8A!05S
z1Dv!KsQz{|F%O3)Mu6W29&4UnWOXRs{?|ZaHSV9p^_Y#aRGGcuowyJ7bz_lIFl;e#
z(fBeNyN=mUAs{wpd{`5gr^%GQAWi~p(X_)_4dr;%(Vrhouk)h69<-i6b^PLH8ouc{
zMuhN}_e&r19#v{%ItAgs`YKpnig<BMuWwIlq67|xDBlW5+=6B2B7&F2>d=#GSM@fg
zDM((c{yHY-OC=bLzHsAHql|^dc~4FVE8l894&%E>-3_$F!;oXuW#oV654sL3ZPcQ8
z$%;mcKOW;Zo~pg&#Ta@C_Cr=i*o|$bqxVNHahhw#!-(OfO2Q;cAXx5&0mRsCvJ@tR
z3JIWKfu3_s(UD{BEA8CfSJP@_$qznZ098P$zxCECKGp^2{qGMGKgmy+@l;ax+h7_h
z$^J*8)~wKDaVo{)#>Ig;rU1UXyK7K3yBZ-;(I8x|WpOHiJ{rfR^%8Vdk^`~c^%sHf
z*EpRI-fOR;w$<9dt$G))e`M6!rXr4B3h}gEaavRBD~bmJVn2~DuCgU9L}VJtu<{2P
zd3TjSbNEJqNfs~u|HyIj2(h#4B>Ba}oAzQN1|wz?S{}`jdEugzlGO6dXMThyAxug#
zQQ#*yMwQc4(S`-xs-;(x;gsv>;9*R`aaxHiWwwQvu%Dte*eZyV-wMBg5$2!m3GTy3
zAoF|wW(tDwMP}Aeqj%~vk^ej{hrP!*9((vB_?=ReMtio~0u;j=VFihX-%V(OK0rW1
zKmU^1<%>_O%=!;wNYg!!tpF%IOq>Gn6kEL(yay7HaH&|Qy+JqE&+rh}tS9|`o@&YS
zS{8`Sl9vyVQ6vx`v5{GgW<9!J=OIJ}ovvo&k;+J%#hfx$=mQn4y76twCDC*^v5vmC
z-PV|B1F>f1DvnDK7_?-2gc20S10Y7!9<%^eUvO>1$*W9SA8mIvrm0`D>bNb8KLQgT
za_nd)#Ar4E2%u20zoy$wS3DVjtE*2BgF%m3gi>xP;C_ZGl6#C7BM6b{+Pmw%&fPyK
zVvv_SZjEMiciERBKxBFsT{hb_q`SU3=1ygEsST>?FK~6eF90=(7njOL#4kM9{QT4L
zc1t|gBuj$6JKCtt)z+41^s&UI04j_8@(Jp#g;hrnoh_>3db26btrjBFdSuASUjU97
zi&1Dma(gl`?1$)Wtn>cDFx+2Kj{L)q_SVc-ML3?qpp0U?v8I9yK4w+B9XEgO;X5TO
zWM%j52os#`8Gg_ChmExCF15qYPj#4VDgvSbs%+0x*883_l(uz13hTBTZAs)}PpVrN
z5g4$}zZiVfH|&@!a>p})Mtb+{tXee|+TOZXaSjc_vkjyn&Qp(-n&skdecps;Hs`#d
z(R-HScdHBeix{anqaTRedl*h+qZhPuGgRJeR+k0Ez3@<!&7r>dN6euYo&LcO90wj(
z_}y(xVfVa!r$k#6fnINkFpL~+MyCxs7)S0P2+*h^t+hUEC}aJSL>@##AN{Z1Y{bMn
z$g0pR?{sESpT1x`znQcz$|f>K#j@|OD_l?(oF+TIlQtnds~B;^`jOkhK4416j?H^(
zcLOBVN`^U%8QNr8ZYr)FWpLP9DE75Op_NWzQ4VaDnL+$B1k+V+Ru>djb=9+`PfSPp
z)YVn3LO0v!u#PSMMuZWJsHo12&e1?VTS_8VX@B#X7!*eJzYf0Ogq|5<%4>-l3->HH
zGARH8N9n<&JK=KoG~uwdi<g!W5vCqmje+@(Q6xGwWi|sBR<S2w<D#y*)<j%OYGg>`
z__9sb5wpU`Zd9E8TPi5Fa=9*-BYROx89IVCXW8Ure-`P)QoZF5-~%rkmR<c3l{}Ti
zLdCz&wqkWQ&Ub)ob%klg?z4;0px47L+W%TsrZ$lygmL?4)N84RJ~8K=V(85&<<Xy<
zQ)k?~;%1$16UMJTkzsHf!GDV{EU33KOm$i+IBoVJJxrD<z+>^05!9XSMe18nsiPSW
z)&WbR_;~N!Y4Pklv|<#?a%Qos7N{tGSDDk*FB^P)klh~-q_Ow6{ZZ^zbhS{@Zaet#
z6$o9drcx!4&i^K@NLx%7ANVHE7q_qL_WKb;W7h@@<_W!&$^$O1QCAv^1(@>vPM@t?
znDyR*c~Y0RM;Pc%>fP+4Oml70>((Fd1(ln=*kjMZaD3<{`(ceqys7uw5-M$veuAci
zY3S%rq%SD9ba;+b{mbQZzph`m>IeNy(bJ}H78X}3-zY3-RsxBe0bs-G{@T{R1IeAt
zoa1_RyKh;3_Q4}hMWQu&kNHh1yL58a@bW5&&8jWiMf=)ct`37+HMeMfn{C?+7i)PE
z!cx`4%XM*I{*6PBdB4(vKdHDa-^X7>L6#aIzd;q~CLjvtW~iCM-9FyXsPS=^irvtp
z!+pKTj_cedMg?%ZE1bk!cMu}P;C&V6j6~UTquy&t@Y?EsCieEG@%7;h1tZ$_?22YC
zx0MQt`yEl_=P-DDXB=y78zbjP^k2KlJL`6u$Znei*{wG}&GG#kCLxj}Pb|+|Uo%d-
z3KhBP?})tff~%XC>F>6Qk+9*;a|W;LR~RPjF=F1RN~J$Y(&)@_=Pe1kpVP)MxfKki
zDoMp%n=(xK@nUEVOzO*4p5%C$_b*1W{?EK425A`GALg{<DI}QR)raL(SX7HMeP-ng
zMER9AI{{46GF<*1L@Lnu#MYx=m5EOAJ(qvxf|H<<u^^fvOV6E53=%!MS*b+v&}i6`
zuwln%PQ|v@?ia=(feDdA6E0=j;eN|GD=+yB-eThI9|b)o%ci{x+(MOAMLfeZ0F#MG
zCCDcl4ZMi73)(a%{dHK(lmBkLIzX$AqN~PAa@21qILJhyesWGaha`4-c_b^}$pBZE
zo)60y+k~%Q*tbPCWp3->V^YIWR`nn7|I0~=uK3=o+9@5Jlw^rBSSCApA3qaTF+M<z
z&}@H!as3#f9P6cA8}KUuKJduMNJB^RH}N{5YL#GD^35#6-~B&36MW&{$F!s`b=7=S
z26y}K$2S+9^)@e2V&H>x`E+n)`pX$napG#wwMYH5ps&@>GV}@#Csq-+vavKYN}m6J
zT>ztdZR~xTa$Q%mpp7`U5on;7{o-Ty%lb&SE~CLLlCMWi$n;Hm`+98&@w~F0D}}P@
z1mlyAr&VDWthRup8gq3}USB7i%k<G~%|G~~soW7wp_jlHY)m~<go0q;<Ht<5k;6yy
z?S@|VrW?i}PdOvEV=<6gQ;T6~9GX|B2kFwCOq&65zwH3s6Sl5e2Wq<D+KRuPOj#e{
zYM~^WV!_g(;1x-+S&{iZNkRkaQ_DM^?0G|{k(3t}JD8?zuF@NBb|J+pQRJLKVmu#L
zlqx|kICb={XStd%;bPIaTH2ziE!RhhY<+oef{nIke{()XGyOYa<S^i}lZ8A_WrmNI
zx<Vr>;!ttVv0~cjtVw5iqf#dG@N#eJOD(2^b`^JAJGdGoSD~GxE2s2WkKP_t8iYw&
zvF|+^0Lk>~E%xcNvTRbLlMKgpG#xOrd^^jk_KmavBgC&S|N3k^78FPgbLddhPg>f}
zFH{N;swAn=_6M7cX{*9GyiNN`me!KYGYF+%o(=1yml7L9!t*3Mr>8q`bf4M3`!}2n
z)O?%1{A)8PX9|q5jmqRnByAHB{a&PX3Y>f$h(M0;FuWwdLw4As*^;7<LidJ!`Pktq
zzyEOD#xQgGB)Y~+Jj*ze1XeZWH$@&@ApuyD8NEtWa+2Lsz@9V~=i_(n^VYTf!tvI(
z<=E6yK8^ZSrz@r*rc@|VP+U+PoPyYt`&4V!_w0SvJyBuYK@UDSc-~(yAgc|^tIkr%
za_f0ho^4#7cFNHdYw;#<cGzd<(*&w&6H`;u;*IO~PoGiGW;G?l$vfcZ3hAZ#3T|0B
zDp0m6ED`acMsP;9J~$X$##bZL^e=q${dO~-B;|2LBSwx4f>&b1-Ds`$jX+W9uP5<%
z19Bn@vI-57;J6`j27|j`zh@pQhl`|OFnx{CURB&Fx=zPCgC_0Z93PhrqiuY2)?}$N
ztMvr^&$EM|<!cQ<D4g9#(%@95v6g6@%(>NihQa070QEIxKb%C7Ud6v;m06}>JR~f3
zlhNnW?LSEWEfe#&#l$%5{;5xfO$$)Q_M<oIKQ_sQoQGO<E$Q3(B<Wuy8L2@3d#*yN
z*2Lzc8e{zG)w63z63WAPZWARYq(2*gHjXm<V>?f+*n+}f+T1jzQ>$6r#}21ufh7>z
z88G!GLh0O;V;!sV0B0edRL85-M`Q2!GPR`mXi!*{lk;bB5+#)?sTvz;hd$}&@TFHs
z7+i0Ky$AD5Ckey*BO=V@VjD^cN-*HuD~kKwZAmtnkvHdr`}iyYq+H|Rj`!u??@y{?
z1Ik@@$yntoGFLv66+s`T(Ojaj>J1GiUdNfyQkg8b_v*IQ!`C`EMtX96&D~#(A>ffO
zpfDL9uaEe0NI5=b{>qey!2V8NX(np1ViH9S^vB=*qEufmr04}74~o$h8q8moRp7V)
zWCLY^Eg#pkE1Xo}$U?$>m2-0y0iCzaU#T?g6FJC-v!Zoq^2tsXLSd~<G};dCr>uXJ
zq;iLG$L+tp(>;uo<)W`JKA*d2-42uaV{jPLS*XV#d2LFsA(@{=N~whLxbqVxEv&u^
zM?7(n#E6-FKK4;Ks@=PdI#m4BqnF#<dJiXE@60H;o;y)cVi{ZX*Y7xfvLeER$>zJ4
zyq$Dg7G2Vmg}qXXj{&c(<8EJGKf_S2S0h4A)>t;l0KN#K7(@v_ca>tfhu3c2Yk=B=
z`%B(m9N&i8D;WDMIPJuL_iM)$THr6;v@Z6qW&M4x_Bg&mZRQT_*+vEz&eg}@fB$Op
ztno}#af2j~NBjEbC7#X~m5)6iep3p7>AM4Mg0MT!CS|Y{7nr#}q*x*Sqedje&Rp>y
zh6UjUft-gHL&LaSeF@rk4MGDdJkJpDG`W+48HYZh)@W&DD|fPzxaCFu$!8CC-hjXb
zi;1xbJur8Sma8G~n>v8Z#L$?CqB)oF9?M?eh1UmRg|Th2Vm3cXs7BDTFwXe|JbGu8
z_CjR(X2d=M4a2)Ce67HHDmgf@Xa`Coa10v>f=jC4Dj~4x1^Z_jeNP4~D+TatENEbd
zt2wED8MH+ONeVrRvu^`51pH3jkgRd%Z_nndYQtnm@)9F9-AU8VLy^jEJ@evvcAcmc
z4m~%z@Q8(!UrM6DaMOddzT5&-XCGc3x2JEX{Aq&VHo7aKb9uOO0S}LTe4}@06zy*Q
zQJ|y51P2O)!&{Kv#$WrJ^Ik6IXo9H|ai&+<?t(lLa1eLMsRo0Bc$o3hrDWkHLoxfG
z9WP(%e<NTfPtkZi+-RPuJ8Q!jOt2+s_?5+`NC>QWx27p^wFjJjn>3QVo)+Azu~>RZ
zo;M<g1PCaXK>X?LVszhHU6)>cGM^NF-R-YmZMpFXov4%mW1H7LI)tUQ|40DNvejA{
zc*e;Rx3saa3Ch9G{Qi1Je#*fT_*Y}06H|P3iI=@_p1xlO5uPT(fzxU}pj=7wtoef`
zR8U#eUusN@lZ@*CX|Wf(Pq=Xyy6hU9S`fHdBrDp3#D2jGj*MYg;M1TX!gGyQU+Mj%
zRfK|at=rcVxtv&7D0wDtCSm=-4<^_uOQWwS%<6VHg*Zo1aO^5t?a1X6z}WJSi7KK>
z|A>-(*LcD(oS^Yy9}{MZaT+JL{c^UmKG<<Pl}rvZyZdZ@@pk36E<+xptw$0_{oX`o
z`akk#Udfv{8;H@>9}HbbdN6L=_qFjMD+R~nmH1Sz(Lf2d@kfOTEW}B_s!0)N&kTW}
zZCyHO`yU3a*oetVd&@J62_1T%yP9Wn$?C;81d~Aw7*dS3Xl%pigL(hK(dPd7(WrWG
zzx_R^ttE*lRKQ^5gaWu?Or)96RdOqIn;;8BAR9AQi1rTVCp6oW?sZ!Tgk6WO#Oz3<
zj<-g_pwe<KKn-VO|E2tipIvP9_<GM`QOb+ZW#gFln9^sdl=z-7N-K^f0)t8PF_1?h
zt1T>}AFK52MaN?J1NX#^M9E3(dIZDZ_&Y1&k+H5RCs&D_BOmPYOBG@>D|p$M>6sPV
z(POZMfxG?K#8jGaj7UqB5_RT+2~HLk%dx8M++T0{{*b8$w`RK^WU^dI1@;M0p&4%U
zOc#zXC4+f{$Xv2BD{#BJpmS8(Xt_7^EKtT&Dw80^|LhLZMz6e$wPfQa&$w!sC(jO>
zW3(Q)PN{Coq%xEgIP8&xtL{tdS#mF^98c?zwoRpD>khY=Adj_kBX*PxMK{iBDdAOZ
z$z#BQNT*jWR%r>Xfgx_uDs<wFHqVHt6Gs|yr5>N&vAAvSR_QZ)@p0h@4Mq~!AdkI$
z48TVAzk?-VP-!@_xUXl{j~B1Q2}1g^(&djP7}A*cCHW7=-*PomkR2Xc2IHrtrgZJ(
zkb^-W^DES|4Q~55IlTyhf5yEXeL_&JYGGnMwOUOuxI8;Z+CVQz^*j*^e%_`{z=ct3
zAR97-H7zDuTS$3)(gYbZ83}O~$MJN!t9dXarTTg(=0axFJ5OPX<x0xFxs?WcaWV~e
z{np@{N6PW2+YJ#IXgqum=<XoLKb@53nD%ZC2asedun*K3b(B;|?iw}-DhJ&>>4vU$
z6-d#P-+mrvq%GNdPkS`n_{SaRE^ng&<Zf2mh$r`1?IRZ~^m>j_yU$GBR!m=i(hFPZ
zL<#dk1y+|r9Bzx-vGPDLplPo8k-cDhcbrNQ6=FogRkal4yE(}}S}kVvdOlglUE5l?
z5EzrMGfcr!5`-wK?w_>(EeHn4lRqxzwJEAKKhR?1xRL<lUzlO@**N$C%s@T`@0UDe
zy=io`D&+58JN%xeKS&@`xvp;a*5oN%-&&NBRq&Ens%_i>d|jg6ojBDUYqD^Cu3eiG
z8H<Dl;pQPwsNO<kVZzE77)~@g4eqzg+$$<0in_KY=SNh?jQ{Ac;2_W$Gsa`sYCuD|
zzV=PEp`hF=v~mu5t)YdWqX9$bn;pp#J#t$=jt}~J;TD{71or)vc*?{)I-O<?a&XTh
z07mZTXBFd$Oob)eM!CjV3oe|*=EJvK6O0OmfdHSOSPQOO0iA*!B84g~Z#FF>GeTER
z5P}Nka0@n>7}bFA`!6NTYeZz3fTYD;tp=Vg2LxbTZx9~}A2W6)DPl{7aQjg(WTO2T
z3|>sluGgWog|I5lipxP&f4qPaOn4Jr!CrKyA*3pS?t!CtH#c4K)_AieKu%0Flr}g9
z<DX8HJZE8je@O(kyfz_*e7778+B#$nR&E5QUaL<heh~$PxF9KfVqd5a>F+O6Il#GM
zlb1x3sw=uMQ?k?s9(Fe;ye9H`v0j^!7P-Y4#=)LEL-+`G<UM5u!xU{vfEME|CL}ID
znVaRevd{f2yF|+LMibKa*NQ;O<b?L~O5Gu&lD%CyyvAxFQnux}c9WOS`>p%dhHo+*
zl9k5FL^oHRU(?3RYsFmNZal5$A{uz|kW-KoRo@{{;<wi^lPC>LfhEOuiz&zUD%W{R
z;u`>wPRYTpJYSYY-_HGCU*vW6{+ORQMcI9)b-kOD^l(s9^F|I&KXNJ^lGX{MyP+$p
z>YKDd$PnxG<-ut5JjvuMSnxm7kt5jk>bmn6ygayx+>|}h*eQLT;f0>ve&g8XCf&pS
z{?9Nzx_0Wp#LRVb+o)yyHF`l}<kZ~8a4bxZ5G$Sc!c1<`J20So0P*WnlQ~rmI}aO-
z#jFa$(pW>F2U2`K-@=R-8U^wEacAeJmxogt9+>$U2A7X4WM(RB%(+yCmG)`<tKK!<
zdkpH0Apge9N=LrG^*M%F8;JxZRPQ};&FVc!746N3T~tBAP<6zKGR^{7)4*vYNqZ~`
zyF(k*pa=-cq(q&*c?dG3qN~tMhq`iw-~O?*Oco=%b8kh2*4!dpG2_(7Dmcni)cmZ$
zhoUg2iqxtVP4XWJ6Fh#uWIqY^LWA+Yd5VVSZ2F!0WGy&pJZ(rw?)<(5DpzdXOUSEf
zu^14yX#@qOP^Z7c&>?0^Bq*v7V$F&6AZ}YE2&xjo%v}rfuG@ak$3q2XFbd5VNz&l7
z-~V!s%Y__=DOJPwX{^NzCo4p#EA_c#dGh9W?H*31Nu^ZPrg3gX8ut&XBuuB8UxPAn
z7D?k~9GftghZ5|y2RV#z3i3zlnJ*m;>>Mti6#yHtj4t1#8J1no>NG<Pad^>NiXx*-
zAyR9jbCKk8hZ{5DAA~7e7b4DVyM4zB3NR$KcDbZ=Y?XxgH3<!WrJeg<m70f8{H)<&
z93IrH(&~+jR1G^Ja2C7m{cH?EYWc0uy@{xLCjq}=0hZTjA?bCEy>@T$``E>b@{m2q
zXwZM%oGew+QY-YXmmWD>hPTbK5)V(WB@`9f$p^jEr{c2rOKCW-`nler(lNOWV1M{c
zMUzBv$LKr}*q^E>$x;g4@+ct6{=WZ5(0>8ff`WlVP1Fitt&6wwbpjE_=;?q`h|>qP
z;+Y~!8eCtEy#;hoxP~U7l{WIhh@#u`jD#jc1*+i3^A;zC%(!w=UaXpLx!^yb(h`ec
zaq9C06`GFETKISc>M>aLY#ti~yi_3U-1#+jI#I-t22>fi?S^uP;VH(!S=}dgU-|v5
zkTjovbUwcc;DgiWp-m>~{=4`OGW+8r6}0EMO<JmUcS%3QB{7}m0M64}njoW8B~t5R
z;yE?>t{i&?euq(6sV$h;i5q^HBGYUJs5cqy5j;enU8sk;Zeaq-#|!Ei`w(Lf(-=K1
z{^<Yt!&BWIf4t!yx|9O8?N+8gmxZ_v^E$5CkHuv)H}mgyVm^8zgZcK6Tvfp5JCt80
z*FKHDe`nQ}b#8{P7RQDM_oh7+^yKVGt%+%BIoGPkvAnPI7dJsQYL&OIG~+?H4*J2*
z;H{4NUe~Jtj*m8#WeD81DhaX=OTm|}opV{18lTU~Yf;(kI`_jxel1bE>m#I0)}moB
z)cwULY~n31PFXI%?dLU1qUB6Yc|X|Clg&{Ot)GDm0Yv*%7yHE%%WRq8b$=?tBwY%N
z+Y*B$tsw6Hi3Zj?P77;yktXcv8I;>GBSFDDSMQt^CxG8`PpnIrxwKkaFz}8GlPGTa
zaS*Jswmx)4dMF`QO9lc&Smy9iGOBrf5I(4^^CFK~ZxVBXs86Pi3t&f(b$)9Y#QkFP
z1CVolf2yF+N+{t{YU4Ix=aWISR>%<KIefH?N`5a&!hv<YOHr1q0MKaM(oD!eIUU!~
zL`79o$9+3igj+A_?FB<7F&PWzJh)NHRRs9Db{MmsU&hxze<;joC=&JkC_q|T81gGZ
zI9Fj*RKBpikj8HW1k59Xg?OD5C4N=~F`NuSfZui&aPcxgh=JW2&dD)hL8Jl)fsrV}
zjblWB48gBEnrG%N#1#Bw<uw-tz7Bapy~d`DDym7sQbeK;2k}ER5XC#Lj0Aay@bz}~
zZWav6ADG3_U71-Wp#~vQ#|9kkhT_X>Cvy3@9XKN6cHj+Eu*6fdmM|g^WKayoQH<}p
zV6o^f9qZ05!tcERRgr?gF2mkbqjOdbs-eS2r&YmMLg45&9HpQJr7fzl&Vz%Mh0212
zi7+LEh;Wr5vI2%!(j-=O_*U=8*KqhB9Sce+($#{Lw7MztP2eQt^Yz4+f%!J%Mh6QN
zk2s>9vHF!o6y!jf0p(RKnAn*xx)b-lTik<#T@a-$Q?SjG`;?XdZP!_aTJMlCm>6Bh
z1hj($LZ~D;ur1Do$!Z=h(b<O+D~X$K9POU9)@W9(?Sw;mwG@JA00mPafzjSy!1?{%
zFsi#@HIn?&q~(DwP9`sno3|6Y&WPS<Z&h8=96k0lYRAK_yGt&Hko->k;-#1Gy44&a
z+;wnV)uezr$FE4^SXY>bn(GNT2#9r+hMP}NlXyw#D*+BD5JBTq*QckO-d-Il)<R~?
z{Z>#@hv_{`+v?2ZOW=;$_RQv|hdmGcO7%ce78g2O4T+)olDMeTLd3VA%-c_pP+s4;
z{usl+FgTN@!PlqH?20r`?<#U7(zZ>%2y8u0{%qrarHdriN`y9M4^ZqK_2sGA!*@aW
z4Xi_M28xuKDJ&Z-D_US|UVsr$Pf&L6qJRJa%PGC}Hj*ptctVW$)!HiDy|%m$9b=Iw
z8s&ItX+hO6vxpCM#bGJFLrI+W7^Ia)b$>7Uq09yr3@fb^{m(h7)`v|;RWY~L{@Qwy
z;c3;Djs1oDW{i6HlnKciBbx;GdBbLAe^*vXFz~!-RIiW_?~t<Xd*O6bO%`LEugRsY
znIc32lM<nV2qXfiRkm1_VDPvY7-{8F5EfyA1kk@b9(RoDl<V-o`eEk~R;oK~4t+9T
zRCb+fU4#V<2aF3E9|e|1lg!8n^vP~ogvkoxs_f9CKcS&0QEEi2$VjXG>aTN$gO<Os
z>R{Yik$;t>s47?02C`|*J_Ln|S~tJ4GJASXR5|PBFvOtWxHe5{I~I-h<H^-C+~Q?r
z2}HIv{Lutm8a=m!X{P@%I8`wP)d?X@*1ET_0vPz2fD8j5uf*=IVlsXoCAEs}ak)`X
zCMtOx;lE%`uC(zCQWW9T?C(^w5pg`bcwT3z8%#JX9U#YHxl}DtXK$V0q)=cLl0-Q-
ziaBcxJZBX24>A?|>&ZSGQWc9&e~T)RnKF@y`E2pi+QADhPWm9$C1s_tTL6vEP{#1Q
z(_Do*Qr2Ae-n;jUkYwF8g$${mVw!O92s&}!oe!Bn2LcW2Znd*|q80MaTZ@i%sQ=m2
zEO(%xhCSjGewH}%Xui|<37ZZ)ATA{Z?7!k?uiHs%d}cS#qBA50f&^Fwjlzrb=T{@s
z@cv;bA+qgbY0QKQ-E1^M1TD<vB6En<1`d3Dd?*l7ne_`!J%^(XU}K>Ii1HLtwRQ^e
zVeFW0bnQ)UoM9P_A9Z46Q!)-Qqce4hD*7Rv4qUE6(B!2`D*;HnWGXg|mec8ZHM<aS
z8Gx>{UvG&jFr5*~#6{%VZT@Bat?tT*U1sDq5rtG{C5y`#5jY?w25dZaP`#Cl-Mng0
zs7woHrLlP8YSWkkp!fBG_G~N8=z6sP95K7Nd3pPzOYELYfL8K8!dRnXsuH)Ho&MMe
zue#2lGBU0Qy$tHi`9zoQEOx{D(B(TM2_DSl;+L`gR`Kj&ne4jPPu$R&ia6`_IW9JE
zm61|KmhaC{d@Ry~-B1Q9-He{nwijqY;$(&4!!oC5w~wRdKTxQ@o2+EChu_g;U&M-)
zpDw8Hw>*XS?30hXmIp30!(?JG>pWf4ySr3{ly@z4t@SQ52BfRO`{A}cIHzM|C7BKg
zyv{YF2l5v!A4?=iyg%v0ZL5cAeHKM);q1Pfpklcb1i?oCGK$*sFrcHOo3G<{`;_M1
zqhcLRM&ErrYo4u>g8>H%$aULD5<4r9C-Zjm4CHhgV_-Ue9R{;th|mjbsnTiP+;+ez
zCmW24u0wu&UV|{8NB@wKMT80+I~F;-gz3P^<%;TVNK<eCk%ITto|DmZ#M)9F|24qL
z8%;iWC@Tg)ezC5*m#q3e>l}>x`7e64-r&creDK0Vlrb<L=+|E_)FV-K&xTwCa9XPU
znadTKSWX5E4P${C#mWuncVcZH=GXUY+~gB-KlC(^IcU+)?(E8EH6|w===7p~DU|0$
zI5C+;2#C7u)!eOZmqrK-6JcRDBZh;>xp=)rC<u)bLuDu?{z-(y)75qjrr6*@&z^&h
zI1hbDwW6q!6;d>p5hlfgb}6_Eh|7zRoPFX0W3Ue#!j$6OmQlva4LFpyH?oqPi;MD8
z^-5SJV=Znn8C21tjCTJ_zn}7?gW;f|2_61wyLsrix$FEzkuA5gIDz<DN*~6_1G+-G
zSL4}uSNV9<syucs9o(7FNM_Jd2n!=rHonXul}it?F~TovrFzOVn$AeuIjAIuK}kP8
zWse-?T&j<Dz8YB}g2ONau>u}^v#h4K0BuZFq-U!`)S6X&+eh_|@lJ<PGG@V3YD!BD
zZsUJ)S3`q9M%xokr*4s5EmJ&wDgr+(RG8&Pr6h);LrSkz(4JWg*}X3AO<bU~f~H9N
zxQ=`1eNzOZB+_#QT-`h}8FNVXLUB&ZCdK)IRYSJ*Ad}{c_2e3D>_j#VICt6a9jMo{
zqkLQ2nPk|DUN_xHEv-;&i1GSUgU%&RXwh<)h8F+MIxKG|9HH4Jh>d`N;Wqp6o3jIs
zdivKIY4zgz?Y+fqBol!ktG=|OErnzhYE4|S&?Hcu0pHY1T_j2GhL>D<@;)pw3DfOS
z_MjI;9*}-Ajj7#Z!_71M70d!ni%Ixtmb=z+TgQ_;Lfoe3=jngAgiShaj1!)Djv2Q%
zX;jB2T)>Oz;J**LEi93@!RcAlh{0ZY#+3WUDTjWW>sQFG&n}T|ZLGrYV7^5#&)XP-
zr~E-G4P^a$WB#Dj9VaK`Q~zUDX|@sUo^!6ci?8F9JJgjQ>kv$L7#t*~p?_m27Rb~r
zZPm<aWyF>09FRJPN7(dq60l`#JY#xa^@-H#;kPRv|9*PeNpP@iwkNE^kwMKD^5{u^
zQHW%{X_&gadwc!yp;3p7tsH275!=&YK_-VUm91K~KbOp8#ut=j9T@iXH&qLCb3C5P
zW(6nRP8i?Ya|M0VNz8%83YkEsgNS9`qN%_sZD98>5PIQ_h%J8`7F$NYFe17jZs{59
z>YB=wF27o2JQi7JPWfGd^C?r|M2R}=xQf1fQH+0fC*4PO=zgf;uJDD*Nq?0wpPpSz
z#T-LH4YTirTp~%9LQ?G@r07)2RK01yv6r`ICC;%<mSY%$y|jmXp+i)iLReqLrXogh
zdTVW(3m>H7-f!L1Pfo-d5I{b<;^ONmwd%pfh%^5%V$ow;b&5cYpID$sTi|DcW>7~%
zo5d|LUwg?z+MeApeHY<3@-J@R`@pw7{4knXM1cw~aaOF^-RBE$-l&l;x72KdjiS`^
z)HehhN11V6CMa~WTy;h-y?*sCB>9*7+a89-td2=>Fwe6TazOL@oKvtT$G#c;?%+M-
z72(MqxSK_doe-Og>Pc9M(QKHK)tRhBnO&9B88D+xr(0h16;p!Ds10cGh_xlS7K|G7
zFOBPZe>80-Bde>^PJmbps+oRfXpq1426c1L;{ARzI_L5a>WoI-CO|1@*^wjH=rAm$
zgtxew{tYkK=&DyzDj-o>djA<_&Ff_=%_bl(FCivgezwfE;*Zgzr*mm}U==-}tv3@)
zlEX7)&#`$6=$|rsd%fBJ)Yot?b#UXo!nyXmG(Yk8{9)t%)iXZBP4{5XCKRTI$$FJ{
z@AG$r)^St|P^tq8sFv8Af-F}16Irvox2s@De5S`Ls?)kyr-fLpGzY>%s(doi<i@Xg
z*AuO-#!Vdl$~8O>@Tm~5uKZpr9fwQQYo=Sj;q?_7m68hUSkjXeDP$uu|JSA4R#QcW
z-|I67mumTOPaM1tb|vi7Ce^#f6EKOjuvbZAieYPa-g_^oy45bXfzKk}t*N5Vey=+H
zsEPBmmv5I11GO>-+ZsS?bt5|b&Fn~Jv@a;+9t-OHZ<*ih8m6V<pcS|xyCx)Ilx#G$
zb2|>9j^pJ~W-~qO58<+VXdrSI^(wAWnk@qe8#hfWH=$OYmUcKn`l%TTgdIhkyNNCM
z4SSFRc~B=@Ub0Dgq)8VO3;zs)lSfvhq?7Ht>)>C41Bgr=ecG-?xD(^wFj>=q80;EI
zR)mU1w642NB3kjG`xCrT=Bie!MXaFoFr5|bEa$<cyAq#bZG3k}O0%_)`!>7&Ojir!
ze8#z1i?0b0m3F!qX8UU^9n@iJq1yjYXB#Bhg#>rWvt6If1M&uGqIu(dWB+lF=rqyF
zQ>Bm+FFGI?=6B=;4UWp4Z)H;${e^|bI<eNlD6Z4Y*Zi|Jslg5K@K4zvizKf@aBsy|
z0_YDmQE}iT3MwUx19Jdsdpn5`&p~puHH~k*ypQ%#)7JRDH9N*x#GmTK=b;LZeSgo7
zBAj5pc&jHiIa+5%<u9v+l_W!FZ0X9J@0$g_jzq7ckf!Fm+(x&WU#m1T8<Dg-sS+hG
zRO}2$1+k}De(aL3_QaUz_OK2e#j>R_#qD&kzf=#vRQ|5AVyJmQ;U(nPJa`Rdr&yiv
zsBZWHOj&#s*Ph{S9=ll8?A>v>Y3dJ^gHEr@VD}h_7yFToV}4V_Du*4KInVhleu<;<
z>3uKSk55`pK3|uu$5-h^(o_pF^O#xqpSKCd`Um37M#=mJZjN)xs_^Mm@hvdjc3FX6
zfQi|F4G%W~9HadQ=RPgu6X*f9@5AzElIg>R6cUO#j3(>Ea@bNUEo>7}7Kz;+Zz|5d
zguL3nn*dAokvBWRGWZ0REWRmG!~&ics{s|?DNAmTDd@Nzqb9vFLj#LPqkG;wpa=hY
zUH^oPzmzWgH+f1AuG!JVb4-koC9l(*7EGh^`nQP)gN!9j#npSS&lHWL=vPO;;7ba*
z`3w81FTGU#!Rxq?^7F?Ea@Q^f{d!lHEA92)*$ZzDlIe~(!=<Sg^jx^?^sd+P!}y$=
z#&V8OS$=6NaTdji&S8aWt5Z2AGu(_dk_UME;VNi(y+5xxJFDl>v|pIY)TzzDl#mE$
z9<T%ukzp!7O?jSDW0i*_K&bbU!eDOs2oEmWLfhAp^?s=Cr)*%79oP~Bw09i4*^j#h
zJp1NZZS+@Hw)uQ|hpPKX1~?5o04aMnQuAtgB%y(E$iYS*9)bE>Ci5eZ+b@!DCHYFB
z?sM~Ix8*!xxWsKbeausL(_HeW33zyEDkpg`0WToZ++1i-y2SH)^duw%JjB=`;VlqH
zq7WZwu^#mCVu1o?Ny`vs8EVh79lGQ5IB8MjWPi_FWEFgW9r^MP#UgT8-T!uQ$yq*8
zb=<;S9GPF;7`$AUULBKAtM_B2t5eeDvG>t2KVs{=B6{CLG~&?9%}Q>62oZDTOh9z%
z{^-j}Pea_*c3(uQtGU@Y2Ky4dBQHnX5IO{OG&O|;f`Nv$;v`}Mvg&W#zfdu2+6img
z)+3Wjqw&KN{~ERLZ&1f|MofR&ts!B_N2O8Ne{UomzurU>C0wRZYa35v)F+F8cK`8u
z{yu%`EelJ#>Js(Kn4dSVz6+YmwD3z~frpgBB1=(70y6w+!?iC@=v7_Ch{xE)dUhGC
zbNdgsy;ky}F>NG;RGz}DB6SI*&5uVG(D2{fG#bdTLsQ;j({K*O+9angr|;~5fv*<`
z;J%DFx$%_bV~h1lSq`j6bw<k2%;_co87)5dYE!VuxP|g(=a8nsLfS}O7Iv};%=dTt
zSyzZYn=rD>J-Pq>AjuhE+6|$UKh?P7Vw9KP>yxLJiwBW4vCK2Q-;KgtC8>j#26A%7
z6eor|T^I>U9vD$Fn7;n_<&$Uo28EvZh2={755}1;^{=r%>Goj=*li5TSmQxek#e)^
z7(t%#57!fy3<n_YyHm5*>CyBi2NUm!dndv8LeWqHa#$Fy(>)Wy>HX#I`rFG{2LQ^Y
zfi5VXSWndTWl2p~^n0BhhibxaHwBez)Sd?!8lP#TBHHV*EX&?@v#(r@C%MHX*SiT!
zx(Bk{S0rbLzdOkQUkTDmfG4}5ElbmJ7|wrhVe8M&3#=;SSqmEd+`moRWs3Q+b5;{1
zpS@8TZZ3}BFz8?!oB3opIy#m%Qj7PVD>Di#zFruAr@~%}km797b5oQIMS<hVSHn3v
zYep5a(=x_orjp}VB-C<hEB?KuCiWL4J8<As0xoZBZKx=1#XjGWpDUyF>3EFQM=?&B
z+ahNziwdr-zTQGd&v$9mkL;i|<RWPQiCI+ZmR(VQ!u8=tWMWQ^E((--T8o5EBkM@f
z66{w439UERByRk-lI_F0ghSXmkF?Gim7}?P^vz&wSYZ!Yjf{0na}&7`DAz$oJ0y%~
z-%i4+PfFPBn^u)~BKmn4;f!X`bnp-F@6Ve4Kun3=V_K$V40fqa%tdXe1ZVEu1WYlZ
z>PTC%10>b)YgUDy7CtfNgi%!Si8W%|1!CKQu{J;r6-d%dWg8phxi!L)QogZ`qu=&W
zNFZ<st{E>`<e0eUu-&p5<(bpFY9_;{gLTketf*0zF7{JNNR=yYVL_g*u(<>ViOyET
zi+wd9!&`<6r52LfE|@GdlZeY_Hqmye>hn{H@ZlL6Z4_nHO8^NhPV?g@ijKL(orM;S
zmWSV-3#$$_0Zdh5V{MBW_0SUubK(E^g{f%9QLK1&{LcFZjIt16tZMRiPl>hNFG+6R
z4~~iH=;>w{T#bf?%~-}isFYIsW1k0X3bcR=YexR$H(r;f2pd>cxLBf3-Z0`4e3UF5
zfkzJ8b$(TkG%E+eP8WBwjSa4&Ga9-0kd@3`)28^+D1Il)OsV-P+P}Z=2aF?RFkK6>
z7Pq(y!~K*_rL_%A;)Cd72y<G}PAD~r2q1BekkQ`nU2>w_rbyl7g$_@#7$jTM3Ve;@
zt_|u1JVy+(YCA9eUQ3tvp#EV7=+Yz@Sai5pE{38SeYC{n)BM4=Brsgvc0-5n@WC8b
zaGv2hPXFP*9w+|@s^~#RL)<)6xkrigefXCbBJY2UU0rtGFN`lQc6L%RXB?F1_>&4>
zv$E+2q!V8FFGw5``-;(t|Ds5H{JB?*jyt2yjLGq+kU3%0Mm6n!B}D*-UuA(z`BPas
z2n7uHjvL9}zHyJ2jFcfcbJyhK?t9Usf;xShc&2}fLFsEXI4GoqlgMt)cJasU%)bFW
z{8C1n0GI28;6$QI9k?(G3gl1E&YE7I!N~*VbxF|L^28=5I(8>sxU=VdyT*&J5ji^A
zeOl+9@w(eeCdtlBur%Uzbdp79fWw18l2zt(pq(h_b2n5(&jK)--jl$<z@n~}A34<O
zBP!`$H{E?jHF}msLb`vk-wwB1I!rY}ncFmLI?cn~_TpCPJl7y1*lo}i4A+o_^|}g1
zB=Jk3NL_e-mqYrKx$jDsV5%;}QY^-$K$e*_$aK}4zFVy1vOwu>_%1S7g6cVVZLXfi
zz{(WgzBMuPS*s~9<*G+n`0#m}Q;;1mUFi|b=R~T+S#>+j!ZXM3dHVSIc^o0r^^yR^
zCq4Rgr7>k=s0nQ~L4v2!z22t9Qb5e{LODk_qd%zqYWAghq>S>1^WWLUdv_Y_ZKKNj
zba^gww0FHQZ;O4`jQZA;0`iB$?%@odJc3DF88_F<b_>to-CMsxd<`|7J=_l1n!Hy`
zKD<!reNiXMW0-MI^%lmqwL82;?hB}mpSOx$ScG~K7Iq*SCGEuXAV#*y0VIQQ`cC>A
z1$%F;1*<hjWQIx^#PP<`hkdNPfoJA8g1xA>sj04Bz%z1ujO1#6vrf{)f{`3`$W7ry
zq8{!c#|NYRr&zQvOKoMqllM?N>*QGiGqYO!<Xt>CSSnB<kL`|EkQ=A8pReUSejLLl
zsl+^4i5$<E-Cov2nq0uvZ?}@_5;C@KaOHv(T?p(~J~2hu?6~N<ss-_HCFGt{q@4zM
zZ8;7s8OUWUJTUI5+RBnIzG%uP)5Y{tu@hQ{SE={{yL{Y1aw@p#K;egdJc1h)=d4#x
zIwe@V_Fb_nh4o>N5j|Ho4YC6SqQpQ++UwzKfss#zq?#{0=myvs6{rL{eWxK#8`!a<
zxVKcL0+AWH&}MkJ>%~C2C86a$8AMH-;WAz~Ke9MIO`uj4HP}l~DAi@l0njN+7#76E
zC>_3W*Q?jr-9;Ou1OHj4yJ@xXTniKH$;#<Q-C2MvI*e7@=m$m*Vo(ALd&UFKd&cVK
z-zwk%ttQOd0oG`dGUQm%VS`TnLv8>}QY?fd;z3(}9|}-kkIzpAKVXqa?v;byZ;ou;
za!gkM*%+ohyT7mIcdbe}>8VkeQ6J#pVD-TScda{`|LYU_lG0a05<RFvlNFdUhNu|&
zb-$)~;fwB{Ha;!W3fIE<+5<&LCnEnX4f5L^^Z*D63J*;c|4NY$?`%~u^!Ft@!&YFr
z+^DMii~YQ~&HqVjP*9il_505kcNuy-zs47`ZCPz^!{Z&)C89oC+H<YUFnPin+7#3I
z?PMu3)O`=_EltJz%OGDgkI=>LezI6cT})S2<TaTAF|);dv0aBoTg1LsPH&dgbft-;
z3wBgd15hHXyp3~i&dHO!g4qN6dA*QK(Qs-XPK3PbW+#iESU;OOH|M=I6)f`@aiLC_
z0I}}ar8TA8#?;~TYwQFB#qWcpY_7j|8_KrCtkCeoIY;^Wa)el+wPx7|iP=5nvy{A4
z`%kb^^T}6j0MA5_CY{G0TV#yaK1wq^SUA&KSc*7`h6~voi(xtXPI3_gGSur#gBKi}
z!b2d$V9Gh_e7G$Hq}vJZ6XP)IC|1fuP|~hud%UtT8NLb~9`Ua?ZoxP1UvJpI{J5X@
zj=4g=E2l4Iu764(-S3_>RM#wsWajF9S(QRN>9o))`k^BH#<ARP!;tI3BdGK`!))7J
zXrf%|O#RU8(grt~j8wT2T=vZ;!exwuJ7TKsUucNZWadrV?RNd+%@)W+EHjI?!Ke$1
z&?`NP+~o|N3t=aTOdTC@Ia_i=WpUrTIuYmh=YydhNSIXVeL{S}BexH*y9w+RTVpHi
z3jKM(zz0G`<MkkOeT#YB@rev15=iruS)Xnfx2*)!?bHjjJTG3Zear0c+@;V`cAx6y
zd|TtD!?^$h^p$dvL{7euNBL<38<)fAvKRBy3F`CD0oo|W=Oo$#6i2ZRT!_P{%pms7
z^l>Z(_di9=2L+op-Gakxa19s5AyTR9y?C1Hu~yq_kMeSIQFzB`NBZYJja)`sco|)d
zF1E$KH=dQ|&$_cL$kOR0poR_n5j-=GHzTtFcZc`l(Df$nNy=0emdd3LUSTQlAvlhs
z)@5~HHhg>-1f5=wZ|+wP{}g-lOoq*Z*x0}%&i;IeF8-Z+B3!bBmV6iu7&B?U;T#E*
zRi&&|KC4Yq(x_72C{kYdPBJi-UK%Dv*ww|@<;}?NsQvfv7{D)ZO*c0bVSq7%#9Tx#
zBP(m#Q^1X|f7R9EKbt(e;7O=hJEl9tKMW^!d;j79oL}E;0i@zEMSk9&nc4-AI!pa`
z^3$nXq^Iy$0-m!@lQu-P)js(Rpnufo*0)0rIbXPkV!RCoy`oALDgY;%JxyAL6hG4o
z(Sxx6pFp!}Pei5f{;IAfW4`Z-ea|&nCpYX9$SAyX&7{doB?70{fQP9q8r)yWLG^w+
z0$aB0yq(62BAh~w-tG5#^~q*^Z=0y4Nu$Lm<=XAcnpkE*B6PkRzJg}!L0SRALz&G~
zx?tIM=>gBytTGluUI+;d=^+hMHl$Is*LM`L9DX%Z2e|~2o(1K%+{P;-?lY7@TKKY)
z+cn!k#CYC~cB+03quh<u-LBh5S&MWfp>fw&^F+7UsrY~uPO7`%JIK|X(cM9y$Hi2U
z_4S-5fzFc9Gnfi6c4RP>&vJ9LKDg30%9B@{ugXY=CCJVfzGWEAvqe~>?g8Ap(IsAG
zGh}oo9KUIJb8P{`zTc%9HsOWaqm+EAzc;3Z-9aiTx=Lj&TtP*`B>(IAcK0zsgH9j!
zl-T;gofNt5J=>x?Dl4n?&ARY|%Y9aV&l2m$S-5NDXv^sb3X&dfn0{K=3u#wfgJ(e4
zcHdSsvGVha8q%M960(bK(Jyc!)7i+sR?)-xCB4AvI6RWF8o!^T^{^G`LJ+YOK4~SZ
zjFkq9j9n6vcQJK0)lZAh%N{lm%T?9a5d?8*v_WcC+hoBwN`VJAlL4#H{gnqhfq0IJ
z)UWKzWe%AH?sBjj=MDlLhw!fD1Uok99<nk5)BI9g9hV^lk~6hSJ3{>6^6RA3ek0*`
zR0JqWy9bUuewdRyx=dsVP@y@0hmaL1ddh34^)+Y|`B}>E{SasxGqcN~N9eg>rY=Et
z9!+Qx&^_BniSq|5U1~f9V<+{Y@Ti-yh>Y&tk66X5>>`PW(8Ypa8OI1BOO_p-6b){J
zOG^Gf-P%kC-i;xJpfWlt+-w{@|B;c3eD;kWvwtE^brI~(mU8&SG7u(WIPjj$|JF-@
z09$6pW84joE)Je#HUU$JTEJr^ZuIP5{ayF3Wmcy2)Vm)~+e$6X6*ha3eRiFQV1<dc
z9vL}t%H-l(;@AU)ch_YLA;2oaZ;ER0^<X%T8b-eFiyA*Cqa^$sc2y<3dnD<NbYQdr
zpZ~+91oQn79E_WxS3|57j}lW+jFBY5poa=pXH0t6-K#Gc>!lf*tC3Xr=_Z%t|G5BO
zZfNUQoq`;Y2eH<@b{t9VPJ;czbpS`=^D@sNQv5kDe?0;v2W!dfVGs5Mw&#n>vvUES
z2ylN=8ZV0wd;Z~FQv1iDOqH_76KKm}OL#7NANGh#;(4h}^N2^14&PzX9S5#*h~jHe
z;dm#p8G~K}(A9{AgqY;FGo-=^>-NUdz>y6sNgWMs=BMZlH}ssIRrgB!9qWh1D<LK^
zO}IV>+x`HWx>C4TW-1|U>&G$hdT|eKBO^H%8^NO?WKjTm8sm^aYV82*Ek?JMxZfT<
zReF|oC%v}C&E<b0qoJns>BeZ$q0(9;SDLEAT0!WZR9$BtTuH5bew{<1apdU&Nb-G!
zWwfmId_!~3Dr-36I;=E+>YS&(aCXL@XI?A*Ia*LvXTSj*Ny$D0BTP8R5)O5K7IO*?
zO!eM`3c2ZT^S33qrg8ih-@ZnKa24gN$fu#+x<^|)caicb&W?E{l571vzHIE6wVmCh
zArQ6@Qzzr9f_BXg`eO^nR!=3ZXB#n;!TW6*1M^cZQHZsCjlIeF1w8sE&y?wX4&<2g
z7;y1DI=AdyPOAE68gd4Zj^Qt&2Wt#>1;om3vf?Plu%ygtM9EUk^|RUOtE#6>KX%E>
zr_ve>L})7-JS<|E2+TN_psIe)>d)pEsQc|4bJFNC$vItX{}hBlz=UV^{%$dO3;S3T
zff`)}`3=4@M92&mSb5&~Z=Mh)4$GNHgul}Dqm1`Va}-u-&%e_E?yD7Z%JcdtA9OgO
zI@YBD&i=0bINqHkz$oUFq>az5Wb9cES`-%h55i5Vl<J>cjyKn^3#+tjq4~ik!3Pq0
zmlu6FGE7~)AV8B~f0CYfmih#%U=wg0O&u%LT)(zUkWk9$$t&^KKZF=_15AzoW-;v_
zX{_@glWcX_CnlU7r(y8^35+UY^Eq{l?IdiBoSnIG*Tpw_`Qt8cvxt2?OuI~4PeoOx
z?ZS*=XXx!-E-N0~8^HPo5}saII^Jl0y~7dv5*9|tY{1dsJ$Z2I4)UxXtE!*ZUct89
zh2R5{<dYj7f|ScnX6L~(%Z{_lU{+RIik1nU{y_~R+{*f7hr}-aap$V)d0|(lw}4R>
zLXnR^F{OI9tFee?l~EJUs@Xa8l2)p*jioQOOoc4w0vN>lU8YXA>X95)po}spTib+I
zTeBKNyj*r&>o)gd(B8fv-&77A24a<6FVED{zkSL})HVOw!JS;s=8fYf>mTsfsiSK1
zVZlni%*n!iZ1Nw0gLA`Vd46R}R<zFpQZgeQ3{fN`ypbHu)$4nU!ia3V2Ms?gQtAVk
z1S_i@*>@=tl{>vBckYE_jd6+Ng|hYv?Z<7pkvs!(_J6-a6gEuo^yOI|MxAt$2yf<t
zYuh;>gW-*Q_!ZRDP<Lg(-`V+q=9<jlTaZ?Xp80(h?zVSb+V}7MZEvn+bhT`a6`EKP
z@KEtay>m)d>BCWniEzxwyHXa1ZxuC8(p1UrPxp>6wCRF*-t3cYFw|Rjni<BOJ;D31
z9{vf3d!_7?lOq04F8h!_OH~h>Flms97#kkv31>S-KrCEy+>S2g5jJp=l6K7cw0Beg
zC}?SY!J*!o^;sE!9bix*8qDC|4(GwWSkEvg#(r0$daJu%`##jANmA5jq#>l}i(_E@
z_cI(p%xGpML7mY-l*O3no`LwDDp-_nZ`>cZBnIZq$d8UPO^1fh#HBwVC{5Qw4!isZ
z4<769XXkC3Y6K_ZdxhIy_&Vy0XToz~#OUu^=K$AJFu^_Dt`XYmhXm7{Y~_672DOUj
z@`x?uufH|solmAx8V%xIfAJX#uZ`dD?%9VX6j61O<|P!|{8cEpiS`2;t_GwE;`~GV
zy%z?#z1b6Zae;*RG_zDd63K-@MgbmNgi^*qP$9_HG3&pFeDlxI_^xInI|b0Jz6FSx
z{XS}CdnVo(|K4iSjfgET+l#77kgTHTX<M*)56L%3t=HB-Sigp;5L%8S=gKqDuvvv`
zy5hhUMT4GTDot78R~Qo(uwZ4>c4o5XfTifT>VWmdkWNDdR%0kGP*QqX2xoN2O|A(*
zIFTkc>sHOC505%WWzL5U@9VIacj0{iLhfwR@MB@nPZSsLt47nSqj>`Dp7q?$V!?-r
zsVQWDxu>n%^|Hiyzbi2E7Ehl(wVJ#i{<_mAphZVH>uK>ro3_gdFQfld$i$*h8<3;|
zV@+b50<-Uz^FG$!eZ2vRTk@G}UJ)dMZ6V>B+)BJ*6R@=^9uej)kZ`BBK%(XS*kGQg
zNt$I^J!H8f%IEQYIh`&3L_F0>-{Hbt?}{i<1;BR&PST&(B!(tnIJzRczVgU)5*>Mi
zy(KU+=mvKp`<<PBXprAxeitlI@ARr07Fc!r=cv>7-_JIg;y&u?AQO(9c4z(P4M(E$
zU3Do*Ns~I;qx`n^$*8+Trqx$>BODUKi@^p#d{vX)?&8>gS__j;o!_~gwgeYI1pm6}
z(hW{kMe;iPLb2>+0`L{MPcYDOz0AGQqMw@v*Z=uEuP1&*TrU;E+ao|}Yq-zr((A&p
z(^8aAmtTf?n24n-pj(WtQi?-qyu1D)F-V3!x7t`2H_FYG6tns4pU%YV>t+`bABUty
z%STIZXI;OWsNl}{BNJEew1Yip%mct^^tVGsPEurR43bkqQu72}#K461%;{P_>|1%0
zIeeVC)dJ*d5B=~j2DODUp>^s6aQ|W*x>bD&uWPCFc7n!R-^d#2#a%I@eRPw#f5^2x
zFP~9clkc@t;XwjR*KIXv`6#_2oa>+IutV9$5F<51jL3<PIChqh5Ae!Y5(O1lD2*VI
zP$%urhQo$q4lG{LCnm_!R-i{$i4WrcxAR>Q8q#*|Q<JQ^#%hX+PAclN@^>=y-hW^2
zW%=p~w38f=rnf@}$wIx%_gYAQJ1rG<kCrvB?|HY2DD@e*Cx0nP!oSlC{*zB&Dxwz=
zw)UONO2Ej&?;%E%l933FBeFWH#sOPYU87L_p<~U&=_ROtCn2U7AsjP}CAP`ZB1FP|
zcfB_~jcE*LqpHD6AWy3D!1+l$@!M#Wx$Eslr<Z?3Z8ip@4k|QRCPiqG0Dfy~hX1#D
zXGkffv?s5CJo%~cESBho(>&POhz;uGc4u^X&D9)GxQ`2=poS={b<O;0FIWG>!&ps@
zbR7e)Q^{D~H{dN)yt1^(dK%>8wg5*S%+qLS4h0cvID-Be=hqG^osdzF1?B9#cP{hQ
z>oH9;fV!RD(Ng{|WoS(7HmKD`rtyI`J*gCR0xqF-x(X0&^+fL;(COALQb~wuhKF=t
zFr68``QjZC!NL3T2cq2UAeQMGGBVkYZuxj&vBXp!%YFxhftpSu<Dc6HR(F3$$pz2!
zKbjl&0Fho&0$)*S#l_zVlg|j$RxByi^H*Flxv3zE8g1e-`%Ca3Vr2^I%(|oNMb~(0
zHMEvM&8ZLqyt_>-ls(x|`}p|lUoaq3IGY|*@CAnP1%?nB+U^DBTqYDP&`Y$qSF^m=
zu)J5XyiT*cQ0TkDDM?-8da4B+G|b^Y0oG$y*5esrV-CRH(>DxM#HyAyNE;hCc29@E
z&QHyBBS44v<jWj@&cV<LdTEiALGIKV7u!-@+}3>s6WPu{DSQ6;xa)nD3}ac-{X3-I
zW$bp67+db?RXgzUjS<Y8QYm8tc(9Igw>53%_fL@}{%>aTdY1gAV?-;z%4D*tf^dL#
zEJ996n#LDUh90YUKn={>8QkRiBr!DP%KtVeu+>tsi&3KTwayyQbBuSoc1m1p89|s{
z=BU44dTdI)8{a9I^trM+?r>mhry7giuBG8Zf+^jHeSb|y`$XS4<@&n=3@%EHtR9#c
zTQz>Eu5L#Eo9eH(!1Qp>60g6Bn4+*QKsY-XK0vyBtYI+{BJb-f&Ksf?A#sOrzgE6{
zyerjbyE}WL&n8@T=u4eXn)<8zNFaBf9haLwA^#sc2tCG}h)|Eea~miiCRN^_G>m5W
z>hM;wo_Pk(j)yatz-BiZhf^VQ@_HPuz`3B*gHzoh6eSVPVKwn;zYN=7Fo9xdXL_?2
z>G#^Sn>a3=rzRCXPT+`A_+|TFxuoVM2Ek(wg-*81s+bDa99`}d0d(J!21(oDO)VII
zrH77>?6#_n`}+(IW1T1d>%VCqS}X(NwLHtsEZnLxWg~(dCnN`*plTv2{|{Z^K?-gH
z9?Ivb_N=OJ5@}Spgl!}JQ=zD@m+^k*!YO3A$k!Xqu?x%4mGua581+p+EA=m5S7%PA
z(&+S<8w*CBdjWkLo`-Fs5f`#j;U+$x?t60l8d6GXR5{V;qHiJ`{Bj*qz(sWEqleu9
zG!Ybo0v0YOz$Rx=rkPi{=*Ms6h>W{LLY5Gim#Ixc%@+zg?sRMsb@IxOnz1^nZxY<!
zphgPp1PA6k5z)(%iEC-hHSQP$mueXedW@$r!V5+4VK2x?LJW!JllUsYimX1+fc@&e
zjp;p0f2Sc#X_QRd!6C8z8=nQ#Ag_@hO*Lu@KkSI%`}+l5l^EVS#I5!8`l+ash({|_
zP_?N9G>AK|vY_$Frg!eZKmal}Qh1Ju9NTOkFgg^1a*%&^+So|Q37C-I8<0mJ1m3T_
zuLX2@$6?x1{KTvExsuMzzv%g04u(<2@^abKH{5Cr5vL?2f~Ts+2V$ehjYv7c?-sjO
z3{7u!|4w8OJI<QmY5%jI-^QFnim2TN+QGH<<}6XeK|#mA>yfHQzH5GDb~39FXGh<G
z5x~BA>Pn-F7qL*|f0EZ5v7$2jI@inku~f+H|2C^3TLuam!4(EJ<)$VFE{~?2c_ZR5
zx>%g7L_ZB&=RdgL9u+bJlp6e1h=kuKOm%;h^N6Ukm-3qNv8V0r&%gP46_G68by)dF
z{g;aR9Luq<3R@z!pRD$+r?D?PF-V58;%>6m6?nSE*NnbspmaSxF7keTgCq%$9T_oY
zMv$f5=d~b9h;%|(^wJ`cpLBA&)i3lZx>Bo7GQ$wQZ~fS9^|kqPTqb<P5`(4Yyy(*B
zTC@c+mP+Eqc3tNH&fimm-%=FPy~M!`kKEVSVPQ5b>$RueMwz)VFnn&z(PwZ)Cb1W1
zKY-SLL?<CVBMk=Q0u6R_ZrTsx8Eti<qy^}N6mG|B)?(`}fVezR<D+;Og8}*+F;ZoX
zQJOiZ3Lm@W4|AJcmj+{ZPN(j{`5`&DKDEj&)cAX;pMOYdv>BrwYAN;2v*ONFNeE47
z)o#t8(}*SQ8EcO7*pb04Rl09~B|k59^~5>>Y(+@0e@!uqY)H^80x2Qk+Xh6J`A^b=
zlKg%4OD;yxpnIX+#Kk}pRM?40CUF^)FWZ%-9LKv6IohzN-BavwM^C@v2q#`T#&V>T
z2D)>t_q^+8=xBt<c5tgcoKPUTfFpMK;6W48bHb3eLEmDqOy*Az7QPSL^}@*C{W+d>
z^sl%_70gHX=@E3r{x~8v8XHEK%NHxVROd_aQX25i1C1QoUrUo%LZ0+Pv_HRa<Mpfi
z6WMIh#0Nu0imldJE;!Mpp`z=!PtD3CQn#c2^{O#Kat|ATvfJMYvUnh3cDnECiLb6k
zYH&A;aj!PD#y=Plw+|JiuYCF&N;)09UoLn4&N=EN2~Sp?CZX-BB(C^liqz894k@;y
zr;lMU69JkwsI60k*q?N~sO`FDPi-R1+?<eKbBGfvvSY$*U9BdUZ2DWt?^IB?+r4zV
zf@5E36}_D<fyHQWrHzsi0vR76R9`;^@()a;^!UdEKF`@NkkL3Hz~g>Mgt83M+LW_#
zOO@3RLPzX^kU%*tB%ycCX|4bP>s*Y3pa0Nntm9*Bdt*o3HB2`gCSmX%w^9Icx%AG*
z(m(sr_)t~Tm$bKtO~waM6DuUi%h2P0G{^Nj>(hm#Agx{_K$Rw+>4uMI-dRi;5W0sA
znc_37m*O^Azn^<qda4ctUkZUd!!tIHTWDj^kdxqIpYKE&^-)V|x#Z0Tx0TM_3Xj=X
ztvNXDICyv1S<hK{t&_+3y?An)K7*c5@KJ=RP_QkT=Wpf0Kgs$sesCU#7T~DioMdsw
zJUGZbh?ky-7QQQzzKa$vI$J5EiBhq!e8R~CWo<oU^8;~a0hKbf>zC_GGc#Gie%Ekj
zGnHaKQzEEqXdk~?OG>Akeqy83^RlS7^Aplv%@YNE5dPk;FD#$g{bK1Kac`vm?%S3+
z*>(QP3Ys;O7%)jCLZMn^NBBv2;N$vfo5$_+gd3*Ek>`p1O8W9j^|XQTI@$D1^_-Gk
z|7@)fR&mFCg@1Fb+rDicqB&dY15%VlbDL&&-C8hsgf7~B+#}1qX}yO|gWAwCN`1rK
zSLWk~2A6#-Q(E~onM=+b$?ngK^)SbmjXF)VLlh|Guwm+ZY^h$prxy=T<K*>y+=%di
z$4P$8`Y2Ue>Ct>J9K_dDbycEK{!ZWFo#j5_p(aQrVS_<GJxL<ev_k<&MjVO6%Ry~<
zv#WC8makQYllCDD3wML@`;$;7SY!%^iay|D@JtNx?`n+!#{T+tRrUg%KCSnG3vwO9
z%5ys+m?g!=0seN7gflTmoU^J!NMFn8$@=FnAJ@-&F6`YI*~!Bu5duTO7w#fc2MUd*
z+5$ReC@b$Dre|q$QnSxDK@Ps(K?l>f+T^O0%e@{g3aLZ&KIT$?N^>?UFtrX&efk53
zIqj+5=)qVZh=#b<;`x@gFhSCwR>*{a7TbW?fbMQB|KAvnzK5OCU28dhRlaNG`QX$r
z?fFI<)W?l1j@2|)#ysI(_B3aryiB4#fom;$P9t6F#tnq@q42*u=+!6=3OviJR1yE1
z69v(+qfk!jLA8%9%(%EZ`A97kkL#&Q2STNp1lYTQUw1l!?a*YTXiGL(;@>+pG`@gI
z4QRP$Gl@tA$#BQA%|X~%RdWd$f*U>7e27Pr-6Jqx=~NMM6r#$4%jipr$$k`h(zN%f
z=Aj-;aCbJv?n+1eASWcngNupg{s)-A5Vfq*dtX-gecW&bUBL^{dyMfQESp9HsX08k
z>y;6Q$xqqier_UZnGEv{-^75bLauQigl@*wX5QO}c|^Z%Mztg>L598%5yn|WmYeYY
zd_faOLz`yrGD7>OXCPQw(#>?Y+sC(JVK|Ra_-zM*rar!azQNCeW4p`otLr?P>3mFQ
zmHN2b(_~)t>+^4SyXF5@fqc9TxnOe+jipiY4BnWVi<09PQ1iDImza0G9_=%{J}cAI
z(X6yo#O3>1tU{XnZZZgq!j=#-3=t2)cfUd1Wjjykt?BRcb4pa2Mk=U+S8~h%MX%$a
z#mo2lr(LkCH&l^6c!_sOLu5@v+Ty+6|3c6wp+$>7?s=LK&C?g=^ZKQ#;UL{FN(y_5
ze<B{}2M+VHSk`cni2iT6hj4F3tXvtmhE|W6!rwRTi=sZ!ZaqxbIF|h<xElJ~ebq}_
zR66UVrwSo;?8xcL+MWK_b$rZHL<b*V>v;5haTgJ8#gps)S2b+={ItMlhP0sCPS0Ta
zjo~a3Qk_$Q3T;+Kyv0V!6)z1mMe)|t+Ltc6N=7^j^sq%hskhBYK`~v+i)mmG(8vof
zq74cD;cld*F@{C7C9p6W9uC81m!9Pn_=&Z*V_{(eaiQoCiU#9%{rz933|PL*sNx(Y
z#=6_-lGUd&jt;tn*f~YddbGN^e^*|H)!bcCQ(EwRz&jUY8z|(^L6mc`NSls#-LAr{
zUdPC<gcZza<a2KPU5Nlycb`)IVVDlz<l-EY8g0s$iSs-+tZQ+H>=(@KH;64pp?Zxw
zv0{FUyoKuk9~cyqBRj;2?i}l-9tAy~!5pAC77#7LDM}XV<h0kaWu+3w&`tzOLyS%$
z%cV|Z;-ko8DamO2P1~J<G(Jz8Dj4Ozkh~wE@;Y`5uf<SMO}R%uo}oXT6{5&a7NAJQ
zndDsiBN}FPhz_sm*;<a{TNOPK((LsCbF2Up2pdz5IgA8UT7?S7FjTzO($@XcB>Rkq
zvCd<H+Ps&Q9}_LMg3&HHNZQP=0KXj*v5NAQw@ILKLfpb61{FPie5|sLI2i*xk;AW7
zbR5m;-pYTbC85*IF00^jy5DRf%N?|T2iRka^%DPOq1M^HZF$uXpqWl}5)74w<*tuz
zwlE8Fk|xV0anF!8v3ObU1ozLXQF&a9Cr$bscbPlZ=wVTzrLWJ~X`>qa!oGTEk{d+=
z))}<%4iv8^C6DkbluNQRcRwESI+ul<O^lV%5G&3KjV~P5PTVCZWHo_OZLwkEvB%5_
zISqE-6`YBCSlBKqYH#FGB1Sozbi)7J>h>h+z?s<&K>>tjsx$YCnrt~pTt9zC|MHyu
z+1%)-D-I%LP*%xQS}YrPU3~1n7(%Hi`Xm(ch|t#cTM>G$B`lXCU%chi^^+i=NLss8
z#x^!3*76l>ii1E?p<PB&C_3`<>NC9l2`is#+t6w>b?MwO<V^r!K%T!66<Hcf>`X5&
zfC})`%t&VL+FU$;@F~r$iqWElb5EMEq3XJN5P$M<idwm(*Ee=>nsPi<>lko}olAMy
z_gHz4SplXT?0d3aH<Wi!S@hZMl_iSgg{sMOk;5gpM6p#v#q3wY*lJfRrJn5|XUO5A
z9QEmR{V1rDBKkCa7e2nuToA~eWO+)h<V#xJY^B0Khs>}qld)gtPFT`WkAR=>L~S*d
z!spW_-%BbHj|HOGXl5TMf@;PnbJPkA0=)-AArsOn(*i%kgS~zjbVfaI@Ssp>(r8`0
z3n4FU{Wi%;mht+xNF4#0t}dpnr!&}G1MIsa=;t*Ko2)Dd)hAk@5DpwVTkII-sNgil
z`8(}&IElq9S7>=&jmdo2Q^%-gNPH2CFXRX;iRf<{AD5mFk+kpMch8LKEhZ_M!(}zd
z+3tGP_WrK2=ldp!X<+63v%DxljvPOo&<Ngs^?)4&htwG1&|r6SDapcmeFP(R`>i}j
zvn(ao&5naDFpJCRDEIMav!UVtOZj=pmz;4A4e&0EI|Pw0J~F2#|09AeLYwrgrR{ls
zV9mb-si|S?NU`v!8VSFzRjJ>Oy*xsDe;;lF_}`y>b>U05N1+7XMn*P*+L&_5+o*E?
zUG)kKEZRaN9EAg)|HWdo6*tzQ1p2|;5&|-4K8bUmgj>ak=RM1^Mj0Kpf>1!y7+i<8
z$CgX-(U6(OHpt%DLt+6%iH<)WGPR}D{Q4X#5=0go@GgQ8jV)dkuZDRNf#+i%@K-!<
zyZ6*pJHN(kHi$K{Ly?{DU7Hfpya^eH8SD9u;2Un)XtNSegV{Q5xEuQlu<-b{`J<=*
zev19G8n2^D=p^Udt~KNP6*9ml6|>668-LHG4OBP!9iO3!X{{(30mbEEa7=<Fn!*;B
zz$Pj^)o?PsN$et&z~gm4<Nofw2c5RBLV$3)aN4=iT@WX(UCxJ>ndoHPP5etIxak5N
zN%r@%yyFI_O)fxjV6s>wcf>qnhtc63ioM9T!g$Y%II`g&X2XV}-whxcMGYL3RKfgF
zB=V!Ezk7?9n<!m>mD-V)H!o&PHsl-SU_MI2^AWlzbFxWyiv9C1^s8c00zonZsuJ4}
zh}(ZSiOz4^rTR+nL}>z<Gi<$_3Ypi>koPQ(Et%h&IAqhrRtZ_W0%KaE!syxT^RFaI
z&fws~HdsJuIhX2z4J_V6gB-4g^6ii_T>5)`9tL~Ku70p&+FUG?C?1R^hZ_qq@wR!W
zJ)S+;A1~MFt4R`O?0@1(?5)mjCD|pS?PP-1G$hEdQg2k+gJP}#tAhb=7wnly60Qmv
zANO7YdTHD-J~@YD71g3ThJ+#C@ZBSCX52s?&x5^ZuO?Sqj8Y9<wPE>y*{PtBag)8a
ztC<Rb6=j7=dIED&f6jP-uT!L;6^t^bm#-g!@JgeT>a}-i)kZ>3ECawzqm&!1#H!;@
z->-nk=uO~&NGzDddVkeNZ?@c-k=s6gw?|^t<NNpNhJITgfs<nvbmS^PyF0PbIw1Ww
zV%*th$RmeL^i5(*Xk~C#j^c}*cGA(mcxK}%&P`gL<<vZgzV~Z>a2;4heWjx$O=^i}
z;<znAlKiw;u<Y44?yT|bi8Nq!UZKqz1I`xk%K|yx(T<SD>nA1#d>E$S23wI7XURBh
z!A`|Y9@9!sYkmCYC`=<!ygK7=wMVXIGlR{Ttx=iuRg80C!2uW;m}BA;F(MFnbhWoG
zuB{9<?Ls5HUiIrQa@v1JFBjQDVTaDw@?pPdB#+Ni>ys6a?R0W2&$94;Sbb5>x4B2m
z%IVPFd3pv2exoiZsBCE98W4=$uhGXWZhW{@dfwFEqc+&$A&#lmpDlG<DGC@Xa-8{m
zFLWHc%{FDl7Rrk{TUa_?D1%ribDN{f?aKP%&ZT<%)RcY(Cokv1E-%L)QI&&ipePzH
zieDJ0y4h<dHAZ(AB-MMY{MP_(IOvZ=+KnOcb5d}|kaf{hzF(_K@|;XL=Vw*o@)YOI
z6#9MP<tOZ?)aZHqc{Xi_KxIasl!@YH_T2`43&4^(SBmrTG3QB#iOXS^%o0o*0_2H$
z;8NNbrdW}qDLBoq^Bjkg8~PX_s76lFlIo~Vm4iDgmE=||_`Gr7H45zwBkmcBH<|(b
zl@t=B#XT;ek<-BHeYwKp#t-YC!J|<rvdmTRwpWoiJ4d|Z9g1Z;JN(6_lk#QF21-r`
zUWxG!hvP^35F)9IAo3a=EULrkAI&z#hFw3dr?#8^qVQF~*BIa(CSJ&>s+l`)R{;X(
zKZ<_=nf19*A&#aIZa;_5J}?kPYjWJH=MD!cE{8UWr6Xj3ew`a+op#a{DX*3=-rZ3b
zUPWJmjvp-cz)NQCZyWIxyMXuqT!0G{N(ThF`rm_sWcwAWaPFcMeokX1+l3ILikOXr
zu&3~6OOl-dYB^nOvs`A+r0@wD&?M$|cx9tEYE*H=EVG+5#po1hu@A#!mpa5I?>#d_
z7e;ARW8hL(A_=lR1hTF&Qo!*sJD=au&TA-pW=_wPsyZG=TaVzt?Za3};L~(<m=s~1
z0Z-?ajmulu@J>Q3>TORc?Tj*sxnVU+R7*%j{XZA3Q7cuf@7GQv)XC1{FHgke(V
zW_8McNBDp=)q!=W$aEnCRWYH6pgtG~_}z%8Dq2V}_^z^oGgMgGWcb6c2AMk#EsQ_G
zZ~&!uyLE_VEZi_V7kmqp`2^%i)zx9vp%hT{i`si+hopjRahW7d?$QC5v~GEsr8mSo
zjz-w7^LtW%=$*?pn?igRey)$Eq;?~@tlrtCf&iYL!6vrP;~^ig3lZXz(sui6Wps}=
zp55zByv|p%t)|O?pKiw4AV!KrCNXEY6Y_xX=@&{9AwZoJUj_JjgK4`wMEk<b^>brs
zk4*!fL=B*%l|D>jL{jGXy-TR~rghD^Q7vv?V4FTJJ`nP!)T?cS{?y^3FtYP~)%a^0
zDGR_T0JN{$$ry?<il&Y1`|6zL3P#GxhVXq9xL;8E`rO+o^iDbIb7chwiIwLCkoY%8
z8+lM${~<3oFg2aaz*eupTzw|P(?WQhfP9!OvQE;Ie>fQ5T#|&p9Z;E=#`p8IRYT}%
z4@mqoaAP}2WE|yr^9ts_kZL0hl_j7r(aX1IEPuQ!!*ZCZXkOU*2BZaD(tR+_sn;F{
zwuRkwm4Gjft6l!!l-EihpGZ~dy%QaTY(LOu`-~lgHgXS#B7@wbdR{-8AM-Apv%zbZ
zaEPoKLWB=xqE()9n(cNvmx_BUihI0*ih8zJZ>|sFZ`6)khm;=PIlRM)`Uei<Rhn0+
zrdK&a71Qt6#$hGWGL#m4hB}?`!K2FPa3=8AUmo3!mRG;CS1PRe^Y5z{^_ez)x$4cg
zyppo1QsWnXHKgF`)g~XdgaIWv-JGT<vQ}Il=@s{M`h;l9?}u;O78QzEnJ@HnS{!I7
zv<lgf2ybK`vD71)ep>U%m#CHry7EV?wDm1`^bS&N5ZP+#=;`0tpx40uYCUI@vtLou
z6$J(NaFPI=hY+XTO)|I}m#|5@nSM&FyGmxnJxN3N(CZq||Jm&=d_oXYzlG1!Qmte0
zm^!A|rRTN$*{F$xu8hQkB`ZN~^31YkG=gO#ir;ek3PMwta62_EB*+_^lgQpCIo+w3
z>Za93zG;}Mvq0MDt4Rb_j@7IZQvjoPd+0c-t?(+LZi@o`Y=?cRDi*1ta0Na84Kb#4
zWYcUwg-Aln%{spLIVZyHAqk(9Pag6K^fD4L0_2LAjNx|UWO_*oGGYi%rV$U7H=<<>
z%gM}WbTLm2=WwsE3Pg@QFyE?#kpv!nS3Yd0Ahqil_SN;L^SRTuedc3UtiP5HfMH)u
zrIgi#?-DHzpIVC!RhtN-+IVcDMrO?KIL@Pq^B?XS-@K~z#}gGRB8#M?DZF9g#n$g}
zC$f54KIk0@FZ$i|v#KdxjhE3q7;Q7=`EI<z4}A5B$4sp0ryU&k$0zR?&<sV#%y{tN
zWYgCb;+9<nZQhs9z@0P6BQxIsK1u{eYy1I8q-Fx2_DHT_QN`_Y^A)d)rhYlzApNj<
zgnAi`TA&v7{pcUwXm2uE`&hmY!TfQ{4FNPW!azY|gV2r}&42W~4HqQRZX0b%gZy|t
zM#tt-fT~xj(H}RVv^CZ0AQM5o-s?^Wg1v;{8_YD`Vlv25!MV+2|Imyi<_{Nx1<!?f
zLLkodH-EPiYfGO(qduO<!itpbu(Dd-PDKiB3A06*$&o(0qO>;t=%1wc<)9vHlf2!x
zJiawA7C3MVbSCcXP7G6z@Y04SY1UZ>kga(B$Pm6bF)?ltmtOX=bNv=??~wDiciq27
zqnFYw64OHeZ$ubGNKo=-=t<6`(c|CS{u>j0C1s-J=hrrBkDBVv3$hT=@!ek(gFUY1
z8S+yi8d#d`qpMBq5(YnB1>q~^W=)<<!waV!2JU4Y69uKDczwBp54|8?KdjcX=s$~I
zjiuzGI@Q*XMI!LU<xaEnS{B20S~BY4T5LA)R<9L{4{&sgV2b)<8z>P+V|*}%^vqyw
zd41bv_%Jy1%yfz)!C`d)hQFg_|1^p2H}MIYVS9(D{u;VgqNpGnMc}?D@}r8g3WGlj
zg-}c58B19MqACXb6vGlcpSBMx+bcH2IZCmJd7Vp7UpVt8@N^*9uAeH`dEA_6jxXJ9
ziYnPz#>!w0FI>Kt(634!pC9&=zB0rucE}8WyhE0~PQ{2}xU|99)oQ@5`VY-G)`l!*
zN*$dzg=$5H-$v44X*CtIAxEe8WX%w4Wt6C2>{L%0sr?-iHWTdlQ|<c3qrQkDf{*AH
zB2CeLqhT2pFR<<R>^u~I-M9}SMMZ<RL`L`WP{uOAU9cj8;hh_loZS9{ULbDgcpTt^
ze27P!=#f_%EqcC!U(Q^b%oIHLZK8&VP!*Q$`n@*>Q`GG<8W^n6BPuMD%}(t$-@5~N
zRQ+BjDZvAILk7cVFG+NM<atqfJ8)YF1c8XCNzOqowIFdc`0BK9FDEN3uI3$JV9d&d
zxgaCx@GoC-d_0&o4PeR^o4ammr%#f*>a6W>bWmcey{u8S_w^<G94-dc+8(*-Yzs1a
z-NE;Y86a$0%}U&uno-84!3gyA<(%#vOu{K96^7B{8P#r4en6Z^9<WfM+KHxbcEA6N
zv_dFE5Bxe@6tcFocwD26Z#n;R9OH82s9r`jW^OPJp+XtX>_OyOQop@-4wdW*j&^%g
z+|gV-V>H0DTtydi5qpm;i#8oEZUz-qukY!m%UHE*ME-?<h5pvUdD6lOV`HCqeP+Jb
z%(64xB0o=Y)=lfe7w)^2oM;EdCu2kp7XbS^HQwLtpvD%vuLugWvn<T~ywpUxk;<+@
zyvYBL5<uBGQL^~7rQmeh8wrtLzeD@rypx=0nGv8gqg>zYB9W2GK+egv)!9!libg1`
zWBk!ixVeels2w<&ZEDvg;Jt3_nh><q`%OpaiB+!gpwU|+Biutn!TH;t7J!n|wNu_^
z_k4;hvFA3?{?C6Hym1BA6DV5BS`otw*>%HhOe?<xCiDDs$W2nG{pzB+m*PeV1$yUe
z8OtF3cFl?gcMeV<0^UKiRP+0V213WL&>t4#M%9FRQAn9JgA4&A7Un}1^CP%MPx^~7
zVVJU1@#%)dyMHsuTNm+_1T#$ytDQj=L$fO3IR1RnAAyr$?kXNz`6&Z1sBvS*BWIx^
z>)5ZmrDTeE%yV;u2Ljtw6vQaTS;QwT=fRa#vg|^axZ_|!!`H<x%lryyEYa8ZR-<1}
zu+S*3f>1-m=9pYw<P*2wOkg#B)(feDPBoH=STRClZiRZEszoHj?71DI?hbHhT<J^C
z%=G`TBBu7e+J_+Ez%y#2?sYoys6#SdKU0`-$5G61hMJ4+D+S=~Ww50AesoGE^>TD*
z|HW016H?}_Q9X1e`M8}xCGkrsER&2PnYAt$K!cZ3SC#Rbv)Yf{r098Gf=#R#Q8TJ3
z?CdWnlgz)xqrC&f<&NDfty5TM4Y+PQm_DmM>*T@<q`wu`)u9W&193WYKufVQm#exG
z8b8?OH=QAa#jxWTU<v5!e+g1TCDgw@3EoUH+54I(fLdZXM=}1Ub&`fjs;Q2s!I61A
zZv0;OPjPQT3Rn!tt@uOS@FLxtWp;B;u5U+|pXL)4*(I_Y>YTTm`17;{;)m}WbrkTj
z<D`tbB2K)-W4|CpUe^#{ww<vhFeUO31$|BJ5|210{5lXvgFBUJ9)+Hg7X>XN5!AjZ
z?=IM{-EUfBz3UxRQJ5G735Im-(}4TRr>2+>R)G0QS|Z0r>G0}0oZymL-24ZQO+IaZ
zSHapE1{2O_@!KuKvG8fuOJ<C5SMs4Z#QOb6AK|lg=e*K5E&MH4x1##X6{%Ya=x!n?
zoI(OcZ|w?%wEz(kOut(oN%?f*44_UsKpr!zHIKh@5<;34gB{D}HiL?ORD8T!7R!w}
zQb6A&-R^47rSYYGwySom8B_Aix0>$!`o*Kp?m$3b9j=1DGpPp;1zNqTNCe%)9=+x9
z1%FcK^*k5hTxcsgC}#KNT`amX`*&Fr$f2`nqph%7T?(mad6?ZD8RzLl+;VIQ=xgso
zAn9}p)rcD8wq;4_xC=M)O__*;zAi2pC+z8j0Oy2&K@|(>cH>+0N~<Nkm!D~@tC&6}
zCb~+lmo%6p+~?^nT#HVZ*&d0_|L?J><_2VsA@lMb?&LVFSi<Oeo?38^cLNT{S!a$A
z41?0%TtejxvRClkS}husp4!{#G}(IUh?n0gqsKq6?Z$3!RoKjl`v^L@z0G6Z;@t?p
zfYtpm2xx0ew7A=&B<F9OS<s)+TO7ra0-pS0?t+fC{+eoVb_R6uQG+_Z?3z1CWa-3u
z_*pb2f2S>-P3|3tDP*|0JnbU|(`X>#m)eih#?|ERes5oo7i@-IPl9XwQK=%oPEk@_
zW28G=hNVGSgx^&*G45k93_Ha{J>vpE&Xc{{nl<TymZha#pbR?K)*4P*q)Td4diVZX
za(r`>$v8S?g*W*!Rb4O<)kb@kHljUCJUCNYyM+ZYotm5&$B=!Iced+o@%0;ktbcLd
zC(Tjc;;ZOaqXOkIEd7^oCT|#~m#_n~PBx@l4wYO)Rij$9<hjb)xk`l-$~OXw>aG
zL(4099b7m_Omz*#m>*wXrRd0g)6$j64irqsA6~;|p8BA;VDUdYRTQ!M(Z+92eVgZW
zBj#ef@J6<ee=TCODanyozq`p<-GFMkdbP94<@4$|CB2H}{Dpqx3L`E6&Dj*kwkmpY
z@~@^Q7K*@+f#AHa(a~B8%<h<-OBVay#PI0vLVb(IIzADpas%y)JGX!_YydnIUNkza
zG#MqQh%ugm03n~o&e#pWtXHnISJQ0pl=e(Zs{HjMZ~HpUS(gJQ8{sRM8T<MAds>_W
zf`p2-{oHCJm7<(j!$8m{=Z<%9Q(%jC>MJ=NTjxCrO(cP2$jmP$SUqbam9yt8Am?J*
zxqBz$kq^8A0@74vP-833SJ2JYN1k$uPNJydn{i~%SMx2LRwPwG1F}KKh(O|<?chTT
zwc#eHazz|I7xH*}gsLhCKm*12ng)kioL3&H;Lj5k%U^$y)_NXyJ5c9VP|cTrIj6Do
zI#d2hiKvZ;>CJ%O4CMevpKs<DH%sw<oSt#EIYu>lXh15cng3meR2iPpNQzwT_9oPl
z9{tk@z+p+JzwB*;BD*vsF&QQ-eB6mv;X_%D|A-FNFr9aDap6mE#*xbr)H;~cP<sa?
zeQW91G(JgUm0J^QenH%bL?`}ii<^74oBO)ky*489YBF^HXV{==glY3*&c+52{U2o3
z$cKR}EL~1U*>8`K82`T?z3R90W|(OdK)s#q=4Xh!pcp~*w{%9-gt(*v=Fs@*CbfN!
zD)rkAx6+}|Xlfj0tnm_qmcW4^C}_F#5ba({`Fq6NFRrzp^7RJeN+^_6uKYJ+8{d3=
ziMLwQmwmPhYu8LE%~S=R1ZBfW!f$gUfBCSQ%Fxd}ruS=h=p7O<kXHtPUtkRk3@QX^
zSLqEe8+7UKO$QK}xGh*rp0X<W)^*MOW<emau$*xl2)BSUd>*9@7n)K_hQD5{-@tWq
z$g)T@<UcGjNu9TX?|B%(?JB!oNal#{xdn(=wNHXrP&jxG8q8%P>H!8E<2ufRV4u<<
z#{dEGO4^P9s~{`}3Rp5$#PQ6msqyUbuAV25NS6<zW<BEFAFUrM8siRhY5L0Mgg*d6
zy=6!!0<W*bU&F%f+w7w5hH$DFJ~SD<OZ+UQNDC6G=03Gk(8o_QVwXb{JMNKTWWV*m
zPZdy>2oiWb$N6^P!i;iRwO0sJP2IPJF@&z528R#d_j><j(}0>mQ}THPvOEGcVKR19
zTf&d#D!LDU=XDqY;VAt1-ID+|R6PX73{Q%k9W%75Bqqttpx@D7`1cJ45TC%^|LGU?
z$!F`AE9mKTX!ob#4ByYb{ClvHrsm3fF=d)mfUc~nlwb4RvT*xjx!uo6av_Hi3;nd~
z%Je6n#)txRi;LfQqc6f)q@qD(5M{-3@Vpwmsol2o^Iz3!1G9*GtE5*@^H2*QEX*FD
zWDKeCehn6yGWgSM><@eB`f;^hWZun5DeCK~CxB9Kmo@hX6$09oY6L#%YBmQ^i<;e$
zGQ`(?9zwT@Jm$q0S>xx3`BNIX=&Z-{dL#3@Q$=uMPh?%?MtjN6dPhTPy^Fspl=G=y
z!d$6~fp7`g49gT&{D_uvD|J$TW-6nn1t%t41jCxCb>`p23y&=PN3Ht@JOmM$zH3lQ
zle<}cKgvTjmqYGMQs|F|r56y}BfH>$sq@%ykx#a}T<<OJzv+=t!;c~_=e`dNDw~j@
zW+Dwu45a^HE|{|0yUEw7qj3`axewgm?j~;gIDU%f`9W#(wUpfH7^_k2?a!}z4m!{c
z?HV$boMgGq)DR(ZXhI!2JT#@T?gv<+9E&MEh%T473`LWLL(sHP0LM{-dH%udDvI06
zhyB&&L!%A}4EKZHXsav1s-2mVU2X*C`>e~;MIOVejS)=SSz`rTziT)4d<y(O99Psi
z4OO)Lu$Wkv)w)q56p!086lS$1ee4B^=ROj>sjTPy)r4gPlCCmU434sE+Nd&+qfpO)
z5wgc#2XS`#!Yv63ODP=}SFenu+G@;^JfV^_vKpr}JNfkHFA9nG$7~#4Uz?1;qU+Gu
zTHm+cHah0yNQ+hCLB3`PllV}#AA2H-ZZS7Tj)o;Z9p3>pcaypHfFA$TEMLFWPBNQq
z`-)0>a2LnxZZL9KGxlO5>GsCr$kgIJhapA?s(BQ$8DDm^ppGHmio&!qnu6N%UYcdz
z#u`7B><{Y04&r)}Q}E$015DYZ+?(soSUUqlG4`tMzwX^Cxxdm5J+Itd8U@0uehXHg
zKF$4_T%bk*kkMu^cNVFAwJjbSYqHjsTvK>_Nehklj7K&VAimdtR@#^!deGo<{ShLP
zNq68<+WuP)CY;xuD;O+7UepMbh+?W%Q<rcL5=ot5+$36F{#`NdBPF>K;1Ux=*J)^r
zL$lIJHarJx6mYSh5ioZ-uuB`XnnNtL=X1A!)c!>~(gdZlrgwOA=)D6ZjvK`+IB~;L
zJ{;<)qF0qxHvbb*H33UC{NX7<_mN}HNmrF0EoA3h+C8*bN3PW+7h_=#W5hjz`J>8B
zmjFo@AMuC>uVsONBkLvanARDp_f8z1uMQ@U;lR~R&}bpkpH=<q!k1g`K^#elEX>ev
zKd19}_q^H523uY`7=hE#Rnk%-v?YoVtpVt%EMwUPi7Mf{Y~lST*@Y@_nVtYP<`~$Y
z*vb{POO^GD74@@~^*7Da$*%b$f3SSVDrkV;EELBs%tx}*cIFnz!OZEr0iEJPS7fLa
zv@P6FI-Q(<ZmCRusJd=C(&=JG&8_0k_)3k1P=}*Bbruip?gOWCSTvS8u;fJTbV-Ws
zx6EOB&fwYkv_y-(QdCUwdRH~C9}IrenbN;DOR{zMu#4lUr_$aH4iR(lX-3N+lybV3
z&O<>qA3xF`5DC4vEuKS5ngb8%vN81wkd*Oxl>}aRsZ((gZ)KWKMy*N#CZIz=H}et?
zBxyGW{RIPYlg@39antmslg@9E25OQAgu)s-Pn8gH3>Ec@KqsrcvY_FiCPuvIL*6+c
z{$qb<@F4e<f5Ps<D!HgMnK}4@mmz)AtDD_aj@w^-*b{E^d*JD5<I}NmoSGH97X<n4
zm+U2}RTs|~ZTZ~4gg<p|MC$7GxAu>303;+VtOo*#F$DuvhbBw4aZOI|=NQBjH%_ZL
z(Pu$Luthwm{@<fU(*?{ao?eI1&1{6X#DA8Bk;>tOYxj&98@gVr!Bi?~{kKtG^YLZd
z@p<F%W#h=>s^jCRDgI<E|75I47QVY~R#5w4!?WkxBg;Crn_HHCuc^zkY~&>|LC7aB
znVsyhM&l5)u)uC|Yrkq9b_LB_MHBMp?9X8(7t}R*xQ9$;n{ft+GA9d=`NqU{zV64W
zDCW^8$wGTw|D?P-!plfw$%Do+z0qqP{6x^cKJJlS3Sd&>7bQTV>99+u!)hC8x+`7E
zhymrNWBHFI4PW+Q2a7*>7GXYkN<o->hFvg(oI=*!V3#F;=<w63ObYx)0c~lgr`dhX
z7E-&F98g=n9I^HY#2cyRV82Mb-26wPvD?#Xv*WIT;&^Hsd$=Mfb@Xw9ZjEjqdH?5X
zvN^nTgGXxMbzuqSjw`dMw3GxpS_Wr|b8GPsOMsww;qmPg1>NN)SvVY#Rsyjr-LtdS
zp%;JPXWJ+8ekDoVZg`&AWc<cuz!n@~PeLg=qpzfoonlV@<mf;PZ@`T>*LqtF3Zvol
zOT;Lr-RQnm-?5eTnC1SabMIeudkZ2LLOe5zb@mbZ)H!Fn{%OPG(q@qPa1-qItM|9A
zI_dDSirD=tId@sHc}#h^>u93~=Nr?XZEdXE?~>m_gTn2B)?G0@Szd48t{|h2x_mPl
zmxaYsz}ql?R(7n6JnA)&L}+^d7s?2)H=`VV=?#gnbz!e2ynSd8iU3TK#{N`XaQOV|
zrIKF(t?y-`ZW>FhsvbrTCY&y9SIkp^8&kpcfMfT`C6~@G_9+e}?gD+nv8ZLG`)i*3
zVYWX0iN`jUy{*!FHD-N!ebkZ+G!E*cC<Sa$b&1`=)L36zTY^QEU_)Wq>b3Z}u0`;w
z8^BO_aj^cu$b?ppynueAuO-pZ(b3G1-aC4mxIXD(E}u?@N1FBf8{rD6=x?Vj^A_Vm
zQnN-?*O+1Yt9j+A5@WtkPRgnfA+HG_*AMAAVbyJ*)ke=S#7c|p5;%0Y4k2}%$fyZA
z+<_BOR*Qr_guE(8QqETx&!C};;KiZ|sqhW(Tk<Z&JfT$4u$U;;b@(lBJ(5za@tqsi
zvda<T`DIUOjQk*<!6;9d?~KP_!gRD&_6~}86UXZ>95b%Ln|U^NzGW)WcPiT)EDp9h
zIgL*smgL1HEm7KjdTn`VHReB1Nbj-HG6vDZtB7?0Oh?XXcC6Ga%A~uD&G?zWouCH@
zdBvI$QPBP#w9N)OfYE<o@W7ZUYUQE!0DHpof4Tl_%#m<s9MZbd8C!#*n~-sDG!Cq?
zPPj%4Nfk>EdmhgQ9}_d9BH8#_fyss13tP$IQ}IZiBL}41sw&7Kdt9s1!JbCuoQ|_O
z@OLEfj282ICtr8wo|WUuL|xL0ZmAbr^!=N`^Z|l1k^AsV%<?z+@r)*h7qQDUqu?-e
zzwoewun^oy8OyPs2!oL7p;F5{cd@zl?U0dL9b|k2%NW*GqGiT+XODF*y#mo?biU56
zyRXX!8MNq%<~H{XzFi@QA{ckr>&$E!-J#g{jGV5#Q!f$j$WRG#YWf=%e3nbUE|=jr
z6^)tDL!ym1?Wsa+mT9zi4d;S?&`RU`^Se(D6Uag?^$kjbzx$;9%Lu4cyCmLLy;6I|
z49n<vQSrygB0aU(@H&`*jH_Xy@&fyS?%lpOG^Db=ImID%axrgUX@6N%WSv*4C@>Hd
z9#_^zo~d!jXmP4g-Ahsx6(gZ(vVy*Ts2(KiIl#+}Z5~YoIg;Qc8@)>5bYz>#*^>Bi
zy}!rEW|P|Csu_koZX}Jnme;O%)QO;gSv-*tqg-zcyuVULiyq9`lCrDUEGV0qh@hWG
zO7HD7$As_x=x0!^Ml&mQy?Yoo7`L>Og)t()XM7&4h7c!_TC9Squ{2Hf)1`yKN`Qoq
zMpT2xmq3B01l+i>vNqD?EB4HTOlD5p46_Hvkv@+RGbT5OJr9*#j#@6kbiB9ovrHWR
zg(!F1|2vuhA*J|d{0+kS^F0OW);%HQGUn#EzZQxwWi;K03DgKbsys2Ajqk;s{-&k(
z(OSOiMTmAK^P9{>qsR-4&Y)Ao39K(MIS&jBxwTg2ex_aOvNUY=G71zL1-s%5rMIuT
zzc_svB^?Vw2z<MP3`RxRt-N&7PM4Q=34qAaadSsZ=O1R6%1O_?ceIrnNQH7Wq2xi&
z@``)-0l7!c34fiS*6d5++(Tb&2&7g+>fZ15xXIggw|laiJh~d)dBbV^7~zlzdevDZ
zcip3O@!EPfB|-IOQ6KIKv?Z4tD{WM$WAJ{*Es5<1p|x6a3|Exc%<`rRgSyb$ZVzGw
zB5pKbjiY|UkvB!adzqaIj3c_Ad@1<(qE_bn%YK}zDF9*C(B~Ez7`HZRtVA5JSK|Ll
z#+5;Nm{=K2DCrg=g8I+I(;XX)A#oU1#jdbZUKLvn=jEz`A)yqklekncebPha?D(EV
z&=2dQ%IGo$ZRc$ro+ApR4U>W)*uI<rk@pUMkZ#aK;0x50op(|J3;c(*E|2n@!cq`i
zYM!*{oAzo72?r1!X^br`FA}>Ax#3&m#hc9JrYCNxSO~iUz3JM59pCQ@Dzq-83&xma
zZESX0v;GBoIpWmA>*DQ_6X+DstN-42zG;k_IM>pVoi0FzX}Q_pzw026JKB2EIhc>)
z2&cK(KYZ!1+cJ2^Pm0%%8#^%qPQq487F%GuC=CBe_TBPK0`i!DhnRY9jGK9$J6n`r
zut2i3xe@dUrg!B$vg2O%OMUO_TSUIMYp!o-rq_fJ@HPZ$Q=gUq;CH5{DNg-ykRRJi
zq1$R`LzZHk?q1`*(Q6_snds~7L<w_NlGCByBuGSV(ACp>reIgb<O^_1h?zv#UaoO8
zrlsdumXLOHNxq7=i5oddbc*mA-7UELiTmz^Iqb4LjlK7VK%0$nBsgdNsExTV8{#Q;
z==6OewpO->H~;R6jclY;qko3b$6OD8Y($c<df_LDHnY@t8^Z+~M;!W-AYD^|d7oC|
z;uIU#f4xKc@-B;VRqx%EdKpXd=x(esTwJX+g+5Z6p$ktG1Duil1ezmNl{wbpOs;PD
zUw4H`#0@Mp(R9~zWF<G&Ik@(KHCEBO5;wi0`X0c(vE88`2sTyvhMN0LH$}+WML3UU
zj#}&&4nK|0P0`B6Q{_ms$|EI{7^O2DFR-GurR)n-S>QTt(xQOG>-Ag`mUCGL3sXhN
z<^hs;?z|V{4j(4=O8d7hM#&A&YHbXE)<F5-7F?UJ_pjuGPhv;Y_My>FGR3QYt1O$R
zM-{K3vO-8V&#+|Vn-rYDr`yO=Mc~gGF&~J7RgMv$s*A++?xE9P>NE!q7i>R`JyYr0
zfLz|Y8+YJC#b^?4CqO+9PE9x$?HL(szz@dT1s@xmhH8P7zM%qiW5pEhgAyeskLzcy
zFka?zw4F=O;CX&xcmCws@aAfMl`wK#JZ@FhMwW)NL1%GSo8Q&vPrzu_M20~a>$!(U
zT)o0L&ue!UiNX-T6=e_$-uty=i`qJ?BQzJtT-Y`?*oNk_Sb49Alku{mGb<FZ$^w+J
z?iL#1dl?f%^zVyP<ebzVE5Ly-r>eCn%JF0mDXq3o$`~`W$HI@1A}Jkz#UDGehR+(e
zdv}VCzubNrwbDS*J7DUzTLv>FsAui+fN*-el$~3lB+5spzjyd1^C7$Yp_6quX@+-5
zeI|fB(9cZmaEE7x`_R2dEm2LidFVSMh={-{2^*Xp{`S0toAN07vX(+f5%L-^+S;M%
z^cH|rZ|Cay;O<wN>glKf?*7R;Z@cyg{Gn{#kjRo@SmJ=olSZ6UFQ?6fv-rGXFMHf%
zEsF@Anuef2Ip@^k);cm;&uQ~$_5<uEG>!^{THSI$^LivSI2eU@)t-oOXnBj76mUl+
zX7Zpy*ya(MJc^|E-2|ax)vMC#E@r4-O1bGG7Pzt>?n)l0Br#{j)y`_;WU=0&ZlE`U
z`(aCm!Lrb<-Z0X?3$CM)zMgZI`XQWH%nb{728)mZ8-@AbHu|_wahJ#9ebcj(iItVk
z!T_3e!N$T;$$&8_-QqzK>Ek&@E~sN-yJqq_bo4s3SMH_5l-ck}o~3+te%oXd0Mcx0
zbMIyI9@(nIWo`c{knM;80}FfX24JdCeN}IsoXQ8^obt|Q;4regmJ4>ofc}m)YCDE|
zuRq|NFR=y#PpER5U(9sFQA!-d;s;(Eeb}rZk>M)91YHm3S*1fhatc>`83IVe*PDq4
z#*}@|xe<AP$YhP(JZ{CSCHMdIBs$-u%uk`N4UdKkhmM=Rm;@aT_RcAMvD3w_7CkJp
z9Z+jE*!7gDHA)yw#Ph2YqM#Tu1G>1qRf|VwjVquy-n_dO2NznVOH*kF7fK?VP9Ac)
zkqDBIY@gnlhH_HxTiZOCcRaZGyY=a9r2pRXX!8&Op-yOe9s~w_pJqeTtJ`fD=7RE^
zBX+w@^7DdiFa<iT%Q}w!UGZ;aB(y8kDI1`}^PVMfCU;Ij@zBIx%wXw1`I5*HP!2na
z{<W*f?VAz6jT$R3`2|vTN5%!0!<h_-<BLD!LXzzU80vhI!mrk*fNmDC)eY-@cLtNL
zci+9yaM|E~yo-hlOXROL%cJl=U}UMh)9pScPGNO_&cloW$njj7k}+}q_`Y>NKT3E=
z6uHipg56F>U)TPgawa%wK+^p6>#O!%k`z^qYa;d0@u~{5QlasH1w$>*H!LGaYN?ck
zC+BdY5&xZgy>~TXy5mLg(jiPlIuNsp&5qw3dGG7%wcu{QMkJtv(PliCLY1GvCf^;g
zy1gF&OuGd8a?Z`F_=$z8zFSd&)9UN~)2CS?X-inz%tKPX=ogc)&#gE&L={}vFJ0|W
zf(wnl<e-K6=Zl*-6*m5AiD9|mEnKAhL93uxrInA}-}&MOAXCR(+&woq#P6>oaCA>4
zAj@?%=|}%9c9k4fQ614XD5o-D`Jx5gNO)DrbXihi#cA<99Rtb{1x$z;CYr2<2{oC-
zF`OlWgJ_^s#g>oS&b+%5m}oNm>3SA~H?Yx!w8A58ar<|Guu5NB>0RRvfk`GRZg}~W
z?6sD}*miw0@}Hli$lO##8IPsFg4`G=HnfzGDPn`o!&fYc16Ci;(u8JNS3@=U2}ZuH
zwa&y1Y8)~=RXm8>bp9%(9gooNr&hG@k>byZ_-hoG<L#9ss4C>O=uM6Dyz>D}Rb^#Q
zbv}|y{xZEnn{*|YH%@y~S-e{wGC3vY&Hv<fOgfMt>wYN=XqMUNtHWb!R=KN=X_&!<
zk(-x7cFz(>8{Bao9RO7fn41F+(7m!Xy*km!9JA+bNKBs|5RW%s0Tt0P329MIQ?tv@
zo#n|q;@fH;Ypo(Fr@FgudI30I^-*qcd#ng6gqcCQ4W?eG7)NX29UfgZGpEwY<K16(
zLTI+yDt|O2JVCRQBrVnAK{V$h!nHj=_x<*LF8sFl`Wm{P7<~1<@|Su;$K&AT;d~Q)
zZoAu8$g9j_;%apk<+tZg!GBg}S)1xC>S)dpcUhD=e9Qe4dAQ#JWIOoRw+O$h^Iwuz
zz-XKMe95zG2e_kxKUS6*9-T7chpdsJJVG@MTMa=1T{xU5CvhNzI#QO3uBVH+y1F`%
zx=n8_Emq)z;_V#G+oW5MLa8L5JE(kO{PQJnISG!cMc=Sw&M4{zIxEWEtvvgWK=EXc
zV0n3Y`aT`)9l%k9lb7dJ1_d=O)RdxIkqzq1vd@a6^dU`$2WFI86xZpnl#}c$>V8<J
z=z`%wta{$!^5*Q%C$X4t&iTIh|5#HIRd1#Nkm~@gzD>5ixu+-^H^pWjGxF?!EOekl
z1EE6WXQdjZk$%FHWGBb>#fvvj5L(qEF^(6*Dy%14xs^0#vyG|?B1>ku^c5~Ek6fbN
zd7yCHK(=Y7Au3!ynDQgai)<%DHg=6?Yx3Se1;oXh<Y^ixXB4X+2Y;mbTHltx2Leg=
zp2oo5nS83vc3(Q7cN{tdTE=}!JN73ZvD1nL`Rggst;Zb*ijh?ho+ja_xD?gVRK$E}
zb|=oz1VUZYDGG#E_f@JVC$f<@J`70fFGAf2#N$&{uMBRy=wUPi6$ct{Z^7HgN8+yE
z3c0!16&Fl{5R1;EkI&{fT{))~qKSe*wx{KeOfDq&&QxBZAWHBf@CGF9==eOdLyEaG
zxl;C)({OJRTihhk-CA5FQ;Q-xh}gZf<`<pd6GqDmS8#db_O3@^Nhb)8Q&wuodd7-;
z)-P8$p~xz#Y@)ioGxJUV(Bx}w9GXr=GdQz0i<(Uq?@}hjAQZP=n<K3S2YX=XdjB5V
z1$SlpgeeY@X0vtp*EtZz%*mt<6QgSK)P%U!9B8sJ-((%4<P!O``!seBk9p3WnCJUP
zG?{d<`mxqi)JTMIfFZEHaJLQe7ua=|gKlbZ{|SscJU%d9Dz(qLZhbh~vyX*c#>&c@
zt?En$7gvz@SIOi)rz4|iEybhp3@8Fnqm#z$X4@g`4S1At<b=l$nR8M}N%Tfi>x*o6
zpz${%B|;#Ol1~lis8zjjeK?$L3yf~k^z05@fJ&KS*~uxn#iw9k0zXQqudf$GR6qqc
z{rim^Tm5}6I*07-B~}C8D-uh>#FlOYMn(gA95zhI?3m&j1@;z6@uZNVLc}!a%BAHB
zWmO7c%9KjNTF+m;`?&VFJChP5(l=-rTYKUOLVdYvxRMHX?Z&4T+VczLEc31AsYm(d
z*>8?fG3k~?bLbd!Xf4m?+1dDb!f|GrhlU&2eAd=o^g`FCE%LkDJ2a}*7}xG-D%H33
zHvhWMdDGu^!L?mE+&KFG3Sz;|=?^;aX|h9<RoEjzZn_JdG(Hm9c4v`fvzS{y)LDwU
zvE(ysqui)7M-{D94&vC7wRm)j33f)9W>*z=P4ZA>t|f=A!$d{!;p&z(3{qFaJJxHO
z-Vo7G0koyvG8Jo?f=|=sjQl@qKO~B1ecs*(J>FndXrFFmWmRQ8roQiUF6*$?N|HRP
z>&s1+?;}<F9=yA)DpC%(5^;9iS@VQRnW*m093kozz^h&2o6E%bQpbw+ZgV#dSw{VG
z1LMFFLCnOl0go@?6m@mfZ_ev$LHWfhI7BGf&d|cbmG{#FelBiFmT$hk8ZOK)wH7<2
zK$eJQ{tTG~`$;A1U65WR`K~w_BR#j%v%})KB}*g;Kjqt=txRou6~ql+$V}FnIT)2e
z`q{)DZOrZUmUFsXL&u`;Nlg5!*m&=OV!(hZi(T^led)uDG{P3318njniX3p3n(N(@
zFO8N)jr4e9`P?&Y9yzjZ+Cte08@9M<83tMS>oi7^!Y)5{`H<7OF1h756zoix?Op!Y
zNP<JFU*B1P=AX^-ciQWC>xIOiGY(a5eQ73`D5)Bv&8Jf|m{io<!@nRDLwMJ{;wG$)
z!1x9#`yx9r5c%T-*?nT*NF^2HMjBgs|Hn70Z{`9n?#W=>w4rs?Sz|VUXJxmZ#qXV?
z<=zxPS%e11I_l`3l{VqG0eJtK!(bB@gnC+qw3mS|novHDg$b4cSR{H&bzIq7O{t{L
z38n`b$rE}ixb>RKr8!_WK94H#DKYEYQq47%|IEX0-<t-lv{~dU#W8}+^jG{56qw;N
zxl<hcv_`*$env`?<rK8f_|}~l)M<`Pdww(-R%)&H-^jNT_vtKY-$)-S6dNlt41pna
zz6Y0!&4OY0Efu}nS}mqjO08izJ0BN^R?kY|tTmCZS1Y_|cqj?ia4Uf~Q~90@z*8K(
zoskJo5LL$vYJjw$?c81`Y2&-rf3?Q<Qj2oE%!Oqn!e+dd#$dQM-cFwmiL1IEIR|Lf
z!Ya{M;M*vB*$DDt&<T?zExEn?f$-(o2(ad^v<SQ13t3a!<oJd>pyFmOrt0pd$j3_5
zjyHRwE7tgqD9~gjv?|e<yTkDny?fI)z-lzNY-~7&Kz(wNlofO+Yl$L>e-WfvV1XqX
z8R+tSR;JnUJ_-j-nh@m7|M?JiP^r#v!y&Et=Ntb&hmnXZX())=sFLW@-XDA5Hn~;;
z47sheRe;@qj>O>OeS<jjH4?{PC;lVD53R=K0r(v@LD_D9bIv=5RwhZxiSG6n(X&@-
z_5Azy>kodc<nt3%7_P9D(<q`j%yFjfm0W2bEsFikRXu2ZL%%s5TDyuGl^8HR*=GgG
zKEoZqJDkzHABq42P))6~=TzHtIHrj3GoN68?}*cxTo>~rt~D1&qvvf1bx&YWF;UzQ
zboaU2k*0GojwK0+lB{so)25xt)vScPp$arPdHg|0g4dn7-}sXUmQ12Wo9U^#Vs8}h
z4)Vp;RzodWTBn{Ov64wjGjaHvfE3T2eSZy8*&yf#+~36b!Xl%~N6xi0`<I&85n;AE
z@w#1G20VvDI3CRv_W!*px%{g>{Dfl#^MY=p8&c8k);^CV6^F#7gNmVoq6=hluP4o5
z=k%Z)-EkEEl|ZCX&U<L`mX4{ZDjX&=$I`hr3!5Q{$2qAx<<QDZpY9y5hPU4IyJu|i
zH#G)CDYSR1!9S}teF}XBj(p}!7BM4OWXb@cF_J81VE*$!0xcoZEp=c36@T}CZN6_Q
z1N*;U(xhM66parf#>wd_6^8AFI_6BQ7{QRebeJhv28S-zjd>yU+XYHi{@$&C7QSgk
zj6w~Q-<~94PoAPix~~ZQ3B6MzKvMcGPC^2^xI%pbf3S4hcI4&*J@Y}yRFq~oo;>+{
zv&F$pbST2r=!QX*gZy;KwzJY?^UvTnys@*IS-5PIj!%|E>n};w^Sc&>&p_#E;V$jf
zCy{xp{YbVhpfAD^<LMI(o9Ay`jKiq$geQH|k2F-F+G)&abheHAsraaqUrMyxb?p)N
zp$!2sdVhMaGTO?{IqZr$d-4)Ed$WF6lq<PdLDlLz{{W)XAkB3+%5g<P5sJ!~P*}k8
zclW(6_^8m{?LCMK9rgIz;XdDM#B~ysh!sm~g^vd}`nYW2ka<D;IKNptJ6U=;)=PiH
z>C0<2s!b8SikX%3G~H7LC(5Q*)9TRLA9rVD`{fV)bOl*&?ya{-v}z{U?R6;#5>%y$
zO@J%L46yn=ij1T3w$f>6A}Ur(qD6&fs<_V#nrPTxR3XgENhE}hXm7~f6s)##m@y4I
zGxo-+$vg7QBpm{i1Fb6NnzpucH%g;@Zak<!;Ot!04q6nT=AJpJo@z`;vaJXSZX7Ng
zBB=^9sEA1PzghsTE|tQ9dKNCQ#rYPs+WFyIV;v1_a#zw#vcPo^8t-BU+)#4ZRolel
z3+7`yR8W7zh+2)lyyBrje{_Vq3_wFeOIetAEzR^)JFX~;ZipzX$XNb}-8xAc%ZO3s
zngM`+;EzZjbY89iNhM+!MW7&6Z!Y59PyQr7*-x#iUJT`E;(;oOfHt|B(F2;<v|H6x
zqAbQy6I)q1$PhG(axEp*iur->NLDt#)Mn~L|KX|%uyHt<1I6H-nA@_=r9h6ra98h~
z9WGD$q!;R7mJV?|g24r3>YFY9##K>kChI9z<}J^!QjZZ$NHXTc<;>no_-TIYo-r8F
zVYP++9Wp#+kTkxzzIH{{>ec#(B;Rf;nt}Fi(Eq~E*QF1l=cL|!)16&hyuQ`eG!=p%
zG#4$1xD`1I4L)3$HUaPL1qS@{J%uB9=lVJT$>kza3bBt_J;Fd<YST-{7?k4U^ns|l
z16`DU1#oK@sLgF-O1RpDXeQ*98!${<fCKOQ+z;6g6=1C?0QhVyr<~e4zB-bo)26u{
z&10cU8EDQaE3#g>zbZ^VuzS?{+x$rteKiwOfD&z6zWOAd-rbqfb0+V$dxKe_A~TgI
zULx)D2;>hAc253w|MwdUi;5B#@8za`f=`a|Rv6Cme7bDUrs!mosl>ZEgWkh}5AjC=
zv7H-=_v<1Lbh?g@Wm+I%Hp7f_M#U1$xi?>Q`Iy&L(63}#Jjc7pm;&e^B_jQ#h@8Xc
zi7SX2Yq!glUn&hRSXjegVM6mzcY}}7pnPx6^lg{d+u7fuug0VQNu90BRTLj}8gFkE
zlJi~{A~dV_6iwCjXa;xF;?`Uq-bU6U!m?qaC$~4{i<e)(EIS9F|9b3y2^648s}$!V
z9!f|*WxNq&w<=VX-E`97^$5r``R|8x`X^fbqj;`e&fZZuw6LL2+p&f5<csUeL0%u{
zmH;6g@_px<g@q_UO-FWdd5<+9u57FhPsVBRWp6Yivpoq+Z_l5qtJ@HY`e>qZ84WJt
zuM<+g1LT|5d=Mb>RN}g#AFtpt3Qy9){bqBKGAPz+RF9)Vf0Yd>CnG)gs7d^=<ip&@
zvmt>Pum1<lKZLuDi-_eJ4Q^}#V{Z7c4w<^&WPb8F8K=2#RT=H>6D0D}l&1!DItQ*O
zkFC5*#kB!u7DW-i+@&j{AKR6`<(u$ogVpUwqxeFuvZq?QH>4D>udI%3{KriRDe2zW
zPxnifzP}DUb)5nRPeu5+#rxN(%E64KVyn#8M*eD6qB%DzOFgc&aad`V17%(07HteP
ze$H@bGBs9*{X1DT!4*-p`g|Y&&|RNYU1^zK^D$=1tjaQKJ_I&HeC&*LAKfYg-8Nbw
z+U9nlhC$k&&v|$h@<eZVbX!)CQCwjqf8-j{?sjIx-ex|B3Uj@o{m)8QCBPQ`#;b&T
z?|s-)^#p%(&y^a`T#-c1#;!OY^hX|vM-V^BY?|j^#-WvJ{MWK)&}AF|q<T!!Q{&|{
z_z=pl*_gZVmaEL4E?p~JiiQIz{gUIl_l4KzMINHeUq*3!>N{f$6)%qBg*ENPj)hsT
zMz_E(@bAb_nxR+Yp6^cVHP={&L`4|B-w{iimuK@rQ&y)9FmnZy;=0HA;cV1AABf`N
zc5?aChyyyh{$f1RWGh>x*|lLBMf~E3r9AHN&W~Zn6DNVf*VyWDY{x*(7J^K5;gci_
zC_}!=!Pol=B9sD}@N4^B@pYso!I=2y$g12_P7*vhJ8sW1ME?Y)_XFC>vfUZu=J0RY
zA>FQMBrcsi<5iy?rkS<=$Q!v-|2x3p#x8@FMx~%xBhziuzQ1l87K#~5Ey7_V$iX|@
zF#K8Q_^X`C@#|Fse{Jy(iQ7}uE0Ddu!__JjCX2|YK5rHH^UP9h1AE9`D01Q1RZATC
zDSM4}PbH`ZpjfbMzwMwJ9dNXpX**@04sVk(9^3@Uy)>vc>-7|;t*G2(W?xG@+-iwc
z<#HgZiZ)C{r_%UKy^&*N_T`g)-kNEx&Kgr3>mDHm6PFP)^bB^$Sp@mO>)gIXJ(+}v
zKS?b~!g+wSE1%9lKFMrEc=~A&r2DD~S2Pr%O<!>~vyNLRkp${y>H@tlQZi|5+ES9m
z2)b_}9;ms0hkoM!O!qlSrrR*&6c6=P9+>}!gyc_*vVM}9P!SbT7X&DD9oS$zGc?6h
zi*Ui*QR^E=*;KN5_;Go7g+OwUA@O$3%N>gkPV*~^&ApkEb4tqsxk^6>ML5a!-~&GP
znfAPL#DWihH<Kakw3P7*sD%y%G@+0(xYx>A9A&Z<off6tqd~T&ci+XOy=0}vq3Orz
z?+A@zi$#H|-&M7HQtO9KtPDnW*FwQCDKKhHdf#CP)#xl3kz*Vy5k4QpcUvvEpv2)=
zWCf{?tEc?H$KNOI8u$5k6I{vU!Sl6Vuvc&2Uh+y8<v`U%9;Y_OoWp-|{7H=E@#Yju
zvRHk4v+a$Pzr&qDt(=NKm_N}f2|lSkZioqAOO*uSBCOW#@F=etWRDvSopGSy85RSd
z6od$+QhjazRW;HOiMXSHlw+HUE#gy9F|f0zUeySb>Q0hhXRYWbeHMUH<*pC!6??;q
z%g*6VH<bqCehZEip{__f5Sj$^o?mFYJiSw<Suv{XLlY*|DefTZC|uF%RN0+vBwFHz
zP9-Wz{3EBYUXg-k&6`YfyXj&>B_L*Om1s=Jv?<-+r~nVTo(a@M4QC7Z`75CRmmu*k
z@1L)wcfWeB6wPdq5zmrM*e9a0ebpdajX4Wv_tp`h5}aJ5a7PZvFvO@xL43L+x5$S$
znpOLbD2MqyjMnj?sx?KDd-u@btWqQ^rCcWjM$nfAu{Kouou*kKfKC)AY{e&XvsMyC
z4gjN>Vl@YfBn(`s#w(C+DUxypG?h>h;M6Qtl9^H-+2QN#P%bB%)02f(m)8DiBT+x`
zFS_P|Iu!zH)fe@y`M01}`8v)B!{K^dz9izDdUG2jy3s`y`kh=VTq8$-b<>62t5i0^
zQ_-jqO**#rdOPiSe$b|R1nM5J0T&*3yyhwaHhQnd-a8f!2ed_rkv;8SYP^Kz`^f~-
zDmTmNnKs}f3bU39Bds#bJSt`~-OHxv1m4%3yEm=g-J)DM+q*cp*!^<G5PvU-qh+Hm
zl$|DqwCSSe=>s(f7kNf`%cnRvD92vZCmAh2nHbsDDfxNt%-#z4t;&X0n=H;oPK34z
zlTh*>(|NE*lSgG$_BXRI&hv{>cT$2viFmx3`d@z;dyU-JVEw~rx39=$O`$@Rx<0Hf
zB5SRF25|9x9Q<gl91MQo$N#c;Xz(JIu74S<hB!H=nw{Q096UNJ%O+Y>`Y|rO`Nhy%
zHpkhgA4K5oyIFW+P!umsWNxqqk3oO<V&@z0r+WxNKVj$-;d+1ce>A;waAeQ>{=LY?
zwzIJ&wl}tIYh&Bi#MVX=+qSjA#<n#ve|dkN=UX*@Ox5Y??&@=@uh-Rm-`&AAG&?0_
zWh$@yA;y#}9rw>a%cOU_Hf;)PXN0*;qnQQ2y+^!dIAJ-y-Y5H7L*+bbA@DS-%eD;D
z{B`U{{sq?A*fH-uAx>>}Kcj6tTf!vIL57nlH>Q8>sy$D2&eY~3*ZUa%;`2tnk^=d(
z9X08`&U_p#NkKah+lD)Rq)~FrPIQ5X0v{(cy0uTr;SSb8N;$6qQICDpn&ZeS3Vc5%
zK~%uHK}`p3=i^{jXI~s7qj8K{QLqUz#8zAFSe4_IB2H~UW&w_}I?}f)>-ls}(1b=h
zD;qmlW9*qcQ3=B0E5ypE>Xh;N^j>X~(Xy{K;fR}d858CtFhr6>ZT?ETC+yl1jorNL
z>YmXCZDXlGxf`w;-8cM;Ww(%7CC-@}K}RrwF%s-mYh8tr8?BMpV{^<1?+<@o6M4Is
z=ELl(BXG<R1X(Dt%8-$LBTSA{CqH_6sluNb7m^rl5DQpNeiAgjD;H08D2KHz!hg6X
zw{7#o8K>u1byf~1zz`3!m9_3s9n%G>mbP&5mT6GG?PvMM{441fZWe)9<?IzsA$zs`
zWX{$Qf3SzD=%f3&JJyfMLYl2@o(KAa+L+0L58y869$TW0W&T`$(a64gd4!^Ns44jV
z*w)wS3Nk%VPW5kpRC~(Rzq?5{Uj8MZFv#G)&HZYkZb_QzPf&Th?~L*=l7_qB^3L%@
z^YFcSX9G6I{^UZ8t+3k}<dcqzm%wnA(f-okuZN}j^`SxbZ=Q4f$MY6<SQR|+SN-Ls
z0qOQs8H<C}CSm64MEWT7G7?3ME984w{O+m;^T&ry_12Zl-b1y=dteB!$Ml|pdoh5F
z?1nq#{Lff|ef*>DR!>*d_t)2cS0#_^=kQn}zPcovaa*YB*y;pZl<D858l56bmwlIt
z9$*U&KW<OB{yNQN{B7}AfT=_O#7~=Y@3r&}<XRi3dwuM^&bc>@rpdA=Mc=CtBg}<$
zoFpD~<_L2(pdO*&<?&a?A3+j-C&6Brj++@PTrhh-CU+RbJv|OZ1VSz6u)){KbYP8H
z?14kY@JHP_ZZnE<+UB~By6VhRJ}whUqr(&2uGad9m7^t{fhGdj4ACkRrCEMbPj`%O
zgr<R{ph9hL_ut`eu}BHD8Sc8wNVa9WGjs^S-`x%qYHT=t$$MWYLyriNovK8^-`3i>
zhjxZ~g1!C~jk&Ke6RL`ktdBa;C9`mP^N;p|VNh|H@~lhm>Wp=xz0_2<Ujp?w=eQE#
z&NZiWCjZVTW9zPOYV4Y>*Zn+A4YRCht#83zg&cRVxBhDHX3b=#+O-O78EPWsuiufb
zxN#dZIF;f`0vjhn3d6+oqGb2B2$I-DR~=O+Et2BGxhU2KHi5=O0XrnPuG?y&EYc|h
z8l;kbL|c#RYJ<f2$Lw08z1VJu=%O`WItX!Mtq#NjY~WHAxoL3~kFzAXjpIi(3z<{G
zp=kR91+>dxRSh}fYh<W?u93}@*vHSO=m+y&NJdaO(XV2X=;j&3I+}ay^$NAl9sIH6
zT05ILYSGN^EEoCs!@n|e<7t|Ky9ThnuQADs4aHs59rlTVA>PMcp8hqmE1Bq&dXv?a
zM45~kuR2pQ2Kx7vy$VJq9K9sTCJMWJjD4Lx!d@ZULBHN3%DA`=Um&wU0af-P#_Dsh
zxq?qn5yEE9L(I$sqpO8x4z{kDh{@0umRc63$4q@|+q@7F0CUcddlo6el*|@w!kj;y
zHt!j=IUo-A24<bZ;8Jh!d2`5f8Whl%ny5!Ec(y!xL_p$s7ET93IdG{_ODV!W*->E^
zQFY#>ZU+d&7d8%b<MH`=C^#;iode?g78Q}mbuSyx2rkOqV09guWb@+9V&oh$H(xSC
z`#qDKdUGcWP|z@Wt*?#0O=eI*ts;=_BK6uk&f;-OhwoF@Dhmciow%y>Xko%aVBs?P
z0&!|+7!RjY`#IyhJb<{cB@o|kg8xmQ>yp#!(>dOGMtIBNN97Bhk}%jvzcn;^QdV?S
z+bh!iG1Lq+P#C;S6u=5lUkoYHo;_0xmCUnX;kEudXKr7vPRo%(_G{qwp9<WTi&H`7
zffxrES4Ur~<vBY^nSZe~`VrrhCEqaf69Jw2erNzRg`BBi`IGs;X2nlXhxb;tslkhs
zyA0rFZ+@I^`MyhKm@v~o!P*r8e3eVsp|^(;qtSz*7*zEt%vQ%vky?Z8yD@+rxb}BQ
zZc*h1%$M`&c3bCUPFLRHB3e<EA1QPgwOVX!^nG7{T<VG(ask5yJwFOqM++r=I-|}X
zf-SU9GFf=`#u`a3I}%OEENf~8`=_!|NKi~!Pkys6Za8d>%m6NZ()yaV-`5Q<mQhL6
zYZ&3p)esXd2xA1g*oAm4>s*ZEhP!b4&oSW)Z#<Y%oz8AZBCbT--MDS8+tovlFJ?5l
z=7*be%3A4C<mRlEaNy=@;`f-z)+xcg;?(@_WU^$1H?MBLEi7|h3Gz_gicSMlAKsy;
z+iX)bR!(+#rWfSk=oVeVOvbi$eJrQ4r_o}{ye|j2PfkH@*N2Xn-F_~?K;XAK7hAn&
zTfSNx{G`vZd3vK2wg{cfdCBK}{pGx3g)NW$`rI5STxSs<d+FEgE2a3C5npTv($7nv
zcYoaD_ivq7FcNNQq}*EZb-emdhaHuSe(^bxKAMl$Ac~XmY42562{IX}j1cMM(ke`&
z6Y-bC*SmF;Z-OC2ol6po6-rd%YO2F)&3wj4M6%$a%%G97fqMCW^$tGneQOnc=QV&Z
zfBhmmiCy*X<3U#I9G|uTRa#*(Wym@*McrN8n2#S+DFE9ws+*I{H!>wiZFUj&3+))H
zND&&Fgh?E#NEx3>uUlTLw#idJoUN<tJ!}YqKa`qV0s^g5+dxCItzHbUyTi+lBiPB4
zUZQALG-#9HbZ@er4?9IxIXU;zTDPa59M^mue?}(r-8o*`hkB#)FAt5*nPq1B@mHfe
z@GnrXC6~w>NvKo`nVj>G$I}P`{aw+QrKXn9!)At@c|+zQtlFzq)e|8--bB`2Tk@ON
z3k|GGKN=E4+yeftdKco@s^9q9Ouu0jJmpvv#{b-2=?2cyuF9gb*0!l9guCmyWpxXz
zGSg+sjFM?H|COob=Gsz(@z8<bJ=uIC-^_!bXBP?5V-cy}sG(%9*Nu$UM){+jN)jdG
zygz;}@klaWN8l`d#Yt0zSn&EWDVdTrl3>vjgO&2G7z~tB#U><QFDzL_BdIizM4iBC
z4&1Di8}(|*q&cCm%Q-th66YRGh8N<;nzq#*NX$Ikbt*6T3HH{!EosRHq4ND=edTXk
znr0BNG-p&rt`%Fw1kdxqU8IRB&C@Z92F-EobhuVTX<ze}(OeIJp1j@EX#=?I!*9qF
zH}Q|Q7%1Cnt-~<(sj4#K+*GpS$ipAkMZRBH7Mx3k4wj4C-mJvS!Ot0bC<lLlX~!*X
zu+bXM6^Fx^+Uja(wkURTseToMxw}^ud%X@l9q^ax+X9IAYmzi9ZX(p0EE1@k(oJB>
zz7djq-R?WZ9=XZ&s!r}bg_YlI_b+aq&UNLjvKNLWpNWQbS1k)71nS~#rxLj^Cd`EY
zSogjRAV1Sm<=Evs<wQIV6l5-rC44B#wAAC7m*uuoz`DDc{T{X4W#lP%P_Oz|230eA
zym|J&YfJ;&QBrBZ15FfNwUwqqz(ectI_nJqmXT8^yLehHk#F>b8yeF?MNECZScbWt
z!}R`Dy}Z>I-Gj?ObX3&L6xHjA3$u*hG!^i@cq3RLTbk)_?rS7BX3Sv`woBg5X5r1T
z@Nu*mkG!x*c2$SllP+laa|cS~>j%3m{r}0o%7RFO;b0)+Lsf;5US&8u3RA#0DZb25
zu=%*d)^9hUPw{S+mHaN}mJ6-5CW`4{8#Wy70j4Uua*-2-c@>Duhg?|Q&*4^wA??t3
zJpuW2wQpW6rqe`&eW}TSc_}4G6_Wv=-BW0jIn(WAO>7jNu?`bYKJz7kY{nf|?ie2N
z6n<cEQ9_7;2SLO;SsMfGd8H&XgC_Z;BvV79!ZySDYfsWg6(DcqPg3`IWHe2X(m^%V
zO{zXwtxc_z>f8X$zp?pWLM9O}W3{?YHbWY&9(T4YWa;dZAQ@B~;TjdC11cG>S90~w
ziJ2GEK@rbsW@*bvFD7gyV;U+_J7RbY3*g*&*5nNHr*)HuW63ekVs1t^zo1-XST@FF
z44bcF<u_K8HgAQ_Nr6kiW!0Jxh&(uM%)_ZQn5Xo{@r3j5zXFE?BOsi5<WXo0JV0~L
z7`*ajJoVWY4@!29IFZO$%AGIYgMSXzSl5lygMWBCQS)<7#?e?lFkW0><nQKf<I7d&
z<h(G+8?q4!*EgGc{#l;-5)pcc8K44K@wWdtIa<#J!25J_gc}%!|898P2Dwa!$4kK;
z!0fU3>2&u_Sg#8Nr)kg@LFH7F4KXLWH2ZSJWI7xdf2UTTgY^N2mxsH2a0ts6Lt0a8
z#8T!%p?rLS{lwN;y}jLjoabi|&)zY1A}`la%dBq-a68W+8bvkK;O~itL#eEpiRL%>
ze97e5m^;5#Q5ja7Lp5~t*j_Xh2M;m+-tpKF9^9~-GwgBtboD4KukT!sR9J%@riXsY
z#yCZl;KziGXMTPJ7$Fo~dcy%5zA?1w(mJ*b%&ZpCLY-Dtx(#&Kb=DEFKj>^tG*R=d
zT5<HZqhZ8H4tJgFt;4)G2r;zcg5!v8$FW20D_u5ckIom5kIP#`f~oSUP{AkbtZZ$T
zmbZ*{IaVtzDIb!b&R1&`(-uK^fDCs(O#+_+kj2Dmew(eC#dSU57Hcf!!HbHzn?*_w
z<K{seFiiT^&!}al4J38^sBTPc+0e@`Rv)evMPHp&V;Eoc2522U30;!Qx^eoj4_~9T
z&ZL$9qkXH;xgbSGpRsV-mQXDt@%C<En3P!i0~#9ad<fQP?UQF@<k&WLAJ{r~OVGKb
zQo>MO_LUD8jp~5#9wYcV2Ni~}@#vJL&4&x8#moDihD=Wb#_`jXNdN5xM0i0geA?PY
z*Ng3&+x>MI5-3YyWu*C&7C9#v>*jd>TlE`P07%n&Kaa-sqNVdGdn#@JNPF7?Cd`C&
zavP}{(W$bNmF}{?i8!%w<ZyDv$8)z5qO_&AbG4uM{ohg&m})rGd4VLI)%`LEU00VJ
zbK>D<{qPjzVzSgE{PAb1ygG)Fv83K4A{HyRJXcMp`4j(1`nCOJ4Zh3sDNd$LDl;6p
zSrc==y(beVPzSkK1$n<{H!5#Pw|0o~+TKiU?l=HjK%~FBVpv*UU%g=+u0vuq1HwdR
zMdqwkM0a+-OUmVrDrxT?==&~7u##+;BlHs!Vs#+p$`fO{1VGqzvP@7yDT|QM2t4N?
z<2tVoovW3k@1<WgKkRlq7~<#3AB5OV8;h<EY;=NFqX$H-)i^60_qG1Jr}UR1nVx4=
z`~d|+dPRg5uo}1fCy9PdizD5zl^tRNLmF>OdnjcWjVIY?k|4d^j*{tbtD%8dp_!e1
zb<dV7%aoHetNbrYrB2NWuiY=zGyF+|m1D1SLqE<e%ZKX-yy-(cX40Psh0{^HIp=#{
za_@J)*xVWVc9>J2W|%{1xZq<?B}-tyS0S3YKL{bILorJv4D{0;UiUSLvWgbx#H|4P
z6+j{&lN}|plm4z5&Z_?!I<bd3v?X^yHUOu(Hf&G?bN*`kCh7L`#7$8bQ<;KiW0UaI
z<g!T5c@D(Bx1T-<=k9F-wm@sN(1<o+iwu2g6`GVCr_lT>i6vUku%%df(|$cooMFaZ
zl+M1KAXsJcN4sgn)D6yDq6hpCF`7{})Q;WYfCxEPH`wmHFRJ%V6%*;3YP`efPJ7u%
zNu7$Vo`imxab}gZIBOh0TV`zHhDrV1I;mU!--tu<AVM=Y1$OH{Ki-4LbIv6A?X$mQ
zo5SXXY9y5%7t@>D*USGC{F8%ZQeBfMZr|830UO;BW$h4&__^RC#lImj=)vU_d#W(*
zy2`LP!#rY-%fsreOlhLYra4Qzxrc55inH7|=^RrYlPJj2Ksmeo9z4pnR(qBJh%?Q9
zJxCY&Vm>CW<?sUS>u%GxSLJW#Ca{of#7GS1ntd5Rm~JvOfdzpjb}|xaRs2uRak;+k
zG21c`Wq-o{Q*@|>2|SwsttMga>O=r`0TV^7e`fe58?K_pQ>&ZY!_BGB`5s&1!ZY&6
zvjtwc7KM2MI%{HlMW`)oiY(a{h~}q`+j4&I_=|1LgA7sAZjG@Afq=UOjLTeBH7p02
zGIBbMUaFAGNdK?00l!YSm?#eA7W8z=OUrF-9?Xf6c6)!FbUdRK_DC|81p4cj@4C*2
zd)F-{IU7v5luhihW(HFrnm%#;{E^jRuhz9}v4rg|)jQs1^WG$(85x&XsjN+3@5Eje
zm}+UmhZQZ?>dIn@GYa=G0FHmJNrd{t=FZhVCu)tOV6gc^LrtL~r;bz`xjR>pLoQuv
zcoQrzsu@>5xuo0;h!{78_bL6cwpEAmm3PWQbLPsSrYu?WPgl2$;tb?e$C$RMeb3}5
zt`!kX3<ns9u{_Rh-c6AigWFLs_qo8>I=+L&m!<l=j7i#j_lqt5G@Jb>O!I1UP9Ltx
zyNhq^h>>KqHKWrj3&`VGkkC)6GUL6D5Qn|=0>z+S$)pcGp_Gs~Vv(S_KR@B1`~m9k
z?ZGPVT#_jYaa6xCvwcLly`<M#RQDDPV8(HS{M%L2LEK1_;11SBFN@L#1${mbR^(_d
zDH=JnVNAz~5(VQ34Yq4@sPZ#095+_9reZ3RDdh<PGIUiDiq?M&=Jc($Dm&a~Fc-+G
zD6;su;$5d2#n-B{1UoQ6@rAt-eFkKf%=lOn7&baO>ZZv~sso}vl~HXP`|U4P!6@tY
zBUk`fa))gUQPijFu68R0AQ^ns29;w`r-XWSsIIG+2OqOEmZ#>wgJPRnyD8d50a`8h
zwQouS?<+@b{ZF(%<g&(R=c=QiiMl6-*aVv@kd)riF@oFZZ~9ycW<}Bome!iKcapzB
z#hM@Cq4rJJiR!spBcLIUVS`9@4!(MPGw@<h{*)d^*2(L751Bb)T&3l@-s!TYFEdwb
z8nh7&qZ_faI&ErSptLg9yw3xu=w#jAC+cm&+-LXpmhp?Hu&9y&B!<bKroP74WeW&&
z;hiH*ujBNf7xxl}feI_C<R{!9NLQ=D)*sB@(orE9rCEzU<&g4r|0ye9?QRRuKQMl{
z|C=<--%G6c?kyrrLpXg7Wwv^C{Es9|-lX*(DarE5sgCs~zR}xnfifCd&LPDBGhi+2
zTM#$p)L!eOrJ)LP^dLHW1!A3RW3I;S)MjF~Bd?BVO&ZMa92spLI|lp4&ViUIRM64l
z_Ps<OLEXS`!l0gzV2IERMJh|}xUptW^+apD=c+HyPKG(04e}l7|HT4es&QpZ@1w?u
z=c=Ez?}j^+Hc$U4Rxc=)FZTOI<dPc{T-Mj&$?+c*OgYVPPRr_6p27tvf7rbl|Fd8F
z0}d4vH;<UgT(PJyI3-~iPjT058xUuG9t4Zq-u=$vO+I`b{MKezYtR*&Y@>%sf4fB;
z_27n9d#AZgs<v<RvhdSN4GI(;pHa#>dC>1;iAXe>-$ur62VG~I-3@@Bc;_-(MSQt8
ze|-FfE1Ked6aZ~w)1|oGe~NOgG-tz*!{~k<!>QZMs)gm@aZrleXK0$GEeyTU`-dcF
zaTmB)hrh9&x%YPlFcUuJmQ!lzJMR9#w>OrBR6Ow%o<!j1^Tyr%)Xz8?JPNcS?z;b1
zCOO<CwU!({o`8eP>i#x~BGbQ(rypDEfg6yg(I9CqqeLCm-GygvGGOxd{6*fc-fV@b
zLZjjMWcG1Ro79Av;=vl`dT-GR)VYvh2A+9G&&40va+U13(&3X%m08F8>k?+Q2>0JE
zgQG{3ZaWF@y~SM;Q_-i2GF#p(@Hjlbu&ty#d0an*uC66!n4!sskI*)2ADnj&wt91k
zJJqKWb+J;U?7?A{CT;ly_tR|0McVLm+&m)}%bAyyJAs2P*^Sbg>}?=a@=@-ZetfC!
z<{H^9uoNOrChDA*kOmJJ)1%X&N}^2as_yR`MWBB&LiA?!)%2zn1-=?JIzT5<<eU=<
z3i{y_b1mO*rjXkV!SjoFOP!>l-^mgnLjohDRZGeVoESi}6aqf2nN=6xz?nX;t4LTR
z<Tn}0Y?1{N4)`10ygk#1O)Lp>;m_;dR&(A9%>(x3Hw`***Z;T@b_L!A?l<cBrk-^+
z`Er>%OWj6O*4iByu)l*sk)g@Sl79W99o5P;?q0vV-_U$2=71)fM~<X!>P2|4ZIx83
zE||IXc=o-{#F0!fk#3UIKIKOwU>+gl>s(v((LKzO#&5;_5q!Ecyo&W##nlH(Ja0C`
z-bn)}ylN2G40LfYrHY`D=56T6Ipknd#>sd$kg}u*lH7)jc+^n|9fF8X)MfHb#1b;_
zBp#?E2vy=j)%>oSQVI_P{iK2+YxVkM4|SP+MpCRD>_eZU$B{aGVF8FFpq@10EXvEo
z{1h(HzfRf%u&WLdCJ18n+-;V-iWpL_wtXAb3{_GbHVGMmH0Jr~n5ZPoR9lKLp7VZM
z<{?4Iz~J59^et~jfY)08#sCd8c_biWRL-*ESP5BT&-*NdEP^V!&oAiL%%q7vdd97*
z@9aN9tW8B^4iT`Z%rGV{0AwR?K_RPNMzT-9XsmzI9e^h`ps8tsfF_GIk#@bWWYV#V
zPv{q`(U4_$eIJjw!I_4|zb5qfc#r}43l)XetP8yDzgUEPTL#ftb=n3s^$>jno@Q`t
zV+jrJ?;JmU?7jb?BLDrgs|jBuh$o&&;uLZ;Ycy=Q{b|Qrpy|Bkw;YZ@n;i<=?>>&k
z4azFu)tvm4lgrN-an;9#P_YY5HSH|I`xY`OZ^GW~mR_zI{<NK9qUQgqCz0mu>WVOL
zZrqyISB8t1zvkT)P9c|iyPy_Lo+Ds-_d5Ks0;L?>L9f?g&W}`Cm3c!<TdWOV%<9;-
zBtV=irTI5VI=+@5EH?JxrhVOptR7M}`K#}3&o{Mcx=dHTp%!AHKMvH)`@~3yS0`BK
z-tG-htF9UX-GS<aY4SG5F%PEP3`$2H<~gQZ9bP4wo#s$qm%8#Zur4g~cv+nUD}H)M
zgAn-nW`+Y63<2YYmd3$YmsVza=XbkQ#pQ5(lD;37JgHvFBdFFoD!m-+^Gf>L-PDT2
zDa`KRaeCKW+`c9Pt>52xo!ro9Gf1&PTb_k=VoYOViY5-WPf3>R<Uh7|?Vw)5ixFN4
zlc5$=ueU-oGPT6UF@GLc*v=76Uhj`m4Ku_VX(AHmjx8kbTkGozYCb+s6{o8$8l<cb
z=i_r@33Ch<PPYw`uXTa~4^~#E???6ka(YsZ6>L)>K=dZM10uX~A3!>u!OYrL1BzKB
zfD`#9nE3n5tGWqH>s7s`n53vU!ira2!-HAtY_h3=hJQNT!+z**Bw03oTq|DI1@}_=
zhc#EwK%;7lTc+B3j!l3ex6sd8{E1TKKMKjOZ(7L?twZmx(<IRvu6pn@_^gxkRY4?C
zFt)Mc;U4;nI}~%6eBZe{eQ<-GULQ2psKnSYq!RMVCS-M!qcUhX8dYt7m+3%wvj`O1
ztP&@O%|ue+_rkzHnoYr^S2_1@8)>IFrPejLm`Ivh<7=N?rf?BrPCwL|1jO3g-(SLp
zQX5skK7E8h{%u^o3sMXsrJT#+%%sS!{T28mtH-{EVlw(|GuX=n1=S|<92t5f_>~2X
zp1#TSX~!U;T=yF$fAh@vL8Bnen65?&whlDZ4|gB-WEt(VmDH`H(GITy8Pi<?!4v@c
z>bcp}b&hX#EI(cmACjAX-QQv1hZGsqP&1{r3r1u%PG{E9V=#`)Tpnm_^1EAVjs3<M
zq|8t~OK1T_7_hiyCH*^D3LWM|{An#O>^>(6CT(_X?oCU`sgNo;ee?d3(@#0CFl3>F
zX7}YL>Vb|{Wrp(bCFZEZjmPPXGS6q{dm<^vXB`kUvwl5IPbiz<n3M{$X76SVxE~Pz
z$8nuA@if_#D~msMdmtVDoFK!%^Jj3S>iBDg25!s6-lg*?4}YJOA{mq7MdrJwc?RNn
zwh_&H-#&aTO8H}bBrFzKi+3XTw5V(>q>4v$A!(EL=G`uJ<j*l;>FpAmU`o#=7Jh<N
zws+I{-$lE>bH#J3)pMVJ1WK@)iNjx<Wk28KZ@2gMsFmLjvX|8#m3}d}k+{yT77e=p
zEUc#EC&at|skCb_ZVm@N=^e29bkfHP?K`p$%Y!(*0kR+da%6>dCbh94a6Z8|uVo4f
ztwkl0!vV_0v))bS6W6s4HgOoV-+}`<4&fVZ!brvE&R)HftcQ$7XTM}F{-CB)HYfM~
z;{0II@pKRUU6>oJ-Ld8+FIkIo;c&Q1QC<HI{0@ag{&<wAhz~`$rr4J<xt*^qJU4Jh
zwWSOlvM&joJPIGRsz#cbE3UV$&86(t<=@6-)N4^dkB~3{FrSXpqF;7liK>z1cy<J0
z&{A|)AGK*9>P`=v{!j(tOV@$tumk-2z?<bpa&z-Sot9kDKv*b|5C2{$q9F-$8N#;i
z=yNw&B%WrQu%(jGWLmEG`x)rai>sKh@fN4?+fJ0>P>sI5xoI&jS6)e~lB@nyD^Sb=
z>Vsio6jt5qU63K`<aTCkQoYUiyo{`_8+HUv^pNbv+bQErN$(09an7^re(-7Y?k^I{
z1Q{)fgy2Qm>t}sP%kB)*?Qa4M{Oa1#ENC+t6bS%Dy@S3}6vW=m_uAM6ILi#&PTm(8
zgba!cw|G>nJS!av(D7B+;xnfUyQpYu6w%wCoXE(C(=3_vfnDS7!vguxW$-?9eE68W
zo~?)?xnoAmFrBg@KT{x6JS&&GMG_J}o>0Qpp!tbrCv)^}kAw_mBF6WSWQ>a)@Wxi$
zl-~y^sFygqC@SdnDnx9J9_P64S09X*u1XjP*fcAXDL{0-B_CFmzy`pTdgJYCi{HN^
z=hzF3uHMaN@@+dLQHM+%Nf`J({@cS+dfa6&Y6r5B01{PmHX}qmxs@|+3rW9mjxAxR
za?IPw^!w&IW9m)MJXGg7Cp<aZjt9Gh>IhG-heJN?&?RDnL%tJ)f1}fwhpjS8`KL8j
ztqUF83f2HjH=ylaSM>4>b9;a-pr|LwwiKThPQ<$EeQg~w2kRkc8bU3XAJ=Ix1g9%@
ze}l>!Y?(7=B&{eS$x!Yi+$*Z<x68HJkF&n8n#a8MH<TgYLYt4AYc+R^b0LZ{^)?Vx
z1bX$k)>wO42eL7UtXXdyp3_L;q8XxVj<u`p84ZXDHYl3Hh(0Ywl(*?=x^Ao+qH{7*
z?9Nuikr7k4>%#IkbH3YhP#$_F|C8O|S{cplZj<6IK(jCBZK{eO7(cPckG!@PongHE
z(>BAk!j!b5-p)|_k#Avdm!>~D?#5uCcQ=tSn_(C~l0oKVR5o5?eV;?LWjE|Kas(;6
z|JAp_7zGbYWn<p+A=>2e$sCKz-T~Tvsi`GHe1RSLwk@DTm~JZvg_kd#?QuP4+}pka
zYSlr5r#dT_w<bKa!{7FxpbEBcSY!U5$S_ooz0z)KuAb3!tFMXVP9D#R$MuDWa^HYU
zzY%9q;>?h^a;w8(^}}KN?(1y<TmwSkl^1%Kn>kBtm0g+|Fa9(_tqqE-D&{TnRjIdU
zey+e-mk^1ug8IRs0Abp6hGoy`?x~h-_;lsf{_@ui?!O_nOB2;_*F;DY=7w(*KPsZl
zm=ZoFs<jHvcsHcE%@uWb_Cp9Jt+iO&k1B)^q7NS5iq*Ni72$;dx!Qeb+IVUDSZ&ml
zLSpsqZhjm@1Q)|K)+b|c-iK9U3-kc;a!s;&p)WsXuI{}sg!C{jT_B<Zudd&F`FAV{
zs<rpK*phkcN`d}v2M<->1c(c?_Z$PMS+VDqy?&?FtD|uuCW)`{w&Z2BtEFsWE;U>7
z;ByI#<?QzB97}#j#X#Y3tEM&|zhMr1&m^j`#}0DU0%2qSg%4W*qMOrGw#+9FPB<n0
z9$N?G;F(xD#U;eSsm6=GD)Zk<(sSY`El1%lmd_N94g%q^cxH7@CXnUR2feaZ$yu7G
zq@99tQ@DwoPCE6YUiQ_-1x5UDeh3bTh$tQm##@zt(RXP#K`F|U`nb|a=&Q{gUp8?v
zR@AH`8$hmhGh2(xq?>b;Fc;17qPIec$@I7gAG`_|-29`M6^PE9EzDV>q`jZtH6$xs
z8TS19q43DRbb%$YQNr|$Wbf7W>!e_Zh~6>sHP^W=SH2<|)OK7+xl6rweC~dfnLuY1
z9tp1W+%QR~Q19qYj3rlAXWaf(gh}l+5iCuGHjc@9*)NoX^Pff~3Dj`3e)@1f&{0B|
zg7%M(7M2<rdiTpUzu^Anvu+`kkWF@1Ye_L=p2Njqd-A@dqMVL6>dc_Q%3KW9;N9fd
zHEnOwVlZ89<(V>=|CM66e)99dE^4B!_w=Vx((|)R7k5tnof70|zyTLOVF!nh&*TIY
zMimA=WEeamq3qmxrf`D6a>AE~O$<=S?a<{hh<c|Oc37;Z8hJ|ozRB(P*-GZ0^D^X$
zlM|h_My83nL1p2kLGyHr!4iz8wr?uDmJUZ2kp+}Wh0J}X?FKoiF;+nUi|d3j=n{@_
zE4@8P*^bj>8(~&6`vaX6IQ6>Q+mpei(kD7SH9By;NuHhB-1d(W4;osPvvg?UkjNo;
zdR^4$KlkOhZS-rwb?~w=ga_>IB~`A9YBV70PQ7%4t$Q8wUu&y#IGHkL@TeEp;a1Bk
zh&k7%yqqR~=gj{u=3<FKI>Y<q&oQAZl~lSaD;Fv0?t?%FesaMJ-P)Qd!t%Lt;$d>)
zso}D;(EE+5^cjcHVWLinZm5Ubr!>Q%<L6w!TnVQGZ^%{5Mc^Qu&-`L*oC!>>Ix%{Z
z`5<~*6JUJ%aTLD2D;zBfM@6k=sfK=}45JqY@Mn2pa9orBk!olwPSB?^lc!nCqQnga
zaS|9{f*t5ndui~kTKypB93>-D)bHOpsx=UAU3}LeienS!U^W>)2EjJRH$SjWDOqF|
zbB#*8MZ9nBDqSvj^lG8KAG@u;A1S5I6s)nA4C09%nq-<1S0Ija^UMhC=eZQ;@&w45
zCXazPEAz`7clgGe2zFqiWb{fNo`N-A7TOi%vgMSuPq#x3X{cjld?_69iB%{Q`y6IB
zs;+0IuoK{?c{N9G_UDj7O_|vXU=qQH_1;aiq4_;--O8hN<a0>ZRvDA_^LxAU;w|n>
z(yGZ(>UtH#%!73SE&9Odj4Zp!8gL?tHB^pAS;9ZsVl!uo1d7pMQC72?jhDU{$Hi=N
z-kU3t;&2-t5%J)yT_tiI+jRYpuGn|q7*$$f@5^HvbWv142AYj@UHXt4$L*A<1Hh*N
z*5l@O1n3}dMcAn(%mK(W^Yho(sGqruS6^>9_;f7CmDCRph8Z}JaXD&szg#OOs^s7(
zX_eiix<P)9hn#Bi<4Y*<#-I;j`pr#5{C=%s(7Hab#>x&oSN%Xh@3)a}J<)K0g$iZ4
zraLbzhN<z6xVCv{?guE*WX$L^6g9^qpHLHXRp$g}l9PIJpqyr2mvV(BW#(z}oz~l4
zYrq>&8gVs{A(rwFhS-FHvU|5D%-qxCPJzd#Ky$5Z!nhpI!?k~nT5wmHuHRlt_}f?z
zAz~vEI4sEK_CVltCK-XZxztokk)l8wo}%t3MRw#gpLs94rt9!|=hbx+1MzU3rW{w=
z!(qGwMo5AflQv_a#yb2F!q}v3=(k$4`=L9f9pSkNS!Kk&&cB|y(*q@p`^X^;Im(O$
zCb~?2ZIhl&`r4ivYq8;B<5pFv*Ne=t>s(n)SHg`7oI-Fse<WbrtsG*F#y9qv0jt=#
z(=m$)OKc{6n{zO<gKa87(cbY_*Kzy@lIfbHN}9@#>wLX5BZe<(!|k$rt4k8k=5(tL
zBEiW_kev*y>#(2xo0lHNbl-*AU1v-{<VbQKeuH<dcQuSh;$Q&cDTwy8)k;y8X-p!X
z>>FX~7UBdWdzBkm|K)?;_S{@2XHVpil3uIZ*Ku=XT8kCL(F!>dtNhH6A;zo=?ERRa
zb9hRpq-Q>FzZY*pJzYO#Aw@Bkr`-+q4gUEE(^Wu8%+<g%1upIP5!7Ixz+NUavG{XN
zZ}*O{&5JG>5-SD$ligt?fLZ@*<j(VelF+;>e(k07YZY|}Qh%MtOSzoh>MGDo17HQ%
z79i3Q8AlI{H(ZG>WKHm(2%DzMhlP8wAuGK;)m2||X+w%zs;vtpT4Tvg*t(UC`o_6d
zlf}z1AWF7%pj2%Ts&gT|<3!8rbg0wSXy}Pjq|j!`k}xlEIGFxNeP7Bha`U3CZ>vO1
z^6wzrLxcTvWCo5t7ITIupr`-`Q~g<~!>=SN#{#ihe7m$#*4xQvU6!j~i7S!g-uY&E
z^sCGqC~tO}Wi|7YN1VSIc!NyS*m+{_!T0aB%$iX*HDQ#^Y&8xJTsV_t$>YLOqvkp<
zDzAk5ZHK9r%V+#t6YVda*s^$^jP+1mxw9S9$YSQL(Il)^KVpH&wN5`|?Sf#s?8hx-
zWsd3}3QH7gU26E2U$?r$DFKqb&%!r*sHKW%7~$5RK{b0JzyR36OrLZatnTPA!4o^C
zd6*ZP0*_zbX7G!v3pqD)ND^7%<ER)M>VNx&vqh24tGU0^>qJ>k9Vn@1L=oW7>&UX8
zvqTEO{ZP?5@o8Xvv?zU0*1x-J=jpm|#CO=p1R>|k)c;J9dG$&ZjbHsf*ST!E0N;+C
ztg4}=IVC*biK_Q7DJwIz=XQA8ft(QA8E^VIKMS$ohvq~21aZF!L;8HjjVR<Z3?)ZZ
zvM6y;)<4b58<Q2zHXl0(5Y9nMAlwahUqcP>54^<OVS_czKpbr#HxlJ`(m7u^zL={8
zBc-_fBTNC@)*993j@6|*{a{-sj*rC-JRR0R5JN!Bm2fz7j?ALJFqA%cS#F?^7{{M6
zaL5uOi)*<rEi(Y>R0nW(JwrOXp3B?6D?zRXoH$~gUP8~R914yRF>L=m(`Enk@$&c4
zj_(QK;lInk_J^U!;7p%-Ox0hktBAQWwO)Q%BC|v1@k>oi15F6qn#0!1O~NFWGwbC}
zTNVjG`fJ;EBTN66CUG-zTb!q39lq&XY;4vgH%`e-f5e0Vg7LStPBx(@grAi^TOh9s
z$+I{Uw$9MAIQe|I^$BI{n^Za3$D~!8Y+&m>O%29;oX*WL25T+Z|7WmsxBu3%X0Hpm
z)6yv})o_oDVSHt}Wz7+ELK_yz8@O+d_|#~<QHNH(;U52%SSr|0wXgFYJsUtCca@;9
zVQyt2CgX)$jI`l#c0K)^r5$SN#O?I;vIGZA|1Gwbmb)sepMt7}M2{#2dXL8(1|WRC
z0^yAeh>w)7Ud$<~c-Y~G;US+9o}ogd3+?{?<p2Fu?rU{Og@j6S`KQ{JmZA4am=;NS
z9Dl%)egO7489A;0u9naJtDKoDpA-1GHeUx&RNpnaz-O48Bs^esf4`8+4ImCeqnyp+
zOs0rurDkxdb!^Q|!DJweMJ9ZEdThyz_ytI^<izLBFqz&U8x59}jmbnf4Xn_>Y`JJW
z3mq3I0XHKV>vScMqN^>pQ4iFScUcaGoT{D<0xmlR`i@FQcSQM{Y!P?wBJL2w%!W9*
zJb5Qyh=6~r*dNxl`<i(AO=ex04yN}}ZDUHSI6fWdI}}qFcUEDA%>J@DO-VHv-H(0f
z33)AE!u?E>l-ua)BscW<d``2qZ#pqnT?V<C;HE0Rkowmtefn&;6t~rNn0naJ`9F<X
z-kv#m6`9s`R^1kUnK`i(a$v3ucrdjfSeS-^Utjc%wHBB{u0y0Xb?`TyOrJmw6&CiF
zr{Q`P-7sdqMlDL>g8+VBvAVHuR4i6bc}9wOid+<D)tvd<*$Q9eI0A!rbw&srMHF)i
zc`&MO{V~yBkHc!khOEJYSd|)^(@#AIEk_T?0LFVSQ){gs2dlksaF~|rsQZjJD@0O4
z5>4C(dYY_XeUoQVi5rG@DFi-b8Q$J-%hf|#E_0Ya`>Se7Lqjo4K#@ox@Zy5h*@+9*
z@_xN4dWQKXDOfmS$xfdtLzaKFs{UeOBg<4gI!wD+O_|)pNEha>pVu(2dbY{cGZNkl
zl?(6inD(XVW06*Ne!*SD#8`zg6-$6-ID*1lTlw__N!Oxnl7pyXFONXgpOXSAjIA(s
z>Xy^$Fo`LFNx}3ubViL}hV|ocTpGWFIU2&+x^#=@^q{7Ko_QBilG*%fDuRB4XSrWO
zigZiS!|V+|M`JGd5;ErF+fQ8%8zH^q8~?D_>HC}E>J=QRaNg_T%e12gY<=J^W7YzW
z?CA)z3S?*EK<X#lrko?oT1J~8pyP~vC;Yn9Ipyf*+!nTo*vOJLk~fBm1SsG2!pkgW
zxbr&~8fm=Npckb$b3(ap>$)Ey9S*1<_Mftx6q)9z;wuXjAQIhk((jhM>%J2x255&9
za4Clqv=M_!hEqw#-ES^{eT$oO>rASHEZla47h9G6>Z2!^g0W-k(pIf*mUR5Fk>aY*
z?&z<CE^6^^GbX@IzvUru%62B3uqQTRy)Lh>cn7+hd5Zp}l=YCy9Xw(QKaU({*wgkN
z^mRZsjMV<?c!yULDF-;M%%EpJBErk<W-ofQ=_8fk4sR=6Qn!YrT{ROD-|dmK<0l^w
z%h1P*1Fbrg^5Z(}<|=#a@B+t<k_r4cMarz?-cWGttbgVeE0b0j0}{AC8|ygA6oSQM
z_}hgZyCyaxU8aT>WjsoaRID^KQOF4CT%E_IJxBG04Qa9FL^;fLE)u<wL;w7}3i3{~
zy#;y;F}>7x+XS4T%?sPz`b3{E*7|yrNEg{|!a1R)%Oc9$qZRIw4{aEZ8G}Tw%})7r
zp=A=hbzM1^Yg}$ain3g~(EMEMMr5Vn?HN6}hQT<pFfX<Ft2MsKBnYz&4ca8zC2#w}
z)Ca`dxUuvkh;`n^#sGqHD_htkYaT?eX?XBZj$A$rLbv+<^(2C|rk31P!weYzi)uXd
zvre$LvJ>A>s%g};_sck8z9d1l^mbRHs<&}yUl?fBgtZrgc}VoUG*U#|FI0CptYt0n
z8yO}m#M8k6u3CePU44$M3xe6x?G<v^RE*IIyKn4Rld9=|E8>wOca-5a+AVC89e?xi
z<l>QB=rV<piOW~BS`)VB2O-`_Nnpv*6*RjGgAt@jS$$-Y@2pavq~t>v%Bkt~CjYX<
z;eB6fM?c_r)?i(n4&?g!ySo44(T#Q$voHKh{YoM8eIZy{6=HW_H~y-{wi3slwg^v%
zY~moe1k%_jeEQ*zOBld&2|F4c!KfGOpY8>YNpN1srxX}m`&T`;UK}qIb=tHGJ*BJK
z8pU;|mvOQ_QTibFo8q)hn3-j0RY5hvVCx{@_`j?rCF&^W1+h6BZZFm<SE~j$i$TG-
z6B?{>tREVUtc<(vpezcbBv>Xj-~W!NyDRK6gjO2~AeDTE9CZ0p);D;-My$qwwB;Hh
zv=4PgQmKm~o%9D>wRkBX5KP}FD#K<qvw69f-Db!_e?Mt8?501woxC)7+?J<=v(&uz
zNDZXF*~<xhw!)<I^P%YZ6v7e|NNcl=omoF0I75={!l_Yo-q=ZA8sczZ64R*|bi*(2
zIZCVsU}(gLg(!n8d0e4E!~40L1kq2Tsn<{U?Zqx2K~tgpb(A1RMV9#*IZL)_Yrk0n
z%^?_<*Q&Vvpg1e3TIlCwwn?0V=^;c-qM3w7ybRsq;U7Lu9f`3~z<(BX831FzI}=Li
zf6DQ(4f_<xdax4YxwWS)rQQKaixMHX3gq5FjVEn(Zt1SdA;?p&Z}~c7J>Mh)hl~^n
zy>TEqeSIe;mZEDh@q4;u7?Lx#D1N%$^RpzyRTYoYLM;k!2U&jdh*;Xh?KzA0xb=Dv
zCc$pJK!l|1&s$|(O2*)V;dy&UgY7$*Tq|2?B$Kqp-V8kxBsOrYY3sJKi;|~Y^}gH0
zzHDyr9Q`D~Vyyu{<j9fhUKp6GA018I$4jQIyGpULUxmffFBeA$+eDj1VD53)-#BJt
zd@}qt)D9!t%Gd{t7y}Y4P&ANsL&XxQP;LINs&=a*3;p%Yb)ZZ=;97>pHz<I*hB~^5
zAM-G}DfAiwwexO56rJ_0D2yQAhzo2(K&b%g=RfUG`q-N<Z~N>&%Gq&hdlYRc*U=3!
z>`_*XHao}1*dw>2@%WvXi1Dfjw&sU#+^a>=Y1C@1=1iG%yC5zGj5~L2LL2Sg`%EDR
z)2b-DMNP6-)M+3bY9`pkom9j<2Qz@K)wPjM#l^41Mr_}DFDNN;PU48diElQsT><5x
zeuzKon`j$y<av4#;p1ZugDJO;x}BdKu(pZZYo!a%6d<N&@-*v%_}N4LGPh%^%Qq_{
z+XU&Ug1=cGc4e(A+?_9N5CqCgy&!N^zJU!vAAP&~DV2GS1A(!~KIHE0#jUkkcsbTi
zq)oJv7aS?oosaxr71UlAd-_5>>N0Sqz(9K&Vh^fZ+aX2gA3pf(*CzalG**oVs}zP8
za-bX(TV`=nO1!6n)~@+d7jPs6ZTF1~Gig6{d1qyY{vv*9?h4?qu8(e<p^r=cZf_kW
z*3rcf+|aM>hA?}5**_<2H9@(x;Au8N+S;5K1aSD-w;nXNyR^q*Ji0QbQz2iM^0YT3
zUs+p`aZJ3HXtAvXNEDhUyHgq_aPQASzNvuVqixiBJjk<mt+|D3&-`OV-xhNN>;aSE
z?mVxKffF!Zbho3qwy<*s20X+0+?p%%x+I33htIEg=eRrkn{B_h)MLW*_Da@(*AH+o
zjMhE7!^uCk@Kwmsug8xmSNsfuzTB^P0!N5z{)Q54)Fg2)vdO-@)MgOJGxyh*kt(2N
zV&|H0S0Wnooe<kC11b^j_%C&ON`vRPiM5wZc+3*UPdF;|@l-<FgFdKBGJBi|^!7LQ
zK7O3*sth4qX-ZDG2q!rvw-AYj;~>L%45LeDdsGFYqzo#cr9m_T_Tw|O%vf`6xGU|a
z_l1o|)d#nug?utQ0mRdnYwiAGb{Z@f4s1$Tg?-)bf4Xo_kLKq3)EkAYbm9oM>VnWF
z?yNpz&EP(-Ef5HDa0h9B&RuQJ|8}ZKy}$85BleB<cYBPkkLiT%dixjZ#EYe^KQ?QL
z-(o`qV_AteZLia_IE(>sY}MHTP}UCrgMU_j$H$UL;8;oCUFcA2=7<B+m(fZJb*0yL
zP&!V(m~3G3h(w5qx!##Us`Y@;2%x1YZLyM~wSf~LBF%vJlsK=hJcTQ+4N^<IDMn5w
zhf#lIVQ(zFu)o)i=%7H>K1Q1&*;ZMpEse;sGOA~roWf(vaMWpLi970lfh}sCg^dpX
zrg8J~yP8Jc{?h@2)r`Wa)UT=Xyh{d_LS`mgrgSEWf6~Z%<VI9=yQ);|OB8C|MTqdl
z!hO*3{y%<&{DSWBkC-Ca%h~U}26ABOH9*FVtb7aMN~Q?8of0LdG;H5My)bEl0aS=w
z=e9C7_R2dc(zPXyLJ4(ZYJqvWeKD#9vSPR>+6`x(cAahVz@T?7s64&R)?Pf+GZ^z(
z86P<A5Sg02B+4X;A3Z8+RgbjShKm8I!R$ALl!<XLC|Vf24Y@!)qiJUN)YIP2C|~tl
zB|B*M2ttCR3jU!d5HnTAE<+I%=O~V&U(V#n*n7rkfoASMOIB|p?hj!lCcpHwD%xu<
zFzN%-=BYDZ#10wTQPSY!&opJBY6g?i^jU8w>z!r$5}pT=Xajey$9qQ?TpAD+)$(gB
zbiy9d34FiKGeOl-E}Ff4Ir_xj5>Q=cjyL}!go${Mff~-3u@xAQQ$7x3;*n|(oj7j0
zG@Pkl<b=B?^%J=$8k5??d&_iiF8G(7DlF}$S|EZn9Jmq0NcUs7{E2&eJ{GrNZKOd#
z%Qa+7dn`U!o7oc)L=7i-<<5Nv+X_A6Bc^!9P>bb|)mB<T!7@rloOfWM&f%;~IDEtV
zl4i6qxKj?t?v4ACam6uI<=WW#D~9|v#pb3H7@p^?yEi7(@5nRf&|s+GA+WMJ6HbTP
z*)u`vM`$9=m8x`4b%rHht<xTJ&LhSY+6+!6LF3B63&#?zqum4IZ`=S6xtBc041+8K
zn$pw4@YDnDXWF~Ds|IaX&=TmSoApgJq@y7|{BWLhTbML{4&vb=+s5w%$r#R)Ce~Gj
z&w(HbVMbF5=Tpa5n@6dNpye4P>x);iOn#O1TVjPs6{1q4OmO^TMjxq{p|**aT>F=x
zdeEUur;$(`LEXQH?b1N~-DyOg^U?%=m~(0YDS|yjdd}2CLBv9YgxVT)ExwGfDNaYh
z#}1YG{wA&S^Tp*lc*Yl}KU^BHPokR99dv3w^ySG=Gx?9kU2@B$n)kT4@67SjRA@k~
z*KqSn9DJ{09Xa92T*V`5f+UpkL#sBBj9whS+All4rMhVg?`S(7Hl4i2$0|sNyRQy8
zmSSljQsndbNMUe@Ru%B%G*)R|63^e}QrsqXRKO3*oL#%p$T?nlVXz|#B;C1(En7m%
zdxe0@_Hzj9Z=RUEFt}_h(zFk)C6jMaBiAg@b!z`^{8Sf*pqpNN@)!uu<A$a;U)pyo
z)6o5$CrEyrBrd%>9f6&%v*6)Bo5HO%MRZ;%H-#aRjaIpQ{q3ppWB$!$<TO;lc-bk{
zZ>0g0BDOF%g^!>{ij?7ymdzf$Y2%0gb-nC%rryM+j-+0zfuoTSCW;nNaOR(Pd7Xg~
za(q5Ivx&WZa>Y(4(W`K>O#DcrS|Agi<@xjhdgYTuh^y#+TLa$Chozljp3HXfFc7Y!
zq5Iq+{`x$~>%e9cB|Y|5ZId#?m>5&ZQ}yKny5{O}pX=FZn|<t-S~zx``o{*QQ(Q&)
zz)>z<k7rGa&&=t|$E92gFYhn6yX0it$Wmj>p5vi*%+{BMzx3j6jMg5{^#hcd1hq;0
zWIAPpuue3FO7gHV;PWBPw(=fBqmgvD>9VY-Wao8Pj3w_Tbg8oX=nhmx1sj2XTHL3i
zsg@T*oD|lP>`!6tq*uic5JSOp_8h(a<b2+5J*$0%{93{r(^%nfA`Lm~wJ#Je)pvXy
z<)A0HFric-JY9O;nUHF>vzc=l_>oWg_qb4KxJZ%UF@E^u-BV9(z@^4PftA0*WCism
zPdhDd#9nmBLAx{%zf?$RVSyf8k*BUGagW!K>!A@1?%jTA7utCPEP*qyCNl=c5a;KW
z3kLAA2KPT+$%c2BuF}EWJJE@3Dd7w;;f^wOnH5110fs?z2!CYb&?$oT9X1&8zJE@e
z%z`EURXg~Tk?vtEMT3+hS*o8fjHBKdsHap6?`gJC&E-Qja+jmCzg?j41IRAyZYajx
z2Ar2g;;<efQ(}?8kclXC-wW}kM#>T0mg>ztQlcZ4>e7cq7oMr7LAgXW99`9NgmqV$
z5&yEwAKvQJ?l*SSSf_-+3*nt<rc5DaR5_;ncq?<hhb@F|_pJ}@!oMQZVTdOSzmPh6
zUK~VcYg!sV3CIWZ9>7Hg7$~rS`WZ8*Y;P#3aZEEt9W>7edGplfC)=&hzZZ0$H16Gg
zp7`o6uZeuQ<5v}4Urf+`?~M-gJC)gU&J%m##l9^8?GPla#!GpU)!kwD;=+=_fO=!i
zUT#Q*U~3xJ`1hlR@9V&vfc~OQoT&)q#_MIWQDnWz;Agx>xs96IlR5Cq{fS46E`~@7
z`N_`q5Tc1r04Qv%(Fxl+Z)_+)FR=CSWOt=rSxc(|^su*riQQTc@ta*eZjGD7A$9D%
zA(B9@@%N9H<5S3K=9%p3a*D}TAR2z(ZX{c8GkCoN!WiF@hnL5&4v6gbIOuG0IR<a}
zI>u|y<TcRsPhDz^ri(Ch+d9vg0`iq84~9cOuys`q52o5Y?&9=AthI5EDBS3CEzoOB
zWF@X8OoO+Lmf;DqG4}%#g_>i=1_u`2udO0A5OcH=+srwl%v|_5dB?d!-$qaYh6V_7
zo13GwR;EXyEv^}CRaafT84#6!GvMJC_%1i+hf5DB69A7Q{Z*4t_?x^*M^8ET_U%r%
z{tuC5?)Q!8nrDGZzLfw^W0>9(1ti`iMd>)TlHc1p7%{F<cc+^)_pk>)mzx2DO>VUM
z3VkUUFyJU$SGc%_TP2LrYedIND;<23lM4>sx>$Yo)zs{7d8it_WyzojGMO-T^MFn!
zMg6I8#>X7l1o{Z_*;^nXdsS?mgNU>4S-<tD!?vIua1UcPvpJ3^nKeFcS~>h6GN4=o
z*YshRVIjV&V$Ha*AOl{=2t1GkJTRZ@S3Xyu5%@^G{jfCOyom-ex<W~eXPBDBys|~V
z5x${8@_!{B6u%C~8(xz3nv;tw@=jFyfBaDSStT}jgtksQha3~F-9xTcJ#uJ0%b6j)
zNS@JD6h;#)Vee2wsodH9UxsiMVMx*ih3L~_$#O|DbTsy!;5?FDH%Y;SDGHS9FPrTX
zkqx2@H%X<z-k(UfG@$QwIRKeLK&xk@_9@luf)Zg`BlX;De4OZ+ApN&Kp|iO|y_$gh
z?5TgQ9qMNl43mQ-!k000pWk0j0}M^=i<=1dv8fi+8n}ePSqb)6p(Gov5qDDPQTA<s
zP3?KYV<B4YtxWQ~!J9SDlZ33ETCv!!U>j_V61L>or}~GPMuaSIhQk?2L?TEDhMfu8
zw4+8Z>{1|SXSDs(ZoRy{Ig)t98`WQ-t0^A6;3l!w#K}(CHpQe9lQmiPVvu1v`D=mP
z)+o~KqGdb@*T6JKlGe!K%`^6W#pdbS=`r4>0dt$|jqd0(U@AW6jqg3s9Xd4DWZ8*O
zrgM9Hfwa*krrJx(IHGOul)6nBdLW##tn_-m8FdYb;m!ww88#ZyR6{B;R!6I^To);I
zc6nr9GVNkK8-eM?!$pVA@mV;8eiEa40Fj|$LRXa*rrNtCwls{(4!s+7W(e)fi-Xkg
z7ny`~bj~O75XKSAJpz_LC>;x{dAatX*}?6P=!d1-<wB>Rpny>|<fDDA0ENVf71BYO
zZ&3{q4Kj}tPfY|Gg}-t|i%jUE)85avPfPKzHN9cZp?Vh>_T;WRsj-&qqrW>MY1Gj!
zp;<j0r`ku5CNvJOPH`ABqo0%u(HS{ZxPguagcn9M56R09V#Iyp{W~92j#|5%H(w9_
zjVCFo#^4poRK<8eYII#s<9fu|NUb(tuAsP09cX`<9uisEhUy$@I8!L^OofUU0fw}e
zI>A}sethepT*~vy?|1)ozY(=c!PJ5Zb&VyX`Aw5M9_$>Nbd^M2C~1nefUk$Bm~u-3
zRix7qOy(Ko^a9y##pxMOxekeN>?$_gnCpls#WPU^$j)DX$El`Z{WLl;In$LVjr1L)
z#M9KlRo0)2RWQi07J8D;_IMl*A~CUi5{w+i@;Vg`OBV{Zn(X|l*=N1EeOQ|x`kC6B
z1}~2MPn&4@or}yxcS<$K*Gq25xLgTjm`N=*ZfKDhZ(&L6*zBI>F?+W?LlS(i9Kl=k
zPFo!dEG+K*Fa0#TrKZUI{QPl;6HUm)5&c34i`9l{IX6kcHc$q9*eXRjU!I=MzHhUL
zC*>15O)3scc#Pj*pH@!^#3k7YbBu<(9x0O8^pz8~=6&h#TwU{Sj`6QdX~9!#6Pe7K
zy4$@9Wu#3B#V<A(Go7)T{2sv;4tmE3l>Nk(CR={B>?3-c*nL-O&qWkx7FG{N>BP6A
zEO;!j(mZT6c8XY$X1>hb-TpnV4Md$!8(g*Dqkm8|fe=}xhzDcn4}S;S_@6$DU598f
zg3`Xd_&Bt*^wX2r1)sOX_SaWP{Mi1$t@49HmpMJJ<B&e}-u*}?&P`uGSdow`zp8jv
z8Vc}dXps!z-d-1-(o#^CkMkGYDLy~2IcJZ1Zn%27TcdP%zA9-Rz6Jv06}ln0!k0a(
zUc9?)_S5DMVEE7Xn|~5)X1SD14-NRJB8JZM+j@R06Y9PC8>^6dU1h)!F1rJsOOAjY
zgH-sPzmg2a*XL3`nH<S^otr~_Pwa@%=JQLQG;cmU76~I7#Sy|j6)8@5D<@!ajxN#0
zF9+GO@VfXSAeTCG{jqksf(vjz%1nk^4w`YBIY!6CT1QfziNEe1O{~pJvLBzcF+}S`
z2JZ^x&53<M@Pi{sG(Mk-FgTn&%8{oY@-tH8ak8<s3^?h8PCz&}2FpfSL_e1Lk8m$!
zug7@tG6|$fzSXtTVi$sYjb@F>CUi$SK9dfY%*9|UD*7vC2X@M5QN<y(+^%x>L`O=!
zi6O*xHOkoKHYB(ZQvTJNcmO(N0*Au$r7zbOnG-MP8v~+gdFo4oPyeP!&ydE?F#?KM
zurA1UGqO4wj41me-{@~oUWl~y6?nS$*4A2#O!ipW4GJ&f=u(X%$U`pv0t?4T_-u3&
z@AXtxVrYJ>0A+GPM;pmyc-&EYBCd;>bVUa9sm)KLF`mCFt;Sp><5bq@!g1k4bUG0;
zG>LUZ&fVlBqHc?Cw<_ZgTX8!%2G53CU*3Be=n&!Do9#XX@t2nceVkpD9Aju=iUJIj
zSOCz2%G;h_?%7Rpj}FyNs2C~13j&=@LsL#z|62=C7u~i9cvhT}fh16KH;}{l7y(JA
zzMFuX;HfFgDwU8;$g@bKfp!DxBJmO)&jnpOBuiOs1rzx`%z$}{I+>S__i3%U8;hN_
zW5RN7?CKvuPF<bknMqq;b!Mc$d`?^l2RcC%7Qv8D`ONlYh`rkDEH9%U6+Hnc@b4M3
zmu6(*ZSe0Y`vtSHf(zPhZ`R}}3_HF_?Ru^)Wd=9L+_o(Yv*ac-MkRtJ44kJwAe-uJ
zL%emEezUE6(@AJp+}kHnKP2d5?y63E#t=ZWsIL)F>K|GfXaAOUiGOr-rM-P?5Bw{)
z7p}GXJb0MaLTh3x?uyJ#ihf&tG|n*P;~noj`IqSMKio07gG(inw{%B^9jqgF4S)A~
zHw;kYzarDBSC_vy3f0r<EhL-EiL6o+5fV<wYUY^CfOx}{M!oSg#$WG@gJ^^aS<oJH
z)#l@2>?h#AAWCKq2W7cjUG6R{Sa@b(BqO+;qLsC^Zy)~Nd2mNB+MTT4LfLE7)L8Aj
zGrtoaK(|}r*s3%7gu!SfkQ3pTaQxFSi^JVDbBVuA@JjrrgyTvl@#IHax_RZtZLgS^
z9<T`k-l3f&d{2;P*I;Rt!)lF0Nti$cUEZpSS{qN-<`GVF!<oa`HItWOuz8ujKSTVt
z$x*tctu8@Pr{^bpW7=q~&ZO=r<V-#@NnRkLZP<ep$$C9tJYsP=v!51msO2o+qP4j)
z@(hwr`eiHTY`1y$aH8P;V|JF$Lvj`j7sC-OBbPBSS0U>UW7bZP1ecMjZ>2Y=XfL)4
zBZ7+qLIWehO|hs;vZ#x?kcvROS&qX;tUB;QRh_hThsi>1XMr4Bh?%u-Y;DBYMo}Zf
zc$HKoU0ueE_NF6Aq){FncWe#WK|cay0f{IiNDw>zZ<t7NL~(!bZXv}p`*yH8P`@rI
zzl>CZ7!h&ep@qvK!6I_<k~nL_gNq)6g1lBI#l0aENRChe^HJaQTpTg(^QM-fkj9Yn
zBTh6RBGun%$IvZ4->f#1GpCPXz$>p}U<lYiv<N_u<z}?gq&tx~5AoN#=CPeuz9e8-
zcA^|8sq?U2B12YOZs6=KbRp{TrwW|?V4C3su?iKF;akr@J%__M-NjyG3%0O(oLJFO
ztdyQS%!*CGr3t5jd%$+Pim5S#w~Z`oa@#fseu&MX-d1jVtm7J-g{<81=p)aOT*YBF
zaX1qT9TgD&7(;(+d0Q;C$T*)%Hi>LT)N%VApfAth3r{e1J@UztRvs;uxZFwATUoI~
zwX&zCwo+i2zS~NTs#u8jx0McU#f@R&r7}QYB}m298otIusCo9f)+S}1RCUn$g)p&9
z-k!skYbYK?<24j^2J?{ypmlE4w@MhP^>L@0h$jZg+R}~~hiW1SNu|bQ;?S7i-E!wa
z_i#*xv_gihpk4#$jv(`0)$&nVEGxqz`gZV8)X(pFpS}wP{rbZzsfWUQyo|PtEQZr_
zX47sWRV)Vr?M)bL9vaQRuL;sKypz}8u)b6!f`&1yoqY_w{)=*<Cm;LL4GfRj%fsmv
zF;5lL|2FF0y3MN6bGgMS{UPl#jg+7X){{gj7_!4mSHkoC9u~3(vS`$mA0H*ZekOkD
z0fWLWo+Lm)sCTNRDM?YFON9lQdj3k15=R#Qoqhdmq8l>UP5*l=9Ul1LLDqwGH}THZ
zMt6^JoXM-V|1FNcet{=|(oXQHRzOxe2Ir(Br>@rax0K7<Q{N2jBuH6z4$XdxZ1)aq
zD7@JWTqw|#{%k2oy|rJ=7~dg6jlby*4~*~GKC{y|P+okeaYMn?8fHq%|MYUkV~^fQ
z8;c=Kt!&-PElPz3#A$Ogt<K}~eGoIPe4=zgz|{@`C9*_V@U&bwsU~RT>Wf9vt!gqs
zm7r-$^BZUKi{;T2%us*0Z0y8V#W<cyXM;uKcRq>JMi4KaML;@a4LMxPhb(R43aOCc
zdo=@-X?_U;D8rF-tL*KhJ6)>*DJgnbJIfMCv=8%7IK`EUGcKVw#^LmN$=U>om2QvT
zz+HMjne96%@2?wA^rjb)@`vWI!vvG?(o(4SL5J;!uBh9UPt=74Y<|zu_*HBf*dGP`
zdoUs7#I?Ws9X@uKK1h|wo6gI3JH7S-;1mtr`^y@rmh=lxZr`sUIPXMaf@O3&A11I_
zWO~mO!iE+sVgs8t@%BDqkwHP2VtJIOO3`{Oswx~kGK^>Uk4FFmKIz>@@h>w<G636*
z=9GzjYefkZiG<=x)tfie7+k5lT>=ONWB1z{QA;Zx^+qX%zlf0*N|RcJCyv|p3E%zD
z>!AJJ58)LVLGis{gF`Zo9xyU0#bs!f@td6>Uyo(Bjv5(RYliE!G`dKlqi;U$%0n!8
zf&yq&VuxFPK53B~V5?dmJoa|Kes&4kL>Kj<OB71alF>=%RHOuo4SMXz`7px}5~kne
zXk+dU2&J?zWmD{{cvv18b~gAPhQ!#e+*81$78K4|4S9MT)!RFsYbuWMZ#nw#iEmb8
zN@LX6q^M5|weKHttY&Q=<!Jx4A`KKvet8T*$KP6Xm1$Qk)n`gTniISEn{rx)?Lt@G
zWR$9Raq-U!5c+-CqRa$OXGOGm$xiYDEz#~WJW`IR3|0D>r;7pQ1hW?xr?UnJps{}N
z`~M)TvWkr0pp#(XZ6N=>Pmhc31`wA!kL^q(ATlLT?JAgD>UG5pH8vn2c#fQ+?{Q`Y
zSmci~sr*Dx=wd629L%o4rN?XTf781+;--sM@x@<T9b8(XOJ$SmFkeM83%h7GCquLw
zF8eHsAUdcW%?qQ_h72LYeoUmNXA!An+2@TI=3hd^QhDLm!mY9XIml{LbgO{QRT(lP
zQ1Vl4)ooKEU}#J7xVcr7S>)3*FSaS>i7^R1?U@Ec`KBV8cD=LoCM34cK?gcSrUx-z
zRb(#v_6uKS@JgX&I_EH%B!$ygqj?a>66E21WN53Q@Kvx*6GMYb(DhND_-Xu81=#HN
zA=ugF#mGuV)Tj?RL!wkq9YdiJ@K=pQIe=I115@^q^!Y#x<2jE$oLFML&iAL>Ms3nF
z+%B+^Zp>9213(A+&BXtGK0}}Kdy4S%bv$y!E<4;rti}ypLU_1+&!(#tNi0<N&slHD
zWSw9fyyGgQ&C3?#OIDu_bPHh}aM0Q0otdg5a7h@&nHT$bKfgS%)>GAb!NM3u1?5<;
z4i;z3x;9XUuR6y-G6*rLYvmm5TCdA&d_6JP73ni&DN_P)vJn4_K8=G=0b-3E^W6DD
z<YXglKU7uN?Ut-zOi`jj*@g*lneA??HWTsYYxv&SLSVekJ@Y`vo?9Mh)#-=$+Y6C1
z^-@tvA*&7EzWZL8c#7SEwo}Jm*dBCF$T;otoD?FOdxki*I~2#(ZBUUy*=lJ`p)@ri
z!A$7D{^FR8-)<t%&GRb{Q%hXwD2&lsT8vPy^$)R&`Eh8xxP8Fe;q7jSx#VDB2YIu6
z5vjh$wxf$CjX>m`w8UOO>Iv#|%1SJ|a&vQA<Z~a58fOx&Q)cx%_y~?ZKb}LTy!n`W
zx7Y5YA1C#T^GEuwuWLngouLA#2>KCil^8laS8M=VEcr>dd3<ba?CnYks7T+>5fc}y
zpp7%DW($jbyIn~Jo6xx|te9*$hgKRbB=&rPWEZJkYjq?O3n%;0Emyp1ZHOWCBj+U~
zf2lPW2V9IbG>q<;z1?LcoIB=)g|P-w2~_8dT!p~gAla|5$?am<M#5dM{@_4i%3|bL
zOBCCf;*@l1v?)O47HNNd9$<`;sQ>{=gvw_axs>=L#l9T75K%CqHPBY}{JxgE|0<E@
z`k@85*Bn)3GpIx!o+LtS!IWLw-=%bzgo&|)wi`woDQc-AOoqN-UaX+8d|Z&bDAfJ5
zpdHH<gV<00%fCZcL>g+U@6T>41BdmrL(6Y7w|J?JVCdn^{1Jfpb#3{?RO^92=@Cb`
zk4y5O$wCcuEL7rLs6PV?+LO-v9F9y<YO&^pUc5|aYG5n1bp5@9R#jNeePmfR43brT
zX&d(Wg^tulHBb5>eH2WnG8k3lH4lXhYiuFGG&6`*7L=q&@Z*(4N|j~7aUq(~HaNWi
z+Xtj9Gtk-L)DbO$7^ljzAC+Njtxu1bFgQoPF;2LcQt95VlzlacoYHed=t?b5jhJO>
zpojOqHGmZ3@DoN3L&t0NkWCt{A69DMFRK+Qb=lih47`$Q7xC2rV#yrtEPdI5Sc(=f
zD#^=@M5N1<%#cJc$jte;HE3{h1O-e$hL>}DAjuFjCNNSgdAXUdKW4(fQc7kDnxNlV
z0NFd#-u|*O`;#b;gu*eCBMU8)fDm7)#lj`70>=#9)s%WDZ9l>>SRV;aXN+wcE+wWC
z#BAz_b4h~|3Ku!zwD#Y^)a-ySkp4mK_kl@nvwS9X^|Rfye6|f%2%^iFU?c!)>34S(
z1CQbCT-n@Q)!dR91Dmbv%SLJOXfK#<Iu0)jyN8AKylLiTm9R0|1+=_wf-q>x7R7Gi
zXZ8`#kU$uINTdNrY9Y5sggog^w*o6x6?v`&G2H+qP&+<Es74-LMmQ?RpgGw}Yz;gg
zK-{9-ZzhwdU@Y*cXgp2Mx->R47St!)dzO6TiRP_qu{mR-XQJ|`WdYfn>Ab0CyhD7K
zV#sCY$;+&fF*yl>(Hi0Gj5cxvV39GsG2|~(d)8<HFa%>L#DvpukIy4VS~lLetEHUv
zuH1pa<4#V`q>0Uus+L1m+p5HccwR_}93(gS<>q&b<&d6SE<gpN+HPVQEIkgl2bUO+
z?p9sJIK3*v$BOM9>L}QDaB>|DrH!n<zeF?2=1eG|DKzgjQUd`uFb*ETCnT{Llb5>;
zqve>f3GV!IEj-ki_qedwjFX0|j=cZoOeCV#&X>^-zafcHeYe@Yov9`)f@{L5);fj1
zi*vB2Ps4JLT8>vkPDR;-hpN)TSR{|ST(^%`!VHk@We~Q>m&HmG$n(0vrL01n+(;c2
zXD?2Un~q3^J9N;nB(~xw{<|^fQ{We?L$r4fQChuym7$wIhp66rUmPMiy64Ld0yfn1
z0rau9Dru>a($C8PBqs4(eWx#<2I~!6Qyv2Y?*H<Dx-2M%h~=8!jn@TgUs6>!PfRUc
z#pIVFLYF8BCp&V&zwaay!Q)AwR497f#)GeFe#~|9l_ZIfTh)BYM@+&0gA7&neeDBd
zk!ih@BCkkb7Rn>P6qqCB+hCt8vxD8aqvH7xM#+tf*lQLhCLVQjJoz4!Z-X9Z9Z0BH
z*}jHEWm1#KOTqok0-gGMH<a^(yu(bHZE*)FT^9o^xSg(Ev>EKmDnaqLPMHATX1ez?
z<`hiaS&b&H-VL|;yb`8{hU`%v?@|_bGN}Nm+sROp_J<zCpIreg*-IPLU*j0Az>8`2
z?4yplU+oUN(42jFwD`Mz8!ed+%)gy&hD<1RNXxXIS<^CY@9yO2?Mvx3b^>`?I&3u6
z`uDdUESTUF`0+&sU3512xrdp(xUoi1!=G8Rmlp>E*;(Z*j#C@^<XgXK=f(>90cnfX
z7IDbM<7xcIl<(qzeXDqP{_VyDEl<0IaV~e|nEE7P8pa&yO<YQ;zuBPa3&t-h-@2+q
zp_HNSU|Jg#LGeO!rgXH4&c9*><mVl9^UtRrUyCI)?bTn%eQCs{#CH#@GCVaMS*>BQ
zc^1ss?8E56iWoN*%3wTo0b&S6k?qdg$aYz$ebu<7fx7q`tE22o?0PB83Cy6@oJCs8
zm66nAK|a(wU&dy`3o0=dvlUQJ0k+|gv~IHq63E4l8n8$*;iF5nL3z^J!|!U;7&m;i
zco1cz_UbW_Cfw?Yo$Ohl)DkEG@kRT2RFSw}SV;IWXO4fJg4ko9?EgBU4!PWTDcfqT
zbT_dzR$GU-^YuAWYp3NIsO9C49?bRsbL-CkCb7pXg2RF-dR0u~GYplx=NQ*UK;_Hq
z)J|euAkUKp1+P&{#Pv;orK=^0?`?=krFr}UEx;?_1nE9v@chA@2P2e;=k5j!K1ti0
zoxW;MtckX$h1`8&O1DZI!?9I@n!bOp3-`=u3M24)OqL!}e;!<-0lEZ0cOOpWmnixD
zo^U&iIN$M;#oQVkhE7FqLsTO21Hz_+0Q)Vu?k<;-5q@4rxEQZW?ySMzhumC0E{<v*
zwUX_SPy``J1QhF$s3KF5r|5@h>)Z3l@thw}xY6zbRp91y888bcmPyGari+jfJZ_4a
z3NNl#|KR&JT_Lw#R+m$a%3bLU-WHxQGia+Za1J_w$DHL+AukXSG}_#qi($N6@BjGG
zR9<;>!kscM*^j)Ah}Tye9|!t%P^Sy;8bvH&|0E;B<Euq8gTui=kzyNBTo#`+*)|06
z{JsuZ`KwGTkLROdpnhR0)@6n@?qKDK-m#NCnpDbK1N$g@0**xmB5d-frEaD6%;8kd
z)6HY<PwBB-#>=A_Ev@BN9=cmCn^5Z>Vx@X=6V%A!kiT+SyZ4kSh<wQHwMWn!eICXV
zhli{VoegCtt<(1_Nqeovx9DE7F*h?c2FMoiGhOAJ{gtc^KvuD9kD%inrK2fcdt44r
zq7ktnQI0K=W&E1IgA-?a>+O89JWTvEmW8!=DR(J#xI7vA!eXt)3Zd@veXC>!i}hmW
zl}}I#eN^Gt@XIlQHcrVX`mYI6f&rv3gw4cI0zyEt{n;<IPGJ9%I0KKReM#4EHN9*p
zAF#o>!z6w*D2w{}H*=fYIqfSWgTPq%ZB5x=`(((_a4mG>LJnEspd@$O-Ioc{`Qixs
zsN#rJM`abF81vID3PIz_0}er90D7?0KOO)L5xIbm?hNKjDSn$pOH?#W>btpMxBXB8
zxKKWLa31%Ay@QCVpU=9GP=%;ZLujjJ^eeW_W^b6(2o=zUVLZH0nz9)2dV=3^p;m|P
z5tY-gru(H5#AweD?{`3YYG|@lFlO!FomYi+_R>5e4j2<6(qjy|^pS~J;nCge5rCMi
zi9`x<Ew&{~<2tIr-0C#zd91gB{{-!tNVdW4*D3Wed}xf>vKyrg7X@Jw&JyT~rxK(F
z5KLbS7#3s_@Y&L#+LupGa4zF`nrYv_%Idz{LM8o1Ob|c)POMM&gywM;=-~MV7pH#_
z@#AR|p9DRtjl(3J?pGgp4&La00mn-rVA0rmUHR#aB2L^Xs1duY4K^t>fn0B~##p#a
zzk$oOe8YHc`ND$izENsJ+!pD=D#9YF+t=X$f-9*+NsVGnDC90?NfqPQi`Gi}l6}X-
z-3j8;dU!@1Hx75e*k>Qspb~ll=-BGV`6{}pLy3VBCC5MN_vn@z0rHf+=FBrn`)hSz
z<ybIuQcK6cP~iiSDlNje)oB|pf*Lx&G$6eVUi)%^b1V5s(Ckm{4%8nad^L?4((YO^
zU(JkxH=e|Xk(5Rn8sr^hv7ItRIO`#@45#6vi&3APDH;@5S^seuu+UB4K$>4%K5EXd
zuW&y<vXpO9MUC<Y1Hchrusc{5yb6QywN$afE>wm0sSLxOuKe^aT6aIp)9G5t@`|jz
zN-2q@h+||_g4a}OKi;}(%bW@wb#64%LY65)c2p}91=>yVWx`nas(6e@HW{?(Trf^r
zmH(BMb$7>cR4okh0<;c|1`>WmYIZC&<BfSI8jc9;--rht{gCZyRkVmC8FIwsN+3$B
zEsn7$*Fe)hi1@J+_nr(%fR_cv_wHVLUE`!>yt&2-n<Do}zVf7jy<xA>MK|2xHdNVm
zIjI~PYy3RMy@%?Ok+B%ua&QQFV`;M(pZL<=XJr@Txa*vqZkgP66{Uc(bPZu#O3a+2
zq=WJ3lYLlqMLNyHwAINkYn1=}+Se8CBkr|sl`I5g`#Gd;`hKGb2+w<#rt=0>mX<ci
z&mNkV*Q=+;llQ{`A||ZJHrvSmzA3>P^*-eOH{GI_A=tCiL=QK!qM|=y$iMZa%d1-@
z%w(c4%q{L1zQK6HN0`{)@!0h1{_&(-6Kg+Q?5xIS2el@PsmrL8dv87sm;S>5at$de
z?om~b?6#D;RCSr~K(YYfdvoRs9_pf61?_NDQG@Izob|}H$fA?&m77C9c~nw$cO5u{
zW05+DcFF<bnoYmzU2B$UM8Q0-Z1sLO2UAjl<m0~drzS{1!A+huZM7MZaMRN+>4^`Q
z3|Zm7*q&(?uqBt07z?FG1W2Uktf!&p>p4bmzTh0bj=0Cg-v`T>ILwsCY`Rr~HVt8p
z+>Sg0c7A?f5(&?Tyba~LNNEc1!x+||7iqQ$RDm1Zr7JBe-4|9?JnmAzB-6?V+$HY^
z_85C0IqjV@PpJ`Nz006Z{`h??f2`0-wYbU5!Ts?QN+bRl;jznX@6A>Wnzb1_dm(6|
z%_n#M0GG+@UyLIQ4+)FS=Y{h9lz<2<0WruKRN`Lq*yf5!Fz(T3At}_h?CXpW5^BQL
z<z4NIgrJX~qs1on&E9NC<yK>pwm>Go1JBp!*aZ&<t3qP{tnECY__VukBZp@S{Qr<1
z{MF?Ewd5IEq(~Kp|H`)MEV~IodWb-_uz*WL64Bt~|APiM;{3Jd0O{2rNpc}-vI2jV
zgSY=OML(M}o<EBGRBo|bQ(*%L1N-)@#+!sH3=Y~Uf7Qs)ug4=c7=a5O2jc8icxSo#
z%RwL52sWsMk7qy6b^hvy6)MU$RpUaa0HHiZ>e#l^a57J>H0E0It;NEAJ>G9XYXE}?
znNEa&g}%UligO~!N_4w*&$=eu?8{V@Qe*)mbS|=)iq1p(;s`@%a6rkqftE+3LPazv
znfR*LIO@t&zaVT$wCAxK-T!7_gjLIbN#W$JcjcyWtFr4lS+^Z<lqvp8wp}fNBveQs
z-I+su$4BcD>nWldP7v;?c7NMP`~2>vz!BnF(i$%j-dI~ZBayjx?5~4TNCK~*YocFn
z6*jvgI#Q4?Dz_q$nMC?=&B}R)0i9`ELP90PQ@*o3Z$+;T4jOC7dlXIdW(&Qg8vJY<
zwGv0PvtYma8eg8r3GMLO1beF0F)`?(v&K#jAKJY{o!*DujyUG2h*7V!*ZMy)w5CxR
z4GM;l6}m!8%e1lPREW#&$`AlSK)%1Y-M{94G}E=Iv0W#&0TnRNCVnBkkb;8Mk$MYz
zuh!>D`Vmk4w`QhK$H+WlJaA3Z{r&LKB4az`fFXNs1Xb8*_zDR=`gRKc68C_Av*Y)d
z`ycb^zPTpaoyiBdC7;+f?E$!W(o!M(cirSJ+{-;TFFFMV>(w)%_dDJ(^#$*}B}I0;
zL8bv{c3~A%KAx2+J@`i>PWZC){P+Fr0w-je(O$7a{hFspgH3)u@t$h)QuymY?$wpn
z^Fc=Kxdr>$;X48y(=UykB<&gGgFiMf>aB#*?lFvNgxEE91o+zzA0PXX=r>`Zp>9p~
zW2>5^5|AV-0V)pX;tBp#p&x?xsh3kNbhsDN*G0SmH$+m%ZHx2Q+dRPtOK8?9c{_3A
z>F2zxqn~w9wH}NnZ4MSu-0X`r#e57`RIek+<LTax-br$?u?eH$d#)Z%VQcJ*wFVmZ
zG#J%77<Bi>oYx`=iFg*Z1y7PH@<uLRsc1Gtr-r+)_N`q2DP%_pP|7w^V-3N0sY|Hf
zgg7FV$uf58IoIP$di$EH-%Dsj?nxBPKLrJnMc{ljvES=iUd$`+CQ2<hwj6Z|voma}
zX(8s2aw-y1i5Zd7i5A5f!~T|n9G8|Lr@zLcRTX5wd(IRTuVE&>8tcj+N7GgDT)}?g
zsLa@7VzZtQ%wu7)VajMmkqz`O?Z*IvQq`?X@21tS&~nb&`^yepqb*bETD)5Xs0xpS
zeg<#jau6+*3D54%zu+FV-rhf+C5ISr{Ht}8@K=%g1<>8kP?J^_z>sk&OClnG9bSU`
zRrw2p4g*v!x6XgB**v|!6-}Vg4z{k^U>9HRciu(#h@S>IkJL`Dt9DH0`0dFbRHHrg
zT2S^1_!<u%$SSdQWvg`agmF;aoXS@SxXrc1eeV=|@TLa$l}<)Mt2#GbZ$$sOqucho
z5e_3L7?D2}IKAs0QfPlX{LAkCljtm;&{=04>HwHA;B)iSqvffU8G!;<TGkH7^qSuO
zosfno3VA7c%|#(%(?w}|{DA^pTmL;JI=M(@Fq-!EatSVhACNd6G4U_X5?G6e*1z55
z=2k!(YKm%RYsE>rNz5<3%&EJT9+ng-S>S5(;G+x?TP4ii%s*tQVipB{F}~r2<cSqr
zzU+hjG~B>G!FN@aa22VKay=B|6~nL0rIOLR1&W|J9Nt0Y)m?3~_?Sr^ofH??d_bw7
zR%8y@h3~3X2k0-RmV`NBU{Ey<toMrxxa4?UfKVgD&TOhazRnneR3YtaC8UC}{`6nF
zZbJT%GzfV#1#|2B>G|#4nn@v{z)*E(LmyVy9q6=i7$gNbCf_cmqo-FjjY<-2+(IgM
zTp$^!f7#VvG>LNxqL?r%l!pD|cQGysy((?BFgM_V;cD-WK|0w_^V=82!u=2=c!XHj
zk2AVH`;&`>lT*5BkDB3R-(O2e(Wj591XAd4>aELi=UnAf8}=i{fSy;7cKmRA@rrAe
zL&caq$4l=&LPOuyT>iHb8ITUD+OZ{P5FFuC(R(i?9JUOSAcwSNJs$<0>U@<5m*5VK
z&wA*fKOFbUFO!(jc6xpP;L~o<LWAQ;d{wx2|3Gc1d0FQlIbBesiPXCja>9RWOp5qp
z6Gm3o>-olGDh%Fz(@KY<m$tqs;>izt=lq2SCZm1bPY+i{NSF>h35)0igX^~aen=rg
zB*W_}rp84nNVyeNt3Xm&#bT}!Wk}Z8<D~&9ZhI#5RK1S+H<O7H<#GTLay&k(!T;6*
z0HK2Csh$Y(jmW!vZNuUf0xz_Bd7gj66>1<eS!2Y?6~30bSL7Nb>hZGwHf%>VczCd!
z#mdlDea|viZUJZcT=_)(ucXTm$z9;p0!pOCacgwpsInfK2N(m7^=+5mh8UAYjfGOu
z#u|w^ez5z)eN?h{&kjacr=Xl&yvPJ!wr6epF-t(22~=E*L38`ZC*~2|zPaW7^&9~m
zsdnp=18z#Zf>Xee!bK05uCGnp6g+uJxYu*fQ#y6Wgu8YJc>z&MoySLo!6ShrGF;jF
z`4BBjawQ%fgeVGltL@$sHJa|QnAf2DL$m;oZd&N2oxX!r+$y%*0Y{7GJ0=$E^VXEh
zcdvNwWqU4`!;(lLv$AGKaC4_L(Flp`{2g`jJ3i1B3kjC-?Yx^H?=?U>>HK;UYBFCf
z*N`9h@>!D9++&u5qqqYn(a6dcj!8jqb26X|R8xBXd}QlvD>-P5p3Adfjzf-DulXBF
z-8D!f=H;>DkI0Z-_Urw8(Zt%W%XM_MTGHRy3M5XqGkgkFCVR^-oS)!opdJ@EAN+Ep
zl~QXlBOEwbix={(Eja)9b~6@B<QZ&qxmU-ezR6~Rwlokwdwp|~eJNbMSbD~oG~bA`
zE^+{b!-;H!{>j-sPwlt*nBZ{4Amkor;7$9VGr{F5WCTw$G!kQOI)Y5R?Sfw^$M|F4
zf}y9iF^sadrhy5w-As29Ai+dm_?I^#Y$)Qn0f#NMwsn9;to3Cs-gXwOu9x6tvQVVo
z46$YOjb4jo<W#i;imLWqNH^MFtz)P2Rg7xMh0$iFxEgmSowALx(03}!32?mCN-Dt;
zr>s#aY)x6Kjby9ba_;yt6#c;j2%X{zc{vN$jnT#(0DH$zZc}Byjm}6fYUXv85>`i(
z!P%&mii!%y5TUuzf5%5!I9y1gn)2e%*<KLZX!j^jX{RGTz0~dU7i(;sb<YaxTv=r8
z4JCCLIt9mHZw~t}*#9$TuYJ}f=kzo)o+Li)w<7UCCRMm3usq&4_P>b#*rCUpObxdU
zKhweN8def1Re1PXlW<AWflMdRpTtMgEv>U|e$TBqgiwe-s3x8>xxHuszlr5_Hgt3z
z7JQ%H_ylrrCKzD6PF3+Z!&;nF|Go-q9zFP6c)M%Y(qoSWzVCkqTbrk4$Q!H#2#Zo=
zGtR(r2HWQuCGq247;;o1J+!$SXfbbfR$a!V7lcRkl<Dd0^%-p}_ZBv^hIMVJ%X!do
zjqNFhzitE_cGEHeGWc;%b|0!%XPgs5ZV|iOjTxU7rCfuDg*xX%1)k$#5T<C4GNNp6
z4?E#~{hDFsYBkmrN54GXZ|WHw<{Gi&PW$JOu}@q}lE8VNoiN@$Z(zSZPtant@p^XT
zpC3;(eXA=@8mk{m))B$>T^NoJm4`UGHeG_VXIKn!A~71-Z-#y50+;OEZN_ogg%eSN
z`I-{%Hc;9>O(6EDvTnmt2zaOa4;Nd$A;y3iIG!*IpnK?lz7|IiVvP158mZGd^RRw+
z&#Svlp44pbXiC(fcx9v&kO_}9W24od$TNIrhCFYg8AJDWaEyC;a$%02g?iQIX($1P
zUX=kj0E!w;j-xXbqsJUoTy-2|#-vLSZ=T1v<J^3g($5UE8P1Cdzoj;alNmYP9is9v
zhK7&P@l!@WXrw%>eb8pMmwvr<&L?k=?e%3gbN#UiT)NP|yG3?gR}*zP$>LTeWG70+
z!H#2}V%rGBE~@P3Sc)f1L(zQKrI0%P1+aov(7L2yf!J>lgT|IE!X>pYzI|I_BsI_s
zh}mRG;Zo8*k)Gi#-iX`N!FQR{J}W9&l$!(LKM>LDdONTkt39x?(rl^1Wm%~1r(LoP
zC7}o_-gf1N-W~RH({P24N>7d_d2!^9m&UtdZ_7!i`*{)mFKQk;iy@2xFt|q^NWxXq
zADuXk-xL_Zgt35TYe~a1uj)}unT<zhxxy(ct~nUQRcJ5R3134IU(4afIj{g9ea4HO
z78PY@--e3L`l4RL(Y<T>)t(VzF+rSNUo*b`%JUaFy|5%*S__vuYyaAUla~f`Ue#UQ
zO)o6D;!iJXiFLmgsS=yua<fhh7R8Po-C9UpilTQ7{or)!pFBuSj8_dWyW(l#Yfmx)
z<4(A;N&ILXFT;8_GkMhD;Ama8Dkvqjy#X(ZXx5()u|q3PgtAN~I}eoBTc`$OtuI3m
z&{`lPYi+f-JPCh`^nQU|Y9a0C+RRvFU@#|J9Q4D;aJ6u^vcTg;qC_63<6HGv>$rIp
zdvrSMFvK%3!V!_kf>8hQkEq_+Z$b5X9Kyt6m-k;B@NKk<lGoz>@L(yE;tR9b%tlD4
z`i7}rV!N3wNrOyawoSdIXg}G?;gvLZNwce=$1$taBB<R)$7%oqX0elLFjSSgV+{C-
zh9y%+`U8smPxasy<vBTLr{KWQA5CIJxS1Uq<{ANKIvR9(W7CV-2KK`M*e<YN)U-1A
z=*k{c^iF8Y5WZc3`ue`!Noy)Z_%sx|lo8&v0iSDrmxd0Boj<d_|IX+4mM_bFwsj|a
z`NCCR<1(+dS4Jf`ax{|xByMDQ=?tB5zl(_6s&zCHEQDxU=8wf{DtS}0$nAmraD~hM
z)BEe-&M=&v^vh@TMHOweldR?#NZ)9S_4k2)cqck(;2i_eW-oSKX_|bt_MjrqvaoeF
zG%DRpP6(0$LdP!t=1vMpCB`0_(yJU?u62f{n<k2D9JjaxERh7qawBnsio(ifN;~c<
zC%Dh%mCnkX84}P=@U7c^H*Bv`g9@bCo^j%`gR#}C;JU`bD2x{8kU%Dxeht0e&G_X!
z(xKALEIddB-?ut!q3rOg90SDFkF^J*jiNeOe<PiNyHSFDTbo~MrF<fkAlC8TJwbeU
zWb!Q^puSCn>o|FWJ-b3iQboQ?j<Xc3;gkc~)wbS*As6I7)rEUhw}ArsPCfPIgC#N`
zTQ6;!h3qW-#uEhR_hB8i;YC3i!R2uRk&KGLnHF{+4BO;vwEo_ycQ$;zdKPG&KC!n&
zZ7?<nS<|e6$RubWCV)Duw$=b!)yel;72|yag{)i$&(wOon_+(s6=UO>Lr@%lD8*|i
zJSeOEx<m52^^G=rPg0E=6KCURI@n(?mINjB1C0|3ms(iFi1x_Q(qH&7GO6!xe)r!5
zRBarelj1ASdtp^>LMu9C%(EocCTiZ5U05<RCFiRiO@Bnm2ul^G4kX0<K9#Em&{Jmj
z=y0eVkZy^v<=3bgp`c_~Q>Y3sxV^lB;PB!TkciLt`ltg-LLIy7u<5%lj;Yjo_MskV
z@v7$cW9l!`gGGTY@qW50Eh)K0C$72mOTplO=S!Z<hOKH}fdk3*YE1`gsI5}gJ){aF
zIEfk<PDSO{mJQx|uZ-;c16vW<$J1E{(j*ozojkX(x7#3ek$H?Q<U+~QR+x>!&a%mt
zPL(gk*oPXxys_8r@yvySm6cwc<L9f-c!ph+1K+{9SW3N1QjqcP>c{QJHy23@T6Pxs
zG7uxe0^D>5X-13lCCT(=sJtO~TYY{P<OgZ4s!YwX(HriK7{N?vCg0Ps#>xB1Uhwm&
zKAvf$e57rN%i~F%BHiG>v}^e?6Fl>p!Fl#V09A)>q4=*y3QvEf4WoD0uLiB4xPfGY
z!8u1S!QabAd8FIfN{JGXJt-*=9v8p4v+^ZS^@kE9eVa?dUy)y43u?(xu&_3E<xvG&
z+yPU7n8YaCo1?jnc9(rFqY{8^QQ(m3{O!j>bW*69U7@i|q%qwjh1F<=Y^)O5w!^O5
zSjfHK*Tw6`(nJibm!)b;>Nr%xz<#e#fYt!qnm<k!5xfXh)EM>pF{Oia^i%5X)(d6a
z7mC!6Bd@`iXKDI2`p3jc5x9m$)SC(~D-V4Qv{E6eFg%aVvH2wh1ymkcEVBcr688<}
zNL#hny>_SOzzq!W>R`fCx0~@+@a%TGpF0}FKh4T`*59K)E}UZvpluVxu1X3hIXIy%
zoVahi{{7~_fKXRtc7K|7+2nV`o2V|KyS<rh3|{ZDHXRb^4DvT#q!eBXUyqiZGLLYB
zcd>8a|Fc$dz3~vu(^L}QjmK8N&$BsE=CvknNq&GtKUH2~Cejfl0qah>WyJP}LQiZp
z<Yl39>^`~x>P5S~K0kO!Ria2=_Zd^}B(*VWH|+V}U;8^RI?!`Y{_ZONu2FSjDV3U(
zuZL;FMOr}H0i%r;18_F{U~-6V;lHx?3>4PJaFI<<dPg69S*e8+5wC{6H^aoIW2U;*
zmaPNkOj`ElK_9jezvx6!xaj>{lLJ#i9XPgUR9M@aJJSAMJyyk9zzimGh1dW2z3oua
zKL=jr?HfJD%eYRLd}Up}mlo{;2Dxm_N>!K&D`WotlDhBBp&Trxs&e=K=ov64tTL$z
zG`UML^6{?j%1AOrf@^+hi)KC7)^Hi(d<~_Ky**6Hf{ik}Zq4MW=}Z?}QZdvB5H@An
z9X(No^dS4~(|C3=(g?M=u_kh)k1g^CPD;wd(}|U}zzIblIL>1xtz1O23Hps8o`u8R
zASgd&=v!lkkM?&O(9X4W6cFbw3t`6&r&}Cc@$mB8gk^c@DW4p^N)_1vG-*#()~g_W
z^-jb?`%|j$#M#mrnO3n*jkG=2LE8GB+VDWu5cLL*@!40zN^RpHF0rP;tR%!~=3<8u
z=7EDr(k0JXu+*}?TzR$2EL0v#?;wz^%(lG@Ix4<{_0qwA432e53%UMtC*2oG(G*Q%
z4omVEZB%Q(83j$%!=fYlh01o!U8n8OkbcB9;KZl$YHyMhlyZ@?nk=a_cnI7pc-=kR
z32e-%zTD%*I$d$)wY=6zZsVwwO>k&J-ih6Bkr<Q&fW6?qGcrv1BV1O8wpr&4_w~Fw
zekn1vkeEvV3W{Qq8z&k%+pBsf>F+bauT1_k5RbrA@lhXF%F!q|OQLN_v5>x^U2WSj
zeHg5?I#ZFj=(0YrkUutK63@z_j=t^qEB~@1m&ri2t)=b`J~4TJai-V>rm#MRI7-6=
z|LzuWhi{M1IFs}Wk$a4qV=vy5N7cl5TWJ?<)wukJRd^Oa|0rjFYz)Fn^K%KoF1FTD
z!+!IKYc6SbAo-C6B8D6jhuML{VD6OR$u3-aY$mm&wsk*nzls}A2ipr_NP--|V+*0R
zC{_Goy@omrHEAqa3t!0P5EK^^%?n|4e?Q{n=M)%fgF^zaZcPqmb<t|1C8ak4=M(Qt
zpo-ipO2p-h*C!@ll8Sc0U#x<!DIO6cMz~ic+)k7!<+h>32{B%Eemd3e0PaYJic%l3
zK?N%V>EWuq!@Ce=SdVPTCqN+AFS0Wb6RLzqcQxAv7an2N)>sp$%ItHr6?gx&&dS&{
zgq}hph=}OX|5$4TE2#(lb9AMpLl^AtcL_)^9xe3yZKf|@<VQKy{dZ(K?2pe}Ln&pc
zq6XbJEJSDv3o;$j(BsoUyYqMq_HXH;{xgvf=wWi4nN_8GoJC&0S2o$W{~|ZyI&e}M
zb{KVhx}NJ;1j8>H7IQfCgleRG=P{z1l}V3XcILus&UB3S=I-GugYkT;y?;D)ei*$%
zVdS(wcq*G;@-Q#Io0Y%HZ5`!3dm{xko>hDvuF~_?rScwE6CO6Umd%lIcvnuy-UQ&s
z1|EzVXKG8-lo9R+2e{Dz51(G{TTt7cWEmLD5uwV;^)L+YUaxI5IO=Si?8W~hh0Lzh
z-UG*K8>LjdwLG`_sw^E1->)Jh@DNyP8f~7J3S{iljyo=PU8||<O9+yvAsHb3&G*Sk
z=J8w<@}9chD-SCiwpD>*Zs<yCXF%_gzlq%}H|{TzMK+t>ZecVwSlDMgJP*btJlS`d
zal`kMq0)ng(Qe=^-mEf8fw4z9G(${aX;J&(A-$*d<wf~JyWZDBNSU$_{Li|aGSPg4
zgKz+)ZD*;ap@|{GPdnwJUYM=2zlDP`06LxS+&Je3>5p+u;C97R2!{)~fJtzuSx$U7
zXhfbgjt7|ijbpmn*6~m+DEAe;>B{Vnnc_R3dx`hMqshwzO-DZpx|Ld}$7NcC#a5BA
zWbY(%`UC+#c3zd7nTC}=fp1moHBUqNz;SUnVt{zR2xW1?4B&IGL3g#Xz{2+SZoG-6
z+UBI6ipFKjaT613&f~1Zw^BE8GDq*-$j2aVpb<={4?M&I>6)90+L6fG{p^De9uKdm
zcz9roUq!|vtqn1p?8{d19r8IVlat`61L5t)6Sw`^ns$Km*wZ4sjd0&wBQh7Mg^v-g
zr^=7QsFtmQ*7R%;Sy?5weLisL;&+V=5jYAq#A=Ag*|Ljhq6T#z-)9a4MqQ`F;kega
zLS<BxK|b~Ml9SK-jWR+bqO~>Mp5IniSn2S+|MZPEAX(^7M0M=np^=9f)UH*Z;QS>q
z2TJHIO@)bAc6O8wsw$p}4A_1a05^m<!g@1D3tQ&)l2@f9IK=h#tfX&yK|wV=kQP(Y
zoRsBP)9GKH^9&?${4vb;OL=aBY@l}(*uYQS)%pGpDQZUAj2&U1@nUxY7bT2`SyV*2
z=2jRY$axo6e;GvO3|rFgpN)Xh?cit`03d~7%bQ1)$4DRQ&r|{OO$(Gq(Gm3iSiLnL
z*V>qt7}s&m@Lw)e*GAQwj|Z9giCy&36cZRl4J9Uc$92TeyzMCm3~$?`@__NL`LC=6
z_IT5!G(JAwC8@0->+R$ao^$I8Q!y*D0fDJ{LkMxiwxt4eOnloSPc4NB^nhP#A?{DZ
zE|ab!Q+hfQ{#TV&+qqt)NBw&(I#|Gop&~E$H+cx3J*GU{zFtRs4Fw^M{?JlNP#$XE
z*hv2&&LgPGDBIg1Bb|1Kzgf<U|0s`lLbbHqtxYb<D@&tn6NXbsS@IFX4_!(~SpwOg
znw*|b5q}_56z>pR>Iqx8e*(4qjV|)v9hU|`j`re{S=YPDp_@(#&lB^`w0~^IMHa8R
zgp=5iaG(a;RcUlbuBCs&#j+rx6joGGojMzH@5J2#U+R8Jj`pth634fnzth6@F!lMM
zeKV9ZaD*f>$R_)VK-5)cFMZL*(O<>i)@!ew57<AT;Krz}XfPZ+%H7(Z9(EE!40wWf
zz1{pn2RmlE5<toCXFOAmq|%5eP3l5E8xjSjppr@bzN63HCi_4HYOSj|8SBc1k=J8N
zGnep|I*e)T97!*SP<yma*ht%4R1=oNGd~_s+frv-czM<nNzz_Zl$cusOP4ZgWL5e+
zc?jmV|NNtQ8f))?zH)9crT;|P-QEN&wxUcxfK5|iQy9E`Qm}tPyYXc)WuyLq!k!Wu
z2bgqy4@~ETA^@5sF4|z7{gpGdq=D{N1oxVPbvnQ05QLNz#K+gt8+i1RIs!;;R1PMB
z>t$n_K9wLPSYVMjZS7KWU(uK;Y@E*-dF1vnkmH<%uyRIoHUz=h@Jh()L_1VaMAL$n
z3K@tvrNWIxs?Xql(p%KW4mi^}|7&*U9XY5}wx!nn)KW=HA$#}<oQE(kfmsKs{pzX-
zit8;fkZdl?MiDIpjx)J!yK-MQAF$qak(3H8I~J4YOZ>IuOP)Od?NU2@^HUm%tAtTZ
z&m^3J`Qpn7{3|zbpjd4q@D(R8r4P*h1n~aS02jUQ<s%05t&-Gf2z}M0e_(Z__A2cr
z3gUqvOJoa4J0dI&3UC9L?rN!R1?@9+iJXB-oZJN1EHT5vjp6XBsHiV*8x73<sE9ly
z4?)F5Ea9>05#XTg8J^of?oS{Wlao{v=L4E6B*w~=^#LrC&cWwU`xDU9$-g$Pl%PTn
z`6_%1Nct`V8Mz$wAHT0(281ZCxF7ym`8TkeC%-(%-zi1OyOn)#IQ36yZ$yD_V`ZeG
z!f9*%l+d>&JIRKU&5|=%`!?>oHxLo#wwa&VPp-)$tNpv^M^*ngy?F$fEOzfo&zErx
z_D-iWan@g+nB%LVk@D46na{b2gAuEydKTdf*s7qWR^z5%G*6=T$zI!IaJpNTD$SO?
zD0>#Huzt&{oEW?fGK{5w+IsNXXx$3j#!J{X8Aq>QdO+dOH570<^YkpZdH_J*;Z?VA
z_Olm%lq$vlc*<-u?i}i$A3arsoN*DD@|QI$8eE8x{$oZwfCwd1S(cW8nRgZ-Y^ex2
zGW0rb)~W-EiOXhgCFj(@D`gfNQaL67D)ML6kOHQZmu22VqjlI#>V7l}_@g#mhS~<r
zF#Pst{P$%hXHKn6&vY1-NW4JSf4S|6vYusZdHl_V3;qp@ke>dd%v03f&!gNWMNFDR
ztU7wU4C)F-ZuuiVmhNnv+L($;ef~aed}+3S!<UmVq5PtP8KQjPR)9E@<@B%k*3FdL
zc8>F=)K9+1?srj@o?{~_5l)kd3EinB@BBh*N!gvEDpOk^zaEfGypYUmu#qCR=mpxn
zkgD04Y~rMjicS~E7)>j~r<w9xQsIKpPvR&0+>FCsXaW<1CwIHhgGoXHZc<>&W&>IG
z*tv~I5GXjz(Zc&?n8}gW&j41Y2JU{JiyY8|1Z7%kJbGBwCd%nR9lmy;Khy}R#V&H#
z;1@#lJXXmFj~|0_U$)-GJ32eSM_iYge}^WQ+J5&5sa9oDT;X~*{YxaMx765W9MLbe
z>M|Qp)xjwYu&wnFN`0^rN-c~+@5nkc)|WqOvV&#fDy{P{3W9J$jThHkUL4O0uinX*
z6I-cs3&<;uB<NBPUpgX8PI^M>*{%=_LA)L*GV<;;ixM9mK+r4hK2jR7WRq3NEq-1U
zuZ%Li$*F>ycHk9~s>>O|r<<(kb7EAT%jA#E3cH(xa74TfACmkp53#1B6_08sou16i
zX~r*etjMgVl<VcbrgZqAIG$wXQPSkb=j~V_*x1u@Exer-GisQnllI?vl+XhMvfjGM
z#-qDx^lo!=MKy*RVRpRAn)dTavJPhZ1ZMgSV`o?QGaF?yv-?K`dZo0G$Urho>_tXe
zEIk!e7lYJ*t<IUgG$#jYnhx)ywPaMZ7D}2l7L;{>?>RTmC`Aqe3Vh4+2n-DLu8~9y
zjvt*TYuOrX^f3OU@c4Ezd)u%%TP(kJ4{t>+hOX{u&zZtOhySn(+Rz-A4~oUNnhq6V
zywzCuG>RO&-^C0tixNQn?30N8_K0gGajZ6<Hcu+DPf>e{c;0q4yi-+H-OMuU^Yh~6
z#akj8(~)`I@i7X%4M)&f`Bd+=$pqzg``l$`wqYT));;=yBqeF?nefykn_B596s?2L
z57}kfSW$b<lsqktKk2QlsTqV5G!k=zLM&E<y=_MYv$2Yb#S%1hxtAyPrXCGf1Aw=P
z{G03JgNIDBtt0ltQj7K1ZCOdd?M{}5eoBJFxmJDem-^foZ$>|?ZK;mlaIiJfBjJ!i
zkTn9;H7ShLza_GIN~Hg&)#lf7EtsD6`O$;Wg>y`yyuVE(&2vvkA&xei6V*gDbb$C^
zTqNN_?zWp;tI)b132ekyNmZAkMj}1^echQgy_pyJ4|{IBavN%syIyEbTMN*!aI`9=
zfiuT#7tWhzT&F{@f3@TUIhQ+6L)<4gDeTr(8KcjatKf?)DVq%_RQVa+?s*w*vD#)V
zxjTw@*4pZm`A>_Acn=uDu`A62>?sB-{~f@NP|ut_j(pwf?yH0%S5?t=Va95uPRf!f
zEIKIolfy|c$YQ0v<qMl2Cn2UyC7SI0yoan_Ipp%V#Vxk*xoL{d>7Nazh{AGvaVCW-
z{a=o4B5Zq<$0_`_l&WtcdF^!d^(%&%Yt&efAE(FH5%jT;KU6M)BQJy`5b<S?#|nyd
zU)^5Vuz7#@=bgQlqH>!EfuZP{=w(xy*gyJ{J@S_=v9Fo{<|VG|&6pgWL!lFH%3Kfg
z+3CwB@TAHr&duC7yufKjnJzgYZa)OKnP+?~N7uw&FrRe)kN{tMxX}cysUse-<><SO
zhAXu%xHoMpZVqAWPp)yJsq-md&nNkj>I(eqpOGdjQAM!37QfceajkF;=!f3K3*o3E
zz2Du<P|naNcz!VMx!Uv$Tw>Z?oa`&g;esu%YfeTYu#H3Q^Xa(27q~mQQBYLH<o>O;
zm0*mms_Hp%KsSuxp@R^}arPQNaBo{p+^*o&(LRp|^k<Efbhj0|DDMrm9W^g=UL4nW
zI+$-7qbfoZGvp#5I5~Pwb_nu6MW)}{RG$bjA=8sG7V+|n&=Cve@U;LL14ggl(MWmd
zyKoNVYT<Fckb5k~MQd!J9v7l=CG~EO(Wg-F04ueH4VU!O^D!tmTrG%)rsRvO?rTo6
z4HxOck?;NLDxudx8aGifR*^G1fcpB%^zT{<!vhI}KO)Zp0VN3U1ZUUNG8yi(32=fk
zj)p7~f^)&nvd3(is%&|+8X3~E=FCOmgG{hkE;~0IztfB(nst!HvyVbKobm#<s*vwF
zuHRJJZ6S1H(|@JXxbr%mKG_m(F()I=qNPj@AEjczZ_r(Pn1FvQO_cn}q#-qmA6HlB
zR0|s;%QyAT#>pwNfcAuN@dU4Rez3T|KZ}Zz!}o&^6?AFI0At0+w)AFM^b8ByXDmKp
z8~G=rI#maQ3+e>d-sYpK6pZMvJb36CJD6;R<q1(Y+i<L`zJ6|IV&zXZ@u`u4*~m*3
z1W6>H#YtogZr*MJGpQr%bgiB_$#=3$8P2s*Pu_ouX24@xfcVEa)e)N+(;4x0icccF
z>c5&e@cqrRbfJcp)I8-HSjGa$I4UmRuJ-wm)5mJf{?<D|$7@i6)Fx9_y^gs5n;fth
z8LKKrPI0DRjHf`=oZePuj}N{{q=YgjM~jJoj17sI(~D@JhFRjfL(P{*CNC6JX>;28
z`WwMeT81gXI0yVPQfJ}+w-(^iG2JJ0*O-ZouPg8Zr}w{HEf32KuqS|-Xze7GZUIV$
zXgqZWS>;vP(V9v4;xXWpe}sA_&*vA*GIc{smh@al^1g2I^v)~94h(CyQFX#FXbugS
z!_wI5TC(2jCs>G0pMRab=}Lfi+@eCvz0~rG;AqX8Ol@g%O(n9|(vs%*ej~kZX+X09
za=Rj4Eacaamt|Tbmy-+WsNPVO%WrQ&NF$t=fk2H3oYLBwsN2Kc&%Rdccn0xis%t)P
zrkLxuWs_|@Gz5?LQkc$`!sx>J$iS2}ZK)qLUXQa5m6+u9#JXye9v<$>1TBxICA2@x
zlSJ$Fb7S{C_~D*1gWAbEt?z@;{NAj&DXs)Wsv-}XA|J|EmPr6B`+>8Ij|1n#d3e#+
zKSP-v?e=@-Z<8Jk9vsL>H?%v<==}b@QB5FIe;fwc>#Mz>l>t`X_<89)PCy2F*B<~&
z6T$hYRl2{|1vyR#x~Bnh_S(YetR8rsQWS_4I5L)W$*LE$@FutOa+>cTiQ!e+OKkYV
ziTA#uGz%m+<CSG4i8T&Wf|`Tnl$*ijNJzNb@a6SS>p(;i?EB@C%ioiI4}7bT5p!J%
zt<8`ipWcoeNAIVHhkvk*Nc@@$m)n6v>cNhJuMR756Sn<qKSl;Fw@OUz3{ek)86jn!
zSGn#sIJma|%@q%~<PZ|z>@|u(PGk&w*zo(EoK<G)cvAQK82f^-bAklLfTBuAT}nW}
zPw5Lo1_e~Tfs6MT3P+CN4qWi!J#x+c3s2)$#s<Iam4+lY`?{Pmjy3W!d~>Y)IrAjS
z%T^+2ff%R*Q43=ZNDeY0=${KFB!p_-FZ=I8cM(>y$Cx}DVx;duUb}~D(w5BhC;bK7
z-S}uXJAK0#Yo&0afuSQD5W4B{##zD@4^Ut6if3h9|GojyTS>{~R8>@dc@*9DZ?Bz!
z+Q?JPuu=5<r?|1h%ySv%ec1@PFKMdvSsN$D8hWXmXJncU!Psl^FM8_qW-P>7;naxK
z81&NxA{@EwX{a?WGlW|H#3}NWyX3nVv0J|re`;}Dwi9m!pvHdnklcE%yNbrvEwxB)
zCOj%9D|)*r`m||-olY$d+gJV7QoK%Co$L)*Ya#Q(Fv4*+m*g-av5Ts3FFhs0vPnwl
zgpSMu8=95$H7hCDASu`qM^+v}ozpZ-r*;k}1C=9%jWLuH7`Qz+gY=nwl0lUAqtm?2
zp+vr&>#fEyqz}xWz`rhHK80TE6JR@&4eV8x-F?K@Li_NPV|Wj;?6JWkOhTkC4`=zv
z<zq>*{tFN)A`dRU29FmLqy>Uk8+@2s3eQcT`L)H;&1$_FsjphbqUcIMAV!ZX8AB%U
zbtsWgC|Pn|T=LeSEWoafMpU6N!*zmG&&s$}pA8r}=EDq6_8JKP2?GAnVrh_i3{TVZ
zdubB8jj_%vG4`IC$CWJ_xcuK5GEUxjCz@l-uwxpnOoY_lvD7k!^6iFcSs4_k`jnGj
z#J^A{*QQ3<5(<Ee?n_bg+xT7tTI({O{st=`O<EnA?KmU+y6BFl3{@;*Ma+nB!9lT$
ztTs__TE8jLu<C|`i56rypaOF&dD9L|tI^4S@i7dKKIyYt!%d%7Z?KoP4CaC1awrC9
zQy{F;R2pdUy08tD+_WS#ugshR_t;3}GJJyqWB6^tbg>KSLYyR)do^(2d7XGEnT$q0
z0t^^ojh92A84K!jng-;x{1kR-eLw5QCryiy?WklYW0GOjBqvmlB8~0ve0<hl!^BhG
z%uaNuF=B`!ycHjZQNb`h#na0AT3N^0`-@YEO6u{X9;RCOngd*y)*yH6PoLssEx?v;
z>KrZsM(lL6h=8@JBF4kOvUKm!&j^<-e7J7|W|WluZPMC=-1`{q@A+V0I7pM)EM6Xu
zQVk|NNrsKCGlm8!0WNW7{x{WjRVlr}oO;`z3O9r|+2~I*{=_GaI;N_EIZev*){Btf
zKO@0Bb#{6_m6O?%PWwJ!^WOf0M4jm)%h$i8kiQ+|k_;54^^|Z>pRXQU65Uc$=N?^^
z0%k4iQo#yR8L{?yeE_5VE{YTddixpSKQ5cf2|Xgg5%4sz0@@=_oWBNY%75xFP{y<I
zdeM(><%@Q&cXIZMp{N5!Z^7efi253jn>)CDX80A1hS|PFAraTXYfUR$h=}wrTd^2X
z(I)`go9k08TWmn;z&2mk54Wf-6*5VmTgbe+#@Z84fi+iEC)a4O9IuV7zQC(FC*%0K
z9<neZGTqCzk(7)jBG(4S{*@H{0np>;5{cj2sM{co+lNiP&X-%gnriaWGkH_CDm<uF
zI1_0|%J$!g>S%1N(j_>G@=v&Oe6V-Mf)N`y9sC|lXQOP{R?t7WNU%EdP?plK5%Q;P
z-#bQcyF=O^e7->Vp;C*+#np$Vg7X_{dktE<PEIDT5{-~^|6s=oC=aA-h^#WD9hYVd
zkSH|q__IQ69g!0udIERKSh2z!oE$dkTsw(Sy2OAm%)~_e_erHH^k`eV4b_Q-anmdY
zhBfvO{fKQTK<>?8P6!@>R*Sb79<xtA+)Bum%rtk4%1dgP&CB)%%n`}h^xxBioX(Ai
zjf?Lp3WGGk4=OrB0|yWbr1dxBD5ZO)%^Ti_;){lvb$oLdRjR7g<~3xSGC}DCCvU}m
z^@8`awYoduGhIc`zZ}ih%Te-y$%|4xJm%qQi`y@;u}o~3lPX02t~ZGFCl>CG@%*_{
z@+m3~UtBM+)&)UC1fHHiLE-kQ!0P~83L{iy#MvT&%_92EmLpPUKc1fV*Ad{4LDm04
z+s5kX;yGG$dtMm%=Xo+_w2f7g(pN3&hbzl9{n&#`?@WQNmgHhC09oN7r3;jUA<;kd
z>;v8iH+R|zr91tt7bhs41W!9R!AS?3fkyl5*6@|1-+YHUEJmcsi;rv5pVtLg!}2ob
zg4zYT3X`QYIpdf<jh~6CH3@7E*8MCo`dK!OSao_~c3-Gs_q&3xAEc+dJg>n|0hVG1
zBzQ&Fn;L6_t+>1lf_#`(K^*e2NaByTJwl2`81XbGVD-xi@0I2Qm^;W>lF2d^YXNNM
z0%BxmIEU8Y>_4S~BO;~5#iH-FwUjjlY~Q^V!WxfJ<>;XRC9qT4=kH2nQRbLgTjJUA
z;xW_W*|s%+MN=J^d>!;zeIio)KE`B`zc!-v^Uz1-ky9EZEoRvRqN9!W(?09~jy`ct
z0A}Cri*mruYhq?QK2=57J=H0wwxt7XV9-!*M?Z9u;LLyFgI=r6JH8pn-q-H7O&^$u
z_vx=~pMaYdJ4&U4HpiqmPa>jAx{M(wD<Cq;wEB65HYb~eI{(m9AGx!-GrY>tAxq=8
zwtQAA{?49KYYR)}cc^ncouT`SlY(5+BBGgkJGQUW6k4c)-!G{|4QWI+)OY8?-(>vm
zthv`H=rU`^QZ5|!ABoNo_$t@58<9dQ<uB_#%HfOeIdi={Y=!CUEKE)h^O(-l5GcEX
ztbNGZ1(smxuTCEdv96-Vl9)h#yo&2Iz<D_7aV_Yzl9ymKynL|A-H1+baU$96WwS@I
zl!ASrvfLCEQcBy3D)i9?tlYHt;Ke+h|9qu*H{ir;p1nRZ#@*DgmDXnxr=~#74xcWx
zM^4AwERF1;be)J26sAh-bkp%IrN(xAeDn5*lYqNGU~?;fwy*t3hlF?B+*;u$iBN6k
zJR<@|`fP+EfRV}Y!*|jiNlmfH@r&}hrC-|r4YMsU8R$c&o9I&3@(oprKkjUi4Q_j_
zDt=SiSQ%5(OLt&6AE~u>&mlf&@`ees<OndNL9zd1IeRTjh#dZNMP~Ry7gLNPe)^%W
z)7Ho32jOhJRr$Z0=;w^(B^|HX=MPWmNK}^=;ir9dh*jbdjCeM_Z~_Yx<8FI;5dH-J
z{WN)MwObhz!S7&Wff=Y26MNHB!>Y>rMJGVPAo=vKvV=il6{&kFH&CiA3kvtxebiH*
zO>yW24eKbg=NCxjE;HSnQn%Ti{-)Z@fNEt?6aA5p^b9mFuD_?Q6oHYF@Gp8-)*)yR
zpV{`WSh+RI>^kZL%FgxhE;Ns~xhT+86-Y_nIl-{6(1{c(Rz!Z9S2`x4k(M#ah65zK
zV&3%#D|wnELq5BqCvg5!V8iu+q3*VU+v{d?0b;xq4A(C%UV-`|;v;*28Qw(oLDEEa
zX(04BimWtrWJds;Q(N$*8n(MKv5N|}i?Yf-_G}v(j$ckx-jaDTT~SCM+2+yboUrRB
z{ia`3=@V(0;SOO9_szh7&uDOsaa!#18D)!K%iA55O`NoQXyJKl`xE%M$B~4NZC2+r
z+MIbMUKT|2bN9<K$<s#$cEB4Kq=cA|H4x`yc%Ajc?JhjTY<A()tgjT+RttI`6D)2Q
zYG|_n13$@YR3|fU7n3DZ^RAs>C3^YR`uF8@l`ywqgh3nis|k<{5Jq6zN&#*6SI@^z
zm!zn1RDyChmDR0zDuM>-?b<qu9j9*TJE$X6>YTw+r|hD!QfXEv@l{HdkS|SC1t2Q&
zEp}C_XU!IyrW`iDn>33RFKvp~1u))#_LWk*iEX%#A5x-kyfa#Bhi;wd)3b(g$zN@^
z<V)HU&Q9(iCvGOO)a>9V8Rh_M8Ln&f_AT&Q0ZN_A(q+>sqHk!{{F*ue+Ex>KsneO7
z#Ww=Q#rrv^bUCvnZfm&2^_LX+=5p4VpC<GDY;C{Tu>VPFMN8?@@YsGZ>b5%^S^r5q
zt3t;5=ioXVcKySNL`XR3*9z6_^u8IeIJOe`z5E<oqCs3fThrAEPW#DJWU4ONBm%~Z
z9>~I0$|^veO3-IU-^%4Cj|@#%&+)^`;cjN;&_pKRQbjb&KJxY>Nl$_@f`e-(PW!2p
z$^M3ojM#^&(0wJ7HIgdASCS~7v8|uPI#MtmuwydH%l4XicFzk7z1zz=8$QXfb<20@
zNr?t`<hFSu?YWB1l=3OGO_1E87B_dtRi=p$eVU`KKYZ4ejF|4Rw_9ZErOb*eg1o=5
z-6mX0qMDser>B<wJdzzkjrp;sQ4_N4Nzll*1V*?lGV*?FQqwd^6;%m3RB0!6^NuiG
zs>laKvdZHy?=?H|O7YpF!t?61tWK6De+D;reGZqOAk9EywW~#Z`}xqmT6t-*GBulF
zdEW`$(c!h~kfy-^Ww(M}RMP`mLCciba=lC+?dhZY@qGR8%7$`5Z+SC#xxE%qDnSlp
zbK;yl?~uu3%~~iF%J!>G_?sRqWoezRAdm~%bc&!DQu_$WLnIZ(Cq=^n_Xrww%OKL8
z;vA}K#*882O7nxp;P=<?S?l$eS;};W8jvkstdM%m@161f<_Ts)A`^kqx>CrbR(81|
zD)Zj(6{h2hHPlaL0sWCiZ;GbXw>3d8zt_LCE#*DFD-h4^nq%HcBCa@Dybtp1cc9S3
z13lkPZp#e>y+y^jY|)kQ|CA1RlPJur<P^J=#HJWp(emPcC+wm@$O~DaP}A7j?o-Nd
zzgJ26-ra*@WM?XqkE2kR7G<qnq`-2RS)(vvD19^P7{bc<Q4>AiU#N%nufKK&pAE;i
zcS|rG+u1{k^aO79blvSrQgw;@EPPZ4IP7~xaN@%fZN<Fa_71d0%;kx_ey88sLKnA`
z&IEh>ef3h|NlR7tI;%iKm&tl=)VQ2y=EU@)?vMRBDIzhDq+@KZzgJwP4|J6`8MsCj
zeo;hlNQo-diBc+EYE<y*SNPNYV{A{s(02!aNRgVB0dzGfY*pO3AjeS|KaS6n$>zqH
z$DD72y@LVYX9hp><$WmBy=7xuSa@#W4#>&QH6|`el|BEFEZ~p&cxEEI&Th~5y}s-Z
zYaq^=N=YHT-~QTT$0eRFmjzG+1wDm1N(u}N#8bZC>_A*&3oqNU+M6q~n5!In$>dVO
z24Mwkm(AwKeVrLa9`-By%m*P}UKd#CUeQlsvHs0niS`hiDa6S5f=_kd1dwg|I(hR!
zh>-m=HL;iD-(f)|NZwx7Qs4AaG}yB>mEACMR%Gml+kWF_{D-aOb>d1%_U0@$r3%M=
zxsw#k@A=y;rGeRBxlI$jvW!Sh_s(X;tU@Fdh9L+mf4x3zhc`f)t;Pz-_=sL!-M)~+
zN>hVqi-)tV&q4yi0l<}d^(U{lb$55SwK36Q>t3$}l_22Ei7V=L3#^wxox>t%5u@GZ
zcS`=(x8aB<*p1cI(Yu)RNhDK;mEJ-Q15~<JaHXOJZUhhy01Hzpln6^NgWh1m+<->H
zNk+nH!pv#nD8s^V(^dlOiH&G$Xjg~;rN>qkKWx(v!k><k<)~oER!x;IlP^fdbBHnJ
z1&03(iv^dGR%nRm+KSd|ezUGbT-OwsGaY5AKxffn2qQ|jHo;``1GO#vZ!W+v5@h>Y
zIzmk=Ka(&jVFF>AVjEP`kPrT*Ip?BfJ5Qt}KB@U75pP{cXxQ7bDsd4pv$lVtk}tc}
zlCCTR`&@iRK@QeF-HGIA_If^%H){<?>T&mlCBgyqU+cr@phb44C0#tP={>e?apj;V
za1u)q1^&v())I+%Z9_)xc24G>W}Z|xf8xfhV8ZsE5);UWGy?imS7S2r-c8l0(=%R@
z9l(S{^EjW)kV%Z%9#mn#>2uMkm|pfJ(gF3bXdolB>iW3T@H$-vq!H)uSrD15fVPbn
zZ6`APj|VvVg*ZTHF|*1<m&=iaWH))ucUL{DkW=Ihl5bFMUy^#|%{xyDRvE#ePVM_J
zmB?h2^>L=nrK9(==glxF7+6=5AJOG+&U?F8XX#khI$|zKW#q&e>=S(8I*d4U{c_kL
zmw6bu9S7{Jw}zWMv&v|4Hrfs`=RECw(h6yJjir1Xd0q>^+jhG;d;aVBuX6A!oTAPE
zY5MdO5?ao@FnH_!`5SKd9^8|@&&iu6@$ytP?NuqQ&p*UsujgS@oGPmLpWhbeuU0EH
zN53@Pd+{t294zMib9NI5UD-1pDz!N`V)(g5mXlb$!C71fY8)+ras03nvy{{nQsiGY
zW}}Veu>}qGSTXYTQBqLgY~O`5>SgPt*DhX{Kai*I#JkeDkvTkCLCP%5vXQ%{sNyun
zk%b1G{(=Y(c#$S^o&IUe-aunyzY-p5){|WVCu)TXZZXrFzV}!YxZ-qW6R}oI%{!mf
zU2Ugd+aEIFa=xN0p#?guTByg(R_0kw-0a_@6f={xHsH$$v^$KdZlsV0KHS}rtYE*(
zuM9TY+eJdz%?&o%$!DNr^flVqo#H{MvQm%LlBO%;Wh>*QspCbK$@kZ*&NgZ%091&a
z)%1>vT6@KSX&I$qk?HW<dnSuU!C6;L^efn=zw_W(3x+e|P|<=6o1zvOGU;wO;nfwo
zgVpc?%?C;2*}{sE608m6D=g&Mbj${?Iv&70K-ySXkpjReJ>1v$--)%=7&%h?)(`DD
z!p!2+0Jhn@vP{Kr<6mjDsf%ok89gS!*}nwVUcD-#{}hJXrRe3AEQo;uQyMKu6x@iR
zB7NSLZHiFIc@PF9<4biiJCgPuS~z?cuZ`t+4A5=)zWj$Hw-{U!i3aJSU|N6-`mdjX
zasF?>2K#0wDoA#p%u{H;rLRm@XjTS9d;OdunQIzB?8~p;ftTbNb6POh?e997JtoNs
zsI_GBVhtI!5<GB4i<hZ`Il|#C!0!M@t&G^A^D6D?71JNfjXwu31QT}qTM&y()YOjl
zufC1y)WBwc3k#8^r-E^=M5ZGYiZ`(nm2j8-Xx4TQ(H??Ds?|rR1sdZ96rv&XRs$YR
zzvu13h6iPxu9BOM?b|BvVMeNtVybA?ic|W4+S5$_X7Z%~-?u0!FibsdWjaF7^m@yW
z($Rw=@E+M8NF$?I(o^SnUFgS0>hNlHF!TbBUAP&*&&`$wVaKH{RaA}|l4Qh8IZfS-
z2vFy9einKxECo(A{6hohfJ7B%A_keM)m;;b;+*8H&!vv3?wzdokdt`Wua1uI9W?;C
z=FD0hgxUHUyGYl+<oGy0PkK)9YaZ%%Kk4LkE(|36U{;8B0CRYjRJb!9f^>rP4{kKW
zCHCTit9S1C9SHD!`3sNSN2dQ+2Sg{2r&EE$i&m&i$Wm~o9gfOHs14eSvxEs;&VP>*
z_*sUCp<A#m7WrQcc4gA*B)~#{h?{2Xw><43C9Vr9{AduA;)h{-;sUS3Za~pw8D$*f
zlGF0)159Uiq!X4xIZ+!78?_^u6S(^4BcLtSm}~|w*R{O7-homkvLE#Tv;#6ot&F9(
zIxs#M9dQ);Wnx80skC%pI?)=LSca9iL``$w{H&BT;~ZH<$NAYIHE-6zQ+sbS9y5jM
zz^Rqe-GO1}?F<<CCO{Cpvt=%C`JRiJ(h3R+P|Wr$&%Cw8@r!oAg5H1oB|zevZp>CX
z+cGw!m7|*)rtA|Fuaf1lp0g`!l$}n`z42zj=!Sr4tUkUUdm-=iPdr_Ds;6#pZmOjl
zw0TsA=l8zA)9P^3J>f$9SHlnT3aPbw`*$F7M<kC5&*yb#+W_bqIMD%*_w>oE`#GWm
zJdYuqb}g3Y(k!#J;e)Qogo?Eu{)9OjBXS!K#@3K=IEqH3@E{Q`%Q!8-`qK?GMLxZ)
z=GVtN?qf?I2dr^&?D-l1nN5(G;s@w(pOFVj{<z+tFmtJB>@oGs+OHI~k8x7KoK8(c
zcX^v(7OQPDD9zOtjOaPpufF&lTvLa}Qh6S9zyUUc9XYB^&gOpDwhr_cgh7}P+F*k-
zU5!SrXSFJGOR$aJOc{yJ{K)*&TPzW0Q;Wuzf<|vmf*0R8M7eA)2c&GhUUKmfXDxh8
z-LK3pe`J%q+x+y@x12QqwqHhDnCl=KMk&y0gB2)u$<eV7X6z<*i{JUW2eLVC8;IW?
zzd=4E1^4}jtQ45a##X#bikoq8P`%Zg{bg(IM7m3m&-mTcpSjh#rmimJ{mmE$*jYlv
zUvU^!*#FhU{ucri3ohi^-_J9?P7LnF;T!Xr_F&2aXEOep&bTp0iSaU*hKSP05t%z|
zhR1~d!JcnN0ajMyG3ooiZkGklaJo5j!%w3o4%||joSu8eB#v2x{nd60%q5#79*o5e
zeA0k?bcoGxt+>K4JM#%?K7RX;KRLpgsMV_ze_8zf{b?AJKj)><6-fa<*hAfEztZmS
z7i4ta)$6I-bK!E`;H~Rvr;wjY-vAIL#z`id%yft#U`W?^JllFpK%G(EKhV2xyqb#m
zQJXFzP?nd5ZI}}1(v|Vs!vx1`afjDXaBfoSpvp|U(R01RUZDMYKP1&&OmbcZr^w9S
z&c}hqq$=^}fdy-UC19Y7_|(kk9+zuM{rsTp9<W!#iG<)@4k!YwNOG1Z;N~6X$q1*Z
z;3@9n%Iu~|AEbSFsOUy~_E=%IZWeNubk&yiu&Ve%O!GMwqe+Yj&O}0T^q(B=TD`I>
zMqj-OV*Vy+^>Arxn5s&2hS6aNkoG3>u(>rXHpE5v7T6g8qWW&%|Ez_E8li#7>pCmS
zZSN|^W6v?0?xsiA+VglKqi7KAVnIv&vs+pnX6;npaA;z$q1?Xmp$t%$mvP$3Gul>M
z<$Ru=+Fc3n?d9Uju4HGG=kuAxW1dCMG&C=beThA9WQQ_)+VfzSQ%FcS%6d8J+nSFV
zL^XSLs{Qa!F~P~)JZ{(D*}gQ9niqnVQcr6w8pv_~h!l754rLkc?k(MP-w8dRpgwm?
zT8J61;riORC63gm@HRb$$DS_`xyhEPT0634#37e<=YRA$2Dk(Dzw5|)g@xKPHJae$
zg`K=IN&G$2;>8s?Zaf-qHq(Eo&NfpCHGK@%r;tf4n&<qN!$63B*6;`EJhwXCvzxs~
zqRg}m*~2W<uY<$)<A!7;h6MwYO;#>PmQDQbWKgc6B+Xi4yZq}Tqamdhz6NXcVZgbB
z;e&ggKkz@C+6ZaWM;!0&ZuZffnU<$?dr(LW6hZT=kL6Sj(vp4k_L;Tf5>sM^?2pS*
zYlN)=zW_1<wVl5lnSbIzL9q}jAUMEEn`34P6XNcw8zJg|AGQUfeL$8BJ$iOKM;e$y
zk~?1O{H$X=kr>+8<%YV0_aqLM)@P?`%uS`gY5-kNe^Tnc$WX$aAN|>lZ#yoD@eG63
zhwhk=2tO!wxH^wFdGoXi%QRI+yS|(!l3Qx1bdM0U&^5<QjA9%3M;lHogyYxbGiz(u
zlD&W1A(nY0_o+IMw^wZiUuX7*C4lVb`WB+U5Kr$FgR>n%uOH5RW$Etugv+!!7+QLH
z$0f|#r>XsL$3~NN3B)&go`?}e6Xe^RJ32JckZfmQAT#{F=!|Gc00I3o4M<#r8-!1*
zU<#Gjl8ZxvP?TSUp|)=|M2d!3M}*5jYFQbb_38cWSB!N{$){?Ix^r(9kygeU!;4%c
zsWl|?;qz6JuTq_4v7Rx}(SasgyMLH)$fZ8?G+O(J=a>Mk7#akKlu-!<tftojs3nMy
z9ge0RV^zUa&>Q4&Yb?c$1uIl3+bs@Qc$|7^;O6PrLRV9`Kr2-m@KiXp+qO)gYmw6$
z$60_}0x71GGO@b~v9qedd0y_Im|B*H3hI<zvI#toCzB&qsu;Ro4l1St4Z7kq;0fl&
z_5PrlEzVMaZ{7zG$zyGQJw3l~2`qk(Ar$3`n~a1zG^I2nCB;Zz;EA9?Qp{EYo!W(r
zG+W7QCAWO|A=P^!2=*Hhx1eQZ_YG~pxL8lx_tO>|C+)quKDY^^3DeJ5CN%t9$u&g`
z-<ga&g>=XXT{rKUC$M~4n1@2WG4u&E<0ucckIi<TSmcfc#Cw~#$yR4`4%U=RqoQnw
z(aZI)Hfx?4!h*279Px_AZ_$z`k!f0%vM>Z<Etrjbeh2Ii4h+=Lr%RAqo8n@3Xkj7e
zNTWrb@aUuSbAg>V7GOKSIuYB6LyMQP;9a<kCIx5xNgr76gF_}#%0KRHsXbX|<J#bC
zLRGbUDVzzWWzZrUwE>5CIQnP%N~!4|kC=Rkk4vn$4_ay_Q+GMX%<q!*iK}iuJQRb}
zwoGLm^rs=>c-Iz!LAH@8ZHpn=P4rGH@iDDrgk%w_QJ*msjtCY#*h)dU{6oRngn@yw
zM^7Dq?E+9*>>lLBwf;$VS}WZmaTK@kfmBHZw#DGj^S|2MU2<Bk|D)+1pc{MMhk-A;
zwQX%}8(Z5pQ`_!tZ8vqhwQbwl+P0gf=G*W8yuWjDa&k^Gxya<s=ehIDOr_oria?`P
zUA$RreB~A%vYu11ulbMOa(ADQ^0KtL{WrgzYYY@$jj}CRGX=B$tjk1%$ua1=dh_ul
zfuruPQBo!Gu_)6lI(fLXYYrNxPTqu@`zF_@sEVh?uA~ZjD5DAaCJX1XLBow^E91iv
zS!lW2X4>|B=psovT4#kM`OBa{wL`o|=Wg4S%H!%;{I!<=k;K0&RmZi`^x&dZa?N(K
z@QcH{u}3=+FX);&VFml_aehy6an-oLxtlT?#jy*t-`M8c&0qa!Y!k+{ejvsok6sN>
zbMq9{emF!Vn$Kdl$vM}@-dTUE(7o)=FX`B=y?w43+A;ZWfmBjnvL@RIhpm{AfIr)V
zG*#X-whlL{A^F2|slfj-o%kBceR}bU@OHSu27}J__S4`6VkZ&}O7<@iz{89R)v}BG
zufcRz{^&omSXbJ(`x0X{7>*w;*BopmcOL9xSb3`ERxbB445~W;5Ex;HPdQt$bytR{
zIU0v&3QILsgO%KrCl#aR-2{8m1~DPpoLj!R*%5V5S7{i7yPdIl=lpTR$PPEV&aMqj
zQ~Y#gB@{Cyy~8<!T&^5)fZ#|XpXT`VvWy=j_1lO4Tq9i;_aE$|6D2Lq*R`iox|kAC
z5~kA0(0CHal++Ig&f+}}n)@@kGm3II$G7~u!xjHY(a`5znrh|M^>Oz*f_f<vJ6?Jr
zzIF#z^J&T0Mu*n1ELD6*J&79K{LU=!=z>}-vs-A-IkUj*N>puyiKc|GR#!^pj0Vlc
z<;yY1=*J4d!S^D|AAP6K46lAN#2WcHvzD`0=`Qh4HN!l|(sb?cW_H>PO|a?~@HAQt
zIkGQHxUMufr@%ohwfiJasVX~1itdn{SEr1V_3<<(P^C9Lx43)M-8mmKeMFqd9yZ8M
z24hv$>9NiN{E@%s8Ivh}eJSy?MYqoIw{GOo<Cb7cPwN>BsQ}i;-5&-w`kXP|oT(qw
zj1EE(xc3HA`bU)BRdMPr|7A5B5b6u*7<p-N2LBY9p%2ifblpjlTQ}7|GWV{&PN^rw
zJnO}9eZB5Nr1?(BHfP-M*i1;-xU*uS9<s~*elRzVf0-jHyc=na>*?st`^lS`qyRI`
zpbmK}VeoK66dCx{XA481iwm{~*hHhh-WBzCSSz4FBea9O=fww*is{ei8m)nJmpEb>
z<jat~Haj#mrHyi79J&59#{H|SenD4wq@VU|)EcrjGbAsAi+}|nz=^WeSA;yQ0$WXZ
zy2of9!bF#mUXyav+yHt^AJU?<lN+bVKP`Y=|N13oTxjHs^w@FgF{9T4xJ5v)9SH8n
zE)rWl+8uS3@o@4*Yuw?Dgx8ilIh^pIn51HRL`d|Ir_5H9+Gm@Mkk@A&Df>2*y#PP!
zS;^*DjkS)HXO?l=Qft$}0430z_;*<9-x-~4&fg`mo}Wd7wBHG>`UGeK326eeyS4dJ
zELX6B(MH<Xz*HyZihzHgubjj1>r_YL+<6>$O@~xGV~_^8)_JFb&%#k9D>=?h%ryvj
zd91Y-RPQy=tg504AID2cHU-_YGHECzuB<BeW$?6@SG8D=-tAU6%Iq+gStugxk}5{N
zAZqof``Ud~xx^d4&It59Z|8&jCDIyeZ)3Sv>l*F;N~qV8y?xZ)&OJl)!_dT=eQTvP
zDmfZZ5+c^LeX9t2Ne)9Y1ks5Yu$du-^jlN>VClu{2|Ow!J6=@J(1%2*ITf-vDE5!K
zO{(m=^>P0d+Mk<URGz(r@c|qNl~SKye&0lK{5&-K=_8rUE?f~H8DV#Mcrj<Ap%#bs
z4kGoon=+xxma-<U-2M|NG=<B-^BatZiwGLyW_MJb<y2s%74o#zK5U+J&)#1akNSFR
zNY;Ui?bZuhAArhu1@}t`0A<>uz=<?{d=IrRbb7C+$!I#5+3#M7bEZLBZh0Ju@WfO{
zV^VIKwR6@pOH*8ov+^6~K;ZPn_Fdrj4o3&%$r{bZf+!+^MJb(&N=9w=elnhDJW>+S
zd#TZ;AafL8#m1s~yD*ejQ@QaPMs=<s%v>yJaTCtO$HfamjNP*28oU9uw!F;UuIN%8
zQKYK>=JK2WXt>rk<3J9jtETo(Ob9Ycw>8DO=hx5roRf*Wch|WjY04fTfTggpHe&L?
zw(T~m*%UT6O66r)hu3rDh}=Q4Y2~H&pPl$cGB0C)lGNsLPq6Z4Xs-B}_l1^e;a`P=
z-{X~@#l=hwY+F+<tjn~zE291`{TZf*hz;gaJSuyS$0s5p+8Y_<YO~yN;#zLVi^@7H
zJJEIW&ReLoVk>jHHO}nE+Ka--Yvi*_Q>!#ubPv+nMD4psVv=RDg&RjdqGB$zN=c^x
zCzHVl<vvo42Q-n46OXev?O02p3MP`z6kuad%?Kvt+mj79G8e|}Fh~Q*amzXz=DoF)
z&+=QRBzzm8Qs_*+V{*31P`!3<Gf{KN(|I30PZUp%)CG-`h@uv&g#G;FRX_FHLRMC@
zPMcAr2jT(^Oqk*q$aXQ=<l(!gFy0VLw8%4Aih=I%)FDw-J_=TfWsU?oC0Q=VcGFWD
zu>n=R<j7TNPWI$%UQ}`E#Ch)eeXlz&(||v`dkJL9kQ;BF47X;jPVAvYu;vNl)b$NB
z{i_E;>aLJ5KkV%-Mw;OA#MHy!m6aM&57}yMkBP>d_f^yDQ|c|+f<+QEH!sb>AxyNZ
zudEb3kqB3^L+Al-q&<g;j)9#LsQA1Y;+!@C0#Ljh;+k_9qI1C``!3R=hlT?a8gs$O
zTK^R{8P_wyJ>zR$;HtOfauw)*@irbnqhKf=0Jit@HRPW+Z90pwpWvykxN}Ke84`|$
zsObr7mR9L{%x|O5_4m|mI~ip6Qz{qCLh9!PzHmq^H&NI94Sy;1DDJxsR~S&Bju^}q
zkwPSt$vwps>JB8xAhp@RPOB&JHc3kEzSga0$IN#Oe3MAP=gktIv(=RkZ(oF5>7o{P
zEwmouS*@`U7`Yugl$FmOcQ{uKnF;tlxR;<+KRdl)EkdWqBG}<mm5xd`0Gd8>o`7MW
zK9Kt_$*Go7;!_nJ$__y8zm<a$=Ak)NZbWLy3~ZAWS<H&C!eMLlDDXU(WH$5`t#{wR
zRD$e}DA(f<uz6L0m8j@5_~;UNeT`O*3KkB5LDa9k^p+(L|1^(2+gUl2tk5#)CAl>v
zE*RSzPmtFj`0qIR4mbilu%!+Ebw+m1rMG3)Wd}K}$txi15H%odj(W!pws_s&Oyfv+
ztZtx5(G^aw9xh&Q*PLV9N!o)?xCYc>Za(_QV{4ew#S7|2_hiz!P(f%;_SKIvYrMmy
z>E-17dSf1%Q#M1^Ed6>1JrMDI4PC%x<8a~$ULwZ)xI2CLEMBX2efoJp==5yE9bQfY
zJu>%<1}e6Q%bz+@1-RVCJ>knchDq<U%wbvwdD0;EDb&svG%{t1^0rq#kjFuu2Y;Da
zq9iUn{Qi@Nd#31^>BZ?61%9PQV$jzCM^enWl}^rH(43|4pFwU;)ycyV5c-urwiu@k
zp>Iim9`6{|t-#POPjx4AZ}K}If~#HEiw^+?_{&J7>!+HQs-sb(Pb>5Yc3Z0#ro4S>
zZNtc2{_EVsVuZsSmf5n*ObJbp#Tzi;@qZ_lHt>%DlIwRp2=7&_sVT`BGtXE@P{Qkb
zJ4e|}ZI2F@tu#8*6!tZdWHXH%z~du^kHK;l0YEpjOD7lOwH5q54_zC-m-dJ;mqw3%
zV43oatk-Q%x(_XT6N_u5MVe<<6n3o3i3K|^TGxvTALUPff()B>z>0ltc0Z%`JW+{Y
ztx4t=_<QKy>*XZMy4~aAQhG@VGF|*B%|q14SzeFhyK+eL78-v8R*toC|LO=lsQ<`S
zk)1x_Y(1Eb@ncPmZE{y8b^&z!ojusK9*01KSvK<bmRi7!L_Y4v9%ZMjsG7Qa@KY#O
z%C5@@)foEEg0jBAEk-XklSG;;f1aVP{>1<0f(8u&B)KPRd>NpcY{5gL)*T&Juw_QI
zm7VGSeilD4f`?{xb&-F2$nO~lTpT9K<a3#ZS8vSq!Rcs&S_a@0Owm!f2~tEvjW@8r
zv$JB3_qsPVfs+wr;sD_mBq8HF$iHt}^Ri<QMW1GhQ(AE+cinlP7CS5XI&;$s^3WJt
zgvvy+aVip5PH!wCh^|g{<_+Pc5<GldzfargMi@m>c=Y@nND5{X2B(h_$?G1tOF)j4
zL8=KMZM8K=PuebgvqDUIT34O;e&1P}r<Lr_|8KbcN3U@ka$Xu{c;?7-3R!rK#sCj}
z!5@}1rN@n(ubTqC2$MA>h@MYFMTI_&dUKgo2qYocrs!Fj6vW=29{Vf7CBhfH6b(?@
z<PsR+Ee@4DWGBOGYR~{5AjmAwtKYQ_n$S1EkBc+5;N9j?8EYQ{YhbrD2Pq;&fHQI^
zls{!q%Zzqixv#kfMXR>X`Yw<K6Uk;=p7;j7plpyZ%nq0sp*GDsP;<lteHw?O2!KI&
zWZ%PO3X`HDTGB$WJ9B_sqt@TR#gDzG>7Nv+G1N*p9dYrs!h*`&S_0vLp}eTlYzOT}
zWMu$HK)AoAS<Ooym3<EG{%lRy8a159W8W%8S50nsNL_})h#2Q5$41Wvsjn<m<PdS}
zh0d?rvs&=;guMQGXKoSUY}@oE*LINfaW*y7)tBGLYz@OLp}kt!BT0Bu_J%}XsQH+i
zL&=l}l3)H-$CjfBnE3u<$EM0eM4jE^LQ$}qi160}0`Ay%AAb!fUX6K1%@QX13>W>M
zX`G6#iHYBpHu-o)OlcIBj}CQsS3Pbn57$urP_?2B{1*GYDXUFZIIJ^hJ?td#0DhcB
zwvkf$)xU$c#&C*`DY|+8O`kzQ{ezFJ8iM|KT!!U2D_*DP6xaK)fjB0@IgD5Y=IMTP
zv1+|E(3_S)a+!ifYo^Q4RR5VaS7Tdyr3%Rp0T(a&wuj?)yGcH!C$sG|;^Qg<x3%1a
z{=moV<+)%=TKN|vuQXyk?t99R=hGe`MIvl63DTB-Ng@HQJpwADlSmM)*cUN{`@zSH
z&2rNl9)wSie>gzl@nSNBr4@<s6(^3JX5xf_r{YN{=4ga+676ja#;`8!dK~dyKB4E~
zyG49Oh}X+RcS`Ha*IF9i&Px+U$8rc8)YAI#3Q>K5W6D;w?acewR|MJBP>9k!ETzvb
zBVU#fIYy6m9WlM6n^T#$x98Fes;&D^Iq8}!PTqZ?M%q;AU!;jz(E-zGFybaZ{@RO#
zg<h5!*?Qv$#C9CpI+&b<4DLiS3kV3ve@G(!PG>=C|9tzXZA_=F+^*P|I=cU855E=L
z+(LIB+@8szM^B>8fH1R(-co3icMNnGL#@jvwvp`PC&3a$)B-w4&juKC8%t%;ifDO-
zI^7}yaMCi<2a?IdSEZ3;&feITUM#A>v#NWYKSv&Q0a|lGgwCs;s}0QXcqWKYGBaYN
zQ`4xI!taj;Xp-H_b#yyiD(JQTI)xXsqKr8T@K~?x3?Q}*GnOi59_pJ52}<@n$1D$N
ztR6@2F|J+5@p+AQ%M!;q#k0cNAvwK9b0s<yJV%q%(e#pFDXV4~Qfy=;UH7_(BETGH
zi9;2yh`WEb1xdR2xAarK3T;9|HHqJ=T1D{ot?Nz54zoCD<EWR>+jMA+5oV63x*<P{
zRp6t;@kS&^Mi1|dI4a?$9fHy8r|PxP;Fx#t_5V7=PiCC+ChYfs$UGN@j^bCmn!`kC
z{1EvFp#aTas;AYlyq!9_i?=u9#5$G^+xzC1+Azsx*ENAZykp5$e5r&O%y%Bf&)b@#
zF7SRv#u!m^+%rBLuDFx+9;b$o$=Gz!P6V!vW8#~T1IH=SSVl3hxl_Er_<ZrCDXcKT
zndhtcM&J#wgeHc}lI^b4_YJC=8DaSVKPb<I{hoOAmzbgvS_;3Mz|SvVZ)avZYMN)u
z5IsFSN~hJnI38t#iYW>!9{49NkrC^Cg;<~0A8Wfs{LkaZ@~c~{e}6u1XiPDeKeq%2
zWi~6STb-ZU@4NDV`6c@I`a(;N(FT$rm(rRjXJ``Q^=}%X=nPmzJE6n#vrLwr15y$h
z7RZd2H-_m+;=hvd|Cb981Y4{^ik>v+c<9Up#1vXx$yBp)^5!SqobnD_&O75+l2EJC
z(`XgQbMn<RVKJNFGH=~rxoc#=h3k{l%L-kk(XixQZfd!lJPOYL>%n{I6md+Jqwwy|
zUyTzIHaY8xw^76F;^@!ciJxHT%aw`B0L7Kn_e7kT{UI>!%L~vEw)uxJ1H}wWsyMTv
z<s!?ihiccX>fk92ZsW^S%A$Sq^m+l`B9@r4gc#Oxczz0Jrg1{Tq<>P^0C`P74_yHH
zMU;tZ?_p!JOMoxW@zx_^ub7ppOiU#(Bbhe9rO6v6G}E2Vr=$#701-b8Rp4?1|L}bc
zS>TJ4XQb+wp^dJ|RxX(al$urfhR+FHvJ0Kg<KG%fSWa6~qnZ!Jh<Yp*(E$1EXJz(s
zbvoIW8al~Bgy$+6pKGNk3tjU&SV4m~r^%?)!l!ou%%!LCP-gj@aYanWo4)!+HpbS*
zwV65_hP!=_z1aT@m2m|Fx=mbYj_P2M&6qQ1>3EugNH+tI1Y+>He7sU)gcz~9=p7*W
z<C=Sj7MAx<H|LahpDc6wu27ipfLf+>{Id;xbWJ8dhBv*%hh1|lv%9^^?GA#3r-)OX
z5sgukCCQ;i>nd!TRUSOd%%>*OHm+V=r_)xXE}Ax)R%<sd=td({|E4;lf0vB=5|&9b
zjQ7z0p^ifQ_1oV9!mIPHqhDWsZ0Ff+yb4@_Ux82_pq1x3XB*?fS)S6Q7&0k%M2x2k
z>wfHzLAdGpT01$5Stp5McD99qgM`vD)saJZzw1PSXDGM|Eu8&>qae85`yASf{tzQj
zr2pm7#1oq<yIt3-DZ);iFhDhJf9#9SZFp%%t9z1)xk^yK{QG3HPHAa2)30<+?AX%8
zRKhDCrm>8xXk=(Ej{|Eth*w0Npfn#OJyb6FESa0l(EOGSmM!1HWHGo`cMQRpZ0YOr
ztve$v3P!$-fkio`m$yGVGo<NuVOyo>hml>m-#+d_vkGQ;9&Dp-#x%rafn{m%vC!g@
zWV@uMtimC~5wGB!=N1QUDY@hf|A(v}K_alT3p+__tR!YuRB1;aURS6`UV9Myuv=@5
zVH@M8<Fs7ya8B*1j(OghA2;t9Aqk$RefsZj{W4?3=dw!XRLR42e|fekoOImYFKRVy
zll|T=`eigXRE6Z(v87jjyW|L~8J?CR^fx?$TLs>C;xxrY2FAC}wFjOTr9)JLb!_7P
znh#O*&)}K7zP($!L<1an0bOmm$^5jqBjw`Un6#(e-tfYuEMi#(L}$B5#rDec@VKM`
zU0tpMv>BuYa6AcQKn>>cgI<WEp&uwl3)&|~2bEw?Lr3}$g7Sosa%>JtvUBIju}+q3
z>YKI1jSjb>lmIj2yY{EmB95+_Hc!;?gL@YGNE;>7QggLlcqM!mzh(y^4?TIdjs1LD
zkynr^5`hTym$CptLM{F2Y>emz^(h<2myYo|(eIu6aZD6k6ciC~hjc}%<E|OVq*FTX
zwNXGjx=I*>>011QV+5FDy2xonm_d@gq`}D|m2AF3OKnUI$b`&O+#}To?3~*{=JW0=
zSMKG1>XVDX3pQGc&cmP=t)+u^2>a}_y?mKKK=Dk`lNw)ZQSb}qrjvInaD<G0SvIx9
z%us%r3l)`NkOZHwiT3C|wZMJq4*Y_)0YBg@*>f1o&evU-l}!JDdB;{u0YlVNwn)Wj
zo1vf*9BVT})!mIKg^I#ww}akBYoW^NvFF0r&Epa1qF+e5eOPz__B6Ido6=ej*TFQ6
z#4YWRZ=%At+{m|lci5%K3Y0<*olwcp_B7Jr{euIsS1QdatIzA0Xh7J(fKO&bG;NnL
zy!(s{?5slRj;yhF>$~cT6nTAv(!i0yD1mNyT>KvC;o&Os1f34e3H9kcRY+ZTE&<uO
z-3!*Y*Z!{Z0x-`7yHMA|aRPO7JwS`B4!5=<0-(ipZc!GeAPR4G!_&RIHJVZU%tXIj
zR}#_fXUg0de`2qxHfhL~pTHP#sQ#}U8KDIy?BKDNmq7P8e9vWsudy)ssHss7PCutb
z08}B(Qf{=;H>{Y~!zj=pza$Bnvo`9yw&vlaGFS1VBD_z+pKjP%!uteYcIUHfS695b
zd&49(PkD##=Uyg$f4w(EO6!mxxY`YmM&PR{in-SN^59-Rw`Baf*JbA=UdKhi5?fJu
zbaEjF!6!fKndKrsTr>ScUW;Pe8TFRSakFrAgFo|NiRex?qRs1&FbK&}pJh<QUx}+t
z-ay9TxDUIwfo9!0lIC&OH@bn-hhwQT-Xk7KA-3k@6?-MX<BJ}@;DpGTwI;LueNEp<
znTzeb%hyX;Q<o`y8HXy?(a9Y?;ws(?1V8l#D6M(YOv1vQuP85MU2Z(T+`^_2rQT(6
zq4QyqV=mzdI9Xlp4<rlN$zJGooO(LMiNG1J6ZSWAo3|&%Ap&PCvNG%D$4yMe{uXVn
z!~DO=!Xcw}(U}}lE>NFkz6@cheYKy&LV(B1ASK!T<zx31{i7pY3<wCEsE5pFjs_J-
z^Od40oJ0+?iyJ3Wrjf&x(V*j6^RvyjSd=~d)4j@8L+dVqksqnFv?B?6ysEWye({2b
zFVE~wIMjB}e%~Pl`pTe1(^P0~n;$3((%(5}=;s`7GF8IVs;G1v_8KMUn=5B_r5627
zA7P<0KsFq2BZgb^ImpT3da@_UWRBlHzc~hr1?CseoeKhqGdLY-QSp`_v>M42{YviF
z40l`m`lt1#t~cMY_Z$g|Rm|>`1$8)sN-CWurEY1|gxEbler4tt2YHj@I@TTip|UnZ
z8F%!?Y4UK){W%_=D76bikV0DPER&k0Lvx7kt*R<ECo}h>{3tPoZdkrpQ7zJ8c{EVx
zr;V<&dx>YMlV_l*^f?}4sG*m~2I7raqR4OpJ`XhnX0wdhTpKYjM=(riQ5V*TeAu$n
z2up6<_Z;)nXp1xlkQFd+SjA;y;-}QE{Z=!>KnVMP!;ehcAoN0iPYXH3ybN4itx#&z
z>7I``U5Iz#KdI^!*4T;tUKs!Gp7kxe47N<HZGb60=sN{=s#b**z@^IVuyvL?eK<J4
z;+qUA8+%LI)?s1prkI#yMfG_c%=3Yk*z{zPbe|}PHE^%?|9Zo^XcHyX=pjQQ;o-~R
z;W19|RB>=HR_=t?YvN4P%A_d~8W~Ql^yb%cM7~l!1<<EsQHD`P1P#+hlEi($OvSC0
zv;F;h+VtyhB$9K4gi|O4VsTiL%ZM;toUKMNT{t$SRD!_6hzwjW7pvUZ1B&tSH~5#k
zGqkGl!YxN0h+z>Wvh|3lJjpqM!1N-qtzYrk8Deern8%mY38Ud=_P&+E-WeJ`6X5Nv
z!&E4eib7UWW7MEC3Ur6<yQ#OHDJ<EktZ9c`+4RkKQvK$MS#kj&JxB#d?fPY3f&LRs
zV(tprBA=&NcXG!8dU&`KmZ;F#ou$<IRy0C^!5q{AxaY$MjE8Jj7?cCTL%b<W96H;3
zy51aFv;yVM0{NaSFtXci0>hIhamW&QBx2zd+jbK?p5YcMbokr9F6nOmZ7=T0xQb%s
zqX<eo$}Y`PS8aK-C*n!p?~mP+tQ%l8C^LIYPy4XrFt7Re6%dO!q=X)x(xpB;JLuj`
zVO|f(*#>?EMJpvxXA$W9^f>{Y7##)Y3DH%t@|A&}b0j1ST?tzR$I#l#FS)Yi(2SX*
zg_T;^s`RHp&pP=nx-45hrGJ9K_Ap9iRxFrvObBq@(^6!+rarm{SNaz}F;!N&8Uu>6
zD;iB2R9*V}j+~LB*PYf5;2^8t>vGDow6rrieLx`GZvs$iYE`^d{6Ls~6PoI7?t#IW
z|3=ewJxpSfqLKF1X$5Ku(+_L6qNfSIdWOX!#i%Il>?R+jJ5cvs=&2lJyJR!;&OQ(k
z9&OKX`E>{Szg2Q*r+4&eacPUr(RbKEsU<fL#3CWZfL@lM6w$-01(*6(lXtb&>Vh6~
ztsn`T15c$%{_1yT@A!9k1sczoPJd_TyK6xXbLltsDEMvHzbeD5C6X_u|K`f6$FFtR
z`1rWh)%c}a!_1-}Y@QuhtJ+Vtt5$;OH3oZqX72q2>XmmY>m6#6e((P&Qwjr%VNZ%x
zK(U{;Uq)pGDJZx)XfJ<jsEvulP`YOzSQ8dD&CZQ#ovv9vTB`{ph-?fCTN-pI`&Cr3
z=QcJUdIeFCLZkQZ@o5LI!>tLczd>^i^}rj6f#O^(3?K&1wSq-C{LdNg0yx`5h<fIH
zDrCFPpxr}H8>?#69zdw9nxUD7ROwK?n4jxDq`v^=I^M;Ckp2o!j+m>EvL`|)ozjjo
zTAGN+v7IoqWC0v5C{tRAQxTuVs9JcL*LjaQP2=fkPZ)Z%l!v6cPh+w9=Jt6JCm4Mk
z6+Tr~=x6yU_WgX?bau-_dzMSIna7!r;FSR`6_^<~AL?l+MbHkMS3*nI5xDGjNp>2W
zOrSFM*K;ySU96mNY9TjG(#3bDo7O)Zm?TwbF-jmWeZ30Lv6mZ_f25PC&lW$A1aPmg
z50zFqPTfYOGzUY_mB7`Pc1GNRX|!fkL9Jpg$yQux=2w*8JG^sayHfdE@o(zP0pArW
zEQ=`i8*vzgkEtvm+XQgr&*FY$E|f!uhOTkn1@>vS_2kIkUk{yZIt^_6q{Z`a1M_K@
z3HY*2tYl*g3VKA>Z+x@s>L?9htg_Foq*1)jqe5J9li>!nWwF|^_BVLE=n8(KCTm7j
zpRMJ}`shTi(!B-0s4T!NZp^v>j2qHvKmn$y&gvMQDgXI}uOTnnUZ5s*^}3V5KeRgL
zI{$(9IQHne6{D-BD%@7a%3+LDy0Wht`L@OEj@ZG3Y;vp1IZeUt|4#rg2Di30&aBl8
zNAxu|vE)O3=liy@eZU833Zn|C7{&wtb>Talr;qI%0cRTU2Q_c{7?W6HN#7Oeu1Xvk
z%v_zv!}%A%wIwN*@>$)3qiQ0piRY)ec3Qim5RVP{vhNIR{ks}3_SZwB0(5hxdwo`2
z?cQdZou4?ebsTDFCHd0LzdZRa^HUO)ucPgchFc>V%!GUin+-F0@`5B5+a@pT$j&%v
zw$)xA&HL%j6PxG}q&@vY{J6=h@fJde$&dAjK#9e9&_U&->cmashJMy}OFxhiR*Dw{
zr|ED6ZuZ7Z#MT*c*4$`0B<k*;xhqH1TORYM`BTEFoA&RV+@5MJ-N42W4>NCYW)PAb
z=P1TSYG)o7BL-U{nualcE0>wU9>A@t>~NI+ZeHEz**X)@TX>0nm4$z}eg^^kA(Yei
zR$lI5Xv?m)ljbSe%&5Q_+>?9aCTe_A4-;bN)X3N$JVln}t0n6_*44Q=eHu)%NEe0-
z8%8A?D$>F&P#yX%D}OXL37^u=;&N+>tpIH_^DRJt5-#0`&f=c6dsITE^6EoPB^^zM
zb5PW(bd*}R+<jAmivX3OI7+5gEPk3Q<Wyf~j^4>FUxrrcSY`^j`Ad;sddPsRKW_%>
z2*$(>f9f1{JT3O8WFSM-AjM(fV@mcZMR&D+xdscXbcO;UIVT(KaIH2H>E6-CYq&|Y
zGSEoJQT?vyuOEx4$5D}5J~=d%&BtkXcyh^@S4x42nfo^}Ir6PSANOzN3@;Q@*~tCW
zK0L`KuPupbMCp5;mD9a3u-`lZez_{H3^v&IOvFZ$fF@Eboq}Qqt}ONS;R!$Jd%ZW3
z%f{~U3HnPcrDOpDK1+oTis>Xv_m^pfJ<YU9uWYW2-A)ll7M$-XGG=d|!RS(ONd(P9
zgD<L7R`bIkmpgYPK$~r$-ScKg`f$>?@9v(agaQ;a^)!wXlO>fni3{-^k#JSL_t3T8
z{&%lwuh0_xl)EXnKB};=yxSHLU?ZX@>gd;akg7UmBE}M9v&^+nro7ZZdZv`)wq}B<
zG_;Jh`r}F~IbR{`$vvP|R~SFT%D722u%AXkzL3kCB(O|}3%|xHJck}ncwV(t68QH_
z5+bnP<e#j@Q=Swb1H}@r-Tq0J79Hgmw)s}gcD|l5z`Is|fXujTF+u}3ED7;u^?NR<
zM)gtaYVwhpeJ-EHk&_e~XIp8t<DBMIUXeD+7n`kO!RaLFxdCq0jPAjn8!yvuT`RRz
zpRI<4B)~xwU?>T&&;&SW(u0*nVeCYGvm#fmu-MgLF;FPKc7I<XN%o&ONxE+N45oL}
z-@xbHqBuptRe@EJJCY*9?>@!W1-j(srYn<H?fT?jb5h98z11PS&zmrsDs;wc&Sgq1
zBe>*2jgQUDPmV3Rg=ym~{u7qN-YZqJ?O9mHj(RQr&ylycSSLhOd6pCjbTjkYMV*8F
z9iD`%I{fv<s_2mvCs9h6-Rle}lU!@!zNNBrd3)N~bLMlp9SQwR^oP^nI*<6+MYFH`
z?{uGkz4{h6{^^}P>MGYmMO{=Kjvx=iqfQv2bhCKrlY)9k^J#M~Pm1WG44XClogFAr
z0O70+O$MuEAq1=GM=se?)lo@>qQ~L*!i0TJmbd5}9V$##Z#?OhAF_#ustM>D<FtSp
zYh@3AExgF<d#eJ=`3BZ73w_tMCdOLR#Ot|fI_A%Oo-045q2NfZG8&97kTJh&BkQf1
zTx6}|XN8M#d^Zj`l@7M=T9=f&yY1AR3lde{yGf?A@1o6X&3+eVf3VGdccqx)IZ2XN
zu>Zrkg;VceY&N!~q!tNEjWE(|*<g`Spm=idkCGf2b?@2~6?v;PueDhu&YthB3ll~E
z<_Fd3`@`>XPJjg`YuH_*_NBK>ss?;*OBd@Regsv0KP#wc2<rP1dr{SQ<S6SDD(lk?
z84~gOen(Q}eqdn@x>@pHV6ptbut7msAyHB}5eAa`J!SaGXUokh9vu!=b40M=hl<)Z
zdMB_-ECu&~HYM^ic@l}WcXqdY+zHv$7<670XI#*lb&85^fN1A;&7q!0{YD-7P+NYb
z!G)1Q#{exR7X1QEHV0}%tMb9C%+|Pl%I?$N8riN_i|<HV2GJrwn_|hYYOEm7V9js;
z1e1=g{Ja8pW=P9ZLZ2?j!JkcjVEzwB#5sgHT-n1>OGp8LQ^SH}TaUlj6$_>J5QyfR
z%R4!qi~hVEBq}#s|7QbJ(lwdvXu{U-zv-Pe9w-$+7<_f9+hanD*Nf^X18NsF7NW*H
ziy(+R*gw-*^R%*sOUu)TESM%Uz8$K2-RLUEZ)g6$1xd@|v6?1m!CyKekd4eD!e~w@
zy7^c71qrSwici_ZeLCtIv&39UBGUh8I4Tm{PL#pG^Z~&2{Y#!#yTm|1ZG*rBXVY|X
zX`e!y!<Fy|W9;U3C75&(kcUhvh3dIL9FGOkBu2UAg7MaKcXj>kQ2n~2iqtK*AVO2U
z<IMduyK0ubvCLtO^-HLJ1y?MqW0J#x+tkO7GJ?*z%sc9V5y`R6x?(+5Zxz{WX_u#o
zz9P4FcN5qC!(WbJuI?Cj(jk{~D0q|0+}n7dZt&*8T9}YyqTJZT8{=%12F6p+AO$Kc
zto$t{)bl}@=*VtJOgC7?Y<O3jP<OFsHw4)V$AQtVKt>{nOv(d2^wEJEL=}VMJXeiC
z{&WGdyVt`P<)rT|)LQCO!P5?hJY1y9EQ>K9+S3T-9cR`aPp9#4QTrKr+8=O~3%&WP
zXD^fazErgcP<u5?EV$tw{Vqz_Jl8vir{iIFHi3vR$uzppp5R$IQA^Dq)#+H5(mZva
zmw{=$n&<P-J4k2O(j1mk70)K<(H%Iaw>Oe7Fjd&d*HzU@cP;u_Ww{4uU+toQQ2fH<
z33eg++=#0Z!j`88bF|xcfy5=8X-q{|kSg*ul`14f|D+6iHp5LKQq|24r3i8Fo^{6K
zP}L8WzJWQ<&WZgvvalpw&wGJ|nVfz5tybY9McCNg{U-wO<4w`YUT;u|Vgmv0wlcmd
z)VhZ*;-(;HkAh&EJZbr?;?6<!1D#oaK-$kTWp0wG<Dy`Z1Za;e9}mB<EyB~Hk~BIi
zco3&IW^Ij;+qU;ygXBINs@7M30VhC|`xJZ}treTb)6?QlIL$S}EKebo`Q$G2?#G(Q
z@lF_1sok!^g^rf;=r$aP>=P>{;E@KAtMly`6)Nf(rl_ZzIjvE*aFIjg*`5-9(5t+U
z-BHxibXP5YH}Ajknel+p`WliER^AM)4Z<|gohC5sV|0Z9Y0~dG`O5+mx0hw+cP#Ny
z40t{UD5T2D9grM?Xn?c3+J=6anbUEi<9#-Mkv&~3#Dx7d_&P+JgTAVze7x{>)m24Q
zpoD`+W=Smn`QF?E1{;^rp^J6!X)0+lHQu81uFe&Z6fHv=1|jgqGpSl;=X7BP9N)mH
zaw$H+qfg5CCJ-AaM*kJq^h0wN^DoEq$@GE$Ng>{1<%PL__DIvWu^BA}v7w6uft0Z7
zm99nIUNQqFJ0Uk)=7FPlke~ci+-#6DgE>&B5ivCA6KdON-(>kpXE=2W>}w>i6#sPf
zlD6h)#e9n=D=BwkuAULmNlaN3M@nw~!!9@Hrm-(Nfu0aF4T-ZAxo0@bV<<9N4=J`#
z;9er>Zl7(v;pya-q(F6S_!RJ^JmrUleRdYMaXMycln@2wWw}{I?I{7B)4pm#eG02Z
zTkslry`5*AZBzX>Q56F&)bkSh?!dqPZgN)r4P2fA{lgNwQRFVBFzR%eAW;kw${6lz
zaSC9S4!%J0Zs1QxSWmQ^>E0o=UDwcWQ{Gm8ACNFS&-$^mHb^h+N52s%2&i&XW<#w9
zEW`}6Pw7rLj2#-QiecRIAp;JKKQe<VRmB;HdDAE|-^uzxtkf=(q_}DxrV>A_H6YAl
z7Usp0)K*+~u$EM%FxO5dD7Eeh!dZD}M2`w1-}oF1QWuMOgNZkgV^U@ndo~`43u($Q
zDW{9Lyl5szS`6Li7h0AZC`J;31-_;?rOxQFWQ-jKd#H|N=w6LF=NJE4f^hJ34$M%K
zd2>b;arzPHqOGeUBP>a^oyt4~FfJ_<Gk4FPs={BgL&qj)C%^XAWkI-O(8k@Mvw4_Z
z+<lrLEs#}_bvCazOY?LY$6#@v;fbHcX$X$rAxZv&qP9Pt;%e?#boXRhR*p_XlPMY?
zpNAog4|)-GUf+us&D=G(CJqFI@Ab3UC=E0)*+PW?z`e5ln2dBqE{PM3_;p{($8YF`
z#DMnPO87B4Q%UUv55OOL%+Y^Hl6!MW-vViT-v)1<2CkfEm$&m;XT)?OmygWG52!&U
zEL!zGZx72$63yOrFDeH9@%30NncOKPiR>k1s+ygB3NL(&guJAe^~eIB7TrCd3ymo}
zzNALJ=3Q>%9%y>$b9Zf$)d(S3PiU=>A8zE6kS~xdase{jgZ8t_+BvT585a(H&?6y_
z1V){1Jz)EpTK&C$AYGO9aKk|+0U{v%De|44bwm1x6G!R>u!t&+!9)L|mZ0I7C7A`P
zK%ibOEQW)UD4LENANuG!)-8W?XGl(OxDL=g*Ux+!T8&4~OIlY}9%3+u_rV?KFg7+r
zjg8}PtZp~=Vksr|@If~DEEzE9or|G)V#%Pyd?ujOJF;+uw$Z`~Bn|8&8g!sVt?p2q
z-VJu=k*(9($*!e~{Jk}Lb`|Ax=o9f@KJ%M6n$b&}kyf1SscGFeW5P<+>lRa<DuCx*
z%6E&h(RziYI)KT(dekC%4Y-y$x%(wle`rW;u?i8?6GQbiC(vRrtG_VaZiZ8Fo6{fr
zuYb+Rtk~DCJL$QC+-y<dpIHlzT&5)2nwWy`o{TBgW~ocN2d&j?hS-?$#j>`I*0YX<
zXPANgV*38xVdDgrxTkzRS8KMSePa!~p@3e&x7yh662?Iyuv?z3$@d(!^mK+cy5t7`
zlrn{1;{aR^E}8zXzKrr>hvfz~re{M`@}Vv=bkx}Y%_CGcuyuSg3EJ{^3N+OQya1*3
z-=%32;7v@#KC8E34>j>I@c?4)Nt|VrteZxMyJg(fRl9WC-`Wn63IFxZC}0Uuf5TW6
zd^M>q4qAR8-S}=}z3=OQTSA3Z+4h!TT@bJ&M^?$4D|xsfC{Br4jP*^OPQ92Q5@UNy
zpd+a8&L||&^Cmrf>)<bk%Y$S&+Qy#GM?a$7P~GE(ynbtSmR_W_)V`QW+3Zzb-&MBb
z7;(JH(-Q>La9s!!qpf8z&v7r4T%Z0@X3ru29*#c0N7i?ZA5><(I^+ghtMY&z=V@U{
zf4<>Qh8SKA3h6+@T#u>Ob|sMIW?+_fh_h7Z;ZQJy$}XRgvVCXcug2~0Yf9P5Jf;BB
z?>de77&RgbAMP$vi2;%!P&(%uoOqaIBULu`@Vf;1S~Ea()_Jvk!@#En8_Q~AHRoFu
zA)}9O)sujs!gq)is07_p1qVxFBVN9N7j3+ox-#yubReuchlJ%jRs=CCeWZ$>Nr$uF
zZxM}9TO*M${WYwmx+eAr5#V?=TF~;28;>0fVT8%z%O6WE{8o;!D|r{^DhW0o9op}F
zowd;t>Kqf=Etyqx+k4|8ug@c{RR|Fl%?ENQ*}7|e0jtP<IuO^b#pZ~z&FlRH{T<IB
z_BIJtE<pJ35*z3y=7&3mHT)c@9<qFF2g0`$a%d0q^@s@_^XJE-e$J6n$jM~Cu9s`$
zOC1k)!v~k-iPBda14{dB4CBF@BG~NBd0~@zg^_Y(P`epXx2blAYg=s2WxIIW-x+0$
zZG#K_zUO;s$NJ=@FhFEUp^s&3SX_EpY4Hh#KiB3bB#%j}ap<fgt~(`CYW`lz>)1B^
zWzD8mZb-qqr&g8aiXCR9`43AEQ;1)#x5ps6?zX?>^_DgZQ47%8@v@<Z%Cc=!9J@NX
z5)UG6p8Pc-4%UhH^z-I5*j(o`L4MU<`Cl%835&)&j>48#G)i}5%pbDq%L`L3rN4bw
zyJtvKN4;uy^;W5xKrxo$_z?^2qS1w3^lE|&6Q=CpE4Q1zH(S1@F2|{DiSd9xnlT3c
z>-{q^O0sjtmd>g60(HNi?j8;+BFxqN+_x#b6(axqc|s7%UfC2DnV0CroX@J0?V(*K
zthc;D90b3<8!|!(;QWAFJqz@?cn9JHBlS0oltZ=#$ah%)tCi~Lc3ej-+6G^WLm!XN
zsnYF`Z>i5$6o)SnTytQ&e*%>~KW>?bvT(?Cm>eW)ETza}ZOV*<`sc5zjRMLdOXu_K
z@+?*02<phfCCM{jl1I-nJ5Y~~3$aBwCiw6bTkJiPDrspgE8buA()Xm2!AmN-$Fh!%
zlq#5MnTTmma(=)jNKGEbU)GgZjBU(L&9m^4vg(u?Od}X_uwsG2N^Ixj1}X2|6rx+k
zGc>%v=mz#{gSg&B*9-YEtYDa0`l${3B2>P}z7azCRfh$GJw-3QPx{Xi9KG?Wa#SeV
zjbNF{Qm|e~q2qfmy2wL(2&a;Ds*puw)n&F_BVmr#>Jx@{IiNjCeqH_gvzhy?&F?G>
z<~gf@!^@&xEdJ1o6A^DnKVoP0Jm<j+g6VBeyh;vT*kyx8@X_@S^KoArXwyU%!ll*D
zHgXF1nr=Q5M#X6c+sA#ROeQP@SQQs#uy;7ON$)RCB(rhre^qDX<p|Mg`o(rGBM0b5
z8A%G$DUGBzil#zH_jTBiR1Xd>f#rEe1L2tv5++@V_V9%&U@cj0uSY6%n2Q~~%>`!b
z&%~jEQXa@{Pa_T_B#A9)>TUHS)-JfI#fKgjrtM!NwlHcy<{?CRJ|>P(L%Y4r*Ed;!
zJKSk}*ajc9yy-)B=^PClS}EVM=2uKr@9Q4?tmW{d=B_x(Y`zS8?{o}aR|?S2cy+p{
zp<v&NRd1{Pk~~d1-6C~UYk5tozi{#|Pj@iXQ+qvznu5+wizp(6I+&_zsnpZahMQlE
zd>Mbj2)<gQthY>(kQmV+E{8iHl#G;f@V(yL^9t8ax`7uO{Z7s)RG6I-l%g&Dzy5Y@
zFYUWBCjGLLL2J9(#_Tuv5F*AvT07|!5SWtm?tO0Gr+c1Ecx5-+RL<x~1T2u}^)pUI
z0ki%3?n5Bq;Z6dl2N&t<<uFY}<wnp0o8#}3AZj)Bi_8t42EL@X_w?{zu;fxTDs&Qp
zQq(}xVu6KRw%kAcQCKj2AB_bK;tKLRNzl_`L7Vbn!f?b5t^s+!J|3AwQAe`~8I0y`
zLJ4XK$d>7CaUEO5-ua<0vSS>u0y@@-tj;PBe9{U29wZZl;Oc<9EF%Va7CAEm77d-^
znDqSf1MQ>l+wV!swmyRM?ws=l-ffjPO6KtOSi3xLWUkQxpJ1L987WPE7wlwkuu_iA
zq$u2T*UY_Zo=AOaE0`20KcsHUi%KlW-@kqpkBQLvczJsP6x!ph&7(<$mkyWgt7T1`
zd5q69EGW|5=&g*q$bxV#JpHn$M~kPCql;1y&%u-B035-QdESl|eiFNBb|A4g2K=t$
z;&GOWv6Oq+cFH-Bxq|r^KjG!cY^iC6z1|Le{(x#oaMauD7B{O9S(2WIccmxc25?sY
zC}|H9uKiA-K{V#XWd;5-i6Tw)1?82a0`C2G8};P|5+fnLK4sx9i4yY}gM*`!DF;Ap
zyb6x9`oY8G^PcyyT+kcvib5!oSU7Ef(k^SIyUJ+D^otPE9?d>y(l&9|fV{NNtYTKn
z=?CLpJGLAT6T}X_FMD_3Z435XJe6B*CFI{k7UcUi^yDz<FzZ%wuwfPuwS8IbF$1*b
zOdIG(IeEapaSN$NY7O1J-R3F5&gS5-<5;J%BZkqRiR2;Z<Pi~B4~dSmLYcdhDp4Gt
zaqxo6evA%BjleS!6;@ft)OC?Je3hPfi{naVa<Kq_Qf7(MMj8xAr{=Q8rqBhtm_w)k
zvN94<0_-B{3fScQ_m^5g)yWnD$0frD^?<89vV*>14A>+JM^GU{l~bkVdI6ypw=}d9
zN3g;g8MqM2Ctz9mGg6R+>;w{<^ckDeW#e2=6|Anmrn`mTT?}p_vC7o3ay?cH>dihr
zny^Ow(d@vM+wF$%t{KNl(G`JINceLnud}Fxtb=v!;rfGnL&M4615fmMXnUe)jrnxM
z2gGNMAR`_}%|rLV#H*|BzSW;pQ2^-5h*pow1180-d$*zfsPE`gD-YPsf-_oL6X<M+
z74K-DPjgPa-~CDvSV#!AeX%yiyUHdW=-<uNMDcs*vCs$?9LWELmyLt~@4Yz`R3rOy
zZ%xiz?&Z4^-ZL0JZCjiu^Xc%iSmF~$7A*CkDMe)hODEhX$IyyjRwEvzc65Wi-7ayr
z;x>McDMy~}*N-hNe61JB;^Kam)WY%!R9iwGDP$MjG7PoqWOq<6G<R3&qr08E6N@#}
z@ocG%?;lW&(&Wa@_U<VEz0}70&Z0ygD5}2h=34-4(#f(YjWK6UI!w%TxXE(JAS}|b
zv&dQ0v7$Y`fwYWzxFfwT#Nqbi`-QiKT`#jA2FpK@rcESyHC+$oRJZPbttSb8P>#Pj
z`zI7*#ra~C0>{13*vt_ppF+DyYLaKSm1jJoU?jvj#7Ksw!VWMMMN_`8KiKkUZj}12
zB@yp8o(}U81U$a?)p#NOQmap%GVgttM83tx9b>s7@tK))Yi{gw)|u1kX@+vniR|qf
ztu~(v-xryoLC4E&4X_ZA?X@?yyI};e-czf0Y_)j8gtNS6?#qQ*ZC;&n5!aST?oO~e
z0uB3s?wkR{Y;=v+tES>rVS~{v#bh<RJNrPwD=cZ#MvagBejF2Ei(Ka^o8Bx>!MXf;
zS7Ut3G#X~U^fh4?Uzsqbm~%uO)=W01K3S=T7w3*mJ>A)vo_+U6w6h91raQ)UBy87m
zHN13~_Q)A-4RW6JkVJcORH3+(YI<YFC9lF|YYS5wd8Uc7lKCNG0b34BCbqm7>%2RX
zp%+a%3yw*FN&^k8M)7!YuTeC#&0;__<(Dxvu?7O%JA6{=jH%Uf_hQ42Jgqg;$wL!A
zw0@$Cawd8DcXLG1mExXdza_?4TPasav)}8&G3@f)+~8>9TSD$nicSA7i6;{+p4Yyb
zxXpi$t?y@-=qMT)FupmqexTa6wFm#P7}F-KY>5TP!hB|MOdC3h=8Maja)ru?+6y40
zHa)F$@lR%2^b<v)7qf%KBj_+id;QdZyIp-tct9=YT}&DD{7S5{+Cx8(LqrMOWG}B;
z0e?67?VgS)w#E00DuGkQT&I&_=&+ewEI_kO9ygr~jaBc^JNslJ7$#cJPq3*nDlS#u
zO#R>n_bMQJZwJcRaflvEC)m}QiBfq8zWtFwA$p|}`8j+(hQ{4o*K|FM)z?#N6Wd;&
zejRrs%Rra)+85_WGTKW-!S!!Yo0s9nA!O^KKI_w_qFqHk9L~(cB+YBePt0dDDn8%(
zA235^%%1kq4c>;<VP<_TAgCSEPOw7YRYuLHJmL)3P~Zk82=7_9p7Wb{b(V?>HGbQj
zj?ld8m^olK%C+wTx28~Rc5nZQxD<SFLO`dwL}cywr_R&+2TsmUU9-NO#^{mEvqoQ7
zId?;bne|#WUV{RiI+qEy0O33Z>FBg2T$YO|VZBVj*2yJ08{8+G8gwf1%fBy}Mh{0=
z7S{NvW)S{Jm*Cw7eREC|)&$O(yR*h3Y~2C|hM`~966D057zp$dlzV#Eag*B#_pN$Q
zL6S6Pi4!_S?6BocvixR=O8PO%_(dEPCT9G}J^UqV+KeTQXSSQ13!UXr%;y;nHFNIL
z&aF{PRN+IAROqwCOV85<UU}1ah8v$!_VoO`w!|m?HUBDOBJ+!i-x0`@dP&Gl-<}@Z
zbJEA{r}u*6)x>nBGC3E#SNy$_W9{%fw`$&>+eILySik<g>se%4r6cD~i~IAa`rA0V
zQ^EM|M9T!Z$SXz=D^L?M<uxK(thiKz2pyK*<2m@H5mJ{(vymC~$*EhQKazvbcF(cr
zUSks_hqC43mt5opgY0iQ%-Y_Roj*^4Q;MXyZ*rfT-Ri`Kd=;Tax&x3@?}J!2rJSkR
zwf%$8S}x4!>FM~)bXGbW?gk2p8?UXb?{DF<6%-8He|@kNQF86JK4ZxStBs3kh45yw
zth_uP1tX)_+3S(*RT?{{V_ss!MJX&vBvP5Gru;C@*J*ehX9+*<NG^4A`QaqI9RaRX
zxRF+{lcOs?Co44L-+p!x!J^MG^wM;B6LL`_fD&Uxx7D~I@uPO#FX1~~U|lAb_UM2c
zsDGZBc6}2xqoQ%2HW-5*ElbxChu8YI|8&SI!NjpA8X56$-yAqnEvxb5U@w8ziX4-t
zu(f$fbD?eNgCyiW%-U6KE^mHDHDH30iJXvUu&=c6P24IsD;TX?VTrg(CI$ZM$N38v
zU3H9nbNu-ZD8%l;l{*fZb@|SjpPy1&7zlKTsJSGT$Ak0U&Co*p;sQ3%hvc|x+hk5z
ziw!o}Z#{jF5tpVdtAt*ou>dk-1Z!%cd-T1+Iczc($bzI9xjmmmo;GoQQRVuTCE(<k
z5T16mX%GxHwe#zJTF<XpqRl>3;<Gxm-iCQwCbE**=hWhs0PfZdhk)XKbo}yK!ut8S
zE5P;F8(pVpON;jH<dWx$<6TKyT%rjy>2n(J#9AZ{;=CQ@L#n?X0<PZD`1Vl-*S)9p
z?UOG!(sDUB1x2u_BQgRkX}A&{Nc!|Qqo6-t`227&DVR5IFg4D$r>Q4&q%3}I=0*7P
z5W>}+dhpABAGO+-*v#K)EDqKt>iQlTXnVRd$#*~{NGV*$6R4cre$+(QKfQLlJv}b-
zYkT5PDp}KswX0k&jeejJq&3eV;{?843jQOTWG+3yK4<>#zncsuwPWge4*Hp?Qvydd
zH_`FT9LWq{<uQG=xUZW9_^m5@xPG}76My5VlJ$}quVZxxhh~oq?;>xS5irM^6UgCM
zcGc4CTc|2V3^$YGE{0fFqt0O8f_;5onKVkQS(6!@xio(VQh@s;a<?RY{*3JU@uF1u
zL%O(7%5Ql(jFpjyvgu#S1_@5SIERD#yc7ph7!9JIyG;yb8WwU%$Z<Xcdu5jCxq%iq
zM;;Q=?I>6w$nrYvH{nT)>KPBcNiae+#+^T}|B)rV)O=m6SUn_;<VLHx!X>#`@H-<J
z8EZalFl`hF8F~-v6d$~ps}IfuQa8AHyS)ITV3Bjnw~WfKvQ_p`Hy6JAy4#*Yp#0xi
z`%$o~HU;4oV<FuPqIq@=3EOF7w~&8$k9B~Oa~&<P*Oj5vJj!09qsHc-ZqM80mpCI_
zbuusJN=W-fv~?}Qw7_A7+B-GpXoX%52SLdS(bOI$uTS|nRn}376K6$8{Hc(y^62;8
z5nl}4E*U#)Zo`#*9yfn7CL>4VOkun}_2U2>()maV2vVKZt#Ldf6f|d|o%9O%Q<k4j
zdZN3$#rlT4YHfD}9y~D7z?Ts-iqX*X1uNKY22D}4ch=20rv^TQyr;DdnAQb=H`6Ud
z9mo!&@9>btakn4sucmvqTJ~|yj<l1pIh7_A;h*b^=hQl1kHId-ndlC5Ke>)jO3~$S
zVIqDTAe{~g!0{o`1K@D0`3{NScqLA}<h!%u*Qr4N4e(QcQ-rm?K6v@c&=0gxf~B4K
za-IYF6NmWy?{tdCxsiVKcHy3u1;t0apL{ivjVYEZT>-#fX(E`W)+<MQ<0RD^z4@>F
z(4hvB8|oy#@$Bp%Sh!Ys@*Pcy5JT_v*itSdKHi}%vqAh4Mb6{HXfN(YEAdUHNa1DX
z(SA2b*ZnxU5ar%lOBLUcf7YqaA})ri)*-h1$DwAm1WEA?h}wi{xclI3rNt_7ce>>p
zRCU?_V}8b{b&`a!vfavz>EbSr?6Vw)y^?`~+rC(odfHq;IgKn#7h)w|sBS0k<ms?U
zP#`5U+UQRSy`xi|$Vv!x*a&CXh#ayqJndq04U%R;gtX95p`)!Svne@G!tXJJI9S7w
z&!^i8pGO)<I5$g*R+A?vWQ(ySuf>U_&9m^hqWxqQWTLZy(f0jRIUHlS_UyXB_NwMc
z+Hra1m~U4ej1uC^rY0#eE0TaBOr*}TxTrkqnNY`6^21Ca`kppJ%#Xc6+qbKV#M%>0
z#IB);gW`aSZAvWo$?f_C1p@a6y!H(im;`8%s3Zg8BTj15Uz>`D865~Yv4(Rwd;ZP^
z&z>cgn3(8CQ<hYKQa0YVbH>k-&M-PYQ#a^Y+Tl8Lhk3VzYIKTxIt+Vq$25uuk;(l(
zDQ$%La!ZQV+cYwm?8MI32r04EVCcGu7jcl`AGZ8jEhOQ+pZj1SvRIlaI-P*Nl4g^F
zvcxK!|J4GJ-=#i&{W_HOwwCqVNku&MyQbBTa8FHjJmW{MNf!x9(<^D&xV&+b^%<3;
z!}{ln6N3-n&m|Pf@9c?ALn0Q;wWP4w^OU#W#yrUFJS1zT<|T&hIQjZH|Cbzt!_7UM
z?6e`an2dZ<INViDj}52RaIvW#MJ_F|S`7%DjC9`n4T3EVHm?Wt|6Ofin~Y;hAlUdY
z=qzIqL-0H#mW_c$pENkiK`flW)F?*0r^&4439GY6@SFLvhuX#d?@e*zVbQl!D4oPW
zkaW_NeztHPWHR&<9t$1~iH9aeispZ-!sC8dt$g5j8FZ2GQ=}204uSD&-5&ezJ*c@G
zZXrU>&q_jZZLXTQV}+uU-=~RyS&ggw?qPYm#<V!xE2a-QBsY>-V*LYv?dUPg$Cm+u
z$K@Ys(dAabyKFhLF2Rw>qWliO##f3O56u-;?2GBtRwE11uR#`Ua>GYS(9{e{;dtj|
z?{0SC+MrX+KIeG-zX}qSi8M<&Hlp=(u;@|L(Wc}1I!$z`A<-0BJmW_WuHL(ZQ%4u$
zR=qZPGOT5o(PcxX42!CG(6(scf@If-B=F}()Dxh$B>I36x0Ip=`^(FL|99a8_d!ZR
zt7$x5H*)2`Km^GIosJc7W=en-GaBYK;~sDv;i2D(+7CJYxa-*@F{yOOyTdIqKF3Q^
zw`G6n(wC$Zz<m^=<NQY=)r@wi-Q$@A<8mD*3r`$==${O~g%WE0amSRvbE3Q9ggTbj
z?T{Il`<6LhsM`=#5>Aarynab(?HFUAtO}j(`5NiLt`L;Sv5@`<wrvyh-IUvJHX-&~
zd$~Dmr0u;v(~up#W$FCyx0Tz*7J@c){`$!*LV6sPJBD-uiuR!Xvy}G?B;d8vq@xyF
zr(+C^1m-sI>druwegK+RR2mqZFx|`>qo~s92;O|pe)d#^Dmtu_vzh$1qtIeBI*{^^
zjiE*9c}w~zHNx5A7;`<DbVnB@!R(X*XFyzlu^jU;1f-4V_lEa5S&lniL=V)VneQr?
zs^HOl*5Qi@a($d4t93n=iK<A?sueT>7kF-aIL1u4#!(~3<tp4BZn0rY?&*VD>ukN9
zM~-4?+!f|WuC&XeI*v)`ZpcI~$+hc%F9|-EE7+77xZ>DQ-Jy8-wA+{KG=Fnfnukrp
zDXe(z>4?P+trvXdlNS&gGe_#oYLoDUzt^ZsyZLD?hRDbWmmD?HpzGsi9_$GbU0r}j
z$Wg8>c?M>%C)5_a?_!ev$+YH-J21d4!p%^3P4C~!AX4<$5fkw!xzRz!#_PMwO~u4D
zsg-gSZ|Cej1G^Ey0p+2GQe@38EbpDrY;bXwBFsje<Q5&dEG90k1P1+w{rFDcxe)jj
ziSp3^5xiL+p;)a6G-Qv(*v>|qU+xgi?JW$xW6}gp{JJIL^6QXde`#%<o)yZZK6SfY
zba1G$tD)FYEkgrOVV5sJUlCr91ddL!#;~C6-lpP6>$r>PcStRxeuUI`(v2^mt=nu;
zg<UoC`>Kkgd`-m#7@>v9U>3FVAjg|Z8`L<-MN!i21vx9j^txq9kD12b^esQlf9CnE
zOugO?^7eJ4;<MNri<vD*chEUn4jAFF_4;nj8baD_;?U<y*iIRd$YVKrtU@V&(IdqD
zppu1|FpY>H%6MvzgVbHUu=c(@vTI}VQGH)-@X6g=61Dnw$K9;YG>`l3d?Mabrzn~~
z4U6yZsM{Z9>|<GT*~7at(%#Bo(oD0Dr<7tl6)3*tD9<p#BUcoA`a1UD>SUAEcQ0Ta
z&^S?OQzXpGm`BA}%Ewr6)|5moM-qRfdCoHXh`R`@tASNeNFyQb@T=qcNPyr>1-3@-
zfY^IptW^T5#udwxOLIrUIFV8a;qS<>q;UfEQj12Toj1utmGxJ@&(q*)trF|&G_21r
z%d^5YB|{6V6^HoB_O@n6Hyz$&PB=3@s;zXV1t0Yg;%1Svg40HTko~Wb_85|>D~%nI
zR#)f0nS^^!p4)A$DZnhK274DtV&~`f5!cn5IrfHvQ)?0F-@$1)q=!Yv<QO*<Fx@o-
z-|i$zhLlCx#`I}n>q){jr`URYuh_L(0oncES5bq<KlT3I!F--J8g3v-<qCP4?gr^>
zdzyjH?GHX&<#bP=ZJ(G@sZ+goj%r_lb}z-xCtac?MG)TKGMKYJ!Xvgl2F-2?kqZ5;
zE^cE=<c2;u_V^pq`Yv%#19xyJLY0)TMw7uz>Lh<Ab*xe^u1^yJ0(yG0vMn2mn1@7!
znzA+BsyOBw2*4-iQLvah9*kngp7iF3up;Z*Q$(Y%bq*`-1#wrxtO7v)zdq%xd<yHh
z_2HsuCqdJJJ>EYd+AtjZ(CTVG59!e^Lb6N~wgfDU@DEsgv1!8R2j|}iH4~oZmT+@d
zXM28k-9%lp{i3^GD-HH@H9;Qr)Y-&^2%rJ-yDyg{u5uHIdsloz&9rHLQLVJKWrlNe
zso}Un9?B$MYQFF>D1a=lpct>$qGaP;N_~YlLxxj=P3<ltM=LGjMjT%PMQhD%gV&4E
z{~)T|{CUom(1R$Gq13&F>||+#3kmjgXZRjECjyG(GKYJx3SSOpG%;;Rbc62X3(gJn
z<^3lGf+OFPhs=q>iMCBdBTcc4qiwQWy85?Ae6no0UySKHeTgL>I+vE~JR}#b_6#zr
zZzPk<4C&+Ci+SDnqAemh>=h@cN-WrxSR(71_}adXoi<auHV+5b3VagO`x%$2&RI|5
zoQ^==T*`$d*D*Eo?yE>lN(iAgty~PX$Hy4+iGMryW1Jek<+1JMksXoJn+sark<y_n
z&|bTYRLUWALtgQcS|W^CYF=a>OjuX%B>P#49Io+0CN<q0bE%=gVs_Z_s&vHcDOn1T
z0s;jF&+hN2ZCZ->0&<*q{g;0`M}0^x#Ly49Q&~x~E{<t_gTShGhWGq*!MNZ|F1IH4
z(@7QElY^NmUNs8oT9zNc7OG0(vU|Ikd+RaB_lu|A0ZtcpI`*6QUr#}s>ys1YyxeJ4
z)wpkwAsQ`JD2*Nt>8Hnc4^}DVckYq~2^JLnSpv+Qn}^rq$X6tC><QcnKe%#4J-0Cm
zOV+r)$fXr~`)~cpJb|B8)yQZDeX=(qq9OIbKml(XvUg9r9{@eJdCefO6%_T}iV<*L
zn&5Q@Ha7wiA2|8*e{{p4^4`R7sVz_5_TT{^>DK~XHG<EIUc7E>qx}$FS6!@H<=riT
z!t)Kn9G>R_6@d7u1Khh^r8Gupk+)vI2XWvHxwdfow0T+KRHninZfw`aHemkn!OOKX
zb!+gBRu)#golW3u4@&=P)G0VN?V!3=qDTTBfy+P%6VT>EbvI;ozSaqI!@Etlc$M|7
zOyhb#ejSobj}FhCVod|pFpd)-e0V7_qvX_{f%Z=~L+@!r!0!}81mXCho8osrAT`)W
zI*oK|9jr_o4%Mq*hz0dOjlyh}DKsK;uxPZ=;9|)p&4!3>e~auV$5_-WS5YZ$UKN)w
zOk1KsV^Yl3&2nu_G2z{h#vKllJaEk~6MIB?+y^7i1T;1{?2asXz$rG)a_aMvy5Y8W
zN%qiX-bqfC{AwM?Q*iZu4ig)Xoj6OFn5{(JvJ17hIt)xJ;fv&&vdrW&o37Y!0&ZaT
z|K9No6&EW*2-grJ50#N2$MsOf(R9lA$+6wwAk8ZUifM?N7f<NdjuY?Hbx(B=FgT@m
zz4!acadb<S1k2nS(W=+UK6axti(FGz)S!FIVdlrno!$Nm@-Kegphs=!DoMAKe<;oY
z<MhnY!5Wkgu(pI5ym%}JNXJ>QDP&EZ4GIFCxMp<?P#XhMDS@=@*<1u9o_~O;Xu?Vq
zvg{ArSY{7#D~h#FnT|;ck-q5@X8n~;ac-}sxnVwN#{LDVhb8TK(zJ$@)I{ayQT|uo
z5+8)+FcCU{my8~Oj6pW*^}X)lhBHcHH9k*@!Ad6@70pPi+$yup)3axqI40t6PwY*C
zgj%vC$N?{v<cT&(n*yeOF1TCL+*XOx$w_zvdn=E}-=jocy<rxqZ)2^9blUAt+nb6a
zZ+~0xJ^Hh2s`4ZPzU_<refrQIG;D^pSZAeuXZ}Z{=X*XK=Avc|!CwDt5<$SzGdUGP
zZeT}3i4;pFO+jwSsF~t6v&i3r4@aG@oLoTfzff4c%&x|pN#uDGK>qD)KGhWoKJAY7
z<FixC>@5G{6^CN@Y{(7}_A^6$Su_Wp>&r2oKYq!Sn=)6ut8Rq5)Q=&%y~}a(9=V+M
zUk9VTr&yn+DepFVeHn60xuIs(O+&peJM1Sh{g)Rmmm9?5surhvxdfM)Lv2#^f^>IT
zX|VW2%PaNOnJj_%2}5mh5MB+*O&AbZuH=A~U5_HG6?l^J(FYE(%7FCnD%Z}6!s0!a
z)koN2j?|oRQ<_l|@AT!v_=*ry<GS3wq^*a*6T2w)c-k8js&FEFF??_9&;8MplgM!<
z{SOV>t0$A!qpjP0t|TUsML!F5BGtUCzweLH6c)ivl!o%^%u=3K%-ha#M(M&y&G#TS
zH!B?AvxAvw)7V2jqMoH+j`CE7=IcaAX|aaNLUM9|M`l=Jtplh=fu>Yn0HWZ^qaPi|
zn$mk-o~O}n|2;6XXEI^jc0TR>#cg4UOe4Rz72%7slzTZIjP7zfJS}pD7T+;(YJQ3M
zYoPH(5XrX5n0V@D9<B4~aSs2(I_|Ky$us8O0c^$rFN_dF{SPanZJZJ$@_);`VuZE&
z-1DAesmSb-pQoCJIMbyi8Vo?Z&ObimNk1*prtt-8I%9A*X+r-id}6M6G60f<Stuh=
z9KiaQShJ=BSkoC;v)>PoK5@*Js-c*mWyX$i&kgG)^6KEB>~RB;yw-X^YpEJsZPXg~
zCyMp^+HvZm;mj90o?2ZCt5_w~JkLTd5Ic+@!yN{hA{&`v{Rc(OkA#JLy><gz;8?G{
zubE*|lKXT>#5l8%wFZ*#+<E}*Uv=UuS=MZfIQTS*#&)6UOPsrn`l5R`3?bqj^DEw3
z;<KZFNR;@gvCGBI+Y_*)+Z!W^9a%_@DKeD>%!GNFZ0gQ8Wr!sXjSrKowWMdX>I*KF
z?D3A)hZzphWt~&J^>(50ack(?8_mfVpwo$`^8&Uk#*F>u6Q%f7Ni_6N_fGGMQqH?K
zP3LxiqHni*(R(ph>tEmCxF<zsPghF+1>UWEklZZdK0jE0@NBU1fH3(V)l}NN{+n{k
zCXmUWU^iZyo8a*B_)Wmwo=DD~Z;?^)JF5=tAzmVGOfmYfB?z8n#G-2$g6Qje2OOEc
z%-7&ZW#lC=MUEtasnv1*Oaf8*%C{n2i?ri@DIW}P%6prO-&XOgwp{$0JflJqD}$Da
zDIfqBWv~B&?>&+jGn<xR9!tZu>T3Rt49sKmNM!352Dl{MWTDkwPwWQRuba&8@dmzq
zKkC{L2(#cwSOjhBZ%p>Mxc~A}Lj6fuU(GSydSxspZvXo1Ecqx?#C4xTx|?Gro{Stl
zVoSE&;Y6>`U+MHp-nanNg0x=U)jbS3w_}j))iWtJEy5x^8S>!tS?W)tfn%VZ4?YC4
zxX=zw(#^TCv`gFEjmtR7y=qs<q##En?g1gU2vSzVNBsT<;!{(j+?B1#xJ9m3CO-vp
zk1bx#q0Z4!I%^tIO%q5WzE^deItlIr39}}qAXRI+Oz%C-y`_aNw={DJ@MsMF=ve~R
zudlMf--D}jX>msF`Ke8a-8*>jD2cfH*PfWMX9M3H@k3)i$K)Z7X4535!@<`$u655k
zdkhFw01~<QOD8(7{d#{1g(txN$$j1u*fr!VX7>KM7%~Esl6EZ#K}}=8ihsusFk*B<
zOnO1FjTp((0n0e`OS*=pxj6#1<hOAPT`^TE>@OO!JxuvWwYnYjgrwAl64jbo^#CL<
z8R}fS{2JuJ23ZRU`%&Q9cfo3o1YF$%2tkg5XKG1u@R&MkByaV5((k{aDBm3)W-~Jk
zE?|J_q?F-lCcr;_!8*_)rlUm2dB>2U(3g&9#AHq+gkLz3hx}yGdfipJgazF;o}>T#
zK=tJMbz=vTFcU@As<>jra5c!dPk-D~Ayyp86SErfYya%^@k}-wc06J^M}I09`ISI;
z=_(XBi#9X_z3h3tg+V>R^nb%aei1Y*4;!kI`h{r<TLUg3>gM^Vs31>XcfrA}&saqb
zG*JwVj^012&nOnO+Tp+8O@DMI=JlhPGTzGjn$>vSM(ybs=?c!N*Wa79?oeD#`SdKT
zG%KR>iI}?v@peaOQG>~OuV>)T3`&;z(Je85Mu|=xLYM~W3WnKP*mYM;N>b8<_pJG?
zk9mPf$}C%smxx>{0Xb%@2kGTDj@jbePWG9LPjbrV$F5IO0h=5})IUzh0uoKFHJmy1
zG6grfnI_h7$jzVbAHOcwl$w>g5(_4n03|-l4xFXx^l<j&5Dfx45N`LSH0MHom=n%t
z6Xj=Yx6bVdxv_y)Zz%|s#eP(-XLeWVoLW64en2@0s}$FTA6G&k52#IdeghD$wJ;Hz
zwnsr=u9GQoM`@9LU^#uBqyL~L%UD?o!!3?%ehS&#FD{;SQ%Cn4UR0r5;UIh^ZH)ob
z8er!&`(8;|tp6s$&Aj|=gBoT62A*q8)C)!-TJpWBE;}GfW|^+8{wCP-&$KkdM}5!U
z8B%r+P>&DJf`ic+8J8bV0%bm#Yt}JQ_nl##&77%TcTjIQeu<YJxJZTin12fRlBfJ~
z|GW<#B5-GX-_HrhvT?D7WadT*50(&3A`Kq%Vf&2X?`Jg(#a09uY%TY{x{d5IN2YJ)
z0F6-ZgsF@bi(N|mw(hbvgRQ-tQUYQAWQv^nvT~Pt7l#NYqJh@oXnGsm@}`}fY~CEm
z7!<iUarh9$<Z@k8vdic7U%Z%V9V0*=Uas4pdTWbEl;5tw(c{-BX+;JXv#rnS!DDsQ
zZ@g>9Y`!$eT`OjK%i!nE%62d9^RP3vv{o4_1!5vWQiM(S$0@Qf0>UMoM)old<%Ove
z^Y*2?-P?(m-2+vn9MJ6A{w|TRLqWyq->csz+*q=oLGI4&78Pd9O4$=P&uQT<RFSnp
zy5PUf9Fkb;xI3<jjjGs@6%2UHntRH%aW}i8vU@H(+fP0m9?k0A>k3*C)QK>&5&Q&-
zcPI6nz5X`%vSChw^JAHs<bcX^%vpyG$B$BZ0mPU7PT3;8Y;t|IH+yc1Auos}7LZ#8
zjnR!|Bre_PtA9=LKl>?i<Ua|%T9d?j<m$GDmaNB6yWjVu?aV`LOjYsTUUIlkZ3Q`u
zlG11DnZjjOBzcQmudSnu|Cyj`hB*l>%efV%*-uNTQrX(oh<FA12oAFZi2QI65PUYr
z@^Z+LBhJ7S0SG#VuGyk#|GjxxkN2g+RwVWRo!iVPKGxtIpwO#DoyZ^BH4dEHX=OqC
zr9>pyRT>w5Rc%I<zq?|ZL207xtv_(B6B$`F?PN^)-Mwn4MN!l5--#9`gfQ#`9kD_~
za=3+)DQg!4Ww6QnV$&opPi{`-2ohQg|J6h1PzEe?h*KWV&};RfjB*5>uDbaS9x
zB<sVcAdc(69+xo4KUoT49<YO*m4jOha7O$b7OL^zu+r+>Na{T=TW>V*cm!o**FE74
zI_-`65Cd_c_p>qN=uBNy#c@{0>Ut6vr6`4V`{S(ynwVoMyoP#AaZ3HufIA$$n^DNx
zCOzG44X^o~!F>V!YP`BJGBE<*On!y(M76B-V4eE5!Sd|{v#zl*E_|6=mE>9l=NkQX
zyKVga)RD;D20wK2&gQ{<e`xSATIq?X11qxEnynRJ5Z`tp_!!>Wrm{%De}uAT(-WA3
zx_(9BWB%!YH=qpjTjQ8^LNnTxsr|s$IvOn4UY{bwNMtoM?MG@MFkOVtE|e?F<3Mvm
zh{cy<ZbWIwIhJC`>^()tlRbQ8-%j6oo#~UNkMl`x210SH3GV}=Pfh5Ih2|3(-Zdmn
zTJf3Gc3?~YlNz|xezd=d7#TFuB&pS9qYZ-wH`ro@V~*X94AL|QtnZp{!-UsT@%r(x
zt$x4jz<vjs$wL%>3sa3D`hz8T%H&y>x9g8(<v;Tx<OL>r6)%1!;zVe*b`-$R35#|1
zQ5~9|-s#6BQ|=8_qtp;LBx~=I-?wwSq(%bFz>go}C$O^Cfwp$fOl}+uT-glQjc6UT
zq47(=Ury%+1D7dxrhCQbf5z<8zq+MSU|mP)^xM7b$VDxXe*;vDW<XO*un^MKRcA+!
zR^y<jQk7t{Y90l9QqZ4&$@U5?3zyKMJa&OLlaL6uH~&j@T}k4LCA&P^yMP4q_N7w0
z7<F0E2ed|;uAb~`;Z%Hb4C*1uYrV<rXW8l<0)_u|CSF-l9sX}PDAmTrw}U<#4M%nO
zEU_FBhyb*z>6DOyJYN~?bT?`zBmm9LI9RqClV<=0IS}5W8`$wK^lVMt0{&z2bG%xi
z`Mmw@?Y6#yT|hwmz-=e)?J!d{kG+h7i@3r!iaoreQ2)}fr;{GXIq#gX^!Q%i?*#g3
z(<nx@$rb`sZUeeBLsXH$h6qM~%hH0FVKRDse<$6MERR-9Y2xfsW-RjgSOjUKJ|s;Z
z!*nx%w>J9+v$7n=xwIDmua7Qdfx>hv8h4Arr0W|)e<d|TJ~N1d2izjjjERqUo_&u=
z#tRwPADqgLKmvM^UxwNA7nocngZ*qyS6mqpMf1>w7jz}Qko)~<yn3Wdy->lsyV;+{
z^{lCBXKMXzAz;vx326@2{%<Crc~^KJ%}WCUtMw=bQwyF1Fw+W2>)%#2-5js@`1-dM
zy76pOnJR0PdS8Dg{nSxhK+$9=B6Siao|>PZWp+)^M$z%?Ec$mdt7H#(${|Wpfc_AZ
zF6v5ZtPN6qjcavBi>3bO1}gIL0X7<0F<{wC7C?4S8h4ghhBb4cjZ@{f6`k_cB4%Ov
zT+Er#OzoWBQDO6zvR!xlNLzdbdsiLiu=%>F&wN8^yW+$^3`7CT4saCqfYt!WufSw}
zCse4+o|*-=W~NuuiE$@GJ>Hk8f+BDX=%z!$;3v4#`KMzGJ0M(R?Q6oEEENi-Y)(Bw
zPJ&BLWDI$Ua%nY<ZeoPAA?E_ny6jGc%uAi@K}FxgcOb%sZ~umZ6y!?08+Jbt66E%I
zz)7nGrCVHb+Hk_HML=W~8#W?LgJ0lNl|HGtP3K$7s}zk>0!y+ak|aF&d=5>AiQ7$(
zHLlkKB3w0?veCvPU0_Mtx~h}gYMnd>D-U6S1Pfsb%|4*KcC1G^F}st>RP_wvc)vkV
zSiLHp4;TP$ios_%P`K7)Vv3E(S~wU~42^J!wp1ag>tE!0osa!tR}BA`N45GUo0xcr
zj!bvHN^16ecswA9GZb<?e#<A!n`{aoFJZe{Ben#`ReWLEb}tF9S<e>Cf?SUycU-FA
zxIz1B7`UgC_)IfV%VT6^@m8<<e|-0ei9751_X<NhedtVFR_$`zH;sR$HT|!Bp0b51
zB<p)kThnDO1sSoNOATXuurv8)Gv5FS(cq*1goht`t@Jrot1Gbq$t<5c#bCX<?niF8
zib7`YYLrGBhlmPqB}-%d&_wh?z<fJB2y$9Ck^nV8%D)l)W!i9(gSAXi=~Y?`5tRC<
zJ4^6gHXN;1KliB}UX&jD#eT1d7zTzrtuZ9&3&v-h|K>?-^p1Y*$MpY9_)nY~7M2UK
zn4VlOmHN~+gl<mbD!;s6+-&o_&wd>@uvVpxhI0Cwy>gy1Zd^z24f+pAgj=p7FMdZv
zKo_^1Tmtn5Gr}VEu509xv1B**{>@vKMW$&E{>Z|WoNOX`LzfZx+=fgxqYZ9aO>!Hs
zeJu1+Ff!yPm3$MIuWrl2=uPp*OhU{1eS3XgX*chF;v@?fB}C@0m`*-?sQ-;4UC$%a
zg7=+?!-q+Pxoc4B{d9l)ep~Y9!s+v7c5>Ns52GA)OP0g6(++QY%VjvVJKCm2KT^Un
z#QXMOKfQn9kM-wIinZ;Z>&HPZz-e2%bruW!?m)|zq76>s*T+*jA%E&My>7u<;3hKL
z_oV}wNM12r+@k}t(uS^^5&W;vM@p`Zc8~kAt1|;KlN6{+aNe6`g!zd1vY~3vwaS!-
zn2}@*I5pf*jC@ze|A3{i>&+$VlmTx$peHiS&L9Z~Pnw#hlHssKr{VFWHvG6JyVOnf
z2VSmSc2|qmP-3EGG;qz9hdC_-(s$+*3%!4ZN%$3g)it9apOlv9$RTX<U7!17ud|kd
zl-TNZxCq+qZa)>2frmwSJ%UP}H%^>tpMtpOHIqGa=IMd#jxAwfwT^qz3~d3k))U<E
zh7*NrhLE$oO?q%1N*sGf`U=f*kSOJIm(P?m9q6kksW5f?6cE~dMf*5!H~8p>`1Ux(
zZHj@{-W6Ffu`sf^T>bnY{ND_S29l{e`rzg|$Hj$~9K{!2fAT@Jz}0Ar!K8Sux}wc^
z0BB)&v#q4PpH>aFJ-dG=V&v+L^IN?+^bcNEo3AfdVIg730Xk|&L`tvnfzurt?$bry
z-*I!4`wc_Tys@=qQ5SMRt(f4YXaPkk_V}UV>*LzjO(8yhyinjSqeBu%Uz_qzkl3uL
zy}{5a*U}U4?R${%OFo=t0`RmR_oHYYqwu&3@hh+@kIZi-)@0S**kCY?r&$f}UJWmk
z2-~Zg$lOpqrq<D+l>EF<c(2<A%i*fs<kjC8ue?CYS8%LRe_dCPs6=>gkRu+hlCm4}
z0@_0Qqr8vsY#>-)ADbg@SBCa{xCtbCzqekW@m75u@qbj4xa6+Pi1`Z22)41pjV9!}
z^tARygUoa{DkeWy61F=@ekQMtuK1A^;WXSm>HWW2fcww8QrlOfWbSU4wuHKgZGoDf
zSsaanwyS?J9Al#(X{JUpe_cA!BQGL9Jv!q-7yBkrWzLn9ZCQ|(L;f*dZibR@JmtZV
zaOx&YTpM`x!dh~%<5ezL*O9<d<CI@`c+X3Y#00{n_~E#kZjlyjvij-8I~IOt=Qjav
zB9(~_cND-xFAkWVOpO>O*;l=nC`oGFcP5rnEUP*OQ4_{<F1<)DH3r4vRkCB8@#>@k
zWm@gw8U?BCbh+;ha_|uh8e-%VoaqZ(cGXG({*Ji$`B3-MreP9ak&HHc@vGuLKB%E?
z-e_(LL%CSYt8{kzBNwC{kLLW_4rU(rdSw%I=It)dVW(eN+sWoZJQ4S`aWWnQilV-)
zJ8-6U-5EMKdZza4jqHBwSs?CN;o(KY!$Zk>pBVlJ-w~A@b_xKLXfN9m<gg0ig$OnJ
zg8!Mk1)&_}ZZ`TZlg0}{>dzA_^b;)@*9#;V60qHrzKVX3h|4h>{<pin`9bCf%s21D
zX`u%pI5^~Q9v+$=p%319N0hP#ByrHw1XAHH-VjGU4Vd=}UY@~H?bK!#Few8Vln?KC
z1f2-G4;IvKfOxKKtws|ky5wc5>_p={>DYU^=FPZg7g?FM1O)nOMNZ5G6Z(%DZqMVi
zNVivbkN%l_Ebr=MOj$f3RlZ(JICDoGtp~BkJK65Hcj`Hv>||AIZ0<Kx3ccL-aWzzk
zinpgZo!b@`&lxvub&?>G*FstfGHi6ug@pQg{eYo5dW983Q)pMl198+zm$;fd>0?M_
ztew~SCp3YAJ~?T^?NUlSI$P*_(rC<u)jqKL%oLdn+1RX}SyUJ|{B%%6D1Y`CH2R<R
z<8^kM(nf1XSZ}+ROZ|!PttY*+xCGYtQG@!a+Z-3>kyYTy&V&ka+TaL>z|GFxy1}gi
z=>5K|!Jfwq(!J72#1lC+Wz8NrQhWTnS?y;sxG{`a`PHw8vm*?v%eyJQW)~((@i02;
z^l5F{(y!(zkOp~vuRH1U%WIMmrcLaR<>_D|+tu!ds9)gv-;c%7-E0Aky;*UuyooSg
z)m3{ZhKd@Y2G$+)1;q1uP|;-?`Nz$@MlPaSvx@8dESg1X<{npVNKhyms9~%^Eac)?
z`MN)nocV6#BOO{to0lTBfL02`3rXgWA1tL~08`rn(NQoKC2=q22z&oUUA>#f7vCjq
zHSO0YX_`aMq<QT^Vt$_f;oOk6)K7|<q*|@8x=X};XIdr0^ivv9iUuMM4e15R76e(z
zUdm%ny+@na4OE*qJ+d4MKH(e&CyH~cX?ttmDpoWY6;`=5eQ%5%Gi?Qv(>5~t{LKiy
zltzgfU7Osj+3Os4a6y`NKVeJ4Q+P^p5+N$21%7T?&X!-4gawi_SE@uQ4nUfAJ;%K!
zhce2M=O>UT2!jiQM%nrE*)bM}d=yqo8jw?pl};<N7qs}xYu#1#58kn+>XOJ$SwKzI
zcYxXVC$#NziI$*+^OIg;qjsXZk#b>$*rv;hMQXE;Zu83MoEA6;NM2%tp^TU+(cg`c
z{ZojYbe7kZW~9E+Wlz?{!M4V&-oX&TF73HA60?JR1wO;iZQ-H`;~K2khEJ-!8fYD)
zjwgBV;~kmP*&3#^a4fYv{CwXLTE|YdJHg6?niqB3|C2Q`ISxesZnYnZmBGm=3~rX~
z3f1mQJKgbv#KJg(tiQV!rUyGgI^FKCV5awji9E~h__fmrVKYS_Ndt}KUXXh_GH0Y6
z7oLa_Pufr<9{zcP83jk`^k*{AqFo}^n?ld0W6M*<35NDQHQ6Ome@yXO$49d}7eGIJ
zY==pu5BcTW8m`kj$K!kHs|5hDma^EDWJXvM^I}4dGw>^H^XV{&w4PV%*<=(`-jPrs
z$4n-q^PLk=MqoSe6h|ekG<tGAZn|%H5$nOcRD08C*?vW%a^a9R?tT<Tm0%?|*%NmX
z)1P8z!)&bRR?Z>GPZ{Txg&d2*jLULU*R&{ZBSW5%iOrCWO3?c@4dw_{<BHapK;M(v
z8aVb?zxFQeR01H;3=nn)>;8pp{DZQOPdYoMD9iqfDl*Ddz++MA)Q)&TtFx>+msyao
zMDj1J5&TnF$I-SdGJUd*-n;~cW}_pfB$Y%_+8~WtBa(EDX_6}T>(pMiFqmBtN?c@z
zo5{S@SfVVY_tP1`hfPo_-*<6wzk1c`S|JO*L(bXM<?ozBMn0$mM1Px^p5sQ7Ul(d(
za)spX{<X-&jVy|osJ|JI{%O+u%Zws}o!67SKOu>2WK>g54qJ=)uHG~w?Nkm<_-cTJ
ztiuE&9w|TntDkuTtew{1wm`4du8?@5O~Mizmuu%3EUP`B5O)tSkRXd2#;LQW!V+T&
z3GYkm<ZP0Q@FQysU~uput=>)lIMpQ#8lpszVP$qG(puXitT5Wlsd&en>)nt!p_{J5
z(;+Mu>?tfnynE3NY0Ku$^)ARv0d?{G%dOE5p&T$#b#^vqr|JEB@nQMdwMyskV3oGA
zG)EeMWa^S5p*D1bXFxni$rk`M6@i$<cD9BBU!paK&8!%@HgfRf&2{1Pd;KjU=8qr?
z%k58FJZA{7*qE}x)&|JYDX<sw1z3$0<F&?wJ9{ZqOp1=V0bQ_DtO-;Y@m%xJ&CRUc
zynsz<hT=v$Y5Io?hC(V{HxcTD8G;-YZ%B?whwuD<|HtcZB`Rg&$ze;6h&aAzP!nJ-
zjTPzU7<yHvr9+^5ITm2zCB{67`MF81uIqXGVMgF8{`&H{uq_)?<WUPLTA%g-tgttl
zppFr6YfHwRHRPtepl)~|kw{$u%9$UEw^pFcojLBv-HUgM7GAqGwljyUVTMV6VVOOv
zS2bdQsTR}F8f~Vk?O9c(F}q$!JAF5Dg`a)O&p~qa96ZjU4hsSj5cDR?A36STrLH67
zsAo=sDs|8@sk|I>1yPZQfDoewQh|tfbxyQb{Q!5}fs^~>ij}n-_6yaJs8MS<WuxKa
zB9Rg_@b%ym$)Jl|w^C1ib7(UPxoyy;J~yzmLsU>Hw3M5(p|Cor;s?>T1ECQ#W&|wU
zGvJE{n?N1uo2GetO!$$mH|2A&N{7kKDb&bFa6?jw!@Bb3cJdH6brGig8XSxA$=QW&
zB>us$#Edu2Fv0t~Hws#9MPbX3xHBnKIMo9BI!qq$WJ6mR2?$8bVX3aRlGdkI>Wp=*
z#d>on$tz_-!{E9b_^H$}nnc$yL}^C^bhJY<3K!#KqEMld#f<wL@2{jd8-#vyh%G(F
zp|1zDwzyy_6xP_J%9xiu<ZRIU$X<p01*21uCVK+9bP}+|zd0(w9u5PjWZM0i(!9}G
z<s+)N1a1UG%W8*^(}=qd4zMcz@tYUpnQR}nmkCAC`1Pw~6J35XfRel<xN0wNSfl(g
zO<&S$N}~ZlBkRx*LJ>`GI!yCwfG+45<s)m!w<^>hd5IAB5W|s>ovmP?hJ{@)x+k|*
z@hNaIG94<B`Y?@pJ)I#OcGCwfab=0Ga@hZ==`ml>tg+b@iNxU{zG~0z*ol&62v4f?
zybojkG52*MfpmI5M~*4wWA4`4z$FfsmtdrT;v;M5HT2Jt)>3P7qH3rB!VpReh#BIs
zCTVt$tLTKpyTUfWa&Mf^l0A?==I3oj3BI)ME=IDnwcrYtkb)-*vtdh^xLJY<$GJzP
zcW;6!pDw%Q%b0a_8vj7#2VdrU7-OX7AF~ma?QJaGe5n(uXd+*j$tflevfW+2PKdlb
zVQPm%cyWk~H@60~TY2yTTl+d>4rxeai;a#H2jKc<r`cYi-5}(U`Q&FqKQFMUC-@VV
zvbj4=qAsU+--^5-s+f@rM?L|K6Y<4Cv2y2F8SDku$Jfh#YCt7R#-0Chm@IEGrZN(5
z4Jcpb(k)RH#b_l^Q$pjTS8ds0=L1v8WZ+qqGg3t9Lf5l$o0@B8zmv$xp~MkPA^<v!
zawq8J1&XOjB}mJ_6CR*Xkx@IyG5bf{$&cE%M2+KTr_9*w7O|UI9_Jo&I{>$gA8GEq
z;;_+KlF8ywQQ9!n{u{sitdQPlV|#dfniUh12rmtKE;Pld0SpOdsXhXK*)MGgCA!k8
zXM)rd2MVr?N?S?Kq9j#d;wb}E9#yzF$m*>U)lq8xP(MDN(-{s1B{Y?-ji$9MHrU9n
z9u4G9>>~^F35@h4Q6ejue~1i|Lwl&MH65L30Eb?fWQys`pkTPT)Ci1}$I+$L(B9PW
zmm%}%ZW5YHy8TcQ9*{SPmH;GArS>wfB8r7S1_+2kJd00hw4c=sE@hpYMTYNo-RoB=
zba7LPnb(NAnihR+?5<S_GP4*TYYju6kw1##d`9XZC&X5#Sc|sME_z9e5hAOEdYg}I
z+hkY@zf#c_G$1lFW+@I_{DQU#_rh)|6ldX{H1%J%O<41eN@#p@8FYz-*2&S(e!s)T
z#l#HAQ-r6`WVU6@;aq4dhu?e^v>_L^dk;yJi61%*uelEg)idw>@p19^ld`X5T&h_V
zIct7W_YGI0IBGFL8yhy|ty9B~SKlSFhmfNo)n;rJox`r!=FT+SpX43zrGUP{Mf1mn
zUGO|1Io}i&>2ma5+Ok7dqca=E;^Vb*NMWfNK27qY!}$t6!@vNwEX7Xal&>03X$G+%
zso7gTYeqJ3XRCv|?{HC6PX3U#Lcws^>t5OU-W3yIUEy`J@(+h|X*#!1Sid||mbb#~
zk3vjgDVBL7Z2ymeV6U`#8_n-VioNAQ;{0aLe-sROc@&~MZ1Id&3`geHzfGC2d(z}$
zL)B3wDX^Q&TIFNHx$engocG>?*N^WiySdfW_C`cqkx!~RS`^fTwxJd&Fz1aU`{r)2
z(#q7l&Hy<oaEXnhbEBEr4^5C?SqC5e%-0W>TLS4@sL~!vx$@3Xxv1BCKq~d6Y+93#
zPU`?Ts(8ygrxXzo4^)#-n39C2e=*wrmI_*)b9XN}A)CYjXOOlk=r@K-Dmqp$lC));
zih6d21ftHmxmAA}^RpF99c13Uo0=BHbk<M#nNR$Akm0kq?%#0NVY=>tLhZg<74?In
zk~L9>l;C%`r5t!FsN2`NTSf(|U=j<p>g%aw?;RO(Ai#78-+s-fLg+WHKe)0;eyNjs
z6_!qYyO6{L0XDQ1Pz~`r(3Lzkhq`uq#1bX;vj>?Wb<uP+`t5O;vN^e10K;zG8e{N`
zNRer#sa{X<tfXCIR*U3i7R^Jcmg=KSWWPujvT$$1SF13KfrDvmY2~5znFO&<Yx+V}
zI(x<S{h`~f&a|>7h7g3{$hwhoHw2{|#b2NdBurt)kR<uORe4!qA$(CDCQk>(gC1Ww
zN6<E#V#H`D5&94pf5x2m!5v0em?my($I~ffF+{BKL9ekwma4!6|C13JgDS5V`EcGA
zf#kd*>5AdBf2W*P7mZ?vFbpjfy2`JgX+|V_b19rtD9pKmC7x2RvJ4jJv1d9Zp`&J$
z*iCNDj8oApXo*T$e!D-}@6Q>sJc*AxoL#IlBMabX+Bcb9c3l(k0!1Q9^aby9aP)Z;
zg@b7m`DfEVCPs8IAa@U8@xT2!3-}AiUS)K0bY@&VTr(Cz$?z_XDVpt}=LjjT*AwGs
zeEf+9Pt9N9SGC_XhrwFOtEC7ZL;1bf#*uo@203?-d>K~SnK&8O888>|NwmE$rpUvj
zT&s+BkDjbfOHt6NlVB6lqp0LHlKE8ZF?+o|ewdXOXlV04&3a|ddPLh#_w6Q^13Z-0
zy;8pf0^NSaqblv((!Zl;igT&G^xs?T-so#Er0ag^t7GeAYpx@9f=h#hMTXnjeIzYs
z0bA^C8dg`g7yK~I?Z2Ze-5%b)V_;mi?T+Va8C{m&Wt0S$Qg-xpsTVApVzg60b)*B4
z9D=karYy-YjjAEn_-<}QnfpV@<K~&a1cbrYQ|o4E@Gd3>DZj8|E_9F?DQ!&VU2_Ou
zNV;CM$nr??esk{cw2u<$ZXAxDY5gL7t$nU8<>9#<JMGX%L<+Nkt``b*0o#xUo7${g
zaFiXai|QwN81Y~nJ%g)i(4c=xX!IET+@hNK7l{tvyx%ZC&vG6J(}L}7Ow`p0G({h>
zGn33B0V1p0{XZ)U#}bDwix&lZdVY?mT{%dmmtXDvLlS?vE!EDDIfVBn_Vf1tEU;c#
zhS+vEx%mO3{_gL%QGi=pw1!eC|IQ(Zh){PE9n<^9=%_2?1E^ue%O>5Jq-*3mXRLa{
z(?l3e?$$;OElbD{dx7X-%R0Od@#7IX3wy#Ow39yWmt1djt%J>Obmf`jdecH|5Pkuk
z$rfr>%xL+J2OTeV#^CY@@ZtP}bjL_N0BM+}vAa4*2xPl5r}wJuhV4gcp_g=t*tjz^
z_E}p|o|moU)mN02t(1;deTpX4;@}~Cg+4Jk{(MYZw2D#6M<xlYZtr>jZ8fT3bc05c
zqoV(03qi><-mS|jD7W4m`W8eAN2EWo+Ef-3%Y>8sbO`5^?euO7WdSMRmAwe9FHICw
z(u<{fH~NfFN0Us9=S!7f<*8)9*{NsBjf>Wo`ay?YK5*}~o-Y{nI=oQmPq-x2;NMi&
z|A-SNdEf=OMBXPLd!9x!O~+lNX3kw}h|okS9==P#P;W3QRdYw%tcf!sItq=iakk)%
z1IP+?wd6W&Ey`uQ-J|Vwm>{Mq>oFp-=uYhfyM6BRvP9qH)Llg1gL_~y(cL_cebHZB
z%;y#Hf5SZTp<FSKeAZrceaqzE@cbf~N(beK_c=V4liz<Fenq{{A^NnFi?itG1Wu$-
z5Y!LxL)sm5Xq_5+{D6;K`ZU^2LVQ6yNF(oOA&&*VFbMGt%TqjZAHmXfeWKs~y{<HN
z1-Q(EEYm!$Zh`(N7r_IG{d~QM&}wpo94DJ3I5j!JDD{l&@BNKAJeDW!9=fhvlc42+
ztNHY_9-i7zuzSBQoH3grqvR@X;2HX$gnIpVR@i;e+(ABqOt39vBr1#6$&vvS1k|I>
zRvRyeCCek*4Q>?Q*9bmjAlnXfW@9A6^HeY(khva!%P}~OrU0?8r>5R6<|w{n<_Kq2
ztE^rpbvs~TkoHKr4xlruF|h2_I-_wyoiHn78B4*saZ$JX0G~TwZN!+U;eGLq>{$s7
zkAO`1+<vDfCB+Sw7DjuFD(UDRy9Vya*VNC)Gx;Y1`F@Qf{cin*2f!(FRY`c85YcMI
z*FHpfIxb-m8C%!%c8>jWU1c~iEXz>Q&6_NfnKTy(Z8DSmrd|<L5Xd>0F->>Wxo3X!
zv|RiV&Tc)Z${4etXCTK3ek{m~ZPaeo55%7DOE)~63-gYnwxv7<DXZ}Y3AdE+7Fd>x
zJK?p{?#J#oXy1OQRLtXqRk9rq536~G->uk4{unRuTMwJwa9LH=hiTj}o_(UBU%jax
zQl>JfZtL`KP?R*eBB(v2Xf*yxyCTOO!b>j}(0v-fSx|u#)Q>2N$0n5!@`%2jk18^Q
z5$OF;u_XttRHJsF0`&7C=6a>RU&W8^ke7WpVqy+%9+GhX8;1bgHF}l@8kt5o!jl)F
zJ3ySrVEj2obtDT2!<9yPU1_A)sRMedR|gG=<aAaq8HEk3++b%z$X!#Y5qiDu;fshE
zb2%TcuVKQKhgG?dYS%|v?nF~teCikzBQ9^Y&vn`jEnH#A0&sWd&Db=iiiT?I9K?Uc
zR(^uP>x27vOfq(})PvCRcTPs8%HVWY-j~4=W^B7gjUadyA;qi|lFggfH^WrHm@Vk%
zL;zYp^4tugXQO!fm!v>MEJOl1r^YZ@)Hpjt>Xf%}YVSrj#mAj}+=rfftir=eG^taS
z+(LKZrIkljHL>DHN8(~dJslY`>dPrpi=)9`8*fERdgA4CY*0z!=VmiT#1uH3bn(8Q
zb$s>gln~4}qad9A`Gpuu-Iy_j8=rK_g`VZx`+2(ppR<G3HmZyc%~to?qsc=pXcA#9
zx9G2KSFgPfmw<{^$TfH7$HxlqVOE@%X2s*XDsIEP3hiFWsa+0*Dd1}FZ`X8wMz$ye
z{g55{vP!(PGu<IYow9^GY?vD|>H$9CI2&&wC1K7qc7g+iSY^wEtYUFa13R2(Z_p;Q
zVzj#Zej)Z|O`yo@u!2SA-d5Sp)`ADrfGaDhQ3Z1^!-#?3fL_W|F40+Efg~nd5g0Ts
z9At6$4FB}3FpqiW!HAnl75NjUGco>g0!@u>;(U;{!;y_QyRcP6`s!QinLojR33T${
zmcEI*)5gYie(k)Z;^y9lrh_>o-kpZUZzTj`MqY4uEfZ%}ij^&x^EF|iyv(`5v^=f&
zV!(l7g&YY_7$DC%8!oM>lq>6eXz*#OPN#Ej)c;{p`SC~BcanKFWEb#~zYwS=esE}y
zpE1?j`%iuppNn|Oh#`Gc$TH*Y?kI-vD<Ejy22vl+xY88hiCbZ#Ct;Sv795bbavumZ
zOTJA@TF~J0z8|+ewY9u_Qs@wV*8m+;y<0cS;Ja+FqR%!u8He!5=z3)zITUyQj#(<2
zXGzFLzPD+16^?bj$rHD12gy=i-h$ClE=Hzc!#Fs(Wk}wC(k1ib?C&It*}bKEnOZ)x
z9>2{|n5Q6K8r!F=oshfWy*Yxu_7lIooCz1W#KK)NAML_1h7<zDA{doQcl;F$A71+b
zZ+|L<O%Y;+ywV!I4G}UOcU;%#I(My*?oM`D-wz(9({K-DTxAOB*oj%j+-*=NARLFD
zW(`VEFsyT@T>sHNEg@;0P1oA@PEO;i13V7*-n*XICZ^J$iTL$InoCJfWwaS^Pso=B
z;woYV+_{p`DoG-w@IF3Y@u=%wX19>4564Hb(>itW3~l`@OoqAeJ6fe7R<e<TQYI`!
zN@&JqN7Y?H*aS(5ME*`w;Bxs4vp2#jmBvoo$U-S|XC5D~d7XNBLN=Li2c4Kr4;nr|
zUmDDH3p(a>75XA*Ij0SypwB#iWvozgfo-|rp4x1jiIO}D6Y@DgAw*nO{#?qeMVA$a
zu0N$`23?q?`O{O&Jqt35DbXr3KP`g(jKzyI%~ed79J=-dY7;RXw6;un#?d^Ay!z$l
zLa|c<@V3`hCk_uA);risIz%@-iQ;RWc3uy-7PdwtKbbaM4G$W2`BlLUHmxieOwVU!
z+0_04XYe>z`38|)bxwZcRGe`*ibRRs=&TBp>$RIkiL0`_UZ)i5a_xfC<k8jGg_OrC
zzLQFIH)|W)POuP~_1<1U1Kwtnb>*Mi{Slf>kUuXrk%iG{R|xuG6Yyc<L+?{n^nVM2
zs_#~2WqP}cV=;HeN+?lgYK_~5)zNg4z-->HJ3dF6$EC%4-YyaJi__ild)umG#aBCI
zt7oU%=z8~refW7+lAi8%v`MbJxHAYE^mBIkb?JAzY0+9=T^*Ejkz(&q-3EEge^X7u
z0b6HZ#XHxCOlF*6@Q0bs>tIz9$*(S`jr>i$>Fof09)h|Y`lLThquf9b$Qv@#l?)8Y
z_I_%5*gIB!OD!sB6z|QyHPe;|NpS|QI5V{NL=q~Sd;gPQamqP=51Do2n4M|M*Ui;T
zP17H913Ei|b9aV=4gG*7@Suh=6mQ^n50WfA&Hd8f7F|k2Mrnywhm#ISd1ukrpm)c#
z@C3n}8>tSqdNpr*5^gsE*iiCjqx!65F@HTMv!LDHSZx-$@_Q7M_VijI2&7GtrK6(D
z9y}g|Yd?Wb0s!9?-3a2HY>OCnMr>MDPn#ibQ%tAI915?%eSVgM!bZKymzU#wiz<6`
zR%nbRy3&5sUd1{&F&PH}+536(g6jlcTzhD2nw#12iTGF}cog&S;Imht<FG%$ee0Fa
zpS%L(Qc6=01l)_l<$1(VfG~{>jKQ~Ftq?b`UqAyO;z05X2N{Cuq1)cW3g0@(Vd<5}
z3{URBk=o<ZB{!*_w%59By~6Z&!3@gM6B!wp4bN$#`0IflrGjzd6l%vF-#~%&G_9=w
zaY~653E@2uD`5Ig${Qj>27w}r)&|#ZZ%%wZv&E&-h>>V~IeTRm?&OTJ(FIhq>^=!a
z>*xjg>OUx?j9GVi{!a6XNBd2LJEbX{+g+N`vi2deDJnJahn78NKx@tq{eI7^GyV6@
z`L{pd)zuVTk*6HB{b^zv)^keramKx0T;@n3)h8dYW8f9yUn+$kYo0(I$s`Z*cK0P=
zT6A-AoYG4Da@1kg<>em1v8f6`lJiHsuc|eD=#UHATHhAH4nbuCk1_ZyTYXoio##L5
zFwO2FGyzZ;{QMZ7Q_U#1+ENfB+3fY2d#EN3(Ph4)YFoiNy16rV$pT?=YWnId?OE9*
z<+b=+F&VnQ&4O4ZKTAn?rI&TAq^ZlNN)APcC%7Cw5x<efrP*x!+Sp&H1<1GMup2!X
zg9%JCamSlP8SH)^`MRJAJZ>P8w#H`Lva@Dde5aBIe-C@z1(;zKw5zXV2GlCJRfiw?
z;7xfr654I>4C9=HNm7(2O=Rk%h63a%8m!``!1}##&?otlFZlO*fnhag1Rc*DlKHJY
zYr~lqV#xGa!O>raIGqLa@v=5sqw3iequoekQFEhaS1B{+i$4miFT<^NFh?vqFg7ro
z%3|;_fLz%=*)WG2GMHVD&(gugNspN;ZZKyk+67fvKkRx&o$P=A{;H}KS=0{~K0wS*
zFwFVo^IpxAD0dYypzNpP$0KH1?<)vG*r=v`!_Yf}NH@4da^WHlEdb>lf;Bg*k@$GE
zC3OnXsZu=gTiQy4g2Xf(<gO=3M?>~Y`}1b1)5f@9O$S9s(zec+CBAQc?+HJkrVuCW
z+Y6#m?Mi%kQ-42%4V5@LQHhAoGlR+Q^G0KHQTmxsvulN{`$U80+J^Q2Y5^RF;pi76
zBp@?T{L$$l8LJ@<NP{Pf{?eDSYEPW}GgQd}D(lhuZ&FhI)rks(3PbMvwZ$jLN*u!Z
z<gx=U^<A5w%md-nX5S+i>Q(@`7<JMoYXDdso_^smL{3^elX02d;B0(96oGsx_2^4N
z2|u3vdRKDFbY2Fx{z+KGs9bTW#0|fBmyx%Y_LzOj6ajLqH8Kj4sJXQU=U+~b8$An?
z-8#^FZcoS3sE(-u4||@RMi1jBM(ol)WVeml^6yGlayit-gb-Kir%efxSAmVL&KIo}
z<mqXF@`0J6<akKSIJU{T>sE#-IIvgKCUf{5BtLhFKa2DEz`4Hf$(jxGy>%OF=ef1x
zg7$H7i>D1=jn!;XcKYnWUu3w~2eoLoE7g%j(<g4SaXC>Oyvc(HP4#}|Y19{_6%53A
zNSxhYE$>mx`2yIdpFpNEuD4+y9?s!awfIH)^%o_~^DCm<b|f^+-bPLS!n!VK2msG_
z5!diGjehsAT{57n9G^_xl=4VNP`fYHB3!Qw;<U!xb|&Dc>6sphNhdCE;Zx_Ztu$69
z!`&xO(fLg8|GjQ^=z4>~T=}#9Tz7!1)@n8SL6O1By1_CU5*B<p111Sm883$^<jkH$
z);8|9)kn6aDB0;W5(Nw=F%iGfLa{fPiF7rGv~#-Cf0u6!Z~GYzX@4y94hVNlZ_DA9
zlP4Lzy=+H9c)dILi2OO%zaT93EZE!?7R!VL#Cf|n@yG3C7$j@-xcMQ>@g_yO(#FQ!
zEYq93WdCr16cohsCOFWeOmqE=)AJX|#hChN)#aI9GJG5&_4YkXq>D{~q4;(t7qRED
z@6XYLvjk<zk}7uOgez@E)wr_paegb$)P%*yo;!P?+4Q)Q4B!U0ocO#iQ<w>~(fH1}
zo>Eq`IO**PjtS;p(&%;Up0sy)@OIA<IN!{Kfsxqnp`9innNC(CS)jB%EQvnHS;yin
z-vyNnNgcE4_F>zpxMX4&NIo**SXeQjyMZ>IJS{+m+<29wDrgki`=-Pgo!RAW84m2J
zs&K~1i9d<y&xc@j-Fu3J+1$KnXRY?sXD2`b?b)KNJHM&WG~$Oe_7G4MTY=DKQXjav
zDg(m(dbrbTUmONTm}oyhwm4x_arN83&07Qf7}Z0Mo8Zp%c3+o8rqWT)!TmJ28t7@H
z(Fal;)xr6!%rZ1@$5p!eAKiGcPbcBpGKcPKm7fHAt3y*fsNHPuz2a$~dLNAT=Twm2
zb-{Q><ZW$1lHwNAG>4p|9cOq{JZQM@o;18D`q9e?9wR+`g_Rg|t(<3YP#A~tp@o^@
z2y{mDPMX36j$WP6e4Q}kfVJ@+dD97RbvM3uHvOJFGWdm_IIp-RJU<$p=YavXeh+Cq
z^$r;ERW^O)W9D4JKq<=HMOG%HcyaRMmTg>qB2ZbEYgIUp(p|#D$@`acH&%wymU*UD
zrv49GwjDu<l=jj%gMjxmJ$DyLV$7v(>i(t+s(Um?@)TacU_moSU*-tC9bsXWW4JMI
z&BePy%2>G}q4K;)^4@@IWaBG>^kT@uyHlDypa!+Rgneovl%DB~3i4e!;II54w@44)
z(7H7&|Gcnq2ZOE}nd#(!yf%-tJPLj%wVBX{RQ({$Iw*(CQ6D!<aOA%mJHh>xssCA#
z9~S2LeQ%5VHt%Vb!3Gu&PD9A6E=h$2)m$GpMU3~p#$l(WMIZW-^8E;wP+)LeNX6eb
zgEz7(KV(U)$L-9Fhc%NwRCXSP;s<s+DY^YQRBO=BQL%fQ(7Z0UTr6RB>a3XOW$x=~
z16<5px=EXYSg%-!ic?Oho#xM$D`Sn>8k}ZHKji@tP*?DLg2k`AZl7OhGpJ^tJ!{KB
zf`WKhVE*xP0dTZ@&G8TCNzZ~tc(T`e;`f_nZ&YJKsTKuaQ*$bl^{q%y1*Fs}eP{vk
zB(ROaOK`~hP9FUpT!a7qGQ$63gyYMGa!<1x#eG#}o=Xk`wh?vvo~A<`ex7CH8t~Sc
zRpp{xu_S-d@B~zQr9UxIvK9j9M^TftlKK}hNwM$t*L(LXZ!Phu6tCicmvFl`6>I=`
zS@AlmC>Y>keEQ7(+{M8zKeJEMY_^qXknT?0#=0MG=V@KvujeyN-|AYkeiuBvg-plz
zy4WqEY{nblo(qajBwcy1VbAWmj%{@JggP))C{VdKY)a3aksl|3up5hrXs?LL_S(^W
zWG%G195bGImtD3?I`p8<y`|vq+XH`DDI+$LmXhQdj8G`}y8j4HySw8^Rgb5MFwoYz
z={x%Iee%dLDX;uPNM3QM;N@KkGXk7(*h&M+jqdu;l<8dtys_`|IQid`;&d7-sn@B$
zt?RwGj`3J@N?ysv3e!oi`TU4>SN1(3WbC##(VAI4Jk0BCq|}+?U!(XEmz0)d5jAbS
z=4ftf{u5{VLpVWPnm^u+xV{d3X_BTaOqe*OUSK@QRu-yGnmM6fBpk1jR?cuXn|YO5
zt9jVA{X9|nA~;0kgy1#k{=Q|}y6dtI?w}TOB*+_$-F6tgN&@>xHYLq6mGr-o67=fO
zI)9$WVPgnAxET=R2G_d^z<k|2d-eT7poHfb6Vc00k^9trXPfo!<3Da6(dgA%;Q7Y=
zpCtjI2Hn1Votn;JLG%1%0WBF4QCFLhCkKCyyE31OJr4!o;q|7}Ur7gv!m|@)F*wSI
zKsj4saf!7ijie!_B?M}j8LiIObf-h(rae%Mqp<MI%;)pgT1b}r^0%vbzC2>3_=(e1
z^qCM6q5^>ZO#u;ZM3Zt4U-gyCdc>Cle%{iX$o??6eP4IkI*KmGh?vTODn<cb=(k4|
zw9g-o0p4z^{q1zq<<VU}J)Chk1e8HG<{qhY*nxIed~mTeQX95I<9?kJdd(L8LTKpr
z85Z)T-GZZ|VVKdwnigv#)meobE!-T|yfKy$(GQB?mkZA|0#YsD^FIEjpEotaauZCu
zj|~6e{Msxi)HFd>NxH;)GZ2kqK6$}CDrgj|tCv+7@Y_5I@Uh}rGq=3MQuEG+g*-A^
z-v$YBDomQs&ADLW&YwrF4vI`LQ`&>A!9ih#cv}>mnUkZtkt%nRrat^E`G#42(M$%C
zUTmIR!VF^l+C`#n&+6=irGF~Rzv+%w9YJyGPRTK+QNhvhwv&o{e0O(H`)USg;1ED%
zu3v8Jn3mr&GCcr8nn|?T#N}P`Dafe^dx<)Ya}1aE0?9Egc$RMZF}=$;;wXP&CwyY8
zjFNOzbHrSKyqmY)LM}1JS+-4*aWY3!hp)WK852b?JlN3?{yD(lq~nuv+{c<`gc8Gk
z0*29ajdj6|R5qm*3rY?tQ6u_zw;nYNG3$@11(^poW)7`W<GP%^0Z-hXe;s%Me+6BM
z1v8HRv?GTEiW$XZ-P#2<G2fYr$!UUr6ccPlxm6qX@0_;-p5tgwj;D5A*VbAXred?G
zH1;x&nl3V>gcx@Ac!rwK-l!1nNM*_8>h_Q51)U;{y}tfdJqWRRvM@{;b+F#<|5Dq-
z9a)fWzfHV*DL7f`$1)jcA<xSH*VkBZmlCeBkZE*r7L5aUakY+i2=A)4i&nihAAe|1
zAk=i%6>)hq80qZ%5n1KkG~RG)=gwfV?fLFz0W`w~7};M8nt_VVQ3S7p;MkR-WJt@b
zCSlnX(-{$IKkfch++oBUEsh2B{wT?_U*6dgWL&MUjs~}dmJqaMdrnN$C^gqB0(YCm
zL>{Q6x%LireJaDHi5qW307%AuZt1Ne_`{%-$7S<dfPv8Krz~6j=-5gN4uRS(enlVa
z)FT*?w;LiQ4L+90?;N-q?8s57Uum)3op0<jO++?hOb2wx%FXxxI<q%S41qA9$5ZTv
z#?l8w-<pEJZ4*!2rldY)Z-m;>rn<;6jQAZ97Omj(sMjVhD;opi9oC*T!ylxRP4HpF
zUp~h&tUnBzxI5QVDfz{Ok@-5A$`NDK8zDXh{#v9_)4CjCWA=Zw=Y@+MDWi7-ui~BB
zRzXs~9pkbIXuptzNos{;ZTD_`FbE9`l^^)BD_y}P^hdKzVGy~HJ;YFX6y&B#>T<KS
zg^}z3n<#8>B#q2|=P2uo#!$mIVAEGI?(k5fFRvW9&U=c1CNGy9<xL|-g5QDXze)&J
z))=7SzjD;hbEod|J`3_~5z(D{-1KfXXQLolg?2(mTjKaPw+8VlqkXzwQbKxoN=-d8
zK0gZ`ce?Yq*}&MPT<a-IB-^NWcXUMGS=#S@F>?~k2voL{`uPsLN7QFJ60!AmBp(m(
zJ_F>K6TCQPIN94CMx7B_dGr_>MOt022N}Iws^V2R*3~hN@wPU(E(RWVl~$PRg_!vN
znK>(ks{=$Wp<s~eugEHm1!=Tk-SQ)})lRqNxvaY<rN!P|PxULS^H<aB0(O2geTnL_
zil4A6LJGv$^O*P|jQYajJtA$=kq>@JaC~!a%c?5a_Zs&Fm(Y^7+xB-2=S3`_Xz)pD
z26a^w;%2oKo<M`(G_p^lT>Q!PGCP`~rg5PDo(?oE1>01jEb1O*t@zwu)gvz!@TL}<
zb18vjGiT<x(n1%D;p-zR5WRJ^u`Fzr(u+MPQZ>Uwxc~Tw6cf-!WKV2GQTYN*!;`w%
zku?m_o3uk#SJh{pjyML4=~(pONgTt16<Pu+80Hkk_HVIXyWE?yezm3lFi;~qN<f*m
zH&FMG*nmQh8O~<h+h9R1c~}G+$GXFt7W3>K&MPr*^c3LM+WE7@F)`(80e?8b)smiw
zaVio{y!b*=L(Xj~bMG3<PH9iX6IwN*IT{ssJ`Tap^<OJAoXKNg$UQ6gjljimtD`OQ
zYO^Icl%Hp+wq^@VEc)XN0LL0fv1V^?WY|BLg*%6Si*X|WY7Rik?7zD6yzcZPDeD-%
z355@ETT#c=3LC@bG9zgI=Y7v-LHU+JAkD7@%7_yL`UmiKm^Sn@XZLovop2BQ{6G&U
zV|f?jDn)~2`?l~fKYJqJda;%Ddj64u+J2+4=a<ukuIxA1u;dE7VeDey?~^7CTx_sj
zX@~g><P7hakhz9k5ZCqU=}GTC$x?5qkuahv&^97soFgym^97X<_>yK%FQp<r?CQdJ
zDs^}zF87NncToKY$mk!k&m$pwzex9NQzGM|uFmy`?pi9mx06BGIg7#wxzBA;NUsdk
z_UDF1)4Wc0G(xk#0wV-Ab9Pp)jE@$+63R8yn@iCMYHOu!`P3TF9(znhSi?vi&6b<y
zzSd>cTR^pH99?F82ihnMHeH>3nWZYVu|OKZsZ%B*O(V%$k6mFXB*MKSCfZwi^@}dX
z&TbfTu&V$%D||lut#T!cAARWUu>FZFmr!a6WkXr;V>_-ZBZS`zNZmJ!^0VkO(FL%T
zR?lkz));dquB%aV_UqgQ_F~+8&W_plaWToCPN8apvUHLg{j^||v^4sE<ayl29P#@z
z^p8)<vD{k8PiM>a^`C~AYO^BOchNkwi#Itn0W_R-rLhprT~g+QCu9vV$S;e;d1~E?
zt6VJqgiKpe9XDd#2!g%Of!Ua(Y3b2-9Tz~uJ!{9=;C;2PW;AkKZPrmhCVDHE%s-U1
zkqpLKjbj!b9NszhVsu%&YLPRT&F;v0^cCS>)jZrrK%<%Pm*{ibKXqsiywI=zBES$o
zbaQ-U&iN{|#O~-Q6P%7$Us?-?kQsX3Sv~?O^RC-AU!VKPG_TYke-55f0Q&QvE1ZE@
zdr-e&e}1K?ii}fiY!C4VpWMxFf^>9FN{Z(v2Y#@6XtB6!wAFnbIKyTCx)KHIG*+Su
z{?g6iy>zg;MlCZ_gwH6RYor{}>>$Qdg*^Y4t<l+rg4R=mp!?tf@yQC0P;qf@^^wa5
zb?BIM>@&}4<>vV+J&>q_B^bRKUk(3b$Dcr`R63eT!f@tYy`s{_^^*U#CO%cB!GMA1
zl8*5(F7=$FlULDfYz5?N!JK<F29xFCTdSGeLM1mN|CL1N^>Z+1e%};wwx(geg<$p3
zrITi4_h&@uiSVbACoO}4)SeE^=FcNz*;IM|%r1R@^TlIakN-o(2Aa=)866sV!h!O1
zVCt-)l2lXLV<0i&jluxLGK_}U4uBgOwl;~Zoh6}=aJhZjEj5B$q<ZWmpDff_hqV#m
zMmJ(3>}Pi7#<8DcsqtfMzv)R1qW;Bwwlz4W!gfbTTm=meXIwVZY7Cn%(@N%j{aRAm
z+jrt7ZlhQ-)SNqLYHnK@r#1NkFgnO$mw6+kkjyk7UNvOQ;^qtBpB$bc?*5E8SXj^x
z^Q}?tk0!sZ?Z3MGEhUX0>#d}7EX$0&jkIwB8!7E@>b2`1!Hw6Da1Jh|`5`hA4FUok
zf{&IZS|lLRDdpqJ@9p_tEdYd8KG8mSkmJx4Zay4cQXDGdTit`-abwWfyMc}vyDT;G
z9z%?zI90-eT#-A)k0C8}2EU2?plwzSqurvC2`P`_q|?29>;A-flqkb3@-$9`Sc)|k
zLjsYj^Z7r;pg91G;f(8xdnPBS5gQTKQjN||2S&G7K$h(rT}tl3AE0m`%)j#BxUT+R
zg>tB*a_n4H=<s9btGK&IF}p-jT#7^%4SSihEd3`Cf~{xz(27j^O?<2SnFa=|drn~$
zq4Fdq4)+(S-2!X!Su$hN60iKP8bM*K!m3iQ$o8dy-xI^_Y(ljxLf|pP7n$Gw-O*nK
z5D$XtA*+K+RrXl|*H#(mDz+AluslS;HRx1an|p_%D3IMAzWKVK+JN@dWv0IM_AW8N
zZ_^A)QWr`qyFHKYhf&izU(8a#-j1M2W$Ewbm=ErZav@6f7XeP&thNK{ct;chh)47e
z`~WsL=uuI<`}YX!`=<~a7N_f>MZavP*|~*-!!1E3@Q-szs#t;*xWT%IrA9wu!IUDQ
z(*vJvn<CH9RavE0d=d@W5_jW=ee%x|Fw0f&;OWuR(rhH8$o}It9s=IOMhN%~f41jO
z+#&^dvzE7^Y-x6^EYLCii*Kymr!!$c{<jlQjzxpOdTTNy#HXV6apN>}{JJdicNRXa
z&~2FU6C9+<1Z#Iaj@t}>IeJfq#rk^N|F5!&NvssJ|J&WHzQPOY&-!$67He`r>I$Zf
z<IwTmmx>@xkj9^t9}hP{x0=bF^6c85>VxG43Mtk@k`8%iJzREdqBG^u;zV>+s1J%d
z7L1-=Xw@0VlS3zMODhJZC!KB~H(9R_LL4T3Z4p|N;tyS}C+!*pD0w<1l#G|nXgT3v
zh&4+gJ*|m%S;S`ROzcXV^e3qK<WrR+Z_qh9EAg2auVPPIO~RF<37?&LLq35o&^9<P
z;Li+D+EmUX{@r&L@sw(%*IPs|{@~sJUg(0#Hjorfw9W6*F&<nsAll`ZtMXSS-kztY
zttY|B$spV=mKQ(N792LX`C?^4=dDy)%+ZJD$!saLc}|>MX~&iUG7)L(8%>k0gW_ea
zI<U(!uqj8L@;R+E=NeSGH$3<T!vE9?sM&kl`_nPVg7HD8jvTih=ZQ*KR+5X|Rycui
zMgfexq)}dOx9!ZQL|Jov=)~+PJ8Z7c<Fth3Vy$i?x{Xx@|6h^gRhFb_Jb0Gu?d<T`
zWUKAx9I<58+5{W3YXwVRLuNP;J91KNJ#t#8dQ)7H4VhdTVK2{+q?&@%&*h1qz$*AT
z-J^G%D9<MVQ?3R<IOsUa^5kP8n4RNfc{Av(nA9S0UsOM_cJT<e<Tg!R4u$s--F(Zl
zvkleD6wr1LvQR!$1>uLW#JO0J|8fk+&wna2sWVE|R3if8N}-)_PR8~MCGHgu3U|3#
z{S2fvR1!?pf?O*p0lHBaZAw;Bm~QNDD#j#w*wXiIll-zTqCU^*;~d!Wwz^I(oWMl3
zYjc#|Jiq320n4%ityGD?H@6Pe8$At|nMk82l4#?wBL5B5@4LdpgC5VGSoC3q+?e(s
z>Z+6Mu{xSeoR$!o=R{j03W3E0opOl#*pyQLgg%ViX=`&$ZOd6eU1gtxKvzZ<Le;7m
z&fsprR98C#l#DKUKxL{Sz&|Z0e4D=zXbp9hOSl8NGNw*dD?{{tI1@~3upHMk{mL71
zoiL?@NM<R*>py!iTvn0wVj6%q>$~x*f=Eitihx;bQIHaOkup_V_6R0?^CF%et?io6
zQd$GX|7}L<E}LM)DyVb$54bu93BgDPTlO$=1ATGGF)92Z2bm7?@-PiCJXYCtUG;W9
zgYIc7MgS3i@zmmtu#5!j;UbSfUUril|H5hTk$94>{T-q*$UHh+g&I5X=#b&;^36~C
zj3-mCsJleGJ9}j~6*xhJy&~=Qa@0LZ+`)y~*Rf3Bxw526>TceuK+`&EXrxtQ2_9c#
z_wOuC`mIYE25<rW)hFFr{(4YxFBVQZJW|Ioj$EfenLB#sy5kaQB_+lUJR2jgB{`<c
zRdW%bzSK1slrT7RqUSk371&PtpwugIJN9S$WH_VqE!FAe7DQ?U#LS2aCFN-quBDs?
zlv0UoogAsRL3>bfY(L<Ngv9E7&E=*-7qZe6x>nzk$X)$=7RA_6Z;n6xaPARbhLsvW
zQt1X+|ID|_7~kx+fGs8^ulAZFZ$T;QcRh5FISlLw;=i~90(>U6OjU)^i6Uz98CDz&
zypJj2XOMHB*cctwKSB6M;@}r?;)mAkmAa||b6M{3N^#_jE-G~1>k@=eTXj{X25%RQ
zT!v$d2H2CTbPg2@E{@@{s0csj!^zACr&<|GVrNX$G07lQu%BuP;Gjt8fSedRFUL@f
zt~UJu#|?UvVuOzK*~8q;@xSheoJEBIl|;!uQ30_rMAK|1C#=rpbP7IRv9WK4a+>vP
z`8^X#3PEvy<?)sdSu6yB8yryErD6Rh%)w&~=;9yg`{zPL8D%7P>RfC!>G}8|6ebCK
zU4qQ|H7C8KuhxxY5csD9TLLs4ZEKTQG}Iw}Z}yL{68yrk?i5*fQ6f8@!UiRe_B0Hc
zzP+Ahg8h)wnj4$6F+14D@<Uh+KWyvx)&v4@gDv~PZnnmLUdg)hgAD7dU9>|a>yrqE
zpk`&A5(E-q{;d~a_FWAzk3GQP;P97Gil&jwx3&(=P0EBnV}~fQc}i~Al8NH|LuB!5
zehLHz%TvPNEA#P(qKHvDEvT^L+c%Ox(+Ctpuy%i;H@wfz=XG%l)Djhuatk+EFxo4A
z+v_>Mxu)KWM$B)~z{WEcD7QEvHk#gQe*0m}E?a`^J}B8BHpjZt=H`vZj3n>_axR*A
zFx1}U%mRf(C{(4pXD%0&XLGQ~-3f^lV|2*J2|>@3p~bE<Z(KVjV|3oL4^09sM2|FK
z)^!!n4@MUIr?TFuFmWk<;M4a`<<KyrETXJeSG=^8RV5&ycV1MJJ}2(0qzkhRIh
zEZS}Jr8jSa)--h*mc|=aYawbFO0Biy&cE3L4!xi^ijZCQl=^ge%JL-n2!<PX{p`*X
zrqV%a`kg*dGtwuodbums+<hTO41yC+1z@Df<t)4FWW$iPrW&Asf-xK_*msNCgiX%c
zy@5Z-eS|!TeeB?00lM?y&p_wPkRUVHE&!zlt_LQHAVbuIW-@=R&s(n3NyqAz;T9kQ
zGZAG2@@?b*5f;RH#OJ{>-Ht?{xl~ZGFkHbS%CrvsXQg8dFWN37?&nK+I@@^iOs<L<
zu|O(q(tLTPN4>dSvPb1-h=?a$L8H1Y$sqRgj<`=M+TDm;G4}@>oUcf5G^b2a#w?_Q
ze_QIc5o0FQeb(aizL>_iBU9eHU2XUBf-!JJRPhnYq@`9TT-zu*CP9omo4T7J?)5PZ
zPe`B0JcJ_kt9v5!noOxdE0v%m%po=;z-PS9vWCOQ*Vb)i982qETMKSg45#6CZKpgI
zI!JfziW%khf3+7i6827Ig+Ojump(SdKo7g`g0fgw0+VK!InK$7>T;|b_?HoH`}N0X
z&(7*EnsK3}c$}e8b&z@Xl&s~@RTnn`RBz8M86NBFeG|{cwY0+G`O&<9Zd3hKc=%to
z_J)@3iieLna1nG`o?C`9gZE2{Yj5^5--IZZ!*0qxw@%L3IiW$GItRaeM(ugev8rIo
zj*hOx50#_eq35TkJ>3}Q67_FDQetoS(ZTULuj)E#EIz{>EQCQGEXYrPIcg^z8PW2z
zX9mr~oz1(uNrR~p<{q3xyN9mJ1|}@UdhVO8vUP;sfrd0mO9_@lODT?s-bn#3!!!aN
zjezec*Vn=x!O#uiXN+&kjMW$_6|#wvT<1HbDju#!zKKV)WF{T8q^;}5fmu<nMVz=A
zb?Y=0jD|0FA&z(FWHf{>HxGE3HjdXA2obX?w1u3hs?GxEf3Sap$Vi9}BeuOhU3ZTf
ztaUkhR!Q+xnsYKwW?mN7WZ?!y2&GAD2-UX+{gR9g!GU_a_tBZd&uMQrO~=hK*UNn<
z%6Uy2b>=^RS*ng|bMkogVEukmF{AO^3Eb61t8jFk+>?JRT?ZY(Lan;Fq?2_AB-FeA
zs>sjk-R{ozfY{u{SmL~$Y(jk9)!^}4TbHh1a}<s?g+v#GXX3Vczk+OFTP2PzQ<{Zb
zHL$eA?z^&zMt_*SxX((lAQ#8e5P4NsfO2t~WfPSw9=&sdh1~KwX6OZG$#UHtCH<6p
zdYVIgbe2?X8OuZUEZ}X*LL&fjUm`UQ7r7}R75#Q}KfLe0;ni0KuA741mTrB$%^}t!
z7j*#oW6Bnq+KACW$2q*odH&22-qd0rz~om-L7JOEXlO?`6g9G2HL@iNv=k`b6fs^c
zF|<RS;jI@tO^({cDcfjE#OPwA{~jGuj2K;ngiMQwOzTR+_n30%Hr}N9U|Rz}XNc{s
z&-jw(lbm9ySEd6`g0*ee(e^N1E@1tH`QI>oO%vko)vlT-;95^xrl9tpIel)yx@T#5
zUgkSv{Jr79&Fo{G0!gj8!Ov%e?bb@KU6SO}Y~z(b#(!~v2^A;zESv&cm2VeClD~XY
z(jbU)vbB^rds!9J(J9FXPxYW03(*J1P2`8wI@;~lEZu4hS!wZ(V{>u9#E63nR;;k{
zFMrCkQPR#ZduxHv;5r{(dz4)(l$BNoy*vR{pqszmf*Jtw46TR3Uo6HV3lhrgWytN1
zBX=R^`f5HBSZmhLdoRb+ZrNnAyU7kh9mOFstvrQgu;8jl(+HxqpQCa^pzK>GLqhqR
z!IfE;8qo-iRN(m$F6rii(4p6VG*Xj2k{YSgNDTjy{Y7Yo;n{q97{mW%83uNrf8sMs
zkIyrvC!jZ#0D3Q7)<SDf4`-1vaP>3Giz9&&?|&E5dSA;vOL6L|6YV|U1I%5f&qv?C
z@JcShIJ2E&LEqPk+JJJfKI`JzJ5}y=wz8H80sW3r9Mgvy7|XL^bq{coR$~9%fHO=#
zIT{&Hw>p`~4io2|O~`||r4wPcL`22}>0nhggPu6Zw%g4qh;TPoK@_=K-bX>oTO#b?
zmikT0U)r6_Nn#E~Hk9=gDLQL%t~07*TjC&po^#w$t>Z5+JGFHnV=c53K^iNCU1sqN
zHjCk;9R96BAqeWKC|i77eN4~Kav-e@RKZT(KR11;Pb$m}StY~$Nc&w4wRw}DhqIp;
z$vT&{8k;D9O3^9ytq7wV!HwpzX0FQY4-fz7ugHjg`|w4f5Lt@R39e|nPF5gJ1m>YB
z4018E+!gb?v&_sRfhqeoLMIvOJGh7b4r6FHhnB!6^6F#p|1GgJ>L00-7i|Q{%ZG$;
z4|AJ;9!X;KEA$Q>#R(ljLLRQc6&UhIeInLOZ7)L>WI*dIga4QW%fs8?XE3B+Mb-6E
zZR`=)hX7CwbPsGSE9YJ4gH5s^WOZAN`;>{(A`Ss?le7>`52o$>pKg6>C@9AmSYpXR
z<%vO5N-;R7yy#I|x?{XNsWq0JA(6O$<wn?x4gs`Gx)fIIWRqu@C=HMBI32e0n|Y<(
zbfY0N$T_dx(FGEcsSaG4-d~2=mL(*bv*v{G2^t+bKM6#YtAzn1k!nX{Eya9PVkJs3
ziAB>`TvRhph3xgPtc(nt|Mog%#!q~=a1}RnnJ91p3S%&)&OIDEXRE}HGSJhqgbgh>
zn>ucy4`0TAK^nkZ$43=7S}Mw=48~UU6`=^O(!-@DPS5MKxbe{Ub?2K|CyPrO&wALv
zY;}xmaC7??`f0tw%H>Es)Jv40G(fhWw!b8W;_|PWvQ22{gd%tUzcD=I*lb0Y19wC%
zEHwkKD}c3wfwS^i0eUm?0s(u~uB+^qAXFAl3vajC^i}2cFMw`)ZQZ9}1xw1@xeH9_
zKTAsgewl^{!<i8aYaI-?UDzArSv)HxECioPLfA5JXa1Z>rkrVsar6HW816S8rz9I3
z*spJN|DD$CAeP$nLo`K@B8^wJB;;qXQh1@*yM@rkb=gEYgh1IuadELWdHMfnIt!q-
zp05p8DDLhQ2=4CC;!bgQx8PQ^xKo_qPH}g437+Dvfue!p(vROa^PjnMCo{?2J$H9!
z-{<U}oK34hrejLG*R3Ct+0(?bUqYnhC3)+l8S8()yFOz+0g~q!=<&lDTyIAAh(8W8
zZgdM^OCg{je(^Mniy8UO7uUR7+2sKIm_{`*`#Fn;fj$|{rxhH&WdBdw(&JZVRG}Vy
z^m3Yp9(4{@UY@~b{x{6R@2vJIaA5{Jt52sO`G%-S=?IB;!#U_tQES`}b~1-}OSm0C
zB~v|oWc&`>LPq=wJEOhToElPeO5lAr=Z}0te&!JIKBS236d4OD(^0f*wnMcv8gFd*
zuZUc$cvQV>x_-UTzFR^Pbpba@@bNW~V27IyE%&0Y&dQ;=rGC&v;kQd4L<$lAPonpL
zk@7|&MU++ir#F1Ch>kH8<=Gj)x~Pq-$tAt;C#25(t@C^L;B_OFd(rqGxq|8^1o;KU
z9W&%H?{3dqGWpBZtfGAsczxc`b|<gl*z+)h{?Cb+>nd;DgPr!~AR$NhgKHBSF1`i-
zG(L>M(5kniU6N7dM|uc58MMN=czR>AuE#@mPr2Phgo>3mAhw$`P3zzR?s`1aQgE`h
zn()grW`)^hpP}aIGVNo-cuG+Cngj0u<tUGfa((CsTkdIzb$;J!>erqtXSCy{ABDtY
z4U#?}x7C}6$p`M<fKm+2#<uGgS1nc)gY-KNeuM4N-al9{wMucnGX)QRD=hgD9Af_$
zf!shxL@5rR`yOK88ZQq61882h)Z@KgLbRj*<3qqL*?;lRhfc3mM7=Z9M{UuznUdnu
z_Um6G;)fp=F22_*@RE0RhC5~zE*VtXc8rhx3O3bwn+AGc4cU%kN4mYV-2Ra*(Epj-
z9UaRU2z-Ij>>|Y}olyCmfR)szDPf`Vj78LIjv87WW5ph?JJx5Y=y*EKR72gJ6)^8J
zjnsC9yeA}%L951{yYXjmEgNJd$8vc7GsdQ2ghde?AA-v>Y65;Ayrn5!@1r4|jPme*
zd7)Axh|B4{RCNzoU)Bl|g?Y!N9aBkGSYeM(ABCUfF@Whg7lHOzm1)zWm%_x__iSRK
zF=t|;fxjPBylOvlOP~(fNON1~iLHWjV+PwSgaW(GIqs?}vTiV9t#LO6#D*YGVS6TS
z3IhL5&Rb4+0ZQOq4ddXz*KMkF88s=su?B(8uWxdjcWMibgS=#<4cAyM`2A}sf%No%
z{@8fM272F-`qz^Nv`)6Ru<oPSpFr`dEi&)}1s7&;C|Z-p%2OUT{Eka$&kc+u#<;wo
z@R1&W2T=x}pNka!j=HtIdH?O@QEO?7`9$!%S#du{zb>C-ySabs$cLT2X|}MQLl^wI
zpN9g<T~!BfW=TF#F|s%+hayUuA-2K$*1gQb;zE+=V+*kv@*@j?;g>Xr^-V2s5edPp
z!Rs+)op!pdE-rUSuvKK3E&-O_$0*W|Fy@f*4};^v663<=<$mJ=riKfbZ%Rj*5b|qF
zs*aFs-(y0`yV<5oNzzxKc31T%To;?^D$^NxpXWWx6r-T7CS4`sraWV9;$+mXdJt#l
z3lPBri|qyrg9nSv1B>G3?XF6ZI5W3kif0_-8P-?u2fo5oIm#>J7fkU7#2-od?+`!V
zPkNrCOr{T~23mtG3Y9vS0$tG0gkJ&$7f17yZ?R{P`FEA34uqR}qF7=W4}T+SxJ$If
z)Hr)9rdZ$*G)4%Hct6OpbxVDFS{zRG^RQ=fympT;Gz0~YTqAUPpMRkf82-HL1-oCw
zKi6OS=4yf0WM<xyUv#7{h0(hfwI#w+sLZGI>Rpwv<>wtGsZ4X~a@nkp@3OTT?jsXz
z8!pFKcJ&IP%oSQ5*Qp2^J>IUbo)Ye8e+UmvsMq-MUp&*@4C)8o7PkMOgr)zu?yZw`
z(#DF=d~-ryrgaV7qN*m?wtC01Mn4VOJ~c4*cs;3Ah$j<d2ImzdO)_MpnV?8L1A{lq
zv4a1LVR|0XMK>mwX;BdFYL9y3y#Bqe7FAP9QsVm9U|_Vt;;$L0F}k6YkLe@#<5|$-
z1Zd=awjZ=bYQ4S#xOm-NNEBOwcU4iRgdoCcTAM6Jeg-`jIosC=`IH*)YIk=7qWspR
zVy%g-i&yEL^sxVo$aZ!iHHWHK`SJPSoTiCq`hrjy>S0C{7LqRQbMu7)7AxMjw_Pcu
z*Ji)btX$Hr@s-EhHjs_&^hA0=k#PWczV&S;x)d=WL2>LP`!4iv`zAo8dux0p7mk-?
zy`d|bZL1+D^T+}>su1}rhv95lBzb@e7OH>hUVT1sSAb2B_U&Ebw7s_>=bdB4-Z@$`
z*GS=%HHDwEYv|JL4Ob@PXH#=IiJxaoOg80Md<?uKZP`>*vxe^8lV0-G=AXg(GVm*b
zKvGSd<h~OEsWwMPJSIKyJP^*s1Se{8qoFN&Zi35SwXPvtSi8j{GjgM;ZD=Y>0jMZZ
zk)0U@(!{O^v&qcY$JaWx#(C$Ak}TJEWWba<M@UF89p7L7A!IMiOx?oOZ1JQ)9m_+N
z$WxWvQ;o<)70+eIb6oMB1VAD?50~*foOz{g&2c#<U#-)STfsu^(W{^Jef>X_Oa_zF
ziXXfyT!RcT47v&WnRnJ25G6AP!#dS@MsuV%Sn-IrxT$bKqN05U&ab3hYQzX9Zu-zf
zo3XE!zoi^YvPOt8a%X0V%yg;9nUW!M(e||vO03I?>o*@Er2=GdKIKxt1%8-j{zx4*
zzlC&fk$ED*th;T#ko0b+uS_WKs8s3?@^r9z3)Yp8b7#qXOLoW4oxXAafsho=*l}Gw
zQ1_>j{Xi41!5U)6qky3@WvIc0Kie-_--MBeOOsg1)h`YGs|W8rfsBI}^~vKZ4WAEB
zw#S&@FD?=qp<hs?xL|l>lqYEjQQ?xp5I+S~rOg+MYz*`vRgYxnFIIQA$h@^k8?)BD
z>3saIg2M<1dqca#4P>4U@eTI&?nVai;9v`BYITQoazW7U{R(%ushak|VQvmy6H8{+
z$vk^?QvQczm^yT|vFm1zP(&(xa-!t@`MQy`|J3A^kW#B`DL1mz*QtwCq=(wLO0Wgm
zExB^towI>6w?o}`-5`Bl85>sV(5QPte>DvdHO2lPVp3IpXXf!lbp}q|j}G6+UFtem
z#->grmLy{)n`wil$D1%^9HsiHw)4J=%37mN8%#PMiie|+>AI8k4V<Lf>K~b}h_fl+
zKgug9LU4cXxoaU(?)rq0>@;GEyAM+3a0~^o<SP0Dg~Dy;`F_nV=;v4Rsce0Fe;xfK
z+`6W0UY%7+h1gj>Ezu|T#9^O_-`*w1D@K$^v+j#cez8vaKF`v&Bdh}PuCOqJP<#FU
zjR>+E&^pO9N{;$wL!Ap5X&(wnBvet~URnxd^QfPa!T%+(k+&X0GIn~%MX0|wgFYQ%
z)TLFo<EhZ50K^d@PY(stm}waTky;hnLW18TC_{Uvq(VxgqFkjozHwLX3#K`U?_YUG
zQ!Oz&RsT1jCjQHleVyJA8(+Q*AgNX&*J8bEbkz-Vwz&#m(q@-UCuMC>VevZ(AFjt?
z5M8GzbNbQ`ZEp0m4AO6v24;8^9^;P}Yq`hix!>U5+XQAOs-`Ylv3XrETAN<qNZ~<n
z<E|8eSAL}E<L)>6K0D2(kMMYz#KOX^fi!3ykWmKWQYm59mf`Tosw)IZ+`HpOqFi5}
zNJ%|&a5y{0rU=@J1W(i`w>xBjK|zwrRgPV`#69<WK+v_+>;oTpHPabaKjECLb<Ctf
zuOd4?(fb+_DpmzaqjA3z*!RpoB1hqoU22*ibz9W&Q){t)u^CNY4RQJJyTW6f)>xdB
zBG!jGM|*d3&Rzcf=yGvNw3o^k07XE$zYhCu@rFQ2k9v1iT^K=J1oO{-TK(yx$IlH9
z*4>^aRcE7$F&(E3ClJ4mp>KV!`oY6g>RP*p6zASTPny!nt{9UivNE+2W1E@f_k7ce
z|5=V5A14a;01L`9u-HkFa21h`;M_?=?*A+PrgC8Eluij}cLeVK`55Y}s*zkPyxzx>
z1-8Ny>v(c~9-LVnw?gv-R&FcYEh%BuBr(KE$`7)x{Hk!~$eq2v5NnrZu5rB%clF#f
z_%GJUP;~r~o}PBF2!~WKD)2!GAw<H5x0Y?MX03t)HCc8{({=H!AGaglfe@b210H`{
zvU(Ql{wCf=@mj$7D-a5nU?k?M3Ciuv#-8a~pVIdYzeG5Fj&NeNk~=vKDK+dSdIhV@
zBrDo41D|T0^zq*F{TuaXvaJM>8{|&f#}=bxAH~7;f3Uv6(%bxc<>keig$Kyibf3m3
z@ix1#oJONX^38sJIk$AM%^}(sQZ4VA;6mv1Ild1iDYi2L{xlci2)N(;)G@*dw}Jj@
z2gQCPCa$urPcGvBt^KGF6zo^0z7KGIY7pq(sI96hyx#9YH{zd<1L`qXAz$5>S}pQT
zQEXRd;n(II?T!1VM_DhJ#cHDH6KMU^9Fk1kVhP2ZA>C6<@=4t~zt}%0JSpWpJ+Rl;
zZ!4<yTn*RKnv;5tr(&K}?hM^J`@Ef2cB$+>xE}}k`26~fpu3*=U6$U2kGDS#34V%y
zO*T6C!vg!azvHw$YJRcSn$nO@X1ZY(%G8PK3duJ_nsmtoTj`-mBx}L;0lS{dFoJ^R
zfYy*VC2!w)yOgB*lzv|nQf-$`USzt}y!e5enB655a}|Z{IvA*`tS|+>C=v^uVK*2S
z+A~kp*AOBIN*@zXrMyn<{=pPV({wwTxBGL5>ElIRLPYD!hJO8Ljy&FT^c`ZG<+*|G
zjKm2^dEPL{N>}{bm_1IS-FF6Rf-gycE@j{PV@KFx`TJMmI;oBS#R53jDR2WEc|EIt
z?Z8-An15x6kv>jz=-nfFlM1(#fFgi)1A8gsmC`WpY&ehtFNx@XK{qaONAGuSp0+37
z^*(Q7zhNb-?(Q55i=U6%b(7LF=q^#JBR_e<KKn%Fa{X1A6{GAYO_c8<GW<x~&?+AH
z-apC<k&r#XnWm|e>}f0k=$D|+L!>m(#j=dwlB%~qgI!xjeXMS?ob2p+H&$0)TAP~-
zT4=qknDtvmS}ewsEWr&8^ijnb$+8?c0?_H5{TG-g-#hGg?`3Z%Tdy^m-yut0|2>9W
z2teEOo_f4rW%*_(u<F&&O5XSQ&dA$EKL-z*{xD3Vzic177Q}ZrB`zHX(>>h}_n!c8
za~{pa#MWD*J#NApU*j=FHL$iQ<#6E*;G8gX)hnjCDBNLc;Y1DX?HLs7OVXM<>!VJ>
zC0s-*Ma1|Ga1Tawp90=*k!H$Y)jAm-+~2rZ=<e<)@%UM4Uo+Q?#l3Y`vT9fc)oHy^
zdd_Z842r*L!1JQ!<H+8<2zrmFHrJh#P6pA3-4_(=Hp*~I({#%kG?|B+A3$kphO7Tp
zNy|W;OIpn3D`X1Cq1ebv@I_sIg)01v7EuwrOP66}Xed1+4-@Pxw|OLopu0{aI*n(b
z(4AA&ZhVUx@<-(lxml*3trfX*{4-rkQ{yMeve*uKszd3XeBX>2C3QB~qe_Q}^9)Y_
zx`=B5t>(%Z(CmTHG)B>8M^l?eGdrrn%Rey6O))WfwYmB=OI~ighP@W-i5OvT(hr2k
z)BM6|>J?V5`}1&4dE^DYI@u9ml=V|1<B=L38aV$qY@TgmX1yEXckxNWNiUNv4y#MQ
zaI5Q~$x~tptNL{t0*L=O*u;*?bk}VgZBGVivO;5I)@XoBVm3{dG?z##F-ZQJG<3%+
zCqAdt5wZ6dmF}2CZcZo(keEHUke*-Fr=$dm=x}AzEFqsjS%-V^jGeqy6p|Z5<kUL!
zg>emL0<oE!x;?W(MF!1XmH`f+i?fEm6k4C>lw#Z`K9@&_N2azfq|#irNh(H;-oWTG
zJRoL_g&ag$To`eQa$!*nsr3w>HtL2%lg3^n@@JGa%VQ?6`S5618Rgeg2--zk8mX!?
zhj1X6Hd#s|7g#uLVE-IgXn$%hf4b0~!JlYoDXXRKCD&@!bCnZ{no*Y@Uz$~hq?vTh
z+?l&Y=ue`lHfN2!<p;#k=?D;VRAkk>I9+S)j5YX=@CUxO4DJm8Da0*#le{&qtFId5
z*kS8(YnJjNLq|02ET_fuu+mr^`J7KZ`s>oyVgFMaJcn{I>ZXX`aDh6d#sXlw(Pebx
z!(#I%`pHfK1wRfvCBm-TO+vaE84ksmD{O+iO?CMvDyeXgB?vR#mh_2zU<X2pjr6g0
zbi`jMdby|FL=M^xQcRH5fc}0!q%ey5@d>TjNVK^#bYyjyL&l0z#6oV!?4heA7L!v>
zr8lzH&hgge-?Z5ud=pSHZiq9jnf;;LhEBMt%b|GeN0~B0Qk>DRZ@6o?hOE;nFFCUg
zsPLBj=q*r_t3ZYnpBLxaP91I<6e}r_6H$F~t<yN)TV+1jFgE-TWEGyA9Ou@#Q~le$
zpS#VQWjgf)iHd`=N+C(oFg2?MPjpr5{?|mC<1SK&j={RV0#TV<pVO1%Zn2`eBI{@}
z5gke}+WuYCVW+7MDtg&5g*-&)XK5h&)O|{u=uF2=Z~y{NDr*JPhK6R_uX5*Pg6t<j
zSqMv#92OK%(;5mM-b;ghC%_nd1t{=^?un~1a~zfFwo_7O;7gIB6O~C!v<tr$<tB(7
zHz@YUE#RU^;Z4WbLhC~ZbMYL9W(T{N8BpM5@B{^M4BB&x8|k8eI{VNyTl=fVhG7|n
zWa~6Uhxg?gw63g!L|5Jpa32*2zBcl3l)L`b2rVib1SG@bS+erhpfz~-i~i`l+U-+>
zP+{kI0zK}E`TaO2m)qnesv{6CSaee^-|t=%#z%V$nG(duS<G*z@{J0(iOL)GO-nq<
zFV}enyf>1xvem(F%c0@~1Jh*zs7CjLh}L4!Y8prTF?r=CQhTRo4a{@12{Sv7@7kON
zrW<?7s6gCpzFr&{r#bLB_8r5&Q^G4i%V*eOpBiVHagrIu0zHFz3b^gpJ_^Hhv3z)v
zv39Rl7}|bpnCf0`7RVU|nByj_jVw{r7Iv*mG1F#Kee#JHDEONRgq=De2t1f(T$%AD
z2!E3f=rP}nta9kS>j(7uI>L35_1xRwWi8E!5ZdUn<6*BC;8;_4`Pz`?%}n3*=*jG%
z-u(;;t1QNS|H{hZnIud6d}J;17mZeTDR*?KS0|)YS1~+Pp|E&N;HlB1|H7E!u=;KU
z@%~I0wqm!c4G$#7g>Wa&A$@|>9sN<c%1TE_{NdzZ{zhllsytkyAswpEZSz>ryu9--
zn#|;FW!VU~X;bp=qlZ082N)Xws(QO--rU1mVhdk|YuvUB4;+lNgEnYYjSi;`2Y+Rb
zk9iY=n`Yf(0$-#EcIqZXIw#sr;??G(mHRHnT*R4C!bj(SW&U7Rc>W7wg%3}5&@t@$
z=*#51Y{|&UiUAHztmlrV&4(H#OseFb?Jk3m<dHZ0{#8zKFR%zZ`=7f;2Hrntx=-zb
z6Bemo{^+FN{7qy9AoX+?fo2@5vbbnzs)<mg)D(ws1AMw-6hg4%Kd`=*App%CZ=Ti5
zGfg>h<zOQ+5?$^s6dUY5CLVZV%Nwp>+HR|i>=O*we!+=*{O}mK?W-s2JX+EsYJf*o
zOuF)2(GmQK9m@Th?^^k!v2Y5Is^;?U!eGZaB67H+tUH)uz4@<BRsXjn3W~P0y$}a`
z)}4B#8}3y2G*mQ|a(K3E?Ae<XyKkV2gDjy;9es64KuIA9EifYPLoLofsvpP6E@9Ak
zuj{LbU6BgLzp%J7rBfqa(J~!V-JjoX6x}1^O?CM>r!n)uxxP*;;9VOi|4h!&P7x|!
z0oBZ)#ED&7pwhzVVJLG6Gk9W{&$d0H4Rc=6Ee%MS4G69`Nw%EN{GpV_Nfq2SrtOYX
z3kheIBf4zjr*&uu9W@<1YufP=xa=fTu<BzjRb+y&XL3;5XB56KvL=z&(mJhkO`hgU
z10W&9O5oQZL?{Vo^Ac(D-Pbuq7m@9eo)LoESx9+7Xg5;pa|Qz~hiVg7Y4G0-<ZqN{
z@Ap;$HapnA02qMt+S&w{$2ZNVc1(GYxcn@922Fy(2u70_E;e^EUZMnbNqg@c&$n`-
zbTYT{{_J5`KSh>sucMRP)m9$Xv!JE0nNDR?s#Q!osoY+!&#@*Q+wSZY#5M1R%g+r%
z$1<?`ld(jsM)Wsy$~tMiuQu%6W2NiB*cdgnJ4`~E43{iDE^nP#$PlL^Z!Vm<dsp_z
zzaoI%7oU3I=c{tkRoEwP`TmIw6$bIDVaHNO{GKE1Voj}|r65<na;yRRke8f4>Y||f
zS7QnA@9NO<k#_Iiz_X{r?GuJm%~Xz`le^zCP1J{8Oie4%R?B{0f{2H4A#G4Bg9fhm
zL%)BugCPf>qHy_<;t+&B)8_7z2s-jd*3$+_JudI_5LP4M&5+Wps%oZvgeNUl`V`A{
z%DI&AsIWEDBK~dKObwr_vr5u-DjlsSUJY1trxxbl%|`>SWD+U`?D~|EMug6XUwok(
zwAYu5#68~D)SEPlIU|q(7zeR3Y&7{}_A#zO{F-*!Wn4GYFM6F#>)rhux!i!VkRRg!
z<*dmX9?SLK`sjJTyTTc5E_*=A?h-<WfVU|wILW3K3}x~q*3r$0u+<yF>t`72_!}BC
z5x-?Vx|f~R|5FRiNQ`F)Eb|mq;_jChbXjmr%dlYLOf{@u79rr`fjz~3*+J@HtU0-P
zgO`HecFDh=FttgDRO0jW7ZG7PE?L%ojHq?An}o@x)_9ZqTHI21Rsa{eT*44<nE4r-
z;KV(5rvEYR!|F+hM*8=9PH17fd{VI@ZHKeUm@b0U?Ne-i;!7iQh*A=PLu}X{@zSHY
z!9|Q)wb*o@PBdt_bN&P04W7{-M!(<M-sNm}(+r_3)`5g+n4XhF9};q3HZh?`57~@w
zaI`_Y;~cs3F+w6cSu84QTctwsZxln{LG%v}YPq4aBv^-q@cA$YciQ7cI2B_NWojZ)
zSOJWi8t20o3h?^aOjjDyq}w-D=4`5k5@5x|dJ0}g8mi_JYO=SuWNAjJ&7qG7?}vb=
z(T<)*<|7himsh>m7&4deQAm4aOW_APd;O19K%`ln14Dd7BZv|e%$9QKECuP&S_Y_#
zZ*U>!d}@&4rfp_Jq&&L1_|6N+oL}zA%WtTvG{C_^ptO6pI;JoAH^s95poaf~G^e<c
z4+)=p!Dpqr<Yy8UT_!7W@7LbAATL|LY{?0ee~EJFxyVJf@Sl8?Tbw4%{q@N|eSK;u
zG##PUe60(NMOhlEQ&G=Jm$_gtWGA=lnfHi+{hUZtH&yn-{i>;me0?U|)|qm1786rH
zp{2)xB*lX|XvWAql&Y{a%v+<kv-hJ@9=|yb|3g066!*rNCnz|dpI7jEa+i+@)hNv7
z4Uq0`sWMLvd+;ZbKh7x*r46zsQ)G*+Ru}P&_nT9)8pN4W?)slEXUv?DT*00k8rx_%
zKXmjMn0RwKI`2B9Btr`a{4Jwo3)b{r91O^ct5;h8t_R{2BIS6Ck2Xm98Rr^HPEWPQ
zNfa@r*ABP;#wxS^9A}9r6TW3#)I6?WpPYb)X5`Qy$t_AY2z3L)eW1X&&0YgaHhrT4
z?tlKPiyk#2w5FS>h585&`HRN*7o+ruLVhNC`opD<<8O_&@(O2l!=1v40VUNRd!;v2
zAY20!muZ~;5>56&{)r4>W>}dVSA-QJeU)6Yj-mQ|PH@Isw`NI7WIAM;{>uC|yflec
zHX|5sf0XJ9w3@e&@)DIPjGQGox9@+NIWWgzToO!ncaM>wvNdUy<6iW&)!(r^Ko&bF
z;k)x?R&Wk8bHSpfk=vd^qyP(SdJOJ95A%;IhqW!H4jrV}+QaHwL}V3;2rf96ex5$!
zN1bGZ%gJ~}o0o-Ns%r0<Zsk&~>fxt*7yP14j6711CF);3Nb<gz#dV^{hC{hMr?<GM
zDfEfR<DLTG;?Gcme^O*y0keg1c1pBm<jT-I9ohDO_{syn=Qi1K;>~jcX+Q%+H3>~-
zm-9?Tq(V3azxw*qDJl!gfsX-f<azjpexhqiR3o5k)m&d&M8j6^{eDi*O{0u<AOz0W
zl-yHBkK=v;MIyVCu&8EYYANp*KC8trCWqSfr4W^BPTq4vLhcWMqf)@_28-E%q~zlB
z`4u!!YzSeLZXE1(S<SXE&p*>X#mzE8r>SNe@`6Ce?<Oj4TOUK=*O;3`giZx%BFxfI
z)x=3q2<jcB!+V9518GY&Jb_HRC>YvEKqE=1mhlu^LF?+kQd?LI!J|L`qonDNWVXPb
z@I&bfB?(%t;e_k-qG#9{*19r@*t69~CgPXIfPkWVms`IKy1e7}+guo0&P!x8jkoGl
z1zcEai2!;QPsjoZR7S<C&=x<>zb-m;>b(PRRD+r}u+x3e%z`=2G()mbP(@@(iVAoM
zLa1DBsgKk#7~E@7R}-E>BFfT`Ep?x_4JixQn6i*How?<Fv$ww?6ih8t_f|m^9rv@5
z%lh-)Os&iD_s~^Fwyk?VYP9CpPhv|KWMl`&TkfV_vVQ--EDn0=k-r7V8)<Qn|1FWE
zXDHG;II-?roE!3#34P^b38!XAs+jiGmi9hY6f6Ct;!qB?_u`)J<k!Q0Qz!%S_^WH`
zoWDx6^fT9&Ter=P9gm9~q;H5qpnL~&9YJeot<LUU?{=M|k{q>(4g7w=NP!mWylUCw
zDT9-@rO{eU(wHog{5%+d<+$s$_Aqj5MXqbyxNkKT@uL2Gv{Cs6Sk5bsr}~EDA@=sa
zCf)W72by@l@RwhKiwwK2OvO5E=hX1`JH49g3Ylf;%ahbRP8$?^mg;Sk$8@--xJEm?
z&z|3P*s5yp?^SwDvW0#*43=MrDv`p`=9B6QpJAZ2Z=~wKnWOI&f{b>iOMi3!*r{YC
zqrh<2tliLFf3JewU%xytEH;HH9UH4I&doZx4tFG;nj<`=oFktki;`|>yI9Y;WuJrO
zm<7@XCXREAPAKKFmICAym)0zZd`m$V>19&r5lWdQk9OhXCH?GWopk&wBI64?vcN24
zKUUydTi@c9H~{H$3FKeoQVK~(yMzZSDQ=<5<X;m)p0u=KeI1#)b9$vTtVR$$>C4$z
z(q8ID0%suy@9dVzr4_W8>3VuL@(a^{VU+F=su}1mSJoeIZ}YR!=^K>_LAJc}gZ840
zAvNOn2_d5`i;Z_J@~9B1a>8~6$4+MJ-D*;AsO_ZH$sgwwx;x_?hZ#T;z-6g|v!}T-
zbwUamufrBgp<Gg3d|#nl(8-^B=oKZzrenO~&xfAQ*3>mSAXz)Nwjnv<bx~`rvn6||
zVUmxtMDx22>v*18uyT*eyEP|G>K)vFSGSh&26($L|C5S`#dG{CE=>E4Cd4Tdzezg3
zckXc`_ho#nZUt<iV9M*Ecv{ic=78y#;*<(5B5heqTC9&iA*mn7IIsN*)X(>4m5M|2
zDR9Dm&|G}a8pgakkIBPu9exMi=#Q+VyirgLuj^e^%EG24+{+h#CR@hd<~906{I!gO
z@MViAZROkRk(IB^U^8$uc8{AeQ>p?c6E@Kfb=v$&U_hkTOhP^p{M5nM9)Bm4Glkgc
z39TjB*t{;EoEU#o3pq141&+K8BL)Acf2CvP!y5E8S6Lw<T{k=I;imK7&Y|GWtmS0`
zSv8KxlHUdvD3P*pL8I|b=meTA^A-K}W$+J!bMMU<$ZEmUW$6rlghW_cec5R6bje+T
z0V!@dl#1ZOKIr}{i{^S`fuAmGCJC6EW!eA(b_>Fq_KN7o{xFp5VR^do?KY}jBzE#a
zm5=#R8YjCAd)GlGay*i;^wxlPmE=kXk|E>&@OP+*g~`TZx8M{cORqaEEfIC}E5VJ7
zU9iNtoNwYLfYMu08u!aSy}%i#(t@a##*?lpPJY2a%mvPNoL@HQ)bR<rA;H!O$X_U(
z8UjpqUgpH9@I>k~>^uKQt@z8XW9-w+l|+NvAZuCd62so@vhy?2^*G*?1!vWqSds-*
z6$eKNCmtjNwLH|kG0PLZQ_?ajE0dEi)e=|%UjLoaNid9CuNX<^VOBob7Yx|(7>D!Y
z8|7y%8{mlJN-s3{qd3d+6Zf5!LL_QyHKv)YezMc}Gma)#)KJ+52{2tTpf3P&4N!-t
zW0U0fqn#WJ&6sCnad(A|__b6`=PfkJmY@x|7{2>O6O}(B-Pg*$Q&=fBo)tmczK$m&
z&i~%ifw8z^GUsEhHOYiRxs3rdP6CHih{;S>A;#czS)*??^?mSbNfaYj>&=1J$T6AX
z54aQUPd+v(NS{!K>?XAthE2RRb}m8AtRod215*;d^0u}HU4xSBBJO4`WGIAr^Zf3v
z(KS7ap_-L>2%hQRR9#Oz#Do^IMU20%QzcE(D!Bip^?_ajv;{*$>fSVMV=bnwnui@D
zR9n))as@dTmBK>wy&Y$<%aLSck@Wz`MjGT%`C+|YATOL)MLHiV(VI6*(Wozcsk_Vf
z%?-}&$1R(dYIhg;%1;&gy>@A&L-Rdv75co+p6)z{S>|qrf`u-545s)OQiL~b7$BQZ
z#B?zPRnU9Pt)9L~st8K)xeJQS7+w8zP)26_C>pFsA76IcW9^cqPgov+3NJm6ipua8
zql}0Yf45Q6YPhxUxJgy@u()tiP7{<h;YxsaFc4Qp{~<e9KC9g{^dF*`YzwnOHrRaw
zyD-SA@R-W%ek7@QvN_g}G|Mw9^7n)hborHRBRg&Q@8@Dx@=Q}pZ@^*|92}-dbk)=F
z0XFpP0gn7ll?jz08(D>&Y*N-L(cS}J(g2K12HcB2Hnvv{g)RZN%4sh+F(*VaWuY_F
zIH=4jRpdmP{GPM}<BeF@av^_^30j*!+1SIPWQQzkUOvP9mJOeAx%nQvXHBK3Y^#7T
z+F)<K2s^%sY=)i6s2cgWWjkw_?`3|@>#23${3Qy;uGgp!)w$~?C;8+vz(a&=FZ{0)
zi`6(mUG>jy)Qsjg-w?M8=_Q#yHY&`<r^D~o!NxuOlKh2@{tBWA!r#)K6f;XBYvh?|
z8_<xi$r^W?xHoo7#NsdeVVJ{G=sgd^c6JrQzcNiik2<0TZHw;Vr4bSP9#sN)`tFM-
zZdpG0eK%%EjKs7#3@);+boxA;5ICm*D0PFTeK=n>h#WO9vdQhmFgtr0XM1d4#44(o
zpStVO61#X^bWesMY4W>m5|<PSeRT^-xCp2QE;dKi=*KD{dNpj>m(}%sRS8U@c&Uo;
zR)ZG!g4+X~7<MA1xob=t$5Ze-t=h9RruN5;|2o6uV<(XLRQyUaJBTlop5#@PM!0rI
z5+Ukcf!@Jg!U%yc)zTG=!i_@-CVd=CuP3uGq<|YUG3Bx$bBu*LM~QysML9-Gc3x2X
zIg_gkOfMx*cr7k=NL$ocLbIK4h=C0RpOHly8(T8#o?MW~-TUmwmT7mjF#1Qgkukwp
za(JgsRh5%06)*aiq#5yEGGnh_eU`U4bk1MX!9YE<f&>@Zd1>uUU*9%uq0@g*x8phf
zEGE`1{?8<-1<yzLww&0m((gLDB<&Mh&*CV>Ci&+huS>qbIcc}<`!4w<nIini$lTto
zz%VX<^%Mk=XQw<PB{1piE;9ij`}YwB&HV~OPOPL_RmIp|V8A6WBYp;40+XP`4sIYn
zUmpoU_&aY0b(XE=O?L$p4?QmaC5qkhL9#bup}!P-$nsrX-W0z3eg5C3My(%zA6tSa
zmXbX;?$bl3|5;NS8~J2a7XA$R#bNuNNU=xA;rzQmHx&}cYsrWy?KGPE&njftem})~
zV`P?=8XB8p&GJxYu(Q5O>;S}`@<Y7X65iFd7eqQ;I24r5D)2L8X4f@&S0&0umtlBa
z-VU28+PjF$wx|(#el@`25XIgezv9mJ#NF7QLXqh53<x?`j8*$FGrm#D*zT+OiABL%
z<#j#PL)YR{V)jRBl8D3~HN-1AsP=l?AQs>xTd6G34nTh;{3o;J)o>$>T+NeHi#x6%
zk-}3~(QcVwPO%~Ayq?hdJ1zf$$as5CIZ^UF_SwRNLj{|ef;v()USMYSJ!s9f$0@p1
zjClWrX%K)r*QBGbK2*l{yTPrb?x>vTP$B-M&^n8y(4isQZQGmFb3H!GNs@Wndz7Co
z_vlcuHN&Bn;R?3A2!F0?*vvdKJQ-ca6X5GA_-Eq6<#INh*t11zlB&1kjMJ#~oiLm9
zw?AYF*Nq>S_}!&~s#>}6t_eEzZH<PkrTLY(3+3X98A}&YA-g)G^lW*5=rYyHC+{wE
zx|vqyw0bOD2u!F-FOy%iy`cl_@3OL@eZ19KqypZLA%D-_e<E$%y*jLHvbsFM=<wdr
z;mb5_s1VHSU0)iBcCFvE3zy?BP)4C>P%PN;QU8tiMYsgkcvpM<2lQSMvR`wH+|$^a
zn$(q52Edy#;Vk_*#xCHeOd|DF8<^!gV*Y%crOm&@6*fqF-R^iJ9ALfIb&)q5w~iSl
zo|i0Kn>?s3{onddtjs*FRo_YHD%i=VAXf{Gb{F~hl(*w7yGwAo7Tps|#s2r(D4XtP
zad2SNyN|Nc(7Knkr?u{&^*$JSw-YK}ur<7N%iZYf@z5ap4~HWxuXm##Aziwj*`{&|
z3d^~vs+r28>0xbAi|)UOzkyxV2h3M|mHH9Eb^)}ox96yDQf3w)b2(^IxbH>}20jJX
zAZv2@-0Xku6<bwdF4=Jty8oTVDBA5|I}lL_0^sEo7eY&!o<^|$!yE+>tapqtUBV6B
z;bdpS6l=%tcm3A_JyTkh(YUbi2x=U8zMijW^rtNjSe}^=;zEMHABO8rMU!`Y1r)gT
za7}_vC`ZJDEw^2lZEG>=fML$QZKN%>{UQ+5d-ZIgLZrBu4OP|~$@br5=A5*o(b$-m
zf;y^uWhJXK(RLI!c(4Dyp-1bdT1N3GLliYO#Fw~?oiL>Vk`h}7KV7WI;{&Z#huB%v
z7(y&)1IgYg46*yH^LCx9kelSPfN}GpyeGbB4)@F}CF_V=a~5+5Ct8_sPhGZg+8a+a
zNctouKQgj4ACTKI32UUb<CC7smrCI(d%7;3;eP0={=5^zFja>r#m(w9+P;~b-^eB>
zJgDL<2w2sI)9K}u)rZU%`r$4Bup!?XOmti0wuL#ga$e-(vyt2mlOlr~)&RUM2rKRF
zKQm(ozi>CWQz7ld)~^7r{M=+dPicOnw%vR*3BJ}g*TGLAK<TGKiSrbMqxUb*2El%g
zkRXimdr%_dYovFsG?)Bb)4ES*uCO>cEupXN5t|-L37?{MftLE+o-rFW*fTR3y-EGU
zwnYZmkfRQuN8&H+=f#j}8ADL11fk-Va3;+A=JQW7a<d<|0q$fqc)hhU<7!vG^9)ZZ
z$h&dWZPsZ9Nl)Y>!z~49e_(+>?UUs&>+QN~Un!4|TYxmskF}R=5CLRuC|^nY1}*p7
z8X0qnih5GzF+#1lbvrGek5dxONBGY;eSB_dC~#ILqVdT@<XF7`ZL6uD6R|#DU7uFz
z<C$z!^eJs$h2=r0h;dHP(`<qfJ`z#x<M%QZe$lA$7;axpEN*0rDvinz%Od+zDf0H_
z<;-5{M!Q3MNic*o_-NzHExyJ{>W}{L*JDsTGe~u|we7HpiH@l=|I~Kf#I|ha9MT)W
zo|WvaOho-J7Jz=t>zn3bVd12dPkC~%AHw@uG|fiWyU_-KS(-38QS0>#!na;cP$@sf
z7Cr4z2Tu%(tGQfKs3A6Kor6YMo7arAJLd_<i!a1K2=o$Mg>HU8#m_aDrAwYE7oX0%
zb<2MW@@DG{-AMe=!S-2j$V|}xqwRNuu<bd%{Cqq3BxY6hV=JkU^btXfxSL%4hB!s_
zNML<2zp+KpX7G;^nQodS__7(KIdc=){=NFSo_Q7D%Di1Fy7#qlUrZiUQ=@6KiKB}9
zhnZZIv!gKMj(;zGZ*#ia4a2}3Fy${b&D`IufsdGfK5tfiM8K=4H1Ip@cO^bKyeKHu
zO#UXjzV+rn4SWy+rlWyFKgyJOpPjk55ANr7%C|Xr%_%)yzp>EQ{=dW(cC>-s=KpPD
zj$!cM?^-kJEC{|lmKIg^?WHj=XOL-&@YY=Y=6XSmV|38L*^kMq9y&|0Zj)mE5Fq5!
zpS40pHy!G8ephIHc~6bk)C`9x6ULuI;XVl_7xdwsY-B?VhQl~#DQaGkVc*W+OT!p?
zfEnkWTe=HR{n7l|1CyNUf+jYZv2&DQq1$);{liYZXWLT6w#}4Rn@cm#P%%D~5^bup
z|7plx*o$FcCiiTR{q4I-tCNurrQ*b};_yLWQPZ-(iNLN)PGCSs*7+tN?#75busE{<
z`A+G=H0{`w5dVUdbZ<X`azbJKd7(9np4FL^KA`Jy8j-D+BX)`DddS*NXDe4s;TiK8
z-9<&);AnR!LjC#C%fBs~x93IjqmPf-ucoTyFebM+dtG+HL}^vj8jn$*9gL4-oPJPn
zTodo7j10B970DFMTS3a)Sr8(_-y1rg+q>>J=X;6V-o(=Fr-eKnKQ%2=bw+G#8RvB1
zePEz#DvTkl`XqX}wKI4^4ddJgp6acC%AtY}+xu{qG_0@ZLY4GPpz{Y=2F=!Rst@Rf
z+b)-@VUz(rRU}!=uopunZwtezY!y-^+t`tL`i^mhGG75_N7P!#NML(sT({%3O8=km
zac96($qwQ_&*GRlo9J*ev43Z;o|y^+x!yc1F>|t+>0+dqK+HjlnF-f`wla@7ho1$`
z|7~@#7XAW6$t*5iR+CM|SXsS`9mRb$4Wz|aNNV%a{Iu0+Kb*9eom4T+HQM0=(_qUq
zo!21Vzs|DL)dZ;|ZZ#J>erOXVJ{bSFB(NbA1$Szw+0S?GP|Ceco1}(B$KwtevTRMf
zz{9-O=b?d@kPGl>a?=$@M6@pn3OXs)DA2K{+wfNw@>fUN>|!7CO_zx*84lJ?yx5t>
zvs`a(h;5m8w&XGU=Ud^>^Cz$9%@g+(9(j1hBzTm_KFgs>`Q|EC%lfyzydXmfO{%Jr
z=`k55Yqi*?5!}j#dcFAYUb>K>uaNm@r)Oc|)JXH|k1ddkHz9oo2h)ILQfR07p*bao
z<{aAQgH7ZX=|y3nn$D9`CBt@1D_=vikIUuXFvcW}hbb7Vk?4ku_#CX0Y`wKK+K`FK
zSzsvc=aK-KW3vwb!#DbIHgu26Tc7tYz*^RAHqX|&mYU17-Yhi_Glutm(}(RHIlQcY
zRbVF=f<&lgh~G*5EM>Sb9IFgD*~x|iUZ&=Nxk6MKa?Qh{qOHw8@D9G7Hb@4P?(`B8
zWPT!T<DX2}>KX7>EC6gDu6ecAJ+;UKhLmLKYmfsFQBWvKEny=oUjuG8d8p*#M&{p%
zt+yuexSjGT@quEQ+C9ehnpF3_pm4{MdQbucq5HvcQAMzsy&J<;r<duH5>+)9mi9Lf
zH+((|6VCD8E|;*z4Wi4(MZMhRId=uR(26X@5eQLDaHK0SQpx@C+R_nu%%022!__n`
z`Knr@O@z5TM@DR!TqV3e4pKm1RbEXZJ$h%HOzXl`*x5~6+Rm(Ou}7}h??L-Agl{~_
z(c)~z9hE=M9818_!*giKd^4!9=O5%$3~?XwlG#q}Onmi`U`@)5)EN^=K_CR-c>Qyg
z4R)XFzwB&e=hP|RVC`pqb_zFzVHjL{SF#r7L00STx3Pfbe>;dv@P+THexY8C-P-Xs
z;|5Tf^=(T=FR7rrTt4$hTW!0nwz+vA-8oj|ms+?evk&6VAyk+a+KKOf<8e#V!63@;
z5uK<*QgxpnysUSF02bEW)X#%o5sSzjzn80G3RPnWppT?&(0Z%PhE80^s1x__i3u@-
zet8^_I<BZpF%vOHJ$`tzM-BmHM?uHYZtaXyVT=ga06uzV+^9u8vh&HnRsG<~%7?d<
zHqr0(-1YT8onk(4gLntn6aa-F(;xWxZBF>&gWT@uav`Sr*hJ)xB{(hWeEDBtJi|sT
zh7Mlmqo~?VlEE=|<73hYfxDiFR-<H$v|u*!>;=m<abnc6MwIB0qDn&K_`_C?<N_x?
zaM}*>EPdNPb`o`8y0zWatRAGes!!n{Ho{n!UDlG@H4NmO1)y{e>HTMl6P9SN#3epV
zYtjDP@F~}+KMRdo;wJ4v)*D%R%W1cEefF^pn2vYfS{t_uyB&Xnx_|F)!>Rv6wuDNF
zt_=y`m0E712?o=*>O>K^$dhJR|72Q7;}T-IUCnb*GE_9hCOq?N4%b~c8#2XMyY<bl
zWVtVV+W5r|D|0KGJQ%(pa<Qo{CeifLe&1%Ux0mKsKrBciGY?<@XA8CWMBi1U2Te{K
zhI+fyF;3=Tr3~&eC`E+5b%5Ifv{#a)3X_TGs?r8yF1neVNVCmN<@+2{mOF&|H~hx&
z91IA<BkLL3S=N;pcY56$T<ygVduQcD__F?60=xzid7Z`9TIuft!#ho|f!<+z{WdM=
zh^x2(7qLnV#Lwiza8_pKuDhU?;)RiBfS7HC0si6KI!%lwf_){TiH|e&^iVZdh976x
zZJ3-yTo&N;)n2cIi@orBwfVs*o_I7jf6<%^jf9m`czh1>*o6DOMz2*tQQu@aE}EV8
zGrh6+{)(FXyy6^zOE>+L$MQMus}ZB)(%lFGU|2(X_$D?M94l=hJ&ZF<x1StS?XBu8
zAStOry-!ZusEX^UqPg>@di<_#_~#ovn5{U4B6<wNQVgGdQwF!7x`w5KI*phD+kk3r
z0y{Ezz`RU<h->KY`&H}2m26I)>NQTbhWye&GzV0dldbct%4J@j?*;9Jcv^<X96`4K
zX0POW!eb|o|83;??Lx0ge2P^HNGOFobM8B<S8bbcZ?vT{{l&;BM(~j<bXuln>{n1U
zJxCy9f51(SLpS@*&VRkB2DDgQRFYzTD{$Q!*-@_-c113Cb=Z+Y%qJ9O-p?#JupXd4
z)X8q*GenMy6%wO`Bxwo%t=#tNL|+w^7}#r@=6zMoaDSe|oNw;de`kVkx?RX*pWEc1
z_-)ghcbp70)~re1|K=B=rvqAsWQMuw;O~gFyi(Zd9<K47y_8fLV*l$X*smf){JN4x
zlOym@7*GHHvceu8$$hf%4wjcT2I4Ax!US_YHe>eeQ$)$j(b1%e@#(I<v3)mfcX?xA
z@iu-DCxh^tuF>lNJka)L-^}Bz&F8+ivpmY13BY~j?T{KqY;d7;{UF*FT!}Aq?M%{g
z<69GE6sk+9`6~o_QDX&FuBQ$)uB1P}x5}K3rgl+aS^O6H}hy8ia0l(XU(kyA2P7
zo~$K~TYoFOCR&7Cz7=NOlE~?0b$!;%m)H{w+LaM1!&La*`Mmg@ZhENnyW5TSmX4HE
zW{SNMod7*%CIi@zW~ADt->v5o(&RM^|9JL#u%tD&$|f9X6g%hI;h>Qob-I0e8G93h
z_u|}M>3^IudA6)(q!;0?XGY0l)*|;;%Qun9`Ed|h^wk1SOKx{sWMh2O0jKDWgkajV
zNw2iZH6uqsz&H8z9E~LjY$NpK%=xfoBzXA_l{jhhdLGo(dyqqIrw#p7QB#%8Nvk06
zm*4WjP&LW~7)u-4(QnbBM&xS7*qi&Ymxagg?2`HuJoVxK;oCgztY;lQW=$!hHG3^k
zr2)784`BJYWh@}`p%K2I3H5#+LR5-kxRxq+pgElEqxfgybib$}<n^q}NO5~CE9-IY
zqS?pcrrePYIGUpFkzXbxD#AdU$@t3hKJv*jouN7v=1LY^nR`tM(%#2s<mHaFR#GrQ
zZ9ynF??uYp3DmCtW1|ScktDV@t1jnMCRm$XJD))J!kDdG(m^)B;!>E8zdjZt<C|n>
zyoIu5&z4{x+U9wopHSE&<@L-VtVmBqTH?sBd;)4$#IerEGS{^#=nYi=>adk>ZU_{)
zYYXGunwq!$XAnkRtc%1-HEU{il&`{~pzV+x1f_dGI$^70L>K@C!_k(-%*`yc8S$fD
z^fuR(pm=OsBOP3TARvupK&Ujs4wRfNmQkiOqRS#0sC0sFXk!;wZ@X;IkFWN6Qn~}U
zY`?-^8W2+GM_$@6-PYMj!K|$@Ty+#Ht9fSOWK0G(kbCnvfSvySlUDEa&d*&EC8Vw)
zY(3Mu*w7g<Tg$SET>sr6%c&^6r)$KwGQwB_H%3oLS`znm-n8CRmgCxkR5Ks{A^`0E
zbd#1YjdxZad`HIxOmb6LH|K`mvWN~nRFA^t7;2Ko>Gz|3`jf4@U)DWc>xb3h1if$9
z*=TFcq-eHU&A2Diz(GIYj&et@ylRa1C6zS>AFIj^vGj>bk=w%t><J(}v6a^oJC1>F
zuZW*b)zk!X+UiO_L?ny0M4$dn?V1l|*Ps*m2)$%oy(gNc{y5vmV)X9(Wq@s^r5fn8
z*%ltXedhMOaE6{mjd3lA;7wd~tMVZU?D4y!Eb%R=)ukcbTA6^{H}3!;PUR=C>hziB
zMxVZRL>fmAR>sD-ABk%B#|e!z7Jt7HoN<pEj+cF@;gwkZAc`F0QSo+oXcy{c8{7Ca
zs%O%e9hau})2-iPeVc_1yR~hfRPuNf(cXg~-Q!ynl$vfDur{k^t1CLYB7Hhgl`ACS
zdGGc02X96MrVbNki&N<i*sBqvUCE`&?E6>(s=G@!YdG|JeK!!UIf_UmNtb!YZ4JI1
z(lguL9`B`i1@`hiCIL|CQaf&`Oj<o~tCNC0fHlXknVrs=*x9k<`MLfqeQoW0iTiC{
ze#gX^+e4EMCZucgvVQ8;-7SW$$L)P}3Mrlb{<57t&?q=Y7h6W)Dk4k$4U~DNC}LOD
zGZmC-(*GKDdmUSLzq`^@22-S@d7uViA7pdx84%!H{Fl2neBtrQ#bwFOtEYm-OijoG
zg>K&`kE`)Z1on{Qk@}3j+KwAkI-$&MVwyXs|4@yX4q~LKfW0mhr!2r!wxi}ij7pWJ
ztipZImFKBRN#UkIo+!<nuUFg2&8I*sN{QfqX>!X^qqck<l;kLyvm^10i7au|MG}v~
zsnP#0qKkzwFo7g@g!X1fn8%;x`c0a0=wC1=b=Fc6&Ma|KA;FisQ~P>mE&dhqw1rVT
z!VcV+&?U2h%etu*4e+5yHL}Gq>BNlS?;<N}foR0gquTsga5*hn1>xIY&9)ij5Dh)5
zY%G2ntqSVF6(Z|7T)SfQue(lo3JeBE@@~80oz&sb{ydI)c&7S(iHGfBM7*44mC-*R
z{w&3}pa*ejqr@NbKlV}6P0^`vf6Fi&G~4Jdh`mWHn9<Nm;+}22_pyf#xToRm%4ZK-
zLX+|NuqWR5IUbp^p)X!(e{I^L3;$&AChfx1oMXj8_w=T377Jilw#Qss3t10PfWg^0
z#d4FOH8%>h12w?p$mkbjj9io#)_EQaCG6JI%rit44wuEqZ3^O0WzAnd*$dSw^C_mc
zpEm}3tA;B1t!uG(miU~jq<V`F*t9r<CowM84V%AX>u90uB51--!}Ch_@^+EYsT0B_
z09+pTv3*v0&+F^G^nV8kQbJcp@2YU8c&kbF_3rv7&OKYxmatIs`>OSBLcNL*t^M!z
zz7rf2mzXa_Tal*>tVpe$<(aa{=xi@=x1jFCeKqBF>Kv^!!R5INs{!B_6mFyk#6wK+
z;J~$Dtf`oV<<S0v3oeo_U4a_&(Swp{8K|1LW?Ejxtgc3GztU>w%^Cg?t}yc4oE=2n
zSe*K^X|^Af#cTpB)9BLX`B;eMmTH~lI5ikhxpA_iN>Z62C-QV2X)NR5v(&KjCE>dd
z<))i3`u8Zgu-Vdyqt-_ek-XGDd$=)@K7&dQX))mfc$0UIgeL||T?r@ck$Ds5cgKIB
zIwCc0TQdR;$p|u@uIz)+rfH&-zCU*HIId#<*b@*H>*;bQy~ZXcTVjmPg!$!Zt#KGK
z?=od5n|JIyU;M>uLr-avqxC=S5yPiWtxi%RnXTO2w3bhJ5m@7m_+*)JAEF0os8l0!
z?58gApWhu@kTTST9y%~+OEh?zr;WR_{x22)?r}e4p<xrurfBMtrnuQlDaJ+)y_?A`
zl6N(4j54>DYhh85!RlY1Q(sF0;LMCfm}#4Ywb*IPt$L2QeLczy9HujO+$20q@~e;!
za%us$Z`UnvWF3$N&dN}hxqNm5&n;rwZ7h|`u=}{~J|<D`_S~}8@pxtmkq7U$P7vV$
zTa*$4@5mS@!lpl6^qRvCk+Hp{=INOgzAk&D(l~y*9QhAA>{_>fZ*qa}Sz`7)NX8%j
zSf@+Sl1#^;-iB;Ha%m6=U|(Oupis$j|1h2HM@5{JF?p%zUVz+sK)=<F&H%S(PH<zE
z+@x(a=`Ro3(|W}fLkSvsdmnEREYGl<_Ih}`zdFicZrxF@sWR0vBk4P@PSEjK=xj<o
zZa?uy6H|4V7Wzl0&>0gu5AwGh-{yz{I@+kvv)7oKs{C%t=S}u>71?495Gtc4&Tjj|
zD;cc!)1=AQK*8Lg&dka4yyWGS3>4`C{z}}a69zobim)Zr_^S!07iWHE|2s|x`z?d;
zP;XLvQgGfWEO*+)T<!i?Lh<8;vfzwIN==|8OpCp7D=#}v##2vs(678CWWnat+jG`R
zpck7``<`g0NuZ+)Qc!aTP7F1BW_soXJlNi0#?ZFC$K5mXvNM1H!29?*rPbY9QS_IO
z8v}z`odBjoGrySa*K>9Y%k8+#fH$$$`+=by#N6KiMJsn=^z}u1ij#P{E`M&M$LGhl
zI3zBH7*&IC`gQUi5sGzkG$+UH(-*B>BT23q<P>WLWiPHF&XF2t8|q&pCVO@*mD@X$
zcM6WRS-o{R2;DD>G~v6t{w#vVJr*!%jt0+u*r((FQ_52gx)<6yS<DwLZI_Q>-|}xP
zltz$x!t!F9o5dp4K=;<H9Ua_Htt@Hgy&k-`>{QAcHA~gR<WH;2H%XF|pxbuc*4=h{
zrk#KNXN?BO8fW^O7GPl{($SFiW@lGz2b|%es6n8h*8ZYPRQ&VTJ)rQ(`uo)JFS&5D
zmAT7DL(fm*vaUgDD5f1<UER*V$PHphQ+M|*p!Y>I-Y}CB7*X3#Jw60&*qTVC<#Kb2
zE&heIsX<c5d!N77R2-y!jnJm$^LB|f+t@2Q%HhaO$<k+Bp4C!vSdM8Rcjr6TGT=E)
z&L(k7bNo$wjK3F#6#%-({rZRDXm>UX=<~zvt)B3f6U+v1jaJf{#gDh}xjXyfluIVH
z=>BP{+~w6?Dqe2YLpQ?*$*RiZ&VM^!M1}uKF_i3jtvyXt<C1o?`6$u-HUSpiGL(Vj
zwJ;{25ZJ3AUMtrf=jIl1R`K^&{ntj=8|G4)KmSK7Rm?Fmuv402pm8)b&#MSDI5x$U
zCJ&07<%NDA5M3;x3mU;#{u2c&O5l7>&QVPX!hnepP8(h6!WE2T6#{jQYNjrH_W4g_
z&Vq-XavX{&8A_-(1ucTI5KSPX|7(NaQe7Lr>*OgWL0Va?0j5a5HoqK4{qTH5yU)%e
zj{AW5NHk)%$F$xFr5l+jO@y@4l`Mz{=^zjzmzyhXr=!MbSMmY+(;1k}p7g&+Z|ghd
zWK2`fR0Nl{|B_0M^v?b#HShm%r|>VX<htG7-^7>*&C$+a?!EXJwk}qjqrwzOtDR2}
z7|@vUZjIYAKW=s3cr_Y7Y%vo2y?iRoI^CG$_+Yu{dolHHU$@KjU5wp8if-VuC$9{v
zG}Q86!ozn56b;zHkjMc?nj?(<O|@yP62D^a!yl|95^~fC_mvg<ZY@n}SeYHFMYgau
zx{~b^*h$%*NJbey^j0cyMUH-NKT*B8qtYZLE_b(slsD#N^(W{0Zf`ZU7QN30;cNWa
z#F=QQbbp*ib6oVarK3zz^nTJ%y=mf-JC{Rq#lTk>XHN>uG1_iR5zud1gCk|<?E!X?
zR<2*=F>+nZ4j7Ib8hwj6CiY7hcnyE$A&tr4Jw-2&q7l}NQ`TU6F?p7D=yE%U;*%(4
zqkrBUO3GMhzqcYSVaCuye~-+bD+0Wbwwww&QRts-7d;ojP<T~LY6Hs6S=%&u3`Nu|
zi$1tODNgx$u&(YI9={Y_%KVr)QV1PCi7w8pMzn3BHe!CJsfvasbzy}h4n^+|#O;bL
z2P$l5^s8vtmMuFfjn|77tSflCck$~8y<cldlQu=t71Rh1Kc^k^dEou%i;iJ_`)Dy9
zY<3v*OEu3xGGURWZr#x=j|fI*xDzcH@=^mYJau(vw=FCRGH~LIf<=fjL8_RzuP_gj
zaRP?b7~+U^`XOdMN}vR{6Vv>E4L6Y?Bt-pZ%joTvrY@EQ!}b(|mJR57&_|%L6JlYK
zy=^$GLG|6%jar6Y62Wnum3<sl{o{UYyClXP-F9@YG!>sW+0+N6p&69YNWPUW{=srB
zR>z3n{stG^V7Be$6+YG;VQG$nJy+SY6~dh<!x%xTLx%a#DMkXLKr2uV6veWmF41=0
zTUsisx(>a7H70%Bp4A>mDC0j(6b4GAi=L|Fs&j>J7s1x~gUJl#4EMshOXDjsUqy1|
zD_RYC{`cS3$W*=5l3><+R7t4%sBO|<AiKoR@iBo2(MXr8N9wW0_zi|S2Z_WruQXLR
zoEcu$n1i{0!65^z@li#UOP?rkG=@JiJv??W=+RcxH_)CYqSfSm)mj<)^_~Vza-yX=
zDm7f|NAo8coOvQaSWEc*=!c%Bxb${%$T1rmd<=ia*}XOX^*e;S!VOFGS8eSKlo_4i
z0N~?Ky5&&;oPyH3cZgSluMjCYN}9$b>_Q^arFl`BE>3Zoxw?)J*=OR8hnq(nhEALP
z&vrv>qWxd%5Oy#LvQ+R1z?|$wn94Ss#t87dl59T;gwFnSqL<+yuEOI0)AD|vhu_D1
z;4;?W5AG6Pw~8|rVaC`g4r6~pNq!3A@kH!7b!KW9$zQFu(rQ;V^_{}@aXF8nb-?OD
zs!gQHFU)Py9hK|WN^jvs8mEW8Bq6IQI(`q9vB%KZ0TYwG_AhI^Fg7->De{1xo;4c^
z^jbq+q!DNif@~xbdJ(>~ZC7R3EP&|)z~p{Qji=^6c8FhQqHK8~XMf(Ys}6j)JxDlr
zw`ghPcWhZ>&HeR^u;yQ_X;$DAbkW*5W>R8TW1zZA8pN3JVB!fnsWya8M0Mb~sUerM
z-X~k9&u7=&fJom0cs1ph()m~(IUe+Q!Qi;29#4(nCB;-`N*K(EoAb@x5qNdjp&IzH
zitpJGHZ7tx5{-)%)yQI+^R3w~^fI&OWpM|=$lC(DL}ItEqe5qPw}@$9$Nl$CR|<RJ
z(=K|u<JIz8(|X;PONoV01qoGTBT>Go;{?o4i#;x8WYH%~bmLmo3#hYW_>my2T>IL;
zUNm7C`Pjv(^iGMsxH6)6INtd5p|hi;jA|yj=<+<i<leb<Q^}cSM~sk_(qOx*=z20g
z4046V?4E^D_xM=A8%D4OmjBvVD}G^jiz35H;rO_Q%a)`w_jF?1i`Osj<$`}CS-R?)
zvx!Txj)w$_$~qZ`YgUQ8?=mu8w^n^G@3ZDI)=97lj3_7a|Df9d36K@E_YWBdI^ZlE
zRO?>y6J*rsGXK?R`w~Sax-^itr%H(dXYAh@w&3t<uB)M(C^q(h9XSPv$cq{gX56(t
z4TcLxcs%nzj>2tjj;PZqRIAi7TKta0fBiD}-05Z?OD3`ww_&-%+EWh%*g=%TzvAPM
z-SBRGM3%MoceO0sJjv+cb(SP{U;V{!`<`y$=SJ{x_<r}v19SDm)|3$l8qbE%NUG%7
zd-U&1Te%k0NoIBup+UF3zT!E@Ssjg)?7)dA1C^eX#I-*C4C$w!%~n~h**2#D<{+1m
z6FU%cF~Y2Sj<?p3V;Z~<@#~c{UJZz--?8Z`PG9@xXmQwwE(v?`2UjLl4WVM;t&m4+
z%%(N)<WE+R$8<YQo7iU|ycwoDGDf`L2LeA8bQMS*6fiBI2hP|WROJpSNqD%azzW#M
ziNn!^dOxXds?@b)!tM3jQ0;!Ww}3U%6;k??#!9QL69#`JB8(b0-9MI-Y)=E3Vu8Mm
z5oNK8y$+BDL49v;1&Ok{@)Ou7O2%HcT770{1JAD)Ph>_Brn-TFl@YvCXaxkcO%!Ok
zZEcw^JbyQwiKUDdkW3@drQFpe7u@4$j)@hVZMepCObLA%DAu7J(gO7u-zrP5=GAse
zIIcz@I<IxMl+2u5X?Z~m5+CNkzA@y06awkpHr<*AJ!(QqqfeaDF~l+j01|ODe~A)W
zyIW>Pz8NjLV^5OT*c#wR-x_JBrfAd3VgES^%*g&9Ty?Z3-#<I|EtvF~WCe{o^W%WO
zcl!JO+{!+o0%Cu;1E83YZY&ONE-Zj?X^`isjnRebqa%|EmG^z#3dG_)rDxqk5|_qG
zyqa&W7Q<<NbwL<4dA$$*kt>rOn^My6x#&IpjmH&fYB(TNRgNSjJnj^iUQ}4L$=C?q
zau~U+H*1Lg9=(-w204~6q;^C6-{ILEX524JOGX*3)OG^XBpv+?mv_l2n&lFtB3%_>
z`b!$jjEChqkmr)eDLcGlLcp%)^5fa2*5@l=q&OpsaO$JAbXXZpa?QkKHdfy0yKhgV
zd`Hy1vpu^TonX)mX^?*x%L!FrDu9n}|C<M3Z3^*DprIO2rfZePz>8UqjJK7bDq`*G
zhLr`wJGIECJ{deB#b;TeK3rv)1z3moEv9pH2W;sP;_eUv+$7wose?%cftFW)*RqM*
z*}|#&y7W&T=NuRjeDIvAQz^SS#6fbFnt=~}Uq%EAWHHy9>e5*^>P%NKtbL@cgp&3S
zQY1QkeDQT>%POv};ySe4=A%!smM{szj7i)3$&^q{31<ur_ON)D=JgI(_j_YbXZ=w@
zZ72Qz1?To`49EnyeDSPgf!ww<&FT1@Z;8?W*FDcEi54Su79!GuqD;|0#Rk~y;Oo1U
zd2ZzZ;s%ee%9C!)%PQQ(2~rR5`4|NTMSd$89%U3@iAWRV(R6_<5{ie}8|iYZaL+2z
zH<vRf*R~5fd`)rDSn&6$oW!P(>&ocg717CRD3(q6qj@XoAxwxJ@{dwV@-Gx4-S
zANIfsaM``V#(PdKy49iH{^6z{$;>#=*a9tz`{&<?=1S+33fIV$WPD!~amXHjzPeAb
znk{`iOmr6=LdJl&#j+IjHu-)F*1uKwClcr`PjL}Jv7YRoUdPw}k$D}5w+@d*iy7hm
z@%!zGK@g5FKI@)huSAuNgYw{RM3=oFYyMYlKuA<#KgklL9FqZ4vnEabgO1o4{eCS9
z`aJX%l`>H9f0vP{NG_GNQ%C|q@kZ#k_F8g^#2r;jLk>Enit4Y1>MJ(k5gRPKb?JnL
zI11(N_f|)($;Ab%5?r(wqSVyuEJ%!5{*8ZqO6k2YZ;<jfAa%PBD~^w(=e87s2iPiZ
zS%6(}ZD0yy4|FV>k6j$FM%a0_jBk0`PJZDNO1i-&SIn(OK*Hw2#}xX8#G8ilO{DYp
zc5fZRv&`U|O+Zsthi7_&g<+ziRxR$o;9AV<m2?=Y+)wxU#xWIbYDkJpYk6uji?Y)G
ze)kr>&Y>+oxtxGlNMy_|f^L)%7OEyr&@;WxNoK#@+qvA)`A|H1300YmaMG+!{%nJA
zr`zI2=!YJ)Y@x=cAP!`rh&tR+P5b;1%S)r)acHiZGk>fkN%j;!{MUeE-)Wu8u03ce
zK`~jrf<|WaT?+b-DVID$MTpI=yAIOVzyCxkZDB{Isl8v0sQ1(<>)kwJ64pG^XS-bm
z(kHnnvKQovH8E^#aq^@6qFzGFGyk`wG#bI~`#ksqG;d?#kd=U9_sX^8;|QPX2+Zf#
zij8Q{>xE#6$CVQpoGH2;sztkHsE@)d<t*711%!Pj{#t2sJLS`9z#O{lAP)b;=Pfo=
z+Vg9NIAFjBHv9%T0TMZc1aQWx<cWH=#j8Rg1rlvE^0ecHp%@z$(_egW5SXR6UV7?X
zdow9~E!ncBFYmi5otXJO@fbRxVZaO@!4UPgu{5BGb?&?#9TC26^R#aFP7mSH-dkAf
z)riQb1}9@ac+Fzyyng!`s}ejh4u)+D=H$p&8nZ-EBk21nUp&aomyP>kAyk%}VI>_A
zW#`04E%~QD5&hRV6)Jn2(N3#l-H&Px6bgS_sf1l&&;SL(NU5ERV~ovzmp{_o@YF%?
z-^cb-Ki^Rl5SKf74z*bQ&-8b{O*$*F6-!Cj&yV53N<}S5SBlH#2iw%BPR^gLsj3dj
zvo`+DQpSrDAiW;;UbTQ<edp^T{y+f-;Lee>ttA?#>Q?mSxP45+0O$0(*bM7`$C%>Y
z{<j+lMt*{bu<LC#u^mnozj0(N@oDQqe^kn1h9dTeHVo%;ObdxhY8$7g)AAa7cjlBM
z(uJFF5U7ui?F!-LK<VV_UWbk==MWVZ2m<sQB3S*)Ne7^H7eBcJN!rN5O+fj>H*p@4
z@>h%B=W)|^oJwgNOpKIMfHJVZ#2R;XpM>z$h{)J5^g$JyLCq!(&zK}Hhz&gKA=Z6k
zKF=M(JeDdilt-yc%`gtqsk%zBg5z_cl@5r@>UorB%=?q=E^Wq8O-T_hx6U~TlvF$D
z5n34Nbx!wS{3hhB%^jE<7ai%QbZu=ae|Qu{|L*()J7S<eHz+Uce&N@g-65tZY`EKN
z37LDcEd6?r4D(t`DEmL3!Gu`p59f5_PQKnz>v+Jag#Ybr72g@I2H+|Hd4OD{6_54Z
z;r&)U+x;K4jqTM9B-g3HHvBOOd>X5~Uxy7M{(be9>v_A=Mt@=}B=jVU1@Oq36OR8`
zXr;=Xa+8RaFfyEwbGoy!w<p<;`hKQfRcVOvo8pX~dLB`vCi|xLNaFRr2`cby{L5$g
zd)}Y*R)M&r-#h<iZ#xA!|1wa5G@$X`_LAHob(8)lf1r8$;eS9Cf2XKI;(psB+?dpi
zC>l)*B8av`zgaH3LST{ATYSt~nsO`Tl+Rom>v<W3U0edl2$i<?Ir|g38WA|N14nOz
zI^E;JW^#m7M(^h#r#2O>o)(|9q{9(m5-nS)P=N40V22k8!EWY}eq4H}D)G;ujf?t8
zuWTU+8q>#<d76xP!#|wcAP=|U$V?~rJ$|zuC9-*$-D{il`0w7byS2h&wsS6%8#r;D
z{Vjukl{+4KeZ^>?#nD*8I+Jb1?und*bZc>N_?b;9E3J0vR}cc*t?5|#)Ggi1)6lgM
zN4<2|))<~=i_2DcyY6IvWq#5`Md9sNBS<|S?YQARKiTqdicb#z<^UrkT!kw{z9)vx
z(eZy_)nLot6WZl0<jX~@ljKR7M^VK`am7cu6EmWj6wDP3fz#);YIrwuDu+cBXL$@q
z#T?tkbC>xHN6*XYPHi-H!C2@3NT%#qERCCD;Z5vd1M-M#ENy*}&1fbCei{^B6^@7=
z!)v3)vrX02yv|{l$<GH<3w+vWqtT=#l+@tuJZv43jXgP~d!;E%VIfo^-WILepa5<`
zJ;n?VWacIo<RPDHNisOrxIZVfEFEDTOG~$-&C+^@eA5#hfyKI*8}-rBMi^)xU*1v(
zj6SR*u{MIW)rjt|{ufQ%QFamD?5Fzp_>|;0oWgJ5NtEE=v_H1t&;VkPnx#t99yOxz
zeMD4B*mcD(9?OD+Kh6qf$I`fdB9KT&OWa5^ui;X6j<$!9sNlqOf;$G_@LIq@DA0{F
z;nLd3bAqhbT4-de$0y2*H5wtcgLm<|Nl<IARyWcjRc$bF$%g98gXt(WlJ@rXEh~f1
zI}ket`oXap!q`#+q(N33kww@Upp*+0MiuW~$p<W1Cx6_G!>}L^yR26EJ30~NuCE9=
z4KSyvXUakpQmRaH8@SM&uL>{%uPotGj)gSEc(+>pQ2dsdCNhAB;n<Xl29(lgLk}<B
z7uKxx<qgd&6D^ne1LMHn;7b@&(MT)o-7vfS>a0$;z|;(-$kvgjJF#w$X+o_<mUkmg
z#*)YbAy*erh6w%-2AaKx<)?m!s`ZYh_x5$==<?g$YpB40#spBMI)VFj@4WyIk5ug%
z6Lgm;nemjLF@eHuLyI5ZEI(9ldNYSekRKyswX3ByP^_HV_ef>**-J3&XvafQ#{DRK
zED34v^;tzU1dD(PH%j=F;c0(UnvlVfNe%6fANAzrCeilM5Q5@2N)fu37OlDf4+2~{
z;E-f8wexDI-PCcS^J@AcF^^&j=Y|U^i1fgG1UsCin9r+<+3I7_R*QGN)y<-tFy?^Y
z#U|PekM5X2E@R4!(KcYck)i)EjRIKi=r1_Mw86#>fTG}rnrE{b`juJC|IMFSegP0Z
z+z_iYhO7+VXJ#%=o1|rFp(ckL`ADJ>YN!zo(g@Ag2nA{2cE1RJe7F{#gv)h*VVoWl
zc#cJ}XpnEs&Tl(#HCV$|<C55yw&KRLi8I%u$;3@ER+kIY5vNGXv6L_{#FeAmZ&4?$
zS10vUC2hp|CwSG)+)Av~8Ro56B7up@^e{4wl%zRpKYnl*Y&M`~8_O(H8d;*z{>*96
zp1h;x1RQHMc-H0nQBt=kp->fZD8P$D0T;Lx7xUwDB2xy)__Z14*FhTf6LCV+@vw+R
zi3%D-Lu?RPCWbWwJsl7mnmrs#E6Rz!9)Yp~rxUlDk9>-)$OnGyrGUDa_(*qtX1@uJ
zFSpTC?z-0#%5J;DR}Z>MR#_|VED(sxYG#IP=nqsn-edeTG@j65skx2t8sT@R3@^?~
zjUZX~vV-Auf;ZH@<;>vZ^R<i)87YpW(<D|x@;YaM+-EC5e0mj&BjlONT>oi+5(Ly_
zX&bqH9|zwV^oY_APgvN6UBkSm#0NL()Y*+hIm8&MOd52T{pNRT|K%&tWZ*3+<jOc3
zS&}9cBR~YzI|J;a<2R9is1dl-JIRESWJwfBXPQJxYcMdT+p(xx)I}@N6N}<NmNWUr
zQekORWzH&%Nq(#iliz7hoqEzu?3VvFU1r+GTT@Dw+^a9(9axE>pYkY_r5*BJuB<Iz
z7<pb0S**FoYG;rzUO-ei5?9Qeq+M4feTYK~%`CRIE#jb@V$7b!&sD+CN+cj2n->Mi
zETK?nWTB(3T036NXh4eFHUWllc4Lzk18iga$Q=AAn#=<1gZn*J1Suc9dc_nunm0ZL
zgG#c6+?aA{=Jn*?_uc3CvlXQyJ5G?TE*0zEPh9y!$xWN0p|C16`%PMYw8$-65>GoW
zt)Bv?@dkhOcS*3&<p*m_{+EuTfr33mUURgx9y7s|CDjjU!hm1CdZ~mC@bnj9OiDC_
zCpCfFnYkP2$xs72CQlO-y@c-Gte%CP){oSG50TJ9X7RLmJQ7d7%}_V5|KCm{l+#yx
zd$dnOgbYz46fcf2`6~`<pps_q4`%Wm$116JWeMJ=H?(c^oShfjQrgP13>rRlX-SWm
z2Ywv#1$^UY7$*^OSH{U&WIkI}DCSP4M;X9Yy-Xsgj7K7&54>B$$X7=^)q3*T%_AHK
zTcUO2_)zKf-KpZbPDF=uAgAzdW^bqQj@0RF=lPW{x9GQuxcX$51)B|?qp!!eH4kLo
zBK+@?v`>-m6Rc?U&?Zoq!;#><ZmmiUBfgC`)P}8py~+%vHDg$7fo==X<`>D0tkk#e
zD4Zh{ee@B{7PcWgU4MQ0+L^HH89SmmobMC(cEc7`I3CcVeLK^&&>%9xB{eUcGF!XK
zq>(N-3PI_9Ng?%pskhf5+ONpP36@i(uG9I1t?Y*TuB2<BkAnzdMa8kRRjuLk4)C>a
zbyz;0sGGmq;honopS%6np6My$z^1t3=i^f^Bi!8x8^nyLEvr3Oujosmg}BNip=*_I
zc3O|K5DZZc-MDH-f}Fq|#5(#kVcv|}B4uu~y2w3GcLTN#tA4P$O<d30ivlvTm2L-R
zZ*D+)TJ-3@_o7nRf<05d>hk`u>a15ti9qXmT4B}7NQuboe-@cB&ML3*2%pq7cHr?<
zL{OwA?((fM22B*0Up+htA+`DJsxd8B_Ni0Wii0<NXIi!l8^39V-o(+IhzX0B&bEz%
zDzbs&VSADZxjEY%qNlxFfbOT2w6m3FuJjgj;MbOa^AEm{D}KU!_PFoQ)gEWY`f(<}
zSn3;dbCi|=d4P(unBw*l-ScB#9*ZJYw<j1eXL*y$?0M3hDUB|3-g%YjZ|DFkK-9mw
z&d(se^~oBgf0NE0Tn27=xntPZe3JJcLB6+?mmV_L{0^@%f=jM1#HxBj;}rr0V?v)Z
z9sq%NG%f0&P0So%#gqv#-@@+U+XPGM6|?N`7;ko^S1CNcW!{NhQhz-4(uA85bSe=U
zuWk(Q@p7{W;xeXbKYbRu^U*{UXi{IzGm5pARfgLBiR7Px91M>9CI=?$;addX($)O2
zhHauiGhUw`HaxYpWY%Y={Cs$*k)M_{0;LBW?}Ym2)?Dwf4XygBWB%K|X7<muDJp$J
zA9uSwrk0rz&1lO+btHDw^7u*w+KC@bjG>|4@k!q4v*y+A4OD%VS;#f>w9UCAVuPpD
z+s%6}kv7J;>iZq~%$T3q$3QoKjqG@QispIyFPHv57tVSuQ;@lNT5M&~cm;KRumw8!
zdl>AC0S$)xS{duD8s5Fi=LhR%2K`!%?B2jDbY5+oYiJ-YA4#@4|CnZ0g4c2@a|}3j
zkOXb@Vg@4k%@9Qj)so#+QQqp{z^$JJ{`k(48e8eI{mRCgOZvx*3*kSr%#4T@9+&Ci
zcAB<==p-$Esli|SnhuN8**uJ0dp3c7<q7lJlBtW)45G>xwl5!}ewW|dE^ZZX+a9z~
z4Hx*msJy7G(4qhP2}O-B$u3_{GcKXKa<iPXjnH8QIU~-!-rvKpb^E_q0FnfYI2<_`
zhS}8b(WbQjeSwxm=O3Bk*HZf5cKq@a$3GpjD9O!M4}v8+UzQE8!?)fxF9XOf3{-FP
zmg$QvZWr4E17979Lh6uNA|?iifRC^7G@&;yQ8rQD6&j9|n~0Lo%H*ulMy%hvf*e9G
zyWGO6lc+zFQf1*@wVlV%XO>*quJDXiP90anPm?&71n~W$R9NrPf=4cDsb#g|>U;9u
ziQM*YT#R@scuAjEIiv#4%}n@fwT{Ty{O~+Xvi<$K@nZP;ssaZznbRXXOd!)y0#lb{
zJ4jG6hN2B%s=}J&W~qJrg)yQmxSn{o>-4S1TMO^dTD(fz0GEBwG_s#Ag*6)kjq+rW
zpLwX`q9?4dgZA}njCT#ZurnkMIoI%RjvbJ!;$S!xW3CJ3Dar0=S}91C8WXNJcx%{*
zr_~6ru8RE9H&Y3|nnERy%J^rdhf$9i97WxLC9);e7;waRjXS*vI<)>yRJ5hcD-NqO
zWcZqOdKX4i?@*&k9VV>-A1C6&hF}l;$Lk&LvkCUw-biBUG{2I<`7JIrIQXRf@Ow14
z4P5V&4bLSx+TRW{u_w~v3VRCaz-!2NF<oN=U^t~s5SBje)l&bOW+to%e9*v6w?Nw2
zv$}L=C!VAL*V=h-D_>aWu#4MOTdX;kGxs}fp6;1CA={T$UDdg1;+*29;j)H;qPMwP
z4Jm1zyHosUQ-{~+B9^^;BW1;jEAak8xB3}!3u<cz9DR?^Ecc=wsAJsoceVj-CLt$N
z|Ce0_ps}}Mwo+FhuxRLAa~OmH*{nSI)iN;#IYILBe^C6)Pk}+RYjzaxRs>t}C1X*J
zw2t>$r|(!h&Ow*yaE1o6ln*#E$O~&^ASM-1GO<LO%e6X1|EDG;o-{O>r})e(_w1KV
z`&L^-)K8E+*&&HY7DXL}<WZyFx2JmO5wGnLBWpkfoQa~5GV@}p=D?lDkFk+VA-sns
z>(XH<5%(FDY8@2Qjf%O!q-#ne1=<CqrYVxecvo2HQIayI@zgRQQ6uEaP#kqM9fEZf
z_grP76|&`6yozM4P^hWR<?@^726m;%81dk2bnzc&;^{Q;@}>Hc_HGenWW~%QY2D*<
zVqEv_WAoT?<bvxHW2)@>?e+DgSGZ7M0n;&zPb2^Qq-dWeyC1H94{tt<cz@U<16r=y
zEj%3=tVW*ICWQ3=phMvyZh8x|>myK@hnhilb$B$=kaV7JhQ!9@K`q!>xPYTq&r7xu
z*1<Xl>&ok!QDMzS7GO`sbo0<&m!DAoPKs(hLCSwKeRQ6ht}oB^pFWbMQRk>R$}pus
zgtBz&9Q~srV+M@RW3}xG<hOdwG45<@d~pn{w_NY9C92!LOnfI|;!hL8Fa?+qcx@R4
zN~Bo09%%IW%%ULarX#>$zXpz=EZu#hVz}%S9lmx$K%VbE)mm<5pO~6F7&-^=GMipU
zIWTQ|Ohln^wAmxEG#2r>GK@bl%H4FZAQ5)i8(~?3S7(@&d-c<QG{Qf`podB<4gFl<
z`G;!B@5TSWU6;=hw4u}CglLTEFgkVAz5T;crAz}L=g{S+5oSaRvOad^5?yL_%WF4H
z>>b6}VfXeI4)=eS$7kSV+333xYB||tNr$woLs&GVlK`#-ztXDqw#dR`+{{=xT02u*
z!oBFwEylgux3^$0vjXzsz6O#eR{Zc-1yl)TzBbpS<bwU&ia)jaCQ9Zc&LH+Rej6x~
zVBw~d0e}+{#3K$pA9uP)_|(HtkIz<@$EWk{>9UV`&lBw3g=o~`oaHUd;n?!nu}1aj
zWJEjud=kJCiLPhTmoz&JqcNL%ap$MmNxf#^#bJVz(O@wIxIF0r?XqnY=kq)N4y~q%
zEmnRvF-fUu?J{QdZ#Cq|LnAQuY@(VJj2LcPPRC@A1BaY-7x>G6^R2efHyx$O=BfLV
zt8dAafBpQfx+*ZIk>0W5=0&5w7-qR)#kE0+IY0Za^Oka-iBws7m@DvYoE*YRN6+YS
z^C;0&sn74BGg%*MN1cMTl%Ka9cdah`rW^PyF8U_Hub1)obhd|*nkGQ^Whb-K%$!gO
zKJs!mYzxKtQ71K;gHAc9J!&p7#eDU@<Ud^dz*%nVwc3Xbb|c>a^b+;mzKw-OCRB75
zm(6XZw(fRc4*!QX$9$LUHJ;R)HabGf^<i2h!i+Vw*9&HLgQq8D?s}h%zsuBX!LyO_
zELOXoj2fvO_=KuYiwz{PGMX1%1<`b*<ub_>g!6L6?${CT-$q~cWTKtkYC{aBcDp;u
zmm39Qw=Vzq14k9sg8OEPS-W|9kCE8R8P{J|GBOmS_JB-*sSv7WB~aYWMy}`AtD!C9
z{|uY7BgvqaP{dVe?Ob<kL6E==0E5NV%!L4HM-QnS=GxedEb2z>)eG?uge0!?^})&5
z#9V0PS+mIhFa;o0%OANp_?cq9v5d*f44>!YTrlJKc)Hfo=eNvd&2)z$?K)-uWM0gp
zUQbHTbDu?ZBb{zNd9Rhotfa+Is80SdZU~hwwOoF+p3rbhkZW8)$%swq-8IBmU-fk*
z^Ca%ux7Yn4R3XwZ(Km6%3Vq9jF`$8((Z?6)fnCvV&zw}-tH*HK?q)aoXdzC#egB}?
zp2rRTVKs&|T<x2h3uAT*O1_*00=dJ)pTNY7pKE<})h_Szc6gB%T+J-y+tZiEV#|Je
zM6re3!}ARF)TXVQT|E6Qn{DDsyloXt;i79@pk8Ev(i-lpSY2#*oO8(QNvLy(P-}Zm
z%~q4WQe~u$v>99a!O(oySqHTa-a}3Ko?S=!WJR8}9#4>0XI5_Kl9(2+jta)MvL~yR
z;of>rsra1?r$6N9m+Eip3wi@or$pC$I7var9+>xSheBy0IciTUNvK958!;vb=_B)k
z>9q|-hv8C{HY<f1*^-Oo6)}~@xnQy0J@V}wfo!5_+fL`stPG{Q<cZ@}Vh%s8h1<bl
zS|C`|D6-s9uXH$6BJT=ft!GA^X~vWWmPqr+x0&@;w3I5)9h_3sFcC2i1UF}9u^45D
z_nsFrZ5OX!77K0X)elOvZ2_ca02VV69-}XHb&B>x?%;klX7*pEdg_iaKUVGz+(%on
zGc}YTiprs8BxazCs6P-HNrg9-3mvV2>I3ddCzhAx-V?kRv)2m^)=L9I@{+94<ca1Y
zO`+zps5>ME%eNe4^+*etSqW}h*D0~Vb#FsdA*C>^?7i1rSvqZ4N&BgjVzr#r=FrI)
ztDyKSO|eJs3l*ZbS!7h*-CrJYuPNCI^k}WKfEbM_^6dGs6ZLG;cLGVYpGX0!-5n1c
z5MLN3-|1D@oXxh>@|jm)gYG1G(!wzz;Ci>tF}@iIcHms0;&Jt2F>9C?pq=h;JDeGq
zv*Hydt5?9Zy^D6~Xae4q-?c#*!0a7MT#_o=@|d@o@nS{0J#S&*B*tR9X5DCreOcsD
zjLK~@dW1g+OBfsZ4zBk(FlU`U>yc-$tF2||CEMx==AN97S=XI37fNGv^^_M<8V_+K
zj#gx_yE^;iFIVxOOD!#0*9(67W%Sukx2&!bH;}Tgyyi@0H$6r@gU3@Y#L*LGE!?*&
zBr#W0Vt*A5kcU$k+HDYvwZ#ugE}PxjSmVKYS7i=JkN@srZg(5^xl%r>;KVcu9`WU$
z6@lehugeFro*Bsl9v7j1s*_;k_*BGwQYUIee|AOrN>_7wd2L4G^e?*{$0BR_y$m=(
zpWA=r;Wl-pw7rl^J%iZ2diyMQrASg;5Am~qZ6y82JKc3FrYk&`hQtRMaP3D#)7vWM
z7rNR5DQj7lVa3x$8XKmU#}r0_i_<?OC5M@+km~IK++afaD?S_{7WTIbPllEWoc0+K
z$Rt+CCpA^_nRt$z*j^ZEPv);CKn#Si$F4VrR5t~AhkIMSolvDr7y8-s^}s8&jo7&|
zeOwNT`tWMS+%8VoL#RlnzP>L^G|=!+cd0Z8a<DKi#(Z>fgRbtVmPaJxGlI!^UR>(f
zg4EO?rOaUlGQffnAwz&hMq63cm6FS{?qX=KscyfR>FRukoTGPK{qKGE?;NNRvFaF<
zQ3Dh^i3dTAU!&q$@u$jZ+dxq~HdWhdH*x3*H+e*l=`edP6ydQ$n!{#<1*&ODk>gjb
z0x<s>ed+Mq;NU(WJ*g1-tL;-(^G`*6hr&H2<}54CK|;VTapJenkIFbOO=zNi_Fvr0
zH(eGFTK=u{!Y<a3?5+1#BRDYdt<r(sWU@Y!s{Bx`+!90KWM~=;(S(N~QLjc3c;W2y
z5*WWmVs|YM3k96^ldmmh)D<`F!)nVb;UttDo9a*;d8u%~)%pmSxo!{g!Ntd?j05?I
zG4+>H>+ReKFx9$$v8e9i0e(N7eWTiA=vfo(A5#!-EUj{Guv6f#iup?U^%$49{aXP;
zPoP;Mm_*#%+HfCo{bE~I0Tc}xt+kgP*1RW+ay~OaHf$+n@wy$`Sg3T!&V8x>lD^~~
z^9v(wfR57r-a;%Gz$hW)ZMBekJh{S<%^p>R%rxJ>lSt3(vg<708N@KY`7n$hbHs-o
zRdqUWwxY^kfNn~4(}!h)QFq`z9vU)_q%xM;m$#>iN)nSe8VS3)x`=tv*##Q%p;Is+
zn!o)zS@o%@x+!~*-OeBm>8)BmxVCH#JAH-a=CV|&xNd!cMZI)@kWJ#a5+AQ+^hNZr
z`;?)a>$`lkoguxV`e?gIuHtF_7shm0oo+7K8P=(=s6sJ@OL)~A@yHJ<OmSq+OTICn
zR7;4pT9iq&tYS%rsDhVq`o%j_SICNKBOZLbj#*X2upTQ)6DjaS_^*Z%YxFWtDNs(p
z?qI`xcMA!{Em!-=4@V-pMy_Q>0}IeH%M~*Q3=4f^F+?ROQSU!UcHuA7cU9L(f9qk6
z-C!HCDky*Ytr;*!9x1dFe(k-lyHuE2Ikphbg;!JDx}HvnyQGR8MT7Ke+TnztqRxNk
zU2fa2tHoy(ptD0&0wfm1f%GQ1giCV;L&0S&hPT@3^IH_P@W=wke-C2$NJmiq?<7Z;
zAF<8xTsQ|T7d;&(#r+Z45g<BFm^y6=V$3Bn{>k0Du7XZCYwQS#!|o1-Hb0pml*tdp
zMQXy_9{~oJ&odq|+MA>Y=Uy_`KG>u|rQuaXQq!snOq8l98;vgf7UK#f33(^S(^qG#
zz67N6%k?aSSZE7LQ@^d-`KGi}Cy9;I#(=L^PexOQiZdFJgB{_oe~s7`6t(hD$%r5s
ztaoN>n94#L;OsTa!+_uElRA=A8QlEt_8>1&d^&^O{e<@)6o92RDwKIscSV^cfWJuC
zjT$drHTC1Bo8eLT(52|&C`n6N45_OIO%}ULtNADVs5jpglu!!2fJw1oNV|G+ERf!y
zL#Aw|lhQ5bMSt&E^&A&fF%IR^iUz%g4XH!_LAV~s7doRwcfOk1!3ez1A{AnRGyb59
z`HmpK4zP>%GrPGY6Xu>`HNK!J0lvOd0X|`r5Pfa+N(WVw^V%1i0W1Yn-}({$0rAt0
z8sffatxATwEH5hWR~K4}#IIlqH&Mm)OwmMnU-PPF<48AK8%FfJtQ<b|{A|)|!7(Aa
z!Q;d$AClLHOQT{h^2t@4BLACiSov2}21X&-r)i5Hd@&|^8rr_K%#Wv5)y_M5p!6Y{
z*IU-6-P@_oz!rzcA#nDqqmyVJCf>)19ixtlXwRwcSR<34YeT(g`p#CDdwBIVmmQ(}
zlUJ?|plq6(3XeK{;SsDo<(4lf4v5P5INe!jTvTK_acv*_Ar#}dn)(dVfEF68C;T{W
zLL$B-ELp!iG#0H*j+^JortRPtH==8|xi&WH=?(jZj|0W~@%&4(L4czkNKg9#$hy{u
zw?b{2X9pH?9PJpN>GmDM@J`e7GH1<d#3Q}22f7x<<XmG@)TGp0=ndy+dfc{ui7w{u
zZoA}oVMU{W@@mw$Z8Bv3yDm<3U~ioI(R7KZ9f9?UI=Kc*qu(k{W9Ac}T2g91)p@x_
zJdWD+b-&BgNN_2^VvVU9@g|H!VWrvp`OL3?O)Lw`6n=jwvC}TU_ha;!wkG=&@?>U+
zeBeW3M>Otj9zf;ARPj6mN_^5_?;dOIJ{C3E<6??wv`t(9xB^?Xsp+?v@QO}o>!}Gz
zS)>%fik@MuH>SV5lKHUz@gaB<lf|(8STPmwJOS|W#J+B!%!^O+rWG^FVPXxVN^zMR
zM90ok&<b{ps1vvG^!qJIw{c*zzE1^5e`#SYGhdst)#3>i<(Z|*ocDQI|I#D8AhD!_
znOKVI>+Kvsg;wqGhthlR-HfWc#C~%nX+beoE}Kg(`BPE-S>QH1=M{OGH$`}RS>xSj
zh{njF*3vbvSJv?A>P_BF5B5Lxn|J#Dc72EEnF_0a1k%h(n=0CEdGnPxQW`W;6nQ?v
z$r)1O$2Ih@+1Br;9RWq5;r~><=+jq%0;WxxmEC_5t;s#MxC|3>AILA_8C<$FoB|f>
z`+Y!s^Is>4@T`gCcQwpO*Xn-?+nvtdzJQn%LIafg10Mh-avjp@{-<#<pc7)5Bn#4w
z^$D^wz1S`0DXC_Ml+hDOHNtQUKqLbcUi_&57sQXs|F%iN9hnZno5bH_iGy@?neRNf
z8(lMFig)sj1@3^xaUE6azjfui>j}XnS#x*7@c{q5_XB$auG`?MUKILTS>k#{pP4vH
zx!1@4h<b!KLmXD@4GhM}HnzkARwkuNDs2zjC}24#8IFgjgwF(dzw}O}ar-}QT4+p#
zL};LkP|BsXC_OZM^s}{_)HkvWYF`=-M;BjBl9>Zfh?Q>Mc&lBC1*56^4ry@wZ<?iX
zHDKYN5Aob!`cdvHBsN~}tyzI4s_G{PWrBEhW)?X0)JduUHC+sd&hLk-R>@AyUe32$
zoUnut!+&uWD(0CRr=p-M)gOpMYJ`5uXbqQV<WY_Blya5&8dCv8b~*-lgIRb&A`?4Y
z1%$*xg8f-^u*XE;FPM`HBKP){79-{5KI|HYdV2_IRCpu&{(-4e6tjHp0@PZ}@C}|W
z^vnP;5UOq@DJT4SSTZ#RHzgxSG_w4rN#1u?)om3-M<iY1>5>;xl=*zO?*nN$(As{<
zjdw+|mL7u`TJSG%3nI9SkGeV#E7k1W=bKEiPbX^)_Y}T@{OI?O<$LU;kx``Y^Jx-E
zH~Ep<EqvMe^llYjmq#?iEm9_d;^?!q#da11{ysln+*NhSns@25cU+)=WcXw3Y(O*W
za!k1+(~ss`ek%ASX~VRvc0^W`1yaI_u1{uiD$C2a#f^#;;~}Fc{LVqsEj05YVb7Wg
z8atT6E~y!8`<uxiZf7B9YLk-dQAM%Hgrw$~BG;N}TW<}OzoLfeu4MCHdHc{<j0<XR
z?A&I?SLkmC_f17-%R15r9_n$&mFx(Z%!EyD7%c7syCDtin}I>GNs-Y^a`w6;mTTc^
zoh&p#BB}5&*^f?NrMkLdM>LEC+4`emOygEHPA!%WUG;FE5#Ss{+op=DJ&T|2)+GL+
zS|(XUO;$(<xq97oW+IT&Ui-l{5c3I4t$^j2z?P~72{M;enQpO~d1^KooL0I#!rydJ
zNfYKoK@zIe&DAKkGufJ)!Payc4pDDqy}sA2QdCMw=J7dk*Ux<z!})}$QkJ(TY!4f%
z>;<2|8jO}azE1`&nE3u5LGfhNt;>CnsM1z#<dSvyoh!uQpi&=aFmF`7l_pw(me_e6
zJ5^8}C9a%Ufb?MhsWo!7erWKvc)^6H24yR`)<TcxdQdVn4NQ;0;If;!v;1j#ZNYhi
z&h*{gChXbYsLSM058eK9KhuYxJ|V}PgLbU5mlBLA)+65gFe~}Kf=k^1d)%l??Cr)+
z6C6mfi%r0ciyT+xerI`fJUuI%Xz}CwCBu}L2zJEpb%#n1B-O$x8HXl6dG)`|bbJ^q
za>4Rq$k%>pS<<ut1{QjrvkQ4Pl*uR0MNyPd9>I|vnBOp!q@LmYCdo8cewr*FwTGqS
z32<!yG5zQj`nz^r6k0bBS(YY*+CY}Gi<yUdGT{~H^v~ggS8f(<F$W4El{$x3$KoH@
zj#AfNnkn9DtxnV;{(m*Cl*0!`@<DufBQp-T+%Gyk?V$iW31~<5bd3eXDSmbhJmsUa
zAlCk(3OV@!CDK*Hq4c|*EJWj!y>bw0)Lbo}<uZ@IGsn1s6LOL~(0&E|a7TE7R}z9?
z6rrTmH0Zp=RhdvhViWjY5hzW`K%^D+_?OO(9zh@mxkQqItl`WHouQ3Ae7xS?Xic!+
z?lN}Ulks)4;I2}KkQ@{5V*SsS7$29Lzox!bIN57umX5g9>9CsThEe=<g$lbwr&gZg
z{GnCP#a`E*YCnxq_dgA+m@KRA_XUrbB$qh*#qG3~h_=7!<|Zi#H6MNA^3{Se6~LjR
z)@X~>ROswb38i}y!h=hri;+Fm#}f$NTs!s8G_S}~eyjwUwqFO=Cz}+3x6kCieuhj7
z87KqNN=8pwciwb(NQ7;2{PH4x?J(JCg+HA@aFtvrlpwF($8k_bfeO9-AIEqZ`!!j`
zc%m8$yV(yi-q#C(O!nP3D^m7GbkDoZ%)6zo<<1=%5SVzoY`J&HLru~c!Fo#t(6B{Q
zU7ef4eAyF9p2f6sjsPPiP4?uhts%XNXgrJ}e^vig#I1a2##+muWehXu?hPCp3u!e|
z!0~db89q-gtH4~+;$h<gN@-5!5A5~$zfcOl+3-}+Lr!yzc`DTB*_gW@Zh25ii1LcZ
z!97pU3=H7IAk>WZVRcW#Q9+BO<axmRDG}aEkjL+vpIIL-JKU9}D1e>d&`zcD;N5Qx
z4q1?R_nU$TK~?I<@u?!AZkMlmj(R);QN;8My?d!rsp*ur{nw7&L8T<~jgS8hE#I9-
zl8Jyn(j7Q~8c|jr2B=Zxe<JXd?>_TbWoOQ!<Kek3B2ln1M_O*4)NvWdy*DP<)gI|!
zXUclfTD*?y(6@9?R;;dc<iMW3S$%>E^eRpOIo4O#rHXcV@dMnfRRGlu0qpN1S$M~!
z$~!Is-lpnUJv|l_-99`t_G^ddF(I$pDnwLK#56{9$_|DT)#(gs<-Z*Dyg`U2HDBPT
z55yZqfjc9YO}C3-Q1(B393o4+m`uR^D>%!kwu+K>KlVJoL$8~bFYaN-^*^ji`&^r&
z(RB<%?GP?El;;RnoanHj&Ag7NVg*MUVoSw#CjR(+k8-WNq;0a>I1`(MjzUbIOUJ4(
zhfNg4B*)7{jp(^5j#Dg$#7-Kv^g}8B?YG1rT=H)|O>=e=z271p0_LFTR>0<E_^xie
zSG-H78z{wakGh_cWr#wd(t*WlEm^*qxhkJWDCqRa|HR%YbSwL8vO$;$Ti5gxoJftf
zMu)?2)S)wiJE%&s`s?j~D{{2tjdB=e1TU3syYOG}(c(VOHjX>RKU~d?k?s<>)U{Z7
z2<L9LCl>2F3n{Y9*Yi8uM3RxTOHb>_!;{$&`S`nW8nuMDPkl$^#KaWIP;>X4SiB;P
zw|biGaOm`rhEHcC6!*WoIH=4iP*II-21k4Id}iWq@jFA=J!OI*Sl?xu<HCSlG^yqB
z*;Kc?;{ox76(tyDO|RU?U%^ea(wX19Uj&b)J8R^=$W=g8U}jih#JAQy1|^2!aX0{M
zQ;od86_ah{Z=FI+HjhNMCzp2F8ITzOflH+R<UuUsPCI&<c}d^nC+l)^5#acqMk#!I
zOzlfd0DJe{FikZI^;J7g&T8H75l6cm&A$Lkk70HGfBt)=6PLw<knJkYZ$d9q+@>~h
z?P_GkYx4qB-T|&Q?PEGQM3hjZB_Sbr;ok3EO0K}M<W+Lxu9~!kNjJP&jSX|5qNMR-
ze`k+W?f8e}(IX9LVWEI&%nLnDKLx;~tlB|lmjf}MC^QdK1?$e31Cq`HF)iE3?fm|n
zd(0N;`A*n?u(>O25foleiyg&7Rn0(sD1Q0`;qNC#ff9)+iN7SAfijdQ<>dZ_E~6X|
zl@$l-f{uX4Q5&C;Ok0ke374bS@0W&zGzEmMB#2(sWrtWT+$#DPZ!>LMUxcY_j6_9x
zJ0Q|y$F!)ryY~laXDb>C3VW}`aaI+<A#A|Ee7-)Q0&Pln<l<<QtRWAmMP>$zr(kkN
z$l$Yl`WP>oIkt_hP^tvxL%mSfZ}yDwGTID3EQ50emm)g3k^c}kYLo0|t;>=9tZk6%
zE7?bPpTFFtZ3eNK^fli&Dh`PA4%P;nL~@V1D=F$GJM&9^8!j5%-J}TGCyv$s1gAA$
zX`JmvaV)7RnLux04v~k~l2*v=YgD7y(vR?8NlXP#d{wfFW=uh|MyXQNrA!{PI_E`o
z!wP0i8R539JN!INDD$+LxNLfT2uW8j#Ho)EydAFj7wby}w;MH(0*PGs@ZWs7ro3VB
zss&A@1H!Bh=ZBdptre#7$x|urtOhf}`Xex6L=!bP`szIszby6_lNh+4+{^yEg@ZzA
zYuAcrH%2aQoHqsn7w`XWOc@;Ft05ycaTbc8?rUE}U*k>1{3lRrqO^T?T<-K8tnd=v
zw#*W4k<R_H($)ql0=(-&Z8a>^xv?7sT7}9g4oaN2SApOzN<j~HjIA^RFPvu|<oyd%
z*kA1Q6ukFyY|9xB12LR%Om#RYJzE-B2L#C^@#9MQ{&!O|)4}F>nj5CL`@s0OG-kv#
z>F--?f-WM%L=n;igbRt(Iz64Cel6NFI=o%C>YPlb*TJ`?wb_$rn6{_mS5t6%pbk*4
zG`xF@(|5CxVzp0!#1Krwvo=u5bRP8qvv6)S^0`rrePYumy~X7JFieX8R7lwCkpQ{P
z0u7V!X#X!3pq)ceaC!`*KN?Jf1?+?3Y=f22WHAD`?&w9wUnm-(x43ker?dQPuusYz
z)?;;SF>tqs_BYLaD_w`-U!cz9iBXksedqr=PmG6n>G4CdD2QA^IViq+hxkpRty3`m
z)l61HtJS*nT1ERjuX+^_5ND04m(GW3!2x?hZPh0V%U-BbY!gEv2N=||36BhDe~)FN
z2**L>9ilJ*rI@jP<ZXbOnKu(mR(|``4UCR>5FExiYL-aU0t~8OyWA{gY&jfeX0wY5
z1SR~ufI08P%@!C}g1Ys+GGJ3ta0V<rYnD&Y_#yOiS1t3S5Jz8c6$06D?AYu)`=%f+
zv-qTT6@0y;6atEe(bso<H+x_@fC&u`4xd1i-<?ZbUj{f=oAPo|X}(rGm*v<3GwP#-
zGvGr5<zkRZZGEbETcHhmd_G<GXAGQ@TWZnAmG4b!hZ%LMgX?X8c~DeMKb@rxF!J|^
zl#roHg$8}HPgA8KeSVOK#Lp@2jsCpIt?UaoQexGo9ag_jj;ybz8HJGA^)`~Ha3|tK
z)f0R<CU0)xMT@;!;|;&|H79Lv0S+O(h6cxHp`ye}ad+SDvG~H(GwI`RgO$0b2~*N0
zfuCQSx?~%7arDku$A5Cg<9Z4TZ{$U0<(RkRzn@@nC4Z5y+@9r;J}NT}ZQsXXJX}@7
z<6$-j>0u4`js9G(NbKgIfkvN;Fw#vy5hXxcgtGAZe{%mx8o?Atp>ir_DJ&%mJyeiV
zvZrOYXkN9AWR-y6ICWF%BGE+|#@D@tQFC52dErFyi^}^4a$k2a>prHa1Fdmu&Petb
zy1um<B5ry6A~2={3?Ol_73K}FEG3j6LJm+H{+?6Ndbr7okgt>Qsdk2%{z0az5<y&P
zAt!8LO^B?)K}~m18p!tMSedKN-v*(cNmc)VzS!facxc8Mbskgv#8}iXO;T+yZ{u#g
zxtf@|wBkl-uy&YhmmZ~O>6b-c(EAjO^oYjAs@BlFGE3$ikT#3+F?ZT%=j;F;jGKDJ
z+TD3m>|)EA=I+5~0#24RToxQ+{_%|!badDOx0XorSRj~jJ=!kKv}XC8We~YWJ&)&%
znMYaqUh;oSN?4QD_Qq;sxtE!QQ8-}h*kZ{;dq7m=U^@?JpVf$8CWuQy!2{s~LZ_uF
z3NX9#{qNbEVZ^xGHz!9HILsmXao?xes4?yTD|a4dNrGE3pCHZ(t;x-SPfWLWGWXnQ
z>Yf0EngW*Yb+3u1ej0+y23^GMs+b1`fxn7)t@Zmr<uI=u9?S>4Zg23Yl`8>8!Sibw
z&f0c&oy=?HCfB=Tq=CMLA&s^wME5so+2G~cKOk>usse)V^^&8Ed=zdzuNT+Y)17O>
zeXr(E2BC@lFY*=Pk=L`(|7}nxJZ^lYJ#`a2iZS<oa%Xii!Y5C{nH(xwpgGgk91&);
z6~)yWjbJ8np=45Y!X3l_=ZsSDBF*AA3m<Gj@>M5_5Y_9Fsd4B`k@^+b{e-qO7$Ql=
ziGgxspsBKI7bSOuSu=7VeK({W6O9N@!+C8Nk%zS$gr&bX@b?GPfIbAyd(U3<8#}v{
z0p9)f_Np|g&f0&vz0Chr!PHR&ahAl+%eQ887(qfi%-S8g-MGeXW!jhhOulS1e!muY
z+7G8C-C9>H3wpP`*=LY8B*}?vZ@1F?hF0a!d#V-PpGGP7D6CW$)arDB9&N#uBlvd;
zOy@U)5(AS4)$I-8Xl~J%KK3|pPmz?S%H)g=ULAV>&gwri_8(Ww*7^3W7t>DN<YWsr
zNzwvxpl54H&&waIjanT8!~T+HmO_43=jV0Q{y;jYhe=kB&lYM@4-mSY(%dD81J)+g
zY_)*SnKg$#$fm6&)d`E4O&j~?B@KV^iG4hWIOYg0D`_q1&Z>;(3e^VFaP#JHB7-TD
z|H_&V1&<vhmLdB_v)x<E@4dWKUma!!Qd3_T8G^MhZ1R}+Zh1KSP{w+cYEtHYX4!=x
zyx-q}4M-z*T*kg?1+7hN-;G_;xsvb}+I=5-crY|$OQzWOy8gGJu-s4`I5owj$s1M3
zHOHSFzeC+4FbBA_CTvkZRA0lr**~9bJ;cb?ECpHK#CQpYNl5UP(LY=tpCc`|<v*u`
z;EOF9c&AaKXf<C+>2g;$CnU0nW&kmg(yTXW=DI%#6gsDLbM3?*j|!cbLZ}tio7%&b
zw`PUxVprU2m<teR+@x{h%B<D)w!=)~4N2)rvY-P#T~dST5d9Mo%$yXP72+<ADLa{$
zwq-0C@qEg&!|uDL^@i?n%#SMJ2%G5PPDdQz7gJgC3ZTJJv|Bmzc+<Na|LH;?4->t`
zTRq2TJ493NCBkqjs8SQ(R1L{ZXocI%F6JJJTY-?WU8+$EYi~=w$^{qOk}=2i?J^U;
zj<huYuC^b9Nv(#ER1B@f#o<R#?s$$4g@>(`y@te4mODmCYde~b>wN8WB*>NNJAFTb
zIt-fwWNAoqF)6B7_F>Y8SgTo4=g)~I7kTkX2$%tEBB8&b;{JWoQ8~2`%T6dJ+-l5R
z4y$L9wM0%Pz@XCD4plsK@c*sG9kaQ^1gW8ETTCgoBM(XYU}BUvv^T&obx??e@wkn-
zk+TBq(vu9-CQ-9L8SeI6zsvx#<}-GQg+!F}Yjk45zAAazf8UFbI~ek22M2rW(WP+=
zKF!f%<yc?_x~}kmx`5kvUNT3d=&08?F<<T1RHUUck?b)xaJr}JI5KQc<!;vk1{xnM
z{|iow30e2hCx{_@ZTb6ylQ}CuX4vPYi(QT2TaWhPFT;hiRSl6#hqi6f*17D%UO2OV
zD2IvWQB|k?LjKx!AjueUn|5^8znw@GU33H84<nJo9tJF#*;(L~0KXy7V6OcXH4t6m
zkn=>eXduon8(fCaUFM-;$4u~^0m+y2A-UB<Q9@y-;k=R3di1<QEbc>mUV@*vJkwh*
zW7#kC2HD-ws3ML-SLJDAYX+7XRW=0q`+CEdl+I&50y`@n52o`BHK{U4LK_L`ubIwz
zC(YD_1PKmak|>8u-fw#Qkf3$lNbvj)B~!%BX!RORRJpt+HFg@31c1LC$L%kWkZAe?
zzeQ3)%9MkH?yluJ_Fz0o2xgdAHcBd0J6fFO(HVZA^!+Vd0~Lf3fm%IvrL5Lj+3@^l
zQ=fv0k#Wm|s_b0wS7N2|vNlW6sG;x)N~%`;Q=9j>pk5|ork+!5mnc+<12xVve0UEW
zV97~L$5^kbVp9nC{GnZ_CFA=v6#^}2_@k~(`4lvuYFvO1kA_yTtPN%?n>U~NbK<1#
zBT1%tYTsv4F>fAwf6O5hZleZ5RuY14itu6ccb)vjC}|S{?Mx?nUxdub%LPRpe50+7
zVYaEvj*3kF<BkPOpi}{$n>yfZ+ww<`i)hki$1dH}k_v7B+aNB){hWNE=I_ouIQZ*H
z*KOCE?`cLH;UA473PtB<`SjdZ+#w0giw*tpn$?djZoWtDOR>;a-g~|rAhe5{INmI#
z1zpKys|yKN;t-NUBiPzPdWZ%!%BYfLJ^aU-6>_>eY>%fz_dH-roy|)E+-ka7R?=#8
zj==!WBZdrlkD6iEV5|yWOj^kw9QF|H?aUK4X`qw0)neDqH5`prcK6{1+}sESVr4L$
zz6d@#-7-C*dDD)Jxf*Zq3;vk5*_z0!w%pCk@`<AQCx=LE(fB<lkC$X8t%q#Tj{RzW
znhV#U^pq8EJQ9&EDq>bucbgo5o$|QRxc)Z|u-w@lPD@@znSkpM(_pfiy*c2dzSHyE
z8kI1^S*g?I`*eK3*D@jxrN&Nrtew7%PvGpnvLf^GL@xX13&D_CczE6PaIWW&wQou)
zrEvUNzQCo6IA>(XE~csJ%s<(Azs+0QB_P{txozm*MOHf^OP4rg#i<Oo$-8}-lqK#7
z@C@GU;tHO!+3PTLFjvT0GMEXL=S_S+xhfh5bfgm_5ctPaLp|873|ie*KRIjTC;Wnj
zXKvrN7vFl0{s8Z0Sc!#)e(IRBO|_=2*GsbSn}D|~c4+V<4#vXGXctNpO`bT>MhAb*
zTb`qysH!{ps``YbV`UHh3WH&vS?b&0@esbY&*tP$3R45Ws;&<|)i~9;W`Ca>5Ad>L
zI<<w}*&&omnylch0y1>n1@6;iXgoCX)H=1=eykms?Ahqa%$b@)1LjzNZJ)9Fxn?_J
z&w(Rv@fcvxGdXrD;){;*cGA6En*}BUn+v8=RwDAYRGmC8XQj2VW7BN?x*mC2S)OaI
zBLTcU0^jeBetLiR9saaX>Ln)0?r%OQarPCusvMsyt)6!V$o>6Pd#6?z{CxfHkrx)=
zQbEDus@TF`Rt72$!+yKv+%~~<*O#WGy0FY7i-V}CD~Y)q)1z-!9KYz_sszU$PnRW5
zG5{KpGxRKeEnD?kbKy*nlAh-58I2J7B_VwcrzAP~Xy?da?&C^7|09k&<!#e8L=Bs4
z0E-zzs+E;+=fp~V&-b7NDQmp5suIOX*OZOqH0o`Jls7H3zti10*s~@Y-{?faocuxu
zJl345YG*+WHg8@sW+kl4P?!r08wz&E!idPMx$!?FWZ8>VbF%`u-#jcxUKpq~m6?Oo
zD@tw-LMU_J>e9BAu?zcpQxC8&3=J9KOrqMh0(I!9j)xO9Viu>-ppEw(h%^nYb{0ZC
zjTs}&e^}^%R_%)Hg_zUQfJQ2+KBEt%8uB+U|FkI_b8!yCrlx3oT{mSj$J0K!Uy#M!
z1i_MJpJSMC5-v4XB!+P>>^N&*34k6Buz&{@+B!R>VeMY~zrxE_mUV`CF2OSH2{`(T
z5hVao8TwDgGz669SvRCak(Q4$9a`R}&*9%A9Lu(CeRQF17CaI+fwHW*67%lS2(S{&
zB>ri|pB3F>#UJ`k$=qVa>va`;x9=>38oP`)ri-mUY7#3%ovDP)i`TD)uA3a3qfkE|
zomYw{V&lPl+T7TL-06y^9e)MUW64_#i5Jg=k2q{sqYONsycn=I$oe$JIc~NjHlJj1
z$Q&|g%puV<4kofkRyhAM4P1nvCX6%uN#%VU?y_H75afZi$)9!0k$W-D^()P?rB-=A
zJkRR#t%)a{RHmBSn32b2fiKx7xuTyuYMBq~$!>Y=EoKv~T8Uz)B8N{|O>;)3_#11`
zMjrNky0VYaO?rC|7EE&68?9CPrF5_t8`LfMO;CDm*b*j3JDtA;Q>P8X%R?*=x6j?z
zy6Rn)?IJR`@TRVwlBhfVJfg)VhwV5UOf`@&>?<uKQam>nt=lpA;ZWr8+7>G`oeK9S
zzGGT5S-^t9`|?`p7`5^)euDG}gmxAl)%51m?JhdDLd1yvY&2uUX-|dOr^v1~wEbSZ
z`c|q>>-Y=YkKnl@ONGKqQ|CX=t`${P36KM$1~8rs7EakRDJ@kF9-BP;f|djSyis~C
zkZZr7aSeUu;l360pckmnOo~4&MgJa$Tl`sbE+mN6O@L=v%ghrWi*yPB%=P01!eo0;
zlOMXRh1Lw1@ycyVN4_QizEIO6jHpR3AMdX2v(CNaq-|J2t~zVjX0d9qlpVP~Se20O
zv8?xRMhXNuRZ0^ZbMti@H)nD8eX&J$fK;#x=xTjhYA6YxmH5!Xg=QkthG}ZfP6F*<
zx{;KiQA3u3gnC{6#Z|*Xf<@3F(OYY33P!8;kCvqLk}$yrg9i{>*LR+p(+|pP2KFxq
zdxQlQFP)I}!xp{~tn%Qh=rRMNUUDB79rLHX|JubbqQ~JxFfLU~HrHa*IZDyf2%R<%
zABmX~`FlD=%PpE5ef25K8oAd}X%uhu=-$SUl+EtM-5zkIoV8B*K0RJ~uUTimzC#Ag
z1j1#CEB@rpLe1_b-QI$JK8}uDw6}PxVZT^Xb(5nM*9>k12y^Z_XT0|##8uMLF%VV?
zcs$Ccb;3Zp<|9RvrTNc+zjm}j62PAW?ZKolJMd^*NZa}y@tL4Ta)#4c&>nnhIY&%E
zp5{Gsk*KRd-dRH@+Id7G?^?_V=}pJ<o&;(ypMetz6UPpMF=coGY1F~rmoU15=xc6)
z|F!f_xqYjGBMVhMbroLBEF>%y;jm#%;ifu(Dg{>ca19ncj3{n^(~<gCGey1}HLjS5
ze43R#*Vv7HVoAKYS7j{ieJbZQqTFgxC9PB5YgAP=duOCbf?*xytFDvFf!y5JISG^C
zk{`LA)_Y-8w;9YB>5TL3tdsUXua<AhF@V&B^8G3%+>;c#?xyq=kO#BWZ8l0(w3rei
zQiY_^2r|veh!qBbm?p)OO42{`ycTTq_-YLW3DSt32_+Hko_teYYb7)i%M!cnmduiT
z-a`GiKX5%dBHYgnR&=gaoDuYxxAFCAU^zH`i52`W7a&IyX#}?+QP#4>DK%Qjth}b7
zF~F0krTT_RR(;G&Jy3;6V}>mQ4fhGObPnWHI1EywH1M{~*4DF_BNoQk)Di)Yo!Rpz
z-NLwb2)U8PW+PtjoEDljF!*>TUzNY4EZIw9%Y-<o58A(zC(>`hy9b9B681Rn7$$A0
zaj~ujIdJ!PQ{Y{SjKYsCTj26~`Rx@OVZ62N!?4^{xR?6Gg`bvzD%*K?L72vGs;;&4
zcrd4soVND7KFgUCp`2<bIbgwoeFgU3ZZbyq<CXEQPjL(=4yj;wp3>mTi6{pp78$o>
z(J?mQ33<LLCtiM86$3Cs%R4GtO?8o=!O_cRMOA;e5BV`rOCKik+^}L~*1DULS-xzr
z9{NqHYg1(;vt>m8MFV<Wg!sz?VK==hB4R3GQ6edz!TpBMM+}Rfl74afJUmmo|Iy%g
zbb*Ocuo#tP;I2&2+9cXO8k1p|$bPPLY&LBq%s{qeBSckCUa>^tYbb!;*P=RYUD1)J
zWdz*brf@Dqcr~f(7*nP9nX#+#4X|BbeA<0J3n8z<$1!{h!f&o(VFo#}r&D^1sV_iX
zMP5%1wO}5`cc<3cOt)Vji*2!9cSf}00Wq~-mizSuQXze>yyHJl+c&td4mW$;V#~!-
z^{0vjU8PXCezcW7;%e-E3af!$w^9BFjf)>#$=}YTBSWW+^Cw+zg8xKWB0O&UEGoNu
z9o$*uuC08BfziPLhMc$cpQdx2znz2_`#aU)$jo?|nKEsz&GA<*C#Px*7g_@}Mow7|
zHx_&4-W$joSd7Pw`Lv*UbKYg|%1>r73?}+c)sphQ+(XY292z2rb0r!?z7D#=<A7s5
zl&<=Z{db5m@b(Q}_q!^snDTlk*|cIL=X@{E6=QD|P1uQB8@mEan|V~uJwbc~_MemY
z!rr@JJPr8Zqch=cagSU9tC$E5vC;u%;MHKZtVeGeckRO-r6eH!_dKWZh0@4d6fxXF
zo?%lwG5Mp{gb6#gqHHz^qDz%!WDQh%n`<8ClP<B`lCsv|zm)=s^Q^ZG2I@+;xRF+V
z{6bS+`4Q>p1nG*aO$ABVYCMC5MR;v3-NBX24;OL9#NPE>*ox4*eU*(?-a%>Us<aVf
zV<|bJRbAP#3^o{HwX-^KG++I|F93l&Ck=F^jnY79ecDSf24-nP6@sHnvb3b^JF&>3
z-i{89)_#>MeaZ+gVIxAbvuEC)BRMT&x!r2ca9&Au&{%ZKX<?4OT1#M-?5D4?z=?CL
zK6DkxI&?oimUsP<NL0*<XV*dq<sD33s*St7?yo;JGfNp}$JlK5p~*^{*+ZcGCFFBO
z+%t_tZ)*!H*xmJGg^EY06mJu|75&{&D;XlWU)*B6bV_Olrzp-1#|}!cvFZ~N5ou}E
z735zZ^|?RRv^he|G<JDLYHp(LeMY4jDs6n9XZ$LyDl?f-j}SeiS(&o|lGJe7CT)*d
zanh<gw4Z9B!)+pNWOvo&I~ey(YCAbkltwH0lsk=87SuEj0?Zv5H8X^pZ!dWKp@rH^
zlCN8_7UY{7PI6GD1Qo<#4(W=mP`GSOeyM`ztFN@C37jycDYa*|`?<GKQ6gEf4~f6I
zaw@4+3?Az8W|Waz*82%A?RN6{NZF&n4sYs#hNNfvOHD{_M*4nOn@gLryX-?vW7?s4
z6ldF8Ls)KT3-h16?6hEq$OUX5`CD}vSNv72XHi*jT|&8AX<^^^JT&wO7P%0-zB%3m
z_N%;pOBtuzSsIsG+BfyHvk0sQ^}HB;A4nUSaWA9yxL&IH=21)kq|L4%fKbr+%{Sas
ztMoV5RXgZxQ+>=Ys}gDL_k)&;Lu?hu9{`q^`MW%W9PY(aDNzTg!iUvNLMnt&^bGU5
z?1w9@g@>P9vobPu{r<&vVtH0G_>mfUxTT`pDz)*8F~k7Hxt@ih(Y)7~qrRbUVg-T1
zHtShE?YV^mH@}SdJrDv=;wX%Z@31EXt3Q0n80!cRPNK_EK{>q2>RFs~_$?ZI--%PW
z<LD0CXkhw#NW6K#V%#rGVXkL2M0=+pYSO!9AbOGh`=&z}QH!fH+Ia{AODKQ?xuSqz
zNm;Q2DQ$Q6Q`rD#uRwxoJZ^m-$O4wU^dZ}|O(3*%_AffkF_HZ2mt-Tsbf#y|!oIKW
zZ9xm)TDHdjv|qJO7By1sP;Xu}Wy1fNZ;M9kBVo+Zh#1@p95vx4A|#Y^y|77^)2|Qw
zysExya$_T$r3HVr`SH2JhX1`&ROKJPq4V445b#&qI(0LSchHs`o#CKendGJTt;#N^
zM2*Ongiwp9gcL3wHcz(299G)CAQ=b?LQ*#15MY1(X<Ke$`|6$nTRAV?+tKQkpFzV&
z9Hxli{c^=yUKP1&Y;kWdaki?`Y$qfw<(Qp@5$o*78`Jkeck#j7%y1|hiwGqpGblW)
zfL&@Dj?bMhu;NHvi`UD|k)~3YAOJ1JrJgYnlzFLHnXr2}(0Q{BNG#gD2e-bjrUE>8
z>n^>_8JZEpX1EHiCVmFaReQEZoKrujakAU6B^D(X{;dnhE!R^zsj1N?%_EKg_GtKd
z3!F0wE&EBo-~dPyX0X_tTB@OQ>W3il2e?kTJm7R%4GMt*XZg<xeqd61cGpVM-rs#h
zYMkYdrxp^0SqhcDRkk+}6ztr`3`-<R51b7N$-yZNuuNg8@Ywt*5`Q~3YMdqVlxyM4
zSB2u7J0Jn$$vWpEUmET%msWYEB71RS`Zn@dqo^JvWc@CxT3giEjcVY?D|99TWST@I
zIow#}fGO$LyU(dYTBnL#r>bI6STU)n(U!AQ5I2o<^VT9;tWgpOuD363h>o=+%o=AW
z!kzx`Ia^3$|1P^@R7R{iDH40NArx@!n_(tPnMCrLH3PL(AGlUCB#c3;#&B3G&g;x9
ztK}#PQ2*t#+&V0$kb)zT>yh}-m1^GjV~-S;9$$;shi3fP6|2BGBvq2&eqCd{0&hb?
zzvU0<o?r_8NV}!v-k-J!HiK`b!S!Px`zZ(Vw%Wwum8?rc4kC?KA@zEt$d5dRhoO>l
zf^V~!T`%<SuoAq@(6Ol`v&vLt{RHMA&L6ex8q-Lu6<6JU+(dUiF$s=TB~kKkCvKSt
zgt_vWY6%_+qrw*Uf8}3aO!~9P`?xm1#W~-GzoyuZ-shD1BY~5po4enObs$z@=)LI`
zzUi=r0yeD4f>D0vQq0NMe*|4_hDr@J>m!RohH)Hez|V}tI7wh!je+xK<-HdC3s0pS
zjGME~`+VE0Vp<Zba?b>LdTkJJ{Lnej;3)ih!0_+qG5);n(#Wujn$E{pOvF$?B0Z&l
zb{pYAG3<bs9{%fI1|H{pJ3g*3FcAFu9F`+5Z{BLJkA-nrThhMfob<rPmO`1M!Ipvg
z{4WKD*+bH*#`C7s(00U(8}~wH!ZG|xRXxY@tvjr+6bOB)dR}#`E@7v|H>ZiIm!Z7U
zN>vyMe7)%X%+e_oK4E=8VyN9WtT88lVI@yRnp6i?P~Y1+aik#IZzK3tuM^|DAA#>-
zZ;;OO?d&WWQx27X^JP}Hx$4QvuQg5;;fv)qBCzp!B#q@a8*y>lp8?PN<{5+SocqA*
ze?wTW*Ex#s0ww9ts<V}#heijkQ+?g%>Ao1ZN`Bi<L6IMBv~y(G-rVRRj$0Si(Ikp0
zNzlmouJ(QY#<1bE5AJQXlHfQ?_P5^2_NMT!)OI2?RsF>bd9#QjmkdjTK0G2s;NzxY
zhxEO8HbYNPz<sZdrpDCz+9(6@ZapUvc*q#<cT10NWl+=r);pU5I%{(}@cZt5yX7dW
zn$RWhgv>2I{<Oq~MIc|-p3u6q0$;1Y)Njai-$OJcsp$nhP~z;W_FtRkaXakgx<?HO
zk#7dX7LN!c-f8pjCzLpMV>x=$8jo+-I>Sn5??_i(veN^_V5FZ1=MX{k`L7km;inMH
zhWhUCQcn=7oM9QR0xc7L5g_GP(dT`*1Z|yz6YXR<vHq_3#1d-B%n8A&YNWdM6(yhI
zyv#QUDOI0%>P7@_SCVu4i0M0O-ur4PVGFOvt*Pm4U3=YFF+P1_^Oi`8NYTWp&nbc7
z5$&>f0@szaW4vs^U7ueQUOh!qRfTTEHH|4S8Rh9Qsih@V_<W}>d}%-=qUlbmiF03F
zxy_+_QjQKH<@lv+j+bCdE@STfG>cekNC-?GHR2{->S{=&ZQ)Wi+%dT0Uid+sv-|w;
zTLYm4J3R)0d`)|T;8L57C4h#8esGRGB3eFo-ja*Nd3DN*OcdaCd-h?vYf*tWqj=Et
zu+p>H<?`Q&xx~U~#js<n;UR(4HyIgr4H()uM_V&FwTN_3Gn0a{z&y{8Vb8M2rrF1|
z^~tpRs;%v*+cxP6-?bzwZg@Sa6Ps?5quuqS=lLu$)K5td`rO_Ao+S5GmEFg~G`Xor
z!;Pbv;lHo>ECgiK6%O~+V4u&rm=lRYN?b5D+Z^$1Pd~bLRxUZt6p7PO>H#bYe^9lM
z)y|0u()6Cz<`Ic5ZpUiu``+aKm%Pi!L=U$Mo^3!Tyy62D0Wv7M+*8!Ph{#LAVmOxX
zmaj8KnYivzcL&E8MTEXY_(SePSc%aDopjNZF0K1c^;TZhICI9VLJ8t-Zx-5&0TP8J
zOG6YJtK+Gu`w_O#Uz3{@$Gc5QV(+1`Uq)0|%L2g~5wH-Zb}n$S?ICO<zZ@{#vpAB#
zDEiZ?_7?hg!(w4!x=V>mftH>gFjv5q<Jpm^AURXil;NyB^*3h78yfVZ-zAGd(D&f(
zn@0`kWi&y#qQrIY8jgj6q{x#KhOmsq6Ix!)b!MO&I%FrV!POA?U!qE2*f+6*z-2nU
z51LU}S<B(`cKs%~Xv7p~CEibGgqQk+w27FI;$dW-j>VLEANyqmNO@f2`whLKoXxRL
z3GoOaN|(kXH?Wb-w$s5f+Kv2B-Lw(MbpO1|EHR%RDJvh$9v#*wFFDwQvkgjU6&I|Y
zd^jbl8P?kfSvCWOW1?q)zZ%<%MmuT8@Sa=91I3J`ha9+==tQkDy+&bNplZZp*{zAP
zQK#CHs$*uZn<O%W*87?jz2MC9OhVK-+lybBSG-eR`uHEoVPa8Rt3za*YbOFXP5Vx}
z-BDE~XM;Z^tDt1#G=fnNTC+=(it1AmICtnX+$6=531hb0(y!VlQMwJOihqAeF7jj*
zSyWCur5@8O1p5x3uwyCA861}6kJAj!k$zsb<KA&aqC75CWG!V6tdA!U&E}gqQuT~Z
zN)y#Pjv>g-JC7l6uBP8<)_8>{8EjziA}{~z_MC8uPZ~5+j`}H13A!DE2?h^1a5dP9
zVfnPAsq8djD=`dWH?%Tm#=yDgMGR?PDo1Kz#5lLnA`n_tdp2^=27`uWShe0~ZJxO3
zo4b1Y_p4~sb~`txc&*zSTCc_-H}4i}7=AVUv@0JBn6!ZPbf7=@vA!?&uj<hqMan$T
zIN}}x*XG5A%wJXJ2_0Qe;hblFedWr)rc&RaH*O;Iep8S4j8meVAco0vR}q!oD8`OJ
zDZSG(88DOH>HUO5DnKBq;^wQ!;c3TYaeuG_rV<gVVayz@PMi6@*}?lM%n5Ob?;FGD
zqb-}8Le<0x9=T@im9pCQs6;K3FY4yWmmQ=KZB@y+LGRJi=6LCdgQLd@HiY59tJFTD
zpKXw_VGW^$mM6OF>3~a4HAEP3`3)&dQRIoKGQDFNr(yw-O{2v6G16o`0=<F?7Xe0M
zJ<fSP>l#<AE2e-grmXq!QuWykYt8V1+$i>EI6b2G0RKTfHNq&hUS_73B5xc!Qhp>S
zF#IE@QSTv_3U-}}j#**RsHjYD=q4jo({uMe&*)p5)@wFaq_nsRdlF?txpL}Q{N$fM
zc9b$#Fm~!G0%ahAkE-VHKI*;Bc4}Opu1t`wESg3BcA?qtz_H_z;mnKA(@CgAm)(KA
zzqU`P)q!KxE-4q3#YFO4WqVJ>NL>C)Q@i<+Iy^VC1Sf(%I=cA3M?8;=Yz>Ly|1^Z|
zF6j&F9iU%|GvZydrleKST{ir_j5!)o<d+IdxEJS0T~?YYtWE{Zv?JuF%d?joeQg!$
z<Y^URCra7u;v3I56|vK#jytP0nvPXP4PEY!ShpymGs;;+a(#74&g<co7A&vxv_xug
zWRg?~nX4|cx}Yn|a6j=4&U>@?URC6B7^_OYr0Xx&C$0j2x%-@gSlj(2w!}v8(TT~Y
zdHN-q7sun`UI#Ih=Jn+8i?}H=#zp1UHc@Asye1+|JFv$3(S63<>#-WkfR8nB+ID-@
z(4p^~Gii)&$qqOkb?%Dnd+E>Gx7o${eaLPLC624^rg<l82!jkLMl@@Umozr|<9>wK
z#UwHkTOi=yt)^_09ZDp{;-{qNp|~0>CF!-c%4|P@iE_He=@rYzd+B0$rR&GEnz_|H
zBm0iLOaJ1gEz}wJoLMT88loVih5~5NVLPuYo49#KPQX+3Jlyj_e>Y*q=+7x5uOt5F
z>tdk|LBYsP+x^pk-~E}I0o$%h9TKSTC;2^Wf4-Z7@xS@^Surf5_RI3*f;$Zga)~1u
z(Y_^%n`ukNV_HCKWC~N1T;)Si#pmzeM;YH5VYR$UU87CXVlL0@O<nzFI;WmuXXxIb
z`zUZY;0pur*t;iysi}u<Zr`0`pDB8J2Fp)H#=AUTOO>h%yZWOlj-yA|0S!DTbYO|y
z9`g2a#>22Wu)Obm4flni?ibs(x$mxIJp-Z<BcUY&N^u@Hl{hbi-&yP&_sYo>ZZ`HL
zRI$|}K>V0a+PrS|fqA6IK*q{58~S~v%l9aiiuglA1sl<{ONsF4&BzmBR0+NF>I0<P
z!(;PfgV17w0q^`YOYCi8s`^Q!o?u&bLQE6PM`n^{8of#Pt*d!wf0x#%d?)0Np~1su
zuB*X=(0*8V9o2{unjIo|GP1Ct=tW~JzLOh0A{Nw;$Dy#U5UZ;BdH;70O)d=Yb9G;*
z9EKH{zdI*U1J3IDpL$?T1mWVaiCfIjDCE1L4;lUnqu;M&Z)=9z->L`sC8M{~&BhJs
zvu-&N+M#_$iLXWlSB{%z+1fg-p4a=oGOa8B&KevSR?m)%GYFe+>`OpEmR}@(MM`R_
z5JeO{)Y%4NbkH8>VJBDs3x9CU!+12OHdMEv)(!+t+4Wm+`-5<18!DX3Op`ZrPfAV2
zS<M;z6v@~1reR5J(uR@}G!iaZ2Khq7bq<V12;Xr;lbTwW9<$a{6I$xQrPeHdHyz_%
zU>Qk4(Js4K7LK;k)1Aq(ULWYPIW?gmhYXFDrz*rXs<BA=zTiWqd4{j1C{MI2^+|vT
zxx`6(($`-L=bbou&0k%&`dO#R+lR$LK@%1S2~4+wzw%S5?$_{VLu}~M_i8s!_6BO4
zqY+>+9IAF1J*#_-xo{L^2USF;rEc3gE1zhL|yO?Mg8M%M)ZxKP~PHMqN5afjjr
zcXxMM9D=*k;u74wxO;JT_u}^P{`h7xnPjq)z4xx1=iEKXB13=D=O>Di8{*+wfiA)0
zPHt+}y|>`uLQ=A|l~2Md|LKe8Z;}27gKn`+Got48Uad=;{ojg>w>o*4_!(vCXll_g
z<owV2n$z2jbHT6YznOQeGs4(;0^K(0xj7jbG328L)fvUvY3|$XEwVKcyWeZl(qbP9
ztoXAsqn;MtJx=7-n%5=)JMy1CJjjNicQnM?pQ!J%%A9;21a!4_=M2{Aviw(}Bt=Pn
zeG!Tt;As*sBiC!%eDhC#Vy(H%2Y9G2tKxmPht}=W9cL!>`>*BU&xv_EJH|mH*1a_n
zoVELbVB{fyb-<kgDJ)CuZySC^Y=^Ff>d@6p$6P@bt{inu@&pwb%amTTq5-?!b2N01
zCkvwonQX)Ez?@w^8d>?2w5bh)sfDK5xQ(@OdLmwq(TbsPxWPI+q?)3}bl9ean*33D
z%}Ee3B)gE>MGYSE5?Jh8(>@gHoZz7raE5n*ZD7?>s&$PN`p<q%jio)EFOTN*_pXM^
zepNXY&dCQU-evr~{&}>KhV-+>^cb+iRc%>O#H!BM<mV6PDq~QklY)sC{lv6-)bB{n
z-QP%<2}r-w)qkj;DsV{WcyJ5|6GEgx=dFtUG3_~Q+VKR!c~yGl>})FcUe|m-ZsT3t
zgN~1;B&nkWQsvBl=Y-Htqly9NC&`TUs{uv<xrwsH8YZ7nbuvRso0;Q{E?<xtQIZ7R
z9OFux?q0{W8#HCGS8u{iF#S`3`?6scVXjOQ^yQ=N3^euI(5@^~2~dQlOjp{vDjPl#
zG1S;{L@zmaOsM2?=aXHri1`nh2C-I@j2BReOmf0Nl#IPvn<+`szW6lr2>sNi0_V&J
zMaG{q!#jt*-9Ny(9=t;`Zo^jhdwpoqT@q}U8Cb4yC1}QukFIg*mVWJv<3LX{M}L`z
z;&Qb|x!n>Ck%Md>aIp@QGHqlS3W|6A<;D?E?JX<L+$m0HAj~T#?Fcz-UFPcgQVg&e
z%^BMX{$Zul>1P#PU@2bOrlb*>6MmmuZ=DhdeEA$1ugg8kOA=HJ`C;C3>WfYN$sFBO
zW-z6TLR_s;SRYNWn?CM~lYUm3@?~YAPlAeWeFh1?QagSD#Kx0TR9{IjA9;W8Tl?6d
zoBcQ=)uHMLkNP3Tug`(?j8k-eER0xZ&qA^TULIbY7pYHZTPk8c?RqanFdd!%!DMJL
zV?;uPJAE9+#l2!REGXK*)f033tnes|7iq{MTY`R!Cof)B-RQ@4i)<9k-x2-G3~ZC`
z636%o`G@)bHlycYUAk=Y#*|pTZgCz2a+KAZFVn6mV5<-S`{FYOQnVQ!ks=3s?j)PU
z7dJ>@2E|6^Oq-lf`IJ?<FpiyPDU?xi(7Rl?!a*!Y&sjhBSDTj?bD$^V5y^6JCzuN+
zQ(+`U9{iY+n`FzxmAd(8Bcgs4Mts+ET|VXBbxFVSVQkS4a{bRPE742mA8u^AZ79dl
za`Xj>lMsEFvd+0vpv=e+F<xrS$dST19w)XKn5Z|LD3Dz;3>XU+NXO8mqVG^pXysiM
z`$W%RU8s5j-iA(E{;_J@yU)&avMfxLz_*FM{iz}SPT4P+gnD**yXJ57A|%a`R(j+q
zUlUjDr2HHZJzj1kCnZ$3XXkl`rb1d5aEDB|>-^PzbhgXUvFQ7aYiVLQ2mmvY`ACUm
zZ`*mKTiv*%RQ`<iJ*d~Xo6f8qh5)NjzYaj0f^UCS^<8t22i(4(@5qMQ6M`PcgEhR?
z53GfyR0rT5{dRnXw5Tu;0zYohhNi;lnCfnx!fmf#7)uFSh@_%ko1ibN>k<cVyNUPu
z=E$R7HHB}DxK1^F9KA0_&A0|>*onLXvoQ~QlcB(VyJb=Y2k5uE@S)$;*Tk`4!P#AC
z+fQjQtXVOB_Ar-ULxxGSo!_TGUx2c^LsJhf_o^X-I=Gv!svN4CE!+A^90L%m+4+Ma
z9o)lN;e*#c<AS%XQku={YlV4q0be?<UW}RbK{fe3eWZcr&<<(dqSw1(mLa6CU_{B8
zr@#N*e;9QQiU~Fy$y~O$|Ie&z_pzxPVB%a??r|k)qO^SS$P7ktj_yX+l1=NgONOtd
zNt3y>?(<6T6FgeG9+Bty)~x&qVw#*$Z`^_oh*9OYJl$tIef4U|X)8}Bm=g^=F9@5^
zvI}@Q=^h~Maj9J2+O%erxbJ(-*C{laz_|;<tBvge9vH9fy8u52hK~bXTdPvwJK4>U
zMm-c7TFG>`z{XI$v~Nv@qTkcK#eJj3`06Vv71jG318xf^(eKv3eIHj_Hk>(-d#_Tt
z5ml$JH;?WC&!Q~UU;Rv#8RG2Ap`j{_=*da$#{@k(IPwiPE;F~LQ1!@j6Iv@egG4%g
z_rV9L#it7W(8Kd4?BBOtw`$Tqzj#~Z;~m3vhLd5m^R*pz;k%*WLztF&Oe9gwf(d*6
z*Ui9^B-dbLK@Y^u^~J$;1_s<l<GI99E6$0_N#v{N0dy=4Q(rZ@z&a!uAJ&Y0=}UL#
ztsA&6x><5wZfe9_5HylXtBEd28j6Q0uHvt+eI&iIk$|)mmJ7R`9(S%##FXMwN_K?W
zXazY{Ry?E@dyCICF`urX;u9CB1bBnf3iL6*G-!Bv+emY?YbN_MZaF9}jttMCoi#8@
zB=mew>>A<qSA%~p!HAZet2eOZCMacgQNeUl#dK29I?G=>{WWe|vUd77d=?(3Q&*0z
zV3rYOnI2)89&L^nQ-~K?i2wOK)mmTyrEkP8rkDUKW=B;lYRzLu#dhT!6}eF5BnF}b
z_Y(P;ylBgnSTnX24CCkgdxGZrtXOO6Mu&1!u-6*v5-}bo(7j0;sZH?>ggO3H9Ku8t
zN))ay9I%tLR>oFN$Y=GYYQ!`YM#utXMQ8da{5h#^CyUSkJ3z$0|GR%#0=6DEN1VOG
z)^#QFqp%6qYGf{5fX^cVaUW!Fho>U8;c{ot3E_{Wx%?qcyLmgPwDq7N;|wbGyi?R`
zo=Z53&>5qx--_;j)}DwEi?cVnqGz{rLTayj(_C#srs>fz7eL(!Tt~;^wM*@rWM2Tq
z?b^130snGbxiz?gVMpMhvY390GCLVT5U*lc=8yTnX?h?#9TnZ{&KpU9>luG}acx;y
z$mN-#cM@y-FdPI~5-8+~pGmAC!`W3Bf9$HSS%A;Y8>^t_&(|y{tPO#wcSTtQwOU4?
zBrB~S3WFqxaY-j9-oZ<?=QIaSpE<|vzg!%W4V~_--~&z`2^cpboE~JpS-wf-jaDgM
zI+bnLtC+X*GdtaM{KV>xt)w_S!Bxz?P}8^mM2vk1*v*!b^AFR@&c5BQOM$6HM;}ro
zA9DV0L6kDJxV1@udB%|@uy$R}lC$29nZKv6^S#66eVu3X^7@{~ZT17kn5^BHhnevm
zw)p>R0R%3Z%rweXv3xI~zF~BlA{2i-zg_3xf1&&aS%~$Ldni1`K@<-K)BQA29k7x2
z@G|gbf9qT6N0%weNaflj(906{Z&o0o-=XoUKa4+jc_I3c`Q}0qbEA`Y{9&_e^3e>Z
zdTg*uW8O~J;ODwc&!sckzwx;9gla3*1DeZ+tCccQ&h^5ozkQ@<*2cR#8IYmInT2NP
zprl+FHqWKXM?G#o=GAD#_Q@Vz5ufHPj>Wz&j8*Vg<FV8W4Qn|s&OVC$<_5yte@;un
zWElvU+f&ZZvCniger}qx@KW5GH_GsyL!!}VyQX@ZV?D$cdENeFz0}8}NJ0OKI(7<L
zYA%k7k-yB|_H9nla8vS><PG2&Kd$=BsMfw=y%2+~nJg4-*%&gTgp*;S5-_6_=K5JJ
z-e2re#;uSP3h@c1Sa}nStpI(0yozgL_7>~R5@?b6=~!G;NnBJ^&hk5kCA|}p>f#YE
zg{0zN<x?VCW=4k9s^ZHkP@MP}TZlE+s&wny)$rN&MKWd)5)7`Bbs}D)_Q1Dup+AqQ
zWYKQ;=#ZD`m|Rp1_I?!(%l=`&BhJSsGft4$%b7BL`LlgY9Y12zug34<(B81h=sIXR
zp%DhL-UrApF5nThbcAgDV%+@Q@c4I?&YyW(20^Gd?pM-ph1&cTY#Hf0agTxko;8bv
z^ay&QR<!M<Cpc4d^tA6-HTAzc(<>`LWsDh}8O#hYGa*5VFKd1Vgrb}0#JFw7E+?wd
zJaMse9E{ZaS-9RyzJYw_6A&h{?gX^!O-8WNmX3+Io5a5>Xd)?P8~*w(cQqwvy5Ro)
z)4N9XL;#|Fy_pc5)Wc3_pJ*fzZYzlza7V=bp(qjXvN|;A{oxh@24f;Dd7F672YHdi
zTl&ya&hdXOz~2yH6TLKop<Jo~^qaQR)8)XPLc8Q^>QOM*{-De>qwa9F$__5+r7aho
z&a(_zGpHF+&c=n2eQl2Nt}}7kQwZ^lRbs_SaLvXN@#RjN?&8&cG|=ElkG6$QOP;c)
zYWZQ`%lW&WW?*~HSjjL$LTy6NEHe#T{uK-~khs=&F(AW5#a)!K2s!Q9MiY|})}hb+
zD{*^o6Et}Nl}R6KDcT)_Z7+rdoIUH56dWIgxh~X+fO{qjMO$Z;Ep|}}j2ao1NS%T2
zSv?|=!Bj?ILki(&s2Y@1t4w>ABq6}@rZxB>FENjlNJp+i$Oo}()4b)Xd+h~Av`F8u
zFUu6=w#E80Gb0;nrDw@r6)*E?rhHjaW%%nqtd=5|htQa4hk|jdQDfFU=S{{bP-6oo
z5G8#&P8$1T7D>fheXVIcNSNLP(xa^3G~Kc0zs)JI;}cJOLn1LlVh83Zc(nZ@XVYJc
zr-ZK_irS=!&4I{^+4&WmXd+NV4qG&!BnI&kKKQ_n%vKnmFi>|O8Q1aU;BF0H+c9&R
zC;s4dp7*f2A0Kbhs9vt2@e#OAVkD`H);$$gPS}r0aGZ>`LyUqb8L%oe&^C}n5Uw1;
z=RrMs)uP}$J$b=oZl`b9@oSL_IbyJcm)M{><@=vWEA0aw$7rW#Kcu{&LGgC_CFj5q
zaNpN3V~iYi*`k3bR<s)Qs|lhD0=&tqscw=jALXb_dY&miH*_ZCd>%3enC;T&V)*Ss
z&b@TZ$$(ddki0Hl8TQIrUtK-{o|MD{Nk}p0Ke3l6Dgo<nbX{)+B!hhj6{)b^eva7l
zDOCa+j{TVQ>;BdO*C%9sra(;=mK|5+`6+@4bI2J;1-&cbfa}pOm;2e+A1AI8>Z!{5
z6>u|ZJtiZf<E{xgm@1*&zEz-~+en0qShvS<i<mL=R&75;aO2!v>B@UHKeqS}nFmVC
zoo<Vixm2`VE4~hM8oL2NjHhB~KELC-da!IYLmqERvT9cut=dMGTB6I>=>v!ag(n{Z
z7Gmb<uYKbdW*0Di<&V3MJ#lC2q9&A%-*%sovzJ{RUHtd^DwK6rJp8fz<6dGltaP6@
zb)DVnk9P#2H`$fUuYTua@`yvUb0G<lNOfS$e|&J*eBafBs{;?|aryKAYWO~#B`I<)
zJRyvk;!y_|;JdA(eHBDu*nAbG8B&T<Q#m-OSLU9X-C~hQSl0`K`1l7pJqrwsxG}-~
zxK~~&qkXyZO}Q=8g^KqhZWEpi^w|g0mES&=>j>92#g6{4Rbn2lzx252U50pN7WlYN
z*#C>=EyKW15}s1NRf!2>`3(5)5+H^mgPkMOp)D$N-)RH6Elgh$KGp=;R-KCQxo0d*
z-Ru4sZVNA70sGNGpuZdRSh+>Ht1QrzF;|jDA<88|2VY}%*^}S<u9wWCB9z6>aeIWz
zonwczSW9jJPu@(${cGOX<jm==-^&(PUHRm}0sH&iMv-gKj$@UX=I-qG=u6VB$@y*B
zY;MH7_1RvvQ-@8YtV(87#hYeF{UTE{jFR<H3I>~{&IW|;F{#?2TC!AeshOwaNRj}T
zjx2Dwn*QE)y>6zr5pX{GE+3ydGFncs0$|IJBinn4Q5C<OEvjGO{QjiPb7?@_14SU`
zFW6X>>pxZ@5>NMWTtujrFQYj>V#7ZImI|bl43vl<@2f=$p7|Gj#Q4ie2;EJ9_BwLy
z0}$s0wH6Cmv$Bger3nfdV`e^}l<hrjNJ!*z*ziwmJ&<AlTxVFs_mT2Kvzd<EaaxHv
zgxa+bU&hMur+2wG=5mlABmMn%%o|nAo0?MX2wqZ)g)-|*XlL;mBz1p;Y=KTKGsw3D
zO57LI>{HNm4yF(oCo;u-;LNVV>?Ki7j8x1m$~ZH-MR-!)5|($3>+{W{z6Xf`a17J-
zv^3X}C=(1Ht|B!vOzR_hg?8B|CRlkj+6uAJDj02%j`cz$*!VkvW?^BSgYjKKIo+{y
zt|vuwTXT6qv**y0vG}(_|7&`DmJ}{Hw_~o)CgExV;PXX~H0HL_lb<(0QK87uP-g_!
zlc`lwAw#*yEatQTKEUgUfTjvDd~u~%wd>{^q2fNGB|l#Ah<wS*(?xqu{~Q9gD377f
zub8_DbBRRu486G#`(})r^>;4|z#8plz$tw~p_q9>xX8xpU{g~Db9*wQNnu^N*ZHs2
z0FbWaJW@bFLpbSP?De@jdDrtayAHkOA<szWq=X(bk(!^9KoJCaaR?^+$D;+Tqam8f
zop^=K<Ld=gh@b1_*JdYiFwW<o!vN^Iu2;<YVQ8FJz=EBPk;--s>1lBBsa(_;-p*1c
zyoo#Eu<gerF}og1UKX~Pq?_v9zoeSW2|pVwR3K}>yD^k;!MX?Nd_Vd*ppLb^E;-S9
z0XNmTEV<}Jlr_;CYo2nZtFJh1N^|5Kaj*s1hFb<6{IuCkZ*4$bl$6Hsgrx^}ePw6<
z6@M{ZQ;eA=RZdP+v&&NGT;FBGdT;9yQTAT=rHAW5TZF$|HOo#$PK>LR6;q*)RMP9S
zj7T_h+;3~@fViB>^L;x928RAD*~ADGH$HF+QSZ93{<lSSO=J{(0@IIU<2D${g6iQ@
zqr*{z`>L}1y2rj&T15*^C66#Z5A&egb+#T_Rw{Zi<^>iy<GDIj9UDK-*J$KVSSh%P
z>m{G^ya}Ox<;i&WyuSN)yU-v}(z|F4G&K_Jo0iDziA3td#LsWVW2Jj2na{-J7Zckm
zrALoTT<c;1{t5b$pi_whezKJ9wSWfA-~2=h{xp|0LJxfsXhgN4EXAr`F0`d86b>C9
zNQ0pjp+GNzA%+z>sDVz5gUw9Px0QNl)+m>Z!$)^7K#Q<MhsaMy=ki^5ySVKvnAA)~
zJ=jZ*fryY12R={w%O38^^c+&sslP1qri@dofYRmn;%PtEb};9Hmv!Y`osBa(*Zzes
zj+iPwIt!&X83sgk$~UD3R>c;!_`RzqS{fE9nL`3srbgkWDrSrIn`!WlDSri~VyRW;
z*7qlW?w}2U_N%t%#Et-~Xhi*_^ly^2Nu60^z<Esx`hwr3J9m)60zaYod5aOr$!c3>
z#+v4-IRARVt(%khU4GBZ>*SVM{6?UV^pXno^!QanJ(YPa)B=x{Gj~6x&lEaW+PxK|
zd{$ur9P6#hOD2lf(?qIzpyKml@16F7shIC=Y8(*k=uF%qCeVJ8vxF9xnv;B0XEhq)
zRJbQ4Is8)#Z#GZ1)qMTufZYSk(rM4ZajD9tfL@D@!0WWhnPQ*mRLd}_8%}dHd~Grs
zMSQlQK6o%c5W0x#hsHJJo2jp!G36`ZO+NZklK&6YoRtbQt#9;3Q{<tV&f*Dj@#UYY
zySTz{%YQ*=F0M%FU_8AGIj1U$$$?l|Rcmy^6E__z+nd=g-r*a~k7zu4AX@~DI{S?}
zSox1-UQ%~`JiFrdxLjdlkXqky%`Y1m@dEbGK=1Ic2oEpCHTcU;3)a=Lb?NnV&9LGd
z0QGL3q{Foas`#S{3{Dz7QrmLtZ|GWNN>?S-R10WQ<@(BJ8$U51a6ouRHp$X^ZWTWg
z^`T4|ngn1%bdcn(09gWQa=7BLbL=!Fq9-fHGiC=S7K#5mE1M6T*KN7!T=O!u=xgdZ
zuvwAiLNf|(;l^D5GUQc1;MltnO$8GSx4Huuq<Zk}8-rHO`;vT7n^(0s@N+5_lk`qx
zoXRMa7=Q0LX=~?V(ygXFB0`3s3A@eGRg(EZ`2(a*9c--_$5t=nT%UU>kHJc=o#CCj
zW37(fPCYwT^hKB;h9j7zGYl$8lpXjKtqqd>qYOBu@D$jl)LKjV<?OL+rBewSY)<ix
z?%C;aS55lL+bo_iJ|{QGlD^ShUxsDxK)Td5Z$I`b_KfiXb4AmbHNAxN-nam+KcN*#
z>RK&N<3qOBUiP$6Ki8R6G|yVjTW2}98oyF>Ts^aTgonnRRhi7Kp!Eny80>qKmP`(L
z9Z#Thu5Xn|+b%U0`7P{oBH^KqnVBPpuSd<%d6Dw?sI4_K4&&xpGhQ(%sC87EooGgQ
zAI3mU1$^)yH%tzZlo>yyx(xOLk=7~k+{Q=6L4(-utIYz(q@y)%&Ob!_$`cZSFo+6Y
zrTWBP(-o}zK5*A1Ob}k0G;aRwy2~W;Rz*jf&$#d6T<?ay1;0MuL39`h<oV>sw%JU9
zcceLsSu@n}@kXxt4Be9^kNi#w?gU#p5&Bs12_}9WQ~%8B&$d$7774t?pfCk4G~nKr
z<k{z3uXz7x9WpQI_$$d?bZyw}o^jd<pUMgSxMzy|SJT^xuVlg1fR*m^xM&Cay|q^8
zwO|zeo}4NXS^4JPn)NI2{ynTXOYp@HR(dL0P3wF=@Llc&srH~*Ke3$fKo9rd;t=Mm
zBTKd^XRf)vKfK}6f`WLY<K)5VyL{j4rlW!AyrQsgASP;~7N#QI5*R~+PkQiQR3X;;
zO%Y-?VT7vM-Zl$~uBd#g;SwkjXmXt4fP%);^WpXgBf`57BN;TczB$f8NMONv?%rp{
zm_U^<@3h3I4x`s{rWvb8dgy4-t-x97WN07palGw8e-Hu3u8`!!9B2TEgxPgxfLr3z
z=as|#?lojW0t9kY6Y5|_SYjCniwrBrKEw}~bEZB&l0Gn*dQbFjZBt)850H1=<)*_i
zqqcb2=zl#2MLB6Rg$SZRUOe$cn^=dElC<_9T0T!BC55Sy=4~#FE-dJl1Yu8*<!Z>9
zY5XNxnm%m6{WdihXzIv25*O=nd!M4WyL7s@YkTVDr*WQ*c8Hqq)+aH^hqb3SXE1|g
zf**R_;sgvyVo$OTm60P)9LJct#<Wm_w9G@#XfO1BS0COb+jCbv@l-kRR5@`~J#$sL
z@KhmjQ^CC1()-hJD>lkG(9l{;SlSj@t{h2J?l2xvKb%GxIS8hdbwg5iX|oK%TsNl1
z0Dk*(s<oI_V`>e(ilc?$6v&%*tu5GBaR}pmXD348ynSz7iFCEs=HtOs-F42-G10Nb
zHjtSi3~kn^eZ>oIA?ALjpbPM5$O<MdNdKldJVC?5eLd|Dx@cW?Y2q1w*f`zMtF|h1
zu%kOf6wtLULozuip1}mhG=Oo05wj$FPcddhcrI<f^wn}s5g+YU>h1b#h{GFhta~6n
zz9<!)z<l<<c7%~7=XiGlBwm^+>MHp|WW7CkKE@Lk%s)qbaA|;BtE!ZhqHJ%yvpwHf
zXjbVYzU>}`^dtZ;uN6-HG<cfUDu~u+Tz@s5Y9Z_$xEnnsOl2#9@QQTRexCeD)EogT
z-9GqqaGHi6T}*cmZ!w&EubV;s<c_H{OzDDx-MlVk{U>tFL2@2Bz#AM++ClT@6jTx9
zcb8z^unq&ZhrCV}<E6r_s{#2lBhBr#HVZ5VYO;!ZFjwz^P}ef>A>%dNsWFy=(hEyr
zx&>DzUbF_|DZPx$k@Gg!<!S@pmB=)BB8sr2^6?D>1crZt`i|O05;MsRSDHi28xaM<
z_bWUZM_e5}o%7WqY)^H@9*0*X8R>6T_naA*Wb;e;S#pmKEyI0e%sIsjXr|7r%r;Nx
zu7xO0`|Hb{g!b<J+ZB8Bf=j2G96gbg4v0ui0`=$g#xLz1&4A~f`)QefMq=Ru{2TJd
z{KcS{5Zjhp^Me{eAm?R!zFLYQiMmbwul|&Y+w)1{9j*=`>YCz-M(%2CzM5LK0nXRi
z*V+%N*1$tE>GWXSp_V0L2BIOGF(Er`)!xA-b^`j&qqd(85w}ei>3Cs3i-R5ZKGta?
zh+M}{#&tfE3KR5L2#};769kT|-q638!ee6j8IjatM@~sE)r=W;mV1HHimUHxCq?;7
zlID~1#tHq6za1vAfC{bwW0v(Y+F%UsijWC_aXtK(&PSa#ON;SvU>JEwzS|@@JMr{|
z$KDcEm2cJ~Hs2EaZW4kidWMspg<v@=NeVuSB?3C$4lal$d|l3ZT2wIu)F#Kmwa;ub
zx|WQyPT*WKJvwAMpr%tLO1te0g!8%#P!-6TKRS|iIhG1ST%^v37?F{Y!B9_a)84=`
zI-dpT*!X*PzEa04+4ifp^5T6aOpO@-_z@sM<yqOC1iM=qtXl1u>0wr}RgS2&?(Xmt
zJd#-H5n;_nJd8+o!h#9r9|>%+IiO$oVq5F&W!ZP<l4fRK*I8?TOju9nh+zqy_tf6k
zIq3Ypk`jMssYL`95XcLMFIyNyk4-GI^Sb%Que4!68YXl81Aca%^Vu_iW(G;FBNBz%
zgKcMWsEl6t>%A`elX9FvCIxfOd}oN`i_gAn_496*2K6}@KNPdy+tcNxeI4W^&z((I
zfNL(BGp537C>VxuBqlyw-!*0jB3BO$ZoG^wH#$3zn_2XyZViS&HUYD2#0!8M{Omo~
zw<?_LfA;I@+!fgbcv4jpZTBeEdPkBi%b>p^Zc=~a6pYJ`bUM>(sImL~D_F5Y%uZiT
z@D%IHPfjHiEpdcTQ;&HJoJ}<M!}g7C(lBSQcb>NZ^U0VeDN_!2O!sR83(B<KVUI~d
zJT`hvif72$8E5O_=qOC&-@h)pm12MIyzQ+rWjDWv<-T(YiCg<T&q+{Qq8z5+3Y1mf
zeIhu&YEaxh#aGDzWSkBelrw{<Vwgw?Wf&))P4ix)>|X9bW+~ZU0M4}H3*Sv9BL_g9
zd&pk^+w4uX=aCw+>!&32bSE_dLFygA3dJ_dgRyY^&osmt$QEy&12)0(A|Y#%_hbf~
zc^rP5LkqeonuOA7!&p0#H_fERE>cQuhSBcoSGFzi3^Ns-N7@;o8w#IbR@tkcg1^a~
z^5qLOPi#h2oL<iPW6@YsE;QU_zyDX0#cxY`q-S<N+ZAxsoRETS;BVP>r81h!wC{>Q
z+GdOqNncnGVCTb2#|N6@QC|`x-tL_C71s0X@+4pNca=j*%c>yvsz6I})vo@c<P@my
z<J|r;10QgALRM~Zb9Eu-VaI69{@XZx>p=&8y$2sRmQL_tmxRAvjq`8I)6#zh;og_D
zljUtaSEb_&jxkOrK@qFZH<kotc@+0D^GJi#W}Fj$PHWL4>0bL#+cFeN1-qJ~hVGTF
zg^LlXKB0D_YAK2)=wy~n`rd{buDAorbFgquio32c0;Gfxh2oVS&kMxwbo-Zpw8e~9
z!`O3u3OzJ=qK(s|6^DnTCa<(p4+Ce!HQBtLBl+(gu!GaQuf^w({pR{nw}Xxj)(cFN
zaRi?JVj?G}@RnvvzD5jam^g>V62b?(yL=AMO_62hazioJ+>h;R1@gfPuva+^D{ta<
zb+>n<wx0Revuf9s8^fIAd43W?QY76EZ#&iP>i2C7aSH1NMwadCPA>K2HcN0pWT^ss
z(T@A76MyCFL^HE%C6DM!A|ThVH23=-rDdXvZ7}%u?ow~tPdb@O5#s$-e(caK^0i6s
zd1Xo|<Kw+H<?D9#+~J#JHP>-Af5n+Z!`n=6}qMX=YQm8yFT_2UBz!pz?L0ee@Q
zC43|}%2=#yO7^Ij7rl@3Y2!EH>yb7OcSUIRg+Xrt1N1Hhm2Gr?JzjCd9Q{2%;zQ{n
zZ2o`KPOJ&Zt<~K9A2-8Mx_bDL;8ATc1@4dz6uAy1Y7PX$z+D8`_Q5M&yVv6jD#5=7
zLWc;doWZpcsSWwtH9)>O((TsZMVS$T3LEj)<>0YWy39>UuyH1m#GK#Z7T3llR?K|(
zitXdg<Ny@z5~~se!4zq04~tTi!lU`TXzs?ew$nJ&x<`~?thWI4;100s;hpQ=kf4`U
zaiu)S&w0p1a|(iMs+4~OET_5<f|uwj`KWI~FBDiqpltT^G-6=D&+|=Zrbd_P%%);5
za=wwVqN{yyc|F-8oi;NTj9=O+75HwPsWx{{2c)Wuf(vQLPtxRK{9zMettN}HX_-)n
zPlFO}kFb*C8TE;gSLQ6VNWFW#>?pKo;b^IFhxFF)pPG*=<B`N_Q}ysfWX#{sHRZQI
zJO1gnLhKmKbxfjTg2Ts{>t4>zMQc-2SNts9(bn$9*D5^1TYp38s+jB1<$zcN!XZ}0
zH55YMRIS?t4UkoqslY6<8n3_&5x$0{k51P*J+<8$3Ij<va@KtB$m#CuqZLnyk3@%}
zZD?Kz4^O?T^}bNO+2noL(?$>T<Xwc+$@77#aC2u0m4+mxdE+1AVGz4Vg=D{OE0mpg
zQ&bUluE^2=sN{JDIrsoU#BgnWFzletn<dQ}VMtYQ=!0*Gt=CcMK4G{#8FtOjdCG(w
zVQs*dB)ahFfKZEfjSt~ZmHE7&e;|b>2zr7w0c}TO`1FrAEVC>p)oo6*fcN>?7wTTN
z+muduOJ3B(IyuhYSRtr+V^Wcu-XK<PJlWf`_c5Y#q9KdMtGz)V;rdGGDaO?ri*yN0
z_9XlsN@s1RWEj2B^SAyx_+0-tgs<CJqH)1fmpbF(6^^Ls$`)L`k&IEfyJ240k3t>+
zuK96+{L_*;3)Wz?@%WTG&sfdRJ<tiD>-1}x31_2=b(|&cF5iaV9u)OB8f@Q;ZRSwb
zafPl(Pt?XfI#%)`YXOzEd+V#S+}d$c<zPYqpK;mk8q++9YKli)IWH>QRTgXRE(s+R
z3ym1vW?c6%P9`Gg6l|qBcv^S+Hx(v#={u;;L2?EO13yJVDrc0oN$zodCtYySBMnzr
z=`g=)fivx@EGLE$_=mrv6-%Q964j94FeT|LQkW|`TZ-^KxXQv_p3NW)xq013xi`c(
zJ^Kvdc4dTo(p{PjIqAn@&&IsQnXWDu3!DA#qEeWWHULo@=j3sfQ%|j?;f49cj>&~B
zf(nLHKB1T!&jp!{42Cup{0P8!A`)*QyT-UN-nYq!DS`+<vU9NO##rXk=$IJW#Y_AK
z?<1|YqZiA28UBirS?<TF@nQ|WpVdAt7;big*yNnZmJjXq*5pxe6MA4(<P^Hp$$0bE
zWy(J`sh3--1Ss`6U;{=j6S++?P3Sq95Xq|e?b{ZNldf9qyeuO}+ZN?4xumG;q9y90
zrOaRk*`q_usZCraufG|;_Zv5V*P!o@KVioO(F^|7@VU6D$L<!$&5lZUSsG9;A98nG
z6zbarP8w$I*&R|Y!m8r6x*xl)YA+KQ-OZw%PrSG5q!rTv(5cl-c0NOG&sYnc3xi;p
z(~(`exFsNT(9*pXM0_f@+)?KRgDA;4HSn*@I#a9#Zs`#FjynTu=KE!CHW|~YSGJ}{
zHH)dfFPu0J8>{mQQ&436x1Yy5jlA97o*@@KSU9rzom_t=?~49v`CL6Y5EHbjWl$3d
zV{Y?YqF}~U@ap5-+tKcBpJRJ+K_$uA>YdBpEX+7pJ(R>NXm672L<(u##@3FqXfc*0
z${?s*%-%s==D=af(|YM~ldS0sRw0|;>I7ywU@&~Uloan6z9g$S>hL$qZjM!gBk#92
zT`X4haHP*tGg5I6UMkeIf;u#`<%XconDx3eOaD4VovyGi@l+)0VNYMsxB<%84eodC
z4efIv$Li29OJ96u-`Z(}f>jP{^<(;3Oej+<VOp7`_z<dH-(j^dxRi5Z(bK!zgz;~R
z`SnMHdFvATp@~*dte!d!9E7=beV#c}Kx*UTmA5_Mo`yz!=^O*1+6podt>lXaj|?Sr
zDZiuFLrdjjXA}Oa0-$V$BONF1CsOBEYt@VlS%e~Tnnn!=n~L?n8trA3E}H-ho9AS_
z{PJ!>6S#4^e+=a+5ry=xB1WP$hD3a9{SGNL%T#s?o0YfM>#5cezOWi>-#IaXTp_HS
z=QsTpNltuBEkv5x%wyRPJ;m^SrobvUs-qL7ndKbHq<Lq4a0AzicGJ?-&A>a5=2T-M
zz2~t-YnuW?jn@s(`y10ZA3o&<gT_`9tJc(%Za~u0`JE?3o-6~?qQe2P+@bDcy*B8o
z*3y;^bxrE=OV3sWwYq{hZ>JdfOZ4}b3iSWi0+8qr#ZZcPJOAj}W&{y-3cmFNY|4u-
z9CzVUwDnp{9B7Q9qsIh4>J8d_)HvsTp5AC|o%xvx*@M(nRrk`>I>r~blZ*picfLf~
z)R?N#30$%ibo6@<3Cr+T%sC5<uo#dSxrtevj{<~WBA<hNO`9(BB8Jn$WT!8;`k&xL
ze7(P<&5h#bTAP`#{(Va=CX9|@XtgS%iw!qUf4xO~>+tuA{_N$)I%(6+!!q1Z{}*3i
zr0c?F;E7nW<J%F;r&{_qY&;z4@)~8U38@SCa)<V9odcdmzu+*uUR&w_J3DBb?dn0K
zQ8rg+w~M^KbaMVNX`8;_*dJ3;=4Gd;Ep;P>a-79Z2dc@q_o!QL+K(rPICEWvrD&Zg
zDWSmyU^9B9t_p#kO}|t6<LJS@b_s<Aw_F)O8Aj~Ll08oO=z6r0*;9q10RSUuxv49t
zbCsSBffo*%n1>0(xW<cu7<e}ULW(nAYAB8l_te~VSt_kc&vC_8E`K%raEc`Kch+o9
zyV?wNIKC{rVmN=#;u-(+&d0H7MQLU*`LAP`z!xQ0mK;*bt-9NNV$kyRcXk?F$^?xk
zR2Ka$b;pp*`0#EoJ1Ue42~DmmK6`a2z2-BCq4vJlLoF7JsnRo`&Pex0J67|0ltp^<
zAV;AYar3&I`LqVF5oI0y$Nt?IQ5$#Irum`mOX~WL-ZWCuwY5V$LN{V_-{^lcPV1{$
zvZDkKJZaaBuxTo8S&SbNn&yJ!h^&RiH+==`L|wwMa~9jE%?($P?(Vk^Hm6}DGlaXZ
zeLw%Z`r)S}V7Ro=Yx=;H$&qSXMG#f=^x`StEi$yRR1c0)24i3Agjw&nuE2W}-5!Me
z3sv)bcw^o;M?)TKyrc39&>gcMKmg9knsKpBR2~BWqs9ZL4ZH3uH9*SQsKE+cn5Vmp
z0GM9BVU5<jxV7epb@>Wm&Y?ekCl)jk?`&Kt{GLhFBIY)YGHPlit=3%~GKqn?@5@ov
zf6KbFoaCvk-yaByBdrf|N2GlssH4~_k6lXYv|ZFnG_Av?jhhkRyaQa+7ThKur1`u}
zgVcnKtKtR`>qHfY`wkXdni^8;^P3*UCp?K`i@fjFzOdw-(_~|{&Vv|&1-pt<*T*U>
zd7*DEV(pa9hRbz+`jW}@nm2FNA@=m0*I=jW&me8Iu=cYkxy=dX_CqajrCyC6P%m(&
zZrr}KaH8$6UV1ojA3kbts*jd5bE@g?P-M)<YgE<*5Nq0s(zX+q3Km$s{?q0W;hR;I
znki*;xqbTFH|7k4E_c6c&W9c)%uFLEfxe>uH}}$GMNmCAY1zbeU3-V@xi29%Qf}l*
zbSXNA{7Fs0`pVGJUxag5FY>}WM@oQ73%m}e{IpBbBLLOu-<0Ra6LEPU$9X+^G-?sq
z<deQflz(#+Jy7y6{L*mOQrhRcd(It``Rj3)`QOwH{tOd5>X~FQP9|y@I~>HK0Gju;
zS{usD?JP&V?e9ahnxN33g@v0|;>t${SH>|~Kqh^Kjf@Pm!|>Av+@{w#yZ<hop95ju
z>hfrT?dgSAZ5ckyc8HkZ5VG?!Snnk6`pvT~g3?^hPpPZMldXNF;?TdZ_*e=>tlGt#
zY>*}Po|Q=U^8oYmk*6TtRFB(5F`2ics^Aw1xP<BE-w4kqP!C)4vr`k&P18iXVq}CR
z=@$;Xnx)+gECD50!IVsl?h>AQ*~ouo4%hgWRe#a|FCqI$%kyR-QV%4hn}V<F*<I8j
zaoBg{??%cT_8=T)zoRztHH$hW!2*}F6W+^gQeyx!1%$0ml(&f*@z`lFVpM%*1+^Nz
zV>XG&$FVW>4p0FzbphJj%AV_ih2iC!DJ_@&kNPQtIOnrb-jZrb74-x|b%Q+<4fzNS
zz8O;=ASF7Dc|AgHuT5=41TBac7U&8&w2tsid>cv2hvxW5d3uJ_l94{CyTEgaiBs!E
zTNU?L(TcKKO5C(#PojM~b*4rB33aB!FYCdE>Iq%JLX05k?V3n<jq66I_*dqC#+>U|
z)0#k<ilfl|X5CP{9cTX*BRxf)V^YOAp=1*?F$+Ic3jjR_iQ0Fp&M)RX=rPOBa;S|d
zK|LzE$Hi@C?=xyZNwbGT!cOk2FPSVMnCx2SW;yj*rrGD&dp636W>S*ulDGEWu0J&F
zMKzmX;2CR-Z8PI#5S2g<5i-?39u}79=0X^Fb~-%y$CqPeIoJPe*VNSt^-sDN{Z)2l
zgo|iYwNe!z#)*1G(Yv+kD5>X%RZ^<?7{)7W2%BTh{z9mUg)0mjw<<O4*bR;3Q^LQ>
zHiGDg%E6o3W0Rm=503ccQdz~nH4SjQO?t=EJ6<(02}RcY^~;%`nI*KqLMrp)?PNO@
zv)iEe%Mx#&DPYiM=vkFy-JtfDR7W|X1PxbRozYd!W%gd@u5ltT=GWq&xGuwzu<~PD
zM4sw*uCE|Um-|iw!VK`FFAeolpjEcIRNsD0jlVygFL&Am0Tm=96lo5Y_bHBSM2IW=
z_e=+u8<Xhfxac{aYzT$&F`=`y@4bUBV%n97KdLN4zwJ8f(zSu?0fv!<gWDYFN`{f}
zsZn&3(qlSrcG|#xfBPP2M8`Tnemj<A_KRTEDk3=<L08T?9ka(k>vRGcQNjo;bxImP
zaABvUu}9iGLk$Td{b@J)QBOGHpxqiyS_M#vjVI~R9<piLCoojYNThZ|I6f`HNa8P!
zzaxu1S9tXXk(VQx;$TCs|5vlEw9G|Kg`S|K+#-GyqW;!I+yLpi4cx79#T#LonTaW`
zKJjf{L4E#P9@XTi#TXx7<&L0TebgyIg`!^HD|2=ldD`PI!lO1X$4u%f4)uv_^2cuu
zaI?lepJzfRZ72Ri96_W$Gb7%y#tq6vA62&vnFKjR3p@LiEGj1972Fr=@`uURZUi0;
zk{#v%&l!Cw{o}BaPzGm|TsYTOj@Wq{V_-#IBSTOF3;YIKuYJ|%kiK=;l8D><-g%!X
z5g+D&ane$IWj1WnhQZ@^u3#C3h$0-s5SL&7{9+V`Utd#1C-pN68<u)#NGdZRo;BTr
zWz=6gCg`D}m$Qw-jBlQQ{`ZdpP#|pKw(2M*LOD2TY)<|DnUpZ1W}$$=B!a1r{IvQs
znlf7V>;5i!9RfcNlb3_?k(SYyAsVlz9CU@gz2l+NrCRR`5;?)&7%>$xiAJe!djk+k
z`Vp$#!+lx--QH4u$zZ(bP;;bpvaM#^%)7FN!TKq~!;?l{dEKvm`y3OcnRH8Jnvpjc
zi{PPuX`3VmxYhr5-B-PzBXt(4XmjtLzj3(qhS@kh{)KWRBBDBKz7_E^c81tv>W|Yk
zEyIwFsTNu6x!a%|!-ai13I=_evp$M6vQUbb+V$!Y&#_A+Xw&x4*3hQl_kz}ssuB(Y
zrSO>1I=buKvwhmYhc^_?^*z%U8*ekMyXeJ9GcGBbI&DUra(cag$i+|9n{5*8W!Fbl
zl6E?3L5ucT+k3+w(ev~>3-4nhpCD56a`MGq<yJRo{N^6&yYMpNq<$bG;`{S=Ez&BF
zqdEN8ly0Q(<aZ-GN)a2ET3eG86)o&-8L2k?11ir$G$77_ZIDplPB+|8mi50n4QQaT
z0aMFL>Q=4Zklhcq>7&pWtxONyi%LD0<uW%z8L0%m9D(_PsG{egU9J-?g!}Tct%%c+
zVxv!1Tb6Tdn2_|KHA05YF};!(!P>vS?(i?Y>lGpbp{LBqa>X%#EoQ;z#0Qqf<S{*#
zTUAUkzLwH6iW?*tXe7y_CFWQ3Ai6seMIPW~(xxviXsCa$(D(H0j_UKw=Vs}Im(z9R
z@!Nq)0OM+1eFp6O!nP-z3C*s@rWX@99!+t?_j!!jP(&ac{sdq!rtVcyAV_LD&+Z+g
zgLZ}VQFSUO*h+tL;!j-0v=Ozs(FKl?UsgH9_&Qo$gU3@el&CU>^ABLKWqEVtT4T3^
zABuC}-|jTY@*WJ3b6RUc!W@e;-2(M_6ijQJ#j`vaSP0J{>8}Rn*Zd<4zAtY<r2y@K
zYfBIIQgp=;>(B_zFR5$&BSkR4vo&GP9%DbVv<i_)C9}tFe2!2)B9Fp<{Ld3{S67Fh
zG5h{B(RVJK84YDXGcMSB{1q8*Fgnk3WBt`f9vnGwZrD|wP}n6CW(vsh&d(Ib3HjGp
zSC_T1R1>JyAupkibqAX{C)VjO0IA2xHgubFW*mvzXdiyNrZARcthl;dGElU)Gf2BI
z!KGemHU4H{Q8t*U#u=1vuyZ27F>0>cXIoWiWq?J}QuZrjy0Ay5Xqa<rcaQdiGP|?M
zxaia-9f{A}nr`R)_;S7oB93;Fo+%I0oL@D0qQ*sjW`SLfY@_d+O>ZQpO&hx$&CKlJ
z8_Mae#MOaASqXhfC3yOTGR|j5lvWi=(*haH%`^r|45ddwwLDNZ6)2OnqxX6f^E%dw
zT&78RtZHd0a}{mBD|IP9a%`nc=&+v1Yn}s4HpDHt;bHuy7xx>`9Cu&s(?u`p7%TKA
z-cl@zW<t-1p9`^h>4?#m2P7lYA}NJVyz-RHI20z7qz5%KI;R$rF{yiVVz}vw_G#O}
z1=V62l{%EZ!~`F4l4h<*PQnTP)1xt^w6;;CydRy^fLmJl&T7W~r%bJ6XL&noQ9)!{
zUNklOLojmMb-#{H=+ICsuTwT|QK`1`!bf}F(x6d!oKj70N0qveu0X%bg)yQ5m9WtM
zhq@Y!dm@5na=rzZX!GAwm}SRui?#gG8)kZ#PUe=y8C}QH{lLdbTt2`6q^`=&46lVd
z6$6<u2j$BoPr}~PLRh0SRRk2+0r{%;wT_X&$QR0<zZ5M3!sp9Byrr)CQE3EEcFpc*
zD{bbwiKszzrd0{htQC3qgu+;R7wNdomet_ZzI>mQD(~AdBlQ`@ZP~)b-W)pXJ*=SD
zfdTKGHMq-y$T9jV2S51x4K1$YC!=>=;)a-n%<wPqIynuovDatCw0HpN1Y>c%@D-la
zDV0;QWUVR1sU$>b><;Bou)CHSdm$TZ!k({JLX>tw0Y`T{(Z$kID=1jePONtJ8T-aC
zEgb$xLQZ@EL2QuRfWf<OQ%yNCc4XUbxcEyq{JhRiVf*q}<PR34Im4Ir`vHRtK#AjT
zr6{<}Vo=kFMIWRJt7rp9ttz;CQzrJWYI;`{;n#dXKQ*Sp8Y*FV_f9vJXUWK#MzR1M
zJe-P)>?HFzd;+fFWh0dFa|4^_Fl#UOjK<foPi>o<vp0u>@`)$`q^{-F<C{@{vb=ZG
z8oh7tJROx>=<x{pX^4K}Vyo<k7?l6Y+-K%@i!7Sr=A|~WVuOzvXpSjoX2ddk44r)$
zuQ(VXNJ?2z*JnetYeIBjEd)E=uV4q1X_XzS%^LI@fs~sj6_22Y0y(7*vrregT}UKh
z6y@_0X?Z%Z?3@YE!;f*0s$%|B@8)BNmdkBc=2YbMWgliSA|lVxXtYp-R~FQl_wF*W
z$@qdO46TdubPDxavmsEL(G}$sdvWyk-;AszO$`}!4&-Xnw#l?80!~MaqYN-2PZlI$
zO8-4U|F|3EVZWjCW5&#oy$ns6R)HEbC%_^60~-WdVGma{sT1^Blxp;s!GV3`DI=%V
zt{}67q5#+A*1YTDu%kw+qVT`NL;Ue+;n~ax>jyvh0_eJU0%jGNi>@yWxa{@S1J|fk
zRfPpI2RTiQIY&_Z*TubzBIl(<0v`J63G$k%`LbmcU}g#gPr7aEF1$nzwnzJTnMPh;
zj#<ikO-&3h^PPBm-hof#5lP)SdJK=-1KRpEOo|vE*WE4_QNxH7V6o3Dz%%{p0J%nT
z%fn6uSZv0fbFCn+H)O%5>;WzPxA*Y@ElV3;@Qlq~T*vBo$^J+3XokV(TCK#oNy~r!
zNhvFH)2Sl>evK7)g~7DyeeAxvZ~%<W0;7G4++po3EQNntnSl%q;dfjEIZ#eAh%hc$
znkZ*D#}o|BDARj5$uh>TQ!5NfsY-n>>#=+tSFZSSeZf4#M(w^i5=whrbzCo*A9<=z
z!jIb*)__+jnr4%$2*ukI03c+;BHuMu25hdhH(?|^aJf#K{2AwcE8e443nrX$kDRoP
zezW=S;q7+1X#3?n73SFHWz4OwhxP~;Nw~WqMMBaPV$h!zQE!uPw?`5g9l%3D?S6HQ
zu+^6p*m?aP%%*m=>R}*%9Ebo&$i3dk+Z`8o_vaAizN~!Tu4QF^uR!0(Og7!A-6P_w
zK_Hs*#xnlf+!?oTR5Za9Qle1~{^s+!K6UoOKc>rzIfF8LM@Fi6b=jdWrUxIXeKQd-
zo2P+*xQ)Nd3)$U;FQJ=UcD3dQUT%j6G#7%sIUYz>YibA^3eEL>C+L4;0W@*aYs$rX
zn!U)!y2|061*8$wr@M=5@|yxr8HSe@Q4K3=_5&8`K1e6DW5bNt$0vdc8U3yRrxX&!
z-Z3)X{DjWUol;#`oYm}YdMZ4KuRMGrB+_eV6?Pa0`h1yl?pU#XS1(r*NPLyykMxf)
zxUUfowm#w<!KT>*S^4TZzwP9lu!~hej2Je~(S9>O^O)}O)6eUo=RDtc6`rCWA$BDW
zfZxyabJfk<l(>8$GQ1OvsMn822YW8<HSg%D(uv(`9`Z~bZqf)AZ;wumZjnlAS~8GX
zQ}ub9hV4qgqL1hA+_se{ur+7W^Fv$9^3uAR@cHqWW|e!+d8<c+wlYGMskj*($;z^f
zMQ6-}1;uU~--cO<#@Z&1w9n%}Q0fpJ{#f$ox6QXXFcatIOtl<i8R-P7u$*6w8-=+h
zWFV~kLizmek1b4QrrhJxYiTh{i_81?E>|8M9sp~g@Xvtg;(4c5V<2(n=;aMTcIz5j
zq-0<i_x$B<c9~nGGROvf;$JVjH=B(>5P>U*rGKM+RdfT0Uoq03=%b5+shS+mm1mRQ
z%3T+&q;#)vf#T$eCcjq<*ZgqQc6y?(+4RT3A%i*sEXT-19X)>A2Yizui7!wXJl^y=
zx8G_<;*z(uzE?JXcx!h=_WH)t*W9nx?&@?5Ry9K?*5RK}M$zBfOAI;)mDN-H{ecuw
zhji`6xo@6a6*Eem4n`^x3qY}b8rbryr*sp<9&_))+=)}ew2Qw-fdRjV?D~Mns61IR
zmG7%?KFYDb6R=i23GN+AwkTGPosLcbGDDH$?Hm-XK=<E&t+9V<B2fvp)`gxjKyr!a
zJ%U=f*93D-O$}K3<uOf5C?m@MQc5!`IX}4~YVv#pcWyA88{~<;zBc)-=BFSmIbgko
zaA!0b7w0)K&@9CIQ^Widprtj~V?>;Dfl;`7*GOzAQb}q4<1)$0Gs7hO7fGHc5v*5$
zT2x4I00Izh##6#qj6_a2^z78DZ+A4&KA0q#WDI&|D=0}=C`OQZW(F@f^c>gwTQ_w#
zwJNc5yaMWUJCCa{E)?A4s;m3wwix{=@X8SjoA{H+QZ&9T^iyLGiFq_-rtp(6c?f45
z`)Y(1O>~8RE(Xi73(UPFU9^-z`QF{P8G`7tlp<==0^_JLo1bU&8xxG36%Z?Q7%MF$
ze>>R8FEv)1i?aO}Gi8d+UB%#B_$7jVl>hs;bxG(%9CLBDL|biYTmx8a<{w>KVX$WW
zE+nZA!1~fA$*bU-6Qa0PlF=nll;7&>oD>lpIQAuTS$?s(Jjwa{NyFCWs#0JRJ%e5A
z-8imKoP>%-kaOqw8Pnd$x_)~BOf!7evC_qAW)EVtd6f>OCm7-SL5M4A+q;u<#*C5P
z?ZP}Mk;uh;&D^^zHEu&)eB~-cKtW@TG$$=Knq4u`PnrgJuYfu8^T~pkcuBo4w0=@?
z1BK5CRi1V`jYV{l2INshxG1e8?R`3lOM#Jx<~}lvdcR>PtG*VqpzSSrQe(TdOttBT
zdNbCcOk2`*>BhFs&n>!9$vY7egzUJ1YuPi5N{yLKPj%fW@2CahgErKjM8d@#b17sQ
zTPmkK6#L4)*-&NU0iU@LY;E`xmt7rh>YHLf$AFwM{G~xvuoxs6Gh4`pzk)J?rf&QE
zMVMj4t`)4mW#%CNyM!v-xrVueE=44JE)q>2`@dH@L{7BS?$nmxMN62&NV_7&?%_rZ
zetb8D53#8T|EDr3>Kzf}JSb{2C<_=AwFrs2s{A?;Mw=0U%eB|figa0H5>9Kkmi2~5
z%bPNWCo(|`5Ar0i>Hkz9nX&x`-YQ~_JQz93Vk;<t4`AiYInXH++qFgbl>!ht;M#XD
zq`z(aahOAO;~orm0GM(8ti60>+4GUB(hcgq*w`4}pd%QFKq8?4#*TvY7ex+hhpU=q
zuJ3L^I3K!Rpy*vLtQ-JI>}u#b%SchMpXWrnv~!4dIzi4>7#7>wd<_qHF=IVkT);KD
zl-&!zhFRRH{_CSbM6|L2UtdIo9a(37HlHYknMwn;kJ<hO&$2-tAG!-EMSR=iE_HHZ
z?Bswa>qp)GRHl2wV&j>}r0%x`56`*!RNTdte}#IBh|7xdZY<%U0`C)sth3JLE~Ybk
zted+ANHD)&5U62&i&M7xI7NW7Zp$h-$ANYevCptZ?_wNdNT#2-vggxeXk`+@)iawq
z(y3ct=2<7&*~1si_GaR^RSf8Gagz7S0dW-|_-yS&-+L?VaEa^H`r>FBk*4j?*8*C9
z(l<v#wue$DuW6nvla)~R_NR0#+DNvF2bZ&H%7E)pD$KskDj&PYgEkMIa1t{Nc2~om
zL(J~Q_a}dxBIaIe+l$KqBS)I-DHX0RqNcYWrsOG*#|7BM_cL12j%*P>TO=f|_3d*t
zJgm4CDT}3>rp?YOwzoH{H61G85l7i-vr7g8e)edh0v%9@oEveo4MFv7KOLEqsQoTo
z%W<Q%GN-$vHeobyw89#u2mW)@a54V-YaOx_2H%;H!5GO}o9j4T^P5h}`$H+m%>X;N
z9Qn$KWaVc7ap!g66y^J62uF0$mAw=Fj=CPfC7%N$LbFx&I@d1}qNZVvunN=U%?~#`
z958tln8(P-^|LB;8^W68UT0AIPe^3Ezu0}&bSl5NJ|_W4pGI4@nPfy4Nn|B|oa65E
zZU|=QtQE4+9?igy&kwUHF#h-TSZ+BNiZhfcnvuo_N#LuS6$AGeD)=U%m#sC1rL~Xz
z!VOZA*rxghA;7_lw7P6L{f}3I&3_%IV*Y)IDZNJ<xHbDJ)TX+gy0>F_MoM1uXA(GJ
zuw*bJc8na&SpcpX(xJ-n%d45f_dR<=l5Dq~YtGlxXC^S@ckxFy3ns^xSqc=85L37^
zilOA2BG?&BmT_rW24m09g)S~@^oKsNG9~{)@teLevW=l~bC07w#Ld~=b`BihlHJ8?
zS}hcYJwBGx(ZjLy^GoY@eTPk;YxzA)j}OZnQ+>b6TJ$3?FTx^zaZ;y0cAs5qK8dx4
z$E-%jdED8f(LO~|@usA?t7}{}M`&Goz?twT=;~AM;&P{fo$b1pnb;f>vH|`MWZ=gE
zZU)q!HtIp~<72=EDzmF|$`=)pHJm*GCl41B)>x<$KwC78SDhM1-1p=KcQw9b4JFCB
zKBl}e`YkuUix&Hn7S`_jJ1;cFkzhZioYl4d*W*-}8ZFMCT#~loIAjB=BJ0_dAKs?V
zuFH0EaLuQ|t+A308x(73Z)bJLFgt(`D;YJ{#K3aTlFOnOXNd`xVKy>vdLeA}u#I?T
zM{YgMA7?92TF{F-w)-0iG}NsD(I@Efr*>--DL3oYkG!x`^`;R0e>~8O_(8sT&lxNF
zg^M%>+_o~On`@bnCrk4vf)gYbA(RI$tno=9;jSi_vVpLU#e4E@KNqZ0z()!NyQZVs
zofcN?r59z|EUqTb=q+>IMUGC}5kw<6y=v@eG0oPxI#JTwd^rNk@&lce+)=$|EBFti
zL{SjmwC|jB*EL>0fTy#lksx*LqdkWE`YMlz?F{h2%S*Q5e~SoLsAJq+^b(EOl)?YS
zHr*xUM(}S4`e|h{76PQ7m_WY0xElKJEu{6UBUWDJn|E_q*E#A}B}yRDAG92?MM`1N
z6+NMr8LjTVzf)t8NK5%YH)Mx3%wA5`FQfEI;-n{eA1;zs<l>Vtl`ev@J<E$Xx5_*?
zwT)INGhGpOxw_0hLS<|DhO?PNe6Plz9?LFAmPQybHcTF1onL79*R>htH#S(LWJAx2
z3e$z<VaX=>6tzfO=f6$~i3V&+p3-=^qc{NzDti`dSLpNHAv&5Q`slMyJetiW38U7%
z>fY#h$vSdm>8jyH8ti;%MM)#ayO`NvaAL9~$4o0Sn#i%?kDzd_Iku)tc%@S4BJrQY
zZH@@UMM!ZYkpmV3JD6yc!VO5dBcT&!1CaXd`{m0f2a>_NoX8Tn5&oqtE&cBUNx0kT
zB0nsO3lFJ>z*79B*dhpyMaIC<eSet(%^#s0`os!u-lTnVe-XVs<SvpfeC$7ReE{IR
zsH{s_JQ;_QOpB7kmaTqtryA{QX~S#h><5`d0wreOu9{IG29e7TX?7WzMF(u|TIi*E
zP?AU4UpvzMn&c9^-UNDAe`@z1jyclI6>bN!P|vY(9N5WhY&ON$Zs%pm_WE@CFhkLD
zd7Xq+E5SiMHJxseCY>!-G{C({+#U>eY<TW+M3;|dT<mifEiF7R_S%6Qh|5rrw_9(3
z92aEmx*DKIB{0vTILL*_>rOu$1sfWnNWXZBeb!VL2z#zmZ><znf+s<PC6&+aL_`GX
z-lP0<tSjz&l4EO2k3%eyo(vr(-rJxv=^o@KO-?9`(Z~7s@A8P5mu3yf;_X*3or^Jh
zA!fd9_h;!U7n_X#`g63AV_iL15z=ZoAAlFJ^z*e)PS(MN9AbnsW0}{YmRcLmDPIR@
zcz<w98Da&FHYbyD*N5q7ZK3<Jq$aBvADZTygirX;Q^3&MV@F)dhSX%kD|z+~?SES^
z5*BEv4O^TfF7WGn32cEkXU9*pA&YD$Au}%_uM*7GR@Y|?CqJwmp1tJQteKkLG_y#I
zOOX<p3vsyimz(=Gd4pGuTBP16W@#3}SijpkSW1GIh!;7EDn;Gb_I?9EAyh&rB!jh}
zQYsnN*U)bISLRv+_B|WSd^gBbvx$k9iQNhxJ&?%RVoRU8B)shQgn@e?;?!vQFu}CW
z@!#V47Gtl0+hlFTX+Vs^XM1K@bi+8Tj)nTo`(e(_?PSV<iC$iB$Am1fy7sB%$P=pr
zhp^9Cw^cy#^LOe}c$fso$+^V+K_9lKu<E2#z9uItss;yoCU&%ay?LPPa^2Sb^2Z5|
z{37wLk`nO4`*+luY{{^Jpl1M5=DdQyl>%wJhHSy?Aq3XSi%yAJ)Bj0KWMHBnK8(=!
zj^cK90SF~8gD!S?`}6i#eh$(9^6HZlVdSRE3h*Y!*3*HZ<B)sSJ?IiX#9V4G`IRE;
zFs-0@dQ3f6Pjs!C;Q42>33~cqqPDxf62o4hQZ*pk>21e?*-&YEop94G*N&N=Z5uvB
zLJp1!Ye5pQcMY@gc8H~v6*Z-@vzHh*ix8GJA}6`XRk~<~?|h?>L?XB%t~LL#`063(
zdLQE$s-R^iC_Gk)7q|EL0TXoPeeatyUE#a$LQ7fPA27Ml2@ZHDV$fkk&waM0@NsNY
zMT}G!G`CRH4`?ZSxfOADZQ|(*oip)&_tO2S-MgCEDxbrJYw{Ami2(1u(TqzL)4E-r
z=je({iXO-mV45a=LoNzAa#g-OZ-2Q%eSdht`q(X__ZK<tvUDk}0(N=~HoUMNIgb$F
z_^%x^!Pg!6MSJvsn_XM(+KzYLhmCpqZ=|H2v+)wK;Jo}ynD^r{W`1e(RW*`*5us}2
z4MNsc1;ZVY4%#eyEPtGUw+EP%)G;C|j&#k38k`9iOHw7j#U5?1I+cAl)qOWLc4>|S
zjezL)r)j=zK**Xy^2<<Lsq-Q@n#zLRyX+IM*G`rTTIK@co8tzRp`bwch~wV<x&6+s
zx`nd`fTS5CUH%b_e`@x(4i!`uMCGeg79(S8_K`?ek@vGMF3#kMHl++l)*NiSb8Ok|
zi#<3IzGZPkj>Rec@s1{|xx7!143n!w3hl?KDnm@oqNeT%^_G=I6{BiO;lUXvFPBCi
z!k+>wr4Lu**d>9ER~bs=r3s9UVuHy3KbNxI8J!0P@OT?egx5Eu-5PWN_jqy#qH2Ow
zQ0H{4iIh^B8dAI@R7mUsrbP9?E1~o@vZpYv@AzbK&(Eb)wlj~GWS}}E|JuNndF9az
zwPD8{arF@F+pD5XmBMh3qm<nRu~;)ENSHOnC69=Ki;=3znOm)^j$XBN=Xoc&x_^zs
z(fH6rD*oD!{IsH#RAu9hC!C7ZQb+2!2$q~O8>;L{8m&-9x;R#U?d9;M+?-F56K=1I
z*Tdhp#9jj<&M-Eot)E6-bQcSkO9lH_I5@!PwtDa#AIo3z+snfo8{+5e3Ou*)x@byR
zuPv)}CAR2VmuCo}E6*XR@m=EOM1HE)rEFyu@J}VGnCXu{`~SfvLOXQ&o(#FmQ@t1~
znb;?zjqU5rtlbUkCzJ_;AEJ90+=saXm*n+AK5)TuggYmYv!CfB!0YevC9|*FOpo9p
zJA15=h#MUcG8C=r9{spReq_tN^>uStC$htD?+fH<hxZg)*iR2bd3D*nr;4n|T0-5s
zdN?VuSE_i!J4WSpoQiBPTFH{`w&kI%McWmUam45JFkL+?LC=z+8HgU2h@Lyh_x9K#
z^m4F?b(JyxaSA%#H|cd#$4FfM9l>A>2_C+1^7NY2UF3_WdOx;(R>1JA*S<{l(Ne?G
z)p4WD#$ZO5#K?+VP(rCXZ*`V%u%m+%KQHfNEm|^cQBDC*Z%8MI4k_Y?Fq~H&UvjXC
zmvveSCVrI=w7R<fCLw8*BQI6i_PB~KyS3LRvtLS}Ov4b3`+EO{pgICPTodNwy>;;E
z13Flq*M|Zbjc#kzd~qDrd5H;J?A5x_Q}L8jq&K_{z-%owK(bNm%)q+3_+X?`#Kw?x
z!@~9E{xV7dV0B7ls3I28xz_DV4=4N&BEib0P}qi9)GK~gv_MhAnIQ)LYTG~mp159}
zi#vOqm!TNCZ5oUl3=tYf_qmXBqAKs(Ov+=!|7HGM=qj&EJ^>i@U6tIEpzs<gQeJ1B
z#9kR{N7o3sXlV9I|1jX5=Si-ts!LKFGx@UKr>OJpmI6MIpuUzc<?H|NFS}VHdsV^a
zQ9<>Q1}Qa%W<<JA?wlzak4MM@N}PIc9FQ>2#h7K+-6x92h~w-}h0m#e7g@r@F>QvZ
z?))H*@m_Tv1p|z?<cs5ewSJ5HLdqKTmdny*ivyIO=NDoDvW}oX3rd3!(t|p*8$P&)
z6R1`mF9CdztQPk8@2otWg&v#Kizdn5F<2x6PQ|T%@|GHynlGZ6irwe+Tlb5Q7oX72
zuV#46C<TYaGA`bvV-jM2C%3vzYp1o&tt^6aQ(#1rO>hpux==kWM0t-*lV<b2Be~-x
z3YH*(($5vySzwn|it%_iRVkWY%KQ-v6E~kUqT>;rrOn(16FP>_@G3Qr@8PO{y~(2#
zFvg8!FZQe8tXgO!^(6;~)>h~jn^ZZ~C1z7_U0wMkzWQ|`v0}s;g<p2Rp@q`8E;6DM
zXeU>i`O%T(iuc+-Vo&HtP-Et7@K9!<!KvO(3C)3>;F)cVM(AKFIt2O&q$xf~AY73w
z?KM~FBfpeaVN#Sv{52o2F37KRZVW@YSk;~+eGUfM=Zrq4TVz0^(HCMjw1IJ3e>g{D
z;F#jVaL#!@4(4Pckf~qXxqk+VWPY0a2+4cm`B~>mpH$Shw$?wkxSrWp{O-|Qm-AZ`
za_r`+`Z$ODH~}Fa!A@rt{L?@%LjffzRK(nvsN9$OFSLF(mpr6rZ5ZmuwvnG<I~JrS
zj8oK!60@3l0rsvx^s(pbLKYkOdoxlxv&ff|@=bN&(7xZ_Qv@rtovBFd`)UW4uX750
zwL!D9`jQ4*<<`ZAPW@ZhCGA&dB|CH3=P`(-Pd3b1({qfLcu!LMiOluEB9wytBWcgy
z@s{d$lQ8|J`<d5B5F(prqL1yVrg~J++AHh5C<<7V<vk$9t@N`#>)uGo*jDVtpx>zy
zjJM9Y)XBMozck3%(zt7M_&`u`v2ztzEnJ2R>x?RjsLx^&i5-xwV9DRqWr>kXl51rG
zaam(MJW+DJdZ8@hr<N_^lIu~bcce8rZe}HJNWO_Slcqh;NlM(!*wYL-$QriJI+Srf
zQOME}RQ8L>g!N=GyIxL!mgKdx$kx#p<xx1{Mku73iLI64oT#`%cG=a4{<ATjf3H#F
zX1Bz3FIi&Ail(ljv4u~EAYf%c)5Ge$qY`X%N+hO=bk>xg0DI3!k&YevIZTmP%8`2i
z9@!H3G@y-}IXKf!-Z?-5F0AVJneiAK;>WlYYzxBke>_613hvG!!t#BJe*!?~r6ZzL
zEJy(chmzkoHy-?XE(?Y!yqI?`pO1etZa=W2r4E^Ud~9Lz-nd<;0R;woz;*Pd-^rrR
zu%7^QUe|Gzs@8VaEq*7ff}yWl8sr|?v_V$zb_tuiyoqg`FR@K)@t`?ln?U41OcSa7
zA%fb|v9xiEZ6S(e;+$x=N&ETo2iW&8!jik9jZMs6Foh;jvkK>j-uuo94sO)o$+A{g
zVy?Z3AbsKp0<jKYsP1+9z&yw4)eMIymBt2qdtIblMy=u;R#1b#ql%ZQnAbcVG)KNj
zCKAw;YSg~2+zHt%o~W<->-S^rI&xfwGRnM4Mg6efvhHH~P1OHGL9N6D0Z%@5HV!Yw
zxXB%5RBgVFgTBU!9+x5t#^lK~Ian%{BqXO>lY1^lJ%(@FRY)4pR!+6JoiooZ4}C-a
zA7StP?$_Mvlp5QynJD3Ij_~AI4bAf<zXLS03~H{rgz1>4D(cwoBMVE;&WUl>GCIop
z;nXc7%XR!{v4k2swaSqP`kkTAFW?`$==b|N<Z161gAWc(37sx9Y9P)~W{iIrs!He2
zD9s`zpC&}_quASYQF|=}qgDs#+|_B;b0mZEPS|+OYzd`3Y3XuTPtw={lbw6dhO3LG
zWl6;qX*KqZ#f71+ayV>R)B9oi_R9Q-qu*9jI7(J9+rHOj^6oLzReDT<?Zr70>&w9t
zHa(n*YSmKYMZeWO*owDn(VSNx(K+mji4FYHk6l}(H<B}wQiC{-dM@fZPh)agA*cxq
z;pELW38TgO#PZWZ)T>DO9F15Xg-M3wCXWPy|6R=JqZxZQoxkH$0WwV3F(+72$0l(U
zIZ(%(sS@&>$PH?flr%je!s<&%8A^k|CCF3yc#U*A&q4Z1k~2egFhk(ss#3IA{hZAc
zV=(QH+2A&NBh~&>hh&W~L0$)~ON)2o>YWMXUf>&$1eQ4_k3ekF$JmdFWMx|B7Co4x
z2Q!`mAo)F}CUQKY6r=Tr<Ilfojh|PRHO6tgxMvJ&+!tBDp93S$PtLcq<pZ56UA*ax
zme+<$0ES+2H!?%EF65f@5}zK|0-4BV(Nm?+eUHbKl<t*`MYrFOJOrCsLew^<!B>!v
zgK6djn;MF-2*y4$)EgUUV73B8_)O*2NhoclzZ$$e6*&KMFi;&|IM<W>*xModoT2FO
zvuYXCoBv)R;kMpO>H2NMr!+Hl{dj=Y1TsvY(_EB2JXv>~uI^!4ESTP1P`Y5lz|IG<
zH74)jx$|^>x#Hz64T*Cy8n<#X`ehaS`DYe6A-?OB<o2IgNT+3;bAeA*hfiJ57BB_9
zB9UcdZn*8(4&tz=KZ3;OvTPshr?k#1(0hOHm6)Q5KkWDN_FB4F>1$$Y$X&q}pD<KP
zes&<^6>LO&NRhbkkKy*J?peFqyRW-RlT?@>B6@ge1moqz8RaX6jlC8_oI~jjhZiTy
zw{ZbY5PTSa|HFE_qtrHFRf*u<@!x*z9etK()Tf`!-KU@PrXFA7g>!rwPykbONW70X
zM2f3!^0(k;b>@o1ak~PmaANEzW9)D^0kkHboZsGO&MXyeJkfc0NzmDXo^}){_Tc_Y
z;kc$ylPgCE?*z$Nk)4df7nX{v%Y!?9M+3kwN8CZ%zusj>qk;%Jl+Kv3#Y!#EVTuw`
zqaMDegfbWXJ`{wltf6_4;iY3`g{vMT?A&E=0smgY+hsy2h%g9G35%Q<)nDE-*ikZd
zyX_sBEG!H*d64gN0L_l9go$|g6YQu%?AWOhy>8L{772J*@P{zGB?}f5yKXAmUZ^+x
zaL=b7PU-fi`JjSx=dTH-Rh)OicvJP`cy**J=mlB!QZfcHi4mMda=FiM8Dj{B67&rC
zLB(J>`qISlVz=GQD8DgsGROTuCAk;R?$0z^KZBe*MQtWU7tb*jes(_#K&#}Ui&GW^
zZqgFcIYMAj`ZYO&%%yt2W4R;xIx>7dUqud2$C9UazXKhd$WP7Xnwpc3Xn2j=G)%7_
z6xDSp8#IM|C*xVQX+XVUT18{iP6s((Q%&PHvoQrjwRysj17dTcTzB=8fNBcKDKJE<
z&E?T6^Qmf@-1l7HnOO*-N~rT%zYvqzjxBWJXa8REF^}%C$~Rq}G1-dM8*aLvmkab4
zxD0mYm1RUu60XZxKp-PnmT&YEr~BBG1gdJ%P;x&1davKtsgg7Pn(99X&cG&;r_-j!
z`S2my$T3&rHeJ`W2m%kiYjsiE-rvb$smgvU*y*3i*StUQQta?CY9X}nq+U;!mq1H9
z*o4y6x9NwwT`kH$IQ{FKf@iY3>sED+x8e=vz;<m@b!;_BVm;1stVmD2{%qHLLHT@!
ze7wU|*K7*noS=LAQses+*DoCS;6N1iHhqMxpiyv67bC1vwA+g>VH4}%w8pW;>o96*
z=9ggc*n4O>ZI7U#0$q3i#%%0Be^}(qkh5Q$=h?ZtZBZ`U@Rv)~D@<VBEh}-K-?wFd
z399!@K&W}x-yxeG2vURZ((68910K2eIk_BdW|or-pHV-3_KeJ<^^`5ZpR+d_sa|!U
ztJ-mG1Bhg1wk)+Rt*x5xC}wRx@GrFW)!R1}<EX_*f=y}QumD9sy1#D>Em_;Lngd=e
zLqDm)sc3AkJ_}C>;=-qG@mX1pzl=Zob!<$;e8W&@NSym1u5&Su?1pjVuXxPAbQo`1
zH4#*E%qjCeI=VX`n+U6AyXr}`*%$YB&7VzkrroF2o1SeAt+9e6e*-ATI%P8ABPwqQ
z+x|Be01?9^T}Hu@9h6u61pd;#;4l<Hru9Xb!9N!(ZY6NQp$k&A?E!yzvKIM?rv@Yy
zACbl#0#u{I){daT5<}}UN{cS0R3EM#&}F2KeASW*LY52U9*!c?NERrj_u9N)Yb8V1
zoRKZ`P_s$4SHexCoJzZEWJLJLjWDzC7+jRHvUfFnf;DvWd9AHp<^G$_`d@_$+6cm-
z6mrIyo}d7wQ8RLU+U6`FAJM*sPm;Zs#a=b}*}Cp{WJ(B^Ki3*5p{h(_$aOcQY4|9-
z7b|Clqxa2hXAx|9wxZg#wlZu*7^fpfg^q<R5Vu0Us8K^$9cAG1w%5>x7z46#xVfCV
zXX!ewXHEAx@r{l5r7IafHzeBLYY44cQCJO-rV`*zVLBj0jVTSLz`G;Dv)YJ<UuEXV
z^#;e+jaUspQO?j~@GW|GTJ=Gys;%DPl!Z3JdK~vrgjWZfvGN-J9>e7SWn2O~M<ihh
zfXcYW-6b9%0f&?frGii2i5PSvC%Ll8<6=4qzkZI)yKXb`bUDa&3H&Tz<XxSd0U)Hm
z43?u!5M`JBSeh4TpB3=vz~kAH{{C=i0k&q&(0-Zp2s#&88_JZHqPr9TUiBz~)B0X<
zGcYeTENkEa^AF4S%&1Wet?%o)Z#{k<(fe6s%mX(MB`;?0cRr^#NR&EL+mN_i9mB={
zZe9WP8_i3HvvruL-HF=oZ!8Q&I29(HAZ{dp{^9-7s?-m)a%PClxYLj5FFIJ}{AiD|
zy1T<*tiH^Bx8|x#e&<(xcu%2PyR8%Ir{UqcicpN1@kg7WjqVTrcQO1(=I>KY(lOKj
zem#h<HTo6e|KAv#j)t$2Gmne?KZNTn4qFK>mP63m>mgsN^DckgdYssn_S&ZW8~i+6
z!L-Kuu>Old(4!W%rLQ;DtIp*-l3qj6iZX?a%8s|J8;QNHiH&&TLYpOPXS9>D&=5A@
zu2W8HPQi)MQZr^M&Dxx=%yQVbTh+DJC$Pi2Fk6Luq{LR_{qQYW!@z2rJ4H23CfsJz
z>xbCOiww^PPcoK288vzJ)$*2y%nAsRy}3BSeod5ZMP?vr^?<(zgUJtc^+%&Wp9qPJ
z-rpHnGN$|;wAtIqB=810IBbz?<glxjTk~Tl!dLV}PMD<6S-3cGra;*{GVdg2rcUeo
zyJ1S8je+7dq2L5cZ9mYMZRYZW8r?m1;1Gcdq{#k71Dmgy$x|J}SslY&oxojPb+=&j
z_<?7rE2oUp0L~fX5;4DulVXZfJdrMxoK7mwMvD9p4+$%EOiVmIH545s#=;O^zKt`*
z8xoV-0w~=5)sztnjy#+Kmn5ocjNd7{=F#+~x64*Hg=e_tCYCW-tk&g4rhMB_%<Ubb
z#jnUF*yR~`J|G<7LXdB34e%ps(b8loVXGj3!INYNC&HtGP1f*OZ|CgKar+uQP?JU(
zk<CE=c#u*!o60Dd?_Ga{7k9n$RU5eT!U|K_%spszW^H-OrGzCpBWoUf5Z|$xNa?)H
z2+Zz2jdyZI4o>vFkBMsaFv0y9qiErKR<3n4g56OT`q{wDrTu+h@}nS_&N6xVhtXK<
z3<lq*P(-`tuJhRYs~#Sf_|cMCs5RfW9PW9Z6jWKu2oR>bc%#k>-<DZ90=*&+@Jxb4
z1h|795xtr2d$_&_Zjr(rq{sgYOzFkkqBy9-alH}^hkCE>NHl`*DiLJJJ#M#+6w~GS
zk&%}2{{_}}GF~k*B|V%hGFrm)(6v9h3P_hno3YEb2K1l{SLMUs3+7G;@|d%yqg9bn
zV^A5wYD?|BG^9?<aHMqZR9;08DGIil3<WZ?Un`~h_G(X92j-F-n35*-Iy78d3S<Dy
z#n<wfbv)LL+39BZ(06#keE61##Mq6WBfsS=&WSyKS)*N;e{6@_SeohT>%zsZi70c}
zTWzVA;|wLzdSO1!BA>OVV!)puJcS$vtx-<X`!~d(I5-&JKONzH332{G%V!w-5MY_;
zoDL+!&Z;ksN!l9X?C@?06QYqkb10tZ%3s0X$JD@9#{-z17n|hp%??;o22pl37mA+g
z8TBQ&vH$=K7rs{(H5o2CioEt>3iY~*3q;l7MOf>CLfxe_VFx4_VvdrNLu<$MO?D1@
zKG-f6xX#|J{qeEz$VRwUl&KANZ1P}xxXO0A!KW0{;jcV2BfjP6$m&&|Y|#LL2kYi=
zB7!WLX^{*|)+AGB!M;rie8mNXPJ1*CYf$Z=lJ}%&(}t`~r&7~K{Ie5mECK4*_d59*
zr2o1nm;>$T_18>OoR>#=T`zSWuS3eCWQujf$P#`>P-Er6hsX$ei4?QqCBpaZ+ElqL
zG%LIq5)}Fie0(fKVW}iNKRBlEiJ=wMRLMkL<9zI$#S^ftW1h^=J5680PgS}qBtYm}
z9!ZVK|HD-OAYy6?!wN`l0L*<5)XFGnV=Q*Bs$EvB98`+e>;2T0nX*+U7A~70!9fj4
zX`aRT$W!5C>%)dD``WoQT9%sYgJT$i+_)3a5B1ICJ#YE^&K`+yhH8g12L`-f7jd`J
zKIN=0V{g7OVI`&VrbQ1Ami&@UpuN&5fA(ECgZ!-_%keV{uX4tY0+=e6<~lSasT?(^
z>(@Ga4b3($5<pT}P$q@4Bocb>-ogy#lAv)W?AZ}<aTTw(-%Mf~q(36XlN?Rlnzp?B
z>-M~nH>neSsmq&OlHULgoMiQ)z2(`uMt_^$Fb-p$g?Ws#MsIaGWyH@3Ia>PbZoQr?
zYn-#}W;q;`4NY$YDVg=cyhFF1!5*~qg}CVJ`Ae5+Jfs@Q?K@4;vvqwX#lAT%F)eH`
zT2m)%74z_1qNaOnZsu;M0EYe<mZN>x*k}nhiQUQz*#3%%*3zy#0V`WZpE`S}Z;5a0
zp-qgC3lVMNR_U3th(!XAc%ll6DySbn4pm(DRU=vPU3i42K0iW`LIRFV_<YQTp0-4Z
z@o$1cX)k)o&);!Yc(}4NJXzh76;G)0Up?_t8*NH%CslSppy?)Kw*F7-crg;X6xpf>
zrj0$0{imEeuIr7T>eAQ|FNNi-H2Y~RsKo%(W^!a|v>7VlG{L_=l&VfLG^;c8!jm)O
z*u7V|>74crO+YCOFAC6Y!t>D(@Df=nBrIy14P*WsaZCrb4@L^dm=)WZ>RCu4;+UH&
zUbJ8u^csRR)ojpyr4Jb*d_`07fQJw3QHa;(-3<IpQ21GZ>N5eAC_$m9fd9tJ*oBvR
zbzb7Qb-}dmmXARK_I<PT&NnN8ye!+eNq?$X@?#B6UO+?l1QWyStY*`sM?UEjZfLmJ
z{WBxai#Io_Z^R4^IiWD#zNt20=3MW*o_wR7{9$zewQsUai9)}*yFp`b<kxQRc$t#c
zhke!x5<+nv#Ix46=rB*svG9Un0nh5I6Yy`}K6LsHV0l~*jrd1hC-$jK(OZCmSGJV3
z@))J2MP95Jv1nSvf`lpGv+~FPts5HXX`#3IcdM`c2YnpT<?P{<;p+_wNM}l|H<83K
zOI;?a7n8iIw9?Ih=V4skAj>wlplW`M#ILpKldrZ$_LR#O`eh>%=5s|eAL3U-pu=yY
z4)&h|4qHP5Dcda7rUx*;01vp2k^Saxmti=EC$g2b>pkyJ5-Z?%<Eh|ob4rHZxIaNg
z9kT<a&(gH;%a6l}4jS6L5G;|8Mxx^Vg4~KlNlklipCgXh!lukC^e2^RoB60^L`3DN
z$m=e7B>1{FEX8%;bT62?rZ?dma!Yz7I;3`Dd=QxNe!c?1!&7#9UPc#wznt%W1gLt1
zO3fU=Xe32CsB2_9y)*{pTT%a`ce~m(W2)tR_-5zX^Yd>NW;Iw9-Fed!@Oa0<e6_!Y
zMn97EvIJQeb<TZ>)14k@_v*xrELdtQ$q-qe<9Co_Ej>b%{HS$Z#c!+|0?yE~2@lHm
zWt-!GtJ!N06W-xm5ueZxv!sC3-t6y(y>}v-`!QZ}C$cOlGxqC4(S?8b2zf@O{~VFJ
z<g$<RB|5{0R2ZRG-uY;0T<&F;@q#VM>Cz*D2VEF07cZ3~W~Y&Ya!C%i!e9m1e#Y5@
zAs;Fkw|?8r?P2XauU9>(k01Q^vSUZoI>i>)W4n*iz;iv=yzI@Qi};n?Cf%8R#9VFv
zaHoy%IH%K=`?8ox{&6z&Ns=o^LlN@v@0SM^oF#q6`5giR>oP|2&1xpwX_3;Smwh0M
zh|sE}oK`WT>s4`?;)$+d1m~X6Z&gmyCQvDeU~v>ARx{^0CN}md)>H8!KS;Zgm65uH
zn>*#=AoRz4N7UlqC3=#~WK~Y~$K2|E8BRqb+OEz5R1_HMMCjPTI)Y=bCE9B~xaLzR
zA<q{j0{_$)@>J)x##3_PK^u%op3)^wCezd9X(Y7blsMVpfA~XS-NrtSZ&S6KeIEv!
zN*a}56sM$`K;`}3s5|V7T=Iq4Hqf!;h1oX95r3rBjlarK>o7F!EsNfrw&_`&hbu>w
zcZFo%J|N94XeyB4FZHISj~$=DGQAGBwEIj;SxyAhMD7V>kK-#P`!~zP-g*nHRwutT
z#7pDyVFAJEYU3$$Oo!!jt~Fz$0a})<Gny2&N&uy2Me$xwCjQ2)opag6l&)s4m1nK<
z%5-Tf6q+9U%;8oo;DR3vB%CRt6^}p^Sr15uD8p$>+9l^soZ6d>CG<gfhfBttDf?KE
zJ!&AUq$MTlM*CZC0xOMW#W$h&+#h_oo~Wpw!I9gpPJev3!zOMl43*F&%fYU<EL{rT
zVA_t^cZ1G8g1?MOWtkKr?y+dN7$Rb7eaAN;E!_`}drA5`rZ8!jOC5;^)9UFM?sR@i
ziaDWz=X@RFv$8nL-V&rbhtz$^7@x#j!CPi2=j)lpjerN(DSEEBxcN)`p=|@d-z@7L
zfmGMMG=ZC;!P@{0@d3tkxF09x<}v53^Ih$CrK7)<H<}PTo}b1J!Fg<G6A1}@{xs9y
zlsndXE|tgzS3Am6lsA^5C+eKLI9YrVl|jJ6-A_(AL{f9^DRU2xFKuPD^P|G>?rr#p
zg%59bsk}fFMA^VPq&`7kJ*GW>8pBkqj_aqCv*N--n2IdI-6AIscD#vgR~>J6H=&Q~
zAro6RSyQ4_le`QQA8d&M%+eCPOIMuOa*iyzyTABvQ1sd#_RY<z)0kC0<=}ZShJ+;V
zHyIHYA`;3Rtx6pQdws3pJFLAVMHe=}7~kI>%We}i#mzqb-JIj}-DC`L!gki!JUpE-
z^oE8M*Lx;SaEZ}s(v_I}0@C=s6z?=!*9V@&E*Wt*D>DEKnC3HAYK}I@%sQ*XK@wbR
z-+6kKdr0r!d->KTW4<6xv-WNrl54tYb@i|!_LJkm^v@th)8J*vaA3;e;BP(lm^P#r
zGkU5KJF5Xs{;(h932u@e)R?fz%230*5lh)7ux3(SUT=`48K_FSNrjVt0q3xUDZ-I4
zKX?DC9g3FYrN@XJ2_^@KxuiQQSh7=d5D&4UCA-BknBjNyQi@hhC{=Apb(&G6VMx;l
zA(xEk0}WC#{e9K(lC9OKG6^_84hLov6pBSvZv0T==;Jsoq{TGrJQ7{8WLM9@;xi4C
z2eED{5HNRAWQ}IpX`dV?6iF3=YRa8{(NqzM7+K=hYL?KT9KySSC&?pmvk+SUX=Ofn
zdVVt#%NSpoULxUJv!gK^!hIx!KQ9JEKqy4AU-*^c2C^NwjPJYJQ5g6n*N_%C!86&m
z{fMpGj2xz<e6iYYBGrQj*5Wu`d9gRp6O*hmQ$0&4_IP=r>{u4)Tr5D<uHR4_em+ZE
zYSopYD;ZB-r(_`}1hsL*n&5&R>9(hQZ2vLqtuC`=Pr(hCoA+&MNC*3!N24kKYs|v-
zbSgE6oE9QH#d4xzRKy3TjgE=$iBB>9_dNThn+f7qTL%4;b;GXE<SxFAxX{m2!3vyY
z^SGX+5q~zg%_<ogj$8dq1KYv|aFHVHuIFJ;TDVhdEF&iq6!s*N1xa>c^o8>OBEl*K
z^InWYT?T)nroCLzS->`a4n?QOnc8fvudW_9SKwrf4>s!yh%siv9(R5ci&n=W*FTg0
z0|^eD{*%o$@`10*DsY!NunZ9dM^*wfjGGCZFl(Yy`mV?mPNRt~tBI&2W6Y5WCu#8%
zs^)%6)ij+-8sGd)t09fbmI3-gcU3<rRX>+1@7UBR!Nx;QUB7z|^GxU&sULGq29IBx
zg19D6HuwE*np0dN)Uxk<hOdeYUt7k4bGk{7njz!m5G==Cn*UEq)HjVDxZ6<*dQ%b`
zM$*CM@XzhY4FJo238T38JL24O*Qs0?Yb2y5^mH57B-N*v6y9QO1f0i(q?8kEr|rgS
z`@_+&{AeV!%o=~p776{_79=}v5be@TA*URGj`**_t;(?}_qOy4^k=aJvJ{nYDyX;t
zd+ZG~$NLzRZwmdG>w<#)Q;CVuAsk6ir>kvc(PhW-IIw29<oYt`P`=!)#0bT;{W)JL
zTAQ7cz<D)~DW=5jEg1=&qsMhXv2dDDGN?Jz4hJcX$`ZU2A=Y6xADAI}{+4=;i$Njs
zG8)cw$vH_(6PHfza~EYRPX9+S5ho(zo}K#Y=W)6DvI}+mS|gquohkQz>S{s}jQv8M
zzT5Tumg7b%>`6X_xT<O$%3*oJ8{~qAePw2h*x}WV`~(zX6}`oE1uZK^N}cgHa<syX
z3I#35ibzYh0Hm99w%L2Tsxai*Mz&M92yR{=ZI`4YAU<M<afLhSGJOEwN=SIBanxL+
z-<*5vTIb=7g`aOpSXMqL^?h%q3@9}3-4`dLu<z9F_iLSOYxrTX=XO?eG#V|c-=bTU
z%-{X4_pz&@<)g)De;Lx6XGUSg!#Lw=nNzSRc3a+g4oi5s4G<YHSFl`2krRIH0(HAA
zxNmK%Xa*(xA*xuBqc6K^*x;K8DW{b`ZuLF!i(xFgRua&T4q>NM|0W!VR538T5a9l6
z$BM=pe0^1vYoHlE_mum$U`S*BVI#mTGAf_V(TQ=ZL$J|S7x_tpSw@+*i)X!2hQ0JE
z{lg#!{h@rhyji1HRvkipg;TsSRK#!FuXg_~#@Y^|tT5lMLfi<C;Z=#8FZ)_jw!D^|
zbrdxWclHMtWEjT+{N5OGLh~8vJg<$2^%eahU;#6DF(6q6e&)>dZ@Fg6Nv_Y%NgY4l
z7<;BT9g-zqmV!$EwSv-%k6?B#5ibetYiG>{jw`SB`&8fjC!n|SLh9;1zwNeTEjR=p
zg^Kdhaik~kEfH)(q<z9c<{87SzI*F?QI4o_eH<^>1UTNu+qBfOrUTWk#JYOo5d)%~
z7Cmj@bW7H{`$b{R4{JmI8j4mn>8UggJT+A={I&Dn6=ViDzD0nouU42WTaginTRi&n
z?t#kTxx{DN8b-K3LF_DXYxA8%WmxC%tLPw}(;D?G_^Rj+;*3}ejsXQJ45K7coXJNd
z*!4E4N407uLJcb{17;EB%h%*4&5CA^|MW5hr?KY-x#lJw{jm#;I<!prg*uzmJ@#F-
z;_bdpz2BKj*Mc!+-`pr1W6gv=lsu%(f%dk#t}t3)h2Ez1b5WNVeZF<8w@DgA`OeMp
z`}eURVgZ!0(w)B^bxA--N2jVsK5A)7%3Pp4l@W3&UeTDCoR;@n@283E6RP}!##2k;
zCJXpDM=;H%zt_=&G4D{^z0uZOO%U#Pw~$n2M>~^|YS)5QVQTho5z&!gL!+BdUAYf^
zf0_L~YBQtrRMk)RQO>L_^z{1ju%nwzP?Z@Z64)zp2zHxx{CYXQiN<BqoLO(R*KzS+
zYR>b-qgJV9W5{&A+Sxq}&Qr6}HnN{!V|@OolQZ1s+;LJfzIMv6P6oJAU(O8FM-m0}
zKyA#`C1`Sky))g}TeTT<cgt3s00C)J-`73Q@!OCpy)j>NI}DQLS=LekMwU+s)HMf9
z`=V6~hRz0UF8*mw9m`!hjN;z$K@)2;{dap<*Tkvju>|CH<Y!cy^*hy>-cKq#9lkA@
z;Jhg<qD}dh73+3n4yfKhj}ivxuXkB^+f8PE|1!oiLP>KwDjZaEmDgCqDMP;3RQLts
zDBUC~&?P-*`&wEd2xw`ntIRMbBt0&*E9Ho+$CdX?e`7gs@q-^JiK2B~y5O&vKuOaL
z{ro&0caguq!XcR6Z^?E&c<LcoU-<Wvd#a{ExI?<&ADwRVFUqm094iI)D!hFxAUKjb
zDo5g#_0D>%z4PYFWr37k9;f^2_ZQj{&`!19Vs&e@1H<rT6L=9E2yN1k?y^pbL6@xQ
zy>kQi!K8u!v0jC_l;$Qc11tfp)Sb+rmODo|9z^CF$)y0tXbK$a@IqJYfUsmey+C_=
zCX2OcQtr}XQtN*izbp@|@vWO<O9&2hm1YOw@oW586wB=5Vr9P!QJM_5jVDl&Cx0;L
zhjijiOyL2EB0Fomgw{>>&KNaDGL@38oW2HD3oQzNG2G&%j|2226-zUtc?_wn7*y3R
z6k3#Qw<#JTwu@0S9op}63kxiRPs?sEzkLCtfqq-AI?l@qGceZJ>dhv*y}!YYik7%h
z=6JcI?ASx75e66y7U;}f+vEZk{sJC*jwu?=|L8na0Y{B=b~J#w2rA43yw9Jw(<ud+
z5rh|Fq~{T%3xjc|@e12$Li57Y=vwA_r}0tj^j_?Bh)EAxE<Hj`zH`#y%QTx9e^|%|
zguojg+`Upnv*_h2)~NBb`e#s?o%~{bdGH^nCvVXOw~2HOR>XJ@;u~ET=FVTv?Ht2V
zu+rA&=*VkF>@+A2r3J;~^6Z6qX2vyX@YqY(&?pNYz~>vNiE{!=#;iVjt}2tJ+|!06
zHNbYS*H<)|W@IN~lAR@<uy88PEKiPmdwQ$;yGVi`%7yIoRu#R#y-wP;9$8A`k!5t^
zB>>kB?u52_I`My86YBnN#^dRd!IX}g$d5HL^I8Sa&-9#DqS98g;}2g<zoB(WP5rGN
z?dtK;7-I<jm(gXeL7i-dIEv+DiR-+tmedv|Wpf_=8NE=Hz{`o=>X?aY(E$XIOb)pc
z1%1T*tPaAR&LMaukKRd6qOU<9ewLMaoEj5N=c$SG3U?_AbZv=55gHxLG4!=$h2pF>
z%HH2@sb(Q=pfU2Q)}evn6mqS4Osq8Kp;|f4a_sHEB7VhnhrLIlssj3Pp725DT)ken
zm=Jb%B+A1x<tdJ|0xw#RWbaUGSDx8MfZAzZ`?91%Vbt{INz?Q1xWQ=|5a(73<v_h_
zhO+<;c9c5@!#V2EAbvGCG5OX;JPh5qCgU4V=~(a>yI-TkNW`bdG#W*YZ(sPrL(7Cm
zo_hJ9F`Y*G8Uvj<c!@w8^1zmil?Hn)n#4JTb6M1lCb3F1=Jdx#w5dk1=R#a7mOkqa
zbc%Qlm&H*=r@QLBzJa6pJexm|z#WQ0(}V2|`m4x))dU8_x5$NyHBL!h<BH@A{3G~n
zt1V?&a}L)ntL02RsEX%6F~p;$EXzQDf+a9>aNKLYxdoZ8U}H@}^>%t&c=2|`5R_<#
zgI4^#f^=}M$jronL@3snFmZr6e6mHi5T1OA4BX_SJ)4jEv4&4@?h7c)S;KNI^3%Oz
z#h=#MUmHHJ)L#7gQzBX0OF}_eErj_ct6e01wKiIleBtZEi$EB_6hh^7>N?^60?X}=
zd)i~qKqjcqf-1q5ET@9fIFs5sI@;=CfJEQinsaO(sj&6ET^Ai5Z-`Qr*nKmt=hXGY
zJ^Wm7E+X&SU(5S!&6+oZ^>`EZ%*qU^w?k>1LlUJb3qLw#|3>&IK!)}UE+JZZ^rU$T
zQ$xzt<hX9hFd+w2AyCYMJfX`xf!Ck9*U9j(=eYigCZI8^pP!{FSd2EI&lH<5wm7b1
z5o^b(!zagFZtv^;>}A)Q{I?DcL|kI!#IX{n$lw(Q!m+D4r|f(u)}f>MPjP4EMa`>x
z4u0Hti4hVtyo9E-`yWfkB4n#-F(X_g(`c=#*xz<Q5)gY>t4sRdZ&&eRJ;QXg&UPw<
zE3rG=p1SP?$@CF1A`mx#JLvgSocG{=y9{0pV|c&vZ267+nz9!Jq%K<QUr12OO$|<0
z`5v21E_#9tUT$P~kW14iHkQQXn^53sZ@)1QL<flTJe<9a2>P|+wDgUpdeyr+#oC}N
z4F|h^+EuH_&ZB!yO3-{WQHJ$lLENbZJY1D)of#VP?L4Yi59{cEH#6YwqKUB5c=J~l
zfUSuB?-%(3x{GbiPt7q>TsR(_=<?UcJ8guGf}xbMtxg6^%Jz1;?xAo0b(S60AwPA?
z3L-O{8)=V#3JZC`mM_dJdB(kFRfroK0qH`JFxH=%b)SV>@<aACIf{OG^bGRh&j#*v
zIkN3k>0R)GXY|pDdQ@}xm&e-W&2U3SCmkSNb6kRzpiuS=9|AWv51(sO8R2TWjRT%&
zeRamv#~dwA_G&pfH1EX-@I&<nEk5y#({h-}tlpK5@i(kR2M3Sj*y%uGqiF6o48xLt
zuDs<)IOB!>%CMW<bt+-LYP}YLp!0s`T)uY1$&_3jO^Aryf(sKE@P59+6;CwHQ2vsl
z{k$}*-+yPZH`^wEHsb4H!P$RJ^StEd_}l!93$UTmE#5F&Raoe&r8@Rg%v@JjOO|1o
zlcAbYmKXem`M4JT;D-_I5DSXe_0iI2jWyDPs_QN!B*E%-N7e3adoEn1tDUdfi*BB9
zYpm9^*B8C97WRf(O4Oy;>p_nWNtEzjZ*4niZFr2O{2c=8Bg!a-WGN}|KTdpYeGpm}
z=9x<X87cogGA^OJrw|ZsM0ALT2$LBSXK%ARwL$=b-$5wT(cPDJGT8ST_%VePq**5_
z>|w>xM{Lz46>2^7zp(&Q+qLQNKzrcHHOufv4P{wB+lIil43^-RY5KRjZ@4a(ROIAW
zM@sRM;Xr+oR(fc>tBcx8Bb#WO2{XZ6ZOTiSIJ3>Kwch6&VnrmUOLrDyRsduBoIdD_
z{W~Q7Z-(*)w`Q8?ImXMyeJSFNW_LqrL#Zj;I15)aJ9Oc&WYdc5p45Sd`BI{2iD@W7
z&o^TTyJuN>`<a*@KM$0>Wdz0=nSXsnl#Cjv`+T?NzP7r~!4a}wmu%(x0j#Xk%w3+a
zAGomv&Pz;!?S=984*KjBHE!hzSTROKM|-JGUWr2`NsrlrzIsHNdLwX+Cp@)q0-oN1
zB<=p`<?+1OH4)GAn%56^Qh|mh9kEs#+cqHz<7gDJfrncj;W}kYvFAX}9`)yD@7r0@
zW=9q6?X63q7<&U%&z><`10ESVe25RZpie<ujZk8s!G4V!q~x0?82o3@tjC7Stf5_C
zU39`a5GM}lzgY;`t3&7PO|K)_J)Qo6>h{}Q_6&%lT`pdDpC@A3(|?P8$sHLk8|wq>
z;TIGyhyB`A{s&EFa^$7zA9g*3NlrgtpYTm&j2fP9;e|U>A<gxkic*0Z-p%laHNsn7
zbLNmx&iOBooOD1^)N7U44hqypA*feUy)Ly-(-6N@a5l9GAtv%zbKNBm0)@7QdJL^N
zGgW)IF;L=p`ewLhRU^xb1m<(;wM4_Qn$PSVXiiU#8<DdJCQWdnmJJV$W1tCNRj`th
zn#YB=z(umaMJ~jHx56V-X2T!<o%01a<|Z!p)zfxZUn3Q+)6O6yv&0mF)D_RQMw+7*
zQHbe2_DQzef@kMmXG8O=ys8JY`v9*8Rrg^O+GmXkO@pSW+p^E|4bcCXj08InT>%i;
z5TH_R+DMyAG0XTH1_mJ?33aJ;+Haj1wcglU3$VlGgf*1ZHv8r3Y-5kDp>tw$0A*hk
zY#5&_bF?FF5-j0rLsMXVe_nUf(jF>fcwabDGcv5Q;>BoYP;mY??#u|q(ja?1Z8^z^
z*H9gX$ddm$yjoq&lN6+AHfyeAl+1Nb2H02(2?cO0&$rn6yYax-82`ECzCKdYAs0jt
zobSp^F1_>cD2tqxMp}B11as<ZY{k_uMxmon2F}BX)sM;jh|A$Mm(D4Wb^PtgL)2#E
zy*^LkMb*B2u0A(^e~^^DqF?z^y_qxTSdO?Ep)iq{s>g@ARvekO%47DDVC*>>sUGip
zW5Qz(qx=8Pklm4>Oz|X$iLpY>*JD+AE3%Db`ti8u$bmG;UA9&miD&g^keKf&dEMBC
zo8(nP`#C~3G*ftW>cHX2W5OB7LbN5;UmymUN@3~bakrodm?f|hXK~~peJA6u6^Fj#
zdd%1g5Wx*f;UTfYB-igeFVdk4pk>DMh6#_l_MWM1VHDLIvn@lmh5<(xq8LyHq@iY$
z>|2tzWZr$sx%I?@Dt=XH&F`uup=x2l#>?mNPT6VCZBmy}2`KFLs+z0jT{u1WDQ^Bn
zemoc{sx|eyX6E^;cWT(0W4{T{m`{!}NQ2pf=HMWDW*yHAr~!9er^)<5wkq57I1p71
zUW}<CPq<=4^N)sZX{~uaPwLTQr??NN_3qU=kI0GK+tcMHe|2e-v*Hv(+fw1mq>6my
zMht>RAgN?s7&rii<_fJ0EXC3m_IV1ws1O}%J*aAASE*o2a#iX|fM<P=V<p7)XgZF!
z4h~sA=f=Q#X-=t~|K&W;`HjJVuFkt8Jj79fj2gkPT376=^Z}Y3A!2kkEyFlo<$(KQ
zrE&e}X|?mMYZAMh{-d<$Aqg|FpR_EV3IeeI-QW>W_V|e8Bt8W>Tq9q5(YKu#<Oto)
z?$7TKFIu#pTzE%)?=JVh80{{9lQuVn$E#VAATPey@b`_d7TXeUIR;v5Be7yc3g2ej
ztoG3wy_>)ug8RREX;wLi^CcH@^u?LWSuo;Uw%l*BIuR2Wf_uAi-?qLD%V%qM?O8?)
z69x+!6)pF?^xU)jIr?ua;-5V=lzq;oA`pvfBL^G`IjyaLf@4O0*NhljoO(`7kanWE
zBp9NZRl?%h;R6YL`PjLe5AGCNv38x>$vsZfq;6os%yl#*Nafk&j~;h+Zl2$JUTiOk
zmb@svJ$*g?cc(0(y4ys08Qtx5XRx(x9nDqu`RzPRdt!tbcw~*TAv78B5e$}y#ssTD
zp6iLrzedb_Z}+YX%#-iSO80)vacu|fRjTY~6aDu8=ayBmPhRC&uX#0aU;B}A$7^O!
zr8x)jI#>?-#oA0MRv6%Jo!{$|Qk9<AmhO(U=vr}(AbzD*Cm$aEgf_NUf2lhFXSA^*
zN?uy+FU$76;x|IqG7iNb4%(9-9~o+A6%knNbLLbmUg%2otgrSUc7CxhJc8*Em>NJq
z@k~h2Jd$7a-My1K3UrLGI<DO|f}$z#A@B0qXzpFf-uYy2#|()$Rdf>@L;9LfZM{le
zL!V({%#|szGoLe}1RF|W<L{G~nmUf0F!)a<p?4poMy#XW6B?RuKZ@nrHjF@^zJ?O%
zsmYo~K};xXs;h2!q%4bmsi}T0kIq3&QFP|YoZzdwS0sP!z4wuQZVL|f`RwKiffNSD
z>)O;CRua_PuEhps_1<dcNaS3>K7klQ7+EJsIDe*;GSiWesO)W-&D7PGYQvi{4d?)S
zx7Xr=0k%J5$v)dL-YqV*fl{6q=2bk#9%W}@Y)qx4ra)Yoqtxo-TVxU_Eqk^>m%s(6
z4#DZMs&W^^Kimgfmx@TMZ6!|z$_d!Pac*J{I%+5TJ9?Q*lR9E@S_ruWpRO^d%u4=w
zIvj>}m0H0(cIl<!MHRZNF!=)AC`ek%OuAHoC61`_BfV<dUx1`p+dR@fydta-l(K@Y
z?Xk*^PR(QkQ6K_ApS*_7ecF3Ipzn&BmImyU`wl(aoJDT(t-Hf%3+rgW#!QzCXUvAp
z&X7UbY6Ga**|$2<*_V=Cn~3Cd9MS~WhWv++yCeMD-}|ZZ=+Z;kS>7+-_Q2^>>|@4q
zoXO1iRei*t*|=rVBci)eHd;qH2A(H9f)q!FAG(DcG{$?p&{uyWMt~QU8ph<RCdLQN
zGn`si$BWNUKd69W4~FEg?88(jujR^gC6kZ0nZ+aiH`YiybZ60lTDZO}0%f%wYUK+w
zxVU@3n76M2#cO7rq>EB^wWB;#d3DNHJo*EBi*B~zByBF~&iehQl^305bti^K;*)M>
zfftYMa3a80cF2#OG|C78Ev>66ffO}7_xNGB0aNyT%<(9t7U<lWNFQWTwBU=&sModD
zA9Ae1M{=va<^$6N=)#ENoT1aza`dIHAc4`GnI3)OXfoMJmHoZHF?IF;!_b+xGu}_6
z8Lwf?(bwHopO>G>Wn_}D`5MpX>CX(cC8xe@&tU7q{3+&N%ZEqKA%Uno^O{X5jF(wj
zT8RJD%LrsFyBXIxSH$8NwZy<qwC3J5K&Pg=pQ!~}NwDX;x{#(|2%75SMPucGzvnR;
zTLBc&n7D+=Jd=FhG>ce0dcJFhu;!I$FA!9h<d-}pd34Ub)@M+$rQ41x{?k=hWSmB7
zVRE#LIMj{N(5kG#ygee`HLG4lzV`W6jUrv6kEbvxlx1qqKDKC{a_JmuPE8ZNd&5}@
z$ZH;z^b5&s{)Xd$<#;q~fPig)B;ML#3SZcn>9!~lbY-b9fuvZ#w@kc$Qb=piBYU&T
zDj^%6?NR1G&xA0odv4&~qqTrU9<gd(W@22G1_!j1LbNcCp@4L^y7)$){iQ@l7tM_!
zI+kCoYDaueLa>#bgYM<`nUmbSU#eu@6#L=JKJuZDrT1~D5=WJjn(FJjZ(3Yf@M!{Y
zY0n;=#|tSX1g+lg(U5x-3`N>TLd*Ix29sl^!X(&J9!^CP<$o{xx1x8sgwivAnpcO+
z?&m8@Y%a;GOYnlp*~2D+fjbAdRRw`7HhWz}$*Xl$?y7cU#ew4VWiAg2;SI`Rlbk^%
z?64$@fS%_05Jf&3HTrn{m!v*Mv>SM<iQa<IsOK;~XVWj59JH4!jb8H5D^5)5w>tRY
zL+dj7ym5?{Xck<lofyg`tscHv3vtnCF{Lu$X_W#zDOJ@?aDb*^*v}VDOb<de;(<77
zem!(|M7f*p(n&*EiwB;1i<Ru1{d1xjM}kp~jnr!0P4QOVz_pa)cBdY+bdFSVQ}%Wa
zW_`RS-sXKOVlD1x>yqnDPrYxkUt1KzQx`^_jI4_@!UyE2lLJ||+;u+6sge3(QO*BR
z%nw-g8>GSmJUMpP7+TYsjDN+>YU*1B_1&_Hg;5!<G)iFra7Z<NM6?ut88)#Mw`^m!
zf~ioVuebhO3U09ct)F1>_%DX4>>D?gj+r`jhDvx*as_k^MQ<LsU%)G$+J^QnSWkAz
zJMh|*D@tNc;O-}UwS}_~7Z=9$bQ>Pr8`&1a)Gmofj&(yr*==G0;p;1-QFdbmTQ2jZ
zzKm+Rrt3(C0t*v5*tSN`ogPwXIO-(TQ+wYFdd2hIl)25wd39E$%kyv+w|_u2Vp5zT
zyYX<$X_fYhxBk|6N;AuE%_V#;dv~c4i)dACc(|E!yiFSY36~B1zdI=5qTM5iyeoWt
z-1?p4N<0!hms__UTrMvRy{D@2Nt{C_Y|d2N1DAET?yEGL!qburMaqO%*MnXuHQQ98
zqXmFuL$c`n^sEz{Lyh5f*dfzzzSOzv^W*3AW7rMK_;6HDlc$vgtpeYuDk^BVR6RIm
zbko~^_xW*@-u&BE@b$@uR%idie0N*AnyCrQR^%v(i<96kpa4ATayhRpdhi-Vifiv;
zOSOBxdpe{%dV0$;K2()wc?^YS)ym3^;T_8j7h7fM9>HEew~Dld?0%^zrQf=?bE_z8
z2jM5DPqX742AlYFIN9T9Vd9dlrlvZ74AEgFuX~5y=uW!@CTdVE`MIZ|+wC5;g;Vt2
zWC%1dG8^62?eN-dZpb1;QS+{1?&w;CMXr;g9Y-;9D{1T$wDN@(&4U<9Cn;-wtQKr;
zuZt;5*h{lj=F_A<X@5)Y4_LJ8e-TO`wUP*09a7c!{;QLT9;rRKRw*NA8$wVF_NNru
zzi6uXd0M?uAUvm;{t3PJ-&8NFKUb=Fj#E5P`V+9IF7XrAq{9}&m!O9TrcZDgP#+?P
zJMUE1{#nrAJ}hkt6D81{eK+xyi-FP5%I=~A6C%PKC4x>%*eez+`Od(_KNB>z?J>0E
zVH|W_bM<6jaqqM^#Ky(I++!XeM5&}gj)8ugHBT0Q>9Tb@S^da?8V`CpLV;F@$+wo2
zY*p?n3(-Auk5qC!*x+&4(+=9Dn<73s>?vjCSVxgb)R9?kAgkHxd75K1@@=h-^^d2(
zDj$e(8}#0ak$L5Q`dLgHQ|(7F`o2q^WrgXk6lwG7eRM&Gr9R>Jx`2?VBu*MX8~00E
zbia{Xif54s3O$AU;O1yj21|WPw;~fxixVcq%yhnoOr&Zvo^ekx$V{J?Z9Gr4V5H1{
z%4By^zG%%!b~Fk^rD`CXU_J$%{!>A_&A8+J{=b_oEb{2F;GqT1U|R!?s9_Vz6qKfc
z$#Krw=~sxkAZcAAvi#W<+<j56pr#z0HmZBG#(n+ItQgLf1!x6&Sa?lXzFHf3bcv5p
z3{ja*8o;{L3icJn;2e)@|0M$?VYdFMx>7ONHdAg?bd~bj5ZvYqPpUwVjXXd^@q(yc
z4cX-P6D6ZO{fA6>j4w0GomJ?-Bk|!#CySxjciN<^byD0gB4Om8_=#`2xq><rP1=QW
zBrPMOk9IcNEQocj=^0FaF%uzziqq#F9=MO9li0+=2G+cuM~ivcccEB`H5qZ;BKFII
zQw0;9*iy&Hk{6CnWT!bvoQ?RNcY?_CNoRKJYFmUt2i<(J7GM6*K1|qLD02o%t5L>d
zxzx>*VW@KB+uLV2wvzYFB<^PM5PwQy8NEP-9*`uU=$2sb8M~M)9n0Ciam!Jg$I~{+
zM@mW>jCY!XeYI5;fy*vLg&J)W#8!qJJ16tI2ei(2sNxm$Dczx6y%28dLPGaSjM0tn
za?))|*-MpV6h2j~lN{SUtK_d|`}(t1+4AM^tu8jS`;=9n_`>)!85RbY$2}Z}4#B8(
z^X>4^lcg@F1HNDRcu`R$Gj8a)8hdFJs(71ETKv?L(52=7ZuS)!id&S<s{2`k9mPfJ
zq(8x9@qD=LdB^+ig)u7F)ZL!W=&%@#z}*I@%!ZBzh`zNm^8M$HofkHKalZel;ccf$
zoO2_w#>i<`Zw5{EALmA65rVIqicEvMO%tWB({72?Z-0`TH*kx1wssV|YXTDTj~hqD
zRZLvTf(P9~_kR3eEx>;ODbG-KlkAXP;=$5;&^Y+H^q={xknQU-pjxjLC%ll+9_a)P
zWW>75iLcHb?(hF1=}XIROfpzFawxJFM%$^F_a0kWyPgAOk3vQ*h#hufCib}>3;jZE
zNPVtK#ST7PHf6Hhw-<F%b~6^X-@vM!-n)kQ_U*~SUWSzTY}-r4uqM|W+l3MRRLXlU
z*NP4ebq_lzMXmPlCo}W)Wh5$PlR1%M-Y?Ubvt^Ui+>5sZm3J-*JC*&)?`Mk^xRFK6
znmQv=-1G65PD%;88IAn6eLvDZuKRe0cG-0BA|7MgQ@1^qVJR`Gb^@XiJPG%_vgh9K
zudAH8ZpI|~0Kw62U*Gp~_C*1#kj1chro{!=BM&?@SA3rBE?M2HF7Zk#MiLT4A5IU>
zbca^x7^$3-5225T{pYSRgIBF*-rG%77h1|rbMRTadb{3se)K-Q5WcC|igtE}7A~~4
za$&6!2_sI+qfV<1mV(9^RMmQTJJ3@6I0)2EOAG>SO(DpeDzX<0;){(+9OUIl=?!Cb
zS`-3E_-JS)UeunuH!LM>)OCs8CIF<>jELoiKVcyW58W^ym$<bJV@3WfhtHx}r<uRq
zXxNJQ=L)NMsAWAXD(G5DNydW7Do+Tk@Qp58zbd$gPp#WG)|BSO5z3Bf0^?&dM(xtO
zme7|8RbgYF_Vl8LX9Ya!LJt)m&=gBQrS(D+IJui?U0pw?4FeSb>+31LcVrm?aEgg+
z*HEh~t>r<lvd6p!vInJ21y9c4Yzi(7#V??K;bNlOtLMj_)8uOw6`Myiwo0~?kr;&#
z(qTl?PmNB@Mt=q8aSi2L-E=4jwHAcGEHW^R^HrV*yaAzw1y_RekN;vkdA_Fb;mNu<
zEi>*-kZ+pMZM5)=aO>L`38WNHA9lzfkc4H0x5x?jnC$ek$m@eja{YV@k{w0!nntEl
zJ($hp*YBM5wdT^p#s<u;+k{G@e{F`dvvX0IM*H!423y2>6yQ^3;zc~ouFICfj0-hM
zsnVgd;;Lh3*Fp+GKj}mJpaZ(P4$-JrhS_^hIR$Ec4z}*BhX0&I4VxyUuc36$^&0Yw
zs(LZa@uKzbHrx!{OA@sfnQxRucxs!F<wz<c{v6s7@T$n94^$@Lf{(SU+9%h+V*HaR
zoS^n}-Ru4tFtOHrDT3$Ic-5e-zHZ0w=!*Ok0gsB%T;gN093btO%We27o@PDG4~8P+
zqr~h;pffv`26x>WfSzxvV}7FE;Vv$T^QKdQXj2>Pb4wzGFo!YtP0LkP(GAscg)z%M
zcWXb<=bt=9+^-2)na8aKK0NT|8xOf{)ez`ilh}eU$hnedYVdorn$uy%4W!xKc<_BM
z&dU^%(@~#v6M0qf5_nR*XsxM^1E1x?mn<I0yH2#1eNSS+FA8Bo1`P+ur&$~=d-et{
z9M+e0ZEbdDt7|XJ$WOZp+QhP<uPNv(MBGYJY&m?(pc;u2=i3#|C8b<bpci_0u}CyC
zRVUTH_g+3n<0ax3Y99HRK}_te#UT97$_KsciU4CQ&dp}m^lQqbq;ytMwJ~?7jNk;^
z$x{*)U1p9FUXI&0IFJA<H>G80_^c*}MmiG|VV?F6fzt9c+_{Tfj)U}|f}lDYQTE$^
z)e|Pke)@Z|+N>}V`wUOJZt(c!>1`hJ=#!11pz|dbi|Qa&d2#pt5Hxpt8q!S%Y{;!3
zItG6^RTOMrX#2(2s%}f&{p9BVp0#439qhTRtp}<9x|0=mj~litAhB?#?6t)~EC${G
z5O&BRgjUUO``a&=3D)ecFqDMsk2b`)8Y)Hg^>O^ABtDotdfVb5yDVRRPW64XJrwOf
zac5j-Ws&D%K)zb4qLYC?EIET@Es;0vvth&vm)6~$C-2v_#2)LPkGuuBYCv+DaocBv
zQ*!pr$nA#Ai;7&#pQUMvnryE2pYd~v3Y2cw=`1x>rFk_aqo(y*Q_0307mwhL)^5hJ
zz)4^tW#R1ij4G3{vR-m5JT7-tg@w==NM1AAI^DXQ!z00C^YYSN7fSL~&MlztI$K1g
zOj^1#Ya8sF?cRLBPr*hRX}``{WC`N5;$X@`slbA772@~3oWQ(6>@O@}o*cY~`L7J(
zd1u)tbC66~Yp1wtb~vI~H-+<{!=g-ff+d_<%@|g2wc)Tv=hN9ft~F)WSqI8>($H7{
z;@`J1zLNta1FXhvidjBU&nho5z?(W4gamh+g#o3TgvA%Eo^twDuj<WgL{`P9haQ7k
z{I%_C2=Bg4|9Fl;V)^}iF>5wEYSYTj>8O)l0vlaIMcp1=ayX`K%9ECJbSTDi2--hH
z%40%|*cn4S*u39Wbhk<x$3;ylC=UCB?A+hSJ&EM<oFfJs8PYA9wdzb4C)SV!zr$__
zvG>-pqX&_}NkA$98AnT6Nkf0+kQZp{ENT9>hC(Mbf@TE#wxW_!gym<P`=zr8)pFV7
zJQiW$Fh0+wMeI^41Qn9_A1F-f!>PtyZhdbrU#e?@0id;tCW;&i#b*E5ShF7N%A?qP
zF{3^gWG#~sT=SEHY{b-$_*R8K8D9*$+sn}@2FL+5rgm*p$YSl^JRx(VjO2pkbEU19
zslr}$p+Cogkr1`(dY4`<2=ih?e<+mrPp^HWVMf5OFiLe>AUG;$=)F1Qskc6R$qq}%
z)sGR8Q;5Kwo>HPp3t!X3Dfw+U1Y{o@M&x-D7;UTN(P=Wd6eK55YV4s&L+_j@bNZTl
zslVea6|^4>dJR=%6j_uX60@R+6bIEF@+EL5FFa;C=oJ>R_vKp)e;m7juV2m<-zKj-
z@c;og#>o99v|TrUK>?`g(3gJ>{Iiqil1NpBvFCz5@mkocG;;TFhz7RhX^y$7kVC8{
z3TkcuolYn=dZ%ap^y02L<nexvap?@J>#>&7R;#|Ic>beXtnKYmpWS8M{r${8`7z5K
zVXkocFe_#1`gz~z-F!;o%llDP(OP2z!%MxTwiyQ<MeHCiQ;zW5)I+TMmdnaxWGJw<
zjLvUJxB{Q5<Y(aPdX8+=u$emt=54M!GZ-t&T$HEi3Y!_G2%z4TI(2SYxOAC6a!KZq
zGTHB_vi;$6{H^3C70pfiqXTk<sTGK+%$@}e(;cXgnVeu_+xSTl-M)8Z!+gV|w>*!D
zUMaP;7tb-;6D+u~CE>+twpd2ppUQ8r?vWl?NzP-3m9v(koG|WE7+a+7>r|I&kaI>_
zY0bbmwI6$_FKM?O-R@CLm}!4CUaIf=2&4u`6cqP>u|1f~<>kM|C(%S%hxmidDTf(H
z;##@n+l+3;p1%4%nnM@Vaxk?gBisMkzea3yf%<Cz-_HS{;{!+p{h?0}u2?q~;Y66c
z3*lMdolNgCTo@zUa;d9j>UnMxU08sqA}{m}EuTh6{FHM>F;phRpcWpSVn4F@x7LYo
zh()axrARgTbh*jukeBV1^Arekd%6yBf``z&o**84XHA1M3l~+^Q=9LL7y*=7T=0{C
z{C@jEv-VcUdH6Td9RB70Ua;6FL3AzlirLtBTIz8=ZFp#Ou*)Z=<iQC0)F+bL_2U!+
ztg1rS>FJl-S|GYtV-~H3*(n`NyKrEr9yjvnJA92$&^3YS!-wun=IRr7kgtHF5CB6Z
znrvwyyLbVG|F9MHqFsp@OCR@xUa<*9#GLv5wY;0RDL5Z;KP#=L>o(B)^bY(f<j#Uf
zM9Z4}#UaN3RrKl~cFZ$=Ise2-rzy(GJGreIt;gvD32#?0nXWrMtpqvFl<VX7PhS1@
zarQ)t{UZ9>PmkToMlg6<cRNZLEzps7&?cIck1ID|YMkz98{03_b2*UBOI!@=HHCQf
zw+kGE4u=Uz)aCl1!o@k+wIw}<XTplhi*BBK=%%#gLRQWv%=dSaefa0JYak+G@ay|0
zndFdq`p|Lc5twjPnr^fsQatwh(-X9?K%}iTmL*VMT2gItcRR6?+Cc0&b5ZXWCHfFp
z;r4PEz09Hsc^&pS3!&8w$x^>O4rc0!tH8Aq@hjRoZ22S3!=HpKASNzOB3&^%=#t_j
zU$>tN)U~EmP88AL&i^)zA90F2^%9Cel$d|IyVm#hZOGJ=8N6(|eLT=6YAgCV`B9Ba
zHQJ!WS!~MLu9Z!JNytSn#f*46o+%g=q^ik?<zB_Gd(GIWwz0*YgRD|F*;OC-`g|?~
z71$@_43Z~8wktEA+sS`uph1bEC*a{9z_$oJ!o_q6-L$h99#gS5P?r>Y@+xOahZQVv
zQfQKQEVBzp>5>Klj$KwYwKRIlB%UhDz$Fb^n>i{RDQFTqhH{fa)GDGPNeOpnE&_u4
zFAX6=T9~aTTM(valIB-*xo}cL&1?H;?uA6Dh#r#Br%qZ<{E#A-PVn@S29kN(4{$F$
zxnA2FFN>m!h&xu<o+o8&;t4^?A&YkXrwv^tUr!RH!F;uaDd#_uDVzkKI`2>6w#%q&
z|L{Q@H{1=j&f=SJWSQ4-nAJ-EP5$q}<k}X#RLVx)J<s!_5D|_%R9VZTblorAQV_+=
z4buGKrQ$GQvW6T<2i{UaiK*0erqUuYfjX(!bygC;+HUYK@m1;+XiQ8X^Hqfxx%r*g
z@sdF2k1U}Iu?f<rnv7KVshG}F2W%(w-hJO_i%}FKIK#k3q;b1h9@rqZ%G!rYqk95;
zs+_-9Efuy}>H|Y&kS$q#)(n0~pSW^FEPDg)^vSY^HIk`mS(ystr_*er@erX<mze=Q
zU7=KW3d*rnCLT85`t#E*cNISt$1+mF-{gO)d{=YmF`*2J7R4tkZEt5|?mZt!otd)>
zvboD4wFh6vjmw5YTOCJyt#Jnk#jdMMNX)F6lo*8}ZH%5yoHwY%d2wC|RpJovagNbT
zg}_K+P{6OX<;T4=r5dD`u$IPz4GgaFa@v?OecDI<R51b`p|Qc3u#s=BI?D}pamn(a
zz2|dL*i-bAgkV>nKua7rslOF%V;p(y!o9~}Ql<tew%bmCe0nM(J)CB9!>>B6Iz*~#
zeN@s!CAGkNeUWKh>)7e^S`xOe<?8um1O2m5!V`_W9P`f`=$RF!+T=OY?AEODQ@d_D
z*Apz}8w?!lrj{Ioh6gjk38tP56IU%!Mrq65s9!SW^GOy(NTvXQyvQ44ZuKJjGOz$Q
zLhw7`2v#BVunIy<Ar65&I|p6ZA2n@=9>ub#lX9QG>OVidvWnJ$mJ(NFG5$dP?e8>p
zJ*0ROcGWMBwm3wxE@$Hq4%xUCo*coO78bi>-%>dDQAb=%53uPWK{1fa#pzT*1#mMh
z5wM>+zahXmR0>Z@;2xfxDYMksc@~08Hq#<QgPtUmctVZ?^fY%MmQsw`aa#2>)SztV
zg7;b(t%xnmB2{2BowSX^3_QI5cRiLTlI2d{-jq`3YxWi73;o2)-Q=m}78uW(-cK#L
z?Bxmr`*`KUxz_6Dj(_N=MoOR_&!D8cHLzWCGfv;x(c<?dcWUTRcx|MNGJnGchlMSk
zjPaC*5GVtuH#ZrakLUe>O-LZbD`Qp~8Y`$4xoI-IU#EiRIK>wdN)9Iss*NNs8KN0?
zyOC04Dk?U9-mp%vl{X!Uy&>Z!-?e&QY-VQT$k~h00YCmVLB!Rm;z*D{p;#=lr4nWH
zd%C+th^EwPulObWx;J}TRozg*E<nW)DjT`3dmM4y-R%+IP;q-ajJMoY6}ElNfdxQo
z@>@jt;nNS>^>XXZ)D)_zwtpz>=S0by4idsphmkPVRiHPM$T>T_8PBoL@hwHq9iB`T
zS{Q%E<i<|D;@1uS7nvw{z>U<j?WFls|DvI?=Rs-%#cR(`>8o*Hn0uDKHD$mfr7{C@
zw)sxHteNS9D#4BuRj9-fsN0-<``zf>eTtGr{{86UIB2x-2$AZsT!U$ri@;2|Hn!W_
z6H&s&72_miR5f(P^FWRH)2vcAbJn$RU{}w{0Ajo(7p6JneZ4CpFNx0w$a)i3gD6uV
z#8v1_oMwXKF5OVB`06j0A#(WF!K%>JzfYiIt11s%R`D&)Vie2yOjy&C=wOn`x)ag$
z&|lwdQo{<>fNC3Aco4s-)3$7?o1N>t2+AdPwmHct-pu=r`vJk1gy&mD>~A>5qeE??
zU7jz-W#2c-L0{^Wf*-TEoY(Go;qx=>uU^xId~e*bdxN5ejdt@m)x9luUolDN^ru(=
zbfUNkYOa3~j`OUc{$q%Lp`a3GX$o444@JAY*!g+LiZVJwE6_&PGQ~$uJkYIeXvZ~5
z(h5IjnvbB!h9gBV^owt5_MllSL-~k_nfg~*`Wq|^o(`q7p4JVL7bZmKLbo6#Q4DAJ
z4h60SY-d?9RLmzL3P7I`n1<gr;LLHQ0)B;NBxCYDGEl%JKlC2esB~T_q2C1GrqyJ*
zuP>^;x-#O&?m{oiRMye9+9D2>QqJN23}WM%u6D%czGh8?IYq)wsMHFG*QJ{)<@xFF
z{b0SeDsC}AbRn!5Bf+`2=6lO$CUo7snfUcgSaW`M1}74lNcXIl(>?v09K?9ScHeA3
z5Pv+$fhRlcH#b_0fV(izlTfaT6o}m|o^+rgz3u#N*Wp=)jlR@Xn8du%8Z;|_eBB^J
zQx!KxqbYzy|J1b{9viNiQF7l{bNNb=0P$eTCRRn+CT`g#$3cnJ$<!YF%dhRZ){do5
zxWhSK_Pfz1qA1$hY<+@Gy}PFZ9S0R4gP=M4*Jk*HvC&7cNY|4#e6ME4=W4pUy+$i~
zPZL=X5)E}pvyxa@oir==eiC$ex5efXSW#D=Fwjoz%04g@wHo_&Z6{(G&`OBSZ99Tl
zn6r*3D=q(~9$Xc*r`FWnADpKr)D7uW7QF5`Li?cquRnoZ#lbE=mf2`w=AaH^fwzMn
zey0iS85jJ2t(2Sg&6Z!r_G`@Q1rJmi)ZGF#6z*>S<tYTf;#Pwv$(#RPEgh_AMY5FH
zqbS18icQ8fenHBF@whjuz||KN>|u9sXT?hX4E9W4V-%W8LpAB;BJ#F>8-uxHeR#tI
z3NS{8RGwT3mi07M<-EJhn@F|~`*J5(0>v}W)Uja)48MyGUaM`3x{LM)g-S3(L|8jE
zu@98e?`E~J^=gWbKO{gzWBM*|W7SpB{?IGE6daWYb;l*RN%ql7vKg(BZ*!n4rz^=(
zVQ7R8B%cOISp>|JZM*9?BHXpu@z?>+xV8y}h}A<Ya4g&WD{zl8(x}zuNs5jrRJEHT
zf8N;Y_m}HJcdzE$g*>#1OS@G~iR37{em}6tx%EcsxMgtulOaM@nJ8UKb3)Ndg25mZ
z>-llX>AFsm@;97n-qx}mY&Cd^S~z8!szFgTyMVth;}^BCfwL~A!C%)~Shv)lu%eq$
z?!v~4g*MZY@zg=-Z7;&mq2u>bDjsGPf%HaDo!vD<;gF5L`&b04f~(UqD~g<{0kKq9
z7M2judiWwPLym#{1eg`L5x|(=I$CzRC&JHn5Ra>qpZ9flU@{SN`7(jR%aEAD*A*3D
z(q$^9&AQ}ao0b}bgr;cSq6ciMW-{)-`C?y^?A^UvTv_rXXhQhSnwe2hnF1Eby?;A0
zDPs-BPC@2CRrY-E`64wLm1jj|CSfn+tbtjcX<`2*3o%g(EibLFD2Aq*nAlu^X4g@3
zsk11`t0`%s-P6;qICRRy#F1gbrTSrRnHU<DiwXJa>Kv1sLR4*n1P3TBuO0YYjIQ))
zgBF%y^?BK(Kf-8WD(%O1FDlI#Ds!uT{&kH<P8iV~0_mk!#Do6)9138AR*ZIj+{4*M
zpsoKiJ6v`kkn(qb%UzotqQ7rcTY?itqH3idw9a+r9?s5aq@a)B#3~!|Ln}TK5e%={
zPLaD3v7AY;VMAt$W+hQl#6H&A1Y@_(3MHk2^94#e0r07O2W<oyC$AjykM?QgEZ7|V
z6!FtxRGbJtDgcY#!=~Naj^;9ibrxJAS$2*T<4@eU63^(3#}M0PE3KF~p5J`<d4_So
z`)QGB7+saswhC!B0m}Y~9cxdq+#d_9pxhWpGs&U3D9E`eg^?(QLR{FfKN0cSTktmo
zYAK$7Xi(D`l8fxeA_d`_lD_BZ0tz|uidCw(Xr9)&UWHaW=AFa}Xce-MolivLa^4}3
zN`l?Ma7zuvabsxQ*GZ1SHLF2vc6s6kY(=OD^fYZEQi@r-7SxufQSrOY^)|A!9&6gp
zdisNnN}Pe$aRC+Ma{3gic+6+SrkALwj$K|}xDV^V9Ln=g{`XXp<d)M#q7UYV;S=_C
z4<Hual&2}HDdUZ8Z%R(gG$~-&<gIQcO<%CQjJXDD{5(EWoK`yDy(PBGNFL8tix^Pl
zbI%n21g`M7@kKw^;K?qY^3=WS)>sa6_=o@A083S1-3If5)Ka`&-fu$t{{F)F50SFf
zO`h~K1lTmswZ)GMwa;H37v?mMjw0(_m6`k=M-Qw(IEll2eDPH2Do%WMNmy+y(^v=P
zo83_rC*C{T5^If>0-1}f_)jzQ*t_(b9X~kooEI0Ig|0`)Di+5T>x@}AQU*Bk8m0%Y
zZ_x$r=76@qaN*a^A_j*s6HB%6V6(vsD{G@)7ydj3AIk88flfe1+O1fjPKFo$>!2}9
zmgoudJhDV73!JM?i`69;%U=Py)CP~5?B!V4uM1k=-*o~^Gm4*121VW%H^7>d|0})B
zTT*0TG_Blky|7)JO`gH=yE)?zN`ynMuG*31&#c2&?&rXbDGs-IH(<%TI%Liw&rksw
zs}km})mbh?tLrX2ZhA30)z~Eo#AbJUdUArt4w^hbZ#OJ{%@1S|=2!l1oNKj(80CYa
zwVUC7Sny%>KBVtAgST=Nrd*74JBk;mDViBZY<TkMslkj2PBHM8N%``Jnpq!Dv!J%&
z-M`q+kIWC%zwNO&B^fH&uu^B(o=Duw2NpLi^=j}SwhT{U47>`|HTxd*yp5#L`7>o5
zp8GBdB5$MLDzi?~d&mF+HEjusc6KDgc2aYQWVr1F>ewPKiDf9m3=+s%bD(WGVPQe4
zFqG8wv3{F!kgeVXBD?58Krw!yTKwJr>**YTBYDC$e#iwE+qSjwCb`(=#<uN?Z95m+
zw(aC%+xA7@{=cg4+nU;%s_E_R?wNU?-!uDecdT-d-~d48pFd1hq_8=D^c)MCfNHfz
zIEGsmSkjCo+zH@Cd`=_YVHqwz*hwl+?|-1)M-HE4iO+Ch<Xh4W$y0I3(45tP%&127
z!G$Bn9YBi7QX+m&943TCCgJpTMUJKX6SK6WcvpCoSeS!!Ipb4ptKZl;l4~kh_{%Tt
zR_Qpc7G1qFg?7lg`4;-6Okcx_gngHji%<yG)W=V`5>XumW+N*!sHrU*;6>aHtoV;!
zgWjdBb8}*BwFjmO(K|AnUBGaVPpT#~Z~3$HZL^8OMpMH>yVo}UKD1C7MX7Bz%Z1jb
zISVi4m>oZ?;CVBb{W1Gu7@)81O{}}#7$`yxTfd79P5yG&g@Mo<I=DV0GU#RG$ooL<
z<DkWX$xwC*IZbf28xpcAF@p0j$mQk!q^P<80j3&381iz2yH+bl8cF4iZA@F&n>|we
z0<@^ZI^ah&cIa0X4(LH+5(xn>PHT*BK1YDHKjMlzIZw?ub3C1?6z5v1LztIZES4i3
z+@&+(#>!-}xFXoE6^}bqpVwm|43EKf%XD5wU^rgY;wYX|*bk<X9x#G~tB4QE!=pTU
z?ep4Okb(<J*mutaww9;0t0qmCW6_m!qcW!j(nZ%A6ZK6;yD;O){)BB<!)bN3K9I3B
z*rSe0?q%ZVUmZ=mgkd6gp`+iccV$!P=-K@|_+Z-FTpJtgLc)j$s+5vy@l^TIssn`)
zF#;UDn~=Nss-{B5&o|Sn4u~4J+3Sr`@v@V8kKAc1qo~+JF}GgD+jD^K>pyGKZ`Kf}
z<z~z|Jxb$fhaN-&hp?xr^8MM##;Y*;ze#>n-Cp$}9E>q~Sba8!AMh&c?OpL5?lj(q
z0Xy>H-o;Sv7g+-S_CJ_F%7>;)rw&ckRK!Q#%9^4HG{YK0Zm+jkM{R;7X|Ef5b+tuZ
zzRogV7dg;B7FRS1(X&2o$h`Amg8ivQh0KG6cDd5!TQyKH@hedJ9&>vby{2H_WN*C?
ze!lqwNA9?;J<r{=+1C+rhn{5uN6vyJ6c@#doRP(8&&U*Us6|Rx^Ca|7$m#$CPqhV-
zfYRL31pKyyk<?Vv&5jL<xHIS2D_5iuXZdYRzAHaGC_f<P*X{sd_g>pnkDDYFfa1G5
zy=vXh#3yd7B{IY5xW9FQev>q4xIWeJXYi||DwBT<nPfHP5~Vg2Rz30xiX*X&gKUzQ
zj%MXwK5L&gckDNgvaXJ#udwcQU@&T2!wZDNP(;Gwt<W(?quWtaHjJ_|jOr!WpH_@q
zJKI;*&o?<&$Z*%{@LkK*$`ul+9(BI@|L8Pi>df-_e4d2+`i<yoykzUyle_45=z-pe
zG^MSp*LNQ;<s=>ancEg?H1~_<H|(=E0YGWIxaALGvg7(aCk-x7t}(xQVp%OD?2|9B
zxZkWam3oVe$?Msrq**aRiON5J9U0`{=a@bg)tL)=x+dxpVD0=JgeKA}MqF1Ie0&f*
zMjS@l&-hXpfF!ud2kbk04G}L=>9FB(t)emPzg2v*S(CXD_%fvxeml?c4+~4quu<F!
z1R673J1b2k|F-X8oIb;ozFX)D#W{;T2$05L`}cAm5Y_N^a=Nn`mjabJ$VhU}O)T{(
zCMHh2%#D|wudXr~-&J|4HLaus5>-KjQ<0qNk>?m&@@8V~{T`t>)<JNjf6c-S+)q{R
za^z@OzX^*tXvm_U@<lMkjH2!j?*a@DKQC3hlR}`HRPBe$=BNXh>kN>h51xsj705Zo
zetB=A*Bu?FB9S4@CX8!3+58p%zg&O__0EF8WbP|^zc~Q_MZUerzym1I4HJ%29z81o
zUm@B#kZT^B9<Nw3Kz6YKy}pQkB>u1`QpU9(i6K>(hB8nb<?H7g7IA%&xgcki-KAn=
z)dyK;KQ(0Vd;)|96{E}C>UMtPte9nfPB6{13=C#kg(wSsX4uPK=bCx{8S+#gVm&pc
zR9PQ=e8e0MyZ}8w!oM-hpi!QEqusl2+SQ#DQ5yIJCqiVQL7gX}aZw>~|FpvBUZUvg
zg73QzQ7JP)k~0gkro>PSD^w;?2ntITBr8IS9wk#eO}wk!U{KJZgUAh6#C%xb>diN>
z@d|BK=G&#onw2oE9#Uz?Q+?B6ZedQj$o<VZIm?QQ$B(IR2Z);2Hy+F*VXvSwK8Po(
z%R`kiPi^hZ{Ilif8XZ|`DYXFKha99XcwpoiNLoyZg*g6K#of(LlTC9mX;LCKid-en
z{>MC;SM8jEss8UV8gAR)Onv27@bO8`mz(mvdx(EA|Lhk@T(ZtP{BeX5`B<rT6dS64
z+iqo;(v4OC9q#UUT9}nR?Kr6m?=Rpz?ukq9RKE9jJoGZP>0b}XBF_RcG!^C@YaADP
zE*j(&PED@j6nvfyIKW3wV%Qx&7t5=VL9?)4vA$b;QCUv=PNBA+Z!C2N;G=+AD+T0q
zlijBk>h>wFr@ukaTOTLnBrrix%_?^*F$}4X=`yH8g4lB)8Q-Dt^*4trB7XN)*qHGl
zj;@)ZI+0%7aKhoK;OFt*Ex!7xUJh!gG3%Nf7wXv|$+&F-B54^Mn}qwAwoXd>j@MAS
zAOY_vwb0oj36+(5?+XWAFf=&v?8U)7Sydcb=4g01x5qgL53#C~l~msAHG^iH5^UeM
zfnY>e(B9dh&C!z9w7mYr(tqlw8J)ndeAFh`<L`Dsm}Gj{cwJlmt2HDnIYc9&jM)ks
zRlK7f{QK!m0<zz{iN0bRkx+xrc#bPx6`I_bE?z$1bI;NgJF=j)x-xw0x86wwhTR4d
zLlhyw`H(@}bJpvco8HR#6tXYv9?VC-R55n6vHFsFA7)d7LA}OxyOr{@HmeQZY(wAg
z*8{F-7rCf`Z^&EB$pIO!+Ad@7YKSyojB>rw-5*SN=NfURCDdHv-0NKe5N9Tb6%6>*
zju;-j=_T5B&fCx1Ab}R#J+_Rq`H6pZo#9Bmtnx;fG30y#_Iqjf-Y&9bA^Xg|WNC9&
z>U@Wn*wGkd=fg#T<?$2Y5rC8p$sY2a6V^&4Fcdx9f9d9&>sKd<=r`FREkAwvTXd+2
zB6wSfO94`01hSMxmz~_p791mxpCFL80C5;OVQ&vySInuO=H*Wdy9T7JYeRxj7?VUU
zH66ZqVHu}V#3lBr1N-d&{qlfGyZ^R+J+eV{AP*ZV8r5C98N<`O;!b|+#I*lU{>g(6
z#P>gDB(h(^i}H^lC1tPW0Rflt@%d^)T$`*4NW7UYw78m*t?iZRQS=9H_|2GJ7T<>3
zhTL!52%#9F4ZevGKp|F_?d6~0l%|`KsxH9KqK$FIJN5TKOg)Oc9Gvh~?Gs(lo=QDW
zEUL0IP<4~<P$a89zw|O>^DhdivX#)g+^z6n);StqBzms_Wa8_REvL$Y#IcGe{kJZ9
zuIezO2X7+#Vji`33io)a(ghqve5<!O_?aH}f07&dv|OQ7=bVboOQ+MmdF@<^SZT?-
zDB0wBV~W1CH}hac7C^V)d%bLm02_+3g+<BZQU18V?Br2Ba@lEx+&FCSQvJR&ffAYp
z2*d<bpQ}%Nr#&mya<U92-ZgRP3+boW{Yfd50pGuWu;&eY*P$GZ6qPE>+49h%E>AbX
zm~!eT%S;R_N?eC;vHNh(WZ%UOy6W@{Q;UAmPp5EgQn`7^vgU|P3O5bB&OOLelI&yv
zm+1B^4*(Bttt3i}t;KHrn#RqP-@_lXU2jUGAJVDfBS6oZ3?*Lu9h&v!k)ul;&LeZ{
z5fQ5b6-ZKQ9lp77&m*xJKtR(!l8=Readkz{_nn}XvM<uMm=zf+lZ9SJ-rrRQZ8BYU
zd~Vv05HQ$fme=_D5H~vq<T<1IDImg&FD;0VvsVAAIR^-fX5J-Az)Q!>2QN{pe|<4j
z6<u^c5GS0*Kc~o6wdb)0*5&%eSeq9dV+?+q56n*)a(DU7c;rdSRnnY8*#xMuc3-gO
zu{Ce&&4u0Tus4Wh)z+6*0x(^I6b7dn*%~$>RY$GR!^iP1v5vNb?5CcDVY$wnjR_VR
z=?wdKSyoTK6PB$RRTWx5zVC6#yHHK`sE2>tpc&3u2{=uqY*^&xEsLmxWsLpF7&E|3
zBHwMT7;zUGn(l6hR|#;FBu-ZhBS*_?b<40*6h0J2{aKsXC#;1xeV4Q(P6lz^IAU20
zJkBFIF6a;js$sN4yWw+QsIt@r$DLVn;l-zNx@g)`$xbvYPZDLL_{ZpnmSE;+G64@)
zvF70us&dKjH|)7z4YZDB(DDrF;=hzLmfXxKU*zYmMog3A5jT&SrBMVf)BTtwp*_QE
zM>-5pGHh@SJ8{mK>}w+@x6)PtU&5?g;z#ZTH+a*e-4nQMNg+bmo1B~zUGsY*;eNyB
z2b=Ioz?xRb43+e6l8iSzhd)TCVTr3RaLJNpuUo9wTkA5TXeFs1d8nuzCQ6Z=E?(DN
zEiz5FPAD_w?YQXH>%07iFRR*1A=^w+owUMkZa0Y;?n5mHAEcz*98ABf6yD*EjU5X6
zD~s-pw8A`QL&uF;pkZ>ky=7}ORhDNu?#~+`giPAx{=NFs$um`cg=lX~^p&DQTVulT
zX;E7ZdbC|R52g^wScUt0<eP)8KL=u@-Mtsq{Fm<Oq3Eb2t1V?N@+nIiLg744rfzEk
zlCtaGFy==BLQ1rxII^(1KM9Re;h^r0z#*JzdYGt_3Q@AEyt3fXiMv&pe}kPhc{rIT
zkq#ZCeWkF-b0GXth?M!hu|a{whNKz?h1rISV-2xTq#xE09UO!^Y^^MyD0M|ruw6zl
zJ|>i81tb@GQb~}M3dp9qa?&;YeKE7Xo?ksKES!?-;fUe16!P*Zjcl<Q8>VvKQ1v2s
zrEi5fR7$srpFE8etB;Hvmlih4g9#GXB2Gu5%WxB<hg0sIkQEEr@SmpD3bAPpwYY7e
zYjNCKvqE7AL5~oDGgqhUGv^0AyDp3THR_tH;|p@kGwVxAn>;;k(;KBO^DDzCFwRoe
zXkmrT6QmfPFenq67v{7J_wq+q&^ayWSQZg6pL$n3C3Ay~&N)lcPc^D*U82VQG28#&
zT8-*AZdM!};J}#>O=~aPEXHZiHz6$CyVq3PMnCcooxDOFZ@{D;Nv?DNg=Ff=B=_Wn
z#WBvOGk_W)D|=hmGtf%Z6pS}68%q6kK_ZSCRe3nl!hvp<ldXKW(FigeE8cp6YFqeZ
z$?~A)yi~b!ivklA9%0oV$6E7n=j^Zt<n_ZsG-bU~S8&(=JOk9pVcRcDO&;b@DpVy}
ztRwI^&iS!|C0-A(_&qCAHvP~hA9T8I{|cU#nOq5sh4(HCL&{)!F&EE|x#qM^%+90!
zRq=dY$^l7xKP+s?83Ts;{Sg&WoTRyi%G-KlbkD);Bcz<%_PnYDYu{=GuDNDJ0V$}8
zem+q55`X`w`r*s<S&r6-_E|Bdekw&|FpE(g4nxY9`rl7!Qs=xZlG=?STd%hcG~-$v
zX#6^!w!Vbje}l%&5ANg|>YTj?8_r-<IIsxD|5!qj3sCZVH)imLh?SJu-G%6C3rNfi
z&Y0n7b5POR%Q%)c=tkdS%H>eTDY_e&lFIS@)mlDOp40>LqQ0O^D{jiXBzOMJ(H7Tu
zs}!;Z4p>}ng6Pbk-|EpVKgm@DzI@$@ecnrvO;81NxjYFHXef+}(?#f~C%$I>xD*8B
zU;plQOMlG88n+Day1Q9W!a~AUG387an3us*h5fwCLYRUV1?k}K^YgZa_t149_#!ey
z-5l9ACB(B4XtFLCvnY|*(R^N{9C7_+lU3=N<Zz+OT_&x2qWM;Zy@Ez@UEj|O?7U(T
zzb@p_bhj`>Mae_vjZ+LQLL-A2qv*8t?bjy$c*XtZ&{dQh$iLiZrCRJ~lPX;xJTDV3
zT+oY%prwCB-y+~4DDkmdd6!8Txl^a<?j-X)rn0p7?^&u^SB*((hf`h*;d!^T;$jJ0
z%gda0<+-|swi|B|j06ZBUJYdQ;(^Eh#=zsVbT67%gxlfc5=%&UZa^0|Xw!JzbBn{*
znj7{nUUT|aj#jt{w1Dt@oC-dOHMGdsgHrKch73Cr8d)EZObt+{P^%pl2-=bniHks~
zPC%)C&Wu=h@h5=NDTc3}4_+hAKALx%gG;E$i&Jrqulv$nj6T~EU5MUCou;lqoURH(
zULUv%>Z8V<O#R@t#t0iDaTVw(rM;PpcWjwBbZXNs#HO&2T^@nO4>yqxTLRZKp3gjW
zAH=mmXbfba`%O?BHCbtFrKvTEUwPo@pE%vTi=EUwg>XH0!}qVBq`0e+Vgw8~Ew1L1
znWQB~GA&Uo;i+B=krJ4r@dKmTOx4-v`5cMD@zU(gs<)P!m^B?XJ~xm{i;aC^B0Ynq
zO-;AgWLT~G>16ddqw9RBTgmwB5zB}hkJM+Xi%!{Ge<$S-UE-2eXu{XMPA&)6yA5n)
z{YJs)7ne9eOZn>lVaE|xAsMzbdelU}8`t=7X9M`+6h-lT#xd<!C)P4UurV_NK7@wQ
z&=78us!j&&hL^a$ow~>$xBI(uWh#z#Pn|4`lAZnbr5$tES!aV0&`%aWfg*F{P+a+K
z45x*n>`K};)%N`ssBLKP#lWMx+LanpVVPRUY=k01Elq|FH$Py5&Jgdb$<(03KRfNZ
z)hQ0FoRL2~;Bcik)E<8bDsHGimNXhI<3>RdsQ#X^F&4w$G7%x>F$)*)K!4!%?#GTZ
zZVQy5fglW07nQ!ZY;)7L&BhsEl4frTH(r<ykcq?O6AYtkpGLSnt@W7$MS&H6tK~P$
zTJqFZ5_I2>>%Gnt_XBnQHk%pcoxK~LbddbT@KuAtzVif+=-KiClH66-NYW03YQ#W*
zrRB^01}s&EQ`I6|f{`eBTqlk#xx}{1@=dES+SL9uf6{{6jyxkH!6|vt!gX5(&_#?i
zW@{F}_|?2f5s<}O9O8bd#~47obE-M7*f-q7URzXn-z1}qAY0(R_e|6-2Ol>w*xk5*
zakKqTqluyNZAJ^Ke+Ld~RgB9?KQkiW#^0@`guUmm=_h-$ioDW4x$)bP5pHeLZ~orq
zOtMRM{&98~^JubANLo<_-3e_!5#bLA{+k~yv9*-WMQPXdV=S6aiky`Ol{v^x%Y=jh
zHGEWh0KLyXNS<z7*y;9RdVxJ=@Ef@grLlloFTIlLegW{fplDrY=BQ_{qZ4&FSU-Nm
z>>FpcWom0yA2Q3<yB3FZ8)QOeC(41ATBOu>n0qg;$Vo}5$`p}@uc{3Y=B0NV4(lmZ
zxWXtF43FZ%fe`P}{`2&B2`j(Z2cRg2v40vf$s~~E1hg-y+C8O*W8>Zjf1NE51QzNW
z>^6X?5IAk9Rts2guJG`8CWZP35^z*$t+YYCRh0|RK$l$@bkgRI)*2!THSY48AwT3z
zAV8SAe9wMuxv9-xW?YJz-eqcBJDzcp$^EQ{iSYuTENkJ${T%3E%7$oF+Er?qRgve|
z!8>938jOu4V;D!)WLvU*bKxA+65FauQivi^Qc#ccDi_3Q#~oO93f7gE=V%XhhMYC7
zJ^)cXn)?$`dJDM-!fN$^+sB4a8>FIM-<XI1!J3YgW&b&HM4LWJ7&V!rf+}BgXkFW5
zIyGK``|CE9XLNMjl*O_Y275K#fnTKxKsoFTu@_1qj1oQa8=;X;6~TPqV-?mFA@1I@
z`wm5eI12p(AA1$mK~<x1^FFjh5nCS24;j`tI;4@o&x0SZ8%!tX(T;VbW24c~d&r>B
z4h;46eba|{6jgeLJP*b7RQ=Ft_UsAmR}Hc^owdY+O-br>0bnjhs+g(-N%?VPV4c$g
zW$WJzBRv4G$OI!iw^`{^?H^fak|<|K)L7+7B(K5-Jw9=0-==B9!K2y@mQOQ2FjcQq
z2&m4E(m;A#X3Hu>W~v*;CjD3<%UTR8R<6yS<Kif&h?~SQGU9z|R|?ZG+3B9|Cxz7*
zxnFxRACIki$z3xa+`~YSZ<eZQedFU1@d0nO+M(6>5bsTEhr2BbX`#+3aY0Hfj3d5C
zyg-}Y%Qgii_GD$QCF}!b&%}C6L$GoSbZ0e=OR0C~1(L%CI*tK;AOX`+$LTSsZdYKQ
z4^vo}T2ZK@NQ)^sooEIIvpEskliC+k>J2Ry(Cl~H&USEgLYJ)b0aTeM!TNPq%UILh
zY`-|mYK#PY!5E{bKfhpD0yBW}v$o~=-FKRgw!R+_WVl;geUB1NU7@MkSLJC@!$YS|
z-#5vYGR;qF349XeZ%2$Ik+=@ih6lD(9=4q^r_Di&7)b{v)c+<M+<Mz5iA$aM?z(tg
z8Uv8ACmM>U*$IstBvH`W&FtI9#-6@b`?T}R?nT2@O}<$X%Ww?9k;ib74hTPznuqVY
zix@xW<rX!M3)p(ORZKUvQ%n!WYKt|7ZypbxH{bc~)0`#M3A4yRd%(fp4ADIAp?xF7
zA)W1Wh|-RTpro_A8$qZ$GB!9kuk|Zkp9PpKss!IbfV<^>h*HcL2%1CL-}?CH0A!#I
zFvJF^6c;SBMXfpCTZP)b*WimVKi>{x*4<65Qdj@?#H$EfIkDy1{Q_)@w%#(7?%^mv
ztp$O_1U9)%yJ{2pYbr_*NJz|TpO>wu11vN-n|~)vugpw1(?{(Etd#$4h{xNJdEGrY
zo_7Of4NFt_UzgLV1$|9YBL`Rt(D939cEv(G+@AWN8wUwK#`nsr&wP$y$Y1s_<yi5g
z>g%dfKd<AGmV$ILdSVb<ZUVk*FVmsuZgqtwIS-b!N%UA3_g!VyzPQ>jjs5mIfXgkI
z7&=t^xXwlYk=j;)9XZHqq>P`kAsO^ZL&lq~`W(@`y7Jo{FK2$pc57>>Q>x6w+q=w$
zDK0V0^aoX^BiYba_wP7$QDbwN*sZO`$Y6J92#V`}X#yV~?-68mG|q!Me2t}PZ196<
zp7?hb?38sh{CvxUu$2GgodbfBzIHiGlPqeZViw?1NPx(*XGcnKP*4bp(Ywc^r@2(%
zW}O0Dxr1MJ{1}4s%*pf|Eq};aTNw<}vqx2{l`#k-a~;XXvISJ+F{4bg;Ebb4nqbQr
z!H^r1NTh`sxr_;qNVB;g)rikI=T5m7k438SNp~ub{oZj=r@m{adTOP5-~#WIK({#f
zhop>=EQKVy+K}+kvVD$(;YwbfVc%m_V8F<5aPnjA2-~Kj@}l-ZM%k^ex0d*~W2n{U
z7M=^)ucY>zY{KYptxRvil9sgjZCL0J*WnOoZjJ2X3Lm9~8meV;Bq%gce@k01p#C!c
zq=U7C8RCf*VOk@O^2AVnxYR`Vr*L=C;VA)>ltXa5+nT>&q!NIV6Ch`6b1?hR7X(I;
z(F!Dj`7sr#8>>91Q0uD)rFSpeD-jY2?C!PR{{ZJXc*y-X!U-Pc@%Es7Ht*b|9a&Vr
z%}#<V;4Y0v(^hgKya+ve(=l#I_8tuNXBuPAr_t=+2zYKXIrSSuhknmEzE5l>R^0S=
zrnvD@!c~~l9BctwtiqXMF>Ujx?S-tHB@>@BA%IH7#)3C^to!Rk@eqjB=G#kG+Q2=s
zZkU02_mJRJQJM!Xs@u?^qZdEuEsu9#O7NarCOcnqWfCPjoA%St6%B_lfb5&iSLrQB
zo6xKCOR~(wQW}@LY65i+Art8ROd~Fv&`|XnyZbp#eqOsEBhmb(fpObQ3qzr^^<H!L
z9n#D(hutxVX~Ii=Kz#36!%e9*tecn8o-;o8lIIm8{>h%{YgO!+MdCkgU|VV2L*)Sk
zuS+=aE(EgqN$h#^QY!NVhE&3C8qCJcok{5^_MPC-7>z{AXT4P^3R$BL^v)S)r$-_A
zk5Tl%jDpc8)?;{Nn33UTWcW@m_b@z9Q%!hwbkOfTF!xh6BFK8Y?0I=nG@aHKaSI$t
zqMf4ePG`T$x`xCd(S=;lmb>d|)59M$yK)lilJ3A=<>2aXwK97Q$BRRQyBJK;)SyyV
zS{YgQo5V#;b@l{X!oi)Y_n?<kEf@tZcwR|%gReQOh=vdzUFUSX^KX);S=s$Y-SR_u
zx=s;HTwtF%pkH0sgf86}ND^_?59)&v$%L9Le=Qm$+4UL=U?`JX2P{3CRop77?X+6w
zC~(uJ8@?C@O;V`i`aIq54QSEOo;lqQak-KYtyDpOH$3T^9`k2NX8)nSr8-u&xSdHF
zZ9*f%5jv!T(yA^RqJ7N*tSTQqxy&WI%E2@IOhYP-4Bb(m!_s?glVoS0&03t80|baG
zk|!ZEpf)Q3rfmUcd8d%CvO#XvpG2g&bVRARge$5-5<MWZKb~3a;SuL|Z91c{#I|^7
zg5o`<M^g(2Rv?h5`;5C1{8ePdU7zRob3Q<L9(E#B7SP8Q-?fS%$MtSfxX1n}2jS+?
zPhXH3yLh9o-*utxY%1NI?HT?%2@G;tym<LJKl<+V3XIc6LG92urOV%XhuL*?y)ueS
za%>RO*W2}MFgq}Ia`XgULKK-F2F7w@=!ikbsRY;oFpbFt;<f~4;l3qS;CR^?WHuv4
zGU1^FC|XZ`C0N#&OeY@{pL0?eJZn<G19!*Bp^yb9WIAx!6R5nM#d)Es$_P{EZAflC
z>6ei~#391x37}pU$YZA6O{~)1>@iDEz(<yK5<VsnM;8vhHGnF|z^pe=K$gNp+o{p~
zS(WaOL?RJnR<yR0yab;hESdGK;F0r3%GW>T{G&-9Xxi^EV1ODxc>(-@k?>Fd$pL%%
z1FOAuNJyyBb#X5N#;7`MWQ?bP*M>Ow%}}fv9Evhgg^i3)kqCV!EqcwHx9!yJmIp~c
zaa1OW5*9{{oa@46DI6DwGskq^HB^cjmuMuE>OOgGqy!{uc^sxtQrzAQg>|MHrIk1l
z!A03=<2h~_FsPduTQ^jJ3}?>MN^SZMr98bW5zJFMkuyA0Q?5~L1gcHw^&S$jKj1&g
z*Ec$@<Itj+Bv43tE1~^S71Ej?V;qhLIOAFbMba{|G-+Ecy<a*Y3L-05k&)ln%T@B|
zj(f5kna}x|r=)BVnYiPONBv2%mqB7{{-vGJDy+~!#&u<WlOzhNyP3|Re_W{s5p|Dq
z>uE)`lR}CK%nKTp!^$#R@Kwj8vK&`KrgWok-jAx7fXVt2QpmdA7Q_dI^~H6mzc^`7
z<wE^};{PP5ZQ<`PJV8RcU3eXo236S5X8*e)Ww|K`pQKO#9cDXh*j?{)ZhgEMJ8f*U
z#x&UtpRx!lFl*^3aP!oYCCfkm?pm8l>Vk+!|Mqs7k|OJ<=*vkNy+42$vnESZd5gJa
zX-X1*P>T-_e5tWh+aE-XQ28}`k)UHpQ+dPRwKVl2g^U4sep%nEYydnLX@_71kIuM3
zs?5gGq5Qtvll2HevC>fKwe@y^VJ{EbxdDJc|1D$gAoI3#86f2Kniio>kJ9~ODYepZ
zc*@&iuK2vMOF}vL6^e8Z`(u79+kh@{r^-1A*wC3>XRs7<c>0gOwg`skOTa9k`}15v
zbQhZd1RA&9XivQf)Y|q}J|YQ(o8PbAy4WvN`kwfb`L;y4IKxs3WBd(OBF#>+*CYuH
z9aQ|h>rq?AM{;~^@e2?29Q{glLpfaz!F!#k$`I>sqhe}x&ycMTVxAPwhvlXcMk)ka
z3ggA>>~X42=c-}hmS37*!i|+b&dyA^=6D6trbh|+>->`v((h{{Q|G|fJxOx_%htm8
z=`&NPmorx$u&sS+RJn=5w`S#*y(PE&mY6-&`aPRxaU3dTs0KvuWg`U(CW7px0tG<j
zbyjD}^TCRMwBDV+L$><bFXOn3Kg0GLOAgjiL#)8}UgJ$J{y>-tOPT}ACpwc}xJexq
z4sj#4_`38Ab&M$_U0Jx%YQlNIil=>K4*tnupB<bp7*PncwWqzM%0Cr;t%CywNqSWq
z)~$@sJV3(u2ar2ykH<(QtATEr)LcY*^C-x-frP~gT}7DxKq|hVugN%zEdE)W-Ai^>
z8TCw*(-iFR2MH(-e3qPlBxzD_FwMgMH_bdestU)9)6M(-QJQ4@KtV^pNv}=)ZjA<X
zaUEVO%5KjA^VFl*PgFKzA52XR+7?H9a?6Y{8w*7n26PGP4)>xQH92^uSVzylDQ+(#
zs~!YeAP(!i-?ttkCEOqp)ag?dfv>_=VQa(=OS}lU*dlvDhTcHWf)F>+Uj6zSOBG(Z
zjalhQAjz3YnUU(j3Mntpu_Yq00y8isrlMR-kc2z}Iy<rq-6mPfg|<uUZCyGF5_Nfv
zxv%+2OOGhC&%FLNOlA_;*lPT9X;-xHzXks!ft547+50P`8x4rUHRADK!nW#D<1<3*
zm7D`GV;-;HpBNL8RV>1Jz06+?RxKjL4{Zp}RU>?l+Afxy`_p<fi=m!hT^W!hXq6$f
z-paGAtt{Jdl1i{CW(%YN^nr+)vd>fwa#?i>&H<)~&UgKY3<)ZLRf_;G!zBldg$cSp
z<aIQtFxVof953WLP=h*gPdE}|Z&$7i*NbTaOgkS*jb6^f29j0%L~Ud6$Q<beAyIX{
z5!tm6zu!f9@V_f$y3lsJ9DU=fEqn?7CX|hfB0F|mv>gm5UGV&o9dRF|=%&ri*It=4
z%+5X~r7Ug)=o_WeHiXgPTo)4ijV2Yt0R8{D03y4&Y!6;OuYKkUijLI%0QaW}q^&jY
zFnN-QVdJA-w#IXH6{*&(pe^3dla0$-vaK!eIH4@VFIMX6Q<ztp1O7DjAClv3oKvQa
zeIHj&`w(8u@N00cY9J9XiF5*8Yf{`a=%EP-H~!j<bCmDZ(oN$ZA5@}#A4!iM)<5cf
zX#9_b>Ut`NMg7f^JM9f(Iie9+;*jhE$8r77HFSp;n|@j~&*)`U_Q9lenu@(_zfq+?
zio8W^(A4I&23AVZF1NHq=4C9K*ffIW>2Z?^-<z4?e(;z;!T`(UtLBc&s#)d3yvClX
zKx0mF`WKbK&rki(cPU004lH<6?4QP1X(LR4IAq-r)&U15qd!D?NzeFyRozNxpX7CS
z3Y*qtgbJUE@{7<OEP%=8hZK#xBm`%w6d6JaY4a)hndfkhU9`a!VUBt8CdTHD$Qj8g
zbuJ3bT^UB(CFueH`^MaJCum}$TMv1*fPDP_{<l-usi{@mj;DI5r7{&ArSexzw)0X!
z`78T0)$Z!n8OnIa?9BjR$H+8L?GfItmeDV8Ain4eqIGF*+k^=FwEuOu$(t9Bjyv&w
z3RLh24fogTtXFpBT5}QVgWi=rkt#JXdNFRE{zpJX`g7_R2TF+Sbrr@R$T4mDEXXQu
zSIbnM(NXczmS`{Mz^=~d3*5592OabUBD4erv;c7}{i`thXjf^y^qLmxo&+A;Dq3~v
zDr#xOa$$*IU%YtQ_ByUFzu;>#-*7cPyT5IEtfrfGL*<~<8aGaiZ8OPmZeSlw2J~lk
z(=|1RqhRthE88!vI;_iD$|@tTqd3US7*rcBR{T3#5T_c?&d<jKvI+ngs+uLkGr@E<
zl-y|ichdgf>*^B`1nduOsB#r(;(C$0fp{8I?)=PFtb_GIDs#{}|B4lgHT_pr`k!@P
z`p7EAHYn6d>au!qWY_Kk_n#Mb@~K6>EW?U4;TFEs28m!J!533m<3nliQ~O<_4JzIV
zzTo&&j)Yb%<2_y^uW4P#Fe>Dbn-P9N2gd?9A6@;@oib)ta8TZT)u4IZcHzdm_&XlY
za~?@cMuaWa_&aC;woiUDO+Sh3oQrutzy5z`l&5PROuL&dl@4sFq=E!3{8AY3NL$Bl
zSfgvn<mw$V&v51k$Q<KJ%=%D^4kvMDX~WdjMNeBA4(1WjVxZR=*xRLlp8^D-(j+5&
z)AMOZgtU?U0+2E5M%laYCe7?Z8U*OC^nKyEsxUa%-F4s4#S)EPh{HIV$;-6t2UMf;
zeFN6k`=nogjTN_$9uNU0PFv^G9cS9(Q^ey;cg&7^hKSy@S_5m#{hY_8LdgRS3zlsu
zIi<Az?kg$>5O)8aY!4B&=b{I`*r7gIcXbJEF-Z?m)EOClZ`T%FlK%KON;$@su5GJK
zt>$aA8#^+=Vq%XYPGGa+Br6-+P!kba*nVZy(x1*%C>vY%+Pjm2e!dVkWWgv8DyuuW
zQF=K&kG}i#=?*Z{(mz_X;QJIli+o)-66iatbu4A<-TJIRl}@Mzwx(8|(Kwtrx!f4K
z0sC`4-?@T^=B+e9Lxw!KrR9&(sQl93g9XjeK$K~V&uckODB&jVPGaA4d<uRb2})Cx
z@7%4HQl)uZU9W3)zP&XvbP(`#zrPq)Xs|Rs@#2idj%mGbRDD2vzSzpeiI)NEI{n%g
z)uvk3br&j=09X<kY^?k7A@MA~uiqrvge3k;EZO33$PBDFcqZ_N-5q87>f=%nV*A?;
zJEngq$H$4>5?88-j+Wdqa)1?!!U=BhS@%jCVtyZ&C;56NeAWCnk8Y9q?FAyk-CaI!
z%Q^eUWM{-m>-oRM%2~H$e(x7R7O6dk+K=aV?Qv!qr4|7#_AyhvfYjEf>-(;8EDA3h
zN7kH;b;Z;UFm%W(QY0(XXpoILz_a=0ngxH}{sXOs7$`q$zx4`@t842zT#TnHnu}Bn
zSCq~3q3wx5wL=#hVJJVpbV4Q9wpjSQtl{@Ff81UmFhmd8^H>3EoBS#(4>&It1uN#Y
zv>{T4QQoe2v+&Nceto;tRqao?(hwh{OGr<*foAZlh#MUYZMoo5uNYVTQj&umdc9t&
z^Qeu}&m`R;i;GBCy|bg@+>p4HEwS{Hob1YTe27LVtV5Ja%ms^-aQYG=5?`ZER*{fR
zF3}=FCJ{=CA%SI9%^NEBA#D<VGNv1gU9^lTt@Osz4`7D7X|zel3V#0WK1=%PS)W7}
z7KYg_f-?OQGU?w>L!mntK2*BNB-Sp3cZM*_A4m80v3p9Cp*g<NRuaEB))NA$&LN$!
zw?VAK!`9O^g$xiHfVZ|SKa6X9sL0gkA0Gx8tK3wa{wv6l<g~`n;;QYxs6mIw=n6xd
z#y{DKn*VOZmgT$FYj}p^W*~$**t}dr3r#5I&=;ZxO~|9V_{Rd08bk}=BU9>0z7t$|
zC?b}741C^dXSCDjj27_^QC+$jY{yhM%~+FQA+*PoqBSy#G7~*G*z-PbXNrVbudRu%
z-e^uO%2?-ra*e)izG`6Qj2qf(xEY<CTyJe@tMP8b$M7eh<ZFHpUXvgGFN<h)DySD)
zwmpfGqxt%T2NP|bYDrXkr4l2&(<K}jZJsw4H@^3_fO~`uT}*Yu^>P|bzTTZ@Gjt~@
zxd=^e^c6{@##r(V!3qO5-R8P)R>$Z1gM6+|)KbOw_uWk0nP|SuL2xRkwd&Y624$I}
zwRRr&yF}jwTV0(=HP;3O9jCo%mN*6IgBD^8iG9USqb+m<muQ%;me%;X>s@9#1|lT+
zD6*r{WJdobp7c&J!_6DL`#W^~>zTAgrEI5oZs%Z};Z5!_skfV+v&ddv7ni9$Dq2S)
z-2w2seX@8?!G&dH1{-uaZ3!lGB>ySlzNz@ajw{-=qlXNnoj!k6Rh@Nz5oeqxI3|u;
zy!JfzdSizn^v*?_zBn_PUO@)*|DoI7ot1$<*HCj^!$LmtAnEXE$oY<McpMzIrf>LK
zMnj;ZE2nhurq|(E>ZY;t>y`5=2S2w{Zrw_QOnp|XuL(WL3Z%ijcRd=SQUnu_i+177
z%>B>6>0SgI#`GtD^BNsp8GKC%LytcWKWy1|<)oJ1=(-P#4J>uCPj>ON0WklDSxBIK
zNQ3~T`w+;bNcyUv^Ss(IDZ`{~JAkSOHSCnO-GrRt@ElICjW5}bW0-{X5xogZd3x{5
zC0589C8sObn6Or8G6o%;#eKbx1dL@$qP#OIM{l?Vk_1hGqhRQoIq7i@f<9q{k^AQW
z)>RH3X{IFxW7(7aRxr(_x(>VXDhKIV;2ujj%@mJMOw^w(u3|`iQ{7C=E!_R{LMjT1
zN@pJzo2tCrIokE4c;Okw==r-9MpW}CwMT^8N95i@8d&aDTSN4W<RnEFA>h20g&nXz
zX6tz8e2|K$wxcmrcWpsjd+-g)z-U3w4A}2E{NMa+a3ZWFG|o4pS@0FQ+}$PpqyGJF
z$|lpZv+Mr?lVAh9Za*N?Eo{y&S!F^gR18|*2M=oGQJi*bKrQPj+b^zAoSxJ_d-8_9
z#8{Q<KhVhxbR^Ic)*d*iQ`0+4(ENgrG;wqMtO>oJgVREQ)m%z++`?D+tI{H23?ShO
zjvXXXIB(v&+kE!0FJh7AoFzC6KqX$S7KUZ!b5<c}s-Q8vD`SxixNBeJklDEoBS(h|
z5M=m#!1_`271MJsvkPl)Vi5YhANzL9S|Tpspi+cR6RV(fi1t#1ZD;PL%^K~+lpwGz
zZH$IHtRU2EXrh(}$o@@dt)bM1IX5%clSt%BK0LdZth3+1fQu1J97Q>~)w~1+A?_ay
z#{-*=WW)eB8(f02C}o;z+(P;Hz|X%1;$2St!m3Wn3%^ullvQfDZ>s^HV-@j%lVBH>
zP_s6`+W_7(N%#N>g~_lk-O0lPCeiTZR0??a*AOY(LqdLpY=n>N_a3CbJ2Jx)yJ?+E
z*zGuEKGHHPV#7y})&A+74j&Y$&_XF_UF0~s+11z~-A0eo<=Cr<Bv;|%WSIhsJ64Pl
z%)czKTOXUMR8dZx{Om{@GYicBnXbRvph-oK@qOksCg$e$Qeeo2$m=**!c35&@>rc-
zo;!k8VP0l)lVbwb_KB1h^2xSzH=pNJ+!Vkv7KKlmaQ0S+we>MbE~uY&5aItelu$XZ
zx4)E}hZ8AlGy}Niq{rjs>8-cD*RSm}C9u|iEh;nr9+<xeQeGI?Yf@A=rFru*qwCiN
zv%yCkn&x8S-GLk(S<<3-0ou6>Y?ARMNL#47o4-d+=LGBouUCc#x3WqB{YFOd&$UO_
z(2QLhV)i|~SKjW}^sQgNAWyQ@KgXHc8?oTDUsf5e4V9UHLOKk0$){VXn(C1a&QEIz
zE(!-OMANhRBKgOg_mY*<b$T%BV_kP1G29+@34kf|Z7L<DzQo?*HwRuq*burF1MPw_
z!IV?*%iUGBfC3!fs~PP$2F9L)Mk&M7+bO{Td&+$wAs*n<Y{?;gykkCnUjnp;n8Ppe
zY8SciF!(kcQzaM=0lmTWgD{^H6TPn8F!1wZ$o-3t>ye_1&UdCIr+^*x<j68sESbBd
zcAhX3wCwenk?O4lj}6Fo&n(inm5hs$vMEDL+~=rvjNOhY5#KW0w}ngC4i^)o?(r!?
z-VXmm7RI=S@P%*aK1-2rfsZ>_TV4-z{k3qk76ETJq_jl?9>ywJwOX>T`|5Q4fS1u7
z8y~wru>DNW1OF(xywuL%E7!v+#)Kt_lU3brjQFoyqroK2*P0v0Xl0$X6clZq-r?cl
zd*x-9CahXmIx%d@-Yl<sE)Y-ljbRq9W78u;YuE!E>z}w=S-`PA?)muCgU?%R+&TA<
zghGl_Xs#|gOs_}!&^!<Yq{GG5V_6IZT|5B4>Hm`-%nruGbEld%>|0ZFaKw@OS!jY-
z$o>H~>Bn5IK{l!N;pCs{#<g}Tfwki5^cYr4Ue@)J%XG=uj3!R~1%^~(wVB(q%vd7R
zozy8CW2;3hO>`A{j+TSgU)OZ2gY(Tdxp_u#O(C(Pe~w!@w&sMWE!8@TX!{W-#sD+k
z`nh9nHoJEf9GqvqT_BEH$nf;AfS-g?Aw>~+6|o6FyqAaD)l5IJsIoZpbgfGh&;&?k
zCSkTwY>iINBT<}Wz(A~2O-+UI9x_4M1i$a$RSX>r?H>r4wlSCDgalB>&wxIQK)JcK
zJOa=Vvul`%E1|eeZB_n3Ao^Tx2S;=AOtGnGXb*`)2Z-Cl5_6u8ABxcxch!4QT-k?;
zP2COS$d1&L`CnALN8~A2j+?<KmNcOqPk?oKWsy$~AI5p+6v_85gA4(m<MS~c@!diT
zbz7OWeX)nCRgsji;LlZ=XAiKN@6T^qo7m}uVNEQy@7vxi9qA)u+{^C|IB#NiV3H?`
zLFf-GZ?K@Fr#Bb<GL)iI-{;EM+9z0;>CK#qy1Kd}uo>}t;zB}zh0RqiG4A75*_`i#
zJ<?99K-w@=hViiF)BgA{$S~tQhhi^4X;ydwyeN}4T-I0!H%P(nuYp=OfUGGB!Bc0>
z0Y>&CQGz*Kj@^TF00DlzT;{)hed(@LGaCVvdBMEF!FBU&llO<JoZN!0J0I66<hg+u
zz>akExDjz<thk{AC(6}~hXK-i{h}px!n8)Zp-low%%~v`z~iJ5)cHo{qbJ01c3H8~
zvKa|+41vO^!eI@hqS{`GnZXbOIY24lA*By+UC$H!rraT82Xz{4JRT^L>s$tXykGdI
z{z4$cdsjwAOb?tyfjVkQ8p<`Ob!RRr+n_|W{<<^u#=zAH@<c{wL&Cr)BrS|rH5#c#
z4w_GRAn>YTf8U@!w5Os-{>7_H87w#eOi_NcdtvR%-xKD)GrphCzt5Atfw{l;Grd1Q
z-?s;80C<SuX$uw<tiE(gV5fmZ=!uB~2RD@LZH=epeL?@yWG4S$if|aE0EN&JyMkx7
zXSBg$n~hX~^yo3deK74{*)9fNQwT!@qY8Wf)s#Dg^?O)Nj#dh3&cVIwCgQeRIASAc
zBQqXGvmCt7=j*dR-?O;3)1Qs<kD)j^S}`VjZO}b$l_ZJe=55S2!%NhX<8tG}bTb3%
zRY16R?d30f^Gup#hzezQg1kpKm|0Rn`P64vUcATz5yuwcK|-N!jN5KNFMnhUYkl+G
zyyC(fu)IhxS~|X1ap41Tpj;4wK}*Qsc$e?BzK<Jpw=eW=4i}LQm=LV_ZwyLR%8=A3
zLa+~ZRe9)Ktzb(eA*us%BL$*{@g(K1?c@GJ><5xTWW4(K_sNs2p;KcbHkM_(7=OP;
z05Ur-rIAJTzixb-11mK>M-8Hy*45%8B>!y+a_Y3Oc8s`0xG_g>77p;dM_xRfuw(}3
zAXEw|lJ^>9vpF3%5r^842HyHY{fgkgHA7ecm&OfooWiqsVSyxo_y<-3i`b8eUr=^;
zX+~e)LArEsGg8LnX(SgG%+#?@GoK2gc!I{+4&V6&%y_4e+x`R}SSrYO&jsjuM8xoj
z{l^YDdb)Qe!msP01`(hfP%3?Qa}LOk7!bqFw)-o+pWn-7VmZVd_nQ~um+k><cDkKw
zH(_QTI&cqUwvT>`Btqdt-m~x$hmhyT>uh|W8S#Om0HXsxk&fYEOVS1ed4R1Ss5&&0
z!;L^BD<^|&0AR3dr92<k9mJ828Ka;l-dthPaY0om$obhbMxoaau_P%@jzT2+26K*F
zaRJGQwTr+VD3hMkam$YRHWpTsSD-i(px7{CXqt>{@Lvr5GFJV1ZL)E_;U-cfHn_w#
z4(olD_A&(gYwX70rsSDy^6`<OWE{Vbm7NzXxS$aOCIS^S9tsW|35o=hZl@q6Tm2B{
zbtWFu(Cv7f03ZdMzs2EUMF{_hPBSsH0LFg(&F@B*d}um87}!}gYrguu;l9s<3uxdb
z`|nUWqJ5lPXEz+))ly3D*WC+lW>=aMILcI<kQL=Uk}|U(1CFmcc>||CC{HdiBns{;
zD#{FTgus;jPonu^Bm*wQ5dlx+Lz_-3hf2F$0Sf+dSPMcTN@n+;&6VE|VIoc@5LqN~
zJJ6KudUc%rS2@um$Z;iqm4;zOHoR&Ox=;x&O2%crcAQyxwG=Id3PJ<l#NtlO^nSkg
zz&*>bcEIyFaT>UCVgi-Wv1FXqBZKMGFlS*F(}Ze@nf!Njan)cYrt$;pWljd`P;q3s
z%ga0LsYOynzzH+FkK@N5kOb-kt2g|Owd$mWi4hn#mToVH!_^x=e1_Lc3)oV5)nyFO
zjx8VLeNy!%Falj=T{Fdlo;ESGhI$fvzzq81(CR4YT8Lsg&@{B_UXXrW=>Q5_#*rBS
z<y9(Z{r)0WgGe+f(lKB%P7rYdsz;I_n6PO9Cx#ical$AL6rGJFi4Xm~{&4aD;-O7O
zVZ)DcY86QUL}|DvU2#~rm_RYq3y`zp|8f)lZTb*Z2Mu;BtQ_3{TfAH_9;`G<I}l?G
z6hg3&K)WMQ$2VOXIL|+f76fGwth$<#&3~*62eK$C2=|su$9Q;6Z8#j8Dzcx4KTGW7
zG!z3!7n<5k$88_}XOIi_B*4iO`xt_l(CMTK{EE{j`Abvt#w0PhVaWA+rcZ+640&<F
zh#iENL&%QA6cUUu=`b2-G`k${iVB)ibpJRR1{d4<T<1AlPX@`?K8fw~GG~*Z&kO9M
z1<ZipoisQY(8{zI4r7y~glS#baWeY30_|DusS=3y4~Ym;?f;<BpJZn@`!zJSl?C{r
zoPDK)di>L2gbl~>CIYv_UmmUK?dp;nGHBR>;NAh#a5h^JSQl;s7f@}Gt2~;^+v6%)
zDDANQnlbnzLLf}UH3^+mRaDjLPDl2Gfro*t!YET6#0Tt=Y$Jd>GLoOg|Mm?DU;~3n
z`;nO-$3Eod<T#HQ=a4uGkoJuU_Kon`h=ZluDVPojCWZDROOm~D27}UbjYoQ<;Kj}e
zU%|AXQ+<0nb$9_Cok$a=4&R}Mtm=9d=i+=H2f)p4WebG6SIiouD67ze`<Vcw4~vqJ
zO~sJ|vMVMus3Z4{$i<7bB5C^I{861irh2rPJ9-V}_!T<<r7_}%Z+YCWjpJ+&Uv~t&
zZ2ze1uFDYy5QD}H5+hJ}@dbsHdE;b;6F7Kecg-~5Od~S(cd*xHb$VTI7Mue{3;RW3
zxQT)U3m8AFxe`W${b>`#PZ}tDNu5IL_Er?gPad3MYiv>yaa_wt^T^M!y8J#bU!M=h
zSHPiDxZ$!lH~8g1(NnWIpe!t|AI{S10_bfxlZ}=rIQ8}DvIGenKX{-rrjHyZ+=-Hg
zN<_1rZoQ@K!UV{W$|c=w?DPwrLxFOIk?%R11s`Wu=<mA5>HEAJyJYE&nccm|X%gn(
zcX_=YCTki@5Y(7RLhLc)TL=&$hmjDm6Ok>XD}+fxaxjyPc>r`_9Y>uGJo8peIlT@_
z*`ck)4(&UXi2`8NqA5wp(xigI!IDObkpjN#5l$1J+?iHlZ&f*i1kD-_6rp2AQY3^8
z@sI~&cme>(4hLgMiBSEE(G%V3d_2}9xLlz8X;7UqjO#6v8th3PkIA7T!ozn6-3JdI
z1`Zci+pO6o33Woo&Y(VMcoKHoYdWL}5g~_Zb$U*=+gA{URNVuBR7?12Y;LXT(Fx7d
zovGZ2$tV$mO&TsJ1b|P74k2J71W8aHr!2Mnz83*WnV~6dQLw-tcR)HPeQ;G+^nvM;
zf-S@u>aDuqzJId9mZdp}2y@cmI_R}Kdof0imVUR?df#up&d7Zj*SYv<E`U_LT0FhY
z`|)UVm-vN>XH1zj6nosfder-sl2>tVE8;X$ttU{%F#_l=HWmue9!DA<cf2+u227s1
zfp2XSBQ6HI*aP0^wsFD_FJO=e<qCk;5+sxX?I}Y>&zJ~XXHOX}aNy!3LW<xZ)380i
z=Oq&GxgE=a;kxU|k0Gq-iv1r6WjB>b!LiXDN5bQW$xtMRfgrdP&#eiPg!=*e<`Xv*
z^5bige!|J=cS1iYt+`MW+b^VJm4`#T;hz~u^dUW*sW6|+P$aFiB*k~Lgrcn603Q%0
zP94tMpMS8=>@*zcb9h>c8l<Pq%C@IoG2qbMf+Xy37hAN1poO`jK%jEP4<dqb2w-w)
z5F!YBpjROxBWJ;4z~byToS{%<ome=S0~s?l*tVXG8*MBBfFD-_@c|)Ep%HKse+>xb
zEfPmgqWr};C@vuUmx1Gr_ht%0R0s^PNt0Qv>ySz5b-KNOPkY3QOg&_*ibBEJ7}N+3
zoA^VJIDqPB{DU;)Z<(<mISV^tYw>a<Nzful1amFEeurqe@;Tz@Z?>Jz@BV&k{*K1T
zm5clDkD1J8WpG->XF^WXfJ<s@W;{#ytIs!gYyG=`(nY{AQYD5B38)c`@ge`4a9xD}
zkNfMUV#x&g{yN)R->Y#rLKCH)FiGMkg5x=Vo19^EVri&#Y5RqaR2oJcO5+S3KTHNc
zqh%z+#S4=3L|H;$F^6;jfFNitn8N^Ly0~U*-P7dOYg^{Xcb=Ap3;nQxruK874B=A<
z^)lxO9LU(+_4m`MF=dOXKync(Vf@{0xNgsrUGq?&=D?+WvM@k(8oBbyWhiod9d56S
z%N|Pb?5Y5JZMKb$_V6^7TkERSd-ux5%^O-Us00e*L|jwqz4>JoHLAmhXI5I970GY~
zD1VBqT~T3=@^4(RID9KLn4Na!19CjypA|ZaB=C+8nva7ty-U`4JH2k3F-Se%rxPwn
z)G+rHk(rTNolirCX`iE%Gy+t>!Huj?41<5lWMN~aXWyxOzP^lA=D%NRuh_|oaHMV4
zttJ!3XVdfO5JT)|Jd|uXsY53fFl_Qjwyg;k(vXtRXUzQe;wX4&pqR$>NAVLVym3N6
zKu(;+@kR?-Bu9tvc7)Qpz1)dp%of5t*HP(A!qyT53L-@D+PvXkrDe41uNLuOqM$dk
z0pFTX$?*jV5-4C<5|mtE1mk0<5GG6o(zRT_k8zz-9O-I6(R_^nt-uZZCDdLwD{5E!
zOc3p69g(|uNs9exR54zztY+I$Q@??&txXyUU7i<@AJ}gAFf&n9Sy@uTB5a`xur*!3
z2jpW?9?dOTd+tzOH6@JA3_OuKaMZSw`Q()L9jy)C4%YoR;s#*?;hm&uXf)Z4pEoZj
zg1z;nH9e98qTO))1Gb<vw8skKAYftSi9{(4L?#gKnd)>%5${|=JJ|Gj^Cvg^3}i>h
zakj+Lx}D6~M2wimg3~4qAx<Fk>uU?SzCRBzv6DcTDD>JxKe3}X;J>%WvXrPfSo~Jt
zz`k~&i%UD866r{Y5WIapV+X)7hEtE)sU>0Eto~xPRUF+_q*u*c(86#z(j@|eD7enN
zQQ$~0NJ619AcJyPMHPvtLE-qO7ls)A6nsLC`^ypkSg*g*Z0Son$o;-0lcE7JLG_j6
z$DQ>Z=Vu9W<B^Asn2cUY-4f%WH)?eSKA(2WK|#Q$HOC7=X>1ADjiciUC%|68p@PI_
zv`%TIeRSM}LgMMmEp6&l9p+D{jalTayx_ji?Q?AQ4{{{*#ukvnGGBtjy#~+-6zq}X
z?tn~t+h6C?2!lRn63hVrAW3592nlsTufoSq9Upb46r(qKnq;Vtqn=l~wqQiqu>&Rn
z>L)7tKc4iakCyqoZq$`BBBzQaP&%0~t?qYMnh*rk?*&~E!@<&Ih~q2rWlM+v-*?L6
zv%$C#^Fojioj40xCyNVr{CIF?YEMw&+X*<813iv!%iz(sUb~+kV?{gU`6D{eb{LTe
zH~h}P0Q??a<pan4Z;&2q*S#t1lt{w(iPFM7XvVt;jL2~8mzBt}_Zm^AlMZV?qQoQX
z;HSMXrNPpn-I-)a&;rc?pliS#m8dajTq1f8$n9`e5Ps0<bn{+I^*x;HT^L*-Mw^B8
z-kR9uGL(7VaouT78fZi=w%l4TguN9cR&HI1Np1{8`K&<%BS4sw$5|pUjFaHi2WP#+
zH!)~>wE-vjo1gZl#<W-%o=;UdIeb>vWPsn@4UZaxWRjf)iWh`nqZLb7F0!%YBK#bi
zv&Qr<Po(d!aCiH(_)Er5x;qxYgPe4AEp8fgwzi~Wwy>xu8Q+Gdi6pkZ9o0Z{h!Yiw
zY&|EWbXJtH^hP81yw>d^P_Q;T-CQy)mjh9ZAIrRni=ZV6kLMe7QG<j}#bst<Ry<jm
z(eVJ|ZWEb>51*f(Z_TYN?JQ_emD0{iPX(8W#a_!foY!q>>God#g*DSaZ67+!{qtrp
zHM6RMyS=uyVwhKy0IFeNXSg&=`@3F-1BCbv;wFAIma#F?kx?m1<>uKmlc?|H=4x$g
zQ<ka-K+&yS#RmO=bbDQ{P<wS_q3}Qvui7)Uw4_YSI4koh5YH{Kq(6(3nHgzhsR=f4
z_;f_s4ImDy8i8s5JaF5J&H=wFf$5b_ag>?n65_0^FEir~*Wg7A<?%<V8SG#nV#WRW
zNXXUffw4}7GO{s~0_JYuNs9mbKFI+%J_>USvw6@Qr>|fHidSN8Lgb(@2+M1MceSI(
zmN1^QYP$(^rXrlco2692>QLWa)f^%%&JobQdX2439c2=@eGHlMfzHLDOB!F=<Z69u
zUH%U)NeAc_E)5(0md@(Z#ucbU)X>qZQ*p70RL6g$ie4*d^I}dc3g_tP<j}^jO0Iri
zKNs%YL=C$~M(*_JY)z8v>PG`}z8XG0KTESfuhLd@mK3!lb2D?@MiK`Bh)~o6GrU4y
zpN?AvP%3HbeCZ}JIDZ}nQ9#)m(a7|N^{|P>%eU3|xQR(g=}0)+zAs_NbuYkZm9kr`
zD+HRW$!TF9L%x^s{@@TbA!dOB8Ip#%y*ab6w`N$146i>=N9Wc08Tmmc4J<%HLNk6w
z^ypYa=@1b#DyRHwAw>Z*#$st<XKz_kv#$W1+P;q7L6<O*w9<5QX;qD!h_zR(2xVwC
z;+^=Ku%f@Su1&2Er-`Vo*;p<<k)D&Do7?&ZF<pDz%?T&ZnlyI48ob^vY-)a*mwU@9
z2kq`|F027P%IKg3$emQd+1NVCYWK1l1jL{aMJOj4(kgR}46pbda|2H$UTG=av@}Z6
zW#D=@cOM{U&Wyc1H@C92uArs{u}*3_<q&y1&8kzAvLNZKFX$*3TJD$F5KSwj^@4j#
zh4fG)<ux?IY`rT_W&oA+G(7kWn&{^um@<*qhwyg}zw-P$SmsS?2$m(JdKryPC8MR~
zVz41}02sdsnCNO7#ob@hjaWv5&@8fW^D=TW^6`qQP#wy`>2@-+hpZj!`To?(Dbb#P
zWtDmHmu4kpVK}2HK9pjsYcICli+x=U-E2JtgJk4^IMC3~G+w@lxQbaJ`8y6XqnBwn
z9BCdmyPW_mGro~(WfAM`YAdTM5rxqL$2`l-%5ep;@{0YwK9BumBE=9b3B}Tv5}0Le
zJ_o(<*CGRnt@QFT^Kvo@3Flx1CUy4CFiRxvhaEzw*!y0va&hFygT|KjpAfYj<?XzN
z_S&8mF6gcC(o=)h?^UID$TAzeUhI+4q>?H>MGWN7HL8h4kbOA5R3z=Xn;qEzP*%9!
z?wDEDu5pav;qozqaHI$rahebhowgeTDU%&yo|~Jdqm!m@zrZ?b*xAV^4+zV!*n9p?
zT<Yp=UWtqZ!;~NiatO>Xt17ChDG?NhF%Fls$q2~nb^U5!max3J+}YS&S1yni6;jS!
zEI)eF>ouHp^7QoTYGYlwct0=?Bwk3CGH*&^Mx?p2`~lx)Bl4J8@OcSlAz?^v$+DC(
zPE0p)w5BX(w%uCOP#s5LK~>qps#+%MweszkVgCItp;M*vM6b2@fO2VhX<=P)k=$IL
z_NIASK5=0ngjCsj#kr%IdcW4w?aDB`%B+Neg?)iad|Rvmv<rZ%=<nLh63D<#w(jz<
zbsea+-S~PUwsGdsEu`LBU0k-5-#i`LCRxEAbCXhkMk4i_z};;5^AD6wr6g&+0FNWr
zVR1QG*x9-9mr!Em#?H>wY6f@eit7UdrJ+XA28z+r+nd+b%W$6Iw@Ed-WDk%KufF4~
zFH;;$prC*RuPFABi^(2HVO&~mI00}kFq+UdQ4*8WGP1G}S#09qZNmxHI*5NwDPw81
zx!YaUubg+MWloAx4J>aKkd>21?ec83u__ne5R(mRB27?JW4paEXJRE7sGvriiP`M|
z^$?7ohV#9`Dd;xP5=$|5Fx(DJ83$p{ENuMI|97`Ia@9JX^iF#Wi6PD1$+FReew$y_
zEAA0UMC)$z3J|-yva_|dnt!&mxIrTvCT42=ABOt7e;io7R3r-_SW<CqPM_qw2*@yD
zpnj?_j~w4v-Dv4)X%HaS*3Hh)QBTiwOH4r(b9+N!oR|nPMN3Uht$A|A@2mb@pQYPh
zSp@^8yv)vRbDv)^xK~fO+Umk;d9Fx+qz^umhhQ;o4Ovbp_4&7@iDkK!b=l7OH^1EN
zF<}jTOr6zwa}oHx@|f-NSR~~(fr>kp#lljnJ~%x#aX6|evzvxwA=NB67`?LA<0Low
zeSbO6#9<Z1lQo5=TrvaR1sejRtD*`SScC}O6BPt!J0thTvWTh8kwS0cPVUymNGV+|
z&$Rw#zlo@{){J*+159aKODW-%Hg<~pIJ*18>KH37AjR!)xeEM3#U(aMyKc9Q4Y`kj
zyQ8nqk_vTEVa;~XA`plZq2u`NPTuBkB(+js3Dpva&;U0_OH0qGB!6RNMt@y%L;K<=
z>gsE{sT<$x*$%BC#x&Z^r`8;c;z*}1CgjBHk#fOr=Vj#rNry%*&uj!g7XI1V2A4rG
zvHz0Ao`yU<nwi<TnMtK^aN92*O|-YOv#|lCVf`VW3iLs1+33ec`Tk)=-X)_#M3z8I
zZDGg8N`Yy#)YO1e<Mrk%VR*WI0|}8~FgvFmOXPb|GQ_G_>0$Y9`IlVT2wJ<<x||F;
zBh(g_Iv)8*+~vtH(aO4Z?{IL@0V+n|w7-&fU4a&~puQo$wz>_%v&3$Zy870;*<m@j
zASr8IS4xOX2S|o9Y)K`P1Kv5Hwy>-(AAA$lkEbE<L9gp)0US>?`aZ4wV0$Hcg)Feq
z>m*i_4VpstoWhD*kDE1#G!<p)2h;Vd8-HQtYF!19UUsI9xX$8KQSPxpT4ODkUcGQ+
z<Uqs<4Vl3U^)@`Q7W>K{N@=}VSQ<Loiq*5nWCA<b1Kpm76Qa1y&7HNCd6_|Z#!$Y0
ze@Z!C4}0*H9n?1a`nUG?x+mexf$ZOvF|0p7kJp0K7osQ<;f@ABqPmdwVNH`#uyF40
z!ht`A{J^rEM#9`r9U>^kp-qJsViku179<ivP1rw1NfAGmuNeO=G*B-LRjDg4&&EX;
zR&>jAuP9;qtS84enLsHG=0j>6Jt9Ovfe=J(F}@({A6R#6_)L=)5p3kalrjT=4ge)T
znncNjDoX&-2+|1-nv22I&Pk}Fm%sJu_T_Td_w!&)0bYPjM28>7#leA;BpU=w#E%>!
zKnq5cHUprOD@Cs8fkYBSOrXR$-Zch;7VUkWhGX1o=ps_ist*TwfTL1B6a6yN#czmt
zo(bd$VQVO03C9mcn59gV8cd=g-eVScM1meyvd;wDpAkN0Z|n|uShoI-k;qKx4`cAI
zL15${PPp|A1AK;y6$A+eyKEao?I3-hJS5^(O~Fr-Pzpp)KkJOd)W`4yJwjICN!Jgs
zChI^##h)ZjCV@g_`OpHG1lpdOIbnbZ4urWcW&xa`3}Gk%a{qmrU>7MnaI(}O96OL-
zWJ3&?@(%%Qe-JV!8hF@O1yd~^sPmEU_q+XWAr1eZHpt#?s0>$9(U1c!6$>hX5VWJ!
zfJ{8v>g_K*cS+yJ4yRp!cnGl#4HEcdfiu5&UH-kgbFgUpX|}ZRAth1FY-xcx{BWyb
z22T(eYo~rai@HcM5q6CvDGs($g)x#gS5^8nAfcmhKjl5oJ=7@G)jB{rU#_r)wFl2=
z(l~7IV3NIS86!je8VLA<G*iwJ>+P>b-F43158}IhjS!MHvLTTpI)7jzM|wi+gE1Tf
zq)0Xa9UxxRp?Cy^CQXJQ7~7Dj-ypMnWbq;aC%8|J<iJEwr0<x~HArGT;J7sjP6#v#
zia!!a)412VynGJ{j!fm1+mB(|;m)2fLld0%J2%b>2ErhPuRl=&#IRq$7{<ONMIqvs
z9|p)eE+padB7h$U^3DiA>m*5jvmjh8iNFaKPsH2N-@Dty*PYM$oxiKb2qE(+Wn=9l
z<?pCt0z^96Bw|O2pIc?s-S<US6CM}xJKRyK3dxYpygO7NQ@GlLa536E>b)}&3TW<L
zw+n7CrN4!mI~*|HMH|XHBtgHTK9dFkdb;g|txQ$Ie;QULG7fp~t4Vg=1SkP^g$
zawmYSCY2$uI|tB05^55(AiX<M)`)Oml1vz}d<Ym%6DI_ae^F_8GtBmvtmy&UG?}b}
z^(#;=(5;WW48aa24kioPxneONpg06|z#MTJ@M?+TeyTYeT9g1{9Fd&h0UJMLjHJLf
zzMKtJguMn*GD)d<RPu-k0#YNw6)@RoZBDIsULa2$5G3WFAlzape`q>^HUVdcHB9p?
zb0uW2KL>%ZpnV4m1aU;<1G!-n2?goCMEio^z@Zp|ZQv$xy&o`q(a-)wu}42G3Wfec
zlq3hbROta`^xk~l;zmq*FcFXZM;Oc&I`D#_jKvXD1xPrxqO=?{1^{G|Vc>r&^|Ayd
z07N-Ry1?Sm11w2ML@fa7!5riIpR^;Q3IR0qN6jN=c~OGwnX*mTUqQ<2)SgawJOv67
zFQ7^|0GIeMko2PJ)k7WRY@~oZfEZa2P?rbLg)2WuuFLa^n#)6jo{uYEh*u(K3Tc$z
z=TcJ0#ns(zdf@eq3$#GVlRhZI&!iGaT{cf*cIW584d;4CfR7po2r(T4aDLDDTzoSq
z>k^?pC=X<dga3bsj=vz#$R&h4DxCx|pdG{>gF*GxSsXaZjNb#rrx|pZxEKh>W-T0E
z5nhi8^L!Au5fDiq_*j9;iA>C>;k<qbMP3GCeWKhMEGd$yD&G=m9AcY6u0;Q-jK7sa
zYUvvvPR;lG)vE}BQ^U<UsC`?BCqs5r5#ewM1X<}3lq@FH#;|^!gaH#3s4>1T1VKJr
zEMFcdII(}FNAMO#nSwB>pFIeY7l%ldQQ|a@%Y%j8>nA9S*&PCjfswW$(0SZUMvx7l
z81>Y_7;hcMd<?LO5Ho`8UKtCV&W^Yj@QOmJC;(EvIX0dN9IR|fyq<N4wk0h~yzhI4
z6F(W$Kwdzea08spkSrx|(WbvO0EP&trJRUA4E@D}EeXItf8hPfm579U0YgLaNpJVE
z<Lv^R{Zt<AfhsBJH2Ce_VjYwTw79&1O3YpgM?R=Aah>{jmh5m}5_rIXA)R^$x?u!p
zP8gXIq9l;B*>dmzGd`!?bnxWS84No*xA2V(FVs*c{2*Xa4iIwd<OxdyfSeztXWV`L
zF9@A9L6i0g3Xowv1khC35cG@t*d#EN-cV7i>uUvVv+sAytQH0i5$)s#4P1a5uoFJ6
z2Nat%C3Zi!kK_okcs$oB0<E>6>}DS|?2&6mfyOz+WPoVXD9u~7RA=RjLa*|DR8ob8
zCdl%{0|fiCC%u38I2DI$dot7~N*K-Y;;om*2f4_QQOo70+3M^)rJ~^=Qm@u0Xd6-P
zQK_I9uExbot|t@v0!_Pspq1f$w?wQ#n~|~d{c)3L#P1(4d8@x!fClwzOD1)6s?zkh
z1|N~&%w%VS(){In`6py6?>bc!rYUx6r|qna|F(ZB?4NpuC#eFMPKSEjrOUIrM^$*+
z${1q9>Ox~W$nUZg_JRtIsf_~lQVoL14ZYqP9Ps7((u$%kz-{~h+|xAMi?Jk6`A6X9
zx~H*PQ>u_NhtH9Z8a@0LLBPp`mKBP&QLhV&$aceI)ktz*nf*s`xK;wi6$4~ntx-4X
z?JrcWcWAY_b$a3~nuG>t6LGyGp($vf%HqGNr1b9UfKI4`)5nI_V=S4x@qI2v4diTc
zn7&Ym>zOlv4!}h6!!`qB>wH$8TBEqKKJc(S=>+(Wf9fsOhu>Kn1NG3z0|u)*`J*O{
z&Tw%ktv>G?BHYH$H4<yc`*|E+xdb-<7_!D^)yy-=8@n5eVLuH*1Q-^p@4rnC8;D5c
z6q(o3U2yAsVWY1W+I6)VyK9i+3%mJ1VM+@bO?`dmqRJBPn|F0bwme<hby;gj3vC1U
z4Uvo=W?FI#ka=~po-lpF6<m4}^>!R0-~Q#6=f70H;q-Ju`mX~}C!uLL$k^06oPyCd
z?gHu9Xn~42PhM`pyRcKGb94=HfA1g0K*ARnp=f+j>gSe=!(<=oslAX$iY7~vezeb_
z4kqHOs(`4ANLDalIfEZzZ>Hs&VqR|ka92&(n}#mq8eUE@o5g>;8#8b7_q71_Ws<Kk
zPn%Mi!&Vy#4ug&KD8L%24o*tuH4)ZU9;N()PGnmb1V!&VzW=wgX8tq3o-Q)dX}e7>
z*$c4(wy$Q_QJvuauLF?KP-W&<hZUutBnI&0i7uOy`8u>xO71Gtkl~ebS8HJ1$rVR`
z#XF$uNnVaJ4(gOykEH%Z@9%sUrE@UoMi@Ifppb=UjKIT{JkTscK1fZvjdMqTuhy-j
z_U7@btzHH9VOUv<_-zTo7mq~b%B~1X@L1g>q$~jBAq*#9hB>MJO3Vtbf~d+`SxtPP
z`U~uLV#A@lELtuIhBQF@9HaZ=AP17ev39{%W_GRV^r`rrvH)5@rN5-U0=K*4@LjbR
zw7wjsVnP}2C3~O6BqJ-kxv<J{Z*t!}Xgp!cs!B>&8ev&^_`%&AZt*_vb<$5N$p-ex
zOdr784ngUwGBbH(z+efnV)9BVWJ5YvkWeThsDPA@Y46XK_k0)4+IbHv$&Z}+Zwery
zvpA5?bqB7qf)9hvg<sI1MHhtq2<qZ~e?J&LP%^6o*^j(^9qaju0YEERUIEHwl2Gcd
zB8l|c*7oUnpN1sxmlpD3t;Rj6FK9}lfK}Pb1HmJ}ifXnaLBZ<$N*iD<=S*XvA8!Pz
zmam8$@J~AdED>rP0AxE74_oiG=)WQ9qweLY#mC{^68@Q}0j3{AtjM%zwhu$#O<Xuo
z6d?b-GC+zF6s;=L26a2}@LsdM#SHa?pQYY@CRqf~tqEl7Cw<2IJ<9L>Lf4nX$H2yr
z5`8kixeWB7;$wn1c(9pWc-Z?F7Ob(YjBmsb#KpO%;>FSWM5TXAZ4HPwDoiD(SewM(
z+r^!!GC<fqp`JuTZTfieyxlNQu7=YG13I_4wphRxBYQ_#9*30fd7gI-_m{ddxc&;f
z#WZ9TSihfQ!tIf2YZ>{Wg6->*(^qZnXiA8-)v<Z^M{DGscX8>@*2UTUaf^^&8(Vqt
z)L*ROU-kXt$=@zmX^p6#v&li~W3=ouk}m8dvQk(j7b)mtZ1-cP7X*Ve(Yl-E0>!SP
zZn*^x)u8i!y1c>UaQuecjk!Ze@&o05w+oHc^8YPi@R#%`7?j`(7lNj03)aE-mNIzD
znts9sjA+DSul@0Gy=MpXyvpe#09(zI&C7i4y0`rXRcmEk`Cn>U_c!|c5lW925AkAG
zU&s}H3fveWGK@udxc~arxZh2mgSbQy;zJfOC<5;X=Z)+Lb9x;H)ENz`NtG9vBT$V+
zI6dj{^3;7yhNP<aYf)9+$+E+NNJW@@;?l3H(1G4jET|<pI}##5mwOJfXui5U%|ccw
zKrgi#v=w0cDnCQ3T?{vIX+0Bv50eE)?4o$P&!l7gSytKme{L<<w|9S9Ar$?&6;D=N
zK-Qj{nI#G8jNOBPK5N6<Sa1JFdd%8jAC%$#`d>$xUZ6A>7s-M+NQm^dt&{!_{C~l2
zPZ>43KqXS_J$m3Ax*vE9oiP}{Ffm_YvJpRZ8N{_nO%2AJM6FUek}XZs-hM4E1PBTx
zQ=+^W!C5zStK$ZE?g0@PO^6f&*fVzk<jR)R%$;o?gSdDE$r39|No2$iriU^fla!z0
z=t4!<5dXrF^NS8}YE=%Q%9<Qc>XSx}zs#86^1Z_D{E*=H&xbu=?6%dHJ?}+edIeLS
z`RYu=lb^Ccn$$q)U>*6P>-u*+&pv$98dBcLzl!zeY^~GQ?|YV3s#Tdfgl$K*j2OXB
zAou&}0Z46h0;&WnvAX~0N}xui;OH~d08k1?=E%>t=j)dIPCHM?=lAzp!vLhdhm>ll
zst#vXcCVZ5;L+>acbV@(4i7upxmKLa2)SC78s$b48*r*MQ1*segy#3yq3;AeAA$#B
zc5hnaSxfh4)&Bn|ul<%X+`oL`aPW9ME*6Q!_IMbUMaFvRV%FWART>15G^KpO<9~E1
zflrb+JDXgH@X9kqQ(f=$v=s@$>~0-m@8hDBTgBb5HQaOf=xpV3!72k2Ep+T~!~Z_N
z7|~kJYGPffO#^(frqFISSp7{HiTOHOrzHvr-<kj<maMy--_z^zs*{;?Q^aGJ1?Xy_
z)H?1B4DtD$*ym(-W$JzqRqY&O0z?cd<MTBr4QXB&-ot`_POkN*&{0=ZB%s~$Va1&E
zk!D#nVHy-prsnjyAEmVE{(E_1*Zmp6uKWFtQS<dS)PsEM_=fr2Z0vkR27l{$n4I|M
z5{XWDt5$=0g|xc47~dKVPxCQuJ+ccN=KJtS81x@s9{+(I52!6qy4Y&H^SHPl$jjz}
zAyrcQLaKoa^*08H$Gm#qcihL;`}BZfL%?b1eHf#^J1GvzZd~pAd#H+mYUlqkOl&ux
z5f>Y&f|U_-ZH-uqVA@tPg`AYdyGxC4h}HL7fv^0QQ^EPyt2L){lX$NdVrKRDKdN}|
zmN3?a;6<6CSHAhcNj8rMcXE19W$`0mLj}4<a++T?&A6g<`nW++PX>R%+7{I<;Fd3K
zjeG@Ka_Y1(hiM}bx!sMnyN3)TboC=+t5`U7-^kdgK7E^8Z4dyjYb%tH!|hhzZ+Y4;
z{`g+7^(&YPd8;d!2XEwF%(?2}8h&qAejoP(NbfLFcc>88t2U@oad$gjEcREw;f0;D
z{KVu!vv0c}`h!WrB0}{{u5$h!rWOoPB&owaseWH;e&1tqwqQtAKVgu=#a@U1nQ;)(
zN;mWO#`{^ddslxTIk(_^?c3$PgDHzV7v-yhq`i93E}s32*#9tNlsJsMvZOX<nUt)W
zH3RUnl!g(b=DX6T<42brU+p&)t{{_xK|RJkYi?N;IST`~IWWwWU_>ntA4mb~mwP~R
zji}^+ipPd+7Zjj5)XOe?_e6xm$O||_;F3PQ0O|?EcIHm2d6myJtgc3wXY^+;LNONP
z>HL29d-D6)>ftmu>QNPUWX{z-xj_}L&zcjFRcC(H*AP?@Ns9eAf6(WUn*J=^`#nx%
z2BMR(CcFaZ*EFe1w9DbI`PV8~tx`Z0si;u8I`baAuWw?WKQcsq_x<?y{j*WRf2v_e
z(@iIz%AQh>$A<?~T2F#noqCrUT}^M_q5#$~wHxk>-3&;Umd_*}Gb5usch2|oME|$<
z_tl1<-3R+~6Zuld_E${?S0k}R<(sc);CsD`{<mhwrxD2?x=IC)4#g5sU0W(GOji3`
z>+`#wRsSzk;vMg(4K*fsVus41{*v3=1jDc9<%*WhB}PpR1ACCk+Q7ypBv4?-zZN!K
zW8iWvpkrch&Aee0{_3Tl9mD=A<^L)?+QV3nM*--}99!sdb;!vI$=K$ba))GgxV=to
zInh~&JjKDaf>`4vsLD!@-0E?=xzPbs=1HHiHM`w0Od60&h;6&o?wvD#CC704Eoxcl
zrPr6amr}_Lc730OJT>*w(8Zx!NWMP5CPS1j)Q=rZSV<N?l>GW}vUgssKajDaw<?)8
z3lt+%6T{DH<I5mTG(L6`Z()DTJNd_F-F3ND_%TVVbUPUK1)^c&u%)fChMR{RbfMG1
z(hC6*MGRVAUfxzLBHcqiRY#R2LPI<-o6XT6y!@RAe|^l!ow4SGU824Vo(`liuZ{K?
z9<{Q&vMb)pXMy3@&v<(r<l;irojJB_#o;hn5G-5b_WX=(CB=V3o2mq8JRT9lw(<U%
zGmcbM)ZEn~<$N5Sy|OgFAoRT^rJc)Si`3{NLqH3$&+X!sQdR14cZUVN>2UhE_D9|A
z_%%00dtY6DbVc!&Pr#93mkmF^c~$Z8Jskv71G5kBV~2LW^5I%_J&#;OS0331Ax$3f
zb$gy(7Q?eXcuabT7GCpwYkEOC8QjlaWDPY(#`>-A9kaswI-c5!tG@X8m8>1vN0B07
zg`l`f=X81QB^l&-e<WujcKIDVVK)VA<_?Wz4hN~x`*NoF-W(gSGV^jY=U3SzGe8l$
z(d*(cl{JCL$gEv`VHM<&J)isg5(o<(Pr32JT5ZX?sEuSZm&xhXFS*#^?ok)G&vttm
z@MehE;57x?c*Q!WA;|hYk7!fGbh`7Wm;>o36%q^!O|hwEjxUdY5aw}1xwI*0jaOGU
z9-)I<())h@8cCrHj@Qe^mOKCT#v%bWH^{{9^thRri|TeAo#aLu&$r+ZU^Np_T(@(4
z><{Kd=p#-3E=^`~!Dl>|%i5E1*<XF$SYV4RJ;R4>De^uQ(=IK`ONhVQX>+aF#hfU8
zWbO`iEl2G2c?A$C37ECo%&-=@(T{KG-O!oQ!|ibU_{3|k{^G-BeoGDIW%uBViqs@H
z-StcHrFz)@o^G-%SN6-IxjR_QB;3ppfi>`t)5Gxs<OT!fdCMHh#kMIu9(d*LNn2RC
zvZZ#E;br%1;7b;9Rn9{h-AUQ8D4_ja3|&R=DF2&YOi}r3JKD0-ekUQa;$AHVqI%Qe
z^RgHgIg8NZ_Trip*54=pUd8^e&s>8XOn>_eK{1xCE}rMJ^7&`ybPA(xzmKGnAF)3z
zffWS_f$RFp4mwUjW_3GHqy`M#?bWCEu1V<<fvO~@1z~BQWJ2>+fGeZ3380yIIXnz5
zM{#Rr`YCdkDW*@wJM=vpg3NzQ_;n*s<rqB8maMBScN?l;Eq4WUMr@Wp$8qR0kcMBk
zLEM$3fMe4oQcW{rZ<m-IUTeI4+(#2i?pv)bZp&%>N7)c8kJE`b#BsKATvlFjeY+)i
zzTSTN3;0jm*#RWQusmx}bn;Zvv|d?N8Ohl**2Ik>On4UuEpv8T;e1>#iGdk1Av<|~
zA1BS^z!J3bUZssDYf?L+T#%6^LC=GmJ$XL|+sY^o`%6mw0}=fje#iL|Qw=k4d$(_{
z_&db2;Q2=Od7Oi4X*V~wG>C$7{MlZ%$KN+&8ZKLVHx&<>)|h16Hd(A@r2k|lJI31h
zyclu@4n!I!fxkABt?S*4fY)sIa@m9qJk4QVM+eZ%zjEoI;22$BhMeGS0HK1Eb~=6R
za<H6D*$({dk3NN%l>xkUEyW+?+YZX53Z>+_J-d@*VqJ;f=wy+p<yunwEulb8{hoGH
z?4~^afcN0qQv3e5h%NwQeL)?Qqo-oVN=k{;j~iLfaHglvY|FE~JyHB*ll$Z8>14Ip
z@9B;JpG0F*$1)Ei?)VZsj$ereO5Z;QNZwZa*gh{ar|ph<eP{>L%SxyYJJ0XmcN!%f
zGeyKOu^AeXmpDIXf8)G%N5AouGdEUjD8i{2t)N%&!eMn8XPF(GMyo0+;o{@|p<Ylu
zZLPJJrJoolWMU=Lt431ohMFeLc-#yP*)xh!F5>3^Zy23lq~)8fOTkl2uk_}p^NAeP
zW$rXPc=f=~%1uW~i}Tt4I4626sRb(q4O-Od`m_X{UKexw`J=!bHWM#;gs2YOS>g<7
zo%M>+PY^U7#TtapJq{eUhCC5nJN_I;|5_xDD~qpA#rjF4>vO9ElsjG+4=XQr0FW<<
zsEkrkHe#38%Wg9LN_S1lv0i2ic)>rV5P_p~91XY<CU;e#oK<#a=Ci1LT<A-RC)9aZ
zdsEA8;2Wxj&VA$B=8^nn%~aMDGTlkXo7w)tDQt;^Os)cdXQzM9fweWZfwiTmnf1t<
z+GN3&w0u|Cxh(=`%o(lH0&(!Lv*hcAHZQE2fCl@!Ibz6D&L%Itsx>B#rW<L?*iuHP
z6_{!yIc3T#$tOEgMp3ggv6>oI$7q8-@So^M$F;4W<BQq<vS-cmIcZ9Shp_sb{tk|}
zyFE5e;ew4Afpp}FN@Sv?gY)4Lv~=|bvOIZi16T}~8-QAjXhUjSjh4#yshNr}Y`EdG
zH@8;xS?-}50^2`phRC+AQQid-A_PrucDv#Z@O~c`a0n2!2b?<&&g$?AKT7F#u$jCR
zXLSCRM4yj83ucqq*3y}o{A0J{!)Ot?YIR`~zduS^{nQzYTeZJ^iKElFnFTQTy1j{R
zH*#DMF^H_JdeIm=><L&P5nEHD&cVxzGks9B@z61mknlLE&7FN7+@ZIH1#h%3mAX&H
zGT>$4F$w_-LUO5y%)r3Pq+ewVu9Z3&^;Gq?K!9T?KQYoZvHrRkKzn)~KMpjRz@lMp
zS&MKudTMnh!;L(entUO(jETqbWnd~>RwKPZZiTQEBb#5v-6`$zI=ZZ8kGN(gU>DoA
zmfxzGk_?haZqe!b$8cv)4!M0)rdyHkc?UD2P7{kF(p%Ow+QxGSS9aLIp_9*&THazg
z@wonvT?2L;Grf6Siu%QI)Y|WFKe4O3KqufWcE$@u#fFc2y%Pqv_6#xpv$WNd($;zw
z%uGZbIbqhOnkvk2+EnjS!Yp1pwyuhMQ`PZrbOlom$aC2LPf2t0`Ez&lBOz=^3HoWZ
zTzMcJKM&s65db!pu##@+-1&0faL+kfg_KY(-N)uj7N^`;yX!~a+Hy7J#M!PYl4e$#
z8;Cc|hBLm3Eo0L^EQS=3{C+)j6`(2;opqu7Zu{+VcCkUr?N&yEV?Mt%+71uPouLCJ
zhlW@nj#;x@UJA{0RC_)N<Hf39psWlewjwF%t9I`yPbZyS>v~rnYmj*kD`S0TRh>oj
zh&tMnRU4o_dd~?dg*3XHcE;za1Q>H|dH;Daab#$X-C5;vOw`Q6P^Tr7k%fu4&XWC+
zIF1a6)&_MoVWPSFl&`y+yMxF11rcR%*k*5mn6kaB+Sj}WT_Q=cdHVt!9zS|6a9>@g
z*FCrUXum?2_SW^UeFUmwVLHca^KrKXbk39=@nDiBU}2%lN>6Pma(Qh{5ZkrRX7>`3
zfutlc`{%RB!HvewpLeDA!U}%$r+|;$;|IL`$%fYB|J4HLM+C+mOhV9-6U(;yJ7s4#
zO<Z{)P1yL|`#XsGK)57==er0$TW!%ALRN|cGh4KdMeyvIgoP#bPL=O*@*1nXjkRf^
zGGEuwshsGrF_q&m*J=MKxAQi3G#?d3kJ8{M+}1xHO`Y}jFfw*LJ!qL)BhRTwcU!#%
z13voPc=Pjf5Hw)9f4q&``@Mf{uHrvqU&h>U_7pODqGRzbiWg11l2QqN9xP<d42R$8
z+hXVasJCMhFAmRu;nCC38}xL)n4CG7i1-D^*Y!l1DNQ|16Kr6iLCQ39z2;FCa_RoM
zK=&zHk`4btlF;t0Us!Im^7@LMMZ<J1KXo+F3Mu)_nJOYiM)R{KPUDB^;y;i$IbI%r
zmPQiOjk!52h&s5>*?JQr2m2z&iKtd4m=*(KZaRf<50-Bg9yMqQQ2<`Ai#8bi4J&KD
z<4~4z1B{OoE9*}MgXRItb*kIDg6@wSJ9`5goc~%f$_;|{_P{{+6aw2pb8~MI#mCF+
z<L&jl7#wPdm`GsG^R*?Vs7g-$xWMFFpDOo};61PZBC=?nl^(Qi6-|mb_<F-5mX-y*
zH-^lDb@gP?$Io*zeZZW$zCJ%6o*%C!2YhauqwA<=MeP6RvwkVgJ2pC$DBcc|!vE|0
z{TSMi2b2C6j>SC8l%(K#_uS>z&QWc-@wF7Rf((y0&7CjLiI+Wq<m1!B;&%4n-srC#
zH=otiS{s0x^L2E#HcDm+e!KI1|LJa_gv@t~%kI_WFo$kNzm1=Pch&Xt+u`NxVxp1J
z+n^|664C0`4E*KNmZ}7C90~RB-*rx#N0IMZj@O&m7#V&X%|3`AA!MRfy>3*7G66!c
zZ`%H<h{)ChXqm_EVNBo<ZnjfL{MaFsQN!&FZ#fG`S!-?PRQ?KUy8nTj8+!zXaYe20
zOnymWZbL<hJKbFqOyAGJ2zVUc-)YWU*p5dvD(lX&^<-d7i+}V*N&#ZW#Fi&KTfNVn
z&*w)`f<zWQ;rz;S`MP!n9#|Ofy$l#+#B9|f)p$p-je)@gHuZ6!+HB6p;qCheGrqUI
z*QSk=zuOKQud|cAv9rD5Dr%rEHwjS{7;t0jZZkHp;`Fe8aS=+|84av|afWnhx0j{<
zE;Oxdyd?pGpzTvMx60n;icKZTqEejQn+CE)xS2aml+&s{V4Ao4%l6n>sI4}~Q`H<k
z0;pt?tozHL*&AM5jI8uO-}m$F5Nshfy?}8h<usC-p}+6AzpK8#$DESx@{Z2vZi_$$
z5(0+zmKCa}Agwce7};1jzt0gDE0Tj&nysG*K{iHiPF}9CSnBa#+Dm#KxOG3vg`}|(
zw6fCwd=NTz`b}xSX4@&Rza8!4U@!rj4x{t)J$>djN}v6)|JH`)yh27Ar)gL&gmGmN
z@OY=4p_w4(Zw$(_IxwK%$HdM4ygv|)Jjl+1(^OGWyN~gG^s#l6)D&m;AJg({sO*rC
zARGytZNT&bOKX{#F$iQnf)b-#bW{pSpG~?uzg*wgS=cQnM!HBb(HvzaJw=>1xA`zX
zj#&2U0n{VNoGqncR$|AG-Cq~9WD_B1dOu#D!EPfryYV}PovrDy|34)R;4y*a$}R?8
zhu4;Wu4{fsuJ-G8yHZmqj(NB)Z=+9U3ob1v5+fVw4yvq~GDgl$KkfdT!Jk`vzo%FF
zzx#)csW!Yhu7gSB)fg<#eSt5&>I_Dn+?f(&NS++(Q%3nB1~ReX0;858g5PXn24iwv
zZUdx|-LIQ6X39)e(!kW+3Td{}w%nh4AB^uj->0y*+5d91*>Ik~MXr8zzrUP+z;=%@
zQ37$~Fc8x>B8?Fuek8L&N>u~-Lx}%ahJJb6jqO>Z_=j`m$Xbr)1;6X<>fc@3-)kMd
zFXvTk(dn!@2hwj8X;&f7xiwkN3_qnc#BmU)c=$TG-Aq|q%Q7i3Arj_C1mkkQAs~ja
zH6e|`Q^L5uSpX`Cm!SYb0zbC3cyfrbL~y$_S5S$>(0Mz|C#p+E7?aIA4*+IaRqU<p
zSwlfKf3E!aGz=e)*Y9ITl-m4U$W)$QmswmOa|*~0Xg@xf_#mUZA|P@MXp05lnLE$3
zr`XL3GzVIm46tXw1a!}KgnbsTn)q3|AY+(-=F}!AgDPW$ILuy=vKi2FE09-8a1EuH
z!NapAYY^1M3<Kq{OR>Fsru3v3;O|PZUO&1R#fnwQye=+TSfloY|4UBWpS{l}E3@Yt
zd!OIe-`7;z9B;bdt-LdA!rFp1ZaRLBy*`}d^MnweD^CdJ>Ab!uPRQ&LQ$VRiKgn>P
zgfLuIh@%WN3Sk~NCrXAhmCktAY3T0n&t1U3-w!u@Z|{T8nu3sL$tJ7nY}`qXfMGij
zl4Tlz!qM)jwAtL>yuZh+E40IfG+9^dVE{@Rq}y|oCQ2L(K0z||dl9<v!4|)KxWh0S
zIL#4Y6(@~%JDy{Xw*~OOcdKY}zAop3*Le1vAR2^eS7~}#I?<$zmT$Lx?|{j5MM0lu
z^WyUXVSME%;0KaNJH=x$H@8Pl6n_9n6gp;yyGeS#AhegdyWHRF$(#dH`blES{C0tH
zD|ULXgoL)#Fu3a+0oI5E@hA=`UQ7^UqT~1PBUFODpX<XAEg?J*W8O4T>H!c8cX}O~
zW^n$;lu@*QHw#4v_gL{1th{{gXH$P4Q+q$3Nz?|JkK+r(w3ck1peEh>NsM>f)xcAQ
zBJ=#B$l?%jGoja>$I&t$WM(xM{LnF58%<{~Lp!LRF#>vI1_#}}`$@Z#*v<5KX)`2>
z^C&tH6`=Vz?t*|p(!yLo+!{43{UU;DC^*$}9QJIOcmPy|AWq^mlqyA@G+9~S>Z42n
z;qYHLQBru-q&|3#zRVZSRG6I(w@H43<DXq}z2AqQLnrn~xxyPmpvMgSob&2(Ycw3g
zN0>x0q=AdrA2_j-hmIH@#!L|=aVVhpkZ{HM44kA~w9I+IU8qw<@V-x5dp}EdyT5yO
ze(x70*l*;t9W!;IK);Daad)*6KW6B3J`Pui@8=TAjb;|!+j1A@)_W_u=o$Fg_T&-E
zhoGS~bN_P=;*I>jHsAUmgQoVppX@Q?Fd|P_P+7rWZ%{^0#RjX5ygHo~3&IuDq0l|O
zyrzo1;bJ)WIC1);F0ZIt6dPKF&8k^!t*S{vadZ<e?cI8WDe_H$d^=C|)ryn>ateU|
zgErPSCSpb|6}`<JB^8>p5$`ubMo|(xcl#Ab+?B-(_R*v(x9crU8Ui?&xJ_SAq%A5b
zR2hOLRBKmRGBK!%hs)mPT5@VBnp6kzw7ud^Yqgp&@l%GIXJDyC)vGr%tXMS#y}d=1
z!LqV4&oQ1Bl}F%RQy;_B=(De0<6WMfms8DHj6(;I;>)B&Xfm~{n6M|F9q|(fkQJCx
z?e$i3y|PL!A)0h35G<dOp^6z}7O){jJTf7L`+aZuevY;lyM|9=1zYr8Rb^|+wek1q
zwslp-7GtfBoOxr=+-5e6*|pW3t%6F1<(4+($qwq)XiEkesB6!7TML>>x<u#?BZ?+2
zGOT=eO{T)+Z~*beRp_(N9THuL@mMwKCT{CUoYgnGN%$N_1YV(Z%9)k0q@<*<urDh0
zcw|`uCadX|Qo=w5%9ZpBYHDlFwpRUK<n((v5NA+KF$D#RWz_7=EUH$))@)hG5a5=Y
zotDl15|Jy|mY3@)b%>Aa(rGTMY5t?-C_W-30(F$E7@Ao!GM*70ro(#s%PY#*k}asL
zEo4QpL;4Nk8=zIB8AE4H$-74MeH~q!Tx_Os1`2nAbbw$0s~9Xf(!z%GCs-O4`jr#Z
z(qGsn>~uP8Vf`2YMj+BJ-VEnym)KpI(VdBk_W7+T_xL+KD}C1{5>lGfQpuV&A-Z~M
zYwN27dEGuox8sT|W7W3Rt5PDCHLZ=^hFVTJ@d%kuOYpb5r6|xJ$;G51ds|y2Dfbue
zC<>K(wv|ZG?~*nWA{G)hHZnpXOs0AmT95O>R7$Y=ieUzdgN6?f3SG2goSlAqtzbpE
zl!*5tn~#&4uzRK&&7De{msCZXbYt#~6%_;J#d9!nPgUHpZ<)!0z4A1a%vb?t-Lg^?
zkRHs>xjS8?3mZ;v<V^My!=B?w9-G8pU9d!#F;Zsu>kiyrUf5GDnv`Y^o<yQ4tjnt9
zB!@^jwUw2fEwwCHx~;+$UvT)AG$~N--X*og1-+?y_cL8cqc;DzFQtZo@YH*r6H|3y
zJq!5LUuIxuKUp#2MFtpI*|1ciHx4KzC6*?9bY4<Us3Q1DQdKaloU5O+XMo4%b9cOo
zA3El4YXBl-`9KYQ?i$)$*Bm_t8x?bcg~}A4oQRcbX<XI<h;Kww;-``-T3TFMEIl1}
z5yeT5EF$&2w4_8TYDd*o^ptjXRw#$OMA3mNky@lHLC7rUp-b_0dN=vNS;5(-v;ep{
z5To}ix1?X<`xSL|Hq=QC4^qiW2?CW&FFAXgYFZ102~VR;A}ceo7zugqpoTd1b!*D2
zspu6_)KptrS=OjDn46RkQBv3Qkp(Qxc`kl|!4b(iAd+5QT7b0e7f_=?3<Z5OY%)X%
z(^7~sEX$Xm6**HYT4CHnB_<Kyv5X-3kjc-dUIaB=&8^jyR~HoYYN=_hY-|`ODA(+E
zGo8g6g5Vm8s~6>=GKc0DmzS;OGsJE+k+wTasd9v2Do9emgt96!Q(on!IU2LtlmVTv
zvLCOC@kU3AK^pmaC?)S=@qpP~PA+Mk&N+d-lX~>8a{lk(gD?zF3Vt-P(z!k_9qq<Y
zgfv-By;jYWlvFK=!eA)}&a6C%^@Avfbmf%ko7f;*my4^Z>1q;E{l$K+6dCbPTdf{0
zTT;6q9G$JhM-X5fd4L(BB3c+b$|LPYHG(M2SviW}>P@{T5(*q63qxx%;exw0QS=4e
zXg}nc6F1uQ)Kokmf<3%+ri3$FMSRe=)Y##0$5R_FXJho-a|cd<{qp7OLdLW|G!jse
zY?+CHf$t`oDHBD7x;|7RNlJD`frDEt)sX@Y+SGR940d!NJ|jv@*<r%RNJarCdDIA4
zTa25<<3TcOuK37MuZbScw4NZ{iOUx4E<^it;zRhzZFDKq0Doy`hb$42${-m{(JT$8
z6G)_Zf6PaAuKe<WGxGU$@!koHFb`c9H-e_CI|U0GFRJfzx!(e|#ITY68rnHg`zty$
z__V7TNiLvY)0~adD1;*3ih)k99vFcUfH4D-+~|;$E4n*GUJHhPn~14usvz+JPt*~+
zXzEghG6m2MCKKG$V2&8G2Np`i498g*Z|^4hq(3{gO~a-=N_k)^4*n&6)4Nhd@X{5b
zqB&sO5`M(GHZN8Zs`J*rg775+=#qyIV}QkY3FrUfD?lpPtZw^(1j1fq0!^IJqPcm`
z^W{LDA~#wX2#uUXyq_1AR2$kL&c|{g!5>I%#K()(ILdobWC~n60p<2L=<7T-U=EMo
zA5y7VMP5^oiHVI1byNw1#GC21%i&=%NCTZtFJD4RE9E1KeGJN2kq!5%&*x>c9o7=o
z3m2N$lrL^((uAqP+0b+UH_c6S2_`pPx1N*dz`h?#+VMg-YvlqSbdVB<4z-1&C&C#`
zyYNDI+EOQ%RjX&A7=JaHY(c`k&g1bjoHIohv>R?*C<VejM0)XrzZ;HjRhXsy_!$KF
zwqODjC`DxS!~kRM@%c<|w|S(=Iv`zaf|h>BAJYD<?p~URnzDv(QTKEIvc$s9a^*DO
z(}V^x?yy<oG|d_h!UI@N)UZO>c%qeulM&Jkm^Ud?7C1Tpe64mj*A>AWrXn2uWg{*7
zmt@?8>%?u#CV)hapnuF8&Tsh0l?+0fN4wey{Ad57Sv{0|=KX~~x6dTTEJHgWT|{P>
zShZ^hUB;9-BYv;t93ouuGR`@buiMiC>N~0mWPnQkSg`_yBmRIK^+Bi0(PSHyT#3T4
zfdt)wUh|&=2n@`j_N#C|z76}_j8_s48mhAZS5gLU=Z{GqrXW#Mk`a8^%w?tK*wE75
zUZ(U>u2w7NcMW2ni}NU)XL)?=?Cj<`QLdYT>n!pC#IQFPBN`;#2JQjIJ}<0s;|IY=
zYI?LM+Km8K3|Ili+u-=cRooB)x;q;y&~_(Erto;&7p{~n{-XT_3kq{9I8ukRyR#vg
zYCiKsJ4*hDQOEm8N(f7al(=Sgul;)8H55Rc2M(Pb2Ud(InkhLx%yg-RGgU7FJU6|M
zgU347@aEe7Q^ovuW0J5@AV6p~be>MfLG-Ck>IS5ia=!t=VTmE}o1M;W)(*;O-EIf~
zUqn9sqTRI=^H5Ujb=%s-aajA8P0jz=wgO1U_n95gGW+_w^830Y;WDPwXH6$C?79td
zgx(+YdXSoK3%gV`NQH)K5&9kKWV@okfg9jeHiCfGC>&ErAb6&GwBzrNr%P}=7(~n+
z3`MGpSfKy4w?YHjv$APdGYw^rQrl>N%dKLRt$qNUB&B`57M0m1IM?~c{S6*Nd=~_a
z5)E8ve);Fsyz%#Q%c;f^bi&!sRWE<CDM%3A*{V*n9YJSqR5K(Gybe1Zuq#46b7n!4
z8xHM(i`h2^zc!R$hF0Q-vKF}r5?O+qZvdEIpl%IGi_4VHhyft}JU#jeubwnO6q*O*
z2s$)pq#O=c)Ito6Tsj!Iu-<3Dx}F%tPl#{4@GJb|*f0jj)T|0(kJu(>)MzfmbCIig
zT^<S>yz(-*3Y6_%B46DiJjwxhg6XY-&Ey|V#@$+G(EGPrjyhTLFD2vYxRj?Kgu0-q
zJ%x6M9NS&b+t+B)@+l+<qOD2=j_uivmJaPDTwRCzI7a`SKD3Elx1YX|WRf;OkKt8l
zS#N-3l>^bILjXxN;e$qwmlRY4jUWMl?=dnp=j5F^4Ucr*WN<}}ksfGj0>H2uN-beq
zy`h;EPGDUG6J8E5$Q?}ZwW<(Yu0}Od2pPTZ@E<J)^`6c3D_npdj;!i#V^^U4>Eh74
zCxJq*u&a)Tk+8+_oF5oQ@R$l$Z6kOnP&0wBp0Ztn_|;AqJ*&snt>8Xpp`E_HIGw(O
zI}cn-{KP#=%UGMmocHq>qF5ln1+*MAT&Ybxe5JGMGV_(YFY>?!NK#c$esy9YlSTlp
zl5slTknQ9kI0lFW8V!sEcCxUtG+Eeo4l3i2?yj=EYSp)aoc`oJwlfkXTpW{us{Xoh
zgqEJo{}fh?GTOiTn&^2~*ZU&5R<RCvsL8uV?2iqcqm_Nm>sz=R@s7~@x`pNe*aG%>
zlN#%s9I5vxBYuTGtBctJu6OI{@1p-4*Q7O`9`;*kYt7vX2Q<D$!~XJRH6@U1+iw0^
z!41`>5-M0Uz0LW#-vwGH@Dq9;mgGR!?Y?@|GqLc)Bp8?+t_AjHT@Z+jaLMtCwWTNT
z_i2|tKW({^ry&APQ~0AQ-^g_SpE{7gI!62Smf*zFhX<2Okp@r;s@I~cZ5;yvE}cle
zVb}umJI`0HJAP}!KX3IM`*EyTXfrK-@Ku|dLu!WmkPFbD<6Zm-0kqLJ|DW2Dy}&Tu
zS-p$sKy?5Mvg1<1d=!)KHCO`x092#?uyAl=buRyU5c=mlAa>gKt|dRo7T);GGV#B=
z^uKBur5P`dyGHNbHnZNkz<%Wp)9z3it_b}EpRM6a9=y}??vl6nNcZP(zdR~0>VT$K
zi~q09GmLlJw{#iwIGtQ7-(H_%@3J61K=jVC#Bms^lM7V-D*f=iq`Woit1Z1dc!Ocs
zZ$*mu3gt^pr5!tuANz#J{(ObLo23n`WKgIW(T`jXcEF_msy$S)KkdP43kVYVIUC+L
zv)M<Tq^~)UJM12~$_Qx#`H8*rlbW>uTe@?f;l3I-dgq~^cTO~40e8P|W1I!3*WJr{
z2fS<Y^*K#%479x7&gkwS56|3SUzKjupbn*xL-OuGsm=vU+}`VsT8wh`Yni#+^d_pH
z%^mn|<HQ^H*za{O3e~cq;tvWEsy|Ek^+0WxL%S>(<%rLMQKa_Q@(h1FYH7vg?}yrJ
zm}Fe~H!1Y*GYrs`N9XZVi|>~5z<|`f4=QP0WQi|@whu4V1)TGoVVdXtF)o&+a)Gr6
zoqslu=`)H~>)0@wE~_Vys|ql_4&O#mDF3Vqd`G);VW;_wiE6t{S<UVD$Lh=E7}X>U
z_R$9Ux9X)ov(pEzL(NjKk3u~^Q~c&jw!5P#7HX!up!Va5QG1!tZ()TOA9cip7g=9O
z@Am>^V0ZI=GfCz~L>b-n<Pj91iD)ou43rVkH$XsFS@pkg|KFaZhOsWs3dJ&Q2qxG4
zT^NWBJ*`YE-@1;jZs7xMk+i+!e0D7J_3-7&{#a$k>a9XG1f$w~al_$q$dBaX?gO}C
zQ<b9FH>ashmy_bR*g}7mHOg6(jJ>vQh~vX)4P8S3^pq>F;$BweT79#h4QrX(`3Ckv
z?J)QXP-{)oIx7>bN)OKQmo}LgzINvMSV2QrH{aa6;rrLprZJSO+f1f#6@Ay=@(Xh>
zpW|Ow@%cba|I*C1Y}IjEQexhDPrKvbO?Wx<T3l(nrAF(1UqAPINCUA<4jr4z;aXg#
zAsIVI=TR@aD(6Qq7c!23!%>fIhTF+}1U7cx7Nta?ZD75#P%^0F#efrD@^LxIuE)8t
zwK<=EL{FbZT%jTj)J(E_kS1%RhFpeblW_+&;4e|)u=T6CFa!>7gLyz*m&>uPDka&D
zu12-ri@^EY9kyRdQ}H%mMSo{$V^dy0e*JV?mIXshK&|z<B7y(U+ZxtKB!Q8`Z;|T_
zhkKPoFFh}+b`=RYpm4E6k&qZu?w?g0KnJAr@9&S-L~MeVk}Lr`3(hfAur?MioQ?di
zA`oen`R_ypvCcfZj%*N>FXeejQ|t}@p>fKVukWM2Rmq~A-t%z2&WD-<X*pSJ<Ky^i
zX2$?H@+?HeESK|POwo=EZ3}8ge<EppsE~6ad+V)_kz9?J!=T<Z;qTg){{RJh^WUMd
z-6ELJ_*$(@kYuT(NuVGV=!~^)Izhc$!lo;(O`1t5&AbB`r)NHrYed1xixPOJOiYeV
z%%HUX>}{ClX%=0lJORY8AQ_}*p0#R&BdQcXR_^Be=@h-oipAjk2TyM-i@m7Xq%7{n
zlniI8PedP+<DaMTPUe4D!;czc{Tx2@FzsUaynpB`X-XPT87rj6z=W{8QkkuVhuN{o
z4rt|+#uwHlrCwS4zDU2XnnO(CiR1dqu&$zIui@32!V5hoS<Uay6*sDChzK2>4c#%4
zV1KD0W8s&ZST0(BnUWw!LCxj&-JP2{#S`d0vs4Inlg%j-9bzS>CNTKp^_*#wSB()Q
zr64ma>nS#3%qiE9lYDu?+N1}9_?}ynX3%(%iQDt(frBYfZ7+<>N!w&c&aYW3vNP2{
z<~nysIA0w&HiT17lM+!dX^Y3dqf_x3R@unPWS2EeI04GvW0@K5tLHpXSYDukSvdMo
zFK@a7ipMiw9Ve1sJeVgAZx_EwtV9s-vh)oI-})N0u<pRpgbQQ_`L$m^%yMKTEWp<s
z)oRz%xP3k!TBpX%)_fXE@CPc2M$NdD$adkd;X>8DZry}FY;I(f%&ZWkHF=Dm_K+>#
ztu;gH0gmHq1Mp6>3xv~L!Y|2UhgWdev9^bUJqf+qWJF#(Kc8ojJx=k;Wfes*aP%cD
zH+&1#5THIsA`py*k!G%3C&%-<*`7>j1DR!Rj$61-ZGuYCuqT?JIwnE@4te50xPoN~
z9nhe<*Tw?-t7SWAID0?>O+r=kr<9e8!}g`q^c;8vEo_$1u-oI)k~+A#LCGL`lu(OM
z-t<nBJGiaq`*jhg%6b50{R8y@ZCv1)8iaDR|NHUsO7DX~l)>e?U%f1<F0&Fz)r!=$
zGBaGAwacJh?P}GOBz&zNujk2Z4D-3W)|gq(rB=_;!U?>*zBdcL<wfNfCz?5NGy5)2
zfv}j6doT}Shf-Bt;Rx86O#t_HHmPDS3tZSELPy7wg7(LWJRg_ii{D<gFp2uYkh1^#
zyIPWr+l)Lf4o=zB^LEI~LpS;gnm`;sCI)8PRBTrNe(YXe`?rII%`Eajly;tf{})0}
zbyp8v3(Km#V__B&5Z}2bPNtiMtgEv--_QN?PVWJuH^opLTc3Y@cAn;i9Z+f!yOo4s
zaaj)obN0c+)I;mu?_<-JaM4iHl%-Fgwxy51{M38ylK=PNXwg{k(QUWhKrU{6NTAZ5
z5_V?yOV`oaojjK+EbO6;fe#)hPj^mzaitiix0lOsF4f3D9S3BZ9QFTE!Lj|Ntm6M6
zm?wIT>phG(i5bw|qi5-vK7_zkt^(AjAN?=P>SnnMIz%j-T?n%1{NY(ksZd7c(jjM*
zp(CZmLTX*`bV1ReHnRjOsK!VI>vqm6AQ6Z0G%1AWFP4hi8W3ED54f~h<jR&R%AX~#
z(L=jzT*<Ptn>ADQ&GA#D>1o@P60FG*@^q>!NKl4}ztmJIpqa2TQfO7609Esl7Rg+I
z^3!2DOS3T@B@H_LCQ6Y7gHuM#$bRX>7~%cwCyoO`+z8@ArAVYI(F6rR+c@Q6XeSYd
zf$1`Osvbf1jI63SsZ-`i^L4@p4j6?rUpLup;OIXrtqIaIooTv+^BwTwJF_2G?6-1V
zhZ(LT)W)Gz>u6r>xT$g_hmFk4%nrf`OtYV~ecvbHZKps)fdu)_Gc+6lo4Dz+GIDdK
zmNIy`VE+_((4>d>>V??O;foJw3G(L*w0Z)3$?!5UaN9l#&_D$P#+C>Utn>2&T>;M9
zi`_k~CZ-S}Ffnux_mW1?1{3#7<03iPV~O{p-(7?jFC0P#-X)eBIDAi5fwd`ugL#ud
zbcT;$OB59?m;g&46^w+B?>#m|=5Jnwq=^&fm&cE$;Kz<Ic@kyF_7y=r0gGi9fH>6-
zbgPHK<N?(OCYKpQoISYG=ZJ_%f-#c(#%{FRz|npP=5?xBXG(R_``WEu%9!>?(X@%c
zQ};YGH%*X^?)b1|t1qF9H=8tZq%D-F+g+eafuflzaq#eSz9SQh4306nPye9>3{!J*
z`~A({2ugEh2h;F~glFvAj2=CsjUVe!rGjJvs7MSUGDPZ`kUX<9J<ir_#iRF2$jGn(
z-w3pHNgTssLs}1^w|K_31I8CMY`nM6K^;L{Lw^wD$GodI0ER}T%?ALTO&-j92>C+I
zh7;FOg`@jod(KRmg`4NqqjA^8AmfCB+DdVz?~L5)wa(~teDq^U5bK8u!qL-?KmyuD
zK~^kf!YGl!wTwhK1&Kt_$N$Fbf1A#u2F5r8rayJ@SQ0@l+azOB6lh?-h>HK6QV8j-
zJ}<ugulT%gi|ilmgrLAHdF0;G`Y0w@4xWsi5pTsn6UXDrc!MZOjj{?=q=o4K0%b$D
zf<T%u!4pT3q@ElB(oB`o9(4dOgn>&>kQE`)RMk!HjlqgC1KsQl)-^L)<i7Xdk~39N
zQ;7)iNflEUlk_^|APi5GAk_?t8s*|8#@2N4lI)%w)xrf&*Quuy)${%11IdgeX%pJh
zQb&9fr9}F;-Ie2H=ilYGk~bMS86SV7Dv_If1}TDJOV5xVT|#I)Dj05+qlNki7C~!k
zG54=aV&dx=uTx?+if+T33nMx>NMuy!NSqCzoF0t>Bcy{JKiA@FTTuf^I}J0(5vi^3
z6rw^(U$IaP5g`aNzQ+u);DH3h$(y#cVp&u=aL7~n$Aq)fM$5RCzhACGbm;Kcf898S
zKVd0L2FS<4)JUPSCPDG=`}+^HjXsG;P?VMQG^f#v&|vBeqJ}%ZyQ^l@H1nwpfmEC*
zyiQ@QxqJ#J5+;1=?8#HN3y%G9Fdn^|wZ(SSsgoaYWoR<E%NrALY6eq3c0ys6hJ%MN
zvob96$us%dt7y5e{TM==Abql~{9^$=E*1S7O}s#W01ZkKNExaG^jU~U*u(;h>y2GC
zmcNtTC|<=%h87GII$s)1A~h@Qhx<AD2Odw>tI{gwx)~cOnXQdJ(tIV8m9lLmvv`di
zW6FYaT{yE4+Ij{I6WcyF_pOW)tca?S<HN#g-~w`9^pPudp3B&g+_5x_jF9enW)X|K
z)y+cmK>)yJxIqL;Gqb#UyS!3L{Kt|hTb459+fc7Vijpk$nLiJZWJoi1f@C;+%sf}e
zVa%#TZZ@!(DUp1CA@V^5%BU77v%~sMuhV+pWe=zOAL^dhxeZ`Sz*R;fe_rpXV#~Fi
zTB$*oCLg9Gf^|&g`Ju_*@?aym0P^J3ve4GEO~`m<Wm2{k3W>uLjwZn|8q<SGpc1M2
zDkiFC{t{M1G*$D=X{F9Qf15=~YK02Y<9SpfX2g(a$oP8<u$3m&BuJ7}Xm8F5tVp>H
z9%p{YrJV<A;7h=$EqGts(s5??6PYu@n($0pZ-wLtX$W$=lkw6ooG)854}*#1(uNaD
z0f<#>TzI^fG6`XJn#3?6uU@}mtZR$uu?s;adYU>emrDqGZsyZq(3o@5;C*GvjEa@4
zlv<;`3*t@4&=Dt4WT6sRTyDH4F=(g8_yl?3gGa5D{?LpEK3t5TJ2_O$rk3t%7fTmR
zwjksQR8K<?E`(SG&Tm?7_|{ZXJPn?ztgkLAxKGmD5p>8P?$@qDB5yBFTZ5i_<QMw3
zU#G-^PE}!<F|;(?dNLF#7OU$FmD=^|(8T&@Pn&;svP;Fv{{etagmnb)A>zfmM$Mk~
z&$w1vS2JHy=kv`KXW%A<;!e}KZ11b7<VYdV6rk)FE<#5aFFLgXyB*he1$Ez+ghax5
z7cSsxowA;^ijR{IQuWMQOK)#sSy1}(=!A*Lf8xlNek0o9@b<Rz&=#OT(mM8RnN=Q3
z&d`;sxUx)O(gbp#X&#@nGpI69T`>5KGMxWbUs2sB1ZufjIQlY<RPVMo!Mci>0ueGr
zn_=QMlHYH2!{Oc8RiZI5zbg~-HZ<LFjQ&aV3nNyxxv{Wiz{F&{toAq4qePi#?9gJR
z11n8UbJ=zb9n7LR5WYPsG3c&suI!kkEIQW5Qz5&-$*#Y5roqGAgkZ@s@lB;tWm(BW
zsd-t9rp+KfR!A^NmRn!gRIx8hWDW(#msU?THLX$zH<p!EE!dQ^S4JL`h!Zo*wVAsO
zs3B0ky}1ODx_(}^8+ZEq4B*QO3M9=TtBi8_VnR}-`XXQel3ko{2L;ou+?-q0u2^Hs
zunzBk&-~L&pE7I!onmR(;@Y1nq~iE_PnLeWpF9P2Mdg4J7nuWdvI&+;dl}I%vJ4Gi
z;s#z>^hhh{F44=@$jjDxL{}(Capy+URn*#Aopozcq#WGobGVqyU=1gqY5{|!%rl*8
zYh7DYX#~I1>wTX`k`y_ufh*l^ZmVk9HDR!v^i5NwKtaUjZUde}lkS)BP7*qTQ|8PY
zG(FmO{}Ma>iOdR{wXJb|F)I?1$;83QXc%hk@gUGEx4#YeachrQN-kDWRTaZE=G5GR
zhkM09IWf@CEa{xENkRw?Zi-$7)y_}@lVHn?eIbM8ygbLwauIjx3E#a~cu1lw6sogl
zz^uxoJdaah(>FX{*C%iHxyYi;p<IOk@E0uk_vBE<h3c@={YDUQc7?K{)zh1V*5i2B
zFoM2ThgE^1TowjKhNeU0`}OwfI{%0nR$sVkQ?0D-fj)+dx%;nYYtlj_GQ{4!GrO~G
zs@x+^0!0I-oxc&GB=yG6==ibdVB$of({$_~dn+5&)H)`QXweEgW{c<FHVajy;7$!o
z2JFdl#e(E|0i+%l{0Cav&&p}*?kZPH2qFwgMCkl}KTWO9)9=9#t{H52PSL$dteMA-
zq0H>GNI@Dw`g1ta<>qS~Sg<B#lPq5luXzJ{kH+BYf=VEn9gCpjcLpy|BE!OZ$Jb3w
zOS=pb4z^FVnmS@eww8;q&s~8k)~joqpnG-;)8F^|elslyrLPa+`CFrj*n8=2`Pf&f
zJ^b89&+Ue2yoBlQ?t;bY6&4H@1%4;vf!+0{8gYS>=wZZ|n&zG{ilU{D<S4hP<H$JB
z$pLO`ULv?V&8>PKpxzdaW~amd7QDW%L;?QBIUSx%{{9~PfAvYYaIMKm@*hd4K$A;o
zijyrh0!2-svrQPF%i95FJ+yXF5)BQ%jXZde+Cp9qW_|Bmp|Agb<kyrWvW%4ZppdiZ
z7mW?8{wxG>i2s6m46f9p^h==UvDirrB}K~p60q8Sj&3LUzi*YL8AQWa4`Vg!3lq=j
z>a%1B2HwtZH)Oc90gw$dJB5rHC?_S_bG#kR<`0FiuN)!@0kr@?XE?IXz4yGi*?mvu
z*2*AJ+7H62gt@F$eSt3=6BeBKJC(U|1HA>?0WF!SLRD-KGoU)m<^e_1_9Ic4v@*mA
zwZPi12&^@IU<0&3pUn}U4guc+wr@5+#@}&hvWG7DQ_zc|U^vLL!{!tmB@kV0EW5`k
z6ij}E+|ba63^Q>X{?*jR7`H%xGQ|efDvg&ZVV<Ak#I1Yo_t1@g|9zj!rO5?GCCG3A
zv!Q4XK`5*S475A#0ckXN=~wHk+XO%tC1vnn%IIID3Xx@sWgjS<NZ@V2fuLv-EC}Em
z>PGDt?*P6Q!HIw&moLvq5VdK$bFJdemo)Q^?N(6A{5?f>Q4UuA)A)dLb6oDI@+U5s
zm(MdL0ce@P7`_8zJd%QhS*5K4aiKOboMU>l)ZJjs_fc~v_KuP|;N&rV!``c#i2waw
z`tt0zVrG&5L`fh^QU`M)1I@9bPizF`ft+r{|Go#FecaLab>xo=8=UOd8S0e?fZz)w
z767kxVP_x&@(|Sz%`OB&w-GsJwrr<9O};;vq!{wSrgDKmnVc*aX`!p)g;AF~lc?#6
z!>cLrfBuRW@2RktCUEcZPyMC)Ut!jV3X&HW+<;+SlIFk*_;>m_xN?_Q$vu2XLnQjT
z`sSuSAED4AL40<n&*AJk8LPTvM<+z1XMXZTBx(PUqHg}De?bFbdd>^})>;LEFu8P&
zvbEoX+!od#HE)j5!Kk$9BaXshs7UAq+>duJK~q%uaKo;3t_eXuUa#cyx}52VpCXDD
z9kqswO{?Ga_B8KvdM4k3H{orgq_sX@>8j7?JI3k}-C9_qQss|wqX(VH9+GX%3wQ_N
zvHI%!<z)zN%y;wlRhQ4b+m<5cxY2n8`sUlIy@ve<0}@4gL2Y+mc<a6D%9f{J?KO%h
zAd#663w|VE-uka=Rj^^>P0#N^m49dbwazIw7B0T_K4hOWzo<d=&d0tB0{(^|>7gRq
zTy9SjMga2u32eF3?guFtGU%PkSzO-q;JT%2047SAUH325*YzpDYg0Wx76XQbsHVug
zjDy3c)xSZbSBdL?n@a^D{nkSJ8;<vDy_kh^OP41!NKk@6bXzgR5v?!XyTFq1s#K^-
zbg+eaF4OFc#&dqobBfLRd9<q)q$JH3)J+`hXE8Q#Ao})Szgg<y-Ce3HQA})*i%s?X
zQ@so~F+`{P{(|6>QvR@!X?;f0geD}4?OeK~xT-g3+pnRZ?l7-3y>Q7<RFn6QZ|c|D
z#iEZfC8cW%+l#Ey|EEcg6}W~14qPgcQVVgTCH0~$;6)oBecM@~cVNATx1<Xk1Xe9;
zG4of4LFIEZ>hl3jP#L?j%)XrTJp~oi=i}UG+$X^0Cb}1llw39$-D^CWHvRv!Y5#~2
zJZLFP4u`Oyc%%Pn&^r9E0|2s@Cw==a2ryV73-?mR29h53)DU21z%AB3pY^>EVCq;T
z@IFdZjP}CjdN+CV-gmWhU#foUUDW;;G5?1-;ehlea$vNs8p`z7MKFaB)I(mU%KML0
z^<FpAo0HhQ35pHswWwR8PNJAI?YU*^t)BXm?hVzlE~B6Guj9VGV26fCyf^l6dsAJM
zUw5r9(3h?Ke6s7ggAV8G+MrA}`u9j117A*%jn#QGj(_<l$HkC=o9rgj=2?RcX6W?2
zJY8YxeY*bNE4?p5`228SP>EAo2@7{g3KDk<B?Lvtddk+=o>I{v0luffnG{>ijJq0w
zABt*-4=S*LN8z`du4r>@wXtBf7pI5oDbV&KsMuXtR2(9yH`7I-4_bid?M^(?vVQ81
z*#=0b$uP4u+uc~)*wm&vP1Nn1&|7k*a9m+`wqcMU<T{c>(c;$Nwpd|dUU2zvgL~lS
zQrp>D-`RyH7MLmJZCZU?x}iXcgq6487T0BB`@k>ZY`jlQ(MOTAgr>%_u50{)%?osW
zx}2WgzLNQJ!b3(^a~I%`tav4?`I$w0J84Usr~F@gLtSit(~$whPSjZE75|6HkUK>N
zscNN*D;B2bQq$9f=&CMEYc^sgSh6IsVV(DT-R^Zom)`}LUGGH{5cYP9QbpC8ioz=B
zRXu~A>e9zRBAl3F8;mtQ$f!=m!OTu9W*zsKD$cECL7nv)7Sk1CP(bh`opm*{lqLdr
zT?P!JLm-XkRS&T%(rc8>Zt`e#*K`;f-^aHqR_|`cOX9NfPTNIewpS}g13&TghD&bQ
zW-q0J*XFybyk{6UY73~kpuVTI#@`%jw7@Tre4&N)v@I=dxV!yQL^<}JbYA3fGPHds
zsFfw3G%`ikjOoxDKArdzj^IaHo~^x|y^-R5|8VOBVEzg|HeE;9)@GUfUPHv~=bYiZ
z!umIt^G#aqExT8Chsrm#A_!l{C^GZF%sq;nt!|BwNcg?iitS^8de77Sfi0_20<4eP
z9^X{o{+o!}TkX%+R<pqZ6q-D6cLgQ(r^869nq1(30D+qI^w;an<+3EfTbv|)EsjC8
zit^uXqAnB~V(ZBN>v_4qA+8q`FT#igFvbX#16I>1n4AGRp&dPgHj!0%Mns&Xaui{T
zl?rRIirGjNDcet@Q4Vf;WkDL!vIII7gfyW#UmlFh6T*|wL!6-F0S}x{36hV4g`eXX
zqBa^XzfTF$FbEV#mk6XjLhQLtFOwY_4}b<iT90GN3EU453OqDH!RZfI`Ci1q=m?>7
ztHFQ-Oq*QaE;XEunI;W9MJMK(IkC*$;!b9Mvxk}G<o!1~%l7wOjlWDCu*{}jpkyiV
z105kSMX9n*4VF%?V9~5Iy~NMai4#~=r-vh70A1<!vRYCDz3PBuGcYTv)ZPyrgBjVc
zDU5;mdKf)gq^lq>0d?3<UoJSB5g*BN?NeY!?Q|`ak_fKF4z&-Nx={=yCIlneb1$FJ
z724z5KL+g%uEaT<-X%61Hl|G358h2TI9v_#Vs;EF;zI^1G&b*Q^6tKXNugpwnnDfG
zE@6+2I80R6FE<wW5P^jC1!4mXr&*8O3E~MOW&}ntL>eH72B{xB5&?w?Vfn8wKp!&`
zFm!z!Il+SUx?Lt7{)IQ|$#R8i?)$uuUl#<dDN&#-kTQc&z^r>gT`(4t4yqQ$6}XDV
zM1V)e>U!7E3{+n4D*6PH@GOXUs*0YRA0uyKKY#;U5*VHP(vleQf+<g8L<}f_Y^awN
zD_1OpAAmX_17>)|^LQ$NhmDKjvCSL<a-C$T_qP|kNij=v6bCOqrZ}MRQ?v(mv_JJ<
z8{?xOP-@tC7GZ4&yyV9C{r-IrdmLqO9S%vF#nq~s+%#_!4iTF7fhnXO!F5_W7MyGO
zr@an_t{kw#yxg)8z=Nc_@D4vH7hFbYboD$0ECVF<R6y(CgeW^jCnJjJbd2006>H4>
zVlguedXTaq4j_v_F>XvLEUau{kiE}BG-P|q|C_rtMD>aEKzN%Tg<5-V2JS@(LX+r)
z@pZf1JWR;)N6WI@{`GBa`0je|&%M=cWukOBo-QBBRX;SYU-9tv=7~;@W5;#!I*-H9
z>qGG5X;p4_+iJ?AGG#-rB_bU{QulJ-Yy7!uF8JK5r6CxzTn;Dh>S70&*`)Jc@ZB9_
z{h0VT#OYV8N@>og4`pZe?MV8!0}yitRLae!XRmg;pn&<!GoBqxl=%3+=SN3wS+9FI
zTc9cW4<{9SIqm0hs1XE2(dO4Y9xh#yQLFLJo&}I`o@KxHSIlrx$2&z^=Jq~32nMXn
z>^3!Z?QCPAH2?rsh>{|LD$f%W69!1><kr~Og2GiXk`N!f2Oy$q1NvCqk8|nd@x6cU
zw5ZEEWUgn2W$0twq6YwhjW_ta7iL5oFerfu;}ch7{CzwvGNw=1tu|Y_>Y(yJK4fe@
zXQLyDBQ9iP`)Mt2Hd~d+0#-E0PrU7pKc^{Ap7y{7%!#xcJvD8b^ugmShguN(6lvUR
zb+TL_siVN&U9L)O;}$e=FnJw*=>>ZacW)Uw(XTw|*!nqoWK*3nhZWvye7($oRM-fi
zQK&Ecp7!B4vzhXDGQ=NDDd@$SR@`ql<)%l3MDRTA9w&=326Nc<wk!ABbmmdxRVa*)
z74Jvl>~%ZYaOO`sk=<o&ZJM*8&}6`I*=u$@^&YT2;(qfb8TlBo3e?k7j>DX99~aEb
zy*S;4<5rh%_O?~~NrJR<%-mkDqdg})cj0?qy-CUKu9r>FM|q#QW4l)=FZw+0m;XrN
zH;F!IM2o+>jJ?Hb{al>cpc>eSCW;&{Tc2+$l8HgPZG1oyaPs8MAY6C8_AXaRf}_v)
z@L8_+EUAoP_V~O%2V|(=L+mvx1wP*RxlY^vzpmaXSeR&Q5<IqT+qP}nw(avB+qP}n
zwr$(?+}nT8bjQ>~MN~ahtQ~ttuFR$SnIMO^O*fNLTk+d3i)sElYwF^D>rqr6m<&zh
z|2$rrIFSiy@Y`E$m7)X1w8ZRkxEjbNmqNz;JqY48eV#6YX4j$ln62H6_Ps8`9@2Kl
zTYOjo7Jgb8)nZIyaQs_5b00;zXOb{pbA7$7sH4N;^m;oTDfmF?9?VY*i*9!NlHVNh
z=lK0l;^@;fJe}YHNFWw0UAf!YEjm_CiukvbkwQ78v>Nbtc4U3?#ka0b4G5px`QPDg
z=22c0B)zxzeCyh?Bmu_4K2k(y;&r<3*S9XU<@OKR#92dk9#7(1!@Ga4S<1UK)^7<#
zyj}%sJ=y&am6I4BE=J{lry<zJpE>sU*6Lnn`2O!3qJ8bR{{H6dtc-tUd%2pEsOf{1
zJ6m4UD+)k>cj+W^HhXumdr(Ii;Cue+@=|EQLVPiY`WQdY+bJa!crgPshEoIX@Rdva
ze=n5t{Cfock2P{ZC0Qx|FK6DP0K$G8h+nFx-1|)OeMx$w%j;ZVznXBj-y<98Ah!wd
z7(RnQj%LLYZJ}Y>^S2zQOOwoDiz3I!%gb>p*7RbuH1Od{6_X@vmH7F&!!6|s<Ky-9
z9Z#{dU|3X^E|c4JB3WGcXYS)v*{>Y_R4dLbM{|<#)&)#d(wdmm<^6D3V;R=kARPJ>
zOaHDQ^Hcc)#L4v9Yi!>VepJTC>FvBow}8=X8iH+J3$yuCA>v{O7Hx7lavac5VS!~A
zb$jJXOFj;S$^1R?@Z>&5CPs$t^B|Hs%yL;NoNHh$4^E0?^!Tw_K`BpDRetmNTVOVI
zGeuta)^Q*B+G%z7e8kKyMwC%KW{8`opE|h$c{aSvBymKPx@N=FzAsbRd{}|4KDQlU
z^6(tU9ZwVQ4d30OEZFY#)?jMrIH7#L-I9`5FW>nTw&zusi`(tvZ((P+kY!-Iw-Ng^
zJJ-=rWy_V15<<rDKDt2Wcl?f?hR=hS8Q0LM?YdjB@FBDjx63{L9Q%869TQ;L)!kdA
zEQx)NO$kx?k~nyx9Y=lHN&Wbg2L5BKt2H*CjJ|l(4iqwxkOu9m7Bzwy*o*`5eZlSS
zU#I=BfBEs`jz>T8pT}2*q9^xIGe{uM9wi&>UgyKd9ZY`1tynw9Rd#%m-k;m86U?iY
z-iHoP>u8dljuy6d7H-xn6N$=}l<Ea-c6xZ3N0ynE!Rh&Q*>d~ei37X0>;59fDAU;q
z)wQ=}2=X!VQgk0wE>|B%r%BY<VJD~@raL{HCa(e5cqZr|_{yEz6dwk<xH6j^cbm9O
z7gUgVbTr#rpRwAS!e;C3(>So5T$CN1qRLe19OO3p>0ni*-N8X09&kz-AK$lIu++Py
zsUOF2T_Gi=yfbyHE7IT(fm%6b#wGu&?HfXG0xA{O@ArGPyK9BL^=ebQjH>EAD+IZ@
z=`iC2QE>$-^^0XEHA07rPugw;;YT^RY0+jgVA@unhrt&@_f~Id<w?FajB&f2zf(Qh
zlg*xA&FS%1+?~Q`>+Q=RAI@&qMv}=;sbqLKetvuyPBX!f2k^UFIa&Vq=kJ>egoYN$
zytlbrF7LUl$xxr!21@7}nVE2Up4>M>CAWGfMD2R;;uX|^iC*NiTRyz3%m(j6gtK0P
z6POPpD@}WMV>ip=+hryacV0a80Of`JM2^whoOT!U$*8N1U1DM}JRTg$dC`>Y@9}jT
zmfUe>l1`{ahdmL7DC=w9dF7BU*S~|J-vdqgNTG09Z5&G+P3ubK2qtxTy>>>snp#_R
zg`uJ*yK3zw&eG-~m5XeQ7SSgEARL-HuAY?H|1V9v7S#XwX;8jn%(`;ngX})Hi`l@f
zi|pGr%hPyqX*B}kLv-2J5eVwz^}ZU?r-PY|bMbX!es<%iM2M=}sEPZ_&`J|&6U^VP
zY89SKuh(tu*m(+$uj9p%H$|GJ>!$%11KOi@mB^o|Weqo66t5Rk%)FW~Fa{l^7UfEb
zaCGmHoJM<O2SAcXeot*>atxkk4@0+klls7{{#CS5J$DmP_S9iwV>w~<W++yRS6_?!
z*s(JpLWkY9m5OHT5Xv3!I$c1jjgv83fN(A6oe5xypwKC(XrWp$k|6ySmZmcW+-3)-
z5p>}(eiA2ybK%T=iaU$398#@^PnRGYTr;&RLx}#^S<_nLS+#>7yZ;gCRT3|N{_5s_
zb9r%VyL60Xso2phQ^~5rK)DU|?%;0kUZ$BUbxLKTw0UX7Hm^uv1UT)XGC)JM6k&lr
zmzPz)UOhECk?<QA>+fjKSH6-F%yBm1%#N0-1I=ulm)kX^a9$+=s?T!ZPCui8c69MP
zy*@we#34_hP+ty#bWm`Tq5pTNeg;-eU<b1!NN}%pmHZS}t9O~z%AFJBUaOY@v%Iom
zvO{OjbEJ>+b10R!a)IUVadYi!9imk-f1yeQ)g{y7t^Iaus~cnG$0S~z8omS=$Di=1
zMTRFgLqkh5v(e+imnW28`3!~^Q(j@Yy|mS1uB}Z9t#9yP>XNwBfCGwau?!gE(T^=@
z#sHl6LItujlO${-nh)vKg^;+l+4A9`MUv$B5TY?|{U)#?dpJ-+&)3Jwxaxn!URL|H
zq~Mrf8jh+9Hev8*>`wDW@&$2+YBQ10(-kolC%@y-Tn}R>pm-JIgC(iE^bd1GZ(<ZZ
z{acESIWLwI_f~}MOdIF(ehK>C?P;S7e<$Mw{QFmgi*xnQV$&`!R|^K^-iHfTOejZ6
zCjZfUH9Gh<b%J9)f*xnCyenX^aD9iPTchG&xaO>mN5i3`^y^j!+fl&E6LXXp4*#_a
z-S*Xh2lh_Sx>k35ct8Te=ZNqxaHiKl*Xd)3;Zx6J4yaO|2x-aknGU*$_}cZ$C}V%|
zzZgx&wSydIm)*;)Ua^vxcx&p<5+}xumlo+|sDWB1Jw6xvOk4cXqwVdbC5x&v`222z
z<4SmsdvqEGhNp>U<IGmYK7II5UKKL9PR0o|9)oTkx2X7kYO{J}LD+7Rq``zFTib!u
zdK@=s60}R>AC?XbU{Z1lVWmTad?qd_!MZhgsfJDN1#~?1h+&~AGN#e@$t^PlbZJKe
zlEJjgs}ThLL4by6G>}xrhvX6OmJ@AZeK)mdz}o!-_f`;qz3Q%OcD8_}Lg5M#wrmvA
z6&)-3+`6>FM17P7Au$SzrU~s2--W@92uV{om-?6D$b@Jm1YI9dCR0$So`&o!Sspqg
zZi|jLT@^Dr-w1mMq%jm5JOtw?ni3x}b$p%}>BNW2yI&xHfn*5*LSqt;sS5y6K(4=`
z&Ikl0!WL~MTX2g(8<2##-P!4d$cHt1-2F7v_dP=Yd-V5y_V+FC&*fZo_fSlW7f134
zx;4I&_w$|ido=g^(f51$KH?o0cBVU0V$>eeuCxR+3{;;QU0L}sp~9s~pr)EEtcJM5
zh5I=20EEYi1&uoHlcEEIa5x@qB}z()30=Bh0}M%7#KPKY3BA&R1^^}!2Z~P4?CBa4
zLx2`m0AfxCbPz2-mgYpMfGmqTacrc<gCa9f$PFic25I60=Ob4fm7+RmLxl((niR6V
z95nU!;!kko{~9(|$A^)v^9tNuuAG3!f*8h$wGUj<*<eAF0;SLUvEcu`@t@Vr`F(6D
ztJ}TBa2Z(=Rq}_m#R?H7olR5@(?E$mL}i0f`7$!ms|*Dqgu){)SbzmCB<TMz3qAh5
z$@}y8UK#!cvqn^=C{jCRj3>^7frib?rZc$(SlCz`l-j(F*$||wJ?9Wr0jU&5%gQjT
z;NIO?n+nOK0umQhxV&#x^i^YcK2Fwz5yx6omM=t;A8)&vlR!!_#tV#z0i7<7*Yuwt
zte1CVpvQ?dae6qvzwrM(WhTUtp$$kpv&MrHsR!^6kS|DRFjmB)tCee8vC;&Cb~+K^
z(9}<=qyS+kc;teRARjo3OvTg-s{dmn+7mv4EaCyC9(V~4@5a6jCRen+#Hs=nXn6=U
zKyDnb5aF6KU{Je^Zg5*@|Aqo|aZi;%rm7OzP~p)Qz!fD+g!({<1)C)cEOh2Dm~XIb
z-#X*_?fcu)|3010p;7m|zQ+U20_dYfgBOOvAq)arqDl}g05FFCq{`CUqPe%7^(*oI
zKMa-&2>UYVKyeajD(-qme`YGw$Py|@H111Ix0AyN+Wm%evw#}?!IDq{>EyxkZF&s-
z7NoIxR~H<+3PS`-e3-=RTW}ri>HKtqyD8(Ax2r4WWWs?(+%!D>*~H?tt&igbS*@qT
zy(~Dw{4qFMXd6}Pu&`F1em8mb#;-{_EY52-_lrnv*SA_)dUm+Z?_uFYl7D%#*9d(e
zNW;>Gzp*U<Ct?(m1TSaAU|8<=@hI%qW$t!pMimAKV}i)b$G`-w#%~UUz>89yz1O`w
zD;r|8iGwTXAfx+j;l$5$ECB8FF>mhGG{Pky9XUpX&|0)04d2H(Emk;&B+&#+dz_3O
zX8Usp9iC$}wykw_FqEi3AwC8yaKdMr?K_P+E-8M4<N?0NwOCFDQVhAiB|1GK=jYo)
zW*bb5DXGDNOrAth6e!j8`BuCPtdhI!=4KhmXaVG2Mgda@&hz@WC24JJ$wY`wn)7}j
z?#&vq?<23z`&w4Wk4u{%U8@!UVxBAs!GbVYgXZ-*sEPdZW~VFG?F!^T1IB3`hw0#9
zM>;ME_0OR^DL_6N9v+QK%Y|m`rdMHYR_o7VFYK(=qYy+>_UrF;$u~-!|Lf-DfF{!3
zDNt%>VTXGPqr!nl*tBs%@ay3zjb_*8?6(bmEkbC(f+vSiIo%}tY?>T>wEH7Ahr4Sg
zrNe>*lzSAz29MYM?C?Xg`!mRQW`5zVHWzQUa(8cMu*3vkm&ehIr1x&dR}7FAsOl1w
zCybt;EQkEh$!$FAlJ|L*4Rr`#c5s%fAznKibk65f9K7#DBMhu{HU-k-A)Y>Sz_axB
z?_@N%yYy&&ca$g*1WA>~U}N;o*T=2?V_$n_MTju%(D^^IQD~U!JFO}%DT7C~{9_Cs
zw|?jSyU9-lGn(i~r=YR)XGd6@BqHSRi=F(1_pW=Z;=Y|H%GjOX|9r>SrA|^JsKkG~
zxX}|xYV_qJPyS=%bVwU}YUJ9724)KDUFP|+WQkbtHA@_>Wkuq!bpoD#d&LFsf)(nh
zwnU!qLt141d-T_Am5Vry?Dp>?%5SN5C<lrycM`2>LQfyyaD0IKtWN$j|Cuw3@Xq%y
zEKIg}@8_G{w-!XC(SykSD`2Mv%8&+WXd#^ljrJVlW9E*I#Prks)#b^8gH2y#Lc~Co
z6usHk>$j5|EP%Ymd@o=ZOOgX8KsMZk>ESjc&R#RW`LhEUis<1s2>-e!_V2qbkDgpn
z*8A#~J&rXcB(OmQYF7zErSNZ?96dBu*tD}09?m5}slX$4+{hUe=W)76y06dL_bvz@
zlasQG9!incrZLKsCNH~}+Is8DE-oM$Mu+b&Bx&tYE-pb$Vwdadp##wzP=3$zd8ekZ
z|L^;V(;mvCQ@;b|5|un;(enT5KMH}cSydIQ2IWYt5F{^7eC${s-Y-TUWF;!lvaUT$
zSc(TF8ANjuV!Oo5)RQ=tq|%r>Q!*^$-0X~HQt{l{KJI3RlULMiks~xKR+cPnFV)TX
zUa6Z6&G^>pNsUR2c0lLRfl7mllbLInVub>PWfFTG$$-&@^B0C%XyV{JiuAAOaY6`T
z7F8t+0fF~!e;gF%PBHiUn~3MHS-_<Bz>e0*%*%eukMW3)Oj21pH{tOB0>^10j#4m$
zjL;c~&9Pn9K@!hzc<fbP`$R^t9t>qClC4{U#0-|8v9_@?^uYUjxCW3dEmutywt}Mz
zK`DkDR+(pHu?BwxlJH5u;As*ZBRX=9m>(Zj!APw$oJz}Y6jhH%;MpIPyIK!~wn8*O
z=M}FEc9Lnnz|+6ipk0auFbFPDd`h&+NmR$kOONVzWo!h=7eG+2cyR)p_Z0*<aMlp3
z@k1dphg8+dX^aN`=qbsdjG~^dQCXV+MZhE-?8OLB9v$t%HLO*UkO3JhrA1Iv()1~6
z<+@JKau=Nkqf2f8E(P_o4N46fCkiYIT0%_TAa%p@>I=Hz`06K2y}!>`KRym7PZclF
zW}~kaqY&=JkDJ>vC#TJAZ`ZP>Fdu64Gw__vK|iPVh{uX;KN~~ez7H&@VoY|XFhI3I
z%f`!kE_JNOhLb-^w{}rLHrCggY!YFjTj63xDpk!qF`{wI8e-{;P<$gInId!}d7{>O
zQKgpXv{5L@Ay#bp++-p%xha?gX37LPhZ{ytBo##HYoq%3kJG-8>AwV7o%RVJuV52u
z@S0}l;1oxvc0m<#I0~NQ;<y?=v>cb9V`>Bti<K7|2(H&LEKfyovZR@UflF?biQ7VM
z-o%1U1N)Pao6!tW<syV74L&m;#Tj4`Rahvj3*_~h-$8s^T+b$!&Zl4rrQ)mMa8O8c
z0391F9*M!h>+F)LRfU8=K1y`}%LXj*4Nw%WT~r_B>o8H$(X~J3^8XmCveeV;krM@W
zgJQ`?V2Pi^&uA3M2g19g3|Hw{peY0v7Pc~Tf{{2x_!@eGKX;KU`M}@Xv+nqPIP<N)
ziJ9;G>(MLtit1u(NERO_%kSD*z$rW(Kbt~j)uKc{4ZyTlqotn$OA9;OPNA~pj0-5)
zhwLafH*kV0h1jQ7fxKYA%3jUDs1ec~1yJ^Fy^!?&M_l*Uc6Zmf!{hq>YXhk0@c$1=
zbHa_<!7-xIyc@|g?;j85%7stb{1j3V$q0MTvHQoShDcicB=sv<ncPc&07a(W;wFb+
z_q8*?I092iug?pV;|7D6v`TD%_K6;ly|Vi}khV@3nw>qFXu6h!iw2mwbaWJDpnrel
z&3PhwilDVRiefN3oisql{iSdh3ILf-F>Jz6g^7kyO?aSO`Yi}CR=X@|5}CF@<V`58
z7vk>B459xz`E3WG<+4*c60EDG?I@ChrPhnW3Kbh;WQJ4OfP#S>OGVa>>nMKXK)>e}
z-!c#f)Y}PH*PDHmJ}q#4alx$7MWy5bAl>&__+xZ}uSQTz2g<5s0f<iyi4q3@z)sQw
zXsgQ0*M%N-I5>|ta$LonLYf%FYFmOwj;MWDN2O_ffjD*={%Cb$tm;McT9+v2wqq*c
z4e)^IfTCviZy`b6{(z*;<nuyHdf;x(Z-vvx0?>55%+zGRf7dLKR`(jOT%%4O@M&;-
zFcGi4El7zMFa~Dmx@Z$2MpOOvF!``yMFc*X!)Cv{+h5uNM2Z}gFQ1?=#K~M;?%?6_
zJbh&`hetUiy<#utBdG7#piaL4dk*byJ;PI^3@EnZ`IL$8e|(6eQz-e`+snfa`5%B?
z+R1~A)91RpMcxs5@pxDZfmi_mgAHoMd|#q8aP_i9+W{dqZp(J<@sY&+KFXWtP^wfa
z|KB<Nw&;H5qy0K-U=aq9$m^TCn~HovUu#28yW{T{z&|gqgF5dp^ItqGnv0(QR!9UR
z&=v=_KB3=EgBK#i_=I%TToC8m@@YInF)C@Q9&On-FE)7s(Xl??-`*5(j${1E^7Imt
zk=46h@2she1hxS|@wq>3kHM!c($CWSfv)Rc$rHE?C6?-s;OkWx()VzH?6I_7?%drV
z3}BP-^)W2?U(8xyaOCt^o(Yc}3ha-OaQIBncD=Sya?J0j2>rf>9KE3x5S(Ro;}1{K
z<c6oj(Si4oh#pEmP~|B6A5o|W8?c51ZrtWqIQj1;c`$ua?@v*N$mmUcV%VPT+_Ug7
zL>G@u!uKd({7U@1YVQEDb)BxiucFo8b-A}ezZP3T!3Rhbv#tzyzE*?+R?G@l9!*hC
z+1+>x@4@1y+~xmDC-;E?)!jh`6YU)apuP8{5MTfd1KqB4`7LGe7ZbJJKGu=LeOP-8
zOx;F!;KdVcX<bDzVgxhNqf&Zrl>CMG#7T*-Hr@W9PV1d{mtP*c_NWfpMuu?7yS}B_
zFps7`7%{P^q$@)O_L0<<Ed76#57;96SEB=0%Efg?t6Dt+RoUOLxysE?k`IUM9vAkf
zN_&=996p3uQrj|}A>@z2Kw#nceJ}xc4A=C`J@33K(DNEZbjT0=yl3xn+-p->A1kAy
zQ95X9(iAKO|D**`oGc!WOXMDzu=@tztb=}6?0;9{Jwk2kx<={@g}fd8d$~gO3(EfA
zruKe)*nm28@S_KT1n4npvNDBA$XI)R;ASgw1;FlFmd&**!S$VBz>n)@&QY&#m;=!0
z)|Zh$82vdKniJ_$m7ja@y}NRwI@_S2C?dN6r=h*Scif_X-;LGya92+={lr_0wOe=J
zisNV!v|I2$5al6`_1e#xueBWOZLQZ2u*PaQBl@kA;2qbUxM5eefivEhp}T$l-evJ1
z&B*>aihW$Axz@*I2o2AyW>gXHk1DUw-T+zWZ1Sx2#s3@){3n1@+-<7^1dA6eWNKVC
zrE9~|EA&lQPDPaw+Sx0UJ{DX3CrVT0=>PXx0Rvz=C-pCX5eOMcO8ws_w7IWP^~M63
zlf4{K{^7;MaQ`0s{M0zDo?i<wL5mLUi77x~!4R4L?D_uX;Nr%_tYlwwd{|&1#`so@
z_O2!c><MhOe&O$OD(KJXrDsB(u>nA;X41sVQJ53*Cb^mcmxTxrB|T6UNE~MEF|;fi
z5O@L*9_GMa-+y=$FHB?E<u3|eY_^n9^*G!v&=@&+<7J2F1Zch_<@xLhyu{FWt-jI(
z;$=5CLM>|z=F`0EUPhI1W9hMJAgvtO#-#pk1;w5(;gH=+^`}<)fB)Rw*)0v%G_^W>
za-ZnZLnk?TdX2pCdz{78av4oCHsN@dXy6HPA^n|q?QPW(#Lm){K4A-4gfB_ZJPi15
z87;lp%Y0b3UH`G$-_@oihM84s8U%c)iQ$d6j7Q`8|NS=Xwu&_+GZ{9J=@(MvkUJN5
zz1@0y|F!O#A!nhq(S9`QkE{!^$ye_<?T>k1{R>^_>I6mzlz>X9Q;ZBy;(fZzB$T+$
z^ncEIV+HwY2krzztT~RTey!>1b9Y%=O+C$>^-5fW(!pC-m&bR|u2j+$ogg#5KyLvn
z&A<H2?eo8rh!SgO;YA&<F1iC~9Ax_8?`<Kz$#4%|tUJc5bM2(j?fxGK*`olGpULgd
zNuH?wt4o&_n23(a1ID(R<oEyh<p`K8HR^5|L5{>Rk;g|6;4s76%XxL$pwZBut<$L)
zX9&3kaDJGiU0p=4Vh;%hi?1xSC;W+6&)=7MM;6j~PI~!}NaoV*abkP}I#xwo8=O!k
zuZ`wPhfy&35_|X}qXPq7mQDg@4@IkxK~s=N?e`m2YJ-v{)2_Al_4cRc&JmK;Cd>_L
zMSq^*wSUH-j39aCoR3HSg5cOt`#hX5Wh3lv$cp6m;i`d7XAXX(9gSQF@DnF#LIV=A
z7_Y0eOklo!feoFP2JQU3lvTfrb*v3wJ}#VPF5~NCIsB&^C0}@j(^2BSwkrk-$NVd)
z=3U~<D6erQakX=&s$?ZUE6(L2-*~#uM189`EsBmPd}iR~O8vL(04~w9!q(C>l**0#
zYDA#)+}ZL+P#N)+R=4dDPtau1PoL)3A#XGr+i5dW#omm1vdR8R9D1ykhi3mn($sFZ
zU+qF@1-4p{j`em5*vJ*%a2F2?IXBbgdjOOpNlJ(}e3(vE%UpdI>lz(K!I}=W-R*KZ
zoD;FETs;g>v$<VK;%N_~@o&t-@B5%AgduLm!>I)|wj*Xu|LS%{5q_y(${#faB&t_8
z8@xYYO_o_+?B}u*vbqi=wUqzod-w*EK5fKf;}s<QrM(Ld-->?fKR*8HNIk6Ort6Jm
zGGON(^yn)h4mE)$ma?8IEfcr%=>UB#)i|8K-s70bvQy)2S9^<^U@co}=%P-^Hr5He
z#Wn_2q>DThG8(<Hf<)hNQ=7im?KWx;m;d4G=xj^?0zB!`$Lkk_z*%IVm)JYYbXx~#
z2G80U2gdhsNTYY%60_siB6QjWG2jJ0$ZJH1hY$VvJ-kpC_eDTdcM{ScS=sLb>woo~
zhas%T!-r<%3?jI>w60vRdbJ3ZD4e^h20P3nOE!X_YIA8@yISGCcF1Yxx_$X9IN;1#
zEvV1R$Rm-m_RN?Ci3v)0>?D{M4->#AM}|lUiS~fFn=e{c+gn!DET}^P^SQGm%qVZz
z+Tzxj)##NS0;DA3yI?z*$a&tavL&@9qQIJ6EZXwkoGcgfhTd6RRWC_AW(0P0)F{>g
zD00cO084U&yQeeV<kHHrVzr3T#dhQ%ln6ej&XD}rxyLFi(ig!-%Zdt`?r%*<^=OF;
zuTo+{9%-6xI@y&9Fte{(ngr&L0YagJ@`$SMEozn_)nnkqDwM2LPHO65pGPrZZ*FG2
zsOpgAOrcx9Y(miyB9z$QSOTYjBgJf~=$o%vn^X@ba{ptI{zsoaZh2#2&v@Ztl_IAq
zC?nR5IR7RpGRUH*>26L<j{gvRc-7Q|Fu!cOvD6Qp+y0I)9;hA!iEvrsa<@)Dr6IS2
zGxIN+;T<+MpRvu(mdOf*2uo67Pv<|fX(Lq^$@QldEhv4g0Oe3lALPgoEY;l4Tb(;R
zuKt2xO}(~iAz86WP8}ivj~Qg=Kdt~wHbzZS79_g>q#AMvId{Bjy`yBNTK#H8H6(uv
zd8(U$9@I|2T)MN1`|1U&MMlDyiTd3ojy-weDEMS^_tvaQjnoub2Tnedcxz*&G9luf
zC!#hIH*%rX&brRv6t~uZ(GjxEOu}WXHADPP2U`cKs1XaOsGz21qj<?W*-ErUu5AA>
z5w46qn*_tUWkWzlPhB0lh~U;u*a!o%<@j9bC6{&vtVXLUo`iQ+fJhjT(#^d^CF)|H
zGUp~Agb2p_IsqmWE;gU7#m1J&64eMRLVr)kJiZ|<)t5>3Ce_S2Myy0p&3d_#3US2v
zt%MMOgfUBNbIaP5!QuVAcnNzt5u-)c_J$0UGAR{1bMwk2TE}7oADD#Dz&QM*C#S}h
z6^brJuVz&^E&-_))4g!jBz%(`7i8o1)hkGEig@^Xmm!w&^47+_eBrz$^O7mleFC;~
zQNpfXsH>)^0*I<qlCzAyoo_0N#z-3eZs!ua&)In!()%_s0ij68e4oUA?p<3;3tQIf
z-Z^d!SKhRstIegE9kY3U=UHVOGkU1J4Dy(}wH1q{v3pM*fuhyD1p?AgJaV<EWJrM)
zMBl>3wrWMCv_RI8L=YU}={S@(CuV-D63TD<BHAQDPKpfk&2w8MVUdJ}2dk}{0w0EN
zBJtWr6?Ui7$=_u62pT#?jFp|0%Se_#YzQa5IEu>Ku(De5(W03urFWv3tPHpprl!lf
zN|5fDiJ~B%K2u1V<6cg&wsL3HF!^3X2CPg9)J_LY+bt}h`RfB2Q7BQ>&0wx|`nxFV
z2Tg&2>iFX2##TEE28fF>W7g@Nh>nr9?HB;}9VlmQV|T$O_(OR@A}pug4MgIxvh}T%
zf)t1>M^jDFv|Lf)(9oR&P>>;D*zV@qhSAD3k_rq|pOji#PeVpAgmr}|9*%`=^@?gl
zF%Q?pA7Su9gF^bwf_3DEIVvEn`m1L%Tb--we|u3>5Vp|)1f&L1@!fU(&^UC9!qHN#
zmgEKoE<5Pqj+0Dda4*aZiV$jRJGLp$_lW^Xd7>$VNiEmLiwsKDtzTR*L#m7i&KkG!
z1dr8kxCszPSJ@hdKMO{m{eHoif5~#AXXxli$Bk{Vcq)(-@l3_>m|n`Zq|BVAPYCCO
zpIXXAn$(4lGcjCrK~_v_Wj|5bQcJ07LDBH|3LZ?JNn)KW{8w?Nsx3Qr*X6*ztW+t}
z#}aKU*1&RA)If7g$*BjEEH6x#?hJ5Zp6oce^a*V&Sd;5200lzEED(>#Xx^0qsZ}hU
zRE$AF!7Au6Bl!r4Pt2_xfW@;eP!<2Af)iD7EF_MW2(!4YEo!Y9F{imWf%9k;)<-|V
zj4?g!%qU~cuQ?yp%vpIeMi$O>jB|32^)u@~_h|t=5JXZ=-}W{~BG*ID;v01tjo~Ip
zA_aVH+=s4*u6&^fSi!g?z?`ctW8JFobb6RBB#Bn^fxNc@h`%x`1&3e*gJw^;WK-%9
z9;2tXI+$7n=_*z+s3il!l-;W73Ka;NWW;n!!lg&gnmB-xX2!*Qoz>WDWPWxRc96gr
zqT?x4+;oL$@zFCi9|L_h-{9PtBS4u#WJ(^iwPfDIoe_&4a!-uo4NcWE{2pI>rRWfI
zUukOdJ4!^wVqv1!E45mGJp93fl7nb<u#A&Bq8V-?Sy)|NSSU77Dx0;|)ankHG{lOi
zE;Tfu`V-mcz&8iA-K{HX>1$uc0BQO|B=%g-!vo@^k1<a}wTc?2%`-9`Ln&zlg_V1h
zM#+z%aU@lndW}2{N3myAu(|hkc0dSW&S97}OmS&H>!&X1?!C6OE~hJ*z>>tuCRN0e
zF!&jbrH?dvzT&R!Rri@WE9(oJI`ouD2Sa#-(Yjh)$8NPWd2(wO&$Fypi|-%j-;Hur
zUq=&!KbffR%N566Vj9#2CZe~3plogBy=!!+jFKi~3W_I+qiE-7KA4$Yr{MSY2m^5A
zR6=JVY737MpH@da%@Y@OtYNgq?jK{@I$Jti$S&PAQipgPO>1g1Wr>Ff*VZaCDk4P5
zk0Cn_rII=ufu4av+J751UI@uZ5?f+=c2+`|&+G|f1oF8@4@|6*Vlln1r+Zv2>_MT^
z<V0wrqCnkVyvJTAH9*F9lqhJNeRIMQavQ!Xt{X$Wl!GK^${;Q?SqS3v?3qG&SDjpi
zy_57N4;U;^3`;sC2lBFVph=%XQ*p(+Ugq!qF^DT{Y?M1}R{wgSNjB`?6M4o!l4YZh
z4ctcp9EKkyp{X;78?wDz@2Hb!U|!=lfD6o@T!4~bFe#ZX{b%W<A?^ZDvexC+tX1#D
z-L{T?oN^3VFie)7J*9(O%$+!3%m!5i-Tx@9SW$7nKp(3~uyRDlXlJy5Gq$1i#tFM<
z;xAg+smVX><G7I#;?JH`Y9#C8Auv#wiXAX%*kJQA^>v0Ds`fZL+X7{UBoZ}8J2#n>
zOuQz<&7`qptq{WiqgXkRLS{-sab8LNgGu81zFrqXrPRQ7FEwa{b)yu;ux_%5BCE8r
zWSH=9En25iSX-1HkE2;L#4EWQROGBHQBi@8Qcq%Bwf9oUH7EXe49$o2zr%duv&T)5
zS35Gc-bO7`q&V3<U+K&6={^kEb;vLqWMsE5vZ$A=KRnmW{kfR&!i8~!PNcG2P!T{V
zH0p~z4!3IpP9$DEeZJz|5GP$-QDrJ62B74=KaZB&!_0{=rH)o}x~`~>6z5?=&)^b>
zQ?ZhXwuYOBuCVePCtmUevO3&u2RpWWm)PRWJuNq}Rx?^sx6WeqyLm07TkR^QXl7?h
z+U;?7h|LcJ8%TJ7Bu%tJlxRuCLq}~H9EYHI%XEHrVuGGP`6yOWk>~t;z87->N?`1*
zyNrGxiutqja+`w3PqYl*hxC1&yiI&eyeL5<Z9bO2r*Q<UQOwc({<@Um#mLFfcq)qR
zm(gn2D|U$6{u~aC_V&|9;;ydkXgSPjf0H{JI<j-)%8ZKO@nAHno1$7N7OzD=a!q(R
zxOutR+E66xR_uig=^HAn!!nS$Tt5t5ZWh2LsepRS*XSgTZlk!3F>x%)PC_b2+uE#e
zef++csNcZJ(I5t?FgJe6_;sQ7B?nGI0tOPY6?7$^UuA_YK^6o0&5M?j)B>cWHSoTF
z#L@9$<YcydHJO^M&vxlz7;s_;U73I)=xgTH8Ai!<Zn|Dsl9>Y+IEo)4KpNYn3Xt~2
z!f56wqC!Evk!;_7ix%J4>G`;x?jOeYhlx}b^dM-ofTE4Z+}^?Ie{Yvx#(;^HcV(_p
z<w~88Z(T+$_Vs^{i%3KDq&42l=01~Q$r6{iT5zcLpQf318gg8X+iGFfiNj@KOl_Fu
zz7Bi3fE7E3^Yiz(U0)Z+fk3!Tu<9BFnO%RP;%4`-G@@DEmr-$|m=Q-CioR5Ed>ArC
zyvxR$okBVTbI-e0+L8;`RGRF491jO;{HzmqmMXN)@uw!N_I678{4bY|((Yj8rqSP1
zQdsW7{JYQT_lf-81oZ!ssqL%NxWRAzoPGuK1(;gy*7u4fMvE-xu}Ba$gdzlK9b@8n
zuo@<#N8g`&_;WhHEhbB>%F#=^hom!l#NQlzi~4@fpML@tE&vMD=<(VeZbyTYrcc+f
zUu?i+^+vm#FNVv|?=*QB^SP%<3QcN@g&-QJa%Yhw(ldG=K3sAU;5owZ;5{akiWv6T
z%_M6|SPd)wss4`s((Rq+TqV^O+Tn}XD3vS_6flrl1s46O=Vg0yv?9>YbGuz%EJP6}
zSTuBbCPD>e+hS%pex{0>{dgr6MC0|mk90u4ftlUt#rZm}X4Eo{i`Qm<eqa7DvfD|w
zQF3s$$k6!T#o(GA+fd|&s<SeM5U!PfaNgZFGsA0l^>bD|)5irhyzwDalg+Pl!}Yqh
zcNkUPoo;j;RXuKDm#HO}o!s&^Ya?X8-{i^f;NxUL?N576+@CzHk!=V2SUGtZY$vf*
zP@$EI=MW5nFYbC|`+NEkirBL?&VJt>O~r+RkDdx~J}2G>YGNN6By6vjBFFM|8b{?X
z`T!C3Ffd*cCuanA@Z<CQT^)>vkL30<ZnoX*su4$s8P`7s5mGXbcQ_j_$>lk_uvu8C
z%<6Ibe;@9Q6)8&}kU;3Lzu{e?g!(<DA-Cbdz{SdpP#6Ic-g`_-Q75fYX{Pb>`rVrS
z=|nFyiCW|5I*~RhxB?2DixmYVIT4P$C%*2fd#|VZss6A3Ss?|)ybQ#5PmtKmYOD<m
zX|KG`{k>o0c)9~ti0(5-)DwsEKkqUEZ~ZOY$-{XPF;Ev}6NZ;2TCSuxA*RtDGY~2X
zK7Y+wQjL1Y4>5mWWhBoXIB2L`ivUH9$c_0%#c$MeR=aH#fxFM`;KG$fbqyMvxtcxC
z=KM->lZfE9ddkD#(Z*Lyz4rj(WF*R$Eh+4TJ)3FbaP3;Q(QT%prQtX~Ev3=x-!ysb
zn-l{^p&A!b375<Iw7@R!nfVt8jr$NLg@YO{VPo!cDQS*34JIMvYGK5Ilv;&>CiJ&M
zwfFmzFe#mj`WOBQb6G0HhRey)({km%0*jA#p`GSHM#jsJm>Q|i`uUmmH`X5`Vq)#B
z_Y}1zMk#6)K$|N!baZ%{L!?NeXv4nFf2iiPs3QOT#A1k`P#Xv=Lt7utK)n|A1|VoL
zi=HJ~z&MeCl>l<YkI0GP>{1}flLd*exdowC8lDFj!P0e-HY08U$FYJ)0wOztjH@#m
z5w^J+IvP$iv^RVFz1Bp*lPiO8rOCp!<3>fTf@T>Hu=ziIzF-rpjSJOLaur<}@PYrq
zcV<oGci2EDaEM%p=+L>HM8)y<a!Q)iZ!`mWU?jqjAO66Fk>{S&Z_GF9u;E6P82bAY
zAw{0VLz^=gUh>2$?Jdf{PxGd`2^F^j2@-a7A1k)q_*At$zMhfK@#e}ROGr2aRlUHz
z2XZiB`Y@%;2};t#rIKQRwC%K7v=HX$q<46oT>fC9j}Ar8ks19ez=#tT-GXg7dji2C
zg))|r2h+%lruHEG5`Y17aGtvz28ZJJ?%m*bz8s*tcWYX(L`;~OCk2djfMRe&y_Ssm
zzRm7pL69BTB6%^vtLA8)C+NUY2{!~nGbKsEwD%ZNAPk^?>)FFph6+?*(*!665GPMm
zn)<YckAb-X6sJU+U-Nwa4tPB*ejj$v9KeViq)I$@OCW}IBfc<Hn(CwKh7HtI*;W#O
z+`?!IWcq+ImgCHwNZ>S-c1ME;<q8I@V}ubmY)pHM8|&5=-nMGvZ}+$!444#BoX48{
zDaF<8g%W{MK<hQqy(3c~Oq(n7=|hP5(q%{mnQ+7SP`OacK+iY033#kBIX*155LzR2
zLQjAb9mNk^#rT}Ii=9wsPZr(vwyDZ>I$R#@<@MqVtSDQb5%KH&fR{%r08HeYgHHS#
zgQh3y&kay&{pak6K=^q~bDc?%dQ8NJ!4&BoRfOvKJ!O^JV4Y9vYO!Bu0c>b&J`#Vp
z4p=^J!$ytxI{4iYd3^H(KYBD@<RI{81kQyii*Q~`gT{QW<@9MhJ_8YwuvO;o`sfEE
zdlq8Dgs1T`0mDEfWVvj$)aQ*&-8+NX=~DM!p7XmxRNujuE`W^h^K=eJY=1nE&pX5Q
zd}`=9%W4Tf?-A*~>s{0lc)x$^5UuySs{Mt@H)WJ<#DaN6rI9x4-|#O9_uBFlfzV-S
z%!pB=dN29<-v<hlR7*<>RO1~xdEG;EO;?txrvxc#q5_AO@oKT|Qxcmx1rEB3RaWz1
zNW=w*Zn<Iwi~@ePoXI#$M0%RE7&1quS`qVAl@nnbZF)Q<jBIG64n=!?y963_3sa}5
z&mdkn$&!e&auEhTR*oao2~~-V4xzf$WO{){<PbVS(*s0s=3WBTfl$CW%5nxwrIXzF
zje{vAD_E1@?9&$R6rqancp4RUbD{{1*b&sG*PFev(kN}z1x|xb0lSKWQ3Q)L!Dj1Q
z449n7aFTUR)k@_gR0K>8`OR*J@Z7V0=PSox)kl}HwvbxX3N}>O;h>c)D=Q<1?Gze;
zc`C9>=I`&Ay(-#weJWG{dN4aeBCE@tmBEL+&Q06^uq!A<enh_8-6pm4Y(E$!3ZoJH
zp$(I^rA>LrNsx$Mbshh*DN(5p@J|vWlyZs6BneT86t(H`5T+4kUQW39;=K(mf~r@N
zl0<CDlTU=r-hlDr^maS8zO@<%y15xnuLFr@E!*m(rZTWGW9E8w5=SXHI?n)wN?-cr
z%J<;<JI^xHkhg}Z?AKmjUm9BDT*nYaJIIpeVQ#7x6rHT;!;}b+@>HuZ?PJA+VBvUu
ziz4h+L^{txsx7y5N5oVdnMnP1K7z=$T(?3E;$d1hWsaPr><B?MNjQtWjWtG}x2XZ8
zPI9UMJ%oqY*lp057fWlx!NZBmTR@Pl>4#&Mer;_9^SGm79V<eT${GtM74*XW;2@8p
z0&L3I(-E@tuLV&EGYgB9WCEnMioW%t%01Dosd{E{9V0gCcfRk&<+GF()@7yVzhVV&
ziOdO1ege!%#L5|6em`&Oi8c@Wc{2N3zU>OlOspr;3f7j)?m4Ivr~w8P`ijgKrLAkA
zT>S-|vXYWPwYWUemF9HSW*;ZVU8JI9+Y2V;BS|9t#igbd4Y@3Q+`Jd_WiQ{PTC2<7
zjw`n9U0hx#I!L#0Q$zZr)YNX{ZhtdMNt5(vE;`Pu7jWT*Vi2^bNzq5E79jyhvPK}j
zzW7K{WlSb%CyTw-{q>qFWa|k79(9_kx~dej>OL-CalN&cnpUQ)Kmcki2?ZH5(RDU%
z*p%^uViD7F<$Ckc(kGn?xe^u&DyRsIaY<>BYZabMA_nVcR<RbA8~2SO%#O|V{3NoT
zUeGP1CY>r2#L}^{Y(WTd%NJSL>t=JG0r(1chQ>;*8Wg3V2b#ROv4S^TjfZuftRf`O
zfXkn^*yRZdVR$^PK+X!8L84P3j0{L0Y11_SJMlexq!V)UYlVzh=`x7u##mZ2Eh5qV
zh^{ubENYCXBV^@T1bwQt@e(CX(-<8fPcJ6zej>BL1{4pT7~NH+vYD|V53n%^-t|(w
zW|{tc4?7;1py289niX<GqvkLITtx!rWGK$$aB7ig1(pG%@DLd#4g{H_4Y4MoR+9`N
z39`v#R#>T8)4@Y|vj-8bN_wJFBoC()C4ZN{+-~P#q$2m0mPpGDpcG=nhm_FJqOGk!
zx+)RF<%tl+xksnO{FSU3DMO15OL&k0ObZ-F6=ZO<(a=+$^7l{u8{mfJ`u_!arwHph
z_|u3KZOxQR2`KVfmdlhJD2aQF%!bfX$D?RXEQm7_$B|g7pg9r_bkUqpDdO&|2}lJ6
z2LYDuN_6Tfs;U*D$rBqLWgQa)^hE5<cQ)0*p09HH{=pOqDiWwvE$RDVC!FQW%ge29
ztJu+AG08dj9`^=T6WVG^Zp~$}@p6kGNIiPm%A{^|GVPCpJzL!Q@5&SgTiLszv2=ih
zQ^yZHPr$xK(13{sU#V_MaBNx=%(oj|z)86ty(Q*%w`@hx(z2(LP$i?qspP!Q&bjaI
z!N3qiie4ob3SF)L$kP~|pcN-$U$uPDz#}>`G^L5;!#{OFW4m$L@+?`4_peWSBLrX`
zdqVz=iPG0uS~FlYSGL=pf98`49lK&t5%{cT&a|*vX}SEqqpzLvFfxhjm@oHBhbWe@
zUZ6N$9nICkhZNKzpWH#a)UFpNh25lDiUS-Pc-%8jsff3-&phjTv*2r}V`igMUBR_c
z-|F^p-3Wq4QSgFVgHGIEXQNg+b!p2`K`vcI&Yxct^hS_?yM0{SvR8B@>%>l0EnK)T
z-5zc?zy0m)y7RTUntBqQ2_TV30FWeL2rvX1$Q6o^P9~aeq?)uC&pq4C$*lOT{{p{G
zsoBcTU0>V$=O(jd>mIkInVRA}YZRZ39NrI*IG!K^=Y0!YlvrUWMZ4uuqLdJKw{y>Z
zw(EWyv2Pg_wQlq3VyUTW86cEti**I!6|{=-%|1zGT`3Kf67r~$Sofs2mOKMG*-Ob^
zQQO*DNP&O56qw45>+39s5AqcB8k0n*H2F@JV>ZYZCsli3l$s$K6{onRqfC^Bc6tUq
zo;&4^KdqGmHgwEG*wawZNTM&7lgHzDcxXXlEbk1-7&<3YB<!N<78?&Zxx^t$aHw6z
zBDBIrYI@p5%{%a32#VdItMD#6Bjv;(A$c%l;9-+F$F^b*XTQ6gEH+qD;%Fw5nwTlZ
zM>#1W=_>Q$`g&#Saa$UisWhB)nC^S%w)QWK)U!knFw=#P+U_1f`)U$Wz>dz+<Xmts
zJt3zEgyclirfWmkI2imk&a==(Rks8oyZ-?uJYxF9`6%GS5yAVkdQ-EkU1LY1fQAaB
z18Z;3(Y_x?g`G`u1H?=!bBT$V#&Y~9a2A1wSnO_q33kcax@r>juzd`-EP+N#Vp-gN
zZy{R{&Pp8oE^f~B^w<=d8QPgSx)U6i%Uw~@)YY?rCWghZajC<{lS`JJSADhK*xA&O
zEDNQ7;qmb?iUeq_dej1%(yEQcTs&5{{RW0?R&HNcc)ZTShDypktIXc*H5fw^2~a<k
z{498e{q`lGSgo+Kf|iyBh=lUD);p(@)7(z<DK~VmoWK7tioggy@UqmU2(Hn=y(%+w
z%(QfooMyN4lgo@|P|g%{%=;EzmX4uu6RR@i17U~yQ4aP$gw{PYT-NrcrgE5|;<3A%
zC}N(KoA1U$=9Hd-1oqI{(@)KS5a0{1y0H*Q6Ka;blvQ;98(5^QF=bMy+uKZn9bHfc
zjagnk186yOvl1!<<L*VIf}~2XD!^5JrL#?xc19*(8qFu6xt$>nF&jI(If#huyv5tW
zrlk`J2$UJ3w#vQBJf~ND8I)R|pnnb@W*|c<7YTm>qrZuNbas2Iw<liyN%Y>R0*4}3
z6h6+H{Pa|YYb&s^u(MSLklk~cfWVR=NR$>Xl%R@RLqSWmAb5$fs_yHxe!-F*6ZTX>
z)3>EkAT=+I{w(2kw}%<?=&qWc>@eI1Zg)SjZM7;q0V7R#;cApeP$;*uK~SdG>tnUr
z-!`#3ZyTMN^MC|M62#92V!un4mpyjxZ{_bjkA&-oo}Dwf4X@g5suGKVGO*-NvxzI8
zjxy&JT3gvQJE(H`*@3kQdSgLTmNl`Qvna*caj_*#YB2q(Wf6o4buKq0fTs34VPv$@
zilfkk%gN-ohss|Sxi3b~G;}<*Z;j_7oyu<)&Jm9nL|PXfJWmD({sWp};WM|hLKKLR
zrK05xd?iBd+k2VLgBsoJ8jZ}HzrNjJ?;7$<xVuhvJpjdCl5D42hDOc#8Zxj0{qJ0f
z68}{Y$+6Vsiw6YL7*T&VuU#;{k@uFD(V)BNKR0r4aQLF_VevF@j$($#ZB!78WEi3D
zdGuWJwkG$`nD%8Ua?XMcc_d-9p1Q~obg+oAnLx|aG{hd$-`F8AuXyn5Tzq`|<CfPB
zxkYfNO0In}1(ocTjHoeNeVt{)P_GSn9{)0Bd$k5%g&bc|=nF8H>)&C}dQiNqf7IxD
zTHTi7>U#3UQ>D?}G(v%KMA*BC7<)D#OCcDpqddnud(s?_#x5nWSWT&KQ;TiUAT+$&
z&My!J1iT1BHG`i}ylJ2~?av&7t}U=%<>zG4E2NmniBqNU9Q;PD0MF0Sxk?ReRNcF*
z>IErD{Jxn#5)|Y{ykfrPPQ3@dqM__1m>YsDAOrf(nJ)83Ioce{1U6IM^dF@#*wL3$
zHsMo{)a+UW7Iq}34W7N3pb=T7c9`yNFSry)+nc|M;82}~I@YF(Y7n!V8`k(T8RyZ0
zB&rO-wv32xK<!rR4uYd`lHOslSy<c_mM`5?^{1onj^wu@`^YvOqdLw5zv|Mfl}A<2
z(pWlagxy1W8BDfE9@E^5{7S?=Ck1?kqhylz+#38@v!EQK%govV#kQ_2H6E%_a|7S7
zPf*os_YzcrZ&6G$T(YnkJEtzS8|;LTsr8I_<<LNFdMDwcM#f53c(ZrJp9pP>eD~ZV
zZ_cz44c8FN8k}0sRg=d>FiO}CLHhZh&2ta@e9;fqBY@uu8oljtwTCB1SVbu?Yrj5C
z^0tUIGM>Xka%aIM+*|nLfle(JZAbt+fm)zzy^U;zwJrg*d*M5ZkG_@npk;*9C^;lq
zP0DYC-=qk$seTDNX=ytHL5ENA6mh0RA|{N$EuN%twk-qNq;v`@$w^LZrExdkzjGTx
z_=YR_MM6iQ0XmfpO-S44dfV2lQ)y9?Jpr@4hJsuw$Mj`=>QrIvqRXrK7E6(kzy_Nz
zf)#w_s;KRfUwh+d2+%{1E5<Qp#(>Zq1jS**K)*K~3UkLL_X<PlMhhK2ildGVa!^@Y
zJweX4%eatQDI#KU5@H1N|6~3X5v@=4Cod#dE#*~inY*CI4`ecU-c}b5^j<>t4LA4f
zB~8Dc`O~k3v`^0;SIdz@6lj={GN42EnvN=2(gz+lbv8#2CEqI;he!-|!3qSo*On5}
zR{&3y$*CE3B5b_sRJ5p^I)GEmr0^3Nm6YZ(xxWfzO<)<zW~}H_vMgCpUiwaZ=rG3P
zhE5sLv^nwMc@4KXJluz<h+JVkj!=qVf#3nY?((3PE!BoLuTSaPzgQ+~yJUJQcYU6k
zNbjGv<JqJDa;#a0vAn4B(Kmff%q|;~cqA`%>2=gs+fdV?wW+PYR9<c}l`{*aP00k&
zl-Y$8n~7ycK;iqJ10pB#M`?)N^cmY-rd^<|u|`6ULvjwfxF>slK3M;K8Mm&xla4k%
z*t+GGV#2~*EObDr%P2t>g@hh7q@=1-ZI=>*m@b}`OKFB2Ximl=RN5#nhhMd9P!1W&
z=qO{`s9WEur7sycoq)294|@eS1v=>{u6rEHreu2UN_AsFS^{nfOrVS=e_S(YLOnJ0
ziXZn$wSq#DxOKCuiJ@bp9}g^9D3a&(*eJ90YKCYMskzGBhP$Jh21WSyWjk>GfI4Hu
zRU^*@$|~%=@p`A~Lw_JE7`=jD&d*;Eu`0a&6&ll}))3!>K>j(bI|=?wIg+8^%7{uv
zVomXNcGz&(iWNt3W_3ENv*{mCisBR*f}(9Z|0?c^q&EF{{?aQ`Ewe0#$OCPKwqm^%
zVxo`UvD!X;zdrSQZUmHs#Qh4dia4`Ju+#>#2)RBAQPa5f>?NY_fUZ+zw`CC}#W#~u
zYVt|JM$5bg$paF`VKWOxB~{h#xP=j8$_AU`S|`F<EPx5dm3b=kb_a7Zl{;JNO7DYk
zF*P;S#VKsez0JgN6d|I>^6mabe{B*CIt~I&yN^L%WAqk7kL-MvRT03tSL;|Cdcvm1
z7MG>2HUbN4neUqotU^we>k_q2LPIWQv{KQnKUEi_#jCi(u2HKQaQ7@!Ko7>%Q|dN~
z@RFin%4gDl{5#tDKWD1*w2HU7oc5QKHJgV9)QEJ(6nbp0%T2VE)787T)|Mm5JGR5%
z#Bwfx@o_1U{2v1b)xc-zF)?LyYQ=4pO;F;ox|%^uY|4`$yE|moL|<pnNJG}rfNaIS
zGtM$MN+P+S(PxJc6?a%qT`PO16b00Sj^i2>((<Rhl>w1CQe@P(tb`qZS6{w@%GB_@
zQXP+?33KIrXwbG_UrVPG5>f|4rqfn5WDVDcWKYA$0j(7)y7laG^!=kRIEN2aX|J7H
zo4v~C$#g(wXOCw*#CtX+qAHbhKl@TZy-<U4*%;j&Nu9#2Q=7*V<j}o_XJ$hEg)5i)
z%9uDFrcrCPtm6-(yxO!4d<Prk@h!l+tX`d_iGNRDTpA`|Vu1bQhDQ;vFY!d)g1Ov?
zEPbQWEKJR7a`+6fsqA&lS8^5B@GHASamZ5X&i-bi+&TP7!`@Kib>GaZmeMK4{Z2gs
zXY8qVz0hWX<=GY_efjBi;*Q)=h}rXHEMad<QM7Bzc9PrKR;Z_oImGJcjI}M11;vP`
zJgH*mG<@w=?aYQXyC!5_j1P4-@JpYC>PB{eDx9ZL!;(%8a38f}%wy;*wW{y{y#{qb
zsJzU*f3ZxC?bXv88zWIZeVbZmRYueAuXMPGw`1Q5Dt1a%U$RZ?I2Jp6Av8M0c$6T?
zJpG=$be?2GGxV9}nWwFUN5RR=CveL0jx*5~F^hzs1TWh15Aq)UUsfqoE=5}h%Yy6|
zgw3}|4w?nN{<F^zMDb@|CkG#p<~XbUG=9hBmswtIe8LfzzKB1gPL@qtTRrwXXgQN-
z-!6fXD4<T6J{KBF<#~!Ci2OoiWEQvhrb;>V`~H`LnO6gMm{s<Z1f1`|#tdu4o?bvg
z(4iD!oqOSz6Z|p{J%*vh-Ko-6ZqH;lzp|2{CLVLNeQ+{K%#=Ja)WlZ4A{;*)Mallj
zi)=fh_I_Jyk$u)D9*GpM#SNDy;J4GM7}KBcd{965^8-EhyIC4XaHR5`uz}`NlA(U-
z5w2&kt=%<G%z$w0zPY#OYFWJ+IIqQh_SyFP#RW|qF01DraUFCWBIQ+wP8Ve<y9P(A
zXRoEvT6<8fyk3{NXKgY=fw*5+nH{$`Y$g5rk+_5IqxMeboRtr|R~1-;!d=Yoz^XW2
z8N9Q%v8uy@FK)#|i&9-X17EnVHa)4Q#2csVi_TXkaQ4EL)2G%9%)f9f=UBizN#iu@
zVsdXoQySI6{<DvN1G^tx70xZB*pbHRS~nL&kaFr-KZ^HjL6VGloy|vlwPXvv54}W#
zwfUxl`|k)4isO?8k-5=5*dvu?YPcN!Zt2H`l?B=o30G&Z+X)z3W1XGl)qxfWL0k|}
zvbcY~F;iT$VQUf?WJdq;FGlo20v}ePZQ;@gbEn*p8Me%y^M(VW{yUxVu*36?2=<Z{
zcY3zGK0VwmqLzch71U9969e(`ai8)btV;Y6TL7D+2gd)OBWlv0w~%|c@sBM}!+pQ{
zL#?C!dC*2)uzn3|Txx>#1MVdH6&}}G5=#W|@*<HpEm;oD1Z$Iq%{~qE4(mb(1|opE
z%-5uSnB2Sq%|0_|C@i}0HpZ~<dDqcj;3$ZsROPv@>5tRQL4*U0*|eUrfToeY$t-X7
zRqe|M@a+6v?`w272iDrd4GEdfb$npru!fI$KbcOj@OyX=G>VtfLvp1#qOR?=u&$<!
z!vslq#}IHgwX-$GM^KrIkWKI&=vzk!%849+m(DEkG@44dlzwvMf><CLiYp^;Gu{=F
zk2+-iYWc4-^yg=d3ehvyueJ5~$XWZjuFUkUXzRpgL{SpU?O^fBP=k}`OX`mve}AC&
z2%$jm4+RhG%BF&v29u7XUxA~zPF8NAEgM&;k^MOe(%3msMv<dwEzfBKHT_26gV^GF
zepDY2M*Mi*u16KqZc?xh{hEmKa(1X=!U7Zfei&9ra9+HEPXsCNv0QX!;GdC!BMQ3s
z?|UG_|KyPd6l4ta9xa`R7xm^|^~%+mU;oAXer$zVy^;5~5TxL{!QS^Q^|$9Kb6v{!
zJ--lr@>mA=6vDj+O4I%b23N4qqw>DjM~P35jUB+Uc<*IkMG)<Los8?yJ-zmM<&PeC
zT<QucKD!7j+|aH3fV{5r;4)6{gTKd@VZfp3-sqOIZ7MJ-a&Ufb`tZNUsY5<J_lxNW
z5WQbpI^v%mos*;}13o~o$e;JOax1eC->(;1qNsq!dCN&-Nk?Y9>(tIoacx5%MWjN%
z?DsGKEr|E=K(D3Fhhm~oWE@+k@ckcsMet9q>9#M{HL>?0-VH9kxBXPV%{Cp>&vQKY
zeg7fda}Yg2sq!}_J|e4SP`suMp63GL^<M9<|4#NVaKb3V$E5A5SrtNDjn3`zRZB*7
zkHFQeDfD9OcCj6liguqZ^6P5}eDeiMf|t_E89J;J*YJTZLWg~_OjBI%Ik13ti~CzR
zuiAlLVy{Bh3<`M<@qpzd#x!w>ES9rkSwo7$Eo5i|<BLIEia2X|k6;IIh$?G3+j$^=
z3C#vM^lp&668Ltsqn>u_zuhJ9vj6FB#5|ZF(q#wxKxG%iYWQ0zSDyG#a2jS+A{Z#_
zyJtu6VjgUvUnbeHXOkKcJL}<?8u+oOZO5$~VA?2yg1#3smiKXgOXbp8e-uX;=KYMh
z0-5AQ>J91HBB^6bA#iT1NO3XNg1=vZ<`B7|+!0$`hTeTBk3kCNl$0*>QaGTX@9+7e
z4F&NSTr{%bcJqS>vu0C8ze3sJ$hWhkdrz5y{lH8Ce!u$5fhPs<mP()#8r{Tepe>0b
z3|MY)*}>9j_gTxt$++Dh%O;B9M)I(C;_%Iut=r&fso$-<&lx|4w=S-cdSAc6*cG5%
z*C0p{>rn+^3AnlKv&lCmz#PztBkT$gCu8UPJeeJ-mf=B7t1>~Szgq&8_))O0TdZ#4
zS6A>DTAgQ9Be&2PQk%{y8g}UK!Zy$bKqebJ3D8k4(I8Nl#wD#ABoTl9@6Pt~T~vXP
zPuuxmi||vfCd&R+Z7MzbKcgO{1U&h*ouKSTm&*H%Q%n3uf6PvSZSlR^&~lQW9$9;N
zC$Qh^BsHWT+)_sez84?V&)?>{KaFAEZ{ISAKicc&y3_eXAnI>(IvK|I3NUK+kK&nf
zebnZB|Dce+&Cy9y-k%<#W<cZpCR`r0xbGj-`=_})H1de|`=APwH{*1_W2~@VbpewD
z`UmZ$0Fj%?U9V2jh#2l#2;{H%K^1@h&!)Cf16aL(NC5laO|5%5Z$M`Z1cv9r_Z1y9
zG_=a7;z1f@@Lua`EZmQNH3{|>zz*Dr)6TG(fCTplUd1_FoaMRmi~HRw%K)B~#Ea#e
z#S8`RM3K}v9A>YXaY|B@#N-el85$6*CRYg{zrV5jsr^ik;>u;DyRzT*Qd558sP|J9
zsQ}GbzlzjE3-(Eo(W;4Wq~SN7t4OY5_f>Xx;rk#Nk|>48adi@TZ8N{nkAjt425aFO
zSuEDPaZE8|Ome^96wrh}1%{Hs)A&fP@5IUEbuY>EW}WrtOxtD@<g)IXyk}e=ySE*5
zpJ4y&`HO~)YIK<EK!8~dVrl!LHgplaUj=s3yN%Wz`&T{W(+KR)sTUW(h3Ksz7lnqY
zZJ3*c2b|MGmUR}ERf5)Ni<0IjlKGZhMjQtjCX?1DS!l_Y&c>-gD|S*JE9M4yKtVlZ
z`LTAjDTatPKovuenZf1&y^Cy0;)h?`_;EV2oopskA`eDgqnhRs*g~pcv`m%gC)0-m
zgjM|f`9hUsi)&E>X<B^`u784}1q4)PS)=+=qcfj8eK)EEFT)&EhBg0pMR{+C;d}h;
z7WWY;d;IW)4waITaC)W;Mwl9mKk5Mh9E~sF6;uiTZXsZK*G}{kTqZUB@TWucZqkV`
z==^Gp1U6Pp4+K{kNAE*C@SXB>&w-t?ixt`{%%8U2Cq*X#Y<al*B&N&x!|wQ_z)){+
zuRcR(nXS+3)6$WrAxms$vz%SBc2a+n8w6j}&)A4s*F7^sfC5()r0Z2l>YB0?tie|Q
zl7F)T{O?W;_~Okt(eHj3_&eU&JQ;^58(trF*AAm3jHs)Lj82ZfVVvH55sHr)Qc65I
z>W>jEzwd9dNt%N-G>3|c+u5(8;FrImjk^s#q&jKnAtV|Rwqfn91O0A$8UpL%Miyie
zpYcr6I=S-kU~TBr&+;SdCE4dLck}a6>_;-vsn7M{A<swv#ShB2>*Xsfn89+*Y|j)_
z#5BnK1R*oXhL)ZuM@uQEQt^dUWy<b@qT0)zg*)LOE_@vYI((-EgGi!KA6e@;BiI5z
zpJ3(0#nB7w@q2UQvfF)@_;(V%dD{n7z%R+WvW|lE0l&BEZXt4gx%0z!vi+6PJbqMu
zh#spTh=$&W=m@oT`0}|6c|l}zzYC}l{L#L8!yhBF(5QbbhfacU&-Z4|r1z(58}?yD
z^AD#7<sZf5D}?#-A+Y=9PjmYuqWKRem&zY)1s2Nq_#x;H_NVy)twbfldwDDWT3M(j
z*I(Z2O4z@;QYS(C+k0z98{r2xF6HDt*n72z^VfRprtB1cuYWrUK6!Ae<W9i7SGDZ$
zf0S~ds!#X_^G4{8EmbL+gZI9<{a-s1wgwpM{W$>|`sw;YJ6f3Mee(m}KZgg7Aq2C}
z|GNW9AK5=O)_#j;lEl&WGc(+pUe!w-UH0aQ%j{bSDk#*ykD7$|<wco}BL3k?UO)nU
zUX(Zv(pR0$Ty<b-Sm_o<jcLJyt<P+B38Tv4V==2e@YD-aj)#)U*|!Gan3){p3=?Xk
z?@tPNG5ogciz1Jivs5!Rj;1gOkl6mn&A_Pzt+nyhA%i^{HQN_OyZ(YZ!ZWWe>De))
zgnq`|*7yc53ll9@INaHH>skgsiu<wAqr)Yqu3o5ovb^!t$4AD<MtSS>POFZwUMk76
zd#)laodfw7v5~+Dl=K1#>RKZ^PuAhUjCdgwGU&fk5Y3OTxfvO0@tRmyZ}bSW)_l=t
zZ6hfk&#>b&<K!t(Q@Qt>;%(8<9DcXlWQjpK*$gx*r)E`1USLbL;WOyFMT3th3gxlf
zayD}3=pdzbHImf6vE0;bg(`K%c|Dlw7W-Mn$g`{Vdoe2K#4Nkzah!g$SOq&w>e}*U
zsXgTZ6RXO*DbW3ERrsXU#os*4Eh{jxOuZgnS!KXNWwX|u`ATz}ji@%-H@WH(H+Ws0
zt(kHG_=EUID8{VVF`u%NYInI;2&xFeXJ|SG%NnnWJ&o$1tT>xQA&TlY;avU`;e|#Q
z>UOX1!||QCR%EG2kHms{r;$;-8OQr?QUUH&I(;||l$oO2>UXJtn%Vk2P1lnYiu}Ft
z;9a=l*|XizffLqMwwrt_0GqFw=UY>Q6N-lCnW>^KlF;i`GX}o{Y2j++Lao8vLF35)
zn#A~@^9(|^nd_v$)wX}g1I2aa1V^<=@5Osg^W>zhsVV0H4Qaf;?ka~|Ek8hgnh)r@
zYWw@C>q`j2I&maN4e7sI-Ul4o!(&;-VzJt4w3wsfoZZYV)ye9yAkUve*{;Hp`lan`
z1g3)dyH=6;TC=j}i3d9q+3p=c%S-zZ$5l(ZpIuaGF+z|gs=+wEF)%6aI#ADQreeJq
zP_DF^BnMW^dq6MZthd+5)^L~@%Wr`9h1&#=$!@@@TzQBMlGWv6=8FeXg2qePka1km
zTz_kU%Vf%C)e;3<UC6h?w?J<M`_y-ijfo(BO=)Rq=5Bp$z4S2F(wK0zGEc2uiQP2F
z5ZVP9&S43_)l;Ouhlt{=QG5p`J%g2M>;Ckm1+&pE!K^%Ga2VZV_uSFVsI%JT0y|S4
zl}g=Rb)DpF{&w^VZ`O;=+Hk;pf^Vi>#zn)y*V2YMk;85Bf`tVqsb1T1klv7S=9HDr
z6=6+#$Q#FP$*snA2CanDWCh}>d=bf`?Gi!)EhDzq0k`(Vrq&K)t3Ydzei6d7H!YyA
zdFA^<DB4ae$MZ~aSxdv&`5X2~tNCl3qsR*No&KZ$ViJAk@8MM2-SdJ#WR{henHheW
z<GbNU92~py5DDjB)R2ttJd-cN+WSwD$%%<q{Y~{=Rc(&LF?sI#Lesv_E$WTNS>5ew
zrNd$n3f=rssy~IUsuhuVma9Wkg{Zg5VmulUAF~PgrD;JF(hhN$=;qL5CuUX`qm$9V
z8}^N@PH^J)U>Zc{y)>={hx(NtYktdO_s&8%tya=<w)<cjMz2jg_sja$<b@;Wy*mnm
z5YZnWC~W&<(N7O<E{D?Vw6o+SvF{jJ8XgC&xjZyR_gS(0hv&H5*G6756+`=FYk!Tv
zRiyMx05P3CDEgbt)A-!DP!?bX>xHaQsg!j*Y#3OKRU=zL&8-$#mb<?u9|kClS?6=I
z;71glq%Hqs&F2x>d+f0(Zh<kgS}s-h{Rz|qSpa9<VEoP~9!2%es)&TTB(d&?!#fA6
zPF*W>K5g?o$!c7@Q+jzhxtVFNwS0oj+$7!>U)Aw#^24c7s-$Au1=KdyWsI3>JawTi
z<tv-EtwibF1Q%p@WmoelQmQQXA=fK&#R_WWvDf+!LjMrwR!0lySepvW$g2u`lUa6r
zy2!7wz<T@_y72ytPkX&Z!P;<AR>1RH<;r4(U{NL|*Lo-7#b|p9ZA6XLsIMnO@97q|
zXl2QjxYAC`=mg5E?ncY8+Y8Orj-!WD<(XGtm9gBxhes7_NSDsh#_WqznKe>NKnlC%
zgnK>jIGSH&wLcKtrCjEUq-n0;eqruxwxW~!Ye<kiw!0cj^gU#IYLs@Ev)~2$yYrvp
zuV%vDqkX&K0W;Ei<!O(zC^+PK&3&v1$Y<~n<gt@nZOxN#X#alWdc@N4ytx6yJ)vHj
zQ&n_Z!(!1QRfE4smNgJ2CTN)npWNibxWkM%f;J1xfCnaCZ4OtqYQ61=D;ID1c3ssN
zo&Csa3b{QlIq-tbT>S3b8UOmno=VzsdSQ*OXfr$kq1y~`lRjB}F3mGw?}!z}?s3>P
zN<(v*YJgyQGA=FI*_D0`tHyasSbIo;Fzz?z@T~+2gnXomzU#OkIoi`isE<sxwYV^4
z8j7(wet|jju=nwx1?Rd{T79j{bFl$Exx<r~>6g5-t3hqRU36fN8X0NfM_BTKPFF|&
zH`6RPi8p0mul#Nv%&P5DOno&wZw}Bamm-8+aI4s1Rc<n*Zo6ZV`29OLVr(l_)AB?t
z<wV6A)!~w9gi=AYvPu;EH#t18w%;>`meHfBfz%H<SJOpOZ~OuPij&OL1`CVi%EQ#d
zzJ}MD61%~aqlDp~GDsWIY>w`h!)dtg8-BNATfH{g9BsU!pp&>HJPm~q|5#V3z>`9F
zNW-i0fY!Us{H-#!raeIA`6g6>v_VV1EMl#m2=~&{>**Gi=H=B~>Eoe`4WhE&SO|@O
zvPyk*zD25ZsR~ZBSG7uOC%!&A$IU`XYCZPpZr@1rK>`ZHv)ewAt3S~?5A4`6>Lw4W
zIT0(kp0s`3dz<5hAWHZ#3C~DcU}QFZ=|~DRrl~46`SRcjO{-3hi%4~2p2p8tp=spR
zo9nDv0`V#wF2-UX^xbI)_t#PNyyQ9=Ia#FzHpv3%HtM5A{E)p!NPB&S7aGY;;k0?r
z`6|M{e8LMPxbz|4GlaMKa7%{?0v-CjnHlvrVN^dKDBy#U{P~aVDxi(14fOxN_5a6i
z#lLdqd|@<viw<a-f_hvKRdFz7sDsI7dJkN|NAYV19qN(g=RkkVN=^H;Ng)@34D;Tq
z&ZYZfzcXfVCc%D8aUJg`6A1x*?-NWW{W0n>rEw+SBg~>~f11aA6Y~9lxco(#!b#xr
zeLp_^+Ga31oA3R?W&DdW^~HiseE_MX{xshaop|rL@nZf(nYIRe4?ciYB!8OQ<{HDl
zcap;YqD&Xto%Zh^6o(Y$!kH1r^6`~;@xT9ZG}7{sz-m5tKYo9_pC8&nIUin1{Et-M
zNnj1%zZ5k1pV$A~86x~)pyGJFZfyQ&Dv|G8s1JDu*WKptMWF>6*sIt-J@qgM&3SHW
zE3YqavE)2kVi_L5O8wIQA-E7V3mh}iues93>^5Zes&!|2Gf{4tfJ+^^rKAyO)o9ll
zLiEs-Q!|wU9`*tD9{@(2?GKEodwD#oqv@C$pI@HYI~a%>c+>~3Oax*=Zp!J%CA;rT
zhk~35i5^DQ`!J&bAc*~~e8amwrz0=D>NAeT!{`B4Y0y2L$)wkf{Xi*~YEF!5u@Koi
zl(D9hM^%O~jBh!*tRM2g@jbvrC;L}cJgi!su36sZYidS!PLHpCa}tIuYz%D2(;etd
zc2+}63*&jQb5LBhsy5w~rh7a&)Y$doFB5oBgQ-Bi!;~|4u|1Yorj%P6cHT19p1O!d
zM3iZ!I<*pMudt!qyLBveA)BIZ42*05?Sf6G>W2nsQn*wF@CMi)Q^BVpdM5k(F~{O~
z0O}8hFI9b~TIGRr-Jd-qVYhiLS>Z%*4L1024d8+gxRZ^hw_DRnDt^DMHlR@_ao}#C
z3cT2&Yd@tdwUmNsf=M@zRgS5BaSj_8NMkUmHH^>&YHvs99X7`NpUx)vY~!))UVL?O
z7s-9Q*US|t<)+_yq&!On9F?3rv9y%<b!cBtE-A7CJ^)i5o!<YOJc=~2zpgXAYrfQ|
z=RWF<mnOqgnmeR8ZU!k`@jP(KVl(q1X1Nxt%VyH?vh0^94}LczX*;(&^}6qCjiPK2
zCSW!u|Lki*eqKR5tA*3&9e|Tp<CEW$Bq$X5uIN@wVA6B{>b@@fBdc^GO{-6j4QSbT
z4!)lEX7mkxq%A;L7;h%tr4U9MAm!NC)zp;NkaoAGJT@?x{c9)MwNX<lQN3J-eA`#>
z2fMwzlWtp+CTxL3xdPdfMd;Fjc3WX~SO{l7&53!VS#KC0W=%&bk3|`vMX=}xnoCqu
z4#)pim=Vy%)80v`nd(y;&I}$?hK;<To))^BN;c%~*VCb0v~Ah=_T%I7cr@wf3l9pf
zw@|FJwwtc!i&N-R$@~HaU(ZG<>YUV}eH~8&X}oyiI?1|bS64^RiRbicIKaF;YkKg_
zoMS;9KOncFlKp8Zs`ioEOena#@VCqkJlR>jasmokqI!>3>}+dCT(_K-hK7=flSonh
z%g>_}kXR%$29&%3&F`88*+jMfri;me`yFk45s_wTa2#x;yzQ>F5Y8;Eke-#0(iUGM
zzS56HQtfk~O5)hKGnjkrSlV65!g`x>qj|O**g-3@qh`07W}+|x*bKyp>2Vlv<wm*<
z)THek3>+Q};Fn2`xKz8fFm$lmyXKDL0BzZ~r04dmY*$ARYl8KP_KV&5E!RX1=<8bE
zb|T^U(hJ%H{UeqnxL?0=Ywg21OUKjKhmeE7>8k$NldnROE=#0g*^xtpMQIzj9J|*e
z0Ohyy_6o*KPLFey)Rr;3)8i_Tt;=eI<s>={BbvL#+1R`1j=8bgrhfg%(Sd=}eOo7|
zp=Ji*E6k>=Kqs2#fj3GF;%7v>fGOQ+EK0SUfuD-RS{%WcmVqmyWRQvkZA}&^L`1{}
zs(G>n;@Jj#D1i$y8oSfV3USCG0jAHcSDhkCW2XQ-v02oU=BmdXBeO1Uy5DGMe<6_x
zEllRr`r~YA_bEuccAc!B)o+{}OeP~9%|gM<*s|@r@p~*dJB>CqmNOMe1nzaC&pipT
zt4J=P08v1$ze+1Eiry;9KyF=<@d|BgvpN4LF+8Bj8=L;z<=ZY7`2ungnkM_l!;(?A
zml2Qry#@|VO%16vp)1==7Y!aaf_?*ALX_hA3`)(r&Elc_HTxT(*vsuQBUi0e`}KII
z4%R6ywb{9soEFsA?TpYE!R=c0Qq+=>gWc^x{&1xd7|WTx+9XM(hWtjAlj>wD)WFbC
z%B`cBok|r-W-N+q8IwYc@WF~h?1T{U5`Ohkd3Fn>)R|NJp?FNq=yF;GEn%z9|D}v;
z{`?+swWO4-D0HaT&~2FK+YHGvuS2J(wqhDSXi&$_8eiY2LSf8^{I!nXx4N3{B8Pz4
zzqGQDtG)QMheoj@A_Ijg{O6uE35CnjFEt~U^|UDEQ-uobZCXgweR)S)(itm{Ef|L#
zdvj=<{cSh%y&HJBraV;6<(kKv1EtRA)fIuig#lz_nhZ_L*{I;li)b0uI0zlWy*<=o
z!_62zhmv9Jh7Wn<NI%nL2%h4~Rh}k5r~%C;OAJ=Fb5J)nqFY%npi5{Od;Yc=fRX>^
zix*eMwi?L7{O@p#_@UsDmcDY^1E=(Im!fK(7dvd1yD@#^#MyFpKd&XO(U~2i?m&UI
z+GxmUsMJ?K7Sa0LCz7aTE9P%=z{X}igKN;v>YCEB745Y4R2l8K;&xr`Z}67t$1?KW
zbi$Z+!7pql1u>_ypbtBqsCS1sUhSYVu;-S%mdGHFuXndvF(ENNRUo9$K7d{zI%PUn
znT{QbNqn-eGXuG~8qybV-e<`-9Xq(x7oRkEW2zkVmISIOYgmYEFO+V2y%T^KlVmAk
zKn62l6rcvs(#n<%($uvKTrehO;NS<yA3_TYL@y(*)EwcIY36NWXE~_OOcJ~qMb2;I
zC<f@}5Y5;1$*5}OLNdsQh~6lf)ViO8JDsl8J!t5SoJc#a;1NfQ{W%lcH)fl%PR`y|
z?yw9AD<Z|v7D)nFBM&5B_z?=M;;wWaS^0Zo@XOP^t`;A-OS)g7!-y6i*0s0lC<%TR
z*{V=I)>K=tVc|>-jtuz(1S?Co6ktOCAH31~6#+bw=eAyW=%V#ADy1TbdfpsEfE~bd
z!(ND)MXfJ<vyse2&#L7>0?_XMcmrTRQ)ek{G#|)zD$87ZiETK0zG(3(;oP_VzRx|i
zG$q6q%XTU1_`9)wbabj<sgb+BThzE%zi2m>l<J#}r0$%GiQ%b|U7l>kMkz{OUzDN_
zVZ=<YK|Z;}&#)zagJSGenkf^UWbdA;{M^<U8Xcz8uwK)cL<1Bh<zJ|YBZDXpk5x*t
zpA#1p46fR#%Ro%JH^CH5l+ogo@99*j;&<}c{b!IFlbCYJnJ1kkWqat@3WkzdmC!KA
z-F>SSCJG_b4Ra>+&BCohy7}<n$y-sQAbR496CM*!dcReW)2o%m8>mIdA5nmt=CVfU
ze0B+iYR9{@>&(}>BIe+D&<{;E>)3tD^hERmej%Swv9QvtCAjz<;_1MC9xwL9{njJD
zi+M=q)tj#K6=SRKviuflq=1C#y2R0uz>9zNpuW$W1(xd{z?c|6Kaz~chS(0OX1G^F
z-BGyTxZGo;`U;ZR=-7<?Widi;tX&@9v_0+7FjC>_dIQzb^jw6OaW}|Nf_p!T5;xnm
zl0GBRwDQP$6hU)+*LKx&b@S$Yx4-4J=Ct%Bm8ZmPgPuN_Q;PVls$0pR+RmS7$H28r
zyfcVgVH=Iui_$0$-R~z$(sW9dLcuLDB^1q8ee!q1#Ok1jG!Jh`$h!L4Qb`gg1tnQ<
z-#1c9y12*3jkv{Z0+_wZs(Y|Y8VPg0!CW`6JTj)J&gUf7CUJQUQ+?m!>mwUm5;QcE
z91?B2C9xKc`AQfecU}-PVX+)~r3B@;1E{M_^=uu_UH%FXeV_UsnNcr7+9l(jn1TK?
zk=&jzjAWih1A}fopG<XI2eWA(286GuZV~=shdyU`PeO8SHR9iww8{oFsS#`3Y^UUN
zX}UeLK{WjwGrh_~IIc|{e9z3&U8W{vFj8vk5Kz!YGVS%DXnYnXDj!A!mP_qiPSh)1
z7YHpE!-A|#O#y}GGMY!>+FFgw!y;OL^Ww!1hlM2m4aM}l^lQ)<WbO~|o28Rl&7khS
zUS|z?Jr>@s;Eb#_J^>oI&Ij9gN*`}uXlC3`2M==Q^&%2>3=FKN^7m@Od5qUgLh7S-
z>>YO8?=LPgxhy@;-74O0ozxxY(vNq92k3L`(GugPbgG)!G@}!Gd4b_VoTz4Ps9R_b
z6SQQ^9CWHG6au!(rlc+tl!_NfV>(q0NGHJ~H|ZH5_#iKChRo}T(W8b5bNI8?)1)T*
zW7LB<2*}rQkd3J3%=~BfNjJUq$rzHXgz_%;s2yXbG^~>>hP4X9`*LSdh5Vl7psN8i
zS0^%lHu079y?b(djH|o`omrIArqgNZlIIv?-mP&65|n!7d+DplfQy&1juM!%+Vf3#
zIvnKL&CY%sx6%dIAa(m_l}5N;jJ0R$d+CkqMyhHckdgymu@ThF)>T`2=~gH)i(WED
zfYVX7V@F&;yicr;npZou{Q$nm1(tMWqv>6FnU2bX6zQq1#M5ScmtsIsCA`J|9KB|Q
zAOaNzeYWJ2IW4*yfEU@r9$v>qM+5b--QDZ)#o%Ha*9ngNA_vK_6?WamNKRmio0Ow%
zphnx-DeFVO5pxp<Sw`1Z^v&&{s~f$+N_A<uR#S_chSA-;7UZ1vK~!w-mSc-%T8zD^
z^B2e_jZWE9dM|RIDhn3T6*-KA_2CoU9R<wveFWrSNK>Wp*ffW(;@CG<ODF}E(-W%I
zPPmZR*jzM@=~p7l>83gK#3@s9H0*6=BLQ34Z;%E-ow{5tE4So1KOOyN3L=B03fc1)
z&7TktqhJKcADnZ-A0KHlpn8<uE2G;N$Hpd@9L77s-PA^)@>gjT%vyCLtZ~6c32}ob
zYAv2*y?;u&LKC12Fb!?rl!b1`*=#<7zg<UDMUR?ra|vzs$CX%aJ8({&PAT__$5riv
zYF$*M^x)LB$)L?5J;cN9l!+7gifp3hfd0=}wE&X6t}3uP5Ms!@uR6VivLz17_TX!*
zN3y^vPe>bPSkMSfGdmmHzdst9JvwtWu{a22c{%HA!7VLbTKYDGpFXoSuzx&se4LYB
zz>uVue4A{DfI?rdlTkoZ`32ykAlgmFMnVH30K14eD%Pcn0Y6$BnktG>-0#P52A0nV
z?;27F&Lw_B1p3C#LkyRbOp*nnB?*PhVHQ#(Nz5)FM9D)Ml0gd5&?m!>DmUy;qtZnK
zK=IEb4rQ}exz{k&B08!Sf#z@rw?(l4Ml7`~qMVTvV%LBLqj~fXoYHZ!#$JMvrhfo7
zVpQRT2VBeoy>7=%NTf6$Hs!y$4=R>Is0a1~={rIB()n~qzwm9M3OeD+tG@(QfU9)*
zur&6zYX`tT<yVB*ORcpUs%`3>&lUcsl0ZirLc25|X-IYT@H)_|G8?&cm|j`5IHNWE
zADHogk5>{eHm6~(M*H+SIOLdmbm}D9<*^Y8P118$xxwS?v<q+5N%jG*L#{NHVkqil
zb?)V~e<gD|gMA`pYXEo5o_0x_CiE(7lauh&_$vTaL>6rT7&~w?hg7F5q-K1OQ#mLs
zhgOrKfE>CHOa|Qs-}0CGWanlq8xx+{&s<heYR1VVahcmdTMt>A<T#7%%?4gK%928{
zRGG?{<=WT~xTUS+yo4>V9rcGjtmGk6dSv-15U5ue9_QdQ4tL$u$>oWpV)79kx4EX{
z(j9GWW~Sa;w@Sx#fgf$v^l=zF{UxQgwwN#vl|->;cQ>o{jbhxfLcODH?%q$8dF_N9
zyo`X<j-34PjuqFIJhBJRE!M~<B)|q!NF*q3TD+Hg&{awl@GuZ<oYodf)elHOw6W?&
zj7Vt8zd(oJHC?bqa_QO4NDJ;u+X>xN``PPm_u7k|^wGhpB85?Ti-`JTdfsE|?(^E6
za@oTrh=vmL97~FQBIUQhoM~ia_hF6R+Dz~lJ{~PAI`z~3HyOa{Y0NnR1*4E_dY2_R
z6;(;?JdXW5Rem+%BC~1{1sS3tR}Ffo1O+9tl3zSs9Qv@7Vsv}ZiTYRNgOD53hNdvJ
zs>?E&N$uFGxXnl?6NC)%R|Ron@5J$18@r|fv%(P#EhWROLfCL89i4L-(~ujrrWL`X
zjb~8#`mnzRw?!1QAy%~rIs~e@G-Ud+!$f_>zkZU3=eY{FU?k&z_3|ImP|{Gdtapu8
zjE_%Hm}mVCQRYWzI62T?fTo(=o?*d_>qyz8qE$UWwaE!fljO#e=Phv?w8Lp>YI0-X
zEL!gn0#~$JABq%QD%###$YchXx0NHT&K`XZa|&O7#+dT|jN-6s<ST*baS)YrOiur)
zFI((?7||uL;3Xa!&$GA4tbm(%jkV68aC9<VdBslf8Oni`Y!ys_*xO*^sO4$rrRJD<
zrGfpOp+U0=fb&tA7;B}!wYPQw7erCUUTEA(GA21oyJ>}!r`_yT`cyRy7$bpV-ng(9
zq8Rm%48`AS44S*YQlen4d4yPE+={#)%$g{!ybB;fnQWES-Wo=PeY?k_gh?LmgWOJC
zQk6Sh$}ES-&>kjAu&WKV3bbPoK(1!6$3rU3V6eI_FX(pyw^^+mj}`XyAW5;gn*K{@
z`S~u-t~kX|XpSY+=83luF%~)HS6rj`@@W}4js1wKnsk;ox&jI%w%>2qjER$N7~)?r
zsO~@a5=f)OF7rgX|8i?mZ<RROzk5uEt1?H4yFN+bY9dJWm3h9fTdu%U>j{DKGD?t#
z+?G!iIVI_`*(^%@#<B>np;W8+yJQ)XZh(~Pjm|8@es9$7dUN6z-7Q#FW2g!rY_?%6
ztfLmPPMK48>n}^<E*xn=X;7Nk+*<_6%>ZGP|4l?Tu;9&wBdT0yF69%CKWt=7-I~MH
zWq&)57j!0ClYHL^_xR&UAYjF7{AOoo&+A~&pKVLu!ELFyxU^qWA<~D!81EqJXGq+>
z9&XkU-_xorA-zav3uUE`nA91<vai5SwlgTl31Po34&)5MVoaT`QPv=GTZx=JHXrR~
zlK<8qigy}<`;;Z5S-!`$!q?vH`t=h2CVFg2_LMLgC>WwG6}`is2bM;arE;32=L{`r
z=Ezxnf-NzAW#9|veN(}|6`jqSzVfYu?b@r5X@W3F7AZ{`PDg*8pBMmx7dr6Qimc`d
zl9@hzTe0E@!BbO^-b_k;M0E-~$u1bNGB;15Cz=$K)Lqo-Fx+{;UXqHu?5uhb%*LK<
zAiiLMZ_*U~d0_k$K<Mb!KaZ#X<Y$Z}NHPl|{tpOC_#Hol+fYikK6}*dHz&@XWCGW#
z?~MQ6?yak<#nYmvW>s7J>%M?f8M$hUc6J(b?^RT{%aKUAmDgK%4v7H<1{-dODk^r-
zRR4qs`Fsxb;bU_yTbAw{cu=UqBD9tK=xLy^@+Cx=*zPL8sw3Z|%X0VYtwk`4-PG)x
zMk_sGC`d;yW7#28S}xU{v2wIAIUAn`WqUvU(vRi<r!ncPv*9$(s36Uw7%NDof2+=<
z@l&{od8%j`n<Nq@*q95fChui&rL82)jNC+S9RL{@BwL4KZ0_U0Ymy?F$6lUQR}YCi
zu`ae;$Od1}@dfY-JP#*}dkfY$O6Md;aD<k^!C*V!<`X-^fiJ26GOmzT_rN&jUM7qD
zV`#>mV4CN9{szD!7a;T${7%W1N5>C=H}hP|qmmSAw5b2XY}d^Z;V1gn+_%515@fZW
zY~T!TqvZdFP-`U_IyiXXE85+#8v82!XD#n@O9MC(FL-#?sy233JTf#eaC~g&jOZ=;
z5;wB)+<4mUHl$xklJB=z)6!652M+V?P2vuK`r*HwD}A2=k?$W(5-ni^yJ4MPmUU|V
z-az|c;O=Wm&HhgcA36{)!Ig3lk)GZYzfnyP#Gp*4<D>TKj%FsFgM-bAeRX6H-CS~X
z)s&~{QazV>Fzyflp&d;WRM9ZQkh|CgA2v_Pik24}4tVjkp~*dBvuqLR#foGCRWwn4
zE_jyT<=?a$Nqh~wNSt)CL<55;a9Fnc9*fr;>DjsX8O=I_F{{_wg8cTIppvVrJ_edL
zuj5xd3sZA^gtT7SQ^;uFvfG@>P#Zm;=#g(2FF}}3esl|Kjg3Ebk2VBGj7WENe)dag
zM(s6jzI2-<lJ-aDzgSrR8_oEk0JL#|VsWz4@oaa3_x5MQ3v2XLmRgh|y2QBkZ>NzZ
zrLkFFlR7z7)bx5ZQ*q=NnM;ET;oc39_NLPE`)Z781h^~og_n%daa(WL8<Z=2k+noe
zuueaCUFQwm%57<rAUv^w1WQScWplgSAKE3wkB}Ed`R@I{)by|L<&h@yZEYS)j?9>E
zw-5E{wMF)g;>0sUel#FRL(L{-xE)5gY*}qB-ui>AO(L^6<&j((QjWKqSN%NpOUo5r
zF2YjG&;8%F54&jp4SnFhfCugCo#9KRpL!ZS$!@J3nrAlL-b6Pf0aE(U;P@-5;dL>n
z26EO!k0&u~(Q9}(lU3=Z|9BELr23xH@Q=z4qx*rDTyIz<Mx<9@ZZ1lX-@z$C-^C_a
zOMtTv^(qv<kKjmK+;1+--QihSJH_(uUe!jAC2i9zNv4n)Xfe3iCcUxxBK8c@yB&lT
zu=qxl4s6wwPi5%c-#*wGZKu!ZWZQiVm<i%XaOX3-x;}C{rMa4Rx9_cT&wJ)4CY(lB
zBs~OtF*|oQqCX1X;mqfSiW&D%#i%x;&a69C-=k5b)lq;2A}9O~3i&=)In4p+;-+d&
z5VFeIDe$VQW1gp!ZDL|!M~AMzYZ+~I<x=IRkW_^EMq2A+>KLHKkU8!`HB%e?L+l6s
zbJ64cl5tJR)yW(7%MQTljLllOFmfPk*eYp`#eu*dGxH8GH_S%jCHWilD+Gpr*N1qA
zbpkkHeq@_4t{JEN>oXeGDz|;<z;_N`8BW`L5oW$<hmrU}he!Xby>0)~bf*O20Lzb&
zF&m(PeZ9lHmIA9W&$&0Qw_d0-?9<bW(q_gtH>Y7hJ*!tOCxs1`%$JWOMv&fwe_s6g
z^ptx@B#@hDyLIc4s7a619|ZQph>KbQy-fD6X8oT8R9C$pHy@<`g(T|D4Jrozf7QwO
zu`LFS{G^5d*jLP_YnzyL8JG{5p@=`YaTBIO_})(oq1dNKRx#_s4>bjp5V^c~@~<H}
z!Jxh$3Z=Y(<$gwr;4?vEyzjX2Z^z{fp*9~n7WmUKhH2sZyiQsT2wpt6x#Zr)_X8C3
z^^->$G}H9wkA(_9BLk0ybv53P!NA`X&H&8A4`E?tpz;202Sd8|l?vYa;JkPw0x%9A
zCW6A7ajKuXpnJobh!(?Asq;YUCuoSzpDw-vQ5R5v+*z5bUFeBfm<fP0Oa51wbHu+{
z=CulO$Y`mhutha{jtcQ8XjoJc$gQ2?Cs&k-HK~lC5^2)#a)Uj10YkduNynQzg@J_?
zy;jNMeoXNFx`yI!kFoj+Kclqwi*%Az?!L&Rgp)2hAem)@{X*7>wRAHmDi>8Yt-jlX
zbzC49FN~+J*#;9S)yb=``wSYi``-l^^DRp1asH%sDP1E=tt^gRsaSh!T7i$c4s<Z@
z+vkFA{+LCKJv~152y?%s<JzTCY!YSCN4qaA>C7eJTXD87UTPO(f|F(GtTvneXj=P6
zM_3znAsfE`sdRuB{pKNgId8Z(?LRqFKBZG*1F4uL7maH7`CBZ}&sp^{r5x0$G|FFD
zYSM}drp2_$gCPnpQT4VCRncliw8lhUl@XoaCT3G$Jv<+KY$E#w68A56hBDnw*&aO#
zF9ZHh-2pd{Np7TzQKj5Iv?GUk!XTs`22NiHd1&`eb?VSiSiDlfl1|aOG&@^jTXA-2
z>!1{kQasjBi8*ZGjB-iqB$~^Hqe_YUNs=5wSf|(88P7esUsT10>iLhmAk@rXV^V2K
zJ)weH3(+Hj2@q<?Go(7vjR@G;cgjIu2bjLn5}1DJwCoAJFW`qv)Xzj(wFYUqqlZt5
zhTiMx#?rk-gp<DhdZ+h#oKQ%|BW0EseX7uDA>u^05+>Y?gflB1`-Xe7xMQm_l5gwS
z|77Ws*#sLJT(JqAbXKh>%XUlqb52t6S~AMc(v=&1h{A$;1K;J#{%3@+b$CwY!Fh(R
zUR)C4oCdARI%l;0h;Xlkjw`Msb(A)#qbe>ukDC%eS#hyijo}DMru*dFlG&TKowSov
zEAu(~|6%tc;2jO~#C<wUe=+BiyV;tF)a)={$g#rPmT<x@)#|VusUF{YT(T-aYIw6T
z>hBDP^J~5S)#r=D@%CG*?e#WF%?xivrR{YhN`8(<ZDg5iH7Cz?rP|==h@UdoF4_nv
z?;i80Sly4Rw4_|?jHh4gP7&=HGXh_W!gEU39+{R$D!KW_kEm2~KI(zMhpwh$P8kf0
zpf-aBixuc3fC+({n-5ACX1vMaXs!Y&X+Rt#+_1te8q5pn71I!(2XEsG;xiRH-Sf{j
zWuJ8iJ})1s`wf4Y9jYUmJ!eOke!LPi1Ws=C7kN}ilP8fDE#Rcgj`{Bdt#+*pm<yF?
z^B1O$Z!53cj-IdVu<awS8c)VIe6B>t30{|{l^hwCw<oKqH|xT}&!;yIIM2W*%fE0x
zHSmZv&@+iPyy#u4i>!c}uAjnyJ<zx37;qfvr=K-#vNd|Vus?EaH@=>>989lZsVsHQ
zc3CY1b?|s>IF;2^r~)2qx?5N4o*eo|Ez;A|rMYf63Z@R`A3RH5Zcb=km@L2jpR`wN
zC2;GPGY9MID&<wzwI%nntRYJ;`>k8w=a%BV`%#!k*R|Plui+=*BM*|6mx1)v4o<KK
zCrS3J{l4^Pb@H|+`c6r(VEwhC6Y0sKI<M=wjWyG51MNm2h(rngvV$CoQUdBi{(`Rx
z&kq2o0~LM*EeZ&~iXb{IE)-c}{o(AxehRN_Q(W(aYlbjViq-O8ziIh!E%V{^*YD8r
z*!XFM)u@3HqyxpL`oF5kcd=z?+88mA<KFUb=WPn18Wj605-h=V_+=OA&2oF00mSe;
z)M1r)>KzxVnXV~XM*JJxalD?&RU5Jvo%*Lp^j}{M@B%#=7`Q&o#=u$@E&Y}_?iba)
zYG``1yXkB=NV!S8(}aDMa@O>ye3U)R$N+oQVu!U{TYo}7^@#Bkza4L3-mYl2I5YR!
z!mCr1uA6JsDRQ@c%QwR0c3H4oT3lL^*f~}QaH!VUJe5$+0{yqL{uex96!is)&$?bi
z+n|b}qnX5k+blu2cqhkdynioI9{Z!F);<Rcs{66Mj6G<<_yk&wkiR>2wp{O=;(l1)
zFESzyp{xiWV-cY&DRmu4PcHKYCF44^P_}!bvbI5OvWY^~)N2Ce>_~7wMKp}M*E6s<
z^0Hp-uw-3+ehS18Q95FA41XoSCSJ{uVZCv<(DOMk7zM!%1>CG)uo&K~AHNx`DMhI)
zy|!RI&S<>1J#dHgostacjD|nA;XEV-stHWNY^u0l4Y`B$#8454&DrKvyzc0Qkvu`h
zZ#tnSAj$x8&(|(1L@8_O%EY?9^93|5asOrlsy$|`A@Q34^1%Aq<)1mudK*+$C6qJ`
zgAN8L2EA%)I5f&8H;)7$Mh$K>KzaE=)N&&66EfK>DQud_RSG4WDip6mZBk%VQ&14&
z*{0X@RHoXp>T$>U%i4~{;uJn@zZEfWHFN~l6X`?&1j`$oj82b@@@*JTcPBh&&j%uy
zQW>V4bi`Nt1A1Udb*ie!8gx3C7(xHFY_v%cMbSL4p}8H^N+g-3)YarlmHglpN#k<e
zpk~OmULIEm7*{(~ma|7jib4-gW&ptk!uglIy(z!Q#4C=sw+UnXOT3eUAizofQ@x3?
zA0~})o-$v7t0Bd)CqI}KJ7OPvhF`|ZKm0Qk*PSv81wx3G%pl498y5z2!tGmr#k%`u
zY!^#ibC=BYvy5n_cuTg6|4C}#IL0^fm>Q{|dU#d!GM3oGe1u*|YgCI+7*aWF39M`t
zG941%uH?ji8$)@-jNcQ29YF33zt#x7)qOf72zca$42mZAL*kHe%$>}{$)S5qUvHsS
zFJYltcEtE%*-^EMg#yUY(jD#G_bWBZsAdOE+PnqI85GVDQ@x<?(Qca4n8nkzRM2gS
zF7Z-bP9!b{<CUc3)zpw3t0>}+ck?1w^s}ysx~3QbMHN;lUaMjG<*U1WyIoxmA`$Ei
z90uv5aB#=Z(x7_-!=v1u+D?~=Xr}*7Ux6n4Tl>_?kmO}$H(^EHq@<1xU&qa9=~{5*
z>N5{<#-X}C5~Z|EOA{l7qycue+iRVrM8PT)kDWGHQ0Y5AgW18m%ayf_X9%m4c@#UK
zC;Ni#v8d7vk{J?ubb$SP;I3X%H#`1DR|Gn7?U#DIJKXi>9@867U@=Ps?Mu!6Qa0AK
zt=kx6T!>68;0C`p>S*W~i>Gc5?>hD}Ksu<E%jJ{W@~{w<EAqi~dt^<n!$bNHWHpO*
zZnzNhTkqry@T`TeZFs54w+0<-tm)?v8w_hgvkw`B(Gq?+uovgIb4~4G0uecAnz@#y
zY#z0*_c1#XeFGwqxZm)+1~XP%3BOU4oUoor^!+#Wg!URdH;^0Ez3hNkQ=&aPNFje)
zsa$t01J!lMQe{`~tf3HdE%cf3{H()XJPIp$ZkjwA*!FsLjBXFz!)(}PMfcUJFS&s7
zzL)3ircR~j)74G@u4F!KIAzfCIa<_sh#$eKj4x{+EuJ+t9Q9Q(q>q?S&U!4Y1Y6SA
zY@kqC1kkUdCX%`sw+MbF`e$=*8-b0>dKtDAcG0So3sqFT*~m5#dWn8o?tOiI-{=Ws
zF|z<vz`B(DdK8<RSzNqfL@3PdX?cU2L*EcucUCM(2DBVxgT1BI5jdfVi1G{!Kr1@t
z3>e}u$R8FQlSf{u{Co&fJ<@ge^ooJkU?u`B9_LGEiWSqAc5JO7o6_otIF}tI;ulUv
zvZ#%zZVOXVQ)?i1rEph{4q|c2SG+Dj4kI!~PbJH13X~oDrsApa5-W}mPEtw7_D{Dx
z*8We9S^&Ct?RbAz1(O&-;X&#wc__XZQXYVuCg*qWd}n`FS0bFS0$RXtz5Jw|+{*5?
zZyp!%O0naL!yNG?#lJI;VYqhTR)bN=T#|L+lb!jdg?^VHs%5P<{f^K;&H4Ea!hpX6
z6%PID^7rroT!eHJ7FqCso^O55f;qB;%vcpFVV~fm;SHF7{zCgqkcBEa9NKTtQ{$^8
zjj}iID7G)8U9x?Tt|YPzc^-fX;e+75Qqv-6Ywo|K!<>+yt{~JmDE_TiWxkjc3G0TW
zac8HN2Ru(PrxcEVT&iS1MnPeF1!>Hng7RDNcb5nXiXnU3n1xko`z~u87M$xQwRunj
zhtg^ad-hvRWRFcH8IIfWl_OQH23s@T&VIw1rtECp$7hKYk&(3I%(;n`IrmnZ-Dekb
zqo{Unwe)@i!>FsID{FZpQVuBw4x9hukT3z6WJUS|%m!ytbkk#M5)zRUWnAUOJ<Z3>
zLSf>Wg_X9TSWuz3VNu%MX?6E!zYZr0uGIzfkv#5&-k~XjYxK6F?vj(cziw-@eQ8Q@
z@S(YVxUM7D3$F0PPqpy-1+IZ@exNq2ROl2^lSkkKJvd!GS_)+^7%oPkN1kP^$(IIZ
z7P!0(`bI9mt(_9$mwz#1*SDV1?W|m9#hKM-dhM9QHbaN)!#PE_oTQc$4TZs=IHeqy
z1f(8z-Y(<uJIF*zNJ*;?%Vpi6{<-2UZEFFg0?ou(5L8i){}+G7r*u9X;N7w=FZkl1
zAeK!elF;5}*8MAuWG|}p5P<ex>1KLIm%5e^pA6-FV{4ag0n?Yb>t%Ct3aYZo;*h~>
zH5By<bv4Vp_90^-Tqpyj2{bN6W+UUqN}pL0YuE(og{7dTYz2U!qsetI=54w+|MzI6
zxcp@qEfa$Zj^kPKoD5vbVInF-_u;)H)bNPr`^``?`0WLwOs>7>(8CmitGz;3S66f#
zj6|`wu_%KbeK-0>NjQ<WlOsMz{ee4pNT2`I5+d$<NritNJ420@50>M2x%fP|zRgt*
zxZ4hBcsRC<+eyNc>gTh{khh{%0A!H9g|5oG6HoI_%AXb8#8DqQ0)P||DC4py=ufJg
zr6_g8RjnZS=;=E{>0-2G)04`aVd7*2<&vY)x;OO@Q8!K^;>D>bJJfTlWMhLLeuXl_
zzo@}{KRRlm&EBTCN`x7BqF_eK3QqDT+T3*tH8k-_dq4;xL5C*XN2%geqUoIDKkpej
z>$@W`XJOa4n0AS7`V^^LqaUJNezlfA{h3I+C1&iGA>4rbFp0f>@EmY|iU><(TG%m4
z^Hs&2q2JZo5+%y=7cAJtFUgT@Ece2*&FhUBi`py&XRPfnk=HWt*vj1J^LThWHR8hh
z+_zes6ZD%nT&~w6ENg_Sk_*dP4=2)UJS+3p4_M(26)lb(i?vtr`O*N}6PKEWTho)F
z4r?YD@yq*tCs?ijI?nJ!_&GH%aa;d~*?CM@SE&Gmp1Q$jQoPY3KA${LZtv=$F-@u|
zW)p~vK|Xoacn*_duvPtcv&lhv>ZQ!RZfN%_be#5g&<<-9GNveB{w1T}PcE;L<d82)
zX?d?mCkYQ%IId>JTqnUPUyIxc%r#+Ahkl+Ls$Szgmr*Mhk}jp(CBQ9b*1pb)L!GA~
zV@vHFnBlf#dQHiF3J`A$Y+c&1ZdSp?WUE8H#8meev1lwr2${;R2;twPDy5r5cB
zD>Xw=A2eb*gn`u*av|%DruFT14T0UcKA6J5z-Ve}B8*;he-s&FLNg4<N$nhPb!*}B
z;L@O(TUxgCJWEd<dd)~qCJUzeKQI_H!CxiIhZ{jIP&JV~9-nYvlE>C2ASVO7<CdeT
zA1@>f2_XYRz-}L(0gO0dEuiCfkQ3R4z-@9p@on|G*?cFD$S{6l`)L`c!aZ(othS-8
zW24Bw29j7RV>))g;m*FUff4WCeh#GJMccM>nh;Bf>3^jVQK%RFe4ohESAWL04DaOi
z#_=Y>;s||JR-19nabo%OH!IjE@KXnCEzj3QqyA&`wnw?H2fIQNi?yWXs>M_Z9E;=x
zr`6S#HrKJ)L(HdWJ1h53o2(|eh5xDf{qh}u<hh>{R@~6MZpng~!{bZIB=Y2&$|cc%
z(v73|fvD9DK+4uBsKsVP&ZY{aa4LB4$8cCIcFp}1bFK5ok^h?v&&z(e6(_*^A#Wak
z{acjb1xgajN7zdSXuSVR2wM1uY<i5pY5S?PNl@<*r=Ncdk&$UIKjd>W{3Tdm)}cjv
zk7Duu#imHL7(ZnF8~!asHt*7=eqVF&<1gMN(`t<U9vmF`TZp{i*QxOyhWboI+j>*A
zbYR^K8i)5m26QdpNq#&Is=jLR)TD8TBpA%_QDX>?5rYPWgm_~{Obc0?=!jP;`Z#4(
zoYP;^Y*Yqn>^P1x98xV}cn?0p@@hLl3}^pgegK1PqSQyn380<22huS(ke<+O@4L?j
z{tkBy^84}10j<B<yPi<-qy|Cg>u^2+>a#*Jyg5k#UD26&r8=?($AA;gQ!&yqEZG57
zaXKFZXnm$WpZ_9>Gru3F7U<JK^s(`%YnzS-fLNO4xQ%>X=KK<=1CXPHTx9^iY6N<X
z3(JgKm+A@7da=ZRFvDL+@qOD(Db15T%Jb*mWo^h?ma#-7T`v4$yGTBC?MiOG#TqYM
zFl7RTk~Sr0LP<qUr<PkA1=)8?{>6y#FV>_qv38pV3ngZH-}y8oTiQM(hG#+vyT@A_
z&J5=F$ubbUv?}V;+z$<ZV@BA||K+UdG}%T(k7AjV>K7pac=S9>qkP{%<H&42)>kyy
z`+W3^P729G@{`7Hbv2}!InkD*LVRLeYC5C^8CzIc{EmTvK_6sI{I-qFSCQ-)8A}~1
z(mDfF#0n(||BTc1u1WD%nwm}$LnsN!=iqf&tz2<^*!lP@rCW6jw-$vX`J5Ugj9;Q;
zCF7V7)GgrFxe%Y1VG)o}pdhUC1{~4@3_;g6309AV(>P~~<JvKxUlRi4Q^aHCpLZAM
zCR{g@XI9Q$&hG7uP~ESh2i{(;d{RAGrP_X3G~M;!Dc#mL<W4$zssGUf1G;VoCN6ng
z=)?%HJv!yIYOD^?6Z(|1_cY2%qU8jg=HxTB5yg;56;ZM5|6!#z#w4X-d}8l%5_}n4
z!)rjGBLDUFU9l3oE@^We`izCk(F!>Dmz?*@#3M55h8gi|o$|1j4-GNHE^FOOJ>)`&
zJ(3T1)jZ7FF@)Or92y%@qhAigh3C+Lo2GWDUvLy{M37QUb6K`xj4hAfOuRJ&q?zC<
zk(lQc)})pGFDc5n0S(0gjb(3}yD@YVCl$&{IqCtGNJ<{s&vra;(ej-K3D#UB&JO{#
zq?f-#9hivSOW=N05^1?^D#Vdn*lT28vf@%(t?OJn@rtoHrE$>p=qL6fh6N$FB09^5
zyt+fR1*H!Xa#6+v5C*U<ekXi@Ot{>Sl@sp5f~YA1Bx25x*en~S@mOxOPL!Mtp=X{Q
zSe%`(uPjZChNsisQruA_XdSvf`?TL04s<7Kj8C2E0orQTEP5>0oo{lKsns2KP8z1X
z5?5YTZaR4{e61?f>&-{>W~l7*b1Yv@uKROl`g3Y$Wg9j=n`*Btc|YQCyooBFu3A@i
zEB7w-tsEUallXnFGxxHkngKYr%nvynB~qya`a^2gfCBFn&cR)57T8y<*&8fh9v#{{
zp1(T-u3mPYeB-avQJ*nqUz-mPe^9+XdM?ecQOz8=Cj>0))F_@eJCl@t+Crxt=P~ZY
zXqVhyf5?K8y67qP?F(|~OF^g|WI?Dy^WN|Vc+@}ceRF3ArtL8e9K`|XwnbTNlXim+
zpn;=fkD<SctC0M$5TH_}&&b~DHd>am=`S>`zHY%X4K4wBeFl|qp@K;*je@w-+NH~9
zINpRT8)gsZ+`>{xd;02}?x!_SMH3NZ#Lo(HmM7dGwT(mU+7FBg4b};e_hAch5xckS
zpI45zmlwjN$!bu13k&v&yw9N7U@3wxohM5Ey?lWr<RrFl(aR&&B?Xe%R#marc$fDZ
zOZ-0VKJ)37ga4QqsznpAWk#OI{H&YiF^}X{3uUK_>DYcdhm*P7`RvC<hHWRy;5Z9T
zXF9qoT;NK!&hC|gKsm{o1?DX*&f{~a6!G8=${8dCGwCGn{CDKne0b+IIIrKAG(8>}
z_e`Sq96&89U273~tss6p)SInN!bJ0Pb948Bikj-R9$;Y}PhK-l>jUjC9S18$$186t
zW3QPvr%z&M?U{~NuX0<N?Se#knptuZHgZtHG%PBQ&MSS*=~&4!#4pWL1#o_k_v^xP
z9dz4tWc$8Yr^M+v3gfcZ7u9ueoS3$p^`0C^D^w0xcy8<7{j0FQO>Dd|gnU4ut_ErE
z&tbjn&Nb7$q3F(QgI~CD8cDkRi=^8hmyj%kv}4w9&>va(aYUAbzrLI|<QB5Sq(ziO
z3gH3Sl-+Q_3F0AlB_raMoL5IW$KEjEpeO9(cS~QM*>y#t>Y&Mz5=C<hU`G8S40D_B
z-8<o`#kv?k1d5?e{|Xmo-AK?4i5hIj6LhrYj8CxEDP;IHch8ueGdIt;Mpb#Qtz!#-
zXj4Hx5$(d05#*%;o38Wu(Gv^l4fn!xKBTeLfA+E?kP{LywMDcD1+trihadc+Vs9QU
z`1c+6L~2kQ-?YnG(&kaTD5Q<$&1ZDSWeJ)vJwmVvhUhy#WQ`5w@N>0TTkoDGB!M*&
z!PQV;feTv%4}mK{WAqdnm{g<7MMYF4r~p>bKF{TBm}5;}hd^6o*}PNLeJs^=xZp31
z!93J>?W1<Mv1bF<weptcBXQT`w<$B4ld_hIird%r6fifl)048c2CF-+jC7}T`VsTh
zE306%q8{A?WWd)%G}QP%E}CsUWOT2qC7OCyz5+S2tjC^hlN{OJvZeAhJdBlQ;0(5{
z!a`bU2><tB+Cdohc#Uc|Ez?d!k9~gb$6IpSg(RQ$zM}E|7u&iXWCWR#*;H{#!wF=3
zIVxxhk}%e-j_*)dpC%>`B}h~JiT&HPs*<VH^knZFWJ-g!U$<_%k}$gLl0_}G)K1R%
zD#<P?()E4A^ee_O!xkY+_R(B)`~0a*bxs1y>^7tyA{r%C*mQW)hIEUASP*21LpKvx
z1yFb*{0ijD$g1uSK@ZLR6`Wh_YvX2}M4Rz|?+LxZ6VPZz`D<!pXwcty2`b!Oh01nG
z#5Rc#j*7+Oi;8H8U%3b-7NgKdfcGLgazPRyUk2Kb(AaiT2k+<X`0b?p2Xv$V&Sc>O
zMUvM_M+(unbB_RPmb%A}0Gy*q3FOcQ&PWb@&&`d^lHSIxJPrKkbkqx6<W{7YIUpgB
z!;@Nj?$s2e=m#jTm^+ejl}!{xJ5c^dIJYi2UV;5DOye<e9C1pf!JWw5xJaH*KU0|{
zKY_1t<iN%GneUx;*vSjqoq!n>qydiE?}r@T3RhH**sd0|p2`7l`<Zo_GXskeHt8bt
zm;JU(W3mt1<?0h^2f2|8pOF1seXB%w)JxH_?RF&Vnh$~^0=06KAAG7{QG{rf1F%8M
z$o<E^r6RV?5ZEad-WX1*#d%XJsg&GXP>?sq;>A`XIrc|eMh=G-RGjYx{8YTwIRmtp
z>j_u+C!uwqsloAP0zt=()0~QcM|(?@P}Lt!-th%^=>jX6fV)QBVxKF*oA7PNRSexr
z+AQzRqL;u@%x67>g))kxy8w+SJu?<8IExt{D+R+Qy7bWFP8tsTUgWCZ&E$%v8hb)W
zkSy!sE>7eWeh*4_h`y#K&)Ll`Y_=5h#`A88d&oAIbIp=A!joi{E^LX2)fFslyC%-h
z_(xL`LH>SedPpYQ;aREG@G;2Xcp+&4Y;sG|+9Y5@EX+9A_xky6K5@!S<G|F>WVAlX
zZqEKW-aGnZdJHRDr(9$pQgn_6|A2suP7hmc>yPlKotcG?o$k?(<fk)fyb22RhX~9h
z&z)S<jdjmEO={}Lsf_`GaPEy6XWV=C_;o85)~8JR@c_XZ+^~!N2=&v1eTAh&P$ki;
zs5Rx27#J^6-BpH#>j*)^mL?0Mt2Kva@7Me95HQ3-;!1tu_wywXy15XR{g{}8;njFD
zVJP#0Z4!L`%`;+G3cKRS%94>Q`su#Jda2n(T3Zr(@<iX&e-h@$u2jV!)sxVj0KPBx
zJIC?Q1WSbfu$4woguk6r>vP_z;E#*;Yg2@t*MJkpFKr=*iXk~cgkOa6@KaMEp)hW0
zpW)R`<A)t45-V4pU`z?tEM=gbki_F(8r6t=lsSfj5;V*&$~8Ue=2!}s7H1tbN@j{9
zREa~wxX;*W)}zm?znSisNgxm0D#<pBspUOyax6e)DX3O7B+6cru>OKHrXap;GjDFK
znutrs$;@O;wu2sFOPX2NvXXGIruUt8?3k%s#++i?m#iMU!=R+PRQ-AP`j$MvtGb~D
z#6|+Qa^46-Ui$TY(T5YWGotBI^)XO=z;aN+MNhJyzS;ZXbpqRc|D(*+W2|Q2LUi56
zUPXDSZhu3{<Z(o}!#PHFT=q5_-f<bna_y>sm45q`qL<BGS>ID%*~J4-(0E2$vre3q
zOYB8b-xH+$G$-tJB4-<3Uf%R3vujRCdqar*rS0Wn5%k%?F1F$s!p=%cLLA*6%-RP)
zL|V5mWY^Ptaq*YJ_er@$eOJ#!%esso^Q<|L`hhyxDxer|G&#Z`XqC9X_Wj85{gI||
z4teA93Bd^LN%+911AV@)S=_?JIoWP?2Rt*|84a{K>8jnXd|b`-`b_CRzqr3pMWVA8
zSl<@e18tQmNhjObZOV*ThB$M=fB(K!)mk1K6zGNV>#O#*;I|pD`xG;s{o0ASsNV3J
zQhz={qzz2D)m+{iK-7@rDI-`ESzs#EyJXBjj2xk~A9p@083MYd`i60(o0p60QnL%1
z9v4C2%9zI?p{wmXuTS?@*HBoDP6~^8vSHRx*!KGpJMZTH>RK7B2k1T-_LEUSBlb<=
zeqJ1_oUm|rVQe+Za-o^PYb*q8(0soCSeVPqMFEv{g|gW-2Qh*`VqmSQB>pUDX}QT|
zRMzV7KE0LIjT?xHJUr*z*zmS`?c2%ya5In+=)Y0+ve(jKK9KF3i~@D7$aeX>(8mqN
zz{ogv{=#zl*h=dODs<;?8wt^AqiQDnN@-uI#X(6$wK+_CtIz!mq57APk3WyIv$MJR
z$x^McyPI2o1UfRK>-BC?(bdiXjND!oHVm8!0_0~VM=UTO%e$?}b>QUZ<-{(@FVD6%
z4={P3J$O*m04Jk@5}D0DCxTi1PV{T_#=-oIv6+PX;l)wcCX4=g>!}U=4=;?>H=v`x
zcBv+Qx!uX$i&*{(Zj<&qaq}Eo1oX3=Q62D4Y#2)G+0PC_u&cilL7hK%*gkKP%_jWv
z=3?TS%k(*MljzGEOVbPJ^ymG<P?P|N1N<ZC^`8@gnSUpCt#L;~f8L{O0?xyYrM6!5
zm(@|z??mYHcOQqp{GY_XJYP*-3t9gEwn|YLX=pZ$BOC|P_D6$nYGFZ_+|?r$u-ROi
z-W>D?TyZIgxagejPtD`tiK854gf5BB&RE<#R*GHp2c#oWxcg11@;>h_pM(dae0#L8
zT(Vm5xex0;JZvhC8weX~UUV%hu9ZeXPOI6xC$uLDaw1-6fAHu-j-1msv)}y&v+8DP
zV8V<w{omW9d1zq4FyESL$M2l_y5=u?Zv`8*5eu1+oU_(HuGseqS8|P4uipB!!@#~)
zbqv{D-W{0f(OtBW&dWM&*s+!XhVXtSQ-UFW?8LFJ7qKj|??i%Lw8@uZ$SVg(wjLKS
z!W4|1aK6u@yGudyZZKZBUa>Ct;1-!ImYP_xah}rgeEC$fe1N#w*bj47A5F*G@q5my
z%Ypd&2CE5dJ9<6pE1kC>I`t<<+njAJn<<g^qVR=Ja*`%{rpwiy2P3a4e5JP0pFGOK
z!Tf!_K~T-bBm34p9)?-<&DLEVUsxmH`<9laxi=QDm@bx2V)gpL9N8N>HoORf!n%DL
zwcalM?|vrNyiSE9<PsE)ta}Kn)ESBXawdG<C+$ib=@?SZtLW6vEbN;dO@eVyrAe(m
zT~{1RR{3PYB>Ei;;O%iSlKVB=bpQCJA`JKX%(21}5tJRjvt94W+1P&ylrk$3=?s}F
zs>$Yf`?mGN>PjNp@PQm#q0iI!OfqDgE%bC?jy_>I8_#_vayvuuz+wb4Ya%;IJuzq6
z!JU2LUPuBuiT>8nQ40l~cIwP!ZEa}@`8zG|>$H!T2hEZ~uHmwcd2G@b&O{4js|hs*
zz|q|X&M@Hrw!R7GxjY$=H0)zHH>Os<(Hv4)S*ZEw*+^=H(3VzDqYZkmSbJY)ACtEZ
zzIfdoxkQXIB8cg4dl}2=nNc<ld9IriG&9_@y#bCP9SNuG%@h4t=zXb00ynfy?At(<
z0V?5}F$}z%K_(vS;67oSmRZvOb&#=RO!@e-64wo4$MV#}9`urn>~Ya`Qk>wk5G5#n
z6Tg=N|B%Q~hmL>!p{oNdNzd?~6A?K6VBtd}BRBG^^Y`P)gCSl>dYSE8wbEz<+K!r`
zDAQXiOW4|Pr+lNn=t|V0@fwBt6)2u&-kOSWHcyVG;sx}yMCsfujr)45-OWyc6Q-n)
z2ig};Aso#Q+X*MNR<|BCo92NLY>#e3#l7rw`@&$~wbSg(UV?%uANSLL2#%U?Juany
zlj`}D2XVjD)LL5zOm7g#O}5Z8DuPbjJ_HDBvtL|SclY5Z1Rb*nOvM#?rwP`{@7A0K
z&dj}}=^qsK#<IR<OiSNiyp6uu>y6$G&9I%6mbMg3Q!Dh>8Q{@7FF)me%)mN6^fa#K
z0rz=f+n?4#)+Q~&Vb$^a_<m|<lVHG|Z^^2zAdOk(2igx<Z5CbiImQ7;g7<3~z9}bF
z>0$X#p?)R(AStYBbrc#%H`?r_{=js&(mM@ncC&(_@rgQiMJy}KTts~LMTh4Wois$#
zJ65*Ywe8j(dAn9yi(Vd^<;>D+n~`|JUI<wNmCgE@^PRpBMwuH%_xkb&79ELrh@ZM#
zQlHHz?eDZH@muR$A=(1n%m;nwqyz1glxKEm*^Sy@X*%{YB6j`H!WWJo6lvTcZ6N2G
zofe@y=(BkfN%>U9oh0`M)yY<Q7;zs~tCFe@721nebdXm})^oX{l!TQXD)R`3SXl5_
zTe6YGr&VB;b`suF!O;mjJj$h{)^go%S~6IA#q?jB)et`U#`Or|Jl^dzEt+i2PW8b3
zL|bqVsPyp2laDC98JXVjlu;lGaxCR^QwomU<kIy^@jrn_s>WxH?PUC2wJ39sn<wn#
z+#V-C6~3V=WqF;?6^f_A(Icj<BnMKOPUPWHi(4#;nttUK$Extzs(8@o8JTrDgL$%a
z&NRcaT9V=ZG)e*bY(7-NwvcUn+!f{~eP{|nV3J6d*bEsv9`qRJ5sapB(ic1!oFxsw
zcrAIY+uN=8`Bi?n8*bb=ztSj%p6R&Ke)tp&lKbDAI9D+t_33TD-V^BtT*I~&0L}4<
z(XHT+u;Z>yibaCP_(WOtpO9u-AzD){I}-O-P6q72_OzfrDhJOMrPH1UZ@YgQs2l-t
ze_})OwV!N!I2g=3zw<&bIo&U2aZ|4>%zAWW9Y!@%*qzre7!3v;-(jv??PEvwhxn|Q
zRm_ZmK3G<ku??h~6c+oT#=$i+t6?|$It+8>F=%`KLVsF}ixqS?Nm`A0Yja`L{J7QE
z$NhGvKLa~>EHdQ9gue9OKV%#iFn@n9ir_-8^bpBT*EvNbuiri2!-Y$8n`59$Z1A^j
zvxTsTjo9u+QkWMOO-~t-%$BGe%#oFgT|JJL+@&EL3SR#74Klkm_X%Z>sq(nD8dGvQ
zYcV}pI;nH7vz-sF9xSL?<$sNPd6Kzn_xf6I$wzN|-LLn7CH9#nR@2ae7?5xr@+h(Y
z{cBF<2|gU)+ZdAG@IJYT9E>-&*6!v@J*ud!H*D1eWy3?JcwadwWcTe=Sf2;m>Q$zg
ztX!cW!)6q2of#x60}IYxh-z2brAvyA#qG<!d24aGKNWls;%|;0r`B-iGL6u3Ql36~
z_)u`PUA|sH8YNJM-(xh|-US;;#?sRhJ~#*&u0CMlj1vFajrFqLIQSn9Ei4=`pCC6;
zvZwLK^A$E1#~c=t?VjSz`~ETN%+ir90`S@Hm8bUkx_3!E`|I%Dh}Bb|<R*k=<sj~8
zcuoT2#geVjl;rVET*T|QK%D8NCC>|wrW=ze8q%%v7o;(Vtn32^f7U8&bNtrg(}B=j
z;GmypQtBbM|2?E_BKyEjNA)?~GhsgNQoEOSUIW|fV@HB##c)^;eG{GWP{erSV-ZMU
zH{&V~X?sUAZn(mY{WkY04$9}pnZ4C#ep(+-lp6ZxGf}@eeMDOa{P&qPVDDG`o%yJU
z;1mqfcbmsGXd<5Y&(@fKMpnhQ$Jk?FhR<AV922nL;aqCP51h}D8!ylA$PLy3P~a~d
zBHEuIt$-W{>~n|<3;R371<v^L{jX>?@OL!(^9TYA@N?h_{3mebCFTMC9Haik{T-v4
zv;g}41>6Jp9ggx&g2Mv*|BL#$sK1JQd;quuirLp0jD^y(0!(V;Q+z04^L_r>LjmK1
zGZ*D5AdL1m&5{M+Q5hJ66yh_35lr`Y?)*(RIDgR^fBgyZS>zBta~)y3e^*J6%>l2&
z=PLQ}XM$ssM*{o#<^BKMzBTT5`1$1lh<{h!rid)g=ZwJq+}@o5I`w%*2PpNsntsLP
z@O;h)mI(I8%?)4E9jvDbSU4IZ!`)A$-~Z791OjR!jrnKRB7_C77$vNgmD~3@-+f>m
z?*2m*55U+rl>3q{;s`XJUzuO_b2;(z{&fUWha2k%|I69ud4kOExm@_w-{4OzK(1$H
zhll%&i<ZUprMa1vmFacSy*>e<aCCMiIy??MkJqMZ{a+}+2)R)2h$zrFunfSP+TR&8
z0eJs>y2Ky)Z;z`_6+Oght?q7=sR&F~r>95Naa52n%SQZFxP(7muA;Yv3~_WszubHW
z`loT9g0W0SwYIo-uq>ODqmq~6Q?jz!x}jJMIeFR~c}Klm<!=m_=pMrU@_@?d@Xh;Y
z^!~B%(R8PA@ZPfXI!s$11b6XrZK6K#v}J~V{7n%MvwlU(?yT7Sq`{oWS)SiAj!V&b
zCyRSo(K2hT!o}l1aR3b*xXsbPnB{?4RM!2siKKzl@w$u~%8UHilg*Qf_U2sIK{ful
z_GdlSI9ty#cP)=`N1QJ;3}+-vm3^Jp>SkPIUONfInYNh6RTM>r8}kFq<*IRwcQZx_
zk*jhKF9)Gs_lwKlteJ}(56=7bztuZ7aMuSNr%IYtc<sACP|Ci&I;4S{0!@`_snwk4
z3f&9dG&nwR${WtIiRBjajc;Sm;0}*1-{qc34Y2LW=~$Fh><S-SDH|%*JHnG^wOS9^
zGnuv#DzqD{vishBv6=O#CV`Gg-WAgS;rY(FMq>7SD4flp6KJB5^G_SG5&NaZO*CTr
zR!lE7qFBIfcMOHNEe$?+@`K0TycMUe@p;Y=x&+c?`aDq6yT~M8uXV!NSxqfkKi0d+
z&9%nnb}Va;v$?&ie9B2FvE%jJRCj-jwV52QJAT`7_ATc2sJ?;QHHt%fPEYHmJWZSQ
z<=0y+tFCxrNWlqxO5R+h>+r{B0%dL3`O~_10#_2!Eh>4I`hi-*eFKZ?WPd?BwSjBA
zMLXBAE0-)?@p}CgviK><S_?}GywKi2>pEp@rU6vN52zpgXM`6JeAlPN4S4xnW(;3T
zwA3Enrzx@9t`|KV0c@Gy4VKQ`S!S(P++zN9;*1Ue{Vmxe(z5}Byjl(y;aZQt538kN
zfJ*J=u>IsBnc0EyYfZs8e?Ik_oA<=%3DT(P^4+d|)~s4ebkBBW=ST6_gC^(sX;!G#
zhJAQ(9i_L|NeXkM5QWOyO;BZsvgv>?tkY7NITD3-^Knej`OL>^t%a2TVsvm`{>gb-
z<(T<={}YT=vuf33{;P4^^I?H{fMzRH#MpZh*C}CirnAePv{J7da7fn2rZv}MY_)xc
z34^3pI42n_KmlaUK<t<}$kWqSmqO(w#ZqFLb9t?NOmphW?G)q%B;VNigv;n67xa(g
z4Qs@C#9E_NloG{QI>Z#U16ruK7?<3tJs?5=>*q&A^99Uz5b0_T2C1a>r(65V5^oO=
zbf-<q>hx{SROgssGOYuqD|K+~GdPg>AyV)0UK-CHBCwitH`%9}8yP{gKMO6yI<?%^
z+Gn)FTmwko3eMb=Co+zb!JdHP8KQX=+PV*n*InZtq{J#8of|0HoE7O@5frePrSQGQ
z#Mgs}R}-{jN))h<O53MK<|$ZrC=Gr`=c-`^#fJ4HT@|tfT9V;%b~i%RYW}l(e1vgI
zl!X;Y^RHx;C&Tf3QAT--A$V0K>=o_|`f5vQ)Yylyap?8R5~f0#*VW4>@WE*-=f<*(
z7hXTlbFn+4<Fu#Rb?&U~tifK|4uzkx90=B~Z&ukWBIHY3Fz3{<pZe0$skoKP-`6Ir
z)AOei=B67ITCctDhrJu6-pBdPvDITR^iz{ZQ#xUpO2eHZR=nLN#xFV=_WE7aA9vYh
z<8cb|kgrb6luyFF6?~Z^3Rw~t>n%pC+r$Xq{mP=I1@|S&zsr&t?@+OVkjAT9A&89k
zq!>nBFUx@Ji|c5GHF`{IaE7L8DVUS&WBBj)7c9D5Y}!HE-w=fnMUQkr);7Kx?YFKs
zpwCt!EN+^U8LVyP-%4DcTX<^D1O2Fd8dgF_IE)GTR$lJd&=U$rP^kzF(<7Tl66nl@
zHY?F`I#MngdM95CL0W5)XnsYmrq}@4NUo%;q{E-?-fl?VTos<^(2Q|kZk#e5tl!CT
z{#}XW964|89APyq@93Ja{FfZi(#6@iyAK(ATrFpS_1(@9cOJm+fs_kS>Dku(00cti
zJ5NewIwCeIZ5OYPh3K<cpm8$-BU4u^S;(_3AK!~lfk4!Ku_S+e$Z{<o2*ScDSQOLH
zt-fxkP0oybu$ijCwp!Ar>`VfsJk>4Pn~K_1djuTh14Vrel2z?(SR*PTgq#ryxom#s
zv6lr69_8^sjIxL0swYgeH4yPEGrjnAYFc6rC6VWdJ@>iQ`)NXXRHy6$z5COCR(VTe
zaZyJ7iuT~rv#as#D`V8!gP(bUd;R=*pyfn+M`>|TIt^Ro!dyMXcl!O&h{TQyi&gJ<
zC~w=^xE(>i%U;%zg^Ky5Sk73v_IyEUBt==us9i3Hl~)pR!DXJb?{lODKT=KFLn*k9
z2ad%A`xLTaXbsK7)Z+B<s*^6P>JtpV&zD;+;++gA=nSoHdtWs%(4ZK^jxJ|xJx#VC
zB{ps0R(llmg!Gxkv+9>?((^!JePtl+ou5OABCjA@RSg-c=o5m0ORZ6z3H7g6_rkMi
z4@z;Fi|;l5ItCPL^ra}v;5N1v&P?&R>>XZ{Dwa(9F=QKc)NjpTSe3&C3~<7OflB$I
zXd*Li&a5bXYS+Hpt4v&oT>4HT>RnQNjJ+H0jlXH>0HU~_aAw+#W~tQmgwc_fn(=ax
zqcXc|Mr#ePQvMcmbs-wzcaVbsrt+kW!FuG76(Jcm^nD2cUhPNxFzp_}gwH7O)-S0&
z_NE=Ny+x8SpGJjYTEdiu-SHQBwm)-Y;bf-(I|=N9)fl!NjTtWI6IZcKOXZtP=ik@u
zr8OQ;%?<*&BcMMPP&8gevOKzp^6%ETD>g>#hTo+Wk63TomdcP0=(%6Ca|;$NpL<=H
z3TJ+)@OD^w73DJ+uDOdMvtn&Ss5@edJagX~l0@Gqf{(SbB_D_<(mM|o_DXAYFfyMD
zleQRKy}WMVW*)Ta(gklU-;lYSC3=1u(zFNGHS5>E&H|AxA5o)`3RbzClwNGS)!#JP
zD(-yABln)^&ndAgaTXtkv542t-KS-i*_xlj=-1cYQs5F6TFn<XWS%)T{{1fKSB;iS
zIUZS3sc~Yg1q3(P6y#DiSE_h|v}b0fW<^qB(WiS?<nMxXhc((<i#1dsOLRluyMN`C
z<MUW`42|rUo}TA{wKNj9a02g_ktepb7u!r+>{{!9#N(ixo7SHB_j6xVASH6u;W2p$
z?w9jroJ=^G|I7vWrB)~#DT-$Y{ryd}<G`S@P*Pm4Qj_UmEedG6Y_t5xK~>Uy7_SeV
zLp?n^hR2~OI-S;palS1etSP;{nq$V!YM5iMG->g0&>l10x{A*aFz<K7ECWw77d52G
zvWeBRThgVye*`3Xrkv-dRX3zJK-I!Y`07%xTpux8xlqCY3X=(IL@~=IE}<UFup<zm
zOxTVm+I}b<kup1nM}Ff$c=?TDzDN{Yyson8fD-ra7T!6RNOHEx$z-I0OK9Il6E}}^
zO#F&1O9c#pOS@2r9_IjUxc7yW*tG*`CGXf|`C*{&V*(TA?ZiB*mgNU0<Ar701Fzth
zAkd4U4ae{f6ymz`51SGAwDZ?3d8(-i78+$|Y4I6X+~>e7?wDf7Et<;BwTMtyBy@BU
z_nj#aOfU_8^y@Z7nw`1@xV9t*!|C<e{J!-Dx8fDhmZ#bb$02iT$+=l%=N<k;h<q~F
z1Wig?@F7M)X|_oD?3m)GLtWi-2}kv9tJjD!2=*`i>7ui0jHD+P+POQHX1hqI*-5WG
z_4Xx=9qPsKy@de3_|z$IA>Wqs=hQ_J=LL9i(VwO%x3#426ZEUUsq{@qz(Qw1?VfPo
zTVUH}_;4#KD~9y*ro1b(c&R!VuFipn65G>l#7YvR9N=yYUBb>35J<Cj%)qx4nhxB5
z#oaoY7E80^=iAL|Dy<JAUJ4&t;+IQubfc&2RvxW;Ft(>4qWd#zg9MO&Yr64WVP*W8
zV~4y_SD8&tx2$9Tz~E-SzJBa#6Q$5Z;zn>+kgX^I8+kEHy|G()I`spjCv+LT?~L{L
zH{{iefE#CQD_gs`CcCM=VIZShR^#ScTNH&`Ih;fSL|p|ZVdR7Z(~EN*x?x<RQydtY
z5ZfSMcda9Kd*_tiwbaVEKP!!`>@a(eO|$;~Fj3xOyyRPY6bHgww$ire%&p$eadcgJ
zp;_-xkPqq)qZiRiF)A8UatVTMvflY3(@q7s;w{8JZNP7lvR%%GssZBTlx<p9`jXsg
zDd|@Pl~G)t5@#FHWiR(?L04z5d0!um)T%mt6NpnKlu^d$6%{Y?yD{<Pm_VWq_N}>#
z<<hMzJa*Jtn(0Y^Q@1~wccf9Ay74}sY`T1*xzoJ$$)2j=Lz+Ve6pU27)+w0{9V=Z}
z8@s?CpUVaib=ZWzwtPv95fZ6TeVBG9xPx);?6sd7DcXz4B#dc4p?A4HART0qwEOCA
zNmALK*CBm%{CsO9*S;mNN;jzRy7Q60COLSlYrV*Jr}S0*d-T7St&@)j93pRZ81$n<
z>k$%|Dvpw@??dKUEY(6k2wlPwJ>a0c9M}O#qnwHB_1N!^l*TJ`eWKgZCpcI7{SN9k
zdymAGx#ccv+ZIBZIUL?r%`dcG5N?7OFXM#iy)WOwu{}QKgXSysx!}0H9~*WTRToy1
zTlcgfJF;NsJ?&P$Hu^sLN$%E2h-IIo6xuPp^1Uvpy}CwCs^0OvQ+w6z<4(ymy7fRi
z{@Cq8SpuM<f2!V|>sHF${8~pQ!dCU=3k0;N0IveC<o7qpt5#bEAnd)G@&Ho%-OFF`
zcRT@NG~eftKOm}$b_bZKJ)QA8zfMS8_--n8B^e-2K_(n$D88%d680t88}GiN6L#9{
z<88ab;)%{$BQAEdKal2S9Eg(s=s*>En`|?_01x0h+9{$N7kbyU;2f0*&cj?Jue*3&
zhB=)DnS}iYF-|>28-6U7feS`&&{JhgY9|JFq|w8^ta2Ueo@Q6rWG@>H^t;Lr!IM{_
zS^*!B)OoXmn1|I@_hR~aJs9WZmxfEfo=MU>>g7$k4vz;-mZY7E!wM#Zk1-{g=8j$u
zIYX;vB`O=Z$rjc9Oj{7W07eXLQvP59=7V<H3L$kc-Y2wPQ0chn$=TPUXXYxioS2C^
z)M6tq%QF|7H4X?zXSRf<r<~}JfE_6A{vwffe|Vfd(USvT(P5^v+GOjI^O!~EG;fi8
zpUj;ri3<c$qscCuyH1N<H70&jY#$fiZiEiwj)z;tP`?k9n2RJTW#{R&#|Ssgp-@FA
zFQtKTuU~7HtT+6&D04?;Z#T*1ZqZU-aQNT@QBlbKDtJZ4V_y+^IB^DDtJ%h;iiwz3
z1zBQ@a^?=j1|gixxyDrhu~Ed#j3w{o{YuU;7X}R@G(HyiHQ+_Q`w5s?r0+iNkn;g5
z48QfdhV)qFdi2P*LEe5v$pZ-<mG=v9V9JkTuT@%>`<+Cmbw9pj>Evlam9LIf;rETC
z7_-ZY>?^$j(^xE|lBYQ*6^GX?_bsNi3&t%p>HV5rvfXuuHfOFFr_qs@C>id-s=0%c
zCpeeJ*Amx=^Qw$RTc9vDM@E4>W|6ILR4hZF4!e<IA-`*p$Xgvd-Q{lD0D}KJ($?J%
zur#j~dBKmTR`2hP8<r}qE+sTntmMk;5rr#R58mPp?U%EX)lwKF9@eO)iE}}7X)<Y2
z^APs?cEDXT3&ZIq39{BpSWOc6j*_kx=qt&Fn~daE`1aaDp`@10@Nh;Uc6PJdh>1_l
z&u*xjbR@&ZFV*<fsf~zda8?~uifN>-raC+7rE?llUq^2>!@}+&Ys0XDT%fVH$Y%Rp
zPLsR?2!0*aa4Pb3pK)~IH4`vNE1W%F`agX&u}iONp=JR$J1R^cga*W+Sp`0wm_TO&
zUt(hSaq@CO6n0{&xnJ@W64USu!GmsNzf3uJ$^^+}k$tMeQwu=Jl$h)sq&F|N1fP-H
z#*<bc101hKwmDno^wztw%Z>Lr>D#nTzlT!obuH~>!5W5rkl3Lvex0lxnkZQ*7=<NE
zhyva1>jGSNg&OtP1>&aZm(+H+v74&pyRyHD2&0G}iKMU3i;_x5tDMXNqDFBJ8P&gg
z(<XuPnVXnQyGo;1jG1i`&-EV-Nz^KHXSNXK0uoF5N(-2}$*IRbUy{%TyZdOR^^L-j
z_6F<zS+MGch{Pz}SUF3Q@^r3~0#2U1o|dEuon(7ieJH~V7M^bB3WI-OW42Y9*gg}H
z&g7bv`K$7U+s5LzHBeN_h=JR6(a_5PO+d20&4E4&G-xCPZZo)tk0Va<!wTFr9KFs=
z5)ug*GH!j^X?p`Q<z8oQ0Rg2yu3or0Xdg{2TeCXJ(YeHeqZwNU=1V&1FnTT+fto=@
z<Dj%8yskna`zA0aH@t)JksI)8r1?uvIDuEmYp81net9BSvH9kY6QD;Nw{q+F`LZWo
zZ_<sX4I7ROuU<O^$N`GfRvnJ#0+Pgz%wB4@xmlig6fcDv6`gEC?=?$zkAY*1H(8H&
zE%^;f>cy9ld+J`E-X#q-Jpj6nsebH!$130M;Z}ECj@4iFodvXNZ+PpB`9<s&Ghy(M
zPO8Pw5Od6e*?jOQs*is`j|0)QS?s}c)_rH?*m6(EPTkw6e5-XZ3%pN;Vf|9O|K+<N
z{n!p6dT+FnQzu?`_1%{$^A6WGW4L!w-SV8Ugu65hF+H#4Fi8gk;j5@}ptq79L~{TA
zaPLvO$y!g<*Ni|cNTdV5=#7B<5;Fpx`jftX>m&OR^H$<7ZFZV>9z|N~droMWKlGfj
zyB=`90A}<3QsCxVzEzYDds%JyRZm1kWT&(m|0Th=80>2iGy?n=!21V%S#GZ#h1=6z
z)oId+%+kWzhJBL*i*~QoHMzU3ov2Q&HG1PQdUUVBbecSKnY*1YzfdahPNm{eh?*G=
zVxtkxb49V(+N{=Ib~U=-aRn6iI0t}Z?<wA?+%}G-hl?u8#H12-L}4sTJ*T1~9Gy$o
zXYuFiroFiA^r}^S#>T&GQK(88*>VLxqi`Gd;W7SMl3j%R9p<V}IL>3ics$zEVa0(j
zDN%F)Pewhld~+vzd9gL#yGff*NX5p^or+?YI)CDqeMg_m=r-KYYCSq2heHrPVYGHn
z2lN@+c+`^$+*dGz2}(TP;Fhl`WTz-Ae3BVU$;^B4YGmzs{&K7<eAxMgw*-3xqI#3-
zOgeX5EhCGVPFHEy<?Z{1*-2As=GfEpdoB|tuj%Xp;dI*NnlKz1n1xpf>i{|Q%hO;F
z&poqDIwR%&bzAcF5o1Pyo>P-4L!|Bg5%fP(a+=>UUNZFc;=|t5mjxm)Wp7WV#YI{G
zGNfnQA3V@bwD%7?4V;~;m%Z!2Kp&y!ajlu&eRJ)b*+JH~&&m#sisvqbA5X{4FxG>b
zF+Z=v53L?|`XxInQf>z4CApLJ8^|kLZH2owxa0-1sql;n4LLoqGt!wCp#s}qH|L^)
zFvp_7bxgSvBaf6u_@Y2B#+UVAeS0*x_f5jzJa$QdMgIY<#S-b1V9S?^a_@7WM+U)}
z_UB>W<O!sThyMDx8r90K=0?<ixFP7!h`~NL%}Hgnf18{Qu4XIhh=@iH2nIFmfdQ~O
zDewnwBk)U%+v=k2vQO5Ve}`OGi<O*<POn>}JFFoT*oM2G=ZnuK?vE!F4o`qT8T%&u
zQ1oD)HUv6=#FdeiiS%<s;i3Ah7o_}<eBIgYJ@VnZ8>`g(UX&vP{Wlj14gmd)#bQ;(
zcq>%0mtZ2)7GNcjS%gI9ZyFxh{lS4OOGEF7BPby|ukg~A>J~7{wD0E!p#zk@xr$|b
zKnI0$y7tUBcFEJ;1A$0u^T5IW^5{kRr!?$<ZO^m`GczmBhlAkn!Pa%SQ67<7O1cXm
z_?zylQNldLxgogxUv6j(S|EIV|9L3rb2R}zh$p*U&61ip(b%K;jQ*B9twlSU1>%ku
zh6N{}s}LQ)=s?WsiwXPha$o}tJXb4FEXA@@Ib@ui;t8f`P#?nE$rIJP$O%05f^Su!
z-gIHp7U#XtQvF%+!=<5t<*4EL=j1jR6Cl^|K-WCfApGnf;mGlUr|G-sm*=bCQzr&A
zV4fdwzdk_K?m<nU_r(Xk{QeUaloF`m)A9Yk08mQ<1QY-Q00;nVVD?m`Xfu)qj{yK1
zkO2S{01*IiaC9$iWn^h#FKKOIXJs)mE^uyVRa6ZC2MUtfVhWPlVhWPlVqCogkZ?h>
zCD^uY+qP}nwr$(CZQHi(?yqf|`@flaZ)Z17T*QsI5m}Li%&f|jkqUC+uuxb~00026
zk`f|H006)>|9Q`a0Q%3JKiw$oKMz1>C2=8ux;dN+0D!+KNfAL6554Oja2FlPG*XDJ
zHLP1Wa2y8?oTb860stTa!CF;@mI(<(O;ugh-Ewnt^Rw&Q%-!7EW?p9QRn=6@)XYNS
z2?K_TRv^g$5(oq>Yg!%a+P6)201#H<;6zNt5C21vp!dIR_U_l2>&@n`Jz_VDZpimg
z;(-4j?$bj6F6b*8J+vJ`9R7bm0O~-BnFfpl`2S!)ALl>cztPuEJc9rK|3oOtIZ*Ll
z)c>CSooq}pqmUtkpM;AMU_jy{W$qb!5+f4D3iMf^{;i2dBM^_^e-3+mZ~*;(fdSM(
z`aVwpfkJc<qS@ulXSp6^G#&JvzpDaN2l$8i3HV3y{}G1nzl1rv@MdBZA`C6&KjxQ5
zy{|unIQYNteL@tlO!({c^-EuLk|=>8LB8>VzPNYBh6EfeK$7Seq#-h7SizO}Ec|-Z
z)X;N|9hixzljZ=@hYX}*dg|_l=Z_%{AbubpJm9VzM4Tu=fk7Y=ASOtrJi$L$`m9+I
zCLBm`4!%GKb;7M}M*L5K0)r@_QeFTF5{#ik;I2TaNbSvm0s}7epS%dw3pXKzmH-7t
z3|oLiVUjva=1INqF6D}P!Jf#_AiyUS;?*I4EXuEfKA>l*qdU%qIDV&Rn>CwA(f0-^
z8xo}0IJyoAl&PkP9xM+*QBzEk?v+Zdx%{j4@IC3u^uqWt|Cu8Kge%6_oKti@<-om!
z;m;gW-o?%d_vZmT(@V(rZ^w7n%|(jzSsl$s1qs!QrZ=cUkiJ}bWC&0o#LRyLA@g7W
z3<sKasLfT?i;Wn#ZrQ>`$!PF9_}9d>>O)Q_B8?z)AWqOV=zw76WYZ+#e8<fFuN3rD
z)s<Ke?!Oc=O(gJp;{QwSp(cW;)3M3IzyqZG*Q^K13>i8}O+hy=Esw%XWY)|Jk+n1J
zcP{>olQC{lRFo8y(_(_j-DKh7Q*IVmG>SyNu5t`5WR|<zK6Z!!8CG$5xRi9gQlgQk
zTkRYwIU=Evm7}XzAg3lVtQNeA?k5RNYSBfb=ws>Fs8uSVM#ccF7Ca1pH?*EvRN}fo
z4#i1(y|C>|&t%NoPE2G-q^zZ=SD;2&suLt=58rF@qgUiD=qFS-0dGC!-GbF%nP9ql
zOC6h!gN3ooEjh1QrdRY!{|B)}9X4dp>2nQ^^@r07v`4h8(J6}haUnT5Ria@gVC**Z
z`T4l-yO*5E5I9x2)xeu>-nq<pT{d1@O);TD3Pqt8yZLj;_0g@0MiPWxT|+@9A+JV4
zeJG*VJc;U~6d;&xBC+IVTT`Glwk^&om{554nv2d4`$L*g-EK=EpBjl_V<saLvtH&5
zmIpWUH*EFo4?RLpfx?wPMNdJgIL<UnR?Pk^(JZhY5_|8C3r(Qp($-VdMWCFSQlvyS
z>TDA&b_dM`&j1%(_R6#@)WSWb=sv>i!&Yp4WAkbR)4z?J$Ph_dT`{3vofLwyzcdX=
zI77&yH`EpN4Py!ve!iyFOTS!qr`DM6jn#lOR<4S6Qc6ax64_|jK6&WZ62G4Eqy+Tj
zv_G0ZggAic(F);%PK?kdQErZIS5d8*o+>~dl5p|7KMcCXtDc+PUf9+~$ByWdc(+2P
z;DYhpk(4x~Lg_r)ZLnvQvSwc=Yd9Yx3pRSm+xo%7RO3S^sN*E6IeOaVL>dkQ-b3#>
zm?U*Jc6@@Gl8$CuRXZttP!Mbj1la64mX?xgS6MwJc@WI^mjudp)CdtsHZe(GQD3W>
zpDiL>eOBEmBp5`~`F&>3K4Dp6G3$R%jTFUTdL^}#13jFJoCR?qZ?YQ3463N~8jk<_
zedqVOw*UM6<Nv-2e*g5=?{jy@=i@Dm1+FZS7wQ`#Qd(|yl8$<^UR$r5k19{(vwy4e
zgLE!0Bx)xKRomWbJcwGvAo?LHnti#JUMh942ET_sZ{^4_gER#N1vND-#a6GMPG`s?
z%R)p*#LHYxkZ0HVXRv_j`4VQWV6oxIX^*#+GZdY%I~Y^6rQ2HiKr_<+j)!jHdHr0o
zQxpTTMhuKAbC2R`IqdB{<*|POorn-w&g0<VEv#uMDX3>@=;vuzNE8+!mzw7}NHbEo
z)AOWIn}r6`+rY{&*$~nwDq5P&u68!!q?h~5Tk3}>6f%Kuii*a%QcExIZAloy8bL})
zMY*Y?u3UlQdv|dgf2TJPMVy9?da9n1YFkICKC1A?(!7PQZ~QHb1Beq?PIxaP&46=H
zY(1I<9rr@yr><|#Ps=EKzU%@!>mlsmgEn@pJza*mFj+MIvk^Lxu|do61~mwp!w0l6
zQKZ%+z9&Tfv!Tt9Ob|?{mC>jk2+*Lk<&+tcT0hA0e6NkMiui@%1JDcfC&q@Lf`TK#
z*Mcr02|B$hT<$MHO9)y6OuW3~(aO=_U~d8VgJ?Y@MfwlKPL>tH+9)+T0PC7*cDLKx
zU*d`|Ih~c(BbQ#?o(h>gx0A7m)e83Zuu5rrCuI+pX)Z4I0;uxh;i)&*84cfzPN&Q=
z46y8A7|K||kQNY|Eb_V)n`=vJi%bT}G)kYDr2(Q$R>bv1!_4b!7n3T~*3iUaE((sN
zv8&$pC0Q4q!XVT*-jD>gCRhTbzp>aq3%eXCoW+)xna={hj8xRJwcwv9V(b>n@Zh=j
zxqg6ROWOjt26Y3S&KM;UT!`^<G+T-k+3kxZFQA1hiZ;iV$crwWgQ(ov1Q<%Y4*S5t
zVsQ8g?RXO@%<oHtEDYR2DyJ#zha+!$ox63<H2FCJ-n0^8C<H6j6uBm~x5hgEF(NU{
zniOl*WN}iMl<qA@1w-f@l0)cJ3P_VId#eS5w(TB+Y-W+mybC-HCq5#r1!I!f3bcX+
z#{urG=fVo7NOEOq;71!H?8Ir+D)OW=ibl<Cb=XMir}%a=(O<j)1Qd$-@Y<|oU*+<w
zZyW*T;nJ(j`N<SZl4+6gP=F?Mx;G8fp;hK$f1MHF?8q2B5cd}I;#9FC?kEDRqfG;k
z6rUbieCoUiG{{u!a>vG+SH1IKa-9sr983(hPrT+dpm!L9<yo8SUg0S;uXITTTuh{?
z3z_Dav1ygys>Ure2l=4Y3qtjIPU9n5AjDtLSYVe{ho5rfhVNlDad~|^9F0~F-PiR{
z67juD_EVK1eD-ZozA(P#2dH5D?_oQvTkAf4hGY0T1GNHb1*RzK=;U#rcQD&Z!m8&Z
zr?m>n`I8h=RQriUUH<#^MCU2DE&Qz;9QIE|So~}VJUq@pOWp`=ZJmS}=O-80u1Ln+
znjEx6kY?VoqBO$EmZ{b??iy9ovJSFuaI`?yU|IRN_}+4g7R!V9+3G4Z2J~X!V~Vyw
z8&tO|@6pzKiA$7gldsNS2?E~-=J|1eZ=v~AR!+_1)tHyLjJ%xt^z!L{v?xnFT?AbW
zQoVFk1YM0BBWB~kJH)G>N0pDD+imyy`;&&J%OOpvopqki2A=1-5Ud^KcmpkdARaxS
z%sI#)ybx_=4UH;9P&>pAR0t7@mStmWi>C>L(8;~$$2-c%k6ScB3KX=z?Rw@k-UGho
zkl_n)oe|}_Dhg?HAQk$vmUh(+7JJK}tfSw~N1evCyWc7ySv3^}?R9M{tNz(4n89km
zWF&cfRb8bbWW`~Ed(BE}M*W^LA)&rJi>N>R8cPKTyXIztN2*Yf7dJi2D+bPpLl}v~
zK8U6x66`u-t!vZg>Ar+U0FnG^UlDNv63)%l+th<Zx^KJ2!n&K)gk<mn14{fo(jt2m
zRZ5dIUyYCZP~n8cf#^P+tG(;>_&a=O#-;r`z4}q>nkq>|2I7F>?eH^}5IKRQQd>_S
zV-5soAipB_yw}BULmre%CxSk~#%d#F0D6#S_WoO1=cxfu*enPvO}W=cEBQ2;`E?7y
zOh)H;*OnD1ZH{Mw(?B+%B)z|(%;Q}jUa9r~K{CBFu$pGq9G;-qSBaN`Utjv7byPr_
zk)Yn(O|e&%-{IIf9FcnxOeUCI*5hnYUi`FOk8eSlAp{UUN+UW*|F$-_%kOEWcdw=k
z7c55VJ=>mb2X_U$KpnrGE$~C2D8+V7C2PP{D=oX8W%d)36ZP5UvUljAZ@gTPi{0)1
z*Qau5GY>>6JQ+^9#j)u4Z?J=1M6cb`zAwdQb$+jFvk4{arL|9IG6(a#XOFE|W4%F?
zmWd|jZ5Di5x@qu}b<OeUwE-_}0YOxyy|9czmF_rUMk|>cr%+*d8Mn4QJVurKwdBFj
zm|@AId|D)VEf`Qm49j=H&D?=->Ki7Uh;sDmipi7L{myMx%RqB<45?<8ge)7b_Nk+1
zfRZrL(uHd94qj|lw_yU&;+wa=KOg(zue_N3MnGgR0Sb|WlhibI(=ml%@Jy@6v(a=5
zS;<7*j#^oSr)|(uIZ24nK-sW)eRXYx&s4M*69y5~@ntm?6A4U0YoOA)Z;!?9Mg09S
z_vH#DXu?9hTsK2Ck0?lYDz^;V_!I(yIuh+|t{&do&fmAjHgCkJ3FHAB9+zSN=eSO}
zvAHWk)G2nyzK^-CoaDGyGh3Pr<1VM0`Sz8V7Qaf))OPbvFYfG@Klcs_Db4dp!99w`
zcmGoeK}KWLHrlxT)`iX!!C5>@si~VR7UfaSmDeI4ZtZr5pxk5YPUk{PgO4gaH;knC
z^2~cm%s!v%#~=?v<xU}iO0Cb=0pIj+so(V--j)Wj$ucFO{O7jyRTJJPsdk26rL-(j
zAU^V3%o}T4yhbn}AxTf6wUB@h$K`pyiybd!b46kB<uc1ocRf;SU!(ky!zGuuxl+{B
ziB6My&F^H8;oQH#aiETotoT_V6Uv1aiIZo2*{d2}MOeY2csB^-{j9r6+}_{Ua^V%@
zA9|SY@7Vf2MS+j+waZ-+bh78Uu9J_|V%n4nM~wh4-m5%p3%l$5r^V1^S5}Wl+`hdH
zmoI%rT7M(SZaas|k6!p5Y?`c+j*^+LYhXZ-n}72#E~4YoOmLcEFL$rkI(I9j^pATy
zEBqHQVLdj@+_U+jc@c`d!gHmLpr@*D9gI<RcbIp&kqRUuPM2ND%kxj=cbBdz6(2<=
z-_vy~H^c34MPq?w6Ox;Ky<9Z1vxQ*r+$Fdd|LFGihL8W4hz}Vkj||DU?Y4d{Q50fR
zrCRgiNjyNTTierCs^0=GBuQaUVHc6A4EV?MHmhu`JJ~fM6QK~gInIV&8Uk@iD6bf@
zLbd@?<36vq^}r?IY`%aIx{6wADL{Sjc{@$qC618Rfts?rM#kqHIQK66makN3hLmge
zsXZ(E{AMxK%`*K0Jg3m;SS+d%SQ~8c4a0e&q4CkhDW<;!f#jZsK2=$<w#BqKfhf=?
zcKIC*NN`I=Nju!Fxs2|wZTH*3m=Yp{;l{S-o7Q&Cmu8F!MK0a+`(~hRTwilOyz>5z
z!hoRyCE$4PDRytP9#i6oJS~?>CYUQ|@$8|%*X*sNImFD|bIwv$7L6o@#a)k=dm!Py
ziuzE)Jo{eXO^m*K1<j(R-ZjpOX*!Cu#>nVkT6J!+9}p^TOJK=~$}Oc-NH0nxPL7X5
zy`{$@d^98&SOgt=>9_iJ)K)!SFDKm4hf9Qm+<m+n;1G4#f0j=!5SkGnO(iLsb>rp_
z$efht78OqzP8d17^Pu9J_nsORzGbV%(2Yj!w!4Wm1w*%D=;S@G9|J`iM@4%!j9D~z
z`+aVEo0+)apVo0?1PSCQE34@foaj|CB(j^`Mp97$AZ~-0p8H{VI8-T0wdhqOB-<Ue
z<n*k8IFMaE5zaKyQnE)1w&>s)G;@<O($R)NH!!G10>(FW``ZL&A8D}WJ%h((l)E1H
z4v9fxkRLpMk*tE6it6c8#27Vj^~AreG%85kQ+*>PwVV3={lWt9M8~+a4%;uTR;IMW
z7f;}6^C$y#1ILfd%u5l#SyT6}#{Omt8#K-WcC8q)=)r3#%KfHxs!)(EOfx+PPFy#6
z1(fs@60<-|Z`BeB6eN!A#q**nSy=AsX%ZO^!xOsmR24rzQ?^yB_AcM4qFC^?Qbl6J
z{BdNG#?;A3ATFga14gsxLnRc2H+1~g!E0zW`be3?+`>a;A+~VrXD6UQ8c7LCx*6)J
z`Pg3+^kd-sIBDqaTstD^3Z;=o%8B<|Xb}-d$SDp&6<}*L!KxYEbXvD98?$QtR=e$e
zoEqtZWL-G)P-;a|sZ5gRG;)CyG7>5h9;T|E^r^^6DyrRtdMJ(>J0j<w)85rd9hmZl
z@guj70c7fHN5DF|?%@-$TX)3v<>9DE>A3j9LLlKh1X4mxM0%4!GIP<*(&<#n&dp3p
zB)W|2hW?=?VadtbkM91z?7yq}{mra=0pez<cAW3<;H!+3RPrH0O)X1BpMuuf`NQ$1
zgn*reP;L00-_y^QfMvtBP0GWZ{J(DpOQh{PSI!|9QKz*z*{j102{s;-hrRYauUeK+
zq<iN>CVn4dc_?;_R2Fo>*V8Y1m5PuMgMlO1=%eH*tE)#*l;YL77<K$DHS}>1LV$5m
zs1QFi(z3ekh70`P;d<(iH2UBBY-wRP3?4gu61mElqs7EN>}T=wp_UX7ywK+yKCr;_
z>gvDYLN2X=LguViE@oP`yJ7d&k_gL*5cK;k9udtTB5B>vG3@T7iZ}pv!?QG5Nt_Z#
zf#H8UogEbMX4zIZ`SA((niYj6dNMX@W?nSO7VX05gotYDHeXk`pmf|4+&<HElX`#A
z!q_D=CM(eIymJJ!l$@OP1*f&auHOZjWb?c2g*n)cAQL*OW^-XxMs@>+4`8cTZFf{s
z1cQ`3iCRsDck`FZv1G}JsOL(mc3%eSpz(c6lk<6Dg|;x3Uaof6GYb11V~D1%;lYU`
zJui2*^rW0JUd%E=f{sZ{vUtLyHH~=f+!DwYDwJ23ZTMRWm`<C>Q0%u<av{3PPMc-@
zp1#U3HV8Lz)x(t(TOc?G9Avo?Q8MnW`?uMKrK&&ifA{NuZ-3A1_VzRXl!E6Ag$KxD
zXk~n#cG<6%Jm8{N&ka><Dkx{=(3BwU<N?U&`qzz}If!f=wTfaOn;N#pBo<DBI$`I8
zg6zVPV?oJ3&!9W@6BD*CoIVFEnGT=2Y!?xa!-a%=JYVVec1jJtiXSfsr}zEt95R#Q
zU;F+A3|~M7e4;&a<I+8+Ed$dR(h^a-jsI)cqn38zz){Pdl}4}E*U!(VJ2EnN9OzLU
zRvSEG+{PVBNm^%1g*MRhfXfAvwTLN6S;2^!H+gj^eXN;D(Llq@Z3@iH9aAYQgOb!s
z-lR?-9ipWSes^FJdA%S|ClM8zAmX~FyL*&-?W|^Ylb}c%F*hw4TYzK>pN==l&FS}B
zr)M|UoH3JG!hsxx#lNjaV_I;5>Imc&%goWy(D^&vqe`2fk)zwx*B*f23h2$vN^Wl?
ziob2$`~jgbv9_aWGD*Nx)rRlurBgJIh^nKn_IvBrj?$ohf~gbuU$M;<L=P%lAem6X
z>`{)5ZO3};^n~g-V@|C8UKe*M?4YAx2v%PH_%n>Z*Y^)^UEpFeDNRu=14BC%Y>K*l
zm1H_MZbMqw;Azgxp$JKZk`aXPE^x82G$W?wkG4g7d40<pybLFYHPs3n<m6<usZU&3
zOO~U}qjLL}7x)<2P0J-5(9VzJ&~9ZkC{mLZOD^rZw^>kTsAY`0&gSvD=WGGv$iU{^
zAdRrm+xzeU5{aV4O(jt!qT$tLP6jq}<<ql}vRi-OQ#19yibND`MWpr(-lE6|_uJ~D
zY_T}}eusAJ279AK5($OTjyZo%zlGych7HV19Li0(B-2q(vG|<ct(~=Y1NeZG$+I?%
zo|2Gv4K9;Tf@BY$$^;WTY)t@Xm5sAJjN7a16)9CtoimfK62zD!i`+N_k;i9~w%HlQ
z^=aLGy$*7@$rhPd8qObwbmF8l^GUF}{Et^H>-}>cS~gbkNsOzk9PJD}r$we^)2E+a
z=-Yy6iz2C%NF8_i@%P71e8}X@qVJk#RW6V+<RKh7YAJb;U4=TC_ShXBuf9rOgC!^x
zFd}0A-7;V7sMShJ&5O!&@!Ui*vzeH;co=|{q!y1ci@SnFe5MN<q|~Uh<rlaa@AI4)
z8iuqi`g|_u3%$32fsLBT6n)(Rrg@e<ySIB}RiYt-zlc@*g)5yX7}V7^29CB0eVuz~
z6iOfaqYvlxySLXl?`9|_55DP%5<Z#7*?4)4$%hZi5bFF~t82__Vbd<6k%Q}d4o*7K
zyvuX!Jjaio=&%4T^^4qmoGfO;GG>=wOGYfR@o}&+)>{H1%78sGDJqX6gI4$B!GuU%
zJ;jtdsY&%{H197jGnk2Ggqkvz$+g<6kJH8IxA1|(hzTshq^b%x^S+MShn@Cy!IiM^
zQ`n@Hp(PQe?VD3@Fey{JB+s6s?B(=3clb9s8l}*wL!6792_vzavL=zX+1r3tOp;hB
zV@agsq>jG5x!*-hWg$B_&%&pTOl(}=;jDy?CK|<ke#X0JC5xWxZ=6&jMq19m`4Y=9
zZZVbxy{7px{Cvjh$CbX!Lc(0;a|TU_!ycDci|v51_G=AfLS^Mu(4~VRCS0IQ_#^k*
zor*)T7&rA4u0fNhLlh`Qgg!Hetu(MP+=Xr_OxJ_o-KTYX_c(g17OmP*OqgP1|HdW*
zaoH)2r<bp%Ia6S42qfu*?990+j*lpts<NBu=GZsyFxNT+<t#q~@z#)I)~($LLlKhZ
z51~*YxyHHpIc=KH%zvd4dU{<l2p#UN4^Ga~`zdPG%d@gFmq0r;D2jKn&gOQlZ?RXR
zQ_m=nh85OHX*wPT%8=y8Ok6z^uhJzBqKC&KmF|{aN_Rr!6N-Ry3K@9i!UL3GwCzP@
zDsmmJKd&{=_u|`_4cuc?%+ATBdgZGpEc^YdJM7&ooV@m6cg#Wlj!r`8D5z$XnIOBV
z%<6Ug=a~8Hv^17LJST&-ta+2&`T3UD*SJ_17<w>Kk0{T9xBp1*$A~-0!NteVSeKKH
zqw&ln741d<R)ryWI7f#sUjLHm=_@L$6%g!mI2`}M$v7ZK3(DzH`4>D~md<e^<yz(B
zpI_lJFe5#chU670MzaUad;^#d@bU3TCzerkgdyYSTVmqfU}LOzd{48)m)Da6ATA((
z#vE_-fVeG}+Sl)5pJQX?F?tUax7$sZ9de*el+$w|2l-GXp~$%39R#f#<KV4HE-z`m
zCK`*=xyQu3z{+I`YQ~5#O|@N573uf;{JV~A3mp9S>qyJ4M+sqt|2!M2$p|`%Id+RJ
zKEHR1hts}%ass;4S;y#mkQt}HP@}L=teMlhzS4DYbaqP4LFO%&XP5UfOaP`G;B9Gm
zs;8XIMl&@X-5%qT$K~!$hyVx&8%a5#TJB6Fr)R{byZyVmiA}3(kRE=1G4JLJ0uL9*
zfnS!}Af8kLC%6A`xl`M==g8rBOloqsuSFRVP*RvINn#n4K_aTN!N6SDn8~ty1ZE|u
zmz8m3*X40D)!R0RNz%o9lx&uykvrk%aB}@|I@c%Z?BnGHw9dc4Jv~jat)4Fr&mkj+
zUt^&_picwp+;8h=wFZ(eP$Z2`no=@KD|_e?k>5oZvi?Vp5?HPsB>2KGD{qxE^mBJZ
zpZHPd?_B3-Fow;mET$t8G;Y%fHZUX-+#z%>0)LIcq85{Y4%flc2N6CT7A^TC|NQo1
zea+G#AL=0w5)L?bd|(iT_WW^hj@~<J0JY)LZRR(29;R%pG{DGP`%-w$j?zLUG6ao$
zgl9I^&A&|tPoML7>9d}LX#1WCL>YhU)@`sAE<Xs*d5Cd&gUkGdF~AxuVOr9lYU~m`
zC07j6(?<Y82?UIuO<siD!ra_&nwSX_w9Ub450yyJ0m~}Y140ZTou`<ZC=vbM%jXZ0
z3hYN-67!hr|FvdTnlNg@6ljS6^Z5^Z!WQ2VHqwMDR>*s*Bvt}EB*N8kQRKk<#7qi=
z1}?XW#xx@Aoc)TH5Db<DD}NuqEMbus08*4x+xp$NkX?Gk01FbSQW6vN!^v*r>?LeS
zqymX0_WY*D^YQPg|L4j7V|-uC|9AcGDF643o_>a-A^-*r`|3i>tfEVppO?j!a48c-
z%)_$DeQP8^O2dRp1tC*)Eu%+W3=R`i^^yCAtUG-`B+Q*3W8VNa#2#Q3!>G%UOag@t
zY6DB9p|qgEi9!zNUhW`K9P85o5(LF|>!R=0u-AA~9oKe|=yq~14thOnF6Za9xtdom
zsJ*`OLFFj{|4QP3o}}`r$!J1Xm)Fak#Oed&NG(SL!Qm=A+<eFcD^&35{Pc^A1;)|_
zCN<0?>>v{lZ<zxU1&sG_<@q(XGs37c2Y=Z3qo+<F;y+e56$9p{mpBYw0t<w<IGLyo
zS26T`ks`1jJ%#d$=^@jEgU9)4<=<1WvHMq;c`RZBX7%Cwz&eQMum*fJte+x!@NOJ&
z+)2W~J9rIz1#tQ>lxK{uFYwbG1n?A5Vqte>%YumcRcxA{bqHdMB^Wun4xkGFtZ+$7
zQAR1Y9o8x@ngqZ>dd1^Z5@`tlP8bNJ#tdJS0F_w?jT?LHoJsS6Hq1e!8*E%wj|i59
zBLmZ-#;eP|jn!@bBNC?F&&)y%AwaHFXfsj$BEY^mzyTiwT!bWsE(PksH(Gc2q>&-0
z60P)dF7dJgZ^FkJ3tozDnucCpx)Fxe-I|x$I7X%rj%}}3ndyrB>3yhUHawn}vvsZ%
zgyBSjIRINkfx*#Dvjd-9DAtvk7<nt51q^~DS=i?_9)ayLg-n;>`|E$Y2r;ggcL>Ff
z(?M<jmj1Cm#+Ciu6%HtD>_h;_<2+|z;Zg^W-9isXp8;t@21<~-pVuO03;>r&%qjrj
zEkF{5;l(0!nG{C01TmQ~3L6XB1V-fV2Q@;XMDbt=ME#&Pfep$#;Go$fsZZJX70{!-
z3LhoNnS(w3GaB+IUL>gxv@NON<$<;X4`_>%MVi2b`xUwv89D?DSLk3sdtLtLVZXog
ze3UEZd5c=@q_F4{+kZ^W1Q(W&JYC_9tWRC#;pL#`EciVg^qdP$x9iW6QCwG2h>x7)
z;pU|4E_k@~&T+0d-)#=tm%1=sKp;CAC%H^1DWJ7xeh67_xI3d(FhU?oI@W#(!kBkK
z7hwf?j1LvTng~1qNn?hhB(dfz^X@P*0uwk?F~|r|Bwh8dR&Cm1Xg{JFZsp-8vjV!o
zZNhwP3}O%jU5=F?Vc`(qNXnQK#U8b8coKB#1f!hnbDaDqFnnJ54`@}qd$S{mZ*PGE
zOcw|TvBU~}Z)bD5eaF}HO>XAf$D3_y<|Bi)F`Rq`by}JBfp6^uanQl570ekzCQHlv
zUvz!EkN4?%{-4v!j!D??pgIQ(?szdjq-lG@YUamU$89v&*Nm2&B^FG|19)hpYN=&I
zyeKQT1_p`cseMoD;srLp=W6LAzr8Wu?dW5jpxF)+$K;8^#xHihkHhnEeH>n=+qs}!
z@bQqm^W!LAYgJS6D!dwSwx1l*3?+>W;-g?-5Y;rj)O-oOBW78mq@Czsa;$Bl$0m4q
zySW61f%G5=l+?6J$<IamINXopCt`E0@gIXBkG-IPL7?#_IO@Q$HfwPD{p^5(nz!t`
zIgW2@9`Xc5Oy%On0Gq`VwB;&FlZDnr!Zs4#b^^%=P*lG~P-%WfmQC+7pR=GYr*ZD>
zX%Xu2t3rYrqdsxJ?}PL(R0$B;ILUBhPa;}Uety}Rn9tTh(D96*_m!X)4UtW_<)!HL
z(r93ZtjNxZz}85?U}p~`>S_l4!SdR^(8=MZKP;_dd|i%2#YB)V2qYX*;hNqpT5qc*
zk9+RxLJXIJmrx=XK}pHDj0cH#h=mZOW@`A`{hBn##bFH@x%Hv*N@(`--2%7|a_=m@
z&*!V;cJS*7wcv>%gCm-`d06Z)?Qz+LOM3Ry<J@%&iJXzFDjzu5P=;g^6t%M{-Dqg6
z2BctU)WAwQTA6=~gT7&d%C+^A<{z!nPiDEJf+WagTz3ASqlgJD^zyrTtwAN6I}-nd
z(BEn5B(T;JtD6E<$BJ@!-7jV8Q}sF>&;E7Ma2+-TDJIOBC<+WzHdd~BMwXnpGg>gB
z-4qc^5PEUh=LB>4e1EKy+qq!o@TCu5Xd{cjTERuLuYj3A+o~~$<2O?EOUPYZ<E{{U
zpAmzxc_{Jk`901RaF`Fzzt+kdEEhNd{v@qQlYG#&&*6nDem|Uz)3wG8VYUvRK-N($
zPBh_#*&9^hY;_uP51rhOhv8>oHvEx$xI~u`kREGvJ>RTr1n%!$XS;UtxWR)!_~1bU
zcyY7V6J-|l?()J)%|BuU<PkMJNv%un2<!X&u9Az#`MY*GuFcohR>mC-q`eRxK|mZZ
zq%Gh9D$Cr+l@H@jQdXuwQ%(?~#9ds>G;Q6mQt~MDaNy`!$(;<Yzh3io+||y8n#5ar
z>BZ-Y@*F*SKWp)drYWixlz;;XmUYz7hzpPgrM`$7yL$eX1l&#v>}g$Rgw$@kA5RAG
z+#jmrdjeUVu?XYv5^?hU7Ca!!@bz;ovzQMbJ8Lp5G!!qMvtWIuNhG#<Ux6Kb(4WW5
zY@|eeqd=)(+9Co6jm+F&TcPOOXAhKM+3G7^HEv#n)&~6>mY}!y@U|~BZaAs7&)#Xg
z*mko~a13}rf<w%_teUmIonn63`MEsa4d8)BLngK6d<XFvV_0--@+2Uu{x$!yM&_Jm
zxjQok9QHD-IFY#$QF=&wd#i~yO(<OB`zacfkL!3@m%|+<xp{A$qa;sap`SUT1{D)U
zcco>MQagsq?ri8AETbdoGAwsnL@N8FZ9eN0q~03O&$qzS10l*Bz8c06et`b3Ge_j{
z1IoBZ1{Wwdo_`9uRx$IyS2g%DXx|uxg+DX=df4@QP8QaBG%_Svd)WG~AMkgZi8Mq&
zXK$|;@pZCKZMXXh85q*R5S<c=WegP{M@E0_XW-EP@qY3N0f%mngQd&MH0|%~BF+$h
z;I2}U@mtRiUvc&_h!KPAd1T~D1R|zhSbaS|$6E5Hq&)xZ;Z2+>^x~&4AeAg!0u$E#
zAK>$Mbqyeu+VLxtqdOe9;yMgauwsw%aeeP?lMUwsZ>$tjdh6Q8l5YxY+}Tl|G)2<Q
zUPs!+%OEwu^|b4a7z0Vck0qQKWXv??zfZI09Cp0zZRewqH^c0{(~W6IxA%REsW=bZ
zf|VyOoYB9lV8N+W8U_NXaG^dUWcc#MoGi%W@_Q#Hw!8Zo&|;Qdz>pn@eF!589RIc+
zs)5b22>u-eewJRH*~MQ)sI-yDoi}Xy`~nb{KJwpIA2wAS>^$FWI+MKQ^@=hzJe-4T
z_i^l77?)pf_cF^%1wudt2IP+%Kya|gzTM1YcSE!H>t@eD1^5OHMgZWmN)UL;pwH!E
z5Tk#8zF1+>E;*fSMA}^q!vB_$C7L*Y;xgah=k}XxS9{bWs-Fwi5q;gy$wIk7P()T3
z;ox<I$il`fA{{&W;Bka+?ih06LNGXVVPoA`ce_<9pT$NfNAK+@QkR1I6gG^bAKrV)
zIF+28RtjqUVyjv<uy~kl{oRb6kLA{*k0=}9FMA(d+2hd=dB^MYy2}SA$=(kV@)91t
zd3$Hi>D?}qqpb9<Dh!bUfpQ(c2FFH;LxXSA`TBLO!$9dW3~bzgYJWwKzRCOf_Ska4
zM6El6<02HFaKiTQ)Y@@+UPC3g;$<BQSeK{O?W^Wv%L|)XM7)W=&cx>SxthbkQKy*x
zeF&f`=v5*jsldrm1_h38o7?Z^GcI&WYQwLbNq|g@BG_!9Q01cN<XnEAZhfEnaziBz
zu&*pTe?8lVKla+D60t2-X4+n0%Te1&ASDg9h0drnv>-`3uo>ldz18cpZer$S(Soy?
zMtuux!hZUKgo%te(aQNcA6_MV4rr%By~D&#mWTn-*#p!Z|HzWd^DRUmKepXyrjL~s
zYak(-)Rlqc3iHyQ)xDtKfDh5e&lLa~qtCb<Sejy3e4l&q#|$#4HrU=3BIUg{*VD~>
zq$P(6991Ue==XFg4jRj~<@~l+8)xr*zr@)DE?+oWhw=08O2p9bwRLht$^~tZ-qUhL
zV?JPTW!dkaGu!z61Pft;_Mtuo?PBA)#kb~gdfAKR?BBa{M_IBsjWB$CbY4B6hO<|H
z6gbbj>wP^t)%O&%6_Sz12?YQp#v^4THqh^NuWj&PZ}=T3B*s9ch6$%7z&{&p)Xe2`
zxI1cG6-qMsf6TouOw`WT2R8bTBEYCAi(L;6hp$s#h(&{g77LhmiFM)W*xnM8n)SAM
zhX;w5EKc&3qfc}m2OOQ2BF`q%CCqrZegtkEV$eB>3V7iq0#r(N+2?kwTxqwL(#g{u
zK#mfTO>*q}zaIWrMnjACdTfP$=Oisbk~sd<eLkXak{-hkj({o-a{k+kPM71yI5SD<
z@9)i$hXz(gs~N!~h)1S;jqL94U%7w=6bwyC(QR^fR)yJwx1qaVcjdfsug|g2h2TjA
z1GqMnQo7i`s|y)s1xvkt^7<xhaR1__&+Fr;2!-8l`*Gbg;<J%aJ8|}F`g)%9_7VXu
zI<2YR)l3}^P>ho^5kebYdYLv4%l&?N*}ifrp)dd`dkHe!WZ-wKH1-(|v$b@z2^!z?
zc{xVteb0sM!~t96<Nv+6Kqekg@Wvu3P#c?&_WykXvm`lo3EmJhNFFa1uk(4CS0DFb
zTJ3`8uRtH9BqS0RACQ_Z1ex>yjhCIP>GvxqjGWK0<9*tmF2>gXtJdul+Q98(DHfmC
z&u-)kMF|`#9Y_B;jMd^yUUL81p3g>i?|Wm1t%TWt;X3o?=kyKF)@t+=_5(_dki<gT
zEs);c@_3pn@gBdrJC2xiA!9vw9ohjUuD*MnRK~^fylB(6p9_sulHmS+_~6cTwHMHl
zR``$4KJV{lOjO%b*C#|v8r~bxCTr4wp?9UTJc?aQcG>sy)iiR9kT_*DK#9;%lrUTt
zSwF9v+Z2L#CBDOWOI}a$5BB{ndVsk|I7IWp(~_wnqwrp0f&iepLz;b)*<4y`Rw<yJ
zG4Pyu_T?&Q^Mdl=58$09=1mUE7a@_Kl9<{`8H6i$xr2d$>8K2P^}^DThpOjfNj6r4
zva?bOixQ%GaK_>;26V?^^B@{+I*_AFFI>LIyZiAqz5H%Qn}S8rPLT>8QzpIB^FG?q
z9cr~S{|rIT9jXO)Uch>RF1B1Q+Mo@{n>{2qN$G8A9OvCy;xJAsEiF$Di*&@y5e#g!
zsbp#Nxhg{mFS%5!9|7riR?G&&J*#3`aZW+HK!AhPJSnGK#(=;HRx<`^Cd!zhtFF||
z#c5(-<+peprC?q;B@3n+LmQbGB@(e--CNg>bbx`e;1Re;BPlm0lK{p?4<eJ6pLM$#
z^o?(`UMqh;?({^OaOaQ(2;I4Q880n@(8<1~z;&n)t%T{d-_5+W9ebXZo73i@=N1P$
zX4Xo{r;SOaOjLQW4P3@TkTSLeY#jij?ui<ar=^!F;p%A#t?q{Td?{?j_FCSbLVxP2
z<TZ7Rh_-oWN_Kd&A7goIV}YLyl1Qx|&1c%6IC}Z!72I6D2=Ws4(JV3Z^+NDD({oUU
z8yEvpv6GSWPS|JRXEX-|qF&xH&9%0<w!A*iSxoC?NsK^mTYEFGnBRw-hrVpV+m4s5
zx7yzPxDk=-(IGoix@CKFMnIn1x)_?8mU6JT{>+BJ6SMWZ1<$0HmXVE49V(|nwj?YG
zpGt({<O9F=G>Dg=t=UnXa?`Q2S?Cs~9-#}M>1>Y@3<`hszX$C~osLaGgjK(Fo<6q`
zu$CFl-O`3e-i9`={$@f*lcWoGhd1m5(!6D~K_B0h(5`U4X6CH|+JY>N9N059g`k-F
z`1lxE1##@VifRZkW*<6n2@-~CEov4mCJD8fcXs%0e*HVbb8%Ya#>d-D7{<WLb`7Mz
zWDW!^1l!YXqN=B0&qTjR`asf@boDjWl3BlN?7-2=Rjiq=o>UL4VCoob8O#D!t%UZq
zWgl}Hd`}s?Rsm!+Va}Ej)Uwi2lZzrbe6(N%;QjfV+w}(+%hb6jGVr{E^+AOa@C3iZ
z?Rm3l+7K(os~p??((C>@wB6oW-&tReh~>WP<#uNwo{_jrv#jhfZ@%au7vLE5j;{hz
zpa_2KwUYk@l@20V-&w2>e}VTB+5h|dW|q(6@qEm<tBAE?q_k)RQiCQVX}77RF^K6O
z0JJ$pK*cL&!Qp!u-7QLhWHf{dyV<h^mht5f4MYL`?WSx9M1mQmQxu%24tJjjEzt-{
ztXD<9VDX~dW8vdCi}ku$g{)RiP;cofTd!C_xquq4yU>2)cIYVWiotXQlFl1o_`3H*
zs+1XgoE2qyEJ<P+Rk(@`AEMLp`fclMGO8uZzUlEjU2F}+WWX<`Ms(b?t-%r2?Pye}
zr#1+^+wEgFXv!>`QLa<StMl<TEmSOLtSBX1>c2_r)eJ|Mo(B(xR@GHWk%fPCho1(|
z!$gjunGM-L+`cc#q*1f2rDe5R@yc{4`q}-^zDY9}G-r;_2HFTKsx=)Istr2C>T!9U
z4Cefv?cr_#f(lJf6ouD3;;B`dBoA_oN>ommlb@ao`3P%y@5gEE?X8ihPn_RbtJm%M
zvA|lq#(M2@s^9^icC2~EDb`c2SSlMa(-yCd6j|qCWyLnOudJtKw~Bh!@?^8_z7c#X
zm^g?pn^+bLm5GI@rewNga(Ftc+da>95tS^d;c3-Ntk&!Vt<CJ~b+R_V3i8{~e#7C{
zuvR!RQ-FZ<GxKW{v>r#z8vP{haIIfG0cHcPm?Bm_9i#<^9w9-Z)|GK<d4Y+O(S$Hs
zi37_(<m5dEVKyCP-&^`~A;oBV6z;viOy-`f-qq5rTd{cB5O%lo_3ayyRPXaFV$4Nj
zmz@#m0M)jRhHiDLGCn_IZVyA-o;nB2K#D1zRJp`StMBq%mL_@6X`9fbrq%B2s%ufG
zreveoNDKvk!;72k0RA0$sO$itE-!2>5~*c5ZxN&PZ#dcw24voM6OafP>kvRdSyoE}
zI8nW5nGJ8>5;Nl!F|1Tf%~uBqp<TR)nWS-EdtrVH2SntWU_zM8uBV?y-yiz~BQSW|
z_yh-g%l7>S4{yU@!L%_78eOs~Nd9nqy5H}HpZ0)mUNThEGZrQtuKgt2;_unGfFY8H
z5Kz&eU1F^Bu@)9><XK|<ynoW}LFf$}X$l6<M|c?+HbqfQ`7bU2EeX#Ip`lDXb|*ks
ztl<-$P^(^~^q;T)W3LP)k{1XOIJ@EWsv^q98eB3#Ds(N_LONuztCuV9kH~bmr&z2q
z9H?@p7`h37ON0TAO4j&Z6l(2x(%Z_RuUrUPU>4VOy&P^M(qxN8F^_hZhT-BUlX-j9
z3U+iWv(gt%^t~UL!DIf%x%z@`^LfA!0*%k@A}}jET)~r>z_QAXU?kPXg4TR!h$LOH
zD8Q}~>LrV|!#>Z9Ea8SPB(hj)`Z2g$_GO%haY_M@n`~9H<!59cOQsERER#-QFd~(4
zP&mLSp9ArfR9CgGo5SaE=XOPNzt9;MK&V|qw_PV`-R0f02BYab*VG=QJkV~Dou!R{
zmSR`U7L<cHW=7Zqc-VTv+5M2#1utIf=!Iq^6f2e}YSH6yV)RwOJzBHX+AcLo(zN7+
zxywg>GoB~LM>so|bcoie?Ojf88y(br$SUM?X{S6^vVsdF7{X|nH>*KF0)#Bb8xQ%{
z?Ow5bu8bm~NFW->PXNkBmj*~7hw`XpBG;lEIshHxxjrB+QMh24uo>?PlTZmD8zWG@
zG_Vod0#hLlXnBQ@1mStM??pDiKX{-3a%e&56bSX}z7AaEXOAGS^&&CUD_T;-)`(Wz
z3s8ZC;07%wfD;R+QL3>_s-ZAAAiyA{af2O@u>h#f@((hig#@)w6bQ66qBR`?3?Kpe
zkUoJO+2NNG2FwTAmjVe2ga`mbyb$10o9PLBkeFZ+8D38*f+jR}<qTe;D(=@8^`W-C
zFE4Jt!i1@y=7TT`bIWxirF5ZY8gE!f;2vNVg$Sl#sx|~P<fmXw@R(#620&;Oiiw&J
z5n52spXm+a6r{6h5z7Ln7hyeG(VdXYWCr&dalUn^kRwn=I0523xlkfRLdy$gmNO$C
z^LuBWVps(zFZp;m^2cSVXHWM$(kKI1zDr^6fn-$a>`0J5>VPD1LInzQHz>@|0tG@_
zbbN$RA7il@;iF$RX2g2ffo0(rxjae}x$k2o)l-DRpd2GpsysPT(hZ0U+-Cp;QW3W|
zlzh-8vGD>t-h~H2WS(FG6HuNvP(&N3DRvAfPynTfGeRVzi4|BP1Q=r2Ha0JXASnPA
zc|gI#8KD`3YIv)L9DJGt>>#`hiQyMR1#0wdo>M|i8*m0xN&yq4A14G9A*A3fReJ(5
zNDi<D4-);!i;<`Ktg2rFKR_qz)7XC@!SU+(Yz?fYA6r^?=!g>K^06P;5F{_WTtWS}
zX)^49V0z&(lw5&8ffYvwJ0jX9J^lee>lffqjB3;E`Gn~byzjSS4bwm8q=76jGC3yz
zmJ#d<ZxFgd{{6==jgZI^R26#{s4X5~tWFXxL{DM$s$Sqmfg{MMuHu6JZ@(mt<)`ay
zHl7w2R1F*>mJu5sw|0M~`{|Z;tXXxxG(Dk$Ncb6qY{|e>G$7p2!(!PG0&E}|A=pR;
z<H;M?p+Z<1HKK(E6JXcQbQ!}wAVZU$q&NcB5y83TTT~;40GfR!L|#9klA98$gd(9x
zAPQ(N1xUUY<IO~F!i#&Q^Go`|RC>U3qNMyd?H@{GyG@8Ta_?KnhP7?9wLRZz^4PBQ
zu5T}_Eo@-kYhj65QxzT!Cft9xnCTR(?q_xu6*)0<M%@DkC(N_2FEc|yNKj9%ib-<H
z<F8)kn!~(ZwC8;`u3(Sv_cC$OWPl_kN?k>h&_E6AEq+{BQQrMtz}LrhveUf1Vg%RP
zUouYe$_Z5rrP@=lNqjiW5-|U>61`oorRVqOXg!qGmwz8Ke+oUlYAj3AdC&0rDB@`b
zbX{ZVIK3Uk-)w-F#Okq-Z%{w<5Ie10lYbzm6R2dP7;SSh@*K_5VfU4<J2s~qEp<oy
zLm1}t?10h#y1!;t+h#^zuo7p}7@tF6oVqI%Cy>$6dhq90TlM^zg5G(OzDJpYFEEBA
z|2iJ1T?Id@i|@*d=4#(8Waa50X<NOYMTY51J8L{?v2(1=-9`Q6HDmWT9C(op^||ap
z0ag0Hq!UYdPp-)J@x{&wk(CNg&_$}GMuAd3Z<!YvM{nQONwimma*v-5m+(Nm?d+7E
zB@axYZe;Q>aMN{jq{a~KzqTV#Wv_TNOWO$}Q2^YXxUhP9Wm_C5n|a=Q)%zW80sl-3
z6)Y+p!XqfL@1+MZ;?89vffzi^sI=H~f9D|>ipw<tZ|cQH)f`8j&|d-l3o?EqtNXvt
zff9-*7KoDc9s3FFp8{c_|At(Q!gL<=;%jW*OSl)Js7Os500H=~f^fgoVx0$+f`W|{
z{|8%gX9!|r2Sk+pQz8F?`@%b+-?^nu$oyrV-<!OPOr>4v|9|;+B4t9*`Nt@TxCR))
zL$`}Be{1Ip@jEb8S;1>v(&d+Awf!`Oe+0TBU_8GzECxi>=pT%m@9Pf#a7f9f%>O~}
z|G@bEt4L4^;{SI_vvTymu>SACUNSHR>6;ev{dtX$9j|%}kiSA<JX&X>2qwM<^dMtm
zRn1?`3fy3>z6Z1rE8ZVrQm&v1yt*Ht8eU*YzU$@MuGk4iA@wLSoMFDsBzul_v(-!o
zoArgrW$U=PVoBcR8uGCYEJ~nRVE?4jC#Qj$o=?(Q#ojOyaJ45?&(kT0ZR6{1$ason
z<2s}$i=qN&f=f>7*O6Dfo*;s!7i|^EKlEB-BE$9BYqWM|9<^~`34?EA1$J%ivkdWz
zmj8Qur7=^F_YJcJBma7Rl1OyN&j*n|xLOf0k$hxxa}|#q6bYH03OJv;;_fmqwX_GR
z{zbR-d(6%}c6n#ITpg?zvusBuxYGPTnD~_T<w?mfNVfqNSE;zx@q;o7GHaJ?(s}_M
zVW(P~@(LG=fSfe;@65cwv}iJCC+3nHB_zHawadj%S64f{t*{|@X^}`9Jtl*KDr{|B
z2J)Z1ghOjva&##3+uY>gzi^F-oBe!(22sXKGh;|e7**m|ZCPPwI@NejE37m-8Tnz)
znqTCm>sKZUt3~9(6v^T|YkQE@D#Y3{0gKEPMl^eslFZm+r-d1lSqVTnm}u40$W0K6
z`N#_pzlf_xa`3Hjdg;celS>;B9Q4-NIazNY1XOER$`u$KX#{;>8tj{OeZH*=`~+5b
z9P`wq-~o)DrN#oP4zGPG4Klm;ZQ;Gc$z<&MkAyS&6vG(ADG>n!d)hL4Ge=CP0YShi
z#?wyB1#a3ywzyagoNDhGEbwqDGLmM9$qu8Rl!cq|u4ywMmAvHgD0=73wZ7po7XfHe
z=qSezlnZx<SpZHyS7pzQm4ndySj3LZ0VZ3Qn5?v7NX+puf+r<`Z?z@{fT6a`%E@c+
za559KsZpB&yd6D3kC5@UwnHWW>4T$2C8w55oEwV#1}1(VLKy;<3dIBwk4%p%nKsVR
z=oog{?c&Mw2-wIGgQ-|1UBWD_wlTGkV*#N9XKBY%8!F!$rnoq4V`)?YHv(h}=P*0^
zQ37^h9IT@Qc7N6{-{nXNbBGd_Cl${}Ah-ILv*H42NElK;nJDgZ`j5T=3i!D2wY5wY
zl1LK?sS}_u1BMOR<zr^Q02>joVYUZNPp3$Iu=Y{uGDgSHfzHu}&66z`buei@Qv3fh
zz$39BcH)vPIyyQ~=BDqv|3E8#VAtNGd%z@dUF^!F$cRRUoKG(>znrVjx;4K1yUPP1
zEpvb}Q5Xxixc<4-v0s8TV1_1_O-=<ZiWQD*+(K@(*Af1WVOw8HQ$qQKqr59C1PS6P
zx1gdrh5dZy{_<xa2t^pIa914zk(I3qWSXeBqtDyuJ{7myztYqJJNoK)Mv;5GbWPqf
z`@VhANONB@lLLytP#5o~BGaEV7Axd<T>qNe>*I%F9GcJJ03ZmXR?)6_!XWXolUu*9
ze%<Y|6VE_8q(ZiQ2G{rK5a~PvZu3>4K=*g+Jr%qAxsJrdH<yn1`x?n}@n(hSfu{OB
zAAIQRW9#j97I05j1&7D0ABU4={ceG?2T8YzCAi^6H(tf#aq7^##O;2C!{6~3|LN_0
zh_J{pE#L90=DHsI=x?|0t0O7^_NJ%09luXVVX~Xtex8)0n{Q808DQ%;&@kHZdp1dh
z&7$KiiRb&ST1M6ww2TzJ<Cr?8BKbc#bv=PDKf&^YX2n}<1!_U&4o^)Ydx86ZOoXP!
z0hZXU1om+#(m;^_mIG3*@xD~c&&Jb%1b%L}bpM3EU5c;-bd!3?=KJ|J8Y5i{C`8iq
zHQZYC<jn!SVBo`R+3WQ>_RZmtA_9U7XB2aJSfnFCJs(6up1p&c)4geT3xrby?mFDB
z{2-m#`?-6qM?>BIj&%Y+XQ{aFw+f45Lf(C&=lec8a6O~U^MYU(QB+l|n$KT!>o7j;
zZtUgXfhsV=q;aDiR9^o6S^!5!+)offWdy~y?R;M@eI;|)y;i2nuS!_j3G9km1IimG
zlxfxVxtFbo7Eno5yRV>0Yl37*AYroev$*_jmLih#h^wTo-Bi&{8yzC@v0<8D+;RIK
zU2-h%Y)ucK)ns~@{rnnxn>@hp`M1w?fIXrgt9Ks07=x=|%B;=j`hOheu|F;cm^Qev
z<NYkyv9b%6kezz(em)bWbZJ(q!_rnxPO|2VShsuq?9oZ1<_=jV?SNAktV(2w$T9AH
zoz10lh3z1*;;pOaQVX~)3F3(X?X=V7d$ZuhAsc~I)zusb#AXFElsyR6Uu<?@(;~BR
zoQg$04@QOcs8X>}sl>y3l-1{SEU+B`fY<|Z{|rynr<x%FVL-6bob8)T{k=cqWxN@?
zJUk?qKmQxh_jPe)d(;R`^*7%I2N&uzo7(GEnUDvu(|f;``MPeJ{&v4zkM_f}EwTiy
z$K@}XHRue#`<Xg(=aDxTT8Fm0uIUkfOE+;e_)r*pZAPEn!))jU$lH&8rGN2>0`jjy
zSuZfcSyf#RE}|&JZviGEw5-)kwvX*-2cU-JMG&8VsKBB91|<X-Rzw7zXAo=<f;J!u
z$kLJi;%N!a3oI8P)NF(-*t-~Ug(c;Tyaf-|LxDmFCz_bbD5U1q{99!b9N0wzFZest
z#^^_!tliKoM^xn5Eg<0L507>JEW$*p%s9Nc!3eKXF1Q^|m>%_lXfpIf7CPl~+RXEH
z75cMr&xcf~Ofr$ws##3}D)>z<4s|C6baxkj+PRhViwio$vCMZ6pqgvm0I(QC6Nu#X
zBSH#C0;5|ph@S}d0tCwhi4!UmJ@xkg+9=(E$J@QgMKYxve;xP=Zf0x%ab}iE<rH@B
z``!>ww`XtNwz9g)b*sy88Cc7#rR7(#ClCuZOg|CaL!sJ<dcm`kj8z4%Y7LQKIA-8I
z&leP42WcKOVF+0S?!tClf~RZE7yxQl!3QMcNQ(gX{n@$k%VWyFwY|fB5pcB-$kfgB
z9cGsH)V=R}%}nHm$Aj_2?3DT37x?RD?-lVlh8vrJvUX2_0=skBGPGKifi`0rGlM!>
zRCV*RIulGZI;JGmfg;2qW-yM%{V|@1BSo#G=};8S`IxBZ=kY!QEOIz&Sc<Pnf&{8H
zyL)gN_y+I$ypKLrG!rxoj^SftYQ%_I0^MAbXH_E8`aS8XuiL$gE4_G2F^hqX-zso}
z32i><XQVa#&TZ%W>@?P@p{<=Agoly;3Vd9M;FnvygbfO*g_pV8lUp0maEL@1f0hjJ
zBDFXnQ$Ilpr>i|teXN}Zt@y$)aX~>u7CfQFSKF7Twl|zIO!ZbY8D~0CSBHG1y+%_J
z%f$0wK|QEs)))frL36*h6b2y=VIY>ynuQBDmVp{zS!M5RurUIaZctFloa^&{SZe3*
zbL+Y|s13&zMq>|xj5|7Knf%`W*~{zodlPhCDp9ALX^VAto%v?~aA-rx&hfKhUQWO5
zz0Qe8Q$vd=b{&iit?)pkn>F<u<M+9d8U2RmCNC;|CH?O=bb#{9EUr}mI8nyEpwXl7
z?X*_!D+&-(btHnk2v6MHot<<m1Fw|_Cug7v*^Yo@;Q=b1J@$3CbB{-SeEFWJfvX^H
zfAKOfSvkk5#*!i((d+ibJ1GePGUd3^K+}Vdj6Z+&UIa<KZn7vi9Y<>R{Y<M+=*($D
zgea1fUIM$z```z<-Hx>t9Ah%9ibi>D+=pO#j?(i-q_pqpRGyE=y~{L#kb0-===CMG
zV~A1F?&E4~5>31Q_euQht}WK#7&X>PO#Y68N=DYys+DVSIrs1Nir$XbA~63HkooZz
zkWfgFKU3RIg?#%IF&cW}RaPRSoTsT9Hy{)fgRmpJCUHe$TgmBc@U@J!OWujG#)-A6
z2N_rpw?Y0@W6(;o%+<+Y{94Nk{pj61N~pymX$zAl60~7}yf9|*u}PcyHf>3R(1Nz(
z$1vUy2Wfz-qv?8e_AzV2KL$`u-Q8(}G;{vSXL%(wgTc%aGea-$3KjyAbt1YAe>V-C
z@4up#zk3CJO2KxiBy&vMMgiPR`S34$PXBTS1@w2Bq9G9p<|>oOYJF2dxkPpHUt8kG
z^I#QkEGlP9z{Dj;wM>k}TH4xO9h+6*V*?X83%l*p7;{T%ICix25(to>oTcLDpi2Mx
z`oB^N_CpPgd(nb%+GWrw_LMs-8fL5IDxEmr!9ze!U^9p|leb$ginz%FMiEU;1;&5#
z3DMdb4WB|5?&XkGS6FQ+7cN|}Qj_kPvI;xyriDQ?jH}lc%aJx_)$XFrTN$GSWf+}M
zyc^HwJ9G7iPEo^gY5qS&nY4<gin_S*qrL=4N7s+EFWQqaU_DgPsQI~#p#tR+BpygZ
zzqqEHK5W4QvuP(6&se!aEgXQ^-aK*#DJv{?)N9tPRK<dnWZ>rJ=<2UN^TdZFonqz%
z^mbB^V5A#YEbguDuUb5yRJ?wM1=e87K?`yj4%2eaKymg&h>+r-mXn`W8|OV+J#Hpd
zB>(YT3a5guT#CMm>9n~xy7?)3@<^0o3ox(mS>6riK_wtLXYT&LJ?=~r)P(fu>CIO2
z>Un<7>#_)>wlCkMY_%Zd%SqlB&q!@`J6KL(g2jPG2=QPV+mpgkr5-uu{;?wtB*>L5
zMutncATRj@ENi$`;TfA&#dL9p=~=IUPH9zV!qJ38MFlEDI5;}$fe6S@SM94Q6ipeb
z*!;B0fXAItAh&VjM$dumnJH?n&K{+5#Y<PKTAhe8;4R1e-v0eO|CYYLg<`xu0ac2a
zmN$CKGf7eoam5Ow51f>oOQT$+LFZW+S}}w~iJWfUt>v_`u6FU$V#2rXWG%&dSlQUv
zjqYWb5j4=F)7Y-!f{r1;;5=2u6vjPHh7&jjkt$y8NAWs+e}<a~Ff>~}HPhNfW+t8+
zxZs_IqerKv6H%pEmiJ^|`4vQVVj6=dWQjn2>ewtFy=`mf<SVzks)fnJS;}g7xDv*0
zg1h~=Po&_@ig2ry$c>Fq0~Wf4f#cMR6wOA^=oNg_ap^c4TIzAb4YJd3i+M((8Yzux
zFjSS2Rcq7^pd!;zuxA0Va+;gQTvjlOK^uiqL}0T7NC|y`h`?u@n+4nz1rnXynE~Yu
zBtmDKb4)3QY5#3L?vIL}g?plbf=PFomzWyGpo^mICZ9%jl;o<Y$!Df0_W_eP!CEsS
z6uf*KT(&NQxA+i8CRIa8zT%(P9!q{WnR|ubZu8;e=)x>4l1`2K)X=jrZ}MwMBs)X1
z8uw+OGlYMlW@VTyNco;F2AhqLq!=Qo9W{paiFe%|2X&ko0mZ;cavoJxEq3y-%OdKM
z8Hhy<1hjURm^qMvazaH{lUMGlq@gBm4tAqxAq@yJxuCw3Sg6OBFhLgLe@#d*(jl2W
z&gwmKL{d^hsAQ0kZd={p0P&EVotMF|4L&MhJz{wy8vSOMnb&Z?bZY|Y^5%C4qDm?P
zjl4Q)K?gk^)9l+z><17+{`<>Wbc)o>4?noTs|G2l#g*w~vwEHOjvs}exOwEX3lC;m
zpXS1fbt>A)sK1v+$S#m}iSJEBtlpP~e>x;mB~7eaxcmnaB^OswshZROMp)2A%#{;#
z9m9vxD;F<B-+vP&=~H~Z&9cytG=e&5VOvMCzG=`hllzK$F+^g8ByuuaLyauhBb%Ap
zSlO0QtX&DrVLqk<ri|Wzyp4up5-kS9a<{CYR=jfAqR~*sT`oZGYIcN=O;f9#Ym$AB
z-gAn#s$#rq1<BmD%+Y}*lV?AnG2QMFpv-D2cGN7FtC)b4pGss_@^WFV7&o~1&!YDQ
zv1gY9NN9p}rz+?RyiRB80G4rS_L|BYMN+AYHfWpmfVwKG482pc!r^CUha?fvqmP<V
zNWI(DFa&EXRlQW{Xs`2}-y5W|OM;3veOpBd_+dA<--A4N(M3u33cWp|no8{Gjf7fL
zPzfQRnUI|4l!5}6EH=2?(Y?O3>Re^Rius~h6_u*V=`+I4<`GSqjmTeQqJaJkDeh6?
z#*i~@?Cg4*h6`-hoBrO}Y9r_?c6@!plOl_w;PCkyr!qtf7c*V3qN#a5Hm6#t81tr6
zPAILdrKVt`zJr?B_k1e#a+5QyIeOcZ<fQ~std9ng?E?y9#!ekIm~3zMx*eAj<U(hF
z+|cRLWrL}Z@8R*(`;VYLY`7pZ^D%>h@N>A-(#S*X7b;m4%Wh-wahA*((~&F)I+F-!
zDk-Y#>1NK7^3#og2G`kn`54XG#2++X3@W^{B4#ql!pY5f5!y$mJU{65xK*;?ca9uA
zNMXVMUXRmQxXv*U5~PltGfjA?@+QxO;XQ%yzM)n(K%z+#%px&dxRM3U89Y|H;P5GC
z0B4LN`2{q36==DqV<k!wCic_4jQocLMiX}6<clh$qe6Qx^p=!z7^SQW84P=&hHZK&
ztiJ}5zoeKTG%P?uel4pnr<w-a>-WMP>uk~3Kz(h66W9HpHi54;3wF<(+5aVfIAv1Y
zHpFZ;_F$X_jaTe_Eylm8n%ryXpo#0Y)#{N7IMh}A1M=PqOxLTL6z3TVU|PTUlFQ*y
zpaSJJs<c`SQwdsIw?T^q0X8#^Aq=oA5PAo|vdv?Oo-tv-gaM09Q&sqUY^2>_F+ub@
z1r<Cq;Zb;lJRI~E5Vq3NYoyWbH$A(m(&z709tF}Rj4Nl#;OKK*0MDkeu>B{{FJI6A
zML@d0P_fTJ5GI4m?|GHXmJFRz&*J+-z18v%8rmTMfoWnXBR0)^2Q|nE>lZC7Yfh9Z
zD!NjV_`q^~jh9CV!OW^@gmf*rcNp}F;19(N3#MDxd0d(fpDw+D2^x0v<$gLZj5)d4
z$J;?1JO+SPs)+G;SnL0?s0IjYMasO$OgbXk2}6c51ICQUtzSpEaw25GR^b-Ia$-#m
zkKL@{f)zY-dP41zIs$6LaXgG1wV3Pg{4Z=u1V+BNA?D@l_fY^8q*vV7Lw4l$&&A3;
zFk{HHnRK%029*j6FPhf#6jVnx1XGX^A)X&Pjg=?2nu1~+wJ`*<>1RyNM)}DBVG`h!
zEu=j>LedO628?x<jmt!|9QvOD;K5-`ldbr#{@+XA_Z|OsCYtlhGdw6GIZu?gL_?Ju
z{-6Kf+TV@8w=XyU`8h5QtnDB_JU9=MtPa5msChZrw&Ju09<dPMeYzg!N&&K?rcPWz
zg`K)49BhocfFKfZDDcg4J%r@ORDF+5Jqn>Rp^miC!31g?386}$J~1RG3<WtHvWUU)
znHf;~5PYs!GCEs#cYTbw4^8sDq)>2-Fif9fH@FH4;UdO||3}~V&)=E<Ul%be619d)
zk6#Ad+IY|3RV{rujvr4Z746QalC7VC+b&il(2GrQ``_1=`KXRy1i&oyo?ngBCHtIa
zaY5gK;x&C7K|%$LCJ&uDz~fVDE*M!(^nwTEd%w=vJ&!bzGW0t2iAeq!7WQ`d%J9B}
zDd=VArY-#q#iT&We-F(4XXncM7={VtJ37QN)6!?(jQ}}2x$$XyVblk%Y=jJhGYtRl
z{shbvEPd#}IitT&+%46b>0RWUI17r$gK?2$GV4)Dv@K)KOo)MtBjf#0#xt)*Ag${;
znS5#rWhr7@LB_a=$@x(V+V!MVTc1-Yd&vCK`VF@>B@yB{OLt7qQenx00CfK^(hY~x
zv8D>ZEO2)JlyWNjfWN1(uY5ej<XaF95N4toeS<>vjMH;M&KLXs>#T~9@?WDXIb
zSdk~R{p&tb*tA3PW5U1;*YD$GCsfk_m0SVzD=y#5R5}UrBh<BPlJxnk5i~-cD;lGb
zzEiP<=iZ-Se<(SFWqm2HJ=!mrQ@SUqs6U?#l&uM5s0{Z7?gg%+5)-U6M9yKG!~6H@
zOV>Gix5HE1?IDd<G->4HVuG_Ao{pbSmu@Zc;f-#$k+B)&@V#`7?>a`p+H|-%-*@2(
z5d|Hp3=byZ<%OJzwC9bk`|G7Pt!<VsTD`2E0!922Y-XUKxZFD^O*bJf+v~2D-p>7{
zr3HTaa|n{D%WW-B3v<dQi)~9sFP|NyR6=Evr?anm4@8Wz2Cl(>;UW(c|1!HNJdybw
zb2x0Qn0Y8Tn9MvzDAhWO=_qYA(Q;{61OJ~C<n!VUc$=v>eID=6Nb2dT_zp9mm7%1j
znNgd+(?Yw2)txg16m<8`oB!LwN!e{)Tb<+mR8SGtGfl<~AXx0>n`d_*f;<f>@-=)o
zjr2pc0dql93m31gbJ~9CF7X!aT*1n4Ep^&H>yglf#Ud{^Omxr9TbQ}xIRGAhq(~5+
zxBb|VG&_FFvy8$(o&rG@7Dhw(Q4Y*ZAuj1{;3+h2@<!I8Pt%Ru8%c)E0OR-!8_uSk
zi_1>mx^dctRLQ$%L=(Wlua7xtlhz4~$_3KuLfdbnKn_TD*RX=`KRr&Tvu$wwz5lGh
zZ4z-}WpbNeUF4=)T*a$e5yL4%Y=+esy@`Z$etO=hnK)q7CI}-UMRIg2>o%z+#V{T`
z*cF7=KyUuZ|NB0gy3wV*={a)4r%KL_n9eFAR^cN&bnW7W%n~3glb4B`=^UJUX$_J}
zOe<e|7_z1v5ZDXYJIlfD^LlyRNsBuO6>+o$-D2FZ*Cc6bu8PrgCLTJ1)?25steH+~
z(m4~j+Yf^0!h;J1G#AqDIa|p^?H(R%bx!X(<>`+=v6D+x<5}S6XpV@nrSX$<R9w}O
zU$bB;hC-2&Q>#@wWP^Rn&YgO|-xE;*c=>+4X!G;V)6yh3$@t>#<MO^87!O)A&4-?U
z!`Y@T{{knUmP;SIc@-uy4rIzdVc+XnV>6SdSmA8$$yLsauphuWFgb%9(xnxSegNSY
zR?{td&=xC0v#DLHV~5o?GoMk0rnAaAEEV2ba*Xq9=<*JH6ois5Ns>NVWrU_XJ6;Ie
z-|unf=XNhIt+pPf9G{vg5eNVJ%0q-}9K0V-Elk=Z_g1GF=wCT-;Mmu)@PFTbtUX=z
zOBSeOH<=d;7vq^q(?0H!RKKg4!|iacH-_^evyOjOJPTSuE-o!+M4LIi@SID+MDt~`
zYNvZgieX_~VKmOt6o~YmJMe@kLLF~cqtG$Vy)kxnz=<N2=)An)h7C%K*7xzb(3AH5
zONpjglZcqTC>!8(ospYY%yG_0c>eSO)Cm)+Lp%KXBI{152wTxWn|k&VG+9A{@rUK~
z?i`iC{LnOc`m*<RgH8@H)5mC;6PdPWnme@2@fg2)^_a+k!GvF9=IQ-sqw5ED)gJ|>
z+!@ni1u4gugX2VV*qVVe-Qog9$-v2R6ch|jhX)fxpR3YzGGAFM)?|OW*kQeYBX}%3
zypI+qLb>Pmej<iD%j)^C9gE0L!v$pF2$=6})^awO$~}YYOXs9znmPJkkd0MDS22mw
zP@_bji+v4R`ss*vIXVcCiTDuv4FA!|Buw7+JNgzsvuAaGj_(>5E%jnFbaZgCTd>P~
zL(VYC89Ra#aj?YXOzD^T%7`7`zuEPc5N7TByHHQRYiW1mxolOObkS@c0uDwaS4~l-
znhQCyRjV81_xmeeQnz!3p${AQ9jMyyykGHUB?Z&fEClqUl8SQ0TwXW;G-rU)3t?n0
zmdMT@jc3#CeO#IODpt$i;gX-F<LPeA*k^;6rSCuP+CkKdQz1Xm4hzTQ^FTS4E~#;#
z4;csvW^RDDGJ(8OxyxV;A|H=U{e)pUPRc49tJCY|wrZA_&8+FoXfm4mmGbOoV>W9H
z{(km2I{fxIA2s+>F`G!+2|Zkm)+ftEP(nS{qO^1@bEPCR7ZxHzQZejcoa1KZvTzL4
z4G}?0Rig|#3hptx$F~#u^+y&=^&%Gy<X42^nL&yfBh-dw#A49@zV_i3DH|06j@J@H
zpUAu*5~7hXExlNVid8C{JmW4eFZ*U>iv*gKq=1lS0ZGe+;7INkOrZ@0in45~X^B|d
zUf{$bO^{@X^7g7Q?VnCNj))LpI13_#wH5YgupFSw0=XF`Cd83VAT|jlR_x`#?k!cN
zBuI93^KqgRG6{TbBpE|K(v@|`d+taG{`(*qwW-X2_WRHTGSeM7-~d&+{T9)mt4I|n
zOpy3jxqExyX`dxBC<q1zloyj}0BN8JID`sm)Q>=-8Ka@lbY-u<r(Z`4phRKHsp1nN
zQN+`Szjp}P;8uo;Vsg-}YpfiI!Dca!-n}XgzXi}5AW?iUIO~|4DuNCXqQVe)Ar);3
z<ds$R$p1GJPndz4ulatuFbacYQr{43Dyl?BtE~Rj_xpma%Bhl6a$FC$78yzX&pP{-
zGy@*O#7~Qjm}6y`?UY<e(k00DQ4yYt65&t;ik~((5dN^@n`F*H^&-%7DT7&noM3B6
znIAY<JB!XDFQhyHU>G<QM9i2(@3(SIk5{L9Y5WAsR1hm0rj4Ti-9yZH4iARo2^ZP7
zJsW(-z`7_&*BL-rV0QYn7;ACCAw%Sdu|h-LP(K7R&bU&`;0gGPz1-_<L3s=6;Wh7V
z_v`UC0~bn|7%V!Bc%Qu>d4bxXlT3&R&E=;fY@yUnsD;?aExAI8q6);OGG*OEd}*V4
z=E=~?!my^pd3-8Kii5*GgCO~2;BmncI%Ii&IE4}*(!^jqtQE36-jvrRl+Odn(XjjI
zxiy@_Fi@^^*Y|jy8XT)RF_Kvh@w8-#c$Y#{5x^uI%sJC>F2j-!YBN(JOR%ZE^?8$s
zL}MTDOhO!9gw!wka<YJvHVdDvHD1G40fh4)8=sk;sY3`ZJ?j~t;PVIqDK+YhtzC9Y
z!2*?yw1ENny~5OIf48TMSwF|qVo+TzJ%SSi<r2Of0&z)Vug4o+&i_I6i>I}$Qv=}j
z7gpex?KJ%aJ{U49F)t6T9hTiayVwLP5-lIo0y7VG=z~Vg&@=+{T_a+2G^7LyQgUn=
zWjMGQfuA=R{GNkEJ3$+SWF?6tgkV)8Csp;m7(Z`QvrG+mi2Bh}B|&mL>@5}(5AdWQ
zLCsuTdFp11o&WFCji$Jwjse%R*T@k`_212W<Pj^>oy!*YU7jVYXOf<iLyUmfP8=~k
ze(kh#9RK%?x4!%IM}jv9u4ebq&dp2@*|-^ibFe2E&1udwO~V(R;^W34rs!kXP<94H
z0we;0aKt}zEw0glE}^1fSzdUqvLT|x0I^~;d+yiM2U;;xKn5Sbwuq4EgmHodWD_XO
z@iUp1wz%mJ2^FSDDd;)ZzpK8VSD|`RzyuMBr;IA9s>+0>8)r0>zVK~P5Tn7r`_1&f
zGkO0He!t)9<2nDo4SK)V4_Ik{tww>v012Xhw?3{9Zhe$d#93gQo#i|^&p2?57^F^y
zmkUga=3+O^6kbsh16=W-m9&OGwM@W)82&C-)3u29X)>A`8eW(5a@Q<W7$F34BIu>1
zib#S$x)~|?Sf%6EnVAlu7AkBEhJ%dT+on-Tm6BvQO(A*SWx$Fkgh`w<V2}pk0#S&O
zCJ7pIPsO%g{1UtwMg4D)K-km+4Ri$NP~B7y9_x3(C^juZ5GG7?NDbTs6zpsce}i+s
zFK2(x&HBH`==i%A*x0z4Z3A%dcz7r!Aka8d;Tn`wIRO>K;E9>4IuzvsU4;<hWt2(f
zp{J+l0FnTS(4}Ar5hz52Xz-zyLD!$3UX&ZWXHdh%yW#14e-rZlfP0^7?!8_dESzk1
zZuHrV{rgokw%Z-05%Ph{A+ig&p&q1+M#=lB7AL`>#tS@GXVS}|Q7s%6?T$er`Wgg9
z+-Ijc6!%as2)G%E)=X&7p`uJfX;3{81ND{krW|1YPpkC57y16bv!!a}9({_>&P>+8
zrLrUs7DxMN!@se1JWo<&8Z|8d6>?XEJc0&}ERWawhdCQf5Qy#)BSecVrZ23W(<F6N
zadavY%#e)!1PDWjN6p4P>Gr!FTbnDJJLYcUNWGzXiplhXAjWByC1;N_-tL=RTV9`M
z-HrdoHhHbY08Hoj<pi3d*KlJPGGqv#uoP%6^%}qoqh6S-IB;M`K{~Wl(XdNjLxQ5A
zUkUK|S3JMc|H3>@^Zj1Grf!0ZiIbfTRE6pXV+s(9kMSL#j6V3QxiD=+L7*~Gq(cTl
zu-c2<qQ$0_E@QkPyDqNp{vPuGZpiz-ihL(QeZ}th#Ipq_L>Uk@I;@}j?(vP*JaRG>
z8*1x#lEtF}4cT!{%!R)_w~ye2v~-49nVF*1(<_)N@3Gf3O3gLOzs%7WL>8Ic@OfJL
znB2dAL)&-x*$p&f$W$45_>MEM+Ld5Wq!9VSiX)<^Sw)uC0Wjhj?SSG60`sx(p~Knw
z6~ipB{5pNMUc-nm?>zHlpIHr96m$w!6#DVOc(JFXNfpN-!(9neBL2yk@BYyeeewT2
z=GNQ2#mUKPT#wg;>tL!dappw~V`zeI;?Na=5y1+Qte7C1?S72R{pV<VeqYJa!EQb;
zufC#~%K@&th@|gl;(Wh1+8V)qpZ7{j`|HasGbirTTMjzLiBaGzaN-s|m3oP=Ui?`p
z=1n{tRf=?^Y;wm)a=+Le3Is+?jVgp9(BNfx$)(eX!$Q3Z2+XBMpLB6VY!o2Q%1d(S
zOmu@HNEks)Ra~I}Fv%3)v|xDt99V^~L?meyMOAG9&}x!Ck7&6N1lIRBWNmrAfns>~
z9zu?A(YebX4hIE0rvy=^qERwJ6ezF<O)6p$TSC5X-nMY=DCjqR?g!@lLm|iX{DUFK
zDY&B2BndJCG7+7iQ{0@#sdq!u0wO4oLbyVPRP@btZE~Y#Xld!=8HLgL-=F@!Pklen
zLr+5hT0!DBJafK1&$J~vMKnw#pZoa?R)%?njT(Yuz#fEv9&BP{%8mrvMFOfw;$H8i
z#M-Tcx7Ou*zweVFxR~{bJ%p->>Fy{nzfNvrC-i<V7p<1%_#Y_&L6ACWoj5=S=O!th
zY5mG2Oq}^pB+%rN(BKkSp+Q69Lj&Z&{sIyROi!*|Z7WoZ>B2jC<fM|<&qB6zpdzvm
z`IQta(iL#w$r4kw^{gOacfV8ee>eGlpQ~qY;s0?|C+t95p@hrA)s!0AX>?^kVen%o
zF`;2yp-P^dm^Q9RjQFTmmVNBMYIi)|Mp@~h5>^Oj2K%jRxoqQ;F+=wcA_J!Z5(ucX
zA<-W`nii}w;JD6^f8b394j~(XW%_?W$nN~UXFAS%<L4=$ctdHpnIQXEi6TK{>eP$p
zB*T9VFcLVeS{LUX@ACW~AN+rZ?)Z9Ek)@Px>}rk#&h`VCqoku+^*=n6{C_V!*11FT
z1v6K!>o_2Wbi)S71EishhP??vtINzF;CTu6T482Fo?fjfz;ZlcZJQL&8eit8g7N;l
zQtQiP*<KW)fp>_YYylF$v@$gGyvrJiv&Ib<9O15rI8GdQ-=);*V5h<?X0yG>T`)vp
zd(fD04a5ncKy(;>SzW}etW;#F0C|63yD`9_nPyA<_bAPd;oGZAuOlzsAFkzCCp7hY
z=#hs6I?<<W`Mpl9-lMSMRtz^6)$Mq7Ya=_e0yKh!i{p{=txJ7(57ctKZM5k*_n*N9
zHAxgOfbj=8p3etg>}Cg34S|VFzlZ#Prj%nJ2ikXh8PGi7L_j5IiE5h--d$1>rVp4L
z`8&v&cYRMIJp%v*=TW8LZ@5a(#d7e&E=U<PZo`XDUr+8ediQHbMv$v<#Nn5ZA9(TL
zLbew&ZXSluPxbXtS8~_Nj)mR{@?u2_gqtx*5HoTxIlWHV=G*PkGvJMbM^BN2={wkj
zqro%mb352ie4va_!xVB=m0S(7veNz9-695vZkZ8VE(cfC$bcpWAU(MxH17-4;l)2^
z{?4u;0%DpI98~6Kzv)+|BG^isNFY$DqGZpkx*SVPu)VY?Ip}cCCSk!_SC34gI!+aR
zT{nj-WYi?oK``*)o}eS(?W$8uAvQ(@cMC(&>{>PpXG3JcyQ;qTvBp{J;CFrx5HZvR
zUx=WwUv8^ai$QYi0d(`{2z{eL6$;g+&xe`enc8m4<0FXo1;h}lMDi2_VCKDEZ!+|R
zPs4d(E@1sSjiEA0)`&RW!wIEl#nrTR2$SH67F7D1`ZEx8UITR!K-mPfH-mThVJG$1
z)kkDJehx%PkS=K9(!?G*(YWrjxp!Vz^YGWp7vS<Y6b6YCGI#;&o4I)yd~7anlOwm7
zfo%_CT~m>c@$gOw_Z(Ew!R>IqZV#s!#6To7<Mf=KC4tBe-i|3OaJL69(&$^GLXcV?
zx5ngGCy@>S+gE`YObUp^tI*~3@HAli7!)gNJuUS~r>-B6&n#-kv!PGw-m(TrVu=)t
zQac04;3)rj&QF!`Xfs?Y<UbVoy6vaS$iek+d;f=VL;=2ta(#xXDqV7`M?!^M*vs@K
zWB|~0K9|2@Zr}j+-12I^hWZfj-%N(ZwhJ1%bUbW}-iMEqTMx6}hoNwknt&zvTTHC<
zp&~^GX56>kzEvV?pPw<;3$kQbp_qWaaTTX^-j^5iHL@TQ-;uPP0EqoyQ-C)I8M=Jg
z$9BEG?-$_YGRL!CFwlXEhcRRmrqIYx=dW#N_BkJ4e=uNu&u^g6$eL=qZAB_T?!JUE
zD9@Zci9ut$_s>CGY~ru+fuoU3$1d!50>P4n%zqM7H_hr@wddF22Wt(F)xT@TC%Ec-
z{Ck$916lzt?1Hz_V{uiPeA)N{%19hk$?^~^dp%y2#z9$SJ|F9aK%HZ7nT`|M9(z4o
z>UD1#0pWSXO@c>+i?7|^W<CAitM+p;pGOX#B#O<iJuOQaqmLau4bzx1RJj9XBtT2V
zy6E+>81Q$LC<{M&dr=86^l<*)+09Rxqv~zxOc9Py)Ds~Ebjax9*?j*t;3tVO3|moS
z#oI8D@XQIIUZtr}@q2zx?#e}7>+M((gl-W`6q6!o*wSImakjp9tj+Vu<OP@%&OOKU
zZDodzFm(W<5p*=35AF+Bqt9+-XikSNZB^cRqXowah6T5|v#&9}cQUcb$Stp=>v3pi
zV?cb_s(C|lToAzRxqd!kCGkzyD%V~wM+yNtQ32BdBhc@b(ew9!mLmsg>2oQh-3Q7L
zL?Iw$z@`{o-hQa#84@fM>NLUiJ!`|b-&VoV%XAW5gRlTk9^UZ%Th&Z{Z|vz}KpPUS
z%5^PV6(-$#o|PKMu_3^F0GecsoX>Yd2bS`;GX|X9aXHlz!<+%ZNZ=0BFm>1*V)uB~
zUk6UijNBe7b6t(R=0Pb<Gr(g<PG;QnI+z4GyZhjf0POO9?zb%t!|l5@Y2fBGdE+Kt
z;p_RK2nz1Uyn(sMlxa5Fz2)-|7DX%UuxkoI81cM3uC8|w*(0axcbbdkvQgcGQNa(U
z0{#(;pVIky{oaPiDmC4_;EMj+Cu)%?Wc<+4;=!=!`d+wj9L=`RS#A(E%SI1e73AT`
z=2-E%yYlumv|6nr=9VVuX22Ov@QoZszjyqdp!fH0Tbtu{aB?>Un>qs`BVov3;R*&d
zJIZ|6ZPwq*@RRE2rkL1<nVBMYD;@d1r67!zzp(A}J9X0sfZ5t3J|SIMK>_WBhO#LE
z8G@RisbHZH2o}7j*9fAg*^G-5XRf1&vL~2N2}3ewgC^WZfZ)3_aUMfp?JLov3m|4<
zG{AL0NZlCJ7>0DrRx$;fZJys;<+>{r<a0?Bf}sRN{L^{5vBRc_n*x+@a8gBCxopOm
zH?mpqsV|<x3=(#w5j#mmL!Ssyfl-4t&&RO|#4(p(8w7*zwU(8P&AG6$x($8aKO-$9
z1gx4*M=@(oh(_#{BkCyg#uo@-giEq4fUYUZI`jd=g+Z5Fx*v**1W>X`g4}WB2~||m
zOCA!$f64l^e*wtCpc6B}h>}W45J>OeC<nh*sbtE<eA~$8_R8=y9YI2CDhnQrP~9LH
z9vs@K^_5p&9WWzItC)gz9?!4^c)CX};?vf49^*l~hT0);96k~I@R8rbI7X(IG+!4x
z534fjhzNXyi9CQ5n9Ou6LWm<tJ!DkVvNJ6VgG7ds)QnDBedRMpiG?X4Bq#2htSC7k
zLdb-ou&l)ej&3{yo*gLQ;0$Be=SDdHykt)YD@tgB&zD4if<X;MVtX$WhDKgO)YIca
z$9Hw-^WeB4H>r-Uh60f+>1pupZ7qeqPBD0?r(1lqm`^5IMQ92Zy;gR|gB46-ZMqXH
z&YVng^2Ea8Ga8JuL_cSD95>vvOBqCFOfTKTN<1@LlJuBT@SXx8;Isc18FV;QZ9y|x
zl34KMP!<F)$PicgrZ|=YToz9|U0;_ZOh$qeIH)JRl#56H47vp{U_~;$qJB}LGVYvz
z+qYsJv=Q=L4rH7N7Qm(sxHoTg-tz{r&tTBDUkfAZ7|N6!5<L^^x`*FFma3}|c!4w&
zufHpr@$avzK1-(>Vrt!_kcm38{`ZB_Xlr9{7dH&0;S6KMfkV|Xmn#;CCia`sq7kXP
zEKs|Ld7oUcO*PNNJTpvC5EPcc%crQh#~Uqlj_CSaMzn`9Uv6-tOq{IvyXd>6!S?dE
zSWqmk5hnn@0Ur1)%r?0lA2ui&BSpSJOL6g}OA4z0E}mvLa$mrDssZ>P@($7|rgf_(
z!+3_f;UM1Z<fKsoaj`9}FEn;oAkbct6YHl?0;B>S;*l<aO+O#-LTo@|kaUCel_9Jm
z!@sJ2gQsG^Y;=`=)H<`0vsCnZ@J)PDb?{CC^}PJ9Vj0L!_L%el`1qFg*V!+HSNL&S
z!`)dW&{LKm?ZSc8v_Mda%&p~Kcp%}TYVRY3m-QKVKHDY$H1<a)1k2APsnQH6nWI)1
zZAk?X&_mHv?JRuSVN5FFO2X_+l%(B{$kkaxbc$fi$In3^DigIrA_j@h!4qcqoy*Li
z2V%465$KqeFdVdJM2{~)@qFHh?la8CBCJx1j;1gk7hAd#6)`a{tuHfnzVBip)a95g
zF<yAuClU{Ioy0`747mBj3D3<WBubLl!dp<Bvb0q_a~KQhg|sv@01~z~jP$`;q`J5*
z+$F)J#v++fX}PgQS{<Lpn^j`yFia9v<3n7S3XvRG5Z5;s3=X`?e#gABSAN`T7Ixk5
zdoz8ETwry263N9CejnrdkHPSK_c{J@JtQIPva~xsPl~mV6I*DNGXOVu+L%2r5HWp?
z+6M|*4Q;FGeSukL7cV0a^6_*C3&by$abykwg$vErSTH&?P!Qn}wG$qCZDoBDLh<0C
zAKe}_e??JUx^xI{VTk*qu2J@FRRK6<&Z5UAB|^|bP$Evi0py2q33ur`8vsn%!$=lS
z#U81c!j^+#Kk=`jSI!i;00NgsLVU5oK%cO>0nA>Nw3*U5SU#JqsMHiRDZ{q`x`MlF
z1?{B_U?7TpX9JVjm9&(Je-j^2Tr;({J#ZZK0N99@orhAYT1k-Nr;?f<L}J6%w!na2
zFx{6HA=#AmR4PJ^D1Y1ID{+zb;JR<R6vUNmN+|Dd1^uHVO!HOVHPd7e*fK@5m8uXK
z4jp|2zyvi=z!9=`+2az?N_L5lF^|FNd!h#e(sKep&qv{MDzmf~vthC5!GaQg(4k6o
zqxVMbs|rvmupu%68#Xh6BqfJdz!1)crsyIZ1JVat>jkUS%HvDz$6LC-(4eX`CqBg?
zv^0O%JbENZLg;>jFX0yN)5E|eOvV*()#wWLw6zEbWRG37ciUNcLvQKAmg-oV?1fj@
zI_}oNiu|F}iSWsKeSarCQitY!f3{<TNmSu5a}&4ZPkjtZ!UV9NrlG>~DD?19*t181
zL|0vnakgoh4yg*%-(iJdJj`qUGca{9&;u|ebDY)`e;6}@9YTsM76#`W&C?9kI9*{9
z8Y~A$M<k5p3)&I~a$vQCk}+DXU!}%kmznT<c3FWw->y1f_4lmYzfW+#<@kBHE#d5d
zx&ROC@(!C?bz%{H)>fwU@$NSXigkooM2mK-wI|2_@Q$EhB3(^~5#qYdYU>~XLt;Wf
zEp7T^tu?J&oz#CjKRaBl|0L_gKENnstb0fVQM=Y$>~FL@YR=?olFRS8Ud=IJRDI4%
zkxOZ=?)cwrTqb<_I=>MQnLJ_|PU2lHXKGnlwhaP{yR1tQxZZgwA=T627X=vq%cbn{
zXyp$TYg|S)twUq3NDi>V_9Chq5etziA-2Z0h!xV#`|PM1O_Oxg6`Ab+8k1WON8<T7
zVo};(fDp_S^n8z5h4<C(bTgs(*y*9;%NeQNady&gzE`@^%Y6w^<b!%!yQ5aek@u}a
z&f^Yu(n3EzTN89rshN{V$e?iKZ{ZD`{l!3)X;MxY2U^{@@X+0>yUr$qLTOQxa2oIi
zzlYE|-O9a%vTSMi8CP{Sg7XXp&7Gd3hP_`U@>j$z^`e0GyrI4+Rbsw&kss!q0SJ04
zjW$+`f*!=%!Eh@rnr0jUr3MNuqO6Z2AEIxPC27uFr3`uUN~!1wGzJ6#A*m}7dS((|
z;vZ1XVRS0%1P8pAqYk;1oSP|&g2TiPR8rI%u65Zz2~{p0#*rIrsGy`hXB$@~znrb!
z0<k2LyMI3mg(!Sr>EMVaw!LoG(z}EpA?o*3^p)WMpTI3X|7hzJZy^78dAsk&|JR@Y
z_mCRNcLF!LNF@qrt`tBDIfO<iVob(XXpVF>3q0Wl4H#hko>avRXd{mOq|85Yt}O4T
z4MjjrxPiC6@zQq-?T=<xylfI=7=iy}8-UCtg3;R#25r)#K$;{|C&FS-DiI9bocv68
zf+1-+_5Vuje1M@!hR4_mv@TOgp$h)N(<~FZ_8@>FEbcBTE2tTh>s2f)5BYmQ6$sSA
zTGf6Z@PGgO0=@rC%r)c`8-&V2B7!V3va&6%Z0#+v&+lxp+eljW@7d2vyzq$z`nyAw
zr0n~@QA)V(^Fx6uWb8jF-v1WIu(8JRyF(cu*k=Pie8EA6qC$fZd>+eBYCqy8v90`P
zyMG#r1m%E#+EO0Yv%5Ut{dv-2b5p2`K>iMn*^B#LxJoo7)ORBVK!qcUmYN${dXq}$
zdHl=4vitwj^xee(VN(rg9B+MI!S~eyO92L5`VS-)w&!UF9)fOdUmroBz+62wbLaY8
za}yaf)y}-$WAld-5GSpH@yhQGkM^pZ7@Tmg(~2aI*%wBkU_kah_!wR{ay_5G@d^5?
zJWz4cSMyUZ>*qDCXvfb%Lph7Nvu8A{Xk*W#?i!j}`M;-^UzXU^WK&0<N0z0no9V)<
zm!Sw=)?R%dCC5(NODgdUfKeA~J40)$(f8KnjdGqNPgLsXoy<588%38-Lx6QPJeb&S
zgR?+O&g$U)K{3~;^?Mr?);K&z8F&}6W|DlJsy|GAde-@9aLdGWS5sTS_SH8nft{$b
z6)is^=~2_=k?bHpK1pu;p?CsUz+py3;s4!dC<=VuzF%27_YM<gm;bS&`BtL;A7%Ug
zToe#?fv~_fHh5HW9rZ-!Jr}wUfL(Ltcr7|P!G1;KqrZa{`p!0(D$@3XY-r|Soyc+Z
z-{XmG<G~jG&L!mNUj*l1!iC_m?N)QO&?sz|*=$ZPC*X=@J_(#qtBIQZ-d2Kmr_1M2
z9jHpx>z0lOPv}@VIIo^RhbH3(yp!N8WblZY!u_Dmj#_Zb&uZqW<R26mB0(r*$s_Mp
zyCjFg`s(vas<yDRwEICCg?x{@wlNwsy0e_W<Hu?SD+E2!wqII7uc0*?@FnQxosORc
z6tLb8Gz>sfqEpNZc+0hQ`dl21P_hVIJ}g?r_aQB+(4Km_y$tOr0ul0cs?iGkn@Y5X
zLKiAA+&Q0z{#q(_yVxlpv8HyHeLSBr<Ozxt`v+})ULPA1ysAQDIU`4TZI`>cIa2nm
zUe88f!=b$>6{ze#=eb!Y#@pN4YWMJ)_zojL8vm&U{9C#9o)<zYZ~-DkPad=qpw!j7
znFrTi_f}?zhFJ_aOm)>Kv0}6XG2^{qIFvSPeBIj@kVqH1quC$Q4H%U)7&?kluD!R_
z%r6BbgGwnanlSW}{PnE_=>~t#i_v?jxkfAR5SEe39#_rCk2$(+taea9e@Fx6x9i=J
zb~gWC1DphkUec}rC?Hh^k*cO-S1k&USn@D&Z9F}DYzIP!yK<e1Ug&D8sXDL@15cQM
zCe&tG*L>c!(|+=GrJ+b$R3Nba8bYUphljwlYJI*OKdEV!s(6ZhCPQ37R`8lSSgNd1
z17}6kIFIEcCs2T}#D2^5)^;jtx8G-TUpSZrIC%qSkAR5oB95W4AieUXK1vX{c^J%(
zRC|>udi^f0ZUj$1T1=eCA>-r+NY9H^ro5}EDR$YqcjqBJ!_0ljoTACgut6RwzJsjG
z@AFUM3UJ_zMum?+a8pSK4&NC&R=@9|shQ})Ql&KPMO*{Q!UFhgxZ{}4ojid3cHtQ?
zq|l)g02wEeb9YbRf+gj}XMV1Y^Q+#+haSTUE<os15KuA=n0|L{J2Zy{p;=K1){b5?
z5Us^);`;AW#@(kSdAp7RhHdDYQ*>kD`GyzRaCnRn!@I*B>@)4MH1(@!)?_cP|EnZk
z4*(kO`{n;d`=udxnBDoe!_5E@acR=_UW)&{QmEzYDJdx{YALHJDXW<nf|!%(>``EV
zNOq&Jv2g-@09bE}88}3zyPjPA#%R6&Sj%cp$V`|wTyU7Xx{(QrUZP)&w$>7S@MsL0
znT-C4TB!!flPNc{aXL+w&EDHhX`t3!f}ro^<qNLv^{`CNwyUnjm;cQbCsCS|IY<)<
zvG!x(K!_j-=Qd-J?9#7Xk&@x>=!6x8R=<#pkH6!EMCWf^N`5a|;VpG&^?Pdnx=5Q$
z>`b?gwYG>xef|(*Dd=9<DqE4Kz?h)d`?Mb~ce^OP*s=URZLt?(TzORhJ1;V+E`Njm
zF|#vd<`mW>Mu~xk7f=XDMMJFn^jXP^^XBq4PQ$CMs@ji>hxaH_AOqNH_7-R(KXy0A
zQ$S@^#YFUD+^leA%M6;8Ttyj~?QC!tM-$ZA>bwj*VsunA#Lx5c_`1o%n4Nh43J1si
zjWI}(kdxThqlK-Pah=^jvyOJ{n8ucFj)#M#doOfTrDH4F8nVsI!NhFcx_J!^y(-zf
zg06RHr68Ufx&_Zx@xd~9Jv={O<8C@A(6yR&yRBcnuXxXl99-<&+iH&2-+Uq=9k((S
zu64^2PZMA!W?bd>oUgy3tCcZOitzJP8%(BR#kw)TvT~ag)0k-Z{@gu-XIMhHbiZT!
z^F&y2GRTmocD97J^*MU5`W>{x#m~)nHQdm~=teew*>+pMV(tVnup4MtZGLec`Y&>P
zv&q*#l`S_G+65M7tDAvTVJ<DDnrZo*6#7UQ4L%2`H?;~#f?#8FlO0Z#L(D5|TCJSE
zj<!BM>C|fsSDwBtwhEgX#?;FX0L-+NRzrsn0;>@GjLXYB=p96uWJ{^&S$oWT%&_-b
zt!u}Kajvs~<{nH}bi^oRv+w8O;U<-|isf73E(87&@W|6UuJ8GAHVewQ&bh#Q6ny+&
z!}&O3zVjvv^vb|~fnWgxT=(M|ITp0Ebd(iirkb{16=JfvnYrRX_nD=`{mygHVD9Jh
z!UAG6@(Pc~sTt52)<YwHj}s6SW0XcrNV&HG2vimS9kl?3+|R-hJ*Gzwu&^>(xrC}t
zwlqForkl8tNYgX8|J&uj<)RH=E?QeVyv%3uoI=omg)F5F&wH`4wsjP$$JO$9H~1wh
zbP1{b@BMmP)uB$7zk$bQ{N$j*`SJT;&BXQnKq56-w8`b=?`5j-OKIn1)8gi1Qr6=l
zRZkGAGmKV_B%X|3z*$0}C6CHvm;aF(z82Yp@O-oAe6)T4lu(jHnZx_wwo9I6i@B2|
zS}oMPYGvCuyGk`Ca#*}{_lx%uS;#^38|RDI|71}06!-s-WJ&~TbLW@OQ7CD{Pcc3Z
zr$@MNbZeJ(C$nffOuYAoaZtJer%+P|jvLNds8Yp9MS~TVFpeS1aK?%}kYb0#-Yis@
zAVj%x!w?(_Y!p}kU0pV0u)0M{5r_pT6uMgI=L?3ZNV%+;G_P+-9o**`Csf#?12+Th
z_Y3dIB8SY1^e@)y8#!_(43UP)E;2RC?Ms`$Gq~4f$dFMkJy68O)L=chkl>0h6(ynp
zl8F*$!omuW6(YmO5Br-@LK@((UX;z@QgT3Yhk_Ir4zB)T#AHZBXvr?&iP?Fw^%i?G
zi4`s$;9;V}g%t!Luz<Ruqh*hjAo|M9x1be~a3QY52|HnSSPirUD<Z&xQ^2Jy9E$~^
zW)wFgf?B#@Ew_#(TB0;~8?KamWHvGRrrD30JcwDqaD~bQa6x2T;j-v3g-5eS{3JyF
z8@Cb#hEOLJ*6*hSak#b!_gDp;7k(H4RaQSM-tBPkOB-j}1z+iFU=%!)*t`r|Y&kDo
z%HO-ez-thN4IO>XuyvS3lvRjv)rRuyb=LR$C~!9E$D^lXyAOU6W{wW1ryox;V>(<N
zQK)0$x5CTSh+)Jip|~G@@&e`!6;AAKu#1+P_xthb0=*Om*a|r_8{OjOG9%I{1=!o+
zKbD}vyhnbFi-&LLzr4l9!NtXjF0Xvv9uIz<^`uCP4sX&9<r*C%Prrkg*EBOL0}B((
z6mUBrIe^^mCI+|4K*XO8^mOv@(1a8lIz`9XQI~}L2zV(Q4I3?h*oYznX^*_#q}4uF
z*($Z3VWVJ@1L)afXJlGm+`v9PHan=92`-~311T=D#oOvP@ZT!l9Y}mwU`&=!&bz?w
zTjj+YoOPk9O}x7H`m;K_-o73lUY{TK0eZY_qzrZ?AE)MQQbl&~q<9c`!y?7NppsQ|
z`zLsz`>b@-EAC6|R`DMz#DJOmh6n|#1vtaXOcNC!wkrfHX0p~BLvZb_a?bO!urP^F
z(J7cEgKdeg<wCAHp{u>j@v*P0EG@x>#~(08rx&bM-uS|6(c*ESD1dS*z%}%}oVJQ1
zJ3FTp4j48QKet@gRtOl(AHmH#LyO=rt?;pP@}8kiyl6|SusE6gyLin#=m1HbFjeY~
z`=E?ofp*PLrc&au!po0oSbAUBVAjv;S=e3K=FZkvqb&CVAEQw?`Pwi6+=<Mkq)%q}
z0tYik&#wj<0v}4dXnc(mKgG}=h#ks2{*Yo|Q0%;I)y;}5yUN$K!NSAEeQUhBLg{^o
zlnlp@hnI_oZRfjmQfzjr%v=49G^ZM<kjQl2otd3QabCwU+FzKL;Si*<Uaylb|3IH<
zuiMFeB*n0S3r5Jv%*zD6;#5-t4vg!tO(ruh<1s%SD3!10wXnL&gM7fcdf8pzOE&*#
z0pMbzwSBwgnmrsZ{p#5*iNy|$-q*xI8$U0BD58@tw{Ih?gOFSY7IItC$*7!}Vv2Pk
zB*lQ+W&}dEB3cr-RB~95z*y-5NzDV>3%>!f!c#PqH=K|7XF=ilIjlnmNt8M!$c-SO
zD@20?<S}ONPV;RhEZy@zMV>zwiiZwl*r8s*gqQ9wO{^XY%TCANxK+5;1WKh6HN=ct
zOhyo*QCa8x{BJP5ZG9abeKqY8R1seD&<XrlVGN>ZLYMhk9x}K)i(2Yx%DMAWs48mK
z$1b5Z1pPufF1N$}_-a*FRMVvqDtiluv3oEE5dBSD`tN1<mz7mD)l}2CFEN5<z~!`Q
z71f^4(Qq4+v975noShp1;n!R}{+^QNqJ};hVJEm44!8ba*P5H^vZ^Xtq;c-hQbjN6
z`6$pwc72~u!@xK>;)`pS{B>3JJnDW<a<UtL6^_Vp8jGFp$$W3FE2^sKBTl2y+b%7)
z6zcBB17x+oaUcXXK_ZE=N{-LRe&A?TXO)s}9Km5j)=q(2Vn|1p5oI`y8vb5;X>Vtd
z7BMLak29G#Lmq-uEdS>MwRe^DWfc`x6}1)hlW_47@+^Q2I!f5QLf@0PxEq^V>WX^m
zMYAViy6q_B3mdW`k!~p+@5kf9&&$cZks@7RK?6<x@g=VNMLXV4H87YFMt<e;>Y576
zvKkiY@j;s+JD#}FV-!`}-~DhNEoy0N#f%asKi52SY}H%PBZ}m)h4t@e_?U{!-hKn+
zI}N{;6TM6b(64AYvkZDVm9yEHS6YgJ%3`{@n&L2Q%#IHOW>F&1tVEh(vM?kZZ0wih
z;pC)Hr}g{m&;>&*irX*=>84DOyMqZ=$k?2G{MfsbtsfWVq4UQ>Yq&g%iI{gd8Sq1@
zlQA|u6vG+9M9rvfm$T52{_c6OrpOts&-U5NKQ!HC7*$0uM9P7{l2X`P5neodjyR~3
zL(Pt^_Ef}c;kV5(VTCEw@Tny17R(qK+m}Y&mlsp5&N;3VjgVS|4VlR4O<ZrOki6`f
zp`dA*v+4aLQjC}y61Sl`Ua`2N(V@te8kei({qz6mX?s$r(oMg3;Q9V?Mv)wi3~*C-
zdw!IH-QUN^!|SsGc!9t?h%gagI??O&dpwZ7)+(LR<9wWtuCR{}YeGto7d4==dW84@
zSrR<oQDC5+X)Q!xa47-+gmw`K5XJ&$Q5PtBc8bP?I9D)15v7+d+i(4?wJ&`BUXFFs
z<#f9kEun>H82|-t1YrDR7!LODjnCX`?gSu8Z)iymH4%i|!`$;eaQQ%OOB_FVs6^{1
z>t~P!4p1ndTWqmNO*65$yl<B%Nto5+@-IHGvzd373rvAp0b}X^y*_XUH?#4(m{4Ix
zk03f&?35-qY5=`J#F$z@Vr>jWl_^a`avmJgKpi?F3>l-}V)-hVrX)Z^yMw=o(wM7!
zgo}I%2b6T&bid(V*F?|ly$^?n)5m5G9v(0jS@Hlc)9Z=i0RArm@sR>uQw%s7&7Vf7
zIP+78qEVp$neEy*0?h&%xt3Yj^b3`wI1cp2R4i1iRPl1an=1+oM9j;`eN0XX3pmlJ
z9#cAFwO@O8lGxdqE{^U?ZLm02Po_u@f<;Oioll7(-USGlOPB~b=xWa?fvtda$&#BW
zNyzkRj+qzTNp*~}Xi}s)4gx@~7#Y%$McDM!6mrtjsq42pp8UUFwpo=lxEE_hf<_Q0
zprRIP$7a3%Zq@76BL<$phma%M@HQ5e64J{R)@(N#`-N@s@N*i=M@_STKVxlk5|#~`
zE?+*m-Nh$4M@>6<WT;0YU~N9C@4nCY`&)U#p*YW)(G$d>t1hQKBJ+L?)lr_qPy0fw
zP*zz`nupkL<35d|*X)QG?eZ}7B-n2DwiJsLsZw2Yx7$;tktKA2enKb`PAndu9-T>H
zs1irht5!U>dT{V^Q${HOp_rxXrdF*|E_qJ-*8P6i=~)nEi;rJRngm22He<}99S6k_
ztGL-&P^C2TIwcpZ9$Tb}#-nzdmP@y2v9VZ$$hH&)*oXs<Airnze@3lwNnI8c5dyPL
z-aN}-)-L1D-C0mhC{eR`Ldy#N#q$4k>)Wn+*(7r*0|hzR)GkvvpO(UA`?c0{*5qf#
zA)F}TQOYJxobVWMAyXoC#>j`(kwTX!;l&D=+-GNBNkRv!yU4{rB=#y%D#=N1Yty@*
zA>gdr$B24NsqcTR&a<a4LQ>XgfK7^4(CF2Lh?g>>GBKhIBTACC{F@n(380!tckWR`
zZkaZLwxYsrXF+MKROwS0D^Iq>5v<D)Hf=y<A`BHckum{NGVrm9tE%&|({>h&qp2_Y
zc+q{4DY+{gfIJvhTkQIIIme1%+kN47z7D$7|2wUJQ=f+P+x{1lNHV4PIKkFDX~D$p
za}hPx7AJ+8Dv~})N&}ThnlSMWgN5A}F<GuN7NY@9UfcO%+pSf#+Q}p<JU*QrHK>UI
zOTeT{mkzDb65;vSOW%hBAN`8&;pnez>K7LxY)<_+g4k^-#c$7|Sp<_QHY2gfp#T(v
zN2Xt;cz#Nq$e^$><fEFWR*KLpI1Rq%sim!{PABoYgX<)g7Q!G~(uB&XM3;M=as3ld
zFVCqdYTxH%AT66HMMube9tJCz$(E1oY8+%JxloGD-l9g~VbFv=otmXXNGf|Ib%GTO
z)t5bOP9%oVf*9nQP_fWy!v)GEF;D`q#>u3&!og}Oe}-C7;pZ&|F$uJK_9})Tv|$lp
z+KJUFMT;INkEc#EuY7Ka!a%yS&Wy%l0HoV<JP_z>OFFpuTc?fe7^a|IkoHtKjyG6;
z8=j;1V1Ep8@W0?;hS-q~FA#`mnR?x|zpXABn~X|&gr%L8g*uu&#N<d0O~~&|z3B(@
zC&0{=I8$d?Yh`6)L5+gxa<nGEeaV7-W#F&3Id6M~g>^lJdK~z868A1wt@VayrHXVh
zEX}foTb6=~j$-X;pe?1NT{>ehCl|}9mH@$UGvGd|(&K#g35}pru_B!e1vT58e`RBa
zP|>jHZFWENHCO|#c9ziG>M8AQZ0&56$+*74&tTgKAQF%f^C@ho>Zxt+#j{JjFKYh+
zcLk#s)Y_>toa36n)!yFDzN}WAN!(7C*THx#gHX7kl|@BeUB%A2+SbORJ~{c#lUDyk
zE83`}shMI)vk?|=&bh?z<Gz(5NJequIhts<-yeF4!|CS2(jEnqQ}T?`-DY3L0Vc1L
zrvVcZFq={#GRa{l4b95kX0x@aqeWBHy+sH`!s&vgbB&oh-}kY0xAxTpjF&^9k}hDX
zO~tBrbXmg$7jtB~26b=TI*ZNLw$jG7!py784qo<3wwyDNk6@X<16ggy)1y>>f+-F*
zc1DYyEo0wYUK;v|ZkIx>=|psy#*GOwf;;3j`7pJG4W%6aUTC2Nn+>AIW6GeBjPiM^
zn~VF*It%M++iD82?eUf{4+5HfWzlW)JTHq2>l%Z~Ed6_3Pq*hHiS_U7&yy-aM?DE6
za$Gp6u1bNF)+n2#r%~~A;XT}u1;+|yr_;q`1!oW+n*n_&2;F|QuS{T6Hqp~`oee9K
zDvij0#q=`MrS*otp+Q`Fk3uqZ*^u?WDeZOQQq0m9afaXhm(L7t9MzO|-qzO2DwJFu
zYWcRXFj2zWdhr2#V+E&NwA9dZZ1}JZ-Uc~Yf@5nqwYBc6ekX%4jm3Vmv9h668n>lG
zLO067#CQsl+<6(Q&Nf*o0;R3BuCcGAOmpZol=dJPJZ#pmfqc@`^~#$|Yb*Og`%>zX
z-{^1RLpQ?v{`f=+ltm#=9f4V!Q<Z;XSAc9`RlCINTx~vqQs9)$ZWBZ+ZrnIy?Y8(%
zqI;LXNbCO-3)~9jHez|*wTEm*T^-#LN@`k*N;U3d|K>taUt+gj*7llKCgcVH7R{r+
zs*z)zg?YGs^EaK&m2EX;YJ;R)WEZNouCBD3JPd|^Ki6)%KlT>u<Lqf734tiBq4H~P
ze=~Wmv{QCb&Hg3PiK>bvDyb@)oW{=T*6!~@IFWX@(`M>S4X~l0Oye#KKm6_pw%o1v
z_fp8l$|{?7hTg`qDp+0W_;W+qT~PJJ{&i_-;$>L~l)*rn3*L_MKyjVpBY1s#Fffus
zOgH0iXHFhNgD?ceI?utzQN-Mt9J3p~=Vj`xtlO9+3Hr9|)UmBY#5^05=`-m%IcPwO
zc8YSdwKpP7ele7@)%6J*>x!La?KH8MxEQ+8HCURTNr_(ne{)0w%RvKNi-ZG6FoPK#
zGz{%#F?1s?L`RRo(OgPklnLU&y-bI+4XDR_{rpgQPaquI@&W6d`O^Z4jY^8?yV)TP
z7B+PGl7U8q5>^b7X2IcJRCuvS88lj0|B!zLXk6>9aispH&Yk{cII^Naf($I@&VtM$
zyUYjdV~+vd4iQpk)1MU)sE(+x{CfsbGO-%Nfd+5D0mJ}~%+!X9#}}%Fyn6jv=Y5pt
z=VL^cU?LdNW;%Nn0HIW%C)@y19x$e{GOwtzYiAeJIUJQEaq<+xBD{VKNmRwb%9g3L
za{DevpQiVHJlwQ|M;jyb4s@(5aD2<ZqvrWK1V=vyvi3PV^uPg<hx9~<Ccu?n)@tWj
zr(*iu_D1I+VG5r%7tU3W0&mC!?n4k05d+^8iBcd4KpQ4D?B7NP3OH=xk}GgB0a{CP
zx^O1)CqaoJ!XsbmRN~v2O38ZW$}ueHGO>bYSjGT?qsD`L7k(&Rfi2h%eo!MhG@E(8
zKTX)bfh`Z@2G|c`upnaW0+q3>2hKr^R3XzIF*ImOf*DJ4!OHkfI#dXn3&OC1ln?p*
zuC7ljCG-E&OeYm9t7%9NwoDm57RYEk9ne&;U^#&l6HMU9faF1q7w~uP)BymqLWcAL
zrtlEUnnk`(&?#*8_87f+C9QzrLnlG+O^pd9$f1iLp2N8d2T~w0A`+0`MZ>i{$KZ_h
ze=wR1osZYcc1@&&$x9H{_FR)A5d!2(U=~p!xDORr5FH)D1N3wE7PbV_9s$)9yAv4>
zREU}~XHGk1hT8`U40M3`ch6sLb2ZQ9iU0RI?WiwBaUj&vsX}x89BM%W7cV(pvp5;B
z56@}>=n9BU^AN!=V^9>BEb|WB$Krs6k&+q&hz|$un`gjN@Ac)+rQvxRkDr$rQ~^yr
z=O)2Ih##i}@gOmQ8^O@&1GfT(TR74aD1ZWoIsucJkZp(&KmoQx=MMw4q}ag&h>U2P
zMvnk5&ma~?)?C<Dk#4w=l&Qmp3d<X?g$*H`j!<Ef8PF>R5m-BX>X4a|suW8G>ra3n
zD3ks|*MO&N>4RskN*i#B1pD<(V8=mzWU0x2@AZFz?J`6SK9Q|0mk|L(9SK&Qq&gVZ
z36%F-)JR{%dv+m%8Ds#4J~A<e2@xGZuF+|Cb)n7&o|A_*)Ekt^MyV?TMr3r?C(<md
z_Dqzv09@IrWwh00HXC|V*lnEL)wy`NOCQHku$h`ljB6(m(1jQ3@I<_Z57RZOMXG@2
zS`m>>H*;XhBdRoW3W-`OI|Y*Zt<31!Sp+a_av2@vRC+^!z(Q}f7S>LC-0$HdOGD`T
z^lJ~2?+it5<YdgmJhhDxMyMO&K&x)k<C+sNlRPjcz(l{b|Lkwy3UM{wfZpWJ)a&Tu
zdLsFu5jycFB~=8KMFlN!SJ~Z6hnl6OCWiWb9doD=thORaQ{(>jr7C3!`c=CWp1{7g
zqI?BJa(P9S%97&!NlI5!YmAZ4+mo_$ABja2^`UmnsFHg9oSJXF4)NF<)dxr>$|S34
zC=yc@U`9T-$=seluNQ0tBc@A}ZBIFKx^}DxUvdeNbb<c$>!~6Tdx4^lsAYAQORYT*
zOm{}==b;h1X^G*B!_<h6-tBnmQA^C>QhC6?UWw(o*M%uGddMT+5Qki#^x<k6cJtYO
zHL;Aj*9l;==r6S3{r@lNsDU5&l6ruTtwr&NQf>Rym%F-TK_Y3&KvcFkAD_zz7C8N#
zyA@Rvl28Wpy?RSY<_!HEdfN%Sr<oIX{$^J@B{@DQ2)`3==eCRUWM<U(!$I$m0xZs|
z@Ys*Nvk!~I034kfYu~p?CvfXs5@Gy#b-aGI6G(nwmnt_R8QPi+e^Xlo933IzG6(D9
zeAdQ^(yh-iaJSS14sqyC`6}5j9q5DI@?{n;O=>hyJ^0Zt--Ukv=m_HQAN-~uzFATZ
z%DclAM}T)mUVh#XnY7KGDtRvAjmu#)T426~APQuKZq|P4Z7ItI;-0)206!BP?~m^K
zt|!g51_X!yzsxHT#DUa3G5{()(*In!1VR8z2U8~r30%1r^A1ExjNIupcshR4(~1AT
zWi@bsI*@)&8%L!7qd#}h0b??J_4|PDGyF9kVfLIkfcTj}2#)whM8`LN-b0B4h!aE)
zxE)vqt#PAizBJHr1cT8zyVTyTc-0{HKMf6VzZvlLbd5E>@HJplbdSJ={%H$G_rDJl
z0Wc-ws!9i6DN=*<Ilf^=M-#tD!m2n_hJY}>bvwYmD|#dN-*yuQEHxRd1GkyH`2k96
zJPFenzp0oy>Q0jtcfw;F6w26b_1SBO=77|l?87#W`+9eVZC+gbdhdHji7{hGHT1n|
z>4^3F^By^B$MgTS5Z~L<4pOwFN{o_g+r+i<UA);db$B<2KH>n1BoU1S=|$rXCHu<v
z86Y@I5~M|Wx<tU6wr}_@j=&#<h7l4>BMMvwhAi7Wh^*(l30cr&sgR8lO_c`QWshQi
z2wr})MBgwg@uy%jG9L!(GGlkce?Zj9ybF|=*%uT{Mvh+Kff@%MIAppL`suSxKXcuL
zHBq=!!YC0JzuRP<D-+)J%zhn|!j&dRlS?LqlF-LvG-T~05c+J2fN(P^)@cn9AuBsp
zuO7h)YYFTGJjX=f>dlIa0Z9LmC`}O@7%$zlaDOk3Zt%lX0gd4#lh2_x6aE%28@huU
z$3LzSt6wtWg?v7ZB-Dh(9i@*At7Q{MfG+De50(s1+J9}gbGw|!<K5;-8X8h9D$2MG
z5hht65P;LsL|#eZqOw(H2FA~*O9y5UY#~MUB!56bGNtYL+XbYeJIzIJL@&ZMVkCQ2
zBcCq#Bvb(i(hR0&5lt^UB-sV;hA$b@>J?x*E8x*bjAT7>(5lfx75!mU9L66()Ce4G
zQw&mIS~FGd+%N67I{W=i9zr^&fGDEj31)}BRk`=PHpgm36q(|7zW%1C-&Bgi9z?!E
z!Po+MKRJWHwO2?EhSKwWKduGcfitoSCUsxl)c3bmhGaP8dEE6*m;Ix<0jqIR`IxT9
z-%%g{INlrRl;`Vdbg-9cB!@!Pd(Q_0Y{^Q1uDY^jHHyePYoFh{&bv>JAn7WpZ6!+=
zmK3P4ND<&>a%t8+mmaX0OR?m(ipCrv0V#jYe2yd0&ZQQr%p0!b?roPXd^z{j$e!rg
zN!R!7RTP}Au_#~)H?RBA_wPxP*mt)DGESgqFKJbrEpwcbnx0|j|Jg0w6qN*~Bso=I
z!`*1+jh7BF^|L#e>Mr*tgg7XUdEkfj@}T4ZqG%zrAzVH|1!Vj?sTfE~(eC`I*Rwqx
z`9_z+`z@P?k=hsT2MQd9&VK#<4AnB5aJ|kRJ{QONZ_9<Ff6(9qxHdj_xWlthDVVyH
z-v-ac$89264KEVSqz&#k-Y>}-zk=oCFMKE!0u8<4EUmMu9|_sbd2FuwT-L*k7M!WB
zE~T6|5bp4U0+lE$H-Gm4li{hv4yClQtVm%Z$|U2yaKW@Ol+=Xg#Fe=CoX#&(tX11q
zPQwB+b7l5lm*`*9o|-?|?iq24|K1lNqv;*_#SJ|o=ccwdGzUqOpr@`Xn$Lefs_`ad
z^A#Bt$Z$;`p1$7HrZgMw+^@X$dEHiF4&@$nKid%qzEOb=_hKAZz=wf0QQwU!L&T4#
zp{-6&7<+Rk43?E5DQGU?mxB$rsg~8!6=d#y9_~vCg#k!=0#MoGTCA?~Cs4vXuj?rw
zHRqVD*tZJJfZ>A?sh@~(9tZFca%LNa6c{PaH@C<N-bW;-zfVH)R||~d;9_Vxf*1yg
z(tk$n4Z|2~WK2AX0eqpNp>i<G{|&%QcgFk-%5fLN6?7Ft4f_Dn7l0ddcTE|!sW7@g
z^FeHzwR^gaq0O&L#RB_2)j?E^ENLs)aWV0;`gjkKs9GVdH3|mfw-4|-AETVI7(%?^
zc$|i&0fEJi9X}dS)lVB^#(K#It#4?kW|UJ<O{6<vz<_Ns@mj)_3P6@cKW$xIRZX!t
z;Sry?j(SwtVq>cq!BOI6<>tDH-V#GNcnF-Uq^T!8um3*$*w?x3_igPiGuy?C5PHA+
z(kF;aQ0^^h%#;T~Qrs}h?&ZFj@BtJjP*Qtbgz~y9xAOP+f4Ai>?Cep&&c|Z?P{<Pb
z9YXL}f*9l$EV$!*u0o&MR8OPB71>C|bHE0<I(zm`)M0Hl&|K{RQIm$^xM7mjJQ$_!
zaPhNs9_Z>=uh9rsZ^4|i_<il9M62YH=Vaq$w|=InQK&4&oT97&x8xL(0*j{4*GWbA
zhSbz<Ooj3ykE5X=kz`HP5d2fMA=P?ND-*Z|w8@mF7mEl7IDk8Tp3TeKWT=;s!NS6I
z7f32uJw}mpB>`pqVoRBQ)$53Qyg)!E(VA`pwzsVh?h&*><E}3#sw5ddU(o(ONvf)<
z0tyvVE(q%3fRTvfWWItLhLS#mz_!B1Hn>D`j#vy}pR?QVDU=}$F_C~~J}v`bg01&1
zl|+%%tfk_5n7_m2bH72Gkz)@t_ZbAw0}S@eOI_|NWD1Xclq~HD+fFVcc?HeTl9V}|
z`vI4(?0WP6^IQ+<E~%`|xxii1Y^16CFLd5-K=9Nd!9?LWe@)x>b=IcMn=n|KIQqTx
z-MqL&`^}t$@qPuDB2W&3s-pHBv~m;A5g;HDP*U~R^)(hMP0NN)EFHy#QPnD8xzTzU
zTM!VBrp$!Fpv$U?ih_b>;nb}g!Hq!bNa9T;>tyJcAcCXS^pVt7RkjxP6lfHejP$tu
zafK^K1R%yHjBLe%)=)aPlr;6!bTlxiAGmA&D5i);)6#D2=xJ*eASo5Oi8qz`8Vg5e
z{bT18nq&#pRN7ro(^aZiO+m39ZOMQ&<3$P_QMa|MrKX$-bur;Im91SRg~FS>br@5!
z7z;kkl2M}0+Rmbmii(0l&0!I)QF)Lsi%uR&RZper5o<51D{HD?2+wWd+L^Eu7ts#X
zAi*JRtfHD)ZfpD>Jz|siJE$K(i(Kq=wfBR%!>umY_w^EbyZr-gDCVi_+{wVi!@$U~
zvTqKPYNcw7&i`{DQqLOZrquu?#+#;?+gwm)@%dbyub)S7ik1$IjNbq8{X`9%$AQyY
zV1i>!M?xRM5;<2{QE?(BBUjbbr7%bu8Vmgj;&>|OL`%ld1%!8elg-;+PFt0P)#Y7e
zPge~>u1w-;Y3$AUHMNLbe4DU-NdUnrTRN0E2njzI`92tWHLePnQe;u9K%9!81?dJ`
zSa#VdE6XY5#&yEdt&k`8-Vd&!HIPG)Vy%^JJq^_=3YrBJ+tr|uO<ve7GY4TpuY}UV
zwqDayilDS>rcQz=-DoOXO7*q#&qb)Ix3;aLqCtZY#tWy9f-SY)o%9%yNPkm{COaF8
zQ8{H>yV@{`KFOKaj@;x8L{_z=c5h8bvtl(3rILcLn>Ij=RAY|n3Ja?`3i?qLFgUi3
z;?}}?;<#i+PT$VbSll-<M>rx$w08F8RP<vdVH8WkY%NJ7s)E9DV+UY$9S!}2EZ59J
zNo-Sgq_|Kaf{@-$K_PtnRxxNXE@-jM)SlD%@LwjLe^Q22!lM;?e_Q7Uhr{76v3dP&
z53gP9i8|YGn6Hz8kBLo%_YA?hiinu}cl<ovTwyAPtbApIy@!XGk{%xBwbxs9wO(A6
z+B81L+lzR4Jw~v}hJ^XdD>c2yjL<T&sJ2?RyyMJhh-xSmX1Yn9J_N6VdH|oCNbV1B
z?=G-$%{Le7ppUhYBBWgDJ11&4n`M}MZjYfu_>P;q*4AQ@J!WQu2t&<1wD<udqK6JC
z2HI7MrJ2n{PDL%v>B9!g`bNLMkJHR`RN>FHun0pn2y~IJF>}Fm(Tov{q4iamEG#J}
zlV+e$=~S{cv@{gxMW!dP&7Wn?&bgjXUnPM!4U*Kz5RRyyaN~?gPP|hJce}kc)g1DJ
zvRN*#P>E`r?T(7NV$LutcA2?tq3bMIM0~dLhEi7jibac4q6Cd<HT0Dg%AjWOCjRMZ
z%I(gMf@aYnX(Z>UE4J0Dl&YgC-aG>@R?)fbZd0KI9ZIyQQe;a_Q4D&MOy({~<Lk#9
z?5ZhMrG#Eiy%NPKX({SaiRsRPn47-b+}`=yoh20#RESfhNaa+0Z7o9i4skJAmWryf
zW|1njQ)yBTj;E(3CwWai12`I>jIu^hR@5U(9SDCJ3qNW+ah2fjVC~E8Vs$uuTsc8C
zYv>8fT=>7HOQcj|vk4?31`wx>W=~jR<kyX*IYg1LIi&Sf^sjPP5!q?zY!O|2yk5)4
zM2ZL}@v^26AG+*GoriIPG9yO@%0&)T)q<ZOhpCj#&QnxXrX*jXJD{gcU@#IcTtXyD
z8a-7}($Uru5MppFQA63*5&zS%68y^)0!h^^B2s5FhYd7;5$_%4MR*U=JSUKWf0Cgh
zJ3ez%m1Y6kVl0VL-L+wj50#qUJsn+jopogzLXI6fg9a3Eo_4py>ysi><rRkqeX~}4
z!So@U9VJB~)C3)2;AcUWMMX6i3wg0pe8^|VOHD~pO0eX&7+6dp5+G#~n@VZsd3euJ
zSN@&#vV=$wm?IyYxx5~Kw)$M7Nmg1>rp(8|lrLlXH&zM5BJ$EQv;TGst#-?FzqYAO
zEH;rOM;@mhjogM<jbBP8dOpw6)-IQjVi_)u?RJ)R2$BZ_Ov7Ik6<7CQS3RXNwbIH}
z&(A7ZPpvYS87yG|00Vms$NO|)Ly-~{pg^TiT2HrJ2Fl#Q7CXtyte_sHuAJ8ug9d+R
z)mQslN-Zw8MzNjkQaF+bx3)G3U*Y}VUugZaU@mfi+>&`^YHMocFu+~&KvE~Gt7?k8
z%fHTgr%MDk`~xh@8l#NZJ0`N!;Z$RNe7{#B2qlFwk0VXG1O|?4vT`+0gm7F*%pmJ#
z!lR^9JDZA<ri27#*sX!+gTXJLHPWPkLe(_%$|Y!NC<hxFoSdiG(iFVy<1&O3mh&c#
zsi&$@+5Q>x|HrLU;$O<zy<@7u2rPuS(I;u^Y3B>J;C$M$D{wHg#-AhM?2ZzUeaux*
zqXfrvk*E*yv9l0S)TNS(>iIalekW%(nyn?hlf0E#?`7NW{C(A_d>m}NMcRxRHT3``
z6@BFq7`=W^arDzxsz`nO-inQnGwRioWOMKLkJGun`nbJD1&WiGdDA6JH913X&pPk2
zyJGpcoIby=+ZK6cUHx3~T&!Hz4p{cPET<MwQqZQ1X@~0x^YbyB5tAL0Rxh49%wSfW
z*i9O<<k?Zxl!{C}j5No1(;*C+8k)$NSD){ThbMQj<)o!GroE9|O8CH?jgO%|sIw1b
zaegkh3o-fmn-2?FRmUm5Wq!Ld>8HzTm9f3%|5WVBXrN_TQ<2^@#?`WEt3iPxBj{=e
z(zk-A7ZrX0FhHD6Z=sNN-Zi!kgprJ%hNqEAV3Az5bsm1UyI6p<ihkM4zi{%Jh|_>M
zn1p%A#4!}L)s!ib&RPPok`7C^xqlEriy&|UrKH(^uj}A!?5pkVECu~*V{v6!C5`q=
znTA^=*UrNFzP_(VH-iY$t9v>}c-UGIJ8v;e(Krs-7&}v{QVbo_2_{ubQ#mKOeU$tg
zZb~Yq0E9q$zlxTLF$`<`M&qdm<w_@ci&BDd1h&I<{l6c5abq<q_BOUw^|Y^-Ugy3d
z8DoYk9JXP5+rViIifQ_N)y<-V#U;di-TX~-FK}^afno>`nsYe3d?zJos+2y;!TPxU
zMlt}#sHPC`o#=A-oQ$`|K|bB$U;SL3yD&4~E>UDEY^dj-J$9CQl#_06%fsXHF7VyO
zn2)=@bOaC5Pub8TaP|E1x+tvAK98dh%kE^ni7iDf52w4fDCa9LgP6^$Ryz04(9zf|
zLdAAtw{KTtVb6wsvXx}wVt73sXUoj$vxZhXrTx3iC}>sDq!(A@{U6uQr+UUPb7+}>
z+Y>R$+bf<H&Z-L>Ue+#qMy**hhdEJET{>eY?=k4yZXt?O>UGs1<;f&#Wx3qZOVIl|
zeaB#MK!mc#P*_)1lWT|4$gefn0$iXuV^c|wA;vx<|Hy}P0HhksALnYk9|X{Vqy$*d
z%{*;Q;{?`Lv`Ebpb<mDu_A)0q<P%kXUi5pqnrjV(nc28oS!}izh+t&kFnSi08x-TY
z%;NC5oo~J331_VLcLWyXck&NfVK^uj1W1%iWTw*$8cZTtX-Rh)10AIq;M~j#b+nbq
za_;)M^Bc2{(c=b;iS8X{U1b9s4wNu-Qkm9W+OK-+yT@`<ii9-RXnz>{WAVhFwJ>xo
zv+c|XVZet^0>-h)k`=!p+C-9vf!Q<+HE-r-Z?@Un?JFi>wQLc|)J2HA&(UpMy143f
zB;&<0AH`%7WpFaGpA5lA-ue%;A>VGS-O+|93LEE{oNne|Ldz2%1^B_^)g2DWGstg!
zJfCCc<l(f*y6Se>z$G|IZTo$mM$fs}ZEh^?Y-*Dil1!*@xBZK!ke3%dGh!r66!3fW
z^n>KghiH)`3lqA@?p)$A2oX?h+LLcP<@tZ#pRAD+K%ix{C-1LMbRd$b$dUB=`9;ea
z6*vICz0ME;1|h(R6HT(_kCm1)Ekq<zPaHc*glJG8>NWcX{ZFm0_Wc~)3Gr<v9CCz=
zNn!iHeh#y}j$VVkwONQ30u0;#Ex!F6?#BP#{K)_EKE3UY_x~I;=YcvzgAs+=mwY*?
z$J2=wA|)qgUP$UIWu%YKf~61i!Q;3WwDJ>m+;ap@23``0b2GpO=Md{Zg2UH}(_s6<
zh!aEuoG7rz@4v_M(@4Mc_r5Lm`#-KWAXo5gGzc<@8#%r|;&f(+LVfnIWzRxZ&HIud
z3N?V-Jf+X=7Fn?O{cMGe?Cj3-^Yfkx0pcH|%~y51^rdTdeblCB4=4BL<MMGIN75sC
zEISg_7FkM*6WZJPc+8;^)w|MZ*RL;KaAd0PxAlsOX5(OL-is~7rHdd^K7OQ7sAlvV
zJAbvsz2at9cQW=9=b<fSlC-RXjv}eSuAdg~=U_67Bu^&ZKC!##0r@1!Kxxb}tFb4F
z#l8mznk0!8B2doYlqSi=JUB@k;D!LTyQV1m(6J{{6)oY>$P5ssov5=^bQB8%gTXtA
z1ea1`#ex$vlI6oAi;%&A%y7%31qe!i_6~ZRm6OOO`QINDnvsImbWs9{ioD@{d`~oL
z$8F_yyRB7AHlz|JCgJUp<NG~szoD6zzwv+E{C(cfR6vh@%8kYbv&ZXVh0L%oI6YlQ
zERL&HhEk_<pJ)T;dBw9aDHO?rMT2{jXfOzhFm%1Y;lA7~Rz>l@$PnCbNHGxEi2j)O
zdAtQrHxDiho#XqztJYs^e~lF}lxDC4Y|Reg6a5q`LJCu3+=m!FB>Y^T-~Igjz0Ldo
z?f;(s{jSH$>D={ha$gW8B@s67$<<j<7IV4yE*CbzqRO<p;{EG=+lMAf2f?sZQS0MM
zhx&^XtHjX^loFE?H4=c9BNM<6wF>#}0}$~QUJVMifQlr!-04$HWcfYR|2w_=%lH2*
z=g-T0BMHcl{5Dstn5an$MuD5j3dbQT$UzyzhHyIlz~bb_j2;}Ggb>+3q;M{wVQScI
zXg{$0e**6e5c5zlGH;>qSolDGCWg$zDoG+I?F&6~uA<uZZFLIN`_Y)Ps(E{3iPvyf
zXN?n()Ig^r(I<c?M5A0dx-Ha5IJ8&{R+QLiZ~we*`1tYjx{zqc&PE9tMnftVa?j4r
z&&=sp{2AO~v=B%&<&70;8abJW#lV?9N1@`<VxWd+D+=ab8l$ADzOFbI0`D!=9`gi^
zBhOAuW(jd5rO3xK9k-k3eQ8B)jf@nEQe?`?;vC=XxFPs3yYj<;!SCY;tV95&>afo-
zvqq}*3qEWXPsU?xv2sJl*1!3yUw3MmQ+=2J^$#DM?wvMy);9xVC8v`_W^w!OcMdi9
z1}^`{`&~Yfy0)r-3%Vz)Ekt(t=6%0>vDV&u{&yc<2uroKl^Ql8v!c14Oh_802Kx+=
zj@<{JYbzqduzldBG5c0JIy2TkWFzk0e{frani!1{V99d3qr~)N_nCkA$AA9&fB5fz
z|KEQ5;i;=vZrs&*Lr8mvA&*9X)aCFauNMdeMy4T^8wDN4;(%e)TI3jq{(mABi~2pj
zcska9{^<Yv4^ZI0{QW=t$LAMrUcE7B1hWzHmy4%hAS179v@AjS*_wmOO5@bl*K;Cs
zHwNZYndma0e+RsGC+1k{hW#DIRQPHn!dI8=*xX8Uj||TR(d-1Sd)VPpIvz_#BXkzO
zu&^jk%qGOZ_bfF#Iy^Nta`}8$_iUnV+lE3RH5p5$;z9lV%Be}Oo1M4%VLBpkWSXX$
z5<U}RlR`ZcLV3Q7lZ=E{Y{-d3b#ZMo>I>r1^n`*pW9`Z~l%pjRUI%kDkq~su8GVA9
z1{EtFBd|o3wFN}u^tAg2i&BRV>SrB+$EQOqwixZMAIbt=4bNIS1P~6H;;q}aHWkW*
zLJ2$Ju+h{nY;RKv*g}!evoJ7fNEOys)f5*N6&Kf5S2otwZECGAkfg@@roHJTTUOd$
zDxT~;-)(2LH&#UFhprCKMAPf~1EmuLMrBLqa~n#9Otwg&C@d(fsi|yfsxQl<_gy%9
zdoED1Y483`H7coqClG0iO6uxsON5DOqaEf0VP1ho#FMEtH8oYub=3tj4u!>6Nmw2N
zd;8`#wUjRx2?8z?tE6LZbD@CC=Q9Wf<E+6Q)s!~0R)LR3NkdIlT}{=-4I4`NiP;cs
z&z21e5idu~b2`k@>a9ELRD7<GM~&%CrZ61o5O6xgGd-+eR7A~YyFgvlUR$OqD5$Ne
z-q2Xf_D&o*b;XpH?b^3%OMPjMh$oWf6qS|N*H%>(sRfiUm}(kYHWcOXM6z5NkEEX*
zcO=AhEtTc@Y5^&zw|aoT2WH=u7w8JGFqF0Jd9|}vqt(__RW{UD*OzL-bG;|QFpRlc
zLi7=ywEV4KfGvkQH8AQ*Vuq7sTB@!+aA0doMTtr#5Qrp&CFM0GIbQvoCqW1Yf^<=C
zV?$kuR@>ZIU%>UBIdxSZOyH-D&$L`Vg_XycpKC7^5P(Rn@7Qy2M|-uB-FNNm$%{Ao
zboL}16k=Xl_h|^IgG5z%`x`H`2uZ0>45+A;9UI$QilzFoK8uf{soC_#^Nn0WA{?g{
zR8)0zv^Q%7(<67|vc^~TwC3|^W4A9JyRB1KZD_637HA3!#A%(;1|Dhmeh_&0ImIn6
z?r2c4iFdA_>l!u{RJXTQ<QHg))VxUl@Eld5uCK2u)#O)HRn}EkwYRl2l}laYlMbqU
z-}C!gN^=Dqu2i8audZsU(8S$(v!7JHVcV|yd_G^8!;a5-iQ9JUs!(wGA{oi2>z{B6
zHAVH+<;7ZURdrQ;b#=#v=Gr2@VPMR|%RjJp=Z1!=$^!6^;mH;1%9@%ADG6#Gji>l|
z)h}!<o4tPi>YNA6IT&tW6Hhv=7J@*tv9Y?aKvP*+(caROM{=Azb#~N4Ywp~!Z)2@m
z#^(#9+Tzms+UlCp0y&p#wc8Zc8|$@VsFE^=XVZ<&IB7L)HRbAjIhSBITB8uz@t)}k
zw0L>N#<zBF1W&+<iV6sR(^Ol|bd4XsHt30>=?R5Uqvjs^`D;6?<))G0g&?9dfY!_4
zYF~I|S9^7NfkMI;2-Vu+hMK~ZRc{F;60tBug{*CEtkC4w)Hl>ANjENB9kM_erN_4D
zJ%u9zuhRFAz_(X|zeQa!CAhkRAL<#H2t*<N7!mBU-~>Pnd0fGG&}A})7#bPdX>))H
z*kaVpo6L8Hb!nzZ!l5D?YdSV@`_kdFy>5t3m_)%3$<)N;(A_C(jKfXOj!n*(f#|<J
zjSJj;<O)>|D`hcGUA#HNmO*S6QaWfoee%?eDJN*oGF4$7p9JC3U4ba3-4kP8>!i_{
zBE;ur=7Lmy4kX$jk*pIvxAbB3`B+fz3d=<tuge*Z$IT1+I6GHHkD0-xIO5YA7MxD|
zz~C%dDizSkh-^V3IVWzsf4V2c$}P=dL4@^aJZ3Z+i2|jN6tX&l(XeaQ03NQ8ogkj3
z^FX1&qeFZP8G9OD!A?s8qeH`{I70zp;)!X)$hA+8-?T>3L@K91o5v-`ZFUE^eqzE(
zjD`KcHU~Esfq)wT0}+^g{Ej(;#U2R2X)uFH^4m;vR!?$0M>nvZm~~TzFgZtp3|??X
zGIRIp(XPAR6(b={OwnizmvL$c{ERYwG-(2xFDuBGkmE6z%i#{eQ7N2ThV(P&oP(5(
z&FdyYRH=kdP5CWdXV3Q;19-gZr$MxS5_Le70g9%$f^53|-q+{H=4`$=;Q{GlmJc`5
zC?gV&4(VOo5fosU5c0cC3nraj?}?DXZ<I}mS*&if^1v;hXJKJsdS0JkDT;ELE}L~`
zUcX>-Q`v$<$PeuIgwH-{utU7ub#hODfm5u|NT_zJMK^DN*ba0yFADqxpeA`OV{^vI
z@e!SuqL%Ssq``3VSf;-E;>4gMMCS?%)Jk&9W3qa{ii?HrjG6Rv)&N18rxKIHR!=Ay
za!*=<DrHW@ZTCbHKHHqmWE~wHwZvF?VivZPq%69@!(X1$`D0X$xJZ@5pb(=Wuf+)l
zV?+*!`=REx7?Hhs&)(A1{E<ujKJdU<ZUz((ogE*Ya>nISA^5d<jYFS6X)drJF~B<=
zR9+XXPiRg+l)pqQ;;>og%yv3YoDMo+rB1@yH)pi@z0owA%>p)-bJhrR+dA75sEyY&
zH(?G-Arc3Ig5;R*Km66Tg-9y1P@~WnggBMKi8$s5z{3XO!eP-cD0E>_v4WmX`P>e>
z4;&}p>9~1z)*4De{vIp%3r3i7351XI-@bbO{HPUp7e9%ifj9CAAn<LHWqj*uV97FG
zf2*E9p*LCPCa>Qa_oqOgMCU%4Eh=WC${v(toZ>Nt#A2eF%tIMw6PCgT3M4`%E(qw4
zr5;$^?5<xybhLyKFAyUO9Ud(fhmA%!1%hL!Rc{i3&70X=B8o%yCh}uK7b*s(x5dQK
zkOCH-%5tnwC6PfIJI-2p?gLLD>hNM4(Q_#Fccy6cU&IuJ-`vtrqLOM=s`+c5eQ?8w
zD<9ul-hSv85!ELn+o*H1EW;JDv|8GbI4xx~MG}N04MJyQG(z;B_iqkLwVh2(2M+<Y
zeRX0DjClc6pQSorGK~$N)n%?oO}F^z?2yAlaQ@K3^i%sjob1Et_tI?th|NcQx;0Xb
z_`oQU!u@W6e@12?pvOo=^xbUcMM%_mU)5@H_+SeX3KPFbX+?u9L%&#=dW{HHY-~Wo
z(f%6R8&*B!UACCF87mUjqiiiudDxn>vOwfWgBis$iQLwp1LGLz9qhv2{A`E&Zr70;
zIygkS$9}$Y(jbvg)6woY8;}1UxS>+8z%3zz&1Q>J8MN&|nJTb={7apZ$$z=Jd<=7x
zoMY+twM%Da4qdSmT3WABTk&*pk2pN=$JRsOdsTvAENJRGcUCDNY?OO;@bs0to)n(v
zWkt7ub(<pEx??j$2~Wgh(|s4uk2=s4i(fbbI085VI0D}z0!S-eyGvaDJkq@$A-CN3
zSl@f~Rx*=LNyMVyXn;pe_#rz2|Mt_3!1t;IFWR55jVrQO;r69_r31Ft$TI@%d@<v}
z(=9)E?QjHe1aJg?YzU;1#Jtj~x&j$7duF(*fnYUtFHCd~8sbm&1ig3)g{#0nHu1#U
z^QT1M`?fNovmYu2{XNyw$Db17$1Dp-7+HvLgdP(*{Baxs9044G?~VXs-g1Sq0<ES9
z($3xUSEN<vVHEuD{-q~bLM9&$Zbo^M7~^F>`v`pBmf&X}F}wvh0yqLV0yqLcas-e!
z%Kg<`P%fW2q8b)=8CQ#c<Z_EQ?{N|MzAeFzTR;4H9042w9042w9D(l{0q{Kom#h2z
zJ#!i`IK45rd@hrUCuRDc1quJ$Q;xv@4=<GU8;=3w761SM07*qoM6N<$f>28X1QY-Q
z00;nVVD?l_a#bkM5&!^N6951e01*IiaC9$iWn^h#FKKOIXJs-oE^uyVRa6ZC2MUtf
zVhWPlVhWPlV#S#EGaOLY$5)Fkh~7&=g0&HBqDLnY(XFiLy+kJ>Ru^{lPFO_mvU-c&
zqIXt}671@|1dnH)f8m{Z&kyH(=QDTioO|b<IrrXh4RvL55+)J=06?y)qM!u;;3VH`
zX(HTvZ)4KlcOP)vw3Oul<-;u70Kg*}RRvj{&qli$emdIv$Ts$TP)WFGpuuBh)rY?2
z@4i?Fcc%SiX{Xp03ldmmfd`py3w{EMcT6V%b4WcBa?0>ZdUW%H3K@Y8<ic9dtVwiI
z+{pNxd4f6}lB5V0mF79(+rmwrhW9;MygoW6pgxkrjXS(nza4G9Uh|Pz-oIYjzgZf1
z8$4y#y@HGT8bA~b3?MM&7bBv;_XkjB5&6^ONdRzPb2JnC(~~;g1f1Ltxo6D(A55X`
zx*N&L4e9zLDG}rg=k^8c?|g?|Q6h$bPFv(efB=n0{t$slg-sWqGYA=1$ecD6B~q$(
zqMGdItadv^1}+W<<qO=EZn;ouru((76j7Qq{t#JgTAq=)*c$87j-?jQzzNtyns=9n
z{RKfW#n=z~{$T6234L1eO;!FkD?5SUDJJ<s+<c>*kvlj0(_)CAwI<Ou%<4O42NTN^
zX6<u9hYf-npZnhJ>%TuW8wmq%B99+~=;+cnky?Gg%xyTeqUlP9oVuSLv%=L8twa!5
zUWM(IaDW*36P~F8Q0F9qVEIus;J<sHLVlmBRS;h_F}{D>0u=xR_A1Th<pAJY1+^Ks
z(hGwVX~C&hK_9o~S%lBGPsB6YZ4Pbb$Cu~PlUiN|IaAQyf)jDr`<bPpI?4H_UbL_T
zU$q*o+4lY?CCOHey5*nZm{)z=7uC`2O5a7!-3zh5Y;5b%_AKV;Ze!VoL!Ya&W$lEt
zCNg&{ioqf5YKSdA?5Qofup^_fq2NTMIYlqgGe0@sO1qP>CicuPA7-ub5wfl+^m<~u
ztZzXmnq?ta*Qe-Tfsgb;i?XKI#10Fo?M@-O1?r+;P$HQlAo$9872ZDaMGbSj@ofM*
zbz|Y*d9E#KmX&xDc~?O9j34Mmc$$qBflLK^K0TRM$x*8D@w!y)I&Q`|o4TmRvmI71
z*gnhdn~;IOtt(AYG(JbHc9`>RT%zIe@ZD=WiTw~cFyhx`VDS}+;~t|6Y%R}QTRt|j
z^0;%sIHw2qXkV~|d9M^Wcz1B{3_ji;O|c{3gsqzEsL$T*GGfk~_=qQnWf;>;xXpp{
z8Gfk6c7EAyp@goTjLL6z^QgRSEw8GA`t*uO`x<hns<bX_AYTzSO(l!IeDKjV?UP~W
zy8UJL^Q7&0%8i)}-P|ErWwmdpuQ#>hUU6oS>Z5ZXKj@;>V=W3jJ&~K4?3Ri@Wd$Wn
zd-ZC;J55F<I~;jVR(V7&`HRo_tb2Tx%oZghWstQeSyx-4a}AAE?>zD@>u8bjk8(c!
zZ5$0N|D#<KI}7<jak!8P>J$foJ;}@#UR}25T+>=AP8L|qhuV;FYk|u)$lWLP?GL-W
zD5hrg3@^M%Tnh58;KRZi$abPWPfOiprUv)d9=StoWFMgKiyq{<_AeG2+cwMGZ9gGG
zt;K^<WeWmy8kV6q*rZ>{FK9N0!Ba?`^`2<sin6_GpbZ@r^t|;ucl+GlnaZNBLU?>i
zT`Qd?Uq9utt)%x)ug?_pgxLpXkMf6)EuHo>{uS#wwU_#`Mt&oO)n4m-cXB)qDLM63
zud{5<Zr3xXJssX66BAXdrAv)n`@zL??jUpXIC`(KKp?S~1dqV~3~JQza*}{=2YJXd
z<Y5EOnW~{jh9J7bsYtp(2Mr=#BLDmr{aDr=XXCgcdxXkO7O~8E4jEUW+$_xdGdlWS
zvBU-q{kUnmA+Kx0oMcQ59#ksxLZr$IN1;^@<VO&J3>XTTmK}!)_1NfNwqy9+%l)Ht
ziSq|sxwRliJJ+LvUXJ+GCiAvI)Pr-HE$f}N=tJGRlopVTA}V3^8BEn*>iNUS*jYK4
z04Gfa&nT~zVFl~@<2w~4XCVjMuX_^SP8IZ(2A|gvKXeBwIpe2B9`CZtsKUM}D;}98
z9V@ZV`qGJscR<;O5FY}eG0!7FO!(+PbPy)DmQw3(TH-6S0jrE<m0>eYCxpdC3oeN+
zzD5U6C+_6o22%D2=C!a`4o*%Kb#^_2&X6{QjWb<N>jeDNKA!UJ=_G1288sRlhiYmp
z{p36EnDcr`I%sU`As>qheAIhZHkJ8Qa?0+2kHc@bB;_hpO5YOEyfoshY`sT_x2Tv@
z)@E20Q_Am{T->V{InI7{4xI8#9^>BF9q;4M(ALY#LR&7+B-p0mU+Z}8=?-~rqQB8O
zU`r4Qv)5;hA+xeGL9$XR-H>c^rmyT0X+<_fOyX+~`m$j+&y!=C+p6?ULEO16^@mU>
zGEk&Yrp%F@e#0TQThL-5cR4V+7s8EqQOD~*K*+TR>tGWC9ni*Vn%0=bO=SLH>Z*j?
z*cEw&Ce!Y|=#reLGb%(l+M&9cR8Ffuco6T3IE6IM?uFrKE*kD!M6C|M2(9qy6I9gW
zd3*kJUM>Aa7juh>3kVvaBEU|N6U<d@wkY$<x0eoN(TTq&j30HYrD)idu3G3GOCc4w
z!g2`*A{sMv!s65GT(;a@V)be_zj+QFjW5UAp3`SC%t2zhPIgt1lrdxD<J@dI87<nv
z_%B=~Fx!G>M;GZC2F$B0aS>28Ji3Uc;2<B?ixgF_WW!&fVLzEU5!{B{@aioOxB5b|
zVZ^%>rYKP*TAG$RWP#M3X?M$o8jYw4rsJr5GjFa{fXdfJBkz>XueX%)%n+OJYKl&R
z(+iL1D25kdJfXokQ-u?jQO`d5C}j@-J$gstcJiqkSpC#KXlh&5e)a%=7=9ITn<d?f
zdb&v4r8q$A5p{QFf^r*v&dC$`S7@<#lFF$b1ApO`p`JutG0JL|1=cLMjo@%U?>{8e
zix^mIOs5$(U<r@sp4N;LF{;qFE1iW@ptf47<#bD={lykaf-f?cASad!KR`LNGi#7#
z@>jnl`K&(D{~Jn9S2WHC+Swz`dTex!_(~7MoOz3SW^)zD7WvOr$@HzQ8#DR1WID6I
zm}~pW^Oe!@{H{nS+QpIh(8Cv!XXy$h3lpSyko33dPA&lFmiU+*l#p3Eb`o0;;d7OQ
z=}3*wPH9bazMXr_ZSyE-BkF2PNH=IYLb11%dNW0n!F{c%4|Q>(5U^f@?{&uUfx{xF
zmv<={;qYoJmHs;!&S8H~0x(K9kWlvxnVnq`Rl1ur)dcCtN2*p%(Ex}UzhauWps1(W
zA#<+u>WvF_%UlxP>++7kkPSpq6%{4!r5?!DUFfQDUuXGRybkkkI5NxZ@7%Ox>8PrL
zLFxmy{VLE+qEO=XZ%ZQj#;3J1VSf*x4^Fb`za}a0I2C43GwmjCgi}<3PZxQ3c>6RI
zE7q7qw)7@uvXLPyB}m&aO1XgKCii4aJu55d;Z}fYZb%!cZ-M<q^FYUw@#Wu(O~Q)e
zrP4>Fx-sFK$|a;o0cY`wB5En4+lvtP&jTJB_Nsgxr$0y8>Py_-y)|O^QmDj$O%K)p
z?w|sZ<N0z<KH{{B*dk&i4gq{G9KeD4tSa{OF0o1X_jW^8soY*a%;2P~bt1-o{rjqv
zVIt68uNw3+oZ*wip}jIv!hi28&69oRYJDdDgklm)UDfuY0H8tmFLO-4_s=5ArvvUh
zc9P_5-fg>H!f6Yz%%3|pz1zYYvHa6r=`p-Uj00_1CK^U$#(j)zo*w|N{S?e~A40{>
zc9y-)hY$@$+!j6uipK_V318LR<PqtyCSrIEczj$&+b=`*VK7`f?<CSSgtz2b%G@fN
zjH@iC^YO3Xsuj>8>rMK4M#JTIi~b@50`H@~_Pwb2iNBTq`mff#=Q=$wyd&Pg^Z4F7
z=iBW45Po>;@CF7URg1hi-Q1VHY4G5wy{QQOS7X;2?WRxEO>HpT`q!%bd5!VRoYt7l
zHEJWyD5l|w?a}L^QpVVnq?VU2*|4ANAC7rC9~Yd8r_UbbL^wiGXKXSjNC6s6Wb~o%
zXZ-xh^h!)xBKs7k%fOqU;!?d?a9u(0@wY*}nGbDd;D@H^-H24d$kZZ-MlD%yp;`g{
zUJZ{Fc&$Qe1vZM!-gb9#l2u|#AU?;S`-iUY0igjh+T->pQK3_|+C<Goy;uiTx|&7e
zBf3<h73NE2iIS2Rb4)(3)~WWdS6tpALy}G5KFJM*J;euFH%`^bO}q-yJ1C?Le2Ta&
zX^L85VI{{l2NAE~rxPD>A|BChKd1Rb1A;3?HIj$R&M(0^l)*eD-Y+($<69-}MvG{#
z-sRNJcqs5#m8pH5e=Q?q4iXa%HL|nSjWQR)4M_Rb`_3Z}RU-btoaZ`?hVjmDX~$Jw
zAbqHVg;#&{Y-95yMDES+x5K^rFt6@%R++Lr4`fn@3z#h}V}%&oW;{6l5+yu?2(zJh
zBQ{p&&On9_bkBdCB`|Sqk#3~L*Q&>|lFfzMFUI(zB=|&~MxqrLY_$Rq7afTgZNQtD
z#mIM%)4O?zL0ak)2ksosp=OQyBWC#|-tX+wDmzV6;^OQ>1ne@DlDRW%D5Rk7zz0Kn
z=NenLkJr%KfRmP<FlNq1+EcWw;z>vShRHVpDOq?Xq^AiBuQa1~Y=Zx`d{F7LQ8SlP
zZRqarpMSeVvU%1q7)z)X&zxK-*fZ(+Geq1!h<YSb)Ki_(waC9I?sKZWU47v+McmrC
z2RS`-wDgy!?o%E&taFzRv1)}Ta$6~~qeWM%!gWvo%VeFfJA23L>pn6D^mww!QQ@>~
z3wH}8a5-pI`W!b2EmdeDQnNBJ^EiyR(eFAn6#cr60S%g(-WFTFW<witUyA_AmD=+o
ziG>7}PbE1&4(vA>`l%u)9>#V`VK8Ze1HV6qHz{y5<|ghoWEHMisx%EmUA)r&)4FKm
ztzO(X+ww=<fah-%F^}l$vMaYeI$>#&ppJ2LT(oGXoOgbN_1Jt=19}ATzQy?${u5M9
zr0C38{v+GTS{-9>S804p^W+_eoNmYU6{r8S!M}As5Us~_=9g9sHl#z}XjSH)?@eq|
zv;OU~>v;LTS6}OblMag*b`=OhHQ_=gd%|>uf^XR9f3y^f<dtPicI3a2{o}&!_+!EE
z$rm|Ko!Ncu@H+>Z*J_azxC|LUw+LD>g0}TM8$#hK{usJI{w9U$%Q6~ATl2#xC8&HL
z`CTnJE4jHjv6vI@_HEU#&-yL9J}_4!C9To-^maA@m-+ImM2vKY<Yy_r6BHw0L8jVu
zwT0H)N#eYJCZo>d>C{8d%o2=9u>XW}&&XqZTnmw0#_MtZ_vLD7<Aa{&iZ%AGt%fN}
z;Eg+&YTZIx6bp(yjmuE9z2Wcf?|f@j`(A#U%R@J^OFTl3tX-=r#v{Yc2Djg%;eO^$
zUk&77FgQa-8xiIO_S4Y@dtaQ>S#hMzmxJ$n2TQ3In{#e96<}@4)=0V)xUCoa?nW$1
z65QTgBegK~`J{eVvcbrAobhF4-aOy=7d9*R$!_x*%MCkPT6T7uo0Kc~_ZXMHbFiYu
z`d1yRE0~ZHh?A=<iEzu%aOKb8pi=1H&9zx1<GKK&*Ec=26ovJlNhFE|6YUCqB<7W?
zV}T6loEM))J#0L39B?>!x^U0U!P14;Nz6APHqLPR96U?ya#hxbC75U=;39JzDQx!s
z)^k5+pI62#^>FDuWSK_US(^R*5@nlEkA{X>>61(XU-F4zHzF4wF(ZL>jc0~53MVHN
z3W&$rLUC4$eqQGcs*(>(>Bhk#i#LtpX(uotV_e7=%tIE(F}DpF&_EnM_P();D5|*D
zFF&{7l;Q@Z4{h|8SN{C*1JZIR1o9*p@qII<`s{`J$q}DyZk;2ElC*_V4sj9v_gMVn
z#yH1I`GnbrZdn5^FkoNjL{-7C>T~OrZivz@Zh7!m<TSNy&%0S}94EV94n|mt&c8@u
zc@Vgwen=`W=AleqGo)`L)tX%E+i>A=@G#I1L-Z*|&;c3gjC%D*2q{Rm*z0Y<&{*j`
z%-BWBiF05EGu86@B<AJU@mHVa>HP!WpZ6Y`Q2qDE<>kHlQzjF`Mg;gT!}}l0HzK=9
zXSuShJYd5L^GJ=;kEhMZ27%>mNZV402W_7U6-oOt=JNtq&SitFrFwyF6_{ai=L_AB
zJn5U=6_^)PG`|PkaO2g5humyCH6=Oz=~VZ)D_-gZ2dM`DC;_-IVt@K$1Q7`UhvRt#
z@$(_X5LVXTd5~y!M#6ar96&hT;4`%C5dA~|{S6`@Fo`dRi^H)J59l&8VfkNzVci{2
zKMtw;saCq%9{2+&iJb1${{_2y*pFY9FdXk04Y)T|MRkR8Ig`Nu08mQ<1QY-Q00;nV
zVD?nj9Su!#8~^~o9RL6q01*IWZ(~q$Z*X%jbZB*LVs2q+Y%XeWWoK1X4FCrUlG<Vl
zlG<VllG<XOcL!8c-?Q$4fb<R;q=a4sr702w0wRQ<5@}LZI#LAb3PJ=F6oJs>2MC0Y
z6oJr@E*+FEEi?fE>Aj}B_+Rhc_wHSHy>;)Mv*)a{_RKzKzO!e~`i3+?ng>{QwGr9?
z1qB6QMZN$M4$uTZl$3u5S*XZ^nwFZHii(<^hUNk-BRwM{13d!+6Eiz26Ehn#0|V<t
zRyGb!E-o%cmP_D^oM3iNF3!I%p#YKBP*KxSQ`2!WF)(rdw}sRKu+aiB6aa`q2%u!6
z0I^Y!+5rdvP*79+OMw3^6qMu`FVN7^(KC=8s#pO^3J{2r3iLN>vNe!w2dLPn*#+e^
zE^z2u(+GKR$_K}0(hA?kwsIK^?T9GYc!to?U%Uk7zAP#xE+Kj4`VGaKN>F9ZJ6hUs
z9fYo-k?}(lQ!{g0J9`Jmr%ujZ-afv5FJAhGzIhuK{_cH5TztaE#D9{KQ?jyia`W;(
z7ZjFPR902j)Yg6d*4Ez9+11_CJ3KP_b8LKKa_ZN@;?nQsmDN9MyL<ZwheyXJr)Ph0
z{l)oz<Uhs5M#e=+MFpaw`HPE!((kVW8x^&n+y!<GeHv>I4k7tqTF%?Cnb=l3VFiO7
zE*sAw`immhe~Iq?h4wFG|21GC|087o2JHXhngSR>6y(hVu>mlEV3-vl0c16dw8JVd
zy?v$N@#<KzV0tz23iaH(>*wP2Wg&)<w+AjR&-E@*3)oR=D3z3I>>h`!Abt2sl8Yy&
z=Nbzi6GFe!dB@Zml<ZWC=yAWWr?LY@Oc^<Ac`4O%YZr@b<al%HYuPxHZ@~Ynn$owL
z?9b==ivs*e0Bi-n8<dsECN3OC^g+Z8S>Q<kW}gI%KiMau22LJm(4@1R{&l<Fyz<x7
z`#Baxc(Q^gayF5GWU^sV2R886AxZ}2L0+M&$<)|_S0@1!1Sd7yaSsyE)Z8-E1~DZ2
zL{XzANkA9s{4$`&d1QDB`J-`ap~|v^$|T&U4*;D=k^m4v;t&+N3Tq<)U)1T=U~)wG
zJ|_yZKYliZn+U@EI@4dr6#NZmU7e2nwNtzngxE}ul;bW5SpPe}oAWPB=*&Ed^{!D=
zEWT?|_a(Oq+OV78h5xh8pr|yZN&*H>jEdY8;t;TZ*2fQXJz_j(i(wqZ>#iigkp%FO
zfDPw?xU|um=hH(=U4#z&TdB9<<8-?LZA8gkmT-O<#<d=+p)TQR^HZ~cUp2qqAYyEp
zx}~9~;ljMf-o}QX@<ne9rX>6{RZ?rLR732{md=*~CvD%pjz@Xl8VH*et*ccWyL=(`
z)+b3})Qsqlb{$#n<YZ{SFQv9r!^w|Dm+iM|YS>YgoAXk9+9cpXwV_|(wKQSNN1<Mf
z_kr{q?G8$l`L>d+rr1sf8Laax%V5=vL7U-dr3(*1yR~NOktHrCPJOalqTOCcWp{9_
z7%Q@?;wjX_6H**059X&8t}RK`7JOKl?R~bM-}j|a@0BWzmQwEz?~(oe1GU?OD3{Xr
z{!7ZzN3%fKK5|qjdRf(g$0Da1^GY%9I;};_?x*)*<juE}Wz7uoMQZH8JD%{LU@WUX
zJSq#ny%%gtb!D*Yg<a*ymaWF}w~g;nJ}M$oV)tBM2s3P7RD5{$EcK$V@2>fjMJHC1
zik4kzNSn(T{`ZV~cOWg{)=U239rtYz84XyhtrK>^;VDlq)dx!ZXC3ma1ImQ?3!ObY
z7JTEOH=-;oYrbNPszXLxI%7L%ZO26Xo-N_qykcZ&80J*GjUG^FasE36i9{mCL)Rb3
zb1Dh{E6ZoU7_fq^A|w3Rj8KQ<q&USp1vU#3QQvZ(1{C1e<m>$-1IcG#gf(gvxr}Nj
z0lMyx4I+l%jFQ@b$?W9J5XXt+WSTT&O|3cC+!a0>_5t&vHM)t-y&uCp$+=6O*_6Tg
ztrKDWuX$Djd`SS5Sc%Dlk^og$?!7YXQYs3zf07bwW3(#&w01*-S9)#(y-y4Xx}mI%
zJ>WeXSuLpj79o)%`>$H@UsH-E^E2B&9pZ_wDe~EiQi}kdMw!H9KysD;Q~wpB075$G
z!Z@+NqN>gG2k-4EZqfJvL1RJNhh9ApZw_PdJ_24R{|f6mhBhuw&M@7+y5!VH8`7K8
zZL&?hlIqu`8+W%`s4ik=IqI4i<4}7)sMgX=z(>H&kxyP~0Y!}{>e{8BmDvb<EIz#L
zeYzr<KUd$u9i!4LP|2v$lE3Xr^D|86Q-_+|(B`Yh`*SbC;bF_|>vVn$Q<g<^R<TBs
zPpS?Ria6UO=9l>8wp9we$OW}&PNCiGtqHTc<Ck+1(4scjFnZPdaK^`rseIG%`!E%c
zkv&>GgBPQr=YsQzqjFj_sU3*R?X+v@!L7Fp@D(j$ATJKLs=nMsKGNOua?DcTDyxjs
zS)9v_FDuwrsj}&%yBeFiwQabb4z2lFImc9$|IV$d);2D{Ohz!yQ2Jgchgv51b*g!L
zb3G`-ri~{4L3z#7rf2wu4=+w<ABN33j(;eatSX&)xCMIF+_(ScLxu0=C$CgTzdrP1
z$#2Aos+LP^9M6ai?vSsGem@Aav?@oXF;(vTrjK5Ur*GfijWik3EK(gMpOg<$lNojO
zDA`RD!AF#`j2Ffzjy)n4U-1-Ju9>W7@ri+bxUXK59`7#a_qsXBJrT?%59LMCt<kkE
zlt7W!?Zt1IHKn~vv^9{AFxvM1it$#g%PWrU^kL8!3D%WN_H1qX15#P3Qgml?dbrnM
zu;%Nb8_tM+{yKD3<Hk<sheZu9kF3W?_p3Puh+I06sC0>hhR-*_<u`XUBPF@5M{TN_
zgq+8ln3OAL#n>mNXPB%yZp<de67sa;**2!<l&l_vam&TYLYGNExruyedhx)yZjIDG
z6?kOTCljn$LtbMI`{rC(Z+&%Cozeg@8MU3cejjZ)l0$Dm{MqIPa_#l1q?|dYRQQu}
zGO%#z-PD|U$}DkBM<kBHl-;5#T4Gpd<X+-0hqnu^&)`w$@9KNqS3JGET~fkwb6>a{
z*Su@E%l!GvQ!e3@n-2kv>kQzxW)C_ar3=;DiG;A)-uPIe(=&kDtIPg=WnbxBwYk4*
z{6~oswtcud(-|uX)FrD^9dHj|@dZNT2R%7^i=)p(;(4lz*YtpXkMyLKKTmj_XQdRI
zS=?oIZ*)}FY>Zt>F^;Ny@R-)FNuz3Wb6iBU&Ni;iWedz*7{sw_q#TCzv(9;9@p!r?
zugBWu_gc317p9y~3Gb%o#ToguyC%iPT_eYj41ULZPCS|7dKqVQtTy(@ru8TNoQ13h
zw}IG`Bt*NNSO3;*W5My)k9jGd$Ne5my{9u$(Bbf)Hw}&-05BP1O?P(i%5f(}zXs!V
z8|yEbn?IHe;|bp%77hM5_-QCD#I~EZ&=Mcb!uI4v{GFdS3NZQ&iHmK@4p_JHxjSct
zEn}XaqkcQ(C1<ObDrrW_O|`$ui9l~m%=SJzley)$^<=!rbN#;f`u;{>?0D>5(;({6
z>zfv>DSTVe@$j5!GtH}6(~0u5x|E-4*b%ts9D<8y1N7R%p^c6iF*5l;X#9tw{BLSD
zD>VK^MJDsf+VMu8qdfysQfnG#WH;|W7NzCm!gN^Q>cQy8TH6M{687*cbnLatKH_9^
z{t@E(dA-YCxN$13OW6Et#j}U@j!M6DcpcBDgZrf|Upen&mL-~{Y;KzWDh^whr0>OX
z*LJrWaH3r!=e;bLb_UwCZ@n0~Yw>jRr#}0bnV<oenf81n2w&W`JirL|4<&NRyjAP1
zCKq`D^_;RuOWg|#vKHHc3v&BDzh2H;2S*jWda)Dzp%9VRBih2+{^UnA+ixpDE1=sp
zrkDc6{a9yFZsOI;9iOfVe0ZF~^{g4=F{Q|WGNYJ&=8=9m%-4X$TQv|`yx_}M<KxOA
zH~osiH#*uH;uLM4_Afh#;G^3xmWRt9)!0welos@Voh$sdg!}NwC)&pX^qL&0OxeHt
zm3MnGm;;EHy56vJUt_$fuPL%SRauV937A>j=d@1ZNDw$!Z5uTz+O25)Hna7M@!PQK
zimOh!z>CG0&D*WfciyLEbFU9qiJi#I_bkLguWNb7=_`b)G?dL%5{RMSUonSzbeUI(
ze?!sz0K<oDd|1EKPH*XT&;$J&EA-Iyo|R>&d2qiI3E*wuLAlscws|lbs<==$Bo@jt
zMqq0nAp06h<htkQeM*Yjh*t*jK0ZE2;FQDbf9}|9S$O?E{iMkn+4i}6KrbkvPbQ52
z;>a&Ht!#B$GpdYx=C^s}YoRu%_ZoPDo_8gR?vFXs=sy<~e=rV9nz%!8L8f&M(_PZ0
zai;jLv9y+9m#22mey}Te?Q>D>0k90nM-~^VXue-j(~gY2blhNAQo+-#4cg4Auvw+W
z2#LjLSnazE>NDmU<jVbXrly5C#}6LeSIg{Hz96+OS>3Mo-K~@^)BZvaUJwK(^0|!<
zc$sN3^6yjmJ!ml0E^l9S(O%;=^=I`TO?W_g<;{aa%ECzC0+5>(q5dBk_y1q-J8>ze
z2TD+kj#)J#Z!p~ZG4dPomus7sdU$aax~FJGA-Yr%8^9WJ-Z{ZdD)D<;2KQg0>x9mL
zJRvqoVd{6;a38!WG;mECsgV11Eo$vWsB#xIm-lX-<@Gvn>G0G*BN@n!MELp7q03jd
z;4s^~c+;AwWTx-hT1s*SjFSf~u7h9O?<xH5S6?Th#Yq4M!6o@k<=~s!!=26F-loCl
z^Rytxy~DX*E4cPJtCe2@7=rkX(z17T$s;9IHbIBqJs?}XIF=>n1?BF{kD-!F@~NSg
z&hM{IRP%FoiLXQksoa4n=;Nx#oP?BGPjk>`<s`ri-Y6da2z(m75b^tq&-puFH|r}m
z8J0bHY8Ywu_SLGY9E))?)`-0vakueK27l0q+DxE&$xDL-U4whgTAU9>sX6u4|D76-
z-jMLdd5Po`M!|g$_gxkG4@N(;MhvN5#><}CLNe7tcSMe;b}fB=kJeNq+XrsV$l>yU
z&KFDG1NuF^6^Hs+D@7BD{ZmkS?<Ie7(}7>}iG7l}GF(J{CZd%8c0@gRsZ^aBEfX`a
zQ5J^J$wzyKZRqb9g^Rb}7ta{yv(oU!R1+N6?}GFCopDjOE#7t*fFs&1aNThjK3X&u
zw>H_5CaH#-{p;YYUN^iSun`}gDkI+UJ0D}j^eBv+odx4%2jLMX$KG%~D3igpqO5Hh
zR;%_x$1N4p{LYiv^b$)0i5JDd837ZreM5G=gN7#2unUwbUgTY<Od{s6)zFxPpsrac
zHg10(I#jR)@BK*rOA6Me%gIJ!s0WjjVDG;h)wDMt{rqnjze1WZg2JW!Nh<gwyj&{Z
zQ<zUAjw0efg8nkO>=!CcC@%?)L*_8&;z#h?@dhTW&!CF!1GKTsK-&o^XfrVljf~{*
zlc!I4yc+P;_rJn+Sw5D9T_&^nJmz_;!ojJO8B8H_`Ih5Q>={rOH}u-ze81W#=~WF6
zCJw`evAuA7Xf2!?-W12keCFQs!{)t6U3@5Lz$Cr;;0tUidJnE#nOOxQ?U3|qICj-9
zd6lR_b8recnLKDfNeva+ha?;yT$eUElR`e?;b`hLu=CQp=r=tX{buB&v1I}_=RZL1
z9_i$9u<zf#i(N#pf<D!d(@ul!<aFoIQP{US_8GLr9)tGS)3X{%v>TyhcwI!c(%{p5
zX?XI>*LbQdOM3S1f3P{13Mcj|W`$hDl@BGCKIL&YT!jj|R2}pJ5}*PMo3Rb;#zjIi
zXt8ql#gJe4GphGp08O_gBn1Abucb7tmV>74Y>GDwnxTHs^j=1O0{Jk#NnrY}MYY})
zHI=6R6si$}$?QyrrsYiKZW$CAqI^&elnGpa0&$4!6Oh*x@uFOmK{7EN%BxGFPQhUA
zHbj+tO=e6iYM2M1jeROcOv`}tMrBkkMX4ANSQL5$E5lDCApcGHrCgCWNjTKG77x<H
z@nM1ob_}dWTA~JaQF-pw>4f7>I(RF5K8}+>oFWIkfP9g=cKvZ;vJvppSEZHF@i!jA
zV0IjgmlTq3nTMc^)8an2imGXTm8jb15R{P0n^{jCKP74#kw&^9?vc5}VTDZ!td86d
zvsHUAX8n0|oRABh83{Ok@s=nqF`H1tRtYHJt#vbSZniaUCT^r}uoWzcE`*Taypm@Z
zCc)9?ATj=KxR4Wh^X>nLhF-DKi3rAj=v&;oTmdqkzk;U6GHAMbLfgFv?Toi5cgxV%
zB^3=VW6A&UhNi|i<?dgjhrJ(M!_J`END`RV%FMiS(6pL|8alzy4E7))lmq!ho)wxm
zGv0(ICV^;XK|aq2KXFg?MM+w=8$&|hXB9LZX2ZLnYRxDrHhCd1cv1+)Z#jyt4oMg`
zdpFuo$t0iR5W>>V<L3KJe^~-N%8s!xtQa2A#}U2v9b_Dlld0I>kflU^<;63&A0LQQ
z4x?~>kt4pkNlyEdUvPTOLR_-d!Fgw6Tw6T_Z{~;M@ElvbmBps2Qf_o&(KVTyhBevu
zG00^b-u_1R&I^B|lo4MYUd|yWaE5;;&s4D5??2<wZ*pX9ndW$e-^+FB&-LAb>0xi6
zk#Q(mk4wkIO?&Vo2@coe!WtH%Dk+m<7z(||L#V|tYR)(vic|L|D32ItZr#C}h|`!%
z@x~qb2#dC!#H_V>YI5m)`buf~IbCwXCm-_m3*vtcn&B(Z*d`t3%MXzN$eLgF56eWb
zR;Xr>ifV>Y7~rN1<L6IN&BiAoj-sF?GikbcqLFPrT20)BnnPr7FxU9f?FS-`eu2*R
z$!KmH1EW>S!g(A4$3f6ux}TV~2)!p|qN}a!EtYfpWnHW3>w)3(4#IieX>3TB&TC~T
zC69t3ZV@o`+zAV>0~j(l1FgqK!Z+svzWU{NeEB2$89ckEtZyrL*BumH{SM9>@=$pG
z6MXf9q|P5aQb9@cpTS>K-=-j+eXCrRL6nPl_ZhzY{Ru1<WMGJEG<w)=#r2Pg=jho}
zwg_Gr|38b$g@Y5IP>(NFb^60+ALE_#a+P%PSo~3zeq*j6c*Gq*M>1b}xaOm!eFo-J
zjmhB5|El(fP^{8tp+ii<Af_Vj=P<&$=3qoimN_w!mBZ0BllT57pJQ?833z0^35Rvt
zG1N5{F?;2No}c)|3T6h!$VDsbOEoW*!F4m$oL<MFG2RMIKRLNbq(N!j(ezo4X4V;K
zX_kW4rgCPUXo*t7{La+?Hx4KcY(M7|Xhwx%2>Bw5!sQ544lct}e1kTktIJMdW;v}X
zCmaei79nWi7>QQ40T@N*h6FuV_)Tl>UbJ+GhLhhJ(s)zk&B`E1#04g4)zmmp46Za-
za+>^&Xk7b(M-c<d!*;_?=@b+pWpG%oNQKVSD6$H+VnN_x<nNI_AIJEN%79ln<YExA
z%V~VZ<JNu<&q%7peZI}n@kA$4h42q$sZ9U)eQ*mbf%V$sSeSGdn-gTO{ZpdX3$4h1
z7?lc#Od_X(vrC5<(MQbt^=EkZw31K`B@)VQNOU1zf?xI<=;oY=w)SM>Pbk3HB{{ft
zPdelx2vdUJQ!>e4P<koE^Jm;#C&nPrUH&fJ<o0dB+{#>pr2TJT_|!=Flg;ZywO#B^
z=_Hd5qX;?1=fOom_th*_0DYvK)FkhJA6>>op@vnonEomtI&-9ObZ`!bMmq>P3yxyE
z&mM74;eyh9mB-kn`EXd7iLHA+LUUbppkWy_&1a#HQz){|eTtkz?<sf7pc&=~o!QBV
z+I|lyJLHtn@@Qy6{?35;7)s`z?ld_R<IfP3RgQ}2VjG4=qkS;IIRVo{4x{+^L(JT`
z69ZgRFk->;6Wq9gqY(2Vu48G!J-DuyE7CBYkNw48s~USQeSo1;x4||18hT8~BmtCj
zN(6;pK;M5Fl?n$lzDxt3$+{)R;f(VA`-gdWczHszG?$I#_e(g8!4tA!wfZF5TEt<5
zb24szpf+dz8Q=Z#qMTMu(o^qzi+~-s(SLFprg~q;<YnoC=hbzqn(KIybG!<DCS{=W
zgmQxxrImx+)1P7PmV;<#6NHg&%7OyrW+^r?4MuYkjFAg=qlIyhyeX2!#RD|b4?xGU
zu`pj<f-d8gIo%Ywn)2Gi$supQ4BZ?<uqsMv-4c*r_=M77GBa7EPt(L++$#@Fb0-X%
zm5AO}f#`3oj?F5ArsZUGv53UnnB(X&uHpg_mJ6d$Yq$rcEr$G<h00xa?4|iLerY<a
zJollUIhifvm8RNqXri+bJFa~ItEGi-_LHqqoN}d=96Iw0V7>k{`Z{I8z`X!7{CDI0
zf4;*zKRiM4sdusK%v-qr(Kn)syZ+%f2+KW-g+cq_n{^4B(=K3hQVA9W6(RY^ZS21N
zF{W(V0h4K&nBlb-dv1J)cPW|Xi*nJ+Ef4+NwqxAVH2g>jc*Yv(g_YYsiz+mS>Rj;^
zbJR1kCl!Ht#6*@gxC99Y>B%Q#198aPAAN=HRPZ&&g`fu6&_kB&$I`UR@XNggx3xPk
z$L|o_HXMYmTMS&b<ijKRC_-{BA|~$yN^ZP^s~>+y+UEw0rbUv8Q2?7|X_&lWJ0f=9
zz^b^@80nORffHiU(9{pzrskpN#ANKe$Q_fE5~YJ^L+%4~oEU~)u8E@On<3;v;a-C|
zv6!%7A6iX`Ks|DF1?W{ZS4}J;FnrNrF)DO`OT|&MgQw-7hB^6E_HmTA+wvxxNJ_6^
zZ9P8>m~j9O0Vgonu3SHc@UzH4pA?A!Q!=3Co{iyTYBBhUd<t~7O2pN#zXva<=@~7B
zi@i3raoJ*3K62jp6k|8+A?BB>oyeD^^rsyC2+LFNV&vRC&|aV}a8cIk)y+8*UC77j
zI<)}R^p)W){Hl~)%=SBg(e7E87IXrU`;<B8qK6+SICU3R-uqD3cr*IX+>Q?86UZOR
zq5LGFg@GSx4O|b?#Ro`3Zi3muLJV+9rAjOt<9)BA?YIaGnUjDGMGs)MbRQb(1);5V
zC}zc;g5CNP7&JKrwjR6D)nF}VhF(Miix_mWOTqjAIZyow`IBNXk5`N;%_<=rlnxdS
z?sa~mjI;lwoX;Weuy9BLVkGAsf#<fX7)lJ(+#(sREYi`(AxF$Lo*R1@<NfwyLHJR`
z9eNx3QvxxaYVc)=H=#eT2qPwEVL|9wj9XWX(F@XHyZIP&7VSkRGSLQ2*@011%lC8K
zO0_B#%9K3Rwv0pnX@ziGr*<+*!X@qd0BcfCVA<9Su<_U>?#a~2=iO|5;JWD;R%E^l
z%f*UWB$!Kv>f)4!29{f4<Z&Fmoum&SpGas%t|K2|Kb!(?p}D?nJ(87)oLMqE<^+b!
z%*3Lk)0nhUSvQNJ48drj7l4&nZ;^AI0iA_P+J$h*%hbaAaM*YN^-Y7&(Kb}xWad=L
zpap3SUKvm`n#{gY^82!^<oCPSgrncgZ5Xrp9E=w26!(NZq6n{M<SKM_DTc-%1_mqS
zTnTmNA;WfUG5XEQ#k`oSh$vKs(>&!CqbIog**9pxgE_~hW8gIMb;$f&kntuO(!Cxe
z@Q%SJVYeX@**E_X^YsT!$|nmV8$BF%p^a$_`Z>g7N$O1unUaYPV`33{>?i0hPDSrY
zzSz9|J&YoAd4Bjl?ET;mihCob2cN<+(lU%EPkwu`)%*{m3bRTflOQ-Tz91~$04^lU
znQKf+<|jc?D!8YlIr#d6FTTcD@&j5}Cdi)S85tPA;Uv8CA7X-65thYXCTHsmI@`v>
z%Ig@+R~Dkby+6D&E@Jn+pUEUkK_}~N=rMU4rl;IT^YI}Vx?m^zOid?Z2Ea4@Hik`!
zhuP|4bR{RX{*YzJI&h1=%#d}j5!vsl`yWuPdm5T<F5(`ur5H#@@X5M^&c>nSY_B2b
zS{>KJ%VNvtny&Ln^Q5DRc`!8H%k_&$-a>nO@;Ul0Lrq<JUVoarSq?*qp(lGD#@d+E
zNG_B^TO?%dZ89?!112ZKYRf5TUa+oK2lEveHZ>WI&6A*MH(R+|22ICB=;L09o>W1!
zw0OaAmOeA70?8G%w+{Is&ts@tJo!vfXloe+ztqFxo-AG|yrX6(p*=bO(>CowP_~?f
z`GjliC(>*+pO=Ns7F#eY<Rtux-$1{K(dcC#i*}ZNa0@vCr?uJGcJedK3qFiduF)7w
z<*_2^B<|De2d=*h-?W36?y&<iJx;=TNde-D&y%VAG46c&2colYV&2BxSQd5|o6;{}
zWypR}D$;KGog8>ozrH$DDjcPt^r%CGpZqS#cO_NM8D{^rOkdD5PP>8~*FM4k+hB~L
zjN7f=1(VrD80C^gHf%nOXYa!7)%m#bo*Wdw^-=Qv+n7tLbIRHx6r8?;xE*g|zTZL2
z4mbekb-Q3NH39w^vIgT+#H5u7HoHdl?B`UTSMR(-zl4~UbJ!G4W^j`#KafFQ0D8dp
zm1jN3PZ~6P2U=Q&VR^FJG)iGa<mKX3P`$@8^clYuF(qH3`ml<tmnfspO5qlHhfIug
zXmkS6ikP>FehAtA378jj23d!d4%2d&<+m4YEY`v?V83WaUL1P?euXzNC-^ix3*UtH
z<QVM!<OynMlQ!w7j^!#tZ@U;Y85;-9pjEK&*a@TgyI{MdY)B6?o@9H;c(d0f<4r1_
z9Tz?)|3zv(Ht1w?#Gmn^miPZ16=_=r7F;R3uNqYdhmvDD@$l-$kBDd@-B0jF9@Rut
zi?DF;NSD%ngK~Tml6n+*hi>ERKl4Nd{3dMh^8QN|V4vc#EXMMpDZwjW$YFQFHJ1M+
zIh6(lksOg+*@ec1Ex*oBIHb%=W3y1yHV8oENuaff;*g67IlUBCc&6W%7FEQq8`zlf
z23i=#pp~uS;PMCg5K*$T&ze=n-^n=`EygCmJ^4-OEX#-Xd^S7M(3dpg6m{J!{)8}t
ze!<=Ee#J<KEYgy`D7yJELU!H5+~8vfE&2>IA}*u1buzk73B}Badzj>>tWF}dy=3S5
zqdn1UW*&ww+=+>suaKFl<_VbMDK!hX2deAoGa_@ZVqx4HVlig{@`R=6kf>9#<lu2d
zT<BBmEK7>2BjEUujp%%*bi9H%@l&QeMZ}k!P5!M~D5XV9zhy)OwTxapDiID&l_Uc*
zm6-U%c@VcA<J<dJ@cpN9-tbfMHU1Et68u9sWUflV`F%=%m^rwensYCP0Vssvz6>Ti
zcZmH;_vK=8+|l@pc#rvmoqds}XTMP#zmosMh4=$SL3)QCiS~5ySzazuDKMrbzs8AI
z&wTNi9tcgMgi&m5bvPeGGr|YmrWB!tZ31cx-ze@$@N@AY<voe{(FZYVRtDNSB?w<j
zfc-F$U(OFVc9)4_zww*VZF~|s+GJs(_ZhOqeXu3(HjEdNW*Am(c!~^;KGRdt%rqK_
zMRI|>$bHu^d}bv2Iwg{M6o?Mva$vlH7vbJqx;C!JvXa(~g?BNQG`QoY!!Vh@18WO!
z<Kid3U`22V+Uu*WZQQmb%|6Q|lrEn$WI8TI|0znpiWr(hdp>!N!~#4o?W*Gxre
zToag7f?WKY3C)=yT1XPpiI=zIauyL0IK@gq3c7J0(Kj+i@tj}eFs~j}2nT0|Atj$P
zuK04eo*{|FHN}&sTvIC#RALB5pySz(#Ju#3`H*tQvcQ##Ty*U@DESr>YM6lkC4_3H
zZ;0XQA`KNG*`EchV*LDyyenT8W2J^}Ms33oXzEN5_bS8S8Cy|(&?1;FCFX8BPq|BZ
zS4bl+`C9oMwC@YFG!1~^;?v|@$DzlpEVQr=BW7Fz&v;(`=+Dp$4Tb*7e3X3lHD<2Q
zLGc;V7$H~C#UTYP?0Fu2E;OBHV^hHc;mb+<URsJ)%hC|K`(yN-kc?hawqcM%EV|B0
zLu1<zcqAxG4V5MqXlmpqhO#V;I}7VYa%SY8z%=AyWTJ^tz;qDlIFEcwwyMz&Cg+RF
zqx`+nFj5yuLHINHQyk<4k6sBXH>;FXNRx?^_Jrh|N&P$Srj^^H<1fJ^;`cba47uu&
znz=BtmlsAHh54c^=uTA}M#14SbRVZER3A<S)R$^lhg9?&ABZK<hp;$wFP29fC%bwz
z)tcdmKKMSImZ+^k^uF=|O{WE@Hp~m-wwxu0dak@l&(xY!GteDQn~RWr@(xbkkvkBv
z;Umgg{Q5IAooA!DO$;=K{^&}MYK_r8Xkr<H=~0)_*1WuCk>Ggbp^TE{N}?PA+8S?y
z)`CK~L|h?<S{VXg4*brsdmo_j$N&s>O^56Ha~S5HiM2d4Fzh_01|30Xhh&UexDNxJ
zUQiy&cNB7Be&9I_oRo-OV}h|F{xsHQ-@>ejlUR{_2g95~$j`ZkFNnYWGtZ*NU{$!w
zpsDYKDVq;rWx^@c>#eTZt{i0-rBF4BN=r>s7iikgf~Nl}@_UrAV-!SChyIK3oK_{8
zA=9EUYI+Rz+;|u7ead|^^pFY4e_m8T|1c^Q4w*(agcQ9%3F7h<j^z*PLO6d7k$!%W
zE@WJsb3SBUrs+8swN1j%%q9t%u4S9ID1Xq@*aw{^Mqp~(TWDsLh+0}3vG=_{P;mPv
z7|hCq>B3?pUHkxJS5QseUv3s7H)50VkDODC?h~_7OWPkBEoEg3IyeQ4Mn>M45q1?e
zD~i$1SZyuh5d1zbr$gX8^O?}zE+5@(QZPOI61?-@!RSSWsH^3Nx+8sIpsbK6^2vYb
zP)?->n+se`s9Ls_<yQ2Ynhnk9jbizK3Et8`reAAH5*BVfjG@lC7(6>4_P!;s_t}ke
zWL0U;$indXdFbL;fPQ4c)z($UY6%b{iA2lF2$20h+fIFi-VTx2`{w7!zy2j0Ru^OJ
z;v%d|I*Dr!zr&I1-@+s57TQ~<z<60%v$#qx$Bl>Kv;7^+i#-i{FLj-&O28kdtjgR{
zdG}t7IZ5wf`qq0?p(s0h(L)hGouw&V)@)J3AOtmaBjAyK4^vmmejtvEeH=B+t3;*3
zA?rIXO2rA|6wxhV3W{V_4l&kBgkvfxETR4+RMYl_p4U}09hZT2c8ZP8P@<k6dlEVe
z4q(*$qv$a?9i|=!&`jSCI<tykv~UONj*f)h5_;wqi@H|jnlhE{(;B8^d+P_Fxpfj6
zkBt)dO6^&K18I~YZaJ{^+6%LFN;|(&pqx*k+C?cy|3%Y%K6*ODqdEBoO^xC(lT4cM
zBOf67>{l4?QC4_zC?UV76rqSyHd;Iu%r6O`wJ;mI?tF^r5vNgOgpz)Gq_`MpG&&e_
z!_Ht@*ew#EWf;HZ2sD=QXkrnCHWmq}J~9;b^`kMweK$12rE|?WmztjaF_qEeXx84O
z<qQ|>#e_`-aM-vTi=!_f=gPO(arq+zr=Nn8XD-@VM<e|FFGORtN1jtFW0~lYk15_q
zv0>*uF}=7-a57|81^Q1+f=BLk44<6=%>Z|KlNpN>O`niKxsgO(Rj10ZrR6qsvyH@}
z0A=M7%F|Q!L&dLGi%Nw<CP2DZg54zL#h+ikdGSz?@?gP`^$r)eETHnRTD}vV?c&hF
zGK$o!(nDJg?F?6m4Niv4AX~cETykC`V7Rb|YHANm_C14sPFsnw^Dx2ZkQkTrJXm%2
zci$zJ)Yr5t>*rAGLQR8d=;atk4sb5ok5L8|RszkCdDwI7OT0~d7nFS;X3O?Kn*>#7
zdJZ}mdx|hZ?1)B+d`YmQ#=D_DhmquC7|h>^7B=x>(BbpYXstpM`$RObrb=M-9-_e-
za@2WCuyxRk+5{)>gV0`{PGN$mR#u0Hl!q)qktTws!Bnb{$fxPIp7P?0`X)i}-~KLU
z_?&=8Hm@oe3aixx7%+YtdRQv^g_J`_t%X<^UV@=BQYjruk9=j|+C}|1VOsDNjN5zy
zO{mgx3omP`mZ_{rpG5%$SiAK!c3gNLW1N-maeUnJQcB!chnMm>q-anUNM*={Eg#`l
z_Dd{6CUdQxFv!*)mNODzH$NM(d%uD4l3l20;7#ViE;KSM*HlW?iRz{NH>jtx0ga6U
z(8QPy!-}0^VhJ2hOt}Ipk7`4_&~8iw`b-KZv!NKiIcH$IE(@A&bKth+4EoH>gT?04
zXlJt(7OQrlgJU@P0J)eGeG~Jys#_LtEz1Q>htOcM)@7J@<dC-5iE27zMs=BuUe598
zZo3uUyYHZzeHdEV`k*KI4jsqEptWfv+S*6sT}rRPlA;&R|9Bpn9=t$A2pSp%L3f7S
zDN5@67c*0Psu-G^24Gs~S#+^Y#nj-7SQK{^6Z}q!(Zh8OLNRn^E~faLLVN91%3I~}
z7lahxs!^&1HB=jmFm#~2b$2D24waROx{?e-*DVcwNHf<r@k1lMzo@J@I5(3?^W~MI
za^X<8njK0>U2b%fO_6V=D%*5b2BkpMa;Z6bH5Mh`#k9yv=sP_Q)lI|EYrzrJuuLGQ
zTipqXGtCUej7--|2l~Z@tae07O~xC<^FdJ3scEwS%Tvx{WA1%SUZX6aAd;=rN)(r%
zEgd{UNrHdL2s%toL49LCIQXB#@{F5s_rHqHlakTVF;m$6&BsKdhH*Tq>m;KAnKm`_
zx1#ryOw5Qp1+&HFH|LQ#mc_@{^85X!<&)VGkHJ%NvF`y;bnSCkuR4zI<TrG;$woul
zEc9~QgX(4hXgE1l?2o52`vAI;Ut+dQ4u28NefWV=PdZS3p!BTixejfq#&2rqi;;?O
z2*ZkBq2pJv&<+n9moI3#&xX0zA?UcL;m(hb5PRS{x;Z35W4aX@s|1*?y?{;*DQImL
zj|m%;EhP9=K`z$8Y64yaX^eB3N$S$~dap!d%NR5tw~c%WWjG8yRmY08HS#ADDiM9B
zWnp=$GP6*`!`=v6Fa(N>&vLEi%D(^iQMqt1==-V*`Haj1*=_b1pPf_JQTi*;8>IgD
z4aF!!yGdCXG?UDO5#%5nMWT^yGBhTU=r!-4XfiE@XzvvtmeI(si~r*DeDHH_*%Dz`
zU?1V&f4)ag+bFa&ib7u}+4{q;$QM*gpCF=Be{lqIlxkD6jpXC(Lw~mdw6KUl9g7q+
za4taOak;2HDhwTM!l5^}5R13o#(3XDSe$(imL7-ET+bT|Bb81!#c<;^%Wo5e^FqY#
zyBzJtCt&FGd>C<auW=ZfSSF*9SqL(&{Q^_(<LK>}hT$%Guv@ejZb4VkWN0AjnukDV
zo*b^tvGe*-l16-o%vI$>{igWfz$cI4OiugZ59MA<rIiOATpfr$a3#F+<`N7f;h!6E
z472Fl-Nq!6z=xx&YY}=)j)Co#L+Cg@38R-Brt(=PUsB?df0T&+0<xW|j1F8eIE3Cq
zFL%oOV8x8&1S(}=JUtI_$A3Xz*HjF5E^9iL+(%*fM2D<y#EW#iI#l71bAqHpF4$XE
zxpY@%rpm-oFn&+1qct5DN_&@uLpy-%^=!<Ke+#`PCX%D=BLi{Ng5kxl{|b4B?_$1B
z5stn4E8I4h+tZHYBrU}0kS$qsL;e?c)Niehy@eLWff&7bH%!*-LEnjyXl1$uK?QfQ
zCG#vI_ewkY;@h7>Z*~s4jSUhLeYTPsn7mePP*5H3iqPn9MoaRWMlC8vXR48#Iz&Qy
z?k=>j+eYR_647P}F^xBB8%My}lPVFT^%%Rf0Mh{1Kq$X?Y*_P(bIfI3N?#I%11yO=
zkGbSzFO9j6*2AP3BnQw_<)JiEl!x*BWNb>i3Y+;kXlEBg-(O8yaUF6_zm4l}{{*w8
z+hMR`7uwsUqdl2B5)>a1PTgarN=PCLbQ}|dR(6!n(Nz9@6*H||vZe>TLH@`lj9Re+
z-R#r`lycy{G44;1NqFU`+UIz}!XcBw<EqpG`RHoJPO85GzwsjET>64+WFImevdE@a
zHb-HuQhFLSBUX|s-h}G<!Kk6T1)AaPkousTQxuG5#lqG96xFWB$x)q;(eumJJ1WDU
zzs$eN>M<4;W*Yjfa58J0A@hsr$Vcb#75g2=k@MeULOl5gWHS$}I9cg=Xj-_VrAZVT
z>3bn^*ZW8~`z3tH<eL(D0VYfKqxZ}ltju~7-KQj?yGy$A)?Xw2z$q;B-;HhOKOmDx
zY3*V2LaBM1+H67RiM)UW`$?*gKzURcP}5{0rJFbE@qwn{RC%)!v>?By|EwJJnUa9f
z3zW@#xNH>8^vS=7ev@KQQ`=wcD%-*`5FKnn;JRfOg0tnQZ3Y`xj7E9^<P%1sxkV@p
zmz0fyRx1)s=M^xRzXx5&;kVy>l$`(580{W`Nj|yQbNK@qNbxt+cU~o`HmeA1w5X$P
zM7{X!7kGE4I`i#+N6&Fv(2Pu%nUU9#d`j6YQwWEo{@|$*7~!%5jm^X1u;nC%&dI@w
z*gHr)|2^Ul+{d6P8K`gW52MA!7&=Lg5*BY(tR(*uTyTm<f{rHMh&uQ-x{lk5F81mw
z>Ix?iELZ1a#O$49awWoUlib;~GIX&EfycHhuvk%q39E}SJ@f<&-P6&8zN0s{7z4<3
zn7-u_td<`nA3<(H%8=<{hEh`|b#K~{+lbxwC7iu;%67+Pzf5sX1B*XE6EZ6s+LBhX
zlr`^f<;*DU)hEc_Psc!)9L(9OtVzq+6TTf?uyzr@#S>`SEr#i;Jy@9jfP4{UW+6XQ
z;;S*j2ffB8!pZkC8k!}brd~KKJrBS==54Cfl-5U4(aC&h=y?nBuk@DepnQBJ?s0i5
z-UK?BhQN%>R)>Hiuv(ObN$YkZ>D0HFM;g(7zS0jQ#xIG5R9`t>%IDyu3$t0wBY1{i
zzyA!k_RA&d{|*LDiA8n2t<YP%A4?L;4YX5+c%J(BDTYj@!kk@%ISKdB!!4T%Bc3$M
za`c~;g9)3?VX%7v8jVT7qEtn=n0WO1%gBew6CG-Mis6!-Xl=6<^-Y6eyiyL~mW(N%
z4{}XGBg0S(nXwB)XH?WI&!d-fEUZ=@!SEUBn6~*8HtzfiCiBvvJ0}*$KKYf*r?qhK
zIgddzilFH)H4!gxBwCmR31lv~Z-imBBo|#R!^r<xf%uDR)40l75DT9*Gzvg#hjeI$
zc#C`DO~tO|rr>5aaoDu|25I235d(tWOt<HT-4tE@41T-bf@XjZ+FD8Gd@9CX$uGM5
zUx4GrvuJD@4vkI(CPX|$x9Qta%ODJzp6c4be8_z0&&`AG!aXosa{zU8lpb>atn$&w
zy?3$a*5@!^nMbDa6U3K%fc}p0(4Cfn)B`-?n!(ky9Mt%#QMGVzz61g3_=EI@P~kt&
z{fhk-|1FwY`k{_-5}5*7sI8@RDhWDCVrhELAiFz)>~K#i*qP`wr3gb@x52;oF2WCd
zL^iS)M$Onk&f+FAGb#>uPz&*8G0Zg%qvxbzaoP=-%uv>85_(f|m!{Jk%!+;wT61<_
zVM0|65){6fJ2ZxosAm=~_5yD@HVj+x-@~16flY}A;IQ#Dnj83Ikkd9YgXDY-Np3EB
zW>lGexn2uUUwZ>-$rI=?DV59<e{ruoG|gS%;B^+wNYiTiEK=^4p*{Ie?JR?^DEu52
z#;UDBe~t0$642c?0{!iC(PpF+w(^MDaUN3wcaesfAvVs`3?(zTKOKXYVP$feS*4aI
zH|39Ay$@}8+U}sTnTx7;TQ7^j@Tt+{lcl1b_G;8I@J0iZAgVlfLdUhdCTDv5cV+v(
zpi<#bKVQZkbWf~}^9<*rU*ItPm#C(@k(|*S)HRP08bCnMQPwoiLo>*moVgIxvWlge
zui`pV)rYS@Q?h6KImV!Nzp8eF<xToGVf>mR^l;gRnnOKdx8WfC3aPf5l8R1a)ZrXF
zLRF?`Q~tLY<dTXJ)6=0hr{bLJKciyd^_vim%{gylgmWea+AFKLmxoxMNVzQcN8P=(
z{a9jF=k0I|x`n1=!cpJKA1%zO^60#j1hL{|D^1&lsH?Xc6E~g2h&gc>?{^ZWUL{yl
zbPwIe`NPF`4;;M<#LA2#7Zj4VSpkz(yI?`)qyFrQ<y%5_|DFriuq0v^wB0MtS$`gK
z;s6z>GV`&$eLMy)I7;+Rhn=Ug1)eBx{v%rqD~0fPm?&z`|Eon6!odj<V{63~H|0JN
zCeKqGiBUF4{2MUzI*ATWMQC7^Bo<p1AX`T?0MG{&((;G-FFCQt(3>3M_~SpqmP`x*
zPME?xwRP8#4-y2A+;`!Zt1Q1+37T1lV*qK0!DK?!Hwi~)`y8@+6G&j=FmSp$bB={W
zd<5Ocgb-6CVm&$0>r>_GdzC`$G^HLqr`!w8$8JSOs)=hGs7vecGs#9mVF*I=AI0CG
zOSM6y-I!Pmnz<Ksj6%@RJQ5A4QsMDObCW;ESWmTqgkn-g9P2DTBo@|l+;kM9SEgZp
z=wbAAN`?8VgV3K|1mnef$)`90&G0SIXa%98Q!Yl%-H#z|x#YvifsC@rRAT4hJ2-Rq
zYgjKT#Kg^ItBr69C51ShWKpmgMgOJoLr)a5YLt66T3AP;uUi({Tb1V@ep|NiajyBS
z`u%*(9!6<Hyg2dqIHdgQt3nlK6=jO&JP4bVeo_U%4y^1zlNtIusBY+w8oCjvYmqEE
zuq5Q*co8*yS2BjIc^VpV?`a^Kk`vA=`w5WqE=dn!klnEM+>0d{cM()nacP_9p&7Ip
zO^uV$&LshDC&Z$behk{#??9uedC-)0Qps;K`a6W+*oVJiWy~4O_j!p`+Noqk@hN1|
z3|I|qkK<^{{X4^DepxGXDDDyBa3U|F0+L;?0tye*8?^z$<`toheKK0uBw)n+os{-$
zVr(A_bya*IE-z)}yV}Eiu`KId40p|eW5_iu-g*V2m+V8YNog3f`80Hvokk5UKa6zW
zLFQxuJkvkKB=7U+GbtU7l%{p%)8c~DI?{d%@@@c~)H&^hvRa&Zg9378_LxhNxP>E7
zB3T?-f`|iOU~1S&XxgYv(;QyCDjN~~{2_ysi>&ng>QIH|;H0wrbMF92E2T&75B&(A
z-jEAP{~c(0EI<>p7}PW-GpSd_u|@18^58|aDNxg93GBSj(s6;zs<K&ZDl{EtqPtBv
zmPPKxkg;lf<%w8EW=3Oju6sFTkTdCxWob9z8M_-Lw|*e=ViBcHoik1};MWMfZ8zZZ
zw~yeJbO?TlRX1gG{U$o>6x7uYL=*A{ni>Z~)7nY7`y$8>N){(5Qqtc!5l-P3(9${<
z-CYV{zV<BY8AhXlX$)$aDE&m`(AaPzG$TCG)F2R}=I5i%@bzdtW-B)2-bQ<eI59q}
z8&wLEHy0x$_bRqu{+#@ajc^G*i{9lr;Z!s=SdA^kx6s=uiv(S6eO(?>f5<*DS*1|z
z&Oem&k6pJPEi5*WNg9FMrGvUjw8|IJpP-0}LVx}(mWZMkN^iYFRIWKhqB$Wvh+3(k
zxmJ4oJ5HxpJ)dKo2RT?1)8SQg7S*&vP<@~`Y7bt8w&R0gI(sLK7VU-EirpBvFb5j5
zD73eXLTk%F)YPX!?W7K*BLWLE;Tcw^-@zi%3hl=yqQm$?=y)8%0DE%o`Y%V*k#fj-
zd2liD%sZ8sax`ZdyS6e4#FUT|Fk8GGd#;u(aId1Y2$WlMA`6ju<pT_L4#S*)3vlwt
z$EM^fSRZj5gG|=JYIX*qj(v;zhCZT0uPSJUErPkn0Xe^+X8<$<W6)=EkQk!*#ebv?
zF48KRLqTRw8U~VYVC}J={D>oHF(!?CwJdaVNx_5-chSR<S7w}t`ue_TNCN*nhE9*g
zou7b79y`$6M%~)E44Uo>VY9geE<VR_<?heO-FF466V6d(Q-rb0b1;0)KGZgkLu1o8
zRJS7G(pruB#-Zp*nygl7ewk+KP<bids?jxMLJ|f}%EF4mk444E;4SRbN?=9Qd33WP
z6K}{`w6K>x9ly((iA6#V<yZ97|ABN=VOFV-!`GNccn05-AHTy-AIgP;D??EJMR-PB
zLU$5|MJd-wot{98aY>jFcNtCrhhR!(!96Oh+Pc1|HzpanMEpVSIndvD2{lJ54j<E1
zVNTxaxUX9tF~wH2q(d`03>s~+VO<hYd{wTyDuPN$P(Trs{^mdQTb31iPfNs{g!8ao
zu@B93<s50Q@kC*=<0mrAfn|XVm_knLC|^|9^M(O2^*E26m>#qbcPN}&=s_$^e;4)i
zg3-z<1|~~i)G7IAtd6;Xj&^?NH@lE(^6ltg5e3hb<1loOMHdUn9KzOCY<A6%^=L6R
z61p=p5w!bV)EME5=3@e3Pt0pDD+6=<&f(MF<sN@y=O|;nlx#3;H}8Y_!YJfk`x^Zx
zm$i1uslg<C<Kv*Wst8kj<T$R+s9qZ8v=ujrv_o98(A_x=ttKYGZ1rhqj7dNYqA-Ab
z7elJ#63?h+tej#i8a4S4A7}pns5yKQ`b^n|_O@Z@YNw3)<$%JBWZ_&%zEm8{)?Gp~
zBc-wvlA}bXoH)g@;^LgXI=r-SFqDP@x_FGQUqU!`-Te$Yt~)Stb{f_fT|{e>Xv~X0
ziiLp(5x(ysnFCwISe^!BQ_<Wm6P?|5qQ~@PxFuc|PNG0L8r0F+iU!7{DMoo=-S)T8
z+#&@{Ow-ZSBm_;BwQA)sH-3Q&NvUN71XT%4ZCO`odT&JAafzs797T*LNAYqfSrN!E
zQaB_UjE*E`*oQU_i5NIL6H8LBV|m5{)FWS|yK6Dkq#Mw6QWU}uehK}_RX14F?6C~j
zDVfv!4!~l;PRt<<w4wMeY1TN@G?dGailz`H>8&k;V6<{Ka<BeC8aWjSMIYh7&2K0j
zcd(NDiJ}|dW5>mZ=sYfzw31x-n#~a5&k!bh?-L75>rPLESB^4doC;O4GYS8=cpQE3
z4UFbRV~~|EW^X9OSo)ru|2}keOhG&A1Xygmi~*C$tQzeHs|}aY+9Cvjdmln)YPrgc
z{;<a(hpsSW2D;58hkQaB`b^Eh5Id!{j)(Fq#Z=cc6s;#`qtnDp40e{oRhaX5QHD}K
zly3-ODr+ctRj9(}U{FHX!J;3cHlXv@pMHuvm&z}1`C=To`97xjm%wdvA!hTI1nWvL
zbXqo?HlIS*aS3Q>>I=Ko2hq?Zl4_0B=r(C5s_Xcmx=92~7pVjJ%1Epkwi!LA<sthm
zz?xV28|H-?gFVr2W+Hqt?kk~Q9-98^(QHgSsrZ%T1E|9>${^%|^UMcflxv1qht_-h
zCzu^V&g>9Riem{n*pYDY(*NWD*B|YRHR&f1zP)@q|BJy>K;sUd#GBvzjA?7gwB$a5
zZp%p<ZpJ_tRk)aQWaTt;4mscbR-ifwp~Z%M=;0g+w}>NDS*#~P_d-LxSTxZNg5m1(
z^jkXooOHE{=&rv3OEw=x{_%%!SX6NxtKNp;*nj1=SYh$~pB`ax@(uKunJ&gUX^3%0
zEg%!H+X__cy$sGi*U2O;K?kc4Y{<TZ2_8!8p`aD(JJv>I7N{DSV7w>~8+SZJ%K2|F
zXG_ISWZv3r;)c^0OqI`~;1~FGYI)Fwx&r5`#D66m>hbImG3+DR&QclT3NONb9hn`!
z0%MjPgG1y6G&f4b*bN8KSoZ}sZ<j^TnYSOh3-i(3Or88B#{n~{>8^wE#zSae<cHSe
zWIm79mYdLAYcW<uU4Xu8EYdD~D;8$co{^3X`R}8vbtDE(Nkn^VUlN9jV~aHH7f?;P
zmkMVKyyBD|a?Z0-xFg*{!AoJ=dliuLU-{-Y{{+;0%QQ&Sq%!oejz{d72XF}5jdmuo
zW|j^tf#Y}%6Sfp!^vnWiFUuuOJs-U$Ct<4J324vG!Q%KESR8&26V{iY-e6xC&Mh0>
zqC(Thi%j8M%nd(*m5E9}6%&g-$Qti4zNdq=h(rhDRWNW*f|ciP44$!@gxVjPUY=+-
zj?84;<ycz$ADFDp!y?kiM$5Ou)vpA-?L#nhd<bTFstZ|jMwk|AtgjCLm086#=@WI!
zSg}XK3n*R==Cczp$UYh-E3=_JYbQB$yHSlC#k^bJqM3oRcC6S+O`0&>N!9jq+(qVA
z3KqnwYQO9=ntqEhXigqF*=3-Oo@`B#wW16#bgHavH3QaA?fnKij^%|3GBC;i3VJ&y
z!O`~$2F}QbiN|qtn<y7#kZ(#hH1^zsNt;i=uizY}Z;;FB%SST*ZEb^5+sGHKCS;<q
zxzd`$iQ}1Rf*z7K9H)%2GH}LZ>Un*T-&Es=Yg%rO<?`o9gbBgpqyCW1zVuVFhT`;!
zC5EKW;1W=bg_(EI)W#3G?&XH;i+GeDqN7oUkJx?-1}@~(PfJJdsRb}ya2!J%;?d11
z1I;F+pe6Z-b&NvE*C65PA)8*sH<bqHJ`=W~k)b!TuKtMRGi6)aDIbz2K|1;Iyps=b
z{|9os6H3r|d@7ltfw0+Bf`u`cvFFM+R5nGZH!29@)}Djz++s2_kKyd6z>=WTh%Z!o
z^cBL$guGI`v~X}9)g_u9-nxMgZd5(|ASOp{VA)#N2gXZ_Df8*5VH$@zR^d<=cIGJ6
z=`b4I&1h<whThY6ps%YknTj7NgwPE2f)<%ux{D8>AK9(~6oF(hV6a;{?tSyCm^U7B
z@Et5pxrPZo$5C^HCk9T-LYIkg7$0~PgGoE7J_f(9co$fmb_)^vAE2Xk6xC)*4|usk
z80eOZ5li-=?L;zx2AA`RI0EUYD1yv4xwWa>%P&A_P<lzudtnojb3@FlRzCDx^*e-f
zPWL#36hksw#Ntu(gD`gfVXF1FVMX2>h&e3Rw&J+Bokx62tf56`!LUG6opp%Ly9i!=
zY|xApjF__rMr(JX9nrq;?4v}-7;?J(#e&nJN0bdx`F(}r!{%k8<=7bLlE0+sAk9*l
ze-<A4CSTK`4()XEJtUU<=|j$a6Qf8(@BI{O({EvM+)Z>h3`8??U(5_ROWG_2y(Xq$
zO5A0%v-gF6@dM2FQ5T(~%yPs^9$qCX7Y>n8KCydBB$heH!y8xe(G7K<?!QL<ncLX=
z#)n8g`8`Gu0Ub7NM}rZ;sACb0E@LX1MJ*f?&}d9DG-fH}gQ!EoRnFs4x>*?KbCI0G
za7+rQxcWsa8;aK<hHUR}5{gS`p}z^<JKur%@`Grg6G%3C5_(U`L(S3T)b~`{=|y2n
zXu8cshjH7`e;zs41J#|E=upCRGLJzg5^QJRvsB9}Hg+ki$}5FWRqlNbWj8p=(mr7h
z`%;BXZ_z6vIl=*?AM~D*Jd9ns3qxFDFw{K*9ZZzrA5>;fNb{7<d@O^e=W4iYIf)@t
ze4rWW1xJq(Oxs+HDc*<BmYBHfqzrVOkVIO;6T>D&C~q;NOJ?ssGY_?ls64g(F)LCo
zfFJ~c(^etx^u4z8P|r99_4L+|pK=#dHx`g^Z6#W-Lmv``RVf#6>8_k7QuM}WXrb+m
zY2IgW<nG5PJg)eZ<;vq#qiW3|5<(?FiQ?`CR>*=hFUb7!uw9&t9%BR1*oJplRf$^$
zP17l;X%GyJVG!A`tD!MSCbKIJ^)0AC)OC#*&*UISO)m<g6@`9IN$}nKCDr~L$$8y?
z#)hlWKsSucr2}X~_Upow`!JnTag+IBGg7fU>l4({@j`2hvei0N#?*{hhW5^>Xfq}a
ztt_R9#*dW8^nEXMcS^>b=zH{Cb&fML9Z`f%vds7|Z_h<<kqKJbS3>k+CsO>TYmp;C
zLylce2+(M(L?b~hU0>8OBzt_s2J{&lia9ZtpzWrv>&0*IA08b`XO5l^!mNlAG9h<k
z*|s;S_EpyLD!1Q=rpq+cvmmWKY|{(JVpR=JuzCO%i*qn=ZVKiRy*o@)%uN26B8LsM
zJ<)d(Rdn1~(eDMD_4IVd(%9p8=SyCZ1^DX6pK$Trrx@YBjeMYuSQK&#lYDk#+SVIn
zbtwF!d|u7dt3;*3Arc_|P|`V3bp1#S*HG9+(IkHbkC<Z!&bfv?Z-eZAIjWLhQR}eQ
zc8O?UnMeW>i-u%Q)v-!PHG>E=vWyXPnM)yTc}i@brRXv#8$G6HLu2YM!p@Aj3!8N%
zq^?7tvuFpIWx<%Abe|kNWjRfeekojCY$HgWM_^X`ZH(I}eF{<2E0oq>Q;5cv>2L|V
zfezN{ko2;W(CBSOb<!Ty^&?QvMw(S+CX1XODT1nGA^$<d&)_U@jml;a*Df4J1m*`a
ze-WoXBl|uFO-;6m)zK#fpMitt5wR{+V?9;V%30v@TM8u=`smEgM0dv|bRj>lm7da%
z@jHc7%BeB=d1H7*ckN&-*s8QPDt!!`&Ob;<h5IZb=R0afUW|x+KcU6gFtoFcM_uww
zB<LOGdloDAU=@}B@{G4IJ+y3#Y$fAZlX)72Z@dNDl^NKSc^$4>4xyV(7<xFSV8GNO
z1nzhT26Gdk@1Biu%aqDa5R{vz*>tNseSa5~3Wxe>W&lxuzmr(-V$y`ON#*vN_zNT)
z{1~A-Zcw4DhF767-$In9B+kH@2T(_!)bi*pXlNFVW@ERZu4y7#+r+`QSgt_G!KM2M
z44<2iL9W|SkF-r^mwdD%r_Rdb1axN=!YlV9j9R=8JzUdax9K$IMJi3H;#2Z_dJFPU
zedIcfSh$l+FUj08kCM5X+eM-d&uMqcLQSo5J?`=`8W;z`e8UYi(F=p&TsirNA2ENa
z({I(^D(zSfr1>O6i2L+M4vFDArFYT7U_FLT%fOPf_u%Az5bKLC!gTpA)HLx&8%uS6
z4!Qmd%Y(?3_`w%s=C~%HnMD9B*B`)!0(CPTrk+|kBx9iSHZ&iT1dn*dXB3fe8hHOd
zxignMlt?Q94^0<S3beven<^>^ic2i#3bZ%&g7unwtjfHD(eCATrc#7wq%)b(T3g7}
z%|UC2G_;;Te$SGf=;9a*ul)Bg(7hN#9YS&IJ-H|yr;+EjNE4B@ZPjV~J9sIxiZz9(
zA;mBTF6bw?@Dj^`E(zWZ_psyW?Lw-&m5sbfQE+)Ost?^rHC-ZfdHpBP^F-|RL})Uz
zMv=MH&{7FihDH{lXyup(t=aovwP-In=)AASQfT_FM%<~l$UF-}{~393+;AEOGnBDc
zqVOg9yT)No(mNO*a0Z?2WcvBB>M%Ai-wN}MmxvMLF=|1@X{)@ycss{*EXaHh_0-K`
z{sdn1SguXW`b4Fc%&{usWhm?Am7&J3+l5{ee2Foxqx%?2139ji^NL8QvoX<AS#(a-
zI>P6mcm<=$_j@`eqN{T@?ENl_1*)G%ON$5;-1v?1u^d}>-B9lS@6fbxqqxXnpIk&`
zARAa@N~Ca@&EJNUb5AkYDFyvWn@Lc*l`<Jj{!zzq;bI_U6Y~f(Fyj8A4X8)L*3u*q
zeP-oh;!@e)_0ETKt7jGoQCcb!y+Twj9GnR{SU5zcsT>}OWo~}MH*YF6(|-kSuH?d$
z)Y+JK30m{^p#AuCw6v-?e_#oZ-t0CXHS_}Lybevx6EP|L947jcX)vtf*d<N>`4~JU
z4L$6VurNk38~AgoP2YL8Sg^UXa~j1bCl?7mQz+fRAr_-%pM<mDDN^fM7{B%i95-cQ
z?7BT@F**be5$~eDejpWG8U{_<2~F=+s6Ko-M$e9c<3_oBrfguPnwlLnv5LE5b`h*S
z_hG=~6!dmZM@MUwS(w4)RqUyIm=k#cL!7o@0M(e!gDWVGU5c49+D!<F6z*<R^R{)!
zM9tAY=rTSL*7NqFvtAT7CS8N0=N`DlT!rE6T<9&$#nPbb=xOMUt3;ZCZvLXOsH^3J
z4rX3h8FL(G-;=AC{58~El>;{`Go#4j#r)7c=si9Z6E~c}=;`Y2xb#qYUKN<byfV(B
z==vAre<(XsDP{G4AR8|)9Gn<lEnSZ9{{x?1FI%zhFG2Q&WIR^b3^`Om)+>OU&k?k+
z3_<T%yP?rhc59^%s<a#8x(ju5!?E)kuV9{xtK{cuMs7kwW70%@r9&)hX^E~b+u*qQ
zJghwqV@Ygzvr2xki``b}FD*em<3O?c2ScV#7PO|%0@4UxFkP4rr@+gY9eR#z^9Ler
zy(aO>gAwR9F%32WN6~mp5cC%pU_-XtD{qL4+UdseQLIcRuGP8ULgAyfR>7q8@?ht4
zo=h`!)Uaf1hV`l<=+Do?)W8dv9ihw@;RK4l4~|9-=NG<)GG{~PPkx}To)6lRW@|S-
z9OJee#nP+`=u6tiV#Q%JH4H|LQ5#^oq!9B{j$&2n70eAfMvi_qbV)l6nVE+n(+d!C
z_<i^kUP2RvzLkPMEA}5#rma#sIm@b!>@_Y3+usD%<z0kFy1MHYL1;T=_=jR*iMUD+
zd9UFh4|Fgl%ffvJw5bA;;MOcQ0R@4@omYjI@HwPWC9V~&{^OVL@K%XB$GUQGoz1U_
zx?4DoL^`GOtJcu9=sY164XvY4$5x&E!{3!(?ma6Bwao*e<(`A~<I<ovH4~#396~>~
zn@J5bWZGnWnm#M3#?Qw%uY+*)k((<@=8+h??l4A@ztMYoK6*IGfq|SNHK%>XMNnb>
z0XM(1sHx+Pk#h>raAYu=nr=nkiQCX|Vlw7NUPcR3Zyb3K7%{&Hu0dyEvLFZQY9RbM
z@kwSBKFbdX^qi4}zV2Djn0cexXmv$K4keo}O_%M2;qqdbd+b5SF;cULIQUQLL3tH(
zHuwiK2p@8ER2RooG%`s-2fIX!m_a_7T>{!zhma5Fk40(6k#p-e^q-Oo*T9o#J0=@;
z^qouJk}v0yiM~#0m>qWs69UgueiPB$wCb6Tyg?kFxeSCBV<8sTlIVRLBH`$J1XgRP
z^6Mi<Byb4%m-~U#s<P~^fKq1G8xLWu*G?>pyMZ}jazP7O(iBn^s#l0gg@Xrt$*dDN
zEsDMS_{Z<?+10B1Ib?2$XkrIaS)ZuAybR6Y73k)aNhZ=3vR^B%b*ncm5v|Mu$$^YO
zyNQV~Ua=i!t9C<Y@j=woR(jaWf!AGXX&!<x9{FfxP;tINm+=YUg$L@JgrS|ix(-tr
z<^&aENz_4PT=<X*a}}CcdL!e~Z}8pwfXtzMR5K#;PTL1{jQr4CYm->twk8jO=(G&&
zC#W^sU!%|DY?v=Qg!Z;ENG?&Qg))Q5BJb@Of(D}lq3N;^j^2N<x(m^c$tt_qR7mYp
zXS6ql%svR?Rr|>aexEc!5oSf4hvBk=SQvK<lh>Um?U{w)GZIlvZxgP4{61V(7NADI
z73ei35w%Uo-y1@C9JZ1Cv#NySMc@?utOyNh`^m{9gu$piYy&!yh44H$w89DsulyOj
zJ)52HNi-PciwPd;Lf<lAS>9hAUP^Na@DHxE=;HB{pYYpfAItkyf?gC-E@P8_UkpvJ
zIcUtQqMOD;(^^>_qa13CSVhihq1aiLI|Ma)p~Rei&<t3H0h1~Y5#M*~8#EfV5JM?!
zZJh{I*NQ^VNjY!}Ig1&ghcRSMF6x<uqOtipn9ove;xgzi-a)o_6y|KbiiVa|GmECy
zJj%l=Xtb80nQ;(0Ob$l-F<VjH+y@OzHe=xA95fygiOyucXgZf$`1vo0!gE6USjVCn
zX&R#iip@>MAw-F|iW#dsRW)7QFmP4@nX1wBP6Q^0pT~p^N8y)w8@n#wL4Ct$v^0)J
z>cvkmKd|bhg*0uQ(U{D!o>Q~YjI?EA`v~&umcf4QPWYvt!GTM+5u0`be%s!l@=`0e
zpDBro1V0D!g}bTp3c$w9FDd*)d9$1b=<k+DzTj%n@S*88OYD2HCG9kd&p*JFEsAhR
zCM0m<N2zGN5>)PU2>e+%7(e{*Iqsc2Du4VPaGauqWhOO!x1gSNCaPJIaOkO>bn3(z
zBJT1W+@wl!@Z5dqF^imPlTg&s3Pl~$Xd<TC<IRl+lHilPkD#q>5IQ@h2)|*p=V^2x
zXT0;oSggo?h)(uV=-`+kCSo-jptL@*xgyLzO3&c6=sl?b)dp`ym&tN|1V52RCR@Ff
zGOi?*J@*XBl<DT2ifNGtu_@&(%nLY&xn5^sxTJ`DfWsItEgsQFA7Fw{4noqDrHHuQ
zm-`eH8c4|NISEIReCA6Ga3^8vuCC6)tzi_NgYY}@zkrR`adae&=ooe#ov9M&OxlbW
za+u+L65g2)C>_P<KQ$F=_uoVt1J%d-YwW-E3#O4@GSD?0I-~{KPardrnA9WoEJAla
zKuFOU@D#C*hJL7__53<tL?cy@6&BJAScf{6QK+Fu8cJPAS`btQsBg6qwJcK5-XR8s
zZ+-!fjJL2X=nxY2K7`R+W#Mv3`m)cwLcF|iFsMxU*Arfr=lgHuy}to<-CZ@Knh{&j
z%05<f)D3WuW2eN|mFJzugrlyOCp4oXp&3oJn0^FwNKiUBL?LvaqRHq5m2R3Y%Te1f
zlFX<`44AtMEgh23Vq7Zv&N@Ja6NtvfIcTUCfugs5$A`pdJPJv^EC0@jy^P`RsidXi
zFiIINB4mLtL=gJJGb5Evu_KP$6GQ4pFFOIFg$1x*z7L1){|;xem*>Y_#)S2!aPaD9
zBJ5|Msq|BYQO2RBoxywY8P3f{=8Z@2q#9I!f(rwc{0`xiiUcvY07hg^4PSK_Iv!+t
z&Ob;s`~hs;e+%pK-$3i}VQ8rrhJI6aLT~NCa@(T)HP*&mg#MahG`Eh%(%74*r5z4V
zebKQG;I!rt7R2AhhSU?#o0|@;Mdf@vp$*v7lk+fD?a)Gd9o83pjS-|lYmF*f*Ge(m
zp=m!4qvsaGYsXzo3w;mmjeL-C@*!ph?V-wHsR$!05;{wAy;8iSa41D4%0lEG*LSN;
zYyTWH1AQ@U?h%YwbO_akRh;J8*?2ST$w6ywn?N;W0^G^m=}69U^&#s}yT2qJ>ls$;
z3{9h{nBaE}=AL`WhE7BydS5Il+G9DL{ZLca4~=X|&<4}J=5FF0S(D4lRwEW5e((E8
z*#8ikj&e^xE*Ir-1q^ozMSGiQbhL}WqJ%pb=t3H+m8%$is_C){qnwlA5l9Z|l00;^
ztvI&qd1%_rBr}G5n;ss}bWoNW;`9l|tH>SPJgw=wmJYdo)Yjb(;kfn`22I_K=9Cs|
z&!gz=l7>NU$uM1^tlC})Rs<fx$T`_qlJgDuDG3-jJ_rY|e}aWRDd=GvEw)Q&ICMGk
zZ-0rwGnBQ0Iax#`*+|0P2aB>y>kQu#w6^d;b6sByp01d|LT;qyHCT8UUF=iP%P|^_
zhWe7W*a`047(TZMwG32#P*&DgKlBRmQo^B1Hm64pK75Mn#bx_f|F4)Ea2Wk3hGOK@
z3=Er)ii;Gr*6d^qnwf)P^LG)`u0{=QF9a0dM_==oXj<e}9JMTDdHk24mt^+-0$ku_
z5x24QLe|Y6VX-6)t&K@LP0J;dEe+ZW_hQ7fiarXn^o9GMij~x>o5YH-VYRh3qqSKu
zoc&G<UqLh68*Rq2P*vPVTs6H^{bn?48#>r*rFViz_$r3ini`5`mYEnfGas$TMj-Ck
z*YHSv07uV4)X{yxf)>xAm;DA9FFS%pmMLgOChYUj^!3Eyw|~USq|4BBQdSe8Ofrjz
zMrS$;b}4OHdmiGUyd-FPxx+Q!nCRWlz4{*X7H=ov%%lAIV^Oxc4?JslZYtuk;P+o0
zUdkaaO+H;bp#l<fjz5<@mVXChXQyIW+-<5c(qZqh7w(~lpfx2KeWqoI-tM+`xoBXN
zi12;yVokErsV9tB24Bb@oIc4e%zn~XlWFD}iP9>XKPfkSi2eb7kDu|7j_>d*y&;N@
z!^ypa>Hl{!QjUm!Gcklp=XYg6o37f8(TfW)IrucXkIy2T{tO0A&B2n?8_=Jv^sp=M
zGkT8m$3QpoAGCb2wD3dpno)$&%MWAP);qA-d>Xa&eNfjl0*%Kcqn?Rus%9qph4S==
zNHdwU>IOUny%|}eW3L6TT;5OhNw|>YWk-j2R5J@l__15ql6oEUwj4uu<8|aOd`-fn
zgs%j{W+q_ttbJ%|5r_WM)X7G2jvr&tq%<rHIf{i_Poo?8ZvspraS}w7X;mszmGXQR
zNt9$Pjc@DGJ6IBW7>h#BL5H+keSJ2cV=!X=DKbgr%t3ySi&5!$6Zc*fDisb{1~M6H
zW>n2_cegr?^?%3OZHM3<vKNs%Z^C*`9C8kw#kq%npp$7Z)fy+!&^{R&?Jz_gJ`bxE
zWurdDGQ!NHf;OB=Cb{g1R*y2`(ZMGUCJKrU0jUr9D1FXBORxETZinX{8a`N<=z(ZT
z6x2Y2(f;T%Asx+aLeO<m9{SD5M$gH4=r}PEwe`vkc~_V~Ga?lAtYR>k9Oj`;iD+e$
zfYxN5bRHjt+M~TNl+1^A6rYBC1C6r$CU={vBY9<xIB_yU?mrklCktcOTtF)e$(-d|
ziZnylLu>vX40p@I#<cs;a!tY~be~s4A2M5=x%b!5=!DV{gTeEUqR$L<xDBt~B0n%>
zMkZFrzlUj2CsDd@y5d}OI_0n&W_><$nGp?nq7{#_5aX|SB!LJlU^Z_%^rjYK?7U1|
zCg+BiU()D=L5oZ_=Xr8CjL5n8!*qDHcnQrRC0=Bi{;=lYdv70niABw-z?_f*Bp-Ym
zehCNg{*RAw^FKeqd~p&cg<l{WGm6x#Hwi}wY78eQyr*I|5OXrAnY2}bQ_6Xe=~qgi
zJVd6{0^~y#0Dez;SNtxY`Hl$AKjaNGH{zl8{%CIHi@EW~VZS8@3nNZre&i`k-K6x;
z3u%*eqo(B|(i-IV^j(75+EEzhUW9>@Nl1*nu%+ldSb6M64RTc5vnCjzu2N11e@|&a
zlaP7oY_T3AXJ(+zsEuf(EXYtEX2ejdA}(R@tT?g7T5ZFP7%(MO_**73)!{48p&XgI
zPfA8#68PSBv1o6o?zUS7P0MK*F*6SJsUqk*LlrhoET>g)@PCEAB(x<Dq(w5?l`6(j
zo6urPA%geZ!;g}LRPI#r%FM@Cjmmuv#X03{ik1<w9oc*=W1AN+TseIH^)J|4atD4X
zx6r}N54vPNEe$_{gLi&I6YYxYOqotk!ko~PFd-(XrBiXCWPx&@)C^yN8bg<1l2<;Q
zHWXvz3}&jih&uL@u(t)sj8fO+wpqm+V{U|BP6?I<tD27^eEulIpMRA{#V7T~hQNHo
z31TW@z~1HNqr4#Amx4$(*VDvo^k0}(LP+F7d(VRxXJ~4)32}Qrgh!&X7HuVHHhL)x
zmLDbOodmYAtGvmz4i_(>=fpS+aSakJR0A9$NpOA8$SMH3b2Bk|LfME06=f-sg4{%B
zGbXIbgS7|w4gF`Ko5fbFFT8--MjJ>o2BYQJXw=bJkKVQcXlu3+xu?Iw+U;+k+VIt=
zV@$#^CI(#`lCfpSZD`vm{6J*<qqJxJ)uIyNU~!NG4ml}8fAHF`3gI4}t(y2dFFio!
zt~)sS&WD)cdjRRDK7hsIT=a6wK!*t`^U|Tjxi;x6_CNR?HtP<e`mm}UaO2e{$e9gA
z(T%6@N`DUnc|J6$;DM7<;I>7X15V{6hOQ87mZhQOD`0)fIW!z8m#+C+VB#>dD(UYt
zeH$7Y2BC>nCYb{-8ns&<oN;cBRgDz>O9#(KXKf?@QwUy0ny%;@qFI!`MTao2=+hiV
zjiJN%Xqb5&LOt#E=rB$$mBSj7%Tchac$XuVj5Wx$2#t)xp|x-y`b|=&AaF<-U(F#N
zaEiE&W_GE>&}kSouLRcX_mgvcADt#Xw?GD^S$u<`G%aiTt%bSAF8F2073nu8Ud5oP
z8L-`W5^gK@z$5)8M$RU)aM3Y@9{CgxiND%gg^=b<MosfnG_puSAE$gw-=gl)Me%Z@
zOSu-sSBXl5gG)dbyx;-;`<RF<^No{5RqrM{W^p3?i*Df5!ylpT5`!8#8_|AZF3eZ$
zg8PPwOYd|t2tqUMby${m6<x+xEgZr`q1vgPbqEoC8#eF%7`>+#p|2Y`@&;-<`j4fA
z>~FahIt$W~dGc*U?R+3_{tZaSP-P`b&%ib4Ikgz|Y`2M_ELDODE1G8Is*Gwx?9B3}
zGklgNBtKJj>EPgea9BF4myD^wClR>&Q>;rqgF%kUkbPoWPN(d+6dx3~8JZ!B5qR`-
ztjM?whxM{N<g61ZJUWXrFnsxGXmn%H+%64$rjX{fP9i@mgZvqFRJ0nes-Nk%vVcQ7
z+pTc*K1XpMM>od^Obxhz1+nMQ+F~7!fA9o`i*`V3dK~V3_Y9fmJ`rQ%>X}8N|IGcU
zZ5)NV`k}BTURjxZ5spjC))WvtD9lwpUL7jc9KyMhIVR8rC5Q`4)De&6V7aQ`;JF?3
zMh0TjjxSKh)Cb*(d2H4l!yx;zRn=8E`y9u@<og&guUNF|RE6sLeyFbJi(#|#QG@s9
z?!OAvsm88BM@utVb8@YzLT_pk;`V<DyY;)!+TbOchATzIg5fRM+K<acL-TM{8(no%
zX$5epm+~&rn`zIVVeWp!l&>5$$P{gAn}DvQL5i*^%bPNNnb#FZxjY){coDOQ!X@Ae
zs`poCHZs`vqWp~9LU{>=)%v68>KIGqc9gVDDvTB%LYJ{s&*vFHX71Ybb8uRp0XxqU
z%vg6E*FOIPdUL{{H$MYIXJnw?tVB2kkf!Z21<g!Tpug$_>KVmAV-yPKO*_E@=VSN3
zMP{GeN1jO`hgnv=fW_ZMrNW^obU|BTU@6;?G2VNLot^qj4k3pv8v&F#OZP(TyY@Mv
zN*-e9+yu<_Qylto`Kxd2jatTmRBObMGp?-e@i(BU<4(2WB{(eJ3BPUE(91j-%}AJ>
zeT!kbq1=X=|0DWM*oywsqR?k*JnD}2Mnn4|v>BU$?&cB5J@K{@>aStE{+L*NO*6;`
znvQa8(yxNjL=?f(ax$oD7S<o=j)1HZgcQDk=ET^GVs@kB*v;tTlz?_-A!uux0-M!`
zFpSK*0m>E%LK7%7o*sRce6kf{<iLW2OJXdr;fj28os@<i6V*BD^kFV^LbYLA(QIr2
zY8!0EsJS~aJ@^8AcD@Nm@15v1X**ibvkB`C3tvRje;qno`e9w(=cGYBNgxixGv)%e
zU%rEqw|>U8TU9sxH{f|YMmf;vMUzFKw0`{w+}cHn6ZzrUjY>ja5h@i9(aT8*k+hYX
z<B>1}fXmye9)1wA;{kfv$6;0GJD9wt00%GJM_AT77_)(xLSLy_xiEx2qQnddK#OsO
zqWP|~V?~GWh2Ym;bP(EG`NGDt5Wz{uL_HH*d=Z<rpU1iP$k{Aih5dhrMk@l1Z8On%
zN-;FrLFh0k3*)`^<HDO&O%#&QbeWFY7BOgHm5TagPB7#ICdvSlL@+ATT|C12w9D`-
zyoo*zVaU4mBlK4sgYDYm7&SW+)@u%-`Q$9rFd-*)N+CMi%4w;>+fX*buT5rc4U;e|
z2)##T^C9}!M3VpnqtC1p=<1~O%apU{dDBge{uWqoJO;PmdoW*Fg3(KgpuKb_s_6xx
zu2}-=Yx|&@ZV0+e-v`rW2hhSY6g3S)V7_!0oL3*je7}QO7_kqTXC8`du!$&)HvR_P
zU;|A2CUkPnLNjX~TSaD@mLeQtF*|j(JP)~fB3b7D0F|3n?6`5-ghnP!Le7v>xPRcM
z2UTxD(8nec&VD7ZSx!Di@I|y66OYl;^WdLxk$ezExRiomw6={wpP9Mn>6}=)h*;$i
ztRx60EfDTIW=ma0dhz4$#dsY?ct+VeTjR(9ow}vs(mww!T8#-sW0QEa9hZzztB;|D
zV<Os3Nre8|?Px!yDu<kyRXdP;qfi(x-H(owr9;elkp>V81sw_#F&x(%f!&4!m>GK$
z4NN1@Yvw+5w%>-qv+`lIWFK0LkHQG|0*qd?9nLG&;UV<0GVfp0Wi@&(ET)?O1e#m;
zvSXW$v*$Q+jEC-&dM1W}1!yNj@)>{}TdZag_=<SKF@dw=)R;lIhB9rS<0A%Qmo2GM
zFVb;h{&<{Uy+TH$JX!FFdrFMIqX{&=0{@ITxDnry-a)r-snIgu(w)jpUN|mwnd!0^
zT<q86#l9MFIDVHENqGhbRb={~bkBsz>5`uq8KY`p;?9zY=#+_Av~hYq81uu2XB3N?
zQY^mLa*=bGWR;5?=uM`?7PQIfio7@ukH~P<(=$is7UK8pR2=ccghz4MOQa)y!~ily
z;rA-6NSgy``Lma{Q?7`p-t$}X75B1K{7U?Y9*R@u{I~>E8csmenPfHw{({Vo^WgIG
ziVZF;rzJn%Q9zMCr>7!)0XRe^aZ-JW;N&Ab=z$rR?^)o8VSN75!O!F<53WOroea)(
zE?G^*BO{rKR-i+nROv<dj6Pi=E*|*8WnqSr<o!l62E7wuMWV9Y63G1K7mS+d@nj-`
zZaAZ_z~5sIkuxI$oZKwGtnw6)%=9UoY90A2i^21sq#?xEQIRN)s3elYqIgW~V#|2$
z<cP4}leDCFYy&Wjaw<Gui?5t6FQiH*qUQ!?Ke1d^TdBqYxK=1RPVs}VGuT5_IS1h|
z98rif4QD1cRTd^Rde6R`2FKJg=SIyK#3Vn)LZnakBAf_BPV7Wa4MAzMJmu)(M@UL`
z1e}Z-5*6=d26UmHj0l<c?<ogSYR;1V_^NW{JS4%02YSb4CC7<#dQ`VuyCNwrr4Rt(
z?(3i-C?a#2_+R{pJekO3IuwBZ`Cir#_a5BBS}ug0z?pYb<Tv!dX%fSWZJqcX(*_6O
za;d^dMTk<&z=1)<71B(#2+<jfi?``qQi{c%L_{CbUkK)SL+@pOEfW!{Yesrsh8&qg
zeorLe%%}v6!u23t2Ts{grtB^A5ZGiqag~T_5sjmy6+3<uLDUU<^Jh+;iAhp~tA{0l
z3_`!+Mh27eQuGNKf83?AFH7M}UloDTQJ_@{`)9nDiHaM(6~HgaY0nw{T6lIUOok(1
z7LbHMPP9yxG*!H;QI!|nYZ$A#(*k5T4yCCP<RO?xUb)OnLmWaSrd@=~d?D+IB{aw3
zx11uM<}LG8PDJ_`IJR{Bl5yZWu4@@wl#&A|4^CeSLP}52i+nBfQ1v4MYtc9y-KZ!G
z0!Q}aXDtC4Sb*Rg271;giyt%^_$a=5oAs9=^Dbw|kvW7iqGco+<PGlb<%xYP$p||}
zIIC0e$)kwQ)uKU0lH@p5S+J~C#~>HA$|g}i9Eod(+f_?2s~_JB;J`9<4#?kCg;vZW
zN{A^|dU(WJRwzrI7v!WyPT@$Zi|`^r%`u+ZA7f2vt86}K>9SJ=kQe^Vn#Lzi#TV{#
zz|mEDS`dEZqD$=fj?+<&?zt{An27@`ltg^K;h^-up}z_oNy}IR%}@AKKAMyi^(sY}
zB+^ge6CZli`UcH$YiQz6gytW{nFWHFE0V<t!Aqcp5fL&jS#JJw__|u9;Ub>jV(V(2
zJg6E)xQrk&3g584FXrX5XJ%-ARH+Iw<e+SJ^7#rGqvQNiB_@>}m5++duh<C*!mqU;
z1X`NHL#S08iLcz<GC4_BlztSN0&`S3uEh`R&*7+R7e*mJOQ$++@yBe%$_&R68LH&O
zRd`BoE!i(REqT7@u;lonc?*A4{ERqSIKFB(+B?l@{+fQOWx{@ZOBYTwYm`r&0KUnZ
zx8^iIDzrx6GEq)kwF18vJsn-8j|xY?4?OioF*LIjJ0bOz<FIV{XZWeG?6O)a;-bC!
z$csJxJIH}K7$^f(BAMA+JUn#**H7~Y9}OcJfUAVH;7pX*hd?0AKO9c09$Dl}&`PLo
zMI45#akMZQFNF#wM?0jGe|*Pb=uRccCaQ?V&rI|5iZ9}s9X)eA0V*oL*VseE<p6xc
zj^l9g-g1dwk+t-i9EWC4zVeEDX$Uh5$$log%Vaa@xXGpZBb`(jGfO3iTR3_YWn<#x
zT%@$kL{gHET)j^Cs7aWdI$Hz6LJ^y#$rzf`iYFcWu!bPVqNI~Os<d!8K3`?d>}07V
zrEt!IIXD>t%}+fN&^tzpJU9gri(hILo|&kK%LaPJ*r)R6;Cw4?v<KzS%=X{H*O`Mr
z=FRt1nisF|<GC|<_v9D+cKZf?xpfOqez;3@MepByz)zRH!{PP8xR$UBH&30WBuFZ}
zdXAUBKf$Ztf5n?Wc!?v0B?I;S%a^!+^)lW(euUS5%FU!TNpT`E0oUVp;QPHPIJs>b
z#pgvYZ}Ix&GyHt-4&MFA+quZb;qmtm;_wzJ&9(Z?ioNzEi0dO@f6<iU-FvaEKmAiM
zA#^!;QXM`}Io=6_ok)XTq;psb$b$<aGvO#4`SXG=DVHf7N=pdPtc}iD3V#Z(#aC#G
zV;Hn&0enOC!qYOy(B|pZFZpOOPE?`&if=g?l`h8@bV*UQD<4V6nhBRnCP`@u<TwoD
z!8iOO6Bsuxk4T4pv?C(Y#n~+MOgJ&SFq?4Ai!>+?nI;Dzvgfq<nZ5Zn{V)zfb>ilu
zd$w(vIXI4}7jjGq{HQfCSCc3&C-j;G3wgYz`Vef&Y0_1^6OlN+@cFOcE6gGDlNnL2
zq$<7r{TZ(9-;Y~|58~%*-{F@##2j~tIr!*-cUs>;Wb@}Qc=e0i;rjQ7_i*{xAzV3}
zhPxNfaqUvVRMPY}xN-6Xt|X`6@ikuD!g7h@t5$#ZD_;M>r%1h|Hynplo4=mn(Uq&X
zlahwZv72!;DjcsKQU2nPf0m*WXa4!{?geh2K8=f;x8U)~lX!T8r_8^=>)(DxoT~>?
z{MX{vk!0LCa|loG-o&2|c!h*afh`cxlm8tM)9NV}MOAGh;6G|0jzaE_pMJy1#6<jb
z;R0UVq4EjJk&^qZ`1;SK6eXo!!dJY{1RmiMoGI>AvUH=oGC`=41gr*YX>!43(itF_
z>I=Z>%hz-#)Fn!elVO}PDv?7-mrjC=TZ*ZLdq*C`{qRA4{^XNrUlXx&|HPVs0D9&>
zPWxzFJVoM|1k@vPkIOxz><0-{b}YF5TlgEy!A-0(;<E8((E`{{s}`1%R2)&M<b*V2
z$3gffOIT51ERjfdyyiw0fkYS~owy>%$qJE%G)oyCwq<D|iG&@2IHTbe4)55GD~HtL
zBnrjN%o63T5KZZL`rsyRo<D-`uk+qVOvPNejQ4XqymAIVoI6R3aSOlQxry!mfp~cC
zBDD}T&HLZ+<CP;w32?>vh&A|bgBQ;Fd*EQ;YV2F*g;TyhI2Oi7G{2%;pW)r}UvVll
z1V1G0!sD}t@$}|t+}ghl*Z0QYdg@l(Ih24KX*+R!XC%&T3dFsQ!FU)IhAW{#I1v$y
zduK^q{lFjRn9&KxC%@vSbC)QM<JcD+hv&ciLhof;+`oJUht?4;q273W>lFF_i62iL
z!0G4^+}O7Rzg{~=Rq-coBq!q5_MLcjosW&+xas)*Xc|rh1mM#C6g;C|`_4t)Y~nqB
z|LGy_-jwTM7#^KIh?{9iczlWKE&U~4-2EQsc5TIt)CAm2j>mU9lknpSu2W*>2lptg
z2ZT1yD3i(}x7Dj>&+y>tCEPxBh=kA)+`e*_-V=imE=<s`{~`_GFP_RHne?4TFYl-x
zo|3lkCuth|ZB4KextG7;Sil-wqxzH|MVW>uEf%&6vU)TM`L7^n=3x4v+%zua9Y+|&
zbV5Yv#_TP^FfvkV^8q)^KP)-;H4`=ae_-SVV@QAgD9FGEY-(CJ^8^RxU~fsxaf)Js
zBPYQA6p_^f?!wtT=H5g*y_P}d#Hn*YVnDixG=;wckp^8@1yJ>w2{N1}5QM6t@XQJL
z<E54}!`o+n;PK7tq)ukYK28*`{vg8ni<wUOiJMO{ATN201Ea?&W(1}?!iipFsB#MU
zR^-h|QJJ0-Q@we~ALKF%$byAcL7AJx^!2YlQ3Jii;~#Dk(j<RhKF2SQc&eie_2Tzm
z@cij-c=gv`pP<PPoa-yRc){AiJN)+W4t_XxP%z`==qRM$Cq|)Qe>}X8J0yJm`r#U$
z-MLDP!puQ!qwxRp-fdjox(OE|LU1--O~!op7FQDEaU~%Zw|2$h$XXAajPS?Rpw-yX
zuLmxBIRQUiM5>1ye!b4;mat$|393uBru`4#t3Ai3z||t_>7&~E2(&PnVY5S4|1X96
z$nTRtvY9{e%nG0L{xtX(qh_Z5C6Mnv4)NLWUrI>$<($*!%9wGNCCbMkvV->i<1nAb
z$SH--LDm%ilek}kuc!6L{oA;>DGWEy949VdVMDz~2IDLErzm{}{xNfWgKzNv8K|z9
z6(^?lS5Kc}Pv}P6J<Te#90rhc<*4VTE}lCL)p2CG`Oo1Sb9{sUwU9yI+zYUNtn4lE
zhNlgQsrRgo3v2Xa=Fm9nzkqMd@eTghg6uH}6xEAia<VPNz%AQ(!u}$gnEcsSG6*w;
z=KeeQ#vI?^e=jJzA;Y-Vn1n7op2v@TuepyI;~R5)ga3;`@kZuV-7vFgq_6lT3uFAx
z!8hjk2LEdzgVdS&=}CS-P>_uezA?u)_<so$t@DLvP>Vb9v5RiAI_;fs5`_1E3E!CG
z8~pDDrAF~ZQ>`*@{(bny9N*v@d;z{O$2a%}Ux07S@eRJgX94&>?Nl$bk!LZ400000
zNkvXXu0mjfP)h>@6aWGM2mowg_EfHAnF_Ye000Bu000#L5dd&-bT4gXWNBe9X>DO=
zWidA{aBgQ+R1E+J3X<Al3X<Al3X<Al?7j6@RBih{tcao@AX0*abc2K-IU*(9ozjiu
z&?6!uE#2MS9Yc3_BQbQ>Fu=@w#rwIR=l1^m1Md&-TC)~w4KsW8zV>;Y=W!fo>;MHh
z2~2ci^n3U2VM=}wRl0W%Rp8#e`&*Aue!a8MH;?@F=f0zo#QS?C!z4TR?kzV<iVCZ^
z>K(vA-??;MR-TAgYXMk%Ls%}OA$?M@x2&q&?Mw2Km(0&48RN5Sgf$Dyny5ZLA6K$n
zA19|`92opEjv-<&E7|r`S+f_E_sB*o^2bx+X>Tb_%x3JytO!xl>6qOe?saGUn<BEF
zM59Lib)s$q$)yM_U60{roNyc>=<@fMM6kl$mt5y(;!AI#izB=^ZX?am#YX7)`3C9?
z0^xmScl!YK-Mv3vH9oCoHNsD}@1eZ<^Tmhq5<{yW0Kd?;L7q6i8C(v7x0NE+$fKc`
zDOL{%=c5~&Js^PVE`7K!xi)_u{#4?|JN#<U3Do;S9RwAFbzs<gaN+*_Lk2de+yqsw
z;L9bz#7#|gH7>qStN7#F?KyJq^XMZ)d@5`?73OCLrIcpp$#}~6@cy%Vf4zK2Y07F<
zd0Ds=;85`PZU2b(j2*#PGwwKIdx8x#!gf1vc6r%yp}bTITFrdzv$fEnb=eQ{JaJsP
zO1hfJ)rSx3w;)3OhD}tkqSJXPp%{jt+Y?7l{6T)%<i}Ki6QU)3I7ila7rE!EBlYe=
z%QfU^A3iVenHhObe!EE60t-Jo-%$tO#Fhf2uSY+7&A>$(IH8qkF186$a<Cr6&#ji;
z_Zo;&PqQN)+4}`@2)beNy*e>LA?wogCM9{rquQ3Nin?Le@SBy(omlWXp*IW7c}NU4
zZ{qIMNmXs*dBYKM9D3>PXj?~eAa(uVMk8T`)ic6rF$#)#6f|7wbmTV-0G<ausTThG
zmT|u~Fydq>v}J)xf!bla>P8q<^q*JR?GP)#{<`lTDgbCmm=K&5YKGhxLF_|4A(;Rt
zwicqjP`Zs{lCcrbqY*@ZE!*5z^5&~+!lV(0=0o6H{VVsI9#7T!GpO5^H0vI001Ph%
zUuNozL_!b1$DANa1%w9(Qs|ND4OuY$lpQ591h`opK~y|DtvoaXT(9Z0DB1XWh7Lbp
z9JEo7nW<K1kTN4gw!}4F&85PJOFa=UDR_#LD(&ExY|>cl!wt0C=ggglyz|-T{wiSI
zV2!L)y1IBb#%020{hcd~Ij=q-dYJFM$De<{1k_Oi)BLX40n-S+(stz33cTx5fZg{H
zd47u^ANYzH{_^;Odj;u!le@E0<%z`hPC(?;kAx|-_&*~XvcQ3W!f3@ww!&Jjph$ST
zzB7F6drFH?Mb>tp*VzP{*Nk26!okiBz(ELZlQQJ$emw|4NIm@?LQ-%Z2H*G7hhNLX
zTbm4N<QZ=}Qf~%h?c6dp`)+C$*g%_(fWfxsOMsj9+Lr6=qifl)2hWdq!0;JL-*fN1
ze$YAYug|L^*hgM(Zzwz)-}6eO`#K5+pQ~<Vk{@$^H#ZhEln`6PoTH4g`<ZK1+O4sB
z+20O0R$h6QB7z{8S2T)+0}!_osqk^ohz*?w9IAi4zvaD#?WG<JD`xZWztuWgppjX-
zUBJQWcXt-B;XNKW4FW@<NW{^^#`0DR{q5X{eT7x*GI^DEVNGdhVoGjB-y?AUN9cJi
zF3tbEz`JJ(s4QF@*Ii*kH%y1AcvSFElAT=X;5cvpIHIe=QqS{{)SG-aV)%?LxCdTw
zR?jxdN1lLswYh~%K+-|rxhuDF5&Pb}H3br(=RrFdT6JBjxu#8JDN5ui6ahPxNM+D5
ztaS8CUaukJ*w?U@;~Pr7jH_Mk3PpMO462)sm8?)UXD;OY7WiUkW;2qLk5_67HWp;(
zDK|Vj`W>;gHSxwW<!0r&7d8mK?u<R}178Q9jn&qj4M71nZ|L?rnZ5+V!Iwi}E!U)A
zTE4Z6CMh{lG0Pcj1%t~{&!2$nnU<Yf?!?dayg{7O%p8pR9kN%x4b4)+;(}n9-w|@3
z4aq$8br9ZfO^6992K1gzCL&iyhIrqGW-K!c5L&7`{504hM4;jzPIEo<;rOc~l(}6E
zy2PN@y^_^-m-70jUI9XlKh-VEiEcR?h3KFB?M06bpD;gSL3}u41NF3j0KG<GF{N&@
z%fvYh6C%e7bj*!!TuSxc)bD<`dr0_>KPT*kJ@!R<z?amUTQiX6({BIRebIi1>aQDc
znc3@51ag8eEdr4@$dv9b0CETDhs_AtR*^qF;qP}4r)lH-an{2{h798Pa=on$S_a<?
zjUYd7cNTs@2W`V^0WW7n8G6{-$2N0U@V|Wm!>m?dR+L~rGsX|0Ph-AV3AcnMmNY*a
z&Uloa!nK}t%v7x_1gk0aydFw@cAs;^7v9N3!{ZB3kX$Y}{N>+|8bRBhutuu%q6WR@
z6!i7Iw=Z-S3v}Oy&XYUc+1j_n%=%PQ2{o&>(qOylJ^;oQ$vf2lZ0FCdj&wibECRxU
zhZ9R1!3^(;MrvDr2Kw<#l0%$LJQe9q*S1<<(fVpzJp&w7o4c`F1LdLx=QFqQ{%l@D
zscyZLbkpZai!CAV8RqFeiw%hgX(2Y))TJNc4~Kc5Ii`B|900U_mPB=!m_J-11YBc5
z-N`og;j`rMjK!}!?KZ4(ETHg(_TaDM7#T^vC{lu3oMP!D06)QxgjiMHFn%F;)8qFI
zpbbw*r4UaD;EEvD;=>`(^WaP$Dk6&T&CttCDNxgDA)G!~<HJX!MRt^a?r-6<)k+Dk
zDcH|DW?GMZx0jlD?VYCg-ypU``Qx#c5Nt4axYpYMFowPamwgj^0V@LkklCCbU@^(Z
zg^dZs!Pd4?Tmynud-2M1khQ)f0ig3Rz|GE9OJC2o+5U0}0UH?kU?pRiXKw^r9h;>6
zSoyd<NiOsU1!c^LI1l@}!F~|vYA3dnwkhBM74Ou!VfNZrQa&2Ivrnny<nA!OPuOxs
z&aY_82>QOA8b=`mJ*(FZT>Fu$+ixIwQ2Xenpnk`dcx5k3-y-NG+)<evdlKVsOD=On
zCGaIES3_v)U)2L{%Q@JH7?HnLv}$&$9}J>(0Q7^JW}R6JmXJ!g95fpkUM;XLjA@D8
zIfR8CN7n4aAeWYFKRcu`5<CB0om=aOVnw6Q$FAf8JH)55#qX#0g`RVg@$oifaz}V(
z^;-z=1|+#UoHmb2)a=oD_m7mr82X1}+k%_w2KI7)_H3lG^yADS!L`rIQSkt0ZzQNs
zF!;MiX*bU1zBAf3T;@dUPbyC$irJ{)QbvR|7xGBO?WA;4XT-A^i7Mc*vZCE6Yjz4c
z+l>8a%d`6V>|?ZMk_2I;dG$Wo9%VC$Onss&V~FOYKdQrjePjyJ{VraXNw!~Z32;T3
zO8%U`mfB$%WhpF$ynW01Hj^CwO(1?_ME~|s-t(Z5A9)o9fxQfZB0cE557AUP033b@
zUo?BMsbO_xxm2CeGwE7yGP%k3llF8b8@w!lYvo_TV(mE6&rv!L<Z|K&q93ua7lL2v
z!%RS1tl1=odqL~^o1l=C*fsKpXEyqXQ?r(1H)K-GQvsu`s!raX;gHq0ov;!=7WAks
z1L_go@U5xuas{BrPkAnxh6x`CKD-r!(b}G6+HD?WJ8D%WscxnAo+-7Qnrxl5)pLQL
zk?<B&V#w1vb=C8wdN0I+H@3FQbl1FJUW;t#go}YyX9{_9yQUA7Xr_2sEJ2)AOmF?^
z5JHx>YG(S)o)6`dmoU9e)-rj+w&T5I#z_8a_ft5tB^@;CGjbmu{TI>we$6VPj9h-|
zBdtc8{MUapUVTn`$a?=zI9fJ^`mD;j+AWRbZy)lX*OwSP@>zaMsO`#$^MX(yNqe2?
z48<GUl?%BEyjlJO&7FKE^5qc?yNK?XPui973Z(z|ax3HGSLTxGS^&Ekx)61z<O{O)
zVt@6Ifm<}Viz%^!W5oYBU231MG(Z2@o!w-q?9O*L-{^?YJ2_L|>?D7ipq0o)sGwIz
z+Da5IEb#Nu^Dq1N%nrdG)YjUN<5dRAu%6F5@_Hnko_|+LHHYOTq3{-IMMeB_wtOZ|
z0@V<zq{>g6vtCo4ugL!a%v%FLJLH&fGtF#BWpzXra3*R>F3z{(fiMf@!1gkgw8<xJ
zl1pLz!&d8|b#9AsQA-rXZ5&)a?&E~I>ch<><Um?g9%g+oF?X`$`qfq47%-uQM8vIH
zh#Glouo!+l2(f0F+7Dz{uyWPun|QXWVV`+#qW^F%F(Bff>+XlE@Q7vESjkqG<nSOl
zg=c5QJ9`p|wMFeJMH!*r7LV8b3hKLMQMWQe1>t!4b)0$rOb5f41Q~8UM`h1@_7zu&
zQ^l_;!acAiDhEC=_JEuc_Ime1{5CAtU$0Tn{n@Vr!t<4d-ad^6gUPw2<+_?vx2hCg
zNEnv59YS_?RvQ4tRjhgF5&DILk9cOPzV7dQbmELtwWMSmk5%96K)=X}pf)4frn33;
z$sV#bBYLGg)uu9b&?Vg9zuo_G!+clu%D2iOA~6&!N_tXQ-#jVs2J)mKG;y5V$wj`$
z|M@?!)ru}{*aCL!vZf-BwO8Hmbjv*&Al{;zlJ_$oH6dbK@6(o0lT>uU3}HQasb001
zKr0m_Wp6}4h3TVYWzs&XhMe1b{O|F&62nQKn(5w{E#h!egglXT)9L%^GwmiTNVk8^
zRI!^Glu(E3+5P+xr`fIpJ_9ccGpHqW|HM~fER4Y(5F{jl_gIWDS2e*T!IvU?ksf&+
zt*vN39X=U7GcYz)c#Ouv<K;2sGI=&RCuq$k#-M0x3Hm-d#$q~f82CTbakpQTP!dFM
zB|^0tSOPT<+vCK7Jy%X-zQlc`SC!95KAlSw!9_g_%><mi>IVepHQg$|rb>^YYHZR}
zTK3{i-t&vcEik11wzxxHlp9y@_`FEPZ8iFFL%RX(dv$S5j<s<;QB(0qCWQ5%Sm9b!
zKlz9>`MAIXS-cZWw-pt=!my-_2J)IDVX6%IR{i6sTO$FgB<JhB{+E!fslrpVXq3Q9
z;(dB*=2Na%b%%)?-%=ym#?o_^ub=+u2&nEa9exa(@hVjb>|_==)wRUxde5*c-*^^}
zTYY==!7WSOjzJ=~Sx%@+EcZYgq&fd3rK*VOag1Tx(-~o=sKwJXd!k1cyMesVcAqxw
z{-9{$1=1>;Z8oRIdS#^r)ex<}Tx%(BQX|J{u$RM7-SB_MZ2wW>-dv&lA)WzOT^}nW
zEXUpE)(4U|pO}H9ly~%qUOYz_d<1%m|C2s*e|XmjIhn{~nRa_Pfz|XgU|KT3PwAAy
z?mjc&hc2}r0jBf)W94JLx#3q#wM48c{4Q`JGR4x%=QsmdCkdQNN+E4K&q$P?`CMxI
z6Z)Mf+j|+S>qt$+%I8ZBD~Op^ISHsjS?XD~$w3W|`FF1pZ;kbil5$HtMc3(hiUHqG
z)m-GApW^-DKXH8ax2hIHa`B-Btg%}5B_77LD_IWm@=>CCmMM;I{p>$YRMwtDs~sxn
z)^1K439BeRPv#1)Tv%=LCef!B)jCt0r;|2_jz4&aPl<7>d->gOFQed#RAba4o7(8Z
z1AIxC1mzAuLo=66eqiwV^(bpEvz|5CtNMp+*eq{@PLpJp1GC*Nhxvf)^I{*_C?wQN
zivjfWg_W71xg`R2JjIZlV}BAC{jryi%m2Cm@=+_$ScaEOI-IpSJoG50vvr`g3;;nu
zzQ0WQdAFZyp0$9%x#LyAjCIzK?fF)RCPvj)7vZ}KxtHJ6>;m8|dCS-*?iR{i(_1Mu
zLRe~FNK-xubYUdlM%#r$G<FlnO97J&I<B(?<3jg74nL`#$*;I|WerUCR3cA^ssDKL
z9+|G4{qzPFSiRG_4(Pi<P;&VntU2bmQyskdq#W~W>rGqjVWT77BeO^)-ALuDm)<N^
zAq?!GlfWkr|7i?rq6T5zyCP#ZH#da^n^nM-Q;rg_Ryfu(jDJP5AXH{kE$c*yC!?pI
z-Sk4I3VI<jHSZP3{uF0^`r&GP99>&%CY@<$8Vrara<i2n>HUuJZwaU9agl{vT(lhh
z(|>C?6h5j$Rin0YwMXu`hJ;12o_*_BUDZUy<5>B$pPQ9%(*GGtTXP;4F`Cb*c+?ax
z|E%k1vldAxM>!b##wbz!$6*!j-FF_1fH&dgx05A1SER>(MS1Z~R1d{(Hd(&^NlvD%
zhmD&!CO>{^GbOUMHj*!Jex;A4pi4&aHUrQ}cbx&*3D>AL?0F1chLPLaQTgNSoa1Gn
z$i6Aqd>Fj-&+Cf&Y?=c(&eBR4+J1ex5q|me5lR=%&tyo0ZG31ZZ%!dQ1CPJDGee8_
z8*4t?mX&S(A&TOXAT?>l{=^tg%ur<dna!}?5F2opd0(woAq8>P#C^yWx<gbleF3?-
zmLc{;)^X-HROtDp;9;D!@p_#+u1%93Q?md1>d8OW_Z@E4r$LSbXzp2_3B{HVT5;Eh
z8j{r(;LhjnK&BD1U{i(3(%X|G?RofH-Y;_N<A|N3aXjW~LM*Mb#gHbuH)ps+>8S&;
z*R@+B&@=b0)osN$5Q}q4LTZG+0+9{uQ_QQMMxWSCnoY5!EbMv1<I&l1%FS^yN62-q
zE(7PqMwIQKRXox%vI;a`uh$*=PP&0rq?Z#D9SZ^AU|YMRDz$h_+Y%V!0qG0A!pU0$
z+Q$_1a&;tyjFbxjq%~WOQvpAy)Kb1Axp<r(w|ab<0N*I*dcHz&+POB&<uADU9br3z
zL)1o?YB`+sq2ky+^vL3L+OM`^p>!*R=}p%yq4Co#XYqLt0pJ7su5;SHIl7c)N?;CB
zNKi>eBYO@Vg!VtNZU|Rluu6e0fZuk#v5{SZ1;fgkKqZE1v4^YTKxWB^tTxnGK}Cxz
zjzxS_w{$H<LSppB5Opb=;_y(+nmbqJ1g+RFOJJ+vJC1wytyCrRdBBV`L|0SqX}!ex
z*lsC<otd0hGcz4OT8whasLDf}z2M}?G&>}h<wWu~G47BU`H0-HLoF;kGKaF$L)}`{
z%WKjKwqy-J&gXQst$P}8mj^xAzWDoAtb09P3+=%s6T?quB2#+IvDy>;rmrrO4&}L9
z{D5+EdB4j0YWHa?eE((qKnD|g2W>~w?9(3VOu4b(B;kzs3`VgFM0R6oW=>`4@(AhC
zrnAw{AG|j`=ay>b?dK;AA}xx0SYoe5+Auc1>@TZD{TJcRGT)y%eLc35=^aOv8FS0j
zX&U(wgqlp<CujEh3+o{u*qqvff;9n?&ta6$T~RSKWH^s1;d%E9$V4yPu(|xy&{!}-
zJ^>K~VUe*YiiObgQZpSxoJu4z!Vtf3m4lf3dk13j=w^<Z_zZk>wZq0=FeJV1WWR`1
z3wBt+ZvV@%HbiW}NXCtQ2DR*s>0i;dy)_;qxe<9coH*_UAJ9obw?A5Ogg@I3r}Z#*
z@JrSs3nZQ{oQyOo+==^Add=%kUzK6KAJtjukYj#mr}T2ki&Q+>E5v)ajm+Q8`?jZI
z2a|HeJoO}j2TQL3N_q1rU0NI|#{OUPz{FKRWuZ(J!vcb#G5uEYVNoO6MC8J3Ef=&f
zJ};@EbdA}~Qb&yF3KqKw;%Q~|Qms(1xSVN@f56VAz?4JXFy?H~17DtwiWwYU>X4Qh
zbVn^zKM8a-1~mu>JvD3iI{L9@)hd&$*Qc_doH8u(XH>Rsqjl%xKWRQD`>1CV1puLT
z!^ux*dV1Yu-TUi_1EaR>-OcK3lXa~RRHH~<u83;>1M_p=sg8t4j=%(omc(;;(C5Zi
zLy-5Wx0O5=mT?<}yO7hicJBCIo0O4qmePqCy->gs-u5;|%~pO)$C{HTdKn?+S?btp
z@Gox6hRZCvr6;rZke3=LFrv7=?zMIhp$o)P+1Af?E0d^KIVTTy!by1<kp1)JK+t!S
zaaU3dpSMe5v=^z>D|{cDi3Po^i&#yT6wcdAu_d&L0kzfY!VVwU>$~Q>UN49h2bH8r
zdz2mn|HW9k^j#>QQ@b7~MyPHk_ZrL%jxn$$2IvViCFNT&IXsXWat!ZywZXi9n)NkY
z5NCy6U$K;4-@a6XydZ(!C0y4wvfq3lNUsoFMBmqQG%*aBn=U-V0XHvU)Q{ZXSqVL=
zFj?2(6LR-3scBU4B|uer_YOxm_b6IhSFSVG_zOhi!XSpNjEb%;GW9D{3tr<_OyaY*
z%7f3vm5-ev<jErQxvz-IUyHnd(YpVQX^6}H)COmIWvOn0!$wRP<ELv5&5pm2&sU@b
zX4JW3vX{*YRsSxI^qF}OXE_I3#Ieyj1^qt)Ya+#uIE&TJwO$SiIq_Am#Jor+$@@=3
zEGH`BZ4Vx>BnId>AZbA1s`IeDsF$yQ@IGx)E-I9k>m3qd1MwYOE{Qg)EaP7*Ow<`c
zT~e^pCxtbI{KC>Cyymz2Sr^=$-)V%ZJ9nY;jO!PWm)u|Ps|eh)qa*;-Qd7L{?$M7D
zTe5F%F4`w6mV3m;fs@)b0MYOf>CM*9SS~n@jNvplo{LT&Zj)txsJ|!XPe%d_A`+|T
zc&%d(b%pyheLZ}ttvbK*Zn|*lER=^k(;#|{ogLsforA>9bz6QCd2=nXOt|F5bo0ow
zqD3MKm)19Wu@s*S^?!aB^Z9J1t&s*Cfj~S`)wG!Ml<E1wt=y31eJaKD<v3RST^)hM
zN|j$l$wAe?iPwO(hJSZ?_9jBw==<fD{{n!|@t-$8Ng6!3|EyR1b55e(L{4|{VSBJ_
zO|ByPKLX;b<X^1YNu2&ZiYbbrO`Oa!_9fo~j(<RRpS8zLQIL;aIKI?>F#CHx)z4dH
z1}yE#$5y{1#5_z^nZZ-z-<<yW2{Xxi!UL8=QjOdv!($;nZ|$EE{>k`1zwznhWpQ#B
z`!x3C^J#0~WDvKoJJgoR^f~3O|H1bp^3?eV>xYzQbXCf>w4!sUj`{VUVgw20dZI^H
zKRb9VYp;Lgs9;SdS@KH$Hs<bOV^5hCMP6_gN=j4hqs6;wtkTrX=hNWs7HdZSj8r$i
zB)1r$C6wUqd_B7?|1jtuFz9&y3B8%tE$$kB70vju>}v99GzV$53Ew#rpNgq?4^{~+
z&wMIiHIpX@?73<`H#yO~eX99gz|L_oUPV_Ze$15tGK$-9BlS_|2-a5D;U7XaL8dvB
zUKGo>yY+^zP+>WB)Q#HI%gLeWVr)kHKTQ5@P)g0U|0jAzEP1DJp6Ck#SFkI#ujoIv
z{Tq}V$j2%gC9|KSI~Ns-TuNlY#uK9rfG6*g0mN`Ha3`$=JsE9y;$GWoglB}?+c&L_
z+~JZBU>Y^y7w>-rqHj403%tRbv>oO2n0f@8^NW)@)jXO&Tu?>3xx3dL%I}DF(2u{j
zR7~zgjIN73>AD|;O~q$f<@t#ov1Bz-PmS;r(o$K5>e77FAJ=5)QM1u)_VCE9?zjHr
zD2t{Xk>a^VMH)~rGf@O`DR#Oba0WEe{*$?m#J!V}8(2pRbI+`B)B&WgukjmZf!Wh3
zpiE%p50Wnp``c1e!+U%jVTI{?=WZL?PrHC@o5}OVC=E>Rwj{(4)2jp5y?(YbxGUy4
zDyS{aFcd`^EwpMh`?KR`c)!HVj&h&hC7)1Mw^M}Lq^Ak|&$0w0PzVC9sMuBHp1Ee}
zKdpZ$e(f8+$xj9&;Czt1E2)vvv&1mXyEmrKBRy5LW$GL>g}8Fz$n3+%x^>N0{Y`@j
zi&KYLIWRZ9XB{4eT$+y=HwpDSW<t;U%57vT^m=%yW#JI*Cqf0M-cHSFAf?FHINvw%
zq=(XFSOSZ_PfTe~dTDdhWB+3@0zZq5RsiQ)FfWhr_u7I9!?=`><d|Qa&4k&|)RB%w
zJ^&B57CHc7h@pDU^eECJc*FNc9%&bnK7PSiTKBhO&_V_pnHyeg7`q8*i7OvbJ?y~4
zaO`_ao}5B-5u3oaAtkoPrQ0mFRNLiy`VY%4dYpyI;t-B8<UbnR8NG0R?QQAdj?Tw6
z`h+0ZZ|68MMO`s&SZSnrVghE*bVBp4@Df9=<A>l@<)wB{?LYxjNPn(QxE~Sc*m^3L
zo+GWKi)@5L1%OGKaW@*H{R{s0^cBm2y^Yy|jKbQyo0{u?-G!VqztinTS+h^LSQ#S%
z{%1t=bUv|kVx`b!=9mCk>0Ww^#x=buNW|;m)v*2XM42l+UhPBCM+1eF*NGP@7OIXb
zI(^A$ygWiA!!x~5n(yGi!Q<N*#YUDrnz$uX3%+5l`j4vm<E%}|Z0bzFr?@UqUyajH
zV8eHsMiQnA4YcJYVa3uiqkOmFL|ldNv(I5AO@}STLJjUg4R(dt{l5PrOqJAS5=3+#
zJ1(J63+>`hJ2TeY2S8THu;QY+t@2Z4hB2_IGH|U<m5r}+*mq?uj0;TZc#^NL0p9IT
ztlUWhIg$ph6$SHD2_Lk&{19ry%(GfJB}Pb5oV<8*Ae$zu0`g7i+pRn9a%0+fwwf8q
z=Jyqp9TJzR#Zd4)?lV#f`+NS=l>G?IxS>bz&_Om19Yy8t4f74@NScH8@<KbU8qckW
zvncvFiU;T(H|kZobC3@l<x}5;J)&hfCkLYSB(Z6LdsSVO?7D81h`FUf|Cqem)*H3{
zwAcT*AJQm6!UL7o)Wi?}#bFy!nV+8kYr{uL{^X+uz$dTF=X4i@9sh9tt~jXAs+t~i
zW`_U!Fwd&?OAgX_|8Vn7k5L|L>3xkK`|zh~to!S2ml>CT{iYu3eN+~<_Ca&%KMu0b
z`s?jRD}HmVKTe(P%dhxF_|cT>`5y;yiEUk;m{8996+^uhSzyN8Oj39oe~QhIo8F<^
zWJg%PG1bybyBIV6^W11q3X?6K7-j0dN6{7jlc94<y(?L0ml+Tb`P~1ne{tZpo|X;f
zDLnhvD&pP=-e353QU6rOdu8qkOPi|DKmOO<c=BsuxP?ibzx;W^#<ZW)XgC@1{&keu
zy9INZ44bb#x-A4Y)S5wGOZoo!%~{-cqlP{E>A=g~slxT{&pe^s|F!`4y9yCGk0aX!
ziLpmy$(LU=gBO-}Zsk4B0E^2t@<TG0mz0hahEm4q1dw%)tf5BLp`^#~OqO*Rk)o07
z&_Z^j-QE+FjwUhYn0Mdv(_Qf+M)ibjYqW|RZlw<DEFl#C6vW?27#Il;e0e|FCsZ23
zA7aEF#?H_vvTN^%?Qyi7u@^&!*#f$YtZw>1LBSK9-tsu~c+9K(%H@tnL*QDV`x~cZ
zZ-1^;TBmNbEkX|0Pf7V6%nJ+91Y7F5@g=qr(y!twEUc90RW^%(R*cj>|1={3ADbsy
z^wZ|G64==CqEU#YR6dBWNREfA5{vB3OqeI~FQK|!4*bvyv`LXPxLQwwgBK7G?@_z<
z79Wa8*%ER`7-MxwpRCn$XkcOY4?B7GTnFWZxZ8x{WE4ycCAJl*AY9W0`)&}PA6}ao
zjv?^zREL9iOkFqNE(@tLxK|>Gz#D5~ciK1)jDZ1{<0c&Yr#Ypr;*xef_*|rv|1_y-
zDFf{<G3J^1Xi|b+N4_g#Y@rg_Vv)Q(PH%L6G42_Y&!UoyJ%?OLP}eE4KH@#Yz^|s%
zc>=O<CpOV%CLV&`$4OFqL#j9D^l=7#j9<RwI0nvk12xGtjCd1-`EsAURv*M0yHz}(
z?x;bHHq|_~tFuqpz3Buqz}RB8Tw)kiOGh{@oT?=pGCtV!yipQX{in?^QIwUZL7H=A
zO}3T`wv^<fv~T|tLtnV&YZR_g=TcWh#LL<qy3$NebS%Z?Iy_ZGb?&!{o_j?v&nb|-
z8(=fpCOkH=9r2zzchSjTB%v>z!M8KTh$M+in)AqO6bm%G<vp7r*Ek}4J9Ly7bfH5;
zOgcykQ<e;;laf^v*J~S8dgOy4CN<^D=VzETmA91HN+J8c_3R_wR(>7%I#?rRFCLSx
zd5o42k^P3?AJWGCXY|3X-CqcFG0eqcw8^+w;X4oYo=+3GPElNx9IYhrN9N=1ENL5-
z#W$^*=q^^rl6sVTGjDb2UUQajy)c;{eL8|aa{S$jEGY`jmKxeUVqx(#uhZ=t(bHtZ
z7Lt;L+z3i_u3VZp%?itu$KAcG#jI2r)mr6(_*@xIx2n*1a7c4emBhz?V&!DYU#saC
zb4IPaA=b%Z(bN(;O#P_=0}5j>YJyL%mRQ%geS_?`4m4~gBVOx!5v7xS?lN_K5Bu7#
zA4w36{III^dZ0?CnaN#k)-RJ?&w6I?xem-i>WP=iub(Tq4J1bWL!i}`y4!*6F+G%f
za9s{V3Tp|QezeuBgUkt++WG_%Y`r3aJ<180cGvz&N(ados!KtKHOw5Uma9<#%XLXI
za*|sdJE<|XQ;c)Ito0}F7@lKW%To%~1`S2bCcWD{?uB?t<TfSQc`GW%<u(Bln=rq~
zcX_qxtLugFf9zrLI!Gh<Ck?>#33<p8Bt@3;3CSH{g=2gF))k&U4KdN`P;*}Eb`XeQ
ziC((Cx%pVx+0KzNK?!9#BlLa9O9qSzUaK-bl&IYdUKz$+bF+`)XKB2pJL7##4Kvl*
zLx)Qi7I5mrV)|r~JlA{f#rJQq7!QOjKz?Xu>DH-o<cdX5L@h4g5z4JZ{Ry9*utn^p
zf-RTM&`)bhD|CnlZ2(2Rg%8=JXOwM@|6II<_n#~BwqO%CH#cHC7k$BJ`%vlZ4Al3-
za=2+4r$c3nfJ>vqGM0uL{w0lnLcmvL)INUZhE}FpG1dfRXn(qK*PLHLLO{7AL-P;E
ze5~`>z-`vCoO=GxEb55gy%>K%Lg@_BKR?cK_wj);POT?@e4JnU7Zn>$zzX~$GPDl7
z`kV$anI$UzBc}Ky(|k@dF_T5>`Xj#mG<o)J^ps;iSnZF%)H?k9-DpK+j_=yP&*YW4
z8<C4R(;o*hFuOw(niInIe_lP&9in*3pBepUSgO236h%8}Z~qM4Pwx=Lx8yOYKO>>$
z9io_aQur65cyxy-I)=?@{zMeazuxAz;-mi;qVR2X#Lx=;JDSE?b_#mGQtnex)I{G;
zzFc0a3FDxT5z~s{sPOvON3)QqjilKd8Xq_5->{wGh%Q;3E7KJ_A#|Aaok{bgQ2o&^
z2$R$}@{s7CXq3~Bd9PLeYNHA$U0fc~bWB?2KCMtk4`!4iPbOJd@l)N4R75z!Sxu~k
z0`Fp0D~it+L6yMyuwJvf^Wuv^154r0K2;K*@1w9qzJoVurf_X19`6=GkI$>PA5Shh
z4frNDMyt32Iqeg+G#{C?@9JLx?}0Ix>_s2nm0<c@Jl6n@R?vOh%utV^5Fz`dweH#L
zE_?jcN;|okK-?vD;zQQwnq$)<<0S87tlBwfvL)bm{@a;bb6T}j)ikp9W1R7^cJ|WH
zVhWi%+#=iAzHZZ{__%qwf5i{Rtb4@8E69o&3xQe<nZ9@a%Xps@@teD4tSnTj_ZTu7
zbN|FqAin2S@@b6qSsB&4(#{ihc??wL2QFcD`a7|(mZO8@z&IMmvZyi-##-p|T_C-A
znxdRJdAS+Y*lEPoz+J=#e*_M@OPCAN27M{wVKL*=%|H=A|9$feBn_5?gX9E3)DZ+$
z1Ld3AWb+yA4)+e1i{Hw1HG{VR4~dAmUJ$Xhbe1{6Ez|WBFD%MPQYPc+G6t>iwQ^8$
z$z)~=f_&ZVlM#Hdlhg9f7sF9Ie*M=>J6lwB;YkFV@HW2{J)gO)oC%3saK-8)4|_M7
ztuOm|m4vE=o0(+;>4TpFxmjc$mBs1@gLV%xV(iLd=MRYiJXeVuRC=;VL0K;h0(88a
z7P<o_GseRs|Dorgw;8-FeEhrfiCg@Rb*E2KdTJvzvtvyB;!gR~*6nVE3c(#rUZp`7
zk^6d5Y-4VfTnGB0WUi8{9eFb^hh_*Oq;;GM^^gup!WrW$Pj8D`YKe9waDHzoA=DZg
za~x5o;`us98TF0}#zS6gn_oyqy@xf#TvnI&F{!cnWa&3n?63AP$+?3~edhGMSpM0&
zeD~^8qKG3dfAu14WL!NYU?72n9N1kQIq59|?=N;`-J9FyR}E~rmCgqX3&rLpz{3G%
zA2&)>(#aLeT~eQ%9PLfy$s*NEpehL_ZS||-^*gS+=jtt}k31L-m{8&k_w%aM^Nb_H
z3UtHB1#&%~X*-|U*K?gM@7=c1gVS6ru4WgcjeyaqH!fp0FS}4DZ5+ekdb%ZShT%sy
zU%WD@py#XKH><X9MWNo1laWyi2YZG~iVol_So4%>a~ss16O2LPA}2^kvKWB*oK&fo
zW2bk-dN&)%YT*s!0u$!r|CK8f@IcYVuNtJ~0al?W@sR-68Jx*58?E~uzKGgp9MFg6
zX75Ta>()<Rgqj~3c1q7^c*~?JU8H$CRY^c4R6669UQV2S6m^%1<=8F#aTI%`!z6+D
z@Y8xUeBQJU#r8dUpKNZJ9P(*3brAjAtqP;pTbuH2F#Mf^u7?Cy+w)?fbm~i}3r&hj
zU%|t4;M;wKrX?1{$?$b%TpueAOx%NEUyen!W?<hAa>mn<GXwIna6xd<F`Rmh93s^Y
zh9Id8E`{(IX}bNCZzVs#+Q&T8>XRPDg`Mw53=dQVkI}~3g_#ge<kh^!^}`L9^2ntR
z>jbc7`p)HND0kbXQO=<73qfMACfSqqRQI_y+`S$L{atsc+(K<z%Kh})+}tq}qo1nU
zx+MwfA=#4!+VmM?`b^;7hjay(yRNncdbraD!$YZG&Vm>Zvhg#m2qEal1&I?{ZksCd
zSlIFfG~}_(o*u~HP3~SIu}EE&Q`yUkV@Ji(Loa64{^h~^$+g1U1AXvN(~%{=R!c5J
zh^kpq9$f9)<e5&+#leMH$I7HZ;!!|z>{~T{20U2f>jQl>U&FRE{D)%dl*WB6xXFmd
z^mVl;-P5ve&fmde2(^aMy!?I_hTCTH=k{7I2svHsqe%EebwjTN(3n)f<s1=<*1DK=
z{>v~%0+J`Z?(nHoX9w%JhbDvs?}#oKD)gdD9?p#!u)U#()a^$jtUk?}fELivLB^eA
z&Ysk75U!^33FX`{-f%qZ^0H}^amm#T8JIb&T5Hi<@nI>v#Jzz|o^KXk7pEJ<WLT`m
zy9wR1a?N?=p=qV1(#$O3tf-)pfK4!}K?L_-eVnGVg1K~Kh4}#ccM#>IDx(s{2+`?o
z)ZwCH&(WJu)n$FMuCsP|`&bO;IWyq7z!{0&gLm;!ge)Lh|B(VKrW){Mz29i%q=1=V
zri0V<-o}kX1EB*5#nO%+S?|p5wb5O~=jC*r+w|y(2N7)hz#Lk`upd3Znr&GvqYYRJ
z5xn-7F~^B5zD1cgsS0}EGNy;#xHliYYZt|^8es%vJ1yzsN|?U%(w~=iI*^48o9{-C
zn`aEmu_cZt_9e^>dK7ON?$O1A2(y;73D+8BEuhutL(pTO64}*r9j=%z4}%<%`^Gm*
z3b%T*b&vYL{1#bg$_~?L8Va$)6ipVk^pd3C)gPBHbsVz3ESZSly{FqB58?;(h7fAj
zPgKmlp<fZYre6J~=JVtUbZOo{05I`BVexHsNuJZ4CU<TE&)Q1ck4S-@zkB6RBK6xB
z(S@L*TH0mRqaQsTar?1A2a|k`5dZiK+sW3EH$+L1+VU2!=TEF0%h4ZXGuf3HUCzjv
zvH7CvHo97b={&z&cDw~C>P60z51u+B;+u8(0PHL3*Dq~M!mAq7b@LJ3_ejyTWpvLj
znvUk&HqGsXkWGz5qo?hQILYxZF>R_Ct6Uibi`%bAdqaoV>KmZ$g5HJ~jqhAiqhL@!
zp(s_v_!cic*9uVN4577v@%Np7H@9*2@X;Nbd~*~@L@o)|XT+y@_Pbuu!2j{69#-{<
zeYapv(Y%;PUTqVWTwTSNZ|(oVbrJ>?3BTZ%Bf;19KjGKl6J}JFJw39^!JQ1Zf0Yu5
z;l3MH;!^B=@FxVNkGl6I#_*Gp<^DnAa(?Pg$qxpko{Y(eBD!57t$bH{GVb|{RHKP{
z*?qFr^a!?6Sp87LQ=Wd_bRKTtlo~c`X0EDOe|yw}NIO8pWC71YiOR*a{=F601*b&F
z9kTNOb@(@P3AOz?E9Lf9mMT6|lOu_cfVcQ`Cdg5gy+ukz2fC^C?$6ND*68?mwzeL*
zg0%v5eU(%yrVz@9j(hRB6`h<w9;d9E`i~!IfGmkN>bBMD&{r*Ig+>^Czg@sD>stK6
z`9eL^MsgqdW<i6W)MG7ds7F30btUH}*Me>ugRrci_FZmz$^`%VtxR`AU_@j&pCkLn
zScB!yEI)+eWN)L<%IxGDztSR{6N?r7T6GeiS*~#So(QEHuqw(3*j{95Hmilx;Yqe{
z9z_hJGhN6-JhIM2I6>vA?8$r)-nPN7NkE_u+5!2=`P<hXVhu;&X^qR3?2uVO{`*mP
zINK*y{0^rGB=2cFWjHI>F*NYPN*-}b8R8%r=tlESCJ*NCG4yPZH>>N7COgmc(0d6a
zK1F;TmguWOp>}L$8v<A_4A8y9*3DfB?<pk(cB5?-@`6UyDpC4x=oW$3P6DIE*uHG<
z&Mv;k4fVg_O_D!~q~aD_84hYv>0~~0lv8SvwzB(nA~+694*;YJsUY4qlZM&Rg&&pP
zgUIykCH#<@8DUGmL0EMJZ{6zl%V0jdgYX7DcVLcveQoyR{E^vPnFM~KgXL`>G^tdw
z?Q_Fi&(`(to{fU;$46)3QK#N5?rvA{1y6D?Z|lrIerHSYQ2?I~h(B82^34ptFU^bR
zb)-hZcdbaGN`z%Leq?Wq9ze@@t2lDy1vn9*Go$GF=KOt7-^6^TNv|=!P$YpPT`qKm
zlzQSBfH!5xckV2oUElj$ffog5vx<I!27^sBeU;LoogkcCI=I}@E}`-*cBYHJoT@<S
zK!lWsqMiKnSd$E<CFjd2XsycP*G`u>v`$<tDM0)R9ZU+V!Tn%=SgGkrayQWagAKrL
z9PEq8?q_YGSq~k4y<Y!O5&UMBXUaI};jDBQEZrhjQN9t%Q(SPha&e@nVcUl7d~4!{
zCC=#m!D94lOCg8l$x;Aq)|WUj7{W4H%}9bba$^1Ho|mQxrMi3zt=f^_;Z3Pc!bxM*
zEi~o=o6cw*S9$j+Wh3$!#7`$|@f*5*M6IDWPY>hoVg9T1Vy?10pGO2x+$Z$ic5LiR
zz|h5=IK$?^qNgZ_4s6-uidIOeGvvtSbdkGlVS;CmXGo?PHEeHR2flQ&Ocl3btp8E`
ziZ)4)v{9KacTvz(@nbi}0Pq@<!apal9k(a?f_NiNP;;q7w0ZG9WI8aODS;<HIjblb
zbo&#>pGW;*BJ&|e1VWYpy!!1RF!U4d_t&{%bF7Rq<AfQbVFTIm(3ArQCC6@oj*dn1
z-2+S87uQzZm!_WZ`e?|5xp&#k+tk*pT_mslv1tAF_6rNO`egA+xCYu+C<T-ubiDL?
z)isSjPFD}UhWY@qQVyMNxqlSa23>oNIlP|d$y~iPOrJ1zmq|AZh4Lt?ex!hV;6>wJ
zh>(IB-A!C^W%_$d5FeiMZNo=v9`!W3ExjnaxeVLE)d(*QIPk!kF1SJTOmcX~qQjOM
z!Dr&OE(kkWqQ6{kB~_W2Fh(iEYFwAS@nnRM@Y+$m6Tq6+SNwFt0ug<&c#fMNaxwgf
zG+{Iz`7Y3p#&@_nX(K)0Ysz=y&NqpRi(^G77sdGxKju#Nn{Bk?OFfHmDCsJ~bq<B!
z?7A0QK6X;AVNxum*DWBMWI(0x66b2f&$>@<l|6h-<7X{bzk}t^<txf5mtjV3HPb<F
z9b3G+Piz=1{n}Zy?=^ytJY@nW#?bZ&!jivW!74p!SdZF}%)=k6rj^1_UpHFZ)+bfe
zmH7O`i^~>TrWaU*OIM^lyA&%zs+T)&qd3T+uaH$6v~*)wQ|dQV6r{Bs-w!Z?G(hPg
z_V~!)H^V`FlJV}$v#h&t{OaSY=V&+%Wx_hJy1qe%B`9G2SY{;~-_vgB=;#zoINja#
z;J1GrxHC)~H=0wkU_t|bMQJVx7Yg;avyC}Ns{R<Di~!&~X`X$23$eC(>3mU+A5A<#
zQkE;m0NWdX!}KVyw~Rozo3ON;-Q*;b_dc3l^^{4pxtPRt_al<|q=4o!ddC3Mq>W$+
z#p_6`W5(EDShCyq+FF48X4!&&5J|Xq7#tf~$s**N^y)H(J&1gNZrW<kuIBX3!O%w_
z#m-5?QS`>B$funHLukwF+>CWk5fPbEU`WctlU%K-BgH@v<JE$Dl@3L>qBQj^>ppzS
zA~Gm(^(M7Q0;#J7flgn-tE&lq=Y(3NDeo+UW$xLMbHg{;YqKBRjOx$&nAl$o)@0~s
z`h|Pol*<s8mUb-pJmsF6D)bg*?d^Sy5j7E{;az6HY|SZaYh9ohPwUjJ_?XSTa_;RL
z?sdf|gwn8BvA~W(p1Xrm%*j1E*2bYv6sa0OvnHpc%6M59vDwCRhcEbs7X~Pbm%DE+
zr>3mda!y6GVb_<Nm5mzIB9)1&=SEAzti)bL2Z^@usiv;36Kw6YB;F`c^36vDzP1&l
z2(yEnqr;BV#WrO_#<G57YGI3qMFArix#|CWC0o_oPJM{w0Xg3N-}!kF1MM#aAYxtW
zz~fhf&U_&jnMsqf7Pt;OV`DpFL6KT{xC|A%D<)wY)_c){W2Vseha1wo-3KPaxtTaC
zu8*lV&i21r6K}n)bpww@x#K#BZq2T2Ol}#SYw9*D4r?Z*3@9tP{?PQGhzRLa;%Pfb
zTA;ZIuzgz?U9_oOpf*r-F|jn82@;)-8x-(&ER40Vi{Xy&cTNlySQqJ$?O&~r$yo><
z6o?y;E*yISbS0{1aLwr*85dCOo<0<BBXD8AF4mL#qODcyoMInE6i{HW37rAGtxWl4
z;sv6U*vi@;W4owmpJ<22azWs-HHB$MVI{i1;&Fb{Wur<bR884__(-pSSMe{Eh}y>)
zjb&^p!(2-&1=70VmYC4X@l*~y;9{AeNTj2chul)P{Ae0JTI^l|e!hSFb&ZhMh)P`}
zJ4xuHCL2_g*CKN_5MO60;cU9@9*fRGcccWqy7@+~+o#yr5&5*Fli9<M%&C`?_}7uQ
z_6k1f%UL9P%OXChuRK?Zz2dTl1bSU)c1?yuM>MmrbaOVU6kztn3-~Ve<Z7@d<j?xZ
zAH&A=lK0Ms5~Do-hgI#5KZz91b|Q=hs%EZmj-hUQHRb@HnJT&j@_6%ohy=?yXm$Se
z$>-sgee8Bild-^2yNkt~2Vt_6trM>RH*~|(hwgnqHJ341@m!0P?Phm`R#nsM1_&`k
z;>xjU>?lGpaO$S8vb5sSW~p0PJNyyh?PwZ<^9jR9Ug~N{<a=ZFMwP$=bQ@Pt<ZaM3
zVw*S{j@bKxwhpv_9Tl(gr>-}~!Ue@7f5$XMRQg6fo!-^`qa(tpEBQ_a%$sZ_MHC7&
z)OW9_-z|;uh|GI3(0oH>e{eq`qBtaMf@gQu>wA?>4a7Oh$_fa!H^2X%Of5~>Gua}K
z9LSu5SjSzmFYunpO4HZxe%9^$MxrCfOAMUCf0us!Kz&x#iu><2>4bYR{x<)o0j233
z3Y)vziv#@W$Q_vAa>RhA*sy<m?r^T)SMa|QYIrg~AF^U6VwxL4F6r^J1juROonb1%
z^#5wSE<^RfL}ihvsx_~BS^hS}cr{{zf<YTU$ZT8T8N*)8<xlm1{`a)1sm$*c9{nq2
zD2B@Ytg83yz?t(!Q>@iMd=5F&dz=B5<Okz~TZ%5-XmsIJup)!_i}L4w?f*jeez>#m
zMh(p$WQYGp8k$z<m*dTi?7oSmvhQB`EgWGdNqP{2{v|=r5}_>MSCQQ5CB}RLtH){k
zGJ;!-8f4SM%>veD)(^%0l!L{d&t|0g5qz`nb%4jsJ&WFLyVIGB*0}uD-DdnvO0XaP
zD?K_bf9G$s4xMS<$N1;&7dGX<_xKs*7d&;ta^+z6B3br;uO|OYh8EJ6u?Po=3^Yq+
zZyxI%GHt4nTw^Z_%hb}%uA|vaS^v>zbGL37kFBLgDThVl^$#c0*H!eAFE%=ZK*L7V
z-`w1ZLvo|1#ga3K<yJ~nNsfGnn1`fh=`M66-#kPAQv(iYee{LE?dd>sl1x3AM>h8b
zi#>2IE=rqv6_HXSM8?H>bV^i0?{zvAn)@%?8brOMr=n&q2ZQzTO65&CpI6_Jxw2=x
zNxU6n5$iHb>IaJG#0jl#oYoE)Ifo~ZUdp+gXC@S=e@fQ$K7QtFCJ$NICO6Hw|CFuq
z?xV86hTf#+Y5ov~@st){3J#P$NcmI1H<Q07JW$EQPW<O;Hp&`Mn9seVY>6OGW_G(N
z0TwL$bOpu@xLE6~m~|*iI7q*>TO3VP`b<&;WU8U#*_Uo%fK2PL*=?S1yxra}X|%gZ
znUB$L%vYrNYb$o&t#$?bJu&q`ZJylhD?;5Z=_s_}#A^57`m}50se%6K(5~<NjL17P
z;F8w@bh75wT`NTEzw-(jd<n{zPS(VXqQuHI;y!*4{oG$1LKXXh7$2K?kwq%Lx(`Rz
z1M5r$qtm5Xx3L5~?6XtMOFz-}A<XLRlS&mPs*{U9z}nY2?ZJN(y*(@~aT_G6B=YLR
zi9VNFBkgDuJIIqH=_A9p?_K#ZJv||9G9+g8awgN0rYaBqy*x|8(&)w4(SQT{1%AQ#
zNI#1gN0a(ONV&z!BRh0YV~5R}rIb>W)R7HQ2QBjscFp&eFLld{t!A34GwL@@`vWNL
zFJ-#2Bl&g$O(*f%A{P>WvYA!o!MycEI$0lium|bU2XB3wZIQ^ufeGBu*jg@RZ!-6F
zlhT~08gQ_fvXN@gfIdp-f82@WKnt=VRwFKtl>|itf=+7%yCuJ7wKR{~L=`aB?+~j-
zH5+&AyjAA|e<xv0n8^4AROQDHzg_Oag{@Y;&v_yHPL|3_fqDmB!q+n&V0u^HStr^{
zKzTUX5M9WYx9zcZaUnfi*$5a3_{zC(LIQs4|Gk+b8VW|n*FRjrh2JFF@<#o~D`4HJ
zq$*m~_FHi!-}Y1&&l*Hkz{Cx5siq&c5n1~#Y*;)&q30Ivta}sN{Hj9vN_z5!1Od6$
zlrs|(<^n9L@)~B>)k66(IqUo)jd_vwhcR@l@@S-YiZbrmCaPh^_7wY&_Q{ht!{-($
zipo#rZA&*+KCRy}4ONt>-?q%@WlK%%1?fDVj>6_HPMu7$|K(8G?GrkfY8umZrG`=R
zYnr7z7@9xyr0%=kHI%i;^HqJ-*HF^dvm<;!{=1<2*))PZzKU{59LP{lq#uH^kDnY*
z?H{yRwGICoEj6EP%eYWz7rUIg6Jk-ukzDThJfZir@uPmJwxSnW)#dnZ<d&dnlSIKU
z!fz+*ojtB>2J{7NFDqYyqMKzPQ!5}0P;cAEN-#$r>0ecqk_LreV&*nBL)EPX1s6kp
zdAHBXa+h*<x$ipA($?cwHWf5+j>oyLD2rL&_&e|!eiWyywCX%}dl4>_AEu=3nT)-~
z9#pQIy(<jg{yq%%d{OO@Nq0E6)qwsp-rDXf$bhg-cv-%B#(H!o#IW$b1Q(R@P{E`0
zL1SrF^W44|sWlC<rxrI*%lN5gscO>B+t(p}&B2~;B{xodw+5S_MDund#V<T|zBI!;
zh)?{>K8+vZRnq^p2K+ObXx_49;)3oUx5@Lp<E+I}+#x^)UwxvBzOxk8V=m9wbML}3
zV=P-D9cR7H*wnIExes!-j4(BlBI3V;(H=#as&EivCG-b}H}B*RpKlsy(e4i&u@HEo
zS)N?EG%IBKMPVk7DuT7JNQo-11a)N_%|(wZ*pCZ}S$X2s&{-<QgmDC94_Mv{U9ib7
z)VAq8p4%^Uyq7FQaLI8(*qk!m^>H@*xlc@X^XXM(L-XZgV0o-oBFT|ocks2#-0Vz>
zBm2d!=R}q~jtl#-I;{BerR50Ag(C@*!5*Dkoy9Vc3CpGUy~SVd()rnJL7Lc<0hwD0
z8b#uYVe|z9`D~E_hT8Y3OskI0?+p#QRU8FgF5*EguHiaoO+PEGtlbjk3)c)7Qc*tN
z^@6>?-CIO&c9@m!NTvJI`E{IPsB)0j&bPR7f8V69=QWDWNbx-n3mc;mO@{t?a;FO|
z2i77z(pS=6Pgl^KG2Ib-;Hd%4Ule3o{`8YFDD~hi-Zjpb*MFVe`^VNEqm=Hqzk9&G
z+7G*UL`v}VKhAO+zE)`86=ND04C`=YkySSp?v<Wlm2<aSu;V^nPBg*DwsxakkX~}u
zdQL@*v;OL6p`XyfG^GRQ^B1#CmmR%F+8)`*gx^RSNGd-(W`N*cZ>?ooC8Z=@2W0GL
z|FAvBU0{nAYrJ)DBy?E8x)!SHI(%IJc3~zF#&1w4UvheVq||N~ax{PruI2N<&z29o
z9VD^VC4l@D^rzn$Ecg<<{{)=-lpHfCwxcwBxsbN5kD9W5$TLYAjpmv7FjC03Li&0!
zk{cIf`f5>0#<p;SZs_aFWcyI8?0$dEXF9$Wx?I+v^~r{e@{Slza~;z@i}YOj`fhzu
z!j(e0IRfpJMZGqp_qLi~ts`m5FgvMh(QdmJ6O2-Lx-ify@B5bj=Uf&3xe~l##sP+d
z>;q~dSP(1D%L?*$uNR~(2$_Vw4JY{|Zsw!xo4CF?_clDqNPr77e0PgL3&77h7yp)u
z#xxAuy#PNr&*+A$73K~B2c<wTK}qk}TPXc%ttme%viVI@u9Qc1R4pXu6b+Fw`>E_$
z3-7OiHyRlC`!7?r+>U<XUDX{r&Sg<6unMEpPnZ7m5UwL_z4Z&{*RZl=OM+7Tq1R1B
z<FxAWh6QVdBTV*g9%G^4$-`a(8#h(WBS(JA(u?=*Le(^IPYHO<r^wGDs~;$Smzb&D
zslT&6@i9~7y>#)<T_7h6Tznq}Iw%LSPy0HQ3uzS6nq7U@w<*C>j95Fb41`;MZXIj)
z;gB%jKKTvi3~nC3GB2;~TUxL$9vFx}^gn?pU1l725<kW>X5+g#L@cw&>$){PWqmfw
zib4$VUy<VU>2RrMs=DKk_dQTF$V^9`%Kxjdt|+3FQ=d%S3Tn4<@pJ)o0PO!22I%OZ
z?P!91zfaI#+RIh-C>eN9fuXE`*dmc*?)+jpv79&GWspAi*pTVezu3lZ^<FGq9VJ5A
zvf43>@X&7Mj7I`=add0!g5?3Yss$iCkmsd{4$!qaa(M-j^2QtLL_EKn+MHcMZO2*H
zwW7VS`BxpP_1D%QZL-Tz{vcDuGtf9uRLK3KmuU?I{dS!n3iGPGmzm{>69G_Dd>ifT
z!L42FLSwZo>tnVEQ~L^UBv=qmhwLgfi-nqbU)y=l*ug_Ur{u_J&}k}S224Kpl(zA!
zq4fN&oi=|<ZB6H29e)w1dOD*@-*JySzuODt{?LkeA6O7u^Xx4>KLJ`-X`Y~15T*p@
z%F?Cza$qNh;i|L8OOn&dcMe1AP_emkbMK(j=~A;*&U=O8Rk)`!b`qR1&CTHRCD1Ue
zd;jCm`K9-5EMgaMn+<5Z3`pL(Zq}`Y{nZBl%G?KA02iex-ePKpC)91Xh?6yS()SyT
z&Xb(yT5m#D(0?ob=R3}Sz;_~?Uo@eeuJ2~R1M>N8*!Q!vx8%Shv$(HNNUs&Y4z^4p
z=F0(TMKnTn#PzB<?9-^=!IhXkxvE?GNTWyX+9*!M+T#!L6e5Wh{e6VUIfKsGpNzL3
zMi+y8-Gl|v#G3hR8{9MfEtDQ)@Uq<I@*;W7o_7)PG#`hZnKD`hEbuJp@qr9homWCt
zngvdER#@kQXNjCxC9s>SXC^xGmR_>p<s|a>YUbbCw?KhH7Pu$mE5kVca%0NtfEKB{
z6y&ZJJE#%0x|O0Dk<VH>qnsc1^V5P6l0rT_zz|`qE;QelTXe-XI4kPd{WS++CQ-mb
z2YFf=d;r~@946o7b!8V6p}^q}l$SlfA@Y#NA5}ZDGrWFpocjyf(VIa0&E?j6Ks){$
zC>yel8@d5T6ar@AZ2z5R{~O)uW~XOIhz1KHLxHVqDH<ZC-hwS9+lk6wvF;!QNsIT-
zviW6dI#jkMNf=~q#hLWRHaD&R{-R&Lo6D{_tH^tDm6uaZinRfoTWlXpg_&PKGxg}6
zs~b>}{WszG^A*g|lU*n(<)8dmj^&X*9h;mukQnrnos&EsxjDL2jrh;pdxA8PPM**{
zd`-*220ZO@7W}vUJ<+4{U?<4mEFZJbi=l32A>7MvzdH<lf{OE@Zr0Tnr=-GCanuEl
z<FlqpE{j)9{cibhE**>ttcq5MRSaDfYJvleC~(MY2)yPTMvHeEZMZ3`noIBgBTN+p
zedIm{9AmJ!swFUe*IfH%4Y4=LP}%t;D6LlwYU1zo%l5mc5U)!f{rvE%t`#U6wW~X%
z1GNdwdAoa%pJ0DcCz-yhyRB)`J8sfU$~=|lLFsxHO6iyjGluey8LRrBkUw1Wp)
z*>jV0(ycFB?y6_DFbQVh79wc~!}3XFz*<@=mGt%vdiq958)xs!iH6sB2~$=9%Fc3@
zj&>y*Zr)2{{~QN-8$g>A8K0r$on!Co3)|pwX}fPcxZhtXkVK5x9MLBW#s!vXq)RXK
zkYY#KZixoN3KRHc#a!MhLUj*dKqY>})6f_owRDqx*j1!8-oSflG8`wWgpDox*aUi)
zQYjBQj73X!9yILZ^WWZfiD@~u;~@4YEt>wuZOTC-Th2<tFj3}f1O6B;vWuunMJkBg
z%(ZScPMM}$O+V`AS|3EZm<0IXv5eyXAy8gkd^%bH&-NRDzf7EwB}5A}=MG;90Hyh%
z4>6y;-({0l*j$KS#fwy*-n?VXCt5{JQr8pOZ<h|&Tg)~(V~qKi$y-<_nh*9;ZL~Od
ze=eP-KpS2&f0Z>a_=nX~m<Ia3mvdz^MwzA6E1GjZSs?kPm2>-Ddz5Wj8ZNi9)Xm2|
zwLl;q)NVQ1VeTt;<d)qkZu=nd+9+?UTvc4Bh8C>p^jFnlrMMRdqsiy!M(+~I2(I+f
z@MLMhS|-zitqPUOHh_mF`(yeTtA*P5L#YFK^VTVjqltm^Cy)7&zxbD7_P-gBPTBc6
zXjMLn2Nz?|p6HsjtTcZ(xt~?@vf(F%P2haVz+#_F$6Ge6gJqhuOSRs0W#;#~4W(@B
z4L(WXVO|qqH!Je$%?tqGcP(>z8>6F?@8vtw73A$aksxJ?(_gIDuB~@{eJ3^id<&Zn
z{%NHS{sak`YrU?00i3ivX)pgiwv*5y<P-00ZO=y<y3-A2hXF#Pe&{S!bZ(t|eTkKh
zTh@DBnquCFA`AO?NB5z+AT%$!o4+SUsses)oG+0hrwLejhe$X<>J$CuHW-)*4!0sj
zt?du()sGLq{UP_EHb&Vabv#Ct&L~Q0WL>C!AMQi^xUX)tXh&$0XeVYR{m-0eBe_8%
z3);h`4C%_tIKX}hcKPEiJ<(^TFjot&g!FqNW2+B!z3uWf{GEdy@tb%-pwUtHL|rzm
zH$tD54i5uNCK`GlnDKUfUF$=4*ZEZ0tshbZZa2RiG@a{y-jMtGX->#Qc=4G>h#N3k
z8{&=kxm62zhvMZ$Zg}(L!6qt%w<1(s?e^!dFoi}5ocC9Pk8r=!)Isw7O_16z_B2Jo
z>62YP@h6S#l5`+Hu@QVI25dk>WFkCfE%xmv@tVgX<6NmxH)%nH{952JzApBowRX>V
z?CxC_?*?$z{^qbC>rh~78waVjh6bS<!B}aNs95PDr!b;O>$S9nODNdY0gda9;E-Bz
zaAi1AT3%G>O0XsKXY`UvbV~Sw)e^n0pN)|^n~|DBjmoJKFh`m94Xx9ZQ$7aen$a$g
zDaS%ve%<HU*4bOoavfyMKc-X#!aMX0wWok_AVg_O)(Yn%OSt}RXGl9cX@VEDQo!`&
zt}2|Zis#K*mQtGit=8pMjzn=ygLqM~a$Gny+4=NUzVP?BoG(2T3qaeA?T8&!y`j(}
zxWWB5rTWrpgn|J1hp%m|?9|h@sH&%bi4)o^v8=zZ>o3e0z!-hCi>7B8he;;{Yn*T&
z;y3Uh3v^4&Sc4K$@J-N9%!k8-Q`B%nD-`<y>RJhdIMZj@HI!!*9fzf^t~vjL>2h#n
ze3!N`Q+jSE{+RDK6q9nNQ+I+UIpfP_Sf}={edhh(EeS~trmrB8t_$eTd6tuiqC0sf
z=qRw$7?+n!j3r3g7w%qUpoZ+oa#b{4rE#cBv&w1YVSED?q7;`BCs#}BioO{n82_3%
z^hw;FSmjF4J&~OsN%==uWTMdoB~kj(@$|mDb8AfHT9n>$aQ{FW17MxJV%TxK?M)5Z
z8|t%62v^kpICag)fOH8=`c?s<T4iM`SztFa)j;&!m0s%hawrG&B)znnPJMy``X+G}
z78_k;MSNFS-D%;?U7UNnJJ0D;R7|nQG0DB{MfBjcuBcfMpd=KO>x;@69P10MJmG2b
z)9LRujp`urL03wRrn~1JSvKf)P!ote>B9L|A6WxW^I4r3P|erHr1s?B(GvrE`N7^7
z>})kZbBN-<x8{e%-^a`F$<r?5#b{3W+gXvQe!j?mT|To7tRXDHO8t(cNnpwQs8+j1
z6%2nE(+N1-MX#%qlZ3e0kl<8g8eJ5>kY6kw_va7pIyC6Teye^TifIX{HI2q5yS(7f
zEA7LhpGoP1AyvNN;8UaMeL+?ksiv02|LJ&oRz2h%+BesE<*W@E^}9@qFec8DLH?sz
zxP8RHIjsq^#I?ngmc6!#aMYK}w4Dl$b0S1!O4)(QZa_#!*DBr(*fFG>VmoU<hd9_N
z^Pfns1Ng=`=u6tGw)Xb+7C{ji<P6OUzwNe6w|d1TGS%(2Z6-aFy+avm`OC6wiz0TV
z<rT&L-JWE8(7~eK>=%vSQuE1aCaMA`^%-x~I@^zw`iiX}h(Ay2k|`k4Dw<N4>8oo#
zBo{e3P}7TRIk+iPr#rT|NhW`-Z(3KF$`i@b`p4VG3%p>UrmSbOsFHBY9Lb}h=23Go
z5Le)>6niK-RAMbpsyWsGUQLSk58dwN9gGxdk8eK@Ylt=pYU^Lz%gg>05AKJ^y!s<}
z^m*gx>GFO%NCpyI1S4npRb*fW7greeK^4)%ThXk+6yaC1Z<vuRaF%L!{ti&|fCv1S
z<%Z?uaE*SIl_`I9zZ4B993zZym<ZdK_XYU%e`Cbg-VT78pE14nO|7BWKVETQLd#I_
zcxM-4tCC#P9uJ3855L+zr>U_&NL!*ykh^1HxzmT$wb<Tn{LY<O=T)%1U@9#1pP99L
z&QnA4f(Jl-p>4DFCezcSvg++!z!q3`k7xkT)?^Q*e0{%a>Z|S9eNLBWH(mURycy_@
zrh)(RE$hw42<}wz>mV4W=0f4luekp?(X@Vr1*7J^W6zC~sz5qAyAv#(CLJ;sjQREE
zrPsKG&rOabXFf5xa2hX$lzjgIzwDr^FSnfo4FdhmKxc0(HZP*ldvqhZjU*!JBW6XE
zltU*GEM#d-ZWvixSkm$d)|{Ho&tQIp&k5%O$EAvfK3FR*NBjHhO+3_!(p&n$QUEIb
z-l;cyX!!}z)IRqFnSQ6Zb=W0adkf8Lq{mmBAkjkUch+rrJ}~>L3*0L2-flECo$^e0
zt2lEiQzWSim5ZCV`DM>*c$S^vrD|@R4sni)vvrfePi=y3>t^%3&haZQ;Fj|qxw*Q&
z3Za99G5=W~qi1N-^bBpTr53zD?=AO0x3Y?_oKDM@2ZT`~4)KI8Fe)v-A4VTeh!JSr
zeeTl?fWPt5pc!caHM#bB)NeF$e&NlRQ=r65$$hTo)>wfzdfzj!`UGlDct)WH{Hgmt
z(#w7S@)ZFGo(G$m3pC;X17~#@d-!sGP+6RVlZ<1<zi%zvy`>Q^_TYlinD}mcYVx>l
zP%B-EVT&~sfzYXyL~_mgMF*7@2=}^;8cLmwoy);9YbIZ-nDyud-*-=SJAVFHCCO_<
zwumRN^g4Z9LF2ig8bNw?%pJb5SCK0{eR08ewfqU&z!fzyI7;!)A{fmPfN32-mRgf0
z=NGOQ;o&B25#MV14iUK24-tgu1UkiaVR4SNC}RFOCz?Zg-XYIQlA#SNi0Y_0{b>cd
z-@#IX)SPNw??Y9mzB<^d1nhA_Eq=wpi7|?<5C03xBz@}F8PoCOi+S21xT{iRrjb~|
z12l(ZtdHMa6I-j5%SQ`lQ;!8v<Am}H0(6F)F`bjrhNyT-!3K{~<8L7-L7FG=@;u<9
z66$=CEe9u2-Jzc&SXx9Fqpak`jCTDr!n3&QJnIQkth`S+W#bo4>15qVlKh5AVXOSM
zYGj``I}PwXdnBW!^l2IftgLojiC*>k%a+Hxdu@WHKfyv&hBKPKJ5!%XOtVOr?Rg4?
zPq?6Hp*78qz5h<-{?z-0`t8)5e@=6O>S1<PGz!_abo@3k*~4sBgf4g0^oNnJuBVwN
z1~T!z!my>xwi5*iTdBk)p!Wu8hu;fQoX^@180b`fPw9sfP+)t4Ej`0uHP~Ypn-OT6
zB#oHul1#FH-a29))<vW@!wYee?Usw>!qLHd3Pm%_Z|_ab+y!Q4Zt)X1H)gkSuo=q8
zZSs8Jvj=iX^HaCb)_Gc*A!xeU*;JHb|0~+2MfHqTxGmHO_$l)XSOAYBgq5Cj0z*>Q
zZ+Gy%q3K;-xS;!B$7ypn{8J2kcNSizrK%Mxa3UT4hW)dKu)3C13-$yjEZ}6zo;k?H
z*+TX4@~|yE(h50ex6o}+s!eL}RlPM*nnAY7dvJ)~`h)DXTjC3(!Hk#y%So&;wZ;>n
z!4v(@2<W!-bu8ix^O7pmYK$V|ut<ZzF@DTQtjU=9`xgFTc*9o~4@-5H%Wj!o+A&Nr
z-3DT#9(2i9K_rtsNANViWg7IyHb_lbT&jcwNov@XG_Uv?1yJVU6ERvDm#OAIva@+^
z$y3XZS^ou1iuGuu89wA7=Hkg5xIvzh3k}IT(`#Q4f1tBxGYl+yQ!UoBy987DAt>ry
z&u6{76etF11ND-vA+35i)@*koqx9|-BpY>OTgZ@ef*Qrw)c9Et_Nc~B&?GScFQ-c5
zO3)T|+xETw2UeAVfvFWZ&#t*1_TFYJC$&6-sG1j+pU5d^u;Gnl4R_eEUy|NLyBS^B
zRkKBb_ZREk@If#cpc?8B<m%=%ojQ(@{lHu=RQteKFKFcwEjZM_v%>MeVz0@a-aF4#
z&@<t8X{LzNI>N|eKRv}SbTaGbYgXeof=o@1Vy1updf&m8l~jWU#!VVW_=Yy~Tb@=E
z4_R{#;_iw>)mDuJlve4`wu!KMJV_A06S5}z6Fgzx<%Au9k>R1!P$OZv-AGODxstFq
z*v+uFRll(f))#x+sdayXBhYv|Bu642lSVTLlg!5$hQvvIFcRC4A(guvvD+%wkJ(fP
zKGnr{hePm;AE20ze?EI}U~e6t3NGiG;2WE!M6YvERNnIIy-~k$L1_MY$IlcTn{tun
zSH8b=()F0T?0~Ut`wT}eW&e|pctRs>L|?qT@C20vzv>0+Hd^hal@+YO2W^wcPfh%E
z0xe{am=!105w%&lgwD?TrJ|9wxH4>Md2m$Kb}TRo{?~B^zhUN@tO_1Ja=4ll`Zkh!
z3~{uD(vnYS@ogKgyE<A@#do6S%aYlGVDoe=+XbtJ16l<BKbeHJM5GRhp+R`DWU5Im
z<LW~3p=2d3Oo}-&Zz=|AEX8-R|CXwCNIfevM;rP~{H_IN3vIp(q#LC?O)Xn^!ALNA
zXxk%Ya6>aFkpZv%aLI+l)^rD38_;6owfoimE!E9b5gP_^I~g0hhR}d^b&Am`k9ZRc
z?!Sy|hHtd?B!+-P&SVFfA%}bDx)TicplH4!EU{spHVHP$^TbB1B>8tQBS#P)$pc7w
z{>}VzdBYFaj8!7H{v<nHOym5iTTkPX<pO+RxBPHfA13$criWsz>hM$BH<Lz&`?Tp$
zTCEl3L?$8Xu&*ua!!}!ptycML8eUan*1<>g|76TVpR4_BveFMPIKZMSsb`%o3z<8M
zKg=;MB6r=!U}D_A!=$H4?aHCE70YMb-=bNBELmYsPXFrSt3Xy3`T9zV`#MK@m#$5Z
ze}tyg><!+3lBlxJsE5^`QRoxS>J1bikPzSol!5((wU&;IS<B}P#<4<Nyt0$MXL?{X
zLV@G;XJB^!)@r(yMhf+90t0GaNon+jh{5%oAopYxU^cq(Q`6m!DFRK|eM^FlpRNrg
zVZUaCZ4_xt@)p$Yd)$eeEqUd%VdI^Wt-R8%zfg<3;Bjf70K))OS{iQI-K5;5pj6%7
zJ^r%oMvi0BNHmJ1dBsOB(Spv$NFSeAY)v;`q}>DoubF+6H!0=&A3swFEE2==^Jyr9
z9)zW2D<hoC6d0X?wSwo|CD&@!?Ni=hk?b0;5{|ePRf}tkaz;u#c)|>FdCHndiKZos
z*@-Vv-JVVo4$~Xhc>SH0d6scH<{R3C0u<J)XxKmzwY}RjnaZo&`k_<zHBoqjD_(eG
z-#*xs7&t3d%zP4n<T_j2u<LL`N+B)JHW2B?{Zf-!*kbkuj<*}$=taSoWeztXrl=%&
zP{M97S-FsXLo6tiM&2aO7yRkQe&VJ??tF1$3Xn`3bOv<B?R$~>5=RYiO|we?mlC^V
z@31(iJhc9ixoR{l+zuq|IKFS9ga0p%v3kNW;lXD~jNXKXHvzt0bGd(`n1W{%V;vzq
z9suWHX(lBia{Rd9Ds4KNV8rV3Ie2NKND4itzS8|&^1^L{Mv}`Z{ApyV=Cucv^d3ZB
z(euH+{js$l^~R%|%ju58m$k9OaUSlx8~(QwxaAxd=A|5{op4?pz!qd@$p2`emv9)b
z8wjE5v2N#aV6Uv6Lsx$C$7e=<q|1uDhCY}ldY{>jHA(IVrT0UC%hoC;yF#nVo%OX$
zN~sSf<an73cykd(h#EQgsLF5PmYy+6SB`{9C2q4{s^E-%*g4_<f){LO$C)^J6kt<x
zPKCks4m@oXtWipgViKEve70G5Dc)e9sO{HVHvgr*z9|P<h%Pj+)mpz@l5LY;*8G}B
zCWbI%V5g&NObJtRi^uRjV&H)XTk7Gs5A;Xj*0cbk&{GVkO3ntPX8=QL;L^hThE@}7
zuame`RSuu_x7_P8e#J?K@0|o<_7$c>Yp*-RNQ4H2K)IMHEa6!t{eXnCFcl9alfT~j
zOtTZnz9hTl!j@nNK+qSRd{E0!uEsqivoBpQG&O<D@Y;4iM$;p5!XINfk0F_DL<e1r
zR<v(KrQY{`$%1Ty?`^CJxJY5}#bkdcf0)#<h9@zLa|R5?LGz@B!bkN@o}?m>pho?*
zRs?HUg!D5^V))=sIvw>cc?b`c>2M)ASOBT*#lK}<9HKg}`NaFl**A)P`v}WmVO2sh
z8aYcBkzwn%h<AxEZ14AjGfHTe>$F<sOm8%_mdogBHzRgbou@eRzsL@En+@HTYl9v_
z+@n9@uskq00v&A8S^a~fsjwuwf1*M|W&Z@xza)s^BS%`!W67wsU9Qo@3&Ez^(l@t?
zGptGuP>ii*7ors;8xnvu5VVw#H#|Rg_Qo1k5d&k?0&^xoMWmz#YN7oMZdc%p88Hy9
zYMb_ybz+nq-f&)P)&S!tH=lo`sn&>pWwaL;<wh$cKCEywWo%2YKy~Ypept+dpkkEo
z5N{8YBF|kiN0Uu6veNH@bFyD>S1_Pqt8^uI?{6ZbEZ*GPJ}*k$8QV@ERx4B_;NF!A
zn3jq8{*f7(VZ?a90W(RDSo^BU<Tl_KxAMy{%@$&5FNu)>`Cy<2jx%~V``WgWa$W+|
zU#t@Rjo6ThkO)e)^tCKLJPgd0o`)wtQsXqo4YVb0gP4T7Rbvue5QIBK!PBOR-!`Aw
z<08zeY_EOXv)P=uZOx0VR!@AFNWZT1)zOIoJs8`y8S_cwz_Me+N??4AO4m>S=#x68
zKf4C8!3NA=;{6)OLr)b4Ncc!X+_KE5Mce1H?~curs!wFiF)zAt>O>jyg+kK@o27zL
z49W15+1afgwiWHzx|Ke&y~f{7b4qdGn03kLtkI&!ajv!e$m1%NyEifZWzus+tPmvf
z@Mvw4xU?s3Zb#A-d%8l-M%hR{T^~zZFOqj*Rp(ZJg|8=E7rZ6mR>k&uU_QerE?x?f
zmfnLHuIxLl&Gio#g{!BS^Znw`y8qAOMm*C?m^x#WU<#L&3dzS=-2IPx2WYU1Ek$#u
zmfk$49v`1mKrckW!L-|MG2Jv&{-)@Z%=;d2TEb^qMxO0t@#2t_swLs{|DIZgci<ko
zq1Bmsd3g<~H{6R}sjqa%a0OBC_1Fo3?3F)6X-Zqt3sJ*+Ih7wFo>&f0fhE?blktT|
zj{9d`H81KL|3`F}4Z6fFkJvvbhF1c1aF0(*s%{CGiCt^8g~X#tw5rsHHQo>)<|3`T
z@FomY)x|{08y#J4Qhlm4%M)1;S}nGQ`)^-LSO>yzjZBGL`#}@hC{LQ?@+dK$;B^SR
zP%>a5&1gzaZRH{)IWW%#+jF7$7tjJM=IWaLr_wX31K|y|c-_13KPvW*7`<^+aO)=B
z|IIG`4<tpsc~?UP^M5{268GX;+%(YF{*R-3VwjJ{s>mO4|LiBBe))#FcpG;Ak9tgT
z<m<=RG>pTzuDWhLFP{EHg`@<__;tShKTt~p1QY-Q00;nVVD?nwZHBW&Bmn>kJ^=s~
z01*IiaC9$iWn^h#FKKOIXJs)oE^uyVRa6ZC2MUtfVhWPlVhWPlVvPL-P#xPAEezxC
z?iSpgAi>=sxVuYmcMBHW-QC@TJHcH7!QEYcAUXG*-1pvBe^pndiuB&Qd-dwI#+Y-A
zIfG@TMPQ+@pa1{>V8uiQ<pBUd=m7wL>>z+%|KhlB-}L$qpq;!3KS22y&K>~3%aE8L
zpMta2;ge>VW`Eoc^l|mfC(0Jhxd$9ZXyxpsfJZ%2Q1ux}-w}B<2v&R5SmdI;tO+nR
ze-hy703TObpuSTZdO^MI!Ji&k%{zH~pCY{#;6V-87*ptj8e|FNL_SKAQ>b7W=AZxi
z>DtqtF2?u+ZL_3$M~P=7<O#FN>G12k_RgW*7!RMqU=kJ4?0s*@eAUK9MEXMwra6G8
zQH4g!{POM3l^~gi0t;OG-Ha>pCO8mj8qEwRrB(A8KJ;AxAYqW7wZe%6%z7Z>w1Guk
zaw&$>+xRnV1X)m8IPjLsEp8W2WsKBgu_Czk1G)76K?&dYhKDO;{I}VUmYj}p;VSAX
zEyy9ho0_YHzg%`4PRo`cD(t;HpS<9g&+LwXx13K5$0>TTz=;kqBHnoeK)fC>L_Spk
zPOHi0g)BUc9o5a6=D*C0KtYLLEa)ADr<;|aDU}P+%(ms&<zRwP*~3K`Apt>%zd$1Z
z0KOd<s6YXMT{%ESww!X%aUX;M{e*vF`{mPLf&%_I<Ij0`KoFvV1+==55Wj!+&yVB0
zei^W`p)3XnFTj6~z#ssiXtn9B;0tT5j_d8bDrUpozV)qx;|`}W{EC1+S)lh5Gt)tK
z8&B)<rWE({AB+@LS<k^<e@Pf<0lw~mZG9t~WBB~!D>)#j!?ATnojk4W)*27u8b3u5
zEv=?z`VC!m)Pj6^(j?lZcGBER>9Y%Lw$pZ@Qo|Nw{jZif`Jyl@>0fe&D2P8k2v_SB
z&<y*IWbXf@PlYpN)0*v&68a*ss}^onocm3IoT`zp@Dlo9B_iM`ZYHj6v=^E_tB1xQ
z52s+(qsDA@D*q0!gtWy$|EVe}Cze7%oF=vi;T*`v6Zv+Vt=)|}1y05Z-~Dzbw4(L&
zLEFpr)S*7NoAl`l9h)TUcAqVS>sEH`;&O}1Ykm1;t8K0EGTq~T>kR+tbP1mO+4rd;
zdVk~RFA;d|TrY|lwe%!;@Y|!Y9B^&CjxQVV?Q*EDgJ<~DBi1r6Gg~}P&+D_>HBjMW
zu`J;up4W>3%3~xiZMR!FGU3`JGtLU6aU=e}h^ZXanDQ>=RrzK*b)9jCEL#)GweD66
z@E_0pI-FWQ+|QNBNQ&VW$*zq6<A36@J64xrWX37$mj$^!@c=zQ!oNISs>61A?mMa?
z^E$Wod@RuZG#|`?fJP?isPx>u<_hC=Q?MhghO6Zra@*l~clZ*2)sitTc{W;Ix_DJv
zq|@<4_oMBxU)#O$L7nEl8dSU}pgNA<lVDs1Xuf(z<{r%O$C#vwTZUc3A&*@%Y|CVw
zGjJJ!JlN|T4uC9JDV{=xQa_+#J3grjYPKq0{`y?kVmPm^iN`{$8c^jxU&D`Ulmct)
z)c<k6%=gRa#pTa6xPps@wSrj=o4~b$hsoR-E$aYBF0D4z8xghpu2f4?J14#xWvf2z
z8z({KmccT*z-(Cr3<98Y8uevi-*Gh0tL3$OJsMDTk7$|C!PcqJRKv?^*WLP^`*ybd
za4#lsTWe;{bOr%bKRHNfN?dWNL)Soij@TeZCb-v4D>W%qWWRaa&t{Vt8EW=45cy-B
zv->NS&QIhreBL@E<%k?<6;QALh?N?+h;xaDx&(!^j~$y$<6ASXTz!hiw2d9VDaF=l
z+!)_$8L?-}sg9(mI(<Z9#Y@Vz#J08uwWKhQy?I3*5be)l?*MO0kXrvh5|BG)8oHb5
z#6G7#EhH#ySeryYs(YLM<>c7I+(wV=5FbVi%GGfZ``Z2D!yd0vwqNyGGJ9FAi_vOD
z-p0=?r6kqEoNZ+iYY6ki{_emWY!p$ownCb@9cULJ%b2Idfhgvb07iG07>C>gQwN;Z
zjsj1%ZpVhI1+Ie#@Gd#Q^c5T0O)kh$7&%ehVI^Jv0iAh>TrlG2+wQuAG9c(Rve^Tc
zmioGv&KCFuf3ydrkIUnf69d11tfKR$lByTz6{7tb6_XugSj%8OK5EHSeUK(!K*rU>
z_XZ)K&|Dt7+%4y<41LLU7wy6=w^9prggKE6b<=Wih<X&vJ5FYS5siM%v_uU~)#s>W
z2ydIKOzDi@?Ey2?gj0){^eVd&YIF?LULFA^1^hgu>#ZVT^C^Q<6WP0(pH9!yN~9nn
zq~+5Ny#jPXnYN2%>H`Bv95)xEY&7c5H+$=&hz^fg-JB}s4yjK{gu9s5DTce5dp$6r
z<8JxGs{^`RJF&fmd&Dc9+C<L@++MUZd`r%C(gzRm6FMAa6^Pj1{QbrxHARZcMpbT(
zSx2nqxX+1PV(^oKVl<~Zos^<Qh#-^LFPicNXJqGp4r3SU-nY>+Xp+R-S~W)%EIr}r
zulsMYyCYy2Q;mh*L;avNq?(Qs=8Xo%iiTkWyo)b$JF)q+SVU4!=D<>4)noPXraNk=
z?P~P6N3bzschcQ`$cNElscVQ)H!ZnxcG<+=bAz3F;``HBn*cs{8D|B1z1J~EAwper
z+k}r3+&$6&uMJU9*$k}l{-y<70tW-r>c_9%q3nhGL?WvD#I8&isDnZuVmo7koUANW
zE}$1wD7Yvy<f|2yIKhuATGGaO1Q>3%F&7~-8|g<A9H=gHRN!JYAP#AUuO8Xg&FTVi
zUq6j$S>1f#pBd8P;gTtD$EXmUXFXEIx;1)(U%wic_9-qpEH2G{vD#kNLC<I<lkiJG
z(n`)L1mMwnR=8s|a<eJ%0xbc9_kvnS-MVO<_}hTTNt=uEQsr;x7#L+mEbf8YR1aDv
zhR=&gSa$20H*mIpU(5MePrtHTyTJscOIxEnABVy3z@wE%!gwMs>_Hc+uoK;xpsbEa
z0zJ^4vJ$RcHD-696JeSB1#)wKL^2C5WwfbdF0sY7*q|&57s8uY38<NgxU^ST7dXM~
ze$}Y~eno5q(xcv5>Ia1K?ERCdyrC*w1kXwCV!T524##*Z?2;#PkFsh>R-*gK7@_DW
zjPUw%Z_nyg&w@4iH!r7*L;G9uIS{#GktAZ)c-^IH)A@u#b0@{1?Q`pDi1jkV6KIhh
z12&c)=>-xqNChHV$+ZC&{N>`Ccj1Gk(k+6&vgxYWaAlW|p7bmxGtB5)NBR@PeKM<}
zt+dj<j1iHTvx{k|Y}9V;MHV4{D2ran1Y|@KV~N=|bR=7Yz+Sl;Hf3l{&BfNo=_$v^
z-UC?hqyaUv{3Ye2#`I7pZw6;%gmzarq1)jfu702jukBHPavGlIn`&?bLOxF!*(<dK
z+HvDMnL^dTIb}sPMn64vzcn)}ZU`juqsvg8ETq2%Rb)Mt?WE}`k`xNv#+w+MThxzt
z4`doJ*Z`<c((g1@g;_MOQz|FvOqi~n9?M~HSo(9dF-PUZQfnOr52q+qS0_N*0K~~4
zQ$G?sU9zHJuzZnG^*Xc@0LSA=j}m?!qb8Z>*@o`TKy^ex`>1@j>6XEk?U$W>6Whyc
zqp7rlSgVGQHqRrm20j6}`!ik|EScgqZZEQKi;^z7T7BZA;i$vXgqTnii$<m#xl{DC
z{NM_fq~X2Y!VN~6vHipp#Qn*v4V9Ub0(pM*XJ(-GAd=7JKXt5(#ujnRnWYq_2f18s
z5!uvb_@vdsHibS6m8n_?MRi4wZa?~#t8A@(?r06Logt>(Ybl}*5VBgeYA!q|pCsLc
z1tQ2K&4d!A)r^z=z8hI>Lwp2?V6}JFk#Odr-CTOxfgftUaQ;lLT;0Gi9`$iiIR*#3
zG7q?(2q$ZRr%V5VoSN18XcdZaD&lI3nW<)4ui4^!pZ+@BDIIL-dWa&=xXC%k2b;}M
z4s(=w$?a&DG?lmLD5tzEVgWUi($;M<q7Pg-6xN*o+>kO!n6cQXX)3-*AVeZg)qizF
z7E-O<d<lJ&tQS54r^baS4{ouq1eLr+x9=lHN>T%>szbtgx1+!7lI!OWyp942;><*r
z1)$c3l6U9vdS%Qpj2$U6ropLv03bu8kyw$=#(R=7zaY)z64Weu4z2RS!<%F>a%;@b
zGVDp*3j7SKR4q>)(3euX9e;|(PuENnK8)Rw-v)fuxQfox2(~Cr0=<BZ4oxZ8bE968
zl$Tcxs3xq?FVS)V-#z}Q|5?qiR`-KT&sVOFmX2Z5R1*zmy;G+Z6h}8im?n*SL)s7J
zc@#winB>vhwRwAyRyL+Wg(K8B<joQl6K5UFcJ_sJ;mYf^!qPd2lQ#6sHN2KX#Shc+
zr#~&gu<;unfs-!p5U|@*AXSIP!gDLazxETxrnDoeVS2eR&Btig`kxqG^GCg6*US@;
zO+d&rz;H{JEWX6M(iEq1T2_t%uBjWge)e(9n{7RN(ujP?c^dWXShc~`-S6g`mU`P1
zpBx^WXl24MjMifDr4qNUP;FMzIwl#EzlkxyRx^xe9pI#e@80b&WRtM?;as{_N;dkP
z*B<#qP{D*|hAUc$h1)#edwHz4`<vw_0eP#a9JoH`BcR&jnrTF(xa=_c{UYyOS^bV6
zAX~&9munE{;FmiUpX(Q*Bqp>wVli@7#n6J@86DJOtJyF+2WMiQROyp`HPdBn&tZZ^
zw*ru5s|K9Fgdk@}&sZaCDNn%H!kiPhw^nVK=_1*~x#;O4W}BL}Wjayv_0bUHOvY~R
zj5XBtB^N!E%AWD=94j&R*pvk`_H2cD9Fd3s0Ep!SLEE*mXI!I~GMf{7^G)+tPRH6$
zEw>M?zfS!9Z$$gb*|k^VcfN;Cl(`=$Z8WPl|73hdZjo(O!*z%CJJ4oloa~o}m@B?Y
z9v<qL4P;AgAilGJZaJN6GZ%6O|6WP!Ptaq!b|gtBOxL{YKu`bqWM+@!Ff~_Q#B_i^
zVTm$hPFCeCY$f<`&G=WdYO;)N!Zl+Y=-6dPTqZwuQvqu9QaLm6qf=~L0zQN^c1y%$
z$6_=%Nt4INjwSU~mgH)Dtr%atEu)NLgGW?fUd%HhHCQpGg3$^;U9x=U&uf>hRC9aj
zRm?%bR>IeAKj%U7H{9TCqc4{lN&5=J(=jJF%G~1x@0H}mA0};1qw|tY=c6dir)c=j
z;ULwCqgJy@cPY6%kcuX8gwMmk2sNu$rEF4QP9llhTS=u;c%ybr9q?h=b)nWqm&Sa@
zXVh0iB}>VS(Kn#!;`X5SF4k<0tTU(pdgmg%A917a_x51X{K$YF^0YhbzxEnEH4T?&
zj|UYm&;MdivK)4r^W4@0BjA&Z2G+^OuRoLFzY;pgE?lo|tEeXe6q8)?^tf_`FKZwn
zBG{v`j%5V^v7dXM?FU&TuV}F?ur++h6Zpcf=DK9DrIh1c4Kbd6F1chnMCo*Uj)@rk
z3d-R)U^0N=BZZ#s_hAu;3ZZ}qWWjv+AVrNTsQbQM$Lo63bM0peu!a+A(gE4y(knHH
z7eylys)92eWC~DlGs!27<0!Ff!nV79*kYqc1GyK=>{G9A^k@?lt(K|>Uw-{8{D>f;
zA1^N#JOMigBZM$-{{#_0L7A?HIV<#f$y^LacYIm8jxeF0U}hiSAc3xb`RfFHJq(fQ
zn^5TwqRy%vrgxN?sOV8<l~u2h3Ip~rbNm56czYXsr-a$}{mo{1t$;9~c7&Dn_^0`U
z>7!=8AYjBY5qI-pEB%}Cz8(-D2$A0j|IK$_k9%PN_4@ljJW#(s-xdKmZj^<W@O2{>
z<ar@u)EnmYZ=yOsfst<3RZ2V_USXL66~weJFT8s-xX?5ZN$h{QHXx7(wCL{D+Fc-c
z<2Y!39d6Ryjiw`;gsZFG^-x{t=O__0U!{Eg2PeV!Vwo=#QmRg$5;W1VJU^WdGKTC{
zh{)|3f4k?3kOjwuS<>^O8kQAHQn9=bs&4;yrxLpY3R}vv*&U?tIzAtGd66Q&vh}Mg
znF^Rui~(XH8#saAWBlOE10lX-Nn3q+i+0pdP57b2DG((sTdcWzl@LD-mxM;6?Ax(E
zT^EYGlYW@u*wx9k?VuVK9kkC9|G0C6Pbt?2A?u<!?)~70NCV*m01<`-IGA<aU&5wr
zwXD(9wvbmB+LE%;cbiuw*DcTHX8cC!3eqP;S5)}$k%3Ohk;Pe}_zY)qiOjOW9<xYM
z0a;#0c!)T%*)a47GU;&q(9?o3P~G*|HsvdaIom9LONc3`;FaNp;slfYgm9+G3aK-g
zL><VFqdOPpFu0`o((z4s_!liy!zHuUi&>nb51~gW=g>n{@+gwQHpNDusOrf#KgF&^
zwv;DFqoyK9I;?4=4?$4(=Mqlctqa<8f3WeWsjfJ_>?>#2p;&ZFa4V9wKQFC_mS3O7
zGm7^cQW4*cD$E8L=M0uin#l?;@hcEtS+-Oz9dJ=vprm($FP?{IV~`gC88}ZfQ`f<r
zY4Yj@YQW(QC`@zUN`}w_kWlIjE^BH2Y9125w=CUDA}?}kcD;cojYC~XZ0FBD&IyS*
zT;KVgDNYFVHm$FSUN>5Q8&QlT!H}A7GppwFvnx6xum?j&y9P~4ybmrqZ5=B}{XG^K
z1}pGjow{g6_!#y1C-(UkUQ;O8gX|i%N<Ft$m7!^dR-7w=$W+s~mTp08)%Y<GADR8m
zoZJsOD9Ddk{eZ+>CqxDNhQ%?Knt)}G*;W%cvF_=wk~Np0SmS!-TFxK8Dk-7ciDYv+
zv|P)%4=VvO)j1%VCm!E^kRN<1K~snnG4t3HO}>G1Sy`py+mSo|xi|ZKyJU>ZI!9n0
z;VI3|w}*1t6|8`ZG>D9am8o=)N!JzOG8sGF+-7Q7av8=#(tt0Ks?Jm)l_aj#Fqd`A
z_oAbuI?{}i7#OGMpIZ-2d1R-vuM!FT`r7#1BZ#^L8Cd9Y%zwBvDEP2Y*DLbDV089=
zNYmI;mz7bHD%0r8ycup7T`JF**ywu@!tL{UKF??5S*+3XW}cf_wiaaM0>9jZc#}rV
zl~Ez=nOU4A9wRz~jyAiW&nH%7KZLYkIm3j>Bgo)SmKQ6BK(<QMB*hqycU5&RuODi4
zBj7>%(a>&9ddiN~vA?N+J9anW<Jkn~q@!meDxsgOSS%TLm3bGS_hfY(NW+R5qA-0{
zM{gDTO~QzGCezW$c}?3Uzvi-{w|RFRT?GpS_u;62xZ+x`yt1<BrA8?MQc%K;R=R>>
zp<)M}CP`Z|E(}GHOa6&Ks!Bb4)W5xo=qk-trE8gw!c6ca;F*m{Spp$uiLP+kl7tT+
z|F+EWW<U-AM<X-+3jgxxF~4}UIK|{{!7J|Ms8<l4!T$JVjh9#d?$-~_@S2^j+x4D1
zrq3&*r6Q>}$M@KS8v#{csjPtF$Y%z56p%q!G0jV-kYuuJ03t#|L;TJ!DYA(Jz*}Oh
zH9G1KUs|Zcx{{c1aGW2`y6{6vd-5m?R>Xr*4GSqUeq5J*FCw3oY@C{PZJ{F6?2+Uz
zD}k0;Ddsc9?GDRj#cty*UOI?5M@pkl{1HC}`w<l{j-(-#;}WLMJXBJwZOOPZlIUSF
zH!U?s_tVa%J&}-fbnFj+D|q%Kqmt4`V%TPaqac=oU{SEQcZG$F09MrKM@HSv;&YcT
zr=$Ibc4Ij*c9vSu%7<ZYJUp*CD3i`gLepB&F7CEe@x^Hu5c2$?7|A5zVLmF^X7Oqm
z(~(Xq#xE~rs^}GV41+3D+uI@+rcBSS7)Ky4eBf?aqx#e>Rl-c#<*J`e<)-2xrDa}r
zqf|nGVwKVuMa`foWC(((Mq2b_qhO(MV*{^I9EzjG8|bpK=hwGQdZp8JwW77kKaBHW
zC@UdGFVc!q$@(r4yoYBCKLD!o+M4-(la!<ZyV#nGUl^cvoKxzCo1=BFnXjC5!D^Q-
zM5WKPslcU<PE|{mp*F!Vh?Lt*v>#ULlhoT#gH!X-+u9M8DnYP(*ogb=IobW8KLW>g
zQ%FoDSA0h%+nX%R{gDNYbUX&1#BA|tBi%3LQqn>qlnN6#uP%#R%o6Yu;x1s}hT|oE
z-Rw~)wy7n)gC$+z$<_~qYxuT8>V}Zowl<~A1eWmX_i%0y2r=N`Ud*wJp$*8wx06Mz
z3`nrj_Il=Ibk=JVP?%B}G%*uDYo}jw?oxdOehP^7@HFLwOd8h$#vBVhcQXMRpncL^
zD#4?~hTgV6)OQr3jauUJKe=qHbm7&MV(k7D=@KS{PXd7EBLUrFi!sbEhOP(cPos#A
zEd$Qml26R7_t%2B1W>SHGV@kDxb7`8FrORLm!6JrxN(vgSQ+Nuxekys=QG^JKUXW8
zA++v0v;TCD6PrhS4*0f!q$7%g5uexmI@46w>{ru(Bb!)YNn>sq$sihsN=(|Njc(-|
z{!q2@VpOCkZ-3g{bZg{Xp1kd`K%*XwQcKtMWZ8bB(mXb?z{W3oOrt)Q?4@3wV#%Hv
zLa~teOCQNmes<&Afkjyb?zm?liKkT9@k|r#vvBAA8Rg1{Rvb=~VOt2+z)x0knqQ7L
zwH9aN6oeU=;vCMVt8S}sg}9?>)Xiko3aBOJ)%oE;#DRK^Zkm>GcaL)<89Ew2eqUQV
zBBbXpo8?pX|MvQ*958oZq(z!c7-Fndt$6BH&!LNf$9Z6Q4PDwiWVpdyfB1mBft2ZR
z-p57lWJ7ob7^@~!?(1W^2p9Osi<8K&${Y9S<pofUzie+T5za(hWxO6kRM>(^gXV!h
zlq|Kn+rLoL30KgTst>jV7EvD?#_ei^*As=W>QDHD;29tcNwhXZDvQON+eaD7eyB!Q
z-uT|l>D4s+(6%3wgO<UeyVbWw8PzJ#g(fCg1$Dqb9ciIjr)Ag1oLL5JxI0rsTt}-I
zvP9N@T)NzI@sYu>N9`xR{vaUbfV#7RpY_8ACz+4)A~g2l$)&%!u`9##*GRy91zeT#
zs&X0XF45N|g34S|SyfA~okOpJ29vT#{`JvoEk57C4-GL|qyULkMNo=X_h$h6wS&A-
z6#`j0prVsV6CSz4iQ3wXpP+?E7O2|L6odjoXd(S*l$4EvvZ$tCE%@G%o+~dvh94fU
zFyiYc9Y`Y2;lwPbQE3Uv)u=eYK5v4>70(Df|AwD`4tjeKGrY(iI)d`(m&3STd3Zmi
zBC5Ak$A1$nKI;ULF2nJSaY|eq8$=UOyPYIX(!<g$yB8DUUv}_CSvl0RrBniWAv1?$
zfn9#X(8~k>Zt$nAh{@N>x|b%f<DGO0&-xpwdVe2BD7=d=%UXvK_#eDV{03ra{!b7K
zD7H49qw`np2LKR+`1J2|5P(lR;(PL=)H)zRj{Z~ULuf|p<Kr_KxOPGm?m2+Z1c7Yp
z`ZQtCL?M+5<ez~Mkj}IQ9Ly^j=JB{%4p81*vyb|+A=CbHzK32$)`8dO?Qcc$ykHJ`
z*YlK6uJC*?%;UPX9IDNIf4LXQdGkF*xv=^z33skP+rC*=>f9~2&71eK3%bJ0XM-D}
zSQQoB8$ur03^&>Vg$qT%C;$68bx8=Cu9aI6R;npofqTfr^?jK{8cvouag@41kBa@_
zh5SaZM{gRS_WPngD_y|ezifmuuLIM8-zY0JNRS)(*9<7D#+tdl_&MQUQ|*@aSPx(O
z-czXt2V#CIM#3E`7vBW`{gCHDh>b<@Dpoa`Z0xqKjS_^DoY-2z&m{EyEQxC?zI|`I
zIX+R9ZZMbmfdenW?qQqy#1>HfRk&E7V#uX_;ftfwJ!<%6zfmmIf2K_)h&;Y<F6@T2
zjHA-3d2hbj(-m^P#blf9(MGJblkrjCz5Y!{9S{-4!lnA9yc_cgUfB{z%yH*3*H(fv
zJ@<eQp0=0s;b_B;#pm1Gws={N7h<kI2w3W-Ki%R6dZ<OdXHSfMtpSb95lE?>vCHo)
z?K<$&+9Nr}(1Uv^i8WzYb+kF$hTFwT_-5-zL!#+vn*}H_EhbG^w$!^CrJum19}hB_
z3^_M><YH}I?yiD=df6yJP}#1Y2oZSJyE0u_%BrIy8IsS9r?Il87<<4&K8c^kBgIZD
z#^*zDyFdt<5cFbyqXd^I1~5f(K)mFMWxq8WKJcx8b2v}}v(O0rxdlR!vpRx2Shrl@
z(3IG4Q*u`@#klKxNdu4cXPh$si-s4*BTZI+!{H@(Y~qEZFFSEc1VdDYJOJ20i!?Sr
z$H2&yY@ucMzX8=Vbp{9aS{VHNGN_99tHo!G+HPr&HB}``iTS&@|0l3=614sB8GpVA
z&ixI~U$AUBS@1RG3w32W4^qoe%IWyX!y~DjNai7E%-=TD>$_|Wl$bs}<Fl+a@80>H
z&|5y-yQ4(*)Y_VUmc;g_s@_K<(k)9eoDNVEb28ZLV&9&PQjQpz0cHxN+7sq39%7{F
zGDwkH4a~7@mHaLU7?;?myBsMz(+vB_SCXp)Zb|4j^@y6k+e|<M`p>KF{f&31u0tPs
zsxv-<j1zaToQ4}Ki?M!I`IzGZx<<}M4Y1BAsBE_Lw(HIW9U&agh_tlrM-8rMVshoI
zuiVLd=AdUUb6G-y`8;&2d|bGWrT-d@uqWdv4fqCqMY`ROb|uG{FL3E(O6w!{5SF^i
z&m6>r%`#XKh3{|4hi(8Hs_g(1f238n6Qd<=<l}12w(qcC{F2Q?52;PIue;wst(|uQ
z>Cy2stu;^pIX}6HD(z8|Q`h|`izCP0eIvYiQ&15C+P#tKyQUW>A<f-5V)Xf2)C-?7
zzfbjH+q96}IRvxUsl|=ai$j!J{)FU0-3%jHUlYYNWuN0HO$+^IM*vNq%{Ub_Bjf+G
zi1AAB;zgz=Vp{wEvSw95k%nkYa&*)a$u>3UgS~+TVQ&8P+&cBqjW!HlI+cfMW@W?`
zZV8`-G}N}gg#o!xut@qjD|z0Ljz&${yUTB7kgZ%>{rW|7TaR^EFBKlHwajY$M@*1Y
zPY$|tOB_<*U}>g1_fmr|GA>FliJ6&s+e(~?c8}!HH_&oqW7@P3{)I{yD7ok;;*zz&
zJ=yIVkD!+fX6A^2-BIRZ7zfQna+gbLuDEqU-F#(dNb!Bj5`UsF-Y8kKZidm!$W$>+
zg|gf%I5ST0!aFKhu@hgY878DZ@da-gUaZKGbRP4Qx}24ls!k$_MF+iZlY>e(gN6R?
zUngpSmZ+6BcFg8uec=CswK0KUB!|%eH*3ibXB_A;VJwzbKrGq|zbb+zq)+kfjq)e#
zGZHY(nJ>1IKg6Loj@f0EW<YZ4;NrKFoqL_1=Ct)K$9-PKH!;D(2BsKgo@H&L4U3(Q
z`z$GzGeoK6Kj!WF*cRJNZX#~V5hi{?H-J6(d(#w7@untVXW<i>DM0fRdomwBlyyEV
zFVjg87mR={NG(`DYEuIQKE7G(BpNKryX)}{<O9PL`X<(3VK^d4A^nD6_2>`l;UaK&
zYzLGfpn>*?1yD}?qar%`x<FiSy7x<>!mt}6n(NW=DZJ*>8LX!gTCn;oBd3y!hSlz!
zs%T;2B<YHN&m=)w*-tVGjkMz9jYznGEq4jLxT?QjsxV4GG2X6Yi#&mu4f+P$wK^8=
zUouAEn<mV3huo7;7zFUI2=>7JzX<kboPPx5rFu~iiz8`>RYOyAK!X66PbuH^e5A_X
z!%9^mlh56^CNfCUTgWNe_dEsDNLVD;N;I7<3zd~_@~78V$HT(GU-4c8WHwMj=J|kZ
znwl7tNm}wYBz19$tq{PnEC>`D=p^&9zHl4~C5jgXZlt!?wj|$$(S9#}Ino4}kpn-z
z^*dQQ;F{a8r|ucwWKYtlKgxlZd1JabMQy^W;X(djOUav(nAkhr-bh(rx8~>`vRa7F
z%^Af$w!UcVpZo`&N_V}(Q_|GD(?XcIU*BN-*T}<MTE%Z5=tK&-HRa+3DjC9r@1)xE
zmmkKPkvKz>iZ-PR^h`9rDo^IMVS3g7c#9GT^NbxEma=@-UMmGtbkHp}a24x~n^saf
zd!5;F1U*U^jq0?!`S~z}9%s$;HN1HS>>M!C7X?%T=Qp-Sjf9|owm(yljk)JZVpRex
zjh7*w+4Z(tzPa@366rf9Q6zW=D$x1S%GD);jfg{7*qcG1=Vq;cqf;?jI^iE-@94Dc
z?2{Yshkj1t<Fv|#>;4b=hDkk^kSC8@TB)Z417!$W4qx_q@FgR;EIZ%8D3=kGwH^pJ
zfrk)rz5&+AZCSss*QpH0z=#5?T}?AW2t-_1OUzcAUMHoYF~_x|6d_3x=>3p9Dq-y`
zf~b9k{aK*?vU32q*loULqF*cR0BQHE<@7-T<zAljOee7&Q$mTu1>3Q&q%$wrpA~Bo
zBDY;2o4>E4jUa9cDpC3Ct=d<YX0GV!Ir{TWKjy!XBmj^Ri2N!cgTyj0#X8VN@o<hl
z{ortCF)hlS-(Ro~0=dwI7pcR$aVR;ttr~;JNYl_}0Q)bj$NPP#)o_@{^k)uo#J9$d
zX{g;IvYXDGj~!WbebxR`aF-aVn}Osp76ib5T>wF31n;&tu{MJ!DA500n-~zwT6F*=
z@c$@>jNX((O^&+Qe?imfQ~;ppWMzcuzfSkjCH3|;NHj;U_xbnz@Qy;dUtq6&QnEvx
z*`MI-@3<Wt{&C`EdwRvY1h~bg^Bp2{4^|~WvGkbtwwsq+)kX+b^17F*#2F447&^rF
z`%mOubza-O{c{=ZPfqKo_iUQPskbpF9q#u+2ZI&n=#k@B{XE(nPP*Go;P_s0ff*xO
zO^#drFv^hQL*rxve&y0{xRi>a9De2DaW28@a;OQt!~Jq^iZO09GC>Kvj5n|gOulv_
zUj*(Y2mM@%Id(I~@JjBfd<BTOrqF61UXcao0~2hlpiD~Mtlbb=Md=3nrULHZ>tmoK
zdc&vgqCM~Ul<jMC+;4nZI`F;SNCG&=#dxbt$%e$lg1PNYQ}MvUrK~P1MiM<Z>X@M&
zII*9JO0IR4lPthjK$)0YprxneQ8dD_ug%v@(Jy&f`{`_ABTkVkC><k&|MkbhAVtR_
zxwP7vY=3PJ9gUW6)t*>6V*g6$3%l^sAptS^Ck{&j_Tlr}^VnqveEklQZ$NL0_;-@X
zdwL?vc6YaGftrUZ%nx2q{xm7}uZaBPmfd0Lii+3abAu8uF<r{eS1q#$E#HV)OSt2T
zQmfCTx%2Mb!_;Rw?vcQs+MiG7Q>-)Uk`!!<g1nH@t1VepUCh5#hkaT&Mvv9cBUd3@
zR~Ur~x%H0}u!VFJz+#WJx7%VSzBo}2MdsuSxX**CSakZWZ>b=n9<C5Hrznid{FdE}
z7OnmYQ_bM5DRS&J>iMHPX!(C!Iz-dk!y;;MWcew5&(xNS+Ej~7K$el;ndw^0PmrY^
zw$2S{9!FiL$TM?I7tA8c<(5ejw(R$|rQqI+`>>ZI>Be5S6!a7^X92A1^75;g$U3Fy
zqokNPS3iIadG-ys<#6$;uDv*=n_7)bG-M6mo~dH}Wm9!ntD5r45H}^gmbNOXA{^%H
zU@`#}0g7P+`A3Px5@H)Kxxp?qV;>gkeu`azbJ8*e&2E)P(^>%kZWXMrcRf@4XyRW(
z>#!Gp1oegEbA5+thyyKLLMkdlJNE7fV?&x%cQEP@tbCq;3dy#&02786Q=)O%VP@^{
zlrDanrkJ%mX4F|V5}4PqbHGFR4PQv#kYt<DT)nT9q0MwT7tcuaOz(2kuJlT|2g+Kt
z;(%mU@iL;Y0?`xAHTGN{C~hqfn3S{#qY}E6vvo_3;xTs7#lCYl;x<aH!}`5nF@)tW
zngWQjA0;;E*J8*_bt{>RM{PvQrlIN&zpOJHRC>rAJr?Utf7)Y3SM?>@v-=ToAqp9n
zTdaI?z+ef#>@d0|&I6j7%`f*NKb-01tZG(>*L{g3GBOIduQ6GsC4c}T&=DlqT3o9N
z*wcv^k4gJxFo%X8F3YEWK;@Kn7qCz$S>~<Q)~$4)<G%iA!+n~VRC&#PlfNnDl}}n)
zr$g^#?NP(YV8ekkPcy;B$kD?89?R9XL9AX|W&iTx)DW|iDbWp=gE;hSu$!}iwUm+X
zt{ClebQq^A8b;d_x8?jVfzGM`P;M-nl84#A53@ciUyg%BG&Tx%{)Kq0K)Koo`oPLL
zS%~B0rbk3~x@Y$TnH(6;Rm$Mh0NXzAi^{iB_Kd`DHE%6*@(Wa=Xj$UcJGSU`>smHV
zK}q9lPR;}v2NXl3rF|mjFYvv&;paA0@UKo_+WZb>Hd3`^QZa#Bzlutxr(iiHDiIf%
zHH=Cjvh)Rp5A|%2=>EY};+_~*R3-(=f}T=Bc`Z;$Ve!(QW8;K?-WFsNa4<OOO!(uo
zkpPaHYhVN{#Ajn;3ID5+^`HkZAgtL4o)hM=bm(6}$U8qI9oW_)P>V|{+FG84s~a;p
z#Y2;LNyINM;Ab|uQt-k-+eTEq`+J3Y`CJyz<f8wLih(4C^~Sz@`FYe2?L}S<b#3m_
zVYgTot0EVejO1Q#4JysT$rSaapzO*~Ssq(xM1dppb*=OsLx&Y@XEr4hu$o06Ex23$
z+_s2%Z?U$%W%?0AF{7RK(RNy>Q1XZm(RH%dW3n>r(rP@>PhFlYl`R;x)G8%Vjj{(u
zvz(W&IZz*lvO@-KJY7cZF@~A<Q(5Z5PX(nj?&AG?<!EIh>^Ifwq_@HKqpDj4?h#Tj
ztWDyTCK)S#9bAh@yayN8b2;ibqk+JrNqK_DNA|edq6-LF$vCnk#_)JQrA+%c15Ejy
z;lE?Qq#@`3j{QpAz^49*{Z24`DhTwd9vBuZd0lFFF>%ElGg;M&7zbo2&o|da+`^lv
z3R-z4ztE#mQ63OkXX!QLp~z`WFvd<ZYyBdMzWZ`bv1p_Vwbhs^4x96OXT_DB0gU9o
zVwi6~9eFFn=jVr)7FO?}o(mF#`D76jK#NLCjmupX_3E@gE;3>__Z}~r&95&8{0Q)H
z{s&H{{$JrVF=_eM>#m{X`E9xuYNDPF?1S3D>A=~CARHGtB($Q*yBPAHkRR~9!UG@`
zo(0rDFY8N3VRe-=y-jLhXnW#!l%0e6po_iKx?*zNOw=&*O7eT5jEdZ31wCRFm{-j{
z_PpK-l3|lZGtpw;XV}6ngH6oX2QjSHbjM6esu^%wRXNA0k^zAz8VDHrSIBL9pX;Wj
zio;j`tEIlr_>p4%yEE1(G`8F8IyCKzNwIjgu;PrO9m6m{&?cd$exy%I-)+caj}$dp
zs;xPosB=gxX$!7^nYrvYz#f<D0Gwwklg=Jr*-uRchJ{aNfpQ)RS&5(^FKflL0EO*j
zKps{1HVyGY<B4g6&imC`aRzBx9$M~~*@OFOUK&wUY4T@gh4O84yFQU;bBj}AS!3eZ
zTh@I1TCG8=iEP<T0jywy5Xg>lN4#hDd5LG&emZ)3HlQ3tLfxM=hywycC99;ABM}gn
zS7!i%7#L~s7a=<*-df#^Luv2U7o@ZmS;46vj}$<!0A18cc>fKc%WNgT0rbv;H-O$`
zmdt0|U?Da+Q4V&~aJQ<z$01_82Eo_VV8L$wY}sU0zvWGtZ=nAzLTsL0Ih3=!rmo$Q
z7kXLZF&Se8%ue$$-1qjEVzY=dyCY-D7J>y#4xoLE6WL2(i9!6`sQdnHD4140$~=U6
z{Vu{c>DPf+-LWU$Gk`0TI?L2(SRQ#K$akuJI!E$KUHL4dj_yijk3@pnNqW+BfWKRx
zx*P+96h15`zu-Jf!N0=l;IRIzDOAmzATcMn^koPzk9q2AOp<Jt%;fjW+9GPR&#D3U
z;2)^OO<av=K`CCh!Gu2{=K&D(f%6ClXF5-u3p|3IH9|z|l&iHhQPeN}TgUIf-X-K#
zs89<^3a$!VSgFC~ZuePLD=ZyIr6Jl0_Ot483NYrX2AgXUFZfVPC~K7hflDM|Ml_6}
z{eg+>hw6UG-yvtty}v@vTxahn|IsJ}Dzdm_*1R0~oW7331oZMroN|zW!t1W>)cISM
zvfEuxg%KJGa>&nvu1tvTKK0zMyvpmHfTlYH{hEO?`=isWTFOldaA!d_K%bq1*vwO0
zGmz5(qgsJt_ie#c5BRDiFJTMhgC?j<m#6L>hSmtIc};)1s?|w(lv8UrO+WK#uQb=2
z-l{T}x_o^_x`_y)9zlX}^DjsR5o2{gq{S|b8|H-Dd*`A<R>?nNB3zP@_>$0}#9jgN
z2FSQ`C=*T(j_aKmmLT^y<{Or`MHF=jB39N?Bu1hoD9;Aqmf--)X+6&0Kab-14WQE?
zFE3*hj1k6R-_92&k-hLH_5`#ks_$n^X{%1WyZjP&PhkBUgR3F#Zjlu!1qxukXQASG
zw`tU$Nj<fx&UU{(NW9LM%uPqFg(5HyZZ$}&3id%^V~JYGVFYqO1xzyn_}4EeeZ9sS
zBy5YjbdP8-Y~)(-w{Lv}VFV|>3*{I8pV%@20_3#&Fj_J6-|R#u5t4uab9*ts@-LPl
zYxl|~%(VDq;r})qB)zf;-Ez%&u)i1y3)$(Ywfl|AsG>rNh;{Yz1{obs$ID>n9Iz#L
z><J>^N684@9E|^73jK%i2KD+kcY(DthxjoZ>*sW_iQDs|8l{KpG`FDbU{}IDZ5Xx1
zfZiJAa?R8b6grSH$%m(s7>OCOMuVD=(8N%7n3=AmoOE{eIGppl?~%?|ne3K%af(XH
zIFy5_J<T1}&A88jEX{*sLvCg6fdr_3!t}_IAjBJ}5AlkNk!nyi4If(Z=E%a`w$tRf
zyO~WAe+x0(EPPaL{v*T~mJGlXQ`9R`yIHisK&mLur37!P76<C`{lv*2(6jxyw8g=E
z?9)DrEX?nCQM~si%;2w?6e>2W^5xaT$;IB4Q7iq&$wXFs2nBJS_Ym|xX1IdcM@D=-
zpwoTA(&Z_#{xZJ^q=T6yc(&A{y8uFF4AS4cES8VJVOXhg052tF=i0))NlGxS4*MWN
zGoThId$HQIX;*dG<b!OjmEBKkFxeyKpV!S?T*7Y67D^^>px-Ou59q&+>UD&=1Km=g
zfZC2`SFG_3IhsEIe+V&(J$?%@pd1Zv<4kBkmri{-LiW`}tsK~*OFp&cg-yPNrV*J!
z*~4my2HFex%f{2Vlp!U*HN{i{C4m^`*?qNUh9Y6d<=QA73VBjgLmw*73(_h(-T>=0
zRa7Eh3{WM@cVW^}RlP4)*^m|wvT@*!F83#YR_IHB`IB;iVfLB!CJqxIUh-NH8Cx}<
zpFncANYbK0V31fK``)hQD1n1a)<D{_kbBImvqY9U7JFo!tk;bmw6ri1g0TiW23$E}
zS+Mj)FQEDE--?Sz06z-yBdd`ADlUFC`{5n4t&&q>NizLganY!ugueW-&!NC-jyuG9
zfzrU}r@afV@SX+#F3ZXCBEHu{X?M2$M2vo5i`I@X-KvbmIO%$%Ecb*wb6j2-w58W9
zXN6J`<45Tfs{lSt6OJmC)j__F`s!NEDxYXwJgb-O=C+Yt=aM;BtUs@oaNs|2X1uI_
z;>?69{~+<NDN4NIx0N#-7}_7bQe%?S-jH|%oOtr|#I%1MTG;h*nYAMssWkW?EzJbP
zM-C{N|HvxZ{*hHQ-38(be~9h>Ej2gvJy)d3C&qNTq^5U$@K~(uho|WKudHHV?JfBH
zf!1dFf}fcm@}$kF#xeu40VrJy!B|n#$xM_or!Yw^L+)c3E6vWM-62Fp|7qow6+ld&
zIlridYWdt~8}e-vLy*0ueVl`sGP<zQ^*{+rGtAeid^KGabWHd2$~tk*9BJDpderhV
zY7!#>k~Xfs<oX$h+zE)MD~c=3N!r<g9RiTwIhv9GLTzq~BgdmXOm0>JqO`Pm(_hAL
zJj-kd<2oLXE(JE%8W=pOAH9r<TavE6UaV@~Y2Zo;$*^sZ$_C4)Jqoa}SA5;8?TOi?
z{{Cwtdn1!8EtFhrz4Lezd#-}!;e{3&7;75_9K4DTOi1aGhQs2nFb;`oNH(S`<4E1-
zvs_`)e?d00X@3!%e)PxaJ%3&LjN?2pPE0u_o{Ut-UdAt?pG7{a-Z#_N)`)18jT?EV
zDp>{CXrf$;SsLc)vnovvZ+tuocQ81beL7f=5}1&i&%<uU>iIJde7u<nl0JFOu9}M|
zGkeybfavFYi`ilw{x{-GqsdAfjwUv*^X;=(3P%J$uYyZ7#gqxV38=WTSUe%@$-ETU
zaR<x6h662Wma2>uB}WG9KauCkf(iSz@9&XkwIzjfF+ImXPPMP%l-gk6enaxJ0fh2p
zQ)Zwr(DEU$?Njk`=(Twv<{Hl~?CI(g&Ex`ujK$dhyrT^NtC|p@b(~YO%?^E!GwTz)
zqS(U!1;&b%8N9=MRFM;3H#Xiuu@?K*j^IVI=Vm0G`QMm0tn0_M+}t%k{hbUZ&ihN%
z?K;j;ru4m%K)<TfZjo`{mld$t=}<VFswyGcav_9HyyxBwbTdr6n9Z<=%^p*k1>|>3
zJTTImn84=5vK2oZYbDEov)$a>ofM<;UcrQ!&f;(a3S<0DFoAF9^h<7W*1#_eiO2$9
zO+&z_@i1siubO?J<nFjMEX}_PDaC9EU<*(3M-lO8C8d<xTkQFhk*dp7XM}$^KOQ3>
zny)z2khPIg8C7IKT;J`pXLH=~rn8gR91RU{5c84!+f4}6xNXi9EyBc3<*Uf?YgRhw
z9}{SZ^DPd^E4Z?f%%oILV>iQmg4g?#$`$*cxU-;f1Mq|(u2%>zl}_N4Cb5fOyoeqd
z!-#xI?(R<qyR*?#4VF=sYV~?z3X_8Hhb8xuD*LpY8f*W|M|G1%wy-^z!ob|9qTX1G
zkuwHJPB%-Neuw%umGV*_63-8DWp+(;uN>Kn-(m^8m1|;ExX!-Hewt$Fv9!mfyl7Q4
zrm3&FYG2E2zc?X{rzv9+DRMXqNXT%3&mFLK4+Fq_{5nki*fx{C(L6Lc8-SRL=Tax1
z;A69>Kov3vS|)l*NE>i4Nu!=jD;mrm6Mg8N8prtX{acPfdtA=|HsPPQ{q{X5P3@+m
z@MXA+e%Hp!WyH-p)hkG_6=|;Hkz4UQZbFN--&daM9SXgK$$Lm<_8vS8)s^k7oCjkU
z23JnK74cP;L)bL!jDbhJwh1?C4%vw*G@!zs7G#$=gQjMV#<^)Q79uwr5;(5biv%~(
z&Ju2Rv$G;(C96kBxWNZ(izq>qVP$j$HFmh}OEf&<^-oIfh(v{zJrW-t4=|$}Yz$5!
zA#n7L&aB>K5zf+PhM?k*9HRR~b@~TY$_4ujveG5blDV_5dtDzHnYBipmK`?Z0a0n;
zujmfUJZtm?T+%ID#|FU389Vk0Fw93f8tUK3NEYcGp;9_qNPN;D-&y+5jwWwuIfTbk
zR4+&~Xcj7ROdtyg=<EP03r;HG5;59!ySq~C!vGfYTU>kjm3N4f_!Fh3cGwrdDy`N;
z5L`d84#5tUSy5P^cOk0xC&FH9a|6<ymRb)Gole2uh%AG56gc`8v`2Av=`gPM)Y&F(
z>o-cp&;mNFB6v<reIT%4hu-dnhK+wiCf~mz540LeER)mW;o7L0fnN5+h&UJ)U|rss
zkThPv6Jw{*OpsCwWP->V7W#1UW(vLn9VA^Ms()hDh(Jle(TM9nOmCVBUIKQ^C<P)L
z8D9KL1$1^CrD-@S6rkTHs=WoZ>&<jA{tjxtUhj{{X?y}^kiRkRfD8bjn5UyC<lixK
z*~nMe>I)Es^EdV-;PJ8c{MFKbUQo^_?h0^=&f{`-_ap<?Uhcyx3;5@(Vq)(KtvLID
zR-b0$LOBG8OB#YEdxyJ%iu9IKsHYTKB<aV&8*T2V?5oYWZj8wBvK}6{GJ=f8(5WXL
zFONHsid46=VUY~(qqdhRzfon+5z03I;tC}<8uBvlLj0AWhl@Nrbfa{)(=&8Klk`vn
zRJ=ImKC;h+n%D$HKs>IxKaGhf8?sB&XETN61zk7c?@&vL4f~!6$2$k`&%LgMYiKu7
zJN(;rTK4wBD`YOnzp3v3w1+r2`{Zs&uz%BK@i)3`FvnH=_cL1Gmer)<6UpCIqXm-Q
z`aMzVuJrfEaV314Q)PG3EPqcFrni1)slAqC{k`Bs-WJaPJJA0<(0}X_WsnAtT$V2*
z8c$o>ySH4dca5V)-|HITJ-ViIi2V5B9Hz^sx6Xb8reUNu`VhW7576@fC~BU3&h5&J
zA%dmG=2^c?%|Um8VE8Wjw9Vy#|8SrT3>WABV0b{Cf;4!h(}&%+&7ia#2Z@1=PV3qq
z8sgGmv)9~d0K;~dh8A|i42m7fJE?<hMMu8|5K!1PK~-Pj+Z+tnV72dfMV%8_m;O~s
z^?D^wt?5|%<?A<>?}U#8#^qJ-$#)9mGH%QlgXgQR^^d$`j#jp$$k$emN^fVfSUNN;
zA$!R14Hi-cpV_!%<@nXiDbfqsc7bCypywpSmG;o=?89K_qqAP_H%ABk?cNk;f4#})
zST>Uu=S{t)q*5OR?jrYdjB0-9dTxH$_ps!_<x!8Sg3yQIP;qAf{2Zw2U{OVCCT32h
z221)o)KgO=EZb8KYWae<Rzl+vddiBHNwOTz+AY&yVzG+llwSU>Ol^EMWDSB7D13Nt
zr^QD*DPSFuu+kYmJ#R((V;?i_lqRF$6s41aXCv+ja(f*B{83^1NE*Q0_tK-h@<wC@
zPv&Gb!*r4BGAt$@TO#R(`QFUqc$=?o%))B0D+C0~nw~>2?^eGqHbNcq3)c$Bv-OW3
zLVzS$0b(`LSZQ`;Iq4rIp68mTh6{D_T>O&8R!)ScleL#YBNj}4s1(#Z0+jcf;8Vj9
zkGypHVP>lpadEo^G!F<?Kikre;a}1y@?2GuYZ>I|;4d%D8NW}htkU68{f?LGVkTgS
z`|9v?U{&QBJ(QM*`#BxPBzQA}X*m>b#q|q1*1nZgf|d*_g{zY(ny1!xFWh&5-PNan
z%b*y%&cdbNCaIz9Sgh-hV?h35pTP@dwrPe}t2qm*VxW`l^KmUeEvb%^upf++v`A!?
zz)TSy>@?GPe;YL`V9Svg1q0OZG>t!auL9R+2}l%`7Zud11^5auQrj?!gm1L?*70BA
zwII6)3bvfM8e3`+9}vrP?#}_?&u%Xzo$65zr8D)!84on#q(ni|i=GRsO(DIU#5r^~
z82?PqG=2DL!AMmE<-IU%aImw6kUPS3<+z=MEL!xaC%-b((+Vo@b}fhT@Fb0%>_&I?
zwPT&W1{K_!+Z3GOT^;%0I#EJ@P_K*n)P0oQr61uH=8<8cBAxIV|2TYejG?Kv<}|!5
znja)U=5m5$!0G0E87In;(WVh5Pxq$cmz>lEJL)6M<L}?grLIVy2vh)XAG_V7H!!MM
zzc@xUQi&PK%7(BriG++c;Lz(S4r?xz6|?_f+40pkQ{Vwub557>n3B{i_Vae5p*25c
zG+9{R1Pwij=-kNM=6flAFqzm6+K1=6m^d=e1UKD;$pe;??WcPB$7iA@1Px(8xaiB3
zD}B!^1||>%r{O$J)m-i~5<;RsRYOM#q(Z)-R>TaAh!0sKTWO@lY3RFYUWXbqwnk!9
zRUf6tn$Ja|hpah0-%v7XtHSeRm8pl5Od9o*-of=Ix@cuCol6zj;kFi&-1$s!XhsfJ
zk)ZOu;7C95<D%rJm`Q(0r?7~3IW?i>N=8P_63`;Ne`0fhOA7kJdx)#M+(r_dcc0EF
z{N5{c*Q3FcchX?{M*WI2h@wE#uSZ*0(GnX?>zXAi2~ACgiB408-(BA`8CJ{dh|NH*
zXQ1Z8kD)&nF<;cD3cdF=u<kd6`c>?+@Fz%T(B<9wP{*J69FH`ye20vVWQIAup4rlL
z@^j-WXoTIKt%~Oc$rY=`1UST$#K}j3!WQBKh7(?f0qWO5^WhebdFAs@b|%c$CO)WJ
zF$Sm%Lq#|K@vulKm0p>I3PrHTc)<Bc(k001Y-UrVH;+erB9OZbzIO)QrcTpP!Y*_<
zOu^)a@w}{@hEn9(;*0Frk(+|jsD64zkhXAgcjTc*6glt^zg|ZMJ#pf)y~?o2c?L4-
zXNfeDH*)S+ugcP(#eeQb28Ei5WO;^grvrFSdvs$X4OY5+<e|E$pM4~v+MtMwu-L>G
zZhgcH;hzlQ!Bpkv#ipbr1fcR{0iH-TNpR;9#6HZoGIDJC+BITSv!Q__m5qF)J9z&F
z_rPp|_KPRt$KZfsE@YiFolyY<Rt*leQQ7coBxc9tRG?PpCS@f-Gmm>>UytF7lZ%_h
zzFRUdJGDJ*Eyu6MI>w70K-6qOra%zqKKfV5JgcxZrU@u%g0T^7(8hs3Qz-(L@IJd$
zC2Wdn^9ON{ysf55u6i3opt?)dg)wUOv|Cg)P>=2S?$3*!iCrzSi9EL`+3*y>4Wd&q
zWPc3s=@9NP-s7V$d)%qrS*JD%57jv6VaTPFkHkjJV!deMwq`1TaV}4`RPJRIWH}Qy
z*#5MGxJAOW_lQQ(Z`~K97bVF|kIW&I9Bsz>h(9XNlvm-g?H8gQDK<deszq}LH?7)T
zRY|R5y03{`Gj}yd&5`q%3`+M|E2Og1oJ+Jlcbbjw9w(N4BU(`ctT8~<2Vya{6L9p_
zE>%JFg-=C_Klp87Tb?(rs?v%R2`<1qQxW?SB22JtP0icC{p9Maq%@kWENen%Z-%=f
zYJ(Zj!k69-j|4bI4ZjFK!MdJBsb-Cl0wkO!5+A!mi20F*7(~)BE>kHq`n@83!jTPr
zPUhG5_GOPeBh-^?9ufC|tMn<^>KS@Y5Ph@NTRZ75akG%h5Y<)HrW(U`f%*t(6s0<)
z7?54^x>B<@$Qe`*x_Z6l3YO)u?$<#@`C}O<8p(r?!eP9Tra?~0Z>v-t;jOjfsd(!o
zzIkNJ)xVclk7E}atzcD~me0SQTbbFR>cnB!9u1{@7baL<VSSria}6NO-jNPefEiy*
zVU>@BBPrFBj$j1`P$Ki2H~3?I>a!|;SRk?&qX$U~OB?nUd~>e-+v#e@4`3d<H}&c2
zP92*_LNtthoe}0|Hg0W+oN&>4h-#&B<7Iycdt*Rm4ae||9+M|F=C2IXwJIlY3;WuZ
zs6Gl$LL$vcr}1L8vam(<JPri#p1k!T=B*D{i2a`<#?L)|fAJy$-ixC=Z&hIu?MNxf
zW~YrCx_d~h%#ghp>0$1gS}*mRuQizvLwEN{VQPX>t))1$3=UEX%cXx-t;K`61}d@{
z+O;~O17O=kAN^`<P1BW82vxNp7gzNjmH+rPt`m5VV5At_P4+v2p4~w<<fG0UE8C-h
z(&mdR=Y*k&rCwND2mNGmIxG?Y9*vT(&3G*on{dwC?%}qw;_9ZnW*NTViz0^$Sb|J(
z+l#SEUfESYo4cN~)oP{Y{}2&?<%n5wh}H(7^g}oc;|d4ro*<2beO8yyi(zgz%h%O#
zQErxBSg(*9=~b_x0Tr*nba_ECN`d<nN&pereY%iXxjF5MwPH$8;X<hlfgjwHI|V$u
zmA5m-rp)xZRP@#+OhXENg@n*KpU*+vgDM(A<M*1G^{zSIZtxn^w&i_7H<huZY!oU!
z%v?z~W^rQST3JqBreew552Ok(`Hhd#9DBX01LSy_9u|G>0Vz{rY2KcK5U54OX=rPd
zv7GE#lz8g8h5owrzf3pe4IQb;XkhGfTkN$nvE%aixE<&P<rp*z{CE=+1k5?5v^3K<
z|AhMY$;+hXMshu-XO@uQIaKj4I>;{SJt2E>BUCWKEcn_JSFW0Ow=6K@I-q(T!pk_v
zr?ZolsP%XC<Qp0{;=E4kkG6AH#ScMHlI!u?=o>_YH{*-jgS{G=ykH`(lOmt@d~r0L
zG!G_ENc7g!7?B&AXNtCopRthzvNuPMmaY@8YLxPvw2LGH8Z?iaCH6*yjAStQ7}|Cp
zUxnO@@CELx=wb4`xXx}-OBI(ljMs<|(Z(yoOgS_mcpmqi6%+^cgJ$3Yo|L3w#i=}I
zc7t&km6<hq-RZ$tY+no5qQvr#!C&W!#Q*`#!1q__7NLn3j>Xn0?6#z}I&Dh<{ow~+
zK|V|>T^3&*ZwTRBsvf*tEg(N4H<>qy#yTos6T{FvCm@9M$|z>{e?RB5q8+{GGQTb2
z^dUr@IpN#FJFCGC<|2$R-ef4}Q>dgGzj`mh;p&Wc-5BvaqwTu9a3#vFAMdtIe4JD`
zgs?E^q=GDMxK`yX*|~Bg5N>V)nrT1?GW7o__OSvYpg*M0atOHacX*A^8yTdFnt{#w
zn-pQaNA6@{rGx%W`v~4x7{2l`4cgz4J3N21RGbXxCRN6@i~d_KH3pc&&E`MkQo|T1
zzQFy%`?;yfUap5;kGqyv6$FHDM+%F7>OjAdz-*Ap)ynNv(EwE<%3zKx_PKHqZl09K
zf0eV24(m<TGBtBKJL$@c>v^ryjg>=vV=ZIM%~ra#G5WdH2={fr?3jz%BvbZMSfhAP
zWFN5-iF5ef(83FW>_T*UBvj)-6L@AiG+8hQ&6<ndlY-Xb#%s`K<b*K`q~cCJw>6kg
z-6%}Tic4SB;6-*oe`CX*D4r7ppCrjwrOx)lX??$bRNtxqGUWdG6I@3F*Rk<&t*cDk
zW!rc4mCcmR{bvYu;oh8vNsP}%(W=YE8ZYbE)UUE9U+dRjw{Dw8k4IC~;jerCt8QoK
zs7LN^tp~&Aayr9(7A=^)7>)sY{crzit2Dncf8@&@oY78Q-s{0d8vCn-@ujk_fc{{j
zfF74~D9T3E>xX(P5<=3m!M8z*XfYYfC}eh1qGhB`<@Y{1U=Er#|C?Laz6t+fu1Hes
zy{{9)z}OsI)+efxbPO0J8qy$lr*3B-S~$JO6~yir=59}UZ`3c44IYJ9%ueB@Yt;$b
z{Wfn`LIqQuTh%ASV<Smdx#rLiCKR#9uPf+BE<OVIl{dg>#Fe*`ADzDbdzH7kETpky
zvo6jQT(E%I*!JI@ojy}$ma&WW;&mTM+uBgN|7fJP8t2NT`w<iYD1gzEPiuZu_72Hf
zAp@WLCJFa)eBIZYx_ByUoWf#lNHO`CBV5$70{MC?)vTm(sp9GM5nmNyKEJ_)=+kpn
zwEH5HTZ3eBEldR&Og#!oKD4BA)1}>UU~SbWfz!*7{-g?H?=DvjR4PliG_jQ=<qLa)
zRcK+FxM&U^pXDk(|FbFPKNL{UOTaVyTwpbk$rbV$^$L?G_`sqP><xxc1ih!ElDt>4
zv{ZS%yL!u1^IM=ih@h-!_qudN9p%Ei_!%oN-NaMXRS`<Z@+YNs!}M=`ltCX*^K#@6
z$sjmAz}n(=I4v#W-5~bO9yJW!OSflL6tzW%;5oy71vg}D9WknViJJz|(90Oepm
zhH-AakF-e(|1a^=;bsldo(|p;x~kuTln0?*l={V*Sa9fJC(e|H*O|3H(x|tPYs62i
zaTXtnrf{B|{iw|=!)!Q80#S%0l4dJA{TklWvEjaSY6=ts3m+P`luRtmc68r<-;lUC
zwkFyU(XD<dx6<aY-w^@_x+aJ~i@4i_Q#Af}byWNE4lNBJe{_|G6wuYXO(3(V_X^?j
zG;&ei_40{~5=jc5Fx(AJj0o+zAqbr_y}v{d@C3%5+{6lA@W>Aa_z+qGBQlrpv-{cS
zKCkknaqFsq<3=YD4bz`Q`2hxwiUsBoTZQen_cGk5cfp1Y*7Jk=8`-cLaEQFt%%ZNV
zptu#$!Nr5nkop5^QTANBoY;s13_`X9+&5sRaFU(eBzH+s{-|}^uCYAngOBMGsf}IY
z7FI}RpKPh&dbv^d5AB_NV!BrHm2ztSOwJ1?POPWovqImc$KIO60!YXfvYTA_g)t?Y
z{Ytp|b<!J5W_qEw$X2D4e8{z1bcjb^Z#`V4*x4Rkug)0TF|v6ee7I|%bbpPVd;mYv
zXE^zOslHn$?32a{PUQY=XSYpYNap>aN*sD(<MSmg6H-Mp3IgA#x^iNw!XlY1+g5d=
zWLy`v2nn*X2lpy?f1Sy)bNJze1Z4$BK~Y60;h#k7lM-_~Vxmr0zK_i6kSyrM+VV=V
zw&cX}*(C!Xh;A#TOiyQ<&ZOCtIgCXvd(3i~ca79Lr>ws<QuB}hcQjJ-Z~q_ENEHPC
z-_uCd!ltZ&@h@3ExdU4L-G`Eko}%C)fHSOnGpLG`1v&HV5F6K@4@Gz28+Gu5?(V{f
zJd?o_DUZ>xc{x<0V#W6GXZUfU1%hQ$N~n`c&Q~Hfr0s}#>>!kYE1Yo+phkKEq%3Ly
zP2fD^hZXxexMksC2-o){4~xyh@+2Xki0!kxO9`@q>?n>o&s^2tH%U0H2c|hUCm3GS
z!#|NuTtTzkJ84uT30{_6E2q}8ez<;u45t$|q3EjBohql6o;xXo9ob&hLFiN+Qk1B`
z2#gQuI&xHb6;8%-G@L{kg=!#+++`-pV?9O;4d$#~vEjC?yA7@ob}t+}qr=u_`t+`v
z>iD6WTKq57RBx_X+QV)kvUwOZ9Q?@tn}kzmX#S_dsVE3htR>2u98M^uhiuaASbJKt
zQ@O@wx!wy_(WiPS?j)UG4SCX0K&Al$b%1)s4$tR$DhinE4H=-C9lvK$InEo3+=ziO
zIVIIGZ7Y&bc2fD{-GZME(Dxz2Q76jt1<DlYRjxzX1F$`vb}L}#(5VqKkyXMr3C6i5
zvzIAn(#q>>TUq3782pdKRK?xcHw%rpV>fPIGH$99E;_G5V#UzN<5IrUA<0yaOxg(L
zY5wqm&0i2h3-%8+8)<Y<LyOLiz%X7|>huzUi-mn#@W|r`H1|zj-VF(?#@59X4ARoX
zms{(C&Y=xBKIu5blmZu-2-~w1wV6Vi1A5kOJc`8^rv(}--y6^fB}`vHRpXQ;i=->k
zVNFmyZkh~_-~?E3L4X*E(;<bZ)M6#t_b9YBg%*HumL@luo9|kw)fApq!+YvX9NlBc
z=T$NHs-cgIgu{S;BY`ijVrTSob!tD7P%xQ~NZf>v#Y;NrY8J<d(^n-UM*WdhmAjx3
zWd&78`aj63GR*(GtSU)qtBQ%z=M5^^0fs2)<-wF%F-)1K{9(K+JwK803$?{o15Q#m
zhpqUL&!o2FOzI`v^Ch(Z3!<tE-x6ZRD~Fv_e60xgei}4-a(&qWp@q-qc(;kLi|RX}
zNtQ<^N>w0KHQCZJ?QptAh2{3RPsSdlz+T1Uj2Jnuw*B70sHLJ%mKobXD&D-5KKo48
za6l;9fH*Hl54D3%fXXa6b*ogHkeyu#smrV0r_gc%JHBk$n_K<K(38`#JK$SeQ`?YX
zvcV4qtuy;&Bs*sW=!PG)x>We3Iiv+RUrC~Ns&n=u%q$K0^M@%gNE$`UCeGU!tZnjZ
zLKWAm1thW%CM{_gs<=%D3m>Ot&elvmp<~xQ0ViDD!=tw*K`0N7hGv(A@<CCE{b<-H
z&xk$$#q7<o9US+k+Xrvm1{c_b^K0OS2KnUa@eL<~KE0xZhyk2F&GvG1rbl2mCeP(<
zH~ySrX-*|T>}^=!xm-yoQW$#_3fnBOLZp{EDchHJc+nl8c|)l>0V1q!kEri`M~-Q|
z9nUa@gAR<@I65&Okm`<wuOdU=&r=3A<ik!PxrlXF-&qc>a$+xP6k;q{I>aC|!XOI(
z4`r-2wu+SLRmvMmZbfhBF$f!;g=Fu{!9N85wmB1$CTK3>>{k=+r)SE`Ah6M+Tf3MH
zOB||PSSXer&OR&vnsO>{q%mo^)|{cIz$W&JGIQrA&$e$v^G#!f3{%J@F<4})B}#W)
zna|UWe<Rw!)NO4hU>zO3sNR$3d!Y-t%WF7vNaAmCpA7CnW=n8!gb|aut^V|tgg>Z`
zA}e+FcyF>5wa1nwC;bd;iUJ1=$eZUwVHNR1VfDrQLt)jxd8fDRVf*w8#A#%RnssX<
z<(MaGmgv<R=e4biO6t@`4eeVcBUJ>`=vsSF3=_-$R0goFQloCId_T8v=6CrL<wEDH
zc6Yc^gVzlFQwjB73F}#?YFBJu;tT9=Y%uL4CQGsybTWoaW5<k1iXD1S_-<TBN;VkM
zLeyxeEr`%#(!ZlO<RM2bmNF1L*~i5G!UmT>cRucJYls3PY;a|1TU1@4OsK?GkM_da
z)=MkQ-rd?ltiV3UQ-Kkt&l@T8)+EklkX^lMCZF3+tzhsEEETwR{#l2~Z)W(vEU!u#
zC3GsKV1t~>87OB6i|?4`A3>#jy3?e?f4|LWxd0MmVs7(=t)%(97d>~og`~65$xhqt
zL00d=KF6m*>d86d7VO!7LI|%1J7n@ZILIe|k0;D1wu7_>Cjq$F<6p29)O@XDVsNY(
z`3yi6eb#i|h-H&w$u0qiNQA67BnLnBq%qg3TkLD`0ENXC-CVDo;9v;7-aUIBCkv~s
zWW-1k=-al6Cvv4GZ8qQ%LZaqLB}+y~QYe56vZ;pb;>z2w8l3pwD`E9!dHmO{*8nT?
zH8ffPzk|rXk<mdM8WO;Pqu8F`6DxGZV{w9*HvPG@*@yfdrNF%h3Z(LMcm#((^)PKn
zdh`XzJ|}jO<rQ@(nrA<K>h<F0f|zy~La8hJ1uk4WaO0thX|v~<K%xZ?9-vx8C@A=;
z1ALD~1!S$-TXFU707gB9M;rdjCm=>xAwNKBlYa{3ineblv=<BZULHhoEn6r>uDWG^
zM6kbSuQ&-r{2fvNpC8bko{U@2@1g_sw{v@3^4%FJjIH~(GxFV?O}7CHaQQdyPWw}n
zb4ZPoW8vYyGF^5@wZ9<3g88qPYkhfwV7iI`SZehz4@U7FBoit3-}ld|eB)kN3hY5Z
zo=+fKfDjxbk5h_cY7V|H;^Z5l|5aYZX&M-j(Er1)_&tyoUG4Y99I6SwpNc1vdBHej
z?&LN$sViw4)URKY<Htkf<sr!z3U$>cjoH_`qPtYX-)`47sp&`*3t_(wZu5U;`!cK7
z!d4NF+_hkF!6ugA8pG#b`FN0AS}dZsH{*uV`kL%~J|vjNIZ`xYQC-|T`)l8d4O8is
z{c*-SMIVCaVwjvuZ<F>pUo4L46x@f(<7M9XfCmS;Ppek3E&4b*gV(byoCwg7+v@B*
z3k-X*?GL@q>qGxjS|rSg;k#Sbmc<j8h@bNE$$wP}A$p|XA}--p2}D*ozeYu8(-<7g
zfOO=oE6dzla@;93GYo87cDz~}+C-Ij!kwDS`GI+nA$0IlDXHe5dqV-*uxsF$hVVw3
z4pZc$=+d#0EjB~(F@fgQ@#<-~!JK0NI|5p8XiyE6urXP{UsjZhOTT9Bm8xNNYjTEs
z_3_GE!|m+$BtPUu7tIFw>>#gcfhV2)<vtHp<9P@h3Bt)*5e^X+6)+k1YyJa<s#3hg
zLdmgQP7M&SE>+A7d_J!&uYcuIH7vnUC4ZzO=5Vn$EC;t*Gq?xY=s1P{pG5u>Orjk9
zBp7{r;#<gH%ICh>|0M4FUT|x{ms4D`6I4q%?Cjm7=-_AgZr=O#QJ-tsoPi^?l)Rk%
zPBKrcNszO*-foG5TXF|y5);b#k*wu@SiG#{egw&X-xRJsk(f@9hBb}-nvQHZY1Di<
zi!qPMiC(tx)7P#CDRdb6b#1pxHcGiKm814c1jE!eP)p@^W!z?JOP%l0J-ePCN^=p1
zUc8^b-E;pg11}kJOe_cvsFt*K{v7@}H8%iJK(4=xV?MXGb4X25xf!<N;3ilvpphpD
zF;SkId*&*BxS2PCbv4exBwrv=(rTcfW$B&tdd*Va0I$3r{HgaL{dw`XN$T~Y%I{F0
zV=4uNK|5NS6r~{Ku33wNaX~^Gn&TqtIy2$#8SEEH@#kGPL7YK#zPipI?$OKVlKhFi
zMLisL3`)@z^FybFO3o7^4Vbb;u10dXXhQ7o0r*rif+N#KJ=EIc$d6snt5d}}Kl_PY
z{pCvABKP5eJR`VAJqU!#9)2^YjK+)zFcAzd)OLkue}+ilU8FSY|1O++n<Y&eEKI~M
zEjQ)Orb8Bb`sw`3VWMf?qJ;xt4aO2DKi0G*iVvnBUgPEn(sd+21mx8yq-`uXhLY*z
z9(_phl6ow*84*VB$Py;`KeA?8iWB-IfrH!7!9RQA<r0>D$1jwQS!C4z64K=N8@%}b
ztDh@N`lY#LuDs-Iu@|~-aiZF*bf5NG33ddB$R-b%f(mT(1}P1R)!~GakMX2E_%ZZW
z8HUsLM5^5ss&8r4+0a{vG)#Sps=7uwT!LaIXx)g#b}wsKidfa*Yl-SzucL;*3q3JX
zA=*|Biz!9m;!Ts<V*r#;wJH6iCW}g3b<ybfRG~K4ao@5*_Qp-ciJ&-MYN^MBp!gJE
zVUyOW@$aJr1)49>?umrj-|)NM0Pi<X$U2jEUD}Sq{+8>JlkV<)ilfsOd+RrD^2QzW
z_*?@7@;xahLinrMuHHq;v>%7QD?`&pEU&Oy<TPT=2bH9C1SXvOxd<x~j`Na3L)-G_
zgXvTd){R=f%Ml3q8MT?FH88~WSJC!OI$_>w9;#J<Dc1k+!xK9W7>fKABwe@tFr2*G
z)hQW-oIplCgMDY<BeJZb(Qr6SJ*-C)94tUG6YXzrW~wxafy6n_0U6F}+UCBQtD&2U
zXo4M3e^B{ON7osT%$|a3d`rAJYH{`zZs`+Y%cETbYSnaTzTqxZNep)f;To{W(9<`#
zMlM`UCZ<co$u!%_y4NgXYOFbXSNQG=<n>U4UV>uRDi{(E4?t7iUU{($ozy-HY-Hsa
zB_#vhbAMHk8dHgrOT%hPjvG*#s%;FTK$9k<T+h-QM^=q{*G@o3ne4TaEO;$7aLMig
z^VGzZ(&XNN!-tHx(2gqN&_K8B6T2$-y&l)FZy(Neic~HT8zWFk&R_s#Un8ueKQ={C
zvvCzb_<64cnaIMx&G(pXlQNc6Sowq668K#(D5px0&TLmAYijxP?c@kMpI+XXv0Wte
zZrOZS(c`Zjl)2+wGM|^?T(seKiMZ0q!ym$x2P@lFZ>v3eZK8lKT=E>{IXV>8gu~9l
z;(%g4VwE<C&Qsee7N=G&W1}@a)RW!!UVUG_`_iHuxdw-J^v`c>(-}AjI|?Slqiu9l
zj9}qq)~ShHr@$;J*+4?d@8PykcVK#8b_xwmPUwim)Wp8qX>v!gS8yboTyOD09vDtz
zq6@z-O8krA@!Nsx140HZB$DA$wrt37)M97xk{u&vt^XakX~{5{@Y_2-bb96^hL2rk
zCO^8bi`y*`pZ^+vKG)S@e1>gfls_T%Eh^d-jg)4oJ|LN~Ck%_sfAmM|jzYFv+#q&T
z0``Yv(yD=UM5YR3np1ca3q`x>b+$Not|8th7r23SA-TRqXTeUI<TeV?n4LBSnRn8{
zM$f9A{4k4d4`<qqwdC<nJq|?)M`hWkh%W~dL>Q&SSCSHF59>-<hC~GhNt&M=c@hkz
zqGD=wbxHE*ehsDb>P=)~*B~}+3^(Eff)jvGv*T#05|q@S+u+%;?sY$^`1d{35C})h
zALNUXw_6@2As^8JEOd5<izld<)Qh1zWS$$dM95>Tj_rVPkaRA*5yAlgvZPdDLq}cG
zB6e2s9s#mZ*@0(D(uJ?v5gpqGfaRtd&`C5SIl|vZzGc(xMG!yAOzyGMwjlFPSX}7|
zG#4FYRlfH}xg_a$^x967Q1Gdme3;_|`P!$#H3ZFFr{%{^n$jZl<nE_fWzQ#wD@t<F
z75RqbNLa@k_Skc2@-p(;i(@wWOyG=2T&YbDpRkmQm4w>xDXgp1K7tds)vxYkL-t^H
zv>J?D)!5$RA!@N2$-8ciO!vkzS}NI)SF?}{o2BJm3T}pg9gi=8ePnz1n1X6dJ9NQ9
z^wBrk1k5hcV>Y+;p~JML6e(N;KPT&$D)>bTqUxuXSM8`xDrNS$fqjuAZy;SShAS#f
zaihtLHh=Q9sNi}_47Ueq8ocj{&{BDgyc4sSI#2c6*m>C;KPyr_k0CcDDD`f|l&S5F
zNbBLIMkME$TD}K+43^rJB7LF^zKFe@>E$q`8o3}CtXVDa30F~8qn%IIpHs$?6QUmm
zc|eW`_$=`R>VkEA_l&i8y1HUQ)k?~`{X_Y9e4VnDFR@jt&P10gOnDF!JeQq3$`kAu
z%;M5CWC(g%LZJY}$*^bGr!xpVxh^n4<HD(V5NP!Gy7>(y!Wfp0-WVZC8Tf($E_1X5
zPq!B3oIaE9V{j}}ynNg!c4Jt1=ALUqmUw$(t{~dG4ze`pJ##zwFY!YggAb(%coR#6
z>ksC~q_iQK-^2^H&fIt~yPqzqad*lVC6J=@iTqQ;`gBJ4WTwLPOpj{asrkyp&5-E8
z<`IMV=$OGcg?ufgs?A^p|0;zUv#0w|+}{2{?SM{AIwUiu_@|s|3Oyke4b#~vqY;Mt
zdSiM`preS?SVx7?qpV!H%H-1D?AFGF;ZkT{;c(%>!G%hnL$RLWX?-Pm4M4Q!oG;4)
zET|p8PbtR>3Yt>(d)5NO^^YXX%mYr42Y<!ipzsjd4laHlV=q>HTJBbn@)YT`T{}l*
z`hj}_8hB^;^%zE51rX3yqxg*W)33MXm)G}3EUA6gPuNk*cH!#%fc&WX+RQh%JCHSh
zBoz*3Qrxq@`0m<ws)RWjEvOO>KW<V9woS>^xieF}!U`XV@|5CzpIT%Ut~+-s`;^nH
zvyn?X(b1AJ@9N!8Phg46gHhjys~#J7n+|Er$UgN%&TWMGcH~A&i1At}p-EsqkhH)K
z%QCv!PRt%Nf}KYhw{opr5~pdraaZ(6cfyp}qUB<OcP}ntnJd42SYGYOx`8s5e2;&P
zep-)`d)f^bp=2uov61q|U6GWR<m4*hsgFUk$_lc7*n#c(U}U`VCLIA_#ROrxo4<}t
zLqDbDx421Q?juK-bLAqX3>DA%sOR!buyntw06tyALiXc|FqwTFy9OE2Te>1|*q#wI
zSn_HNx+G;D>{w;65_w)Sn#^=Eiv|<eOvh_NRlSy2JwVB;3wiS)0mCl7bPd(oPtmx?
zJ<M&`1xTL_!D!m%2ov%Ya1yd_6=J-!80Z7#6~YdvQqXNkpbRmE;&g-Y(lGSmRs^@l
zGr)9=l)C%9$d<P&6;3pZY}-#yMiX1jFMusJ^36@8ESP|laA|jYasfMci$<bn#H?6~
z^S@3PP7kOnb135$4F1@H0t(@_s{><(C*cF2QUu3F^yVf7fsY`ewaUX3D$VOt6e&=r
zj$SX%<ioKYE#%e>BsN796g)6tv_ZE70$p<J9_V;V23fOW?ZEvCF2@f5C@ilNN&R;a
zv_~AkXoLa6f5f75r<1*rzCyfUm;d-j_1pXZuU!2>2B#o%AjU6~|I4dtd-BZ>ciqC`
z3oN-`N7_$bIEeORXYeKi>HOkM5a)O|7BXX&;yulpEE4#BNp7r&an%wo*Xt!;#l6*P
zyp{hBAr<7nk+w>Q8g>6*gDtxc|4VF;<?jD}Hptcy^&)|a{d&ZB{UuyP3wOR~b>N1d
zM3_g1-sp|b4s`T|W4Q>uwmO~1qPnGFnY(=Cva%dZfIEgnb)93AeATn9pK`aoA4_qs
zuSr<YHw2v&DIO0hYx_NZFQWh}-;dttip;+|N^fr~D*E)_-qi$7uI+;eIDQ$hu7zTG
zVw5^9A#@2df6|KZsC_9bjg+zInF8pRg)yJ|v8-MFQP)G^7Y`j46@`;Vl8J2wwq%uu
zd)A_s7yFh)^9vhA_Fij$=GUu@BKLc5JX%w;2O$<M5DPz@bTStcP0dcjx?0)TSxD%Z
z1}O#Jbl4df%t5Ouwg`$L6n;)ynkrbfD*)SbJb*$L-YN`<G>ke}&PIC!qGj2FV}JC~
z>8J0KLwuU}!rad^c$AuHtc|Y3^Fjve4z25eqTj&9$(zkbCb0L_F8%vfTpo)@vOkhV
zT{>T&3N*iyZEqkws(utpQ6w3BU3(ckV4_45x!C9N1+6X56pB{BXE=VQlpZ4hBd;dU
zHPF$!16x&3jT&aVL8|NV$WEX_-HSyYgj{zG#Q&T~(VDcle7CmjzeMCc4kF13PlT<F
zoMFo<NpFh~c~f9!zG2yEy<d7OP%y3FVAVLdVH+S{r@_EG4YLq4UJL|OnA@kbgXuL~
zV;R`zXOw+U@GH5|>v49YTVlMi$F2QQ<4<@hiIEn1(n!_0S$Ek9A0x?PPrHp4sRFcW
zR{<|}?083Y+30d3A%yQqzqyuI{8kcTV{2ykhN<Q}R$JqeNz=2=S(bT{=axk^g=1UE
zp`pBYG6lAMbeZ4WF}7nG{cT?I=+cOY@^UM_vS>#D)y>F8t4OnxfB+9T2pwYo*9efD
ze9oJXw9?4XRRRn*i#VZvwCv>#KZ@y~e`9#j6QkcY#B$D;aj>*8eU5F=Vau}PynCFe
z9HsgSklel_PGFYR<%f6U6>y&xOVOjSlrLmY=(8x<w~ahmL|<okb=4;{X>b1%_IX71
z08J>}kgSPN{3V(!8XaAB@%k$j(k&usale$Z`X1taUK#w*(z{aJovF6p;<14W&)k(4
zMk0^co&=cE57^{mQchB<vnAC4qopy*TXb^^6c?yv>ik8Nu!gqV$xo3o7%jPK2F6ub
zDN2RNT{G{HJ0U}&_KZ%Y?kx1OHRMTOf`oxq2$}0^<(SA{JdaHGKX~5W`a91HMWtRz
zaGnslA{4jl8E({@tM#ggdm2I?>+2^0_vBUpLN=REd{>N?kNi{1aZ0(m>2_sgd4PF^
z)jb*U8W$}CrJj!-W#V9bb0*0+?3fx#m$sYR&Uv>z_P`E_y!O4Q#~`6v0XJL;4b3!i
zMh8hSWkZg)=;e2Y?{spH?~)xAe5s+VakGc@aH^+49QB>sbV!;;f<MBV8Bq8dIO%uq
z%g>^<_;UwEuE99bGGyvz6;IeMp{l+P8~xT~_+F6ut=ZbRD{3eGY~V!NVc78T8J+o=
z>@w!(BX_s_uaaxkx38*czo}SEX@YrFQKL}Tm^NYKk#fXaeT?V54l$8xt3{*$&GSAn
zb-md3>3dX}uN9k?&p}(6zkC#Fe3GHjIMXzatsP7r9=DRD2Cq6&Uo<D+R4J?-AdP^F
z(X>8P9*R1MF34l7&JXzgLGj>29p;fwhYgi7_JWkZzI%I51clHGIdV=KGS?*$EQHv9
zymOi-O+G+%H!-W4U1R){_&`o%_9Z&z=aci@6rkDssL6g?-%qCNrA&cGM~;a(3dvX%
zIzTNooglE{?d59v%{g?0q(vWTwB1svL_<@gIgLMR@x+cI`kNUHPhGKA#RWO1;*%wW
zhKl<Ylp);%9x2fW^^;%&;G$BGY;;(&57ugy{s`as^2D-_vj(`jk{+#VPiN_``*9FI
zr0y7^vKmi`&K60CEjG@J?XEE=vt3C$P0NInE;KHSaV^^4t$1ws>+q7Sl~vJy4y<jf
zSvi4JE?gucPW&8`@zP?XOlMnpUG4V?8IfHAeG#)F_30_dZs*fX$+uXvcw2`pDVrEW
zi3WHC0xV%5<WB@SXU%gb3}`p%>@4mwBDoFp8J=n<)jf!*Ebe+DEpC~g0|rl%kl!o4
zT+ZemK@Z;@uCFoP!Lcz;8xUa)L`vX)tze|;B&o|DH>t|NVzU+=E)goAh~*-n=X$T#
zc)n#No0y}=n(rFL=|j<L_gbQiT4qfPAr590ZO3ZqJWzd{DRn|fIBTcHM(&rrzBjyO
zp*Sn3JI<5;Y^8GhubhL6%G^6#T9j-xwjYvvX~_&%T@?aTVlop<UC<X^bW`aBq^3iI
zQWCmUzj*w!^OY5gsXDV8p-2O}aikDEoxli8po(kkyd}D+z)~E9?RJNDl-gz~3@b%2
zV+}!BydU*In|3{FY0kA}b5YQ#raq+_JfXqrAotx?$^V24Dz6Q1w4?JF%+;4sQCA*3
zkQmjjhzz=%etJR4!l0|ipaiHr4%YmfJHRBIpWrX|3G+fnLj=v0IJZuV1TAc3IKW=s
zRSpHyXMwuNwraUyg{pWfAkEIVp|2$~m8LdadNaKE*U-~v<0PJkrF1&-2rkc7UEP5u
zvS0L*xVF48(uyW>KEyFH%MTbb%(45?-+@5HAf{PxGPL!J?Q@SetHD}!X#<;9?R(P(
zFAOV#?+foUp1+uA9Th(5aokST3}{3nPT|R?*C~u++4~|_6Nx*UH^WMQQ{chgXE~^(
z{iV#8m{5(4->{zKlH1f~tP^IbyZ?j>7~NVENGT%{+nsX4;2`q<6RIb&3NK$w&s=2o
zIdqCSHX+*&8vF~wo+3A%1j{+<nWItP>FsZ~*Bd?SbMXOEeSG>$@QHn@f04b>zz?z~
zO8Gx0dquJTTV!ua@c)$T9jB{q*c1Hkl0Amk<xF#wx}^3tUC}EW+eMv96)E4OFd}am
z6%=}ck}{@4!y3Irm!+Bn8bCXtv8a*3x1H{K#xxz5-Bz1WQV1>E2OL}n2dCkN+3AXR
znAipFJ3f5VN|HN&w`+2D+CJ((DZYDL>}N0ZuY{kO7_3gQwnfF9gK@kkb~2lzu9~|V
zdsfAZL6Kwde^_C=Yjz=TP+^9r#Z9cx<RZhT*6sx(bM~&uXrBPR+{w2+`O+-;?rmH@
z0nSOak8gLQ&nr{?K<KS0D5MySYP(W%a3e0>j(^N)k?(BgI<dN97q@-1-@G`D$Zkd2
zBEw^7Nr|>WFS|988WbfmL;H-mw3x8W9Po`7Q4yir(;4GEk`}J8T%n47qzx#0mPa*-
zale~^z(40>BoEua$xkVwnl7tb!&5ixJOXpNU);+dGS(s7D^41=ER2X;z(S}JoG&Qa
z>^c}NVuZzQOUt_`Io~LUT;CeL%3f@VR*WXYR8P;0xCYDsQ&!b#8<2E!<HUMAU?O^a
zh9JNa-3P?EY4*D-mM@kn;r=n;rZfR8)uqgrS;;Vya-$?zU_;mRqaepQVTQ+lLl4Fu
zSp_y>q&Pi%u-JRH5EuE2v=nmv4<<0-)`!XH(IswSlnntm)vp8|;NV;M<7Jep_tnSt
zWDCLOZd@{?gOjj7-O5DiBulvIgilLIKzj`I5Q~a2X4Kf2_oPrJ{{g(L!xSyygBiSV
z{nO<Ek)ZO8L%JnPT?&UDtIH{juJUg*FFl`ZD$=|R;-_zSGD{Ni8g>Z1q%!fq8()*)
zBcCR8)}7InDfv#)@AMl&$No{180e9VNJ{h<ufDov3I1av0ylSNF@jk%;lTCPok(CR
z9fm>-c=o6=az4d*w)n=LP)doP8NNii$6`1OYkXQXcZ(WqisPsee<ja*>R*I0T;ty!
zJCD!pU!wraxby!`ko11nB*K})viUpr50LonA?@Vw2Y){V=iTksUjw%McOGN=KN8m|
z5LfNH|0Q3PQWdemx<$bvTG=Twnc}VJ_B7Z4RhIm?Zk-ak`lKD#={n!Zwng$;`0W|L
zo325fS-Jnw*z!ammNMnOAYOI9zY3m>*4Tv;3fdj_hEyOE?&u9ym-5wlf!TYno`>yn
zH?t-AGUEG#R+tvk2>^mWhSy_7`ena}!mj0P&?Zuf%bV%S=S)MRoEKZ~_3|RzNx|t8
zKj=iN=Yj52))2Ql=O2F_*+jO0-Rk&_^u8^(ecsCvV+na>{PE1`x4XOG=GZ`+KZC_9
zk-p%u^$`-=^)vxqL7mDAM<!LUb&lP9(Rn(>TlsHMvIqD7ijo~Y-=@msg@exss07Dw
zdD`pnzd9{Kjdhb(u#6eoZ)<$o9pzeDfd15>;a)M(HEE4LNiWr6?35Sh<~C|n_Nr#p
zasS6V2W&6XWgRZoQkoksBi}Kl_F3`i;9rD|8r$`O!QS<sq~ms)_pkjjdvY}FQ*(Q7
zm)%XDw^%NDt4JCH3xw-g;p+>Lx4iKK$>M=;?O)<W0~;T1xx7*D=YJSmT7QPppYPH5
zS;+N^v;)c28}}k(#>?P9Hy>f_uRhrsbfzSCIFE7fPreZyriXYCcBEw+_TeLWRp=U`
zALfhYjfnHX#&W(qu3{qZlg(X9!xK?4p`MN5OB-DXz3y8%RerG>dQ6j6PWCu^JW3a{
zNyqDEHvVwJNntD*fQpqvCD<&W-?&`juas?3q0U~vYy6zzYUW&0?G~&xi3ibVJJ!59
z#}y9EBq|{oN%?UW;OxJWnowuF5={T}o75P?SZ=+1H9vLXJ!Go{ao->1rW0p&U9Fmi
zXP@$ZQMMAA)J9j;hUpcZE#V`9HY1`zFa<jz93Sc(k1&VQ9zM!jlN>$C>+uZ5O@)Kf
zikPjQTV!A=Ne}3sC*YI0+CA3MHi*cv_x@$mdE@q5*7j9?Syevor0I6qe$`p<ju$UQ
z)pqnWnXRtS>{;4Ia%8m9pgEKN>sLXumw^Remhkf330y8=Qnc&z@pM!BOF?9K(0aPZ
zy0W%5q8Eh(ovj$-3t#@Q3uAi56_0Xy^qr^fN4!y6!)JP298ElKkN^OLJ!PN+K#0Q`
zM@woSTahI>du(;-=#|jp3{m25vt1~Uv$Ry=<{l7mrhdz$>YOfL&%8<-)ZBq$ik(BH
z=PvtjAyS~uln_J`*}~GbKtgYsFup*Tg!J&naN|&u@PVz&2*DD8o<6!FM0<c5uWX{S
z&APn`?A6EfhQZN0FdqWAkFWEegU1MFNP~&eLJMRj#_pKS{2)HKq$N~SDBvPC?EnlE
zZuXILmS!e@_5dlvs|Gc1c5~@nC%#jj{A>sQ1F<iTe=j0QC)=b5I0`YbjlV09?~4xC
z6j|zbfjp&6et6B$UmWV@jiYunkr|>rJ$ZW+0K#$L@PKdKFBIdh(1BWU*)Ra9cBgT7
z?O?yz+4syQtkM1@fTs9tzjZRne()=&^J!l>o-CNy-tpe-jE4}aWI|IP_le9(-?E1F
z+mAJ^yv&$t+P(2RDbroEizbkeN=P8xaZM)~G!u`l6#FvjroKEdZ+|JkCGOfI!PFfM
z)#i$gz!XY`twi!RO<?bu6v~^gq5jEQj*Abyu+%m4LN09OK}MDgK)%J4>Mh6O65@AG
zDpoYz*}4!ck}Z6GWE5!BaH8928A`x=C6xp?E<BVX{;<&|?o&fsdmW933>-5C-Ev}|
zH1>iz(5T%<OB^j9CUZ6f$2U}kFB4cIX%KLL_&mUE2myOMw&oEO7iQXzozD2PnCRl@
zDiA`!=#;ov7!{07grMM*?!StF^LvLGLP=(ZBjpjO#44nNV9LpRaHg5FYj3(d1wtyt
z_dV9I2ewXkJu+vh7mN2FpYj*=H$PwD@@AmX)VDYtJ2{=FiX)$`6C%W!3~z>8m9QFU
zPd0);Wuirz$ft+eZ(Kq2H9LdsG|zicSr+J6vdM+&7_%1Inh#3Cwl~U^C6rW~v`YO7
zWm12MpP|ZHb{)%rv6}xOH2KyEcuzOn2&{<m=SV-;G!UZ4kd!#`tEa-TW>XQ)rOV{?
zyDXnTzH>I{mW$bK@(Zrtak52%sMF~{0lPn~>I@+ZC~)VrB7Vz9hV3rzv~I$JU<Y4V
zStLIZrr)S4dNQu?=7opnaxy^7G)1FQNwO79o>Z=l`R=FJ%{D?J#kX*ui;uOQ#1US4
zb)uOM1x<Lrx9ELlX#wp64m`L`g+6BHRIrW1tX?eU5vX=<al@TLF3xi?xbcm(C}Ar3
zqoc^4mq7-)zu;lWwc~yNsVDbkB^#Rrck8H7NOBc+_8{yQJT7Q^H=+#$$u?5HeHX#r
zc-}??<VegTHd%2LRCEF8IB1$j+X6zK#F(mfKVu~ZR7Lqz4uqumT#qKJMqd9b8IJTn
zD_sRBh)^}n+&RmCTjJ9azlB47LyK}qLX&9Hh)!Bkih*)LnpKPrhaUi_Y9|sbgqOF?
z;5Z<Y+Lt~qSTgt~nA*?f)Rd^v{>~StT)D>_pnez>crph+75O1SuXwzB^uDqf0I|A5
z7(kI0L%ulb$a9X9O0z$PK|*cCEmvKfRCd~otE%cCAEZ-ey|)uYMdefufTa3-A!%Z;
zkp6K}IO@;XH70myaRYH|@(}|wfpn3o?o-ZDqQf>}9n$Y+nNBr74N}gN2?;YXW1EKT
zfT;(n+0{a@b36sN$EA09-#3j8Z+8cR7XLySb;$zCs6CQEzL7-_`iA~wXlkhm78f=g
zBnW#J_VX-h<2!7eUV&|SVdg$yP{ZCOQgRhYo{6ubg_89+6I3wb7B%ZeMU`FXNG4>G
z*V!1pWk9R5tMyjR7c_QY;6M^|m|?me`3#r^#6)!>SU6@h@yj|{c}u(W5LQUz=30ev
z7|M$j(OStUj6bXGiWBgdgP@ZUXMmhDdk6!MuM?s4$w$PEIp7Ij%>vi1cJ0B7U+~)r
z3MsB7SNl^VNm^@CrY-Z1G+n7Y+Yy)Jkf6;Pb=w24<uNY=8{eFLe)ImTL=f1W`;0tr
zrzuuY4ySNhu85TXkIA_(cS-QB{xG4qlTrwP&UzthxIo;(`GVFXc+GPx#F6=q4M&Se
z<XPIlh?q~fD;LMTzr{?l<cH|kpiG<FBW8fW^!LrKAsC?7!I|X@%<wh<3F^@&GQgwa
z(jz=bbN1);i3wP{K?$i#D-4=@F}D4E;wSOVAy;nclc<pKd2}T`2?7D$JDrXSVE{&;
zi(b@Xo?*f-c3mSpz}MF2(xRPYlaIJFx|dl$lT9CF)2v_z)^D`|)EY)E4+zS(a#cOo
zDF*<X350&u&HN;%p)ncpXJQNzrYlv-mjY>;mMdYi-{jE;1=iFG3)}gM*5_fgn6!$s
z*<eu_O2GgL>a8D9Y@S3K?J2jSV46EMiHfpsJd9l+R4Zlm#ATz1=Jo~rX(2PXoDMe~
zEwk)W?!BF3E~JP8kH6h{jukl%K&dyMU{9=6wGJWK#MN&`_D;+gLVSY;HajgaQ2C*|
zJ)ZYf#f=TWw-iOGc}{CVWwj~jX;$PFB|o0QogGUdvNDtYn@vWzM7V(Ib9(NaUc214
zKT`o7FpYcn6TueXpLO}qZ*PA*q;m7enOwJEga7-l?@Lz{hyiC`v@Uw$-+p{=KN^Su
zw+swd1j>K>P7N{ckxjiUA@KRHmv|b%-@V+rxum-$wjVdQxn27b*KsZ1=k|zP{2JHl
zQN|i7Ay`6Vx(${k9!qAsfBGC6OZ^(3bHUA22TM6E9RBu-b~D<sgl%xVe?5_tm|H_=
z0TY1cHwzbsLB8*@<`0bq+t}q$2m9A<WAjuj5*1=O|4j1iiv<CIQt7sfxYscZ#U4Wd
zRG(nmidV{t8-?RN021FqP-YI6w1>flK!r#hcUV}?+A~JzfzltzgX(M?JpXh72WNbR
znjpOG>1qY6#2pI|^YWLJS5c@4>^J*^eRHmf?<`JcCuJ>7=BxKnhYh#$bHLPGuinns
z?y>U6-`I3Yg16X(e(r9<ow@?NVqr7%%6p<=J>NH^IkvS`G@{1bk0_E8&aPDA=6I5o
z?PDgmZe~|C-z~;*vFQ8V8%z;RV!7Yvc~ifPSZlc7&1VfWjsyQ|+&utXaraHWh=sth
zt7;VYi5xkOBsy1DiAW#w;o#A*FftxdQbXX1Sg`S}?XBbL?`E+#VHU2)9X~uHo7+Tj
zM#+scW+Q%lI(BdaYJr%O(v=2hTlKxj_QX)AKBJ#Mt*;N7L?s;3DjXKsihsrHAf9D4
z+_I5@@TEWHBx>l%1r+$4DZ{tAuRY~_rYh=F%>AAAO@z&aayI{aT5o4f57^78^8HEF
zYn!E-m&er`ST?coAlpJONFuLWX`q(0%>-ilo%0=Si2Ow78K1Uv8W;86Nw>xgFCe0S
zU#tI~3`8>v;***jSew2iBWT$`7>##jh%oTLnxwRI;0AHdCwin8Czscjq@a_6d1aJP
zMH?dg&HfQC<tF%Dgqv?{Tg0UNSy)JD)yHNp`9PTfih8d%*SB+Cs~bGVn9|=XeW6|E
z627hkSjl}c95sob{9NYE5-WV5OBd$z&t@_Pkq<_2^t{#60)Mk(ExYXMuqf`tT<cGj
za;5~QdZgMX#n=K!^sV}<U7o}JnQl8&<Br`kgjD4Tqk!5Nwm*RlReKpfiQxfD5HRA(
zqQy^wa#|EPX&}$$ba+gMGD6mPq~=pNMKK_hV#i(KJ*7uA!VG<FSk@KI4UTKzCmw&)
z9(*Y*Ux5_u9-1$KMhb~d^42N&V|_6;$~iB|)u3PmMCXVy$NbC1SHOtPLE|XR=MUan
zEKeX@qE4MCUZNYnE5R|XqC;X#ZMkK>U)CA0M1p%C>8qTRG8jw&&&lx(9Cw=YY<!6a
zEM`{IXU`+GhyVcKI2PvPk&Dk8*In44w?N?}5dE_d)WrV_xDGpi0N32#CTi?<hS`=g
z?t&*&Ezu6j2OVN#oj+8*H4F{ed&7|_TZF-~L#-=DvIiH9tgi#1vLokYhw}LM`Wvy^
zN3Rn8jFE>Y@rIp>p8N?+aN6wbI?sV++ARob0X$!c?U?9pdfppEY*#xTVO;v;2LnB8
zSNmI^0m~|A+w>5fy?I&>|9roltgvSS9I3L_;kuTY75NCacI#(=@DQR!s$ZP1BfZ;n
z=J`cA-z<2CR5T&rI+W2T`cO8Tc%8>2bs|ByS+%@<;Vgt#N9}PHg^49NW^mTS)2b=P
zEzR)F*=82@eY#_OgYgm_OHoYWkUwkA=^ZFs90iac8?Ehd-DOIne-({1;M??sj`)<<
zYZMx4vF`bb6O)$VBgL>6UwcOIAY>_$DQ^fWGR`9px_5bBOV2b4_xK%@VtDg;A%#!l
zVEs8sntGOK>*h97UPpb&Rb&R%Th&fo+30@>z!LSm0oX{p{{wz4AQQ)~wzKU5>E7u#
zUY{@>lx;3%LO4EgrePzq5b2k2jl%o0m#X8uL0PeB<6PJ@oocJzQbvmLOXK4Xx-_Gt
zD7f2i`YbObnw13(n11RIVUeMu(Jj!6Rz}x*UTAUv=YV1-kh0~5>u-QIv+1}{sPEFu
zdesulOE&59|0<w0Yau|aR*-Lx_rYc#eW7I07v)g?Ey9ENPb;yA-&$FG%Dh}pt&(^T
z*0`?i{urYp8jrEJuBOTU=-(T@*MM3Cd}z_7RanoCcrEG`Mnv`#0hh*>4BC7WE(YGp
zPCk3r9?aOb&lyCt=fb*Q11PAmpKR?ipsB`$jS#37xkF@BXSYTOli|}ZDc{N+tt6}i
zab@l%oI&{NuSI7)>*$-6&UT{_UJN}(sIfKKpE&sbtP5BEw{>xNX=;9DadAS)Vp;hH
zaG?{Ib4K(k$3`Toi>D=7MJh|>J-jG2A;CU%@UZFb0VGj{Y+{2U2Q2rRnR<s)7LZTg
z-C|GOqyq6$)x%Qfc&j0kB8`K=pd{(8r9*7J4J2iDIoaKA<jfv7v3$=Fd*P~Mto<+K
zT<?_yydo(u)34%i*SQ4g8t}T{D#2twRb6=O(GE~!mGgP<{u~zLs~||gh<jg&*}j(J
zevz0LF>f&YifIyDJl1_Hc6mWwr&EMOIKSjlO`C}AKxj8VPjqy3Mh&Fu1q-*c9y2x+
z_!+7jDnr^+O4Tk8^05Gh&^%W|^~Y~dMy9Hb2dfnXXgAp({T-7OHLwcu3>@4DV=!Hg
zd=`TW4xs*wV5U{&Bs?!s_*m@5bH6DH%SpjszajdQta{=|<fCSL3y*CSj(;+R5FhLP
z968(-Dj<7*JpH9QOdCPEMtdXP2lI6;zAuxkXMP3uUL;3s=U-g%iuoPgZVX%n{z11c
z|4Zl=b@v_JHbxNqe?hluAe}wn|IeUX#jyV|y5+YjhfvYxyVo3(G>4<F{cQ)b`w%Gl
z%P=y&f;sA6*p~VO+fI$I)JfIi<vuKA>twEKx2{x(v&lhN>)S{#8BKoWXHzF{0@h(|
z^(fnXkmL6ZV{W;sp^=ABVcJF1Sd&HekHq?CN-%;TiPo}Zu~W?Ug+1?wXla$0%0#KH
zBbt#5QYV>5!>0I)qRDx;N6srK9Le$C-WW}s=hih<SL2tynv^x%<ftC8R8oiht8Lg2
z|AuPsEB;SW?YMj&>{fbwK>)oF%m=EqNBlswwsh&_@2EC4|9^~X^X;ax(oL%#3mpD{
zOp@?-T)RCl#E9@8*j7p!2wAyOUYac%<!@w*17u3b4IEXwk<%IYAE1{8AsrB+2kbwu
z$HafTJ}e_I=s&OjK(-zv?{C8atgm^PD{DR5y2)c-MN%R|<_A$B=BAxzYsyR`&_EK8
z8N`3*C*alk+(68buLny*dA%y9(c9D+NT=;7vu!TtTM4pf)czGY`3qWv78m=6)XGX=
zii~Yf)df&tkk$D=55p_Iuy3N-2!Jx!zV78wV{q(!d*WloDZuidg;3#22+TI^SDssG
z@#@Lp(H0x@KpZ8L@UMNyh>#ohhtzlA<oX9)|AtK&8iuoAx<daPerkG@1MSJja0_K-
zcyp^5MxZy>n1HYTwB8clW(4L=7X6Ok5e>#Xwvx&eI2~Nhrl(d5A9YYjE`I%#7IuqF
z3Fm6Q1$-LPH*w=wQ0&YSXFvRu%DWT_Sv~g2c0kbG?L>d&)Vw%XW5)9vS^Cu7`LDE<
zNA6q4Y%2_rwbanJ7RRPL<Q0)n!Jui&(9!P~Z`c@+k31E8c{p)@UBX5wU49}?ofK4m
zUetKvn~xnc7IeH{?>|B(PTB5R&E=Yr&`5UPsZupxeZX{g?`RWCv$iInZJK?)8{)!r
zIX6#zeCQg(+RhOldt)WzlpqFh!gUToR}?YrYtz%^b<NeKlt{=Vaw+OmAwqVM_K&m5
zt?Q?hoZ!hdFE2Gss$G3~U`_pw!t&u*SXOqNja5lZnwjdCOw5H#^BQe!8=(>swzRG?
zDQ|-m0y2$?-?@7_ppr?j|6nB7Zn;);a{hd4c3}ek>S{MlUDn`qy-dhXSb@0Z9P<YP
z>nJH1TC9Je?<}K5f-Uuddxd;;er>-OCH_%kwnL^x&nJHza!6Fr&Zf^45|q-UxSLhl
zy!K-tzqga|^*9V11XY5bnQ@cFGP7^<dr$siqw71K1uqmD_^H`TX3Iw|b83~tjU<Ny
z3m<3X76Qt%&En;^f4Cwo^#hDyOA0V)JPOi~qO3mpIvga8ZIW^=vMEcUs#1ju;R_aH
z8u<52H$o!{&v;%~VBPsfdI$PSVY{LZRM347BAKgJJ8iKAUyj6KX9i^8#)peHU~Qs;
z^lJcKx?~5;Sj|QE#+>*{Q4jYpzc<RUIEA!Jsrm$7PsH8%@!jU)Nrj(|84(cp1;s`^
z>XAH9ECnTEH7iU6fROO|BAW2bh4{wvxAUB+EiI49WK#u)&Aw0HLm!1;lc*+jobvhy
zyv8RKEicB~vlh&vo-Qr@{4*^79mIaQD3HqHrON`aj($hWd)EVNO+y_XaR|}m*BV9p
zJfc^P;%%p(M-<S0Oun7bRML?BZ914dbH=mHB*{MCp?kG3hNV+*iE1=^o63RM+75A`
z={~<~$Ms%<H+v7AW39nGsIS3@)6S*ygc8D2Y*Db_lq_~81w`fSMNmc-KBl`7q*G3x
zN|G<~YvgL(>w4;&1_wYw88ULMiF6|#h3>aqBT4Qfmj@Uz#FayP*PKXcUbAyRfkY9$
zZ4SZU`M*q-9TnphSm~S%vvEgLy&UsB0stmu8-2t=CJDtPMY0eya3eOv58W=?ju
zmvij5KseZrD10<bPAE#5{QbiP=Eqxu#CmOV%2h8<1hCT)(}QS*FhaQlje`}<oug$x
zYpstw8?=E@<kw@}$rZY}YWu&sS7oT=!v|oYVHXxC(#3=1>T5Pmyl(WlVGV0&oGoqH
zce_xG=L>+IJ<LxcIpWmSI%xL<WBIs=Y5g3d<aoDW3*|Okp!aH;>Ib`GZcrM-_3D{T
z+igrT<WnLBkZw`1#;er%GLMMFW%1VXH8wH8L8-xtmVAN>lmaqE#re%#;Gh*2Iug_3
z$T)#`;oU;cV^w~_CN9Z{MvJWdbtV_D9J(v5#wp{QSGAl)(1=gOJ3}Lh1*r80(R0<?
zplbTgC<Z{p`g`HaqOM918WJJ2MCc3}dI9zRht1fsj+CMZ0fu!l2W+|E3j6I)C>&#x
zPOxm^r-jVHfOP$#=>p!;H4-^j+HA{uXD_jQ=(Tbw|D`B?!}J|zS37r0L*#F)cc6x9
ziQS6w@WLXOkNerP*&{B;_}`if(8G>})vIa{)XjS2)I?U~-#xb&m}aBGAtKjg<=+=K
zvvuw9jwbTv&YE86sSHfo_NNI|?6s%NFc-wT8rb^GgF&Y>o}(mVTM!Zi0xJ0(F;;Qt
zV9xkyP5kNf(TQ`IQ6helG=ccrIr$5o22N;P8L!HN-EsXQyDIUnG0Hb2!zV*Av(@kp
zyBs-NK~k+K$~BH;db}}+f+(^$k$XYBX~eY;6P_uyGu{V=>8=fQ_Xv3;zFX{We19`*
z=ae{}`v)g<0;C-=npHkPCj4*`BzEFtr%7FrWk_VlPb5aw$4E=8#!yq)L-CX-N7oGQ
zg4vFEA<fXx2ng?Ei?7W{0a~L6X>v#50+lA16BAUNTspVLJH!_PjB%QD<a}`Nc!L;3
z3^-~(xSs-n48Zx@&k8|fOu<#a14Jc7<hYdX<*EF%MC~(t=Vl+W2ZC;j5wS5Jn0H&W
zkR=~9IYO%sMU(z+m{J^8U<X6_8)j!w07Qm2`X;sK1oXa@L4Bdw&;L^02Uq$=60Xu$
zGJp2`{=^IO=tVcm`xuMV!J`@3n`A^dG{f^tNYfQ_)d*StyXCbSO4+*RDr&(OPG4k3
zG{A?R9e;`wka>k!c4UMZCBK260>(w7baLF8Z%4jdpobkdkj8Fbt@&5jFFc@YRTN@1
z514|MfKDivwuJ2po*C!EDH9Zo?1XZW!fC0f60At-yAvCD@t;}^Y(WTo2$N`L!7mNh
z<ay<cLG6AqB?-gK7bNn(q~rQSb}zK6xD)#OJE!7P_=pz0-q&h<22xsBS{c?M4_d(U
z+#?%q=TY;iVZIiL%k##Kth}~OP(U#Z$Q+$Kj7S2;k|&hwi1i@oYMsMf6_}<RV#~C!
zhKe#UY>@@bpMcgj*B~z%JrX4renTx}0^A%pp2<*I2<J#@4z$5l6Zswnxor<zk2-cg
z1R8z7E-elYx4T*VTgX&Ydb4aqAmrsJzFg#Y>CO6b?3Ewk(vr1<Bx12Jz#`Tft;X6p
zO@{?`LD$|c2*XkS>_Mo@WXf*j21xnD1ktYW@-Td#uO#J>QW=|&5D5G>xw!L3yYI^V
zx)wG%VT%Xjk(tvkITg;(e@jNi^Q^^{is&0{D&XhS6GqsW&SF#tEjUaS>#(xLe<mIF
z3ReA%D_U2r17(Wp8WA+VF9W+2M1tiP>2PQXxe%xOS=yn=vizH&v=8-#Mb?B3o#f&?
ze~q*-Mb~eYcBX2U{b!Tf@aT8T__6@E<5Af|C&+q;nivjC7{@m!d6uXj_R2g_Noo)S
zi_kt<qT8GIT^q8@WaV6E8W+5X_of7$HHc@ceq`N(e9zI$nKr6oLJyFwm&cQyB1_Df
zUO2v?1n?MW<SV>UY-n68t*mE}C*RT66{5EqDRNnp>vC65!ytujq1)w&gTowxs%^jR
zv07aDMO><RLwbaG0zWYp6xvjX6$b6e{OV?ex(stShqm7Cjdvh~5}1tVF6NaO!Y#<l
zwGGxHH9t5R6V@reIrtg*i668b;c`^;TR13K!F)Ht1_c!6Fzq~Yff5+mb0=L5g*M;(
zomZVX0oU&~NhC#pK(t;^!ZFFZewu)&1!(Q%#tICr@DJ1Z9xTv-vrr?i{bZ#+_?}q>
z$#i>n4dQ;KwC5JSvN;*abTS!gT!IdANP!nKdj_u}TM;Cn_rW-Xxrj&xDpdxNjaYhp
z7ATt@ki6L29>oOoyP|Dg1m6%(N*+j1PhPYc#8ld|TDN>C=bC=05R$A-oibur!|(;M
zaBbwmc27os+uk06Fy?f`NBYBXF0z1VLX`^{EH2(7$CvXCuQ7qHe6!hF_q4@D?!U`0
zXfXLJ?hgG9qDmMfPvb^zRtCi!Bwj6IjAC}4snS7x$N0GK82@L^_hX2D(c$e9{F|H@
zd{PPzKS)z%zSu1EnW)%5_f=ZqJ7NM}5cPceATshmIdDSLNe4RDvZ^MkHDRgv{}`Q#
zxXqI}?Kl%8-a3eiK;p_h$!{Vg|DX2s1u-0~h^KuGriCA<$ddo|KY_Ke7pr9MkBeM@
zCOv#Afqg;$>&9_2AQ~_cwJ<y0+>5}s$ERz%H}xxLll_NHp7Gr#&ln!Xfk_Nt53S*N
z_;mHN4;dFUfScPxtCB5)yEQ+ITIln;pP6^<arN;WP$S9x&gm4p>vgmU8^h$H$eKD0
z&DrX4D#cudjKUp)Qa<S#w|?vH7j^14Ysi;v8Ybfs-N7!NxUx1KO-zi&*NZ74`z#<`
zm7YT_TDxAxy%0zPxt9q^4Hl<y$GbqfyQ01fkh27#1-~B<PWFvK8<Xj@M7s2!KbXfP
z1p#uG)cRam>iYfD)}<taLhF+@yA2gRS9`{Rx!AYXx{5hiUL@TGM)ltN9_-YY<vw3q
zRuQ`JLfp3x5el+!>8oSEpJHrZcafjc=JTyamCJc|`B1T}qs^sPMR5+Wqozl_=45ZW
zVqsL!-mXSU8gMxp?sT=;={PrI3-+!eOI{Cuz6tl&Jj5F#dW;uiD`LT<OG?}J{NNYA
zBpje9(yC%w-8X8;cZn+Vf07%YLM<ZNS_$fDe7%YLHG3JS{o1Uy>FV&BRkA?)DDweb
z-EhWJ0fo6D@X?zR-&jP<y?iL7P0hV7nIyqbc1l%gt8JY5opUf8kjLR^7sJ%qd8xXC
znV$%QFS`b2*yFyQW`FHHt6e3Mh*lm}59wyzycFJy6wP>(iu-Ik51Y6=ejGMl{7{84
ziC<)MUnCFlhj-l5yD;44sTez(8Z6$8QSy2|%`QK!d>w0Oeu6iNMnBK3;OlubtdW^T
z!eosf*Y?lD+*|L^AkIy0F}ueKXEI8`#q&MFFvofu7#e(kOn+<}^CNS-T&8(Ee?Oj`
zSbU!QwmKZ6qq}~>XMf8oFG=!Ry0LgZr!meCM-7cV9qr^DwzkIZ$$T={M~dTN0M5z2
zno2m7%t3K}lrugZ-Bf?VY(xNa*SdY$R7O$bLZ@aw#`J%e5Rr8o(jh6p49xs+y!uH#
z9Y-~}9N~WEQ;f5GilV;cZ95fp(%E7A1M{Eq>j<H`d(XE(vp|1;9?G@Sam18ZiOsHC
zZ!%GjV{A~Xmw3c7$4HcS=_#Z>!_p1%Fh9im(Nj-2cWE#p<q0;m`!`i&@6@wMZF^6!
z4u7g0WaWaE3yi5q@=M>ArQL6|mHBkfEcl2CB>A}2ZXJgcQAgZ#Fy-kE0;W)_A6k(C
zi-YCI#81es^@+yt+*!J^4;Mh-b6Wby0UCU{w(!Sg+JYS6ZN{7w@EMOZXrdS9cUbof
zbzs@pfkuV6q_$)NZ=FAPd{+v=`vbsFhH^FGvCRpmO!f7^*E!As13+5lT}EzVix>D!
zD4aoz$u{@aKOmfKp~R8pPV^xLs?ELCYzhtRv$m>E$c2)ubR3q@6hnX)ekB=~P$gi)
z<W~lzLsuyT6{3LQD4+HLH341ruQxHqbZKk}0%?*13R~yA)QTuDbs8mddb<qd#u+|*
zzrQwynYn1uU+new*OZ^z^jyd$D88R;c^dA=9;UauXHlq>%#jS5pGRXw%U-(F9@`2C
z_z&#Ws#Ssn^cf&}V1ko2Bo|zH#I9BSNs_6FmM$$TL;st(TV26NRPV5t<T#%=p>p59
z^d#SKnXaHY!e}OJRbQlVxqpiPxHvSo%wvQnw3-+Gx+7y)s?H)P<ipy-c<Ewyl^h26
zLe?<<T<5FnIOyA)t$Azt(#)o0Syg^f8mVS&3e_b&xB5Z9eo$sG6g3!WxlprcJ^$_~
ze2eL(5wAsPx9CMxtoB?~&X3t7j1Wzt)Zlqif)s5C)8snAZZ43qx<p>tbUv|C?R={l
z(Q*B56WOw@q7kvEP}rD~{$r?><0sSAUe|`d3|FIUk)AH_b;-Nz-NekRoYx$0$Ri%^
z9S7A#;x@|{L-AOls|9h<cK!u=_ldlb2PK7(I~Q706<)OggiJ7$I$H4kihRThBbPp%
z&2G4I-BlnO^>`{xN64W+c`B<~Q&w)^DlN0wj2P<O-;y8Qik_my;yCkRlM?bp{VC>f
zC8mld+GRJ5D0n|3cSFVQx&uTVEFd_I{&=X1xKMbkid*WwIw419spwqB>@w0=nOJw>
z+1K3o0voD3Di>Niw_3B3<Ig?X?{adE-*JQ0<#m4UpgDKpEWUnLE_c;-Ft7pf<^&0A
z>66XzJ+m-fQCZXVHDS!Vyb^roA~n?Qjr;Ms|HKDd@2IFq2E5M0178eV19lC$e4NJE
zcNn&YQw_ztQzy&wHJ|YQWz3T;NSaMItcei5N=Nie380P#u5aSr*-4C_`GOb&hqd0|
z$1Q|aDo=-TzsP1~9--uRHpKgo9H>VCtUQ6JhSAiivw7c(NZ#S%n5PYG1u-c{L9#Ng
zAsnEb@ArAKQ!6wZHF0-O{@{R{!R?mV=z-lx6a$++3SGkl#@F*RWuvK6W78m^jLAhJ
zW>38G$9)54lg=~ruuM{o4=N45eLEDf0vi!bowUt7N)jUgbHYZC9%&i>^b@oC2{sU?
zk(<noC-az~@hNH0@}o5FYBeuZ7<=ASM;r@|Aq_#7d~t%eKhYBZNMe(rl6I5u>k1_Y
zeV<!%(1Ug&y}0;~rM0%IPve-;@<kLKgg-o7^D~2bB@if#C6`7;vL!~;xOod!<(kdn
z1q`+TERz_JGFZ2vSXpPx>fI><n*o%_WrbI3bF<A(x9G*i`{P+a*XV9-vAtS)Msz<d
zh@X;yfx-U40W5BrBsQZ4EjAC*-8A<H?1J5r=Q7C8;HkzIvclVBrmqE;?Xl~+=K%Tv
zR9_bBfbiM*F3o_;rK*>g)D$k)DIs{?w-t(26LWtuj4fq{joyKe$fB3i{dZ0A^_RQI
zQGQvHOQsw*5lJYv2k6U~^5;c85z?9K<Nb(gXU{4%+F04oJxM=!)%){4yu$h0ev~Wq
zSl8R1qy^`(N=Ch9=dUN$O7$P@wG~{i_n~=aU9Y<l-Y<IN+1&!s^mOSzLSZc$=@&6r
z&k)GCW#FHg!0rS9Ll%}legQLGuji~6<8wpp?S!=5pBUeRf}w^t^na7-?+@#vYi<d7
zxy0iw+o?wKg!jj=9wF}-RgbqyY!3@{K=9Mxl1J|Q1=u*87#@q;)O`&p+#b)@sh5jv
z?NtJBKf@(dQ60~V(F{n7POlMyyC(`23{=X^!Ez~@4tz0z@#e?4@z`dTP$r4zY_C;B
z0uMYlL^h|{T3#8RhW0Y=@AepcsGtx;HCI@rAQAO~uRE8<%ZleLDMCvWE<PKpv~5hM
zx3xt_Ejb)AW`KRA2z2;%-(<_J=B)+Po53`bHUVAA90Ntho<Eeu;@N}-P?yUH7v*O)
zUmZTFCaRK2rg$|TV;pLwKI+8k7|tFqN1tVch1!@ZVANyp2k#0iqO&fO9V>5C0YSeG
zQRV(@f1YhOlZBQ7h7h(e)w)sw&Q{(jK(8ZAm0*`fn2rk|+&>vRg!F@l)={speZZ<t
zre>oHmtw;U{SostC+gD6@HYBljJaxaCemu>IC0v^)%WN;c>WCl&fABV9zFXF7?bqV
zIhW*0Ek%%||Kyqs-hVAl);Ow%$iUJaGiL606+=&>QnaMsK;V`_U};%sU9VO(1^u-j
zWuAqi84E2g&ceI|i<4Nnf+<DPpi$-bfhGWnA5Lu<<e5Pt0B4{|bZ5SlXP-X#6eZ^a
z^%@=Wis*27nin{T)=(s0GB<K=P#YFMpl@MXZpMQBH+{kN*cVq=!tu$G{=s1Uxv8gj
z_gQOHo;o)VJJOq%12Q3!45n8FSHG?ML0m63IeyhSuz3D(!eibxv~#%Hkq;&6&-ra0
zcfG3l1uCSVx`92bZl`jiCcvAzl*0mI7uQk3alM?Qp|d^ZTm3k>8*CEHqO&-{K{I@<
z)E$vEZFje<8^iV4$FAwa-5$Z+=+m%1;`lKo`tw-~yHXW`L8Jzo#WL}waYxv1U3U4k
z@1z*~{G~6wrf!m*;%$Ds$k_0J>$yn5oM!nnCEbjsoi8{~I3FuwJTUwyQRs|AG%E>4
zh5;9d#^&6|24*9Zmb?w`B`VBM2(kA<H%KBTla1;*!jTU^l>odhlIzohCMn&N;-PkH
zK(W;BgD#ThWX~2=-sJRvTS{K`C~Z!k!qw*UZ80T3l$xAQwA2H2N4Bgu+UkmbQOQjq
z6@nB-iXmP~9Ff^&g8Mg2fHOR`Dfy-nsqlFJsJ|EdAn<+x9Y#L)E0@FdkZi3`nM&e8
zFM*!;&>lqfM+~As>4V)bDBaos0Tp(OAfe;1QqI`OblnUy{JQV2nfhW<a3g6mUsuW*
zc3nR<`3OK0_eSsH9$nw;zfQRe_7(>!2DQ8>kPKa>BX(F9D-(vYf6}GeOXQoY?~Ci?
zPpSo4*FD1~It})a#WkoZw~qj;&lBR4A4w|h#9TZR93)uA-WF3o9q+&!lNd<}IXtS)
zi5eL9>F%21Fft!ZZLKZ!7eatL7_*`a!sDrLN~}MNuNg|VaN87qF@#{ZBmil<!IuS!
z@tX_}VO4@o!;wN$Ace)~)a&!FsBSM`Gp9`b*=79k+_bjF@e)`+`0>2&vFW_ucaY_M
zdTjX7c>VPE;d!3<9iytO%n#xp21hX<fvF-e{_)JQk7$tlF*rp0d1=Dyahztd?fEb@
zg5&Ynj#<sf$~^sZq5JbT<3r<ql;pDgePhhqLzX9-(<d1G2D%DkI`a0SMbHnFcauj|
zD^S{UwNwB@R<dXe3DP!FM7#6WqFp*dc>TH#0lqbI;(F~pq$3rGBWXSt!L3mUm!#!a
zF*t-aJkbQiL5k|;-**z>;pK39ibIF$FPnC9WCl%yZ>h<`yj+~=M{t;3WKdmBWNCEL
zX)!OWngeIG8}NKa>N%*z!n05LRBd*rqr%G;;3`N+^CXe$nGn2_G^uYz)%qhFKYcgp
zKXS!lVlcl85>Yi~-XKmAQM7H)uv(jw0}XJf4}Ypu7Pz~?<E2kdG>Z+^Yi}}#X(Jft
zXOWseP4>(W7nTbbh3f*iJu-*}ABy24z+&!@Q`<MOW|9r_8{!@gg1_rE-_pTsQVcLl
z<kuV~^>e9~rbLrnjh5?HcPm(5bH3TzpC*)O!y*mbiIl!!6wnj*4rfin&Gz<DeKn2l
zm!@i)Pg9Ip>4nvgKqzID)q<0mX`Bt0-kz39?Ya|CF7$|1W6k&;bro5qAT8@yc(Yfc
z&@4Ldeji;-=Mh|jZW8JrJgGUaf>Q3;1W9-;J@m(sPR&k8+ONu?wo0e3utbh@=m~-(
z_^T5?2&G2$4grojay3C?CTh349M=8_lPUez(BEt5>ra6_M{k|Fwfc35K_96(WssIe
z<(<HILlS_)%sTSCff`Ie$^5v9?SR&f<bvR|n4p2pci<`t?qD&folqQu{Y|bR!XQUo
zE$wowP=*AlkiRL6tMMNg2jr7GZbt+1qEd8m&ZCBD$<xhdlbQOUS^Gl}lUeN&f+HU<
zVaXsvtyj3(kZV5AS|VBm${vyVFJaC;s55>XU$}i*uUuSq9(-7L>^HL9dIqwWIi0W8
zTHErkZ~HPSX+FHRalJWhwx_c=Ei7RB%1dPh2$plApr=~9hR_b+9M;X1RWkT>s|05^
zjr?8IuI2<ORlHp%s99&SIA5MQuiw8vsE5(E3SfC%51?0OGFWd=Q-1CPUQ%Gu8H8{P
zUgiXWD%$sS(ll)!D2GI5e!y-9QI#~#DcThpn+5Dsf`|h7wpejE23!zXRa5g0I@CA9
zy36I7s+@RbvT@dTt;~sx@LH<i+@oLa(a(y(d5KRs>`v-gZ@4Ok=1rChEFqV0)
z>3`dIwRw8CQl3_lBQi41Y<8MmtWWViUhI^Zzrc7&bp~<++v!8THLq3Ip<!VJD8rI6
z0RM7uy?UN+r%Wgl&jp3|6$1`3omj@5Ejj+PAo=5VfW|#qI|aEp`#1Y(yZwCl#5tv4
zk;q<=Q)k)d2i%J5oqOe(5Fza!J`t>fABVa0(pZ8t;ukUck(Ao!_rY`+(*zQjJj=9^
zRlE$&=R)FTz`^qcTaeB4o_q8Y?BS_>S-Y92lsARvZ+q%BU68%r_#G3P+lB4?adUU?
zsl<{$qyrKxAQzOMskx2*RnN6#GyBKT^3^`~+q3nssn@F;(7{bKUWEs`0W>ZCm#)kz
z>~;s4ER@+z0zWG}<bvfYt9Gha(>{4{NSeIALOi~~oW;;hBgMp>Bo%F@hGy4JwAd=F
zH?e^9fvpV$$?r8GsA--BOs)=zpwg8Jqf%Z~F<fBnHhskR@sJ<#W@7U&maDCh11u}|
z?N5)Q4`WIkRXO~WHo3<;Urhy&7#3;{HuIDn6m5u~y`*nD2W|XP*sP=VB&pbN=aiP^
z>BwkFTK71k;7|P}$&RC~>tV6)j70LLj>ccIrg@tgHWD~2`_Ugi26B>i#Tvkymh(db
zvsiIlp9Mt`Hm^tQK5nNr8!#iMk99L&U(Z%MHm>hQ1|1S?(fIGMm$Vod7(`JR)jGFC
z4;R@8-WtDil2ou@O1APNqO58wrlyX+>p&`o&gdS!u5*6S%FDKTTu!chychH7*Rx=(
zEGKP_x42wiL*HDs!|vSmdr|qTe;fN-ZNxbmjJl4^O}DT4ynZY~`<$D1tb52V-f9xR
zU)7Q%_`$b&V36&N;Zt0RCsl<+*ANB1-CxGOlhacl3)mt)45sNY7Sk*SzOPO5Jjpo8
z=q}*KYsFxl+{9EV8Nin5(;m8Sad*2LD0HpsB{?qpH<jJ|xO$?Pea{sWUyA!o_{y4)
zGsM0+uJ64JB^y-};&Brw<lHUwe5bM5o<@I7J=ojm-1Tkv(0Jw#$GYn;tIuqDjbREy
z;(oo@cXa9EYF18JGYm2HZAo1)m0}qnw$L~TdHb#zr;i6avIEY6?kEcg5oXF680ZS6
z!ZdNFB3NPA`Q)!ySE_8B=q7&EV#8$dfC6e1aAe*`+eh(!8K}Cj7hB4qlE8fh#&jbV
znCP;ejouUMiXN<{+M7TB_G0bsv^RMiY9S!*9NtcSpOVHbX_SBx_&siIJU3WmEo_lk
zc%G<l7#!R<6NbrQoZo$3f&10<$i1`*t8%r8J;zD=u5#6L{1_@@1k!ZOdQiMg?{=KL
z4#Z9wF(of4u%7<T|MNB6L0|R$hT}yWZ6cw0;W+7RZGPD0e-z8jy6G8`gR8E`iC0Xf
zIqfp-=QUWXsXmJ;m2BPf;V1VIiofny8p#GLUH%~^fCv2mu>(d+O@mqeK(HR68;jRN
z$4w(%s(f&)U6X<yp*j`{m5<BLZn}ANf`dZyNBh}TCN5Abq~=D`G0OY80XrE#!T6*`
z4>aEq^SQ?A2(Y`pFP#Zbk^K4-;EOu+6iM4~oid3N#O+jWK}Utcd)ee<htW-J$@-I|
zO5LaAwzES@L$mYM>I?z*hjY#1Cdk7%g8Yg(&Jm<)Xc4WZo)ZHWGw(`_Btg4i<>d_1
zLhIvg#B~?W<g#StWu?^cV|cL2)hF!Gc0Ch@j31?A%Cg}+5+u++SS*lMwg>ewS4BcV
zugtl$$vH#N%3NypBHfD4J@jL1igg8>O|SVPqcUCeTLaE!7RL_l^1Zb&&rY=2vobQ}
zdyp}ZwP+<zsLCI6F=zR}@~_igi=r<F2qa&QMWlr_ctlmcmXSnis*0tfd&~y06%SZJ
zBLj!;JeD&nX<}0n-j0uT!DtN*GQ%Xo_k6G5q3#2A(OAlu;<z(kwy|cgv}Url4mGPC
z_c#P+7hq<?Ump#?9uW$R(|KA|p5HG|wuMT`aWMFdk<=v0lWQ8`tbDlXc^O*KS^JwA
zx2d0$K;h&kFGh)CD8~zi{L-gb1z~TB*9Q6^D;Xv+Bg*Ll<gAvZN&{}k0$9D|%XPa6
zKo}~4s)6OvT3cPMT!kj5H3nj^WIe_P2dg&OHshK$mB3g<|1BY)UHxDQ2kz(w7)sDM
zW7JCIrfZ=YPBn^V441!*%wxNmNS>!l`n)6wJ}^L(YJVS_%)PIv>M*;QUI6d;wHR;y
zo~z%3!)a!*)u+kp!|N^%wp2FtP2<Wfhs=?0Jz+@yu-$b<=N|9KcD}CteAQ<j#0Nx~
z_l%(UnJ+<!{Qf&|IBg{y)sV6-w`SwUy;n2GAL?++9C#iw3I2rpBfSZ7dzu#bLiS9~
z>f#ZQYrw{iu5S4TAwtb1QVkcD!Rs@$)FYAo*M=Iph*SjDZ<J<yZvnyHZy^Fdto+kf
zT%JB%0nummwms1X>&3;%+^Zo#o%LtoSg=8Y`{)#oUCcVuq4%wLP2+%lXHS%20Q%9d
z7Z^m0qELz}2Ry)+u=(W~t@ygXCVP}K!yobJ)P%U#vPXl2m&}jMu{TIh%l%SAY}0ku
z5BW3xae&(xygK~HLh)-Z5bYpty<Jh39s66KR65nj+EhXKYckJDQJn2rjH5~gw_qVn
zT3RN_+Tgvhu0T}Ta&6NxY1`vxfdA`b%k2ZV()?>|K^B{ZPXA4lHZLC;*5{WnVG}V(
zo2^pdX29yk^>_1d09EbTILe<PYW>cQ<qnzYBYAe=uHe^2xFyIpsci&${jN$!)ElvT
zOSx5Lt^=Z&yja~%{2Lzfk2ro7jLH~2?|k5X1PAF)4=q?X);h@|WW_&QVNqjnvhIt6
z9YO)uJ+AGIdslorb;(;JiEKh(WJVEl7M3s<jI>-Qix|~y-Z)6>-F0{IQ^ob_N}&{o
zzCnpgXTaE18pgKs0hg^XY?L>ifOKg+d+inQVqp6)&c!c-Il+>sEWZQhVi63%XoXNA
zBGIBA=^~@L*XZE;ClVmHe?8(wWaB74+XLR<qGhiA==m2TXK#r`QjM<SpFaD%_xb4l
z*p#k}Z$Z!d)$|j&nykTInUWKUr@tr9O7eej64C5sKQ`QAp3dFRRAgwy3FQ<0NAcpk
zVA;5{EbZm{@#@UP=6h+$ucnH1(~=j%D)YgViQLnqcWk1eXEo=97oq`gb#XW7g?(kR
z!+yHcxe);ZLx8OIv!c3_YuxNG1$C~z<7N9{uRRKEmZK-DpFp8s#o!%(An15M8kFi;
z7j~6(+@|N&*8tgWq-tyQm`+(4KMB6(65v<{jOL&PG|f~>PwzOC`@$EPU^RAxjZ!L7
z6F!ivwQNx-Pz}bA>`(=itAinoKdyykM8}3E2|BKP!=P``noVG+=`OymQ>cQ@u0ZE)
zA^q!mbn{f{wrUOYU}T+@y8SNLO?Ar6OHpyNx1a`nD#|V(gp}3Gakg090LSb3(NE)}
zyRX4S9meYs+j&Ou;Dx^1j^i*$jn+JAz#IkBYy=GoWTY%*daBv;WkVH~SmWS1>f<{^
z*GrXmKQQ%2G0T09mZp5Cem{gz0_$kLr|RWV>H8shs0Q`p+G^!_ukHD!ANvM~9XQF}
z=zE7d`&HVCwk69UymmIbLM^aB1&LlifTd~AsRnYB8mMh>e*v`hS<rFF%Vup!CR*TV
zIkC&oqsd`HQxWSh51kVsX@%Fq6Hxg&!4NhmE{f}^RS*jNjw~E3vdT=?(JYDkSh&&5
zShkK*n{&3O`=*u&?}*~8dI&Y<^-eJl@eLQiBbMC~B|u|~b^7(X<L0`Go#7*2oiGGC
zq&OlAcnPLsx_p6c(K!m8b}Y<RUnHpj^m{TQnnUqP1W?Y6L^|_!;5m!#R{p(aFlYEd
zvhx$l-}$l<s_{K60{NP7y8|d>FZ3L)!`<YF=5XG0F-lq*r-4xEWGxbk)Z;*}c7_Np
ztoMQ!dc-heWY`ClTz}#uCT3?<Z-v0{QN7(p;vlA<oO$vt1F<BV!BovhP-=V3go@)P
zr6%Wva^~WvI1`)4MsJV%_M{(P8Z)3s5UpS5$**Spr^<4(lRce0C>IPmeKc7jMaQxG
zCHY}>4f_v&ZCM}WO^fvgytH=SJn%U8ssz>P@*iBPj{rzOx4#@0d^zV@m((16co}zA
zW$~YH2A>7=P^}cLN5-3ZIhmN)a1kOjjgGVwDkAb?%21`NX#L1l4xVQAP;Ml;K<gBO
zS4X`BD&q>gm2z1!X=RV^$2A!8Ub|zpKa#BD6>5XP^y?Zoh#ng~qJDAxL%C!lltmkb
zb|%`C9)`l3mz{+2{5kh9UepsteJw?zl-6v9nfR@ngz2yQg8g}x-%St4gw?kowAuqD
zUjV`K^~C9(qns&y>No3?h(Iob7h+)cYY)e|JTmL@=UqM72%6lp;<rQG$~?smMU?Aj
zsx6VzE5i_zvYFdOonxPYI5%6%LbX;dmL5e@{QwKxeS@74p`JI>G`l_5DrQ?Aznx!m
zL92F!ykfhA_u(l<FIG*WKCLQ<R4)SttBqvLbOT}<7wfhhZup(ge4%5qNklWAIgf4L
z==JZl=>W^M;CV(HNpm!+mQ9(8gM$ZoymGv*i^>C7z$)CkRQh{ls+Pm}^f5Ztt(6CE
z6szhEPUK)e(^l#VhUYsN0ZO@UZxufKJ7G^5YJc5-qKQ=I6dxb=8jboxE5NmIOW@Lf
zE(>3pf8Jhiw7}luu-hxuDJd9$@AYEN@EC8UQEtcpVhiMMS9cgb6rP1S{U#M^n*E*t
z&nO|rd3$IE|LY^6&kcew%Fp{-$jC`#suZB3FC30z7axM7p1h@{A=*sZ75+@dFnb5R
z^yWZ%G+pt^?~_P{{>i>vKCi>H983fU=aC8VY5S?3Y>)|YKKSB55&sQi>TTs~uK0QG
z0O!>i0sVNzadOF6%ge3MeOohf`);{}(5d@;O_2FQ1GnP?hIZ%$GCrq^+luLy6zN)!
z7*H)-IG2P7*42wuORM&Z5+U3%;V8@&O<o>oD<;mfHSuV;t)8NLbTvS%8KK7>Qc6}o
z5}We^k$lQghyOC}Q(Yy&(>3Ah=6F<xXk`KKtD!*wGE@aX?$M%4+*wy^=EBMzD1l&o
zaC>sC8zJLnBY(3|hXOEq(b@7&9%0PBCsY)TU*zg{^}`VQT#_pKM($Fhq;iIL9%L$o
zc>uwmhFr|#9oOI6iROPvj8CZP1QkbD1QDk+${NvP{m|U(a1mxbBb36Mwe#nJ2gIFP
ze^CG;E^D512z$~&D;3Tt=A=(USDEY_&!4(kfWqtwpw9K8@L-CQSDgYAbnM%pFIsdb
zSV^g8Prl_zZZMd6;|lD)D9I5-{Nt=7XQrF3qP%$hx>1~>tEjJX<&+6Sxu8lN(PEHR
zIAkg;bmLz)k@#{iFPzLsvwg`H_4|1To=s+ZiHJ=d2Z3}92ST8g5lV<){kaxb7b7Y3
z$`0va`Y|sRSsaGT;3W+K5l*v!;mq6hG}qgJV7lYJmC;lgJOhDGpx8nOtD<DKy!r?p
zWu=5$TP0h3+Nj=meIVc44U9u~uo<Frho1SAOS$Gz^s2J3zPwp97fOs@IMEP;DD(w0
z%DW%;A97qDYiPeO=x<PokkK*)N5IXG5xXI8XrJf-6%Yhr{aXV7x!v?}Aw!ya^J5WY
z^j*nS1YTXXp}!^nhI!u&x{mmTgN%s81tYs)+MFnE6-|Uo(`UkuDB4T!D!=WgKYPkT
zT`C4!;T58>2GlCe>Ua}d${<mkbOm<qPKB&VqxCoe^qZ(6Q4>X9#?yNw)2JI6pPwmd
z)TGE-x|hA18U@As%b=I_dFFEaZ6tAv74VJ2V+6@b1bzurQr;9$pPO(xZq$GcK~l}u
z$*)mEzNDa>kPI~o4@RkIF$Z8-g;NqaH>EUpV_wGVzRk1*sVy_-+qu0{V$#0_qS^e|
zofRUaEPVjqw=&Gx8{^`-yqAewAQi}-`hkSN#Ut_7--fuV0oe%^QEX+XEuq=F#EA_x
z9zEph)@S=4dX4NC1&*n1;#%$fNgA)7FUQt!2&j599q9f3O0Seg8N**nW38&G-LL{<
zFI>jJa!wT~du%tID$B3RJ`>B`K=7qp%kJXEFO@638pZ?9auWe*_6Ii?L|VN;9LAeZ
zc^rtwy%WSPpPhSuuUtFnogStAc)!2VD-K*0+)Bp6+-3xO#N{Tu*mP)^e;1<{lo`q(
z(<y-oi+e8&OI!$c+EqRI01e)3wL5Qp6+wdzGJxg=1CNCY^B8s&T8jv@`E22gWH5X+
z;*W^>bST$8zn&C$zIa@kV~_h+$^12VNCqv2=|JZ*#f9M^J4fJX-7@q%-On7+4v3)$
z;*^c<;jX#0Y#r5}lS{T@HwML&rqGijFvBc?n|!Yp<(su4Ug1*s$|KZj(f$TXS<(c?
zC1i=%AmVgOL#nZ9beo&EnpW7|&92+$>V1s%Q}flh6C3XFrR@XNCTUpf2osP!m*53t
zo_ZLPz&Y}-{-Tkn8(<_+iAa>nxyX{j1LA9E5bQTD44Qrp?;`W(5mtv>emZh-9QItp
z)RY8P$daqXgd$UYe{Hiu;qE`1JEk1Q(GG#Pl8h09-PJ7|1?TGM6<s*DHU0Y8-K;Ht
zh-UYqQY3fS{u~*sezpk2R++upGs>!tP(L5zi~!H+>-FP7K^q~w$#4qBo#f#ay9Y_H
zCH>mp6TPL?nSru;jG*Z1R(FlKX)x=yvYz9?k+Jr)c%5qzS?=O~-rYE;*vW2mxqBQJ
z_sYNr$1j}aWr^g%$%51%Z7$MvS_$LaRcA3iyOu|-(Vz;%x4UmJ=`#5IEtH`$G>lbk
z)5!TGB5m1|iZ-^sX=;YX<D7_;;#s&{$y}acDUIP2Dd9hUT&spzOR1i6#(*gRm?hea
z`1MOa81DtImZ@KIpb>N<b}wnQh4wqJA_ajAW2!&Hfzf1tgdI@nqltko77$^#<q_Oa
zbN~jdj&p%jn#;Yh`_Lz+*A042zQ6@sLa(6LfHUT|1pxs6uGmy|fX6e|r~bik)6P#I
zt9+;TyZ6;_6mMwaM+^x4u9ax@s+^^^_D%%o6{I;$U;-*^xrjf^noA{i#~gsL*@g7o
z6*W{I9}?!On(}+ui4z}cv_ssQC~VG-D^o4}fb|cz&d4fTU;)hEm)REH0)oSGvgNUA
zbN!g*kifOYYl+hk=)iPkY-rrAZNm}lmHlY~yt)BjB1P*-ao!-c=0D4OQMc1hzBX@&
zFdSB{T7XGZ;`KG(MR9#tOn12#?VYBNR8Kw$cz8xdJWVk(7kS<uBThTklobplZ_vjK
zKHl^u>?_e~Fxog*MeF??OsSm#P|b{7==47V-~?82CEir~+r8QwNj%lG3e&W7Jx|)p
z^5Mk&mjrzQglka@xP97*%wc=cq>HdewyiGa!Z9|rgKdGVs*%y-7CCQ1aU-^-RUqiG
zY;)RtS`57RG4R;=Y78<0q$@e7GbK*L4zF*aSEdEw+|dQ3V}rqKS4AY4R)HiQtBnC&
z-;etCImNjIfntU@e^?aw57TT6)<a1d@M!{<p(QO8Bktn;Cp~xUr*pE}42;Ws*8D|2
zHGV2c9JZn79cYt-Tc!M`=Y1t*vxT$G7S?&11mAbn7-n*!JR<Bv;M=op{UPzm-KE3y
zrr2o=udKnG5k3Bx4uA)bQh;nu9pi>RT`C6S3C%#6MXtEMNt9tzbV(Pr?CXk~C}ZB%
z9MSH;zUj#-a7GGHM%bbQlefWfyW5SMxJaQKkGS4AV?9VL)IQ%`V(uWB!53&;sx0qo
zIj`*3Op|#P*PbR3|M}4Cs=JwM_ln|ZA}4M;9rMYqa{As2ZriYY<`&IBgz_Q|87}tU
zi<PdpGKc*+onIaYA3W3nKAvo|p36@eAoS}F(C&=|0VvUL2J)dt10}!tVjv*?>`8o>
z4OS3^`l-Ln=<SyWR4R<&)rR&O`A`g%wnZNhKm412$dVDTmGu#fS-T|KY%WG?j@S}B
z3INVYz2XEIyXUN*ka}SjbFx}x+Gl!=yk}*3$$t(DPdGc%IEL_RK0J^&7ozkO8J6j4
zD&{<HxA<+$7ffcCK|t54|G3|l^yUbRR72q3Gc^-Ia-d1>BdQV+i7?8@>3`e*Y*pD;
z^*<YB)A7w3aJdcm?2zdg*24A|K%t@Yulc1Zltv*VF%lFC6>^VCi3L;5Isy`t_VDC$
zkFyw&0sKu85I=YV%g8W<Mwp{I(O|kbAlgpjRU_*weV<N30SG^;I(8<Ii-dP$Rd@9X
z4&2LrJzT#D9u4$quL7<N>?z|9R>K@;J8Ox%7#)45LyCZ6GKLk^*MGyJ{U$<dBTX${
zmal^9aZj;ux?tc>;&16!V^?@Cf?zl78YJ|QpT8g!W`00U8r;^L(IM!<bZ&Qs%RW`g
z+f51?y+9En(Dv2$KpHA_f`gZ@+zcAPA7q%ZG>hW|${>&k-GOt=7ELDStTmw)-kGg=
z%LkSWr)hQm)sSl}`ZR&Dt8nV@3Mpt_B4MJ8UKvi*ICI=-u~1v}B#-{!%txDdtf%;f
z(gun#i~La!)Grxf^q;o}B{2QV1Ws<$-j2UsP&BH544}hssoVxqD=Xq~g}L80c5J9L
z6?a&hw~rS$46$KK7Iu{^l$|Y%lB$5(v5LjY1+peOOqP}_P{z0|PFFLU;Z9${aSbCQ
z?p~OhSy|K5H|94Dr-3qZ?d<wmRCm_Vd_D=Ka7mTHwD6&>ava(hW{07hxCjdvHsVpe
z(3KDb(*IgPo?%aQ1$)Jsj{$Z8#bTq|#7j>*#VO5G2-CX1pP-dI8U#Np|L30=?(&w+
zf=KkjG&|DBuY)U|bwns<>z)fg!|qMB|L)xF^f#w19$w|jh`wqlhvywN#6oI(qGN6^
zjXA1hyGTUq09F>Wsd8rPX0}*iK264f3kKpom=yz6ikGj!$n7V2G%pi3X3w=?IByE}
zasuZl5RTCvb>s*ExGSmB=s@Is#*QCfE1C={g?NfgbM<teyNftHSfE{&0OSXE{0z*o
zz0O<+UY$a@%%{f1=;Bv=TFQ?pSck796uG)<guc^ovDidj+-P#KPFsXuYO0<*D1pe!
zS}uG|&ynRu(Fco{oA<bIV(xQdRhldErfjq}?Jv<upRHksh$0!M$OFFe+8>KjPXSH}
zlpC#Y?Vb}85Ibw3{?gc)>Wuw$%nJr}Xp&cewtM^Es3Ed?8N!;LgRcfwk@x;~a<1ZF
zeCJu_Mr}nD`oqzK=)8{;uikRc$%#FeQs?6Fv9Dt|3o|rknCBNnNnLq!<<95(STI=w
zmS~GJYb~_EgjvcZA!NZ>XG<~(O@@U0kFRc{F#l@Jz!yVO`}BeRXUyL9s=nptW2Ysh
zirdof=<P)_#xSK~GBo1k(Zk9DX#*GgXTZ8elWJrn5+Y-Ck*RkQ^jp{Jz&COfM+8Bj
zj(b@J%&Vid`#C?DaQm`0X?1r;XGJ6ZxXS~!Mh#s8R=`YIV=F*hFmo<Uu8mdaqN_-C
z)^$eA*J%4{vhC0Iveoy;R7*3Vl<a?XznJv`KaEr{^is^nU)ERT+$ArrlMEI~=u)=`
zWnI#IFFjad>5wq7X->}+$&#pYUaw>KN^$=d)y%u*{D}6M;M{iHe|?Fg#sh%$lS#Yv
z5}lsp;AU2Nja$p0=%G^YnlQQAd>f#rY39+fcv#%fTX^orTga;&NUGGIzYSI#1PPtP
z1*668v6Cemp_gUnR!5#^$94;Oj%iLWC|M3pBuP4t0|<CI%ZCn&m|E|8K@yCjgIs?f
zfFTx$z2spTw&@9gP5!#^>*1LXZl;I)?`|=$1b9lwqg=D@nFs<<Y*-ZfC`8#+66R5Y
zRsAOvA&N(QT=<z62Jvv~GRmc((!(-05+zjeoL#DwvA_awr-OgjER#g>0g}vU&C8Ht
zHwS(7oP)ilq1JRuiCwfSVl6S+g)I6~CJP%ua%#BOY9P;Pw4tAyM?FR0_AvXU%gQCD
zk&QeS;l713AR7<Q8n2tCBj!9M@rM-wN*#v~l0Oj={h`C4ed_=8!OuVpHP2a~*%U1o
z&~~+L_gvtxi`zU>ul4Kl<*UiMU5%M!>>P31siWbV(qlEki8sYyp3T-9^e|3fa1HMx
z5mU5b_;#I@Q%0TR8SU`l)<PCg1zoRn!77(=d=;%WPm%X#r$4($Rr%mBsHrB!`I-nL
zjRfBb_FDR=yFt^MTrVo43jANh<Wek7fyPepf&lV<tOezG*3X+a;RvEnN&s#J_{x-U
zo@B25HR6!1f;LOz7t-8+{Y3NQg+L27eKFm}V1HO`@@rig&0MZ5=Zx31fW8{~@f;Il
zTc^`;1D2Bth0-4$8f|t*QA|+qz$K$O(fj>qq6UdqsnxeGaNRdW{lCZvK{&lGmxIMd
zajsAVd%WSrBO!U7%}bXli%N>^y(6M?z6_HoX(%_pxw8bmxRwTX@2-kvNXIC7SP_NE
zg0EHe+8A!vDDW!x8P})QdUyL@_$ViEe`ki{9_28}ew@^Jf0pLDYFwbCboqWgfYE?@
znxy~pH|0wF->n_u2%UufM#X};Eu{hwQ{czP6EQeA<`x}i<jx(s$T_VH)iHGUd;I?c
z4Ui?8+wt@KSB`EDMWV~V`lo}43-3=Cyry#YF_(Cp!hoQ#m%LgYt{cq|5(1e}S>m}a
zWde8=$(iU=Q7KqeR#t`hgT(IyEZ$}UKkiN`>xWH@CXg5ZjZn%K4O|L=E&5uS{$Fj0
zNc?n4Ajk(w9XMpoti@QFvn;Kn*=jqS-l2zAZ6fVJo7zLe(*76r0!Q#K<-F*<afSax
zX2?ZFJS{4ZH5rV88F6)ZpsOJ6GaLC(3sEFw&saJqNy7NSSvJiB-P_UO5?poqpGHFh
z|7tXZ4#x6d5VP(ue%sX$PnmH>vi}2F!3Iz+!0qX~#{FM-DxQE)aSLyg>V*G{FoER*
zs1y|agI4?dpV1&@-~O`i#N)6m2KbK;jO6@f?tmA>65!t<So|d@YbKL9{vRPOdhba2
zluut{05tjjdHyWfzg(X%nne9Cl0X1u#Lt&&SRB*T|3}ElzU5_QWrh}dXGH&ID(#qG
zRzdCCskOrYhSj@&vC3t*{O{ja&Z}l6v4sCOtaANj6?-O?`JX{{`Bn(|luIw7z%_;b
zd4BAFu{y%|2m0TT_XH+~eC}@8j}rIK^N;+?ncPLH1N|HFxB<(Hi;JsQD4Ik6pQ(TW
z9DLPr7m{9z(30q-&*VUKxxTLbkG<hY`!)-3ySuKj|1(xE7(ZW=!%0k_;D1oZ53G=b
zzQj-5p!P2y;G~xO5`mJwKmSYAvt__af4ztzrIGQ!)sXKm?$P#Myjt*oBZ9MkX^6vK
zMeN_cubf9i2WAQQZ$!ZHFJp|(ME+-E<U_^#t071zz>I%qj52>UR6=MH^l!-f{Vxpx
z2K18r8w)7;mxj(p)$#ugc>sUc;{V6~|HuCSKePY1Ny2og*5NK%p!!1<;$peBHEW-*
zKVo9z(>`$#_&K+Cg-c86_On2}gkr;#d>&=7t^2&T;?W6t*><_g_)oCpdVmxq3u}GK
zj^1}WJ#R{HIyvT13HILf9(s<{YYO+Ps&^}sS?pr#J@uwbdkfXw_MJY%KslWc=OhU;
zYk6lbI^GJ7$XGW@psGD`oxIHMc=+oU3~7=o-p=Qb;({QgptAO^f_qmn)oimbksH_3
zJ*GyTM9h|NcsJ3kE>N5=-=N2toLaQvPP)9#H{2D`gIP`&ls@TmJBs6bO+H;_eWYL0
zUaxx>vR3RCYu`Kmn7Z38!`QIgbRJ*~5C7<T*-!w}{r&w7$99Mxa6Z2;&UqTDyYKSF
zOL9nh-Y<3Tzg0cnrP9%&=#(0~rexp8&ItDlhqI12GeUlkEvdB`7g+CSIm|dD`DoZ5
zsOr*?^Kz&hp5KcuTt8)CAd<?UIape8+uqK~Du2lGm}RO|KyRO<CW4!J`Mft@M#%Ee
zwnS#w&G&Yb7tDv?>b&fg;CgEE?lmTWT+@1dw$*=;>U@r3qeh0`Q53xGrX%ZK<M4P~
zU-m)c@;bj+{kWeEG#%-BJ>0EunoCCycsN&UYHK_$_T;!3O8%swAH18lbJ_iO6UhHP
z+6nx&_xM?OE<W?-w`){zPfPK|vc2X;d7eI4u`Wv?+V$ExUM?lYaZH&o`Wvf$ULSB=
z50@W8hR%s4pVnb<e5{97LOx{BsuG^PKVKDTQF*#e1C&|+q&9vn#GmANJbA^`r0L++
zBvf+p(rVOKYw+$bCXC49aNA!#ik}sHNW@zUt-mTR1V?5udEY<MlQW^8`!fbe|6erw
zQxahJ%BonV^_Ah0_mC*jePhU6G10_kf#Sl25m<9_%4+YA6^{(XPRby{jd5gMpB54C
z-%U#Xr0e}fI~3r{pN0H>87Mu^I!^bE^0qDE_h6ckoqORu@e?)Y4(n>F4nUSca%UA4
z8tZV<L$<h-JFUk3uXW(y@ag4YxIBy&&ut5!63CLcUT+8WP8-gP9CE@3-CIffQ3cK?
z%{I$cn@aMGwj#%o_{B>xTRAW5Et)UPYSPS{<1J@1V{K&KE63bTpcT(I+fAs=0#hg+
z4h3rlD@B=EPHTk#jY#2tI#YxHK|g@tk1(3};v8}p;6T9WM_EbUBHUn2h_3a@4@Y`e
z@?)#KV_Bf~lZr>8q|@yWE~*nX>R&zXS9L=>9>`(2!Zls(ly4ZS{uMQ6s&{I0=U&w0
z`KBhX8nb1}^KbTVD^iwP_~xidJSv?RrAF&&pX-LQNtS?VvfJwTMU+vQj*XvF)bdUr
zwpQAno}0OT*)X7o^@~<I>i5qb_ZDj-#5vasvK?iwUBWq3DY`XVPTsua*Oi?viM)62
zH+gMlVev!ja+-=AE#gS5mh*?+q7vKhmK{EH=BnE6;;71+X`%mwtA>Z>x19%JMXr9A
zz;ww39DAK>_%m+Y5luoQ>pVpL{yn7}@-CI>bikfXH#ydD@@`6#fl{+h7L{nI(Gksm
z^0_~~fWh*O<ONB%q_AMigs(%ci$vqEUx2Q<lg3yd6L`B3>sL=Q?yjEW9o|aF0}WM$
zy^5DH)!k+=65AKhxK5YMA-$nW<9_V6QgK*I)9qu>SybI;qDk+vmfSv&Jow#zUV3I*
zrHsJ@%%a_XD4sHnL96Wf`RpR<Z(M(^^LFp$L;daUGmB6#GMe~LZe0@mQBB$OhGMn9
zRks2I-(RS}rO^Q8Q)ye_Td{)WS-fX~@Xm6rK^23pKo~(mLOR=P{g;bn!A%crxk6M9
z13CUViBKgmdAICW^$X7$ZucPnSEMLw)iY~0L`F$>H$Y9_n7*OQ#fMC)!wTaJ?^n)e
zBpZ3Nj}Nv0B(~1O=Mis?!}M>5>9+Sd<R*m!6G(5r7uT=P>yj1l2kMD$?IVxE!$$Zo
z;ojU;@U@hgEP9q9D+DB7%g@7vk(jF$1gTL1^)hf_Zo|}n@+h8Q|6*>HYRE~_O}LBN
z>u~`{a}Kfqb4)pIrTH<V87sa}kdiB1DT2*OtlS0;z9y(+%{Kv%r8C5y35{69MX1_%
zcM{VCnyuX|X`dYB+!uZBP0%=m0T;BzHfpuy2d^JoIGhZL)p`C9d;k#{T=ZMD=7!ba
zSp8(%bs<yJCygG9G+6rM$;rXG>w5peL@Iq&)|5BIrJAzkTqF|R-*jRBl=r**lb!K^
zn!gZtl;4oXd)Lq64+-PGqa$N***_R$Zwg<GauA1MuJM}jO}Q_ba4BZGd<4l+l`MEk
zl`|*7G6RpK5Tpbgf^w=aKO$|))_CBPBHNdk8O!EK`7?ItArDGt#8=4)*KNr~O*_>^
z_$4DLUiIuLW6i7bGIG!On9puAB?&Qs?D$#>t=Cl?=QPfK(c|E-rnAkP^@qNNWLolY
zIW#h7IX+_(rUc4A<vLx_e6&hI@$aOmFe{A<ViDXo(wHf4mu|2*RA;7Dwcrp=P?syB
z9FJbHt<xVb*iVOHv(uwZtr7@x{?%!wj+`|?rie&1>bx3=V+T|eFLk~WRLSK_l)Rc<
zb|25!9k=V94!TYOMrB(qUJ<W~nQN`ZhYMFB)bZUvy@_l?&0;)SH}S*STvo?WFBbEo
z-mgL<rVCe0QR-0tH)yFLnuS!x-z#!zTxVT}0c4c43m6z4183$Y(c!U(Z@f^ZeW~C-
zDTJ=rc?#<}C4ByI?<;D{bexwXmn&w!9XpSD%62DcWDM8PNaq3*kUS)$_-Q)b908=T
zSXI5>e0bSWv^}tT*>}45ieOPAzHqVGb_n@Pa@$E-$WO=ba=B2$9a5X7!D?^)vElX6
zEq#c8%EkO_f!*^ch@`P-^RF6RmBO$$>x@?uo8O&@XS&5&b=#0}cX`ev_SBEB8h?w6
zS#mr(xPY0bBp)8t1!3>k$$u5*Q5PVWWx<>C`(4ZNf2evpmClSJ`djspG*Y032UM(l
z8cAiHuCY>&cFJ##kQ7FNcYLVLf}?Kq<j}Y+OUrWU+(PL*oJcK;w<pwis=Ynj`G-8z
zbbP5E9N{hS$Ml_i+D})3i4pZ!Pi6ya;^X{tAwhue$dMz4*e7N3<10fpNwT5engfKm
z)HP*9bHW7mjhZ;d3z_x?owhJ@pyW5XC>dLm*}cxqHBg%hw!ooTP1dv!<8wRj%U0>O
zlS*R4*x@@6zdsGH*~0$H^5et$JdYHo_FDfUfuwx+U7S`cWeAyrk9jmFV2dhp_Z2Kd
zv+~EYPnWad@?}G$h@hjOO_@&H?)nHT1;3x;Lbb=8--8I>J9}r|ZL_FqPUg#aPVoyY
zRjK~OLJQC1_icub+ifM%nckR}3vcH%WqB;;*R3uJm&cb{T^2X&Kk955@ieYn?t<Pi
z4ePsHF2yW$KDNGQ;?8Ec>};<2;x@SC#^*6BOALqeEv4mnCM`2x4d_bOVW(=wGpqQN
z2Oy*p-HU5o61jZT_4UoIr2RM1M0U(|_tVk9no>|cHt0V<>*D$SU3zl?kq^06z)~a*
zPu~HA!LZiC&#!T31qp@T3D#b(aiY~Ok^=EYah0o9+vauq+O-2uWvg-91nRMq4p_nH
zb5-mwp|wKquGlYl7DH-u<o^)Jzar#P45GtR1Gq*R>oRzZ?%Mi=d``@hPG`E@_+(EH
z3_o;3$Xte=B}}6sVm4Y!8Y%)k<_-t!>q;sL7O0kg8`5MYEy`hXdM{^YOyfu?ldbm|
za{N>M0gn%sK?dTVixa0&!2dt?{xLe!X6YNoCz)ho+qUgwV%whBwr$(CZB1<3ww;{O
zJJ-IS{p`K(b?vWzto5$dpU(3*s;jH2tE;+y)rTq70+wi&7b(!+K2a`^`Tf5nGFT9Q
z5}BxiDc=9`RaRw!DWLz_YboU8ki1FG-+zSFw;cZXzkKQSLFBKC$@fbervJ<4h;pdI
z-_rzfC;IE2bi0LBlfUQck2*O1OHS7n_a|rEVn4fJ`g^YAQ1-C@mL|U6)}PVH*<d?8
zrTslurI2>8|0NT&`7@eQwrI{bslVq+DTp2HzkKSJ?ayfb|4glaC7)Ptn}+}`Z5<8y
z5ETr?Ii@+p7|HuH%JDHO>3nko3Cd{XeLFLe5s7n3iSdfTlCUz2(=zRHyX@kkLZjj$
zM;J>d6r;mMefADaT16xEH16rhG7JoD3+#1+gELC1F{(p1N^y!Z471Di{`RrCJBe4!
zOZyw{efJ5Z>h{XQMnsqXfrW|6NLqW2rs0KO82>346o>~cWz#RwmI*Jn2*)d=@fuk;
zk?ub!w=i9bXQ!P@m2$kJ*RT}leYsmoCKosD1Nowr&MW_HeEnUPs8DokAp{d`8rN~>
z!@(2!a(jK>Mkk5dRnajD-H6$CkRkIWlQK2M2o?39#Dr7f5w%)sN*ucMmW+e}rEY45
zrjlQizKWhazp<(Ybvk9Z{V}c3{M-?(R%*r;Y44a)H$Gbnx)FK<WW;)&NAcKRXC~;O
zHoU5n8NZA-gkj!<|6X6^f=oJZmb|o++ihPTC`oIiW^`lad*{Z*!&7>7(qP+NsYKfA
zV9=^Iq|RY{XJ%i$bE<7C^3f4$fWG-uUw&t^w#+c&M)vq>No-?e<wN8|<wRuTFMAHs
z$Bp;+<hK%+rG>~!=s2dI^wm_Fu^D8Xn1B;^whjY=@y`F)eu@8i{eW-r4k+s!xAFMQ
za;hf|>~}XDZZEpGX}=6UZe|9-DfzIt>NsoG#M8ZvqJ{{=j$*-5>GFKr(7b+o_?3da
zs=`uU-{|U>LcCDkDfMS^;EOvQLP6Po5EIyzk^60F%9W$<-kx-WP>xB2qa937W^2|8
zHJ?R(mO375{WgQ=VJRm5ce7;%?vh7Yd*9f6_Ea-S0%Y51_Htd*01RLAWw$&4Y3s!#
z=apQ^+>V!un$+Gedd`mfOu7pa?X$<*Uk~$CvEHxwC^aY>yhP$;IIsD&JGW6$S**Ws
z6y#Yv-4m59hBo>@p&;*%jf+T{NB4>Z(}xAbb1RTaspxd%l&;K;B-~M>Cmw{Bx06U-
zgM<&O5)j+nLp-eBC<*Rq)aFo=YVz6neE7@8+iI8Z42J)GX0>DcZIwV?Qc!5w3&rbC
z=X{L>phaEQq=X3Nu<z!tN944+wh}LTzs$XPbPktY?U$fh)k(BBp6j?Br8^80x7$D9
zd7OTS(&;pV4$OnQ@^EYFiC;Jr;nWI{T3j59XHj$&Gc+_lMn#@@tTgLTR$Wm;WQPTT
zzbb*=@?noue;pizg0e-X)dD7~VJ>1h6do)}8qU+Jyh8{7o#r5(W}isgn|owP9+V~#
z9xfQ>X-i1sbZB=-r6EVZd`Yg}R#@69)wb-87q%KiqLbFSmE0J>bjkq#OXWY@=g-{b
zGJy;}E$B&6w#)X6Vz5AXOovx#6TO+|q{>Ho$aO`PM%Z+@q3`$8P?0c<d-dzq{q@rt
zPoL@5*0g_;%Yrymfv(+h6TJ0|pW04MgpfsjA|pts6RGKGx^k&W{td6fui8|Qavn%0
zyN3kdeB4!Zdi}A54=ZTtBBr9CU*TiPTYmX*fh!4@Q5k!~fel^#`>}!}9xx{N{1tDN
zm9!+5k5+SGrwC>ei%ED&x<TE!XqNjEhN>33m#Ne*v-JMM2-SD|MN-)ukF}qN`@wgE
zP^#A{#yW96Tkz7cfPKIkTj#x#m2%E#Hg%O*5m%Mj^;r>#epXz(o$%6t5KUjA(%$RC
zdPH(!;#kNE4mE?fn!ac4Tm_ZHvUT}@yor=F0>vL!Ii8G+*2ZW+SN?;7*VNcDTe-Qp
zv(s`>V;50x-dr)VIK9h5K0Yy?Fx?MqKdC4J6_rL^n*v5sI!c7)t`S=^oh6mHsv|d6
zOUOb}GCU%sQUMVDv{v{spx2$WTE0xH9gdI`X<%YxQk<V*FC2kNvHEQ!m3?CIXh!gx
zN!y~1T3vI4Srme1X(dQp)4^rSHm!U*g=%UdA*NXcg>JhcO?q;o_wC@kqM_v-Q0E|>
zzjhO|rDeH4(}G?Ft!BF;(%4LNmQ&CM4~b72V{P?rX#V)hq_vf>(O_|Xz4BeMJ*kyv
zcpX26k`x?PrN)?W+@gYhe3|}Ye!j4zDg^W`MVYv_PC#i@rJ>pFx?~b=it^HG<WOSa
z4URmgX*snn%v-p=i;6tIzJvldI<r!8cb9nw45Y*nO2ZH-W!bn&icJbu5+k+HEfBST
z!T@>IqdAk5>i{^}*go<dd$9U0=E-HnmWrjH0u!BcO!hkh>%mwjJ5~c>r)Y6myZ+^w
zGEIY|wTmbIMZ2`*HZ78jSQ%4IDhVsqz~J|(>Ng?vAn}aE1D9QpCk@=?mWWNJw#xjq
z;=vOk7rT^{Bx<uXL=>krV(7FJEp6e^^@?YA?VNnO>`_#Et)$oRenTng_!1u4AQDNo
zMZe8~hz6!kS~6MLd_1~q^#rvRXS3P-Jw%30o+?;IGVYXy=OXeFrlAbV<mz&G)x}z=
zL(&6I`m&VDwP?6^8=&gxeZ@VCv4eHh06YCB>Q_{{w5Mbm8U!4c;>mV><Kt@v_@nS0
z(f<g8LVsRw22iiyFDGqyt@m$>k1q2lyjKuN_@5d1d_K-|6+&Hq9JuTUOh-h~WjRa_
z?;;8@WpzH`Q&EnTQmL!e(yKij4@|VZwmE1<A|&SXbU5hk*Mf2k)dvLyb-&?Lj3P2Q
z+&egUGJ<Vei55Ct-v^<$yWLIcvMV$|p&f*5zeDXRLn3f}hssL+9*p?vw#tt)m&=Yq
zLro2daKcGLMaPCVE?~rS*#)-Rw=r;++a)zlK|S(#yq_N!y9Nanpr0hCsADZN5|!V_
z%mn%aq%BQB+}nBw*Kn~YsO?oUk)6<%T0ItPih^zh*U;+JUfWDh<`Xdo$QCZBvqnoI
z%mRt(0+6Mqp>Xv{Pf}s47tsRguGMMV+n38PH`f4lXOG}YxzJfntE<qMYa7OB;u-UR
zJy0o8rR95>?)ijYK|4B4OD?<?`Mw9*Yh_Nae1AkM<REx82BHi+#W|Rb`>LF!9m~Z=
z^(*u+y4gy_HD%kL0HXmi98#mH0n?R6OHK_j63soskBXOUUU1z5uD-J|JYQgd_o*Z^
zSvfWbP2abCoW9zRp-vcqLcPt+!Rs21mqaxg1r2oCd}4xTVp4{J?q)k+VsnlD?ab|I
z*L<~yZUfh_3Y%^kB~X%ElG4mClhviye*@lw+WiMp?dpm-HCK<&?=c;@#OtK(1~Bzf
zD{!8BRf%yL4R$u^rP&RS*xrCjc0Q&96qGZGeYgLJ2TkFCyQTuDp&QSPWVt_acw@5M
z>Ln5T@Fb84%JLYLc5=^nI@S#EH;fWfkdF=zK$mH2BgtvTrbp=@5z_>wbk%?GC2i!!
z$EpP+(k3#sP;QuM8wHsxs;kRumw*((+9{>bQiE@dO9h$?4)J{6s@HXE#zs5^ZoO6J
z8}jQo{|Y!C3x~89cu;^i(ZHDLZnp=bMOLvy4zk*<>xNzGF#id&IbnV<K|$^ensi&X
z4C0KtgpyP}BW;yV{YUqO;gns(1Va6OD<{omNIcn4Y6PSbukrqEZb7{*ij2z1KN%ru
zA@cYS2VXhB7qJo@3ZH^Mv=$=7Q6&%&mFW;5JX>No|9FgLOd@LkxkHCyL?PsG_Zo`Q
zQcwqmlmJPAy?hh{0@9AJ1?qnC&`*$F1wRJg8zlNPX%zhfe@OxI;&!2KJ`k8xqO~+E
z#)>k>yjHWIt3ie+E6F1Rj2cKfad5!X#sz%5Tx)SUr9=w2IQS6H=_y56)tR!Bk#Ji)
z0m&fxmUX4_AtS?oLK&$3g#Y-aWm|Q-mpw<?Zx65+oHbnM#cet&{2!t*D7PU?iC#FK
z<A4C&nl-=a;TRdtr99iin$pt5?IM$7I&zIYNG-|>410teA>J|6BfV7|rR*|lmny{h
zhI>df)Q;$&Ao@i+l$Z&qaGta%vsKW+LE)fkQw#->D`1l8z76Oi*1&mNlcc#h#eP8V
zFEHal#ve=kP$`MOXASwg5v|x5cz7n+ESy&R{NMFeEfg95gdnKBL6wEbX}{upr^a3r
zw*c2KimG{zKk+G5;0da2vd4cG*pK#+bk}1L2Y|Xkjcb7xAAhTihy({YM-?oWgd{Md
zxZw#Y%U|KLuq`jXo3r1xywe>*{^pP)D=X;~LCYU6!i`cmzCy;OmZGOc2-mrst3Pm9
zKu_=AicV2TLpkP@(ejg1Ew*Q-i3CT4k*!Crx2d)^*9cRYdX!ELJ(o@;g?5C_HlvKd
z!jH|=1?EQQE&#jkISx@N8TH8ROxj`bJWVR}@jPA1iKH)fQu&QxBK%iCR&rKGMz!ZR
zb~${aikjjvk{~&avqY_0RVuAgEs)k9zFd66JS<cx$iJOuR12Au$^EQ^n)CHJRO(hZ
zHc>X)s}22n-XnS`$RCuBxDxtxtZ%NV)MN2xWZWcB@{(xXit-x`T+}UMZu>4}vaf>L
zcBOGYeyk{IL-2L!hps~<c8F;>s{|j<MKg2Vx@m(BH7JRbTL*orpPiir!fDqQa8|<N
z32#aX{6~g}0RGV2D)7lZmXm&e?*F{?dNXeG#L7XeeHWRL({bJSxmET9cEP9pE~CAx
zqUW58%c4<NEobwZ*M2)(BZT?0#b*Q)i&##6;eHxPRZN|IB8Y7|^R)kfo_cSFR3K|~
zB0Eh<yIljMrc_Hijoo2sfcVfrb^zy<&cJwU9_qd(H9I~2gi}F*Y^w7m{PfmCHA$H;
zQ_@Ji$nL1pk)#2^EWU6IkwY!aZV!dcumlcim7ArcP&NmAkji^+knLb94TE|lq$A;G
zN1a%7bY#Ngra7%YQY7$)L`E8mh2_};heQ34J0D&R^~W$C8u{3F&+cs6PCXS3b3{rO
z^Ee6yv(%G|!TJ3P)f9+`kg@ca$ca<&P)I_sqgXiC1|WHn@`}9Mureg3;$hWJ?cm>}
zP98;J4cz>EQb{&^uIu>{9I7H)eQ5Wyf(s;g;{8K1IY|z;LYl(j8~|O_x=mK+BPrQd
zc*WOz|F^AV)%~H!jS}5XI%wrK&+S~oA-&W2VN&y^Fr=E+%jQgQk9N=qsspZCZ*37|
z5=V}*J1Zg2yDLV*fsyaz%GL2;EOvy@M2Y+?;jYS8znS&34^g+kdfEmGiCsD=6$jTr
zeW-s3GBB=!ev!B8skoQ>Q;|4P7tdCPt)<U3>0>ThQnE!&TKbXb$=&DZR6v`v{&2E3
zPG>uLn20cms#<R>@8b#7u?xa%u2E<{!DPJ;hp(0ee^RJ7tV%7ss#T~?`(|~>-x5>M
zYKxo6<xp9=%#=1HGcAOVw!Rf_|4^al(O;XEhLm7wm4kBidiAVpAORStW4Zdgq@knO
zD$GjF=A||zrau@wXs7$K!f0wWMB7M7hzn1Z&fnAr5l-AwUu_slXRSh<EjDkqm}g`f
zCUu9y%RIfyLp6z(Rv-k{6DgdO!fSR>rno{VzHDw(udbDTsjNT1bAwveUkPN|_eaA+
zPHNh~(@M$k^r^MdU5}+Kzq`=}#H?%a7DDP4WsQLn>r?3Zy(z4oU0SbhSom&K!GO=q
z_e~*bmK?4@psJQesn$)SB&K~ieh!+6>$iunEZq*E)az+<hZdB+SPd*uI!tdwc7o*%
z15kIvsFVz(B;qj35eA`Dk`F6VQ0e^iKX&>Q>_&IQMyEP1_v)%Sc2BviPb3i(DM#wc
zX{!!ZQ1y>)ng7#)BLS^JzV1ZGM#KE(IGEecT8Dd!RPOY=tg7+uEReAyX~5q4{M5a-
zcGY2^<NVUXBRNeC2JsWW3*Z|IHj>rp)f&74;?f3V5&0cY$5;9-j@;5vgRw<F<027S
zNi!CWbT4#Hmk9P%+Q~>e3k>K<?`|zgoL5^_N1+g%20vArU+0GYr$V@?t+$GbH34<X
zJ8=>-h$h5HaC&{i;qXnL)A&bdSGDIT;vo<pB~&yi$@d=&;Up@D@gy``eBk(+O0*`@
z84<4Ry@oh)llN*Gps-x&i9{;|>~jp05N#0r9hq?`D~IG2jK+tCua6LU20|ye*s-~g
zcLCtcWuXoM-^9n*=_qJ#Q?t^z1H!vj1K=o44^R$Fg0<sBSD%s%!4nlP7<Xa~BtXHk
z(&IF1>Dj2DoK03l#zHApj?@u~gI4S-ZS}HC0_Yu(WUTI_;Mg@tRo$yw4Fj4r;i;%I
zGm>B;s(pV6m#x0Gt=fBHUJGi0jM3!hZ|paMFPG>ej6#4p3uj<ivhLYCOdBeS+ljZm
z0f4si6`m8py$#~8C9MU^RN#IoVXWzODl{PAw(}h6nCF+#Mv_@!=<^(ogK0sap{67@
zuE_BZS`;NIDA}g|^URbp!uRmk>lj?N&XF53vQbymB3HA`RvlEw_Fo9`lXMXG4$8#O
z4&fYXpVNT+5Zvy|2?oydXp$J6w~UlAuWNOH_;QcySK27&XuHGU`?@vPmp{j`7X9&i
z1yr`0;&*Ye_@NEw4@cFPJZJQSMr>*wf#ihLI36}Cc~31>l{Lhsp)6kE)SwYOFfPRT
z+d8f0vcieO(j{0LXEdM~3Zq43`9xhcYD*h`ycN{aMuAT;kOqiN)zr4%TA;K#pB8QS
z_Q48B7gULZEdDPG6eYF&agyI8r$-^GCJT)ZT9@XGR)C~OHPq$HD+>?Fi3yCd5+kvf
zV;hMizw-MWR}a&c<_=9W;(#*Xwi}a@ii+%GqSOg5Y(xF&qwF2D*NC4;6c4`FEhjLR
zVt}7v+do=KO^(@#C(N=kd2(9zltkKuo7%Hq(lB^g^ZQvqV)s{u&RB+01r3H8T*Tw;
zj3z-H5B|0Q!WADokjTiuI*LcZ8K0o>_0s&g%vc{VZDNNp7FAj8Tp<7-q@}8*A%kv*
zc4y;UoY@4tzCf{0`7%}o$3?P3n9jpSwh+ki6lWcBD<Ku2w_Dc&LZTG@BH0Ed5VQ%Y
zBTAWRh=z({7y>)DMQde1@XsB@JP=HC6*{;3tmCbBSJ_hE3jT@~>(6VVmaQkT*`an=
zD;y}YKVdV|UwGBgorl{|BH1p}t%z$r`{~H;rSEv#USFc#<E@`1(^THOTk9rKveENl
z*zMg0B5<g;!SM1Y#p|@v)=Xc%k!BcaKrvrlh((1)lz!Z2lw);zZPzB?Zdgm?BqTiZ
zC~yVb`1f_s1fY`rj%}%&An{Y#nytjC%z-?u<5a?g1}esq8(B*W*_ezXaL)KCDf^@e
z=X%|$1IKru4opk}xM>c9xcYnFFx(#M4qe(jfoBNif^1^AiE&&4Pwm4IpO)qiO|jx2
z!SJ^mofcPCwK63pp!pcp^i0|><l%)it8x5dwDRExifvIbh8ia-A57QL8E}4xL)3ha
zXuJtH&|dfxABEB&B9R(g`4fWJ*%u8SnSp*XWL8j(j~~P^IIWQ)7Zw)>-30iLX4@nE
z7T$?><|f#u3U_D_&;`NZxY}Vump0O>pi0b$Wavxu^^eFF5-fo+TQlfX*kM>+D<8x)
zv@c{L37!KUpmlIT(7S}v+-q<{%Z&R@M6fJh3gV)vpb(rZq(@5rgr7hp2#QNW^9J19
z{P=(C6o$oq+uJ@m$R2Ed$c<On+PTqSlQ(nQ$@)#Z#T|u}^l*b$jnw;$59?a{8O=CP
zTZ~utN0~}&yPorI-)pM)v=y~01Lhc>LRZCoK?LA)DGy+b#g@LeeC6Y14x;jW8U3cA
zbbBvy+0uM}8qcBDeHeX%(_X9*+1Q>t;<jD={gkOqQ5MHqDjq0+zZ?qFn<$)f{CkXS
z!yo$;ktY~L4q>ff(_Xy~yMUf-Q`veD(NdKM?TzYH#jxBVjXv}@sg=2agg&|m<hM`(
zMl2*~QVn&mH8PW`fSk}wlpkUUYiX(J>1$&e8fn~?DM|Gk+R@Di1HPk#`dgGd(T)DB
z#f9zAbUQTUrhZ9K$!`I%lfL$7VJ3~*u}$<vqZCyX59r3ijna~X#+Slw)^)X>yZ-t)
z;3v3v#5>`(qrs&JA24aNPHw4M&tTIiXjc1iu+Ad-TIXk4%d!I$1SI+bP5J&y#8xr4
z=KE8+B2uban|r><>56iV1DC-O>@S1-d&MREj}O=a68*E@_gyRtsmcGxe?}+yKHfw-
zGI`b~OC>>Yc-2hknb7u*hO;w$&H3V^{Xst#W;t%T-d}H(7Sp1;VP<yG#D=IgOpO1#
z*P9cOD3v0V*jJLskj;(aG^v}RXl3dw=Gy3cl|hvedVF<Js;7?_F7?y1vFvm|$(WEz
zl2cP7BBT{j9}jNLakvO~sIfxB^Rl)zz8DQJ_6{hme-VcD;C(t5nUvz0DEPEa5;06p
z>%%za$Vs!h9Xs+v?2Eh4F_mhv;^DZ0%Z+|L{aXq-JUqkdlr%8fF5o~EG;P3A#a=Im
zLL>GeKssiB$5-Z7Oq=ZrlGHl2T+xJhYvsui{K{|-F%@0{`Ku{P-HD@7isfF9Sc?F6
zzhsmuV9QAV-BAmjx_U7Tp<E|Nk!+bQ*ywm*B2OT7nJ!m0z5{Q$YAK*}yI4WB7j4mC
zvZQw)aS|;RsWo$Qa5Fh52kstoq{IuN&PX)t*rV|rYTMCaDh;Ihi@pH@x}aFR%Ji^%
z9TlfZFak*TyGF~pbG~$TI6fq|y>{67G1i=obh_{MNSYE)4#@j0`K6)0$*A(*-Vfc>
zZ!0ZB9P`Y9;sjIjedqRZ7)xj0>Tryr6xRVyQaY-Kesp80b=<^M41`+UJC;rWVX+tf
z$}=%ukXC=?cdA6V&q)aB?4}3F8vrN~ewn!AYmOyMC2{1mx*ZbI$tq$o1O#NZRiHj5
zsK%7CaMVe<Ud<eiD4PjQy|^ht3KDHtv6se!na<Jbd-xclvPjd%A}6<=kZRoBh?PI7
z(|2)5YF#89s${t2<dWkbW~Y;|NHb_=P=~H_+BMV|Z2)wYOv&BSV4aELT6NLYTe2lP
zcUMbx_fYde*lk(D>wh4bXIBUxZX;^gFi&bq@re#>z@lJvIa8@rkQE5(jObGzXc!ud
z+J8TPkh$Adu4G)&pS||D>W#*_V8J=AkSU-f+@WiSWxEMxbK{ozc#^vHdO4P=JRCDr
zalY{=TuIG^{E3TKc1aO73E9jqA04M<SvpB=R1@kj5?IQO4nF(<;))J>Iw%U}goE_1
zTN;BkN$-WNE?wDLD*LZCf{vm<{b`*f7kQhDqIhpJNlDsTnkk!aqtPl!?MdlbSq)CT
zkN(f=vI{q@U4GL^G!*BP#52dHuckY|QQpxH3$e|>p?F%T$5<|TyXVDC*+gKCGpq_~
zX7^U(V5fKy=-H<W%jd;Oh{1Y*q9Zq@LODmR`XY$`5Iyip1Zes4LZaVacDTzRKN9>O
zR_qrlZ3u-qtB=B3?y%q3$|^7-0VJ^+Q{Rt%1B}Nv%LkxJOCSs92**91X?EEDn2Ybv
zx-)5ARAqPmoI`>?Q4XOCs@8al%LevOHqa!9&*7#(MVao4qtoJsVqSas!#xCp?u2f`
z*W;NB)Q+N&WrQRyO8SZuT_?s>A84?5*iG;OP}F)2^86b?Yc2S#ePjBrp>e{B*mH0j
z*{pQk<!f}}A?w=OteB!CE1sn(LE)0@g`wbOcRX*=*-wNdXwsnDS<2Srjd!g<1^EW)
z6lVPu={L?Y0=y1yu|rQqBmHcR)B1krnJj7Srn<a;$%5zkTCB_eS=c52CVxt1xlw}9
z{AzN|t8UZAqLJ17alH6($m*yO_XJC{#ATLQ5cN=m8%D*A^W!$k;R(@)6R>|$ufRTm
zcW;*y(`PXhQEm6jc79Rw?bY{#d!<v)KF`}zU7$AeWKzjbg%3!geT}SbPlay{Bk5Kx
zWuE)d4c($1oo@GQ{&$&b^2KEsVXcpQoyQst#`7d_XpjAkcn4{ziPY;mxa}W*ZOI7)
zo@&OaOdjbs0`~*ZXsZs5TV+7r>m{tt^Ti=+=0o>YR;EO|fr#^A)y2bWKN+m~qP$Ym
z%{S`J!uIx^0Xs}#$9r%q<8$6D?{sm27e%s_UGL|?w^q}>b{C^4eCEoI%O7Knz;7oT
z37l!}AE2ASfvTlHR0~wEcADb+a|K@r&rim7BvIqBC6d`(Ci8MDQ9Ew+pfElYyvbgX
z6;f~xO;gY0b2=;Inp^WaJ@Zu+?8K%FCz4Z*3|t(dKxJwwN-CUvF`SG?vT4&wV$s`_
z-ctBvLC=38Z8XmFaNUqwX8TyyNjoYo*c4qj#;*q-%<{2FV3HKl{kMzHg{Wf%v_0_)
zx;c*pD?T-JG?Xw{o!SV*MlV$~gmzM2cS-~MZYntJ(LRp)#}L>RHrIRs0G5thJ^aeS
zu`4w?kKuf9>|AAe*}YeUxl@tS!F<s1KLE%-aUe+l-h+W;!mF(~yZmh+@1vGF6(#V;
ze_z@ESsxNO{<5R&KFR&Rgt#V2e|_1KkRIH>1X6&0{d(@~q@P58Ci8{TJ}70IA_Z{&
zOPB!SJxt)Q?Hl#y<-uD4$pz#{Bj5f@Y=aE`E9DH58w8K<pTj0~5IrT7Gj(gcR2HtE
z!%OXk1r@VY*U_!Ka2n@@BU8SzxoI~uSR4*P_Up^j!fUcP%?V<qa#$wRvtl}P{1lr9
zvRpV9VtPC(v%TVB<D8&r-&SJ5eb&I_Xs<Uh`tDc-h<O;Hl~y~hys8M*;zelb=!3n*
zk@>q$2J`r+0s?YmAyGN~_<AqZv@TDVFgli(E&mf12qh=i)H>rb2l?m%LKy}OAXZgf
zA$UkWC=C6X^GZ|7G*dyrpikdEWW%6e{8MP#q4$!c_u#>TrGj>yjcghREB?Q_arof!
z|3a!!`=o4(Tj0bpaMUBiTK8RbJ-B-u*q=T&f-vlsQ4HKx9yZCv9_k2#qP;d!cDnfx
zPmHU;%R!y%TR@8GHe@I33el4QYzZ%#i#rmd<-227?fKdN`_|~+Z!NjPH<vr&tIaEy
zj_ei2tM6A<pugDrOXpC*gS^2oNClj&sMtbol!1uPQWOkXp1FZS^%<W({nrhz`o2d?
zEaj(^c(vyFBoeEHLHf2aTYA9@@*&$)uEP+vje1Uzh9se`(&;vrz|4$8_t|&1J9}Gb
z_OOv21JSRTij8NN+Kuft>t(eRr1sM?vo;W?1yV?%&UPlUrh1(*Qb8JwYh{|Y84~~|
znpa(IQ^#Sh0Zi+TPG;SF$8Nx^pipnM5=h-vW7K8YP;<{^d8<R1dq1en%76OJ(M`?8
z>__PRfYF;t0ZUk8MIxkWkF@^2|2TkK>2(sjl^lPIfJf<ed23y|Sg(}zqQO%yg}6-!
zmo&UlPE}ybvb`PyD_n}r-N&qx5wlI@s$?$YBA+q7ls>DqlCHq8sCASsE<r0gwVaqr
zP3>5$Cn&~{Sm&O29BZMeibhM+DPMDm$f>`?5Tc^a+JtRs?%L-w4z=o7g-&^Dk`q?F
zw_iBRz51$cvwmZ~9)Q`(Rn)2zEVx*bM1*<D2Jydok`9p`GP-r%B6`}o)9ks?#~ja-
zTx+_@Nw+HS)<|%DVf~nO$9+Gh=kt-5elK6PF6v8)1}+7+A*e)k*#h!gdE)wA*}=7J
zW-h@0FrvX=rD>v%5i(Q(0i24+ECv_TqUrlacr`)Lnp)2QcyxmE!MHuTHmR&C%_A<o
znr_c^#;~SVops{`Lfb3>r}A4tV!|n^o%rMM$|tCSr-eOCcm({j9h0ow9;UqPm;yFD
z%(zd(Is6%Rak6ckJ+Gl<PJ~q2L1vLfC@JcD`t})ijBF7!NK_2r;zrhxL~<B$<EOC8
zx>;P8Q?;A3_)K2c2C`FUq!w-A)^+<CJBhtZ36&9kE5S+_5St+q!UEIO)WaNFP9dyq
zjv00Zl0l6JIsIf$erLx>qzE>`;PvM=(_h&g`c|NxyG%WeCS*TC(9hys2;cyfM!3cy
z97#rvnXI9%?$A4`fsc~Ty6$WiXtUE)I9ZEvXhlkGsj+TTivVR6ZaPV&y|!5R9^_cH
z$gArji>8|QRCDxeke$t$tWS<(UhQZx<WT>0iJPc4PO^=y^R4@j6MT^CKdDVMR=ycr
zslk;0U)|n^1=0VkJfIFy3V|H^y|1wA2uIa7WJcF4zd=#9*B;X_9tXZw-f$$_mDU3w
z97Z$siPfWyCYi^sttODr>=G)+6P2SnkIhBTRktQNn$Q7PI+S1zi@ATlvgsA^uyaC0
z0BNNRHkuHX3*~{|du@AAIUsNX1$#%b){HNa;F;LQtUoS%fellWr8Rg0nrL&AdQKFH
zm4+PgHXVtYN!hwYVicor`%aIkPLntL*X2I!+CblnPf8sX!CMSSK9jIy&Lbz~feTXo
z#i?Vi)_xo7q&)sB`1l@O7^1cO4;!x)C=wJ=F)P!Kp?2h`d>}gqHFTL67&2+&+KKcA
zlq#vgMQo5vbB;i&V(3?^Z-FtG5nZe#%&DH1w!)fdA%YGuluWJt4bHiUk_xx}vt~G*
zT+Y^<4ppSdx(CZ><H<||MVY2}cctm_o{8z`wgFK)>3MkXnzne{-frw>d7$0^Cq1tt
zD0njsar!1>d}h;kc!6Y`iPQpBT85eBy4t!vmFU7Q`lz6ioDcMx9>m>g5l8}8<YCi^
zD8m$5gqln%u)<5jj8G8Lh{U#vwBb-!VrnV$5p{;}S9XN(wU~PeRA%(8yPVR|=XWH+
zX$8T+;u&crjU%p0XLYoh3t~;5Fe{uY#ME^n%bssgkiY2UidHV{S_4Sw+D*@jY~lKI
z@_v+pTW5rBY<5|(Z<@*%7XHjWO4&C)ZoZg4%(Ql>beX-8@SDCuGaKAxxLml|c3P$q
z337-0TWY}f7`{q{0OCscK_Ue)Kt>59v$Yz5=cw(713`xr<Ny{+84YPyX~sE<I|tet
z?Z_Dm0z0ZlLVLf2P|AqwbwU|1*m^zLvvH}~P;&R0u@hbC;^Ic*KJ1LC9i<>855S@~
z-UVV<a9YhDv8~mp39)c*8m+M210mue7`vuADK0Qy{;K(IU*`c)G?MVg5|Mf@X~GYj
zS#XU)M(qnX`Ohxdr#IRUnRl%lpQAQL#1}UPg$egaJwuE-#6^9#g{fw}lW2b+rD^ss
zWvaQ%D3xZ6HAYL0ch0jVH*3oQu1f-1ex#P+u@4FJr6G@4#d6Qb`=yV|y+k^tqW1Bd
ztmUJX?~7V0o7)#UDxqVIK^+9KVv!ZU_B+<ptA`gSwsiN(8Ma$y>&xYf)1e$#&QHut
z4oQeNpenE&&IIHy)ku>T9$rfbbcqNIOKP1G+8oB@g{M0zwCf<4l*7K%j{%D>?hMqR
zKG8O?MMS}<H6G>zT;>tgDB4vJ);WsJwm_qaqtf<?oNhAzQvEgAFn5j^uhZ<K5F3fW
zbEFss3@5^jjZg$vv<<2MeQ#~0zqu3(m=Q@~36SLb<MCk~`3k*)k7X(D@H&#owvx%Z
zV$q8vRq0%I>%lf?A>#B?x&)tPJwkde7R-N{_w#2ut|aP8EB`|1eT7CyJ*CLukcNwk
zo$X!%`_%O$=6ucu^(s;9Eo``Im91xIM1WkC+qn2~AXb}HD6^~K7GH(Z^X{?;)vN$6
z=rpX%i6gh=9A40=Z2cyv8$B`}OHuGk2eD@ZLIYWRuh{2K)BN!GJV6=hxE(QAh>xNr
zrPRj`?cWvf=*<-ZZE-si60}bt<P8~>pvxIxp_MDqmA^YtO=Hzp$kw5Y2&x!KeM_P?
z`f}8T2i^NclKD;(MtE)*p%`6gg@^iQr4hvjG=Fd)_rQ=7LQH7d=`B9vIQAf5n0!p4
zAnld9k+_^zH1SG}!wtunH>|4m(DQEIvo+SOlCZ^za+d^+FN5dEjkE>B{q(u6rBK83
zwBg9rJz`#*1w)u!b+Vxh_(SfrXBE)@q7x3Fb_tZ&PB3$>rdz$&`jj_c?zD25n)?G)
zHI*FVMwZ<J$3`n@N9?Uvm!V0yQX>Xb2jeU6+5{nWf8oLzT67~Da0Kk3SZ)%GT2fk}
zK&qPBrtwSdL<wPatXUL1`^CvfA+TrY6e}*(6QBAt`r{v(O+_vD1K*BZF(B;or*4hX
z8duTNb3}^IrEW_sO{`<I<Mauz^symbGzNWb9u0=!>YIciC<VjeG|<d~eHbzgo8um%
z>!Me>3mZziZ{)&-dMDg<>+{AEvSN@!`x38C#U<!OW16hIWtcE`rb@+ZGDg~7K%>8;
zg}@q&*Jml;IX>*2wrcmqiN9^&+%>sbN0K-$B9Q+Lv&A6n14^Q?gqSGC%@er<Zpre1
z=#%v;>368@KA|Kyex%q`z-OJ+NV0R5QbU_o1CypSloqKOC{la|?;Lew9$zzKtvRN-
z2Jq&1HqAhCqSe#^s8e87>Ln5#`$S|Ci4#Dr<vBR|B4~K@588_=_UhP`;-8I-O%(`A
zC4C4KlPeTZY4e`%EB&whV+jKwQ}nfa)GZzCAqXrzK5CI?qyW-r@=L1<cCE1JR0QQU
zo~E-ae*Q3>q@N|=)yz5$F|4B%bzW1u?KmQJrP}uhx-^z0KY5pl&$KVUWI~eXZsx`q
zoC`!eL?}^*o^Ur1>3{Q=zLWg&b@b#O9Y4{24DH=-ElrkZwtGf?B*hD8%e2PXs@_L^
z&|EafKdEvJP58umfYc+zN2*@<Id78^Ymydf%cUgfRbm{G;KJiOODRwYEm7H8k;Q;a
z$Cszf4iQX-+~q7hy(34F#Z=PLd<Dyp(8AoU71IehHiA04_JsW~TK;-6vih!ysUg*r
z-Q2pWCf_JRPc}Fg4Kd7}$<}Bi5}4-1A4@}_0BdBuau_T!<=*5s#A#<idDXPtYBTPR
zFCfId!!gUZ%VzZ(Vi;Rp+KqE&+O{ouOPf{NILEiJJ8Kc(#_v{XRkoX3%R%za6-29&
z>_=rC6L;2jD8fgE^uK9FCIlY}Vsv#l+$BsPW#Tjn9xYN*APi;a$48@9waHb5niWy*
zCa3V;oHS<!{Z}Pw9R+Hp_`(|0*pC!C7fF1sT)c4J(aip*j*P>Cf?QFuTM*F2j=W8M
zG+}13>asyKm2q}kWac?$FN{pXH3Sfj_nzNL3}rinI&J;Sr`fygACqsB4M^^9WpUve
z{igHPGCkEA81b)0&CC)Ua4egZtE%K;?b__~*>@s-WO7^_)F>*lMUg19u%^(v#P&$e
zGOR96P?98`5+BS`H-%R`&IC5@)CY_MnaBkq4%wq)ur?6n(gUI+TxmI-J?K;SJ_&gV
z#EYx5cWsi4s?*346K^{zUTTQ54jTY3JZkqjJSHoYTwuGhNKUP+WfOio@*-_PchA^1
z32N1DP92Tcq9^1FRQ%g3O!Z5Y9_Mvi=-5^hH18%xw2kkb&!&2DG*KZAc!prrx;lhC
zS}jsVgvdTrD=rkwNAli4RaC<aYq5!V_rYyX9kc7Z5uNf5nxsV43A&mj(;(;4<sZk)
zv>n9S!@{KLB%7FmyGQM$;X$Ppr}X2Y%|I9Xwnr*da|ueA9-7Kq<estDHttX}Tc_lu
z_kpmL3nq-}3veo2Sp6Jr`jYGaG6r)xgkQ^Z6Bn?X(abTWMA-qJQgV;0t=%7fH+O(t
zu)%Jb>!Ni>p9v-Q_0;C%!j_ZG$#`*pc5d{7ds4t0=Pn}u6+r~(uAJKDKyl6Gl7*Sn
zU@R3#pmrea2xd{&_}1!nO5ymNX=B%FY+qDa%mgjQ_v;NNV3d2drqrYE;K7Gt*-?d&
z#UyFMBA%^{rh?{GS`jsn4znVN@XRPNL%LBWE@SMF`Q(5UPw;T}y5<C#8@7d(<}@&G
zbY~!=Qo^m6WV5QUJGP|mF$}m<Uoo4X?gItzg7Z1~QmBq<*$`{9i-i8pCG1W`#G^um
zNlsezUYBgCd&_G3n)Li~eMZ>*C6x&AfGzCbSS2Fcu@pv=wv0(ZNyb?NjWNpUqnvAp
zN7(LI@=~x-VEv~C5gkpz7`AICNzxc{*^>=H>N$+agXhAh%L(NxvL|_{VbJRCeL%&j
z2C4W&l6O0*h>qDp$7FW*x!VZz940uq4RTLt_A#;wk<?yWm!fFwY^z!5lAVBFKwt-?
zr%UUXy}d#zj#OOG(qRA3p&xeIM?_%h#i0q25Sldlp`Y98W%_9h#ZQE8coXb4S2#dp
z%%+;L(l<nc(_sYTQKp`ZQ@=v%9tdrf#Yb4BYNa}h*4x!U)uzoE)Bhk5Ol*09Rx_kX
zK3paJG^utdUWC|uC4$xklLVs_(vA9(BTX2VO^)-qZ;`*W7OVY{V94_dNXQJDQQ)q`
zg$O*A7IrBerD=bc0nZo{Qhn&OYe#5m!=Cv5drG00SM<ak#kz;|nr%1AGRWMfzQr+u
zmW!%e{;hALM&Scc(TLFW-mgnQh_pOrU)d}_J&?I`d#c!r%vUoVx}-`dO(TH(-waDW
zQHX0yKvC{DTb{qB<~RW%y55yNfq=cIdW(El20u+UOaEJPcqB-b?+5|{<bPVB;(u>w
zIr}n~cRGps<s%UOcZjO`y@hC8zmNZ;n?H{czEV2gF691|8+<PC)uz%o0c<slARhFu
zj-jdyHYzDyEn(f~!2dUud=8usCA1z_*!|bP^y5AZC&*lqs#)XUrj?77^5Hi?oPYS9
zZWmI$Dp3dff4M78BtGrz(-qEhm_Ji%9AO{y131E{kN<_+av}WyDB`?>^#J~j#uoVb
z<))w0<&@KO4~FW}?&iXJ^Yh9(kR<(zVmKBq2lN|_$NiD=;n+eJm)9+sCdBW_8Ta1n
zeE(=_)0O@<iz8vb?cAjV$GGvK4p{rjti6Nx!#52iaBH`Q_!Sm9lW;IPtaUAby12q=
zmglrwVJ&P@=YzfEqm7AXK8j)1@q^cW{L`uPkWkBBxeAMSdAf^NAGeDDioI{d+3(rG
z!JL5LbNf*t6z?L+>l5MB*t|EoA^~*3YQl$U$Bt^pQ-NPHS${tMh4nE~4oWegLn7t!
zsEoL@B;{HFT|lD0F-d4N_L6lzCe2iw^dee{5-!DwuoywPgL&I~`nI#8+>dfbOO)XG
zpB-#{YQ?`J?-|&WdNpx5?*IJZ*By9~Oo&zzJy=4pvTsSqx7r^6Vb;-?s7EaQGgwKU
zC4S>@w<{(bD+vsM1r0?hoBKz*fyc%-T#Gy@6!X_&!78`}Cud@*<_ycik_rDr1!2S-
zmV-TaPZ=M9UGRdRq(uVlj?uY`|71IV27FysC72{d`GWaqK0FAGi9oe){*Y`wDdBfH
z1^!F?SV0KGP&Tt!ffJZDQz?6REuE0Gg*1x=LZ6rz#6nOY>jN`eGo)Itl!fDJ*y_F$
zZalTi1+0XF$AA3ij<sdJ^P?aVh6#v&UBD;@?#_W%3=oPDgH&q#P@Y62dNq#f6RaN)
zPmT*Ho~*>*68HYZmXBet;9OQ;vSFa0em7HpXj`4m?-nCg!NHHhp^*!H^G`A5V<q|7
z_J#VmiN`-Elp`xHOEYP1Xj%%Z+r7*A<{&rYP%v4J6^Fd~P#L6JATYtGpiO|*KfAq>
zrV{^jO8Cr_yYmKp(h*Nffk09mszk0VQl;*<KG+;_AI4#sT5P&IZhibZZH#iFYPyrR
z!HWeFLGw%&K@gfl=nh93x>>-R@O2R#4HpY={0UqvMv*`6zxtOr5x>;5KxPJsp&1&g
zYZf%qsbs)YZRdE)gZ!o*G#>#;;?_Sor=z&CL4ef;czh`hQ9ckuJXc4dbTwSJJ0Cka
zb*EU{fA`E!x|AB%93?Qgb`Nr0_X{897RM-eVu2{E=N^D9EuD>QYiKLE5ultcSmCAF
z_}pwRMJUOxl<84u>Fw47*?gw{-$glp{m})fQ^ldFjJEP65G;$<qjM`2BkY0Ht8yX&
zQo>sDo^4B~A0a8!<Xt)WtG&;xTs1^&o4`6;qXrIYtYz>{;%zE1Q@k8p>8DaNzx_Uw
zy3M@qvtsw?6W60rK~~9W89|go5kKgP-%QLM8NM|lT`)fv(e=ZW)j>o{)M+OSrhL;&
zFv{VpK{lGJX)t<@S=w~kJf?o|NOStlS0RAdO4<leZZf)9QoTBLB{e;x8hVjGMe%`u
zFuoZ^*bwy@H>-$ygIT+`^4z6vqp8+=0>5mTjpJ>;UN@4OqKYyb+Oa1IW+T^jq~7&J
z6~XnyC(;(@<KRs>Xxg+Amjh~DJ5av}!?(mwDn^_N10X$vs=b%i4r;dcvoCj<SiKcu
zTFx0Eb6l~P!JFHJ&|6Bkjb&5ZPvlA4jURUXo~WXv&qN(Coez>j7y!xtF`fJ9A8BWM
z;F73O!(>~nuYaDw9j`Q>eFLCe8@^h3EXjUq@Y427PvmSm`+&jYmfVZsn6mI?k$y!Z
zFej23!^H2az|YO)-PJpdTUL@SfyXSBRZrO=z7}n%hv*m1RWG<No5K$$$7!n9(NN;S
ziE52OhASQk3U|pEDZqE}9maEvh&GSR4)_jDySO+0nq2&gS!=BN_w#_W#4}#o1903O
zV)nj!TI<!TLEMY9pRcNbfY0%q2_L*MwruDQv&4ZWv~3)F9XT=vgZt;RWvmFo{rJZ5
zCz_0eAqYq;R`<u+gr$$dhQKK_5I}otP2lZ!jCLfv#Y?<r4=*E1_e`2Nh#mtl8>wl_
z1~rB}zUZmzU!Qan{txIO`7VS*3K7w$VAu57am}s-T0Ad%?l20@gZE3FJuOYjip=Pw
z|7_x%Y4!AIS@^>@&XkQ0J{6?rqq{qmT*I#tR8bc#NH(c_C2Ko+z(IG|oz!_h7oLQP
zzGiA^uukY{RJT`FGi;{PkqXo&b`&cW^6pbsg#x4XQI*c#wuxS0Xkkr#tr)@-q`dQB
zTq!J(L|pe^Z`67m-EF)r(UI>hxyC9I(Bf{=FYH(e`1M{qK!sDLQiSjf!1_a;>qA{h
zB%=EvgAj#Mw88d{f%8kYeC3<kMoTo_qwzH7cys;U8^gw3^_k9vfHZZWM9&+CfP!e1
z!O@4^moUPKKQ`6b*)#aN)&KE);7dXFODci;)s7>Lbm45+6Wrgc-&c@d9a<jvj=oQ-
z2gm5s@MMaM%~cEkvT4;E>28Lt*VO`|4V}tsY{nvPSAi!%gKMkX>Op)2ONK3(77tW(
zXBd12k%l2zf^tQ)wQV_0Bgh6An5axfd^_s3pW_{mj-R|ZBg(dNW_Rb}mlOC1ys)hw
zGGA>h{8lCM=^0O3Bb01^93_~{vuHbyd&&j4ZG)d!%b1L5B=2E+{!HtnT;J0yYh{Lg
z{iV&M(e(WWU&7uaHh0!ji|4f5BoCHKrIlBfREj29AGrPx*~|jcv|>>E)V9B0rPo5D
z*N>$xi_~&h=6%F3u!E2K*v&$V<-NK;DJ4Ki-4Kj}cg1X!O~^z&NUKbaERvTwW5xC(
zW`W4I$&7P7P%0edvEwp}I4p!t#VDVtqpdBcW+&LG+l(3xO;ci-;WWFnJwAT+QZS5I
zU(II(Ov|s&KU?Kh-CDsF5$V&^C0fBs-?QtE8tPN`;i}X=W+O$?Y=VRg!m*;Bm=+{!
z6exM`&#`N!ao;T3;)%%XXJ((lr7a$<MW)&+(rXeehM%Xb&Z*yxoMRfwqCP!L&wo}%
zP*bgN@60L9dG;xZcFi|WjnU)JC?-rrG!n1gC5A~!+1u*K2Vof-j1LD_&a85C0^CCa
z)vQ00^a+wOa|Uwwq9k-kbx%R89Wt${zWne+Cuzt?DMwAOHVso9vFtH6mX~eVsT!MN
zmOcRA`tfy|nc<LtPO#IFyl-WhNjOLaL!H3Sm#pn+WKGnD{IDOTT)a5ODO!VCTeL$?
zn?ssfa}#-?IUh;TPv-~<lamx<nHDDwWjcaGq*a-9v6-$#Z`XM&@JXRu-?}_Y3vi8w
zbaYYTkt>?#h=JuK#M58DW{C_|^+_80p#>KKYbUgAUobDh+-e@iK0x-1Y6(2_mDo>X
z&JatJqL*z3$A~R-D2F)blG%ibFIG`)>}Bd(3so%wse$bmEO`w-W_7{q=Rd~SjTGI1
zil0e-SXznNpANH6g2+R;&?t1Haq4K{80GPR`%ffU97HwLjQ-O=2PVC2eKs+(()t_6
z6I-5)Iq-<@S8ku~on<(aRbnyrZ0>>Jsu!*ZV9J-k|6AWZi9D9p39A8c;9XY9-HmXT
zP?L`EKYToaZlMjgBJ5MC3y|ennGw6S^mZM;6KFT5U#1xcc^m85wfmns5YMe!?lgyW
z8g@F*9M2`WNBox_)e*7nxV?R~usLSatkS;4z0GE0i&h<dvX1UIR*%ON#^b9eT#vmf
z<BJK-up)z_`?tW=Y4)yk?^~SR^V(KHoq^}Q0)GaRc;z4*U29$iH?egI=fn`;rwOIl
zER(KbZU|22-S8<w1C1}$a^3l!hV<BrA*8XS;UxwfOKlH*%I76Gq16lmco;GWoy_q}
zOa!5VG4;aOEG8@Z^a669LRJS%ECpA|UNy|p{oAaQDTqumyz)|Z5tz59=s`Q!(vgw#
z3E>aEvxEb-(wSL=iU+tn(<>4Cd@ShudFi`nv?5WtpVHav1YlGuh_fw%eexE_Rknrk
z?%_kfDeTtIqS&xzm6tTK)OH&qrnseF#mgE7K{ag|>6|zk>v$JK-xVJ`7I@_!CBZTW
z-I?7-=}4AWM7JD$wG)E^o}AUy-O-W~+)Acj4IfL7k+$6t(RJZf5REw<+I>C5OpBs3
zMfqQ-M^t5U;$ZWvve@@_)*O*_$o+IZI%|P4xN+`IwYK6gx3WfdF&f9%qj-?1xbVz1
z${S;fUBGJPNwjkq_y|JXL8ZPRubnRRvFjAH`}~lqMIYHE{w)0T!i7veL;h27#Yt#9
zeu<LA$E_e1L+CFgLt)`*8`9&Yl*B#;6Xo|7A!^Eu%G(vm_r`>t)l8r3QnBT+LWhRa
z#8K>f^yx2m1cj{vMoS9_AyWF1IYyB0sFlc4CX6#<NuQkUqdxT1QszyQcdr)W;TBZ5
zI3R>uMwZS)zI<TO;S*p~$AS<6h~?ZJh(;d3tg~5YDp6uYKw@k)&y_@P3lKx|f=R1U
z9DISXb6;#!{@xuC8}2HPa`?p|JXDWKiC|DS*c4NuFMJya{oqB++oFN=!1(e%X<GkN
zFQ@|4PFg8vWcQ77_D%H*g&Mi`kc$n!c~w=D0PZ@9M}ie3k=kt+<AHxvAdE%W^c7kP
zYovH;TM<5>PU}A*6T?--zI46{MJAn7?!fe#!7b89F|GENk?1qp_)PCgJ9)t7b^oO&
zK)8~Ula|bAJ8vFD8?B*v%huz7IgJNVAzkH^oOIE_s-a7-I5&ZNU|)faVws_{Np?}G
zV}GP7kla#eb!@~~(pZOIyC75UG8kC_P<Z-vjMX64NqO`7`S_evnl{V~rFwNeX<|&v
zK=UQ9e`m&N<BSM9G!cbOS8q0^&0~6CZ>zj%!0qim7N<u1M}M;82c*<KRVmcW!_MKV
z5?Z@$a>OzinjcOF=tp!1`<uB-+|G*PEJ#K~nz6)GF1~s{7gd&H*sYI8^YqN>7`A%m
z<CxqGNY94HPzKW4qP{8Isc>m1*NFF+6uBxPdC}B&C=VZo+-f>tT4$_a7akg|i<<qq
z2`L};AFh{mK;CXCI;$2_t1rPCx6*?XWKN;ihnNtA>3^%_Z_nVfkq=lvWjsLYA68%^
zk!=k!mY`KcM(X~N5M%iu(t9jS<;ZkGT~5zEU!r5bA;Rfvq|}^D?42^29&g2q>zNyf
z4po)Zmue0`;ZV>r@@m^P`AiawYy*hL7bclpdq}u@c1M*)SZ|7lv(gFdJ?Ty?05KjP
zVmOtxS@5&0Cw_=b;vSe1Np`l7k$?!(w*<or8ygz9vPexD)`#4m>Y`4S4dtN7E7;^B
z8_%y?4Di}YG^ec~Lx2^w7`|1#-<7bZwrm4fEmI83X1SsbL&*qp=Zej%Hiwu?p#rO(
z<r3RiUlu7TxXa03XmZS*Pd0q(9RY|q<%ueK(f~B_h|(>{^Ak#z#B|g~uf{6oU`Or5
zZPeM}3C%8hecBdX&JtQWH`U^5QiVLID$?y@%NHN&XExPoO34l#Mk|&%JJ}InZuX@F
z6=yGDb6Aru6zkYeFTHv!k3@9ADk=~Ny2SsMhqU|`r=vXl`6PSzA*?jbkNdTS0~1cU
zm6D8(*wYmXZKtnUDZ6hK{OxB5SN;4zID{TSc>7-MdYsdt>b_v(nDGcj;Zqm@g=P(3
z2&<WU(TF{WJ59?uaacc8_D4yo+^u46T*{SlrJlSl!$D62KMVqlutl7Vs;X1qxAKW|
zUG`>Xad{o!)iV#Gu)sJ9ol}-^=cUOI2U}<ArKURLOLhxLfMNl(Bz1Z3w`S~2_3B^8
z!LAV$Vskzb(pJompmg{cY9cAi5poY*u18t>z|p7ps&eMy9&=FlgUAM8!rFf%X1J5_
z$#2+fzuesDw5by>rA*Yr>1LNq;_v0vwm|K|D4}Joi$EkQ{n1QG^iV@?(PLcuuxdM4
zG_PGB=`2^%Yutj%o#hSayYQAkO;y>)fmyqb{5WbOw2YUN(oS-_eCR((l=HeSDIzm#
z1qtWJ8BM9y(mKp^5H>uI+AFErn4hM}j_2s(&00HxQ2XbBV;*(UqiWBXfvt9p+t&;<
z0y%C-?2X%@$v8SA%&TybiBglsP>jf-f3ML(%P2W0IdeC3(3BFic?O{vT741I@95Xm
zYR~33`&)`oB#2uWrD3gV-~u%gl7V^nYX4k_KP)N>9W6V;Fhc;z^SY&-geghVq<-(*
zxz}L~G-}0g(=$Ovd9QA1(7kz*+!V%%V50P3dI%|ER?8`N>nsV^wYXZ`W=-<pT@e>5
zgCc-wS^zz#cYl0|nm?+AW4yWjm*AUpUm~`($Q|Z`hfjPXKm|orH!aWzMfYhwr=Z1w
ziV#=R@?cMMUf36{A<=~`cIKF97)#&6v85_0{3XlHCCceSkD6u`GL4kT_07hG*W!t$
z!o}>=?(wr5G#(?VIm2eA47v$-K{PbPxq;Qh{Mx6YiQM}ahfCQTzH$G{WqoTz+@~pl
z-$*e68c%jO`jkXN9%sk`00V)`Qmd-zV&b7poJJn*!lICtA=cuZZ8EaUw!Xj|UQnnJ
zLR431jxE<XnD~MC2^0!yK8>+gsUmNf-Z7zO1;#PulT|>pqsU{nWYRrVOFuL<t#m6@
zU#<KAN9lX0gjJ4QzHwN8gTrh98ZEFuBG89({5qcyJ2XbAcT8{A>_JDENc!kyS4l3i
zo?N`x5IFg>AIo4@M1dAZLAdzf$j&O|7=NPMN<3)@oa6yj-Hw#uLvIG=6na_oj)B6;
z!3g{50>75hR~j}am)@)6XrrjO&>cs$lq56s`sP0U+>s%=>5Gg+(+h0FsgK7i*rblB
zaUHc;^eg3?j(%%9OiU@UYo?ei$e&7TfUn|vTz?&(wdRfyC1tPp*&`G3-<gjp(g_PC
zf(HKBgH`QCZAzEy(O3}7e%yilMcGXFJk;CUBQmHPjlhT9${{kQ!l;%PNWrzLjgYd%
zWqZhL_B^xm-l^kF(3W|b+lJb&_cyHx!VK1oyJZykOe8_%AMCb_m}1wfl*PoYt>k+0
z@LJA^o5Bm8qffhbH@8hu2Gh}WA%iPweTVngOo+WB9&@^MmR3=a+H$(0#~6;(PEM2-
ziHDok6Q$GM4_9Gx7Gv&5b<B7*dW~tRlbq?s#h}X!B1@-%LAXS|+o}+~s!^+1M)gN)
z9D^6(>k{lr>*;t8J3KzXLk5i$Ks_8za=OA}1!Ylc+o2&C8RR&L0?^jc!@I1WSyj{a
z6(o_vFg~g-sr8j>5G6|PCPn)qv1JKs%otJJExn5VfG(SAn3z*Qos~!3K^jG{cbK!i
zLIFo7toS&5m%MrHIR{<@V%kx+V3eG5;>Ef!J3F+^HzZApH8mxmr&D4dpYD!mv}1KP
zLE93I`U0QZ<tvm7=---F2>!%wN$@-~qp_m!+)T%ST@$~lbQ@}GuK)?Ybi;TQkXK#M
z_^4L2t`Y_*!c|#oKha)Vg#IIQ>qrV^GAZ4*4q?<rU|pcuh61&cyNrvTf|CiS>ewN}
zu0^H2cbNC4;fvw-^F(1@YT~FxgGtu7Mu3^`y`jx2YCbZnz+DO2HRf>kz`e~dy-VV?
z!%naGx*FmzY;UrATERYMej6C&YRPNbq7!%MwTuuOvM`Z$)qW|Fae~}l2HVdBJxi`@
z11a7Qs#^I-qq#DV&654sy~s{qALPpMz6f-JJAB@5yGkedw92m#(3{5yM_*d{F=pJ(
z)n<r{$3m=}qq0||nQ&ahYamFBYF51zxI)w1k%i<+%(=o6@xY{L1Jb~?Jlb=EZN98Y
zO$KtY$EAssjYaf0$+ovItlY=XQmmA$6%#r;6uThXZUi~sjFq3JXZBLWz@2w939~nK
z>$~l&bf(BB$iLfv_^Bf$0!NO&68Zf<XiIYn!0p|B0b;-@l*BZ;nHEb@ij??U6B}oU
z>r52G>g6C)j9)lh1ra@F^USPyp%oGC5XeV{V1kXf{JTE0Y2gf5?%!Tp4RAh`LmKV~
zXWtLtLIHgCedz~X=1D~h{s_M=9Slf3WV%q=xHWC#?<{06<;Nlc`CbTvf5{{k1jnzG
zgF7H^g7|YLu{_CF)$F28fBJt(1txe;DvgfxP5YNrV8DASa41sWzoY^Oy{7^TazI-D
zOSnV{f)6E>QU)FP&%If21wNGgKVSU^0C@?U9`wKDL4&{NLFeWEB>k5>=!6eS|3BaS
z7&<-b|H*NVpHrgFN~q^rc%ZRRKbxmSd6ULu;fmQ=pZa<H(ZO9U-+^70MD;|`WRe#q
zxNy2PQ4gfTDNa!}%4P8L5$Q<))^FEO^Da`Ts}r6XrYki${?W1ZM_8>B{X?64C=jTq
zDvo*?mnHv)WNc~i*g8ZjAjx!c`T57gdT+5q-W4vaC?2PynwrsgU3?&}wa^m&3xn0X
zl<pcj>t&#p$Z19A6*w6!kGsWf{9((L?^Pc2j!r!=qsffCM4NF$T=cF>>9n)i$1748
z5CHNn>mIY;k9sxrJG;qP`oSEm^F;IefU+SFtm0QdK^2-OMvJBxGQX*MN=g8Q4}gNo
z7;SQ!<9gZs4vQBesgb#N1s>9$%6#Q=;y8y%n@)OjtB|T8o`~C9TGzhD|ATbbW}!t{
zStxy$Bw3Av)2ksEi$spi7hns424o&4{_)sD->)^sq0K_5iQ`w3-tINjEQ#>F3|Ai0
z$g?#aMw==v`ltyt9TUTV5vwj9#~(qr6uCcSC}1BppqSZ@(SgPCR-{&Q7==4g%FUpi
z>S!KS7(Ok4FD4>kwrH0f$ZubI#WPE=Ks!n!Lk^I}yl~ZLptame1huEBt^9xjl>z&$
zS&{f(-8!(f?*=^o>cuh9CU{2OLbBJPk-3caC`D0gs^zC_x?WrNohUy@0I#SJ+-M~0
zyr$sLxwGdGQ7XfX+*7XB;Q7vTyhE_F{cLen&xO}@>?hWn1U;5@7e+7Mh0yIFQU1~X
zfxroag|SfC16+sV(A!<rCL|}lQikZTNEKX1Z4}Tv^${4Z1L<|bz0De*qQh7^{cZeZ
z2u5zY?3m;cI;-6mbQpX64c?e4y`kjNpPo3lUg>%iSeAX&g;-gKY65$gr`mPaji2pj
zaP9P@d6cvt{XMPcZKs*!MYQ&jw+?RS;n1!G(s=Z{0j1W)cH!FJC#Zi@PY<BHt5P;9
z=JO<R`IyNz_%*W!i_X{jm22OUHi9sLzy~A%2YuS+)K}+<9BWfI#pJLO{9w$`N0Lg(
zb2*#Omi&{j0!xY8<(Vh|WIVu;yl3KlZd;H>seqew=o5aeC8+Y5-)A;U0D*Y^wbH4%
zs>IKlNSQ6Dl%&gQ^H%wI`Y8C-=-oOJ&%zQV&0R$h(m3osqp~Vk)1D$_158|di#FAT
z)Kxizp!Qy=jnG(QX{Arxqb3i?aregi68VTKwF_~)<iB^0!bc3AY!k3VDph(jsM%4$
za2QGmQ1WmoZ_D2m282vs)!wvP=kJCy9`okE`KMi?Y}40n#xS|c^OsoDm6up?(y&}z
zq97+T9uUh?ofjrO2x4`sv}q$ty|+MsrXm{8(nk8CwZh9Y>y4&yMS|UNtch60o#WNz
zkw_?!{;JxsA=Qq<nn?4VL$v{7o>4^tD$PAKdc~a>A|%g)xZAI>-7qBS<ixKMbx!Ol
zvVtJ3Q(ki`k$Zl@PH<{U{N|N3e-Q?24povfDT)vYGp;@_9Q#M=ja&-S08049$=c<m
zG$V;03Ki|r)VBnhMfnZp^r@G&Xmw}Cu=W=J%imQW$Y((*;JwYsb;#C990=>wNq$Xj
zzH5AQaMc0PjZ+4^Lx<iA*+{$^yMA(9zw~uXO^w9snc3ZTOzQVzH8p|+(S7iT1EqU(
zUXp|v+-<r&>6`i<RuaKPGqFk0o;zpp$n9<UREnv0M;nE(f=(5WmRiHdsmfBTFrgF!
ziCiJOP;8C3IH#9B)WdSQf`WN$K6D7D7gfuKi<P@~#x8_N)Qm%GdTa_aYz!b0^J-g#
zN}bD)?@<&zBEFbf9{A$alT)i&9UYwFiiQF?{H$ogUB{n>JZ2f(>Z)fnFiY*c0UG+d
zwN*t3mIegZJI{PhaYNkwz8;k8V5_KknqvOA#a<#v2@Hb^abNsXp@!Jv5b21<H;|YI
zFlz_c7pqUyTbi^BG5^L{nEmdzn-0rIeO9wASv5#tX&>ye^6$1sd)P*xIHiISRchww
zUnMny1)h@JYe8SD6I%io{F;_W?}7fgS(L$1E%i3l+$f$@+DmV%i%Y;a;Pt(!m!=*;
z#a=)?d!gF#7()E-V`rn0g0%o*5tRouk%gQd<+P3WiY!-~qMO$rXhd|XibJ<=Pf~@n
z46}VCnXHSza1z_i;1vZZ1B=Zvh4|Ks2(%YwW?RwjsZTJsY3OcTs;E~XN8R=zTidEZ
z?RHAPOhoIbs_n|P4!i2<<(Hb+fyr+={$>~SK=c(+5YakSor0ShhE)ry?G+PdV`)RU
zt%u^6_<k+ob6y4Y7OK<mH-C<Wt{k})Bw1)Bbqtvs!gzyWD|<4-7F@3plTu>QvWE(o
z6iDY#BPtbXsHV`y(7^<zJvNb;D68dFp~a#CX~_jb(Ehn5H78n))4fqzEJ{>za4gDf
zzj0&|#L-oLzrdo;h8eh$b(@~r`yRH8VXN#B3criEJy3NqBmzn6Ib%(5;84OLVshS~
z!$H~=ki&PG=|_`L->JM_<=o(uSQVA(^omhC6eMJ7YNkpGiv>CKq9NE3#oD2&Yg&MC
z*l4pBrOKn(p{aqJ*)qS)0i%tV=x!JcOezhhz_3Ew4<pBfxa>m1<{WkrV7y}f{3A5T
zj|`EgkEccuy(FHZNg6b19K)WQ=84V{OU)4)sAz85r~QGUOja!8A8>dUq#z0z(K<}k
z&$1GBNJ)$6RrOFPXMebE7^8CD!a@E)hLM8h0l_pg>SF8FCWj~(1(Vd|(=1TK>7upI
z6M2;Sp?Hs^XK>Na%mf5|J3sXbg0neDA@3#kAu)~87++Iyh8W8&*_<k)k2orIHwzXy
z5PaM?-%G<GTJt8wBJvlh8^fY2TlBh->f~J|vtp0ijgH!T_WEexq;G6eV`Ui!9Jiw<
zbw}^wJQ9^De2KVuKO3c0u%?tsk_!sT?$Bt7q3*{LI)pQm@+^A!@sn-}P2CJmXF|$J
z%dNZkheVBVSBGURouqYAX6<t(EvB^7m=wQM*fMl`6d@nU7tKL-Efze)_64{yO(u|k
zxX}A<%+I%&79L?pGtRWUDkZl`sjaiws10?Xue~5=#~jvten=0~peXy({Wpmv0U66)
zp6Rz$EY=r5`IzmKDnjHTqSL0PuXQt^L3v6la|cz3svs}~OJ(p%Y$<6oqyi7m07+pp
zFBzIJr8Fj|(+rVKw^185^`-q9Wxg`NKG?`HLkI<xcU4Z4TdFrXC?Bc&RuD8l>j;6u
zBROl9U@t||P>(%nkVBV!wlnlldE`o35n2`bt*6qlw=2P3PQ5NByAZjp2UH{*EC4r~
za}et(>@$YZM+EnE`<i{v++LwOp}-u_gS}Y#@8LGXdLI@Sf8iNSF?(0uAxxuW3Xul=
zBV?jO1Y>I#47+4BSQY$bwX!i#@%7$wCm8A9a-+x*g6#n067d|1;ol&g?4?as+c*)j
z<5ugYZ#bF{Pj%NMmcqU_lBb4#bN+k2>;Ir!exT|W-!eZ{TQ@N9svFTu6z*Lo2b`i$
zg-ZxkGNvdV2^EFIDv5zk_rLtGsKjE}C!jy{R@DB5#xEtHcQU{SV(}=<5>!+3`g8I`
z*<2@wJCk-sHla56F-2?+>Q4AbO-52^xBCuvMkYOeyGlEdD&I0JM>Wd|{An`YoMfj5
z(=pOp?K)qntcf6alGf=(|EQMV6RcX`ez_{Eg>*k5{_Lta;(RQ_KjN4xg7~wm^Z&-@
ziv+a#F`554be>O^aH7q<_p&~XGA)v^a2e}%9&l!3?y~;%wjcv5bp3ugu|^`OHu4Nk
z`Pjz62A$;B+H-`zjmOFIV9;n(0srn5F@i*T%U^cBwYfT+2(wDJFvKv~=rq{=2zBX{
z!pvHH9b9+LY`U)LfqE2MTI%rbw=e?pLg!+8@Kwy}xYYcap_^qFXVYT&wXDqkv5`~9
z!}!OWmw~&x`EK-<4jz|t-HoY(<bLIaoRjcQ<PdN_n2x<!TYW^bPh{X%zIjBxGP(In
z5v$*1gb}=M)*IQ9n8*axFe;KP&qmWjz*|7X7?uo$#O9^mc2IEKx_Fmg=rOnaadoq^
z;)~bCp)O-c7#_UnrUHW~%%R2V_U%i;Q6nx%ckP~xq{Z9*PS76Rvy;y`tM{O<k??qD
zjidr#{5v=u|2GY!U!GriE7;gSPy72K!Gva~*->^=H9LDTa1*ed=aWK6q0Ra|!QxdW
z^!8I~BMNt2)0Zs%a&~Q<hTKf(QSEqM>nb%!jy0vu&Vwdv1WZ5-i|3caSWa(7B8TrG
z9b3E4PK%u{kLKzzXB&lC9$t%aKK<5`B*c2hqbcGnLsN?c{_6brpWc%pePo1?{wX{7
zEg(x+JgW-MO>feTk0PPw&=Kf4Z;N+1Bdxd(ie4g1!31sxh3$ItiPB);?3%lsHp+7|
zzWt3E_=Ubc%?>qxjV`#Mdh2{tIkSXlU0Q28nvH$@h-CcCKvdC@7d<GoowM!FhRAEU
zT~s&O5#zTEHyg*lMV1c}Y5k-N1H$(eiBFpV8sv8eoZDwBtMYLxb+x?Ei_Oh+UbG%Y
z6xLH2&}^}{mfBtDh0n`!_GYgG@KnsolcY0UdAx1q6dzg`rZuGSPQ5GpvU|hblf+83
zH+O-t#VB&iefjV@$3MSr*H1^P&FN*?cVFERGbpa2ossDAv9zMy?hb2M$E~&EP1<F}
z)^&L;>9yvjbj~X&s@2|h6>J%{aK){^J}I`ZoUY>*&c1s^4T*NA@aH=RL;F`V4J56w
zs!zWgr#Of@K-sh38?S{a(kEzqE15LEi2K<%x)Jd(UhPJ&#n|tWiu2<-mroi&7awwM
z8sDCBqt3)Gc;9TMMaAa4ao|vS8Qz$cBiuCY_okts7{nGCqj<C&9DY7LiLzR|<>@-T
zEU1N@UQN!3_=)BbPrr44{H284K&t$x+=*2n|6CAvCZGFDAWG*}EIff<4IUNsdQ<8f
z3J*^<uXxkLMZb+Cq22sAoTW0a&Wm?3vCzOpV!^GyBx0a(xGbBzj-rb6o3GOiP2oUs
z!{bt_=MdS_`m2qZefB*9#@+7viT80#zjp$rsMukp7o+=%uzxy-*E4cRCwXSwtjZ}k
z;#7mhjqd{#o|mzPV3bMNr}x3<UsbcM=SghA|7p_3FnzYbs3`q78&Az6qn6baJg286
zcNy~oY414h`+P;SY~CKGo)w32>9E+};5s{*<-_017S!**GvcxJq6DNmIlX#6d)1^?
z7rEZmfO=C$c0N56UM(1#^dD(!Rh?J%_ph<j5HWHaeNG5d_YD|tQ|3M0Ktq!j<FU|`
zqko@6*#p^Y+?fOT&B8(W-0P*V%49zA;?X2C2sQ2>-T&}>8vMFJF^H<+(;L;|db*<a
z`Va+@IN9Efo5CJS%RBt@DVV}NG=Iz^{e<H7c}n!TZUM*4JoWIl;6zxsH=?*RGc7~p
z9@fZeeQw%uCdj2-t<KHU;EhRVX~4f>t8jCwuK<6;kr*e`f$w|b2PFb%_}>)<3~01I
z0mX`#hKMBd)7e1eJ;J=yoAB7RM!(VHlt>|I%`>k!k!azxXODu&6nF2Vc6_45TLue<
z0XCJh0VI`e+v9966doP7fXwW()2oejE@wQ=GGN`K=#>qFey5=<yO2k--Aw1IahB8h
zBua94Y@$?Y|9y&@Dg0MTWSG#Z-<odIOMPoE-du%K9~ihe@S_$8xQ?)4Z>o%e7L&lR
z%))N5dAq+=H2hA|QOa0j@BR8Yg5VLL?hY`zDJDp1+#P)x9Tg86M&)hKIX@8u?px*J
z83c^duRxe$f;)ct^`K?&qp<w*EyZ^R$F5weF<%a8DkWQI(*N24IDz4^soUs&j9Ob>
zL}hjJolUKDzKQSXu0cbw_S%Y~dw$($R`l>Q%RK1&`PfJ$3p3heb}u~0y2j1xA|?qi
z8ZC~wdo?ec9jaf*4p01L#PL4>_ATW^Gk#O{QHXSoe71!(Y|Z-TjF;`$gWA55hivBY
z<tSxj8rSVbny1w62zFd*joYLlMF>_YywYP?8^j3nA=J00rJ7W~R@P^ui%ni`$Fs7s
zWp74@SG+9kizOYEHf1li(?>P-6s91#tC+_=r04D2o1m!Fx<cznxKkg#@n0({GPy=-
z`)8i2PX#gGmTM9Gbep%z#+Kw77oWmevV%>ZFaekhvl3uBV($(B>Y|JTsXSNj@KD&^
zZ2ffPeQ$H6a>m0<T&dglg`U&#DP+ssU(Vfgry^r{O|AZ>=O?kki&<4czW3om+F9Gy
zt_5Op%rApKiX(YzrTQ?jLYB4eMCdeR)fmCi@{ke$N3-5gi7_Ro0{d}hmI_?g<WYNa
z)Rg%5{vZ?2UK`%->Z@iv*2iUNxWnRG;=W6FHm=tjIjiRQ2v0ppZ`(Q5(nmV3M-ezd
z3;m9*)xw~){bo;djVBrp+ud)jVmj`J-2qXr3<u<^^OlB(Rrj}kX^C`dEhpp{sfSn|
zbuEYBwT$>TV-KAv?pswIOcXba-uFken5<0pyHlcjfxQ&6FamnNjt=6z1vl#NF!2-6
z$qm-)J>SNU<NlXL8n7)gX>6P^tkpG5#pc?}0Xt`rm7g==7Z{fP)w@IWo$kAS_u`Dk
zZ-;@ChYeQ*Y5j1gEAndc7%QSG{x>ICT$Eb{;s!Pn?P5Ac8lFbn7&}-iO=cI2oSP0N
zBON!XG3xmz>&lj2tdLSP&!L3Vy54O&&O7bgjiCJ7OP&Z`$BI{G!;X>_AA77Gm@V1!
zsGnP<iV0#WN%t-wXpRi2|I$%}6lj1Yg8%>DH2?p*?&|u=C?%>qR2GzP8o0;DkyZ=m
zLUS_-DC*1+8n~&CJ&%1wD$8|il`MzZFw*jkuzr6&?NGjv5`i+b>8p85O)Z{r(PSwk
z#E>3u$4FhJ3pe@b84&HL7R&@T?y43KgYQ{urGey_P=DMD1&F>n%2Y6kw3pA2;IWM!
zE<uOyhc{NVaE^_EbhPum-O2;(t&E>^QojGv^1WRU<?t|5I-SSH-d;r|^zqNf{T=w%
zfnt`~&fz9T40PuI2$m=R=Bd#fi<+sXDkzqcRW7}C;P2=f;5%F}rmie*b#Saf{Audx
z8?~(g09-tb%aJzp&k>TZ@3o!SFpApGX$AhuiIXebd8P#=yG6&8iBG_}sFaf9K)IpD
zl(Eu%*pFEjkO~lkuvL|rshPwE?OCKOmnwTyr3=bQmG7N_4KOWF{ggo&In8OV@kg}&
zD62Ar9{|BYx76ghgMr$~iRd{ammFaB;uk<PVq~hy0+*!4uE7j@uEXL=noTq&vxg5D
z1Xtp5Xz~QbhN1y;r383AN}_|)nUp#b&rm}g#b<h`e-_SP&VkT<qTZrIcWg8VF2mmB
z%#0D0KljhDMv<0s)l=?3^qg%wB+tAGo;r8#D*|rsm_abiFri)w?0<<vIsMXw)I$r1
z!Hj4M{-fbBk{?qNnYsfmbYZ7zImWP;3veCsg5f5_Fp@;fvn7;0KrtSQ40#YGjATac
zWiY*e9tQ9|<(JYE%>w*~xtUbzF2;2P!~hww&Z(7qIY83Vy0_E@68L0eW<+)MW{JY9
z@pdI(>wi|6uNuFWhfa~IBsL0MZs<4nGCDY;Yu=nMnW$<>xSPm1<nzameP1N`bscm_
zrQDkxSf&&3tB%xlH6t&sEF>v#%Hm;^4TQ^%O8DL2fBeeGUwRtrs?t$uI9MYwJ@D<x
zS2|;snVz48r|etlg6-FTYfQw4LP%_O2_;z@hPDs#?R}uZC@tZV^GyO(0N3;n6)20#
zOESqgLD2<%20ZX`$J>T<Aj7mscuJXnP#XLAK7v88o|l7U-fvIq^W_?%Z%MCdUQ_&O
z*0Ot@(-xiUD%4pCJL@@yo=&bpwxN>4<ez}(1wWL)pGhQsCXZG;oJW)yr<Q`S)O_)6
z0C@DJGlTl?q!?oqCq?I%?wR=ae~=VvmlxwjUfkE^p_Zb8eu}Pl5_sq<EQkso!5;gq
zm}=k`FmW;`<2^h&io)fVfSG*De^chkTNklj+DWn8+C8@17#%)e=0fr;;HlPLT~yO&
za#-tXE6GtAJrdC5_^OXT0R^7!usf2HY)RVAcW-eu50Zm9>A)g3S(KlWj}#EdRDSow
zDh=U}Qd+x#a`+D%608TLbnSY#>SC3b)zs9aVbh-QT8RX5`-=GOiKmtG(vkN&Sd#Q=
z49?@n%#O_jX$7y$!Yn$9g14;JDvwM$%VgRH)t|If7H-sSlr2P|3iv<ye!VM==!8<;
zl!LHhK#>bKGI*&VfFcb?jP(EBIXdb2xc6&q_7A=KIg%tz2CwJ)0sJbwPK&ciGY(&Z
zSFb!qsm6#*jUzZua!)5hYEV)6PzS@W!}>AI&?Y{7vPAIHR0AcU##5j=!+xusiVS<8
z@9nAuuZbj$>)zY9nAT&?`kDIYfn~Qpv0~%?!<0F)0x>y6=MoEf7W5L1(9bj(*%4f<
zllVXEBN&cpXm!NA(u@!(eb9eXPL!AsBYbU+?#Q(puG!(29Sm&2vbqNbGD&)W53-L2
z%&8t8j_p}zGygLEW)kF12(r3$-^My6uCtO5DneGvAZ)?@0SQpSo95kCl8~F2%DoH7
zuctk$x+JHv4qv1{b->_RQB`oGLrqM6f@hNi(RT)2RND+O|ED$hW`aacM`vSY<uo10
z@AqldewfBuB5>%ONietOO5$)znVb32sX-yU0=9M_wPYJ*sPqmk3VLKPz7U3?oHUm+
zX>?ABtkwdxbiA$ZqY?ivkiv%&n!hHb@ta}H1=%OPK9yeadOE3qx}u(>p1!J5DXhpZ
znYbnvXbKkG?ut$YsAu^uIa#&gOUu{kBi|lge1ge$NAXG4;-4#ZLx=$Vr`($&ptIS2
zlT<vFtWlcavM_Jf%i7Nyq<ilc{~E;NuM)(}^vP8Q&@zcWOx1%_PN}9m>P<zZ`53DI
z%d#@OV+`8gZDSY6e#_@1wv~iD0$wHybBtjW8f)UpS^j|R{6&6#bP4Mf1pEgJ)dsUw
zgdvvl0u36S1UhL|=`FvSXN@}KnVA}G88>~;+~M17bnqUYUvFIXdcP^bKkZQy8DC?%
zi`qgnu@-(o8K$D37d5oW2!%<PoL#^r_lvBcSd3(lYPGJKc*$G!;9$0*=^CNYbmjz}
zPIDmeJFW7S(%<I~uLUVzede~Iv{E&(;4oXM026HR5WO`qZV5<;#@KKPjrKPke$r7&
zt>#=d&&@CUJm{17Ki|!%OS&B7ZwVGKK1UU;r)^hbwPv(0iHQgLxU|aA%;j_?SF*)v
z6lM5F`egDr;Mdge!()`ae`x%MnH+)a?Cjny>E85F=!JL-*QXdVPJ{X(e?9Q5(iF)&
zRx%F;h8Htx`kySK66LT#+@L-lORa0TVV?X}kXH!;d$F}YnOk07?$}SCs-0Sa>7dQF
zD+e>mi?fuXt*x*cmpQ>bJOeW82*=?4ZAdfKT7iWu&TGV_39iQKtQ#W$lZA`Ewn{`D
zSeoU!t4^qrNe&l8KkC;jxNxLc_ZvOY!uXN&F*<)J@ro9%01~iwB&#POx2j2lC2yc8
zsF35pL!5+?gARTT`@VNk-rR&gKi=QSzP1UVBm94cM){~q1RU)SX5MG&?2YAH=(jT9
z@s!e9xPF$(vp0H&o~tSF9)C=(**65LE`oGosL8bHF!PkhATXk0VY+#4_y+pNr6Bx5
z)W`%)nI7t!*WbI^Rst4+tI1plJ;45eqaxqYx4bX+mB;$CYe(h*d)psjcrdJwb`B(H
zl5~dANM5)7(FELVr%?jOHyEr;-5s@1LglaC!{O)N=S<w$NO-Z8-3sQ=FCpxnE6(YD
z0iip!zjO(+s6IMQ!YMGYN?-BChf+Wyu?lF2qNYutZ7_9ww@2zUl}-+YTRt4i!$A^g
z=g;-rK74d?0m-H{d2HO?qkZftl>D?u)c8ITrNarG`HQ_!0-@r`_9@=KUV1>;_vi45
z!lz<pZzr$)9>7E1M5W}m6u1gsVsw5s0~XpYy>Oo(kY%rc6F;Am&DP<E7>xyS;VhE@
z!g7Mr%ThBz5ClpGTqmNRvSh?A1huHi>C_k^QWq&|$%vn7%r^@bA3<h^)NV%$i_m5s
z*sJY#L*}*%GV+<Pj}Ko43}+zX&`JLQ)$j>{sw*HTClVHg`6+|J&Bc1{F*)OKz{7<6
z4M(ym11n2Rt9j1*RpdT%i}%+zMIQ+1#gLm_=J+Zp)Z_|K0h;ZN^`zGnvY{_VO<JU+
ze`4SkZhi5m4tDh}YN{>x3SxZ33R_AE39mIRHnok`1a5@zgSb4+-0;(ExawlHjaRqm
zvhM*>KUGgMnQXxRq?Cxy_o)vI80^kGkbjccB!u@VdcrHz<X4lySoA?MTZt$nJu1;j
zX1XIc8M=CQs_O*B>|2Nt+%fJ^{A3citdpXLhgb=|9`2Rb&+hdLgg4JU2T}C12Y?q2
zW;Ip^sAj0{F2y3b%R2YVaI7FBFyaFrkE<kOFes?`Qd;(i{Gm-gK*<}u19Z%pHW56g
zt>L<dKuN<%{Crw+ik|PmHf9Id9~FcPh`tok$}NyKM4z6s?>@e-<(twef&USwk&)g8
zsZkz}T(GmB%?!N3{{U-b`@ELW`vOBTWit|^?Yy|na{j^&L)1%BaYcTIl!7`2Y}<Iw
zA4OIabBv_h0b2G&ReIhylRzHVMkqKEA2ugEv^z-gwcK`REdNjS)<3O5FNi(>r36C3
zO1Lpx5_DJyUbq>)mY?daz+yDremyUu3g(L$m#TEF!nBm2@s`BU-jW||*g#W25jJhy
zJ=080I4><+&~B;4PW;Fm?j?D18BXsXl_EzBUm1`+)3&0N%C|(=4l7NWm+#B+n!D9(
zQ-qms6vFZ<n0d?|ii63rllRk6BHw=kS)lF#%5@@|2TFkq0ABlN6M_&700if)-XO24
zg$JIX`xAI#ehW@sOz%kwX@;JPNvqZ{?Q_1IqLD?a)ePIEbU}`rVVb^VHH%1ztD%Ye
zNYA;r*oQ4{{cRFtSqXiroX5cdbLh{(E)1V!Kma;_OD#HDpd)8LnRI3v)jDjM@98B^
zz262+$n+Hr1NZdm#4mqzH{B{#?Hg6q2niMo@>Kcst_)IARl-An^uC}UX;b*l0?TQp
zF?$}vCH1YS;&Jknz02Z)knkTjm?4f|03Z-X&(Rp0W@3FkuQ*S+0`gK|QY8EEZsm69
zCT&#kFz&+HJ)m4OKJ;7{fErD4iN;DKgKk~2n(G-8TvVpUQDjDEo{_Z_#JtC`wG`4@
zCx$uLT6Qh;v=eZ}h@JOg?`oMoR_Jvv>Fd$4R5Yp4?1w=!jRE~pg5iBsRRYM<f8m{p
zSt+TTiFnM+Cu53>AO``u;sUG%n;8q*7+>kkTV&}nK~#Sv^(TvW%E4;Qa;@Z3uRv;a
z{gNzdqK$`ni<$hwy=&<(9#L3*;0Ucmu3AL+^6b^E#BJ65VIfq9awSC(6!3e1JmH1H
zc)hu$=TfRRaGW}$i8NiPxVVEwA(icqt!lqH{KuyltA;Mkko+pL{<*psYFfp`+Fcjt
zkN@8S;@Vd=y8<+H>0g*1(f6E7q8135f62Lwf6uvOkW2ozgj4<xt^saBtUtv6%<%*>
zeC&Y~#vmW@`Im{B?=+jJBT_oZpMO93FHnYT^zAd)pD8VF-(P40cT(CG@y~2oj?^!&
zC*G$E`(K9ifxlyo|EH@j5|IA{>F_UTgXle56k!#F?9Yq<{t(Ew|DSIDXF8+Fn9!mj
zE2B!aM`EYYnc`{Jr7MplE0u~d4LMThs78yMSD%^%pgWMv7<F#Hr19>p%+*|_dI74#
z_dC=yVtziii*lnSbvn==?;bx9Kmd>xAJ;)jPRBlt_*qjd843|&iuBIjX(1CY`b0P|
z)L$M3y^pAqmPLGuUs6jmewL&9ZcdPzZm5v@g}t7TG++iZ-B2g!8o!-a=q3w&*@%5j
zN+IkAK7qm=^sQBzF7KQZjM8y(y34v+8!^2Tm;=9TjamCTUQuil>fs~2xFEv3u6qx3
zP~0C5Nmu-9A7t<L#h}C8YOKS0ZR<`1=k*xj<B8uHHmvum+~c<mqzxr&tI3v6lS>^Y
z4*NlLo`jV?o>�cajCu-G%g9QSrD_%ko@xmv7K_a~_E^Xnvm7YU`*W?m_e1IW{#`
z2epw^jBEHlOy?qKK_8KCeM?-_p&}NaMKnFFobXzAvQNDyMZ9{f4&q8+R(MenFTEJr
z>NVE|vfS1r4sxaggcO<Pq>yz$qviSgtcHd~YUHIs+lWk(6$0m9pjXn58X3PSh(@GH
zx+7H`zgQ^*Cb3f~qI^o4Di~_~Q^PC7-S6eLcp<>}QhQdqg!sH6)A1_tLg6CXpd~cT
zYNh(Jjy@84L{kJSfArz`LK<rMya&@Ni2Hlrctdlg$)JqdQ70>*Ev}!$zqxpe)i?~K
za;b_><41JWcR~KB*2DjGp^&d9{&q7$zcxvXjgF(>13XS_`~({v$!-1^*W}YY8`_YO
zD&=5q)@c-NZ1i;Fc16vvAnwTtBXnDmRRyPdKil0aRRu+humOj&(b4F9KBx?nN!rD$
z;@&lOP<^~)u|`QW=i*$v?KES&yNSQ7GVa%$MY)fYT#Cw_+joAXNeNHrRgo#h$0vIS
zGfhDb+{(WtcNsYI#hWqdL;(Ex^$m}u^1el|KHnG2>IqUDYTD!^7Zljb#H&|gA$aCj
zvWP>v>Jr1HsC7gVg5aD7oB6(vN-`MG9Fl?#4OfJM{3&O%y<R~yeSkq>>Jp?!vy#%&
z7v7YjqZ3oJNM(<CLF84I@_QTFflc(5UBS)($3BeTSTo}TKMD&RN-3ACG!wS&4Uq>U
z!=<>CR@qR<_6nBB1S1~OD0wEq|GZmPZw>{&V5Mnsegolt#p@LV3^hTIA#zE%**tM=
z3~qw$6IchaaO>sK&3nTeIz+0?<-`6Hg{WlPhyJgq9_-B*N0k@|-A-lykg^T9)1Gg8
zVoZ1%EH1ZgNxbir<ktsWHrHcvsVLUb&GNLPHQ%AL)y+eWI%;|_pXconKoNT6$6-0k
z;mYH<Jfzria<B9LnJbI<dX2H|(h@V&aD<Pc7!VthD$UA7$A=UCy+5V9d)9@qrMys@
z#rjV*LdwqVds1U#$0Tcr&KJUolFWz}VhS5omURv9*jR$L9(x}dQ5+Z&wvSvcw@{B{
z?0&>?7&OLrGOH)uW2)HbmTt1PX4O*SaxBUK6FhJj9^`|~r<KRic(Suk8;By|G<Sxr
zDU<(<PUN$Bqvhn}$a}zb{WahBwO&-q5MTfa<nXVl#5J$*=&&vo{I7uz(RYf0dVfut
z$bZcv-fh?~d4sEXAi#vmv>I(M2Sgw^jiFy4H`EKTme);ze5*8Fl33SXldLX1BsCd4
zuZ7e)c~xF<mpl)Sa@4GofGUH4qH!VBQu8Wtn{#oba_wa4rR4NN7_jeuaKpLHcd)B`
z(lK(n!z;H7DbrlbmNRqN8IuX#VdU`<Iy?1Xu#WuM2~TyNLDXiqxk6o?fzEJw)F;S_
z4hCMnQtv+u=6<a;Di*W6N#24{8ed1TQcDr3GnbgA!&XOQ9YNSS<(AODKq9ZMkkwy<
z(e*Yu68))x{^aq)UVFuP_sz7KlE7@))uXY|dI8Rt1&l)2IHBu9ZqF{~ZXkPhmTwlL
zcv)}~=n;2Yd09PPDj0((?Lx<nYn@_j$ch3`=I7qr6DWmLNiEbTp8$1TqOe}Q!4M6K
zXkf5B4TGnLz!VO*9F0`3$Gcb*44>BwS66`+qGZgURDwYRRAB~Gvf{~6KNFa^Tbjlg
zOxMnqhw+=lrM73l!hXtQeT#NE5+w4cQL7bVya|+yif)WkpSiF+;RfB+y9x{)R5}8v
zqYL^J-Pm)wWxHmq(vz&(3@8c|@-^c3e|ejU=>Ov+>qGn96t}AD*bpmDgNvcA&FquO
z^VSE=Tgo;V8Wl}t!10cwVOuDi?AqDkWu67ijVQJrhI5PCAV)%>@e-C>!=4`_P-z?(
z0Dn--a+#2&7hzAyT0!(1M@v$V?^|_j!{ZB5gp{ptjhpUHL)I6FK4>VX#s}(ZO^XW5
z9EMnwjxjhL$7v2_XlB8}!7G`E2KfZ|$L10RgiQx77&4@TUgphz4>OO`jS()M$Pui=
zo<GKsSV+wCCz>_0H7lViXSdeZ%fqx@jb54Tv`umoL)fSea~rti2PE673;lST3!m^K
zF2kcfk0c47aA5ZM$x6GFMq0|X)aW@qLvt7x(#j#xs#OJoAX(DjHX`oicPVR?2QZqq
zL=CSfw82(o>3EL8Mgc$cvQG?OPlzB!@Dbet#R6`Ioy#oJr(80SJx*QMpwttMu?}t4
zQbhmM+&JvIrmWWXJ7$!xFHtu-fyw^&y{~-|;?l%b&cE4NV9n(Q0xt>WJ)?CP?SrrK
z!Hm?QBbK_1X!_kV2B`WUlCz^r;&8Wv$(i?H$zX2oYN<S~9*7qmjS#9~QldC(vT7v_
zrI_r|*9(f|Y7oK^vg67Ys!4?ALoP#aQ;+B5;~(P6BU4gB40AaC1Qvwe6us!jt<?)x
zP3`NK;~}HV$L`gqM$g<VjPr)~c0M!Bz(J2uZH0Dt$E5;@O3oSf6&#IWV20<kt1xp}
z+x00!&vD)9<#9Qe%Rkk0YdG(n9dxe*^cqQXj`v5cSU|;V>e>ms+9t6NlM0R{x^N3<
zjkwQinE1{l+vRh!ZA+ISr`xF2g_X@$WQOa=$+yEBylU;5Z|-*Hd((7s1AiiicNt^!
z*77uBAvk{}l;+-EOU2~560=k)<mN^@@sQ?vOl`a;Ysw9o2iaUQn2oZQ!tG@oaXgD0
zER_wwbE(@DhM=%|SLbBj+y5|0EBp~0Z#%3HFyL3ygZlPO2>8)hmcUQBwdq_gUEDSY
zLE%E;YA+~(!WeeC8>-eX5{13??w$0qr~t15Jw|SGm@20}>d{<pg2|V0Pt}3kd<+iv
ziux6<W{D(|5;(-bp?niEM+F5%a}F8qir&ps%}Tn*3H!Uz^ynrvx3&l^@tRh~1&tP?
z(5HD%fPP&vy*h-94sXX#k`;$J#*-rr^8FUmQNhW)o?JiT7+1>m0)k58Mn&E_8`-_K
z{s#gN!;%s-Y5H(<!=1TwM?5j)keQO9(!(effWApWe3f^}r5$orKZD_D)7c^B>OAeI
zWusMelOY96H^+`(d|AI9N9h05yZ&b$L_r+uO*+>N4<hVSl)i_rDd~B@;~X4U$1$PF
z#WKnsO*)Qr7O)9i^35JZIp~;M`a}Hg$mcg%6Pl*J)Q(;k<JQ9q>F!Xl6%{S4z4`GO
zN~iJS=PBwt&Xy+KTgyk!Z-OIpjq}2&*o>NGajRpFy)AhLTJR>t`(u79zQPWH-}H%;
z#jS3j=@WnkE*PTMIA~e)998LS{Ol0G>8oMQ)>3EbJz(*W?#D_>;h68!i}9GtUyI+z
zYAH+koG1_s%=v1vPH!tA?_6s4<vl79n<e8_N6?!{tN)R0YXx$eR-Ce6UdQ(vG$WYv
za!p>_l+Aj)?j%XElD}*Sk_bA`!c+N6|3L(nZu9cQoNMpBPg>c-6m44+zPL}|Jf?N7
zXylM1RHVWKLDUn?=#cU)*4YOa<pj+du{Ht{SDn*STpuF>W<coB4XtuAeYCZ(AXPP!
zKvN*nGJ<pSwI!E!vzt!6m2gq!e19KgPByTvy`dzRiI~Ci0Xrwe6m1N5UNo5zL%qn|
zZ|jg*Rdj27rRi~hBqeflTWh4Bcfz(V4NWigFuQw>3FRbIuTCc6H5E3n?!v`+?n_FB
zs9vUzLEV0Tta9uSnK-sct-FJIYBnB5Mu}|$6Vb})6P_<S?)q%7M%Jm`VBcE|fbTsa
z7*Yz;YyV(n@6~>}Q^bO4meknryY3`}B2{^Y;a8u3BpK^Zl$d+ilEH?91UXS<y-@@G
z_yVh+*?`}LEs6uDT^XY8&os%}<{M8c5knm0DK7^)bO^yANpmVERf_4kg(?G}Zm;*b
z&G9<!P{=XVv)`>5|B{ZPzVFsd&IW^n`zu5a^@QyPe!u#Ug9unpY0-n5`0le|LG>#f
ztFo#iNcJ-5wxJ7ZenDU?oOupfLg4(mY=$chrF^Ze+$YS8mV%?!iDI{As$&TwbE5q|
z`tW%rUgF{(ln3~t^pBetd%!Qknpw7&Qb@ETR1`R0jEIePODiT4rf@of<gX%X9JkK6
z;GYASuHp;%^o;r--)<H`KT0B&6`6Y5GH=D1EpE*(-S5>|%G=D=N??((ih#SJ#4zQ#
z&0<D}6W?HFLH*-aJN1Z4%@BQFYyDrb%(qF2ixw8ux7Eoxy&U8DC4yQl22lKalgwrt
z!QHiolKsW`8^imDii$l{2UWOzWZXpxu}@77dy^ZIa+);uLSkF~puY-%3`_}Iz|1yL
z5Aw|&ycD#A0d}!la??#BW0SIZ`hs}2WQl+%<-}T4OG(dBQ3tXVv30TXT;I-3<Gix#
zXrE>WQWsW_NFV9ML_~Sgb`l5HG<S%5L5uz%VT~i%mB1LM?S68>JVIiow5+2X&Tbe5
z)^r3SJ@#-SeHqoK8FD2BW3z%jr6Lkb5ivEPk@5VcDK*3QDw)s*{9#;gCoG9)qk7TI
zQi{65>)A`~_J{mqKg-tCl+}R5gsdnjozAl53Slad6rRoi;pd_)LURv&$DSw2#~|?~
zWgwl!Spd?<sj!2f`zeFlQBQS*um=TpFf^{2kp;#$ZaJ2(%O7YI;{+T-AH-;2_sxnB
z=c|?ZdT_E;TP7z8<ZA1f&MT|xE@Mq3k4(Q9v{0c-FcCT<ByAE#iJc18X-_ueiHN9`
zXvV|}F?`8o{IYo++bq0&mRoCGw<V5pF5|u(KGU#kyF8U2?NgJOS5wWTUO!bZ)qX*l
z9}>x2Np2Dgr6iZe7?D)P$HK3eBrss!SJP}eS2l<>Z-gF3F$fGN`arMp^{9_ns6(0b
zS_19!8^}CGVtskAl7HXsG;&0fi^5cWanwV?96y}?onpxQy-ZK>j3Wal*RsB9d~cXK
zlcVO+mf3I)g2de{X=Cqb0rA(Q)3kAz{UuSB_ewGYUy3G8r1UAfOd8ft0CI6M6Y+~L
zC+x|HMk!C|gsKLNge&RtfV=Qh>_DD~CnoV$mUBX&Lh{i96t3eSxy6b8vR%TdrF8d4
z*7kkRXgKH7#`}717GsFZyYt0kw<lfV&*>g5cUtQI$^=&Ow>P?+EZ_Q?OUBgoa>SQN
z9ff%9=q%{h8M~k!z1FWuau}$qU6{XT*BY&JoAYceKyox(_zzMh0R!S=lyToP%XQyK
z<DTu>2^@XQc;04V(~@*=O%5LPy6ktu;kHWyb#f<>9HDxaT)A8pcx-MRMM2Ieuk^vX
zR$VRF7)?LMvQ6?_bsy!jv?_vVR36@W-~+a2LwH%yyQ;4DY5TP4pbZv{KsV^g?wK{v
z#a<g67#h;4yM5yMs?hGWJlgNT72m&m#--e+^JtN1ZeY!tJ*lFF5;ed!Eg>XQfaK~v
zIO)(AF}nQqQ3;SQX~=kxev))KlwG@^ngqR5t23xuf~09HO;&$OhyGt&^RstQA0U}=
zu-?)xh4J&}K7HKC<2JsD9rhrX8;y2a&CSlrgeRSB_kMhaW=ahlwYPNjM=l|5YZ!=S
zRYvUE7Bi{Cu&T39`qId-aZCcwN--bk>6xy@1yzQ4D`%bonh3{4o49~P#z}v(p8&+)
zlj0+f0s2*KTYla7>#q5?w&4qy5&SBWIm3O+w?#E{*ET0&sG+JErWBNm>8zT~4=fC-
z9fl06(ULJw>O$P>dtIOt%-WJ`sPpr5&T_)eLJSG#NyAh_yab!9Q!AP_>WBs2Nl&<v
z7zN@<qf=boWVnZQsvcK;B<2_t+A>8_f>qy#cqdxrU1w^xdjp5d(E$3Y4|)-Qq|1N(
zlt?R_W0Uq}7k$%AG;U;DrI#44iNo@zr{&}V|DfS!9#vS{ih^mOFL=V^wl9^EbG-?{
zw~qxM>UK*FoI2&Ioy|LigyB-C7wsWP>p2rE!PtrPR;te)yTlYR+A}&2%}^us+nN1C
z5-sw2f)BFtAu0LmO#nRK;~tIlf{r{AtXRL(E#+s}rQ^5KjI5*lekj~+VK+E&;qtX|
zYT(QQy!G)(uz<Lz@#aGlU*m9BaVrt%lLtTWwk8+*4pGQ*57s2q0KYbz(Irh!jP16_
zRD5-i7+##Is2@xffKzN{)O{d^QMC{iGU+@q`Sec-q{H-i!D8(AVly-6ow3Lq4~yzn
zQw76h#@c>NG&iy$kZG00m73d=is@>z1PQZfGAc*0S21-OOS1nSDWEChDprYxa;$YK
zn&ISR#BjVx`dZ6{C5xe61RR;_IOOmPvoUN+^N-kKh2h^~dUL^Hy@yK(%Ghkm77%t9
z_8^ARW)h6p^+e%{ma^l-7`|-Wws$upaHZK?TVGh|b3Mev>*gkhtBA#g|6-jyQvlG{
z%PokLg!w{@!VA0{RZAN`J3qXt-HQHupI=xhMM#!=vZAF)2_VhQTuyuu<_cI8DGSC}
zY;r*-Qap!RTp2_FG*eXcv+zBtQ;{~YUp(_2jJ}lB*Yq%H$txXn*4vrGF4AG$AYAu(
zL4kV`27?Et@+>`dnbxfV@U>#+$4w4bf~ww^HC&Sxa52q47NnC^F!A<8+?{?>MaBso
z+t4F|!-xsAJV(=M^_}NP>A5UB9-B~Vw6(S|VsfheDH$z+ov8z&uO_--5KMS|9zC*X
za51>1#}kGSp*WcL<f^|JMgh@3AMeaSQHnW!K9n3(YO-^wVvkT-h$?p5oFE@(_?kb|
zHyX{n2+Tt2{(dA+@j~8BRnpWH(KtN#UR^-_$@vx8O&q7<YiE+S-c;iT6s56+2TF)-
z2}{H8&aJQ#i<&p7D+b(hp=Z!E8&}dr@;VfEMfx|&V_`(Fxr<f*abRWElWp9}7SQ!w
zwivG=Bpe`Nlm1yEAQ|!11gZu@qfVwRX>q6C`lOl!SI<<4v!s32DvWzD>zOBS+}NAi
z@#J&HEM?3n<d^WtqY`dE;c!56B64&M>&rGJes!{lEaic!(|{;%t3KJ%`?$j21u2Oh
z`oqaS60T=te3(sR6ck0VA2;(#(^@2p1gCfMU??%6a#}`Gr-(fLnun<2`Xjf6S=Rq7
z?6Hx|;|b&&XztY^B=m~YKF(7PcjYbxl>)k>jY5dX<4xB0S<~3InAdR)BnlM+q!2SS
ztO})V#mWjq!V9LTEmjD-lhgV^sEfVNFseXB#knjBMH5JAEK)qAn|@4;=rKhq@!m%q
zPm1!7`#MD3Rg|;vc))PijMI1BCaD|d85^*%{Y6vz`5L67pV_BHh)yD2ll!W#DgE+3
zUxsPL1rc%Rc3?6TDT(Ni%Bmvg2S}&jhTw08W3~usYCHapEsr1fkV_^-Q`7_ElNBaO
zWu0-!`N$tFurf-Wf#(c%xsH-(R!;sNRQ*bCA_C2ijO_MPZ2?z~3DU(A8o3mbgF)@*
z#-FpK&yQQKh}Rr7HpVkYGpaM#i)3lQIk~bCLricS4=oRjAC50dX39Woz7|^a7|uns
zQ<!2q+7pw)S}iJ*EiPqTk!|Cko;9s5suN28QSjA4Q?Vtl+hH^rT4V*X&bC#%YT}Dv
zG5+Z)cvkRM2g-mS2lv2DQNiWs6qm-viY&c|8eeKyOcGSsKjQrI@jTeYd`B>S0{tAL
zm+H2wzuDuYB_}?x<($zKWgRFfcd+|@dsXo!uLD!S<;AKidLp<9j+M&KwZP(kLIqFF
zLLG;~rPU5!HE*<n4!D*Hkx`e_-t$vj0*gxX$F&yoETvIK4Al+-gPV-AV?|5H(S<eD
zw_439d;oqHYL%xvt&uAdj_*ZWM2c#US&j?_HNWnCRk;h7>oT1wk@}J_7_w(Dl3=#F
zd1;ZNEEbS+p*%}8i?Q`kI1^QRzvp|QP?aRNtLK>Aq;;ow`j-<F?;j&_il=;L#DkJo
zg?R>9tjOV4X;HrX$`3T{{Z^4=w0W}Cc?Z)|W>9Q831otZ7S85e6F>U4NOSXoYlBih
zinl|u*X3x^bKEDMA-K+l+P02AHGwi0W0|2E37f4QSwAEf8DMMb=qkvI2wPl&eT<$)
zpLCS_v{0h7d1SCfNqcU-lVpk>VRfo?wHYdq0;YPG3^G^Q)eP==T)@g5RLhovh9^2)
zse^0dI+>mG{?B?bqPP)?StWHYRbIU#QZ)n6e$pgN%_91n8>TWne<`)|l@D^m23(by
zqgLlUT2LuVhFMSIl<Q}>h))1~UEFNxq@NncU%c%S4j>!QlG#}H$QF&DlhdLJRpi!#
z)?ws2z)4jGgDGmwZLvz&&XJ17(y^g}?K$X2dRV`$KUJ!rSJ%hqsp^dLCdJ6cRLk$7
z4prJvoPW{16IDP8`49&)=KrdRcYXSyY^>YBK=D`4|NqNZc>u|%M?=tmt-Trl4mj3z
zX5{$S!aa1a2@?M7)qH=e78LZ_U8C|L3F~itC?sItD`W+&jg<T~Z9w<c7XVg3slP<&
zW%$<urilFS6#xIY)iW&sIv0}13uJ+EIyvD_frpO(HDMjRGoTn&PA2mYx6o?zG`jvG
z5M|j{rukZaw7`sMW|U~-HNn9TODJcMn0%UU$kGs18vp31bxrB>Y9qY@s*X#jbTcJh
zE~F5S-u}=aPRBv_4Q06OAC<|(L0rnAHTMq5v}6)x{O;}_z7)}1^;|E0v#Kk?=#$Q&
zlXd#l_q4t@tulikiDw6!&h;5ZQ4yeoYhpBNYj)nE?xbEK+@-$2Hz<vEiu&3FPGCFT
zX8aRFus#Cw42ffB(4I$+cRiLHPNO`FBhXVUO~K1@Ew57)(mV3)AqML0uI%SeeL-Ar
z@`Ce8Q?!50*Y_!14l^TD!7q#}z%@BC)dm4o%w3}9*{dA1HFI0Za50Q;6ofMhRW*`Q
z$qx^1tw(Iz{r_DNbwOmyI{N!`WzRx#&vJ1~0Z~A;M0Zy1z~q$DYuTgDVnp3yEq}J2
z4}0Q^=o1@1MMX&$w9plUC%zmmE98m|y?v1W|6&ineYFVA{lx|`wGHgvwc3Vk-&?$v
z=y4srj|0Lv;2eIg6(?X#bY6g$tuf7!Pwb<L>YJf5kHILK;2GTi2o_1Ec3FY!AI+3f
z_5>x`mq)tkxQ+_<c4>4V^f@Vt*pen00r|+SNL3|~<7JQ!o22WYR&xp0$Z!Vj?NhvE
zFXl3(kM%j#f|I`-(#O#HK`}^W9!J<U!5(_s6Uizde-FAM21HOGY#!*b&Z6@9EQ|Ne
zDwA4ph+^P=0JCC>$taJk7SFu;TvG(4P2z<@-utVK5Q|4HcO%y?5|Z}tTN7_pNtK&b
zjpo#hs)-F343(N9&I=gk+^;Q{E1ps16X8pGnx4ddTXy$zpS)sURfok6BjCfP?*uwZ
znk*5c{(}b>=)+k^P3qJdrvBwse1rjQh514)1v*7kH~T<8k<vudOc9o`YL+PD;*!?Y
zG?a<$MkEJyAI-Me{Vd_Z*MEEuMM2IzCMAl%un)=6u*t6bdhv}z-qAj`W%60GxsxUK
zYw19d1uqU&zXFFC|M!|k`YkgTmXT*&c?x<)pQP&<n_UE^NC?VtB0mu1fj2;#ScuzD
z?&j+G+T&f=hWV4^!Ay?>pp1tVPvdvCI&FIMcc29dP$E!7a*R)QjBRf!K83y)v}GMu
zthyN_8ggjGm97fBPMMo7-*niIj#p_Dr%|cNR;bB1uyrSuPK$j8>K-*!!>)~EzJ0#7
zVz|<ZSsk0raJ#ueQ)=X*c5y{qp_9t;1m}EWd{tdNvkV3$n|h~GNkvhGT=LPurIEs7
ztY+%Iv9fgw?KKo1!)mjuC!5YnS`|eR`okA^dRH>tju+y&poW>lYeJ(IB(=>0sMtmK
zEaB3sl9pYBkw0NsAy*=6iyy;=mm;(;L4Oa<YRVBMLcZln>O!<KiCah_u_X)1CH0_(
z?LJicA|z5uPebWb&?>)Y++Re&JV1bMWg@4WQA=h!yP;YOMZwDxn{A{F!Ot%OYpgES
z-LoziwrAqeWmrKqs!}o!EirFP#Blt5R)eu!CD7Y0DCAk8^Gc~T3l+-1TF&^*R{4wV
z)9aEUBx&y@{x=5-Cy>8wRa@m%T3jD#qa!|atz$~(n#Py>W<hhKMTO&)pGPC7eY{<r
zWB$zoL3*0F-sfzo%61T3bhUL8QUB+jg&4gvaTaw^?Gz&$5-EW-m0jpA8e5%ku=cPP
zIB)MKT6@D&Frg!bwvt8#k-Tw>m4PA!JaB=%Eo}ukasiVI?Ck;Q5Q6xMXb_P!q==7u
z3r$_`VXDboe~5Tk<WY2WY%cDLYtA+)D(M@QP0gAq`)vq(47jAj`o#8!*QpG0qn>=D
zEq>(~q)H>Irbm`sq9mVT?`mH*i7N^KfZE@u+zKlxPN-#V>(-d)FRXFZ352PRURhLn
z_d>c#$niuear-)g_iUraaxqoK%i<KMO9yl<loAwX#MvO)NvfT{FSRLdaDr;p69eRK
zqXpZzHoft{X;0Q@)bAEFiG1U-yc@iDv!{NU8ho4`pY$(xF@`kdd7hN3u@>!0{}TTw
z#AdNPD9*`bGY>B*{fG7s@P1J6s|l-g?`L0!Bfz_i7HS+|?LJCRp$Ja5AwP~vVj_{6
zpCpO}clfeK{DoXIn}{i)ZO;EvYBdSh;3q@;X6qq)2>nJpxa34|UzJOp=UCm?BTB4s
zc1qa#I!zjwbmE|MYM!*~$j_(BnJyy!>&*<?R{CBlq`k3E7vJt6U7S>1tiUxgNMc=$
zvA@N>-#txZQ|?FCMBJtqhpweW|3d+~`TR=Q7EzCtL4tMk%#j?ScFnUr>o5jFaa3=+
z7qtX((p*8$B<Z2~W{djo+c%vKHa2BU!Ejg!a=c4>L`m{<t8F_j=V^VZQ<dYF$JVDP
z5>9V&4|nj(MW6K{em<yIJk%X>gFSlhXaMyAI`5+1i95Jh*3xcp)WoEdzkdT<`pjN^
z`)KN0uS^Ij$uQG*-g%Su&`7o<#C{-}Nm!2t$4-DC#y^)9>3D~EFpV5}7P>f^RATA9
zg*~Uju}cm<SvO)4uoBq6G#naIT;-|oIfi0*09}01;hr<88}ZjLVU4Zw0oCasd2Y%3
z2KId5o*YjJSWU&t<f)njE-(U1rw!STR5yRE#j8a0689VD`{8+Pt1W=WGq}S3QU06^
za-)`fYBhloL5_a-3x`^G5a&MjVj5a($XR9VIK^O=vv`OBhq)PMLVZO+i`_Dp_0K)F
z+ty_(OpnfFrf~8oGpjSSI=AwYDU3<^26y?e_WkOr*pH}e)y^OU*R`?njk3IWa5xK}
zQ6~~{=h%zq4NlirsILQEuacSKyPZ`a$smg-#E%8~gDC2a864`3l(M~Dyq7yY%eM1r
zbEhPHvr@4>Li}%KKo^N$d-EA-9MjiZBG@!hdAwf{KK1D-_IbQlO%$(XSdHpaa?%_+
z$tt{{1qP#aE8X==-X;>zh-$JasVAiJ8NzqxCRY6<dsjp)X@REcuJp=>tiy8LlP@?g
z`o()M4tFOC`qQtoQi2LgEHM`48;SCdG@SYnlYxaHcg>O%YsBsxQFm->q3$pE&DGo6
z)?ZrW4E-i<JcnY>w6|`Kwsrboa{_NLJ&w4$%~)aztKz6S0o2d`m#|7vz~0irQG~Ke
z?)4aTGcw8WRM@hOXqc(bQb3oLg<-O~IAe_*n*S$@|2#RQzivDvWu%8^9AfOixpuE}
zd#nvLQXCZtQ)_>5yPHdYMmM{i=b44+{rI?Hue^kwTfc8a^6{~=GUG~967h6%g`Y~A
zX^Q*mk;^`7$%>kQ?+5-r{7l-W&#Ljm;8oJ<dEVE`0>bzSSrO0DIPEj}8qsl{5u&tG
z#0W-)Dlg@Pv!DJm^v$`y`8f^`fDsSzZFSxDT#m+!Gv8dP?-QKe7@+XTQ!97FJ&)Oy
z6||gw5ZlgoI5CDyQMj`8={7e+F2Ap)QCeOutDBJOPf%HKR`6NTPmK?&;fIrbFV0)a
z+n}@t+rJZyNqb1|aa&Bs9^Y_!myQOIt702{epiS)!6zcHhdDOKbx*GFgZ_NbA$=Hm
z1QCBj@w&~6y(!7aH<q9PTom*_?SQ<$&URZfyeiJarsS7zPPaI<HS9w^DZ6I4RP3sA
z&SDO43vkghJWU85e>%RuUQBMQtKrc&I^>vlo5#CvVZB+XRp(N%&U^0i4!2_v=Xy#4
zblW=LhHAL2W+xLFRG0TIB!PlV2E6k47z0GRyl9E|O9_2UG2Krl7qwHT2DrZ^Hu#b-
z{)=!({*dvrY}^-DPuO{Obgp$8CAc3QdY;O;gsGJ{-;!2O|3Vup<CjZ~#NCv0xjCpz
z({=B~Y1EyNe)Ib`cy&O8=ce~odhkx&LKVjFrN&diG1r7^*4=o1Da<PO#B5#TQ?riM
z1J&)6{IHoNKOlL>=jVfq5N-rTA924FxJEytXm*OPPT>Hhuud{y{nwgLl47T1$Mk1}
z{|anEdaII;B-O{p#t9Bs#*{~^hZqJW*=;4Y3k9PLC7Eas9Ee=bVw<_^E*5Ze$PcB<
zTZhD38TQLsrZ#74L}Y3k__6FqT^5`dr#o9dpB{TS9De9d1$f<qx<H-TRenflksi8r
zK6kppc^+Byv<*-6x>jCHccZ*3sJgtLHh!VVJW^1R6tVKDu!aP`O6qNMph&+=42KR7
z3(rRZQREZUiNrvvi8w7A`O+6Sg?+t=oaf7YJpZeKgb|4H@8`#JbuY$P*LZk^?(_u}
zGVshOn6&$d%Mr3fkIMUd?t?bDr&BobElrn0zT;gK?IuTId$U7}d|!KulTH1yNV=;y
z=fy`j3z)X08qJy5pyC2YCgz9SU*e10Zi^x<2E9(@?!RB2WblZlbnS4_y_L3l+dCcO
z)a$gh0*qIGSlzn3L90Kke#p$~GV$bQXbO3(3GRROOZ>4xY`uB0GRiqec6760bVMp6
zH-ym|&~|-(Zb$yKR~C$)L}+huGX?K;F%h^)!FVFUzg~Z*Dek(On$+&nxyzKRPU!A8
zHENaa`cMo<Bb=-r%RSx~2gCiir5E9-ai()#P{<c^-}PyE>NUlm={l_N4IK<6d4EW8
zp*ug*+ja$23a!aitv5N#KFH#6Zzg_WG3akJCM;QRLPt+eZ#GjBWf#!?bQ^y|<;3)~
zj6zT?yu#u1G)q7*t5F{~oXli5ld6uggfEPR_Mp1IC9Eyss^)dF?#0x8|Dj;p!{ole
z@L6B_yuZ<`{_(Omm-}-g-+JS0C}-L$Mc-aFI(!3{AE11jeGYOWj*6ZWZA25@Hzf7p
zw5QSdS!jwQJcS+}AE}nB#l=vTb_(yC&eU3t#R%`FRz1ykj@!@r&TWz;?Db46Bu^W!
zMi|byZ~fpO9@I&;J=O+sIP2>#g{y(sOZbAMrO?B72lcwO1`3fjU-2U4UnoCocmLP7
zVcG9L;%+KAN&HdVe?4xQY5?^2mdz4Y6B~ER_Qd1?=xFXbquWjo55Reyt%o!4Y9sWI
z;{*wAcO%+}c9ed`j=N1^;$0EyIJa6FwKTT}@)0ZJ%{g?AmoIa(z0K`>%fbc8eN$AR
zyTluhViY1MLHu$VF(xd5;BSLmxU{w|JJE>@(s3?m5zXHvLO7NEKa{sw@n*F-KAk0{
zjhEMJDsUrH-zpe9M>L7;Vc(x29Ku_;iVQwvPM;snb19E@H^U#g?|rC70FKp4bGaV3
zlpWVRWp1mjMK_gZG+Yf4+`FNat$I4mQ&n41lT-cDy%V)zgT#+`?aDcBScUYqjVa!1
zAw6a6z(@JJN@%mEtK&L%=c~RGX(uMmIh(`PRgd0H97nCj{bK2oCKmyXo2RmEx47c5
zzRjn$b7g}v8GUc1NJAQ}_Cs!DilFV_x*}wM@(UjGog6Pko3#&E+m<bQkBE!FL7|a@
z!e`f6T~5I}7324>xnb`VN%i#Y-x@x*!Cu&Y)ALT8x)p^>d(z^1DQ@$Xq17m>O|Q|u
z^0MnKiL|??QGG*><#lUzUe@KAruK4crFoqMjp^JZyW7e^QaE%~6bp4=_js>9s5oHH
zOWWjjX^?X}x^A+~-AY2kC4T!t6&tJ!=e5aYZ*tOGIZ6@a)u>b(3hUVJZaIP#_q+Q;
z+smFFjq^b<lE~KYZk46o{RmJ5y^LDax*ZPAfXE3)2HeOoQ;sD&&sMFczUvBb5JiW7
zxfP6;Wze|RNBVX(`uym-Wk@T~ZvU+onnYpWtGx^$t5U$o89q?wuDj?I^e?@*)ypTh
zpB*ZTIpsZ<yJK-<_q@n?y7t&8+Y`j0WgAV^RFhSdrQH`hPWLazt|0F#^Sn|Yu4M}n
z;ZBg|uG$T%7B9jbjELzb|G(>)^EDe1wrxzeS&UKusjj0es;zGLauutw_%tXPCc?ew
zGPK2k>sKXgP?MJP?NUiq1eF%9zg9ctiZbJ>AsMIr8HKhha6kOM{V@Y2870jRGT=4W
z&H3eq*Hp*fcx8E>5F=Sa(lG9Z`vR5h4Tn=Xw`aini~B-1wXqJG?dOegQ|2r`G$U{~
zxa^-R=Yn6Ngp{W~*Ghajvu|f}ewv8;OlNkbaeh|yHJkk0Sbl$=o!P_f9)SQQ=)((6
zr+T@+r89lTw`tXhKjPL_vQ`7<?FK{l_gr36GhZ7T*&f4>^ZrevJjFXHJ4K6^#rvya
zn3&1CMcL0EUJ!?kQUB=YueAVX9Bk|WxTxw9?Yar~yd>R!Dw{YtlH}|x#2qwKx|&;K
z{$}u3Ks*eNSUeH!8&o<vL_aop=z(wkanw4fL@eDcAb@Tt<xyzctZlkh*SW<Jpre}&
z_eYor@%4|XFRzejNF^YVA3Z!%P*#(K#zdESJki5~nm~oGaFok?s^X1<Y0m#uE8OpM
zAUf-U)#Wk{g^4CRI9Q12EeY+v(yXXHTgwTt^75Kc*{b>kCKV`TOnW%A!pRYyLF?cB
zU<WVqb!4S;T?LcXQ+qQFE>gIwidk7Ot^HV-T(dL-TPV(Tj8%#ris6ETKFsWjK4qGc
z7TM&;>RS3&;pWTAC?-}_MxgUOSX|TNB&Nv9d-V#dXHB5}ZP~ViPp@rUdcPRLZXO0v
zYqT{t0_$$qrlCI5S}7;*cH|P)WGPPdhU3f|V{)8Fb%pPo*WpQS#m4$(ALfmFoQ-y|
z^5sX3VgJSP{xVk(zc;&~T7|aY;^H^e=p)&}w+FA@N_}^*UF?g3`htS^9OoJeEAlA2
ztTyDbm&{30gSioTy6Z{|P-YVWu8$y?|5I_j!7WZ1UXeGEZ^QowVWuyk?~>!=Rp{HT
zLjwoowhUS{nCM($UT_nRsJOo;%IdnGc`YTDFm+Rp9ISmQ4=HONHuM22FuL2)-zT)Z
zKk7nR>~7E(jbv=Ohjm#+!g?v5#dDrQ2u<O)fxg~+tM7xmA7;F?>Krps&qaN>ZRCY!
zo1Nx+G<`l_b7EgTp>|#V9B-!aSC%Mka)Hesc;Q7}&o~o2!pRk{ZaU2-4k>Dk`Rx7k
zZPy3lV4id!U%dO+7}-LK1eOlJnTEYkTt02OROi`#YbxU|rv9p`@NMEJAnkC<Vs;$C
zbAg#MqtZm-a!3tml)V3#El-Rw^Ff%zIx3!IIOfVI%Et9W?V}ljg{~}KS}3Lqe!301
z8Gs+2kw~BM64*p&*91!RVN;`ko@-Fe+D2^!vk;{c?xPt--iWy|m3SGo(oFJ5s4A8Z
zAsxVI`CF9*TZTy>NuI;hI3OsFS-D$1I|aTMi_l>{b26k?W%e6&3q5Cn@5Sk9pS7t;
zxM9zPx&MY?i<po4VkP0)*V<KaQAm%T=pxgeDD{{!Ahnz#!EdZ(sRBC}h3v|7;M`}z
zED3nnw*gRz&mcK2k1cl_tq~cbB_~6ZPFya`&W$J;&Cjpxs}emxSv@aX_Z+->_uFz{
z9ha0XLVCUOt0O*yXL5;A_s&0FZr87>wmvrU9%uGzMf<~!Rts%cxB}8ukuZCkzR&3L
zIp0lJY!5J0P0PX=gd^6l=?Tu%0kvb)OJ+8!v)InwDRJ@M^VtoXIaY&Hu8v!@U|zUd
zY|GFLe@HM2eka3q?{GTJFhlq8+b`8Z23QZsX^ICf|7EL%Kg5&`yvTw^zI;NG!@L+F
zKA-Im_(XQSvL(fH#!LSx&S`1YQ^%c#4N*s}Oy`YT#5>ipuhgNqBL@8*t+^1~+kcef
z(?AndOj&xOw;LRwLdjj@FHP$p>H9vtn7b&u&k*zgsEtn+!a>Xk4y#O-Ky|7wx+7k_
zBv1FRxB0bazZ>(+;Cz#5f3|YOG)eZ4?;z%rfjUb~HUjJS0?OiwFZd86X#O&Hd^HP(
z<t%nT_nOET1x-v%Jco0aBkW9|V+%{qF=63aN~bNQwPaM+tngwjr-Oc#Izp*m*kj%P
zq0r_NzUI0u%}y8@|BhJ>CkGHKO`<uVK;OEFFK)|#>vH1rEJeW)?B}MgX%7*lg^CrU
z_>X}^uPn|C{mUuwq=|4&_d_WI>9zj1FLB;X^vRH;JWxXofUPkLBj>ADMOq8qaApFn
zmPYPz=BBV2JKMi#tXg9&N}hmqY|S;MPoNzEY}0x{m4WxlpP^-CF{qB&UDZ;eit`i|
zZ(;nx^F$>XGAU(Ae>GN;IF%K)Ovxjnc<Pz_(O_Qw+dl?@Lc!Y){Vf=sA|kEXhuM-%
zO<<_B+m7Y#N1w%sEDHPcQX)cSz*Yfy8=<eg#Nv}fTEv#jiV#Oc7SC3$G%M&gkS7>P
zb_LVyos@#(cG@#bjO?pZIg9w|3!v(o^d-br2Iki>vf35&M~VbfFQoen_na@p>oYfW
z9L*!oD#Z$Ak60D)Rrt=t0TJk{wb{{3&6_%QDMWeNNK}6W>wuqLCA?MSc5Nt9rhJxa
z@&kkk7UfnPdqJnN>!DLYPDwe5>y=unGc%WEZ>rrY75lV>_i2n9E!so!PcetCriY%>
z@iw)m{1VEvfDwv8N9znv|B2Xj;Uc`4XR>7NRNlxl=Z3n@t72)U4D_b2<IpY&AF=7_
z6G1Y*2{60N)zEIZ#b`oAO(OkqG!VVYp|DdQ3Gk9uqUjq62A5^8t#4Pds9^%5<Avy-
zh2k~90gOfJ{g<@{bo_Qur+vA2WUxduVL%lP3Ist>yrvJ#;|98|+YUDJKw$t2_!ms5
zJTE^_K1J@LX$MEw@(sCa(hAQAIev}=(<C_gr88u<6Gk|PC^ep;*TxwL;5Jza`MhxY
zco~3FU;?;VrIF83tvt-`0#Wr|i@&^Um>TMYQ&}D-pz(X}+w>J&>$Lx)@1aNkkHB~8
zx#?&Gkw=OXQ(r(KTFBTmx-Wsr_0@nC$;#wZ97=XJ>G&c+p=F(dM*rC+_9+fiIIgdj
z<ra3aReAcSpI1%4lzG51CF{8Aa6`TLW4_Yt%-4ql=h!^^9~y$iGa`$}!Yyh&W0k`C
zYBSE<euFHcYeOVkYy9lFvh@y%?!P8#<n-K-3P*ORkICXcZgSNxFS?o*oc!XW)oe;U
zyHPY(Kp^ZGbIw3}+j`P^8ET`Fe537~gzs5-zx@Y%^<^UFJ$2Wb<)|A(4KC!>#w<lc
zfZ#Rffs;of1FEoAbX)U)BSG8{cJMT5J6?cXP7`B)af6(e`&O!;=(`T4@G}$Bo!B^o
ze)_zQ%?W#<JH~l=5qpNu!w3H5->2y^)E7h12rg^m*w|Xxc7f|6gV7c<j+8+VS}w@*
zP32M|5riqx_<%?Q3@L?KqhA4OyWSNG%9cT7SiPUC6?U@e)(R0X)RPg;va_l8NWV{J
z<~Ha#(IrG@(`8Z(4$)5A=3ey;M+0KHxHe6*YpL)LPZ{hc)v~iTyGts^KfhgvWjOyN
zyv<tG?X$%^^te?}X4UnT54efxl41GfCL?k-;R~i9!EI>N4Sh5*)UW>#t-Z`r6F*M`
z@bU5FCiUsZ`$^a!D$73)zuQ~y?IiJU*)Hp0#i>k$ZQ(|_o;6u;55S3~Z!^@Qz;zJ6
zn2>)jf=DWT7OQG%6mCK}jNP)zH&sTKVZKgRCltmIsRT{udc!9_?nr6FaJp>#a>`|X
zNk${j3UBFZ)uxt7*ZW#FI|p+ukWR4e73{mBG)u=UW6W>gd-}1tv&QEwj20Ds^<4CK
zu(8MKR|#;>uZt9KN?w6~!ud0_pZ)5#m>0lv7-n||=15ObmZcJ|N%YeyWW}_8qHGL&
zHN}0CJd4#J<NY(e?}fhE`jz4A?=r^}kPf~7(cVQC7$tkRL8;FGoeW}{+3{0KwTlE~
zf2#vdisH}k{|50la>mB%fE{x%32lshECr144}V@EESQX6&%21Szjrx8c<tz9iRJyb
z+(U1=Pdos0P>!a*`XR`~U)wVM`PBwbuosE}S_W~|g=>|5s)3K`UR~h?wd}@%gDurY
zWfi1)JC>ETU$0>J{l^8~xAL)zc{8OqVL4ng5II2b)y(0l+Gj(sqW4TeTl#t~4nyhD
zb4QBc;UiB8APGX(rMt^t9Y&2;Xe-AdKt72e;3@}B{y}^ii9XFQXiU#Uik$4OU>ue&
z9!2|Z`1%bx;h2;F6e|htBL<c2;v!Mta9o@nboBSznzWWZPOJyV0hQKr3YG~!j9)v`
z^#PKR7l-iQKrMX{p3VE3yaRc&L5K;sNhjITSEo-9Aw;~UloHmw3YpjON^?o=4UhQ>
zL)$r<t3d<OYyRl_*8-F1e`JZq^C-n><d0RikXk#Jlj}2$nD*4{zm}=_O27k-*8BdC
z;~<j9$bR$A;B0z~)ti@=2`r!FWjW<<w^f_InFDXITvq!UPC}er=-mBwcbp`Oiw<4&
z*2MbHjeK~lldvG`eBU(w+OC`0dw^=;iS;yiI&fi2rAA|FW>zp3ujX;`tEll_Sw<fo
ztp#Kx1*1h>vfta-)Aw(?a0)hJs}k);5Bw2<uGd)SrYZ)YNc&JMyc28-CNi2@DC#!&
z3lrPyV!11J^&SoL#^CQE!9Mc<ew+VMa_Q6iq6JLKMG~u!`j(8&6dnvVSrY{ZX}Y%k
zkMseH_9b1OI%tbvFH|#;XGJ-(-wT%0-ncK9+4&}GI3U0-bPTDxmOa_iFOl!bhe@Iu
z7C%m0z0TH38G^HC%>I@2iURdeNgZZkN&BmeLfW6!T(eN?yBTQzYrfyVkL#OM*FK)I
zhgPyG-nUR`uV&Z$_IfY^b%(nvv3emUYcKB~<gBDka-TCV{isvuc0k`l<`PC;10x@{
zMNYr_QgY56rvw&G1;l=r+JiWoG?q}Qtqn7v8aHVEjoGr#&oijApOZbVb>*Jv$+N8c
z>GHuVV#q^t_s*-lYpcp&)~GWP{6AmcPh+*3OkrHzy06te<vU~sXt+899Bbm4tV&Ae
zP+ypH%F}9nz-xD&^qJZqFFhO%_li=(;iIM!!8|h1WF9<PZ?H2>0D99{O73e%tk_|i
zlV9QHiiRcw>{P!*r!&oz<x>iSyGtm0`(`{GqOS5UI&Q%%-P$Cmh_YS|iYBY}eL0`k
z4zS!4DiqH+-4w8_GiA?SBi4h92>mGJC7}QL9QBAZpWJ}az97$>sxbU#Araf$&FJ#`
z3zgA5rGPz@T}>>+syvdM)kHy5mdW}+fFj@XVB-<MOX#WiiSzRd3I&u#go+RMCX&&;
ztWB<e6J^0IuA+y|svov9lq~Wo=j@u-FxzoZ<8GcDV$)Ty^xVyGSZ=v_<#nuu0;;Ai
zYN*f;5eQJCq(wWMBqU1zRSISZQe-gDU&`b#b&ESqOlPO>Nu`?Xk+48UEh5_YU^$Lf
zA!i!r-m9UskQ4VAvD_tRzO#6nq(>$lptPy>a}O09Ey)766z@|yPg^lxv_L<HJV4Hc
zzu&a#B$VEA-lIzLhM1^7Dp#Lc(V8qEq=Aw#=2^nt7`dk)C_y?sq}2Pes4Q5mSmO>Z
zh%<FP;>e)IeKI+8fO2tgwunSk9mO*B$6V^<Ei=Q6rC-*W?E0p|{)Lx2q%*#HO0ht*
zHdfVBJ6ar(FJbKIZ9eFKygY4)W3~~iRC-)6<s}u-M~JIR=xk;w9?_?lUNW=KYs|Nt
zg_(Vi8HXRzqn;PqvlPFSVKBhZyK~^5c~Gd}fc2#PFxKMo!Mavlbu;>9c5mmiVxaAQ
z^yK!MWI`KJ17|<WAieLB;mHJ;tBz21+nT_#cwe}?!Tv%(KVIy`T(8`2sIEKRkDkrW
zW~`=L%Bk}NOM`rWG^!4QJ|4Me*Q&pinN(dv(@alzzbMkQo{+Y@zJnVhE&^*+G9@+i
zYjQ19|EP%5{6p%y6{#t<zTS-4UIJcvnr9Fdr2n$ENa7BmWQUaByH7)71wPC=Trv@U
zjr<vMWks6xArJ3miw)*U--0%=P$$OkG4+)z3JVoTV#XiTogO7C6U6j^HPT;YwBM6c
zF_KhWkVPa*X6Dq|5(VBYqL&;bIvX_?YMPRtiW!g2KpXwLXbO3`%Di`CylroqD5Gr?
z=w;q%_)*vL`+th4IF-!pnBzY4d$Xen&p#G!U<K^T%~E$3FG@)udvycZ)eM9b&tx42
z!|3+K2D7{yAm!n|)R$;<-P6nqo0^$~6_7?sHLEhdDUzJomX#}xd$#qY&j-}ac|u2^
z7181Cz#xpFGlBVMuPFdVHX54Hq#=F$mz`zZCGr_kJ~}1}A!&YiM{~5UM{qh{(URm~
zfGX^@@7Azt>7gIyvgM53@2N<5*v)gA;p)c=;=J9t-0WA&iQTvC+wN?mAF*Lgi@KcI
zbtCj^QjBpZpG1m^nQYkS#ws}vUubu_A>Xp&?v)pHsDhyp%(T}}htK&$Wnt?sUyc8U
zTwcr5+^e~^!}Qs<aqo4|Z|1~rT~XY(?AbEPR?iVt?I1@1(WCmtf=Y^M;)0lU(tN%v
zE7h1vmhOaDoM;iUzJM(nT!d?DE?Srn0^MJ!$SJuHBm#<Y8N1S(6XgH0tDr$s070$%
z2CZi)t;l>#Tujt`+Ee8G*C#OlG(`GAZ4{7C)ecsO)*XFOXct;EV2Z!fIls|1RdJEl
zB*aDQJ+2VB6f<t@JvuUfqU@|gupWY@^x`GSkuMah$(FM_olNX7P{=D<K|iQpD(4J|
z7Ie%mpZye}P+fwZ$CKofdr&^tq@<v9T|qs}k2(;{k@knxR~z!>8ghpZ4~6)eD#Ve6
zOnkEJ^C}t_7HN|OZK)lOb6f~=9GG%0eTMCXXNyEX;E?TvO0LK${zMOvK)0Q0Zq#tD
z>dktHYcZo+od-?^28)SRV`>{A5K)YO7m~gH8K*>Z5x<3&F1dDOHb^hf#QQgi_?2RA
zyiiORDi0T%qv8J8&YFy>Pcty{feHyhtXNU<8R$uj8#Rt2cai<Mcm|qN^A@2p6~=y3
zDN>FGoLbpA)QIBFu;3A|6;{8>P0L)%Ch-AojMuZ$XN-pWJQlm123m5HnTj8m0(0$A
zi=%>3JH`@OQr`c8O-&K{%oGdTX?8tw^pkCz$&rgSQjC`MoLX_M@WnOG0J>_5Hd`%8
zg9n7i#Ld)1R!X4@wuKB$g8?(Y)&k=FSj2&aVe$9j1joec8JGpux5Q+_2O^2mB&u*Y
z3wT%!@?5XwZ40a+#WcPnyUVL@BC84o&?5c*_Ge+3v#5Xh<b5Y?zX&&@%>&ET>H&6S
z(*z4z0K1igbVD|mLsz>v`=&}1KQe$Je{o?%5|LGSOYRK=l?NA#yPsOzi~&MZM3a3<
zi>2lSGFz2HMs#5+NaS7>b2XZQpPF8&877hKuG@}<bu1%6YJJ_Vp|JAQG+R94YLR;a
zW)Y|Vcyv{WZNFl0oEttjGrh>m3OX2RkV!NF`_nVL1ZEf-9xinRSsgAF4EbU3iql*H
zUi5jFlL*SC+e?JZU4-ag1Z`rT?R1I}8-7Guv=N)huVsw$RD^&qB`2~Zi2Wfl)-Y7s
zEae(whC`LJ?pxk{M8-FwAhH~@{YsV?;IKd9G*n$bv*+=mp48{M>ZD3*fPOhqaM4eL
zD;bk1_VSp}@ZPWySUI2|TpG4LaabkZuqn>YUoQ8{YpGUAOa(*#zuBW>(s{6zBPCt0
zz##t`(+Gdp$cNbLxn$@FuxQ*0QejeEM}7zT7dk_G`x@eX;>73sYmF8+5QWIibTWd!
za-IIy7PM!_pFjU~bP16MFu*A<<onm_&v*wM+gK&Q|LbTY$v5&?xBSq*-y8R9*sEPw
z;IE^$FW2;!4Ap;$z@D$sTd#<~Pk$TTNPh>EIZC3(|EuNv;nfBIjQtt!Z=-#juc0ai
z1A)J~%KzV{xR9^WXdv*fO!N#fk&cax?KWo!zoSfZKj+Y}UBtuu8u*<OA}a*mJ4-Kx
z<ptIrud3;I8Vgem?0@WvN7?+8ntC+v(p)d_-Cv@0JZ2Xa7AIIpk8_L7)Z*P^!c41^
zDu2PP>`2j;wNH;-;psw~eSj&)Y}ee|iT?b$>rEx}KlyU#xHqSltrmBt)!vN6Nm?|S
zsDWFYoba2e2kQwlD*?Bfa>7cV(6!N*uTS>)+LI2&0xn$!N<}%p?uAL+7V+m)_9o*-
z>i<>|jsGATp)~2d6j@(WMJyK>2R+3DlJi+K8n^<o_O0YYC`rAv!)|R4ybq@U2B%fV
zXj`(x_edooDe;C*<GP6)C~<vzkc;pQjP{cZw#}?FUKHFl@YGLuLsw6DdC!Q0kceS#
zT@*pzh5!TgMiuLAdxxWN3-J#5ou_7PR9}?$8*i2#uUD=gx??+wm|rW;8=t?zG8eDj
z{gIDtR>_hh93BN`W<r<Wj#x@Rk8){IaZ8TuB$8hW6|h2t``u8fN*-qE2w;4Yru~9L
zOy1&#!@a)P+x*!mqxx`gf7Ht9(<HxYO17{)1P+8-AhYXAfi|2*KDS)0BU<`)YA#o;
zr`_$5h%RczjgO&-OQHK1xP|<H^TtLS9$E^Z;j-~g-SBM(f-K05obs_T9*v93kMmts
z!JAJ-6nYbr`3Bps3GUgBMY5xS|7pZq=2|)6wujG2A~k<oz^7QjHlspur#m_zfpYyS
z+(-Q+T#$Bj;g)J0U$=$*zxq1&c&7J1ju%=TMRiufkWQh9m`D?jbaB6KbBTnxn@eqk
zB)26s#H?7RHJ7<<VmK~C!a9>mbJ+-WVs4Eva(6h7^T+Su^!R=M{eHiHeZP;#`}KUk
zKkwHIL0?JvCk8>ae*_rZbn!5y5900S@@3XS>ji(;kfGZALgMWWg?^vM-G&OOSMaGB
z35OP-`OQSh<K_gx+?M<Ms<8*sYO-(a<tsr4R$?oN;kWt9jO2yK=zrwjhqy&6JkL4-
ztKJ{F)n?#EKX0Iyx~;vN3fN8B)<KGqIr!!(j8f*1B!Mj5>1sGqJ(h8Ih>56SvhIs#
zI$=u0I+3Wap1k&DXit?xP%Va4>)~zylcY*@qX_%=7fX13f3PF8)l>CR;{`X@d^xs^
zTfnH-ra1kBQe>(l`sXVaFJ++2H_)*r$YI7C!AL8y^rQZ|srd|>)^i8Px^j{e;#S>h
z38b>2i8?FRG7W5H;<BlqqASgO<oUaS1sXc=nhLJ*#kPBf96me27YOh~6iZ;_W&&RX
z1*z&sq`*6y6*BiEJIWTR7fanDY?7eAn@>>h)BEn*Bdk4+r9LT2Wi=lFpK}}GG@uyr
zjW=^BgG!pRT`F+)k^b)=NP&gG%aN0B&#i3`qVckoJ#2aR2*{cfyUwua{KB(?mAy!@
zPO^%7(JOo+T;k4f9M${U76Z}mu;*jJs-Zk0BFqa4xKD9(_Fcfc&ZiUEJ&8`|Sz|VZ
z8u}@}+M$vxE+gsAE!X-!xsuSe7N4&ate++CU|_N4Ir1Z&+`Hdb?;U8}TYtsOv|3tc
zG#v^ntF;t$o2}0?S2|z1uOfGE+Bgh1lO$B8+x81vakvG-X4XAuV8Dn^Qj!%#M>A?Z
z?l7_p)G~{tfMwPD7cLj~bS?X3bH$Af{u5fh`Pq#VS*jX^$KQyg`+(P!JamwJ`~Yp@
zTFvDn5G@_*P})X^0k2S)MfK=a<Cpr^>VP^;xeD-sPK1lICzVtmSO>GpJp>F|${-_5
z@ZVdqfci`+k1}*HE@hV(;>6-<$KgqBes7`wlPcQ=Cc2&TodiGSB^7S6>meM+8u%uF
ze%ky6p2@^LM=R@5z2yV6?7~C5ew4!kaIxfPPCZh)PK3|5I^j;>=0_rSa%9`Z*ovz$
zwwe0t%1@^y??Rjw|6IL>fj~X7PXufj!z?W6ePwf<;@bjWo@~v3Y_F!SpRuKx<ODzd
z%et#1r1s#rU)Cj|<Zc=z7b<WKrU*NtWFS>nuMbpqL>5H8nn0q}7%jdd<T=x4Rl0rW
zTWv;Rjt6g7L@qXpMy}iZekOA&S3xc(!9foy`l!^@a!4Yq<(9W&7@@2Aw6|2Y!xsV}
zJ%Y@Z753eaE9uoFvvRxMontFqutDp~0vxKSw!s&urlW{7=-H;%TW8)EXBq08*YwAx
z#U3k%n)dCB6Y2#Kou<RBR7qT}>;~Ar>ITQ?u)YLCS5Dr|Z12bgYBUO=u4%E|4tbNb
zi!O>{%WJxaiYqijvADPMJDtJrmBwFZYNlPj3PT^px!O6{@aY2~E2YrWq4*b+0NE6~
zY0mqk#%g+$bH-F|?z3gw;NUC<U3|%M<G`Gso0lasKex5K$RMrN{r#epAb)TSnq!*I
zLokR^FwQp+|Jqp|lV-`1rn{48eesRUPp>_>f=GUP+IQdNge)NPsrD>2Y;<91`uR~w
z*hWU25{JbCHXff-t1vnYwuZeL-C5r4RiEK5qi}L=yArS#(j2z%1WGq8TB*r~gCH5c
zFG>1ix&&619!94q69!haAQR&2u;%eL7=5+w8~@fx-jDaEbxqkm8Q`zvlsAdUIe^G?
zqM_=gEFiMvtz_wjP=}k$ojaHw4dY%CF3)cqpuyCd>Yl|Kv@TMyq3E#aA_<U+$-&Y-
z*5Dxpr(?ap#m~ianr+*0Z7|}6Q$LzvCzOR%I&Jr#e6cdoDt_v<!cg`6Ex=L5t^-J+
zBkq>Z#C<>H5W~pAaWiWxAJ^DzM;ENaJJCH68zH28naN*Fmh5w8T+hh<Z<@S-A+gY?
z#|yT_#Qw8zMOm3FxJ|atssHhAtCmi9ZVk$#roVb$FoVpY$~(rm%&0!+e|sP=ibpqV
zU}MGdxP3=h#WxC|rtvE}`dw9cT&xwKM0#jxm|GJ1Hae!wI?3%uJeizyodsw+DgGu#
zV`8m5RgvJ^^&m<x$>;c336B=|8Wxrc0;{$Bq~#a5-9=G&vhN~e+9j*af0xJC=k{MT
z6EzprIY#slIdl-tH#L7U5M-Tws}U<6VbIbk8bzreTU`$!#ai6D_%V9{HBhk($_H*M
zI*;}Y-`bU_P;tuR#-s_X4J-$!Cbcv`?F0Q&Mo}p@sW5x@!nW(9JQRZ+O)S6j*7)^7
zn8t>4fq<;*bn;<dE;)7WIA3kJvd2<8B!KSS*OlWX>A4(HJAALU<-LDK=@iE7`WXJ^
zU9H&Z<Jk1vm$iarseW{%l$w4qkGl7pZ8E7yaV41;y0SY@nQku2mK2A<ABuIF3}En&
zHKB<bzT3UejfBD}qR8vx4OJ#CVnh_*CchJT=8wtrE_;FbnIu*!x`;QCKi9xX_8{t(
zV)pa*Q1Why+izlf?v^cPJ!^QKR;FS+BL<h?ois7-(eSjX;Au9_(j{QpSC2)4_-Y6T
z|MqaZ0MvxlYc*X;wsv>bkVt{Fco=$jjl9xX-Id!;1r(QwdBwE2$W_99H32|*kF8|d
zpi#Pu<VT_%?4|0$e7<~sVD_A|2TiO34n>3#2wrjv*4X(Q@l&)7zmMmG6XdX%?d!=3
zTLDW`JmqkWRCGG-OPJj?Z%1j+lTa=0G};z$bXFyz+@eZ{`N7JCtmf1UNz=~_d4K}@
zJ%SA6uPNEorY*PBiJJWGl1^_Qq9~caaRSdV0`wc~q;@Ph^~Xzb`mc<B?&^gD1U=&y
zvm?d#KWrW;)P~F#a1*=)X%B2vDx1ETKAH%8sC_9;EvM+yM+X(Hx?zcvfiLuV-ex5*
zIWDJ`)2`kU;u_%XYJ?~T=S@BG3O>SdIDp{TtDtPcTZv}p%uPysU<_7_Db-jdL<{T2
zXp+^y=tHHbr|WpLIoj=A7_VylH(u_MZHhlyXlX(lDJhUnsn_~5z3s0mB6?ifG3yEl
zKzHOqm8zH}ZQ#3FFHEPkk#zX7J@Z$ZXC)~-ZzcvVEb@oN?o5$_vgwS!a5Tdph}q}(
zl$*-JUNlD7_bUZDfIew1?X1<Ha$er<NY|C4DUBle@(*#A{n9iok9#p8H-Ed;D*#d3
z)^Tt7>dhd7>T&&?=+vk1sTkv^BcRx)Wk$x|%$f{XaVc=jeHIhhr<YeV_#BwVIl~+(
zNA7E1B5v5nZsVR#ky+T`EFUURJ-Qb3xLoYiK!+VSnP9cnJgA7b@|Wv(lGoP0E7%6O
zsX(D{2SYqi%`Px?%XLGDf4i+b%iKJc34Y%-rAsTh+cD8x$iPg3^jfHAg1olPDL-Gm
z=S*7FIkL0Wb?K!JeCJOVgmn(c+xy5ozrJy-uHRkn)6J;08qMSXWiL_S=3}Bka-^S5
z0ZX>d!D~SvKc51cZ<6u<dG)!dCpJ0xr^F|^iOpHfgsWpeyDRU%35$+o^6{S{YO~1t
zM(n4y8@g+jzwFq&OfFkqqF%fa`!`Ta0|XQR0ssgAY+&|O6@rx{Gy?$uLM#CQ6#x+c
zaBy@lZDnL>VJ~TIVP|DAHZE{(XH`@U00#<^+F}Zl+F}Zl+G6beXH-+&_cn|wiU<m*
z^d^V`0@9mw1Oe$Cqz36d^w1HME=78;(o5)p0HFy;?*s^;_ufJ;2k!e<ZvN*T<9s;J
zc*Z&J`+P7uwmW;THQTzbIp<mlQk0j(#v;YKckdpy)TfWi_wGG(zjyCJ%wx2hE6$Vd
zZ8v}2cTkoTy;sslzIN~4b(hq~52`MDn@C&_9krC}>xW8{%+-El)?U=l3IJp$!Pr)#
zrInUM5fVgkXv|F4ztU%{-<??3Jy9m|d0Zatmo1+0P$L`bQx_Kg2Pw_`IfOxlmiaxu
z(n9OJOnO36EQEykzWWSs=UV3_59n&ji1r{6W6WrI>R`pSPj-7H)uCS%?!EiFz?af+
z+T-BQ%#J6V@_P5^N_cI>4tUg<UEsarb-tB9t#A$7kG)JI<&eK7)WIR4Qsnfxx}1Ke
zrT6-$5-RCD^kZ3c&^@%rR9|mDB9cU$l&DLly54Z1(NGNlkbvy#v%>B}0CmX=;*YBL
z?>~Gda_{Ej4|9|8{-(q);%u~Y*Ew~y(<^@IIzN+FU;p)_ESax?mX0X8;!e4yAJ_Yr
zJdm+S(tm$hME?YRTG`>x$Q(<|i|534K36=2g=d9b$Bh=f{d<4ka{KYt_5St(!zpv7
z@7m+T<GAC8Kqn{Hor|CH;7G=Q4_MJ2?V}D2oJQ5m<zbhgKK;R0I~TqL<$t~Cp3hGr
zeYLqi$M?C2pWpZN@v)iRU#{&s0Blvhr?$Zl{_nh_?mgF#*Lm|&5Dhr`Mx*Mu&Cd92
zC+Pv1*N@bf88rX8>uXaUe%|&DeEYt@v%L2{Jl!6%J018MZK0Z^KmPS7V|tO_YOzR(
z?C1ZThe-Onhmk<|7#xYzKBPrCfhr*okR$4lK+ux?<A3kE`H;|}+9TIcIN#4P-r@>%
zSYi3hTIVcl)=-CtWzs}y001*J`X9vPB6CpHENP8a)<C(1{n+J+ps>94jqT0H?Oui!
z78@JX1q9kZVcS)`GO-}p<VKIBNdKS)3dXp1=36NZR!jS}RbM(#&Q+kJ6M*8JlT#I5
z6lV?j@L?qn%jdB%?Z#hK#$IowdAWo6UVr_MfLPz5Nv+gC`4I@W0=GK1j@9RC91Xvu
z3aeAuxXK14feH#cB7}yt@`v+9&@(ME8`RoT4GDO9yQ(`5{iO_HPnsa4mWvqMSVPrE
z%~Q}bf&KjK3}3;u@w-L_I5&%{a<|<dy&D0I&+qP&!}^Cr7^J8)e~%(2#wM5j@T&0W
zB-*vr)Pig9E$9PDA9q0!8Z1B?J(xXevbwsem=Wc0&^2}xR=wmvM%H8KJiN|qT$oVe
zLwBfZ=%5Yq9WXZVG+bt@vng$Kn^fm!0#c-w=Gs)#H<W!TJt?W`mAe@MqxtTD`acHn
z><@LsoB8z(3+)ul9|Z-_$ylCV-Ju~Hu}oNBEIL*!X<RY31fQpxAVtFGLK-|!)%r?m
zkdqS^8=H2{GqSR_(FPlvVRmubE*B?BNlACh?nnu7cQp#8VhSHMZ*fX=LsFu5o%kis
zl-nR+-3d<Z;&m0B$qDVlp+C?5X&GH=RPMh=;Z@bf#*%7kt&yYFmKw|nf@KAUsPfaq
zzO{XW5H>sx#>bWxmIR;7gS$g>+GUH<8a-UQ*T=?Um)o_n3#^lM5r|PiyY2m@#1o5A
z!>U@{0<UKK9gWN7UScPZV`Wtp=uN^ZsS%}$wy<||<iuGOxNvxCX%vnq4$y5}byfr@
zEXuf|7UB~hA(6{!4TT(8?7vF4OTvz-$6{lcimkV{9>jz&<Y*M~AP6#Xq!3B@+xoBv
zjeb3765NI0j>4A7(K5AxOFQYT((&R2{aC%Zvsy-#pAYdOT-ofO{oB-T!-oQu_Knud
z+-iw{qdZLU+B`}>+xABjPRWZiv`arKX@s}D%U|^>ibyC7a;h-xAM+<vYoMS&swEO9
zY9p%LX1U)YU9vlTjV<e(TvpbNr@?2vNzxlO+7nat?^fK)dlK6V^c*DB!TYMQUl{S-
zCpFxR!B)q?%tMB|N8HGJ)htwN8#Y9-qRqyMSeCjC<*pOuIj5lqNn*Kkjsc%5^sKb1
zyH+d(ohBhq)H;{5q%G=fkx_<6nYNS}liV1Pgsu-2&KZRw4h(Ek3bp1_TlG<ZI<6Bw
zsq)9pjps#-pT4!K;qV0wmXKjG0=K)BiE6%Ps`NE8E2fIC`Mq)KHk4)1b`Y`<rGP}=
z2zr1aK~Zj}?gVibF0lV8<#%1kCzQM@i;nwN)iTmzT2i^{L)@7bu>GK4cqY0Kur&w6
z<kMz5@N(o}gMU19LeH4dovZ$Y8U5~1?41<gR|@S$9eX1vw!nH>xf0Zf{3xlNTnAZP
z+S5$Aa2TywI^>~YbQ+MB8=gVej_~?3nRmjF(6G?k@iS#MbltbekiS5Dxm`wgJ19Z0
zuiyjPzdDZ$s(IecZ|`FAC~=;vCrS2DP?@yqM7^u2p7!JtO3TxtSI`d4+gh_mQ@KCG
zU1yS{4<J=Z2JV;(8Xl=v2YstU)S);(W`HK&%uq~^{Z=0`t4lII=gz<xJ>uekE$3`W
zNz1<1nlds0nhAQ;UDug=)U_tX>0HDce$%x|Eo(4wds9>E;GsSLVam|(FMs~dlgnn#
zu8PQdBr?XMS}LvNUXF-%E}AUS04(m=R5?|2JetX17-6DW$6h6S(L6{zlcxg;P#6lA
zdSrA#^~24y&ExcYaXextBW-0bZM1m{WhkVP#rfh&PRe)f{9y>`BhBl3ZK|D~GZP?{
zo`59&cVgEs{HhtHW@sK_DztC!qVL(U-cWLC*7>?tjY3T&C9P}d@;YztE3mqTyMhEI
zam=g!+c>U?-m~eWE@+%$)ssko`AnpVVBpupZD$(GRhTANJCE4(u^*Pb0NP`Gz+Wi|
z$L?4rsdAy^c*AI`i<7;d8H$lQ{yFq9YJRow<kz>2e^_q-q<nk`g~Df_<eH{e<Fzo2
z{yN{~8MVmow$dAQy?DWj2(Z=m#&p6|BVj^=3d%wx*Lw*rBz6XeK2F~DHALs#d#(}W
z{B%?_ogKaM@+)&|z;>f@0#zlcj{#;pFwL;crc9voHWmBnwi|XTIQs5S5!#@A)Twp-
zdG|*^|L<_CxwuZh@byJ9ufrkGW|UsSg1~J|)3o7Yznd+AMoQ%ebTJ};VQPH*v*5`<
zzYU%Tm_g0cv!UDl7zsic_TtLP$+;hIJ6Wa!P>Xm90zbv7>=g<wzKPTIO9Y%xre1uG
z8j5S>g6q6a*5RPHIaBS>-hb5fAt(e<IoB!2rSP61GPei3jE=LTpW)}N%7EcXy2>P+
zyfEc4dm`i~DrG3-9Epq6ap(g(@M8U)I*Pu{#3&bR=k+@;w1-|MbhxghfaZhf&P3JE
z3tmjQZ4}?IWt)>q+qo7&_oMh$l$p6X3BU7Z9#NK03{|Pq##m}<Y6?Hd#M){<TC;*7
z?&0yY`%ZS8UIFBScO{uaz-bIUJ%G}yrm(QEqQYUa(!5pWZT3HQv(ik0a?`xr#Kc;c
zdy}%(K^J=+08i8?XxcRwNL~05Ay)P5t;lRJW638M`!oUL`=j(3VyGkUy*8p7N*Pcg
zPkVUVs%c9ot@-Z_s!gR5I<Raz%{WNyTJL_$?0S)YqQ2=HDZ{Yx)4GsDUsPqc%Zrji
zDRU3m6h5xTWaJq}TmsD+Eu5~Cv;~9GLowIi#Pg@-Vf-*wUQ07l!cYA(j<cr8#SniI
zd%Ubzn=XRH%5ZL>t2bkp##gDBTM#u0_8L9ZXz9ZmW3rftcb(o+SNYB_n%N%1%WWCJ
z0J)I1+eoi2R8Wg0Wat3@3?o6*!Zdw>>x<tw;J6R@4Hn|qOfQT2s&sffJv3-f-`fjA
zk;nS0&w@J#-hCPih&e-k9e<T*bZPYJ@!tm=utNXJWN_dzxwsz=N}|A*VkN@5TC}-s
z_9neaC6Vi#)XULI-WQJ8Y8pjyXB{uyt@h^I!iBGD5R`4w3mXf!X%EXN*;*}Lhe2_o
zS~_w*Z{@nmy#C^NUVv)(Eafr*qxwnT=*W7JQt%jtGYHfHfU46R5T|Uw!EwI?)VyOd
zpDfz2yji2ohEFBB4Lt5i<l3lN2n*q(<f02%mu9l7-)kp}89#)n)12b4nTr04un%cd
z=R;>L$BGhofO=+6pT)GQC<r<oO_<Jj9Q5Y21d!YR8OoN~no8%D#&MR*5uM1Z^OvoS
z?V}(z5zr=Fs{YdY2qds5SR%`k1d82v+{ic8bKl~MqT*x?gvz~@Dy)*f(Zkr1h2{n!
zdEU*69zhWxIvhB}zf?IaUqSiYhUauUHF!-C(3LFBMz>AclQWtVr&b2^+|bsXG0QMS
zl-2+VtNLJ?nL-T6a#>Q4?YbKO`_Z5mb(cp7R0&)2m)*}ZQ8_ccQ5Ks_kSPO+B8F;<
zQ3i*aQ=KY`FV8k}zq<-oS64HH=1Z+MSi9vKT}G>D?(OuRBtGO97tAi0<oUFlMQ`bU
zwp+VZjW8M-8_T&!N=iccyr%S=we%=Yr`jO%`Fq3Y9NO}4>chR;#s-$v9~=%tBnOJ=
z_WPZ58-OSY@21M1?Ybc3(#scTzogP1<SL|XPgfiDc{yU`dGyeWmJQXYvAbGSrJnyP
zuuj8dQbi>Qd&A6&l%c&(O;%}fEaGXCVxgzRj6@%W3njNWq&Mrr8OQmBL}ZG)$cEk^
zfB9MwjZ;t2snMw5sU#Q2oQ}eCo240ilDyx#tVVG&0&v!!qw*<&a}uf>W#iD-rsP44
zYa0L!s*#yW$gUlMngYku9z{$Ft!@56YgLazPfwzAy<@$ny}iXrEEw6xq12<j6#b8S
zz5K^N7<c_kAwg#!?PVMfAfdsehzuYh00$P{MWt%1Q#;89EF6fNQivR={!V>TuAH(J
z;Lkvw7=HONIRA@>hDmWyQiW@XAMEEA@t?$u9kEe(PtgwAi>Hs@yccV_4RgdMJ{lb1
zM@G0&pSgZK^|J?i?yb~_KH$Gx8*&WYma_+>aGFQvlsfhbxy&gZv#c@a7={au$$_O_
z=sH*R<1>bWTU2snc@KIxkaTJex`x~_PnlG)d6%M99Iv4-l5JZsp?@qOB&u%4Cz}=h
zlctVqjxFCY11Ow7zm2X{7qppruM2_QaAuDRk!7`mfu1B)C!V-o$$(XnB&v0^il=H{
z+@otrTBqWFRwaE;zfuO*@~(=YilQBBddGA;;hcWRCNX3#z$sh6i%g0#<X->#g{P1N
z>GUL2mD*R@jTd^7N;un>m&(dSH+p3}WZ&Cj&kQ+UubTaxlGEsWY4F)M;jOp!0a}Ne
zsvzp+pr(l^1_TsYsdX7+bP#i~PD=v9H@{fz`5Z;J{pU6pA(liqoB=!JjWKvs3Z0G%
z5_&e`$@b^QJ;JbNlG;3qZaZBx-Q`M2zbA&HP%W9_A%}7L=SN$b4uJ~k$6k_>9hb*5
zJG4*4S<@QKr?^OmV`|4fdg52w3nxYz<(2kMr{z#OZ%rEKUSW+a|Ft8=N1Bj0Cs2m2
zBf}JU7L}udp<8f>@)_$k|L|$oN?{F`Z<Q*l=Ciqn_{JL+7s(pJll;hK{4S#L_{S?#
z4*gt83G%sCn;CetDOo!9oiu!nJeH~k^1X6goA?pIDn0p24%<?V{2%bAK2gox@b8#l
zzCzYH$uXNDsp)EKgs;%@4;ASg0&2d)0WqiGobjF|0zYZ^9OljwcAX4JVeJ>&F&<kp
zoSbSt%waxio@g$L0%;4Rs;z@SF?g6a6YT+rK8H`H^}W|?AGD4bi_D)pkKW{rN(dEx
zW%<yePFJtQ+6YDG&`4t-b}qD#%mH7qQ6zF1%hHp+fIaSA%t;LmzO=GyE-U5<nJ4jN
zuYnv*Y|tO|z8D6r(_%jCh;i?vf|r1XH`u=ucIW$VlWKWBjyG<AS!@Uz2t9g2&*ow!
ztFf#VH2{e}AB=v}nwUuXq(o6u=I2h`j*!hfgH3MK?a5w>KDURDhSF-zOn%}Ao6$NP
zDi)dL0D7W-_Nn5#$L9;Ad|w+8aG54QR1$*gxffqubXaM8?ka$)3K+IO1z?Z9rKh(U
zk<yEF7x2&ZX%>&HR`7JN%n`zRJzBwsTd|Ul#jEGK6oY0-CR~EmBjDmvQq1gzE}`k4
zVW?ffylt-z!WJFVUhwabe68~#x)#S^=VYI$uzGaN`1Op3?qtk6H#z%W#Si%<)(Ii+
zFu{1))}mK`_b9(*m3<z^Y&7ZT${Z!H#&x|=S6ci~ni4vxxaKqnUsNpO?5yk6VeW+j
z{4^tS8ix~S*%^B``KXHpM$THln=(n~9Ap%=(SW_jqBZL}bxv{mE>5cR#;lTJr%z$b
zJ+UPc^ccD<{m@c|M>+v?ItPR^7FB<y?#B>x$fX~Y$|Z5H35?3>T7<4Xmn8pbNz2{(
zW})kytv%d2u{E^*l=pN*(yKU(T3Q*B>>|lf#y7GlyILr+A2>;YPy)s-7Kg0oym2UC
zXyZ8`S1So3AlOY3|E5HV#x@$JRS;31ok8zV98}`=+naMKF{3z!xqOxHXPr)cQ;ywV
zyPrg|F`ugZ&Zc_f;$PgjeMUwIbz`M%*m@<GVKx}HQ>1GuvuzK4V{X50j~vVpZpcX5
zoM8MN9395Do(J?kM>z9!%X;LO1^@Qt5LO~!r5nc7a9$b-&ik!dCnfi!Aw{eq{mN-&
zo3kQ!SA-|YPmfsLDq@%HduEegzV<Q}u*!f=ZFK6}ictA><udaM$0eCth*pbrRYe#h
zo)-r2*Pz^ctyXi3mu~*W4vH0@hOBj`i*eAyNeHTK{EkOh7xiNwCcT~XG;`S;FMIt3
zeRDj_fK5Ast~QCSAZdOF-Dx9V0e6OmtU^-WHapW(Si<wMnKGY6WJd$hNNkDylX}`n
zOSuur=B<aQM`e_9wI-|5&?l34VGsXR;L=C;r=Mp}GFlxOyXvjxXZ&7LQnt2*Sttco
zp?0T?tHo@N%e5aa9^%dJH0R74xMk_vTWSUISfdlAb!c*Q1C!)4DShnTn*>3%+V6i8
z6<_AWG(nJ`<g0qQ>>_R0QA&Vu6$w;6H6wC&HmOcUrmC!*woW#;&OHv}b!A=wsVxZF
zvkjnxF0#OB85@pX4X`>qa8mm`iZks8tX{9?w`4r3-m4&aa0V}rx2~bVyB3tsX_0D=
z*~Z7}vSj$26gaNVh&384cV412Snw4H#*cdMT4=q@mf=f6u$_9&uIjNm#uQ#cvMh#Q
zUV!QRyTEaH0pq31>`%#;Bq|AcWfVp~Gla^0-TOZp+dw;YeJx>0A7sL!tSmD3@|VEd
zxh2kv8t6T_5ve?_(+wvC7n`Gn20^Fq*x~Wf73T@*_MY0$mL`*Kqw_E4(?=O@!(O*m
z$Oz8Uw&tX?+r~Ms<qkgld$S?Kvx<f<&p`n^+3~%uOparrEy%;=>Zn=ghBoP_VeW7f
zy7_p2vx)FNE>DQ<Dxq&Y?YV7qt$X(eTaXLDFKQDftu#~$+PS%8{SrpO@1ZT8G$nhS
z&>M%^-P+z#?}0$-TszUjdB@)1^uDr0WK)b%AAg3>HcwY#b83ns6A9E3iWa0Xp!>Af
z11xV!t?f3RP3;SPDU|cea&Cw8c4|S28lJ^aIbQD#{O(kdh%r7Q2VoS{ZF#9)u^A$a
zF{g!y8u{yEAQbC$c=Q`_%qP=*+jBNDo)c$b`=N^i*272>C~&BV>jxzP8`s_z4v@PD
zH1jP3F#c?Y6JWea_Pe)Wmo4^~EJFat2z0W)N@o!yVvPCYWP5jXKP;H*9L}ZDZ;s<y
z1)X$fKWoCm)-&fu%hG6)ePE&fW==OSOT#xdCi82K1IoJXOmwBPBUf`IU9-!ew=6Ex
z#K&p=X@-ahj^sTb{D;mv)5SUvtBJ@rJBDGr5}obgl$0b`G@Zs~iC?tT;@#WcquqZf
z{YhjcuC-B37qcp@fa?F%-d_jBxorX8U_u}S4<1~CyA#~q-62@x5IlHrCj@tI+}#Nt
z+}#4f-Cd^p+;i`NGgCEHQ&TnXSM#O#Bk9o3ezvaPT6;+(vb=B}JH#qR=U<6&2*F{2
zDfQxEF9UxGK^p5{9ui=01bKcp07!E3n9)<xv<E1W{wFUhIPxUaIxFf$z(X83FYBC@
z^2^8*!EZrDG>yTMFCtGgz>z1$bqZ!LB2VDJNo2Rls9ppj8-pWH;+8~#FCtH9z+p03
z$@wHN!eoH2kkvGtaAIGC$^3uiWf3gumOQSOX0+|YL)>pR;&E_rE-bLS7Zm@Fkswd|
zDhS-(0>{{I^u#2P$aKIaXMr@?Gt+FU#mUKP=c8pm<M2u&^VS|wce(INvI*S(<<LQc
zdv6;qy>+<QP?eWwvNv5)fKjHH=DJ&OczCER1v7LH(vw@x$EEJ>?nXeG@+y5Q%CoVc
zKn9K4kDVa1iCjk~Ctcfa^a2bokZ$~4d@y^b0373ATgx^z{e$C0uyv$$mvMZYnPVb8
zKp^#QlzEeMrHIpbrm?cj^P=c>rdV1@^6VHG)-M1|ke1$bvPvG`Gr1ydF`r(#!IuQ=
zZECFp)K(hId=j@4^Klm|Q8ob>#7XcqpXJ0h>fSNr>eQ+-n(asNvCEX3M8kX39Z82~
z1&D1I3FtPZDBdJQIE@LaQN7jDN33SGwSR|*t`(Rv{kjK!{sVhm%MI;}^f=|S(0Yne
z{t)DNS*@+1<T}6*woFw*V4?MhhRk4gVkD2-<*b@VUI`o~T?(s3Tq>~Pw4XZG*OOIA
zXj6H1NPl;-z#5T#`D-?ZcIY0y=e53@;M2GieX7&E*;cA^8l_rUlKL<v?6S*Ns%u}4
z0&g##a|%64{r%}c4b3RY_U>-uc2?+O#=yFny}T`zvPiO`^x4w+NkhRlIGfS*O+_!h
zR`b`BnYPD^>oG#&rKSzl1zM3Q-t|bKwFUIp&BCJ6N-K6Aiw%{0P1n1Fx{(wPW~wAs
z4-?l3ZWdV<O-uRn-J&wxudDvM@@Kmxb<2fnO95SH*cc`G+;{s`Hmx^+=wR$7haJVM
zO9tb$%StRhYz0*nJQkNzqk+<j!gHtmeBQc6yU-m2phk_k$~3#leFke;ztvKsBh?H7
zvd4jn44dWbd+Z=U$(v{Cg9B84rk%d^`s)T;%`s~~g*q^IuHN=f3WvRAv;KtTTxGYP
zI`|G7f(pkv5%N-kr%Y`L(zP#M-xSe#$uT}nO_dB<rBjWkg-UPbtT2yhrh=@(^PTFl
zhvLc9`Obulz@>g@M1MO^e~Iq&qV$EkBO8Yw@j}w}&zrL?YA+SaYBVL4y%du0LLz>>
z1rI!If1BdLBGm<m!rBo1^CHTQcz)6z=g6{C$ueFhD|RHc&Y3UCJ+$-eREzz|t)p%2
zjQcn??W>sFU3eU1T6%Sj9_xS)xXUNNGpfI$;Q4)+{U-PL!QtgU<zMUc&t&t=b&{yQ
z{gEku*ladrTcX#dtM))Hle7*;;HcsWqK?M6Cy-8N-XXx(1cO1VnS)`y(z?W5AOXYf
zeF%rmZk^&H!D0F+AaZRtiso%M9o&>QvzmnU?(inp-gfEtdR&pK`LcBM+oV@xLVVk5
zdK+L5aut4)<ISIxO1UX6n~BzBt|}8B*#bYGIUY@8nWP|N%k{43o`b!7?q?0ZJAPMr
zqarLj=2DJ^N5^PY0`}Gst)Wg3J^AL^uU1`lWI&bss6wC2L8nLGeARNqI+FiR4?>1N
zF<ev{nsha`cF+nLn;Vr(S{~Q9=R2Ut=a1O0kf1@L+%k_ThJ8-esZkc?|0rDP<(QR-
z^P}#TZXQB9!5*ET^jXFKNny*70#0<J!7e-6uwSav<j}EeQRpUH9PbcyK=$Pg!$wA|
z8el2uPCl)qq-3-BHcE<4AtTGg9Vh0ll2wEvvE!9Y8wLJst(8`}HJM-4-6Nj+aeF(9
zs|v?<W-(we0eSz|XjUu@8GB2ixX=K$FZp8OPXTDW825V9;jQvcM7SiWzFKMtZ1(e-
zhMQZuT-9AX5ni^hh%#83elVudX94EPafOI~9j&p}u5;W4MQ;I)={8|zlZg?kpYk>$
zw$j|JJCf_8;O8>}%xu1tlO8!gEB70g!B2%8Ka3mzL_oX0s4sRp3grlh8_~X-nX{LY
z3RTtJNvV%&Tj@hA1G^sWCS8xkk;r)eas1FD>djgm2#qP1^g35Vj2Wu%2bm)3Y~W$r
zT9L%G08Vj(Pp6u$3s9Z*Swe7ceGGBZwei0EVPQkrVn<i=!=jTKwwsOnd|V&*!eCfC
z%wc~|xVY4>jP}^=jmD|<RU*lAX+z2E(A3c@m|y0g99!X4BxKOZ2pBnSzcbY_+ewTk
zV5K$R$r>l_bgi>GD`EK0NMngyR8q?B15{~S)5ywaN>l*_`qFFbzSBd(6H#Kgw!-Cw
zH#@dy&jJs@`H~6{$Wy*_Ah0jKUp&&%69iT%()Nyz(|AafmenM2$`_+(-(Uy__Y1(i
z^PSM(6mxFFk#xhq&Hd=$8-94rM16%uH;?1EXy=$0O&tE4v-<N=OmOA+P2CX&6S{e=
z*5E~^hy~}gnh9fJP)g-|g`t@08Hri-G+jM?dYZ(n^R6Bcev`2D>9*{tf1cQlJodYq
z??LO`;eczsM20T!MvRhbvHEK0kI8{~<FTBRrBy&0OS1IsbiwWoi5_p<L`Dq)V<+W#
zL>EbwIgG%wg&P^guZbKFh@)#cS9BJ$u`hHTWb93l!LA<jc>s`4uvMvC)y(MPH0x7V
zpO8U2t2w7aQx7uZ*wy1?-}wNOts5o8=BiYH+*>L3%K8r$u;XM{w`y7`3-+!X#X~DK
zBVWJJM~*fo!q=oXg>%TLs5s!`nXz5UhneruNV6(kC2u$o%z$vaKmuna?GG=w&vjj3
zx2b-d5kHT-Wd%vSl|+x(jc7+%iEovx55`>Lffh~oXCr)k9A!Jk&TU_fvvhfH)}v*}
z6!x9`X3L(K#>!e|WN(C*=Fs^-7-7?!XH_;Qrdz}MM*0!vh*auONb-4^fG$fL^<Rg_
zWLj1FbtR_TachiaWOJ@#`<K@EtsZqlvMa9jO@7HTJwtCdE`N^d)W*_KZIPfeFSy@n
z#yg(fCZr4jHmp;-i^`|#I$P~PTB$BqH#KUVDlemP0&DmZ%F@Njh2{O>ac#Ku%8iqq
z95HTZ^7@x(ve|*cST20`{lm12Lkc^n#qfP03lwJ4p>mj(r2(t50Pm9E0#W>LeX-(T
zt|LMJ?0lW0m?QMcdlmHqXnKpLrt?Qjymag@QZ^&iii%puvyo_IX%b}Vk`P88IGi}C
zQw2j(iV_jW!$NEVWJb1o7|uLKJ1^ypS<<sFzQW`Y2bLIcpc|3Fuu^Z}z$9@sUay5F
zCnqmiZP@p76js^w`*ndSt^qdY3`?*fNy!HC{V%d|w<~MXu^9*xsqL0hbeCJ_e{R4e
zEL8LlSyzL^y?+yPlB(1Lf019esDC0umaoqblCqFr;;J0HRa{z$b*=|yO=&ohcapFY
zAv|-{1s9?J{x~HZhkxiSWabpgd?&~$r$3b|lYDO6f4Nudu###$MO}6?A_(~j<9RAY
zDr=Qhh6KgG%YdL${VeQ&J@}dw&MyI1URa*f6xdJn!mrl<9q8ltJP|J)X4gPy{DI)*
zeUm1LcFp>t=wBqo;qU7H@Y45q9EEUAQYy~<Md<ZwV!EDJFVhUgfjC>Ua{WbG)OYV~
z8Q=b2-rE>7bZ`Feq5D5{=s@TD3^>Aec2-?SX9=WLS<KKq6s0c(>Z&9)Ctq}-%GGmd
z+Yhl)85}LQxR{tCDU;>aLQR(+C%sGp9Mc4r6xxWK+Zm;$rEzf>4;fw{<;wYRk;7y-
zB^-x+cdNFxRw9}V-CvGzJe0n5c4?`_WF)PF8JEkc*t{sIXx@KI6!Bk~xG6=oJA2Fx
za)<-IbgJ6JKF=uNJw_{!f;_Y2ykdok`xX=0ygS21h0o{!zKTrV0x|tRDrEkfgDf#p
zc_z~7KgCtUR7RPG(~Un~W@nQ5?Dvrlm2e59t!RG92L`yNI4`?^RhBh^2~^mg^Rl#=
z5CK{|WeQ^-;D3UYtxwnc$OM&`*zvX6JRjD&LkZmW8Qn7O3Yqv$x=>XjDHZx+uJ`nw
zT!9xn2QM-aRYQq>T5EiIymNetT_bgqn>pzv@Y*Y>D^;)Pu=K5P+?y^?%G-sma*!{h
z0%E-11u!h3<bINo+a)E4hG0(4)75Eo*r^)fwb(2>FI%HVw;kr#O302`eS^deK70?3
zf3UH?EMXx66K2!}Ofc^ZKuEGUwaT>JujnmAN^?Jzcqsa^7l313uA~cd*At(Y+u@MW
z!TeBUT2fm(jiyf!((fSNF(~n(48uDTv=4nj7I&8iczAdqCM>o2b8Y*lXUX&KAn8sK
zhXvKK2g_t~YKpWWc%W8;F}Ca>sf`Iao@@v(l!Tswp`_fi=?4Ri(Dz~+W&RWw)h=9%
zp;W3yYHCRDzbY?!1m}_kHXOCyUHcUKrAjiruxKEA{|KvRDao0mWxharN?@~^2T1`I
zdmyX#+&I8RX8?_L2wghI{0o7acP;LV{8+r;Z#vw?9j1+o`U9fj??ziO+jnS6-f)9d
zOV}g6jpF-@FI9?A%HbW%<j^m6`%iRG&!sLtJ)BQmlwG1!3&a}`9o(13`i1oF$6HW_
zvyF^C`Y{6rDaxN>N|@A;*|rra3xC#HE!2N6;@3iap3v)cI{1zpVCZ~sY)!3y={}>1
zF;Cm+sa1h-oyY<(yb7gj6sI>k3!^S;Rvdu)(==*Ld_;B@TQsQR_h4X*UQ$p??{zZ}
zi0_*32?%<5)^wwMm=2;Y9G@rYv`)^999*K&B~mpp$#a=Pm^!aYR^%|<q=E_2sLYSy
zT*N3`WV2bmzpQKHsSnhT;+A-s`@#=4M!1VL#UuN-B$9~fCftu9A-(wGyLyls$CARD
zN%MSkK3sq|>in&o)a&G=BzGLcu=)Z(=Q#rxX;PpQeKj*+bCYo@r36l_IWPZ30u(y=
zl2}IttG}~jtxxTmAN6g&8Nl<u{d*Df^FpK$t!MWzf{v=vpNC6LDnH|BwW84MK^RIg
zcYX5bqfjPE1H4T18m`)5?CQH0bM{#obo7Q79_BE<I8_wEeh*W4$}chkipIV|p2^>p
z#eOjgq~O$Jic12<|HnNRq;buFttJ04gDGYxvMOV#P`30_ob~kd#Ory^q1g_x&cw)`
zO<1sUyf_h5!8uKffe~wvu*bUYC*6mKhdgeVVQYYKmY3NWK~hkdGLYpz5iw>K7RfAT
ziim+fUQ~z@&Hi~TqK(9RouOlL4dU*ZnHe<`{9A!GO|2?Hx!{W^jlw(;SLYRvI?vIv
z&B)(LJXb2DzswLaPub^oGt-xJYX?56c;~Z7h>AoJTP6_(QO@hsQ&bEO50i*QzwEO7
z=TF3Rs8Z5t+!|+m=7m}Djg5_3HZ3)LXJ0{Q8V0>?F?mTxqvM`+(?M-2m-BpLR$iLx
z?taxs>&<5J5YgY>4OaKL_2P-?pd)@$g?6jyY?#ZVLW!cHp<62Sm17WxYTx3|9$d#M
z6*a4+#wn6xAmfka!9->ilc{z;AM;RJ9tq^K*4tfwOx;h8yUNjRMw>&)CRy?iZUeM+
zL4qSi-bJb<<I(;0-68037&Ko#P9ft8p}nYCp#ZTXs%_nDdw<fK{C*8|0MFLjX5XkF
zm9#1aogQ~0HJx;#t7)&6_Je&(+U_^#<&xQka4Sv6h(#zD>TG6404V#VO^2KyjcTwc
zWDhNpBBGyj!tqZyJ5>uxvb;P}Y*C1g=gkIN3fOI8<?*s^&xLwBSAi5AqmaXXb5KD$
z=faPTI+|Akxum2dFU2mTq>bte=-jqkZq^8-9)Uq63&UZT<)ij42ndlsciaKSYrgMc
ze<A8~!L~z#OmGH`GX-nhEdH#_%vG?tg#)dQV!i%q*=;C#B2R9{{YNrCauALV1%v`_
zmZ`8AXvWUV$dVS%$;if})doF-3ztE{tf+xWFKj))zF#RbChf#Ajb281hK#;L&1=Zn
zOjTyCKQlY~&*R<E6?$g=pr|R3qdXt|`P+ySmIO&D34zbU4t!@P@sp7N1f26IK{7Y3
zn48r_`;n>Q7??<Nb8~m(c;d*<HfDVMJPn=?u2oqh@tLZ(-8LWc<*jB)by|I5GI54?
zX6ENLnY-6{-OaK@6^TSXAao~c8d0SD))WhP!CWz|VBXOzEhxld20+48LyRt?Zalu%
zj*5>w+AS(W9Qxv5`5}LYW(kn{Q?6Zq+A#{ITl|GI?feKXYV>7QaH$N4$FxW&uy<Ac
zYqU6?dRk~g&&iG^j~o3bg)Fla>QZ0_&Jqb=t5uM^AM{%NGU~$9=E-<l=mkAx(Su1y
zFDjUQP5=kZO~RM#O;k35gQ}JSj|Z7YCV5d?WiAIJyl!NEZ}UTm$noCfz?nGhe;Gii
zG;dEcH?_g9f?;9KP3}VE+GjWmi=#=xgIEeovz-vW(C8pWacanIK*=S+dNBk+;B}yx
zA89z0#G15U+5SBZ9N%l^%%_I!uQd-TXtA|_=+7}`I)ku8l{?$_))Ka^njnCQ10+QM
zRE@v=aEVhVEotSJ?~()3>8GvpGW!~5blrxQEOhzyDA;ABDJ4RJI2Ns0%0vqcssKYw
z=t_9?Rn&R5f(FkI24TXbpaDpo+a6jGI5t6fcOZkbK>XaEpwtl>(;NaDn)A(J+qhJ#
z$IT!Wmot|mEn@WwVX+l0S|UjU_2B+NsegnMIg-k!uU9jeZPy|tI@MhEe!0QB&BY@5
zE$xMcW}6aF;hM|^St>$P6D%5I@oD=zJ1}&?xIY+$GoK&T?@8sYTF2SX$Nr9bmHJQA
zYXr9SkTIpILtDAUBujX}-^aSUcL;|N1uq^4@i%^Rh$iPF)n%<(O9@4ATynP2pWg4^
z;r*l5nOJ0Y?X?@!f<M00WE4P$GwZ*jQ~6<F-`jRON^Z-jlFo)I!@LN9Rr(fG#B%4a
z`62+;6r`?TBeaO)yhsDe0<Jt!rT21|g}nu7J7c4v)vy1r@mTN4kEKmVtxfYTlQT1X
zPxoh;cCNZ*^VQ+u;q-0ymGs6YCR@ubZoYwgeYv@0vBtWm=!M)Dh2z{Hg3p}WjkG9j
z=qWK#uKYaKYM$(4$;2w4(f#haUqzB9+R<n(JB!<+MzI!y++veWpxnCFwf!D-n%iY3
z=UEQq&uHKhQ;E^1Tu06JTf?ajzTd&(s<d<%b0p!b*>bas#dL86Wm)}NNMAJhUB`ED
zIzy>=Is}A9_tc92czn(-YHDisMBw4f>%(@U(KcVNg<9W&WR@I|Jgg~KI&pkz%DA5s
z1h2AO2P}HU^|pUR)4##i#5UaS79AAb3LtzZP!CD9w4!f0S9ED?z>?;nG*2#R<j2bd
z%*XV1Vd56b>-{b?ad)&Y+N#wYk&>&i3;h6PgOv1qS$Tu~YGLcp1Ss)M|Du4Xk`0jF
zQl@k^KR>Thq?$<X7*|Fp$!9rVZ3g;jjo}Qwg3_s5@w^LXUsnHIb+8)34;W4<2>OK?
zm1;lC(dtS@V>^~5B3bZ?hN=Y;t%u@K0)_o8^Oyn-o25LzDTMfxJxImqp9n1IUm(AT
z0==&7jE*x5^C$a+a<h{@WdbZo#WZV3^_aou6=uAd(8WpD6qU;jx<i<UKM9@ik9Mad
zEhMJg9ksPJHQmiylpzcY>|pVfO*pS$-N&lwCiY@Ce3n6T1Bs`|-*3s;63fy=_J4yk
zFpPxcE=xqPM0wzNJK<;2`l|k?IV4hi&RS#hpT4Y_K=@~B^#=_wP?4v*SAyge=%gK-
zXX7&bGwj<Sw&OCiRc~^vNq4=S{XNa?u)$w0hvI(Ja-pIZKe;BY4>f@_M)Su9`(M)~
zTG1xkQU#yBOc!gIdopY)zoMkD717_+F_ncLPGB@#sI^LRnNY}d_A%SY)F>?=gPgGn
z;7wG5dVbB!zw<5!#n$X?E=U-ccOnkV%cjQf?Q3ssGg6|XQ3}yUSD6iR{sf5x3Ukzm
z;*BK85O;?KmB|Mk7-rjO$`JMDuNAq!7dL*ix}#B0dFx;#h*2gLjyDQJ>9pchNS9-N
zPZYClz|ZpJTMPQAjD?q<D1C*&dRLWb&ILNpry34nrBS{2@_!&;+gmX`Pc#^W0-6^p
zy1LC!hg|F7-v>fPGY-)S*65+IjSfvSpf$Ts=AGFjyiHcofq7jZ$>p>^DvM4frJ_@3
zt#hnP=^s=}28)JnSikoH{aZsa7TH{pJYz7%Q9*dS4rkP#yC7xg;2jBeXuYMVBbV(`
zx3I#f#4>ww23D@ZH~xvu=+F0LMhsLx;hJKxu@6>ycCM>KQNm`7V4cseMzu`YE7o>&
z?cXMsd-g&Z#aCesO_zzk<Q?rTHV#$t5e_|=KQ|nznBpq?5!a=qfg_i>+hjhu3j^8&
zcy>6Uuc+W#*y%rYvAV<>En28#3erGnN*1febQJy~nIe0hP#gwIF}U8Lw&bpUFqQiR
zsS3jCY;%aQ&q1^lp7jAm+8!J&N9vDznAB-$eCVcws;&8F3vPBW01NPt+>r+&IFb>0
z${O6m&14%@LbNI!eOas?64muw+TX0yKm_I(X@LTW?yrLe=y=iJZ`Y>O^jMMY?me^v
zq~K^~%Jj<8SwA~u7?kVhlZZT%9Sq#y`>FX*!7JM(x1$z~h0imwB32sK&c5$j79{1&
zm4svM9xi4~XsHu^rY!EIW#t<Vktmiri&BOupGDIY4P+0u3JI5JP%<l-IAckeJze?L
z#BTY)pbqM|pIq4{!gm*O@RuM?edE~8&#w2S&SdU;?jS%I8zki&*=n%YdUpt?^W7xw
zV6G{4@De6d>Q9W~$X;CD=+Z)X*_^=RPG0)u(zh64J@PA9n5<eJ7PnrDRf9pc51ByI
zsNTT=(gLAUGiBiKaNSGm>JQTBEbt4jsJ=9=2H@DuV+uDnj>!Bt0}*Gkk=KBB_wy2Y
zKi|QEFL8J{!*#0w;j*nBTB_S&_w|1wl=ux=DQEqp0cnyWO$(n*Thdigc2%kGhIAC9
z0Yoe3I}>MLlxa*_t7p{YVoM!uU0E%5S_PwpgIy*k@Us%S5R5O3M?0#iPqG+fVv1&&
zrmS9}kC{!tb>}l8+nFv*QP2w2FdO<`f1!DyAA-ox*oW=_C39$dk>`!0XsOnB_mxfy
z>r_R*+!pAAIP|2xF)L-5H~98qN}iRlNDc#Wf?RcJ0I_yI;6e-Rkdv3WUB{cV{Bq4(
z5SN<;!n^?<U=V!${o0vSmm)V<XKGN}Ff*YAc1bn4KVP-4Y0#?4XCWymDFx7Tn(^m(
zE!Y6P3{8_&1>j|wMQPdu?y0$B&6Ux)cjpScB#p)EAqpzZ31t)HHk^`TfqZT-*_47b
z_85y11sh1wDzL^r)l92ZOJcVEZ?FjggH5jR_fZ25=c=z)CjPKy%ADq*ZMV0#5N+oi
z;qw>?d2?vGsJ?z$P?C0^USf{%5t_%F*f|>B>tBvPbT2!YD6?v>;XLEjI^d-^5^HOn
zZA7Ry3KiL(CqzXjT<cc}I~T!_=ih58EBgf%iT7;GKazux%I-4eh2KuL&bJ_o>MMo=
zp%=9cP(dKV;U@XQBW8>a^!<6agv%Gq@(Zlfr|^(|d;v0;pzj~>NZ-BS_I1dhdePyu
zsOJ{j&(&ZzmP`CxkLRGtU<V<r{n13O@5P7nAP^FDLz>`yVVU6oJF-;e8NK-M0HQ!l
z8>Eyw*PP{-m3ckhYze7cH0#!w;o#utdEOZ7^@9}f7PqUnNHftgGBQ*H&Fj?4F1so~
zm$hJW!Kx`Du*;6tNWM{fmd6wu)SQvIPh|-5acohHE7@Ltl~_ZXc}<zahM|#VS|)U3
z_f1mvt@@PwCD;unlP9VMhU7WGp+G8z)ekn@r8+M+fH>)~y|<)pSyN4IE7U|<nZahc
znbl%?Hbza`wtKxV+GDkM#Ov`4C>2k}(XChiWi^e*&C;5dme#O00^vZxUq6Ie*Zo9<
z{lR4`HE$fXM@K1FdS`c+$r#V>7g1iSQxd)EB1qqs<M*HM*Y>!Wx>R|{2<ZLJ?ayCZ
z3yv4(ma#6ha(2D~yHMjlu1Cx5_KAdIB=WPI^G7eA``9TF%-!Z6P5PeNQd^#_w0hhX
zsuU>;mv>~YrWXh?&=mVQV_W?rZ}O$RtBL9SwL&t`kg98HWRh6=*1(CYVJ*!qEF5#K
z<<8NCceZ4b*+4%-@ruYk^xKUfrQN3aq{rYQ4k9>_*@TMt)ZYlC>qnHO!AP-GghQ0)
zpQFeJ0U5|77C#IMi&@Q<3%t&RAykp`=jm7C8_*b=M_^z4Y=Vq_Eg=_tp*ZMGw#d|y
zp_;rnC<I*yebl%|w}F~s*9_9p(_ME9F7{@~yNI4^b+KgN%0?4c=+vqywmn!O&^{Tk
z=xEEciMT_3rYM{LP*lb*_IA6CShXG+N2z6hGD3y=jh+veU-WpQO_EtRCJU6Ra)adv
z8IymH3L(|-6%iR=w!&<oO;gqLfN;UeC;yG1t3Yodfya-kG-dE&yrOiSY*U~XfwLqF
ze70TW55b~I6EHnCX1kea0+^~mr9b3OaEnQsK?~>ln6u#n&Z6J2m4?$eOluKr4IzRI
zD;~jfIhzs@B4-&VZ!TgWU0I@4x2co0_EVz@P;jHbm^bTRMi=?rfM`fNQJ!s+UnC8M
zO-a9xIv1uiDG7VXXjktc<^JdA{@+X1m&5GLodsUL7RW;BG&$JMOPunLfkipXkMYsb
zFSGiA#wDeyT~;7c>j}g94{?<^{g=4%e-@yN@HQS$?LL+k$0CK}g3VQwpPXHC=o2A`
zNXrKx&L~8fWs@`%N6}q{VnU`3WLGJ|H=7odgz-$Xx~_GPr<53@u(MRbPAXGvw;c7G
z3@#Ic^CDLOwks#zjqIAFvew%|(a<5KZg2ubwlry749e$_Dhr0xH8%b;5zZ%7<==p!
z4f_ykmUa|$haIOf+dn;X1yQ3i_YTqOt8n+qMR;6Jrkyacz`|0kI=Zg|(SpKSsNI5%
z0|Pp}`L70-1{wNv{WYTt+=?c9e$(L<evd<@T2o2e%w@Vl_WFDpq4X`MYrd%S(IQP^
zCo^(CKRd$CWL$X>!~;>n7nCZ&mdMZTjPh@h;|*w02e0R|v2cb~O=T$^oJjX{{gdX$
zA=SQkr_WW6Ab3|UGjD?Ui&$uCs3f*YEt9SOYUtYrh}&%CkwX?;U0vzg?(J5{Z~?C~
zeHuqqd>En0uoxu`Rf*>BRYE+cnf;~hjcGNDNV`oTESumfgU+HgsQDqD*O_?__ATM$
zUy@ueeH~huxJeQ5X)S0dnY~w8M+!DJldRasjILoFr6nh_Q^!6*TL4wNed7zD6TYfY
zW_2Qk!#>I+KL(c1y7dMCCCIpdz8Rx0Z6IPj->1W@(~7rRwRyxPKUPdUc&+>8OnHJO
zc1w0>$Al-^Il5}O7dWnBB7>eJS(uTv@+}@c9P+v6C=qx+wop_T()L-y0@%m^t|Xpp
zLV*@~ysUS(du1cpCjbTQLAy`P!7&pEvi<V<IY~!{unA&IDEP$YLz^2F=z(q-OKBv1
zB(a+llX{vH+f4_OBkL_29@BUAVLdS9DH+6`4|{rhdI&gV^(craQAGdp?2+}a0eZ9b
z|BuWZCVnL5!Fuw=rj4CxR$w%`H7PK2{o(^{>!jVjsWEqNmC4#bz|q&0O;m}HQNQHG
zc&VsQGc1LQ$D(B<&e`1rA12@mGjGQ{v8v~Sm_GRLVpWM5l+sG3=_+I?gH4_mm<Xt}
zXU~O17kH~p0!m(Mf$*#~e5TIW|FDzeu>KEP<g5(dK6h-Ib6xwWD_;r8WQpo!a#I$?
zkYMZ1MBbKuiMp&av{^$^SsIm&#lgAx^tgvVSuo03ejbl-9dkowaVxxLf<(vn>o?i1
z?S8$mk{h2}MK#W(G8OV&wMX)9t$r2eT#8I)jMHIrSQ+WP`_%jFURXW|Yy^a9td{aq
z^=fc?Yc9vP<hp*xsbjwvL(Fo(v+ao-ZJjOo;Wz;&`qWom9SCIyd$0)31ArQ5eMP0b
z5gVM8a{QB<syL4Ka@G*m4L+t;%l)@Ebd(=~1`_-M6zX|@uQYRy*F+M`?*3KIO>Jnk
zlD)zR`I!6%_tQRd@|(gsl7{ECjl8R&3LTm7R779KGbcC!``Qeks#_J<OMsZ8sx&lz
z)tCwS_!CRe7Pk)y^jAvo4We<K@jx6&BEJ0~qa>T>{q-+-3JE%)iJVWpv2Mna=kHQC
znv%Pl_!e$b)>L&S1TsmdXJ#<3fg{}|TMS!(T7|JktWIsZ?q>`XS@#NA&56^)JJv>z
z_s(K44u9?}TsD&<WfaACWkW@r(%5+)Bt&P?TK8SUVgGmVql0itW%W%)N>UlW^3`1h
zr8~z3mgD~}Q>k>n1r@CYzIyfIGCK*>lzFw$3xq?b2R-OS=+%qzIpQ+kf~Z+FnO+cF
z2nfpxuZdp0bOs>f?~28y#d>jt(hZ_AmHYRvUR)$Af~Zh3JTB~oOZ6JKMv>>cS1%Lj
zgFOO7rFvf6^PGUo^zcExdSU0AgjD=qe+bfw%(oQu^q%g|MgrNyM)p*aYyXoa{t~#q
zzrWbzY;*jDXKr#br*crLRWLSBS0#x&?JF^h7M|S@>rDMcm?Q?xyqc9#q)aXuMbU@X
zdJU2VCTmSxvz!w@G4<RPj0?gu1DmXnFw6&Jh;g|Wor;Qn)DRVfn?E0*4CTK-t?%mp
z6{t0{{2SCv4)~sKM&jvou(2I(gfZ!~>rF=RleMIz24*V^vjvg6abVRJ&%yq}l5!uM
zWfGZyMMVQKj=zWkQ=I0_TGc@^DV+B;J6+>{O<5zHobDwP3g#IhypPv^K)Nge_K(7k
z=es!)(St>;f>sR@ekwvh%=kjEv1rGn+iW6NMyUuBBxvcTnRgv(#xT7AR+!Ii<sXdy
zYuVCq-2qxzSzXfTIdSgHB)VEz9e~y(Jg|ctO5s)?^dL@)x>hnE1d-mT<K00WxS&k;
z?pqNkW|LuM;dQvaVU8_aJs#A!debptpz<q>Slt7~>g;QBiN%C+`Q-gU<`HErpQ@mR
zI-8YRt7Ki7DE;LQ^BPxh#U2&PU5BCW67>pVs!<t5)N#UpqfZE_L!n0xmI;M548#ta
z_G)-)U&GVmT~kw2S<B`8?}7%<DGVFpPQ3w6liT#IJQ8s<C9H$PpCZJka=I$g$GulJ
zm9r+Op+N&&wL=Wowrg`J+2dvfr02uZEPZ2Zg>Zo@qDC)B8bo(Mwgyg)8U4dJ@^s)g
zkmJ2E5)%`P!b0x`;ILVaqVPK757tbaxlW}bk4x5y5qO+0+K+@c>Qi#GY_9C5NS|h}
zDJA`7+lsc_n=a|58jk-?jN7?EXE8Za$+_x>ih_|;S3VtD_|AW>9p_l^2zSCjw#r(m
z?ClIe0B>SB49PQnD?=C(j9Fu2qoWx&amC>*MN43p*Jwq7A6)iXF#x>ZBA7a8H85h+
zb}|qk$hs;BI%C)rC6jsIJxE4*tpL$2B0@7`RR-g>XdLbW8FvFi%?-X1baQn@`*ORc
zZ@;H@tdEguPPtiB)>_#98Hc#fB;7-GKt@SX@{{26D;s`q@Mu6y_c_<gt_;b-AD(GK
z=O=eL6saqZ0+WCAgyWd7!@$dCn!3uc2csK%gUjupZROLbI4(6hCZ(LnoKk$NU{%P-
z|MKg99EIW4I^Dp9dkcUXqFF1}sB+H?EtB8)t(Bjs@~Ju=-5e|yz_)hM(Pj6_so?B4
zv>w$iR4B;|`hrmzE%m<Pi_d){O8K!sE2c)8;g3awYT1q|;}9j(OgW|TbPFuHx2X?x
z{m&80l<fe1jgQdIWrC<!x2n?(Zs<u?4~w;E#$|%efkH!A=9{C^SZ4ltfOj=tNAfTi
zix|F6=rn(s<X67V`6_X<Red_KbS8vX=>KC!<_*Rbt+4g8gRJW>8zf%F;U7E9V38?8
z^E_zw7KpdT`7lMF$>O!`f^{43PX`XH5jY%c$?B`GhcL?%!+8d8+5P2`O8Y3~nkwl4
zO&uvrgC8r1Ib|3VDL-0a99hGrTUfim?eRmkI5pBg^3qN9PtNV%tRA`~SoljkGvn|}
zz<`_g`m)r!L5C7*Ue$p^`}OSL{5M%d`r+v6JetBzS=-|+xBAfFcQT`_h^d0ML&=b~
zA)2qn9pbEd-Uj$8RMSNB<emE``8zcvS_xea@}3<4B&3~0iMH#zdg-0QD$$NIuLp|<
z9PPInG+3w4imrVA^tWk`2kEfssCD$>D_}0IMQi7LLXQ1Rx&0__oY_@Zi6yhC4u`DD
z_kKc-uS6@^&VRx^hS)p5+XjHdL#r*_TF_YVjcjqSS-bRt(!dp}rSKadyjsKE+gXSd
zZ5qKb3F&-ERZU3=waqGf!ANNf><Th3^06L-w4aRppBWj-!6Q*{8KO8{tO3r!eqCEU
zigjb#i<kGU%U!7)CUKA^B+YqbhLtZn)~|7@zeR|0vYTc-nb*S=-#lc41uo}T7ucjF
zFHi=cT~afRqG0^)y6GB}$UUhb(ttx1T&{s(YEz`7X8t`g!Q;u7mTAHOn;G;fy9*F@
zj)XkVO)J#@GiRN7I*;%l>^Se0)Ftt>TMZ1AD20qxUu7&+3Z6-6M#eGxR?z5Y<CFAP
zX*8C~Ox2RB%KqFjexU1L*vzC5jf$V3=kKUIsO!%rCxdEs2P=c?9~b3VCb*&?pg&=8
z=!s)qBS<DvXvctucZ)vDSTbEfp6+f(G(dPpw!#10JMMkHYB_SO&A%W?RHUy81+p4m
zrAaIouT0g4<S$)bRP-CO-w)e7WytqIsIx6@b-K%y#!@J`{|*pC+p4!KlMcquWcay6
zv-~i3#naYp&ObTqd2w+8<+)>DVV)q$3y4QMNdF<ax&AC3>u1or_qN6+GvlACG~ADo
ztAJvc?%7Jh2m6@!bY+5)lr@HGC7Qrg=Bzk@I8Cd6YNG#B+!F8!63t|{hhYhy4cA}c
z?ej}!@J%7jAli$%km%s>uOCaY*)MEO>fjP+{)vJwuGfgc08_bO#_}AB;6q;_&y+JL
zy?aq1Fb70mB2HZ4FQ7^vnQ#po0{|=Vg0#>;r1i@>Z|sEuiv~nMogLCdFR<tb7>ni(
zSYCvb1&DkLvQST;gnZ%1rwBqq;-*y57q+%?aE&uKX8#u#r6S;ZkVbVArZ22w7_W&-
z_4RY#zo@e)4z9Df?}YurhvWYq)c^k(R0_|oi@zP4kUYSSu>Qxp#}M`uIp+p=)QMHY
zoO>V+ry~*KU}0rFSZY#B+}3+=zglumhPNNm)0i_nD~c-k3C<?8vI>R2Vd3fBVEeqV
zrrA5Re-%;M8ceMEZxy8+g*(XsCB~kA++`&#xSqR|X5fNz(Zps8HcYzg&sNaV(t<EH
znoNc&o>NKg`8;ZTh9ssdF{+Y6Jb>VsfCi){xUjDJus6lXS}bH$vL;$^=ouPjOJqBK
z=N#1uz|^ePAu=0pdPACvuF#FJ@X3BJ&ap3jfH?8<Z86NE(?-lEj-UhWi_iC!gV(SL
z{xQ~ifowPJ&;%@dY%b4NS_atFaZ~zgnCpl|3gP0@QS(^@*Wo9e!9@^4R{@5`&m@nJ
zJCXKW><c}NH<3{TJodC!6l*mtOe$5#tZSJRd85hYrq@KHfBzj6_~$#H^^K3n-eOBb
z1Gq$x<bT~~TimE}(IrBvHj>`8W9k;xwwp*#=4}npTHWd|*4u(_qZ_u;_5u*%^*nE;
zOSEK|n;IMG8n?3&GWH7c(m4N)3uJF`8%VKLVo!ubQSHn=EKs_T<vtNkR!=px`N^zv
z#3jE2+>Q8*x^_!dOm5S#fx!%jxdCYkSxM<Rwe&6L<7RoO7@87FsK!jrhuYzR5G$I`
zJy5?v2C)9e{TC@p5UPpd@cPg9y7sUJiGtc%)hR_Ex5EapIzLM9;i|G>?(<HLtrXP#
z+O0IV;glweu~Zk8K5!ULw=#fNxQyy})Wf)ch(!JoiTn6xv>a~(*l!zKvs(7#B5Doc
zq3BIb%E&swN(f1JgN(ck8npFndAn@kHna$<Ykf4w-b|TVD5Sx66&&;@8twYy(x$_x
zFta2IM2_|MZZj$4dlYy$tkWQ{9|Hpho7O{yx-wB<u#58RZt?z=N-6%~-Q3Xv2JfOz
z$?7snddb@g&~!SD=W{0MjyR4-Emxjr$tw=zNbEMt?jY4=)|zQbRZKd8L0}cQqcPF=
z`3!aXlHhTbAjX#q#gbIUwin;6`0YZLNNCpRSNvz&Zyll&)0Q$)UOTe^YK2Ffvt7jz
z{eC+~d(21n#C~bWray*~Gr4Xx&g_0CFTM1)Of>hc#?}b}0zxj~oxH0`&pl{B3~0Lz
z0ixZ!m9@kYwylQ+MMX-4RIktOFAo;#tQG)({6Xdr2{bxzO%#i^kTr1Kn`jt;*NT(a
z9RBRqXnAj@xC|7U^Ms_KSfDT+m|+&TV%3d<mpsP9$&tAB8K7hvVL;PBPyI^Ce~Rl8
z%h;_0hWt9IAYyxaTRsD4<=(GGg=Hgj+g+gSt*;={Vax#MtoSpVh4ANVVmc@kP8&9<
z-;047*m;pcQ!VRJQV!Fl%=>=qwuu<{?#Jx_vVP1D6rRj;=CP^MShs>qJZ0J7ytnqs
z<)*3j77gGy>aFFj*c{LnurD(A!R0~)CZ;Dcn|Pi^r&lY48=&y~feROOV~-&Q*mQpW
znr%4+wfSDf45XMSo;oH{p$;kqL*a+q?-rF&v7@fd&vE<f!v5^CHaU|X+=L5LAz;-;
z&BW$7VYekMKA0>}@^vuJE-;F^f;W4SmW{z3Ies?>1|d}?najr=sS0gqzdP>+H&yqJ
zZAyGO=Uy=Y!^){~MmRDz)AD^n4Z4dm|Ct(~J2mlUj5{_9uKN}2@nEs0scDRuK&z0n
zF!mWkD2MO&`%5Xb>;(#_&#=q;$~l6$qd(QBCW>P^h)~0O7voeH=P`z*o(B%V>vb9D
zN)8SwoFJv@QYSWz((yh}mo=jdPPed1O<*5}E3&cU86W<s{63mh(<3dAkr*N|9<ts&
zXNNwI=QybVYj{42bgP1@2lkHKY#KE0{5>eg)-7CS!AX}Oduk^SH5r+J9^CpS8>Puv
z9}35qtktOKmuhCN4OF(4A55^LlExQ-Y>Bw?+DsWI>cn>u!p~jkQ9rZ>4YUaSDoM_z
z@hR%Ao*cEz{IOnP*o)ZoBSXgKvTigdBu(M5{d&k!9(j<j+O+ABL4uk^A9xXc*-E42
zH#b9+%aPPQei`OEyF<f#0+bXTx+iH5mdj?1Zq+$bk#l2KiAl~S@Ezbaj9j{f2EShG
z!+{O;<e=-7@?gHWx|WsePBJO8PBgyV>XPuYk=vjKPhi+!E$sY8hjn9yy<Q15GY<N8
z*Hv-VFw^UA9q2gp#@#%pzdo{3t^<m`{tm#g9@SCbgkQD{&+yqVsO=xeSWWuGbY<(0
zQPSmPoV}T3$^Cu>b^~z8rD)4WqwuK7R`BM)%CKFufT^)e0*NaX^m6O(na`rp$$8uR
z$kVxPmbnKE>YUl#q#&0jZS87xb^z9>O(htW)`xb^3Gi(F((Yz6!YgS6Z1zn=tuRs9
zg4upGEjzi%XnGAF1*VkTtVo9tFF2MY)IZaI`A5+Hq`(koTpQOYKC&jLVvsf&OcG;C
zX53y>gKONsc>pJL#6sdJ8(Oq#juF<olQy+Y8d9}*$8I&hZq2G62Uqw>sZ_SiQSxCG
z$!pfAH2UK67^m=<PoGlgUUjdp1nvrKbPrnIF=2K6C<dig-*pGfkaHrGr^Ne7U8{m4
zDcpT1_M)AMJh=X8rRxy%rB{7hWC&BE)-gv#v1L=6aHIRG7i_lW3Q5<B`*}m~LdgZ<
zDvwdhJFVBW)eyDuLKb&hUXNS12Co*@Ka)<`-X>L!b_Ythdb2!RSM?B6^JqkpIWL3$
zaAggK#JAl-E)W`EI-^#Lag1Y=zWFdN9ircsSOZm6c76X!@xV`+N)$s%7%Te!CI`k}
zDh|BZ%b<g7Nf0<HJCcXLAg3r4in}1{^G#qBaV`_^V@7hnx}rMgl7P(renav-=r@W`
zID^?<WQIrtr?D{WRj_&y^zjCSj7-}kg)a)I8dHJjFc(j(=7r4_9-PJ^BRZe>g|BJ>
zi1`woaHn1{9}_r@g|BQ@$O}Bq1*fr?w^hb@k;Z}_M8fc#!BqdBzbx3@*ZF8UH#c{8
z@J}##nz+!`%~m?!UU8MK=gr3F&D?Xa$70Y%A$q?O2YH{8$U;}))?djiquv;fU!N)<
zhlht}4$+rqbX+Lcfjtyeh4?H!%+5<zQm~GotEy7Xgo&yYsCRbGG(wzAeB#c_OcsUu
zh5A44HuA0}E(M)5wbj-8iw#QcqQDy}gSm43&SH%!zewGMI_stRiHVP^S(p_bcb8TR
zwL=Mv*%Tbqbgq|kCMqL;$8V92+%xU$?v8sqIy&Cq;kznFO(#YUhI53fzpnfzK#Rf_
z+!%_DQ{fb~br*`t6m@BR)_-zPir5Tn4kd$Ym3Ja?6@#8Xoy4HuQE&SvBua}Yu~@I|
z5yVCG)|2ryj!6;|Xwgv@S65(<eQ=4A4zqDV&HjpKX*WK~3nIs-!j4+<dw8_iV5MoG
z05)NL%E%xcL%+ng%yl|?T84~%1R!MY=5h*8kw|o{v60swD{gIb422}H+F7S%#yV@6
zBoSz9ZzX5gs|DW1t&&zt&a%d_C{H<Qo0cUK8x$6*`G1^3mHpISA}39su;?JZ`lhV5
zb{aC}HnXY8Z6u9{kqiKp0b3JlXQifj{QKH@!8#z?ZZv5jp{5ud91;Goc7l3I_{`}^
z5K5AGjfuRbFn#m&py7XtLsV@gar&lkyHo-k2aCS*T+V_+%e?MSM#*-%l*#M=W>^bf
zEPKh@wNUz9_Zg!sLl0-v9m_{BUr!*rnri&E?Zw07Hc_!kPEJ-40ybPsYpE5huMTS_
z1c_8(X)2n+PBGQ~RpzphovDCB(hycLR=G5sRCx`YQqe?2wL}v=>HE=U%Cq1JnY6!y
zCze8PG}#?@m8ZlAd4*&~TW)uYa=FgyPkL}RGT>Fx0|`85O%rbGRn4XHV{Z*M2NQSU
zE`m<fhFt+5&OrHM2y^pp;y@4QcOn6NjGcU^kbq#3xmF&jKkU~Co=f$+Fga-$5Rwz?
z316M1KP{@Tc8-@MEHsYxQPU3ZZ*PA+?IUNkjA_WIl&v(A0N1@Y4Gi4rAMrS}*Az2%
zhXk6>{wN^uvuW%@%mXKtR3LC6bB}G)xG3E0`hC{$kHJMg{~L!CoJaGVlgc$5=YwNb
zb^`98hc*tob(lo<#I`>i=Cb3APAdziYF?D9VqV8Yp4^qOL4@Ka8^0YA(x%JBlp1vl
zLY=h1m4pgmLh@Y>)n_|-kIj*E0?pD>WhOmdNw2?BMJnYpp47}J&sL9NtiL(g_(P^7
zBy1GQ0L+iN#6rikY_%KRKA95M*wG(ZvMO2Z_tR{+P=H95DCgkK8hv!!D=YTt?1YDh
z+k<!ut+oC2IC!p<vE?%&Ozz1PTVd5A=LZv>Vu`_pb`mGCCdx6MX)D?7FHD9Ds>`b5
zxZ4qa#n+4~8{pJJgu;X;SP-uNF$$V;3j8M*qhlyI7vt5h5!)Lw6-&s1f^S!?S1q?H
zq377x*o$*8JOu-1Ns!_ntj%2olG#nOe%8fyg8&_}5H=y0awzj=lR%d5!9gZ00S|Lu
zDEdv4)4}+plIf0y4F*%goCHa9uvr8kTp4wvOykGhQ5&EBo^&Pi@Tbm}JSlt0Mz{X`
zqRdTd6Xt`>O-jX7_ok8SxMj)~GIbWxwZkA&@)LK}Twj*NXr-F$TeZY=yMD^6Ww$aE
zQ_e#WaRjaGGgcSYl4Uwi-*m;O`_Jn#^y<3q09&~>&WqBN>B((!RZ*xaIxNHMNW>_C
zO)Y^vLNYSpP59$1(?;l=Dd+czCTSeT{b+hyX-@NIobp=pvp?S7ZrYthD<?b?sf-XG
z32cp*-1tKa1g{<@61TxAHFBICRSQ2z?05uQsT&Oc@`V{JDB&=yMN0i{ezFXLa7@=K
zjbi|jUM8moyT$H4g5f4~i5xTg&320JKu<LZQy%RkdK@IB^bjdc{%?Gb!{8>j+r!*u
z5b&ef7uGsarWT{UPeM;V>?~eC*DyZ7Lv2em4s3;2@tb~6)ece!v$w@-LK=dlprDG(
zrI1>xhMnc&CH9-9B-`F5XOPQuSJukHD4Y0)Vtdb53n55UCbzX54Q!Sj!Xe7G(8uuq
z&Rp=OcmOHtmiCdynSuC)Ulrrg_oF3_qpN@XyXzaS5xTHTH&1oWY(G_XW<1*JqJt3x
zzP~GPC(HeY=KBSksH2ORKPgN2w{qG$G~eqe<6bIABg#tudEwXk$ZIU0^@DzXZgM2`
zqd9)3MqA>o+yx{52VQ_7m^9KjgQAP@4J;CbUGBxfQ}e~FjeYB31Ho2{+tFR>SaZYC
zV#|!~T^&-=gO|mDBT0xd`KZx1Jvm~-hm)LrCN(}CH&Y4vXikonAsP%r7Jd_z$JjWs
zhd&WIlwa3O7;b;41cy*zP_UWF19VtKIR!pSZsg{Vs;g~CD^@&Oe?2ai&y2v^^&Ue@
z*^ZLZdpwP2Hm{}n+T)}UrEl5&RC&C&@ydzt)$4csuOQxk<3A!9JqwX);s;&=(Y`31
zi|R*iUn*zfh?G{+Bs+wrj>E7{XJBitXm(M~^ZQaIA>(XEQXXWIio}#}L0}py!A?m{
z^q~+jK4dJF1F->#07V?Q?<7OR7a=8^CM%Lu`AsAtQE#KwRkkv_=V-K}JteB$x42fu
zG{xg{tIu_6021A|hR_K9VFoIR*8N+R^jcL$vV1C2!tt-DGV+R*IaIC3H`*}Y7fF9G
zFT7~{vg*@RaIWA#e+~_y_tPX$Zy8DRuYSCO1b2z#{kBUt@QQb*OW|BShV4gL+hgOR
z)70`krTRu)*g)Y>quu4ce59AzQEBD||M{!$tkFM5FF7|-8$1DqAqFSVDlt7dp<WXq
zNB;d~MFLT?1D|Xy0KImCtmsxwl5F<5<8K^LU^b;usI4}rC4C+K>~{U|v)CVaC3w<e
zifu##y;bOutX!;zT(zAsF78>Ye}13PxDBurHHZ@#GeWl*2UZ3;y2K|%jC2>u^BkCr
zq+RHY^Sv(W-R1+#t(qj_S^aNfUO{F-y7Jp5Hh!TrpBF9DZcucy&=b($xCV(X$?ya1
z=*v*+JPNDqeb(5TUtc4nCRE3K<T)IR;z~1V)rl-_3&tVnv@=$#d8U4p$Ope$iMXsW
z><O!QJ9hi00x1QXdOCCG6GtXTVPW8zz#nYbrTD-KlUXW{7%L~wmapNZa|P4s%)nPV
z`A!W_vgCU1J(?3?SwOMM>w=4xqt?57yRF(*Sm+(QqwXlm0z9*-*~xkmwFiR-A`=#8
zgk4pEo)WUAw~n+Iv*5B%o_J1<3LEfkGUK>4qvo4}F{N28_<)V<+p{4-%7XATUD_hy
zjJp~AHy3*|M{!!#Fc&E1lss*=ocEfz+4PYAELL*wnA3n7wZQMJ))&Ruz*)z}z7k2r
z4Qq?f9!iDP<SHpwfk8adKpNgHq5KrreC#Gxd#fl>cyvZ*es~|80X`|i+<oemzL?!(
zEDL2(6Y@LNAa0{YEQi>kZ0a>FxDtTK)T$K?wbJ1?;eqT0wah!uxd(N%?Cx8uPeq@O
zvJtVIH#Q$)Lj)<b@OXEAgkqeJ)CW}z-3KQ`d%8SCMvr-Yqdc}a326nrstpOh<Mnd=
z?jROKxNJsmQ75Jdg@i|(6D_^04*r={#fL@d!&$hE;toRCfMTt>Qn~_z3n)`YmhOH*
zV_Gy!aDm|qHj|s;cfp7QlxOApCpovbadoVr7`ITjOcAD|f<$Fu9%gSrBa?B3@;PwS
zZ6+;ID8m+}x~^`ZK~2|%G&Hns$tgLhrly8eGLuHN)Mnz1hJP&A93)Q^A{?vF-dGp2
zi*ceG=L%^<tnyG9a!OfuU>NzHIhIfBf438O(8bBWtrd=-5?`#fsn_y~?wNGMK2U~i
zEV}@ir8u(y3iL&x>N@&Yw>RouQk)XNH42Sk?I|xy8o_^dC4YwRtB|5P?ssHG+DRqL
z<kR0^BEzdb1i;lyf1>sw|L4~vU^42H99F;JKs<i~QwRu(QZjWCZNGm$1O0bW4CtW}
zn22>m|9nRH%A1Vv+nTwLNQcNf{^xJ-fBd5(v)42$3`9=mYm5it$i68ghbGyCPbgo3
zculv(RV4zK%gJ(gvfx%DS;?_VDI3S}h)&WV7D9U<v*^-x&zO7~HM#ro;m+cU*<9eu
zt{@@ON;%B`T5v`3)<%mz_y|=oX`9OBYz@M3%g6C_DuIP2=cDz$=)3cs3AZ#p0POR3
znkI`3UE_4vj?Cw|-Olc@{{7S2Vy1Md&PMM5IT=GYOes$`^^>i^{q+egw^;7m=U-hG
zCB*Em0UdAh#emsz{g0wy^5xWBGj>~GlBvK`!;k><xowT4r?Xilk<vCwH^+3JDd9eN
z$BY6GD|6F{EU>!|yEr#nReVjaWnWXv6lMkP{BHLZB$20V=@J_zaRD~Wsu5>nsjxI+
z<G{M4v9QAFc-{=?v8mE!kLbZIeINQ^-`a3-YQJoL&V48SP~eY`lbrgxn2w9Z7~`>{
zo0q}Ucl(br-s--(=|7`H7)bycrWuebur-{z$K|on9~(_B*CYF9f38Z7`=o2SL<@<4
zp12l=N~b1Q>CJl81c1vhc?@M_Q`xvi2U^2^l#r&@2IL}0VAbEyeeu^P^XrfHK&+{x
zYltC^W`U|w+P1A=1LsKTjo2Y5Y@Aag-q)&fA?y7J4)RwO{d_yUTj{wpsZV0BRgeD}
zx715)On{3GxQ|f6Vt?7k9R`@dwppV;Ho4m<khR+<H_jjz4__r!zAKZU6R^tsqMh?;
z%tqdZDS-l{wAgUfWKagvD7d>rk3Xe`MyqEQ^gBi04<#Jh5`reII6&%NPc1Sl!XAr>
zG7Z!@sWu53k_(m+LnJ`cASJ38*2LB*heig4u68e+D6wA;M+|!oL`ad->WBjc?CAVV
zj6%vn;y9=+$se$bztG5<8<^>1fhz~^i@wY;!tH(Mh)=ZHAc&er;3UyN68WAx4S@M3
zA<wrbDcbZ$7Gn)i<ftH^?brzVC!&TjaCOW1ZdQCaOZx;vNsR5!;FHlkpul4MqL7A~
zY_x|T03yf+(bT<qfYG!(1P)*$cHlOAEyFj^1DRCGbos0i{sK^s<o6DHFMu0GOzs8w
zs$z@=DS9-5<9!oBUxhC6%|JlV^p*KgdP4$rzwzNT0H(1PVWe>C&;b3~Cw%w1{C+30
z%WMc5*aDEIY9)wfxGnY8(Gnt~zU&T(!p!6zP6igU;~<#nsFvmo7MMeDut54fM@7Nf
zVbmqA6s{fMMo_{jMhyugx6`}t_u_%7kAQ<aHroZptLr2PKCbms3X1i85cG?NM^K;&
zMoShb0l<i&rk*+Usu5*b%N^aVF!wUU9sbtWPD2i~(SmLYVzL4^q3qwNnqcg41vjBc
zkRl&!(GWqK``uC!Wpr!w8?R!|mAonl4NyN#g-c+NH|noi%zst8-%)p%OkxPis`!Zi
zqvnsuP6Rxq?YZqJN-G7G`0oXMKM?4Mdgw+k(Ef4zFAd<5S;ca0HH?4Unj>P0`_FQ~
z1p>b4ERD<FxxeRRegP~;)xrJs4<7<B2fM`g_H7?an1xSU3?a&R)X?P9N=-8=+<&qx
z0)8$JYjblIq<`)%{K+;6h;3}M=Mu~2(x3o2E%l#Q$51~k9?s?zsQ$W1;wM`s$^&2U
z^oXz`AS)FAUko=U0(fgvtldR#(oA?aJ8-18VM%jc)oamQM0yMua9cFuFl$0tHDzC(
zx@Qzrk(p%40+tHwY=hlRiOKtTyDXu%($Gr$kD%o8lMy|W>MLYtM;);XCu@pbJMtHd
zzE-oEie!ddozDg($G64(fECjCkfME_UwOY~pH^GXap917?lAj3q_3LV-%Fd8tz%Wq
zEgsy0UO4|%xkv`Ma3aoXikN&}6d#P5n8A=LHJa72ZIQmdQ$cO+{F}ShVSc$<w^}!Q
zTr(@P^_%ZYm3=#d%e~Cu-qeOjE)YV<;$gydxq<UrE_`m{RbV>X<c#?(Ut)yyE}rOW
z6ORRVd92&VcO6sTykyqWuGnDlUpeXD0L&f;oq1Kmj4w+1+j)vAgXsh2@ZzlN^Sl+?
zZq1()Lgs!<zK`3AH@cNtzfPND-NG0;31G$?Es=i+MsFEhM^0IKM|A8b^RjZ1Vu_Dx
zWrlyg%F?zM8Zw#TlRJn1p{2}fX#B4%xTOf<CD19(w0AIAH93bmzkkem<}ul)^KNg`
zRGm<@cIhdO$4-?WpXkubd+z&n*#adUBSMKbFhd%1iQ_mfCX?07&NQ#?)8WCTYWBOe
zrq`Fp-b*;5@6y-Odk;94+F0XtxAi;!=<T)3>le@SOw(F$Oyj?eIZVV4gFCltcINVJ
zGY;sOQvy*UlP^yM=XpQ$zC9U<_*c{K_y(?aVYQgm%)GP*ir2M?7+?!L|Ix=ZexrBf
z*Ni39>#tXa*B9mX>ug?EPaZXQ%WK{;^PARInSROj*Lfj~9ZNhqmGFOO`hWaU<}H5j
z4)@iKf4%n9i+H@azG?>?4(CGii4X&+vcTFW7-XNr>sRPw+-pqRca<zpM*UNJq2l)~
z>Pxk1UvMf2#DWlD>NRYMqnWKwjs;_=?=@>gWa`KCw!S?3hH9VGX+!?<KvxgPUq#D&
z#(!2`tl<37V-%YUn#uK8!PPXBrA%lh*@c|@(W?;T>jo5U<!rda$LA8~eV<H+&q$A-
z<b<+!b<6#ee)z!z6OkMg#KHE`{d)PZIdV0ph?lki-o(Z^*OxXw-Ad%O=-RBMzN&uW
zUuwi72h?K3fJz=c_ug5_#VH&Vr<Z2A6|a9yEuw~^UNVxc5POUCbm>1;qeyFC#5=+S
z=D0ZV|1kYHo=n#Dt|v&|ZzYm51V<axNuY~_!HDSe`rPm8COm`McJf|G?zxU{|6FO?
z>Dx63?{=LUG)(AR+lB{Qj#^5g8Ho6o%OLpUdJN^yw4Ls%5Je3NN<6>ZVQ9`1?Y~~l
ztu=@PG$kD$>I+}1JF8^7N3(c3!)a$E_Fk2=$G$(_U$aod!<Jz!9?AqKGs?03?V@S;
zHPSL)?jy(00>vUD^5S<al=p{qHlFx<=&C~nqjfIZAfcrGTKLHLe9<_GI%&g<r!!k`
zII;SWCHF4AZ-Rka$%(OF&DQ;f_0pCbAH@%ChvP7jJm-t$uD8OQKgHm$jyzP8?u=ii
zF3{hC3v9a?;cyu2>jTz3rg60EIbX{_S)T_a1IG20<hrxiy7EyheOCOwhdK!mfAyS_
z{`7_;>=t=0b(yrlshUkZ=Dl1Jti^u2);XMA8jIYfMYp@no~DFNS-H;Ku%4Kd7|{{y
zqEN`s{%Sfx{!3Xq(0^G5<o6JwD42-)41~W=Z@aBJ#?WdQkx09U#RHJadO;C&=jcTw
zu(a2(b^i_(j;r)>-Jx#m=Vo@p9Ugs>zrc*;chGO2on;<d^#T2l@gPzlUi74I+4!t?
zx82`0*}skvyFZybR{Fa_X<;%p^+RI)4NhpQVW7ZDiA7S2J8o<#9vNSpb_!u229{6Q
zq>b7f#9ZK_XHH&Bo&k=tJ#nyGM3~wxln>rP({!RMyR^CKKmP0^p+x=z5Gj-B(HIZq
zs?UAUp6yPWQ1#;Uo{4jF*s#aBeTv)I)Eb9(S^g~+;mO(L;sC%cCJQZ?OfKzJF$6R7
z8qH-ne5@TrdqY}@Qc<WQd#)zk(9W2uIr|Q3&*8By+G2K{kjcJfU8iinG_Cw&m}d6$
z4?`h7;$IyJKsbKqT8-S(?q@Sm6|iWeu<g3Oxn25C$m=Q9pbQ0LF`vTaQ{35M+^m#W
zcfJfs#s<TtTzL%bNal~570W_GrDorpB9pt<9b^1KtTfNxyV1)!UXP_dzis$<<uKUz
zKG$zrzG)hQ({i?Ze$Xq1WPZIkZ(DG@Z!I<b%ElYERXGY_FN)RNR_XHRv-LWu-kwrU
zyVP;~>b#{ecz7=nr|r7c*!vW<UaDzQdF68SjVgb}boS-N=D=4pg!8s7g-^tKS-6*9
zYu>)roy)?!3%v#nS2t!ZKlaW3UAbK`YJKeD#$G@833IM%QQs{0GrO1adsOUtrs1n_
zH8u9h>fUQUO0wKLJ|;VS#qxe=xN^8gHJL{HeRHBah@@k`5YBPS`-`@DkUJA%3hjr5
zli>q+INF;D42k9QF|W!%Kui=Q@B7A08Boq_C&Z;5r1Sfk<TR$lx|ue4&Tqq#t&y42
zxYpoO>jTi?l$Cwpa0J5!X#`*oy#qZptID)+Xo0B}7^PR#u5#^hlw>gBg0d7t-##W4
z6>iVfr)JzQ(-EU#zaeR4)2ojeS{PxS>==hPx70VZ#|6V*#bry|-gQ!|-+~|Wl-Z&W
zSfaTl61}Vz^6^}dUA|A0j|n#4*Nv#}#^%15*zVD^PoyXA^O4`zc?VTMlisV@w2fzk
zj1<52yFR1to^j@cUE|bFC)2!}QB9m@pF_$e_jSERrd&ej^0cXfE2o95mpbJ9zF*fj
zudQs?I76hqB}OrxhNKy4bbmV!VpeO<PQADnnK{s<(hGh-lB5b?2bJJvo+u5PW!Q&Z
zbL7`)kiB>N_AG1u?r@VJ(RDZ|QE2)s|3*WV=^XBUd;hqUD9*JXeEw~U>+4zm+gmY(
zeFs_<^XMK{eVWzMqkWJdE8Z<%AZ=X#&Kj<&(@<Z%o6b>d|AEG|rRA`VtKo6&n#T)y
z&BJn6-1s>*UMS$W1BviMW0>SIG2Rm8jbz>%728F**yAysto1sn{3q9G!_S=RNctmQ
z?2YtO5v~0jAdv^0ZK`G8$i-|hopj|USKY#fW!^NStA^s?NeZef$hrP|OdZOb<F0-(
znZ2d#=I!tE;a&HDgt%j#o16XZ>bRe$u3J9$h=zTW2l~P4H>0MABwvE>2xsUh4`MLh
zXG-#&9_ad{TRa8{JRwp>^uNCNe0o<?cQvU_tI?9B%82~JpIyjCgkl10uin?AYJ%2I
zXU6Umzg<1oGq1V6T)UwIu3Gcsf0w@xxmqkxmc904xy_c^?b^t3n59J~CdTqmSKEoD
z>aU7+b!!UMd}x1zUA`}{$>nd2u~H_EBbFssO{|4uIQpXmuy)wA0n^Dhk0S!gduf+p
zNv2dojXAoHAJCkwaL_8*h}f!d7luWS6e2eo`b|rZy`TBXU8d?M!BpB3iY=rw$|z39
z!B*rOI60DAq<v}(!=9t<!ez60^@H`FQOBbk7kqZTQ?@phH!OUK`WwvXfTBVqu#A2k
zF}aB-YhW7~1N&!XZQ=jw%OfL|@lrinF~6f=k?cHrtd^)Z+OhS5TTad|?$Xr#i9z+)
zfW$Bw$;E!%?tdvbz1n(Hh>LtEt64pQzV5bK`1~av$0WVnv2eV5BR1x+Wj*~Kf9e?S
zF7aE~=#JtK9=8E#3ZB0`?tg~~H{EiTZRh=@zd;0ktLpw}L|8wH_kclNvc+N*yr3yy
z%@fQK46rl}KDGJ?I?SpawCBs;cUl>Y1M(VpG@bzkcmaLwk><KlESQ27^7FUzb(rXX
z^LkLg3=YMO)Y&jZqCXntHQzd>tLh)XX@Lwu>FzLZVd*JJ5)ImbXO3^=%rXdp>Q$9Y
zpo52ir&CJBO}K#Pi$WA~?+)n}E!2BldT)d(kZO+a>g9_tcjEU*A^}t~cU#cQK&-4L
zDx4Lbe#HZ3deenNVX@D?svLgOu=ce~Dj<sWZ9Yk7&gxnSU(@4-m_O;ALi}D+&Jq|>
zee7bz0T{+gd6h)LicoS_m)!@+gI(U=*w2Ln`vl<0yO|wP^`_q41BCL};jnR?-SUo)
zlwbkvDz&uT?z~iz&gqW?`2I8)mR8oSiqP4Oxs|1e&+^oi*W>rC8(rqM@tjIF40};2
z{HP-C)dflpmXu1K+}++E$2axneH;Qa6RkFTSK57jaHjWL=l0-pvJCv?oF|$rlzK>Q
z8=tAG@q46HUx#Kq$rq9Bd|y_;3yULjeU=W;qoEwnUJX_Z!awHa<mCi}qYEznPHhhz
zJRep(y7mY3nLpHHM~UUm^?9gPIqC^rwqX>!8cswx-ft;9dIc5R>W2=+7$FR1u1VFo
zRvuce3ZH9NOuxjbB=7dAcjAdzW4`96u`6b|C;a&Ln{0n9--oOBfb8aGj>OM%pd<H3
z0@ug+b^dGHc?Ae9$%;T~Ptk50cM7#FM<Ju;mF_uKx!$1n&6=WNCv7yhZ|&XjR2bTr
z4AS0CQkmW@E2sQ+Zxwe*-K_f<H7Z*c3xr3hNm|}DQZM5G4$mD)EUP8eY=y5cJ2AM~
zXO!1=E*{~-Qme#lAXB=-leiYys~@r2QSBtfSXoNSI)M`Hd}7n#EyIMKGCO_Gx^bB%
z7bYl{&Z32h>uiK>tr?4MVPDOkuk#Op*u2P`E*u$PgX_YNe)LhZGgOt5)g<}VobRuk
z^+&NIX}+>cAD9f;-4(N)kJOXpEuixCzM9A<w=u^d(%N^oT-{!(ir<IYExEMXoCTG0
zHaQ>oxQpVTyw2w3WREmB<=&_7L_2FZ)kq(m3J`Mnm^)V2RFXgM!fm@H>5KzL*V?d-
z2DIh`vxM5{g7u${${deEY+}$TfTb_UvfB9Pn)uis!`~losr43pgmY4A3@lCFd*EG(
zEd$&Xc~-TjgJ_o?kk#)AyfsPd@YB0itJ!2OmsBlwgsl@h9wmiVIbFYQ60b>1F6%Ze
z1%$#!Zs|l1<l`S?03o^TcQJNRE$$t5TRIeqcc*?C#52bc%m{Yce9$bwQyMD+0O7p*
zcG6xY`$aaf;Wk&GPPTLOxR-OEA9QDJJF22&$jVF~$4+Wq*ABYm`YDF`_a()t9o)Y1
z;@%K{;mikX)Ps8I1=VyTj*ZYsgi5_?l3V;xM!o0W-7?-CegFI_ig~)>w|cB(lDN9>
z8@|jhaPANUHJ|?05lQpULiC8OrUEawZuj^hTGXD!PZB|u9*%|nwrrKLNVKKaJZH{Q
zvMhPezZ^3+mq{v%-jTzKoAR;0b$k94quXx#k>-s*PHkNjMX4!u=J{0M@>pe)apaiN
z3)LFlDVY2wcx}eM-xsB;;!#VPu-pEc20!fD@xGBQ5WUwbDnnjVp}V&ItzI{u{4ff&
z-YfW7xFf5$oLwO&@8*#B*XH+QX&ZZOd&}7B&5HX--V5+JC|J(QZnbb_j?6|7+rw7}
z`unjst&vARy8ig&yX!^l`ld2gHwKSd&9syj$VT9k*YG9Za+JW4ZlfQZk{`Z?*v9w~
z0#Jq-t&!B(;BiZc+~A0{ta|)2w$npi)H7`hWbhiV3XLs6P)6HJ;#wce&S|#26j*yA
z&;~zlYpCpb<m*#HQuxss!gWFBhc4=(SCvGB-+R|l7W}}W<7v1W112C>S#{(VD(?(;
z|3~^QH%)Wb*CqZwy6+j|K_KR4BVLSZVq3^=jZaU$BY^^?@kN{Ujz`z`d$X)_<c+B6
zeb~c?%-NAFMQwFFT2_9ei~#rQNHY)9^t^g$0r-G)#j|sGrxl6AX=}G66O8VPA1<)f
zdq)ijoV}!CDuf18d-bR~Kj&LqJ`@yeXVMD@-V9iSJNu>r94wt($n9$dCC~JupXUT?
zaCIebBi*ePWtu{VdfTEbLvkk6J6t-^anSov*!ml?Xwg<n#dWCc6W3cUTirWctK6_w
zTNhDyTUq>kj16Cl|FAaf6?mG@m#1wb&b!)%?D8O#!NE42f4S&ehS@FRBHJO{Ipa44
z=?SP}jKm-taU339qVr%+msn!ruKA=WU}eTy;t28g{WRE)ZOt87hdQ)D_G^VM|GM(Z
z?_Pgdn8}cQ$rU1=i{W=D7Z8;Ta}*)8EN7oK1DZ>i^4EZBFP?95W1)rBZ@eghjmU0}
z0Bt|#p(*rzTwy7MP)G?}ZoAR?^XFpcC_@R<Z5-?pJ<s6O5@uXXa2~W=XB?px8v-1p
zaHqh#0(uq;j7SsTFAF`aLSq%YsiGB8AQ>TxGS=)aTOFJDNW#j~Hg=RnpX$kSzS2lI
z<g`)Kh1iTUa@j)!UQv#w>$x+mfUe7hkU&PYG=0kRD*JC-C7U5d#I+CQ7x?wfkr^0r
zWfC%k#{6>Sr|4B2wg5MtH_eITEFTk~or2=#`R2%ZWFF+7?YP=5PeN1_i$%4>7*b|f
zXxk4>s;vdR*5*YwVc_A<GX;uW?{3*S$N*13u)iJOj+O+Md&OPZ7<BRPUo*fS3;EX*
zq@GKW;P=0sX5ISC@&3XTt^5g{!iLSFDdiqf1GR#zOR{|Vp{*X4^pN@)Q|fQ}Dd$g`
z*IsrQZSn-kezqP8S+{RojWvvm2jC%|_tL;%q{-fQ8c2L8J4@X)gN}w<?{T|ZQC`|k
zQcAWCx=l5AZ`z~v3B|);`$IvmLuSSOh41N=>&~hl5?b-ozgQ)OC?)m(I7tc!ByyVv
zn{Gl;Gw?K4SN#Y)G7-Xdh3;+LAo;Q7TP?f?QUY1cPd{CcJ;GXv>tX(FWWvz98nTSu
z@^K0f(bPS&IccvTA!8lrcQc_AoSSbSUrC@;8?{(s-U}Bd^NZ)N>*a!QhnEr6M4f$L
zh6NPWh88X*$bR&RDj3D<??8KSJL|@Nm8h2A?9k~unV0W@TL$pb@f6RhdQPZku{4e<
zxuF{#Uv6v+C~2;D1k^PoS#AdWvZ<sY)hmUC?SRN9v*te2j>peuOy6^k$GSdOAC%Ln
z+s_%Vs?HhP-TPkU6fNt_XmeuGpg`tbZ!?kExNZ)kU!=U;HwSq@vNRLEcl#ftaO_PM
zIv3_g9@u9C+0?Q{&q_p>PlTlB%%=zA{L!OmIKZ2D&xg-E&32>X<JBYLWKABz5yOs@
z5`Gw)emUc)vW<Cm<E}mpEf;SaJDuL&)x&41Mi@F!k!-TXZNgS4LVolgJsG@5u84Vq
zCcSC1W~6(bY;6ToVub!I!Kd^O-q6!ia_-b9U39(JPkmol@Y=t*AC?zW-JIF`^B1xf
zC+!{&qD&PjpWM|BO;1A5>Fhv@K@dWS{QEUsA~EjNnXBIdi%8Q>s}!e-q~FX-!C2VG
z{SyJgvozRGKPbcZg=gU4epaEpl-f`~UxzrJ?c(BmABhcf+9-4lkI128?9E@V_nJ04
zodPoxF9{SZS{|3{uD{twFC_{RaG@?#oqhp^D%9xC#?rh!PTW!V^LegvYQs0Fr!=ko
zPz09!_JfWtCZW5Lp*tWhBG+)iNE$KWQ|`y>)k18_w{%46wejo4)LP*e|LB^U5u+-I
zL3fT0%+#DfPwRLZlz7%0yT$%maKW@*wiD|K@Y!f>pQ*hpd1KG>f#qys-x#ceLy(~(
zhp8~Nx;4w`t3z`-y>}(Me=?+*brtKl&xCTmqMU8_qZ06bzBO)7c=C>eh+QE5v&3dt
zh9_^hCEv)_+gVQ?qh#39ZWcRdRg(p1`d{1Y3MzL^#P!EH<P)2>QbTX3LbB;)WoBYg
z@WvjMx0`u+*TP?Teo_`G++=-8<$xv-29K7qqA>?P@g9$I#rf?Pxhhkxoa<Zr1cah7
zCpI*3?^hp2q(Hh+6CCxUZ>5W<8mG7gb^*`2a({SzPBCb{N4}x=1!O2dN1xO^$IFxl
zi?sPos@=xA(|xfsG7uZM5Od)~Mxhy7n~nH8H-yz?@26)W;O2&YvjY+K%N6ICalVY`
zRnOM|Jk3ap(|7J{3qd>}JlsjtK#`_MS-3vDW8H47G3${0@Df0u6+_y7;+D+P2JkLj
zzYy0dvlG+@sod5lMAuCo2{6~!--4hSlCHThWl`6gARh#eY3ze4v@wm0y-3CTl-_(8
zTgFuw3>77R3e}R5wWKv^_Ir<@$&)O-$Mf+g@2si}M%f>vn~Qu41owDl&b0<DuR~u1
zr(UL%^my>a>eZ>CXz)gL)?azSN2NU9j(u=|5OLzaN&3Zh?wi*9W%OzDP5Z@CsH~2C
zgdGpS-1Z|Y9-`dnb5sqq?dh(Ichkf4fb{uGw_TQ~&4eQkUSI_@!#C{#OX{eGbw9AX
zR&&O>UsO2{WOL?`i{YEoCbD)~9sIb)5x%L=LsT`&IX3)sYNnrPNSuLiyDl2-Rfup5
zA0Cv@z<wYytXSOod+MgF)b0DLghN?1E36cNjW~4BIj&F0s?$j%tBK?Kxcxd3o?Rzn
zIl360=B@vb+7NB_Q-k{FsQ`vB%oZt&q4fk%cif%YGbM}~ldsukjsR;=Snbx%WU(qr
zLx<Qpy8_HAI`K=+Hm){Dhznnf<tNrWRGMZS?U-DlGDB}vflH_=C`a*v7;|d*l~iwQ
zO!e27U{2A9dPSdYx1xHx)8^yECE6qP%pl9<^LsI%&o_ih!C8EGqzpg;TcY_sVrq8p
zl3p9;2JM))z{ed)7n&l^bV*KmY@0_fuL&%6hqAYGp4N|D)McAa^T}z}$~6zgt=wh6
zCkG;0`*0E4UnH2or`@b0;+xe<_4(Oxf{}UPybih<D86A2&2U)CX+~TAgE@k0S6Vb>
z+#hr?=XphW<eyOu#tf*1BCI*i8wjKo5=?!+PQ!-KUdcZ$?(?#JBnq@^)E*OvyO6)%
zbYU03l!Yz?QYIRI9=)`0*lcS+5DvOdN4A+;D)hrzNfvyAa$tJG1*31?8XJ8KkNmv2
zDTa$|it(}tvKw~lrhzsf$mEkZ?lf6i9CW~89<6R_lmdN-e9*Y%<Td*`+0((2n@c0T
znrB}*<n)T*%@t7o7D{Ve(G%DY{e|4HiyYkmESYaMoUW@+`@rK`>O*MX|Ef&P&%9Q|
z5AM}(DPebh64(8G&uZ_T>XbaN7lq?RXE4W?Stt)jKNP76&()Wx2QX7s(aCcyA0Gk|
zb=Y;?h&&f}CH1{p&ugS1z8ROp0E@i&j1NWD+Y!H=p^Khe;)bJNr->^p->oN-9`I9@
z-WLo}wKMGT{A(V>2T$lCbu)==6Q_x}m@aTTa!W_&j0*`bwFUb#sO&;^-rtVW;^yu=
zy~6iO!Fkebh2H#r>TNSi$(1&uUTL9Zz(9gmnt9iFOz^L*2BYbL5^g-@*eJu-hrs=+
zX^mT+bUgrlp&GZY3XA^d`(rDXgvNJiSWj@dl$v>N?sh6S5Q0{=bpa}56ZjxbiP-B|
zclI!trP}Q?>HYDJr*{Y%XwR(HH;mKA07Q3x>mQ#dI8M5H6BEwIlW8v089Yo9>+0?7
z`*V_2LraS(noRMSnr1mwSo9IyMYKnxilk?V$*r{vR3@9ZO@{adD9`t6`uaJPwjfe9
zN8`g&E(Q!=EdK?$wM>+@OYlRaY}$l1Pu)<8jf_$0``36r#%!R2)-vORp}g}+z)eCi
zXIINnwZctwub5Oi2RNqaXqhf_ZQjGR!&|;#29?PX-Lp4yQ1_g<*#a_r@h3?<e)&Ym
z<oG5=RDZto(kbf1OBTKX`SN4xuhH_E%vl*vVL((T4uJy4{t#8sB;v^>f`u5Ihqfq7
zQBj*TY;WDwqIp%xls43|A5+THDEa%X&-fd%RlYPeuVxCtf*UC%?4*hCh^i1jES!KU
z&gafmXfB49VQZMcMcATi?`Pi}v@vqWblq(Be7`<BzJUBAds&qlb0N4~KzMb~4Dgl_
z1TzIK2>W|lSJ08FnB&y(i8oYlW~okIu1ntgb%P9jo{Q<KoeF|3wK(bZqC^)d7*<L)
zT%<TyZzCHozwt{CQ{Dgw2`Uy>-R03B2byKPc97p;7F_rm-;2|u`?C4l!}MhtEzKdR
z4wLJMVcIEV=rkntYCaW}wK!V220uxhfHa(YlC(&^78q(0y7Ny}<M!1Eb9u)YQK)ry
z4KfQ~%Z1wX%<Ug;y=G~(e>TIYf0nW*qGKK2i6*y1OI&&7YkuAPcF_tZ&#cyrh5j;%
zDf8cUyRRm4<k%mL&3sYN1s#y!Etelj5_~*&GXLe%wWV`)HxeK}xj$%%6?rta_pGw5
z{;&!0Y~GMh8L=zLBBvPc2Md-mW>3l6#_I%Cz_?XJ^=AW^tzR{nmYvuve6$rEz7hma
zi(y**er@JaU(NEKoq8j$lp)AOz~HcvL#4(ou}JB8Tsrv#+Y^lrK9(vV*B+NMYM8nP
zsba3p##>V_mI<Do5jRT<#ff!E6v8X;!nhT0d{4B`D^&jc$prU9nF87CTd-NR)<|)7
zSmeQ&#qgs;t8gEizUd+<D2;E{cB9h$q{wF=Tqsppog=Uj_;Nwy79>f2AKBpMzR9fm
zSJ;KJN&y+VC{#BZ^Nm3R;1~v|eCl-xipni@j9Lh#|ADgW#|}K2)R?MWo}8l`A<NKd
zM&i`yjP7AMv-{VlN`LZ-!H{^jLj%F#DXYcr3&tFf6jtcg{FpQaD-_A-C4w#KI2dhs
zG}FBe!eFS{=8~_mRO+klocWKbOWmuOmB`E^)8?!M6S&%ZTuS&zHm0|@-_icyC#p=I
zZ*3~HpLL6pf|^}Ug5$|H9PfqSu1}Jab5nv6DYM_MUPq}V8N1A(oo!C1@tIBiU`4}y
zo0p+fnWW{shvON^PL}<7)#xyz4T}3lt`ZXHu*|J^8>R~_&bD0kPI|N9BinsX=+wH)
zJ$VX(iX1ADF_v2#Z+&;a%6r?OCEfQxz%Ong%AeXDO)@f1p?skdqgKe{<l*Bkf_*<g
zrWo~;dscQ(mp6Vs5kuY|q=XV8T8{p7yKOC{?LEO!*U&ngS`XcHf1iA_Rs<TAV`-TW
zvR+AWOPn^6u<jPzkA6G&^cG#ZYKAdA$SscbiUlxTlL@ucf^TQjnud22e6Mbc4$Ird
zoXg4T@)lXvB1#Rqnmm=YRuWh(R*WkbHA)>3E{|#6hD{ql{#cJ2+7h2-6Z~wob{#uP
zuxRVSNvaz@u$g2!x5RT!%`|Bi(fc)j6oP4rDNlZ{onMo{<-jYiJLsHl1IibCl~cNI
zKOaim5D%OtvN^~|X+^8{O;agv6GXIDk0nmXI?p_2wBzR^$@5L|fx2I*`5xV-n|hmF
zowq>}(y7!<ZBv5^(k9JbraY?{Rr`R+1~83s2|<`oWxpKG&=Xk?agJ_o$%|Cap0AxQ
zetOC;>y(0DYg_Wc>NG4@e6MHI+hACT*{F!QvZlM`ppeEcC|P|;VL|^o{pef&F%sE2
zI8Lz!JeqyYm}E(60CUnIwSAQTvVOgnCmE<6ZR5q)7-m>lD&z;z*8B2=zUZ@v`x}Ag
z`oUAY%em|U+QP}OLt1MpJoHI;ia|*$-|&;HuLDizvEL&)X~8x@%u^8Y+xX-9w*w&m
zNV4BMTY~-0#>%cP(>Kb>6#N<psN0EE$_>mSOGIVrN*uy^fWQMGx{QBc3<?UjoMM6~
z)MWtHjqBBt^$Yn>Fap1m$b88h(OWyk8KvAhudoo#0^d4`dh~MCvUD2Qp-Bh#v2&W$
zf@17t1j0L)Lgv8Ii3p}&w)}*$*R350)`pO_q9J^xAF#S7LNuWcdT?xI;R5B0a@|E5
z`YG@prpM)&LMKn&lUim194^6`&)g7QE`o065PI1}?BSOVI#JY}m{dNdF85fgk2}US
zXq0*(utsIsFFf5wNYQAHz^-Osu<SVDIIOcu){Em?uxMqqdcCE|w2h^b-bI#nA$r!=
zLKdUuk7)7Dyy#FFANL!hmW2?h?mMe)DLCW@w(=2syVKoKQ7wFzw|NE3OM;mt@N_h!
zZMlQ*>z-)%NFieNd1l&2cegB;v^Wvm5~_=9UU-o|+vn5jw5zX|xj^lrtYM`)c`ydI
z1?kITZNIlfA2$<4$!w(WTF2=UC-goYPOaMaMnxiJE=c}k4J6}FDq-5L#xXuJ(`?Tv
zL_+})z`Dqpc*K>%|8!Nz8A9aKN^V0(Rf8W9j!q6kE`(jqjsMCy4OwhXWmsG4E>q5w
zWIT78y*L?+2?QHwK~DH+xs*zow)DcR4X}rh%NG?^+P?f6&+T*;c!r>8773-{y;-a1
zr0qbv^sr?yt79O<_oZ_SIeB#L2`8p99Z;GD<Bm$Wv*!du{Ch=H20Y-xNo@@ryZXzx
z;_xH+&#c3XcM+0xrImn(li$;ZR)!7R7VnnxNn5~CCoK<xa2thi@dhmxh!DS|bY-lp
zlzLlEN0-w6(Ftu#)DMFjg*AQoew`2mJL4<!VQiRfOTCa}o;NMSyXR;dl~~6kh!8pw
z12*(}BfHr$>#!_e@}-G?#mcO2z;|Fgr91v_EEWL&uy|mb{IzTUeRbo1WTT4AjLL%I
zeOrN|i3rtNl88@5C%F;Oi---#ebqPF@=EvPZv|UDr}%oKR*Sn2TBT_^gXRpj66N#x
z4Q$*C^qqBO_aga4m~(<GFwyDt{kv*SAL)`FE|vkGu!cA*L}p`9-#)jx-@WAa^~V1=
z`;LUq$LS#eGuv~Cq3l-Tkf|e+I#JDHlav6$T~QGh5e6rK;=<8vxI;QXD|#W&lI8o|
z|7L-%&Xo(QPw?O8l#BwG%pzKAM=rmY?~7K2g$<>gyyl+P#GW?PGsJ3C9&%=y{-d#<
z9^iwsc!NE>ld+)3X694Fl8h)&Ea~h#!CYdBRQ8hXhe*DOFp5=FPvGC0()j`R{V^8O
zWl~smYf6SQ+{U#!EaOp+5<~Zsh_*)^c1lFptE_=ODiT$;B9gxqz?HxQpPVa9nKZa}
zCMRT^>1cTAtBY??xvXED&!1PxO#2PQrl&ysosI?jA2mg|_&LQMchn)U^(;KM-MVVW
zF6X&PP8=D;qknT-)Cy$ocO!Q~Pm}(g67wH9SV}9_=l#7<Z!yTPH7y~2km#R1`ULzi
zI-44p&i`HnD5niBm#><fWWfG+BeeLdvhF|ScmFFzK4*NsXdP{hh{L}>w}kpH4kRV(
zv;M(BFaWcMvpIQE{NH>0HT|T!Bxh65JR9@)4e*aA<LOa6dXx*YtBd@jvhdHt{|Hi3
zBkl1YBx(MTESHq5&G<XX#=l5fo0~8FgJj#!9Fb}o>OqIU6I?*~vu+y;3)N-+E}yf%
z<kQxGH2x3yX#SDUa#E5B_uu97_sYZn&cgaH`TSpI|I4gc5Z~9_w`BJ|ZQJzuwlJ@>
zG!~`5$64F))yudeukhqy`|{Us9({cuf?!FON!jY+?OWe#><E`MBq`lh%_I^X$j6Q4
zCG*DlOtcrC)jE*^-iDi`7b`<$X<cmd(gFPO!bj<(?=4_&Y#`Lc>;C#jda%$I?EJnk
zgbBWgpb(h~u3cx@8;l47)md$UyYSg(=z8tvjE9ngn2*A0(d*q&W8zZEg>$FmNXK)0
zW1lbl#_yo5z;Ir#Ux6+j49(Wyzrswl%{+r2gKD0najfS|KOWjj7tW>Mn6myOa6yQj
z&PAJ}TfRe*&s$m9EZoL2F)oc(Z=3Il6gs@+rAPPoEXi91m`N?)r5R7r*Sp^G+gfI*
zhwjXINB3-NZ|6eDFE^QKZN$(M+G?G=S%*glg7htOj3m5*60w`*jvm%th5>6WB!@Hx
zX&UT`OxZmymluf3Gkmb$-b_3?O}ij+k;Oix9jy98+Ut2)xGn@C+=_J{T#NA!)WN#%
zK5>VF1!QNuf$Z<~zX7Y~FoYv=f#<;DB_xHFSbDUkIG&DpeLXE1ztQm<F!zdi&ILKr
zX*Zc!6SkJMRh7Bh^lA-jq0a@npz$FY8G(Ys9lB;lpstnV=L86cED~z!8#G6EP+E$P
z)7>o>h9)(>hOZ>*I~6}Zb+=J+GmCfApIO>0i<~xdpSNy=#-)r8p?wL@;4_zWQ0-08
zA5--R{)hy<@*D>=LD079ri(%wyc0@;w_g21R8DBA3kP8>)9Z6SxpM8Yv0ZkOYfby-
zby3yG^}-2q?y%!u7M@cC4?g=d7m_Wc4>ngXr`8Jtdo;)2!K1wGyLj1l)i<-_8<yJZ
zdghlVj40q8#imQ7&T;rH)lfP2!*UCTwgc2y#Q?KM4T?SnwyM@Dw~|4~^RF9!=?ujN
zjLj;k^f=dc-wq@!d^G27z7P)OT%Cq(YIa<HsF3LPheLV{Cy2bALT6NH<Y%AOd|J$}
zua?IRza3Z>(FGA`T0S!{aCARnr{iE$o;<kFvW8#sqDl}rbFu`X32`7$nBr%cVjhwv
zV#!ZHN&=ugKMcNjVS^u-d_$p88~y8)+^eC=oxOxLaiVcL#9k_~c`(AAY0IUHfCpU7
zM)P6k_Lj+VanPCNOFH=^MRb!R=nq%_Wsi;!(3g(2TU?2&-_3=#-{RluKGEP^HMD_{
zi^qll@Af*n*`{F*r;psKpUeY~hwZV;8;{F&yud3%Ml_ylX*#~pjSZg<r`qbD0Y$5J
z#y6+h>oMDpDZYT%EO*wHYp101{h!<n?+@lFPCz&sY=@B*JR*S+*D6QSXPexo(1w}6
z+|LK_er#WGT~xGr1W!B)`s$tW#Sb2DE53;qR&RS7^iEVK%+9HWAQEm<YrkaDsU~#D
z?w;g1vj3u=c<FxYg3viHULM@Sx`2yQ1hc5@dZB0{6|o}4dVo3HS_hiUT>XAxogN(z
zzhX@UcQ0Y}jqTJ|7=h66Riq^Ffn_{;x-I@NOajcjthRa?kl!IC>IYE%9qn<Cm14N4
zxu4A)N}@ouEgbJ08^>RL=BV5%de=!aVJuu!ywI-mO;2GO)F1wxP(T^Hn{=(-aK44c
z+SuU0<PRH`y!Bi>H&fcGW~A(k=8FxpPBV~86EdE?QQ38ufB%wIzHpMbUYUydFDHlw
z2xEJS;t9&mOIxk40)6~rTN6w|%-h?duXgp9`8O7FLO4$;YSGQop_C`7HnO;XLZ0vq
z$3XjcWb6m+Af0jc_ZFu+zF~-*IdOGQShKB3vm-*H+*e4jT@a;A*0lXLFCaYFl{338
z@L>fKgFWiajSkQ-bYM)vYF(Tz2*xNpbcDcRdx)eWsGzd}Y6REBBah@Ni*cvNV8!`S
znZ^$R(E}=?B7ZLJXRHr3kx)1E(N=vBKhBx;+D!C?fYXowclTk>UdMjdoIvt6-?uL9
zM&4UvAn}c;SIO;G%5%`h?!h?w-Bi#a$=<1O|7hO|w4;{7%!)_-%<M$kX~(Hk#K(|1
z2Bw>;(hhz7R*%e$g-TEJXSba|P1=Wavo>|syJudq1}TA$%-?3iY~u7I+ewc?SkGM4
za3hw|F6A7YbZ0l)3k+>;(1C4ymG6h#C}&u-B9QiIP+`{<t_bLI`hHG<cdD&S%pQl#
zT#kRWlJdt8&WX$YdNMbz#W@WMn@&Mmhdj~TU%aYCPvcXka}4Qt{Xh^kg}Z{?r(eir
za17ZJ!?LJ{V+`oaVe7B1{cR2!hdPR7Ae8)|-lZO#Q-fCfU4E-?vM>PSpfAk!@M#8K
zmoqRu5pWdl$#mYORlgZhR(N|&1<kQpzDH<!l(tG=F?$9Ko<uALbSl)n4H@S0VfMj3
zw$bAiT(Pc63iYznn!EfEuFR{Ha4zcolQLK3TX1`N6UFzWL^B+X0RkW^7t4vy*F!r=
z|0TqCE^e=~?k0QPDvYII7L(t($YU`kYmvjNru-2RzAhX$O<yOfLfJW?dRbZ7oZ#+p
za{P7ptgW;_?df#J>h2j=amqXm$yNCDtDw4e!9HxM9F7````)c&9qsq#jO7vMS2$sm
zq4U*+0`$YNyzSBJ&;;m8fQoz6hq0JQw9gs`Dy`7JP+SDx1FL!%Fhp6r-7J=d=1Sg<
zYNZ7FB=JtH`Uu!kqu<?<lDr*s4hEhu$=jz9QU8fPtI_W^uBPUR3L>Fc3;j-#@ty~o
zYpcV_^LAAk%<?f?)okla0>ePyVtAp76Vw-q$u?aK^WZ_Np#l8lCaVKN^8C_Rx}>mL
zB(-!GxcdD5>QUb?Cz{Nc_0}?-g*00mU+8kBFSL6r&Wq%}H6h;$KZ=@!^N@g7_w^{z
zkgg)sdSk8r4h=5d<^&#etTkyY1mz46E|>;-5e01VYHVfBX4pqvx)J%iC1sP7#IaL-
zk=DP2sO{e80P7JbcD&$;J9svco2r*55{|_{tQ-9CxQ>!B?<myLulWrBOyTO?A#?X`
zzUf9hr<d)1eyNVeD4GcYIi>!`#cW}g%*NZIXZ`!=NeZ8eO8-v?1gGIB_-5d&Qe5)1
zwtx{8Rpq{%Mm$<v#!YXPke1@eg{60mj!KL&pfvGJ<=6)h)+dYT2T@f?%_}`?NRqL{
ztobTii-j-L?Ym(S_gHfeCLzm^#7Wa^SUafOEeQFBGEBZ8qQ}&;{Fbed6XC_ZlDEgQ
zBf-pfH!7I7PL$sa6EQJ0_<M;s%bv$GTgv>RMis~+?D;KamN|JEP5o%qo-&V=Vp`GS
zSCZWVY)D9)`ka(ib(cwExLGUD?J}HaT(io7&0}6y1D<`Vazgjc;m)}wT{I!2e>QQ|
zxMTgAVbIN?z0HDi6T>+mmxq>4`aC^1FLHNJLgG3b4?4GHp=uQ$nHUYfu%0*u6P5en
zIV7N1uSru9wy<aqklT*5S9oR*VGopP;(tXbVtDqPZEr{Y<*G+vxm5?*H8JIY#5)>0
zh`#b2&B7+y^V|dp`fN`lj}^N#xE!HDLYrs=>ne@n@1H14%h=sDZWr?v_toPZ$7(oO
zYPpKe^*{BEp>)kKwaiLJuh1e`YNv`&Z#irsGuNNnuA{KDKX^z{$0xetu(hG*G#<U%
zB#y-yb{~%$)RyOApCPG|g|uN0hn;YS^+cM7SOFLfo_5-o2dY`g{i{3($pi=Icp-gy
zAfP7(LQNB=EO~Kk`fs*=fYB}5bFIy7nRU_BN_EV7X-6#wWnAf?!l^852NGgUT0<LR
zx@!%zh!-+u<gd-z@@~-d);xcWk4MB<uR9Q+cmhiSg?l0jyF;I$bOyl|JIfZZJ+o!S
zU*5gpb2EFiwj;|D{i_|B1fD!6$5Nor5B=QNp0J$La--L!SWu!ITJR7C2>HC|i(~@k
z-*#MKos<%D{EU0dH8d`vVGcs!@<&zE$?i8L29);WwOSjvjs31kDgA~oZDxauq+wc#
zB~^y!<yB(yu&JNV->UB-jJ+ajvw=)rZ4`fEF^=0TQf9dL@aHHwd@%zE2UfzO2nBBM
ze%=#0eH_}MNKwP)7!1UsZR+1*AAYu@sql<n5E~AC8%ldu?gg%85SdGK2&VL+A!mGp
zcFyKe5@j%zvDUcU){D<=HDomK_Sym&bq0-EN0s^MGU2tK@fgad;p>><I2s3e1y2zi
z-)*eZ>{pJW^i&}g?s9w7{fUqGDWFmEv1Xv}Zm|jd^`v@^fm!hjLxm!-p^^W36T){%
z^wV2_MV_;btkthPgu=|A<Z??ePeciNAJ=p=S(kNK)rUto4b|H=$4HZ>-j|mO12fZ+
z>x~m9$#B0VT4Y%uCncmTmU9Zh(Y%L^;;Y36AC2ZKZ)Mh-kdh4pB9#s`O)m^*@&|;u
z-u3gK^DWqk*i00RV&MpC_-(+-Q!XPAPrJiJrSE_y$winN7e=){-2|W6h<Wb~wwzDC
zfk*0iUC@m1sJN6FFqWj31d|aKvhsN(r_h$_btg%jh!H)3ikZ>idZeiGFGpUV&sJ9>
z?mUZ!=&N4b0;R!DnY0Qod+mo@2p~lTwJ?G}6hb)S$wTpFrsM7U^X%S}jN7+h4n53G
z#}ias;Z)T)5K@ttqg`~ukPErMmb_l>#9OkI25JXmmj-H2pjTFGdU!|h%El75g%b!S
zviN^TibOeW)=FQyk!cl<<1z;IBF@ArJ0(#F7-W4B3$32nmNB$)1gP<^cTzLX!^s$l
zogy%xw82V+DQ!k9c(hT0k)pNv?;<Mj{X`RYhPaAUOG>bnih%Vf3}6U5zm{3E_Ny_b
zw|q0UwJZGUn9YM2JEuu?9v5N5sj<NsDk;_q2yKH{Qi09o`-+XzjE5Gw#o>SwvQc=R
z)1=s5u$rT=G4rSjVAFc0PaSbX>IgXSS3j>rLLGhjO2}I_t2H|PDnH$-w-_vQuf88Y
zwFYqujSkzc^PG<6XV3RGndC_Zph*?H;t}8t1(<W>1{{tHSkVXP)R;|_UMx(Q$#_sQ
z2G&y9<fI3F4c^TRKPWn$@ksRUIs4wls^?nbFKE}+<PhhM#5xdLJh*K}{M+KFiGMna
zu*vJ98rtx9rqf!5Z7&nk7>bGCn(3y3b)R)C=O{8}OW{4aY*;nw9UpQN80cBXp+{rs
zEJ}`OG`r28_}7)}ZY^TR4Y-SB+%-zO1XQ)na3j1ETQw(>xjf8pgtQctW5|rYpNn=0
zyZxl}Ro;TO0(O*{K5UUtN~J04b&2&Zqe)uqyBj&%&3)EE^+xt@6P|k2mxubidI^OU
zb%P9dXZR87&<K3y6CIxy>I)HWYq)X46I;rr%JscRHDZ?7BxM=&hW9G?5=vWu!gB)z
z@sbbbl_$V5WRceRow>v1SA^XR@-Z6-d$Ko;7)G<LISNrv|8AlB*eL_pM?`-qSG7J#
zYL_n?0^BSWajlv!T+{ljHbNt*QFA{47?KCcaQ1S{-UeQvhJwqXOokX9=7fXhTh?ws
z{JYzCm-&yMYlD>i7qDC7+lh2eyMg3Hcyunc5?W)~tP$X^=8Z$u2ff#p=?0bWp3K!>
zL0@$)=?Hzv27dk>WcjNtFt+39dxdPFr$`%rVglv5&H@@8;;Km4;HomLzri*>bEmcL
z(PT?h{F>=?zOBn2z^<z#?zxBA%Y7+rwc4DA;`w0~`DgFWBHu4i8_fOhG730*D3mpC
zWb6D%z8tgJcAnzkU&zh!<#5^W;K^{cO(bn|s*j1WyGe!}(`I5^Sh~Mv+*F~Rw<RWG
zt~Arpc+zv%_mn^gXP<!#rceX84HN`6za>o*kR{-eWeassw~l6Q7JIDAyG<Lzvf<ZF
zK<=gNvgJQJ5xeXi$hdD7=#zbr>0u$FV{8}B1xO(G9?5)HKUUKuI=9@WA^y{QSxytY
z$D3dQGMF`+10K#hBPb)-4W?r&2jOR+tY>FwL~mH359=>J^ak2M;Q;8laLmj18Ec^&
zaQqr*L9_iiU1JbQV>z^v<{+KCI;6WBL|fNs2&0lU8)RWs%S+4_my)tRQQC$N4A4>#
z1Gb=Wme!y)L-*$E+hM@X@EeNWgRWckw~YlXI^mu2gzs#hr?0%XiYXrJ;-vX!L>hXH
zR&8nk3d%`R)Jb;I9f+JeRX~_ZWU7@Wjj3g$=x;z7+Hg$uL9H}bPX~IG{OydnZN1Hf
zYZXr7@tQ>X+L=!U?-onlbd00Q>#Z*lp&9P|epfK`k1$CwEQP490nxr?uo;DwZ00hw
z$HyC<bHSbbT?da)K~C$=sTPa93na=5lLt-aU%Cg}=kMedlx5}d-kl8?yrr|aTjpiY
z4Y?xKLzSa>|608kh;qfnwFHc0^p76ga!)OFR-2B9Pcd`~)UUjiic{BBh#~U2XJ<Ef
zQu)cKStZSOpSPQ`=QP~io?<cJoM;dJQ=%>XlGCg=VX&&0{!{_QhM`Xr6Fo;lar^#v
zON3AEc{h4U*PS$Vbr8C8L<|NbBwTm$pD|G)3=q2XRQfF<w6;9<Q;{r23ZB|}ei(7#
zWusdY8jh%JV4&vk0@M#ok0z({j*C(g&cH)?vsXEc%jZ#7abXccm@>n*g(a@iABu`>
zAj}?+tgw+H|2Xe0;P-WM0rvmsk#1&=_kUbN6rlXDcv!H2OA7hNi}aG&Rj|Kbi{Ukb
z%jFlVc-AoegCD-=DV~2^1C|Q=VQ@FD1s3A}<AAz_)6+i>tcy_tE}WDu;!wf-gCDv4
zdboeE%x3|gBO+V*q-XvQe*7>pz5j6ytPlyn>|xOeCMoz2eilwHfc{?*p_C_N%r8KQ
ze@^D?Cmk{>YO##D8p1!Q<NbJRtNH)Q#Q(4D{C`h`iuU&O<o_lagkXoWnfiViu}Ham
zbVYvmIhQvNlG*-nGEdoVXozY5pFA92;$Mf7W0$pCEFa%C+u@Q|F_|npzuZw9t582P
z6kmA{ziReR><eYeQ7YTD7OtoyKR!|e{&2boZsqp6ywBsfiqUwwmhbJ@jYqrIY(BX}
zC@eF$boN``Fci*4mvu2>^6o!L2(-V_vgvc)W}C~BtowynTvn#8ZMC|?9C62qR=RJa
zOP~1S=el0j*Y}um#mg!0!N{e|z*vLD32l!TagWX@R$4rkLtyOhXF4orwY5O&Luhr&
z7-|({|DMMo;-7hpHrQ=~W#in)I)N#&be^2`uA1kXCVf7vCU4`0k5K0?{yJ~ZQqBr-
zyi&iNqLjQ#6w$V6b(LElIvfo+CX(4%m^!SU&{57|y5!tzl4y*@*{(a-f9~Q`s2<Mo
z3^5^HL&O40n)Y&?<tgr5JcQfw6ix>(R5LD=#`^Qi=}Mj9eAS&3YqFh}?dd5p{_;3x
ze|@=1r_EqL#t;o_ok7F+x%2Gz)~Ym2fwOVqa<c606LCGsgj%uI?M=h5C(&9(q86x$
z=)ZA8JcQk(S;f-iG<N~S!_e_#*STuoRY#k9$lG*3@3$AlMTa7<?IN&;$i1a4w$pMo
z%~b(0HAlmv-7Ckhdb8st=Jcj2_4a%@+jLr86D~@eAH%hqmP^*3_M1bOc~2CVY>Dko
zXHglp%hnnkmQx!WLd!mEPnGHKt3|l1*3>nu)>Z|q<s}V?DwjqK4oHXBY)(ekQ-o7Q
zy_`=~X)IUav(sJgv&(&F!_w(ppH^G-vb>)=4b?z62ct+tr47!Uupg6A$Dz!+k8>x<
zj{Vu7;)eqR|FK^^p+DBE(#@uPpx|4zUFu2r5nCwSu99~5)Pkjd%&u+om>yNXZX97N
zSuZ(NUhT8X<`bYD3(VIO{w;YywpHu$2rHhp`X0gJR7e+e#MWZ*R-lS{efPQ2q5Tf)
z5IbgXw|c&>qoe%OCsM@tnr!3q^SA3zthcedzQN_bta9~dj`;pNS@!4l3-KXV7^y4w
zfAYj7(touxXmsg>E`M{JrCGGOqFHH_tuIfn+#QlmSH9<<<)|UmU3jZ~T$d@+UBP52
zk;aa2h9Q=tZU0`8Pkz4e;s1^!v_1X3g3zD$kx2O@#&X&AY?HY{-U$1C%Y5C{{_wNR
zdJ^aECTg|1i|6rq-n8p&>;Cz{oP-Lp+vmAbdKfXM?!8mKyX&?~9MQz9)@1n%PL-It
z@!T1m-q|R9BlTWIq-}uM&Yk2x3*X=DFP0ypCoW9NHa8S+KEJm<uJ@X|xJo+1(z85m
zTAb^*S~JsLgx*ZAseSIdDOqt8zf)%m6ct^%*Q9dvkNpWrrC%;rf-+}iFSQySl7F7t
z9TH<VxMSkv0%Liy(rDn{D@IqNvD>)CviL|muIbXdY*?d8pd}$vc296)WNWT}?Pq1&
z?%hBkTZX!%wo)Rn6LZa@2-<e{HhH|YpG|<l{ZAT`=&xoKm_{J`ZAMO~u7kqTFneto
zYb{Q19gXtXlh!bvu$^7!L%z|O+0_e|UkeLho+#E@Ot!Zh)vjfMz?PwuRo%x;U8tBC
z>e!*IRGJ*FqpX%Li6zeUEZsTFJNV1cT}(^>!unU9jHuP@MGZJ^>m@o()NICEsFnkC
z5WJaCHZ7NLnpGEeNx7sCy&Hv4$uw^co3N9uZ8qsVK-K76HL9k@mldhwu54#6I2<2S
zDxO<utxl3+Y*^f;nvs;%zIJ+G)*1U`8?|1$bFoPkPsSxoBVBuUn4u5XnVWLH-k%hs
zU(t8Tv|3!QyKS9i&tm&fZyWCGIbYh)s*oJ9M^$fTyLW}U*9%zaR+VjVICIZKl=aq{
zyjfj(qH&#*JD#>z>l-dkmlw0~4v>kUfkU!roB6rjEraW-ULQ-zo&^->sou72K6Xvt
z#d({Q$zHcxeYOs<=H{42y38j_=``1?Y`(MOxYY|iI_^!I_HKt6uDl!S8M9sACA-`j
z1G*Dx9r{ND_E5Dgxs%+}yxx|c`)nJdNi6syF`L=bDa{W#b1lP%-qz<P6B^!f@@cN!
zS8?xEb~LX&y1`b%MYcy%njKE@XMM)w9abYVoS_eNQK(rn!pO%@?$c3O^<bY~9}C+L
zHd!-)m3o7eu~ORFNLy+ez8p1Xb3v!+NQLv(^CVB#Xt*tProAun*E)303jL$8$1xe7
z>s_O<kwl^FnIzqud6oi$rvFn{5+>Vo7s~sA?^Cvx-j@-V>g;n~2gE6Z<jLQ=b%mM?
zcbaBik#1$`JYqBZV$@r;zjt9^xut)TlZAbTKCOggqy4t_f%}ZZ;V^SEzf;#9VoaH?
zO10`BVZV09#?o<jExdgNL1prQbhX-Hbz7u(NprH+R^<b1XK}o&_<i$X$<7IfHP3Zw
z?-l`jss8Ld6^fa8?84q`9K!oLijCWGdkXgshfQvOt;TlWNb7<FPGv^LlhAH4Shoq&
z{%nRyF(29N%YNRBxHY|+hKr@mCVOD5-t06Q@>v*s?!a<6!K+nlxxE#Achq@182c)3
zp}O!9!ugg>icg*ivfcT4aJ}_rHSV)%S9md!Wv%ObyIR)A!rh*wJ*~T?*#7mr=E-|-
zh)X6PL!ElN9n5=_ee+_W=0Rq=Sa+Cib^OFtZ7wDyb+WJeeY>uz^3iatW)3hs`mw>h
z?cHFYI~v|mt#ZxPGVOe&+})B>TS(;Fzn9UWKzzB;<xR`Ysjcie%-ZpJ*P_0CofNTf
z$^H?e*=~M&l?h_Wi}igl;eP&v1#wWGfW6vCZhFhg%bDrUzWtrzTf%f-_qB<!zB%ms
zancRNioI$%j<eCM-QQx*M(^TbxXRKXT+H9ywYy<<8c%5*@JsSOdFqSIbUC*JhWDUi
zy;>TbJ?)|6HqFEnwM>~z0V|!yYqz`H6^r8DwMx;m`J=|oSpOVHdo6eXO}fLFJNS=E
zx9k8Ny03e5enh%Wh{n|0ea^X`$B;KwoZGw&w(8ePZx;JZsW(C9Prj`NzGtWRfP#c}
zXFbjqMcVqloY8Q%XV33myg`(_-OMptS-pPk7Zz@UX-|mPuf5mlP5vvd{TpItnV3gT
za=(81PQ06g+R$1rNVyPZE$dR!!ghu!gr{eVjJw^n?FMkOIP-`yFn^Mp@ZAL#<Nk^2
z(<*+&Pt&<u|HT?E2Fqn!`En8W*^9|~Yb>zWIV`4AmzVSF5i6UzL-8BG|JO?hC5L&D
z_;HaesnnOA;6NE0*?ETcOQ+0}^71C*T@zTSuA@4oxNeKZ6qKaP37`s+t@=%M?Yycb
zx>3XVg6T+&XNc}{w<jh<^6^Ie{VGR_ws&Z!_%Tjy<9Pu|e80zT*!o-35Z$nPjltB4
zspC`GHp`V$_<{_>1B}0m*VCLL<B~|lhvVnVDk}o+;1Vc^o85u+^M;c+7&>FCPX^<8
zWg`cw(Xjt?F%RQuz1L-4CG82%Ns<2Z#=<efB<bl)+n{ba&-N^=5N`&(@y17GU-K0R
z9MAp0iKMs7TfQYP8t>`67IH_W`uliQr_AAu&Y_pVWM2j@qBf?5-DQ5eif?(-POz%>
zFTdH%Y{7-OB)B@G^^RrcX6V+VI8R!*w7lm^oeqgSRQ<g@6sN?veo$vsR86cmld}oi
zC*WnXr0=|14WgIy%E_5++O+4hJlAY2Ds1utJFN9uhhnezS&Df&BAFLrEKe3IWsm0*
zJVk+3(`3hBn|qng^hB%G#0E}JgGXbE|I}!S`MEp@X>=OdUUd-?bj+=5t&qr29rSUZ
zKZhsI`lyuOYYJ=Ms20Drsy=lZ^ep<rc?q-7syl)g?ZUEt9xbb~Hd9XZV=8gBVJ%&x
zi^!sL7T6}kX4X$%+MgPGYhq8Rw{|bIehZaLzGo@wM%4?q^QPSG8ORqnd&GF%wGM}B
zZSHFkb-mnC+F;FfI?pauH)kuvTyDs%<xUSy8l%ZK*uMV8WzvN&oFz8=VtLy2-=rD2
zntAP@@qTxywbrP;3R7_F@!Cz?)F=y#QEbKi_8xO3n6bLF{j>Am!a)mtp=P-HTz7eg
z>MZtlI`+$kGL3h(8dsNBU(H?ZQ9d@d=eefuRd=sId)v0}ByDeRR;CKuUwpcZ6@YNc
z>1)1ge%&m*z<0MiaA{$q>u^6ru*6(iI>x$1xL8wJd5TvzF{th|W0l{PzgthsV7Tue
zmgt2-{ektq_WjwaR%|;|>~d*~&tocO6Am`I4`T(gPm!g60Jh;5*Hd$URZGKqE2`7^
zQnT+iKkCAIx68avHbjU1v;VHk1J0>Cu2kk*wQa1pOyyhD_kAZ2M@f?NN+P_>!Sr=G
zMMtkOq3E~wgY>etN7vXcYGC!4%yzrIcGvXK#!iPWG!kdqcEx(f`OJ&U!~XeJR=bfb
zI^8CFhi>snyYA`bNv%XWlF@M-v*f}poYIRjoGd!`&RAr77@}kj<elVEPHlI((=;+_
zez{S$r}_4HT_g+Dy2n_&Z;j0KxCayRV206nQh!VpbMUUc*L=I})K*Y?k<2xx4bIHk
zvIV`2T#VJHp1yu8=R^LU+GzfV346!Wd~62yRRMk{*3EyuQP&Ut$J%WC8LIHQ@0za!
zRGpbq3zVyOdnMN`_RrJT#MN}6m&UfEUVI+W%N}H_O<P<~P1H=~#icya@2|2(&*3%h
zH2wFJA=zV_MBX&r_nnknYynUNbnEx6_nVX}g#4qOx<X5@KCWNh@t7jpEPUPN?joUG
zf^Cs&f5M63z%rx2`H^<XMl(OwsBf5!ipL`n&wCoe;m@NGmsxR?OEo6TEDw)&&QMF2
z)jjHLYBfUSs(I6gK-VX5d*bTlw&9XmxF_2nT}cO&s(Ey?MM<W%gSgN)mnCZ#L)-1o
z5Xr$D%?8Hh(0sdntx4dmi@V$X(9i{$+RVkm@0HtTV@yvfb|}}XEFS%_^Yejp-u(BP
z(s<DaSPaWZ*NPV=(O(OvuOo>2HPA}OX!^EU-sk(V+<6W($M$rtuNt@aP1<(i%RQhE
zwRaJUYj*-Rj{QHqeW8-@JYPoQ?CRirW^2wHz3UINUo~B@RjE&r%~l;0pfW<NySKbu
za-$TjQMG&}?d174ya@Z42Du5j_&0~b-RDR%>1F=|Yb*aC@OTS%)!w(q`z_78Uexm@
z?5Fkv2~guumkQ0h+uzMRn;nm0J@8z+8Q7u8)9$X(WZfiz&`n6zGp=UOH<=`i7*1xy
z8Z{>?;fi@tG1qE|<*=}6PM1cUEsoDmHPc<chq#sG&nC26DVa#Li@ySC!KvaN5?k%-
zCs6K=Zv_^?w(O}`P2(3R_akyyT_9ztAQ(9|*eW~|8eOI?b$xEyIDAHMeBO7goNaQ+
zd?z)Wr;FQGGZ|$r!l~@^H>Xfbe2_F%KTGb9dr>Q^&$b!0x|ghH$rTZBITcE5f*hUB
zIjBMhKLn@smxYOvg8sw+4#&zrjtRUa6TLW(Hw)hn(wCNb=$tq3GUwxvJP#SDDGatb
zX%{7xePRDt8T9$OMz$`3FDFz}l@9r4&)WUjMbHOR0$U+9>48Zm2WHGqE7T1)W48_$
z&wVLsI``c!#5qLDnL6<t1_=+R%i(DmW$)TE7hfZ#Z6TFNm79pR`Ap$M^mNs&$5h0B
zNB_};e9>8A@k^G=P5Oa&6tc6uK-*qlhw1l@4nAv-`^)UtpU>li+t_4ech&kq{i2^C
zmxBEzLfujIdW#*)s^N=Gugd+`Omtt&r!!P@rb8ypr7k;p`vel$!_QaqO%fb+PHzdd
zv9cK0U+yM-REsjzEl*cmx!WlJr@gn1t>f9c1!Kn;Q_O6~%*<@Z%*@Q}V`hk%nVFfH
z?U<RFnVH!h|K4}Mdy^RrXr$58NbjisIj!!h-Meb<TGeY+SG7&)XxN~l?S0F!)3|)e
zt^?9O>fnbOO<Ns55{aq$j^k3m@@(}(>cT<MxArxMT;OVr5ZKenwuR7zcKV~_plK<L
zx7)ZQ?H9AUgD6ioDf5$i82t1AK7MR(B-CIj`y6kDq1l21(5VK0z+!<oroMPfnn}C$
zBVsJ>F)}lwEfV&8$XbhV<h-m9;hmbp(JE=Q6mm3}xI*V@QA?-O(F$4d+G%clLt9j8
zCJY>^Z>~!!3VJk87DWkH^&sSZ#C4-ZbJmkId%fLJZ7k27<Q*rsJFj1+>+EX&rCS5|
zf?QlB+5pr&8MYdF#Pe_>-o$_H5La~ekJ9@H$TWG4rt_-79Dr-BRk(luqh>ls^Ms{x
zO%o~XOt+zt^`MQ9MVrHYa1XU!M4ZrkpewxAsHDHsC@~Uaz3=zZno%gSNjF}%h)v5k
z#C65$LzQZ7s=9K%_lA}f5W#b^_hUsQbuLRC9rwpNwZX`Uuj0lXxzBY5>$a8S#AnuQ
z2%0LY8fXYTQ&C{YSsoW7^IHnW3^JiAr+UB2S8|%WM0joDOb+QW=7LkI+pUDIyI!IS
zcQy<1mkk6XM`$F*ZSd7hM<ADsYL{V3jZ4jEUzuCgv;*gJ_5e!)R;W9SDpXt!udN+|
zz>%Ds^pG^DP3w(E8Vm8QwQVC@^_Y{@#v|0`j&4E@WL^Z<690u2Xn|)BgPkBl+f7?X
zDw>TR%at`|%3Wrlx!CQ5V)wb8wQLS77ogknG#T7hzqoma;%r==x3UdfPJnp`L7x@h
zRKuc(`x!wSmJ!#@T{R2Yw^;UbREiCT9%eQQ1%`o~qRXN*99NhE>>G}s<!TPH_U$aJ
zStHJrEYF_5UUBV@sgbnQ-qkm*Wo;PFXbG3fpQL7Z(ioYdj=eniQQS=rB<Si4BZIU+
ztsFA}@LQ%_41|j^!>Ge=X1iVw&ml<?@QFu(JybB+=Bz4nHQNrOju&*Hx1Duk)Q3x#
zSfQB9rxlC<0tJx?%~uco`HI6(OXsP%!A&Ycnz<P!Fz7LH4>?0~Dv8TB)@Qe(m0qRK
z5SpylEc%tq*L)%IZh;-j3rkl^ElIMTIq6>RQ+|OY<)n^fn(4W>O-=I66kUk_l1TqZ
z`@-aU?a@7*HTT2?uD#YSUdn!C)R(4JIOehjuC;R0oiNp7Ezk_XX;Mgo*mxSI)gyE-
zHr$TKDD2iVuXfm<j@c+6n;%7AtEJUuTe%J(oN8IYY`j>KLO7t-=;)LA#SUAkniJYy
zWE4g*p42R5Z(Yj`w~oS0JJ=?pdDG%#X(eDUs9hXUp~-1^Uveh<;1Z(v*niei1cZKL
zmtes--f2CMLljU_CN+WQK^><nK9r(55tiC~RiqWhGJIOXetW9f>L`rl?Pb5vf;-Z+
zXrnVmKSxj`o5&r2^U*&SuBhfF<bpSlLKQq?JnS_kz@aa~F1*#R8mp~VB2;>6Jp;(Z
z!01?KkJjMOwsGn2h(z5Zj$x*h?16G)QoY$5sNJt@(6kxy-wP_!iZH)M`WI5=`-Rc2
zapvya6A0zG*i@M}o9iqlesA%vyFPHDkRCNEo5bN{6!F-F|9XF^B?{8R+$6FFo2d2U
zjn9o`N@N7tg#y8tej?A&W7SeSA@xbbuf7c$8zk3Gu@2Q`gMUzRF7+mD^4f;3R<nky
zuj))2sKjE<utXqttlTy_s&bDUXc>&d%JegRpAw1M0oVrB%OHEgB&kRdUg9r87$55B
zPZXJjp+b((#LuLfa1-Mec!gr8DRQhD3Y}YDMi^lRHymit<tAvRFbHEz{*l7+Wat8$
zI(_$$_@bm<h-;KjUv#&XBqj9>naPWe_v*6W)(7OSNtEZ>YrXi#BtZT%2^Vu?*ZWN(
zN~zZda4NS^ZHr&M866^)LKsxJ*n%D>R@~Fon*6<kRqwaGjd9lm0ry0ZLN^yz6Vvbg
zPR*sTlSM#NlaVK$P^3N3<h8WS7jZ4TQIvjN<tv>UNne|uaAouINqg6SwP=6^1*6I5
z$@_-k-GdQYTf%Xap@!xd1cMp_`K;S$LGx(^EH+7ZsEU@R$3lqbSp`Lne5LG2(%UK&
zsGhyhHT`m4oY5;@3qA^gv}AAdZoANI4sFp^z{jJg=_Xqa3va+eyo(ZtNy%v~LeZ9Y
z$O#u;fT*<R$vC21batXYXb4XI8u<2bXy&}mfd>Z;oSka&mQJrmnVdpZ)Ft%ADxd4F
zU~lj&8A2Ky0(C1~vt~=wGY}J{thQ*D!OT}ulU~!WG3MqWtNF9!w7(S88Krz(G!pJ^
zro_StZ|~O9$QuW1f3`GeLGHpC>Z~AG;j(X4S6y6*<Jw6#lO^;nldODjWs0<6vc6qY
z%bm_nCQRUfxdQCwiGeSV3)Sq-pbzlf^@B=+vEBr%-CIZ?AVh#m8`&EEyL9yWc6NUZ
zTji?ya?_$1H+<%|tp|lNn#+MzbwVMfRN5U7>cryHF~g(HB;+{RuC7qV*?Lrn$;m^0
zJ#0hH%0X2wQWLM8V-pWdy<858ef3S#1A%O~UyFnv%<&HL?k=A?oMLI!Yu6+)<-($P
zs>_hZm-t%+q)rSVl#W-c4QeZ+cIH?MMNF8fXNpQU<+t48b;&Og^e`HPC%&0{^L$|j
zbBM*{sXWr#z(DJ;6-Zhkx)7GiI4yYW4QNJ55hF)yf;67WoN1g%GNwUJUO`qx9IC@x
zDhp)dz0WpAg}B9q0W^zWdX|WWl!{whVFb8e0<lA}re$3?A(|;b(s4%z!F3tS95GtS
zw~0qnkGBa+21^sZB%D|i_(t9nPC$kmm{*!3s6BGpv3u%=2I2>s&mfnhq<2Bi<UEfk
ztv(?<qzG*mLU@*8ckYN}rT`@R#+>L9QRd0_35>|70^03B0d`On@EZB&sv?7e5rmYp
z=|IGg;M`e$sgfpX2uX3RP%0QVk~`<_Dj&cwp)EMek_kJ$tXT+0fa_avMk;AvU5B*P
zf4{X8yQ*8;sRSwy3Dm#!zrjG*LKpIfos*2LnVD5x?{+ms#ODZjKVf-Z4d-j$dTG9B
zrQr`3A(eMbMYX(KJ78c#=t4{WF8gz$55c7F<(Hr-+vB<TQ@d8%e%I#+7v6YCTcaoq
zcA!lq?@qBZk3X=NH_^;$R*7RhKSS%V{gkMXLBFToDRX`#2&PW+@?vQ(BXe#U&})m@
z$$6>1MN}a}s*PK%Q)OD7>)~~6SsOQ<QDto=iAlF{q%<ivtDra-NON+{{?PxrsL!)B
zN<D~YEgWekG32P^)JzF4_||Y1;`^3~xcOk2yCr@5u<6cRMnl8as1Ir_uKP~oltIfP
zf+0#RJKOB6MwJ$lV|r6Q`2j9fu!e3+V<`uzDk9($QUv>b=iJuwLZ|AUic%1X>TqHE
zI^*%~x6Glyl*cfU_9}LMO(AW6e`+UI^D=E;y<ng(SM8dVnGVY{_XE{;_x@Fis<V@d
z7M+y!YE#ASCPeJPj;qtOeHTNiEXY&6Pw8-RJs0Up;`@jvRJ}{-pKtw%l2h_cF4t-8
zZv{=Qr{`ZD`!o_Oq|Ix3tyb=af8hW8$_oA<q9~cHgJ@0bCWV5^kcBiwtTsk&)RH#*
z)M3<j3KstKM39DE^TkO%lZ<5HPT`J-<B~<3Dvp`lH)2wbpf~X%qOD|T-4M7uGRXKb
z4$QzcbTE+yp7GkQZ&#pKil&*O<^02*<aZ^OzZ+NdK+zMPQy+moGv8#1>7!d`K|Gqq
z{z@Hc^(id>DzLnk8~tc-r@`+A;clE*f&;xV1jPAQPkzMt|BDlbwhqRB3>4n++Li$f
zPlI<ME)n8OzYC$DzEfo}#y_$MXvM*9g4rJlwn!u?{qA#}TV7{ujPAeYJ&@ptoG@8O
zl?g{dYmr7YPuvCE{Y|TjNCba!CX+x6o6J#l3|X-TB+BIIf@)Ew&l1eG#6|!Uc&du5
z*l;f2%vc)5u<RU~>NT&FI5wT73Zo&viXV38co`55qC*HZ1C43$qU;7+9ujUMCw@}@
zJ1S4X0mejmKNhUZteBWGV3o}XFmDGT)wXS{_o48M;<mLIt##H-Y}*RcEio-Rx^tHb
z+Jp_&OE1jg4<{g%o;V}(G`p5+0W;U;)(P#TYB6bWup_+VWi^`JOqNbp^F)#YK3|Te
zqtUsVFzpxizg^P~^N-q~i@z8)AB=?QUer3_7TB3^U%Ebec7VypYw9Qrf{d6VT!C+F
zgcXv&K@?H(q52~44Oh)x3!`0k6E-L&)N+@kTvWh|6Wr`ur6csaOGFnue0>C1o&xY6
zMd*J^<m~8VYyHPXYD$ub$rDEm+D*Q~r;%kAvKeEMe_LwIW;h(B)~GE>(``V2!rh7y
zv(^&hS>JG>Sn|oN<S;pW<Wi>{hB74ER%EWB4Mu_yOJRmQc}wu=0)xnYr~|u+?rV?y
z1Nn_rj8>#kAt7%cJUY7ffhkl$`KO2iM#7{jDtwHvP{`_TE5mt_cuA1D(3Kuq^o#*{
z6mYMi1L|KC8Mr0mG6>30X&v>dac(ut4cA^&#uLIfe;@|@24lXXEbgYym^TD9O+`gR
zcEZ;MATr~?Fc*zEX5P`OBh5q<irGmT$!hNX%AK9_%9U3qsf8Y0)OfQkdo&O_&<BdL
z$LL`Y{uEb0S1=z`<=iJ@w+^mC_Q)~cgY!b!tWI>d_aL{eYzg-hP6l0FENpNu*1$Jj
z+azoQ&KJNEOKrxcy~%kG-l!q@n$HI9`67NpW-%DZ4audfJ~}vt*_5{EiH*)@YHJky
zQPuR(3%X3RC*&yV6;@4nQmf7~m%7pK+ajG}aYl`sM`okxo)bAfh1FigCY51B8|wD)
zSvMw1zqC%zUd5d1tgu(DI5~?Qnohf7Jyz#XLo3seLw(C0j-4?v3*XBC=kKau+pg!{
zmO2fWru*GDoAc0d<5mp3jT_U>HY8SdbWDCLY;ioz5+aHhr5f`IC*FvX5$=mTuC0>j
zvLKhC{4@!CZ&e7<cPIftD}x5?r`6>F><!&V&=KbjE~)uWoXsOWjWUC>GCjk*y^#zK
zbpwQ~$g?r3uW^kh_boAUg793p-wiv=PDRxYq?V-hI^_ax5*)WH4$YcJKM_08w@RKK
z-E?vyldt`lno7wTJX0~1^{hT?F1;VNXBK{TP9?j+M06%AWdnReeeh#^m7#k&$y8is
z!}(PJ3gW!P3tw)(>rc%4yUj_^ZjFwmZfUI2QDXSpPaC<K1nAo-Z0Bn}dx3iH^}r(|
zbnKnR6{tBVue<YqEUI6)I^AE*_Cj9OxjGTD10jeI021(V1q<%0L|FT92ncMzPtalh
zYu=O{^0Ev7euGK;kKaH6TDbrB_2QquHJ{nqI2qeG=_<S189QqK@FK7ut=z99u@<Z^
z(10N63@E5z?vU~Ud|d})D@S^|f4-|I-$M`xihi{NkU9_e{{(jk8vy1%ZKb1?xskCW
z{SVl`Kd}6x)5BO2>kHU509NfcEGgK1SmwWDxr$gh{=usLhJ6l*L4Vek>F?N;uOxyE
z04xV!D(_B048(m{#=m2amswT*Jhy3p;`h(mvi=>*Iu$wlXY3fjmi~-o|2tMLTTVkA
zFag}qKtT9+ECB`P2lj^v{L_B}%v0aV+}7srR4_;Si~9dJwS;%5A7JlOmhlmDYXMug
z#sJV(1+X)4m-`9sUM|Dm_3b?2Q$7LcYYMRbyQc6A;XW?s-?7F>IMb^D?C<^%ig+KE
z<L}teIuGqXyICXBeOR`?V|An{AO-<0wge9Z^z_c6?IZud{%QpG#+L}^5QBeObwq$8
zq257(pxx2%-^lXsknd%&j;n6009efcd%VjE#{8Z2Z<M;1MSlrVTnk_w16<}Vs{;3T
z*1ukPFUv4SSH&N|vIcndT~;CC@2r34|6W!(*_2&1z@}RP)^?X=P5L|QU$?%OHT1b4
zd<&o#Il!auvW%#HXZ;&~?`7%JT#>r~Sbo2aF`n*s*1s|LUKT}4JAcPNV+5G~UA?54
zerNp~4DMykA8hL(1N0&T*caLz`%+>51M6X!B}VYV4FFdEn}L;a{SN!r?eA6WI{BPS
z5-?dxroSq-!}mLj@!!yNFO2c#+tWcn_-F=1JlZ>>^cMRGCav#o>+EzVSO0j6@e%Rg
zcg3WvA0VRzAcN|Tj3V(LGHh&}j2)GJE(iX5=Mlk5pe2%h2@q9s0IB+Jf*FwbUBG|n
zhaE<>9V`FO)EnuCs1Lg|0d(E#almAV0Q9{(;dJtkn(#;D@$8k#h(BwtukeuO4?8`_
za`?ysK=Z!eG>=n$l;)49?yP7}X8tUrU*%CU9+87q&&x&rJUdWo56#ZQDdgHMviP58
zChWgC66f<rY5s^@f4>YV&Bw@KdPK!q@rAf>5wOCqe)A=5t%qjk;UIs%=8?LO()<yH
z+x;@K^d2SS5k*{o?HuQyZRd^tL$mX6$v{}XAphr>uwe8U%^4pNBS*i+@Bhy}Y3>AJ
z6qCou`2Q*5ZfGL`q^kdGAMVd3kLc5m-?Rat16=GDkO1!vgU#$G88Z5gPR0&*^3{*G
z9$`nWM9c={01-2Q;^wZ1BJ;<Hc!ZM?8Oxyg0_sD2$zOX6D$75J__u=nq5s46PY*oi
z^#8K?UDeN>e&XJ{0*{E$_lqEQd5nlhEWrIDWLzI3;t>mQzc;wLJx0VMlJNZ^Lfs!D
z;t`qbei3ONj}h^R+U;i%cYV6V^D!bA|9>vVT^WsDkCO2So4S7-1Ky94@rdN`vy8jm
zx8U;_8IPy{>b=$v|D1pJeSe7fuex=l|L@-qhmBx_arkmTIC=%BYwvD(5C;6D`2T|H
zPvPj_nZLKWxIZJ~Mg7FRHyklNA|W&oQ^?Z+Ix9v%n|8PMXNZ1iMjqCjOj6NE6F{W}
zq?x-jQWp0I&HtT|AH#UKcN>GyU)}~ZsL?1uKty-4uv*f?+`sg3?K;NC-vMCi-@u74
z{{nt^Ce-G4q00f_Jiz|UU5$sb{{nv4=-m9<@`(Xp55TV4UGSIuzknaEHTS}Vv;N#}
z3K#zX|K}I~s}TNs=MgDTcF`JL9AF%(fCAyJ<`yM?(fr{$kXmKi7z_Z01z6o(Fi6E;
zzz;W_bWI0+C;%|aZyIY<{RRARkF1awaQzYh&ILq|yMEGC^Dy|~ZpuBiOGyl{pZ^W(
zS8n0^hq({;u&l(awp;+C8w6|+-PM<``C;zE^RQ2cY}N<p{(j%$=xY1H{m;UFx4B2;
z;c~2*{y!V__fLNp@Q7N1_)8JgpGSbw@pl1_sE61&D~JC{T?>F^y*u?Boexj_!vX3R
zTruYWV1h4x3)L3g4|5-mPm6^8G57#o%>etQclG^eGwZi*=BE_!aCoXi8XTGc=*#e%
zzSzSLa~}>K#ULYOeE`#@2L$T7`aT2nmJjLsaO_~hrymmsYzF9J{~DBZXCCJM*c-gJ
zI)G!O*kuMNy!~5HI$Qb+_~GDjo)Ss+3IO&7tlZr&>b3qC@Wa^~o#(s7pPkTp`v>?T
zFMmWOoOY5{@n<JY`2KeR|N6<pPfzc!$lmY#VQPMQH2b5vVR}T3dcTaG-ABoI#8$)o
zGG_K3CF2nx_kI~W`;U_Gh^TwN44}hD$#_KIy<Z0M(W7KMq9pQp#_;^lo<VZ_L&ig%
z@rW|NP4`Tg2;kGdSBsJ-e;CA1(fEhS-W!FWVv$z=3CHoUzXpq@i@$&$jzTfy0+s*d
zrLVt%*KYm-e)y5iS)(|09AGNykbc#e5(N0cK+p7WCiM$1%J}CYl`5b(x*IoPApZh>
zIF*hhs0~5`QmF%=n!5{r4*M7I!@2bRD9w>BKx0Zk`FR&yi}V-p!^u>&T)hDo0ImUa
zm3P6$sDA-JoK5vtNzwk?01jjP1^jRYx}Mbr`4(UmZ-4945b^#3ez;`5e>V<=_z&RU
zQpO{k`(yFqQg{$BP*^qaFOO|`Nq&g1Ha0TXr#H9OH#KJDq_eXzz1N@L+J%zs18gl4
z@7FR2rsT=L-tliF`rls0Pd_~D9Exuwm&91Wfb>nkemS`y{pJVvCmq=zRPowwuAy}O
z3DDaoAito-Rv`XW@h23=gQy{Bp`|OpXj1{6b@x0)dmr?_C?_*xYh(I<zd!6t&rCP*
z2W|m7>nOm#pg@LypnlTo;WaQd6<MSKoE{^>{&hW{4#WI9K)}YvL+eSARM44300u;=
z@$0+?&cgo6VtWwvY!CI2&Kd|P7O;zace1o@e%t{1X@sl~qWE3mRct7MfN-gQMfF=E
z|Ed+sgD6lHYFSV~ef{#cCG<)9f%<6)AGXn><b#Md0O||ib$5Ur>Az{k_@Gwz8&*&5
zZ(2PZ{e|O9x}pFzekkB|S1YLE-?U<SP^)5;%BUP77@&__Fu$NCtA9f=KZr^w@lLG<
zbnJit^UG77rZL=qSMaCMaHnN|^n;}S^~MbYb6_A^i(lQKcl?KlpX?2AH0>cb_|lCg
z3(5urbjA7W$rgJ-{9g@@@!_GzyLG%xJ^-A>0J!MgQ!*c1e`5h^hKKaZH)D<mj{ye4
zj{TLDU_tPkUJtLXtb+>07eM-Y4%oxItJmx~;jb*f-ta?ujp4${IN$&QeFU7jLcg=o
zx(`eA-_;-|GiPf98+~&tItx4F`;$saXdMVM2Ox3)UUxMsrX>1Jvxftkwo$3S;3?ps
z0N{0(MPTqd>){!zFiwN61JvCh^S`nRG>CuI3($@~G-J!w!PO!FZ-C<abtSXONq%EJ
z9MkGw5K8!BJOMhFd-BT|DWpk%V?CVWQ2mogSOA5s5Y4Z8eKR8ejrDK_D8W$7i3c=q
zL14eK49zHhV?CS#?p~Ay6rlh6dcpae@?X|(*JkfIDSh`Y>dzzs%^##+Zl>PDxqE@}
zXAZOW56&;w8SmlTy-4>n=TL|8Ki~PkYjyWv?%uQc8G~*36Xw5LH}`PvUIzJ@(`@uJ
d=clV7|3?A?WI`aI2*4kFdLW=9Q%b;3{~w)8Yq0<T
literal 0
HcmV?d00001
--
2.20.1

[PATCH openEuler-5.10-LTS] atm: idt77252: fix use-after-free bugs caused by tst_timer
by Zheng Zengkai 02 Nov '22
From: Duoming Zhou <duoming(a)zju.edu.cn>
stable inclusion
from stable-v5.10.138
commit a0ae122e9aeccbff75014c4d36d11a9d32e7fb5e
category: bugfix
bugzilla: 187909, https://gitee.com/src-openeuler/kernel/issues/I5X3ML
CVE: CVE-2022-3635
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id…
--------------------------------
commit 3f4093e2bf4673f218c0bf17d8362337c400e77b upstream.
There are use-after-free bugs caused by tst_timer. The root cause
is that there are no functions to stop tst_timer in idt77252_exit().
One of the possible race conditions is shown below:
    (thread 1)             |        (thread 2)
                           |  idt77252_init_one
                           |    init_card
                           |      fill_tst
                           |        mod_timer(&card->tst_timer, ...)
idt77252_exit              |  (wait a time)
                           |  tst_timer
                           |
                           |    ...
  kfree(card) // FREE      |
                           |    card->soft_tst[e] // USE
The idt77252_dev is deallocated in idt77252_exit() and used in
timer handler.
This patch adds del_timer_sync() in idt77252_exit() in order that
the timer handler could be stopped before the idt77252_dev is
deallocated.
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Duoming Zhou <duoming(a)zju.edu.cn>
Link: https://lore.kernel.org/r/20220805070008.18007-1-duoming@zju.edu.cn
Signed-off-by: Jakub Kicinski <kuba(a)kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org>
Signed-off-by: Zhang Changzhong <zhangchangzhong(a)huawei.com>
Signed-off-by: Zheng Zengkai <zhengzengkai(a)huawei.com>
---
drivers/atm/idt77252.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/atm/idt77252.c b/drivers/atm/idt77252.c
index 5f0472c18bcb..82f6f1fbe9e7 100644
--- a/drivers/atm/idt77252.c
+++ b/drivers/atm/idt77252.c
@@ -3767,6 +3767,7 @@ static void __exit idt77252_exit(void)
card = idt77252_chain;
dev = card->atmdev;
idt77252_chain = card->next;
+ del_timer_sync(&card->tst_timer);
if (dev->phy->stop)
dev->phy->stop(dev);
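Review bot: del_timer_sync(&card->tst_timer) sits at the top of the loop body, ahead of dev->phy->stop(dev) and the remaining teardown, so it only closes the race if nothing later in this loop can arm tst_timer again; the commit message shows fill_tst() calling mod_timer() on it. Please confirm that no teardown step after this line can reach fill_tst(), or move the call to just before the kfree(card) named in the changelog so that a re-armed timer cannot outlive the card.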
--
2.20.1
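The ordering problem described in the commit message above, as an added userspace model that is not part of the patch or the driver. The static pool, the `wheel` array and every `model_*` function are assumptions made for illustration; a freed card is marked with an `alive` flag so that a stale timer firing can be counted rather than actually touching freed memory.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed userspace model: names echo the driver, the bodies do not. */
#define MAX_CARDS 4

struct card;

struct timer {
    int pending;            /* armed and waiting to fire */
    struct card *owner;     /* object the handler will dereference */
};

struct card {
    int alive;              /* 0 once the modelled kfree(card) has run */
    int soft_tst;           /* stands in for card->soft_tst[e] */
    struct timer tst_timer;
    struct card *next;
};

static struct card pool[MAX_CARDS];     /* static, so a stale access is observable */
static struct card *chain;              /* stands in for idt77252_chain */
static struct timer *wheel[MAX_CARDS];  /* timers that will still be run */
static int wheel_len;

void reset_model(void)
{
    for (int i = 0; i < MAX_CARDS; i++)
        pool[i] = (struct card){0};
    chain = NULL;
    wheel_len = 0;
}

/* Arm the timer; an already pending timer is not queued twice. */
void model_mod_timer(struct timer *t)
{
    if (!t->pending) {
        t->pending = 1;
        wheel[wheel_len++] = t;
    }
}

/*
 * Cancel a pending timer. The kernel call also waits for a handler that is
 * already running on another CPU; this single-threaded model only shows the
 * "no longer pending" half of that guarantee.
 */
int model_del_timer_sync(struct timer *t)
{
    for (int i = 0; i < wheel_len; i++) {
        if (wheel[i] == t) {
            wheel[i] = wheel[--wheel_len];
            t->pending = 0;
            return 1;
        }
    }
    return 0;
}

/* init_card -> fill_tst -> mod_timer, as in the changelog's thread 2. */
void model_init_card(int idx)
{
    struct card *c = &pool[idx];

    c->alive = 1;
    c->tst_timer.owner = c;
    c->next = chain;
    chain = c;
    model_mod_timer(&c->tst_timer);
}

/* Same walk as the exit loop in the hunk; stop_timer selects before/after. */
void model_exit(int stop_timer)
{
    while (chain) {
        struct card *card = chain;

        chain = card->next;
        if (stop_timer)
            model_del_timer_sync(&card->tst_timer);
        card->alive = 0;    /* models kfree(card) */
    }
}

/* Run every timer still queued; count handlers whose card is already gone. */
int model_run_timers(void)
{
    int stale = 0;

    for (int i = 0; i < wheel_len; i++) {
        struct timer *t = wheel[i];

        t->pending = 0;
        if (!t->owner->alive)
            stale++;                /* would be the use-after-free */
        else
            t->owner->soft_tst++;
    }
    wheel_len = 0;
    return stale;
}

/* Number of timer handlers that fire against a freed card after exit. */
int stale_fires_after_exit(int ncards, int stop_timer)
{
    if (ncards > MAX_CARDS)
        ncards = MAX_CARDS;
    reset_model();
    for (int i = 0; i < ncards; i++)
        model_init_card(i);
    model_exit(stop_timer);
    return model_run_timers();
}

int main(void)
{
    printf("without del_timer_sync: %d stale handler(s)\n",
           stale_fires_after_exit(2, 0));
    printf("with del_timer_sync:    %d stale handler(s)\n",
           stale_fires_after_exit(2, 1));
    return 0;
}
```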

[PATCH openEuler-5.10-LTS 01/43] block: fix null-deref in percpu_ref_put
by Zheng Zengkai 02 Nov '22
From: Zhang Wensheng <zhangwensheng5(a)huawei.com>
hulk inclusion
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/I5N162
CVE: NA
--------------------------------
In the use of q_usage_counter of request_queue, blk_cleanup_queue uses
"wait_event(q->mq_freeze_wq, percpu_ref_is_zero(&q->q_usage_counter))"
to wait for q_usage_counter to become zero. However, if q_usage_counter
becomes zero quickly, percpu_ref_exit will execute and ref->data
will be freed; maybe another process will then cause a null-deref problem
like below:
CPU0                                CPU1
blk_cleanup_queue
 blk_freeze_queue
  blk_mq_freeze_queue_wait
                                    scsi_end_request
                                     percpu_ref_get
                                     ...
                                     percpu_ref_put
                                      atomic_long_sub_and_test
  percpu_ref_exit
   ref->data -> NULL
                                       ref->data->release(ref) -> null-deref
Fix it by setting a flag (QUEUE_FLAG_USAGE_COUNT_SYNC) to add a synchronization
mechanism: when ref->data->release is called, the flag will be set,
and the "wait_event" in blk_mq_freeze_queue_wait must wait for the flag to become
true as well, which will keep percpu_ref_exit from executing ahead of time.
Signed-off-by: Zhang Wensheng <zhangwensheng5(a)huawei.com>
Reviewed-by: Yu Kuai <yukuai3(a)huawei.com>
Signed-off-by: Zheng Zengkai <zhengzengkai(a)huawei.com>
---
block/blk-core.c | 4 +++-
block/blk-mq.c | 7 +++++++
include/linux/blk-mq.h | 1 +
include/linux/blkdev.h | 2 ++
4 files changed, 13 insertions(+), 1 deletion(-)
diff --git a/block/blk-core.c b/block/blk-core.c
index 0b496dabc5ac..448e4d70af7f 100644
--- a/block/blk-core.c
+++ b/block/blk-core.c
@@ -385,7 +385,8 @@ void blk_cleanup_queue(struct request_queue *q)
* prevent that blk_mq_run_hw_queues() accesses the hardware queues
* after draining finished.
*/
- blk_freeze_queue(q);
+ blk_freeze_queue_start(q);
+ blk_mq_freeze_queue_wait_sync(q);
rq_qos_exit(q);
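Review bot: only blk_cleanup_queue() is moved from blk_freeze_queue(q) to blk_freeze_queue_start(q) followed by blk_mq_freeze_queue_wait_sync(q), and the changelog does not say why this is the only waiter on q_usage_counter that needs the stronger condition. Please state in the commit message that this is the one path where percpu_ref_exit() follows the wait, or convert the other waiters as well. The comment above the call still describes draining only and should mention that the wait now also covers the release callback.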
@@ -502,6 +503,7 @@ static void blk_queue_usage_counter_release(struct percpu_ref *ref)
struct request_queue *q =
container_of(ref, struct request_queue, q_usage_counter);
+ blk_queue_flag_set(QUEUE_FLAG_USAGE_COUNT_SYNC, q);
wake_up_all(&q->mq_freeze_wq);
}
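Review bot: QUEUE_FLAG_USAGE_COUNT_SYNC is set before wake_up_all(&q->mq_freeze_wq), so a waiter in blk_mq_freeze_queue_wait_sync() that rechecks its condition can already see the flag and carry on with cleanup while this callback has still to touch q->mq_freeze_wq. The fix depends entirely on the ordering inside this function, so please add a comment here saying what keeps q valid until wake_up_all() returns.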
diff --git a/block/blk-mq.c b/block/blk-mq.c
index e1fcdbefcac0..ab1b0bfc64f9 100644
--- a/block/blk-mq.c
+++ b/block/blk-mq.c
@@ -193,6 +193,7 @@ void blk_freeze_queue_start(struct request_queue *q)
{
mutex_lock(&q->mq_freeze_lock);
if (++q->mq_freeze_depth == 1) {
+ blk_queue_flag_clear(QUEUE_FLAG_USAGE_COUNT_SYNC, q);
percpu_ref_kill(&q->q_usage_counter);
mutex_unlock(&q->mq_freeze_lock);
if (queue_is_mq(q))
@@ -203,6 +204,12 @@ void blk_freeze_queue_start(struct request_queue *q)
}
EXPORT_SYMBOL_GPL(blk_freeze_queue_start);
+void blk_mq_freeze_queue_wait_sync(struct request_queue *q)
+{
+ wait_event(q->mq_freeze_wq, percpu_ref_is_zero(&q->q_usage_counter) &&
+ test_bit(QUEUE_FLAG_USAGE_COUNT_SYNC, &q->queue_flags));
+}
+
void blk_mq_freeze_queue_wait(struct request_queue *q)
{
wait_event(q->mq_freeze_wq, percpu_ref_is_zero(&q->q_usage_counter));
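Review bot: blk_mq_freeze_queue_wait_sync() is added without any comment on how it differs from blk_mq_freeze_queue_wait() directly below it or when a caller has to use it instead. A short kernel-doc block saying that it additionally waits for blk_queue_usage_counter_release() to have run would do. It is also declared in include/linux/blk-mq.h although the only caller in this patch is block/blk-core.c; a block-private header would keep it out of the driver-facing API.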
diff --git a/include/linux/blk-mq.h b/include/linux/blk-mq.h
index ac83257972a0..e4e46229d0eb 100644
--- a/include/linux/blk-mq.h
+++ b/include/linux/blk-mq.h
@@ -574,6 +574,7 @@ void blk_mq_freeze_queue(struct request_queue *q);
void blk_mq_unfreeze_queue(struct request_queue *q);
void blk_freeze_queue_start(struct request_queue *q);
void blk_mq_freeze_queue_wait(struct request_queue *q);
+void blk_mq_freeze_queue_wait_sync(struct request_queue *q);
int blk_mq_freeze_queue_wait_timeout(struct request_queue *q,
unsigned long timeout);
diff --git a/include/linux/blkdev.h b/include/linux/blkdev.h
index 49540ce9e325..4c046530edb9 100644
--- a/include/linux/blkdev.h
+++ b/include/linux/blkdev.h
@@ -643,6 +643,8 @@ struct request_queue {
#define QUEUE_FLAG_NOWAIT 29 /* device supports NOWAIT */
/*at least one blk-mq hctx can't get driver tag */
#define QUEUE_FLAG_HCTX_WAIT 30
+/* sync for q_usage_counter */
+#define QUEUE_FLAG_USAGE_COUNT_SYNC 31
#define QUEUE_FLAG_MQ_DEFAULT ((1 << QUEUE_FLAG_IO_STAT) | \
(1 << QUEUE_FLAG_SAME_COMP) | \
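Review bot: QUEUE_FLAG_USAGE_COUNT_SYNC takes bit 31, right after bits 29 and 30, which is the top bit when queue_flags is a 32-bit unsigned long, and the comment "sync for q_usage_counter" does not say who sets, clears or tests it. Please expand the comment to name the release callback that sets the flag and the freeze start that clears it, and note that no bit is left for further flags on 32-bit builds.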
--
2.20.1
Backport 5.10.133 LTS patches from upstream.
git cherry-pick v5.10.132..v5.10.133~1 -s
Already merged(-138, by CVE-2022-29900):
tools headers: Remove broken definition of __LITTLE_ENDIAN
tools arch: Update arch/x86/lib/mem{cpy,set}_64.S copies used in 'perf bench mem
memcpy' - again
objtool: Fix elf_create_undef_symbol() endianness
kvm: fix objtool relocation warning
um: Add missing apply_returns()
x86/bugs: Remove apostrophe typo
tools headers cpufeatures: Sync with the kernel sources
tools arch x86: Sync the msr-index.h copy with the kernel sources
x86/kvm: fix FASTOP_SIZE when return thunks are enabled
efi/x86: use naked RET on mixed mode call wrapper
x86/speculation: Use DECLARE_PER_CPU for x86_spec_ctrl_current
x86/ftrace: Add UNWIND_HINT_FUNC annotation for ftrace_stub
x86/xen: Fix initialisation in hypercall_page after rethunk
x86, kvm: use proper ASM macros for kvm_vcpu_is_preempted
tools/insn: Restore the relative include paths for cross building
x86/static_call: Serialize __static_call_fixup() properly
x86/speculation: Disable RRSBA behavior
x86/kexec: Disable RET on kexec
x86/bugs: Do not enable IBPB-on-entry when IBPB is not supported
x86/bugs: Add Cannon lake to RETBleed affected CPU list
x86/retbleed: Add fine grained Kconfig knobs
x86/cpu/amd: Enumerate BTC_NO
x86/common: Stamp out the stepping madness
x86/speculation: Fill RSB on vmexit for IBRS
KVM: VMX: Fix IBRS handling after vmexit
KVM: VMX: Prevent guest RSB poisoning attacks with eIBRS
KVM: VMX: Convert launched argument to flags
KVM: VMX: Flatten __vmx_vcpu_run()
objtool: Re-add UNWIND_HINT_{SAVE_RESTORE}
x86/speculation: Remove x86_spec_ctrl_mask
x86/speculation: Use cached host SPEC_CTRL value for guest entry/exit
x86/speculation: Fix SPEC_CTRL write on SMT state change
x86/speculation: Fix firmware entry SPEC_CTRL handling
x86/speculation: Fix RSB filling with CONFIG_RETPOLINE=n
x86/cpu/amd: Add Spectral Chicken
objtool: Add entry UNRET validation
x86/bugs: Do IBPB fallback check only once
x86/bugs: Add retbleed=ibpb
x86/xen: Rename SYS* entry points
objtool: Update Retpoline validation
intel_idle: Disable IBRS during long idle
x86/bugs: Report Intel retbleed vulnerability
x86/bugs: Split spectre_v2_select_mitigation() and
spectre_v2_user_select_mitigation()
x86/speculation: Add spectre_v2=ibrs option to support Kernel IBRS
x86/bugs: Optimize SPEC_CTRL MSR writes
x86/entry: Add kernel IBRS implementation
x86/bugs: Keep a per-CPU IA32_SPEC_CTRL value
x86/bugs: Enable STIBP for JMP2RET
x86/bugs: Add AMD retbleed= boot parameter
x86/bugs: Report AMD retbleed vulnerability
x86: Add magic AMD return-thunk
objtool: Treat .text.__x86.* as noinstr
x86: Use return-thunk in asm code
x86/sev: Avoid using __x86_return_thunk
x86/vsyscall_emu/64: Don't use RET in vsyscall emulation
x86/kvm: Fix SETcc emulation for return thunks
x86/bpf: Use alternative RET encoding
x86/ftrace: Use alternative RET encoding
x86,static_call: Use alternative RET encoding
objtool: skip non-text sections when adding return-thunk sites
x86,objtool: Create .return_sites
x86: Undo return-thunk damage
x86/retpoline: Use -mfunction-return
Makefile: Set retpoline cflags based on CONFIG_CC_IS_{CLANG,GCC}
x86/retpoline: Swizzle retpoline thunk
x86/retpoline: Cleanup some #ifdefery
x86/cpufeatures: Move RETPOLINE flags to word 11
x86/kvm/vmx: Make noinstr clean
x86/realmode: build with -D__DISABLE_EXPORTS
x86/entry: Remove skip_r11rcx
objtool: Fix SLS validation for kcov tail-call replacement
crypto: x86/poly1305 - Fixup SLS
objtool: Default ignore INT3 for unreachable
kvm/emulate: Fix SETcc emulation function offsets with SLS
tools arch: Update arch/x86/lib/mem{cpy,set}_64.S copies used in 'perf bench mem
memcpy'
x86: Add straight-line-speculation mitigation
objtool: Add straight-line-speculation validation
x86/alternative: Relax text_poke_bp() constraint
x86: Fix objtool build warning
x86: Prepare inline-asm for straight-line-speculation
x86: Prepare asm files for straight-line-speculation
x86/lib/atomic64_386_32: Rename things
bpf,x86: Respect X86_FEATURE_RETPOLINE*
bpf,x86: Simplify computing label offsets
x86/alternative: Implement .retpoline_sites support
x86/retpoline: Create a retpoline thunk array
x86/retpoline: Move the retpoline thunk declarations to nospec-branch.h
x86/asm: Fixup odd GEN-for-each-reg.h usage
x86/asm: Fix register order
x86/retpoline: Remove unused replacement symbols
objtool,x86: Replace alternatives with .retpoline_sites
objtool: Explicitly avoid self modifying code in .altinstr_replacement
objtool: Classify symbols
objtool: Handle __sanitize_cov*() tail calls
objtool: Introduce CFI hash
objtool: Make .altinstructions section entry size consistent
objtool: Remove reloc symbol type checks in get_alt_entry()
objtool: print out the symbol type when complaining about it
objtool: Teach get_alt_entry() about more relocation types
objtool: Don't make .altinstructions writable
objtool/x86: Ignore __x86_indirect_alt_* symbols
objtool: Only rewrite unconditional retpoline thunk calls
objtool: Fix .symtab_shndx handling for elf_create_undef_symbol()
x86/alternative: Optimize single-byte NOPs at an arbitrary position
objtool: Support asm jump tables
objtool/x86: Rewrite retpoline thunk calls
objtool: Skip magical retpoline .altinstr_replacement
objtool: Cache instruction relocs
objtool: Keep track of retpoline call sites
objtool: Add elf_create_undef_symbol()
objtool: Extract elf_symbol_add()
objtool: Extract elf_strtab_concat()
objtool: Create reloc sections implicitly
objtool: Add elf_create_reloc() helper
objtool: Rework the elf_rebuild_reloc_section() logic
objtool: Handle per arch retpoline naming
objtool: Correctly handle retpoline thunk calls
x86/retpoline: Simplify retpolines
x86/alternatives: Optimize optimize_nops()
x86: Add insn_decode_kernel()
x86/alternative: Use insn_decode()
x86/insn: Add an insn_decode() API
x86/insn: Add a __ignore_sync_check__ marker
x86/insn: Rename insn_decode() to insn_decode_from_regs()
x86/alternative: Use ALTERNATIVE_TERNARY() in _static_cpu_has()
x86/alternative: Support ALTERNATIVE_TERNARY
x86/alternative: Support not-feature
x86/alternative: Merge include files
x86/xen: Support objtool vmlinux.o validation in xen-head.S
x86/xen: Support objtool validation in xen-asm.S
objtool: Combine UNWIND_HINT_RET_OFFSET and UNWIND_HINT_FUNC
objtool: Assume only ELF functions do sibling calls
objtool: Support retpoline jump detection for vmlinux.o
objtool: Support stack layout changes in alternatives
objtool: Add 'alt_group' struct
objtool: Refactor ORC section generation
KVM/nVMX: Use __vmx_vcpu_run in nested_vmx_check_vmentry_hw
KVM/VMX: Use TEST %REG,%REG instead of CMP $0,%REG in vmenter.S
To be merged(10):
e6f8dc86a1c1 x86/insn-eval: Handle return values from the decoder
b0e2dc950654 x86/alternative: Handle Jcc __x86_indirect_thunk_\reg
3d13ee0d411a x86/alternative: Try inline spectre_v2=retpoline,amd
38a80a3ca2cb x86/alternative: Add debug prints to apply_retpolines()
42ec4d71353f objtool: Fix code relocs vs weak symbols
3e8afd072d09 objtool: Fix type of reloc::addend
e1db6c8a69ec objtool: Fix symbol creation
236b959da9d1 objtool: Fix objtool regression on x32 systems
ecc0d92a9f6c x86/asm/32: Fix ANNOTATE_UNRET_SAFE use on 32-bit
6849ed81a33a x86: Use -mindirect-branch-cs-prefix for RETPOLINE builds
Total patches: 148 - 138 = 10
Borislav Petkov (1):
x86/insn-eval: Handle return values from the decoder
Jiri Slaby (1):
x86/asm/32: Fix ANNOTATE_UNRET_SAFE use on 32-bit
Mikulas Patocka (1):
objtool: Fix objtool regression on x32 systems
Peter Zijlstra (7):
x86/alternative: Handle Jcc __x86_indirect_thunk_\reg
x86/alternative: Try inline spectre_v2=retpoline,amd
x86/alternative: Add debug prints to apply_retpolines()
objtool: Fix code relocs vs weak symbols
objtool: Fix type of reloc::addend
objtool: Fix symbol creation
x86: Use -mindirect-branch-cs-prefix for RETPOLINE builds
Makefile | 1 +
arch/x86/kernel/alternative.c | 60 +++++++-
arch/x86/kernel/head_32.S | 1 +
arch/x86/lib/insn-eval.c | 34 +++--
tools/objtool/check.c | 9 +-
tools/objtool/elf.c | 251 ++++++++++++++++++++++++++++++----
tools/objtool/elf.h | 4 +-
7 files changed, 312 insertions(+), 48 deletions(-)
--
2.20.1
Backport 5.10.131 LTS patches from upstream.
git cherry-pick v5.10.130..v5.10.131~1 -s
cc5ee0e0eed0 Revert "mtd: rawnand: gpmi: Fix setting busy timeout setting"
Total patches: 1
Greg Kroah-Hartman (1):
Revert "mtd: rawnand: gpmi: Fix setting busy timeout setting"
drivers/mtd/nand/raw/gpmi-nand/gpmi-nand.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--
2.20.1
Backport 5.10.132 LTS patches from upstream.
git cherry-pick v5.10.131..v5.10.132~1 -s
Already merged(-1):
136d7987fcfd x86: Clear .brk area at early boot
Context conflict:
91530f675e88 fix race between exit_itimers() and /proc/pid/timers
9d883b3f000d Revert "evm: Fix memleak in init_desc"
KABI changed(-2):
7657e3958535 cgroup: Use separate src/dst nodes when preloading css_sets for
migration
104594de2778 nvme: fix regression when disconnect a recovering ctrl
Total patches: 112 - 1 - 2 = 109
Andrea Mayer (3):
seg6: fix skb checksum evaluation in SRH encapsulation/insertion
seg6: fix skb checksum in SRv6 End.B6 and End.B6.Encaps behaviors
seg6: bpf: fix skb checksum in bpf_push_seg6_encap()
Ard Biesheuvel (2):
ARM: 9214/1: alignment: advance IT state after emulating Thumb
instruction
ARM: 9209/1: Spectre-BHB: avoid pr_info() every time a CPU comes out
of idle
Baokun Li (1):
ext4: fix race condition between ext4_write and
ext4_convert_inline_data
Chanho Park (1):
tty: serial: samsung_tty: set dma burst_size to 1
Charles Keepax (5):
ASoC: wm5110: Fix DRE control
ASoC: dapm: Initialise kcontrol data for mux/demux controls
ASoC: cs47l15: Fix event generation for low power mux control
ASoC: madera: Fix event generation for OUT1 demux
ASoC: madera: Fix event generation for rate controls
Chia-Lin Kao (AceLan) (2):
net: atlantic: remove deep parameter on suspend/resume functions
net: atlantic: remove aq_nic_deinit() when resume
Chris Wilson (1):
drm/i915/gt: Serialize TLB invalidates with GT resets
Coiby Xu (1):
ima: force signature verification when CONFIG_KEXEC_SIG is configured
Cristian Ciocaltea (1):
spi: amd: Limit max transfer and message size
Dan Carpenter (1):
drm/i915/selftests: fix a couple IS_ERR() vs NULL tests
Dave Chinner (1):
fs/remap: constrain dedupe of EOF blocks
Dmitry Osipenko (3):
ARM: 9213/1: Print message about disabled Spectre workarounds only
once
drm/panfrost: Put mapping instead of shmem obj on
panfrost_mmu_map_fault_addr() error
drm/panfrost: Fix shrinker list corruption by madvise IOCTL
Felix Fietkau (1):
wifi: mac80211: fix queue selection for mesh/OCB interfaces
Filipe Manana (1):
btrfs: return -EAGAIN for NOWAIT dio reads/writes on compressed and
inline extents
Florian Westphal (1):
netfilter: br_netfilter: do not skip all hooks with 0 priority
Francesco Dolcini (1):
ASoC: sgtl5000: Fix noise on shutdown/remove
Gabriel Fernandez (1):
ARM: dts: stm32: use the correct clock source for CEC on stm32mp151
Gal Pressman (1):
net/mlx5e: Fix capability check for updating vnic env counters
Geert Uytterhoeven (1):
sh: convert nommu io{re,un}map() to static inline functions
Gowans, James (1):
mm: split huge PUD on wp_huge_pud fallback
Hangyu Hua (2):
drm/i915: fix a possible refcount leak in intel_dp_add_mst_connector()
net: tipc: fix possible refcount leak in tipc_sk_create()
Haowen Bai (1):
pinctrl: aspeed: Fix potential NULL dereference in
aspeed_pinmux_set_mux()
Hector Martin (2):
ASoC: tas2764: Correct playback volume range
ASoC: tas2764: Fix amp gain register offset & default
Huaxin Lu (1):
ima: Fix a potential integer overflow in ima_appraise_measurement
Ilpo Järvinen (3):
serial: stm32: Clear prev values before setting RTS delays
serial: pl011: UPSTAT_AUTORTS requires .throttle/unthrottle
serial: 8250: Fix PM usage_count for console handover
Jianglei Nie (2):
ima: Fix potential memory leak in ima_init_crypto()
net: sfp: fix memory leak in sfp_probe()
John Garry (1):
scsi: hisi_sas: Limit max hw sectors for v3 HW
Jon Hunter (1):
net: stmmac: dwc-qos: Disable split header for Tegra194
Juergen Gross (2):
xen/netback: avoid entering xenvif_rx_next_skb() with an empty rx
queue
x86/pat: Fix x86_has_pat_wp()
Kai-Heng Feng (1):
platform/x86: hp-wmi: Ignore Sanitization Mode event
Keith Busch (1):
nvme-pci: phison e16 has bogus namespace ids
Kris Bahnsen (1):
ARM: dts: imx6qdl-ts7970: Fix ngpio typo and count
Kuniyuki Iwashima (18):
sysctl: Fix data races in proc_dointvec().
sysctl: Fix data races in proc_douintvec().
sysctl: Fix data races in proc_dointvec_minmax().
sysctl: Fix data races in proc_douintvec_minmax().
sysctl: Fix data races in proc_doulongvec_minmax().
sysctl: Fix data races in proc_dointvec_jiffies().
tcp: Fix a data-race around sysctl_tcp_max_orphans.
inetpeer: Fix data-races around sysctl.
net: Fix data-races around sysctl_mem.
cipso: Fix data-races around sysctl.
icmp: Fix data-races around sysctl.
ipv4: Fix a data-race around sysctl_fib_sync_mem.
sysctl: Fix data-races in proc_dointvec_ms_jiffies().
icmp: Fix a data-race around sysctl_icmp_ratelimit.
icmp: Fix a data-race around sysctl_icmp_ratemask.
raw: Fix a data-race around sysctl_raw_l3mdev_accept.
ipv4: Fix data-races around sysctl_ip_dynaddr.
nexthop: Fix data-races around nexthop_compat_mode.
Liang He (2):
net: ftgmac100: Hold reference returned by of_get_child_by_name()
cpufreq: pmac32-cpufreq: Fix refcount leak bug
Linus Torvalds (1):
signal handling: don't use BUG_ON() for debugging
Linus Walleij (1):
soc: ixp4xx/npe: Fix unused match warning
Linyu Yuan (1):
usb: typec: add missing uevent when partner support PD
Lucien Buchmann (1):
USB: serial: ftdi_sio: add Belimo device ids
Mark Brown (1):
ASoC: ops: Fix off by one in range control validation
Martin Povišer (2):
ASoC: tas2764: Add post reset delays
ASoC: tas2764: Fix and extend FSYNC polarity handling
Meng Tang (6):
ALSA: hda - Add fixup for Dell Latitidue E5430
ALSA: hda/conexant: Apply quirk for another HP ProDesk 600 G3 model
ALSA: hda/realtek: Fix headset mic for Acer SF313-51
ALSA: hda/realtek - Fix headset mic problem for a HP machine with
alc671
ALSA: hda/realtek - Fix headset mic problem for a HP machine with
alc221
ALSA: hda/realtek - Enable the headset-mic on a Xiaomi's laptop
Michael Walle (1):
NFC: nxp-nci: don't print header length mismatch on i2c error
Michal Suchanek (1):
ARM: dts: sunxi: Fix SPI NOR campatible on Orange Pi Zero
Muchun Song (1):
mm: sysctl: fix missing numa_stat when !CONFIG_HUGETLB_PAGE
Nicolas Dichtel (1):
ip: fix dflt addr selection for connected nexthop
Oleg Nesterov (1):
fix race between exit_itimers() and /proc/pid/timers
Peter Ujfalusi (3):
ASoC: Intel: Skylake: Correct the ssp rate discovery in
skl_get_ssp_clks()
ASoC: Intel: Skylake: Correct the handling of fmt_config flexible
array
ASoC: SOF: Intel: hda-loader: Clarify the cl_dsp_init() flow
Ryan Wanner (1):
ARM: dts: at91: sama5d2: Fix typo in i2s1 node
Ryusuke Konishi (1):
nilfs2: fix incorrect masking of permission flags for symlinks
Sagi Grimberg (1):
nvme-tcp: always fail a request when sending it failed
Srinivas Neeli (1):
Revert "can: xilinx_can: Limit CANFD brp to 2"
Stafford Horne (1):
irqchip: or1k-pic: Undefine mask_ack for level triggered hardware
Stephan Gerhold (2):
virtio_mmio: Add missing PM calls to freeze/restore
virtio_mmio: Restore guest page size on resume
Steven Rostedt (Google) (1):
net: sock: tracing: Fix sock_exceed_buf_limit not to dereference stale
pointer
Tariq Toukan (3):
net/mlx5e: kTLS, Fix build time constant test in TX
net/mlx5e: kTLS, Fix build time constant test in RX
net/tls: Check for errors in tls_device_init
Thinh Nguyen (1):
usb: dwc3: gadget: Fix event pending check
Vitaly Kuznetsov (1):
KVM: x86: Fully initialize 'struct kvm_lapic_irq' in
kvm_pv_kick_cpu_op()
Xiu Jianfeng (1):
Revert "evm: Fix memleak in init_desc"
Yangxi Xiang (1):
vt: fix memory overlapping when deleting chars in the buffer
Yi Yang (1):
serial: 8250: fix return error code in
serial8250_request_std_resource()
Zhen Lei (1):
ARM: 9210/1: Mark the FDT_FIXED sections as shareable
Zheng Yejian (1):
tracing/histograms: Fix memory leak problem
Íñigo Huguet (2):
sfc: fix use after free when disabling sriov
sfc: fix kernel panic when creating VF
Documentation/networking/ip-sysctl.rst | 4 +-
arch/arm/boot/dts/imx6qdl-ts7970.dtsi | 2 +-
arch/arm/boot/dts/sama5d2.dtsi | 2 +-
arch/arm/boot/dts/stm32mp151.dtsi | 2 +-
.../boot/dts/sun8i-h2-plus-orangepi-zero.dts | 2 +-
arch/arm/include/asm/mach/map.h | 1 +
arch/arm/include/asm/ptrace.h | 26 +++++++++
arch/arm/mm/alignment.c | 3 ++
arch/arm/mm/mmu.c | 15 +++++-
arch/arm/mm/proc-v7-bugs.c | 9 ++--
arch/arm/probes/decode.h | 26 +--------
arch/sh/include/asm/io.h | 8 ++-
arch/x86/kernel/ima_arch.c | 2 +
arch/x86/kvm/x86.c | 18 ++++---
arch/x86/mm/init.c | 14 ++++-
drivers/cpufreq/pmac32-cpufreq.c | 4 ++
drivers/gpu/drm/i915/display/intel_dp_mst.c | 1 +
drivers/gpu/drm/i915/gt/intel_gt.c | 15 +++++-
drivers/gpu/drm/i915/gt/selftest_lrc.c | 8 +--
drivers/gpu/drm/panfrost/panfrost_drv.c | 4 +-
drivers/gpu/drm/panfrost/panfrost_mmu.c | 2 +-
drivers/irqchip/irq-or1k-pic.c | 1 -
drivers/net/can/xilinx_can.c | 4 +-
.../ethernet/aquantia/atlantic/aq_pci_func.c | 23 +++-----
drivers/net/ethernet/faraday/ftgmac100.c | 15 +++++-
.../mellanox/mlx5/core/en_accel/ktls_rx.c | 3 +-
.../mellanox/mlx5/core/en_accel/ktls_tx.c | 3 +-
.../ethernet/mellanox/mlx5/core/en_stats.c | 2 +-
drivers/net/ethernet/sfc/ef10.c | 3 ++
drivers/net/ethernet/sfc/ef10_sriov.c | 10 ++--
.../stmicro/stmmac/dwmac-dwc-qos-eth.c | 1 +
drivers/net/phy/sfp.c | 2 +-
drivers/net/xen-netback/rx.c | 1 +
drivers/nfc/nxp-nci/i2c.c | 8 ++-
drivers/nvme/host/pci.c | 3 +-
drivers/nvme/host/tcp.c | 3 +-
drivers/pinctrl/aspeed/pinctrl-aspeed.c | 4 +-
drivers/platform/x86/hp-wmi.c | 3 ++
drivers/scsi/hisi_sas/hisi_sas_v3_hw.c | 7 +++
drivers/soc/ixp4xx/ixp4xx-npe.c | 2 +-
drivers/spi/spi-amd.c | 8 +++
drivers/tty/serial/8250/8250_core.c | 4 ++
drivers/tty/serial/8250/8250_port.c | 4 +-
drivers/tty/serial/amba-pl011.c | 23 +++++++-
drivers/tty/serial/samsung_tty.c | 5 +-
drivers/tty/serial/serial_core.c | 5 --
drivers/tty/serial/stm32-usart.c | 2 +
drivers/tty/vt/vt.c | 2 +-
drivers/usb/dwc3/gadget.c | 4 +-
drivers/usb/serial/ftdi_sio.c | 3 ++
drivers/usb/serial/ftdi_sio_ids.h | 6 +++
drivers/usb/typec/class.c | 1 +
drivers/virtio/virtio_mmio.c | 26 +++++++++
fs/btrfs/inode.c | 14 ++++-
fs/exec.c | 2 +-
fs/ext4/extents.c | 5 ++
fs/nilfs2/nilfs.h | 3 ++
fs/remap_range.c | 3 +-
include/linux/kexec.h | 6 +++
include/linux/sched/task.h | 2 +-
include/linux/serial_core.h | 5 ++
include/net/raw.h | 2 +-
include/net/sock.h | 2 +-
include/net/tls.h | 4 +-
include/trace/events/sock.h | 6 ++-
kernel/exit.c | 2 +-
kernel/kexec_file.c | 11 +++-
kernel/signal.c | 8 +--
kernel/sysctl.c | 53 ++++++++++---------
kernel/time/posix-timers.c | 19 +++++--
kernel/trace/trace_events_hist.c | 2 +
mm/memory.c | 27 +++++-----
net/bridge/br_netfilter_hooks.c | 21 ++++++--
net/core/filter.c | 1 -
net/ipv4/af_inet.c | 4 +-
net/ipv4/cipso_ipv4.c | 12 +++--
net/ipv4/fib_semantics.c | 4 +-
net/ipv4/fib_trie.c | 2 +-
net/ipv4/icmp.c | 10 ++--
net/ipv4/inetpeer.c | 12 +++--
net/ipv4/nexthop.c | 5 +-
net/ipv4/tcp.c | 3 +-
net/ipv6/route.c | 2 +-
net/ipv6/seg6_iptunnel.c | 5 +-
net/ipv6/seg6_local.c | 2 -
net/mac80211/wme.c | 4 +-
net/tipc/socket.c | 1 +
net/tls/tls_device.c | 4 +-
net/tls/tls_main.c | 7 ++-
security/integrity/evm/evm_crypto.c | 7 +--
security/integrity/ima/ima_appraise.c | 3 +-
security/integrity/ima/ima_crypto.c | 1 +
sound/pci/hda/patch_conexant.c | 1 +
sound/pci/hda/patch_realtek.c | 16 ++++++
sound/soc/codecs/cs47l15.c | 5 +-
sound/soc/codecs/madera.c | 14 +++--
sound/soc/codecs/sgtl5000.c | 9 ++++
sound/soc/codecs/sgtl5000.h | 1 +
sound/soc/codecs/tas2764.c | 46 +++++++++-------
sound/soc/codecs/tas2764.h | 6 +--
sound/soc/codecs/wm5110.c | 8 ++-
sound/soc/intel/skylake/skl-nhlt.c | 40 +++++++++-----
sound/soc/soc-dapm.c | 5 ++
sound/soc/soc-ops.c | 4 +-
sound/soc/sof/intel/hda-loader.c | 8 +--
105 files changed, 556 insertions(+), 252 deletions(-)
--
2.20.1
Backport 5.10.130 LTS patches from upstream.
git cherry-pick v5.10.129..v5.10.130~1 -s
Already merged(-5):
6c32496964da mm/slub: add missing TID updates on slab deactivation
0a5e36dbcb44 netfilter: nf_tables: stricter validation of element data
b81212828ad1 fbmem: Check virtual screen sizes in fb_set_var()
b727561ddc93 fbcon: Disallow setting font bigger than screen size
cecb806c766c fbcon: Prevent that screen size is smaller than font size
Total patches: 55 - 5 = 50
Andrei Lalaev (1):
pinctrl: sunxi: sunxi_pconf_set: use correct offset
Claudiu Beznea (2):
ARM: at91: pm: use proper compatible for sama5d2's rtc
ARM: at91: pm: use proper compatibles for sam9x60's rtc and rtt
Dan Williams (1):
memregion: Fix memregion_free() fallback definition
Daniel Borkmann (2):
bpf: Fix incorrect verifier simulation around jmp32's jeq/jne
bpf: Fix insufficient bounds propagation from
adjust_scalar_min_max_vals
Dmitry Osipenko (1):
dmaengine: pl330: Fix lockdep warning about non-static key
Duoming Zhou (1):
net: rose: fix UAF bug caused by rose_t0timer_expiry
Eric Sandeen (1):
xfs: remove incorrect ASSERT in xfs_rename
Eugen Hristev (2):
ARM: dts: at91: sam9x60ek: fix eeprom compatible and size
ARM: dts: at91: sama5d2_icp: fix eeprom compatibles
Guiling Deng (1):
fbdev: fbmem: Fix logo center image dx issue
Heiner Kallweit (1):
r8169: fix accessing unset transport header
Hsin-Yi Wang (1):
video: of_display_timing.h: include errno.h
Ivan Malov (1):
xsk: Clear page contiguity bit when unmapping pool
Jason A. Donenfeld (1):
powerpc/powernv: delay rng platform device creation until later in
boot
Jimmy Assarsson (3):
can: kvaser_usb: replace run-time checks with struct
kvaser_usb_driver_info
can: kvaser_usb: kvaser_usb_leaf: fix CAN clock frequency regression
can: kvaser_usb: kvaser_usb_leaf: fix bittiming limits
Konrad Dybcio (1):
arm64: dts: qcom: msm8994: Fix CPU6/7 reg values
Liang He (1):
can: grcan: grcan_probe(): remove extra of_node_get()
Linus Torvalds (1):
ida: don't use BUG_ON() for debugging
Lukasz Cieplicki (1):
i40e: Fix dropped jumbo frames statistics
Miaoqian Lin (3):
ARM: meson: Fix refcount leak in meson_smp_prepare_cpus
dmaengine: ti: Fix refcount leak in ti_dra7_xbar_route_allocate
dmaengine: ti: Add missing put_device in ti_dra7_xbar_route_allocate
Michael Walle (1):
dmaengine: at_xdma: handle errors of at_xdmac_alloc_desc() correctly
Oliver Hartkopp (1):
can: bcm: use call_rcu() instead of costly synchronize_rcu()
Oliver Neukum (1):
usbnet: fix memory leak in error case
Pablo Neira Ayuso (1):
netfilter: nft_set_pipapo: release elements in clone from abort path
Peng Fan (3):
arm64: dts: imx8mp-evk: correct mmc pad settings
arm64: dts: imx8mp-evk: correct gpio-led pad settings
arm64: dts: imx8mp-evk: correct I2C3 pad settings
Peter Robinson (1):
dmaengine: imx-sdma: Allow imx8m for imx7 FW revs
Rafael J. Wysocki (1):
PM: runtime: Redefine pm_runtime_release_supplier()
Rhett Aultman (1):
can: gs_usb: gs_usb_open/close(): fix memory leak
Rick Lindsley (1):
ibmvnic: Properly dispose of all skbs during a failover.
Samuel Holland (2):
pinctrl: sunxi: a83t: Fix NAND function name for some pins
dt-bindings: dma: allwinner,sun50i-a64-dma: Fix min/max typo
Satish Nagireddy (1):
i2c: cadence: Unregister the clk notifier in error path
Sherry Sun (1):
arm64: dts: imx8mp-evk: correct the uart2 pinctl value
Shuah Khan (3):
misc: rtsx_usb: fix use of dma mapped buffer for usb bulk transfer
misc: rtsx_usb: use separate command and response buffers
misc: rtsx_usb: set return value in rsp_buf alloc err path
Stephan Gerhold (1):
arm64: dts: qcom: msm8992-*: Fix vdd_lvs1_2-supply typo
Tim Crawford (1):
ALSA: hda/realtek: Add quirk for Clevo L140PU
Vladimir Oltean (3):
selftests: forwarding: fix flood_unicast_test when h2 supports
IFF_UNICAST_FLT
selftests: forwarding: fix learning_test when h1 supports
IFF_UNICAST_FLT
selftests: forwarding: fix error message in learning_test
Yian Chen (1):
iommu/vt-d: Fix PCI bus rescan device hot add
.../dma/allwinner,sun50i-a64-dma.yaml | 2 +-
arch/arm/boot/dts/at91-sam9x60ek.dts | 3 +-
arch/arm/boot/dts/at91-sama5d2_icp.dts | 6 +-
arch/arm/mach-at91/pm.c | 6 +-
arch/arm/mach-meson/platsmp.c | 2 +
arch/arm64/boot/dts/freescale/imx8mp-evk.dts | 18 +-
.../dts/qcom/msm8992-bullhead-rev-101.dts | 2 +-
.../boot/dts/qcom/msm8992-xiaomi-libra.dts | 2 +-
arch/arm64/boot/dts/qcom/msm8994.dtsi | 4 +-
arch/powerpc/platforms/powernv/rng.c | 16 +-
drivers/base/core.c | 3 +-
drivers/base/power/runtime.c | 20 +-
drivers/dma/at_xdmac.c | 5 +
drivers/dma/imx-sdma.c | 2 +-
drivers/dma/pl330.c | 2 +-
drivers/dma/ti/dma-crossbar.c | 5 +
drivers/i2c/busses/i2c-cadence.c | 1 +
drivers/iommu/intel/dmar.c | 2 +-
drivers/misc/cardreader/rtsx_usb.c | 27 +-
drivers/net/can/grcan.c | 1 -
drivers/net/can/usb/gs_usb.c | 23 +-
drivers/net/can/usb/kvaser_usb/kvaser_usb.h | 25 +-
.../net/can/usb/kvaser_usb/kvaser_usb_core.c | 255 ++++++++++--------
.../net/can/usb/kvaser_usb/kvaser_usb_hydra.c | 4 +-
.../net/can/usb/kvaser_usb/kvaser_usb_leaf.c | 119 ++++----
drivers/net/ethernet/ibm/ibmvnic.c | 9 +
drivers/net/ethernet/intel/i40e/i40e.h | 16 ++
drivers/net/ethernet/intel/i40e/i40e_main.c | 73 +++++
.../net/ethernet/intel/i40e/i40e_register.h | 13 +
drivers/net/ethernet/intel/i40e/i40e_type.h | 1 +
drivers/net/ethernet/realtek/r8169_main.c | 10 +-
drivers/net/usb/usbnet.c | 17 +-
drivers/pinctrl/sunxi/pinctrl-sun8i-a83t.c | 10 +-
drivers/pinctrl/sunxi/pinctrl-sunxi.c | 2 +
drivers/video/fbdev/core/fbmem.c | 2 +-
fs/xfs/xfs_inode.c | 1 -
include/linux/memregion.h | 2 +-
include/linux/pm_runtime.h | 5 +-
include/linux/rtsx_usb.h | 2 -
include/video/of_display_timing.h | 2 +
kernel/bpf/verifier.c | 113 ++++----
lib/idr.c | 3 +-
net/can/bcm.c | 18 +-
net/netfilter/nft_set_pipapo.c | 48 ++--
net/rose/rose_route.c | 4 +-
net/xdp/xsk_buff_pool.c | 1 +
sound/pci/hda/patch_realtek.c | 1 +
tools/testing/selftests/net/forwarding/lib.sh | 6 +-
48 files changed, 570 insertions(+), 344 deletions(-)
--
2.20.1
From: Yu'an Wang <wangyuan46(a)huawei.com>
driver inclusion
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/I5VVP6
CVE: NA
--------------------------------
The device driver pointer will be set null during hot plugging.
So should use the device driver null check to protect put queue.
Otherwise the null pointer may cause the oom ops as doing hot plugging.
Signed-off-by: Yu'an Wang <wangyuan46(a)huawei.com>
Reviewed-by: Kai Ye <yekai13(a)huawei.com>
Reviewed-by: Longfang Liu <liulongfang(a)huawei.com>
Reviewed-by: li yongxin <liyongxin1(a)huawei.com>
Signed-off-by: Laibin Qiu <qiulaibin(a)huawei.com>
---
drivers/misc/uacce/uacce.c | 16 ++++++++++------
1 file changed, 10 insertions(+), 6 deletions(-)
diff --git a/drivers/misc/uacce/uacce.c b/drivers/misc/uacce/uacce.c
index b0cdc244e882..dc3aaae30752 100644
--- a/drivers/misc/uacce/uacce.c
+++ b/drivers/misc/uacce/uacce.c
@@ -229,10 +229,8 @@ static void uacce_free_dma_buffers(struct uacce_queue *q)
return;
while (i < qfr->dma_list[0].total_num) {
WARN_ON(!qfr->dma_list[i].size || !qfr->dma_list[i].dma);
- dev_dbg(uacce->pdev, "free dma qfr %s (kaddr=%lx, dma=%llx)\n",
- uacce_qfrt_str(qfr),
- (unsigned long)qfr->dma_list[i].kaddr,
- qfr->dma_list[i].dma);
+ dev_dbg(uacce->pdev, "free dma qfr %s (index = %d)\n",
+ uacce_qfrt_str(qfr), i);
dma_free_coherent(uacce->pdev, qfr->dma_list[i].size,
qfr->dma_list[i].kaddr,
qfr->dma_list[i].dma);
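Review bot: the changelog only describes the NULL check on the driver pointer, but this dev_dbg() change in uacce_free_dma_buffers() drops kaddr and the DMA address from the message, and the dev_err() in uacce_mmap_dma_buffers() gets the same treatment in the next hunk. Keeping kernel and bus addresses out of the log is a separate change with its own motivation, so either describe it in the commit message or split it into its own patch. The declaration of i is outside the hunk; confirm it is a signed int so that the new "%d" matches.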
@@ -383,8 +381,8 @@ static int uacce_mmap_dma_buffers(struct uacce_queue *q,
slice[i].size);
if (ret) {
dev_err(uacce->pdev,
- "mmap dma buf fail(dma=0x%llx,size=0x%x)!\n",
- slice[i].dma, slice[i].size);
+ "mmap dma buf fail(dma index=%d,size=0x%x)!\n",
+ i, slice[i].size);
goto DMA_MMAP_FAIL;
}
@@ -736,6 +734,12 @@ static void uacce_put_queue(struct uacce_queue *q)
q->state = UACCE_Q_ZOMBIE;
q->filep->private_data = NULL;
uacce_queue_drain(q);
+
+ if (!uacce->pdev->driver) {
+ dev_warn(uacce->pdev, "the parent device is hot plugged!\n");
+ return;
+ }
+
if (module_refcount(uacce->pdev->driver->owner) > 0)
module_put(uacce->pdev->driver->owner);
}
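Review bot: the new !uacce->pdev->driver test in uacce_put_queue() and the uacce->pdev->driver->owner dereference two lines below it read the pointer separately, and no lock is visible in this hunk, so an unbind that clears the pointer between the two reads still ends in the NULL dereference the patch is meant to prevent. Read the pointer once into a local and use that local for both module_refcount() and module_put(), or hold whatever lock serializes driver unbind around the block. The early return also skips module_put(); the changelog should say why the module reference does not need to be dropped on that path. The warning text "hot plugged" does not tell the reader the device went away; something like "parent device has no driver bound" would be clearer.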
--
2.25.1

02 Nov '22
From: Tadeusz Struk <tadeusz.struk(a)linaro.org>
stable inclusion
from stable-v4.19.262
commit bf7e2cee3899ede4c7c6548f28159ee3775fb67f
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/I5XTU4
CVE: CVE-2022-43750
--------------------------------
commit a659daf63d16aa883be42f3f34ff84235c302198 upstream.
Syzbot found an issue in usbmon module, where the user space client can
corrupt the monitor's internal memory, causing the usbmon module to
crash the kernel with segfault, UAF, etc.
The reproducer mmaps the /dev/usbmon memory to user space, and
overwrites it with arbitrary data, which causes all kinds of issues.
Return an -EPERM error from mon_bin_mmap() if the flag VM_WRITE is set.
Also clear VM_MAYWRITE to make it impossible to change it to writable
later.
Cc: "Dmitry Vyukov" <dvyukov(a)google.com>
Cc: stable <stable(a)kernel.org>
Fixes: 6f23ee1fefdc ("USB: add binary API to usbmon")
Suggested-by: PaX Team <pageexec(a)freemail.hu> # for the VM_MAYWRITE portion
Link: https://syzkaller.appspot.com/bug?id=2eb1f35d6525fa4a74d75b4244971e5b1411c9…
Reported-by: syzbot+23f57c5ae902429285d7(a)syzkaller.appspotmail.com
Signed-off-by: Tadeusz Struk <tadeusz.struk(a)linaro.org>
Link: https://lore.kernel.org/r/20220919215957.205681-1-tadeusz.struk@linaro.org
Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org>
Signed-off-by: Zhao Wenhui <zhaowenhui8(a)huawei.com>
Reviewed-by: Zhang Qiao <zhangqiao22(a)huawei.com>
Reviewed-by: Xiu Jianfeng <xiujianfeng(a)huawei.com>
Signed-off-by: Yongqiang Liu <liuyongqiang13(a)huawei.com>
---
drivers/usb/mon/mon_bin.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/drivers/usb/mon/mon_bin.c b/drivers/usb/mon/mon_bin.c
index f48a23adbc35..094e812e9e69 100644
--- a/drivers/usb/mon/mon_bin.c
+++ b/drivers/usb/mon/mon_bin.c
@@ -1268,6 +1268,11 @@ static int mon_bin_mmap(struct file *filp, struct vm_area_struct *vma)
{
/* don't do anything here: "fault" will set up page table entries */
vma->vm_ops = &mon_bin_vm_ops;
+
+ if (vma->vm_flags & VM_WRITE)
+ return -EPERM;
+
+ vma->vm_flags &= ~VM_MAYWRITE;
vma->vm_flags |= VM_DONTEXPAND | VM_DONTDUMP;
vma->vm_private_data = filp->private_data;
mon_bin_vma_open(vma);
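Review bot: the VM_WRITE test in mon_bin_mmap() sits after "vma->vm_ops = &mon_bin_vm_ops;", so the -EPERM path returns with the vma already partly set up; move the test to the top of the function so that a rejected mapping is never touched. The "vma->vm_flags &= ~VM_MAYWRITE;" line also deserves a one-line comment saying it stops a later mprotect() from making the mapping writable, because today that reason exists only in the commit message.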
--
2.25.1
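Why the usbmon fix above needs both the VM_WRITE rejection and the VM_MAYWRITE clearing, as a user-space model added here (not kernel code and not part of the patch). The flag values and the mprotect() rule follow the kernel's definitions; `struct vma_model`, the three handler variants and the assumption that a fresh mapping starts with every VM_MAY* bit set are constructed for the illustration.

```c
#include <errno.h>
#include <stdio.h>

/* Flag values as in include/linux/mm.h. */
#define VM_READ      0x01UL
#define VM_WRITE     0x02UL
#define VM_EXEC      0x04UL
#define VM_MAYREAD   0x10UL
#define VM_MAYWRITE  0x20UL
#define VM_MAYEXEC   0x40UL
#define VM_ACCESS_FLAGS (VM_READ | VM_WRITE | VM_EXEC)

/* Hypothetical stand-in for struct vm_area_struct: only the flags matter. */
struct vma_model { unsigned long vm_flags; };

typedef int (*mmap_handler)(struct vma_model *);

/* Handler before the fix: every mapping request is accepted. */
static int mmap_handler_before(struct vma_model *vma)
{
    (void)vma;
    return 0;
}

/* Hypothetical half fix: reject VM_WRITE but leave VM_MAYWRITE set. */
static int mmap_handler_check_only(struct vma_model *vma)
{
    if (vma->vm_flags & VM_WRITE)
        return -EPERM;
    return 0;
}

/* Handler as patched: reject VM_WRITE and clear VM_MAYWRITE. */
static int mmap_handler_after(struct vma_model *vma)
{
    if (vma->vm_flags & VM_WRITE)
        return -EPERM;
    vma->vm_flags &= ~VM_MAYWRITE;
    return 0;
}

/*
 * Model of the mprotect() permission rule: each requested access bit
 * must have its VM_MAY* counterpart (four bit positions higher) set,
 * otherwise the call fails with -EACCES.
 */
static int mprotect_model(struct vma_model *vma, unsigned long newprot)
{
    unsigned long newflags = (vma->vm_flags & ~VM_ACCESS_FLAGS) | newprot;

    if ((newflags & ~(newflags >> 4)) & VM_ACCESS_FLAGS)
        return -EACCES;
    vma->vm_flags = newflags;
    return 0;
}

/*
 * Returns 1 if a process can end up with a writable mapping, either
 * directly from mmap() or by calling mprotect() afterwards.
 */
static int can_become_writable(mmap_handler handler, unsigned long prot)
{
    /* Assumption: the mapping starts with all VM_MAY* bits granted. */
    struct vma_model vma = { prot | VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC };

    if (handler(&vma) != 0)
        return 0;                       /* mmap() itself was refused */
    if (vma.vm_flags & VM_WRITE)
        return 1;                       /* writable from the start */
    return mprotect_model(&vma, VM_READ | VM_WRITE) == 0;
}

int main(void)
{
    static const struct { const char *name; mmap_handler fn; } variants[] = {
        { "before fix",         mmap_handler_before },
        { "VM_WRITE test only", mmap_handler_check_only },
        { "as patched",         mmap_handler_after },
    };

    for (unsigned i = 0; i < sizeof(variants) / sizeof(variants[0]); i++)
        printf("%-20s mmap(RW) writable: %d, mmap(R)+mprotect(RW) writable: %d\n",
               variants[i].name,
               can_become_writable(variants[i].fn, VM_READ | VM_WRITE),
               can_become_writable(variants[i].fn, VM_READ));
    return 0;
}
```

The middle variant shows the gap: a read-only mapping passes the VM_WRITE test and is then upgraded through mprotect(), which is the path the VM_MAYWRITE clearing closes.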
From: Chengchang Tang <tangchengchang(a)huawei.com>
driver inclusion
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/I5Y79T
-------------------------------------------------------------------
Now, the address of the first two pages in the MR will be searched.
And an exception will occur when there is only one page in this MR.
This patch fixes the number of pages to search.
Fixes: 9b2cf76c9f05 ("RDMA/hns: Optimize PBL buffer allocation process")
Signed-off-by: Chengchang Tang <tangchengchang(a)huawei.com>
Reviewed-by: Yangyang Li <liyangyang20(a)huawei.com>
Reviewed-by: YueHaibing <yuehaibing(a)huawei.com>
Signed-off-by: Zheng Zengkai <zhengzengkai(a)huawei.com>
---
drivers/infiniband/hw/hns/hns_roce_hw_v2.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/infiniband/hw/hns/hns_roce_hw_v2.c b/drivers/infiniband/hw/hns/hns_roce_hw_v2.c
index 87872c6e1977..c6348e520fb1 100644
--- a/drivers/infiniband/hw/hns/hns_roce_hw_v2.c
+++ b/drivers/infiniband/hw/hns/hns_roce_hw_v2.c
@@ -3266,7 +3266,8 @@ static int set_mtpt_pbl(struct hns_roce_dev *hr_dev,
int i, count;
count = hns_roce_mtr_find(hr_dev, &mr->pbl_mtr, 0, pages,
- ARRAY_SIZE(pages), &pbl_ba);
+ min_t(int, ARRAY_SIZE(pages), mr->npages),
+ &pbl_ba);
if (count < 1) {
ibdev_err(ibdev, "failed to find PBL mtr, count = %d.\n",
count);
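Review bot: "min_t(int, ARRAY_SIZE(pages), mr->npages)" in set_mtpt_pbl() casts both operands to int, so if mr->npages is an unsigned type holding a value above INT_MAX the cast goes negative and a negative count is handed to hns_roce_mtr_find(). The declaration of npages is not visible in this hunk; if it is unsigned, use min_t(u32, ...) or plain min() on matching types instead. With npages == 0 the call now asks for zero pages and depends on the "count < 1" branch below to fail cleanly, which is worth a sentence in the changelog.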
--
2.20.1

[PATCH openEuler-1.0-LTS 1/4] ext4: fix bug_on in __es_tree_search caused by bad quota inode
by Yongqiang Liu 01 Nov '22
From: Baokun Li <libaokun1(a)huawei.com>
hulk inclusion
category: bugfix
bugzilla: 187821,https://gitee.com/openeuler/kernel/issues/I5X9U0
CVE: NA
--------------------------------
We got an issue as follows:
Reviewed-by: Zhang Yi <yi.zhang(a)huawei.com>
==================================================================
kernel BUG at fs/ext4/extents_status.c:202!
invalid opcode: 0000 [#1] PREEMPT SMP
CPU: 1 PID: 810 Comm: mount Not tainted 6.1.0-rc1-next-g9631525255e3 #352
RIP: 0010:__es_tree_search.isra.0+0xb8/0xe0
RSP: 0018:ffffc90001227900 EFLAGS: 00010202
RAX: 0000000000000000 RBX: 0000000077512a0f RCX: 0000000000000000
RDX: 0000000000000002 RSI: 0000000000002a10 RDI: ffff8881004cd0c8
RBP: ffff888177512ac8 R08: 47ffffffffffffff R09: 0000000000000001
R10: 0000000000000001 R11: 00000000000679af R12: 0000000000002a10
R13: ffff888177512d88 R14: 0000000077512a10 R15: 0000000000000000
FS: 00007f4bd76dbc40(0000)GS:ffff88842fd00000(0000)knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00005653bf993cf8 CR3: 000000017bfdf000 CR4: 00000000000006e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
ext4_es_cache_extent+0xe2/0x210
ext4_cache_extents+0xd2/0x110
ext4_find_extent+0x5d5/0x8c0
ext4_ext_map_blocks+0x9c/0x1d30
ext4_map_blocks+0x431/0xa50
ext4_getblk+0x82/0x340
ext4_bread+0x14/0x110
ext4_quota_read+0xf0/0x180
v2_read_header+0x24/0x90
v2_check_quota_file+0x2f/0xa0
dquot_load_quota_sb+0x26c/0x760
dquot_load_quota_inode+0xa5/0x190
ext4_enable_quotas+0x14c/0x300
__ext4_fill_super+0x31cc/0x32c0
ext4_fill_super+0x115/0x2d0
get_tree_bdev+0x1d2/0x360
ext4_get_tree+0x19/0x30
vfs_get_tree+0x26/0xe0
path_mount+0x81d/0xfc0
do_mount+0x8d/0xc0
__x64_sys_mount+0xc0/0x160
do_syscall_64+0x35/0x80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
</TASK>
==================================================================
Above issue may happen as follows:
-------------------------------------
ext4_fill_super
ext4_orphan_cleanup
ext4_enable_quotas
ext4_quota_enable
ext4_iget --> get error inode <5>
ext4_ext_check_inode --> Wrong imode makes it escape inspection
make_bad_inode(inode) --> EXT4_BOOT_LOADER_INO set imode
dquot_load_quota_inode
vfs_setup_quota_inode --> check pass
dquot_load_quota_sb
v2_check_quota_file
v2_read_header
ext4_quota_read
ext4_bread
ext4_getblk
ext4_map_blocks
ext4_ext_map_blocks
ext4_find_extent
ext4_cache_extents
ext4_es_cache_extent
__es_tree_search.isra.0
ext4_es_end --> Wrong extents trigger BUG_ON
In the above issue, s_usr_quota_inum is set to 5, but inode<5> contains
incorrect imode and disordered extents. Because 5 is EXT4_BOOT_LOADER_INO,
the ext4_ext_check_inode check in the ext4_iget function can be bypassed,
finally, the extents that are not checked trigger the BUG_ON in the
__es_tree_search function. To solve this issue, check whether the inode is
bad_inode in vfs_setup_quota_inode().
Signed-off-by: Baokun Li <libaokun1(a)huawei.com>
Signed-off-by: Yongqiang Liu <liuyongqiang13(a)huawei.com>
---
fs/quota/dquot.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/fs/quota/dquot.c b/fs/quota/dquot.c
index ddb379abd919..316f49cbc032 100644
--- a/fs/quota/dquot.c
+++ b/fs/quota/dquot.c
@@ -2312,6 +2312,10 @@ static int vfs_load_quota_inode(struct inode *inode, int type, int format_id,
if (!fmt)
return -ESRCH;
+ if (is_bad_inode(inode)) {
+ error = -EUCLEAN;
+ goto out_fmt;
+ }
if (!S_ISREG(inode->i_mode)) {
error = -EACCES;
goto out_fmt;
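Review bot: the changelog says the bad-inode check goes into vfs_setup_quota_inode(), but the hunk header shows is_bad_inode() being added to vfs_load_quota_inode(); if that is a deliberate adaptation for this branch, say so in the commit message so the backport can be matched against the original. A short comment above the new test explaining that a bad inode must be rejected before the S_ISREG() test can be trusted would also help, since the ordering of the two checks is the whole point of the fix.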
--
2.25.1
Backport 5.10.129 LTS patches from upstream.
git cherry-pick v5.10.128..v5.10.129~1 -s
Already merged(-10):
8f74cb27c2b4 net: rose: fix UAF bugs caused by timer handler
da61388f9a75 xfs: Skip repetitive warnings about mount options
f874e16870cc xfs: update superblock counters correctly for !lazysbcount
9203dfb3ed6b xfs: fix xfs_reflink_unshare usage of filemap_write_and_wait_range
cfea428030be xen/blkfront: fix leaking data in shared pages
728d68bfe68d xen/netfront: fix leaking data in shared pages
4923217af574 xen/netfront: force data bouncing when backend is untrusted
cbbd2d253153 xen/blkfront: force data bouncing when backend is untrusted
547b7c640df5 xen-netfront: restore __skb_queue_tail() positioning in
xennet_get_responses()
43c8d33ce353 xen/arm: Fix race in RB-tree based P2M accounting
Deferred(-2):
b261cd005ab9 xfs: use current->journal_info for detecting transaction recursion
6b7dab812cba xfs: rename variable mp to parsing_mp
Total patches: 78 - 10 - 2 = 66
Alexey Khoroshilov (1):
NFSD: restore EINVAL error translation in nfsd_commit()
Anthony Iliopoulos (1):
xfs: fix xfs_trans slab cache name
Carlo Lobrano (1):
net: usb: qmi_wwan: add Telit 0x1060 composition
Chris Ye (1):
nvdimm: Fix badblocks clear off-by-one error
Christophe Leroy (1):
powerpc/book3e: Fix PUD allocation size in map_kernel_page()
Chuck Lever (1):
SUNRPC: Fix READ_PLUS crasher
Daniele Palmas (1):
net: usb: qmi_wwan: add Telit 0x1070 composition
Demi Marie Obenour (1):
xen/gntdev: Avoid blocking in unmap_grant_pages()
Dimitris Michailidis (1):
selftests/net: pass ipv6_args to udpgso_bench's IPv6 TCP test
Doug Berger (1):
net: dsa: bcm_sf2: force pause link settings
Enguerrand de Ribaucourt (2):
net: dp83822: disable false carrier interrupt
net: dp83822: disable rx error interrupt
Eric Dumazet (3):
net: bonding: fix possible NULL deref in rlb code
tunnels: do not assume mac header is set in skb_tunnel_check_pmtu()
tcp: add a missing nf_reset_ct() in 3WHS handling
Gao Xiang (1):
xfs: ensure xfs_errortag_random_default matches XFS_ERRTAG_MAX
Greg Kroah-Hartman (1):
clocksource/drivers/ixp4xx: remove EXPORT_SYMBOL_GPL from
ixp4xx_timer_setup()
Heinz Mauelshagen (1):
dm raid: fix accesses beyond end of raid member array
Jakub Kicinski (3):
net: tun: unlink NAPI from device on destruction
net: tun: stop NAPI when detaching queues
net: tun: avoid disabling NAPI twice
Jason A. Donenfeld (1):
s390/archrandom: simplify back to earlier design and initialize
earlier
Jason Wang (2):
virtio-net: fix race between ndo_open() and virtio_device_ready()
caif_virtio: fix race between virtio_device_ready() and ndo_open()
Jens Axboe (1):
io_uring: ensure that send/sendmsg and recv/recvmsg check sqe->ioprio
Jose Alonso (1):
net: usb: ax88179_178a: Fix packet receiving
Kamal Heib (1):
RDMA/qedr: Fix reporting QP timeout attribute
Krzysztof Kozlowski (1):
nfc: nfcmrvl: Fix irq_of_parse_and_map() return value
Liam Howlett (1):
powerpc/prom_init: Fix kernel config grep
Liang He (1):
drivers: cpufreq: Add missing of_node_put() in qoriq-cpufreq.c
Masahiro Yamada (1):
s390: remove unneeded 'select BUILD_BIN2C'
Mathieu Desnoyers (15):
selftests/rseq: introduce own copy of rseq uapi header
selftests/rseq: Remove useless assignment to cpu variable
selftests/rseq: Remove volatile from __rseq_abi
selftests/rseq: Introduce rseq_get_abi() helper
selftests/rseq: Introduce thread pointer getters
selftests/rseq: Uplift rseq selftests for compatibility with
glibc-2.35
selftests/rseq: Fix ppc32: wrong rseq_cs 32-bit field pointer on big
endian
selftests/rseq: Fix ppc32 missing instruction selection "u" and "x"
for load/store
selftests/rseq: Fix ppc32 offsets by using long rather than off_t
selftests/rseq: Fix warnings about #if checks of undefined tokens
selftests/rseq: Remove arm/mips asm goto compiler work-around
selftests/rseq: Fix: work-around asm goto compiler bugs
selftests/rseq: x86-64: use %fs segment selector for accessing rseq
thread area
selftests/rseq: x86-32: use %gs segment selector for accessing rseq
thread area
selftests/rseq: Change type of rseq_offset to ptrdiff_t
Miaoqian Lin (2):
RDMA/cm: Fix memory leak in ib_cm_insert_listen
PM / devfreq: exynos-ppmu: Fix refcount leak in of_get_devfreq_events
Michael Walle (1):
NFC: nxp-nci: Don't issue a zero length i2c_master_read()
Mikulas Patocka (1):
dm raid: fix KASAN warning in raid5_add_disks
Naveen N. Rao (1):
powerpc/bpf: Fix use of user_pt_regs in uapi
Nicolas Dichtel (1):
ipv6: take care of disable_policy when restoring routes
Oliver Neukum (1):
usbnet: fix memory allocation in helpers
Pablo Greco (1):
nvme-pci: add NVME_QUIRK_BOGUS_NID for ADATA XPG SX6000LNP (AKA
SPECTRIX S40G)
Pablo Neira Ayuso (1):
netfilter: nft_dynset: restore set element counter when failing to
update
Ruili Ji (1):
drm/amdgpu: To flush tlb for MMHUB of RAVEN series
Shuah Khan (1):
selftests/rseq: remove ARRAY_SIZE define from individual tests
Tao Liu (1):
linux/dim: Fix divide by 0 in RDMA DIM
Tong Zhang (1):
epic100: fix use after free on rmmod
Victor Nogueira (1):
net/sched: act_api: Notify user space if any actions were flushed
before error
Xin Long (1):
tipc: move bc link creation back to tipc_node_create
Yang Yingliang (1):
hwmon: (ibmaem) don't call platform_device_del() if
platform_device_add() fails
Yevhen Orlov (1):
net: bonding: fix use-after-free after 802.3ad slave unbind
YueHaibing (1):
net: ipv6: unexport __init-annotated seg6_hmac_net_init()
katrinzhou (1):
ipv6/sit: fix ipip6_tunnel_get_prl return value
kernel test robot (1):
sit: use min
arch/powerpc/include/asm/bpf_perf_event.h | 9 +
.../powerpc/include/uapi/asm/bpf_perf_event.h | 9 -
arch/powerpc/kernel/prom_init_check.sh | 2 +-
arch/powerpc/mm/nohash/book3e_pgtable.c | 6 +-
arch/s390/Kconfig | 1 -
arch/s390/crypto/arch_random.c | 111 +---------
arch/s390/include/asm/archrandom.h | 13 +-
arch/s390/kernel/setup.c | 5 +
drivers/clocksource/timer-ixp4xx.c | 1 -
drivers/cpufreq/qoriq-cpufreq.c | 1 +
drivers/devfreq/event/exynos-ppmu.c | 8 +-
drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd.c | 3 +-
drivers/hwmon/ibmaem.c | 12 +-
drivers/infiniband/core/cm.c | 4 +-
drivers/infiniband/hw/qedr/qedr.h | 1 +
drivers/infiniband/hw/qedr/verbs.c | 4 +-
drivers/md/dm-raid.c | 34 +--
drivers/md/raid5.c | 1 +
drivers/net/bonding/bond_3ad.c | 3 +-
drivers/net/bonding/bond_alb.c | 2 +-
drivers/net/caif/caif_virtio.c | 10 +-
drivers/net/dsa/bcm_sf2.c | 5 +
drivers/net/ethernet/smsc/epic100.c | 4 +-
drivers/net/phy/dp83822.c | 4 +-
drivers/net/tun.c | 15 +-
drivers/net/usb/ax88179_178a.c | 101 ++++++---
drivers/net/usb/qmi_wwan.c | 2 +
drivers/net/usb/usbnet.c | 4 +-
drivers/net/virtio_net.c | 8 +-
drivers/nfc/nfcmrvl/i2c.c | 6 +-
drivers/nfc/nfcmrvl/spi.c | 6 +-
drivers/nfc/nxp-nci/i2c.c | 3 +
drivers/nvdimm/bus.c | 4 +-
drivers/nvme/host/pci.c | 3 +-
drivers/xen/gntdev-common.h | 7 +
drivers/xen/gntdev.c | 140 ++++++++----
fs/io_uring.c | 4 +
fs/nfsd/vfs.c | 3 +-
fs/xfs/xfs_error.c | 2 +
fs/xfs/xfs_super.c | 2 +-
include/linux/dim.h | 2 +-
net/ipv4/ip_tunnel_core.c | 2 +-
net/ipv4/tcp_ipv4.c | 4 +-
net/ipv6/addrconf.c | 4 -
net/ipv6/route.c | 9 +-
net/ipv6/seg6_hmac.c | 1 -
net/ipv6/sit.c | 10 +-
net/netfilter/nft_set_hash.c | 2 +
net/sched/act_api.c | 22 +-
net/sunrpc/xdr.c | 2 +-
net/tipc/node.c | 41 ++--
tools/testing/selftests/net/udpgso_bench.sh | 2 +-
tools/testing/selftests/rseq/Makefile | 2 +-
.../selftests/rseq/basic_percpu_ops_test.c | 5 +-
tools/testing/selftests/rseq/compiler.h | 30 +++
tools/testing/selftests/rseq/param_test.c | 8 +-
tools/testing/selftests/rseq/rseq-abi.h | 151 +++++++++++++
tools/testing/selftests/rseq/rseq-arm.h | 110 +++++-----
tools/testing/selftests/rseq/rseq-arm64.h | 79 +++++--
.../rseq/rseq-generic-thread-pointer.h | 25 +++
tools/testing/selftests/rseq/rseq-mips.h | 71 ++-----
.../selftests/rseq/rseq-ppc-thread-pointer.h | 30 +++
tools/testing/selftests/rseq/rseq-ppc.h | 128 +++++++----
tools/testing/selftests/rseq/rseq-s390.h | 55 +++--
tools/testing/selftests/rseq/rseq-skip.h | 2 +-
.../selftests/rseq/rseq-thread-pointer.h | 19 ++
.../selftests/rseq/rseq-x86-thread-pointer.h | 40 ++++
tools/testing/selftests/rseq/rseq-x86.h | 200 ++++++++++++------
tools/testing/selftests/rseq/rseq.c | 165 +++++++--------
tools/testing/selftests/rseq/rseq.h | 30 ++-
70 files changed, 1167 insertions(+), 647 deletions(-)
create mode 100644 arch/powerpc/include/asm/bpf_perf_event.h
delete mode 100644 arch/powerpc/include/uapi/asm/bpf_perf_event.h
create mode 100644 tools/testing/selftests/rseq/compiler.h
create mode 100644 tools/testing/selftests/rseq/rseq-abi.h
create mode 100644 tools/testing/selftests/rseq/rseq-generic-thread-pointer.h
create mode 100644 tools/testing/selftests/rseq/rseq-ppc-thread-pointer.h
create mode 100644 tools/testing/selftests/rseq/rseq-thread-pointer.h
create mode 100644 tools/testing/selftests/rseq/rseq-x86-thread-pointer.h
--
2.20.1
Backport 5.10.128 LTS patches from upstream.
git cherry-pick v5.10.127..v5.10.128~1 -s
Already merged(-3):
09c9902cd80a bcache: memset on stack variables in bch_btree_check() and
bch_sectors_dirty_init()
db3f8110c3b0 xfs: use kmem_cache_free() for kmem_cache objects
0cdccc05da76 xfs: punch out data fork delalloc blocks on COW writeback failure
Deferred(-3):
1e76bd4c6722 xfs: Fix the free logic of state in xfs_attr_node_hasname
071e750ffb3d xfs: remove all COW fork extents when remounting readonly
6b734f7b7071 xfs: check sb_meta_uuid for dabuf buffer recovery
Total patches: 11 - 3 - 3 = 5
Amir Goldstein (1):
MAINTAINERS: add Amir as xfs maintainer for 5.10.y
Christoph Hellwig (1):
drm: remove drm_fb_helper_modinit
Masahiro Yamada (1):
tick/nohz: unexport __init-annotated tick_nohz_full_setup()
Naveen N. Rao (1):
powerpc/ftrace: Remove ftrace init tramp once kernel init is complete
Vladimir Oltean (1):
net: mscc: ocelot: allow unregistered IP multicast flooding
MAINTAINERS | 3 ++-
arch/powerpc/include/asm/ftrace.h | 4 +++-
arch/powerpc/kernel/trace/ftrace.c | 15 ++++++++++---
arch/powerpc/mm/mem.c | 2 ++
drivers/gpu/drm/drm_crtc_helper_internal.h | 10 ---------
drivers/gpu/drm/drm_fb_helper.c | 21 ------------------
drivers/gpu/drm/drm_kms_helper_common.c | 25 +++++++++++-----------
drivers/net/ethernet/mscc/ocelot.c | 8 +++++--
kernel/time/tick-sched.c | 1 -
9 files changed, 37 insertions(+), 52 deletions(-)
--
2.20.1

[PATCH openEuler-1.0-LTS 1/2] ext4: ext4_read_bh_lock() should submit IO if the buffer isn't uptodate
by Yongqiang Liu 01 Nov '22
From: Zhang Yi <yi.zhang(a)huawei.com>
mainline inclusion
from mainline-v6.1-rc1
commit 0b73284c564d3ae4feef4bc920292f004acf4980
category: bugfix
bugzilla: 187414, https://gitee.com/openeuler/kernel/issues/I5XZ6O
CVE: NA
--------------------------------
Recently we noticed that the ext4 filesystem would occasionally fail to read
metadata from disk and report an error message, but the disk and block
layer look fine. After analysis, we locked on to commit 88dbcbb3a484
("blkdev: avoid migration stalls for blkdev pages"). It provides a
migration method for the bdev, so we can now move a page that has buffers
without extra users, but it locks the buffers on the page, which
breaks the fragile metadata read operation on the ext4 filesystem.
ext4_read_bh_lock() was copied from ll_rw_block(); it depends on the
assumption that a locked buffer means it is under IO. So it just
trylocks the buffer and skips submitting IO if the lock fails; after
wait_on_buffer() we conclude an IO error because the buffer is not
uptodate.
This issue can be easily reproduced by adding some delay just after
buffer_migrate_lock_buffers() in __buffer_migrate_folio() and running
fsstress on an ext4 filesystem.
EXT4-fs error (device pmem1): __ext4_find_entry:1658: inode #73193:
comm fsstress: reading directory lblock 0
EXT4-fs error (device pmem1): __ext4_find_entry:1658: inode #75334:
comm fsstress: reading directory lblock 0
Fix it by removing the trylock logic in ext4_read_bh_lock(), just lock
the buffer and submit IO if it's not uptodate, and also leave over
readahead helper.
Cc: stable(a)kernel.org
Signed-off-by: Zhang Yi <yi.zhang(a)huawei.com>
Reviewed-by: Jan Kara <jack(a)suse.cz>
Link: https://lore.kernel.org/r/20220831074629.3755110-1-yi.zhang@huawei.com
Signed-off-by: Theodore Ts'o <tytso(a)mit.edu>
Conflict:
fs/ext4/super.c
Signed-off-by: Zhang Yi <yi.zhang(a)huawei.com>
Signed-off-by: Li Lingfeng <lilingfeng3(a)huawei.com>
Reviewed-by: Zhang Yi <yi.zhang(a)huawei.com>
Signed-off-by: Yongqiang Liu <liuyongqiang13(a)huawei.com>
---
fs/ext4/super.c | 16 +++++-----------
1 file changed, 5 insertions(+), 11 deletions(-)
diff --git a/fs/ext4/super.c b/fs/ext4/super.c
index e4abf3de254f..37a2e66b77a7 100644
--- a/fs/ext4/super.c
+++ b/fs/ext4/super.c
@@ -195,19 +195,12 @@ int ext4_read_bh(struct buffer_head *bh, int op_flags, bh_end_io_t *end_io)
int ext4_read_bh_lock(struct buffer_head *bh, int op_flags, bool wait)
{
- if (trylock_buffer(bh)) {
- if (wait)
- return ext4_read_bh(bh, op_flags, NULL);
+ lock_buffer(bh);
+ if (!wait) {
ext4_read_bh_nowait(bh, op_flags, NULL);
return 0;
}
- if (wait) {
- wait_on_buffer(bh);
- if (buffer_uptodate(bh))
- return 0;
- return -EIO;
- }
- return 0;
+ return ext4_read_bh(bh, op_flags, NULL);
}
/*
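Review bot: ext4_read_bh_lock() now calls lock_buffer() unconditionally, so a caller passing wait == false can sleep on the buffer lock where the old trylock path returned at once. Document that above the function ("may block on the buffer lock even when wait is false") and confirm that no remaining wait == false caller runs in a context that cannot sleep. The changelog says IO is submitted "if it's not uptodate", but no uptodate test appears in this function after the change; a comment noting that ext4_read_bh() and ext4_read_bh_nowait() are relied on for that test and for unlocking would make the new flow self-explanatory.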
@@ -254,7 +247,8 @@ void ext4_sb_breadahead_unmovable(struct super_block *sb, sector_t block)
struct buffer_head *bh = sb_getblk_gfp(sb, block, 0);
if (likely(bh)) {
- ext4_read_bh_lock(bh, REQ_RAHEAD, false);
+ if (trylock_buffer(bh))
+ ext4_read_bh_nowait(bh, REQ_RAHEAD, NULL);
brelse(bh);
}
}
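Review bot: in ext4_sb_breadahead_unmovable() a failed trylock_buffer() now skips the readahead without any trace in the code of why that is acceptable. Add a one-line comment saying readahead is best effort and must not wait for a buffer that something else holds locked, so that nobody later "fixes" this back to ext4_read_bh_lock(), which after the previous hunk would block here.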
--
2.25.1
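Hello!
Kernel SIG invites you to attend the Zoom meeting (automatically recorded) to be held at 2022-11-04 14:00.
Meeting subject: openEuler Kernel SIG biweekly meeting
Agenda:
1. Progress update
2. Call for topics
Everyone is welcome to propose topics (new topics can be submitted by replying to this email or by adding them to the meeting board).
Meeting link: https://us06web.zoom.us/j/87646118604?pwd=Q3doR3VOQW4zRm51QjZHZzBJcldYUT09
Meeting minutes: https://etherpad.openeuler.org/p/Kernel-meetings
Reminder: after joining the meeting, please change your participant name; you can also use your gitee.com ID.
More information: https://openeuler.org/zh/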
Hello!
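openEuler Kernel SIG invites you to attend the Zoom conference (auto recording) to be held at 2022-11-04 14:00.
The subject of the conference is the openEuler Kernel SIG biweekly meeting.
Summary:
1. Progress update
2. Call for topics
Everyone is welcome to propose topics (new topics can be submitted by replying to this email or by adding them to the meeting board).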
You can join the meeting at https://us06web.zoom.us/j/87646118604?pwd=Q3doR3VOQW4zRm51QjZHZzBJcldYUT09.
Add topics at https://etherpad.openeuler.org/p/Kernel-meetings.
Note: You are advised to change the participant name after joining the conference or use your ID at gitee.com.
More information: https://openeuler.org/en/